From porpoise1954 at yahoo.co.uk Tue Mar 1 01:42:00 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Mon Feb 28 20:55:07 2005
Subject: [SpamCop-List] Re: Firefox and Opera Vulnerabilities
References:
Message-ID:

"Ellen" wrote in message news:d00afb$rrf$1@news.spamcop.net...
>
> "David 1" wrote in message
> news:d004c2$nn5$1@news.spamcop.net...
>> Danny Goodman wrote:
>> > on 2/27/05 8:30 PM, spamcop-list-request@news.spamcop.net wrote:
>> >
>> >
>> >>Well, well, they're not so immune after all........
>> >>
>> >>http://software.silicon.com/malware/0,3800003100,39127678,00.htm
>> >>
>> >
>> >
>> > The article is dated 8Feb2005. Hardly news.
>> >
>
> Well it's interesting that on the firefox security page they don't mention
> the problem nor do they say anything about updating to 1.01 :-(
>
> Ellen

Probably because they didn't want to destroy the myth that anything but M$ is totally immune....

From nobody at devnull.spamcop.net Tue Mar 1 12:15:27 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Mon Feb 28 22:20:05 2005
Subject: [SpamCop-List] Re: Firefox and Opera Vulnerabilities
In-Reply-To:
References:
Message-ID:

Ellen wrote:
> "David 1" wrote in message
> news:d004c2$nn5$1@news.spamcop.net...
>
>>Danny Goodman wrote:
>>
>>>on 2/27/05 8:30 PM, spamcop-list-request@news.spamcop.net wrote:
>>>
>>>
>>>
>>>>Well, well, they're not so immune after all........
>>>>
>>>>http://software.silicon.com/malware/0,3800003100,39127678,00.htm
>>>>
>>>
>>>
>>>The article is dated 8Feb2005. Hardly news.
>>>
>
>
> Well it's interesting that on the firefox security page they don't mention
> the problem nor do they say anything about updating to 1.01 :-(
>
> Ellen

If you follow the link (on http://www.mozilla.org/security/) "list of known vulnerabilities", it is right on top of the list.
From David1 at suescornerweb.com Tue Mar 1 00:16:24 2005
From: David1 at suescornerweb.com (David 1)
Date: Tue Mar 1 00:15:04 2005
Subject: [SpamCop-List] huhh, not important, just wondering
Message-ID:

here is the tracker
http://www.spamcop.net/sc?id=z737419776zf5a2d4f80fb5d42c5450f8f2f2ce553bz

this is the second one I got in the last hour, the first one I sent to admin, sure wish I hadn't done that now but oh well

Question, does this mean anything or is it just a spammer having fun???
just wondering is all

Ellen & Don & whom ever, sorry I wasted your time with the first one.

--
David 1
bad addy spamtrap@suescornerweb.com

From nobody at devnull.spamcop.net Tue Mar 1 01:10:40 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Tue Mar 1 01:15:03 2005
Subject: [SpamCop-List] If you were the head of an ISP with 4000 zombies...
Message-ID:

If you were the head of an ISP with 4000 zombies, how would you solve the problem?

I am not defending the ISPs, but after some thought, I now realize that logistically this is a daunting task, especially if flat-out "blaming the customer" is not an option.

Apparently Comcast has begun taking action last year in this regard, by yanking connectivity, redirecting users to a web page where they can get information on how to clean up their system, where to buy an AV & firewall, etc. It must take weeks before the user comes back on line, especially if the user isn't technical. There are billing issues, since you can't charge someone who's not getting connectivity.

However, even that may not have a net positive effect. On a network as big as Comcast's, for every /one/ customer you take the time to clean up by contacting, educating, verifying AV and firewall installation, reconnecting, etc., possibly /two more/ have become zombies.
From nobody at devnull.spamcop.net Tue Mar 1 01:19:24 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Tue Mar 1 02:20:04 2005
Subject: [SpamCop-List] Re: Chris Rock Spam Solution [the telephone system ain't that geat]
In-Reply-To:
References:
Message-ID:

George Langford, Sc.D. wrote:
> I use *69 and find out that the caller's number is (200) 000-0000.

Sounds like you need Caller ID.

From nobody at devnull.spamcop.net Tue Mar 1 18:28:33 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Mar 1 04:30:29 2005
Subject: [SpamCop-List] Re: Firefox and Opera Vulnerabilities
In-Reply-To:
References:
Message-ID:

David 1 wrote:
> Patto wrote:
>
>> Ellen wrote:
>>
>>> "David 1" wrote in message
>>> news:d004c2$nn5$1@news.spamcop.net...
>>>
>>>> Danny Goodman wrote:
>>>>
>>>>> on 2/27/05 8:30 PM, spamcop-list-request@news.spamcop.net wrote:
>>>>>
>>>>>
>>>>>
>>>>>> Well, well, they're not so immune after all........
>>>>>>
>>>>>> http://software.silicon.com/malware/0,3800003100,39127678,00.htm
>>>>>>
>>>>>
>>>>>
>>>>> The article is dated 8Feb2005. Hardly news.
>>>>>
>>>
>>>
>>> Well it's interesting that on the firefox security page they don't mention
>>> the problem nor do they say anything about updating to 1.01 :-(
>>>
>>> Ellen
>>
>>
>>
>> If you follow the link (on http://www.mozilla.org/security/) "list of
>> known vulnerabilities", it is right on top of the list.
>
>
> They turned the darn thing off so it's fixed Correct ????????

Yes, it's fixed in 1.0.1

From agent01413 at my-deja.com Tue Mar 1 09:28:37 2005
From: agent01413 at my-deja.com (Socks the Whitehouse Cat)
Date: Tue Mar 1 04:30:39 2005
Subject: [SpamCop-List] reality check.
Message-ID:

I got a spam today through a listserv server. I didn't want to report the server as the source, because it wasn't the source and I didn't want to contribute to blocking it, so I deselected it from the reports.
However, that server owner wants to know when spam is coming through his lists so that he can block the points of origin, so he is set up as a third party interested in spam reports from certain IPAs. Am I correct in my belief that if I deselect his IPA on the "origin of spam" line, but leave it selected on the "third party interest line", he'll get notice without getting a ding for the report?

--
"...Life is not a journey to the grave with the intention of arriving safely in one pretty and well preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!!" -- Bill McKenna, date unknown

From nobody at devnull.spamcop.net Tue Mar 1 18:34:15 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Mar 1 04:35:02 2005
Subject: [SpamCop-List] Re: Firefox and Opera Vulnerabilities
In-Reply-To:
References:
Message-ID:

Patto wrote:
> David 1 wrote:
>
>> Patto wrote:
>>
>>> Ellen wrote:
>>>
>>>> "David 1" wrote in message
>>>> news:d004c2$nn5$1@news.spamcop.net...
>>>>
>>>>> Danny Goodman wrote:
>>>>>
>>>>>> on 2/27/05 8:30 PM, spamcop-list-request@news.spamcop.net wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Well, well, they're not so immune after all........
>>>>>>>
>>>>>>> http://software.silicon.com/malware/0,3800003100,39127678,00.htm
>>>>>>>
>>>>>>
>>>>>>
>>>>>> The article is dated 8Feb2005. Hardly news.
>>>>>>
>>>>
>>>>
>>>> Well it's interesting that on the firefox security page they don't mention
>>>> the problem nor do they say anything about updating to 1.01 :-(
>>>>
>>>> Ellen
>>>
>>>
>>>
>>>
>>> If you follow the link (on http://www.mozilla.org/security/) "list of
>>> known vulnerabilities", it is right on top of the list.
>>
>>
>>
>> They turned the darn thing off so it's fixed Correct ????????
>
>
> Yes, it's fixed in 1.0.1

But on IE6 with all security patches on, you can still get 100% fooled!
From David1 at suescornerweb.com Tue Mar 1 05:27:39 2005
From: David1 at suescornerweb.com (David 1)
Date: Tue Mar 1 05:25:28 2005
Subject: [SpamCop-List] Re: Firefox and Opera Vulnerabilities
In-Reply-To:
References:
Message-ID:

Patto wrote:
> Patto wrote:
>
>> David 1 wrote:
>>
>>> Patto wrote:
>>>
>>>> Ellen wrote:
>>>>
>>>>> "David 1" wrote in message
>>>>> news:d004c2$nn5$1@news.spamcop.net...
>>>>>
>>>>>> Danny Goodman wrote:
>>>>>>
>>>>>>> on 2/27/05 8:30 PM, spamcop-list-request@news.spamcop.net wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Well, well, they're not so immune after all........
>>>>>>>>
>>>>>>>> http://software.silicon.com/malware/0,3800003100,39127678,00.htm
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The article is dated 8Feb2005. Hardly news.
>>>>>>>
>>>>>
>>>>>
>>>>> Well it's interesting that on the firefox security page they don't mention
>>>>> the problem nor do they say anything about updating to 1.01 :-(
>>>>>
>>>>> Ellen
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> If you follow the link (on http://www.mozilla.org/security/) "list
>>>> of known vulnerabilities", it is right on top of the list.
>>>
>>>
>>>
>>>
>>> They turned the darn thing off so it's fixed Correct ????????
>>
>>
>>
>> Yes, it's fixed in 1.0.1
>
>
> But on IE6 with all security patches on, you can still get 100% fooled!

that not be a problem for me the ONLY place I haven't been able to use FX is msn Groups & GEEEE I wonder why that is. I had a problem at my Bank but they laughed & said go away we are on it you ain't the only one.

--
David 1
bad addy spamtrap@suescornerweb.com

From devnull at spamcop.net Tue Mar 1 08:31:26 2005
From: devnull at spamcop.net (Frog Prince)
Date: Tue Mar 1 08:35:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Sofa King Tyred of Lar Ting"
| If you were the head of an ISP with 4000 zombies, how would you solve
| the problem?
|
| I am not defending the ISPs, but after some thought, I now realize that
| logistically this is a daunting task, especially if flat-out "blaming
| the customer" is not an option.
|
| Apparently Comcast has begun taking action last year in this regard, by
| yanking connectivity, redirecting users to a web page where they can get
| information on how to clean up their system, where to buy an AV &
| firewall, etc. It must take weeks before the user comes back on line,
| especially if the user isn't technical. There are billing issues, since
| you can't charge someone who's not getting connectivity.
|
| However, even that may not have a net positive effect. On a network as
| big as Comcast's, for every /one/ customer you take the time to clean up
| by contacting, educating, verifying AV and firewall installation,
| reconnecting, etc., possibly /two more/ have become zombies.

Charter is a bit more proactive in that they provide a suite of free security software for all customers with an emphasis on the new customers. The only problem I have with their system is that will not provide any data on who/what it is they are installing on the customers' machines. When I've run into problems with their 'stuff' the only options provided a) complete reinstall b) remove and replace with other software. Reinstall sometimes works, removal is problematic as there is no real way to know you've gotten it all off the system short of reformatting.

From nobody at devnull.spamcop.net Tue Mar 1 08:35:40 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Mar 1 08:40:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Sofa King Tyred of Lar Ting" wrote in message news:d0110t$d9b$1@news.spamcop.net...
> If you were the head of an ISP with 4000 zombies, how would you solve the
> problem?
>
> I am not defending the ISPs, but after some thought, I now realize that
> logistically this is a daunting task, especially if flat-out "blaming the
> customer" is not an option.
>
> Apparently Comcast has begun taking action last year in this regard, by
> yanking connectivity, redirecting users to a web page where they can get
> information on how to clean up their system, where to buy an AV &
> firewall, etc. It must take weeks before the user comes back on line,
> especially if the user isn't technical. There are billing issues, since
> you can't charge someone who's not getting connectivity.
>
> However, even that may not have a net positive effect. On a network as big
> as Comcast's, for every /one/ customer you take the time to clean up by
> contacting, educating, verifying AV and firewall installation,
> reconnecting, etc., possibly /two more/ have become zombies.

I saw an interesting tidbit from Comcast this morning that -might- indicate that they are at least trying to tell people they are working on it. A spam from them came in with a |spam ... trailer on the subject line. I still reported it; that's not good enough and doesn't excuse it. If they can tag it, they can stop it.

I'll believe their progress when I see it, though I have seen a lot fewer comcast turdlets lately. At least in this one demographic. They're still spewing like crazy but they might be making progress.

The biggest problems ISP face, IMO, is that they aren't pro-active. They wait to see if something's big enough to "bother with" before they'll even consider action. By that time, it's too late to save their reps.

Pop

From postmaster at aroundthecreek.com Tue Mar 1 09:29:28 2005
From: postmaster at aroundthecreek.com (Brent Pirolli)
Date: Tue Mar 1 09:30:04 2005
Subject: [SpamCop-List] Pornographic Spam Assault
Message-ID:

Hey all, I'm new to the group and have been fighting one crazy mess lately...
I'm curious if anyone else out there is fighting this same problem or if you have ways to fight it that I haven't thought of yet.

I manage an Exchange 2000 mail server with about 60 accounts on it. We run Symantec Enterprise Edition which allows us to use RBL protection and I run about 5 RBLs on there, as well as use custom scanning rules to block unwanted junk.

Lately we've been getting blasted by pornographic emails that are absolutely ridiculous. First off, only half of the accounts are getting the spam... half aren't. This immediately tells me that it is most likely an infected home computer of one of the office staff or volunteers that is infected and is spamming their address book at home. Unfortunately I have had zero luck in tracking down a source or completely blocking the emails... here's why:

The emails come in with a spoofed random sender, spoofed random subject, and spoofed random text in the message (with purposely mis-spelled words). Generally only a word or two is in the message... such as "Have a good day." or "allow me... please :)" Then there are three image files that open from a randomly infected web server (usually apache or linux servers) that are in the message body next to each other to form one large image... Usually it is a scantily clad female but some have been flat out pornographic material. The email then has a remove button at the bottom that is a link to the same page as the rest of the images are...If you click on an image or the remove button, you are taken to the infected server, which then redirects you to the source site they are promoting... This is 3 out of 4 times a "married housewives" dating site.

Up until now I've been able to block the infected servers as we find them through filters (about 20 so far)... but obviously only more servers will be infected in the future... so this won't stop them permanently. I also block the mis-spelled words as they come in the subject lines... wmeon, wemon, wmoen....
all versions of women.... etc. There are about 30 of those so far... Heck... some of the subject lines were even dropping the f-bomb until I blocked that. But again, with the mis-spellings, they can make as many variations as they want.... hard to stop that!

So has anyone heard of this? Does anyone else fight this? Suggestions, comments, advice? The emails don't contain any virus attachments or anything... so I don't even know what is causing them to be sent! Very frustrating. To top it off.... The mail server is for a church.... so obviously... porn at church isn't a great thing.... Any help you can offer is greatly appreciated. Thanks!

--
Brent Pirolli

From MikeE at ster.invalid Tue Mar 1 06:32:17 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 1 09:35:02 2005
Subject: [SpamCop-List] Re: ISP accountability, Internet software "inspections", licenses, etc.
References:
Message-ID:

Larry Kilgallen wrote:
> As it happens, today marked the final release of Special Publication
> 800-53.
>
> http://csrc.nist.gov/sec-cert/ca-controls.html

The FISMA Implementation Project is composed of three distinct phases:

Phase I: Security Standards and Guidelines Development
Phase II: Organizational Accreditation Program
Project Status: Planned for FY 2006 but not funded at this time.
Phase III: Security Tool Validation Program
Project Status: Planned for FY 2006 but not funded at this time.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 1 06:53:36 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 1 09:55:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

Sofa King Tyred of Lar Ting wrote:
> If you were the head of an ISP with 4000 zombies, how would you solve
> the problem?

As a provider in a very competitive environment the provider cannot be spending a ton of money getting this problem straightened out.
I've been watching EL cutting corners and watching their pennies in every aspect of their business model; such as outsourcing their tech support to the level of incompetence and dissatisfaction of their clients to the point that if people need tech support for their connectivity satisfaction they should find some other provider. Such as not adding any new newsgroups in well over a year, and then when they finally started adding newsgroups, they aren't adding any binary ones, so they aren't chasing the binary news monster that unfolds if you provide a lot of broadband news access.

That 'background' being mentioned for purposes of keeping my costs way way down for straightening out this insecurity problem, I proceed....

I would start publishing a webpage telling about the problem and what I was going to do about it and what was going to start happening to my clients who were insecure and/or zombified and what my clients could do about it on their own to prevent such a shutdown. That webpage would assert that my clients have a responsibility to not inadvertently cause network insecurity problems.

I would also start accepting 'applications' from those who were interested in being on my list of approved home visit technicians, and I would set up criteria which greatly limited my responsibilities for these technicians as well as the requirements for what it took to be able to fulfill homevisit tech requirements and some guidelines for homevisit charges by these independent homevisit contractors.

Then I would accept a few homevisit techs in some major cities. A homevisit tech has to be competent to evaluate someone's security and to configure the computer with the necessary software and/or hardware to have reasonable expectation that the computer will continue to be secure. A blocked client can't get unblocked without a visitation and approval by a homevisit tech.
Then I would start pulling some connectivity or blocking port 25 or somehow adversely affecting a few zombies in a major city or two and not restore the full connectivity until the client had been 'inspected' by a homevisit tech at their expense.

I would be publicizing that activity and some feedback from my users who had used the information from the first par above on their own and achieved some security and better configuration, as well as some feedback from a client who had been blocked and also some feedback from a homevisit tech.

I'll leave it to someone else about just how to 'shutdown' a zombie while leaving some access to that webpage and some other information.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue Mar 1 09:55:12 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Tue Mar 1 10:00:03 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
In-Reply-To:
References:
Message-ID:

Brent Pirolli wrote:
> Unfortunately I have had zero luck in tracking
> down a source or completely blocking the emails... here's why:
>
> The emails come in with a spoofed random sender, spoofed random subject, and
> spoofed random text in the message (with purposely mis-spelled words).
> Generally only a word or two is in the message... such as "Have a good day."
> or "allow me... please :)" Then there are three image files that open from
> a randomly infected web server (usually apache or linux servers) that are in
> the message body next to each other to form one large image...

Sounds like a zombie army problem (many links describing that are on this page: http://pages.infinit.net/filmore/educateYourISP.htm).

What does SpamCop have to say about the emails?

People in this group like to see trackers of sample emails you've put into the SpamCop parser, so you should post those here if you can.

> So has anyone heard of this? Does anyone else fight this? Suggestions,
> comments, advice?
> The emails don't contain any virus attachments or
> anything... so I don't even know what is causing them to be sent! Very
> frustrating. To top it off.... The mail server is for a church.... so
> obviously... porn at church isn't a great thing.... Any help you can offer
> is greatly appreciated. Thanks!

It seems since you're on Exchange, you have limited options -- spamassassin works pretty well if you're on Linux.

On the other hand, you could check out SpamPal.org -- even though it was initially designed to work on end-user (POP and IMAP clients) machines, I've read on the spampal.org web site that it's been used with windows email servers.

SpamPal has a couple of nice features, at least while used on end-user PCs:

1) it has a plug-in (URLBody) that scans email content for URLs that are black-listed - probably the URLs for the compromised machines are already on a zombie-list, or, in many cases URLs pointing to IPs that are on dynamic IP addresses are considered to be bad news (a home-user isn't supposed to be running a web server). This is effective since you don't have to tweak any filters. The black-lists are dynamic and maintained by the community. In fact, reporting spams to spamcop helps in keeping those same lists up-to-date.

2) it can be configured easily to "white list" any email addresses. This is useful since occasionally a legitimate contact (who's on an ISP that has a bad reputation for spam, for example) get blocked as spam.

It also has a regular expression plug-in that filters on content, although I don't use it.

Good luck.

From firewoman at default.domain.not.available Tue Mar 1 10:01:27 2005
From: firewoman at default.domain.not.available (Firewoman)
Date: Tue Mar 1 10:00:05 2005
Subject: [SpamCop-List] Re: Chris Rock Spam Solution [the telephone system ain't that geat]
References:
Message-ID:

"Cat" wrote in message news:d0151i$ft9$1@news.spamcop.net...
> George Langford, Sc.D. wrote:
>
>
>
>> I use *69 and find out that the caller's number is (200) 000-0000.
>
>
>
> Sounds like you need Caller ID.

CallerID doesn't help when it shows the caller's phone number to be (200) 000-0000. Yes, I get the exact same thing, along with the k00ks from the benevolent society of the week.

However, if I'm home and the machine doesn't catch it, I have a little fun with them. Last week the benevolent telemarketer thought that he called in the middle of some really heavy stuff (panting, moaning, screaming and the like). I told him to keep talking, that the sound of his voice was really doing it for me. He hung up at the, uh, climax of the phone call. :-)

Who says telemarketers are boring?

From postmaster at aroundthecreek.com Tue Mar 1 10:06:06 2005
From: postmaster at aroundthecreek.com (Brent Pirolli)
Date: Tue Mar 1 10:05:03 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
References:
Message-ID:

What about http://xwall.us? Does anyone know if this works well or is worth using?

--
Brent Pirolli

"Sofa King Tyred of Lar Ting" wrote in message news:d01vod$6qd$1@news.spamcop.net...
> Brent Pirolli wrote:
>> Unfortunately I have had zero luck in tracking down a source or
>> completely blocking the emails... here's why:
>>
>> The emails come in with a spoofed random sender, spoofed random subject,
>> and spoofed random text in the message (with purposely mis-spelled
>> words). Generally only a word or two is in the message... such as "Have a
>> good day." or "allow me... please :)" Then there are three image files
>> that open from a randomly infected web server (usually apache or linux
>> servers) that are in the message body next to each other to form one
>> large image...
>
> Sounds like a zombie army problem (many links describing that are on this
> page: http://pages.infinit.net/filmore/educateYourISP.htm).
>
> What does SpamCop have to say about the emails?
>
> People in this group like to see trackers of sample emails you've put into
> the SpamCop parser, so you should post those here if you can.
>
>> So has anyone heard of this? Does anyone else fight this? Suggestions,
>> comments, advice? The emails don't contain any virus attachments or
>> anything... so I don't even know what is causing them to be sent! Very
>> frustrating. To top it off.... The mail server is for a church.... so
>> obviously... porn at church isn't a great thing.... Any help you can
>> offer is greatly appreciated. Thanks!
>
> It seems since you're on Exchange, you have limited options --
> spamassassin works pretty well if you're on Linux.
>
> On the other hand, you could check out SpamPal.org -- even though it was
> initially designed to work on end-user (POP and IMAP clients) machines,
> I've read on the spampal.org web site that it's been used with windows
> email servers.
>
> SpamPal has a couple of nice features, at least while used on end-user
> PCs:
>
> 1) it has a plug-in (URLBody) that scans email content for URLs that are
> black-listed - probably the URLs for the compromised machines are already
> on a zombie-list, or, in many cases URLs pointing to IPs that are on
> dynamic IP addresses are considered to be bad news (a home-user isn't
> supposed to be running a web server). This is effective since you don't
> have to tweak any filters. The black-lists are dynamic and maintained by
> the community. In fact, reporting spams to spamcop helps in keeping those
> same lists up-to-date.
>
> 2) it can be configured easily to "white list" any email addresses. This
> is useful since occasionally a legitimate contact (who's on an ISP that
> has a bad reputation for spam, for example) get blocked as spam.
>
> It also has a regular expression plug-in that filters on content, although
> I don't use it.
>
> Good luck.
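
The two filtering ideas from this exchange, Brent Pirolli's blocking of scrambled subject words and the blacklisted-URL scanning that Sofa King describes for SpamPal's URLBody plug-in, as an added Python example that is not part of the thread and is not SpamPal or Symantec code. The watch list, the host blocklist, the host names and both sample messages are constructed, and the "three tiled images plus remove link on one host" rule is an assumption taken from Brent's description.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed for this example: watch list and host blocklist (not real data).
WATCH_WORDS = {"women"}
BLOCKED_HOSTS = {"compromised-host.example"}


def _signature(word):
    """First letter, sorted interior letters, last letter (wmeon == wemon == wmoen)."""
    w = word.lower()
    return (w[0], "".join(sorted(w[1:-1])), w[-1])


WATCH_SIGNATURES = {_signature(w): w for w in WATCH_WORDS}


def scrambled_hits(text):
    """Map each scrambled token to the watch word it hides; correct spellings pass."""
    hits = {}
    for token in re.findall(r"[A-Za-z]{4,}", text):
        target = WATCH_SIGNATURES.get(_signature(token))
        if target and token.lower() != target:
            hits[token.lower()] = target
    return hits


class LinkCollector(HTMLParser):
    """Collect the hosts that <img src> and <a href> point at."""

    def __init__(self):
        super().__init__()
        self.image_hosts = []
        self.anchor_hosts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get("src") if tag == "img" else attrs.get("href") if tag == "a" else None
        try:
            host = urlsplit(url).hostname if url else None
        except ValueError:  # malformed URL: nothing to look up
            host = None
        if host:
            (self.image_hosts if tag == "img" else self.anchor_hosts).append(host.lower())


def html_body(msg):
    """Return the first text/html part of the message as text, or ''."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            return part.get_payload(decode=True).decode(charset, errors="replace")
    return ""


def assess(raw_message):
    """Return the list of reasons a message matches the pattern described in the thread."""
    msg = message_from_string(raw_message)
    reasons = []
    hits = scrambled_hits(msg.get("Subject", ""))
    if hits:
        reasons.append("scrambled watch word in subject: " + ", ".join(sorted(hits)))
    links = LinkCollector()
    links.feed(html_body(msg))
    image_hosts, anchor_hosts = set(links.image_hosts), set(links.anchor_hosts)
    if len(links.image_hosts) >= 3 and len(image_hosts) == 1 and anchor_hosts and anchor_hosts <= image_hosts:
        reasons.append("tiled remote images and every link on one host: " + next(iter(image_hosts)))
    listed = (image_hosts | anchor_hosts) & BLOCKED_HOSTS
    if listed:
        reasons.append("host on blocklist: " + ", ".join(sorted(listed)))
    return reasons


# Constructed sample messages.
SPAM = (
    "From: random.sender@sender.example\n"
    "Subject: lonely wmoen nearby\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "\n"
    "<html><body>Have a good day.<br>"
    '<img src="http://compromised-host.example/p1.jpg">'
    '<img src="http://compromised-host.example/p2.jpg">'
    '<img src="http://compromised-host.example/p3.jpg"><br>'
    '<a href="http://compromised-host.example/r">remove</a></body></html>\n'
)
HAM = (
    "From: office@church.example\n"
    "Subject: Women's ministry meeting Thursday\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Agenda attached.\n"
)

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM)):
        print(name, assess(raw))
```

The signature comparison covers every interior-letter scramble of a watch word with one entry, while the correctly spelled word in legitimate mail is left alone.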
From MikeE at ster.invalid Tue Mar 1 07:09:41 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 1 10:10:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

Mike Easter wrote:
> Sofa King Tyred of Lar Ting wrote:
>> If you were the head of an ISP with 4000 zombies, how would you solve
>> the problem?

> Then I would start pulling some connectivity or blocking port 25 or
> somehow adversely affecting a few zombies in a major city or two and
> not restore the full connectivity until the client had been
> 'inspected' by a homevisit tech at their expense.

> I'll leave it to someone else about just how to 'shutdown' a zombie
> while leaving some access to that webpage and some other information.

My primary target 'model', technically and network topology-wise is the cable modem user, which make very popular and prolific zombies.

So, it is likely that my blockage is going to have to 'involve' the cable infrastructure provider; in the case of a provider like EL, that cable infrastructure might be from TimeWarner or Comcast or somesuch. I don't have a good enough understanding of the technical obstacles to be dealt with there to know if that would be a big problem or not. If this is going to cause time, trouble, and expense to the infrastructure provider, we are going to have to figure out how to cut a deal about those issues.

The strategy for dsl would probably be different, as would that for dialup, which is not as popular a target to make a zombie army.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 1 07:13:07 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 1 10:15:03 2005
Subject: [SpamCop-List] Re: reality check.
References:
Message-ID:

Socks the Whitehouse Cat wrote:
> I got a spam today through a listserv server.
> I didn't want to report
> the server as the source, because it wasn't the source and I didn't
> want to contribute to blocking it, so I deselected it from the
> reports. However, that server owner wants to know when spam is coming
> through his lists so that he can block the points of origin, so he is
> set up as a third party interested in spam reports from certain IPAs.
> Am I correct in my belief that if I deselect his IPA on the "origin
> of spam" line, but leave it selected on the "third party interest
> line", he'll get notice without getting a ding for the report?

I didn't think you were supposed to handle the problem of mailing list spam like that, ie with SC.

http://www.spamcop.net/fom-serve/cache/14.html
On what type of email should I (not) use SpamCop? -- Spam sent to mailing lists -- Spam sent to mail lists/groups must not be reported using SpamCop except by the list owner. Subscribers may send a note to the list owner who can block the source from sending to the list or take responsibility for reporting the spam themselves.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue Mar 1 10:35:14 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Tue Mar 1 10:40:03 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
In-Reply-To:
References:
Message-ID:

Brent Pirolli wrote:
> What about http://xwall.us? Does anyone know if this works well or is worth
> using?
>

Google loves you: Among other immediate answers to questions about xwall and spam and reviews, it provides

http://www.windowsitpro.com/Windows/Article/ArticleID/44695/44695.html

The review is dated January 2005, so it seems recent. Can't say much more.

From dkona7b02 at sneakemail.com Tue Mar 1 11:51:36 2005
From: dkona7b02 at sneakemail.com (Spam Hater)
Date: Tue Mar 1 11:51:52 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
In-Reply-To:
References:
Message-ID: <3.0.5.32.20050301115136.00fe2320@loki.fstrf.org>

I have a cable modem. I was leasing mine from Adelphia for $3 a month but got a new one for Xmas so I can avoid that extra charge. I decided to just hook up the new one to see what would happen. It seemed to sync right up and everything was a go. I fired up my browser to see if I could get out to the 'net. No matter what address I typed in, I would only get an Adelphia support page telling me that they saw the new modem and that I would have to register it before I could do anything else.

Long story short, their online registration wouldn't work so I had to call them. During that conversation, I was told that as soon as their system realized that I had installed a new modem, I was automatically rerouted to their test network. I couldn't do anything other than access their support page or send email to them directly.

So, in response to this thread, that is exactly what they could do to anyone that triggers their zombie detection alert. Cut them off the live net and shunt them to a test server that severely limits what they can do until they clean up their system. As long as it is spelled out in their TOS, they can certainly continue to charge their fee during this time. The user is still getting connectivity, they just aren't able to spew out to the rest of the world!

At 07:09 AM 3/1/2005 -0800, Mike Easter typed:
>Mike Easter wrote:
>> Sofa King Tyred of Lar Ting wrote:
>>> If you were the head of an ISP with 4000 zombies, how would you solve
>>> the problem?
>
>> Then I would start pulling some connectivity or blocking port 25 or
>> somehow adversely affecting a few zombies in a major city or two and
>> not restore the full connectivity until the client had been
>> 'inspected' by a homevisit tech at their expense.
>
>> I'll leave it to someone else about just how to 'shutdown' a zombie
>> while leaving some access to that webpage and some other information.
>
>My primary target 'model', technically and network topology-wise is the
>cable modem user, which make very popular and prolific zombies.
>
>So, it is likely that my blockage is going to have to 'involve' the
>cable infrastructure provider; in the case of a provider like EL, that
>cable infrastructure might be from TimeWarner or Comcast or somesuch. I
>don't have a good enough understanding of the technical obstacles to be
>dealt with there to know if that would be a big problem or not. If this
>is going to cause time, trouble, and expense to the infrastructure
>provider, we are going to have to figure out how to cut a deal about
>those issues.
>
>The strategy for dsl would probably be different, as would that for
>dialup, which is not as popular a target to make a zombie army.

From MikeE at ster.invalid Tue Mar 1 09:16:18 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 1 12:15:06 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

Spam Hater wrote:
> No matter what address I typed in, I would
> only get an Adelphia support page telling me that they saw the new
> modem and that I would have to register it before I could do anything
> else.

I'm not sure I understand exactly what is going on there. I mean, I understand, but....

My current configuration is that I have a switch router between my LAN, the cable modem, and the cable modem's network 'connectivity' which is via TimeWarner. My provider is EL. The 'intermediate' hops in a traceroute next to me are RoadRunner IPs which are TimeWarners. Depending on where I'm going, ie 'across country' to Atlanta instead of Pasadena, the routing is different now that I'm an EL subscriber than it was when I was a RR subscriber. My news is EL's, my mail is EL's. But, if I have 'genuine' connectivity problems, such as my cable modem having blinking lights and not properly 'connected', I call TW for those problems.
I try to avoid calling EL for anything, and TW is responsive to troubleshooting my connectivity.

When the cable modem 'connects' it has obtained a 'lease' on an IP, and that lease lasts about a day, but then it gets a new lease, which is the same IP, and that IP sticks to me for many many months, even tho' ostensibly it is a dynamic IP. The 'system' at TW knows my cable modem's MAC address, and it also knows how many IPs it can give it; because once upon a time before my current configuration I actually subscribed to have 2 IPs instead of one, which, BTW, makes for great troubleshooting ability.

I suppose that the cable modem also knows my switchrouter's MAC address, and the switchrouter is thus doing the address translation business for the various computers on the LAN.

My point about all of that is that whatever was going on with you and Adelphia might be different for EL/TW and it might also be different for remedying this zombie problem.

--
Mike Easter
kibitzer, not SC admin

From feldethom2165 at email2me.net Tue Mar 1 08:56:08 2005
From: feldethom2165 at email2me.net (Fred k)
Date: Tue Mar 1 13:00:04 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Mike Easter" wrote in message news:d027ul$dj8$1@news.spamcop.net...
> Spam Hater wrote:
>> No matter what address I typed in, I would
>> only get an Adelphia support page telling me that they saw the new
>> modem and that I would have to register it before I could do anything
>> else.
>

Maybe I am not up to snuff, but stopping zombies should be as simple as comparing the From: to the account subscribers addy, and if not matching reject back to client. What is wrong with that? Not a big ISP resource would be needed. Of course rogue ISP's would not comply, so then they would be cut off by the upstream provider.
Fred k

From nobody at nowhere.invalid Tue Mar 1 19:05:37 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Mar 1 13:10:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

On Tue, 1 Mar 2005 08:56:08 -0900, Fred k coughed into spamcop and left this in :

> Maybe I am not up to snuff, but stopping zombies should be as simple as
> comparing the From: to the account subscribers addy, and if not matching
> reject back to client. What is wrong with that?

You're preventing anyone from using any domain other than that of their ISP - including preventing people from using their spamcop.net address.

--
Steve
Microsoft Palladium: "Where the hell do you think YOU'RE going today?"

From feldethom2165 at email2me.net Tue Mar 1 09:17:59 2005
From: feldethom2165 at email2me.net (Fred k)
Date: Tue Mar 1 13:20:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd29bnh.1vrc.nobody@127.0.0.1...
>
> You're preventing anyone from using any domain other than that of their
> ISP - including preventing people from using their spamcop.net address.

Well, I am not sure what you are saying. But if I log into my email from another domain via an internet connection, I have to log in with my password and my mail goes out with my email address in the from field.

Fred k

From porpoise1954 at yahoo.co.uk Tue Mar 1 18:11:52 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 1 13:25:06 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd29bnh.1vrc.nobody@127.0.0.1...
> On Tue, 1 Mar 2005 08:56:08 -0900, Fred k coughed into spamcop and left
> this in :
>
>> Maybe I am not up to snuff, but stopping zombies should be as simple as
>> comparing the From: to the account subscribers addy, and if not matching
>> reject back to client. What is wrong with that?
>
> You're preventing anyone from using any domain other than that of their
> ISP - including preventing people from using their spamcop.net address.
>

Also, not sure how that would work where it is not the ISP which is providing the email facilities....

From nobody at nowhere.invalid Tue Mar 1 19:31:43 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Mar 1 13:35:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

On Tue, 1 Mar 2005 09:17:59 -0900, Fred k coughed into spamcop and left this in :

> Well, I am not sure what you are saying. But if I log into my email from
> another domain via an internet connection, I have to log in with my password
> and my mail goes out with my email address in the from field.

From what I understood, you were basically saying that mail coming from an IP address unrelated to the domain in the From: e-mail address should be rejected. That won't work.

The IP addresses from which mail I send comes will have nothing to do with spamcop.net or with any of the domains I use and would therefore be rejected according to your system.

--
Steve
There's no place like ~

From eddie at eddie.web Tue Mar 1 13:36:05 2005
From: eddie at eddie.web (eddie)
Date: Tue Mar 1 13:40:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

On Tue, 01 Mar 2005 01:10:40 -0500, Sofa King Tyred of Lar Ting scratched out the following:

> If you were the head of an ISP with 4000 zombies, how would you solve the
> problem?
>
> I am not defending the ISPs, but after some thought, I now realize that
> logistically this is a daunting task, especially if flat-out "blaming the
> customer" is not an option.

snip

"The customer is always right" was said by a customer. Honest dealers know that the customer is almost always wrong.

I would put the zombies, as they were discovered, on a separate server which would require the user to let the server access his computer, clean it out, check it each time the user logs on, or once every few hours, and when he is a "good guy" for a month he could get back to the normal server. XP has a backdoor that could be used for this service and if the infected customer refuses, he cannot access the internet.

--
Once movie theaters gave out steak knives
Today they confiscate them

From feldethom2165 at email2me.net Tue Mar 1 09:44:25 2005
From: feldethom2165 at email2me.net (Fred k)
Date: Tue Mar 1 13:50:06 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd29d8f.29vn.nobody@127.0.0.1...
> The IP addresses from which mail I send comes will have nothing to do
> with spamcop.net or with any of the domains I use and would therefore be
> rejected according to your system.

My understanding is that I have an email account at myname@mailprovider.net. In order to send email from any computer signed into that account, it gets to the ISP that provides that mailservice. It then examines the mail for what to do with it and what email account sent it and does that match the from field. In your example I presume you are at work at a WiFi hotspot etc and are logged into and are sending email through your home email account.

Fred k

From zypher at spamcop.net Tue Mar 1 13:02:00 2005
From: zypher at spamcop.net (Ron B.)
Date: Tue Mar 1 14:05:04 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
In-Reply-To:
References:
Message-ID:

eddie wrote:
> On Tue, 01 Mar 2005 01:10:40 -0500, Sofa King Tyred of Lar Ting scratched
> out the following:
>
>
>>If you were the head of an ISP with 4000 zombies, how would you solve the
>>problem?
>>
>>I am not defending the ISPs, but after some thought, I now realize that
>>logistically this is a daunting task, especially if flat-out "blaming the
>>customer" is not an option.
>
>
> snip
> "The customer is always right" was said by a customer. Honest dealers
> know that the customer is almost always wrong.
> I would put the zombies, as they were discovered, on a separate server
> which would require the user to let the server access his computer, clean
> it out, check it each time the user logs on, or once every few hours, and
> when he is a "good guy" for a month he could get back to the
> normal server. XP has a backdoor that could be used for this service and
> if the infected customer refuses, he cannot access the internet.
>

Customer simply goes to another ISP _with_ his infected machine.

From pxpearson at spamxcop.net Tue Mar 1 12:15:14 2005
From: pxpearson at spamxcop.net (Peter Pearson)
Date: Tue Mar 1 15:15:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

Fred k wrote:
> "Steven Maesslein" wrote
>> The IP addresses from which mail I send comes will have nothing to do
>> with spamcop.net or with any of the domains I use and would therefore be
>> rejected according to your system.
>
> My understanding is that I have an email account at
> myname@mailprovider.net. In order to send email from any computer signed
> into that account, it gets to the ISP that provides that mailservice. . .

Is somebody here confusing the "From " field and the "From:" field? My ISP, Charter, seems to require that my "From " field match my Charter email address, but allows a Spamcop "From:" field.

--
Remove the two x's to get a good email address.
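The distinction raised in the message above, as an added example that is not part of the original thread: the envelope sender (recorded on the mbox "From " separator line) and the "From:" header are separate values, so a submission server can pin one to the logged-in account and leave the other free. The account, the addresses, the sample messages and the two policy functions are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed: the address the ISP issued to the logged-in subscriber.
ACCOUNT = "pat@isp.example"

# Constructed mbox entries. The first line of each is the mbox "From " separator,
# which carries the envelope sender; the "From:" header belongs to the message.
SAMPLES = {
    "isp_address_everywhere": (
        "From pat@isp.example Tue Mar  1 12:15:14 2005\n"
        "From: Pat <pat@isp.example>\nSubject: hello\n\nbody\n"
    ),
    "other_domain_header": (
        "From pat@isp.example Tue Mar  1 12:16:00 2005\n"
        "From: Pat <Pat@Forwarder.Example>\nSubject: hello\n\nbody\n"
    ),
    "forged_both": (
        "From qx7@bulk.example Tue Mar  1 12:17:00 2005\n"
        'From: "Offers" <deals@bulk.example>\nSubject: hi\n\nbody\n'
    ),
    "no_from_header": (
        "From pat@isp.example Tue Mar  1 12:18:00 2005\n"
        "Subject: no header sender\n\nbody\n"
    ),
}


def split_mbox_entry(raw):
    """Return (envelope_sender, header_from) for one mbox entry, lower-cased."""
    first, _, rest = raw.partition("\n")
    parts = first.split()
    if not first.startswith("From ") or len(parts) < 2:
        raise ValueError("not an mbox entry: missing 'From ' separator line")
    envelope = parts[1].lower()
    msg = message_from_string(rest)
    # parseaddr drops the display name; a missing header yields an empty string.
    header = parseaddr(msg.get("From", ""))[1].lower()
    return envelope, header


def envelope_pinned(account, envelope, header):
    """Policy described for Charter: envelope must be the account, From: is free."""
    return envelope == account


def header_pinned(account, envelope, header):
    """Policy proposed earlier in the thread: From: must be the account address."""
    return header == account


def evaluate(account, raw):
    """Apply both policies to one entry and report what each would decide."""
    envelope, header = split_mbox_entry(raw)
    return {
        "envelope": envelope,
        "header_from": header,
        "envelope_pinned": envelope_pinned(account, envelope, header),
        "header_pinned": header_pinned(account, envelope, header),
    }


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, evaluate(ACCOUNT, raw))
```

Both checks only see mail that is actually submitted through the ISP's own mail server.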
From eddie at eddie.web Tue Mar 1 15:14:38 2005
From: eddie at eddie.web (eddie)
Date: Tue Mar 1 15:15:10 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

On Tue, 01 Mar 2005 13:02:00 -0600, Ron B. scratched out the following:

snip
>
> Customer simply goes to another ISP _with_ his infected machine.

Eventually he will give up. But that kind of customer would not listen to advice anyway. He's a "know-it-all" and that's why he's got a zombie. Most normal people would follow their ISP's instructions and be happy to be rid of the infection. But some people enjoy disease.

--
Once movie theaters gave out steak knives
Today they confiscate them

From devnull at spamcop.net Tue Mar 1 15:16:41 2005
From: devnull at spamcop.net (Frog Prince)
Date: Tue Mar 1 15:20:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Mike Easter" wrote in message news:d020h8$7sf$1@news.spamcop.net...
| Mike Easter wrote:
| > Sofa King Tyred of Lar Ting wrote:
| >> If you were the head of an ISP with 4000 zombies, how would you solve
| >> the problem?
|
| > Then I would start pulling some connectivity or blocking port 25 or
| > somehow adversely affecting a few zombies in a major city or two and
| > not restore the full connectivity until the client had been
| > 'inspected' by a homevisit tech at their expense.
|
| > I'll leave it to someone else about just how to 'shutdown' a zombie
| > while leaving some access to that webpage and some other information.
|
| My primary target 'model', technically and network topology-wise is the
| cable modem user, which make very popular and prolific zombies.
|
| So, it is likely that my blockage is going to have to 'involve' the
| cable infrastructure provider; in the case of a provider like EL, that
| cable infrastructure might be from TimeWarner or Comcast or somesuch.
I
| don't have a good enough understanding of the technical obstacles to be
| dealt with there to know if that would be a big problem or not. If this
| is going to cause time, trouble, and expense to the infrastructure
| provider, we are going to have to figure out how to cut a deal about
| those issues.

Technical problem can't be that great. Takes them only seconds to pull the plug if the payment is not made.

From devnull at spamcop.net Tue Mar 1 15:20:33 2005
From: devnull at spamcop.net (Frog Prince)
Date: Tue Mar 1 15:50:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"eddie"
|
| > If you were the head of an ISP with 4000 zombies, how would you solve the
| > problem?
| >
| > I am not defending the ISPs, but after some thought, I now realize that
| > logistically this is a daunting task, especially if flat-out "blaming the
| > customer" is not an option.
|
| snip
| "The customer is always right" was said by a customer. Honest dealers
| know that the customer is almost always wrong.

Not to change the topic but in many cases that approach equates to the customer being someone else's customer in short order and if carried to extreme the business is no more.

From MikeE at ster.invalid Tue Mar 1 12:54:46 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 1 15:55:04 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

Frog Prince wrote:
> "Mike Easter"
>> My primary target 'model', technically and network topology-wise is
>> the cable modem user, which make very popular and prolific zombies.
>>
>> So, it is likely that my blockage is going to have to 'involve' the
>> cable infrastructure provider; in the case of a provider like EL,
>> that cable infrastructure might be from TimeWarner or Comcast or
>> somesuch.
I don't have a good enough understanding of the technical
>> obstacles to be dealt with there to know if that would be a big
>> problem or not. If this is going to cause time, trouble, and
>> expense to the infrastructure provider, we are going to have to
>> figure out how to cut a deal about those issues.
>
> Technical problem can't be that great. Takes them only seconds to
> pull the plug if the payment is not made.

Pulling the plug is one thing -- the refusal to grant or lease renew an IP to that cablemodem MAC = no connectivity.

The problem is about this 'discriminatory' partial blockage we're discussing. EL sez they are going to be using some kind of 'targeted' port 25 blockage. Part of this discussion here has been about allowing the bad IP to be able to access a website and to have some other kind of partial connectivity but stopping the proxy/trojan smtp injection business.

I can assure you that EL doesn't want to be talking on the telephone to much of anyone -- even their good customers, much less someone who has been disabled by this cleanup process.

I don't think you are going to be able to get providers to adopt the attitude, "Just permanently kill 'em and be done with it."

--
Mike Easter
kibitzer, not SC admin

From feldethom2165 at email2me.net Tue Mar 1 13:35:22 2005
From: feldethom2165 at email2me.net (Fred k)
Date: Tue Mar 1 17:40:20 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Peter Pearson" wrote in message news:d02ieq$mtg$1@news.spamcop.net...
> Fred k wrote:
> Is somebody here confusing the "From " field and the "From:" field?
> My ISP, Charter, seems to require that my "From " field match my
> Charter email address, but allows a Spamcop "From:" field.

I don't think so. In the case of spam through zombied clients the message FROM field is a fictitious addy.
What I am saying if the connected client machine and the spam's FROM addy don't match the ISP should not forward, but maybe bounce back to the zombied client.

Fred k
I could be wet behind my ears

From nobody at nowhere.not Tue Mar 1 22:43:17 2005
From: nobody at nowhere.not (Robert Blair)
Date: Tue Mar 1 17:45:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

On Tue, 1 Mar 2005 20:15:14 UTC, Peter Pearson wrote:

> > "Steven Maesslein" wrote
> >> The IP addresses from which mail I send comes will have nothing to do
> >> with spamcop.net or with any of the domains I use and would therefore be
> >> rejected according to your system.
> >
> > My understanding is that I have an email account at
> > myname@mailprovider.net. In order to send email from any computer signed
> > into that account, it gets to the ISP that provides that mailservice. . .
>
> Is somebody here confusing the "From " field and the "From:" field?
> My ISP, Charter, seems to require that my "From " field match my
> Charter email address, but allows a Spamcop "From:" field.

Your ISP may require you to do that but mine does not. I have several domain names (only one hosted by my ISP) and I can send email with both "From " and "From:" being anything I want and I do use this when I send email for my other domains. Of course this also depends on the options allowed by your software.

--
Robert Blair

From porpoise1954 at yahoo.co.uk Wed Mar 2 00:06:42 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 1 19:20:09 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Peter Pearson" wrote in message news:d02ieq$mtg$1@news.spamcop.net...
> Fred k wrote:
>> "Steven Maesslein" wrote
>>> The IP addresses from which mail I send comes will have nothing to do
>>> with spamcop.net or with any of the domains I use and would therefore be
>>> rejected according to your system.
>>
>> My understanding is that I have an email account at
>> myname@mailprovider.net. In order to send email from any computer signed
>> into that account, it gets to the ISP that provides that mailservice. . .
>
> Is somebody here confusing the "From " field and the "From:" field?
> My ISP, Charter, seems to require that my "From " field match my
> Charter email address, but allows a Spamcop "From:" field.
>

My ISP only provides the DSL connection. All my email is handled by my hosting company's Mxes. In order to send email, you have to have the username and password correct for that email address before the server will accept it for onward transmission. So merely having My Name myname@mydomain.com would not be sufficient to send email from any of my addresses under the various domains. The account logins and passwords are required also (which are unique to each address). So far, it hasn't failed.......

From nobody at devnull.spamcop.net Tue Mar 1 19:57:31 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Tue Mar 1 19:55:04 2005
Subject: [SpamCop-List] Re: Chris Rock Spam Solution [the telephone system ain't that geat]
References:
Message-ID:

"Firewoman" wrote in message news:d01vut$6u8$1@news.spamcop.net...
> "Cat" wrote in message
> news:d0151i$ft9$1@news.spamcop.net...
> > George Langford, Sc.D. wrote:
> >
> >
> >
> >> I use *69 and find out that the caller's number is (200) 000-0000.
> >
> >
> >
> > Sounds like you need Caller ID.
>
> CallerID doesn't help when it shows the caller's phone number to be (200)
> 000-0000.
>
> Yes, I get the exact same thing, along with the k00ks from the benevolent
> society of the week.
>
> However, if I'm home and the machine doesn't catch it, I have a little fun
> with them. Last week the benevolent telemarketer thought that he called in
> the middle of some really heavy stuff (panting, moaning, screaming and the
> like). I told him to keep talking, that the sound of his voice was really
> doing it for me.
He hung up at the, uh, climax of the phone call.
>
> :-)
>
> Who says telemarketers are boring?

I read somewhere that what to do with obscene phone calls was to start talking gibberish. I only tried it once, but it turned out to be a legitimate call. Not boring, no.

Miss Betsy

From SCNews.5.myspamgobbler at spamgourmet.com Tue Mar 1 17:20:12 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Tue Mar 1 20:25:03 2005
Subject: [SpamCop-List] Re: Chris Rock Spam Solution [the telephone system ain't that geat]
In-Reply-To:
References:
Message-ID:

Miss Betsy wrote:
>
> I read somewhere that what to do with obscene phone calls was to
> start talking gibberish. I only tried it once, but it turned out
> to be a legitimate call. Not boring, no.
>
> Miss Betsy
>
>

What's a legitimate obscene phone call?

:)

From devnull at spamcop.net Tue Mar 1 20:27:03 2005
From: devnull at spamcop.net (Frog Prince)
Date: Tue Mar 1 20:30:04 2005
Subject: [SpamCop-List] Re: Chris Rock Spam Solution [the telephone system ain't that geat]
References:
Message-ID:

"Brian (SnSR)"
| > I read somewhere that what to do with obscene phone calls was to
| > start talking gibberish. I only tried it once, but it turned out
| > to be a legitimate call. Not boring, no.
| >
| > Miss Betsy
| >
| >
|
| What's a legitimate obscene phone call?

Collect and you accept the charges.

From nobody at devnull.spamcop.net Tue Mar 1 20:33:10 2005
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Tue Mar 1 20:30:08 2005
Subject: [SpamCop-List] Re: Chris Rock Spam Solution [the telephone system ain't that geat]
References:
Message-ID:

"Brian (SnSR)" wrote in message news:d034d7$3eh$1@news.spamcop.net...
> Miss Betsy wrote:
>
> >
> > I read somewhere that what to do with obscene phone calls was to
> > start talking gibberish. I only tried it once, but it turned out
> > to be a legitimate call. Not boring, no.
> >
> > Miss Betsy
> >
> >
>
> What's a legitimate obscene phone call?
>
> :)

That's a good question! It's too long a story to recreate. I just never gave them a chance.

On that subject, one time my husband got an obscene call from a woman. You should have seen the look on his face!

It's just too bad that you can't deal with spammers by replying with gibberish. I wish I had the time to answer mortgage spammers the way one person did. Maybe one could quote scripture to the lonely housewives.

Miss Betsy

From nobody at devnull.spamcop.net Wed Mar 2 10:38:10 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Mar 1 20:40:03 2005
Subject: [SpamCop-List] PayPal phishing scam reported to eBay
Message-ID:

http://www.spamcop.net/sc?id=z737702656zbda166a0a13c232b1a197bfaffd2ff5fz

Contains several PayPal URLs, but SC attempts to report them to spoof#ebay.com@devnull.spamcop.net

Had another one yesterday that correctly reported to spoof@paypal.com

I wonder what this is...?

From MikeE at ster.invalid Tue Mar 1 17:52:49 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 1 20:55:03 2005
Subject: [SpamCop-List] Re: PayPal phishing scam reported to eBay
References:
Message-ID:

Patto wrote:
www.spamcop.net/sc?id=z737702656zbda166a0a13c232b1a197bfaffd2ff5fz
>
> Contains several PayPal URLs, but SC attempts to report them to
> spoof#ebay.com@devnull.spamcop.net

Not now. Yes now. Not now. Yes now. Something is dynamic. It depends on which resolution paypal does.

Canonical name: www.paypal.com
Addresses:
216.113.188.66
64.4.241.32 => ebay
64.4.241.33 => ebay
216.113.188.33
216.113.188.34
216.113.188.35
216.113.188.64
216.113.188.65

Re: https://www.paypal.com/us (Administrator of network hosting website referenced in spam)
spoof@paypal.com
postmaster@paypal.com
accessviolation@paypal.com

when SC gets the 64. resolution....
Re: https://www.paypal.com/us (Administrator of network hosting website referenced in spam)
spoof#ebay.com@devnull.spamcop.net
spam@ebay.com
postmaster@ebay.com

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Mar 2 11:11:18 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Mar 1 21:15:03 2005
Subject: [SpamCop-List] Re: PayPal phishing scam reported to eBay
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Patto wrote:
> www.spamcop.net/sc?id=z737702656zbda166a0a13c232b1a197bfaffd2ff5fz
>
>>Contains several PayPal URLs, but SC attempts to report them to
>>spoof#ebay.com@devnull.spamcop.net
>
>
> Not now. Yes now. Not now. Yes now. Something is dynamic. It
> depends on which resolution paypal does.
>
> Canonical name: www.paypal.com
> Addresses:
> 216.113.188.66
> 64.4.241.32 => ebay
> 64.4.241.33 => ebay
> 216.113.188.33
> 216.113.188.34
> 216.113.188.35
> 216.113.188.64
> 216.113.188.65
>
> Re: https://www.paypal.com/us (Administrator of network hosting website
> referenced in spam)
> spoof@paypal.com
> postmaster@paypal.com
> accessviolation@paypal.com
>
> when SC gets the 64. resolution....
>
> Re: https://www.paypal.com/us (Administrator of network hosting website
> referenced in spam)
> spoof#ebay.com@devnull.spamcop.net
> spam@ebay.com
> postmaster@ebay.com

Thank you, Mike, you always have good explanations for the mysteries of the Internet.

From nobody at devnull.spamcop.net Wed Mar 2 11:19:59 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Mar 1 21:20:02 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
In-Reply-To:
References:
Message-ID:

Brent Pirolli wrote:
> Hey all,
>
> I'm new to the group and have been fighting one crazy mess lately... I'm
> curious if anyone else out there is fighting this same problem or if you
> have ways to fight it that I haven't thought of yet.
>
> I manage an Exchange 2000 mail server with about 60 accounts on it.
We run
> Symantec Enterprise Edition which allows us to use RBL protection and I run
> about 5 RBLs on there, as well as use custom scanning rules to block
> unwanted junk. Lately we've been getting blasted by pornographic emails
> that are absolutely ridiculous.
>
> First off, only half of the accounts are getting the spam... half aren't.
> This immediately tells me that it is most likely an infected home computer
> of one of the office staff or volunteers that is infected and is spamming
> their address book at home. Unfortunately I have had zero luck in tracking
> down a source or completely blocking the emails... here's why:
>
> The emails come in with a spoofed random sender, spoofed random subject, and
> spoofed random text in the message (with purposely mis-spelled words).
> Generally only a word or two is in the message... such as "Have a good day."
> or "allow me... please :)" Then there are three image files that open from
> a randomly infected web server (usually apache or linux servers) that are in
> the message body next to each other to form one large image... Usually it is
> a scantily clad female but some have been flat out pornographic material.
> The email then has a remove button at the bottom that is a link to the same
> page as the rest of the images are...If you click on an image or the remove
> button, you are taken to the infected server, which then redirects you to
> the source site they are promoting... This is 3 out of 4 times a "married
> housewives" dating site.
>
> Up until now I've been able to block the infected servers as we find them
> through filters (about 20 so far)... but obviously only more servers will be
> infected in the future... so this won't stop them permanently. I also block
> the mis-spelled words as they come in the subject lines... wmeon, wemon,
> wmoen.... all versions of women.... etc. There are about 30 of those so
> far... Heck... some of the subject lines were even dropping the f-bomb until
> I blocked that.
But again, with the mis-spellings, they can make as many
> variations as they want.... hard to stop that!
>
> So has anyone heard of this? Does anyone else fight this? Suggestions,
> comments, advice? The emails don't contain any virus attachments or
> anything... so I don't even know what is causing them to be sent! Very
> frustrating. To top it off.... The mail server is for a church.... so
> obviously... porn at church isn't a great thing.... Any help you can offer
> is greatly appreciated. Thanks!

The reasons why some accounts get spam, and others none, are various. Simple account names are prone to dictionary attacks, and therefore are spammed. Email addresses that have been exposed to the Internet get spammed. There may be a multitude of other reasons.

So to avoid spam, avoid simple account names, and avoid exposing email addresses. Which may be hard if you need a sales@domain.name address on your website.

So then you need filtering. I don't think manual filtering as you do it will get the job done. It will just drive you crazy!

Our company has IMF (Exchange Intelligent Message Filter) on the Exchange Server, and I have Cloudmark's SafetyNet on my Outlook client. Together these two tools manage to keep my account 100% spam-free.

From nobody at spamcop.net Wed Mar 2 03:15:49 2005
From: nobody at spamcop.net (me-no-no)
Date: Tue Mar 1 22:20:03 2005
Subject: [SpamCop-List] FL = Safe Haven (No More) ?
Message-ID:

Possibly :-)

[News] BellSouth Investigation Leads to Guilty Plea in Spamming Case. State of Florida Prosecutes and Convicts Spammer on Felony Charge...
http://biz.yahoo.com/prnews/050301/cltu050_1.html

Ciao
Meno

From nobody at devnull.spamcop.net Tue Mar 1 21:35:45 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Tue Mar 1 22:40:02 2005
Subject: [SpamCop-List] Re: Chris Rock Spam Solution [the telephone system ain't that geat]
In-Reply-To:
References:
Message-ID:

Firewoman wrote:
> "Cat" wrote in message
> news:d0151i$ft9$1@news.spamcop.net...
>>Sounds like you need Caller ID.
>
>
> CallerID doesn't help when it shows the caller's phone number to be (200)
> 000-0000.

How do they get it to show up like that?

> Yes, I get the exact same thing, along with the k00ks from the benevolent
> society of the week.

I've never gotten that one, not that I'm complaining though.

> However, if I'm home and the machine doesn't catch it, I have a little fun
> with them. Last week the benevolent telemarketer thought that he called in
> the middle of some really heavy stuff (panting, moaning, screaming and the
> like). I told him to keep talking, that the sound of his voice was really
> doing it for me. He hung up at the, uh, climax of the phone call.
>
> :-)
>
> Who says telemarketers are boring?

LOL! It's been a while since I've had to deal with a telemarketer since I'm on the Do Not Call list. I've never tried that approach though, but it made me laugh. I have actually asked telemarketers if I could have their home numbers so that I could call and bug them while they're busy.

From pete+usenet at heypete.com Tue Mar 1 20:02:37 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Tue Mar 1 23:05:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

In article , eddie wrote:

> XP has a backdoor that could be used for this service and if the
> infected customer refuses, he cannot access the internet.

What if the customer doesn't have Windows XP? What if the network arrangements at the user's residence prevent such monitoring (i.e. the user was infected by email, but cannot accept incoming connections from the network due to a firewall)? What about the privacy concerns of this?

-----

That said, here's my idea:

1) If reports (either from external sources, or through automated network monitoring tools) indicate that the user is zombied and sending malicious data (i.e.
viruses, spam, etc.), my first step would be to immediately block all traffic to and from the connection.

2) All HTTP traffic would then be directed to an ISP-run site describing the issue in very simple terms (advanced information could be accessed by a link, but by default the information would be suitable for someone's grandmother).

3) As the ISP, I would have attempted to license various anti-virus software for my end-user's use (many anti-virus programs, such as Avast! or Grisoft AVG are freely available for end-users). This software would then be provided, free of charge, to the customer. Holes would be punched in the access-restriction for sites like http://housecall.trendmicro.com/, or to resources like Windows Update and anti-virus definition update sites that are connected to by the anti-virus software itself (i.e. Symantec's LiveUpdate, etc.)

4) The help-page described above would also indicate that access would be restricted indefinitely, until malicious traffic ceased for at least 6 hours (perhaps 12-24, depending on how the ISP feels, I'd prefer 6).

5) If the user follows the instructions, but still is unable to stem the flow of malicious traffic (say the user's machine is secure, but someone mooching off their WiFi network is the one who's zombied), they would be directed to call tech support for help limiting access over WiFi or more advanced malware removal.

-----

Seems pretty simple and easy, at least to me. I'm sure there's plenty of flaws in the idea, and plenty of stupid people to fall for them. :)

--
Pete Stephenson
HeyPete.com

From wb8tyw at qsl.network Tue Mar 1 23:10:27 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Tue Mar 1 23:15:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
In-Reply-To:
References:
Message-ID:

Fred k wrote:
>
>
> I don't think so. In the case of spam through zombied clients the message
> FROM field is a fictitious addy.
What I am saying if the connected client
> machine and the spam's FROM addy don't match the ISP should not forward, but
> maybe bounce back to the zombied client.

What you do not understand is two things:

1. That legitimate users of a mail server routinely use different sending domains than the one of the mail server. Requiring the sending domain of the mail server to match the name of the sender's domain would cause a lot of real mail to be rejected. Far more mail than it would stop spam.

2. That the zombies do not usually send the spam through the ISP's mail server. They do not go through secure relays either.

The defense against zombies on an ISP is simple, leave port 25 open only for registered mail servers. Other users can use port 587 to access external mail servers.

All broadband ISPs should be warning their customers that access remote mail servers by port 25 now to make arrangements now to use port 587 instead and to prepare for port 25 to be cut off.

There already is precedence for an ISP to block port 25 without warning because some other ISP put a block all e-mail from that because of the zombies that were attacking it.

There have been reports here of other residential ISPs putting a block on port 25 without notice, and no reason has been given for this sudden action.

Now in the meantime, the protection from zombies on the receiving end is through two means:

1. DNSBLS including a DHCP list like SORBS.NET offers.

2. rDNS checks. Real mail servers have an rDNS assigned. An I.P. address with no rDNS at all should not be sending mail. Also having DHCP, DIAL, DYNA, or pool and a few others in the rDNS means that it is probably a zombie.
-John
wb8tyw@qsl.network
Personal Opinion Only

From MikeE at ster.invalid Tue Mar 1 20:21:50 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 1 23:25:02 2005
Subject: [SpamCop-List] Re: PayPal phishing scam reported to eBay
References:
Message-ID:

Patto wrote:
> Thank you, Mike, you always have good explanations for the mysteries
> of the Internet.

My first answer was 'not now' and I was going to paste the paypal result I was seeing -- but then when I checked 'underneath' I got a different answer. Then I saw the 'back and forth' result, so I wanted to know why.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 1 21:43:19 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 2 00:45:03 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
References:
Message-ID:

Brent Pirolli wrote:
> We run Symantec Enterprise Edition which allows us to use RBL
> protection and I run about 5 RBLs on there,

Which RBLs?

> Unfortunately I
> have had zero luck in tracking down a source

Why is that? Presumably they, the various sources, are abused proxies, most pr0n spams are. Perhaps you mean a /single/ or 'meaningful' source IP.

> The emails come in with a spoofed random sender, spoofed random
> subject, and spoofed random text in the message

Neither of those - sender or subject - are useful screening elements. Trying to screen body content is tricky. I suspect you'd be better focusing on a better source blocklist strategy than a different body algorithm. However, some regex rules for the body are pretty classy. SpamAssassin's are -- but then you are mucking about with Exchange.

--
Mike Easter
kibitzer, not SC admin

From skiwi at spamcop.net Tue Mar 1 23:11:46 2005
From: skiwi at spamcop.net (Skiwi)
Date: Wed Mar 2 02:15:03 2005
Subject: [SpamCop-List] "http://definitive.ofthedistancehighchance.com/" can't be resolved (?)
Message-ID:

"Parsing input: http://definitive.ofthedistancehighchance.com/
host definitive.ofthedistancehighchance.com (checking ip) ip not found ;
definitive.ofthedistancehighchance.com discarded as fake.
No recent reports, no history available
Cannot resolve http://definitive.ofthedistancehighchance.com/
No valid email addresses found, sorry!"

but Mozilla can get there! :-)

From skiwi at spamcop.net Tue Mar 1 23:16:08 2005
From: skiwi at spamcop.net (Skiwi)
Date: Wed Mar 2 02:20:04 2005
Subject: [SpamCop-List] Re: "http://definitive.ofthedistancehighchance.com/" can't beresolved (?)
In-Reply-To:
References:
Message-ID:

Skiwi wrote:
> "Parsing input: http://definitive.ofthedistancehighchance.com/
> host definitive.ofthedistancehighchance.com (checking ip) ip not found ;
> definitive.ofthedistancehighchance.com discarded as fake.
> No recent reports, no history available
> Cannot resolve http://definitive.ofthedistancehighchance.com/
> No valid email addresses found, sorry!"
>
> but Mozilla can get there! :-)

SamSpade does OK though - and hey look, it's Austria, the new Brazil!

----------
whois
Whois: @whois.
Server Used: [ whois.joker.com ]

http://definitive.ofthedistancehighchance.com/ = [ 195.214.239.110 ]
domain: ofthedistancehighchance.com
status: lock
owner: gordon bank
email: gg200hf@hotmail.com

address: 67 ruth st
city: viena
state: --
postal-code: 54323
country: AT
admin-c: gg200hf@hotmail.com0
tech-c: gg200hf@hotmail.com0
billing-c: gg200hf@hotmail.com0
nserver: ns1.www1212.com
nserver: ns2.www1212.com
nserver: ns1.perfectons.com 213.159.120.98
nserver: ns2.perfectons.com 202.99.172.153
registrar: JORE-1
created: 2005-02-08 08:23:11 UTC JORE-1
modified: 2005-02-08 08:35:05 UTC JORE-1
expires: 2006-02-08 03:23:11 UTC
source: joker.com
db-updated: 2005-03-02 07:13:39 UTC

From sache at grignon.inra.fr Wed Mar 2 08:56:39 2005
From: sache at grignon.inra.fr (Ivan Sache)
Date: Wed Mar 2 03:00:03 2005
Subject: [SpamCop-List] Re: "http://definitive.ofthedistancehighchance.com/" can't be resolved(?)
References:
Message-ID: <422571B7.5B932F1D@grignon.inra.fr>

Hi,

Skiwi wrote:

> SamSpade does OK though - and hey look, it's Austria, the new Brazil!

> Server Used: [ whois.joker.com ]
>
> http://definitive.ofthedistancehighchance.com/ = [ 195.214.239.110 ]
> domain: ofthedistancehighchance.com
> status: lock
> owner: gordon bank
> email: gg200hf@hotmail.com
>
> address: 67 ruth st
> city: viena
> state: --
> postal-code: 54323
> country: AT
> admin-c: gg200hf@hotmail.com0

Probably bogus registration data. And that does not seem to be Austria but Russia.

SpamCop v 1.412 (C) Ironport Systems Inc., 1998-2005 , All rights reserved.
Parsing input: 195.214.239.110
host 195.214.239.110 (getting name) no name
host 195.214.239.110 = pci8n110.telpol.net.pl (old cache)
Routing details for 195.214.239.110
[refresh/show] Cached whois for 195.214.239.110 : igor@hostelecom.ru.com
Using last resort contacts igor@hostelecom.ru.com

Bad guys, indeed:

195.214.236.0/22 is listed on the Register Of Known Spam Operations (ROKSO) database as being assigned to, under the control of, or providing service to a known professional spam operation run by Jeffrey Peters - JTel / CPU Solutions.

Hostelecom / iptransitonline.net (Feb 23, 2005) Peer1.net link terminated

inetnum: 195.214.236.0 - 195.214.239.255
netname: Hostelecom-01
descr: Hostelecom, Russian Federation, Saint-Petersburg
country: RU
org: ORG-HR2-RIPE
admin-c: IK900-RIPE
tech-c: IK900-RIPE
notify: igor@hostelecom.ru.com
status: ASSIGNED PI
...

Regards

--
Ivan Sache

From bar_n0ne at hotmail.com Wed Mar 2 12:19:26 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Mar 2 03:20:02 2005
Subject: [SpamCop-List] Re: "http://definitive.ofthedistancehighchance.com/" can't be resolved(?)
References: <422571B7.5B932F1D@grignon.inra.fr>
Message-ID:

See interspersed comments:

"Ivan Sache" wrote in message
news:422571B7.5B932F1D@grignon.inra.fr...
> Hi,
>
> Skiwi wrote:
>
> > SamSpade does OK though - and hey look, it's Austria, the new Brazil!
>
> > Server Used: [ whois.joker.com ]
> >
> > http://definitive.ofthedistancehighchance.com/ = [ 195.214.239.110 ]
> > domain: ofthedistancehighchance.com
> > status: lock
> > owner: gordon bank
> > email: gg200hf@hotmail.com
> >
> > address: 67 ruth st

Would be RuthStrasse in Austria, or Ruth Str

> > city: viena

would be Wien in Austria, (in English VieNNa)

> > state: --

Yes they do have states in Austria and they are part of the postal address

> > postal-code: 54323
> > country: AT
> > admin-c: gg200hf@hotmail.com0

Violation of Hotmail TOS, which can get the address killed.
The whole registration is bogus, Joker truly are jokers for not even doing the most basic and elementary due diligence.
I'd be surprised if the registration would even look plausible to any German/Austrian without even checking postal codes, city, or street names.
In my book Joker are not a reputable registrar.

>
> Probably bogus registration data. And that does not seem to be Austria
> but Russia.
>
SNIPPED
> Regards
>
> --
> Ivan Sache

Cheers, Berny

From nobody at xyzzy.claranet.de Wed Mar 2 11:39:51 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Mar 2 05:45:03 2005
Subject: [SpamCop-List] Re: reality check.
References:
Message-ID: <422597F7.3A8D@xyzzy.claranet.de>

Socks the Whitehouse Cat wrote:

> if I deselect his IPA on the "origin of spam" line, but leave
> it selected on the "third party interest line", he'll get
> notice without getting a ding for the report?

Yes, you'd see it on the "reports sent" page. As Mike said it's not enough to deselect all other reports, it would be still counted for the SCBL.

Bye, Frank

From nobody at xyzzy.claranet.de Wed Mar 2 11:49:55 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Mar 2 05:55:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID: <42259A53.2267@xyzzy.claranet.de>

Sofa King Tyred of Lar Ting wrote:

> If you were the head of an ISP with 4000 zombies, how would
> you solve the problem?

Get a proper abuse desk and let them tackle 40 cases per day. After four months you're almost clean. Process it as stack (last in first out), not as queue.

> I am not defending the ISPs

Yes, you are. Criminal organizations like spamcast just want excuses for not paying a proper abuse desk. But a zombie without port 25 is still a zombie, these criminals and their customers should be hunted as the scum they are.
Bye, Frank

_every_ _spamcast_ _customer_ _belongs_ _to_ _the_ _mob_

From philip at pch.home.cs.vu.nl Wed Mar 2 11:33:00 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Wed Mar 2 06:05:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID: <1j2uh5qdk0al652kggb6j61dn3@inews_id.stereo.hq.phicoh.net>

In article , Sofa King Tyred of Lar Ting wrote:
>If you were the head of an ISP with 4000 zombies, how would you solve
>the problem?
>
>I am not defending the ISPs, but after some thought, I now realize that
>logistically this is a daunting task, especially if flat-out "blaming
>the customer" is not an option.

1) Prevention. Provide free virus/trojan scanning on the ISPs incoming mail servers. Provide free trojan scanning on web-proxies and encourage customers to use those proxies. This is expensive, but it can be done

2) Detection. Create monitoring systems that detect suspicious activity, and have enough staff to disconnect systems that abuse the net. This is also expensive. I don't think that billing issues should be a problem. That is a matter of carefully wording the contract.

3) Prevention. When it comes to spam, keep port 25 closed and let customers pay a monthly fee to have it opened (this makes it possible to make those customers pay for the extra abuse staff). For ddos attacks, make sure that egress filtering is in place.

The basic problem is that the spam situation is not bad enough to spend a lot of extra money solving it. (The ddos problem is very serious, but it is very hard to put pressure on ISPs to make sure that egress filtering is in place).

What is most likely going to happen is that DUL lists will get more and more complete and that more and more people will start using those lists. At some point spammers start sending large amounts of spam through smarthosts (the Spamhaus warning). At that point, people will slowly start blocking outgoing MTAs of major ISPs.
At that point ISP will have to take action (and increase prices to cover the costs) or their customers won't have e-mail connectivity.

An alternative is that customers of access ISPs will start buying services such as e-mail from other ISPs to make sure that their e-mail will get through.

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been done by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From nobody at nowhere.invalid Wed Mar 2 12:45:03 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 2 06:50:25 2005
Subject: [SpamCop-List] Re: "http://definitive.ofthedistancehighchance.com/" can't be resolved(?)
References: <422571B7.5B932F1D@grignon.inra.fr>
Message-ID:

On Wed, 2 Mar 2005 12:19:26 +0400, Berny coughed into spamcop and left this in :

>> > address: 67 ruth st
>
> Would be RuthStrasse in Austria, or Ruth Str

And the number would be after: Ruth Str. 67.

>> > city: viena
>
> would be Wien in Austria, (in English VieNNa)

Since when have you expected spammers to spell correctly? :)

--
Steve
Stupidity is NOT a handicap. Park elsewhere!

From porpoise1954 at yahoo.co.uk Wed Mar 2 12:07:07 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Wed Mar 2 07:20:02 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
References:
Message-ID:

"Patto" wrote in message news:d037sg$6pn$1@news.spamcop.net...
> Brent Pirolli wrote:
>>
>> First off, only half of the accounts are getting the spam... half aren't.
>> This immediately tells me that it is most likely an infected home
>> computer of one of the office staff or volunteers that is infected and is
>> spamming their address book at home. Unfortunately I have had zero luck
>> in tracking down a source or completely blocking the emails... here's
>> why:
>>
>>
>> So has anyone heard of this? Does anyone else fight this?
Suggestions,
>> comments, advice? The emails don't contain any virus attachments or
>> anything... so I don't even know what is causing them to be sent! Very
>> frustrating. To top it off.... The mail server is for a church.... so
>> obviously... porn at church isn't a great thing.... Any help you can
>> offer is greatly appreciated. Thanks!
>
> The reasons why some accounts get spam, and others none, are various.
> Simple account names are prone to dictionary attacks, and therefore are
> spammed. Email addresses that have been exposed to the Internet get
> spammed. There may be a multitude of other reasons.

Probably one of the main ones is being in the address books of other people who get the addresses scraped from them via trojans, phone-homes, whatever. With those, it doesn't matter how complicated you make your email address................

>
> So to avoid spam, avoid simple account names, and avoid exposing email
> addresses. Which may be hard if you need a sales@domain.name address on
> your website.

Obfuscating email addresses within webpages is child's play if you're using something like PHP because it only "appears" when the page is rendered within the browser window, so it can't be scraped from the file by robots like it can from a vanilla HTML file.

From wb8tyw at qsl.network Wed Mar 2 07:41:53 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Wed Mar 2 07:45:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
In-Reply-To: <1j2uh5qdk0al652kggb6j61dn3@inews_id.stereo.hq.phicoh.net>
References: <1j2uh5qdk0al652kggb6j61dn3@inews_id.stereo.hq.phicoh.net>
Message-ID:

Philip Homburg wrote:

> 2) Detection. Create monitoring systems that detect suspicious activity,
> and have enough staff to disconnect systems that abuse the net.
> This is also expensive. I don't think that billing issues should be
> a problem. That is a matter of carefully wording the contract.
The capability is standard in professional monitoring equipment if the technicians are skilled enough to use it once it has been set up. Any major network that does not have this monitoring equipment is basically blind and unable to solve most of the common network problems that can be expected.

There are significant costs in not doing this monitoring. The ISP buys bandwidth at a metered rate, and sizes their equipment for a predicted load. It does not take too many zombies to saturate a network segment, in some cases only one. In which case, not only is the ISP losing money on the bandwidth being stolen, they are also losing money as they are issuing refunds/credits to the affected customers until the zombie is shut down.

And even without the zombie issue, this monitoring is needed to find broken equipment. One of the failure modes of network equipment is to start flooding the network with bogus packets, and in some cases this can trigger a cascade failure where other pieces of equipment join in.

So any ISP that is whining about the cost of doing that type of monitoring does not have a clue as to how much cash loss it would prevent and is trying to operate like the Hooterville phone company on Green Acres instead of a real business.

> 3) Prevention. When it comes to spam, keep port 25 closed and let
> customers pay a monthly fee to have it opened (this makes it possible
> to make those customers pay for the extra abuse staff).
> For ddos attacks, make sure that egress filtering is in place.

No reason for charging extra to unblock the port, unless there already is multiple tiers of service. The port is only needed if the customer is authorized to run a mail server, and most of the TOS I have seen prohibit such servers on their DHCP pools. The unlocking can be done by request of a web page.

> The basic problem is that the spam situation is not bad enough to spend
> a lot of extra money solving it.
(The ddos problem is very serious, but it
> is very hard to put pressure on ISPs to make sure that egress filtering is
> in place).

I disagree, the problem is that ISPs are not looking at how much their inaction is costing them in profits and reputation. I think that if they did a true accounting, they would find out that they are wasting money by not keeping the zombies under control.

> What is most likely going to happen is that DUL lists will get more and
> more complete and that more and more people will start using those lists.
> At some point spammers start sending large amounts of spam through
> smarthosts (the Spamhaus warning). At that point, people will slowly start
> blocking outgoing MTAs of major ISPs. At that point ISP will have to take
> action (and increase prices to cover the costs) or their customers won't
> have e-mail connectivity.

Already happened in the past, the reasons that spammers avoid the smart hosting is that the ISPs usually react to that very quickly. And the better run ones have rate limiting and other anti-spam measures in place that will prevent the spammer from getting out more than a few spams before the zombie is blocked.

Based on postings on an internal forum for my broadband ISP, at least two major U.S. ISPs block the I.P. or the subnet that any spam or viruses comes from as quickly as it is detected, and they do not care if they block all the mail servers of an ISP. It usually takes from 24 to 72 hours to get all the blocks removed by the requests from the blocked ISP.

Right now, the ISPs are increasing prices to cover the costs lost from their lack of action. If they did things properly their costs would be lower.

So they can not use the excuse that it would cost more money. That is bogus. It only costs more money to clean up a problem that has been allowed to grow to the point where there is thousands of active zombies. All it means is that the ISP has not learned from the lessons of the past.
> An alternative is that customers of access ISPs will start buying services
> such as e-mail from other ISPs to make sure that their e-mail will get
> through.

I already have had to do that. But not because of zombies, but because the mail servers for at least two broadband ISPs have been misconfigured on several occasions each to refuse all e-mail claiming that none of the e-mail addresses exist on them.

You will not find a zombie problem on a network where the owner is paying attention to how much each zombie costs them in additional costs.

You will not find much spam in your inbox if the cost of the additional bandwidth and equipment to handle spam is coming out of the mail server operators pocket.

The case where AOL blocked a European ISP for 72 hours about the spam zombie issue proved how quickly that an ISP can bring their zombies under control if they are motivated enough.

The costs of the zombies alone should motivate an ISP to get serious about preventing them. Waiting for someone else to block them indicates that they have no clue as to how to make money at their business.

And blocking port 25 for non-registered mail servers, makes the primary use of the zombies useless for that network.

The other step is to block I.P. ranges that are attempting to use viruses at the router, and to block I.P. addresses of spam web servers at the border until a local customer requests an opening.
-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at nowhere.invalid Wed Mar 2 14:04:43 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 2 08:05:04 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
References:
Message-ID:

On Wed, 2 Mar 2005 12:07:07 -0000, Porpoise coughed into spamcop and left this in :

> Obfuscating email addresses within webpages is child's play if you're using
> something like PHP because it only "appears" when the page is rendered
> within the browser window, so it can't be scraped from the file by robots
> like it can from a vanilla HTML file.

Robots also call up pages using HTTP. If an e-mail address is sent to a browser by PHP, it can also be sent to a 'bot.

Until spammer bots know how to interpret javascript (some might already), the arguably best way to have mailto: links on a page is to have them built by javascript. Yes, it breaks for people using browsers with javascript disabled, but those people are probably fully aware of the reasons behind not putting an e-mail address up in the clear in the first place.

Alternatively, something like this works fine on a domain I administer (no spam attempts yet on the e-mail address which is UNfiltered):

Otherwise, the script I use to obfuscate the address is this:

--
Steve
Why is it that people say they slept like a baby when babies wake up every two hours?

From MikeE at ster.invalid Wed Mar 2 05:33:18 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 2 08:35:03 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
References:
Message-ID:

Steven Maesslein wrote:
> Porpoise
>> Obfuscating email addresses within webpages is child's play

> the arguably best way to have mailto: links on a page is to
> have them built by javascript.
Yes, it breaks for people using
> browsers with javascript disabled,

There are a lot of ways to hide mailto/s

http://spamlinks.net/spambots-hiding.htm Hiding from Spambots
Generalised Hiders and Descriptions
Javascript Email Encoders
HTML Character Entities
CSS Encoding
Passive Web-based Scripts
Web-based Contact Pages
Other Methods
Manual Address Munging
Examples

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Mar 2 09:01:43 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Wed Mar 2 09:05:03 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
References:
Message-ID:

...
> There are a lot of ways to hide mailto/s
>
> http://spamlinks.net/spambots-hiding.htm Hiding from Spambots
> Generalised Hiders and Descriptions
> Javascript Email Encoders
> HTML Character Entities
> CSS Encoding
> Passive Web-based Scripts
> Web-based Contact Pages
> Other Methods
> Manual Address Munging
> Examples
...

Excellent Resource - thanks. I've wished for an all-in-one page like that and been unable to find one. Makes it easy to check on various methods.

Pop

From nobody at devnull.spamcop.net Wed Mar 2 09:07:41 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Wed Mar 2 09:10:06 2005
Subject: [SpamCop-List] OT to Steve: Re: "http://definitive.ofthedistancehighchance.com/" can't be resolved(?)
References: <422571B7.5B932F1D@grignon.inra.fr>
Message-ID:

Steve,
...
>
> Stupidity is NOT a handicap. Park elsewhere!

I'm disabled; any problems with my thieving your sig? I'm gonna make up business cards with it to stick in the door slits or under the wipers where I shop.

Pop

From philip at pch.home.cs.vu.nl Wed Mar 2 15:16:31 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Wed Mar 2 09:35:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References: <1j2uh5qdk0al652kggb6j61dn3@inews_id.stereo.hq.phicoh.net>
Message-ID:

In article , John E. Malmberg wrote:
>Philip Homburg wrote:
>> 2) Detection.
Create monitoring systems that detect suspicious activity,
>> and have enough staff to disconnect systems that abuse the net.
>> This is also expensive. I don't think that billing issues should be
>> a problem. That is a matter of carefully wording the contract.
>
>The capability is standard in professional monitoring equipment if the
>technicians are skilled enough to use it once it has been set up. Any
>major network that does not have this monitoring equipment is basically
>blind and unable to solve most of the common network problems that can
>be expected.

I am not that worried about the network equipment. I think that when larger ISPs make a list of customers who generate a lot of SMTP connections and they compute the number of people needed to disconnect them and the hand holding required to reconnect them, then they will ignore those statistics, because it is too expensive to do anything about it.

>There are significant costs in not doing this monitoring. The ISP buys
>bandwidth at a metered rate, and sizes their equipment for a predicted
>load. It does not take too many zombies to saturate a network segment,
>in some cases only one. In which case, not only is the ISP losing money
>on the bandwidth being stolen, they are also losing money as they are
>issuing refunds/credits to the affected customers until the zombie is
>shut down.

I don't know. My ISP just went from a fair use policy to completely unrestricted bandwidth usage. Now, my ISP does have a relatively clean network, so it may not be an issue. But my guess is that they have plenty of unused upstream bandwidth available anyhow. Most customers generate a lot of downstream traffic, leaving the upstream on symmetrical connections mostly idle. (I have ADSL, for cable the situation may be different).

>And even without the zombie issue, this monitoring is needed to find
>broken equipment.
One of the failure modes of network equipment is to
>start flooding the network with bogus packets, and in some cases this
>can trigger a cascade failure where other pieces of equipment join in.

I can imagine that extremely sloppy ISP simply wait for complaints to come in before they investigate anything.

>> 3) Prevention. When it comes to spam, keep port 25 closed and let
>> customers pay a monthly fee to have it opened (this makes it possible
>> to make those customers pay for the extra abuse staff).
>> For ddos attacks, make sure that egress filtering is in place.
>
>No reason for charging extra to unblock the port, unless there already
>is multiple tiers of service. The port is only needed if the customer
>is authorized to run a mail server, and most of the TOS I have seen
>prohibit such servers on their DHCP pools. The unlocking can be done by
>request of a web page.

This may be the case in the US. In .nl, most ADSL providers allowed servers and home networks from day one. Running servers is popular enough that the better cable providers are also changing their AUPs to allow this kind of use.

The main thing is: most customers do not use direct-to-MX, so by default port 25 should be closed.

>> The basic problem is that the spam situation is not bad enough to spend
>> a lot of extra money solving it. (The ddos problem is very serious, but it
>> is very hard to put pressure on ISPs to make sure that egress filtering is
>> in place).
>
>I disagree, the problem is that ISPs are not looking at how much their
>inaction is costing them in profits and reputation. I think that if
>they did a true accounting, they would find out that they are wasting
>money by not keeping the zombies under control.

I don't know about the US. I think that in .nl reputation is mostly a non-issue when it comes to zombies. Customers care about the spam in their mailboxes, they have no clue where the spam comes from (and most spam comes from other countries anyhow).
I guess that upstream traffic is mostly free, except when a cable segment is overloaded.

>> What is most likely going to happen is that DUL lists will get more and
>> more complete and that more and more people will start using those lists.
>> At some point spammers start sending large amounts of spam through
>> smarthosts (the Spamhaus warning). At that point, people will slowly start
>> blocking outgoing MTAs of major ISPs. At that point ISP will have to take
>> action (and increase prices to cover the costs) or their customers won't
>> have e-mail connectivity.
>
>Already happened in the past, the reasons that spammers avoid the smart
>hosting is that the ISPs usually react to that very quickly. And the
>better run ones have rate limiting and other anti-spam measures in place
>that will prevent the spammer from getting out more than a few spams
>before the zombie is blocked.

Most ISPs didn't have rate limiting when Swen first broke out. 419 spammers often use smarthosts, and they don't seem to have any problems sending lots of spams. At the moment, using zombies and direct-to-MX is probably the best choice for spammers.

>Based on postings on an internal forum for my broadband ISP, at least
>two major U.S. ISPs block the I.P. or the subnet that any spam or
>viruses comes from as quickly as it is detected, and they do not care if
>they block all the mail servers of an ISP. It usually takes from 24 to
>72 hours to get all the blocks removed by the requests from the blocked ISP.

That is probably the kind of pressure that will convince ISPs to cleanup their act.

>Right now, the ISPs are increasing prices to cover the costs lost from
>their lack of action. If they did things properly their costs would be
>lower.

I don't know. My ISP is doing thing properly, and they are one of the most expensive ISPs around (in .nl).

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been done by.
It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From AHaumer_gmxnet at nospam.invalid Wed Mar 2 15:36:51 2005
From: AHaumer_gmxnet at nospam.invalid (Anton Haumer)
Date: Wed Mar 2 09:40:03 2005
Subject: [SpamCop-List] Re: "http://definitive.ofthedistancehighchance.com/" can't be resolved(?)
References: <422571B7.5B932F1D@grignon.inra.fr>
Message-ID: <4225CF83.A9CA5ED0@nospam.invalid>

Berny wrote:
>
> See interspersed comments:
>
> "Ivan Sache" wrote in message
> news:422571B7.5B932F1D@grignon.inra.fr...
> > Hi,
> >
> > Skiwi wrote:
> >
> > > SamSpade does OK though - and hey look, it's Austria, the new Brazil!
> >
> > > Server Used: [ whois.joker.com ]
> > >
> > > http://definitive.ofthedistancehighchance.com/ = [ 195.214.239.110 ]
> > > domain: ofthedistancehighchance.com
> > > status: lock
> > > owner: gordon bank
> > > email: gg200hf@hotmail.com
> > >
> > > address: 67 ruth st
>
> Would be RuthStrasse in Austria, or Ruth Str
>
> > > city: viena
>
> would be Wien in Austria, (in English VieNNa)
>
> > > state: --
>
> Yes they do have states in Austria and they are part of the postal address

No, they aren't part of the postal address

>
> > > postal-code: 54323
> > > country: AT
> > > admin-c: gg200hf@hotmail.com0

postal codes in Austria consist of 4 numbers, not 5.

>
> Violation of Hotmail TOS, which can get the address killed.
>
> The whole registration is bogus, Joker truly are jokers for not even doing
> the most basic and elementary due diligence.
> I'd be surprised if the registration would even look plausible to any
> German/Austrian without even checking postal codes, city, or street names.
> In my book Joker are not a reputable registrar.
>
> >
> > Probably bogus registration data. And that does not seem to be Austria
> > but Russia.
> >
> SNIPPED
> > Regards
> >
> > --
> > Ivan Sache
>
> Cheers, Berny

Greetings from Austria, Toni

From nobody at nowhere.invalid Wed Mar 2 15:51:40 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 2 09:55:03 2005
Subject: [SpamCop-List] Re: OT to Steve: Re: "http://definitive.ofthedistancehighchance.com/" can't be resolved(?)
References: <422571B7.5B932F1D@grignon.inra.fr>
Message-ID:

On Wed, 2 Mar 2005 09:07:41 -0500, Pop coughed into spamcop and left this in :

>> Stupidity is NOT a handicap. Park elsewhere!
>
> I'm disabled; any problems with my thieving your sig? I'm gonna make up
> business cards with it to stick in the door slits or under the wipers where
> I shop.

Be my guest! Now, if I could only remember where *I* found it...

--
Steve

There are only 10 kinds of people in the world:
Those who understand binary, and those who don't.

From nobody at devnull.spamcop.net Wed Mar 2 10:00:05 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Wed Mar 2 10:05:02 2005
Subject: [SpamCop-List] Honeypot
Message-ID:

Is anyone familiar with honeypots.org?

If so, has your experience been positive?

The hype looks good, I see a possibility for abuse, but, I might be overly
paranoid. I don't run a server, but do have web pages and cgi access, on
the two sites, shortly 3 that I manage - this looks useful if it's on the
up and up.

TIA
Pop
--
Perfection is not only elusive,
it is also limited with unexpected and
dangerous results for the idealist.

From nobody at devnull.spamcop.net Wed Mar 2 10:02:54 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Wed Mar 2 10:05:08 2005
Subject: [SpamCop-List] Re: http://www.projecthoneypot.org/
References:
Message-ID:

OOPS! Got my tongue in front of my eye teeth and couldn't see what I was
typing: That URL is
http://www.projecthoneypot.org/,

NOT honeypot.org!!

Sorry 'bout that!

Pop
--
Perfection is not only elusive,
it is also limited with unexpected and
dangerous results for the idealist.

"Pop" wrote in message news:d04kdi$9pc$1@news.spamcop.net...
> Is anyone familiar with honeypots.org?
>
> If so, has your experience been positive?
>
> The hype looks good, I see a possibility for abuse, but, I might be overly
> paranoid. I don't run a server, but do have web pages and cgi access, on
> the two sites, shortly 3 that I manage - this looks useful if it's on the
> up and up.
>
> TIA
> Pop
> --
> Perfection is not only elusive,
> it is also limited with unexpected and
> dangerous results for the idealist.
>

From Merlyn at Spamcop.net Wed Mar 2 10:11:38 2005
From: Merlyn at Spamcop.net (Merlyn)
Date: Wed Mar 2 10:15:02 2005
Subject: [SpamCop-List] Re: http://www.projecthoneypot.org/
References:
Message-ID:

"Pop" wrote in message news:d04kiq$a0t$1@news.spamcop.net...
> OOPS! Got my tongue in front of my eye teeth and couldn't see what I was
> typing: That URL is
> http://www.projecthoneypot.org/,
>
> NOT honeypot.org!!
>
> Sorry 'bout that!
>
> Pop
>

They worked with me to complete a new setup that wasn't on their list. They
were very helpful and I give em a two thumbs up.

--
Regards,
Merlyn
A Spamcop advocate
No emails this account is for newsgroups only

People demand freedom of speech to make up for
the freedom of thought which they avoided

From wb8tyw at qsl.network Wed Mar 2 10:36:27 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Wed Mar 2 11:40:47 2005
Subject: [SpamCop-List] Re: OT to Steve: Re: "http://definitive.ofthedistancehighchance.com/" can't be resolved(?)
References: <422571B7.5B932F1D@grignon.inra.fr>
Message-ID:

In article , Steven Maesslein writes:
> On Wed, 2 Mar 2005 09:07:41 -0500, Pop coughed into spamcop and left
> this in :
>
>>> Stupidity is NOT a handicap. Park elsewhere!

Being Lazy is also NOT a handicap.

>> I'm disabled; any problems with my thieving your sig? I'm gonna make up
>> business cards with it to stick in the door slits or under the wipers where
>> I shop.
I think that the laziness comment should be added to the signs.

What I would like to see on some tv show is for them to rig up what looks
like a wheelchair lift on a van so that it can flip over cars that park in
the no parking zones next to the handicap stalls, blocking the door to the
van.

-John
wb8tyw@qsl.network
Personal Opinion Only.

From eddie at eddie.web Wed Mar 2 11:54:10 2005
From: eddie at eddie.web (eddie)
Date: Wed Mar 2 11:55:02 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

On Tue, 01 Mar 2005 20:02:37 -0800, Pete Stephenson scratched out the
following:

> In article ,
> eddie wrote:
>
>> XP has a backdoor that could be used for this service and if the
>> infected customer refuses, he cannot access the internet.
>
> What if the customer doesn't have Windows XP?

What trojans are out there that are not XP? How many?

> What about the privacy concerns of this?

Privacy on the internet?? If you want privacy, use a phone.
If your computer is trojanized, you have no privacy - somebody is using it
Having it fixed increases privacy.

> -----

--
Once movie theaters gave out steak knives
Today they confiscate them

From porpoise1954 at yahoo.co.uk Wed Mar 2 17:54:56 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Wed Mar 2 13:10:07 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"eddie" wrote in message
news:pan.2005.03.02.16.54.09.462000@eddie.web...
> On Tue, 01 Mar 2005 20:02:37 -0800, Pete Stephenson scratched out the
> following:
>
>> In article ,
>> eddie wrote:
>>
>>> XP has a backdoor that could be used for this service and if the
>>> infected customer refuses, he cannot access the internet.
>>
>> What if the customer doesn't have Windows XP?
> What trojans are out there that are not XP? How many?
>

Do you seriously think most machines out there are running XP?
The ones in US/EU maybe, but I bet there are more running other flavours
round the planet. 95, 98, ME, DOS, etc.

>
>> What about the privacy concerns of this?
> Privacy on the internet?? If you want privacy, use a phone.
> If your computer is trojanized, you have no privacy - somebody is using it
> Having it fixed increases privacy.

I concur!

From porpoise1954 at yahoo.co.uk Wed Mar 2 18:06:22 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Wed Mar 2 13:20:03 2005
Subject: [SpamCop-List] Re: If you were the head of an ISP with 4000 zombies...
References:
Message-ID:

"Kenneth Loafman" wrote in message
news:metb215744sl5j16c476psji47oij1ap0o@4ax.com...
> On Tue, 1 Mar 2005 08:56:08 -0900, "Fred k"
> wrote:
>
>>
>>"Mike Easter" wrote in message
>>news:d027ul$dj8$1@news.spamcop.net...
>>> Spam Hater wrote:
>>>> No matter what address I typed in, I would
>>>> only get an Adelphia support page telling me that they saw the new
>>>> modem and that I would have to register it before I could do anything
>>>> else.
>>>
>>
>>
>>Maybe I am not up to snuff, but stopping zombies should be as simple as
>>comparing the From: to the account subscribers addy, and if not matching
>>reject back to client. What is wrong with that? Not a big ISP resource
>>would
>>be needed. Of course rogue ISP's would not comply, so then they would be
>>cut
>>off by the upstream provider.
>
> That's the very reason I dropped my previous providers. I have my own
> domain and I *will* use that address in the email, or the service is not
> adequate to my needs.
>

I still don't follow what everyone is harping on about here.

My ISP has absolutely nothing to do with where my mailservers are hosted and
my mailserver host doesn't know what IP I might be connecting from at any
given time.

So how does it make sure that I have authorisation to use the mailservers?
Simple! It requires a login and password before it will accept mail from
anyone.
So while I'm travelling round with my laptop, or using other PCs or
whatever, in different locations, I can send and download mail from anywhere
I can get an internet connection - as long as I know the valid
login/password.

No login/password? No sendee email! Same as is required to D/L mail.

So, whether I use my home ADSL, my work ADSL, a dialin from wherever, or
whatever - it's irrelevant.

So if my hosting company can manage it, whatsall wrong with the others?

From porpoise1954 at yahoo.co.uk Wed Mar 2 18:10:45 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Wed Mar 2 13:25:03 2005
Subject: [SpamCop-List] Re: "http://definitive.ofthedistancehighchance.com/" can't be resolved(?)
References: <422571B7.5B932F1D@grignon.inra.fr>
Message-ID:

"Ivan Sache" wrote in message
news:422571B7.5B932F1D@grignon.inra.fr...
> Hi,
>
> Skiwi wrote:
>
>> SamSpade does OK though - and hey look, it's Austria, the new Brazil!
>
>> Server Used: [ whois.joker.com ]
>>
>> http://definitive.ofthedistancehighchance.com/ = [ 195.214.239.110 ]
>> domain: ofthedistancehighchance.com
>> status: lock
>> owner: gordon bank
>> email: gg200hf@hotmail.com
>>
>> address: 67 ruth st
>> city: viena
>> state: --
>> postal-code: 54323
>> country: AT
>> admin-c: gg200hf@hotmail.com0
>
> Probably bogus registration data. And that does not seem to be Austria
> but Russia.
>

That's funny, I was just about to say that:

(From www.DNSstuff.com)

Country: UKRAINE (high)

Looking up 195.214.239.110 at whois.ripe.net.

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 195.214.236.0 - 195.214.239.255
netname: Hostelecom-01
descr: Hostelecom, Russian Federation, Saint-Petersburg
country: RU
org: ORG-HR2-RIPE
admin-c: IK900-RIPE
tech-c: IK900-RIPE
notify: ****@hostelecom.ru.com
status: ASSIGNED PI
mnt-by: RIPE-NCC-HM-PI-MNT
mnt-by: AS15497-MNT
mnt-lower: RIPE-NCC-HM-PI-MNT
mnt-routes: AS15497-MNT
mnt-domains: AS15497-MNT
changed: **********@ripe.net 20050204
source: RIPE

route: 195.214.236.0/22
descr: Hostelecom
origin: AS34542
mnt-by: MNT-HOSTELECOM
changed: ********@colocall.net 20050214
source: RIPE

organisation: ORG-HR2-RIPE
org-name: Hostelecom Russia
org-type: NON-REGISTRY
address: Russian Federation, Saint-Petersburg,
address: Milionaya Prospect, 2-3-196
e-mail: ****@hostelecom.ru.com
admin-c: IK900-RIPE
tech-c: IK900-RIPE
mnt-ref: AS15497-MNT
mnt-by: AS15497-MNT
changed: ********@colocall.net 20050126
source: RIPE

person: Igor Kazakov
address: Russian Federation, Saint-Petersburg,
address: Milionaya Prospect, 2-3-196
phone: +7 921 8725096
e-mail: ****@hostelecom.ru.com
nic-hdl: IK900-RIPE
notify: ****@hostelecom.ru.com
changed: ********@colocall.net 20050126
source: RIPE

From spamcop at oitc.com Wed Mar 2 13:24:52 2005
From: spamcop at oitc.com (spamcop)
Date: Wed Mar 2 13:25:08 2005
Subject: [SpamCop-List] Missed url in phish
Message-ID:

http://www.spamcop.net/sc?id=z737953367z716bd014d5f55f52b3e41d93bad116a6z

From porpoise1954 at yahoo.co.uk Wed Mar 2 18:24:11 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Wed Mar 2 13:40:02 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
References:
Message-ID:

"Steven Maesslein" wrote in message
news:slrnd2befb.7oo.nobody@127.0.0.1...
> On Wed, 2 Mar 2005 12:07:07 -0000, Porpoise coughed into spamcop and
> left this in :
>
>> Obfuscating email addresses within webpages is child's play if you're
>> using
>> something like PHP because it only "appears" when the page is rendered
>> within the browser window, so it can't be scraped from the file by robots
>> like it can from a vanilla HTML file.
>
> Robots also call up pages using HTTP. If an e-mail address is sent to a
> browser by PHP, it can also be sent to a 'bot.
>
> Until spammer bots know how to interpret javascript (some might
> already), the arguably best way to have mailto: links on a page is to
> have them built by javascript. Yes, it breaks for people using browsers
> with javascript disabled, but those people are probably fully aware of
> the reasons behind not putting an e-mail address up in the clear in the
> first place. Alternatively, something like this works fine on a domain I
> administer (no spam attempts yet on the e-mail address which is
> UNfiltered):
>
> Otherwise, the script I use to obfuscate the address is this:
>
>

Well that doesn't look terribly different to my PHP script so I'm not sure
why a robot would find any difference between them...........?? (Mind you,
I'm not as "up" on javascript - I've not gone that route due to more and
more people blocking their browsers from accepting it).

The PHP script that constructs the email addresses is not in the same file
as the one calling the function - it's called from within other scripts in
other files that build the pages somewhat dynamically, so the robot would
need to know how all the bits go together in order to make sense of it.

I think! :-)

From porpoise1954 at yahoo.co.uk Wed Mar 2 18:29:43 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Wed Mar 2 13:45:03 2005
Subject: [SpamCop-List] Re: Pornographic Spam Assault
References:
Message-ID:

"Mike Easter" wrote in message
news:d04f8p$5r2$1@news.spamcop.net...
> Steven Maesslein wrote:
>> Porpoise
>
>>> Obfuscating email addresses within webpages is child's play
>
>> the arguably best way to have mailto: links on a page is to
>> have them built by javascript. Yes, it breaks for people using
>> browsers with javascript disabled,
>
> There are a lot of ways to hide mailto/s
>
> http://spamlinks.net/spambots-hiding.htm Hiding from Spambots
> Generalised Hiders and Descriptions
> Javascript Email Encoders
> HTML Character Entities
> CSS Encoding
> Passive Web-based Scripts
> Web-based Contact Pages
> Other Methods
> Manual Address Munging
> Examples
>

As ever, Mike knows the places........!!

From nobody at nowhere.invalid Wed