From baloo at ursine.ca Sun May 1 00:14:00 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Sun May 1 03:10:27 2005
Subject: [SpamCop-List] Re: Submission by email
References: <01c54c47$45163740$LocalHost@default> <1p3bk2-jds.ln1@ursine.ca>
Message-ID: <8m8ek2-87v.ln1@ursine.ca>

Steven Maesslein wrote:
> You're preaching to the choir. [...]
> Unless there's a Reply-To: header in there (such as the one inserted by
> gmail users when they use gmail's network to send mail), which fscks up
> the mailing list, and which is why I don't allow gmail addresses on
> lists I run.

Oh, OK. I think I lost proper track of the thread somewhere along the
line...

--
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From baloo at ursine.ca Sun May 1 00:19:28 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Sun May 1 03:10:35 2005
Subject: [SpamCop-List] Re: Submission by email
References: <01c54c47$45163740$LocalHost@default> <4s3bk2-jds.ln1@ursine.ca>
Message-ID:

Kenneth Loafman wrote:
> On Fri, 29 Apr 2005 18:33:24 -0700, Paul Johnson wrote:
>
>>Kenneth Loafman wrote:
>>> As a mailing list sender, you would insert your own Reply-To: to have it
>>> reply back to the mailing list. What the user does with it after that
>>> is none of your concern.
>>
>>NAK! Mailing list shouldn't be setting or touching reply-to. That's the
>>user's field for the user to use. What you describe is the realm of the
>>X-List, X-Mailing-List, X-Loop, or just about any other mailing list
>>header.
>
> Then you must ban a lot of corporate mail as well. A lot of the folks
> that use Outlook in business set their Reply-To: to their own address.
> Don't know why they bother, but they do.

We're talking a mailing list here. It might just be me, but in business
environments, I generally see Outlook users use the distribution lists
feature in Outlook.
It's messy, but if you're writing only to people in the same environment
as yourself, it's the quick and dirty fix that works for that
environment. Though you have to go out of the way to set up the reply-to
to be the same as from in Outlook...

> BTW, you can override gmail's setting of the Reply-To:, or anyone's for
> that matter. Depends on the mail list owner and how they want the replies
> to default. Some default to the mail list and some to the original
> author. Seems like a moot point.

Right, but it's supposed to be a user-set heading none the less. It
starts getting confusing and messy when third parties in between stomp
on things like that.

> Must be something else driving your decision to ban so many users from
> your list. Not worth the effort.

Not when a little user education fixes the problem, no.

> Set the Reply-To: when you send the mail back out and go on. Once it's in
> your hands, it's yours, the user has no control over that field. Remember
> "My server, My rules!". Once it's in your control, it's yours. Period.

Right, but when you're offering services that require a certain level of
inter-site consistency like email, changing headers inconsistent with
documented standards is a Bad Thing(tm).

--
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From bar_n0ne at hotmail.com Sun May 1 14:04:02 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 1 05:06:48 2005
Subject: [SpamCop-List] Internic/Gandi registration problems take rediculously long to resolve
Message-ID:

for example: domain still misregistered complaint sent March 15 received
below today.

Now I don't think I've seen whatshould.com since, in a spam.

But even a cursory glance at the mailing addresses show illegitimacy that
even a frenchman should recognize.

city= three fingered tap on the keyboard? come on.

Hello munged

This message is in follow-up to the Whois Data Problem Report you
submitted on March 15, 2005 regarding whatshould.com.
As indicated to you at the time of submission, a copy of your report was
forwarded to the sponsoring registrar for investigation. We would
appreciate it if you could assist us in monitoring registrar compliance
with Whois data accuracy obligations by selecting one of the options
below:

1. The data inaccuracy was corrected. Please go to the following URL:

References:
Message-ID:

Berny wrote:
> for example: domain still misregistered complaint sent March 15 received
> below today.
>
> Now I don't think I've seen whatshould.com since, in a spam.
>
> But even a cursory glance at the mailing addresses show illegitimacy that
> even a frenchman should recognize.
>
> city= three fingered tap on the keyboard? come on.

Has Gandi ever nuked a domain because of wrong whois information?
My experience: no. French providers (Gandi, Wanadoo...) seem to be
totally clueless or intentionally supporting spammers: black hats.
You can use the registrar problem report form at:

http://reports.internic.net/cgi/registrars/problem-report.cgi

But if this helps?

