From driehuis.fcnzpbc2005 at playbeing.com Tue Feb 1 01:50:51 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Mon Jan 31 19:55:07 2005
Subject: [SpamCop-List] Re: Cogentco??
In-Reply-To:
References: <2370-41FC31B7-594@storefull-3251.bay.webtv.net>
Message-ID:

Pete Stephenson wrote:
> I'm curious what other sources of information you may have access to in
> order to make that determination. I rarely post to "spamcop" anymore,
> and tend to stick to .geeks and .social when I must post.

I often do a better job of mentally imaging the players before coming
with nasty accusations :-)

It's done using ancient crafts called "reading up" and "pondering", by
the way. They're slowly falling by the wayside, together with
proofreading, and I can't complete escape progress either.

From bll at seer.gentoo.com Tue Feb 1 01:09:59 2005
From: bll at seer.gentoo.com (Brad Lanam)
Date: Mon Jan 31 20:10:08 2005
Subject: [SpamCop-List] Re: gaoland.net vs 80.119.115.158
References:
Message-ID:

In article , Dar wrote:
> Too funny!
>
> Parsing input: gaoland.net
> host gaoland.net (checking ip) ip not found ; gaoland.net discarded as fake.
> No recent reports, no history available
>
> Cannot resolve gaoland.net
> No valid email addresses found, sorry!
> [...]
> Parsing input: 80.119.115.158
> host 80.119.115.158 = 158.115.119-80.rev.gaoland.net. (cached)

There's nothing anywhere that says that the top-level domain must have
an A record w/IP address assigned to it. Perfectly normal setup.
Helps reduce the number of people trying to poke holes in your server(s).

e.g.
www:bll$ host gentoo.com # no ip address
www:bll$ host -t mx gentoo.com
gentoo.com mail is handled by 2 mail.gentoo.com.
www:bll$ host mail.gentoo.com
mail.gentoo.com has address 64.169.54.66
www:bll$

-- Brad
--
-- Brad Lanam bll@gentoo.com

From pete+usenet at heypete.com Tue Feb 1 00:10:19 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Tue Feb 1 03:38:21 2005
Subject: [SpamCop-List] Re: Cogentco??
References: <2370-41FC31B7-594@storefull-3251.bay.webtv.net>
Message-ID:

In article , "Indigo" wrote:
> Certain folks in .social would consider you a (gu)nutcase though ;-)

I originally parsed that as "GNUnutcase", and was wondering when
insanity went open-source. :-P

--
Pete Stephenson
HeyPete.com

From mtszorf at netvision.net.il Tue Feb 1 12:16:40 2005
From: mtszorf at netvision.net.il (Maurice Tszorf)
Date: Tue Feb 1 05:20:31 2005
Subject: [SpamCop-List] address blocked
Message-ID:

Hi,

I am new to this forum.

I am confronted with constant blocking of my email addresses. It started
when I began using it for a mailing list. I can receive mails, but I
cannot send off a single mail, no matter to what destination, for some 24
hours, after which the block sets in again the minute I send a message to
the mailing list.

This is tyranny. I need the email for business, and I would like to know
how I can prevent being blocked constantly.

Thanks,
Maurice

From porpoise1954 at yahoo.co.uk Tue Feb 1 10:43:51 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 05:50:05 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Maurice Tszorf" wrote in message news:ctnl14$8jn$1@news.spamcop.net...
> Hi,
>
> I am new to this forum.
>
> I am confronted with constant blocking of my email addresses. It started
> when I began using it for a mailing list. I can receive mails, but I
> cannot send off a single mail, no matter to what destination, for some 24
> hours, after which the block sets in again the minute I send a message to
> the mailing list.

Sounds like the list may not be complying with best practice in some way
and is therefore finding itself on bl's but there is insufficient
information here to be able to determine what the problem is.

>
> This is tyranny. I need the email for business, and I would like to know
> how I can prevent being blocked constantly.

Ensure that you are not sending mails to people who didn't request them.

From porpoise1954 at yahoo.co.uk Tue Feb 1 10:55:54 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 06:00:07 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Porpoise" wrote in message news:ctnmkf$9hh$1@news.spamcop.net...
>
> "Maurice Tszorf" wrote in message
> news:ctnl14$8jn$1@news.spamcop.net...
>> Hi,
>>
>> I am new to this forum.
>>
>> I am confronted with constant blocking of my email addresses. It started
>> when I began using it for a mailing list. I can receive mails, but I
>> cannot send off a single mail, no matter to what destination, for some 24
>> hours, after which the block sets in again the minute I send a message to
>> the mailing list.
>
> Sounds like the list may not be complying with best practice in some way
> and is therefore finding itself on bl's but there is insufficient
> information here to be able to determine what the problem is.
>
>>
>> This is tyranny. I need the email for business, and I would like to know
>> how I can prevent being blocked constantly.
>
> Ensure that you are not sending mails to people who didn't request them.
>

Here's a pointer to some further information which may be helpful:

http://www.outblaze.com/main.php?id=antispam&page=anti_ident

In particular, the section on "Poorly managed mailing lists" may be of
particular significance.

From MikeE at ster.invalid Tue Feb 1 03:00:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 06:00:13 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

Maurice Tszorf wrote:
> I am confronted with constant blocking of my email addresses. It
> started when I began using it for a mailing list. I can receive
> mails, but I cannot send off a single mail, no matter to what
> destination, for some 24 hours, after which the block sets in again
> the minute I send a message to the mailing list.

The only way we can talk about some mail which is blocked is to talk
about the IP address which is being blocked.

> I would like to
> know how I can prevent being blocked constantly.

You haven't given useful information yet, so I'll try your nntp IP
address.

Your nntp posting host is 85-64-66-198.barak.net.il IP address
85.64.66.198

http://www.spamcop.net/w3m?action=checkblock&ip=85.64.66.198
85.64.66.198 listed in bl.spamcop.net
-- System has sent mail to SpamCop spam traps in the past week
-- SpamCop users have reported system as a source of spam less than 10
times in the past week

85.64.66.198 is also listed in cbl^1 and some other blocklists besides
SC. The cbl listing causes you to be spamhaus listed on the spamhaus
XBL.

^1 The CBL takes its source data from very large spamtraps, and only
lists IPs exhibiting characteristics which are specific to open proxies
of various sorts (HTTP, socks, AnalogX, wingate etc) which have been
abused to send spam, worms/viruses that do their own direct mail
transmission, or some types of trojan-horse or "stealth" spamware,
without doing open proxy tests of any kind.

I would say that your mail is being blocked because its IP address has
been associated with mail/spam from that IP hitting spamtraps and thus
becoming blocklisted by several important blocklists which are popular
as spam defenses. When your IP is listed, your mail will be blocked by
those defenses.

There's also an example of a spam from that IP in sightings which I've
run through the SC parser to provide for an example here

www.spamcop.net/sc?id=z727355563za1f4432282e2cb21dd5126cebbf13b37z
Subject: Experts are jumping all over this st0ck
Report Spam to:
Re: 85.64.66.198 (Administrator of network where email originates)
To: abuse@013barak.net.il (Notes)

So, your IP appears to be an abused proxy being used for pump&dump stock
spams and people don't want to get mail from it so they block the mail
from that IP which causes your mail to be blocked.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Tue Feb 1 11:04:12 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 06:10:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Porpoise" wrote in message news:ctnnb2$9v9$1@news.spamcop.net...
>
> "Porpoise" wrote in message
> news:ctnmkf$9hh$1@news.spamcop.net...
>>
>> "Maurice Tszorf" wrote in message
>> news:ctnl14$8jn$1@news.spamcop.net...
>>> Hi,
>>>
>>> I am new to this forum.
>>>
>>> I am confronted with constant blocking of my email addresses. It started
>>> when I began using it for a mailing list. I can receive mails, but I
>>> cannot send off a single mail, no matter to what destination, for some
>>> 24 hours, after which the block sets in again the minute I send a
>>> message to the mailing list.
>>
>> Sounds like the list may not be complying with best practice in some way
>> and is therefore finding itself on bl's but there is insufficient
>> information here to be able to determine what the problem is.
>>
>>>
>>> This is tyranny. I need the email for business, and I would like to know
>>> how I can prevent being blocked constantly.
>>
>> Ensure that you are not sending mails to people who didn't request them.
>>
>
> Here's a pointer to some further information which may be helpful:
>
> http://www.outblaze.com/main.php?id=antispam&page=anti_ident
>
> In particular, the section on "Poorly managed mailing lists" may be of
> particular significance.

Here's another useful site for ensuring that mailing lists are run
correctly:

http://www.mail-abuse.com/support/an_listmgntgdlines.html

From MikeE at ster.invalid Tue Feb 1 03:24:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 06:25:02 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

Mike Easter wrote:
> 85.64.66.198 listed in bl.spamcop.net

A similar IP is 85.64.65.230 also listed in spamcop & cbl for proxified
spamtrapping. They are both going crazy with mail activity as evidenced
at senderbase

Report on IP address: 85.64.65.230
Volume Statistics for this IP
           Magnitude   Vol Change vs. Average
Last day   3.9         10185%
Last 30d   2.9         791%
Average    1.9

Report on IP address: 85.64.66.198
Volume Statistics for this IP
           Magnitude   Vol Change vs. Average
Last day   3.8         15118%
Last 30d   2.6         779%
Average    1.7

Use monofont for columns

The two stock items in sightings like the one I posted here actually
went from the source IP out the barak server with lots of bogosity:

www.spamcop.net/sc?id=z727355563za1f4432282e2cb21dd5126cebbf13b37z

Abbreviated Received lines *comment
from (mtain3.barak.net.il [212.150.49.74]) by mail.nwsup.com *serves recipient
from barak.net.il ([85.64.66.198]) by mtain3.barak.net.il *sourceline, index IP
from (HELO smtp.mixedthings.net) (181.137.80.89) by group21.345mail.com *bogosity
from unknown (111.111.104.45) by mxs.perenter.com *bogosity
from ([191.183.16.26]) by mxs.perenter.com *bogosity
from mts.locks.grgtween.net ([158.8.99.73]) by mts.locks.grgtween.net *bogosity

--
Mike Easter
kibitzer, not SC admin

From ng at bgdsv.co.uk Tue Feb 1 12:03:03 2005
From: ng at bgdsv.co.uk (Brian Gregory [UK])
Date: Tue Feb 1 07:05:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

It's not clear to me exactly what you mean by "using it for a mailing
list".

--
Brian Gregory. (In the UK)
ng@bgdsv.co.uk
To email me remove the letter vee.

From D.Gray at picture.oscar.wilde Tue Feb 1 14:35:03 2005
From: D.Gray at picture.oscar.wilde (Dorian Gray)
Date: Tue Feb 1 09:35:03 2005
Subject: [SpamCop-List] Re: Spamcop Statistics
References:
Message-ID:

In article , "WazoO" wrote:
> "Dorian Gray" wrote in message
> news:D.Gray-61C9F0.18084531012005@news.cesmail.net...
> > In article ,
> > "WazoO" wrote:
> >
> > > "Edward D. Thompson" wrote in message
> > > news:pan.2005.01.28.17.36.30.159767@cyrix.ed-thompson.org...
> > > >
> > > > Does anyone understand the behavior of the Spamcop statistics?
> > > >
> > > > http://mailsc.spamcop.net/spamgraph.shtml?spamyear
> > >
> > > Julian .... those charts track whatever he's got them pointed to,
> > > and what's behind that curtain has been described in the past
> > > as "not for public discussion" ...
> >
> > Been described in the past, by whom? I only recall WazoO saying such
> > things as "not for public discussion".
>
> Dialog between Julian, Don, Deputies and myself have included
> facts and conditions described as "not for public discussion" ...

What dialog? Described by whom? Show me.

Or do you mean you have off-newsgroup conversations with Julian etc.,
which you cannot tell us about, and that you then like to tell us that
you can't tell us about?

Frankly, if that's the case, I'd like to hear it from someone from
Spamcop. Your unhelpful help is so vague WazoO as to seem implausible.

From porpoise1954 at yahoo.co.uk Tue Feb 1 15:05:35 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 10:10:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Brian Gregory [UK]" wrote in message news:ctnr5s$cm2$1@news.spamcop.net...
> It's not clear to me exactly what you mean by "using it for a mailing
> list".
>
> --
>

Who are you addressing? It's usually helpful to include a snippet of what
you are replying to, in order to give it some context.

From firewoman at default.domain.not.available Tue Feb 1 10:15:06 2005
From: firewoman at default.domain.not.available (Firewoman)
Date: Tue Feb 1 10:15:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Porpoise" wrote in message news:cto5v8$j8b$1@news.spamcop.net...
>
> "Brian Gregory [UK]" wrote in message
> news:ctnr5s$cm2$1@news.spamcop.net...
>> It's not clear to me exactly what you mean by "using it for a mailing
>> list".
>>
>> --
>>
>
> Who are you addressing? It's usually helpful to include a snippet of what
> you are replying to, in order to give it some context.

In a standard newsreader, you can see that he is replying to the OP. The
snippet is in "quotations" instead of >>.
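
The chain walk Mike Easter does by eye on the abbreviated Received lines earlier in this thread, as an added Python example (not part of any post, and not SpamCop's parser): a hop is believed only while its "by" host is a name the previous believed hop logged for its peer. The function names, the trusted-server argument and the reduced header format are assumptions; the header values are the ones quoted in that post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Received lines as abbreviated in the post (newest first), annotations removed.
SAMPLE_RECEIVED = [
    "from (mtain3.barak.net.il [212.150.49.74]) by mail.nwsup.com",
    "from barak.net.il ([85.64.66.198]) by mtain3.barak.net.il",
    "from (HELO smtp.mixedthings.net) (181.137.80.89) by group21.345mail.com",
    "from unknown (111.111.104.45) by mxs.perenter.com",
    "from ([191.183.16.26]) by mxs.perenter.com",
    "from mts.locks.grgtween.net ([158.8.99.73]) by mts.locks.grgtween.net",
]

HOP_RE = re.compile(r"from\s+(.*?)\s+by\s+(\S+)", re.IGNORECASE)
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


@dataclass
class Hop:
    names: frozenset      # host names the receiving server logged for its peer
    ip: Optional[str]     # peer IP the receiving server logged, if any
    by_host: str          # server that claims to have written this line


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_hop(line):
    """Split one abbreviated Received line into peer names, peer IP and 'by' host."""
    m = HOP_RE.search(line)
    if m is None:
        raise ValueError(f"not a Received line: {line!r}")
    tokens = TOKEN_RE.findall(m.group(1))
    ips = [t for t in tokens if _is_ip(t)]
    names = frozenset(t.lower() for t in tokens if not _is_ip(t))
    return Hop(names, ips[0] if ips else None, m.group(2).lower().rstrip(";"))


def trace_source(received, trusted_by):
    """Return (last believable hop, unverifiable hops below it).

    The top line is believed only if it was written by the recipient's own
    server (trusted_by). Each following line is believed only if its 'by'
    host is a name the hop above recorded for the machine that handed it
    the mail. The first line that fails this test, and everything under
    it, could have been typed in by the sender.
    Simplification: a real parser also resolves names and compares IPs.
    """
    hops = [parse_hop(line) for line in received]
    if not hops or hops[0].by_host != trusted_by.lower():
        return None, hops
    last = 0
    for i in range(1, len(hops)):
        if hops[i].by_host not in hops[last].names:
            break
        last = i
    return hops[last], hops[last + 1:]


def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """DNS name whose A record says whether an IPv4 address is listed in zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    source, unverified = trace_source(SAMPLE_RECEIVED, "mail.nwsup.com")
    print("source IP:", source.ip)
    print("blocklist lookup name:", dnsbl_query_name(source.ip))
    for hop in unverified:
        print("unverifiable:", hop.ip, "by", hop.by_host)
```
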

From porpoise1954 at yahoo.co.uk Tue Feb 1 15:14:47 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 10:20:05 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Firewoman" wrote in message news:cto69i$jit$1@news.spamcop.net...
> "Porpoise" wrote in message
> news:cto5v8$j8b$1@news.spamcop.net...
>>
>> "Brian Gregory [UK]" wrote in message
>> news:ctnr5s$cm2$1@news.spamcop.net...
>>> It's not clear to me exactly what you mean by "using it for a mailing
>>> list".
>>>
>>> --
>>>
>>
>> Who are you addressing? It's usually helpful to include a snippet of what
>> you are replying to, in order to give it some context.
>
>
> In a standard newsreader, you can see that he is replying to the OP. The
> snippet is in "quotations" instead of >>.

That wasn't the point. It's still good netiquette to give some context to
which you are replying. For those that like to "hide" headers for read
messages it's a pain to have to hunt back.

From nobody at spamcop.net Tue Feb 1 08:43:51 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Feb 1 11:40:02 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Mike Easter" wrote in message news:ctnnf9$a4u$1@news.spamcop.net...
> Maurice Tszorf wrote:
> > I am confronted with constant blocking of my email addresses. It
> > started when I began using it for a mailing list. I can receive
> > mails, but I cannot send off a single mail, no matter to what
> > destination, for some 24 hours, after which the block sets in again
> > the minute I send a message to the mailing list.
>
> The only way we can talk about some mail which is blocked is to talk
> about the IP address which is being blocked.
>
> > I would like to
> > know how I can prevent being blocked constantly.
>
> You haven't given useful information yet, so I'll try your nntp IP
> address.
>
> Your nntp posting host is 85-64-66-198.barak.net.il IP address
> 85.64.66.198

Virus/worm infestation and spewing direct to mx.
There are other IPs in the /16 listed, also spewing direct to mx. The
spams are the usual pills/stocks/rolex/etc. Most of the listings are
recent -- in the last 24-48 hours and obviously barak has done nothing
about filtering port 25. As the spew is recent I suspect that barak
haven't had time to hunt down the compromised and do anything about them
yet.

That said there is no telling what blocklists the admin of the
listserver is using.

Ellen

From MikeE at ster.invalid Tue Feb 1 09:21:56 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 12:25:04 2005
Subject: [SpamCop-List] OT Spamalot
Message-ID:

Broadway will have a 'new musical ripoff' of the movie Monty Python and
the Holy Grail called 'Monty Python's Spamalot' by Eric Idle starting
Feb 14 http://www.montypythonsspamalot.com/

In 'celebration' of Spamalot's opening, Hormel will produce a
collector's edition SPAM product - golden honey grail -
http://media.hormel.com/templates/knowledge/knowledge.asp?catitemid=2&id=268

The Hormel PR was more interesting to me than the Register article
below.

But Hormel lost their trademark infringement suit against Spambuster.

All of the above described recently in the Register
http://www.theregister.co.uk/2005/01/31/spam_ruling/

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 1 09:45:17 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 12:45:02 2005
Subject: [SpamCop-List] Re: OT Spamalot
References:
Message-ID:

Mike Easter wrote:
> Broadway will have a 'new musical ripoff' of the movie Monty Python
> and the Holy Grail called 'Monty Python's Spamalot' by Eric Idle
> starting Feb 14 http://www.montypythonsspamalot.com/

The book was by Eric Idle. The musical is directed by Mike Nichols. The
Broadway situation follows the Chicago Dec-Jan performances just
finishing.

Why Hormel doesn't have a pic of the commemorative collectors' edition
can^1 at their site is beyond me.

^1 The SPAM™ golden honey grail will be available, in limited
quantities as of February 2005 at select New York City retailers,
including Broadway merchandise stores and the Shubert Theatre
merchandise kiosks. The can features SPAMALOT graphics and characters
from the new musical and instructions in "SPAMALOT-ese" on how to
"cooketh" SPAM?.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 1 09:51:39 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 12:55:03 2005
Subject: [SpamCop-List] Re: OT Spamalot
References:
Message-ID:

Mike Easter wrote:
> Why Hormel doesn't have a pic of the commemorative collectors' edition
> can^1 at their site is beyond me.

http://www.dailyllama.com/news/2004/images/golden_honey_spam_large.jpg
http://www.dailyllama.com/news/2004/images/golden_honey_spam_back_large.jpg
http://www.dailyllama.com/news/2004/images/golden_honey_spam_label.jpg

Lotsa google links on articles for 'golden honey grail' - I must be the
last one to find out about this.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 1 10:31:46 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 13:35:40 2005
Subject: [SpamCop-List] Re: OT Spamalot
References:
Message-ID:

Mike Easter wrote:
> "SPAMALOT-ese" on how to
> "cooketh" SPAM?.

> http://www.dailyllama.com/news/2004/images/golden_honey_spam_label.jpg

Copied into IrfanView for 'handling', cooking instructions label section
blown up and 'manipulated' to enhance readability and manually
transcribed, since my search didn't show me the instructions in digital
-- someone is going to have to help the Hormel PR people tend to these
arcane details for posterity.

"Fully cooked, ready to eat cold or hot. Taketh thine SPAM slices and
fry it thusly for exactly 2 minutes. No more, no less. 1 minute is too
little, and yet 3 minutes be far longer than thou needeth.
Then thou shalt flippeth the SPAM and repeateth these instructions until
it be crispy and browned upon both sides of this most tasty provision.
The resulting divine creation shalt be lobbed into thine mouth rapidly
for this is the love of SPAM."

I think. Not everything was crystal clear in the transformations.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Tue Feb 1 20:35:38 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Feb 1 14:40:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

On Tue, 1 Feb 2005 08:43:51 -0500, Ellen coughed into spamcop and left
this in :

> and obviously barak has done nothing about filtering port 25.

Now, why on $planet would they want to do that? *rolls eyes*

> As the spew is recent I suspect that barak haven't had time to hunt
> down the compromised and do anything about them yet.

As if they ever will...

--
Steve

Windows is.... A 32-bit extension to a 16-bit graphical interface,
sitting on an 8-bit operating system, originally written for a 4-bit
processor by a 2-bit company without ONE BIT of common sense.

From nobody at devnull.spamcop.net Tue Feb 1 13:41:57 2005
From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m)
Date: Tue Feb 1 16:45:08 2005
Subject: [SpamCop-List] Re: OT Spamalot
In-Reply-To:
References:
Message-ID:

> Broadway will have a 'new musical ripoff' of the movie Monty
> Python and the Holy Grail called 'Monty Python's Spamalot'
> by Eric Idle starting Feb 14
> http://www.montypythonsspamalot.com/

I feel as though I've been living in Spamalot for years...

--
In short, there's simply not
A more congenial spot
For happy spamvertiser rings than here in Spamalot.

From nobody at spamcop.net Tue Feb 1 17:43:47 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Tue Feb 1 17:45:05 2005
Subject: [SpamCop-List] Why Am I Blocked? FAQ
Message-ID:

Why Am I Blocked?

Probable Causes

If your email has suddenly been blocked by the SpamCop blocklist, it is
probably because you share an IP address with other email users and
there is someone who:

* is using auto-responses that are replying to spam with forged
  spamtrap email addresses (such as Out-of-Office/Vacation notices,
  virus notifications, and 'created email' bounces);
* has a computer with a virus that sends spam without the owner's
  knowledge;
* has a computer that has been compromised and spammers are remotely
  controlling it to transmit their spew;
* is sending unsolicited emails and your internet service provider is
  allowing it;
* or because, as in all systems, there may have been a mistake. (very
  rare)

The SpamCop DNSbl listing will expire automatically within 48 hours of
the last report of spam from it.

For people who are operating servers:

(followed by FAQ for people who do not operate servers; if you don’t
operate a server, scroll down until you find it.)

Am I really listed in the SpamCop Blocklist?:

You can check the status of any server by entering its address at
http://www.spamcop.net/bl.shtml
The reason an IP address is listed can also be obtained from that page.

If the blocklist only lists spamtraps, then auto responses are the
likely culprit.

If the blocklist only lists reports, you have a spammer at work.

If the blocklist lists spam traps and reports,

* You have your firewall configured to allow a compromised machine on
  your network to spew to the world (you do have a firewall in place,
  don't you?)
* the SMTP/Auth exploit of an Exchange server is in progress, see these
  links:
  http://news.spamcop.net/cgi-bin/fom?file=372
  http://www.winnetmag.com/article/articleid/40507/40507.html
  http://www.winnetmag.com/article/articleid/42406/42406.html
  How To Block Open SMTP Relaying and Clean Up Exchange Server SMTP
  Queues
  To prevent SMTP relaying with Microsoft Exchange Server see
  http://support.microsoft.com/default.aspx?scid=KB;EN-US;324958#4
  # (NOTE: While commonly seen on Exchange servers, this condition is
  possible on all platforms)
* Your PHP mailer program has been taken over by criminals. (You did
  not know that your PHP bulletin board had a very vulnerable mailer
  program on it? You did not know that you had PHP installed and
  running?)

Please also see:

* How can I get removed from SpamCop's blocking system?
  http://www.spamcop.net/fom-serve/cache/76.html
* John's explanation at John's revised post, for Why Am I Blocked FAQ
  http://forum.spamcop.net/forums/index.php?showtopic=673
* Merlyn's explanation at FAQ Entry: Why is my email blocked?
  http://forum.spamcop.net/forums/index.php?showtopic=35

The rest of this FAQ is for people who do not run servers.

Post the IP address that is blocked in the Spamcop web forum or
newsgroup. There are many knowledgeable people in the SpamCop groups who
will help you figure out why and offer solutions.

If you need to know what triggered the report from a spamtrap, email
deputies spamcop.net. Only they can see. However, a post will generally
get you faster replies and more specific help on what is the problem.

For people whose email was returned

Q: What does SpamCop do with my email?
A: Nothing

The Internet Service Provider (ISP) of the person, or business, you are
sending email "To" is blocking email from your ISP's computers
(servers), using a list provided by SpamCop. Your email doesn't pass
through SpamCop's mail servers and SpamCop has no way of blocking or
bouncing your email.
In addition, the SpamCop email service uses the blocklist to "tag"
incoming mail so that suspected spam is placed in a particular folder
and that is the way the blocklist is intended to be used.

Q: What is a blocklist?
A: A blocklist helps ISP’s to prevent spam coming to their customers.

An ISP can use a blocklist (a list of IP addresses), to block (bounce
back) all email coming from a particular IP address. The blocking is
based not on your email address (which looks like username@example.com),
but on the IP address (which looks like 198.162.250.196). This IP
address is assigned to the mail server you use, which is probably run by
your ISP. You may share this same server with hundreds or thousands of
other customers. If one of the other customers is sending spam through
that shared mail server, it will cause the IP address of that mail
server to be put on the blocklist. And when you send email through that
server, ISP’s who use blocklists to avoid receiving spam, will also
block your email.

SpamCop is one of many blocklists. DNS Blackhole Lists (DNSBLs) is a
link to a page that lists and categorizes a number of blocklists. Trying
to describe the difference between spamcop & other lists (particularly
the time it takes to get off the list) and how SpamCop can be an early
warning system for ISP's is a bit difficult, as each is different in
concept, targets, results ranges, and oversight. If more specific data
is desired on other DNSBLs, please visit that listing site.

Q: What is SpamCop?
A: Unique, automated blocklist and spam filtering

SpamCop has a program that will find the correct address to send a
complaint because the email address you see that says who it is from is
often forged by spammers. SpamCop finds the correct IP address and
forwards complaints for its members. If a lot of reports are made, the
IP address goes on the SpamCop blocklist that is used by many ISP’s.
for more detailed information on how Spamcop works see:
http://www.spamcop.net/fom-serve/cache/3.html

Q: How do ISP’s use SpamCop
A: As 1) a warning that spammers have slipped by their defenses and 2)
to block spam.

* Responsible ISP's welcome SpamCop reports and will remove spammers
  quickly from their systems.
* When they block emails, they send a message that looks like this:
  451 Blocked - see http://www.spamcop.net/bl.shtml?xxxx.xxxx.xxxx.xxxx:
  or
  email from xxx.com blocked,refused by Spamcop,see http://www.spamcop.net

Q: Why me?
A: It Happens to the best of us

It is annoying to have your email blocked. It is also annoying to have a
backhoe interrupt email service. However, until the blocking problem is
resolved, you can email people through a web based email service (the
most familiar web based email services are hotmail and yahoo).

After you have taken care of the immediate problem of being able to
communicate with someone by email, the next step is to see what can be
done so this inconvenience does not happen to you again.

The one thing you do not want to do is to complain to those
correspondents who are using an email service that uses the SpamCop
blocklist. They probably really like the reduction in spam! You have the
responsibility to see that your ISP provides you with reliable email
service. See this link for a longer explanation of costs
http://forum.spamcop.net/forums/index.php?showtopic=660

Q: Who do I contact to correct this problem?
A: Your ISP (email service provider) first

Usually the ISP with the blocked IP address has also been notified with
the evidence of spam reports. Your ISP may have already acted on the
Spamcop report they have received by the time you call. It may just have
been a mistake on their part or, possibly, the reporter's part.
Reporters can be fined or banned for mistakes.
As soon as your ISP stops the spam from being sent, or uses the
procedures at SpamCop to point out the reporter's mistake, the IP
address is taken off the blocklist (usually within 48 hours for spam;
immediately for reporter error).

It may be that your call is the first time your ISP has heard that
SpamCop has listed your IP address. Listings are made, in addition to
member reporting, automatically from spamtraps (an eMail address that is
not used, nor published anywhere, so only gets eMail if someone is
sending spam!). Your ISP can find out about SpamCop at
http://www.spamcop.net/fom-serve/cache/76.html if they don’t already
know about SpamCop.

SpamCop deputies have access to the full evidence for a listing.
Deputies can delist IP addresses which are listed in error.

Q: My ISP says it’s not their fault.
A: People in this forum will help with information to give your ISP

You will need to know your IP address for people to understand what has
happened (it should be in the message you received telling you your mail
was blocked). It is also helpful to know the reasons why it was blocked.
(To do this, go to http://www.spamcop.net/bl.shtml . Make a note of the
reason for the listing. For example "Been reported as a source of spam
about 30 times" "Been detected sending mail to spam traps" as this is
important)

There are many people who will explain to you what has happened and what
you can do. If you are interested in finding out more about blocklists
and exactly why your email was blocked, you may post in the web forum
http://forum.spamcop.net/forums/index.php?showforum=11 or in the SpamCop
NNTP newsgroup news://news.spamcop.net/spamcop.help with the above
information.

Please remember that this block is not aimed at you personally. There
are a limited number of IP addresses on the Internet, so you, and the
spammer, may get a different one each time you log-on.
Your Internet Service Provider is the only one who can investigate and
take action to stop spam from coming from that IP address. In the
meantime, the email service at the other end does not have to accept
your email until spam has stopped coming from that particular IP address
just as postal and package services can refuse certain types of mail and
packages.

Revised 18 Nov 2004 - Wazoo added DNSBL List URL
Revised 16 Nov 2004 - Wazoo - Ouch! newsgroup link fixed!
Revised 2 Sep 2004 - Wazoo
Revised August 7, 2004 - Miss Betsy, Wazoo, dbiel
Edited per Wazoo comments March 6, 2004
rev March 7
rev Mar 8 for format (agsteele)
Rev Mar11 with more links
Rev Mar 12 with new John link
rev 13 listized "Probable Causes"
rev 14 consolidated some links

Contributors: Michaell, Mike Easter, Wazoo, Greenlady, John, JT, JeffG

(Last Revised 26 January 2005)
(URL = http://forum.spamcop.net/forums/lofiversion/index.php/t972.html )

--

From user at domain.invalid Wed Feb 2 00:04:51 2005
From: user at domain.invalid (user@domain.invalid)
Date: Tue Feb 1 18:05:03 2005
Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report"
In-Reply-To:
References:
Message-ID:

Steven Maesslein wrote:
> Tracking URL:
> http://www.spamcop.net/sc?id=z726781903z28608ffef3c19a6dda5566aff4f0f0bdz
>
> Spam received at spamcop.net at 30 Jan 2005 13:02:59 -0000, IOW about 8
> hours ago.
>
> However, the parser is relying on the timestamp when the spam was
> received one hop further upstream, which *is* over 48 hours ago.
>
> It's therefore impossible to report spam if one of the spam relays holds
> on to it for 48 hours...
>

Another trick to escape Spamcop I discovered in my mailbox is to change
the computer time, just enough to push it out of the time frame.
Guest at the fence LeaNder a/k/a KRAUT From user at domain.invalid Wed Feb 2 00:51:14 2005 From: user at domain.invalid (user@domain.invalid) Date: Tue Feb 1 18:55:06 2005 Subject: [SpamCop-List] Re: Empty spam In-Reply-To: References: Message-ID: Larry Kilgallen wrote: > In article , user@domain.invalid writes: > >>lebrad wrote: >> >>>I seem to be receiving a lot of spam with no subject and no content. Why >>>would someone want to send me spam with no message? >>> >>> >> >>I have the impression this is not spam > > > Meaning the recipient requested it ? > Or meaning that it only happened once ? No this is not what I meant. I have been watching this for quite some time now. Did you ever have doubled, tripled ... mails? At one time I watched this, it seemed to happen at certain intervals. The headers showed rather complicated patterns. Like being sent at certain time intervals with a third diverted somewhere on the line as if hold somewhere and then moved on. First they arrived at different time. Which showed in my mailbox. The second and third being higher up. Then something got fixed. And while they arrived later the neatly appeared next to each other now. But the headers showed still traces of their different roads through the web. Later the **empty mails*** appeared. At that point I was accustomed to take a closer look. Checking the headers - sorry no systematic exercise although I came close to it ... but mainly checking the headers. And then I realized the empty ones sometimes where just parts of ordinary mails. That is sometimes even mails I received too. Part of its header part of it's body end. No recognizable pattern, but something cut up in an unknown process. Sometimes they were parts of mails I received from a list or received sooner or later ... > > >>but cut up emails who float >>around the net. I am watching this for quite some time now. It stopped >>and now it starts again. > > > Email does not "float around" - it gets sent by someone. 
> I am no expert ... I wish I were. But even scientist need imagination. And out there on the net is much information about people that is quite valuable. Not only to spammers. > >>It probably is connected with some other web activity filtering the >>mails on their road on the net for contents information about the users. > > > Even if it were triggered by a technical error, it is still spam: > > Unsolicited Bulk Email > > Spam is a matter of conSent not conTent. Yes true, you have to use the delete button no matter if it is a technically produced bit or a whole one. But the bit can still have a different origin, not quite functioning excursions into fields not altogether known - not quite working yet KRAUT From nobody at spamcop.net Wed Feb 2 00:08:24 2005 From: nobody at spamcop.net (nobody@spamcop.net) Date: Tue Feb 1 19:10:04 2005 Subject: [SpamCop-List] m1fastcooloffers.com Message-ID: I've been spammed by m1fastcooloffers.com (63.147.28.5). SpamCop wants to send reports to stasu@veritex-tech.com, but that looks like a listwashing address and nothing will ever be done about shutting down this scam operation. The spamvertized site redirects to applyfree.com, which pushes fake-looking mortgages and debt consolidation plans. I want to report applyfree.com, but I tried reporting a similar site last year and quit after 100 reports were ignored. These scammers also have more than one ISP, so that if one ISP shuts down getrefi.com, the scammers still have getrefinow.com.cn, refinow.com.cn, and a slew of others. Is there legal action that can be started against these spam scam companies? How else should I report this issue? 
The spam lists an address: Global Offers Network 2033 San Elijo Avenue, #411 Cardiff-by-the-Sea, CA 92007 From not at home.today Wed Feb 2 02:05:25 2005 From: not at home.today (Ant) Date: Tue Feb 1 21:10:03 2005 Subject: [SpamCop-List] Re: OT Spamalot References: Message-ID: "Mike Easter" wrote: > Lotsa google links on articles for 'golden honey grail' - I must be > the last one to find out about this. Apart from me, that is. Thanks for the links Mike. I enjoyed the song "Not Dead Yet" on the high bandwidth site. I love Eric Idle's songs, and was an avid Python fan all those years ago when the shows were first screened on BBC TV. I'm jealous! He's taking the show to Broadway, and the commemorative SPAM cans are only available in limited numbers in the US. It would seem Eric feels that USians are greater Python fans than his own countrymen. Perhaps he'll bring it to London's West End if it goes down well across the Pond. From nobody at spamcop.net Tue Feb 1 18:41:30 2005 From: nobody at spamcop.net (K. Crocker) Date: Tue Feb 1 21:45:07 2005 Subject: [SpamCop-List] Open Proxy SCBL Rules Message-ID: If spam is reported coming from an open proxy and the address is subsequently listed, is there a check to keep the address listed if it is still open when the listing times out? If not, can anyone think of a reason not to add this qualification? Also, if spam is submitted that indicates that its source is an open proxy, would it make sense that the address should be listed immediately, bypassing any rules that require samples from different submitters before a listing occurs? My POP3 service uses the SCBL, so any spam I receive is usually from sources not on the SCBL. A large proportion of that spam appears to be coming from open proxies, hence the interest. Thanks for your comments! 
Regards, Ken Crocker From nobody at devnull.spamcop.net Tue Feb 1 22:13:35 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Feb 1 23:15:06 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-041775.14350301022005@news.cesmail.net... > In article , > "WazoO" wrote: > > > > > Julian .... those charts track whatever he's got them pointed to, > > > > and what's behind that curtain has been described in the past > > > > as "not for public discussion" ... > > > > > > Been described in the past, by whom? I only recall WazoO saying such > > > things as "not for public discussion". > > > > Dialog between Julian, Don, Deputies and myself have included > > facts and conditions described as "not for public discussion" ... > > What dialog? Described by whom? Show me. Your request doesn't make a lot of sense, but here's some background; http://forum.spamcop.net/forums/index.php?showtopic=1939 http://forum.spamcop.net/forums/index.php?showtopic=2030 http://forum.spamcop.net/forums/index.php?showtopic=2559 > Or do you mean you have off-newsgroup conversations with Julian etc., > which you cannot tell us about, and that you then like to tell us that > you can't tell us about? Just trying to answer a query. > Frankly, if that's the case, I'd like to hear it from someone from > Spamcop. Your unhelpful help is so vague WazoO as to seem implausible. whatever. From nobody at spamcop.net Wed Feb 2 04:16:08 2005 From: nobody at spamcop.net (I Hate Spam) Date: Tue Feb 1 23:15:17 2005 Subject: [SpamCop-List] Halifax Internet banking phishing site Message-ID: http://207.202.89.91:87/f/index.htm From wb8tyw at qsl.network Tue Feb 1 23:45:42 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Feb 1 23:50:02 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: K. 
Crocker wrote: > If spam is reported coming from an open proxy and the address is > subsequently listed, is there a check to keep the address listed if it > is still open when the listing times out? If not, can anyone think of a > reason not to add this qualification? Spamcop.net does not perform open proxy tests. It only looks at the open proxy data to aid in the accuracy of the parsing. My mail server operators, like many have the open proxy list checks before they accept e-mail, so once the spam source is on the open proxy list, their mail servers no longer receive any spam from it. It also means that their users are no longer reporting spam from it to spamcop.net. There is no reason for spamcop.net to duplicate the function of the open proxy lists. > Also, if spam is submitted that indicates that its source is an open > proxy, would it make sense that the address should be listed > immediately, bypassing any rules that require samples from different > submitters before a listing occurs? The parser does not indicate if the I.P. address is already on the spamcop.net list. For you to check that would mean an extra step each time you submit a spam. > My POP3 service uses the SCBL, so any spam I receive is usually from > sources not on the SCBL. A large proportion of that spam appears to be > coming from open proxies, hence the interest. Thanks for your comments! It is probably is a case that your mail server operators are using an open proxy list, yet at the time your mail server operator accepted the e-mail, that I.P. address was not yet on either the open proxy lists that they use, or on the spamcop.net list either. Statistics from one of my mail server operators show that the spamcop.net blocking list is only catching 3% of the spam. The majority of spam is removed by more conservative blocking lists. Other statistics that I am seeing indicate that the bulk of the spam is coming from dynamic pools, which many mail server operators block. 
Of the major DNSbls that cover dynamic pool addresses, the SORBS one seems to be the most up to date. If you show technical details on the spamcop.net parse, if the source I.P. is not an open proxy, but is known to SORBS as a dynamic address, it will show up as 127.0.0.10. In that case, find out which dynamic pool list that your ISP uses, and how to submit new entries to them, so when you find one that is in SORBs, it means it was not in your ISP's list, and you can get that fixed. If the SORBS line does not show up in the parse, then you need to do a manual lookup at the SORBS site. And the rDNS can also tell you if the I.P. address is a "dynamic", or "dhcp", or "dialup". In which case it should show up in the SORBS dynamic database. But do not submit I.P. addresses for listing in a dynamic pool unless you have strong evidence that the I.P. address is dynamic, as the processing of them is completely manual. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Wed Feb 2 15:06:33 2005 From: nobody at devnull.spamcop.net (Patto) Date: Wed Feb 2 01:10:02 2005 Subject: [SpamCop-List] Re: Halifax Internet banking phishing site In-Reply-To: References: Message-ID: I Hate Spam wrote: > http://207.202.89.91:87/f/index.htm And what are we going to do with this link...? From nobody at spamcop.net Tue Feb 1 23:54:29 2005 From: nobody at spamcop.net (K. Crocker) Date: Wed Feb 2 02:55:03 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: John E. Malmberg wrote: > K. Crocker wrote: > >> If spam is reported coming from an open proxy and the address is >> subsequently listed, is there a check to keep the address listed if it >> is still open when the listing times out? If not, can anyone think of >> a reason not to add this qualification? > > > Spamcop.net does not perform open proxy tests. It only looks at the > open proxy data to aid in the accuracy of the parsing. 
> > My mail server operators, like many have the open proxy list checks > before they accept e-mail, so once the spam source is on the open proxy > list, their mail servers no longer receive any spam from it. > > It also means that their users are no longer reporting spam from it to > spamcop.net. > > There is no reason for spamcop.net to duplicate the function of the open > proxy lists. I suppose it depends on SpamCop's charter and how accurate the determination of "open proxy" is. My ISP hasn't revealed the algorithm it uses, except to say that they are using SCBL. Every additional list each ISP uses consumes that much more bandwidth, multiplied by each piece of email (spam and valid) flowing through the internet. Logistically, it could be argued that the perfect block list should add blackhat addresses ASAP and keep them there ALAP, commensurate with a totally automatic system. >> Also, if spam is submitted that indicates that its source is an open >> proxy, would it make sense that the address should be listed >> immediately, bypassing any rules that require samples from different >> submitters before a listing occurs? > > > The parser does not indicate if the I.P. address is already on the > spamcop.net list. For you to check that would mean an extra step each > time you submit a spam. I think you missed my point. I understand what you are saying. I've done both parsing and checking to see if an IP address was on the SCBL on numerous occasions. My intent was to foster a discussion, perhaps observed by a deputy, to get open proxy addresses added ASAP to the SCBL, rather than waiting for corroborative evidence. >> My POP3 service uses the SCBL, so any spam I receive is usually from >> sources not on the SCBL. A large proportion of that spam appears to be >> coming from open proxies, hence the interest. Thanks for your comments! 
> > > It is probably is a case that your mail server operators are using an > open proxy list, yet at the time your mail server operator accepted the > e-mail, that I.P. address was not yet on either the open proxy lists > that they use, or on the spamcop.net list either. I would guess that my ISP is *not* using an open proxy list, or, at least, not the one SC uses. I've parsed spam literally seconds old that shows up open proxy, yet was admitted through my ISP. > Statistics from one of my mail server operators show that the > spamcop.net blocking list is only catching 3% of the spam. The majority > of spam is removed by more conservative blocking lists. I think you meant liberal. SCBL would be considered conservative, since one of it's aims is to block as little valid email as possible. Pardon the nit picking... > Other statistics that I am seeing indicate that the bulk of the spam is > coming from dynamic pools, which many mail server operators block. Thanks for the info! > But do not submit I.P. addresses for listing in a dynamic pool unless > you have strong evidence that the I.P. address is dynamic, as the > processing of them is completely manual. Ah, if I had the kung fu (time + effort) to do this! I once kept track of some of the IP addresses used by one spammer as they sent one particular email campaign. I recorded well over 100 different addresses before I got tired, many from vastly differing blocks, none reused. This has nothing to do with the open proxy issue, but just to say that spammers have the "whack-a-mole" game down pat. If the open proxy determination was simple and bullet proof, I don't see a reason why it shouldn't be used to prevent known chronic repeat offenders from moving back into my neighborhood, to borrow from a different analogy. > -John > wb8tyw@qsl.network > Personal Opinion Only Thanks for your comments and info! 
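Added example, not part of any poster's message and not SpamCop or SORBS code: the check John E. Malmberg describes in this thread (a dynamic address answering 127.0.0.10, plus rDNS names containing "dynamic", "dhcp" or "dialup"), sketched in Python so the evidence can be gathered before anything is submitted for manual listing. The zone `dul.dnsbl.example`, the sample addresses and the fake DNS tables are constructed, and the 127.0.0.0/8 filter is an added safeguard the thread does not mention.

```python
import ipaddress
import socket

DYNAMIC_CODE = "127.0.0.10"                 # answer the thread gives for a dynamic address
RDNS_HINTS = ("dynamic", "dhcp", "dialup")  # rDNS hints named in the thread
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")
ZONE = "dul.dnsbl.example"                  # constructed zone name, not a real list

# Constructed DNS data so the example runs offline.
FAKE_A = {
    "10.2.0.192.dul.dnsbl.example": ["127.0.0.10"],
    "7.100.51.198.dul.dnsbl.example": ["127.0.0.2"],
    # A resolver that rewrites NXDOMAIN to a landing page: not a listing.
    "9.113.0.203.dul.dnsbl.example": ["198.51.100.1"],
}
FAKE_PTR = {
    "192.0.2.10": "dhcp-10.pool.isp.example",
    "203.0.113.5": "dialup-5.dynamic.isp.example",
    "203.0.113.9": "mail.corp.example",
}


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is handled in this sketch")
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def listing_codes(answers):
    """Keep only answers inside 127.0.0.0/8; anything else is not a listing."""
    codes = []
    for answer in answers:
        try:
            if ipaddress.ip_address(answer) in LISTING_NET:
                codes.append(answer)
        except ValueError:
            continue
    return codes


def rdns_hints(hostname):
    """Return the dynamic-pool hints that appear in a reverse-DNS name."""
    lowered = (hostname or "").lower()
    return [hint for hint in RDNS_HINTS if hint in lowered]


def live_a(name):
    """A-record lookup; an unlisted address gives NXDOMAIN, so no answers."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def live_ptr(ip):
    """Reverse lookup; returns None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def fake_a(name):
    return FAKE_A.get(name, [])


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def assess(ip, zone, resolve_a=live_a, resolve_ptr=live_ptr):
    """Combine the DNSBL answer and the rDNS name into one verdict."""
    codes = listing_codes(resolve_a(dnsbl_query_name(ip, zone)))
    ptr = resolve_ptr(ip)
    hints = rdns_hints(ptr)
    if DYNAMIC_CODE in codes:
        verdict = "listed-dynamic"      # already known to the list as dynamic
    elif codes:
        verdict = "listed-other"        # listed, but not with the dynamic code
    elif hints:
        verdict = "rdns-hint-only"      # a hint only: look it up by hand first
    else:
        verdict = "no-evidence"
    return {"ip": ip, "codes": codes, "ptr": ptr, "hints": hints,
            "verdict": verdict}


if __name__ == "__main__":
    for sample in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.9"):
        print(assess(sample, ZONE, fake_a, fake_ptr))
```

Calling `assess(ip, zone)` without the last two arguments uses the system resolver instead of the constructed tables.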
From nobody at devnull.spamcop.net Wed Feb 2 17:16:57 2005 From: nobody at devnull.spamcop.net (Patto) Date: Wed Feb 2 03:20:08 2005 Subject: [SpamCop-List] Re: SpamCop Unresponsive In-Reply-To: References: Message-ID: Thomas Mooney wrote: > I sent a piece of spam in 50 minutes ago. It usually takes 1-4 minutes > before I get a response. I don't suppose there's anybody listening at this > time of day/night that can "kick the machine" and get things going again. > > Just as I thought. Oh well. I started sending spam some 7 hours ago; still no response. From nobody at spamcop.net Wed Feb 2 08:27:31 2005 From: nobody at spamcop.net (me-no-no) Date: Wed Feb 2 03:30:03 2005 Subject: [SpamCop-List] Re: Halifax Internet banking phishing site References: Message-ID: "I Hate Spam" wrote in message news:ctpk3k$rin$1@news.spamcop.net... > http://207.202.89.91:87/f/index.htm And ???? Perhaps you should have checked here first - as many others obviously have ! http://www.spamhaus.org/SBL/sbl.lasso?query=SBL22894 Been going on since early January - with IDT ignoring all SC and manual larts ! http://www.spamhaus.org/SBL/listings.lasso?isp=idt.net Inc cc larts to the following:- cybercrime--at--fbi.gov-- reportphishing--at--antiphishing.org-- spoof--at--millersmiles.co.uk-- reports--at--banksafeonline.org.uk-- Ciao Meno From bar_n0ne at hotmail.com Wed Feb 2 12:34:14 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Feb 2 03:35:06 2005 Subject: [SpamCop-List] Re: SpamCop Unresponsive References: Message-ID: "Patto" wrote in message news:ctq29q$4q6$1@news.spamcop.net... > Thomas Mooney wrote: > > I sent a piece of spam in 50 minutes ago. It usually takes 1-4 minutes > > before I get a response. I don't suppose there's anybody listening at this > > time of day/night that can "kick the machine" and get things going again. > > > > Just as I thought. Oh well. > > I started sending spam some 7 hours ago; still no response. 
Well I sent spam 2&5 hours ago, it was ready for reporting, within 5 min, replies received within 20. From l.rem.mayne at uea.ac.uk Wed Feb 2 09:41:56 2005 From: l.rem.mayne at uea.ac.uk (Leon Mayne) Date: Wed Feb 2 04:46:40 2005 Subject: [SpamCop-List] UK email CD Message-ID: Is this a Peter Francis-Macrae spam does anyone know? http://www.spamcop.net/sc?id=z727709647z8b39bd4a300145525835494b297b1e8dz Seems unlikely that a spammer would put their address in a spam email, so do I presume PFM has a grudge against someone again? From nobody at nowhere.invalid Wed Feb 2 12:08:29 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Feb 2 06:10:04 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into spamcop and left this in : > The SpmCopDNSbl listing will expire automatically within 48 hours > of the last report of spam from it. This isn't quite accurate as I understand it. I was led to believe that the listing will expire within 48 hours of the last reportED spam being sent, not within 48 hours of the last report. For example, if a machine that was spewing merrily away is locked down on Monday morning at 10.00 am GMT, thus stopping the spewage, it'll age off the list by Wednesday morning 10.00 am GMT, even if someone waits until Tuesday night to report spam. The important part is that the spam being reported on Tuesday night was still sent before the machine was locked down on Monday morning. -- Steve Why do people pay to go up tall buildings and then put money in binoculars to look down at things on the ground?
From nobody at nowhere.invalid Wed Feb 2 12:11:12 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Feb 2 06:15:04 2005 Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report" References: Message-ID: On Wed, 02 Feb 2005 00:04:51 +0100, user@domain.invalid coughed into spamcop and left this in : > Another trick to escape Spamcop I discovered in my mailbox is change the > computer time, just enough to make push it out of the time frame. That's a material change to the spam that's forbidden by the rules. The point isn't to mess around with the spam until the parser accepts it, it's to create a parser that works accurately. There will inevitably be teething problems along the line, and the problem I was having with outdated spam is one of them, but they don't justify making changes to the spam itself IMO. -- Steve Don't be irreplaceable. If you can't be replaced, you can't be promoted. From nobody at spamcop.net Wed Feb 2 06:38:07 2005 From: nobody at spamcop.net (Miss Betsy) Date: Wed Feb 2 06:35:03 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: "Steven Maesslein" wrote in message news:slrnd01d5d.mt.nobody@127.0.0.1... > On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into spamcop and > left this in : > > > The SpmCopDNSbl listing will expire automatically within 48 hours > > of the last report of spam from it. > > This isn't quite accurate as I understand it. > > I was led to believe that the listing will expire within 48 hours of the > last reportED spam being sent, not within 48 hours of the last report. > > For example, if a machine that was spewing merrily away is locked down > on Monday morning at 10.00 am GMT, thus stopping the spewage, it'll age > off the list by Wednesday morning 10.00 am GMT, even if someone waits > until Tuesday night to report spam. 
The important part is that the spam > being reported on Tuedsay night was still sent before the machine was > locked down on Monday morning. Technically, you are correct. The point of this FAQ is to go from 'easy to understand' general statements (for most of the people who come to find out why they are blocked) to the more specific technical details. There are also the ways that ISPs can get off the blocklist now, etc. For an end user, nothing more is really needed to know than the IP addresses will age off the blocklist within a certain period of time. For those running servers when they start clicking on the links, they will find out all the technical details that they need to know. Of course, end users can click on those links also, but most get totally confused by the information - which is why it is put in links. It was a challenge to write this FAQ because it is directed toward people who know nothing about how email works and don't even understand simple terms like 'ISP' (that was one of the suggestions - to say 'internet service provider' because ISP was an unknown term) and those who are running servers and want to know the details. Miss Betsy From nobody at nowhere.invalid Wed Feb 2 13:54:42 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Feb 2 07:55:04 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: On Wed, 2 Feb 2005 06:38:07 -0500, Miss Betsy coughed into spamcop and left this in : > The point of this FAQ is to go from 'easy to understand' general > statements (for most of the people who come to find out why they are > blocked) to the more specific technical details. Point taken. -- Steve Let's call it an accidental feature. -- Larry Wall From grover.joe at acd.net Wed Feb 2 09:42:00 2005 From: grover.joe at acd.net (Joe Grover) Date: Wed Feb 2 09:45:03 2005 Subject: [SpamCop-List] Report history for an IP? Message-ID: Two of my three SMTP servers were recently listed at Spamcop. 
I'm trying to find out why. In the past you could see samples of reports that resulted in a block when you looked up an IP in the BL. I'm unable to find this anymore. I occasionally have customers that use spamcop Outlook plugins that--when they report spam--it reports our SMTP server as one of the servers that sent the spam. It is because of this: Mail comes into one of three SMTP servers, and is delivered to a back-end mailbox server, like this: external server/client sending spam => smtp.acd.net => customer's mailbox server. Every now and then I get a Spamcop complaint implicating one of our SMTP servers, only to look at it and see that it was a message one of our customers received and reported, not a report from some user on the internet. I doubt this was the problem this morning, as I've only seen 2 of these complaints over the past several months. None of the other Spamcop complaints I've received have had anything to do with any of our SMTP servers, so naturally I'm curious as to what "abuse" resulted in two servers being listed this morning. Thanks in advance. Joe From nobody at spamcop.net Wed Feb 2 08:35:11 2005 From: nobody at spamcop.net (Ellen) Date: Wed Feb 2 09:50:05 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: "Steven Maesslein" wrote in message news:slrnd01d5d.mt.nobody@127.0.0.1... > On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into spamcop and > left this in : > > > The SpmCopDNSbl listing will expire automatically within 48 hours > > of the last report of spam from it. > > This isn't quite accurate as I understand it. > > I was led to believe that the listing will expire within 48 hours of the > last reportED spam being sent, not within 48 hours of the last report.
> > For example, if a machine that was spewing merrily away is locked down > on Monday morning at 10.00 am GMT, thus stopping the spewage, it'll age > off the list by Wednesday morning 10.00 am GMT, even if someone waits > until Tuesday night to report spam. The important part is that the spam > being reported on Tuedsay night was still sent before the machine was > locked down on Monday morning. > Actually the age off is 24 hours and it has been that for at least a couple of months now. It is always good to take a glance at the faq every so often: http://www.spamcop.net/fom-serve/cache/297.html And indeed in any information put together as a resource for users coming to the forum, newsgroups or elsewhere the faq on the SC website should be referenced as it is the official source of the operation of the blocklist. This keeps down the necessity for remembering to update the other faqs/boilerplates. In any case the 24 hour clock runs off the valid timestamp from the last reported spam headers not the time that a user reported it. Ellen From D.Gray at picture.oscar.wilde Wed Feb 2 15:11:14 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Wed Feb 2 10:15:03 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: In article , "WazoO" wrote: > "Dorian Gray" wrote in message > news:D.Gray-041775.14350301022005@news.cesmail.net... > > In article , > > "WazoO" wrote: > > > > > > > Julian .... those charts track whatever he's got them pointed to, > > > > > and what's behind that curtain has been described in the past > > > > > as "not for public discussion" ... > > > > > > > > Been described in the past, by whom? I only recall WazoO saying such > > > > things as "not for public discussion". > > > > > > Dialog between Julian, Don, Deputies and myself have included > > > facts and conditions described as "not for public discussion" ... > > > > What dialog? Described by whom? Show me. 
> > Your request doesn't make a lot of sense, but here's some background; > http://forum.spamcop.net/forums/index.php?showtopic=1939 > http://forum.spamcop.net/forums/index.php?showtopic=2030 > http://forum.spamcop.net/forums/index.php?showtopic=2559 None of the those forum threads even go close to answering the question about the statistics, and only one actually mentions the statistics. But they do confirm my point that only WazoO has used words like "not for public discussion". The comments by Richard, Ellen and Julian that appear there (forwarded by WazoO) seem as helpful as possible, and don't say anything about restricting information. However they are talking about mole reporting, not the statistics, so don't help us with the question about the stats. So, does anyone *else* know of any explanations, that they are willing to share? Alternatively, does anyone from Spamcop know the explanation, but can't share it, and are willing to say so? Cheers. From nobody at devnull.spamcop.net Wed Feb 2 10:10:44 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed Feb 2 10:15:09 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: Miss Betsy wrote: > Why Am I Blocked? > Probable Causes > Hope I'm not jumping the gun; please tell me if I am: As a tech writer in my most recent past life, I feel qualified to make a couple of observations on format. Content = pretty good! Fairly clear and concise. Not hard to read/understand. But(t) : Altho I can see it'll make a little work due to overlaps, I think this page should be two pages: It gets a little boring and dwindles a person's interest when they have to page thru "I'm an ISP", "I'm not an ISP", and, woops, wonder if I missed a heading? What else might be there; is there some other relevant section? Am I still in the ISPs part? Now, where was I? I think it should look like: ------------------------------ Why Am I Blocked? 
Probable Causes if: ----------------------------- < x > above = link That's clumsy, but I think it makes the point I want to make. Like I said, tell me if I'm ahead of things here. Not trying to be in the way. Online vetting; great idea. Best of luck! Regards, Pop From michael.spamcop at michaellefevre.com Wed Feb 2 15:13:21 2005 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Feb 2 10:15:12 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: Miss Betsy wrote: > "Steven Maesslein" wrote in message > news:slrnd01d5d.mt.nobody@127.0.0.1... >> On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into > spamcop and >> left this in : >> >> > The SpmCopDNSbl listing will expire automatically within 48 > hours >> > of the last report of spam from it. >> >> This isn't quite accurate as I understand it. >> > Technically, you are correct. The point of this FAQ is to go from > 'easy to understand' general statements (for most of the people who > come to find out why they are blocked) to the more specific > technical details. It should be possible to do that by leaving out detail - making things technically incorrect in the process of simplifying isn't good, because if people do go further than reading the FAQ and are then told something contradictory, it causes more problems than it solves. > For an end user, nothing more is really > needed to know than the IP addresses will age off the blocklist > within a certain period of time. Indeed. So that's all you need to say - if you're going to go into more detail, then the extra detail should be accurate. And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside from missing the "a" from SpamCop, it's generally called the SpamCop BL - given that the audience for the document are unlikely to know what a DNSBL is, there's no point in adding extra letters... 
-- Michael From michael.spamcop at michaellefevre.com Wed Feb 2 15:18:51 2005 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Feb 2 10:20:02 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: Pop wrote: [snip] > Altho I can see it'll make a little work due to overlaps, I > think this page should be two pages: I can see your point, but this is supposed to be a mini-FAQ to sit in a list of forum posts (like http://forum.spamcop.net/forums/index.php?showforum=11 ). If it was going to be split, then you wouldn't want 3 FAQ posts that refer to each other - you'd just have 2 FAQ posts with appropriate titles. Actually, I think it would be better to keep it as one document and make it shorter, with links to a better resource than a forum FAQ posting. -- Michael From wb8tyw at qsl.network Wed Feb 2 09:19:22 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Wed Feb 2 10:20:06 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules References: Message-ID: <$QENvZ8ilhJi@eisner.encompasserve.org> In article , "K. Crocker" writes: > John E. Malmberg wrote: > >> K. Crocker wrote: >> >> >> There is no reason for spamcop.net to duplicate the function of the open >> proxy lists. > > I suppose it depends on SpamCop's charter and how accurate the > determination of "open proxy" is. My ISP hasn't revealed the algorithm > it uses, except to say that they are using SCBL. Every additional list > each ISP uses consumes that much more bandwidth, multiplied by each > piece of email (spam and valid) flowing through the internet. Not exactly true. Several of the blocklists are relatively static, and large mailserver operations routinely download local copies using tools like rsync which only transfer the changes. DHCP lists are an example of a DNSBL that is likely to only change on a daily basis or even longer. 
A local copy of a good DHCP blocking list will probably reject over 50% of the spam delivery attempts with out additional bandwidth use. The sbl.spamhaus.org list is also pretty stable for keeping a cached copy. It will have less effect, as the smart spammers have figured out that it is useless to send spam from any I.P. address listed in spamhaus.org. The spews.org lists are also only distributed as files. Some dnsbl operators will provide access to them through their servers. And it is quite likely that your mail server operator can use local blocking lists for the spam that gets through all their checks. I know of one postmaster that for certain countries, seems to locally block at least the /22 surrounding the I.P. address of any spam that gets through on them. In several years, that technique has not resulted in any reported real e-mail being rejected. The spamcop.net blocking list is not suitable for being the main blocking list of a mail server for several reasons. 1. It tries to identify the injection point of the spam, and your mail server can usually only use it against the last hop. 2. Long term spam sources may drop off the spamcop.net blocking list because the source I.P. is already on a more conservative list. 3. A more conservative list may have determined that a whole netblock is controlled by spammers and blocked the whole thing, while the spammer jumping around in it evades the spamcop.net algorithm. 4. The spamcop.net algorithm is aggressive and will list real mail servers, and many times this is from spam reporters not noticing that a parser error is reporting their own mail server. > Logistically, it could be argued that the perfect block list should add > blackhat addresses ASAP and keep them there ALAP, commensurate with a > totally automatic system. The blocking lists are specialized because of how they determine a listing. And there are several of them that are aggregated to simplify lookups. 
opm.blitzed.org only tests for open proxies known to be used to abuse IRC networks. The mail server protection is a side effect. cbl.abuseat.org has spamtraps that are content filtered to remove "bounce" backscatter so it tends to only list spam sources and viruses. The cbl.abuseat.org is very good at catching sources of direct to MX viruses or spammers that use harvested e-mail addresses. By querying the xbl.spamhaus.org, you get a lookup of the opm.blitzed.org and the cbl.abuseat.org at the same time. By querying the sbl-xbl.spamhaus.org, you get a lookup of the sbl.spamhaus.org, and the xbl.spamhaus.org. Combine the sbl-xbl.spamhaus.org with a good dhcp blocking list, and you will find that will catch lot of the spam, and as pointed out above, most of the data can be locally cached efficiently. The list.dsbl.org only lists I.P. addresses that have sent it a specially formatted listme message. That message is sent by special software by trusted volunteers that knows how to scan for many security vulnerabilities. The njabl.org runs proxy tests. There seems to be a high overlap in what njabl.org and dsbl.org list. > I think you missed my point. I understand what you are saying. I've > done both parsing and checking to see if an IP address was on the SCBL > on numerous occasions. My intent was to foster a discussion, perhaps > observed by a deputy, to get open proxy addresses added ASAP to the > SCBL, rather than waiting for corroborative evidence. That would place control of a spamcop.net listing under the control of an entity that has no affiliation with spamcop.net. Spamcop.net keeps evidence of spam being sent. The evidence used by the open proxy listing service may not be available for a deputy to determine why the open proxy service is listing it. By the time you submit the spam from a POP3 account, it may already be on the spamcop.net blocking list, or your report may be the one that puts it over the edge. 
>>> My POP3 service uses the SCBL, so any spam I receive is usually from >>> sources not on the SCBL. A large proportion of that spam appears to be >>> coming from open proxies, hence the interest. Thanks for your comments! >> >> >> It is probably is a case that your mail server operators are using an >> open proxy list, yet at the time your mail server operator accepted the >> e-mail, that I.P. address was not yet on either the open proxy lists >> that they use, or on the spamcop.net list either. > > I would guess that my ISP is *not* using an open proxy list, or, at > least, not the one SC uses. I've parsed spam literally seconds old that > shows up open proxy, yet was admitted through my ISP. There are several services that will check lots of blocking lists to see where an I.P. address is listed. By taking the I.P. address that your mail server accepted the spam from and putting it in those lists, you can determine which ones your mail server operator is likely using or not using. It would be a big surprise for a mail server operator to use the spamcop.net blocking list with out using the other ones, especially the open proxy lists or the spamhaus.org lists. The biggest argument that I have heard against using an open proxy list is that there is a high concern it will block real e-mails. This is from mail server operators that use open relay lists as their primary anti-spam defense. Their lack of understanding of why their logic is faulty is amazing, and it is always amazing that they can not be convinced of their error. Such mis-understandings usually translate too - "I barely got this mail server thing working, and if I change anything, it will probably break, and my boss will discover I have no clue of what I am doing". The simple issues are: An open relay is usually a real mail server that is misconfigured, so blocking open relays is probably going to have a measurable chance of causing a real e-mail to be blocked. 
An open proxy is usually a computer that is not intentionally a mail server, so blocking an open proxy has a much lower chance of blocking a real e-mail, than the open relay lists that the mail server operator is already using. Now is there any way to make it clearer that anyone using an open relay list, but not using an open proxy list, clearly does not have a good technical understanding of what they are doing? >> Statistics from one of my mail server operators show that the >> spamcop.net blocking list is only catching 3% of the spam. The majority >> of spam is removed by more conservative blocking lists. > > I think you meant liberal. SCBL would be considered conservative, since > one of it's aims is to block as little valid email as possible. Pardon > the nit picking... No, I mean conservative. The other blocking lists try not to list production mail servers unless there is either a documented security problem with them or that the mail server operator has through action or inaction allowed the mail server to be freely used by spammers. Spamcop.net will list real mail servers and has a much higher chance of causing collateral damage than the conservative lists. Using the spamcop.net list to reject e-mail will only block a small percentage more of the spam sources that the conservative lists will block, but is more likely to reject a real e-mail. The spamcop.net blocking list is more useful on a scoring system where additional tests can usually confirm that an item is spam, where in many cases, many of those tests by themselves could cause false positives. >> Other statistics that I am seeing indicate that the bulk of the spam is >> coming from dynamic pools, which many mail server operators block. > > Thanks for the info! > >> But do not submit I.P. addresses for listing in a dynamic pool unless >> you have strong evidence that the I.P. address is dynamic, as the >> processing of them is completely manual.
> > Ah, if I had the kung fu (time + effort) to do this! I once kept track > of some of the IP addresses used by one spammer as they sent one > particular email campaign. I recorded well over 100 different addresses > before I got tired, many from vastly differing blocks, none reused. > This has nothing to do with the open proxy issue, but just to say that > spammers have the "whack-a-mole" game down pat. If you are getting that volume of spam, it indicates that there is a hole in your ISP's spam defences. I kept track for almost a year of spam from DHCP pools which basically proved that a comercial DHCP pool listing service was missing many very large and very well known DHCP pools. That mail server operator switched to using the SORB dhcp pool list, and that made a significant reduction in the spam leakage. One of the results of the tests showed that the spammers were apparently assuming that the dhcp address block that they spammed from was probably blocked for about two months, and then they would recycle it. Of course that could be the time that I.P. address was sitting in one of the open proxy lists that age out their listings. > If the open proxy determination was simple and bullet proof, I don't > see a reason why it shouldn't be used to prevent known chronic repeat > offenders from moving back into my neighborhood, to borrow from a > different analogy. Too many mail server operators or ISP operators do not have a clue of what they are doing. Too many of them are trying to do spam filtering by content analysis instead of source I.P blocking, because that is what most of the commercial spam filtering companies offer. Too many clueless media reporters mis-report the spam issue. Most media reports I have read present following statements as fact, with no data at all to back them up. 1. DNSbls are evil and will regularly cause real e-mail to be lost. 2. Content filtering from their (potential) advertisers is state of the art. 3. 
Spammers make big money from people buying spamvertized items. (It seems that the big money is selling spamming kits, not spamming, most of the actual spammers seem to never make back even a fraction of what they spent to get started - It is just a pyramid scam) They also omit the following information: 1. That blocking of e-mail and other packets has shown to be the only way to motivate a large number of network operators to do anything at all about abuse coming from their systems. 2. That once those blocks become noticed by a critical paying customer, the ISP allowing spam to be sent seems to be able to clean up the problem almost instantaneously, even though up to that point they were making excuses about how hard the job is, and how much time it will take. 3. Never ask one of the blocked ISP's why they are providing services for a web site advertising illegal items? 4. Never ask one of the blocked ISP's why they are keeping a customer that can be verified to be attempting to spam through open proxies? 5. Omit disclosing that they hope to sell advertising to the network operators that permit spam to be sent. 6. Ignore all tests that show that the DNSbls are more accurate both at detecting spam and real e-mail than any of the commercial content filters. 7. Never point out that large mail server operators pay a metered rate for their connection, so that to use content filtering greatly increases their cost. Too many ISP users do not realize what the state of the art is in spam blocking, so they do not realize that all their ISP is offering is a placebo for spam filtering so that they can claim that they care, while just passing on the extra charges for doing an incompetent job. If an ISP wanted to really hurt the spammers, they would use the sbl.spamhaus.org list at their border routers to block access to the spammer's web pages. (or spews, if they really wanted to be a BOFH).
This would make it obvious to the most of the spammers that no one at that ISP could even visit their web site to order the product should their spew get through their filters. Also too many people are not bugging their elective officials to hold ISP's corporate officers criminally responsible for not taking action against customers that are still using their services after one business day that the ISP should have received a notification. And make sure that the law indicates that the ISP is still liable if their abuse or postmaster e-mail address rejected or deleted the notification, or if they were a day behind in processing abuse/postmaster issues. -John wb8tyw@qsl.network Personal Opinion Only From nobody at xyzzy.claranet.de Wed Feb 2 16:35:06 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Feb 2 10:40:04 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: <4200F32A.44B@xyzzy.claranet.de> Ellen wrote: > In any case the 24 hour clock runs off the valid timestamp > from the last reported spam headers not the time that a user > reported it. Minus cases when SC believes in the timestamps of infosat.net instead of cesmail.net - SCNR. Something completely different: In 2004 I used "last answered by Ellen" in the spamcop.routing NG as "timestamp" to mark all prior articles as "old", is that still how it works ? Bye, Frank From nospam at nospam.org Wed Feb 2 16:42:55 2005 From: nospam at nospam.org (geo_splash_12) Date: Wed Feb 2 10:45:04 2005 Subject: [SpamCop-List] Re: Spamcop Statistics In-Reply-To: References: Message-ID: Dorian Gray wrote: > In article , > "WazoO" wrote: > > >>"Dorian Gray" wrote in message >>news:D.Gray-041775.14350301022005@news.cesmail.net... >> >>>In article , >>> "WazoO" wrote: >>> >>> >>>>>>Julian .... those charts track whatever he's got them pointed to, >>>>>>and what's behind that curtain has been described in the past >>>>>>as "not for public discussion" ... 
>>>>> >>>>>Been described in the past, by whom? I only recall WazoO saying such >>>>>things as "not for public discussion". >>>> >>>>Dialog between Julian, Don, Deputies and myself have included >>>>facts and conditions described as "not for public discussion" ... >>> >>>What dialog? Described by whom? Show me. >> >>Your request doesn't make a lot of sense, but here's some background; >>http://forum.spamcop.net/forums/index.php?showtopic=1939 >>http://forum.spamcop.net/forums/index.php?showtopic=2030 >>http://forum.spamcop.net/forums/index.php?showtopic=2559 > > > None of the those forum threads even go close to answering the question > about the statistics, and only one actually mentions the statistics. > But they do confirm my point that only WazoO has used words like "not > for public discussion". The comments by Richard, Ellen and Julian that > appear there (forwarded by WazoO) seem as helpful as possible, and don't > say anything about restricting information. However they are talking > about mole reporting, not the statistics, so don't help us with the > question about the stats. > > So, does anyone *else* know of any explanations, that they are willing > to share? Alternatively, does anyone from Spamcop know the explanation, > but can't share it, and are willing to say so? > > Cheers. I can very well imagine that the spamcop wizkids don't want to reveal too much about the statistics since foes would also be interested. -- And your Chinese exchange student asks: what does it mean "I'm busy". Location 51 57'N 4 28'E From D.Gray at picture.oscar.wilde Wed Feb 2 15:52:37 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Wed Feb 2 10:55:03 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: In article , Dorian Gray wrote: > So, does anyone *else* know of any explanations, that they are willing > to share? Alternatively, does anyone from Spamcop know the explanation, > but can't share it, and are willing to say so? P.S. 
Here (repeated) are the things about which we were after explanation if possible: "I also am interested in an explanation of aspects of the statistics. I *think* the drop in the second half of September, and sustained lower levels of submitted spam since then, correspond to the change in the limit on the age of accepted spam from 3 to 2 days, which IIRC also went with a recommendation that only spam less than 24 hours old was of any real usefulness to Spamcop. Can someone confirm this? The spikes in late-Oct and January are intriguing. Being a Mac-only user now, I'm not familiar with recent Windows virus/worm outbreaks, which perhaps provide an explanation? If so, which ones correspond to the spikes? Also, can anyone explain why the spike in submitted spam in late-Oct went with a corresponding spike in reports sent, while the spikes in submitted spam in January did not? Cheers." From kenbrody at spamcop.net Wed Feb 2 11:00:44 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Feb 2 11:05:05 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: <4200F92C.72CCF96B@spamcop.net> Michael Lefevre wrote: > > Miss Betsy wrote: > > "Steven Maesslein" wrote in message > > news:slrnd01d5d.mt.nobody@127.0.0.1... > >> On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into > > spamcop and > >> left this in : > >> > >> > The SpmCopDNSbl listing will expire automatically within 48 > > hours > >> > of the last report of spam from it. > >> > >> This isn't quite accurate as I understand it. > >> > > Technically, you are correct. The point of this FAQ is to go from > > 'easy to understand' general statements (for most of the people who > > come to find out why they are blocked) to the more specific > > technical details. 
> > It should be possible to do that by leaving out detail - making things > technically incorrect in the process of simplifying isn't good, because if > people do go further than reading the FAQ and are then told something > contradictory, it causes more problems than it solves. Perhaps change: The SpmCopDNSbl listing will expire automatically within 48 hours of the last report of spam from it. ^^^^^^^^^^^^^^^^^^^ to: The SpmCopDNSbl listing will expire automatically within 48 hours of the last reported spam from it. ^^^^^^^^^^^^^^^^^^ > And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside from > missing the "a" from SpamCop, it's generally called the SpamCop BL - given > that the audience for the document are unlikely to know what a DNSBL is, > there's no point in adding extra letters... -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From eddie at eddie.web Wed Feb 2 11:30:01 2005 From: eddie at eddie.web (eddie) Date: Wed Feb 2 11:30:33 2005 Subject: [SpamCop-List] don`t be an asshole Ethan Message-ID: (Subject of recent spam) Now that's really the way to attract customers. I believe that this shows not just the complete idiocy of the spamkiddys, but their total lack of knowledge about anyone outside their moronic group. They truly believe everyone speaks this way, just because all their friends do so. 
From eddie at eddie.web Wed Feb 2 12:03:15 2005 From: eddie at eddie.web (eddie) Date: Wed Feb 2 12:05:02 2005 Subject: [SpamCop-List] Re: don`t be an asshole Ethan References: Message-ID: On Wed, 02 Feb 2005 11:30:01 -0500, eddie scratched out the following: >From the same gang that shoots with their assholes comes this line from a spam without a URL, duh :) "I don't usually do this but, how would you like to keep me some company? My Asshole Husband works night shifts, which makes me very lonely at night" Besides being lower-chakra kiddies with no imagination or language skills, who would be interested in a woman so stupid to marry an "Asshole Husband?" I can smell her from here. Her problem is not her husband - he's out with a beautiful blond - he can't stand the crabs and the smell either :) Do people really respond to this stuff? If they do, they deserve whatever they get. From nobody at spamcop.net Wed Feb 2 12:11:27 2005 From: nobody at spamcop.net (Ellen) Date: Wed Feb 2 12:30:02 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: <4200F32A.44B@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:4200F32A.44B@xyzzy.claranet.de... > > In 2004 I used "last answered by Ellen" in the spamcop.routing > NG as "timestamp" to mark all prior articles as "old", is that > still how it works ? If that is a broad hint that I haven't been in the routing group in a long while -- you are correct. If the mail load ever decreases I might actually have time to get over there and plow thru the backed up posts. Ellen From nobody at spamcop.net Wed Feb 2 12:12:48 2005 From: nobody at spamcop.net (Ellen) Date: Wed Feb 2 12:30:07 2005 Subject: [SpamCop-List] Re: Report history for an IP? References: Message-ID: "Joe Grover" wrote in message news:ctqout$i34$1@news.spamcop.net... > > I doubt this was the problem this morning, as I've only seen 2 of these > complaints over the past several months. 
None of the other Spamcop > complaints I've received have had anything to do with any of our SMTP > servers, so naturally I'm curious as to what "abuse" resulted in two servers > being listed this morning. > Write to deputies@admin.spamcop.net with the IPs and/or use one of the forms on the website to generate a mail to us and someone will look and see what is happening. We are very backed up on mail so the response may not be immediate. Ellen SpamCop From nobody at spamcop.net Wed Feb 2 12:14:32 2005 From: nobody at spamcop.net (Ellen) Date: Wed Feb 2 12:30:10 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-7D1430.15111402022005@news.cesmail.net... > > So, does anyone *else* know of any explanations, that they are willing > to share? Alternatively, does anyone from Spamcop know the explanation, > but can't share it, and are willing to say so? > There are various reasons why you may see anomolies in the stat graphs. I cannot go into detail about them. Ellen SpamCop From nobody at nowhere.invalid Wed Feb 2 18:44:18 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Feb 2 12:45:05 2005 Subject: [SpamCop-List] Re: don`t be an asshole Ethan References: Message-ID: On Wed, 02 Feb 2005 11:30:01 -0500, eddie coughed into spamcop and left this in : > They truly believe everyone speaks this way, just because all their > friends do so. Friends? :) -- Steve The original point and click interface was a Smith & Wesson. From DougThegarden at hotmail.com Wed Feb 2 18:05:15 2005 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Wed Feb 2 13:10:05 2005 Subject: [SpamCop-List] Re: don`t be an asshole Ethan In-Reply-To: References: Message-ID: eddie wrote: > > Do people really respond to this stuff? > You just have. 
Doug From nobody at devnull.spamcop.net Wed Feb 2 13:13:12 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed Feb 2 13:15:05 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: Michael Lefevre wrote: > Pop wrote: ... > Actually, I think it would be better to keep it as one > document and make > it shorter, with links to a better resource than a forum FAQ > posting. Hmm, good point, especially the "shorter" part. I read your next post too, and tend to agree there, too. Agreed. It should be shorter and more to the point so it'll grab my attention and get me to go to the -relevant- link with some confidence that if it requires another jump to get all the data I need, it'll be obvious to me which link it will be. My original thought was something along the lines of feeling like the other available links at this time aren't very well tied together and it's sometimes hard to know just where to look for something specific (like, why am I blocked, but not literally that issue), or even if one place is enough places to look. It was looking to me like the fuzziness might be duplicated, and, not trusting the rewrites to pull stuff together (NOT a dig at anyone other than human nature), I thought about branching it right there. One thing missing here, I -think-, is an Outline of the overall FAQ system, and IMO that leaves too many options open to those who aren't directly involved. Unless it's there and I just couldn't see it, which is possible. I'm starting to think a good FAQ tree might be in order, even an ASCII tree would be passably functional. So I don't add confusion, I'll draw back again - like I said, I don't feel qualified to make these observations at this time. ; Pop -out- ; Regards, Pop From scott-i at .-N0-SPAMplease.enm.com Wed Feb 2 10:31:06 2005 From: scott-i at .-N0-SPAMplease.enm.com (Scott Townsend) Date: Wed Feb 2 13:35:46 2005 Subject: [SpamCop-List] Who's Using SPAMCOP? Any major players? Reviews by CNET or others? 
Message-ID: Looking for info on what companies are using SPAMCOP to filter their mail. I'd like to use SPAMCOP, though it would be great to present this as a solution to management if I could say that Company X, Y and Z are also using it to filter their mail. Or are there any reviews by CNET or others that recommend SPAMCOP? Thanks, Scott<- From nobodyhere at spamcop.net Wed Feb 2 13:47:51 2005 From: nobodyhere at spamcop.net (Fluffy) Date: Wed Feb 2 13:50:05 2005 Subject: [SpamCop-List] Indigo can't post Message-ID: Sorry about the name, my pet troll is following me and spamming the newsgroup so I had to change. I'm posting this here as well as geeks, in case someone might be able to answer faster. Would he be blocked from the NNTP groups because his server is listed in SORBS? I know that Comcast is rife with open proxies, etc lately..... He says he is getting this message: "Outlook Express could not post your message. Subject 'immigrant thread', Account: 'news.spamcop.net', Server: 'news.spamcop.net', Protocol: NNTP, Server Response: '440 Posting not allowed', Port: 119, Secure(SSL): No, Server Error: 440, Error Number: 0x800CCCA9" Used SC to check his posting IP: Parsing input: pcp0011117988pcs.elkrdg01.md.comcast.net host pcp0011117988pcs.elkrdg01.md.comcast.net (checking ip) = 68.55.204.123 host 68.55.204.123 (getting name) = pcp0011117988pcs.elkrdg01.md.comcast.net. Routing details for 68.55.204.123 [refresh/show] Cached whois for 68.55.204.123 : abuse@comcast.net Using abuse net on abuse@comcast.net abuse net comcast.net = abuse@comcast.net Using best contacts abuse@comcast.net Statistics: 68.55.204.123 not listed in bl.spamcop.net More Information.. 68.55.204.123 not listed in dnsbl.njabl.org 68.55.204.123 not listed in dnsbl.njabl.org 68.55.204.123 not listed in cbl.abuseat.org 68.55.204.123 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 68.55.204.123 not listed in relays.ordb.org. 
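Added example, not part of any poster's message: a Python sketch of the DNSBL lookup behind the "listed in / not listed in" lines pasted above (reversed octets plus the zone name, resolved as an A record), followed by the reject-versus-score split recommended earlier in the thread. The policy table, score weights, threshold and the constructed DNS answers (including the bl.spamcop.net return code in the test data) are assumptions for illustration; the 127.0.0.10 value is the one shown in the post.

```python
import re
import socket

# DNSBL result lines taken from the parser output in the post above (trimmed).
PASTED = """\
68.55.204.123 not listed in bl.spamcop.net
68.55.204.123 not listed in dnsbl.njabl.org
68.55.204.123 not listed in cbl.abuseat.org
68.55.204.123 listed in dnsbl.sorbs.net ( 127.0.0.10 )
68.55.204.123 not listed in relays.ordb.org.
"""

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<neg>not )?listed in "
    r"(?P<zone>[A-Za-z0-9.-]+?)\.?(?: \( (?P<code>[\d.]+) \))?$"
)


def parse_results(text):
    """Map zone -> return code (None when not listed) from pasted output."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            results[m["zone"]] = None if m["neg"] else (m["code"] or "listed")
    return results


def dnsbl_query_name(ip, zone):
    """68.55.204.123 + dnsbl.sorbs.net -> 123.204.55.68.dnsbl.sorbs.net"""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")


def live_resolver(name):
    """Real lookup: an A record means listed, a failed lookup means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip, zones, resolver=live_resolver):
    """Query each zone; only answers inside 127.0.0.0/8 count as listings."""
    results = {}
    for zone in zones:
        answer = resolver(dnsbl_query_name(ip, zone))
        results[zone] = answer if answer and answer.startswith("127.") else None
    return results


# Constructed DNS answers so the example runs offline; they mirror PASTED.
CONSTRUCTED_DNS = {"123.204.55.68.dnsbl.sorbs.net": "127.0.0.10"}

# Assumed mail-server policy: reject on the conservative and dynamic-pool
# lists, and let bl.spamcop.net only contribute to a score.
POLICY = {
    ("sbl-xbl.spamhaus.org", None): "reject",
    ("dnsbl.sorbs.net", "127.0.0.10"): "reject",  # 127.0.0.10 as seen in the post
    ("bl.spamcop.net", None): 3,                  # score weight (assumed)
}
TAG_THRESHOLD = 5  # assumed


def decide(results, other_score=0):
    """Return ("reject", zone) or ("tag"/"accept", total score)."""
    score = other_score
    for zone, code in results.items():
        if code is None:
            continue
        action = POLICY.get((zone, code), POLICY.get((zone, None), 0))
        if action == "reject":
            return "reject", zone
        score += action
    return ("tag" if score >= TAG_THRESHOLD else "accept"), score


if __name__ == "__main__":
    pasted = parse_results(PASTED)
    print(lookup("68.55.204.123", list(pasted), CONSTRUCTED_DNS.get) == pasted)
    print(decide(pasted))
```

Calling `lookup()` without the third argument performs real DNS queries through `live_resolver`.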
From nobody at spamcop.net Wed Feb 2 13:58:56 2005 From: nobody at spamcop.net (Miss Betsy) Date: Wed Feb 2 14:00:05 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: "Ellen" wrote in message news:ctqp8o$i95$1@news.spamcop.net... > > Actually the age off is 24 hours and it has been that for at least a couple > of months now. It is always good to take a glance at the faq every so often: > > http://www.spamcop.net/fom-serve/cache/297.html > > And indeed in any information put together as a resource for users coming to > the forum, newsgroups or elsewhere the faq on the SC website should be > referenced as it is the official source of the operation of the blocklist. > This keeps down the necessity for remembering to update the other > faqs/boilerplates. > > In any case the 24 hour clock runs off the valid timestamp from the last > reported spam headers not the time that a user reported it. I think that the links do reference the 'official' spamcop FAQ (at least for the server admins). My original concept was for non-technically fluent users (who are hopelessly confused by the official FAQ). The end user part is not so much FAQ as an overview on the concept of what has happened and advice on what to do. Since addresses did age off the bl for various reasons, at the time this written, in much less time than 48 hours, saying 'within' makes it accurate for any time within that period without going into all the details and it is still accurate even though the maximum time has changed, though it probably should be changed either to reflect the official time or made even more indefinite. And I did know that it had changed, but didn't think that it was that important to change this FAQ. Admins will want to know exactly when or what the criteria are (which they will find if they use the official FAQ) and end users have no interest. 
Miss Betsy From D.Gray at picture.oscar.wilde Wed Feb 2 18:59:20 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Wed Feb 2 14:00:12 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: In article , "Ellen" wrote: > There are various reasons why you may see anomolies in the stat graphs. I > cannot go into detail about them. Thanks Ellen. By anomalies, do you mean the spikes? Okay, so they'll remain a mystery. But can you go into detail about the consistently lower level of submitted spam since September? Can you say whether or not it simply corresponds to the change in the limit on the age of accepted spam from 3 to 2 days, which IIRC also went with a recommendation that only spam less than 24 hours old was of any real usefulness to Spamcop? Cheers. From nobody at spamcop.net Wed Feb 2 14:07:09 2005 From: nobody at spamcop.net (Miss Betsy) Date: Wed Feb 2 14:05:03 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: <4200F92C.72CCF96B@spamcop.net> Message-ID: "Kenneth Brody" wrote in message news:4200F92C.72CCF96B@spamcop.net... > Michael Lefevre wrote: > > > > Miss Betsy wrote: > > > "Steven Maesslein" wrote in message > > > news:slrnd01d5d.mt.nobody@127.0.0.1... > > >> On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into > > > spamcop and > > >> left this in : > > >> > > >> > The SpmCopDNSbl listing will expire automatically within 48 > > > hours > > >> > of the last report of spam from it. > > >> > > >> This isn't quite accurate as I understand it. > > >> > > > Technically, you are correct. The point of this FAQ is to go from > > > 'easy to understand' general statements (for most of the people who > > > come to find out why they are blocked) to the more specific > > > technical details. 
> > > > It should be possible to do that by leaving out detail - making things > > technically incorrect in the process of simplifying isn't good, because if > > people do go further than reading the FAQ and are then told something > > contradictory, it causes more problems than it solves. > > Perhaps change: > > The SpmCopDNSbl listing will expire automatically within 48 hours > of the last report of spam from it. > ^^^^^^^^^^^^^^^^^^^ > > to: > > The SpmCopDNSbl listing will expire automatically within 48 hours > of the last reported spam from it. > ^^^^^^^^^^^^^^^^^^ I don't think that is accurate either since the basic criteria is the valid date stamp. Perhaps 'valid report' or 'timely report' It is the last report of spam if you look at it as 'last' being the 'last' spam to come from the IP address. There are no other reports since other reports are not counted. > > > And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside from > > missing the "a" from SpamCop, it's generally called the SpamCop BL - given > > that the audience for the document are unlikely to know what a DNSBL is, > > there's no point in adding extra letters... That wasn't my choice, but somebody wanted to be more technical. I suppose the spamcop bl is not considered a DNSBL because it is supposed to tag email. (Or maybe it has nothing to do with that - I am basically technically non-fluent and am just guessing). Miss Betsy From nobody at devnull.spamcop.net Wed Feb 2 13:09:30 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Feb 2 14:10:03 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-452397.18592002022005@news.cesmail.net... > In article , > "Ellen" wrote: > > > There are various reasons why you may see anomolies in the stat graphs. I > > cannot go into detail about them. > > Thanks Ellen. I'm so confused at this point. You give me hell for saying "not for public discussion" .. 
wanting to hear from someone else .... Deputy Ellen states "cannot go into detail" and you offer her thanks. Then strangely enough, continue with the asking of the same questions that you started with. From TJLWBECGSGWU at spammotel.com Wed Feb 2 19:12:08 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Wed Feb 2 14:15:02 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: <6l8201hl5qv8ed0str3s71dhtroj76m9iq@4ax.com> "Fluffy" wrote in : >Sorry about the name, my pet troll is following me and spamming the newsgroup so I >had to change. I'm posting this here as well as geeks, in case someone might be able >to answer faster. Would he be blocked from the NNTP groups because his server is >listed in SORBS? I know that Comcast is rife with open proxies, etc lately..... >... >68.55.204.123 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 127.0.0.10 means he's on their list of dynamic hosts, not a proxy or anything. Using ComCast does guarantee a listing in plenty of places though... http://openrbl.org/ip/68/55/204/123.htm -- Mat. From nobody at spamcop.net Wed Feb 2 14:19:53 2005 From: nobody at spamcop.net (Miss Betsy) Date: Wed Feb 2 14:20:10 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? Editors Welcome References: Message-ID: How is this for a revision: The SpamCop BL listing will expire automatically within a specific period of time based primarily on when the last spam came from that IP address. Miss Betsy From tdy at blackhole.invalid Wed Feb 2 11:19:49 2005 From: tdy at blackhole.invalid (N. Miller) Date: Wed Feb 2 14:20:25 2005 Subject: [SpamCop-List] Re: don`t be an asshole Ethan References: Message-ID: In article , Steven Maesslein says... > The original point and click interface was a Smith & Wesson. I thought it was the Colt Dragoon... 
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at xyzzy.claranet.de Wed Feb 2 20:30:28 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Feb 2 14:35:02 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References: <4200F32A.44B@xyzzy.claranet.de>
Message-ID: <42012A54.5564@xyzzy.claranet.de>

Ellen wrote:

> If that is a broad hint that I haven't been in the routing
> group in a long while

Actually I didn't know, sometimes there were bursts of replies from you, but that didn't happen for about 7 weeks.

> If the mail load ever decreases

With all the new SC features that won't be soon.

Bye, Frank

From nobody at devnull.spamcop.net Wed Feb 2 13:33:37 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Feb 2 14:35:08 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Pop" wrote in message news:ctqqhg$j46$1@news.spamcop.net...
> >
> Hope I'm not jumping the gun; please tell me if I am: As a tech
> writer in my most recent past life, I feel qualified to make a
> couple of observations on format.
>
> Content = pretty good! Fairly clear and concise. Not hard to
> read/understand.

I'm not jumping on you Pop, this just looked like a good starting point here. What is missing from all this mostly appreciated input is that the "home" of this FAQ entry is on the Forum. This means HTML display, links glowing, all that colorful stuff. It had been developed over some time by input from a number of Forum users (and who can forget Mike E.'s call to call the NNTP/HTTP camps totally different nations?) ... After all of that, Miss Betsy snagged a copy of that, did a lot of editing so it would 'render' a bit better as a plain-text item, and made an attempt to answer the call for a "post the FAQ" in the newsgroup.....
The last batch of input is still in the process of being added to the Forum entry (and I note that Miss Betsy didn't go grab another copy of that and start all over again) .. so let me say (and let me take the heat) ... there is a FAQ development section in the Forum structure, set up just for this purpose. There are but just a handful of folks frequenting both places ....

> But(t) :
> Altho I can see it'll make a little work due to overlaps, I
> think this page should be two pages: It gets a little boring and
> dwindles a person's interest when they have to page thru "I'm an
> ISP", "I'm not an ISP", and, woops, wonder if I missed a heading?

And in all fairness again, Miss Betsy had made the same suggestion in either an e-mail or PM to me a bit after the first time she posted this thing into the spamcop.help froup. See the above "still in progress" remark

> I think it should look like:
> ------------------------------
> Why Am I Blocked?
> Probable Causes if:
> -----------------------------
> < x > above = link
> That's clumsy, but I think it makes the point I want to make.
>
> Like I said, tell me if I'm ahead of things here. Not trying to
> be in the way.

Point taken, but please understand how what Miss Betsy posted got to the present entity. I really don't think anyone responding to her has any real idea of how much work went into just getting that accomplished.

> Online vetting; great idea. Best of luck!

That was the way the www.spamcop.net FAQ once worked.

From David1 at suescornerweb.com Wed Feb 2 14:38:04 2005
From: David1 at suescornerweb.com (David 1)
Date: Wed Feb 2 14:40:03 2005
Subject: [SpamCop-List] Re: Spamcop Statistics
In-Reply-To:
References:
Message-ID:

WazoO wrote:

> "Dorian Gray" wrote in message
> news:D.Gray-452397.18592002022005@news.cesmail.net...
>
>>In article ,
>> "Ellen" wrote:
>>
>>
>>>There are various reasons why you may see anomalies in the stat graphs.
>
> I
>
>>>cannot go into detail about them.
>>
>>Thanks Ellen.
>
>
> I'm so confused at this point. You give me hell for saying
> "not for public discussion" .. wanting to hear from someone
> else .... Deputy Ellen states "cannot go into detail" and you
> offer her thanks. Then strangely enough, continue with the
> asking of the same questions that you started with.
>
>

get used to it Wazoo, you get lots of folks like that, just shake your head & walk away, no matter what your answer is it's wrong even if "sc personnel" give the same answer if it matters folks like me do thank you for your work.

--
David 1
bad addy spamtrap@suescornerweb.com

From eddie at eddie.web Wed Feb 2 14:37:50 2005
From: eddie at eddie.web (eddie)
Date: Wed Feb 2 14:40:09 2005
Subject: [SpamCop-List] Re: don`t be an asshole Ethan
References:
Message-ID:

On Wed, 02 Feb 2005 18:05:15 +0000, Doug Thegarden scratched out the following:

> eddie wrote:
>>
>> Do people really respond to this stuff?
>>
>>
> You just have.
>
> Doug

I suppose you have too but of course you know what I meant, or so I hope.

From eddie at eddie.web Wed Feb 2 14:41:23 2005
From: eddie at eddie.web (eddie)
Date: Wed Feb 2 14:45:03 2005
Subject: [SpamCop-List] Re: don`t be an asshole Ethan
References:
Message-ID:

On Wed, 02 Feb 2005 18:05:15 +0000, Doug Thegarden scratched out the following:

> eddie wrote:
>>
>> Do people really respond to this stuff?
>>
>>
> You just have.
>
> Doug

I suppose you have too but of course you know what I meant, or so I hope. There is a difference between commenting upon and responding to.

From tdy at blackhole.invalid Wed Feb 2 11:41:08 2005
From: tdy at blackhole.invalid (N. Miller)
Date: Wed Feb 2 14:45:06 2005
Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report"
References: <41FDCF01.5981@xyzzy.claranet.de>
Message-ID:

In article <41FDCF01.5981@xyzzy.claranet.de>, Frank Ellermann says...

> Besides "communigate pro" is IMNSHO always a very bad sign.

It is not for me...
http://www.spamcop.net/sc?id=z727656642z65e35da3ee1532f978b0ec2c70625142z

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at devnull.spamcop.net Wed Feb 2 13:42:56 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Feb 2 14:45:09 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Ellen" wrote in message news:ctqp8o$i95$1@news.spamcop.net...
>
> Actually the age off is 24 hours and it has been that for at least a couple
> of months now. It is always good to take a glance at the faq every so often:
>
> http://www.spamcop.net/fom-serve/cache/297.html

Just noting that as per yet another recent major change in that FAQ, some type of notice would be much appreciated that these changes had taken place. As is, there has yet to be any "ownership" attributed to the last "big" change, other than the included bit of advertising for some hardware appliance ....

> And indeed in any information put together as a resource for users coming to
> the forum, newsgroups or elsewhere the faq on the SC website should be
> referenced as it is the official source of the operation of the blocklist.
> This keeps down the necessity for remembering to update the other
> faqs/boilerplates.

In fact, the Forum FAQ includes the content (pointers) right back to the www.spamcop.net FAQ ... but that still doesn't show any indication that the 'official' FAQ has been changed. (Dang it, yet another reminder that one of the first links in the Forum FAQ points to a www.spamcop.net entry that got whacked.)

> In any case the 24 hour clock runs off the valid timestamp from the last
> reported spam headers not the time that a user reported it.

Funny, there was just a bit of a discussion 'over there' that has some confusion over the 24 / 48 hour thing ...
http://forum.spamcop.net/forums/lofiversion/index.php/t3585.html

From nobody at spamcop.net Wed Feb 2 14:26:18 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Feb 2 15:10:02 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Miss Betsy" wrote in message news:ctr7n0$spf$1@news.spamcop.net...
>
>
> Since addresses did age off the bl for various reasons, at the time
> this written, in much less time than 48 hours, saying 'within'
> makes it accurate for any time within that period without going
> into all the details and it is still accurate even though the
> maximum time has changed, though it probably should be changed
> either to reflect the official time or made even more indefinite.
> And I did know that it had changed, but didn't think that it was
> that important to change this FAQ. Admins will want to know
> exactly when or what the criteria are (which they will find if they
> use the official FAQ) and end users have no interest.
>

If you are going to write and post something called a faq that someone new who comes into either the newsgroups or forums is going to be pointed to or which it is likely that they will fall across on the way in, then it should be accurate. When people see "faq" then they assume that the information is the official information for the site as they have no way of knowing otherwise.

The criteria for the blocklist changes periodically and the official information on the website is what should be pointed to. People who see some article calling itself a faq expect it to reflect reality. It really does make a difference that people know the current expiration is 24 hours with no new reports and not 48 hours.

And end users have *great* interest in knowing when something is going to delist -- our mail is overflowing with questions from end users as to when a listing is going to go away. In many cases, the end user is a whole lot more interested from what I can see.
Ellen
SpamCop

From nobody at spamcop.net Wed Feb 2 14:56:57 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Feb 2 15:10:08 2005
Subject: [SpamCop-List] Re: Spamcop Statistics
References:
Message-ID:

"Dorian Gray" wrote in message news:D.Gray-452397.18592002022005@news.cesmail.net...
> In article ,
> "Ellen" wrote:
>
> > There are various reasons why you may see anomalies in the stat graphs. I
> > cannot go into detail about them.
>
> Thanks Ellen. By anomalies, do you mean the spikes?

the things that people ask about -- which include spikes, dips and other variations from the presumable norm

>Okay, so they'll
> remain a mystery. But can you go into detail about the consistently
> lower level of submitted spam since September?

No

>Can you say whether or
> not it simply corresponds to the change in the limit on the age of
> accepted spam from 3 to 2 days, which IIRC also went with a
> recommendation that only spam less than 24 hours old was of any real
> usefulness to Spamcop?

The vast majority of the spam reports are and were submitted in under 24 hours or less and the traps run in near realtime.

Ellen
SpamCop

From tdy at blackhole.invalid Wed Feb 2 12:41:08 2005
From: tdy at blackhole.invalid (N. Miller)
Date: Wed Feb 2 15:45:06 2005
Subject: [SpamCop-List] Is this a broken mail host?
Message-ID:

This is a question that arises from the manner in which I handle spam from a Dark Horse Comics web mail account (listed in Mailhosts as "facehugger.com"!) In order not to examine spam items within the web access, I have only two options available:

A. Forward (re-writes message as a new item, with wholly new headers).
B. Redirect (appends new headers to show route from host, four key original headers have "X-Original-" prepended).

Background:
-----------
SpamCop throws an error if I redirect to my SC reporting address.
Oddly, if I redirect to a local account, then forward the redirected message to the SC reporting address as an attachment, the SC parser will then accept the message. I have, in the past, drastically edited the headers to restore the original appearance; but that is actually making material changes, as I understand the FAQ, so I discontinued the practice shortly after using it.
-----------

Sometimes a parse, using this arrangement, will display the "Yum, this spam is fresh!" tag, but with "Messsage is old", no indication of how many hours old. A recent tracker will help explain my question:

http://www.spamcop.net/sc?id=z727485666z26ea4d0b2d7eee01abadf8796f84a78cz

Looking at the lines which show timestamps I have:

--------------------------------------
Received: from gator.darkhorse.com (209.95.33.140) by aosake.net
    (Mercury/32 v4.01b) with ESMTP ID MG000008;
    1 Feb 2005 09:15:43 -0800
--------------------------------------

Which is the server to which the message was redirected. Aosake.net is configured as a mailhost.

--------------------------------------
Received: by gator.darkhorse.com (CommuniGate Pro PIPE 4.2.8)
Received: from host81-132-217-183.range81-132.btcentralplus.com
    ([81.132.217.183] verified)
--------------------------------------

SC properly recognizes the source, and reports it as such. But there is no timestamp here.

--------------------------------------
X-Original-Date: Tue, 01 Feb 2005 04:20:36 -0100
--------------------------------------

Who stamped this line?

The SpamCop parse apparently accepted the timestamp of aosake.net for determining the time of the message. The aosake.net timestamp would be 17:15:43 GMT? (Reversing the -0800 in the PDT stamp.) So the "X-Original- Date:" stamp should be 05:20:36 GMT? But I shouldn't trust that second timestamp, right?

Is something broken with "facehugger.com" (the configured mailhost ID) that "gator.darkhorse.com" is not stamping the time when it receives the message?
I may need to watch the reports more closely, because I may have to manually cancel reports which are actually over the time limit?

I guess I should get off my duff and question the administration of the DHC ("facehugger.com", according to Mailhosts) servers. It seems that between their implementation of SpamAssassin (sometimes breaks the headers), and the lack of rational timestamps, there may be serious problems with reporting spam to that account.

P.S. Both aosake.net and gator.darkhorse.com are configured as "Mailhosts"; the former is my own domain, and listed by the domain name, the latter is listed in "Mailhosts" as "facehugger.com"; probably because the first person with a DHC account to configure the server as a mailhost had an email address in the "facehugger.com" domain. My DHC account is in the "ahmegami.net" domain. There are currently 36 domains total, all relating to some comic story published by Dark Horse Comics. All should be handled by the "gator.darkhorse.com" servers. If it were up to me, the mailhost name would be one of; "gator.darkhorse.com", "Dark Horse Comics", or just "DHC".

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From tdy at blackhole.invalid Wed Feb 2 12:53:09 2005
From: tdy at blackhole.invalid (N. Miller)
Date: Wed Feb 2 15:55:06 2005
Subject: [SpamCop-List] Did my ISP cache the DNS lookup?
Message-ID:

Last night I submitted a spam for processing. The SpamCop parser could not resolve the link in the body:

http://www.spamcop.net/sc?id=z727656642z65e35da3ee1532f978b0ec2c70625142z

Submitting the link to DNSStuff indicated no "A record" for the domain in the URL:

http://www.dnsstuff.com/tools/lookup.ch?name=www.mymedcart.com&type=A

At the time I was working on the spam, I tried that domain name in Sam Spade for Windows, which uses my ISP's DNS servers.
The result then was:

02/01/05 21:41:54 dns www.mymedcart.com
Canonical name: www.mymedcart.com
Addresses:
  218.30.21.33

...and a safe browser actually pulled the raw data for the page from my Internet connection. Now SS is showing:

02/02/05 12:42:12 dns www.mymedcart.com
No DNS for this address (host doesn't exist)

Did I get lucky, and find the host before my ISP's DNS system got caught up with a change?

Just curious.

P.S. I did send a manual notify, using the Sam Spade template, on the assumption that, if I could get there from here, it would be a legitimate reason for the notify. SpamCop was only involved to the extent that I ran the IP address, only, to compare the notify recipients with the Sam Spade results. The SC notify only went to the spam source, not to the hosts. I did not make any material changes to the spam item to trick the parser into including the web host in the SC notify.

P.P.S. The Sam Spade date convention seems to follow U.S. practice: mm/dd/yy.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From MikeE at ster.invalid Wed Feb 2 13:12:32 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Feb 2 16:15:03 2005
Subject: [SpamCop-List] Re: Indigo can't post
References:
Message-ID:

Fluffy wrote:

> Would he be
> blocked from the NNTP groups because his server is listed in SORBS?

No. Unless something unusual is going on in the newsgroup management end to cope with the proxy abusing newsgroup trolls, there wouldn't be any blocking on the basis of any kind of dnsbl blocklists.

If he hasn't been blocked accidentally by something involved with the troll problem, then I would next suspect that something is 'screwed up' with the/his spamcop newsserver account in OE.

If that were happening to me, I would R&R the spamcop newsserver account. That is, OE/ Tools/ Accounts/ News tab - select the news.spamcop.net newsserver and then the Remove button.
Then I would recreate the account in that same account place with the New button..

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Feb 2 17:02:22 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Wed Feb 2 17:00:02 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Ellen" wrote in message news:ctrc2k$12h$1@news.spamcop.net...
>
> "Miss Betsy" wrote in message
> news:ctr7n0$spf$1@news.spamcop.net...
> >
> >
> > Since addresses did age off the bl for various reasons, at the time
> > this written, in much less time than 48 hours, saying 'within'
> > makes it accurate for any time within that period without going
> > into all the details and it is still accurate even though the
> > maximum time has changed, though it probably should be changed
> > either to reflect the official time or made even more indefinite.
> > And I did know that it had changed, but didn't think that it was
> > that important to change this FAQ. Admins will want to know
> > exactly when or what the criteria are (which they will find if they
> > use the official FAQ) and end users have no interest.
> >
>
> If you are going to write and post something called a faq that someone new
> who comes into either the newsgroups or forums is going to be pointed to or
> which it is likely that they will fall across on the way in, then it should
> be accurate. When people see "faq" then they assume that the information is
> the official information for the site as they have no way of knowing
> otherwise.

It is 'accurate' and much more informative than the 'official' FAQ for the newbie, non-technically fluent person.

>
> The criteria for the blocklist changes periodically and the official
> information on the website is what should be pointed to. People who see some
> article calling itself a faq expect it to reflect reality. It really does
> make a difference that people know the current expiration is 24 hours with
> no new reports and not 48 hours.
The point of this FAQ is that a lot of people do not access the 'official' FAQ before posting or don't understand it. Several people asked why no one posted a periodic FAQ in the ng the way that other ngs do. If someone 'official' wants to do that, please let me know.

>
> And end users have *great* interest in knowing when something is going to
> delist -- our mail is overflowing with questions from end users as to when a
> listing is going to go away. In many cases, the end user is a whole lot more
> interested from what I can see.

Well, see how well they understand the official FAQ. If they did understand it, they would know that it is more or less useless for them to be trying to find out when their IP address ages off since it is their ISP's policies (or lack thereof) that put their email on the bl. If the ISP is not careful about spam, they will just have more problems. They are wasting their time trying to find out when it ages off especially by writing to spamcop instead of complaining to their ISP and making them find out when their email is going to be reliable again.

Miss Betsy

From eddie at eddie.web Wed Feb 2 17:19:12 2005
From: eddie at eddie.web (eddie)
Date: Wed Feb 2 17:20:03 2005
Subject: [SpamCop-List] are we down?
Message-ID:

Online spam reporting reports:
"Service Unavailable
The server is temporarily unable to service your request. Please try again later."

From David1 at suescornerweb.com Wed Feb 2 17:31:31 2005
From: David1 at suescornerweb.com (David 1)
Date: Wed Feb 2 17:35:13 2005
Subject: [SpamCop-List] Re: are we down?
In-Reply-To:
References:
Message-ID:

eddie wrote:

> Online spam reporting reports:
> "Service Unavailable
> The server is temporarily unable to service your request. Please try again
> later."
guess so that's what I got just now also

--
David 1
bad addy spamtrap@suescornerweb.com

From nobody at xyzzy.claranet.de Wed Feb 2 23:44:14 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Feb 2 17:45:03 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID: <420157BE.4C05@xyzzy.claranet.de>

Miss Betsy wrote:

> The point of this FAQ is that a lot of people do not access
> the 'official' FAQ before posting or don't understand it.

Ellen's point is probably, that deputies@ get numerous mails from whining users of blocked MTAs, and if your text somehow indicates that their MTA might be blocked for two days, then they might send really annoying mails to deputies@

"24 hours after the last spam was sent" is much more friendly for these upset users.

> see how well they understand the official FAQ.

Whining users don't read FAQs. But if they do it against all odds they might find your text, and that should be as correct as possible.

> If they did understand it

Whining users don't want to understand FAQs. They want fuel for their flame throwers. And "24" is less fuel than "48" ;-)

Bye, Frank

From agent01413 at my-deja.com Wed Feb 2 22:59:14 2005
From: agent01413 at my-deja.com (Socks)
Date: Wed Feb 2 18:00:08 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

Maurice Tszorf wrote in news:ctnl14$8jn$1@news.spamcop.net:

> Hi,
>
> I am new to this forum.
>
> I am confronted with constant blocking of my email addresses. It
> started when I began using it for a mailing list. I can receive mails,
> but I cannot send off a single mail, no matter to what destination,
> for some 24 hours, after which the block sets in again the minute I
> send a message to the mailing list.
>
> This is tyranny. I need the email for business, and I would like to
> know how I can prevent being blocked constantly.
>
> Thanks,
> Maurice

leave barak.net.il they have a track record of ignoring spam complaints.
nanas has extensive recent sightings of spam coming from that domain. Avoid gilat though. They are just as bad.

it isn't your email address being blocked. it is your IPA.

Also, Spamcop is not unique in listing you. A large number of the different databases report receiving spam from your IP range. Port 1834 is listed as an open proxy, so for starters you might secure that.

oh, and it's not tyranny. if you don't like it, don't use it. Tyranny is thinking that you or anyone have the right to force people to accept your mail. We don't.

--
"Some witty person in rec.arts.sf.composition (I forget who) called them feral apostrophes. Untamed, unregulated, they roam the wastes of the English language and pop up where lea'st expected."

From nobody at devnull.spamcop.net Wed Feb 2 17:10:48 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Feb 2 18:15:04 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Ellen" wrote in message news:ctqp8o$i95$1@news.spamcop.net...
>
> Actually the age off is 24 hours and it has been that for at least a couple
> of months now. It is always good to take a glance at the faq every so often:
>
> http://www.spamcop.net/fom-serve/cache/297.html
>
> And indeed in any information put together as a resource for users coming to
> the forum, newsgroups or elsewhere the faq on the SC website should be
> referenced as it is the official source of the operation of the blocklist.
> This keeps down the necessity for remembering to update the other
> faqs/boilerplates.
>
> In any case the 24 hour clock runs off the valid timestamp from the last
> reported spam headers not the time that a user reported it.

Just a bit of a problem in what I'm seeing ... the Forum FAQ does point to your referenced link. However, reading that official FAQ entry here's what I'm reading right now;

-=-=-=-=-=-=-=-=-
Important Disclaimers:
This description is subject to change and may be out of date.
-=-=-=-=-=-=-=-=-

(just for starters) ..
but later on in the text;

-=-=-=-=-=-=-=-=-
The SCBL weights reports depending on how recently the mail was received (or "freshness"):
The SCBL counts the most recently received reports 4:1.
The SCBL counts reports for email 48 hours and older 1:1, with a linear sliding scale between the most recent and 48 hours past.
With only two reports against an IP address, the SCBL will list the IP address for a maximum of 12 hours after the most recent reported mail was sent.
The SCBL will not list an IP address if there are no reports against it within 24 hours.
-=-=-=-=-=-=-=-=-

As Miss Betsy states .... this is over the head of a lot of folks, and picking the "right and correct" number out of all that is a bit difficult, depending on whether you are talking to the ISP involved, an end-user complaining about e-mail being blocked, or the spam reporter asking why the report sent 10 minutes ago didn't "do" anything ...

From MikeE at ster.invalid Wed Feb 2 15:43:35 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Feb 2 18:45:03 2005
Subject: [SpamCop-List] Re: Is this a broken mail host?
References:
Message-ID:

N. Miller wrote:

> A recent tracker will help explain my question:
> www.spamcop.net/sc?id=z727485666z26ea4d0b2d7eee01abadf8796f84a78cz
>
> Looking at the lines which show timestamps I have:
>
> --------------------------------------
> Received: from gator.darkhorse.com (209.95.33.140) by aosake.net
> (Mercury/32 v4.01b) with ESMTP ID MG000008;
> 1 Feb 2005 09:15:43 -0800
> --------------------------------------

That is a healthy proper Received traceline.

> Which is the server to which the message was redirected. Aosake.net is
> configured as a mailhost.
>
> --------------------------------------
> Received: by gator.darkhorse.com (CommuniGate Pro PIPE 4.2.8)
> Received: from host81-132-217-183.range81-132.btcentralplus.com
> ([81.132.217.183] verified)
> --------------------------------------
>
> SC properly recognizes the source, and reports it as such.
> But there
> is no timestamp here.

That part of the headers is non-compliant; it [the traceline] is supposed to have a 'from' field which includes the IP from which it received the item and a 'by' field which has its domainname and a timestamp.

It can have lines with 'Received: by' or 'Received: from' which aren't structured like my example below, but it needs/ is supposed to have/ a line with all of the appropriate 'values' to be a proper trace line. There should be a line which sez:

Received: from host81-132-217-183.range81-132.btcentralplus.com ([81.132.217.183] verified) by gator.darkhorse.com (CommuniGate Pro PIPE 4.2.8); 01 Feb 2005 09:12:31 -0800

or, generically,

Received: from source.IP.address by domain.name at datestamp

> --------------------------------------
> X-Original-Date: Tue, 01 Feb 2005 04:20:36 -0100
> --------------------------------------
>
> Who stamped this line?

Xlines aren't reliable. They may be true and stamped by your provider, they may be true and stamped by some other provider, or they may be bogus and put in by the spammer. That one looks bogus to me.

> The SpamCop parse apparently accepted the timestamp of aosake.net for
> determining the time of the message. The aosake.net timestamp would be
> 17:15:43 GMT? (Reversing the -0800 in the PDT stamp.) So the
> "X-Original- Date:" stamp should be 05:20:36 GMT? But I shouldn't
> trust that second timestamp, right?

Correct.

> Is something broken with "facehugger.com" (the configured mailhost
> ID) that "gator.darkhorse.com" is not stamping the time when it
> receives the message?

Yes. See above.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Feb 2 19:16:45 2005
From: nobody at devnull.spamcop.net (Fluffy)
Date: Wed Feb 2 19:40:12 2005
Subject: [SpamCop-List] Re: Indigo can't post
References:
Message-ID:

"Mike Easter" wrote in message news:ctrfmq$3f7$1@news.spamcop.net...
>
> If that were happening to me, I would R&R the spamcop newsserver
> account.
> That is, OE/ Tools/ Accounts/ News tab - select the
> news.spamcop.net newsserver and then the Remove button. Then I would
> recreate the account in that same account place with the New button..

He tried all that - no joy. Any more ideas?

From nobody at devnull.spamcop.net Wed Feb 2 19:19:42 2005
From: nobody at devnull.spamcop.net (Fluffy)
Date: Wed Feb 2 19:40:31 2005
Subject: [SpamCop-List] Re: Indigo can't post
References:
Message-ID:

"Mike Easter" wrote in message news:ctrfmq$3f7$1@news.spamcop.net...
>
> If he hasn't been blocked accidentally by something involved with the
> troll problem, then I would next suspect that something is 'screwed up'
> with the/his spamcop newsserver account in OE.
>

(I love being the messenger, they always get shot)....

Indi says: "I just remembered that I downloaded over 30 windows security updates over the weekend, I wonder if one of those is causing the problem with posting to spamcop newsgroups?"

From nobody at spamcop.net Wed Feb 2 20:02:48 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Wed Feb 2 20:00:03 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References: <420157BE.4C05@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:420157BE.4C05@xyzzy.claranet.de...
> Miss Betsy wrote:
>
> > The point of this FAQ is that a lot of people do not access
> > the 'official' FAQ before posting or don't understand it.
>
> Ellen's point is probably, that deputies@ get numerous mails
> from whining users of blocked MTAs, and if your text somehow
> indicates that their MTA might be blocked for two days, then
> they might send really annoying mails to deputies@

If they read my text, they would email their ISP.

>
> "24 hours after the last spam was sent" is much more friendly
> for these upset users.
>
> > see how well they understand the official FAQ.
>
> Whining users don't read FAQs. But if they do it against all
> odds they might find your text, and that should be as correct
> as possible.
Ok, I am conceding that 48 hours should not be used. Though I am betting that whiners would be relieved to find out that 'their' IP address will age off in 24 hours instead of 48 and think their email to the deputies has accomplished something.

Edited version

The SpamCop BL listing will expire automatically within a specific period of time based primarily on when the last spam came from that IP address. http://www.spamcop.net/fom-serve/cache/297.html for more information on the SpamCop BL listing.

The official spamcop FAQ is referenced both for the admins and the end users already and is now referenced again.

Miss Betsy

From nobody at devnull.spamcop.net Wed Feb 2 20:02:25 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Wed Feb 2 20:05:03 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

WazoO wrote:

> "Pop" wrote in message
> news:ctqqhg$j46$1@news.spamcop.net...
>>>
>> Hope I'm not jumping the gun; please tell me if I am: As a
>> tech
>> writer in my most recent past life, I feel qualified to make a
>> couple of observations on format.
>>
>> Content = pretty good! Fairly clear and concise. Not hard
>> to
>> read/understand.
>
> I'm not jumping on you Pop, this just looked like a good
> starting point here.

===> Not a problem WazoO (boy, that name's hard to type!). Jump away if you need to; I'm fully aware of my lack of qualifications and believe it or not, AM trying to keep out of it, but it's just so danged good a thing, I failed. A little. Sorta. Maybe. to keep my nose in place, that is.

What is missing from all this mostly
> appreciated input is that the "home" of this FAQ entry is
> on the Forum. This means HTML display, links glowing,
> all that colorful stuff. It had been developed over
> some time by input from a number of Forum users (and
> who can forget Mike E.'s call to call the NNTP/HTTP
> camps totally different nations?) ... After all of that,
> Miss Betsy snagged a copy of that, did a lot of editing
... ... ...
... ... ...

Actually, thanks for that. I suspected there was going to be a lot I wasn't aware of or hadn't caught on to, and you did a good job of pointing that out, and explained a lot in the process. Positive criticism is a good thing and I always appreciate it, believe it or not, even if it was just a "starting point" for you to get the info out.

Doing FAQ-work is a very thankless job and the authors have to be really thick skinned and almost have to be able to read what someone meant, not what they said, sometimes. Been there, done that.

I seriously wish I could devote some time to help out with all this because I think I'd learn a lot, maybe more than I wanted to even. It can't be though, so don't invite me. I'm very unpredictable and most people who know me still think I'm an enigma, so ... .

Regards,

Pop -- I am retired -- this is as dressed up as I'm going to get.

From MikeE at ster.invalid Wed Feb 2 17:07:01 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Feb 2 20:10:02 2005
Subject: [SpamCop-List] Re: Indigo can't post
References:
Message-ID:

Fluffy wrote:
> "Mike Easter"
>> If that were happening to me, I would R&R the spamcop newsserver

> He tried all that - no joy. Any more ideas?

Make sure nothing is 'wrong with' the news.spamcop.net account. Server tab - uncheck This server requires me to log in [which will cause the SPA field to be greyed out]

Then I would configure to make a log of the nntp transaction between my OE and the newsserver.

OE/ Tools/ Options/ Maintenance tab/ Troubleshooting section - temporarily check News

Then try to access the newsgroup. That will cause a logfile to be written to disk called news.spamcop.net.log - buried deep in a folder/identity pathway and most easily found with the Find function searching on *.log or news.spamcop.net.log.

It is very important to uncheck that Troubleshooting log file function after the troubleshooting is over, or else it will grow to large proportions.
I just made one which looks something like this:

Microsoft Internet Messaging API 6.00.2800.1441
NNTP Log started at 02/02/2005 17:01:49
NNTP: 17:01:49 [db] Connecting to 'news.spamcop.net' on port 119.
NNTP: 17:01:49 [rx] 200 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (posting ok).
NNTP: 17:01:49 [tx] MODE READER
NNTP: 17:01:50 [rx] 200 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (posting ok).
NNTP: 17:01:50 [tx] GROUP spamcop
NNTP: 17:01:50 [rx] 211 3585 139488 143100 spamcop

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Feb 2 20:15:54 2005
From: nobody at devnull.spamcop.net (Fluffy)
Date: Wed Feb 2 20:20:02 2005
Subject: [SpamCop-List] Re: Indigo can't post
References:
Message-ID:

"Mike Easter" wrote in message news:ctrtef$cb6$1@news.spamcop.net...
> I just made one which looks something like this:
>
> Microsoft Internet Messaging API 6.00.2800.1441
> NNTP Log started at 02/02/2005 17:01:49
> NNTP: 17:01:49 [db] Connecting to 'news.spamcop.net' on port 119.
> NNTP: 17:01:49 [rx] 200 news.spamcop.net InterNetNews NNRP server INN
> 2.3.2 ready (posting ok).
> NNTP: 17:01:49 [tx] MODE READER
> NNTP: 17:01:50 [rx] 200 news.spamcop.net InterNetNews NNRP server INN
> 2.3.2 ready (posting ok).
> NNTP: 17:01:50 [tx] GROUP spamcop
> NNTP: 17:01:50 [rx] 211 3585 139488 143100 spamcop
>

He sez he just made this one:

Microsoft Internet Messaging API 6.00.2800.1441
NNTP Log started at 02/02/2005 20:15:04
NNTP: 20:15:04 [db] Connecting to 'news.spamcop.net' on port 119.
NNTP: 20:15:04 [rx] 201 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (no posting).
NNTP: 20:15:04 [tx] MODE READER
NNTP: 20:15:04 [rx] 201 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (no posting).
NNTP: 20:15:04 [tx] GROUP spamcop.social
NNTP: 20:15:04 [rx] 211 8485 118360 127119 spamcop.social
NNTP: 20:15:06 [tx] GROUP spamcop.geeks
NNTP: 20:15:06 [rx] 211 746 19396 20146 spamcop.geeks

From MikeE at ster.invalid Wed Feb 2 17:28:00 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Feb 2 20:30:02 2005
Subject: [SpamCop-List] Re: Indigo can't post
References:
Message-ID:

Fluffy wrote:
> "Mike Easter"
>> I just made one which looks something like this:

>> NNTP: 17:01:49 [rx] 200 news.spamcop.net InterNetNews NNRP server INN
>> 2.3.2 ready (posting ok).

See, mine sez 'posting ok'

> He sez he just made this one:

> NNTP: 20:15:04 [rx] 201 news.spamcop.net InterNetNews NNRP server INN
> 2.3.2 ready (no posting).

What's with that 'no posting' business? What happens if he telnets in there?

Run/ telnet

then configure the telnet to access news.spamcop.net on port 119 by using the Connect menu - Remote system selection and then input news.spamcop.net in the Host name section and 119 in the Port section and click Connect.

The first thing I get is this line:

200 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (posting ok).

Notice that it does *not* say 'no posting' but sez 'posting ok'

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Feb 2 20:34:59 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Wed Feb 2 20:35:03 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Pop" wrote in message
> Doing FAQ-work is a very thankless job and the authors have to be
> really thick skinned and almost have to be able to read what
> someone meant, not what they said, sometimes. Been there, done
> that.

I appreciate your post and constructive criticism. It means a lot more than comments from someone who hasn't done it!
Miss Betsy From MikeE at ster.invalid Wed Feb 2 18:14:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Feb 2 21:15:02 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: Mike Easter wrote: > NNTP: 17:01:49 [rx] 200 news.spamcop.net InterNetNews NNRP server INN > 2.3.2 ready (posting ok). The docs for INN 2.x are here http://www.mibsoftware.com/userkt/inn2.0/innman.htm INN 2.x Man Pages The configuration to give a 200 posting ok vs a 201 no posting to someone is probably in there somewhere, but some parts of it require registration to access. But the gist of one place^1 is that it sez 201 if it isn't going to allow posting so that the client will know ahead of time that the post command isn't going to work. What I don't know is why indigo is getting the 201 -- what is the basis for that result. ^1 http://www.mibsoftware.com/userkt/inn/dev/inn2.0-beta/inn/doc/compliance-nntp -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Feb 2 20:46:35 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Feb 2 21:50:05 2005 Subject: [SpamCop-List] alleged MailWasher default changes Message-ID: http://forum.spamcop.net/forums/lofiversion/index.php/t3399.html Bounce mode now turned off, says "Chris" .. whoever this may be ,,, From driehuis.fcnzpbc2005 at playbeing.com Thu Feb 3 04:12:37 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Wed Feb 2 22:15:03 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: K. Crocker wrote: > If the open proxy determination was simple and bullet proof, I don't see > a reason why it shouldn't be used to prevent known chronic repeat > offenders from moving back into my neighborhood, to borrow from a > different analogy. John Malmberg addressed most concerns I had with the original posting, so this is just a minor addition. Determining that IP address X is an open proxy is not trivial. 
Proxies are known to migrate from IP address to address as DHCP leases get renewed, they're known to migrate from TCP port to port (and, to add insult to injury, do so under the control of the spammer), and they are notoriously flaky, especially under the load the spammers put on them. Both DSBL and opm.blitzed.org require reporters to prove the vulnerability by having the system connect to the listing service, and at the best of times 80% of IP/port combinations result in a listing. Actual conversion rates are closer to 40% for a variety of reasons. A ten minute delay between discovering a vulnerability and reporting it can blow the listing. If your ISP used both blitzed and DSBL in addition to the Spamcop BL you'd be golden. My personal estimate is that the Spamcop BL is the most aggressive of the three, once dynamic IP space is taken out of the equation. From MikeE at ster.invalid Wed Feb 2 19:18:27 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Feb 2 22:20:03 2005 Subject: [SpamCop-List] Re: alleged MailWasher default changes References: Message-ID: WazoO wrote: > http://forum.spamcop.net/forums/lofiversion/index.php/t3399.html > Bounce mode now turned off, says "Chris" .. whoever this may be ,,, I don't know who Chris is, he clearly sounds like a MW bounce feature apologist/ supporter. I also don't see any evidence at a popular MW support forum^1 that there has been any change in the default configuration about the bogus bouncing -- so my first reaction is that Chris /sounds/ like a MW 'person' -- and my position toward the MW developers is that they are liars. They lie about bouncing in their promotion and they mislead those who would use MW -- so I think I will start by calling Chris a liar. 
^1 http://computercops.biz/postlite102044-bounce+bouncing.html

That page was active as recently as Fri Jan 28, and in it a stan_qaz of the special response team was telling the folks about spamcop's new policy about reporting misdirected bounces and he sez this

The interesting point for mailwasher developers is the suggestion on preventing forged bounces. I have suggested similar actions in the past but they haven't made the feature list but with this change in spamcop.net policy I think this deserves another look and a high priority - before mailwasher users start getting major grief for forging e-mails!

So, I'm saying Chris is full of sh*t -- and if he wants to tell some lies to someone about what MW is doing, he should go tell the MW forum people some of his lies so they can straighten him out.

--
Mike Easter
kibitzer, not SC admin

From driehuis.fcnzpbc2005 at playbeing.com Thu Feb 3 04:28:20 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Wed Feb 2 22:30:03 2005
Subject: [SpamCop-List] Re: Who's Using SPAMCOP? Any major players? Reviews by CNET or others?
In-Reply-To:
References:
Message-ID:

Scott Townsend wrote:
> Looking for info on what companies are using SPAMCOP to filter their mail.
> I'd like to use SPAMCOP, though it would be great to present this as a
> solution to management if I could say that Company X, Y and Z are also using
> it to filter their mail.
>
> Or are there any reviews by CNET or others that recommend SPAMCOP?

You could look at what Spamcop itself says about this topic. :-) Last I checked it said something to the effect that it was a rather aggressive list and would snag legitimate mail.

Okay, so you had me look it up. It says:

"The SCBL is aggressive and often errs on the side of blocking mail."

I would personally recommend to use it as part of a scoring system. At my workplace, being listed on SCBL adds two points to the SpamAssassin score. Then again, your mileage may vary.
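
Added example (not part of the original messages and not SpamAssassin's own code): the difference between scoring on DNSBL listings, as recommended in the message above, and rejecting on any single listing. The 2-point weight for bl.spamcop.net is the figure from that message and the dnsbl.sorbs.net answer for 68.55.204.123 is the one quoted in the "Indigo can't post" thread; the other weights, the 5.0 threshold, the 192.0.2.x addresses and all function names are assumptions.

```python
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

# Points added per zone. 2.0 for bl.spamcop.net is the figure from the message
# above; the other weights and the threshold are assumptions for this example.
WEIGHTS = {
    "bl.spamcop.net": 2.0,
    "cbl.abuseat.org": 3.0,
    "dnsbl.sorbs.net": 1.0,
}
THRESHOLD = 5.0


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.zone"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def dns_resolve(name):
    """Live A-record lookup; None for NXDOMAIN or any resolver error."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def is_listing(answer):
    """Only an answer inside 127.0.0.0/8 means 'listed'. A timeout, NXDOMAIN
    or an ordinary public address (wildcarded or parked zone) does not."""
    if answer is None:
        return False
    try:
        return ipaddress.IPv4Address(answer) in LISTED_NET
    except ValueError:
        return False


def score_ip(ip, other_points=0.0, weights=WEIGHTS, resolve=dns_resolve):
    """Add each list's weight to the points from other rules, then compare."""
    hits = {}
    for zone, points in weights.items():
        if is_listing(resolve(dnsbl_query_name(ip, zone))):
            hits[zone] = points
    total = other_points + sum(hits.values())
    return {"ip": ip, "hits": hits, "score": total, "spam": total >= THRESHOLD}


def block_on_any(ip, weights=WEIGHTS, resolve=dns_resolve):
    """The hard-reject policy, for comparison: one listing is enough."""
    return any(is_listing(resolve(dnsbl_query_name(ip, z))) for z in weights)


# Offline answers. The first entry is the listing quoted in the archive;
# the rest are constructed for this example.
SAMPLE_ANSWERS = {
    "123.204.55.68.dnsbl.sorbs.net": "127.0.0.10",
    "25.2.0.192.bl.spamcop.net": "127.0.0.2",
    "25.2.0.192.cbl.abuseat.org": "127.0.0.2",
    "7.2.0.192.bl.spamcop.net": "203.0.113.9",   # not in 127/8: ignored
}


def sample_resolve(name):
    return SAMPLE_ANSWERS.get(name)


if __name__ == "__main__":
    for addr in ("68.55.204.123", "192.0.2.25", "192.0.2.7"):
        print(score_ip(addr, resolve=sample_resolve),
              "hard-reject:", block_on_any(addr, resolve=sample_resolve))
```

With the sample answers, 68.55.204.123 scores 1.0 and is delivered under scoring, while a reject-on-any-list policy would refuse it.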
From MikeE at ster.invalid Wed Feb 2 19:58:42 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Feb 2 23:00:03 2005 Subject: [SpamCop-List] Re: Who's Using SPAMCOP? Any major players? Reviews by CNET or others? References: Message-ID: Bert Driehuis wrote: > Scott Townsend wrote: > >> Looking for info on what companies are using SPAMCOP to filter their >> mail. > "The SCBL is aggressive and often errs on the side of blocking > mail." > > I would personally recommend to use it as part of a scoring system. I tho't Scott was talking about some company signing up for the spamcop spamfiltering email service. http://www.spamcop.net/ces/pricing.shtml -- The SpamCop Email System is inexpensively priced -- Businesses and other organizations who need multiple accounts should contact us about a custom solution. You Bert are talking about the usage of the SCbl as part of a company's server's filtering strategy. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Feb 2 20:11:27 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Feb 2 23:15:06 2005 Subject: [SpamCop-List] Re: Who's Using SPAMCOP? Any major players? Reviews by CNET or others? References: Message-ID: Mike Easter wrote: > I tho't Scott was talking about some company signing up for the > spamcop spamfiltering email service. I should've cited this page http://www.spamcop.net/ces/corporate.shtml Corporate Email Services http://www.spamcop.net/ces/smallbiz.shtml Small Business Service "Corporate Email Services, the parent company of the SpamCop Email System, can provide a custom-made solution for your email needs. Smaller companies might choose to filter their email through the SpamCop system, then either use the cesmail.net servers as their mail server or forward mail on to their own mail server. Larger companies might do the latter or have CES install a custom filtering server on-site. Contact us for more information on how we can meet your needs. 
" -- Mike Easter kibitzer, not SC admin From driehuis.fcnzpbc2005 at playbeing.com Thu Feb 3 06:02:57 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Thu Feb 3 00:05:02 2005 Subject: [SpamCop-List] Re: Who's Using SPAMCOP? Any major players? Reviews by CNET or others? In-Reply-To: References: Message-ID: Mike Easter wrote: > I tho't Scott was talking about some company signing up for the spamcop > spamfiltering email service. > > http://www.spamcop.net/ces/pricing.shtml -- The SpamCop Email System is > inexpensively priced -- Businesses and other organizations who need > multiple accounts should contact us about a custom solution. > > You Bert are talking about the usage of the SCbl as part of a company's > server's filtering strategy. Yes I was. Why aren't paying users kept informed of such opportunities; it's not as if I skipped a payment on my spamcop account :-) From usenet1 at DE.LETE.THISljvideo.com Thu Feb 3 06:43:47 2005 From: usenet1 at DE.LETE.THISljvideo.com (Larry J.) Date: Thu Feb 3 01:45:03 2005 Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report" References: Message-ID: Waiving the right to remain silent, Steven Maesslein said: > On Wed, 02 Feb 2005 00:04:51 +0100, user@domain.invalid coughed > into spamcop and left this in : > >> Another trick to escape Spamcop I discovered in my mailbox is >> change the computer time, just enough to make push it out of >> the time frame. > > That's a material change to the spam that's forbidden by the > rules. Why should a day or two make any bloody difference..? Spam is spam, regardless of the date. If your car was stolen on Monday, but you didn't notice it gone until Wednesday, wouldn't you still report it missing..? -- Larry J. - Remove spamtrap in ALLCAPS to e-mail The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong. 
From tmcgraw at spamcop.net Wed Feb 2 23:04:05 2005 From: tmcgraw at spamcop.net (Tim McGraw) Date: Thu Feb 3 02:02:29 2005 Subject: [SpamCop-List] Re: Indigo can't post In-Reply-To: References: Message-ID: <4201CCE5.4030903@spamcop.net> Mike Easter wrote: > Mike Easter wrote: > >>NNTP: 17:01:49 [rx] 200 news.spamcop.net InterNetNews NNRP server INN >>2.3.2 ready (posting ok). > > > > What I don't know is why indigo is getting the 201 -- what is the basis > for that result. There is nothing "wrong with" Indie's account. I am getting a similar message in Mozilla. I have not been able to post since yesterday. Today I tried to "R&R" the news.spamcop.net account. I even tried it using the IP# instead of the canonical name. The newsserver is blocking certain IP#s and for good reason. From no at devnull.spamcop.net Tue Feb 1 22:45:21 2005 From: no at devnull.spamcop.net (Heidi) Date: Thu Feb 3 02:10:03 2005 Subject: [SpamCop-List] Good day! Message-ID: Good day, I'm a girl wanting to meet new people. This whole semester I felt very shyyy.... so I decided to open a website about me. My girlfriends like the idea of the site and I will post their pictures too ;D Unlike other sites, it doesn't cost anything to join my site -) Come check website I put together, I'm not that good tho with comp skills yet but tell me what you think ;0 From nobodyhere at spamcop.net Wed Feb 2 13:48:51 2005 From: nobodyhere at spamcop.net (Fluffy) Date: Thu Feb 3 02:25:04 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: Fluffy wrote: > Sorry about the name, my pet troll is following me and spamming the newsgroup so I > had to change. I'm posting this here as well as geeks, in case someone might be able > to answer faster. Would he be blocked from the NNTP groups because his server is > listed in SORBS? I know that Comcast is rife with open proxies, etc lately..... > > He says he is getting this message: > > "Outlook Express could not post your message. 
Subject 'immigrant thread',
> Account: 'news.spamcop.net', Server: 'news.spamcop.net', Protocol: NNTP,
> Server Response: '440 Posting not allowed', Port: 119, Secure(SSL): No,
> Server Error: 440, Error Number: 0x800CCCA9"
>
> Used SC to check his posting IP:
>
> Parsing input: pcp0011117988pcs.elkrdg01.md.comcast.net
> host pcp0011117988pcs.elkrdg01.md.comcast.net (checking ip) =
> 68.55.204.123
> host 68.55.204.123 (getting name) =
> pcp0011117988pcs.elkrdg01.md.comcast.net.
> Routing details for 68.55.204.123
> [refresh/show] Cached whois for 68.55.204.123 : abuse@comcast.net
> Using abuse net on abuse@comcast.net
> abuse net comcast.net = abuse@comcast.net
> Using best contacts abuse@comcast.net
>
> Statistics:
> 68.55.204.123 not listed in bl.spamcop.net
> More Information..
> 68.55.204.123 not listed in dnsbl.njabl.org
> 68.55.204.123 not listed in dnsbl.njabl.org
> 68.55.204.123 not listed in cbl.abuseat.org
> 68.55.204.123 listed in dnsbl.sorbs.net ( 127.0.0.10 )
> 68.55.204.123 not listed in relays.ordb.org.
>
>
>

From no at devnull.spamcop.net Wed Feb 2 18:37:05 2005
From: no at devnull.spamcop.net (Heidi)
Date: Thu Feb 3 02:30:02 2005
Subject: [SpamCop-List] Hello again!
Message-ID:

I'm kind of having a blah day. I got up, went to work, got all wet and cold from the rain, and came home. Now I'm back in my pajamas and I don't want to do anything. My friend wants me to go to her house, but I don't really want to go because I have places to go tomorrow, and I just feel like lounging around the house in my pj's! It's that simple! I don't want to do anything...and it's making me fat, lol. byebye

From nobody at devnull.spamcop.net Thu Feb 3 02:05:05 2005
From: nobody at devnull.spamcop.net (Fluffy)
Date: Thu Feb 3 02:40:03 2005
Subject: [SpamCop-List] Re: Indigo can't post
References:
Message-ID:

Tim McGraw wrote:
>> Mike Easter wrote:
>>
>>> NNTP: 17:01:49 [rx] 200 news.spamcop.net InterNetNews NNRP server INN
>>> 2.3.2 ready (posting ok).
>> >> >> >> >> What I don't know is why indigo is getting the 201 -- what is the basis >> for that result. > > > There is nothing "wrong with" Indie's account. I am getting a similar > message in Mozilla. > > I have not been able to post since yesterday. > > Today I tried to "R&R" the news.spamcop.net account. I even tried it > using the IP# instead of the canonical name. > > The newsserver is blocking certain IP#s and for good reason. > > LOL! Blame Heidi. From MikeE at ster.invalid Thu Feb 3 01:40:47 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 04:46:38 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: Tim McGraw wrote: > Mike Easter wrote: >> What I don't know is why indigo is getting the 201 -- what is the >> basis for that result. > > There is nothing "wrong with" Indie's account. I am getting a similar > message in Mozilla. > > I have not been able to post since yesterday. > > Today I tried to "R&R" the news.spamcop.net account. I even tried it > using the IP# instead of the canonical name. > > The newsserver is blocking certain IP#s and for good reason. So now you are currently posting via the mail2news pathway. But I don't understand what you are saying/meaning about blocking certain IPs for good reason. You and Indigo both have posted from comcast IPs in the past, 24.5.197.151 rDNS c-24-5-197-151.client.comcast.net for Indigo and 68.55.204.123 rDNS pcp0011117988pcs.elkrdg01.md.comcast.net for you. If the newsserver admin is trying to cope with the trolls' abuse via the proxies, it isn't doing the job properly if it is blocking comcast non-trolls and not blocking the trolls. 
-- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Thu Feb 3 12:23:00 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Feb 3 06:25:04 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: On Wed, 2 Feb 2005 17:28:00 -0800, Mike Easter coughed into spamcop and left this in : > Run/ telnet > > then configure the telnet to access news.spamcop.net on port 119 by > using the Connect menu - Remote system selection and then input > news.spamcop.net in the Host name section and 119 in the Port section > and click Connect. It's much easier just to run "telnet news.spamcop.net 119". Even Windblows has a semi-usable command line... -- Steve Some marriages are made in heaven, but they all have to be maintained on earth... From nobody at nowhere.invalid Thu Feb 3 12:31:22 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Feb 3 06:35:03 2005 Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report" References: Message-ID: On Thu, 3 Feb 2005 06:43:47 +0000 (UTC), Larry J. coughed into spamcop and left this in : > Why should a day or two make any bloody difference..? Spam is spam, > regardless of the date. Because it's forcing the parser to accept and report spam that is essentially useless past a certain age. Furthermore, tampering with the datestamp means one or both of 2 things: 1) The ISP won't be able to identify the perp if they're given an incorrect date and time to find out who had the dynamic IP address at that given point in time. 2) It shows that you've falsified something if the ESMTP ID and the datestamp don't match. Ergo, you are untrustworthy and your report will be discarded, possibly followed by a LART back to SpamCop. > If your car was stolen on Monday, but you didn't notice it gone until > Wednesday, wouldn't you still report it missing..? Yes, but I wouldn't claim that it'd been *stolen* on Wednesday (which is what falsifying the datestamp in the headers amounts to). 
I'd say that I saw it for the last time on Sunday or whenever it was. -- Steve The most difficult years of marriage are those following the wedding. From nobody at devnull.spamcop.net Thu Feb 3 07:07:47 2005 From: nobody at devnull.spamcop.net (Fluffy) Date: Thu Feb 3 07:10:22 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: "Mike Easter" wrote in message news:ctsrhn$ubr$1@news.spamcop.net... > But I don't understand what you are saying/meaning about blocking > certain IPs for good reason. > > You and Indigo both have posted from comcast IPs in the past, > 24.5.197.151 rDNS c-24-5-197-151.client.comcast.net for Indigo and > 68.55.204.123 rDNS pcp0011117988pcs.elkrdg01.md.comcast.net for you. > > If the newsserver admin is trying to cope with the trolls' abuse via the > proxies, it isn't doing the job properly if it is blocking comcast > non-trolls and not blocking the trolls. Please ignore the troll post, he likes to follow me around and try to forge my posting IP. I don't believe there has been any blocking put in place but some very specific IP's, Comcast open relays. From nospam at nospam.org Thu Feb 3 15:23:10 2005 From: nospam at nospam.org (geo_splash_12) Date: Thu Feb 3 09:25:04 2005 Subject: [SpamCop-List] Re: Spamcop Statistics In-Reply-To: References: Message-ID: WazoO wrote: > I'm so confused at this point. You give me hell for saying > "not for public discussion" .. wanting to hear from someone > else .... Deputy Ellen states "cannot go into detail" and you > offer her thanks. Then strangely enough, continue with the > asking of the same questions that you started with. A spamcop conspiracy? -- And your Chinese exchange student asks: what does it mean "I'm busy". Location 51 57'N 4 28'E From TJLWBECGSGWU at spammotel.com Thu Feb 3 15:29:17 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Thu Feb 3 10:30:07 2005 Subject: [SpamCop-List] Spammers moving away from direct-to-mx? 
Message-ID:

New malware sending through ISP relays

http://news.com.com/Experts+Zombie+trick+set+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=nefd.top

Will the extra load on outgoing mail servers, and the possibility of them being blacklisted wholesale, persuade ISPs finally to do something about their zombies? My ISP receives SC reports on over a thousand different IPs every day, but they only move on the worst offenders - the threshold is something like 300 abuse reports in 24 hours. Plenty slip under the radar and continue spewing for weeks. Maybe this'll wake them up?

-- Mat.

From spamcop at shorthitt.com Thu Feb 3 10:57:19 2005
From: spamcop at shorthitt.com (GolfErik)
Date: Thu Feb 3 11:00:03 2005
Subject: [SpamCop-List] my domain being used
Message-ID:

Hello all,

Someone is spamming AOL and using my domain name in all the return addresses. Is there any course I can take to stop this, from finding out who it is to pursuing punitive damages?

Any tips/help would be appreciated.

From TJLWBECGSGWU at spammotel.com Thu Feb 3 16:25:57 2005
From: TJLWBECGSGWU at spammotel.com (Mathew Hendry)
Date: Thu Feb 3 11:30:03 2005
Subject: [SpamCop-List] Re: my domain being used
References:
Message-ID:

"GolfErik" wrote in :

>Someone is spamming AOL and using my domain name in all the return
>addresses. Is there any course I can take to stop this, from finding out
>who it is to pursuing punitive damages?
>
>Any tips/help would be appreciated.

How is it affecting you? Is AOL bouncing the messages, or are you receiving replies/fake bounces from their users? Either way, you should be complaining to AOL about their policy of bouncing spam, or about their stupid users, depending.

As to claiming damages, I think that would be very difficult. You can possibly trace the websites or whatever in the spam back to their owners, but that doesn't prove that it was them sending the spam. If the spam is being sent through open proxies then the true sender may be impossible to trace.

-- Mat.
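
Added example (not part of the original messages and not Outlook Express or INN code): a reader for the Outlook Express NNTP troubleshooting logs posted in the "Indigo can't post" thread, which picks out the 200 versus 201 greeting and a 440 answer to POST. The first two sample logs are the ones posted in the thread with the wrapped greeting lines rejoined; the POST exchange in the third and all function and field names are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Shape of one Outlook Express log entry: "NNTP: HH:MM:SS [db|tx|rx] text"
LOG_LINE = re.compile(r"^NNTP: (\d\d:\d\d:\d\d) \[(db|tx|rx)\] (.*)$")

POSTING_BY_CODE = {200: True, 201: False}   # RFC 977 greeting codes
POST_REFUSED = 440                          # RFC 977: posting not allowed


@dataclass
class Session:
    server: Optional[str] = None
    greeting_code: Optional[int] = None
    posting_allowed: Optional[bool] = None
    exchanges: List[Tuple[str, int]] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def note_posting(session, code, where):
    """Record what a 200/201 status says about this client's right to post."""
    if code in POSTING_BY_CODE:
        session.posting_allowed = POSTING_BY_CODE[code]
        if not session.posting_allowed:
            session.findings.append(f"{where}: 201, server will refuse POST from this client")


def parse_oe_nntp_log(text):
    session = Session()
    pending = None                       # command sent, response not yet seen
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue                     # banner lines, wrapped text
        _time, direction, body = m.groups()
        if direction == "db":
            host = re.search(r"Connecting to '([^']+)'", body)
            if host:
                session.server = host.group(1)
        elif direction == "tx":
            pending = body.strip()
        else:
            status = re.match(r"(\d{3})(?:\s|$)", body)
            if not status:
                continue                 # continuation of a multi-line reply
            code = int(status.group(1))
            if pending is None:
                # Only the first unsolicited status line is the greeting.
                if session.greeting_code is None:
                    session.greeting_code = code
                    note_posting(session, code, "greeting")
                continue
            session.exchanges.append((pending, code))
            verb = (pending.split() or [""])[0].upper()
            if verb == "MODE":           # MODE READER repeats the 200/201 status
                note_posting(session, code, pending)
            elif verb == "POST" and code == POST_REFUSED:
                session.posting_allowed = False
                session.findings.append("POST: 440, article refused")
            pending = None
    return session


GREETING_OK = "200 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (posting ok)."
GREETING_NO = "201 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (no posting)."

# Log posted by Mike Easter in the thread (greeting lines rejoined).
MIKE_LOG = f"""Microsoft Internet Messaging API 6.00.2800.1441
NNTP Log started at 02/02/2005 17:01:49
NNTP: 17:01:49 [db] Connecting to 'news.spamcop.net' on port 119.
NNTP: 17:01:49 [rx] {GREETING_OK}
NNTP: 17:01:49 [tx] MODE READER
NNTP: 17:01:50 [rx] {GREETING_OK}
NNTP: 17:01:50 [tx] GROUP spamcop
NNTP: 17:01:50 [rx] 211 3585 139488 143100 spamcop
"""

# Log relayed by Fluffy in the thread (greeting lines rejoined).
INDIGO_LOG = f"""Microsoft Internet Messaging API 6.00.2800.1441
NNTP Log started at 02/02/2005 20:15:04
NNTP: 20:15:04 [db] Connecting to 'news.spamcop.net' on port 119.
NNTP: 20:15:04 [rx] {GREETING_NO}
NNTP: 20:15:04 [tx] MODE READER
NNTP: 20:15:04 [rx] {GREETING_NO}
NNTP: 20:15:04 [tx] GROUP spamcop.social
NNTP: 20:15:04 [rx] 211 8485 118360 127119 spamcop.social
NNTP: 20:15:06 [tx] GROUP spamcop.geeks
NNTP: 20:15:06 [rx] 211 746 19396 20146 spamcop.geeks
"""

# Constructed: the first log followed by a POST that the server refuses.
POST_REFUSED_LOG = MIKE_LOG + (
    "NNTP: 17:02:10 [tx] POST\n"
    "NNTP: 17:02:10 [rx] 440 Posting not allowed\n"
)

if __name__ == "__main__":
    for name, log in (("Mike", MIKE_LOG), ("Indigo", INDIGO_LOG), ("refused", POST_REFUSED_LOG)):
        s = parse_oe_nntp_log(log)
        print(name, s.server, s.greeting_code, s.posting_allowed, s.findings)
```

A 201 at the greeting means the server made its decision before any login or POST was attempted, so reinstalling the news account on the client cannot change the outcome.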
From nobody at spamcop.net Thu Feb 3 11:30:15 2005 From: nobody at spamcop.net (Mike Nuss) Date: Thu Feb 3 11:30:09 2005 Subject: [SpamCop-List] Re: Empty spam In-Reply-To: References: Message-ID: I don't know what you're smoking, but I think I want some. From MikeE at ster.invalid Thu Feb 3 08:44:26 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 11:45:02 2005 Subject: [SpamCop-List] Re: my domain being used References: Message-ID: GolfErik wrote: > Someone is spamming AOL and using my domain name in all the return > addresses. Is there any course I can take to stop this, from finding > out who it is to persuing punitive damages? > > Any tips/help would be appreciated. If you have the original spam item with the bogus From/ Reply-To/ Return-Path 'we' can take a look at it and tell you some things about it. But don't post it here^1. The most common condition of an 'ordinary' everyday spam is that it has a bogus From; so that is not only a normal spam condition, it isn't anything special and it casts no reflection on the domainname forged into that field. Another common feature of everyday spam is that its headers and tracelines can be tracked backwards only as far as some abused proxy or trojan, not to the actual originator/injector abusing the proxy/trojan. Because of that, you are left to guess at the 'basis' for the spam by who is profiting from it, ie the spamvertiser. However, some uncommon spams are done by amateurs or baby spammers who can be traced and their providers notified. That provider would only provide you with the identity of such an inept baby spammer under the pressure of a court order. ^1 The best way to show us a spamitem is to feed it to the SpamCop parser, obtain a tracking url, and then cancel the report. The alternate way to show a spamitem if you aren't a registered SC reporter is to paste it into the newsgroup spamcop.spam and indicate that here. 
-- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Feb 3 09:04:32 2005 From: nobody at spamcop.net (K. Crocker) Date: Thu Feb 3 12:05:03 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: Bert Driehuis wrote: > K. Crocker wrote: > >> If the open proxy determination was simple and bullet proof, I don't >> see a reason why it shouldn't be used to prevent known chronic repeat >> offenders from moving back into my neighborhood, to borrow from a >> different analogy. > > > John Malmberg addressed most concerns I had with the original posting, > so this is just a minor addition. > > Determining that IP address X is an open proxy is not trivial. Proxies > are known to migrate from IP address to address as DHCP leases get > renewed, they're known to migrate from TCP port to port (and, to add > insult to injury, do so under the control of the spammer), and they are > notoriously flaky, especially under the load the spammers put on them. > > Both DSBL and opm.blitzed.org require reporters to prove the > vulnerability by having the system connect to the listing service, and > at the best of times 80% of IP/port combinations result in a listing. > Actual conversion rates are closer to 40% for a variety of reasons. A > ten minute delay between discovering a vulnerability and reporting it > can blow the listing. > > If your ISP used both blitzed and DSBL in addition to the Spamcop BL > you'd be golden. My personal estimate is that the Spamcop BL is the most > aggressive of the three, once dynamic IP space is taken out of the > equation. First, let me thank both of you for your comments. You are obviously both more knowledgeable than me and I appreciate the time you took to educate this neophyte. I made a request of my ISP to reveal the anti-spam steps they take and how effective they are at blocking spam. 
My ISP was recently acquired by another company, so it's unclear (at least to me) whether their methods are consistent across both companies' servers. Their reply was terse:

> Currently, we use a number of RBL's:
>
> sbl.spamhaus.org
> bl.spamcop.net
> dnsbl.njabl.org
> list.dsbl.org
> relays.ordb.org
> dynablock.njabl.org
> dnsbl.sorbs.net
> cbl.abuseat.org

I'd appreciate your comments based on this list. Like I said in a previous post, I'm still getting at least 40 spam a day, but I have no idea how many are blocked (I asked and they didn't tell).

They have generally been a reliable ISP over the years, but sometimes they lack a certain attention to detail. For example, when I sent my info request to the advertised support address, it bounced with:

550 5.1.1 /usr/home/hostmaster/.forward: line 5: ~... User unknown

Fortunately, their phone works!

Regards,

Ken Crocker

From spamcop at shorthitt.com Thu Feb 3 12:40:41 2005
From: spamcop at shorthitt.com (GolfErik)
Date: Thu Feb 3 12:45:07 2005
Subject: [SpamCop-List] Re: my domain being used
References:
Message-ID:

Thanks for the help. I am getting returned emails that were sent to non-existing aol accounts. I will post the spamitem in the other newsgroup and see what comes of it.

Erik

"Mike Easter" wrote in message news:cttkc1$d01$1@news.spamcop.net...
> GolfErik wrote:
>> Someone is spamming AOL and using my domain name in all the return
>> addresses. Is there any course I can take to stop this, from finding
>> out who it is to pursuing punitive damages?
>>
>> Any tips/help would be appreciated.
>
> If you have the original spam item with the bogus From/ Reply-To/
> Return-Path 'we' can take a look at it and tell you some things about
> it. But don't post it here^1.
>
> The most common condition of an 'ordinary' everyday spam is that it has
> a bogus From; so that is not only a normal spam condition, it isn't
> anything special and it casts no reflection on the domainname forged
> into that field.
> > Another common feature of everyday spam is that its headers and > tracelines can be tracked backwards only as far as some abused proxy or > trojan, not to the actual originator/injector abusing the proxy/trojan. > Because of that, you are left to guess at the 'basis' for the spam by > who is profiting from it, ie the spamvertiser. > > However, some uncommon spams are done by amateurs or baby spammers who > can be traced and their providers notified. That provider would only > provide you with the identity of such an inept baby spammer under the > pressure of a court order. > > ^1 The best way to show us a spamitem is to feed it to the SpamCop > parser, obtain a tracking url, and then cancel the report. The > alternate way to show a spamitem if you aren't a registered SC reporter > is to paste it into the newsgroup spamcop.spam and indicate that here. > > -- > Mike Easter > kibitzer, not SC admin > From MikeE at ster.invalid Thu Feb 3 09:47:41 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 12:50:07 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: Steven Maesslein wrote: > Mike Easter >> Run/ telnet >> >> then configure the telnet to access news.spamcop.net on port 119 by >> using the Connect menu - Remote system selection and then input >> news.spamcop.net in the Host name section and 119 in the Port section >> and click Connect. > > It's much easier just to run "telnet news.spamcop.net 119". > > Even Windblows has a semi-usable command line... Tnx. I knew someone would step up with a commandline. I'm not a good one to give someone instructions about commandlines; I have some kind of 'aversion' to them that causes me to make mistakes. One nice thing about the configured telnet is that after initial configuration, it is a pure point and click operation the next time, Run/ telnet [from the menu]/ Connect menu - click news.spamcop.net [in the menu]. All mouse, no keystrokes until you need to quit or do something. 
You could also make a little .bat file for it. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Feb 3 10:01:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 13:05:02 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: Mike Easter wrote: > Steven Maesslein wrote: >> It's much easier just to run "telnet news.spamcop.net 119". > One nice thing about the configured telnet is that after initial > configuration, Aha; but if you do it your way, then the telnet news.spamcop.net 119 will reside/be stored/ in the Run menu for a quick repeat. It/telnet also stores the target host in its connect menu even if the host is accessed from the Run menu. I like that/your method much better. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Thu Feb 3 18:22:57 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Thu Feb 3 13:25:11 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: In article , "WazoO" wrote: > "Dorian Gray" wrote in message > news:D.Gray-452397.18592002022005@news.cesmail.net... > > In article , > > "Ellen" wrote: > > > > > There are various reasons why you may see anomalies in the stat graphs. I > > > cannot go into detail about them. > > > > Thanks Ellen. > > I'm so confused at this point. You give me hell for saying > "not for public discussion" .. wanting to hear from someone > else .... Deputy Ellen states "cannot go into detail" and you > offer her thanks. Then strangely enough, continue with the > asking of the same questions that you started with. Now don't take this the wrong way WazoO, but it's a matter of getting it from the horse's mouth. You don't know the reasons for the features in the statistics or details of their compilation and can only say that it can't be discussed. That is not authoritative, and anyone could say it. 
The difference is that Ellen knows what the answer is, and knows why some things can't be discussed, if that is the case (which she has confirmed). She went so far as to rule out my suggested reason for the big drop since September, which I must admit leaves it as a big mystery, but at least she answered my questions directly and authoritatively. My problem remains that I use the statistics to see the aggregate behaviour of Spamcop reporters - the statistics may also give some (very loose) idea of the effect of Spamcop reporters as well as gross spam trends - and if these statistics seem inexplicably haywire then I lose to some extent my sense of community with other Spamcop reporters because there is no way to follow our behaviour over time. I mean, did most reporters just give up in September? I hope not, but that is one thing that could be inferred from the stats. Without some degree of understandable feedback through the statistics, I feel like I could be wasting my time, which encourages me to stop reporting. I understand entirely the need to not give out information which would help spammers circumvent Spamcop's techniques. However published stats should be understandable. Is it really going to tell spammy anything useful by explaining the features in the stats? Restricting all information as a matter of policy alienates reporters in the long run. From MikeE at ster.invalid Thu Feb 3 10:33:29 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 13:35:03 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: Dorian Gray wrote: > it's a matter of getting > it from the horse's mouth. My guess about the overall problem of questioning the statistics is purely a guess or an opinion, but I'll venture it anyway. My guess would be that the statistic product is purely the result of someone like Julian 'tinkering' with some algorithm or programming variable. 
He doesn't ask Ellen or anyone else about/for their input; he probably doesn't even explain the condition or changes or anything else to them -- even if there is some kind of 'explosion' of disoriented reporters in the newsgroups or forum about it. He might leave the change in, or he might take it back out, or he might change it again differently. All without 'documenting' his activities or its impact on the graphs to the reporters or to the deputies. The deputy or other insider would be more likely to hear some 'scuttlebutt' about what's up - but maybe not. So, then maybe Ellen or someone participating in the newsgroups or the forum is left to answer questions about which they mostly don't have a clue; or perhaps they could hazard a guess but they don't really know; so, all in all, they would just rather not say. -- Mike Easter kibitzer, not SC admin From nospam at temporaryrelay002.ath.cx Thu Feb 3 19:36:54 2005 From: nospam at temporaryrelay002.ath.cx (Gingko) Date: Thu Feb 3 13:40:03 2005 Subject: [SpamCop-List] Re: Reset average reporting time References: Message-ID: "Ellen" wrote in message news: ctdeqq$nm2$2@news.spamcop.net... > > > "Lewis Kirk" wrote in message > news:ctcm77$8uf$1@news.spamcop.net... >> Is there a way to reset my average reporting time? Or could some admin >> type person do it for me? Thanks! >> > > Unfortunately there is no way to do that. > > Ellen Why not compute the average reporting time on the last N (N may equal 1, 2 or 3) months of each Spamcop account, rather than on all reported spams from the beginning of these stats for these accounts? As this is certainly mostly done to encourage people to report faster, I think it would be more efficient for people using Spamcop for a long time! Gingko From tdy at blackhole.invalid Thu Feb 3 10:38:17 2005 From: tdy at blackhole.invalid (N. Miller) Date: Thu Feb 3 13:40:07 2005 Subject: [SpamCop-List] Re: Is this a broken mail host? 
References: Message-ID: In article , Mike Easter says... > That part of the headers is non-compliant; it [the traceline] is > supposed to have a 'from' field which includes the IP from which it > received the item and a 'by' field which has its domainname and a > timestamp. I just received a response from the DHC admin. He agrees that there is a problem with the CommuniGate Pro package, and says he has submitted a report to their support line. He even offered me a link to follow the progress of that report, if I want to join another list. In the meantime, SC does create notifies, so I guess I just need to be sure that I only submit spam for parsing when I know it is within the SC required 48 hour term. Currently, it seems that the parser goes by my local server's time stamp, the one you stated was working correctly, in the absence of a proper timestamp later in the message. I have seen spam that should be 12 to 18 hours old identified as "fresh". -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From tdy at blackhole.invalid Thu Feb 3 10:43:28 2005 From: tdy at blackhole.invalid (N. Miller) Date: Thu Feb 3 13:45:02 2005 Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx? References: Message-ID: In article , Mathew Hendry says... > New malware sending through ISP relays > http://news.com.com/Experts+Zombie+trick+set+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=nefd.top > Will the extra load on outgoing mail servers, and the possibility of them > being blacklisted wholesale, persuade ISPs finally to do something about > their zombies? > My ISP receives SC reports on over a thousand different IPs every day, but > they only move on the worst offenders - the threshold is something like 300 > abuse reports in 24 hours. Plenty slip under the radar and continue spewing > for weeks. Maybe this'll wake them up? I should hope so. 
SBC, my ISP, is the second largest regional telephone company in the U.S. When they joined the "block port 25" brigade, along with Comcast (neither uses a wholesale block on all IPs, but, apparently, enough to make a dent in the problem) I realized that the next level of abuse would have to be finding a way to abuse the ISP's SMTP servers by forcing their zombie nets to go through those servers. If the ISPs don't get serious, email will be dead. OTOH, maybe that is what the ISPs want. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From David1 at suescornerweb.com Thu Feb 3 13:47:44 2005 From: David1 at suescornerweb.com (David 1) Date: Thu Feb 3 13:50:04 2005 Subject: [SpamCop-List] Re: are we down? In-Reply-To: References: Message-ID: David 1 wrote: > eddie wrote: > >> Online spam reporting reports: >> "Service Unavailable >> The server is temporarily unable to service your request. Please try >> again >> later." > > > guess so that's what I got just now also > & I just got it again -- David 1 bad addy spamtrap@suescornerweb.com From nobody at spamcop.net Thu Feb 3 13:47:07 2005 From: nobody at spamcop.net (Anti-Spam) Date: Thu Feb 3 13:50:12 2005 Subject: [SpamCop-List] Re: are we down? References: Message-ID: "David 1" wrote in message news:ctrkce$6h9$1@news.spamcop.net... > eddie wrote: > > Online spam reporting reports: > > "Service Unavailable > > The server is temporarily unable to service your request. Please try again > > later." > > guess so that's what I got just now also Was working earlier today, but died some time in the last half hour. -- Bring in the death penalty for repeat spammers. 
Non-functional spambait addr: to71@lseqfrktuzq.net (generated by Webpoison) From y33sw5g02 at sneakemail.com Thu Feb 3 13:48:10 2005 From: y33sw5g02 at sneakemail.com (ScrapeThis) Date: Thu Feb 3 13:50:18 2005 Subject: [SpamCop-List] Re: my domain being used References: Message-ID: "GolfErik" wrote in message news:ctthks$bb7$1@news.spamcop.net... > Hello all, > > Someone is spamming AOL and using my domain name in all the return > addresses. Is there any course I can take to stop this, from finding out > who it is to pursuing punitive damages? > > Any tips/help would be appreciated. > > AOL is probably willing to help identify the source of these... Try asking the AOL postmaster group for help... http://postmaster.aol.com... Also SPF/Sender ID and Domain Keys for your email domain could help. Cheers ST From f at f.f Thu Feb 3 10:49:34 2005 From: f at f.f (funkgypsy) Date: Thu Feb 3 13:50:23 2005 Subject: [SpamCop-List] spamcop performance - several newbee questions Message-ID: I have noticed that the spamcop email filtering service now works with hotmail. And it is now ok to leave messages on the remote server. Does that make any sense? How much storage space do I get for my $30? I have a total of six email addresses (ok, I know that is excessive). Would it be possible to leave all of my email messages on the spamcop server so I can access them from anywhere? My other question is, how long does it take spamcop to pick up a message from hotmail, process the message, and deliver it to me. I ask because the greylist filtering on one of my providers sometimes slows delivery to a slow crawl. Obviously I want to get my mail quickly. Am I asking too much here? 
thanks for any insight funkgypsy From nobodyhere at spamcop.net Thu Feb 3 04:41:47 2005 From: nobodyhere at spamcop.net (Fluffy) Date: Thu Feb 3 14:00:06 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: "Mike Easter" wrote: > If the newsserver admin is trying to cope with the trolls' abuse via the > proxies, it isn't doing the job properly if it is blocking comcast > non-trolls and not blocking the trolls. > DUH. From eddie at eddie.web Thu Feb 3 14:01:10 2005 From: eddie at eddie.web (eddie) Date: Thu Feb 3 14:05:09 2005 Subject: [SpamCop-List] Re: are we down? References: Message-ID: On Thu, 03 Feb 2005 13:47:07 -0500, Anti-Spam scratched out the following: > > Was working earlier today, but died some time in the last half hour. I originally posted this yesterday, but it's down again right now, again. Might just be very busy. From eddie at eddie.web Thu Feb 3 14:03:16 2005 From: eddie at eddie.web (eddie) Date: Thu Feb 3 14:05:18 2005 Subject: [SpamCop-List] Re: Good day! References: Message-ID: On Tue, 01 Feb 2005 22:45:21 -0500, Heidi scratched out the following: > Good day, > gives new meaning to Heidi Ho :) BIG PLONK~!!!!!! From f at f.f Thu Feb 3 11:07:13 2005 From: f at f.f (funkgypsy) Date: Thu Feb 3 14:10:05 2005 Subject: [SpamCop-List] is spamcop filtering any good Message-ID: the bottom line is, is spamcop email filtering any good? or should I just continue to use spamcop spam reporting? any use opinions would be appreciated. thanks funkgypsy From nobody at devnull.spamcop.net Thu Feb 3 13:19:21 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Feb 3 14:20:07 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-B3A26C.18225703022005@news.cesmail.net... > In article , > "WazoO" wrote: > > > I'm so confused at this point. You give me hell for saying > > "not for public discussion" .. wanting to hear from someone > > else .... 
Deputy Ellen states "cannot go into detail" and you > > offer her thanks. Then strangely enough, continue with the > > asking of the same questions that you started with. > > Now don't take this the wrong way WazoO, but it's a matter of getting it > from the horse's mouth. You don't know the reasons for the features in > the statistics or details of their compilation and can only say that it > can't be discussed. That is not authoritative, and anyone could say it. You have no idea what I know. You basically started out with a "who the hell are you" thing, absurdly asking that I "show" you something already described as 'not for public discussion' .. you tossed out your apparent disbelief that there is dialog that occurs outside the confines of this newsgroup, then even challenge even that possibility after reading some public excerpts posted from commentary in some of that 'other' dialog, apparently excited that I didn't post all e-mails in full in defiance of the requests from the people I was corresponding with ... funny as it may seem, I had to edit a user's posting over in the Forum this morning (and advised said user as to what and why) due to his noticing some particular details and wrote that up and pointed out that it was odd that this situation wasn't documented anywhere ... and that's another one of those that Don had asked that data existing not be changed, as decisions on that process were still being evaluated. > The difference is that Ellen knows what the answer is, and knows why > some things can't be discussed, if that is the case (which she has > confirmed). She went so far as to rule out my suggested reason for the > big drop since September, which I must admit leaves it as a big mystery, > but at least she answered my questions directly and authoritatively. And if it helps, my background comes from an environment in which you might want to know, you might ask, but the scenario was based around the magic phrase "need to know" .. 
and if you didn't meet that little tidbit, it didn't matter what rank, pay-grade, or clearance level you thought you had .... in the current capacity of moderating and managing the Forum, sometimes I'll get a heads-up on something, sometimes I'll get a not-so-nice note about something, sometimes a bit of a nudge to change a few answers here and there due to ..... From no at devnull.spamcop.net Thu Feb 3 19:25:17 2005 From: no at devnull.spamcop.net (Heidi) Date: Thu Feb 3 14:30:03 2005 Subject: [SpamCop-List] Heyz.... Message-ID: Heyz, it's me Heidi... husband left last night have a look on my online profile...if you are interested in me, we can spend some private time together From MikeE at ster.invalid Thu Feb 3 11:26:48 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 14:30:10 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: funkgypsy wrote: > the bottom line is, is spamcop email filtering any good? or should I > just contine to use spamcop spam reporting? > > any use opinions would be appreciated. You are talking to all kinds of people here. The highest number is free spamcop reporters who don't use spamcop mail. There are also a lot of paid spamcop reporters who don't use spamcop mail. There are a lot of advantages to using spamcop filtering. In the first place, it is powerful and configurable. In the second place it enables easy reporting. In the third place it is reasonably priced. One person might want to put 'reasonably priced' in first place, and then compare it with free, which it isn't. Another person might want to choose a different form of power and configurability than spamcop's. One person's mail needs might be completely different from another's. Someone who has 'simple' mail needs like me might be able to whitelist all of their friends and mailing lists and use a crude filter as primitive as Outlook Express, since they receive no wanted unknown mail. 
Someone else might be getting tons of wanted unknown mail of a wide variety of content and also tons of spam might need incredibly complex handmade regular expression derived filters in some client side filter like SpamPal. Someone else might have very acute needs about not downloading any/much spam, which wouldn't work well with SpamPal, so they would need quality server side filtering such as SpamCop's which their own provider doesn't have. I'm sure that the opinions around here of those who use it are that SC mail filtering is very good and that it is well worth the standard/typical $30/y. Someone else who has a different strategy and prefers free might consider that the advantages are more valuable to someone else, not them. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Feb 3 11:48:05 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 14:50:05 2005 Subject: [SpamCop-List] Re: spamcop performance - several newbee questions References: Message-ID: funkgypsy wrote: > I have a total of six email addresses (ok, I know that is excessive). > Would it be possible to leave all of my email messages on the > spamcop server so I can access them from anywhere? You might find this post from the forum useful http://forum.spamcop.net/forums/index.php?showtopic=2385 The post turned out being a very detailed listing of just how I use SpamCop. Since I have not seen any other examples of how others use it, I thought it might be helpful to post it here in the Lounge. If there are others who would care to detail just how you use SpamCop I would definitely be interested in hearing from you. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Thu Feb 3 20:13:41 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Thu Feb 3 15:15:04 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: In article , "WazoO" wrote: > You have no idea what I know. 
<...> > , sometimes a > bit of a nudge to change a few answers here and there due to ..... You've missed the point WazoO. In fact you cut out the important paragraphs in my post. And your posts are making things worse, not better. From DougThegarden at hotmail.com Thu Feb 3 20:13:16 2005 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Thu Feb 3 15:15:18 2005 Subject: [SpamCop-List] Re: Heyz.... In-Reply-To: References: Message-ID: Heidi wrote: > Heyz, it's me Heidi... husband left last night > He probably got tired of having Spam for breakfast, lunch and dinner every day Heidi. Doug From TJLWBECGSGWU at spammotel.com Thu Feb 3 21:27:37 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Thu Feb 3 16:30:06 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: "funkgypsy" wrote in : >the bottom line is, is spamcop email filtering any good? or should I just >continue to use spamcop spam reporting? > >any use opinions would be appreciated. For me, yes, but YMMV. It "holds" 95%+ of my spam with no false positives in recent memory. I have it set to use the Spamhaus SBL+XBL, DSBL open relays, and Spamassassin with threshold = 6.0. I don't have it set to use the SCBL - too high a risk of false positives. The accuracy of filtering isn't the most important thing for me - I could (and do) run local filters anyway. More important is the ease of reporting, and the fact that it can collect mail from many different accounts (including Yahoo and Hotmail) and make everything available from a single POP3/IMAP/Webmail interface. -- Mat. From nobody at spamcop.net Thu Feb 3 17:44:46 2005 From: nobody at spamcop.net (Anti-Spam) Date: Thu Feb 3 17:50:03 2005 Subject: [SpamCop-List] Abuse addresses Message-ID: I was about to post something in .routing, but figured maybe I'd start with a more generic question: I just processed a spam where the parser was devnulling the results being sent to the originating e-mail server. 
Seems it had decided to use postmaster@, since nothing was registered with abuse.net. My question is, why is postmaster@ better than the registered whois contact address, and in the future, should these cases be flagged in .routing? http://www.spamcop.net/sc?action=rcache;ip=213.215.208.134 Searched through the website FAQs to no avail. Thanks. -- Bring in the death penalty for repeat spammers. Non-functional spambait addr: be@yalefgndoceetv.com (generated by Webpoison) From f at f.f Thu Feb 3 15:22:30 2005 From: f at f.f (funkgypsy) Date: Thu Feb 3 18:25:05 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: Speed! I want speed. How long does it take for spamcop to process email and deliver it to me? I have tried other services that were all too slow for my taste. i.e. 10 minutes to deliver one message is too slow. From asterix at no_where.net Fri Feb 4 00:26:17 2005 From: asterix at no_where.net (Asterix) Date: Thu Feb 3 18:30:04 2005 Subject: [SpamCop-List] Links in IFRAME tags Message-ID: <1grfnhm.1snggqe1y22uzsN%asterix@no_where.net> Why doesn't SpamCop parse links in IFRAME tags? I've got some 30 spams the last week promoting - or rather trying to shove up my ass the site http://www.eyaowang.com (don't bother - it's all Chinese - I checked). Since Eudora doesn't display IFRAMEs it's no-go... Sample here.
-- I recommend Macs to my friends, and Intel machines to those whom I don't mind billing by the hour From agent01413 at my-deja.com Thu Feb 3 23:58:25 2005 From: agent01413 at my-deja.com (Socks) Date: Thu Feb 3 19:00:22 2005 Subject: [SpamCop-List] Re: my domain being used References: Message-ID: "GolfErik" wrote in news:ctthks$bb7$1@news.spamcop.net: > Hello all, > > Someone is spamming AOL and using my domain name in all the return > addresses. Is there any course I can take to stop this, from finding > out who it is to pursuing punitive damages? > > Any tips/help would be appreciated. > > Depends on what state you're in. California yes. this is where you talk to a lawyer. I was hired once by a company in NY to chase down a forger. I did, and it got passed on to the NY Atty General, since the forger used a fake address in NYC on his domain registration (the lawyers tell me that is sufficient to establish a NY presence and create jurisdiction). What if anything happened as a result of that is unknown to me. -- "Some witty person in rec.arts.sf.composition (I forget who) called them feral apostrophes. Untamed, unregulated, they roam the wastes of the English language and pop up where lea'st expected." From agent01413 at my-deja.com Fri Feb 4 00:02:25 2005 From: agent01413 at my-deja.com (Socks) Date: Thu Feb 3 19:05:06 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: "funkgypsy" wrote in news:cttso8$jqp$1@news.spamcop.net: > the bottom line is, is spamcop email filtering any good? or should I just > continue to use spamcop spam reporting? > > any use opinions would be appreciated. > > thanks > > funkgypsy > I like it. Spamhaus, SORBS, and AHBL have higher hit rates though without much in the way of increased false positives. OTOH, Fiveten has too many false positives for my purposes. YMMV -- "Some witty person in rec.arts.sf.composition (I forget who) called them feral apostrophes. 
Untamed, unregulated, they roam the wastes of the English language and pop up where lea'st expected." From MikeE at ster.invalid Thu Feb 3 16:09:17 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 19:10:04 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: funkgypsy wrote: > Speed! I want speed. How long does it take for spamcop to process > email and deliver it to me? I have tried other services that were > all too slow for my taste. i.e. 10 minutes to deliver one message is > too slow. I don't think I understand why there should be any delay unless something were b0rken. Altho' I'm neither a hotmail nor a spamcop mail user, I can read the faq/s and forum -- but I can't guess at why some experience you've had elsewhere, as yet undescribed, were 'services too slow for your taste'. In my mind, I see spamcop's system popping your mail from hotmail into its system via popgate.cesmail.net according to http://www.spamcop.net/fom-serve/cache/305.html about how the webmail gizmo is configured for hotmail. Then it would seem that you could access your filtered mail via webmail, imap, or pop it out of spamcop into your own mailuser agent, such as OE. I'm not presently imagining what would cause a delay, unless something were wrong with hotmail or spamcop. You have the ability to configure your OE as to how often you want it to automatically fetch your pop or imap accounts in OE/ Tools/ Options/ General tab - check for new messages every X minutes - plus you can always hit your Receive button to trip the OE to server transactions. What kind of delay experience have you had with what service? -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Feb 3 16:12:03 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 19:15:03 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: Socks wrote: > "funkgypsy" >> the bottom line is, is spamcop email filtering any good? 
or should I >> just continue to use spamcop spam reporting? > I like it. Spamhaus, SORBS, and AHBL have higher hit rates though > without much in the way of increased false positives. OTOH, Fiveten > has too many false positives for my purposes. funk isn't asking about using the SCbl. S/he is wondering about subscribing to spamcop mail to filter hir hotmail account. -- Mike Easter kibitzer, not SC admin From TJLWBECGSGWU at spammotel.com Fri Feb 4 00:25:59 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Thu Feb 3 19:30:05 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: "Mike Easter" wrote in : >funkgypsy wrote: >> Speed! I want speed. How long does it take for spamcop to process >> email and deliver it to me? I have tried other services that were >> all too slow for my taste. i.e. 10 minutes to deliver one message is >> too slow. > >I don't think I understand why there should be any delay unless >something were b0rken. Altho' I'm neither a hotmail nor a spamcop mail >user, I can read the faq/s and forum -- but I can't guess at why some >experience you've had elsewhere, as yet undescribed, were 'services too >slow for your taste'. In my mind, I see spamcop's system popping your >mail from hotmail into its system via popgate.cesmail.net according to >http://www.spamcop.net/fom-serve/cache/305.html about how the webmail >gizmo is configured for hotmail. If you mail your.account.name@spamcop.net directly, it appears within a minute or two, unless there's been some drastic failure. For external mail (POP3 or Webmail) SCMail polls every half hour or so, giving an average delay of 15 minutes. To get it faster than that, you'd need to arrange to have it forwarded, and not many ISPs will do that AFAICT. I've never bothered to try - for anything urgent, IM or phone usually works better anyway... -- Mat. 
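The blocklists named in this thread (the ISP's RBL list and the posters' own filter settings) are all queried the same way, so here is an added example, not code from any poster or from SpamCop, of a DNSBL lookup in the RFC 5782 style that also skips a zone which times out or answers for every address before counting its listings. The `.example` zones, the documentation-range addresses, the resolver data and the `hold_at` knob are constructed for the illustration.

```python
"""DNSBL lookups in the RFC 5782 style, exercised against constructed data."""
import ipaddress
import socket

LISTED_NET = ipaddress.ip_network("127.0.0.0/8")      # RFC 5782 listing answers
# Some operators (Spamhaus documents this) signal query errors in this range.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def query_name(ip, zone):
    """Reverse the address (octets for IPv4, nibbles for IPv6), append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def system_resolver(name):
    """A lookup via the OS resolver; [] means the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise  # a timeout or server failure must not be read as "not listed"
    return sorted({info[4][0] for info in infos})


def check(ip, zone, resolve):
    """Return 'listed', 'clear', 'error' or 'unknown' for one address in one zone."""
    try:
        answers = [ipaddress.ip_address(a) for a in resolve(query_name(ip, zone))]
    except OSError:
        return "unknown"
    if any(a in ERROR_NET for a in answers):
        return "error"
    if any(a in LISTED_NET for a in answers):
        return "listed"
    return "clear"


def zone_is_sane(zone, resolve):
    """RFC 5782 test entries: 127.0.0.2 must be listed and 127.0.0.1 must not."""
    return (check("127.0.0.2", zone, resolve) == "listed"
            and check("127.0.0.1", zone, resolve) == "clear")


def evaluate(ip, zones, resolve, hold_at=1):
    """Count listings from sane zones only; hold the mail at hold_at hits."""
    hits, skipped = [], []
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            skipped.append(zone)
        elif check(ip, zone, resolve) == "listed":
            hits.append(zone)
    return {"hold": len(hits) >= hold_at, "hits": hits, "skipped": skipped}


# Three zones from the thread plus two hypothetical misbehaving ones.
ZONES = ["sbl.spamhaus.org", "bl.spamcop.net", "cbl.abuseat.org",
         "wildcard.example", "slow.example"]


def constructed_resolver():
    """Stand-in for DNS built from constructed records (no network access)."""
    records = {query_name("127.0.0.2", z): ["127.0.0.2"] for z in ZONES[:3]}
    for zone in ("bl.spamcop.net", "cbl.abuseat.org"):
        records[query_name("192.0.2.99", zone)] = ["127.0.0.2"]

    def resolve(name):
        if name.endswith(".slow.example"):
            raise OSError("timed out")
        if name.endswith(".wildcard.example"):
            return ["127.0.0.2"]          # answers for everything
        return records.get(name, [])
    return resolve


if __name__ == "__main__":
    resolve = constructed_resolver()
    for ip in ("192.0.2.99", "198.51.100.7"):
        print(ip, evaluate(ip, ZONES, resolve))
```

Passing `system_resolver` instead of the constructed resolver runs the same logic against live DNS; raising `hold_at` trades hit rate for fewer false positives, the balance the posters weigh above.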
From nobody at spamcop.net Thu Feb 3 19:18:00 2005 From: nobody at spamcop.net (Ellen) Date: Thu Feb 3 19:35:05 2005 Subject: [SpamCop-List] Maint window 2/4/2005 Message-ID: The system will be in maintenance mode for some hardware changes tomorrow at about 2PM PST. The maintenance is to address the outages of the last 48 hours that you may have noticed. The maintenance should take under an hour. This will affect only the reporting system and not the email system. Ellen SpamCop followups to spamcop Please propagate to the appropriate forums. From MikeE at ster.invalid Thu Feb 3 16:43:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 19:45:03 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: Mathew Hendry wrote: > To get it faster than > that, you'd need to arrange to have it forwarded, and not many ISPs > will do that AFAICT. I don't think hotmail/msn will do that. My provider EarthLink will; gmail will. -- Mike Easter kibitzer, not SC admin From TJLWBECGSGWU at spammotel.com Fri Feb 4 01:01:36 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Thu Feb 3 20:05:04 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: "Mike Easter" wrote in : >Mathew Hendry wrote: >> To get it faster than >> that, you'd need to arrange to have it forwarded, and not many ISPs >> will do that AFAICT. > >I don't think hotmail/msn will do that. > >My provider EarthLink will; gmail will. I think Yahoo will as well, on paid accounts anyway. The two ISPs I have accounts with (Blueyonder and Pipex, among the biggest in the UK) both said no last time I asked. -- Mat. 
From MikeE at ster.invalid Thu Feb 3 17:08:29 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 20:10:04 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: Mike Easter wrote: > In my mind, I see spamcop's > system popping your mail from hotmail into its system via > popgate.cesmail.net according to > http://www.spamcop.net/fom-serve/cache/305.html about how the webmail > gizmo is configured for hotmail. Apparently that isn't really popping from hotmail to popgate.cesmail -- because I'm reading that hotmail doesn't allow any kind of popping from the free accounts' mailbox; such as that which was done with the s/w hotmail popper. MSN is only allowing the premium accounts to do that, so apparently the popgate server uses some kind of OE-like http transaction accessing to fetch the hotmailbox. -- Mike Easter kibitzer, not SC admin From f at f.f Thu Feb 3 17:15:21 2005 From: f at f.f (funkgypsy) Date: Thu Feb 3 20:15:03 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: Thanks for all the replies. It is true that new free hotmail accounts do not support pop3 access. of course, you can run freepops to solve that problem. i have an older account that works with oe. as for polling the server, i am using oe. i use the send/receive button to poll the server. i dont wait for the program to do it. i am impatient! From MikeE at ster.invalid Thu Feb 3 17:24:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Feb 3 20:25:02 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: funkgypsy wrote: > It is true that new free hotmail accounts do not support pop3 access. > of course, you can run freepops to solve that problem. i have an > older account that works with oe. > > as for polling the server, i am using oe. i use the send/receive > button to poll the server. i dont wait for the program to do it. i am > impatient! Ah, so. 
Apparently the spamcop system will introduce a potential delay because its polling frequency is less frequent than your own. I suppose you could access your hotmailbox unfiltered with your OE/freepops if you were in a hurry for something, and the normal polling would go at its own pace for providing filtered mail. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Thu Feb 3 21:25:11 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Thu Feb 3 21:30:04 2005 Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx? In-Reply-To: References: Message-ID: Mathew Hendry wrote: > New malware sending through ISP relays > > http://news.com.com/Experts+Zombie+trick+set+to+send+spam+sky-high/2100-7349_3-5560664.html?tag=nefd.top > > Will the extra load on outgoing mail servers, and the possibility of them > being blacklisted wholesale, persuade ISPs finally to do something about > their zombies? Based on some internal forums on my broadband supplier: There are a couple of very popular ISPs that seem to have a hair trigger on blocking I.P. addresses that send spam. If an ISP allows much spam or viruses to reach one of them, then they will quickly find out if any of their paying customers. Spammers that even have a slight fog of a clue have long avoided sending through the broadband ISP's main mailservers because they know that the ISP will take quick action, and that also the main mailservers of the more experienced ISPs have anti-spam defenses to foil getting much mail out through that way. -John wb8tyw@qsl.network Personal Opinion Only From driehuis.fcnzpbc2005 at playbeing.com Fri Feb 4 03:59:07 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Thu Feb 3 22:00:08 2005 Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx? In-Reply-To: References: Message-ID: John E. Malmberg wrote: > If an ISP allows much spam or viruses to reach one of them, then they > will quickly find out if any of their paying customers. 
> > Spammers that even have a slight fog of a clue have long avoided sending > through the broadband ISP's main mailservers because they know that the > ISP will take quick action, and that also the main mailservers of the > more experienced ISPs have anti-spam defenses to foil getting much mail > out through that way. 419ers seem to get away with abusing Tiscali.uk's and Infosat's mailservers on a massive basis, because these two ISPs do not take quick action. Or any action at all, for that matter. Apparently it took a brief stint in sbl.spamhaus.org for tiscali.dk to take notice. Unfortunately I can't check why they were listed, as http://www.spamhaus.org/SBL/sbl.lasso?query=SBL23408 no longer has the goods on them. But I agree with the analysis; if the trend noted by news.com.squared continues, it will separate the wheat from the chaff and we may finally see the last of the truly incompetent ISPs. I'm this close: > < to giving all mail from Tiscali and Infosat an automatic "+5, interesting" boost in SpamAssassin. From devnull at spamcop.net Thu Feb 3 22:36:16 2005 From: devnull at spamcop.net (Frog Prince) Date: Thu Feb 3 22:40:03 2005 Subject: [SpamCop-List] Really dumb spammer Message-ID: I just received a spam message promoting a CD to teach me Spanish. The text of the spam was completely in Spanish ... From driehuis.fcnzpbc2005 at playbeing.com Fri Feb 4 04:47:01 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Thu Feb 3 22:50:03 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: K. Crocker wrote: > I made a request of my ISP to reveal the anti-spam steps they take and > how effective they are at blocking spam. The first is a reasonable request. The second is not. Some spammers want to fly beneath the radar and stop a spam run to 1,000 recipients because they get a bounce that may indicate that they've been found out. Other spammers will just not give up until your MX said "250 OK" to them. 
In the first example, blocking one message saves a thousand spams, in the second example, blocking a thousand messages will not stop the spam if only one slips through. Spam stats are unreliable. I have seen evidence of both forms and I'm not exaggerating the scale. > My ISP was recently acquired by > another company, so it's unclear (at least to me) whether their methods > are consistent across both company's servers. Their reply was terse: > >> Currently, we use a number of RBL's: >> >> sbl.spamhaus.org >> bl.spamcop.net >> dnsbl.njabl.org >> list.dsbl.org >> relays.ordb.org >> dynablock.njabl.org >> dnsbl.sorbs.net >> cbl.abuseat.org That's a pretty comprehensive list. I'd personally throw in the PDL because I believe dynablock isn't as comprehensive as it used to be, but other than that it is a sane setup for most users. The list is certainly more aggressive than I could stomach, if I don my support-role hat. > I'd appreciate your comments based on this list. Like I said in a > previous post, I'm still getting at least 40 spam a day, but I have no > idea how many are blocked (I asked and they didn't tell). They have > generally been a reliable ISP over the years, but sometimes they lack a > certain attention to detail. For example, when I sent my info request to > the advertised support address, it bounced with: > > 550 5.1.1 /usr/home/hostmaster/.forward: line 5: ~... User unknown > > Fortunately, their phone works! Yeah, that really looks amateurish. Then again, I'd pick an ISP that makes the odd mistake and is honest over the goliath that lies about mistakes and stonewalls its customers any day. If the outright blocking isn't sufficient, you may want to get them to tag all mail with SpamAssassin. That way, you give the worst spammers the "250 OK" he craves so much while not having to deal with the spam. It is impossible to win the war on spam and still leave the US a democracy. 
If you have spare cycles, get your elected representative off his proverbial to make sure that law enforcement does their job. Last I checked, computer breakins were illegal in the US and the vast majority of spam comes from a small number of people in the US breaking US law to deliver spam to the tune of around $10bn damages per annum. If I were a politician I'd see an opportunity there. From driehuis.fcnzpbc2005 at playbeing.com Fri Feb 4 05:16:45 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Thu Feb 3 23:20:03 2005 Subject: [SpamCop-List] Re: Really dumb spammer In-Reply-To: References: Message-ID: Frog Prince wrote: > I just received a spam message promoting a CD to teach me Spanish. > > The text of the spam was completely in Spanish ... I get truckloads of spam for language courses to teach English. Unfortunately, the spam itself is in Korean. I had (as the Chinese proverb implies) an interesting time dissecting the Korean spam with an English-Korean word list. I now speak a few words of Korean, but only when represented in hex :-) I still need a solid translation into Korean of "Kick those filthy spammers off your network, you spam supporting scum!" For the terminally curious, one of the websites is at 211.233.5.169 on kidc (a Korean colo facility): http://7english.co.kr/ You may want to disable Flash; I've got no clue what the .swf does. Enjoy! From notan at ddress.com Thu Feb 3 21:24:38 2005 From: notan at ddress.com (Notan) Date: Thu Feb 3 23:25:03 2005 Subject: [SpamCop-List] SpamCop Imposter? Message-ID: <4202F906.D9B2EB2E@ddress.com> Anyone else receive this one?... -------------------------------- Dear user of e-mail server "Spamcop.net", Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information. Further details can be obtained from attached file. For security reasons attached file is password protected. The password is "xxxxx". 
The Management, The Spamcop.net team http://www.spamcop.net --------------------------------- Notan From dannyg at dannyg.com Thu Feb 3 20:28:44 2005 From: dannyg at dannyg.com (Danny Goodman) Date: Thu Feb 3 23:28:51 2005 Subject: [SpamCop-List] Re: Really dumb spammer In-Reply-To: <200502040350.j143oG3h058862@dannyg.com> Message-ID: > I just received a spam message promoting a CD to teach me Spanish. > > The text of the spam was completely in Spanish ... Se habla espamol. Danny http://www.dannyg.com http://www.spamwars.com From driehuis.fcnzpbc2005 at playbeing.com Fri Feb 4 06:05:30 2005 From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis) Date: Fri Feb 4 00:10:41 2005 Subject: [SpamCop-List] Re: SpamCop Imposter? In-Reply-To: <4202F906.D9B2EB2E@ddress.com> References: <4202F906.D9B2EB2E@ddress.com> Message-ID: Notan wrote: > Anyone else receive this one?... > Dear user of e-mail server "Spamcop.net", [snip] Standard virus spam. Nothing new. Disregard. Notice how it tries to look credible by repeating the domain name over and over again. From MikeE at ster.invalid Thu Feb 3 21:17:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 4 00:20:04 2005 Subject: [SpamCop-List] Re: SpamCop Imposter? References: <4202F906.D9B2EB2E@ddress.com> Message-ID: Notan wrote: > Further details can be obtained from attached file. > > For security reasons attached file is password protected. The > password is "xxxxx". That sounds quite nasty. I'm presuming we're talking about a zip file. Did you peek in there? Carefully, of course. As Clint's character Frankie in Million Dollar Baby sed, 'Protect yourself at all times.' -- Mike Easter kibitzer, not SC admin From notan at ddress.com Thu Feb 3 22:42:57 2005 From: notan at ddress.com (Notan) Date: Fri Feb 4 00:45:04 2005 Subject: [SpamCop-List] Re: SpamCop Imposter? 
References: <4202F906.D9B2EB2E@ddress.com> Message-ID: <42030B61.A0EF270@ddress.com> Mike Easter wrote: > > Notan wrote: > > Further details can be obtained from attached file. > > > > For security reasons attached file is password protected. The > > password is "xxxxx". > > That sounds quite nasty. I'm presuming we're talking about a zip file. > Did you peek in there? Carefully, of course. As Clint's character > Frankie in Million Dollar Baby sed, 'Protect yourself at all times.' Yup, zip file. Deleted immediately. In addition, the poor grammar kinda tipped me off. The folks at SpamCop are better than that! Notan From nobody at xyzzy.claranet.de Fri Feb 4 07:11:11 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Feb 4 01:15:03 2005 Subject: [SpamCop-List] Re: Maint window 2/4/2005 References: Message-ID: <420311FF.1F94@xyzzy.claranet.de> Ellen wrote: > The system will be in maintenance mode for some hardware > changes tomorrow at about 2PM PST. That's 2005-02-04T21:00:00Z in the Internet, if I got this right ;-) Bye, Frank From nobody at xyzzy.claranet.de Fri Feb 4 07:15:50 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Feb 4 01:20:03 2005 Subject: [SpamCop-List] Re: Maint window 2/4/2005 References: <420311FF.1F94@xyzzy.claranet.de> Message-ID: <42031316.3FAA@xyzzy.claranet.de> Ellen wrote: > The system will be in maintenance mode for some hardware > changes tomorrow at about 2PM PST. That's 2005-02-04T22:00:00Z in the Internet, if I got this right ;-) Bye, Frank P.S.: 2nd attempt, supersedes <420311FF.1F94@xyzzy.claranet.de> From nobody at xyzzy.claranet.de Fri Feb 4 07:40:27 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Feb 4 01:45:02 2005 Subject: [SpamCop-List] Re: my domain being used References: Message-ID: <420318DB.BF3@xyzzy.claranet.de> ScrapeThis wrote: > Also SPF/Sender ID and Domain Keys for your email domain > could help. 
Sender-ID never checks the MAIL FROM (aka Return-Path) and therefore most probably won't help. SPF could do the trick if AOL rejects mail for an SPF result FAIL. E.g. if a sender policy like "v=spf1 a mx -all" says that all other IPs (-all) aren't allowed to claim MAIL FROM his.address@his.domain.example Bye, Frank From nobody at spamcop.net Thu Feb 3 22:57:21 2005 From: nobody at spamcop.net (Don Wannit) Date: Fri Feb 4 02:00:03 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good In-Reply-To: References: Message-ID: funkgypsy wrote: > Speed! I want speed. How long does it take for spamcop to process email and > deliver it to me? I have tried other services that were all too slow for my > taste. i.e. 10 minutes to deliver one message is too slow. > > I have all email to my public address(es) go through SpamCop, using a .forward on my Unix box, and have the SC email account set up to forward to a secret email address on the same Unix box. I then check my mail on that Unix box, and deal with the SC email host only when I do the daily or so check for legitimate email that got held ("false positives"). In my experience over the last 4 years or more, except for two brief episodes when SC was under a DDOS attack, my email is delayed for all of 10-30 seconds. I'll just try a simple experiment here, now it's not quite 10PM PST. Send a text email to my public email address, which will get forwarded to my SC email filtering account, then sent back to my secret email address here. How long will it take? ... insert time-passing music ... It took 3.2 seconds from the time my local SMTP server received the email from my MUA to the time my incoming MTA server received the filtered message back from the SpamCop filtering service. I'm satisfied, and have been for a while now. Except for those two brief periods when I had to disable the .forward thru SC so I could get my incoming email (including all the spam). 
But those didn't last very long, less than 24 hours each, until the pricey Internet bandwidth/redundancy providers kicked in. Based on my personal experience, I've set up my company to use it for filtering incoming business email on our role accounts. I check personally every day to catch false positives from customers (or potential customers), and it keeps the rest of the company from seeing close to 3,000 spams every day. Multiplied by the entire staff seeing the spam on the incoming role account. Big bang for the buck. Bottom line: I recommend it, if used properly. -- Don Wannit A paid SpamCop user since 1999 From nobody at devnull.spamcop.net Thu Feb 3 22:57:26 2005 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m) Date: Fri Feb 4 02:00:10 2005 Subject: [SpamCop-List] Re: Really dumb spammer In-Reply-To: References: Message-ID: Bert Driehuis wrote: > For the terminally curious, one of the websites is at > 211.233.5.169 on kidc (a Korean colo facility): > http://7english.co.kr/ > > You may want to disable Flash; I've got no clue what > the .swf does. It's a fairly well-done animation of the 7English pitch, with the Statue of Liberty featured prominently. You have no reason to fear Flash. -- "[Spammers] are the mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class Mail industry." -- Dave Barry From nobody at xyzzy.claranet.de Fri Feb 4 07:57:39 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Feb 4 02:00:15 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: <420157BE.4C05@xyzzy.claranet.de> Message-ID: <42031CE3.2B20@xyzzy.claranet.de> Miss Betsy wrote: >| The SpamCop BL listing will expire automatically within a >| specific period of time based primarily on when the last >| spam came from that IP address. >| http://www.spamcop.net/fom-serve/cache/297.html for >| more information on the SpamCop BL listing. Elegant. 
The "official" gibberish with 12, 24, 48, and its obscure "reputation points" is of course beyond recognition. But whatever it's supposed to mean, your text now covers it ;-) Bye, Frank From nobody at devnull.spamcop.net Thu Feb 3 23:08:24 2005 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m) Date: Fri Feb 4 02:10:04 2005 Subject: [SpamCop-List] Re: SpamCop Imposter? In-Reply-To: References: <4202F906.D9B2EB2E@ddress.com> Message-ID: Mike Easter wrote: > As Clint's character Frankie in Million Dollar Baby sed, > 'Protect yourself at all times.' That's the standard boxing referee's final instruction, usually given before the match in the dressing rooms, but sometimes in the ring. -- "You don't understand. I coulda had class. I coulda been a contenduh. I coulda been somebody, instead of a bum, which is what I am, let's face it." -- Marlon Brando, "On The Waterfront" (1954) From MikeE at ster.invalid Thu Feb 3 23:09:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 4 02:10:11 2005 Subject: [SpamCop-List] Re: SpamCop Imposter? References: <4202F906.D9B2EB2E@ddress.com> <42030B61.A0EF270@ddress.com> Message-ID: Notan wrote: > Mike Easter wrote: >> Did you peek in there? > Yup, zip file. Deleted immediately. Oooh. I always have to find out what the critter was. In fact, I stick them in a little folder and save them after/for identification. It's hard to handle them with the AV turned on, so I keep it turned off for moving them around or isolating them from the mail. The AV always wants to protect me and interfere with what I'm doing. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Feb 3 23:16:42 2005 From: nobody at spamcop.net (K. Crocker) Date: Fri Feb 4 02:20:03 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: Bert Driehuis wrote: > K. 
Crocker wrote: > >> I made a request of my ISP to reveal the anti-spam steps they take and >> how effective they are at blocking spam. > > > The first is a reasonable request. The second is not. Some spammers want > to fly beneath the radar and stop a spam run to 1,000 recipients because > they get a bounce that may indicate that they've been found out. Other > spammers will just not give up until your MX said "250 OK" to them. In > the first example, blocking one message saves a thousand spams, in the > second example, blocking a thousand messages will not stop the spam if > only one slips through. Spam stats are unreliable. > > I have seen evidence of both forms and I'm not exaggerating the scale. > > > My ISP was recently acquired by > >> another company, so it's unclear (at least to me) whether their methods >> are consistent across both company's servers. Their reply was terse: >> >>> Currently, we use a number of RBL's: >>> >>> sbl.spamhaus.org >>> bl.spamcop.net >>> dnsbl.njabl.org >>> list.dsbl.org >>> relays.ordb.org >>> dynablock.njabl.org >>> dnsbl.sorbs.net >>> cbl.abuseat.org > > > That's a pretty comprehensive list. I'd personally throw in the PDL > because I believe dynablock isn't as comprehensive as it used to be, but > other than that it is a sane setup for most users. The list is certainly > more aggressive than I could stomach, if I don my support-role hat. > >> I'd appreciate your comments based on this list. Like I said in a >> previous post, I'm still getting at least 40 spam a day, but I have no >> idea how many are blocked (I asked and they didn't tell). They have >> generally been a reliable ISP over the years, but sometimes they lack >> a certain attention to detail. For example, when I sent my info >> request to the advertised support address, it bounced with: >> >> 550 5.1.1 /usr/home/hostmaster/.forward: line 5: ~... User unknown >> >> Fortunately, their phone works! > > > Yeah, that really looks amateurish. 
Then again, I'd pick an ISP that > makes the odd mistake and is honest over the goliath that lies about > mistakes and stonewalls its customers any day. > > If the outright blocking isn't sufficient, you may want to get them to > tag all mail with SpamAssassin. That way, you give the worst spammers > the "250 OK" he craves so much while not having to deal with the spam. > > It is impossible to win the war on spam and still leave the US a > democracy. If you have spare cycles, get your elected representative off > his proverbial to make sure that law enforcement does their job. Last I > checked, computer breakins were illegal in the US and the vast majority > of spam comes from a small number of people in the US breaking US law to > deliver spam to the tune of around $10bn damages per annum. If I were a > politician I'd see an opportunity there. Thanks for your comments, although most of the spam that makes it through the gauntlet above into my mailbox comes from China, Korea, France, Brazil, and Russia. From USA residents (I can't bring myself to call them citizens), most likely, from USA machines, no. Web hosting is another issue. This is just my observation. What my ISP's server sees may show a different mix. From MikeE at ster.invalid Thu Feb 3 23:31:01 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 4 02:35:03 2005 Subject: [SpamCop-List] Re: SpamCop Imposter? References: <4202F906.D9B2EB2E@ddress.com> Message-ID: LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m wrote: > Mike Easter wrote: > >> As Clint's character Frankie in Million Dollar Baby sed, >> 'Protect yourself at all times.' > > That's the standard boxing referee's final instruction, usually given > before the match in the dressing rooms, but sometimes in the ring. Yes. And since the story makes the ring and the fight game a microcosm of life itself it is a useful theme or thread for the work. Great movie. 
-- Mike Easter kibitzer, not SC admin From no at devnull.spamcop.net Thu Feb 3 22:36:16 2005 From: no at devnull.spamcop.net (Heidi) Date: Fri Feb 4 05:20:38 2005 Subject: [SpamCop-List] heyy ;) Message-ID: heyy ;), I'm a girl who just made her own website :) Most of the time scared of osmehting I don't even know what... old time friend suggested to start my own web page. My website is like my new hobby :D All it needs is age verification.. I want to have a cyber friend if you don't mind -) From nobody at nowhere.invalid Fri Feb 4 11:35:19 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Feb 4 05:40:03 2005 Subject: [SpamCop-List] Re: Really dumb spammer References: Message-ID: On Thu, 3 Feb 2005 22:36:16 -0500, Frog Prince coughed into spamcop and left this in : > I just received a spam message promoting a CD to teach me Spanish. > > The text of the spam was completely in Spanish ... You think that's dumb? My spamcop.net address seems to have found its way onto the spam list of someone selling pizzas delivered to your home in Moscow (in Russian, of course). Do you think they deliver to central France? Will my pizza still be hot by the time it gets here? -- Steve There are only 10 kinds of people in the world: Those who understand binary, and those who don't. From nobody at spamcop.net Fri Feb 4 07:14:48 2005 From: nobody at spamcop.net (Miss Betsy) Date: Fri Feb 4 07:15:30 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: <420157BE.4C05@xyzzy.claranet.de> <42031CE3.2B20@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:42031CE3.2B20@xyzzy.claranet.de... > Miss Betsy wrote: > > >| The SpamCop BL listing will expire automatically within a > >| specific period of time based primarily on when the last > >| spam came from that IP address. > >| http://www.spamcop.net/fom-serve/cache/297.html for > >| more information on the SpamCop BL listing. > > Elegant. 
The "official" gibberish with 12, 24, 48, and its > obscure "reputation points" is of course beyond recognition. > But whatever it's supposed to mean, your text now covers it ;-) > > Bye, Frank Thanks, Frank! :) I love elegant! Miss Betsy From nobody at spamcop.net Sat Feb 5 01:19:13 2005 From: nobody at spamcop.net (Aaron Lawrence) Date: Fri Feb 4 07:30:04 2005 Subject: [SpamCop-List] Many broken links in the web version of FAQ Message-ID: Many of the URLs in the FAQ at http://forum.spamcop.net/forums/lofiversion/index.php/t2238.html are broken, e.g http://forum.spamcop.net/forums/http://forum.spamcop.net/forums/index.ph p?showtopic=2527&view=findpost&p=16402 for "Say NO to the Challenge Response Lunacy" the forums URL is being stuck on the front of the real URL - looks like some bad forum software?? Couldn't figure out any way to post there :) -- aaronl at consultant dot com For every expert, there is an equal and opposite expert. - Arthur C. Clarke From nobody at spamcop.net Fri Feb 4 07:25:53 2005 From: nobody at spamcop.net (Ellen) Date: Fri Feb 4 08:25:02 2005 Subject: [SpamCop-List] Re: Maint window 2/4/2005 References: <420311FF.1F94@xyzzy.claranet.de> <42031316.3FAA@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:42031316.3FAA@xyzzy.claranet.de... > Ellen wrote: > > > The system will be in maintenance mode for some hardware > > changes tomorrow at about 2PM PST. > > That's 2005-02-04T22:00:00Z in the Internet, if I got this > right ;-) > > Bye, Frank > > P.S.: 2nd attempt, supersedes <420311FF.1F94@xyzzy.claranet.de> > Should have added -0800, sorry about that ... 
Ellen From nobody at nowhere.invalid Fri Feb 4 14:51:21 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Feb 4 08:55:05 2005 Subject: [SpamCop-List] Re: Maint window 2/4/2005 References: <420311FF.1F94@xyzzy.claranet.de> <42031316.3FAA@xyzzy.claranet.de> Message-ID: On Fri, 4 Feb 2005 07:25:53 -0500, Ellen coughed into spamcop and left this in : > Should have added -0800, sorry about that ... You did. You said "2PM PST" :) -- Steve Money isn't everything, but at least it keeps the kids in touch. From michael.spamcop at michaellefevre.com Fri Feb 4 13:51:36 2005 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Fri Feb 4 08:55:25 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: <4200F92C.72CCF96B@spamcop.net> Message-ID: Miss Betsy wrote: >> Michael Lefevre wrote: >> >> > And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside >> > from missing the "a" from SpamCop, it's generally called the SpamCop >> > BL - given that the audience for the document are unlikely to know >> > what a DNSBL is, there's no point in adding extra letters... > > That wasn't my choice, but somebody wanted to be more technical. I > suppose the spamcop bl is not considered a DNSBL because it is supposed > to tag email. (Or maybe it has nothing to do with that - I am basically > technically non-fluent and am just guessing). It doesn't actually - the DNS part refers to the way that the lookups to the list are made, so it is a DNSBL. However, most people (and the SpamCop site) tend to refer to it as the SpamCop BL (or even SCBL), so while it wouldn't be wrong to call it the "SpamCop DNSBL" (with a space), it just isn't usual to do that, and, as you say, non-technical folks won't gain anything from having DNSBL instead of just BL. -- Michael From wb8tyw at qsl.network Fri Feb 4 09:10:06 2005 From: wb8tyw at qsl.network (John E. 
Malmberg) Date: Fri Feb 4 09:15:17 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: Bert Driehuis wrote: >> another company, so it's unclear (at least to me) whether their methods >> are consistent across both company's servers. Their reply was terse: >> >>> Currently, we use a number of RBL's: >>> >>> sbl.spamhaus.org >>> bl.spamcop.net >>> dnsbl.njabl.org >>> list.dsbl.org >>> relays.ordb.org >>> dynablock.njabl.org >>> dnsbl.sorbs.net >>> cbl.abuseat.org Request that they change sbl.spamhaus.org entry to sbl-xbl.spamhaus.org as it looks up sbl.spamhaus.org, opm.blitzed.org, and cbl.abuseat.org all in one query. Then they can block their separate query of the cbl.abuseat.org. > > That's a pretty comprehensive list. I'd personally throw in the PDL > because I believe dynablock isn't as comprehensive as it used to be, but > other than that it is a sane setup for most users. The list is certainly > more aggressive than I could stomach, if I don my support-role hat. In the spot tests that I have done on the spam that gets through, the PDL was missing quite a few well known dynamic pools, pretty much the same ones that were missing from maps. The dynablock.njabl.org seemed to be much better than either of those two, but is still letting through some DHCP ranges. The SORBS DHUL seems to be the most complete. > > It is impossible to win the war on spam and still leave the US a > democracy. If you have spare cycles, get your elected representative off > his proverbial to make sure that law enforcement does their job. Last I > checked, computer breakins were illegal in the US and the vast majority > of spam comes from a small number of people in the US breaking US law to > deliver spam to the tune of around $10bn damages per annum. If I were a > politician I'd see an opportunity there. 
The enforced laws need to explicitly require that ISPs take action within one business day after being notified of criminal activity on their network, and that they are still liable if they did not get notified in a timely manner because either their abuse e-mail box was not functional or the person reading it was too far behind. When an ISP finds that some other major ISPs are refusing e-mail from them because of their lack of action to abuse complaints, they seem to be able to fix the problems with lightning speed, no matter how big the problem is. So there is plenty of public evidence that having the above legal requirement is not too much of a burden. -John wb8tyw@qsl.network Personal Opinion Only From p.hofman at citywebwatch.com Fri Feb 4 14:40:31 2005 From: p.hofman at citywebwatch.com (Paul Hofman) Date: Fri Feb 4 09:45:03 2005 Subject: [SpamCop-List] Blocked, but on no blacklists Message-ID: Email that our company sends out on an opt in and subscription basis (i.e. they're legal!) has just started to be blocked, though intermittently over the last week. The bounced mail says that it was denied 'because your server is listed in one or more of the following Spam Blacklist services (as either a open relay or a spam email source): http://www.dnsbl.au.sorbs.net or http://www.spamcop.net.' . The IP quoted and other IPs in that subnet do not appear on these blacklists or any other I can find. I assume that some spam filters that use scoring are returning this as a blanket message, even though an IP may not be listed? Does anyone have any deeper knowledge, experience or help on this one? From nobody at spamcop.net Fri Feb 4 10:02:48 2005 From: nobody at spamcop.net (Anti-Spam) Date: Fri Feb 4 10:05:12 2005 Subject: [SpamCop-List] Re: Blocked, but on no blacklists References: Message-ID: "Paul Hofman" wrote in message news:cu01jo$299$1@news.spamcop.net... > Email that our company sends out on an opt in and subscription basis (i.e. > they're legal!) 
has just started to be blocked, though intermittently over > the last week. The bounced mail says that it was denied 'because your server > is listed in one or more of the following Spam Blacklist services (as either > a open relay or a spam email source): http://www.dnsbl.au.sorbs.net or > http://www.spamcop.net.' . The IP quoted and other IPs in that subnet do not > appear on these blacklists or any other I can find. > > I assume that some spam filters that use scoring are returning this as a > blanket message, even though an IP may not be listed? > > Does anyone have any deeper knowledge, experience or help on this one? Spamcop listings are based on detected spam. Non-repeat offenders normally are delisted after 24 hours of non-activity. (See the FAQ for more precise details.) If you're an admin for your domain (i.e. have access to postmaster, etc.) you can contact deputies at spamcop.net to see what's causing you to be listed. However, as you say, the problem may not have anything to do with spamcop at all. If you have a configuration problem and are an open relay, presumably that isn't coming and going. :) Usually mailers only send out a response when you're actually blocked (i.e. it blocks a message). If that's not what your question meant, another answer may be: yes, it is indeed easy to misconfigure a mail server program to blame one block for another. To paraphrase Mike Easter, people here could tell you more if you gave the IP addr in question. Hope that helps. -- Bring in the death penalty for repeat spammers. 
Non-functional spambait addr: address@oxdzfj.com (generated by Webpoison) From Paul.does.not.want.spam at BAD.EXAMPLE.com Fri Feb 4 15:10:34 2005 From: Paul.does.not.want.spam at BAD.EXAMPLE.com (Paul) Date: Fri Feb 4 10:15:03 2005 Subject: [SpamCop-List] Re: heyy ;) References: Message-ID: "Heidi" wrote in news:ctvi5l$p24$1 @news.spamcop.net: > heyy ;), > > I'm a girl who just made her own website :) Most of the time scared of > osmehting I don't even know what... old time friend suggested to start > my own web page. My website is like my new hobby :D All it needs is age > verification.. Because you are only 13? > I want to have a cyber friend if you don't mind -) Why don't you build one from a kit? -- From kenbrody at spamcop.net Fri Feb 4 10:06:12 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Fri Feb 4 10:30:02 2005 Subject: [SpamCop-List] Re: Blocked, but on no blacklists References: Message-ID: <42038F64.55937683@spamcop.net> Paul Hofman wrote: > > Email that our company sends out on an opt in and subscription basis (i.e. > they're legal!) FYI: "legal" != "not spam" Are you sure you're using a confirmed opt-in list? (Someone here will probably post the URL for how to properly run a confirmed opt-in list.) How, exactly, do you "opt-in" someone? And what, exactly, is a "subscription basis"? How do you confirm that the e-mail address you add to your list is the correct one, and that the owner of that address really wants to get your e-mail? > has just started to be blocked, though intermittently over > the last week. The bounced mail says that it was denied 'because your server > is listed in one or more of the following Spam Blacklist services (as either > a open relay or a spam email source): http://www.dnsbl.au.sorbs.net or > http://www.spamcop.net.' . The IP quoted and other IPs in that subnet do not > appear on these blacklists or any other I can find. 
> > I assume that some spam filters that use scoring are returning this as a > blanket message, even though an IP may not be listed? > > Does anyone have any deeper knowledge, experience or help on this one? Without an actual IP address, preferably the complete bounce message stating that it was rejected because of SpamCop, we can only guess. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From Merlyn at Spamcop.net Fri Feb 4 10:31:57 2005 From: Merlyn at Spamcop.net (Merlyn) Date: Fri Feb 4 10:35:04 2005 Subject: [SpamCop-List] Re: Blocked, but on no blacklists References: Message-ID: "Paul Hofman" wrote in message news:cu01jo$299$1@news.spamcop.net... > Email that our company sends out on an opt in and subscription basis (i.e. > they're legal!) has just started to be blocked, though intermittently over > the last week. The bounced mail says that it was denied 'because your > server > is listed in one or more of the following Spam Blacklist services (as > either > a open relay or a spam email source): http://www.dnsbl.au.sorbs.net or > http://www.spamcop.net.' . The IP quoted and other IPs in that subnet do > not > appear on these blacklists or any other I can find. > > I assume that some spam filters that use scoring are returning this as a > blanket message, even though an IP may not be listed? > > Does anyone have any deeper knowledge, experience or help on this one? > Just because it's legal doesn't mean it isn't spam. If you want assistance you will have to post the IP of the server you think is blocked or the entire block/reject message.
-- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From wb8tyw at qsl.network Fri Feb 4 10:33:08 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri Feb 4 10:35:10 2005 Subject: [SpamCop-List] Re: Blocked, but on no blacklists In-Reply-To: References: Message-ID: Paul Hofman wrote: > Email that our company sends out on an opt in and subscription basis (i.e. > they're legal!) has just started to be blocked, > > Does anyone have any deeper knowledge, experience or help on this one? Without giving the I.P. that is blocked, there is no way to provide you with any useful information except to have you read the FAQs or other information on whatever is claimed to be rejecting your e-mail. With the I.P. then many of us can check public internet archives to see what the problem may be. Paid spamcop members and deputies have access to even more information if the I.P. address has ever been reported to Spamcop.net. A copy of the exact text from the rejecting mail servers might also be useful. E-mail addresses and original message body is not needed. There are some broken mail servers that are happily rejecting either all or a significant amount of e-mail because of mis-configurations, and apparently no one on them seems to be noticing. I have had two broadband ISPs, each of them on multiple occasions set their mail servers to reject all e-mail with a non-existent user code. So far, you have given zero information that is needed to even slightly diagnose the issue. -John wb8tyw@qsl.network Personal Opinion Only. From nobody at devnull.spamcop.net Fri Feb 4 09:34:16 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Feb 4 10:35:16 2005 Subject: [SpamCop-List] Re: Many broken links in the web version of FAQ References: Message-ID: "Aaron Lawrence" wrote in message news:MPG.1c6e2f6b4148340e9896bf@news.spamcop.net...
> Many of the URLs in the FAQ at > > http://forum.spamcop.net/forums/lofiversion/index.php/t2238.html > > are broken, e.g > > http://forum.spamcop.net/forums/http://forum.spamcop.net/forums/index.ph > p?showtopic=2527&view=findpost&p=16402 > > for "Say NO to the Challenge Response Lunacy" > > the forums URL is being stuck on the front of the real URL - looks like > some bad forum software?? > > Couldn't figure out any way to post there :) All of the above is fallout of the "lo-fi" viewing of the page. I have this in as a bug report to the Invision folks. From nobody at devnull.spamcop.net Fri Feb 4 10:57:26 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Fri Feb 4 11:00:10 2005 Subject: [SpamCop-List] Re: Abuse addresses References: Message-ID: "Anti-Spam" wrote in message news:ctu9iq$sdb$1@news.spamcop.net... >I was about to post something in .routing, but figured > maybe I'd start with a more generic question: > > I just processed a spam where the parser was > devnulling the results being sent to the originating > e-mail server. Seems it had decided to use > postmaster@, since nothing was registered with > abuse.net. My question is, why is postmaster@ > better than the registered whois contact address, > and in the future, should these cases be flagged > in .routing? IIUC, postmaster@ is never supposed to refuse email (possibly there is an RFC on this). The registered whois contact addresses can filter email and probably do. If the postmaster@ box is overwhelmed (or someone is ignoring the RFC), then it may bounce. If spamcop gets enough bounces, it quits trying and uses devnull (which does put the IP address on the bl just as if reports went). Miss Betsy From nobody at devnull.spamcop.net Fri Feb 4 11:00:03 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Fri Feb 4 11:05:03 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? 
FAQ References: <4200F92C.72CCF96B@spamcop.net> Message-ID: "Michael Lefevre" wrote in message news:ctvul8$vrv$1@news.spamcop.net... > Miss Betsy wrote: >>> Michael Lefevre wrote: >>> >>> > And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside >>> > from missing the "a" from SpamCop, it's generally called the SpamCop >>> > BL - given that the audience for the document are unlikely to know >>> > what a DNSBL is, there's no point in adding extra letters... >> >> That wasn't my choice, but somebody wanted to be more technical. I >> suppose the spamcop bl is not considered a DNSBL because it is supposed >> to tag email. (Or maybe it has nothing to do with that - I am basically >> technically non-fluent and am just guessing). > > It doesn't actually - the DNS part refers to the way that the lookups to > the list are made, so it is a DNSBL. However, most people (and the > SpamCop site) tend to refer to it as the SpamCop BL (or even SCBL), so > while it wouldn't be wrong to call it the "SpamCop DNSBL" (with a space), > it just isn't usual to do that, and, as you say, non-technical folks won't > gain anything from having DNSBL instead of just BL. That was my second guess. And I agree totally and am glad to have a knowledgeable person to back me up. Miss Betsy From MikeE at ster.invalid Fri Feb 4 08:05:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Feb 4 11:10:02 2005 Subject: [SpamCop-List] Re: Blocked, but on no blacklists References: Message-ID: Paul Hofman wrote: > The IP quoted > Does anyone have any deeper knowledge, experience or help on this one? Not without the IP you didn't cite. I'm puzzled why you would think you could talk about an IP address problem here without saying what it is. -- Mike Easter kibitzer, not SC admin From scott-i at .-N0-SPAMplease.enm.com Fri Feb 4 08:31:00 2005 From: scott-i at .-N0-SPAMplease.enm.com (Scott Townsend) Date: Fri Feb 4 11:35:07 2005 Subject: [SpamCop-List] Re: Who's Using SPAMCOP? Any major players?
Reviews by CNET or others? References: Message-ID: I was more interested in say if Company A is saying "Hey we use SPAMCop and we love it!" and they have their mail servers check the blacklist. Not necessarily having mail through SPAMCop... The Filters I'm currently using do not allow me access to the % that it determines that the message is. We are currently using ORF and IMF. Thanks, Scott<- "Mike Easter" wrote in message news:cts7ge$idv$1@news.spamcop.net... > Bert Driehuis wrote: >> Scott Townsend wrote: >> >>> Looking for info on what companies are using SPAMCOP to filter their >>> mail. > >> "The SCBL is aggressive and often errs on the side of blocking >> mail." >> >> I would personally recommend to use it as part of a scoring system. > > I tho't Scott was talking about some company signing up for the spamcop > spamfiltering email service. > > http://www.spamcop.net/ces/pricing.shtml -- The SpamCop Email System is > inexpensively priced -- Businesses and other organizations who need > multiple accounts should contact us about a custom solution. > > You Bert are talking about the usage of the SCbl as part of a company's > server's filtering strategy. > > -- > Mike Easter > kibitzer, not SC admin > From nobody at spamcop.net Fri Feb 4 09:49:50 2005 From: nobody at spamcop.net (Dar) Date: Fri Feb 4 12:50:03 2005 Subject: [SpamCop-List] Spammers' New Strategy - Oh, Man!! Message-ID: Illegal bulk-mailers have been able to deploy massive blasts of spam by routing it through the computers of their Internet service providers, rather than sending it directly from individual machines, the experts said. http://story.news.yahoo.com/news?tmpl=story&cid=1804&e=6&u=/washpost/a61901_2005feb3 http://tinyurl.com/4wf9p The result is that "blacklists" of known spamming computers -- which other network operators rely upon to block mail from those machines -- are no longer effective. 
To block spam coming directly from an ISP's computers, all mail from that ISP would be have to be blocked, which would cripple electronic communication. From nobody at devnull.spamcop.net Fri Feb 4 12:21:01 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Feb 4 13:25:07 2005 Subject: [SpamCop-List] Re: Many broken links in the web version of FAQ References: Message-ID: "WazoO" wrote in message news:cu04lp$4c2$1@news.spamcop.net... > "Aaron Lawrence" wrote in message > news:MPG.1c6e2f6b4148340e9896bf@news.spamcop.net... > > Many of the URLs in the FAQ at > > > > http://forum.spamcop.net/forums/lofiversion/index.php/t2238.html > > > > are broken, e.g > > All of the above is fallout of the "lo-fi" viewing of the page. > I have this in as a bug report to the Invision folks. Current status is "This bug has been confirmed and has been moved for further examination." From nobody at devnull.spamcop.net Fri Feb 4 12:27:47 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri Feb 4 13:30:02 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: "Michael Lefevre" wrote in message news:ctqqmh$imv$1@news.spamcop.net... > > And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside from > missing the "a" from SpamCop, it's generally called the SpamCop BL - given > that the audience for the document are unlikely to know what a DNSBL is, > there's no point in adding extra letters... I recognize the capitalization used there ... Miss Betsy had nothing to do with that sequence / title ... please blame the author ... me ... From Merlyn at Spamcop.net Fri Feb 4 13:37:34 2005 From: Merlyn at Spamcop.net (Merlyn) Date: Fri Feb 4 13:40:05 2005 Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!! References: Message-ID: "Dar" wrote in message news:cu0ck5$9u3$1@news.spamcop.net... 
> Illegal bulk-mailers have been able to deploy massive blasts of > spam by routing it through the computers of their Internet > service providers, rather than sending it directly from individual > machines, the experts said. > > http://story.news.yahoo.com/news?tmpl=story&cid=1804&e=6&u=/washpost/a61901_2005feb3 > > http://tinyurl.com/4wf9p > > The result is that "blacklists" of known spamming computers -- > which other network operators rely upon to block mail from those > machines -- are no longer effective. To block spam coming directly > from an ISP's computers, all mail from that ISP would be have to > be blocked, which would cripple electronic communication. > Actually this will make the blocklists more effective as it will put even more pressure on ISP's to dump their spamming pondscum or lose customers because they cannot get their mail delivered :-) As for MCI it will not be long before they get an IDP imposed upon them which they deserve. There is a line being drawn and it appears that MCI has chosen the wrong side. MCI's list just keeps growing: Found 211 SBL listings for IPs under the responsibility of mci.com http://www.spamhaus.org/sbl/listings.lasso?isp=mci.com -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From nobodyhere at spamcop.net Fri Feb 4 14:05:04 2005 From: nobodyhere at spamcop.net (Fluffy) Date: Fri Feb 4 14:10:03 2005 Subject: [SpamCop-List] Re: heyy ;) References: Message-ID: "Paul" wrote in message news:Xns95F367847B67DSenex@216.154.195.61... > > Why don't you build one from a kit? Paul, you're feeding a troll who is forging my posts - please don't. From tdy at blackhole.invalid Fri Feb 4 11:16:05 2005 From: tdy at blackhole.invalid (N. Miller) Date: Fri Feb 4 14:20:04 2005 Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!! References: Message-ID: In article , Merlyn says... 
> As for MCI it will not be long before they get an IDP imposed upon them > which they deserve. There is a line being drawn and it appears that MCI has > chosen the wrong side. When the "Qworst" deal goes through, there will be a real long list of blocks. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From no at devnull.spamcop.net Fri Feb 4 13:10:34 2005 From: no at devnull.spamcop.net (Heidi) Date: Fri Feb 4 14:30:03 2005 Subject: [SpamCop-List] Shall we get to know one another.........? Message-ID: I'm a girl who likes to have fun. I can be very hyper or very calm it all depends on how I feel at the moment. I like goin' places and traveling. And I like to try new things... More about me: Im a very fun loving, outgoing, open minded woman looking for someone to share fun times, good conversation and quiet moments with. I enjoy the outdoors, horseback riding, gardening, and my two dogs. First and formost there are certin ecciencials that are necessary for any kind of relationship (friend, lover, ect.) I am positive, and always look for the silver lining in everything. Anyways, there's not much to say cuz I'm not that compicated. I love to go out and I am usually up for a good time come whatever may. I love to anything once and twice if your lucky. I love to go to concerts, party, or just chill by the fireplace. From gezgin at spamcop.net Fri Feb 4 21:28:01 2005 From: gezgin at spamcop.net (Gezgin) Date: Fri Feb 4 14:30:08 2005 Subject: [SpamCop-List] Re: Shall we get to know one another.........? References: Message-ID: "Watch conversation" activated... 
-- Bob Kanyak's Doghouse http://www.kanyak.com From blacklist-me at davjam.org Fri Feb 4 21:31:59 2005 From: blacklist-me at davjam.org (David Bolt) Date: Fri Feb 4 17:05:03 2005 Subject: [SpamCop-List] Re: Blocked, but on no blacklists References: Message-ID: On Fri, 4 Feb 2005, Paul Hofman wrote:- >Email that our company sends out on an opt in and subscription basis (i.e. >they're legal!) has just started to be blocked, though intermittently over >the last week. The bounced mail says that it was denied 'because your server >is listed in one or more of the following Spam Blacklist services (as either >a open relay or a spam email source): http://www.dnsbl.au.sorbs.net or >http://www.spamcop.net.' . The IP quoted and other IPs in that subnet do not >appear on these blacklists or any other I can find. After a little searching, I managed to locate 193.82.145.216/29[0] which appears to be allocated to citywebwatch.com. I also guessed that 146.101.129.48/29 might be related, since that is where the web site is hosted. If the IP you're having a problem with is in either of those net blocks, it doesn't appear to be listed in any of the DNSBLs checked by either openrbl.org or moensted.dk. If it's not in either of those net blocks, you'll have to post it so we can do further checking. >I assume that some spam filters that use scoring are returning this as a >blanket message, even though an IP may not be listed? Possibly. It may be returned as a default message by what apparently is a sloppily maintained server when they are rejecting mail due to a lack of reverse DNS, which could easily apply to all the IPs in the above /29s since none have a reverse DNS, even though it's definitely the wrong error. >Does anyone have any deeper knowledge, experience or help on this one? Without more information, the help you will get is limited. [0] guessed by checking to see where www.citywebwatch.com (146.101.129.52) and mail.citywebwatch.com (193.82.145.220) were located.
Regards, David Bolt -- Member of Team Acorn checking nodes at 63 Mnodes/s: http://www.distributed.net/ AMD 1800 1Gb WinXP/SuSE 9.2 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0 AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62 RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11 From usenet1 at DE.LETE.THISljvideo.com Fri Feb 4 22:14:50 2005 From: usenet1 at DE.LETE.THISljvideo.com (Larry J.) Date: Fri Feb 4 17:15:03 2005 Subject: [SpamCop-List] Re: Shall we get to know one another.........? References: Message-ID: Waiving the right to remain silent, "Heidi" wrote: > I'm a girl who likes to have fun. I can be very hyper or very calm it > all depends on how I feel at the moment. I like goin' places and > traveling. And I like to try new things... Cool. Meet me out back of the Hardee's in ten minutes. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "If you take out the killings, Washington actually has a very low crime rate." - Marion Barry, mayor of Washington, D.C. From nobody at spamcop.net Fri Feb 4 22:55:44 2005 From: nobody at spamcop.net (me-no-no) Date: Fri Feb 4 18:00:12 2005 Subject: [SpamCop-List] Evidence Wanted (anonymous or otherwise) Message-ID: Anyone else been bugged or auto "opted-in" to cruise.com - aka Omega World Travel Inc ? If so, spamples and /or info required - for what could be an interesting C&C type saga at:- http://www.sueaspammer.com/spammers/omega/ or email - anonymous -at - sueaspammer.com Ciao Meno From f at f.f Fri Feb 4 15:07:33 2005 From: f at f.f (funkgypsy) Date: Fri Feb 4 18:10:03 2005 Subject: [SpamCop-List] Re: is spamcop filtering any good References: Message-ID: Thanks for the reply Don. That sounds great to me and I am going to recommend that our company do something similar. 
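An added example, not part of any message in this archive: the check David Bolt describes in the "Blocked, but on no blacklists" thread (look up every address of a /29 in the DNSBLs and see whether it has reverse DNS), using the DNS-based lookup Michael Lefevre mentions. The zone names, the function names and the sample records (RFC 5737 documentation addresses) are assumptions constructed for the illustration.

```python
"""DNSBL and reverse-DNS check for one address or a small CIDR block."""
import ipaddress
import socket

# Assumed zone names (not given on the page): bl.spamcop.net for the SpamCop BL,
# dnsbl.sorbs.net for the SORBS list named in the bounce text.
DNSBL_ZONES = ("bl.spamcop.net", "dnsbl.sorbs.net")
# DNSBLs signal a listing with an A record inside 127.0.0.0/8.
LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolve_a(name):
    """A records for name via the system resolver; [] if it does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except OSError:
        return []


def system_resolve_ptr(ip):
    """Reverse DNS name for ip, or None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_ip(ip, zones=DNSBL_ZONES, resolve_a=system_resolve_a,
             resolve_ptr=system_resolve_ptr):
    """Query each zone for ip and separate real listings from other answers."""
    listed, suspect = {}, {}
    for zone in zones:
        answers = resolve_a(dnsbl_query_name(ip, zone))
        good = [a for a in answers if ipaddress.ip_address(a) in LISTING_RANGE]
        bad = [a for a in answers if a not in good]
        if good:
            listed[zone] = good
        if bad:
            # A filter that treats "any answer" as a hit rejects unlisted senders.
            suspect[zone] = bad
    return {"ip": ip, "ptr": resolve_ptr(ip), "listed": listed, "suspect": suspect}


def check_block(cidr, **resolvers):
    """Run check_ip() on every address of a CIDR block such as a /29."""
    return [check_ip(str(addr), **resolvers) for addr in ipaddress.ip_network(cidr)]


def diagnose(result):
    """Turn one check_ip() result into the findings a postmaster would act on."""
    findings = []
    for zone, codes in result["listed"].items():
        findings.append(f"listed in {zone} ({', '.join(codes)})")
    for zone, answers in result["suspect"].items():
        findings.append(f"{zone} answered {', '.join(answers)}: not a listing code")
    if result["ptr"] is None:
        findings.append("no reverse DNS (PTR) record")
    return findings


# Constructed DNS data for an offline run; not real listings.
SAMPLE_A = {
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],
    "11.2.0.192.dnsbl.sorbs.net": ["203.0.113.7"],  # outside 127.0.0.0/8
}
SAMPLE_PTR = {"192.0.2.10": "mail.example.net"}


def sample_resolve_a(name):
    return SAMPLE_A.get(name, [])


def sample_resolve_ptr(ip):
    return SAMPLE_PTR.get(ip)


if __name__ == "__main__":
    # Drop the two resolver arguments to query the system resolver instead.
    for res in check_block("192.0.2.8/29", resolve_a=sample_resolve_a,
                           resolve_ptr=sample_resolve_ptr):
        print(res["ip"], "; ".join(diagnose(res)) or "clean")
```

An address that comes back with only "no reverse DNS (PTR) record" matches the case in the thread where a receiving server may be rejecting for missing reverse DNS while quoting a blacklist message.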
From TJLWBECGSGWU at spammotel.com Sat Feb 5 00:00:33 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Fri Feb 4 19:05:32 2005 Subject: [SpamCop-List] Error reporting misdirected bounce Message-ID: Misdirected bounce from AOL: http://www.spamcop.net/sc?id=z728711877z92f5509b6f729ce7b5c72bdd7d6bd86ez After selecting abuse@aol.com as the target and pressing the report button: |putRow Column 'type' cannot be null (1048)/sc? |Sorry, failed to get reportid from database, will not send. Report preview says: |[ SpamCop V1.406 ] |This message is brief for your comfort. Please use links below for details. | |82.41.104.193 Unknown report type in getTypeDesc: bounce (64.12.138.5) Looks like this new "bounce" report type isn't fully hooked up. -- Mat. From pxpearson at spamxcop.net Fri Feb 4 17:17:26 2005 From: pxpearson at spamxcop.net (Peter Pearson) Date: Fri Feb 4 20:20:04 2005 Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!! References: Message-ID: Dar wrote: > Illegal bulk-mailers have been able to deploy massive blasts of > spam by routing it through the computers of their Internet > service providers, rather than sending it directly from individual > machines, the experts said. > > http://story.news.yahoo.com/news?tmpl=story&cid=1804&e=6&u=/washpost a61901_2005feb3 Thanks to the usual journalistic cluelessness, it's not clear what this article is talking about. It seems to be talking about using zombies (infected computers belonging to honest ISP customers), but spammers have been doing that for many months, if not years. At least, I assume that's why so much spam comes from places like pc-24-181-188-52.sbi.ct.charter.com, which looks like an address allocated by Charter to one of its customers. And I assume that's one reason why Spamcop gets the query, "Why is my IP address blocked when I haven't spammed anybody." Is there an alternative interpretation of the article that makes it more "new" news? 
-- Remove the two x's to get a good email address. From nobody at devnull.spamcop.net Fri Feb 4 17:45:16 2005 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m) Date: Fri Feb 4 20:50:05 2005 Subject: [SpamCop-List] Re: Shall we get to know one another.........? In-Reply-To: References: Message-ID: Heidi wrote: > I can be very hyper or very calm it all depends on how I feel > at the moment. That used to be called "manic depression", but now it's known as "bipolar disorder". -- "[Spammers] are the mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class Mail industry." -- Dave Barry From wb8tyw at qsl.network Fri Feb 4 21:13:46 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri Feb 4 21:15:03 2005 Subject: [SpamCop-List] New link for FAQs - Spammer Relay methods from DSBL.ORG In-Reply-To: References: Message-ID: http://dsbl.org/relay-methods This describes how spammers will exploit an insecure computer to send spam, so that mail server operators can do a self test of their systems. If there is someone subscribed to the DSBL.ORG general mailing list, the listing about the browser vulnerabilities does not have an entry for Mozilla. Mozilla is not vulnerable to that exploit according to: https://bugzilla.mozilla.org/show_bug.cgi?id=276257 -John wb8tyw@qsl.network Personal Opinion Only From TJLWBECGSGWU at spammotel.com Sat Feb 5 03:02:58 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Fri Feb 4 22:05:32 2005 Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!! References: Message-ID: Peter Pearson wrote in : >Dar wrote: > >> Illegal bulk-mailers have been able to deploy massive blasts of >> spam by routing it through the computers of their Internet >> service providers, rather than sending it directly from individual >> machines, the experts said. 
>> >> http://story.news.yahoo.com/news?tmpl=story&cid=1804&e=6&u=/washposta61901_2005feb3 > >Thanks to the usual journalistic cluelessness, it's not clear what >this article is talking about. It seems to be talking about using >zombies (infected computers belonging to honest ISP customers), but >spammers have been doing that for many months, if not years. That link doesn't appear to work anymore, but they're talking about spam being sent via mail relays at the host ISP, not directly to target MXes as most current zombies do. To deal with this, the target MXes could blacklist the relays, but that would also block all legitimate mail from those ISPs. Or, they could start checking Received: lines to try and trace the original source, but that might be too costly. -- Mat. From zypher at spamcop.net Fri Feb 4 21:15:29 2005 From: zypher at spamcop.net (Ron B.) Date: Fri Feb 4 22:20:03 2005 Subject: [SpamCop-List] Marketing to Folks with Anxiety Disorders Message-ID: Rx spam is bad enough when aimed at people wanting anti-impotency medications. This getting downright dangerous: http://www.spamcop.net/sc?id=z728762843z37ada5b483e1632656e3f555c5eda94bz Please see the original spam in spamcop.spam. Every time I think that the scum can't get any lower ... From SCNews.5.myspamgobbler at spamgourmet.com Fri Feb 4 21:22:20 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Feb 5 00:25:06 2005 Subject: [SpamCop-List] Re: Continued Encoded Subject Gags Parser In-Reply-To: References: Message-ID: 32123 wrote: > When a spam subject line is encoded and > continued without a leading space on the > continuation line, the parser cannot > handle it. > > (Example in spamcop.spam with same subject.) 
> > It seems that the parser should be upgraded > just slightly so that header continuation > lines do not need the leading gap if and > only if the line break occurs inside an > encoding of the form =?[^?]*?[BQ]?[^?]*?= > > Here is the example subject header: > > Subject: =?Windows-1251?B?KCDPcO70ZWPx6O7t4Ov87fvlIPDgY/H76+roICkgzeD26P8sIOru8u7w4P8g7O7m > ?= > =?Windows-1251?B?5fIg6CDk7uvm7eAg4fvy/CDx7+Dx5e3gIO7k7ejsLeXk6O3x8uLl7e377CD35evu > ?= > =?Windows-1251?B?4uXq7uwsIO3lIOfg8evz5uji4OXyIO/u+eDk+y4gL8guIMfl6ezlLw== > ?= > > Note that only the line breaks inside the > encodings omit the otherwise-required > leading whitespace on the following line. > > The parser should be fixed to parse these. > > HTH > I'm not sure where the parser broke down for you. I pasted your spam into the parser and didn't see the problem, but it was using what you supplied, not the original. Do you have a tracker to share with us? From nobody at spamcop.net Sat Feb 5 06:06:45 2005 From: nobody at spamcop.net (me-no-no) Date: Sat Feb 5 01:10:06 2005 Subject: [SpamCop-List] [Media] Ex-AOL Worker Pleads Guilty ! Message-ID: Poor Jason - My heart bleeds ! CNN Friday, February 4, 2005 http://www.cnn.com/2005/TECH/internet/02/04/aol.spam.plea/ "A former AOL software engineer accused of stealing 92 million screen names has pleaded guilty to conspiracy and interstate transport of stolen property". "Jason Smathers, 24, of Harpers Ferry, West Virginia, faces a maximum sentence of 15 years and up to $500,000 in fines at a May 20 hearing, although federal guidelines call for significantly less. Smathers submitted a plea in December that was rejected by U.S. District Judge Alvin Hellerstein in New York, who said the government had to provide more information" Ciao Meno From bar_n0ne at hotmail.com Sat Feb 5 10:26:18 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Feb 5 01:40:04 2005 Subject: [SpamCop-List] Re: Marketing to Folks with Anxiety Disorders References: Message-ID: "Ron B." 
wrote in message news:cu1dst$u2f$1@news.spamcop.net... > Rx spam is bad enough when aimed at people wanting anti-impotency > medications. This getting downright dangerous: > > http://www.spamcop.net/sc?id=z728762843z37ada5b483e1632656e3f555c5eda94bz > > Please see the original spam in spamcop.spam. > > > Every time I think that the scum can't get any lower ... > Well why not, They market Crocodile cures to AIDS sufferers, Penis and Breast enlargements to people with anxiety about their size, Little bottles to hang in front of their license plates so chronic speedsters and Red light runners so they can get away with it. Erection drugs for people with anxiety about their erections. Opiates for Junkies. Mortgages and Debt reduction for people with money anxieties. Prepayment lottery scams. Prepayment Nigerian scams. How is your example any lower? Should anxiety sufferers be more immune from abuse? From nospam at temporaryrelay002.ath.cx Sat Feb 5 08:15:29 2005 From: nospam at temporaryrelay002.ath.cx (Gingko) Date: Sat Feb 5 02:20:53 2005 Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!! References: Message-ID: > That link doesn't appear to work anymore, [...] It does, but a slash disappeared in the middle of the quotation thread. :-) Use http://tinyurl.com/4wf9p Gingko From sdnsdbaq8734632623 at yahoo.com Sat Feb 5 09:41:43 2005 From: sdnsdbaq8734632623 at yahoo.com (Biwah) Date: Sat Feb 5 04:46:42 2005 Subject: [SpamCop-List] WP: Spammers' New Strategy Message-ID: Spammers' New Strategy Unsolicited E-Mail Sent Using ISP Computers By Jonathan Krim Washington Post Staff Writer Friday, February 4, 2005; Page E01 An advanced spamming technique could push the volume of unwanted e-mail to new heights in coming months, straining the integrity of the online communication system, according to several top experts who monitor the activity of spam gangs around the world.
Illegal bulk-mailers have been able to deploy massive blasts of spam by routing it through the computers of their Internet service providers, rather than sending it directly from individual machines, the experts said. The result is that "blacklists" of known spamming computers -- which other network operators rely upon to block mail from those machines -- are no longer effective. To block spam coming directly from an ISP's computers, all mail from that ISP would be have to be blocked, which would cripple electronic communication. "From what we've seen, the volumes of this type of spam are going up dramatically," said Steve Linford, who heads the Spamhaus Project, the world's leading anti-spam organization. "We're really looking at a bleak thing" if ISPs don't quickly employ countermeasures, he said. Linford added that based on monitoring of spammers' online discussion forums, the new trick is rapidly being adopted by the world's most prolific spammers. Carl Hutzler, director of anti-spam operations at America Online, said he began seeing increases in spam traffic coming directly from other ISP mail servers in the fall of 2003. Now, he said, 95 percent of all spam aimed at AOL's 29 million worldwide members is coming directly from ISP computers. Hutzler said he has been warning industry counterparts about the problem and has made AOL's technical solutions available online. Most critically, Linford and Hutzler said, ISPs must be more aggressive in monitoring and limiting how much mail is being sent from individual machines on their networks, since that is where the spam originates. "We're trying to get the word out," Hutzler said, "but we're not sure that people have taken us that seriously." The new method of attack reflects the evolving sophistication and efficiency of top spamming groups, a community of people who support each other by trading intelligence, products and services. Spammers long ago stopped using their own machines to send spam. 
Instead, they rely on malicious code placed on consumers' machines via viruses or spyware that turn them into unwitting "zombies" remotely controlled by spammers. That and other tactics have allowed spammers to circumvent many technical measures taken by network operators to thwart them, and they have all but ignored federal and state laws that prohibit their activities. Mark Sunner, chief technology officer of MessageLabs Inc., an anti-spam software company, said that the use of multiple zombies on the networks of large Internet service providers allows spammers to spread out the amount of mail sent by any one computer, helping them to fly under the radar of ISP limits. Some ISPs have been able to make dents in the amount of spam reaching the inboxes of computer users, but spam traffic over the Internet continues to rise and to exact steep costs on network operators, businesses and consumers. In a study released yesterday, market research firm Rockbridge Associates Inc. and the Center for Excellence in Service at the University of Maryland Robert H. Smith School of Business estimated that deleting spam alone costs nearly $22 billion a year in lost productivity. The study, based on a survey of 1,000 adults, said the 78 percent who said they receive spam spend an average of three minutes deleting it each day they check their e-mail. What alarms Linford and others about the latest spam offensive is that it strikes at the heart of the blacklist system, a baseline of defense for virtually all network operators. E-mail filters help to segregate good e-mail from bad, but blacklists that identify the Internet addresses of spamming machines keep large amounts of spam off networks and force spammers to find new launchpads. Linford said that in addition to imposing more aggressive limits on mail sent from individual machines, ISPs should do more to authenticate the mail they pass on through their own computers. He said many U.S. 
ISPs have not improved their anti-spam enforcement. For example, he said, the spammers' latest trick is contained in software called Send-Safe. According to Internet registration records, the site is registered to a Florida company and is hosted on the Web by UUNet Technologies, a division of MCI Inc. Linford said his group has repeatedly asked MCI to remove the Send-Safe site, arguing that the software is a prime spamming tool, developed by a notorious spammer. Timothy Vogel, who heads MCI's legal team for technology issues, said that UUNet does not host the site but instead leases the Internet address to a company that in turn hosts Send-Safe's Web site. More important, he said, MCI does not want to censor Internet content. If MCI had evidence that the Send-Safe company was spamming, that would violate MCI policy. But merely advertising its product is a form of speech that should not be censored, Vogel said. http://www.washingtonpost.com/wp-dyn/articles/A61901-2005Feb3.html From nobody at nowhere.invalid Sat Feb 5 11:22:26 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Feb 5 05:25:29 2005 Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!! References: Message-ID: On Fri, 04 Feb 2005 17:17:26 -0800, Peter Pearson coughed into spamcop and left this in : > Is there an alternative interpretation of the article that > makes it more "new" news? I haven't read the article but what *is* new about this particular infestation is that it sends the spam out through the ISP's official SMTP circuit instead of going out direct-to-mx. -- Steve "Here, Outlook Express, run this program!" "Okay, stranger." From nobody at nowhere.invalid Sat Feb 5 11:23:45 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Feb 5 05:25:53 2005 Subject: [SpamCop-List] Re: Shall we get to know one another.........? 
References:
Message-ID:

On Fri, 04 Feb 2005 17:45:16 -0800, LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m coughed into spamcop and left this in :
> That used to be called "manic depression", but now it's known as
> "bipolar disorder".

It's also called a raving troll.

                              .:\:/:.
        +-------------------+   .:\:\:/:/:.
        |   PLEASE DO NOT   |  :.:\:\:/:/:.:
        |  FEED THE TROLLS  | :=.' -   - '.=:
        |                   | '=(\ 9   9 /)='
        |   Thank you,      |    (  (_)  )
        |       Management  |    /`-vvv-'\
        +-------------------+   /         \
                |  |        @@@  / /|,,,,,|\ \
                |  |        @@@ /_//  /^\  \\_\
  @x@@x@        |  |         |/ WW(  (   )  )WW
  \||||/        |  |        \|   __\,,\ /,,/__
   \||/         |  |         |  jgs (______Y______)
/\/\/\/\/\/\/\/\//\/\\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\

-- Steve

From bar_n0ne at hotmail.com Sat Feb 5 14:31:31 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Feb 5 05:35:04 2005
Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!!
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd097j2.sg.nobody@127.0.0.1...
> On Fri, 04 Feb 2005 17:17:26 -0800, Peter Pearson coughed into spamcop
> and left this in :
>
> > Is there an alternative interpretation of the article that
> > makes it more "new" news?
>
> I haven't read the article but what *is* new about this particular
> infestation is that it sends the spam out through the ISP's official
> SMTP circuit instead of going out direct-to-mx.

Isn't that just what they used to do a few years ago, all over again, except instead of having an account, spammer "borrows" one from a zombied user?

From nobody at nowhere.invalid Sat Feb 5 13:02:16 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat Feb 5 07:05:04 2005
Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!!
References:
Message-ID:

On Sat, 5 Feb 2005 14:31:31 +0400, Berny coughed into spamcop and left this in :
> Isn't that just what they used to do a few years ago, all over again, except
> instead of having an account, spammer "borrows" one from a zombied user?

Quite a few years ago, yes, that's what they used to do.
-- Steve In most countries selling harmful things like drugs is punishable. Then how come people can sell Microsoft software and go unpunished? -- Hasse Skrifvars From MikeE at ster.invalid Sat Feb 5 04:23:03 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 5 07:25:02 2005 Subject: [SpamCop-List] Re: Continued Encoded Subject Gags Parser References: Message-ID: 32123 wrote: > Brian >> 32123 wrote: > >>> When a spam subject line is encoded and >>> continued without a leading space on the >>> continuation line, the parser cannot >>> handle it. >> I'm not sure where the parser broke down for you. I pasted your spam >> into the parser and didn't see the problem, but it was using what you >> supplied, not the original. Do you have a tracker to share with us? > > On the supplied spam example, the parser always displays > the following two-line error message: The problem is that the 'supplied spam example' was 'supplied' via being pasted into a news message in .spam instead of being 'supplied' by giving us a tracker. Anything which is posted into .spam into a message body by a newsreader has resultant newsreader induced linewraps unless some special method, such as posting it as an attachment or other strategy, is used to prevent this newsreader linewrap introduction. When you provide a tracker of the original item, this spurious newsreader linewrapping doesn't occur. Those of us who are trying to troubleshoot a parser problem have to take the/your item which has been 'bent' and changed by your newsreader's posting and 'unbend' it by removing its spurious induced linewraps. Sometimes the unbending of the problem your newsreader has introduced destroys or obscures the bending of the /original/ problem which you are trying to talk about in the first place. 
> error: couldn't parse head
> Message body parser requires full, accurate copy of message

You should've posted the tracker to the item from which you copied that parsing verbose instead of posting what you did in .spam, because that isn't the result I get, see below.

> This means that it ignores all links inside the body of the
> message, yet those links often point to the spammer and
> should therefore be reported.

That's what you say, but that's not what I see when I ask the parser to parse what I cleaned up from what you posted into .spam. It is imperative that I remove linewraps from what you posted in .spam or it won't parse at all. If I remove those newsreader induced wraps I get this parse:

www.spamcop.net/sc?id=z728887873z1b3210684d15e314098053d6e6ba8e79z
Finding links in message body
Recurse multipart:
Recurse multipart:
Parsing text part
Parsing HTML part
Ignored image/jpeg part
no links found

That parsing result is exactly what I see when I examine the item by human eyeball. I see a multipart boundary structure inside of a multipart boundary structure, and nothing contains any links.

> Spammers should not profit from the inability of the
> parser to parse headers containing continued encoded
> lines when the continued line does not begin with a gap.

We can't even talk about what you are trying to talk about until you post a tracker instead of a bent representation of the original in .spam.

> More info on the importance of leading gaps on ordinary
> (non-encoded) header continuation lines:
>
> http://mailsc.spamcop.net/fom-serve/cache/368.html

-- Mike Easter kibitzer, not SC admin

From null at null.com.none Sat Feb 5 13:42:40 2005
From: null at null.com.none (Martin)
Date: Sat Feb 5 08:45:33 2005
Subject: [SpamCop-List] Empty Body not being accepted
Message-ID:

How come spamcop refuses to accept submissions with an empty body now, it used to parse and report them ok now it says error in submission empty body.
I have to insert something like to get it to report ok, have re-read the rules and nothing there says empty bodied spam can't be submitted. And from reading previous posts on here the common belief is the content makes no difference to whether its classified as spam, but more the intent. Most are from zombied pc's or open proxies, accepting them will help to block them quicker before more spam comes through them.

Martin

From bar_n0ne at hotmail.com Sat Feb 5 17:50:04 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Feb 5 08:55:04 2005
Subject: [SpamCop-List] Re: Empty Body not being accepted
References:
Message-ID:

"Martin" wrote in message news:cu2igg$jvm$1@news.spamcop.net...
> How come spamcop refuses to accept submissions with an empty body now, it
> used to parse and report them ok now it says error in submission empty body.
> I have to insert something like to get it to report ok, have re-read
> the rules and nothing there says empty bodied spam can't be submitted.
> And from reading previous posts on here the common belief is the content
> makes no difference to whether its classified as spam, but more the intent.
> Most are from zombied pc's or open proxies, accepting them will help to
> block them quicker before more spam comes through them.
>
> Martin

AFAIK it never worked, you have the correct method in hand. others insert: "No Body Text" or similar

From null at null.com.none Sat Feb 5 14:37:44 2005
From: null at null.com.none (Martin)
Date: Sat Feb 5 09:40:04 2005
Subject: [SpamCop-List] Re: Empty Body not being accepted
References:
Message-ID:

"Berny" wrote in message news:cu2iuf$kcj$1@news.spamcop.net...
>
> AFAIK it never worked, you have the correct method in hand.
others insert:
>
> "No Body Text" or similar
>

Ok maybe my mistake, I thought it did work with blank lines after the headers before but I could be wrong, thanks for your reply :)

Martin

From nobody at devnull.spamcop.net Sat Feb 5 09:46:19 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Sat Feb 5 09:50:03 2005
Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx?
In-Reply-To:
References:
Message-ID:

Bert Driehuis wrote:
> But I agree with the analysis; if the trend noted by news.com.squared
> continues, it will separate the wheat from the chaff and we may finally
> see the last of the truly incompetent ISPs.

I'm in Quebec, where Videotron is the only cable game in town. In the four years I'm here, things have slowly improved with respect to abuse. The last tech support guy I spoke to, regarding virus-laden emails I was getting from another Videotron IP, actually was pretty clued.

An interesting strategy would be to neutralize the zombies in a mechanical way - a proactive activity as opposed to some reactive one (i.e., shut down an IP after complaints, analyzing spam logs, etc.)

From the ISP-level, it should be feasible to identify traffic used to control the zombies/trojans -- perhaps this is already known from information about the trojans in question. ISP techies could do port scans of all their customers looking for only the known zombie comm ports. Shut off those accounts until the users can clean up their PCs.

From cbminfo at toast.net Sat Feb 5 09:56:09 2005
From: cbminfo at toast.net (ken)
Date: Sat Feb 5 10:00:03 2005
Subject: [SpamCop-List] ignoring reply to:
Message-ID:

I'm now getting Tsunami scams worth Millions of dollars. They're all coming from the same isp and same reply to: at Netscape.com roots to abuse@aol.com . Just to be sure I've been submitting them to spamcop to make sure I'm not screwing up with Sam spade. Only spam reports spamcop's sending to from this are the final mailbox at my isp.
I realize the reply to, from etc can all be forged, but when the emails are identical, wouldn't it make sense for the reports to use any available links supplied by the spammer ? From Kilgallen at SpamCop.net Sat Feb 5 09:00:58 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Feb 5 10:05:03 2005 Subject: [SpamCop-List] Re: Spammers' New Strategy - Oh, Man!! References: Message-ID: In article , Mathew Hendry writes: > That link doesn't appear to work anymore, but they're talking about spam > being sent via mail relays at the host ISP, not directly to target MXes as > most current zombies do. > > To deal with this, the target MXes could blacklist the relays, but that > would also block all legitimate mail from those ISPs. ...thereby encouraging those ISPs to ban compromised machines (and perhaps even readily susceptible machines) from their networks. What's not to like ? From amenex at amenex.com Sat Feb 5 10:09:51 2005 From: amenex at amenex.com (George Langford, Sc.D.) Date: Sat Feb 5 10:09:59 2005 Subject: [SpamCop-List] How does Yahoo (or its registrars) get away with this ? Message-ID: <200502051509.j15F9pe06997@email1.voicenet.com> Tracker: http://www.spamcop.net/sc?id=z728915987z046dd46c99e70e6238e4cdcf9756e015z Domain name in message body: http://citifinancialinf.com/ TraceRT leads to: premium3.geo.yahoo.akadns.net (68.142.234.76). None of my WhoIs sources can find the registration information. I tried CompleteWhoIS: http://www.completewhois.com/ EasyWhoIS: http://www.easywhois.com/ and OpenRBL.org: http://us.openrbl.org/ As no AS number was forthcoming from OpenRBL, I sent my LART to abuse@level3.net in addition to abuse@akamai.com (akadns.net), slurp@inktomi.com, and mail-abuse@yahoo-inc.com, not to mention phish@millersmiles.co.uk and spam@uce.gov. To whom should I have addressed a LART about the lack of information about the registrant of the domain, citifinancialinf.com ? 
amenex

From wb8tyw at qsl.network Sat Feb 5 10:12:52 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Sat Feb 5 10:15:04 2005
Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx?
In-Reply-To:
References:
Message-ID:

Sofa King Tyred of Lar Ting wrote:
>
> From the ISP-level, it should be feasible to identify traffic used to
> control the zombies/trojans -- perhaps this is already known from
> information about the trojans in question. ISP techies could do port
> scans of all their customers looking for only the known zombie comm
> ports. Shut off those accounts until the users can clean up their PCs.

Traffic surge monitoring and alert capability is already built in to commercial network monitoring equipment, the kind that any medium to large network needs. A spam run either direct to MX or through the ISP's mail servers should be very easy for these traffic monitors to detect, as only known mail servers should produce enough SMTP traffic to even register above a very low threshold.

Port scans are more troublesome to do automatically. They also consume bandwidth, so must be throttled. It is probably likely that the time needed to sequentially scan all I.P. addresses for an ISP can be measured in weeks or months if they do not want to disrupt their network. And apparently the spamware keeps morphing to evade automatic scans.

The open source test sets available from dsbl.org seem to be very comprehensive and easily adaptable for an ISP to use to scan a suspect machine, or a range. An ISP can set up programs to receive alerts from the traffic analyzers that they should already have to trigger a scan, and they can also trigger a scan from any e-mail received by their postmaster/abuse or other role accounts where they scan any I.P. addresses of theirs that are found in the e-mail.
Any ISP that allows their abuse/postmaster queue to get behind on a regular basis, is operating on the model of the Hooterville Phone company featured in the old U.S. TV show "Green Acres". And usually making the same excuses. By not taking immediate action on problems, they are causing the effects of those problems to multiply in the amount of cleanup the ISP must do, and the amount of operating profit that they lose.

It is likely in those cases, if ISP owners checked, they would find that the cash losses from letting these problems queue up greatly exceed the costs of competent personnel that could deal with them in real time.

-John
wb8tyw@qsl.network
Personal Opinion Only

From reply at newsgroup.please Sat Feb 5 10:14:02 2005
From: reply at newsgroup.please (Geoffrey Welsh)
Date: Sat Feb 5 10:15:14 2005
Subject: [SpamCop-List] "Message body parser requires full, accurate copy of message" again
Message-ID:

Message was delivered directly to SpamCop (i.e., it IS a full, accurate copy.)

I have no problem with SpamCop not being able to parse every message - and this is a very ugly one, a base 64 encoded HTML attachment with no line wraps - but I think that "More information on this error.. " is obviously wrong when it says "It is an error introduced by the recipient (you) when copying or submitting email to spamcop. If you encounter this problem, please review how you submit spam to SpamCop and take corrective action" because I didn't submit it - the spammer sent it to my @spamcop.net address.

-- Geoffrey Welsh

From nobody at devnull.spamcop.net Sat Feb 5 10:16:09 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Sat Feb 5 10:20:02 2005
Subject: [SpamCop-List] zombie hunting?
Message-ID:

Question: why don't more ISPs proactively seek out zombies today, as opposed to sitting around and waiting to possibly get LARTs about their use tomorrow? (ok, so I know the answer to this question -- money, education, competence, etc.)
I found these articles:
http://www.theregister.co.uk/2004/09/22/p-cube_zombie_buster/
http://www.infoworld.com/article/05/01/31/HNciphertrust_1.html

From nobody at devnull.spamcop.net Sat Feb 5 10:48:45 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Sat Feb 5 10:50:03 2005
Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx?
In-Reply-To:
References:
Message-ID:

John E. Malmberg wrote: [snip]

Thanks for the details, as always very informative -- I especially liked the Hooterville analogy!

Would port scans on known spam/DDOS trojan ports be that costly in terms of bandwidth? -- Don't have to check for all trojans, although that could be good. Even if it took weeks/months, that seems like a good strategy since MyDoom's zombies have been around for at least a year.

> It is likely in those cases, if ISP owners checked, they would find that
> the cash losses from letting these problems queue up greatly exceed the
> costs of competent personnel that could deal with them in real time.

I agree. My guess is that what makes things change here for the better is a retarded form of what you describe.

Scenario: Some months after the zombie spam surge problem, someone in management sees a tech-support backlog, increased complaints from customers about support, increased budget requests from tech support, higher-than-usual turnover (from employee burnout) problems, etc. Perhaps a competent upper manager investigates and discovers the possible causes, and implements policies to fix them. Speculation on my part, of course...

Meanwhile, technology has evolved to a set of other problems. Trojans morph faster than management or lawmakers.
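The traffic-threshold check discussed in this thread (only known mail servers should produce noticeable SMTP traffic, whether a customer machine goes direct-to-MX or through the ISP's relay), sketched as an added example that is not part of any post on the list. The record format, the addresses (documentation ranges), the window and the threshold are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from typing import NamedTuple

SMTP_PORT = 25


class Flow(NamedTuple):
    ts: int      # seconds since start of capture
    src: str     # address inside the ISP's network
    dst: str
    dport: int


def parse_flow(line):
    """Parse a hypothetical 'ts src dst dport' record; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return Flow(int(parts[0]), parts[1], parts[2], int(parts[3]))
    except ValueError:
        return None


def load(lines):
    """Keep only the lines that parse as flow records."""
    return [f for f in map(parse_flow, lines) if f is not None]


def smtp_surges(flows, mail_servers, relay, window=60, threshold=20):
    """Flag hosts that are not known mail servers yet open more than
    `threshold` port-25 connections inside any `window`-second span.

    The 'path' field separates the two cases from the thread: many
    distinct destinations means direct-to-MX, a single destination equal
    to the ISP relay means the spam is leaving through the ISP's server.
    """
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    peak = defaultdict(int)       # src -> highest count seen in one window
    dests = defaultdict(set)      # src -> distinct SMTP destinations
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport != SMTP_PORT or f.src in mail_servers:
            continue
        q = recent[f.src]
        q.append(f.ts)
        while q and q[0] <= f.ts - window:
            q.popleft()
        peak[f.src] = max(peak[f.src], len(q))
        dests[f.src].add(f.dst)
    report = {}
    for src, p in peak.items():
        if p > threshold:
            via_relay = dests[src] <= {relay}
            report[src] = {
                "peak": p,
                "destinations": len(dests[src]),
                "path": "isp-relay" if via_relay else "direct-to-mx",
            }
    return report


def constructed_sample():
    """Constructed records for the demonstration, not real traffic."""
    lines = ["# constructed sample, not real traffic"]
    for i in range(45):        # customer going direct-to-MX
        lines.append(f"{i} 198.51.100.23 203.0.113.{i + 1} 25")
    for i in range(30):        # customer pushing mail through the ISP relay
        lines.append(f"{100 + i} 198.51.100.77 192.0.2.10 25")
    for i in range(200):       # the relay itself: busy, but a known server
        lines.append(f"{i} 192.0.2.10 203.0.113.{i % 250 + 1} 25")
    for t in (5, 300, 590):    # ordinary customer sending a few mails
        lines.append(f"{t} 198.51.100.5 192.0.2.10 25")
    for i in range(100):       # heavy web traffic, irrelevant here
        lines.append(f"{i} 198.51.100.9 203.0.113.80 80")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    flows = load(constructed_sample())
    for src, info in sorted(smtp_surges(flows, {"192.0.2.10"}, "192.0.2.10").items()):
        print(src, info)
```

A zombie that keeps its rate under the per-host threshold is not flagged by this check; a lower threshold or a longer window trades that off against false alarms on ordinary customers.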
From MikeE at ster.invalid Sat Feb 5 08:00:14 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Feb 5 11:00:03 2005
Subject: [SpamCop-List] Re: "Message body parser requires full, accurate copy of message" again
References:
Message-ID:

Geoffrey Welsh wrote:
> Message was delivered directly to SpamCop (i.e., it IS a full,
> accurate copy.)

www.spamcop.net/sc?id=z728927016z70f1d854f949531a606a847109217d75z>

That item is 'screwed up' - perhaps starting before it got to SC, but surely now, because SC has 'compounded' its screwup.

The parts consist of header with [headercontent & boundary information + bodycontent & boundary marker in the header + SC Xlines] then the body which is now without its body content or boundary marker which were squished up into the header as described and then further screwed up by SC adding SC Xlines to/below the squished condition.

It should be header with header content & boundary information followed by the SC Xlines then a space to the body, then the boundary marker and body content information.

If I disassemble the screwup and put all of its parts back together again in the appropriate order, you get this:

www.spamcop.net/sc?id=z728948917z3c8d961d6254e4be09e7eaf43bb1d996z
Report Spam to:
Re: 81.15.194.37 (Administrator of network where email originates)
To: mkrzysztofowicz@telenergo.pl (Notes)
To: dolsat#poczta.fm@devnull.spamcop.net (Notes)
Re: 81.15.194.37 (Third party interested in email source)
To: Cyveillance spam collection (Notes)
Re: http://hjuytr.iaigakbdjj.info/?ixenktiimhj5uice... (Administrator of network hosting website referenced in spam)
To: abuse@mci.com (Notes)

which includes finding the links in the b64/d html.

> I have no problem with SpamCop not being able to parse every message
> - and this is a very ugly one, a base 64 encoded HTML attachment with
> no line wraps - but I think that "More information on this error..
" > is obviously wrong when it says "It is an error introduced by the > recipient (you) when copying or submitting email to spamcop. If you > encounter this problem, please review how you submit spam to SpamCop > and take corrective action" because I didn't submit it - the spammer > sent it to my @spamcop.net address. -- Mike Easter kibitzer, not SC admin From usenet1 at DE.LETE.THISljvideo.com Sat Feb 5 16:28:38 2005 From: usenet1 at DE.LETE.THISljvideo.com (Larry J.) Date: Sat Feb 5 11:30:03 2005 Subject: [SpamCop-List] Spam subject of the week Message-ID: Subject from a mortgage spam: "Countenance bank con" -- Larry J. - Remove spamtrap in ALLCAPS to e-mail The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong. From MikeE at ster.invalid Sat Feb 5 08:30:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 5 11:30:10 2005 Subject: [SpamCop-List] Re: How does Yahoo (or its registrars) get away with this ? References: Message-ID: George Langford, Sc.D. wrote: www.spamcop.net/sc?id=z728915987z046dd46c99e70e6238e4cdcf9756e015z > > Domain name in message body: http://citifinancialinf.com/ SC wants to notify slurp@inktomi.com based on the arin for OrgName: Inktomi Corporation NetRange: 68.142.192.0 - 68.142.255.255 CIDR: 68.142.192.0/18 which actually sez: Comment: For general abuse contact netblockadmin@yahoo-inc.com. Comment: For Web Crawler questions please contact slurp@inktomi.com. AbuseEmail: netblockadmin@yahoo-inc.com so I would say netblockadmin at yahoo is better. > TraceRT leads to: premium3.geo.yahoo.akadns.net (68.142.234.76). I don't find the tracert to be a good strategy. It is a poor substitute for the ASN, and the upstream notifications are often inappropriate. There's no point in notifying upstreams of the IP of a yahoo/inktomi website issue. > None of my WhoIs sources can find the registration information. 
> I tried CompleteWhoIS: http://www.completewhois.com/ > EasyWhoIS: http://www.easywhois.com/ > and OpenRBL.org: http://us.openrbl.org/ 'Registration information' is ambiguous. There is the regional registrar's information, Inktomi above, and the domainname below. The registration information for a domainname is found according to the tld, toplevel domain, in this case .com, so I use internic, which comes up empty, so then I use crsnic which sez whois.melbourneit.com and is brandnew as of today. whois -h whois.melbourneit.com citifinancialinf.com ... Domain Name.......... citifinancialinf.com Creation Date........ 2005-02-05 Organisation Name.... Armond Lehman Organisation Address. 7893 macdougall dr. Organisation Address. Jacksonville Organisation Address. 32244 Organisation Address. FL Organisation Address. UNITED STATES > As no AS number was forthcoming from OpenRBL, I sent my LART to > abuse@level3.net in addition to abuse@akamai.com (akadns.net), > slurp@inktomi.com, and mail-abuse@yahoo-inc.com, not to mention > phish@millersmiles.co.uk and spam@uce.gov. > > To whom should I have addressed a LART about the lack of information > about the registrant of the domain, citifinancialinf.com ? I think somehow you went astray in looking for that. It isn't available at internic for some reason. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Feb 5 08:45:41 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 5 11:50:12 2005 Subject: [SpamCop-List] Re: zombie hunting? References: Message-ID: Sofa King Tyred of Lar Ting wrote: > Question: why don't more ISPs proactively seek out zombies today, as > opposed to sitting around and waiting to possibly get LARTs about > their use tomorrow? (ok, so I know the answer to this question -- > money, education, competence, etc.) It is much worse than you think. 
Not only do major ISPs not properly proactively monitor what their proxy/trojan cable modem subscribers are pumping out; but even when they are /notified/ of exactly what the problem is, they don't do anything about it. That is the problem with RR and that is the problem with EL; two providers whom I've had the experience of hounding in public newsgroup fora by naming some IPs, what is wrong with them, where they are listed, how much spew they are putting out using senderbase now, spamcop's data in the past. Previously when I was RR I would focus on a spam I had received from a RR IP. Now that I'm EL I do it differently. I hope to shame them into accepting the responsibilities. A few days ago I picked the top 3 mindspring IPs from the SC statistics page and started talking about it in the EL email newsgroup [access limited to EL news servers] and I'm still talking about it every day and a half or so with ongoing followups of the senderbase activity and the fact that all 3 are still spamcop listed. Previously someone suggested I make my racket over in dslreports forums, because some of the EL people don't like to look bad in there, whereas they mostly don't even know what is going on in the newsgroups. -- Mike Easter kibitzer, not SC admin From amenex at amenex.com Sat Feb 5 12:05:13 2005 From: amenex at amenex.com (George Langford, Sc.D.) Date: Sat Feb 5 12:05:28 2005 Subject: [SpamCop-List] Active eBay phishing sites beyond the radar Message-ID: <200502051705.j15H5D3Y021426@voicenet.com> Hello eBay: The following site has been active since October 30, 2004: http://213.136.106.214/.ls/ for which the Spamcop tracker is: http://www.spamcop.net/sc?id=z687361272z9a582fd2cc6499788f7cf719cdd80969z This one has been reported to: padkla@aviso.ci, assied@aviso.ci, and postmaster@opentransit.net, apparently to no avail. It gets worse. 
The guy appears to be getting set to do it again: http://213.136.106.214/cetig/.images/index.html (returns a blank screen but the HTML code is still there ... ?). However, read on; there's more. The Spamcop tracker for one of the three emails originally received is: http://www.spamcop.net/sc?id=z708555609za6ec7e8b8c61d469cdbb68cfd7d7625az See also: http://213.136.106.214/cetig/index2.htm but the following is the actual eBay phishing source is now in a new index file: http://213.136.106.214/cetig/.images/index2.htm This sourcecode has been changed since I last reported the site. Note that the IP address is the same as the site at the top of this page. I reported this site to assied@aviso.ci and j.zano@aviso.ci, clearly to no avail. The following site also remains active: http://pl.changwon.ac.kr/secure/saw-cgi/DllUpdate/signin/ws2/ISAPIDll/eBayISAPIdllSignIn_favoritenavid.uproduct.ppco_partnerId2ru.http_my.ebay.com_80_Fws2FeBayISAPI.dll3FMyeBay26ssPageName3Dh253Ah253Amebay_253AUS1ruparams_pageType1883.pa2.bshowgif.a1pUserId.errmsg_UsingSSL_0uname.siteid0.html For which the Spamcop tracker is: http://www.spamcop.net/sc?id=z715217569zbfae347f7e56405c295fb7331961fc97z This site was reported to: hjs123@kt.co.kr, kren@snu.ac.kr, and mail-abuse@yahoo-inc.com. I am now reporting it also to slurp@inktomi.com. What's a concerned citizen to do ? George Langford, Sc.D. amenex@amenex.com From MikeE at ster.invalid Sat Feb 5 09:09:05 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 5 12:10:03 2005 Subject: [SpamCop-List] Re: Continued Encoded Subject Gags Parser References: Message-ID: 32123 wrote: www.spamcop.net/sc?id=z728962596z67032fce83e6cb49ced0525698dcbfb5z Yes, you are correct. That improper subject structure bolloxes the parse. Even without the subject, there are no links to be found, tho'. That subject doesn't work for my mailuser agent either, but that's 'partly' because it is a Cyrrilic 1251 charset. 
If I had the proper charset, and /if/ the subject were constructed properly, my mua should decode the b64 and display the chars. I don't know that the parser should be able to accommodate every zany idea someone comes up with for some part of a mail.

Your 368 link which you posted before, whose generic non-spamcop-mail link is http://www.spamcop.net/fom-serve/cache/368.html to address the issue of how folding should be done doesn't really address this weird encoding folding problem.

I'm not familiar with the smtp RFC for how to properly fold an encoded subject line. I'm pretty sure whatever is going on with that subject has nothing to do with any RFC compliance.

-- Mike Easter kibitzer, not SC admin

From MikeE at ster.invalid Sat Feb 5 09:33:53 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Feb 5 12:35:03 2005
Subject: [SpamCop-List] Re: Continued Encoded Subject Gags Parser
References:
Message-ID:

Mike Easter wrote:
> I'm not familiar with the smtp RFC for how to properly fold an encoded
> subject line. I'm pretty sure whatever is going on with that subject
> has nothing to do with any RFC compliance.

Apparently this is a proper folding, and it turns out that I do have Cyrillic

www.spamcop.net/sc?id=z728978505z36456a10cf9f0fb5803556fc631577dbz
Finding links in message body
Recurse multipart:
Recurse multipart:
Parsing text part
Parsing HTML part
Ignored image/jpeg part
no links found

I wonder if the improper folding was done by the spammer or something the mail encountered along the way.

-- Mike Easter kibitzer, not SC admin

From SCNews.5.myspamgobbler at spamgourmet.com Sat Feb 5 09:44:00 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Sat Feb 5 12:45:04 2005
Subject: [SpamCop-List] Re: Continued Encoded Subject Gags Parser
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> 32123 wrote:
> www.spamcop.net/sc?id=z728962596z67032fce83e6cb49ced0525698dcbfb5z
>
> Yes, you are correct.
That improper subject structure bolloxes the > parse. Even without the subject, there are no links to be found, tho'. There may have been links but the message was truncated. > > That subject doesn't work for my mailuser agent either, but that's > 'partly' because it is a Cyrrilic 1251 charset. If I had the proper > charset, and /if/ the subject were constructed properly, my mua should > decode the b64 and display the chars. I don't know that the parser > should be able to accomodate every zany idea someone comes up with for > some part of a mail. > > Your 368 link which you posted before, whose generic non-spamcop-mail > link is http://www.spamcop.net/fom-serve/cache/368.html to address the > issue of how folding should be done doesn't really address this weird > encoding folding problem. > > I'm not familiar with the smtp RFC for how to properly fold an encoded > subject line. I'm pretty sure whatever is going on with that subject > has nothing to do with any RFC compliance. > > From nobody at devnull.spamcop.net Sat Feb 5 12:48:40 2005 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Sat Feb 5 12:50:04 2005 Subject: [SpamCop-List] Re: zombie hunting? In-Reply-To: References: Message-ID: Mike Easter wrote: > It is much worse than you think. Not only do major ISPs not properly > proactively monitor what their proxy/trojan cable modem subscribers are > pumping out; but even when they are /notified/ of exactly what the > problem is, they don't do anything about it. Things were like that (and possibly still are to some extent) with Videotron here in Quebec. However, complaints about virus-laden emails coming from IPs in their space (diagnosed with SC, but not LARTed) got resolved in the past (1+ yrs ago). There was a major "reform" (relatively speaking) that took place at the ISP after MyDoom -- the ISP all of a sudden had a security page on their support site, with suggested procedures, tools, etc. 
In a couple of cases I logged personally in the past, it took two-three weeks for the virus-laden emails from various IPs to stop, at least counting from when my complaints started. When it comes from IPs on your own ISP, you can be more effective when you complain. I would phone up (sometimes every day) and ask about my complaint number, and stay on the line and insist on knowing what action was being taken to stop virus emails from coming from that IP. This took a lot of my time, and I can't say for certain it had any true effect, but something did change. Perhaps it was just the sheer numbers and press involved with MyDoom. Somebody woke up to the problem, perhaps because of other pressures, bandwidth, someone with a clue and authority (both) in the company who took action. I found some good stuff on Comcast and their proactive approach: http://www.infoworld.com/article/04/03/09/HNcomcastspam_1.html Perhaps more ISPs could follow their lead. After some googling, I see there are some other recommendations from Anti-Spam Technical Alliance (ASTA): http://docs.yahoo.com/docs/pr/release1169.html Strange to see that EL is part of ASTA, but you're saying they aren't so proactive (or even reactive) to zombies -- the best practices address this problem. Perhaps the ASTA is being used by some ISPs for the marketing image. The ASTA policy proposal (available even on the EL sites at http://www.earthlink.net/about/press/pr_asta_tech/asta_tech.pdf) seems intelligently written, at least the few pages I read in detail. > That is the problem with RR and that is the problem with EL; two > providers whom I've had the experience of hounding in public newsgroup > fora by naming some IPs, what is wrong with them, where they are listed, > how much spew they are putting out using senderbase now, spamcop's data > in the past. > > Previously when I was RR I would focus on a spam I had received from a > RR IP. Now that I'm EL I do it differently. 
Long-time, unresolved issues show up on the radar of a customer support group in a company that tracks them -- my wife worked for more than a year in that position at an online jewelry vendor (though not at an ISP). It is costly in terms of time to pursue issues, both as a user and as a tech-support manager. Maybe you can get more EL users to phone-in or email (and insist on action by pursuing) the complaints about zombie PCs. Just an idea. Anyway, the latest news about zombies using local relays as opposed to remote MX may force ISPs to take action, since they risk getting blocked in major ways. Not cleaning up zombies is perhaps going to be just as bad as harboring spammers. Some other discussions in this group seem to indicate that. From SCNews.5.myspamgobbler at spamgourmet.com Sat Feb 5 10:05:48 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Feb 5 13:10:12 2005 Subject: [SpamCop-List] Re: ignoring reply to: In-Reply-To: References: Message-ID: ken wrote: > I'm now getting Tsunami scams worth Millions of dollars. They're all coming > from the same isp and same reply to: at Netscape.com roots to abuse@aol.com > . > Just to be sure I've been submitting them to spamcop to make sure I'm not > screwing up with Sam spade. > > Only spam reports spamcop's sending to from this are the final mailbox at my > isp. > I realize the reply to, from etc can all be forged, but when the emails are > identical, wouldn't it make sense for the reports to use any available links > supplied by the spammer ? > > This is where human intervention works better than the parser can. Usually the reply to is forged, but often not in scams where the perp needs a response. This requires manually reporting the reply to address as well as any email address given in the message body. I use a variety of methods to get this point across to abuse desks. Subject: is being used for 419 spam drop box. 
I then let them know where the email address can be found, whether in the headers or in the message body, and where in the message body. This helps them to quickly locate it and not have to read thru the whole message. I also add that this address is often forged, but in this case, it is being used for such-and-such a reason. Then I paste the message. I have had this work well. Unfortunately, in a discussion with Carl Hutzler, AOL's Director of Spam Operations, AOL hasn't found a method to determine that it's not a joe job and willingly delete those accounts. I've been attempting to change his opinion. If you would like to forward some samples (as attachments) to me, I can use it to possibly get him to respond to this. SpamNScamsReporter at gmail dot com. From MikeE at ster.invalid Sat Feb 5 10:13:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 5 13:15:05 2005 Subject: [SpamCop-List] Re: Active eBay phishing sites beyond the radar References: Message-ID: George Langford, Sc.D. wrote: > Hello eBay: > > The following site has been active since October 30, 2004: > http://213.136.106.214/.ls/ for which the Spamcop tracker is: > http://www.spamcop.net/sc?id=z687361272z9a582fd2cc6499788f7cf719cdd80969z That tracker won't work for me Failed to load spam header:687361272 / 9a582fd2cc6499788f7cf719cdd80969 It appears to my GET that the site is currently operational. > This one has been reported to: padkla@aviso.ci, assied@aviso.ci, and > postmaster@opentransit.net, apparently to no avail. SC wants to report 213.136.106.214 to the aviso.ci addies you named, but the abuse.net reg'ds are whois -h whois.abuse.net aviso.ci ... 
postmaster@aviso.ci assied@aviso.ci j.zano@aviso.ci (for aviso.ci) Aviso is AS29571 and 29571 is citelecom aut-num: AS29571 as-name: CITelecom-AS admin-c: JZ1631-RIPE j.zano@aviso.ci admin-c: KAD6-RIPE padkla@aviso.ci tech-c: KAD6-RIPE tech-c: AE5-RIPE assied@aviso.ci so upstream is AS5511 OPENTRANSIT France Telecom whois -h whois.abuse.net opentransit.net ... webmaster@opentransit.net abuse@opentransit.net postmaster@opentransit.net (for opentransit.net) > The following site also remains active: > > http://pl.changwon.ac.kr/secure/saw-cgi/DllUpdate/signin/ws2/ISAPIDll/eBayISAPIdllSignIn_favoritenavid.uproduct.ppco_partnerId2ru.http_my.ebay.com_80_Fws2FeBayISAPI.dll3FMyeBay26ssPageName3Dh253Ah253Amebay_253AUS1ruparams_pageType1883.pa2.bshowgif.a1pUserId.errmsg_UsingSSL_0uname.siteid0.html > For which the Spamcop tracker is: www.spamcop.net/sc?id=z715217569zbfae347f7e56405c295fb7331961fc97z That tracker works and its link performs an ebay phish GET > This site was reported to: hjs123@kt.co.kr, kren@snu.ac.kr, and > mail-abuse@yahoo-inc.com. I am now reporting it also to > slurp@inktomi.com. SC currently sez Reporting addresses: hjs123@kt.co.kr kren@snu.ac.kr but apnic sez that 203.246.5.68 is inetnum: 203.246.5.0 - 203.246.5.255 netname: KREN-CWNU-LL-470-KR descr: CHANGWON NATIONAL UNIVERSITY so I'm wondering how the phisher parked the site at the university. > What's a concerned citizen to do ? I think my first choice would be to try harder than SC did for the university. radb sez the IP is AS18170 and cymru fails. AS18170 = aut-num: AS18170 as-name: CHANGWON-UNIV-AS-AP descr: CHANGWON NATIONAL UNIVERSITY admin-c: JL1638-AP ljd@changwon.ack.kr tech-c: JL1638-AP whois -h whois.abuse.net changwon.ack.kr ... 
spamcop@kisa.or.kr postmaster@changwon.ack.kr abuse@changwon.ack.kr (for kr) Bora was also mentioned somewhere in there; so I would also notify them abuse@bora.net -- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Sat Feb 5 10:21:23 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Feb 5 13:25:04 2005 Subject: [SpamCop-List] Re: How does Yahoo (or its registrars) get away with this ? In-Reply-To: References: Message-ID: Mike Easter wrote: > George Langford, Sc.D. wrote: > www.spamcop.net/sc?id=z728915987z046dd46c99e70e6238e4cdcf9756e015z > >>Domain name in message body: http://citifinancialinf.com/ > > > SC wants to notify slurp@inktomi.com based on the arin for > OrgName: Inktomi Corporation > NetRange: 68.142.192.0 - 68.142.255.255 > CIDR: 68.142.192.0/18 > > which actually sez: > > Comment: For general abuse contact netblockadmin@yahoo-inc.com. > Comment: For Web Crawler questions please contact slurp@inktomi.com. > AbuseEmail: netblockadmin@yahoo-inc.com > > so I would say netblockadmin at yahoo is better. > > > > whois -h whois.melbourneit.com citifinancialinf.com ... > Domain Name.......... citifinancialinf.com > Creation Date........ 2005-02-05 > Organisation Name.... Armond Lehman > Organisation Address. 7893 macdougall dr. > Organisation Address. Jacksonville > Organisation Address. 32244 > Organisation Address. FL > Organisation Address. UNITED STATES > > >>As no AS number was forthcoming from OpenRBL, I sent my LART to >>abuse@level3.net in addition to abuse@akamai.com (akadns.net), >>slurp@inktomi.com, and mail-abuse@yahoo-inc.com, not to mention >>phish@millersmiles.co.uk and spam@uce.gov. >> >>To whom should I have addressed a LART about the lack of information >>about the registrant of the domain, citifinancialinf.com ? > > > I think somehow you went astray in looking for that. It isn't available > at internic for some reason. 
> > Also, the contact email address for the domain is armondlehman@yahoo.com, so you could lart abuse at yahoo on this And the Tech data for this domain: Tech Name............ YahooDomains TechContact Tech Address......... 701 First Ave. Tech Address......... Tech Address......... Sunnyvale Tech Address......... 94089 Tech Address......... CA Tech Address......... UNITED STATES Tech Email........... domain.tech@YAHOO-INC.COM Tech Phone........... +1.6198813096 Tech Fax............. +1.6198813010 domain.tech may also be a worthwhile addy to lart From SCNews.5.myspamgobbler at spamgourmet.com Sat Feb 5 11:10:01 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat Feb 5 14:15:04 2005 Subject: [SpamCop-List] Re: Active eBay phishing sites beyond the radar In-Reply-To: References: Message-ID: George Langford, Sc.D. wrote: > Hello eBay: > > The following site has been active since October 30, 2004: > http://213.136.106.214/.ls/ for which the Spamcop tracker is: > http://www.spamcop.net/sc?id=z687361272z9a582fd2cc6499788f7cf719cdd80969z > This one has been reported to: padkla@aviso.ci, assied@aviso.ci, and > postmaster@opentransit.net, apparently to no avail. > > It gets worse. The guy appears to be getting set to do it again: > http://213.136.106.214/cetig/.images/index.html (returns a blank screen > but the HTML code is still there ... ?). However, read on; there's more. > The Spamcop tracker for one of the three emails originally received is: > http://www.spamcop.net/sc?id=z708555609za6ec7e8b8c61d469cdbb68cfd7d7625az > See also: http://213.136.106.214/cetig/index2.htm but the following is > the actual eBay phishing source is now in a new index file: > http://213.136.106.214/cetig/.images/index2.htm > This sourcecode has been changed since I last reported the site. Note that > the IP address is the same as the site at the top of this page. I reported > this site to assied@aviso.ci and j.zano@aviso.ci, clearly to no avail. 
> > The following site also remains active: > > http://pl.changwon.ac.kr/secure/saw-cgi/DllUpdate/signin/ws2/ISAPIDll/eBayISAPIdllSignIn_favoritenavid.uproduct.ppco_partnerId2ru.http_my.ebay.com_80_Fws2FeBayISAPI.dll3FMyeBay26ssPageName3Dh253Ah253Amebay_253AUS1ruparams_pageType1883.pa2.bshowgif.a1pUserId.errmsg_UsingSSL_0uname.siteid0.html > For which the Spamcop tracker is: > http://www.spamcop.net/sc?id=z715217569zbfae347f7e56405c295fb7331961fc97z > This site was reported to: hjs123@kt.co.kr, kren@snu.ac.kr, and mail-abuse@yahoo-inc.com. I am > now reporting it also to slurp@inktomi.com. > > What's a concerned citizen to do ? > > George Langford, Sc.D. > amenex@amenex.com > > One of the things that I do is notify eTrust when I see their logo on bogus sites. I did file a report. https://www.truste.org/consumers/watchdog_complaint.php Same with Verisign https://www.verisign.com/support/site/abuse.html I'm not sure that this does any good, but I would think it may help to bring in some 'big guns' I also found jefpro@nic.ci - hmmm, that's interesting because that is not the address shown. This may be the perp's email address. Down at the very bottom of 213.136.106.214 it shows an email address of ahissi@nic.ci but the address is actually jefpro and on checking, this is a valid address according to CentralOps. Digging further, nic.ci is Network Information Center Côte d'Ivoire. They show a support at nic dot ci address that may be useful. No abuse addy listed with abuse.net. http://www.nic.ci/presta_net.htm may be helpful. This may be the place to go. Good luck. Brian From MikeE at ster.invalid Sat Feb 5 11:50:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 5 14:50:08 2005 Subject: [SpamCop-List] Re: zombie hunting? 
References: Message-ID: Sofa King Tyred of Lar Ting wrote: > I found some good stuff on Comcast and their proactive approach: > > http://www.infoworld.com/article/04/03/09/HNcomcastspam_1.html That is a 2004 Mar article saying that comcast was going to do something about their zombies, but comcast still ranks very high in the spamcop statistics for spamsource, #9 of those IPs which resolve, just below pacbell now. Previously it was worse, so they must be doing a little something. But spews still has many many millions of comcast IPs listed http://www.spews.org/html/S2963.html I was EL newsgroup posting EL's position 2 days ago and it was #9 -- somehow it has dropped to #37 today. I don't understand that. > After some googling, I see there are some other recommendations from > Anti-Spam Technical Alliance (ASTA): > > http://docs.yahoo.com/docs/pr/release1169.html > > Strange to see that EL is part of ASTA, but you're saying they aren't > so proactive (or even reactive) to zombies -- the best practices > address this problem. Perhaps the ASTA is being used by some ISPs for > the marketing image. The ASTA policy proposal (available even on the > EL sites at > http://www.earthlink.net/about/press/pr_asta_tech/asta_tech.pdf) seems > intelligently written, at least the few pages I read in detail. Yes. I've been beating up on EL for being an ASTA 'talker' and not an ASTA 'walker' > Anyway, the latest news about zombies using local relays as opposed to > remote MX may force ISPs to take action, since they risk getting > blocked in major ways. Not cleaning up zombies is perhaps going to be > just as bad as harboring spammers. Some other discussions in this > group seem to indicate that. Yes. The reason I try to incite people in the EL newsgroup to 'act' is because occasionally an EL output server will get on a blocklist that interferes with people's mail delivery. 
They need to understand that if EL isn't going to tend to business, that their mail out delivery will be affected. My battlecry is that people who use a provider which has a lax policy about squashing abuses [in EL's case that consists of cable proxytrojans and hacked username/pw to abuse the EL smtpauth servers] will need to have some alternate way to mail out, because they will sometimes run into blockages of their EL mail. But, the only thing people ever complain about is EL not blocking enough spam. EL's antispam system has the positives of being able to be turned off [also the AV] and being able to be configured to only let in whitelisted and to be able to turn off challenges to the suspect and to be able to save 500 blocked spam at no cost to the mailbox. It has the negative of having a very porous 'normal' filter and having a default condition of challenging suspect spam. Personally I don't use EL's filter at all, but SpamPal tag mine. So, I like EL's filtering better than RR's. RR didn't allow you to turn off its spamblocking or antivirus, and its MAPS RBL+ wasn't all that good a filter, and it wasn't configurable -- so the EL clients who are whining so much don't have a good understanding of some of the problems they could be having with spamfiltering. Such as.... A while back a friend of mine wasn't getting my mail because her provider's filter was silently dropping it on the floor, and they didn't even /tell her/ [ie display on their webpages] they have a spamfilter until I found myself in communication with them tracking down my mail problem. I couldn't complete the mail from my EL account or from my gmail account, probably they had some kind of zany body filter that was killing/devnulling my plaintext mail and not bouncing anything. -- Mike Easter kibitzer, not SC admin From amenex at amenex.com Sat Feb 5 14:56:15 2005 From: amenex at amenex.com (George Langford, Sc.D.) 
Date: Sat Feb 5 14:56:25 2005 Subject: [SpamCop-List] Re: How does Yahoo (or its registrars) get away with this ? Message-ID: <200502051956.j15JuFq01117@email1.voicenet.com> Mike Easter wrote: >> SC wants to notify slurp@inktomi.com based on the arin for >> OrgName: Inktomi Corporation >> NetRange: 68.142.192.0 - 68.142.255.255 >> CIDR: 68.142.192.0/18 >> which actually sez: >> Comment: For general abuse contact netblockadmin@yahoo-inc.com. >> Comment: For Web Crawler questions please contact slurp@inktomi.com. >> AbuseEmail: netblockadmin@yahoo-inc.com > > so I would say netblockadmin at yahoo is better. That's good to know. > I don't find the tracert to be a good strategy. It is a poor substitute > for the ASN, and the upstream notifications are often inappropriate. > There's no point in notifying upstreams of the IP of a yahoo/inktomi > website issue. I didn't make myself clear. TraceRT often knows the IP address of a mysterious domain before anyone else. Why else could I connect when none of the WhoIs's that I knew could do it yet ? Also, TraceRt can get past any redirect sites so that the real location of the sourcecode can be found. As well as the IP address of the redirect site, whose abuse@ may want to know how his resources are being used fraudulently. TraceRT actually de-obfuscated the IP address for me: > TraceRT FROM voa.his.com TO www.citifinancialinf.com: > traceroute to premium3.geo.yahoo.akadns.net (68.142.234.76) The second line above is the conversion, The last line in the TraceRT is: > 12 p3w8.geo.re2.yahoo.com (68.142.234.76) Note that the IP block is correct. I get to the same location whether I add the www. to the domain or not. I notified abuse@akamai.com because of the akadns.net relationship to the destination IP address. 
> The registration information for a domainname is found according to the > tld, toplevel domain, in this case .com, so I use internic, which comes > up empty, so then I use crsnic which sez whois.melbourneit.com and is > brandnew as of today. Sho' 'nuf, http://www.completewhois.com/ finally comes around and sez: > Domain Name: CITIFINANCIALINF.COM > Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org > TLD Info: See IANA Whois - http://www.iana.org/root-whois/com.htm > Registry: VeriSign, Inc. - http://www.verisign-grs.com > Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE - > http://www.melbourneit.com > Whois Server: whois.melbourneit.com > Name Server[whois+dns with ip] YNS1.YAHOO.COM 66.218.71.205 > Name Server[whois+dns with ip] YNS2.YAHOO.COM 216.109.116.20 > Status: ACTIVE > Updated Date: 04-feb-2005 > Creation Date: 04-feb-2005 > Expiration Date: 04-feb-2006 > [whois.melbourneit.com] It wouldn't do that while I was capturing the sourcecodes with Mozilla's Composer HTML editor. This is the same guy as Mike quoted; alas only one Google hit, on the man's name. However, I did find out that he owns property at the address given in the WhoIs record. >> To whom should I have addressed a LART about the lack of information >> about the registrant of the domain, citifinancialinf.com ? > I think somehow you went astray in looking for that. It isn't available > at internic for some reason. I guess the answer is that, as far as Yahoo is concerned, these slowly propagating WhoIs records are probably going to be found first at http://whois.melbourneit.com, which works for me, too, by golly. Thanks for helping out with this fine resource. George Langford (amenex) From MikeE at ster.invalid Sat Feb 5 12:39:12 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 5 15:40:02 2005 Subject: [SpamCop-List] Re: How does Yahoo (or its registrars) get away with this ? References: Message-ID: George Langford, Sc.D. 
wrote: > Mike Easter wrote: >> I don't find the tracert to be a good strategy. It is a poor >> substitute for the ASN, and the upstream notifications are often >> inappropriate. There's no point in notifying upstreams of the IP of >> a yahoo/inktomi website issue. > > I didn't make myself clear. TraceRT often knows the IP address of > a mysterious domain before anyone else. Ah. We are saying different things I think. I think you are talking about using some suite of tools called TraceRT which can perform nslookup and dig and such, whereas I was talking about the unix commandtool traceroute or the win commandtool tracert which performs a single function. Could you be more specific about what you mean when you say TraceRT so I can understand if it is an application or suite of tools or what? Is there a website? I'll show some below about what I mean on my end. > Why else could I connect > when none of the WhoIs's that I knew could do it yet ? Also, TraceRt > can get past any redirect sites so that the real location of the > sourcecode can be found. As well as the IP address of the redirect > site, whose abuse@ may want to know how his resources are being used > fraudulently. > > TraceRT actually de-obfuscated the IP address for me: >> TraceRT FROM voa.his.com TO www.citifinancialinf.com: >> traceroute to premium3.geo.yahoo.akadns.net (68.142.234.76) > The second line above is the conversion, The last line in the > TraceRT is: >> 12 p3w8.geo.re2.yahoo.com (68.142.234.76) My SSwin tool's DNS tool sez this about that 02/05/05 12:19:45 dns www.citifinancialinf.com Canonical name: premium3.geo.yahoo.akadns.net Aliases: www.citifinancialinf.com Addresses: 68.142.234.36 68.142.234.37 68.142.234.38 68.142.234.39 68.142.234.40 68.142.234.76 68.142.234.77 68.142.234.35 So, that shows you the various IPs to which the domainname resolves, also the CNAME at/of akadns. 
which doesn't involve anything about tracert [or traceroute] which is an entirely different function which looks like this: 7 64.159.0.230 (ae-0-0.bbr2.Washington1.Level3.net ok) 8 4.68.121.130 (ge-3-0-0-55.gar1.Washington1.Level3.net ok) 9 63.210.29.230 (No rDNS) 10 206.190.41.73 (UNKNOWN-206-190-41-73.yahoo.com bogus rDNS: host not found [authoritative]) 11 68.142.234.36 (premium3.geo.yahoo.akadns.net ok) excluding the top part and the hoptimes for brevity. That is, I think you are using your TraceRT to get a DNS on the domainname and a rDNS on the result. That's fine, that is useful information, but when I talk about the tracert I'm thinking about the people who are using the tracert result to find out about an upstream, ie my #10 and #9 [which is silently level3] above. > Note that the IP block is correct. I get to the same location whether > I add the www. to the domain or not. I notified abuse@akamai.com > because of the akadns.net relationship to the destination IP address. > >> The registration information for a domainname is found according to >> the tld, toplevel domain, in this case .com, so I use internic, >> which comes up empty, so then I use crsnic which sez >> whois.melbourneit.com and is brandnew as of today. > > Sho' 'nuf, http://www.completewhois.com/ finally comes around and sez: >>> To whom should I have addressed a LART about the lack of information >>> about the registrant of the domain, citifinancialinf.com ? > >> I think somehow you went astray in looking for that. It isn't >> available at internic for some reason. > > I guess the answer is that, as far as Yahoo is concerned, these slowly > propagating WhoIs records are probably going to be found first at > http://whois.melbourneit.com, which works for me, too, by golly. > > Thanks for heping out with this fine resource. Clear me up on exactly which resource we're talking about. 
-- Mike Easter kibitzer, not SC admin From me at privacy.net Sat Feb 5 20:44:27 2005 From: me at privacy.net (Michael R N Dolbear) Date: Sat Feb 5 15:45:03 2005 Subject: [SpamCop-List] Re: Empty Body not being accepted References: Message-ID: <01c50bc0$cedc5620$LocalHost@default> Martin wrote in article ... > How come spamcop refuses to accept submissions with an empty body now, it > used to parse and report them ok now it says error in submission empty body. > I have to insert something like to get it to report ok, have re-read [...] As "Berny" says, empty body spam never did work for normal full reporting. However it appears that it does work for Quick Reporting (report as Spam from SpamCop email or email as attachment to quick.-magic string-@spam.spamcop.net if you have these features enabled). This is logical since Quick Reporting doesn't report on the body and is in fact quite helpful now that SpamCop email seems to have been upgraded to POP/fetch even Spams with no bodies (used to ignore them). -- Mike D From ric.gates at bigsleep.org Sat Feb 5 23:50:54 2005 From: ric.gates at bigsleep.org (Blammo) Date: Sat Feb 5 18:55:03 2005 Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx? References: Message-ID: On 05 Feb 2005 John E. Malmberg entered spamcop and left news:cu2npl$na0$1@news.spamcop.net: > is operating on the model of the Hooterville Phone > complany They have an Internet ISP there now. Problem is, every time someone opens a new account, it drains all the bandwidth out of someone else's account, so people have to continually open new accounts. ;-) -- | Ric | From ric.gates at bigsleep.org Sun Feb 6 00:14:32 2005 From: ric.gates at bigsleep.org (Blammo) Date: Sat Feb 5 19:15:03 2005 Subject: [SpamCop-List] Re: Active eBay phishing sites beyond the radar References: Message-ID: On 05 Feb 2005 George Langford, Sc.D. entered spamcop and left news:mailman.79.1107623126.4572.spamcop-list@news.spamcop.net: > It gets worse. 
The guy appears to be getting set to do it again: > http://213.136.106.214/cetig/.images/index.html (returns a blank screen > but the HTML code is still there ... ?). This page simply tries to load index2.htm (which you have already discovered) via JavaScript. index2.htm appears to load a eBay page (signin.ebay.com) in an inline frame, and the page most likely tries to use a security exploit (which the browser shouldn't allow, but may) to intercept the info you enter. That's just what I determined from a quick look. -- | Ric | From ric.gates at bigsleep.org Sun Feb 6 00:25:20 2005 From: ric.gates at bigsleep.org (Blammo) Date: Sat Feb 5 19:30:03 2005 Subject: [SpamCop-List] Re: Active eBay phishing sites beyond the radar References: Message-ID: On 05 Feb 2005 Blammo entered spamcop and left news:Xns95F4A5621EB12blammo@216.154.195.61: > On 05 Feb 2005 George Langford, Sc.D. entered spamcop and left > news:mailman.79.1107623126.4572.spamcop-list@news.spamcop.net: > >> It gets worse. The guy appears to be getting set to do it again: >> http://213.136.106.214/cetig/.images/index.html (returns a blank >> screen but the HTML code is still there ... ?). > > This page simply tries to load index2.htm (which you have already > discovered) via JavaScript. > index2.htm appears to load a eBay page (signin.ebay.com) in an inline > frame, and the page most likely tries to use a security exploit (which > the browser shouldn't allow, but may) to intercept the info you enter. > That's just what I determined from a quick look. > I should add that the first site tries to open a pop-up that has the Location bar hidden so that you don't see that you are not actually on ebay. Even if a person did see the numerical URL, they would not know that it wasn't eBay, some may even think that a numerical URL is some kind of "secure" location. -- | Ric | From tdy at blackhole.invalid Sat Feb 5 16:26:00 2005 From: tdy at blackhole.invalid (N. 
Miller) Date: Sat Feb 5 19:30:12 2005 Subject: [SpamCop-List] Re: How does Yahoo (or its registrars) get away with this ? References: Message-ID: In article , Mike Easter says... > I don't find the tracert to be a good strategy. It is a poor substitute > for the ASN, and the upstream notifications are often inappropriate. > There's no point in notifying upstreams of the IP of a yahoo/inktomi > website issue. And I should thank you for that lesson. I have added "whois.cymru.com" to my Sam Spade Win Tools application, using this link: http://www.samspade.org/ssw/tips.html Going down to the "Adding whois servers" section, and following the directions. I haven't taken time to see if I can automate the process any further; currently I get a result with Sam Spade: ----------------- 02/05/05 16:23:30 whois 68.142.234.38@whois.cymru.com whois -h whois.cymru.com 68.142.234.38 ... ASN | IP | Name 14779 | 68.142.234.38 | INKT Inktomi Corporation ----------------- I can then surf to this bookmarked link to fill in the final pieces of the puzzle: http://bgp.potaroo.net/cgi-bin/as-report?as=AS I can open the page on that link, then past the Sam Spade ASN result to the end of the link to get something like: http://bgp.potaroo.net/cgi-bin/as-report?as=AS14779 -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From MikeE at ster.invalid Sat Feb 5 16:52:55 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Feb 5 19:55:05 2005 Subject: [SpamCop-List] Re: How does Yahoo (or its registrars) get away with this ? References: Message-ID: N. Miller wrote: > I have added > "whois.cymru.com" to my Sam Spade Win Tools application, using this > link: > > http://www.samspade.org/ssw/tips.html Yes. Good. There's also radb if you don't have it. whois.radb.net > I can then surf to this bookmarked link to fill in the final pieces > of the puzzle: > > http://bgp.potaroo.net/cgi-bin/as-report?as=AS Yes. 
The Robban tool I like better than potaroo has been down for a long long time. It was here http://www.netlantis.org/

There's also one that Ellen told me/us about here that you telnet into, but I've forgotten that one. I suppose I could look it up somehow. I found a link for telnet://route-server.cerf.net and/or telnet://route-server.ip.att.net/ - but I can't remember how to command it or read its output.

--
Mike Easter
kibitzer, not SC admin

From tdy at blackhole.invalid Sat Feb 5 16:56:01 2005
From: tdy at blackhole.invalid (N. Miller)
Date: Sat Feb 5 20:00:02 2005
Subject: [SpamCop-List] Re: zombie hunting?
References:
Message-ID:

In article , Mike Easter says...

> Sofa King Tyred of Lar Ting wrote:
> > I found some good stuff on Comcast and their proactive approach:
> > http://www.infoworld.com/article/04/03/09/HNcomcastspam_1.html
> That is a 2004 Mar article saying that comcast was going to do something
> about their zombies, but comcast still ranks very high in the spamcop
> statistics for spamsource, #9 of those IPs which resolve, just below
> pacbell now. Previously it was worse, so they must be doing a little
> something.

Comcast is using selective blocks on outbound port 25. It seems that, when they identify an abusive Comcast source IP address, they tweak the customer's modem for a 48 hour period. I doubt that they pro-actively scan for compromised computers; more likely are acting reactively to reports.

Pacbell.net is only the tip of the SBC iceberg. I get nearly equal amounts of proxy spam from pacbell.net, swbell.net, and ameritech.net IP addresses. Today I got a rare one from an snet.net IP address (formerly Southern New England Telephone Company; not an RBOC, but a part of the SBC Borg; which will soon include AT&T).

SBC rolled out port 25 blocks in San Luis Obispo, California, and, I think, Houston, Texas last September.
(For some kind of insanity, they should have used San Antonio, Texas; I am sure that saints Luis and Anthony would have appreciated the notice!) Supposedly the SBC port 25 blocks are expanding; based on numerous complaints in the BBR SBC forums, as well as the sbcglobal.help.tech.* groups. However, SBC will unblock ports on request. I don't know what sort of information must be provided in the request, or what impact it will have on the intended purpose.

For my part, I have tested the three off-ISP SMTP servers which I use, on occasion; accessible either on port 465, or port 587 with STARTTLS, so I guess I don't care about the blockage.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From MikeE at ster.invalid Sat Feb 5 17:33:00 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Feb 5 20:35:03 2005
Subject: [SpamCop-List] Re: How does Yahoo (or its registrars) get away with this ?
References:
Message-ID:

Mike Easter wrote:

> There's also one that Ellen told me/us about here that you telnet
> into, but I've forgotten that one. I suppose I could look it up
> somehow. I found a link for telnet://route-server.cerf.net and/or
> telnet://route-server.ip.att.net/ - but I can't remember how to
> command it or read its output.

I found a little note by Ellen's name for a command that sez:

sh ip bgp ip.address

So I tested it out on 68.142.234.38 which I know to be AS14779 Inktomi with a single upstream at Potaroo of AS3356 which is level3 and I got this output:

BGP routing table entry for 68.142.224.0/20, version 1802400
Paths: (2 available, best #2, table Default-IP-Routing-Table)
  Not advertised to any peer
  17233 7018 3356 14779, (aggregated by 14779 66.196.112.252), (received & used)
    12.129.192.2 from 12.129.192.2 (12.129.192.2)
      Origin IGP, localpref 100, valid, external
      Community: 7018:5000 17233:666 17233:1002 17233:7018
  17233 7018 3356 14779, (aggregated by 14779 66.196.112.252), (received & used)
    12.129.192.1 from 12.129.192.1 (12.129.192.1)
      Origin IGP, localpref 100, valid, external, best
      Community: 7018:5000 17233:666 17233:1001 17233:7018

which seems like a lot more information than I really wanted ;-) but you get it very fast. And I see the 14779 in there, both in the aggregated by and the last # before that. Then, I also see the 3356 just before that.

I would have to mess with it some more to figure out how to interpret multiple upstreams and whether or not there is any way to 'see' the kind of information that the Robban gave about 'fractionating' multiple upstreams.

I can also see the 12.129.192.2 and .1 in there which is an att/cerf IP and I can see that it is AS7018 so it was probably looking from those IPs. I don't know what 17233 is. I have no idea what that community info is, except that I see 7018 in there and 17233 again which I can't figure out.

--
Mike Easter
kibitzer, not SC admin

From amenex at amenex.com Sat Feb 5 22:12:35 2005
From: amenex at amenex.com (George Langford, Sc.D.)
Date: Sat Feb 5 22:12:48 2005
Subject: [SpamCop-List] Re: Active eBay phishing sites beyond the radar
Message-ID: <200502060312.j163CZSK019112@voicenet.com>

Mike Easter wondered ...

> so upstream is
> AS5511 OPENTRANSIT France Telecom
> whois -h whois.abuse.net opentransit.net ...
> webmaster@opentransit.net abuse@opentransit.net
> postmaster@opentransit.net (for opentransit.net)

I thought I had LART'd Them. But I can try again, especially as the same site is working on a new PayPal phish with all the latest bells & whistles (see my recent post to MillerSmiles).

> Paraphrasing Mike Easter: "How'd 'e do dat ?"

My TraceRT link is: http://voa.his.com/cgi-bin/trace
This has the quirk that you can't right-click and paste the URL whose IP you're tracking - have to use the edit button at the top of the page. (I'm using Mozilla).

> ... CHANGWON NATIONAL UNIVERSITY ...

I'll try your suggestions and see what happens.

Then Brain piped in with:

> Also, the contact email address for the domain is
> armondlehman@yahoo.com, so you could lart abuse at yahoo on this

I've tried mail-abuse@yahoo-inc.com for contact emails in spam and in fraudulent emails and they always tell me that there's no abuse going on ... heads in the sand ? Look him up with: http://www.searchsystems.net/ and you'll see he's either an innocent victim or a really stupid perpetrator.

Another Brian suggestion:

> domain.tech may also be a worthwhile addy to lart

(that's domain.tech@YAHOO-INC.COM) - I'll add it to my list.

More Brian words:

> I also found jefpro@nic.ci - hmmm, that's interesting because that is
> not the address shown. This may be the perp's email address. Down at the
> very bottom of 213.136.106.214 it shows an email address of
> ahissi@nic.ci but the address is actually jefpro and on checking, this
> is a valid address according to CentralOps.

I've sent LART's to all these emails ... no effect. My visual image is of a bombed-out building with a solar panel powering that teeny little nic.ci box sitting in the corner ... We need that little plane that the folks back home fly around all over that war-torn country farther to the north. In the meantime, someone is getting rich with the codes that can still be retrieved from and uploaded to that box.
I doubt that _anything_ in the nic.ci box can be trusted. And it can't be shut off without killing a whole bunch of WhoIs data for Ivory Coast (now known as Côte d'Ivoire).

And Mike Easter closed the conversation with a quote from me:

>> Thanks for he[l]ping out with this fine resource.
> Clear me up on exactly which resource we're talking about.

SpamCop and the spamcop-list discussion group. I've been LARTing phishes at an ever-increasing rate for quite some time now, and without your help my efficiency would have remained next to zero. I should mention the nice connection between OpenRBL.org and SpamCop wherein it links to SpamCop to find the best reporting addy's for the domain being WhoIs'd.

George Langford (amenex)

From nobody at spamcop.net Sun Feb 6 05:19:08 2005
From: nobody at spamcop.net (Tuatara)
Date: Sun Feb 6 00:20:32 2005
Subject: [SpamCop-List] Re: WP: Spammers' New Strategy
References:
Message-ID: <4205a791.39708781@news.spamcop.net>

For every action, there's a reaction. While ISP's will continue to rely on filtering strategies, what will we SpamCop users do to report spam that doesn't point to the origin? I guess that ISPs will receive Spamcop reports rather than the source IP hosts. Surely, ISPs will resolve this problem. Nevertheless, it will be curious how this impacts Spamcop usage as well as those who produce and maintain blacklists.

On Sat, 05 Feb 2005 09:41:43 +0000, Biwah wrote:

>Spammers' New Strategy
>Unsolicited E-Mail Sent Using ISP Computers
>
>By Jonathan Krim
>Washington Post Staff Writer
>Friday, February 4, 2005; Page E01
>
>An advanced spamming technique could push the volume of unwanted e-mail to
>new heights in coming months, straining the integrity of the online
>communication system, according to several top experts who monitor the
>activity of spam gangs around the world.
>
>Illegal bulk-mailers have been able to deploy massive blasts of spam by
>routing it through the computers of their Internet service providers, rather
>than sending it directly from individual machines, the experts said.

From drjohn at sueF***INGspammers.org Sat Feb 5 21:32:24 2005
From: drjohn at sueF***INGspammers.org (J.R.)
Date: Sun Feb 6 00:35:02 2005
Subject: [SpamCop-List] Re: Good day!
References:
Message-ID:

I think Heidi is the comic newsbot.

"eddie" wrote in message news:pan.2005.02.03.19.03.16.99000@eddie.web...
> On Tue, 01 Feb 2005 22:45:21 -0500, Heidi scratched out the following:
>
> > Good day,
>
> gives new meaning to Heidi Ho :)
>
> BIG PLONK~!!!!!!

From nobody at spamcop.net Sun Feb 6 00:12:43 2005
From: nobody at spamcop.net (RW)
Date: Sun Feb 6 01:15:03 2005
Subject: [SpamCop-List] Re: Open Proxy SCBL Rules
References:
Message-ID:

"K. Crocker" wrote in message news:ctpekn$hc6$1@news.spamcop.net...
> If spam is reported coming from an open proxy and the address is
> subsequently listed, is there a check to keep the address listed if it is
> still open when the listing times out? If not, can anyone think of a
> reason not to add this qualification?

Short answer is no. The SCBL is a list of IPs that have been identified as the source of recent spam (last 24 hours). It is not an open relay, open proxy, or list.

The short turn-arounds do have drawbacks, but it is the best we've got right now that allows the list to be aggressive, but at the same time cause minimal collateral damage and reduce support requirements. (i.e., we're already handling up to 300 emails a day. I can only imagine what that number would grow to if listings lasted longer).

Richard

From nobody at spamcop.net Sun Feb 6 00:32:28 2005
From: nobody at spamcop.net (RW)
Date: Sun Feb 6 01:35:04 2005
Subject: [SpamCop-List] Re: Who's Using SPAMCOP? Any major players? Reviews by CNET or others?
References:
Message-ID:

"Scott Townsend" wrote in message news:cu0805$6uq$1@news.spamcop.net...
>I was more interested in say if Company A is saying "Hey we use SPAMCop and
>we love it!" and they have their mail servers check the blacklist. Not
>necessarily having mail through SPAMCop...
>
> The Filters I'm currently using do not allow me access to the % that it
> determines that the message is. We are currently using ORF and IMF.

To be completely honest, we have no idea who uses the blocking list as it is freely available to anyone who wants to set it up in their dnsbl file. The only way we find out who uses it is when we get "why am I blocked" mail from someone that includes the blocking information.

I don't know of any major North American ISP that uses the SCBL on its own, but some do use it as part of their spam solution. The SCBL is best suited for corporations versus ISPs, because their expected mail comes from a much narrower group of servers.

Heed the advice given. If using the SCBL, use it as part of a scoring system (i.e. with SpamAssassin). Also, anyone using any spam filtering should also run a whitelist facility along side it.

Richard

From nobody at xyzzy.claranet.de Sun Feb 6 08:09:06 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Feb 6 02:15:03 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References: <4200F92C.72CCF96B@spamcop.net>
Message-ID: <4205C292.79F0@xyzzy.claranet.de>

Michael Lefevre wrote:

>> I suppose the spamcop bl is not considered a DNSBL because
>> it is supposed to tag email.

That's an idea for the B in blAck vs. blOck. The SCBL can be too aggressive for big ISPs as a blOck-list. But even if it's "only" used as blAck list to tag mail, it's still a "DNSBL".

> the DNS part refers to the way that the lookups to the list
> are made, so it is a "DNSBL".

One definition of "DNSBL".
Another (less popular) definition is "DNSBL" for BLs with IPs, and "RHSBL" for BLs of domain names (RHS = right hand side of mail addresses, behind the @). In that sense the remaining RFCI-lists are "RHSBLs".

If you want to test what.ever@some.domain.example against a "RHSBL" like postmaster.rfc-ignorant.org, then you would ask for the name

  some.domain.example.postmaster.rfc-ignorant.org

If you get an answer like 127.0.0.2 then some.domain.example is listed as ignorant postmaster. Technically the "host" some.domain.example.postmaster.rfc-ignorant.org has the "IP" 127.0.0.2. In practice everybody knows that that's no real "host" and no Internet "IP", it's a code meaning "listed".

For IPs like 11.22.33.44 and a DNSBL like bl.spamcop.net it's very similar, the only difference is to use the reverse IP in the query for "host" 44.33.22.11.bl.spamcop.net - and if that "host" has an "IP" like 127.0.0.2 then it's listed, i.e. the original IP 11.22.33.44 somehow made it on this black list.

The command line tool "host" can be used to check BLs. Most BLs offer a test entry 127.0.0.2, it's always "listed". The command `host 2.0.0.127.bl.spamcop.net` would report:

  host 2.0.0.127.bl.spamcop.net = 127.0.0.2

Some servers offer a Web interface for DNS queries. I like because I have no "dig" on my box:

> most people (and the SpamCop site) tend to refer to it as the
> SpamCop BL (or even SCBL)

Yes, famous BLs like the SCBL and SURBL have their own acronyms.

> non-technical folks won't gain anything from having DNSBL
> instead of just BL.

As long as they don't say "RBL" (relay), "RHSBL" (RHS), or even WL (white list), that would be wrong for the SCBL.

Bye, Frank

From Nospam at Here.com Sun Feb 6 10:54:18 2005
From: Nospam at Here.com (David Purdy)
Date: Sun Feb 6 05:55:26 2005
Subject: [SpamCop-List] Re: Time for a new approach
References:
Message-ID:

"Doug Thegarden" wrote in message news:cso606$97i$1@news.spamcop.net...
> How long has Spamcop been running?
It's doing an excellent job of helping
> keep the spam volumes most people see down to a tolerable level with the
> emphasis being on tolerable. But it takes a lot of effort to make it all
> work and to keep up with the ingenuity of spammers finding new ways of
> spamming. Meanwhile Governments huff and puff but do very little because
> spam levels are "tolerable".

Thankfully, I don't suffer the level of spam that some do, but nevertheless the spam received by my main e-mail address has *tripled* in a year (Jan 2005 vs. Jan 2004). NB The e-mail address cannot be traced using Google.

This seems to carry the hallmark of a situation that is out of control and one which ISPs themselves (and software designers) should address.

Regards, Dave.

From DougThegarden at hotmail.com Sun Feb 6 12:33:38 2005
From: DougThegarden at hotmail.com (Doug Thegarden)
Date: Sun Feb 6 07:35:35 2005
Subject: [SpamCop-List] Re: Time for a new approach
In-Reply-To:
References:
Message-ID:

David Purdy wrote:
>
> Thankfully, I don't suffer the level of spam that some do, but nevertheless
> the spam received by my main e-mail address has *tripled* in a year (Jan
> 2005 vs. Jan 2004). NB The e-mail address cannot be traced using Google.
>
> This seems to carry the hallmark of a situation that is out of control and one
> which ISPs themselves (and software designers) should address.
>

I propose we have an SBL free day, announced in advance with publicity, when the SBLs are switched off for a day just to show the world what the hidden reality is.

Doug

From nobody at spamcop.net Sun Feb 6 07:45:50 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Sun Feb 6 07:45:03 2005
Subject: [SpamCop-List] Re: Time for a new approach
References:
Message-ID:

"Doug Thegarden" wrote in message news:cu52r1$usb$1@news.spamcop.net...
> David Purdy wrote:
> >
> > Thankfully, I don't suffer the level of spam that some do, but nevertheless
> > the spam received by my main e-mail address has *tripled* in a year (Jan
> > 2005 vs. Jan 2004). NB The e-mail address cannot be traced using Google.
> >
> > This seems to carry the hallmark of a situation that is out of control and one
> > which ISPs themselves (and software designers) should address.
> >
>
> I propose we have an SBL free day, announced in advance with publicity,
> when the SBLs are switched off for a day just to show the world what the
> hidden reality is.

A more positive approach is for ISPs who are using the SCBL (or other bls) to advertise that they are doing so and why and make it a selling point to use their service. If a group of them had an industry trade association, then they could be even more effective at 'educating' the end user.

Miss Betsy

From Nospam at Here.com Sun Feb 6 12:51:26 2005
From: Nospam at Here.com (David Purdy)
Date: Sun Feb 6 07:55:02 2005
Subject: [SpamCop-List] Re: Time for a new approach
References:
Message-ID:

"Miss Betsy" wrote in message news:cu53ba$v5l$1@news.spamcop.net...
> A more positive approach is for ISPs who are using the SCBL (or
> other bls) to advertise that they are doing so and why and make it
> a selling point to use their service. If a group of them had an
> industry trade association, then they could be even more effective
> at 'educating' the end user.

Other businesses have recognised that the irresponsible actions of other businesses in the same industry can damage the reputation of all, hence the creation of trade associations.

The absence of industry 'self-regulation' leaves a vacuum for governments to intervene - for better or for worse.

Regards, Dave.
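
The DNSBL and RHSBL lookups described in Frank Ellermann's "Why Am I Blocked? FAQ" message earlier in this digest, worked through as an added example (not code from any poster or from SpamCop). The function names, the constructed answer table and the choice to reject answers outside 127.0.0.0/8 are assumptions of this sketch; the table does not reflect any real listing status.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """IP-based list: reverse the IPv4 octets and append the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def rhsbl_query_name(mail_address, zone):
    """Domain-based list: use the right-hand side (behind the last @)."""
    domain = mail_address.rsplit("@", 1)[-1].strip(".").lower()
    if not domain:
        raise ValueError("no domain part in %r" % mail_address)
    return domain + "." + zone.strip(".")


def system_resolver(name):
    """Return the A record as a string, or None if the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def interpret(answer):
    """Map a lookup result to a verdict.

    A list answers with a code in 127.0.0.0/8 meaning "listed". Any other
    address (for example from a resolver that rewrites "no such name" into
    a search page) is not a listing and must not be treated as one.
    """
    if answer is None:
        return "not listed"
    if ipaddress.IPv4Address(answer) in LOOPBACK:
        return "listed"
    return "invalid answer"


def check_ip(ip, zone, resolver=system_resolver):
    """Check one IP, but only trust the list if its test entry works."""
    test_entry = resolver(dnsbl_query_name("127.0.0.2", zone))
    if interpret(test_entry) != "listed":
        return "list unusable"
    return interpret(resolver(dnsbl_query_name(ip, zone)))


# Constructed answers for an offline run; not real listing data.
CONSTRUCTED_ZONE = {
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",    # the always-listed test entry
    "44.33.22.11.bl.spamcop.net": "127.0.0.2",  # the message's example IP
    "some.domain.example.postmaster.rfc-ignorant.org": "127.0.0.2",
}


def constructed_resolver(name):
    return CONSTRUCTED_ZONE.get(name)


def rewriting_resolver(name):
    """Simulates a resolver that answers every name with the same address."""
    return "203.0.113.10"  # documentation address, constructed


if __name__ == "__main__":
    zone = "bl.spamcop.net"
    for ip in ("11.22.33.44", "192.0.2.1"):
        print(dnsbl_query_name(ip, zone), "->",
              check_ip(ip, zone, constructed_resolver))
    name = rhsbl_query_name("what.ever@some.domain.example",
                            "postmaster.rfc-ignorant.org")
    print(name, "->", interpret(constructed_resolver(name)))
    print("rewriting resolver ->",
          check_ip("11.22.33.44", zone, rewriting_resolver))
```

Calling `check_ip` without a resolver argument uses the system resolver and therefore queries the live list.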

From DougThegarden at hotmail.com Sun Feb 6 13:39:11 2005
From: DougThegarden at hotmail.com (Doug Thegarden)
Date: Sun Feb 6 08:40:07 2005
Subject: [SpamCop-List] Re: Time for a new approach
In-Reply-To:
References:
Message-ID:

David Purdy wrote:
>
> Other businesses have recognised that the irresponsible actions of other
> businesses in the same industry can damage the reputation of all, hence the
> creation of trade associations.
>
> The absence of industry 'self-regulation' leaves a vacuum for governments to
> intervene - for better or for worse.
>

Honour among thieves you mean?

Doug

From DougThegarden at hotmail.com Sun Feb 6 13:39:20 2005
From: DougThegarden at hotmail.com (Doug Thegarden)
Date: Sun Feb 6 08:40:25 2005
Subject: [SpamCop-List] Re: Time for a new approach
In-Reply-To:
References:
Message-ID:

Miss Betsy wrote:
>
> A more positive approach is for ISPs who are using the SCBL (or
> other bls) to advertise that they are doing so and why and make it
> a selling point to use their service. If a group of them had an
> industry trade association, then they could be even more effective
> at 'educating' the end user.
>

People rarely pay much attention to things that are not affecting their daily lives. So as long as SBLs keep the spam to a low level they are happy to reside in their relatively secure internet burbs believing all is well with the world while the invisible army of fence builders and repairers toil away unseen and unrecognised to maintain their blissful ignorance. It's only when spam starts to really affect their daily lives that they will want something done about the spammers instead of leaving it to the fence builders to build bigger and stronger fences

Doug

From cbminfo at toast.net Sun Feb 6 10:20:29 2005
From: cbminfo at toast.net (ken)
Date: Sun Feb 6 10:25:10 2005
Subject: [SpamCop-List] Re: ignoring reply to:
References:
Message-ID:

Well if I get another I can forward it.
But other than my own isp as the last mailbox touching it, the aol Netscape address was the only constant.

"Brian (SnSR)" wrote in message news:cu31u6$th9$1@news.spamcop.net...
> ken wrote:
>> I'm now getting Tsunami scams worth Millions of dollars. They're all
>> coming from the same isp and same reply to: at Netscape.com roots to
>> abuse@aol.com .
>> Just to be sure I've been submitting them to spamcop to make sure I'm not
>> screwing up with Sam spade.
>>
>> Only spam reports spamcop's sending to from this are the final mailbox at
>> my isp.
>> I realize the reply to, from etc can all be forged, but when the emails
>> are identical, wouldn't it make sense for the reports to use any
>> available links supplied by the spammer ?
>>
>>
>
> This is where human intervention works better than the parser can. Usually
> the reply to is forged, but often not in scams where the perp needs a
> response. This requires manually reporting the reply to address as well as
> any email address given in the message body.
>
> I use a variety of methods to get this point across to abuse desks.
>
> Subject: is being used for 419 spam drop box.
>
> I then let them know where the email address can be found, whether in the
> headers or in the message body, and where in the message body.
> This helps them to quickly locate it and not have to read thru the whole
> message.
>
> I also add that this address is often forged, but in this case, it is
> being used for such-and-such a reason.
>
> Then I paste the message. I have had this work well.
>
> Unfortunately, in a discussion with Carl Hutzler, AOL's Director of Spam
> Operations, AOL hasn't found a method to determine that it's not a joe job
> and willingly delete those accounts. I've been attempting to change his
> opinion.
>
> If you would like to forward some samples (as attachments) to me, I can
> use it to possibly get him to respond to this. SpamNScamsReporter at gmail
> dot com.
>

From QUALITY_DISC at webtv.net Sun Feb 6 14:10:40 2005
From: QUALITY_DISC at webtv.net (QUALITY DISC)
Date: Sun Feb 6 14:35:02 2005
Subject: [SpamCop-List] Help with ISP for Domain names please!
Message-ID: <29323-42066BB0-48@storefull-3173.bay.webtv.net>

Does anyone know how I can find out who provides the service for someone harassing me under their own domain name?

From reply at newsgroup.please Sun Feb 6 15:48:49 2005
From: reply at newsgroup.please (Geoffrey Welsh)
Date: Sun Feb 6 15:50:04 2005
Subject: [SpamCop-List] Re: zombie hunting?
References:
Message-ID:

Sofa King Tyred of Lar Ting wrote:
> Question: why don't more ISPs proactively seek out zombies today,

There is hope: a number of broadband companies are looking into solutions from Sandvine http://www.sandvine.com/

--
Geoffrey Welsh
Ambidextrous? No, I said I'm ambinonscattous - I don't give a crap either way!

From feldethom2165 at email2me.net Sun Feb 6 11:56:02 2005
From: feldethom2165 at email2me.net (Fred k)
Date: Sun Feb 6 16:00:03 2005
Subject: [SpamCop-List] Re: Help with ISP for Domain names please!
References: <29323-42066BB0-48@storefull-3173.bay.webtv.net>
Message-ID:

"QUALITY DISC" wrote in message news:29323-42066BB0-48@storefull-3173.bay.webtv.net...
> Does anyone know how I can find out who provides the service for someone
> harassing me under their own domain name?
>

Please post a tracker, you don't give enough information.

Fred k

From MikeE at ster.invalid Sun Feb 6 13:00:23 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Feb 6 16:00:15 2005
Subject: [SpamCop-List] Re: Help with ISP for Domain names please!
References: <29323-42066BB0-48@storefull-3173.bay.webtv.net>
Message-ID:

QUALITY DISC wrote:
> Does anyone know how I can find out who provides the service for
> someone harassing me under their own domain name?

First you need to know how to read email headers to determine the source, then you need to know how to find the proper notify address.

http://spamlinks.net/trace.htm Spam Tracing
http://spamlinks.net/report-addresses.htm Spam Reporting Addresses

Or, if you are a spamcop reporter, you can submit the mail item to the parser which will provide you with a notify address for the source, and then cancel the report.

If you are not a spamcop reporter, you would take your source determination someplace like Sam Spade to determine the notify. http://samspade.org/t/

Alternatively, you could post the headers of the item into the newsgroup spamcop.spam and someone here would help you determine the source and the notify address.

If you have not been corresponding with the person and they are providing you with their return address, one strategy is to send a very brief non-inflammatory mail to them copied to their provider's abuse address saying simply, "Do not email me." which contains a copy of their email to you with complete headers. That mail is not for the purpose of 'telling them off' or rebutting anything their mail has to say, but to simply demand that they not email you.

If you /have/ been corresponding with them and they want to keep corresponding with you but you don't want them to any more, neither your provider nor their provider is likely to help you with that. You would be better to just block their mail from your view using your mailagent's filter functions.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Sun Feb 6 17:53:56 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Sun Feb 6 17:55:03 2005
Subject: [SpamCop-List] Re: Help with ISP for Domain names please!
References: <29323-42066BB0-48@storefull-3173.bay.webtv.net>
Message-ID:

"QUALITY DISC" wrote in message news:29323-42066BB0-48@storefull-3173.bay.webtv.net...
> Does anyone know how I can find out who provides the service for someone
> harassing me under their own domain name?

There is not nearly enough information to help you.
Spammers can, and do, forge email addresses into their spam so the email address that it appears to be from may not be the one who is sending the emails that are bothering you.

If it is someone previously known to you, then the best strategy is to filter out their emails. Read Mike Easter's post if you want to pursue the matter.

Miss Betsy

From driehuis.fcnzpbc2005 at playbeing.com Mon Feb 7 01:41:21 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Sun Feb 6 19:45:04 2005
Subject: [SpamCop-List] Re: SpamCop Imposter?
In-Reply-To:
References: <4202F906.D9B2EB2E@ddress.com> <42030B61.A0EF270@ddress.com>
Message-ID:

Mike Easter wrote:

> Oooh. I always have to find out what the critter was.
>
> In fact, I stick them in a little folder and save them after/for
> identification. It's hard to handle them with the AV turned on, so I
> keep it turned off for moving them around or isolating them from the
> mail. The AV always wants to protect me and interfere with what I'm
> doing.

I've dealt with more than one virus outbreak in $ORKPLACE caused by a cow orker "checking out" a suspected message that the end user didn't trust.

Unless you have _significant_ experience in dealing with such crap I would recommend against this practice. Sandboxing in VMware is a minimum first step (and so is wiping the session when you're done, and running it without network connectivity).

I'd strongly suggest to not play the sorcerer's apprentice. :-)

From driehuis.fcnzpbc2005 at playbeing.com Mon Feb 7 02:16:31 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Sun Feb 6 20:20:04 2005
Subject: [SpamCop-List] Re: ignoring reply to:
In-Reply-To:
References:
Message-ID:

ken topposted:

> Well if I get another I can forward it. But other than my own isp as the
> last mailbox touching it, the aol Netscape address was the only constant.

Please don't top-post.

Anyway, my gut feeling tells me you didn't set up your mailhosts.
When you do, Spamcop will know to skip the Received: line your mailbox host stuck in.

From driehuis.fcnzpbc2005 at playbeing.com Mon Feb 7 03:12:36 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Sun Feb 6 21:15:05 2005
Subject: [SpamCop-List] Re: Open Proxy SCBL Rules
In-Reply-To:
References:
Message-ID:

K. Crocker wrote:

> Thanks for your comments, although most of the spam that makes it
> through the gauntlet above into my mailbox comes from China, Korea,
> France, Brazil, and Russia. From USA residents (I can't bring myself to
> call them citizens), most likely, from USA machines, no.

The machines that do the final drop are zombies. They are controlled from the USA, by and large. That simple act of controlling the spam run (in other words, choreographing a mass unauthorized computer breakin abroad) is easy to determine for an ISP with a suitable legal document in hand.

My point is that if the government is serious about making a dent in illegal spam, they could actually act on the data that people have offered them based on honeypots. My observation is that the US government is not taking this constant barrage on computer security seriously. My recommendation is that they should.

From nobody at devnull.spamcop.net Mon Feb 7 11:27:02 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Sun Feb 6 21:30:05 2005
Subject: [SpamCop-List] "putRow Column 'type' cannot be null (1048)/sc?"
Message-ID:

I'm getting the following messages when trying to report:

putRow Column 'type' cannot be null (1048)/sc?
Sorry, failed to get reportid from database, will not send.

Example
http://www.spamcop.net/sc?id=z729480615z718a5962e77f5eb354c8e9e78f0280d0z

The error occurs when clicking 'Send Spam Report(s) now'.

From driehuis.fcnzpbc2005 at playbeing.com Mon Feb 7 03:26:55 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Sun Feb 6 21:30:22 2005
Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx?
In-Reply-To:
References:
Message-ID:

John E. Malmberg wrote:

> Port scans are more troublesome to do automatically. They also consume
> bandwidth, so must be throttled. It is probably likely that the time
> needed to sequentially scan all I.P. addresses for an ISP can be
> measured in weeks or months if they do not want to disrupt their network.
>
> And apparently the spamware keeps morphing to evade automatic scans.

The morphing isn't that bad -- it just means ISPs have to scan all 65,534 possible ports of every customer before they allow the first activity on Port 25. That's something like 5MB of traffic per user -- this could be a profit center for ISPs that charge per megabyte! :-)

The big problem with port scanning is that some Trojan proxies are so badly written that at the best of times, they fail 50% of requests. In other words, scanning all 65,534 is no guarantee of finding the Trojan.

From driehuis.fcnzpbc2005 at playbeing.com Mon Feb 7 03:34:08 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Sun Feb 6 21:35:05 2005
Subject: [SpamCop-List] Re: Really dumb spammer
In-Reply-To:
References:
Message-ID:

LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m wrote:

> Bert Driehuis wrote:
[...]
>> You may want to disable Flash; I've got no clue what
>> the .swf does.
>
> It's a fairly well-done animation of the 7English pitch, with the Statue
> of Liberty featured prominently.

Ah. Thanks for the review.

> You have no reason to fear Flash.

If you're running on Windows and have Flash, you have every reason to fear it. Flash has been the vector to bypass IE security zones on more than one occasion. I have reason to believe (though I have no hard data) that Flash has access to IE even if you use Firefox.

From feldethom2165 at email2me.net Sun Feb 6 19:02:04 2005
From: feldethom2165 at email2me.net (Fred k)
Date: Sun Feb 6 23:05:05 2005
Subject: [SpamCop-List] Re: SpamCop Imposter?
References: <4202F906.D9B2EB2E@ddress.com> <42030B61.A0EF270@ddress.com>
Message-ID:

"Bert Driehuis" wrote in message news:cu6dg6$kj8$1@news.spamcop.net...
> Unless you have _significant_ experience in dealing with such crap I would
> recommend against this practice. Sandboxing in VMware is a minimum first
> step (and so is wiping the session when you're done, and running it
> without network connectivity).
>
> I'd strongly suggest to not play the sorcerer's apprentice. :-)

He does have the experience.

fRED K

From nobody at devnull.spamcop.net Sun Feb 6 22:58:03 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Feb 7 00:00:36 2005
Subject: [SpamCop-List] Re: "putRow Column 'type' cannot be null (1048)/sc?"
References:
Message-ID:

"Patto" wrote in message news:cu6jlj$nh3$1@news.spamcop.net...
> I'm getting the following messages when trying to report:
>
> putRow Column 'type' cannot be null (1048)/sc?
> Sorry, failed to get reportid from database, will not send.
>
> Example
> http://www.spamcop.net/sc?id=z729480615z718a5962e77f5eb354c8e9e78f0280d0z
>
> The error occurs when clicking 'Send Spam Report(s) now'.

One user has reported this 'same' error over in the Forum;
http://forum.spamcop.net/forums/lofiversion/index.php/t3610.html
However, Tracking URL was never provided. Noting only that the Forum user's submittal was a Challenge/Response thing, and yours also seems to fall under a bit of a similar instance .. i.e. something that doesn't appear to be an actual reportable spam .... though your opinion may be different of course .... I'm just going with what I see in a quick look at your sample ...

From nobody at devnull.spamcop.net Mon Feb 7 14:32:47 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Mon Feb 7 00:35:05 2005
Subject: [SpamCop-List] Re: "putRow Column 'type' cannot be null (1048)/sc?"
In-Reply-To:
References:
Message-ID:

WazoO wrote:
> "Patto" wrote in message
> news:cu6jlj$nh3$1@news.spamcop.net...
> >>I'm getting the following messages when trying to report: >> >>putRow Column 'type' cannot be null (1048)/sc? >>Sorry, failed to get reportid from database, will not send. >> >>Example >>http://www.spamcop.net/sc?id=z729480615z718a5962e77f5eb354c8e9e78f0280d0z >> >>The error occurs when clicking 'Send Spam Report(s) now'. > > > One user has reported this 'same' error over in the Forum; > http://forum.spamcop.net/forums/lofiversion/index.php/t3610.html > However, Tracking URL was never provided. Noting only > that the Forum user's submittal was a Challenge/Response > thing, and yours also seems to fall under a bit of a similar > instance .. i.e. something that doesn't appear to be an > actual reportable spam .... though your opinion may > be different of course .... I'm just going with what I > see in a quick look at your sample ... I was under the impression that misdirected virus bounces were now reportable? If I was wrong; my apologies. Background (of this particular message): I am getting these bounces from the same ISP (pacific.net.ph) for weeks and weeks, dozens of times a day. I have written them time and again; tried to explain why their bounces (with the infected message attached!) is bad practice. I pointed them to the SpamCop website and whatnot; I keep receiving their bounces, but never any reply. Last week I told them that from this week I will start reporting them, so their IP addresses will end up on blocklists. But, if this is not allowed, then that was an empty threat. Any other suggestion what I can do? From nobody at devnull.spamcop.net Mon Feb 7 14:40:49 2005 From: nobody at devnull.spamcop.net (Patto) Date: Mon Feb 7 00:45:04 2005 Subject: [SpamCop-List] Another new spammer trick... Message-ID: ... to make reporting more difficult. Plain text message, with body text only "See attachment message.html". 
The attachment is of course a beautifully composed HTML document, which I have to open and extract the source code, then paste it together with the email headers to report. 1. much more work to report 2. I am exposing myself by opening the HTML doc Result: http://www.spamcop.net/sc?id=z729531874z899ae1bcb2ae6ef83c0f89e623a61753z Any suggestions how these things should best be handled? From MikeE at ster.invalid Sun Feb 6 21:54:27 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 7 00:55:03 2005 Subject: [SpamCop-List] Re: "putRow Column 'type' cannot be null (1048)/sc?" References: Message-ID: Patto wrote: >> "Patto" www.spamcop.net/sc?id=z729480615z718a5962e77f5eb354c8e9e78f0280d0z >>> The error occurs when clicking 'Send Spam Report(s) now'. That item currently parses and offers to report www.spamcop.net/sc?id=z729537117z2377bbdb5df00e320d572785a92c9c2ez Report Spam to: Re: 210.23.235.81 () To: abuse@pacific.net.ph (Notes) > I was under the impression that misdirected virus bounces were now > reportable? If I was wrong; my apologies. That's the way I'm reading it, reportable. http://www.spamcop.net/fom-serve/cache/14.html -- Messages which may be reported: -- There are several types of responses to forged email that SpamCop has in the past prohibited. However, these messages have become a big enough problem that we now allow them to be reported as the spam that they technically are. Known colloquially as 'back scatter' > Background (of this particular message): I am getting these bounces > from the same ISP (pacific.net.ph) for weeks and weeks, dozens of > times a day. I have written them time and again; tried to explain why > their bounces (with the infected message attached!) is bad practice. > I pointed them to the SpamCop website and whatnot; I keep receiving > their bounces, but never any reply. > > Last week I told them that from this week I will start reporting them, > so their IP addresses will end up on blocklists. 
But, if this is not > allowed, then that was an empty threat. > > Any other suggestion what I can do? Sounds to me like you are doing things in just the right order including reporting this one. You just ran into a technical glitch. If you submit it and its littermates again, it should work just fine. That IP isn't appearing on any blocklists yet, but if it is acting like that, it will be. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Feb 6 22:00:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 7 01:00:04 2005 Subject: [SpamCop-List] Re: "putRow Column 'type' cannot be null (1048)/sc?" References: Message-ID: Mike Easter wrote: >>> "Patto" >>>> The error occurs when clicking 'Send Spam Report(s) now'. > That item currently parses and offers to report > You just ran into a technical glitch. > If you submit it and its littermates again, it should work just fine. Actually, I don't know that, since I didn't click 'send reports' - but I would sure give it another shot. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Feb 6 22:11:33 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 7 01:15:08 2005 Subject: [SpamCop-List] Re: Another new spammer trick... References: Message-ID: Patto wrote: > ... to make reporting more difficult. Plain text message, with body > text only "See attachment message.html". The attachment is of course > a beautifully composed HTML document, which I have to open and > extract the source code, then paste it together with the email > headers to report. > > 1. much more work to report > 2. I am exposing myself by opening the HTML doc > > Result: www.spamcop.net/sc?id=z729531874z899ae1bcb2ae6ef83c0f89e623a61753z > > Any suggestions how these things should best be handled? 
I'm not familiar with how to do things with OL or Eudora, which function is what you used to parse that tracker, but if I would get something like that in OE, I think that I would access its message properties and paste the whole enchilada, which would be complete headers with plaintext body + mime attachment structure + the raw html source into the regular single pane parser.

That wouldn't necessitate me opening or rendering the html. What I don't know is whether or not the parser would find the links because of the structure being different from that of inline html mime structure. I don't have one like that to experiment with, and the tracker isn't a true representation of the original anymore.

"X-SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)"

--
Mike Easter
kibitzer, not SC admin

From bar_n0ne at hotmail.com Mon Feb 7 10:44:46 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Feb 7 01:45:05 2005
Subject: [SpamCop-List] Strange IP Shenanigans
Message-ID:

Folks,

I received a spam that would be reported to Nomaster so I did traceroutes on the sending IP and various IP's and domains of spamvertizements contained within.

for the sending ID:

.....
 7 t2a5-s12-0-0.uk-lon2.eu.bt.net (166.49.189.217) 197.155 ms 176.167 ms 161.428 ms
 8 t2c1-ge7-0.uk-lon2.eu.bt.net (166.49.176.43) 196.525 ms 173.287 ms 172.403 ms
 9 t2c1-p4-2.uk-ilf.eu.bt.net (166.49.195.121) 177.554 ms 176.383 ms 186.296 ms
10 sl-gw10-lon-6-1.sprintlink.net (213.206.159.45) 178.554 ms 201.362 ms 284.450 ms
11 sl-bb21-lon-8-0.sprintlink.net (213.206.128.45) 620.861 ms 194.753 ms 166.440 ms
12 sl-bb21-tuk-10-0.sprintlink.net (144.232.19.69) 424.299 ms 265.057 ms 248.593 ms
13 sl-bb20-tuk-15-0.sprintlink.net (144.232.20.132) 245.228 ms 240.330 ms 250.211 ms
14 sl-bb21-rly-14-3.sprintlink.net (144.232.20.122) 253.367 ms 268.676 ms 243.227 ms
15 sl-bb22-rly-13-0.sprintlink.net (144.232.7.254) 246.981 ms 254.829 ms 280.305 ms
16 sl-bb22-sj-10-0.sprintlink.net (144.232.20.186) 347.138 ms 404.169 ms 302.793 ms
17 sl-bb21-sj-14-0.sprintlink.net (144.232.3.161) 325.654 ms 310.777 ms 310.902 ms
18 sl-bb24-sj-12-0.sprintlink.net (144.232.3.202) 449.792 ms 518.301 ms 423.173 ms
19 sl-bb20-ana-6-0.sprintlink.net (144.232.20.100) 451.514 ms 346.863 ms 480.227 ms
20 sl-gw29-ana-0-0.sprintlink.net (144.232.1.146) 333.509 ms 323.873 ms 343.242 ms
21 sl-china1-6-0.sprintlink.net (144.228.74.222) 416.712 ms * 413.998 ms
22 202.97.51.161 (202.97.51.161) 614.736 ms 615.309 ms 620.855 ms
23 * 202.97.33.137 (202.97.33.137) 757.847 ms 707.643 ms
24 202.97.43.146 (202.97.43.146) 687.170 ms 704.135 ms 701.639 ms
25 219.133.30.238 (219.133.30.238) 687.404 ms 709.482 ms 733.614 ms
26 219.133.30.186 (219.133.30.186) 753.215 ms 703.368 ms 745.979 ms
   MPLS Label=2001 CoS=1 TTL=1 S=0
27 218.17.200.2 (218.17.200.2) 705.011 ms 773.676 ms 768.691 ms
28 218.17.200.66 (218.17.200.66) 740.981 ms 738.705 ms 747.095 ms
29 219.133.144.104 (219.133.144.104) 644.078 ms 638.923 ms 628.974 ms

what is the meaning of the crap after #21 and does this mean sprintlink is upstream?
(funny how everything points to china too)

And moreover, how does that whole last IP-range not resolve to anybody at all?

APNIC shows nothing according to SC. And with latencies of almost a second on the last half dozen hops, their clients must be really patient and desperate for their enlargement/cialis/medz.

and more weirdness here:

....
 9 t2c1-p4-2.uk-ilf.eu.bt.net (166.49.195.121) 198.903 ms 214.144 ms 250.334 ms
10 sl-gw10-lon-6-0.sprintlink.net (213.206.159.41) 254.368 ms 182.771 ms 164.799 ms
11 sl-bb21-lon-8-0.sprintlink.net (213.206.128.45) 228.248 ms 181.914 ms 173.551 ms
12 sl-bb21-tuk-10-0.sprintlink.net (144.232.19.69) 240.490 ms 242.108 ms 235.734 ms
13 sl-bb20-tuk-15-0.sprintlink.net (144.232.20.132) 241.860 ms 243.348 ms 236.137 ms
14 sl-bb21-rly-15-1.sprintlink.net (144.232.20.120) 244.980 ms 238.586 ms 250.987 ms
15 sl-bb22-rly-13-0.sprintlink.net (144.232.7.254) 253.088 ms 239.355 ms 240.733 ms
16 sl-bb22-sj-10-0.sprintlink.net (144.232.20.186) 390.602 ms 439.534 ms 494.113 ms
17 sl-bb21-sj-14-0.sprintlink.net (144.232.3.161) 394.319 ms 322.653 ms 304.174 ms
18 sl-bb24-sj-12-0.sprintlink.net (144.232.3.202) 411.679 ms 521.960 ms 476.249 ms
19 sl-bb20-ana-6-0.sprintlink.net (144.232.20.100) 501.953 ms 360.368 ms 315.277 ms
20 sl-gw29-ana-0-0.sprintlink.net (144.232.1.146) 320.402 ms 341.509 ms 831.151 ms
21 sl-china1-6-0.sprintlink.net (144.228.74.222) 450.880 ms 405.320 ms 406.450 ms
22 202.97.51.225 (202.97.51.225) 714.998 ms * 718.165 ms
23 202.97.53.81 (202.97.53.81) 720.374 ms * *
24 202.97.54.86 (202.97.54.86) 701.926 ms * 700.652 ms
25 * 219.148.18.229 (219.148.18.229) 703.050 ms 703.862 ms
26 219.148.18.42 (219.148.18.42) 728.494 ms 735.093 ms *
27 219.148.124.3 (219.148.124.3) 713.758 ms * *
28 222.223.134.242 (222.223.134.242) 706.593 ms 701.746 ms *
29 * * *
30 222.223.134.252 (222.223.134.252) 619.768 ms 578.863 ms 643.087 ms (spamvertized site)

what's with line 29?
and one more:

10 t2c2-p4-0.us-nyb.eu.bt.net (166.49.164.50) 251.477 ms 250.698 ms 254.094 ms
11 aer1-gigabitethernet2-6.newyork.savvis.net (208.173.135.157) 255.718 ms 256.580 ms 262.091 ms
12 dcr3-ae2.newyork.savvis.net (208.174.228.9) 271.332 ms 275.952 ms 268.325 ms
13 dcr2-loopback.losangeles.savvis.net (208.172.34.108) 323.020 ms 324.528 ms
   dcr1-loopback.losangeles.savvis.net (208.172.34.107) 323.757 ms
14 aer1-port-channel-1-0.losangeles.savvis.net (208.172.47.12) 340.630 ms
   dcr1-ae2-0.losangeles.savvis.net (208.172.47.77) 362.356 ms 339.017 ms
15 china-telecommunications-corporation.losangeles.savvis.net (208.173.55.198) 444.026 ms 450.765 ms *
16 * 202.97.49.129 (202.97.49.129) 441.309 ms *
17 202.97.51.161 (202.97.51.161) 612.536 ms 609.820 ms 608.977 ms
18 202.97.33.149 (202.97.33.149) 614.105 ms 609.655 ms 609.977 ms
19 222.176.2.225 (222.176.2.225) 741.350 ms 737.360 ms 734.106 ms
20 * 222.176.2.17 (222.176.2.17) 723.363 ms 726.638 ms
   MPLS Label=130087 CoS=1 TTL=1 S=0
21 * 222.176.3.98 (222.176.3.98) 719.627 ms 722.121 ms
22 222.177.192.158 (222.177.192.158) 753.977 ms 740.857 ms 740.847 ms
23 61.186.170.65 (61.186.170.65) 737.107 ms 735.615 ms 737.366 ms
24 * * *
25 * * *
26 * * *
27 211.144.164.194 (211.144.164.194) 733.955 ms 780.828 ms 784.441 ms
28 * * *
29 211.144.164.202 (211.144.164.202) 631.204 ms 634.349 ms 631.466 ms

more of those lines with "* * *" and is savvis the upstream for china telecom?

From ross at ross.orq Mon Feb 7 03:14:46 2005
From: ross at ross.orq (Peter J. Ross)
Date: Mon Feb 7 03:30:14 2005
Subject: [SpamCop-List] Re: Strange IP Shenanigans
References:
Message-ID:

Berny wrote:

> what is the meaning of the crap after #21

If by "crap" you mean those hops that only resolve to a numeric IP, it probably means there's no rDNS (Reverse-DNS) configured for them.

> and does this mean sprintlink is upstream?

W-a-y upstream.

> (funny how everything points to china too)

Some of us wouldn't exactly consider that to be funny...
> And moreover, how does that whole last IP-range not resolve to anybody at
> all?

See above re: no rDNS.

> APNIC shows nothing according to SC. And with latencies of almost a
> second on the last half dozen hops, their clients must be really patient
> and desperate for their enlargement/cialis/medz.

Spammers can be rather patient people -- they don't have much choice, we chased a lot of them offshore several years ago.

> and more weirdness here:
> 29 * * *
> what's with line 29?

Some routers are apparently set up not to respond to ICMP messages.

> more of those lines with "* * *"

See above.

> and is savvis the upstream for china telecom?

So it would appear, but they're a backbone provider and probably too far up the food chain to bother (at least at this point).

--
PJR

From tdy at blackhole.invalid Mon Feb 7 01:04:54 2005
From: tdy at blackhole.invalid (N. Miller)
Date: Mon Feb 7 04:10:05 2005
Subject: [SpamCop-List] Re: Strange IP Shenanigans
References:
Message-ID:

In article , Berny says...

> ...and does this mean sprintlink is upstream? (funny how everything
> points to china too)

I learned a long time ago to use two different tracerts through two different providers to try and triangulate the difference between "upstream" and "peer". I also learned not to trust tracert to find the "upstream" provider.

From Mike Easter I learned how to look up ASN adjacencies; probably the closest thing to a reliable "upstream" locator that you will encounter. I have configured "whois.cymru.com" into my Sam Spade WinTools utility, which gave me this:

----------------
02/07/05 00:54:49 whois 219.133.144.104@whois.cymru.com
whois -h whois.cymru.com 219.133.144.104 ...
ASN  | IP              | Name
4134 | 219.133.144.104 | CHINANET-BACKBONE No.31,Jin-ro
----------------

Taking the ASN and plugging it into the "potaroo.net" site I get a result which should be located at this link:

http://bgp.potaroo.net/cgi-bin/as-report?as=AS4134

But read the disclaimer under the "AS Adjacency Report" heading carefully:

"In the context of this report "Upstream" indicates that there is an adjacent AS that lines between the BGP table collection point (in this case at AS4637) as the specified AS. Similarly, "Downstream" refers to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description relative topology, and should not be confused with provider / customer / peer inter-AS relationships."

In other words, being listed here as an "upstream" does not mean that the listed "upstream" has the standing to force a "downstream" to act (no customer relationship).

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at devnull.spamcop.net Mon Feb 7 18:28:51 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Mon Feb 7 04:30:02 2005
Subject: [SpamCop-List] Re: "putRow Column 'type' cannot be null (1048)/sc?"
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:

> Mike Easter wrote:
>
>>>>"Patto"
>
>
>>>>>The error occurs when clicking 'Send Spam Report(s) now'.
>
>
>>That item currently parses and offers to report
>
>
>>You just ran into a technical glitch.
>>If you submit it and its littermates again, it should work just fine.
>
>
> Actually, I don't know that, since I didn't click 'send reports' - but I
> would sure give it another shot.

I just submitted the newest batch, and the error disappeared.
From MikeE at ster.invalid Mon Feb 7 04:07:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 7 07:10:24 2005 Subject: [SpamCop-List] Re: Strange IP Shenanigans References: Message-ID: Berny wrote: > I recieved a spam that would be reported to Nomaster I presume Nomaster means devnull, since SC has trouble with a reporting address for 219.133.144.104 > so I did > traceroutes on the sending IP and various IP's and domains of > spamvertizements contained within. Starting your 'notify attack' with the tracert or traceroute isn't the strategy I would recommend. Start your 'better notify than SC' analysis by looking directly at the target in a 'normal' reporting way, the trouble SC has with apnic here. I'm using my SamSpadeWin console for pasting here, but you can actually get some of this same information from SpamCop's access to apnic or a mirror thereof. I'm abbreviating here: whois -h whois.apnic.net 219.133.144.104 ... inetnum: 219.128.0.0 - 219.137.255.255 netname: CHINANET-GD I can already tell you that Chinanet Guangdong is not going to give you a good notify - where good notify means someone worth notifying. But we will go thru' a drill to demonstrate admin-c: CH93-AP tech-c: IC83-AP The admin/tech contacts are admin-c: CH93-AP e-mail: hostmaster@ns.chinanet.cn.net e-mail: anti-spam@ns.chinanet.cn.net and nic-hdl: IC83-AP e-mail: ipadm@gddc.com.cn but the remarks say, in 2 different places, things which SC may not see because of how it reads. remarks: hostmaster is not for spam complaint,please send spam complaint to anti-spam@ns.chinanet.cn.net remarks: IPMASTER is not for spam complaint,please send spam complaint to abuse@gddc.com.cn So, in general terms of evaluating how to notify for something, looking directly at the information in the same way that SC does is the way to start, not with a tracert. 
You now may know something that SC didn't because SC sed it couldn't find an addy for CH93-AP or IC83-AP and we did -- but we have found a remarks notify addy. You can demonstrate the trouble that SC has with a notify for this IP by simply putting the isolated IP into the parser and looking at the result trouble. Next, after getting the above notify addies from apnic, you can look at what kind of responsiveness to expect from notifying about the IP by checking to see if it is listed in spews or spamhaus. You can do that at those websites or at openrbl or at dnsstuff. I prefer dnsstuff. You can also go by your own experience if you are familiar with a particular provider like Chinanet Guangdong, which I am, and I consider them unresponsive. In this particular case, that IP isn't listed in spews, but it is in spamhaus sbl-xbl because it is in cbl, a listed of proxy/trojan spamtrap spamsources. Then, if you decide you are going to go upstream, which I wouldn't because I know what I've already seen upstream about Chinanet-GD, you would best use the ASN upstream adjacency as described by Norman. But, just to 'glance at' the tracert to see what useful information it has, you would start near to the target. There's no point in notifying just some place on the route. In this case, going backwards up the tracert, you have to lookup each item in apnic to see the Chinanet BB backbone. Theoretically the Chinanet BB would be the notify, but it is unresponsive as well. Just because the appropriate notify is unresponsive and the appropriate upstream is unresponsive doesn't mean you go around notifying further and further upstreams in such cases. Think about what the original issue is about. This item we are currently talking about is a source IP which is spamcop listed and listed in the CBL which is a listing of spamsources which are proxy/trojans. Upstreams don't want to hear about that. They don't even want to hear about the provider being unresponsive about that. 
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Feb 7 04:14:34 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Feb 7 07:15:05 2005
Subject: [SpamCop-List] Re: Strange IP Shenanigans
References:
Message-ID:

Mike Easter wrote:

> SC has trouble with a
> reporting address for 219.133.144.104

> You now may know something
> that SC didn't because SC sed it couldn't find an addy for CH93-AP or
> IC83-AP and we did

Parsing input: 219.133.144.104
host 219.133.144.104 (getting name) no name
"whois 219.133.144.104@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
Lookup ch93-ap@whois.apnic.net
"whois ch93-ap@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
ch93-ap =
Lookup ic83-ap@whois.apnic.net
"whois ic83-ap@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
ic83-ap =
whois.apnic.net 219.133.144.104 (nothing found)
host 219.133.144.104 (getting name) no name

No reporting addresses found for 219.133.144.104, using devnull for tracking.

--
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Mon Feb 7 06:23:01 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Mon Feb 7 07:25:02 2005
Subject: [SpamCop-List] Re: SpamCop Imposter?
References: <4202F906.D9B2EB2E@ddress.com> <42030B61.A0EF270@ddress.com>
Message-ID:

In article , Bert Driehuis writes:

> Mike Easter wrote:
>
>> Oooh. I always have to find out what the critter was.
>>
>> In fact, I stick them in a little folder and save them after/for
>> identification. It's hard to handle them with the AV turned on, so I
>> keep it turned off for moving them around or isolating them from the
>> mail. The AV always wants to protect me and interfere with what I'm
>> doing.
>
> I've dealt with more than one virus outbreak in $ORKPLACE caused by a
> cow orker "checking out" a suspected message that the end user didn't trust.
>
> Unless you have _significant_ experience in dealing with such crap I
> would recommend against this practice. Sandboxing in VMware is a minimum
> first step (and so is wiping the session when you're done, and running
> it without network connectivity).

How about inspecting it by using an operating system without a history of viruses ?

From bar_n0ne at hotmail.com Mon Feb 7 16:51:56 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Feb 7 07:55:04 2005
Subject: [SpamCop-List] Re: Strange IP Shenanigans
References:
Message-ID:

"Mike Easter" wrote in message news:cu7m1r$95k$1@news.spamcop.net...

> Mike Easter wrote:
> > SC has trouble with a
> > reporting address for 219.133.144.104
>
> > You now may know something
> > that SC didn't because SC sed it couldn't find an addy for CH93-AP or
> > IC83-AP and we did
>
>
> Parsing input: 219.133.144.104
> host 219.133.144.104 (getting name) no name
> "whois 219.133.144.104@whois.apnic.net" (Getting contact from
> whois.apnic.net mirror)
> Display data:
> Lookup ch93-ap@whois.apnic.net
> "whois ch93-ap@whois.apnic.net" (Getting contact from whois.apnic.net
> mirror)
> Display data:
> ch93-ap =
> Lookup ic83-ap@whois.apnic.net
> "whois ic83-ap@whois.apnic.net" (Getting contact from whois.apnic.net
> mirror)
> Display data:
> ic83-ap =
> whois.apnic.net 219.133.144.104 (nothing found)
> host 219.133.144.104 (getting name) no name
>
> No reporting addresses found for 219.133.144.104, using devnull for
> tracking.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Too bad the "shock and awe" wasn't applied to Chinanet, GDDC, CRC, and CNC_NOC instead of Baghdad

From jld1 at cam.ac.uk Mon Feb 7 15:18:36 2005
From: jld1 at cam.ac.uk (John Dawson)
Date: Mon Feb 7 10:20:11 2005
Subject: [SpamCop-List] A small success!!
:-) Message-ID: From: Sympatico Abuse Subject: Re: Eid Al-Ghadeer Al-Mubarak Season (fwd) (KMM10800120V81324L0KM) The situation you have brought to our attention has been investigated and treated by a member of our staff. We have enforced our AUP(Acceptable Use Policy) against the offending account. Sympatico always enforces a strong anti-abuse policy; customers who abuse the network risk having their service terminated. Should you encounter any Internet Abuse originating within the Sympatico network, please do not hesitate to contact us again at abuse@sympatico.ca. Regards, Mikael Bellini Service Abuse Investigator Bell Sympatico Member Services http://security.sympatico.ca abuse@sympatico.ca Original Message Follows: ------------------------- I have been receiving this spam for more than a year now. Each time, I report it via SpamCop, which must mean that mail from your servers is blocked by many people around the world. Please deal with it!! ======================================== Tracking message source: 69.157.237.100: [refresh/show] Cached whois for 69.157.237.100 : noc@in.bell.ca Using abuse net on noc@in.bell.ca abuse net in.bell.ca = abuse@sympatico.ca From DougThegarden at hotmail.com Mon Feb 7 15:22:35 2005 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Mon Feb 7 10:25:49 2005 Subject: [SpamCop-List] Re: Time for a new approach In-Reply-To: References: Message-ID: Kenneth Loafman wrote: > > Like the joke, "I'm from the government and I'm here to help."? > > The same idiots that brought you the I-CAN-SPAM act. > OTOH. Unabomber - nothing done Oklahoma - nothing much done 9/11 - Realisation that terrorism wasn't just something that happened to other countries and that the public would demand something be done about it. You may debate whether the subsequent response was good or bad but its just another example of government doing not a lot until it really impacts them or their public. I-CAN-SPAM is in the not doing a lot category. 
I bet if the true volume of spam were unleashed, the public would be onto their politician in a shot demanding something be done about it Doug From nobody at devnull.spamcop.net Mon Feb 7 10:30:50 2005 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Mon Feb 7 10:35:05 2005 Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx? In-Reply-To: References: Message-ID: Bert Driehuis wrote: > John E. Malmberg wrote: > >> And apparently the spamware keeps morphing to evade automatic scans. > > > The morphing isn't that bad -- it just means ISPs have to scan all > 65,534 possible ports of every customer before they allow the first > activity on Port 25. That's something like 5MB of traffic per user -- > this could be a profit center for ISPs that charge per megabyte! :-) > > The big problem with port scanning is that some Trojan proxies are so > badly written that at the best of times, they fail 50% of requests. In > other words, scanning all 65,534 is no guarantee of finding the Trojan. I found this interesting web page on reverse-engineering of Zombie network software: http://lowkeysoft.com/proxy/ I'd bet not much has changed since the analysis. It seems to be consistent with the documentation at http://www.send-safe.com/ From lhp at cotse.net Mon Feb 7 16:09:23 2005 From: lhp at cotse.net (LHP) Date: Mon Feb 7 11:10:07 2005 Subject: [SpamCop-List] Submitting by email takes hours? Message-ID: Submitting spam from COTSE.NET's Squirrelmail 'Report Spam' feature. Spam leaving their mailservers within minutes. However, counted at least a three hour delay between that and spamcop.net flagging them as ready for reporting. Any ideas? From MikeE at ster.invalid Mon Feb 7 08:39:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Feb 7 11:40:14 2005 Subject: [SpamCop-List] Re: Submitting by email takes hours? References: Message-ID: LHP wrote: > Submitting spam from COTSE.NET's Squirrelmail 'Report Spam' feature. 
> > Spam leaving their mailservers within minutes. > > However, counted at least a three hour delay between that and > spamcop.net flagging them as ready for reporting. > > Any ideas? The webparser is proceeding slowly, but parses a dozen spams in about 6 minutes, including nag times. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon Feb 7 12:32:35 2005 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Mon Feb 7 12:35:16 2005 Subject: [SpamCop-List] Re: Damnit! In-Reply-To: References: Message-ID: <4207A633.9050707@devnull.spamcop.net> Pete Stephenson wrote: > "Hello, my name is Inigo Montoya....you spammed my mail box...prepare to > die." :) > HAHAH! Anyway Pete, You shouldn't be so upset that one got away with something! If half the ISPs implemented half the anti-spam measures that you do, etc., etc. I only wish there were some consumer group that gave out awards to ISPs who follow best practices, at least until a better, standard technological solution (not requiring heroes such as you to implement it) comes around. From nobody at devnull.spamcop.net Mon Feb 7 12:39:55 2005 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Mon Feb 7 12:40:11 2005 Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx? In-Reply-To: References: Message-ID: Bert Driehuis wrote: > John E. Malmberg wrote: > >> Port scans are more troublesome to do automatically. They also >> consume bandwidth, so must be throttled. It is probably likely that >> the time needed to sequentially scan all I.P. addresses for an ISP can >> be measured in weeks or months if they do not want to disrupt their >> network. [snip] > The big problem with port scanning is that some Trojan proxies are so > badly written that at the best of times, they fail 50% of requests. In > other words, scanning all 65,534 is no guarantee of finding the Trojan. 
Here's another idea, after reading the spam analysis in my other posting: it seems you could find the zombies by passively watching (as an ISP can) for traffic used to command them. For example, the HTTPS, SOCKS4/5 connections -- you don't even need to decrypt them, just find out who's receiving them. I understood that a zombie's just a proxy usually on one of those protocols. That can't be so much bandwidth to monitor, relatively speaking. At least you can aim your port scans at those potential IP addresses. From nobody at devnull.spamcop.net Mon Feb 7 13:00:48 2005 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Mon Feb 7 13:05:30 2005 Subject: [SpamCop-List] Re: Another new spammer trick... In-Reply-To: References: Message-ID: Patto wrote: > ... to make reporting more difficult. Plain text message, with body > text only "See attachment message.html". The attachment is of course a > beautifully composed HTML document, which I have to open and extract the > source code, then paste it together with the email headers to report. > > 1. much more work to report > 2. I am exposing myself by opening the HTML doc > > Result: > http://www.spamcop.net/sc?id=z729531874z899ae1bcb2ae6ef83c0f89e623a61753z > > Any suggestions how these things should best be handled? I just got a spam like this. I reported it with full headers like I do with all spams. No change in procedure; SC found the links and sent reports to email source ISP and that of the URLs in attached HTML document. I use Thunderbird 1.0 (free, mozilla.org) as an email client, which won't view the HTML images by default, even in attachments. Seems pretty spam-safe, even with this approach. I think the latest security features in Outlook also provide something like this, although I don't think it works in Outlook Express. They are two products developed by different teams, apparently. Full headers in Outlook is a real pain. 
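
Added example, not part of any poster's message: one way to handle the "See attachment message.html" spam discussed in this thread without opening or rendering the attachment is to walk the MIME structure of the raw message and list the link targets in every HTML part. The sketch below uses only the Python standard library; the sample message, its addresses and its URLs are constructed for illustration, and the function names are hypothetical.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample attachment body (example.* names are placeholders).
SAMPLE_HTML = """<html><body>
<a href="http://www.example.com/offer?id=1&amp;src=mail">Click here</a>
<img src="http://img.example.net/banner.gif" width="1" height="1">
<a href="mailto:someone@example.org">contact</a>
</body></html>
"""

# Attributes that can carry a URL the reader's client would contact.
URL_ATTRS = {"href", "src", "action", "background"}


def build_sample(maintype="text", subtype="html"):
    """Build a constructed message: plain-text body plus an HTML attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment message.html\n")
    # Bytes content is base64-encoded, as a mail client would send it.
    msg.add_attachment(SAMPLE_HTML.encode("utf-8"), maintype=maintype,
                       subtype=subtype, filename="message.html")
    return msg.as_bytes()


class LinkCollector(HTMLParser):
    """Collect URL-bearing attribute values; nothing is rendered or fetched."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.urls.append(value.strip())


def html_parts(msg):
    """Yield (part name, decoded HTML) for inline and attached HTML parts."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        looks_html = (part.get_content_type() == "text/html"
                      or name.lower().endswith((".htm", ".html")))
        if not looks_html:
            continue
        raw = part.get_payload(decode=True) or b""  # undoes base64 / QP
        charset = part.get_content_charset() or "utf-8"
        try:
            text = raw.decode(charset, errors="replace")
        except LookupError:  # charset label the codec registry does not know
            text = raw.decode("latin-1")
        yield name or "(inline)", text


def extract_links(raw_message):
    """Return [(part name, url, host)] for http/https links in HTML parts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    seen, found = set(), []
    for name, html in html_parts(msg):
        collector = LinkCollector()
        collector.feed(html)
        collector.close()
        for url in collector.urls:
            try:
                parts = urlsplit(url)
            except ValueError:  # malformed URL, e.g. a broken IPv6 literal
                continue
            if parts.scheme.lower() not in ("http", "https"):
                continue
            if (name, url) not in seen:
                seen.add((name, url))
                found.append((name, url, parts.hostname or ""))
    return found


if __name__ == "__main__":
    for part_name, url, host in extract_links(build_sample()):
        print(part_name, host, url)
```

The second call in the test covers an attachment mislabelled as application/octet-stream, which is matched by its file name instead of its content type.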
From nobody at devnull.spamcop.net Mon Feb 7 13:40:53 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Mon Feb 7 14:00:06 2005
Subject: [SpamCop-List] Re: Another new spammer trick...
References:
Message-ID:

From the Peanut Gallery, FWIW:

"Sofa King Tyred of Lar Ting" wrote in message news:cu8ace$795$1@news.spamcop.net...

> Patto wrote:
>> 1. much more work to report
>> 2. I am exposing myself by opening the HTML doc
>>
>> Result:
>> http://www.spamcop.net/sc?id=z729531874z899ae1bcb2ae6ef83c0f89e623a61753z
>>
>> Any suggestions how these things should best be handled?

I used to use Outlook at work and Outlook Express at home, so I got to know both of them (on Win98). When I got into spamfighting I used OE almost exclusively, keeping Outlook for calendars, appts, and minimal email use. My point is, since both are part of the os, and each had different pros and cons, it works fine to use Outlook for normal communications, and OE for spamwork. OE handles many things more conveniently, but then Outlook is more integrated. Your spam would have been a relative snap to report in OE.

So perhaps you could consider using OE when you report spam? And Outlook for the rest? F3 is the magic command to get the spam source code to copy, then just Send As Attachment to SC. You have of course noticed the Outlook workarounds on SC's page, right?

>
>
> I just got a spam like this. I reported it with full headers like I do
> with all spams. No change in procedure; SC found the links and sent
> reports to email source ISP and that of the URLs in attached HTML
> document.
>
> I use Thunderbird 1.0 (free, mozilla.org) as an email client, which won't
> view the HTML images by default, even in attachments. Seems pretty
> spam-safe, even with this approach.

With OE you can also set Plain Text for reading mail. If you think you want to see the HTML, a simple Reply (set to reply in HTML) shows you what's actually in the complete messages. A useful feature, IMO.
> > I think the latest security features in Outlook also provide something > like this, although I don't think it works in Outlook Express. They are > two products developed by different teams, apparently. Full headers in > Outlook is a real pain. I may have lost your meaning here, but OE does everything that's mentioned on this reponse fine, unless I missed something. Regards, Pop From null at null.com.none Mon Feb 7 18:58:03 2005 From: null at null.com.none (Martin) Date: Mon Feb 7 14:00:26 2005 Subject: [SpamCop-List] Re: Submitting by email takes hours? References: Message-ID: "LHP" wrote in message news:cu83rt$rbu$1@news.spamcop.net... > Submitting spam from COTSE.NET's Squirrelmail 'Report Spam' feature. > > Spam leaving their mailservers within minutes. > > However, counted at least a three hour delay between that and spamcop.net > flagging them as ready for reporting. > > Any ideas? > Been slow the last week for me, taking 1 1/2 hrs from submiting to receiving a reply, very infuriating because I often have to wait till I am home from work before I can finish reporting them, by which time its old spam. Martin From eddie at eddie.web Mon Feb 7 14:09:46 2005 From: eddie at eddie.web (eddie) Date: Mon Feb 7 14:10:11 2005 Subject: [SpamCop-List] Re: Submitting by email takes hours? References: Message-ID: On Mon, 07 Feb 2005 18:58:03 +0000, Martin scratched out the following: snip > Been slow the last week for me, taking 1 1/2 hrs from submiting to > receiving a reply, very infuriating because I often have to wait till I am > home from work before I can finish reporting them, by which time its old > spam. > > Martin That may be the spammer's trick - to make processing slow enough to cause the spam to exceed the 2-day SC limit. Neat, if it works. I submit directly through the web interface and it's been extremely slow for the last few weeks. 
Any slower and I switch into my delete mode, merely checking over the
spam to see if any real email slipped through before deleting it.

As good as SC is, I wonder if it really does anything on a global basis.

From eddie at eddie.web Mon Feb 7 14:14:33 2005
From: eddie at eddie.web (eddie)
Date: Mon Feb 7 14:15:05 2005
Subject: [SpamCop-List] Re: Another new spammer trick...
References:
Message-ID:

On Mon, 07 Feb 2005 14:40:49 +0900, Patto scratched out the following:

> ... to make reporting more difficult. Plain text message, with body text
> only "See attachment message.html". The attachment is of course a
> beautifully composed HTML document, which I have to open and extract the
> source code, then paste it together with the email headers to report.
>
> 1. much more work to report
> 2. I am exposing myself by opening the HTML doc

If your OS or AV software allows it, take your computer offline
temporarily while viewing any such messages. Norton allows a right-click
on their taskbar icon to take the computer offline, as does the MS LAN
connection icon in the same area. You might also check the "work offline"
button in the Outlook/Outlook Express File dropdown menu. The URLs will
"light up" but no connection will be made to the source.

From nobody at devnull.spamcop.net Mon Feb 7 13:53:29 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon Feb 7 14:55:04 2005
Subject: [SpamCop-List] Re: Another new spammer trick...
References:
Message-ID:

"Pop" wrote in message news:cu8dl7$dga$1@news.spamcop.net...
>
> I used to use Outlook at work and Outlook Express at home, so I got to know
> both of them (on Win98). When I got into spamfighting I used OE almost
> exclusively, keeping Outlook for calendars, appts, and minimal email use.
> My point is, since both are part of the os,

Not really ... Outlook is either purchased on its own or as
part of the Office product. Outlook Express is "free" as part
of Microsoft's Internet Explorer.
Had you said that both
products "use" the OS .. which is where the security issues
all started ....

> and each had different pros and cons, it works fine to use
> Outlook for normal communications, and OE for
> spamwork. OE handles many things more conveniently,
> but then Outlook is more integrated.

Again the different targets / types of users ... Outlook is
great for those at the office, handling all that stuff of
internal affairs, documents, data and such, which of course
opened up many more avenues of security issues.

From MikeE at ster.invalid Mon Feb 7 11:57:22 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Feb 7 15:00:08 2005
Subject: [SpamCop-List] Re: Submitting by email takes hours?
References:
Message-ID:

eddie wrote:
> As good as SC is, I wonder if it really does anything on a global
> basis.

It makes the SCbl and feeds the sc-surbl. Those are useful. Some very
tiny subset of SC spam notifies also influence the notified, but not
many.

--
Mike Easter
kibitzer, not SC admin

From SCNews.5.myspamgobbler at spamgourmet.com Mon Feb 7 12:26:27 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Mon Feb 7 15:30:16 2005
Subject: [SpamCop-List] Re: Another new spammer trick...
In-Reply-To:
References:
Message-ID:

Patto wrote:
> ... to make reporting more difficult. Plain text message, with body
> text only "See attachment message.html". The attachment is of course a
> beautifully composed HTML document, which I have to open and extract the
> source code, then paste it together with the email headers to report.
>
> 1. much more work to report
> 2. I am exposing myself by opening the HTML doc
>
> Result:
> http://www.spamcop.net/sc?id=z729531874z899ae1bcb2ae6ef83c0f89e623a61753z
>
> Any suggestions how these things should best be handled?

Maybe I missed someone stating this. If you need to view source, right
click on the attachment and save it to disk. Open with notepad.
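
Added example (not part of any poster's message) of doing the "save to disk, open as text" step with a script: it decodes the HTML attachment of a raw message without rendering it, lists the URLs and hosts it references, and joins the original headers with the decoded source the way the original poster did by hand. The sample message and every name in it are constructed for illustration; nothing is fetched over the network.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of the spam described in the thread: a one-line text
# body plus an HTML attachment. All hosts are placeholders.
SAMPLE = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org; Mon, 7 Feb 2005 14:40:49 +0900
From: "Offers" <offers@example.net>
To: user@example.org
Subject: Your order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attachment message.html
--b1
Content-Type: text/html; charset="us-ascii"; name="message.html"
Content-Disposition: attachment; filename="message.html"
Content-Transfer-Encoding: quoted-printable

<html><body>
<a href=3D"http://shop.example.com/buy?id=3D42">Click here</a>
<img src=3D"http://track.example.net/open.gif?u=3Duser">
</body></html>
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect URL-bearing attributes; nothing is fetched or rendered."""
    URL_ATTRS = {"href", "src", "action", "background"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.links.append((tag, value.strip()))


def html_parts(raw):
    """Yield (filename, decoded_source) for every text/html part."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            # get_content() undoes base64/quoted-printable and the charset.
            yield part.get_filename() or "(inline)", part.get_content()


def analyse(raw):
    """Return one dict per HTML part: filename, links and distinct hosts."""
    out = []
    for filename, source in html_parts(raw):
        collector = LinkCollector()
        collector.feed(source)
        collector.close()
        hosts = sorted({urlsplit(u).hostname for _, u in collector.links
                        if urlsplit(u).hostname})
        out.append({"filename": filename, "links": collector.links, "hosts": hosts})
    return out


def build_report(raw):
    """Original header block followed by the decoded HTML source as text."""
    headers = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("ascii", "replace")
    bodies = [source for _, source in html_parts(raw)]
    return headers + "\n\n" + "\n".join(bodies)


if __name__ == "__main__":
    for item in analyse(SAMPLE):
        print(item["filename"], item["hosts"])
        for tag, url in item["links"]:
            print("  ", tag, url)
```

The `img` entry in the sample is the kind of remote image a mail client would request on display, which is why viewing the source as text is the safer route.
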
From nobody at spamcop.net Mon Feb 7 17:05:15 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Mon Feb 7 17:05:07 2005
Subject: [SpamCop-List] Re: Time for a new approach
References:
Message-ID:

"Kenneth Loafman" wrote in message
news:o83f01pctev69k0rqnrc3coqlgc6vbmdfm@4ax.com...
> Government control of the internet is NOT the way to go for any reason!
>

That's why I think a trade association would be the best way to
'educate' and advertise blocklists. It combines the older function of
the internet to reach out to each other and help each other AND the
supply/demand economics.

Miss Betsy

> --
> Just a SpamCop user helping out.

From lkrupp at pssw.NOSPAM.com.INVALID Mon Feb 7 15:09:59 2005
From: lkrupp at pssw.NOSPAM.com.INVALID (Louis Krupp)
Date: Mon Feb 7 17:15:06 2005
Subject: [SpamCop-List] Re: Submitting by email takes hours?
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> eddie wrote:
>
>>As good as SC is, I wonder if it really does anything on a global
>>basis.
>
>
> It makes the SCbl and feeds the sc-surbl. Those are useful. Some very
> tiny subset of SC spam notifies also influence the notified, but not
> many.
>

Isn't fresh spam required to keep the block lists up to date?

Could SC be a victim of its own success, with a cascade effect of e-mail
submissions taking more than a couple of hours to make their way through
the queue, the block lists failing to keep up with the flood, more spam
getting through, and more e-mail submissions to process? On the other
hand, it could be a cyclic thing; if people lose interest and submit
fewer e-mails, then SC will be able to keep up once again, at least
until too many people start using it again...

Louis Krupp

From eddie at eddie.web Mon Feb 7 17:18:10 2005
From: eddie at eddie.web (eddie)
Date: Mon Feb 7 17:20:09 2005
Subject: [SpamCop-List] nomaster found confection8fossilized.com
Message-ID:

I just got a nomaster found from SC for confection8fossilized.com
yet I can visit the site.
Is it now possible for someone to have a website hosted by nobody and yet
accessible by anyone? This is news to me. How do I get started?

From nobody at devnull.spamcop.net Mon Feb 7 14:20:27 2005
From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m)
Date: Mon Feb 7 17:25:06 2005
Subject: [SpamCop-List] Re: Submitting by email takes hours?
In-Reply-To:
References:
Message-ID:

LHP wrote:
> Submitting spam from COTSE.NET's Squirrelmail 'Report Spam' feature.
>
> Spam leaving their mailservers within minutes.
>
> However, counted at least a three hour delay between that and spamcop.net
> flagging them as ready for reporting.

Spam forwarded by me today at 08:48:06 -0800 (PST) was returned for
processing 2 hours 23 minutes later at 19:10:54 GMT.

--
"[Spammers] are the mutant spawn of a bizarre reproductive act involving
a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third
Class Mail industry." -- Dave Barry

From spamcop at oitc.com Mon Feb 7 18:00:37 2005
From: spamcop at oitc.com (spamcop)
Date: Mon Feb 7 18:05:47 2005
Subject: [SpamCop-List] Missing url
Message-ID:

See
http://www.spamcop.net/sc?id=z729826661z5be7b2238e2e6a2016585e6cf25de1f1z

Missed the phishing url

Tom

From nobody at devnull.spamcop.net Mon Feb 7 19:01:20 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Mon Feb 7 19:05:04 2005
Subject: [SpamCop-List] Re: Another new spammer trick...
References:
Message-ID:

...
> Not really ... Outlook is either purchased on its own or as
> part of the Office product. Outlook Express is "free" as part
> of Microsoft's Internet Explorer. Had you said that both
> products "use" the OS .. which is where the security issues
> all started ....

The OP, to whom I responded, already had and was using Outlook, was he
not? Then, he also had to have OE, right? Then ... the person I
responded to got the info I intended him to get. Nitpicks aside, he
appears to HAVE both apps.

...
> Again the different targets / types of users ... Outlook is
> great for those at the office, handling all that stuff of
> internal affairs, documents, data and such, which of course
> opened up many more avenues of security issues.

It's also great for me, right here at home. My dr. appts, my foster
kid's appts, my wife's work hours, her doc appts, school board meetings,
volunteer times at the SPCA and blood center, vacations, days planned
off, people coming to town, important birthdays and life events plus etc
etc etc ALL go into the Outlook calendar with applicable alarms,
available and unavailable times and importance levels are all kept where
they're available at a glance. The Journal is very handy, as are the Task
panes and planning guides. I seldom over-schedule or overlap family
events etc. thanks to Outlook and I find it a GREAT tool!

Had I not already known how Outlook worked and then listened to you, I
would have missed out on an excellent tool. Please, -do- -not-
generalize that way. Because it's not handy for you at home does not
mean it's not handy for anyone at home. Once most people understand its
value, many of them find it very useful, plus the integration with MS is
a big plus.

Because they've seen me using it over the years, at least three
relatives, four friends, and several nephews also use it. Pretty handy
to glance at the screen and see that "hmm, I really should back up
again; not a lot new, but it's been too long." It only takes not being
color blind to use that part of it.

If I seem crabby, it's because I am; just spent three full days
rebuilding this boat anchor, I mean, piece of, errr, system! One more
backup to go!
Regards,

Pop

From driehuis.fcnzpbc2005 at playbeing.com Tue Feb 8 01:05:42 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Mon Feb 7 19:10:04 2005
Subject: [SpamCop-List] Re: nomaster found confection8fossilized.com
In-Reply-To:
References:
Message-ID:

eddie wrote:
> I just got a nomaster found from SC for
> confection8fossilized.com
> yet I can visit the site.
> Is it now possible for someone to have a website hosted by nobody and yet
> accessible by anyone? This is news to me. How do I get started?

Is there any particular reason why you would want the report stonewalled
by an unresponsive ISP in China rather than being stonewalled by
nomaster@devnull? At least the latter name practices truth in
advertising. And remember, your report feeds the URL bl either way.

From TJLWBECGSGWU at spammotel.com Tue Feb 8 00:32:04 2005
From: TJLWBECGSGWU at spammotel.com (Mathew Hendry)
Date: Mon Feb 7 19:35:04 2005
Subject: [SpamCop-List] Re: Missing url
In-Reply-To:
References:
Message-ID:

spamcop wrote:
> http://www.spamcop.net/sc?id=z729826661z5be7b2238e2e6a2016585e6cf25de1f1z
>
> Missed the phishing url

Bold indeed - an eBay phish using eBay's own redirector!

--
Mat.

From usenet1 at DE.LETE.THISljvideo.com Tue Feb 8 00:46:49 2005
From: usenet1 at DE.LETE.THISljvideo.com (Larry J.)
Date: Mon Feb 7 19:50:03 2005
Subject: [SpamCop-List] Re: A small success!! :-)
References:
Message-ID:

Waiving the right to remain silent, "John Dawson" wrote:

> From: Sympatico Abuse
> Subject: Re: Eid Al-Ghadeer Al-Mubarak Season (fwd)
> (KMM10800120V81324L0KM)
>
> The situation you have brought to our attention has been investigated
> and treated by a member of our staff. We have enforced our
> AUP(Acceptable Use Policy) against the offending account.

WOW..! Spampatico acts on a complaint. Wonders never cease.

I wonder what "enforcement" was taken..?

--
Larry J.
- Remove spamtrap in ALLCAPS to e-mail

"If you take out the killings, Washington actually has a very low
crime rate." - Marion Barry, mayor of Washington, D.C.

From driehuis.fcnzpbc2005 at playbeing.com Tue Feb 8 01:47:26 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Mon Feb 7 19:50:18 2005
Subject: [SpamCop-List] Re: Spammers moving away from direct-to-mx?
In-Reply-To:
References:
Message-ID:

Sofa King Tyred of Lar Ting wrote:
> Here's another idea, after reading the spam analysis in my other
> posting: it seems you could find the zombies by passively watching (as
> an ISP can) for traffic used to command them. For example, the HTTPS,
> SOCKS4/5 connections -- you don't even need to decrypt them, just find
> out who's receiving them. I understood that a zombie's just a proxy
> usually on one of those protocols.
>
> That can't be so much bandwidth to monitor, relatively speaking. At
> least you can aim your port scans at those potential IP addresses.

I hadn't given this aspect much thought. You're right, it's interesting.

Monitoring traffic at gigabit concentrators is not cheap if you have to
add the taps. Then again, once they have the equipment adding passive
monitoring for socks and http-connect is cheap (not so for https,
obviously). It is trivial to set up using off the shelf tools like snort
(the trick is to strip its ruleset down to the bare minimum to not get
swamped in data). It would take some forward thinking on the part of
ISPs that I would welcome were it to happen.

From driehuis.fcnzpbc2005 at playbeing.com Tue Feb 8 01:50:55 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Mon Feb 7 19:55:04 2005
Subject: [SpamCop-List] Re: SpamCop Imposter?
In-Reply-To:
References: <4202F906.D9B2EB2E@ddress.com> <42030B61.A0EF270@ddress.com>
Message-ID:

Larry Kilgallen wrote:
> How about inspecting it by using an operating system without a history
> of viruses ?
That would be an excellent idea, if it gets you far enough.
Unfortunately, once you need to break custom compression, for example,
you're pretty much limited to Windows. I'm not aware of any debugging
tools that run on a proper OS. I've toyed with using WINE for that (in a
VMware sandbox, obviously :-) but have not been successful with that. If
anyone has pointers I'd appreciate it.

From TJLWBECGSGWU at spammotel.com Tue Feb 8 00:51:23 2005
From: TJLWBECGSGWU at spammotel.com (Mathew Hendry)
Date: Mon Feb 7 19:55:22 2005
Subject: [SpamCop-List] Re: Submitting by email takes hours?
In-Reply-To:
References:
Message-ID:

Louis Krupp wrote:
> Isn't fresh spam required to keep the block lists up to date?
>
> Could SC be a victim of its own success, with a cascade effect of e-mail
> submissions taking more than a couple of hours to make their way through
> the queue, the block lists failing to keep up with the flood, more spam
> getting through, and more e-mail submissions to process? On the other
> hand, it could be a cyclic thing; if people lose interest and submit
> fewer e-mails, then SC will be able to keep up once again, at least
> until too many people start using it again...

It looks to me like the vast majority of reports come from spamtraps
anyway. The stats below are recent aggregates for my current ISP, and
typical of what I see. Very few of them consist only of user reports,
and very few of *those* are enough in themselves to result in a listing
(2 or more independent reports). Spamtrap reports are much more numerous
and more trusted.

--
Mat.

From eddie at eddie.web Mon Feb 7 19:58:04 2005
From: eddie at eddie.web (eddie)
Date: Mon Feb 7 20:00:05 2005
Subject: [SpamCop-List] Re: nomaster found confection8fossilized.com
References:
Message-ID:

On Tue, 08 Feb 2005 01:05:42 +0100, Bert Driehuis scratched out the
following:

> eddie wrote:
>
>> I just got a nomaster found from SC for confection8fossilized.com
>> yet I can visit the site.
>> Is it now possible for someone to have a website hosted by nobody and
>> yet accessible by anyone? This is news to me. How do I get started?
>
> Is there any particular reason why you would want the report stonewalled
> by an unresponsive ISP in China rather than being stonewalled by
> nomaster@devnull? At least the latter name practices truth in advertising.
> And remember, your report feeds the URL bl either way.

All of china is blacklisted. I was simply curious how someone could get
an IP and not have an ISP, which is what SC seems to indicate. Not that
the ISP is unresponsive, but simply that SC cannot find an ISP. That
would mean the entire chain of authority is broken, from the local ISP
through whoever is responsible for assigning domain names. I only see
more of this stuff - in fact I just got two more of the same type.

From amenex at amenex.com Mon Feb 7 20:43:23 2005
From: amenex at amenex.com (George Langford, Sc.D.)
Date: Mon Feb 7 20:43:39 2005
Subject: [SpamCop-List] Re: nomaster found confection8fossilized.com
Message-ID: <200502080143.j181hNXY018434@voicenet.com>

Eddie of eddieweb inquired:
> I just got a nomaster found from SC for confection8fossilized.com
> yet I can visit the site. Is it now possible for someone to have a
> website hosted by nobody and yet accessible by anyone? This is
> news to me. How do I get started?
Don't feel bad; it can be hard work, Long-winded reply: Step 1: Do a TraceRT, using (http://voa.his.com/cgi-bin/trace): FROM voa.his.com TO confection8fossilized.com. traceroute to confection8fossilized.com (222.134.66.61), 64 hops max, 44 byte packets 1 pm28-fe00.his.net (216.194.225.65) 0.330 ms 0.259 ms 0.253 ms 2 att-kensington-ds3-1.his.net (216.194.224.6) 1.329 ms 1.287 ms 1.342 ms ... snippage of internmediate steps ...] 19 * 61.179.255.38 (61.179.255.38) 296.652 ms 261.865 ms 20 222.134.155.58 (222.134.155.58) 288.689 ms 289.571 ms 263.281 ms 21 222.134.155.110 (222.134.155.110) 300.903 ms 301.010 ms 305.867 ms 22 222.134.66.61 (222.134.66.61) 301.518 ms * * Step 2: Do a WhoIs on the IP address that TraceRT found: Querying: http://www.completewhois.com/ for 222.134.66.61 [IPv4 whois information for 222.134.66.61 ] [whois.apnic.net] % [whois.apnic.net node-1] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html inetnum: 222.132.0.0 - 222.135.255.255 netname: CNCGROUP-SD descr: CNCGROUP Shandong province network descr: China Network Communications Group Corporation descr: No.156,Fu-Xing-Men-Nei Street, descr: Beijing 100031 country: CN admin-c: CH455-AP tech-c: XZ14-AP mnt-by: APNIC-HM mnt-lower: MAINT-CNCGROUP-SD mnt-routes: MAINT-CNCGROUP-SD changed: hm-changed@apnic.net 20031211 status: ALLOCATED PORTABLE source: APNIC role: CNCGroup Hostmaster e-mail: abuse@cnc-noc.net address: No.156,Fu-Xing-Men-Nei Street, address: Beijing,100031,P.R.China nic-hdl: CH455-AP phone: +86-10-82993155 fax-no: +86-10-82993102 country: CN admin-c: CH444-AP tech-c: CH444-AP changed: abuse@cnc-noc.net 20041119 mnt-by: MAINT-CNCGROUP source: APNIC person: XIAOFENG ZHANG nic-hdl: XZ14-AP e-mail: ip@pub.sd.cninfo.net address: Jinan,Shandong P.R China phone: +86-531-605 fax-no: +86-531-605 country: CN changed: zhang-xf@sd.cn.net 20050128 mnt-by: MAINT-ZXF source: APNIC Step 3: Look up what SpamCop has to say about "cnc-noc.net" (that's the abuse-reporting address 
given above) with http://us.openrbl.org/ which has nothing nice to say; SpamCop returns no reporting address; but the OpenRBL data says the AS no. is AS4808. Step 4: Look up the upstream adjacencies with: http://www.cidr-report.org/ http://www.cidr-report.org/cgi-bin/as-report?as=AS4808&view=4637 AS Adjancency Report In the context of this report "Upstream" indicates that there is an adjacent AS that lines between the BGP table collection point (in this case at AS4637) as the specified AS. Similarly, "Downstream" referes to an adjacent AS that lies beyond the specified AS. This upstream / downstream categorisation is strictly a description relative topology, and should not be confused with provider / customer / peer inter-AS relationships. 405 AS4808 CHINA169-BJ CNCGROUP IP network??China169 Beijing Province Network Adjacency: 10 Upstream: 1 Downstream: 9 Upstream Adjacent AS list AS4837 CHINA169-BACKBONE CNCGROUP IP network??China169 Backbone That's not much of an improvement ... same reporting address: abuse@cnc-noc.net. Therefore, get the upstreams for AS4837, using http://www.cidr-report.org/ again: AS Adjancency Report ... snippage ... 288 AS4837 CHINA169-BACKBONE CNCGROUP IP network??China169 Backbone Adjacency: 14 Upstream: 5 Downstream: 9 Upstream Adjacent AS list AS1239 SPRN Sprint AS7018 ATTW AT&T WorldNet Services AS3320 Deutsche Telekom AG AS4637 REACH Reach Network Border AS AS3561 SAVVI-3 Savvis Now you can pick & choose whom to LART. At least these folks are more likely to be able to read what you send 'em. George Langford (amenex) From nobody at spamcop.net Tue Feb 8 15:12:00 2005 From: nobody at spamcop.net (Aaron Lawrence) Date: Mon Feb 7 21:15:04 2005 Subject: [SpamCop-List] Re: Submitting by email takes hours? In-Reply-To: References: Message-ID: Mathew Hendry wrote: > It looks to me like the vast majority of reports come from spamtraps > anyway. The stats below are recent aggregates for my current ISP, and > typical of what I see. 
> Very few of them consist only of user reports,
> and very few of *those* are enough in themselves to result in a listing
> (2 or more independent reports). Spamtrap reports are much more numerous
> and more trusted.

Is that typical? In that case, there is virtually no point reporting to spamcop, might as well just use the blacklist and forget about it.

Cheers
Aaron

From nobody at spamcop.net Tue Feb 8 15:34:25 2005
From: nobody at spamcop.net (Aaron Lawrence)
Date: Mon Feb 7 21:40:20 2005
Subject: [SpamCop-List] Re: Many broken links in the web version of FAQ
In-Reply-To:
References:
Message-ID:

WazoO wrote:
> Current status is "This bug has been confirmed and has been
> moved for further examination."

Thanks.

From nobody at spamcop.net Tue Feb 8 07:17:56 2005
From: nobody at spamcop.net (nospam)
Date: Mon Feb 7 22:20:03 2005
Subject: [SpamCop-List] Re: nomaster found confection8fossilized.com
References:
Message-ID:

in article cu8vpd$bkg$1@news.spamcop.net, Bert Driehuis at driehuis.fcnzpbc2005@playbeing.com wrote on 2/8/05 4:05 AM:

> eddie wrote:
>
>> I just got a nomaster found from SC for
>> confection8fossilized.com
>> yet I can visit the site.
>> Is it now possible for someone to have a website hosted by nobody and yet
>> accessible by anyone? This is news to me. How do I get started?
>
> Is there any particular reason why you would want the report stonewalled
> by an unresponsive ISP in China rather than being stonewalled by
> nomaster@devnull? At least the latter name practices truth in
> advertising. And remember, your report feeds the URL bl either way.

I'm not so sure about that, I've been watching the spamvertized sites on stats after submissions, I almost never see the ones I've submitted, so the list that some are fetching from the stats page is filtered or weighted in some way, and in no way complete, the numbers should give that away anyhow.
If there are some 5 or more reports per second and say 10% are reporting spamvertized sites, then in 1/2 an hour there should be way more sites than are listed there. From nobody at devnull.spamcop.net Tue Feb 8 13:54:25 2005 From: nobody at devnull.spamcop.net (Patto) Date: Mon Feb 7 23:55:16 2005 Subject: [SpamCop-List] Re: Another new spammer trick... In-Reply-To: References: Message-ID: Pop wrote: > From the Peanut Gallery, FWIW: > "Sofa King Tyred of Lar Ting" wrote in message > news:cu8ace$795$1@news.spamcop.net... > >>Patto wrote: >> >>>1. much more work to report >>>2. I am exposing myself by opening the HTML doc >>> >>>Result: >>>http://www.spamcop.net/sc?id=z729531874z899ae1bcb2ae6ef83c0f89e623a61753z >>> >>>Any suggestions how these things should best be handled? > > > I used to use Outlook at work and Outlook Express at home, so I got to know > both of them (on Win98). When I got into spamfighting I used OE almost > exclusively, keeping Outlook for calendars, appts, and minimal email use. > My point is, since both are part of the os, and each had differenct pros > and cons, it works fine to use Outlook for normal communications, and OE for > spamwork. OE handles many things more conveniently, but then Outlook is > more integrated. > Your spam would have been a relative snap to report in OE. So perhaps > you could consider using OE when you report spam? An d Outlook for the > rest? F3 is the magic command to get the spam source code to copy, then > just Send As Attachment to SC. > You have of course noticed the Outlook workarounds on SC's page, right? > >> >>I just got a spam like this. I reported it with full headers like I do >>with all spams. No change in procedure; SC found the links and sent >>reports to email source ISP and that of the URLs in attached HTML >>document. >> >>I use Thunderbird 1.0 (free, mozilla.org) as an email client, which won't >>view the HTML images by default, even in attachments. 
>>Seems pretty
>>spam-safe, even with this approach.
>
>
> With OE you can also set Plain Text for reading mail. If you think you want
> to see the HTML, a simple Reply (set to reply in HTML) shows you what's
> actually in the complete messages. A useful feature, IMO.
>
>
>>I think the latest security features in Outlook also provide something
>>like this, although I don't think it works in Outlook Express. They are
>>two products developed by different teams, apparently. Full headers in
>>Outlook is a real pain.
>
>
> I may have lost your meaning here, but OE does everything that's mentioned
> on this response fine, unless I missed something.
>
> Regards,
>
> Pop

Unfortunately OE does not handle Exchange Server mail.

From nobody at devnull.spamcop.net Tue Feb 8 13:55:48 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Feb 8 00:00:03 2005
Subject: [SpamCop-List] Re: Another new spammer trick...
In-Reply-To:
References:
Message-ID:

Brian (SnSR) wrote:
> Patto wrote:
>
>> ... to make reporting more difficult. Plain text message, with body
>> text only "See attachment message.html". The attachment is of course
>> a beautifully composed HTML document, which I have to open and extract
>> the source code, then paste it together with the email headers to report.
>>
>> 1. much more work to report
>> 2. I am exposing myself by opening the HTML doc
>>
>> Result:
>> http://www.spamcop.net/sc?id=z729531874z899ae1bcb2ae6ef83c0f89e623a61753z
>>
>> Any suggestions how these things should best be handled?
>
>
> Maybe I missed someone stating this. If you need to view source, right
> click on the attachment and save it to disk. Open with notepad.

You are right; I should have thought of that. But it's two more steps in the reporting process... Well, I will probably just quick-report them in the future.
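
The attachment source discussed in this thread can be read without ever rendering it. The sketch below is an added example, not part of the original posts: it uses Python's standard library to decode an HTML attachment as inert text, list the URLs it references, and join the headers with the decoded source for pasting. The sample message, its addresses and all function names are constructed for illustration.

```python
"""Read an HTML spam attachment as inert text: no rendering, no network access."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action", "background"}


class RefCollector(HTMLParser):
    """Record every URL-bearing attribute; nothing is fetched or executed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.refs = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value.strip()))


def decode_part(part):
    """Undo base64/quoted-printable and the charset, tolerating bogus labels."""
    data = part.get_payload(decode=True) or b""
    charset = part.get_content_charset() or "utf-8"
    try:
        return data.decode(charset, errors="replace")
    except LookupError:  # unknown charset name in the spam
        return data.decode("latin-1")


def inspect_message(raw):
    """Find HTML parts by MIME type or by file name and list what they reference."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        # The attachment may be mislabelled (e.g. application/octet-stream).
        if part.get_content_type() != "text/html" and \
                not name.lower().endswith((".htm", ".html")):
            continue
        source = decode_part(part)
        collector = RefCollector()
        collector.feed(source)
        collector.close()
        parts.append({"filename": name or "(inline)",
                      "source": source, "refs": collector.refs})
    return {"subject": str(msg.get("Subject", "")), "parts": parts}


def remote_hosts(report):
    """Host names the HTML would contact if it were opened in a browser."""
    hosts = set()
    for part in report["parts"]:
        for _tag, _attr, url in part["refs"]:
            try:
                host = urlsplit(url).hostname
            except ValueError:  # malformed URL, keep going
                continue
            if host:
                hosts.add(host.lower())
    return sorted(hosts)


def submission_text(raw):
    """Original header block plus decoded HTML source, as plain text for pasting."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("ascii", "replace")
    bodies = "\n\n".join(p["source"] for p in inspect_message(raw)["parts"])
    return head + "\n\n" + bodies


def constructed_sample():
    """Constructed message shaped like the one described in the thread."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Your order"
    msg.set_content("See attachment message.html")
    html = ('<html><body>'
            '<a href="http://shop.example.invalid/index.php?id=1">Buy</a>'
            '<img src="http://track.example.invalid/open.gif?u=42" width="1">'
            '</body></html>')
    msg.add_attachment(html.encode("utf-8"), maintype="application",
                       subtype="octet-stream", filename="message.html")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = constructed_sample()
    report = inspect_message(raw)
    for part in report["parts"]:
        print(part["filename"], part["refs"])
    print("hosts:", remote_hosts(report))
    print(submission_text(raw))
```

The `img` reference in the output is the kind of remote load that opening the attachment in a browser would trigger; reading it this way does not.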
From nobody at devnull.spamcop.net Mon Feb 7 22:13:27 2005 From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m) Date: Tue Feb 8 01:15:09 2005 Subject: [SpamCop-List] Re: Submitting by email takes hours? In-Reply-To: References: Message-ID: >> Submitting spam from COTSE.NET's Squirrelmail 'Report Spam' feature. >> >> Spam leaving their mailservers within minutes. >> >> However, counted at least a three hour delay between that and spamcop.net >> flagging them as ready for reporting. > > Spam forwarded by me today at 08:48:06 -0800 (PST) was returned for > processing 2 hours 23 minutes later at 19:10:54 GMT. More sent at 14:11:17 -0800 (PST) was returned for processing 3 hours 22 minutes later at 01:33:00 GMT. -- "[Spammers] are the mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class Mail industry." -- Dave Barry From drjohn at sueF***INGspammers.org Mon Feb 7 22:30:50 2005 From: drjohn at sueF***INGspammers.org (J.R.) Date: Tue Feb 8 01:35:04 2005 Subject: [SpamCop-List] Self-reporting e-mail links loading real slowwww Message-ID: Anybody else having this problem? From drjohn at sueF***INGspammers.org Mon Feb 7 22:40:28 2005 From: drjohn at sueF***INGspammers.org (J.R.) Date: Tue Feb 8 01:45:05 2005 Subject: [SpamCop-List] Re: Self-reporting e-mail links loading real slowwww References: Message-ID: Now it's coming back with: Gateway Timeout The proxy server did not receive a timely response from the upstream server. And I am not behind a proxy server. "J.R." wrote in message news:cu9ma7$scg$1@news.spamcop.net... > Anybody else having this problem? > > From tdy at blackhole.invalid Mon Feb 7 22:49:01 2005 From: tdy at blackhole.invalid (N. Miller) Date: Tue Feb 8 01:50:05 2005 Subject: [SpamCop-List] Re: Another new spammer trick... References: Message-ID: In article , Patto says... > Unfortunately OE does not handle Exchange Server mail. 
Unfortunately, some people are still using Exchange Server. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at devnull.spamcop.net Tue Feb 8 16:16:20 2005 From: nobody at devnull.spamcop.net (Patto) Date: Tue Feb 8 02:20:03 2005 Subject: [SpamCop-List] Re: Self-reporting e-mail links loading real slowwww In-Reply-To: References: Message-ID: J.R. wrote: > Anybody else having this problem? Everything is a bit slow right now. From e.streit at bluewin.ch Tue Feb 8 09:27:02 2005 From: e.streit at bluewin.ch (Ernst) Date: Tue Feb 8 03:30:02 2005 Subject: [SpamCop-List] Wrong originating IP Message-ID: Occasionally the parsing of SP seems to get confused. When I submitted the message of this SP report the first time, my ISP was identified as the originating IP. After cancelling the report and submitting the message again, the correct originating IP was identified. Ernst From nobody at nowhere.invalid Tue Feb 8 10:22:33 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Feb 8 04:25:08 2005 Subject: [SpamCop-List] Re: Another new spammer trick... References: Message-ID: On Tue, 08 Feb 2005 13:54:25 +0900, Patto coughed into spamcop and left this in : > Unfortunately OE does not handle Exchange Server mail. Well then, OE has at least *that* going for it :) -- Steve The most difficult years of marriage are those following the wedding. From jamieb_usenet at hotmail.com Tue Feb 8 04:23:03 2005 From: jamieb_usenet at hotmail.com (Jamie) Date: Tue Feb 8 04:25:33 2005 Subject: [SpamCop-List] No Reporting Address for 222.223.134.246 Message-ID: Hi can some one at spamcop.net please update the email addresses where the abuse complaints are sent to for this IP block. Right now there appears to be no contacts listed and abuse complaints are not being sent about this spammer.. 
When you are submitting a spam complaint it says there is no reporting Address

http://www.spamcop.net/sc?id=z729982491za77e8e027257b1756b84cb0fd4544d4ez

Resolving link obfuscation
http://sdlkfjdlkjsworld.com/index.php?id=173&affid=8754
host sdlkfjdlkjsworld.com (checking ip) = 222.223.134.246
host 222.223.134.246 (getting name) no name
Tracking link: http://sdlkfjdlkjsworld.com/index.php?id=173&affid=8754
[report history]
Resolves to 222.223.134.246
"whois 222.223.134.246@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
Lookup br3-ap@whois.apnic.net
"whois br3-ap@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
br3-ap =
Lookup ch93-ap@whois.apnic.net
"whois ch93-ap@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
ch93-ap =
whois.apnic.net 222.223.134.246 (nothing found)
host 222.223.134.246 (getting name) no name
No reporting addresses found for 222.223.134.246, using devnull for tracking.

02/08/05 04:13:53 whois 222.223.134.246@whois.apnic.net
whois -h whois.apnic.net 222.223.134.246 ...
% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 222.222.0.0 - 222.223.255.255
netname: CHINATELECOM-HE
descr: CHINANET hebei province network
descr: China Telecom
descr: No.31,jingrong street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: BR3-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINATELECOM-HE
mnt-routes: MAINT-CHINATELECOM-HE
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20040428
source: APNIC

person: Chinanet Hostmaster
address: No.31 ,jingrong street,beijing
address: 100032
country: CN
phone: +86-10-66027112
fax-no: +86-10-58501144
e-mail: hostmaster@ns.chinanet.cn.net
e-mail: anti-spam@ns.chinanet.cn.net
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: hostmaster@ns.chinanet.cn.net 20021016
remarks: hostmaster is not for spam complaint,please send spam complaint to anti-spam@ns.chinanet.cn.net
source: APNIC

person: Bin Ren
nic-hdl: BR3-AP
e-mail: renbin@mail.he.cn
address: 10F Ximei Building NO.6 Jianshe South Street
address: Shijiazhuang 050011 China
phone: +86-311-5211551
fax-no: +86-311-5211578
country: CN
changed: renbin@mail.he.cn 20040430
mnt-by: MAINT-CHINATELECOM-HE
source: APNIC

02/08/05 04:17:38 Abuse address lookup for cn.net
whois -h whois.abuse.net cn.net ...
postmaster@cn.net (for cn.net)
ctsummary@special.abuse.net (for cn.net)
anti-spam@chinanet.cn.net (for cn.net)

Complaints should go to
postmaster@cn.net
ctsummary@special.abuse.net
anti-spam@chinanet.cn.net
hostmaster@ns.chinanet.cn.net
renbin@mail.he.cn

Can some one at spamcop.net please update this so the abuse complaints can be sent

Thanks,
Jamie
--
For newsgroups and email this message is the property of the sender. NO portion of this message may be copied or reposted without my written consent. The message may not be altered in any way with out written permission. Copyright © 2003 - 2004 by Jamie

From nobody at nowhere.invalid Tue Feb 8 10:27:22 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Feb 8 04:30:04 2005
Subject: [SpamCop-List] Re: Submitting by email takes hours?
References:
Message-ID:

On Mon, 07 Feb 2005 22:13:27 -0800, LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m coughed into spamcop and left this in :

> More sent at 14:11:17 -0800 (PST) was returned for processing 3 hours 22
> minutes later at 01:33:00 GMT.
Those of you who also have SC e-mail accounts can simply set up a SpamCop IMAP account in your mailers and drag/drop the spam into the "held mail" folder.

--
Steve
Do molecular biologists wear designer genes?

From korhojy at POISSPAMMIThotmail.com Tue Feb 8 11:36:29 2005
From: korhojy at POISSPAMMIThotmail.com (Jyri Korhonen)
Date: Tue Feb 8 04:40:04 2005
Subject: [SpamCop-List] Re: Submitting by email takes hours?
References:
Message-ID:

"LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m" wrote:
>> Spam forwarded by me today at 08:48:06 -0800 (PST) was returned for
>> processing 2 hours 23 minutes later at 19:10:54 GMT.
>
> More sent at 14:11:17 -0800 (PST) was returned for processing 3 hours 22
> minutes later at 01:33:00 GMT.

My latest quick reporting replies indicate a five hour turn-around time:

Sent        Reply
01:30 GMT   06:28 GMT
02:06 GMT   07:03 GMT
02:23 GMT   07:33 GMT

From pantheus at suespammers.org Tue Feb 8 01:51:20 2005
From: pantheus at suespammers.org (Ken Knull)
Date: Tue Feb 8 04:51:30 2005
Subject: [SpamCop-List] Re: A small success!! :-)
References:
Message-ID:

On Mon, 07 Feb 2005 15:18:36 +0000, John Dawson wrote:

> From: Sympatico Abuse Subject: Re: Eid Al-Ghadeer
> Al-Mubarak Season (fwd) (KMM10800120V81324L0KM)
>
> The situation you have brought to our attention has been investigated and
> treated by a member of our staff. We have enforced our AUP(Acceptable Use
> Policy) against the offending account.

Interpretation: The customer's check bounced, so he'll need to steal a credit card to get reinstated.

From ross at ross.orq Tue Feb 8 04:24:03 2005
From: ross at ross.orq (Peter J. Ross)
Date: Tue Feb 8 06:20:03 2005
Subject: [SpamCop-List] Re: No Reporting Address for 222.223.134.246
References:
Message-ID:

"Jamie" wrote:

Test.
-- PJR From MikeE at ster.invalid Tue Feb 8 04:56:31 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 8 08:00:04 2005 Subject: [SpamCop-List] Re: No Reporting Address for 222.223.134.246 References: Message-ID: Jamie wrote: > Hi can some one at spamcop.net please update the email addresses > where the abuse complaints are sent to for this IP block. > Right now there appears to be no contacts listed and abuse > complaints are not being sent about this spammer.. > When you are submitting a spam complaint it says there is no > reporting Address > "whois 222.223.134.246@whois.apnic.net" (Getting contact from > whois.apnic.net mirror) > No reporting addresses found for 222.223.134.246, using devnull for > tracking. SC's apnic mirror is or was earlier today [is still] 'b0rken' or incomplete, ie it doesn't show all of the apnic information, and it doesn't return anything for the nic-hdl information in apnic. As a result, many or all of the apnic notifies have no accessible apnic notify, and there is no independently deputy entered routing information. This has been posted and discussed by non-deputies in spamcop.routing.and also in 'Strange IP Shenanigans' here. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Feb 8 05:16:07 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 8 08:20:03 2005 Subject: [SpamCop-List] Re: nomaster found confection8fossilized.com References: Message-ID: nospam wrote: > I've been watching the spamvertized sites > on stats after submissions, I almost never see the ones I've > submitted, so the list that some are fetching from the stats page is > filtered or weighted in some way, and in no way complete, the numbers > should give that away anyhow. > > If there are some 5 or more reports per second and say 10% are > reporting spamvertized sites, then in 1/2 an hour there should be way > more sites than are listed there. 
I don't know what the stats page is showing on the spamvertised websites page http://www.spamcop.net/w3m?action=inprogress;type=www which sez Abuse report sent to and Reported web site. That is, I know what it is saying, but I don't know where it is getting it and what it is leaving out. And I think I think it should be done differently. I think, but I'm not sure, that I believe that the stats page should be 'showing' every link whether it was reported or not. If it was not reported by the reporter because all was unchecked, then if the page /must/ say 'abuse report sent to' then that can say devnull or something. I think that because I think there is a difference between calling something a spamsource and calling something a spam which also contains URLs. That is, if a reporter unchecks all of the notifies for a source, then it shouldn't be considered a source in terms of the spamcop blocklist; but if a reporter unchecks all of the notifies for a spamvertised site, then the site should still be published on the statistics page. There is currently consequence if spamcop reports a source. There is currently no consequence if spamcop reports a spamvertiser except for the consequence of sc-surbl seeing it on the stats page. sc-surbl has a variety of its own internal methodology to handle the issues of innocent bystanders and such, so I think the stats page can include the innocent bystanders who have been 'unreported' by the spamcop reporter as well as the guilty spamvertisers who may have been unreported by the reporter. I think there are reporters who would like to be the equivalent of moles as regards spamvertisers, but are willing to be simply spamcop munged as regards spamsources. Those reporters are going to be unchecking all of the notifies to 'undesirable' spamvertiser providers, but it would be good if sc-surbl picked them up anyway. 
-- Mike Easter kibitzer, not SC admin From TJLWBECGSGWU at spammotel.com Tue Feb 8 13:54:12 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Tue Feb 8 08:55:04 2005 Subject: [SpamCop-List] Re: Submitting by email takes hours? In-Reply-To: References: Message-ID: Aaron Lawrence wrote: > > Mathew Hendry wrote: > >> It looks to me like the vast majority of reports come from spamtraps >> anyway. The stats below are recent aggregates for my current ISP, and >> typical of what I see. Very few of them consist only of user reports, >> and very few of *those* are enough in themselves to result in a >> listing (2 or more independent reports). Spamtrap reports are much >> more numerous and more trusted. > > Is that typical? It's typical for my ISP, which I'm assuming is a typical consumer ISP. Truly blackhat ISPs might show different abuse patterns. -- Mat. From skiwi at spamcop.net Tue Feb 8 07:19:46 2005 From: skiwi at spamcop.net (Skiwi) Date: Tue Feb 8 10:20:11 2005 Subject: [SpamCop-List] Re: Another new spammer trick... In-Reply-To: References: Message-ID: Patto wrote: [snap] > > > Unfortunately OE does not handle Exchange Server mail. > OE doesn't do IMAP? (I use Mozilla at work, and that that is how I get around NOT using Outlook XP to get my email...) From nobody at spamcop.net Tue Feb 8 19:40:12 2005 From: nobody at spamcop.net (nospam) Date: Tue Feb 8 10:45:07 2005 Subject: [SpamCop-List] Re: nomaster found confection8fossilized.com References: Message-ID: in article cuae14$dd7$1@news.spamcop.net, Mike Easter at MikeE@ster.invalid wrote on 2/8/05 5:16 PM: > nospam wrote: >> I've been watching the spamvertized sites >> on stats after submissions, I almost never see the ones I've >> submitted, so the list that some are fetching from the stats page is >> filtered or weighted in some way, and in no way complete, the numbers >> should give that away anyhow. 
>>
>> If there are some 5 or more reports per second and say 10% are
>> reporting spamvertized sites, then in 1/2 an hour there should be way
>> more sites than are listed there.
>
> I don't know what the stats page is showing on the spamvertised websites
> page http://www.spamcop.net/w3m?action=inprogress;type=www which sez
> Abuse report sent to and Reported web site. That is, I know what it is
> saying, but I don't know where it is getting it and what it is leaving
> out. And I think I think it should be done differently.

For example just now there are 45 issues and 26 recipients for the past half hour, looking at those 46 issues, it is plain many are from the same spam, there is URL/?some/php and URL/unsub etc. so at a glance I would say there are no more than 23 spams represented.

Now according to spamstats (whatever they count) there were 6 reports submitted per second (let's take 4 to be conservative, the low for the day). That means that 4*60*30 spams were submitted in the past half hour which is 7200 spams, so we get a ratio of 23/7600 or 1/300, more or less, spams reported versus websites posted.

Now, some submitted spams are never consummated, some are probably "quick" or VER reports, some don't have URL payloads, but that seems like an astonishingly low ratio. Since reports sent tracks the magnitude of spam submitted, I don't think spamtraps are in the count. So, I conclude that what we see in the stats page for spamvertized web sites is merely the very tip of the spamberg.

From MikeE at ster.invalid Tue Feb 8 07:44:23 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 10:45:28 2005
Subject: [SpamCop-List] Re: Another new spammer trick...
References:
Message-ID:

Skiwi wrote:
> OE doesn't do IMAP?

OE IMAPs.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Feb 8 07:59:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 8 11:00:05 2005 Subject: [SpamCop-List] Re: nomaster found confection8fossilized.com References: Message-ID: nospam wrote: > Now, some submitted spams are never consumated, some are probably > "quick" or VER reports, some don't have URL payloads, but that seems > like an astonishingly low ratio, Since reports sent tracks the > magnitude of spam submitted, I don't think spamtraps are in the > count. So, I conclude that what we see in the stats page for > spamvertized web sites is merely the very tip of the spamberg. Definitely the quick and spamtraps aren't surveyed; and maybe the proportion of quick and spamtrap items to reported spamvertised items is a very large number. I also think there are reporters who don't want to report to spamvertiser providers. Perhaps a significant number. I think the parser should provide a devnull 'address' as one option for every spamvertised url, so that the reporters can check that instead of notifying the spamvertiser provider. -- Mike Easter kibitzer, not SC admin From jld1 at cam.ac.uk Tue Feb 8 16:01:13 2005 From: jld1 at cam.ac.uk (John Dawson) Date: Tue Feb 8 11:05:09 2005 Subject: [SpamCop-List] webmanshop.com (still!) and tiscali.fr Message-ID: HAH - lies, damn lies, and statistics ... ========================== How can we deal with the b*st*rds? ========================== Tracking link: http://www.webmanshop.com [report history] ISP believes this issue is resolved http://www.webmanshop.com Resolves to 212.83.150.40 Routing details for 212.83.150.40 [refresh/show] Cached whois for 212.83.150.40 : abuse@tiscali.fr ripe-mnt@net.tiscali.fr Using abuse net on abuse@tiscali.fr abuse net tiscali.fr = abuse@tiscali.fr Using best contacts abuse@tiscali.fr ISP has already taken action against the account: http://www.webmanshop.com http://www.webmanshop.com has been appealed previously. 
========================== So tiscali.fr are liars, like most of the other tiscali ISPs? From MikeE at ster.invalid Tue Feb 8 08:13:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 8 11:15:04 2005 Subject: [SpamCop-List] Re: webmanshop.com (still!) and tiscali.fr References: Message-ID: John Dawson wrote: > How can we deal with the b*st*rds? > Using best contacts abuse@tiscali.fr > So tiscali.fr are liars, like most of the other tiscali ISPs? tiscali.fr upstream is tiscali intntl abuse@ip.tiscali.net The IP isn't spewed or spamhaused. You would do a manual report and include the intntl addy in addition to .fr. -- Mike Easter kibitzer, not SC admin From A_no.spam_Haumer at gmx.net Tue Feb 8 17:53:19 2005 From: A_no.spam_Haumer at gmx.net (Anton Haumer) Date: Tue Feb 8 11:55:04 2005 Subject: [SpamCop-List] slow response Message-ID: <4208EE7F.C998CF11@gmx.net> why is reporting since yesterday so extremely slow? I'm submitting spam via email, but reporting takes extremely long ... Toni From eddie at eddie.web Tue Feb 8 12:13:18 2005 From: eddie at eddie.web (eddie) Date: Tue Feb 8 12:15:03 2005 Subject: [SpamCop-List] Re: Strange IP Shenanigans References: Message-ID: On Mon, 07 Feb 2005 16:51:56 +0400, Berny scratched out the following: snip > Too bad the "shock and awe" wasn;t applied to Chinanet, GDDC, CRC, and > CNC_NOC instead of Baghdad That might have caused major problems for Wal-Mart :) From noah.boddie at newsgroup.nospam Tue Feb 8 12:32:27 2005 From: noah.boddie at newsgroup.nospam (Dwayne Conyers) Date: Tue Feb 8 12:35:39 2005 Subject: [SpamCop-List] A thought Message-ID: I read that of the billions of spam that flood the net, only 4% reap results in the form of some person purchasing what was being sold. I wonder why not just mail those four-percenters rather than bombard those of us who aren't that stupid and why use our domains as reply addresses to retaliate against reporting them? Well... anyway... off my soap box. 
--
dwacon
spampire slayer
www.dwacon.com

From nobody at devnull.spamcop.net Tue Feb 8 09:32:52 2005
From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m)
Date: Tue Feb 8 12:36:14 2005
Subject: [SpamCop-List] Re: Submitting by email takes hours?
In-Reply-To:
References:
Message-ID:

Jyri Korhonen wrote:

> My latest quick reporting replies indicate
> a five hour turn-around time:
>
> Sent Reply
> 01:30 GMT 06:28 GMT
> 02:06 GMT 07:03 GMT
> 02:23 GMT 07:33 GMT

received from me: 07 Feb 2005 22:01:42 -0800
response sent: 08 Feb 2005 11:25:58 GMT
elapsed time: 5 hours 24 minutes

--
"[Spammers] are the mutant spawn of a bizarre reproductive act involving a telemarketer, Larry Flynt, a tapeworm, and an executive of the Third Class Mail industry." -- Dave Barry

From sommerfeld at hamachi.org Tue Feb 8 12:49:38 2005
From: sommerfeld at hamachi.org (Bill Sommerfeld)
Date: Tue Feb 8 12:50:04 2005
Subject: [SpamCop-List] Re: slow response
In-Reply-To: <4208EE7F.C998CF11@gmx.net>
References: <4208EE7F.C998CF11@gmx.net>
Message-ID:

Anton Haumer wrote:
> why is reporting since yesterday so extremely slow?

It's been getting slower over the past few days; the symptoms are consistent with congestive collapse.. which can result simply from the processing throughput being a little lower than the arrival rate .. the queues build up over time.

- Bill

From luddite63 at yahoo.com Tue Feb 8 13:01:54 2005
From: luddite63 at yahoo.com (Sagesse)
Date: Tue Feb 8 13:05:04 2005
Subject: [SpamCop-List] Re: Empty spam
In-Reply-To:
References:
Message-ID:

lebrad wrote:
> I seem to be receiving a lot of spam with no subject and no content. Why
> would someone want to send me spam with no message?

I always assumed they were hoping you'd reply so they could confirm your address, but I have no evidence for that.
From nobody at devnull.spamcop.net Tue Feb 8 13:24:57 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Feb 8 13:26:15 2005
Subject: [SpamCop-List] Re: Empty spam
References:
Message-ID:

"Sagesse" wrote in message news:cuauqh$nr7$1@news.spamcop.net...
> lebrad wrote:
>> I seem to be receiving a lot of spam with no subject and no content. Why
>> would someone want to send me spam with no message?
>
> I always assumed they were hoping you'd reply so they could confirm your
> address, but I have no evidence for that.

The spammers get a few things out of it:
1 No bounce; address is real and worth money
2 Wrote to ask what's up; and, it's active! Worth more money yet
3 Bounces back; no such address, take it off the list or try again later
4 Sell the list to other spammers.

IMO

Pop

From MikeE at ster.invalid Tue Feb 8 10:39:48 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 8 13:40:08 2005
Subject: [SpamCop-List] Re: Empty spam
References:
Message-ID:

Pop wrote:
> The spammers get a few things out of it:
> 1 No bounce; address is real and worth money
> 2 Wrote to ask what's up; and, it's active! Worth more money yet
> 3 Bounces back; no such address, take it off the list or try again
> later 4 Sell the list to other spammers.
Except:
- I don't think many spammers 'manage' their lists, ie remove addies
- The vast majority of spam goes out from proxy/trojans, no bounce
- so, very few spammers will ever see a bounce or do anything about it

I do think that:
- a list of people who believe their spam, which is indicated by opening it, clicking on it, responding to removes, etc is more valuable than a list of 'mixed up' live addies and dead addies, respondents and non-respondents, believers and disbelievers
- spammers buy and sell and trade various lists to each other

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue Feb 8 19:09:43 2005
From: nobody at spamcop.net (Heidi)
Date: Tue Feb 8 14:10:07 2005
Subject: [SpamCop-List] Hi
Message-ID:

hi, I'm a girl who just made her own website :) This whole semester I felt like I want to do something I've never done before.. friend suggested to finally make a site about me, and what I do everyday. It's neet how my private life is inside one website ;) Verify your age and connect to my webcam today -) Hope you'll anjoy my new hobby as much as I do :)

From boom at boom.boom Tue Feb 8 15:05:27 2005
From: boom at boom.boom (Boom-Boom)
Date: Tue Feb 8 15:10:04 2005
Subject: [SpamCop-List] Re: A thought
References:
Message-ID:

"Dwayne Conyers" wrote:

> I read that of the billions of spam that flood the net, only 4% reap
> results in the form of some person purchasing what was being sold.
>
> I wonder why not just mail those four-percenters rather than bombard those
> of us who aren't that stupid and why use our domains as reply addresses to
> retaliate against reporting them?
>
> Well... anyway... off my soap box.

And your plan for locating those 4% would be?........ St00pid git.

From lise.tr372 at videotron.ca Tue Feb 8 15:45:02 2005
From: lise.tr372 at videotron.ca (Lise)
Date: Tue Feb 8 15:45:05 2005
Subject: [SpamCop-List] Submitted about 8 Spam, but didn't get any reports...
Message-ID: hello, I don't know if something has changed since yesterday or if I sent something I shouldn't have today, because I submitted some Spam today, (after checking if it was something acceptable to send), but didn't get even ONE spam to report... I tried to check the "black list", but got discouraged.. Did Spamcop stopped reporting spam received in Yahoo mail ? Lise From lise.tr372 at videotron.ca Tue Feb 8 15:47:28 2005 From: lise.tr372 at videotron.ca (Lise) Date: Tue Feb 8 15:50:07 2005 Subject: [SpamCop-List] Re: Self-reporting e-mail links loading real slowwww References: Message-ID: "J.R." wrote in message news:cu9ma7$scg$1@news.spamcop.net... > Anybody else having this problem? ================== yes, depending on time of day, sometimes it's r-e-a-l-l-y loooooong to loooooaaaad > Lise > From MikeE at ster.invalid Tue Feb 8 13:02:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Feb 8 16:05:05 2005 Subject: [SpamCop-List] Re: Submitted about 8 Spam, but didn't get any reports... References: Message-ID: Lise wrote: > I submitted some Spam > today, (after checking if it was something acceptable to send), but > didn't get even ONE spam to report... > Did Spamcop stopped reporting spam received in Yahoo mail ? Presumably your method of submitting the spam from yahoo mail was by forwarding as attachment to the submit address as described at http://www.spamcop.net/fom-serve/cache/23.html Yahoo Mail Then you would await the return of the spamcop mail which would contain the links to report the spam; which woul