From driehuis.fcnzpbc2005 at playbeing.com Tue Feb 1 01:50:51 2005
From: driehuis.fcnzpbc2005 at playbeing.com (Bert Driehuis)
Date: Mon Jan 31 19:55:07 2005
Subject: [SpamCop-List] Re: Cogentco??
In-Reply-To:
References: <2370-41FC31B7-594@storefull-3251.bay.webtv.net>
Message-ID:

Pete Stephenson wrote:
> I'm curious what other sources of information you may have access to in
> order to make that determination. I rarely post to "spamcop" anymore,
> and tend to stick to .geeks and .social when I must post.

I often do a better job of mentally imaging the players before coming with nasty accusations :-) It's done using ancient crafts called "reading up" and "pondering", by the way. They're slowly falling by the wayside, together with proofreading, and I can't complete escape progress either.

From bll at seer.gentoo.com Tue Feb 1 01:09:59 2005
From: bll at seer.gentoo.com (Brad Lanam)
Date: Mon Jan 31 20:10:08 2005
Subject: [SpamCop-List] Re: gaoland.net vs 80.119.115.158
References:
Message-ID:

In article , Dar wrote:
> Too funny!
>
> Parsing input: gaoland.net
> host gaoland.net (checking ip) ip not found ; gaoland.net discarded as fake.
> No recent reports, no history available
>
> Cannot resolve gaoland.net
> No valid email addresses found, sorry!
> [...]
> Parsing input: 80.119.115.158
> host 80.119.115.158 = 158.115.119-80.rev.gaoland.net. (cached)

There's nothing anywhere that says that the top-level domain must have an A record w/IP address assigned to it. Perfectly normal setup. Helps reduce the number of people trying to poke holes in your server(s).

e.g.
www:bll$ host gentoo.com
# no ip address
www:bll$ host -t mx gentoo.com
gentoo.com mail is handled by 2 mail.gentoo.com.
www:bll$ host mail.gentoo.com
mail.gentoo.com has address 64.169.54.66
www:bll$

-- Brad
--
-- Brad Lanam bll@gentoo.com

From pete+usenet at heypete.com Tue Feb 1 00:10:19 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Tue Feb 1 03:38:21 2005
Subject: [SpamCop-List] Re: Cogentco??
References: <2370-41FC31B7-594@storefull-3251.bay.webtv.net>
Message-ID:

In article , "Indigo" wrote:
> Certain folks in .social would consider you a (gu)nutcase though ;-)

I originally parsed that as "GNUnutcase", and was wondering when insanity went open-source. :-P

--
Pete Stephenson
HeyPete.com

From mtszorf at netvision.net.il Tue Feb 1 12:16:40 2005
From: mtszorf at netvision.net.il (Maurice Tszorf)
Date: Tue Feb 1 05:20:31 2005
Subject: [SpamCop-List] address blocked
Message-ID:

Hi,

I am new to this forum.

I am confronted with constant blocking of my email addresses. It started when I began using it for a mailing list. I can receive mails, but I cannot send off a single mail, no matter to what destination, for some 24 hours, after which the block sets in again the minute I send a message to the mailing list.

This is tyranny. I need the email for business, and I would like to know how I can prevent being blocked constantly.

Thanks,
Maurice

From porpoise1954 at yahoo.co.uk Tue Feb 1 10:43:51 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 05:50:05 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Maurice Tszorf" wrote in message news:ctnl14$8jn$1@news.spamcop.net...
> Hi,
>
> I am new to this forum.
>
> I am confronted with constant blocking of my email addresses. It started
> when I began using it for a mailing list. I can receive mails, but I
> cannot send off a single mail, no matter to what destination, for some 24
> hours, after which the block sets in again the minute I send a message to
> the mailing list.

Sounds like the list may not be complying with best practice in some way and is therefore finding itself on bl's but there is insufficient information here to be able to determine what the problem is.

>
> This is tyranny. I need the email for business, and I would like to know
> how I can prevent being blocked constantly.

Ensure that you are not sending mails to people who didn't request them.

From porpoise1954 at yahoo.co.uk Tue Feb 1 10:55:54 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 06:00:07 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Porpoise" wrote in message news:ctnmkf$9hh$1@news.spamcop.net...
>
> "Maurice Tszorf" wrote in message
> news:ctnl14$8jn$1@news.spamcop.net...
>> Hi,
>>
>> I am new to this forum.
>>
>> I am confronted with constant blocking of my email addresses. It started
>> when I began using it for a mailing list. I can receive mails, but I
>> cannot send off a single mail, no matter to what destination, for some 24
>> hours, after which the block sets in again the minute I send a message to
>> the mailing list.
>
> Sounds like the list may not be complying with best practice in some way
> and is therefore finding itself on bl's but there is insufficient
> information here to be able to determine what the problem is.
>
>>
>> This is tyranny. I need the email for business, and I would like to know
>> how I can prevent being blocked constantly.
>
> Ensure that you are not sending mails to people who didn't request them.
>

Here's a pointer to some further information which may be helpful:

http://www.outblaze.com/main.php?id=antispam&page=anti_ident

In particular, the section on "Poorly managed mailing lists" may be of particular significance.

From MikeE at ster.invalid Tue Feb 1 03:00:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 06:00:13 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

Maurice Tszorf wrote:
> I am confronted with constant blocking of my email addresses. It
> started when I began using it for a mailing list. I can receive
> mails, but I cannot send off a single mail, no matter to what
> destination, for some 24 hours, after which the block sets in again
> the minute I send a message to the mailing list.

The only way we can talk about some mail which is blocked is to talk about the IP address which is being blocked.

> I would like to
> know how I can prevent being blocked constantly.

You haven't given useful information yet, so I'll try your nntp IP address.

Your nntp posting host is 85-64-66-198.barak.net.il IP address 85.64.66.198

http://www.spamcop.net/w3m?action=checkblock&ip=85.64.66.198
85.64.66.198 listed in bl.spamcop.net
-- System has sent mail to SpamCop spam traps in the past week
-- SpamCop users have reported system as a source of spam less than 10 times in the past week

85.64.66.198 is also listed in cbl^1 and some other blocklists besides SC. The cbl listing causes you to be spamhaus listed on the spamhaus XBL.

^1 The CBL takes its source data from very large spamtraps, and only lists IPs exhibiting characteristics which are specific to open proxies of various sorts (HTTP, socks, AnalogX, wingate etc) which have been abused to send spam, worms/viruses that do their own direct mail transmission, or some types of trojan-horse or "stealth" spamware, without doing open proxy tests of any kind.

I would say that your mail is being blocked because its IP address has been associated with mail/spam from that IP hitting spamtraps and thus becoming blocklisted by several important blocklists which are popular as spam defenses. When your IP is listed, your mail will be blocked by those defenses.

There's also an example of a spam from that IP in sightings which I've run through the SC parser to provide for an example here

www.spamcop.net/sc?id=z727355563za1f4432282e2cb21dd5126cebbf13b37z
Subject: Experts are jumping all over this st0ck
Report Spam to:
Re: 85.64.66.198 (Administrator of network where email originates)
To: abuse@013barak.net.il (Notes)

So, your IP appears to be an abused proxy being used for pump&dump stock spams and people don't want to get mail from it so they block the mail from that IP which causes your mail to be blocked.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Tue Feb 1 11:04:12 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 06:10:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Porpoise" wrote in message news:ctnnb2$9v9$1@news.spamcop.net...
>
> "Porpoise" wrote in message
> news:ctnmkf$9hh$1@news.spamcop.net...
>>
>> "Maurice Tszorf" wrote in message
>> news:ctnl14$8jn$1@news.spamcop.net...
>>> Hi,
>>>
>>> I am new to this forum.
>>>
>>> I am confronted with constant blocking of my email addresses. It started
>>> when I began using it for a mailing list. I can receive mails, but I
>>> cannot send off a single mail, no matter to what destination, for some
>>> 24 hours, after which the block sets in again the minute I send a
>>> message to the mailing list.
>>
>> Sounds like the list may not be complying with best practice in some way
>> and is therefore finding itself on bl's but there is insufficient
>> information here to be able to determine what the problem is.
>>
>>>
>>> This is tyranny. I need the email for business, and I would like to know
>>> how I can prevent being blocked constantly.
>>
>> Ensure that you are not sending mails to people who didn't request them.
>>
>
> Here's a pointer to some further information which may be helpful:
>
> http://www.outblaze.com/main.php?id=antispam&page=anti_ident
>
> In particular, the section on "Poorly managed mailing lists" may be of
> particular significance.

Here's another useful site for ensuring that mailing lists are run correctly:

http://www.mail-abuse.com/support/an_listmgntgdlines.html

From MikeE at ster.invalid Tue Feb 1 03:24:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 06:25:02 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

Mike Easter wrote:
> 85.64.66.198 listed in bl.spamcop.net

A similar IP is 85.64.65.230 also listed in spamcop & cbl for proxified spamtrapping. They are both going crazy with mail activity as evidenced at senderbase

Report on IP address: 85.64.65.230
Volume Statistics for this IP
           Magnitude   Vol Change vs. Average
Last day   3.9         10185%
Last 30d   2.9         791%
Average    1.9

Report on IP address: 85.64.66.198
Volume Statistics for this IP
           Magnitude   Vol Change vs. Average
Last day   3.8         15118%
Last 30d   2.6         779%
Average    1.7

Use monofont for columns

The two stock items in sightings like the one I posted here actually went from the source IP out the barak server with lots of bogosity:

www.spamcop.net/sc?id=z727355563za1f4432282e2cb21dd5126cebbf13b37z

Abbreviated Received lines *comment
from (mtain3.barak.net.il [212.150.49.74]) by mail.nwsup.com *serves recipient
from barak.net.il ([85.64.66.198]) by mtain3.barak.net.il *sourceline, index IP
from (HELO smtp.mixedthings.net) (181.137.80.89) by group21.345mail.com *bogosity
from unknown (111.111.104.45) by mxs.perenter.com *bogosity
from ([191.183.16.26]) by mxs.perenter.com *bogosity
from mts.locks.grgtween.net ([158.8.99.73]) by mts.locks.grgtween.net *bogosity

--
Mike Easter
kibitzer, not SC admin

From ng at bgdsv.co.uk Tue Feb 1 12:03:03 2005
From: ng at bgdsv.co.uk (Brian Gregory [UK])
Date: Tue Feb 1 07:05:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

It's not clear to me exactly what you mean by "using it for a mailing list".

--
Brian Gregory. (In the UK)
ng@bgdsv.co.uk
To email me remove the letter vee.

From D.Gray at picture.oscar.wilde Tue Feb 1 14:35:03 2005
From: D.Gray at picture.oscar.wilde (Dorian Gray)
Date: Tue Feb 1 09:35:03 2005
Subject: [SpamCop-List] Re: Spamcop Statistics
References:
Message-ID:

In article , "WazoO" wrote:
> "Dorian Gray" wrote in message
> news:D.Gray-61C9F0.18084531012005@news.cesmail.net...
> > In article ,
> > "WazoO" wrote:
> >
> > > "Edward D. Thompson" wrote in message
> > > news:pan.2005.01.28.17.36.30.159767@cyrix.ed-thompson.org...
> > > >
> > > > Does anyone understand the behavior of the Spamcop statistics?
> > > >
> > > > http://mailsc.spamcop.net/spamgraph.shtml?spamyear
> > >
> > > Julian .... those charts track whatever he's got them pointed to,
> > > and what's behind that curtain has been described in the past
> > > as "not for public discussion" ...
> >
> > Been described in the past, by whom? I only recall WazoO saying such
> > things as "not for public discussion".
>
> Dialog between Julian, Don, Deputies and myself have included
> facts and conditions described as "not for public discussion" ...

What dialog? Described by whom? Show me. Or do you mean you have off-newsgroup conversations with Julian etc., which you cannot tell us about, and that you then like to tell us that you can't tell us about? Frankly, if that's the case, I'd like to hear it from someone from Spamcop. Your unhelpful help is so vague WazoO as to seem implausible.

From porpoise1954 at yahoo.co.uk Tue Feb 1 15:05:35 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 10:10:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Brian Gregory [UK]" wrote in message news:ctnr5s$cm2$1@news.spamcop.net...
> It's not clear to me exactly what you mean by "using it for a mailing
> list".
>
> --
>

Who are you addressing? It's usually helpful to include a snippet of what you are replying to, in order to give it some context.

From firewoman at default.domain.not.available Tue Feb 1 10:15:06 2005
From: firewoman at default.domain.not.available (Firewoman)
Date: Tue Feb 1 10:15:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Porpoise" wrote in message news:cto5v8$j8b$1@news.spamcop.net...
>
> "Brian Gregory [UK]" wrote in message
> news:ctnr5s$cm2$1@news.spamcop.net...
>> It's not clear to me exactly what you mean by "using it for a mailing
>> list".
>>
>> --
>>
>
> Who are you addressing? It's usually helpful to include a snippet of what
> you are replying to, in order to give it some context.

In a standard newsreader, you can see that he is replying to the OP. The snippet is in "quotations" instead of >>.

From porpoise1954 at yahoo.co.uk Tue Feb 1 15:14:47 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Feb 1 10:20:05 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Firewoman" wrote in message news:cto69i$jit$1@news.spamcop.net...
> "Porpoise" wrote in message
> news:cto5v8$j8b$1@news.spamcop.net...
>>
>> "Brian Gregory [UK]" wrote in message
>> news:ctnr5s$cm2$1@news.spamcop.net...
>>> It's not clear to me exactly what you mean by "using it for a mailing
>>> list".
>>>
>>> --
>>>
>>
>> Who are you addressing? It's usually helpful to include a snippet of what
>> you are replying to, in order to give it some context.
>
>
> In a standard newsreader, you can see that he is replying to the OP. The
> snippet is in "quotations" instead of >>.

That wasn't the point. It's still good netiquette to give some context to which you are replying. For those that like to "hide" headers for read messages it's a pain to have to hunt back.

From nobody at spamcop.net Tue Feb 1 08:43:51 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Feb 1 11:40:02 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

"Mike Easter" wrote in message news:ctnnf9$a4u$1@news.spamcop.net...
> Maurice Tszorf wrote:
> > I am confronted with constant blocking of my email addresses. It
> > started when I began using it for a mailing list. I can receive
> > mails, but I cannot send off a single mail, no matter to what
> > destination, for some 24 hours, after which the block sets in again
> > the minute I send a message to the mailing list.
>
> The only way we can talk about some mail which is blocked is to talk
> about the IP address which is being blocked.
>
> > I would like to
> > know how I can prevent being blocked constantly.
>
> You haven't given useful information yet, so I'll try your nntp IP
> address.
>
> Your nntp posting host is 85-64-66-198.barak.net.il IP address
> 85.64.66.198

Virus/worm infestation and spewing direct to mx.
There are other IPs in the /16 listed, also spewing direct to mx. The spams are the usual pills/stocks/rolex/etc. Most of the listings are recent -- in the last 24-48 hours and obviously barak has done nothing about filtering port 25. As the spew is recent I suspect that barak haven't had time to hunt down the compromised and do anything about them yet.

That said there is no telling what blocklists the admin of the listserver is using.

Ellen

From MikeE at ster.invalid Tue Feb 1 09:21:56 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 12:25:04 2005
Subject: [SpamCop-List] OT Spamalot
Message-ID:

Broadway will have a 'new musical ripoff' of the movie Monty Python and the Holy Grail called 'Monty Python's Spamalot' by Eric Idle starting Feb 14 http://www.montypythonsspamalot.com/

In 'celebration' of Spamalot's opening, Hormel will produce a collector's edition SPAM product - golden honey grail - http://media.hormel.com/templates/knowledge/knowledge.asp?catitemid=2&id=268

The Hormel PR was more interesting to me than the Register article below.

But Hormel lost their trademark infringement suit against Spambuster.

All of the above described recently in the Register http://www.theregister.co.uk/2005/01/31/spam_ruling/

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 1 09:45:17 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 12:45:02 2005
Subject: [SpamCop-List] Re: OT Spamalot
References:
Message-ID:

Mike Easter wrote:
> Broadway will have a 'new musical ripoff' of the movie Monty Python
> and the Holy Grail called 'Monty Python's Spamalot' by Eric Idle
> starting Feb 14 http://www.montypythonsspamalot.com/

The book was by Eric Idle. The musical is directed by Mike Nichols. The Broadway situation follows the Chicago Dec-Jan performances just finishing.

Why Hormel doesn't have a pic of the commemorative collectors' edition can^1 at their site is beyond me.

^1 The SPAMT golden honey grail will be available, in limited quantities as of February 2005 at select New York City retailers, including Broadway merchandise stores and the Shubert Theatre merchandise kiosks. The can features SPAMALOT graphics and characters from the new musical and instructions in "SPAMALOT-ese" on how to "cooketh" SPAM?.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 1 09:51:39 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 12:55:03 2005
Subject: [SpamCop-List] Re: OT Spamalot
References:
Message-ID:

Mike Easter wrote:
> Why Hormel doesn't have a pic of the commemorative collectors' edition
> can^1 at their site is beyond me.

http://www.dailyllama.com/news/2004/images/golden_honey_spam_large.jpg
http://www.dailyllama.com/news/2004/images/golden_honey_spam_back_large.jpg
http://www.dailyllama.com/news/2004/images/golden_honey_spam_label.jpg

Lotsa google links on articles for 'golden honey grail' - I must be the last one to find out about this.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Feb 1 10:31:46 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Feb 1 13:35:40 2005
Subject: [SpamCop-List] Re: OT Spamalot
References:
Message-ID:

Mike Easter wrote:
> "SPAMALOT-ese" on how to
> "cooketh" SPAM?.

> http://www.dailyllama.com/news/2004/images/golden_honey_spam_label.jpg

Copied into IrfanView for 'handling', cooking instructions label section blown up and 'manipulated' to enhance readability and manually transcribed, since my search didn't show me the instructions in digital -- someone is going to have to help the Hormel PR people tend to these arcane details for posterity.

"Fully cooked, ready to eat cold or hot. Taketh thine SPAM slices and fry it thusly for exactly 2 minutes. No more, no less. 1 minute is too little, and yet 3 minutes be far longer than thou needeth.
Then thou shalt flippeth the SPAM and repeateth these instructions until it be crispy and browned upon both sides of this most tasty provision. The resulting divine creation shalt be lobbed into thine mouth rapidly for this is the love of SPAM."

I think. Not everything was crystal clear in the transformations.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Tue Feb 1 20:35:38 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Feb 1 14:40:03 2005
Subject: [SpamCop-List] Re: address blocked
References:
Message-ID:

On Tue, 1 Feb 2005 08:43:51 -0500, Ellen coughed into spamcop and left this in :

> and obviously barak has done nothing about filtering port 25.

Now, why on $planet would they want to do that? *rolls eyes*

> As the spew is recent I suspect that barak haven't had time to hunt
> down the compromised and do anything about them yet.

As if they ever will...

--
Steve
Windows is.... A 32-bit extension to a 16-bit graphical interface, sitting on an 8-bit operating system, originally written for a 4-bit processor by a 2-bit company without ONE BIT of common sense.

From nobody at devnull.spamcop.net Tue Feb 1 13:41:57 2005
From: nobody at devnull.spamcop.net (LioNiNoiL_a t_Y a h 0 0_d 0 t_c 0 m)
Date: Tue Feb 1 16:45:08 2005
Subject: [SpamCop-List] Re: OT Spamalot
In-Reply-To:
References:
Message-ID:

> Broadway will have a 'new musical ripoff' of the movie Monty
> Python and the Holy Grail called 'Monty Python's Spamalot'
> by Eric Idle starting Feb 14
> http://www.montypythonsspamalot.com/

I feel as though I've been living in Spamalot for years...

--
In short, there's simply not
A more congenial spot
For happy spamvertiser rings than here in Spamalot.

From nobody at spamcop.net Tue Feb 1 17:43:47 2005
From: nobody at spamcop.net (Miss Betsy)
Date: Tue Feb 1 17:45:05 2005
Subject: [SpamCop-List] Why Am I Blocked? FAQ
Message-ID:

Why Am I Blocked?

Probable Causes

If your email has suddenly been blocked by the SpamCop blocklist, it is probably because you share an IP address with other email users and there is someone who:

* is using auto-responses that are replying to spam with forged spamtrap email addresses (such as Out-of-Office/Vacation notices, virus notifications, and 'created email' bounces);
* has a computer with a virus that sends spam without the owner's knowledge;
* has a computer that has been compromised and spammers are remotely controlling it to transmit their spew;
* is sending unsolicited emails and your internet service provider is allowing it;
* or because, as in all systems, there may have been a mistake. (very rare)

The SpamCopDNSbl listing will expire automatically within 48 hours of the last report of spam from it.

For people who are operating servers:
(followed by FAQ for people who do not operate servers; if you don’t operate a server, scroll down until you find it.)

Am I really listed in the SpamCop Blocklist?:

You can check the status of any server by entering its address at http://www.spamcop.net/bl.shtml
The reason an IP address is listed can also be obtained from that page.

If the blocklist only lists spamtraps, then auto responses are the likely culprit.

If the blocklist only lists reports, you have a spammer at work.

If the blocklist lists spam traps and reports,

* You have your firewall configured to allow a compromised machine on your network to spew to the world (you do have a firewall in place, don't you?)
* the SMTP/Auth exploit of an Exchange server is in progress, see these links:
  http://news.spamcop.net/cgi-bin/fom?file=372
  http://www.winnetmag.com/article/articleid/40507/40507.html
  http://www.winnetmag.com/article/articleid/42406/42406.html
  How To Block Open SMTP Relaying and Clean Up Exchange Server SMTP Queues
  To prevent SMTP relaying with Microsoft Exchange Server see http://support.microsoft.com/default.aspx?scid=KB;EN-US;324958#4
  # (NOTE: While commonly seen on Exchange servers, this condition is possible on all platforms)
* Your PHP mailer program has been taken over by criminals. (You did not know that your PHP bulletin board had a very vulnerable mailer program on it? You did not know that you had PHP installed and running?)

Please also see:

* How can I get removed from SpamCop's blocking system? http://www.spamcop.net/fom-serve/cache/76.html
* John's explanation at John's revised post, for Why Am I Blocked FAQ http://forum.spamcop.net/forums/index.php?showtopic=673
* Merlyn's explanation at FAQ Entry: Why is my email blocked? http://forum.spamcop.net/forums/index.php?showtopic=35

The rest of this FAQ is for people who do not run servers.

Post the IP address that is blocked in the Spamcop web forum or newsgroup. There are many knowledgeable people in the SpamCop groups who will help you figure out why and offer solutions.

If you need to know what triggered the report from a spamtrap, email deputies spamcop.net. Only they can see. However, a post will generally get you faster replies and more specific help on what is the problem.

For people whose email was returned

Q: What does SpamCop do with my email?
A: Nothing

The Internet Service Provider (ISP) of the person, or business, you are sending email "To" is blocking email from your ISP's computers (servers), using a list provided by SpamCop. Your email doesn't pass through SpamCop's mail servers and SpamCop has no way of blocking or bouncing your email.
In addition, the SpamCop email service uses the blocklist to "tag" incoming mail so that suspected spam is placed in a particular folder and that is the way the blocklist is intended to be used.

Q: What is a blocklist?
A: A blocklist helps ISP’s to prevent spam coming to their customers.

An ISP can use a blocklist (a list of IP addresses), to block (bounce back) all email coming from a particular IP address. The blocking is based not on your email address (which looks like username@example.com), but on the IP address (which looks like 198.162.250.196). This IP address is assigned to the mail server you use, which is probably run by your ISP. You may share this same server with hundreds or thousands of other customers. If one of the other customers is sending spam through that shared mail server, it will cause the IP address of that mail server to be put on the blocklist. And when you send email through that server, ISP’s who use blocklists to avoid receiving spam, will also block your email.

SpamCop is one of many blocklists. DNS Blackhole Lists (DNSBLs) is a link to a page that lists and categorizes a number of blocklists. Trying to describe the difference between spamcop & other lists (particularly the time it takes to get off the list) and how SpamCop can be an early warning system for ISP's is a bit difficult, as each is different in concept, targets, results ranges, and oversight. If more specific data is desired on other DNSBLs, please visit that listing site.

Q: What is SpamCop?
A: Unique, automated blocklist and spam filtering

SpamCop has a program that will find the correct address to send a complaint because the email address you see that says who it is from is often forged by spammers. SpamCop finds the correct IP address and forwards complaints for its members. If a lot of reports are made, the IP address goes on the SpamCop blocklist that is used by many ISP’s.
for more detailed information on how Spamcop works see: http://www.spamcop.net/fom-serve/cache/3.html

Q: How do ISP’s use SpamCop
A: As 1) a warning that spammers have slipped by their defenses and 2) to block spam.

* Responsible ISP's welcome SpamCop reports and will remove spammers quickly from their systems.
* When they block emails, they send a message that looks like this:
  451 Blocked - see http://www.spamcop.net/bl.shtml?xxxx.xxxx.xxxx.xxxx:
  or
  email from xxx.com blocked,refused by Spamcop,see http://www.spamcop.net

Q: Why me?
A: It Happens to the best of us

It is annoying to have your email blocked. It is also annoying to have a backhoe interrupt email service. However, until the blocking problem is resolved, you can email people through a web based email service (the most familiar web based email services are hotmail and yahoo).

After you have taken care of the immediate problem of being able to communicate with someone by email, the next step is to see what can be done so this inconvenience does not happen to you again.

The one thing you do not want to do is to complain to those correspondents who are using an email service that uses the SpamCop blocklist. They probably really like the reduction in spam! You have the responsibility to see that your ISP provides you with reliable email service. See this link for a longer explanation of costs http://forum.spamcop.net/forums/index.php?showtopic=660

Q: Who do I contact to correct this problem?
A: Your ISP (email service provider) first

Usually the ISP with the blocked IP address has also been notified with the evidence of spam reports. Your ISP may have already acted on the Spamcop report they have received by the time you call. It may just have been a mistake on their part or, possibly, the reporter's part. Reporters can be fined or banned for mistakes.
As soon as your ISP stops the spam from being sent, or uses the procedures at SpamCop to point out the reporter's mistake, the IP address is taken off the blocklist (usually within 48 hours for spam; immediately for reporter error).

It may be that your call is the first time your ISP has heard that SpamCop has listed your IP address. Listings are made, in addition to member reporting, automatically from spamtraps (an eMail address that is not used, nor published anywhere, so only gets eMail if someone is sending spam!). Your ISP can find out about SpamCop at http://www.spamcop.net/fom-serve/cache/76.html if they don’t already know about SpamCop.

SpamCop deputies have access to the full evidence for a listing. Deputies can delist IP addresses which are listed in error.

Q: My ISP says it’s not their fault.
A: People in this forum will help with information to give your ISP

You will need to know your IP address for people to understand what has happened (it should be in the message you received telling you your mail was blocked). It is also helpful to know the reasons why it was blocked. (To do this, go to http://www.spamcop.net/bl.shtml . Make a note of the reason for the listing. For example "Been reported as a source of spam about 30 times" "Been detected sending mail to spam traps" as this is important)

There are many people who will explain to you what has happened and what you can do. If you are interested in finding out more about blocklists and exactly why your email was blocked, you may post in the web forum http://forum.spamcop.net/forums/index.php?showforum=11 or in the SpamCop NNTP newsgroup news://news.spamcop.net/spamcop.help with the above information.

Please remember that this block is not aimed at you personally. There are a limited number of IP addresses on the Internet, so you, and the spammer, may get a different one each time you log-on.
Your Internet Service Provider is the only one who can investigate and take action to stop spam from coming from that IP address. In the meantime, the email service at the other end does not have to accept your email until spam has stopped coming from that particular IP address just as postal and package services can refuse certain types of mail and packages.

Revised 18 Nov 2004 - Wazoo added DNSBL List URL
Revised 16 Nov 2004 - Wazoo - Ouch! newsgroup link fixed!
Revised 2 Sep 2004 - Wazoo
Revised August 7, 2004 - Miss Betsy, Wazoo, dbiel
Edited per Wazoo comments March 6, 2004
rev March 7
rev Mar 8 for format (agsteele)
Rev Mar11 with more links
Rev Mar 12 with new John link
rev 13 listized "Probable Causes"
rev 14 consolidated some links

Contributors: Michaell, Mike Easter, Wazoo, Greenlady, John, JT, JeffG

(Last Revised 26 January 2005)
(URL = http://forum.spamcop.net/forums/lofiversion/index.php/t972.html )

--

From user at domain.invalid Wed Feb 2 00:04:51 2005
From: user at domain.invalid (user@domain.invalid)
Date: Tue Feb 1 18:05:03 2005
Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report"
In-Reply-To:
References:
Message-ID:

Steven Maesslein wrote:
> Tracking URL:
> http://www.spamcop.net/sc?id=z726781903z28608ffef3c19a6dda5566aff4f0f0bdz
>
> Spam received at spamcop.net at 30 Jan 2005 13:02:59 -0000, IOW about 8
> hours ago.
>
> However, the parser is relying on the timestamp when the spam was
> received one hop further upstream, which *is* over 48 hours ago.
>
> It's therefore impossible to report spam if one of the spam relays holds
> on to it for 48 hours...
>

Another trick to escape Spamcop I discovered in my mailbox is to change the computer time, just enough to push it out of the time frame.
Guest at the fence LeaNder a/k/a KRAUT

From user at domain.invalid Wed Feb 2 00:51:14 2005
From: user at domain.invalid (user@domain.invalid)
Date: Tue Feb 1 18:55:06 2005
Subject: [SpamCop-List] Re: Empty spam
In-Reply-To:
References:
Message-ID:

Larry Kilgallen wrote:
> In article , user@domain.invalid writes:
>
>>lebrad wrote:
>>
>>>I seem to be receiving a lot of spam with no subject and no content. Why
>>>would someone want to send me spam with no message?
>>>
>>>
>>
>>I have the impression this is not spam
>
>
> Meaning the recipient requested it ?
> Or meaning that it only happened once ?

No, this is not what I meant. I have been watching this for quite some time now. Did you ever have doubled, tripled ... mails? At one time I watched this, it seemed to happen at certain intervals. The headers showed rather complicated patterns. Like being sent at certain time intervals with a third diverted somewhere on the line as if held somewhere and then moved on. First they arrived at different times. Which showed in my mailbox. The second and third being higher up. Then something got fixed. And while they arrived later they neatly appeared next to each other now. But the headers showed still traces of their different roads through the web.

Later the **empty mails** appeared. At that point I was accustomed to take a closer look. Checking the headers - sorry no systematic exercise although I came close to it ... but mainly checking the headers. And then I realized the empty ones sometimes were just parts of ordinary mails. That is sometimes even mails I received too. Part of its header, part of its body end. No recognizable pattern, but something cut up in an unknown process. Sometimes they were parts of mails I received from a list or received sooner or later ...

>
>
>>but cut up emails who float
>>around the net. I am watching this for quite some time now. It stopped
>>and now it starts again.
>
>
> Email does not "float around" - it gets sent by someone.
> I am no expert ... I wish I were. But even scientist need imagination. And out there on the net is much information about people that is quite valuable. Not only to spammers. > >>It probably is connected with some other web activity filtering the >>mails on their road on the net for contents information about the users. > > > Even if it were triggered by a technical error, it is still spam: > > Unsolicited Bulk Email > > Spam is a matter of conSent not conTent. Yes true, you have to use the delete button no matter if it is a technically produced bit or a whole one. But the bit can still have a different origin, not quite functioning excursions into fields not altogether known - not quite working yet KRAUT From nobody at spamcop.net Wed Feb 2 00:08:24 2005 From: nobody at spamcop.net (nobody@spamcop.net) Date: Tue Feb 1 19:10:04 2005 Subject: [SpamCop-List] m1fastcooloffers.com Message-ID: I've been spammed by m1fastcooloffers.com (63.147.28.5). SpamCop wants to send reports to stasu@veritex-tech.com, but that looks like a listwashing address and nothing will ever be done about shutting down this scam operation. The spamvertized site redirects to applyfree.com, which pushes fake-looking mortgages and debt consolidation plans. I want to report applyfree.com, but I tried reporting a similar site last year and quit after 100 reports were ignored. These scammers also have more than one ISP, so that if one ISP shuts down getrefi.com, the scammers still have getrefinow.com.cn, refinow.com.cn, and a slew of others. Is there legal action that can be started against these spam scam companies? How else should I report this issue? 
The spam lists an address: Global Offers Network 2033 San Elijo Avenue, #411 Cardiff-by-the-Sea, CA 92007 From not at home.today Wed Feb 2 02:05:25 2005 From: not at home.today (Ant) Date: Tue Feb 1 21:10:03 2005 Subject: [SpamCop-List] Re: OT Spamalot References: Message-ID: "Mike Easter" wrote: > Lotsa google links on articles for 'golden honey grail' - I must be > the last one to find out about this. Apart from me, that is. Thanks for the links Mike. I enjoyed the song "Not Dead Yet" on the high bandwidth site. I love Eric Idle's songs, and was an avid Python fan all those years ago when the shows were first screened on BBC TV. I'm jealous! He's taking the show to Broadway, and the commemorative SPAM cans are only available in limited numbers in the US. It would seem Eric feels that USians are greater Python fans than his own countrymen. Perhaps he'll bring it to London's West End if it goes down well across the Pond. From nobody at spamcop.net Tue Feb 1 18:41:30 2005 From: nobody at spamcop.net (K. Crocker) Date: Tue Feb 1 21:45:07 2005 Subject: [SpamCop-List] Open Proxy SCBL Rules Message-ID: If spam is reported coming from an open proxy and the address is subsequently listed, is there a check to keep the address listed if it is still open when the listing times out? If not, can anyone think of a reason not to add this qualification? Also, if spam is submitted that indicates that its source is an open proxy, would it make sense that the address should be listed immediately, bypassing any rules that require samples from different submitters before a listing occurs? My POP3 service uses the SCBL, so any spam I receive is usually from sources not on the SCBL. A large proportion of that spam appears to be coming from open proxies, hence the interest. Thanks for your comments! 
Regards, Ken Crocker From nobody at devnull.spamcop.net Tue Feb 1 22:13:35 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Feb 1 23:15:06 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-041775.14350301022005@news.cesmail.net... > In article , > "WazoO" wrote: > > > > > Julian .... those charts track whatever he's got them pointed to, > > > > and what's behind that curtain has been described in the past > > > > as "not for public discussion" ... > > > > > > Been described in the past, by whom? I only recall WazoO saying such > > > things as "not for public discussion". > > > > Dialog between Julian, Don, Deputies and myself have included > > facts and conditions described as "not for public discussion" ... > > What dialog? Described by whom? Show me. Your request doesn't make a lot of sense, but here's some background; http://forum.spamcop.net/forums/index.php?showtopic=1939 http://forum.spamcop.net/forums/index.php?showtopic=2030 http://forum.spamcop.net/forums/index.php?showtopic=2559 > Or do you mean you have off-newsgroup conversations with Julian etc., > which you cannot tell us about, and that you then like to tell us that > you can't tell us about? Just trying to answer a query. > Frankly, if that's the case, I'd like to hear it from someone from > Spamcop. Your unhelpful help is so vague WazoO as to seem implausible. whatever. From nobody at spamcop.net Wed Feb 2 04:16:08 2005 From: nobody at spamcop.net (I Hate Spam) Date: Tue Feb 1 23:15:17 2005 Subject: [SpamCop-List] Halifax Internet banking phishing site Message-ID: http://207.202.89.91:87/f/index.htm From wb8tyw at qsl.network Tue Feb 1 23:45:42 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Feb 1 23:50:02 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: K. 
Crocker wrote:
> If spam is reported coming from an open proxy and the address is
> subsequently listed, is there a check to keep the address listed if it
> is still open when the listing times out? If not, can anyone think of a
> reason not to add this qualification?

Spamcop.net does not perform open proxy tests. It only looks at the open proxy data to aid in the accuracy of the parsing.

My mail server operators, like many, have the open proxy list checks before they accept e-mail, so once the spam source is on the open proxy list, their mail servers no longer receive any spam from it.

It also means that their users are no longer reporting spam from it to spamcop.net.

There is no reason for spamcop.net to duplicate the function of the open proxy lists.

> Also, if spam is submitted that indicates that its source is an open
> proxy, would it make sense that the address should be listed
> immediately, bypassing any rules that require samples from different
> submitters before a listing occurs?

The parser does not indicate if the I.P. address is already on the spamcop.net list. For you to check that would mean an extra step each time you submit a spam.

> My POP3 service uses the SCBL, so any spam I receive is usually from
> sources not on the SCBL. A large proportion of that spam appears to be
> coming from open proxies, hence the interest. Thanks for your comments!

It is probably a case that your mail server operators are using an open proxy list, yet at the time your mail server operator accepted the e-mail, that I.P. address was not yet on either the open proxy lists that they use, or on the spamcop.net list either.

Statistics from one of my mail server operators show that the spamcop.net blocking list is only catching 3% of the spam. The majority of spam is removed by more conservative blocking lists.

Other statistics that I am seeing indicate that the bulk of the spam is coming from dynamic pools, which many mail server operators block.
Of the major DNSbls that cover dynamic pool addresses, the SORBS one seems to be the most up to date. If you show technical details on the spamcop.net parse, if the source I.P. is not an open proxy, but is known to SORBS as a dynamic address, it will show up as 127.0.0.10. In that case, find out which dynamic pool list that your ISP uses, and how to submit new entries to them, so when you find one that is in SORBs, it means it was not in your ISP's list, and you can get that fixed. If the SORBS line does not show up in the parse, then you need to do a manual lookup at the SORBS site. And the rDNS can also tell you if the I.P. address is a "dynamic", or "dhcp", or "dialup". In which case it should show up in the SORBS dynamic database. But do not submit I.P. addresses for listing in a dynamic pool unless you have strong evidence that the I.P. address is dynamic, as the processing of them is completely manual. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Wed Feb 2 15:06:33 2005 From: nobody at devnull.spamcop.net (Patto) Date: Wed Feb 2 01:10:02 2005 Subject: [SpamCop-List] Re: Halifax Internet banking phishing site In-Reply-To: References: Message-ID: I Hate Spam wrote: > http://207.202.89.91:87/f/index.htm And what are we going to do with this link...? From nobody at spamcop.net Tue Feb 1 23:54:29 2005 From: nobody at spamcop.net (K. Crocker) Date: Wed Feb 2 02:55:03 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules In-Reply-To: References: Message-ID: John E. Malmberg wrote: > K. Crocker wrote: > >> If spam is reported coming from an open proxy and the address is >> subsequently listed, is there a check to keep the address listed if it >> is still open when the listing times out? If not, can anyone think of >> a reason not to add this qualification? > > > Spamcop.net does not perform open proxy tests. It only looks at the > open proxy data to aid in the accuracy of the parsing. 
> > My mail server operators, like many have the open proxy list checks > before they accept e-mail, so once the spam source is on the open proxy > list, their mail servers no longer receive any spam from it. > > It also means that their users are no longer reporting spam from it to > spamcop.net. > > There is no reason for spamcop.net to duplicate the function of the open > proxy lists. I suppose it depends on SpamCop's charter and how accurate the determination of "open proxy" is. My ISP hasn't revealed the algorithm it uses, except to say that they are using SCBL. Every additional list each ISP uses consumes that much more bandwidth, multiplied by each piece of email (spam and valid) flowing through the internet. Logistically, it could be argued that the perfect block list should add blackhat addresses ASAP and keep them there ALAP, commensurate with a totally automatic system. >> Also, if spam is submitted that indicates that its source is an open >> proxy, would it make sense that the address should be listed >> immediately, bypassing any rules that require samples from different >> submitters before a listing occurs? > > > The parser does not indicate if the I.P. address is already on the > spamcop.net list. For you to check that would mean an extra step each > time you submit a spam. I think you missed my point. I understand what you are saying. I've done both parsing and checking to see if an IP address was on the SCBL on numerous occasions. My intent was to foster a discussion, perhaps observed by a deputy, to get open proxy addresses added ASAP to the SCBL, rather than waiting for corroborative evidence. >> My POP3 service uses the SCBL, so any spam I receive is usually from >> sources not on the SCBL. A large proportion of that spam appears to be >> coming from open proxies, hence the interest. Thanks for your comments! 
>
>
> It is probably is a case that your mail server operators are using an
> open proxy list, yet at the time your mail server operator accepted the
> e-mail, that I.P. address was not yet on either the open proxy lists
> that they use, or on the spamcop.net list either.

I would guess that my ISP is *not* using an open proxy list, or, at least, not the one SC uses. I've parsed spam literally seconds old that shows up open proxy, yet was admitted through my ISP.

> Statistics from one of my mail server operators show that the
> spamcop.net blocking list is only catching 3% of the spam. The majority
> of spam is removed by more conservative blocking lists.

I think you meant liberal. SCBL would be considered conservative, since one of its aims is to block as little valid email as possible. Pardon the nit picking...

> Other statistics that I am seeing indicate that the bulk of the spam is
> coming from dynamic pools, which many mail server operators block.

Thanks for the info!

> But do not submit I.P. addresses for listing in a dynamic pool unless
> you have strong evidence that the I.P. address is dynamic, as the
> processing of them is completely manual.

Ah, if I had the kung fu (time + effort) to do this! I once kept track of some of the IP addresses used by one spammer as they sent one particular email campaign. I recorded well over 100 different addresses before I got tired, many from vastly differing blocks, none reused. This has nothing to do with the open proxy issue, but just to say that spammers have the "whack-a-mole" game down pat. If the open proxy determination was simple and bullet proof, I don't see a reason why it shouldn't be used to prevent known chronic repeat offenders from moving back into my neighborhood, to borrow from a different analogy.

> -John
> wb8tyw@qsl.network
> Personal Opinion Only

Thanks for your comments and info!
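The check discussed in this exchange (a dynamic address answering 127.0.0.10 on a blocklist lookup, and rDNS containing "dynamic", "dhcp" or "dialup"), as an added example that is not part of either post. The zone `dnsbl.example.org`, the sample addresses, host names and canned DNS answers are constructed, and the function names are hypothetical.

```python
import ipaddress
import socket

# Hypothetical placeholder zone: the thread names SORBS but not the zone to query.
DYNAMIC_ZONE = "dnsbl.example.org"

# Return code taken from the thread: a dynamic address shows up as 127.0.0.10.
RETURN_CODES = {"127.0.0.10": "dynamic address"}

# rDNS substrings the thread gives as signs of a dynamic address.
RDNS_HINTS = ("dynamic", "dhcp", "dialup")

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name a blocklist lookup asks for: reversed octets, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on malformed input
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """A-record lookup through the system resolver; None means no answer."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_listing(ip, zone, resolve=system_resolver):
    """Return (listed, meaning) for one IP on one blocklist zone."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return (False, None)
    # Blocklist answers live in 127.0.0.0/8. Any other address (for example a
    # resolver that rewrites "no such name" to a search page) is not a listing.
    if ipaddress.IPv4Address(answer) not in LOOPBACK_NET:
        return (False, None)
    return (True, RETURN_CODES.get(answer, "listed, code " + answer))


def rdns_hint(hostname):
    """Return the first dynamic-pool keyword found in the rDNS name, or None."""
    lowered = (hostname or "").lower()
    for hint in RDNS_HINTS:
        if hint in lowered:
            return hint
    return None


def assess(ip, hostname, zone, resolve=system_resolver):
    """Combine the list answer and the rDNS hint into one verdict string."""
    listed, meaning = check_listing(ip, zone, resolve)
    if listed and meaning == "dynamic address":
        return "listed-dynamic"      # already known to the list as dynamic
    if listed:
        return "listed-other"        # listed, but under a code not in our table
    if rdns_hint(hostname):
        return "rdns-hint-only"      # worth a manual lookup; a hint, not strong evidence
    return "no-evidence"


# Constructed DNS answers so the example runs offline.
CONSTRUCTED_ANSWERS = {
    "25.2.0.192.dnsbl.example.org": "127.0.0.10",   # listed as dynamic
    "77.2.0.192.dnsbl.example.org": "203.0.113.9",  # rewritten answer, not a listing
}


def constructed_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name)


# Constructed (source IP, rDNS) pairs as they might be read from Received headers.
CONSTRUCTED_SOURCES = [
    ("192.0.2.25", "dhcp-25.pool.example.net"),
    ("192.0.2.40", "dialup-40.example.net"),
    ("192.0.2.77", "mail.example.net"),
]

if __name__ == "__main__":
    for ip, host in CONSTRUCTED_SOURCES:
        print(ip, host, assess(ip, host, DYNAMIC_ZONE, constructed_resolver))
```

Leaving out the `resolve` argument sends the lookup through the system resolver, against whatever zone name is passed in.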
From nobody at devnull.spamcop.net Wed Feb 2 17:16:57 2005 From: nobody at devnull.spamcop.net (Patto) Date: Wed Feb 2 03:20:08 2005 Subject: [SpamCop-List] Re: SpamCop Unresponsive In-Reply-To: References: Message-ID: Thomas Mooney wrote: > I sent a piece of spam in 50 minutes ago. It usually takes 1-4 minutes > before I get a response. I don't suppose there's anybody listening at this > time of day/night that can "kick the machine" and get things going again. > > Just as I thought. Oh well. I started sending spam some 7 hours ago; still no response. From nobody at spamcop.net Wed Feb 2 08:27:31 2005 From: nobody at spamcop.net (me-no-no) Date: Wed Feb 2 03:30:03 2005 Subject: [SpamCop-List] Re: Halifax Internet banking phishing site References: Message-ID: "I Hate Spam" wrote in message news:ctpk3k$rin$1@news.spamcop.net... > http://207.202.89.91:87/f/index.htm And ???? Perhaps you should have checked here first - as many others obviously have ! http://www.spamhaus.org/SBL/sbl.lasso?query=SBL22894 Been going on since early January - with IDT ignoring all SC and manual larts ! http://www.spamhaus.org/SBL/listings.lasso?isp=idt.net Inc cc larts to the following:- cybercrime--at--fbi.gov-- reportphishing--at--antiphishing.org-- spoof--at--millersmiles.co.uk-- reports--at--banksafeonline.org.uk-- Ciao Meno From bar_n0ne at hotmail.com Wed Feb 2 12:34:14 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Feb 2 03:35:06 2005 Subject: [SpamCop-List] Re: SpamCop Unresponsive References: Message-ID: "Patto" wrote in message news:ctq29q$4q6$1@news.spamcop.net... > Thomas Mooney wrote: > > I sent a piece of spam in 50 minutes ago. It usually takes 1-4 minutes > > before I get a response. I don't suppose there's anybody listening at this > > time of day/night that can "kick the machine" and get things going again. > > > > Just as I thought. Oh well. > > I started sending spam some 7 hours ago; still no response. 
Well I sent spam 2&5 hours ago, it was ready for reporting, within 5 min, replies received within 20.

From l.rem.mayne at uea.ac.uk Wed Feb 2 09:41:56 2005
From: l.rem.mayne at uea.ac.uk (Leon Mayne)
Date: Wed Feb 2 04:46:40 2005
Subject: [SpamCop-List] UK email CD
Message-ID:

Is this a Peter Francis-Macrae spam does anyone know?

http://www.spamcop.net/sc?id=z727709647z8b39bd4a300145525835494b297b1e8dz

Seems unlikely that a spammer would put their address in a spam email, so do I presume PFM has a grudge against someone again?

From nobody at nowhere.invalid Wed Feb 2 12:08:29 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Feb 2 06:10:04 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into spamcop and left this in :

> The SpmCopDNSbl listing will expire automatically within 48 hours
> of the last report of spam from it.

This isn't quite accurate as I understand it.

I was led to believe that the listing will expire within 48 hours of the last reportED spam being sent, not within 48 hours of the last report.

For example, if a machine that was spewing merrily away is locked down on Monday morning at 10.00 am GMT, thus stopping the spewage, it'll age off the list by Wednesday morning 10.00 am GMT, even if someone waits until Tuesday night to report spam. The important part is that the spam being reported on Tuesday night was still sent before the machine was locked down on Monday morning.

--
Steve
Why do people pay to go up tall buildings and then put money in binoculars to look down at things on the ground?
From nobody at nowhere.invalid Wed Feb 2 12:11:12 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Feb 2 06:15:04 2005 Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report" References: Message-ID: On Wed, 02 Feb 2005 00:04:51 +0100, user@domain.invalid coughed into spamcop and left this in : > Another trick to escape Spamcop I discovered in my mailbox is change the > computer time, just enough to make push it out of the time frame. That's a material change to the spam that's forbidden by the rules. The point isn't to mess around with the spam until the parser accepts it, it's to create a parser that works accurately. There will inevitably be teething problems along the line, and the problem I was having with outdated spam is one of them, but they don't justify making changes to the spam itself IMO. -- Steve Don't be irreplaceable. If you can't be replaced, you can't be promoted. From nobody at spamcop.net Wed Feb 2 06:38:07 2005 From: nobody at spamcop.net (Miss Betsy) Date: Wed Feb 2 06:35:03 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: "Steven Maesslein" wrote in message news:slrnd01d5d.mt.nobody@127.0.0.1... > On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into spamcop and > left this in : > > > The SpmCopDNSbl listing will expire automatically within 48 hours > > of the last report of spam from it. > > This isn't quite accurate as I understand it. > > I was led to believe that the listing will expire within 48 hours of the > last reportED spam being sent, not within 48 hours of the last report. > > For example, if a machine that was spewing merrily away is locked down > on Monday morning at 10.00 am GMT, thus stopping the spewage, it'll age > off the list by Wednesday morning 10.00 am GMT, even if someone waits > until Tuesday night to report spam. 
The important part is that the spam > being reported on Tuedsay night was still sent before the machine was > locked down on Monday morning. Technically, you are correct. The point of this FAQ is to go from 'easy to understand' general statements (for most of the people who come to find out why they are blocked) to the more specific technical details. There are also the ways that ISPs can get off the blocklist now, etc. For an end user, nothing more is really needed to know than the IP addresses will age off the blocklist within a certain period of time. For those running servers when they start clicking on the links, they will find out all the technical details that they need to know. Of course, end users can click on those links also, but most get totally confused by the information - which is why it is put in links. It was a challenge to write this FAQ because it is directed toward people who know nothing about how email works and don't even understand simple terms like 'ISP' (that was one of the suggestions - to say 'internet service provider' because ISP was an unknown term) and those who are running servers and want to know the details. Miss Betsy From nobody at nowhere.invalid Wed Feb 2 13:54:42 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Feb 2 07:55:04 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: On Wed, 2 Feb 2005 06:38:07 -0500, Miss Betsy coughed into spamcop and left this in : > The point of this FAQ is to go from 'easy to understand' general > statements (for most of the people who come to find out why they are > blocked) to the more specific technical details. Point taken. -- Steve Let's call it an accidental feature. -- Larry Wall From grover.joe at acd.net Wed Feb 2 09:42:00 2005 From: grover.joe at acd.net (Joe Grover) Date: Wed Feb 2 09:45:03 2005 Subject: [SpamCop-List] Report history for an IP? Message-ID: Two of my three SMTP servers were recently listed at Spamcop. 
I'm trying to find out why. In the past you could see samples of reports that resulted in a block when you looked up an IP in the BL. I'm unable to find this anymore.

I occasionally have customers that use spamcop Outlook plugins that--when they report spam--it reports our SMTP server as one of the servers that sent the spam. It is because of this: Mail comes into one of three SMTP servers, and is delivered to a back-end mailbox server, like this:

external server/client sending spam => smtp.acd.net => customer's mailbox server.

Every now and then I get a Spamcop complaint implicating one of our SMTP servers, only to look at it and see that it was a message one of our customers received and reported, not a report from some user on the internet.

I doubt this was the problem this morning, as I've only seen 2 of these complaints over the past several months. None of the other Spamcop complaints I've received have had anything to do with any of our SMTP servers, so naturally I'm curious as to what "abuse" resulted in two servers being listed this morning.

Thanks in advance.

Joe

From nobody at spamcop.net Wed Feb 2 08:35:11 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Feb 2 09:50:05 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd01d5d.mt.nobody@127.0.0.1...
> On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into spamcop and
> left this in :
>
> > The SpmCopDNSbl listing will expire automatically within 48 hours
> > of the last report of spam from it.
>
> This isn't quite accurate as I understand it.
>
> I was led to believe that the listing will expire within 48 hours of the
> last reportED spam being sent, not within 48 hours of the last report.
> > For example, if a machine that was spewing merrily away is locked down > on Monday morning at 10.00 am GMT, thus stopping the spewage, it'll age > off the list by Wednesday morning 10.00 am GMT, even if someone waits > until Tuesday night to report spam. The important part is that the spam > being reported on Tuedsay night was still sent before the machine was > locked down on Monday morning. > Actually the age off is 24 hours and it has been that for at least a couple of months now. It is always good to take a glance at the faq every so often: http://www.spamcop.net/fom-serve/cache/297.html And indeed in any information put together as a resource for users coming to the forum, newsgroups or elsewhere the faq on the SC website should be referenced as it is the official source of the operation of the blocklist. This keeps down the necessity for remembering to update the other faqs/boilerplates. In any case the 24 hour clock runs off the valid timestamp from the last reported spam headers not the time that a user reported it. Ellen From D.Gray at picture.oscar.wilde Wed Feb 2 15:11:14 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Wed Feb 2 10:15:03 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: In article , "WazoO" wrote: > "Dorian Gray" wrote in message > news:D.Gray-041775.14350301022005@news.cesmail.net... > > In article , > > "WazoO" wrote: > > > > > > > Julian .... those charts track whatever he's got them pointed to, > > > > > and what's behind that curtain has been described in the past > > > > > as "not for public discussion" ... > > > > > > > > Been described in the past, by whom? I only recall WazoO saying such > > > > things as "not for public discussion". > > > > > > Dialog between Julian, Don, Deputies and myself have included > > > facts and conditions described as "not for public discussion" ... > > > > What dialog? Described by whom? Show me. 
> > Your request doesn't make a lot of sense, but here's some background; > http://forum.spamcop.net/forums/index.php?showtopic=1939 > http://forum.spamcop.net/forums/index.php?showtopic=2030 > http://forum.spamcop.net/forums/index.php?showtopic=2559 None of the those forum threads even go close to answering the question about the statistics, and only one actually mentions the statistics. But they do confirm my point that only WazoO has used words like "not for public discussion". The comments by Richard, Ellen and Julian that appear there (forwarded by WazoO) seem as helpful as possible, and don't say anything about restricting information. However they are talking about mole reporting, not the statistics, so don't help us with the question about the stats. So, does anyone *else* know of any explanations, that they are willing to share? Alternatively, does anyone from Spamcop know the explanation, but can't share it, and are willing to say so? Cheers. From nobody at devnull.spamcop.net Wed Feb 2 10:10:44 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed Feb 2 10:15:09 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: Miss Betsy wrote: > Why Am I Blocked? > Probable Causes > Hope I'm not jumping the gun; please tell me if I am: As a tech writer in my most recent past life, I feel qualified to make a couple of observations on format. Content = pretty good! Fairly clear and concise. Not hard to read/understand. But(t) : Altho I can see it'll make a little work due to overlaps, I think this page should be two pages: It gets a little boring and dwindles a person's interest when they have to page thru "I'm an ISP", "I'm not an ISP", and, woops, wonder if I missed a heading? What else might be there; is there some other relevant section? Am I still in the ISPs part? Now, where was I? I think it should look like: ------------------------------ Why Am I Blocked? 
Probable Causes if: ----------------------------- < x > above = link That's clumsy, but I think it makes the point I want to make. Like I said, tell me if I'm ahead of things here. Not trying to be in the way. Online vetting; great idea. Best of luck! Regards, Pop From michael.spamcop at michaellefevre.com Wed Feb 2 15:13:21 2005 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Feb 2 10:15:12 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: Miss Betsy wrote: > "Steven Maesslein" wrote in message > news:slrnd01d5d.mt.nobody@127.0.0.1... >> On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into > spamcop and >> left this in : >> >> > The SpmCopDNSbl listing will expire automatically within 48 > hours >> > of the last report of spam from it. >> >> This isn't quite accurate as I understand it. >> > Technically, you are correct. The point of this FAQ is to go from > 'easy to understand' general statements (for most of the people who > come to find out why they are blocked) to the more specific > technical details. It should be possible to do that by leaving out detail - making things technically incorrect in the process of simplifying isn't good, because if people do go further than reading the FAQ and are then told something contradictory, it causes more problems than it solves. > For an end user, nothing more is really > needed to know than the IP addresses will age off the blocklist > within a certain period of time. Indeed. So that's all you need to say - if you're going to go into more detail, then the extra detail should be accurate. And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside from missing the "a" from SpamCop, it's generally called the SpamCop BL - given that the audience for the document are unlikely to know what a DNSBL is, there's no point in adding extra letters... 
-- Michael From michael.spamcop at michaellefevre.com Wed Feb 2 15:18:51 2005 From: michael.spamcop at michaellefevre.com (Michael Lefevre) Date: Wed Feb 2 10:20:02 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: Pop wrote: [snip] > Altho I can see it'll make a little work due to overlaps, I > think this page should be two pages: I can see your point, but this is supposed to be a mini-FAQ to sit in a list of forum posts (like http://forum.spamcop.net/forums/index.php?showforum=11 ). If it was going to be split, then you wouldn't want 3 FAQ posts that refer to each other - you'd just have 2 FAQ posts with appropriate titles. Actually, I think it would be better to keep it as one document and make it shorter, with links to a better resource than a forum FAQ posting. -- Michael From wb8tyw at qsl.network Wed Feb 2 09:19:22 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Wed Feb 2 10:20:06 2005 Subject: [SpamCop-List] Re: Open Proxy SCBL Rules References: Message-ID: <$QENvZ8ilhJi@eisner.encompasserve.org> In article , "K. Crocker" writes: > John E. Malmberg wrote: > >> K. Crocker wrote: >> >> >> There is no reason for spamcop.net to duplicate the function of the open >> proxy lists. > > I suppose it depends on SpamCop's charter and how accurate the > determination of "open proxy" is. My ISP hasn't revealed the algorithm > it uses, except to say that they are using SCBL. Every additional list > each ISP uses consumes that much more bandwidth, multiplied by each > piece of email (spam and valid) flowing through the internet. Not exactly true. Several of the blocklists are relatively static, and large mailserver operations routinely download local copies using tools like rsync which only transfer the changes. DHCP lists are an example of a DNSBL that is likely to only change on a daily basis or even longer. 
A local copy of a good DHCP blocking list will probably reject over 50% of the spam delivery attempts with out additional bandwidth use. The sbl.spamhaus.org list is also pretty stable for keeping a cached copy. It will have less effect, as the smart spammers have figured out that it is useless to send spam from any I.P. address listed in spamhaus.org. The spews.org lists are also only distributed as files. Some dnsbl operators will provide access to them through their servers. And it is quite likely that your mail server operator can use local blocking lists for the spam that gets through all their checks. I know of one postmaster that for certain countries, seems to locally block at least the /22 surrounding the I.P. address of any spam that gets through on them. In several years, that technique has not resulted in any reported real e-mail being rejected. The spamcop.net blocking list is not suitable for being the main blocking list of a mail server for several reasons. 1. It tries to identify the injection point of the spam, and your mail server can usually only use it against the last hop. 2. Long term spam sources may drop off the spamcop.net blocking list because the source I.P. is already on a more conservative list. 3. A more conservative list may have determined that a whole netblock is controlled by spammers and blocked the whole thing, while the spammer jumping around in it evades the spamcop.net algorithm. 4. The spamcop.net algorithm is aggressive and will list real mail servers, and many times this is from spam reporters not noticing that a parser error is reporting their own mail server. > Logistically, it could be argued that the perfect block list should add > blackhat addresses ASAP and keep them there ALAP, commensurate with a > totally automatic system. The blocking lists are specialized because of how they determine a listing. And there are several of them that are aggregated to simplify lookups. 
opm.blitzed.org only tests for open proxies known to be used to abuse IRC networks. The mail server protection is a side effect.

cbl.abuseat.org has spamtraps that are content filtered to remove "bounce" backscatter so it tends to only list spam sources and viruses. The cbl.abuseat.org is very good at catching sources of direct to MX viruses or spammers that use harvested e-mail addresses.

By querying the xbl.spamhaus.org, you get a lookup of the opm.blitzed.org and the cbl.abuseat.org at the same time.

By querying the sbl-xbl.spamhaus.org, you get a lookup of the sbl.spamhaus.org, and the xbl.spamhaus.org.

Combine the sbl-xbl.spamhaus.org with a good dhcp blocking list, and you will find that will catch a lot of the spam, and as pointed out above, most of the data can be locally cached efficiently.

The list.dsbl.org only lists I.P. addresses that have sent it a specially formatted listme message. That message is sent by special software by trusted volunteers that knows how to scan for many security vulnerabilities.

The njabl.org runs proxy tests. There seems to be a high overlap in what njabl.org and dsbl.org list.

> I think you missed my point. I understand what you are saying. I've
> done both parsing and checking to see if an IP address was on the SCBL
> on numerous occasions. My intent was to foster a discussion, perhaps
> observed by a deputy, to get open proxy addresses added ASAP to the
> SCBL, rather than waiting for corroborative evidence.

That would place control of a spamcop.net listing under the control of an entity that has no affiliation with spamcop.net.

Spamcop.net keeps evidence of spam being sent. The evidence used by the open proxy listing service may not be available for a deputy to determine why the open proxy service is listing it.

By the time you submit the spam from a POP3 account, it may already be on the spamcop.net blocking list, or your report may be the one that puts it over the edge.

>>> My POP3 service uses the SCBL, so any spam I receive is usually from
>>> sources not on the SCBL. A large proportion of that spam appears to be
>>> coming from open proxies, hence the interest. Thanks for your comments!
>>
>>
>> It is probably a case that your mail server operators are using an
>> open proxy list, yet at the time your mail server operator accepted the
>> e-mail, that I.P. address was not yet on either the open proxy lists
>> that they use, or on the spamcop.net list either.
>
> I would guess that my ISP is *not* using an open proxy list, or, at
> least, not the one SC uses. I've parsed spam literally seconds old that
> shows up open proxy, yet was admitted through my ISP.

There are several services that will check lots of blocking lists to see where an I.P. address is listed. By taking the I.P. address that your mail server accepted the spam from and putting it in those lists, you can determine which ones your mail server operator is likely using or not using.

It would be a big surprise for a mail server operator to use the spamcop.net blocking list without using the other ones, especially the open proxy lists or the spamhaus.org lists.

The biggest argument that I have heard against using an open proxy list is that there is a high concern it will block real e-mails. This is from mail server operators that use open relay lists as their primary anti-spam defense.

Their lack of understanding of why their logic is faulty is amazing, and it is always amazing that they can not be convinced of their error.

Such misunderstandings usually translate to - "I barely got this mail server thing working, and if I change anything, it will probably break, and my boss will discover I have no clue of what I am doing".

The simple issues are:

An open relay is usually a real mail server that is misconfigured, so blocking open relays is probably going to have a measurable chance of causing a real e-mail to be blocked.

An open proxy is usually a computer that is not intentionally a mail server, so blocking an open proxy has a much lower chance of blocking a real e-mail, than the open relay lists that the mail server operator is already using.

Now is there any way to make it clearer that anyone using an open relay list, but not using an open proxy list, clearly does not have a good technical understanding of what they are doing?

>> Statistics from one of my mail server operators show that the
>> spamcop.net blocking list is only catching 3% of the spam. The majority
>> of spam is removed by more conservative blocking lists.
>
> I think you meant liberal. SCBL would be considered conservative, since
> one of its aims is to block as little valid email as possible. Pardon
> the nit picking...

No, I mean conservative. The other blocking lists try not to list production mail servers unless there is either a documented security problem with them or that the mail server operator has through action or inaction allowed the mail server to be freely used by spammers.

Spamcop.net will list real mail servers and has a much higher chance of causing collateral damage than the conservative lists.

Using the spamcop.net list to reject e-mail will only block a small percentage more of the spam sources that the conservative lists will block, but is more likely to reject a real e-mail.

The spamcop.net blocking list is more useful on a scoring system where additional tests can usually confirm that an item is spam, where in many cases, many of those tests by themselves could cause false positives.

>> Other statistics that I am seeing indicate that the bulk of the spam is
>> coming from dynamic pools, which many mail server operators block.
>
> Thanks for the info!
>
>> But do not submit I.P. addresses for listing in a dynamic pool unless
>> you have strong evidence that the I.P. address is dynamic, as the
>> processing of them is completely manual.
>
> Ah, if I had the kung fu (time + effort) to do this! I once kept track
> of some of the IP addresses used by one spammer as they sent one
> particular email campaign. I recorded well over 100 different addresses
> before I got tired, many from vastly differing blocks, none reused.
> This has nothing to do with the open proxy issue, but just to say that
> spammers have the "whack-a-mole" game down pat.

If you are getting that volume of spam, it indicates that there is a hole in your ISP's spam defences.

I kept track for almost a year of spam from DHCP pools which basically proved that a commercial DHCP pool listing service was missing many very large and very well known DHCP pools. That mail server operator switched to using the SORBS dhcp pool list, and that made a significant reduction in the spam leakage.

One of the results of the tests showed that the spammers were apparently assuming that the dhcp address block that they spammed from was probably blocked for about two months, and then they would recycle it.

Of course that could be the time that I.P. address was sitting in one of the open proxy lists that age out their listings.

> If the open proxy determination was simple and bullet proof, I don't
> see a reason why it shouldn't be used to prevent known chronic repeat
> offenders from moving back into my neighborhood, to borrow from a
> different analogy.

Too many mail server operators or ISP operators do not have a clue of what they are doing.

Too many of them are trying to do spam filtering by content analysis instead of source I.P blocking, because that is what most of the commercial spam filtering companies offer.

Too many clueless media reporters mis-report the spam issue. Most media reports I have read present the following statements as fact, with no data at all to back them up.

1. DNSbls are evil and will regularly cause real e-mail to be lost.

2. Content filtering from their (potential) advertisers is state of the art.

3. Spammers make big money from people buying spamvertized items. (It seems that the big money is selling spamming kits, not spamming, most of the actual spammers seem to never make back even a fraction of what they spent to get started - It is just a pyramid scam)

They also omit the following information:

1. That blocking of e-mail and other packets has shown to be the only way to motivate a large number of network operators to do anything at all about abuse coming from their systems.

2. That once those blocks become noticed by a critical paying customer, the ISP allowing spam to be sent seems to be able to clean up the problem almost instantaneously, even though up to that point they were making excuses about how hard the job is, and how much time it will take.

3. Never ask one of the blocked ISP's why they are providing services for a web site advertising illegal items?

4. Never ask one of the blocked ISP's why they are keeping a customer that can be verified to be attempting to spam through open proxies?

5. Omit disclosing that they hope to sell advertising to the network operators that permit spam to be sent.

6. Ignore all tests that show that the DNSbls are more accurate both at detecting spam and real e-mail than any of the commercial content filters.

7. Never point out that large mail server operators pay a metered rate for their connection, so that to use content filtering greatly increases their cost.

Too many ISP users do not realize what the state of the art is in spam blocking, so they do not realize that all their ISP is offering is a placebo for spam filtering so that they can claim that they care, while just passing on the extra charges for doing an incompetent job.

If an ISP wanted to really hurt the spammers, they would use the sbl.spamhaus.org list at their border routers to block access to the spammer's web pages. (or spews, if they really wanted to be a BOFH).
This would make it obvious to most of the spammers that no one at that ISP could even visit their web site to order the product should their spew get through their filters.

Also too many people are not bugging their elective officials to hold ISP's corporate officers criminally responsible for not taking action against customers that are still using their services after one business day that the ISP should have received a notification.

And make sure that the law indicates that the ISP is still liable if their abuse or postmaster e-mail address rejected or deleted the notification, or if they were a day behind in processing abuse/postmaster issues.

-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at xyzzy.claranet.de Wed Feb 2 16:35:06 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Feb 2 10:40:04 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID: <4200F32A.44B@xyzzy.claranet.de>

Ellen wrote:

> In any case the 24 hour clock runs off the valid timestamp
> from the last reported spam headers not the time that a user
> reported it.

Minus cases when SC believes in the timestamps of infosat.net instead of cesmail.net - SCNR. Something completely different:

In 2004 I used "last answered by Ellen" in the spamcop.routing NG as "timestamp" to mark all prior articles as "old", is that still how it works ?

Bye, Frank

From nospam at nospam.org Wed Feb 2 16:42:55 2005
From: nospam at nospam.org (geo_splash_12)
Date: Wed Feb 2 10:45:04 2005
Subject: [SpamCop-List] Re: Spamcop Statistics
In-Reply-To:
References:
Message-ID:

Dorian Gray wrote:
> In article ,
> "WazoO" wrote:
>
>
>>"Dorian Gray" wrote in message
>>news:D.Gray-041775.14350301022005@news.cesmail.net...
>>
>>>In article ,
>>> "WazoO" wrote:
>>>
>>>
>>>>>>Julian .... those charts track whatever he's got them pointed to,
>>>>>>and what's behind that curtain has been described in the past
>>>>>>as "not for public discussion" ...
>>>>> >>>>>Been described in the past, by whom? I only recall WazoO saying such >>>>>things as "not for public discussion". >>>> >>>>Dialog between Julian, Don, Deputies and myself have included >>>>facts and conditions described as "not for public discussion" ... >>> >>>What dialog? Described by whom? Show me. >> >>Your request doesn't make a lot of sense, but here's some background; >>http://forum.spamcop.net/forums/index.php?showtopic=1939 >>http://forum.spamcop.net/forums/index.php?showtopic=2030 >>http://forum.spamcop.net/forums/index.php?showtopic=2559 > > > None of the those forum threads even go close to answering the question > about the statistics, and only one actually mentions the statistics. > But they do confirm my point that only WazoO has used words like "not > for public discussion". The comments by Richard, Ellen and Julian that > appear there (forwarded by WazoO) seem as helpful as possible, and don't > say anything about restricting information. However they are talking > about mole reporting, not the statistics, so don't help us with the > question about the stats. > > So, does anyone *else* know of any explanations, that they are willing > to share? Alternatively, does anyone from Spamcop know the explanation, > but can't share it, and are willing to say so? > > Cheers. I can very well imagine that the spamcop wizkids don't want to reveal too much about the statistics since foes would also be interested. -- And your Chinese exchange student asks: what does it mean "I'm busy". Location 51 57'N 4 28'E From D.Gray at picture.oscar.wilde Wed Feb 2 15:52:37 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Wed Feb 2 10:55:03 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: In article , Dorian Gray wrote: > So, does anyone *else* know of any explanations, that they are willing > to share? Alternatively, does anyone from Spamcop know the explanation, > but can't share it, and are willing to say so? P.S. 
Here (repeated) are the things about which we were after explanation if possible: "I also am interested in an explanation of aspects of the statistics. I *think* the drop in the second half of September, and sustained lower levels of submitted spam since then, correspond to the change in the limit on the age of accepted spam from 3 to 2 days, which IIRC also went with a recommendation that only spam less than 24 hours old was of any real usefulness to Spamcop. Can someone confirm this? The spikes in late-Oct and January are intriguing. Being a Mac-only user now, I'm not familiar with recent Windows virus/worm outbreaks, which perhaps provide an explanation? If so, which ones correspond to the spikes? Also, can anyone explain why the spike in submitted spam in late-Oct went with a corresponding spike in reports sent, while the spikes in submitted spam in January did not? Cheers." From kenbrody at spamcop.net Wed Feb 2 11:00:44 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Feb 2 11:05:05 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: <4200F92C.72CCF96B@spamcop.net> Michael Lefevre wrote: > > Miss Betsy wrote: > > "Steven Maesslein" wrote in message > > news:slrnd01d5d.mt.nobody@127.0.0.1... > >> On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into > > spamcop and > >> left this in : > >> > >> > The SpmCopDNSbl listing will expire automatically within 48 > > hours > >> > of the last report of spam from it. > >> > >> This isn't quite accurate as I understand it. > >> > > Technically, you are correct. The point of this FAQ is to go from > > 'easy to understand' general statements (for most of the people who > > come to find out why they are blocked) to the more specific > > technical details. 
> >
> It should be possible to do that by leaving out detail - making things
> technically incorrect in the process of simplifying isn't good, because if
> people do go further than reading the FAQ and are then told something
> contradictory, it causes more problems than it solves.

Perhaps change:

    The SpmCopDNSbl listing will expire automatically within 48 hours
    of the last report of spam from it.
           ^^^^^^^^^^^^^^^^^^^

to:

    The SpmCopDNSbl listing will expire automatically within 48 hours
    of the last reported spam from it.
           ^^^^^^^^^^^^^^^^^^

> And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside from
> missing the "a" from SpamCop, it's generally called the SpamCop BL - given
> that the audience for the document are unlikely to know what a DNSBL is,
> there's no point in adding extra letters...

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From eddie at eddie.web Wed Feb 2 11:30:01 2005
From: eddie at eddie.web (eddie)
Date: Wed Feb 2 11:30:33 2005
Subject: [SpamCop-List] don`t be an asshole Ethan
Message-ID:

(Subject of recent spam)

Now that's really the way to attract customers.

I believe that this shows not just the complete idiocy of the spamkiddys, but their total lack of knowledge about anyone outside their moronic group.

They truly believe everyone speaks this way, just because all their friends do so.

From eddie at eddie.web Wed Feb 2 12:03:15 2005
From: eddie at eddie.web (eddie)
Date: Wed Feb 2 12:05:02 2005
Subject: [SpamCop-List] Re: don`t be an asshole Ethan
References:
Message-ID:

On Wed, 02 Feb 2005 11:30:01 -0500, eddie scratched out the following:

From the same gang that shoots with their assholes comes this line from a spam without a URL, duh :)

"I don't usually do this but, how would you like to keep me some company? My Asshole Husband works night shifts, which makes me very lonely at night"

Besides being lower-chakra kiddies with no imagination or language skills, who would be interested in a woman so stupid to marry an "Asshole Husband?"

I can smell her from here. Her problem is not her husband - he's out with a beautiful blond - he can't stand the crabs and the smell either :)

Do people really respond to this stuff? If they do, they deserve whatever they get.

From nobody at spamcop.net Wed Feb 2 12:11:27 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Feb 2 12:30:02 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References: <4200F32A.44B@xyzzy.claranet.de>
Message-ID:

"Frank Ellermann" wrote in message news:4200F32A.44B@xyzzy.claranet.de...
>
> In 2004 I used "last answered by Ellen" in the spamcop.routing
> NG as "timestamp" to mark all prior articles as "old", is that
> still how it works ?

If that is a broad hint that I haven't been in the routing group in a long while -- you are correct. If the mail load ever decreases I might actually have time to get over there and plow thru the backed up posts.

Ellen

From nobody at spamcop.net Wed Feb 2 12:12:48 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Feb 2 12:30:07 2005
Subject: [SpamCop-List] Re: Report history for an IP?
References:
Message-ID:

"Joe Grover" wrote in message news:ctqout$i34$1@news.spamcop.net...
>
> I doubt this was the problem this morning, as I've only seen 2 of these
> complaints over the past several months.
> None of the other Spamcop
> complaints I've received have had anything to do with any of our SMTP
> servers, so naturally I'm curious as to what "abuse" resulted in two servers
> being listed this morning.
>

Write to deputies@admin.spamcop.net with the IPs and/or use one of the forms on the website to generate a mail to us and someone will look and see what is happening. We are very backed up on mail so the response may not be immediate.

Ellen
SpamCop

From nobody at spamcop.net Wed Feb 2 12:14:32 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Feb 2 12:30:10 2005
Subject: [SpamCop-List] Re: Spamcop Statistics
References:
Message-ID:

"Dorian Gray" wrote in message news:D.Gray-7D1430.15111402022005@news.cesmail.net...
>
> So, does anyone *else* know of any explanations, that they are willing
> to share? Alternatively, does anyone from Spamcop know the explanation,
> but can't share it, and are willing to say so?
>

There are various reasons why you may see anomalies in the stat graphs. I cannot go into detail about them.

Ellen
SpamCop

From nobody at nowhere.invalid Wed Feb 2 18:44:18 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Feb 2 12:45:05 2005
Subject: [SpamCop-List] Re: don`t be an asshole Ethan
References:
Message-ID:

On Wed, 02 Feb 2005 11:30:01 -0500, eddie coughed into spamcop and left this in :

> They truly believe everyone speaks this way, just because all their
> friends do so.

Friends? :)

--
Steve
The original point and click interface was a Smith & Wesson.

From DougThegarden at hotmail.com Wed Feb 2 18:05:15 2005
From: DougThegarden at hotmail.com (Doug Thegarden)
Date: Wed Feb 2 13:10:05 2005
Subject: [SpamCop-List] Re: don`t be an asshole Ethan
In-Reply-To:
References:
Message-ID:

eddie wrote:
>
> Do people really respond to this stuff?
>

You just have.

Doug

From nobody at devnull.spamcop.net Wed Feb 2 13:13:12 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Wed Feb 2 13:15:05 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

Michael Lefevre wrote:
> Pop wrote:
...
> Actually, I think it would be better to keep it as one
> document and make
> it shorter, with links to a better resource than a forum FAQ
> posting.

Hmm, good point, especially the "shorter" part. I read your next post too, and tend to agree there, too.

Agreed. It should be shorter and more to the point so it'll grab my attention and get me to go to the -relevant- link with some confidence that if it requires another jump to get all the data I need, it'll be obvious to me which link it will be.

My original thought was something along the lines of feeling like the other available links at this time aren't very well tied together and it's sometimes hard to know just where to look for something specific (like, why am I blocked, but not literally that issue), or even if one place is enough places to look. It was looking to me like the fuzziness might be duplicated, and, not trusting the rewrites to pull stuff together (NOT a dig at anyone other than human nature), I thought about branching it right there.

One thing missing here, I -think-, is an Outline of the overall FAQ system, and IMO that leaves too many options open to those who aren't directly involved. Unless it's there and I just couldn't see it, which is possible.

I'm starting to think a good FAQ tree might be in order, even an ASCII tree would be passably functional.

So I don't add confusion, I'll draw back again - like I said, I don't feel qualified to make these observations at this time.

; Pop -out- ;

Regards, Pop

From scott-i at .-N0-SPAMplease.enm.com Wed Feb 2 10:31:06 2005
From: scott-i at .-N0-SPAMplease.enm.com (Scott Townsend)
Date: Wed Feb 2 13:35:46 2005
Subject: [SpamCop-List] Who's Using SPAMCOP? Any major players? Reviews by CNET or others?
Message-ID:

Looking for info on what companies are using SPAMCOP to filter their mail.

I'd like to use SPAMCOP, though it would be great to present this as a solution to management if I could say that Company X, Y and Z are also using it to filter their mail.

Or are there any reviews by CNET or others that recommend SPAMCOP?

Thanks,
Scott<-

From nobodyhere at spamcop.net Wed Feb 2 13:47:51 2005
From: nobodyhere at spamcop.net (Fluffy)
Date: Wed Feb 2 13:50:05 2005
Subject: [SpamCop-List] Indigo can't post
Message-ID:

Sorry about the name, my pet troll is following me and spamming the newsgroup so I had to change. I'm posting this here as well as geeks, in case someone might be able to answer faster. Would he be blocked from the NNTP groups because his server is listed in SORBS? I know that Comcast is rife with open proxies, etc lately.....

He says he is getting this message:

"Outlook Express could not post your message. Subject 'immigrant thread', Account: 'news.spamcop.net', Server: 'news.spamcop.net', Protocol: NNTP, Server Response: '440 Posting not allowed', Port: 119, Secure(SSL): No, Server Error: 440, Error Number: 0x800CCCA9"

Used SC to check his posting IP:

Parsing input: pcp0011117988pcs.elkrdg01.md.comcast.net
host pcp0011117988pcs.elkrdg01.md.comcast.net (checking ip) = 68.55.204.123
host 68.55.204.123 (getting name) = pcp0011117988pcs.elkrdg01.md.comcast.net.
Routing details for 68.55.204.123
[refresh/show] Cached whois for 68.55.204.123 : abuse@comcast.net
Using abuse net on abuse@comcast.net
abuse net comcast.net = abuse@comcast.net
Using best contacts abuse@comcast.net
Statistics:
68.55.204.123 not listed in bl.spamcop.net
More Information..
68.55.204.123 not listed in dnsbl.njabl.org
68.55.204.123 not listed in dnsbl.njabl.org
68.55.204.123 not listed in cbl.abuseat.org
68.55.204.123 listed in dnsbl.sorbs.net ( 127.0.0.10 )
68.55.204.123 not listed in relays.ordb.org.
From nobody at spamcop.net Wed Feb 2 13:58:56 2005 From: nobody at spamcop.net (Miss Betsy) Date: Wed Feb 2 14:00:05 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: Message-ID: "Ellen" wrote in message news:ctqp8o$i95$1@news.spamcop.net... > > Actually the age off is 24 hours and it has been that for at least a couple > of months now. It is always good to take a glance at the faq every so often: > > http://www.spamcop.net/fom-serve/cache/297.html > > And indeed in any information put together as a resource for users coming to > the forum, newsgroups or elsewhere the faq on the SC website should be > referenced as it is the official source of the operation of the blocklist. > This keeps down the necessity for remembering to update the other > faqs/boilerplates. > > In any case the 24 hour clock runs off the valid timestamp from the last > reported spam headers not the time that a user reported it. I think that the links do reference the 'official' spamcop FAQ (at least for the server admins). My original concept was for non-technically fluent users (who are hopelessly confused by the official FAQ). The end user part is not so much FAQ as an overview on the concept of what has happened and advice on what to do. Since addresses did age off the bl for various reasons, at the time this written, in much less time than 48 hours, saying 'within' makes it accurate for any time within that period without going into all the details and it is still accurate even though the maximum time has changed, though it probably should be changed either to reflect the official time or made even more indefinite. And I did know that it had changed, but didn't think that it was that important to change this FAQ. Admins will want to know exactly when or what the criteria are (which they will find if they use the official FAQ) and end users have no interest. 
Miss Betsy From D.Gray at picture.oscar.wilde Wed Feb 2 18:59:20 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Wed Feb 2 14:00:12 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: In article , "Ellen" wrote: > There are various reasons why you may see anomolies in the stat graphs. I > cannot go into detail about them. Thanks Ellen. By anomalies, do you mean the spikes? Okay, so they'll remain a mystery. But can you go into detail about the consistently lower level of submitted spam since September? Can you say whether or not it simply corresponds to the change in the limit on the age of accepted spam from 3 to 2 days, which IIRC also went with a recommendation that only spam less than 24 hours old was of any real usefulness to Spamcop? Cheers. From nobody at spamcop.net Wed Feb 2 14:07:09 2005 From: nobody at spamcop.net (Miss Betsy) Date: Wed Feb 2 14:05:03 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ References: <4200F92C.72CCF96B@spamcop.net> Message-ID: "Kenneth Brody" wrote in message news:4200F92C.72CCF96B@spamcop.net... > Michael Lefevre wrote: > > > > Miss Betsy wrote: > > > "Steven Maesslein" wrote in message > > > news:slrnd01d5d.mt.nobody@127.0.0.1... > > >> On Tue, 1 Feb 2005 17:43:47 -0500, Miss Betsy coughed into > > > spamcop and > > >> left this in : > > >> > > >> > The SpmCopDNSbl listing will expire automatically within 48 > > > hours > > >> > of the last report of spam from it. > > >> > > >> This isn't quite accurate as I understand it. > > >> > > > Technically, you are correct. The point of this FAQ is to go from > > > 'easy to understand' general statements (for most of the people who > > > come to find out why they are blocked) to the more specific > > > technical details. 
> > > > It should be possible to do that by leaving out detail - making things > > technically incorrect in the process of simplifying isn't good, because if > > people do go further than reading the FAQ and are then told something > > contradictory, it causes more problems than it solves. > > Perhaps change: > > The SpmCopDNSbl listing will expire automatically within 48 hours > of the last report of spam from it. > ^^^^^^^^^^^^^^^^^^^ > > to: > > The SpmCopDNSbl listing will expire automatically within 48 hours > of the last reported spam from it. > ^^^^^^^^^^^^^^^^^^ I don't think that is accurate either since the basic criteria is the valid date stamp. Perhaps 'valid report' or 'timely report' It is the last report of spam if you look at it as 'last' being the 'last' spam to come from the IP address. There are no other reports since other reports are not counted. > > > And, if you're making edits anyway, "SpmCopDNSbl" is wrong. Aside from > > missing the "a" from SpamCop, it's generally called the SpamCop BL - given > > that the audience for the document are unlikely to know what a DNSBL is, > > there's no point in adding extra letters... That wasn't my choice, but somebody wanted to be more technical. I suppose the spamcop bl is not considered a DNSBL because it is supposed to tag email. (Or maybe it has nothing to do with that - I am basically technically non-fluent and am just guessing). Miss Betsy From nobody at devnull.spamcop.net Wed Feb 2 13:09:30 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Feb 2 14:10:03 2005 Subject: [SpamCop-List] Re: Spamcop Statistics References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-452397.18592002022005@news.cesmail.net... > In article , > "Ellen" wrote: > > > There are various reasons why you may see anomolies in the stat graphs. I > > cannot go into detail about them. > > Thanks Ellen. I'm so confused at this point. You give me hell for saying "not for public discussion" .. 
wanting to hear from someone else .... Deputy Ellen states "cannot go into detail" and you offer her thanks. Then strangely enough, continue with the asking of the same questions that you started with. From TJLWBECGSGWU at spammotel.com Wed Feb 2 19:12:08 2005 From: TJLWBECGSGWU at spammotel.com (Mathew Hendry) Date: Wed Feb 2 14:15:02 2005 Subject: [SpamCop-List] Re: Indigo can't post References: Message-ID: <6l8201hl5qv8ed0str3s71dhtroj76m9iq@4ax.com> "Fluffy" wrote in : >Sorry about the name, my pet troll is following me and spamming the newsgroup so I >had to change. I'm posting this here as well as geeks, in case someone might be able >to answer faster. Would he be blocked from the NNTP groups because his server is >listed in SORBS? I know that Comcast is rife with open proxies, etc lately..... >... >68.55.204.123 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 127.0.0.10 means he's on their list of dynamic hosts, not a proxy or anything. Using ComCast does guarantee a listing in plenty of places though... http://openrbl.org/ip/68/55/204/123.htm -- Mat. From nobody at spamcop.net Wed Feb 2 14:19:53 2005 From: nobody at spamcop.net (Miss Betsy) Date: Wed Feb 2 14:20:10 2005 Subject: [SpamCop-List] Re: Why Am I Blocked? Editors Welcome References: Message-ID: How is this for a revision: The SpamCop BL listing will expire automatically within a specific period of time based primarily on when the last spam came from that IP address. Miss Betsy From tdy at blackhole.invalid Wed Feb 2 11:19:49 2005 From: tdy at blackhole.invalid (N. Miller) Date: Wed Feb 2 14:20:25 2005 Subject: [SpamCop-List] Re: don`t be an asshole Ethan References: Message-ID: In article , Steven Maesslein says... > The original point and click interface was a Smith & Wesson. I thought it was the Colt Dragoon... 
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at xyzzy.claranet.de Wed Feb 2 20:30:28 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Feb 2 14:35:02 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References: <4200F32A.44B@xyzzy.claranet.de>
Message-ID: <42012A54.5564@xyzzy.claranet.de>

Ellen wrote:

> If that is a broad hint that I haven't been in the routing
> group in a long while

Actually I didn't know, sometimes there were bursts of replies from you, but that didn't happen for about 7 weeks.

> If the mail load ever decreases

With all the new SC features that won't be soon.

Bye, Frank

From nobody at devnull.spamcop.net Wed Feb 2 13:33:37 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Feb 2 14:35:08 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Pop" wrote in message news:ctqqhg$j46$1@news.spamcop.net...
>
>
> Hope I'm not jumping the gun; please tell me if I am: As a tech
> writer in my most recent past life, I feel qualified to make a
> couple of observations on format.
>
> Content = pretty good! Fairly clear and concise. Not hard to
> read/understand.

I'm not jumping on you Pop, this just looked like a good starting point here. What is missing from all this mostly appreciated input is that the "home" of this FAQ entry is on the Forum. This means HTML display, links glowing, all that colorful stuff. It had been developed over some time by input from a number of Forum users (and who can forget Mike E.'s call to call the NNTP/HTTP camps totally different nations?) ... After all of that, Miss Betsy snagged a copy of that, did a lot of editing so it would 'render' a bit better as a plain-text item, and made an attempt to answer the call for a "post the FAQ" in the newsgroup.....
The last batch of input is still in the process of being added to the Forum entry (and I note that Miss Betsy didn't go grab another copy of that and start all over again) .. so let me say (and let me take the heat) ... there is a FAQ development section in the Forum structure, set up just for this purpose. There are but just a handful of folks frequenting both places ....

> But(t) :
> Altho I can see it'll make a little work due to overlaps, I
> think this page should be two pages: It gets a little boring and
> dwindles a person's interest when they have to page thru "I'm an
> ISP", "I'm not an ISP", and, woops, wonder if I missed a heading?

And in all fairness again, Miss Betsy had made the same suggestion in either an e-mail or PM to me a bit after the first time she posted this thing into the spamcop.help froup. See the above "still in progress" remark

> I think it should look like:
> ------------------------------
> Why Am I Blocked?
> Probable Causes if:
> -----------------------------
> < x > above = link
> That's clumsy, but I think it makes the point I want to make.
>
> Like I said, tell me if I'm ahead of things here. Not trying to
> be in the way.

Point taken, but please understand how what Miss Betsy posted got to the present entity. I really don't think anyone responding to her has any real idea of how much work went into just getting that accomplished.

> Online vetting; great idea. Best of luck!

That was the way the www.spamcop.net FAQ once worked.

From David1 at suescornerweb.com Wed Feb 2 14:38:04 2005
From: David1 at suescornerweb.com (David 1)
Date: Wed Feb 2 14:40:03 2005
Subject: [SpamCop-List] Re: Spamcop Statistics
In-Reply-To:
References:
Message-ID:

WazoO wrote:
> "Dorian Gray" wrote in message
> news:D.Gray-452397.18592002022005@news.cesmail.net...
>
>>In article ,
>> "Ellen" wrote:
>>
>>
>>>There are various reasons why you may see anomalies in the stat graphs.
>
> I
>
>>>cannot go into detail about them.
>>
>>Thanks Ellen.
>
>
> I'm so confused at this point. You give me hell for saying
> "not for public discussion" .. wanting to hear from someone
> else .... Deputy Ellen states "cannot go into detail" and you
> offer her thanks. Then strangely enough, continue with the
> asking of the same questions that you started with.
>
>

get used to it Wazoo, you get lots of folks like that, just shake your head & walk away, no matter what your answer is it's wrong even if "sc personnel" give the same answer if it matters folks like me do thank you for your work.

--
David 1
bad addy spamtrap@suescornerweb.com

From eddie at eddie.web Wed Feb 2 14:37:50 2005
From: eddie at eddie.web (eddie)
Date: Wed Feb 2 14:40:09 2005
Subject: [SpamCop-List] Re: don`t be an asshole Ethan
References:
Message-ID:

On Wed, 02 Feb 2005 18:05:15 +0000, Doug Thegarden scratched out the following:

> eddie wrote:
>>
>> Do people really respond to this stuff?
>>
>>
> You just have.
>
> Doug

I suppose you have too but of course you know what I meant, or so I hope.

From eddie at eddie.web Wed Feb 2 14:41:23 2005
From: eddie at eddie.web (eddie)
Date: Wed Feb 2 14:45:03 2005
Subject: [SpamCop-List] Re: don`t be an asshole Ethan
References:
Message-ID:

On Wed, 02 Feb 2005 18:05:15 +0000, Doug Thegarden scratched out the following:

> eddie wrote:
>>
>> Do people really respond to this stuff?
>>
>>
> You just have.
>
> Doug

I suppose you have too but of course you know what I meant, or so I hope. There is a difference between commenting upon and responding to.

From tdy at blackhole.invalid Wed Feb 2 11:41:08 2005
From: tdy at blackhole.invalid (N. Miller)
Date: Wed Feb 2 14:45:06 2005
Subject: [SpamCop-List] Re: "Sorry, this email is too old to file a spam report"
References: <41FDCF01.5981@xyzzy.claranet.de>
Message-ID:

In article <41FDCF01.5981@xyzzy.claranet.de>, Frank Ellermann says...
> Besides "communigate pro" is IMNSHO always a very bad sign.

It is not for me...
http://www.spamcop.net/sc?id=z727656642z65e35da3ee1532f978b0ec2c70625142z

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at devnull.spamcop.net Wed Feb 2 13:42:56 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Feb 2 14:45:09 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Ellen" wrote in message news:ctqp8o$i95$1@news.spamcop.net...
>
> Actually the age off is 24 hours and it has been that for at least a couple
> of months now. It is always good to take a glance at the faq every so often:
>
> http://www.spamcop.net/fom-serve/cache/297.html

Just noting that as per yet another recent major change in that FAQ, some type of notice would be much appreciated that these changes had taken place. As is, there has yet to be any "ownership" attributed to the last "big" change, other than the included bit of advertising for some hardware appliance ....

> And indeed in any information put together as a resource for users coming to
> the forum, newsgroups or elsewhere the faq on the SC website should be
> referenced as it is the official source of the operation of the blocklist.
> This keeps down the necessity for remembering to update the other
> faqs/boilerplates.

In fact, the Forum FAQ includes the content (pointers) right back to the www.spamcop.net FAQ ... but that still doesn't show any indication that the 'official' FAQ has been changed. (Dang it, yet another reminder that one of the first links in the Forum FAQ points to a www.spamcop.net entry that got whacked.)

> In any case the 24 hour clock runs off the valid timestamp from the last
> reported spam headers not the time that a user reported it.

Funny, there was just a bit of a discussion 'over there' that has some confusion over the 24 / 48 hour thing ...
http://forum.spamcop.net/forums/lofiversion/index.php/t3585.html

From nobody at spamcop.net Wed Feb 2 14:26:18 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Feb 2 15:10:02 2005
Subject: [SpamCop-List] Re: Why Am I Blocked? FAQ
References:
Message-ID:

"Miss Betsy" wrote in message news:ctr7n0$spf$1@news.spamcop.net...
>
>
> Since addresses did age off the bl for various reasons, at the time
> this written, in much less time than 48 hours, saying 'within'
> makes it accurate for any time within that period without going
> into all the details and it is still accurate even though the
> maximum time has changed, though it probably should be changed
> either to reflect the official time or made even more indefinite.
> And I did know that it had changed, but didn't think that it was
> that important to change this FAQ. Admins will want to know
> exactly when or what the criteria are (which they will find if they
> use the official FAQ) and end users have no interest.
>

If you are going to write and post something called a faq that someone new who comes into either the newsgroups or forums is going to be pointed to or which it is likely that they will fall across on the way in, then it should be accurate. When people see "faq" then they assume that the information is the official information for the site as they have no way of knowing otherwise. The criteria for the blocklist changes periodically and the official information on the website is what should be pointed to. People who see some article calling itself a faq expect it to reflect reality. It really does make a difference that people know the current expiration is 24 hours with no new reports and not 48 hours. And end users have *great* interest in knowing when something is going to delist -- our mail is overflowing with questions from end users as to when a listing is going to go away. In many cases, the end user is a whole lot more interested from what I can see.
Ellen
SpamCop

From nobody at spamcop.net Wed Feb 2 14:56:57 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Feb 2 15:10:08 2005
Subject: [SpamCop-List] Re: Spamcop Statistics
References:
Message-ID:

"Dorian Gray" wrote in message news:D.Gray-452397.18592002022005@news.cesmail.net...
> In article ,
> "Ellen" wrote:
>
> > There are various reasons why you may see anomalies in the stat graphs. I
> > cannot go into detail about them.
>
> Thanks Ellen. By anomalies, do you mean the spikes?

the things that people ask about -- which include spikes, dips and other variations from the presumable norm

>Okay, so they'll
> remain a mystery. But can you go into detail about the consistently
> lower level of submitted spam since September?

No

>Can you say whether or
> not it simply corresponds to the change in the limit on the age of
> accepted spam from 3 to 2 days, which IIRC also went with a
> recommendation that only spam less than 24 hours old was of any real
> usefulness to Spamcop?

The vast majority of the spam reports are and were submitted in under 24 hours or less and the traps run in near realtime.

Ellen
SpamCop

From tdy at blackhole.invalid Wed Feb 2 12:41:08 2005
From: tdy at blackhole.invalid (N. Miller)
Date: Wed Feb 2 15:45:06 2005
Subject: [SpamCop-List] Is this a broken mail host?
Message-ID:

This is a question that arises from the manner in which I handle spam from a Dark Horse Comics web mail account (listed in Mailhosts as "facehugger.com"!) In order not to examine spam items within the web access, I have only two options available:

A. Forward (re-writes message as a new item, with wholly new headers).
B. Redirect (appends new headers to show route from host, four key original headers have "X-Original-" prepended).

Background:
-----------
SpamCop throws an error if I redirect to my SC reporting address.
Oddly, if I redirect to a local account, then forward the redirected message to the SC reporting address as an attachment, the SC parser will then accept the message. I have, in the past, drastically edited the headers to restore the original appearance; but that is actually making material changes, as I understand the FAQ, so I discontinued the practice shortly after using it.
-----------

Sometimes a parse, using this arrangement, will display the "Yum, this spam is fresh!" tag, but with "Messsage is old", no indication of how many hours old. A recent tracker will help explain my question:

http://www.spamcop.net/sc?id=z727485666z26ea4d0b2d7eee01abadf8796f84a78cz

Looking at the lines which show timestamps I have:

--------------------------------------
Received: from gator.darkhorse.com (209.95.33.140) by aosake.net (Mercury/32 v4.01b) with ESMTP ID MG000008; 1 Feb 2005 09:15:43 -0800
--------------------------------------

Which is the server to which the message was redirected. Aosake.net is configured as a mailhost.

--------------------------------------
Received: by gator.darkhorse.com (CommuniGate Pro PIPE 4.2.8)
Received: from host81-132-217-183.range81-132.btcentralplus.com ([81.132.217.183] verified)
--------------------------------------

SC properly recognizes the source, and reports it as such. But there is no timestamp here.

--------------------------------------
X-Original-Date: Tue, 01 Feb 2005 04:20:36 -0100
--------------------------------------

Who stamped this line? The SpamCop parse apparently accepted the timestamp of aosake.net for determining the time of the message. The aosake.net timestamp would be 17:15:43 GMT? (Reversing the -0800 in the PDT stamp.) So the "X-Original-Date:" stamp should be 05:20:36 GMT? But I shouldn't trust that second timestamp, right?

Is something broken with "facehugger.com" (the configured mailhost ID) that "gator.darkhorse.com" is not stamping the time when it receives the message?
I may need to watch the reports more closely, because I may have to manually cancel reports which are actually over the time limit?

I guess I should get off my duff and question the administration of the DHC ("facehugger.com", according to Mailhosts) servers. It seems that between their implementation of SpamAssassin (sometimes breaks the headers), and the lack of rational timestamps, there may be serious problems with reporting spam to that account.

P.S. Both aosake.net and gator.darkhorse.com are configured as "Mailhosts"; the former is my own domain, and listed by the domain name, the latter is listed in "Mailhosts" as "facehugger.com"; probably because the first person with a DHC account to configure the server as a mailhost had an email address in the "facehugger.com" domain. My DHC account is in the "ahmegami.net" domain. There are currently 36 domains total, all relating to some comic story published by Dark Horse Comics. All should be handled by the "gator.darkhorse.com" servers. If it were up to me, the mailhost name would be one of; "gator.darkhorse.com", "Dark Horse Comics", or just "DHC".

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From tdy at blackhole.invalid Wed Feb 2 12:53:09 2005
From: tdy at blackhole.invalid (N. Miller)
Date: Wed Feb 2 15:55:06 2005
Subject: [SpamCop-List] Did my ISP cache the DNS lookup?
Message-ID:

Last night I submitted a spam for processing. The SpamCop parser could not resolve the link in the body:

http://www.spamcop.net/sc?id=z727656642z65e35da3ee1532f978b0ec2c70625142z

Submitting the link to DNSStuff indicated no "A record" for the domain in the URL:

http://www.dnsstuff.com/tools/lookup.ch?name=www.mymedcart.com&type=A

At the time I was working on the spam, I tried that domain name in Sam Spade for Windows, which uses my ISP's DNS servers.
The result then was:

02/01/05 21:41:54 dns www.mymedcart.com
Canonical name: www.mymedcart.com
Addresses:
  218.30.21.33

...and a safe browser actually pulled the raw data for the page from my Internet connection. Now SS is showing:

02/02/05 12:42:12 dns www.mymedcart.com
No DNS for this address (host doesn't exist)

Did I get lucky, and find the host before my ISP's DNS system got caught up with a change? Just curious.

P.S. I did send a manual notify, using the Sam Spade template, on the assumption that, if I could get there from here, it would be a legitimate reason for the notify. SpamCop was only involved to the extent that I ran the IP address, only, to compare the notify recipients with the Sam Spade results. The SC notify only went to the spam source, not to the hosts. I did not make any material changes to the spam item to trick the parser into including the web host in the SC notify.

P.P.S. The Sam Spade date convention seems to follow U.S. practice: mm/dd/yy.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From MikeE at ster.invalid Wed Feb 2 13:12:32 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Feb 2 16:15:03 2005
Subject: [SpamCop-List] Re: Indigo can't post
References:
Message-ID:

Fluffy wrote:
> Would he be
> blocked from the NNTP groups because his server is listed in SORBS?

No. Unless something unusual is going on in the newsgroup management end to cope with the proxy abusing newsgroup trolls, there wouldn't be any blocking on the basis of any kind of dnsbl blocklists.

If he hasn't been blocked accidentally by something involved with the troll problem, then I would next suspect that something is 'screwed up' with the/his spamcop newsserver account in OE.

If that were happening to me, I would R&R the spamcop newsserver account. That is, OE/ Tools/ Accounts/ News tab - select the news.spamcop.net newsserver and then the Remove button.
Then I would recreate the account in that same account place with the New button..

--
Mike Easter
kibitzer, not SC admin

From nobody