- kjz

From bar_n0ne at hotmail.com Sun May 1 17:10:07 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun May 1 08:15:03 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
References:
Message-ID:

"Karl-Josef Ziegler" wrote in message news:d52fme$7v6$1@news.spamcop.net...
> Berny wrote:
> > for example: domain still misregistered complaint sent March 15 received
> > below today.
> > SNIP
>
> Has Gandi ever nuked a domain because of wrong whois information?
> My experience: no. French providers (Gandi, Wanadoo...) seem to be
> totally clueless or intentionally supporting spammers: black hats.
> You can use the registrar problem report form at:
>
> http://reports.internic.net/cgi/registrars/problem-report.cgi
>
> But if this helps?
>
> - kjz

I personally think that most registrars look at spammers as a major source
of revenue, thousands of throwaway names at $10.00 a hit or so, I suspect
that there would be a serious drop in income if they actually used due
diligence and put off spammer business. So, they are an integral part of the
spam game with few exceptions.

From kjz at despammed.com Sun May 1 21:57:39 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Sun May 1 15:00:03 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
In-Reply-To:
References:
Message-ID:

Berny wrote:
> I personally think that most registrars look at spammers as a major source
> of revenue, thousands of throwaway names at $10.00 a hit or so, I suspect
> that there would be a serious drop in income if they actually used due
> diligence and put off spammer business. So, they are an integral part of the
> spam game with few exceptions.

Alas, that seems to be true. Domain registration is cheap and easy, but I
think at the moment it's TOO cheap, TOO easy and TOO fast. Today I got
spam for a spamvertized domain which was already set up in spammy's DNS
servers but still not showing any whois info. And with a revenue of
US-$ 5000 a day(!) spammy can register a lot of throwaway domains. So
most spam runs in these days have a fresh throwaway domain which only has
the function to redirect to/protect the 'real' spamvertized website.

ICANN should make an address verification process mandatory in the
registration procedure. E.g. a new domain first is set on registrar hold
and an air mail letter with a security code is sent to the registrant.
This security code must be verified via a web form and only afterwards
the domain is set in function. This process can be automated and the
price will be only a little bit higher than an air mail stamp. More
security at a low price increase.
- kjz

From jefferJones at not-valid-address-.com Sun May 1 16:10:40 2005
From: jefferJones at not-valid-address-.com (Jeffery Jones)
Date: Sun May 1 15:10:03 2005
Subject: [SpamCop-List] Can't find admin of Ebay Phisher
Message-ID:

http://www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z

Unable to locate admin for web site http://online-account-activation.com

"Cannot find master for:http://online-account-activation.com/ebayisapi.dll&verifyregistrationshow"

From nobody at devnull.spamcop.net Sun May 1 15:35:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 15:40:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Jeffery Jones" wrote in message news:v5aa711tj9ck70ncfi7npc750b2i8rdkef@4ax.com...
>
> http://www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
>
> Unable to locate admin for web site http://online-account-activation.com
>
> "Cannot find master for:http://online-account-activation.com/ebayisapi.dll&verifyregistrationshow"

whois -h whois.enom.com online-account-activation.com ...
Registration Service Provided By: Microsoft
Contact: personal_address@css.one.microsoft.com
Visit: http://support.msn.com/contactus.aspx?pk=PersonalAddress

Domain name: online-account-activation.com

Registrant Contact:
   greg kessler
   greg kessler (admin@online-account-activation.com)
   +1.6364586523
   Fax: none
   1748 Millstream
   chesterfield, MO 63017
   US

Administrative Contact:
   greg kessler
   greg kessler (admin@online-account-activation.com)
   +1.6364586523
   Fax: none
   1748 Millstream
   chesterfield, MO 63017
   US

Technical Contact:
   NOC MSN
   NOC MSN (MSN-PA-TECH@msn.com)
   +1.4258828080
   Fax: none
   One Microsoft Way
   Redmond, WA 98052
   US

Billing Contact:
   NOC MSN
   NOC MSN (MSN-PA-BILL@MSN.COM)
   +1.4258828080
   Fax: none
   One Microsoft Way
   Redmond, WA 98052
   US

Status: Locked

Name Servers:
   pdomns1.msn.com
   pdomns2.msn.com

Creation date: 25 Apr 2005 15:31:06
Expiration date: 25 Apr 2006 15:31:06

From f.yaskin at worldnet.att.net Sun May 1 16:37:34 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Sun May 1 15:40:06 2005
Subject: [SpamCop-List] Error-why?
Message-ID:

Here is the error:
error: couldn't parse head
Message body parser requires full, accurate copy of message
More information on this error..
no links found

