From completelyfalse at harrykiri.com Fri Oct 1 01:03:26 2004
From: completelyfalse at harrykiri.com (Harry Kiri)
Date: Thu Sep 30 10:05:04 2004
Subject: [SpamCop-List] Re: Listwashed?
References:
Message-ID:

"Bob" wrote in message news:cjdk5s$39b$1@news.spamcop.net...
> I have all email that comes into the spamtrap directed into a spambucket,
> and I was just curious about the sudden drop in spambucket contents for the
> past 3 days. I was guessing that maybe the spammers found out that they were
> being reported from spam sent to that email and took steps to limit their
> damage.

Some past posts have mentioned unusual rise and falls in spam numbers, most
posters seem to think it's just a random variation. My own spam numbers
dropped dramatically when my old ISP picked up the courage to block a port
(25 ??). The numbers stayed down at the lower level.

> Has anyone else heard of spam reporters being put on some sort of list by
> spammers, and it happening this quickly?

The biggest spammers don't seem to care very much about listwashing - they've
got huge numbers of zombies so have the means to send spam no matter how many
zombies are cleaned up.

In four years, I've only had about 6 requests (via the SC response address)
to listwash, after reporting an estimated 50,000 + spams ... That suggests to
me that there isn't much incentive to listwash these days. Perhaps because
there are so many people now reporting spams.

Regards, Hughy

-- 
I can be found at aw_electronics_ng atiinetdotnetdotau

From completelyfalse at harrykiri.com Fri Oct 1 01:13:14 2004
From: completelyfalse at harrykiri.com (Harry Kiri)
Date: Thu Sep 30 10:15:03 2004
Subject: [SpamCop-List] Re: 419 scammer sprung
References: <415B1A4E.9040307@spamcop.net>
Message-ID:

"Anony Mouse" wrote in message news:415B1A4E.9040307@spamcop.net...
> I have had a few 419 scams sent to a specific (ae3456.acde654@ sort of
> email address) just five late last year...
>
> Now I am getting spam advertising virtual offices in Mexico using the
> same two random email addresses... 4 all together 2 identical spam runs
> to the two random email addresses.
>
> Gotcha spammy...
>
> Of course it has been reported immediately to the authorities through my
> contact at the ACA in Australia.

Err ... did the spam have an "Australian connection"? If it did, great, more
grist for the prosecution mill. If it didn't, the ACA will only use the spam
for statistical purposes.

Regards, Hughy

-- 
I can be found at aw_electronics_ng atiinetdotnetdotau

From nobody at nowhere.not Fri Oct 1 00:27:11 2004
From: nobody at nowhere.not (Robert Blair)
Date: Thu Sep 30 19:30:13 2004
Subject: [SpamCop-List] Re: Submit by Mail Is Slow?
References:
Message-ID:

On Thu, 30 Sep 2004 08:09:22 UTC, Chris Luth wrote:
> Is it me or does SpamCop take a LOT longer to process and parse spams
> submitted by email (as an attachment to submit.xxx@spamcop.net) than ones
> submitted via the Web site?
>
> I often have to wait upwards of an hour -- sometimes more -- before finally
> being notified that my email was processed and is ready for reports to be
> sent.
>
> Does the incoming mail queue for the parsing service receive a much lower
> priority than Web-submitted spams?

For me it is usually only a few minutes. Starting yesterday it was about 45
minutes. Today it is about 2 1/2 hours. At this rate it is hardly worth
reporting.

-- 
Robert Blair

From puoti at inwind.it Fri Oct 1 01:33:35 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Sep 30 19:40:02 2004
Subject: [SpamCop-List] Re: Dangerous JPEGs
In-Reply-To:
References:
Message-ID:

> And I have not seen it mentioned in connection with VAX VMS, Alpha VMS,
> MacOS 9, OS400, MVS.

Nor Linux :)

Ivan.

From eddie at eddie.web Fri Oct 1 01:05:58 2004
From: eddie at eddie.web (eddie)
Date: Fri Oct 1 00:10:19 2004
Subject: [SpamCop-List] Making it easy on reporters
Message-ID:

Just got a spew from a cox.net user for cheap OEM software.
This spewer is using a good software package, himself, since he gave
me his real email address in the "from:" box of his spew.

It could also be that cox.net automatically reassigns the correct
email address to all outgoing email - I don't know. That would be
nice, though.

Anyway I have this spewer's address and I would hope all my spam
comes in like this one. :)

-- 
Rather: I don't want to be argumentative, Mr. vice president.
Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't.

From luddite63 at yahoo.com Fri Oct 1 02:49:21 2004
From: luddite63 at yahoo.com (Sagesse)
Date: Fri Oct 1 01:50:06 2004
Subject: [SpamCop-List] Re: Stats page
In-Reply-To:
References:
Message-ID:

Lars Poulsen wrote:
> According to the stats page the spam report volume is dramatically down
> the last 36 hours - has anyone got an explanation on this ?
>
> I am getting the same amount of spammails as I used to do, so there
> doesn't seem to be a decrease in the total amount of spam sent ..or ?
>
> Lars Poulsen
> Denmark

The volumes seem to have bounced back up for a day and are now trickling
down. However the reports sent seems to have kept its 2:1 ratio. Odd.

From MikeE at ster.invalid Fri Oct 1 01:24:43 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 1 03:25:24 2004
Subject: [SpamCop-List] Re: Making it easy on reporters
References:
Message-ID:

eddie wrote:
> Just got a spew from a cox.net user for cheap OEM software.
> This spewer is using a good software package, himself, since he gave
> me his real email address in the "from:" box of his spew.

How did you go about tying together the source IP address to the
particular From address?
Is this some 'dynamically static' IP source
which 'sticks' to a particular machine like cable modem and from/with
which the poster has occasion to also show hir presumed true address,
like on newsgroup postings? Or did you derive your conclusion about the
veracity of the email address in some other way? Do you also get good
mail from the spammer?

> It could also be that cox.net automatically reassigns the correct
> email address to all outgoing email - I don't know. That would be
> nice, though.

That would seem pretty weird.

> Anyway I have this spewer's address and I would hope all my spam
> comes in like this one. :)

Altho' I can't see what you are seeing, my first guess would be that you
might be seeing something with a cox IP source which also coincidentally
has a cox From. If that's how you made your conclusion, don't leap too
far.

-- 
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org Fri Oct 1 08:54:40 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Fri Oct 1 03:55:02 2004
Subject: [SpamCop-List] Re: Making it easy on reporters
References:
Message-ID:

On 01 Oct 2004 Mike Easter entered spamcop and left
news:cjj0lg$lb$1@news.spamcop.net:

>> It could also be that cox.net automatically reassigns the correct
>> email address to all outgoing email - I don't know. That would be
>> nice, though.
>
> That would seem pretty weird.
>

That would only happen if it was relayed through a cox MX, well, I suppose
they could be filtering all port 25 transactions, but that would be
extremely weird.

-- 
| Ric |

From tdy at blackhole.invalid Fri Oct 1 03:51:10 2004
From: tdy at blackhole.invalid (N. Miller)
Date: Fri Oct 1 05:55:04 2004
Subject: [SpamCop-List] Re: Strange Headers (to me, anyway)
References:
Message-ID:

In article , spamcop says...

> I received a strange mail...
> The first Header lines are:
> X-Symantec-TimeoutProtection: 0
> What is that TimeoutProtection:0 about?
> Would that have come from my own ISP or would it be forgeable?
I have seen that in email scanned by NAV during a POP3 fetch. It is
definitely forgeable.

> Also, what is :
> X-UIDL: /7o"!U";!!XT'!!FPD"!
> X-UIDL is new, to me at least.

I have seen that in email received through the mail system of an ISP I used
to use. I presume they were added by the MDA during the delivery phase. Also
forgeable.

> Thanks, I'm not sure where to even start to look to get the
> answers to these questions. Apparently I've been asleep at the
> keyboard for awhile (be nice, now!) since these are all new to
> me.

Maybe a Google search on "X-Headers" will turn up some information.

> I also invite any serious comments anyone would care to make, in
> addition to answers to my questions.

I have found some X-Headers that seem to be only seen in spam. I have seen
other cases where the X-Headers appear to be added by a specific email
system; and, therefore, shouldn't appear in email that never passed through
that system. I can use those for spam scoring.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From puoti at inwind.it Fri Oct 1 14:55:54 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Fri Oct 1 09:05:23 2004
Subject: [SpamCop-List] Spam with pgp signature
Message-ID:

See spam with same subject in .spam
Is it just anti-filter trash, or is it a real signature? If yes, why would a
spammer sign his spam?

Ivan.

From firewoman at default.domain.not.available Fri Oct 1 11:05:27 2004
From: firewoman at default.domain.not.available (Firewoman)
Date: Fri Oct 1 10:05:04 2004
Subject: [SpamCop-List] Re: Rip Off Report?
References:
Message-ID:

"Merlyn" wrote in message news:cjhs0k$9ie$1@news.spamcop.net...
> Firewoman, you have been here a long time and I respect your opinions :-)

Ditto of yours. :-) I think you were the first person I learned to really
respect here.

> I have been there in the past but it did not leave any kind of impression on
> me.
My first impression was collapsing in giggles.

> Just MHO but, this time I have to disagree, the place reeks of pondscum (The
> Jerry Springer Type).

Then you read the piece on Tupper Lake, NY? ;-)

From julian at mehnle.net Fri Oct 1 17:50:35 2004
From: julian at mehnle.net (Julian Mehnle)
Date: Fri Oct 1 10:55:04 2004
Subject: [SpamCop-List] Re: OT SPF is harmful. Adopt it
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Julian Mehnle wrote:
> > Mike Easter wrote:
> > > Would you support my theoretical model of some kind of worldclass
> > > FCC, [...]
> >
> > No, because I think it is too bureaucratic. Other than that, it
> > might be feasible.
>
> You are against 'simple' licensing of smtp traffickers of all types of
> smtp traffic because it is too bureaucratic; [...]
>
> But, you want various and different /bureaucracies/ to somehow define
> and 'criminalize' spam against the resistance of all kinds of powerful
> entities.
>
> I think that is backwards in order and also impossible. I think you
> have to license all the traffic before you can begin to rationally
> regulate some subset of it.

I don't think you can call various independent reputation services
"bureaucracies", or you'd have to call companies "bureaucracies", too.

I'll try to give another perspective on my vision: I favor a somewhat
guerilla-like approach for combating spam, with governments just providing
some of the weapons (the legal ones). Of course it would be best if
international anti-spam laws converged, but in my scenario this isn't a
necessity. Instead, ISPs and users should be empowered to determine for
themselves what level of reputation they accept for mail senders to be
allowed to send mail to them.

You see, today we already have quite a few different reputation services
(most of them IP address based DNS blocklists), such as SpamCop, ORDB, SORBS,
SPEWS, even innovative services like SURBL as of late.
And although all of these services use greatly varying sets of criteria for
defining "reputation", they can very well co-exist happily. Why force single
definitions of "spam" or "sender reputation" on everyone? Yes, like with
international laws, converging definitions are definitely (no pun intended) a
good thing, but, again like with international laws, this is going to be
incredibly difficult to achieve.

From MikeE at ster.invalid Fri Oct 1 09:11:17 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 1 11:10:03 2004
Subject: [SpamCop-List] Re: OT SPF is harmful. Adopt it
References:
Message-ID:

Julian Mehnle wrote:
> Mike Easter wrote:

> > But, you want various and different /bureaucracies/ to somehow define
> > and 'criminalize' spam against the resistance of all kinds of powerful
> > entities.

> I don't think you can call various independent reputation services
> "bureaucracies", or you'd have to call companies "bureaucracies", too.

Actually, the 'bureaucracies' I was concerned about defining and
criminalizing spam were the countries or governments. You had said

Julian Mehnle wrote:
> But we also need
> to get our own governments to institute effective laws against
> UBE/UCE (my definition of spam) to actively combat the spam industry
> and to protect innocent users.

I was saying that defining spam is very difficult. And I was still arguing
that licensing all mailtraffickers was a useful tool, just like you are
arguing that defining sender reputations is a useful tool. Neither strategy
actually defines spam.

-- 
Mike Easter
kibitzer, not SC admin

From 8vmb6jy02 at sneakemail.com Fri Oct 1 17:47:19 2004
From: 8vmb6jy02 at sneakemail.com (Sean W)
Date: Fri Oct 1 11:50:03 2004
Subject: [SpamCop-List] Re: Spam with pgp signature
In-Reply-To:
References:
Message-ID:

Ivan Leo Puoti wrote:
> See spam with same subject in .spam
> Is it just anti-filter trash, or is it a real signature? If yes, why
> would a spammer sign his spam?
>
> Ivan.

It's totally bogus.
OpenPGP won't even sign HTML mail as far as I know. Not sure about signing
around an image attachment though.

Not to mention:

X-Mailer: Microsoft Office Outlook, Build 11.0.6353

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

Now that certainly don't add up (possible but doubtful).

It's likely a real signature (not registering on here for me though) but
certainly highly unlikely to belong to spammy. Someone will decode it for you
if you want I am sure.

-- 
Sean

From eddie at eddie.web Fri Oct 1 13:04:58 2004
From: eddie at eddie.web (eddie)
Date: Fri Oct 1 12:05:05 2004
Subject: [SpamCop-List] Re: Making it easy on reporters
References:
Message-ID:

On Fri, 01 Oct 2004 00:24:43 -0700, Mike Easter scratched out the following:

snip
>
> How did you go about tying together the source IP address to the
> particular From address? Is this some 'dynamically static' IP source
> which 'sticks' to a particular machine like cable modem and from/with
> which the poster has occasion to also show hir presumed true address, like
> on newsgroup postings? Or did you derive your conclusion about the
> veracity of the email address in some other way? Do you also get good
> mail from the spammer?

The "From:" address included the IP which is the one that SC parsed and used
for determining the abuse address.

Here is the From: with the userid munged

From: xx@cdm-66-76-138-160.jsbr.cox-internet.com

It certainly looks like a return address to me, with the IP included,

>> It could also be that cox.net automatically reassigns the correct email
>> address to all outgoing email - I don't know. That would be nice,
>> though.
>
> That would seem pretty weird.

Yes, but it might also be true, based on the address I inserted above.
Certainly the IP was correct, so I don't know how a spammer could forge the
rest of it. It looks like an internal email address.

>
>> Anyway I have this spewer's address and I would hope all my spam comes
>> in like this one. :)
>
> Altho' I can't see what you are seeing, my first guess would be that you
> might be seeing something with a cox IP source which also coincidentally
> has a cox From. If that's how you made your conclusion, don't leap too
> far.

I am not leaping, merely surmising.

-- 
Rather: I don't want to be argumentative, Mr. vice president.
Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't.

From dannyg at dannyg.com Fri Oct 1 10:29:15 2004
From: dannyg at dannyg.com (Danny Goodman)
Date: Fri Oct 1 12:29:18 2004
Subject: [SpamCop-List] Re: Making it easy on reporters
In-Reply-To: <200410011605.i91G5Co7034883@dannyg.com>
Message-ID:

on 10/1/04 9:05 AM, spamcop-list-request@news.spamcop.net wrote:

> Here is the From: with the userid munged
> From: xx@cdm-66-76-138-160.jsbr.cox-internet.com
> It certainly looks like a return address to me, with the IP included,

Hard to tell without seeing the full header, but it could be the IP of the
Trojaned box that sent the message -- filled into the template by the
controlling spammer and his virmware.

Danny
http://www.dannyg.com

From philip at pch.home.cs.vu.nl Fri Oct 1 19:30:12 2004
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Fri Oct 1 12:40:03 2004
Subject: [SpamCop-List] Re: OT SPF is harmful. Adopt it
References: <72m2h8lsfmlmd524h6prtkf1m7@inews_id.stereo.hq.phicoh.net> <415C57A0.6DA6@xyzzy.claranet.de>
Message-ID:

In article <415C57A0.6DA6@xyzzy.claranet.de>,
Frank Ellermann wrote:
>Philip Homburg wrote:
>
>> When it comes to e-mail and when there are no (significant)
>> security issues, I stick to the "Be liberal in what you accept,
>> and conservative in what you send" motto.
>
>That's nice, but it won't work for ISPs with numerous users.
>These users simply refuse to download mail-worms and spam over
>their modem lines. Especially if they pay for this "service".

For most users, mail-worms are definitely a security issue, so it is
better for an ISP not to present them to its users.
I can imagine that for users who get a lot of spam and are at the other end
of a slow modem link, spam amounts to a denial of service attack. Again this
is a security problem.

Next question is: "does requiring proper HELOs and reverse DNS solve this
security problem". To some extent it does because a significant amount of
spam comes from machines that don't have proper reverse DNS. However, fixing
reverse DNS is relatively easy. So I'm not sure that it helps a lot in the
long run.

>> Dynamic addresses are just a local policy issue.
>
>Accepting mail is also a local policy issue, that doesn't help.

If you don't want mail from dynamic addresses then that is your choice. RFCs
are written to have common standards. HELO and reverse DNS are in the RFCs,
dynamic addresses aren't (when it comes to e-mail).

Proper HELOs and reverse DNS are not required from a technical point of
view. But if it makes you happy to enforce that rule locally, go ahead.
(Of course, my systems do have reverse DNS, proper HELOs, etc.)

>> Rules that have no technical justification are just needless
>> complications.
>
>Not accepting mail from open relays is a needless complication
>for some users, and it obviously didn't solve the spam problem.

I don't accept mail from spam sources. When an open relay forwards spam, I
add that machine to my block list.

>But I'd still say that open relays were a part of the problem.

Is it good to block systems that might become a security risk? At the time of
the open relay checks/lists, searching open relays was a good anti-spam
measure. (Note that not having reverse DNS says much less about the
likelihood that that system is going to spam than a system that was an open
relay a couple of years ago).

>> Most of the time when I want to know something about an
>> address, I do a whois lookup anyway.
>
>Sure, but probably not during a SMTP session.
>
>Bye, Frank

During an SMTP session, my block lists grant or deny access.
I block most systems by netblock anyhow to avoid relying on something that
might be under control of the spammer.

-- 
This Monk had first gone wrong when it was [...] cross-connected to a video
recorder that was watching eleven TV channels simultaneously, [...] The
video recorder only had to watch them, of course. It didn't have to believe
them all as well. This is why instruction manuals are so important
 -- Douglas Adams

From wb8tyw at qsl.network Fri Oct 1 13:12:26 2004
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Fri Oct 1 13:15:03 2004
Subject: [SpamCop-List] Re: Dangerous JPEGs
References:
Message-ID:

In article , "Chris F. Willoughby" writes:
> "John E. Malmberg" wrote in message
> news:zp-dncDi__wVMMHcRVn-hA@adelphia.com...
>
>> VAX/VMS otherwise now known as OpenVMS/VAX.

> Ah! I didn't know that. Cool. Not that I plan on switching but I might
> look just for the heck of it. Do those cost money or are they free?

It depends.

If you want support and to use it for a commercial activity, then you need
to contact a Charron-VAX reseller for availability.

If this is for personal home hobby use only, then the license costs for
OpenVMS are free. The Simh VAX emulator is available as open source with x86
as one of its many host platforms.

See http://www.openvmshobbyist.org/ for the Hobby OpenVMS licensing
procedure.

See http://simh.trailing-edge.com/ for information on SIMH.

-John
wb8tyw@qsl.network
Personal Opinion Only

From agent01413 at my-deja.com Fri Oct 1 14:12:30 2004
From: agent01413 at my-deja.com (Socks the white house cat)
Date: Fri Oct 1 15:15:03 2004
Subject: [SpamCop-List] Re: Spam with pgp signature
References:
Message-ID:

Someday in the distant future, archeologists digging thru the ruins of
spamcop will discover that Ivan Leo Puoti had this to say on 01 Oct 2004:

> See spam with same subject in .spam
> Is it just anti-filter trash, or is it a real signature? If yes, why
> would a spammer sign his spam?
>
> Ivan.

"unknown key"

From wb8tyw at qsl.network Fri Oct 1 17:04:25 2004
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Fri Oct 1 17:05:14 2004
Subject: [SpamCop-List] Re: Spam with pgp signature
References:
Message-ID: <1BpxgwKuvCMD@eisner.encompasserve.org>

In article , Ivan Leo Puoti writes:
> See spam with same subject in .spam
> Is it just anti-filter trash, or is it a real signature? If yes, why
> would a spammer sign his spam?

1. To fool content filters that white list e-mail with alleged PGP
   signatures.

2. To poison the self learning content filters to consider all PGP signed
   messages spam, thus causing collateral damage.

Spammers have figured out how to easily defeat almost all content filters
except for the ones that look up the I.P. addresses for the URLs in the
e-mail and check them against DNSbls. See SpamAssassin 3.0 (Beta still?)

Checking the link text only partially works as the spammers are registering
hundreds of throwaway domains, so those databases are always a few hours
behind the spammer.

If they can not evade the filters with their creative spelling, they put in
filler words and paragraphs to try to get the bayesian filters to consider
all e-mail to be spam.

-John
wb8tyw@qsl.network
Personal Opinion Only

From baloo at ursine.dyndns.org Fri Oct 1 14:29:44 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Fri Oct 1 17:20:03 2004
Subject: [SpamCop-List] Re: Spam with pgp signature
References:
Message-ID: <87acv6gp1j.fsf@ursine.dyndns.org>

<#secure method=pgp mode=sign>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ivan Leo Puoti writes:

> See spam with same subject in .spam
> Is it just anti-filter trash, or is it a real signature? If yes, why
> would a spammer sign his spam?

I don't see a verifiable signature on it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBXb46UzgNqloQMwcRAvQAAJ4mVExUoJ2dAOeWyZMg3UPVlA6SUACg1plE
BAwW/OZhCvVwDpTyfv9vc6Q=
=xtmS
-----END PGP SIGNATURE-----

From baloo at ursine.dyndns.org Fri Oct 1 14:30:56 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Fri Oct 1 17:20:07 2004
Subject: [SpamCop-List] Re: Spam with pgp signature
References:
Message-ID: <87655ugozj.fsf@ursine.dyndns.org>

<#secure method=pgp mode=sign>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sean W <8vmb6jy02@sneakemail.com> writes:

> It's likely a real signature (not registering on here for me though)
> but certainly highly unlikely to belong to spammy.

It would belong to spammy. You can't forge someone else's PGP
signatures without their private key, and even then, you still need to
know their password.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBXb6AUzgNqloQMwcRAoJYAJ4za3hPPaH2BOOAaPVmgWuoaZH4EwCfZsDq
X7DUpupstk7SeT8quY97qDc=
=DbmG
-----END PGP SIGNATURE-----

From nobody at nowhere.invalid Sat Oct 2 01:17:15 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri Oct 1 18:20:03 2004
Subject: [SpamCop-List] Re: Spam with pgp signature
References: <87655ugozj.fsf@ursine.dyndns.org>
Message-ID:

On Fri, 01 Oct 2004 13:30:56 -0700, Paul Johnson coughed into spamcop and
left this in <87655ugozj.fsf@ursine.dyndns.org>:

> It would belong to spammy. You can't forge someone else's PGP
> signatures without their private key, and even then, you still need to
> know their password.

No, but you can copy and paste the PGP signature off another mail (the fact
that the signature wouldn't be valid is irrelevant with Rule #3 in play). Or
you can just fill the signature with BS and make it *look* like a signature.

-- 
Steve
If at first you don't succeed, skydiving is not for you.

From nobody at spamcop.net Fri Oct 1 19:30:02 2004
From: nobody at spamcop.net (Pop (was Spamcop by accident))
Date: Fri Oct 1 18:30:03 2004
Subject: [SpamCop-List] Ziff-Davis?
Message-ID:

Apparently Ziff-Davis is spamming again? I thought they'd
straightened things out but today I suddenly get a "newsletter"
from them! Haven't even been to their site in, well, years, I'd
say.

Do they spam? Or was it a fluke? Just curious how widespread they spam.

Pop

From Spam_N_Scams_Reporter at yahoo.whatever Fri Oct 1 19:32:16 2004
From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter)
Date: Fri Oct 1 21:35:16 2004
Subject: [SpamCop-List] Bullet-proof webhosting
Message-ID:

While researching a spamitem about bullet-proof webhosting, I had the
thought that maybe this is an important detail that needs to be dealt
with. I did a google on such and it came back with about 3,500 for
"bullet proof hosting".

Has or is anyone/group working on this angle?

From nobody at devnull.spamcop.net Fri Oct 1 21:45:05 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Oct 1 21:50:05 2004
Subject: [SpamCop-List] Re: Rip Off Report?
References:
Message-ID:

"Firewoman" wrote in message news:cjhge3$ksf$1@news.spamcop.net...
> Found this while googling....
>
> http://www.badbusinessbureau.com/reports/ripoff105872.htm
>
> Warning: Personal Opinion Follows
>
> I think one of the deputies or even Julian needs to get on the site and
> respond/reply to the "report". Stuff like this can stick to a company
> easier than toilet paper sticks to a shoe.

Well, it's been over 32 hours, so neither the "after midnight"
and "after 24 hours" have correctly identified the magic
moment of a provided response appearing on that page.

From ric.gates at bigsleep.org Sat Oct 2 03:06:19 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Fri Oct 1 22:10:04 2004
Subject: [SpamCop-List] Re: Ziff-Davis?
References:
Message-ID:

On 01 Oct 2004 Pop (was Spamcop by accident) entered spamcop and left
news:cjklp5$ijd$1@news.spamcop.net:

> Apparently Ziff-Davis is spamming again? I thought they'd
> straightened things out but today I suddenly get a "newsletter"
> from them! Haven't even been to their site in, well, years, I'd
> say.
>

Are you sure it was from ZD, I'm pretty sure they're gone. Go check their
site out.

-- 
| Ric |

From Spam_N_Scams_Reporter at yahoo.whatever Fri Oct 1 21:20:43 2004
From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter)
Date: Fri Oct 1 23:25:05 2004
Subject: [SpamCop-List] Re: Bullet-proof webhosting
In-Reply-To:
References:
Message-ID:

Spam N Scams Reporter wrote:

> While researching a spamitem about bullet-proof webhosting, I had the
> thought that maybe this is an important detail that needs to be dealt
> with. I did a google on such and it came back with about 3,500 for
> "bullet proof hosting".
>
> Has or is anyone/group working on this angle?
>

On a web site of the domain that I am researching:

Opt-In Direct E-Mail Marketing

Take advantage the most cost effective way of marketing of this e-age to
legally email to your potential customers and boost your sales during the
great Chinese Monkey Year of 2004.

* Check out the news of the CAN SPAM ACT signed on 12/16/03 by President
Bush. Effective on Jan 1, 2004, this federal Law legalized UCE in the United
States and overrides any contradictory state laws in the country.

From Merlyn at Spamcop.net Sat Oct 2 01:33:48 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Sat Oct 2 00:35:05 2004
Subject: [SpamCop-List] Re: Bullet-proof webhosting
References:
Message-ID:

"Spam N Scams Reporter" wrote in message news:cjl6qh$aj8$1@news.spamcop.net...
> Spam N Scams Reporter wrote:
>
>> While researching a spamitem about bullet-proof webhosting, I had the
>> thought that maybe this is an important detail that needs to be dealt
>> with. I did a google on such and it came back with about 3,500 for
>> "bullet proof hosting".
>>
>> Has or is anyone/group working on this angle?

Yes, we block them all. Start your research here:
http://www.spamhaus.org/rokso/index.lasso

> On a web site of the domain that I am researching:
>
> Opt-In Direct E-Mail Marketing
>
> Take advantage the most cost effective way of marketing of this e-age to
> legally email to your potential customers and boost your sales during the
> great Chinese Monkey Year of 2004.

They are already blocked.

> * Check out the news of the CAN SPAM ACT signed on 12/16/03 by
> President Bush. Effective on Jan 1, 2004, this federal Law legalized UCE
> in the United States and overrides any contradictory state laws in the
> country.

Old news. It doesn't work and has not stopped or even slowed down the flow
of spam.

-- 
Regards, Merlyn
A Spamcop advocate
No emails this account is for newsgroups only

People demand freedom of speech to make up for the freedom of thought which
they avoided

From nobody at spamcop.net Sat Oct 2 06:52:49 2004
From: nobody at spamcop.net (Tuatara)
Date: Sat Oct 2 01:55:14 2004
Subject: [SpamCop-List] Net giants adopt anti-spam system? Really? I'm skeptical.
Message-ID: <415e419f.5257031@news.spamcop.net>

The person quoted in this article in the BBC is too optimistic unless the
person is profoundly naive.

http://news.bbc.co.uk/2/hi/technology/3706828.stm

The article refers to Mr. Anderson as such:

He said greater use of authentication systems and lists of reputable e-mail
senders should make a big difference.

They quote a Dave Anderson of SendMail:

"The amount of spam seen by users will plummet, if not go to zero," he said.

It sounds like classic smoked-mirror marketing and hood-winking. A sender of
unsolicited commercial email isn't reputable just because their unsolicited
commercial email adheres to the authentication system. It's still spam, bar
none!
It sounds just like a goon from the DMA trying to legitimize unsolicited
commercial email marketing for mainstream (really mainsleaze) companies.
Authentication means nothing if it's still spam, spam, spam, spam.

Does anyone know anything about SendMail for that company's rep to make a
ludicrous statement like that?

From ric.gates at bigsleep.org Sat Oct 2 07:10:26 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sat Oct 2 02:15:03 2004
Subject: [SpamCop-List] Re: Ziff-Davis?
References:
Message-ID:

On 01 Oct 2004 Bob W. entered spamcop and left
news:responseguard-6C4EA4.20260501102004@news.cesmail.net:

> ZDnet is still alive and well, even if the domain "Ziff-Davis.com"
> doesn't have a website...
>

I guess I'm thinking of their tech channel that's been passed around.

-- 
| Ric |

From ric.gates at bigsleep.org Sat Oct 2 07:15:46 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sat Oct 2 02:20:03 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net>
Message-ID:

On 01 Oct 2004 Tuatara entered spamcop and left
news:415e419f.5257031@news.spamcop.net:

> Does anyone know anything about SendMail for that company's rep to make a
> ludicrous statement like that?

Sendmail is free, I use it, I have configured it to require authentication,
and because of my rulesets and blocklists I get practically no spam, and no
complaints.

-- 
| Ric |

From nobody at nowhere.invalid Sat Oct 2 13:01:53 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat Oct 2 06:05:20 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net>
Message-ID:

On Sat, 2 Oct 2004 06:15:46 +0000 (UTC), Blammo coughed into spamcop and
left this in :

> Sendmail is free, I use it, I have configured it to require
> authentication, and because of my rulesets and blocklists I get practically
> no spam, and no complaints.
I think you'll find the OP was talking about the company, sendmail.com, not the MTA "sendmail" available from sendmail.org. -- Steve If flying is so safe, why do they call the airport the terminal? From 8vmb6jy02 at sneakemail.com Sat Oct 2 12:39:17 2004 From: 8vmb6jy02 at sneakemail.com (Sean W) Date: Sat Oct 2 06:40:03 2004 Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical. In-Reply-To: References: <415e419f.5257031@news.spamcop.net> Message-ID: Steven Maesslein wrote: > On Sat, 2 Oct 2004 06:15:46 +0000 (UTC), Blammo coughed into spamcop and > left this in : > > >>Sendmail is free, I use it, I have configured it to require >>authentication, and because of my rulesets and blocklists I get practically >>no spam, and no complaints. > > > I think you'll find the OP was talking about the company, sendmail.com, > not the MTA "sendmail" available from sendmail.org. > Yeah, ITHM Sendmails.com Try http://www.wired.com/news/business/0,1367,63146,00.html?tw=wn_bizhead_11 for a quick and dirty (literally) look at what they are. -- Sean From kenbrody at spamcop.net Sat Oct 2 11:15:38 2004 From: kenbrody at spamcop.net (Kenneth Brody) Date: Sat Oct 2 10:20:20 2004 Subject: [SpamCop-List] Re: Rip Off Report? References: Message-ID: <415EB846.7632F8DB@spamcop.net> WazoO wrote: > > "Firewoman" wrote in message > news:cjhge3$ksf$1@news.spamcop.net... > > Found this while googling.... > > > > http://www.badbusinessbureau.com/reports/ripoff105872.htm > > > > Warning: Personal Opinion Follows > > > > I think one of the deputies or even Julian needs to get on the site and > > respond/reply to the "report". Stuff like this can stick to a company > > company easier than toilet paper sticks to a shoe. > > Well, it's been over 32 hours, so neither the "after midnight" > and "after 24 hours" have correctly identified the magic > moment of a provided response appearing on that page. It's there now, Saturday 2-Oct 10:15AM EDT. 
-- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ From nobody at devnull.spamcop.net Sat Oct 2 12:16:16 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Oct 2 12:20:21 2004 Subject: [SpamCop-List] Re: Ziff-Davis? References: Message-ID: "Bob W." wrote in message news:responseguard-92AEB4.08570902102004@news.cesmail.net... > > Well, I guess that analogy doesn't really fit, since TechTV has been > known to be useful... Gads, change that to "had been useful" ... ComCast has really screwed it up .. killed Call for Help, really dumbed down The Screensavers, and please tell me just how many idiots out there can actually enjoy listening to some dolt talk you through the button-push sequences for the "secret" code hacks of various games for an hour, listen to the debate on why some character's garb is red on the PlayStation version, but green on the PC? TechTV is no more. From rickert+nn at cs.niu.edu Sat Oct 2 17:23:38 2004 From: rickert+nn at cs.niu.edu (Neil Rickert) Date: Sat Oct 2 12:25:03 2004 Subject: [SpamCop-List] Re: Spam with pgp signature References: Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2004-10-01, Sean W <8vmb6jy02@sneakemail.com> wrote: > Ivan Leo Puoti wrote: >> See spam with same subject in .spam >> Is it just anti-filter trash, or is it a real signature? If yes, why Anti-filter trash. There was no "BEGIN PGP MESSAGE" line. This was just a signature from elsewhere, glued on hoping it would fool a filter. > It's totally bogus. OpenPGP won't even sign HTML mail as far as I know. > Not sure about signing around an image attachment though. The pgp/mime standard allows signing mail with attachments. The signature applies to the transmitted text. 
Whether that is encoded from html or an image, or is plain text, is not relevant to the ability to sign. But it this case it was bogus, as you say. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.3.6 (SunOS) iD8DBQFBXtYIvmGe70vHPUMRAsArAKDW9+mz0MiKkHFTuVTq8xFLXLhIYACfeSTY xCr/lMY9OZT0NerII/P2goQ= =nS6V -----END PGP SIGNATURE----- From mrichter at cpl.net Sat Oct 2 13:28:44 2004 From: mrichter at cpl.net (Mike Richter) Date: Sat Oct 2 15:30:11 2004 Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical. In-Reply-To: References: <415e419f.5257031@news.spamcop.net> Message-ID: Blammo wrote: > On 01 Oct 2004 Tuatara entered spamcop and left > news:415e419f.5257031@news.spamcop.net: > > >>Does any know anything about SendMail for that company's rep to make a >>ludicrous statement like that? > > > Sendmail is free, I use it, I have configured it to require > authentication, and because of my rulesets and blocklists I get practically > no spam, and no complaints. > How would you get a complaint from someone who declines to authenticate? (I am assuming that the scheme is a form of challenge/response.) I face the issue with some Earthlink correspondents who love the C/R they're introducing. If they introduce it for my MindSpring account without a refusal option, they'll lose a subscriber. Mike -- mrichter@cpl.net http://www.mrichter.com/ From ric.gates at bigsleep.org Sat Oct 2 21:39:24 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sat Oct 2 16:40:14 2004 Subject: [SpamCop-List] Re: Making it easy on reporters References: Message-ID: On 01 Oct 2004 eddie entered spamcop and left news:pan.2004.10.01.16.04.57.329000@eddie.web: > From: xx@cdm-66-76-138-160.jsbr.cox-internet.com > It certainly looks like a return address to me, with the IP included, > Could be a message ID picked up off a news post, just happens to be the same as the zombied PC. 
-- | Ric | From nobody at nowhere.invalid Sun Oct 3 00:02:24 2004 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Oct 2 17:05:03 2004 Subject: [SpamCop-List] Re: Making it easy on reporters References: Message-ID: On Fri, 01 Oct 2004 12:04:58 -0400, eddie coughed into spamcop and left this in : > Here is the From: with the userid munged > From: xx@cdm-66-76-138-160.jsbr.cox-internet.com > It certainly looks like a return address to me, with the IP included, It looks like a zombied machine to me. The spamware is most certainly geared to put the zombied machine's rDNS in the domain part of the e-mail address forged into the spam. $ host 66.76.138.160 160.138.76.66.in-addr.arpa domain name pointer cdm-66-76-138-160.jsbr.cox-internet.com. -- Steve In the 60's people took acid to make the world weird. Now the world is weird and people take Prozac to make it normal. From nobody at spamcop.net Sun Oct 3 11:40:43 2004 From: nobody at spamcop.net (Anony Mouse) Date: Sat Oct 2 17:45:09 2004 Subject: [SpamCop-List] Paging Mike Easter... Message-ID: <415F205B.2020205@spamcop.net> Greetings Mike... Do you remember this... From: Mike Easter (MikeE@ster.invalid) Subject: Re: The new sci.physics.strings newsgroup View: Complete Thread (4 articles) Original Format Newsgroups: alt.spam Date: 2003-12-21 17:49:54 PST Fabios wrote: > Yawn. Hey, Fabios. I have some more questions for you, since you decided to stick your nose and your posts into alt.spam. Is it true that you are a spammer? Fabios Caraminas is the registrant at sponsoring registrar Wild West Domains, according to whois.neulevel.biz for lunburrymeds.biz and yourpublicdns.biz and according to this website http://www.terrific.com/joejob/spamsample5.htm is spamming Subject: Upgrade your tool Get a Bigger Penis 100% $$ Back Guarantee She will love you for it. Get_it_here (http://lunburrymeds.biz) Get a months supply Free! I think lunburrymeds must also be singletonmeds.biz - also reg'd to Fabios Caraminas. 
I think I get it now. The reason you cross post things is because you are a spammer and don't know any better. -- Mike Easter Do you have any info about spammy Fabios? I am trying to have the email address closed at Yahoo so I can close spammies dns domain... Sent a bounce test to the email address with just the domain in the subject line... Spammy asks me what I want... Anyway spammy is making vieled threats... I am pretty sure Fabios is a Webfinity associate. Regards From MikeE at ster.invalid Sat Oct 2 18:58:47 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 2 21:00:21 2004 Subject: [SpamCop-List] Re: Paging Mike Easter... References: <415F205B.2020205@spamcop.net> Message-ID: Anony Mouse wrote: > Do you remember this... ----------------------- > From: Mike Easter > Subject: Re: The new sci.physics.strings newsgroup > Hey, Fabios. I have some more questions for you, since you decided to > stick your nose and your posts into alt.spam. > > Is it true that you are a spammer? ----------------------- Well, the little bit you are posting is missing a lot of context, so I should explain it a little. The original 2003 Dec thread started at From: Lubos Motl Newsgroups: alt.astrology Message-ID: in which there was a 'nice' message by Lubos trying to get support from alt.astrology in news.groups for a new group. Then Fabios crossposted his Yawn response to news.groups, alt.usenet.kooks, and alt.spam; which annoyed me because people are always dragging the alt.spam group into flamefests and other trollish behaviors. So, I commented separately in alt.astrology where I think Fabios hangs out and alt.spam. I made my bigger critique in alt.spam, part of what you posted, and just made a reference in alt.astrology to the longer criticism in alt.spam. At the time, I was annoyed at Fabios and looked into his persona's online behavior and found relationships such as those I described in that post. Some of the information I started with in 2003 Dec isn't the same now. 
> Do you have any info about spammy Fabios? Currently I only know what is at neulevel.biz - at the time I was probably full of stuff I glean when I'm identity sleuthing. I didn't keep notes. I had to go googling to refresh my memory about all this. neulevel has the registration information for Fabios for singletonmeds.biz and lunburrymeds.biz -- and there's a 'morphing' of personas and ownership of domain registrations between Fabios Caraminas in Sao Paulo .br and Bill Willson in Miami FL regarding the other domains yourpublicdns.biz and another one I forget. > I am trying to have the email address closed at Yahoo so I can close > spammies dns domain... > > Sent a bounce test to the email address with just the domain in the > subject line... Spammy asks me what I want... Anyway spammy is making > vieled threats... > > I am pretty sure Fabios is a Webfinity associate. I don't know webfinity from wildwest domains. I haven't researched it. Right now I just know what's at neulevel; I would have to go back over some googling to get anything useful for you. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Oct 2 20:00:15 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 2 22:00:03 2004 Subject: [SpamCop-List] Re: Paging Mike Easter... References: <415F205B.2020205@spamcop.net> Message-ID: Mike Easter wrote: > just made a reference in alt.astrology to the longer > criticism in alt.spam. In fact, shortly after that, I had to go over to alt.astrology and beef some more about a couple [or perhaps the same] of their anonymous lurkers who only 'came out' to trollishly crosspost http://snipurl.com/9i2f After that little diatribe, that was the end of that particular kind of alt.astrology 'business'. -- Mike Easter kibitzer, not SC admin From baloo at ursine.dyndns.org Sat Oct 2 19:24:18 2004 From: baloo at ursine.dyndns.org (Paul Johnson) Date: Sat Oct 2 22:25:03 2004 Subject: [SpamCop-List] Re: Ziff-Davis? 
References: Message-ID: <87lleoegql.fsf@ursine.dyndns.org> <#secure method=pgp mode=sign> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "WazoO" writes: > "Bob W." wrote... >> >> Well, I guess that analogy doesn't really fit, since TechTV has been >> known to be useful... > > Gads, change that to "had been useful" ... ComCast has > really screwed it up .. killed Call for Help, Yeah, I miss Call for Help when they would tell people to go RTFM on the obvious stuff, sticking only to the last-resort, stuck users. > really dumbed down The Screensavers At least they got rid of that Leo Laporte twit. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBX1TCUzgNqloQMwcRArUCAKC8+AWl1dbBXZ8YnVhfiugbPSwieACeKn2G c/m7ik+Pzlf11WrxlEqmpTc= =PQoi -----END PGP SIGNATURE----- From Merlyn at Spamcop.net Sat Oct 2 23:58:47 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Sat Oct 2 23:00:03 2004 Subject: [SpamCop-List] Re: Paging Mike Easter... References: <415F205B.2020205@spamcop.net> Message-ID: "Anony Mouse" wrote in message news:415F205B.2020205@spamcop.net... > Greetings Mike... > > Do you remember this... > [snippety snip] What's your point??????? -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From ric.gates at bigsleep.org Sun Oct 3 09:09:03 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Oct 3 04:10:23 2004 Subject: [SpamCop-List] Re: Ziff-Davis? References: <87lleoegql.fsf@ursine.dyndns.org> Message-ID: On 02 Oct 2004 Paul Johnson entered spamcop and left news:87lleoegql.fsf@ursine.dyndns.org: >> really dumbed down The Screensavers > > At least they got rid of that Leo Laporte twit. > My opinion about him changed when I sent him an eMail saying he didn't know what he was talking about, and he actually read it live. 
--
| Ric |

From nobody at xyzzy.claranet.de Sun Oct 3 13:14:04 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 3 06:20:20 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net>
Message-ID: <415FD0EC.2BDB@xyzzy.claranet.de>

Tuatara wrote:

> the person is profoundly naive.
> http://news.bbc.co.uk/2/hi/technology/3706828.stm

No, you're too polite. About SPF vs. Sender-ID:

| Despite the different names, these both do the same
| job of authenticating where an e-mail message came from.

Now if you get a mail from anywhere in the world with the
headers (among others)...

Return-Path: joe1@phisher.example
Resent-From: joe2@phisher.example
From: trusted@bank.example
Subject: Verify your viagra order
[...]

...then SPF checks the v=spf1 (resp. spf2.0/mfrom) sender
policy of phisher.example against the sending IP. This policy
can have the form "v=spf1 +all", or in other words "anybody is
allowed to use phisher.example in MAIL FROM".

No harm done, SPF is about useless bounces, and in this example
the mail PASSes (=> later bounces go to joe1). Of course the
normal idea is to specify less than +all, and reject mails with
a FAIL result (forged MAIL FROM).

Sender-ID checks the sender policy of the "PRA", in the example
that's Resent-From: joe2@phisher.example. With a similar sender
policy "spf2.0/pra +all" you get again a PASS.

In both cases this stuff arrives in your inbox. You know nothing
about the authentication with any existing MUA, and the
From: trusted@bank.example was never tested.

Sender-ID is snake oil. It does almost nothing against
phishing. OTOH SPF works as expected, it's only about
forged MAIL FROM headers.

> "The amount of spam seen by users will plummet, if not
> go to zero," he said.

Hogwash. With SPF the amount of forged MAIL FROM addresses
will drop for domains publishing a sender policy. Spammers
simply forge addresses without sender policy.

After some years the amount of forged MAIL FROM addresses
will really drop. Not very exciting for normal users, as long
as their address isn't abused by spammers. Then they publish
a SPF sender policy, and the spammers abuse another address,
etc.

With Sender-ID the effects are less clear, maybe we see more
Resent-* headers. Sender-ID is less interesting for mail
admins, because they can't check the "PRA" before the DATA
phase in a SMTP session.

I wouldn't implement it, it is too expensive to receive the
complete mail DATA and to evaluate a sender policy for
Sender-ID.

| It makes a huge difference on the phishing side,

That's plain nonsense, see above.

Bye, Frank

From nobody at xyzzy.claranet.de Sun Oct 3 15:03:33 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Oct 3 08:10:03 2004
Subject: [SpamCop-List] Re: OT SPF is harmful. Adopt it
References: <72m2h8lsfmlmd524h6prtkf1m7@inews_id.stereo.hq.phicoh.net> <415C57A0.6DA6@xyzzy.claranet.de>
Message-ID: <415FEA95.5499@xyzzy.claranet.de>

Philip Homburg wrote:

> I can imagine that for users who get a lot of spam and are at
> other end of a slow modem link, spam amounts to a denial of
> service attack. Again this is a security problem.

True, and in 2003 something like...

| Return-Path: interlotto_ned@yahoo.com
| X-Envelope-To: nobody@xyzzy.claranet.de
| Received: from [61.39.199.22] (helo=61.39.199.22) [...]
| Subject: C:\Documents and Settings\richard\Bureaublad\winning
| notification
| Sender: (ACCREDITED LICENSED AGENT TO NATIONAL LOTTERY
| COMPANY THE, NETHERLANDS HOST [...]
| Date: Sat, 2 Oct 2004 16:18:09 +0200
| X-Mailer: eGroups Message Poster [...]
| --> [3298027 of 3302391 bytes removed:
| purl.net/xyzzy/src/popstop.cmd v1.4]

...would have infuriated me. But MyDoom forced me to write
a PopsTop script, and some months later my ISP implemented a
worm killer - but obviously it didn't get this pseudo-Nimda
monster.
OTOH I've no idea what my ISP really does, from time to time
they identify SpamCop reports as spam. Probably triggered by
the subjects. As soon as you filter something there are always
false positives. And false negatives like this 3 MB monster.

> Next question is: "does requiring proper HELOs and reverse
> DNS solve this security problem". To some extent it does

HELO can help in cases like HELO OEMcomputer. Not directly in
the shown example, HELO [61.39.199.22] for IP 61.39.199.22 is
much better than any RfC. Okay, maybe the sender forgot the
square brackets, but that's something a worm author could fix.

> a significant amount of spam comes from machines that don't
> have proper reverse DNS.

Are you sure ? A significant amount of "my" spam comes from
trojaned Spamcast boxes, and these boxes have reverse DNS. And
blocking port 25 is a stupid idea, because it doesn't help
against other abuses like DDoS. Spammers are stupid and liars.

> fixing reverse DNS is relatively easy. So I'm not sure that
> it helps a lot in the long run.

ACK, it's more about good will or minimal clue... ;-) Better
than a "block port 25" scheme as an excuse for no abuse desk.

> If you don't want mail from dynamic addresses then that it
> your choice.

Some of my ISPs use this method. Not very different from the
"block port 25" idea. I'd probably test a modified approach,
dyn. IPs are IMHO not good enough for an MX.

So something like xyzzy.dnsalias.org with no MX at all should
not send mail, or in other words I wouldn't accept mail from
this host with a dyn. IP. No real problem, minus one "helo"
script used to catch RfC ignorants on xyzzy.dnsalias.org when
I'm online. ;-)

> HELO and reverse DNS are in the RFCs

The RfCs only say "FQDN, logging, never reject" about HELO, if
you play by the rules you must accept HELO OEMcomputer (unless
you claim that that's your own name ;-). You could say "but
OEMcomputer has no IP", and that's really not allowed.

This can be tricky, what about "HELO localhost" or even
"HELO tv" ? Somebody in dan-am (German version of nanae) found
the latter, tv is a host:

tv = 65.201.175.144

I really like this example. The RfC says "MUST accept" even if
the IPs don't match. Reverse DNS also isn't clear, somewhere in
103? I've seen a note roughly equivalent to a SHOULD, but no
MUST.

> dynamic addresses aren't (when it comes to e-mail).

In theory you're free to reject mail from any IP with an odd
digit, and whatever it does, today with more than 80% spam it
will reject a lot of spam. There's also no RfC about odd
digits in IPs.

"Almost all numbers have an odd digit" is a theorem in number
theory. I'm planning to patent "Odd IP" as the FUSSP before
MicroSoft, "Odd IP" certainly beats Sender-ID.

> Proper HELOs and reverse DNS are not required from a
> technical point of view.

IMHO a proper HELO makes sense, technically. At least for some
definitions of "proper" like "is there a at FQDN", e.g. tv has
no MX and no smtpd.

Reverse DNS also makes sense, if GetHostByAddr(IP) fails it
"should" be a private IP. Or an error, or a timeout, shit
happens. But definitely unusual.

Bye, Frank

From ric.gates at bigsleep.org Sun Oct 3 15:05:09 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sun Oct 3 10:10:03 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net>
Message-ID:

On 02 Oct 2004 Steven Maesslein entered spamcop and left
news:slrnclsv4h.1d6.nobody@127.0.0.1:

> I think you'll find the OP was talking about the company, sendmail.com,
> not the MTA "sendmail" available from sendmail.org.
>

I didn't realize there was a commercial version, but they are made by
the same company.

News from the sendmail.org site...

"Recently (2004-08-30), Sendmail, Inc. announced their support for IETF's
Sender ID proposal. sendmail.org has been receiving feedback on that
decision.
Please note that sendmail.org is a separate entity and hence feedback regarding Sendmail, Inc's decision should be directed to them, not sendmail.org. Please also do not ask us for help with the released software for Sender ID." I haven't looked into Sender ID, so I can't comment on it yet. -- | Ric | From ric.gates at bigsleep.org Sun Oct 3 15:11:03 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Oct 3 10:15:02 2004 Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical. References: <415e419f.5257031@news.spamcop.net> Message-ID: On 02 Oct 2004 Mike Richter entered spamcop and left news:cjmvg1$5pj$1@news.spamcop.net: > Blammo wrote: > >> >> Sendmail is free, I use it, I have configured it to require >> authentication, and because of my rulesets and blocklists I get >> practically no spam, and no complaints. >> > How would you get a complaint from someone who declines to > authenticate? (I am assuming that the scheme is a form of > challenge/response.) > I probably shouldn't have replied, they are apparently talking about Sender ID, I was talking about SMTP Authentication. > I face the issue with some Earthlink correspondents who love the C/R > they're introducing. If they introduce it for my MindSpring account > without a refusal option, they'll lose a subscriber. > Yes, I find C/R abusive and tend to block servers that use it because it often looks like an attack on the server. -- | Ric | From MikeE at ster.invalid Sun Oct 3 08:38:28 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 3 10:40:04 2004 Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical. References: <415e419f.5257031@news.spamcop.net> Message-ID: Blammo wrote: > "Recently (2004-08-30), Sendmail, Inc. announced their support for > IETF's Sender ID proposal. IETF's senderID proposal and all of the MARID working group structure around it has disappeared since then. 
Those guys are in fallback position, SPF, let's
wait and see mode.

--
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org Sun Oct 3 16:11:35 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sun Oct 3 11:15:03 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de>
Message-ID:

On 03 Oct 2004 Frank Ellermann entered spamcop and left
news:415FD0EC.2BDB@xyzzy.claranet.de:

> Sender-ID is snake oil. It does almost nothing against
> phishing. OTOH SPF works as expected, it's only about
> forged MAIL FROM headers.
>

MAIL FROM is not a header.

I'm still looking into this, but I think you are incorrect, SPF support is
being built into Sendmail, this is what http://www.sendmail.net/ is all
about.

--
| Ric |

From bct at annonymous.domain Sun Oct 3 14:13:24 2004
From: bct at annonymous.domain (BCT)
Date: Sun Oct 3 13:15:18 2004
Subject: [SpamCop-List] Reporting "zombie" spam
Message-ID:

http://www.spamhaus.org/query/bl?ip=132.220.81.69

spam in .spam

where to report www.truecreditinfo.biz?

many thanx,
bct

From MikeE at ster.invalid Sun Oct 3 12:26:59 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Oct 3 14:30:06 2004
Subject: [SpamCop-List] Re: Reporting "zombie" spam
References:
Message-ID:

BCT wrote:
> http://www.spamhaus.org/query/bl?ip=132.220.81.69
>
> spam in .spam
>
> where to report www.truecreditinfo.biz?

SC doesn't like what arin sez because

whois -h whois.arin.net 132.220.81.69 ...
OrgName: Sobeco Group, Inc.
NetRange: 132.220.0.0 - 132.220.255.255
CIDR: 132.220.0.0/16
NetName: SOBECO-NET
Comment: The information for this network has been reported to
Comment: be invalid. ARIN has attempted to obtain updated data, but has
Comment: been unsuccessful. To provide current contact information,

The spamhaus listing would suggest going upstream, the sorbs listing
calls it a hijacked disused netblock.

I would go after the ASN and the upstreams. radb doesn't give an asn
but cymru sez

whois -h whois.cymru.com 132.220.81.69 ...
ASN | IP | Name
22177 | 132.220.81.69 | BUSINESSNET DO BRASIL LTDA.

asn22177 =
owner: BUSINESSNET DO BRASIL LTDA
owner-c: ACS1-ARIN = asilva@BUSINESSNET.COM.BR

whois -h whois.abuse.net businessnet.com.br ...
mail-abuse@nic.br
postmaster@businessnet.com.br

and its upstreams are

Upstream Adjacent AS list
AS6140 IMPSA ImpSat = AS17379 Intelig Telecomunica Ltda

whois -h whois.abuse.net impsat.com ...
postmaster@impsat.com
vgadda@impsat.com
t.lynch@IMPSAT.COM (for impsat.com)

whois -h whois.abuse.net intelig.net.br ...
postmaster@intelig.net.br
analuiza.radler@inteligtelecom.com.br
jcorreia@contax.net.br (for intelig.net.br)

--
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org Sun Oct 3 19:47:03 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sun Oct 3 14:50:04 2004
Subject: [SpamCop-List] Re: Ziff-Davis?
References: <87lleoegql.fsf@ursine.dyndns.org>
Message-ID:

On 03 Oct 2004 Bob W. entered spamcop and left
news:responseguard-A0C36F.10314603102004@news.cesmail.net:

> In article ,
> Blammo wrote:
>
>> On 02 Oct 2004 Paul Johnson entered spamcop and left
>> news:87lleoegql.fsf@ursine.dyndns.org:
>>
>> >
>> > At least they got rid of that Leo Laporte twit.
>> >
>>
>> My opinion about him changed when I sent him an eMail saying he
>> didn't know what he was talking about, and he actually read it live.
>
> So... What was his response? And how did it change your opinion?
>

Oh, well, he made an incorrect statement, I corrected him and wrote
something like "next time check your facts before spouting off garbage".
He read the entire message, corrected himself, and so kinda made me look
like a jerk.
'Course it's possible he was told to read it and never read it beforehand.
-- | Ric | From nobody at spamcop.net Sun Oct 3 17:13:03 2004 From: nobody at spamcop.net (Pop (was Spamcop by accident)) Date: Sun Oct 3 16:15:07 2004 Subject: [SpamCop-List] Re: Ziff-Davis? References: <87lleoegql.fsf@ursine.dyndns.org> Message-ID: "Blammo" wrote in message news:Xns957777F0186B8blammo@216.154.195.61... | On 03 Oct 2004 Bob W. entered spamcop and left | news:responseguard-A0C36F.10314603102004@news.cesmail.net: | | > In article , | > Blammo wrote: | > | >> On 02 Oct 2004 Paul Johnson entered spamcop and left | >> news:87lleoegql.fsf@ursine.dyndns.org: | >> | >> > | >> > At least they got rid of that Leo Laporte twit. | >> > | >> | >> My opinion about him changed when I sent him an eMail saying he | >> didn't know what he was talking about, and he actually read it live. | > | > So... What was his response? And how did it change your opinion? | > | | Oh, well, he made an incorrect statement, I corrected him and wrote | something like "next time check your facts before spouting off garbage". | He read the entire message, corrected himself, and so kinda made me look | like a jerk. | 'Course it's possible he was told to read it and never read it beforehand. | | -- || Ric || Well, you were a jerk: Before spouting off garbage, you should think about how it will be received; as a jerk, or as someone wanting to be helpful. Your message hit the jerkoff bell in my opinion. Pop From aharper at D_N_A_I_._C_O_M Sun Oct 3 14:52:26 2004 From: aharper at D_N_A_I_._C_O_M (Alan Harper) Date: Sun Oct 3 16:55:11 2004 Subject: [SpamCop-List] Less spam avoiding filters Message-ID: <031020041352265732%aharper@D_N_A_I_._C_O_M> It feels as if Spamcop is becoming more effective over the last few months. I don't keep detailed statistics, but the amount of spam that has slipped through my filters has been Jun 04: 468 Jul 04: 388 Aug 04: 366 Sep 04: 271 I think I get about the same number of spams arriving at my mailboxes: 120 or so a day. 
My guess is that there are few machines being converted to spam sources, so spam cop is able to filter them more effectively, but perhaps the spamcop algorithms and data sets are getting better too? Alan From ric.gates at bigsleep.org Sun Oct 3 23:19:53 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Oct 3 18:20:08 2004 Subject: [SpamCop-List] Re: Ziff-Davis? References: <87lleoegql.fsf@ursine.dyndns.org> Message-ID: On 03 Oct 2004 Pop (was Spamcop by accident) entered spamcop and left news:cjpmg6$3dt$1@news.spamcop.net: > Well, you were a jerk: Before spouting off garbage, you should > think about how it will be received; as a jerk, or as someone > wanting to be helpful. Your message hit the jerkoff bell in my > opinion. > You don't need to lecture me, I do learn. Didn't I say I was a jerk? I don't understand why you even replied, I suppose you didn't understand that I was implicating myself. You are preaching to me when you have no idea of the whole story, what do you call that? -- | Ric From ric.gates at bigsleep.org Sun Oct 3 23:40:29 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Oct 3 18:45:04 2004 Subject: [SpamCop-List] Re: Ziff-Davis? References: <87lleoegql.fsf@ursine.dyndns.org> Message-ID: On 03 Oct 2004 Bob W. entered spamcop and left news:responseguard- 8B3646.15223303102004@news.cesmail.net: > Trolling. > > But he appears to be the original poster, and I believe, a regular. Odd that it is (his) only reply, but, better ignored. -- | Ric From nobody at xyzzy.claranet.de Mon Oct 4 06:41:41 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Oct 3 23:45:23 2004 Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical. References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> Message-ID: <4160C675.53F7@xyzzy.claranet.de> Blammo wrote: > MAIL FROM is not a header. Yes, sorry, it's an SMTP command. Only the final MTA (MDA) translates it into a Return-Path. 
> I'm still looking into this, but I think you are incorrect, > SPF support is being built into Sendmail Oops, I never said they didn't, because I don't know. I only didn't like the stuff in the BBC report, the end of spam and phishing isn't near. > this is what http://www.sendmail.net/ is all about. They are talking about spf2.0/pra, that's the Microsoft idea. spf2.0/mfrom is roughly the same as the classic v=spf1, and spf2.0/mfrom was published September 15. The sendmail.net announce was published August 30 (if the date on their page is correct), 3 weeks before MARID was closed by the IETF without result (September 23). The current state of the art is, that the author of the latest MARID drafts (spf2.0/mfrom based on protocol-03) agreed to integrate as many good ideas as possible from protocol-03 and spf2.0/mfrom into an updated v=spf1 document. That consolidates the MARID improvements in a v=spf1 compatible syntax (excl. PRA). It's the plan for the next days. Quite a lot of work for the author, but not really difficult, because the classic v=spf1 concepts are clear. Bye, Frank From 8vmb6jy02 at sneakemail.com Mon Oct 4 13:56:50 2004 From: 8vmb6jy02 at sneakemail.com (Sean W) Date: Mon Oct 4 08:00:22 2004 Subject: [SpamCop-List] Re: Reporting "zombie" spam In-Reply-To: References: Message-ID: Mike Easter wrote: > BCT wrote: > >>http://www.spamhaus.org/query/bl?ip=132.220.81.69 >> Yet more Ivo Ottavio Reali Camargo sewers. It's spew gets around. This name is cropping up everywhere lately. -- Sean From missannie at nospam.invalid Mon Oct 4 09:50:00 2004 From: missannie at nospam.invalid (MissAnnie) Date: Mon Oct 4 08:55:12 2004 Subject: [SpamCop-List] How to deal with this spam porn hosting site Message-ID: I have been receiving pornographic spam with inline images some advertising teen sex movies. The image host is a blacklisted IP. The images are held on movieexchange.biz which DNS is 222.222.48.115 CHINATELECOM-HE . 
Here is the samspade info on that DNS http://www.samspade.org/t/lookat?a=222.222.48.115 I have reported the header to SpamCop and spam@uce.gov.

Received: from 88.100.39.236 by 65.75.79.72; Mon, 04 Oct 2004 22:01:48 +0400 Message-ID:
From: "Wesley Gibbons"
Reply-To: "Wesley Gibbons"

The email header says it is from a Hotmail address. The spam abuse report sends mail to abuse@cablebahamas.com abuse@coralwave.com, hostmaster@cablebahamas.com.

Is there anything a private individual can do to contact the image host to get the images removed from the server? I can't imagine that someone has not tried to do it already since I have been receiving this porn spam for several days or weeks.

SpamPal detects it as spam. Is that all I can do?

--
MissAnnie

From firewoman at default.domain.not.available Mon Oct 4 11:21:04 2004
From: firewoman at default.domain.not.available (Firewoman)
Date: Mon Oct 4 10:20:24 2004
Subject: [SpamCop-List] Re: Rip Off Report?
References:
Message-ID:

"WazoO" wrote in message news:cjl172$3ge$1@news.spamcop.net...

> Well, it's been over 32 hours, so neither the "after midnight"
> and "after 24 hours" have correctly identified the magic
> moment of a provided response appearing on that page.

I don't usually check the groups on the weekend, but here's what I found Monday AM:

Rebuttal REBUTTAL employee
Submitted: 9/30/2004 12:11:28 PM
Modified: 10/1/2004 11:49:14 PM

Much Clarification

First of all, the $30 per year is the current cost for a Filtered E-Mail account that also has spam reporting capabilities. Not noted in this complaint is that there is also a free-reporting account and a pay-as-you-go type reporting account.

From MikeE at ster.invalid Mon Oct 4 08:27:25 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 4 10:30:04 2004
Subject: [SpamCop-List] Re: How to deal with this spam porn hosting site
References:
Message-ID:

MissAnnie wrote:

> I have been receiving pornographic spam with inline images some
> advertising teen sex movies. The image host is a blacklisted IP.
> The images are held on movieexchange.biz which DNS is 222.222.48.115

I can't find any such thing as movieexchange.biz - it doesn't DNS and it isn't in neulevel.biz and it doesn't google. Maybe you mistyped.

> CHINATELECOM-HE . Here is the samspade info on that DNS
> http://www.samspade.org/t/lookat?a=222.222.48.115 I have reported the
> header to SpamCop and spam@uce.gov.

222.222.48.115 /24netblock is spamhaused for various things
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL18652
notifying those .cn providers or their upstreams isn't going to get you much.

> Received: from 88.100.39.236 by 65.75.79.72; Mon, 04 Oct 2004
> 22:01:48 +0400 Message-ID:
> From: "Wesley Gibbons"
> Reply-To: "Wesley Gibbons"

What is this clipping of part of some headers supposed to mean? It is not at all helpful. If you want to talk about the complete headers and/or spam you should post the tracker here or the whole thing in .spam, not here.

> The email header says it is from a Hotmail address. The spam abuse
> report sends mail to abuse@cablebahamas.com
> abuse@coralwave.com, hostmaster@cablebahamas.com.

cablebahamas could be the notify for a lot of things, including the IP in the 'by' field up there - how that correlates with what we are talking about isn't clear yet.

whois -h whois.arin.net 65.75.79.72 ...
OrgName: Cable Bahamas
NetRange: 65.75.64.0 - 65.75.79.255

> Is there anything a private individual can do to contact the image
> host to get the images removed from the server?

First, we have to get it exactly straight what site we are talking about; but if it is on a .cn host, the answer is probably 'no'.

> I can't imagine
> that someone has not tried to do it already since I have been
> receiving this porn spam for several days or weeks.

For some unresponsive providers, notifying upstreams is useful. For some others, the upstreams are nonresponsive as well.

> SpamPal detects it as spam. Is that all I can do?

Just about.
We can talk about it a little more if we get the domainname straight.

Spamhaus sez this about the IP family 222.222.48.0/24 "also hosting domains spammed by hijacking trojaned zombies and misconfigured proxies"

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Oct 4 09:00:17 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 4 11:00:03 2004
Subject: [SpamCop-List] Re: How to deal with this spam porn hosting site
References:
Message-ID:

MissAnnie wrote:

> which DNS is 222.222.48.115
> CHINATELECOM-HE .

BTW, if you want to see an 'intense' recent examination and notify of a spam which involves that IP in the popup part, take a look at this workup by spamless in sightings

http://snipurl.com/9iyj
From: spamless@Nil.nil
Newsgroups: news.admin.net-abuse.sightings
Subject: [email] Cheating house wife
Message-ID: <200410030126.i931QK4r026148@NanasPost>

spamless is indefatigable - and a potent encoded javascript explorer and redirector chaser

--
Mike Easter
kibitzer, not SC admin

From missannie at nospam.invalid Mon Oct 4 12:19:21 2004
From: missannie at nospam.invalid (MissAnnie)
Date: Mon Oct 4 11:20:03 2004
Subject: [SpamCop-List] Re: How to deal with this spam porn hosting site
References:
Message-ID:

"Mike Easter" wrote in message news:cjrmht$55r$1@news.spamcop.net...
.>
> > Received: from 88.100.39.236 by 65.75.79.72; Mon, 04 Oct 2004
> > 22:01:48 +0400 Message-ID:
> > From: "Wesley Gibbons"
> > Reply-To: "Wesley Gibbons"
>
> What is this clipping of part of some headers supposed to mean? It is
> not at all helpful. If you want to talk about the complete headers
> and/or spam you should post the tracker here or the whole thing in .spam,
> not here.
>

Sorry I didn't know the whole header was necessary since I was just inquiring whether I could do anything other than report it to spamcop and with abuse.exe software. I want to keep my business IP private. Some over in "social" have verbally harassed me when I have posted here.
I want to make sure that does not happen again. Received: from 88.100.39.236 by 65.75.79.72; Mon, 04 Oct 2004 22:01:48 +0400 Message-ID: From: "Wesley Gibbons" Reply-To: "Wesley Gibbons" To: daylily@willowbrookacres.com Subject: **SPAM** largest movie collection Date: Mon, 04 Oct 2004 23:08:48 +0500 X-Mailer: AOL 5.0 for Windows US sub 413 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--11076429834977228569" X-Priority: 1 X-MSMail-Priority: High X-IP:235.139.245.172 ----11076429834977228569 Content-Type: text/html; Content-Transfer-Encoding: quoted-printable X-IMAIL-SPAM-VALFROM: (29a883a00066641c) X-RCPT-TO: private Status: U X-UIDL: 380126815 X-RegEx-Score: 987.5 X-RegEx-Warning: spam (987.5 > 499.9) X-RegEx: [109.6] FROM_AND_RECEIVED_DO_NOT_MATCH FQDN in From and Received header do not match X-RegEx: [52.9] SMTPD_IN_RCVD Received via SMTPD32 server (SMTPD32-n.n) X-RegEx: [193.7] X_PRIORITY_HIGH Sent with 'X-Priority' set to high X-RegEx: [50.0] X_MSMAIL_PRIORITY_HIGH Sent with 'X-Msmail-Priority' set to high X-RegEx: [50.1] MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE X-RegEx: [21.2] HTML_MESSAGE HTML included in message X-RegEx: [80.0] MIME_HTML_ONLY Message only has text/html MIME parts X-RegEx: [430.0] FORGED_MUA_AOL Forged mail pretending to be from AOL X-SpamPal: SPAM REGEX ID#278075805-70 exchange


Unlimited access to the largest
MOVIE collection Anywhere!

Lady Fellatio in the Dog House - Scene 8
Download, Sign Up Now For FREE
Blonde girl in a winter hat giving head to a guy on top of a A frame house. She sucks his cock and plays with her tits and pussy before getting a steaming load in her mouth.
Length:(00:05:56) - Niche: Hardcore

Highest Quality, Lowest File Sizes,
For Fastest Downloads!

Anal Teen Tryouts 2 - Scene 3
Download, Sign Up Now For FREE
Hot little blonde with small tits gets fucked in the ass.
Length:(00:19:42) - Niche: Anal

Unlimited Search & Screenshot Viewing

6 Black Sticks 1 White Trick - Scene 1
Download, Sign Up Now For FREE
Hot brunette is taken by six black guys and gang banged.
Length:(00:37:58) - Niche: Interracial

JOIN NOW FOR FREE ACCESS!

You are receiving this email because someone has shown interest in your profile before, or you have browsed our profiles in the past or please let us know if you are not interested in receiving our high quality letters in the future and you will never get our letter again. Thank you
Rmove yourself here

----11076429834977228569--

From MikeE at ster.invalid Mon Oct 4 09:50:00 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 4 11:50:03 2004
Subject: [SpamCop-List] Re: How to deal with this spam porn hosting site
References:
Message-ID:

MissAnnie wrote:
> "Mike Easter"

>> If you want to talk about the complete
>> headers and/or spam you should post the tracker here or the whole
>> thing in .spam, not here.

Notice that that up there from me distinctly sez *not here*

And the headers you posted still don't say 65.75.79.72 was the source. If SC parsed some headers and said that the source notify was the cablebahamas there must be another line on top which you didn't post here but excluded.

http://www.moviexchange.biz/emx1/emx1.htm

Also, the site is *moviexchange.biz* - not with 2 e/s in the middle 'movieexchange.biz' like you sed earlier. It currently shows registration information at neulevel.biz and with tucows sponsoring, but it doesn't currently resolve, so it is effectively 'dead' for the time being, and unreportable.

> Sorry I didn't know the whole header was necessary since I was just
> inquiring whether I could do anything other than report it to spamcop
> and with abuse.exe software. I want to keep my business IP private.
> Some over in "social" have verbally harassed me when I have posted
> here. I want to make sure that does not happen again.

Well, I guess I'm going to harass you again. You shouldn't post the spam here, as I said, and if you are trying to discuss anything about the source, you can't be cutting off the top of whatever you want to talk about; that part of the information is where the sourceline is.

It would be better to put the spam in the parser after mungeing the information in the top 'by' field, not excluding the whole Received line, and then copy the tracker url and paste it in here. Pasting spam in here is 'not allowed'.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Mon Oct 4 17:53:53 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Mon Oct 4 11:55:03 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:4160C675.53F7@xyzzy.claranet.de...
> Blammo wrote:
> <>
>
> They are talking about spf2.0/pra, that's the Microsoft idea.
> spf2.0/mfrom is roughly the same as the classic v=spf1, and
> spf2.0/mfrom was published September 15.
>
> The sendmail.net announce was published August 30 (if the date
> on their page is correct), 3 weeks before MARID was closed by
> the IETF without result (September 23).
>
> The current state of the art is, that the author of the latest
> MARID drafts (spf2.0/mfrom based on protocol-03) agreed to
> integrate as many good ideas as possible from protocol-03 and
> spf2.0/mfrom into an updated v=spf1 document.
>
> That consolidates the MARID improvements in a v=spf1 compatible
> syntax (excl. PRA). It's the plan for the next days. Quite a
> lot of work for the author, but not really difficult, because
> the classic v=spf1 concepts are clear.
>
> Bye, Frank
>

I don't think it was a M$ idea so much, as that they tried to patent it (so that they would be able to claim royalties off everyone at a later date no doubt) and it was this that scuppered the scheme because IBM et al walked away once they got wind of it.

http://www.pcpro.co.uk/news/63160/antispoofing-initiative-sender-id-grinds-to-a-halt.html?

From porpoise1954 at yahoo.co.uk Mon Oct 4 17:59:39 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Mon Oct 4 12:05:02 2004
Subject: [SpamCop-List] Re: How to deal with this spam porn hosting site
References:
Message-ID:

"MissAnnie" wrote in message news:cjrpln$a6u$1@news.spamcop.net...
> "Mike Easter" wrote in message
> news:cjrmht$55r$1@news.spamcop.net...
> .>
> > > Received: from 88.100.39.236 by 65.75.79.72; Mon, 04 Oct 2004
> > > 22:01:48 +0400 Message-ID:
> > > From: "Wesley Gibbons"
> > > Reply-To: "Wesley Gibbons"
> >
> > What is this clipping of part of some headers supposed to mean? It is
> > not at all helpful. If you want to talk about the complete headers
> > and/or spam you should post the tracker here or the whole thing in .spam,
> > not here.
> >
>
> Sorry I didn't know the whole header was necessary since I was just
> inquiring whether I could do anything other than report it to spamcop and
> with abuse.exe software. I want to keep my business IP private. Some over
> in "social" have verbally harassed me when I have posted here. I want to
> make sure that does not happen again.
> <>

It would have been more helpful if you'd read Mike's reply in full. Especially the bit about posting the spam in .spam or the *tracker* here............

From MikeE at ster.invalid Mon Oct 4 10:12:17 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 4 12:15:03 2004
Subject: [SpamCop-List] Re: How to deal with this spam porn hosting site
References:
Message-ID:

Mike Easter wrote:

> It would be better to put the spam in the parser after mungeing the
> information in the top 'by' field, not excluding the whole Received
> line, and then copy the tracker url and paste it in here. Pasting
> spam in here is 'not allowed'.

Here's a 'demonstration' of what I'm talking about.

www.spamcop.net/sc?id=z679168157z4869c9be6af42b1ab766ec0b6ea7f447z

That's the tracker for the spam example of my demonstration.
That's what you can post here, it lives in this context at the top: "Here is your TRACKING URL - it may be saved for future reference:"

Also, for your concern about exposing your IP, my demonstration item above also replaces my EL server's information, which was in the 'by' field with ''

Then, anyone who wants to 'look at' the entire issue anyone is talking about that spam and how SC parses it and reports it can see everything, without posting any spam in the wrong places.

If you must post spam somewhere, it can only be posted in the newsgroup spamcop.spam; but the problem with that is that your newsreader makes a 'mess' of the posting because it introduces linewraps where they don't belong, which have to be removed by hand if one wants to see how SC parses the item. The tracker shows it all, the parse, no wraps, and no 'bad' spam posting.

--
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org Mon Oct 4 18:24:07 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Mon Oct 4 13:25:18 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de>
Message-ID:

On 03 Oct 2004 Frank Ellermann entered spamcop and left news:4160C675.53F7@xyzzy.claranet.de:

> Blammo wrote:
>
>> MAIL FROM is not a header.
>
> Yes, sorry, it's an SMTP command. Only the final MTA (MDA)
> translates it into a Return-Path.
>

That's not necessarily true either, Return-Path is only added by mail relays, as per the RFCs. I believe some MTAs like Postfix add it regardless.

>
>> this is what http://www.sendmail.net/ is all about.
>
> They are talking about spf2.0/pra, that's the Microsoft idea.
> spf2.0/mfrom is roughly the same as the classic v=spf1, and
> spf2.0/mfrom was published September 15.
>

My take was they are combining three different types of sender authentication. But it seems unclear, I think we are at the wait-and-see stage.

--
| Ric

From Spam_N_Scams_Reporter at yahoo.whatever Mon Oct 4 15:18:52 2004
From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter)
Date: Mon Oct 4 17:20:21 2004
Subject: [SpamCop-List] Lolita site shut down by Yahoo/GeoCities
Message-ID:

I'm not sure why SC

Hello,

Thank you for writing to Yahoo! GeoCities.

Thank you for informing us of possible abuse on Yahoo! GeoCities. We have investigated the site and taken the necessary action.

Please continue to notify us of any content you believe violates the GeoCities Terms of Service, located at:

http://docs.yahoo.com/info/terms/geoterms.html

Site in question: http://www.geocities.com/diosfanplitorda/pppd/

I do not understand why spamcop doesn't use the geo-guidelines@yahoo-inc.com addy for sites hosted by Yahoo/GeoCities, unless that is where the "internal SpamCop handling (Yahoo)" ends up. I have been successful numerous times using this address.

http://www.spamcop.net/sc?id=z678472168z5c6d60ee44802e283c4ec812f1f40814z

From usenet1 at DE.LETE.THISljvideo.com Mon Oct 4 23:49:44 2004
From: usenet1 at DE.LETE.THISljvideo.com (Larry J.)
Date: Mon Oct 4 18:50:21 2004
Subject: [SpamCop-List] Re: Spammer Contact Info.: What to Do with It?
References: <415A53CC.946AAF2B@spammersgotohell.com> <415AFD37.8C122282@spammersgotohell.com>
Message-ID:

Waving the right to remain silent, "Bob" wrote:

> I was not looking for an argument either, nor was I looking for an
> education on netiquette.

You're gonna get it, whether you like it or not, from that guy.

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail
"Lord, are we worthy of the task that lies before us, or are we just jerking off..?"

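Mike Easter's advice earlier in this thread (munge the top 'by' field instead of cutting the whole Received line before sharing or submitting a spam sample) can be shown in code. The Python below is an added example, not part of any list message and not SpamCop's parser; the sample headers, the `munged.invalid` placeholder and every function name are constructed for illustration, and it assumes the topmost Received field is the one written by the reporter's own mail server.

```python
import re

# Placeholders chosen for this example; any obviously fake value works.
MUNGED_HOST = "munged.invalid"
MUNGED_RCPT = "<x@munged.invalid>"

# Constructed sample using documentation IP ranges and .example names.
# Field 1 was added by the reporter's own server and names the real source.
# Field 2 arrived with the message and is forged by the sender.
SAMPLE = (
    "Received: from pool-7.isp.example (pool-7.isp.example [203.0.113.7])\n"
    "\tby mx.smallbiz.example (8.12.10/8.12.10) with SMTP id i94I1mXX012345\n"
    "\tfor <owner@smallbiz.example>; Mon, 04 Oct 2004 14:01:48 -0400\n"
    "Received: from 198.51.100.9 by 203.0.113.7; Mon, 04 Oct 2004 22:01:48 +0400\n"
    'From: "Constructed Sender" <sender@mail.example>\n'
    "Subject: constructed sample\n"
    "\n"
    "body text\n"
)

FROM_RE = re.compile(r"\bfrom\s+(.*?)\s+by\s", re.IGNORECASE | re.DOTALL)
BY_RE = re.compile(r"(\bby\s+)\S+", re.IGNORECASE)
FOR_RE = re.compile(r"(\bfor\s+)<?[^\s;<>]+>?", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def split_message(raw):
    """Return (header fields, rest); folded continuation lines stay attached."""
    head, sep, body = raw.partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\n" + line
        else:
            fields.append(line)
    return fields, sep + body


def top_received(fields):
    """Index of the topmost Received field, or None if there is none."""
    for i, field in enumerate(fields):
        if field.lower().startswith("received:"):
            return i
    return None


def munge_top_received(raw):
    """Hide the reporter's own host and mailbox but keep the field in place."""
    fields, rest = split_message(raw)
    i = top_received(fields)
    if i is not None:
        field = BY_RE.sub(lambda m: m.group(1) + MUNGED_HOST, fields[i], count=1)
        fields[i] = FOR_RE.sub(lambda m: m.group(1) + MUNGED_RCPT, field, count=1)
    return "\n".join(fields) + rest


def drop_top_received(raw):
    """The mistake discussed in the thread: cut the whole top field."""
    fields, rest = split_message(raw)
    i = top_received(fields)
    if i is not None:
        del fields[i]
    return "\n".join(fields) + rest


def apparent_source(raw):
    """IP a reader would take as the source: 'from' clause of the top field."""
    fields, _ = split_message(raw)
    i = top_received(fields)
    if i is None:
        return None
    clause = FROM_RE.search(fields[i])
    ip = IPV4_RE.search(clause.group(1)) if clause else None
    return ip.group(0) if ip else None


if __name__ == "__main__":
    print("original :", apparent_source(SAMPLE))
    print("munged   :", apparent_source(munge_top_received(SAMPLE)))
    print("top cut  :", apparent_source(drop_top_received(SAMPLE)))
    print(munge_top_received(SAMPLE).split("\n\n")[0])
```

Cutting the top field leaves the forged line on top, so the apparent source becomes an address the sender chose. Fields such as To: can also identify the reporter and are outside what this sketch touches.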
From spamcop at oitc.com Mon Oct 4 20:05:56 2004
From: spamcop at oitc.com (spamcop)
Date: Mon Oct 4 19:10:13 2004
Subject: [SpamCop-List] Missed url
Message-ID:

Missed iframe in http://www.spamcop.net/sc?id=z679302539z9de5f0f071f599de41dabf0b73e28b6bz

From eddie at eddie.web Mon Oct 4 23:41:24 2004
From: eddie at eddie.web (eddie)
Date: Mon Oct 4 22:45:24 2004
Subject: [SpamCop-List] Another helpful spammer?
Message-ID:

I had written that a spammer had apparently left me his real email address, either by accident or by virtue of the ISP forcing his real address on the header. Here is another one, from comcast, which seems to contain the actual email address of Mr. Spewbucket.

Do I really have his email address or is this a fake? The IP embedded in the address is the one in the header, and there certainly is a name@[IPkind of thingee.comcast.net] as the return address in the From: box.

Comments ?

tracker: http://www.spamcop.net/sc?id=z679356793zfdc497316110ffd0debdbbfdfbf1b545z

--
Rather: I don't want to be argumentative, Mr. vice president.
Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't.

From nobody at nowhere.invalid Tue Oct 5 11:36:04 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Oct 5 04:40:49 2004
Subject: [SpamCop-List] Re: Another helpful spammer?
References:
Message-ID:

On Mon, 04 Oct 2004 22:41:24 -0400, eddie coughed into spamcop and left this in :

> Do I really have his email address or is this a fake? The IP embedded in
> the address is the one in the header, and there certainly is a
> name@[IPkind of thingee.comcast.net] as the return address in the From:
> box.

Fake and completely unusable unless there's an MTA running on that box. The spamware simply constructs the "From:" address using a random username and the rDNS name as the domain part. A mail sent to the address in question here has no more chance of being delivered to spammy than something sent to randomname@your_rdns_name has of being delivered to you.

--
Steve
If you don't pay your exorcist, do you get repossessed?

From nobody at devnull.spamcop.net Tue Oct 5 18:55:02 2004
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Oct 5 04:55:59 2004
Subject: [SpamCop-List] SpamCop Statistics
Message-ID:

What is it with the low spam / report volume on the statistics ( http://members.spamcop.net/spamgraph.shtml?spammonth ) this and last week? I did not notice any drop in spam volumes; has SC improved their filters? (I am still a classical SpamCop member).

From MikeE at ster.invalid Tue Oct 5 03:41:39 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 05:45:20 2004
Subject: [SpamCop-List] Re: SpamCop Statistics
References:
Message-ID:

Patto wrote:

> What is it with the low spam / report volume on the statistics (
> http://members.spamcop.net/spamgraph.shtml?spammonth ) this and last
> week? I did not notice any drop in spam volumes; has SC improved
> their filters? (I am still a classical SpamCop member).

Two fairly recent threads on the subject here:

From: "Mike Easter"
Subject: Statistics
Date: Sun, 26 Sep 2004 02:33:23 -0700
Message-ID:

From: Lars Poulsen
Newsgroups: spamcop
Subject: Stats page
Date: Wed, 22 Sep 2004 09:42:46 +0200
Message-ID:

Lars thread addresses the change starting the 20th of Sep, while mine addresses the similarities of things from a year ago to the present, followed by a change in 2004 July, followed by the Sep change, sortofa reversal to the earlier configuration.

Ellen comments in Lars thread that there was an under the covers change in the SC reporting methods, not a real change in the spam.

Wazoo comments in my thread about Aug comments in the forum at http://forum.spamcop.net/forums/index.php?showtopic=2437

The condition from 2004 Jul-Sep causes the statistical appearance of a higher number of spams but a lower ratio of reports per spam.
It might be further added, parenthetically, that mole reporting of one spam does not result in actual reporting; and that quick reporting of one spam reports source only, whereas normal reporting of one spam reports source and spamvertisers.

And it might be still further added, that a 'definition' of the statistics pages and how the statistics are actually calculated is not provided and never has been, before or after any changes.

--
Mike Easter
kibitzer, not SC admin

From dkona7b02 at sneakemail.com Tue Oct 5 11:09:15 2004
From: dkona7b02 at sneakemail.com (Spam Hater)
Date: Tue Oct 5 10:11:41 2004
Subject: [SpamCop-List] funky routing, why take bad default over presumably good whoisinfo? Attn: Deputies
Message-ID: <3.0.5.32.20041005100915.01369110@loki.fstrf.org>

I just filed a report for a 419 scam SPAM:

http://www.spamcop.net/sc?id=z679536327zb49c778f07b1cdb6b5cd98b6a761a7a6z

the parser identified the source and looked up the whois info and came back with info@greatnet.de. It then went to check abuse.net and couldn't find an address so decided to go with the default of postmaster@greatnet.de instead. Only problem with that is that address bounces!!! So, the report ends up going to the bit bucket which really doesn't help anyone...

Why does the parser make such bad choices given seemingly valid data from whois??

Tracking message source: 83.133.97.66:
Routing details for 83.133.97.66
[refresh/show] Cached whois for 83.133.97.66 : info@greatnet.de
Using abuse net on info@greatnet.de
No abuse net record for greatnet.de
Using default postmaster contacts postmaster@greatnet.de
postmaster@greatnet.de bounces (9 sent : 7 bounces)

Using postmaster#greatnet.de@devnull.spamcop.net for statistical tracking

Ugggg...

Disclaimer: I don't care about your personal opinions regarding my posting style nor do I care that I may have posted this in the wrong group. If you feel so strongly that it belongs in .routing, feel free to copy it there.
If you can't answer my question or offer a "me too", don't respond at all! This isn't flame bait, it is a simple question that I'd appreciate a simple answer for and I don't need any lessons from the netiquette neurotics on this list who have no lives and have nothing better to do than rip into each and every poster who comes here for help and advice.

From I_Report_Spam at webtv.net Tue Oct 5 08:38:54 2004
From: I_Report_Spam at webtv.net (DJ Mike)
Date: Tue Oct 5 10:50:03 2004
Subject: [SpamCop-List] Spamcop email hacked again
Message-ID: <13838-4162B1FE-87@storefull-3277.bay.webtv.net>

Logging in today. I got:

Last login: Tue 05 Oct 2004 01:31:48 AM EDT from 0-1pool6-198.nas35.los-angeles2.ca.us.da.qwest.net

I only use webtv so it should only be:

..from netcache-3001.bay.webtv.net

Webtv cannot run any kind of executable files so it can't run viruses or spyware. I have changed my password since this last happened. I have never shared my PW before or after that. The links on spamcop email don't work for webtv so they couldn't have gotten in by following a referral. (Not sure if that would work on SC) and I had been offline for several hours any way.

Anyone else finding their accounts hacked or have any idea how this is happening?

From MikeE at ster.invalid Tue Oct 5 09:31:31 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 11:35:04 2004
Subject: [SpamCop-List] Re: funky routing, why take bad default over presumably good whois info? Attn: Deputies
References:
Message-ID:

Spam Hater wrote:

>www.spamcop.net/sc?id=z679536327zb49c778f07b1cdb6b5cd98b6a761a7a6z
>
> the parser identified the source and looked up the whois info and
> came back with info@greatnet.de.

That is the eml of the technical contact. If I were notifying as a human, I would take note of it.

> It then went to check abuse.net and
> couldn't find an address so decided to go with the default of
> postmaster@greatnet.de instead.

Correct. The algorithm does that.
In the past it has chosen to use the technical contact address. I as a human decline to send notifies to default pm addresses; but I often notify a lot differently than SC does, so leaving out the default pm is just as well for me to do.

> Only problem
> with that is that address bounces!!!

The SC experience is
postmaster@greatnet.de bounces (9 sent : 7 bounces)
which means that 9 were sent successfully and 7 were sent which bounced. I don't know the 'formula' that SC uses about when to switch to postmaster#greatnet.de@devnull.spamcop.net and when not.

> So, the report ends up going to
> the bit bucket which really doesn't help anyone...

The report still counts toward the SCbl where that IP is listed, among other places. But, the pm addy and the info addy don't get mailed a report, if that's what you mean. Not receiving SC reports successfully is a disadvantage to greatnet.de - but they should have some abuse addresses reg'd.

> Why does the parser make such bad choices given seemingly valid data
> from whois??

I don't know that it is necessarily 'bad' - someone else will have to defend the algorithm's choice here; I've explained that I would do it differently. SC has also done it differently in the past.

> Using postmaster#greatnet.de@devnull.spamcop.net for statistical
> tracking
> Disclaimer: I don't care about your personal opinions regarding my
> posting style

Anyone is free to comment on anything about your post they care to. This is a community and you are a participant just like the rest of us.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 5 11:00:14 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 13:00:07 2004
Subject: [SpamCop-List] Re: funky routing, why take bad default over presumably good whois info? Attn: Deputies
References:
Message-ID:

Mike Easter wrote:
> Spam Hater wrote:

>> the parser identified the source and looked up the whois info and
>> came back with info@greatnet.de.
>
> That is the eml of the technical contact. If I were notifying as a
> human, I would take note of it.
>
>> It then went to check abuse.net and
>> couldn't find an address so decided to go with the default of
>> postmaster@greatnet.de instead.

> postmaster@greatnet.de bounces (9 sent : 7 bounces)

If anyone from routing is peeking in here, the abuse addy might work better than the pm

RCPT TO:
250 2.1.5 ... Recipient ok

RCPT TO:
550 5.1.1 ... User unknown
Doesn't want to talk to us

Personally, as a human, I take into account the fact that there is an info addy, that SC was able to successfully mail the pm sometimes, and any other information I have, such as this current investigation about the abuse address, the fact that the pm bounces a lot, and the fact that there isn't a reg'd abuse.net address. I would also note that the IP is listed in multiple db/s, but not spews or spamhaus, but I might notify the upstream or ASN on the general principles theory.

The ASN is AS13237 according to both radb and cymru and that is lambdanet which has reg'd abuse addies

whois -h whois.abuse.net lambdanet.net ...
abuse@lambdanet.net postmaster@lambdanet.net (for lambdanet.net)

That lambdanet information also appears in the ripe lookup for the IP.

So, humans like me might notify 3 greatnet addies and 2 lambdanets and make a note to lambdanet about greatnet's problems with their not being listed in abuse.net and having a sometimes bouncing pm, also about their being listed in multiple spam db/s including SC, dnsbl, moensted, psbl, & wpbl.

It is possible that lambdanet might speak to greatnet about something in there.

--
Mike Easter
kibitzer, not SC admin

From mfkmek820 at yahoo.com Tue Oct 5 11:37:26 2004
From: mfkmek820 at yahoo.com (Spam Hater)
Date: Tue Oct 5 13:40:06 2004
Subject: [SpamCop-List] 419 Scam reporting
Message-ID:

Can anyone testify to the validity and authenticity of the following links. They are soliciting 419 scammer reports.

419@nigeriapolice.org and fpro@nigeriapolice.org

From MikeE at ster.invalid Tue Oct 5 11:40:45 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 13:40:15 2004
Subject: [SpamCop-List] Re: funky routing, why take bad default over presumably good whois info? Attn: Deputies
References:
Message-ID:

Spam Hater wrote:

> nor do I care that I may have posted this in the wrong group. If you
> feel so strongly that it belongs in .routing, feel free to copy it
> there.

The business about .routing can be examined by going over to routing and reading some fraction or all of the total 189 messages there since mid July, 42 of which are from Ellen.

The idea is that if a person has a good enough question about how the routing is configured, including a tracker, and/or a good enough suggestion about how the routing might be alternatively configured, Ellen might or not act on it. Naturally I would assume that would have to be integrated with other priorities.

Personally, I think routing and notifies in general is a complicated kinda business, and I would rather make my 'personal' notifies on my own terms and let SC derive its own formulas and routing entries for how to notify. Therefore I decided that I couldn't be very helpful in routing.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 5 11:48:54 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 13:50:02 2004
Subject: [SpamCop-List] Re: 419 Scam reporting
References:
Message-ID:

Spam Hater wrote:

> Can anyone testify to the validity and authenticity of the following
> links. They are soliciting 419 scammer reports.
>
> 419@nigeriapolice.org and fpro@nigeriapolice.org

No I can't testify, except others have mentioned the domain and addies.
They have a website at http://www.nigeriapolice.org/ but they aren't mentioned at a very important 419 informational site http://home.rica.net/alphae/419coal/ Nigeria - The 419 Coalition Website We Fight the Nigerian Scam with Education and/but I don't see anything negative googling. -- Mike Easter kibitzer, not SC admin From mfkmek820 at yahoo.com Tue Oct 5 11:57:27 2004 From: mfkmek820 at yahoo.com (Spam Hater) Date: Tue Oct 5 14:00:04 2004 Subject: [SpamCop-List] Re: funky routing, why take bad default over presumably good whois info? Attn: Deputies References: Message-ID: Hello I was surprised to see this post. Are you another "Spam Hater"? I have previously posted using that handle. Fred "Spam Hater" wrote in message news:mailman.259.1096985486.9607.spamcop-list@news.spamcop.net... >I just filed a report for a 419 scam SPAM: > > http://www.spamcop.net/sc?id=z679536327zb49c778f07b1cdb6b5cd98b6a761a7a6z > > the parser identified the source and looked up the whois info and came > back with > info@greatnet.de. It then went to check abuse.net and couldn't find an > address so > decided to go with the default of postmaster@greatnet.de instead. Only > problem > with that is that address bounces!!! So, the report ends up going to the > bit bucket > which really doesn't help anyone... > > Why does the parser make such bad choices given seemingly valid data from > whois?? > > Tracking message source: 83.133.97.66: > Routing details for 83.133.97.66 > [refresh/show] Cached whois for 83.133.97.66 : info@greatnet.de > Using abuse net on info@greatnet.de > No abuse net record for greatnet.de > Using default postmaster contacts postmaster@greatnet.de > postmaster@greatnet.de bounces (9 sent : 7 bounces) > > Using postmaster#greatnet.de@devnull.spamcop.net for statistical tracking > > Ugggg... > > Disclaimer: I don't care about your personal opinions regarding my posting > style > nor do I care that I may have posted this in the wrong group. 
If you feel
> so
> strongly that it belongs in .routing, feel free to copy it there. If you
> can't answer
> my question or offer a "me to", don't respond at all! This isn't flame
> bait, it is a
> simple question that I'd appreciate a simple answer for and I don't need
> any
> lessons from the netiquette neurotics on this list who have no lives and
> have
> nothing better to do than rip into each and every poster who comes here
> for
> help and advice.

From nobody at spamcop.net Tue Oct 5 15:35:47 2004
From: nobody at spamcop.net (Ellen)
Date: Tue Oct 5 14:40:05 2004
Subject: [SpamCop-List] Re: funky routing, why take bad default over presumably good whois info? Attn: Deputies
References:
Message-ID:

"Mike Easter" wrote in message news:cjujsr$n83$1@news.spamcop.net...
> Mike Easter wrote:
> > Spam Hater wrote:
>
> >> the parser identified the source and looked up the whois info and
> >> came back with info@greatnet.de.
> >
> > That is the eml of the technical contact. If I were notifying as a
> > human, I would take note of it.
> >
> >> It then went to check abuse.net and
> >> couldn't find an address so decided to go with the default of
> >> postmaster@greatnet.de instead.
>
> > postmaster@greatnet.de bounces (9 sent : 7 bounces)
>
> If anyone from routing is peeking in here, the abuse addy might work
> better than the pm
>
> RCPT TO:
> 250 2.1.5 ... Recipient ok
>
> RCPT TO:
> 550 5.1.1 ... User unknown
> Doesn't want to talk to us
>
> Personally, as a human, I take into account the fact that there is an
> info addy, that SC was able to successfully mail the pm sometimes, and
> any other information I have, such as this current investigation about
> the abuse address, the fact that the pm bounces a lot, and the fact that
> there isn't a reg'd abuse.net address. I would also note that the IP is
> listed in multiple db/s, but not spews or spamhaus, but I might notify
> the upstream or ASN on the general principles theory.
>
> The ASN is AS13237 according to both radb and cymru and that is lambdanet
> which has reg'd abuse addies
>
> whois -h whois.abuse.net lambdanet.net ...
> abuse@lambdanet.net postmaster@lambdanet.net (for lambdanet.net)
>
> That lambdanet information also appears in the ripe lookup for the IP.
>
> So, humans like me might notify 3 greatnet addies and 2 lambdanets and
> make a note to lambdanet about greatnet's problems with their not being
> listed in abuse.net and having a sometimes bouncing pm, also about their
> being listed in multiple spam db/s including SC, dnsbl, moensted, psbl, &
> wpbl.
>
> It is possible that lambdanet might speak to greatnet about something in
> there.
>

I reset the bounce counter, we'll see what happens. I note, looking at the history, that the last report sent was in August. Now if there have only been 7 or 9 reports that have been attempted to be sent since then and bounced that is interesting.

Ellen

From MikeE at ster.invalid Tue Oct 5 12:52:15 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 14:55:03 2004
Subject: [SpamCop-List] Re: funky routing, why take bad default over presumably good whois info? Attn: Deputies
References:
Message-ID:

Spam Hater mfkmek820@yahoo.com wrote:
> I was surprised to see this post. Are you another "Spam Hater"? I have
> previously posted using that handle.
> Fred
>
> "Spam Hater" wrote in message

You two spamhaters need to get that worked out between yourselves because it is very confusing to have identical handles, especially if they are going to have conversations with each other or even be found in the same newsgroup at about the same time. Rather than argue about who was first, I suggest that both of you make some modification or adjustment, great or small, to distinguish your handles from each other.

I've also seen another spamhater from addy here, namely a gci one; I'm assuming that's also Fred on the basis of some other information.
--
Mike Easter
kibitzer, not SC admin

From Merlyn at Spamcop.net Tue Oct 5 15:54:38 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Tue Oct 5 14:55:10 2004
Subject: [SpamCop-List] Re: funky routing, why take bad default over presumably good whois info? Attn: Deputies
References:
Message-ID:

"Mike Easter" wrote in message news:cjuqes$26l$1@news.spamcop.net...
> Spam Hater mfkmek820@yahoo.com wrote:
>
> You two spamhaters need to get that worked out between yourselves because
> it is very confusing to have identical handles, especially if they are
> going to have conversations with each other or even be found in the same
> newsgroup at about the same time. Rather than argue about who was first,
> I suggest that both of you make some modification or adjustment, great or
> small, to distinguish your handles from each other.
>
> I've also seen another spamhater from addy here, namely a gci one; I'm
> assuming that's also Fred on the basis of some other information.
>

I hope both of them don't top post.

--
Regards,
Merlyn

A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought
which they avoided

From MikeE at ster.invalid Tue Oct 5 12:59:41 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 15:00:04 2004
Subject: [SpamCop-List] Re: funky routing, why take bad default over presumably good whois info? Attn: Deputies
References:
Message-ID:

Merlyn wrote:
> I hope both of them don't top post.

Heh. I reckon we'll 'get into' that eventually.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Tue Oct 5 22:59:58 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Oct 5 16:00:17 2004
Subject: [SpamCop-List] Re: 419 Scam reporting
References:
Message-ID:

On Tue, 5 Oct 2004 10:48:54 -0700, Mike Easter coughed into spamcop and left this in :

> No I can't testify, except others have mentioned the domain and addies.
> They have a website at http://www.nigeriapolice.org/
>
> but they aren't mentioned at a very important 419 informational site

I wouldn't expect any action against 419ers from inside Nigeria itself. 419ing is a state-sanctioned activity which brings in a significant chunk of the total foreign currency flowing into Nigeria. The Nigerian government (or what attempts to pass as one) has too much at stake to allow people actually to apply the law and stop it from happening.

--
Steve
A conclusion is simply the place where someone got tired of thinking.

From MikeE at ster.invalid Tue Oct 5 14:21:51 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 16:25:02 2004
Subject: [SpamCop-List] Re: 419 Scam reporting
References:
Message-ID:

Steven Maesslein wrote:
> I wouldn't expect any action against 419ers from inside Nigeria
> itself.

Our [US] 419 reporting and advisory site http://www.secretservice.gov/alert419.shtml doesn't mention the nigeriapolice domain one way or another; but the police site is 'interesting' and seems to be mostly oriented around the functions of the 'Force Public Relations Officer' and the force's aggrandizement and public image.

I wondered if it was totally bogus and some kind of gig to gain from the myriad people who get 419s, but I haven't seen that yet. I think it must really be there for a public interface - also has a forum.

--
Mike Easter
kibitzer, not SC admin

From mfkmek820 at yahoo.com Tue Oct 5 14:33:14 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Tue Oct 5 16:35:03 2004
Subject: [SpamCop-List] Changing Handle
Message-ID:

Ok I changed the handle in my news account. The Spam Hater is my spamcop alias.

From dkona7b02 at sneakemail.com Tue Oct 5 16:25:32 2004
From: dkona7b02 at sneakemail.com (Spam Hater)
Date: Tue Oct 5 16:35:55 2004
Subject: [SpamCop-List] Re: Who's who - was: funky routing
In-Reply-To:
References:
Message-ID: <3.0.5.32.20041005152532.014aaab8@loki.fstrf.org>

Odd, I didn't see his original message...
:(

I have been Spam Hater on here since I joined the list:

Subject: SpamCop-List -- confirmation of subscription -- request 270982
From: spamcop-list-request@news.spamcop.net
Date: Tue, 2 Apr 2002 13:37:09 -0500 (EST)

I don't post all that often because the netiquette neurotics jump all over my posts without adding anything useful to the underlying question at hand. See Merlyn's response after Mike's for a perfect example of what I am referring to! At least Mike took the time to do a rather detailed analysis of my original problem and answered as best he could over several very good posts offering both facts and his opinions. Due to the plethora of information he dug up, Ellen took notice and tweaked something to reset it which should help the situation. It also sounded as if she would look into this particular example a bit more because it seems odd enough to warrant further investigation. This is exactly the sort of response I was hoping for when I sent the original details of the problem as I saw it.

I found it amusing when your posts first showed up but it is definitely confusing when someone replies to you and I think it is to me. No big deal though. This group isn't about individuals, so who cares what name is on the post, right? The only thing I should warn you about is that some of the aforementioned netiquette neurotics have *plonked* me and if they did so based only on my name and not my address, you may be getting ignored as well. Good riddance, I say, but you may feel differently.

As far as distinguishing between us goes, I'll always use a sneakemail address for my posts/replies here...

Mike - thank you for your investigations.
Ellen - thank you for resetting the counter and looking into the details of what is going on with this ISP.
Merlyn - Pffffft....

At 11:52 AM 10/5/2004 -0700, Mike Easter typed:
>Spam Hater mfkmek820@yahoo.com wrote:
>
>> I was surprised to see this post. Are you another "Spam Hater"?
I have
>> previously posted using that handle.
>> Fred
>>
>> "Spam Hater" wrote in message
>
>You two spamhaters need to get that worked out between yourselves because
>it is very confusing to have identical handles, especially if they are
>going to have conversations with each other or even be found in the same
>newsgroup at about the same time. Rather than argue about who was first,
>I suggest that both of you make some modification or adjustment, great or
>small, to distinguish your handles from each other.
>
>I've also seen another spamhater from addy here, namely a gci one; I'm
>assuming that's also Fred on the basis of some other information.

From Merlyn at Spamcop.net Tue Oct 5 17:35:40 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Tue Oct 5 16:40:03 2004
Subject: [SpamCop-List] Re: Changing Handle
References:
Message-ID:

"Fred K" wrote in message news:cjv0el$bno$1@news.spamcop.net...
> Ok I changed the handle in my news account. The Spam Hater is my spamcop
> alias.

Which one are you? Are you the top poster?

Need to know for my filter.

I don't read top posts.

--
Regards,
Merlyn

A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought
which they avoided

From mfkmek820 at yahoo.com Tue Oct 5 14:57:36 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Tue Oct 5 17:00:03 2004
Subject: [SpamCop-List] Re: Changing Handle
References:
Message-ID:

Yes, I was I believe the original "Spam Hater", as that is my SC user name from when I bought in over a year ago. Now to minimize confusion I am Fred K.
:-)

"Merlyn" wrote in message news:cjv0it$c48$1@news.spamcop.net...
> "Fred K" wrote in message
> news:cjv0el$bno$1@news.spamcop.net...
>> Ok I changed the handle in my news account. The Spam Hater is my spamcop
>> alias.
>
> Which one are you? Are you the top poster?
>
> Need to know for my filter.
>
> I don't read top posts.
>
> --
>
> Regards,
> Merlyn
>
> A Spamcop advocate
> No emails this account is for newsgroups only
> People demand freedom of speech to make up for the freedom of thought
> which they avoided
>
>

From Merlyn at Spamcop.net Tue Oct 5 18:27:14 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Tue Oct 5 17:30:03 2004
Subject: [SpamCop-List] Re: Changing Handle
References:
Message-ID:

Same thing I did a year ago.

Plonk

--
Regards,
Merlyn

A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought
which they avoided

From nobody at devnull.spamcop.net Tue Oct 5 17:39:43 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Tue Oct 5 17:40:03 2004
Subject: [SpamCop-List] Re: Changing Handle
In-Reply-To:
References:
Message-ID:

(Top posting corrected)

Fred K wrote:
> "Merlyn" wrote in message
> news:cjv0it$c48$1@news.spamcop.net...
>
>>"Fred K" wrote in message
>>news:cjv0el$bno$1@news.spamcop.net...
>>
>>>Ok I changed the handle in my news account. The Spam Hater is my spamcop
>>>alias.
>>
>>Which one are you? Are you the top poster?
>>
>>Need to know for my filter.
>>
>>I don't read top posts.

> Yes, I was I believe the original "Spam Hater", as that is my SC user name
> from when I bought in over a year ago. Now to minimize confusion I am Fred
> K.
> :-)

And apparently, you still haven't learned that no one wants to read unsnipped top posted comments. Back in my killfile you go. I don't see why it's such an ordeal for you people to knock off the top posting and be more polite in how you construct your replies.

See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more on newsgroup posting netiquette.
From tmcgraw at spamcop.net Tue Oct 5 15:44:19 2004
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Oct 5 17:45:04 2004
Subject: [SpamCop-List] Re: Changing Handle
References:
Message-ID: <416315B3.6030205@spamcop.net>

Cat wrote:
>
> http://www.river.com/users/share/etiquette

A must-read for Internet users in general, IMHO.

At least Fred K. was kind enuf to give us a morph notice.

From tmcgraw at spamcop.net Tue Oct 5 15:45:11 2004
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Oct 5 17:50:03 2004
Subject: [SpamCop-List] New Look
Message-ID: <416315E7.2070005@spamcop.net>

I have no complaints, but I'm sure someone will.

Change is funny that way.

From nobody at xyzzy.claranet.de Wed Oct 6 01:00:30 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Tue Oct 5 18:05:03 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de>
Message-ID: <4163197E.5803@xyzzy.claranet.de>

Blammo wrote:

> Return-Path is only added by mail relays, as per the RFCs.

You're probably confusing Received: and Return-Path: headers. All MTAs from first to last add Received: headers, that's the from ... by ... with ... for ... stuff (incl. the HELO, normally, and the "true name", optionally).

Only the last MTA also known as MDA (mail delivery agent) translates the MAIL FROM to a Return-Path: (bounce address).

Sender-ID (spf2.0/pra) does nothing with this info, it uses 2822 headers (From:, Sender:, Resent-From:, Resent-Sender:) and a new SMTP SUBMITTER corresponding to this PRA.

SPF (v=spf1, spf2.0/mfrom) uses only this info and ignores the 2822 headers From:, Sender:, or Resent-stuff.

> My take was they are combining three different types of
> sender authentication.

That's possible. And it would be a good idea, because so far nobody really tested the Sender-ID (PRA) idea. What's the third concept in your count, spf2.0/helo ?
Some HELO tests are mandatory in v=spf1 and therefore also a part of spf2.0/mfrom. If the MAIL FROM isn't empty (no bounce) a HELO test is optional in v=spf1.

That bit never made it into a separate spf2.0/helo document, because MARID was closed before a real discussion about HELO and CSV was allowed (by the co-chairs) to begin. The authors of CSV started now their own mailing list CLEAR, that's not (yet) an official IETF WG.

> I think we are at the wait-and-see stage.

It's IMHO a divide and conquer stage, but it won't work as planned by these big players.

Bye, Frank

From nobody at nowhere.invalid Wed Oct 6 01:13:11 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Oct 5 18:15:03 2004
Subject: [SpamCop-List] Re: New Look
References: <416315E7.2070005@spamcop.net>
Message-ID:

On Tue, 05 Oct 2004 14:45:11 -0700, Tim McGraw coughed into spamcop and left this in <416315E7.2070005@spamcop.net>:

> I have no complaints, but I'm sure someone will.

Not me, anyway. I think it's a great improvement over the previous "new" look.

--
Steve
Sign spotted outside a second hand shop: WE EXCHANGE ANYTHING - BICYCLES, WASHING MACHINES, ETC. WHY NOT BRING YOUR WIFE ALONG AND GET A WONDERFUL BARGAIN?

From MikeE at ster.invalid Tue Oct 5 16:18:46 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 5 18:20:03 2004
Subject: [SpamCop-List] Re: New Look
References: <416315E7.2070005@spamcop.net>
Message-ID:

Steven Maesslein wrote:
> Tim McGraw
>> I have no complaints, but I'm sure someone will.
>
> Not me, anyway. I think it's a great improvement over the previous
> "new" look.

Okay by me; I think it helps IE a little bit by degrading gracefully - but I hadn't seen the previous with multiple browsers.

New look and feel
Welcome to the new look of SpamCop. Modern web standards have been used to create a clean look and feel as well as a fast, scaleable, compatible web interface.
The latest versions of opera, mozilla (firefox) and Microsoft IE should work perfectly with the new design. Older browsers may cause some cosmetic problems, but the site should still work OK. Please report any problems in the forum as always.

--
Mike Easter
kibitzer, not SC admin

From nobody at xyzzy.claranet.de Wed Oct 6 01:37:05 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Tue Oct 5 18:45:06 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de>
Message-ID: <41632211.6431@xyzzy.claranet.de>

Porpoise wrote:

> they tried to patent it (so that they would be able to claim
> royalties off everyone at a later date no doubt) and it was
> this that scuppered the scheme because IBM et al walked
> away once they got wind of it.

That's certainly one aspect of this mess, but my point always was that PRA (as it is) simply doesn't work as expected.

Even if you ignore all legal issues for a moment, even if M$ would drop its patent claim - what they are trying to patent is an "algorithm" stated in RfC 822 plus some ideas from RMX / SPF.

> http://www.pcpro.co.uk/news/63160/antispoofing-initiative-sender-id-grinds-to-a-halt.html?

Much better than the misleading PR nonsense in the BBC article.

MARID wasted a third of its time to reject the stupid idea of using DNS to distribute XML documents, then it needed another third of its time to identify PRA as very different from SPF, and the remaining time was spent for legal stuff.

And after all this was finally clear, the co-chairs allowed to discuss the real thing (SPF) for less than one week, and then closed the WG.

Bye, Frank

From ric.gates at bigsleep.org Tue Oct 5 23:51:35 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Tue Oct 5 18:55:03 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de> <4163197E.5803@xyzzy.claranet.de>
Message-ID:

On 05 Oct 2004 Frank Ellermann entered spamcop and left news:4163197E.5803@xyzzy.claranet.de:

> Blammo wrote:
>
>> Return-Path is only added by mail relays, as per the RFCs.
>
> You're probably confusing Received: and Return-Path: headers.
> All MTAs from first to last add Received: headers, that's
> the from ... by ... with ... for ... stuff (incl. the HELO,
> normally, and the "true name", optionally).
>

NO, I have to know these things, as I already looked it up. One of the RFCs list all the message headers and their use, I can't at the moment find that one. However many other RFCs list it, such as the following statements...

rfc2822
3.6.7. Trace fields

The trace fields are a group of header fields consisting of an optional "Return-Path:" field, and one or more "Received:" fields.

rfc2821
4.4 Trace Information

Historical note: Text in RFC 822 that appears to contradict the use of the Return-path header (or the envelope reverse path address from the MAIL command) as the destination for error messages is not applicable on the Internet. The reverse path address (as copied into the Return-path) MUST be used as the target of any mail containing delivery error messages.

In particular:

- a gateway from SMTP->elsewhere SHOULD insert a return-path header, unless it is known that the "elsewhere" transport also uses Internet domain addresses and maintains the envelope sender address separately.

- a gateway from elsewhere->SMTP SHOULD delete any return-path header present in the message, and either copy that information to the SMTP envelope or combine it with information present in the envelope of the other transport system to construct the reverse path argument to the MAIL command in the SMTP envelope.
> Only the last MTA also known as MDA (mail delivery agent)
> translates the MAIL FROM to a Return-Path: (bounce address).
>

No, that's far from true, the purpose of the Return-Path is to preserve the DSN address, so it can certainly be added anywhere necessary. MDAs often do nothing more than add a From line.

> Sender-ID (spf2.0/pra) does nothing with this info, it uses
> 2822 headers (From:, Sender:, Resent-From:, Resent-Sender:)
> and a new SMTP SUBMITTER corresponding to this PRA.
>

I thought it was Caller-ID that used the From: header, for some reason they want it to be user visible. I don't see the logic in that, it's just too easy to forge headers, and I see no reason why From: can't be different than the sender, they serve two different purposes.

>
> That's possible. And it would be a good idea, because so
> far nobody really tested the Sender-ID (PRA) idea. What's
> the third concept in your count, spf2.0/helo ?
>

Some kind of encryption thing that I wasn't interested in looking at. Like I said, I haven't read up on everything. But I have my own ideas that mainly involve authenticating outgoing mail (and preserving that info), which no one else seems to be touching on. I don't see why the burden should be put on the receiving end to validate everything, and I am against that idea.

--
| Ric |

From no_one at noplace.org Tue Oct 5 17:45:09 2004
From: no_one at noplace.org (Perky Not)
Date: Tue Oct 5 19:50:04 2004
Subject: [SpamCop-List] Court Hits 'Spam' Envelope-Stuffing Scam
Message-ID:

Hopefully these two will be shut down permanently. Amazing, they're from Florida.

The two violated an anti-spam law because they faked return e-mail addresses and used deceptive subject lines like "Info You Have Requested" to trick recipients into opening them, the FTC said. The scam also violates deceptive-business and telemarketing laws, the FTC said. The operation has been temporarily shut down by a U.S.
court in Florida, and the FTC said it would press to shut it down permanently and return profits to consumers.

http://story.news.yahoo.com/news?tmpl=story&cid=581&e=1&u=/nm/20041005/tc_nm/tech_spam_dc

or if it wraps

http://snipurl.com/spam_scam

--
Perky Not

From nobody at xyzzy.claranet.de Wed Oct 6 03:29:01 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Tue Oct 5 20:35:03 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de> <4163197E.5803@xyzzy.claranet.de>
Message-ID: <41633C4D.2962@xyzzy.claranet.de>

Blammo wrote:

> One of the RFCs list all the message headers and their use,
> I can't at the moment find that one.

IIRC it's not yet published. RfC 3864 (BCP 90) published last month asks for a new IANA header registry, and internet draft is intended to start the part about mail and MIME headers.

You'll find pointers to the relevant RfC(s) in this registry, for Received: and Return-Path: it's as you said 822 resp. 2822.

The standard is 822, the proposed standard is 2822, but there are so many errors in RfC 2822 that it won't be recognized as standard. (Insert a somewhere... ;-)

>> Only the last MTA also known as MDA (mail delivery agent)
>> translates the MAIL FROM to a Return-Path: (bounce address).

> No, that's far from true, the purpose of the Return-Path is
> to preserve the DSN address, so it can certainly be added
> anywhere necessary.

The "final delivery" as seen from SMTP normally is by an "MDA". Of course it could be also a gateway to UUCP, or other kinds of relays from SMTP to something else. The important part is to preserve the bounce address:

| 4.3.1. RETURN-PATH
| This field is added by the final transport system that
| delivers the message to its recipient. The field is intended
| to contain definitive information about the address and route
| back to the message's originator.
[...] [...snipping a note about "Reply-To" vs. "Return-Path"] [...]
| While the syntax indicates that a route specification is
| optional, every attempt should be made to provide that infor-
| mation in this field.

And that's the stuff you find in the new RfC 3834 about "Auto-Responders", quite interesting for all users getting _tons_ of unsolicited out-of-office etc. crap to forged MAIL FROM bounce addresses. Two quotes from RfC 3834 4.0:

| If the response is to be generated after delivery, and there
| is no Return-Path field in the subject message, there is an
| implementation or configuration error in the SMTP server that
| delivered the message or gatewayed the message outside of
| SMTP.

| A Personal or Group responder SHOULD NOT deliver a response
| to any address other than that in the Return-Path field, even
| if the Return-Path field is missing. It is better to fix the
| problem with the mail delivery system than to rely on
| heuristics to guess the appropriate destination of the
| response. Such heuristics have been known to cause problems
| in the past.
[...]
| The Return-Path address is really the only one from the
| message header that can be expected, as a matter of protocol,
| to be suitable for automatic responses that were not
| anticipated by the sender.

Just another strong indicator that SPF got it right, and that the Sender-ID PRA is snake oil.

> I thought it was Caller-ID that used the From: header

Yes, Caller-ID was the original name of this concept, and if there is no Sender: or Resent-* header, then the address found in the From:-header is the "PRA".

Later they merged this with the syntactical format of SPF sender policies, and renamed it to Sender-ID (spf2.0/pra). Otherwise it's still the same as the old Caller-ID, and it's still very different from SPF (v=spf1 resp. spf2.0/mfrom).

> I see no reason why From: can't be different than the sender,
> they serve two different purposes.
Sure, you need a single Sender: address if there is more than one address in the From: header. You could also use a Sender: if it's different from the From: address. And in these cases the "PRA" is determined by the Sender, so far that works.

It doesn't work in cases where there is no Sender:, and the From: differs from the MAIL FROM. In theory "something" on the side of the sender could have inserted a Sender: in this case, but in practice that's not always the case (it's only an option in RfC 2476, not a SHOULD).

One of the cases where I'd get a FAIL with the PRA if somebody tries to match my 2822-From against my 2821 MAIL FROM policy. Did I mention that PRA is snake oil and doesn't work for me ?

[3rd idea]
> Some kind of encryption thing that I wasn't interested in

Yes, that's an independent concept. Yahoo's "domain keys" fall in this category. Now discussed in the new IETF WG MASS.

> I don't see why the burden should be put on the receiving end
> to validate everything, and I am against that idea.

In the case of SPF the receiver can reject anything resulting in a FAIL, and then it's no waste of time.

If all you want is to reject useless bounces caused by forged MAIL FROM addresses, you could test BATV (draft-levine-mass-batv-00.txt), it works without cooperation of the receiver. But it requires quite a lot of cooperation from all parties on the sending side (most important the MX blocking all bounces to non-BATV-addresses).

Bye, Frank

From wb8tyw at qsl.network Tue Oct 5 22:23:25 2004
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Tue Oct 5 21:25:06 2004
Subject: [SpamCop-List] Re: Spamcop email hacked again
In-Reply-To: <13838-4162B1FE-87@storefull-3277.bay.webtv.net>
References: <13838-4162B1FE-87@storefull-3277.bay.webtv.net>
Message-ID:

DJ Mike wrote:
> Logging in today.
I got:
>
> Last login: Tue 05 Oct 2004 01:31:48 AM EDT from
> 0-1pool6-198.nas35.los-angeles2.ca.us.da.qwest.net
>
> I only use webtv so it should only be:
>
> ..from netcache-3001.bay.webtv.net
>
> Webtv cannot run any kind of executable files so it can't run viruses or
> spyware. I have changed my password since this last happened. I have
> never shared my PW before or after that.
>
> The links on spamcop email don't work for webtv so they couldn't have
> gotten in by following a referral. (Not sure if that would work on SC)
> and I had been offline for several hours anyway.
>
> Anyone else finding their accounts hacked or have any idea how this is
> happening?

I suggest that you e-mail deputies(at)spamcop.net and give them the details since no one seems to be answering your question.

-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at devnull.spamcop.net Tue Oct 5 23:02:45 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Tue Oct 5 22:05:05 2004
Subject: [SpamCop-List] Re: Curious JScript - IE vuln spam?
References:
Message-ID:

"Jon (spamtrap)" wrote in message
> Folks
>
> A spam today contained the following script (I've removed the angle brackets
> in case it does something bad)... anyone any idea what it does?
>

Please post a parse tracker... When the items are posted in the ng, line wraps make the decoding unnecessarily difficult. Also, the script is found in a context as at times may provide clues to its purpose or "keys" that may be needed to unlock a site and unravel the purpose of the script.

Your jscript was seen previously, and the "what it does" is still unfolding. There are at least five ng regulars who are "on call" to decode such gems, provided there is intent to make the effort worthwhile, as by notifying admins at the apparently compromised sites involved.

I do have interest in such scripted exploits but the subject matter is better suited to .geeks, as it is rather less of a general interest for .spamcop or .help.
For practical purposes it is a test for vulnerability and being uninformed about the criminality of spamming. The code will only run on unpatched operating systems, and then only when the code is rendered as by "seeing" a spamitem as html in preview pane. Such code does not "run" when viewed as "text only" and even when "run" it is nothing more than an unseen link which autoloads a site, such as http://127.0.0.1/link.html. The link then triggers additional responders which eventually lead to installing a spamsending remotely activated trojan worm on the target computer for purposes of sending more spam.

I am withholding my own observations as the case you posted was seen elsewhere and is well covered through this link:

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&newwindow=1&c2coff=1&safe=off&threadm=10lp2024ns6c3e6%40corp.supernews.com&rnum=1&prev=/groups%3Fq%3D%255BBezeqint.net%255D%255Btrojan%2Bdropper%255D%2B%26ie%3DUTF-8%26hl%3Den%26btnG%3DGoogle%2BSearch

> Please don't mail ng.fjxrp@jondh.me.uk as it is a spamtrap.

Thanks for the "heads up". I'll be careful not to use that address!

Glenn

From nobody at devnull.spamcop.net Wed Oct 6 12:56:27 2004
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Oct 5 23:00:03 2004
Subject: [SpamCop-List] Re: SpamCop Statistics
References:
Message-ID:

"Mike Easter" wrote in message news:cjtq6i$gq2$1@news.spamcop.net...
> Patto wrote:
>> What is it with the low spam / report volume on the statistics
>> ( http://members.spamcop.net/spamgraph.shtml?spammonth )
>> this and last week? ...
>
> Two fairly recent threads on the subject here:
> ...

Thanks for the explanation; I must have been on vacation during that time.
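The identity mismatch argued over in the "Net giants adopt anti-spam system?" thread above (SPF checks the MAIL FROM preserved in Return-Path, Sender-ID checks a PRA taken from the 2822 headers), as an added Python example that is not part of any post. The header order Resent-Sender, Resent-From, Sender, From is an assumption, the domains, IP addresses and messages are constructed, and the policy table is a plain dictionary standing in for DNS lookups.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed PRA search order over the 2822 headers named in the thread.
PRA_HEADER_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed sender policies: domain -> IPs allowed to send for it.
# A real check would fetch these from DNS; this table stands in for that.
POLICIES = {
    "isp.example": {"192.0.2.10"},
    "vanity.example": {"198.51.100.5"},
}

# Constructed messages as seen after final delivery (Return-Path present).
DIRECT = """\
Return-Path: <frank@isp.example>
From: Frank <frank@isp.example>
Subject: same domain in envelope and header

body
"""

VANITY_FROM = """\
Return-Path: <frank@isp.example>
From: Frank <frank@vanity.example>
Subject: From: differs from MAIL FROM, no Sender:

body
"""

VANITY_WITH_SENDER = """\
Return-Path: <frank@isp.example>
Sender: frank@isp.example
From: Frank <frank@vanity.example>
Subject: submission side inserted a Sender:

body
"""

BOUNCE = """\
Return-Path: <>
From: Mail Delivery System <mailer-daemon@isp.example>
Subject: empty MAIL FROM (a bounce)

body
"""


def domain_of(header_value):
    """Return the lower-cased domain of the first address, or None."""
    address = parseaddr(header_value or "")[1]
    _local, at, domain = address.rpartition("@")
    return domain.lower() if at and domain else None


def mfrom_identity(msg):
    """Domain of the bounce address; None when MAIL FROM was empty."""
    return domain_of(msg.get("Return-Path"))


def pra_identity(msg):
    """Return (header name, domain) of the first usable PRA header."""
    for name in PRA_HEADER_ORDER:
        domain = domain_of(msg.get(name))
        if domain:
            return name, domain
    return None, None


def check(domain, client_ip):
    """Toy policy check: pass, fail, or none when no policy applies."""
    allowed = POLICIES.get(domain) if domain else None
    if allowed is None:
        return "none"  # real SPF tests the HELO name when MAIL FROM is empty
    return "pass" if client_ip in allowed else "fail"


def evaluate(raw_message, client_ip):
    """Compare the identity each scheme checks for one delivered message."""
    msg = message_from_string(raw_message)
    mfrom = mfrom_identity(msg)
    pra_header, pra = pra_identity(msg)
    return {
        "mfrom_domain": mfrom,
        "mfrom_result": check(mfrom, client_ip),
        "pra_header": pra_header,
        "pra_domain": pra,
        "pra_result": check(pra, client_ip),
    }


if __name__ == "__main__":
    samples = {"direct": DIRECT, "vanity From": VANITY_FROM,
               "vanity From + Sender": VANITY_WITH_SENDER, "bounce": BOUNCE}
    for label, raw in samples.items():
        print(label, evaluate(raw, "192.0.2.10"))
```

The second sample is the case described in the thread: no Sender: header, a From: that differs from the MAIL FROM, and a PRA result of fail for mail that the MAIL FROM check accepts.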
From MikeE at ster.invalid Tue Oct 5 21:14:31 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 5 23:15:02 2004 Subject: [SpamCop-List] Re: SpamCop Statistics References: Message-ID: Patto wrote: > "Mike Easter" >> Patto wrote: >>> What is it with the low spam / report volume on the statistics >> Two fairly recent threads on the subject here: > Thanks for the explanation; I must have been on vacation during that > time. If you have a comprehensive understanding from all of the available information and prior posts; would you please explain it to the rest of us? ;-) -- Mike Easter kibitzer, not SC admin From jefft at spamcop.net Wed Oct 6 00:16:27 2004 From: jefft at spamcop.net (JT) Date: Tue Oct 5 23:20:02 2004 Subject: [SpamCop-List] Re: Spamcop email hacked again In-Reply-To: <13838-4162B1FE-87@storefull-3277.bay.webtv.net> References: <13838-4162B1FE-87@storefull-3277.bay.webtv.net> Message-ID: DJ Mike wrote: > Logging in today. I got: > > Last login: Tue 05 Oct 2004 01:31:48 AM EDT from > 0-1pool6-198.nas35.los-angeles2.ca.us.da.qwest.net > I don't have any evidence that anything has been hacked. Logging in to your account via webmail doesn't seem like a very useful thing for a hacker to do anyway. Send me your username via email and I'll be able to take a look more closely. JT From MikeE at ster.invalid Tue Oct 5 21:46:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 5 23:50:04 2004 Subject: [SpamCop-List] Re: Spamcop email hacked again References: <13838-4162B1FE-87@storefull-3277.bay.webtv.net> Message-ID: JT wrote: > Logging in to > your account via webmail doesn't seem like a very useful thing for a > hacker to do anyway. Yeah. Ain't that a puzzle? What fun! And the rest of us have to content ourselves with crosswords and such. 
;-) -- Mike Easter kibitzer, not SC admin From skiwi at spamcop.net Tue Oct 5 21:50:05 2004 From: skiwi at spamcop.net (sk1w1) Date: Tue Oct 5 23:55:03 2004 Subject: [SpamCop-List] Re: New Look [suggestion for 'held mail' look] In-Reply-To: <416315E7.2070005@spamcop.net> References: <416315E7.2070005@spamcop.net> Message-ID: Tim McGraw wrote: > I have no complaints, but I'm sure someone will. > > Change is funny that way. Maybe add a line between individual held emails in mailsc.spamcop.net - with the bolding, etc it is hard to see where one finishes and the next starts... From skiwi at spamcop.net Tue Oct 5 21:52:42 2004 From: skiwi at spamcop.net (sk1w1) Date: Wed Oct 6 00:00:03 2004 Subject: [SpamCop-List] Re: New Look In-Reply-To: References: <416315E7.2070005@spamcop.net> Message-ID: Mike Easter wrote: [snip] > Okay by me; I think it helps IE a little bit by degrading gracefully - > but I hadn't seen the previous with multiple browsers. [snip] Although, as a dyed-in-the-wool Mozilla user in an IMAP environment, I didn't kind of like the original "best on anything *except* IE" or some such line on the 'new original'!!! :-) From rcarlton at spamcop.net Tue Oct 5 23:38:45 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Wed Oct 6 01:40:02 2004 Subject: [SpamCop-List] Re: Lolita site shut down by Yahoo/GeoCities In-Reply-To: References: Message-ID: Spam N Scams Reporter wrote: > I'm not sure why SC Hello, > > Thank you for writing to Yahoo! GeoCities. > > Thank you for informing us of possible abuse on Yahoo! GeoCities. We > have investigated the site and taken the necessary action. Please > continue to notify us of any content you believe violates the GeoCities > Terms of Service, located at: > > http://docs.yahoo.com/info/terms/geoterms.html > > Site in question: > http://www.geocities.com/diosfanplitorda/pppd/ And...they're back. 
http://www.geocities.com/romseal_parvn_aliceco/el/ Took your advice and manually reported to geo-guidelines@yahoo-inc.com Let's see what happens. From rcarlton at spamcop.net Tue Oct 5 23:43:25 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Wed Oct 6 01:45:03 2004 Subject: [SpamCop-List] Re: Complete your Tickle Registration In-Reply-To: References: Message-ID: Bob W. wrote: > Posted in .spam, this spew is badly disguised as a "confirmation" email. > Note the advertising in the body (which legit confirmations do not > have). In addition, a second spam was sent by Tickle, attempting to say > that I had already taken an IQ test with them. If I haven't confirmed my > account, how would that be possible? I used to work with/for some of the execs at Tickle at a previous firm. This is fully normalized behavior for them. Tame, in fact. From gospamming at yourdomain.invalid Wed Oct 6 08:11:35 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Oct 6 03:15:22 2004 Subject: [SpamCop-List] Re: New Look References: <416315E7.2070005@spamcop.net> Message-ID: Steven Maesslein wrote in news:slrncm673n.2ui.nobody@127.0.0.1: > On Tue, 05 Oct 2004 14:45:11 -0700, Tim McGraw coughed into spamcop > and left this in <416315E7.2070005@spamcop.net>: > >> I have no complaints, but I'm sure someone will. > > Not me, anyway. I think it's a great improvement over the previous > "new" look. > Me too! Seriously now, it really has improved, at least for IE, beyond the aesthetically pleasant look. Previously, when reporting with the 'Clean' CSS template, the list of reports sent always had trouble to show on the screen. This new look seems to no longer have that problem.
-- Daniel Diaz From nobody at devnull.spamcop.net Wed Oct 6 01:11:52 2004 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m) Date: Wed Oct 6 03:15:37 2004 Subject: [SpamCop-List] Re: New Look In-Reply-To: References: <416315E7.2070005@spamcop.net> Message-ID: >>I have no complaints, but I'm sure someone will. > > Not me, anyway. I think it's a great improvement over > the previous "new" look. Yes, the new "new" look is better than the old "new" look. -- "[Spammers] are the mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class Mail industry." -- Dave Barry From nobody at devnull.spamcop.net Wed Oct 6 17:18:46 2004 From: nobody at devnull.spamcop.net (Patto) Date: Wed Oct 6 03:20:04 2004 Subject: [SpamCop-List] Re: New Look References: <416315E7.2070005@spamcop.net> Message-ID: "Tim McGraw" wrote in message news:416315E7.2070005@spamcop.net... >I have no complaints, but I'm sure someone will. I like the new style, look, and functionality, especially the Text Size feature in the upper right corner. It even keeps the adjusted text size when recycling the browser. From gezgin at spamcop.net Wed Oct 6 11:53:53 2004 From: gezgin at spamcop.net (Gezgin) Date: Wed Oct 6 03:55:03 2004 Subject: [SpamCop-List] Re: New Look References: <416315E7.2070005@spamcop.net> Message-ID: "D.Diaz" wrote >>> I have no complaints, but I'm sure someone will. >> Not me, anyway. I think it's a great improvement over the >> previous >> "new" look. > Me too! I'm glad that the mildly confusing "Check mail" option has been replaced with the more precise "Webmail" and better position so that I no hit it instead of "Held email". The pages are also much more readable now. "Good show" those responsible for the improvements. 
-- Bob Kanyak's Doghouse http://www.kanyak.com From vincehoran at gmail.com Wed Oct 6 10:08:07 2004 From: vincehoran at gmail.com (Vince Horan) Date: Wed Oct 6 04:08:12 2004 Subject: [SpamCop-List] Backscatter policy Message-ID: Hi, I am sure I read somewhere on spamcop.net that I cannot use the service to report emails received which are the result of spammers using our domain in the "from" field (sent by the spammer to invalid addresses). I can't see this now and wonder if it is still the case, and if so why? We receive about 300 emails a day which are bounces resulting from spammers using our domain in the from field. We reported the spamvertised web site to the hosting (in Korea) and the sites are no longer there, yet the spam continues advertising the sites that are gone. The email address in the Whois for the spamvertised domain registration no longer works. I was wondering if spamcop could report the compromised hosts that are still sending this stuff. Whilst the bounces are not spam in themselves, they contain useful info against compromised hosts being used to send spam. And they are using up our bandwidth! thanks Vince Horan From ric.gates at bigsleep.org Wed Oct 6 09:20:42 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Oct 6 04:25:03 2004 Subject: [SpamCop-List] Re: More about your IQ References: Message-ID: On 05 Oct 2004 Bob W. entered spamcop and left news:responseguard- A20587.21021905102004@news.cesmail.net: > Second Tickle spam, posted in .spam, supposedly reveals the results of a > "free IQ test" that I took earlier today. > > Fraud. > It doesn't actually say that, nowhere does it claim you were ever there. I'd bet they got your address from someone else you subscribed to at one time. > Appears to be direct spamming done by emode, a company that had > previously spammed through third parties. > I have never gotten spam from emode, nor tickle, though I don't trust tickle.
Subscribers get messages from Received: from priority.mail.tickle.com (priority.mail.tickle.com [130.94.6.236]) So maybe express. is for fishing for new ones, so report it as spam. It looks legit, though attempts to mislead you, and it's questionable how they got your address in the first place. > Again, hosted by the sleazoids at Verio, so the fraud will likely > continue unchecked. > I doubt it, Verio are not sleazoids. -- | Ric | From ric.gates at bigsleep.org Wed Oct 6 09:31:56 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Oct 6 04:35:03 2004 Subject: [SpamCop-List] Re: More about your IQ References: Message-ID: On 06 Oct 2004 Blammo entered spamcop and left news:Xns957ADC139906blammo@216.154.195.61: >> Second Tickle spam, posted in .spam, supposedly reveals the results of a >> "free IQ test" that I took earlier today. >> >> Fraud. >> > > It doesn't actually say that, nowhere does it claim you were ever there. > I'd bet they got your address from someone else you subscribed to at one > time. > Silly me, I missed your other post. Some nice person signed you up. They are attempting to remind you to confirm your registration, report it as spam. -- | Ric | From tobias.katz at cim-team.de Wed Oct 6 11:44:48 2004 From: tobias.katz at cim-team.de (Tobias Katz) Date: Wed Oct 6 04:46:19 2004 Subject: [SpamCop-List] How to remove from bl.spamcop.net Message-ID: Hi Group, We are listed on bl.spamcop.net (http://www.spamcop.net/w3m?action=blcheck&ip=194.25.145.146). In the last 48 hours there was no E-Mail to a trap. Why we still are listed? Can anybody help me?
Thanks Tobias Katz CIM-Team GmbH From nobody at nowhere.invalid Wed Oct 6 11:57:08 2004 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Oct 6 05:00:59 2004 Subject: [SpamCop-List] Re: New Look References: <416315E7.2070005@spamcop.net> Message-ID: On Tue, 05 Oct 2004 20:52:42 -0700, sk1w1 coughed into spamcop and left this in : > Although, as a dyed-in-the-wool Mozilla user in an IMAP environment, I > didn't kind of like the original "best on anything *except* IE" or some > such line on the 'new original'!!! :-) That was removed fairly soon after it appeared due to the storm it stirred up in here. Of course, saying "Designed for any W3C-compliant browser" is pretty much the same thing as "Designed for just about anything but IE" anyway :) -- Steve Profanity is the one language all programmers know best. From nobody at nowhere.invalid Wed Oct 6 11:57:56 2004 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Oct 6 05:01:39 2004 Subject: [SpamCop-List] Re: New Look References: <416315E7.2070005@spamcop.net> Message-ID: On Wed, 6 Oct 2004 10:53:53 +0300, Gezgin coughed into spamcop and left this in : > I'm glad that the mildly confusing "Check mail" option has > been replaced with the more precise "Webmail" and better > position so that I no hit it instead of "Held email". The > pages are also much more readable now. Ah! So, I wasn't alone in doing that! -- Steve Just remember: when you go to court, you are trusting your fate to twelve people that weren't smart enough to get out of jury duty! From nobody at nowhere.invalid Wed Oct 6 12:03:32 2004 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Oct 6 05:05:13 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: On Wed, 6 Oct 2004 10:44:48 +0200, Tobias Katz coughed into spamcop and left this in : > In the last 48 hours there was no E-Mail to a trap. How do you know? 
The only way you can be sure that no mail was sent to a trap over the past 48 hours is if no mail was sent out at all during that period. -- Steve Money isn't everything, but at least it keeps the kids in touch. From porpoise1954 at yahoo.co.uk Wed Oct 6 11:06:17 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 05:10:11 2004 Subject: [SpamCop-List] Virus spam Message-ID: Received this interesting spam item which the SC parser sees as a bounced mail but would appear to me to be a spam with a virus pay-load deliberately constructed to look like a bounce... I'm 99.9999999999999999999% certain that the mailservers we go through have not been compromised. Comments/observations welcomed. http://www.spamcop.net/sc?id=z679883473z291f7c92e8d2387d33b48c68aa30246bz From ric.gates at bigsleep.org Wed Oct 6 10:15:45 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Oct 6 05:20:26 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: On 06 Oct 2004 Tobias Katz entered spamcop and left news:ck0b9p$hsk$1@news.spamcop.net: > Hi Group, > > We are listed on bl.spamcop.net > (http://www.spamcop.net/w3m?action=blcheck&ip=194.25.145.146). In the > last 48 hours there was no E-Mail to a trap. Why we still are listed? > Notice it says "Causes of listing System has sent mail to SpamCop spam traps in the past week" A week is 7 days. "Listing History In the past 8.6 days, it has been listed 2 times for a total of 7.3 days" Now if I understand that correctly, there may have been an email sent as recent as 32 hours ago. 
-- | Ric From gospamming at yourdomain.invalid Wed Oct 6 10:16:29 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Oct 6 05:20:42 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: Steven Maesslein wrote in news:slrncm7d74.181.nobody@127.0.0.1: > On Wed, 6 Oct 2004 10:44:48 +0200, Tobias Katz coughed into spamcop > and left this in : > >> In the last 48 hours there was no E-Mail to a trap. > > How do you know? > > The only way you can be sure that no mail was sent to a trap over the > past 48 hours is if no mail was sent out at all during that period. > [quote - Senderbase lookup - use fixed font to see it better] Volume Statistics for this IP Magnitude Vol Change vs. Average Last day 3.7 579% Last 30 days 3.4 218% Average 2.9 [/quote] It seems the spew kept flowing... Still a 579% increment in mail flow in the last day. Tobias, are you sure you really did solve your mailserver problems? -- Daniel Diaz From gospamming at yourdomain.invalid Wed Oct 6 10:23:00 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Oct 6 05:25:03 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: "Porpoise" wrote in news:ck0cj2$kcb$1@news.spamcop.net: > Received this interesting spam item which the SC parser sees as a > bounced mail but would appear to me to be a spam with a virus pay-load > deliberately constructed to look like a bounce... > > I'm 99.9999999999999999999% certain that the mailservers we go through > have not been compromised. Comments/observations welcomed. > > http://www.spamcop.net/sc?id=z679883473z291f7c92e8d2387d33b48c68aa30246 > bz > > Return-path: There's no way an MTA would ever send a bounce with a mail address in the return-path. All bounces have always a null return path. Oh, and after decoding the Base64 chunk, one can see: Norton AntiVirus removed the attachment: transcript.scr. The attachment was infected with the W32.Mydoom.M@mm virus. 
-- Daniel Diaz From gospamming at yourdomain.invalid Wed Oct 6 10:25:30 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Oct 6 05:30:03 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: Steven Maesslein wrote in news:slrncm7d74.181.nobody@127.0.0.1: > On Wed, 6 Oct 2004 10:44:48 +0200, Tobias Katz coughed into spamcop > and left this in : > >> In the last 48 hours there was no E-Mail to a trap. > > How do you know? > > The only way you can be sure that no mail was sent to a trap over the > past 48 hours is if no mail was sent out at all during that period. > [quote - Senderbase lookup - use fixed font to see it better] Volume Statistics for this IP Magnitude Vol Change vs. Average Last day 3.7 579% Last 30 days 3.4 218% Average 2.9 [/quote] It seems the spew kept flowing... Still a 579% increment in mail flow in the last day. Tobias, are you sure you really did solve your mailserver problems? -- Daniel Diaz From tobias.katz at cim-team.de Wed Oct 6 12:34:32 2004 From: tobias.katz at cim-team.de (Tobias Katz) Date: Wed Oct 6 05:35:04 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: HI > [Senderbase lookup - use fixed font to see it better] > Volume Statistics for this IP > Magnitude Vol Change vs. Average > Last day 3.7 579% > Last 30 days 3.4 218% > Average 2.9 Does that mean, that our mail Traffic has increased 579% in 1 day????? And this month 279% more than last month? Thanks Tobias Katz From ric.gates at bigsleep.org Wed Oct 6 10:43:47 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Oct 6 05:45:04 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: On 06 Oct 2004 Porpoise entered spamcop and left news:ck0cj2$kcb$1@news.spamcop.net: > I'm 99.9999999999999999999% certain that the mailservers we go through > have not been compromised. Comments/observations welcomed. 
> Looks to me like mailgate.abexltd.co.uk has no A or PTR record, that's the reason for the Spamcop message "No unique hostname found for source: 62.49.206.2" It is a virus, I've seen these before. It's not spam, but I'm willing to bet that it came from a spammer's machine. -- | Ric From gospamming at yourdomain.invalid Wed Oct 6 10:47:39 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Oct 6 05:50:03 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: "Tobias Katz" wrote in news:ck0e71$n6p$1@news.spamcop.net: > HI > >> [Senderbase lookup - use fixed font to see it better] >> Volume Statistics for this IP >> Magnitude Vol Change vs. Average >> Last day 3.7 579% >> Last 30 days 3.4 218% >> Average 2.9 > > > Does that mean, that our mail Traffic has increased 579% in 1 day????? > And this month 279% more than last month? > Yes, that's how I understand it; a 579% increase in volume of traffic in the last day measured versus your average traffic, and a 218% increase in the last 30 days. Scales used are logarithmic. ISTR there was another post with a nice explanation not long ago by Mike Easter... -- Daniel Diaz From porpoise1954 at yahoo.co.uk Wed Oct 6 12:21:11 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 06:25:39 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: "Blammo" wrote in message news:Xns957A1BD5EC055blammo@216.154.195.61... > On 06 Oct 2004 Porpoise entered spamcop and left > news:ck0cj2$kcb$1@news.spamcop.net: > > > I'm 99.9999999999999999999% certain that the mailservers we go through > > have not been compromised. Comments/observations welcomed. > > > > Looks to me like mailgate.abexltd.co.uk has no A or PTR record, that's the > reason for the Spamcop message "No unique hostname found for source: > 62.49.206.2" > > It is a virus, I've seen these before. It's not spam, but I'm willing to > bet that it came from a spammer's machine. 
> > -- > | Ric I know it contained a virus - that wasn't the purpose of the parse. It was the fact that the person was purportedly advising me that the original mail was sent by me - which it wasn't - so it was made up to *look like* I had sent them a virus and that they had bounced it back to me. In my book that makes it a spam From porpoise1954 at yahoo.co.uk Wed Oct 6 12:26:33 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 06:30:03 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: "D.Diaz" wrote in message news:Xns957A73CC080D9xnddmxn@216.154.195.61... > "Porpoise" wrote in > news:ck0cj2$kcb$1@news.spamcop.net: > > > Received this interesting spam item which the SC parser sees as a > > bounced mail but would appear to me to be a spam with a virus pay-load > > deliberately constructed to look like a bounce... > > > > I'm 99.9999999999999999999% certain that the mailservers we go through > > have not been compromised. Comments/observations welcomed. > > > > http://www.spamcop.net/sc?id=z679883473z291f7c92e8d2387d33b48c68aa30246 > > bz > > > > > > Return-path: > > There's no way an MTA would ever send a bounce with a mail address in > the return-path. All bounces have always a null return path. That was my point - it was being made to look like a bounce. > > Oh, and after decoding the Base64 chunk, one can see: > > Norton AntiVirus removed the attachment: transcript.scr. > The attachment was infected with the W32.Mydoom.M@mm virus. I know that bit. that was from my machine deleting the virus that was attached to the mail I received purporting to have been bounced back to me as the originator - which I wasn't. That's what made me want to find out whether: 1) It was a genuine bounce to a forged From: address 2) A spam disguised to look like a bounce in order to drop the virus payload on my system. 
> > -- > Daniel Diaz From philip at pch.home.cs.vu.nl Wed Oct 6 13:08:03 2004 From: philip at pch.home.cs.vu.nl (Philip Homburg) Date: Wed Oct 6 06:35:02 2004 Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical. References: <415e419f.5257031@news.spamcop.net> <4163197E.5803@xyzzy.claranet.de> <41633C4D.2962@xyzzy.claranet.de> Message-ID: In article <41633C4D.2962@xyzzy.claranet.de>, Frank Ellermann wrote: >And that's the stuff you find in the new RfC 3834 about "Auto- >Responders", quite interesting for all users getting _tons_ of >unsolicited out-of-office etc. crap to forged MAIL FROM bounce >addresses. > >| The Return-Path address is really the only one from the >| message header that can be expected, as a matter of protocol, >| to be suitable for automatic responses that were not >| anticipated by the sender. I get most auto-responder junk as a result of a virus forging my e-mail address as the envelope-from. The quoted text doesn't contain anything to reduce that problem. I can imagine that this text helps against the junk you get from posting to a mailing list, but for spam and viruses it doesn't do anything. My current policy is that when I get two pieces of junk from the same organisation, their outgoing MTAs go in my blocklist. -- This Monk had first gone wrong when it was [...] cross-connected to a video recorder that was watching eleven TV channels simultaneously, [...] The video recorder only had to watch them, of course. It didn't have to believe them all as well. This is why instruction manuals are so important -- Douglas Adams From dan at w-i-m-b-a-RemoveAllHyphens.com Wed Oct 6 13:36:43 2004 From: dan at w-i-m-b-a-RemoveAllHyphens.com (Dan Ric|-.ter) Date: Wed Oct 6 06:40:03 2004 Subject: [SpamCop-List] 419eater.com gets $200 from 419ers Message-ID: Pardon me if this is old news to you: I couldn't find it in previous NG discussions.
The owner of 419eater.com has actually succeeded in getting 419ers to send him money: $200 in one case! Though he previously made idiots out of them by telling them to send funny pictures of themselves, he now turns their game around and scams them! The biggest prize can be found here: http://www.419eater.com/html/frank_kabongo.htm 419ers trick their victims by playing on their greed. I guess it's not surprising that they're vulnerable to the same tactics. I'm sure it will only be a matter of time before the crooks catch onto the game, but in the meantime there's a window of opportunity to turn the tables on them. -- They've signed me up for every advertising campaign and mailing list there is. These people are out of their minds. They're harassing me. - spam tycoon Alan Ralsky, who was signed up for tons of (paper) junk mail after publicly proclaiming that he had no regrets about his spam empire. From ric.gates at bigsleep.org Wed Oct 6 11:39:59 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Oct 6 06:40:09 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: On 06 Oct 2004 Porpoise entered spamcop and left news:ck0gvi$re4$1@news.spamcop.net: > I know it contained a virus - that wasn't the purpose of the parse. It > was the fact that the person was purportedly advising me that the > original mail was sent by me - which it wasn't - so it was made up to > *look like* I had sent them a virus and that they had bounced it back > to me. It was not sent by a person, but a virus, that's what I said. http://www.f-secure.com/v-descs/mydoom_m.shtml -- | Ric From gospamming at yourdomain.invalid Wed Oct 6 11:44:21 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Oct 6 06:45:04 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: "Porpoise" wrote in news:ck0h9k$s08$1@news.spamcop.net: > > "D.Diaz" wrote in message > news:Xns957A73CC080D9xnddmxn@216.154.195.61... 
[snip] >> Oh, and after decoding the Base64 chunk, one can see: >> >> Norton AntiVirus removed the attachment: transcript.scr. >> The attachment was infected with the W32.Mydoom.M@mm virus. > > I know that bit. that was from my machine deleting the virus that was > attached to the mail I received purporting to have been bounced back > to me as the originator - which I wasn't. That's what made me want to > find out whether: > > 1) It was a genuine bounce to a forged From: address > > 2) A spam disguised to look like a bounce in order to drop the virus > payload on my system. > It is a well known virm propagation disguised to look like a bounce to drop the virus payload on your system. You may consider it spam (I personally don't) but it definitely is not SpamCop reportable. -- Daniel Diaz From MikeE at ster.invalid Wed Oct 6 05:01:13 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Oct 6 07:05:04 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: D.Diaz wrote: > "Tobias Katz" >>> Last day 3.7 579% >>> Last 30 days 3.4 218% >>> Average 2.9 >> >> >> Does that mean, that our mail Traffic has increased 579% in 1 >> day????? And this month 279% more than last month? >> > > Yes, that's how I understand it; a 579% increase in volume of traffic > in the last day measured versus your average traffic, and a 218% > increase in the last 30 days. Scales used are logarithmic. ISTR > there was another post with a nice explanation not long ago by Mike > Easter... Yes, correct - logarithmic in that magnitude section. <<< 220 w2-exchange.CIM-Team.de Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Wed, 6 Oct 2004 12:43:53 +0200 That's the server in question; probably smtpauth exploit. http://www.winnetmag.com/MicrosoftExchangeOutlook/Article/ArticleID/7696/MicrosoftExchangeOutlook_7696.html Is Your Exchange Server Relay-Secure?
http://www.slipstick.com/exs/relay.htm To prevent SMTP relaying with Microsoft Exchange Server http://www.microsoft.com/technet/security/bulletin/MS02-011.mspx Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Oct 6 05:09:52 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Oct 6 07:10:04 2004 Subject: [SpamCop-List] Re: Backscatter policy References: Message-ID: Vince Horan wrote: > I can't see this now and wonder if it is still the case, > and if so why? Rules - bounce section http://www.spamcop.net/fom-serve/cache/14.html On what type of email should I (not) use SpamCop? - If the bounce message contains spam, it is not permitted for you to report the spam contained within the bounce, even if it includes what appear to be the full original headers. This is someone else's spam, not yours. That par also sez "It is expected that you can verify the headers of reported mail are accurate, something you can't do for mail received on a network you are not familiar with." Whether or not you agree with the rationale, it is still the rule. > I was wondering if spamcop could report > the compromised hosts that are still sending this stuff. You can manually report them. Make yourself a little template to attach the spam to and fire away. -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Wed Oct 6 07:45:21 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Oct 6 07:50:26 2004 Subject: [SpamCop-List] Re: New Look References: <416315E7.2070005@spamcop.net> Message-ID: In article <416315E7.2070005@spamcop.net>, Tim McGraw writes: > I have no complaints, but I'm sure someone will. For me (running with a secured browser) it is _much_better_, putting actually useful stuff in the first windowful. 
From Kilgallen at SpamCop.net Wed Oct 6 07:47:48 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Oct 6 07:50:50 2004 Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical. References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de> <4163197E.5803@xyzzy.claranet.de> Message-ID: In article <4163197E.5803@xyzzy.claranet.de>, Frank Ellermann writes: > Blammo wrote: > >> Return-Path is only added by mail relays, as per the RFCs. > > You're probably confusing Received: and Return-Path: headers. > All MTAs from first to last add Received: headers, that's > the from ... by ... with ... for ... stuff (incl. the HELO, > normally, and the "true name", optionally). Not the first one if it did not receive the message by SMTP. For example, Multinet running on VMS. From porpoise1954 at yahoo.co.uk Wed Oct 6 14:33:34 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 08:35:03 2004 Subject: [SpamCop-List] Virus spam - another one Message-ID: Here's another one from a different recipient but the same format: http://www.spamcop.net/sc?id=z679942095z45970f6bf0b5f55a7a8687dd07322498z Of course, without the original headers of the bounced mail, one can't track the original IP........... Another problem of bouncing stuff instead of dealing with it properly........... From porpoise1954 at yahoo.co.uk Wed Oct 6 14:37:21 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 08:40:02 2004 Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical. References: <415e419f.5257031@news.spamcop.net> <4163197E.5803@xyzzy.claranet.de> <41633C4D.2962@xyzzy.claranet.de> Message-ID: "Philip Homburg" wrote in message news:oicvqrmh9gbhtrfn2raauaf2j5@inews_id.stereo.hq.phicoh.net... 
> In article <41633C4D.2962@xyzzy.claranet.de>, > Frank Ellermann wrote: > >And that's the stuff you find in the new RfC 3834 about "Auto- > >Responders", quite interesting for all users getting _tons_ of > >unsolicited out-of-office etc. crap to forged MAIL FROM bounce > >addresses. > > > >| The Return-Path address is really the only one from the > >| message header that can be expected, as a matter of protocol, > >| to be suitable for automatic responses that were not > >| anticipated by the sender. > > I get most auto-responder junk as a result of a virus forging my e-mail > address as the envelope-from. > > The quoted text doesn't contain anything to reduce that problem. I can > imagine that this text helps against the junk you get from posting to a > mailing list, but for spam and viruses it doesn't do anything. > > My current policy is that when I get two pieces of junk from the same > organisation, their outgoing MTAs go in my blocklist. > Of course, this is the whole problem of bouncing stuff - it does nothing to solve the problem - only makes it worse by not dealing with the problem properly and adds to the "noise". From porpoise1954 at yahoo.co.uk Wed Oct 6 14:43:23 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 08:45:07 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: "Blammo" wrote in message news:Xns957A255D25F37blammo@216.154.195.61... > On 06 Oct 2004 Porpoise entered spamcop and left > news:ck0gvi$re4$1@news.spamcop.net: > > > I know it contained a virus - that wasn't the purpose of the parse. It > > was the fact that the person was purportedly advising me that the > > original mail was sent by me - which it wasn't - so it was made up to > > *look like* I had sent them a virus and that they had bounced it back > > to me. > > It was not sent by a person, but a virus, that's what I said. > > http://www.f-secure.com/v-descs/mydoom_m.shtml > -- > | Ric Sorry, must have misunderstood what you said.....
When you said "It's a virus" I didn't realise you meant it was *sent by* a virus...... So, should we be informing the sender that they've been infected........???? and to update their AV From nobody at spamcop.net Wed Oct 6 10:29:16 2004 From: nobody at spamcop.net (Ellen) Date: Wed Oct 6 09:35:17 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: "Tobias Katz" wrote in message news:ck0b9p$hsk$1@news.spamcop.net... > Hi Group, > > We are listed on bl.spamcop.net > (http://www.spamcop.net/w3m?action=blcheck&ip=194.25.145.146). In the last > 48 hours there was no E-Mail to a trap. Why we still are listed? > > Can anybody help me? > > Thanks > > Tobias Katz > CIM-Team GmbH > > There is continuing spam to our spamtraps from IP 194.25.145.146. This appears to be the SMTp/AUTH exploit; see these articles: http://news.spamcop.net/cgi-bin/fom?file=372 http://www.winnetmag.com/article/articleid/40507/40507.html http://www.winnetmag.com/article/articleid/42406/42406.html http://support.microsoft.com/default.aspx?scid=KB;EN-US;324958#4 Ellen SpamCop From baloo at ursine.dyndns.org Wed Oct 6 07:30:39 2004 From: baloo at ursine.dyndns.org (Paul Johnson) Date: Wed Oct 6 09:50:04 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: Message-ID: <87fz4synwg.fsf@ursine.dyndns.org> <#secure method=pgp mode=sign> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Tobias Katz" writes: > Hi Group, > > We are listed on bl.spamcop.net > (http://www.spamcop.net/w3m?action=blcheck&ip=194.25.145.146). In the last > 48 hours there was no E-Mail to a trap. Why we still are listed? > > Can anybody help me? 72 is the magic number, not 48. 
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBY/OBUzgNqloQMwcRApt7AJsGUmiQB5/Zw3o9vju4IIy/v2SY4gCgjJch 5wW0VM04uO2zzzxYFLHLFDs= =8c5W -----END PGP SIGNATURE----- From nobody at devnull.spamcop.net Wed Oct 6 14:50:35 2004 From: nobody at devnull.spamcop.net (JohnL) Date: Wed Oct 6 09:55:04 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: Paul Johnson scribbled in news:87fz4synwg.fsf@ursine.dyndns.org: > 72 is the magic number, not 48. You REALLY need to check before stating something... http://www.spamcop.net/fom-serve/cache/76.html From tmcgraw at spamcop.net Wed Oct 6 08:16:36 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Oct 6 10:20:04 2004 Subject: [SpamCop-List] Re: More about your IQ References: Message-ID: <4163FE44.9090803@spamcop.net> Blammo wrote: > > Verio are not sleazoids. With 77 ROKSO listings? From nobody at spamcop.net Wed Oct 6 11:11:46 2004 From: nobody at spamcop.net (Ellen) Date: Wed Oct 6 10:20:11 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: "Paul Johnson" wrote in message news:87fz4synwg.fsf@ursine.dyndns.org... > > 72 is the magic number, not 48. ??? Ellen From tmcgraw at spamcop.net Wed Oct 6 08:21:47 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Oct 6 10:25:04 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: <4163FF7B.9070205@spamcop.net> Porpoise wrote: > > So, should we be informing the sender that they've been infected........???? > and to update their AV I keep it as simple as possibly, using the subject line: "You have a virus at " and a short body (with the unmunged headers and deleting the viral attachment) urging them to "take appropriate action." I also include the security@isp addy. 
From tmcgraw at spamcop.net Wed Oct 6 08:51:37 2004 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Oct 6 10:55:03 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: <41640679.6030601@spamcop.net> Ellen wrote: > "Paul Johnson" wrote in message > news:87fz4synwg.fsf@ursine.dyndns.org... > >>72 is the magic number, not 48. > > ??? > > Ellen Perhaps if we ran it through his PGP key it would make sense. From gospamming at yourdomain.invalid Wed Oct 6 16:16:56 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Wed Oct 6 11:20:03 2004 Subject: [SpamCop-List] Re: Virus spam - another one References: Message-ID: "Porpoise" wrote in news:ck0onr$882$1@news.spamcop.net: > Here's another one from a different recipient but the same format: > > http://www.spamcop.net/sc?id=z679942095z45970f6bf0b5f55a7a8687dd0732249 > 8z > > > Of course, without the original headers of the bounced mail, one can't > track the original IP........... Another problem of bouncing stuff > instead of dealing with it properly........... > > > Ehm... this one also is not a real bounce, but a virm propagation. The infected machine is 62.49.206.2 -- Daniel Diaz From porpoise1954 at yahoo.co.uk Wed Oct 6 17:31:53 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 11:35:03 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> <41640679.6030601@spamcop.net> Message-ID: "Tim McGraw" wrote in message news:41640679.6030601@spamcop.net... > Ellen wrote: > > "Paul Johnson" wrote in message > > news:87fz4synwg.fsf@ursine.dyndns.org... > > > >>72 is the magic number, not 48. > > > > ??? > > > > Ellen > > Perhaps if we ran it through his PGP key it would make sense. > Perhaps his PGP key *IS* the magic number................. 
From porpoise1954 at yahoo.co.uk Wed Oct 6 17:58:14 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 12:00:32 2004 Subject: [SpamCop-List] Re: Virus spam References: <4163FF7B.9070205@spamcop.net> Message-ID: "Tim McGraw" wrote in message news:4163FF7B.9070205@spamcop.net... > Porpoise wrote: > > > > So, should we be informing the sender that they've been infected........???? > > and to update their AV > > I keep it as simple as possibly, using the subject line: "You have a > virus at " and a short body (with the unmunged headers and deleting > the viral attachment) urging them to "take appropriate action." > > I also include the security@isp addy. > Well, the From: is definitely spoofed as I've just spoken to a person and they've just done another full system AV scan and are definitely not infected with the W32.Mydoom.M@mm virus. Of course that's the nature of viruses - self-propagating.............. From firewoman at default.domain.not.available Wed Oct 6 13:05:52 2004 From: firewoman at default.domain.not.available (Firewoman) Date: Wed Oct 6 12:05:02 2004 Subject: [SpamCop-List] Needing Header Reading Expertise! Message-ID: Our mailhost merged with a new company recently, and I've been fighting with them about their spam filtering. We prefer to do our own filtering because our ISP's spam filter was filtering EVERYTHING. They claim they have shut the filter off. However, I still keep getting the following two lines in every single header of every single e-mail (confirmed company-wide, happening to everyone): X-PMX-Version: 4.7.0.111621, Antispam-Engine: 2.0.1.0, Antispam-Data: 2004.10.5.6 X-nupop-filename: /Maildir:1097077898.27696_0.mx03.gnvlscdb.sys.MUNGEDISP.net Is our e-mail still being filtered, or does this appear to be added in while being passed through the filter? If anyone can decipher this, I'd greatly appreciate it! TIA! 
From MikeE at ster.invalid Wed Oct 6 10:27:50 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Oct 6 12:30:03 2004 Subject: [SpamCop-List] Re: Needing Header Reading Expertise! References: Message-ID: Firewoman wrote: > They claim they have shut the filter off. > X-PMX-Version: 4.7.0.111621, Antispam-Engine: 2.0.1.0, Antispam-Data: > 2004.10.5.6 > If anyone can decipher this, I'd greatly appreciate it! I think if it is turned on you get a X-PerlMx-Spam line which works like the SpamAssassin line for Sophos's ActiveState PureMessage This page http://www.cs.indiana.edu/Facilities/notices/Spam.html told me more than the Sophos page http://www.activestate.com/Products/PureMessage/ So, maybe if it doesn't have that line, the filter isn't doing anything but stamping its version/engine. But I dunno, really. -- Mike Easter kibitzer, not SC admin From Spam_N_Scams_Reporter at yahoo.whatever Wed Oct 6 11:32:55 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Wed Oct 6 13:35:14 2004 Subject: [SpamCop-List] Re: Needing Header Reading Expertise! In-Reply-To: References: Message-ID: Firewoman wrote: > Our mailhost merged with a new company recently, and I've been fighting with > them about their spam filtering. We prefer to do our own filtering because > our ISP's spam filter was filtering EVERYTHING. > > They claim they have shut the filter off. However, I still keep getting the > following two lines in every single header of every single e-mail (confirmed > company-wide, happening to everyone): > > X-PMX-Version: 4.7.0.111621, Antispam-Engine: 2.0.1.0, Antispam-Data: > 2004.10.5.6 > X-nupop-filename: > /Maildir:1097077898.27696_0.mx03.gnvlscdb.sys.MUNGEDISP.net > > Is our e-mail still being filtered, or does this appear to be added in while > being passed through the filter? > > If anyone can decipher this, I'd greatly appreciate it! > > TIA! > > I have my ISP's spam filtering turned off for one of my accounts. 
The SpamAssassin headers are still added, including what it finds. It just doesn't act on it. From nobody at spamcop.net Wed Oct 6 14:33:47 2004 From: nobody at spamcop.net (indigo) Date: Wed Oct 6 13:35:32 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: JohnL wrote: > Paul Johnson scribbled in > news:87fz4synwg.fsf@ursine.dyndns.org: > > > 72 is the magic number, not 48. > > You REALLY need to check before stating something... > http://www.spamcop.net/fom-serve/cache/76.html Who? PJ? Surely you jest! From asterix at no_where.net Wed Oct 6 20:58:14 2004 From: asterix at no_where.net (Asterix) Date: Wed Oct 6 14:00:05 2004 Subject: [SpamCop-List] Re: Virus spam References: <4163FF7B.9070205@spamcop.net> Message-ID: <1gl92un.12g6zq2v1ftpsN%asterix@no_where.net> Come on guys ! How hard is it to read up a little on what this virm actually does: http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.m@mm.html Especially look at the description at 8. It is designed to send a mail that looks like bounced spam! And " The From address will be spoofed. " Does it look familiar, Porpoise ? Tim McGraw wrote: > Porpoise wrote: > > > > So, should we be informing the sender that they've been infected........???? > > and to update their AV > > I keep it as simple as possibly, using the subject line: "You have a > virus at " and a short body (with the unmunged headers and deleting > the viral attachment) urging them to "take appropriate action." Don't ! The sender's addy is stolen from the infected computer's address book (or mailboxes). "Sender" is an innocent bystander. You may tell the ISP of the originating IP address - and at the same time tell them that you suspect the computer is hijacked as a spam proxy. The virm installs a Trojan that can probably be used for that.
-- I recommend Macs to my friends, and Intel machines to those whom I don't mind billing by the hour From ric.gates at bigsleep.org Wed Oct 6 19:35:05 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Oct 6 14:40:03 2004 Subject: [SpamCop-List] Re: More about your IQ References: Message-ID: On 06 Oct 2004 Bob W. entered spamcop and left news:responseguard-CE5B86.10064406102004@news.cesmail.net: >> Silly me, I missed your other post. Some nice person signed you up. > > Some nice person called "Tickle". > >> They are attempting to remind you to confirm your registration, >> report it as spam. > > Thanks, but I did that immediately. > > The point of my posting this spam was not to ask whether it should be > reported as spam. It was to let people know the sleazoid tactics that > Tickle uses. > All your accusations are complete assumptions. Websites have been operating this way for as long as I can remember, and suddenly you assume they're all out to get you. If you really want to blemish someone's reputation, you should at least provide some proof, that was the point of my reply. If you really hate Verio, then you should quit visiting spamcop.net. -- | Ric | From ric.gates at bigsleep.org Wed Oct 6 19:42:57 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Oct 6 14:45:03 2004 Subject: [SpamCop-List] Re: More about your IQ References: Message-ID: On 06 Oct 2004 Bob W. entered spamcop and left news:responseguard-1308ED.10045106102004@news.cesmail.net: > In article , > Blammo wrote: > >> On 05 Oct 2004 Bob W. entered spamcop and left news:responseguard- >> A20587.21021905102004@news.cesmail.net: >> >> > Second Tickle spam, posted in .spam, supposedly reveals the results >> > of a "free IQ test" that I took earlier today. >> > >> > Fraud. >> > >> >> It doesn't actually say that, nowhere does it claim you were ever >> there. > > Of course it does. > > It gives the results of an IQ test. To take an IQ test, you have to > actually be there.
Gee you're dumb, it doesn't say it was the result of your test. Besides, I said I missed your other post, so someone else could have taken it, duh. > >> I'd bet they got your address from someone else you subscribed to at >> one time. > > They bought the address from a spam list vendor. Oh really? Which one. Oh, wait, perhaps the spam vendor submitted you, I probably would if I was a spam vendor. >> >> So maybe express. is for fishing for new ones, so report it as spam. >> It looks legit, though attempts to mislead you, and it's questionable >> how they got your address in the first place. > > "Questionable"? > Yes questionable, oh, you "know" how they got it... >> > Again, hosted by the sleazoids at Verio, so the fraud will likely >> > continue unchecked. >> > >> >> I doubt it, Verio are not sleazoids. > > What planet are you from? > > Verio has been hosting spammers for ages. > Gee, so who hasn't. Like I said in my other post... -- | Ric | From Kilgallen at SpamCop.net Wed Oct 6 15:14:18 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Oct 6 15:15:02 2004 Subject: [SpamCop-List] Re: Virus spam References: <4163FF7B.9070205@spamcop.net> Message-ID: <5yOt6oAqnI8t@eisner.encompasserve.org> In article <4163FF7B.9070205@spamcop.net>, Tim McGraw writes: > Porpoise wrote: >> >> So, should we be informing the sender that they've been infected........???? >> and to update their AV > > I keep it as simple as possibly, using the subject line: "You have a > virus at " and a short body (with the unmunged headers and deleting > the viral attachment) urging them to "take appropriate action." > > I also include the security@isp addy. So you are spamming their Security@ address without direct knowledge of what they use it for ? What makes you think it is not the people with the guns and guard dogs patrolling the fence ? 
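Added example (not part of any list post): the Mydoom.M messages discussed in the "Virus spam" thread forge the From: address, so a report belongs with whoever owns the IP that handed the mail to your own server. The sketch below walks the Received: chain from the top and believes only lines written by hosts you run; the host names, networks and sample message are constructed placeholders, and only IPv4 literals are handled.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample of a Mydoom-style fake "bounce". Every host and IP is a
# documentation value (example.* names, RFC 5737 ranges), not from the thread.
SAMPLE = """\
Return-Path: <innocent.bystander@example.org>
Received: from mail.example.org (unknown [192.0.2.45])
    by mx1.myisp.example (Postfix) with ESMTP id 4F2A1
    for <me@myisp.example>; Wed, 6 Oct 2004 14:20:11 +0100
Received: from relay.bigbank.example ([198.51.100.7])
    by mail.example.org with SMTP; Wed, 6 Oct 2004 14:19:58 +0100
From: "Mail Delivery Subsystem" <innocent.bystander@example.org>
To: me@myisp.example
Subject: Returned mail: see transcript for details

The original message was included as attachment
"""

BY_HOST = re.compile(r"(?:^|\s)by\s+([A-Za-z0-9.-]+)", re.I)
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Return (recording_host, peer_ip or None) for one Received: value,
    or None when the line has no 'by' clause at all."""
    flat = " ".join(value.split())            # undo header folding
    by = BY_HOST.search(flat)
    if not by:
        return None
    # Only look for the peer address in the 'from' clause, i.e. before 'by'.
    hit = PEER_IP.search(flat[:by.start()])
    peer = None
    if hit:
        try:
            peer = ipaddress.ip_address(hit.group(1))
        except ValueError:
            peer = None                       # e.g. [999.1.1.1]
    return by.group(1).lower(), peer


def reportable_origin(raw, trusted_hosts, trusted_nets):
    """Find the first IP outside our own network that connected to one of
    our own servers. Received: lines below that point, and the From:
    header, can be written by the sender and are not used."""
    msg = email.message_from_string(raw)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin, believed = None, 0
    for hop in hops:                          # newest hop first
        if hop is None or hop[0] not in trusted_hosts:
            break                             # not written by us: forgeable
        believed += 1
        peer = hop[1]
        if peer is None:
            break                             # no SMTP peer recorded
        if any(peer in net for net in nets):
            continue                          # hand-off between our relays
        origin = str(peer)
        break
    return {
        "report_ip": origin,                  # look this up for an abuse contact
        "header_from": parseaddr(msg.get("From", ""))[1],  # forged, do not mail
        "unverified_hops": len(hops) - believed,
    }


if __name__ == "__main__":
    # Assumed setup: one inbound MX we run, one internal network.
    print(reportable_origin(SAMPLE, {"mx1.myisp.example"}, ["203.0.113.0/24"]))
```

A result with report_ip set to None means no line written by your own servers named an outside peer, which is the case Larry Kilgallen notes for mail not received by SMTP.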
From nobody at spamcop.net Wed Oct 6 17:15:05 2004 From: nobody at spamcop.net (Pop (was Spamcop by accident)) Date: Wed Oct 6 16:20:06 2004 Subject: [SpamCop-List] OT? Strange event - comments? Message-ID: Hi, I'm afraid this might be off topic, but I thought I'd give you guys a try anyway; you certainly know your way around the web etc. I'm lost as to what to do next; this is a new one on me. I had OE open and had accessed an MVP site to remember how to move My Documents folder to another drive. So, I did a Copy of the info I wanted, and opened Word to put it into a file for posterity. When Word opened, it wanted to ccess ----------nic.phys.ethz.ch (each "-" is actually a space). When Word opened, I was alerted by my firewall that Word wanted to access nic.phys.ethz.ch, and should I let it? Of course, I Denied it. It wanted to go to nic.phys.ethz.ch, and the spaces there ARE present in the address display; the address is offset approximately a tab space+ from the way they normally display. I looked it up on Spamcop and came up with: Reporting addresses: armin.brunner@id.ethz.ch but, uhh, well, what good is that? Spamcop, when fed the IP, came back with: --------- Parsing input: 129.132.86.219 host 129.132.86.219 = rauti.ethz.ch (cached) Routing details for 129.132.86.219 [refresh/show] Cached whois for 129.132.86.219 : armin.brunner@id.ethz.ch Using last resort contacts armin.brunner@id.ethz.ch ---------- and, searching for id.ethz.ch resulted in: ------- Parsing input: id.ethz.ch Cannot resolve id.ethz.ch No valid email addresses found, sorry! ------ Anyone have ANY idea what this is/was/might be? Or what kind of malicious code/etc it is? Yes, I do intend to send a note to ethz.net from my throw-away, but I don't expect them to be very helpful. The full details from the firewall alert are at the end of this post and gives more info. It wanted to use port 1564. It's not terribly long. 
Oh, and yes, I did look for Word macros and there were only the two that I use fequently for faxes, nothing strange anywhere as far as I could see. Interestingly enough, I was unable to access any of the three newsgroup hosts I frequent, including this one, until I closed/reopened OE. Email worked fine, only the newsgroups were fouled up; error; Cannot Find Host. The Address book, etc. were all OK. My Norton, Adaware, Spybot S&D, Spywear guard or whatever it's called, are all up to date and found nothing. Yes, I checked for updates on all of them just before doing the scan. I'll look for another one or two malware scanners later tonite if I get a chance. I cannot imagine this is a legit access, not to .ch. XP Pro, SP2 installed three weeks ago. No other programs were open at the time. Logs showed nothing unusual that I could find, system or traffic. Dialup, variable IP. Nothing else strange or untoward is happening. Yet . Thanks for your expertise and any thoughts you may have. Regards, Pop -- ----- Firewall Alert ------ File Version : 10.0.2627.0 File Description : Microsoft Word (WINWORD.EXE) File Path : C:\Program Files\Microsoft Office\Office10\WINWORD.EXE Process ID : 0xC0 (Heximal) 192 (Decimal) Connection origin : local initiated Protocol : TCP Local Address : 66.218.11.28 Local Port : 1564 Remote Name : nic.phys.ethz.ch Remote Address : 129.132.86.219 Remote Port : 80 (HTTP - World Wide Web) Ethernet packet details: Ethernet II (Packet Length: 76) Destination: 03-00-20-00-03-00 Source: 00-00-03-00-00-00 Type: IP (0x0800) Internet Protocol Version: 4 Header Length: 20 bytes Flags: .1.. = Don't fragment: Set ..0. 
= More fragments: Not set Fragment offset:0 Time to live: 128 Protocol: 0x6 (TCP - Transmission Control Protocol) Header checksum: 0x227e (Correct) Source: 66.218.11.28 Destination: 129.132.86.219 Transmission Control Protocol (TCP) Source port: 1564 Destination port: 80 Sequence number: 120864482 Acknowledgment number: 0 Header length: 28 Flags: 0... .... = Congestion Window Reduce (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...0 .... = Acknowledgment: Not set .... 0... = Push: Not set .... .0.. = Reset: Not set .... ..1. = Syn: Set .... ...0 = Fin: Not set Checksum: 0x47f0 (Correct) Data (0 Bytes) Binary dump of the packet: 0000: 03 00 20 00 03 00 00 00 : 03 00 00 00 08 00 45 00 | .. ...........E. 0010: 00 30 56 50 40 00 80 06 : 7E 22 42 DA 0B 1C 81 84 | .0VP@...~"B..... 0020: 56 DB 06 1C 00 50 07 34 : 3E E2 00 00 00 00 70 02 | V....P.4>.....p. 0030: 20 00 F0 47 00 00 02 04 : 05 B4 01 01 04 02 73 04 | ..G..........s. 0040: 65 74 68 7A 02 63 68 00 : 00 01 00 01 | ----------- End ----------- From nobody at nowhere.invalid Wed Oct 6 23:15:55 2004 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Oct 6 16:20:17 2004 Subject: [SpamCop-List] Re: More about your IQ References: <4163FE44.9090803@spamcop.net> Message-ID: > Blammo wrote: >> >> Verio are not sleazoids. On Wed, 06 Oct 2004 07:16:36 -0700, Tim McGraw coughed into spamcop and left this in <4163FE44.9090803@spamcop.net>: > With 77 ROKSO listings? Where did you get that figure from? There are 10 SBL listings against Verio, admittedly 2 of which are ROKSO spammers. All the listings are single IPs except one /25 and one /24. -- Steve I don't approve of political jokes... I've seen too many of them get elected. From firewoman at default.domain.not.available Wed Oct 6 17:24:58 2004 From: firewoman at default.domain.not.available (Firewoman) Date: Wed Oct 6 16:25:03 2004 Subject: [SpamCop-List] Re: OT? Strange event - comments? 
References: Message-ID: "Pop (was Spamcop by accident)" wrote in message news:ck1jo9$jfc$1@news.spamcop.net... > Hi, > > I'm afraid this might be off topic, but I thought I'd give you > guys a try anyway; you certainly know your way around the web > etc. I'm lost as to what to do next; this is a new one on me. > > I had OE open and had accessed an MVP site to remember how to > move My Documents folder to another drive. So, I did a Copy of > the info I wanted, and opened Word to put it into a file for > posterity. When Word opened, it wanted to > ccess ----------nic.phys.ethz.ch (each "-" is actually a space). > When Word opened, I was alerted by my firewall that Word wanted > to access nic.phys.ethz.ch, and should I let it? Of > course, I Denied it. > > It wanted to go to nic.phys.ethz.ch, and the > spaces there ARE present in the address display; the address is > offset approximately a tab space+ from the way they normally > display. I looked it up on Spamcop and came up with: > Reporting addresses: > armin.brunner@id.ethz.ch > but, uhh, well, what good is that? > > Spamcop, when fed the IP, came back with: > --------- > Parsing input: 129.132.86.219 > host 129.132.86.219 = rauti.ethz.ch (cached) > Routing details for 129.132.86.219 > [refresh/show] Cached whois for 129.132.86.219 : > armin.brunner@id.ethz.ch > Using last resort contacts armin.brunner@id.ethz.ch > ---------- > and, searching for id.ethz.ch resulted in: > ------- > Parsing input: id.ethz.ch > Cannot resolve id.ethz.ch > No valid email addresses found, sorry! > ------ > > Anyone have ANY idea what this is/was/might be? Or what kind of > malicious code/etc it is? Yes, I do intend to send a note to > ethz.net from my throw-away, but I don't expect them to be very > helpful. > The full details from the firewall alert are at the end of > this post and gives more info. It wanted to use port 1564. > It's not terribly long. 
> Oh, and yes, I did look for Word macros and there were only > the two that I use fequently for faxes, nothing strange anywhere > as far as I could see. What was the web page you were copying and pasting from? When I do this, Word accesses the page that I'm pasting in order to download images and other code. Possibly the website had a link or was providing text to the specific page you were using? HTH From porpoise1954 at yahoo.co.uk Wed Oct 6 23:42:29 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 17:45:04 2004 Subject: [SpamCop-List] Magic numbers - was: Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: "indigo" wrote in message news:ck1a9s$4co$1@news.spamcop.net... > > > JohnL wrote: > > Paul Johnson scribbled in > > news:87fz4synwg.fsf@ursine.dyndns.org: > > > > > 72 is the magic number, not 48. > > > > You REALLY need to check before stating something... > > http://www.spamcop.net/fom-serve/cache/76.html > > Who? PJ? Surely you jest! > > Actually.................................................. He's right, 72 is a magic number. And 12, 30, 360, 2160, 25920, 36, 4320, 108, 10800, 54, 540, 54000 etc.......... However, there is an element of rounding involved (72 is more acurately calculated at 71.6 & 2160 gets rounded from 2148 by extension & 25920 is more accurately calculated at 25776). From glnews030922 at highspot.net Wed Oct 6 23:56:56 2004 From: glnews030922 at highspot.net (Graeme Leith) Date: Wed Oct 6 18:00:02 2004 Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net In-Reply-To: References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: Porpoise wrote: > Actually.................................................. He's right, 72 is > a magic number. And 12, 30, 360, 2160, 25920, 36, 4320, 108, 10800, 54, 540, > 54000 etc.......... 
However, there is an element of rounding involved (72 is > more acurately calculated at 71.6 & 2160 gets rounded from 2148 by extension > & 25920 is more accurately calculated at 25776). 550 5.7.1 & 553 5.3.0 are also magic numbers. ;-) -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From nobody at devnull.spamcop.net Wed Oct 6 23:04:22 2004 From: nobody at devnull.spamcop.net (JohnL) Date: Wed Oct 6 18:05:04 2004 Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: Graeme Leith scribbled in news:ck1pl8$sbd$1@news.spamcop.net: > Porpoise wrote: > >> Actually.................................................. He's >> right, 72 is a magic number. And 12, 30, 360, 2160, 25920, 36, >> 4320, 108, 10800, 54, 540, 54000 etc.......... However, there is >> an element of rounding involved (72 is more acurately calculated >> at 71.6 & 2160 gets rounded from 2148 by extension & 25920 is >> more accurately calculated at 25776). > > 550 5.7.1 & 553 5.3.0 are also magic numbers. ;-) > You're BOTH a little strange. ;-) From porpoise1954 at yahoo.co.uk Thu Oct 7 00:19:12 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 18:20:04 2004 Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: "JohnL" wrote in message news:Xns957AA380A6087nobodyspamcopnet@216.154.195.61... > Graeme Leith scribbled in > news:ck1pl8$sbd$1@news.spamcop.net: > > > Porpoise wrote: > > > >> Actually.................................................. He's > >> right, 72 is a magic number. And 12, 30, 360, 2160, 25920, 36, > >> 4320, 108, 10800, 54, 540, 54000 etc.......... 
However, there is > >> an element of rounding involved (72 is more acurately calculated > >> at 71.6 & 2160 gets rounded from 2148 by extension & 25920 is > >> more accurately calculated at 25776). > > > > 550 5.7.1 & 553 5.3.0 are also magic numbers. ;-) > > > > You're BOTH a little strange. ;-) And each speaking totally different numbers...... The ones I quoted are to do with precession and the codification dates back thousands of years and is encoded into the Osiris myth. The most important of these is the number 72 (or 71.6 as it has now been re-calculated using modern science and mathematics) which is the number of years required for the equinoctial sun to complete a precesional shift of one degree along the ecliptic. From glnews030922 at highspot.net Thu Oct 7 00:27:56 2004 From: glnews030922 at highspot.net (Graeme Leith) Date: Wed Oct 6 18:30:03 2004 Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net In-Reply-To: References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: Porpoise wrote: > "JohnL" wrote in message > news:Xns957AA380A6087nobodyspamcopnet@216.154.195.61... > >>Graeme Leith scribbled in >>news:ck1pl8$sbd$1@news.spamcop.net: >> >> >>>Porpoise wrote: >>> >>> >>>>Actually.................................................. He's >>>>right, 72 is a magic number. And 12, 30, 360, 2160, 25920, 36, >>>>4320, 108, 10800, 54, 540, 54000 etc.......... However, there is >>>>an element of rounding involved (72 is more acurately calculated >>>>at 71.6 & 2160 gets rounded from 2148 by extension & 25920 is >>>>more accurately calculated at 25776). >>> >>>550 5.7.1 & 553 5.3.0 are also magic numbers. ;-) >>> >> >>You're BOTH a little strange. ;-) > > > And each speaking totally different numbers...... The ones I quoted are to > do with precession and the codification dates back thousands of years and is > encoded into the Osiris myth. 
The most important of these is the number 72 > (or 71.6 as it has now been re-calculated using modern science and > mathematics) which is the number of years required for the equinoctial sun > to complete a precesional shift of one degree along the ecliptic. Mine are more on topic. They are the SMTP error codes and DSNs (Delivery Status Notifications) for relaying denied and ruleset based rejects. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From nobody at devnull.spamcop.net Wed Oct 6 23:26:54 2004 From: nobody at devnull.spamcop.net (JohnL) Date: Wed Oct 6 18:30:12 2004 Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: "Porpoise" scribbled in news:ck1r1p$usd$1@news.spamcop.net: > > "JohnL" wrote in message > news:Xns957AA380A6087nobodyspamcopnet@216.154.195.61... >> You're BOTH a little strange. ;-) > > And each speaking totally different numbers...... The ones I > quoted are to do with precession and the codification dates back > thousands of years and is encoded into the Osiris myth. The most > important of these is the number 72 (or 71.6 as it has now been > re-calculated using modern science and mathematics) which is the > number of years required for the equinoctial sun to complete a > precesional shift of one degree along the ecliptic. > I stand by my statement. ;-) From porpoise1954 at yahoo.co.uk Thu Oct 7 00:32:35 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 6 18:35:03 2004 Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> Message-ID: "Graeme Leith" wrote in message news:ck1rf5$vm8$1@news.spamcop.net... > Porpoise wrote: > > "JohnL" wrote in message > > news:Xns957AA380A6087nobodyspamcopnet@216.154.195.61... 
> > < > >You're BOTH a little strange. ;-) > > > > > > And each speaking totally different numbers...... The ones I quoted are to > > do with precession and the codification dates back thousands of years and is > > encoded into the Osiris myth. The most important of these is the number 72 > > (or 71.6 as it has now been re-calculated using modern science and > > mathematics) which is the number of years required for the equinoctial sun > > to complete a precesional shift of one degree along the ecliptic. > > Mine are more on topic. They are the SMTP error codes and DSNs (Delivery > Status Notifications) for relaying denied and ruleset based rejects. > Are you insinuating I'm a ruleset based reject?....... (];-)> From e.schrama_NOSPAM at NOSPAM_hccnet.nl Thu Oct 7 01:37:06 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Wed Oct 6 18:40:03 2004 Subject: [SpamCop-List] High number of bounces Message-ID: Is this anomalous? http://www.spamcop.net/sc?action=rcache;ip=222.170.7.250 It contains the text: Using best contacts network@hljtele.com postmaster@hljtele.com anti-spam@ns.chinanet.cn.net anti-spam@ns.chinanet.cn.net bounces (102 sent : 23203 bounces) Why are there so many bounces, is this necessary? Do the chinese really care about spam reports? From rcarlton at spamcop.net Wed Oct 6 16:41:36 2004 From: rcarlton at spamcop.net (Rick Carlton) Date: Wed Oct 6 18:45:03 2004 Subject: [SpamCop-List] Re: Complete your Tickle Registration In-Reply-To: References: Message-ID: Bob W. wrote: > > Congrats on leaving their den of iniquity. > Actually, that firm got shut down when its primary backers - IBM - refused to back any more. The reputation of having worked there sullies my resume to this day. From ric.gates at bigsleep.org Thu Oct 7 00:33:22 2004 From: ric.gates at bigsleep.org (Blammo) Date: Wed Oct 6 19:35:19 2004 Subject: [SpamCop-List] Re: More about your IQ References: Message-ID: On 06 Oct 2004 Bob W. 
entered spamcop and left
news:responseguard-4ADEBB.15235106102004@news.cesmail.net:

> If you really like trolling this much, maybe *you* should stop visiting
> spamcop.net.
>

I don't see why ;-)
I was trying to have a reasonable discussion about your post, apparently you don't want that. So I guess there's no point in any discussion with you.

> I've been here one hell of a lot longer than you.
>

Another assumption.

--
| Ric
|

From MikeE at ster.invalid Wed Oct 6 17:35:51 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 6 19:35:36 2004
Subject: [SpamCop-List] Re: High number of bounces
References:
Message-ID:

geo_splash_12 wrote:
> Is this anomalous?
> anti-spam@ns.chinanet.cn.net bounces (102 sent : 23203 bounces)
>
> Why are there so many bounces, is this necessary? Do the Chinese
> really care about spam reports?

No, they don't. The business about notifying for .cn IPs is very difficult. You can spend your time resources some other ways. If you look at this one dissected you can see how it all goes.

222.170.7.250 no rDNS

whois -h whois.apnic.net 222.170.7.250 ...
inetnum: 222.170.0.0 - 222.172.127.255
netname: CHINATELECOM-HL
descr: CHINANET heilongjiang province network
admin-c: CH93-AP =
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
tech-c: LZ298-AP =
e-mail: network@hljtele.com

aut-num: AS17897
as-name: CHINATELECOM-HLJ-AS-AP
descr: asn for Heilongjiang Provincial Net of CT
admin-c: CH93-AP = see above
tech-c: YY246-AP =
e-mail: yuyuan@cndata.com

222.170.7.248/29 [8 IPs] is listed on the Spamhaus Block List (SBL) indicating nonresponsiveness
- also numerous spamsource lists, csma, dnsbl, moensted, orid, psbl, spamhaus xbl, spamcop, & wpbl.
- suggesting you might consider upstream ASN adjacencies to notify, but...

Upstream Adjacent AS list for AS17897
AS4134 CHINANET-BACKBONE No.31,Jin-rong Street
nic-hdl: CH93-AP = see above

and there's not really anywhere to go from there.
It is a waste of time to analyze how to notify. A tracert shows the last 8-10 hops being the target and that backbone. Eventually you get to sprint on the route to me.

If you put the naked IP into the parser, SC suggests the notify to be
Reporting addresses:
network@hljtele.com
postmaster@hljtele.com
which is the abuse.net reg'd for hljtele minus the bouncing addy you mentioned at the top

whois -h whois.abuse.net hljtele.com ...
anti-spam@ns.chinanet.cn.net
network@hljtele.com
postmaster@hljtele.com
(for hljtele.com)

IMO, you would do just as well to not notify providers of webspace for .cn and .kr sites. You might attack by some other strategy. The SC notify for spamvertiser doesn't have teeth, so why bother? Naturally the source report should be made to count toward the SCbl.

How many minutes do you think you should spend like the above determining how to notify for a .cn webspace spamvertiser? Probably none.

--
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org Thu Oct 7 00:37:12 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Wed Oct 6 19:40:03 2004
Subject: [SpamCop-List] Re: Virus spam
References:
Message-ID:

On 06 Oct 2004 Porpoise entered spamcop and left
news:ck0pa8$96e$1@news.spamcop.net:

> So, should we be informing the sender that they've been
> infected........???? and to update their AV
>

I usually run the source IP through Spamcop and notify the ISP, in this case I'm not sure it would do any good. I'm sure the sender eMail is forged.

--
| Ric
|

From ric.gates at bigsleep.org Thu Oct 7 00:55:17 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Wed Oct 6 20:00:03 2004
Subject: [SpamCop-List] Re: Virus spam - another one
References:
Message-ID:

On 06 Oct 2004 D.Diaz entered spamcop and left
news:Xns957AAFCE04C7Cxnddmxn@216.154.195.61:

>> Of course, without the original headers of the bounced mail, one can't
>> track the original IP........... Another problem of bouncing stuff
>> instead of dealing with it properly...........
>>
>>
>>
>
> Ehm... this one also is not a real bounce, but a virm propagation. The
> infected machine is 62.49.206.2
>

Yes, on a real bounce the Return-Path should be <>
Though some virus scanners will put an address in there when bouncing, but then there wouldn't be any binary attachment.

--
| Ric
|

From MikeE at ster.invalid Wed Oct 6 18:01:20 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 6 20:05:03 2004
Subject: [SpamCop-List] Re: Virus spam
References:
Message-ID:

Blammo wrote:
> Porpoise
>> So, should we be informing the sender that they've been
>> infected........???? and to update their AV
>
> I usually run the source IP through Spamcop and notify the ISP, in
> this case I'm not sure it would do any good. I'm sure the sender
> eMail is forged.

The way I notify about those is to determine the virm identity, and then use 'tools' to help me figure out how to notify rather than what SC sez, depending. Here's what you see, with some abbreviation

62.49.206.2 rDNS mailgate.abexltd.co.uk
No abuse address is registered with abuse.net

inetnum: 62.49.206.0 - 62.49.206.7
netname: BXEA-ADSL
descr: DEMON ADSL CUSTOMER
descr: Abex Limited
ABUSE CONTACT: abuse@demon.net IN CASE OF INTRUSIONS, ILLEGAL ACTIVITY, ATTACKS, SCANS, PROBES, SPAM, ETC.

person: Martin Connop
address: Abex Limited
address: GB
e-mail: abex@lineone.net

Then my notify would attention about the source IP, tell the virm identity, and I would attach the headers and part of the body and mailto the demon abuse addy and Martin's.

Abex is some kind of truck equipment place, used, rentals.

--
Mike Easter
kibitzer, not SC admin

From ric.gates at bigsleep.org Thu Oct 7 01:23:40 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Wed Oct 6 20:25:24 2004
Subject: [SpamCop-List] Re: Needing Header Reading Expertise!
References:
Message-ID:

On 06 Oct 2004 Spam N Scams Reporter entered spamcop and left
news:ck1a8b$4ac$1@news.spamcop.net:

> I have my ISP's spam filtering turned off for one of my accounts. The
> SpamAssassin headers are still added, including what it finds. It just
> doesn't act on it.
>

You can remove all the headers Spamassassin adds except for the X-Spam-Version header. On my ISP Spamassassin runs from Procmail, and if I remove the Spamassassin rule from Procmail it won't filter my mail at all.
However if the spam filtering engine is run by the mailer daemon, during the SMTP phase, you usually can't disable it per user, it's system wide, and you have to add a rule to skip the checks for mail sent to certain users. This is because there is only one copy of the message, and copies are made for each recipient after the mail is filtered and accepted.
I am only familiar with a couple MTAs, but it is entirely possible that some of your mail is being filtered. On another ISP I have the spam filter turned off, but I still sometimes get spam with an appended *** Possible Spam *** subject, and it's always sent to multiple users. Apparently only messages sent only to me are NOT filtered.

--
| Ric
|

From ric.gates at bigsleep.org Thu Oct 7 01:40:00 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Wed Oct 6 20:40:03 2004
Subject: [SpamCop-List] Re: Virus spam
References:
Message-ID:

On 06 Oct 2004 Mike Easter entered spamcop and left
news:ck20u9$8qe$1@news.spamcop.net:

> The way I notify about those is to determine the virm identity, and then
> use 'tools' to help me figure out how to notify rather than what SC sez,
> depending. Here's what you see, with some abbreviation
>

Yes, that would be better, but I really don't care what the virus is, as long as I know it's a virus. Spamcop usually will give an ISP abuse address, and I'm usually there anyway. But on this particular source, I would do more Digging.
What "tools" did you use?
--
| Ric
|

From MikeE at ster.invalid Wed Oct 6 19:51:53 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 6 21:55:08 2004
Subject: [SpamCop-List] Re: Virus spam
References:
Message-ID:

Blammo wrote:
> What "tools" did you use?

Just SamSpade personal's console accessible stuff.

The advantage to naming the virm is that I'm not sending it in the notify. Naming or characterizing it is more 'convincing' that I got it, I analyzed it, I know what I'm talking about, and I'm telling them about it.

If there's some 'trust me' in there; you should be backing it up with something. Isolated trust me ain't too impressive or convincing

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Oct 7 12:21:52 2004
From: nobody at devnull.spamcop.net (Patto)
Date: Wed Oct 6 22:25:20 2004
Subject: [SpamCop-List] Re: High number of bounces
References:
Message-ID:

"geo_splash_12" wrote in message news:ck1s2l$17d$1@news.spamcop.net...
> Is this anomalous?
>
> http://www.spamcop.net/sc?action=rcache;ip=222.170.7.250
>
> It contains the text:
>
> Using best contacts network@hljtele.com postmaster@hljtele.com
> anti-spam@ns.chinanet.cn.net
> anti-spam@ns.chinanet.cn.net bounces (102 sent : 23203 bounces)

Just use anti-spam@chinanet.cn.net - it doesn't bounce.

From wb8tyw at qsl.network Wed Oct 6 23:32:00 2004
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Wed Oct 6 22:35:03 2004
Subject: [SpamCop-List] Re: Virus spam
In-Reply-To: <5yOt6oAqnI8t@eisner.encompasserve.org>
References: <4163FF7B.9070205@spamcop.net> <5yOt6oAqnI8t@eisner.encompasserve.org>
Message-ID:

Larry Kilgallen wrote:
>
> So you are spamming their Security@ address without direct knowledge
> of what they use it for ? What makes you think it is not the people
> with the guns and guard dogs patrolling the fence ?

Earthlink used to auto-ack anything that they detected as a virus report that it was being redirected to their security@ address, and in the future to report viruses directly there.

When I started getting viruses from an Earthlink customer in January, that message was missing from the auto-acks. Also missing was any action taken against the infected machine, and the virus scanner on the same network that was insisting on telling me about the infected machine on a non-routable address.

After a week, the infection spread to the machine with the virus scanner. It was only after that that someone stopped the worm.

About a month later, the same network got infected, and the virus scanner thought that I should know about it. This time apparently Earthlink took quick action.

But for many ISP's the security@ address will get viruses fixed faster. Unfortunately there is no way to know in advance.

Most of the ISP's that I report misconfigured worm scanners to do not have a working abuse address, and their postmaster address is over quota. Many of them are bouncing plain text messages that contain their own virus report because they find it suspicious.

-John
wb8tyw@qsl.network
Personal Opinion Only

From MikeE at ster.invalid Wed Oct 6 20:53:50 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 6 22:55:02 2004
Subject: [SpamCop-List] Re: Virus spam
References: <4163FF7B.9070205@spamcop.net> <5yOt6oAqnI8t@eisner.encompasserve.org>
Message-ID:

John E. Malmberg wrote:
> Larry Kilgallen wrote:
>>
>> So you are spamming their Security@ address without direct knowledge
>> of what they use it for ?

> Earthlink used to auto-ack anything that they detected as a virus
> report that it was being redirected to their security@ address, and
> in the future to report viruses directly there.

> But for many ISP's the security@ address will get viruses fixed
> faster. Unfortunately there is no way to know in advance.

> Most of the ISP's that I report misconfigured worm scanners to do not
> have a working abuse address, and their postmaster address is over
> quota. Many of them are bouncing plain text messages that contain
> their own virus report because they find it suspicious.

We see here an abrogation of provider responsibility
- that of improper behaviors toward managing mails with bogus Froms in virms and spams
- that of incompetence at policing virm and trojan propagation from their own users
- that of not being able to properly handle abuse address directed notification of security related issues absent a security published address.

If the various smtp traffickers, including the littlest personal servers, naturally including ISP providers, also including backbones and all the little pieces that lie between those, were licensed -- such incompetent irresponsibility behaviors would or should be easily targetable - 'simple' fines to get their attention attached to potential loss of license.

There's already a potential underlying structure there which is successfully globally managing a medium -- the FCC and its kindred global spirits. Worldwide air traffic control, for example, is not a problem.

--
Mike Easter
kibitzer, not SC admin

From mfkmek820 at yahoo.com Wed Oct 6 22:22:04 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 00:25:15 2004
Subject: [SpamCop-List] Test
Message-ID:

Testing new post

From mfkmek820 at yahoo.com Wed Oct 6 22:34:42 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 00:40:04 2004
Subject: [SpamCop-List] Re: High number of bounces
References:
Message-ID:

Excuse this I am trying to diagnose my posting problem

"geo_splash_12" wrote in message news:ck1s2l$17d$1@news.spamcop.net...
> Is this anomalous?
>
> http://www.spamcop.net/sc?action=rcache;ip=222.170.7.250
>
> It contains the text:
>
> Using best contacts network@hljtele.com postmaster@hljtele.com
> anti-spam@ns.chinanet.cn.net
> anti-spam@ns.chinanet.cn.net bounces (102 sent : 23203 bounces)
>
> Why are there so many bounces, is this necessary? Do the Chinese really
> care about spam reports?

From baloo at ursine.dyndns.org Wed Oct 6 19:38:40 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Thu Oct 7 00:45:03 2004
Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID: <87acuz8fz3.fsf@ursine.dyndns.org>

JohnL writes:

> Paul Johnson scribbled in
> news:87fz4synwg.fsf@ursine.dyndns.org:
>
>> 72 is the magic number, not 48.
>
> You REALLY need to check before stating something...

When did it change?

From MikeE at ster.invalid Wed Oct 6 22:42:29 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 00:45:15 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

Fred K wrote:
> Testing new post

Bad form, Fred K. There's a spamcop.test group here for such malarkey, to say nothing of myriad test groups specifically for such a purpose on other news servers.

Never post test messages into a normal active group. It is rude and a sign of a newbie. Being a newbie isn't rude in and of itself, but newbie instructional groups and pages give specific advice about all that to help the newbies out. Here are some, in case you haven't been there yet.

http://members.fortunecity.com/nnqweb/nnqlinks.html Welcome to the news.newusers.questions Links Page
http://members.fortunecity.com/nnqweb/virgins.html Where to post your very first message
http://members.fortunecity.com/nnqweb/test.html Where to post test messages

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Oct 7 05:43:22 2004
From: nobody at devnull.spamcop.net (JohnL)
Date: Thu Oct 7 00:45:20 2004
Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org> <87acuz8fz3.fsf@ursine.dyndns.org>
Message-ID:

Paul Johnson scribbled in
news:87acuz8fz3.fsf@ursine.dyndns.org:

>
> JohnL writes:
>
>> Paul Johnson scribbled in
>> news:87fz4synwg.fsf@ursine.dyndns.org:
>>
>>> 72 is the magic number, not 48.
>>
>> You REALLY need to check before stating something...
>
> When did it change?

Hasn't changed in a loong time. Been 48 hours as long as I've been here.

From ric.gates at bigsleep.org Thu Oct 7 05:49:47 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Oct 7 00:50:02 2004
Subject: [SpamCop-List] Re: More about your IQ
References:
Message-ID:

On 06 Oct 2004 Bob W. entered spamcop and left
news:responseguard-B8D89E.20264606102004@news.cesmail.net:

> I wrote:
>
>>> They bought the address from a spam list vendor.
>
> To which you replied:
>
>> Oh really? Which one. Oh, wait, perhaps the spam vendor submitted you,
>> I probably would if I was a spam vendor.
>
> That's "trying to have a reasonable discussion"?
>

A sarcastic reply to your assumption. Somewhat similar to "What planet are you from?"

--
| Ric
|

From ric.gates at bigsleep.org Thu Oct 7 05:56:46 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Oct 7 01:00:03 2004
Subject: [SpamCop-List] Re: Virus spam
References:
Message-ID:

On 06 Oct 2004 Mike Easter entered spamcop and left
news:ck27dh$i4n$1@news.spamcop.net:

> The advantage to naming the virm is that I'm not sending it in the
> notify.
> Naming or characterizing it is more 'convincing' that I got it,
> I analyzed it, I know what I'm talking about, and I'm telling them about
> it.
>
> If there's some 'trust me' in there; you should be backing it up with
> something. Isolated trust me ain't too impressive or convincing
>

Good point. I send the headers, and body up to the first line of the attachment. I used to look up the virus name, but I don't like wasting that much time on it, unless it's from/ for a client.

--
| Ric
|

From MikeE at ster.invalid Wed Oct 6 23:16:02 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 01:15:02 2004
Subject: [SpamCop-List] Re: Virus spam
References:
Message-ID:

Blammo wrote:
> Good point. I send the headers, and body up to the first line of the
> attachment. I used to look up the virus name, but I don't like
> wasting that much time on it, unless it's from/ for a client.

Depending on how you handle it, sometimes the AV will tell you what you are messing with. For some reason, I started isolating them a long time ago; saving the executable to a little folder with my AV turned off [because it wouldn't let me do it the way I like] and then characterizing like that.

If you have your AV on, likely it will give you some kind of alert which you can mention in the notify. If it's already been stripped by your provider, typically the provider has IDed it.

If it is 'too much trouble', then I wouldn't bother. The majority of the time the notified provider has absolutely no interest in performing appropriately for those.

A long time ago RR said that they notified the client of their propagations, gave them links to sanitizing, and warned them that if such notifies continued that their account was jeopardized. To the best of my knowledge, that whole program has been abandoned.

--
Mike Easter
kibitzer, not SC admin

From mfkmek820 at yahoo.com Thu Oct 7 00:07:46 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 02:10:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

Thanks for the lesson. But I have been having trouble and been working with SC people. I did not test as a "newby".

"Mike Easter" wrote in message news:ck2hdc$1cj$1@news.spamcop.net...
> Fred K wrote:
>> Testing new post
>
> Bad form, Fred K. There's a spamcop.test group here for such malarkey,
> to say nothing of myriad test groups specifically for such a purpose on
> other news servers.
>
> Never post test messages into a normal active group. It is rude and a
> sign of a newbie. Being a newbie isn't rude in and of itself, but newbie
> instructional groups and pages give specific advice about all that to
> help the newbies out. Here are some, in case you haven't been there yet.
>
> http://members.fortunecity.com/nnqweb/nnqlinks.html Welcome to the
> news.newusers.questions Links Page
> http://members.fortunecity.com/nnqweb/virgins.html Where to post your
> very first message http://members.fortunecity.com/nnqweb/test.html Where
> to post test messages
>
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From mfkmek820 at yahoo.com Thu Oct 7 00:10:00 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 02:15:02 2004
Subject: [SpamCop-List] Can anyone figure this one?
Message-ID:

I don't want to try to see if the spamvertised link is valid somehow. SC could not find one.

http://www.spamcop.net/sc?id=z680209807z161c9e8ee2360a946b6fe4f6f6923f18z

From nobody at devnull.spamcop.net Thu Oct 7 03:38:28 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 02:40:03 2004
Subject: [SpamCop-List] Re: Can anyone figure this one?
References:
Message-ID:

"Fred K" wrote in message
> I don't want to try to see if the spamvertised link is valid somehow. SC
> could not find one.
>
[...]

The URL points to domain jkhgdvz.com.

Notifies /could/ be sent to:

Reporting addresses:
postmaster@pub.sd.cninfo.net
abuse@cnc-noc.net
postmaster@sd.cninfo.net
support@pub.sd.cninfo.net
ct-abuse@abuse.sprint.net
security@pub.sd.cninfo.net

But if you don't want to see the link, you probably don't want to be doing any notifies.

Cheers,
Glenn

From mfkmek820 at yahoo.com Thu Oct 7 00:58:27 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 03:00:03 2004
Subject: [SpamCop-List] Re: Can anyone figure this one?
References:
Message-ID:

Thanks Glenn
Are scammers doing this then to nullify SC? If so can SC be improved to find these kind of obscured links?

Fred K

"Glenn Daniels" wrote in message news:ck2o8t$bsb$1@news.spamcop.net...
> "Fred K" wrote in message

From mfkmek820 at yahoo.com Thu Oct 7 01:12:21 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 03:15:05 2004
Subject: [SpamCop-List] Re: Can anyone figure this one?
References:
Message-ID:

Glenn
I have another thing I need help with about this. In the past I have "dug" out the link when SC gave up because of too many links. But all I know to do is to put 1 address in the blank field provided for user reported link. How would one send to all the ones you listed below?

"Glenn Daniels" wrote in message news:ck2o8t$bsb$1@news.spamcop.net...
> "Fred K" wrote in message
>> I don't want to try to see if the spamvertised link is valid somehow. SC
>> could not find one.
>>
> [...]
>
> The URL points to domain jkhgdvz.com.
>
> Notifies /could/ be sent to:
>
> Reporting addresses:
> postmaster@pub.sd.cninfo.net
> abuse@cnc-noc.net
> postmaster@sd.cninfo.net
> support@pub.sd.cninfo.net
> ct-abuse@abuse.sprint.net
> security@pub.sd.cninfo.net
>
> But if you don't want to see the link, you probably don't
> want to be doing any notifies.
>
> Cheers,
> Glenn
>
>

From porpoise1954 at yahoo.co.uk Thu Oct 7 11:24:54 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu Oct 7 05:30:20 2004
Subject: [SpamCop-List] Re: Virus spam
References:
Message-ID:

"Mike Easter" wrote in message news:ck2jc9$4ff$1@news.spamcop.net...
> <>
>
> A long time ago RR said that they notified the client of their
> propagations, gave them links to sanitizing, and warned them that if such
> notifies continued that their account was jeopardized. To the best of my
> knowledge, that whole program has been abandoned.
>
>

Well guys, thanks for all that info. Normally, I just vapourise Vs but somehow there seemed to be something different with these two..??... Nothing I can put a finger on..... was just a feeling.......... prolly wrong.

From nobody at devnull.spamcop.net Thu Oct 7 07:44:21 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 06:45:22 2004
Subject: [SpamCop-List] Re: Can anyone figure this one?
References:
Message-ID:

> "Glenn Daniels" wrote in message
"Fred K" wrote in message
> Thanks Glenn
> Are scammers doing this then to nullify SC? If so can SC be improved to find
> these kind of obscured links?
>

The purpose of SpamCop.net seems rather to be more toward identifying and correcting for problems on the spamsending side. If you have issues with spamvendors, then you need to be looking to doing something other than giving the hosting ISP's a SpamCop.net courtesy notify of the abuse of their space.

Somehow, a few spamsenders have got the notion that the abuse of the spamvending was somehow out of the admins' awareness. By making it impossible for the parser to find the URL's they cause a flap in the ng, but all they accomplish is to deny the ISP's a report that basically notes that the spamvending domain was mentioned in the spamitem.
It is a toothless notify, so it really is not so clear why they go to such trouble but to make it appear that something terribly sinister is going on that the ISP ought not to know about. Mostly the ISP's ignore the fuss about their paying customers as would make business sense.

Eventually the IP's establish their own reputation and end up blocklisted for any communications and the spamvendors move on to greener pasture leaving the ISP to figure out what to do for the unusable resources.

If you wish to be "going after" spamvendors, you might consider forwarding your spamitems to the FTC at spam /at/ uce.gov and numerous "interested third parties" as you will find at: http://banspam.javawoman.com/report3.html and http://spamlinks.openrbl.org/report-addresses.htm#abuse-fraud-health.

Spamming seems to be caused by greed and a lack of integrity, so there is a whole "other world" of issues when it comes to confronting spamvendors as opposed to the spamsenders. And SpamCop.net really does not make it its business to "go there". Law enforcement in that direction is largely the province of the FTC and other enforcement agencies, not SpamCop.net.

I also "dig out" those hidden URL's in spamitems and do a courtesy "notify" pointing to the URL, and noting that the spamsender has denied the ISP a courtesy SpamCop.net notify. One must bear in mind that the ISP's have been gracious enough to request the notifies. Anything more is really not called for: the ISP either knows or does not know about the spamvending domain.

Some providers nullify spamvendors as readily as Yahoo! Mail does spamsenders, but most of the spam you will see is pointing to ISP's as are largely unconcerned for the abuse of their space until the resources are lost to them.

Glenn

From nobody at devnull.spamcop.net Thu Oct 7 08:05:39 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 07:10:03 2004
Subject: [SpamCop-List] Re: Can anyone figure this one?
References:
Message-ID:

"Fred K" wrote in message
> "Glenn Daniels" wrote in message
> > "Fred K" wrote in message
[...]
> >
> > The URL points to domain jkhgdvz.com.
> >
> > Notifies /could/ be sent to:
> >
> > Reporting addresses:
> > postmaster@pub.sd.cninfo.net
> > abuse@cnc-noc.net
> > postmaster@sd.cninfo.net
> > support@pub.sd.cninfo.net
> > ct-abuse@abuse.sprint.net
> > security@pub.sd.cninfo.net
> >
> I have another thing I need help with about this. In the past I have "dug"
> out the link when SC gave up because of too many links. But all I know to do
> is to put 1 address in the blank field provided for user reported link. How
> would one send to all the ones you listed [ed] above/below?
>

SpamCop.net only permits up to four addys to be user notified, so you need to decide where you think the notify might do the most good. One simply strings the addys together, separated by commas. If it is more than one, they usually scroll out of the allowed "window", but are still "in the box". You may scroll backwards and forwards to verify that your input is there.

I, personally, would drop out the "postmaster@" addresses as they have a rather higher probability of "bouncing". And they will "bounce" back to SpamCop.net as is better served to be sending less pointless notifies.

Of course, you still have the option of doing additional manual notifies to other "interested parties" as works for you...

Glenn

From nobody at spamcop.net Thu Oct 7 13:17:09 2004
From: nobody at spamcop.net (TimeLord)
Date: Thu Oct 7 07:20:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

"Fred K" wrote in message news:ck2mh4$96u$1@news.spamcop.net...
> Thanks for the lesson. But I have been having trouble and been working with
> SC people. I did not test as a "newby".
>

Watch it - you'll get shot for top posting too :-)

Kev

From ric.gates at bigsleep.org Thu Oct 7 12:49:01 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Oct 7 07:50:02 2004
Subject: [SpamCop-List] Re: High number of bounces
References:
Message-ID:

On 06 Oct 2004 Mike Easter entered spamcop and left
news:ck1vef$67r$1@news.spamcop.net:

> How many minutes do you think you should spend like the above determining
> how to notify for a .cn webspace spamvertiser? Probably none.
>

Time better spent making sure they are in your block/ black list.

--
| Ric

From nobody at nowhere.invalid Thu Oct 7 14:52:00 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Oct 7 07:55:04 2004
Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org> <87acuz8fz3.fsf@ursine.dyndns.org>
Message-ID:

On Wed, 06 Oct 2004 18:38:40 -0700, Paul Johnson coughed into spamcop and left this in <87acuz8fz3.fsf@ursine.dyndns.org>:

>>> 72 is the magic number, not 48.
>>
>> You REALLY need to check before stating something...
>
> When did it change?

Sorry, but I think it's in your mind that it changed. It's been 48 hours for as long as I can remember.

--
Steve
Stupidity is NOT a handicap. Park elsewhere!

From nobody at nowhere.invalid Thu Oct 7 14:52:35 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Oct 7 07:55:14 2004
Subject: [SpamCop-List] Re: High number of bounces
References:
Message-ID:

On Thu, 7 Oct 2004 11:21:52 +0900, Patto coughed into spamcop and left this in :

> Just use anti-spam@chinanet.cn.net - it doesn't bounce.

That's because /dev/null never fills up.

--
Steve
Stupidity is NOT a handicap. Park elsewhere!

From e.schrama_NOSPAM at NOSPAM_hccnet.nl Thu Oct 7 15:06:01 2004
From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12)
Date: Thu Oct 7 08:10:03 2004
Subject: [SpamCop-List] Re: High number of bounces
In-Reply-To:
References:
Message-ID:

Blammo wrote:
> On 06 Oct 2004 Mike Easter entered spamcop and left
> news:ck1vef$67r$1@news.spamcop.net:
>
>
>>How many minutes do you think you should spend like the above determining
>>how to notify for a .cn webspace spamvertiser? Probably none.
>>
>
>
> Time better spent making sure they are in your block/ black list.
>

I reversed the order of RBL checking, spamhaus sbl-xbl has all these blocklists, spamcop should be the second.

From devilspgd at crazyhat.net Thu Oct 7 04:31:19 2004
From: devilspgd at crazyhat.net (DevilsPGD)
Date: Thu Oct 7 08:15:03 2004
Subject: [SpamCop-List] Re: Test
In-Reply-To:
References:
Message-ID:

Fred K wrote:
> Thanks for the lesson. But I have been having trouble and been working with
> SC people. I did not test as a "newby".

But yet you still tested in a non-test group...

--
Americans couldn't be any more self-absorbed if they were made from equal parts water and papertowel. -- Dennis Miller

From fred558 at bobames.com Thu Oct 7 15:23:04 2004
From: fred558 at bobames.com (Anonymous)
Date: Thu Oct 7 08:25:03 2004
Subject: [SpamCop-List] Re: Test
In-Reply-To:
References:
Message-ID: <41653528.8080106@bobames.com>

Fred K wrote:
> Thanks for the lesson. But I have been having trouble and been working
> with SC people. I did not test as a "newby".

Many (most?) regulars here have added you to their killfiles because they don't care to read your ignorant posting style.

You'd have lots less trouble communicating with others if you stopped stubbornly refusing to listen to numerous persons who have tried to help you by informing you that it is improper to top post in this newsgroup.

Posting a test message and then claiming that you "did not test as a newby" is further evidence of your ignorance.

Have a nice day,
Bob (use bob at this domain to reach me)
Don't Send Any Email To:

From fred558 at bobames.com Thu Oct 7 15:32:00 2004
From: fred558 at bobames.com (Bob Ames)
Date: Thu Oct 7 08:35:03 2004
Subject: [SpamCop-List] Re: Test
In-Reply-To: <41653528.8080106@bobames.com>
References: <41653528.8080106@bobames.com>
Message-ID: <41653740.8070801@bobames.com>

"Anonymous" (that's me) wrote something with a misspelled word calling someone else (a persistent top-poster) ignorant. Dumb!

I'm posting this because I'm not "the" Anonymous who posts the militant Vampiring techniques and I wanted to make that clear. I've corrected my headers so I'm not "Anonymous" anymore, since the other Anonymous has already taken that name here. :-)

Have a nice day,
Bob (use bob at this domain to reach me)
Don't Send Any Email To:

From me at privacy.net Thu Oct 7 09:40:51 2004
From: me at privacy.net (Frog Prince)
Date: Thu Oct 7 08:55:03 2004
Subject: [SpamCop-List] Is this a legitimate reporting address?
Message-ID:

http://www.spamcop.net/sc?id=z680288378z5bb8e01b8662689d924a123bf39d5f76z

Spam report id 1260003819 sent to: d0mainstek@hotmail.com

Is this a legitimate reporting address?

From Merlyn at Spamcop.net Thu Oct 7 10:03:08 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Thu Oct 7 09:05:03 2004
Subject: [SpamCop-List] Re: Is this a legitimate reporting address?
References:
Message-ID:

"Frog Prince" wrote in message news:ck3e6j$fva$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z680288378z5bb8e01b8662689d924a123bf39d5f76z
>
>
> Spam report id 1260003819 sent to: d0mainstek@hotmail.com
>
> Is this a legitimate reporting address?
>

Looks like a hijacked block:

Comment: The information for this network has been reported to
Comment: be invalid. ARIN has attempted to obtain updated data, but has
Comment: been unsuccessful. To provide current contact information,
Comment: please e-mail hostmaster@arin.net.
Lets check:
Yup - Nothing should be accepted from 209.41.64.0/18 (209.41.64.0 - 209.41.127.255) it's been hijacked.
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL14344

Ref: SBL14344
209.41.64.0/18 is listed on the Spamhaus Block List (SBL)
26-Mar-2004 12:03 GMT | SR12
zombies
UniComp Technologies International Corp. (dead TX company)

You should post this to routing.

--
Regards,
Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From firewoman at default.domain.not.available Thu Oct 7 10:14:33 2004
From: firewoman at default.domain.not.available (Firewoman)
Date: Thu Oct 7 09:15:04 2004
Subject: [SpamCop-List] Re: Needing Header Reading Expertise!
References:
Message-ID:

"Blammo" wrote in message news:Xns957AB104E9CE7blammo@216.154.195.61...
> On 06 Oct 2004 Spam N Scams Reporter entered spamcop and left
> news:ck1a8b$4ac$1@news.spamcop.net:
>
> > I have my ISP's spam filtering turned off for one of my accounts. The
> > SpamAssasin headers are still added, including what it finds. It just
> > doesn't act on it.
> >
>
> You can remove all the headers Spamassassin adds except for the X-Spam-
> Version header. On my ISP Spamassassin runs from Procmail, and if I remove
> the Spamassassin rule from Procmail it won't filter my mail at all.
> However if the spam filtering engine is run by the mailer daemon, during
> the SMTP phase, you usually can't disable it per user, it's system wide,
> and you have to add a rule to skip the checks for mail sent to certain
> users. This is because there is only one copy of the message, and copies are
> made for each recipient after the mail is filtered and accepted.
> I am only familiar with a couple MTAs, but it is entirely possible that
> some of your mail is being filtered.
> On another ISP I have the spam filter
> turned off, but I still sometimes get spam with an appended *** Possible
> Spam *** subject, and it's always sent to multiple users. Apparently only
> messages sent only to me are NOT filtered.
>
> --
> | Ric
> |

I'm hoping that our spam filtering is off. I received quite a bit more e-mail this morning, but still only received TWO spam e-mails. This is quite unusual because I receive mail for all the standard addresses... webmaster@, administrator@, postmaster@, abuse@, etc. I find it hard to believe that spam levels have dropped off that much!

From the responses here, it appears that our ISP is using Spam Assassin, although they won't actually tell me what they're using or what blocklists they are applying. I still have some work to do on them. I just hate calling and getting the general attitude quite a few in tech support still have towards women, but then, if I'm in the right mood, it can be a bit fun. }:)

From nobody at xyzzy.claranet.de Thu Oct 7 16:12:19 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Thu Oct 7 09:15:14 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID: <416540B3.2880@xyzzy.claranet.de>

Fred K wrote:
> I did not test as a "newby".

*PLONK* and FOAD

From 8vmb6jy02 at sneakemail.com Thu Oct 7 15:19:13 2004
From: 8vmb6jy02 at sneakemail.com (Sean W)
Date: Thu Oct 7 09:20:04 2004
Subject: [SpamCop-List] Re: High number of bounces
In-Reply-To:
References:
Message-ID:

Steven Maesslein wrote:
> On Thu, 7 Oct 2004 11:21:52 +0900, Patto coughed into spamcop and left
> this in :
>
>
>>Just use anti-spam@chinanet.cn.net - it doesn't bounce.
>
>
> That's because /dev/null never fills up.
>

Oooh you old cynic lol :-p

On second thoughts though, has anyone ever received an ack/auto-ack from that addie?
--
Sean

From nobody at nowhere.invalid Thu Oct 7 16:29:54 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Oct 7 09:30:04 2004
Subject: [SpamCop-List] Re: High number of bounces
References:
Message-ID:

On Thu, 07 Oct 2004 14:19:13 +0100, Sean W coughed into spamcop and left this in :

> On second thoughts though, has anyone ever received an ack/auto-ack from
> that addie?

The address that SpamCop is using is anti-spam@ns.chinanet.cn.net (note the "ns." after the @ sign.

anti-spam@ns.chinanet.cn.net
anti-spam@ns.chinanet.cn.net bounces (102 sent : 23203 bounces)
Using anti-spam#ns.chinanet.cn.net@devnull.spamcop.net for statistical tracking.

--
Steve
"Politics is supposed to be the second oldest profession. I have come to realize that it bears a very close resemblance to the first."

From nobody at xyzzy.claranet.de Thu Oct 7 16:32:55 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Thu Oct 7 09:50:02 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de> <4163197E.5803@xyzzy.claranet.de>
Message-ID: <41654587.17B8@xyzzy.claranet.de>

Larry Kilgallen wrote:
> Not the first one if it did not receive the message by SMTP.
> For example, Multinet running on VMS.

Why doesn't it add a Received: header ? The syntax for the "with" part doesn't insist on SMTP, it could be any protocol. Normally one of the protocols listed in...

...where I found only UUCP and various *MTP*, but in practice other values for "with" are sometimes also used.

But that's beside the point, the "with" part is optional. So why not just a plain Received: header as time stamp as in RfC 821 ?

Bye, Frank

From nobody at nowhere.invalid Thu Oct 7 17:12:00 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Oct 7 10:15:04 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de> <4163197E.5803@xyzzy.claranet.de> <41654587.17B8@xyzzy.claranet.de>
Message-ID:

> Larry Kilgallen wrote:
>
>> Not the first one if it did not receive the message by SMTP.
>> For example, Multinet running on VMS.

On Thu, 07 Oct 2004 15:32:55 +0200, Frank Ellermann coughed into spamcop and left this in <41654587.17B8@xyzzy.claranet.de>:

> Why doesn't it add a Received: header ? The syntax for the
> "with" part doesn't insist on SMTP, it could be any protocol.

Yabbut - the RFC which mandates "Received" headers in the first place is the RFC for SMTP.

--
Steve
Let's call it an accidental feature. -- Larry Wall

From nobody at xyzzy.claranet.de Thu Oct 7 17:11:52 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Thu Oct 7 10:15:16 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <4163197E.5803@xyzzy.claranet.de> <41633C4D.2962@xyzzy.claranet.de>
Message-ID: <41654EA8.5AED@xyzzy.claranet.de>

Philip Homburg wrote:

[new Auto-Responder RfC 3834]
> The quoted text doesn't contain anything to reduce that
> problem.

At least it focuses the problem on the MAIL FROM address. When you add SPF against abuses of your MAIL FROM address, and if that works as expected, then you _should_ get less unsolicited auto-responder crap to this address.

It's a theory based on the assumption that the spammers cooperate (by stopping to abuse SPF protected addresses), because they want to bypass SPF-tests by e.g. SA. Okay, the weak point of this theory is rule #3.

If a receiver rejects forged MAIL FROM addresses, you won't get out-of-office crap from _this_ receiver, that part of SPF is no theory, it's in the spec.
Bye, Frank

From nobody at xyzzy.claranet.de Thu Oct 7 17:26:45 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Thu Oct 7 10:30:04 2004
Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org> <87acuz8fz3.fsf@ursine.dyndns.org>
Message-ID: <41655225.5EF7@xyzzy.claranet.de>

Paul Johnson wrote:

>>> 72 is the magic number, not 48.
>> You REALLY need to check before stating something...
> When did it change?

Never, you probably confused it with the 3 days for reports. But the BL link only says "in the past week", no idea where the OP got his magic number 48 on this page, it's not there.

Bye, Frank

From puoti at inwind.it Thu Oct 7 16:28:07 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 10:35:03 2004
Subject: [SpamCop-List] Bringing bullet proof hosts down
Message-ID:

This is an easy, simple, and legal way to shell bullet proof hosts
http://www003.portalis.it/115/ladvampire.html
I believe it will be more effective than reporting (Hey I'm not saying this is a good reason not to report anyway)
Do you think it's a good idea?
I'm targeting the top web sites in spamcop stats for now, suggestions are welcome.
Not of much use for 56k users.
Just my little contribution to fight spam.

Ivan.

From porpoise1954 at yahoo.co.uk Thu Oct 7 16:36:50 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu Oct 7 10:40:02 2004
Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org> <87acuz8fz3.fsf@ursine.dyndns.org> <41655225.5EF7@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:41655225.5EF7@xyzzy.claranet.de...
> Paul Johnson wrote:
>
> >>> 72 is the magic number, not 48.
> >> You REALLY need to check before stating something...
> > When did it change?
>
> Never, you probably confused it with the 3 days for reports.
> But the BL link only says "in the past week", no idea where
> the OP got his magic number 48 on this page, it's not there.
>
> Bye, Frank
>

Well............., to me, "If not, then you will be unblocked by SpamCop automatically after 48 hours." says 48.

That quoted sentence was cut&paste from the page so I couldn't be accused of mistyping it. (Quite apart from being easier than typing it).

From nobody at nowhere.invalid Thu Oct 7 18:47:27 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Oct 7 11:50:21 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

On Thu, 07 Oct 2004 15:28:07 +0100, Ivan Leo Puoti coughed into spamcop and left this in :

> This is an easy, simple, and legal way to shell bullet proof hosts
> http://www003.portalis.it/115/ladvampire.html

This is the same principle as SpamVampire.

Two wrongs don't make a right IMO. Don't resort to DDoS'ing spammers unless you want to put your own Internet connectivity at risk.

Not to mention the fact that it is unethical.

> I believe it will be more effective than reporting (Hey I'm not saying
> this is a good reason not to report anyway)
> Do you think it's a good idea?

No. Definitely not.

--
Steve
Q: Why is Christmas just like a day at the office?
A: You do all of the work and the fat guy in the suit gets all the credit.

From MikeE at ster.invalid Thu Oct 7 09:50:54 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 11:50:40 2004
Subject: [SpamCop-List] Re: Needing Header Reading Expertise!
References:
Message-ID:

Firewoman wrote:
> From the responses here, it appears that our ISP is using Spam
> Assassin, although they won't actually tell me what they're using or
> what blocklists they are applying.
I think Sophos ActiveState PureMessage, not SA

Mike Easter wrote:
> X-PerlMx-Spam
>
> which works like the SpamAssassin line for Sophos's ActiveState
> PureMessage
> http://www.activestate.com/Products/PureMessage/

--
Mike Easter
kibitzer, not SC admin

From puoti at inwind.it Thu Oct 7 17:49:51 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 11:55:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> Two wrongs don't make a right IMO. Don't resort to DDoS'ing spammers
> unless you want to put your own Internet connectivity at risk.

This is NOT a DDoS attack. A DDoS attack sends file requests to a server, and keeps the connection open. Reloading a web page or a jpeg over and over again is not a DDoS attack, it is just an attempt to make hosting for spammers more expensive, and less worth while. They will have to buy more bandwidth, and will earn less.

Ivan.

From puoti at inwind.it Thu Oct 7 17:58:55 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 12:05:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> Two wrongs don't make a right IMO. Don't resort to DDoS'ing spammers
> unless you want to put your own Internet connectivity at risk.

I don't think people that sell pirated software, contaminated meds, send porn spam to potentially millions of kids, or steal credit card numbers are in any position to file an abuse complaint. It's as if a scambiter was sued by a Nigerian scammer, it just won't happen.

Ivan.

From Merlyn at Spamcop.net Thu Oct 7 13:11:26 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Thu Oct 7 12:15:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Ivan Leo Puoti" wrote in message news:ck3oqm$2in$1@news.spamcop.net...
>> Two wrongs don't make a right IMO. Don't resort to DDoS'ing spammers
>> unless you want to put your own Internet connectivity at risk.
> This is NOT a DDoS attack. A DDoS attack sends file requests to a server,
> and keeps the connection open. Reloading a web page or a jpeg over and
> over again is not a DDoS attack, it is just an attempt to make hosting for
> spammers more expensive, and less worth while. They will have to buy more
> bandwidth, and will earn less.
>

It is still a form of "Denial of Service" which is most likely against your providers TOS.
Fighting abuse with abuse is not the way.

--
Regards,
Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From mfkmek820 at yahoo.com Thu Oct 7 10:21:52 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 12:25:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

"TimeLord" wrote in message news:ck38mr$6gj$1@news.spamcop.net...
>
> "Fred K" wrote in message
> news:ck2mh4$96u$1@news.spamcop.net...
>> Thanks for the lesson. But I have been having trouble and been working
> with
>> SC people. I did not test as a "newby".
>>
>
> Watch it - you'll get shot for top posting too :-)
>
> Kev

I apologize for all the violations. I really don't know how to test a problem I started to have with my posts/replies only on this site.
Fred K
>
>

From mfkmek820 at yahoo.com Thu Oct 7 10:26:25 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 12:30:04 2004
Subject: [SpamCop-List] Re: Can anyone figure this one?
References:
Message-ID:

"Glenn Daniels" wrote in message news:ck37tp$4uh$1@news.spamcop.net...
> "Fred K" wrote in message
>> "Glenn Daniels" wrote in message
>> > "Fred K" wrote in message
> [...]
>
>> >
>> > The URL points to domain jkhgdvz.com.
>> >
>> > Notifies /could/ be sent to:
>> >
>> > Reporting addresses:
>> > postmaster@pub.sd.cninfo.net
>> > abuse@cnc-noc.net
>> > postmaster@sd.cninfo.net
>> > support@pub.sd.cninfo.net
>> > ct-abuse@abuse.sprint.net
>> > security@pub.sd.cninfo.net
>> >
>
>
>> I have another thing I need help with about this. In the past I have
> "dug"
>> out the link when SC gave up because of too many links. But all I know to
> do
>> is to put 1 address in the blank field provided for user reported link.
> How
>> would one send to all the ones you listed [ed] above/below?
>>
>
> SpamCop.net only permits up to four addys to be user notified,
> so you need to decide where you think the notify might do the most
> good. One simply strings the addys together, separated by commas.
> If it is more than one, they usually scroll out of the allowed "window",
> but are still "in the box". You may scroll backwards and forwards to
> verify that your input is there.
>
> I, personally, would drop out the "postmaster@" addresses as they
> have a rather higher probability of "bouncing". And they will "bounce"
> back to SpamCop.net as is better served to be sending less pointless
> notifies.
>
> Of course, you still have the option of doing additional
> manual notifies to other "interested parties" as works for
> you...
>
> Glenn
>
>Glen You are a "scholar and a gentleman". I really appreciate your clear and concise explanations.
Fred K.

From nobody at spamcop.net Thu Oct 7 13:38:32 2004
From: nobody at spamcop.net (Pop (was Spamcop by accident))
Date: Thu Oct 7 12:40:02 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Merlyn" wrote in message news:ck3pre$4l4$1@news.spamcop.net...
| "Ivan Leo Puoti" wrote in message
| news:ck3oqm$2in$1@news.spamcop.net...
| >> Two wrongs don't make a right IMO. Don't resort to DDoS'ing spammers
| >> unless you want to put your own Internet connectivity at risk.
| > This is NOT a DDoS attack.
| > A DDoS attack sends file requests to a server,
| > and keeps the connection open. Reloading a web page or a jpeg over and
| > over again is not a DDoS attack, it is just an attempt to make hosting for
| > spammers more expensive, and less worth while. They will have to buy more
| > bandwidth, and will earn less.
| It is still a form of "Denial of Service" which is most likely against your
| providers TOS.
| Fighting abuse with abuse is not the way.
| Regards,
| Merlyn
...

I agree, it's definitely a Denial Of Service; anything one does that denies service to a provider or any clients of the provider is performing denial of services.

No, it's not illegal, on the surface, and neither is spamming for the most part, not that it matters to scum like that. However, if it were probable that any particular person were responsible for it, there ARE legal recourses that can be taken, and that doesn't necessarily scare scums like you're addressing.

IMO, that's using vigilante tactics and lowers those who do it to the same level as those they are "attacking". If someone throws feces at you, the right response is not to plug their arsehole.

Pop

From puoti at inwind.it Thu Oct 7 18:35:51 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 12:40:13 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> Fighting abuse with abuse is not the way.

It depends by what you define as abuse, most chinese hosters could claim spam reports are abuse because it's a form of harassment, if they didn't /dev/null all complaints. Again, the objective of the page I put up is mainly bring hosting costs up for spammers.

Ivan.

From nobody at spamcop.net Thu Oct 7 13:40:51 2004
From: nobody at spamcop.net (Pop (was Spamcop by accident))
Date: Thu Oct 7 12:45:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Ivan Leo Puoti" wrote in message news:ck3pbm$3ip$1@news.spamcop.net...
|> Two wrongs don't make a right IMO. Don't resort to DDoS'ing spammers
| > unless you want to put your own Internet connectivity at risk.
| I don't think people that sell pirated software, contaminated meds, send
| porn spam to potentially millions of kids, or steal credit card numbers
| are in any position to file an abuse complaint. It's as if a scambiter
| was sued by a Nigerian scammer, it just won't happen.
|
| Ivan.

Why not: Try it, and see. I would be very, very careful though because you -might- be wrong; if they think they can get money for it, they'll think long and hard about it. What THEY are doing would have zero bearing in a court of law if they accuse YOU of something different. Moot points and all that.

Pop

From puoti at inwind.it Thu Oct 7 18:38:07 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 12:45:12 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> IMO, that's using vigilante tactics and lowers those who do it
> to the same level as those they are "attacking". If someone
> throws feces at you, the right response is not to plug their
> arsehole.

I only do it to web sites that spam me, so it's their fault anyway.

Ivan.

From MikeE at ster.invalid Thu Oct 7 10:43:43 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 12:45:18 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

Fred K wrote:

> I apologize for all the violations. I really don't know how to test a
> problem I started to have with my posts/replies only on this site.

Your newsreader is OE. There are a number of people around here who know how to help solve problems with that newsreader. Perhaps if you would explain what the problem is, someone might be able to help.
--
Mike Easter
kibitzer, not SC admin

From puoti at inwind.it Thu Oct 7 18:42:04 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 12:50:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

I doubt they would ever come from their country to Italy just to sue me, and even if they did I could initiate criminal prosecution against them for spamming me, and I could claim damages for every lie in every spam (The past reports link is a great thing) and I'm quite sure I would get more money out of them than they could get out of me. Also in Italy you can't sue someone without first sending a cease and desist warning, but that would make the spammers quite traceable, and again they could be prosecuted for spamming.

Ivan.

From Merlyn at Spamcop.net Thu Oct 7 13:52:47 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Thu Oct 7 12:55:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Ivan Leo Puoti" wrote in message news:ck3rgv$7fo$1@news.spamcop.net...
>> Fighting abuse with abuse is not the way.
> It depends by what you define as abuse, most chinese hosters could claim
> spam reports are abuse because it's a form of harassment,
> if they didn't /dev/null all complaints. Again, the objective of the page
> I put up is mainly bring hosting costs up for spammers.

We already know what you think, you asked for opinions. If you are going to argue with everyone that responds with their opinion then why did you ask?
Nuff said

--
Regards,
Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From puoti at inwind.it Thu Oct 7 18:51:14 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 13:00:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> We already know what you think,

And I believe I have a right to explain why I think what I think.

From nobody at spamcop.net Thu Oct 7 14:02:10 2004
From: nobody at spamcop.net (Pop (was Spamcop by accident))
Date: Thu Oct 7 13:05:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Ivan Leo Puoti" wrote in message news:ck3sdp$9bn$1@news.spamcop.net...
|> We already know what you think,
| And I believe I have a right to explain why I think what I think.

Sooo, it's necessary to exercise EVERY right you have? You've no scruples, methinks.

From e.schrama_NOSPAM at NOSPAM_hccnet.nl Thu Oct 7 20:05:40 2004
From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12)
Date: Thu Oct 7 13:10:03 2004
Subject: [SpamCop-List] Re: High number of bounces
In-Reply-To:
References:
Message-ID:

Steven Maesslein wrote:
> On Thu, 7 Oct 2004 11:21:52 +0900, Patto coughed into spamcop and left
> this in :
>
>
>>Just use anti-spam@chinanet.cn.net - it doesn't bounce.
>
>
> That's because /dev/null never fills up.
>

The reaction here was: mu ha ha ha ha ha ha ha

From puoti at inwind.it Thu Oct 7 19:04:41 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 13:10:13 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> Sooo, it's necessary to exercise EVERY right you have? You've no
> scruples, methinks.

Do you think that I should not explain my opinions/ideas? Don't you think this could lead to misunderstandings?

Ivan.
From mfkmek820 at yahoo.com Thu Oct 7 11:11:45 2004
From: mfkmek820 at yahoo.com (Fred K)
Date: Thu Oct 7 13:15:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

"Mike Easter" wrote in message news:ck3rlk$7rs$1@news.spamcop.net...
> Fred K wrote:
>
>> I apologize for all the violations. I really don't know how to test a
>> problem I started to have with my posts/replies only on this site.
>
> Your newsreader is OE. There are a number of people around here who know
> how to help solve problems with that newsreader. Perhaps if you would
> explain what the problem is, someone might be able to help.
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Well I have not had any problem until I hit the road traveling, and then only with this site. I have been working with SC staff and the problem is resolved. I could post a new message, but got bounced doing a reply. The test was to see which one was the problem. Anyway enough said. I will be more cautious not to rile up the people on this site.

Fred K.

From MikeE at ster.invalid Thu Oct 7 11:29:45 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 13:30:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

Ivan Leo Puoti wrote:

> Do you think that I should not explain my opinions/ideas?

I have a gripe about the fact that if you post a link like http://www003.portalis.it/115/ladvampire.html here or anywhere else, and someone is foolishly configured to browse around insecurely, then you have 'induced' or manipulated them to participate in your Vampire abuse plan. That strategy is remarkably similar to that of the spammer who sends an email to an insecure spammee which causes them to unwittingly access the spammersite because of their insecure configuration.
--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Oct 7 14:39:50 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 13:40:03 2004
Subject: [SpamCop-List] Request for translation of Russian item
Message-ID:

SpamCop.net parse tracker:
http://www.spamcop.net/sc?id=z680357860z84b271eed51bf32042462a77759844baz

Item through open proxy in Brazil in Russian. I would like help translating the Russian in the byte64 encoded segment.

I see it as unsolicited but wonder if others are receiving this item, which is to ask, "is it bulk?" Also, there are no links in it, so I wonder if it is commercial?

Opinions are welcome, need more data before I call it "spam".

Thanks,
Glenn

From Merlyn at Spamcop.net Thu Oct 7 14:46:20 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Thu Oct 7 13:50:03 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

"Glenn Daniels" wrote in message news:ck3v0q$e6o$1@news.spamcop.net...
> SpamCop.net parse tracker:
> http://www.spamcop.net/sc?id=z680357860z84b271eed51bf32042462a77759844baz
>
> Item through open proxy in Brazil in Russian. I would like help
> translating the Russian in the byte64 encoded segment.
>
> I see it as unsolicited but wonder if others are receiving this item,
> which is to ask, "is it bulk?" Also, there are no links in it, so I
> wonder if it is commercial?
>
> Opinions are welcome, need more data before I call it "spam".
>

It came through a open proxy in BR.! No need to look any further

--
Regards,
Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From MikeE at ster.invalid Thu Oct 7 11:59:35 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 14:00:06 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

Glenn Daniels wrote:

> Item through open proxy in Brazil in Russian.
> I would like help
> translating the Russian in the byte64 encoded segment.

If you have your Cyrillic fonts enabled, you can copy those .ru words/letters in the graphic and go paste them into some kind of translator.

I'll paste them here, but I don't know what is going to happen, since I'm sending using plaintext mime with no encoding. If I recall, my newsreader will offer me the option of sending as unicode, which you will have to be able to handle on your end. Since you are Win/OE, I think you can do that, but I'm not sure about the configuration requirements.

??????????? ???????? ???????

????????, ???????????

--
Mike Easter
kibitzer, not SC admin

From puoti at inwind.it Thu Oct 7 19:57:07 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 14:05:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> I have a gripe about the fact that if you post a link like
> http://www003.portalis.it/115/ladvampire.html here or anywhere else, and
> someone is foolishly configured to browse around insecurely
I don't know what you're talking about, what do you mean by insecurely?

> then you
> have 'induced' or manipulated them to participate in your Vampire abuse
> plan.
Manipulated? I don't manipulate, one can or cannot load that page, it's up to him and his free will.

> That strategy is remarkably similar to that of the spammer who
> sends an email to an insecure spammee which causes them to unwittingly
> access the spammersite because of their insecure configuration.
Insecure configuration? Please explain.

From MikeE at ster.invalid Thu Oct 7 12:03:57 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 14:05:14 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

Mike Easter wrote:

> I'll paste them here, but I don't know what is going to happen, since
> I'm sending using plaintext mime with no encoding.
> If I recall, my
> newsreader will offer me the option of sending as unicode,

That is true, and it got sent as unicode

> which you
> will have to be able to handle on your end. Since you are Win/OE, I
> think you can do that, but I'm not sure about the configuration
> requirements.

In order to see the .ru words correctly, you have to configure as Tools/ Options/ Read/ International settings button - uncheck 'use default encoding for all incoming messages'

>
> Электронные раÑÑылки рекламы
>
> ДоÑтупно, качеÑтвенно
>
>

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu Oct 7 12:04:51 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 14:05:21 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

Mike Easter wrote:

>>
>> Электронные раÑÑылки рекламы
>>
>> ДоÑтупно, качеÑтвенно
>>
>>

That one is no good, because of the way it got copied and cited. But the first one is.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Oct 7 15:06:02 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 14:10:04 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

"Merlyn" wrote in message
> "Glenn Daniels" wrote in message ...
[...]

> > Opinions are welcome, need more data before I call it "spam".
> >

> It came through a open proxy in BR.! No need to look any further
>

My Babel Fish Russian assistant reads "1,000,000 probable clients" in the "Subject:" header and the message reads:
"Electronic advertisement distribution"
"It is accessible, it is qualitative."

I know what I think it is, but am mostly trying to verify on whether it is bulk or commercial... or neither, and targeted to some other purpose.
Thanks,
Glenn

From MikeE at ster.invalid Thu Oct 7 12:11:28 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 14:15:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

Ivan Leo Puoti wrote:

>> I have a gripe about the fact that if you post a link like
>> http://www003.portalis.it/115/ladvampire.html here or anywhere else,
>> and someone is foolishly configured to browse around insecurely

I'm putting an empty line between my cites and your responses; you should do that for 'us' for clarity in your postings.

> I don't know what you're talking about, what do you mean by
> insecurely?

People shouldn't be running around with their browsers configured to be running scripts wherever they might land. If a person is properly configured, all they will see when they try to access the page you posted is

This page requires JavaScript and a W3C DOM capable browser. Please use the AA419 web site http://www.aa419.org/ instead.

>> then you
>> have 'induced' or manipulated them to participate in your Vampire
>> abuse plan.

But if they are insecurely configured, the javascript will run and they will be abusing someone/s of your choosing.

> Manipulated? I don't manipulate, one can or cannot load that page,
> it's up to him and his free will.

The foolish insecurely configured doesn't know what s/he is doing when s/he contributes to your abuse unwittingly. Just like they don't know what they are doing when they open a spam with a webbug.

>> That strategy is remarkably similar to that of the spammer who
>> sends an email to an insecure spammee which causes them to
>> unwittingly access the spammersite because of their insecure
>> configuration.

> Insecure configuration? Please explain.

Allowing one's browser to execute your abusive scripts willy-nilly is an insecure configuration.
--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Oct 7 15:11:40 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 14:15:13 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

"Mike Easter" wrote in message
> Mike Easter wrote:
> >>
>
> That one is no good, because of the way it got copied and cited. But the
> first one is.
>

Umm, right... That part I think I understand. But is this a bulk solicitation or is it more specifically targeted?

Thanks,
Glenn

From dkona7b02 at sneakemail.com Thu Oct 7 15:16:01 2004
From: dkona7b02 at sneakemail.com (Spam Hater)
Date: Thu Oct 7 14:16:15 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
In-Reply-To:
References:
Message-ID: <3.0.5.32.20041007141601.00f795f0@loki.fstrf.org>

Correct me if I am wrong, but this item arrived in your email box unexpectedly from an unknown source, right? That is SPAM... Why are you bothering with this in depth analysis? Bulk or commercial is not the issue. Did you consent to receive it or not? If not, and the fact that you can't read Russian certainly seems to back this up, then it is SPAM!

Report it and move on to the next one...

At 02:06 PM 10/7/2004 -0400, Glenn Daniels typed:
>"Merlyn" wrote in message
>> "Glenn Daniels" wrote in message ...
>[...]
>
>> > Opinions are welcome, need more data before I call it "spam".
>> >
>
>> It came through a open proxy in BR.! No need to look any further
>>
>
>My Babel Fish Russian assistant reads "1,000,000 probable clients"
>in the "Subject:" header and the message reads:
>"Electronic advertisement distribution"
>"It is accessible, it is qualitative."
>
>I know what I think it is, but am mostly trying to verify
>on whether it is bulk or commercial... or neither, and
>targeted to some other purpose.
>
>Thanks,
>Glenn

From MikeE at ster.invalid Thu Oct 7 12:24:38 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 14:25:03 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

Spam Hater wrote:
> Report it and move on to the next one...

Heh.

Some of us like to take watches apart to see what's inside instead of just looking to see what time it is.

Sometimes.

Sometimes we should just be trying to not miss the train while frittering around with something when we don't even know what time it is.

--
Mike Easter
kibitzer, not SC admin

From not at home.today Thu Oct 7 20:23:41 2004
From: not at home.today (Ant)
Date: Thu Oct 7 14:25:13 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Pop" wrote...

> If someone throws feces at you, the right response is not to
> plug their arsehole.

LOL, LOL, LOL! That really appeals to my lavatorial sense of humour. Sig material, I think!

From nobody at spamcop.net Thu Oct 7 15:22:39 2004
From: nobody at spamcop.net (Ellen)
Date: Thu Oct 7 14:25:19 2004
Subject: [SpamCop-List] Re: Is this a legitimate reporting address?
References:
Message-ID:

"Merlyn" wrote in message news:ck3eqc$h23$1@news.spamcop.net...
> "Frog Prince" wrote in message
> news:ck3e6j$fva$1@news.spamcop.net...
> > http://www.spamcop.net/sc?id=z680288378z5bb8e01b8662689d924a123bf39d5f76z
> >
> >
> > Spam report id 1260003819 sent to: d0mainstek@hotmail.com
> >
> > Is this a legitimate reporting address?
> >
>
> Looks like a hijacked block:
>
> Comment: The information for this network has been reported to
> Comment: be invalid. ARIN has attempted to obtain updated data, but has
> Comment: been unsuccessful. To provide current contact information,
> Comment: please e-mail hostmaster@arin.net.
>
> Let's check:
> Yup - Nothing should be accepted from 209.41.64.0/18 (209.41.64.0 -
> 209.41.127.255) it's been hijacked.
>
> http://www.spamhaus.org/SBL/sbl.lasso?query=SBL14344
>

got it -- thanks

Ellen

From porpoise1954 at yahoo.co.uk Thu Oct 7 20:26:35 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu Oct 7 14:30:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Ivan Leo Puoti" wrote in message news:ck3rsk$8eh$1@news.spamcop.net...
> I doubt they would ever come from their country to Italy just to sue me,
> and even if they did I could initiate criminal prosecution against them
> for spamming me, and I could claim damages for every lie in every spam
> (The past reports link is a great thing) and I'm quite sure I would get
> more money out of them than they could get out of me. Also in Italy you
> can't sue someone without first sending a cease and desist warning, but
> that would make the spammers quite traceable, and again they could be
> prosecuted for spamming.
>
> Ivan.

Let us know how it turns out...........

Oh, the naivety and immaturity of the young...........

From ric.gates at bigsleep.org Thu Oct 7 19:29:30 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Oct 7 14:30:12 2004
Subject: [SpamCop-List] Re: Needing Header Reading Expertise!
References:
Message-ID:

On 07 Oct 2004 Mike Easter entered spamcop and left news:ck3oij$2aj$1@news.spamcop.net:

> Firewoman wrote:
>> From the responses here, it appears that our ISP is using Spam
>> Assassin, although they won't actually tell me what they're using or
>> what blocklists they are applying.
>
> I think Sophos ActiveState PureMessage, not SA
>
> Mike Easter wrote:
>> X-PerlMx-Spam
>>
>> which works like the SpamAssassin line for Sophos's ActiveState
>> PureMessage
>
>> http://www.activestate.com/Products/PureMessage/
>
> I didn't mean to mislead

Firewoman, Mike had it right, "Spam n Scams" mentioned Spamassassin. Spamassassin will always say it's Spamassassin...
X-Spam-Checker-Version: SpamAssassin 3.0.0 (2004-09-13)

And since you can't remove that in Spamassassin, I'm betting others are the same way.

--
| Ric
|

From ric.gates at bigsleep.org Thu Oct 7 19:42:04 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Oct 7 14:45:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

On 07 Oct 2004 Fred K entered spamcop and left news:ck3tfa$bhd$1@news.spamcop.net:

> I could post a new message, but got bounced doing a reply.

You probably replied to an eMail address, as newsgroups don't bounce messages, replying is no different than posting (except there is a Xref: header in replies).
When you reply make sure there is no eMail address beside the To:, should only be Newsgroups: spamcop.

--
| Ric
|

From nobody at devnull.spamcop.net Thu Oct 7 15:46:43 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 14:50:02 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

"Mike Easter" wrote in message
> Spam Hater wrote:
> > Report it and move on to the next one...
>
> Heh.
>
> Some of us like to take watches apart to see what's inside instead of
> just looking to see what time it is.
>
> Sometimes.
>
> Sometimes we should just be trying to not miss the train while frittering
> around with something when we don't even know what time it is.
>

Thanks, Mike. I am yet to figure how it serves a commercial purpose. And I still don't know that it is bulk. And I am suspicious that it is directed for purposes of listwashing the reporting account which has been a very useful spamtrap for reporting purposes. If I reflexly respond to it as spam just because it is unsolicited or unwanted I may risk losing my spamtrap spam sewer over a rash call. I know what it looks like, but things are not always what they appear to be.
Glenn

From ric.gates at bigsleep.org Thu Oct 7 19:52:37 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Oct 7 14:55:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

On 07 Oct 2004 Fred K entered spamcop and left news:ck3tfa$bhd$1@news.spamcop.net:

> I could post a new message, but got bounced doing a reply.

You probably replied to an eMail address, as newsgroups don't bounce messages, replying is no different than posting (except there is a References: header in replies).
When you reply make sure there is no eMail address beside the To:, should only be Newsgroups: spamcop.

--
| Ric
|

From nobody at devnull.spamcop.net Thu Oct 7 15:55:46 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 15:00:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

"Blammo" wrote in message
> On 07 Oct 2004 Fred K entered spamcop and left
>
> > I could post a new message, but got bounced doing a reply.
>
> You probably replied to an eMail address, as newsgroups don't bounce
> messages, replying is no different than posting (except there is a Xref:
> header in replies).
> When you reply make sure there is no eMail address beside the To:, should
> only be Newsgroups: spamcop.
>

Fred is apparently using Ouchlook Express which gives you a context menu with choices to reply to group, or reply to sender. I recall thinking that I was only responding to the sender, and got bounced afore I figgered out that "group" was the only way to go...

Glenn

From firewoman at default.domain.not.available Thu Oct 7 15:59:33 2004
From: firewoman at default.domain.not.available (Firewoman)
Date: Thu Oct 7 15:00:14 2004
Subject: [SpamCop-List] Re: Needing Header Reading Expertise!
References:
Message-ID:

"Mike Easter" wrote in message news:ck3oij$2aj$1@news.spamcop.net...
> I think Sophos ActiveState PureMessage, not SA
>

Whoops! Thanks for the head's up. I appreciate all the help, Mike!
From MikeE at ster.invalid Thu Oct 7 13:06:18 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 15:10:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

Blammo wrote:
> Fred K
>> I could post a new message, but got bounced doing a reply.
>
> You probably replied to an eMail address, as newsgroups don't bounce
> messages, replying is no different than posting (except there is a
> References: header in replies).
> When you reply make sure there is no eMail address beside the To:,
> should only be Newsgroups: spamcop.

The funky routing thread, the one with 2 spamhaters, had a mailing list participant, the 'other' spamhater. But the OE should/would have tried to email the mailing list in addition to the nntp post, not the addy of the other spamhater which appeared in the From, even if Fred clicked reply to all or reply to sender - if he clicked that toward the mailing list poster.

However, if he clicked it^1 toward some other, like my .invalid, that wouldn't fly at all.

^1 where 'it' means 'reply to all' instead of 'reply to group'. A common error.

--
Mike Easter
kibitzer, not SC admin

From puoti at inwind.it Thu Oct 7 21:38:10 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 15:45:17 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> This page requires JavaScript and a W3C DOM capable browser.
I am not the original author of the page, I just adapted it a bit.

> But if they are insecurely configured, the javascript will run and they
> will be abusing someone/s of your choosing.
I still don't understand this unsecured thing, I mean from what I can see the page just uses javascript.

> The foolish insecurely configured doesn't know what s/he is doing when
> s/he contributes to your abuse unwittingly. Just like they don't know
> what they are doing when they open a spam with a webbug.
Maybe you can live with javascript off, most people can't.
And they can close the page as soon as they open it, causing little or no damage.

> Allowing one's browser to execute your abusive scripts willy-nilly is an
> insecure configuration.
Oh, well I suppose you just read the source of all scripts of all web pages you visit before running them. I'm sorry but I don't believe having scripting or even Java on is unsafe. As long as your browser is up to date the only dangerous stuff is ActiveX, or more correctly IE.

Ivan.

From nobody at devnull.spamcop.net Thu Oct 7 16:04:49 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Thu Oct 7 16:05:24 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

Ivan Leo Puoti wrote:
>> But if they are insecurely configured, the javascript will run and they
>> will be abusing someone/s of your choosing.
> I still don't understand this unsecured thing, I mean from what I can
> see the page just uses javascript.
>
>> The foolish insecurely configured doesn't know what s/he is doing when
>> s/he contributes to your abuse unwittingly. Just like they don't know
>> what they are doing when they open a spam with a webbug.
> Maybe you can live with javascript off, most people can't. And they can
> close the page as soon as they open it, causing little or no damage.

Since Mike Easter mentioned this, could you also skip a line below the quoted parts and above your own comments. It's hard to pick out your replies separate from the quoted parts when you don't skip lines between the quoted text and your own comments. Just skipping the line below your comments isn't enough.

From MikeE at ster.invalid Thu Oct 7 14:12:28 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 16:15:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

Ivan Leo Puoti wrote:

> And they
> can close the page as soon as they open it, causing little or no
> damage.

Unless they're browsing with an anonymizer, they've left their IP address with the unhappy spammersite who is being abused. I think.

And, many of us have 'dynamically static' IP addresses - so we keep the same address indefinitely - meaning that your happy little tricks invite retaliation to the person who is sufficiently insecure to run your scripts and might also be sufficiently insecure to suffer from an irate hacker/spammer attack.

--
Mike Easter
kibitzer, not SC admin

From baloo at ursine.dyndns.org Thu Oct 7 14:15:56 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Thu Oct 7 16:20:05 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID: <87wty2nv2b.fsf@ursine.dyndns.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Fred K" writes:

> Thanks for the lesson. But I have been having trouble and been working with
> SC people. I did not test as a "newby".

You reclassified yourself as noob around the time you posted a test outside spamcop.test.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBZaP+UzgNqloQMwcRAnssAKDcQksnDVP2PpGu78E1YeFA26+oNwCdFgoM
WDkrIbaX5xrQ83+fCtBEI0Q=
=9htt
-----END PGP SIGNATURE-----

From nobody at devnull.spamcop.net Thu Oct 7 16:17:18 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Thu Oct 7 16:20:18 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Ivan Leo Puoti wrote:
>
>>And they
>>can close the page as soon as they open it, causing little or no
>>damage.
>
>
> Unless they're browsing with an anonymizer, they've left their IP address
> with the unhappy spammersite who is being abused. I think.

Correct on that if they have a cookie or something that tracks IP addresses of visitors.

> And, many of us have 'dynamically static' IP addresses - so we keep the
> same address indefinitely - meaning that your happy little tricks invite
> retaliation to the person who is sufficiently insecure to run your
> scripts and might also be sufficiently insecure to suffer from an irate
> hacker/spammer attack.

So that program exploits some other random person's system somehow and not the person who is attempting to attack? I'm slightly confused. Not trying to advocate what Ivan is trying to do but just learning more about what goes on with that sort of program.

From baloo at ursine.dyndns.org Thu Oct 7 14:18:03 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Thu Oct 7 16:20:24 2004
Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org> <87acuz8fz3.fsf@ursine.dyndns.org> <41655225.5EF7@xyzzy.claranet.de>
Message-ID: <87sm8qnuys.fsf@ursine.dyndns.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Frank Ellermann writes:

> Paul Johnson wrote:
>
>>>> 72 is the magic number, not 48.
>>> You REALLY need to check before stating something...
>> When did it change?
>
> Never, you probably confused it with the 3 days for reports.

Oh, that might be it.

> But the BL link only says "in the past week", no idea where
> the OP got his magic number 48 on this page, it's not there.

The FAQ, considering they even posted URL to the page that says it.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBZaR7UzgNqloQMwcRAvUdAJ0Xx2jzRvW4wl8hUDlzEEcFIbzF0QCfeUdQ
415jNWgR1czHH83W0xH2x2g=
=pi47
-----END PGP SIGNATURE-----

From Merlyn at Spamcop.net Thu Oct 7 17:45:03 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Thu Oct 7 16:50:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Cat" wrote in message news:ck4884$uvc$1@news.spamcop.net...
> Mike Easter wrote:
>
>> Ivan Leo Puoti wrote:
>>
>
> So that program exploits some other random person's system somehow and not
> the person who is attempting to attack? I'm slightly confused. Not trying
> to advocate what Ivan is trying to do but just learning more about what
> goes on with that sort of program.

It is your system that is pulling the pictures which means the person who has the page up in their browser is performing a Denial of Service attack. What it breaks down to is the site running the script is innocent but whoever brings up the page is the culprit.

--
Regards,
Merlyn
A Spamcop advocate
No emails this account is for newsgroups only

People demand freedom of speech to make up for the freedom of thought which they avoided

From puoti at inwind.it Thu Oct 7 23:06:36 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Thu Oct 7 17:15:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> Correct on that if they have a cookie or something that tracks IP
> addresses of visitors.
Now not manually reviewing all cookie requests is unsafe.

Ivan.

From MikeE at ster.invalid Thu Oct 7 15:31:06 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 17:30:02 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

Ivan Leo Puoti wrote:

> Now not manually reviewing all cookie requests is unsafe.

Cookies aren't necessary to transmit the IP of the requestor to the site which is being accessed; that is, the cookie business has nothing to do with my point of view that the visitor to your Vampire javascript site is providing the abused spamsite with hir IP address.

--
Mike Easter
kibitzer, not SC admin

From paman10 at comcast.net Thu Oct 7 19:23:16 2004
From: paman10 at comcast.net (Stan)
Date: Thu Oct 7 18:25:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Ivan Leo Puoti" wrote in message news:ck3k1e$qlf$1@news.spamcop.net...
> This is an easy, simple, and legal way to shell bullet proof hosts
> http://www003.portalis.it/115/ladvampire.html
> I believe it will be more effective than reporting (Hey I'm not saying
> this is a good reason not to report anyway)
> Do you think it's a good idea? I'm targeting the top web sites in spamcop
> stats for now, suggestions are welcome.
> Not of much use for 56k users.
> Just my little contribution to fight spam.
>
> Ivan.

I believe that Bullet Proof Hosts and any other Spam Host should have their Domains be published and a list provided so that everyone can choose to block these spam hosts. If they have their traffic blocked they can go out of business. For the years I have been sending in complaints I see little change in the amount of Spam, all reported through Spamcop's reporting page. It's time for looking at the Domains of the Spam Web Sites as a means for fighting Spam. MO on Vampires I don't want to stoop to their level. But I do think more can and should be done.

From eddie at eddie.web Thu Oct 7 20:29:39 2004
From: eddie at eddie.web (eddie)
Date: Thu Oct 7 19:30:31 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

On Thu, 07 Oct 2004 13:39:50 -0400, Glenn Daniels scratched out the following:

> Item through open proxy in Brazil in Russian. I would like help
> translating the Russian in the byte64 encoded segment.
>
> I see it as unsolicited but wonder if others are receiving this item,
> which is to ask, "is it bulk?" Also, there are no links in it, so I wonder
> if it is commercial?

I get them on a regular basis. I consider them harassment. Some have a russky website, most have a moscow phone number. They are sent by idiots, but we knew that :)
They are spam of the worst kind.

--
Rather: I don't want to be argumentative, Mr. vice president.
Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't.
From eddie at eddie.web Thu Oct 7 20:31:24 2004
From: eddie at eddie.web (eddie)
Date: Thu Oct 7 19:35:03 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

On Thu, 07 Oct 2004 09:21:52 -0700, Fred K scratched out the following:

> I apologize for all the violations. I really don't know how to test a
> problem I started to have with my posts/replies only on this site.
>
> Fred K

Well you just made it worse : PLONK!!!!

Rather: I don't want to be argumentative, Mr. vice president.
Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't.

From nobody at devnull.spamcop.net Thu Oct 7 20:52:51 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Thu Oct 7 19:55:03 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

"eddie" wrote in message
> On Thu, 07 Oct 2004 13:39:50 -0400, Glenn Daniels scratched out the
> following:
[...]

> I get them on a regular basis. I consider them harassment. Some have a
> russky website, most have a moscow phone number. They are sent by idiots,
> but we knew that :)
> They are spam of the worst kind.
>

Thanks! I only see what I see. I can't know on one item that it's UBE, and from here it isn't UCE, either... So it is UBE if you say so!

Maybe it is just a b0rk3ri |-r0g3...

Cheers,
Glenn

From MikeE at ster.invalid Thu Oct 7 18:33:12 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 20:35:03 2004
Subject: [SpamCop-List] Re: SC Password reset - harassment?
References:
Message-ID:

Bob W. wrote:

> And... anyone happen to see any posts in the SC forums coming from
> 64.147.15.130?

That doesn't show over there. That Cox is Orange County - probably somewhere around San Juan Capistrano.

--
Mike Easter
kibitzer, not SC admin

From eddie at eddie.web Thu Oct 7 21:41:29 2004
From: eddie at eddie.web (eddie)
Date: Thu Oct 7 20:45:03 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

On Thu, 07 Oct 2004 19:52:51 -0400, Glenn Daniels scratched out the following:

snip
> Thanks! I only see what I see. I can't know on one item that it's UBE, and
> from here it isn't UCE, either... So it is UBE if you say so!
>
> Maybe it is just a b0rk3ri |-r0g3...
>
> Cheers,
> Glenn

My general rule is that if it uses forged headers and/or false email addressing, it's spam. The only time spam could possibly be questioned, in my opinion, is when the return address and headers are legit. Then I usually do a manual LART telling them that if I get another one, I will consider it spam. This is a rare thing, though - most spam is obviously spam.

--
Rather: I don't want to be argumentative, Mr. vice president.
Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't.

From me at privacy.net Thu Oct 7 22:13:52 2004
From: me at privacy.net (Frog Prince)
Date: Thu Oct 7 21:30:22 2004
Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID:

"JohnL"
| >> Actually.................................................. He's
| >> right, 72 is a magic number. And 12, 30, 360, 2160, 25920, 36,
| >> 4320, 108, 10800, 54, 540, 54000 etc.......... However, there is
| >> an element of rounding involved (72 is more accurately calculated
| >> at 71.6 & 2160 gets rounded from 2148 by extension & 25920 is
| >> more accurately calculated at 25776).
| >
| > 550 5.7.1 & 553 5.3.0 are also magic numbers. ;-)
| >
|
| You're BOTH a little strange. ;-)

LITTLE?
From ric.gates at bigsleep.org Fri Oct 8 02:46:04 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Thu Oct 7 21:50:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

On 07 Oct 2004 Cat entered spamcop and left news:ck4884$uvc$1@news.spamcop.net:

>> Unless they're browsing with an anonymizer, they've left their IP
>> address with the unhappy spammersite who is being abused. I think.
>
> Correct on that if they have a cookie or something that tracks IP
> addresses of visitors.
>

All web servers log your IP address, it doesn't require cookies or anything else, in fact just connecting to another computer reveals your IP. However a cookie may identify you through a proxy, no Javascript required either.

--
| Ric
|

From MikeE at ster.invalid Thu Oct 7 19:51:21 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 21:55:02 2004
Subject: [SpamCop-List] Re: SC Password reset - harassment?
References:
Message-ID:

Bob W. wrote:

>> somewhere around San Juan Capistrano.
>
> Thanks... Must be a spamming swallow.

That's a very nice story - the scout swallows prior to the return to the mission on the religious holiday, the insects of Capistrano valley nearby which influence the migratory behavior, the 6000 mile long annual trip from Goya .ar, the ancient mission itself and its history, the little mud swallow nests and how that figures into the basis for the traditional migration.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Oct 7 23:09:27 2004
From: nobody at devnull.spamcop.net (Steve Gilder)
Date: Thu Oct 7 22:10:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Blammo" wrote in message news:Xns957BBEFE57Ablammo@216.154.195.61...
> On 07 Oct 2004 Cat entered spamcop and left
> news:ck4884$uvc$1@news.spamcop.net:
>
>>> Unless they're browsing with an anonymizer, they've left their IP
>>> address with the unhappy spammersite who is being abused. I think.
>>
>> Correct on that if they have a cookie or something that tracks IP
>> addresses of visitors.
>>
>
> All web servers log your IP address, it doesn't require cookies or
> anything
> else, in fact just connecting to another computer reveals your IP. However
> a cookie may identify you through a proxy, no Javascript required either.
>
> --
> | Ric
> |

Servers can log a bunch of stuff but ONLY if logging is turned on. Based on a gut feeling and no facts, my guess is spammers do not care about log(s) and most would not know how to interpret it if they did look at it.

From MikeE at ster.invalid Thu Oct 7 20:25:18 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 7 22:25:02 2004
Subject: [SpamCop-List] Re: SC Password reset - harassment?
References:
Message-ID:

Mike Easter wrote:

>>> somewhere around San Juan Capistrano.
>>
>> Thanks... Must be a spamming swallow.
>
> That's a very nice story -

Here's part of one version of it; they're getting ready to leave town in a fortnight or so for their winter vacation

http://www.infoplease.com/spot/swallows1.html The Swallows of San Juan Capistrano [ME: this article was a Mar one, not an Oct one]

The famous cliff swallows of San Juan Capistrano, that leave town every year in a swirling mass near the Day of San Juan (October 23), are returning from their winter vacation spot 6,000 miles south in Goya, Corrientes, Argentina. They land at the mission in San Juan, California, on or around St. Joseph's Day, March 19, to the ringing bells of the old church and a crowd of visitors from all over the world who are in town awaiting their arrival and celebrating with a huge fiesta as well as a parade.

And, here's a little snip from a different one, this writer sez their trip is 7500 miles

"During the flight, that is to say, during the thirty days that the voyage lasts, they do not eat or drink, since they fly from dawn to sunset in order not to waste time."

"They fly at an altitude of more than 2,ooo kms. (6,600 ft.)
In order to take advantage of the fast and favorable currents (tail winds) and, besides, because at that altitude they avoid plundering birds. Their flight plan lasts fifteen hours of flight daily, in steps of 450 kms. With a velocity of 30 kms. (18 miles) per hour, always taking advantage of the winds."

How can they not eat or drink? I'm not sure I believe that.

--
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Thu Oct 7 22:28:18 2004
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Thu Oct 7 22:30:04 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de> <4163197E.5803@xyzzy.claranet.de> <41654587.17B8@xyzzy.claranet.de>
Message-ID: <82M2uPJI+$aO@eisner.encompasserve.org>

In article <41654587.17B8@xyzzy.claranet.de>, Frank Ellermann writes:
> Larry Kilgallen wrote:
>
>> Not the first one if it did not receive the message by SMTP.
>> For example, Multinet running on VMS.
>
> Why doesn't it add a Received: header ? The syntax for the
> "with" part doesn't insist on SMTP, it could be any protocol.

There is no protocol. It is internal to the same machine.

Besides, there is no need to add a header. The operating system vouches for the correctness of the username specified in the headers.

From masfjorden at spamcop.net Fri Oct 8 07:16:21 2004
From: masfjorden at spamcop.net (helge)
Date: Fri Oct 8 00:20:16 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
In-Reply-To:
References:
Message-ID:

Just in case Glenn still wants the translation (not my own, I could only decipher the electronic and reklam bit)

Mike Easter wrote:
snip
> ??????????? ???????? ???????
Electronic Distribution of Advertising
> ????????, ???????????
>
Affordable, Quality
>

It walks like a duck.

helge

From nobody at xyzzy.claranet.de Fri Oct 8 08:06:42 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri Oct 8 01:10:03 2004
Subject: [SpamCop-List] Re: Net giants adopt anti-spam system? Really? I'm skeptical.
References: <415e419f.5257031@news.spamcop.net> <415FD0EC.2BDB@xyzzy.claranet.de> <4160C675.53F7@xyzzy.claranet.de> <4163197E.5803@xyzzy.claranet.de> <41654587.17B8@xyzzy.claranet.de> <82M2uPJI+$aO@eisner.encompasserve.org>
Message-ID: <41662062.716F@xyzzy.claranet.de>

Larry Kilgallen wrote:

> there is no need to add a header. The operating system
> vouches for the correctness of the username specified in
> the headers.

Okay, now I got it, you don't need a "time stamp line" in this situation, because there's a Date: header in your mail.

And when I wrote "from first to last" it should have been "from first resp. second to last". Apparently this depends on the MTA, in my (unused) sendmail.cf "Received" is listed as required header,

Bye, Frank

From MikeE at ster.invalid Thu Oct 7 23:13:13 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 8 01:15:04 2004
Subject: [SpamCop-List] Re: Request for translation of Russian item
References:
Message-ID:

helge wrote:

> It walks like a duck.

I severely suspect that it is another one of those g*dd*mn ducks.

Lord. That reminds me of a couple of duck stories. In my backyard. Two tales; one was about trying to keep the beautiful devoted and amorous couple out of the pool without actually 'harvesting' them [a hunting term] and roasting them up for dinner; the other was later about trying to rescue a couple of the resultant precious baby duck/s from an impossible steep deep hole they fell into that the mama duck couldn't help them out of quack as she might and was going to abandon them in favor of the rest of the tribe or flock or gaggle or covey or whatever you call a duck collective [turns out it is brace, team, or flock].

To cut to the chase, it was a happy ending for all.
-- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Fri Oct 8 08:17:03 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Oct 8 01:20:03 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> <87acuz8fz3.fsf@ursine.dyndns.org> <41655225.5EF7@xyzzy.claranet.de> Message-ID: <416622CF.32E0@xyzzy.claranet.de> Porpoise wrote: > "If not, then you will be unblocked by SpamCop automatically > after 48 hours." says 48. Sure, but Tobias posted an URL with the BL entry: |(http://www.spamcop.net/w3m?action=blcheck&ip=194.25.145.146). | In the last 48 hours there was no E-Mail to a trap And this BL entry was no evidence for "in the last 48 hours", because it only said "in the past week" (and the last 48 hours belong to the past week ;-) Forget it, it's a solved problem. Bye, Frank From usenet1 at DE.LETE.THISljvideo.com Fri Oct 8 06:48:20 2004 From: usenet1 at DE.LETE.THISljvideo.com (Larry J.) Date: Fri Oct 8 01:50:02 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down References: Message-ID: Waiving the right to remain silent, Ivan Leo Puoti said: >> Two wrongs don't make a right IMO. Don't resort to DDoS'ing >> spammers unless you want to put your own Internet connectivity >> at risk. > This is NOT a DDoS attack. A DDoS attack sends file requests to > a server, and keeps the connection open. Reloading a web page or > a jpeg over and over again is not a DDoS attack, it is just an > attempt to make hosting for spammers more expensive, and less > worth while. They will have to buy more bandwidth, and will earn > less. What about this line from the page..? "The whole time this page is running on your machine you are stealing bandwidth from these web sites,..." -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Lord, are we worthy of the task that lies before us, or are we just jerking off..?" 
From Merlyn at Spamcop.net Fri Oct 8 02:59:37 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Fri Oct 8 02:00:03 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down References: Message-ID: "Larry J." wrote in message news:Xns957BE80064FA0larryathome@216.154.195.61... > Waiving the right to remain silent, Ivan Leo Puoti > said: > >>> Two wrongs don't make a right IMO. Don't resort to DDoS'ing >>> spammers unless you want to put your own Internet connectivity >>> at risk. >> This is NOT a DDoS attack. A DDoS attack sends file requests to >> a server, and keeps the connection open. Reloading a web page or >> a jpeg over and over again is not a DDoS attack, it is just an >> attempt to make hosting for spammers more expensive, and less >> worth while. They will have to buy more bandwidth, and will earn >> less. > > What about this line from the page..? > > "The whole time this page is running on your machine you are stealing > bandwidth from these web sites,..." We all know he is a thief, a troll,,,, yada yada yada............. He knows so little and he knows it so fluently. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From jld1 at cam.ac.uk Fri Oct 8 11:50:29 2004 From: jld1 at cam.ac.uk (John Dawson) Date: Fri Oct 8 05:55:22 2004 Subject: [SpamCop-List] Re: SC Password reset - harassment? References: Message-ID: > "They fly at an altitude of more than 2,ooo kms. (6,600 ft.) In order to > take advantage of the fast and favorable currents (tail winds) and, > besides, because at that altitude they avoid plundering birds. Wow - a new breed of space birds!! (Or could the writer have meant 2,000 metres ... ?) 
:-) John From agent01413 at my-deja.com Fri Oct 8 07:28:56 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Fri Oct 8 08:30:09 2004 Subject: [SpamCop-List] Re: Backscatter policy References: Message-ID: Pausing only once for breath, "Mike Easter" said: > >> I was wondering if spamcop could report >> the compromised hosts that are still sending this stuff. > > You can manually report them. Make yourself a little template to attach > the spam to and fire away. > When you do the mechanical part of the analysis, you usually find that enough people have already reported it to trigger spamcop. The backscatter that annoys me is the reports of forged viruses. Those guys get a cease and desist demand. From puoti at inwind.it Fri Oct 8 14:48:13 2004 From: puoti at inwind.it (Ivan Leo Puoti) Date: Fri Oct 8 08:55:02 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down In-Reply-To: References: Message-ID: You can use on open proxy. And accepting all incoming cookies is unsafe IMHO. Ivan. From puoti at inwind.it Fri Oct 8 14:49:22 2004 From: puoti at inwind.it (Ivan Leo Puoti) Date: Fri Oct 8 08:55:12 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down In-Reply-To: References: Message-ID: > We all know he is a thief, a troll,,,, yada yada yada............. Then report me to my ISP. Ivan. From MikeE at ster.invalid Fri Oct 8 09:05:03 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Oct 8 11:05:03 2004 Subject: [SpamCop-List] Re: SC Password reset - harassment? References: Message-ID: John Dawson wrote: >> "They fly at an altitude of more than 2,ooo kms. (6,600 ft.) In >> order to take advantage of the fast and favorable currents (tail >> winds) and, besides, because at that altitude they avoid plundering >> birds. > > Wow - a new breed of space birds!! > (Or could the writer have meant 2,000 metres ... ?) > :-) John Heh. I usually 'proofread' things I paste . 
I changed a typo in the next par of that same snip "always taking advantage of the wines" but I missed the meters error. That particular article is full of 'kms', which probably accounts for the slip. When I pasted that in here, I also commented on the implausibility of the swallows not eating. I just went back to the article^1, which is actually about the swallows of Goya - namely the same ones - and the writer discusses the analysis of the 'fuel' situation for the swallows in great detail. Altho' he didn't address the metabolism issue, since pre-departure the fuel is fat, they must derive their water from the combustion CH2 + O2 => CO2 + H2O He also figgered that while they were fueling up, they must eat about a thousand bugs a day. ^1 http://www.sanjuancapistrano.net/swallows/goya.html The Swallows of Goya - Flight Plan of a Fantastic Flight -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Fri Oct 8 19:12:48 2004 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Oct 8 12:15:13 2004 Subject: [SpamCop-List] Re: SC Password reset - harassment? References: Message-ID: On Fri, 8 Oct 2004 08:05:03 -0700, Mike Easter coughed into spamcop and left this in : > I usually 'proofread' things I paste . I changed a typo in the next par > of that same snip "always taking advantage of the wines" but I missed the > meters error. That particular article is full of 'kms', which probably > accounts for the slip. Birds taking advantage of wines could also account for a few slips... -- Steve Notice spotted in a field: THE FARMER ALLOWS WALKERS TO CROSS THE FIELD FOR FREE, BUT THE BULL CHARGES From eddie at eddie.web Fri Oct 8 14:27:16 2004 From: eddie at eddie.web (eddie) Date: Fri Oct 8 13:30:03 2004 Subject: [SpamCop-List] SC Resolution bug? 
Message-ID:

Recently, I have been getting the following errors from SC on a few
spamvertized websites:

"Parsing input: http://www.lowmortnow.info
No recent reports, no history available
Cannot resolve http://www.lowmortnow.info
No valid email addresses found, sorry!"

www.lowmortnow.info is just my most recent example; I have had many
similar failures in obtaining a reporting address via SC

When I check www.lowmortnow.info myself, I get

Domain ID:D6144528-LRMS
Domain Name:LOWMORTNOW.INFO
Created On:29-Aug-2004 22:13:35 UTC
Last Updated On:11-Sep-2004 19:09:44 UTC
Expiration Date:29-Aug-2005 22:13:35 UTC
Sponsoring Registrar:R123-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C5152629-LRMS
Registrant Name:lasse hansen
Registrant Street1:musikgaden
Registrant City:neastved
Registrant Postal Code:4700
Registrant Country:DK
Registrant Phone:+45.77883754
Registrant Email:lassehansen@as-if.com
Admin ID:C5152629-LRMS
Admin Name:lasse hansen
Admin Street1:musikgaden
Admin City:neastved
Admin Postal Code:4700
Admin Country:DK
Admin Phone:+45.77883754
Admin Email:lassehansen@as-if.com
Billing ID:C5152629-LRMS
Billing Name:lasse hansen
Billing Street1:musikgaden
Billing City:neastved
Billing Postal Code:4700
Billing Country:DK
Billing Phone:+45.77883754
Billing Email:lassehansen@as-if.com
Tech ID:C5152629-LRMS
Tech Name:lasse hansen
Tech Street1:musikgaden
Tech City:neastved
Tech Postal Code:4700
Tech Country:DK
Tech Phone:+45.77883754
Tech Email:lassehansen@as-if.com
Name Server:NS1.INFONAMED.INFO
Name Server:NS2.INFONAMED.INFO

and the ISP,

inetnum: 219.147.64.0 - 219.147.95.255
netname: CHINATELECOM-HL
descr: CHINANET heilongjiang province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: LZ298-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CHINATELECOM-hl
changed: hostmaster@ns.chinanet.cn.net 20030820
status: ALLOCATED NON-PORTABLE
source: APNIC

What's the story? Is something broken at SC?
Being suspicious, I note that this started happening with the "new
look" but that could just be another hitchhiker's guide-type
coincidence.

--
Rather: I don't want to be argumentative, Mr. vice president.
Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't.

From MikeE at ster.invalid Fri Oct 8 12:29:16 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 8 14:30:05 2004
Subject: [SpamCop-List] Re: SC Resolution bug?
References:
Message-ID:

eddie wrote:
> Recently, I have been getting the following errors from SC on a few
> spamvertized websites:
>
> "Parsing input: http://www.lowmortnow.info
> No recent reports, no history available
> Cannot resolve http://www.lowmortnow.info
> No valid email addresses found, sorry!"

If I feed the naked link to the parser I get the same

> When I check www.lowmortnow.info myself, I get

That is the domainname registration information; that's not what SC uses.

> Domain ID:D6144528-LRMS
> Domain Name:LOWMORTNOW.INFO

... what SC wants is the DNS for the name, to get the IP. If the DNS
times out and SC comes up empty, it can't look up the IP in the apnic
whois

I can get the DNS

www.lowmortnow.info DNS 219.147.65.246

so I can get

whois -h whois.apnic.net 219.147.65.246
...
inetnum: 219.147.64.0 - 219.147.95.255
netname: CHINATELECOM-HL
descr: CHINANET heilongjiang province network

which is what you have

> and the ISP,
>
> inetnum: 219.147.64.0 - 219.147.95.255
> netname: CHINATELECOM-HL

> What's the story? Is something broken at SC?
> Being suspicious, I note that this started happening with the "new
> look" but that could just be another hitchhiker's guide-type
> coincidence.

It is due to pokey nameservice. Sometimes the nameservice problem is
tricky and pokey; sometimes it is just tricky.

Here is a 'rating' on the nameservice
http://www.dnsstuff.com/tools/dnstime.ch?name=lowmortnow.info&type=A

Time to look up lowmortnow.info A record
Average of all 2 nameservers: 1624ms (plus 142ms overhead).
Score: F

--
Mike Easter
kibitzer, not SC admin

From masfjorden at spamcop.net Fri Oct 8 22:36:58 2004
From: masfjorden at spamcop.net (helge)
Date: Fri Oct 8 15:40:08 2004
Subject: [SpamCop-List] Re: SC Password reset - harassment?
In-Reply-To:
References:
Message-ID:

John Dawson wrote:
>> "They fly at an altitude of more than 2,ooo kms. (6,600 ft.) In order to
>> take advantage of the fast and favorable currents (tail winds) and,
>> besides, because at that altitude they avoid plundering birds.
>
> Wow - a new breed of space birds!!
> (Or could the writer have meant 2,000 metres ... ?)
> :-) John

I don't have links, but I am sure Mike can find one. To me '2,ooo kms'
means two kilometres while 2.000 kms means two thousand kilometres;
that's how the comma and the full stop are used in several European
languages, including mine. My wild speculation is that the article is
written by a Spanish-speaking person, who uses the comma like I do, and
during translation or whatever that one nonAmerican usage survived.

I am certainly impressed by the speed and endurance of these swallows.
But one species of tern (which is a sort of slender seagull with forked
tail) actually migrates nearly all the way from the north pole to the
Antarctic continent. Specifically some birds were traced from Sweden
(say 60degrees North) to the Antarctic, and the claim was that these
birds saw more daylight than any other creature.

In my area (west .no, about 60N), the tern is a threatened species, at
least locally, because escaped minks, no natural inhabitant here, but
imported and bred as fur animal, go for the nests on the ground. Since
the terns are getting scarce, it is always enjoyable to hear their
characteristic cry.

helge

From eddie at eddie.web Fri Oct 8 16:53:52 2004
From: eddie at eddie.web (eddie)
Date: Fri Oct 8 15:55:03 2004
Subject: [SpamCop-List] Re: SC Resolution bug?
References: Message-ID: On Fri, 08 Oct 2004 11:29:16 -0700, Mike Easter scratched out the following: snip > It is due to pokey nameservice. Sometimes the nameservice problem is > tricky and pokey; sometimes it is just tricky. > > Here is a 'rating' on the nameservice > http://www.dnsstuff.com/tools/dnstime.ch?name=lowmortnow.info&type=A > > Time to look up lowmortnow.info A record Average of all 2 nameservers: > 1624ms (plus 142ms overhead). Score: F Thanks, Mike, for the info. It's like the old prayer, "Lord, I want patience, and I demand it *right now* " :) I guess a sluggish nameserver won't help the spammers either. Even an idiot who wants to go to their website will give up. -- Rather: I don't want to be argumentative, Mr. vice president. Bush41(veep):You do, Dan. Rather: No -- no, sir, I don't. From MikeE at ster.invalid Fri Oct 8 14:06:20 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Oct 8 16:05:03 2004 Subject: [SpamCop-List] Re: SC Password reset - harassment? References: Message-ID: helge wrote: > My wild speculation is that the article is > written by a Spanish-speaking person, who uses the comma like I do, > and during translation or whatever that one nonAmerican usage > survived. By Enrique Bermudez ? courtesy of Para Todos Magazine ? www.paratodos.com Correspondent in Argentina Pedro Iribarren, Director/Proprietor of the journal NUEVA ETAPA of Mar de Plata, Argentina translation by Charles Heizman. This article appeared in the April/May, 1996 issue of Para Todos Magazine, a local Spanish language magazine, published by and edited by Silvia Ichar who also comes from Argentina. (This translation is literal, with little attempt to rewrite it in good English prose.) 
-- Mike Easter kibitzer, not SC admin From masfjorden at spamcop.net Fri Oct 8 23:23:50 2004 From: masfjorden at spamcop.net (helge) Date: Fri Oct 8 16:25:04 2004 Subject: [SpamCop-List] Re: Request for translation of Russian item In-Reply-To: References: Message-ID: Mike Easter wrote: > helge wrote: > >>It walks like a duck. > > > I severely suspect that it is another one of those g*dd*mn ducks. > > > Lord. > > > That reminds me of a couple of duck stories. > > In my backyard. Two tales; one was about trying to keep the beautiful > devoted and amorous couple out of the pool without actually 'harvesting' > them [a hunting term] and roasting them up for dinner; the other was > later about trying to rescue a couple of the resultant precious baby > duck/s from an impossible steep deep hole they fell into that the mama > duck couldn't help them out of quack as she might and was going to > abandon them in favor of the rest of the tribe or flock or gaggle or > covey or whatever you call a duck collective [turns out it is brace, > team, or flock]. > > To cut to the chase, it was a happy ending for all. > A few times I have visited English rustic pubs in Tudor style half-timbered buildings, where the opening between rooms may be very, very low even for a short person like myself. But just like Starbucks warns its customers that coffee is a hot drink, the publican put up a warning sign above the low beam: 'Duck or grouse'. helge From not at home.today Sat Oct 9 00:43:24 2004 From: not at home.today (Ant) Date: Fri Oct 8 18:45:20 2004 Subject: [SpamCop-List] Re: Request for translation of Russian item References: Message-ID: "helge" wrote... > A few times I have visited English rustic pubs in Tudor style > half-timbered buildings, where the opening between rooms may be very, > very low even for a short person like myself. But just like Starbucks > warns its customers that coffee is a hot drink, the publican put up a > warning sign above the low beam: 'Duck or grouse'. 
This talk of ducks and pubs means it's silly joke time. A duck walks into a bar and says to the barman "Do you have any grapes?". The barman looks puzzled and says "No, we don't serve grapes". The next day, the duck enters the bar, asks the same question, and gets a similar reply. The day after, and again the duck asks for grapes. The barman is getting a little irritated. "Look, I've told you we don't have any grapes. If you ask me again I'll nail your feet to the bar!". The duck visits the bar on the following day, and this time asks "Have you got any nails?" The exasperated barman says "No, we have't got any f***ing nails!". The duck replies "In that case, I'll have some grapes". From nobody at devnull.spamcop.net Fri Oct 8 20:21:09 2004 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Oct 8 19:25:08 2004 Subject: [SpamCop-List] Re: SC Password reset - harassment? References: Message-ID: "Mike Easter" wrote in message > John Dawson wrote: > >> "They fly at an altitude of more than 2,ooo kms. (6,600 ft.) In > >> order to take advantage of the fast and favorable currents (tail > >> winds) and, besides, because at that altitude they avoid plundering > >> birds. > > > > Wow - a new breed of space birds!! > > (Or could the writer have meant 2,000 metres ... ?) > > :-) John > > Heh. > > I usually 'proofread' things I paste . I changed a typo in the next par > of that same snip "always taking advantage of the wines" but I missed the > meters error. That particular article is full of 'kms', which probably > accounts for the slip. > > When I pasted that in here, I also commented on the implausibility of the > swallows not eating. I just went back to the article^1, which is > actually about the swallows of Goya - namely the same ones - and the > writer discusses the analysis of the 'fuel' situation for the swallows in > great detail. 
> > Altho' he didn't address the metabolism issue, since pre-departure the > fuel is fat, they must derive their water from the combustion CH2 + O2 => > CO2 + H2O > > He also figgered that while they were fueling up, they must eat about a > thousand bugs a day. > > ^1 http://www.sanjuancapistrano.net/swallows/goya.html The Swallows of > Goya - Flight Plan of a Fantastic Flight > Also, birds do not remove Nitrogen waste as urea in water, but conserve on water as Dalmatians do by excreting their Nitrogen waste as the less soluble white crystalline substance uric acid. But that is probably quite a bit off the lofty flight path the birds were taking... Church mice go for months without water by combusting candle wax, chemistry much as Mike pointed out above... Cheers, Glenn From nobody at spamcop.net Fri Oct 8 22:12:48 2004 From: nobody at spamcop.net (Tom) Date: Fri Oct 8 22:15:34 2004 Subject: [SpamCop-List] Re: Lolita site shut down by Yahoo/GeoCities References: Message-ID: On Tue, 05 Oct 2004 22:38:45 -0700, Rick Carlton wrote: >> Site in question: >> http://www.geocities.com/diosfanplitorda/pppd/ > >And...they're back. > >http://www.geocities.com/romseal_parvn_aliceco/el/ > >Too your advice and manually reported to geo-guidelines@yahoo-inc.com > >Let's see what happens. Unless it is a pedophile trap (run by the authorities). Just a thought. From ric.gates at bigsleep.org Sat Oct 9 03:18:07 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Oct 8 22:20:03 2004 Subject: [SpamCop-List] Re: SC Resolution bug? References: Message-ID: On 08 Oct 2004 eddie entered spamcop and left news:pan.2004.10.08.19.53.52.75000@eddie.web: > It's like the old prayer, "Lord, I want patience, and I demand it *right > now* " :) > There is probably a "wait forever" option, but I would rather not wait forever to report spam. -- | Ric | | "Mankind united with infinitely greater purpose in pursuit of war | than he ever did in pursuit of peace." 
| - Father - Equilibrium From nobody at spamcop.net Fri Oct 8 22:18:34 2004 From: nobody at spamcop.net (Tom) Date: Fri Oct 8 22:20:13 2004 Subject: [SpamCop-List] Re: Changing Handle References: Message-ID: <0giem09bp4jk2c5nvgklm1glj3dfo41937@4ax.com> On Tue, 05 Oct 2004 16:39:43 -0500, Cat wrote: >And aparently, you still haven't learned that no one wants to read >unsnipped top posted comments. Back in my killfile you go. I don't see >why it's such an ordeal for you people to knock off the top posting and >be more polite in how you construct your replies. Having fought with Outlook (or, in my estimation LookOUT), I know that that e-mail system is The Pits! It plugs in the signature at the top and expects you to enter your comments there, too. One of the reasons why I prefer Forte's Agent. It does things the "netiquette" way (including allowing my to preselect the quoted material I want to comment on). Tom From nobody at spamcop.net Fri Oct 8 22:23:17 2004 From: nobody at spamcop.net (Tom) Date: Fri Oct 8 22:25:04 2004 Subject: [SpamCop-List] Re: Court Hits 'Spam' Envelope-Stuffing Scam References: Message-ID: On Tue, 05 Oct 2004 16:45:09 -0700, Perky Not wrote: >The two violated an anti-spam law because they faked return e-mail >addresses and used deceptive subject lines like "Info You Have >Requested" to trick recipients into opening them, the FTC said. > >The scam also violates deceptive-business and telemarketing laws, the >FTC said. Hm. My thoughts are not overly friendly toward the FTC right now, mostly because it seems that something other than spam has to be involved to get them to act. Why can't they simply go after all the spammers that fake return e-mail addresses, use deceptive subject lines, or don't include the required CAN-SPAM return addresses, phone numbers, et al? Or am I dreaming again? 
Tom From MikeE at ster.invalid Fri Oct 8 20:25:52 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Oct 8 22:25:15 2004 Subject: [SpamCop-List] Re: SC Password reset - harassment? References: Message-ID: Glenn Daniels wrote: > conserve on water as Dalmatians do by excreting their Nitrogen > waste as the less soluble white crystalline substance uric acid. Which [in part] accounts for the fact that [practically] only man and the Dalmatian dog are susceptible to 'gout'; an affliction of humans caused by the 'mismanagement' of uric acid with the resultant joint complications. Before someone calls me on it; the human condition is 'different' altho' both are purine metabolism issues - the Dalmatian's problem [uric acid stones] is an inability to convert uric acid to allantoin in their liver - whereas the human situation is different from that, in which the big problem is the uric acid joint problem. Birds also can't do allantoin; but their elimination system is different. Birds can also have uric acid joint problems. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Fri Oct 8 22:30:15 2004 From: nobody at spamcop.net (Tom) Date: Fri Oct 8 22:35:03 2004 Subject: [SpamCop-List] Re: Virus spam References: Message-ID: On Wed, 6 Oct 2004 11:26:33 +0100, "Porpoise" wrote: >I know that bit. that was from my machine deleting the virus that was >attached to the mail I received purporting to have been bounced back to me >as the originator - which I wasn't. That's what made me want to find out >whether: > >1) It was a genuine bounce to a forged From: address > >2) A spam disguised to look like a bounce in order to drop the virus payload >on my system. Neither. It is virus propagated. Do NOT report as spam. 
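Added example (not part of any post in this archive): a way to read the relay line of a suspect bounce, using as sample input the Received: line quoted in the "Help me understand this phoney bounce" post further down. The name right after "from" is only what the client said in HELO, the parenthesised host and IP are what the receiving server recorded, and a genuine bounce carries an empty envelope sender; the function names, finding labels and the rough org_domain() heuristic are assumptions of this sketch, and the second header is constructed.

```python
import re
from email.utils import parsedate_to_datetime

# Received: value quoted in the "phoney bounce" post on this page.
PAGE_HEADER = (
    "from gorge.net (higp3.gatelock.com.tw [211.20.183.163]) "
    "by mcnary.gorge.net (8.12.10/8.12.9) with ESMTP id i982fwQQ080087 "
    "for <[MUNGED]@gorge.net>; Thu, 7 Oct 2004 19:41:59 -0700 (PDT) "
    "(envelope-from brian1992@earthlink.net)"
)

# Constructed sample for contrast: HELO and reverse DNS agree.
CONSTRUCTED_HEADER = (
    "from mail.example.org (mail.example.org [192.0.2.25]) "
    "by mx.example.net (8.12.10/8.12.9) with ESMTP id CONSTRUCTED01 "
    "for <user@example.net>; Thu, 7 Oct 2004 19:45:00 -0700 (PDT) "
    "(envelope-from alice@example.org)"
)

SECOND_LEVEL = {"com", "net", "org", "co", "edu", "gov"}


def org_domain(host):
    """Rough organisational domain (heuristic, not the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    under_cc = len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL
    return ".".join(labels[-3:] if under_cc else labels[-2:])


def parse_received(value):
    """Split a sendmail-style Received value into the fields that matter."""
    head = re.match(
        r"from\s+(?P<helo>\S+)\s+"
        r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
        r"\s+by\s+(?P<by>\S+)",
        value,
    )
    if head is None:
        raise ValueError("not a sendmail-style Received value")
    hop = head.groupdict()
    env = re.search(r"\(envelope-from\s+([^)\s]+)\)", value)
    # "<>" (null sender) becomes an empty string; a missing field stays None.
    hop["envelope_from"] = env.group(1).strip("<>") if env else None
    # The timestamp follows the last ';' once (comments) are removed.
    stamp = re.sub(r"\([^)]*\)", "", value.rsplit(";", 1)[-1]).strip()
    hop["received_at"] = parsedate_to_datetime(stamp)
    return hop


def assess(hop, claims_bounce=False):
    """Return labels for the inconsistencies found in one relay hop."""
    findings = []
    helo, rdns, by = hop["helo"], hop["rdns"], hop["by"]
    # The HELO name is free text from the client; rDNS/IP come from the server.
    if rdns is None or org_domain(helo) != org_domain(rdns):
        findings.append("helo-rdns-mismatch")
    # An outside host introducing itself as the receiving site's own domain.
    outside = rdns is None or org_domain(rdns) != org_domain(by)
    if outside and org_domain(helo) == org_domain(by):
        findings.append("helo-claims-local-domain")
    # Delivery status notifications are sent with a null envelope sender.
    if claims_bounce and hop["envelope_from"]:
        findings.append("bounce-with-non-null-sender")
    return findings


if __name__ == "__main__":
    for label, header, bounce in (("page", PAGE_HEADER, True),
                                  ("constructed", CONSTRUCTED_HEADER, False)):
        hop = parse_received(header)
        print(label, hop["ip"], hop["received_at"].isoformat(),
              assess(hop, claims_bounce=bounce))
```

The IP in square brackets is the value to take to whois or to a report, since it is the only part of the line the sender could not choose.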
From nobody at spamcop.net Fri Oct 8 22:31:53 2004 From: nobody at spamcop.net (Tom) Date: Fri Oct 8 22:35:15 2004 Subject: [SpamCop-List] Re: 419eater.com gets $200 from 419ers References: Message-ID: <7bjem05ei6plsh1v7d2qh6ld822fh0mfaq@4ax.com> On Wed, 06 Oct 2004 12:36:43 +0200, "Dan Ric|-.ter" wrote: >419ers trick their victims by playing on their greed. I guess it's not >surprising that they're vulnerable to the same tactics. Salesmen are the biggest suckers for other salesmen. Or at least, that's what I've been told. I guess it takes one to know one. (not you, but scammers) From nobody at spamcop.net Fri Oct 8 22:35:45 2004 From: nobody at spamcop.net (Tom) Date: Fri Oct 8 22:40:03 2004 Subject: [SpamCop-List] Re: OT? Strange event - comments? References: Message-ID: On Wed, 6 Oct 2004 16:24:58 -0400, Firewoman wrote: >What was the web page you were copying and pasting from? When I do this, >Word accesses the page that I'm pasting in order to download images and >other code. Possibly the website had a link or was providing text to the >specific page you were using? Paste to Notepad, rather than Word. Then you can copy and paste to Word without picking up the original page (unless you really want all that extra crap).. Tom From nobody at spamcop.net Fri Oct 8 22:43:42 2004 From: nobody at spamcop.net (Tom) Date: Fri Oct 8 22:45:03 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down References: Message-ID: <8rjem098slgk9l5nfnesngp5f77u6b7qs2@4ax.com> On Thu, 07 Oct 2004 15:28:07 +0100, Ivan Leo Puoti wrote: >This is an easy, simple, and legal way to shell bullet proof hosts >http://www003.portalis.it/115/ladvampire.html >I believe it will be more effective than reporting (Hey I'm not saying >this is a good reason not to report anyway) >Do you think it's a good idea? I'm targeting the top web sites in >spamcop stats for now, suggestions are welcome. >Not of much use for 56k users. >Just my little contribution to fight spam. 
> In my not so humble opinion... fighting spammers with this kind of tactic may be a way to "get back at them," but I do not consider using revenge tactics to be going after spammers with "clean hands." It is an ethics question and I say "no" to doing something like that. I'd rather work toward getting the laws enforced, rather than just adding to the load on the internet. With over 42 percent of spam still originating in the United States, we Americans have a long way to go before we can say, it's the rest of the world that is doing it. We really do need the FTC to do more than posture politically to help win re-election for the current administration... My two cents' worth. Tom From nobody at spamcop.net Fri Oct 8 22:45:58 2004 From: nobody at spamcop.net (Tom) Date: Fri Oct 8 22:50:12 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down References: Message-ID: On Thu, 07 Oct 2004 17:38:07 +0100, Ivan Leo Puoti wrote: >> IMO, that's using vigilante tactics and lowers those who do it >> to the same level as those they are "attacking". If someone >> throws feces at you, the right response is not to plug their >> arsehole. >I only do it to web sites that spam me, so it's their fault anyway. Placing blame doesn't remove the tactic or make it "white." I am a big believer in being personally accountable for all of my actions, and not blaming someone else for them. You are the one deciding to engage in the vigilante tactic, not them. You are the one in control of your actions. From MikeE at ster.invalid Fri Oct 8 20:47:34 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Oct 8 22:50:25 2004 Subject: [SpamCop-List] Re: Changing Handle References: <0giem09bp4jk2c5nvgklm1glj3dfo41937@4ax.com> Message-ID: Tom wrote: > Having fought with Outlook (or, in my estimation LookOUT), I know that > that e-mail system is The Pits! It plugs in the signature at the top > and expects you to enter your comments there, too. 
I don't know about OL, but in OE, the choice to automatically put in the sig is optional. If you don't put in the sig, the only thing which starts at the top is the cursor, which is where the trimming should start from anyway, so that's a Good Thing. Then you click put the sig at the bottom after trimming and contextualizing everything. An even better choice is to use QF QuoteFix for OL, which I assume has all of the functionality of QF for OE, so it automatically trims sigs, and can automatically put the sig at the bottom. > One of the reasons why I prefer Forte's Agent. It does things the > "netiquette" way (including allowing my to preselect the quoted > material I want to comment on). Agent is very popular and a much more compliant or compatible 'agent' than the OE/OL situation especially in their 'native' state - which has problems with sigs and some other things. -- Mike Easter kibitzer, not SC admin From Spam_N_Scams_Reporter at yahoo.whatever Fri Oct 8 21:24:30 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Fri Oct 8 23:25:04 2004 Subject: [SpamCop-List] Help me understand this phoney bounce Message-ID: Email/Bounce/whatever is posted in .spam with same subject. This has me puzzled. I was preparing a report to TrendMicro, as it appeared to be a possible trademark infringement or scam of some sort. As I kept digging, I realized that the origin of the email appears to be TrendMicro in TW. I do realize that this is how the Netsky.Y worm looks, but as far as I can tell, the email is coming from TrendMicro. Now I am really confused. Why would TrendMicro send me an bounce from a (with a?) non-existant email address? Maybe I should start from the beginning. Here's part of what I was getting ready to send to TrendMicro. [I keep wanting to abbreviate to TM, but that is a well known abbreviation for Trancendental Meditation. Maybe I need to take some time and meditate on this. Usually a good thing to do. 
:)] I received an email that is a phoney bounce as far as I can tell. I am a spam reporter. I investigated. The email with full headers is included below, for your benefit. For now, I'll just use the pertinent parts. Received: from gorge.net (higp3.gatelock.com.tw [211.20.183.163]) by mcnary.gorge.net (8.12.10/8.12.9) with ESMTP id i982fwQQ080087 for <[MUNGED]@gorge.net>; Thu, 7 Oct 2004 19:41:59 -0700 (PDT) (envelope-from brian1992@earthlink.net) The email address - brian1992@earthlink.net is not a valid address. Doing a Whois lookup for higp3.gatelock.com.tw returns: Registrant: ?????????? Trend Micro Inc. 9F, 319, Section 2, Tun Ha\wa South Road, Taipei, Taiwan, R.O.C. Domain Name: gatelock.com.tw Contact: Benjamin Wang benjamin@trend.com.tw TEL: (02)23764949 FAX: (02)23779748 Record expires on 2006-03-27 (YYYY-MM-DD) Record created on 2001-03-23 (YYYY-MM-DD) Domain servers in listed order: ns1.gatelock.com.tw 211.20.183.131 ns2.gatelock.com.tw 211.20.183.132 Registrar: HINET Hmmm. Maybe I am mistaken. I was thinking that this was a phoney setup, but the email address for Benjamin Wang is a valid TrendMicro addy: Validating benjamin@trend.com.tw... Validation results confidence rating: 3 - SMTP canonical address: MX records preference exchange IP address (if included) 10 udcmail01.udc.trendmicro.com [66.35.253.5] 20 udcmail02.udc.trendmicro.com [66.35.255.5] SMTP session [Contacting udcmail01.udc.trendmicro.com [66.35.253.5]...] [Connected] 220 UDCMAIL01.udc.trendmicro.com ESMTP Postfix HELO hexillion.com 250 UDCMAIL01.udc.trendmicro.com MAIL FROM: 250 Ok RCPT TO: 250 Ok Now I'm puzzled. I know this is a phoney bounce. I have many safeguards in place, firewall, adaware, spybot S&D, SpyBlaster, AV all updated everyday, and I scan my computer regularly, so I am quite certain that my computer is not infested. I do cause spammers/scammers a hassle so I do what I can to keep my computer secure. Is gatelock.com.tw part of TrendMicro, or is this some sort of scam? 
It's possible that it is some sort of veiled threat, as I'm thinking that 1992 (brian1992@earthlink.net) is possibly the year that I first acquired the [MUNGED]@gorge.net addy [and my name is Brian, which is a part of the email addy]. And no, I am not overly paranoid, but from seeing what goes on in this cyber world, yes, I am always questioning things. I protect myself. I just don't let it get to me.

Ok, now I am really confused. I just answered the above question. Yes, it does indeed belong to TrendMicro.

Why would I receive an email from TrendMicro with forged headers? What part of this picture am I not seeing?

From MikeE at ster.invalid Fri Oct 8 21:40:39 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 8 23:40:04 2004
Subject: [SpamCop-List] Re: SC Password reset - harassment?
References:
Message-ID:

Glenn Daniels wrote:
> Church mice go for months without water by combusting
> candle wax, chemistry much as Mike pointed out above...

I knew about the kangaroo rat's abilities to retard almost all of the various insensible water losses except for a little bit from the footpad sweat glands, but I never tho't about the 'poor' mice in church and candlewax.

All mice are pretty good about conserving their water. You aren't trying to run a poor church mouse candlewax myth by me are you? ;-)

I'll have to do some checking on mice and wax eating.

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Oct 8 21:42:31 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 8 23:45:03 2004
Subject: [SpamCop-List] Re: SC Password reset - harassment?
References:
Message-ID:

Mike Easter wrote:
> I'll have to do some checking on mice and wax eating.

That didn't take long; those little devils will eat the wax used for 'canning' sealing. Eek!

-- 
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Sat Oct 9 01:39:07 2004
From: wb8tyw at qsl.network (John E.
Malmberg)
Date: Sat Oct 9 00:40:08 2004
Subject: [SpamCop-List] Re: Court Hits 'Spam' Envelope-Stuffing Scam
In-Reply-To:
References:
Message-ID:

Tom wrote:
> Hm. My thoughts are not overly friendly toward the FTC right now,
> mostly because it seems that something other than spam has to be
> involved to get them to act. Why can't they simply go after all the
> spammers that fake return e-mail addresses, use deceptive subject
> lines, or don't include the required CAN-SPAM return addresses, phone
> numbers, et al?

Most of the spammers directly traceable for sending the spew seem to be victims that spend their last dollars buying a spamming kit for $150 to $300 or more.

Basically spamming is a MLM pyramid scam, where only a few on the top are getting any money. The rest are victims/(investors) that never make a dime. See the Earthlink investigation of the Buffalo spammer.

Spamming is not what is making the money. Selling spamming kits is what is making the money, and media reporters reporting that people are getting rich off of spamming is helping the con-men.

The current trend in law enforcement in the U.S. is to go after the big fish, and not do much against the bottom levels of these scams. And it takes a lot of time and money to get evidence that can be used in court against the top con-men.

The feeling is apparently that it is useless to go after the ones on the bottom of the food chain, as there is no money to collect, and as fast as they are arrested, more suckers sign up for what they think will be easy money.

I have come to disagree with that strategy. By having few high profile busts, it reinforces that it is easy to get away with the crime if you are just small potatoes, and the con-men at the top make and hide money while the investigators make their way up the ladder, and the investigators can only concentrate on a few of them at a time, which allows an income flow to most of them.
Start busting the low level participants in a multilevel crime operation as soon as they become visible cuts off the revenue flow to the top con men.

While it does not help get the top con men convicted, the loss of revenue would hurt most of them more than what small sentences they end up getting through plea bargains anyway.

It is a case of making the crime unprofitable rather than making sure that the top criminals get arrested and put in jail.

-John
wb8tyw@qsl.network
Personal Opinion Only

From MikeE at ster.invalid Fri Oct 8 22:53:15 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 9 00:55:03 2004
Subject: [SpamCop-List] Re: Help me understand this phoney bounce
References:
Message-ID:

Spam N Scams Reporter wrote:
> Email/Bounce/whatever is posted in .spam with same subject. This has
> me puzzled.

You are 'thinking' too much.

This is a bogus bounce. Here's the important part of the headers, the last 3 Received tracelines.

The [topmost shown here] top to show it start moving thru' your mailhosts and the bottom to include the last bottom bogus line:

Abbreviated Received lines *comment
from mail.gorge.net [209.216.160.4] by mailgate.cesmail.net *serves you
from gorge.net (higp3.gatelock.com.tw [211.20.183.163]) by mcnary.gorge.net *sourceline, bogus helo
from ([61.60.55.74]) by higp3.gatelock.com.tw *bogusline

whois -h whois.twnic.net 211.20.183.163 ...
NEW NET
Netblock: 211.20.183.128/26
Administrator contact:
axl yen (AY65-TW) axl_yen@trend.com.tw

The brian1992 business From [which causes envelope interpretations] is just bogus spammer business; don't let your imagination run wild.

SC called it a bounce because of its subject.
If I experimentally change it to 'filure' and make some other 'convenience' changes, SC will try to report it

www.spamcop.net/sc?id=z680762681z1caa283b96fa842b5fb38aa31629312az

SC wants to report that to hinet - that doesn't look so good to me, but I guess I would do hinet and axl, maybe abuse.net's hostmaster@twnic.net

-- 
Mike Easter
kibitzer, not SC admin

From Spam_N_Scams_Reporter at yahoo.whatever Fri Oct 8 23:40:50 2004
From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter)
Date: Sat Oct 9 01:45:04 2004
Subject: [SpamCop-List] Re: Help me understand this phoney bounce
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Spam N Scams Reporter wrote:
>
>>Email/Bounce/whatever is posted in .spam with same subject. This has
>>me puzzled.
>
>
> You are 'thinking' too much.
>

I know that I have a tendency to 'think too much', but I also know how to read the headers Mike.

> This is a bogus bounce. Here's the important part of the headers, the
> last 3 Received tracelines.
>

I agree and stated this. It is a bogus bounce.

> The [topmost shown here] top to show it start moving thru' your mailhosts
> and the bottom to include the last bottom bogus line:
>
> Abbreviated Received lines *comment
> from mail.gorge.net [209.216.160.4] by mailgate.cesmail.net *serves you
> from gorge.net (higp3.gatelock.com.tw [211.20.183.163]) by
> mcnary.gorge.net *sourceline, bogus helo
> from ([61.60.55.74]) by higp3.gatelock.com.tw *bogusline
>
> whois -h whois.twnic.net 211.20.183.163 ...
> NEW NET
> Netblock: 211.20.183.128/26
> Administrator contact:
> axl yen (AY65-TW) axl_yen@trend.com.tw

This is a valid email address for TrendMicro

>
> The brian1992 business From [which causes envelope interpretations] is
> just bogus spammer business; don't let your imagination run wild.
>

I know that brian1992... is an invalid email address.

> SC called it a bounce because of its subject.
> If I experimentally change
> it to 'filure' and make some other 'convenience' changes, SC will try to
> report it
>
> www.spamcop.net/sc?id=z680762681z1caa283b96fa842b5fb38aa31629312az
>
> SC wants to report that to hinet - that doesn't look so good to me, but I
> guess I would do hinet and axl, maybe abuse.net's hostmaster@twnic.net
>
>

This was also my first reaction. But I dug further, and realized that this is actually TrendMicro.

From MikeE at ster.invalid Fri Oct 8 23:47:13 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 9 01:50:09 2004
Subject: [SpamCop-List] Re: Help me understand this phoney bounce
References:
Message-ID:

Spam N Scams Reporter wrote:
> This was also my first reaction. But I dug further, and realized that
> this is actually TrendMicro.

What is your 'picture' of TrendMicro? Who is that?

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 9 00:07:40 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 9 02:10:03 2004
Subject: [SpamCop-List] Re: Help me understand this phoney bounce
References:
Message-ID:

Mike Easter wrote:
> Spam N Scams Reporter wrote:
>> This was also my first reaction. But I dug further, and realized that
>> this is actually TrendMicro.
>
> What is your 'picture' of TrendMicro? Who is that?

After posting that, I went to look at some similar items in sightings and also to look around the TrendMicro site, including their GateLock section -- and I have a new theory about the spams I saw in sightings -- but I can't read the language in the big5 fonts in sightings. Your .spam item has similarities to more complete items I saw in sightings.

I think the GateLock stuff is something to strip virms from outgoing mail and leave information about it.
So, if your item was like the ones in sightings, an attempt to send you a viral propagation was made, but the mailer's provider had trendmicro gatelock s/w installed, which stripped off the virus attachment from the body and left a message about it. So, all you get is the headers, the original body, and GateLock attachments representing the s/w's role in removing the executable.

If we could read that stuff, I'm predicting that's what it would say.

-- 
Mike Easter
kibitzer, not SC admin

From tobias.katz at cim-team.de Sat Oct 9 11:01:38 2004
From: tobias.katz at cim-team.de (Tobias Katz)
Date: Sat Oct 9 04:05:19 2004
Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net
References:
Message-ID:

Hi again,

Yes it was the SMTP/AUTH exploit. Now there's no more spamming from 194.25.145.146. And the entry is removed from the BL too.

Thanks to all.

Tobias Katz

From ric.gates at bigsleep.org Sat Oct 9 09:55:29 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sat Oct 9 05:00:54 2004
Subject: [SpamCop-List] Re: Help me understand this phoney bounce
References:
Message-ID:

On 08 Oct 2004 Mike Easter entered spamcop and left news:ck7v4q$nbg$1@news.spamcop.net:

> I think the GateLock stuff is something to strip virms from outgoing mail
> and leave information about it.
>

I don't know, the forged HELO and MessageId really bugs me, but the "gatelock" IP could be forged, though this info is dated...

http://www.trendmicro.com.au/News/GL%20Award%20NR.htm

Trend Micro’s award-winning GateLock security system is an easy-to-use plug-and-play unit with comprehensive security features specially designed for "always-on" broadband connections. GateLock hides and secures broadband connections with a hardware-based firewall, high-performance virus scanning, and Network Address Translation, which assigns a "false" IP address and hides the PC's actual address from outsiders. A DHCP server permits multiple computers or a small network to share a secure broadband connection.
Trend Micro has partnered with Chunghwa Telecom (TSEC: 2412), Taiwan's leading telecommunications carrier, to offer GateLock to ADSL subscribers in Taiwan since September 2001. GateLock is also available in Singapore and Hong Kong and will be introduced to additional markets in the near future.

-- 
| Ric |

From ric.gates at bigsleep.org Sat Oct 9 10:11:30 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sat Oct 9 05:15:41 2004
Subject: [SpamCop-List] Re: Help me understand this phoney bounce
References:
Message-ID:

On 09 Oct 2004 Blammo entered spamcop and left news:Xns957D13A9B2AAblammo@216.154.195.61:

> I don't know, the forged HELO and MessageId really bugs me,

I think I see what happened, the original message had no Message-Id so it was added by the receiving server. The first two Received lines were added by GateLock (it copied the HELO from what the virus used for the HELO name).

So the source, I believe, is [61.60.55.74].

-- 
| Ric |

From ric.gates at bigsleep.org Sat Oct 9 11:38:53 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Sat Oct 9 06:40:02 2004
Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net
References:
Message-ID:

On 09 Oct 2004 Tobias Katz entered spamcop and left news:ck85t4$15q$1@news.spamcop.net:

> Yes it was the SMTP/AUTH exploit.

Thanks for the follow-up, and letting us know.

-- 
| Ric |

From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sat Oct 9 14:01:55 2004
From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12)
Date: Sat Oct 9 07:05:03 2004
Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net
In-Reply-To:
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID:

Porpoise wrote:
> "indigo" wrote in message
> news:ck1a9s$4co$1@news.spamcop.net...
>
>>
>>JohnL wrote:
>>
>>>Paul Johnson scribbled in
>>>news:87fz4synwg.fsf@ursine.dyndns.org:
>>>
>>>
>>>>72 is the magic number, not 48.
>>>
>>>You REALLY need to check before stating something...
>>>http://www.spamcop.net/fom-serve/cache/76.html
>>
>>Who? PJ? Surely you jest!
>>
>>
>
>
> Actually.................................................. He's right, 72 is
> a magic number. And 12, 30, 360, 2160, 25920, 36, 4320, 108, 10800, 54, 540,
> 54000 etc.......... However, there is an element of rounding involved (72 is
> more accurately calculated at 71.6 & 2160 gets rounded from 2148 by extension
> & 25920 is more accurately calculated at 25776).
>
>

In mathematics there are no magic numbers, it is a contradiction in terms. Suppose that you had a large bag with tickets each carrying their own number. If a certain ticket is magic because of its number then the rest is apparently less magic. But, this is a contradiction because all other tickets in the bag also gain importance because they are not the magic ticket. In fact, you could go on with the bag minus the magic ticket and select another magic ticket. By induction it follows that in the end all tickets become magic. What remains is .. the bag.

From porpoise1954 at yahoo.co.uk Sat Oct 9 13:34:34 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Oct 9 07:35:05 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References: <8rjem098slgk9l5nfnesngp5f77u6b7qs2@4ax.com>
Message-ID:

"Tom" wrote in message news:8rjem098slgk9l5nfnesngp5f77u6b7qs2@4ax.com...
> On Thu, 07 Oct 2004 15:28:07 +0100, Ivan Leo Puoti wrote:
>
>
>
> In my not so humble opinion... fighting spammers with this kind of
> tactic may be a way to "get back at them," but I do not consider using
> revenge tactics to be going after spammers with "clean hands."
>
> It is an ethics question and I say "no" to doing something like that.
> I'd rather work toward getting the laws enforced, rather than just
> adding to the load on the internet.
>
> With over 42 percent of spam still originating in the United States,
> we Americans have a long way to go before we can say, it's the rest of
> the world that is doing it.
> We really do need the FTC to do more than
> posture politically to help win re-election for the current
> administration...
>
> My two cents' worth.
>
> Tom

Hear, hear............

From porpoise1954 at yahoo.co.uk Sat Oct 9 13:36:54 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Oct 9 07:40:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Tom" wrote in message news:a4kem096uctcmhseaqieat3pvrgipikdeu@4ax.com...
> On Thu, 07 Oct 2004 17:38:07 +0100, Ivan Leo Puoti wrote:
>
> >> IMO, that's using vigilante tactics and lowers those who do it
> >> to the same level as those they are "attacking". If someone
> >> throws feces at you, the right response is not to plug their
> >> arsehole.
> >I only do it to web sites that spam me, so it's their fault anyway.
>
> Placing blame doesn't remove the tactic or make it "white."
>
> I am a big believer in being personally accountable for all of my
> actions, and not blaming someone else for them.
>
> You are the one deciding to engage in the vigilante tactic, not them.
> You are the one in control of your actions.
>

I agree. I think a lot of OPs show their age/level of maturity to be rather on the low side sometimes Tom.

From porpoise1954 at yahoo.co.uk Sat Oct 9 14:36:17 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Oct 9 08:40:06 2004
Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID:

"geo_splash_12" wrote in message news:ck8gf3$gb8$1@news.spamcop.net...
> Porpoise wrote:
> > "indigo" wrote in message
> > news:ck1a9s$4co$1@news.spamcop.net...
> > <>
> >
> >
> > Actually.................................................. He's right, 72 is
> > a magic number. And 12, 30, 360, 2160, 25920, 36, 4320, 108, 10800, 54, 540,
> > 54000 etc..........
> > However, there is an element of rounding involved (72 is
> > more accurately calculated at 71.6 & 2160 gets rounded from 2148 by extension
> > & 25920 is more accurately calculated at 25776).
> >
> >
>
> In mathematics there are no magic numbers, it is a contradiction in
> terms. Suppose that you had a large bag with tickets each carrying their
> own number. If a certain ticket is magic because of its number then the
> rest is apparently less magic. But, this is a contradiction because all
> other tickets in the bag also gain importance because they are not the
> magic ticket. In fact, you could go on with the bag minus the magic
> ticket and select another magic ticket. By induction it follows that in
> the end all tickets become magic. What remains is .. the bag.

Wrong context. The context you are using it in the above example is along the lines of supernatural/luck. The context I was using the word is:

magic (SPECIAL QUALITY) [Show phonetics]
noun [U]
a special and exciting quality that makes something seem different from ordinary things:
Although the film was made fifty years ago, it has lost none of its magic.
No one could fail to be charmed by the magic of this beautiful city.

http://dictionary.cambridge.org/define.asp?key=48042&dict=CALD

In the same way that 1,3,7,11,13 etc. are magic/special numbers but for a different reason to the numbers in the previous context.

In other words, the context in which I was using the word 'magic' is in the context of; they are numbers 'which have special significance' ("magic" is shorter to write than "which have special significance")

I don't recall mentioning mathematics, although mathematics is involved in the calculations to which these numbers relate.
From puoti at inwind.it Sat Oct 9 15:37:18 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Sat Oct 9 09:45:22 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To: <8rjem098slgk9l5nfnesngp5f77u6b7qs2@4ax.com>
References: <8rjem098slgk9l5nfnesngp5f77u6b7qs2@4ax.com>
Message-ID:

> With over 42 percent of spam still originating in the United States,
> we Americans have a long way to go before we can say, it's the rest of
> the world that is doing it. We really do need the FTC to do more than
> posture politically to help win re-election for the current
> administration...
Then you americans should get your laws enforced more effectively.

Ivan.

From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sat Oct 9 17:46:26 2004
From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12)
Date: Sat Oct 9 10:50:03 2004
Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net
In-Reply-To:
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID:

Porpoise wrote:
> "geo_splash_12" wrote in message
> news:ck8gf3$gb8$1@news.spamcop.net...
>
>>Porpoise wrote:
>>
>>>"indigo" wrote in message
>>>news:ck1a9s$4co$1@news.spamcop.net...
>>>
>
> <>
>
>>>
>>>Actually.................................................. He's right,
>
> 72 is
>
>>>a magic number. And 12, 30, 360, 2160, 25920, 36, 4320, 108, 10800, 54,
>
> 540,
>
>>>54000 etc.......... However, there is an element of rounding involved
>
> (72 is
>
>>>more accurately calculated at 71.6 & 2160 gets rounded from 2148 by
>
> extension
>
>>>& 25920 is more accurately calculated at 25776).
>>>
>>>
>>
>>In mathematics there are no magic numbers, it is a contradiction in
>>terms. Suppose that you had a large bag with tickets each carrying their
>>own number. If a certain ticket is magic because of its number then the
>>rest is apparently less magic. But, this is a contradiction because all
>>other tickets in the bag also gain importance because they are not the
>>magic ticket.
>>In fact, you could go on with the bag minus the magic
>>ticket and select another magic ticket. By induction it follows that in
>>the end all tickets become magic. What remains is .. the bag.
>
>
> Wrong context. The context you are using it in the above example is along
> the lines of supernatural/luck. The context I was using the word is:
>
>
> magic (SPECIAL QUALITY) [Show phonetics]
> noun [U]
> a special and exciting quality that makes something seem different from
> ordinary things:
> Although the film was made fifty years ago, it has lost none of its magic.
> No one could fail to be charmed by the magic of this beautiful city.
>
>
> http://dictionary.cambridge.org/define.asp?key=48042&dict=CALD
>
> In the same way that 1,3,7,11,13 etc. are magic/special numbers but for a
> different reason to the numbers in the previous context.
>
> In other words, the context in which I was using the word 'magic' is in the
> context of; they are numbers 'which have special significance' ("magic" is
> shorter to write than "which have special significance")
>
> I don't recall mentioning mathematics, although mathematics is involved in
> the calculations to which these numbers relate.
>
>

The other context is

http://dictionary.cambridge.org/define.asp?key=magic*1+0&dict=A

and this shows why the word magic is so impopular.

Mathematics is the science of numbers, so I brought it up. Nowhere you'll find the word magic. Of course there are special numbers like pi=3.1415... and e=2.7183... as in http://functions.wolfram.com/Constants/ but we call them mathematical constants that follow from a definition. In your case we are dealing perhaps with a series, perhaps prime numbers or special prime numbers, but not magic numbers.

From nobody at spamcop.net Sat Oct 9 11:08:10 2004
From: nobody at spamcop.net (Tom)
Date: Sat Oct 9 11:10:05 2004
Subject: [SpamCop-List] Re: Court Hits 'Spam' Envelope-Stuffing Scam
References:
Message-ID:

On Sat, 09 Oct 2004 00:39:07 -0400, John E.
Malmberg wrote:

>Start busting the low level participants in a multilevel crime operation
>as soon as they become visible cuts off the revenue flow to the top con men.
>
>While it does not help get the top con men convicted, the loss of
>revenue would hurt most of them more than what small sentences they end
>up getting through plea bargains anyway.
>
>It is a case of making the crime unprofitable rather than making sure
>that the top criminals get arrested and put in jail.

I snipped most of your comments, but agree with them. This last item is the real key, except that I think more than just "spammers" are now involved (i.e., phishing schemes seem to be well set up and operated).

From nobody at spamcop.net Sat Oct 9 11:10:21 2004
From: nobody at spamcop.net (Tom)
Date: Sat Oct 9 11:15:02 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References: <8rjem098slgk9l5nfnesngp5f77u6b7qs2@4ax.com>
Message-ID: <9pvfm0lepnkqh8ds680f9fnqpkul5nsn4n@4ax.com>

On Sat, 09 Oct 2004 14:37:18 +0100, Ivan Leo Puoti wrote:

>Then you americans should get your laws enforced more effectively.

I don't have any argument with that at all. We have a very bad habit of passing all sorts of laws and then either:

1. Not enforcing them, except when we want to, or
2. Plea bargaining away any teeth that was in the law.

From porpoise1954 at yahoo.co.uk Sat Oct 9 17:37:58 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Oct 9 11:40:03 2004
Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID:

"geo_splash_12" wrote in message news:ck8tk2$3jo$1@news.spamcop.net...
> Porpoise wrote:
>
> > "geo_splash_12" wrote in message
> > news:ck8gf3$gb8$1@news.spamcop.net...
> > <>
> >
> >
> > Wrong context. The context you are using it in the above example is along
> > the lines of supernatural/luck.
> > The context I was using the word is:
> >
> >
> > magic (SPECIAL QUALITY) [Show phonetics]
> > noun [U]
> > a special and exciting quality that makes something seem different from
> > ordinary things:
> > Although the film was made fifty years ago, it has lost none of its magic.
> > No one could fail to be charmed by the magic of this beautiful city.
> >
> >
> > http://dictionary.cambridge.org/define.asp?key=48042&dict=CALD
> >
> > In the same way that 1,3,7,11,13 etc. are magic/special numbers but for a
> > different reason to the numbers in the previous context.
> >
> > In other words, the context in which I was using the word 'magic' is in the
> > context of; they are numbers 'which have special significance' ("magic" is
> > shorter to write than "which have special significance")
> >
> > I don't recall mentioning mathematics, although mathematics is involved in
> > the calculations to which these numbers relate.
> >
> >
>
> The other context is
>
> http://dictionary.cambridge.org/define.asp?key=magic*1+0&dict=A
>
> and this shows why the word magic is so impopular.

Well, in the history of the English language I've found it to be quite a popular word (as opposed to unpopular [not impopular]). The film industry have made quite popular use of it too (although not necessarily in the same context). In either case contextual meaning can change over time with common usage (in the same way that some nouns have subsequently become verbs, adjectives, etc.) and a common use of the word is to convey the meaning of something "special, out of the ordinary, really good, etc." which is the context it was being used here.

> Mathematics is the
> science of numbers, so I brought it up. Nowhere you'll find the word
> magic.

Nowhere? Where? I've found the word magic occurring in a multitude of places. If you mean in math text books; well I've already made it clear we weren't discussing math.

> Of course there are special numbers like pi=3.1415... and
> e=2.7183...
> as in http://functions.wolfram.com/Constants/ but we call
> them mathematical constants that follow from a definition. In your case
> we are dealing perhaps with a series, perhaps prime numbers or special
> prime numbers, but not magic numbers.
>

Of course we could get really pedantic here go on ad infinitum, so I'll say; okay, we'll call them special numbers then.

Still no-one has discussed what the *special* numbers relate to though..............

From MikeE at ster.invalid Sat Oct 9 09:48:10 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 9 11:50:03 2004
Subject: [SpamCop-List] Re: Help me understand this phoney bounce
References:
Message-ID:

Blammo wrote:
> So the source, I believe, is [61.60.55.74].

Yes, I've now been leaning in that direction because of the 'appearance' of the gatelock word in the rDNS and 'by' field - but the whole thing is badly configured and handled.

The IP of the gatelock isn't an mx, and doesn't have a port 25, so whatever server handled the mail and did the stripping is not only doing a Bad Thing, but it is also misconfigured in several ways by not announcing its IP properly and moving the helo..

I'd just as soon see the gatelock get credit for the spam/propagation and blocked; and that's what's happening in sightings.

Also axl_yen@trend.com.tw is a software engineer for TrendMicro and trendmicro is the registrant for the domainname gatelock.com.tw - so that all lends credence to that middle line I posted earlier 'moving' the helo [Doh!] and relaying the stripped item and 'hiding' or anonymizing the real IP which took it from the source.

That's enough 'justification' to 'mistakenly' leave them 'holding the bag' for being the source. - even if they weren't.
-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 9 10:20:40 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 9 12:20:11 2004
Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID:

If I googleup /"magic numbers"/ I get quite a little collection of concepts and books and webpages.

Using magic to describe something is one thing, using magic to describe a number or numbers results in a lot of confusion, unless you also simultaneously introduce the concept of what it is you are trying to apply the magic of the number/s to -- such as the magical numbers of human social organizations, or the magical numbers of file-types, etc.

Google gives 66300 hits for magical numbers, mostly all different kinds of ideas, and 289,000 for 'magic number' singular

It is beginning to remind me of how unique isn't unique and it is; and magic isn't magic and it is.

...and what is is. Bill must've been right.

-- 
Mike Easter
kibitzer, not SC admin

From not at home.today Sat Oct 9 18:28:34 2004
From: not at home.today (Ant)
Date: Sat Oct 9 12:30:03 2004
Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID:

"Porpoise"...
> "geo_splash_12":
>> Mathematics is the
>> science of numbers, so I brought it up. Nowhere you'll find the word
>> magic.
>
> Nowhere? Where? I've found the word magic occurring in a multitude of places.
> If you mean in math text books; well I've already made it clear we weren't
> discussing math.

You will often hear the term "magic square" to describe an arrangement of numbers which give special properties to that square.

Software developers refer to "magic numbers" when describing a sequence of bytes in the header part of certain files. For example, the "MZ" marker at the start of an exe file, or the hex sequence 0xCAFEBABE at the start of a Java class file.
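The trace-line reasoning in the "Help me understand this phoney bounce" messages above, as an added Python sketch (not part of any post and not SpamCop's parser): walk the Received lines newest first, trust only lines written by the recipient's own servers, and identify each hop by the bracketed IP rather than by the HELO name. The header strings are built from the lines quoted in the thread; `MY_DOMAINS`, `MY_RELAY_IPS` and the function names are assumptions made for the example.

```python
import re

# One Received trace line: "from HELO (rdns [ip]) by host", with HELO, rdns
# and the parentheses each optional, as in the three lines quoted in the thread.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>[^\s(\[]*)\s*"           # name the client claimed in HELO/EHLO
    r"\(?(?P<rdns>[^\s\[\]()]*)\s*"            # reverse DNS found by the receiving server
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)?"  # peer IP recorded by the receiving server
    r"\s+by\s+(?P<by>[^\s;]+)",                # server that wrote this line
    re.IGNORECASE,
)

# Constructed sample, newest first, from the trace lines quoted in the thread.
SAMPLE_HEADERS = [
    "Received: from mail.gorge.net [209.216.160.4] by mailgate.cesmail.net",
    "Received: from gorge.net (higp3.gatelock.com.tw [211.20.183.163])\n"
    "    by mcnary.gorge.net (8.12.10/8.12.9) with ESMTP id i982fwQQ080087\n"
    "    for <[MUNGED]@gorge.net>; Thu, 7 Oct 2004 19:41:59 -0700 (PDT)",
    "Received: from ([61.60.55.74]) by higp3.gatelock.com.tw",
]

# Assumptions for the example: the recipient's own mail domains, and the IPs
# of the recipient's own relays that hand mail from one of them to the next.
MY_DOMAINS = ("gorge.net", "cesmail.net")
MY_RELAY_IPS = {"209.216.160.4"}


def is_mine(host, my_domains):
    """True if host is one of the recipient's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in my_domains)


def parse_received(header):
    """Return helo/rdns/ip/by for one Received header, or None if unparseable."""
    m = RECEIVED_RE.search(" ".join(header.split()))  # unfold continuation lines
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None


def find_source(headers, my_domains, my_relay_ips):
    """Find the last hop the recipient's own servers can vouch for.

    Returns None when the chain of custody cannot be established (the newest
    line was not written by one of our servers, or every hop is internal).
    """
    hops = [parse_received(h) for h in headers]
    for i, hop in enumerate(hops):
        # Only a line written by one of our own servers is evidence.
        if hop is None or not is_mine(hop["by"], my_domains):
            return None
        # Internal handoff: decided by the recorded IP, never by the HELO name.
        if hop["ip"] in my_relay_ips:
            continue
        return {
            "source_ip": hop["ip"],
            "helo": hop["helo"],
            "rdns": hop["rdns"],
            # An outside IP announcing itself as the recipient's own domain.
            "helo_forged": is_mine(hop["helo"], my_domains),
            # Everything older was supplied by the sender and proves nothing.
            "unverified_claims": [h["ip"] for h in hops[i + 1:] if h],
        }
    return None


if __name__ == "__main__":
    result = find_source(SAMPLE_HEADERS, MY_DOMAINS, MY_RELAY_IPS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

A check keyed on the HELO name would have treated the "gorge.net" hop as internal and moved on to the sender-supplied line below it.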
From remaker at suespammers.org Sat Oct 9 10:43:14 2004
From: remaker at suespammers.org (Phillip Remaker)
Date: Sat Oct 9 12:45:03 2004
Subject: [SpamCop-List] Feature Request
Message-ID:

I reported this on spamcop.help but was directed here.

I report all email spam through submit.xxxxxx@spamcop.net

When I visit the website, I click "report now" and it works well.

MAIN REQUEST:
When I select "Send Spam Report(s) Now" I'd like to be taken to the next spam to be reported instead of the "report now" link. It would save me time. As it is, I have to wait, click and wait. Two waits. I'd only like to wait once (when I click "process")

Option B: A fourth button on the spam report page that says "Send, and move to next in queue"

Some folks want the option but "butt in" a cut and paste request in the stream. Allow the "spam report" page to allow you to jump to a cut-and-paste report form if that is a worry.

LESSER REQUESTS

Tell me how many spams I have in queue to report.
You have *N* Unreported Spam Saved

Tell me before I send the report how old it is. I can't tell. I would prefer to cancel anything over 12 hours old.

Towards that end, process my "saved spam" in REVERSE chronological order, so fresh spam is reported first.

THANKS!

Phil
Happy Spamcop user

(PS: Get on the IPV6 Spam, soon...)

From nobody at devnull.spamcop.net Sat Oct 9 13:36:21 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Sat Oct 9 13:40:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References: <8rjem098slgk9l5nfnesngp5f77u6b7qs2@4ax.com>
Message-ID:

Ivan Leo Puoti wrote:
>> With over 42 percent of spam still originating in the United States,
>> we Americans have a long way to go before we can say, it's the rest of
>> the world that is doing it. We really do need the FTC to do more than
>> posture politically to help win re-election for the current
>> administration...
> Then you americans should get your laws enforced more effectively.
You're still not skipping a line between the quoted part and your reply. If you want people to read your posts, one would think you'd want to make it easy for people to distinguish between the quoted parts and your added comments. From nospam at temporaryrelay002.ath.cx Sat Oct 9 20:42:16 2004 From: nospam at temporaryrelay002.ath.cx (Gingko) Date: Sat Oct 9 13:45:04 2004 Subject: [SpamCop-List] "Sorry, this email is too old to file a spam report" Message-ID: http://www.spamcop.net/sc?id=z680884532z9afcf3c22a99f18ccf8935008b67d4c8z "Sorry, this email is too old to file a spam report. You must report spam within 3 days of receipt. This mail was received on Mon, 04 Oct 2004 23:04:09 -0400 Message is 4.6 days old Nothing to do." I received this message 5 hours ago. The given time comes from the oldest "Received" line : Received: from [12.104.248.95] (helo=doramail.com) by qsmtp2.america.net with esmtp (Exim 4.10) id 1CEfcV-0005OY-00; Mon, 04 Oct 2004 23:04:09 -0400 As 'qsmtp2.america.net' is not part of my mailhosts, I'm wondering if the spammer didn't succeed to have a forgery line validated. Gingko. From MikeE at ster.invalid Sat Oct 9 12:23:04 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 9 14:25:03 2004 Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report" References: Message-ID: Gingko wrote: > As 'qsmtp2.america.net' is not part of my mailhosts, I'm wondering > if the spammer didn't succeed to have a forgery line validated. It looks to me like SC thinks qsmtp2.america.net is a hostname for you. Hostname verified: qsmtp2.america.net If SC parses that spam without the hostname information, it breaks the chain at 69.60.160.245 - because of what I call the 'mx step' because it doesn't trust the IP to be a server [at this time] www.spamcop.net/sc?id=z680901185zeec75ab581b157e10f547d59ee90e060z However, there /is/ a server at 69.60.160.245 named qsmtp2.america.net which is running ESMTP Exim 4.10 and doesn't 'appear' to relay. 
There is also spam evidence at some blocklists that shows a similar delayed line underneath the server's line. Oops, nevermind; now SC trusts the server to relay. That's a change. I should've copied the earlier verbose. Possible spammer: 69.60.160.245 69.60.160.245 is not an MX for qsmtp2.america.net host qsmtp2.america.net (checking ip) = 69.60.160.245 Relay trusted (69.60.160) Possible relay: 69.60.160.245 69.60.160.245 not listed in relays.ordb.org. 69.60.160.245 has already been sent to relay testers Received line accepted -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Oct 9 12:30:00 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 9 14:30:04 2004 Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report" References: Message-ID: Mike Easter wrote: > However, there /is/ a server at 69.60.160.245 named > qsmtp2.america.net which is running ESMTP Exim 4.10 and doesn't > 'appear' to relay. There is also spam evidence at some blocklists > that shows a similar delayed line underneath the server's line. And here are 3 recent spams coming thru' that IP apparently relaying, one of which shows a significant delay at the server, and 2 don't http://groups.google.com/groups?q=69.60.160.245&hl=en&btnG=Google+Search -- Mike Easter kibitzer, not SC admin From dfm2a3l0t2 at spymac.com Sat Oct 9 15:50:20 2004 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Sat Oct 9 14:55:05 2004 Subject: [SpamCop-List] Re: Court Hits 'Spam' Envelope-Stuffing Scam References: Message-ID: In article , Tom wrote: > Hm. My thoughts are not overly friendly toward the FTC right now, > mostly because it seems that something other than spam has to be > involved to get them to act. Why can't they simply go after all the > spammers that fake return e-mail addresses, use deceptive subject > lines, or don't include the required CAN-SPAM return addresses, phone > numbers, et al? > > Or am I dreaming again? 
Well, you seem to be under the impression that the CAN-SPAM Act was actually intended to stop spam.

-- 
D.F. Manno
dfm2a3l0t2@spymac.com
Countdown to Regime Change: T-minus 26 days.

From 8vmb6jy02 at sneakemail.com Sat Oct 9 22:02:21 2004
From: 8vmb6jy02 at sneakemail.com (Sean W)
Date: Sat Oct 9 16:05:03 2004
Subject: [SpamCop-List] Peculiar Bounce
Message-ID:

Following on from the post in .spam regarding Brazilian networks here is my 'bounce' I received the other day.

Is this beyond lame or is there any legitimacy to this at all (considering it was sent to the reporter address and not the report bounce address etc. and shows a web server error).

Am I naive or are these totally stupid or what? Surely a 'bounce' report is for non-delivery of email not internal problems reported (by hand) to a third party and including the original content (with comments as well).

Anyone in receipt of anything similar?

-- 
Sean

"Report" follows: (Headers included as evidence).

*********************************************
Please report this to your system support people:
****WARNING:
****MESG
action=receivemail
mailheader=From bounceaddress Mon Oct 4 10:58:08 2004
Received: from wks05.rjo.embratel.net.br (wks05.rjo.embratel.net.br [200.255.253.239]) by srv05.embratel.net.br (8.11.6/8.11.6/EBT) with ESMTP id i94Dw8R03663 for ; Mon, 4 Oct 2004 10:58:08 -0300
Received: by wks05.rjo.embratel.net.br (Postfix) id 83495109C7; Mon, 4 Oct 2004 10:58:08 -0300 (EST)
Received: from vmx1.spamcop.net (vmx1.spamcop.net [64.74.133.248]) by wks05.rjo.embratel.net.br (Postfix) with ESMTP id 8B6C8109BF for ; Mon, 4 Oct 2004 10:58:07 -0300 (EST)
Received: from sc-app3.eq.ironport.com (HELO spamcop.net) (192.168.19.203) by vmx1.spamcop.net with SMTP; 04 Oct 2004 06:58:08 -0700
Received: from [myip] by spamcop.net with HTTP; Mon, 04 Oct 2004 13:58:07 GMT
From: "Me"
To: spamc@embratel.net.br
Subject: [SpamCop (http://mcgee.suprapage.com/download1/gen0/remo.html) id:redacted]This program knows where you
live! Precedence: list Message-ID: Date: early Mon X-SpamCop-sourceip: 210.173.48.6 X-Mailer: my ua name=Me uid=reportid email=reportid@reports.spamcop.net rhost= description=[ SpamCop V1.371 ] This message is brief for your comfort. Please use links below for details. Spamvertised web site: Ivo's latest and current 'page' site. [ Offending message ] removed date=Mon nearly tuesday (hours after recieving). warn= mailcat= who=mail debugmode=0 ****SERVER: HTTP/1.1 500 Internal Server Error Date: Mon, 04 Oct 2004 13:58:08 GMT Server: Apache/1.3.24 (Unix) Connection: close Content-Type: text/html; charset=iso-8859-1 500 Internal Server Error

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, admin@embratel.net.br and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.


Apache/1.3.24 Server at srv05.embratel.net.br Port 80
Failed after 1 tries Thank you From 8vmb6jy02 at sneakemail.com Sat Oct 9 22:06:59 2004 From: 8vmb6jy02 at sneakemail.com (Sean W) Date: Sat Oct 9 16:10:02 2004 Subject: [SpamCop-List] Re: Peculiar Bounce In-Reply-To: References: Message-ID: Sean W wrote: [Nonsense mainly after his sig the dumboid ;-p) Sorry about that. -- Sean From ric.gates at bigsleep.org Sat Oct 9 21:21:42 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sat Oct 9 16:25:04 2004 Subject: [SpamCop-List] Re: Help me understand this phoney bounce References: Message-ID: On 09 Oct 2004 Mike Easter entered spamcop and left news:ck9157$92t$1@news.spamcop.net: > Blammo wrote: >> So the source, I believe, is [61.60.55.74]. > > Yes, I've now been leaning in that direction because of the 'appearance' > of the gatelock word in the rDNS and 'by' field - but the whole thing is > badly configured and handled. The IP of the gatelock isn't an mx, and > doesn't have a port 25, so whatever server handled the mail and did the > stripping is not only doing a Bad Thing, but it is also misconfigured in > several ways by not announcing its IP properly and moving the helo.. > I'm not quite that hard on it, because it is, at least, adding the received header when it could actually hide the source. However, in the case of a virus like this, it should be completely blocking the message, what's the point of allowing it to be sent. That provides a good reason to block gatelock. -- | Ric | From windsorfoxNOSPAM at cox.net Sat Oct 9 17:15:09 2004 From: windsorfoxNOSPAM at cox.net (WindsorFox[SS]) Date: Sat Oct 9 17:15:04 2004 Subject: [SpamCop-List] Re: 419 Scam reporting In-Reply-To: References: Message-ID: Mike Easter wrote: > No I can't testify, except others have mentioned the domain and addies. > They have a website at http://www.nigeriapolice.org/ > > but they aren't mentioned at a very important 419 informational site > My, what an, umm, interesting web site... 
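For the "Sorry, this email is too old to file a spam report" thread earlier on this page, an added example (not SpamCop's parser and not code from any poster): a simplified model of walking the Received chain from newest to oldest and accepting a line only while the host that wrote it is one of the reporter's own mail hosts. The bottom header is the one quoted in that thread; the top header, the host `mx.example.net`, the report time and all function names are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_AGE_DAYS = 3  # "You must report spam within 3 days of receipt."

# Newest first, as the headers appear in a message.
RECEIVED = [
    # Constructed: final delivery to the reporter's own (hypothetical) mail host.
    "from qsmtp2.america.net ([69.60.160.245]) by mx.example.net with esmtp; "
    "Sat, 09 Oct 2004 09:40:00 -0400",
    # Quoted in the thread: the oldest line, whose date made the mail "4.6 days old".
    "from [12.104.248.95] (helo=doramail.com) by qsmtp2.america.net with esmtp "
    "(Exim 4.10) id 1CEfcV-0005OY-00; Mon, 04 Oct 2004 23:04:09 -0400",
]
NOW = datetime(2004, 10, 9, 17, 30, tzinfo=timezone.utc)  # constructed report time

BY_HOST = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)


def parse_received(value):
    """Return (host that wrote the line, timestamp) for one Received header value."""
    if ";" not in value:
        raise ValueError("Received line has no date part")
    match = BY_HOST.search(value)
    if match is None:
        raise ValueError("Received line has no 'by' host")
    stamp = value.rsplit(";", 1)[1].strip()
    return match.group(1).lower(), parsedate_to_datetime(stamp)


def receipt_time(received, trusted_hosts):
    """Date of the oldest line written by a trusted host.

    Anything below the first untrusted writer could have been typed in by the
    sender, so neither its addresses nor its dates are used.
    """
    accepted = None
    for value in received:
        by_host, when = parse_received(value)
        if by_host not in trusted_hosts:
            break
        accepted = when
    return accepted


def age_days(received, trusted_hosts, now):
    when = receipt_time(received, trusted_hosts)
    if when is None:
        raise ValueError("no Received line from a trusted host")
    return round((now - when).total_seconds() / 86400, 1)


def is_reportable(received, trusted_hosts, now):
    return age_days(received, trusted_hosts, now) <= MAX_AGE_DAYS


if __name__ == "__main__":
    own_only = {"mx.example.net"}
    with_relay = own_only | {"qsmtp2.america.net"}
    print("own host only :", age_days(RECEIVED, own_only, NOW), "days")
    print("relay trusted :", age_days(RECEIVED, with_relay, NOW), "days")
```

Treating qsmtp2.america.net as trusted makes the 4 October date count, which matches the age shown in the quoted error text; treating it as untrusted stops the chain one line higher.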
From windsorfoxNOSPAM at cox.net Sat Oct 9 17:43:39 2004 From: windsorfoxNOSPAM at cox.net (WindsorFox[SS]) Date: Sat Oct 9 17:45:03 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down In-Reply-To: References: Message-ID: Merlyn wrote: > It is still a form of "Denial of Service" which is most likely against your > providers TOS. > > Fighting abuse with abuse is not the way. > Then what is? What we are doing now is obviously not working. Either something is going to have to get extremely nasty soon, or the Internet will have to abandon the use of email. From nobody at spamcop.net Sat Oct 9 22:20:15 2004 From: nobody at spamcop.net (Pop (was Spamcop by accident)) Date: Sat Oct 9 21:25:33 2004 Subject: [SpamCop-List] Re: OT? Strange event - comments? References: Message-ID: "Tom" wrote in message news:thjem0hh7cpumtvu2orcco0op1heli70k7@4ax.com... | On Wed, 6 Oct 2004 16:24:58 -0400, Firewoman wrote: | | >What was the web page you were copying and pasting from? When I do this, | >Word accesses the page that I'm pasting in order to download images and | >other code. Possibly the website had a link or was providing text to the | >specific page you were using? | | Paste to Notepad, rather than Word. Then you can copy and paste to | Word without picking up the original page (unless you really want all | that extra crap).. | | Tom Hmm, good point; thanks. The simplest answer is always the best. Pop From completelyfalse at harrykiri.com Sun Oct 10 12:46:39 2004 From: completelyfalse at harrykiri.com (Harry Kiri) Date: Sat Oct 9 21:50:10 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down References: Message-ID: "WindsorFox[SS]" wrote in message news:ck9m14$7vt$1@news.spamcop.net... > Merlyn wrote: > > It is still a form of "Denial of Service" which is most likely against your > > providers TOS. Yes, it may well be contrary to an ISP's wishes, it might also be contrary to the providers TOS. But "Denial of Service"? Not true at all. 
> > Fighting abuse with abuse is not the way. > Then what is? What we are doing now is obviously not working. > Either something is going to have to get extremely nasty soon, or the > Internet will have to abandon the use of email. You are correct, in the US and most other countries, what "conventional" spamfighters are doing isn't reducing spam. It grows every day. It recently forced me to give up my email address of seven years standing, when my incoming spam exceeded 250 per day, outnumbering my wanted emails by around 50:1. The only country making progress seems to be Australia, who now have draconian spam laws and massive penalties (AUS $1 million fines for spams with an Australian connection). I haven't seen any Oz originated spams since April, although I don't read incoming spams and I might easily have missed some. Australians don't take kindly to spam, although incredibly, the Oz politicians have exempted themselves from the spam laws! With regards to fighting abuse with abuse, some pretty simple principles apply. The schoolyard bully only stops when they get back what they dish out. That is human nature and no amount of turning the other cheek is going to stop that. If you are under continuous personal attack, you must do whatever you can, (within the law), to stop the attacker. If spamfighters choose to fight back with one arm tied behind their back, then so be it, that is their right. But for years now, the one armed fighter has failed to stop spam, in fact there's barely a dent in the traffic. Given this failure to stop it, it's absurd for one armed fighters to criticise two armed fighters. I have reported many tens of thousands of spams over the last four years and I will continue to do so for spam received on my "throwaway" addresses, even though I know it's like urinating into the wind. 
Notwithstanding that, I congratulate and encourage those with bandwidth to spare who can hit the spammers in the pocket - where it will have *much* more effect than conventional reporting.

The "denial of service" argument is completely invalid - anyone who wishes to, can still access spamvertised sites, whether or not "spamvampires" are active.

Again, my heartfelt "thanks" to fellow spamfighters using *any* lawful methods to fight spam. Pay no attention to those who twist the natural meaning of "denial of service". Saying that spamvampires (or similar techniques) are "a form of denial of service" is like saying "Taxation is a form of stealing". It simply isn't so, but this erroneous argument gets trotted out time and again - no one ever claims they can't access a website because a spamvampire was active!

Does anyone claim this? Then please post the link to the spamvampired website so we can all test to see if it is a DOS ...

We are all fighting for a spam free Internet. Attacking each others (legal) methods will make the spammers happy, fragment us and in the end help fill the pockets of the Richters of this world.

Regards,
Hughy

From MikeE at ster.invalid Sat Oct 9 21:21:51 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 9 23:25:04 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

WindsorFox[SS] wrote:
> What we are doing now is obviously not working.
> Either something is going to have to get extremely nasty soon, or the
> Internet will have to abandon the use of email.

The spamreading spambelieving spamclicking spammees are busily feeding profits to the spammers in spite of your doomsaying and blocklisting and filtering.

The people have spoken. They want and use spam and buy spamproducts from the spamsites. Sometimes they whine and cry about it; but it is not what they say, but it is what they /do/ that tells/shows what they /really/ want.
You and/or your provider will just have to do your filtering, and the bandwidth and service providers will just have to undergo how much ever expansion and coping they need to carry and deliver and store the unlimited spam to facilitate the spammers and spammees ability to use it.

The opinion or concept that 'someone should do something' has no meaning absent a 'controllable' infrastructure for smtp traffic in *general*, much less any kind of operational /legalistic/ definition of spam, and especially in the face of a marketing industry which has a much *more* important guiding influence on framing legislation for its own wishes than a relatively /tiny/ bunch of anti-s.

And spammees /functionally/ *agree* with the marketers and 'non-regulating' public officials; clamorous anti-s should 'just hit delete' or the automatic filtering equivalent of it; and meanwhile the spammee spamuser will delete /some/ but also /select/ and open and visit and buy the spamvertised products of some others.

Just wait until mainsleaze gets it all worked out about how to spam without besmirching their image; you ain't seen nothin' yet. Email marketing proportions will be worse than the postoffice - which is now predominantly a marketing based enterprise, and will result in whatever trivial amount of non-spam just /also/ being carried around in addition to the main flow of *spam*, just like the relationship of snailmail's marketing preponderance vs non marketing inferiority. Except *much* worse because of the absence of the financial throttle of snailmail as contrasted to email spam, which has no throttle.

Email, like the airwaves, will belong to the marketers.

-- 
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Sun Oct 10 11:43:16 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Oct 10 05:45:19 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

"Mike Easter" wrote in message news:cka9pq$785$1@news.spamcop.net...
> <> > > Email, like the airwaves, will belong to the marketers. > Sad but true........ That's why only some proper opt-in approach (like the Aussies draconian measures) will work in the long run..... Even the Caller ID type response won't get rid of spam, only that the people/corps sending it will have to use their real address.... Snailmail spammers, of course already do that so they won't have any more qualms about using their real address than they do now. But, if I have requested to be advised of updates, new products, whatever, then that is legitimate marketing email and I should be able to opt-out at any time. That's the difference between "legitimate" marketing emails and spam. I *choose* to have daily currency updates via email - and several other regular mailings that *would be* classified as spam if it weren't for the fact I *requested* them specifically. From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sun Oct 10 14:17:33 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sun Oct 10 07:20:04 2004 Subject: [SpamCop-List] Spamcop reporting troubles Message-ID: On an average day I get about 100 e-mails from three accounts, two are at work and one is via a commercial ISP. I report spam, as many of you do, either to spamcop or to first alert. Whereas the latter goes via a web site, the spamcop reporting is direct by e-mail. If you set up quick reporting then spamcop doesn't require the slow boat to china web interaction for each and every spam that you submit. The mail host configuration sort of excludes the possibility that you report your own hosts. Now, at work everybody is picky about abuse and virus alerts, and the last thing you want to get involved in is a phone call from the central help desk telling you that your PC is spreading viruses. This can't be true, was my initial reaction, but they were right and mailwasher was unfortunately to blame after I saw their evidence. 
My own ignorance and a spam with a javascript caused a one day IP lock and an animated discussion with our help desk. These guys don't help you, instead they simply hang up the IP number first and then the phone. All reports sent at work go through the smtp server at work, and this is a rather picky server with a sensitive filter that captures all java scripts or fishing attempts in an e-mail. My Norton AV doesn't recognize the script viruses. I was however reporting a spam that I received through my commercial ISP, and these guys couldn't care less what is going on, sometimes I have that feeling at least. The solution would be that spamcop reports need to be scrambled in some way so that this doesn't happen again. But for the time being my solution is to avoid spamcop reporting at work. Any of you guys have similar experiences? From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sun Oct 10 14:28:42 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sun Oct 10 07:30:04 2004 Subject: [SpamCop-List] Re: Bringing bullet proof hosts down In-Reply-To: <9pvfm0lepnkqh8ds680f9fnqpkul5nsn4n@4ax.com> References: <8rjem098slgk9l5nfnesngp5f77u6b7qs2@4ax.com> <9pvfm0lepnkqh8ds680f9fnqpkul5nsn4n@4ax.com> Message-ID: Tom wrote: > On Sat, 09 Oct 2004 14:37:18 +0100, Ivan Leo Puoti wrote: > > >>Then you americans should get your laws enforced more effectively. > > > I don't have any argument with that at all. For almost all other countries in the world I think there is a similar situation. > We have a very bad habit of passing all sorts of laws and then either: > > 1. Not enforcing them, except when we want to, or > 2. Plea bargaining away any teeth that was in the law. And for this reason the Netherlands has very strict laws that clearly prohibit hard and soft drugs, prostitution, speeding, money laundering, driving under influence, and so on. In practice some of these are condoned, and sometimes when politicians are personally involved. 
From MikeE at ster.invalid Sun Oct 10 06:01:33 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 08:05:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: geo_splash_12 wrote: < paraphrasing >. par 1 sez you quickreport to SC and use mailhosts. par 2 sez you got a virus; you somehow concluded something about getting infected via an email propagation, javascript, and mailwasher that I don't understand. > The > solution would be that spamcop reports need to be scrambled in some > way so that this doesn't happen again. I don't understand again. I think you are saying that you think that spamcop reporting by email has something to do with getting the virus or you have some reason for thinking 'spamcop reports need to be scrambled' that I don't get. > But for the time being my > solution is to avoid spamcop reporting at work. Your solution to what? -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Sun Oct 10 17:20:08 2004 From: bar_n0ne at hotmail.com (Berny) Date: Sun Oct 10 08:25:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: "Mike Easter" wrote in message news:ckb888$ja1$1@news.spamcop.net... > geo_splash_12 wrote: > > < paraphrasing >. > > par 1 sez you quickreport to SC and use mailhosts. > > par 2 sez you got a virus; you somehow concluded something about getting > infected via an email propagation, javascript, and mailwasher that I > don't understand. > > > The > > solution would be that spamcop reports need to be scrambled in some > > way so that this doesn't happen again. > > I don't understand again. > > I think you are saying that you think that spamcop reporting by email has > something to do with getting the virus or you have some reason for > thinking 'spamcop reports need to be scrambled' that I don't get. > > > But for the time being my > > solution is to avoid spamcop reporting at work. > > Your solution to what? 
I think, after reading the whole thing, he submitted a virus or jscript laden email to SC, which was caught by outbound filters and flagged the IT to shut him down. From brad at clickbrain.com Sun Oct 10 11:16:01 2004 From: brad at clickbrain.com (Brad Nickel) Date: Sun Oct 10 10:20:04 2004 Subject: [SpamCop-List] Mail Not Coming Through Message-ID: I have several accounts forwarded to spamcop. This morning, mail is not coming through. It is not in held mail and not in web mail. I have verified, by sending test emails. I then changed the forwarding for one of my accounts directly to my web mail account and it came through with no problem. Why is this happening and where are my emails? One is an important financial document. From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sun Oct 10 17:48:29 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sun Oct 10 10:50:08 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles In-Reply-To: References: Message-ID: Berny wrote: > "Mike Easter" wrote in message > news:ckb888$ja1$1@news.spamcop.net... > >>geo_splash_12 wrote: >> >>< paraphrasing >. >> >>par 1 sez you quickreport to SC and use mailhosts. >> >>par 2 sez you got a virus; you somehow concluded something about getting >>infected via an email propagation, javascript, and mailwasher that I >>don't understand. >> >> >>>The >>>solution would be that spamcop reports need to be scrambled in some >>>way so that this doesn't happen again. >> >>I don't understand again. >> >>I think you are saying that you think that spamcop reporting by email has >>something to do with getting the virus or you have some reason for >>thinking 'spamcop reports need to be scrambled' that I don't get. >> >> >>>But for the time being my >>>solution is to avoid spamcop reporting at work. >> >>Your solution to what? 
>
>
> I think, after reading the whole thing, he submitted a virus or jscript
> laden email to SC, which was caught by outbound filters and flagged the IT
> to shut him down.
>
>

You got the point, a script virus was reported as spam using the mailwasher program. The solution would be to encode the e-mail that is submitted to spamcop, but that option doesn't exist.

From brad at clickbrain.com Sun Oct 10 11:55:52 2004
From: brad at clickbrain.com (Brad Nickel)
Date: Sun Oct 10 11:00:03 2004
Subject: [SpamCop-List] Re: Mail Not Coming Through - Clarification
References:
Message-ID:

When I say the email is coming through to my web mail account after I change it to be forwarded there instead of my spamcop account, I am not talking about spamcop webmail, but yahoo web mail.

Any help appreciated.

Thanks,
Brad

"Brad Nickel" wrote in message news:ckbg78$umh$1@news.spamcop.net...
>I have several accounts forwarded to spamcop. This morning, mail is not
>coming through. It is not in held mail and not in web mail. I have
>verified, by sending test emails. I then changed the forwarding for one of
>my accounts directly to my web mail account and it came through with no
>problem.
>
> Why is this happening and where are my emails? One is an important
> financial document.
>

From MikeE at ster.invalid Sun Oct 10 10:09:51 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Oct 10 12:10:16 2004
Subject: [SpamCop-List] Re: Spamcop reporting troubles
References:
Message-ID:

Berny wrote:
> I think, after reading the whole thing, he submitted a virus or
> jscript laden email to SC, which was caught by outbound filters and
> flagged the IT to shut him down.

Ah, so. Now I see. I was interpreting this

geo_splash_12 wrote:
> a phone call from the
> central help desk telling you that your PC is spreading viruses.
This > can't be true, was my initial reaction, but they were right as saying that the desk told him he was propagating as an infected, and his investigation confirmed that he /was/ an infected propagator. It makes a lot more sense if I don't interpret that he was infected. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 10 10:38:52 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 12:40:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: geo_splash_12 wrote: > a spam with a javascript caused a one day IP lock Do you still have that item? > My Norton AV doesn't > recognize the script viruses. I was however reporting a spam that I > received through my commercial ISP That one. Do you have it? If you have it, paste it into the webparser, copy the tracking url at the top of the verbose page, then cancel the SC report and paste the tracking url here. That will give anyone access to the exact item you are talking about that caused the trouble. -- Mike Easter kibitzer, not SC admin From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sun Oct 10 20:06:33 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sun Oct 10 13:10:04 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles In-Reply-To: References: Message-ID: Mike Easter wrote: > geo_splash_12 wrote: > >>a spam with a javascript caused a one day IP lock > > > Do you still have that item? no. >>My Norton AV doesn't >>recognize the script viruses. I was however reporting a spam that I >>received through my commercial ISP > > > That one. Do you have it? I'm slowly beginning to hate NAV > If you have it, paste it into the webparser, copy the tracking url at the > top of the verbose page, then cancel the SC report and paste the tracking > url here. That will give anyone access to the exact item you are talking > about that caused the trouble. 
ok From MikeE at ster.invalid Sun Oct 10 11:21:37 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 13:25:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: geo_splash_12 wrote: > I'm slowly beginning to hate NAV I keep my AV agent uptodate and turned off ;-) I'm a believer in behaving and configuring against virus infections rather than depending upon an AV agent to replace good configuration and behavior, because AVs will 'let you down'. Every virus was once a virus which didn't have an AV agent's template or .dat file for it, so you shouldn't be counting on them. If you can intelligently defend yourself not counting on them, then there is no point in slowing down your system or consuming resources scanning a lot of things in realtime 'unnecessarily'. So, my mail virms get corralled into a BigMail folder simply on the basis of their size; I have some tricks to help me deal with my friends' bigmails containing graphics and such. I never open spam or virms or html render an email which I don't know what it contains. I 'handle' my virm virmail - virus worm email - propagations by handling the mailitem by its Properties, isolating the executable, decoding if necessary, pointing my AV agent at the isolated executable, and characterizing it for notification of the propagator's provider. If I were using a realtime AV agent, it would try to interfere with my handling and do its own quarantining or whatever. -- Mike Easter kibitzer, not SC admin From lostwithout at home.com Sun Oct 10 15:54:14 2004 From: lostwithout at home.com (Flwrite) Date: Sun Oct 10 14:55:20 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: > > a phone call from the > > central help desk telling you that your PC is spreading viruses. This > > can't be true, was my initial reaction, but they were right >>>But for the time being my >>>solution is to avoid spamcop reporting at work As a neophyte, here's my opinion. 
The punchline is to remove the virus-file-attachment before forwarding the email to SpamCop.

If your procedure includes sending, forwarding, or otherwise transmitting a virus email, then you're doing it wrong. I have never heard of any legitimate service that would want you to re-send a virus. If I try to email a virus, my antivirus program interrupts when I hit the Send button, and I receive a small electric shock in the keyboard. (That was an inexpensive, optional peripheral.)

To avoid such warnings when forwarding a virus email, the outgoing email should include the complete headers of the virus email, but first remove the virus attachment. That would do the trick. But problems remain.

If spam is forwarded "Quoted In-Line," the complete headers of the offending email are displayed in the Body of the email. If the headers are included properly, SpamCop will accept this. However, the headers are rendered unusable by SpamCop if they are messed with, such as being broken up into multiple lines. And invariably, long lines in the header _will_ be broken up into two or three lines when Quoting In-Line. If that happens, SpamCop won't accept the submission.

Personally, I have never successfully forwarded offending headers in the body of an email, no matter how hard I try. Forwarding the email in-line opens it, re-formats it, and otherwise screws up its headers. Therefore, I send spam "as attachments," which simply forwards the offending email file without opening it. It has never failed.

Forwarding a virus email in-line would have an advantage. Up in the corner, the virus-file-attachment will be listed in the attachments. At that point, I can delete the attachment, and send the email to SpamCop without actually re-transmitting the virus, bothering my anti-virus software, or bothering my IT department (who is me). However, I still have a problem with the header information getting screwed up, so SpamCop won't accept the submission, anyway.
If I hit "forward as an attachment" instead, the headers are kept intact within the original email file, including its virus. That opens a New Email window with an empty body, and the offending email listed in the "Attachments List." In that case, there is no way to remove the virus because it is contained within the single attached file -- the original offending email including its header information, its body, its virus attachment, etc., all in the single attached file. (.eml?) So, I can't send a virus email to SpamCop as Quoted In-Line, because that screws up its headers. And I can't send a virus email as an attachment, because that doesn't provide an opportunity to delete the virus, first. This may not be a bad thing. I have read something, somewhere, deep in the SpamCop instructions, that they only want you to forward spam to them, not viruses. So I do not consider myself "stuck" if I can't find a way to forward a virus email to them -- they specified they don't want them, anyway. My biggest concern, Geo_Splash, is that your computer is apparently able to Send a virus email, without making a fuss. I recommend either installing some antivirus software that has email protection, or upgrade what you already have. Check out http://www.my-etrust.com/microsoft/ by Computer Associates. Its user interface is a dog, but the protection is good, and it's free for a year. Not to be confused with Network Associates, who foist McAfee upon the world. eTrust is much less bloated, and it even works well with my older, Win98se computer. When I try to email a virus, the screen switches to 640x480 16-color DOS, and provides a good clear warning (in ugly red and yellow). When the monitor switches to ugly DOS, it lets out a little high-voltage "snap!" which helps to attract attention and slow down carelessly fast fingers. When I tell it "No," it returns to the previous windoze mode, and all is well with the world. 
In the meantime, the question is what to do with a virus email if SpamCop won't process it for you. This is an opportunity to check out its headers, learn to eliminate the fraudulent "From" and "Reply-To" fields, to search for the true ISP from where the email was really sent, and to find that ISP's "abuse address" for reporting that one of their customers is sending virus emails. Just like spam, there may be a bunch of red herring IP addresses in the email, and you don't want to send a complaint to the wrong organization. When you are sure you have the proper IP address of the sender, go to http://ww3.arin.net/whois/ and put the offending IP address into the field. Instead of putting the whole IP address into the field, just put in the first two bytes followed by two x's, like this -- 69.168.x.x In that case, they will return a page with the organization's information, especially the abuse@blah.com email address. Then you're in business, and you can diplomatically send them an email with a copy of the headers of the offending email. (Headers include the IP address of the offender and the time they sent the email. That should be sufficient to pin down the particular customer, even if they use dynamic IP addresses.) You might include the name of the virus as reported by your antivirus software. Keeping the original format of the header won't be quite as sensitive as if you were submitting the information to the SpamCop system, but you don't want to change anything, anyway. Within a day or two, you'll get an email back from the other ISP, thanking you for making the world a little cleaner. Best luck, -Neil- From MikeE at ster.invalid Sun Oct 10 13:29:44 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 15:30:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: Flwrite wrote: > As a neophyte, here's my opinion. The punchline is to remove the > virus-file-attachment before forwarding the email to SpamCop. 
Correct; also not be quickreporting an intact virm. I think the reason there were so many words in each initial par was to 'explain' how it was 'all' caused by the failure of NAV and MW to be handling the mailitem properly - and how SC needs to reconfigure itself to prevent friction between the user's mistakes at work and the work IT desk. > If your procedure includes sending, forwarding, or otherwise > transmitting a virus email, then you're doing it wrong. Correct. > If I try to email a virus, my antivirus program interrupts > when I hit the Send button, and I receive a small electric shock in > the keyboard. (That was an inexpensive, optional peripheral.) Heh. > Therefore, I send spam "as attachments," which simply forwards the > offending email file without opening it. It has never failed. That works fine with OE. Some others have to do something else. > If I hit "forward as an attachment" instead, the headers are kept > intact within the original email file, including its virus. If I wanted to parse a virmail with SC I would use the webparser and edit out the executable. But I also think I could email it, which I've never done. > there is no way to > remove the virus because it is contained within the single attached > file -- the original offending email including its header > information, its body, its virus attachment, etc., all in the single > attached file. (.eml?) But, you could save that, open it, edit out the executable, and save it again before opening it for sending. You could also save the original virm, edit its executable out, then open it and forward as attachment. > in the SpamCop instructions, that they only want you to forward spam > to them, not viruses. Correct; it is against the rules to SC report virus propagations, bounces, bogus From notifications, or other spawn. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 10 13:52:18 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 15:55:09 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: Mike Easter wrote: > But, you could save that, open it, edit out the executable, and save > it again before opening it for sending. You could also save the > original virm, edit its executable out, then open it and forward as > attachment. Not enough details in there. You could 'grab' the entire virm by its Properties [File/ Properties/ Details/ message source - selectall copy paste into say notepad. Edit out the executable. Save the item as an .eml file. Then open the .eml file - which will launch OE - and then forward that as an attachment to the submit addy. You could perform a similar drill in a slightly different order. Select the virm unopened, R click to forward as attachment, but rather than send, save that item as .eml file, open the .eml with notepad and edit out the executable, then resave it as .eml and open it with OE to send. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 10 13:56:50 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 16:00:04 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: Mike Easter wrote: > If I wanted to parse a virmail with SC I would use the webparser and > edit out the executable. But I also think I could email it, which > I've never done. But, whether you webparse or email submit a stripped virm, you have to cancel the notify. It is not SC reportable either way. 
-- Mike Easter kibitzer, not SC admin From e.schrama_NOSPAM at NOSPAM_hccnet.nl Mon Oct 11 00:48:53 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sun Oct 10 17:50:09 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles In-Reply-To: References: Message-ID: Mike Easter wrote: > geo_splash_12 wrote: > >>a spam with a javascript caused a one day IP lock > > > Do you still have that item? > > >>My Norton AV doesn't >>recognize the script viruses. I was however reporting a spam that I >>received through my commercial ISP > > > That one. Do you have it? > > If you have it, paste it into the webparser, copy the tracking url at the > top of the verbose page, then cancel the SC report and paste the tracking > url here. That will give anyone access to the exact item you are talking > about that caused the trouble. > > Actually, I narrowed the search to two possibilities (based on the time stamp and sender that the help desk people gave me). Furthermore I had to dive into the MW log directory and unrotate one of its rot135 learning files. After following Mike's suggestion I got two tracking URL's: http://www.spamcop.net/sc?id=z681182236z4c73ffb34e9e075e0f8f97c41c485e89z http://www.spamcop.net/sc?id=z681182502z01709d15e00a244eec16e86f891a5c74z I think the first one keeps a script that could have triggered a virusscanner, (again, it doesn't trigger my NAV). Phishing perhaps? Ejo From MikeE at ster.invalid Sun Oct 10 16:35:37 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 18:35:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: geo_splash_12 wrote: > Mike Easter wrote: >> geo_splash_12 wrote: >>> a spam with a javascript caused a one day IP lock >> Do you still have that item? 
>> copy the tracking url > Actually, I narrowed the search to two possibilities www.spamcop.net/sc?id=z681182236z4c73ffb34e9e075e0f8f97c41c485e89z > I think the first one keeps a script that could have triggered a > virusscanner, (again, it doesn't trigger my NAV). Phishing perhaps? Aha! The infamous furiousfledglingflavors.com BLOCK mess. My opinions about the significance of that is different from others. Rather than me putting my spin on the issue, see the threads by Glenn Daniels here and in .geeks on that subject; but I don't know the subjects yet; I'll have to research that. My theory is that the mysterious stuff inside that block is 'randomly' put there. Glenn thinks it has a purpose. It has to be reformatted and decoded to see what it really looks like. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Mon Oct 11 00:36:32 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Oct 10 18:40:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: "Flwrite" wrote in message news:ckc0h9$ni5$1@news.spamcop.net... <> > > When you are sure you have the proper IP address of the sender, go to > http://ww3.arin.net/whois/ and put the offending IP address into the field. Good link but a bit limited in that it only applies to ARIN. A better one IMHO is: http://www.dnsstuff.com/ As it's not limited to just ARIN (for the rest of the world). > Instead of putting the whole IP address into the field, just put in the > first two bytes followed by two x's, like this -- 69.168.x.x In that case, > they will return a page with the organization's information, especially the > abuse@blah.com email address. 
> <> There's a big wide world out there ya know ;-) From ric.gates at bigsleep.org Sun Oct 10 23:59:08 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Oct 10 19:00:02 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: On 10 Oct 2004 geo_splash_12 entered spamcop and left news:ckcao5$6v4$1@news.spamcop.net: > I think the first one keeps a script that could have triggered a > virusscanner, (again, it doesn't trigger my NAV). Phishing perhaps? > I don't see why, there's nothing in either of those, no Javascript, no MS JScript, no MS JScript.Encode (which is used by a common virus). The URL encoding in the "BLOCK" is nothing but garbage. -- | Ric | From ric.gates at bigsleep.org Mon Oct 11 00:19:46 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Oct 10 19:20:04 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: On 10 Oct 2004 Mike Easter entered spamcop and left news:ckcdd4$arl$1@news.spamcop.net: > My theory is that the mysterious stuff inside that block is 'randomly' > put there. Glenn thinks it has a purpose. > > It has to be reformatted and decoded to see what it really looks like. > Undoubtably a mess aiming to poison filters. Those with lots of time to waste could attempt to make some sense out of it, but personally I think it's a subliminal message from Alpha Centuri meant to brain wash the curious. -- | Ric | From MikeE at ster.invalid Sun Oct 10 17:28:39 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 19:30:04 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: Blammo wrote: > but personally I think it's a subliminal message from Alpha > Centuri meant to brain wash the curious. ...or some 'static' from one of those recent X- & gamma- ray flashes, bursts, or 'belches' of the 3 /different/ wannabe supernovae getting ready to blow. What in the world/universe is going on out there? 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 10 17:43:04 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 19:45:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: geo_splash_12 wrote: > a phone call from the > central help desk telling you that your PC is spreading viruses. This > can't be true, was my initial reaction, but they were right and > mailwasher was unfortunately to blame after I saw their evidence. > All reports sent at work go through the smtp server at work, and this > is a rather picky server with a sensitive filter that captures all > java scripts or fishing attempts in an e-mail. > I was however reporting a spam that I > received through my commercial ISP So, let me see if I comprehensively understand this situation. First of all, I'm anti-quick reporting; so you're just going to have to put up with that. Anyhow, you were trying to email SC quickreport spams and your office's IT dude/tte sez you are trying to send out a virm according to their ware. How, exactly, does that work? The server's virm identified email is 'captured' by some kind of filter? And what kind of filter is that? Exactly or precisely. And what does the filter do with the so identified virm? Exactly. And, how does that result in an 'analysis' or human oversight process by which 'they' say you are infected and you further /agree/ that you were sending a virus? It would seem that the filter should be standing there holding this piece of spam it is calling a viral propagation so that either you or the help desk could say "No, that is not a viral propagation. That, sir or ma'am as the case may be, is a piece of spam, I'm mailing somewhere. Tell your filter to put its spectacles on." Unless we don't have the complete picture yet. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 10 17:55:28 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 19:55:04 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: geo_splash_12 wrote: > a spam with a javascript caused a one day IP lock What does that actually mean? There is some kind of filter that spots whatall and does whatall about it? Let's say it differently and more precisely if possible. Besides IDing /real/ virus items. I understand how /that/ works. I also understand that some 'antiviral' gizmos 'spot' everything from so-call 'illegal container violations' - to all kinds of 'bright ideas' which someone has dreamed up for an AV agent to expand into - which has absolutely nothing to do with viral templates or structure or even heuristics but instead are based on dumb*ss filter recognition of some daffy html configurations which have been 'associated with' some kind of viral propagation in the past. Sometimes or ofttimes, 'stupid' constructions. Spammers are famous for stupid constructions. When you start getting too 'smart' with the AV agent, you start introducing all kinds of false positive potentials. -- Mike Easter kibitzer, not SC admin From fuhrman at videoSANS_SPAMtron.ca Sun Oct 10 21:34:52 2004 From: fuhrman at videoSANS_SPAMtron.ca (Christopher Fuhrman) Date: Sun Oct 10 20:35:03 2004 Subject: [SpamCop-List] AP News: China Offers Rewards for Reporting Porn Message-ID: Not sure what percentage of spam promotes porn sites based on Chinese hosts, but perhaps this is a way to make spam reporting more effective. Unfortunately, I didn't see the reporting address!! I wonder how serious this whole thing is. Any comments? 
http://story.news.yahoo.com/news?tmpl=story&cid=562&e=2&u=/ap/china_porn_rewards From not at home.today Mon Oct 11 02:45:53 2004 From: not at home.today (Ant) Date: Sun Oct 10 20:50:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: "Mike Easter" wrote... [...] > When you start getting too 'smart' with the AV agent, you start > introducing all kinds of false positive potentials. Or AVs can be very un-smart. For example Dark Avenger's signature "Eddie lives...somewhere in time!" would cause Norton AV to alert on any text file that contained it. Maybe it still does (oops!). From MikeE at ster.invalid Sun Oct 10 19:14:09 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 10 21:15:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: Ant wrote: > "Mike Easter" wrote... >>> When you start getting too 'smart' with the AV agent, you start >> introducing all kinds of false positive potentials. > > Or AVs can be very un-smart. For example Dark Avenger's signature > "Eddie lives...somewhere in time!" would cause Norton AV to alert > on any text file that contained it. Maybe it still does (oops!). Symantec's 'enterprise level' AV agent, which it provides to EarthLink for a pretty penny I would imagine, tripped and called an 'illegal container violation' on a simple spam I got which just happened to have some weird chars in the subject and was otherwise a very simple little mortgage spam. That doesn't even seem to me to be 'related' to what kind of mistake it /should/ be making about illegal containers. That should be an html structure issue; not a bad character in the subject issue. It seems to me that the Symantec enterprise level AV doesn't even know how to go about making a mistake properly. For people to put their trust in AV agents to keep themselves from getting virus infected is a big mistake. Tons of false positives and false negatives in that little world. 
-- Mike Easter kibitzer, not SC admin From baloo at ursine.dyndns.org Sun Oct 10 20:05:42 2004 From: baloo at ursine.dyndns.org (Paul Johnson) Date: Sun Oct 10 22:10:23 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: <87llee6mbt.fsf@ursine.dyndns.org> geo_splash_12 writes: > These guys don't help you, instead they simply hang up the IP number > first and then the phone. Umm, they're supposed to cut off network access to hosts that are malfunctioning. That's their job. > All reports sent at work go through the smtp server at work, and this > is a rather picky server with a sensitive filter that captures all > java scripts or fishing attempts in an e-mail. My Norton AV doesn't > recognize the script viruses. AVG does, it has a $0 version. http://www.grisoft.com/ ClamAV does, it's really free. http://clamav.net/ From usenet1 at DE.LETE.THISljvideo.com Mon Oct 11 04:12:23 2004 From: usenet1 at DE.LETE.THISljvideo.com (Larry J.) Date: Sun Oct 10 23:15:05 2004 Subject: [SpamCop-List] Changing Preferences..? Message-ID: I've tried several times to change my non-functioning email address. Each time, I get this as a confirmation: "Sending confirmation to xxxx@xxxxxx.com" <--- my new address "Confirmation email has been sent. Please check your mail to complete confirmation. You must retrieve this confirmation email and respond to it for your account to be activated." The address never gets the confirmation email, and SpamCop reverts back to the non-functioning email address. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Lord, are we worthy of the task that lies before us, or are we just jerking off..?" 
From tdy at blackhole.invalid Sun Oct 10 22:30:33 2004 From: tdy at blackhole.invalid (N. Miller) Date: Mon Oct 11 00:35:14 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: In article , Mike Easter says... > I think you are saying that you think that spamcop reporting by email has > something to do with getting the virus or you have some reason for > thinking 'spamcop reports need to be scrambled' that I don't get. Actually, I got the impression that the OP's work server was taking some kind of eradication action on email reports to SC. If the spam was a phish, or had javascript, the work SMTP server quashed it instead of relaying it to SC. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From MikeE at ster.invalid Sun Oct 10 23:18:37 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 11 01:20:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: N. Miller wrote: > Actually, I got the impression that the OP's work server was taking > some kind of eradication action on email reports to SC. If the spam > was a phish, or had javascript, the work SMTP server quashed it > instead of relaying it to SC. Yeah, I didn't understand and I misinterpreted the first post and tho't he was nailed as an infected propagator, but that wasn't it. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Mon Oct 11 02:04:45 2004 From: nobody at spamcop.net (Tom) Date: Mon Oct 11 02:05:03 2004 Subject: [SpamCop-List] Re: Court Hits 'Spam' Envelope-Stuffing Scam References: Message-ID: On Sat, 09 Oct 2004 14:50:20 -0400, D.F. Manno wrote: >Well, you seem to be under the impression that the CAN-SPAM Act was >actually intended to stop spam. Not really. It was intended to "control" spam by requiring certain policies be followed. For those "legitimate" advertisers, it allowed them to at least hit everyone on a list once. 
That, of course, is still not acceptable, but at the very least, the recipient could "opt out" of the list. The problem is that spammers ignore even that much of the law (meeting the requirements) for various reasons, the major one of which, I believe, is to avoid having to listwash. It wouldn't take much for some really astute people to "seed" a list and then opt-out, watching for violations and then reporting them, nailing the spammers. This is one of the few instances where the "Spammers are stupid" law doesn't seem to have any relevance. Spammy seems to have totally avoided making use of any validation for mail lists by using the law against itself (probably because it would be relatively easy to prove that spammy was intentionally violating the law). My complaint is that the law hasn't had even that much effect and so almost 100 percent of all spam I now see into my old addresses totally ignores the requirements of the law, which makes for a meaningless law, since there appears to be almost no effort on the part of the LEOs to go after these U.S. based spammers, despite their use of overseas equipment and zombied Comcast machines. From nobody at spamcop.net Mon Oct 11 02:08:38 2004 From: nobody at spamcop.net (Tom) Date: Mon Oct 11 02:10:03 2004 Subject: [SpamCop-List] Re: AP News: China Offers Rewards for Reporting Porn References: Message-ID: On Sun, 10 Oct 2004 20:34:52 -0400, Christopher Fuhrman wrote: >I wonder how serious this whole thing is. Any comments? > >http://story.news.yahoo.com/news?tmpl=story&cid=562&e=2&u=/ap/china_porn_rewards The source of most porn spam is in Russia, not China. S.E. Asia holds to some strong religious-based moral standards at a political level. That doesn't apply to nightclubs and the "oldest profession" but as far as the "face" on the country is concerned, it is a big issue. Mao's philosophies failed to replace Buddha's. 
From nobody at spamcop.net Mon Oct 11 02:19:41 2004 From: nobody at spamcop.net (Tom) Date: Mon Oct 11 02:20:04 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: On Sun, 10 Oct 2004 12:29:44 -0700, Mike Easter wrote: >> Therefore, I send spam "as attachments," which simply forwards the >> offending email file without opening it. It has never failed. > >That works fine with OE. Some others have to do something else. Since I use Agent, I open the spam in the raw message format. Nothing is triggered, because I see only the source in that form (no html or anything else is executed), which I cut and paste into spamcop's web reporting system. From MikeE at ster.invalid Mon Oct 11 00:46:42 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 11 02:50:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: Tom wrote: > Mike Easter wrote: >>> Therefore, I send spam "as attachments," which simply forwards the >>> offending email file without opening it. It has never failed. >> >> That works fine with OE. Some others have to do something else. > > Since I use Agent, I open the spam in the raw message format. Nothing > is triggered, because I see only the source in that form (no html or > anything else is executed), which I cut and paste into spamcop's web > reporting system. Does that mean that it /isn't/ possible to use Agent's mail agent the same way as OE, to select an unopened mail item and 'forward as attachment' and have the structure^1 of the item work properly for the SC email submit method? What about if you've opened the item as described above, does the 'forward' [or forward as attachment] in Agent result in the email parser getting the item in the right configuration? 
Where the right configuration^1 or structure of what the submit address receives is - ^1 headers of submitter to spamcop saying multipart mixed boundary + mime boundary structure + mime msg/rfc822 attachment structure + complete headers and raw message format of the spam I can't see anything in the faq about whether Agent can email submit or not. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Oct 11 01:04:03 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 11 03:05:10 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: Mike Easter wrote: > I can't see anything in the faq about whether Agent can email submit > or not. Nor anything at Forte's site about Agent forwarding as attachment. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Mon Oct 11 02:38:06 2004 From: nobody at spamcop.net (RW) Date: Mon Oct 11 03:40:05 2004 Subject: [SpamCop-List] Re: How to remove from bl.spamcop.net References: <87fz4synwg.fsf@ursine.dyndns.org> <87acuz8fz3.fsf@ursine.dyndns.org> Message-ID: "Paul Johnson" wrote in message news:87acuz8fz3.fsf@ursine.dyndns.org... > When did it change? Never was 72. Was 7 days prior to moving to 48 hours. Richard From ric.gates at bigsleep.org Mon Oct 11 08:41:01 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Oct 11 03:45:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: On 10 Oct 2004 Mike Easter entered spamcop and left news:ckda5s$p6i$1@news.spamcop.net: > I can't see anything in the faq about whether Agent can email submit or > not. > My old version has a "Forward Verbatim" option that appears to forward a message as a message/rfc822 attachment, but it looks like it doesn't include all the headers. -- | Ric From nobody at spamcop.net Mon Oct 11 02:45:17 2004 From: nobody at spamcop.net (RW) Date: Mon Oct 11 03:50:02 2004 Subject: [SpamCop-List] Re: Changing Preferences..? References: Message-ID: "Larry J." 
wrote in message news:Xns957ECD94A7D0Clarryathome@216.154.195.61... > I've tried several times to change my non-functioning email address. > Each time, I get this as a confirmation: > > "Sending confirmation to xxxx@xxxxxx.com" <--- my new address > > "Confirmation email has been sent. Please check your mail to complete > confirmation. You must retrieve this confirmation email and respond > to it for your account to be activated." > > The address never gets the confirmation email, and SpamCop reverts > back to the non-functioning email address. Your mail server must be dropping SC messages for some reason. Send an email to Don at server at admin.spamcop.net. Once he establishes the account is yours he can change it with the admin screen. However, if your ISP is dropping this SC mail, your account will go dead if they bounce system mail to you later. Richard From e.schrama_NOSPAM at NOSPAM_hccnet.nl Mon Oct 11 10:53:16 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Mon Oct 11 03:55:02 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles In-Reply-To: References: Message-ID: Blammo wrote: > On 10 Oct 2004 geo_splash_12 entered spamcop and left > news:ckcao5$6v4$1@news.spamcop.net: > > >>I think the first one keeps a script that could have triggered a >>virusscanner, (again, it doesn't trigger my NAV). Phishing perhaps? >> > > > I don't see why, there's nothing in either of those, no Javascript, no MS > JScript, no MS JScript.Encode (which is used by a common virus). > > The URL encoding in the "BLOCK" is nothing but garbage. > My theory is that it is sufficient to cause confusion, two virus scanners say no, one says yes. Let me check with the DTO people what version and what scanner they are using. From nigel at -remove-awardsplus.co.uk Mon Oct 11 09:55:21 2004 From: nigel at -remove-awardsplus.co.uk (Nigel) Date: Mon Oct 11 04:00:03 2004 Subject: [SpamCop-List] Is there anything I can do to stop this? 
Message-ID: It seems that a major spammer using a Korean server is using random names at my domain name as the sender of their spam emails. I'm getting about 500 bounced emails a day from accounts over quota or now closed etc. The emails are for loans and point recipients towards money-deal.info (211.115.213.175). I have no idea why this spammer should have chosen to use my domain as the sender. I've checked the IP addresses of mail going out & it's coming from various compromised servers fortunately none of them belonging to me (actually if I did own them at least I could do something about it). I can obviously bounce emails for unknown users at my domain but are there any other suggestions about any way to stop this abuse? From porpoise1954 at yahoo.co.uk Mon Oct 11 10:33:32 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Mon Oct 11 04:35:03 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: "Mike Easter" wrote in message news:ckchbj$hk2$1@news.spamcop.net... > geo_splash_12 wrote: > <> > > Anyhow, you were trying to email SC quickreport spams and your office's > IT dude/tte sez you are trying to send out a virm according to their > ware. > > How, exactly, does that work? The server's virm identified email is > 'captured' by some kind of filter? And what kind of filter is that? > Exactly or precisely. And what does the filter do with the so identified > virm? Exactly. And, how does that result in an 'analysis' or human > oversight process by which 'they' say you are infected and you further > /agree/ that you were sending a virus? > > It would seem that the filter should be standing there holding this piece > of spam it is calling a viral propagation so that either you or the help > desk could say "No, that is not a viral propagation. That, sir or ma'am > as the case may be, is a piece of spam, I'm mailing somewhere. Tell your > filter to put its spectacles on." > > Unless we don't have the complete picture yet. 
>

C'mon Mike. Polish the crystal ball and get the old psychic powers working for god's sake! The suspense is killing me! ;-)

From ric.gates at bigsleep.org Mon Oct 11 09:54:10 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Mon Oct 11 04:56:23 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
References:
Message-ID:

On 11 Oct 2004 Nigel entered spamcop and left news:ckde9a$vue$1@news.spamcop.net:

> I can obviously bounce emails for unknown users at my domain

That's exactly the problem, you need to know the difference between "bounce" and "reject".

--
| Ric |

From MikeE at ster.invalid Mon Oct 11 03:37:19 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 11 05:40:22 2004
Subject: [SpamCop-List] Re: Spamcop reporting troubles
References:
Message-ID:

Porpoise wrote:
> C'mon Mike. Polish the crystal ball and get the old psychic powers
> working for god's sake! The suspense is killing me!

Speaking of crystal; it is not crystal clear to me yet exactly what happened -- whether the desk discovered a false positive virus alert triggered by the filter on one of the two items we've seen trackers here for or a real virus alert triggered by some other item we haven't seen yet.

It's nice that we've had all of these conversations about various things, but it would also be nice if we actually knew what we started talking about.

--
Mike Easter
kibitzer, not SC admin

From vincehoran at gmail.com Mon Oct 11 13:50:01 2004
From: vincehoran at gmail.com (Vince Horan)
Date: Mon Oct 11 07:50:32 2004
Subject: [SpamCop-List] Is there anything I can do to stop this?
In-Reply-To:
References:
Message-ID:

On Mon, 11 Oct 2004 08:55:21 +0100, Nigel wrote:
> It seems that a major spammer using a Korean server is using random names
> at my domain name as the sender of their spam emails. I'm getting about 500
> bounced emails a day from accounts over quota or now closed etc. The emails
> are for loans and point recipients towards money-deal.info
> (211.115.213.175).
>
> I have no idea why this spammer should have chosen to use my domain as the
> sender. I've checked the IP addresses of mail going out & it's coming from
> various compromised servers fortunately none of them belonging to me
> (actually if I did own them at least I could do something about it).
>
> I can obviously bounce emails for unknown users at my domain but are there
> any other suggestions about any way to stop this abuse?

Firstly it's not a major spammer, quite small fry really. However, this person is annoying as they are also using *my* employer's domain bandce.co.uk in from addresses, so as mail admin for the domain, I am seeing some 300 mail returned messages per day. The original campaign for money-deal.info and several others has finished, but they just started up on insidefinancial.net overnight. The target spamvertised web site is already down but the bounces keep coming.

Interestingly the registrations for the domains are in Winnipeg, MB. Different names but all quote the same phone number +1.2044804569 - anyone care to call em up? I am in the UK so no thanks

From b.vander.bent at chello.nl Mon Oct 11 15:15:07 2004
From: b.vander.bent at chello.nl (basalk)
Date: Mon Oct 11 08:20:04 2004
Subject: [SpamCop-List] Re: AP News: China Offers Rewards for Reporting Porn
References:
Message-ID:

According to news reports on the same subject in the Netherlands one of the people jailed was a 24 year old female student who ran a porn site. Spamvertising for porn sites in China is not unusual in my spam reports and I have the impression that China is more often in spam than Russia. Most of the people convicted, though, are people with views unwelcome to the Chinese government.

Bas

"Tom" wrote in message news:rn8km05ssnq37r020qvh7v7avclrhmhuae@4ax.com...
> On Sun, 10 Oct 2004 20:34:52 -0400, Christopher Fuhrman wrote:
>
>>I wonder how serious this whole thing is. Any comments?
>>
>>http://story.news.yahoo.com/news?tmpl=story&cid=562&e=2&u=/ap/china_porn_rewards
>
> The source of most porn spam is in Russia, not China. S.E. Asia holds
> to some strong religious-based moral standards at a political level.
> That doesn't apply to nightclubs and the "oldest profession" but as
> far as the "face" on the country is concerned, it is a big issue.
> Mao's philosophies failed to replace Buddha's.
>

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.773 / Virus Database: 520 - Release Date: 9-10-2004

From spamcop at 1bigthink.com Mon Oct 11 10:52:43 2004
From: spamcop at 1bigthink.com (spamcop)
Date: Mon Oct 11 10:02:09 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
In-Reply-To:
References:
Message-ID: <6.1.2.0.0.20041011095039.08932cd8@mx.1bigthink.com>

At 04:54 AM 10/11/2004, you wrote:
>On 11 Oct 2004 Nigel entered spamcop and left
>news:ckde9a$vue$1@news.spamcop.net:
>
> > I can obviously bounce emails for unknown users at my domain
>
>That's exactly the problem, you need to know the difference between
>"bounce" and "reject".
>
>--

In case you didn't "get" Blammo's message: Quit bouncing! You are generating the same amount of bandwidth usage as the spammer in bouncing their messages. Worse, it's not even going to them, it's going to the forged address; some other poor sap taking your sh*t and abuse now!

Cheers!

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. http://www.sng.ecs.soton.ac.uk/mailscanner/
Configuration by Glenn Parsons dnsadmin-at-1bigthink.com

From chance10 at verizon.net Mon Oct 11 11:42:26 2004
From: chance10 at verizon.net (gayle)
Date: Mon Oct 11 10:42:49 2004
Subject: [SpamCop-List]
Message-ID: <001401c4afa0$876974c0$2f01a8c0@DJGCYN31>

Please enter me on your list.

From nigel at deletethis.keeper.fsbusiness.co.uk Mon Oct 11 17:12:54 2004
From: nigel at deletethis.keeper.fsbusiness.co.uk (Nigel)
Date: Mon Oct 11 11:15:25 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
References:
Message-ID:

"spamcop" wrote in message news:mailman.268.1097503315.9607.spamcop-list@news.spamcop.net...
> In case you didn't "get" Blammo's message: Quit bouncing! You are
> generating the same amount of bandwidth usage as the spammer in bouncing
> their messages. Worse, it's not even going to them, it's going to the
> forged address; some other poor sap taking your sh*t and abuse now!
>
> Cheers!

No, you didn't read my message properly - I'm not bouncing anything. I am the poor sap taking the sh*t and abuse because others are bouncing the spam emails which have MY domain as the forged 'from' address...

From MikeE at ster.invalid Mon Oct 11 09:33:18 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Oct 11 11:35:04 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
References:
Message-ID:

Nigel wrote:
> getting about 500 bounced emails a day from accounts over quota or
> I can obviously bounce emails for unknown users at my domain but are

You can only reject them.

That word 'bounce' has a vague meaning. I think if it is to be used at all, it should be seen from the view of the legitimate /sender/ of a goodmail with no bogosity.

Then, from the sender's perspective, a bounce can be viewed as a 'hard bounce' - a notification by one's own mailserver or provider's mailserver that an attempt to send mail didn't work at all.

The business about a 'good' nonspam sender getting a newmail from some server about having accepted the mail for delivery but then the/a server deciding that it couldn't be delivered and initiating an entirely new mail 'back' to the good sender - which is referred to as a 'soft bounce' - is at the crux of the problem because of a world full of spams with bogus Froms.

If you are operating a server you should only 'permanently' accept the mails which you don't reject or temporize. So, if mails come to/for nonexistent usernames you have to permanently reject them during the transaction.

That is no kind of 'bounce' because my definition of bounce is something else which is above.

--
Mike Easter
kibitzer, not SC admin

From spamcop at 1bigthink.com Mon Oct 11 12:49:35 2004
From: spamcop at 1bigthink.com (spamcop)
Date: Mon Oct 11 11:48:21 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
In-Reply-To:
References:
Message-ID: <6.1.2.0.0.20041011114426.0756a840@mx.1bigthink.com>

At 11:12 AM 10/11/2004, you wrote:
>"spamcop" wrote in message
>news:mailman.268.1097503315.9607.spamcop-list@news.spamcop.net...
> > In case you didn't "get" Blammo's message: Quit bouncing! You are
> > generating the same amount of bandwidth usage as the spammer in bouncing
> > their messages. Worse, it's not even going to them, it's going to the
> > forged address; some other poor sap taking your sh*t and abuse now!
> >
> > Cheers!
>
>No, you didn't read my message properly - I'm not bouncing anything. I am
>the poor sap taking the sh*t and abuse because others are bouncing the spam
>emails which have MY domain as the forged 'from' address...
>

AhRGH! My apologies (and my sympathies)!

Have you any filtering software to help pick it out? You could filter based on some expected or predictable bounce subjects.

I would certainly be contacting the admins who are responsible for the bounces!

Good Luck!

Glenn

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. http://www.sng.ecs.soton.ac.uk/mailscanner/
Configuration by Glenn Parsons dnsadmin-at-1bigthink.com

From nigel at deletethis.keeper.fsbusiness.co.uk Mon Oct 11 18:04:11 2004
From: nigel at deletethis.keeper.fsbusiness.co.uk (Nigel)
Date: Mon Oct 11 12:05:04 2004
Subject: [SpamCop-List] Is there anything I can do to stop this?
References:
Message-ID:

"Vince Horan" wrote in message news:mailman.267.1097495416.9607.spamcop-list@news.spamcop.net...
> Firstly it's not a major spammer, quite small fry really. However, this
> person is annoying as they are also using *my* employer's domain
> bandce.co.uk in from addresses, so as mail admin for the domain, I am
> seeing some 300 mail returned messages per day. The original campaign
> for money-deal.info and several others has finished, but they just
> started up on insidefinancial.net overnight. The target spamvertised
> web site is already down but the bounces keep coming.
>
> Interestingly the registrations for the domains are in Winnipeg, MB.
> Different names but all quote the same phone number +1.2044804569 -
> anyone care to call em up? I am in the UK so no thanks

Oh well, at least I'm not the only one - that makes me feel better . The money-deal.info site went down for a bit last week, then came back again but now seems to have gone. But, as you say the problem doesn't stop because now I'm just getting all the bounces for their new insidefinancial.net site. The registered address for the domains are genuine places in Winnipeg (Winnipeg Arena & Planetarium) but it's my guess the phone number is entirely fake.

From Merlyn at Spamcop.net Mon Oct 11 13:13:44 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Mon Oct 11 12:15:03 2004
Subject: [SpamCop-List] Is there anything I can do to stop this?
References:
Message-ID:

"Nigel" wrote in message news:ckeatr$do9$1@news.spamcop.net...
>
> Oh well, at least I'm not the only one - that makes me feel better .
> The money-deal.info site went down for a bit last week, then came back
> again but now seems to have gone. But, as you say the problem doesn't stop
> because now I'm just getting all the bounces for their new
> insidefinancial.net site. The registered address for the domains are
> genuine places in Winnipeg (Winnipeg Arena & Planetarium) but it's my
> guess the phone number is entirely fake.

Nigel looks like your MySql server is open for anyone to setup including adding a usercode/password.

See: http://awardsplus.co.uk or http://awardsplus.co.uk/pgm-configure.php

I assume you know about this..........

--
Regards, Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From fred558 at bobames.com Mon Oct 11 19:14:40 2004
From: fred558 at bobames.com (Bob Ames)
Date: Mon Oct 11 12:15:15 2004
Subject: [SpamCop-List] BBCNEWS: Call for global action on spam
Message-ID: <416AB170.5080908@bobames.com>

http://news.bbc.co.uk/2/hi/technology/3733864.stm

> Only more global co-operation will help stop the scourge
> of spam, say experts.
>
> ANTI-SPAM HINTS
> [...]
> If an e-mail looks doubtful, delete it

REPORT IT!

How can we get the spamcop.net Spam Reporting Service popularized with the mass media?

Bob (use bob at this domain to reach me)

Don't Send Any Email To:

From nobody at xyzzy.claranet.de Mon Oct 11 20:36:55 2004
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Mon Oct 11 13:40:22 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
References:
Message-ID: <416AC4B7.660B@xyzzy.claranet.de>

Nigel wrote:

> I am the poor sap taking the sh*t and abuse because others
> are bouncing the spam emails which have MY domain as the
> forged 'from' address...

Publish a sender policy (SPF) for the abused domain, then the spammer can't reach mailers supporting SPF.

Any spam rejected with a SPF result FAIL means one spam less in the inbox of a user resp. one bounce less for you if the user is over quota, on vacation, out of office, whatever, you know this crap.

Bye, Frank

From agent01413 at my-deja.com Mon Oct 11 13:05:30 2004
From: agent01413 at my-deja.com (Socks the white house cat)
Date: Mon Oct 11 14:05:08 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
References:
Message-ID:

Pausing only once for breath, "Nigel" said:

>
> "spamcop" wrote in message
> news:mailman.268.1097503315.9607.spamcop-list@news.spamcop.net...
>> In case you didn't "get" Blammo's message: Quit bouncing! You are
>> generating the same amount of bandwidth usage as the spammer in
>> bouncing their messages. Worse, it's not even going to them, it's
>> going to the forged address; some other poor sap taking your sh*t and
>> abuse now!
>>
>> Cheers!
>
> No, you didn't read my message properly - I'm not bouncing anything. I
> am the poor sap taking the sh*t and abuse because others are bouncing
> the spam emails which have MY domain as the forged 'from' address...
>

Since the spammer is asserting that you are the author of the message (by using your address), they are also asserting that you are the copyright owner of the message. DMCA doesn't require an active court case to subpoena identities.

IANAL

From ric.gates at bigsleep.org Mon Oct 11 19:05:03 2004
From: ric.gates at bigsleep.org (Blammo)
Date: Mon Oct 11 14:10:04 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
References:
Message-ID:

On 11 Oct 2004 spamcop entered spamcop and left news:mailman.268.1097503315.9607.spamcop-list@news.spamcop.net:

> At 04:54 AM 10/11/2004, you wrote:
>>On 11 Oct 2004 Nigel entered spamcop and left
>>news:ckde9a$vue$1@news.spamcop.net:
>>
>> > I can obviously bounce emails for unknown users at my domain
>>
>>That's exactly the problem, you need to know the difference between
>>"bounce" and "reject".
>>
>>--
>
> In case you didn't "get" Blammo's message: Quit bouncing!

No, I meant "you" in the plural sense, they are causing the problem because they don't know the difference either.

--
| Ric |

From nobody at spamcop.net Mon Oct 11 20:05:43 2004
From: nobody at spamcop.net (John McLusky)
Date: Mon Oct 11 14:10:15 2004
Subject: [SpamCop-List] Re: BBCNEWS: Call for global action on spam
References: <416AB170.5080908@bobames.com>
Message-ID:

Bob Ames wrote:
> http://news.bbc.co.uk/2/hi/technology/3733864.stm
>
>> Only more global co-operation will help stop the scourge
>> of spam, say experts.
>>
>> ANTI-SPAM HINTS
>> [...]
>> If an e-mail looks doubtful, delete it
>
> REPORT IT!
>
> How can we get the spamcop.net Spam Reporting Service popularized
> with the mass media?

1. Better to delete it than open it!

2. Do we really want a whole flood of people joining SpamCop and reporting everything that comes their way? I would rather see SpamCop stay roughly the size it is with quality reports than get people joining via mass media and providing bad reports.

I would like to have seen a 'don't click on Unsubscribe links' tip on that article, though.

John.

From bjtexas at hotmale.com Mon Oct 11 15:00:40 2004
From: bjtexas at hotmale.com (BJ)
Date: Mon Oct 11 15:05:09 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

Ivan Leo Puoti wrote:
>> We already know what you think,
> And I believe I have a right to explain why I think what I
> think.

Nobody asked for your opinion, you asked for theirs.

From hee.haw at jack.ass Mon Oct 11 16:20:19 2004
From: hee.haw at jack.ass (DC)
Date: Mon Oct 11 15:25:03 2004
Subject: [SpamCop-List] Shooting Blanks?
Message-ID:

I notice that right after I report a "blank" spam I get deluged with a ton of spam and have to re-re-re-recalibrate my spam filters.

Are these blanks some sort of ping to see if my email is valid? Should I bounce them to avoid the deluge?

TIA

--
Six Scents
http://tinyurl.com/4hfm2

From not at home.today Mon Oct 11 21:24:55 2004
From: not at home.today (Ant)
Date: Mon Oct 11 15:30:03 2004
Subject: [SpamCop-List] Error: "couldn't parse head"
Message-ID:

http://www.spamcop.net/sc?id=z681430848zdadacb6d34a2a6aa4e9bb3c2bb8e30f5z

This is a "bad" spam which causes the parser to miss the links, and directs me to the "Problems with spam not in original format" page. However, it still allows me to report the sender. The spam renders fine in OE 5.5, and the two links are active.

The message given is:
"error: couldn't parse head"
"Message body parser requires full, accurate copy of message"

The problem is after the boundary before the html:

=== spam snippet ===
------=_NextPart_000_00YC_07N5783LG_08R.821O74M0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Sarah
Message-ID: <416AE52B.FDF39E60@gmx.net>

DC wrote:
>
> I notice that right after I report a "blank" spam I get deluged with a ton
> of spam and have to re-re-re-recalibrate my spam filters.
>
> Are these blanks some sort of ping to see if my email is valid? Should I
> bounce them to avoid the deluge?
>
> TIA
>
> --
> Six Scents
> http://tinyurl.com/4hfm2

Bouncing is not a good idea: The "From" and "Reply-To" addresses are forged, in most cases, so innocent bystanders are annoyed by your bounce.

BTW, bouncing is not the same as when the mailserver refuses to accept a mail.

HTH, Toni

From kenbrody at spamcop.net Mon Oct 11 17:10:42 2004
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Mon Oct 11 16:15:03 2004
Subject: [SpamCop-List] netspend.biz
Message-ID: <416AE8C2.47B0CB08@spamcop.net>

I got some spam supposedly telling me that money had been deposited into my netspend.biz account. (Not that I've ever heard of them before, of course.) Out of curiosity, I tried to see what was on their site (using SamSpade for safety) and was greeted with:

    This directNIC Free Hosting account has been terminated due
    to a violation of the directNIC Free Hosting Terms of Service.

:-)

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+

From Merlyn at Spamcop.net Mon Oct 11 17:20:45 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Mon Oct 11 16:25:08 2004
Subject: [SpamCop-List] Re: netspend.biz
References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

"Kenneth Brody" wrote in message news:416AE8C2.47B0CB08@spamcop.net...
>I got some spam supposedly telling me that money had been deposited into
> my netspend.biz account. (Not that I've ever heard of them before, of
> course.) Out of curiosity, I tried to see what was on their site (using
> SamSpade for safety) and was greeted with:
>
> This directNIC Free Hosting account has been terminated due
> to a violation of the directNIC Free Hosting Terms of Service.
>
> :-)

Well he got his name correct when he registered. Looks like he lives in a very deserving city too.

Domain Name: NETSPEND.BIZ
Domain ID: D7893454-BIZ
Sponsoring Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Sponsoring Registrar IANA ID: 291
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: IMG-629742
Registrant Name: frick fruck
Registrant Organization: etrade
Registrant Address1: 16090 Address
Registrant City: fuck
Registrant State/Province: IL
Registrant Postal Code: 60030
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.6786786678
Registrant Email:
Administrative Contact ID: IMG-629742
Administrative Contact Name: frick fruck
Administrative Contact Organization: etrade
Administrative Contact Address1: 16090 Address
Administrative Contact City: fuck
Administrative Contact State/Province: IL
Administrative Contact Postal Code: 60030
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.6786786678
Administrative Contact Email:
Billing Contact ID: IMG-629742
Billing Contact Name: frick fruck
Billing Contact Organization: etrade
Billing Contact Address1: 16090 Address
Billing Contact City: fuck
Billing Contact State/Province: IL
Billing Contact Postal Code: 60030
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.6786786678
Billing Contact Email:
Technical Contact ID: IMG-629742
Technical Contact Name: frick fruck
Technical Contact Organization: etrade
Technical Contact Address1: 16090 Address
Technical Contact City: fuck
Technical Contact State/Province: IL
Technical Contact Postal Code: 60030
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.6786786678
Technical Contact Email:
Name Server: NS0.DIRECTNIC.COM
Name Server: NS1.DIRECTNIC.COM
Created by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Last Updated by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A.
DIRECTNIC.COM
Domain Registration Date: Wed Oct 06 07:31:10 GMT 2004
Domain Expiration Date: Wed Oct 05 23:59:59 GMT 2005
Domain Last Updated Date: Mon Oct 11 18:01:04 GMT 2004

--
Regards, Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

Merlyn wrote:
[snip]

NG Attachment Nazi on lines 6, 8 & 14.

I'm shocked that you would post an attachment to this froup. Shocked, I tell you.

--
Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution.

From Merlyn at Spamcop.net Mon Oct 11 17:29:03 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Mon Oct 11 16:30:15 2004
Subject: [SpamCop-List] Re: netspend.biz
References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

"Graeme Leith" wrote in message news:ckeq8n$66j$2@news.spamcop.net...
> Merlyn wrote:
> [snip]
>
> NG Attachment Nazi on lines 6, 8 & 14.
>
> I'm shocked that you would post an attachment to this froup. Shocked, I
> tell you.
>

WOW, you know me better than that....... Not sure where that came from...

I will try to delete the post and resend without. Thanks.......

--
Regards, Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From glnews030922 at highspot.net Mon Oct 11 22:34:26 2004
From: glnews030922 at highspot.net (Graeme Leith)
Date: Mon Oct 11 16:35:03 2004
Subject: [SpamCop-List] Re: netspend.biz
In-Reply-To:
References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

Merlyn wrote:

> I will try to delete the post and resend without. Thanks.......

NP. ;-)

--
Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution.

From Merlyn at Spamcop.net Mon Oct 11 17:32:48 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Mon Oct 11 16:35:14 2004
Subject: [SpamCop-List] Re: netspend.biz
References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

"Graeme Leith" wrote in message news:ckeqiv$66j$3@news.spamcop.net...
> Merlyn wrote:
>
>> I will try to delete the post and resend without. Thanks.......
>
> NP. ;-)
>

OK, It's Gone I will repost!

--
Regards, Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From Merlyn at Spamcop.net Mon Oct 11 17:35:11 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Mon Oct 11 16:40:03 2004
Subject: [SpamCop-List] Re: netspend.biz
References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

"Kenneth Brody" wrote in message news:416AE8C2.47B0CB08@spamcop.net...
>I got some spam supposedly telling me that money had been deposited into
> my netspend.biz account. (Not that I've ever heard of them before, of
> course.) Out of curiosity, I tried to see what was on their site (using
> SamSpade for safety) and was greeted with:
>
> This directNIC Free Hosting account has been terminated due
> to a violation of the directNIC Free Hosting Terms of Service.
>
> :-)
>

Reposted due to technical difficulties.......

Well he got his name correct when he registered. Looks like he lives in a very deserving city too.

Domain Name: NETSPEND.BIZ
Domain ID: D7893454-BIZ
Sponsoring Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Sponsoring Registrar IANA ID: 291
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Registrant ID: IMG-629742
Registrant Name: frick fruck
Registrant Organization: etrade
Registrant Address1: 16090 Address
Registrant City: fuck
Registrant State/Province: IL
Registrant Postal Code: 60030
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.6786786678
Registrant Email:
Administrative Contact ID: IMG-629742
Administrative Contact Name: frick fruck
Administrative Contact Organization: etrade
Administrative Contact Address1: 16090 Address
Administrative Contact City: fuck
Administrative Contact State/Province: IL
Administrative Contact Postal Code: 60030
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.6786786678
Administrative Contact Email:
Billing Contact ID: IMG-629742
Billing Contact Name: frick fruck
Billing Contact Organization: etrade
Billing Contact Address1: 16090 Address
Billing Contact City: fuck
Billing Contact State/Province: IL
Billing Contact Postal Code: 60030
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.6786786678
Billing Contact Email:
Technical Contact ID: IMG-629742
Technical Contact Name: frick fruck
Technical Contact Organization: etrade
Technical Contact Address1: 16090 Address
Technical Contact City: fuck
Technical Contact State/Province: IL
Technical Contact Postal Code: 60030
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.6786786678
Technical Contact Email:
Name Server: NS0.DIRECTNIC.COM
Name Server: NS1.DIRECTNIC.COM
Created by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Last Updated by Registrar: INTERCOSMOS MEDIA GROUP, INC. D.B.A. DIRECTNIC.COM
Domain Registration Date: Wed Oct 06 07:31:10 GMT 2004
Domain Expiration Date: Wed Oct 05 23:59:59 GMT 2005
Domain Last Updated Date: Mon Oct 11 18:01:04 GMT 2004

--
Regards, Merlyn
A Spamcop advocate
No emails this account is for newsgroups only
People demand freedom of speech to make up for the freedom of thought which they avoided

From glnews030922 at highspot.net Mon Oct 11 22:43:09 2004
From: glnews030922 at highspot.net (Graeme Leith)
Date: Mon Oct 11 16:45:03 2004
Subject: [SpamCop-List] Re: netspend.biz
In-Reply-To:
References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

Merlyn wrote:

> OK, It's Gone I will repost!

It was a small PNG file. It probably got snagged along with the text in your copy from the web site.

--
Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution.

From Merlyn at Spamcop.net Mon Oct 11 17:42:12 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Mon Oct 11 16:45:16 2004
Subject: [SpamCop-List] Re: netspend.biz
References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

"Graeme Leith" wrote in message news:cker38$8te$1@news.spamcop.net...
> Merlyn wrote:
>
>> OK, It's Gone I will repost!
>
> It was a small PNG file. It probably got snagged along with the text in
> your copy from the web site.
>

Thanks Graeme!

--
Regards, Merlyn

From puoti at inwind.it Mon Oct 11 23:31:02 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Mon Oct 11 17:40:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
In-Reply-To:
References:
Message-ID:

> Nobody asked for your opinion, you asked for theirs.

They questioned what I was doing, so I explained why I was doing it. Is there something you don't like about that?

Ivan.
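
Added example, not part of any message in this archive: the reject-versus-bounce distinction and the SPF suggestion from the "Is there anything I can do to stop this?" thread, modelled in Python from the receiving mail server's side. The users, domains, addresses and the SPF record are constructed, and the SPF evaluator is a simplification that handles only the ip4, ip6 and all mechanisms.

```python
import ipaddress

# Constructed sample data (not from the thread): documentation address
# ranges and example domains stand in for real hosts.
LOCAL_USERS = {"alice@example.org", "bob@example.org"}
SPF_RECORDS = {"forged.example": "v=spf1 ip4:192.0.2.0/28 -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of one SPF record.

    Simplification: mechanisms that need DNS (a, mx, include, exists, ptr)
    and modifiers (redirect=, exp=) are skipped, so this is not a full check.
    """
    terms = record.split() if record else []
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip in network:  # False when address families differ
                return QUALIFIERS[qualifier]
    return "neutral"


def smtp_transaction(policy, client_ip, mail_from, rcpt_to):
    """Return (reply given to the connecting client, bounce destination or None)."""
    unknown = rcpt_to.lower() not in LOCAL_USERS
    if policy == "reject":
        # Refuse inside the SMTP session. No new message is created here; a
        # legitimate sender is told of the failure by their own mail server.
        domain = mail_from.rpartition("@")[2].lower()
        if spf_result(SPF_RECORDS.get(domain), client_ip) == "fail":
            return "550 5.7.1 SPF fail for " + domain, None
        if unknown:
            return "550 5.1.1 no such user", None
        return "250 2.1.5 OK", None
    # "accept-then-bounce": answer 250 to everything, then mail a delivery
    # failure to the envelope sender, which in a spam run is forged.
    return "250 2.1.5 OK", (mail_from if unknown else None)


def spam_run(policy):
    """Replay a constructed spam run from one compromised host."""
    zombie = "203.0.113.50"  # outside forged.example's published ip4 range
    attempts = [
        ("x7k2@forged.example", "alice@example.org"),
        ("q9zz@forged.example", "nobody@example.org"),
        ("m3v1@forged.example", "closed-account@example.org"),
    ]
    results = [smtp_transaction(policy, zombie, s, r) for s, r in attempts]
    replies = [reply for reply, _ in results]
    backscatter = [dest for _, dest in results if dest]
    return replies, backscatter


if __name__ == "__main__":
    for policy in ("accept-then-bounce", "reject"):
        replies, backscatter = spam_run(policy)
        print(policy, replies, "bounces mailed to:", backscatter)
```

Under "accept-then-bounce" the owner of the forged domain receives a bounce for every unknown recipient; under "reject" the same run produces none, and the SPF record additionally keeps the spam out of the one valid mailbox.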

From kenbrody at spamcop.net Mon Oct 11 19:26:52 2004
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Mon Oct 11 18:30:04 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
References:
Message-ID: <416B08AC.8F431162@spamcop.net>

Nigel wrote:
>
> It seems that a major spammer using a Korean server is using random names
> at my domain name as the sender of their spam emails. I'm getting about 500
> bounced emails a day from accounts over quota or now closed etc. The emails
> are for loans and point recipients towards money-deal.info
> (211.115.213.175).
>
> I have no idea why this spammer should have chosen to use my domain as the
> sender. I've checked the IP addresses of mail going out & it's coming from
> various compromised servers fortunately none of them belonging to me
> (actually if I did own them at least I could do something about it).
>
> I can obviously bounce emails for unknown users at my domain but are there
> any other suggestions about any way to stop this abuse?

Unfortunately, there's not much you can do beyond waiting a couple of days until the spammer picks someone else's domain name to forge.

That, and if possible, remove the "catch-all" address you have, so that all e-mails to unknown users at your domain will be rejected (not "bounced", as others will tell you, that's "bad"). That way, at least you'll stop getting all of those bounces to fake addresses.

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+

From rcarlton at spamcop.net Mon Oct 11 19:18:40 2004
From: rcarlton at spamcop.net (Rick Carlton)
Date: Mon Oct 11 21:20:20 2004
Subject: [SpamCop-List] Re: netspend.biz
In-Reply-To:
References: <416AE8C2.47B0CB08@spamcop.net>
Message-ID:

Karsten Self posted about them on Saturday...

http://groups.google.com/groups?q=%22netspend.biz%22&hl=en&lr=&selm=E1CGX0R-0008LF-00%40localhost&rnum=1

From nigel at -remove-awardsplus.co.uk Tue Oct 12 09:30:07 2004
From: nigel at -remove-awardsplus.co.uk (Nigel)
Date: Tue Oct 12 03:35:22 2004
Subject: [SpamCop-List] Re: Is there anything I can do to stop this?
References: <416B08AC.8F431162@spamcop.net>
Message-ID:

Thanks for the replies & suggestions. Sorry I used the term 'bounce' incorrectly - I knew what I meant :) Watch my lips, not what I write.

I've been waiting several weeks for this spammer to choose another 'sent from domain' - I'm still waiting. I'll reorganize the way I handle mail to improve the situation.

Nigel

"Kenneth Brody" wrote in message news:416B08AC.8F431162@spamcop.net...
>
> Unfortunately, there's not much you can do beyond waiting a couple of days
> until the spammer picks someone else's domain name to forge.
>
> That, and if possible, remove the "catch-all" address you have, so that
> all
> e-mails to unknown users at your domain will be rejected (not "bounced",
> as
> others will tell you, that's "bad"). That way, at least you'll stop
> getting
> all of those bounces to fake addresses.
>
> --
> +-------------------------+--------------------+-----------------------------+
> | Kenneth J. Brody | www.hvcomputer.com |
> |
> | kenbrody/at\spamcop.net | www.fptech.com | #include
> |
> +-------------------------+--------------------+-----------------------------+
>
>

From jld1 at cam.ac.uk Tue Oct 12 11:28:52 2004
From: jld1 at cam.ac.uk (John Dawson)
Date: Tue Oct 12 05:30:22 2004
Subject: [SpamCop-List] Cyveillance again ...
Message-ID:

...

[quote]IndyMedia seems most concerned with one part of the article which states: "Last year, Cyveillance was able to inform a UK high street bank that one of its branches in the city of London was being targeted by May Day protesters, and tell it which window the activists were planning to throw a bomb through."

To boldly state such an unlikely event as fact is daft in the extreme. There has been no suggestion of a bomb threat at the May Day event or any previous anti-capitalist march, and Muir's claim that he told a bank not only about a bomb but also which exact window it would be put through stretches his credibility to breaking point.[/quote]

...

http://www.theregister.co.uk/2001/09/07/activists_slam_cyveillance_may_day/

From MikeE at ster.invalid Tue Oct 12 07:37:16 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 12 09:40:21 2004
Subject: [SpamCop-List] Re: Cyveillance again ...
References:
Message-ID:

John Dawson wrote:
> http://www.theregister.co.uk/2001/09/07/activists_slam_cyveillance_may_day/

Unfortunately that article is based on two articles, the first of which appeared in the Guardian http://media.guardian.co.uk/mediaguardian/story/0,7558,545786,00.html and which requires an email confirmed registration to access; and the response to which appeared in IndyMedia, http://www.uk.indymedia.org/display.php3?article_id=10751 which is a broken link, probably because IndyMedia is being 'attacked' and disrupted by having its servers confiscated and such.

IndyMedia is accessible, but I didn't dig to try to recreate a good link.

You Brits and your anti-capitalism activism, the anti-Cyveillance Yank sed goodnaturedly, from the right shore of the big pond, instead of the left shore of the little pond. ;-)

Hmm. Before too much offbeat confusion slips in here, us Pacific Rimmers refer to the Atlantic as the little pond and the US as its left shore, because of the old 'Atlantic-centrism' which referred to US-Europe as being across the pond from each other.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 12 07:55:37 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 12 09:55:03 2004
Subject: [SpamCop-List] Re: Cyveillance again ...
References: Message-ID: Mike Easter wrote: > John Dawson wrote: >> > http://www.theregister.co.uk/2001/09/07/activists_slam_cyveillance_may_day/ > > Unfortunately that article is based on two articles, The fact that the article itself is over 3 years old, 2001 Sep 7, makes it all the more difficult. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Tue Oct 12 16:17:25 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Oct 12 10:20:10 2004 Subject: [SpamCop-List] Coffee's on! What are u waiting for? Message-ID: This tracker is for a spam received apparently from a server with no name: Someone using their own smtp server? http://www.spamcop.net/sc?id=z680634793z023a7cf4234fadcfc19165c5a521b83fz This is the result of a DNS search on the IP: http://www.dnsstuff.com/tools/whois.ch?ip=64.65.215.26 with a further link to here http://www.dnsstuff.com/tools/whois.ch?ip=!NET-64-65-215-0-1&server=whois.arin.net From MikeE at ster.invalid Tue Oct 12 08:24:58 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 10:25:03 2004 Subject: [SpamCop-List] Re: Cyveillance again ... References: Message-ID: Mike Easter wrote: > which is a broken link, probably because IndyMedia is being 'attacked' > and disrupted by having its servers confiscated and such. Players: US, UK, Italy, Switzerland vs Independent Media Center Playing field: Rackspace's London offices where the indymedia servers were seized Rulebook: MLAT - Mutual Legal Assistance Treaty Allegedly the US FBI, working with its UK cohorts, issued the seizure subpoena at the behest of a 'third country' - presumably something to do with Italy and Switzerland. The Swiss say are investigating something and will say what Tuesday today. The Italians say they will make a press release Thu. The MLAT is supposed to be about counter-terrorism, kidnapping, money laundering and such. 
Indymedia naturally has services all over the world and has been disrupted and is trying to figure out what is going on and doesn't even know where its servers are. Various US interests, including the EFF, Electronic Freedom Foundation, are also wondering what's up. Rackspace, based in San Antonio, ain't sayin' nothin' because of the conditions of the court order. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Oct 12 08:41:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 10:45:04 2004 Subject: [SpamCop-List] Re: Coffee's on! What are u waiting for? References: Message-ID: Porpoise wrote: > This tracker is for a spam received apparently from a server with no > name: Someone using their own smtp server? > www.spamcop.net/sc?id=z680634793z023a7cf4234fadcfc19165c5a521b83fz Abbreviated Received tracelines *comment from [216.47.224.11] by mxng09.kundenserver.de *mailhost from unknown (64.65.215.26) by gra-smtp3-sun.choiceone.net *sourceline, insecure 64.65.215.10 rDNS mgmt.choiceone.net listed in db/s; tests positive for port 80 http post insecurity. The insecurity evidence goes direct; this spam appears to be from a choiceone IP, which SC sez is a mailhost for you: Hostname verified: gra-smtp3-sun.choiceone.net Hostname verified: mgmt.choiceone.net Similar spams can be seen in sightings, eg one sourced from 213.203.197.115 rDNS 115.197.203.213.rev.plexline.net which is also listed for a port 80 http post insecurity. So, maybe the spammer for those gevalia^1 guys prefers that style of spamming. 
^1 http://pws.prserv.net/Gevalia/Automatic101.htm - spamvertised -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Tue Oct 12 16:42:31 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Oct 12 10:45:16 2004 Subject: [SpamCop-List] Cannot resolve http://www.broadcastemailingtoday.biz/unsub.html Message-ID: Cannot resolve in this spam: http://www.spamcop.net/sc?id=z681625421zfa856b3e0fb500770eb3a6c8f38a48d2z Doing a DNS on brings up: http://www.dnsstuff.com/tools/whois.ch?ip=broadcastemailingtoday.biz Is this bulletproof hosting at work? From MikeE at ster.invalid Tue Oct 12 08:54:52 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 10:55:02 2004 Subject: [SpamCop-List] Re: Coffee's on! What are u waiting for? References: Message-ID: Mike Easter wrote: > which SC sez is a mailhost for you: > > Hostname verified: gra-smtp3-sun.choiceone.net > Hostname verified: mgmt.choiceone.net After looking at another one of yours, I gather that that 'SC language' doesn't actually /mean/ that is a mailhost for you. SC sometimes speaks with forked tongue. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Oct 12 09:04:04 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 11:05:04 2004 Subject: [SpamCop-List] Re: Cannot resolve http://www.broadcastemailingtoday.biz/unsub.html References: Message-ID: Porpoise wrote: > Cannot resolve in this spam: > www.spamcop.net/sc?id=z681625421zfa856b3e0fb500770eb3a6c8f38a48d2z broadcastingemailtoday.biz doesn't resolve; ie there isn't a DNS, so it 'doesn't work' > Doing a DNS on brings up: That below is not a 'DNS' - that is a lookup on the domainname. > http://www.dnsstuff.com/tools/whois.ch?ip=broadcastemailingtoday.biz That thing that you used at dnsstuff is the whois which will work one way on an IP and another way on a domainname. 
If you are going to work at dnsstuff, you should find out if the domainname resolves over at another gizmo http://www.dnsstuff.com/tools/lookup.ch?name=broadcastingemailtoday.biz&type=A Actually, I prefer to look for 'plain' DNS on a domainname with SS pers. > Is this bulletproof hosting at work? They've lost their nameservice. That is a good thing. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Tue Oct 12 17:29:50 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Oct 12 11:35:04 2004 Subject: [SpamCop-List] Re: Coffee's on! What are u waiting for? References: Message-ID: "Mike Easter" wrote in message news:ckgr4v$e5n$1@news.spamcop.net... > Mike Easter wrote: > > which SC sez is a mailhost for you: > > > > Hostname verified: gra-smtp3-sun.choiceone.net > > Hostname verified: mgmt.choiceone.net > > After looking at another one of yours, I gather that that 'SC language' > doesn't actually /mean/ that is a mailhost for you. SC sometimes speaks > with forked tongue. > > -- > Mike Easter > kibitzer, not SC admin > I was just about to fire one back at you saying "Ain't my host!" when I saw you had posted this response to your previous post... ;-) From porpoise1954 at yahoo.co.uk Tue Oct 12 17:32:48 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Oct 12 11:35:18 2004 Subject: [SpamCop-List] Re: Cannot resolve http://www.broadcastemailingtoday.biz/unsub.html References: Message-ID: "Mike Easter" wrote in message news:ckgrm8$f2p$1@news.spamcop.net... > Porpoise wrote: > > Cannot resolve in this spam: > > > www.spamcop.net/sc?id=z681625421zfa856b3e0fb500770eb3a6c8f38a48d2z > > broadcastingemailtoday.biz doesn't resolve; ie there isn't a DNS, so it > 'doesn't work' > > > Doing a DNS on brings up: > > That below is not a 'DNS' - that is a lookup on the domainname. Picky, picky.......... Domain Name Search? 
;-) > > > http://www.dnsstuff.com/tools/whois.ch?ip=broadcastemailingtoday.biz > > That thing that you used at dnsstuff is the whois which will work one way > on an IP and another way on a domainname. If you are going to work at > dnsstuff, you should find out if the domainname resolves over at another > gizmo > > http://www.dnsstuff.com/tools/lookup.ch?name=broadcastingemailtoday.biz&type=A > > Actually, I prefer to look for 'plain' DNS on a domainname with SS pers. > > > Is this bulletproof hosting at work? > > They've lost their nameservice. That is a good thing. Aha!..... So have they effectively had their legs kicked out from under them then? > > > > -- > Mike Easter > kibitzer, not SC admin > From d*r*i*c*h*t*e*r at e*s*s*i.f*r*****without*asterisks**** Tue Oct 12 18:45:03 2004 From: d*r*i*c*h*t*e*r at e*s*s*i.f*r*****without*asterisks**** (Dan) Date: Tue Oct 12 11:50:03 2004 Subject: [SpamCop-List] Is there anything I can do to stop this? In-Reply-To: References: Message-ID: > Interestingly the registrations for the domains are in Winnipeg, MB. > Different names but all quote the same phone number +1.2044804569 - > anyone care to call em up? I am in the UK so no thanks No, but a reverse lookup on the phone number suggests that it doesn't exist (see http://www.yellowpages.ca ). This guy did a pretty good job: the city name, province name, postal code and phone number correspond. (It's in Canada, not the U.S.) In addition, the street names used to register both domains exist in that city. However, as I said, the phone number appears to not exist. This might simply mean that it's unlisted, but insidefinancial.net is registered in the name of a company, and a company wouldn't logically use an unlisted phone number. I reported insidefinancial.net to its registrar using ICANN's WHOIS reporting form: http://wdprs.internic.net/ However, I couldn't find enough evidence to prove that money-deal.info is fake, so I didn't report it. Still, one out of two isn't bad. 
We'll see if the registrar, who obviously can't contact the owner using fake data, cancels the domain. -- They've signed me up for every advertising campaign and mailing list there is. These people are out of their minds. They're harassing me. - spam tycoon Alan Ralsky, who was signed up for tons of (paper) junk mail after publicly proclaiming that he had no regrets about his spam empire. From MikeE at ster.invalid Tue Oct 12 10:01:50 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 12:05:05 2004 Subject: [SpamCop-List] Re: Cannot resolve http://www.broadcastemailingtoday.biz/unsub.html References: Message-ID: Porpoise wrote: > "Mike Easter" >> Porpoise wrote: >>> Doing a DNS on brings up: >> >> That below is not a 'DNS' - that is a lookup on the domainname. > > Picky, picky.......... Domain Name Search? ;-) Actually, messing around with that item is interesting. You got information at dnsstuff that sez that netsol is the registrar, but it also sez that the information is cached and old, and you can access fresher information; but fresher still sez the domainname is registered. But, I'm getting different information everywhere I look, whois.biz, whois.neulevel.biz, whois.nic.biz, geektools, - none of them have it; so I went to netsol. NetSol sez the domainname is available; so not only did they lose their nameservice, they also lost their domainname. broadcastingemailtoday.biz is available. Aha! I see the problem. We [or you or I] are confusing two different domainnames. The actual original spam sez: http://www.emailtoday2004.com which resolves fine, and has a remove http://www.broadcastemailingtoday.biz/unsub.html which doesn't resolve --- notice the words: broadcast + emailing + today but, you sed Porpoise wrote: > Doing a DNS on brings up: which is made out of the words: broadcasting + email + today which is what I started working with, rather than the proper domainname, and that name isn't even registered. 
However, the 'real' spam remove domainname, broadcastemailingtoday.biz - is registered, it just doesn't resolve to an IP address. -- Mike Easter kibitzer, not SC admin From spamcop at oitc.com Tue Oct 12 14:13:19 2004 From: spamcop at oitc.com (spamcop) Date: Tue Oct 12 13:15:08 2004 Subject: [SpamCop-List] Anyone know earthlink outbound IP? Message-ID: Spamcop is blocking earthlink outbound mail 207.217.121.184 listed in bl.spamcop.net (127.0.0.2) Would like to get mail from clients and friends so a server list would be good. Tom From MikeE at ster.invalid Tue Oct 12 11:40:53 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 13:40:25 2004 Subject: [SpamCop-List] Re: Anyone know earthlink outbound IP? References: Message-ID: spamcop wrote: > Spamcop is blocking earthlink outbound mail Spamcop doesn't block anything. SC provides a free and paid parsing and reporting service, maintains the SCbl derived from spamsource reports therefrom, and provides a subscribed mailservice with spamtagging based on various criteria defined by the individual subscriber. A great many servers and individuals use spamblocking filters based on dnsbl/s - especially the scbl - as an aid to block the spam which is coming in to them. > 207.217.121.184 listed in bl.spamcop.net (127.0.0.2) SC: System has sent mail to SpamCop spam traps in the past week - It has been listed for 34 hours. That IP is also extremely busy spewing out huge amounts of excess traffic/spam Senderbase report, 10x increase over normal. Report on IP address: 207.217.121.184 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day 5.5 10567% Last 30d 4.6 1215% Average 3.5 use monofont for columns 207.217.121.184 rDNS pop-a065c10.pas.sa.earthlink.net > Would like to get mail from clients and friends so a server list > would be good. 
There are also a lot of other IPs in that neighborhood with SC reports: Other hosts in this "neighborhood" with spam reports 207.217.120.228 207.217.120.246 207.217.120.247 207.217.121.183 207.217.121.247 207.217.121.248 207.217.121.249 207.217.121.251 207.217.121.252 207.217.121.254 -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Oct 12 11:51:25 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 13:50:03 2004 Subject: [SpamCop-List] Re: Anyone know earthlink outbound IP? References: Message-ID: spamcop wrote: Subject: Anyone know earthlink outbound IP? > Would like to get mail from clients and friends so a server list > would be good. I don't understand the question. I use EL's smtpauth.earthlink.net for my outgoing EL mail, but that doesn't control what IP it is going out. That smtpauth resolves to 8 different IPs which take the mail in from the EL [and other domains] subscribers 207.217.121.156 207.217.121.157 207.217.121.150 207.217.121.151 207.217.121.152 207.217.121.153 207.217.121.154 207.217.121.155 and then it goes out however it goes out. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Oct 12 11:58:06 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 14:00:03 2004 Subject: [SpamCop-List] Re: Anyone know earthlink outbound IP? References: Message-ID: Mike Easter wrote: > Spamcop doesn't block anything. For some reason when I posted that I tho't I was replying in an EL support group. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Oct 12 15:15:30 2004 From: nobody at spamcop.net (Ellen) Date: Tue Oct 12 14:25:03 2004 Subject: [SpamCop-List] Re: Anyone know earthlink outbound IP? References: Message-ID: "spamcop" wrote in message news:BD9188EF.D819%spamcop@oitc.com... > Spamcop is blocking earthlink outbound mail > > 207.217.121.184 listed in bl.spamcop.net (127.0.0.2) > > Would like to get mail from clients and friends so a server list would be > good. 
> > Tom There are a couple or so apparent EL pop servers listed -- we have written to EL to try to resolve this problem. Ellen From Merlyn at Spamcop.net Tue Oct 12 16:17:47 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Oct 12 15:20:06 2004 Subject: [SpamCop-List] Re: Anyone know earthlink outbound IP? References: Message-ID: "spamcop" wrote in message news:BD9188EF.D819%spamcop@oitc.com... > Spamcop is blocking earthlink outbound mail > > 207.217.121.184 listed in bl.spamcop.net (127.0.0.2) > > Would like to get mail from clients and friends so a server list would be > good. > Earthlink has a spam problem. Talk to your earthlink support person and point them to: http://www.spamhaus.org/sbl/listings.lasso?isp=earthlink.net -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From spamcop at oitc.com Tue Oct 12 16:24:43 2004 From: spamcop at oitc.com (spamcop) Date: Tue Oct 12 15:25:03 2004 Subject: [SpamCop-List] Re: Anyone know earthlink outbound IP? References: Message-ID: Yes, Mike. I misspoke. All I meant was that the IP was listed in the bl and I was hoping to locate outbound mailserver IPs so I could whitelist them on my system and hope that spamassassin will stop the spam that comes through which is what we do for AOL Tom On 10/12/04 1:40 PM, in article ckh4s8$tat$1@news.spamcop.net, "Mike Easter" wrote: > spamcop wrote: >> Spamcop is blocking earthlink outbound mail > > Spamcop doesn't block anything. SC provides a free and paid parsing and > reporting service, maintains the SCbl derived from spamsource reports > therefrom, and provides a subscribed mailservice with spamtagging based > on various criteria defined by the individual subscriber. > > A great many servers and individuals use spamblocking filters based on > dnsbl/s - especially the scbl - as an aid to block the spam which is > coming in to them. 
> >> 207.217.121.184 listed in bl.spamcop.net (127.0.0.2) > > SC: System has sent mail to SpamCop spam traps in the past week - It has > been listed for 34 hours. > > That IP is also extremely busy spewing out huge amounts of excess > traffic/spam > > Senderbase report, 10x increase over normal. > > Report on IP address: 207.217.121.184 > Volume Statistics for this IP > Magnitude Vol Change vs. Average > Last day 5.5 10567% > Last 30d 4.6 1215% > Average 3.5 > use monofont for columns > > 207.217.121.184 rDNS pop-a065c10.pas.sa.earthlink.net > >> Would like to get mail from clients and friends so a server list >> would be good. > > There are also a lot of other IPs in that neighborhood with SC reports: > > Other hosts in this "neighborhood" with spam reports > 207.217.120.228 207.217.120.246 207.217.120.247 207.217.121.183 > 207.217.121.247 207.217.121.248 207.217.121.249 207.217.121.251 > 207.217.121.252 207.217.121.254 > > From MikeE at ster.invalid Tue Oct 12 13:32:09 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 15:35:03 2004 Subject: [SpamCop-List] Re: Anyone know earthlink outbound IP? References: Message-ID: Merlyn wrote: > Earthlink has a spam problem. Talk to your earthlink support person > and point them to: > http://www.spamhaus.org/sbl/listings.lasso?isp=earthlink.net Most of the spamhaus stuff is about the insecurity of some individual IPs and hitting honeypots and such. What is even worse, in some ways, is the fact that we 'rap' about listed EL /servers/ for weeks at a time in the same newsgroups which occasionally show the appearance of some EL tech admin about some other issue, not spam. That is, an EL server may be listed on several bl/s - some of which only require that you click off of them - others of which would require EL to look at the server's logs and probably kill an EL subscriber account whose username + pw have been used to access an smtpauth EL server and spam from a non-EL IP. 
It'll be interesting [except probably only Ellen will sense what happens] to see what becomes of the fact that there is some kind of dialog between SC & EL. I know that once upon a time an EL abusedesk person showed up here, but there are many ways that EL doesn't take care of business about keeping itself off of listings. It would seem that a big provider should take care of business better than that. They're not comcast or RR, but some things seem pretty sloppy. -- Mike Easter kibitzer, not SC admin From Merlyn at Spamcop.net Tue Oct 12 16:39:18 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Oct 12 15:40:03 2004 Subject: [SpamCop-List] Re: Anyone know earthlink outbound IP? References: Message-ID: "Mike Easter" wrote in message news:ckhbcr$8ab$1@news.spamcop.net... > Merlyn wrote: >> Earthlink has a spam problem. Talk to your earthlink support person >> and point them to: >> http://www.spamhaus.org/sbl/listings.lasso?isp=earthlink.net > > Most of the spamhaus stuff is about the insecurity of some individual IPs > and hitting honeypots and such. [snippage] > It would seem that a big provider should take care of business better > than that. They're not comcast or RR, but some things seem pretty > sloppy. All of those are Spamhaus (SBL) and not XBL. A couple of those Spamhaus blocks are ROKSO listed spammers including a hijacked block on earthlink. and yes I agree with you :-) -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From me at privacy.net Tue Oct 12 20:41:46 2004 From: me at privacy.net (Michael R N Dolbear) Date: Tue Oct 12 15:45:02 2004 Subject: [SpamCop-List] Is there anything I can do to stop this? References: Message-ID: <01c4b075$7c9f66a0$LocalHost@default> Vince Horan wrote [...] > Interestingly the registrations for the domains are in Winnipeg, MB. 
> Different names but all quote the same phone number +1.2044804569 - > anyone care to call em up? I am in the UK so no thanks Calling that number is probably a waste of time and money at any price, but it can cost you < 10p from the UK. See http://www.telediscount.co.uk/accessnumbers.php (UK internal long distance too !) or niftylist http://www.niftylist.co.uk/ for the latest offers from all suppliers. subscribe to the Usenet uk.telecom NG if telecoms prices interest you. -- Mike D From Merlyn at Spamcop.net Tue Oct 12 16:57:53 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Oct 12 16:00:02 2004 Subject: [SpamCop-List] Re: Is there anything I can do to stop this? References: Message-ID: "Nigel" wrote in message news:ckde9a$vue$1@news.spamcop.net... > It seems that a major spammer using a Korean server is using random names > at my domain name as the sender of their spam emails. I'm getting about > 500 bounced emails a day from accounts over quota or now closed etc. The > emails are for loans and point recipients towards money-deal.info > (211.115.213.175). > > I have no idea why this spammer should have chosen to use my domain as the > sender. I've checked the IP addresses of mail going out & it's coming from > various compromised servers fortunately none of them belonging to me > (actually if I did own them at least I could do something about it). > > I can obviously bounce emails for unknown users at my domain but are there > any other suggestions about any way to stop this abuse? > Nigel, I just want to let you know if you own the domain in your above email addy you used then you probably also know you are blocked by much of the internet. Even though your mail servers are not located with them you are still supporting spammers or spam supporting hosts. awardsplus.co.uk is hosted by NetTransactions, LLC See: http://spews.org/html/S2485.html 66.55.128.0/20, NetTransactions / netlabs.net (ASN'd - Reach feed) (not related to netblock stealing spammer hosts?) 
Hopefully you can find another non-spamming host to give your money to. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From igsmith at spamcop.net Tue Oct 12 22:14:14 2004 From: igsmith at spamcop.net (Ian Smith) Date: Tue Oct 12 16:15:03 2004 Subject: [SpamCop-List] Is there anything I can do to stop this? In-Reply-To: <01c4b075$7c9f66a0$LocalHost@default> References: <01c4b075$7c9f66a0$LocalHost@default> Message-ID: Michael R N Dolbear wrote: > Vince Horan wrote > [...] > >>Interestingly the registrations for the domains are in Winnipeg, MB. >>Different names but all quote the same phone number +1.2044804569 - >>anyone care to call em up? I am in the UK so no thanks > > > Calling that number is probably a waste of time and money at any price, > but it can cost you < 10p from the UK. By <10p I assume you mean 1p! http://www.call18866.co.uk/ regards Ian Smith From someone at msn.com Tue Oct 12 18:21:24 2004 From: someone at msn.com (news.concentric.net) Date: Tue Oct 12 17:20:27 2004 Subject: [SpamCop-List] Get off the list. Message-ID: I installed GFI mail essentials, and the NDR for the black list generated 100's of mails of which all were detected as spam and now mail is sparse. I have stopped it, but what do I do now, the web site is very poor on help. I just need to get mail back online. It seems to be a shame that blocking spam gets me on the list. From Merlyn at Spamcop.net Tue Oct 12 18:25:24 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Oct 12 17:30:03 2004 Subject: [SpamCop-List] Re: Get off the list. References: Message-ID: "news.concentric.net" wrote in message news:ckhhns$ipv$1@news.spamcop.net... >I installed GFI mail essentials, and the NDR for the black list generated > 100's of mails of which all were detected as spam and now mail is sparse. 
> I > have stopped it, but what do I do now, the web site is very poor on help. > I > just need to get mail back online. It seems to be a shame that blocking > spam gets me on the list. > You did not block spam! You sent a non delivery notice to innocent victims and spam traps. You spammed them. If that is your only problem you will be delisted within 48 hours from the last spam report. 205.158.121.242 listed in bl.spamcop.net (127.0.0.2) Causes of listing System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) Additional potential problems (these factors do not directly result in spamcop listing) Listing History In the past 241.2 days, it has been listed 3 times for a total of 19.6 days You are also in other blocklists. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Tue Oct 12 15:32:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 17:35:03 2004 Subject: [SpamCop-List] Re: Get off the list. References: Message-ID: news.concentric.net wrote: > I installed GFI mail essentials, and the NDR for the black list > generated 100's of mails of which all were detected as spam and now > mail is sparse. That's not clear, but I'm wondering if you are talking about sending out fake NDRs http://www.gfi.com/mes/mesfeatures.htm - Other features: Fake non-delivery reports (NDRs) > I have stopped it, but what do I do now, the web > site is very poor on help. 
Actually, I tho't the website was pretty good about support http://www.gfi.com/mes/mesfeatures.htm - left column links Essentials Overview Features Screenshots Pricing How to buy Download Full eval Freeware In-depth Manual Brochure/datasheet Product tour Product news Reviews Testimonials White papers Freeware Support Support Center Forums FAQ/KBase LiveSupport >I just need to get mail back online. It > seems to be a shame that blocking spam gets me on the list. Blocking spam is blocking spam. 'Spamming' innocent bogus Froms with abusive bogus NDRs will get you blocked as abusive. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Oct 12 17:50:32 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Oct 12 17:55:02 2004 Subject: [SpamCop-List] Re: Get off the list. References: Message-ID: "Mike Easter" wrote in message news:ckhifb$k41$1@news.spamcop.net... > > > I have stopped it, but what do I do now, the web > > site is very poor on help. > > Actually, I tho't the website was pretty good about support I'm guessing the OP was actually complaining about the SpamCop website. Between the freshly painted web pages there and the web-forum stuff though, it's a bit hard to go with the simple "poor on help" description. Obviously, posting in these newsgroups doesn't do any good From Merlyn at Spamcop.net Tue Oct 12 19:04:06 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Oct 12 18:05:03 2004 Subject: [SpamCop-List] Re: Get off the list. References: Message-ID: "WazoO" wrote in message news:ckhjj8$lsk$1@news.spamcop.net... > "Mike Easter" wrote in message > news:ckhifb$k41$1@news.spamcop.net... >> >> > I have stopped it, but what do I do now, the web >> > site is very poor on help. 
>> >> Actually, I tho't the website was pretty good about support > > Obviously, posting in these newsgroups > doesn't do any good > Especially if it is not the help group and they are spamming -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Tue Oct 12 16:08:38 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 18:10:03 2004 Subject: [SpamCop-List] Re: Get off the list. References: Message-ID: Mike Easter wrote: > Actually, I tho't the website was pretty good about support I suppose he meant the SC "web site is very poor on help" rather than the GFI one - which isn't true either. I tho't I would look into the GFI manual to see what kind of warning is given about bogus NDRs - figuring that it couldn't possibly be as bad as MW's hype of that 'feature' - flaw. Unfortunately, the GFI manual doesn't give adequate warning about its abusiveness either, it doesn't hype, but definitely fails to include the advice that hardly any spam qualifies as a candidate for a fake NDR: The Generate Non Delivery Report (NDR) feature allows You to create a fake Non Delivery Report (NDR). This will cause most bulk mailing software to remove your address from their database. In addition you can use this feature to notify the sender that his email has been considered spam. This feature can be handy to use whilst in initial training phase. Note: If you wish you can customize the NDR. Go to the chapter Miscellaneous options for more information on this. Very poor. -- Mike Easter kibitzer, not SC admin From Merlyn at Spamcop.net Tue Oct 12 19:17:46 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Tue Oct 12 18:20:03 2004 Subject: [SpamCop-List] Re: Get off the list. References: Message-ID: "Mike Easter" wrote in message news:ckhki8$njr$1@news.spamcop.net... 
> Mike Easter wrote: >> Actually, I tho't the website was pretty good about support > > I suppose he meant the SC "web site is very poor on help" rather than the > GFI one - which isn't true either. > > I tho't I would look into the GFI manual to see what kind of warning is > given about bogus NDRs - figuring that it couldn't possibly be as bad as > MW's hype of that 'feature' - flaw. > > Unfortunately, the GFI manual doesn't give adequate warning about its > abusiveness either, it doesn't hype, but definitely fails to include the > advice that hardly any spam qualifies as a candidate for a fake NDR: > > > The Generate Non Delivery Report (NDR) feature allows You to > create a fake Non Delivery Report (NDR). This will cause most > bulk mailing software to remove your address from their database. > In addition you can use this feature to notify the sender that his > email has been considered spam. This feature can be handy to > use whilst in initial training phase. If that info is publicly available about their product then that must qualify as the "truth in advertising" thingy. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From porpoise1954 at yahoo.co.uk Wed Oct 13 01:59:00 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Oct 12 20:00:20 2004 Subject: [SpamCop-List] Re: Cannot resolve http://www.broadcastemailingtoday.biz/unsub.html References: Message-ID: "Mike Easter" wrote in message news:ckgv2h$kfn$1@news.spamcop.net... > Porpoise wrote: > > "Mike Easter" > >> Porpoise wrote: > > >>> Doing a DNS on brings up: > >> > >> That below is not a 'DNS' - that is a lookup on the domainname. > > > > Picky, picky.......... Domain Name Search? ;-) > > Actually, messing around with that item is interesting. 
You got > information at dnsstuff that sez that netsol is the registrar, but it > also sez that the information is cached and old, and you can access > fresher information; but fresher still sez the domainname is registered. > > But, I'm getting different information everywhere I look, whois.biz, > whois.neulevel.biz, whois.nic.biz, geektools, - none of them have it; so > I went to netsol. > > NetSol sez the domainname is available; so not only did they lose their > nameservice, they also lost their domainname. > > broadcastingemailtoday.biz is available. > > Aha! I see the problem. We [or you or I] are confusing two different > domainnames. > > The actual original spam sez: > > http://www.emailtoday2004.com > > which resolves fine, and has a remove > > http://www.broadcastemailingtoday.biz/unsub.html > > which doesn't resolve --- notice the words: broadcast + emailing + today > > but, you sed > > Porpoise wrote: > > Doing a DNS on brings up: > > which is made out of the words: broadcasting + email + today > > which is what I started working with, rather than the proper domainname, > and that name isn't even registered. > > However, the 'real' spam remove domainname, broadcastemailingtoday.biz - > is registered, it just doesn't resolve to an IP address. > > -- > Mike Easter > kibitzer, not SC admin Phew! Gets complicated huh? From MikeE at ster.invalid Tue Oct 12 18:14:14 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 20:15:03 2004 Subject: [SpamCop-List] Re: Cannot resolve http://www.broadcastemailingtoday.biz/unsub.html References: Message-ID: Porpoise wrote: > Phew! Gets complicated huh? I think you can keep it simple. I usually don't even notify for removes. I usually don't do anything with the domainname registration, unless I take a notion to. So, I notify for the source and usually don't go upstream for that even if they are refractory, nonresponsive, ie spews or spamhaus listed. 
I notify for the spamvertiser based on RiR/abuse.net, usually doing nothing about domainname and/but go upstream asn adjacency if that IP is spewed or spamhaused unless it is something like .cn or .kr. As I sed, I don't notify removes, so that saves one little step. -- Mike Easter kibitzer, not SC admin From kenn at nesbitt.com Tue Oct 12 18:40:05 2004 From: kenn at nesbitt.com (Kenn Nesbitt) Date: Tue Oct 12 20:45:03 2004 Subject: [SpamCop-List] I want my two dollars! Message-ID: I added $2.00 "fuel" to create a 1Mb test account. PayPal shows that the money has been deducted from my PayPal account, but I never received a receipt from SpamCop and the $2.00 has not been credited to my account. What's up with this? I can't find any way to contact SpamCop (other than snailmail and this forum) to ask them to credit the $2.00 to my account. --Kenn From MikeE at ster.invalid Tue Oct 12 18:46:10 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 20:45:16 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: Message-ID: Kenn Nesbitt wrote: > I added $2.00 "fuel" to create a 1Mb test account. PayPal shows that > the money has been deducted from my PayPal account, but I never > received a receipt from SpamCop and the $2.00 has not been credited > to my account. Naturally I don't have the answer to your plight; but PayPal has been in a big mess lately. They did some kind of upgrade recently and it screwed them all up. I'm sure a deputy will come along shortly and tell you the email addy to communicate. > What's up with this? I can't find any way to contact SpamCop (other > than snailmail and this forum) to ask them to credit the $2.00 to my > account. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Oct 12 21:48:40 2004 From: nobody at spamcop.net (Ellen) Date: Tue Oct 12 20:50:03 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: Message-ID: "Kenn Nesbitt" wrote in message news:ckhth4$5dk$1@news.spamcop.net... 
> I added $2.00 "fuel" to create a 1Mb test account. PayPal shows that > the money has been deducted from my PayPal account, but I never received > a receipt from SpamCop and the $2.00 has not been credited to my account. > > What's up with this? I can't find any way to contact SpamCop (other > than snailmail and this forum) to ask them to credit the $2.00 to my > account. > > --Kenn I forwarded your post to Don at service@admin.spamcop.net who will be in touch with you. Ellen SpamCop From MikeE at ster.invalid Tue Oct 12 18:55:56 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 12 20:55:04 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: Message-ID: Mike Easter wrote: > PayPal has > been in a big mess lately. They did some kind of upgrade recently > and it screwed them all up. Slashdot discussion http://slashdot.org/article.pl?sid=04/10/12/0255227&tid=95&tid=1 Paypal Grinds To A Halt Posted by timothy on Monday October 11, @11:05PM from the get-your-pal-to-pay dept. BillBrasky writes "After a 'Monthly Software Update', it appears that PayPal started having problems^1. There were reports all weekend of troubles, and as of Monday night here, I can't access it at all (connection time out). One user even reported^2 that his PayPal Debit card was getting refused!" A message on the site now says the site is expected to be back at 8:10 PM PDT, not long from now. ^1 http://biz.yahoo.com/ap/041011/paypal_outage_1.html ^2 http://www.otwa.com/community/showpost.php?p=139780&postcount=5 ... and then, of course, there are the chronic situations which people like to talk about at paypalsucks http://www.paypalsucks.com -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Oct 12 21:51:52 2004 From: nobody at devnull.spamcop.net (Cat) Date: Tue Oct 12 21:55:23 2004 Subject: [SpamCop-List] Re: Get off the list. 
In-Reply-To: References: Message-ID: news.concentric.net wrote: > It seems to be a shame that blocking > spam gets me on the list. Um, blocking spam isn't what got you on SpamCop's block list. Please do not claim that you were added just for blocking spam. Sending block notices to forged addresses of innocent bystanders is what got you blocked. I do not understand how you did not realize that sending out block notices to forged addresses would cause problems. -Cat SpamCop user, not an admin From nobody at spamcop.dev.null.net Wed Oct 13 03:40:49 2004 From: nobody at spamcop.dev.null.net (Nobody) Date: Wed Oct 13 03:45:07 2004 Subject: [SpamCop-List] Re: citibank citi card phishing References: Message-ID: <416CDC01.6EE50422@spamcop.dev.null.net> waldo kitty wrote: > > 209.239.37.192 is phishing for citibank's citi card infos... the IP > belongs to our old old friends at alabanza up in maryland... > I don't get it. Aren't they exposing themselves to prosecution for wire fraud? Why would anyone do something so stupid, entirely within a jurisdiction that is likely to land on them like a ton of bricks? It seems they're wandering right up the Secret Service FCD's alley with tags hanging out of their pockets that say, "please arrest me, I'm obnoxious and stupid and am breaking your laws." Regards, Michael From b.vander.bent at chello.nl Wed Oct 13 11:02:15 2004 From: b.vander.bent at chello.nl (basalk) Date: Wed Oct 13 04:05:04 2004 Subject: [SpamCop-List] Did spamcop made an error? Message-ID: I got this mail today, and I only report what Spamcop is advising me. : This email address is for reporting incidents of abuse coming from IP addresses registered to Charter Communications. Abuse from IP addresses not registered to Charter Communications should be directed to the registered owners of the IP address in question.
The following link should be of assistance in locating the organization responsible for the IP address: http://www.arin.net/whois Thank you, Charter High-Speed Internet Security Team # # # From: 1263928295@reports.spamcop.net To: abuse@charter.net Date: Tue, 12 Oct 2004 23:38:15 +0200 Subject: [SpamCop (68.191.62.124) id:1263928295]-Refinance TODAY- as low as 3.98% [Part 0 (plain text)] [ SpamCop V1.379 ] This message is brief for your comfort. Please use links below for details. Email from 68.191.62.124 / Tue, 12 Oct 2004 23:38:15 +0200 http://www.spamcop.net/w3m?i=z1263928295ze9b4c30069d927ee44870b4c1b87803az 68.191.62.124 is open proxy, see: http://www.spamcop.net/mky-proxies.html [ Offending message ] Return-Path: Received: from modusdormiendi.de (pc-68-191-62-124.newt1.ct.charter.com [68.191.62.124]) by s016.interlize.net (8.12.11/8.12.8) with SMTP id i9CLcD3N032062 for ; Tue, 12 Oct 2004 23:38:15 +0200 Message-ID: <890d______________________3437@modusdormiendi.de> From: "Rosanna Boone" To: x Subject: -Refinance TODAY- as low as 3.98% Date: Tue, 12 Oct 2004 22:59:40 +0000 MIME-Version: 1.0 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 8bit Status: Hey

Would you REFlNANCE if you knew you'd SAVE TH0USANDS?

We'll get you lnterest as low as 3.92%.

Don't believe me? Fill out our small online form and we'll show you how.

Get the house and/or car you always wanted, it only takes 2 minutes of your time:
----->check it out<----- What happened? Bas --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.773 / Virus Database: 520 - Release Date: 11-10-2004 From nobody at spamcop.dev.null.net Wed Oct 13 05:35:33 2004 From: nobody at spamcop.dev.null.net (Nobody) Date: Wed Oct 13 05:40:23 2004 Subject: [SpamCop-List] Who Is This Spammer? How'd He Get/Build My ISP's Member List? Message-ID: <416CF6E5.AD918E6B@spamcop.dev.null.net> Folks, I've been getting spammed at my ISP address, which I usually guard closely (fewer than 5 spams per month until June). The flow started in June, about six or seven a week (I know, that's not big-league), and I checked back very closely to see whether I'd accidentally compromised my e-mail address with newsgroups posts (I use Netscape, with munged headers as per SpamCop or other newsgroup's usage, as a dedicated mail client in text-only mode). Unless Spammy went through my home ISP's usergroups and manually unmunged my username and URL, he got access to a bunch of e-mail addresses all at once (the AOL caper comes to mind) and began spamming them all immediately, about the first week of June. He chops the userlist (or username list, better) into segments with about six or seven names and then either sends to all of the names in the small group, or he sends to one name and either cc's or bcc's the rest. I've just started filtering on a long list of usernames and the flow has dropped off a bit, but now he's sending his sludge directly to me, and at least one e-mail sent to a filtered username got through my filter (which was set at the ISP's server). 
The spamvertised content can be pretty nasty (I've been sent porn featuring underage kids, but fortunately I've blocked the IMG SRC lines and any web beacons by going offline before handling any spam, so I didn't get the spew shoved in my face -- that stuff goes off to an anti-kiddieporn .ORG as well as the FTC), but usually it's run-of-the-mill mortgage, shrinkwrap software, prescription drugs, and phony university "degree" programs. In the last couple of months I've also received a couple of criminal phishes, which go to Secret Service Financial Crimes Division (with a "no financial loss" disclaimer); earlier tonight I got one purporting to come from SunTrust, which parsed on SpamCop as coming from SunTrust. The links looked good. I also sometimes get offered a list of local housewives who are just dying for me to call on them and slake their lust. Yeah, right. Usually the spams are text or text with some HTML. About one in five is Base 64. The sender and bounce addresses are randomly-generated "@hotmail/yahoo"; I haven't yet detected anything intended to collect bounces or otherwise qualify the addresses on the address list other than the usual unsubscribe line. I haven't yet seen a clear .GIF file. That prompts me to think Spammy knows the info on his address CD is golden. Here are links to a few of my recent reports: http://www.spamcop.net/sc?id=z681815727zac8df666c59401baa5baf12adf5052d4z http://www.spamcop.net/sc?id=z681678768z222813f30b6c3df445600a2dce2d754fz http://www.spamcop.net/sc?id=z680298186zb432a41459c2d4e34702c6b74140cd83z http://www.spamcop.net/sc?id=z679682344zc448fd5a9535a621c18b798f42046de5z http://www.spamcop.net/sc?id=z681904857zcf512a72e72ff5df081fe1482db9796cz I am intrigued with internal evidence in one spam that suggested that the sender was local to my area (the .GIF file had been given the name of a local university sports mascot). 
The thought crossed my mind that the mailing list had been compromised at the local ISP (repeated e-mails to their admins and board members -- it's a usergroup-supported ISP -- went thunderously unanswered), or that someone locally had somehow penetrated their security to obtain a list of usernames. The ISP/league may have taken the attitude that, since Postini offers us spamblocking and virus-filtering service for (a very nominal) $2/month, anyone who is too cheap to front the $2 deserves everything he gets. Can anyone identify who the spammer(s) might be from the parsed headers in the reports linked above? I'd be very appreciative. Michael From nobody at devnull.spamcop.net Wed Oct 13 05:37:39 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Oct 13 05:40:44 2004 Subject: [SpamCop-List] Re: Did spamcop made an error? References: Message-ID: "basalk" wrote in message news:ckine7$b96$1@news.spamcop.net... > I got this mail today, and I only report what Spamcop is advising me. : > > This email address is for reporting incidents of abuse coming from IP > addresses registered to Charter Communications. Abuse from IP addresses > not registered to Charter Communications should be directed to the > registered owners of the IP address in question. > > The following link should be of assistance in locating the organization > responsible for the IP address: > > http://www.arin.net/whois > > Thank you, > > Charter High-Speed Internet Security Team > > http://www.spamcop.net/w3m?i=z1263928295ze9b4c30069d927ee44870b4c1b87803az > 68.191.62.124 is open proxy, see: http://www.spamcop.net/mky-proxies.html > What happened? You got smacked by the thunderclap caused by someone either pushing the wrong "send an idiotic response message to this whiner" or someone that can't use the same tool that he/she is suggesting that you use ..... 
10/13/04 04:31:27 IP block 68.191.62.124 Trying 68.191.62.124 at ARIN Trying 68.191.62 at ARIN Charter Communications CHARTER-NET-7BLK (NET-68-184-0-0-1) 68.184.0.0 - 68.191.255.255 Charter Communications NWT-CT-68-191-32 (NET-68-191-32-0-1) 68.191.32.0 - 68.191.63.255 # ARIN WHOIS database, last updated 2004-10-12 19:10 From nobody at spamcop.net Wed Oct 13 07:00:24 2004 From: nobody at spamcop.net (Ellen) Date: Wed Oct 13 06:20:03 2004 Subject: [SpamCop-List] Re: Did spamcop made an error? References: Message-ID: "basalk" wrote in message news:ckine7$b96$1@news.spamcop.net... > I got this mail today, and I only report what Spamcop is advising me. : > > This email address is for reporting incidents of abuse coming from IP > addresses registered to Charter Communications. Abuse from IP addresses > not registered to Charter Communications should be directed to the > registered owners of the IP address in question. > > The following link should be of assistance in locating the organization > responsible for the IP address: > > http://www.arin.net/whois > > > Thank you, > > Charter High-Speed Internet Security Team > > # # # > > From: 1263928295@reports.spamcop.net > To: abuse@charter.net > Date: Tue, 12 Oct 2004 23:38:15 +0200 > Subject: [SpamCop (68.191.62.124) id:1263928295]-Refinance TODAY- as low as > 3.98% > Charter seems to have forgotten what their IPs are ... if you want to forward their whole message with headers to deputies spamcop.net I will write to them -- probably just a matter of someone sending the wrong boilerplate. Or you can just ignore the whole thing ...
Ellen From nobody at xyzzy.claranet.de Wed Oct 13 13:24:09 2004 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Oct 13 06:30:03 2004 Subject: [SpamCop-List] Re: Error: "couldn't parse head" References: Message-ID: <416D0249.7C09@xyzzy.claranet.de> Ant wrote: > === spam snippet === > ------=_NextPart_000_00YC_07N5783LG_08R.821O74M0 > Content-Type: text/html; > charset="us-ascii" > Content-Transfer-Encoding: quoted-printable > Sarah > > === /spam snippet === > Removing the "Sarah" line fixes the error You could probably also add an empty line (CrLf) before "Sarah". I tried to test this, but with mailhosts SC won't allow me to parse foreign spam (sigh). > I'm not sure if the parser should be expected to handle this It's essentially the same problem as an invalid header in the 2822-headers. The SC parser must abort the identification of _further_ headers in this case. OTOH it could use as many headers as it has, and treat the line "Sarah" and the following lines as body of the text/html part. That strategy might be good enough for multipart headers, but it would be dangerous for 2822 headers, If you have something like... | MIME-Version: 1.0 | Sarah | Content-Type: text/html ...then you'd miss the important text/html if you treat "Sarah" as the begin of a "normal" (= text/plain) body. IMHO it's better if the SC parser errs on the conservative side for all 2822 problems. In one of my scripts I look for lines starting with space or Tab (=> folded header), "Content-" (=> potential multipart header), empty line (=> end of headers), "--" (=> potential boundary, that's a hack only relevant for my script), or other rubbish (=> abort multipart recognition, same idea as with SC). SC's parser _must_ reliably work for both multipart/digest and multipart/mixed, because that's the format of spam submissions by mail (with more than one spam). For your case SC would need a special parser only used to find more links in multipart spam. 
IMHO it's better if SC never tries to emulate OE bugs, it's a can of worms :-( Bye, Frank From usenet1 at DE.LETE.THISljvideo.com Wed Oct 13 11:38:40 2004 From: usenet1 at DE.LETE.THISljvideo.com (Larry J.) Date: Wed Oct 13 06:40:03 2004 Subject: [SpamCop-List] Re: Changing Preferences..? References: Message-ID: Waiving the right to remain silent, "RW" said: > Your mail server must be dropping SC messages for some reason. > Send an email to Don at server at admin.spamcop.net. Once he > establishes the account is yours he can change it with the > admin screen. Thanks, Richard. I'll try that. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Lord, are we worthy of the task that lies before us, or are we just jerking off..?" From b.vander.bent at chello.nl Wed Oct 13 14:42:57 2004 From: b.vander.bent at chello.nl (basalk) Date: Wed Oct 13 07:45:04 2004 Subject: [SpamCop-List] Re: Did spamcop made an error? References: Message-ID: Thanks both for the information, my English is not always good enough to understand what I'm reading so this was important. @Ellen, the mail is posted. Bas "Ellen" wrote in message news:ckivch$mrp$1@news.spamcop.net... > > "basalk" wrote in message > news:ckine7$b96$1@news.spamcop.net... >> I got this mail today, and I only report what Spamcop is advising me. : >> >> This email address is for reporting incidents of abuse coming from IP >> addresses registered to Charter Communications. Abuse from IP addresses >> not registered to Charter Communications should be directed to the >> registered owners of the IP address in question.
>> >> The following link should be of assistance in locating the organization >> responsible for the IP address: >> >> http://www.arin.net/whois >> >> >> Thank you, >> >> Charter High-Speed Internet Security Team >> >> # # # >> >> From: 1263928295@reports.spamcop.net >> To: abuse@charter.net >> Date: Tue, 12 Oct 2004 23:38:15 +0200 >> Subject: [SpamCop (68.191.62.124) id:1263928295]-Refinance TODAY- as low > as >> 3.98% >> > Charter seems to have forgotten what their IPs are ... if you want to > forward their whole message with headers to deputies spamcop.net I > will > write to them -- probably just a matter of someone sending the wrong > boilerplate. Or you can just ignore the whole thing ... > > Ellen > > From nobody at spamcop.net Wed Oct 13 10:13:07 2004 From: nobody at spamcop.net (indigo) Date: Wed Oct 13 09:15:17 2004 Subject: [SpamCop-List] Paging Wazoo and/or Ellen Message-ID: Who is in charge of maintaining the Spamcop FAQ these days, is it Wazoo? We have a certain troll over in .social that has morphed at least 10 times to avoid killfiles, and now has taken to posting with attachments and sometimes in HTML. When we bitched about all of the above behavior s/h/it pointed out the NNTP NG FAQ page no longer lists these "behaviors" as being forbidden. Can someone fix this please? S/h/it ought to be banned from the server just for the intentional morphing, but I don't think JT gives a rats ass anymore....... From Alexis at NotBob.frop Wed Oct 13 10:44:08 2004 From: Alexis at NotBob.frop (Alexis) Date: Wed Oct 13 09:45:04 2004 Subject: [SpamCop-List] Re: Did spamcop made an error? References: Message-ID: "Ellen" wrote in message news:ckivch$mrp$1@news.spamcop.net... > > "basalk" wrote in message > news:ckine7$b96$1@news.spamcop.net...
> > I got this mail today, and I only report what Spamcop is advising me. : > > > > This email address is for reporting incidents of abuse coming from IP > > addresses registered to Charter Communications. Abuse from IP addresses > > not registered to Charter Communications should be directed to the > > registered owners of the IP address in question. > > > > The following link should be of assistance in locating the organization > > responsible for the IP address: > > > > http://www.arin.net/whois > > > > > > Thank you, > > > > Charter High-Speed Internet Security Team > > > > # # # > > > > From: 1263928295@reports.spamcop.net > > To: abuse@charter.net > > Date: Tue, 12 Oct 2004 23:38:15 +0200 > > Subject: [SpamCop (68.191.62.124) id:1263928295]-Refinance TODAY- as low > as > > 3.98% > > > Charter seems to have forgotten what their IPs are ... if you want to > forward their whole message with headers to deputies spamcop.net I will > write to them -- probably just a matter of someone sending the wrong > boilerplate. Or you can just ignore the whole thing ... > > Ellen > I've gotten a few of those before, if that helps any. I always just assumed that it was a lame boilerplate auto-ack and ignored them. From Merlyn at Spamcop.net Wed Oct 13 10:49:15 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Wed Oct 13 09:50:03 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: "indigo" wrote in message news:ckj9l3$60o$1@news.spamcop.net... > Who is in charge of maintaining the Spamcop FAQ these days, is it Wazoo? > We > have a certain troll over in .social that has morphed at least 10 times to > avoid killfiles, and now has taken to posting with attachments and > sometimes > in HTML. When we bitched about all of the above behavior s/h/it pointed > out > the NNTP NG FAQ page no longer lists these "behaviors" as being > forbidden. Can someone fix this please?
S/h/it ought to be banned from the > server just for the intentional morphing, but I don't think JT gives a > rats > ass anymore....... > Indigo, what is this troll's latest morph? -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From nobody at spamcop.net Wed Oct 13 11:08:04 2004 From: nobody at spamcop.net (indigo) Date: Wed Oct 13 10:10:04 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Merlyn wrote: > > > > > Indigo, what is this troll's latest morph? LadySarah (not!), I believe she posted in this group last week. From kenbrody at spamcop.net Wed Oct 13 10:45:47 2004 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Oct 13 10:15:03 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: Message-ID: <416D318B.76A5B0D0@spamcop.net> Mike Easter wrote: > > Kenn Nesbitt wrote: > > I added $2.00 "fuel" to create a 1Mb test account. PayPal shows that > > the money has been deducted from my PayPal account, but I never > > received a receipt from SpamCop and the $2.00 has not been credited > > to my account. > > Naturally I don't have the answer to your plight; but PayPal has been in > a big mess lately. They did some kind of upgrade recently and it screwed > them all up. Someone tried to order some software from our website (not related to SpamCop, BTW) and pay via PayPal, and they were having problems getting it to take their credit card info. > I'm sure a deputy will come along shortly and tell you the email addy to > communicate. > > > What's up with this? I can't find any way to contact SpamCop (other > > than snailmail and this forum) to ask them to credit the $2.00 to my > > account. Have you tried deputies -at- spamcop _dot_ net ? -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. 
Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ From masfjorden at spamcop.net Wed Oct 13 17:16:04 2004 From: masfjorden at spamcop.net (helge) Date: Wed Oct 13 10:20:10 2004 Subject: [SpamCop-List] out of the mouth of babies and spammers Message-ID: From a recent spam: "Who can resist a 24kt. white gold Rolex watch surrounded in stainless steal?" Steal is right, I guess helge From d*r*i*c*h*t*e*r at e*s*s*i.f*r*****without*asterisks**** Wed Oct 13 17:22:07 2004 From: d*r*i*c*h*t*e*r at e*s*s*i.f*r*****without*asterisks**** (Dan) Date: Wed Oct 13 10:25:03 2004 Subject: [SpamCop-List] Searching WHOIS database Message-ID: I'm tracking a spammer and I'd like to know all the domain names he registered under a certain (presumably fake) name. Is there a way to search the WHOIS database for all domain names registered by a company named "Software Factory Solutions"? -- The hardest thing about any political campaign is how to win without proving that you are unworthy of winning. - Adlai Stevenson From MikeE at ster.invalid Wed Oct 13 08:56:17 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Oct 13 10:55:10 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: indigo wrote: > LadySarah (not!), I believe she posted in this group last week. I don't hangout in .social, but I'll stick my opinion in here anyway; and that opinion is based /only/ on the thread From: "LadySarah" Newsgroups: spamcop.social Subject: When was terrorism ever just the "nuisance" Kerry wants to get back to? Date: Mon, 11 Oct 2004 13:57:06 -0400 Message-ID: not any previous spats or troubles or morphs or trolls or such. In that thread LS posted an html with a graphic and people started fussing. 
She is currently posting in plaintext and there is a disagreement about the 'rules' - the newsgroup faq doesn't forbid html [or anything else, such as attachments, topposting, etc.] I personally think a newsgroup should work out its own little problems and also not make itself crazy trying to do so, rather than look for some kind of 'moderation' from on high. If some poster is being /persistently/ annoying to 'you', the ubiquitous you, not any particular you, after whatever has been said about what could be reformed, such as posting style - the best thing to do is to ignore them, by 'mentally' or 'mechanically' killfiling them. That's the way to deal with trolls and that's the way to deal with non-trolls who are just being a pain. Getting the group in an uproar and calling in the 'police' isn't really the best way to handle things, IMO. Just work it out among yourselves, which is best done by ignoring the problem poster when appropriate. -- Mike Easter kibitzer, not SC admin From Merlyn at Spamcop.net Wed Oct 13 12:38:12 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Wed Oct 13 11:40:14 2004 Subject: [SpamCop-List] Re: Searching WHOIS database References: Message-ID: "Dan" wrote in message news:ckjdmf$cn5$1@news.spamcop.net... > I'm tracking a spammer and I'd like to know all the domain names he > registered under a certain (presumably fake) name. Is there a way to > search the WHOIS database for all domain names registered by a company > named "Software Factory Solutions"? > Looks like AMAZINGEMAILSPY.COM belongs to "Software Factory Solutions" AMAZINGEMAILSPY.COM: Administrative Contact: Software Factory Solutions Software Factory (contact@apricotstaircase.com) +1.8775725732 Fax: +1.- 2135A des Laurentides Blvd. Suite #124 Laval, QC H7M 4M2 CA Address lookup canonical name AMAZINGEMAILSPY.COM. 
aliases addresses 221.5.251.226 http://www.spamhaus.org/sbl/sbl.lasso?query=SBL18126 http://www.spamhaus.org/sbl/sbl.lasso?query=SBL20102 IP Addresses: 222.222.48.112 IP Country: CHINA Reverse IP Lookup: IP hosts 157 domains Here is a list of sites on that machine, I am not sure if they all belong to them, you will have to do the leg work but there seems to be more than a few that do belong to them. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From eddie at eddie.web Wed Oct 13 13:13:52 2004 From: eddie at eddie.web (eddie) Date: Wed Oct 13 12:15:02 2004 Subject: [SpamCop-List] [Spam] can't stop laughing Message-ID: Recent spam: "This tablets is a full earthy herbal pills containing a mixed bag of herbs known for boosting intimate desire with fulfilment. By exploitation our product you should experience an addition in sexual desire, an improvement in your volume and performance, as well as increased power and delectation during intimate activity." As if that isn't bad enough, the moron goes on: "My tablets is an all earthy grass lozenge containing a salmagundi of herbage known for advancing intimate longing with fulfilment. By victimisation my lozenge you should experience an increase in intimate desire, an amelioration in your size and performance, ..." Then comes the clincher - the URL http:///pp/index.php?pid=3Deph5653 I think they are taking too many of their own pills and ameliorating their brains -- Rather: I don't want to be argumentative, Mr. vice president. Bush41(veep):You do, Dan. Rather: No -- no, sir, I don't. From nobody at spamcop.net Wed Oct 13 13:18:54 2004 From: nobody at spamcop.net (indigo) Date: Wed Oct 13 12:20:09 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Mike Easter wrote: > > In that thread LS posted an html with a graphic and people started > fussing. She is currently posting in plaintext and there is a > disagreement about the 'rules' - the newsgroup faq doesn't forbid html > [or anything else, such as attachments, topposting, etc.] > It used to forbid html and attachments.
So you don't mind if everyone starts posting with attachments whenever they please?

>
> If some poster is being /persistently/ annoying to 'you', the
> ubiquitous you, not any particular you, after whatever has been said
> about what could be reformed, such as posting style - the best thing
> to do is to ignore them, by 'mentally' or 'mechanically' killfiling
> them. That's the way to deal with trolls and that's the way to deal
> with non-trolls who are just being a pain.

Some folks over there *do* wish to killfile s/h/it, but when someone morphs 5 times in one day (true statement) it's hard for others to keep their KFs in order.

>
> Getting the group in an uproar and calling in the 'police' isn't
> really the best way to handle things, IMO. Just work it out among
> yourselves, which is best done by ignoring the problem poster when
> appropriate.

I'm not asking for a ban of anyone based on their political views or stupidity, I'm asking for re-establishment of "do not do this" rules in the SC FAQ like there used to be. Why were those rules removed from the page?

From b.vander.bent at chello.nl Wed Oct 13 19:27:42 2004
From: b.vander.bent at chello.nl (basalk)
Date: Wed Oct 13 12:30:02 2004
Subject: [SpamCop-List] Re: out of the mouth of babies and spammers
References:
Message-ID:

Probably a Freudian typo

Bas

"helge" wrote in message news:ckjdaj$bkd$1@news.spamcop.net...
> From a recent spam:
> "Who can resist a 24kt. white gold Rolex watch surrounded in stainless
> steal?"
>
> Steal is right, I guess
>
> helge

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.773 / Virus Database: 520 - Release Date: 11-10-2004

From dkona7b02 at sneakemail.com Wed Oct 13 13:37:14 2004
From: dkona7b02 at sneakemail.com (Spam Hater)
Date: Wed Oct 13 12:37:20 2004
Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen
In-Reply-To:
References:
Message-ID: <3.0.5.32.20041013123714.00f988d8@loki.fstrf.org>

Why are you dragging .social drama into this group???

Please take it back there where it belongs. This is why that group was set up in the first place!

If the people in charge of this system don't care, why should we?

At 12:18 PM 10/13/2004 -0400, indigo typed:
>Mike Easter wrote:
>> Getting the group in an uproar and calling in the 'police' isn't
>> really the best way to handle things, IMO. Just work it out among
>> yourselves, which is best done by ignoring the problem poster when
>> appropriate.
>
>I'm not asking for a ban of anyone based on their political views or
>stupidity, I'm asking for re-establishment of "do not do this" rules in the
>SC FAQ like there used to be. Why were those rules removed from the page?

From nobody at devnull.spamcop.net Wed Oct 13 12:23:37 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Oct 13 12:40:03 2004
Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen
References:
Message-ID:

"indigo" wrote in message news:ckj9l3$60o$1@news.spamcop.net...
> Who is in charge of maintaining the Spamcop FAQ these days, is it Wazoo?

My "control" over the FAQ is only the version I glued together over in the Forums ... Taking what was in the www.spamcop.net FAQ, making it a single page point of access, then adding in more elements from the other Forum entries and requested additions.

The FAQ on the spamcop.net pages are access controlled, Julian, JT, RW, and Courtney (IronPort staff) are the only folks I know for sure that have access to make changes there. Courtney was tasked (as an additional duty) to freshen up those pages.
In her defense, let's just go with it's a bit confusing as to how things should go ... back to JT's desire to move support to the web-based Forum. Recall that the newsgroups are still under the "could disappear at any time" situation ... also recall that they are hosted on JT's side of the house. Perhaps the HTML stuff was dropped as the Forum app doesn't do graphics and attachments ...

At the time "we" were talking, Courtney said she was monitoring the spamcop newsgroup (never actually questioned which one that might have been) and she did post over in those Forums, stating she'd be willing to receive input. On the other hand, this was work being done while working towards the latest "fresh face" on the spamcop.net web pages.

All that said, I'll drop a note to Deputies (to catch RW's eyes), another to Courtney ...

From nobody at spamcop.net Wed Oct 13 14:11:11 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 13:15:03 2004
Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen
References:
Message-ID:

WazoO wrote:
>
> All that said, I'll drop a note to Deputies (to catch RW's
> eyes), another to Courtney ...

TIA Waz.

From nobody at spamcop.net Wed Oct 13 14:16:09 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 13:20:03 2004
Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen
References:
Message-ID:

Spam Hater wrote:
> Why are you dragging .social drama into this group???
>
> Please take it back there where it belongs. This is why that group
> was set up in the first place!
>
It's not strictly a .social issue -- there are no longer any NG posting rules for *any* SC NG on the NNTP page except:

Newsgroup Posting Rules

No spam. Please do not post copies of spam or other commercials except in the spamcop.spam group specifically designated for it. SpamCop provides "tracking URL"s for posting spam samples. Please use them.
Limit quoting. Please avoid quoting in threads unnecessarily.

So quit yer bitchin unless you don't care if binaries start flooding the groups (hey, it's ok according to the rules!)

From nobody at spamcop.net Wed Oct 13 14:22:03 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 13:25:04 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID:

DevilsPGD wrote:
> Fred K wrote:
> > Thanks for the lesson. But I have been having trouble and been
> > working with SC people. I did not test as a "newby".
>
> But yet you still tested in a non-test group...

In his defense, if he was going by what he saw on the "new" NNTP FAQ page he wouldn't _know_ that spamcop.test even existed.

From Spam_N_Scams_Reporter at yahoo.whatever Wed Oct 13 11:25:16 2004
From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter)
Date: Wed Oct 13 13:30:03 2004
Subject: [SpamCop-List] Re: [Spam] can't stop laughing
In-Reply-To:
References:
Message-ID:

eddie wrote:
> Recent spam:
> "This tablets is a full earthy herbal pills
> containing a mixed bag of herbs known for boosting intimate
> desire with fulfilment. By exploitation our product you
> should experience an addition in sexual desire, an improvement
> in your volume and performance, as well as increased power
> and delectation during intimate activity."
>
> As if that isn't bad enough, the moron goes on:
>
> "My tablets is an all earthy grass lozenge containing a salmagundi of
> herbage known for advancing intimate longing with fulfilment. By
> victimisation my lozenge you should experience an increase in
> intimate desire, an amelioration in your size and performance, ..."
>
> Then comes the clincher - the URL
>
> http:///pp/index.php?pid=3Deph5653
>
> I think they are taking too many of their own pills and ameliorating their
> brains
>

Probably didn't realize that s/h/it was using the thesaurus part of the dictionary.

From nobody at spamcop.net Wed Oct 13 14:54:46 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 13:55:03 2004
Subject: [SpamCop-List] Re: Bringing bullet proof hosts down
References:
Message-ID:

Stan wrote:
> I believe that Bullet Proof Hosts and any other Spam Host should have
> their Domains be published and a list provided so that everyone can
> choose to block these spam hosts.

Take your pick: http://www.moensted.dk/spam/

From nobody at spamcop.net Wed Oct 13 15:11:30 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 14:15:08 2004
Subject: [SpamCop-List] Re: SC Password reset - harassment?
References:
Message-ID:

Mike Easter wrote:
>
> Their flight plan lasts fifteen hours of flight daily, in steps of 450
> kms. With a velocity of 30 kms. (18 miles) per hour, always taking
> advantage of the winds."
>
The airspeed velocity of a European or African swallow? Oh wait, African swallows are non-migratory ;-)

From nobody at spamcop.net Wed Oct 13 15:16:06 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 14:20:03 2004
Subject: [SpamCop-List] Re: Magic numbers - was: Re: How to remove from bl.spamcop.net
References: <87fz4synwg.fsf@ursine.dyndns.org>
Message-ID:

geo_splash_12 wrote:
In your
> case we are dealing perhaps with a series, perhaps prime numbers or
> special prime numbers, but not magic numbers.

I'm sure the group of folks who just won the $245 million Powerball lottery think that their numbers are *magic* ;-)

From nobody at spamcop.net Wed Oct 13 15:21:11 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 14:25:03 2004
Subject: [SpamCop-List] Re: Changing Handle
References: <0giem09bp4jk2c5nvgklm1glj3dfo41937@4ax.com>
Message-ID:

Mike Easter wrote:
> Tom wrote:
> > Having fought with Outlook (or, in my estimation LookOUT), I know
> > that that e-mail system is The Pits! It plugs in the signature at
> > the top and expects you to enter your comments there, too.
>
> I don't know about OL, but in OE, the choice to automatically put in
> the sig is optional.

Outlook doesn't *do* newsgroups.......which *is* the topic here, isn't it?

From eddie at eddie.web Wed Oct 13 16:32:12 2004
From: eddie at eddie.web (eddie)
Date: Wed Oct 13 15:35:04 2004
Subject: [SpamCop-List] Re: out of the mouth of babies and spammers
References:
Message-ID:

On Wed, 13 Oct 2004 16:16:04 +0200, helge scratched out the following:
> From a recent spam:
> "Who can resist a 24kt. white gold Rolex watch surrounded in stainless
> steal?"
>
> Steal is right, I guess
>
> helge

Heh heh. When I was doing some software work for a major NYC ad agency, I learned that spelling in an ad was so critical, that if you misspelled anything in an ad you were history. One classic case was an Eve Arden perfume, in which millennium was spelled with one "n", millenium and they had to spend lots of money to spin it so it came out that it was misspelled on purpose. The basic rule is that the attention given to an ad, which includes spelling, is equivalent to the attention they give to the product; and many discriminating buyers will not buy a product if there is a misspelling in the ad. (Sloppy ad, sloppy product). The software I developed for this unnamed company was a glorified spellchecker specifically for this purpose. No, it wasn't Eve Arden :)

--
Rather: I don't want to be argumentative, Mr. vice president.
Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't.

From arthur_byington at spamisevil.com Wed Oct 13 15:32:12 2004
From: arthur_byington at spamisevil.com (Steve Holmes)
Date: Wed Oct 13 15:35:21 2004
Subject: [SpamCop-List] Secret Service - Phishing
Message-ID: <416D82BB.CBC9A21F@spamisevil.com>

Hello:

What is the contact info. for the Secret Service Financial Crimes Division relating to phishing? It's not on their webpage or in the FAQ.

Thank you.

--
Steve Holmes Executive Producer "The New Ball Game" "RailFAN" 319-337-9507

From arthur_byington at spamisevil.com Wed Oct 13 15:53:58 2004
From: arthur_byington at spamisevil.com (Steve Holmes)
Date: Wed Oct 13 15:55:08 2004
Subject: [SpamCop-List] Detecting False WHOIS Data
Message-ID: <416D87D6.52AEB813@spamisevil.com>

Yesterday, someone in this group mentioned the bright idea of reporting spammers at http://wdprs.internic.net/ for listing false contact info. Problem is, I should know it's false before I complain. How do I nail down as much of this as possible without contacting the spammer?

I'm going after a pr0n spammer who uses misspelled words and filthy subject lines. Here's his latest identity (he spams from 10-20 domains for about ten days, then begins again with new contact info.):

Registrant Name: Brian Turpin
Registrant Organization: none
Registrant Address1: 633 Main St
Registrant City: Danville
Registrant Postal Code: 24543
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.8047930817
Registrant Email: briantur@lycos.com

The phone number is not listed in his name. I suppose he could be living with the people to whom it's registered, so I don't know how to prove it's bogus except to call up and say, "Is Brian there?". I'd rather not start putting money into this and make probable wrong-number calls deliberately.

Lumberton has a "549 Main," but Google shows no business there. Any other way to find out what's at that address without making a 1,000 mile trip to New Jersey?

Is it OK to send a polite e-mail saying, "If you're spamming, stop. If this reached you in error, please accept my apologies."? Then, if that bounces, it's false info. I can report.

Under the idea of "know thy enemy," anyone know why he moves around every couple of weeks?

Thanks in advance.

--
Steve Holmes Executive Producer "The New Ball Game" "RailFAN" 319-337-9507

From nobody at spamcop.net Wed Oct 13 17:01:50 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 16:05:14 2004
Subject: [SpamCop-List] Re: citibank citi card phishing
References: <416CDC01.6EE50422@spamcop.dev.null.net>
Message-ID:

Nobody wrote:
> waldo kitty wrote:
> >
> > 209.239.37.192 is phishing for citibank's citi card infos... the IP
> > belongs to our old old friends at alabanza up in maryland...
> >
> >
> I don't get it. Aren't they exposing themselves to prosecution for
> wire fraud? Why would anyone do something so stupid, entirely within
> a jurisdiction that is likely to land on them like a ton of bricks?

Especially now that our new anti-spam law has gone into effect (on Sept 30, 2004 ;-)

ANNAPOLIS - Marylanders whose computers are flooded with unwanted e-mails offering pornography and get-rich-quick schemes may get some relief starting today, when one of the strongest anti-spam laws in the nation goes into effect.

The law gives the state attorney general power to go after spammers who use false or misleading information, allowing jail terms and large financial penalties for people convicted of violating the law.

When Gov. Robert L. Ehrlich Jr. signed the anti-spam law bill in May, America Online called it "a huge leap forward" in the national battle against spam.

"This new state law ... will help us rein in the kingpin, outlaw spammers who continue to use tactics of fraud, deceit and evasion to avoid state and federal laws, as well as trick AOL's anti-spam filters," the company said.

The new law makes it a crime to hack into a computer to send spam; knowingly mislead recipients or Internet service providers about the origin of a message; falsify information regarding the source and routing of e-mails; and use a false identity to register for 15 or more e-mail addresses and send spam from those addresses.

The law provides for criminal penalties of a jail term of up to five years and a fine of up to $25,000 for violations. The attorney general also can seek civil penalties of up to $25,000 a day or $2 to $8 for every spam message sent in violation of the law.

From nobody at devnull.spamcop.net Wed Oct 13 16:07:14 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Wed Oct 13 16:10:02 2004
Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen
In-Reply-To:
References:
Message-ID:

indigo wrote:
> Spam Hater wrote:
>
>>Why are you dragging .social drama into this group???
>>
>>Please take it back there where it belongs. This is why that group
>>was set up in the first place!

It's not ".social drama." It's universal to all of the newsgroups because it's about posting rules and harassment, and the troll in question has posted to this newsgroup under at least one of s/h/its previous identities. Unless you're willing to stop top posting, learn to snip properly, and stop screaming the word spam, and going ape s*** on anyone who dares to ask you to stop, then don't complain about what anyone else in this newsgroup chooses to post about.

> It's not strictly a .social issue -- there are no longer any NG posting
> rules for *any* SC NG on the NNTP page except:
>
> Newsgroup Posting Rules
>
> No spam. Please do not post copies of spam or other commercials except in
> the spamcop.spam group specifically designated for it. SpamCop provides
> "tracking URL"s for posting spam samples. Please use them.
> Limit quoting. Please avoid quoting in threads unnecessarily.
>
> So quit yer bitchin unless you don't care if binaries start flooding the
> groups (hey, it's ok according to the rules!)

Spam Hater is just another newsgroup troll who does nothing but try to stir up trouble and goes completely psycho if anyone dares to ask s/h/it to stop top posting or question why s/h/it feels this desperate need to always type spam in all caps, which is why some of us have already killfiled s/h/it.

I agree though that something needs to be done about the .social trolls continued morphing and rule breaking and other general harassment.

From nobody at spamcop.net Wed Oct 13 17:17:10 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 13 16:20:03 2004
Subject: [SpamCop-List] Re: SC Password reset - harassment?
References:
Message-ID:

Bob W. wrote:
> In article ,
> "indigo" wrote:
> >
> > The airspeed velocity of a European or African swallow? Oh wait,
> > African swallows are non-migratory ;-)
>
> Laden or unladen?

Why, I dunno Aaaaaahhhhhhhhh!

From Merlyn at Spamcop.net Wed Oct 13 17:17:27 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Wed Oct 13 16:20:20 2004
Subject: [SpamCop-List] Re: Detecting False WHOIS Data
References: <416D87D6.52AEB813@spamisevil.com>
Message-ID:

"Steve Holmes" wrote in message news:416D87D6.52AEB813@spamisevil.com...
> Yesterday, someone in this group mentioned the bright idea of reporting
> spammers at http://wdprs.internic.net/ for listing false contact info.
> Problem is, I should know it's false before I complain. How do I nail
> down as much of this as possible without contacting the spammer?
>
> I'm going after a pr0n spammer who uses misspelled words and filthy
> subject lines. Here's his latest identity (he spams from 10-20 domains
> for about ten days, then begins again with new contact info.):
>
> Registrant Name: Brian Turpin
> Registrant Organization: none
> Registrant Address1: 633 Main St
> Registrant City: Danville
> Registrant Postal Code: 24543
> Registrant Country: United States
> Registrant Country Code: US
> Registrant Phone Number: +1.8047930817
> Registrant Email: briantur@lycos.com
>
> The phone number is not listed in his name. I suppose he could be living
> with the people to whom it's registered, so I don't know how to prove
> it's bogus except to call up and say, "Is Brian there?". I'd rather not
> start putting money into this and make probable wrong-number calls
> deliberately.
>
> Lumberton has a "549 Main," but Google shows no business there. Any
> other way to find out what's at that address without making a 1,000 mile
> trip to New Jersey?
>
> Is it OK to send a polite e-mail saying, "If you're spamming, stop. If
> this reached you in error, please accept my apologies."? Then, if that
> bounces, it's false info. I can report.
>
> Under the idea of "know thy enemy," anyone know why he moves around
> every couple of weeks?
>
> Thanks in advance.

What makes you think it's in New Jersey? There is no State in his Address. 24543 is one of the zip codes for Danville VA. There is a 633 Main St in Danville, VA but the zip is 24541 so that would make this zip code wrong. Looks like he is fudging the address just enough so people will think it is real.

In the business Directory you will also see:
Colonial Mortgage
633 Main St.
Danville, VA 24541, 792-5377

You could call them and see if they are the only business in that address. As for the phone number, 804 is an exchange for VA so why don't you call it from a pay phone and ask if they are the owner of the alleged site?

--
Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided

From nobody at spamcop.net Wed Oct 13 17:26:58 2004
From: nobody at spamcop.net (Pop (was Spamcop by accident))
Date: Wed Oct 13 16:30:03 2004
Subject: [SpamCop-List] Question re format to use
Message-ID:

Hi,

I've started getting spams in another language, I think Chinese. When I go to email them to SC, my browser notices the language problem and asks me if I want to send them as Unicode, As is, or something else I don't recall at the moment, possibly a language choice.

It would seem to me to be irrelevant to spamcop since the headers etc. required are in English, but who knows what's hidden in all that garbage that identifies me.

Which format is the best one to send to spamcop?
Or doesn't it matter, other than as Plain Text? They're also in HTML but I don't see any of the graphics as I prevent those from going to disk.

Interestingly, these -might- be dictionary attacks of some sort - they are arriving at my sneakemail account, or one of them anyway. Yeah, I know, I'll delete that account and be rid of it, but ... it's interesting for the moment. Even more so if they show up at another account. The one that's getting them is fairly old, about six months or so.

Regards,

Pop
---
I may or may not know what I'm saying, but if I have nothing to say, that's what I say!

From nobody at spamcop.net Wed Oct 13 17:29:37 2004
From: nobody at spamcop.net (Pop (was Spamcop by accident))
Date: Wed Oct 13 16:30:16 2004
Subject: [SpamCop-List] PS Re: Question re format to use
References:
Message-ID:

PS: http://www.spamcop.net/sc?id=z682082754z6d700cae3f8ebc54b9baa7e540f11cabz

From arthur_byington at spammersgotohell.com Wed Oct 13 16:33:27 2004
From: arthur_byington at spammersgotohell.com (Steve Holmes)
Date: Wed Oct 13 16:35:02 2004
Subject: [SpamCop-List] Re: Detecting False WHOIS Data
References: <416D87D6.52AEB813@spamisevil.com>
Message-ID: <416D9117.E825047B@spammersgotohell.com>

Merlyn wrote:

> (snip)
>
> What makes you think it's in New Jersey?
> There is no State in his Address. (snip)

My mistake, Merlyn. That's an abandoned ID. Here's his latest:

Tim Welch ( )
+1.8569851974
Fax: none
549 Main St.
Lumberton, NJ 08048
US

--
Steve Holmes Executive Producer "The New Ball Game" "RailFAN" 319-337-9507

From Merlyn at Spamcop.net Wed Oct 13 18:03:02 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Wed Oct 13 17:05:02 2004
Subject: [SpamCop-List] Re: Detecting False WHOIS Data
References: <416D87D6.52AEB813@spamisevil.com> <416D9117.E825047B@spammersgotohell.com>
Message-ID:

"Steve Holmes" wrote in message news:416D9117.E825047B@spammersgotohell.com...
> Merlyn wrote:
>
>> (snip)
>>
>> What makes you think it's in New Jersey?
>> There is no State in his Address. (snip)
>
> My mistake, Merlyn. That's an abandoned ID. Here's his latest:
>
> Tim Welch ( )
> +1.8569851974
> Fax: none
> 549 Main St.
> Lumberton, NJ 08048
> US
>

Sorry can't find anything on that one.

--
Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided

From dfm2a3l0t2 at spymac.com Wed Oct 13 18:08:35 2004
From: dfm2a3l0t2 at spymac.com (D.F. Manno)
Date: Wed Oct 13 17:10:02 2004
Subject: [SpamCop-List] Re: Secret Service - Phishing
References: <416D82BB.CBC9A21F@spamisevil.com>
Message-ID:

In article <416D82BB.CBC9A21F@spamisevil.com>, Steve Holmes wrote:

> What is the contact info. for the Secret Service Financial Crimes
> Division relating to phishing? It's not on their webpage or in the FAQ.

There's a Web form at:

--
D.F. Manno dfm2a3l0t2@spymac.com

From not at home.today Wed Oct 13 23:44:42 2004
From: not at home.today (Ant)
Date: Wed Oct 13 17:50:22 2004
Subject: [SpamCop-List] Re: Error: "couldn't parse head"
References: <416D0249.7C09@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote...
> Ant wrote:
>> Removing the "Sarah" line fixes the error
>
> You could probably also add an empty line (CrLf) before "Sarah".
> I tried to test this, but with mailhosts SC won't allow me to
> parse foreign spam (sigh).

I did that, and it parses correctly.

>> I'm not sure if the parser should be expected to handle this
>
> It's essentially the same problem as an invalid header in the
> 2822-headers. [...]

Thanks for the feedback Frank. I understand the issues a bit more now.

> IMHO it's better if SC never tries to emulate OE bugs,
> it's a can of worms :-(

Probably best!
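
Added example (not part of the original posts, and not SpamCop's parser): a small strict RFC 2822 header-block checker that reproduces the failure discussed in the message above, where a bare line such as "Sarah" sits among the headers, and shows both fixes mentioned there (removing the line, or putting an empty line before it). The sample message, addresses and function names are constructed for illustration.

```python
import re

# RFC 2822 header field: a name of printable ASCII (no space, no ':') then ':'.
FIELD_RE = re.compile(r'^[\x21-\x39\x3b-\x7e]+:')

# Constructed sample: a bare line "Sarah" sits in the header block, before the
# empty line that separates headers from body.
BROKEN = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    "\tby mx.example.org with SMTP; Wed, 13 Oct 2004 10:00:00 -0400\r\n"
    "From: sender@example.net\r\n"
    "Subject: hello\r\n"
    "Sarah\r\n"
    "\r\n"
    "body text\r\n"
)


def to_lines(raw):
    """Split a raw message into lines, accepting CRLF or LF endings."""
    return raw.replace('\r\n', '\n').split('\n')


def split_header_block(raw):
    """Return (header_lines, body); the header block ends at the first empty line."""
    lines = to_lines(raw)
    for i, line in enumerate(lines):
        if line == '':
            return lines[:i], '\n'.join(lines[i + 1:])
    return lines, ''


def header_defects(raw):
    """List (line_number, text) for header-block lines that are neither a
    field ("Name: value") nor a folded continuation of a previous field."""
    headers, _ = split_header_block(raw)
    defects = []
    seen_field = False
    for n, line in enumerate(headers, start=1):
        if FIELD_RE.match(line):
            seen_field = True
        elif line[:1] in (' ', '\t') and seen_field:
            continue  # folded continuation line
        else:
            defects.append((n, line))
    return defects


def parse_fields(raw):
    """Strict parse: refuse a defective header block, else return unfolded
    (name, value) pairs in order."""
    defects = header_defects(raw)
    if defects:
        n, text = defects[0]
        raise ValueError("couldn't parse head: line %d is not a header field: %r"
                         % (n, text))
    headers, _ = split_header_block(raw)
    fields = []
    for line in headers:
        if line[:1] in (' ', '\t'):
            name, value = fields[-1]
            fields[-1] = (name, value + ' ' + line.strip())
        else:
            name, _, value = line.partition(':')
            fields.append((name, value.strip()))
    return fields


def insert_separator(raw, lineno):
    """Fix 1: put an empty line before the offending line, so it becomes body."""
    lines = to_lines(raw)
    lines.insert(lineno - 1, '')
    return '\r\n'.join(lines)


def drop_line(raw, lineno):
    """Fix 2: remove the offending line from the header block."""
    lines = to_lines(raw)
    del lines[lineno - 1]
    return '\r\n'.join(lines)


if __name__ == "__main__":
    print("defects in sample:", header_defects(BROKEN))
    bad_line = header_defects(BROKEN)[0][0]
    for label, fixed in (("separator inserted", insert_separator(BROKEN, bad_line)),
                         ("line dropped", drop_line(BROKEN, bad_line))):
        print(label, "->", [name for name, _ in parse_fields(fixed)])
```

With the separator inserted, the "Sarah" line is kept but moves into the body; with the line dropped, the body is unchanged.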

From nobody at devnull.spamcop.net Wed Oct 13 19:33:25 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Wed Oct 13 18:35:04 2004
Subject: [SpamCop-List] Re: Detecting False WHOIS Data
References: <416D87D6.52AEB813@spamisevil.com> <416D9117.E825047B@spammersgotohell.com>
Message-ID:

"Steve Holmes" wrote in message
> Merlyn wrote:
>
> > (snip)
> >
> > What makes you think it's in New Jersey?
> > There is no State in his Address. (snip)
>
> My mistake, Merlyn. That's an abandoned ID. Here's his latest:
>
> Tim Welch ( )
> +1.8569851974
> Fax: none
> 549 Main St.
> Lumberton, NJ 08048
> US
>

Grew up about five miles from Lumberton. The village Main Drag goes for miles in/out of town, which of itself is at least five blocks, so, the zip is 080xx which puts it in south Jersey, 08060 is five miles away, so the zip is reasonable. The phone number, however, may be offshore. That region of NJ is not heavily populated, sandy, but not quite into the pine barrens. Tele area code for huge section of south Jersey remained 609 until a few years back when a second area code was introduced to pick up added load for populated areas along the coast. But the area code for Lumberton is/remains almost certainly 609. My map of US showing area codes does not have an 856 listing, but it is a couple years old. Try dialing 18565551212. Operator says, "what city?", you say, "what country, I must have misdialed"... Probably a dollar call now?? Better yet use 1-800-collect from a pay phone and keep s/h/it on phone as long as you can scam s/h/it that s/h/it needs to talk to you...

Glenn

From nobody at devnull.spamcop.net Wed Oct 13 19:44:57 2004
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Wed Oct 13 18:45:02 2004
Subject: [SpamCop-List] Re: Question re format to use
References:
Message-ID:

"Pop (was Spamcop by accident)" wrote in message
> Hi,
>
> I've started getting spams in another language, I think Chinese.
> When I go to email them to SC, my browser notices the language
> problem and asks me if I want to send them as Unicode, As is, or
> something else I don't recall at the moment, possibly a language
> choice.
>
> It would seem to me to be irrelevant to spamcop since the headers
> etc. required are in English, but who knows what's hidden in all
> that garbage that identifies me.
>
> Which format is the best one to send to spamcop? Or doesn't it
> matter, other than as Plain Text? They're also in HTML but I
> don't see any of the graphics as I prevent those from going to
> disk.
>
> Interestingly, these -might- be dictionary attacks of some sort -
> they are arriving at my sneakemail account, or one of them
> anyway. Yeah, I know, I'll delete that account and be rid of it,
> but ... it's interesting for the moment. Even more so if they
> show up at another account. The one that's getting them is
> fairly old, about six months or so.
>

This happens using Netscape Mail Client which by default makes the subject of your forward [Fwd: Original Subject]. If the original was in unicode, then yours will be also.

For my purposes it suits me to delete the "Subject:" entirely in such cases, as then the question does not arise. The encoding you select applies only to your part of the message and has no bearing on your attachments.

Happy hunting!
Glenn

From MikeE at ster.invalid Wed Oct 13 18:08:59 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 13 20:10:03 2004
Subject: [SpamCop-List] Re: Secret Service - Phishing
References: <416D82BB.CBC9A21F@spamisevil.com>
Message-ID:

Steve Holmes wrote:

> What is the contact info. for the Secret Service Financial Crimes
> Division relating to phishing? It's not on their webpage or in the
> FAQ.

So far, I've never heard of such a thing.

--
Mike Easter kibitzer, not SC admin

From baloo at ursine.dyndns.org Wed Oct 13 20:20:26 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Wed Oct 13 22:25:39 2004
Subject: [SpamCop-List] Re: Test
References:
Message-ID: <878yaavy51.fsf@ursine.dyndns.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"indigo" writes:

> DevilsPGD wrote:
>> Fred K wrote:
>> > Thanks for the lesson. But I have been having trouble and been
>> > working with SC people. I did not test as a "newby".
>>
>> But yet you still tested in a non-test group...
>
> In his defense, if he was going by what he saw on the "new" NNTP FAQ
> page he wouldn't _know_ that spamcop.test even existed.

On the gripping hand, spamcop* heirarchy isn't big, even on a 24-line console, you could see the entire newsgroup heirarchy without scrolling. It's bloody obvious.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBbeJqUzgNqloQMwcRAgmbAKCeCWYGh829bIc5FoQzDKONrUeorACg4pk/
tFhS1ADMk/EFoedJQG8xSgM=
=Trt2
-----END PGP SIGNATURE-----

From baloo at ursine.dyndns.org Tue Oct 12 22:02:05 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Wed Oct 13 22:35:03 2004
Subject: [SpamCop-List] Re: I want my two dollars!
References:
Message-ID: <87acur466a.fsf@ursine.dyndns.org>

<#secure method=pgp mode=sign>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kenn Nesbitt writes:

> I added $2.00 "fuel" to create a 1Mb test account. PayPal shows that
> the money has been deducted from my PayPal account, but I never
> received a receipt from SpamCop and the $2.00 has not been credited to
> my account.
>
> What's up with this? I can't find any way to contact SpamCop (other
> than snailmail and this forum) to ask them to credit the $2.00 to my
> account.

Had you actually googled before asking, you would have found dozens of archive messages saying service@spamcop.net is the place to mail about anything like this.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBbKi9UzgNqloQMwcRAuEvAJ97Li5KLk+HOKllV/dkUH8zcJkHEQCfVCOi zH/UqgxCsG8LjfD3a9+N4+U= =8u7s -----END PGP SIGNATURE----- From nobody at spamcop.net Thu Oct 14 00:08:14 2004 From: nobody at spamcop.net (Pop (was Spamcop by accident)) Date: Wed Oct 13 23:10:04 2004 Subject: [SpamCop-List] Re: Question re format to use References: Message-ID: "Glenn Daniels" wrote in message news:ckkb49$ukb$1@news.spamcop.net... | "Pop (was Spamcop by accident)" wrote in message | > Hi, | > | > I've started getting spams in another language, I think Chinese. | > When I go to email them to SC, my browser notices the language | > problem and asks me if I want to send them as Unicode, As is, or | > something else I don't recall at the moment, possible a language | > choice. | > ... | | This happens using Netscape Mail Client which by default | makes the subject of your forward [Fwd: Original Subject]. | If the original was in unicode, then yours will be also. | | For my purposes it suits me to delete the "Subject:" entirely | in such cases, as then the question does not arise. The encoding | you select applies only to your part of the message and | has no bearing on your attachments. | | Happy hunting! | Glenn Aha! You're right, of couse! It wouldn't impact the attachment! Duhhh!! Not useing Netscape though; have IE on XP. Thanks for the kick, I mean, reminder. Sumanagun! Pop -- Dumb questions are SO easy to ask And the answers are usually embarrassing. From agent01413 at my-deja.com Wed Oct 13 22:33:23 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Wed Oct 13 23:30:03 2004 Subject: [SpamCop-List] attn deputies:bad report Message-ID: Mind checking spam reports related to 168.103.150.113 That IPA is used by a credit card processor to send order information to clients. Manual mail from that domain supposedly doesn't come from that server, or even from that /24. 
I am whitelisting it for my purposes, but I am wondering if someone made a bad report. Report occurred sometime after 10-10 and before 10-13. We bounced mail from it on 10-12. We got mail from it clean late on 10th and 13th. tia From Merlyn at Spamcop.net Thu Oct 14 01:57:57 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Thu Oct 14 01:00:06 2004 Subject: [SpamCop-List] Re: attn deputies:bad report References: Message-ID: "Socks the white house cat" wrote in message news:Xns9581DB48D4AB4votekerry2004@216.154.195.61... > Mind checking spam reports related to 168.103.150.113 > > That IPA is used by a credit card processor to send order information to > clients. Manual mail from that domain supposedly doesn't come from that > server, or even from that /24. I am whitelisting it for my purposes, but > I am wondering if someone made a bad report. Report occurred sometime > after > 10-10 and before 10-13. We bounced mail from it on 10-12. We got mail > from it clean late on 10th and 13th. > Socks, did ya check em out? This is just an opinion: canonical name lestat.processing.net. addresses 168.103.150.113 The Processing Network (PROCESSING3-DOM) 1461 Alice St #404 Oakland, CA 94612 US They name their server after a bloodsucking vampire - Anyone can process credit cards, It's not a tough thing to do. They cannot be too large if they are sharing a server with: AIRSOFTWASHINGTON.COM ALPHA5-WWII.COM BATTLESIM.COM CHILDSOFTWARE.NET CITYOFIMMORTALS.COM GOATTALK.COM HELLZHUNDZ.COM MERCHACCOUNT.COM PROCESSING.NET SECTION8OUTFIT.COM SPORTBIKEREVIEWS.COM THEWELLSFAMILY.ORG WASHINGTONAIRSOFT.COM WWIIAIRSOFT.COM WWIICON.COM You would think they would have their own secure server. This also looks real secure: Their SSL Cert is www.battlesim.com I hope you researched this company before you started doing business with them. 
They are also in the following blocklists: NOMOREFUNN local bl at moensted.dk: no-more-funn.moensted.dk -> 127.0.0.7 added 2002-04-11; spam support - netblk-q0228-65-125-188-0 KROPKAALL Quite aggressive database, maintained by a few private persons: all.rbl.kropka.net -> 127.0.0.1 KROPKAIP kropka ip: ip.rbl.kropka.net -> 127.0.0.1 168.103.150.113 listed in bl.spamcop.net (127.0.0.2) Causes of listing SpamCop users have reported system as a source of spam less than 10 times in the past week Additional potential problems (these factors do not directly result in spamcop listing) DNS error: 168.103.150.113 has no reverse dns Listing History In the past 3.0 days, it has been listed 2 times for a total of 2.1 days I think you better keep them whitelisted. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From nobody at spamcop.net Thu Oct 14 08:11:56 2004 From: nobody at spamcop.net (Ellen) Date: Thu Oct 14 08:35:19 2004 Subject: [SpamCop-List] Re: attn deputies:bad report References: Message-ID: "Socks the white house cat" wrote in message news:Xns9581DB48D4AB4votekerry2004@216.154.195.61... > Mind checking spam reports related to 168.103.150.113 > > That IPA is used by a credit card processor to send order information to > clients. Manual mail from that domain supposedly doesn't come from that > server, or even from that /24. I am whitelisting it for my purposes, but > I am wondering if someone made a bad report. Report occurred sometime after > 10-10 and before 10-13. We bounced mail from it on 10-12. We got mail > from it clean late on 10th and 13th. > Nothing wrong with the reports that I can see -- the headers are clearly showing the mails came from that IP and the spam starts: "
Dear valued eBay member:
It has come to our attention that your eBay billing informations are
out of order" You have an address for them, I will write to them -- you can send the address to me at deputies spamcop.net with a brief reminder as to why you are sending it. Ellen From spamcop at oitc.com Thu Oct 14 09:59:50 2004 From: spamcop at oitc.com (spamcop) Date: Thu Oct 14 09:00:04 2004 Subject: [SpamCop-List] ug.net.mystufftoday.com Message-ID: Re http://www.spamcop.net/sc?id=z682277425za57699326f6dbf0af202520ea27f6b5fz Tracking link: http://ug.net.mystufftoday.com?r=t12k62 No recent reports, no history available Cannot resolve http://ug.net.mystufftoday.com?r=t12k62 Yet % host ug.net.mystufftoday.com ug.net.mystufftoday.com is an alias for mystufftoday.com. mystufftoday.com has address 61.109.250.215 mystufftoday.com has address 200.139.105.66 mystufftoday.com has address 200.139.105.67 mystufftoday.com has address 200.139.105.68 mystufftoday.com has address 211.115.213.176 From agent01413 at my-deja.com Thu Oct 14 08:28:36 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Thu Oct 14 09:25:03 2004 Subject: [SpamCop-List] Re: attn deputies:bad report References: Message-ID: Pausing only once for breath, "Ellen" said: > You have an address for them, I will write to them -- you can send the > address to me at deputies spamcop.net with a brief reminder as to > why you are sending it. thanks. done. I also decided it was time to pay for a membership, since this is the second time I've escalated a problem like this and gotten a good, fast response from Ellen. As soon as I reset my paypal password, which I can never remember, that will be on the way. From Alexis at NotBob.frop Thu Oct 14 10:28:39 2004 From: Alexis at NotBob.frop (Alexis) Date: Thu Oct 14 09:30:04 2004 Subject: [SpamCop-List] Re: Detecting False WHOIS Data References: <416D87D6.52AEB813@spamisevil.com> <416D9117.E825047B@spammersgotohell.com> Message-ID: "Steve Holmes" wrote in message news:416D9117.E825047B@spammersgotohell.com... 
> Merlyn wrote: > > > (snip) > > > > What makes you think it's in New Jersey? > > There is no State in his Address. (snip) > > My mistake, Merlyn. That's an abandoned ID. Here's his latest: > > Tim Welch ( ) > +1.8569851974 > Fax: none > 549 Main St. > Lumberton, NJ 08048 > US > > -- > Steve Holmes > Executive Producer > "The New Ball Game" > "RailFAN" > 319-337-9507 http://zip4.usps.com/zip4/welcome.jsp shows a valid address the phone number doesn't have to be for that address, it just has to work, it doesn't matter where it is. to check email addresses for validity http://www.dnsstuff.com/ http://www.addresses.com/email_verify.php also checks for catch-alls From d*r*i*c*h*t*e*r at e*s*s*i.f*r*****without*asterisks**** Thu Oct 14 17:07:20 2004 From: d*r*i*c*h*t*e*r at e*s*s*i.f*r*****without*asterisks**** (Dan) Date: Thu Oct 14 10:10:29 2004 Subject: [SpamCop-List] Re: Detecting False WHOIS Data In-Reply-To: <416D9117.E825047B@spammersgotohell.com> References: <416D87D6.52AEB813@spamisevil.com> <416D9117.E825047B@spammersgotohell.com> Message-ID: > Tim Welch ( ) > +1.8569851974 > Fax: none > 549 Main St. > Lumberton, NJ 08048 > US Oh my goodness: a White Pages reverse lookup shows that there really is someone by that name at precisely that address: http://snipurl.com/9rjh http://www.whitepages.com/search/Reverse_Address?housenumber=549&street=Main+Street&city_zip=08048&state_id= However, a reverse phone number lookup shows that the phone number is not his: http://snipurl.com/9rjj http://www.whitepages.com/search/Reverse_Phone?phone=8569851974 What's the e-mail address? If it bounces, I'd say you have a case and you can report both the phone number and e-mail address as faulty. (In other words, the only way the registrar could contact the real person is by snail mail, which they're not going to like.) If the e-mail address doesn't bounce, I wouldn't say that the phone number by itself is worth reporting. 
-- Free clue to ICANN: When even spamming, fake-renewal-notice-spewing, domain-slamming scumbag registrars like VeriSlime aren't afraid to write the Commerce Department and call you scum, you've got problems. - "Tackhead", writing on Slashdot about VeriSign's criticism of ICANN From D.Gray at picture.oscar.wilde Thu Oct 14 16:35:31 2004 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Thu Oct 14 10:35:03 2004 Subject: [SpamCop-List] Quick reporting bug, or feature? Message-ID: For each spam message I Quick Report, SC only sends reports to addresses identified as "Administrator of network where email originates". Reports are never sent to addresses identified as either "Third party interested in email source" or "Administrator of network hosting website referenced in spam". However by default these addresses would be targeted if Full Reporting was used. Is this a bug or a feature of Quick Reporting? If it is a feature, what is the reason? Cheers. From Spam_N_Scams_Reporter at yahoo.whatever Thu Oct 14 09:00:04 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Thu Oct 14 11:05:03 2004 Subject: [SpamCop-List] Re: Detecting False WHOIS Data In-Reply-To: References: <416D87D6.52AEB813@spamisevil.com> <416D9117.E825047B@spammersgotohell.com> Message-ID: Merlyn wrote: > "Steve Holmes" wrote in message > news:416D9117.E825047B@spammersgotohell.com... > >>Merlyn wrote: >> >> >>>(snip) >>> >>>What makes you think it's in New Jersey? >>>There is no State in his Address. (snip) >> >>My mistake, Merlyn. That's an abandoned ID. Here's his latest: >> >>Tim Welch ( ) >> +1.8569851974 >> Fax: none >> 549 Main St. >> Lumberton, NJ 08048 >> US >> > > > > Sorry can't find anything on that one. > (856) 985-1974 Frederick, John H & Joanne F more info 36 Pocahontas Trl Medford, NJ 08055-8176 (856) 985-1974 Medford is close to Lumberton. 
Timothy J Welch 549 Main St Lumberton, NJ 08048 (609) 261-4345 [Contacting lycos-com.mr.outblaze.com [208.36.123.75]...] [Connected] 220 spf7-15.us4.outblaze.com ESMTP Postfix HELO hexillion.com 250 spf7-15.us4.outblaze.com MAIL FROM: 250 Ok RCPT TO: 250 Ok Looks like the email addy is valid. From nobody at devnull.spamcop.net Thu Oct 14 11:29:03 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Oct 14 11:30:02 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-3BDCCD.15353114102004@news.cesmail.net... > For each spam message I Quick Report, SC only sends reports to addresses > identified as "Administrator of network where email originates". > Reports are never sent to addresses identified as either "Third party > Is this a bug or a feature of Quick Reporting? If it is a feature, what > is the reason? If the answer isn't in the FAQ under the Help functions on the www.spamcop.net pages, I know that the FAQ over in the web-based Forum does ... http://forum.spamcop.net/forums/index.php? From MikeE at ster.invalid Thu Oct 14 09:31:33 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 11:30:17 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: Dorian Gray wrote: > For each spam message I Quick Report, SC only sends reports to > addresses identified as "Administrator of network where email > originates". Reports are never sent to addresses identified as either > "Third party interested in email source" or "Administrator of network > hosting website referenced in spam". However by default these > addresses would be targeted if Full Reporting was used. > > Is this a bug or a feature of Quick Reporting? If it is a feature, > what is the reason? Quick reporting only notifies source, not spamvertisers. I don't know about 3rd parties for source. I don't think there is an official faq for quick reporting. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Oct 14 09:44:43 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 11:45:02 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: WazoO wrote: > know that the FAQ over > in the web-based Forum does ... > http://forum.spamcop.net/forums/index.php? I don't think so. I looked over there and even saw a graphic for the VER function, but not the answer about 3rd parties. -- Mike Easter kibitzer, not SC admin From kenbrody at spamcop.net Thu Oct 14 12:47:13 2004 From: kenbrody at spamcop.net (Kenneth Brody) Date: Thu Oct 14 11:50:04 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: <416E9F81.88105427@spamcop.net> Dorian Gray wrote: > > For each spam message I Quick Report, SC only sends reports to addresses > identified as "Administrator of network where email originates". > Reports are never sent to addresses identified as either "Third party > interested in email source" or "Administrator of network hosting website > referenced in spam". However by default these addresses would be > targeted if Full Reporting was used. > > Is this a bug or a feature of Quick Reporting? If it is a feature, what > is the reason? I believe that since, by definition, quick reporting doesn't let the reporter choose the "correct" places to report, and one of the main tenets of SpamCop is that it's a tool to help you send reports, and not an automated report-sender, this is how quick reporting must be. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. 
Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ From MikeE at ster.invalid Thu Oct 14 10:07:48 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 12:10:04 2004 Subject: [SpamCop-List] Re: ug.net.mystufftoday.com References: Message-ID: spamcop wrote: www.spamcop.net/sc?id=z682277425za57699326f6dbf0af202520ea27f6b5fz > Tracking link: http://ug.net.mystufftoday.com?r=t12k62 > No recent reports, no history available > > Cannot resolve http://ug.net.mystufftoday.com?r=t12k62 A test you can do to get a clue about what SC is 'struggling' with is to time how long it takes for your tracker to come up, and/or how long it takes SC if you put the naked link into the parser. Answer: about 24 secs to fail to resolve That means that the parser is timing out trying to resolve it. > Yet > > % host ug.net.mystufftoday.com > ug.net.mystufftoday.com is an alias for mystufftoday.com. > mystufftoday.com has address 61.109.250.215 > mystufftoday.com has address 200.139.105.66 > mystufftoday.com has address 200.139.105.67 > mystufftoday.com has address 200.139.105.68 > mystufftoday.com has address 211.115.213.176 I would be notifying the provider for the treetops nameserver/s - all 6 of them have the same IP at telus, but sometimes 3 of the nameservers change their address too. 
ns1.treetops2.com A (Address) 208.38.61.228 ns1.treetops3.com A (Address) 208.38.61.228 ns1.treetops4.com A (Address) 208.38.61.228 ns1.treetops5.com A (Address) 208.38.61.228 ns1.treetops6.com A (Address) 208.38.61.228 ns1.treestops3.com A (Address) 200.139.105.66 ns1.treestops5.com A (Address) 200.184.84.131 ns1.treestops6.com A (Address) 200.139.105.67 Then I would check on the nameservice for the nameservers, which is very pokey, flakey, and has stealth nameservers - aczl.com - so I would check on /its/ nameservice - mjmhosting.com - which is where you finally get something doing its own nameserving. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Oct 14 10:12:31 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 12:15:03 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: <416E9F81.88105427@spamcop.net> Message-ID: Kenneth Brody wrote: > I believe that since, by definition, quick reporting doesn't let the > reporter choose the "correct" places to report, and one of the main > tenets of SpamCop is that it's a tool to help you send reports, and > not an automated report-sender, this is how quick reporting must be. That would be logical. SC might want to notify the least possible, but satisfy the 'problem' that the source is going to count toward the SCbl, so it is 'imperative' that at least the source IP space provider be notified. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Thu Oct 14 18:12:31 2004 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Thu Oct 14 12:15:18 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: In article , "Mike Easter" wrote: > Quick reporting only notifies source, not spamvertisers. Hmmm. I would have thought spamvertisers were more juicy targets (more stable, more trouble for the spammers when the sites are taken down) than the spam sources. 
This would mean that Quick Reporting is limited compared with Full Reporting, in terms of the effect it can have. > I don't think there is an official faq for quick reporting. I searched the SC website (help/FAQ _and_ Forum) before posting here - I couldn't find anything. Cheers. From MikeE at ster.invalid Thu Oct 14 10:31:37 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 12:35:02 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: Dorian Gray wrote: > "Mike Easter" >> Quick reporting only notifies source, not spamvertisers. > > Hmmm. I would have thought spamvertisers were more juicy targets > (more stable, more trouble for the spammers when the sites are taken > down) than the spam sources. This would mean that Quick Reporting is > limited compared with Full Reporting, in terms of the effect it can > have. Absolutely. Some of us think there shouldn't be any such thing as quick reporting; that it is irresponsible. Traditionally, the SC parser has been 'full of' frailties and errors. Ideally the human spamcop reporter overseeing the 'crude' automated algorithm is able to use human 'good sense' and spamfighting experience to recognize when the parser has 'gone wrong'. Some SC errors are very bad. They ID the wrong IP source, cause that IP to get listed, which can cause innocent people's mail to get blocked -- or can cause your own provider's server to get listed, which can cause you to lose your mail account. More recently, as SC has continued to improve the methods of the algorithm and introduce mailhosts and such and reduce the chances for errors, the 'hazards' of quick reporting are reduced - but they are still present. 
In addition; not only are there reporters who 'don't mind' shirking the responsibility of oversight in favor of wanting to report more spam, whether it is reported accurately or not - but there are also reporters who feel that their capacity for oversight is 'diminished' anyway - that they don't know what they are doing about looking at headers and such, so what's the use of their being responsible anyway. Obviously there's more than one set of opinions on the subject, and also obviously SC 'allows' quick reporting - so apparently the 'condition' is acceptable to the powers that be. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Oct 14 14:00:24 2004 From: nobody at spamcop.net (Ellen) Date: Thu Oct 14 13:05:12 2004 Subject: [SpamCop-List] Re: attn deputies:bad report References: Message-ID: "Socks the white house cat" wrote in message news:Xns95824C0F18247votekerry2004@216.154.195.61... > Pausing only once for breath, "Ellen" said: > > > You have an address for them, I will write to them -- you can send the > > address to me at deputies spamcop.net with a brief reminder as to > > why you are sending it. > > thanks. done. > > I also decided it was time to pay for a membership, since this is the > second time I've escalated a problem like this and gotten a good, fast > response from Ellen. As soon as I reset my paypal password, which I can > never remember, that will be on the way. > cool :-) E From nobody at spamcop.net Thu Oct 14 14:21:42 2004 From: nobody at spamcop.net (indigo) Date: Thu Oct 14 13:25:06 2004 Subject: [SpamCop-List] Sanford Wallace back with new tricks...... Message-ID: http://tinyurl.com/6nrhp The Federal Trade Commission has filed a suit against two Internet advertising and software firms that allegedly infected users' computers with spyware, then offered to sell them software to fix the problem. 
The FTC filed the complaint against New Hampshire resident Sanford Wallace and his two firms -- Seismic Entertainment Productions and SmartBot.Net. The companies marketed two programs, Spy Wiper and Spy Deleter. And more at http://yro.slashdot.org/yro/04/10/08/1418223.shtml?tid=123&tid=172 From MikeE at ster.invalid Thu Oct 14 11:37:18 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 13:40:04 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: Mike Easter wrote: > Traditionally, the SC parser has been 'full of' frailties and errors. > Some SC errors are very bad. They ID the wrong IP source, cause that > IP to get listed, which can cause innocent people's mail to get > blocked -- or can cause your own provider's server to get listed, > which can cause you to lose your mail account. Losing your mail account can also equal losing your entire internet access; which is a serious mess. > More recently, as SC has continued to improve the methods of the > algorithm and introduce mailhosts and such and reduce the chances for > errors, the 'hazards' of quick reporting are reduced - but they are > still present. An example of SC error was/is being discussed in .geeks [for some reason] in the thread From: "Chris F. Willoughby" Newsgroups: spamcop.geeks Subject: Hmm.. Is this right? Date: Wed, 13 Oct 2004 12:56:06 -0700 Message-ID: that is an example of someone using mailhosts and reporting their own provider if they weren't doing oversight. That kind of thing makes a provider very unhappy. Why would they want to keep a client who might errantly cause them to get SC blocklisted? -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Oct 14 13:48:58 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Oct 14 13:50:02 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: "Mike Easter" wrote in message news:ckm6qe$sc9$1@news.spamcop.net... 
> WazoO wrote: > > know that the FAQ over > > in the web-based Forum does ... > > http://forum.spamcop.net/forums/index.php? > > I don't think so. I looked over there and even saw a graphic for the VER > function, but not the answer about 3rd parties. Dang, you're right. I was specifically thinking of JeffG's "What is Quick Reporting?" .. but looking at it, the "definition" isn't there. And I'll be danged, several searches of the spamcop.net web pages for the words or word sequence of quick-report and "quick report" come back with zero hits. For as many times as it's been explained here in the newsgroups and over in those Forum discussions, I can't explain why it's not in either FAQ version. I'll fix the one in the Forum. I haven't heard back from Courtney on the last requested change on the FAQ on the spamcop.net pages, so not sure if she's still involved ... maybe RW will catch this? (Ellen responded to the last Deputies note about the last FAQ change) From MikeE at ster.invalid Thu Oct 14 11:57:28 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 14:00:03 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: Mike Easter wrote: > Some of us think there shouldn't be any such thing as > quick reporting; that it is irresponsible. In the example I 'cited' being discussed in .geeks, if I'm understanding the situation properly; if that reporter Chris were quick reporting a 'gang' of similar spams and got the surewest server^1 listed - that would be very bad for both the reporter Chris and the provider. SC identifies the mx of the mailhost [I presume from the output] surewest as the spamsource for reasons which aren't apparent, because I don't really understand how mailhosting works for the algorithm - except that if you don't have it 'right' - you better not be taking a chance on quick reporting -- and if you don't have mailhosts configured at all, you /really/ better not be quick reporting. 
Currently SC calls the source of www.spamcop.net/sc?id=z682083724z8653378c34f35f353a2e50b1a3f2fb86z 66.60.128.65 -- but surewest's MX is ba.mc.surewest.net A (Address) 66.60.128.65 altho' 66.60.128.65 isn't configured quite right and doesn't rDNS back the other way 10/14/04 10:46:16 dns 66.60.128.65 nslookup 66.60.128.65 No reverse DNS In addition, dnsstuff has this advice for surewest: Details: ns1.surewest.net. (an authoritative nameserver for 128.60.66.in-addr.arpa., which is in charge of the reverse DNS for 66.60.128.65) says that there are no PTR records for 66.60.128.65. To get reverse DNS set up for 66.60.128.65, you need to speak to your Internet provider. You could also check with dnsadmin@surewest.net., who is in charge of the 128.60.66.in-addr.arpa. zone. Note that all Internet accessible hosts are expected to have a reverse DNS entry (per RFC1912 2.1), and many mailservers (such as AOL) will likely block E-mail from mailservers with no reverse DNS entry. To see the reverse DNS traversal, to make sure that all DNS servers are reporting the correct results, you can Click Here. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Oct 14 12:00:59 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 14:00:18 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: WazoO wrote: > Dang, you're right. I was specifically thinking of JeffG's > "What is Quick Reporting?" .. but looking at it, the > "definition" isn't there. And I'll be danged, several > searches of the spamcop.net web pages for the > words or word sequence of quick-report and > "quick report" come back with zero hits. > > For as many times as it's been explained here in the > newsgroups and over in those Forum discussions, > I can't explain why it's not in either FAQ version. > I'll fix the one in the Forum. 
I haven't heard back > from Courtney on the last requested change on the > FAQ on the spamcop.net pages, so not sure if she's > still involved ... maybe RW will catch this? (Ellen > responded to the last Deputies note about the last > FAQ change) I tho't maybe the powers that be were trying to keep quick reporting a 'secret' so as to keep more people from using it. It is a very unhealthy feature, and only serves to increase the number of reports, while also serving to increase the number of errant source reports, the worse kind of SC result. There don't actually /need/ to be more reports; there need to be /less/ errant reports. I think. -- Mike Easter kibitzer, not SC admin From dkona7b02 at sneakemail.com Thu Oct 14 12:26:30 2004 From: dkona7b02 at sneakemail.com (Spam Hater) Date: Thu Oct 14 14:53:42 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? In-Reply-To: Message-ID: <3.0.5.32.20041014112630.010413c8@loki.fstrf.org> This is a feature, not a bug. The reasoning goes that if you can't be bothered to verify where the reports are going to be sent, then they simply won't be sent. When you use Full Reporting, there is that message warning you to check the report carefully to insure that it is going to the proper place so that sysadmins won't be bothered with false reports and give up paying attention to SpamCop reports in the future. Rather than take the chance of large numbers of false reports going out, they limit quick reporting to just the original source and nothing more. At 03:35 PM 10/14/2004 +0100, Dorian Gray typed: >For each spam message I Quick Report, SC only sends reports to addresses >identified as "Administrator of network where email originates". >Reports are never sent to addresses identified as either "Third party >interested in email source" or "Administrator of network hosting website >referenced in spam". However by default these addresses would be >targeted if Full Reporting was used. 
> >Is this a bug or a feature of Quick Reporting? If it is a feature, what >is the reason? From nobody at devnull.spamcop.net Thu Oct 14 14:54:05 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Oct 14 14:55:05 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: "Mike Easter" wrote in message news:ckmepv$9pc$1@news.spamcop.net... > > I tho't maybe the powers that be were trying to keep quick reporting a > 'secret' so as to keep more people from using it. It is a very unhealthy > feature, and only serves to increase the number of reports, while also > serving to increase the number of errant source reports, the worse kind > of SC result. There don't actually /need/ to be more reports; there > need to be /less/ errant reports. > > I think. Well, here's what I did. Actually, I see that JeffG's FAQ entry did say "Quick Reporting allows the reporting of only spam sources, very quickly." but that was only the first line .. then he went on to explain the various e-mail and web-based e-mail submittal actions. That first line has been added to. Also added references to other "discussion points" (which include comments on the down-side of quick-reporting) http://forum.spamcop.net/forums/index.php?showtopic=163 (Talk about Topic drift ... one link goes into the deep end of my request / suggestion for an expanded layout of Forum / Discussion areas over there ... weird ...) Then added another entry to the SpamCop Glossary I started "over there" http://forum.spamcop.net/forums/index.php?showtopic=2530 From MikeE at ster.invalid Thu Oct 14 13:15:49 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 15:15:04 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: WazoO wrote: > > Well, here's what I did. Actually, I see that JeffG's FAQ entry > did say "Quick Reporting allows the reporting of only spam > sources, very quickly." but that was only the first line .. 
then > he went on to explain the various e-mail and web-based e-mail > submittal actions. That first line has been added to. > > Also added references to other "discussion points" (which > include comments on the down-side of quick-reporting) > http://forum.spamcop.net/forums/index.php?showtopic=163 I'm not finding references to discussion points or downside. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Oct 14 15:40:06 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Oct 14 15:45:04 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: "Mike Easter" wrote in message news:ckmj68$gq2$1@news.spamcop.net... > WazoO wrote: > > > > Also added references to other "discussion points" (which > > include comments on the down-side of quick-reporting) > > http://forum.spamcop.net/forums/index.php?showtopic=163 > > I'm not finding references to discussion points or downside. There should be a link titled "Is quick-reporting still BETA?" .... third line of text ..???? From MikeE at ster.invalid Thu Oct 14 13:53:00 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 15:55:09 2004 Subject: [SpamCop-List] Re: Quick reporting bug, or feature? References: Message-ID: WazoO wrote: > "Mike Easter" >> I'm not finding references to discussion points or downside. > > There should be a link titled "Is quick-reporting > still BETA?" .... third line of text ..???? Yep, I found that link and went there; but I'm not finding downside in there. http://forum.spamcop.net/forums/index.php?showtopic=1672&st=30&p=11991&#entry11991 I'll go look again again. I found this WazoO "Basically, quick-reporting only spends time looking for and reporting to the source of the e-mail. It was this submit, boom, and complaint was sent that ended up with way too many users reporting themselves/their ISP that caused the halt to the blanket availability of this particular tool. 
" -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Thu Oct 14 22:42:22 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Oct 14 16:45:02 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: <87acur466a.fsf@ursine.dyndns.org> Message-ID: "Paul Johnson" wrote in message news:87acur466a.fsf@ursine.dyndns.org... > <#secure method=pgp mode=sign> > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Kenn Nesbitt writes: > > > I added $2.00 "fuel" to create a 1Mb test account. PayPal shows that > > the money has been deducted from my PayPal account, but I never > > received a receipt from SpamCop and the $2.00 has not been credited to > > my account. > > > > What's up with this? I can't find any way to contact SpamCop (other > > than snailmail and this forum) to ask them to credit the $2.00 to my > > account. > > Had you actually googled before asking, you would have found dozens of > archive messages saying service@spamcop.net is the place to mail about > anything like this. Not that I particularly have any interest in this thread, but, just out of interest, what did you google to come up with that address? I've tried several searches under the criteria of the OPs original query and so far not one of them has come up with that address. I'm not inclined to waste tons of time searching in that fashion. From agent01413 at my-deja.com Thu Oct 14 16:05:43 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Thu Oct 14 17:05:05 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Pausing only once for breath, "indigo" said: >> >> If some poster is being /persistently/ annoying to 'you', the >> ubiquitous you, not any particular you, after whatever has been said >> about what could be reformed, such as posting style - the best thing >> to do is to ignore them, by 'mentally' or 'mechanically' killfiling >> them. 
That's the way to deal with trolls and that's the way to deal >> with non-trolls who are just being a pain. > > Some folks over there *do* wish to killfile s/h/it, but when someone > morphs 5 times in one day (true statement) it's hard for others to > keep their KFs in order. > When that happens, I suggest that they install xnews. you can killfile on just about anything. For instance, I forget who this one is, but I think it is a persistent morph on .social whom I haven't seen in awhile: [^spamcop\.social$] % Another morphing twit for Bush Score:: -9999 NNTP-Posting-Host: 64.186.198. % Another morphing twit for Bush Score:: -9999 NNTP-Posting-Host: 64.186.199. They can morph hourly, for all I care, but until they switch where they post news from, I won't see them. And Xnews is free. You can killfile on virtually any header out there. Moronis over on nanae likes to morph. Some of my rules for him are: %Another moronis morph 1 Score:: -9999 NNTP-Posting-Host: 212.67.1[012][0-9]. %Another moronis morph 3 Score:: -9999 X-Complaints-To: abuse@plus.net.uk Any news client that can't stay ahead of the garden variety morphing kook isn't up to today's requirements for usenet. From nobody at spamcop.net Thu Oct 14 18:11:12 2004 From: nobody at spamcop.net (indigo) Date: Thu Oct 14 17:15:03 2004 Subject: [SpamCop-List] Re: Sanford Wallace back with new tricks...... References: Message-ID: Bob W. wrote: > I think most of us (tinu) figured his "rehabilitation" wouldn't last > long. > > It's nice to see this action! Hey, he was "clean" for quite a long time, or maybe he was just flying under the radar... 
From nobody at spamcop.net Thu Oct 14 18:17:58 2004 From: nobody at spamcop.net (indigo) Date: Thu Oct 14 17:20:04 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Socks the white house cat wrote: > Pausing only once for breath, "indigo" said: > > > > Some folks over there *do* wish to killfile s/h/it, but when someone > > morphs 5 times in one day (true statement) it's hard for others to > > keep their KFs in order. > > > > When that happens, I suggest that they install xnews. you can > killfile on just about anything. I'm not going to be forced (nor should anyone else) to change my preferred newsreader to avoid some troll. In any case, that's a sub issue -- the one I'm going on about is the almost total lack of posting rules on the new FAQ help page. From MikeE at ster.invalid Thu Oct 14 15:28:42 2004 From: MikeE at ster.invalid (Mike Easter) Date: Thu Oct 14 17:30:03 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: indigo wrote: > Mike Easter wrote: > It used to forbid html and attachments. So you don't mind if everyone > starts posting with attachments whenever they please? No, I'm against html and attachments or anything other than plaintext anywhere but .spam [or .test] - but it would be nice to have some 'latitude' somewhere like .spam or .test so that some kind of 'illustration' of something could be done with a pointer to it. We also have some other troubles cropping up with posting style from time to time - but making rules is one thing, enforcing them is another, it all gets a little sticky. We aren't /really/ moderated here - altho' I can guess at some misbehaviors which would make a deputy very unhappy. 
>> If some poster is being /persistently/ annoying to 'you', the >> ubiquitous you, not any particular you, after whatever has been said >> about what could be reformed, such as posting style - the best thing >> to do is to ignore them, by 'mentally' or 'mechanically' killfiling >> them. That's the way to deal with trolls and that's the way to deal >> with non-trolls who are just being a pain. > > Some folks over there *do* wish to killfile s/h/it, but when someone > morphs 5 times in one day (true statement) it's hard for others to > keep their KFs in order. Someone somewhere may be morphing a lot at sometime, but my brief perusal of .social looks like LadySarah has been that in .social since Sep 25. How hard is /that/ to deal with? -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Oct 14 22:06:43 2004 From: nobody at devnull.spamcop.net (Steve Gilder) Date: Thu Oct 14 21:10:28 2004 Subject: [SpamCop-List] Re: ug.net.mystufftoday.com References: Message-ID: "spamcop" wrote in message news:BD93F087.E189%spamcop@oitc.com... > Re > http://www.spamcop.net/sc?id=z682277425za57699326f6dbf0af202520ea27f6b5fz > > > Tracking link: http://ug.net.mystufftoday.com?r=t12k62 > No recent reports, no history available > > Cannot resolve http://ug.net.mystufftoday.com?r=t12k62 > > Yet > > % host ug.net.mystufftoday.com > ug.net.mystufftoday.com is an alias for mystufftoday.com. > mystufftoday.com has address 61.109.250.215 > mystufftoday.com has address 200.139.105.66 > mystufftoday.com has address 200.139.105.67 > mystufftoday.com has address 200.139.105.68 > mystufftoday.com has address 211.115.213.176 > This spammer is one I have been after for a while. Moniker (the registrar is the problem - do nothings!) 
I reported the following domains as having inaccurate info against Moniker with InterNIC: mythingsforme.com mythingsusa.com ourpillsbrand.com ourpillscomplete.com thepillsbrand.com yourstuffchoice.com yourstuffforme.com yourstuffforus.com yourthingsplace.com yourthingssite.com yourthingssoltuion.com mypills4us.com mypillsusa.com mypillsvalues.com mypillsweb.com I also included the treetops1-6 dot com's since they also have inaccurate info. I bet in 15 days no change will be made (demanded) by Moniker. From spamcop at bnmnetworks.net Fri Oct 15 00:45:02 2004 From: spamcop at bnmnetworks.net (Scott Nelson) Date: Thu Oct 14 23:50:23 2004 Subject: [SpamCop-List] Re: Secret Service - Phishing References: <416D82BB.CBC9A21F@spamisevil.com> Message-ID: Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov For more info: http://www.ftc.gov/bcp/conline/edcams/spam/consumer.htm and http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm Scotty "Mike Easter" wrote in message news:ckkg01$7o1$1@news.spamcop.net... > Steve Holmes wrote: > > What is the contact info. for the Secret Service Financial Crimes > > Division relating to phishing? It's not on their webpage or in the > > FAQ. > > So far, I've never heard of such a thing. > > -- > Mike Easter > kibitzer, not SC admin From nobody at spamcop.net Thu Oct 14 23:48:35 2004 From: nobody at spamcop.net (Miss Betsy) Date: Thu Oct 14 23:50:48 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: "Mike Easter" wrote in message news:ckmqvd$tka$1@news.spamcop.net... > indigo wrote: > > Mike Easter wrote: > > > > It used to forbid html and attachments. So you don't mind if everyone > > starts posting with attachments whenever they please? 
> > No, I'm against html and attachments or anything other than plaintext > anywhere We also > have some other troubles cropping up with posting style from time to > time - but making rules is one thing, enforcing them is another, it all > gets a little sticky. We aren't /really/ moderated here - Since I have been in the sc ng, it has been mostly 'moderated' by regulars. Usually those who don't want to post in plain text, inline, don't come back, it seems like, after being told by several people, it isn't good form - or conform. It does help to have the 'rules' posted so that people aren't upset at being 'scolded' for not knowing any better. Miss Betsy From spamcop at bnmnetworks.net Fri Oct 15 00:47:32 2004 From: spamcop at bnmnetworks.net (Scott Nelson) Date: Thu Oct 14 23:50:57 2004 Subject: [SpamCop-List] Re: Secret Service - Phishing References: <416D82BB.CBC9A21F@spamisevil.com> Message-ID: The FTC handles this stuff now. Report suspicious activity to the FTC. If you get spam that is phishing for information, forward it to spam@uce.gov For more info: http://www.ftc.gov/bcp/conline/edcams/spam/consumer.htm and http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm Scotty "D.F. Manno" wrote in message news:dfm2a3l0t2-8E507E.17083513102004@news.cesmail.net... > In article <416D82BB.CBC9A21F@spamisevil.com>, > Steve Holmes wrote: > > > What is the contact info. for the Secret Service Financial Crimes > > Division relating to phishing? It's not on their webpage or in the FAQ. > > There's a Web form at: > > > -- > D.F. Manno > dfm2a3l0t2@spymac.com From spamcop at bnmnetworks.net Fri Oct 15 00:55:36 2004 From: spamcop at bnmnetworks.net (Scott Nelson) Date: Fri Oct 15 00:00:03 2004 Subject: [SpamCop-List] Re: SC Password reset - harassment? References: Message-ID: > > > Laden or unladen? > > > > Why, I dunno Aaaaaahhhhhhhhh! > > It's always nice to play to a hip room. > > -- > ...Bob W. --->ROFL! Nice random Marty Python reference! 
;-) Scotty From nobody at nobody.net Fri Oct 15 01:01:31 2004 From: nobody at nobody.net (Nobody) Date: Fri Oct 15 00:05:04 2004 Subject: [SpamCop-List] Mailhosts and reverse DNS (No unique hostname found for source...) Message-ID: Hi there, My school and its ISP have had some wonderful past experiences with configuring the DNS servers such that it causes problems that are tough to debug. Right now, when I try to report a spam, SC says that one of the servers can't be trusted, because it doesn't have a unique host name (I suppose that either means it doesn't do reverse DNS properly). Here's the line from the detailed SC report (which I've canceled, BTW): ---------- 3: Received: From Amnesix.uqss.uquebec.ca ([192.77.51.5]) by ns1.etsmtl.ca (WebShield SMTP v4.5 MR1a); id 1097811082122; Thu, 14 Oct 2004 23:31:22 -0400 No unique hostname found for source: 192.77.51.5 ETS received mail from sending system 192.77.51.5 ---------- I used an on-line web tool to reverse DNS 192.77.51.5 and it yields the following: ---------- Reverse Lookup Results Host Type Value 5.51.77.192.in-addr.arpa PTR Amnesix.uqss.uquebec.ca 51.77.192.in-addr.arpa NS clouso.risq.qc.ca 51.77.192.in-addr.arpa NS Amnesix.uqss.uquebec.ca 51.77.192.in-addr.arpa NS Asterix.uqss.uquebec.ca clouso.risq.qc.ca A 192.26.210.1 ---------- The PTR line appears to match what's in the SMTP header. But perhaps SC's lookup was different (or worse, the reverse DNS is giving intermittently different results). Can anyone help me understand where the problem is? In the mean time, I've stopped reporting spam, since it wants to point to my school's ISP as the source (which I highly doubt). Thanks! From nobody at spamcop.dev.null.net Fri Oct 15 01:34:04 2004 From: nobody at spamcop.dev.null.net (Nobody) Date: Fri Oct 15 01:35:24 2004 Subject: [SpamCop-List] Re: out of the mouth of babies and spammers References: Message-ID: <416F614C.38F10AB8@spamcop.dev.null.net> helge wrote: > > From a recent spam: > "Who can resist a 24kt. 
white gold Rolex watch surrounded in stainless > steal?" > > Steal is right, I guess > > helge Helge: Who ever heard of "24 kt. white gold"? If it's 24K, it's deep yellow, with a slight greenish tinge, like a Maple Leaf, which _IS_ 24 kt. Regards, Michael From baloo at ursine.dyndns.org Thu Oct 14 23:35:30 2004 From: baloo at ursine.dyndns.org (Paul Johnson) Date: Fri Oct 15 01:40:03 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: <87acur466a.fsf@ursine.dyndns.org> Message-ID: <877jpspmql.fsf@ursine.dyndns.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "Porpoise" writes: >> Had you actually googled before asking, you would have found dozens of >> archive messages saying service@spamcop.net is the place to mail about >> anything like this. > > Not that I particularly have any interest in this thread, but, just out of > interest, what did you google to come up with that address? refund email site:spamcop.net , second link from the top. What did you try? -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBb2GkUzgNqloQMwcRAhvcAJ0RtfEAueYUq5rgcudGdj4vDpYA9wCgtZbL XBHuFwSxhof6J/6Oe8C/d+E= =u1Os -----END PGP SIGNATURE----- From MikeE at ster.invalid Thu Oct 14 23:39:17 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Oct 15 01:40:19 2004 Subject: [SpamCop-List] Re: Mailhosts and reverse DNS (No unique hostname found for source...) References: Message-ID: Nobody wrote: > Right now, when I try to report a spam, SC says that one of the > servers can't be trusted, because it doesn't have a unique host name > (I suppose that either means it doesn't do reverse DNS properly). Something is fishy down there; that's a mailhosts type of display, and if you've configured your mailhosts properly SC is supposed to recognize what is going on, even if it were badly configured, which yours isn't. 
> 3: Received: From Amnesix.uqss.uquebec.ca ([192.77.51.5]) by > ns1.etsmtl.ca (WebShield SMTP v4.5 MR1a); id 1097811082122; Thu, 14 > Oct 2004 23:31:22 -0400 > No unique hostname found for source: 192.77.51.5 > ETS received mail from sending system 192.77.51.5 That 3: Received is the way SC displays that step of a mailhosted user, so it shouldn't be tripping over that 'from' field; it should actually already know about it and be ready to get right on down to the next line. And, I agree, it does rDNS. I think if you are having trouble getting your mailhost configured properly, you might need a deputy to help. > Can anyone help me understand where the problem is? In my opinion it is the mailhost configuration. I don't know if you can just 'redo' it or what; as I don't use mailhost. Maybe the way your mail is being handled by your server changed, so SC doesn't recognize it as your mailhost, and it is 'new' and therefore untrusted to be a server. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Oct 14 23:47:12 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Oct 15 01:50:04 2004 Subject: [SpamCop-List] Re: Mailhosts and reverse DNS (No unique hostname found for source...) References: Message-ID: Nobody wrote: > In the mean time, I've stopped reporting spam, since it wants to point > to my school's ISP as the source (which I highly doubt). As long as you aren't reporting spam anyway, you could 'add' that system as your mailhost, I think, by just going thru' the same process by which you configured for your mailhost in the first place. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Oct 15 02:52:36 2004 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Fri Oct 15 01:55:03 2004 Subject: [SpamCop-List] Re: Mailhosts and reverse DNS (No unique hostname found for source...) 
In-Reply-To: References: Message-ID: Mike Easter wrote: > Maybe the way your mail is being handled by your server changed, so SC > doesn't recognize it as your mailhost, and it is 'new' and therefore > untrusted to be a server. > Thanks Mike -- your posts are always helpful, and like clockwork! I (re)posted my question in the mailhosts forum, with much more details and a full report link if you're curious. There *is* a DNS problem and I think it's confusing SC. Just try reverse DNS on grenat.etsmtl.ca in both IP4 (A record) and IP6 (AAAA record). At least as of tonight, there's no IP6 record. Also, the ns2 server is reporting in the SMTP header grenat's hostname as CREME which has a *different* IP address. You have to see the whole report to understand, and that's cited in that discussion. http://forum.spamcop.net/forums/index.php?showtopic=2854 By the way, I've been using mailhosts for as long as it's been functional (perhaps more than a year now?) with no problems prior. From porpoise1954 at yahoo.co.uk Fri Oct 15 09:00:17 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Oct 15 03:05:28 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: <87acur466a.fsf@ursine.dyndns.org> <877jpspmql.fsf@ursine.dyndns.org> Message-ID: "Paul Johnson" wrote in message news:877jpspmql.fsf@ursine.dyndns.org... > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > "Porpoise" writes: > > >> Had you actually googled before asking, you would have found dozens of > >> archive messages saying service@spamcop.net is the place to mail about > >> anything like this. > > > > Not that I particularly have any interest in this thread, but, just out of > > interest, what did you google to come up with that address? > > refund email site:spamcop.net , second link from the top. What did > you try? Haaa..... there ya go see.... being in retail, tried everything *except* refund! I was searching more on the problem to find the solution rather than thinking "refund". 
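The hop check discussed in the reverse-DNS thread above, as an added example that is not part of any post and is not SpamCop's parser: it pulls the claimed name and bracketed IP out of a Received line, then does a forward-confirmed reverse DNS check. The resolver data is constructed so the block runs offline; only the PTR for 192.77.51.5 comes from the post, and its forward record, the `example.net` names and the 192.0.2.x addresses are assumptions.

```python
import ipaddress
import re
import socket

RECEIVED_RE = re.compile(r"^\s*(?:Received:\s*)?from\s+(\S+)\s+\(([^)]*)\)",
                         re.IGNORECASE)
IP_RE = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def norm(name):
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def parse_received(line):
    """Return (claimed_name, ip) from one Received line, or None."""
    m = RECEIVED_RE.match(line)
    if not m:
        return None
    ip_m = IP_RE.search(m.group(2))
    if not ip_m:
        return None
    try:
        ip = str(ipaddress.ip_address(ip_m.group(1)))
    except ValueError:
        return None
    return m.group(1), ip


class StaticResolver:
    """Offline resolver backed by dictionaries (constructed test data)."""

    def __init__(self, ptr, fwd):
        self._ptr = ptr
        self._fwd = {norm(k): v for k, v in fwd.items()}

    def ptr(self, ip):
        return list(self._ptr.get(ip, []))

    def addresses(self, name):
        return list(self._fwd.get(norm(name), []))


class LiveResolver:
    """Same interface against the system resolver (not used by the samples)."""

    def ptr(self, ip):
        try:
            name, aliases, _ = socket.gethostbyaddr(ip)
        except OSError:
            return []
        return [name, *aliases]

    def addresses(self, name):
        try:
            infos = socket.getaddrinfo(name, None)
        except OSError:
            return []
        return sorted({info[4][0] for info in infos})


def check_hop(line, resolver):
    """Classify one Received hop by forward-confirmed reverse DNS."""
    parsed = parse_received(line)
    if parsed is None:
        return "unparseable"
    claimed, ip = parsed
    ptr_names = resolver.ptr(ip)
    if not ptr_names:
        return "no-ptr"
    # A PTR name only counts if its forward lookup points back at the IP.
    confirmed = [n for n in ptr_names if ip in resolver.addresses(n)]
    if not confirmed:
        return "ptr-unconfirmed"
    if norm(claimed) not in {norm(n) for n in confirmed}:
        return "confirmed-helo-mismatch"
    return "confirmed"


# Received line quoted in the post (SpamCop's "3:" step prefix removed).
POSTED = ("Received: From Amnesix.uqss.uquebec.ca ([192.77.51.5]) by "
          "ns1.etsmtl.ca (WebShield SMTP v4.5 MR1a); id 1097811082122; "
          "Thu, 14 Oct 2004 23:31:22 -0400")
# Constructed lines: stale PTR, a host announcing a short name, no PTR at all.
STALE = "Received: from mail.example.net ([192.0.2.10]) by mx.example.net"
SHORT = "Received: from CREME ([192.0.2.30]) by mx.example.net"
NOPTR = "Received: from host.example.net ([192.0.2.20]) by mx.example.net"

RESOLVER = StaticResolver(
    ptr={"192.77.51.5": ["Amnesix.uqss.uquebec.ca"],   # PTR from the post
         "192.0.2.10": ["relay.example.net"],          # constructed
         "192.0.2.30": ["grenat.example.net"]},        # constructed
    fwd={"amnesix.uqss.uquebec.ca": ["192.77.51.5"],   # assumed A record
         "relay.example.net": ["192.0.2.99"],          # does not point back
         "grenat.example.net": ["192.0.2.30"]},
)

if __name__ == "__main__":
    for line in (POSTED, STALE, SHORT, NOPTR):
        print(check_hop(line, RESOLVER), "<-", line[:60])
```

Swapping `RESOLVER` for `LiveResolver()` runs the same classification against real DNS, which is where intermittent differences between lookups would show up.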
From ric.gates at bigsleep.org Fri Oct 15 08:33:05 2004 From: ric.gates at bigsleep.org (Blammo) Date: Fri Oct 15 03:35:03 2004 Subject: [SpamCop-List] Re: [Spam] can't stop laughing References: Message-ID: On 13 Oct 2004 eddie entered spamcop and left news:pan.2004.10.13.16.13.51.576000@eddie.web: > http:///pp/index.php?pid=3Deph5653 > /pp/ is pretty much all you'll be doing after taking it, or, at least it will smell funny. -- | Ric From gospamming at yourdomain.invalid Fri Oct 15 08:36:10 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Fri Oct 15 03:40:03 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Socks the white house cat wrote in news:Xns9582998EBA3E6votekerry2004@216.154.195.61: > > When that happens, I suggest that they install xnews. you can killfile > on just about anything. For instance, I forget who this one is, but I > think it is a persistent morph on .social whom I haven't seen in > awhile: > > > [^spamcop\.social$] > > % Another morphing twit for Bush > Score:: -9999 > NNTP-Posting-Host: 64.186.198. > [snip] > > You can killfile on virtually any header out there. Moronis over on > nanae likes to morph. Some of my rules for him are: > [snip] > > %Another moronis morph 3 > Score:: -9999 > X-Complaints-To: abuse@plus.net.uk > [quote Socks headers] User-Agent: Xnews/06.01.10 [/quote] Hmmm... I'm puzzled. I'm using Xnews 06.08.25 (the latest test version) and I cannot do that. Every time I tried to create that kind of rules in the score file, they didn't work. Xnews 06.08.25 filters only on the usual headers (From, Subject, Msg-ID, References and Xref) and just ignores you if you try to put anything different in the score file. Perhaps the author had to disable it in the newer versions for some reason... Do you know where could I find version 06.01.10 at this time? I've found only versions 05.08.12 and 06.08.25 so far... 
:-/ -- Daniel Diaz SpamCop User From agent01413 at my-deja.com Fri Oct 15 06:19:20 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Fri Oct 15 07:20:22 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Pausing only once for breath, "D.Diaz" said: > Socks the white house cat wrote in > news:Xns9582998EBA3E6votekerry2004@216.154.195.61: > >> >> When that happens, I suggest that they install xnews. you can >> killfile on just about anything. For instance, I forget who this one >> is, but I think it is a persistent morph on .social whom I haven't >> seen in awhile: >> >> >> [^spamcop\.social$] >> >> % Another morphing twit for Bush >> Score:: -9999 >> NNTP-Posting-Host: 64.186.198. >> > [snip] >> >> You can killfile on virtually any header out there. Moronis over on >> nanae likes to morph. Some of my rules for him are: >> > [snip] >> >> %Another moronis morph 3 >> Score:: -9999 >> X-Complaints-To: abuse@plus.net.uk >> > > > [quote Socks headers] > User-Agent: Xnews/06.01.10 > [/quote] > > Hmmm... I'm puzzled. > I'm using Xnews 06.08.25 (the latest test version) and I cannot do > that. Every time I tried to create that kind of rules in the score > file, they didn't work. Xnews 06.08.25 filters only on the usual > headers (From, Subject, Msg-ID, References and Xref) and just ignores > you if you try to put anything different in the score file. Perhaps > the author had to disable it in the newer versions for some reason... > Do you know where could I find version 06.01.10 at this time? I've > found only versions 05.08.12 and 06.08.25 so far... :-/ > I assume that you are editing the score file under the "Special" pulldown. His documentation stops at the production version. Since you are using a beta version, it makes sense to post a bug report.
news://news.software.readers or rtfm http://xnews.newsguy.com/manual.html -- I AM SPEWS (SLAPP PREVENTION ELECTRONIC WHITENOISE SYSTEM) "The day Microsoft makes something that doesn't suck is probably the day that they start making vacuum cleaners."--Doc in alt.privacy From agent01413 at my-deja.com Fri Oct 15 06:20:17 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Fri Oct 15 07:20:42 2004 Subject: [SpamCop-List] rule check Message-ID: if someone is told to stop emailing me, but this is a harasser rather than a bulk mailer, is it permitted to report them through spamcop? -- I AM SPEWS (SLAPP PREVENTION ELECTRONIC WHITENOISE SYSTEM) "The day Microsoft makes something that doesn't suck is probably the day that they start making vacuum cleaners."--Doc in alt.privacy From gospamming at yourdomain.invalid Fri Oct 15 12:49:06 2004 From: gospamming at yourdomain.invalid (D.Diaz) Date: Fri Oct 15 07:50:21 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Socks the white house cat wrote in news:Xns958336249432Bvotekerry2004@216.154.195.61: > > I assume that you are editting the score file under the "Special" > pulldown. Yes, that's what I do. The "Add to score file" option from the "Article" pulldown has a nice GUI, but does not offer the same flexibility as editing the score file yourself. > > His documentation stops at the production version. Since you are > using a beta version, it makes sense to post a bug report. > > news://news.software.readers > > or rtfm http://xnews.newsguy.com/manual.html > Maybe. 
Reading further, I found this at the scoring.txt file in Xnews main directory: [quote] Xnews' score file format is very similar to slrn's, with (at least) these differences: 1) regular expressions are case insensitive in Xnews; 2) slrn treats section headers as wildcard expressions while xnews treats them as full regular expressions; 3) Xnews does NOT allow scoring on any header other than those mentioned, namely, Message-ID, From, Subject, XRef, Lines, and References; and 4) as far as I know, slrn doesn't use the empty section as a mean to stop evaluation. [snip] Luu Tran Feb 23, 1999 [/quote] According to the docs, it seems Xnews never allowed scoring on arbitrary headers. That's why I was puzzled to read you saying it was possible with version 06.01.10 Since the developer does not make updates regularly, I was more inclined to "downgrade" my Xnews to the same version you're using... (you know, I also lurk in nanae regularly and could benefit from NNTP-Posting-Host filtering... I actually had to make some "creative" rules to effectively killfile Moris) -- Daniel Diaz SpamCop User From nobody at spamcop.net Fri Oct 15 09:18:51 2004 From: nobody at spamcop.net (Ellen) Date: Fri Oct 15 08:25:04 2004 Subject: [SpamCop-List] Re: rule check References: Message-ID: "Socks the white house cat" wrote in message news:Xns9583364D92B6Fvotekerry2004@216.154.195.61... > if someone is told to stop emailing me, but this is a harasser rather than > a bulk mailer, is it permitted to report them through spamcop? > No -- you cannot involve SC in your personal disputes. You can certainly write personally to the ISP and you can determine the correct place to write using SC as one of your tools but you cannot report them using the system. 
And indeed, a well documented personal email is much more likely to make sense to the ISP than the random SC report -- not to mention that you would have your well documented and well reasoned explanation of the issue before the ISP first rather than if you had sent a SC report and then the ISP wrote to their customer who presented his side of the story first :-) Ellen From D.Gray at picture.oscar.wilde Fri Oct 15 14:56:00 2004 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Fri Oct 15 09:00:04 2004 Subject: [SpamCop-List] I misreported Western Union Message-ID: Yesterday I went back to Full Reporting, when I learnt that Quick Reporting is designed not to report spamvertised websites. But I'm afraid mistakes still can occasionally happen, even with Full Reporting...: I just misreported Western Union, which was actually an innocent bystander: http://www.spamcop.net/sc?id=z682533924z370d5d4204fe3b9000d80bd7533d8d61z The Western Union report was sent to 70007.6400-at-compuserve dot com I noticed as soon as I clicked the submit button, and tried clicking cancel, but too late. Could a deputy please clean up after me? I'm sorry, and also I looked in the help/FAQ/forum to see the procedure after misreporting, but could find anything. I hope this is the way to do it. If not please let me know for future reference (but hopefully it won't happen again). Cheers. :( From agent01413 at my-deja.com Fri Oct 15 08:20:04 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Fri Oct 15 09:20:02 2004 Subject: [SpamCop-List] Re: rule check References: Message-ID: Pausing only once for breath, "Ellen" said: > > > "Socks the white house cat" wrote in message > news:Xns9583364D92B6Fvotekerry2004@216.154.195.61... >> if someone is told to stop emailing me, but this is a harasser rather >> than a bulk mailer, is it permitted to report them through spamcop? >> > > No -- you cannot involve SC in your personal disputes.
You can > certainly write personally to the ISP and you can determine the > correct place to write using SC as one of your tools but you cannot > report them using the system. And indeed, a well documented personal > email is much more likely to make sense to the ISP then the random SC > report -- not to mention that you would have your well documented and > well reasoned explanation of the issue before the ISP first rather > than if you had sent a SC report and then the ISP wrote to their > customer who presented his side of the story first :-) > > Ellen > > > just checking. thanks -- I AM SPEWS (SLAPP PREVENTION ELECTRONIC WHITENOISE SYSTEM) "The day Microsoft makes something that doesn't suck is probably the day that they start making vacuum cleaners."--Doc in alt.privacy From nobody at spamcop.net Fri Oct 15 18:22:34 2004 From: nobody at spamcop.net (nospam) Date: Fri Oct 15 09:25:02 2004 Subject: [SpamCop-List] Re: out of the mouth of babies and spammers References: <416F614C.38F10AB8@spamcop.dev.null.net> Message-ID: in article 416F614C.38F10AB8@spamcop.dev.null.net, Nobody at nobody@spamcop.dev.null.net wrote on 10/15/04 9:34 AM: > helge wrote: >> >> From a recent spam: >> "Who can resist a 24kt. white gold Rolex watch surrounded in stainless >> steal?" >> >> Steal is right, I guess >> >> helge > > Helge: > > Who ever heard of "24 kt. white gold"? If it's 24K, it's deep yellow, > with a slight greenish tinge, like a Maple Leaf, which _IS_ 24 kt. > > Regards, > Michael Are you sure? A very small chromium impurity will make "white gold" and possibly may still qualify the gold as 24C. Not being an assayer I don't know how pure 24C needs to be. In any case I've no doubt the s[c/p]ammer intends to rip people off. 
From masfjorden at spamcop.net Fri Oct 15 16:23:15 2004 From: masfjorden at spamcop.net (helge) Date: Fri Oct 15 09:25:18 2004 Subject: [SpamCop-List] Re: out of the mouth of babies and spammers In-Reply-To: <416F614C.38F10AB8@spamcop.dev.null.net> References: <416F614C.38F10AB8@spamcop.dev.null.net> Message-ID: Nobody wrote: > helge wrote: > >> From a recent spam: >>"Who can resist a 24kt. white gold Rolex watch surrounded in stainless >>steal?" >> >>Steal is right, I guess >> >>helge > > > Helge: > > Who ever heard of "24 kt. white gold"? If it's 24K, it's deep yellow, > with a slight greenish tinge, like a Maple Leaf, which _IS_ 24 kt. > > Regards, > Michael Then it *must* be the sort of white gold that usually is called stainless steal helge From agent01413 at my-deja.com Fri Oct 15 08:35:25 2004 From: agent01413 at my-deja.com (Socks the white house cat) Date: Fri Oct 15 09:35:03 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Pausing only once for breath, "D.Diaz" said: > Socks the white house cat wrote in > news:Xns958336249432Bvotekerry2004@216.154.195.61: > >> >> I assume that you are editting the score file under the "Special" >> pulldown. > > Yes, that's what I do. The "Add to score file" option from the > "Article" pulldown has a nice GUI, but does not offer the same > flexibility as editing the score file yourself. > >> >> His documentation stops at the production version. Since you are >> using a beta version, it makes sense to post a bug report. >> >> news://news.software.readers >> >> or rtfm http://xnews.newsguy.com/manual.html >> > > Maybe. 
Reading further, I found this at the scoring.txt file in Xnews > main directory: > > [quote] > > Xnews' score file format is very similar to slrn's, with (at least) > these differences: 1) regular expressions are case insensitive in > Xnews; 2) slrn treats section headers as wildcard expressions while > xnews treats them as full regular expressions; 3) Xnews does NOT allow > scoring on any header other than those mentioned, namely, Message-ID, > From, Subject, XRef, Lines, and References; and 4) as far as I know, > slrn doesn't use the empty section as a mean to stop evaluation. > > [snip] > > Luu Tran > Feb 23, 1999 > > [/quote] > > > According to the docs, it seems Xnews never allowed scoring on > arbitrary headers. That's why I was puzzled to read you saying it was > possible with version 06.01.10 > > Since the developer does not make updates regularly, I was more > inclined to "downgrade" my Xnews to the same version you're using... > (you know, I also lurk in nanae regularly and could benefit from > NNTP-Posting-Host filtering... I actually had to make some "creative" > rules to effectively killfile Moris) > It may not have been his intention, but I know that my rules work in nanae to block moronis. none of my rules cover the headers that your quote references. ergo - either by design or by accident, my version of xnews works better than the doc says it does. -- I AM SPEWS (SLAPP PREVENTION ELECTRONIC WHITENOISE SYSTEM) "The day Microsoft makes something that doesn't suck is probably the day that they start making vacuum cleaners."--Doc in alt.privacy From MikeE at ster.invalid Fri Oct 15 07:45:41 2004 From: MikeE at ster.invalid (Mike Easter) Date: Fri Oct 15 09:45:03 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: <87acur466a.fsf@ursine.dyndns.org> <877jpspmql.fsf@ursine.dyndns.org> Message-ID: Porpoise wrote: > Haaa..... there ya go see.... being in retail, tried everything > *except* refund! 
I was searching more on the problem to find the > solution rather than thinking "refund". Yabbut... ... even tho' the subject sez 'I want my two dollars', he didn't want a 'refund' - he wanted fuel credit for the $2 he had paid. The issue didn't have anything to do with 'refund'. The logic would have to go "How do you contact the fuel accounting department to get proper credit for money paid?" Answer, search on 'refund' - the sub-logic being that it is more likely to find a previous problem that involves getting a refund from the accounting dept than the original, real, issue. Seems like searching on 'fuel' and 'paid' concurrent would make more sense, but I didn't try it. -- Mike Easter kibitzer, not SC admin From b.vander.bent at chello.nl Fri Oct 15 16:52:46 2004 From: b.vander.bent at chello.nl (basalk) Date: Fri Oct 15 09:55:03 2004 Subject: [SpamCop-List] Re: out of the mouth of babies and spammers References: <416F614C.38F10AB8@spamcop.dev.null.net> Message-ID: The stuff that handcuffs are made of. Bas "helge" wrote in message news:ckoivo$blq$1@news.spamcop.net... > Nobody wrote: >> helge wrote: >> >>> From a recent spam: >>>"Who can resist a 24kt. white gold Rolex watch surrounded in stainless >>>steal?" >>> >>>Steal is right, I guess >>> >>>helge >> >> >> Helge: >> >> Who ever heard of "24 kt. white gold"? If it's 24K, it's deep yellow, >> with a slight greenish tinge, like a Maple Leaf, which _IS_ 24 kt. >> >> Regards, >> Michael > > Then it *must* be the sort of white gold that usually is called stainless > steal > > helge
From nobody at spamcop.net Fri Oct 15 11:01:24 2004 From: nobody at spamcop.net (indigo) Date: Fri Oct 15 10:05:03 2004 Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen References: Message-ID: Mike Easter wrote: We aren't /really/ moderated > here - altho' I can guess at some misbehaviors which would make a > deputy very unhappy. That being my main point. > Someone somewhere may be morphing a lot at sometime, but my brief > perusal of .social looks like LadySarah has been that in .social > since Sep 25. How hard is /that/ to deal with? Hey, *I* don't give a rat's ass how many times she morphs, reading her posts is kinda like slowing down to look at a car wreck ;-) From nobody at spamcop.net Fri Oct 15 11:05:19 2004 From: nobody at spamcop.net (indigo) Date: Fri Oct 15 10:10:03 2004 Subject: [SpamCop-List] Re: SC Password reset - harassment? References: Message-ID: Scott Nelson wrote: > > > > > > Laden or unladen? > > > > > > Why, I dunno Aaaaaahhhhhhhhh! > > > > It's always nice to play to a hip room. > > > > -- > > ...Bob W. > > > --->ROFL! > Nice random Marty Python reference! ;-) > Huh? The "hip room" is MP ref? Sounds more like a Bill Murray lounge singer line to me...... From nobody at spamcop.net Fri Oct 15 11:08:55 2004 From: nobody at spamcop.net (indigo) Date: Fri Oct 15 10:10:22 2004 Subject: [SpamCop-List] Re: I want my two dollars! References: <87acur466a.fsf@ursine.dyndns.org> <877jpspmql.fsf@ursine.dyndns.org> Message-ID: Porpoise wrote: > "Paul Johnson" wrote in message > news:877jpspmql.fsf@ursine.dyndns.org... > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > "Porpoise" writes: > > > > >> Had you actually googled before asking, you would have found > > >> dozens of archive messages saying service@spamcop.net is the > > >> place to mail about anything like this.
> > >
> > > Not that I particularly have any interest in this thread, but,
> > > just out of interest, what did you google to come up with that
> > > address?
> >
> > refund email site:spamcop.net , second link from the top. What did
> > you try?
>
> Haaa..... there ya go see.... being in retail, tried everything
> *except* refund! I was searching more on the problem to find the
> solution rather than thinking "refund".

Strange, I tried the search function for the whole site using service@spamcop.net as the search term and it came up blank.

From MikeE at ster.invalid Fri Oct 15 08:15:51 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 15 10:15:04 2004
Subject: [SpamCop-List] Re: I misreported Western Union
References:
Message-ID:

Dorian Gray wrote:
> I just misreported Western Union, which was actually an innocent
> bystander:

The 'report' is a 'harmless' [from spamcop's point of view] notification of WU that their website appeared in a spam, implying spamsupport - but in fact the appearance there is that of an IB, as you say.

My point is that that particular error, while errant, doesn't have /spamcop/ 'consequences' which are harmful to WU and which would need some kind of 'repair' -- such as the consequences of excessively errantly reporting a /source/ - not spamvertiser - and causing it to become listed in the SCbl - and which a deputy would want to delist as a spamcop controllable action.

A 'potential' adverse consequence of an errant or mistaken /spamvertiser/ - not spamsource- report in another different circumstance would be that the netspace provider who is notified would terminate the spamvertiser account for spamming. That adverse consequence isn't something which the deputy can 'fix' or prevent. That's not hir job.

In reality in this case, WU controls their own /20 netspace 206.201.224.0 - 206.201.239.255 and William Vanglhan is the tech with the compuserve addy 70007.6400 who works for them.
He isn't going to be squashing their account ;-)

> The Western Union report was sent to 70007.6400-at-compuserve dot com

Pretty weird notify addy. That comes from the arin information; but if I were going to be notifying WU about some kind of abuse, I would use the reg'd abuse.net addy postmaster@westernunion.com

> I noticed as soon as I clicked the submit button, and tried clicking
> cancel, but too late. Could a deputy please clean up after me?

That implies that you think a deputy can 'unsend' the mail. Mail sent can't be unsent, and a spamvertiser notify doesn't require fixing anything at spamcop. The standard remedy is to email the notify address that you made the error to, and the deputies that you made the error so that if they get back a response from WU saying, 'we were not spamvertising in this item you sent us' they will know what is going on because you have already told them.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Oct 15 08:22:39 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 15 10:25:04 2004
Subject: [SpamCop-List] Re: rule check
References:
Message-ID:

Socks the white house cat wrote:
> if someone is told to stop emailing me, but this is a harasser rather
> than a bulk mailer, is it permitted to report them through spamcop?

I've seen Ellen's 'no' - but I'll just comment that a very effective way to 'communicate' with someone who is email annoying you is to 'simply' email tell them to stop emailing you and copy that to the abuse addy of their provider.

And, I wouldn't be 'splaining to them, either one of them in that mail to both of them, all kinds of 'controversies' and points of view - the provider isn't interested in hearing all of that. It should be a very simple, succinct communication.

The point of that mail isn't to win some kind of argument you are having, but to stop the conversation. The elements of the disagreement don't belong in there.
If you are emailing back and forth about the argument with the harasser, you can't very well expect the provider to support your wishes to have them stop emailing you.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Oct 15 09:00:50 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 15 11:00:06 2004
Subject: [SpamCop-List] Re: I want my two dollars!
References: <87acur466a.fsf@ursine.dyndns.org> <877jpspmql.fsf@ursine.dyndns.org>
Message-ID:

indigo wrote:
> Strange, I tried the search function for the whole site using
> service@spamcop.net as the search term and it came up blank.

When Ellen posted, she sed at admin SC, if that makes a difference.

--
Mike Easter
kibitzer, not SC admin

From gospamming at yourdomain.invalid Fri Oct 15 16:37:43 2004
From: gospamming at yourdomain.invalid (D.Diaz)
Date: Fri Oct 15 11:40:03 2004
Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen
References:
Message-ID:

Socks the white house cat wrote in news:Xns95834D36F5972votekerry2004@216.154.195.61:

> It may not have been his intention, but I know that my rules work in
> nanae to block moronis. none of my rules cover the headers that your
> quote references. ergo - either by design or by accident, my version
> of xnews works better than the doc says it does.
>

Following your pointer on news.software.readers I just found this...

http://groups.google.com/groups?q=Yes+Virginia+group:news.software.readers+insubject:Xnews&hl=es&lr=&c2coff=1&selm=Xns91E99030ECEA0imamidnighttoken%40130.133.1.4&rnum=5

Or, in short:

http://tinyurl.com/5kcl8

[quote]

From the changefile for Xnews 5.01.09 (IOW, January 9, 2002):

" + Yes, Virginia, you can now score on non-standard headers such as NNTP-Posting-Host. By non standard headers, I mean those that are NOT included in XOVER) . As with everything Xnews, there are caveats:

1) Your server must support the XHDR command. As I understand it, most do.
However, some servers (e.g., Typhoon) only support the standard XOVER headers, so you still can't score on anything other than the standard headers (subject, from, message-id, lines, xref, and now, bytes).

2) It takes time to download those extra headers.

3) I don't save them in storage, so if you have ScoreStoredArticles=1, scores with non standard headers will not work on stored headers.

4) If you edit the score file while a group is opened and add one or more non-standard headers, those scores will not take effect til next time you open the group. "

[/quote]

So perhaps I should be checking the news server I'm using for XHDR support...

--
Daniel Diaz
SpamCop User

From MikeE at ster.invalid Fri Oct 15 09:43:31 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 15 11:45:03 2004
Subject: [SpamCop-List] Re: Mail being parsed incorrectly
References:
Message-ID:

Tom Geldner wrote:
> Any thoughts??

The first thought is "Don't post spam here." That is against the rules. If you ever want to talk about SC's parsing of an item you should post the tracker for it, not the item. See an example of a tracker below. The tracker takes up only a line, shows the entire spam intact and SC's logic.

What you posted is 'bent' - your newsreader has changed it from the original, which has to be 'repaired' to work on, and you are forcing people who have to pay for their downloading to download and look at your spam, in a condition which no one wants to see.

Posting spam here is bad; if you want to post it in that condition, there is a special newsgroup spamcop.spam where no one ever goes except to look at a specific spam for doing that.

Besides, you didn't even want to talk about the whole spam, only the headers. Why in the world would you post all that raw html here for people to dl and look at?

> Here's a strange one -- reading the headers, this email should have
> originated from 69.107.167.51.
However, spamcop thinks it's coming
> from tfb.com (which it is but only after being relayed).

No. Look at this tracker. SC parses those headers correctly and names the open proxy source behind the relay.

www.spamcop.net/sc?id=z682585405za42c47912d1c10ddbbd0ab67cff24dfcz

I only submitted the headers, but you can see there the parse is correct:

Abbreviated Received lines *comment
from clusterb1.tfb.com ([65.126.210.70]) by blarp.com *relay output
from (adsl-69-107-167-51.dsl.snfc21.pacbell.net [69.107.167.51]) by clusterb1.tfb.com *sourceline
from 242.82.96.128 by albany.69.107.167.51 *bogusline

--
Mike Easter
kibitzer, not SC admin

From D.Gray at picture.oscar.wilde Fri Oct 15 19:34:12 2004
From: D.Gray at picture.oscar.wilde (Dorian Gray)
Date: Fri Oct 15 13:35:17 2004
Subject: [SpamCop-List] Re: I misreported Western Union
References:
Message-ID:

In article , "Mike Easter" wrote:

> Dorian Gray wrote:
> > I just misreported Western Union, which was actually an innocent
> > bystander:
>
> The 'report' is a 'harmless' [from spamcop's point of view] notification
> of WU that their website appeared in a spam
> In reality in this case, WU controls their own /20
> netspace 206.201.224.0 - 206.201.239.255 and William Vanglhan is the
> tech with the compuserve addy 70007.6400 who works for them. He isn't
> going to be squashing their account ;-)

Okay, that's good then - I wanted to make sure that I hadn't put in train some horrible BL consequences for Western Union.

But from what you say, maybe Western Union would actually *appreciate* being informed like this, that their website appeared in a spam; who knows they might want to take action against the spammer.

If these types of reports don't have any consequences, but might be seen as informative, why aren't they enabled for Quick Reporting? (To answer my own question, maybe for the case where an innocent bystander doesn't control their own netspace, and might have action taken against them by their provider by mistake.)
> > I noticed as soon as I clicked the submit button, and tried clicking
> > cancel, but too late. Could a deputy please clean up after me?
>
> That implies that you think a deputy can 'unsend' the mail. Mail sent
> can't be unsent,

C'mon, really? You mean it doesn't come back down the fibre if I suck as hard as I normally blow?

> and a spamvertiser notify doesn't require fixing
> anything at spamcop.

Okay, that's what I needed to know.

> The standard remedy is to email the notify address
> that you made the error to, and the deputies that you made the error so
> that if they get back a response from WU saying, 'we were not
> spamvertising in this item you sent us' they will know what is going on
> because you have already told them.

I'll do that now then.

Cheers.

From D.Gray at picture.oscar.wilde Fri Oct 15 20:03:39 2004
From: D.Gray at picture.oscar.wilde (Dorian Gray)
Date: Fri Oct 15 14:05:06 2004
Subject: [SpamCop-List] Re: I misreported Western Union
References:
Message-ID:

In article , "Mike Easter" wrote:

> In reality in this case, WU controls their own /20
> netspace 206.201.224.0 - 206.201.239.255 and William Vanglhan is the
> tech with the compuserve addy 70007.6400 who works for them. He isn't
> going to be squashing their account ;-)
>
> > The Western Union report was sent to 70007.6400-at-compuserve dot com
>
> Pretty weird notify addy. That comes from the arin information; but if
> I were going to be notifying WU about some kind of abuse, I would use the
> reg'd abuse.net addy postmaster@westernunion.com

In article , Dorian Gray wrote:

> In article ,
> "Mike Easter" wrote:
>
> > The standard remedy is to email the notify address
> > that you made the error to, and the deputies that you made the error so
> > that if they get back a response from WU saying, 'we were not
> > spamvertising in this item you sent us' they will know what is going on
> > because you have already told them.
>
> I'll do that now then.
Well I tried, but that compuserve address is invalid! Can it be true that Western Union has bad arin information?

Cheers.

From nobody at devnull.spamcop.net Fri Oct 15 14:46:24 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Oct 15 14:50:02 2004
Subject: [SpamCop-List] Re: I misreported Western Union
References:
Message-ID:

"Dorian Gray" wrote in message news:D.Gray-C50FA0.13560015102004@news.cesmail.net...
>
> I noticed as soon as I clicked the submit button, and tried clicking
> cancel, but too late. Could a deputy please clean up after me? I'm
> sorry, and also I looked in the help/FAQ/forum to see the procedure
> after misreporting, but could find anything. I hope this is the way to
> do it. If not please let me know for future reference (but hopefully it
> won't happen again).

I know, it's off the beaten track, but over in the web-based Forum, there is a FAQ entry Titled; "How can I unsend a Report"
http://forum.spamcop.net/forums/index.php?

From nobody at devnull.spamcop.net Fri Oct 15 16:20:01 2004
From: nobody at devnull.spamcop.net (Cat)
Date: Fri Oct 15 16:20:03 2004
Subject: [SpamCop-List] Re: out of the mouth of babies and spammers
In-Reply-To:
References: <416F614C.38F10AB8@spamcop.dev.null.net>
Message-ID:

basalk wrote:
> The stuff that handcuffs are made of.
> Bas

Huh? When you top post and don't snip anything, it's harder to understand your posts.

If you would snip the parts you aren't replying to and add your own comments BELOW each quoted point like most other posters in this newsgroup, your posts would be a whole lot easier to read and understand.

See #6 at http://linux.sgms-centre.com/misc/netiquette.php and #1 and #2 at http://www.river.com/users/share/etiquette/ for more snipping and inline posting netiquette.
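Added example, not part of any post in this archive and not SpamCop's parser code: a Python walk over the three abbreviated Received lines quoted in the "Mail being parsed incorrectly" thread. It shows how the reported source depends on whether the first relay is accepted, and why the bottom line never becomes the source. The `trusted_relays` set, the name-equality check used in place of SpamCop's rDNS and MX lookups, and every function name are assumptions of this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# The three abbreviated Received lines quoted in the thread, top (newest) first.
RECEIVED = [
    "from clusterb1.tfb.com ([65.126.210.70]) by blarp.com",
    "from (adsl-69-107-167-51.dsl.snfc21.pacbell.net [69.107.167.51]) "
    "by clusterb1.tfb.com",
    "from 242.82.96.128 by albany.69.107.167.51",
]

HOP_RE = re.compile(r"^from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)", re.I | re.S)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BARE_IP = re.compile(r"(?<![\w.-])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.-])")


@dataclass
class Hop:
    host: str           # name recorded for the sending side ('from')
    ip: Optional[str]   # address recorded for the sending side, if any
    by: str             # server that claims to have written this line


def parse_hop(line: str) -> Optional[Hop]:
    """Split one Received line into its 'from' host, 'from' IP and 'by' host."""
    m = HOP_RE.match(line.strip())
    if not m:
        return None
    frm = m.group("frm")
    ip = BRACKETED_IP.search(frm) or BARE_IP.search(frm)
    tokens = frm.strip("() ").split()
    return Hop(host=tokens[0] if tokens else "",
               ip=ip.group(1) if ip else None,
               by=m.group("by"))


def plausible_ip(ip: Optional[str]) -> bool:
    """True only for a syntactically valid, publicly routable address."""
    if ip is None:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_reserved or addr.is_loopback
                or addr.is_multicast or addr.is_unspecified)


def find_source(received: List[str],
                trusted_relays: Set[str]) -> Tuple[Optional[str], str]:
    """Chain from the top line down; return (source IP, why the chain stopped).

    The top line was written by the recipient's own server, so its 'from' IP
    is the starting source. The walk moves one line down only while the upper
    hop is an accepted relay AND the lower line's 'by' names the same host the
    upper line recorded as 'from' AND the lower 'from' IP is plausible.
    """
    hops = [parse_hop(line) for line in received]
    if not hops or hops[0] is None or not plausible_ip(hops[0].ip):
        return None, "top Received line unusable"
    source, reason = hops[0].ip, "end of Received lines"
    for upper, lower in zip(hops, hops[1:]):
        if upper.ip not in trusted_relays:
            reason = f"{upper.ip} is not a trusted relay"
            break
        if lower is None or not plausible_ip(lower.ip):
            reason = "next line has no plausible public IP"
            break
        if lower.by.lower() != upper.host.lower():
            reason = f"'by {lower.by}' does not match upper 'from {upper.host}'"
            break
        source = lower.ip
    return source, reason


if __name__ == "__main__":
    for trusted in (set(), {"65.126.210.70"},
                    {"65.126.210.70", "69.107.167.51"}):
        print(sorted(trusted), "->", find_source(RECEIVED, trusted))
```

With an empty trusted set the walk stops at the relay, which is the first result the original poster saw; once the relay is accepted, the source becomes the host behind it, and the bottom line is rejected because 242.82.96.128 is in reserved address space.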
From pxpearson at spamxcop.net Fri Oct 15 14:21:34 2004
From: pxpearson at spamxcop.net (Peter Pearson)
Date: Fri Oct 15 16:25:03 2004
Subject: [SpamCop-List] Re: Secret Service - Phishing
References: <416D82BB.CBC9A21F@spamisevil.com>
Message-ID:

Scott Nelson wrote:

> Report suspicious activity to the FTC. If you get spam that is phishing
> for information, forward it to spam@uce.gov

I wouldn't deny the Authorities the opportunity to put their Top People on it, but I suggest forwarding it to spoof@millersmiles.co.uk. The "spoof and phishing" page at http://millersmiles.co.uk/ makes interesting reading, and scams reported there seem to go off the air quickly.

- Peter Pearson

--
Remove the two x's to get a good email address.

From agent01413 at my-deja.com Fri Oct 15 19:39:40 2004
From: agent01413 at my-deja.com (Socks the white house cat)
Date: Fri Oct 15 20:40:03 2004
Subject: [SpamCop-List] Re: rule check
References:
Message-ID:

Pausing only once for breath, "Mike Easter" said:

> Socks the white house cat wrote:
>> if someone is told to stop emailing me, but this is a harasser rather
>> than a bulk mailer, is it permitted to report them through spamcop?
>
> I've seen Ellen's 'no' - but I'll just comment that a very effective way
> to 'communicate' with someone who is email annoying you is to 'simply'
> email tell them to stop emailing you and copy that to the abuse addy of
> their provider.
>

Actually, I solved it with procmail. Attempts seem to have stopped according to the logs.
--
I AM SPEWS (SLAPP PREVENTION ELECTRONIC WHITENOISE SYSTEM)
"The day Microsoft makes something that doesn't suck is probably the day that they start making vacuum cleaners."--Doc in alt.privacy

From agent01413 at my-deja.com Fri Oct 15 19:42:33 2004
From: agent01413 at my-deja.com (Socks the white house cat)
Date: Fri Oct 15 20:40:21 2004
Subject: [SpamCop-List] Re: Paging Wazoo and/or Ellen
References:
Message-ID:

Pausing only once for breath, "D.Diaz" said:

>
> So perhaps I should be checking the news server I'm using for XHDR
> support...
>

FWIW, I'm on Supernews. Andrew seems to be grabbing significant market share lately.

--
I AM SPEWS (SLAPP PREVENTION ELECTRONIC WHITENOISE SYSTEM)
"The day Microsoft makes something that doesn't suck is probably the day that they start making vacuum cleaners."--Doc in alt.privacy

From MikeE at ster.invalid Fri Oct 15 18:46:33 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Oct 15 20:45:03 2004
Subject: [SpamCop-List] Re: Mail being parsed incorrectly
References:
Message-ID:

Tom Geldner wrote:
> What's weird is that the first time I sent this to SpamCop, it
> identified TFBnet as the spam source. Now, it is correctly
> identifying the PacBell account as the open relay. BTW, I use
> SpamSource with Outlook to do this.

> www.spamcop.net/sc?id=z682684178z3b785ecab14548ae5c7f73ac68fec8e3z

The parser stores the original item in that tracker. When the tracker is accessed, the parse is 're-performed'- ie the algorithm does the parse all over again.

The result of a parse can change because of various dynamics that cause the result of a parse to be different at one point in time compared to another.

The algorithm chains from top toward the bottom until the first sign of bogosity or the end, whichever comes first. The algorithmic strategy is to chain from upper 'from' field to lower 'by' field.
In the course of that chaining, it performs what I call an 'mx step', in which it uses algorithmic logic to determine if it thinks that the under 'by' corresponds to the upper 'from'. It cares about the rDNS of an IP of the upper 'from'. It cares about the 'mx-ness' of the domainname of the lower 'by'. It cares about the 'familiarity' with a known server/relay which it has encountered before and found to be functioning as a relay and sent to the relay testers.

If sufficient tests and relationships are met, it learns to trust a domainname's IP as an accepted relay, ie 'trusted relay' - not that it is trusted to be healthy or not promiscuously open, but simply trusted to be a relay.

If it trusts it to be a relay, then SC is able to continue to chain to the next such 'from' to below 'by' and so on. If such a relay is unfamiliar or fails the 'mx step' or other factors which cause it to be untrusted, then the chain breaks and then the source is determined therefrom.

Then, with the passage of time, the information about the relay 'matures'. Then, when we ask the parser to reparse the same headers, /now/ the relay is trusted and the chain doesn't break.

There are potentials for errors in that logic, and SC has made those errors many times, chaining past bogosity and breaking the chain prematurely.

For that reason, the newer implementation of the mailhosts function allows SC to view or parse a set of headers with the aforeknowledge of the 'condition' of the submitter's own mailhosts particular configuration findings. This is extremely helpful in preventing errors; /if/ the mailhosts configuration is correct, ie accurate.
--
Mike Easter
kibitzer, not SC admin

From baloo at ursine.dyndns.org Fri Oct 15 23:36:12 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Sat Oct 16 01:40:21 2004
Subject: [SpamCop-List] Re: rule check
References:
Message-ID: <878ya7xm0j.fsf@ursine.dyndns.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Socks the white house cat writes:

> if someone is told to stop emailing me, but this is a harasser rather than
> a bulk mailer, is it permitted to report them through spamcop?

No. Read the FAQ. http://www.spamcop.net/fom-serve/cache/14.html

You can, however, LART them manually.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBcLNNUzgNqloQMwcRAv6OAJ93LQZSQEKI5YWf61PLxTebKF4vugCguFyg
wBURlWzdxhVcEMKppMVnqHY=
=kZ9I
-----END PGP SIGNATURE-----

From baloo at ursine.dyndns.org Sat Oct 16 01:29:57 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Sat Oct 16 03:30:21 2004
Subject: [SpamCop-List] Re: I want my two dollars!
References: <87acur466a.fsf@ursine.dyndns.org> <877jpspmql.fsf@ursine.dyndns.org>
Message-ID: <87oej3aznu.fsf@ursine.dyndns.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Porpoise" writes:

>> "Porpoise" writes:
>>
>> >> Had you actually googled before asking, you would have found dozens of
>> >> archive messages saying service@spamcop.net is the place to mail about
>> >> anything like this.
>> >
>> > Not that I particularly have any interest in this thread, but, just out of
>> > interest, what did you google to come up with that address?
>>
>> refund email site:spamcop.net , second link from the top. What did
>> you try?
>
> Haaa..... there ya go see.... being in retail, tried everything *except*
> refund! I was searching more on the problem to find the solution rather than
> thinking "refund".

That's your excuse? 8:o) Heh, I recently got fed up with my old boss and went into a computer repair shop that also does significant retail business and I still noticed it...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBcM33UzgNqloQMwcRAv9oAJ9gcQVvPKPUx+OXYXLa1Zqk3ziGcwCfZ7g6
ALS7Jx8LJrIu6GC4Oll3qcE=
=UkuA
-----END PGP SIGNATURE-----

From baloo at ursine.dyndns.org Sat Oct 16 01:31:00 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Sat Oct 16 03:35:04 2004
Subject: [SpamCop-List] Re: I want my two dollars!
References: <87acur466a.fsf@ursine.dyndns.org> <877jpspmql.fsf@ursine.dyndns.org>
Message-ID: <87k6trazm3.fsf@ursine.dyndns.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Mike Easter" writes:

> Seems like searching on 'fuel' and 'paid' concurrent would make more
> sense, but I didn't try it.

Howso? The original poster just danced around the word "refund" without using it, IIRC...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBcM40UzgNqloQMwcRAny/AJ9PxFEDgTz+tN7Izk+NejI7SHjDmgCgxHvc
dd6fskZM9sdQpflz36uj3F0=
=/arf
-----END PGP SIGNATURE-----

From MikeE at ster.invalid Sat Oct 16 01:48:11 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 03:50:03 2004
Subject: [SpamCop-List] Re: I want my two dollars!
References: <87acur466a.fsf@ursine.dyndns.org> <877jpspmql.fsf@ursine.dyndns.org> <87k6trazm3.fsf@ursine.dyndns.org>
Message-ID:

Kenn Nesbitt wrote:
> I added $2.00 "fuel" to create a 1Mb test account. PayPal shows that
> the money has been deducted from my PayPal account, but I never
> received a receipt from SpamCop and the $2.00 has not been credited
> to my account.
>
> What's up with this? I can't find any way to contact SpamCop (other
> than snailmail and this forum) to ask them to credit the $2.00 to my
> account.

Mike Easter wrote:
> ... even tho' the subject sez 'I want my two dollars', he didn't want
> a 'refund' - he wanted fuel credit for the $2 he had paid. The issue
> didn't have anything to do with 'refund'.

> Seems like searching on 'fuel' and 'paid' concurrent would make more
> sense, but I didn't try it.

Paul Johnson wrote:
> Howso?
The original poster just danced around the word "refund"
> without using it, IIRC...

Au contraire, Pierre. You do not recall correctly; YDNRC. He just wanted proper credit in his account for the fuel he had paid for. No dancing.

--
Mike Easter
kibitzer, not SC admin

From neil.howie at Ireportallspam.net Sat Oct 16 11:16:56 2004
From: neil.howie at Ireportallspam.net (Neil Howie)
Date: Sat Oct 16 05:20:22 2004
Subject: [SpamCop-List] Mailhost configuration
Message-ID:

I don't like to criticise spamcop who have been doing a sterling job of sanitising my mail, but I must say that the article on mailhost configuration is as clear as mud, because it is lacking in examples.

Some of my mail is forwarded into my spamcop.net mailbox and then forwarded on to my home account. From the description given, I have no idea where I should start configuring.

--
Neil
Anti-spam - Domain is really oakleaf ~ idps ~ co ~ uk (change ~ to dot)

From sap at internaviga.it Sat Oct 16 14:44:39 2004
From: sap at internaviga.it (Uomovento)
Date: Sat Oct 16 07:45:22 2004
Subject: [SpamCop-List] mail reporting address
Message-ID:

I have registered a free account to send spam reports via Mailwasher but, after login, I can't find my spamcop email address to set in Mailwasher for reporting.

Can anyone help me please?

From MikeE at ster.invalid Sat Oct 16 08:13:23 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 10:15:22 2004
Subject: [SpamCop-List] Re: Mailhost configuration
References:
Message-ID:

Neil Howie wrote:
> I don't like to criticise spamcop who have been doing a sterling job
> of sanitising my mail, but I must say that the article on mailhost
> configuration is as clear as mud, because it is lacking in examples.
>
> Some of my mail is forwarded into my spamcop.net mailbox and then
> forwarded on to my home account. From the description given, I have no
> idea where I should start configuring.
Disclaimer: I've never used or configured a mailhosts, but I went to read the page called "mailhost configuration" accessed by clicking on 'mailhosts' from the logged in parser page.

You can see a slightly different page if you access it from help or the faq at http://www.spamcop.net/fom-serve/cache/397.html

The former has an access point to click into 'Add first hosts' at the bottom and a .gif graphic whose name is 'forwarding_diagram' which is missing on the page accessed from help or the faq.

There is even more discussion at http://forum.spamcop.net/forums/index.php?showtopic=2009 as well as the general mailhosts forum http://forum.spamcop.net/forums/index.php?showforum=7 where with reading one can get a 'feeling' about the handling of probes to aid the configuration and the admonitions about not using quick reporting or the reporting of any spam until all mailhosts are configured.

Have you seen all of those, including the diagram?

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 16 08:21:14 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 10:20:04 2004
Subject: [SpamCop-List] Re: mail reporting address
References:
Message-ID:

Uomovento wrote:
> I have registered a free account to send spam reports via Mailwasher
> but, after login, I can't find my spamcop email address to set in
> Mailwasher for reporting.
>
> Can anyone help me please?

When you are logged in at the report spam parser, it is just above the spam submission window in the sentence

Forward your spam to: submit.16charANcodeNMBR@spam.spamcop.net
or: Paste entire spam (headers, blank line, body)
- or - single address (one line only):

where '16charANcodeNMBR' above is to represent your own unique code and the submit address is the one to use for reporting.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 16 08:44:04 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 10:45:03 2004
Subject: [SpamCop-List] Re: mail reporting address
References:
Message-ID:

Uomovento wrote:
> Mailwasher

Anyone who is a MW user has been subjected to a lot of lies and misleading information from the MW developers.

Do *not* believe anything MW tells you about bogus bouncing. It is almost universally harmful and abusive and should definitely be turned off in all instances. MW should *not* be used in its default configuration, which involves bogus bouncing.

Disclaimer: I have never used MW nor seen it open on a screen; but I'm very familiar with the information at the MW site and at FireTrust and at computercops.biz forums, where people say things like "The main reason why I wanted Mailwasher is for the bounce option" which proves that the lies the MW developers tell are pervasive and influential.

Fortunately, if you search bounce in those forums the majority of posters there are knowledgeable about the evils of bouncing -- however, I fear that the majority of /users/ are not readers of the forum and actually use MW in its bad default condition.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Sat Oct 16 18:07:34 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat Oct 16 11:10:03 2004
Subject: [SpamCop-List] Re: mail reporting address
References:
Message-ID:

On Sat, 16 Oct 2004 07:44:04 -0700, Mike Easter coughed into spamcop and left this in :

> Do *not* believe anything MW tells you about bogus bouncing. It is
> almost universally harmful and abusive and...

...can lead to you losing your account with your ISP because it forges bounce messages from postmaster@your_isp.tld.
ISPs don't usually like their subscribers trying to pass themselves off as the postmaster, nor do they appreciate the backscatter which lands in their postmaster mailbox which, if it complies with the RFCs, is unfiltered.

--
Steve
Linux: the choice of a GNU generation -- ksh @ cis . ufl . edu put this on Tshirts in '93

From MikeE at ster.invalid Sat Oct 16 09:17:57 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 11:20:05 2004
Subject: [SpamCop-List] Re: mail reporting address
References:
Message-ID:

Mike Easter wrote:
> Disclaimer: I have never used MW nor seen it open on a screen;

If someone here who uses MW and has a website where they could paste a screenshot, it would be nice to have a link to a screenshot of the disabling of MW's bogus bounce feature.

I looked all around in the forums and firetrust support but couldn't find a useful description of the access to the bounce feature. I could probably find a word description if I searched the forums long enough, because there is so *much* antibounce sentiment there, but a screenshot is the best.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 16 09:29:25 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 11:30:03 2004
Subject: [SpamCop-List] Re: mail reporting address
References:
Message-ID:

Steven Maesslein wrote:
> Mike Easter
>> Do *not* believe anything MW tells you about bogus bouncing. It is
>> almost universally harmful and abusive and...
>
> ...can lead to you losing your account with your ISP because it forges
> bounce messages from postmaster@your_isp.tld.
>
> ISPs don't usually like their subscribers trying to pass themselves
> off as the postmaster, nor do they appreciate the backscatter which
> lands in their postmaster mailbox which, if it complies with the
> RFCs, is unfiltered.

----------------
http://computercops.biz/postlite43343-bouncing.html

stan_qaz
"My ISPs weren't amused either and told me I'd get turned off if I didn't quit."
----------------

I'm still drilling around in those forums; I'm glad I found that cite, once I was having an argument in alt.spam where someone doubted the /real/ danger of a provider squashing someone's account for fraudulent bogus bouncing.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 16 09:37:57 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 11:40:04 2004
Subject: [SpamCop-List] Re: mail reporting address
References:
Message-ID:

Mike Easter wrote:
> If someone here who uses MW and has a website where they could paste a
> screenshot, it would be nice to have a link to a screenshot of the
> disabling of MW's bogus bounce feature.

Here's an example of the kind of problem someone can have 'thoroughly' disabling MW's bounce - I pasted it into an alt.spam discussion but it was extracted from a MW forum discussion:

==============
From: "Mike Easter"
Newsgroups: alt.spam
Subject: Re: Please advice
Message-ID: <2CC0d.239$_G4.176@newsread3.news.pas.earthlink.net>
Date: Sat, 11 Sep 2004 12:56:30 GMT

As a classic example of how the developers of MW making the bogus bounce function the default condition permeating the entire application, here's an exchange in your pet CCSP firetrust/MW forum about a bouncing configuration problem. This better than average user who has the good sense to want to disable bouncing and also the above average motivation and drive to find a MW forum to ask questions needed the help of 2 or 3 experienced experts to rid himself of bouncing.

-------------------------
Post subject: Can't disable bounce

I have unchecked every option in "Spam Tools" so as to disable the bounce feature but Mailwasher insists on putting a check in the Bounce column on most all Spam. What gives?
-------------------------
Have you disabled bouncing at each account?
-------------------------
Ike, that will let you remove the bounce column but it sounds like he missed a spot in one of the spam tools.
bdinger, go back and go through the tools again and check each sub-tab to make sure you didn't miss one. That is the most likely problem.
-------------------------
It would be good if there were a Super-button to disable all bouncing.
-------------------------
I only have one account so yes, I have disabled for each account. In reply to the post just after yours, I went back through the Spam Tools for about the 7th time and no, there is not one check in any of the Bounce options including the subroutines.
-------------------------
That is really strange, nobody has reported a problem like this that wasn't traceable back to a tool. What is the status field for the messages getting marked for bouncing?
-------------------------
Apparently, most all of them share the status - "Not to me".
-------------------------
You must have a filter with a status field "Not to me". Check each of your filters to look for such a status field. When you find it, you have your culprit!
-------------------------
OOPs, it looks like neither of us was specific enough where to look... Each filter has individually settable options that need to be checked by opening each filter. This could use some UI improvement!
-------------------------
Yes, that was it. I've unchecked the bounce option. Thanks.

And, not only that, but on top of everything else, if you will go thru' the MW site promoting the product, bogus bouncing is promoted as the greatest thing since sliced bread. Next, I'll have to bring some of that crap over here to show you.
==============
-- 
Mike Easter
kibitzer, not SC admin

From spamcop at bnmnetworks.net Sat Oct 16 12:44:28 2004
From: spamcop at bnmnetworks.net (Scott Nelson)
Date: Sat Oct 16 11:45:03 2004
Subject: [SpamCop-List] Re: Secret Service - Phishing
References: <416D82BB.CBC9A21F@spamisevil.com>
Message-ID:

"Peter Pearson" wrote in message news:ckpbg3$rmd$1@news.spamcop.net...
> Scott Nelson wrote: > > > Report suspicious activity to the FTC.
If you get spam that is phishing > > for information, forward it to spam@uce.gov > > I wouldn't deny the Authorities the opportunity to put their Top People > on it, but I suggest forwarding it to spoof@millersmiles.co.uk. > The "spoof and phishing" page at http://millersmiles.co.uk/ makes > interesting reading, and scams reported there seem to go off > the air quickly. > > - Peter Pearson -->Good link. Thanks! Scotty From MikeE at ster.invalid Sat Oct 16 09:54:01 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 16 11:55:02 2004 Subject: [SpamCop-List] Re: Secret Service - Phishing References: <416D82BB.CBC9A21F@spamisevil.com> Message-ID: Scott Nelson wrote: > "Peter Pearson" >> The "spoof and phishing" page at http://millersmiles.co.uk/ makes >> interesting reading, and scams reported there seem to go off >> the air quickly. > -->Good link. Thanks! Very interesting site; I especially liked the books section http://millersmiles.co.uk/bookguide/bookguide.htm -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Sat Oct 16 13:33:44 2004 From: eddie at eddie.web (eddie) Date: Sat Oct 16 12:35:02 2004 Subject: [SpamCop-List] No reporting address for emailtoday2004.com?? Message-ID: What's with http://www.emailtoday2004.com SC cannot find a reporting address for it. It must have an ISP, no? -- Rather: I don't want to be argumentative, Mr. vice president. Bush41(veep):You do, Dan. Rather: No -- no, sir, I don't. From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sat Oct 16 19:34:48 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sat Oct 16 12:35:18 2004 Subject: [SpamCop-List] openrbl via senderbase Message-ID: What's going on at http://openrbl.org? This site still works but their format changed and the link that you get in www.senderbase.org is wrong. Senderbase.org in turn is called from one of the spamcop menus. 

From fred558 at bobames.com Sat Oct 16 20:00:52 2004
From: fred558 at bobames.com (Bob Ames)
Date: Sat Oct 16 13:05:03 2004
Subject: [SpamCop-List] Re: No reporting address for emailtoday2004.com??
In-Reply-To:
References:
Message-ID:

eddie wrote:
> What's with > http://www.emailtoday2004.com > SC cannot find a reporting address for it. It must have an ISP, no?

$ whois emailtoday2004.com
[Querying whois.networksolutions.com]
[whois.networksolutions.com]
Registrant:
None (TERXVVFVWD)
1200 Western Avenue
Seattle, WA 98101
US
Domain Name: EMAILTODAY2004.COM
Administrative Contact, Technical Contact:
Alan, Robert (38475615P) biz300@mail.com
Box 1259
Seattle, WA 98111
US
(503)213-6416
Record expires on 30-Sep-2005.
Record created on 30-Sep-2004.
Database last updated on 16-Oct-2004 12:45:31 EDT.
Domain servers in listed order:
NS1.ACTIVENAMESERVER.INFO 221.139.2.77
NS2.ACTIVENAMESERVER.INFO 222.55.10.24

$ host www.emailtoday2004.com
www.emailtoday2004.com is an alias for emailtoday2004.com.
emailtoday2004.com has address 167.212.112.214

$ nslookup 167.212.112.214
** server can't find 214.112.212.167.in-addr.arpa: NXDOMAIN

$ nslookup emailtoday2004.com
Non-authoritative answer:
Name: emailtoday2004.com
Address: 167.212.112.214

$ whois 167.212.112.214
OrgName: Shark Information Services Corporation
OrgID: SISV
Address: 120 Wall Street, 9th floor
City: New York
StateProv: NY
PostalCode: 10005
Country: US
NetRange: 167.212.0.0 - 167.212.255.255
CIDR: 167.212.0.0/16
NetName: SHARK
NetHandle: NET-167-212-0-0-1
Parent: NET-167-0-0-0-0
NetType: Direct Allocation
Comment:
RegDate: 1993-10-06
Updated: 2003-06-19

$ whois ACTIVENAMESERVER.INFO
[whois.afilias.info]
Domain ID:D6120817-LRMS
Domain Name:ACTIVENAMESERVER.INFO
Created On:11-Aug-2004 03:36:02 UTC
Last Updated On:21-Sep-2004 12:25:11 UTC
Expiration Date:11-Aug-2006 03:36:02 UTC
Sponsoring Registrar:R158-LRMS
Status:ACTIVE
Status:OK
Registrant ID:C5072667-LRMS
Registrant Name:berardo D
Registrant Organization:Shared Hosting S.A.
Registrant Street1:Av de mayo 3243
Registrant City:Buenos Aires
Registrant Postal Code:21111
Registrant Country:AR
Registrant Phone:+82.1544447755
Registrant FAX:+82.1544441217
Registrant Email:bulkmails -at- tom.com
Admin ID:C5072668-LRMS
Admin Name:berardo D
Admin Organization:Shared Hosting S.A.
Admin Street1:Av de mayo 3243
Admin City:Buenos Aires
Admin Postal Code:21111
Admin Country:AR
Admin Phone:+82.1544447755
Admin Email:bulkmails@tom.com
Billing ID:C5072669-LRMS
Billing Name:berardo D
Billing Organization:Shared Hosting S.A.
Billing Street1:Av de mayo 3243
Billing City:Buenos Aires
Billing Postal Code:21111
Billing Country:KR
Billing Phone:+82.1544447755
Billing Email:bulkmails@tom.com
Tech ID:C5072669-LRMS
Tech Name:berardo D
Tech Organization:Shared Hosting S.A.
Tech Street1:Av de mayo 3243
Tech City:Buenos Aires
Tech Postal Code:21111
Tech Country:KR
Tech Phone:+82.1544447755
Tech Email:bulkmails@tom.com
Name Server:NS1.ACTIVENAMESERVER.INFO
Name Server:NS2.ACTIVENAMESERVER.INFO

The nameserver for this domain has no reverse DNS, which violates RFCs. This registration has too many sets of consecutive numbers so I think the -at- tom.com address is bogus.

-- 
Bob (Use bob at this domain to reach me)
Don't Send Any Email To:

From MikeE at ster.invalid Sat Oct 16 11:33:24 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 13:35:09 2004
Subject: [SpamCop-List] Re: No reporting address for emailtoday2004.com??
References:
Message-ID:

eddie wrote:
> What's with > http://www.emailtoday2004.com > SC cannot find a reporting address for it. It must have an ISP, no?
SC comes up empty because arin is empty Parsing input: http://www.emailtoday2004.com/ host 167.212.112.214 (getting name) no name Display data: "whois 167.212.112.214@whois.arin.net" (Getting contact from whois.arin.net ) nothing found host 167.212.112.214 (getting name) no name That is very difficult, it leads to shark which doesn't have a contact addy and is spews and spamhaus listed It doesn't have an asn number at cymru or radb to work with Sapient Fridge worked it up in nanae today: http://snipurl.com/9tgj Message-ID: From: Sapient Fridge Newsgroups: news.admin.net-abuse.email Subject: Re: E-mail from Robert Soloway? Date: Sat, 16 Oct 2004 09:41:47 GMT and showed this about the hijack status http://www.completewhois.com/hijacked/files/167.212.0.0.txt http://www.spamhaus.org/SBL/sbl.lasso?query=SBL9111 I don't think it is useful to attack the .cn & .kr nameservice for the url, tracert doesn't help. Since it is a spamvertised link; you're pretty much left to drop it as far as SC goes and let the spews spamhaus situation work on it. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Oct 16 11:36:16 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 16 13:35:25 2004 Subject: [SpamCop-List] Re: openrbl via senderbase References: Message-ID: geo_splash_12 wrote: > What's going on at http://openrbl.org? This site still works but their > format changed and the link that you get in www.senderbase.org is > wrong. Senderbase.org in turn is called from one of the spamcop menus. I never try to go to senderbase from openrbl, I always go from SC. I liked the older openrbl format better, but it doesn't make that much difference to me. I currently use dnsstuff more than openrbl for multi dnsbl search. 
-- 
Mike Easter
kibitzer, not SC admin

From A_No_Spam_Haumer at gmx.net Sat Oct 16 21:20:34 2004
From: A_No_Spam_Haumer at gmx.net (Anton Haumer)
Date: Sat Oct 16 14:25:06 2004
Subject: [SpamCop-List] Re: mail reporting address
References:
Message-ID: <41716672.84D2F513@gmx.net>

Mike Easter wrote:
> > Mike Easter wrote: > > Disclaimer: I have never used MW nor seen it open on a screen; > > If someone here who uses MW and has a website where they could paste a > screenshot, it would be nice to have a link to a screenshot of the > disabling of MW's bogus bounce feature. > > I looked all around in the forums and firetrust support but couldn't find > a useful description of the access to the bounce feature. I could > probably find a word description if I searched the forums long enough, > because there is so *much* antibounce sentiment there, but a screenshot > is the best. > > -- > Mike Easter > kibitzer, not SC admin

Well, I'm using MailWasher, I'm satisfied. I've switched off bouncing totally, I use MW to submit spam. You have to go to Spam Tools, unfortunately You have to go through a rather long list to switch off bouncing for:
* emails marked by First Alert filter
* emails marked by personal blacklist
* emails marked by personal filters
* emails marked by learning filters
* emails marked by DNS blacklist filters
But: You have to do this setup only once. And: You see the list of emails and You can check whether there are any marked for bouncing. I go through the list and mark for deletion only or deletion and submission to SC. Only the rest I get with Outlook.

Toni

From nobody at apamcop.com Sat Oct 16 15:13:24 2004
From: nobody at apamcop.com (cwg)
Date: Sat Oct 16 15:15:05 2004
Subject: [SpamCop-List] New interface really sucks now
Message-ID:

I mean, before, I didn't mind the lack of margins, but now, can't even login from the front page?
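
[Added example, not part of any post in this archive and not Bob Ames's own method: a Python check over the ACTIVENAMESERVER.INFO whois record quoted in his message earlier in the thread. It groups the "Role Field:Value" lines by contact and reports where the stated country disagrees with the phone prefix or with another contact in the same city. The excerpt is copied from that record; the CALLING_CODES table and all function names are assumptions made for this illustration.]

```python
import re
from collections import defaultdict

# Excerpt of the Afilias-style "Key:Value" record quoted in the thread.
RECORD = """\
Registrant Name:berardo D
Registrant Organization:Shared Hosting S.A.
Registrant City:Buenos Aires
Registrant Country:AR
Registrant Phone:+82.1544447755
Registrant Email:bulkmails -at- tom.com
Admin City:Buenos Aires
Admin Country:AR
Admin Phone:+82.1544447755
Admin Email:bulkmails@tom.com
Billing City:Buenos Aires
Billing Country:KR
Billing Phone:+82.1544447755
Billing Email:bulkmails@tom.com
Tech City:Buenos Aires
Tech Country:KR
Tech Phone:+82.1544447755
Tech Email:bulkmails@tom.com
Name Server:NS1.ACTIVENAMESERVER.INFO
Name Server:NS2.ACTIVENAMESERVER.INFO
"""

ROLES = ("Registrant", "Admin", "Billing", "Tech")

# Small calling-code table for this illustration (assumption: extend as needed).
CALLING_CODES = {"1": "US", "54": "AR", "82": "KR"}


def parse_contacts(text):
    """Group 'Role Field:Value' lines into {role: {field: value}}."""
    contacts = defaultdict(dict)
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        role, _, field = key.strip().partition(" ")
        # 'Name Server:...' and domain-level keys have no contact role; skip them.
        if role in ROLES and field:
            contacts[role][field.lower()] = value.strip()
    return dict(contacts)


def phone_country(phone):
    """Map '+CC.number' to a country via CALLING_CODES; None if unknown."""
    match = re.match(r"\+(\d{1,3})\.", phone or "")
    return CALLING_CODES.get(match.group(1)) if match else None


def normalise_email(addr):
    """Undo simple ' -at- ' obfuscation so addresses can be compared."""
    return re.sub(r"\s*-at-\s*", "@", addr or "").lower()


def inconsistencies(contacts):
    """Return human-readable findings where the record contradicts itself."""
    findings = []
    for role, fields in contacts.items():
        implied = phone_country(fields.get("phone"))
        stated = fields.get("country")
        if implied and stated and implied != stated:
            findings.append(
                f"{role}: country {stated} but phone prefix implies {implied}")
    countries_by_city = defaultdict(set)
    for fields in contacts.values():
        if fields.get("city") and fields.get("country"):
            countries_by_city[fields["city"]].add(fields["country"])
    for city, countries in countries_by_city.items():
        if len(countries) > 1:
            findings.append(f"{city} listed under countries {sorted(countries)}")
    return findings


if __name__ == "__main__":
    parsed = parse_contacts(RECORD)
    for finding in inconsistencies(parsed):
        print(finding)
    print(sorted({normalise_email(c["email"]) for c in parsed.values()}))
```
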
From nobody at devnull.spamcop.net Sat Oct 16 20:15:00 2004 From: nobody at devnull.spamcop.net (JohnL) Date: Sat Oct 16 15:15:20 2004 Subject: [SpamCop-List] Re: New interface really sucks now References: Message-ID: "cwg" scribbled in news:ckrrr3$rod$1@news.spamcop.net: > I mean, before, I didn't mind the lack of margins, but now, can't > even login from the front page? > > > Did you try the boxes in the upper right of the screen? From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sat Oct 16 23:14:05 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sat Oct 16 16:15:11 2004 Subject: [SpamCop-List] Re: openrbl via senderbase In-Reply-To: References: Message-ID: Mike Easter wrote: > geo_splash_12 wrote: > >>What's going on at http://openrbl.org? This site still works but their >>format changed and the link that you get in www.senderbase.org is >>wrong. Senderbase.org in turn is called from one of the spamcop menus. > > > I never try to go to senderbase from openrbl, I always go from SC. I > liked the older openrbl format better, but it doesn't make that much > difference to me. I currently use dnsstuff more than openrbl for multi > dnsbl search. > Hey kibitzer, the script is wrong, that's all. From MikeE at ster.invalid Sat Oct 16 14:41:35 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 16 16:40:05 2004 Subject: [SpamCop-List] Re: openrbl via senderbase References: Message-ID: geo_splash_12 wrote: > Mike Easter wrote: >> geo_splash_12 wrote: >>> the link that you get in >>> www.senderbase.org is wrong. >> I never try to go to senderbase from openrbl, > Hey kibitzer, the script is wrong, that's all. Okay... checking it out. I put in an IP at openrbl; my javascript is disabled so I have to do another click; then I get my report. 
Down in the lower section is Search "167.212.112.214" at [Google |SpamCop*| SenderBase] [MAPS |Schlund] then clicking senderbase in there I go to http://openrbl.org/link/167.212.112.214@sb and get the same senderbase display I would have gotten if I had gone to http://www.senderbase.org/search and put that IP into the search field function there. What is different/wrong? I didn't use the senderbase link before the format change, but I can't imagine that the senderbase display would've been any different. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Oct 16 15:03:46 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 16 17:05:06 2004 Subject: [SpamCop-List] Re: openrbl via senderbase References: Message-ID: Mike Easter wrote: > then clicking senderbase in there I go to > http://openrbl.org/link/167.212.112.214@sb > > and get the same senderbase display I would have gotten if I had gone > to http://www.senderbase.org/search and put that IP into the search > field function there. No it's not. The openrbl one is for the /24; the senderbase one from SC and the senderbase search is the IP. The openrbl link generates another link: http://www.senderbase.org/search?rawWhois=1&searchBy=ipaddress&searchString=167.212.112.214/24 That is in error. I see the problem. -- Mike Easter kibitzer, not SC admin From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sun Oct 17 00:09:09 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sat Oct 16 17:10:03 2004 Subject: [SpamCop-List] Re: openrbl via senderbase In-Reply-To: References: Message-ID: Mike Easter wrote: > Mike Easter wrote: > >>then clicking senderbase in there I go to >>http://openrbl.org/link/167.212.112.214@sb >> >>and get the same senderbase display I would have gotten if I had gone >>to http://www.senderbase.org/search and put that IP into the search >>field function there. > > > No it's not. 
The openrbl one is for the /24; the senderbase one from SC > and the senderbase search is the IP. > > The openrbl link generates another link: > http://www.senderbase.org/search?rawWhois=1&searchBy=ipaddress&searchString=167.212.112.214/24 > > > That is in error. I see the problem. > > It always takes some iterations to convince you. From Kilgallen at SpamCop.net Sat Oct 16 17:12:30 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Oct 16 17:15:03 2004 Subject: [SpamCop-List] Re: New interface really sucks now References: Message-ID: In article , "Michael Vilain " writes: > In article , > JohnL wrote: > >> "cwg" scribbled in >> news:ckrrr3$rod$1@news.spamcop.net: >> >> > I mean, before, I didn't mind the lack of margins, but now, can't >> > even login from the front page? >> > >> >> Did you try the boxes in the upper right of the screen? > > Just so you know, iCab doesn't support CSS2 yet (it's been over 2 > years--sheesh) and doesn't display the spamcop page very well. At the > bottom of the page, spamcop says "HTML 4 / CSS2 Firefox recommended". > > I realize that at some point, web site developers have to decide what > browsers they'll support. Most lazy-assed web designers like those at > some major companies and even local governments just code for Internet > Explorer because that's what their web design tools do. At least > Spamcop has made an effort to make a usable form that looks clean. The new format works fine in Netscape Communicator 4. From taghat at geldner.com Sat Oct 16 22:20:05 2004 From: taghat at geldner.com (Tom Geldner) Date: Sat Oct 16 17:25:03 2004 Subject: [SpamCop-List] Re: Mail being parsed incorrectly References: Message-ID: "Mike Easter" wrote in news:ckpqu7$p93$1 @news.spamcop.net: > This is extremely helpful in > preventing errors; /if/ the mailhosts configuration is correct, ie > accurate. OK, I just gave the mailhosts config a shot for my three main accounts. We shall see. 
-- 
Tom
Remove my hat to reply

From nobody at devnull.spamcop.net Sat Oct 16 22:20:38 2004
From: nobody at devnull.spamcop.net (JohnL)
Date: Sat Oct 16 17:25:18 2004
Subject: [SpamCop-List] Re: New interface really sucks now
References:
Message-ID:

Kilgallen@SpamCop.net (Larry Kilgallen) scribbled in news:auMO0RnZjEV7 @eisner.encompasserve.org:
> The new format works fine in Netscape Communicator 4.

You can even log in using NS3.01 ;-)

From MikeE at ster.invalid Sat Oct 16 15:29:39 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 17:30:03 2004
Subject: [SpamCop-List] Re: openrbl via senderbase
References:
Message-ID:

geo_splash_12 wrote:
> Mike Easter wrote: >> That is in error. I see the problem. > > It always takes some iterations to convince you.

I have to see it for myself before I believe it ;-) .. then the next part of the problem is when I don't understand or believe what I'm seeing. Then it gets really bad.

-- 
Mike Easter
kibitzer, not SC admin

From baloo at ursine.dyndns.org Sat Oct 16 15:40:51 2004
From: baloo at ursine.dyndns.org (Paul Johnson)
Date: Sat Oct 16 17:45:03 2004
Subject: [SpamCop-List] Re: New interface really sucks now
References:
Message-ID: <87acumbau4.fsf@ursine.dyndns.org>

"Michael Vilain " writes:
> Just so you know, iCab doesn't support CSS2 yet (it's been over 2 > years--sheesh) and doesn't display the spamcop page very well. At the > bottom of the page, spamcop says "HTML 4 / CSS2 Firefox recommended".

Well, iCab needs to become standards compliant, then. File a bug report, this isn't a spamcop bug.

> I realize that at some point, web site developers have to decide what > browsers they'll support.

You missed the lesson to be learned here entirely. At some point web developers will have to realize that gratuitously violating standards isn't the way to get their page viewed, and browser developers will have to realize that gratuitously failing to support standards isn't the way to get people to use their software. Firefox is winning because more people are realizing exactly that.

> Guess the OP is going to have to find some other way to deal with spam > since they can't use spamcop anymore. That's what they get for using > lynx.

Looks great in Lynx. Why would you think otherwise unless you didn't actually try it?

From sap at internaviga.it Sun Oct 17 01:36:50 2004
From: sap at internaviga.it (Uomovento)
Date: Sat Oct 16 18:40:09 2004
Subject: [SpamCop-List] Re: mail reporting address
References:
Message-ID:

"Mike Easter" wrote in message news:ckraln$rhm$1@news.spamcop.net...
> Uomovento wrote: > > I have registered a free account to send spam reports via Mailwasher > > but, after login, I can't find my spamcop email address to set in > > Mailwasher for reporting. > > > > Can anyone help me please? > > When you are logged in at the report spam parser, it is just above the > spam submission window in the sentence > > Forward your spam to: submit.16charANcodeNMBR@spam.spamcop.net or: > Paste entire spam (headers, blank line, body) - or - single address (one > line only): > > where '16charANcodeNMBR' above is to represent your own unique code and > the submit address is the one to use for reporting. > > > -- > Mike Easter > kibitzer, not SC admin >

When I'm logged I can't see a report spam parser. I'm in a page with an "ISP control center" with "Find reports" or "Close issues" options.

The other options on top of the page are: Statistics Webmail Preferences Add routes Show routes and I don't see a code in none of these.
From nobody at devnull.spamcop.net Sat Oct 16 20:29:43 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Oct 16 20:30:18 2004 Subject: [SpamCop-List] Re: mail reporting address References: Message-ID: "Uomovento" wrote in message news:cks7pe$j2g$1@news.spamcop.net... > > When I'm logged I can't see a report spam parser. I'm in a page with an "ISP > control center" with "Find reports" or "Close issues" otpions. This means that somehow the bits got flipped to set your account to an ISP .... send enough data to identify the account and yourself to service@admin.spamcop.net and Don will take care of that issue. From nobody at spamcop.net Sat Oct 16 21:35:50 2004 From: nobody at spamcop.net (Ellen) Date: Sat Oct 16 20:40:03 2004 Subject: [SpamCop-List] Re: mail reporting address References: Message-ID: "Uomovento" wrote in message news:cks7pe$j2g$1@news.spamcop.net... > > > > When I'm logged I can't see a report spam parser. I'm in a page with an "ISP > control center" with "Find reports" or "Close issues" otpions. > > The other options on top of the page are: Statistics Webmail Preferences > Add routes Show routes and I don't see a code in none of these. > Your account had an ISP flag -- I removed it. You should be able to log in OK now. Ellen From bomarc_com at spam.hotmail.nospam.com.use.spamcop.net Sat Oct 16 18:53:22 2004 From: bomarc_com at spam.hotmail.nospam.com.use.spamcop.net (Dan French) Date: Sat Oct 16 20:55:03 2004 Subject: [SpamCop-List] Latin Magic... Message-ID: Ref: http://www.spamcop.net/sc?id=z682953981z0140e0fda380e5a225c796ad1f8262dcz Has been sending me spam (about once a month) for several years now. 
The most recent part has:

Tracking link: http://www.latinmagic.com
[report history]
ISP believes this issue is resolved http://www.latinmagic.com
Resolves to 209.215.97.106
Routing details for 209.215.97.106
[refresh/show] Cached whois for 209.215.97.106 : abuse@bellsouth.net
Using abuse net on abuse@bellsouth.net
abuse net bellsouth.net = abuse@bellsouth.net
Using best contacts abuse@bellsouth.net
ISP has already taken action against the account:http://www.latinmagic.com (Red)
http://www.latinmagic.com has been appealed previously. (Yellow)

How could a spammer "appealed previously" ?
Why is there no report going to bellsouth?
Why is there no report history for http://www.latinmagic.com ?
If ISP has taken action against Latin Magic, why are they still up?

Dan French

(Info showing latinmagic is still running below)

C:\>ping www.latinmagic.com
Pinging monster.latinmagic.com [209.215.97.106] with 32 bytes of data:
Reply from 209.215.97.106: bytes=32 time=120ms TTL=42
Ping statistics for 209.215.97.106:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 120ms, Maximum = 120ms, Average = 120ms

C:\>tracert www.latinmagic.com
Tracing route to monster.latinmagic.com [209.215.97.106] over a maximum of 30 hops:
...
13 119 ms 120 ms 119 ms so-6-0-0.gar1.Atlanta1.Level3.net [4.68.96.10]
14 121 ms 121 ms 121 ms BELLSOUTH-TE.gar1.Level3.net [67.72.8.42]
15 121 ms 121 ms 131 ms axr00asm-1-0-0.bellsouth.net [65.83.236.3]
16 127 ms 126 ms 126 ms ixc00bhm-6-0-1.bellsouth.net [65.83.237.41]
17 124 ms 117 ms 117 ms 207.203.159.89
18 120 ms 121 ms 120 ms 68.152.224.106
19 127 ms 121 ms 119 ms monster.simplecom.net [209.215.97.106]
Trace complete.

From lordtyr at paganpower.com Sat Oct 16 19:12:30 2004
From: lordtyr at paganpower.com (Lord Tyr)
Date: Sat Oct 16 21:15:03 2004
Subject: [SpamCop-List] Re: New interface really sucks now
In-Reply-To:
References:
Message-ID:

cwg wrote:
> I mean, before, I didn't mind the lack of margins, but now, can't even login > from the front page? > >

Well my only "complaint" with the new interface is that even without the "Lag" screen it seems to take longer to Report Spam? Nothing has changed on my PC that would cause a difference? I even tried it at the PC's at my work...

----------------------------
Lord Tyr
LordTyr@paganpower.com
AMD-64 3200+, 3 512 DDR's 2700, Two 120g Wd Hd, Two 40g SATA Wd Hd (Raid 0), Asus K8V SE Deluxe, ATI Radeon 9200 Agp, XP Pro, Roudrunner (3000/384) - Linksys BEFSR41

From MikeE at ster.invalid Sat Oct 16 19:19:04 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 21:20:03 2004
Subject: [SpamCop-List] Re: Latin Magic...
References:
Message-ID:

Dan French wrote:
www.spamcop.net/sc?id=z682953981z0140e0fda380e5a225c796ad1f8262dcz

That item shows a spam sourced at swbell.net for some reason relayed thru' llc.net to a yahoo which is spamvertising latinmagic.

> ISP believes this issue is resolved http://www.latinmagic.com

If a provider indicates in any way that they don't want to hear any more about something, then SC is no longer interested in telling them any more about it. SC spamvertiser notifies have no teeth, they are a 'courtesy' - if the provider doesn't want to hear about it, that's just fine with SC.

If you think a spamvertiser provider or its upstream adjacencies or the FBI or Immigration Services or anyone else need to be notified about something, then it is up to you to do it with your own mail.

> Resolves to 209.215.97.106 > abuse@bellsouth.net > > ISP has already taken action against the > http://www.latinmagic.com has been appealed previously. > (Yellow) > How could a spammer "appealed previously" ?

Has /been/ appealed.
If a SC paying reporter wants to 'appeal' to SC to notify even tho' the provider sed they don't want to hear about it they can do so up to a point; but that isn't much more important than a nonpaying one if the provider doesn't want to hear about it. In the end, the provider who doesn't want to hear about it doesn't have to hear about it. Get it? If the provider doesn't want to hear about it, it doesn't have to. > Why is there no report going to bellsouth? The provider doesn't want to hear about it. > Why is there no report history for http://www.latinmagic.com ? I don't know what that means. > If ISP has taken action against Latin Magic, why are they still up? The action the provider took doesn't include taking down the site. > C:\>ping www.latinmagic.com Pinging something isn't the same as there being a site there. > C:\>tracert www.latinmagic.com Tracert/ing something isn't the same as there being a site there. But, my SSpers GET function shows me there is an operational site there. So would a browser. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Oct 16 19:32:58 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 16 21:35:02 2004 Subject: [SpamCop-List] Re: Latin Magic... References: Message-ID: Mike Easter wrote: > If a provider indicates in any way that they don't want to hear any > more about something, then SC is no longer interested in telling them > any more about it. > SC spamvertiser notifies have no teeth, they are a > 'courtesy' - if the provider doesn't want to hear about it, that's > just fine with SC. For example, if a spamvertiser provider wanted to, they could tell SC that they don't want to hear about *any* of their spamvertisers - as a /blanket/ position. All they would have to do would be to read this: http://www.spamcop.net/fom-serve/cache/92.html SpamCop now features a way to refuse or accept each type of report individually. 
So if you get a lot of erroneous "web hosting" report, but you still want to be alerted to abused open relays on your network, you should use the new report selection preferences.

Then, by clicking to here http://www.spamcop.net/fom-serve/cache/266.html

You can elect to accept or refuse reports depending on their type (source of mail, web hosting, open relays, etc..).

then SC will continue to courteously notify them about source, open relays, or whatever they like - and *not* notify them about the webhosting spamvertising.

A provider could also say that they don't want to be notified about spamsources or to be sent any munged reports, but the spamsource report would still count toward the SCbl, so it is to the provider's disadvantage to not be receiving such reports.

Since the SC spamvertiser notifies count toward nothing, there really isn't any necessity for the spamvertiser to hear about them if they don't intend to do anything about it.

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 16 19:35:32 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 21:35:17 2004
Subject: [SpamCop-List] Re: Latin Magic...
References:
Message-ID:

Mike Easter wrote:
> Since the SC spamvertiser notifies count toward nothing, there really > isn't any necessity for the spamvertiser to hear about them if they > don't intend to do anything about it.

s/spamvertiser/spamvertiser provider/

Put in provider 2 places.

Since the SC spamvertiser provider notifies count toward nothing, there really isn't any necessity for the spamvertiser provider to hear about them if they don't intend to do anything about it.

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Oct 16 20:08:57 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Oct 16 22:10:15 2004
Subject: [SpamCop-List] Re: Latin Magic...
References:
Message-ID:

And another thing....
Dan French wrote: > http://www.latinmagic.com > Resolves to 209.215.97.106 > Using best contacts abuse@bellsouth.net Just in case it makes you feel any better about the fact that the provider doesn't have to listen to any SC notifies from you or anyone else, that IP and its associated block are spewed because of another, different issue of unresponsiveness. http://spews.org/html/S1139.html 1, 209.215.97.106, mojoent.com (simplecom.net/bellsouth.net) 1, 209.215.97.96/27, mojoent.com (simplecom.net/bellsouth.net) This was all about stuff that didn't have anything to do with latinmagic, but currently that /27 of 209.215.97.96-209.215.97.112 will affect those bellsouth customers which are in that block and will force them to do something about it, or spews will just keep making the block bigger and bigger. Theoretically, spews could eventually do the /15, but that is unlikely OrgName: BellSouth.net Inc. NetRange: 209.214.0.0 - 209.215.255.255 CIDR: 209.214.0.0/15 -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Oct 16 20:25:25 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sat Oct 16 22:25:02 2004 Subject: [SpamCop-List] Re: Latin Magic... References: Message-ID: Mike Easter wrote: > 1, 209.215.97.96/27, mojoent.com (simplecom.net/bellsouth.net) > that /27 of 209.215.97.96-209.215.97.112 oops. The /27 is 32 IPs, 209.215.97.96 - 209.215.97.127 I tho't that .112 looked wrong; anyway it would've been .111 if it were a /28. I should look at a table before I say anything about CIDR -- it doesn't just 'pop out' at me, except for /24s and /32s. And I guess 8s and 16s. 
-- Mike Easter kibitzer, not SC admin From ric.gates at bigsleep.org Sun Oct 17 04:55:10 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Oct 17 00:00:12 2004 Subject: [SpamCop-List] Re: New interface really sucks now References: Message-ID: On 16 Oct 2004 Lord Tyr entered spamcop and left news:cksgu6$448$1@news.spamcop.net: > Well my only "complaint" with the new interface is that even > without > the "Lag" screen it seems to take longer to Report Spam? Nothing has > change on my PC that would cause a difference? I even tried it at the > PC's at my work... > Sometimes it is just slow when reporting, even for members. There can be many reasons for this, such as the amount of time it takes to resolve the links in the message you are reporting. Unlikely that has anything at all to do with the page design. -- | Ric | From nobody at spamcop.net Sun Oct 17 01:30:49 2004 From: nobody at spamcop.net (Claudio Valderrama C.) Date: Sun Oct 17 00:45:14 2004 Subject: [SpamCop-List] Impunity Message-ID: Whoever created this, it's well thought to render SC useless as a reporting system: http://www.spamcop.net/sc?id=z682981765z9539f0b2329edaf2c4247a6d6a4ce52fz The interesting part is: Using best contacts abuse@mediaways.net abuse@telefonica.de abuse@mediaways.net refuses SpamCop reports Using abuse#mediaways.net@devnull.spamcop.net for statistical tracking. I understand SC thinks mediaways is better than to report to telefonica in Germany. Ok, but mediaways refuses SC reports and if you look in spam NG the title bullet proof hosting !! It's FREE !!! then it's evident the hosting service itself relies on the provider (that should be mediaways, IMO) to discard anti-spam complaints. The hosting service in turn offers to pay no attention to spam reports if you host a site with them and use spam to promote it. Since mediaways is cooperating with the spam, why not report to telefonica? 
I thought it would be good idea, but when I added that email under "User Notification", I got after posting "abuse@telefonica.de doesn't want to receive user-copied reports" or something alike. Therefore, the spammer remains in total impunity. Any ideas? Should I report directly to telefonica in Germany? C. From nobody at devnull.spamcop.net Sun Oct 17 00:45:33 2004 From: nobody at devnull.spamcop.net (Cat) Date: Sun Oct 17 00:50:02 2004 Subject: [SpamCop-List] Re: Impunity In-Reply-To: References: Message-ID: Claudio Valderrama C. wrote: > I thought it would be good idea, but when I added that email under "User > Notification", I got after posting > "abuse@telefonica.de doesn't want to receive user-copied reports" or > something alike. > Therefore, the spammer remains in total impunity. Any ideas? Should I report > directly to telefonica in Germany? I would definitely go with sending a manual complaint to Telefonica. From MikeE at ster.invalid Sat Oct 16 23:20:33 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 17 01:20:02 2004 Subject: [SpamCop-List] Re: Impunity References: Message-ID: Claudio Valderrama C. wrote: www.spamcop.net/sc?id=z682981765z9539f0b2329edaf2c4247a6d6a4ce52fz This spam item is sourced from an open proxy 217.185.13.20 rDNS horb-d9b90d14.pool.mediaWays.net It is listed in many db/s as an open proxy -- also in many db/s as a spamsource. It is not listed anywhere like spews or spamhaus as a refractory non-responsive IP block. There are a lot of providers who fail to secure their open proxies. Since this spamsource business is all about trying to notify correctly; it has nothing to do with bulletproof hosting, it is about a spamsource. The spamsource can be notified with the ripe information, which looks like this, some trimming: whois -h whois.ripe.net 217.185.13.20 ... 
inetnum: 217.184.0.0 - 217.185.255.255 admin-c: ABU1-RIPE tech-c: ABU1-RIPE remarks: send hack and spam complaints to: remarks: abuse@mediaways.net route: 217.184.0.0/13 descr: mediaWays GmbH origin: AS6805 person: mediaWays abuse e-mail: abuse@telefonica.de nic-hdl: ABU1-RIPE remarks: +------------------------------------+ remarks: | Send hack and spam complaints to: | remarks: | abuse@telefonica.de | remarks: +------------------------------------+ so I would notify both of those abuse addies, the .de telefonica and mediaways. That also covers the reg'd abuse.net on the rDNS. Now, let's get down to the bulletproof hosting spamvertiser. SC finds no body url. If you examine that spambody very carefully, it is a 'tacky' construction and only contains a bent email address, not a website for the payload. That payload is hosting1@hostnet5.com Mail for hostnet5.com is handled by mail.hostnet5.com = 221.12.94.34 whois -h whois.apnic.net 221.12.94.34 ... inetnum: 221.12.94.32 - 221.12.94.35 netname: YanJiMing-CLUB-JH admin-c: JQ16-AP tech-c: JQ16-AP e-mail: qianjh@zjnetcom.com -- Mike Easter kibitzer, not SC admin From lordtyr at paganpower.com Sat Oct 16 23:22:59 2004 From: lordtyr at paganpower.com (Lord Tyr) Date: Sun Oct 17 01:25:03 2004 Subject: [SpamCop-List] Re: New interface really sucks now In-Reply-To: References: Message-ID: Blammo wrote: > On 16 Oct 2004 Lord Tyr entered spamcop and left > news:cksgu6$448$1@news.spamcop.net: > > >> Well my only "complaint" with the new interface is that even >> without >>the "Lag" screen it seems to take longer to Report Spam? Nothing has >>change on my PC that would cause a difference? I even tried it at the >>PC's at my work... >> > > > Sometimes it is just slow when reporting, even for members. There can be > many reasons for this, such as the amount of time it takes to resolve the > links in the message you are reporting. > Unlikely that has anything at all to do with the page design. > Understood... 
however it's the only time I ever noticed a difference in speed... but I still like the almighty SpamCop.... ^_* -- ---------------------------- Lord Tyr LordTyr@paganpower.com AMD-64 3200+, 3 512 DDR's 2700, Two 120g Wd Hd, Two 40g SATA Wd Hd (Raid 0), Asus K8V SE Deluxe, ATI Radeon 9200 Agp, XP Pro, Roudrunner (3000/384) - Linksys BEFSR41 From nobody at spamcop.net Sun Oct 17 02:02:25 2004 From: nobody at spamcop.net (Ellen) Date: Sun Oct 17 02:05:02 2004 Subject: [SpamCop-List] Re: Impunity References: Message-ID: "Claudio Valderrama C." wrote in message news:ckst5g$pqn$2@news.spamcop.net... > Whoever created this, it's well thought to render SC useless as a reporting > system: > > http://www.spamcop.net/sc?id=z682981765z9539f0b2329edaf2c4247a6d6a4ce52fz > > The interesting part is: > Using best contacts abuse@mediaways.net abuse@telefonica.de > abuse@mediaways.net refuses SpamCop reports > The system *is* sending a report to telefonica Ellen From skiwi at spamcop.net Sun Oct 17 00:11:44 2004 From: skiwi at spamcop.net (sk1w1) Date: Sun Oct 17 02:15:02 2004 Subject: [SpamCop-List] New Interface Formatting Suggestion - small piece of whitespace between each listed held mail Message-ID: Hello, As suggested - here at the newsgroup 'forum'... :-) New Interface Formatting Suggestion - add small piece of whitespace between each listed held mail (for web mail user...) It is hard to read each individual listed spam subject, 'sender', etc prior to reporting (currently I log on to webmail, even at home, and report it from there as I can differentiate each listed piece of spew easily...) - tried on Mozilla 1.7.2, 1.8 and IE 6.??... Thanks in advance! GREG...
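An added example, not part of any post in this archive: Mike Easter's CIDR correction in the Latin Magic thread and the whois ranges quoted in the Impunity thread can be checked mechanically. The function names are hypothetical, the parser assumes IPv4 `inetnum:` / `NetRange:` style lines, and every address comes from the posts above.

```python
import ipaddress


def cidr_bounds(cidr):
    """Return (first address, last address, size) of a CIDR block.

    strict=True rejects a block whose base address has host bits set,
    which catches a mistyped prefix length.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last.

    A range that is not a single aligned power-of-two block comes back
    as several blocks, which is a quick sign that the range was misquoted.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def parse_inetnum(line):
    """Extract (first, last) from a whois line such as
    'inetnum: 217.184.0.0 - 217.185.255.255' (IPv4 only)."""
    value = line.split(":", 1)[1] if ":" in line else line
    first, last = (part.strip() for part in value.split("-", 1))
    return first, last


def block_for(ip, whois_line):
    """Convert a whois range to CIDR and report whether ip lies inside it."""
    first, last = parse_inetnum(whois_line)
    cidrs = range_to_cidrs(first, last)
    addr = ipaddress.ip_address(ip)
    inside = any(addr in ipaddress.ip_network(c) for c in cidrs)
    return cidrs, inside


if __name__ == "__main__":
    # The SPEWS /27 and the /28 it was briefly confused with.
    print(cidr_bounds("209.215.97.96/27"))
    print(cidr_bounds("209.215.97.96/28"))
    # The range as first posted is not one CIDR block.
    print(range_to_cidrs("209.215.97.96", "209.215.97.112"))
    # whois ranges quoted in the threads, checked against the reported IPs.
    print(block_for("209.215.97.106", "NetRange: 209.214.0.0 - 209.215.255.255"))
    print(block_for("217.185.13.20", "inetnum: 217.184.0.0 - 217.185.255.255"))
    print(block_for("221.12.94.34", "inetnum: 221.12.94.32 - 221.12.94.35"))
```
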
From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sun Oct 17 09:19:59 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sun Oct 17 02:25:03 2004 Subject: [SpamCop-List] Re: mail reporting address In-Reply-To: <41716672.84D2F513@gmx.net> References: <41716672.84D2F513@gmx.net> Message-ID: Anton Haumer wrote: > Mike Easter schrieb: > >>Mike Easter wrote: >> >>>Disclaimer: I have never used MW nor seen it open on a screen; >> >>If someone here who uses MW and has a website where they could paste a >>screenshot, it would be nice to have a link to a screenshot of the >>disabling of MW's bogus bounce feature. >> >>I looked all around in the forums and firetrust support but couldn't find >>a useful description of the access to the bounce feature. I could >>probably find a word description if I searched the forums long enough, >>because there is so *much* antibounce sentiment there, but a screenshot >>is the best. >> >>-- >>Mike Easter >>kibitzer, not SC admin > > > Well, I'm using MailWasher, I'm satisfied. > I've switched off bouncing totally, I use MW to submit spam. > > You have to go to Spam Tools, unfortunately You have to go > through a rather long list to switch off bouncing for: > * emails marked by First Alert filter > * emails marked by personal blacklist > * emails marked by personal filters > * emails marked by learning filters > * emails marked by DNS blacklist filters > > But: You have to do this setup only once. > And: You see the list of emails and You can check > whether there are any marked for bouncing. > > I go through the list and mark for deletion only > or deletion and submission to SC. > Only the rest I get with Outlook. > > Toni I think Mike is overreacting on the bounce issue in MW. 
Under account management you can turn bounce off, as many MW users do, it is indeed a bit strange that Nick Bolton tells you that bouncing is useful, people who keep the bounce option on apparently don't understand the problem of forged e-mail return addresses. Still MW is a fine tool and I love it for all reasons that Toni mentions here. You can add that it does a great job on spamcop reporting. Ejo From nobody at devnull.spamcop.net Sun Oct 17 01:26:10 2004 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m) Date: Sun Oct 17 03:30:05 2004 Subject: [SpamCop-List] Re: [Spam] can't stop laughing In-Reply-To: References: Message-ID: > "My tablets is an all earthy grass lozenge..." > ... > Then comes the clincher - the URL > > http:///pp/index.php?pid=3Deph5653 He's been smoking too much of his "earthy grass". -- "[Spammers] are the mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class Mail industry." -- Dave Barry From ric.gates at bigsleep.org Sun Oct 17 10:20:29 2004 From: ric.gates at bigsleep.org (Blammo) Date: Sun Oct 17 05:25:24 2004 Subject: [SpamCop-List] Re: New interface really sucks now References: Message-ID: On 16 Oct 2004 Lord Tyr entered spamcop and left news:cksvjr$u4c$1@news.spamcop.net: > Understood... however it's the only time I ever noticed a difference in > speed... but I still like the almighty SpamCop.... ^_* > Actually, the lack of tables can make a noticeable difference, especially over dial-up. But this difference is usually only noticeable when there are many images on the page (as so many poorly designed sites are designed that way). So, anyway, the old SC site may have appeared to load faster, because the top of the page may have started to appear sooner (but I don't remember), however, now the entire page loading time should be faster because of the table-less design.
I have at times noticed the page load up to a certain point, then pause, like when it gets to the parsing HTML part. And at other times, it just takes a long time to even start loading to begin with. So, for me, being on dial-up, I'd have to say that SpamCop (reporting pages) is often faster than my ISPs' poorly designed site, if you can believe that. But then Google is always faster (even though their HTML code is far from optimal), it has many more hits, but it also has many more servers. -- | Ric From neil.howie at Ireportallspam.net Sun Oct 17 11:56:59 2004 From: neil.howie at Ireportallspam.net (Neil Howie) Date: Sun Oct 17 06:00:05 2004 Subject: [SpamCop-List] Re: Mailhost configuration References: Message-ID: Thanks for the input. I have followed the links you suggested and it took a very long time to get an understanding from them. The point I was making is that the help page lists a chain A B C. I described the specific chain by which I get e-mail from the spammed address to another, unspammed, address on the same mail server. So to my simple mind, A is my spammed address, B is spamcop to whom it is forwarded and C is the address where my mail finishes. This seems now like a total misunderstanding of the situation, due entirely to the vague way the process is described in the help page. All I tried to do was suggest the addition of a concrete example to make things clearer, hardly a major revision. I don't want to cause any havoc. Further, from my point of view, the situation is more uncertain because, for me, the start address and the finishing address are aliases for the same ISP account. The bit before the @ can be anything I like. So, if I understand it correctly, the spammed address is the only one I need to register, but does this cause any complication with respect the ultimate destination address? -- Neil Anti-spam - Domain is really oakleaf ~ idps ~ co ~ uk (change ~ to dot) "Mike Easter" wrote in message news:ckra6v$qij$1@news.spamcop.net... 
| Neil Howie wrote: | > I don't like to criticise spamcop who have been doing a sterling job | > of sanitising my mail, but I must say that the article on mailhost | > configuration is as clear as mud, because it is lacking in examples. | > | > Some of my mail is forwarded into my spamcop.net mailbox and then | > forwarded on to my home account. From the description given, I have no | > idea where I should start configuring. | | Disclaimer: I've never used or configured a mailhosts, but I went to | read the page called "mailhost configuration" accessed by clicking on | 'mailhosts' from the logged in parser page. You can see a slightly | different page if you access it from help or the faq at | http://www.spamcop.net/fom-serve/cache/397.html The former has an | access point to click into 'Add first hosts' at the bottom and a .gif | graphic whose name is 'forwarding_diagram' which is missing on the page | accessed from help or the faq. | | There is even more discussion at | http://forum.spamcop.net/forums/index.php?showtopic=2009 as well as the | general mailhosts forum | http://forum.spamcop.net/forums/index.php?showforum=7 where with reading | one can get a 'feeling' about the handling of probes to aid the | configuration and the admonitions about not using quick reporting or the | reporting of any spam until all mailhosts are configured. | | Have you seen all of those, including the diagram? | | | -- | Mike Easter | kibitzer, not SC admin | From porpoise1954 at yahoo.co.uk Sun Oct 17 12:02:21 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sun Oct 17 06:05:03 2004 Subject: [SpamCop-List] Re: Mailhost configuration References: Message-ID: "Neil Howie" wrote in message news:cktflg$qg5$1@news.spamcop.net... > Thanks for the input. I have followed the links you suggested and it > took a very long time to get an understanding from them. > > The point I was making is that the help page lists a chain A B C. 
I > described the specific chain by which I get e-mail from the spammed > address to another, unspammed, address on the same mail server. So to my > simple mind, A is my spammed address, B is spamcop to whom it is > forwarded and C is the address where my mail finishes. This seems now > like a total misunderstanding of the situation, due entirely to the > vague way the process is described in the help page. All I tried to do > was suggest the addition of a concrete example to make things clearer, > hardly a major revision. I don't want to cause any havoc. > > Further, from my point of view, the situation is more uncertain because, > for me, the start address and the finishing address are aliases for the > same ISP account. The bit before the @ can be anything I like. > > So, if I understand it correctly, the spammed address is the only one I > need to register, but does this cause any complication with respect the > ultimate destination address? > > -- > Neil > > Anti-spam - Domain is really oakleaf ~ idps ~ co ~ uk (change ~ to dot) > > Tut, Tut......... Top-posting will likely get you shot in these yer hills............... From MikeE at ster.invalid Sun Oct 17 04:50:48 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 17 06:50:03 2004 Subject: [SpamCop-List] Re: mail reporting address References: <41716672.84D2F513@gmx.net> Message-ID: geo_splash_12 wrote: > I think Mike is overreacting on the bounce issue in MW. /Over/ reacting? As soon as the MW developers do the following things, I'll stop 'reacting' altogether. - Stop hyping bogus bouncing all over their promotional activities and lying about what it does and how effective it is about stopping spam. Those lies are being blathered because spamfilter developers with integrity don't enable bogus bouncing because it is unhealthy and abusive. And then incompetent reviewers pass the same blather along. Amazing.
- Have bogus bouncing disabled throughout the application *BY DEFAULT* - so that foolish and ignorant newbies don't start bogus bouncing out of the box and never get a clue about how to use that application or any other application in anything but the default mode. - Have a special key which is only accessible from the developers to be able to turn *on* bogus bouncing. To get this special key would require the submission of a form which the user completes indicating that they understand how bogus bouncing works, and that they perceive how bounces to the bogus From is almost always abusive. That form would be submitted along with an affidavit signed by the user's provider authorizing the user to forge the provider's role addresses in a bogus bounce form. Upon submission of those forms, the user would get the bogus bouncing key to enable some special kind of non-abusive bogus bouncing for 'special occasions' not spam. > Under account > management you can turn bounce off, as many MW users do, The number of people who use programs throughout their 'lives' in the default mode is the 'default' user condition; that's what the vast majority of people do. Some people have trouble turning MW's bogus bounce off when they /want/ to because there isn't a proper user interface for a global bogus bounce disabling switch. > it is indeed > a bit strange that Nick Bolton tells you that bouncing is useful, Strange? How strange that you would say strange! It is beyond incompetent because it /isn't/ incompetent. It is blatantly dishonest. Do you think that the MW developer doesn't /know/ that he is being dishonest in the name of greed? I sincerely doubt it. > people who keep the bounce option on apparently don't understand the > problem of forged e-mail return addresses. You would think that the users should be smarter than the developers appear to be, huh? 
Apparently your willingness to forgive MW's developers over this issue is being caused by a slavish devotion to the app which is separate from rational thought about the bogus bouncing issue. -- Mike Easter kibitzer, not SC admin From bud at telus.net Sun Oct 17 05:42:01 2004 From: bud at telus.net (Bud) Date: Sun Oct 17 07:45:13 2004 Subject: [SpamCop-List] Re: mail reporting address References: <41716672.84D2F513@gmx.net> Message-ID: <41725A89.56CC9279@telus.net> Mike Easter wrote: > geo_splash_12 wrote: > > I think Mike is overreacting on the bounce issue in MW. > > /Over/ reacting? > > As soon as the MW developers do the following things, I'll stop > 'reacting' altogether.................. > > > -- > Mike Easter > kibitzer, not SC admin Heh.. Take a deep breath Mike. Ever since I stumbled out of this 'MW bounce' mine field and the admonishment here for using it that came with it, my life with MW has been much more pleasant. Bud From e.schrama_NOSPAM at NOSPAM_hccnet.nl Sun Oct 17 15:03:39 2004 From: e.schrama_NOSPAM at NOSPAM_hccnet.nl (geo_splash_12) Date: Sun Oct 17 08:05:03 2004 Subject: [SpamCop-List] Re: mail reporting address In-Reply-To: References: <41716672.84D2F513@gmx.net> Message-ID: Mike Easter wrote: > geo_splash_12 wrote: > >>I think Mike is overreacting on the bounce issue in MW. > > > /Over/ reacting? [snip] > You would think that the users should be smarter than the developers > appear to be, huh? > Apparently your willingness to forgive MW's developers over this issue is > being caused by a slavish devotion to the app which is separate from > rational thought about the bogus bouncing issue. Yes, I think that users are pretty smart. No, I don't think that the MW developers are incompetent, as I said before. MW does the job, it is easy to set up, it has a big active community and there are forums on http://computercops.biz/index.php, and the program is updated regularly. 
Most mail readers and programs in general have funny options and default settings that can make your day. Altogether, I think that most users are pretty smart and find ways around the problem. The whole discussion reminds me about that joke where a kibitzer and a schlemiel go on vacation. You would think that it ends with both of them in a car that dives into the Grand Canyon, reality is that they both make it safe back home. From sap at internaviga.it Sun Oct 17 15:06:16 2004 From: sap at internaviga.it (Uomovento) Date: Sun Oct 17 08:10:05 2004 Subject: [SpamCop-List] Re: mail reporting address References: Message-ID: > > Your account had an ISP flag -- I removed it. You should be able to log in > OK now. > Now it works. Thanks. From MikeE at ster.invalid Sun Oct 17 06:28:04 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 17 08:30:02 2004 Subject: [SpamCop-List] Re: mail reporting address References: <41716672.84D2F513@gmx.net> <41725A89.56CC9279@telus.net> Message-ID: Bud wrote: > Heh.. > Take a deep breath Mike. Everyone thinks/sees that MW's fraudulent bogus bounce feature 'makes Mike crazy'. Think about it. What are those guys thinking about? Look at their website and how the bogus bouncing is promoted. We all *know* that bogus bouncing is very bad - look at the forums where MW is being discussed by its many users who /know/ bogus bouncing is bad. What /are/ those developers thinking about? What *are* they thinking about? It is pretty clear to me. They aren't 'stupid' or 'incompetent'. They have to be greedy liars loudly misrepresenting something intentionally for profit. Taking advantage of and misleading ignorant or foolish newbies looking for a 'good' spamfilter while knowingly abusing innocent forged spamfroms; as a bogus 'competitive' strategy against other more sensible spamfilters by honest ethical developers.
That makes me crazy, so I declared war on them to try to get them to change their ways; to get rid of a bad abusive dishonest fraudulent configuration in favor of a better one. > Ever since I stumbled out of this 'MW bounce' mine field and the > admonishment here for using it that came with it, my life with MW has > been much more pleasant. Hopefully one fallout of my war on them will be fewer people configured to bogus bounce. -- Mike Easter kibitzer, not SC admin From amenex at amenex.com Sun Oct 17 11:11:58 2004 From: amenex at amenex.com (George Langford, Sc.D.) Date: Sun Oct 17 10:12:01 2004 Subject: [SpamCop-List] Whazzat den - "domain has no A record" ? Message-ID: <200410171411.i9HEBwDm006959@email2.voicenet.com> Hello List ! Regarding this discussion: http://news.spamcop.net/pipermail/spamcop-help/2003-November/048953.html I got the following reply when I attempted to LART 2o7.net about a PayPal phish: > The following message to was undeliverable. > ... > 5.1.2 - Bad destination host 'DNS Hard Error looking up 2o7.net (A): domain has no A record' Here's the SpamCop tracker for the offending spam: http://www.spamcop.net/sc?id=z683087269z3b5d69d40f1ddaf1a46a32910ea09accz And here's the link that I found when I tracked the various links in the train of URL's that the phisher used:
By comparison, here's a presumably legitimate link that I found in an eBay auction's sourcecode that I saved some time ago: var rs='http://192.168.112.2O7.net/b/ss/'+unl+'/1/c4.2/'+sess+'?'+(s_apn!='Opera'?'[AQB]':'')+'&box=split'+(r?'&r='+s_escape(r):'')+(s?'&s='+s_escape(s):'')+(c?'&c='+s_escape(c):'')+(o?'&o='+s_escape(o):'')+(j?'&j='+j:'')+(v?'&v='+v:'')+(k?'&k='+k:'')+(bw?'&bw='+bw:'')+(bh?'&bh=' It's no secret that Omniture's SiteCatalyst software is being used by PayPal, eBay, General Motors, etc. to track site visitors' preferences. However, is it also possible for a thief to use the same software to capture the personal information of phishing in a similar manner ? My best guess is that the SiteCatalyst software is quite flexible when used in conjunction with Javascript code and that there is no way of guarding against malicious use of the software other than careful selection and background checks on customers of the software vendor. Thanks, amenex Does this mean that 2o7.net is violating its registration TOS ? From MikeE at ster.invalid Sun Oct 17 08:44:14 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 17 10:45:09 2004 Subject: [SpamCop-List] Re: Whazzat den - "domain has no A record" ? References: Message-ID: George Langford, Sc.D. wrote: > Hello List ! Not 'list' - list typically refers to a mailing list. You are participating in a newsgroup discussion via a mailman connection to a mailing list, but almost everyone you are talking to is nntp. It would be like addressing a radio audience with 'hello aliens' to the aliens who are picking up the signals in deep outerspace instead of 'hello radio audience' to your real audience. And, besides that, I'm not much into 'greetings' in news messages anyway.
Or windy attribution lines, for that matter - but greeting is OK - why not 'hello' if you must > Regarding this discussion: > http://news.spamcop.net/pipermail/spamcop-help/2003-November/048953.html That is a discussion of "Re: 3 or more hours for email to hit my inbox" which has in common an error message with what you are talking about here - but I hope we end up talking about something more interesting instead. > I got the following reply when I attempted to LART 2o7.net about a > PayPal phish: Stop right there. Why did you try to email 2o7.net about this phish? > Here's the SpamCop tracker for the offending spam: www.spamcop.net/sc?id=z683087269z3b5d69d40f1ddaf1a46a32910ea09accz The phish is taking place here: http://64.23.124.207/paypal2/ > And here's the link that I found when I tracked the various links in > the train of URL's that the phisher used: > src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/0?pageName=Log%2 0In::p/gen/login::_login-submit&c6=" > alt="" border="0" height="1" width="1">
I don't know exactly how you tracked from the above phish to that link, but let's suppose that was good work and we want to notify for 102.112.2O7.net - noting the 'o' in there doesn't prevent us from doing it 'properly' on the DNS to the IP block 102.112.2O7.net DNS 216.52.17.118 whois -h whois.arin.net 216.52.17.118 ... Internap Network Services 216.52.0.0 - 216.52.255.255 abuse@internap.com Omniture 216.52.17.0 - 216.52.17.255 abuse@internap.com We can also lookup the domainname reg for 2o7 at netsol whois -h whois.networksolutions.com 2o7.net ... blah blah Omniture, Inc but that wouldn't lead us to be trying to email 2o7 2o7.net has no DNS and it has no MX > Does this mean that 2o7.net is violating its registration TOS ? No. It doesn't have to want to receive mail like that, or send mail like that, or even have a website at www.2o7.net. It has nameservice, the nameservice is what works to get a DNS for 102.112.2o7.net -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 17 09:01:59 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 17 11:05:03 2004 Subject: [SpamCop-List] Re: Whazzat den - "domain has no A record" ? References: Message-ID: George Langford, Sc.D. wrote: > Does this mean that 2o7.net is violating its registration TOS ? It might make it eligible to be included in rfc-ignorant, but hell, spamcop.net is in rfc-ignorant 'twice' and 2o7.net isn't at all. rfc-ignorant doesn't do a very good job at all of 'citing' the RFC bases for its very existence. Maybe they don't even know what they are all about. In my opinion, and I don't know exactly what the RFCs say, but I think if there isn't any mail from 2o7.net, it doesn't have to do diddly about a MX for that domainname or even a DNS. In order to be 'operational' for what it is doing, it needs operational nameservice, which it has thru' ns1.omniture.com. & ns2.omniture.com. 
-- Mike Easter kibitzer, not SC admin From lordtyr at paganpower.com Sun Oct 17 11:38:38 2004 From: lordtyr at paganpower.com (Lord Tyr) Date: Sun Oct 17 13:40:29 2004 Subject: [SpamCop-List] dev/null? Message-ID: Okay the latest spam report i did today http://www.spamcop.net/sc?id=z683146532za7bc31ce0026487650eecd5994976094z However... my questions is what is this /dev/null'ing report for ?? Does that mean it was not reported? -- ---------------------------- Lord Tyr LordTyr@paganpower.com AMD-64 3200+, 3 512 DDR's 2700, Two 120g Wd Hd, Two 40g SATA Wd Hd (Raid 0), Asus K8V SE Deluxe, ATI Radeon 9200 Agp, XP Pro, Roudrunner (3000/384) - Linksys BEFSR41 From tdy at blackhole.invalid Sun Oct 17 12:12:39 2004 From: tdy at blackhole.invalid (N. Miller) Date: Sun Oct 17 14:15:02 2004 Subject: [SpamCop-List] Re: I misreported Western Union References: Message-ID: In article , Dorian Gray says... > Well I tried, but that compuserve address is invalid! Can it be true > that Western Union has bad arin information? Did you try the postmaster address that Mike mentioned? -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From mrichter at cpl.net Sun Oct 17 12:14:35 2004 From: mrichter at cpl.net (Mike Richter) Date: Sun Oct 17 14:15:18 2004 Subject: [SpamCop-List] Minor enhancement suggestion Message-ID: When a single address is submitted, please put the reporting addresses on a single line with commas for separation - and limit the list to four. Typically, I use that line for the e-mail address in the body of a 419. When more than four are offered, I need to select four; when more than one is offered, I need to bring up notepad to form them into something the report will accept. Mike -- mrichter@cpl.net http://www.mrichter.com/ From puoti at inwind.it Sun Oct 17 20:22:14 2004 From: puoti at inwind.it (Ivan Leo Puoti) Date: Sun Oct 17 14:25:03 2004 Subject: [SpamCop-List] Re: dev/null? 
In-Reply-To: References: Message-ID: > Does that mean it was not reported? Yes, it is only tracked for statistics, because spamcop can't send the report for some reason that is described in the tech details when you parse a spam. Ivan. From tdy at blackhole.invalid Sun Oct 17 12:26:40 2004 From: tdy at blackhole.invalid (N. Miller) Date: Sun Oct 17 14:30:02 2004 Subject: [SpamCop-List] Re: Mailhost configuration References: Message-ID: In article , Neil Howie says... > Thanks for the input. I have followed the links you suggested and it > took a very long time to get an understanding from them. > The point I was making is that the help page lists a chain A B C. I > described the specific chain by which I get e-mail from the spammed > address to another, unspammed, address on the same mail server. So to my > simple mind, A is my spammed address, B is spamcop to whom it is > forwarded and C is the address where my mail finishes. This seems now > like a total misunderstanding of the situation, due entirely to the > vague way the process is described in the help page. All I tried to do > was suggest the addition of a concrete example to make things clearer, > hardly a major revision. I don't want to cause any havoc. > Further, from my point of view, the situation is more uncertain because, > for me, the start address and the finishing address are aliases for the > same ISP account. The bit before the @ can be anything I like. > So, if I understand it correctly, the spammed address is the only one I > need to register, but does this cause any complication with respect the > ultimate destination address? A. = 'spammed' account? B. = Spamcop account? C. = home account? I have a web mail account that wouldn't forward to Spamcop in a format that SC wanted. Oddly, if I use the service "redirect" to my local account, I can forward from that account to Spamcop. So, when I set up a mailhost, I first made sure that my local account (equivalent to your 'C') was set up. 
Then I set up the web mail account (equivalent to your 'A'). I am pretty sure that you also need to set one up for 'B'. If I understand the purpose of Mailhost, you are telling the SpamCop parser which SMTP servers, the "Mailhosts", are normally in the chain of servers from the server receiving the spamitem to the server you're reporting from. In my case, if I forward the web mail spam from my local server, SC would want to report the web mail account as the source of the spam if it did not know that I was receiving the spamitem at that account. The first couple of times I used that method, redirect from web account to local account and forward from there to SC, SC wanted to report that account. That was over a year before I decided to set up mailhosts on my accounts. I had to manually uncheck that report until SC finally learned to trust it. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From tdy at blackhole.invalid Sun Oct 17 12:41:00 2004 From: tdy at blackhole.invalid (N. Miller) Date: Sun Oct 17 14:45:04 2004 Subject: [SpamCop-List] Re: mail reporting address References: <41716672.84D2F513@gmx.net> <41725A89.56CC9279@telus.net> Message-ID: In article <41725A89.56CC9279@telus.net>, Bud says... > Take a deep breath Mike. > Ever since I stumbled out of this 'MW bounce' mine field and the admonishment > here for using it that came with it, my life with MW has been much more > pleasant. I am in complete agreement with Mike. In another group on another NNTP service, I get pretty much the same treatment as Mike, for pretty much the same reasons. I had given MW a spin. Once. I decided to test the bounce feature by creating email on accounts that I use to bounce the messages. Right away I could see why it was a bad feature.
Until June, 2003 all I had to show why MW bounces were bad were the results of my test; in that month I received four MW bounces from people bouncing their messages to my account which was forged in a spam run. For SC reporting, I could set up autoforwarding. The only trouble with that is, I get more spam than I wish to take time to report. I would have to take time to cancel pending reports. It is simpler for me to do that part manually. I refuse to support a product which is faulty by design. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From 9ucs5y001 at sneakemail.com Sun Oct 17 13:07:58 2004 From: 9ucs5y001 at sneakemail.com (DS) Date: Sun Oct 17 15:10:03 2004 Subject: [SpamCop-List] Fake Rolex spam Message-ID: Hey all, I was wondering if anyone else is receiving a butt-load of spam hawking cheap (aka fake) Rolexes, etc. I have had 14 of the li'l bastages slip past the gates in the last couple of days, all from KR/JP zombied machines. DS From skiwi at spamcop.net Sun Oct 17 13:38:22 2004 From: skiwi at spamcop.net (sk1w1) Date: Sun Oct 17 15:40:03 2004 Subject: [SpamCop-List] Re: Fake Rolex spam In-Reply-To: References: Message-ID: DS wrote: > Hey all, > > I was wondering if anyone else is receiving a butt-load of spam hawking > cheap (aka fake) Rolexes, etc. I have had 14 of the li'l bastages slip past > the gates in the last couple of days, all from KR/JP zombied machines. > > DS for the last couple of months here - and now piracy@rolex.com 'bounces' on SC user reports... From Spam_N_Scams_Reporter at yahoo.whatever Sun Oct 17 13:40:14 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Sun Oct 17 15:45:03 2004 Subject: [SpamCop-List] Re: Fake Rolex spam In-Reply-To: References: Message-ID: DS wrote: > Hey all, > > I was wondering if anyone else is receiving a butt-load of spam hawking > cheap (aka fake) Rolexes, etc. 
I have had 14 of the li'l bastages slip past > the gates in the last couple of days, all from KR/JP zombied machines. > > DS > > The increase in Rolex spam the past couple of days has been enormous for me. That is for my spam filled email address that I use for reporting. I just checked about 10 of the other accounts that I have and none had any. From rednoise at REMOVETHIScomcast.net Sun Oct 17 20:42:41 2004 From: rednoise at REMOVETHIScomcast.net (Nil) Date: Sun Oct 17 15:45:19 2004 Subject: [SpamCop-List] Re: Fake Rolex spam References: Message-ID: On 17 Oct 2004, "DS" <9ucs5y001@sneakemail.com> wrote in news:ckufue$il7$1@news.spamcop.net: > I was wondering if anyone else is receiving a butt-load of spam > hawking cheap (aka fake) Rolexes, etc. I have had 14 of the li'l > bastages slip past the gates in the last couple of days, all from > KR/JP zombied machines. Yes, I am. It's been going on for about a week. From masfjorden at spamcop.net Sun Oct 17 22:45:48 2004 From: masfjorden at spamcop.net (helge) Date: Sun Oct 17 15:50:04 2004 Subject: [SpamCop-List] Re: Fake Rolex spam In-Reply-To: References: Message-ID: sk1w1 wrote: > DS wrote: > >> Hey all, >> >> I was wondering if anyone else is receiving a butt-load of spam >> hawking cheap (aka fake) Rolexes, etc. I have had 14 of the li'l >> bastages slip past the gates in the last couple of days, all from >> KR/JP zombied machines. >> >> DS > > > for the last couple of months here - and now piracy@rolex.com 'bounces' > on SC user reports... According to Marjolein Katsma's excellent site http://banspam.javawoman.com/index.html , you may use the address steve.gobin /at/ rolex.com . My preferences are set to accept only sentient replies, so I wouldn't know if that address 'bounces'. 
I get tons of fake rolex spams helge From pantheus at suespammers.org Sun Oct 17 14:33:16 2004 From: pantheus at suespammers.org (Ken Knull) Date: Sun Oct 17 16:35:04 2004 Subject: [SpamCop-List] Re: Fake Rolex spam References: Message-ID: On Sun, 17 Oct 2004 21:45:48 +0200, helge wrote: > >> for the last couple of months here - and now piracy@rolex.com 'bounces' >> on SC user reports... > > According to Marjolein Katsma's excellent site > http://banspam.javawoman.com/index.html , you may use the address > steve.gobin /at/ rolex.com . My preferences are set to accept only > sentient replies, so I wouldn't know if that address 'bounces'. > helge I haven't heard from Steve Gobin in a couple months, but I did get an actual non-auto-ack from him just after I started reporting copies to him from a non-spamcop account. It told his appreciation of the reports. I continue to send copies, and they don't bounce, but haven't received any response recently. Ken -- The day Microsoft makes a product that doesn't suck is the day they start making vacuum cleaners." -- Unknown In a world without walls and fences nobody needs Windows and Gates! User #104362 with the Linux Counter, http://counter.li.org From amenex at amenex.com Sun Oct 17 17:53:13 2004 From: amenex at amenex.com (George Langford, Sc.D.) Date: Sun Oct 17 16:57:04 2004 Subject: [SpamCop-List] Re: Whazzat den - "domain has no A record" ? Message-ID: <200410172053.i9HKrDq10480@email1.voicenet.com> Skipping all pretense of civility ... Mike Easter wrote in part, quoting my earlier post: >> Here's the SpamCop tracker for the offending spam: www.spamcop.net/sc?id=z683087269z3b5d69d40f1ddaf1a46a32910ea09accz > The phish is taking place here: http://64.23.124.207/paypal2/ Yup; that's what I got. But there's more to it; read on. >> I got the following reply when I attempted to LART 2o7.net about a >> PayPal phish: ... > Stop right there. Why did you try to email 2o7.net about this phish? 
I kinda thought it would be pretty obvious to this group, but here's what I said in my LART, severely edited to remove sourcecode which isn't welcome here: > A secondary linked page: http://64.23.124.207/paypal2/loginsubmit.htm > contains this link to Omniture's 2o7.net: >
That secondary link comes from piecing together the javascript on the first linked page: http://64.23.124.207/paypal2 _plus_ loginsubmit.htm > I get a "connection refused" error when I attempt to connect to the 2o7.net link. More data: > When I first attempted to connect to: > https://64.23.124.207/paypal2/js/pp_main.js That URL is another secondary link ... which doesn't yield much to me, except on that first attempt: > I got an error message that referred to an incorrect site certificate. > The original certificate had been assigned by Thawte Consulting (Pty) Ltd. > The server was identified as secure1.valueweb.com, by Affinity Internet > Inc. with the serial number 20:85:45, and the MD5 fingerprint > was given as: 47:F8:CA:B1:49:21:DE:30:CO(or 0):71:ED:C3:78:ED:47:8E (That's why I LARTed affinity.com ... notified 'em, actually.) > ...[paraphrasing] the following URL is what actually [has the phish] > when the original URL is placed in the address line of my Mozilla browser: > http://64.23.124.207/ (was: https://64.23.124.207/paypal2): ... Good Grief ! It's still there as of 16:40 EDT ! Typical Sunday IP situation. So I did the best I could and thereby tracked the deposit site for the victims' data to the 2o7.net URL. Look up Omniture's SiteCatalyst S/W to see what this complex URL does. It's beyond me. BTW, "pp_main.js" appears to be a blank page. My guess is that's what's hidden under the fake PayPal page and that's what receives the victims' personal data. See also: http://www.millersmiles.co.uk/forum/about39.html where I did post all the codes I could collect so as to place the whole phish in perspective and perhaps allow someone to ID the thief. Thanks for pointing out in your second reply that there's no need to LART 2o7.net since I also sent a notice to Omniture. I also cc'd affinity.com, valueweb.net, and internap.com. All the addys came from the SpamCop notify list obtained by way of OpenRBL.org. That's a fine combination ! 
I hope this clears things up a little. BTW, I've put the Omniture and 2o7.net servers in my hosts file, so Omniture's not getting any data from me any more, I hope. Best regards, amenex From skiwi at spamcop.net Sun Oct 17 16:06:59 2004 From: skiwi at spamcop.net (sk1w1) Date: Sun Oct 17 18:10:20 2004 Subject: [SpamCop-List] Re: Fake Rolex spam In-Reply-To: References: Message-ID: <4172ED03.5050706@spamcop.net> helge wrote: [snip] > According to Marjolein Katsma's excellent site > http://banspam.javawoman.com/index.html , > you may use the address steve.gobin /at/ rolex.com . My preferences are > set to accept only sentient replies, so I wouldn't know if that address > 'bounces'. > > I get tons of fake rolex spams Thanks, I will give that Rolex email address a go next time I see one! From pete at heypete.com Sun Oct 17 16:38:35 2004 From: pete at heypete.com (Pete Stephenson) Date: Sun Oct 17 18:40:04 2004 Subject: [SpamCop-List] SpamCop Thunderbird extension? Message-ID: Greetings all, I'm curious, is there any sort of extension for Thunderbird that would allow one to submit spam to SpamCop for reporting? Cursory searches both here and at Mozilla.org came up with no results. Perhaps others have been more successful than I. I'm considering migrating away from Eudora to Thunderbird, and this is the only thing preventing me from doing so. Cheers! -- Pete Stephenson HeyPete.com From nobody at spamcop.net Sun Oct 17 17:13:19 2004 From: nobody at spamcop.net (A.J.) Date: Sun Oct 17 19:15:03 2004 Subject: [SpamCop-List] Spamcop Falsely Calling spam a Bounce? Message-ID: http://www.spamcop.net/sc?id=z683216169zf7e23b08060100bf75dc57f67f30d120z If it's merely the use of "majordomo" in the From: and Return-Path: headers that causes this to be interpreted as a bounce, then Spamcop is broken, and it won't be long before it becomes common spammer practice. -- A.J. -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. 
Cyveillance are part of the problem. They are not part of the solution. From MikeE at ster.invalid Sun Oct 17 18:04:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 17 20:05:07 2004 Subject: [SpamCop-List] Re: Spamcop Falsely Calling spam a Bounce? References: Message-ID: A.J. wrote: www.spamcop.net/sc?id=z683216169zf7e23b08060100bf75dc57f67f30d120z > > If it's merely the use of "majordomo" in the From: and Return-Path: > headers that causes this to be interpreted as a bounce, then Spamcop > is broken, and it won't be long before it becomes common spammer > practice. You are correct; a From mjordomo works for an experimental cancelled item - no change necessary in the Return-Path. One 'a' dropped goes. www.spamcop.net/sc?id=z683226073z72d901df6adadd681c0e5a9d2ff64b71z Cheap tricks don't fly. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 17 18:11:10 2004 From: MikeE at ster.invalid (Mike Easter) Date: Sun Oct 17 20:10:03 2004 Subject: [SpamCop-List] Re: SpamCop Thunderbird extension? References: Message-ID: Pete Stephenson wrote: > I'm curious, is there any sort of extension for Thunderbird that would > allow one to submit spam to SpamCop for reporting? Cursory searches > both here and at Mozilla.org came up with no results. Perhaps others > have been more successful than I. > > I'm considering migrating away from Eudora to Thunderbird, and this is > the only thing preventing me from doing so. What's the problem with Tbird? Getting something to put into the webparser? Forwarding as an attachment? Both? How have you experimented? Can you get something to paste into the parser to post a tracker for that is useful? Into .spam? forward yourself something as an attachment? put /it/ into .spam? I haven't heard the problem defined yet. There is no information in the faq for tbird, and I don't think looking at netscape information is useful. Unless it is. 
-- Mike Easter kibitzer, not SC admin From Spam_N_Scams_Reporter at yahoo.whatever Sun Oct 17 19:09:40 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Sun Oct 17 21:10:22 2004 Subject: [SpamCop-List] Re: Whazzat den - "domain has no A record" ? In-Reply-To: References: Message-ID: George Langford, Sc.D. wrote: > Here's the SpamCop tracker for the offending spam: > http://www.spamcop.net/sc?id=z683087269z3b5d69d40f1ddaf1a46a32910ea09accz > Links listed in tracker: https://www.paypal.com/us/prefs-noti https://64.23.124.207/paypal2 https://www.paypal.com/us https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run Going to https://64.23.124.207/paypal2 I receive a Security Error: Domain Name Mismatch You have attempted to establish a connection with "64.23.124.207". However, the security certificate presented belongs to "secure1.valueweb.com". It is possible, though unlikely, that someone may be trying to intercept your communication with this web site. If you suspect the certificate shown does not belong to "64.23.124.207", please cancel the connection and notify the site administrator. Once on this fake site, the form posts the login info to http://64.23.214.207/paypal2/loginsubmit.php Interesting. When I submit a bogus email address and password, I am taken to a Paypal Wrong Log In page. Still not a legitimate secure Paypal site. Ok, when I submit a valid email address, but not a paypal login address it takes me to http://64.23.124.207/paypal2/loginloading.htm, which states New Immediate Payment Option and gives some info with a Continue button at the bottom. This takes me to http://64.23.124.207/paypal2/agreement.htm?Continue=Continue which is User Agreement and Privacy Policy PayPal has recently made several important changes to our User Agreement and Privacy Policy. 
Please read the new User Agreement and Privacy Policy, because they contain important information about your PayPal account, your rights as a PayPal user, and the ways in which PayPal will use your personal information. After you have reviewed the User Agreement and Privacy Policy below, please choose the "Yes" radio buttons and click Continue. If you fail to read and agree to the new User Agreement within 120 days, PayPal will assume you do not accept PayPal's User Agreement and prefer not to do business with PayPal. In such circumstances, after providing additional notice, PayPal will limit your access to your PayPal account and will payout any remaining account balance under the terms of the old User Agreement. The prior statement in red. You must on yes and then the next button.... Is it door number 1, 2 or 3? This is the phishing page. http://64.23.124.207/paypal2/pp.htm?Submit=Submit They went to a little more work with this one. lookup failed 64.23.124.207 Could not find a domain name corresponding to this IP address. Network Whois record Queried whois.arin.net with "64.23.124.207"... OrgName: SkyNetWEB, Ltd OrgID: SKWB Address: c/o SkyNetWeb -- 3500 Boston St. #231 City: Baltimore StateProv: MD PostalCode: 21224 Country: US NetRange: 64.23.0.0 - 64.23.127.255 CIDR: 64.23.0.0/17 NetName: SKYNETWEB NetHandle: NET-64-23-0-0-1 Parent: NET-64-0-0-0-0 NetType: Direct Allocation NameServer: NS1.SKYNETWEB.COM NameServer: NS2.SKYNETWEB.COM Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE RegDate: 2000-01-07 Updated: 2001-04-27 TechHandle: PR240-ARIN TechName: Ryker, Phillip TechPhone: +1-410-563-6384 TechEmail: pryker@skynetweb.com > And here's the link that I found when I tracked the various links in > the train of URL's that the phisher used: > src="https://102.112.2O7.net/b/ss/paypalglobal/1/G.4--NS/0?pageName=Log%20In::p/gen/login::_login-submit&c6=" > alt="" border="0" height="1" width="1">
> I found the above link that you mention, to an image. It was on the Wrong Log In page. > By comparison, here's a presumably legitimate link that I found in an > eBay auction's sourcecode that I saved some time ago: > var > rs='http://192.168.112.2O7.net/b/ss/'+unl+'/1/c4.2/'+sess+'?'+(s_apn!='Opera'?'[AQB]':'')+'&box=split'+(r?'&r='+s_escape(r):'')+(s?'&s='+s_escape(s):'')+(c?'&c='+s_escape(c):'')+(o?'&o='+s_escape(o):'')+(j?'&j='+j:'')+(v?'&v='+v:'')+(k?'&k='+k:'')+(bw?'&bw='+bw:'')+(bh?'&bh=' > > > It's no secret that Omniture's SiteCatalyst software is being used by > PayPal, eBay, General Motors, etc. to track site visitors' preferences. > However, is it also possible for a thief to use the same software to > capture the personal information of phishing in a similar manner ? > My best guess is that the SiteCatalyst software is quite flexible when > used in conjunction with Javascript code and that there is no way of > guarding against malicious use of the software other than careful > selection and background checks on customers of the software vendor. > > Thanks, > amenex > Does this mean that 2o7.net is violating its registration TOS ? This does not necessarily address your question, but maybe will be of help. From pete at heypete.com Sun Oct 17 19:10:30 2004 From: pete at heypete.com (Pete Stephenson) Date: Sun Oct 17 21:15:02 2004 Subject: [SpamCop-List] Re: SpamCop Thunderbird extension? References: Message-ID: In article , "Mike Easter" wrote: > What's the problem with Tbird? Getting something to put into the > webparser? Forwarding as an attachment? Both? The vast quantities of mail that I receive daily. I have an AppleScript for Eudora that allows me to select a theoretically unlimited number of messages and simply select "Report To SpamCop". While the time savings are minimal for, say, under a dozen messages, when reporting several hundreds or thousands it makes it much easier. 
If Thunderbird allows me to select a multitude of messages and forward them all as a single attachment to a message that SpamCop can interpret, that's excellent. Otherwise, I require some sort of extension, script, or other form of automation to speed up the process. -- Pete Stephenson HeyPete.com From Spam_N_Scams_Reporter at yahoo.whatever Sun Oct 17 21:50:40 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Sun Oct 17 23:55:23 2004 Subject: [SpamCop-List] error: couldn't parse head Message-ID: Finding links in message body error: couldn't parse head Message body parser requires full, accurate copy of message More information on this error.. no links found http://www.spamcop.net/sc?id=z683267863z7d00038c6978a452405d8e6706bf299dz Haven't had a chance to look at why this is so. My Spamcop account is the one that received this spam. This account is not very old and has not received much spam yet, tho the numbers are increasing. There are only a couple of instances that I have used this email address, and it is not likely that a dictionary spammer would come up with it. My other account that is very similar at another ISP has received no spam and it has been in existence longer and I use it regularly. Makes you kinda go HMMMMM. Anyway, not only did this error come back after I clicked on the View full message link because the parser found no links again, it came back with this error. I'm going to attempt this again to see if it changes. I have been receiving a lot of spam that SC is unable to find the links on from validpage.com. From tdy at blackhole.invalid Sun Oct 17 22:24:11 2004 From: tdy at blackhole.invalid (N. Miller) Date: Mon Oct 18 00:25:04 2004 Subject: [SpamCop-List] Re: Fake Rolex spam References: Message-ID: In article , DS says... > I was wondering if anyone else is receiving a butt-load of spam hawking > cheap (aka fake) Rolexes, etc. 
I have had 14 of the li'l bastages slip past > the gates in the last couple of days, all from KR/JP zombied machines. Only to one ISP email account. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From lordtyr at paganpower.com Sun Oct 17 22:31:11 2004 From: lordtyr at paganpower.com (Lord Tyr) Date: Mon Oct 18 00:35:02 2004 Subject: [SpamCop-List] Re: Fake Rolex spam In-Reply-To: References: Message-ID: DS wrote: > Hey all, > > I was wondering if anyone else is receiving a butt-load of spam hawking > cheap (aka fake) Rolexes, etc. I have had 14 of the li'l bastages slip past > the gates in the last couple of days, all from KR/JP zombied machines. > > DS > > I've had at least 10 & reported almost all of them.... -- Lord Tyr LordTyr@paganpower.com AMD-64 3200+, 3 512 DDR's 2700, Two 120g Wd Hd, Two 40g SATA Wd Hd (Raid 0), Asus K8V SE Deluxe, GeForce FX 5500 oc, XP Pro, Roudrunner (3000/384) - Linksys BEFSR41 From newsspamcop.20.kuch at recursor.net Mon Oct 18 02:04:53 2004 From: newsspamcop.20.kuch at recursor.net (Rob) Date: Mon Oct 18 01:05:04 2004 Subject: [SpamCop-List] Re: SpamCop Thunderbird extension? In-Reply-To: References: Message-ID: Pete Stephenson wrote: > Greetings all, > > I'm curious, is there any sort of extension for Thunderbird that would > allow one to submit spam to SpamCop for reporting? Cursory searches both > here and at Mozilla.org came up with no results. Perhaps others have > been more successful than I. > > I'm considering migrating away from Eudora to Thunderbird, and this is > the only thing preventing me from doing so. > > Cheers! > I have used Thunderbird to report spam to spamcop. Setting options to forward messages as attachments does the trick. Select multiple e-mails, forward to your reporting address. I usually limited myself to 25-30, but have not actually run into any limitations. 
From MikeE at ster.invalid Sun Oct 17 23:07:42 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 01:10:02 2004 Subject: [SpamCop-List] Re: error: couldn't parse head References: Message-ID: Spam N Scams Reporter wrote: www.spamcop.net/sc?id=z683267863z7d00038c6978a452405d8e6706bf299dz It's a structure problem. As it sits there, it has header and body merged, with the spamcop xlines squishing the very top part of the body [mime boundary elements] into a sandwich between those xlines and the original header which was there before the xlines were added. In order to restore its original condition, I would remove the SC xlines and separate the part of the body that was squished into the header by an empty blank line. If you wanted to completely rearrange it so that it would have the xlines back again, you would add those back into the bottom of the original header, still keeping an empty blank line between the last xline and the first part of the body, namely the mime boundary elements. You might wonder how it got to be that way. My theory is that the first thing that was missing was the empty blank line between header and body, causing mime boundary elements to be stuck onto the header, and then SC tried to add its xlines to the end of the headers, but since the end of the headers was misidentified by the missing blank line, the SC xlines were instead added just above the first place an empty line was encountered, which was partly into the body past the mime boundary elements. I've reconstructed these things before to achieve an experimental parse to cancel, but I don't know that the exercise is particularly useful. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Oct 17 23:15:45 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 01:15:02 2004 Subject: [SpamCop-List] Re: error: couldn't parse head References: Message-ID: Mike Easter wrote: > In order to restore its original condition, I would remove the SC > xlines and separate the part of the body that was squished into the > header by an empty blank line. This is the way I predict the original item /should/ have been - with an empty line between header and body - and before the SC SA xlines were added. It parses. www.spamcop.net/sc?id=z683287770zb42ba392ab41847a01d352236115224fz but, it wouldn't have parsed without that empty line between header and mime boundary structure, which probably /wasn't/ present in the original item. Unless the original item was sound or correct and the spamcop handling screwed it up. I have no way of knowing if that could have happened. I /do/ know this condition has been seen before. -- Mike Easter kibitzer, not SC admin From pete at heypete.com Sun Oct 17 23:21:06 2004 From: pete at heypete.com (Pete Stephenson) Date: Mon Oct 18 01:25:04 2004 Subject: [SpamCop-List] Re: SpamCop Thunderbird extension? References: Message-ID: In article , Rob wrote: > I have used Thunderbird to report spam to spamcop. Setting options to > forward messages as attachments does the trick. Select multiple > e-mails, forward to your reporting address. I usually limited myself to > 25-30, but have not actually run into any limitations. Hmm. Interesting. I shall definitely check that out. It should simplify things quite a bit. Thanks! 
-- Pete Stephenson HeyPete.com From Spam_N_Scams_Reporter at yahoo.whatever Sun Oct 17 23:41:15 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Mon Oct 18 01:45:02 2004 Subject: [SpamCop-List] Re: error: couldn't parse head In-Reply-To: References: Message-ID: Mike Easter wrote: > Spam N Scams Reporter wrote: > www.spamcop.net/sc?id=z683267863z7d00038c6978a452405d8e6706bf299dz > > It's a structure problem. As it sits there, it has header and body > merged, with the spamcop xlines squishing the very top part of the body > [mime boundary elements] into a sandwich between those xlines and the > original header which was there before the xlines were added. > > In order to restore its original condition, I would remove the SC xlines > and separate the part of the body that was squished into the header by an > empty blank line. If you wanted to completely rearrange it so that it > would have the xlines back again, you would add those back into the > bottom of the original header, still keeping an empty blank line between > the last xline and the first part of the body, namely the mime boundary > elements. > > You might wonder how it got to be that way. > > My theory is that the first thing that was missing was the empty blank > line between header and body, causing mime boundary elements to be stuck > onto the header, and then SC tried to add its xlines to the end of the > headers, but since the end of the headers was misidentified by the > missing blank line, the SC xlines were instead added just above the first > place an empty line was encountered, which was partly into the body past > the mime boundary elements. > > I've reconstructed these things before to achieve an experimental parse > to cancel, but I don't know that the exercise is particularly useful. > Thanks Mike, I missed that observation when I looked. 
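The repair Mike Easter describes in the post quoted above, sketched in Python as an added example (not part of any post in this thread and not SpamCop's code). The sample message is constructed, and the `X-Example-` lines are hypothetical stand-ins for the lines SpamCop adds.

```python
import re
from email import message_from_string
from email.errors import MissingHeaderBodySeparatorDefect

# Start of a header field: a name of printable ASCII without ':', then ':'.
FIELD = re.compile(r"^[\x21-\x39\x3b-\x7e]+:")

# Constructed sample (not the spam from the thread). The empty line after the
# top-level header is missing, so the MIME boundary and part headers sit
# directly under it, and the filter's added lines (hypothetical X-Example-*
# names) were appended just above the first empty line, inside the body.
BROKEN = "\n".join([
    "Received: from mail.example.net ([192.0.2.10]) by mx.example.org;"
    " Sun, 17 Oct 2004 21:40:00 -0400",
    'From: "Sender" <sender@example.net>',
    "To: user@example.org",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/alternative; boundary="----=_Part_01"',
    "------=_Part_01",
    'Content-Type: text/plain; charset="us-ascii"',
    "Content-Transfer-Encoding: 7bit",
    "X-Example-Checked: yes",
    "X-Example-Score: 5.1",
    "",
    "Visit http://example.com/offer today.",
    "------=_Part_01--",
    "",
])


def header_end(lines):
    """Index of the first line that is neither a field nor a folded continuation."""
    for i, line in enumerate(lines):
        if not (FIELD.match(line) or line[:1] in (" ", "\t")):
            return i
    return len(lines)


def separator_missing(raw):
    """True when the header block is ended by body text instead of an empty line."""
    lines = raw.split("\n")
    end = header_end(lines)
    return end < len(lines) and lines[end] != ""


def repair(raw, added_prefixes=("x-example-",)):
    """Put the added lines back at the bottom of the real header and restore
    the empty line between header and body; everything else stays in order."""
    lines = raw.split("\n")
    end = header_end(lines)
    if end == len(lines) or lines[end] == "":
        return raw  # separator already present: nothing to repair
    try:
        blank = lines.index("", end)  # where the added lines were wedged in
    except ValueError:
        blank = len(lines)
    moved, kept, in_added = [], [], False
    for line in lines[end:blank]:
        if line[:1] not in (" ", "\t"):  # a folded line follows its field
            in_added = line.lower().startswith(added_prefixes)
        (moved if in_added else kept).append(line)
    return "\n".join(lines[:end] + moved + [""] + kept + lines[blank:])


def parse(raw):
    """Parse with the standard library's tolerant parser."""
    return message_from_string(raw)


def has_separator_defect(msg):
    """True if the parser recorded the missing header/body separator."""
    return any(isinstance(d, MissingHeaderBodySeparatorDefect) for d in msg.defects)


if __name__ == "__main__":
    before, after = parse(BROKEN), parse(repair(BROKEN))
    print("separator missing before:", separator_missing(BROKEN))
    print("parser defect before:", has_separator_defect(before))
    print("added header visible at top level before:", before["X-Example-Score"])
    print("added header visible at top level after:", after["X-Example-Score"])
```

Python's parser recovers from the missing separator on its own and records a defect; a stricter parser that stops at this point gives the kind of failure reported in the thread.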
From nobody at spamcop.net Mon Oct 18 02:00:53 2004 From: nobody at spamcop.net (Tom) Date: Mon Oct 18 02:05:04 2004 Subject: [SpamCop-List] Re: Spamcop reporting troubles References: Message-ID: On Sun, 10 Oct 2004 23:46:42 -0700, Mike Easter wrote: >> Since I use Agent, I open the spam in the raw message format. Nothing >> is triggered, because I see only the source in that form (no html or >> anything else is executed), which I cut and paste into spamcop's web >> reporting system. > >Does that mean that it /isn't/ possible to use Agent's mail agent the >same way as OE, to select an unopened mail item and 'forward as >attachment' and have the structure^1 of the item work properly for the SC >email submit method? The current version can forward verbatim, but I haven't used that in a long, long time. I prefer to take a long look at the spam (in its raw form) and decide how I want to report it. If I have the system set to forward verbatim with the raw message setting to on, it will forward all the headers, but at the same time, it will add its own set, including a new subject line, etc. > >What about if you've opened the item as described above, does the >'forward' [or forward as attachment] in Agent result in the email parser >getting the item in the right configuration? Where the right >configuration^1 or structure of what the submit address receives is - I haven't tried to forward as an attachment, but I can export a message and send that (complete with headers) as an attachment, but I think I'll end up with the same result and possibly not something that will produce the wanted results. Plus, it's a lot of extra work. > >^1 headers of submitter to spamcop saying multipart mixed boundary + mime >boundary structure + mime msg/rfc822 attachment structure + complete >headers and raw message format of the spam Nope. Doesn't come across that way. > >I can't see anything in the faq about whether Agent can email submit or >not. 
I used to do this, but that was a long time ago and it worked "okay." I wanted to be able to do more, so I switched to web reporting, copying in the actual raw message. The advantage I have is that I don't let things go through that I don't want to go through and therefore, don't report wanted e-mails. I whitelist almost everything that I receive into individual folders. The result is that very little goes into the spam folder that isn't spam (less than 1 percent). From nobody at spamcop.net Mon Oct 18 02:04:03 2004 From: nobody at spamcop.net (Tom) Date: Mon Oct 18 02:05:30 2004 Subject: [SpamCop-List] Re: AP News: China Offers Rewards for Reporting Porn References: Message-ID: <03n6n0dh7cn1ts9avt8r8goctqkeu09kci@4ax.com> Top posting corrected. On Mon, 11 Oct 2004 14:15:07 +0200, basalk wrote: >"Tom" schreef in bericht >news:rn8km05ssnq37r020qvh7v7avclrhmhuae@4ax.com... >> On Sun, 10 Oct 2004 20:34:52 -0400, Christopher Fuhrman wrote: >> >>>I wonder how serious this whole thing is. Any comments? >>> >>>http://story.news.yahoo.com/news?tmpl=story&cid=562&e=2&u=/ap/china_porn_rewards >> >> The source of most porn spam is in Russia, not China. S.E. Asia holds >> to some strong religious-based moral standards at a political level. >> That doesn't apply to nightclubs and the "oldest profession" but as >> far as the "face" on the country is concerned, it is a big issue. >> Mao's philosophies failed to replace Buddha's. >> >According to news reports on the same subject in the Netherlands one of the >people jailed was a 24 year old female student who ran a porn site. >Spamvertising for porn sites in China is not unusual in my spam reports and >I have the impression that China is more often in spam as Russia. The most >people convicted tho are people with views unwelcome to the Chinese >government. >Bas You could be correct. The limited amount of porn spam I get is usually tied to Russian sites, so really I don't know. 
I should probably 'seed' some of the alt.binaries sex-related sites with a spam trap address, just to see what comes of it. From nobody at spamcop.net Mon Oct 18 01:13:58 2004 From: nobody at spamcop.net (RW) Date: Mon Oct 18 02:15:03 2004 Subject: [SpamCop-List] Re: Get off the list. References: Message-ID: "news.concentric.net" wrote in message news:ckhhns$ipv$1@news.spamcop.net... >I installed GFI mail essentials, and the NDR for the black list generated > 100's of mails of which all were detected as spam and now mail is sparse. > I > have stopped it, but what do I do now, the web site is very poor on help. > I > just need to get mail back online. It seems to be a shame that blocking > spam gets me on the list. > Actually, GFI and NDR (presumably) have nothing to do with the listing of your IP. Rather, your server is the victim of the smtp-auth exploit. 205.158.121.242 is listed because the server on that IP is relaying spam to traps on our servers. The spammer has gained authenticated access to the server, most likely by "guessing" a valid user/pw. We have information on this exploit at http://www.spamcop.net/fom-serve/cache/372.html Once the compromised account has been found and secured and we see the spam has stopped, the IP will delist. Fresh spam has been received by our traps approximately 2 hours ago. To make matters worse, your server doesn't identify the connecting IP; according to your server, all the spam is originating from 192.168.20.1 Richard From d*r*i*c*h*t*e*r at e*s*s*i.f*r*****without*asterisks**** Mon Oct 18 10:53:43 2004 From: d*r*i*c*h*t*e*r at e*s*s*i.f*r*****without*asterisks**** (Dan) Date: Mon Oct 18 03:55:19 2004 Subject: [SpamCop-List] Jokes as hashbusting Message-ID: This pump-and-dump spammer found an interesting form of hashbusting: jokes. Interestingly, the jokes are munged to avoid triggering spam filters. For example, any dollar signs are converted to hash marks. 
What follows is an excerpt from one mail: A woman in Brooklyn decided to prepare her Will and make her final requests. She told her rabbi she had two final requests. First, she wanted to be cremated, and second, she wanted her ashes scattered all over Bloomingdales. "Why Bloomingdales?" asked the rabbi. "Then I'll be sure my daughters visit me twice a week." Frustrated, he sends e-mails to all his frieends and coworkers,tono avail. Afteran hour, he wakesthe blonde,and hands her #500.00. Theblonde says, Thank you, andturns back toget somemoresleep.The lawyer,who is morethan a little miffed, wakes the blonde and asks, Well, what's the answer? Without a word, the blonde reaches into her purse, hands the lawyer #5.00, and goes back to sleep. And you thought blondes were dumb. From nobody at devnull.spamcop.net Mon Oct 18 18:03:50 2004 From: nobody at devnull.spamcop.net (Patto) Date: Mon Oct 18 04:05:03 2004 Subject: [SpamCop-List] OT - Weird Message-ID: This may be very old news, but I found this today: "Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses and you can sitll raed it wouthit porbelm. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, but the wrod as a wlohe." Is it possible that spammers actually go to universities...? From clebaudy at netfinca.com Mon Oct 18 12:46:10 2004 From: clebaudy at netfinca.com (Christian) Date: Mon Oct 18 05:50:19 2004 Subject: [SpamCop-List] spamcop efficiency ???? Message-ID: Hello, i am a recently user of spam cop, i find the idea great and since i am spammed (due certainly to a virus in some friends computer that gave all its adressbook to some spammer) i wanted to report spam. I said to myself that if it has a consequence on the amount of spam i receive each day i will be happy to pay and contribute to spam cop efforts. 
BUT, i used it for 2 or 3 weeks, reporting each day each spam and now i am sure to get twice as spam as before. I am sure of what i say because i used it also on my hotmail account and today i got 8 mails of spam, i used to get 2 or 3 per day. My business address was spammed seriously (about 20 spam per day), and this week end i received 160 spam emails instead of about 50 per week end. The result is : now i can't even report them (your stupid interface makes me wait), even if i submit per mail i have a confirmation email with and http link to click. If you think i am going to click 160 times and wait http to respond then you are really stupid. I don't known if your intention is good but i know that the result is bad, i won't pay anything till i am not sure it works. I would like to discuss with spamcop administrator (in www.spamcop.com there is no form or email like the "contact us" typical form of each respectable site). Sincerely From ric.gates at bigsleep.org Mon Oct 18 10:53:05 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Oct 18 05:55:02 2004 Subject: [SpamCop-List] Re: SpamCop Thunderbird extension? References: Message-ID: On 17 Oct 2004 Pete Stephenson entered spamcop and left news:pete- FF27BB.18103017102004@news.cesmail.net: > I have an AppleScript for Eudora that allows me to selecte a > theoretically unlimited number of messages and simply select "Report To > SpamCop". While the time savings are minimal for, say, under a dozen > messages, when reporting several hundreds or thousands it makes it much > easier. > Assuming Thunderbird stores mail in the same UNIX format on Mac, I see no reason why the AppleScript couldn't be modified to work the same, or probably better, with Thunderbird. However simply selecting all messages, which would preferably end up in the Thunderbird Junk folder, and forwarding them to my SpamCop reporting address, has always worked for me with Mozilla (which is nearly identical to Thunderbird). 
So using some extension would seem rather redundant. -- | Ric From ric.gates at bigsleep.org Mon Oct 18 10:59:13 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Oct 18 06:00:03 2004 Subject: [SpamCop-List] Re: OT - Weird References: Message-ID: On 18 Oct 2004 Patto entered spamcop and left news:ckvtd8$3ig$1@news.spamcop.net: > Is it possible that spammers actually go to universities...? > Maybe, if spam was as easy to read as that is. Even if they did, it's obvious they didn't learn anything useful. -- | Ric From b.vander.bent at chello.nl Mon Oct 18 14:15:36 2004 From: b.vander.bent at chello.nl (basalk) Date: Mon Oct 18 07:20:19 2004 Subject: [SpamCop-List] Re: Fake Rolex spam References: Message-ID: I reported several Rolex scams, two types tho, one with only a Rolex offer and another one with a list of watch brands starting with Rolex. Bas "DS" <9ucs5y001@sneakemail.com> wrote in message news:ckufue$il7$1@news.spamcop.net... > Hey all, > > I was wondering if anyone else is receiving a butt-load of spam hawking > cheap (aka fake) Rolexes, etc. I have had 14 of the li'l bastages slip > past the gates in the last couple of days, all from KR/JP zombied > machines. > > DS > > From porpoise1954 at yahoo.co.uk Mon Oct 18 13:43:05 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Mon Oct 18 07:45:02 2004 Subject: [SpamCop-List] Re: OT - Weird References: Message-ID: "Patto" wrote in message news:ckvtd8$3ig$1@news.spamcop.net... > This may be very old news, but I found this today: > "Aoccdrnig to a rscheearch at Cmabrigde Uinervtisy, it deosn't mttaer in > waht oredr the ltteers in a wrod are, the olny iprmoetnt tihng is taht the > frist and lsat ltteer be at the rghit pclae. The rset can be a toatl mses > and you can sitll raed it wouthit porbelm.
Tihs is bcuseae the huamn mnid > deos not raed ervey lteter by istlef, but the wrod as a wlohe." > > Is it possible that spammers actually go to universities...? > > Nit anly taht bet alse uf wirds ore masspelud toa. Doesn't gain anything though - still not an excuse for bad spelling/grammar. [Grammar Police] From glnews030922 at highspot.net Mon Oct 18 14:16:47 2004 From: glnews030922 at highspot.net (Graeme Leith) Date: Mon Oct 18 08:20:03 2004 Subject: [SpamCop-List] Re: Get off the list. In-Reply-To: References: Message-ID: RW wrote: [snip] > 205.158.121.242 is listed because the server on that IP is relaying spam > to traps on our servers. The spammer has gained authenticated access to the > server, most likely by "guessing" a valid user/pw. We have information on > this exploit at http://www.spamcop.net/fom-serve/cache/372.html > > Once the compromised account has been found and secured and we see the spam > has stopped, the IP will delist. Fresh spam has been received by our traps > approximately 2 hours ago. To make matters worse, your server doesn't > identify the connecting IP; according to your server, all the spam is > originating from 192.168.20.1 Well, the OP posted his initial request over a week ago and didn't respond to any of the other replies, so I guess he doesn't care that much. For what it's worth, the accounts with weak passwords are "guest" and "data". -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From MikeE at ster.invalid Mon Oct 18 07:49:26 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 09:50:19 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: Christian wrote: > BUT, i used it for 2 or 3 weeks, reporting each day each spam and now > i am sure to get twice as spam as before. 
> I am sure of what i say because i used it also on my hotmail account > and today i got 8 mails of spam, i used to get 2 or 3 per day. > My business address was spammed seriously (about 20 spam per day), > and this week end i received 160 spam emails instead of about 50 per > week end. As a general rule, SpamCop reporting does not directly reduce your spam. The 'standard' spam sources from an abused proxy/trojan and spamvertises at a nonresponsive provider - therefore notifying those doesn't do anything to 'remove' you from a spammerlist. As a general rule, your spam will increase, that's what spam does. As a general rule, there is nothing about spamcop reporting per se which will increase your spam *unless* you are handling your spam insecurely. A great many inexperienced spamcop reporters do not handle their spam wisely/securely. If spam is handled insecurely during reporting, it will draw more spam -- thus it will 'appear' that spamcop reporting is causing more spam, when in fact it was insecure spam handling in the reporting 'mechanics' which is causing more spam. If you open spam and render its html accessing webbugs while online, you will surely get more spam. Some people open their spam and render its html accessing the webbugs in order to 'handle' it to spamcop report it. Very bad move. -- Mike Easter kibitzer, not SC admin From nospam at nospam.org Mon Oct 18 18:03:01 2004 From: nospam at nospam.org (geo_splash_12) Date: Mon Oct 18 11:05:20 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? In-Reply-To: References: Message-ID: Mike Easter wrote: [snip] > > If you open spam and render its html accessing webbugs while online, you > will surely get more spam. Some people open their spam and render its > html accessing the webbugs in order to 'handle' it to spamcop report it. > Very bad move. 
A hum, I'm testing now Thunderbird 0.8, the cutest, meanest and leanest of all if I understand all the propaganda, it has block load images on in the e-mail preview pane (by default). Better turn that one off. Mailwasher would never ever do this! (nag nag nag) Ejo From masfjorden at spamcop.net Mon Oct 18 18:07:07 2004 From: masfjorden at spamcop.net (helge) Date: Mon Oct 18 11:10:02 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? In-Reply-To: References: Message-ID: Christian wrote: snip > BUT, i used it for 2 or 3 weeks, reporting each day each spam and now i am > sure to get twice as spam as before. > I am sure of what i say because i used it also on my hotmail account and > today i got 8 mails of spam, i used to get 2 or 3 per day. > My business address was spammed seriously (about 20 spam per day), and this > week end i received 160 spam emails instead of about 50 per week end. Like Mike Easter said: insecure handling of spam may lead to just that. I know, because I did all possible foolish things when I started using spamcop two years ago, including an unsubscribe or two. But in the last six months I have had some decrease in spam, but I can't say for sure that that is because of spamcop. > > The result is : now i can't even report them (your stupid interface makes me > wait), even if i submit per mail i have a confirmation email with and http > link to click. If you think i am going to click 160 times and wait http to > respond then you are really stupid. Don't try to report every spam, report only as much as you can comfortably manage - other reporters feed the spamcop blocklist too. You may also forward several spams together when you forward as attachment. > > I don't known if your intention is good but i know that the result is bad, i > won't pay anything till i am not sure it works. 
I would like to discuss with > spamcop administrator The result of spamcop is that those service providers who block spam using the spamcop blocklist can quite reliably say what is spam and what is not spam and either stop it or divert it to a special folder. (in www.spamcop.com there is no form or email like the > "contact us" typical form of each respectable site). This is a newsgroup for *Spamcop.net* users. *Spamcop.com* is something else, and I don't think anyone here recommends Spamcop.com helge From MikeE at ster.invalid Mon Oct 18 09:13:06 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 11:15:03 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: geo_splash_12 wrote: > Mailwasher would never ever do this! (nag nag nag) Speaking of nagging.... If I were a MW fan, I would be over in the MW support forum beating up on the developers to get them to shape up MW by disabling bogus bouncing by default, only enabling it by a special 'approved' key as I described earlier. You can't take 'pride' in the app while it comes out of the box like it does and 'presents itself' like it does. You should be ashamed of it. If you say "I use MW!" then someone looks at you and sez "Oh, really?" Then, you must hastily add, "But, but, but.... I always turn /off/ bogus bouncing!" Then someone like me who is disgusted with the default and the promotion and the developers sez, "Yeah. Whatever." -- Mike Easter kibitzer, not SC admin From Alexis at NotBob.frop Mon Oct 18 12:35:14 2004 From: Alexis at NotBob.frop (Alexis) Date: Mon Oct 18 11:40:03 2004 Subject: [SpamCop-List] Hahaha Hanaro Message-ID: >> Hello, I'm in charge of dealing with spam mails in Hanaro Telecom. We get a request related to spam reports only at We'll close ,so it will be unavailable from November 15. We'd like to ask you to follow the instruction below. If you do not follow this instruction, your request may be deleted without comment of notification, or delayed. 
1.Please send us the header of the original spam mail. (It is required to find the exact spammer.) 2.Your request will be dealt with much more quickly if you include spammer's IP in the title of your mail. For example, "Hanaro spam XXX.XXX.XXX.XXX 3.Before you report spam, please reconfirm whether the IP is belong to Hanaro. If the IP is not Hanaro's, it is impossible to inquire the spammer. We'd like to ask you not to send spam which is not Hanaro's. You can check whether the IP is Hanaro's at "http://whois.nic.or.kr/english/index.htm." We've been doing our best to take lead to cultivate sound Internet culture. If you have further questions, please feel free to contact us. Thank you. Sincerely, ( mina jun ) From MikeE at ster.invalid Mon Oct 18 09:44:34 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 11:45:05 2004 Subject: [SpamCop-List] Re: Hahaha Hanaro References: Message-ID: Alexis wrote: > Hello, I'm in charge of dealing with spam mails in Hanaro Telecom. > We get a request related to spam reports only at > We'll close , so it will be unavailable from > November 15. whois -h whois.abuse.net hanaro.com ... nospam@hanaro.com security@hanaro.com rasung@hanaro.com abuse@hanaro.com spamcenter@hanafos.com postmaster@hanaro.com (for hanaro.com) http://www.abuse.net/addnew.html Submitting new entries for the contact database For system managers - You are welcome to contribute contact information for the database, for your own domain, those of your customers, and other domains for which you've researched the contact info. whois -h whois.nic.or.kr [ ISP Network Abuse Contact Information ] E-Mail : nospam@hanaro.com Don't fix things here. Fix things at abuse.net and at nic.or.kr. -- Mike Easter kibitzer, not SC admin From nospam at nospam.org Mon Oct 18 18:43:23 2004 From: nospam at nospam.org (geo_splash_12) Date: Mon Oct 18 11:45:19 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? 
In-Reply-To: References: Message-ID: > If I were a MW fan, I would be over in the MW support forum beating up on > the developers to get them to shape up MW by disabling bogus bouncing by > default, only enabling it by a special 'approved' key as I described > earlier. Actually, I just posted something along those lines on castlecops whatever. I just want to show that most of the e-mail readers have their peculiarities. I'm now trying TB 0.8, just to see how I like it. The image loading still is bad, as you explained. But, what I miss already is the ability to search specifically in e-mail headers. This is the place where many ISPs would store information indicating the spam status or RBL blacklist information. Any clue how to do this? The message filters and junk control in TB are really limited, Bayesian filtering is the main trick in TB, what a shame. Ejo From Merlyn at Spamcop.net Mon Oct 18 12:47:43 2004 From: Merlyn at Spamcop.net (Merlyn) Date: Mon Oct 18 11:50:03 2004 Subject: [SpamCop-List] Re: Hahaha Hanaro References: Message-ID: "Alexis" wrote in message news:cl0nrq$f1r$1@news.spamcop.net... >>> > Hello, I'm in charge of dealing with spam mails in Hanaro Telecom. > We get a request related to spam reports only at > We'll close ,so it will be unavailable from November > 15. > We'd like to ask you to follow the instruction below. If you do not follow > this instruction, your request may be deleted without comment of [snipperoo] And this is relevant to what? Hanaro is blocked by almost everyone. Hanaro == spam nuff said. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Mon Oct 18 09:53:20 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 11:55:03 2004 Subject: [SpamCop-List] Re: spamcop efficiency ????
References: Message-ID: geo_splash_12 wrote: >> If I were a MW fan, I would be over in the MW support forum beating >> up on the developers > Actually, I just posted something along those lines on castlecops > whatever. Good. > the ability to search specifically in e-mail headers. This > is the place where many ISPs would store information indicating the > spam status or RBL blacklist information. Any clue how to do this? I don't know TB at all. Most/many 'simple' mailreaders are weak there. If you want some headerfilter power, you need to put in a 'dedicated' filter - MW is one, SpamPal another, etc. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Oct 18 10:07:11 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 12:10:03 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: geo_splash_12 wrote: >> If I were a MW fan, I would be over in the MW support forum beating >> up on the developers to get them to shape up MW by disabling bogus >> bouncing by default, only enabling it by a special 'approved' key as >> I described earlier. > Actually, I just posted something along those lines on castlecops > whatever. I see 2 posts by you in mw's section at computercops.biz, but nothing along those lines. http://computercops.biz/postlite80236-ejo.html -- Mike Easter kibitzer, not SC admin From pxpearson at spamxcop.net Mon Oct 18 10:43:58 2004 From: pxpearson at spamxcop.net (Peter Pearson) Date: Mon Oct 18 12:45:03 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail References: Message-ID: sk1w1 wrote: > New Interface Formatting Suggestion - add small piece of whitespace > between each listed held mail (for web mail user...) > It is hard to read each individual listed spam subject, 'sender', etc > prior to reporting . . . Hmm... It looks fine under Firefox on my Suse 9.0 Linux system.
I think subtle and incomprehensible font-system details create this sort of discrepancy; but usually it's *my* screen that looks bad. -- Remove the two x's to get a good email address. From temp1 at telinco.co.uk Mon Oct 18 18:56:57 2004 From: temp1 at telinco.co.uk (Oliver Broad) Date: Mon Oct 18 13:00:05 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: "Christian" wrote in message news:cl03d4$cq9$1@news.spamcop.net... > BUT, i used it for 2 or 3 weeks, reporting each day each spam and now i am > sure to get twice as spam as before. I've seen the spam on one account drop to near zero but that took over a year. Another account was last running at 30+/day and appears irrecoverable. I think you have to regard reporting as a way to hit back rather than a way to cancel the spam. From nospam at nospam.org Mon Oct 18 20:25:30 2004 From: nospam at nospam.org (geo_splash_12) Date: Mon Oct 18 13:30:03 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? In-Reply-To: References: Message-ID: Mike Easter wrote: > geo_splash_12 wrote: > > >>>If I were a MW fan, I would be over in the MW support forum beating >>>up on the developers to get them to shape up MW by disabling bogus >>>bouncing by default, only enabling it by a special 'approved' key as >>>I described earlier. > > >>Actually, I just posted something along those lines on castlecops >>whatever. > > > I see 2 posts by you in mw's section at computercops.biz, but nothing > along those lines. > > http://computercops.biz/postlite80236-ejo.html > > Look here (also previous page): http://computercops.biz/posts79549-15.html From MikeE at ster.invalid Mon Oct 18 11:38:46 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 13:40:03 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? 
References: Message-ID: geo_splash_12 wrote: > Mike Easter wrote: >> http://computercops.biz/postlite80236-ejo.html That's me making the mistake of searching on 'ejo' rather than your handle 'geo_splash_12' > Look here (also previous page): > > http://computercops.biz/posts79549-15.html If I change my search strategy I do a lot better ;-) I find posts in 9 different places instead of one. -- Mike Easter kibitzer, not SC admin From ric.gates at bigsleep.org Mon Oct 18 19:16:43 2004 From: ric.gates at bigsleep.org (Blammo) Date: Mon Oct 18 14:20:24 2004 Subject: [SpamCop-List] Re: OT - Weird References: Message-ID: On 18 Oct 2004 Porpoise entered spamcop and left news:cl0a95$nnu$1@news.spamcop.net: > Nit anly taht bet alse uf wirds ore masspelud toa. > > Doesn't gain anything though - still not an excuse for bad > spelling/grammar. > > I can't read that, so I don't understand what you are saying. I think it's a good example of something that doesn't follow the example, just like spam. Oh, now I see what you did, but that makes it totally unreadable. -- | Ric From fred558 at bobames.com Mon Oct 18 21:21:12 2004 From: fred558 at bobames.com (Bob Ames) Date: Mon Oct 18 14:25:04 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? In-Reply-To: References: Message-ID: <41740998.8030703@bobames.com> "Christian" wrote in message news:cl03d4$cq9$1@news.spamcop.net > > I think you have to regard reporting as a way to hit back rather > than a way to cancel the spam. I think Miss Betsy said it best: > Reporting spam is a long term solution, not a way to get rid > of spam for yourself. Bob -- Bob Ames (use bob at this domain to reach me) Don't Send Any Email To: From nobody at spamcop.net Mon Oct 18 16:37:14 2004 From: nobody at spamcop.net (indigo) Date: Mon Oct 18 15:40:23 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? 
References: Message-ID: Christian wrote: > > I don't known if your intention is good but i know that the result is > bad, i won't pay anything till i am not sure it works. Won't pay for anything until you are *not* sure it works....? > I would like to discuss with spamcop administrator (in www.spamcop.com there is no > form or email like the "contact us" typical form of each respectable > site). > Well, between your attitude, illogical statements, and trying to email someone at spamcop.COM......... I think SC would be better off without you...... From MikeE at ster.invalid Mon Oct 18 13:47:32 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 15:50:04 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: indigo wrote: > Well, between your attitude, illogical statements, and trying to email > someone at spamcop.COM......... I think SC would be better off without > you...... heh ... don't let the door... -- Mike Easter kibitzer, not SC admin From firewoman at default.domain.not.available Mon Oct 18 17:19:11 2004 From: firewoman at default.domain.not.available (Firewoman) Date: Mon Oct 18 16:20:05 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: "Christian" wrote in message news:cl03d4$cq9$1@news.spamcop.net... I'm hoping you actually come back to read the responses your original post has generated. Spam flows are never predictable. My spam has dropped dramatically, and I can't even pinpoint one specific reason why. A few weeks ago, however, I was receiving over 50 a day. I've been using SpamCop.*NET* for almost 2 years now. I made the same mistakes others have, such as not reading directions about submitting spam, and best methods for submitting it. I opened HTML e-mail (which waves a big flag at the spammer that says "Lookee here! A live one!") to get the code, and I even clicked a few unsubscribe links when I was still a newbie. We all make mistakes, but we (usually) learn from them. 
Asking for assistance instead of making accusations is one way of learning. If you'd like assistance with submitting spam safely, please let us know. From not at home.today Mon Oct 18 22:43:32 2004 From: not at home.today (Ant) Date: Mon Oct 18 16:45:04 2004 Subject: [SpamCop-List] Re: Jokes as hashbusting References: Message-ID: "Dan" wrote... > This pump-and-dump spammer found an interesting form of hashbusting: jokes. [snip] Parts of joke text, in the case of the last paragraph. My ISP prefixes a spam marker to the subject line, and I just got this as a subject: *** SPAM *** quickly delivered and processed Certainly was: "Yum, this spam is fresh! Message is 0 hours old" :) From puoti at inwind.it Mon Oct 18 23:25:46 2004 From: puoti at inwind.it (Ivan Leo Puoti) Date: Mon Oct 18 17:30:15 2004 Subject: [SpamCop-List] For deputies: new link obfuscation technique Message-ID: http://www.spamcop.net/sc?id=z683538048za6e44be2203b3a61f4ae9b8d6e8eedaaz&action=display I say new, well I've personally never seen it before. They've turned http://www.laura.kjhbnl.com/ into

http://www.laura.kjhbnl.com

and spamcop doesn't find it. Ivan. From nobody at devnull.spamcop.net Mon Oct 18 17:44:07 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Oct 18 17:45:04 2004 Subject: [SpamCop-List] Re: For deputies: new link obfuscation technique References: Message-ID: "Ivan Leo Puoti" wrote in message news:cl1cd1$rqv$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z683538048za6e44be2203b3a61f4ae9b8d6e8eedaaz&action=display > I say new, well I've personally never seen it before. > They've turned http://www.laura.kjhbnl.com/ into >

http://www.laura.kjhbnl.co type="hidden" value="">m

> and spamcop doesn't find it. The link isn't even HTML encoded to begin with. So the parser treats it as just another string of plain text. Any idiot that either uses a totally brain dead app that renders this as a clickable URL or takes the action of cut and paste to go there deserves what they end up with. From mfkmek820 at yahoo.com Mon Oct 18 16:19:50 2004 From: mfkmek820 at yahoo.com (Fred K) Date: Mon Oct 18 18:25:03 2004 Subject: [SpamCop-List] What is going on with resolving links Message-ID: SC fails to resolve this and other links. But when I use proxify.com, they take me to the website? http://www.spamcop.net/sc?id=z683549708z71e3d87859ec5fe89ca96eaadf9d088fz Tracking link: http://www.daydark.net.md.transfersp.com No recent reports, no history available Cannot resolve http://www.daydark.net.md.transfersp.com From MikeE at ster.invalid Mon Oct 18 16:34:36 2004 From: MikeE at ster.invalid (Mike Easter) Date: Mon Oct 18 18:35:04 2004 Subject: [SpamCop-List] Re: What is going on with resolving links References: Message-ID: Fred K wrote: > SC fails to resolve this and other links. But when I use proxify.com, > they take me to the website? 
> www.spamcop.net/sc?id=z683549708z71e3d87859ec5fe89ca96eaadf9d088fz > > Tracking link: http://www.daydark.net.md.transfersp.com > No recent reports, no history available > > Cannot resolve http://www.daydark.net.md.transfersp.com Sometimes you have to give SC a 'second chance' Resolving link obfuscation http://www.daydark.net.md.transfersp.com host 222.134.66.52 (getting name) no name Re: http://www.daydark.net.md.transfersp.com (Administrator of network hosting website referenced in spam) postmaster@pub.sd.cninfo.net abuse@cnc-noc.net postmaster#cnc-noc.net@devnull.spamcop.net postmaster@sd.cninfo.net support@pub.sd.cninfo.net ct-abuse@abuse.sprint.net security@pub.sd.cninfo.net -- Mike Easter kibitzer, not SC admin From baloo at ursine.dyndns.org Mon Oct 18 17:02:55 2004 From: baloo at ursine.dyndns.org (Paul Johnson) Date: Mon Oct 18 19:05:03 2004 Subject: [SpamCop-List] Re: dev/null? References: Message-ID: <87sm8bmxy8.fsf@ursine.dyndns.org> Lord Tyr writes: > Okay the latest spam report i did today > http://www.spamcop.net/sc?id=z683146532za7bc31ce0026487650eecd5994976094z > However... my questions is what is this /dev/null'ing report for ?? > Does that mean it was not reported? Yup. For those who couldn't graduate high school this century due to lack of computer knowledge, /dev/null is the device that just throws everything away. Whatever you pipe to it goes away permanently. From eddie at eddie.web Mon Oct 18 21:38:22 2004 From: eddie at eddie.web (eddie) Date: Mon Oct 18 20:40:19 2004 Subject: [SpamCop-List] very slow real-time reporting Message-ID: reporting side is very slow, gateway timeouts, etc. What's up with that? -- Rather: I don't want to be argumentative, Mr. vice president. Bush41(veep):You do, Dan.
Rather: No -- no, sir, I don't. From nobody at devnull.spamcop.net Tue Oct 19 12:33:37 2004 From: nobody at devnull.spamcop.net (Patto) Date: Mon Oct 18 22:35:19 2004 Subject: [SpamCop-List] Re: dev/null? References: Message-ID: "Ivan Leo Puoti" wrote in message news:ckud8m$dnk$1@news.spamcop.net... >> Does that mean it was not reported? > Yes, it is only tracked for statistics, because spamcop can't send the > report for some reason that is described in the tech details when you > parse a spam. But it gives you a hint where to send a manual report if you are inclined to do so. From skiwi at spamcop.net Mon Oct 18 21:50:44 2004 From: skiwi at spamcop.net (sk1w1) Date: Mon Oct 18 23:55:06 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail In-Reply-To: References: Message-ID: Peter Pearson wrote: > sk1w1 wrote: > >>New Interface Formatting Suggestion - add small piece of whitespace >>between each listed held mail (for web mail user...) >>It is hard to read each individual listed spam subject, 'sender', etc >>prior to reporting . . . > > > Hmm... It looks fine under Firefox on my Suse 9.0 Linux system. > I think subtle and incomprehensible font-system details create > this sort of discrepancy; but usually it's *my* screen that looks bad. > The purists will (rightly (?)) kill me for this, but it is only 9K and I see no other way to show you - so see attached graphic snip - 50% reduction, from Mozilla 1.7.2 but look the same in Mozilla 1.8beta and IE 6.x See what I mean? The amorphous mass of text is a PITA IMHO, especially if there is line wrap... I would be very grateful if this small formatting change could be made... 
From MikeE at ster.invalid Mon Oct 18 23:45:24 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 01:45:03 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail References: Message-ID: sk1w1 wrote: > The purists will (rightly (?)) kill me for this, but it is only 9K > and I see no other way to show you - so see attached graphic snip - > 50% reduction, I'm not in favor of the graphic attachment, but if we're going to discuss /just/ the concept of filesize minimization while trying to maintain best 'quality' or viewability, .jpg/ing it in 'so many' colors while reducing it in a lossy format wasn't the best way. Something like a B&W 2 color .gif or its equivalent would've been even smaller filesize and not lossy. And, if I /had/ to do it, I would've put it in .spam and pointed to it, for propriety's sake. -- Mike Easter kibitzer, not SC admin From skiwi at spamcop.net Mon Oct 18 23:59:42 2004 From: skiwi at spamcop.net (sk1w1) Date: Tue Oct 19 02:00:03 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail In-Reply-To: References: Message-ID: Mike Easter wrote: > sk1w1 wrote: > >>The purists will (rightly (?)) kill me for this, but it is only 9K >>and I see no other way to show you - so see attached graphic snip - >>50% reduction, > > > I'm not in favor of the graphic attachment, but if we're going to discuss > /just/ the concept of filesize minimization while trying to maintain best > 'quality' or viewability, .jpg/ing it in 'so many' colors while reducing > it in a lossy format wasn't the best way. Something like a B&W 2 color > .gif or its equivalent would've been even smaller filesize and not lossy. > > And, if I /had/ to do it, I would've put it in .spam and pointed to it, > for propriety's sake. speaking hypothetically, thanks for the input Mike... 
From newandrew at rump.dk Tue Oct 19 09:39:52 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Tue Oct 19 04:40:50 2004 Subject: [SpamCop-List] Re: very slow real-time reporting References: Message-ID: After drinking 3 Pan Galactic Gargle Blasters, eddie mumbled in news:pan.2004.10.19.00.38.21.998000@eddie.web: > reporting side is very slow, gateway timeouts, etc. > What's up with that? Good question! I am experiencing the same thing 10:37AM (GMT+1-1 (summertime)=UTC) in Denmark. Andrew -- *** The opinions expressed are not necessarily those of my employer. *** * Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet * * Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 * Home: N55°41'38.9" E12°29'08.6" (WGS 84) Work: N55°39'50.9" E12°27'47.4" E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/ From newandrew at rump.dk Tue Oct 19 10:00:36 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Tue Oct 19 05:06:02 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: After drinking 3 Pan Galactic Gargle Blasters, "Christian" mumbled in news:cl03d4$cq9$1@news.spamcop.net: > i am a recent user of spam cop, i find the idea great and since > i am spammed (due certainly to a virus in some friends computer > that gave all its addressbook to some spammer) i wanted to report > spam. Yeah! That is a well known example of getting e-mail addresses exposed! :-( > I said to myself that if it has a consequence on the amount of > spam i receive each day i will be happy to pay and contribute to > spam cop efforts. Great, then you should do that and experience what SpamCop can do for you and what you can do for SpamCop - but don't expect to get rid of spam! :-( And if you think your time could be used better somewhere else - go there! 
By using SpamCop you are supporting a huge fight against spam using technology - with ease compared to manual reporting. The Register has an article about the power of reporting "illegal material" on the internet - we actually have so much power that we have to be careful what we report! :-) http://www.theregister.co.uk/2004/10/14/isp_takedown_study/ refer to http://www.bof.nl/docs/researchpaperSANE.pdf > BUT, i used it for 2 or 3 weeks, reporting each day each spam and > now i am sure to get twice as spam as before. SpamCop tries to munch your reports (if not disabled), but it is not foolproof. But also your own handling of spam may get yourself exposed! Treat spam as if it was a virus! > ... > The result is : now i can't even report them (your stupid > interface makes me wait), even if i submit per mail i have a > confirmation email with an http link to click. If you think i am > going to click 160 times and wait http to respond then you are > really stupid. Do you use the free service (with the nag-screen)? That interface only works for a few spammail per day. Without the nag-screen you may handle a few more every day - unless you want to take the chance with quick-reporting - don't - the chance of getting yourself reported is too big! It all costs money but it is well worth it - and if you go the whole way and pay $30 a year you get a virtually spamfree mailbox!!! It is worth any penny! You may call the interface stupid, but SpamCop is a webbased reporting system and HTML has its limitations. I think the interface is working quite well. I've had to program my own system to report the 500+ spammails I receive every day, but report a small selection and forget about the rest! > I don't know if your intention is good but i know that the result > is bad, i won't pay anything till i am not sure it works. 
I would > like to discuss with spamcop administrator (in www.spamcop.com > there is no form or email like the "contact us" typical form of > each respectable site). You must surely mean spamcop.net (spamcop.com is a spammer-site!!!) I have been with spamcop.net for several years now and I "know" that the intentions are working for the good against the evil. You could e-mail supportspamcop.net - I hope the address is correct - SpamCop have to hide their addresses for obvious reasons. But I would suggest that you discuss your ideas with the SpamCop users using this newsgroup or the forum http://forum.spamcop.net/. Please consider that a "shoot and forget"-system fails because too many people will report anything including legitimate mails! SpamCop's interface gives you all the information you need to make sure that you are reporting genuine spam! Andrew -- *** The opinions expressed are not necessarily those of my employer. *** * Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet * * Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 * Home: N55°41'38.9" E12°29'08.6" (WGS 84) Work: N55°39'50.9" E12°27'47.4" E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/ From nobody at nowhere.invalid Tue Oct 19 12:20:12 2004 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Oct 19 05:25:26 2004 Subject: [SpamCop-List] Re: Hahaha Hanaro References: Message-ID: On Mon, 18 Oct 2004 11:35:14 -0400, Alexis coughed into spamcop and left this in : > Hello, I'm in charge of dealing with spam mails in Hanaro Telecom. Your name isn't Dave, by any chance? > If you do not follow this instruction, your request may be deleted > without comment of notification, or delayed. It already is, so what difference does this make? > We've been doing our best to take lead to cultivate sound Internet culture. *snicker* > If you have further questions, please feel free to contact us. Here's one. 
When is Hanaro going to pull the plug on itself and release its IP allocations back to APNIC/KRNIC? -- Steve From newandrew at rump.dk Tue Oct 19 10:22:14 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Tue Oct 19 05:25:57 2004 Subject: [SpamCop-List] Re: very slow real-time reporting References: Message-ID: After drinking 3 Pan Galactic Gargle Blasters, "Andrew Engels Rump (formerly Leif Andrew Rump)" mumbled in news:Xns95876C7C6D678newandrewrumpdk@216.154.195.61: > After drinking 3 Pan Galactic Gargle Blasters, eddie > mumbled in news:pan.2004.10.19.00.38.21.998000@eddie.web: >> reporting side is very slow, gateway timeouts, etc. >> What's up with that? > Good question! I am experiencing the same thing 10:37AM (GMT+1-1 > (summertime)=UTC) in Denmark. Now everything seems to be working again at 11:01AM! Andrew -- *** The opinions expressed are not necessarily those of my employer. *** * Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet * * Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 * Home: N55°41'38.9" E12°29'08.6" (WGS 84) Work: N55°39'50.9" E12°27'47.4" E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/ From bar_n0ne at hotmail.com Tue Oct 19 15:15:52 2004 From: bar_n0ne at hotmail.com (Berny) Date: Tue Oct 19 06:20:09 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: "Andrew Engels Rump (formerly Leif Andrew Rump)" wrote in message news:Xns958770004D941newandrewrumpdk@216.154.195.61... > After drinking 3 Pan Galactic Gargle Blasters, "Christian" > mumbled in news:cl03d4$cq9$1@news.spamcop.net: > > i am a recent user of spam cop, i find the idea great and since > > i am spammed (due certainly to a virus in some friends computer > > that gave all its addressbook to some spammer) i wanted to report > > spam. 
>A lot of stuff SNIPPED Andrew's suggestion of using an SC mailbox for $30.00 a year is probably a good one, I'd prefer a service which simply rejected blacklisted sources, I get so much spam nowadays that tagging spam is pretty worthless, as the crap mailbox still needs to be inspected for "ham". I switched to unmunged reporting a month or so back and neither reporting munged or unmunged has made a dent in the relentless increase in spam, and since 1997 I have disabled rendering of html and fetching html in my mailreaders, none of it has helped. I don't think spammers care any longer whether they hit spamtraps or reporters, so the only benefit is for those who reject blacklisted mails. Any other technique fails since there is a substantial risk of false positives in spam detection and the mail being consequently dumped silently without proper sender notification. I believe that's what Hotmail and Yahoo do already. We'd have a lot more interest by spammy ISPs in fixing the problems if they actually received significant rejects from large ISPs. AOL's rejection of mail from Telia a couple of years back sure had an impact on spam from that source. From ric.gates at bigsleep.org Tue Oct 19 11:21:54 2004 From: ric.gates at bigsleep.org (Blammo) Date: Tue Oct 19 06:25:02 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail References: Message-ID: On 18 Oct 2004 sk1w1 entered spamcop and left news:cl22v2$1q8$2@news.spamcop.net: > See what I mean? The amorphous mass of text is a PITA IMHO, especially > if there is line wrap... I would be very grateful if this small > formatting change could be made... > I don't have access to that page, so I can't see the code, but it looks to me like line spacing. I think that particular font (probably Verdana) has a low profile, notice the short descenders, and when it's small the line space may seem to disappear. 
Though the pic is a little degraded, it appears there is a slightly negative line-height (can't imagine why he'd do that), that space should be slightly greater than the height of the descender. You could try pressing CTRL+plus and see what difference that makes. Also you can mess with the settings in Preferences - Appearance - Fonts, where you can make sure your display size is correct, and the proportional font size should probably be 16, or you can force it to use your own font/ size. -- | Ric From nobody at spamcop.dev.null.net Tue Oct 19 07:27:24 2004 From: nobody at spamcop.dev.null.net (Nobody) Date: Tue Oct 19 07:30:19 2004 Subject: [SpamCop-List] Re: Rip Off Report? References: Message-ID: <4174FA1C.583647AA@spamcop.dev.null.net> Merlyn wrote: > > Why? That site has nothing to do with the BBB? > > Looks pretty loony to me. I wouldn't trust anything on that site. > > It means nothing, kinda reminds me of the freespeechstore idiot. > > Registrant: > Xcentric Ventures, llc > P.O. Box 470 > Tempe, AZ 85280 > US > 602.518.4357 > > Resolved badbusinessbureau.com to 69.16.185.48 to 69.16.185.47 > > DRBL-VOTE-GREMLIN Distributed RBL node: gremlin.ru: vote.drbl.gremlin.ru -> > 127.0.0.2 > Spam source > > DRBL-WORK-GREMLIN Distributed RBL node: gremlin.ru: work.drbl.gremlin.ru -> > 127.0.0.2 > Spam source > > [badbusinessbureau.com has 2 MX records mx1.dnsmanaged.com.(0) > mx2.dnsmanaged.com.(0)] > > STBL Spam Trap dnsbl: bl.spam-trap.net -> 127.0.0.4 > 1089225080 (Wed Jul 7 20:31:20 2004) uu.net Blocked by STBL, see > http://www.stop-spam.info/lookup.php?ip=65.199.34.53 > > SORBSSPEWS-L2 Spam Prevention Early Warning System - Level 2 Mirror: > l2.spews.dnsbl.sorbs.net -> 127.0.0.2 > > -- Merlyn, Does this mean that the BadBusinessBureau site is really run by a blocklisted Russian site that has a maildrop address in Tempe, Arizona? 
Michael From crappy.trappy at ntlworld.com Tue Oct 19 13:30:32 2004 From: crappy.trappy at ntlworld.com (Tim) Date: Tue Oct 19 07:30:43 2004 Subject: [SpamCop-List] [Media] Financial adviser fleeced in 419 scam Message-ID: Story here : http://www.theregister.co.uk/2004/10/19/aussie_419_victim/ I can't believe that a /financial adviser/ could be so stupid! I assume that a /financial adviser/ would require some level of intelligence. From MikeE at ster.invalid Tue Oct 19 05:53:15 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 07:55:03 2004 Subject: [SpamCop-List] Re: [Media] Financial adviser fleeced in 419 scam References: Message-ID: Tim wrote: > http://www.theregister.co.uk/2004/10/19/aussie_419_victim/ > > I can't believe that a /financial adviser/ could be so stupid! > I assume that a /financial adviser/ would require some level of > intelligence. The register likes to 'collect' articles about successful 419s. That particular stupidity took place 2001 Sep to 2002 Aug - the story is the fallout of the prosecution of the brilliant advisor. From July Register http://www.theregister.co.uk/2004/07/09/419_scam_anatomy/ Anatomy of a 419 scam -- Regular readers will be familiar with our ongoing coverage of variations on the 419 advance fee fraud scam [...] we have been accused in the past of carrying too much 419 coverage 2003 http://www.theregister.co.uk/2003/03/10/419_scammers_take_us_con/ 419 scammers take US con artist for $750,000 2002 http://www.theregister.co.uk/2002/09/23/woman_falls_for_nigerian_scam/ Woman falls for Nigerian scam, steals $2.1m from law firm -- Mike Easter kibitzer, not SC admin From crappy.trappy at ntlworld.com Tue Oct 19 13:57:29 2004 From: crappy.trappy at ntlworld.com (Tim) Date: Tue Oct 19 08:00:04 2004 Subject: [SpamCop-List] Re: [Media] Financial adviser fleeced in 419 scam In-Reply-To: References: Message-ID: Mike Easter wrote: > ....brilliant... > Did you use the wrong word there? 
;) This guy (and the others) should have known better. From nobody at spamcop.dev.null.net Tue Oct 19 08:09:48 2004 From: nobody at spamcop.dev.null.net (Nobody) Date: Tue Oct 19 08:10:03 2004 Subject: [SpamCop-List] Re: Who Is This Spammer? How'd He Get/Build My ISP's Member List? References: <416CF6E5.AD918E6B@spamcop.dev.null.net> Message-ID: <4175040C.C0D3A5FF@spamcop.dev.null.net> Nobody wrote: > > Can anyone identify who the spammer(s) might be from the parsed headers > in the reports linked above? I'd be very appreciative. > Thanks for the response. Guess I asked the wrong question. Regards, Michael From bjtexas at hotmale.com Tue Oct 19 08:41:12 2004 From: bjtexas at hotmale.com (BJ) Date: Tue Oct 19 08:45:03 2004 Subject: [SpamCop-List] Re: Hahaha Hanaro References: Message-ID: Alexis wrote: || Hello, I'm in charge of dealing with spam mails in Hanaro || Telecom. || We get a request related to spam reports only at || || We'll close ,so it will be unavailable || from November 15. We'd like to ask you to follow the || instruction below. If you do not follow this instruction, || your request may be deleted without comment of notification, || or delayed. || || 1.Please send us the header of the original spam mail. || (It is required to find the exact spammer.) || || 2.Your request will be dealt with much more quickly if you || include spammer's || IP in the title of your mail. || For example, "Hanaro spam XXX.XXX.XXX.XXX || || 3.Before you report spam, please reconfirm whether the IP is || belong || to Hanaro. If the IP is not Hanaro's, it is impossible to || inquire || the spammer. We'd like to ask you not to send spam which is || not Hanaro's. You can check whether the IP is Hanaro's at || "http://whois.nic.or.kr/english/index.htm." || || We've been doing our best to take lead to cultivate sound || Internet culture. If you have further questions, please feel || free to contact us. || Thank you. Should have put a warning on that one... 
I couldn't stop laughing for 10 minutes. BJ From MikeE at ster.invalid Tue Oct 19 09:53:54 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 11:55:21 2004 Subject: [SpamCop-List] Re: [Media] Financial adviser fleeced in 419 scam References: Message-ID: Tim wrote: > Mike Easter wrote: > >> ....brilliant... >> > > Did you use the wrong word there? ;) There isn't a 'well-recognized' or perfectly apropos sarcasm emoticon. There is plenty of discussion about it [search sarcasm emoticon], and there are plenty of little emoticon glossaries which 'act like' there is a sarcasm one, but I don't think the answer is 'crystal clear' and unambiguous. I don't think a winking smiley gets it, precisely. Nor the wry grimace or other suggestions. I was sorta hoping it would be 'self-evident' - to spare me from having to add sarcasm on sarcasm off flags. > This guy (and the others) should have known better. Errrm. Ye e s s ss. -- Mike Easter kibitzer, not SC admin From nobody at apamcop.com Tue Oct 19 12:27:50 2004 From: nobody at apamcop.com (cwg) Date: Tue Oct 19 12:30:05 2004 Subject: [SpamCop-List] Re: New interface really sucks now References: <87acumbau4.fsf@ursine.dyndns.org> Message-ID: Viewed the page in FF, looks nice. Lynx? Text Only? Or am I using a different Lynx than you? P.S. Anything looks great in Lynx :-) Lynx 2.8.3rel.1 (23 Apr 2000) http://lynx.browser.org/ File that you are currently viewing Linkname: SpamCop.net - Beware of cheap imitations URL: http://www.spamcop.net/ Charset: utf-8 Server: Apache/1.3.29 (Unix) mod_perl/1.28 Date: Tue, 19 Oct 2004 16:24:37 GMT Expires: Tue, 19 Oct 2004 16:24:37 GMT Cache-Control: max-age=0, no-cache, no-store Content-Length: 5431 bytes Owner(s): None size: 58 lines mode: forms mode, no-cache Link that you currently have selected Linkname: Login Method: POST Enctype: application/x-www-form-urlencoded Action: http://www.spamcop.net/mcgi "Paul Johnson" wrote in message news:87acumbau4.fsf@ursine.dyndns.org... 
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > "Michael Vilain" writes: > > > Just so you know, iCab doesn't support CSS2 yet (it's been over 2 > > years--sheesh) and doesn't display the spamcop page very well. At the > > bottom of the page, spamcop says "HTML 4 / CSS2 Firefox recommended". > > Well, iCab needs to become standards compliant, then. File a bug > report, this isn't a spamcop bug. > > > I realize that at some point, web site developers have to decide what > > browsers they'll support. > > You missed the lesson to be learned here entirely. > > At some point web developers will have to realize that gratuitously > violating standards isn't the way to get their page viewed, and > browser developers will have to realize that gratuitously failing to > support standards isn't the way to get people to use their software. > Firefox is winning because more people are realizing exactly that. > > > Guess the OP is going to have to find some other way to deal with spam > > since they can't use spamcop anymore. That's what they get for using > > lynx. > > Looks great in Lynx. Why would you think otherwise unless you didn't > actually try it? > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.5 (GNU/Linux) > > iD8DBQFBcZVjUzgNqloQMwcRAk/JAJ9oMxR80dfiL6LecnF6QGDV9qAWvACgl3Vo > OjO1K7uZ3UVPxCSUcjX5KSI= > =PcCg > -----END PGP SIGNATURE----- From Kilgallen at SpamCop.net Tue Oct 19 12:41:11 2004 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Tue Oct 19 12:45:04 2004 Subject: [SpamCop-List] Re: [Media] Financial adviser fleeced in 419 scam References: Message-ID: In article , Tim writes: > Story here : > > http://www.theregister.co.uk/2004/10/19/aussie_419_victim/ > > I can't believe that a /financial adviser/ could be so stupid! Since he responded with other people's money, what is so stupid ? Oh, he got caught... > I assume that a /financial adviser/ would require some level of > intelligence. 
That is the assumption those selling financial advice want you to make. From nospam at temporaryrelay002.ath.cx Tue Oct 19 20:26:43 2004 From: nospam at temporaryrelay002.ath.cx (Gingko) Date: Tue Oct 19 13:30:06 2004 Subject: [SpamCop-List] This message looks like a bounce, will not report. Message-ID: I got this result when submitting a message : "This message looks like a bounce, will not report." "Do not report bounces as spam!" "Message is old" "Nothing to do." http://www.spamcop.net/sc?id=z683808711zc360cd6ea4e91f15746efb75be4ec5bez After that, I submitted the same message a second time, same result : http://www.spamcop.net/sc?id=z683827310z72c708046121a075269a61abacdf1d56z Could somebody explain me why ? Gingko From MikeE at ster.invalid Tue Oct 19 11:40:57 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 13:40:04 2004 Subject: [SpamCop-List] Re: This message looks like a bounce, will not report. References: Message-ID: Gingko wrote: > "This message looks like a bounce, will not report." www.spamcop.net/sc?id=z683808711zc360cd6ea4e91f15746efb75be4ec5bez > Could somebody explain me why ? Must be the Return-Path: <> line Here's an experimental cancelled parse with it absent. www.spamcop.net/sc?id=z683830747z3fd653c69cc9d7af2a8778b768f85767z Report Spam to: Re: 168.160.228.156 (Administrator of network where email originates) To: lianyc#bepc2.ihep.ac.cn@devnull.spamcop.net (Notes) Re: 168.160.228.156 (Third party interested in email source) To: Cyveillance spam collection (Notes) Re: http://lnebgfmh.info/diamondtron.php?affiliate_... 
(Administrator of network hosting website referenced in spam) To: abuse@mci.com (Notes) Re: http://secure.lnebgfmh.info/?cr8h8tcpuaj_uc6 (Administrator of network hosting website referenced in spam) To: abuse@mci.com (Notes) -- Mike Easter kibitzer, not SC admin From kenbrody at spamcop.net Tue Oct 19 14:54:04 2004 From: kenbrody at spamcop.net (Kenneth Brody) Date: Tue Oct 19 14:50:14 2004 Subject: [SpamCop-List] Re: OT - Weird References: Message-ID: <417554BC.7A12312B@spamcop.net> Blammo wrote: > > On 18 Oct 2004 Porpoise entered spamcop and left > news:cl0a95$nnu$1@news.spamcop.net: > > > Nit anly taht bet alse uf wirds ore masspelud toa. > > > > Doesn't gain anything though - still not an excuse for bad > > spelling/grammar. > > > > > > I can't read that, so I don't understand what you are saying. I think it's > a good example of something that doesn't follow the example, just like > spam. [...] Nit anly taht bet alse uf wirds ore masspelud toa. Not only that but also if words are misspelled too. You are correct, however, that it makes it very hard to read. The original example I was able to read without hesitation. (And, yes, it was old news to me.) -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From baloo at ursine.dyndns.org Tue Oct 19 12:57:41 2004 From: baloo at ursine.dyndns.org (Paul Johnson) Date: Tue Oct 19 15:00:03 2004 Subject: [SpamCop-List] Re: [Media] Financial adviser fleeced in 419 scam References: Message-ID: <87oeiyy1qy.fsf@ursine.dyndns.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tim writes: > Story here : > > http://www.theregister.co.uk/2004/10/19/aussie_419_victim/ > > I can't believe that a /financial adviser/ could be so stupid! 
> I assume that a /financial adviser/ would require some level of > intelligence. This seems to be congruent with my theory that as the amount of money you handle regularly increases, the amount of common sense retained decreases. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBdWOqUzgNqloQMwcRAuDCAJ9zRZCanokA6+X+q+jxN8yYXSBMhwCgsqmj fB/FbNimmK3On5IRGAzRKno= =bAkS -----END PGP SIGNATURE----- From baloo at ursine.dyndns.org Tue Oct 19 12:59:31 2004 From: baloo at ursine.dyndns.org (Paul Johnson) Date: Tue Oct 19 15:00:19 2004 Subject: [SpamCop-List] Re: New interface really sucks now References: <87acumbau4.fsf@ursine.dyndns.org> Message-ID: <87k6tmy1nw.fsf@ursine.dyndns.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "cwg" writes: >> Looks great in Lynx. Why would you think otherwise unless you didn't >> actually try it? > > Viewed the page in FF, looks nice. > Lynx? Text Only? Or am I using a different Lynx than you? > P.S. Anything looks great in Lynx :-) We're talking about the same Lynx. And not everything looks great in Lynx... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBdWQTUzgNqloQMwcRAoGlAJ91G/QAghvJVk0fVNJN0fpjBJtAhwCfaBWK XNN8zv7iye0XOpEZB2ek41E= =8Onx -----END PGP SIGNATURE----- From nobody at spamcop.net Tue Oct 19 16:11:38 2004 From: nobody at spamcop.net (indigo) Date: Tue Oct 19 15:15:03 2004 Subject: [SpamCop-List] Re: dev/null? References: <87sm8bmxy8.fsf@ursine.dyndns.org> Message-ID: Paul Johnson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Lord Tyr writes: > > > Okay the latest spam report i did today > > http://www.spamcop.net/sc?id=z683146532za7bc31ce0026487650eecd5994976094z > > However... my questions is what is this /dev/null'ing report for ?? > > Does that mean it was not reported? > > Yup. 
For those who couldn't graduate high school this century due to > lack of computer knowledge, Even when you have an actual correct answer to a question from a newbie you have to be a superiority-complexed asshole about it. From nobody at spamcop.net Tue Oct 19 16:14:36 2004 From: nobody at spamcop.net (indigo) Date: Tue Oct 19 15:15:21 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail References: Message-ID: sk1w1 wrote: > Mike Easter wrote: > > sk1w1 wrote: > > > >>The purists will (rightly (?)) kill me for this, but it is only 9K > >>and I see no other way to show you - so see attached graphic snip - > >>50% reduction, > > > > > > I'm not in favor of the graphic attachment, but if we're going to > > discuss /just/ the concept of filesize minimization while trying to > > maintain best 'quality' or viewability, .jpg/ing it in 'so many' > > colors while reducing it in a lossy format wasn't the best way. > > Something like a B&W 2 color .gif or its equivalent would've been > > even smaller filesize and not lossy. > > > > And, if I /had/ to do it, I would've put it in .spam and pointed to > > it, for propriety's sake. > > speaking hypothetically, thanks for the input Mike... Speaking hypothetically, there's no official NG rule about posting attachments anymore, so you needn't apologize..... From newsspamcop.20.kuch at recursor.net Tue Oct 19 17:02:39 2004 From: newsspamcop.20.kuch at recursor.net (Rob) Date: Tue Oct 19 16:00:03 2004 Subject: [SpamCop-List] Non server usage of blocklists Message-ID: I have a local network in my home that I would like to make more secure. Linksys router, zone alarm on the pc's and implementing smoothwall firewall, but I would also like to have more control on the spam situation. 
I would like to use blocklists, mail control software such as Spam Assassin along with my mail client with filters in place (Thunderbird - great client, but no ability to modify/edit filters). I don't have a mail server and I understand that the blocklists and control software are geared towards server control. Could I use a mail proxy to "trick" the software? Any suggestions? Thanks. From MikeE at ster.invalid Tue Oct 19 14:05:04 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 16:05:04 2004 Subject: [SpamCop-List] Re: Non server usage of blocklists References: Message-ID: Rob wrote: > I have a local network in my home that I would like to make more > secure. Linksys router, zone alarm on the pc's and implementing > smoothwall firewall, but I would also like to have more control on > the spam situation. I would like to use blocklists, mail control > software such as Spam Assassin along with my mail client with filters > in place (Thunderbird - great client, but no ability to modify/edit > filters). > > I don't have a mail server and I understand that the blocklists and > control software are geared towards server control. Could I use a > mail proxy to "trick" the software? > > Any suggestions? SpamPal. Functions as a transparent proxy between your mail client and your provider's smtp/pop [or imap] server - and handles dsnbl/s just fine and dandy. 
http://www.spampal.org Features compared to others in a very comprehensive chart http://spampal.de/comparison-chart.html -- Mike Easter kibitzer, not SC admin From Spam_N_Scams_Reporter at yahoo.whatever Tue Oct 19 14:10:40 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Tue Oct 19 16:15:04 2004 Subject: [SpamCop-List] Re: Detecting False WHOIS Data In-Reply-To: <416D87D6.52AEB813@spamisevil.com> References: <416D87D6.52AEB813@spamisevil.com> Message-ID: Steve Holmes wrote: > Yesterday, someone in this group mentioned the bright idea of reporting > spammers at http://wdprs.internic.net/ for listing false contact info. > Problem is, I should know it's false before I complain. How do I nail > down as much of this as possible without contacting the spammer? > > I'm going after a pr0n spammer who uses misspelled words and filthy > subject lines. Here's his latest identity (he spams from 10-20 domains > for about ten days, then begins again with new contact info.): > > Registrant Name: Brian Turpin > Registrant Organization: none > Registrant Address1: 633 Main St > Registrant City: Danville > Registrant Postal Code: 24543 > Registrant Country: United States > Registrant Country Code: US > Registrant Phone Number: +1.8047930817 > Registrant Email: briantur@lycos.com > > The phone number is not listed in his name. I suppose he could be living > with the people to whom it's registered, so I don't know how to prove > it's bogus except to call up and say, "Is Brian there?". I'd rather not > start putting money into this and make probable wrong-number calls > deliberately. > > Lumberton has a "549 Main," but Google shows no business there. Any > other way to find out what's at that address without making a 1,000 mile > trip to New Jersey? > > Is it OK to send a polite e-mail saying, "If you're spamming, stop. If > this reached you in error, please accept my apologies."? Then, if that > bounces, it's false info. I can report. 
> > Under the idea of "know thy enemy," anyone know why he moves around > every couple of weeks? > > Thanks in advance. > > -- > Steve Holmes > Executive Producer > "The New Ball Game" > "RailFAN" > 319-337-9507 > I have received a bit of spam that I've traced back to domains that are 'owned' by Tim Welch. I just placed a phone call to him and he is not the owner. I'm wondering if he has been the target of a phish. He told me that he had a check at the supermarket not be good. I do believe his sincerity. Gather up all domains that are associated with this so that we can present them to the proper places. Brian From tdy at blackhole.invalid Tue Oct 19 14:16:15 2004 From: tdy at blackhole.invalid (N. Miller) Date: Tue Oct 19 16:20:02 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: In article , Berny says... > Any other technique fails since there is a substantial > risk of false positives in spam detection and the mail being consequently > dumped silently without proper sender notification. I believe that's what > Hotmail and Yahoo do already. Actually, neither does that at all; not that I can see. The basic Hotmail and Yahoo! mail accounts accept all email for delivery until the user sets up the spam filters. Hotmail has an "Exclusive" setting, which dumps all incoming email from senders not in the user's address book into the "Bulk Mail" folder. Another option, "Immediate Delete" will keep the folder clear; all email is deleted without notice. But the important point is that the user has to set it up. Yahoo! has their SpamGuard. Unless the user configures the account to make use of SpamGuard, all email is delivered to the Inbox. With SpamGuard configured, email identified as "Bulk" is moved to the "Bulk" folder. There is an option to set SpamGuard to immediately delete messages in the "Bulk" folder. Again, that is set by the user. In neither of the cases that I have described is the default setting going to silently dispose of email. 
In each case, though, the user can set the mail service to silently dispose of email. That is a dangerous approach; I have seen false positives, especially in my Yahoo! account. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From MikeE at ster.invalid Tue Oct 19 14:19:42 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 16:20:19 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail References: Message-ID: indigo wrote: > sk1w1 wrote: >> Mike Easter wrote: >>> sk1w1 wrote: >>> >>>> The purists will (rightly (?)) kill me for this, but it is only 9K >>>> and I see no other way to show you - so see attached graphic snip - >>>> 50% reduction, >>> >>> I'm not in favor of the graphic attachment, >>> And, if I /had/ to do it, I would've put it in .spam and pointed to >>> it, for propriety's sake. >> >> speaking hypothetically, thanks for the input Mike... > > Speaking hypothetically, there's no official NG rule about posting > attachments anymore, so you needn't apologize..... We are all already aware of general newsgroup netiquette; plaintext not html, no binaries, trimming and contextualizing -- there are plenty of netiquette guidelines around, some long, some short. Here's a long one on binaries http://www.uwasa.fi/~ts/http/nobin.html May I just go ahead and post binaries to discussion newsgroups? Here's a little section in a larger helpfile http://www.wurd.com/ngfaqs_new-users.php#Binary Newsgroup FAQs - New Users -- Question: How can I post binary files in newsgroups? Answer: If you have a binary file you want to share with other members of a newsgroup, here are some suggestions on how to make it available without upsetting other people. 
--
Mike Easter kibitzer, not SC admin

From nobody at spamcop.net Tue Oct 19 17:51:11 2004
From: nobody at spamcop.net (indigo)
Date: Tue Oct 19 16:55:08 2004
Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail
References:
Message-ID:

Mike Easter wrote:
> We are all already aware of general newsgroup netiquette; plaintext
> not html, no binaries, trimming and contextualizing -- there are
> plenty of netiquette guidelines around, some long, some short.

But newbies aren't, and they're not going to get sufficient guidance from the new SC help page.

From todd at techcenterfl.com Tue Oct 19 18:35:18 2004
From: todd at techcenterfl.com (Todd Simmons)
Date: Tue Oct 19 17:40:05 2004
Subject: [SpamCop-List] How to get off the blacklist. - XYTRANS
Message-ID:

Our IP address is 67.105.20.194. Two months ago, we took mail in house and away from XO communications. We implemented an Exchange 2003 server and Symantec mail security. We did clean up a blaster virus shortly after the server install.

We need to get off the Spamcop blacklist as several e-mails are starting to bounce back. I don't really understand your spam traps. The report says we have been listed twice in three weeks. Any hint as to what happened or how we can get off.

From newsspamcop.20.kuch at recursor.net Tue Oct 19 19:01:10 2004
From: newsspamcop.20.kuch at recursor.net (Rob)
Date: Tue Oct 19 18:00:04 2004
Subject: [SpamCop-List] Re: Non server usage of blocklists
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Rob wrote:
>
>>I have a local network in my home that I would like to make more
>> secure. Linksys router, zone alarm on the pc's and implementing
>>smoothwall firewall, but I would also like to have more control on
>>the spam situation. I would like to use blocklists, mail control
>>Any suggestions?
>
>
> SpamPal.
Functions as a transparent proxy between your mail client and
> your provider's smtp/pop [or imap] server - and handles dnsbl/s just fine
> and dandy. http://www.spampal.org
>
> Features compared to others in a very comprehensive chart
> http://spampal.de/comparison-chart.html
>

Wonderful! Easy setup and Thunderbird had no problem connecting. With the **spam** added to the subject line the Bayesian filters won't have too long to "learn" this new indicator.

What is the protocol of reporting these e-mails with modified subject line and added headers? Would this be considered "Material changes to spam"?

From puoti at inwind.it Wed Oct 20 00:02:09 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Tue Oct 19 18:05:03 2004
Subject: [SpamCop-List] Re: For deputies: new link obfuscation technique
In-Reply-To:
References:
Message-ID:

> The link isn't even HTML encoded to begin with. So the
> parser treats it as just another string of plain text. Any
> idiot that either uses a totally brain dead app that renders
> this as a clickable URL or takes the action of cut and
> paste to go there deserves what they end up with.

This is no good reason to report the web site.

From Merlyn at Spamcop.net Tue Oct 19 19:22:28 2004
From: Merlyn at Spamcop.net (Merlyn)
Date: Tue Oct 19 18:25:06 2004
Subject: [SpamCop-List] Re: How to get off the blacklist. - XYTRANS
References:
Message-ID:

"Todd Simmons" wrote in message news:cl41e8$hps$1@news.spamcop.net...
> Our IP address is 67.105.20.194. Two months ago, we took mail in house
> and
> away from XO communications. We implemented an Exchange 2003 server and
> Symantec mail security. We did clean up a blaster virus shortly after the
> server install.
>
> We need to get off the Spamcop blacklist as several e-mails are starting
> to
> bounce back. I don't really understand your spam traps. The report says
> we
> have been listed twice in three weeks. Any hint as to what happened or
> how
> we can get off.
>

SMTP Auth hack.
The spammers know one or more of your usercode/passwords See: http://news.spamcop.net/cgi-bin/fom?file=372 http://www.winnetmag.com/article/articleid/40507/40507.html http://www.winnetmag.com/article/articleid/42406/42406.html http://support.microsoft.com/default.aspx?...;EN-US;324958#4 http://www.slipstick.com/exs/relay.htm http://www.msexchange.org/tutorials/Preven..._Server_55.html You are also in PSBL Passive Spam Block List: psbl.surriel.com -> 127.0.0.2 Listed in PSBL, see http://psbl.surriel.com/listing?ip=67.105.20.194 Example spam header received from your machine: >From tempersalec@pacbell.net Thu Oct 14 10:00:33 2004 Delivery-date: Thu, 14 Oct 2004 10:00:33 -0400 Received: from [67.105.20.194] (helo=server2.xytrans.com) by mail.victim.example with esmtp (Exim 4.41) id 1CI69h-0001VG-Iy for psbltrap@kernelnewbies.nl; Thu, 14 Oct 2004 10:00:33 -0400 Received: from executors ([218.59.22.235]) by server2.xytrans.com with Microsoft SMTPSVC(6.0.3790.0); Thu, 14 Oct 2004 10:00:52 -0400 From: "Margarita Low" To: spamvictim Subject: CHEAPEST MED||CATION 0NlI1NE Mime-Version: 1.0 Date: 14 Oct 2004 10:00:55 -0400 You should have waited to run your own server until you took an exchange class. -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Tue Oct 19 16:57:59 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 19:00:03 2004 Subject: [SpamCop-List] Re: Non server usage of blocklists References: Message-ID: Rob wrote: > Wonderful! Easy setup and Thunderbird had no problem connecting. > With the **spam** added to the subject line the baysean filters won't > have too long to "learn" this new indicator. > > What is the protocol of reporting these e-mails with modified subject > line and added headers? Would this be considered "Material changes to > spam"? No. Not a problem even tho' the faq doesn't say it. 
The concept of concern about material changes lies predominately in the consideration of the 'effect' of a change on the desk receiving the notify. 'We' tinw think that spamcop/Julian thinks that a desk will clearly recognize the function of header changes which have been introduced by spamfiltering strategies - such as that kind of subject change or the big fat string of headerlines which many spamfilters such as SpamAssassin introduce. Also, these are not changes which cause SC to find a link or IP which it wouldn't otherwise find. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Oct 19 17:08:44 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 19:10:02 2004 Subject: [SpamCop-List] Re: Detecting False WHOIS Data References: <416D87D6.52AEB813@spamisevil.com> Message-ID: Spam N Scams Reporter wrote: > I have received a bit of spam that I've traced back to domains that > are 'owned' by Tim Welch. What do you mean, exactly? Why don't you SC parse the spam, copy the tracker, cancel the report, and post the tracker so that we can see this item. > I just placed a phone call to him and he is > not the owner. Let's see the spam. > I'm wondering if he has been the target of a phish. Let's see the spam. > He told me that he > had a check at the supermarket not be good. I do believe his > sincerity. Let's see the spam. > Gather up all domains that are associated with this so that we can > present them to the proper places. Let's see the spam you are talking about. -- Mike Easter kibitzer, not SC admin From glnews030922 at highspot.net Wed Oct 20 01:10:26 2004 From: glnews030922 at highspot.net (Graeme Leith) Date: Tue Oct 19 19:10:24 2004 Subject: [SpamCop-List] Re: How to get off the blacklist. - XYTRANS In-Reply-To: References: Message-ID: Todd Simmons wrote: > Our IP address is 67.105.20.194. Two months ago, we took mail in house and > away from XO communications. We implemented an Exchange 2003 server and > Symantec mail security. 
We did clean up a blaster virus shortly after the > server install. > > We need to get off the Spamcop blasklist as several e-mails are starting to > bounce back. I don't really understand your spam traps. The report says we > have been listed twice in three weeks. Any hint as to waht happened our how > we can get off. Your server has an account called "webmaster" which has a weak password. Changing this password to a secure one should stop your box being used to relay spam. If you do not require remote users to be able to relay mail through your server, then disabling SMTP AUTH will make the box a lot more secure. One of the links supplied by Merlyn tells you how to do this in the section "Plugging the Hole". http://www.winnetmag.com/article/articleid/42406/42406.html -- Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution. From MikeE at ster.invalid Tue Oct 19 17:26:29 2004 From: MikeE at ster.invalid (Mike Easter) Date: Tue Oct 19 19:25:12 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail References: Message-ID: indigo wrote: > Mike Easter wrote: >> We are all already aware of general newsgroup netiquette; plaintext >> not html, no binaries, trimming and contextualizing -- there are >> plenty of netiquette guidelines around, some long, some short. > > But newbies aren't, and they're not going to get sufficient guidance > from the new SC help page. I'm not against there being more on that page; but my point is that the page has always been inadequate and misleading and we all have to work these things out for ourselves, whatever it sez on that page. The page will always be inadequate compared to various other 'sources' that one might have to use or cite to guide the newbie. 
The 'usual' or typical situation with a usenet newsgroup's charter is that all of that newsgroup customs and netiquette business isn't adequately spelled out in there.

MB's point earlier was that having some 'guidance' from that page makes 'self-enforcement' easier, but the page has never said anything about trimming and contextualizing, and I can't exactly remember exactly how it handled the issue of html vs plaintext and attachments, and it has always been outofwhack about how .spam really works. Currently that page doesn't even recognize the existence of .help any more.

We would really hate it if some 'rule' got put in there that no one likes. The last time anything was changed in there it was for the worse. I would hope that any further changes wouldn't make it worse still.

At one time I was thinking that a better way to handle posting spam in .spam would be as an attachment instead of inline. I still think we need to have a great deal of latitude with the .spam group; or if it isn't in .spam then some other 'loose' anything goes group.

The more rules you put someplace, then the stronger the argument is that anything which isn't covered by the rules must be OK. The less 'rules' there are in favor of cooperative guidance, the greater the flexibility, and then it is just a matter of getting everyone to cooperate than having to perpetually adjust or fix again a bunch of stupid rules.

--
Mike Easter kibitzer, not SC admin

From jason.mangiafico at verizon.net Tue Oct 19 21:45:16 2004
From: jason.mangiafico at verizon.net (JM)
Date: Tue Oct 19 20:50:17 2004
Subject: [SpamCop-List] Re: Fake Rolex spam
References:
Message-ID:

quoting:
> Hey all,
>
> I was wondering if anyone else is receiving a butt-load of spam hawking
> cheap (aka fake) Rolexes, etc. I have had 14 of the li'l bastages slip past
> the gates in the last couple of days, all from KR/JP zombied machines.

I see that my mailserver has rejected a bunch of these lately.
From jason.mangiafico at verizon.net Tue Oct 19 22:09:39 2004
From: jason.mangiafico at verizon.net (JM)
Date: Tue Oct 19 21:10:04 2004
Subject: [SpamCop-List] Is there anything I can do to stop this?
References:
Message-ID:

quoting:
> > It seems that a major spammer using a Korean server is using random names
> > at my domain name as the sender of their spam emails. I'm getting about 500
> > bounced emails a day from accounts over quota or now closed etc. The emails
> > are for loans and point recipients towards money-deal.info
> > (211.115.213.175).
> >
> > I have no idea why this spammer should have chosen to use my domain as the
> > sender. I've checked the IP addresses of mail going out & it's coming from
> > various compromised servers fortunately none of them belonging to me
> > (actually if I did own them at least I could do something about it).
> >
> > I can obviously bounce emails for unknown users at my domain but are there
> > any other suggestions about any way to stop this abuse?
>
> Firstly it's not a major spammer, quite small fry really. However, this
> person is annoying as they are also using *my* employer's domain
> bandce.co.uk in from addresses, so as mail admin for the domain, I am
> seeing some 300 mail returned messages per day. The original campaign
> for money-deal.info and several others has finished, but they just
> started up on insidefinancial.net overnight. The target spamvertised
> web site is already down but the bounces keep coming.
>
> Interestingly the registrations for the domains are in Winnipeg, MB.
> Different names but all quote the same phone number +1.2044804569 -
> anyone care to call em up? I am in the UK so no thanks

In this day in age with so much spam and viruses forging headers, STILL clueless admins have misconfigured mailservers that accept all mail, then bounce back to forged From: line. Why isn't there a blacklist for these bastards? WHY?
BTW, this is the message I send to postmaster and abuse of the domain that sent me a forged bounce. ------ You are bouncing back to forged From: headers! Do not accept the mail, then bounce it back later, it is bad practice. In this day in age with all the forged spam and virus going around, accepting then bouncing later is email suicide. Ten years ago this would have been "OK", since back then, there was not the spam and virus problem as it is today. Your forged bounces will only end up in innocent third parties' mailboxes, and it will be viewed as spam, and your mailserver may end up being listed in public blacklists. If it is "user unknown" or some other reason for non-delivery, then you are supposed to give a "550" error, then disconnect. **forwarded bounce would start here** ------ From nobody at devnull.spamcop.net Wed Oct 20 11:44:35 2004 From: nobody at devnull.spamcop.net (Patto) Date: Tue Oct 19 21:45:08 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: "Berny" wrote in message news:cl2pgq$7ks$1@news.spamcop.net... > >>A lot of stuff SNIPPED > > Andrews suggestion of using an SC mailbox for $30.00 a year is probably a > good one, ... I would love to use the SC mailbox you mention here. But I simply do not understand how it works - how do I get the spammers to send their garbage to SC instead of my mailbox...? I am currently paying much more than $30 at http://members.spamcop.net/ so I am very interested to switch to a fix cost system. From baloo at ursine.dyndns.org Tue Oct 19 20:24:29 2004 From: baloo at ursine.dyndns.org (Paul Johnson) Date: Tue Oct 19 22:25:05 2004 Subject: [SpamCop-List] Re: dev/null? References: <87sm8bmxy8.fsf@ursine.dyndns.org> Message-ID: <87fz4at9cy.fsf@ursine.dyndns.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 "indigo" writes: >> > However... my questions is what is this /dev/null'ing report for ?? >> > Does that mean it was not reported? >> >> Yup. 
For those who couldn't graduate high school this century due to >> lack of computer knowledge, > > Even when you have an actual correct answer to a question from a newbie you > have to be a superiority-complexed asshole about it. What? I'm right. Try passing a computer class worth the name in high school these days and pass without knowing that... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.5 (GNU/Linux) iD8DBQFBdcxdUzgNqloQMwcRAntmAJ9qDkKRVwktiNw0ufI1ISXg69wluwCgh08k gRUDTXYQMpeOzFQKSOFmbfc= =DpGs -----END PGP SIGNATURE----- From eddie at eddie.web Tue Oct 19 23:24:39 2004 From: eddie at eddie.web (eddie) Date: Tue Oct 19 22:25:27 2004 Subject: [SpamCop-List] Re: very slow real-time reporting References: Message-ID: On Tue, 19 Oct 2004 09:22:14 +0000, Andrew Engels Rump (formerly Leif Andrew Rump) scratched out the following: snip > > Now everything seems to be working again at 11:01AM! > > Andrew Those Gargle Blasters do the trick every time. :) Svlad sends his regards. -- Rather: I don't want to be argumentative, Mr. vice president. Bush41(veep):You do, Dan. Rather: No -- no, sir, I don't. From Spam_N_Scams_Reporter at yahoo.whatever Tue Oct 19 22:58:40 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Wed Oct 20 01:00:23 2004 Subject: [SpamCop-List] Re: Detecting False WHOIS Data In-Reply-To: References: <416D87D6.52AEB813@spamisevil.com> Message-ID: Mike Easter wrote: > Spam N Scams Reporter wrote: > >>I have received a bit of spam that I've traced back to domains that >>are 'owned' by Tim Welch. > > > What do you mean, exactly? Why don't you SC parse the spam, copy the > tracker, cancel the report, and post the tracker so that we can see this > item. > > >>I just placed a phone call to him and he is >>not the owner. > > > Let's see the spam. > > >>I'm wondering if he has been the target of a phish. > > > Let's see the spam. > > >>He told me that he >>had a check at the supermarket not be good. I do believe his >>sincerity. 
> > > Let's see the spam. > > >>Gather up all domains that are associated with this so that we can >>present them to the proper places. > > > Let's see the spam you are talking about. > > The reply did not have all that much to do with the spam that I've received. It's about a spammer that is possibly using identity theft to register domains. Here is a report that I am in the process of working up. I'm sure glad that you've been appointed SC's cop and not me. Someone has to keep everyone in line ;) I really do appreciate a lot of what you have to say. We are in this together. At least most of us are. Not everything needs a tracker. Here's the start of a report that I am putting together. At this point, I have spreadsheet filling up with data, a dozen tabs in one Firefox window with Whois Data Report Problem reports waiting to be sent and numerous abuse@ addies waiting for me to send along with a few emails started and about 14 more spam items to go through. I have been researching a spammer/scammer. S/h/it uses the same boilerplate for spam. The links found in the spam will be something similar to this: http://gretamills.net/813205b022bef8b47a8a9e79b/BBAHMgAUJwUJEAk2QAkCFg==.htm that redirect to another domain. This one being http://coolsites1.com/sites/gushingcuntmovies/ As far as I have found so far, the registration data for these numerous domains before the redirect are either for Brian Turpin or for a Timothy Welch. I have been in contact with Tim Welch and he states that he knows nothing about any domains. He didn't even know what a domain really was. I believe he is sincere. I tried to contact Brian Turin, as I feel that this is probably the case for him as well. The phone number listed did not belong to him. So it is very likely that this domain registration is also bogus. Possibly from an identity theft. Tim Welch was concerned about this and stated that he had a check turned down at the supermarket the other day, which had puzzled him. 
I am attempting to find the domains that are registered to these two and possibly others in an attempt to shut down a spammer/scammer. I am beginning to get the feeling that some of this may be done as an affiliate, with no direct connection to the spamvertized domain other than that, though there is also some direct connections. Any help is appreciated. Subject: Re: Nice Next Door Girls gushing loads - 7 Oct 2004 http://gretamills.net/813205b022bef8b47a8a9e79b/BBAHMgAUJwUJEAk2QAkCFg==.htm Domain Name: GRETAMILLS.NET Registrar: GO DADDY SOFTWARE, INC. Name Server: NS2.2DNSSERVER2.COM Name Server: NS3.3DNSSERVER3.COM Name Server: NS5.5DNSSERVER5.COM Name Server: NS6.6DNSSERVER6.COM Status: ACTIVE Updated Date: 05-oct-2004 Creation Date: 05-oct-2004 Expiration Date: 05-oct-2005 Administrative Contact: Turpin, Brian briantur@lycos.com 633 Main St Danville, Virginia 24543 United States 18047930817 Fax -- [No one at this phone number knows Brian Turpin] Redirects to http://coolsites1.com/sites/gushingcuntmovies/ Domain Name: COOLSITES1.COM Registrar: YESNIC CO. LTD. Name Server: NS2.2DNSSERVER2.COM Name Server: NS3.3DNSSERVER3.COM Name Server: NS5.5DNSSERVER5.COM Name Server: NS6.6DNSSERVER6.COM Status: ACTIVE Updated Date: 16-sep-2004 Creation Date: 10-sep-2004 Expiration Date: 10-sep-2005 Registrant:: Name : Barnu Email : barnu@barnurapatska.com Address : Snemovni 3 Zipcode : 118 24 Nation : CZ Tel : +420257174252 Fax : Domain Name: 2DNSSERVER2.COM Registrar: INTERCOSMOS MEDIA GROUP, INC. 
D/B/A DIRECTNIC.COM Name Server: NS2.2DNSSERVER2.COM Name Server: NS3.3DNSSERVER3.COM Name Server: NS5.5DNSSERVER5.COM Name Server: NS6.6DNSSERVER6.COM Status: ACTIVE Updated Date: 12-oct-2004 Creation Date: 10-sep-2004 Expiration Date: 10-sep-2005 Domain Name: 2DNSSERVER2.COM Administrative Contact: Rapatska, Barnu barnu@barnurapatska.com Snemovni 3 Prague, PR 11824 CZ 420257174252 Domain Name: 3DNSSERVER3.COM Registrar: NAMEBAY Name Server: NS2.2DNSSERVER2.COM Name Server: NS3.3DNSSERVER3.COM Name Server: NS5.5DNSSERVER5.COM Name Server: NS6.6DNSSERVER6.COM Status: ACTIVE Updated Date: 14-sep-2004 Creation Date: 10-sep-2004 Expiration Date: 10-sep-2005 Admin Handle : BR23724 Admin Name : Barnu Rapatska Admin Street1 : Snemovni 3 Admin City : Prague Admin State/Province : CZ Admin Postal Code : 118 24 Admin Country : CZ Admin Phone : +420.257174252 Admin Email : barnu@barnurapatska.com Domain Name: 5DNSSERVER5.COM Registrar: COMPUTER SERVICES LANGENBACH GMBH DBA JOKER.COM Name Server: NS2.2DNSSERVER2.COM Name Server: NS3.3DNSSERVER3.COM Name Server: NS5.5DNSSERVER5.COM Name Server: NS6.6DNSSERVER6.COM Status: ACTIVE Updated Date: 15-sep-2004 Creation Date: 14-sep-2004 Expiration Date: 14-sep-2005 domain: 5dnsserver5.com status: production organization: Individual owner: Barnu Rapatska email: barnurapatska@yahoo.com address: Snemovni 3 city: Prague state: PR postal-code: 118 24 country: CZ admin-c: barnurapatska@yahoo.com#0 tech-c: barnurapatska@yahoo.com#0 billing-c: barnurapatska@yahoo.com#0 nserver: ns3.3dnsserver3.com nserver: ns5.5dnsserver5.com 221.5.251.149 nserver: ns6.6dnsserver6.com nserver: ns2.2dnsserver2.com Domain Name: 6DNSSERVER6.COM Registrar: INAMEPRO DBA DYNADOT Name Server: NS2.2DNSSERVER2.COM Name Server: NS3.3DNSSERVER3.COM Name Server: NS5.5DNSSERVER5.COM Status: ACTIVE Updated Date: 20-sep-2004 Creation Date: 14-sep-2004 Expiration Date: 14-sep-2005 Administrative Contact: Rapatska Barnu Snemovni 3 Prague, PR 11824 Czech Republic 
barnu@barnurapatska.com +420 2 5717 4252 Subject: Re: Wild Mmos wants to meet you - 7 Oct 2004 http://koptelov.info/6ea3da7e795b81a79b6087395/BBAHMgAUJwUJEAk2QAkCFg==.htm Domain ID:D7670425-LRMS Domain Name:KOPTELOV.INFO Created On:05-Oct-2004 19:03:03 UTC Last Updated On:05-Oct-2004 19:31:28 UTC Sponsoring Registrar:R171-LRMS Status:ACTIVE Registrant ID:C6844108-LRMS Registrant Name:Brian Turpin Registrant Street1:633 Main St Registrant City:Danville Registrant State/Province:Virginia Registrant Postal Code:24543 Registrant Country:US Registrant Phone:+1.18047930817 Registrant Email:briantur@lycos.com Name Server:NS2.2DNSSERVER2.COM Name Server:NS3.3DNSSERVER3.COM Name Server:NS5.5DNSSERVER5.COM Name Server:NS6.6DNSSERVER6.COM REDIRECTS to: http://coolsites1.com/sites/lonelywifepersonals/fullpage.html Subject: Good afternoon. - 7 Oct 2004 http://larion.us/50f4c312e3f5900f94b3/UCkMu/BBAHMgAUJwUJEAk2QAkCFg==.jpg REDIRECTS to: http://www.realitypornpass.com/t1/index.html?site=RPP&ref=16013&revid=16013&tour=1&popup=1&join=0&lang=en&ref_url=Blank&opt=&track=G&a= Domain Name: LARION.US Domain ID: D6777737-US Sponsoring Registrar: GO DADDY SOFTWARE, INC. Domain Status: ok Registrant ID: GODA-08365508 Registrant Name: Brian Turpin Registrant Organization: Unknown Registrant Address1: 633 Main St Registrant City: Danville Registrant State/Province: Virginia Registrant Postal Code: 24543 Registrant Country: United States Registrant Country Code: US Registrant Phone Number: +1.8047930817 Registrant Email: briantur@lycos.com Name Server: NS2.2DNSSERVER2.COM Name Server: NS3.3DNSSERVER3.COM Name Server: NS5.5DNSSERVER5.COM Name Server: NS6.6DNSSERVER6.COM Created by Registrar: GO DADDY SOFTWARE, INC. Last Updated by Registrar: GO DADDY SOFTWARE, INC. 
Domain Registration Date: Tue Oct 05 19:03:03 GMT 2004 Domain Expiration Date: Tue Oct 04 23:59:59 GMT 2005 Domain Last Updated Date: Tue Oct 05 19:31:34 GMT 2004 Domain Name: REALITYPORNPASS.COM Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM Name Server: NS2.NATIONAL-NET.COM Name Server: NS1.NATIONAL-NET.COM Status: REGISTRAR-LOCK Updated Date: 03-aug-2004 Creation Date: 01-mar-2004 Expiration Date: 01-mar-2006 Registrant: Vision eMedia 1308 Delaware Avenue New Castle County Wilmington, DE 19806 US 416-532-1680 Fax:416-532-3766 I called 416-532-1680, which is listed for: Marketing Extension Inc 99 Atlantic Toronto, ON M6K 3J8 (416) 532-1680 I believe that this is the real name and address of the registrant. The person that I talked with did not recognize Vision eMedia and said that REALITYPORNPASS.COM domain belonged to them and that they had no offices in Delaware. She also stated that they have been trying to track down the affiliate that was spamming. Subject: Fw: Shy Amateur Girls and Big Dick - 8 Oct 2004 http://mommsen.info/c9cac2012973bc22858d/BBAHMgAUJwUJEAk2QAkCFg==.htm REDIRECTS to: http://coolsites1.com/sites/bigcockbangers/index.html Domain ID:D7670423-LRMS Domain Name:MOMMSEN.INFO Created On:05-Oct-2004 19:03:03 UTC Last Updated On:05-Oct-2004 19:31:30 UTC Expiration Date:05-Oct-2005 19:03:03 UTC Sponsoring Registrar:R171-LRMS Status:ACTIVE Status:OK Registrant ID:C6844110-LRMS Registrant Name:Brian Turpin Registrant Street1:633 Main St Registrant City:Danville Registrant State/Province:Virginia Registrant Postal Code:24543 Registrant Country:US Registrant Phone:+1.18047930817 Registrant Email:briantur@lycos.com Subject: FW: Nasty Girl lick cum oozing form their pussies - 8 Oct 2004 http://prymachenko.info/ee59c4d7e7a143e3d6c86adb7/BBAHMgAUJwUJEAk2QAkCFg==.htm REDIRECTS to: http://www.asstraffic.com/05573573/index.html Domain ID:D7670428-LRMS Domain Name:PRYMACHENKO.INFO Created On:05-Oct-2004 19:03:07 UTC Last Updated On:05-Oct-2004 
19:31:30 UTC Expiration Date:05-Oct-2005 19:03:07 UTC Sponsoring Registrar:R171-LRMS Status:ACTIVE Status:OK Registrant ID:C6844121-LRMS Registrant Name:Brian Turpin Registrant Street1:633 Main St Registrant City:Danville Registrant State/Province:Virginia Registrant Postal Code:24543 Registrant Country:US Registrant Phone:+1. Registrant Email:briantur@lycos.com Name Server:NS2.2DNSSERVER2.COM Name Server:NS3.3DNSSERVER3.COM Name Server:NS5.5DNSSERVER5.COM Name Server:NS6.6DNSSERVER6.COM Domain Name: ASSTRAFFIC.COM Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM Whois Server: whois.directnic.com Referral URL: http://www.directnic.com Name Server: NS1.PERFECTGONZO.COM Name Server: NS2.PERFECTGONZO.COM Status: REGISTRAR-LOCK Updated Date: 01-jun-2004 Creation Date: 11-aug-2003 Expiration Date: 11-aug-2005 Registrant: DEV8 Entertainment LLC Inc Ramon Arias Ave. Maheli Building Office 12E Panama City, Panama City 5535 PA 1-801-684-0735 Record last updated 10-16-2004 11:57:51 AM Record expires on 08-11-2005 Record created on 08-11-2003 Domain servers in listed order: NS1.PERFECTGONZO.COM 69.42.72.20 NS2.PERFECTGONZO.COM 69.42.72.21 The phone number "(801) 684-0735" is a Midvale, UT based phone number, not Panama. Domain Name: PERFECTGONZO.COM Registrar: INTERCOSMOS MEDIA GROUP, INC. D/B/A DIRECTNIC.COM Whois Server: whois.directnic.com Referral URL: http://www.directnic.com Name Server: NS1.PERFECTGONZO.COM Name Server: NS2.PERFECTGONZO.COM Status: REGISTRAR-LOCK Updated Date: 01-jun-2004 Creation Date: 11-aug-2003 Expiration Date: 11-aug-2005 Registrant: DEV8 Entertainment LLC Inc Ramon Arias Ave. 
Maheli Building Office 12E Panama City, Panama City 5535 PA 1-801-684-0735 Record last updated 10-10-2003 05:26:50 PM Record expires on 08-11-2005 Record created on 08-11-2003 Subject: Reply: Amateur Mhoetr Cheating on husband http://stateira.info/e3cdefb0212616a1ada065232/BBAHMgAUJwUJEAk2QAkCFg==.htm REDIRECTS to: http://coolsites1.com/sites/cheatinghousewifeservices/fullpage.html Domain ID:D7670429-LRMS Domain Name:STATEIRA.INFO Created On:05-Oct-2004 19:03:07 UTC Last Updated On:05-Oct-2004 19:31:32 UTC Expiration Date:05-Oct-2005 19:03:07 UTC Sponsoring Registrar:R171-LRMS Status:ACTIVE Status:OK Registrant ID:C6844122-LRMS Registrant Name:Brian Turpin Registrant Street1:633 Main St Registrant City:Danville Registrant State/Province:Virginia Registrant Postal Code:24543 Registrant Country:US Registrant Phone:+1.18047930817 Registrant Email:briantur@lycos.com Name Server:NS2.2DNSSERVER2.COM Name Server:NS3.3DNSSERVER3.COM Name Server:NS5.5DNSSERVER5.COM Name Server:NS6.6DNSSERVER6.COM Subject: Average Bitch Sucking Big Dick -- 8 Oct 2004 http://yokotatakao.us/c196b11fe1a6e220ba38/BBAHMgAUJwUJEAk2QAkCFg==.htm REDIRECTS to: http://coolsites1.com/sites/massivedickaction/index.php Domain Name: YOKOTATAKAO.US Domain ID: D6777734-US Sponsoring Registrar: GO DADDY SOFTWARE, INC. Domain Status: ok Registrant ID: GODA-08365506 Registrant Name: Brian Turpin Registrant Organization: Unknown Registrant Address1: 633 Main St Registrant City: Danville Registrant State/Province: Virginia Registrant Postal Code: 24543 Registrant Country: United States Registrant Country Code: US Registrant Phone Number: +1.8047930817 Registrant Email: briantur@lycos.com Name Server: NS2.2DNSSERVER2.COM Name Server: NS3.3DNSSERVER3.COM Name Server: NS5.5DNSSERVER5.COM Name Server: NS6.6DNSSERVER6.COM Created by Registrar: GO DADDY SOFTWARE, INC. Last Updated by Registrar: GO DADDY SOFTWARE, INC. 
Domain Registration Date: Tue Oct 05 19:03:03 GMT 2004
Domain Expiration Date: Tue Oct 04 23:59:59 GMT 2005
Domain Last Updated Date: Tue Oct 05 19:31:34 GMT 2004

I'm not sure what just happened, but I just lost a lot of spam that was in my trash folder. I'm going through this chronologically to look at all the spam from this person/group and now none of what I just listed is there and there is a big gap. The next one is:

Subject: Reply: Poor Men future Ponsrtar --- 13 Oct 2004
http://holmhallar.net/6267d6cb6532862d4709440aa/BBAHMgAUJwUJEAk2QAkCFg==.htm
REDIRECTS to: http://seducedguys.com/?wmid=gek

Domain Name: HOLMHALLAR.NET
Registrar: ENOM, INC.
Name Server: NS2.2DNSSERVER2.COM
Name Server: NS3.3DNSSERVER3.COM
Name Server: NS5.5DNSSERVER5.COM
Name Server: NS6.6DNSSERVER6.COM
Status: REGISTRAR-LOCK
Updated Date: 11-oct-2004
Creation Date: 11-oct-2004
Expiration Date: 11-oct-2005

Registration Service Provided By: Registerfly.com
Contact: support@registerflysupport.com
Visit: http://www.RegisterFly.com

Domain name: holmhallar.net
Registrant Contact:
none
Tim Welch (welch@easy.com)
+1.8569851974
Fax: none
549 Main St.
Lumberton, 08048
US

This is totally bogus. I have communicated with Tim Welch and I believe that he has nothing to do with this. The address is his, the phone number is an old one that is no longer in use, but redirects to his cell phone. The email address is not his.

Also, still using #DNSSERVER#.COM

Domain Name: SEDUCEDGUYS.COM
Registrar: ENOM, INC.
Name Server: NS1.BMALE.COM
Name Server: NS2.BMALE.COM
Status: REGISTRAR-LOCK
Updated Date: 26-feb-2004
Creation Date: 26-feb-2004
Expiration Date: 26-feb-2005

Registrant Contact:
Gaynichecash
Oleg Nederev (olegwn@yahoo.com)
+99999999999999999
Fax:
PO BOX 52134
Limassol, NA 4016
CY

Domain Name: BMALE.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.BMALE.COM
Name Server: NS2.BMALE.COM
Name Server: NS3.BMALE.COM
Status: ACTIVE
Updated Date: 02-sep-2004
Creation Date: 20-may-2002
Expiration Date: 20-may-2005

Registrant Contact:
RegisterFly.com - Ref# 13028347
Whois Protection Service - ProtectFly.com (13028347.fly@spamfly.com)
+1.2122952121
Fax: +1.2122952153
230 Park Avenue Suite 864
New York, NY 10169
US

[Hmmm. Seems that this is what the spammer/scammer wants to protect :)]

ENOM are you paying attention?

From nobody at devnull.spamcop.net Wed Oct 20 01:18:03 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Oct 20 01:20:02 2004
Subject: [SpamCop-List] Re: Detecting False WHOIS Data
References: <416D87D6.52AEB813@spamisevil.com>
Message-ID:

"Spam N Scams Reporter" wrote in message news:cl4ra3$sii$1@news.spamcop.net...
>
> This is totally bogus. I have communicated with Tim Welch and I believe
> that he has nothing to do with this. The address is his, the phone
> number is an old one that is no longer in use, but redirects to his cell
> phone. The email address is not his.

Screw all the bull .. just tell me the name of the phone company that will let me use all my "old, no longer in use" phone numbers to redirect to my current one.

> ENOM are you paying attention?

Probably long asleep like everyone else.

From arthur_byington at spammersgotohell.com Wed Oct 20 01:20:31 2004
From: arthur_byington at spammersgotohell.com (Steve Holmes)
Date: Wed Oct 20 01:25:03 2004
Subject: [SpamCop-List] Re: Detecting False WHOIS Data (LONG message)
References: <416D87D6.52AEB813@spamisevil.com>
Message-ID: <4175F59F.565CDA61@spammersgotohell.com>

Spam N Scams Reporter wrote:
> Steve Holmes wrote:
> (snip)
> > I'm going after a pr0n spammer who uses misspelled words and filthy
> > subject lines.
Here's his latest identity (he spams from 10-20 domains > > for about ten days, then begins again with new contact info.): > > > > Registrant Name: Brian Turpin > > Registrant Organization: none > > Registrant Address1: 633 Main St > > Registrant City: Danville > > Registrant Postal Code: 24543 > > Registrant Country: United States > > Registrant Country Code: US > > Registrant Phone Number: +1.8047930817 > > Registrant Email: briantur@lycos.com > > > > The phone number is not listed in his name. I suppose he could be living > > with the people to whom it's registered, so I don't know how to prove > > it's bogus except to call up and say, "Is Brian there?". I'd rather not > > start putting money into this and make probable wrong-number calls > > deliberately. > > > > Lumberton has a "549 Main," but Google shows no business there. Any > > other way to find out what's at that address without making a 1,000 mile > > trip to New Jersey? > > > > Is it OK to send a polite e-mail saying, "If you're spamming, stop. If > > this reached you in error, please accept my apologies."? Then, if that > > bounces, it's false info. I can report. > > > > Under the idea of "know thy enemy," anyone know why he moves around > > every couple of weeks? > > > > Thanks in advance. > > > > -- > > Steve Holmes > > Executive Producer > > "The New Ball Game" > > "RailFAN" > > 319-337-9507 > > > I have received a bit of spam that I've traced back to domains that are > 'owned' by Tim Welch. I just placed a phone call to him and he is not > the owner. > > I'm wondering if he has been the target of a phish. He told me that he > had a check at the supermarket not be good. I do believe his sincerity. > > Gather up all domains that are associated with this so that we can > present them to the proper places. Gladly! 
Here are the identities the spammer has used (I am guessing that they're all the same person since the style is exactly the same -- never uses a domain twice, street address usually checks out to be an office building with multiple tenants): ID #1 (first noticed on 10/4): Billing Contact Name: David Morgan Billing Contact Organization: none Billing Contact Address1: 413 Monticello Cir Billing Contact City: Devine Billing Contact State/Province: TX Billing Contact Postal Code: 78016 Billing Contact Country: United States Billing Contact Country Code: US Billing Contact Phone Number: +1.8306655758 Billing Contact Email: dmorgan@myself.com Domains: bukovanska.net caccioppoli.net fivesparks.net heishu.net jeanperrin.info johnheise.net kosmodemyanskaya.net marcustacitus.net valgrirasp.us ID #2: Registrant Name: Alfred Robinson Registrant Organization: Unknown Registrant Address1: 1172 Goodlette Rd N Ste 101 Registrant City: Naples Registrant State/Province: Florida Registrant Postal Code: 34018 Registrant Country: United States Registrant Country Code: US Registrant Phone Number: +1.2394349112 Registrant Email: arobinson@whoever.com Domains: enirac.info gelria.us gismonda.info lassine.com mittlefehldt.us obstephen.us stradonice.net tanjiazhen.info tezcatlipoca.info ID #3: Registrant Name: Brian Turpin Registrant Organization: none Registrant Address1: 633 Main St Registrant City: Danville Registrant Postal Code: 24543 Registrant Country: United States Registrant Country Code: US Registrant Phone Number: +1.8047930817 Registrant Email: briantur@lycos.com Domains: aigyptios.us baggaley.us batens.com chriskuyu.us danielgude.net gretamills.net hlawka.info kemurdzhian.us koptelov.info kushida.us moldun.info mommsen.info palermiti.into paranal.us petermrva.info richelen.info satpaev.us stateira.info toravere.us victoriahsu.net yokotatakao.us ID #4: Tim Welch +1.8569851974 Fax: none 549 Main St. 
Lumberton, NJ 08048 US welch@easy.com Domains: bedini.info bohnhardt.us gerasimenko.net kjeriksson.net kvicala.us haigha.info lilliana.us mariacapria.net nilstamm.info ostankino.us peraga.info steinheil.net ID #5: Mike Reinecke +1.5164962301 Fax: +. 177 Crossways Park Rd Woodbury, NY 11797 US reinecke@coolgoose.com Domains: bressole.info firneis.info kohman.com jacobrucker.net toaldo.us He abandoned Reinecke pretty quickly, after just four days and five domains, which leads me to believe people are starting to report him for false whois data and he's forced to move on. ID #6 (just started 10/19): Registrant Name:Bill Martin Registrant Organization:none Registrant Street1:Main St S Side SQ Registrant City:Newton Registrant Postal Code:75966 (checks out to Newton, TX) Registrant Country:US Registrant Email: bimartin@sacbeemail.com Domain: ceraskia.info Brian, I read your later post and the subject lines sound like the ones I'm getting. I haven't acted on any of this yet because of what you believe you've found -- an apparent innocent caught in an ID theft. I've been gathering information and hoping he'll slip up or I can detect a pattern that lets me track him down. What's our next step? -- Steve Holmes Executive Producer "The New Ball Game" "RailFAN" 319-337-9507 From arthur_byington at spammersgotohell.com Wed Oct 20 01:22:06 2004 From: arthur_byington at spammersgotohell.com (Steve Holmes) Date: Wed Oct 20 01:25:21 2004 Subject: [SpamCop-List] Re: Secret Service - Phishing References: <416D82BB.CBC9A21F@spamisevil.com> Message-ID: <4175F5FE.5F6FD2EE@spammersgotohell.com> "D.F. Manno" wrote: > In article <416D82BB.CBC9A21F@spamisevil.com>, > Steve Holmes wrote: > > > What is the contact info. for the Secret Service Financial Crimes > > Division relating to phishing? It's not on their webpage or in the FAQ. > > There's a Web form at: > > > -- > D.F. Manno > dfm2a3l0t2@spymac.com Thanks. Appreciate the info. 
-- Steve Holmes Executive Producer "The New Ball Game" "RailFAN" 319-337-9507 From nobody at devnull.spamcop.net Wed Oct 20 01:27:35 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Oct 20 01:30:02 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: "Patto" wrote in message news:cl4fu4$a88$1@news.spamcop.net... > > I would love to use the SC mailbox you mention here. But I simply do not > understand how it works - how do I get the spammers to send their garbage to > SC instead of my mailbox...? > > I am currently paying much more than $30 at http://members.spamcop.net/ so I > am very interested to switch to a fix cost system. If the Help pages at www.spamcop.net aren't sufficient to explain it, then try the web-based Forum stuff at http://forum.spamcop.net/forums/index.php? Many additional items in the FAQ there, a section just for setting up the e-mail accounts .... From Spam_N_Scams_Reporter at yahoo.whatever Tue Oct 19 23:47:34 2004 From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter) Date: Wed Oct 20 01:50:03 2004 Subject: [SpamCop-List] Re: Detecting False WHOIS Data (LONG message) In-Reply-To: <4175F59F.565CDA61@spammersgotohell.com> References: <416D87D6.52AEB813@spamisevil.com> <4175F59F.565CDA61@spammersgotohell.com> Message-ID: Steve Holmes wrote: > Spam N Scams Reporter wrote: > > >>Steve Holmes wrote: >>(snip) >> > > Brian, I read your later post and the subject lines sound like the ones I'm > getting. I haven't acted on any of this yet because of what you believe you've > found -- an apparent innocent caught in an ID theft. I've been gathering > information and hoping he'll slip up or I can detect a pattern that lets me > track him down. > > What's our next step? > > -- > Steve Holmes > Executive Producer > "The New Ball Game" > "RailFAN" > 319-337-9507 > Thanks Steve I was hoping that you were paying attention. Right now I am just gathering as much data as I can. 
It looks like what needs to be taken down is

Name Server:NS2.2DNSSERVER2.COM
Name Server:NS3.3DNSSERVER3.COM
Name Server:NS5.5DNSSERVER5.COM
Name Server:NS6.6DNSSERVER6.COM

at least for a temporary fix. But I would also like to catch this SOB. I am looking for other connections also, that use a different boilerplate.

Thanks for the update.

Brian

From Spam_N_Scams_Reporter at yahoo.whatever Tue Oct 19 23:53:35 2004
From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter)
Date: Wed Oct 20 01:55:04 2004
Subject: [SpamCop-List] Re: Detecting False WHOIS Data
In-Reply-To:
References: <416D87D6.52AEB813@spamisevil.com>
Message-ID:

WazoO wrote:
> "Spam N Scams Reporter" wrote in
> message news:cl4ra3$sii$1@news.spamcop.net...
>
>>This is totally bogus. I have communicated with Tim Welch and I believe
>>that he has nothing to do with this. The address is his, the phone
>>number is an old one that is no longer in use, but redirects to his cell
>>phone. The email address is not his.
>
>
> Screw all the bull .. just tell me the name of the phone
> company that will let me use all my "old, no longer in
> use" phone numbers to redirect to my current one.
>

I really do believe that he has nothing to do with this. We have been communicating on the phone and email. He is genuinely concerned about this.

>
>>ENOM are you paying attention?
>
>
> Probably long asleep like everyone else.
>
>

Most likely. Just hoping that when I send this off to the various places that ENOM will see this :) Ctrl-f ENOM will pick that up.
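The pivot discussed in the exchange above, grouping the reported domains by the name servers they share instead of by registrant details that may be forged, as an added example (not code from any poster or from SpamCop). The sample records are constructed: domain and name-server values are the ones quoted in the thread, the registrant e-mails are placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample. Domain and name-server values are the ones quoted in the
# thread; registrant e-mails are placeholders, every record is normalised to
# "Key: value" lines, and the last record is invented to show partial overlap.
SAMPLE_WHOIS = """\
Domain Name:STATEIRA.INFO
Registrant Email:registrant-a@example.invalid
Name Server:NS2.2DNSSERVER2.COM
Name Server:NS3.3DNSSERVER3.COM
Name Server:NS5.5DNSSERVER5.COM
Name Server:NS6.6DNSSERVER6.COM

Domain Name: YOKOTATAKAO.US
Registrant Email: registrant-a@example.invalid
Name Server: NS2.2DNSSERVER2.COM
Name Server: NS3.3DNSSERVER3.COM
Name Server: NS5.5DNSSERVER5.COM
Name Server: NS6.6DNSSERVER6.COM

   Domain Name: HOLMHALLAR.NET
   Registrar: ENOM, INC.
   Name Server: NS2.2DNSSERVER2.COM
   Name Server: NS3.3DNSSERVER3.COM
   Name Server: NS5.5DNSSERVER5.COM
   Name Server: NS6.6DNSSERVER6.COM
   Registrant Email: registrant-b@example.invalid

Domain Name: SEDUCEDGUYS.COM
Registrar: ENOM, INC.
Name Server: NS1.BMALE.COM
Name Server: NS2.BMALE.COM
Registrant Email: registrant-c@example.invalid

Domain Name: CONSTRUCTED-EXAMPLE.INVALID
Registrant Email: registrant-d@example.invalid
Name Server: NS5.5DNSSERVER5.COM
Name Server: NS6.6DNSSERVER6.COM
"""

# "Key: value" with or without a space after the colon, optionally indented.
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$")


def parse_whois_records(text):
    """Split concatenated WHOIS text into one dict per 'Domain Name' line."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain name":
            current = {"domain": value.lower(), "nameservers": set(),
                       "registrant": None}
            records.append(current)
        elif current is None:
            continue
        elif key == "name server":
            current["nameservers"].add(value.lower().rstrip("."))
        elif key == "registrant email":
            current["registrant"] = value.lower()
    return records


def cluster_by_shared_nameserver(records):
    """Union-find: two domains join one cluster if they share any name server."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}                          # name server -> first domain using it
    for r in records:
        for ns in r["nameservers"]:
            if ns in first_seen:
                parent[find(r["domain"])] = find(first_seen[ns])
            else:
                first_seen[ns] = r["domain"]
    clusters = defaultdict(list)
    for r in records:
        clusters[find(r["domain"])].append(r)
    return list(clusters.values())


def multi_identity_clusters(records):
    """Clusters whose domains sit on common DNS but list different registrants."""
    findings = []
    for cluster in cluster_by_shared_nameserver(records):
        registrants = {r["registrant"] for r in cluster if r["registrant"]}
        if len(registrants) > 1:
            findings.append({
                "domains": sorted(r["domain"] for r in cluster),
                "registrants": sorted(registrants),
                "nameservers": sorted(set().union(*(r["nameservers"] for r in cluster))),
            })
    return findings


if __name__ == "__main__":
    for finding in multi_identity_clusters(parse_whois_records(SAMPLE_WHOIS)):
        print(finding)
```

A cluster that lists several registrant identities on one set of name servers is the case worth packaging for a registrar or DNS-host abuse report, since the shared infrastructure is the part the registrant cannot cheaply falsify.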
From Spam_N_Scams_Reporter at yahoo.whatever Tue Oct 19 23:59:18 2004
From: Spam_N_Scams_Reporter at yahoo.whatever (Spam N Scams Reporter)
Date: Wed Oct 20 02:00:03 2004
Subject: [SpamCop-List] Re: Detecting False WHOIS Data (LONG message)
In-Reply-To: <4175F59F.565CDA61@spammersgotohell.com>
References: <416D87D6.52AEB813@spamisevil.com> <4175F59F.565CDA61@spammersgotohell.com>
Message-ID:

Steve Holmes wrote:
> Spam N Scams Reporter wrote:
>
>
>>Steve Holmes wrote:
>>(snip)
>>
>
> What's our next step?
>
> --
> Steve Holmes
> Executive Producer
> "The New Ball Game"
> "RailFAN"
> 319-337-9507
>

Steve,

Can you contact me directly. There is more information that I would like to have/share. Just replace the whatever with com.

Brian

From bar_n0ne at hotmail.com Wed Oct 20 12:48:44 2004
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 20 03:50:15 2004
Subject: [SpamCop-List] Re: spamcop efficiency ????
References:
Message-ID:

"N. Miller" wrote in message news:MPG.1bdf15ea3a888c87989759@news.spamcop.net...
> In article , Berny says...
> >
> > Any other technique fails since there is a substantial
> > risk of false positives in spam detection and the mail being consequently
> > dumped silently without proper sender notification. I believe that's what
> > Hotmail and Yahoo do already.
> >
> Actually, neither does that at all; not that I can see. The basic Hotmail
> and Yahoo! mail accounts accept all email for delivery until the user sets
> up the spam filters.
>

REST SNIPPED,

Norman,

Hmmm.... You may be in a position to know, I am working from conjecture. What I do know is that around a year ago (December I think) my HotMail(tm) junk mail folder went from dozens per day to almost none overnight, so did everyone else's that I knew with hotmail accounts.
Since then what I notice on all hotmail accounts is no spam for a week or 2 then a trickle increasing to about 5 a day, and then none again, as if the (rejecting) spam filters were retuned, followed by retuning by the spammers, and so on. I just assumed there was a hierarchy of spam, some rejected, others considered suspect and allowed to pass, but winding up in the junk folder if the user set up spam filtering.

I posted a M$N Messenger conversation with a spammer that I had following a posting here, back in February or so, where, among other things, he acknowledged having had some difficulty getting through to hotmail accounts since December but that they had recently "figured it out" and were getting spam delivered again. Yahoo spam had a similar decline a month or two later.

The accounts I know of are set up to receive all mail, Junk filters turned on, and either let M$N or Yahoo separate the ham from the spam, or operate on a whitelist basis where mail from sources not in the address book is diverted to the spam folder.

The only other scenario that makes sense to me and accounts for the above, is that many spammers have been put off spamming yahoo and hotmail for fear of prosecution, being shut down or whatever. In any case we still get stuff in the junk mail folders, but it's sharply down since the quantum changes.

At my work account I just have constant sea level rise in spam, and have had to switch the way my Eudora filters work to what amounts to a whitelist system, my inbox is essentially 99.9% spam after filtering. (Maybe the glaciers in Greenland are made of spam and not H20, and spam is the result of global warming) :D

From nobody at nowhere.invalid Wed Oct 20 11:49:30 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Oct 20 04:51:36 2004
Subject: [SpamCop-List] Re: spamcop efficiency ????
References: Message-ID: On Wed, 20 Oct 2004 10:44:35 +0900, Patto coughed into spamcop and left this in : > I would love to use the SC mailbox you mention here. But I simply do not > understand how it works - how do I get the spammers to send their garbage to > SC instead of my mailbox...? You don't. You get SC to pop mail from your mail box and then filter it, and *you* POP/IMAP your now filtered mail from SC. -- Steve From nobody at nowhere.invalid Wed Oct 20 11:50:59 2004 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Oct 20 04:55:12 2004 Subject: [SpamCop-List] Re: dev/null? References: <87sm8bmxy8.fsf@ursine.dyndns.org> <87fz4at9cy.fsf@ursine.dyndns.org> Message-ID: On Tue, 19 Oct 2004 19:24:29 -0700, Paul Johnson coughed into spamcop and left this in <87fz4at9cy.fsf@ursine.dyndns.org>: > What? I'm right. Try passing a computer class worth the name in high > school these days and pass without knowing that... Why should anyone have to take computer classes to use SpamCop? -- Steve From nobody at devnull.spamcop.net Wed Oct 20 03:02:13 2004 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m) Date: Wed Oct 20 05:05:42 2004 Subject: [SpamCop-List] Re: dev/null? In-Reply-To: <87fz4at9cy.fsf@ursine.dyndns.org> References: <87sm8bmxy8.fsf@ursine.dyndns.org> <87fz4at9cy.fsf@ursine.dyndns.org> Message-ID: > "indigo" writes: > >>>> However... my questions is what is this /dev/null'ing >>>> report for ?? Does that mean it was not reported? >>> >>> Yup. For those who couldn't graduate high school this >>> century due to lack of computer knowledge, >> >> Even when you have an actual correct answer to a question >> from a newbie you have to be a superiority-complexed >> asshole about it. > > What? I'm right. Yup. So is Indigo. -- "[Spammers] are the mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class Mail industry." 
-- Dave Barry From nobody at devnull.spamcop.net Wed Oct 20 19:34:28 2004 From: nobody at devnull.spamcop.net (Patto) Date: Wed Oct 20 05:35:05 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: "Steven Maesslein" wrote in message news:slrncnc9kq.kp.nobody@127.0.0.1... > On Wed, 20 Oct 2004 10:44:35 +0900, Patto coughed into spamcop and left > this in : > >> I would love to use the SC mailbox you mention here. But I simply do not >> understand how it works - how do I get the spammers to send their garbage >> to >> SC instead of my mailbox...? > > You don't. > > You get SC to pop mail from your mail box and then filter it, and *you* > POP/IMAP your now filtered mail from SC. I do not have POP mail; my mailbox is located on an Exchange Server. I will try to read the Help pages that WazoO mentioned. From newandrew at rump.dk Wed Oct 20 11:06:11 2004 From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump)) Date: Wed Oct 20 06:10:03 2004 Subject: [SpamCop-List] Re: spamcop efficiency ???? References: Message-ID: After drinking 3 Pan Galactic Gargle Blasters, "Patto" mumbled in news:cl5bf5$m2l$1@news.spamcop.net: > "Steven Maesslein" wrote in message > news:slrncnc9kq.kp.nobody@127.0.0.1... >> On Wed, 20 Oct 2004 10:44:35 +0900, Patto coughed into spamcop and >> left this in : >>> I would love to use the SC mailbox you mention here. But I simply >>> do not understand how it works - how do I get the spammers to send >>> their garbage to SC instead of my mailbox...? >> You don't. >> You get SC to pop mail from your mail box and then filter it, and >> *you* POP/IMAP your now filtered mail from SC. > I do not have POP mail; my mailbox is located on an Exchange Server. > I will try to read the Help pages that WazoO mentioned. One way of doing it is to set Exchange to forward all the mail you receive to SC and then setup SC to forward back to another newly created secret address only you know and never reveal to anyone else. 
The new address must be in a new mailbox or you will create an infinite loop! If possible you should redirect your mail before hitting your Exchange server if possible because I don't know if SC likes Exchange headers.

Andrew
--
*** The opinions expressed are not necessarily those of my employer. ***
* Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet *
* Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 *
Home: N55°41'38.9" E12°29'08.6" (WGS 84) Work: N55°39'50.9" E12°27'47.4"
E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/

From joris.dobbelsteen at mail.com Wed Oct 20 16:53:31 2004
From: joris.dobbelsteen at mail.com (Joris Dobbelsteen)
Date: Wed Oct 20 09:55:02 2004
Subject: [SpamCop-List] error: couldn't parse head
Message-ID:

My reports seem to have some trouble getting parsed.

Example: http://www.spamcop.net/sc?id=z684042096z5a5fc004ab2f1a8b5cf3b8f0d94a9fb1z

I've got my mail stored on an exchange 2003 server. I use a macro in outlook to extract the headers and message and send it to spamcop. It worked fine with PST files.

- Joris

From puoti at inwind.it Wed Oct 20 16:25:11 2004
From: puoti at inwind.it (Ivan Leo Puoti)
Date: Wed Oct 20 10:30:03 2004
Subject: [SpamCop-List] For deputies: link obfuscation that fools spamcop
Message-ID:

http://www.spamcop.net/sc?id=z684107746z492eb75042312306192750ffe8fdc5efz

Ivan.

From MikeE at ster.invalid Wed Oct 20 08:31:03 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 20 10:30:25 2004
Subject: [SpamCop-List] Re: error: couldn't parse head
References:
Message-ID:

Joris Dobbelsteen wrote:
> My reports seem to have some trouble getting parsed.
www.spamcop.net/sc?id=z684042096z5a5fc004ab2f1a8b5cf3b8f0d94a9fb1z
> I've got my mail stored on an exchange 2003 server.
> I use a macro in outlook to extract the headers and message and send
> it to spamcop. It worked fine with PST files.
Your system stuck this thing Microsoft Mail Internet Headers Version 2.0 thread-index: AcS2GrtdPoXHBeRRTiOIECoUdZNzjQ== on top of the 'proper' original headers. SC manages headers as if they were proper smtp compliant headers, fieldname colon space field, nextline fieldname colon space field, etc. without any 'improper' bad fieldnames, spaces, colons, etc. A fieldname has no spaces in that scenario. Each such fieldname driven structure element has to be correct regarding spaces colons nospaces etc. Not too 'many', not too 'few'. It has to be just right, even if there needs to be leading whitespace for wrapping continuation lines. It is all defined in great detail. Your MS advertisement and index blah blah screws that up, it isn't a proper fieldname etc. Here's the parse without it. www.spamcop.net/sc?id=z684107020z16de8d852e4bb3caabf5e0f7689bfd00z -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed Oct 20 11:42:24 2004 From: nobody at spamcop.net (indigo) Date: Wed Oct 20 10:45:02 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail References: Message-ID: Mike Easter wrote: > > MB's point earlier was that having some 'guidance' from that page > makes 'self-enforcement' easier, but the page has never said anything > about trimming and contextualizing, and I can't exactly remember > exactly how it handled the issue of html vs plaintext and > attachments, and it has always been outofwhack about how .spam really > works. Currently that page doesn't even recognize the existence of > .help any more. Currently the page shows: Newsgroup Posting Rules No spam. Please do not post copies of spam or other commercials except in the spamcop.spam group specifically designated for it. SpamCop provides "tracking URL"s for posting spam samples. Please use them. Limit quoting. Please avoid quoting in threads unnecessarily. 
I believe this text has always been there, and there also used to be no HTML or attachment rules too. I don't believe those are very restrictive rules beyond what a newbie should know, do you? From MikeE at ster.invalid Wed Oct 20 08:47:11 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Oct 20 10:50:02 2004 Subject: [SpamCop-List] Re: For deputies: link obfuscation that fools spamcop References: Message-ID: Ivan Leo Puoti wrote: Subject: For deputies: link obfuscation that fools spamcop www.spamcop.net/sc?id=z684107746z492eb75042312306192750ffe8fdc5efz Hi, Ivan. Are your parses so important that they can only be gazed upon by a deputy? There is no 'link obfuscation'. SC doesn't like empty lines in headers or certain types of content type discrepancies; eg it is not acceptable to say the content type is multipart alternative when it is one plaintext part. Here's the experimental cancelled parse of those issues fixed www.spamcop.net/sc?id=z684112796z1b3c16ae04364bcf482866a6181c1865z Report Spam to: Re: 218.238.115.38 (Administrator of network where email originates) To: abuse@hanaro.com (Notes) Re: 218.238.115.38 (Third party interested in email source) To: Cyveillance spam collection (Notes) Re: http://vujd.xolwed.com/azwme (Administrator of network hosting website referenced in spam) To: Internal spamcop handling: (spambr) (Notes) To: mail-abuse@nic.br (Notes) -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed Oct 20 11:56:24 2004 From: nobody at spamcop.net (indigo) Date: Wed Oct 20 11:00:02 2004 Subject: [SpamCop-List] Re: dev/null? References: <87sm8bmxy8.fsf@ursine.dyndns.org> <87fz4at9cy.fsf@ursine.dyndns.org> Message-ID: Steven Maesslein wrote: > On Tue, 19 Oct 2004 19:24:29 -0700, Paul Johnson coughed into spamcop > and left this in <87fz4at9cy.fsf@ursine.dyndns.org>: > > > What? I'm right. Try passing a computer class worth the name in > > high school these days and pass without knowing that... 
> > Why should anyone have to take computer classes to use SpamCop? And I'd add "what about everyone who finished school before personal computers even existed?" (meaning most everyone over the age of 40 or so) From nobody at devnull.spamcop.net Wed Oct 20 11:00:06 2004 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Oct 20 11:05:03 2004 Subject: [SpamCop-List] Re: For deputies: link obfuscation that fools spamcop References: Message-ID: "Ivan Leo Puoti" wrote in message news:cl5sgn$fjm$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z684107746z492eb75042312306192750ffe8fdc5efz > Your Subject line is so misleading. What obfuscation are you talking about? What I see is a total whack job done on the construct of this spam ... either by the spammer or by you trying to handle/process it. X-Lines separated from the header, MIME Boundary lines in the wrong spot .... ????? From MikeE at ster.invalid Wed Oct 20 09:04:10 2004 From: MikeE at ster.invalid (Mike Easter) Date: Wed Oct 20 11:05:19 2004 Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail References: Message-ID: indigo wrote: > Mike Easter wrote: >> >> MB's point earlier was that having some 'guidance' from that page >> makes 'self-enforcement' easier, but the page has never said anything >> about trimming and contextualizing, and I can't exactly remember >> exactly how it handled the issue of html vs plaintext and >> attachments, and it has always been outofwhack about how .spam really >> works. Currently that page doesn't even recognize the existence of >> .help any more. > > Currently the page shows: > > Newsgroup Posting Rules > > No spam. Please do not post copies of spam or other commercials > except in the spamcop.spam group specifically designated for it. > SpamCop provides "tracking URL"s for posting spam samples. Please use > them. > > Limit quoting. Please avoid quoting in threads unnecessarily. 
> > I believe this text has always been there, and there also used to be > no HTML or attachment rules too. I don't believe those are very > restrictive rules beyond what a newbie should know, do you? You and I are not arguing or discussing my opinion being against whatever the rules used to say, which your citing of what they /currently/ say doesn't address precisely, except that /it/ isn't there, where 'it' is anything about html /or/ attachments or binaries or something different from unattached plaintext. I /think/ you are saying that you wish that that page would say whatever it used to say which isn't at all clearly defined here; or perhaps you are saying that you wish that page said something 'better' than it used to say, which is also not clearly defined here. I think if we are going to argue about it, you should come right out and say exactly what you think the page ought to say instead of what it sez now. -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Wed Oct 20 17:19:45 2004 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Oct 20 11:25:02 2004 Subject: [SpamCop-List] Re: OT - Weird References: <417554BC.7A12312B@spamcop.net> Message-ID: "Kenneth Brody" wrote in message news:417554BC.7A12312B@spamcop.net... > Blammo wrote: > > > > > > > I can't read that, so I don't understand what you are saying. I think it's > > a good example of something that doesn't follow the example, just like > > spam. > [...] > > Nit anly taht bet alse uf wirds ore masspelud toa. > Not only that but also if words are misspelled too. > > You are correct, however, that it makes it very hard to read. To original > example I was able to read without hesitation. (And, yes, it was old news > to me.) > Yes, it's harder to read when *every* word in the sentence is misspelled. 
The point I was making though, whether it's misspelled, wrong word in wrong context (there instead of their) or missing/wrong punctuation, is that it doesn't excuse bad grammar just because you can still make some sense of it.

From porpoise1954 at yahoo.co.uk Wed Oct 20 17:30:35 2004
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Wed Oct 20 11:35:03 2004
Subject: [SpamCop-List] Re: dev/null?
References: <87sm8bmxy8.fsf@ursine.dyndns.org> <87fz4at9cy.fsf@ursine.dyndns.org>
Message-ID:

"Paul Johnson" wrote in message news:87fz4at9cy.fsf@ursine.dyndns.org...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> "indigo" writes:
>
> >> > However... my questions is what is this /dev/null'ing report for ??
> >> > Does that mean it was not reported?
> >>
> >> Yup. For those who couldn't graduate high school this century due to
> >> lack of computer knowledge,
> >
> > Even when you have an actual correct answer to a question from a newbie you
> > have to be a superiority-complexed asshole about it.
>
> What? I'm right. Try passing a computer class worth the name in high
> school these days and pass without knowing that...

Well, as virtually every school I've seen using computers runs windows, I would think very few would know it - unless they've had some exposure to *nix. IWHAG that approx. 90% of computer users learn how to use them as office tools rather than how to programme or administer them.

Much the same as people learn to drive a car - they don't *need* to know how to strip the engine down in order to use it as a mode of transport to get from A to B - they mostly leave that side of things to the mechanics/people actually interested in that side of things.

So it's the same with computers....................... and most household appliances.
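The header rules Mike Easter describes in his replies in the "error: couldn't parse head" and "link obfuscation" threads above (field name, colon, value; indented continuation lines; no blank line inside the headers; a multipart Content-Type only when parts exist), as an added example that is not SpamCop's parser or any poster's code. Both messages are constructed apart from the Exchange preamble and thread-index line quoted in the thread; the checks are a simplified reading of RFC 5322 and the function and issue names are hypothetical.

```python
import re

# RFC 5322 field name: printable US-ASCII except space and colon.
FIELD_RE = re.compile(r"^([!-9;-~]+):(.*)$")
# Stricter pattern, used only to spot a header field stranded in the body.
STRAY_HEADER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: \S")
BOUNDARY_RE = re.compile(r'boundary\s*=\s*"?([^";\s]+)', re.I)

# Constructed submission showing the three faults named in the thread:
# a preamble line that is not a header field, a blank line that cuts an
# X- header off from the header block, and a multipart type with no parts.
BROKEN_SAMPLE = """\
Microsoft Mail Internet Headers Version 2.0
thread-index: AcS2GrtdPoXHBeRRTiOIECoUdZNzjQ==
Received: from mail.example.invalid ([192.0.2.10])
\tby mx.example.invalid with SMTP; Wed, 20 Oct 2004 08:00:00 +0000
From: sender@example.invalid
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

X-Mailer: constructed

Plain text only, no MIME parts.
"""

# The same constructed message with the three faults repaired.
CLEAN_SAMPLE = """\
Received: from mail.example.invalid ([192.0.2.10])
\tby mx.example.invalid with SMTP; Wed, 20 Oct 2004 08:00:00 +0000
From: sender@example.invalid
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Mailer: constructed

Plain text only, no MIME parts.
"""


def audit_message(raw):
    """Return sorted (line_number, problem) pairs for a raw submitted message."""
    lines = raw.splitlines()
    issues, headers = [], []      # headers: [name, unfolded value, line number]
    i = 0
    # The header block runs up to the first completely empty line.
    while i < len(lines) and lines[i] != "":
        line = lines[i]
        if line[0] in " \t":
            # Leading whitespace marks a continuation of the previous field.
            if headers:
                headers[-1][1] += " " + line.strip()
            else:
                issues.append((i + 1, "continuation-before-any-field"))
        else:
            m = FIELD_RE.match(line)
            if m:
                headers.append([m.group(1).lower(), m.group(2).strip(), i + 1])
            else:
                issues.append((i + 1, "not-a-header-field"))
        i += 1

    body = lines[i + 1:]
    # A header-looking first body line suggests a blank line split the headers.
    for offset, line in enumerate(body):
        if line == "":
            continue
        if STRAY_HEADER_RE.match(line):
            issues.append((i + 2 + offset, "header-field-after-blank-line"))
        break

    # A multipart Content-Type must be backed by boundary delimiters in the body.
    for name, value, lineno in headers:
        if name == "content-type" and value.lower().startswith("multipart/"):
            m = BOUNDARY_RE.search(value)
            delimiter = "--" + m.group(1) if m else None
            if not delimiter or not any(l.startswith(delimiter) for l in body):
                issues.append((lineno, "multipart-declared-but-no-parts"))
    return sorted(issues)


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, audit_message(sample))
```

Running a check like this in the export macro before mailing the submission catches the wrapper line and the stray blank line on the sender's side, before the report is submitted.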
From nobody at apamcop.com Wed Oct 20 11:33:25 2004
From: nobody at apamcop.com (cwg)
Date: Wed Oct 20 11:35:20 2004
Subject: [SpamCop-List] Re: New interface really sucks now
References: <87acumbau4.fsf@ursine.dyndns.org> <87k6tmy1nw.fsf@ursine.dyndns.org>
Message-ID:

"Paul Johnson" wrote in message news:87k6tmy1nw.fsf@ursine.dyndns.org...
> "cwg" writes:
>
> >> Looks great in Lynx. Why would you think otherwise unless you didn't
> >> actually try it?
> >
> > Viewed the page in FF, looks nice.
> > Lynx? Text Only? Or am I using a different Lynx than you?
> > P.S. Anything looks great in Lynx :-)
>
> We're talking about the same Lynx. And not everything looks great in
> Lynx...

Only if you're really after the naked pictures, .... ;-)

Point taken, however there are times when I prefer to use Lynx over graphical browsers even though the page won't look good, mainly because at that particular instance, I don't care, I'm looking for something very specific at the site. Or, it's not the page that matters, it's the URL that matters for my commercial schedule registration to quit getting reminders to download my spots for the week. %-)

From nobody at spamcop.net Wed Oct 20 13:20:16 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 20 12:25:04 2004
Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail
References:
Message-ID:

Mike Easter wrote:
>
> I think if we are going to argue about it, you should come right out
> and say exactly what you think the page ought to say instead of what
> it sez now.

IIRC I did, in the post subject "Paging Ellen" or something like that. I think the point is moot anyway, although Wazoo did post in that thread that he was going to talk to someone at SC about fixing that page, it's clear that the NNTP groups are now an afterthought as far as JT and Julian are concerned, i.e. not worth their time.
So you and I can debate til we're blue in the face and nothing will change anyway, newbies will just have to take their lumps when they stumble into the groups making posts that don't follow standard netiquette. It just makes me cringe a bit when some of the more, uh, corrosive personalities get to them first; they don't know any better, come here to get help, and get smacked upside the head instead.

From crappy.trappy at ntlworld.com Wed Oct 20 18:42:01 2004
From: crappy.trappy at ntlworld.com (Tim)
Date: Wed Oct 20 12:45:03 2004
Subject: [SpamCop-List] www . CosmeticMall . com : Who are these clowns?
Message-ID:

Get about one a week from www. CosmeticMall . com. Never gets stopped by Spamcop filtering. Many spam reports have not made a bit of difference so far. Anyone else get this?

From nobody at devnull.spamcop.net Wed Oct 20 13:08:37 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Oct 20 13:10:04 2004
Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail
References:
Message-ID:

"indigo" wrote in message news:cl6380$rh2$1@news.spamcop.net...
>
> IIRC I did, in the post subject "Paging Ellen" or something like that. I
> think the point is moot anyway, although Wazoo did post in that thread that
> he was going to talk to someone at SC about fixing that page, it's clear
> that the NNTP groups are now an afterthought as far as JT and Julian are
> concerned, i.e. not worth their time.

Not that it's any help, but I just sent another e-mail to Courtney, asking if she's even still tasked to do the FAQ updates/additions. The previous e-mail also went to the Deputies address, primarily to catch RW's eyes, as he still has access to those pages. However, all I've heard since then was a concurrence from Ellen that these items should also be addressed. Wondering now that with that shared InBox, perhaps Ellen's handling of that e-mail removed it from RW's view?
Though also recalling that some items I saw
as being pretty clear were tagged as something that
Courtney would have to "run past the powers ..."
Perhaps this item is still in that process?

From nobody at nowhere.invalid Wed Oct 20 20:20:22 2004
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Oct 20 13:25:02 2004
Subject: [SpamCop-List] Re: dev/null?
References: <87sm8bmxy8.fsf@ursine.dyndns.org> <87fz4at9cy.fsf@ursine.dyndns.org>
Message-ID:

On Wed, 20 Oct 2004 16:30:35 +0100, Porpoise coughed into spamcop and left this in :
> Much the same as people learn to drive a car - they don't *need* to know how
> to strip the engine down in order to use it as a mode of transport to get
> from A to B - they mostly leave that side of things to the mechanics/people
> actually interested in that side of things.

Let's not go overboard. Knowing what /dev/null is is *not* the same as
knowing how to strip an engine down to its spare parts and then put it
back together again (in working order). It's more like knowing where the
fog lamps switch is. Trouble is, Windows cars don't have fog lamps,
only Unix cars do, hence the possible unfamiliarity of the darn thing.

--
Steve

From nobody at spamcop.net Wed Oct 20 14:34:29 2004
From: nobody at spamcop.net (indigo)
Date: Wed Oct 20 13:35:03 2004
Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail
References:
Message-ID:

WazoO wrote:
> Not that it's any help, but I just sent another e-mail to
> Courtney, asking if she's even still tasked to do the
> FAQ updates/additions. The previous e-mail also
> went to the Deputies address, primarily to catch RW's
> eyes, as he still has access to those pages. However,
> all I've heard since then was a concurrence from
> Ellen that these items should also be addressed.
> Wondering now that with that shared InBox, perhaps
> Ellen's handling of that e-mail removed it from RW's
> view? Though also recalling that some items I saw
> as being pretty clear were tagged as something that
> Courtney would have to "run past the powers ..."
> Perhaps this item is still in that process?

Thanks for the update Wazoo. Now you or Courtney will have to take up the
debate with Mr. Easter over whether the page should list more rules or not
;-)

From A_No_Spam_Haumer at gmx.net Wed Oct 20 20:43:49 2004
From: A_No_Spam_Haumer at gmx.net (Anton Haumer)
Date: Wed Oct 20 13:45:04 2004
Subject: [SpamCop-List] how to "unreport"
Message-ID: <4176A3D5.B4315316@gmx.net>

Well I did it, I sent a report that I did not want to send
(I submitted a mail I did not want to submit,
and I pressed "Send Reports" too quickly ...)
What can I do that the sender's ISP is not getting blacklisted?
I contacted him by mail and sent my apology ...

Thx,
Toni

From nobody at devnull.spamcop.net Wed Oct 20 13:53:23 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Oct 20 13:55:03 2004
Subject: [SpamCop-List] Re: how to "unreport"
References: <4176A3D5.B4315316@gmx.net>
Message-ID:

"Anton Haumer" wrote in message news:4176A3D5.B4315316@gmx.net...
> Well I did it, I sent a report that I did not want to send
> (I submitted a mail I did not want to submit,
> and I pressed "Send Reports" too quickly ...)
> What can I do that the sender's ISP is not getting blacklisted?
> I contacted him by mail and sent my apology ...

Already answered over in the web-based Forum by
pointing to the FAQ entry "How do I unsend a Report"

From nobody at devnull.spamcop.net Wed Oct 20 13:59:57 2004
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Oct 20 14:00:03 2004
Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail
References:
Message-ID:

"indigo" wrote in message news:cl67j6$32p$1@news.spamcop.net...
>
> Thanks for the update Wazoo. Now you or Courtney will have to take up the
> debate with Mr. Easter over whether the page should list more rules or not
> ;-)

Odd, almost as if that 'first' e-mail wasn't received ... have already
gone back and forth with Courtney a couple of times since my last post
here. For whatever reason, the first response was that she would run the
issue by the Deputies. However, I got to looking at one of those pages
again, and am stirring the pot a bit more ... the text on munging your
address includes "newsgroups feed to / from usenet" ... I suggested that
gmane and Google don't actually qualify as "usenet" ... but I can't
recall when this bit of text came into being either.

From tdy at blackhole.invalid Wed Oct 20 12:35:21 2004
From: tdy at blackhole.invalid (N. Miller)
Date: Wed Oct 20 14:40:03 2004
Subject: [SpamCop-List] Re: [Media] Financial adviser fleeced in 419 scam
References:
Message-ID:

In article , Tim says...
> Story here :
> http://www.theregister.co.uk/2004/10/19/aussie_419_victim/
> I can't believe that a /financial adviser/ could be so stupid!
> I assume that a /financial adviser/ would require some level of
> intelligence.

In an existential, hedonistic culture, such as has overtaken the West,
greed trumps intelligence.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From tdy at blackhole.invalid Wed Oct 20 12:45:31 2004
From: tdy at blackhole.invalid (N. Miller)
Date: Wed Oct 20 14:50:03 2004
Subject: [SpamCop-List] Re: How to get off the blacklist. - XYTRANS
References:
Message-ID:

In article , Todd Simmons says...
> We implemented an Exchange 2003 server and Symantec mail security.

Do you have a degree in Black Magic? You will need one to secure any MSFT
product. Especially their server products.
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From A_No_Spam_Haumer at gmx.net Wed Oct 20 22:28:45 2004
From: A_No_Spam_Haumer at gmx.net (Anton Haumer)
Date: Wed Oct 20 15:30:03 2004
Subject: [SpamCop-List] Re: how to "unreport"
References: <4176A3D5.B4315316@gmx.net>
Message-ID: <4176BC6D.60380DAE@gmx.net>

WazoO wrote:
>
> "Anton Haumer" wrote in message
> news:4176A3D5.B4315316@gmx.net...
> > Well I did it, I sent a report that I did not want to send
> > (I submitted a mail I did not want to submit,
> > and I pressed "Send Reports" too quickly ...)
> > What can I do that the sender's ISP is not getting blacklisted?
> > I contacted him by mail and sent my apology ...
>
> Already answered over in the web-based Forum by
> pointing to the FAQ entry "How do I unsend a Report"

Thx. I followed these hints.
Thx again,
Toni

From MikeE at ster.invalid Wed Oct 20 13:40:25 2004
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Oct 20 15:40:02 2004
Subject: [SpamCop-List] Re: New Interface Formatting Suggestion - small piece of whitespace between each listed held mail
References:
Message-ID:

indigo wrote:
> Mike Easter wrote:
>>
>> I think if we are going to argue about it, you should come right out
>> and say exactly what you think the page ought to say instead of what
>> it sez now.
>
> IIRC I did, in the post subject "Paging Ellen" or something like
> that.

This is all I recall -- edited

From: "indigo"
Subject: Re: Paging Wazoo and/or Ellen
Date: Wed, 13 Oct 2004 12:18:54 -0400
Message-ID:

It used to forbid html and attachments. So you don't mind if everyone
starts posting with attachments whenever they please? I'm asking for
re-establishment of "do not do this" rules in the SC FAQ like there used
to be. Why were those rules removed from the page?
> So you and I can debate til we're blue in the face and nothing will
> change anyway, newbies will just have to take their lumps when they
> stumble into the groups making posts that don't follow standard
> netiquette. It just makes me cringe a bit when some of the more, uh,
> corrosive personalities get to them first; they don't know any
> better, come here to get help, and get smacked upside the head
> instead.

I also think it is 'silly' or, not silly, but more like 're-inventing the
wheel' to have to create or 'edit' or 'compose' a set of usenet posting
recommendations or guidelines or 'rules' - 'from scratch'. Those
guidelines and suggestions are all over the place in various forms,
including numerous newsgroup charters. It seems like we could 'all' -
tina - tinw - look around and find some examples which are already
created and 'propose' that example or this example be used as a
'guideline'. There is precedent for that in the faq. When the faq wants
to explain how to use the scbl it points to ordb for instructions^1; and
there are numerous other examples thru'out the faq where the faq uses
some other place as a guideline for how to do something.

^1 http://www.spamcop.net/fom-serve/cache/291.html - How do I configure
my mailserver to reject mail based on the blocklist? -- Pick your
mailserver software for information on how to properly configure it. If
your software isn't included in this list, a comprehensive list is
available at http://ordb.org/faq/#usage. Substitute or add
"bl.spamcop.net" where applicable.

That way there could be some discussion about what these rules are going
to be or perhaps shouldn't be before they come down from on high and then
we - tinw - don't really like them so much after all.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Oct 20 17:34:53 2004