From baloo at ursine.ca Sun May 1 00:14:00 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Sun May 1 03:10:27 2005
Subject: [SpamCop-List] Re: Submission by email
References: <01c54c47$45163740$LocalHost@default> <1p3bk2-jds.ln1@ursine.ca>
Message-ID: <8m8ek2-87v.ln1@ursine.ca>

Steven Maesslein wrote:

> You're preaching to the choir.

[...]

> Unless there's a Reply-To: header in there (such as the one inserted by
> gmail users when they use gmail's network to send mail), which fscks up
> the mailing list, and which is why I don't allow gmail addresses on
> lists I run.

Oh, OK. I think I lost proper track of the thread somewhere along the line...

-- 
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From baloo at ursine.ca Sun May 1 00:19:28 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Sun May 1 03:10:35 2005
Subject: [SpamCop-List] Re: Submission by email
References: <01c54c47$45163740$LocalHost@default> <4s3bk2-jds.ln1@ursine.ca>
Message-ID:

Kenneth Loafman wrote:

> On Fri, 29 Apr 2005 18:33:24 -0700, Paul Johnson wrote:
>
>>Kenneth Loafman wrote:
>>> As a mailing list sender, you would insert your own Reply-To: to have it
>>> reply back to the mailing list. What the user does with it after that
>>> is none of your concern.
>>
>>NAK! Mailing list shouldn't be setting or touching reply-to. That's the
>>user's field for the user to use. What you describe is the realm of the
>>X-List, X-Mailing-List, X-Loop, or just about any other mailing list
>>header.
>
> Then you must ban a lot of corporate mail as well. A lot of the folks
> that use Outlook in business set their Reply-To: to their own address.
> Don't know why they bother, but they do.

We're talking a mailing list here. It might just be me, but in business environments, I generally see Outlook users use the distribution lists feature in Outlook.
It's messy, but if you're writing only to people in the same environment as yourself, it's the quick and dirty fix that works for that environment. Though you have to go out of the way to set up the reply-to to be the same as from in Outlook...

> BTW, you can override gmail's setting of the Reply-To:, or anyone's for
> that matter. Depends on the mail list owner and how they want the replies
> to default. Some default to the mail list and some to the original
> author. Seems like a moot point.

Right, but it's supposed to be a user-set heading none the less. It starts getting confusing and messy when third parties in between stomp on things like that.

> Must be something else driving your decision to ban so many users from
> your list. Not worth the effort.

Not when a little user education fixes the problem, no.

> Set the Reply-To: when you send the mail back out and go on. Once it's in
> your hands, it's yours, the user has no control over that field. Remember
> "My server, My rules!". Once it's in your control, it's yours. Period.

Right, but when you're offering services that require a certain level of inter-site consistency like email, changing headers inconsistent with documented standards is a Bad Thing(tm).

-- 
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From bar_n0ne at hotmail.com Sun May 1 14:04:02 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 1 05:06:48 2005
Subject: [SpamCop-List] Internic/Gandi registration problems take rediculously long to resolve
Message-ID:

for example: domain still misregistered complaint sent March 15 received below today.

Now i don't think I've seen whatshould.com since, in a spam.

But even a cursory glance at the mailing addresses show illegitimacy that even a frenchman should recognize.

city= three fingered tap on the keyboard? come on.

Hello munged

This message is in follow-up to the Whois Data Problem Report you submitted on March 15, 2005 regarding whatshould.com.
As indicated to you at the time of submission, a copy of your report was forwarded to the sponsoring registrar for investigation.

We would appreciate it if you could assist us in monitoring registrar compliance with Whois data accuracy obligations by selecting one of the options below:

1. The data inaccuracy was corrected. Please go to the following URL:

References:
Message-ID:

Berny wrote:

> for example: domain still misregistered complaint sent March 15 received
> below today.
>
> Now i don't think I've seen whatshould.com since, in a spam.
>
> But even a cursory glance at the mailing addresses show illegitimacy that
> even a frenchman should recognize.
>
> city= three fingered tap on the keyboard? come on.

Has Gandi ever nuked a domain because of wrong whois information? My experience: no. French providers (Gandi, Wanadoo...) seem to be totally clueless or intentionally supporting spammers: black hats. You can use the registrar problem report form at:

http://reports.internic.net/cgi/registrars/problem-report.cgi

But if this helps?

- kjz

From bar_n0ne at hotmail.com Sun May 1 17:10:07 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 1 08:15:03 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
References:
Message-ID:

"Karl-Josef Ziegler" wrote in message news:d52fme$7v6$1@news.spamcop.net...
> Berny wrote:
> > for example: domain still misregistered complaint sent March 15 received
> > below today.
> > SNIP
>
> Has Gandi ever nuked a domain because of wrong whois information?
> My experience: no. French providers (Gandi, Wanadoo...) seem to be
> totally clueless or intentionally supporting spammers: black hats.
> You can use the registrar problem report form at:
>
> http://reports.internic.net/cgi/registrars/problem-report.cgi
>
> But if this helps?
>
> - kjz

I personally think that most registrars look at spammers as a major source of revenue, thousands of throwaway names at $10.00 a hit or so, I suspect that there would be a serious drop in income if they actually used due diligence and put off spammer business. So, they are an integral part of the spam game with few exceptions.

From kjz at despammed.com Sun May 1 21:57:39 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Sun May 1 15:00:03 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
In-Reply-To:
References:
Message-ID:

Berny wrote:

> I personally think that most registrars look at spammers as a major source
> of revenue, thousands of throwaway names at $10.00 a hit or so, I suspect
> that there would be a serious drop in income if they actually used due
> diligence and put off spammer business. So, they are an integral part of the
> spam game with few exceptions.

Alas, that seems to be true. Domain registration is cheap and easy, but I think at the moment it's TOO cheap, TOO easy and TOO fast. Today I got spam for a spamvertized domain which was already set up in spammy's DNS servers but still not showing any whois info. And with a revenue of US-$ 5000 a day(!) spammy can register a lot of throwaway domains. So most spam runs in these days have a fresh throwaway domain which only has the function to redirect to/protect the 'real' spamvertized website.

ICANN should make an address verification process mandatory in the registration procedure. E.g. a new domain first is set on registrar hold and an air mail letter with a security code is sent to the registrant. This security code must be verified via a web form and only afterwards the domain is set in function. This process can be automated and the price will be only a little bit higher than an air mail stamp. More security at a low price increase.
- kjz

From jefferJones at not-valid-address-.com Sun May 1 16:10:40 2005
From: jefferJones at not-valid-address-.com (Jeffery Jones)
Date: Sun May 1 15:10:03 2005
Subject: [SpamCop-List] Can't find admin of Ebay Phisher
Message-ID:

http://www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z

Unable to locate admin for web site http://online-account-activation.com

"Cannot find master for:http://online-account-activation.com/ebayisapi.dll&verifyregistrationshow"

From nobody at devnull.spamcop.net Sun May 1 15:35:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 15:40:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Jeffery Jones" wrote in message news:v5aa711tj9ck70ncfi7npc750b2i8rdkef@4ax.com...
>
> http://www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
>
> Unable to locate admin for web site http://online-account-activation.com
>
> "Cannot find master for:http://online-account-activation.com/ebayisapi.dll&verifyregistrationsho
w"

whois -h whois.enom.com online-account-activation.com ...
Registration Service Provided By: Microsoft
Contact: personal_address@css.one.microsoft.com
Visit: http://support.msn.com/contactus.aspx?pk=PersonalAddress

Domain name: online-account-activation.com

Registrant Contact:
   greg kessler
   greg kessler (admin@online-account-activation.com)
   +1.6364586523
   Fax: none
   1748 Millstream
   chesterfield, MO 63017
   US

Administrative Contact:
   greg kessler
   greg kessler (admin@online-account-activation.com)
   +1.6364586523
   Fax: none
   1748 Millstream
   chesterfield, MO 63017
   US

Technical Contact:
   NOC MSN
   NOC MSN (MSN-PA-TECH@msn.com)
   +1.4258828080
   Fax: none
   One Microsoft Way
   Redmond, WA 98052
   US

Billing Contact:
   NOC MSN
   NOC MSN (MSN-PA-BILL@MSN.COM)
   +1.4258828080
   Fax: none
   One Microsoft Way
   Redmond, WA 98052
   US

Status: Locked

Name Servers:
   pdomns1.msn.com
   pdomns2.msn.com

Creation date: 25 Apr 2005 15:31:06
Expiration date: 25 Apr 2006 15:31:06

From f.yaskin at worldnet.att.net Sun May 1 16:37:34 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Sun May 1 15:40:06 2005
Subject: [SpamCop-List] Error-why?
Message-ID:

Here is the error:
error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found

Same result from OE Express, and from ATT Webmail, view source selected, and copy/pasted into spamcop.
??
Spam sent as follows:
---------------------
Received: from mx1.mail.yahoo.com (p2184-ipad36sasajima.aichi.ocn.ne.jp[60.45.123.184](untrusted sender)) by worldnet.att.net (mtiwmxc11) with SMTP id <2005050114143401100pim6oe>; Sun, 1 May 2005 14:14:45 +0000
X-Originating-IP: [60.45.123.184]
Reply-To: "Susan"
From: "Susan"
To:
Subject: Antidote may help boost immune system
Date: Sun, 01 May 2005 08:10:57 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--09-6[5]-3237-0[3]-080[3]"
----09-6[5]-3237-0[3]-080[3]
Content-Type: ;text/plain;
Content-Transfer-Encoding: 7Bit

The Ancient Secret of Life
'THE ANTIDOTE'
http://www.crocinamillion.info/fvd/

Kills ALL known deadly Viruses & Bacteria in the body that keep diseases, =
namely: Influenza, SARS, Cancer, HIV etc. etc. active.
A disease must be made DORMANT to stop infection.
'The ANTIDOTE' is the answer.
http://www.crocinamillion.info/fvd/

WE ARE THE ONLY COMPANY IN THE WORLD WHO HAVE DEVELOPED AND ENHANCED THIS =
PRODUCT FOR SALE.
LEARN MORE
http://www.crocinamillion.info/fvd/

The Antidote is a unique Anti-Microbial Peptide offering the widest range of healing power on the market today.
It kills all known deadly VIRUSES and BACTERIA in the body.
The initial research was carried out over several years ago by the BBC.
The Antidote acts as an additive for your body's immune system.
It will fight and protect your body from all virus and bacteria activated infections.
The Antidote may be taken safely by children and adults even if on current medication.
Take me off from emailing list
http://www.myfriendlyshop.com/gone/
----09-6[5]-3237-0[3]-080[3]--

From MikeE at ster.invalid Sun May 1 13:42:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 1 15:45:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

Jeffery Jones wrote:
www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
>
> Unable to locate admin for web site
> http://online-account-activation.com
>
> "Cannot find master
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistratio
nshow"

Here's what I'm seeing at the tracker:

Tracking link: http://online-account-activation.com/ebayisapi.dll&verifyregistrationshow
No recent reports, no history available
Resolves to 65.54.132.254
Routing details for 65.54.132.254
Reports routes for 65.54.132.254:
routeid:13943319 65.52.0.0 - 65.55.255.255 to:abuse@hotmail.com
Administrator found from whois records
[refresh/show] Cached whois for 65.54.132.254 : abuse@hotmail.com
Using abuse net on abuse@hotmail.com
abuse net hotmail.com = abuse@hotmail.com
Using best contacts abuse@hotmail.com
Using rdns to route to correct Microsoft department
host 65.54.132.254 = yourpersonaladdress.net (cached)
abuse net yourpersonaladdress.net = postmaster@yourpersonaladdress.net

Message-ID:

FY wrote:

> Here is the error:
> error: couldn't parse head
> Message body parser requires full, accurate copy of message
> More information on this error..
> no links found

Even when the parser doesn't work, the general result is that it will provide you with a tracking url. That tracker is a reflection of what you fed the parser and is useful for troubleshooting this.

You should *NOT* be posting what you did here for several important reasons.

- posting spam anywhere other than the ng spamcop.spam is against some 'rule' or tradition for a variety of reasons
- it doesn't help for you to post the spam item here.
I can take it and get the parser to parse it and then what does that prove?
- here's a tracker which has parsed my rendition of what I made out of what you posted here
http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z

Maybe my version of your spam works because I structured it so that it would work. When you post something into a newsmessage, it gets 'bent' and isn't the same as the original. The closest you can come to showing us the original easily is to put it into the parser properly and post the tracker for the result in here.

The next closest you can come would be to save the item as an .eml from OE and then attach that file to a message in spamcop.spam.

Notice that if you examine my tracker's 'View entire message' - you see that the Received traceline is not folded improperly, which it was here, perhaps by your newsreader, perhaps not; and that there is a proper empty line between the Content-Type boundary information and the first boundary marker, which was not present in what you posted here -- perhaps caused by your newsreader, perhaps not.

So, to re-iterate... do *NOT* post spam in here. Only trackers.

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun May 1 14:35:33 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 1 16:35:03 2005
Subject: [SpamCop-List] Re: Error-why?
References:
Message-ID:

Mike Easter wrote:
www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z

Report Spam to:
Re: 60.45.123.184 (Administrator of network where email originates)
   To: abuse@ocn.ad.jp (Notes)
Re: 60.45.123.184 (Third party interested in email source)
   To: Cyveillance spam collection (Notes)
Re: http://www.crocinamillion.info/fvd/ (Administrator of network hosting website referenced in spam)
   To: daihy@china-netcom.com (Notes)
   To: postmaster@china-netcom.com (Notes)
   To: cnc-abuse@abuse.sprint.net (Notes)
Re: http://www.myfriendlyshop.com/gone/ (Administrator
   To: postmaster@chinatietong.com
   To: crnet_mgr@chinatietong.com
   To: crnet_tec@chinatietong.com

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sun May 1 19:37:50 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 19:40:02 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Mike Easter" wrote in message news:d53bau$l1g$1@news.spamcop.net...
> Jeffery Jones wrote:
> www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
> >
> > Unable to locate admin for web site
> > http://online-account-activation.com
> >
> > "Cannot find master
> >
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistratio
> nshow"
>
> Here's what I'm seeing at the tracker:
>
> SC degrade the notify down to a default pm from a registered one; that
> doesn't make any sense.

My flow, could be wrong ....

Name Servers:
   pdomns1.msn.com
   pdomns2.msn.com
Creation date: 25 Apr 2005 15:31:06

'Brand new shiney' web-site/URL created by a silly/new MSN user ... equating "pdoms" to "personal domains" ,,,,

Then noted that this URL is simply redirecting;

05/01/05 18:27:11 Browsing http://online-account-activation.com/
Fetching http://online-account-activation.com/ ...
GET / HTTP/1.1
Host: online-account-activation.com
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 302 Found
Connection: close
Date: Sun, 01 May 2005 23:27:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-AspNet-Version: 1.1.4322
Location: http://www.pearland.co.id/usage/index.htm?eBayISAPI.dll&VerifyRegistrationShow
Cache-Control: private
Expires: Sat, 01 Jan 2000 08:00:00 GMT
Content-Type: text/html

Object moved

Object moved to here.

Personal Domains URL Forwarder

You can probably guess at what's sitting 'there'

My bet is that there's a database that has been fed with "don't use this reporting address" which is also mucking up the works, but the parser isn't outputting this data/error ...????

From nobody at devnull.spamcop.net Sun May 1 19:40:59 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 19:45:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Mike Easter" wrote in message news:d53bau$l1g$1@news.spamcop.net...
> Jeffery Jones wrote:
> www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
> >
> > Unable to locate admin for web site
> > http://online-account-activation.com
> >
> > "Cannot find master
> >
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistratio
> nshow"

Noting also (ignoring some issues with SSfor WIN) but;

05/01/05 18:38:50 whois online-account-activation.com@pdomns1.msn.com
whois -h pdomns1.msn.com online-account-activation.com ...
failed, couldn't connect to host: Unknown error (0)

From / at /.cn Mon May 2 16:47:00 2005
From: / at /.cn (Petzl)
Date: Mon May 2 01:50:05 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"WazoO" wrote in message news:d4pep4$jgq$1@news.spamcop.net...
> "Pop" wrote in message
> news:d4ov5o$b3i$1@news.spamcop.net...
>> >
>> Interesting; can you even report a spam from those accounts? That would
>> suck.
>
> http://forum.spamcop.net/forums/index.php?showtopic=2782
>

A big problem in accepting the compulsory email account with your provider is that they are mainly absolutely useless (I do not accept them) The worse fact is they then never seem to learn

Right now a legacy email account from UU.net (ozemail) they are offering spam and virus filtering without whitelist.
The only mail I still get is spam with legit mail disappearing

There is still no doubt the only and best email account to have is a SpamCop one

Petzl

From nobody at nowhere.invalid Mon May 2 11:27:14 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 04:30:20 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 15:47:00 +1000, Petzl coughed into spamcop and left this in :

> Right now a legacy email account from UU.net (ozemail) they are offering
> spam and virus filtering without whitelist. The only mail I still get is
> spam with legit mail disappearing

Well, UUNet sees everything pink anyway, so the chances are that the filter is working as designed :)

-- 
Steve

Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats.
-- Howard Aiken

From / at /.cn Mon May 2 20:12:49 2005
From: / at /.cn (Petzl)
Date: Mon May 2 05:16:31 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7bp32.36p.nobody@127.0.0.1...
> On Mon, 2 May 2005 15:47:00 +1000, Petzl coughed into spamcop and left
> this in :
>
>> Right now a legacy email account from UU.net (ozemail) they are offering
>> spam and virus filtering without whitelist. The only mail I still get is
>> spam with legit mail disappearing
>
> Well, UUNet sees everything pink anyway, so the chances are that the
> filter is working as designed :)
>

As I have SpamCop retrieve the email it only ends up in the VER folder

UUnet have just made the legacy account less than worthless

I only wanted to keep it as I have a couple of pieces of software which sends notification of upgrades these no longer get past UUnet but spam does and it is in the area of 1000 spams a day plus

Before UUnet started filtering my SpamCop email account accurately filtered the UUnet spew to SpamCop's (Very Easy Reporting) VER folder which it still does but legit email disappears before it is even forwarded to SpamCop

Will now see if I can have these UUnet idiots turn off the forwarding

Just another example of what happens in accepting the compulsory email account with your provider is that they are mainly absolutely useless (I do not now ever accept them) The worse fact is they then never seem to learn for the better

The reason we have a problem with spam is because of Internet Providers and their inability to secure the e-mail address they dump you with or force you to have. If spam was effectively blocked spamming would have no point!

Even Hotmail offer a superior service to a vast many and is always good to have for first contact, as well as those "subscriptions" you have to sign up with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers who attack their customers

Petzl

From bar_n0ne at hotmail.com Mon May 2 15:17:09 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 2 06:20:04 2005
Subject: [SpamCop-List] st0ck spams
Message-ID:

Given the length of time the same st0ck spams for the same crappy little companies, I am becoming doubtful that the companies themselves are not involved.

Pump and Dumpers usually move in and out quickly, a few days, or a week or so.
The endless steady stream of crap for this stuff (like VOIP) is beginning to look more like either a massive joe job, (hard to believe) or an active promotion, undertaken on behalf of the principals.

Remember a Pump and dumper is not a long term investor, they're looking to flip their gains or shorts quickly. This crap comes in steadily for months at a time.

From nobody at nowhere.invalid Mon May 2 13:38:01 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 06:40:03 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 19:12:49 +1000, Petzl coughed into spamcop and left this in :

> UUnet have just made the legacy account less than worthless

Heh - your legacy account is not the only e-mail account UUNet has made useless. Far from it.

> Just another example of what happens in accepting the compulsory email
> account with your provider is that they are mainly absolutely useless (I do
> not now ever accept them) The worse fact is they then never seem to learn
> for the better

I agree. I don't even use the default account set up by my ISP since it's going to be essentially useless. I *do* have several domains of my own and my ISP allows me to run a mail server on my static IP address (for all their shortcomings they are rather pro-Linux at this ISP).

> The reason we have a problem with spam is because of Internet Providers and
> their inability to secure the e-mail address they dump you with or force you
> to have. If spam was effectively blocked spamming would have no point!

The fault lies further upstream of the ISP than that. Yes, it's one link in the chain that needs tightening up, but there's plenty to put right in the distribution chain too, such as ISPs allowing Windows machines (you'll notice I stopped using the term "zombified windows machines" a while back because of obvious redundancy) to spew unabated for months on end without pulling the plug on the luser.
Another problem is ISPs like MCI, SBC and most Chinese outfits that seem to have a single clause in their enforced AUP "You can spam as much as you like as long as the cheque clears"

> Even Hotmail offer a superior service to a vast many and is always good to
> have for first contact, as well as those "subscriptions" you have to sign up
> with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers who
> attack their customers

I'd use a hotmail account if it was possible to get one without selling your soul by having to open a "Passport" account - whatever that is.

-- 
Steve

A group of cats is a "conceit". They'd like it to be called a "pride" but that would fool nobody.
-- Morely Dotes in NANAE, 2-FEB-2004

From bar_n0ne at hotmail.com Mon May 2 16:22:36 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 2 07:25:04 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutions may be moving toXO/imedia
References:
Message-ID:

"nospam" wrote in message news:BE95B135.14B73%nobody@spamcop.net...
> latest turd for shopping spree/product testers/market research/free
> satellite TV/free whatever came from XO/Imedia today at 65.182.142.2
>
> spamvertizing still from MCI's stealthed server at 63.82.98.35
>
> Seems SBewGlobal may have gotten too expensive or didn't like the heat
>
> Lets see how many months they give this fscker free reign over there.
>
> It might end for me, XO was a famous listwasher if I remember right.
>

Now at PacBell, and the spamvertized sites have moved also to 69.67.72.10 which isn't nearly as well stealthed as the MCI site was.

Also XO is a 3d party interested in the sources and the sites, so hopefully we'll see the end of this crap soon.

At least Software Factory Solutions may be on the run.
Well Done CAT

From / at /.cn Mon May 2 22:49:21 2005
From: / at /.cn (Petzl)
Date: Mon May 2 07:50:02 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7c0o9.3ti.nobody@127.0.0.1...
> On Mon, 2 May 2005 19:12:49 +1000, Petzl coughed into spamcop and left
> this in :
>
>> UUnet have just made the legacy account less than worthless
>
> Heh - your legacy account is not the only e-mail account UUNet has made
> useless. Far from it.

ever got a single spam until UUnet took over Ozemail?

>> Just another example of what happens in accepting the compulsory email
>> account with your provider is that they are mainly absolutely useless (I
>> do
>> not now ever accept them) The worse fact is they then never seem to learn
>> for the better
>
> I agree. I don't even use the default account set up by my ISP since
> it's going to be essentially useless. I *do* have several domains of my
> own and my ISP allows me to run a mail server on my static IP address
> (for all their shortcomings they are rather pro-Linux at this ISP).

In this case it is up to you to see that your IP remains clean

>> The reason we have a problem with spam is because of Internet Providers
>> and
>> their inability to secure the e-mail address they dump you with or force
>> you
>> to have. If spam was effectively blocked spamming would have no point!
>
> The fault lies further upstream of the ISP than that. Yes, it's one link
> in the chain that needs tightening up, but there's plenty to put right
> in the distribution chain too, such as ISPs allowing Windows machines
> (you'll notice I stopped using the term "zombified windows machines" a
> while back because of obvious redundancy) to spew unabated for months on
> end without pulling the plug on the luser.
>
> Another problem is ISPs like MCI, SBC and most Chinese outfits that seem
> to have a single clause in their enforced AUP "You can spam as much as
> you like as long as the cheque clears"

But if ISP's gave the option to block China in its entirety allowing only whitelisted email through spamming becomes pointless

The chinese, Korea, South America are all countries SpamCop allows blocking in this manner. It is also easily done

Again the reason there are spammers is because providers are not interested enough to effectively stop it. They only want your cheque to clear and milk you like a cash cow

>> Even Hotmail offer a superior service to a vast many and is always good
>> to
>> have for first contact, as well as those "subscriptions" you have to sign
>> up
>> with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers
>> who
>> attack their customers
>
> I'd use a hotmail account if it was possible to get one without selling
> your soul by having to open a "Passport" account - whatever that is.
>

I think HotMail have discontinued trying this? It was meant to evolve into a PayPal type of thingy but seems to have failed

From nobody at nowhere.invalid Mon May 2 15:49:25 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 08:50:04 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 21:49:21 +1000, Petzl coughed into spamcop and left this in :

> ever got a single spam until UUnet took over Ozemail?

I'd never heard of Ozemail until this thread. I was emphasizing UUNet's role in e-mail abuse, that's all.

>> I agree. I don't even use the default account set up by my ISP since
>> it's going to be essentially useless. I *do* have several domains of my
>> own and my ISP allows me to run a mail server on my static IP address
>> (for all their shortcomings they are rather pro-Linux at this ISP).
>
> In this case it is up to you to see that your IP remains clean

Agreed.
And it will stay clean unless I expose some out-of-date daemon with known vulnerabilities to the 'Net. Who knows, it might happen one day, but it won't happen within 15 seconds of connecting the machine to the 'Net, that's for sure. Touch wood - so far it's been connected since September 2001 with no compromise.

> But if ISP's gave the option to block China in its entirety allowing only
> whitelisted email through spamming becomes pointless The chinese, Korea, South
> America are all countries SpamCop allows blocking in this manner. It is also
> easily done

The ISP's would also be sued left, right and centre by klooless lusers not aware of what they're doing when they check the "block" box.

>> I'd use a hotmail account if it was possible to get one without selling
>> your soul by having to open a "Passport" account - whatever that is.
>
> I think HotMail have discontinued trying this? It was meant to evolve into a
> PayPal type of thingy but seems to have failed

Quoting from the hotmail signup page (which happens to be hosted on the registernet.passport.net domain):

"Complete this form to register for a Hotmail account, which is also a Microsoft .NET Passport. The Hotmail e-mail address and password you create are your .NET Passport credentials. You'll need them to access your Hotmail account and to sign in where you see the .NET Passport sign-in button: [button]"

Blech...

-- 
Steve

Give a man a fish and he will eat for a day. Teach him how to fish, and he will sit in a boat and drink beer all day.

From f.yaskin at worldnet.att.net Mon May 2 10:05:42 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 09:10:04 2005
Subject: [SpamCop-List] Re: Error-why?
References:
Message-ID:

Thanks a lot for the lecture Mike. You could have saved yourself a lot of time and still made your point, by skipping the re-iteration, and most of the lecture, but I know you are trying to be helpful, and mindful of, uh, tradition.
Having used Spamcop for at least a couple years, and ,000's of spams, and thru several mailreaders successfully, let's assume for a moment that the sender malformed the from line. I am disappointed that Spamcop chokes on what garden variety readers can successfully decode. But thanks, really.

While I have your attention, any suggestions on getting the ones with the line breaks in the body url to decode without manually removing the breaks and spaces?

fy

"Mike Easter" wrote in message news:d53e14$mfd$1@news.spamcop.net...
> FY wrote:
> > Here is the error:
> > error: couldn't parse head
> > Message body parser requires full, accurate copy of message
> > More information on this error..
> > no links found
>
> Even when the parser doesn't work, the general result is that it will
> provide you with a tracking url. That tracker is a reflection of what
> you fed the parser and is useful for troubleshooting this.
>
> You should *NOT* be posting what you did here for several important
> reasons.
>
> - posting spam anywhere other than the ng spamcop.spam is against some
> 'rule' or tradition for a variety of reasons
> - it doesn't help for you to post the spam item here. I can take it
> and get the parser to parse it and then what does that prove?
> - here's a tracker which has parsed my rendition of what I made out of
> what you posted here
> http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z
>
> Maybe my version of your spam works because I structured it so that it
> would work. When you post something into a newsmessage, it gets 'bent'
> and isn't the same as the original. The closest you can come to showing
> us the original easily is to put it into the parser properly and post
> the tracker for the result in here.
>
> The next closest you can come would be to save the item as an .eml from
> OE and then attach that file to a message in spamcop.spam.
>
> Notice that if you examine my tracker's 'View entire message' - you see
> that the Received traceline is not folded improperly, which it was here,
> perhaps by your newsreader, perhaps not; and that there is a proper
> empty line between the Content-Type boundary information and the first
> boundary marker, which was not present in what you posted here --
> perhaps caused by your newsreader, perhaps not.
>
> So, to re-iterate... do *NOT* post spam in here. Only trackers.
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From f.yaskin at worldnet.att.net Mon May 2 10:11:42 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 09:15:03 2005
Subject: [SpamCop-List] Re: Error-why?(revised)
References:
Message-ID:

"Mike Easter" wrote in message news:d53e14$mfd$1@news.spamcop.net...
> FY wrote:
> > Here is the error:
> > error: couldn't parse head
> > Message body parser requires full, accurate copy of message
> > More information on this error..
> > no links found
>
> Even when the parser doesn't work, the general result is that it will
> provide you with a tracking url. That tracker is a reflection of what
> you fed the parser and is useful for troubleshooting this.
>
> You should *NOT* be posting what you did here for several important
> reasons.
>
> - posting spam anywhere other than the ng spamcop.spam is against some
> 'rule' or tradition for a variety of reasons
> - it doesn't help for you to post the spam item here. I can take it
> and get the parser to parse it and then what does that prove?
> - here's a tracker which has parsed my rendition of what I made out of
> what you posted here
> http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z
>
> Maybe my version of your spam works because I structured it so that it
> would work. When you post something into a newsmessage, it gets 'bent'
> and isn't the same as the original.
> The closest you can come to showing
> us the original easily is to put it into the parser properly and post
> the tracker for the result in here.
>
> The next closest you can come would be to save the item as an .eml from
> OE and then attach that file to a message in spamcop.spam.
>
> Notice that if you examine my tracker's 'View entire message' - you see
> that the Received traceline is not folded improperly, which it was here,
> perhaps by your newsreader, perhaps not; and that there is a proper
> empty line between the Content-Type boundary information and the first
> boundary marker, which was not present in what you posted here --
> perhaps caused by your newsreader, perhaps not.
>
> So, to re-iterate... do *NOT* post spam in here. Only trackers.
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Thanks a lot for the lecture Mike. You could have saved yourself a lot of time and still made your point, by skipping the re-iteration, and most of the lecture, but I know you are trying to be helpful, and mindful of, uh, tradition. Having used Spamcop for at least a couple years, and ,000's of spams, and thru several mailreaders successfully, let's assume for a moment that the sender malformed the from line. I am (mildly) disappointed that Spamcop chokes on what garden variety readers can successfully decode. But thanks, really.

fy

From MikeE at ster.invalid Mon May 2 09:07:44 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 11:10:33 2005
Subject: [SpamCop-List] Re: Error-why?(revised)
References:
Message-ID:

FY wrote:
> "Mike Easter"
>> FY wrote:
>>> error: couldn't parse head
>> - here's a tracker which has parsed my rendition of what I made
>> out of what you posted here
www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z
>> see that the Received traceline is not folded improperly, which it
>> is a proper empty line between the Content-Type boundary information
> Thanks a lot for the lecture Mike.
Yabbut, you never did properly communicate what was wrong in the first place -- after you had a chance to see what 'my' spam looks like in the tracker and you became familiar with whatever was wrong with yours.

> that the sender malformed the from line. I am (mildly)disappointed
> that Spamcop chokes on what garden variety readers can successfully decode.

The reason you are supposed to not fix what causes the choke is based on this principle

http://www.spamcop.net/fom-serve/cache/283.html -- Material changes to spam -- "SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find."

When I make/forge changes to a spam in order to accomplish a parse for an item which I subsequently cancel, it is *only* for purposes of demonstration -- to enable discussion of what was wrong that caused the parse to fail.

In this instance, we still haven't gotten to the part about what was wrong because no one here but you has seen the original item which wouldn't parse unbent yet.

--
Mike Easter
kibitzer, not SC admin

From eddie at eddie.web Mon May 2 13:02:39 2005
From: eddie at eddie.web (eddie)
Date: Mon May 2 12:05:07 2005
Subject: [SpamCop-List] Re: st0ck spams
References:
Message-ID:

On Mon, 02 May 2005 14:17:09 +0400, Berny scratched out the following:

> Given the length of time the same st0ck spams for the same crappy little
> companies, I am becoming doubtful that the companies themselves are not
> involved. Pump and Dumpers usually move in and out quickly, a few days, or
> a week or so. The endless steady stream of crap for this stuff (like VOIP)
> is beginning to look more like either a massive joe job, (hard to believe)
> or an active promotion, undertaken on behalf of the principals.
>
> Remember a Pump and dumper is not a long term investor, they're looking to
> flip their gains or shorts quickly.
> This crap comes in steadily for months
> at a time.

I think that sometimes the stock companies are behind it, or at least they know about it and give it their tacit approval. Certainly there are trading companies involved, as well as individuals. Be sure to copy the SEC on all P&D scam reports, as well as the FTC.

--
Once movie theaters gave out steak knives
Today they confiscate them

From f.yaskin at worldnet.att.net Mon May 2 13:28:35 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 12:30:02 2005
Subject: [SpamCop-List] Re: Error-why?(revised)
References:
Message-ID:

"Mike Easter" wrote in message news:d55fkd$2u9$1@news.spamcop.net...
> FY wrote:
> > "Mike Easter"
> >> FY wrote:
>
> >>> error: couldn't parse head
>
> >> - here's a tracker which has parsed my rendition of what I made
> >> out of what you posted here
>
> www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z
>
> > Thanks a lot for the lecture Mike.
>
> Yabbut, you never did properly communicate what was wrong in the first
> place -- after you had a chance to see what 'my' spam looks like in the
> tracker and you became familiar with whatever was wrong with yours.
>>
> When I make/forge changes to a spam in order to accomplish a parse for
> an item which I subsequently cancel, it is *only* for purposes of
> demonstration -- to enable discussion of what was wrong that caused the
> parse to fail.
>
> In this instance, we still haven't gotten to the part about what was
> wrong because no one here but you has seen the original item which
> wouldn't parse unbent yet.

OK, now I am confused.[pardon the Yoda]..

Is not the spam in my original post, with full headers, which I was (my bad)NOT supposed to post, "the original item which wouldn't parse unbent yet.", other than the copy and paste? Is not the SC error message posted above it communicating what was wrong?
If you mean what is wrong in my reader(s), as far as I know, nothing..I followed the procedures for copying spam unmolested.

Frank

From MikeE at ster.invalid Mon May 2 13:50:23 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 15:50:02 2005
Subject: [SpamCop-List] Re: Error-why?(revised)
References:
Message-ID:

FY wrote:

> Is not the spam in my original post, with full headers, which I was
> (my bad)NOT supposed to post, "the original item which wouldn't parse
> unbent yet.", other than the copy and paste?

No. When you posted a newsagent bent spam here, you failed to demonstrate properly what kind of spam misconstruction it was that the parser failed to parse because the bent condition of a spam you posted here leaves too much guesswork as to what was the condition of the original, as you received it, and as it was stored by OE in the Message source section.

Since /we/ can't access /your/ OE's message source of that original item, the best thing for you to do would be to properly submit it to the parser and then to paste the parser's tracker in here....

... unless for some strange reason the parser fails to give a tracker, in which case some generally not well accepted system would have to be used, such as attaching the isolated and saved OE .eml file to a message in spamcop.spam.

The reason I say 'not well accepted' is because not all mailuser agents are going to perform in exactly the same way to provide some kind of .eml or .txt file to attach. And, the attaching business so far has only been an experimental technique used to investigate the solving of problems which pasting of spams into the body of newsgroup messages causes.

> Is not the SC error message posted above it communicating what was
> wrong?

Not sufficiently precisely. That SC message is the same message for a variety of conditions of spam which fail to parse.

> If you mean what is wrong in my reader(s), as far as I know,
> nothing..I followed the procedures for copying spam unmolested.
The problem isn't the /copying/ of the spam. The spam copies just fine. The copied spam also gets submitted to the parser just fine unless the submitter makes some kind of mistake.

The problem with what you posted here is what happens to an item after you paste it into the body of your newsmessage. When your OE newsagent sends the news message, it 'messes with it' and bends it and causes various 'unknown' things including the introduction of linewraps to happen to it which were not present in the original -- all of that depending upon how it is configured -- which we don't even want to know because 'we' - namely me - don't want you to show us your spam by pasting it into a news message. Especially not here; but also it would get just as bent even if you had pasted it into spamcop.spam. It is better to not bend it at all to show it to us.

So, 'showing' the spam by pasting it into any newsgroup is no good. The way to show the spam is to paste it into the parser and copy the tracker and paste the tracker in here.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon May 2 18:14:10 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon May 2 18:15:46 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7c8el.4k7.nobody@127.0.0.1...
>
> >> I'd use a hotmail account if it was possible to get one without selling
> >> your soul by having to open a "Passport" account - whatever that is.
> >
> > I think HotMail have discontinued trying this? It was meant to evolve into a
> > PayPal type of thingy but seems to have failed
>
> Quoting from the hotmail signup page (which happens to be hosted on the
> registernet.passport.net domain):
>
> "Complete this form to register for a Hotmail account, which is also a
> Microsoft .NET Passport.
>
> The Hotmail e-mail address and password you create are your .NET
> Passport credentials.
> You'll need them to access your Hotmail account
> and to sign in where you see the .NET Passport sign-in button: [button]"

Technically, signing up and creating a HotMail address automatically puts you into the PassPort 'database' (actually used when trying to login to the HotMail system) ... The intent of this is basically a 'common' account data set, where if you go to another 'location' that is set up to recognize/use the PassPort database, you can log into that site with the existing HotMail account data ... I have no idea what third-party outfits jumped into this, but the PassPort system is used throughout the Microsoft 'empire' ... the various product support groups, development sections, etc ....

You can actually "register" a non-HotMail e-mail address with the PassPort system if you'd actually want to ,,,

From nobody at devnull.spamcop.net Mon May 2 18:18:47 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Mon May 2 18:25:03 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutions may be moving toXO/imedia
In-Reply-To:
References:
Message-ID:

Berny wrote:
> "nospam" wrote in message
> news:BE95B135.14B73%nobody@spamcop.net...
>
>>latest turd for shopping spree/product testers/market research/free
>>satellite TV/free whatever came from XO/Imedia today at 65.182.142.2
>>
>>spamvertizing still from MCI's stealthed server at 63.82.98.35
>>
>>Seems SBewGlobal may have gotten too expensive or didn't like the heat
>>
>>Let's see how many months they give this fscker free reign over there.
>>
>>It might end for me, XO was a famous listwasher if I remember right.
>>
>
>
> Now at PacBell, and the spamvertized sites have moved also to 69.67.72.10
> which isn't nearly as well stealthed as the MCI site was. Also XO is a 3d
> party interested in the sources and the sites, so hopefully we'll see the
> end of this crap soon. At least Software Factory Solutions may be on the
> run.
>
> Well Done CAT

Thanks!
=)

I did finally reach a human at SBC, someone named Dawn S. Her reply was something to the effect of "we do investigate and take action against spammers" followed by something along the lines of "your yahoo account has a bulk folder so you can just let your spam go there, and you never have to report any of it."

Apparently, she mistakenly thinks that I'm gullible enough to believe that just letting it hit the bulk folder will actually send reports to the ISP, or she's just trying to brush it off with a "just hit delete" claim in hopes that she won't have to deal with SBC's irate spam victims. Her comment about just letting it go to the bulk folder and leaving it alone sounded very much like she just didn't want to hear about spamming customers, as if she's just trying to sweep it under the rug to forget about them.

I replied back to her letting her know that I wasn't the average computer illiterate person who would actually believe her claims and that I knew that leaving spam alone in the bulk folder wouldn't actually get the spam reported to the ISP.

After three more SBC spams copied to Dawn S, the SBC spew stopped, and I've started getting the same spam through XO now.

From noah.boddie at newsgroup.nospam Mon May 2 19:39:02 2005
From: noah.boddie at newsgroup.nospam (Dwayne Conyers)
Date: Mon May 2 18:40:04 2005
Subject: [SpamCop-List] The Spamityville Horror...
Message-ID:

Recently noticed some of the web-based BBS' that I read are rapidly being filled with spam -- faster than the moderators can keep up with. This is the "Hey, here's how you can make a million dollars with a shoestring, a bottle cap and a spoonful of faeces" type of spam that only a mental derelict would fall for.

Even worse, a private news server that my company hosts for members of the entertainment industry has been hit multiple times by a spammer who posts in Portuguese.

Why Portuguese?
Are these people really making enough money with their scheiss to persist this way, or izzit a sign of desperation? Is there actually that much profit in idiotic get-rich-quick schemes?

Just blowing off some steam...

--
I Shave With Occams Razor
http://www.dwacon.com

From nospam at dev.null Tue May 3 02:52:45 2005
From: nospam at dev.null (Anty Spam)
Date: Mon May 2 19:50:10 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
References:
Message-ID:

"Berny" wrote in message news:d52624$41c$1@news.spamcop.net...
> for example: domain still misregistered complaint sent March 15 received
> below today.
> ..SNIP ...
>
> domain: WHATSHOULD.COM
> owner-address: daniel lessi
> owner-address: 133 sjsj ed
> owner-address: 90210
> owner-address: edghsuj
> owner-address: California
> owner-address: United States of America
> owner-phone: +1.8434243587
> owner-e-mail: dl1217@gmail.com
> admin-c: DL1021-GANDI
> tech-c: AR41-GANDI
> bill-c: DL1021-GANDI
> nserver: ns3.mail18.biz
> nserver: ns1.xzdns.biz
> nserver: ns2.best-gifts.biz
> nserver: ns4.mail18.biz
> reg_created: 2005-03-12 04:42:31
> expires: 2006-03-12 04:42:31
> created: 2005-03-12 10:42:32
> changed: 2005-03-14 03:55:15
>

No, not mis-registered. Gandi has been doing sweet blow all about it - not unusual.

The report was sent to them, after a time delay, an automated process kicked in from ICANN that sent you the report to verify IF the correction has been made. You will notice that upon clicking on the link, you can add additional details here. These negative follow ups are registered, however as to what is done is an open question. Maybe next year ICANN, upon reviewing the results, might decide to take the matter up with Gandi in the next conference in ...???? 2007??? and ????try???? to resolve.

Frustrating.

You may try: http://rip.gandi.net/index-en.html , but I can guarantee you it will take at least 15 days.
Despite - sorry to do this to you - http://www.icann.org/announcements/advisory-03apr03.htm :-(

However, "IF" you feel like trying to get into a mail argument with the whois chap at Gandi - support-en@support.gandi.net

However, under similar circumstance I got:

"Please use our interface for one or several domains, and take care to argue about false data (which data are false, why). Then come back to me and tell me the complaints links, I will see if I can speed the 15 days delay manually."

I tried - and waited 15 days....

Cheers
E

From f.yaskin at worldnet.att.net Mon May 2 21:07:19 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 20:10:08 2005
Subject: [SpamCop-List] Re: Error-why? with tracking URL
References:
Message-ID:

OK, Mike, I got another with the same format and error from SC.

Here is the tracking url.
This was submitted from ATT Webmail:
http://www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z

And this was submitted from OE
http://www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz
Skip to Reports

So what's up?

"Mike Easter" wrote in message news:d5606b$bmj$1@news.spamcop.net...
> FY wrote:
>
Follow thread above if you are interested

From f.yaskin at worldnet.att.net Mon May 2 21:13:50 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 20:15:04 2005
Subject: [SpamCop-List] Re: Link Resolving Failures
References:
Message-ID:

"A.J." wrote in message news:d4udmn$a4u$1@news.spamcop.net...
> "A.J." wrote in message
> :
> > I've received several spams over the past week or so with hyperlinks like
> > this:
> >
> >
> > > SRC="cid:weovwgph_coafueav_ooeazvze" border="0" ALT="">
> >
> > (From
> > )
> > The line breaks in the URL (but not the extraneous or
> SRC=> tags) are copied verbatim from the original.
> >
> > SpamCop adds a second "http://" to the beginning of this mess when
> > attempting to straighten it out, resulting in:
> >
> > ===
> > Resolving link obfuscation
> > http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/
> > Percent unescape:
> > http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
> > host http (getting name) no name
> > http is not a hostname
> > http is not a hostname
> > ===
> >
> > Manually removing the extra line breaks still leaves SpamCop with a problem:
> >
> > ===
> > Resolving link obfuscation
> > http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/
> > Percent unescape:
> > http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
> > host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com
> > discarded as fake.
> > host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com
> > discarded as fake.
> >
> > Tracking link: http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/
> > [report history]
> > Resolves to 82.114.48.67
> > Routing details for 82.114.48.67
> > [refresh/show] Cached whois for 82.114.48.67 : abuse@tautel.ru
> > Using abuse net on abuse@tautel.ru
> > abuse net tautel.ru = abuse@tautel.ru, postmaster@tautel.ru
> > Using best contacts abuse@tautel.ru postmaster@tautel.ru
> > ===
> >
> > SC interprets the TLD as ending at the "&" following the first ".com"
> > (foztetdpbqm.com), rather than at the next "/" as it should (iliacgnkln.com
> > - the real domain), causing it to interpret the URL as fake. The tracker
> > appears to function correctly; however, using other tools I come up with a
> > different IP address: 218.7.112.241
>
> I noticed today that both of the above issues seem to have been fixed.
>
> WTG SC team!

Or apparently not. See below, same obfuscation. Same failure.
http://www.spamcop.net/sc?id=z759120944z15b5d414a9477214bcf929963c922640z

From MikeE at ster.invalid Mon May 2 18:45:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 20:45:03 2005
Subject: [SpamCop-List] Re: Error-why? with tracking URL
References:
Message-ID:

FY wrote:
> OK, Mike, I got another with the same format and error from SC.
>
> Here is the tracking url.

Good job ;-)

> This was submitted from ATT Webmail:
www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z
>
> And this was submitted from OE
www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz
> Skip to Reports
>
>
> So what's up?

They both show the same condition of a part of what is supposed to be in the body 'squished up' into the header - I also addressed that in the bent one posted here earlier. The bent one also appeared to show a Received traceline folding problem, but these 'true' renditions of the original don't show that -- so I'll assume that the earlier bent one folding problem was an artifact of the posting -- which is what I was 'harping' about.

A very important 'requirement' of headers is the format in which there is a fieldname which is single continuous 'word' without any spaces followed by a colon and a space followed by the field's elements or contents. There can be /properly/ folded lines to allow the field's elements to encompass more than one line, but there can't be anything 'organized' like a fieldname which isn't.

So, if you look at the headerlines of your tracker items, as you get to the bottom of the header, you see that the fieldname condition is 'screwed up' by there being an item which isn't a proper fieldname, namely appearance of a boundary delimiter which belongs in the first part of the body 'squished up' into the header.

There needs to be an empty space between the last proper headerline which is properly constructed with a fieldname and the first line of the body, which in this case is a boundary delimiter.
That's a lot of words to say what this tracker will show:

http://www.spamcop.net/sc?id=z759126058zf2428d7891188485a64b3e4fd44854afz

That header shows a proper header in which all of the fieldnames are properly constructed, and then the last fieldname is Content-Type: and then follows a properly folded content for the fieldname, including that it is distributed on 2 lines appropriately, as is the Received: line further up distributed on 3 lines with leading whitespace.

Then follows an empty line. This is the structural element which was missing before. That empty line separates the headers from the elements of the body.

The first element of the body is the boundary delimiter which was defined in what was the last part of the header in this case, namely the Content-Type -- which defined the boundary delimiter. That first boundary delimiter is known as the 'prologue' or prolog.

The boundary delimiter is followed by a description of what is contained in that boundaried section, which in this case is plaintext. After all of the plaintext comes the last delimiter, in this case -- in some other cases some other kind of delimited section could follow. Here, the last delimiter which is structured appropriately, ends the message body.

SpamCop uses all of that 'stuff' to find things. It pays attention to boundary delimiters and content type descriptors and all that jazz -- so when the stuff is misconstructed, it causes problems in the interpretation.

--
Mike Easter
kibitzer, not SC admin

From onyx0 at gamebox.net Tue May 3 04:25:44 2005
From: onyx0 at gamebox.net (Onyx)
Date: Mon May 2 21:25:23 2005
Subject: [SpamCop-List] Failed delivery nightmare
Message-ID:

Ok, I just received cca 100 messages notifying me of failed delivery of emails I didn't send and they keep coming, woo hoo. Apparently, spammer vermin used email on my domain as a return address for their spam.

Two questions:
1. What would be the best way to deal with this?
2.
Could this possibly get my domain listed on anti-spam lists?

Thank you.

From zypher at spamcop.net Mon May 2 21:36:47 2005
From: zypher at spamcop.net (Ron B.)
Date: Mon May 2 21:40:04 2005
Subject: [SpamCop-List] AOL Filters Block Emergency Weather E-Mails
Message-ID:

AOL Filters Block Emergency Weather E-Mails

POSTED: 3:25 pm CDT May 2, 2005

VERO BEACH, Fla. -- Efforts by one Florida county to put out weather alerts by e-mail have hit a high-tech roadblock: AOL is tagging the messages as spam.

The problem dates back to last year's unusually busy hurricane season when Indian River County was hit by two major storms -- Frances and Jeanne.

Some 4,200 people signed up for the county's e-mail alert service, which offers quick alerts on hurricanes, tornadoes and other weather emergencies.

But a county computer software engineer says because e-mail is sent out in large numbers, "it becomes a pattern for spam senders."

The county is working with AOL to fix the problem. In the meantime, AOL users are being told to put the county's e-mail account in their computer's address book so their computers know to accept the messages.

Copyright 2005 by The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

From f.yaskin at worldnet.att.net Mon May 2 22:47:52 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 21:50:14 2005
Subject: [SpamCop-List] Re: Error-why? Last question
References:
Message-ID:

"Mike Easter" wrote in message news:d56hgh$l0j$1@news.spamcop.net...
> FY wrote:
> > OK, Mike, I got another with the same format and error from SC.
> >
> > Here is the tracking url.
>
> Good job ;-)
>
> > This was submitted from ATT Webmail:
> www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z
> >
> > And this was submitted from OE
> www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz
> > Skip to Reports
> >
> >
> > So what's up?
>
> They both show the same condition of a part of what is supposed to be in
> the body 'squished up' into the header - I also addressed that in the
> bent one posted here earlier. The bent one also appeared to show a
> Received traceline folding problem, but these 'true' renditions of the
> original don't show that -- so I'll assume that the earlier bent one
> folding problem was an artifact of the posting -- which is what I was
> 'harping' about.
> SpamCop uses all of that 'stuff' to find things. It pays attention to
> boundary delimiters and content type descriptors and all that jazz -- so
> when the stuff is misconstructed, it causes problems in the
> interpretation.

OK, got that. Thanks. So, from the lack of interest on SC's part, in reconstituting/decoding formatting that mailreaders seem to have no problem with, I draw the conclusion that SC is much more interested in the SOURCE ISPs of the spam, rather than the morons behind the spamvertised web sites? (Hoping I'm wrong, but hey...Truth and Soul!)

Frank

From MikeE at ster.invalid Mon May 2 20:38:30 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 22:40:21 2005
Subject: [SpamCop-List] Re: Error-why? Last question
References:
Message-ID:

FY wrote:

> OK, got that. Thanks.So, from the lack of interest on SC's part, in
> reconstituting/decoding formatting that mailreaders seem to have no
> problem with, I draw the conclusion that SC is much more interested
> in the SOURCE ISPs of the spam, rather than the morons behind the
> spamvertised web sites? (Hoping I'm wrong , but hey...Truth and Soul!)

However important anyone may think that disrupting the relationships between the spamsites and their providers may be, realize that the various spamfighting tools are designed for specific purposes. If you start trying to drive a nail with a screwdriver, you're going to find that it doesn't work as well as a hammer -- likewise some other tool related examples.
In the case of spamcop, its parser is designed to determine spamsources *primarily* [IMO] and secondarily do things like feed possible relays to the relay testers for 'handling' like testing/listing and to notify providers for spamsources and spamvertisers.

But, while it /notifies/ providers for source and spamvertiser, the notification business is totally toothless except for the toothiness of the provider -- that is, the result of a notify of a whitehat vs grayhat vs blackhat vs pinkhat provider has a very wide range of outcomes -- some of which are better for the spammer/spammersupport than the spammee/notifier.

OTOH -- besides a parser/notifier, SC is something else. SC is maintainer of the SCbl, the blocklist of spamsources; which for various reasons has turned out to be a very powerful blocklist. Powerful because it is popular. Popular because it is unique in its mechanism of listing and delisting compared to the many other db/s.

So, the SCbl is nothing to be sneezed at. It is a blocklist to be respected.

But, the SCbl is simply a blocklist of spamsources. SC doesn't make any kind of list of spamvertisers of similar import. The only thing that SC does with its spamvertisers is to put them on a page. It happens that from that page, a different blocklisting service, sc-surbl 'scrapes' the SC scraped spamvertisers and makes its own list from that. The sc-surbl is *not* a powerful list like the SCbl; but it /is/ a list. There are a lot of lists.

So, what all of that comes down to is that the business which SC performs of finding the spamvertisers in the body isn't as important as the business of SC finding the spamsource -- because the spamsource determination feeds the SCbl, whereas the spamvertiser discoveries tends to notify blackhat providers of things about spamcop reporters and doesn't feed anything very potent at all.
If you want to get into taking action against the business of spamsupport, which is what spamvertiser providers are doing, then you will have to appreciate blocklists which put leverage against them, such as spews and to a lesser extent spamhaus.

What spews does is spews business. What SC does is SC's business. The two lists are very very different and SC's doesn't do anything about spamvertisers or spam support.

--
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Mon May 2 23:46:20 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon May 2 22:50:02 2005
Subject: [SpamCop-List] Re: The Spamityville Horror...
In-Reply-To:
References:
Message-ID:

Dwayne Conyers wrote:

> Recently noticed some of the web-based BBS' that I read are rapidly
> being filled with spam -- faster than the moderators can keep up with.

I would recommend not allowing postings from anything that is known to be an open proxy.

Unfortunately the xbl.spamhaus.org can not be used as a gate for it as it now contains the NJABL dynablock zone which should block most legitimate posters.

And if that does not lower the noise level, start blocking postings from netblocks where spam postings have been received from and post a message that such postings are blocked until their ISP stops all the network abuse.

>
> Why Portuguese?

Apparently the spammers that use other languages have not found it yet.

> Are these people really making enough money with their scheiss to
> persist this way, or izzit a sign of desperation?

Only the ones selling the get rich quick schemes. The ones spamming have usually spent their last cash on buying the spamming kit, and never make back anything close to their initial investment.

> Is there actually that much profit in idiotic get-rich-quick schemes?

Apparently there is in selling the spamming kits, and every time some media article profiles the riches of the "spam kings" there is a rise in the number of suckers that sign up.
Posting a note on the web site that BBS posters must read before posting indicating that the people posting spam are victims of scam artists, and that no one other than the people selling the scam to these victims have ever made any money at it may also help, in your Portuguese case see if you can get that accurately translated.

From postings here and elsewhere, it appears that the people selling the scams are blaming the various anti-spam organizations for the reason that none of their suckers are making any money.

A good scam artist can get some pretty expensive property on a seller financing with only a minimal down payment, and it can take over a decade to evict them for non-payment. It is possible to create quite an illusion of wealth that way.

-John
wb8tyw@qsl.network
Personal Opinion Only

From spamtrap at mrsmith.com Mon May 2 23:50:25 2005
From: spamtrap at mrsmith.com (Mr. Smith)
Date: Mon May 2 22:55:02 2005
Subject: [SpamCop-List] Re: stupid spam of the week
References:
Message-ID:

"Danny Goodman" wrote in message news:mailman.146.1114894446.4572.spamcop-list@news.spamcop.net...
>>> You could at least omit the link or make it unclickable.
>
>> why? What bad happens when you click on it?
>
> Some spammers get paid on click-throughs. Any publicly available link to a
> spamvertised site encourages curious folks to click, perhaps putting coin
> into the spammer's pocket.
>
> Just another one of the insidious, indirect ways that keeps the spam
> economy going while one thinks he or she is doing nothing to contribute.

Well, I kind of can see that. But in the larger scheme of things, if one spammer is simply giving another spammer money, but neither you or I are actually buying anything -- that basically defeats the economic model

But this is all a stretch anyway. Let's be real for a second -- posting a spam link in an anti-spam newsgroup ain't going to do anything. It ain't going support no spammer.
And it certainly ain't not isn't going qualify as "free advertising".

I think we all know that -- this is just shop talk. And I don't see any reason not to post a simple link. I may be naive, but if I post such a link --- I trust you guys to do the right thing.

-Marc

From MikeE at ster.invalid Mon May 2 20:58:08 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 2 23:00:04 2005
Subject: [SpamCop-List] Re: The Spamityville Horror...
References:
Message-ID:

John E. Malmberg wrote:

> Unfortunately the xbl.spamhaus.org can not be used as a gate for it as
> it now contains the NJABL dynablock zone which should block most
> legitimate posters.

No.

xbl is composed of cbl, blitzed opm and most recently one subset of njabl, just the open proxy subset, the 127.0.0.9.

It does not include the other njabl returns, .2 open relays, .3 dynamics, .4 spamsources, .5 multistage relays, or .8 script sources.

That is my understanding based on the words at spamhaus which say "the NJABL open proxy IPs list from www.njabl.org"

I do not have any specific confirmation of that opinion of mine from anyone else. I posted it in a discussion in alt.spam and no one rebutted it there.

--
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Tue May 3 00:13:09 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon May 2 23:15:03 2005
Subject: [SpamCop-List] Re: Failed delivery nightmare
In-Reply-To:
References:
Message-ID:

Onyx wrote:
> Ok, I just received cca 100 messages notifying me of failed delivery of
> emails I didn't send and they keep coming, woo hoo. Apparently, spammer
> vermin used email on my domain as a return address for their spam.
>
> Two questions:
> 1. What would be the best way to deal with this?

First of all, check your mail server to make sure that it will not relay for a spammer forging a real user on your domain.
Apparently there is a popular mail server software out there that is designed to do that and there is no way to disable that feature except to enable SMTP-AUTH for all e-mail. This is what I have picked up from the admin(at)dsbl.org list's public archives. Then assuming that your mail server is not the one that is affected by this feature: File abuse reports about the delayed bounces with each mail server that is doing the delayed bounce. Such delayed bounces are not reportable by spamcop.net: See a recent post in spamcop.help by Larry Kilgallen for a sample text: : As I report that spam (the message claiming I sent a message " I did not) I include something like the following text in my : SpamCop report: Believe it or not, spammers lie. Please adjust your software to not send these meaningless warnings blindly to the "From:" address, but instead respond within the SMTP dialog, so your comments get to the actual originator rather than pestering an innocent bystander. While the bounces are allowed by RFC, it is from a time when third party open relays were also allowed. Most mail servers do an SMTP reject, which means that any bounce message will come from the original sending mail server, and the only ones of those that are relaying spam are either the domain that should receive the abuse report of one of their users, or an open relay. Open relays should be blocked on site. When mail servers do not do an SMTP reject, and do an accept and bounce, then they are participating in a DDOS to victims like you. There have also been several recent posts on news.admin.net-abuse.email about the practice of abusive bouncing of spam. There are some mail server operators that claim that it is not practical to convert to SMTP rejects instead of bouncing. 
These mail server operations must be bigger than AOL.COM which had several years ago announced on the SPAM-L mailing list that they recognized that such bounces were abusive to the rest of the internet and were switching over to only using SMTP rejects.

It seems that for every example of someone claiming that their network is too large to convert, an example can be found of a larger network that did so.

And I suspect that it is a much lower operational cost to use SMTP rejects instead of doing the accept and then bouncing.

> 2. Could this possibly get my domain listed on anti-spam lists?

Only if the mail server operator is either incompetent, or is so small that it is unlikely that they will ever receive a legitimate e-mail from your domain.

According to posts on news.admin.net-abuse.email, even the conservative spamhaus.org will eventually list I.P. addresses that bounce spam to forged addresses.

It is far more likely that the I.P. addresses of the mail servers that are bouncing the spam will get put on local and public blocking lists than the I.P. address of your domain.

Most medium to large mail servers pay a metered rate for their bandwidth, and accepting fake bounces or spam needlessly increases their operating costs. So if the only e-mail they have ever seen from an I.P. address is spam or fake bounces, many mail server operators that are paying for bandwidth out of their profits or pockets will block that I.P. address.

-John
wb8tyw@qsl.network
Personal Opinion Only

From wb8tyw at qsl.network Tue May 3 00:20:16 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon May 2 23:25:02 2005
Subject: [SpamCop-List] Re: The Spamityville Horror...
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> John E. Malmberg wrote:
>
>
>>Unfortunately the xbl.spamhaus.org can not be used as a gate for it as
>>it now contains the NJABL dynablock zone which should block most
>>legitimate posters.
>
> No.
> > xbl is composed of cbl, blitzed opm and most recently one subset of > njabl, just the open proxy subset, the 127.0.0.9. > > It does not include the other njabl returns, .2 open relays, .3 > dynamics, .4 spamsources, .5 multistage relays, or .8 script sources. > > That is my understanding based on the words at spamhaus which say "the > NJABL open proxy IPs list from www.njabl.org" > > I do not have any specific confirmation of that opinion of mine from > anyone else. I posted it in a discussion in alt.spam and no one > rebutted it there. If you can get a clarification please post. I do notice that spamhaus.org representatives post in the news.admin.net-abuse.email occasionally, but there is a lot of noise there. But it does indicate a risk of using an anti-spam blocking list for other purposes. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Tue May 3 01:40:58 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue May 3 01:45:31 2005 Subject: [SpamCop-List] Re: Error-why? Last question References: Message-ID: "Mike Easter" wrote in message news:d56o3h$oia$1@news.spamcop.net... gmail From rg at nospam.please Tue May 3 02:46:05 2005 From: rg at nospam.please (rg) Date: Tue May 3 01:50:05 2005 Subject: [SpamCop-List] ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.) Message-ID: Below is the report for http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz You will notice the section: Resolving link obfuscation http://ieypzkbc.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 http://ohgbtn.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 I have to submit them separately: http://www.spamcop.net/sc?track=http%3A%2F%2Fohgbtn.tatzwz.info%2F%3F29f3922cb8d56f5cd48f092a595a8f47%0D%0A Then resubmit and cancel the spam report a few times before it finally ends up resolving. SUGGESTION: Increase the DNS timeout and retry numbers! Thanks! 
Report follows as copied from my PC, since you can't tell what will resolve when you use the report link: Help | Site Map | Text size: - + rgerharz Report Spam Mailhosts Statistics Past Reports Preferences SpamCop v 1.439 (C) Ironport Systems Inc., 1998-2005 , All rights reserved. Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz Skip to Reports Received: from a213-22-193-212.netcabo.pt ([213.22.193.212]) by rwcrmxc18.comcast.net (rwcrmxc18) with SMTP id <20050502191935r1800ftreoe>; Mon, 2 May 2005 19:19:59 +0000 X-Originating-IP: [213.22.193.212] From: "Viola Bain" Reply-To: "Viola Bain" To: x, x, x, x, x, x, x, x, x, x Subject: Isidro said hi Date: Mon, 02 May 2005 15:19:31 -0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--77996649553783422" View entire message Parsing header: Received: from a213-22-193-212.netcabo.pt ([213.22.193.212]) by rwcrmxc18.comcast.net (rwcrmxc18) with SMTP id <20050502191935r1800ftreoe>; Mon, 2 May 2005 19:19:59 +0000 213.22.193.212 found host 213.22.193.212 (getting name) = a213-22-193-212.netcabo.pt. a213-22-193-212.netcabo.pt is 213.22.193.212 Possible spammer: 213.22.193.212 Received line accepted Tracking message source: 213.22.193.212: Routing details for 213.22.193.212 [refresh/show] Cached whois for 213.22.193.212 : abuse@tvcabo.pt Using abuse net on abuse@tvcabo.pt abuse net tvcabo.pt = abuse@tvcabo.pt, postmaster@tvcabo.pt, abuse@netcabo.pt Using best contacts abuse@tvcabo.pt postmaster@tvcabo.pt abuse@netcabo.pt postmaster@tvcabo.pt redirects to abuse@tvcabo.pt Yum, this spam is fresh! Message is 0 hours old 213.22.193.212 not listed in dnsbl.njabl.org 213.22.193.212 not listed in dnsbl.njabl.org 213.22.193.212 not listed in cbl.abuseat.org 213.22.193.212 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 213.22.193.212 not listed in relays.ordb.org. 
213.22.193.212 not listed in query.bondedsender.org 213.22.193.212 not listed in iadb.isipp.com Finding links in message body Recurse multipart: Parsing HTML part Resolving link obfuscation http://ieypzkbc.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 http://ohgbtn.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 Please make sure this email IS spam: From: "Viola Bain" (Isidro said hi) ----77996649553783422 Content-Type: text/html; View full message Report Spam to: Re: 213.22.193.212 (Administrator of network where email originates) To: abuse@netcabo.pt (Notes) To: abuse@tvcabo.pt (Notes) Re: 213.22.193.212 (Third party interested in email source) To: Cyveillance spam collection (Notes) Additional notes (optional - max 2000 characters): ATTENTION: Report only those e-mail addresses and web sites that you think your spammer has used. Avoid checking any boxes left empty unless you know that your spammer has used the addresses or sites thus identified. Each false report that you submit means wasted time for a network administrator, so take care. The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously. Comments for:abuse@netcabo.pt (213.22.193.212) Return to report Comments for:abuse@tvcabo.pt (213.22.193.212) Return to report Comments for:spamcop@imaphost.com (213.22.193.212) Return to report (C) Ironport Systems Inc., 1998-2005 , All rights reserved. HTML4 / CSS2 Firefox recommended - Policies and Disclaimers From nobody at nowhere.invalid Tue May 3 11:21:50 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 3 04:25:41 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare References: Message-ID: On Mon, 02 May 2005 23:13:09 -0400, John E. Malmberg coughed into spamcop and left this in : > Such delayed bounces are not reportable by spamcop.net They are now, and have been for a few months. -- Steve I haven't lost my mind; I know exactly where I left it. 
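
The DNSBL mechanics behind the "Spamityville Horror" posts and the "listed in dnsbl.sorbs.net ( 127.0.0.10 )" lines of the parser report above, as an added example that is not code from any poster, SpamCop, Spamhaus or NJABL: the lookup name is the reversed IPv4 octets under the zone, and the 127.0.0.x answer says which sublist matched, so a forum gate can refuse open proxies without also refusing dynamic addresses. The code meanings are the ones Mike Easter lists; `gate_posting`, the injected resolver and the sample zone data are constructed for illustration so the block runs offline.

```python
import ipaddress
import socket

# NJABL return codes as listed in Mike Easter's post (last octet of 127.0.0.x).
NJABL_CODES = {
    2: "open relay",
    3: "dynamic",
    4: "spam source",
    5: "multistage relay",
    8: "script source",
    9: "open proxy",
}
LIST_ANSWERS = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNS name to look up: reversed octets followed by the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for name, or [] when the lookup gives no answer.

    A resolver failure is indistinguishable from "not listed" here, so a
    gate built on it fails open.
    """
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def listing_codes(ip, zone, resolve=system_resolver):
    """Return the set of 127.0.0.x last octets the zone answers for ip."""
    codes = set()
    for answer in resolve(dnsbl_query_name(ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        # Only 127.0.0.0/8 answers are list results; anything else (for
        # example a wildcarded zone) is ignored rather than counted as a hit.
        if addr in LIST_ANSWERS:
            codes.add(int(addr) & 0xFF)
    return codes


def gate_posting(ip, zone, block_codes=frozenset({9}), resolve=system_resolver):
    """Decide whether a web posting from ip is refused.

    Returns (blocked, reasons). By default only the open proxy code blocks;
    the other listings are reported but do not refuse the poster.
    """
    codes = listing_codes(ip, zone, resolve)
    reasons = [NJABL_CODES.get(c, "code %d" % c) for c in sorted(codes)]
    return bool(codes & set(block_codes)), reasons


# Constructed sample zone data (documentation-range addresses, RFC 5737).
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.njabl.org": ["127.0.0.9"],               # open proxy
    "20.2.0.192.dnsbl.njabl.org": ["127.0.0.3"],               # dynamic only
    "30.2.0.192.dnsbl.njabl.org": ["127.0.0.3", "127.0.0.9"],  # both
}


def sample_resolver(name):
    """Offline stand-in for a DNS lookup against the constructed zone."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, gate_posting(ip, "dnsbl.njabl.org", resolve=sample_resolver))
```

Passing `block_codes={3, 9}` reproduces the concern raised in the thread: the dial-up poster at 192.0.2.20 is then refused along with the proxies.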
From m at remove.this.part.rtij.nl Tue May 3 12:27:50 2005
From: m at remove.this.part.rtij.nl (Martijn Lievaart)
Date: Tue May 3 05:31:10 2005
Subject: [SpamCop-List] Re: Failed delivery nightmare
References:
Message-ID:

On Tue, 03 May 2005 03:25:44 +0200, Onyx wrote:

> Two questions:
> 1. What would be the best way to deal with this?

- Get rid of any catch all domains
- Firewall the worst bouncers, maybe after an email telling them to fix their systems.
- Inform your ISP, they may get bogus complaints.
- Other than that, not much you can do I'm afraid.

> 2. Could this possibly get my domain listed on anti-spam lists?

No, not very likely. It happens every day to someone.

M4
--
Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering
their time inventing and implementing new, exciting ways for software
to suck.
-- Toni Lassila in the Monastry

From m at remove.this.part.rtij.nl Tue May 3 12:29:58 2005
From: m at remove.this.part.rtij.nl (Martijn Lievaart)
Date: Tue May 3 05:35:06 2005
Subject: [SpamCop-List] Re: The Spamityville Horror...
References:
Message-ID:

On Mon, 02 May 2005 23:20:16 -0400, John E. Malmberg wrote:

> But it does indicate a risk of using an anti-spam blocking list for
> other purposes.

I recommended this approach (blocking open proxies based on a dnsbl) to a friend of mine who moderates a forum and he has been very satisfied with the results.

M4
--
Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering
their time inventing and implementing new, exciting ways for software
to suck.
-- Toni Lassila in the Monastry

From wb8tyw at qsl.network Tue May 3 07:51:42 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Tue May 3 06:55:03 2005
Subject: [SpamCop-List] Re: Failed delivery nightmare
In-Reply-To:
References:
Message-ID:

Steven Maesslein wrote:
> On Mon, 02 May 2005 23:13:09 -0400, John E. Malmberg coughed into
> spamcop and left this in :
>>Such delayed bounces are not reportable by spamcop.net
>
> They are now, and have been for a few months.

A typo on my part, I meant to type now instead of not. In this case though it may not have been obvious.

-John
wb8tyw@qsl.network
Personal Opinion Only

From Ilgaz at spamcop.net Tue May 3 14:54:24 2005
From: Ilgaz at spamcop.net (Ilgaz)
Date: Tue May 3 06:55:08 2005
Subject: [SpamCop-List] Re: AOL Filters Block Emergency Weather E-Mails
References:
Message-ID:

On 2005-05-03 04:36:47 +0300, "Ron B." said:

>
> AOL Filters Block Emergency Weather E-Mails
>
> POSTED: 3:25 pm CDT May 2, 2005
>
> VERO BEACH, Fla. -- Efforts by one Florida county to put out weather
> alerts by e-mail have hit a high-tech roadblock: AOL is tagging the
> messages as spam.
>
> The problem dates back to last year's unusually busy hurricane season
> when Indian River County was hit by two major storms -- Frances and
> Jeanne.
>
> Some 4,200 people signed up for the county's e-mail alert service,
> which offers quick alerts on hurricanes, tornadoes and other weather
> emergencies.
>
> But a county computer software engineer says because e-mail is sent out
> in large numbers, "it becomes a pattern for spam senders."
>
> The county is working with AOL to fix the problem. In the meantime, AOL
> users are being told to put the county's e-mail account in their
> computer's address book so their computers know to accept the messages.
>
> Copyright 2005 by The Associated Press. All rights reserved. This
> material may not be published, broadcast, rewritten or redistributed.

You must know how many morons out there marking stuff as "Spam" from the lists/stuff they SIGNED UP for. Could be a factor too.

E.g. I missed a very critical update from a very known, awarded OS X software house, Panic.com because of those yahoo morons clicking "its spam" It ended up in junk folder of Yahoo. :)

I think there should be a way/method developed for those clueless.
They can mark spam whatever they like, others won't be affected after a certain point of false positives by them

Ilgaz Ocal

From smjg_1998 at yahoo.com Tue May 3 15:18:27 2005
From: smjg_1998 at yahoo.com (Stewart Gordon)
Date: Tue May 3 09:20:05 2005
Subject: [SpamCop-List] A novel approach to spamming
Message-ID:

A spammer's come up with an interesting idea. Rather than just sending the spam content, this one told a joke. And it even had a topical subject line - so at first glance it looks like the kind of email a friend might pass on. That's until you get to the bottom, where the Stupid Person's AdvertiseMent itself is found.

Nonetheless, Entourage managed to mark it as spam. Though very probably by the rule I set up rather than by its own heuristics.

Has anyone else had anything like this?

Just noticed at the very bottom:

"Click on this link to keep up my beginning of making spam not so boring thing. Have a nice day."

Hmm.... Well, at least it's another novel thing that this person actually admits spamming....

Stewart.

PS For those who are interested and not yet sick of the same thing as the character in the joke, I've posted it over on .social.

--
My e-mail is valid but not my primary mailbox. Please keep replies on the 'group where everyone may benefit.

From m at remove.this.part.rtij.nl Tue May 3 16:43:09 2005
From: m at remove.this.part.rtij.nl (Martijn Lievaart)
Date: Tue May 3 09:50:04 2005
Subject: [SpamCop-List] Re: The Spamityville Horror...
References:
Message-ID:

On Tue, 03 May 2005 11:29:58 +0200, Martijn Lievaart wrote:

> On Mon, 02 May 2005 23:20:16 -0400, John E. Malmberg wrote:
>
>> But it does indicate a risk of using an anti-spam blocking list for
>> other purposes.
>
> I recommended this approach (blocking open proxies based on a dnsbl) to
> a friend of mine who moderates a forum and he has been very satisfied with
> the results.

Followup on self, see also nanabl, thread "The MCI problem", specifically msgid

M4
--
Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering
their time inventing and implementing new, exciting ways for software
to suck.
-- Toni Lassila in the Monastry

From not at home.today Tue May 3 16:01:21 2005
From: not at home.today (Ant)
Date: Tue May 3 10:05:04 2005
Subject: [SpamCop-List] Re: ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.)
References:
Message-ID:

"rg" wrote:

> Below is the report for
> http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz
>
> You will notice the section:
> Resolving link obfuscation
[...]

Yes, and no information is given about what the parser did with those links before the "Please make sure this email IS spam" message. I first noticed this in the middle of March this year, and reported it here with the subject "Links found, but not parsed". The problem continues to regularly occur, but no Spamcop person has commented on it to my knowledge.

> I have to submit them separately:
[...]
> Then resubmit and cancel the spam report a few times before it finally ends
> up resolving.

You don't need to cancel. Just refresh the parse page in your browser or go to the "report spam" link if you've visited another page, and you can then follow the "unreported spam, report now" link.

I will sometimes resolve the spamvertized URLs separately, or refresh the parse once, but if the links still aren't resolved I submit the report anyway. It's not worth the hassle.

> SUGGESTION: Increase the DNS timeout and retry numbers!

I'm not sure if this is the problem. My understanding is that when a lookup times out you get a message "unable to resolve..."

[report snipped]

From ron.shafii at hossequipment.com Tue May 3 10:38:03 2005
From: ron.shafii at hossequipment.com (Ron Shafii)
Date: Tue May 3 10:40:04 2005
Subject: [SpamCop-List] spam posed as returned mail
Message-ID:

The last 2 weeks I've been receiving SPAM to tune of hundreds posed as RETURNED TO SENDER or Block Email with a virus attached.
The virus name, origination IP and subject are not very consistent, therefore creating rules to bounce the mail is difficult. What is consistent is the means by which our spam server accepts these messages and quarantines them. The message itself is posed as a Return To Sender or Bounced email. If it weren't for blocking all attachments there's a good chance it wouldn't even get caught in our spam server and would get sent to the end user. Currently we are using Imail server from IPswitch. When I submit this SPAM to spamcop it also detects my mail server as a possible source of SPAM. Thanks ahead of time for any constructive reponses. below are two examples; Received: from lkhqo.net [216.227.86.141] by mail.dozernet.com (SMTPD-8.20) id A5A2025C; Tue, 03 May 2005 09:07:30 -0500 From: info@cvip.net To: joan@hossequipment.com Date: Tue, 03 May 2005 13:34:33 UTC Subject: FwD: Your email was blocked Importance: Normal X-Priority: 3 (Normal) Message-ID: <5f6e.9ed8efa32e23da7@hossequipment.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="======c0cd44.0fabda1e2eb" Content-Transfer-Encoding: 7bit This is a multi-part message in MIME format. X-IMAIL-SPAM-DNSBL: (v6net,85a2009e00002886,65.77.130.111) X-RCPT-TO: Status: U X-IMail-Rule: B~name=.{1,30}\.zip!AND!F!~dummy:dummy-File_Attachments@dozernet.com Data- NAME=ERROR-MAIL_INFO.ZIP X-UIDL: 411163348 X-IMail-ThreadID: 85a2009e00002886 This is an automatically generated E-Mail Delivery Status Notification. 
Mail-Header, Mail-Body and Error Description are attached error-mail_info.zip (Binary attachment) the zip file contains W32.Sober.O@mm ------------------------------------------- Here's Another ------------------------------------------- Received: from smtp1.dnb.com [204.254.175.106] by mail.dozernet.com with ESMTP (SMTPD-8.20) id AAF3048C; Mon, 02 May 2005 22:07:31 -0500 Received: from unknown (0.0.0.0) by smtp1.dnb.com with ; 02 May 2005 23:07:53 -0400 Date: 02 May 2005 23:07:53 -0400 To: postmaster@dozernet.com From: Mail Delivery System Subject: Delivery Status Notification (Failure) MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="8327904216949392.unknown" Message-Id: <200505022207424.SM03464@smtp1.dnb.com> X-IMAIL-SPAM-DNSBL: (v6net,eaf30149000007e0,65.77.130.111) X-RCPT-TO: Status: U X-IMail-Rule: B~name=.{1,30}\.zip!AND!F!~dummy:dummy-File_Attachments@dozernet.com Data- NAME=ERROR-MAIL_INFO.ZIP X-UIDL: 411163241 X-IMail-ThreadID: eaf30149000007e0 The following message to was undeliverable. The reason for the problem: 5.1.1 - Bad destination email address 'ldap reject' Final-Recipient: rfc822;csc.austral@dnb.com Action: failed Status: 5.0.0 (permanent failure) Diagnostic-Code: smtp; 5.1.1 - Bad destination email address 'ldap reject' (delivery attempts: 0) Reporting-MTA: dns; unknown This is an automatically generated E-Mail Delivery Status Notification. Mail-Header, Mail-Body and Error Description are attached error-mail_info.zip (Binary attachment) From onyx0 at gamebox.net Tue May 3 18:27:14 2005 From: onyx0 at gamebox.net (Onyx) Date: Tue May 3 11:30:04 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare References: Message-ID: John E. Malmberg wrote: > First of all, check your mail server to make sure that it will not > relay for a spammer forging a real user on your domain. 
> Apparently there is a popular mail server software out there that is
> designed to do that and there is no way to disable that feature except
> to enable SMTP-AUTH for all e-mail.

I don't run my own, I use mail server from my hosting provider. The originating IP's of spam messages with my forged domain name are from all over the world..

> Then assuming that your mail server is not the one that is affected by
> this feature:
>
> File abuse reports about the delayed bounces with each mail server
> that is doing the delayed bounce.

Hello carpal tunnel syndrome... Besides bounces, I also got a fair number of those i'm-away autoresponders, they seem to be popular as well.

Thanks to all for good info and help.

From MikeE at ster.invalid Tue May 3 09:48:43 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 3 11:50:03 2005
Subject: [SpamCop-List] Re: spam posed as returned mail
References:
Message-ID:

Ron Shafii wrote:

> The last 2 weeks I've been receiving SPAM to tune of hundreds posed as
> RETURNED TO SENDER or Block Email with a virus attached.

> below are two examples;

First, a housekeeping issue.

For various reasons, spam and spamlike and other mailitems are not 'supposed to be' posted into the discussion groups; but instead they are supposed to be submitted to the parser to get a tracking url and the tracker posted here and the report cancelled. As a weak alternative, the newsgroup spamcop.spam has been designated for pasting such items into news messages. Then that message would be referred to and discussed here, not discussed there in .spam.

Second, about these items you posted here.

Altho' you didn't completely describe their structure sufficiently for me to be sure, I think they are of 2 different types. The first one is simply a virus propagation 'dressed up' in a DSN [delivery status notification] suit. That is, a fake DSN.
It looks like the 2nd one is actually a DSN of a fake DSN, but I would have to see the complete originals [as a tracker url, not pasted here] to be sure.

Third, about this remark

> When I submit this SPAM to spamcop it also detects my mail server as a
> possible source of SPAM.

That doesn't make sense. I'm assuming your mailserver is dozernet and that it is serving your hossequipment domain. I can't see how the parser would name hoss or dozer as the source of either of those headers.

This is a tracker for the first one, to demonstrate what a tracking url is/looks like/ and to show you that your server isn't named as source.

http://www.spamcop.net/sc?id=z759331281za04d52c564dc5a70d5b2a2174c620adbz

> Thanks ahead of time for any constructive responses.

--
Mike Easter
kibitzer, not SC admin

From dannyg at dannyg.com Tue May 3 10:14:52 2005
From: dannyg at dannyg.com (Danny Goodman)
Date: Tue May 3 12:15:08 2005
Subject: [SpamCop-List] Re: stupid spam of the week
In-Reply-To: <200505030545.j435jmRu083946@dannyg.com>
Message-ID:

> But in the larger scheme of things, if one
> spammer is simply giving another spammer money, but neither you or I are
> actually buying anything -- that basically defeats the economic model

I think the spammers who sell spammer kits and services to wannabe spammers would disagree. So would mortgage spammers (who get paid handsomely for filled-out leads apps, not completed mortgages--no coin out of the spammee's pocket).

Wherever money changes hands profitably, the recipient has an incentive to continue. The spam economy thrives on far more than sales of creams, medz, inkjet carts, and JackRabbits.

Danny
http://www.dannyg.com
http://www.spamwars.com

From borgholio at storymind.com Tue May 3 11:56:12 2005
From: borgholio at storymind.com (Borgholio)
Date: Tue May 3 14:00:03 2005
Subject: [SpamCop-List] Quick reporting via email?
Message-ID:

I forgot...how do I submit spam via email for quick-reporting?

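
The distinction drawn in the "spam posed as returned mail" thread above, between a virus dressed up as a DSN and a real server's DSN about such a message, can be checked from MIME structure alone. This is an added example, not code from any poster or from SpamCop: a DSN as defined by RFC 3464 is `multipart/report; report-type=delivery-status` with a `message/delivery-status` part, and the worm in the first pasted item is `multipart/mixed` with a zip. The function name, verdict labels, keyword list and both sample messages are constructed here, modelled on the headers Ron Shafii pasted.

```python
import email
import re
from email.message import Message

RISKY_EXT = (".zip", ".exe", ".scr", ".pif", ".com", ".bat")
BOUNCE_WORDS = re.compile(
    r"delivery status notification|undeliverable|returned mail|was blocked", re.I)
STATUS_CODE = re.compile(r"\b[245]\.\d{1,3}\.\d{1,3}\b")


def triage_bounce(raw):
    """Classify a message that presents itself as a bounce.

    Returns {"verdict", "statuses", "attachments"}; verdict is one of
    dsn, dsn-carrying-attachment, fake-dsn, not-a-bounce.
    """
    msg = email.message_from_string(raw)
    report_type = str(msg.get_param("report-type") or "").lower()
    is_report = (msg.get_content_type() == "multipart/report"
                 and report_type == "delivery-status")
    has_status_part = False
    statuses, attachments, text = [], [], [msg.get("Subject", "")]
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status":
            has_status_part = True
            # Each header block of this part is parsed into its own Message.
            for block in part.get_payload():
                if isinstance(block, Message):
                    found = STATUS_CODE.search(block.get("Status", ""))
                    if found:
                        statuses.append(found.group(0))
            continue
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXT):
            attachments.append(name.lower())
        elif ctype == "text/plain" and not part.is_multipart():
            body = part.get_payload(decode=True) or b""
            text.append(body.decode("ascii", "replace"))
    if is_report and has_status_part:
        # A real MTA wrote this; an attachment means it bounced someone's
        # forged mail back, payload included.
        verdict = "dsn-carrying-attachment" if attachments else "dsn"
    elif any(BOUNCE_WORDS.search(t) for t in text):
        verdict = "fake-dsn"  # bounce wording without the RFC 3464 structure
    else:
        verdict = "not-a-bounce"
    return {"verdict": verdict, "statuses": statuses, "attachments": attachments}


# Constructed samples; the zip bodies are four placeholder bytes.
FAKE_DSN = """\
From: info@example.net
To: joan@example.com
Subject: FwD: Your email was blocked
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b0"

--b0
Content-Type: text/plain

This is an automatically generated E-Mail Delivery Status Notification.

--b0
Content-Type: application/octet-stream; name="error-mail_info.zip"
Content-Disposition: attachment; filename="error-mail_info.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b0--
"""

BOUNCED_FAKE = """\
From: MAILER-DAEMON@mx.example.org
To: postmaster@example.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The following message was undeliverable.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.org

Final-Recipient: rfc822;nobody@example.org
Action: failed
Status: 5.0.0 (permanent failure)

--b1
Content-Type: application/octet-stream; name="error-mail_info.zip"
Content-Disposition: attachment; filename="error-mail_info.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

if __name__ == "__main__":
    for label, raw in (("first item", FAKE_DSN), ("second item", BOUNCED_FAKE)):
        print(label, triage_bounce(raw))
```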
From MikeE at ster.invalid Tue May 3 12:07:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 3 14:10:03 2005
Subject: [SpamCop-List] Re: Quick reporting via email?
References:
Message-ID:

Borgholio wrote:

> I forgot...how do I submit spam via email for quick-reporting?

Quick reporting is disabled due to careless use.

... but you can beseech admin for access at service admin.SC on a casebycase basis

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue May 3 15:13:25 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Tue May 3 14:15:03 2005
Subject: [SpamCop-List] Re: A novel approach to spamming
References:
Message-ID:

"Stewart Gordon" wrote in message

> A spammer's come up with an interesting idea. Rather than just sending
> the spam content, this one told a joke. And it even had a topical
> subject line - so at first glance it looks like the kind of email a
> friend might pass on.

Received a similar last week. Munged it abusively and posted it in .spam. Some say that having had all the offensive parts so munged it is actually ROTFL funny. Unfortunately something or other got screwed up in the munging and then the parser would not parse it, so I could not post a tracker.

Where, oh where, did I go wrong...

Glenn

From ron.shafii at hossequipment.com Tue May 3 14:18:50 2005
From: ron.shafii at hossequipment.com (Ron Shafii)
Date: Tue May 3 14:20:03 2005
Subject: [SpamCop-List] Re: spam posed as returned mail
References:
Message-ID:

Mr. Easter thanks a lot for the tips. Sorry for not following the rules. I was a little hesitant revealing my mailserver info online anyhow. too late.

here's a link from SPAMCOP regarding the spam I previously mentioned, which was parsing our ip address as a possible source of spam.

http://www.spamcop.net/sc?id=z759369967zf5f08711459561ae426f911b4e192414z
http://www.spamcop.net/sc?id=z759371087z622d4f17d0a654ca301570c73e40e43fz

I wonder if I am misreading it.
www.hossequipment.com (Administrator of network hosting website referenced in spam) Is this sending a copy of the email back to me or is it parsing me as a spammer? Sorry if I am lame at this, but I'm new to SPAM techniques and prevention. "Mike Easter" wrote in message news:d586d6$pjh$1@news.spamcop.net... > Ron Shafii wrote: > >> The last 2 weeks I've been receiving SPAM to tune of hundreds posed as >> RETURNED TO SENDER or Block Email with a virus attached. > >> below are two examples; > > First, a housekeeping issue. > > For various reasons, spam and spamlike and other mailitems are not > 'supposed to be' posted into the discussion groups; but instead they > are supposed to be submitted to the parser to get a tracking url and the > tracker posted here and the report cancelled. As a weak alternative, > the newsgroup spamcop.spam has been designated for pasting such items > into news messages. Then that message would be referred to and > discussed here, not discussed there in .spam. > > Second, about these items you posted here. > > Altho' you didn't completely describe their structure sufficiently for > me to be sure, I think they are of 2 different types. The first one is > simply a virus propagation 'dressed up' in a DSN [delivery status > notification] suit. That is, a fake DSN. It looks like the 2nd one is > actually a DSN of a fake DSN, but I would have to see the complete > originals [as a tracker url, not pasted here] to be sure. > > Third, about this remark > >> When I submit this SPAM to spamcop it also detects my mail server as a >> possible source of SPAM. > > That doesn't make sense. I'm assuming your mailserver is dozernet and > that it is serving your hossequipment domain. I can't see how the > parser would name hoss or dozer as the source of either of those > headers. > > This is a tracker for the first one, to demonstrate what a tracking url > is/looks like/ and to show you that your server isn't named as source. 
>
> http://www.spamcop.net/sc?id=z759331281za04d52c564dc5a70d5b2a2174c620adbz
>
>> Thanks ahead of time for any constructive responses.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From MikeE at ster.invalid Tue May 3 12:41:37 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 3 14:40:22 2005
Subject: [SpamCop-List] Re: spam posed as returned mail
References:
Message-ID:

Ron Shafii wrote:
> here's a link from SPAMCOP regarding the spam I previously mentioned,
> which was parsing our ip address as a possible source of spam.

www.spamcop.net/sc?id=z759369967zf5f08711459561ae426f911b4e192414z

What you are seeing about hoss is that the parser parses for source, which
is 209.177.232.252 rDNS nsc209.177.232-252.newsouth.net at NewSouth
Communications notify abuse@nuvox.net abuse@newsouth.net
postmaster@newsouth.net (for newsouth.net)

... and also provides a notify addy for any links it finds in the body,
presuming the links are a spamvertiser -- while cautioning you to be sure
that the item is spam. The link in the body is a trailer attached by your
AV agent which has your hossequipment website's URL. SC sees the URL and is
providing an address to notify the provider for hoss.

If your AV scanner is normally able to look inside zip attachments, then it
needs to be updated for the sober if it isn't recognizing its viral
template.

www.spamcop.net/sc?id=z759371087z622d4f17d0a654ca301570c73e40e43fz

This is the same condition and the same source 209.177.232.252 at newsouth
and also shows your hoss website URL in the body in the AV stamped trailer.

> www.hossequipment.com (Administrator of network hosting website
> referenced in spam)
>
> Is this sending a copy of the email back to me or is it parsing me as
> a spammer?

If you feed that item to the parser as a spam and it contains your website
in the trailer, SC is going to offer to notify the provider for hoss unless
you uncheck it.
It will also put that URL on its statistics page where another blocklister
of spamvertised websites will pick it up for inclusion in its listing of
spamvertisers.

Whenever you see an IB innocent bystander named as a spamvertiser in a
parse, including your own, you should uncheck it for notification as
spamvertiser, as it is not a spamvertiser.

> Sorry if I am lame at this, but I'm new to SPAM techniques and
> prevention.

SpamCop parses spams to notify for spamsource and spamvertisers. The
algorithm can't read, so it doesn't know what the body of the item sez, and
it is up to the alert spamcop reporter to oversee what the algorithm is
offering to report about.

--
Mike Easter
kibitzer, not SC admin

From borgholio at storymind.com Tue May 3 12:48:44 2005
From: borgholio at storymind.com (Borgholio)
Date: Tue May 3 14:50:04 2005
Subject: [SpamCop-List] Re: Quick reporting via email?
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Borgholio wrote:
>
>>I forgot...how do I submit spam via email for quick-reporting?
>
>
> Quick reporting is disabled due to careless use.
>
> ... but you can beseech admin for access at service admin.SC on a
> casebycase basis
>

What's the address?

From MikeE at ster.invalid Tue May 3 12:56:25 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 3 14:55:05 2005
Subject: [SpamCop-List] Re: Quick reporting via email?
References:
Message-ID:

Borgholio wrote:
> Mike Easter wrote:
>> ... but you can beseech admin for access at service admin.SC on
>> a casebycase basis
>
> What's the address?

Errm.... what I sed: service at admin dot spamcop dot net.

--
Mike Easter
kibitzer, not SC admin

From borgholio at storymind.com Tue May 3 12:59:35 2005
From: borgholio at storymind.com (Borgholio)
Date: Tue May 3 15:00:04 2005
Subject: [SpamCop-List] Re: Quick reporting via email?
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Borgholio wrote:
>
>>Mike Easter wrote:
>
>
>>>... but you can beseech admin for access at service admin.SC on
>>>a casebycase basis
>>
>>What's the address?
>
>
> Errm.... what I sed: service at admin dot spamcop dot net.
>

Whoops..missed that. Thanks.

From nobody at spamcop.net Tue May 3 17:21:45 2005
From: nobody at spamcop.net (Ellen)
Date: Tue May 3 17:05:51 2005
Subject: [SpamCop-List] Re: Quick reporting via email?
References:
Message-ID:

"Mike Easter" wrote in message news:d58egs$u52$1@news.spamcop.net...
> Borgholio wrote:
> > I forgot...how do I submit spam via email for quick-reporting?
>
> Quick reporting is disabled due to careless use.
>
> ... but you can beseech admin for access at service admin.SC on a
> casebycase basis
>

Beseech? not for quick submit -- that requires grovel :-)

E

From nobody at spamcop.net Tue May 3 18:46:50 2005
From: nobody at spamcop.net (Anti-Spam)
Date: Tue May 3 17:50:15 2005
Subject: [SpamCop-List] "One in 20 'fall for online fraud'"
Message-ID:

If 1% lost money through phishing, does that mean 4% are falling for
non-phishing fraud? No wonder there is so much non-phishing spam.

--
Bring in the death penalty for repeat spammers.
Non-functional spambait addr: oura@ylhowyddliy.net (generated by Webpoison)

From nospam at dev.null Wed May 4 03:08:26 2005
From: nospam at dev.null (Anty Spam)
Date: Tue May 3 20:05:05 2005
Subject: [SpamCop-List] Re: A novel approach to spamming
References:
Message-ID:

"Stewart Gordon" wrote in message news:d57tn4$kgd$1@news.spamcop.net...
> A spammer's come up with an interesting idea. Rather than just sending
> the spam content, this one told a joke. And it even had a topical
> subject line - so at first glance it looks like the kind of email a
> friend might pass on.
>
> That's until you get to the bottom, where the Stupid Person's
> AdvertiseMent itself is found.
>
> Nonetheless, Entourage managed to mark it as spam. Though very probably
> by the rule I set up rather than by its own heuristics.
>
> Has anyone else had anything like this?
...Snip...

Yes a while ago. Was porno related spam to a well known Canadian chain of
similar sites.

From ticket at web-hosting-support.com Tue May 3 21:25:08 2005
From: ticket at web-hosting-support.com (Support)
Date: Tue May 3 22:30:15 2005
Subject: [SpamCop-List] blocklisted need help id'ing abuse
Message-ID:

Dear Deputies,

I need some help, we have a user somewhere on our servers that is sending
mail to spam traps. Our servers are setup to identify every piece of mail
with a UID/GID in the headers, if you could kindly lookup who is causing
the spam trap block I would appreciate it.

web11.thehostingnet.com 66.6.223.140

Thanks,

Jeremy
Technical Support
Web-hosting-support.com

From MikeE at ster.invalid Tue May 3 20:59:51 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 3 23:00:02 2005
Subject: [SpamCop-List] Re: blocklisted need help id'ing abuse
References:
Message-ID:

Support wrote:
> I need some help, we have a user somewhere on our servers that is
> sending mail to spam traps. Our servers are setup to identify every
> piece of mail with a UID/GID in the headers, if you could kindly
> lookup who is causing the spam trap block I would appreciate it.
>
> web11.thehostingnet.com 66.6.223.140

According to the information available from the website lookup, that IP is
listed because of reports from reporters, not spamtrap hits:

http://www.spamcop.net/w3m?action=checkblock&ip=66.6.223.140

Causes of listing
SpamCop users have reported system as a source of spam less than 10 times
in the past week

and according to the routing information, the spamcop reports are going to
pajo and internetwebhosting, the latter of which is presumably you.

Reporting addresses: abuse@pajo.com
Third parties interested in reports: abuse@internetwebhosting.com

Altho' copies of the spam aren't available for spamtrap reports, spamtrap
hits don't seem to be the current cause of the listing. Also, it looks like
the listing is due to expire in 12 hours.
If that is an output server, I would think that it would only get listed
for backscatter problems, not for a user passing spam thru' it.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed May 4 01:03:32 2005
From: nobody at spamcop.net (Ellen)
Date: Wed May 4 01:30:31 2005
Subject: [SpamCop-List] Re: blocklisted need help id'ing abuse
References:
Message-ID:

"Support" wrote in message news:d59bq6$df8$1@news.spamcop.net...
> Dear Deputies,
>
> I need some help, we have a user somewhere on our servers that is sending
> mail to spam traps. Our servers are setup to identify every piece of
> mail with a UID/GID in the headers, if you could kindly lookup who is
> causing the spam trap block I would appreciate it.
>
> web11.thehostingnet.com 66.6.223.140
>
> Thanks,
>
> Jeremy
> Technical Support
> Web-hosting-support.com
>
>

Answered in email.

Ellen

From rg at nospam.please Wed May 4 02:46:00 2005
From: rg at nospam.please (rg)
Date: Wed May 4 01:50:03 2005
Subject: [SpamCop-List] Re: ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.)
References:
Message-ID:

Yeah, refresh worked. It took about ten attempts, though! Wish they'd fix
this...

Thanks!

"Ant" wrote in message news:d5807s$lv9$1@news.spamcop.net...
> "rg" wrote:
>
>> Below is the report for
>> http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz
>>
>> You will notice the section:
>> Resolving link obfuscation
> [...]
>
> Yes, and no information is given about what the parser did with those
> links before the "Please make sure this email IS spam" message.
>
> I first noticed this in the middle of March this year, and reported it
> here with the subject "Links found, but not parsed". The problem
> continues to regularly occur, but no Spamcop person has commented on
> it to my knowledge.
>
>> I have to submit them separately: [...]
>> Then resubmit and cancel the spam report a few times before it finally ends
>> up resolving.
>
> You don't need to cancel. Just refresh the parse page in your browser
> or go to the "report spam" link if you've visited another page, and
> you can then follow the "unreported spam, report now" link.
>
> I will sometimes resolve the spamvertized URLs separately, or refresh
> the parse once, but if the links still aren't resolved I submit
> the report anyway. It's not worth the hassle.
>
>> SUGGESTION: Increase the DNS timeout and retry numbers!
>
> I'm not sure if this is the problem. My understanding is that when a
> lookup times out you get a message "unable to resolve..."
>
> [report snipped]
>
>

From zitt at _no_spam_bigfoot.com Wed May 4 01:25:16 2005
From: zitt at _no_spam_bigfoot.com (John Zitterkopf)
Date: Wed May 4 03:30:34 2005
Subject: [SpamCop-List] Popped hotmail spam w/ reporting confusion
Message-ID:

http://www.spamcop.net/sc?id=z759554231za1b9b8679752d1eb4227775630378465z

I did not sign up for these "offers" which come 3-5/day.

When I attempt to report it; it comes across with the following "useless"
reports:

Re: 216.21.208.203 (Administrator of network where email originates)
To: abuse#virtumundo.com@devnull.spamcop.net (Notes)

Re: 216.21.208.203 (Third party interested in email source)
To: Internal spamcop handling: (ironport) (Notes)

Should this be reported to the internal handler?
------ full headers with email address removed:

Return-Path:
Delivered-To: spamcop-net-x
Received: (qmail 7039 invoked from network); 3 May 2005 05:17:37 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade2.cesmail.net with SMTP; 3 May 2005 05:17:37 -0000
Received: from mailgate.cesmail.net (216.154.195.36)
  by c60.cesmail.net with ESMTP; 03 May 2005 01:17:24 -0400
X-IronPort-AV: i="3.92,147,1112587200"; d="scan'208,217"; a="220171863:sNHT41282976"
X-Message-Status: n
X-SID-PRA: Visit Orlando
X-SID-Result: Pass
X-Message-Info: H83ySVbTRY1PVhh5crlmkWM5my1izH8A8a/In5hognU=
Received: from popgate.cesmail.net [192.168.1.201]
  by mailgate.cesmail.net with POP3 (fetchmail-6.2.1)
  for x (single-drop); Tue, 03 May 2005 01:17:24 -0400 (EDT)
Received: from vm208-203.adknowledgemail.com ([216.21.208.203])
  by mc9-f26.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
  Mon, 2 May 2005 22:05:54 -0700
Received: from adknowledgemail.com (10.10.50.51)
  by vm208-203.adknowledgemail.com with ESMTP; 02 May 2005 23:42:13 -0500
X-ClientHost: 122105116116119097114101064104111116109097105108046099111109
X-MailingID: 4687767
From: Visit Orlando
To: 0
Errors-To: errors@adknowledgemail.com
Reply-To: return@adknowledgemail.com
Subject: Visit Orlando and see the magic for yourself.
Mime-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-ID:
X-OriginalArrivalTime: 03 May 2005 05:05:55.0180 (UTC) FILETIME=[C91232C0:01C54F9D]
Date: 2 May 2005 22:05:55 -0700
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade2.cesmail.net
X-Spam-Level: ************
X-Spam-Status: hits=12.9 tests=DOMAIN_RATIO,HTML_90_100,HTML_MESSAGE,
  MIME_HTML_ONLY,MSGID_FROM_MTA_HOTMAIL,SARE_HEAD_HDR_XCLIHST,
  SARE_RD_TO_BAD_TLD,X_MESSAGE_INFO version=3.0.2
X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.201 216.21.208.203 10.10.50.51
X-SpamCop-Disposition: Blocked SpamAssassin=12

From nobody at devnull.spamcop.net Wed May 4 03:48:04 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed May 4 03:50:03 2005
Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion
References:
Message-ID:

"John Zitterkopf" wrote in message news:d59tct$m4t$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z759554231za1b9b8679752d1eb4227775630378465z

Tracking URL provided, so repeated posting of "header contents" was
redundant.

> When I attempt to report it; it comes across with the following "useless"
> reports:
>
> Re: 216.21.208.203 (Administrator of network where email originates)
> To: abuse#virtumundo.com@devnull.spamcop.net (Notes)

Feeds the SpamCopDNSBL for possible inclusion.

> Re: 216.21.208.203 (Third party interested in email source)
> To: Internal spamcop handling: (ironport) (Notes)
>
> Should this be reported to the internal handler?

Question seems odd ... Statement indicates that it "was" reported to an
"internal address" ... reason explained as "Message source bonded by
IronPort, reporting" (Tech/Full details turned on) ..
or see the following data;
http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=216.21.208.203

From SCNews.5.myspamgobbler at spamgourmet.com Wed May 4 08:51:15 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Wed May 4 10:55:03 2005
Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion
In-Reply-To:
References:
Message-ID:

John Zitterkopf wrote:
> http://www