Same result from OE Express, and from ATT Webmail, view source selected,
and copy/pasted into spamcop.
??
Spam sent as follows:
---------------------
Received: from mx1.mail.yahoo.com (p2184-ipad36sasajima.aichi.ocn.ne.jp[60.45.123.184](untrusted sender)) by worldnet.att.net (mtiwmxc11) with SMTP id <2005050114143401100pim6oe>; Sun, 1 May 2005 14:14:45 +0000
X-Originating-IP: [60.45.123.184]
Reply-To: "Susan"
From: "Susan"
To:
Subject: Antidote may help boost immune system
Date: Sun, 01 May 2005 08:10:57 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--09-6[5]-3237-0[3]-080[3]"
----09-6[5]-3237-0[3]-080[3]
Content-Type: ;text/plain;
Content-Transfer-Encoding: 7Bit
The Ancient Secret of Life 'THE ANTIDOTE'
http://www.crocinamillion.info/fvd/
Kills ALL known deadly Viruses & Bacteria in the body that keep diseases, =
namely: Influenza, SARS, Cancer, HIV etc. etc. active.
A disease must be made DORMANT to stop infection.
'The ANTIDOTE' is the answer.
http://www.crocinamillion.info/fvd/
WE ARE THE ONLY COMPANY IN THE WORLD WHO HAVE DEVELOPED AND ENHANCED THIS =
PRODUCT FOR SALE.
LEARN MORE http://www.crocinamillion.info/fvd/
The Antidote is a unique Anti-Microbial Peptide offering the widest range
of healing power on the market today. It kills all known deadly VIRUSES
and BACTERIA in the body.
The initial research was carried out over several years ago by the BBC.
The Antidote acts as an additive for your body's immune system. It will
fight and protect your body from all virus and bacteria activated
infections.
The Antidote may be taken safely by children and adults even if on
current medication.
Take me off from emailing list http://www.myfriendlyshop.com/gone/
----09-6[5]-3237-0[3]-080[3]--

From MikeE at ster.invalid Sun May 1 13:42:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 1 15:45:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

Jeffery Jones wrote:
www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
>
> Unable to locate admin for web site
> http://online-account-activation.com
>
> "Cannot find master
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistrationshow"

Here's what I'm seeing at the tracker:

Tracking link: http://online-account-activation.com/ebayisapi.dll&verifyregistrationshow
No recent reports, no history available
Resolves to 65.54.132.254
Routing details for 65.54.132.254
Reports routes for 65.54.132.254:
routeid:13943319 65.52.0.0 - 65.55.255.255 to:abuse@hotmail.com
Administrator found from whois records
[refresh/show] Cached whois for 65.54.132.254 : abuse@hotmail.com
Using abuse net on abuse@hotmail.com
abuse net hotmail.com = abuse@hotmail.com
Using best contacts abuse@hotmail.com
Using rdns to route to correct Microsoft department
host 65.54.132.254 = yourpersonaladdress.net (cached)
abuse net yourpersonaladdress.net = postmaster@yourpersonaladdress.net

Message-ID:

FY wrote:
> Here is the error:
> error: couldn't parse head
> Message body parser requires full, accurate copy of message
> More information on this error..
> no links found

Even when the parser doesn't work, the general result is that it will
provide you with a tracking url. That tracker is a reflection of what
you fed the parser and is useful for troubleshooting this.

You should *NOT* be posting what you did here for several important
reasons.

- posting spam anywhere other than the ng spamcop.spam is against some
'rule' or tradition for a variety of reasons
- it doesn't help for you to post the spam item here.
I can take it and get the parser to parse it and then what does that
prove?
- here's a tracker which has parsed my rendition of what I made out of
what you posted here
http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z

Maybe my version of your spam works because I structured it so that it
would work. When you post something into a newsmessage, it gets 'bent'
and isn't the same as the original. The closest you can come to showing
us the original easily is to put it into the parser properly and post
the tracker for the result in here.

The next closest you can come would be to save the item as an .eml from
OE and then attach that file to a message in spamcop.spam.

Notice that if you examine my tracker's 'View entire message' - you see
that the Received traceline is not folded improperly, which it was here,
perhaps by your newsreader, perhaps not; and that there is a proper
empty line between the Content-Type boundary information and the first
boundary marker, which was not present in what you posted here --
perhaps caused by your newsreader, perhaps not.

So, to re-iterate... do *NOT* post spam in here. Only trackers.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun May 1 14:35:33 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 1 16:35:03 2005
Subject: [SpamCop-List] Re: Error-why?
References:
Message-ID:

Mike Easter wrote:
www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z

Report Spam to:
Re: 60.45.123.184 (Administrator of network where email originates)
   To: abuse@ocn.ad.jp (Notes)
Re: 60.45.123.184 (Third party interested in email source)
   To: Cyveillance spam collection (Notes)
Re: http://www.crocinamillion.info/fvd/ (Administrator of network hosting website referenced in spam)
   To: daihy@china-netcom.com (Notes)
   To: postmaster@china-netcom.com (Notes)
   To: cnc-abuse@abuse.sprint.net (Notes)
Re: http://www.myfriendlyshop.com/gone/ (Administrator
   To: postmaster@chinatietong.com
   To: crnet_mgr@chinatietong.com
   To: crnet_tec@chinatietong.com

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sun May 1 19:37:50 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 19:40:02 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Mike Easter" wrote in message news:d53bau$l1g$1@news.spamcop.net...
> Jeffery Jones wrote:
> www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
> >
> > Unable to locate admin for web site
> > http://online-account-activation.com
> >
> > "Cannot find master
> >
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistratio
> nshow"
>
> Here's what I'm seeing at the tracker:
>
> SC degrade the notify down to a default pm from a registered one; that
> doesn't make any sense.

My flow, could be wrong ....

Name Servers:
   pdomns1.msn.com
   pdomns2.msn.com
Creation date: 25 Apr 2005 15:31:06

'Brand new shiney' web-site/URL created by a silly/new MSN user ...
equating "pdoms" to "personal domains" ,,,,

Then noted that this URL is simply redirecting;

05/01/05 18:27:11 Browsing http://online-account-activation.com/
Fetching http://online-account-activation.com/ ...
GET / HTTP/1.1
Host: online-account-activation.com
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 302 Found
Connection: close
Date: Sun, 01 May 2005 23:27:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
P3P:CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
X-AspNet-Version: 1.1.4322
Location: http://www.pearland.co.id/usage/index.htm?eBayISAPI.dll&VerifyRegistrationShow
Cache-Control: private
Expires: Sat, 01 Jan 2000 08:00:00 GMT
Content-Type: text/html

Object moved
Object moved to here.
Personal Domains URL Forwarder

You can probably guess at what's sitting 'there'

My bet is that there's a database that has been fed with "don't use this
reporting address" which is also mucking up the works, but the parser
isn't outputting this data/error ...????

From nobody at devnull.spamcop.net Sun May 1 19:40:59 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 1 19:45:03 2005
Subject: [SpamCop-List] Re: Can't find admin of Ebay Phisher
References:
Message-ID:

"Mike Easter" wrote in message news:d53bau$l1g$1@news.spamcop.net...
> Jeffery Jones wrote:
> www.spamcop.net/sc?id=z758724962z736972e666372fcfbf40deab549fbdb1z
> >
> > Unable to locate admin for web site
> > http://online-account-activation.com
> >
> > "Cannot find master
> >
> for:http://online-account-activation.com/ebayisapi.dll&verifyregistratio
> nshow"

Noting also (ignoring some issues with SSfor WIN) but;

05/01/05 18:38:50 whois online-account-activation.com@pdomns1.msn.com
whois -h pdomns1.msn.com online-account-activation.com ...
failed, couldn't connect to host: Unknown error (0)

From / at /.cn Mon May 2 16:47:00 2005
From: / at /.cn (Petzl)
Date: Mon May 2 01:50:05 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"WazoO" wrote in message news:d4pep4$jgq$1@news.spamcop.net...
> "Pop" wrote in message
> news:d4ov5o$b3i$1@news.spamcop.net...
>> >
>> Interesting; can you even report a spam from those accounts? That would
>> suck.
>
> http://forum.spamcop.net/forums/index.php?showtopic=2782
>

A big problem in accepting the compulsory email account with your
provider is that they are mainly absolutely useless (I do not accept
them)
The worse fact is they then never seem to learn

Right now a legacy email account from UU.net (ozemail) they are offering
spam and virus filtering without whitelist.
The only mail I still get is spam with legit mail disappearing

There is still no doubt the only and best email account to have is a
SpamCop one

Petzl

From nobody at nowhere.invalid Mon May 2 11:27:14 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 04:30:20 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 15:47:00 +1000, Petzl coughed into spamcop and left
this in :

> Right now a legacy email account from UU.net (ozemail) they are offering
> spam and virus filtering without whitelist. The only mail I still get is
> spam with legit mail disappearing

Well, UUNet sees everything pink anyway, so the chances are that the
filter is working as designed :)

--
Steve
Don't worry about people stealing your ideas. If your ideas are any
good, you'll have to ram them down people's throats. -- Howard Aiken

From / at /.cn Mon May 2 20:12:49 2005
From: / at /.cn (Petzl)
Date: Mon May 2 05:16:31 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7bp32.36p.nobody@127.0.0.1...
> On Mon, 2 May 2005 15:47:00 +1000, Petzl coughed into spamcop and left
> this in :
>
>> Right now a legacy email account from UU.net (ozemail) they are offering
>> spam and virus filtering without whitelist.
The only mail I still get is
>> spam with legit mail disappearing
>
> Well, UUNet sees everything pink anyway, so the chances are that the
> filter is working as designed :)
>

As I have SpamCop retrieve the email it only ends up in the VER folder

UUnet have just made the legacy account less than worthless

I only wanted to keep it as I have a couple of pieces of software which
sends notification of upgrades these no longer get past UUnet but spam
does and it is in the area of 1000 spams a day plus

Before UUnet started filtering my SpamCop email account accurately
filtered the UUnet spew to SpamCop's (Very Easy Reporting) VER folder
which it still does but legit email disappears before it is even
forwarded to SpamCop

Will now see if I can have these UUnet idiots turn off the forwarding

Just another example of what happens in accepting the compulsory email
account with your provider is that they are mainly absolutely useless (I do
not now ever accept them) The worse fact is they then never seem to learn
for the better

The reason we have a problem with spam is because of Internet Providers and
their inability to secure the e-mail address they dump you with or force you
to have. If spam was effectively blocked spamming would have no point!

Even Hotmail offer a superior service to a vast many and is always good to
have for first contact, as well as those "subscriptions" you have to sign up
with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers who
attack their customers

Petzl

From bar_n0ne at hotmail.com Mon May 2 15:17:09 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 2 06:20:04 2005
Subject: [SpamCop-List] st0ck spams
Message-ID:

Given the length of time the same st0ck spams for the same crappy little
companies, I am becoming doubtful that the companies themselves are not
involved. Pump and Dumpers usually move in and out quickly, a few days,
or a week or so.
The endless steady stream of crap for this stuff (like VOIP) is beginning
to look more like either a massive joe job, (hard to believe) or an
active promotion, undertaken on behalf of the principals.

Remember a Pump and dumper is not a long term investor, they're looking
to flip their gains or shorts quickly. This crap comes in steadily for
months at a time.

From nobody at nowhere.invalid Mon May 2 13:38:01 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 06:40:03 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 19:12:49 +1000, Petzl coughed into spamcop and left
this in :

> UUnet have just made the legacy account less than worthless

Heh - your legacy account is not the only e-mail account UUNet has made
useless. Far from it.

> Just another example of what happens in accepting the compulsory email
> account with your provider is that they are mainly absolutely useless (I do
> not now ever accept them) The worse fact is they then never seem to learn
> for the better

I agree. I don't even use the default account set up by my ISP since
it's going to be essentially useless. I *do* have several domains of my
own and my ISP allows me to run a mail server on my static IP address
(for all their shortcomings they are rather pro-Linux at this ISP).

> The reason we have a problem with spam is because of Internet Providers and
> their inability to secure the e-mail address they dump you with or force you
> to have. If spam was effectively blocked spamming would have no point!

The fault lies further upstream of the ISP than that. Yes, it's one link
in the chain that needs tightening up, but there's plenty to put right
in the distribution chain too, such as ISPs allowing Windows machines
(you'll notice I stopped using the term "zombified windows machines" a
while back because of obvious redundancy) to spew unabated for months on
end without pulling the plug on the luser.

Another problem is ISPs like MCI, SBC and most Chinese outfits that seem
to have a single clause in their enforced AUP "You can spam as much as
you like as long as the cheque clears"

> Even Hotmail offer a superior service to a vast many and is always good to
> have for first contact, as well as those "subscriptions" you have to sign up
> with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers who
> attack their customers

I'd use a hotmail account if it was possible to get one without selling
your soul by having to open a "Passport" account - whatever that is.

--
Steve
A group of cats is a "conceit". They'd like it to be called a "pride"
but that would fool nobody. -- Morely Dotes in NANAE, 2-FEB-2004

From bar_n0ne at hotmail.com Mon May 2 16:22:36 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 2 07:25:04 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutions may be moving toXO/imedia
References:
Message-ID:

"nospam" wrote in message news:BE95B135.14B73%nobody@spamcop.net...
> latest turd for shopping spree/product testers/market research/free
> satellite TV/free whatever came from XO/Imedia today at 65.182.142.2
>
> spamvertizing still from MCI's stealthed server at 63.82.98.35
>
> Seems SBewGlobal may have gotten too expensive or didn't like the heat
>
> Lets see how many months they give this fscker free reign over there.
>
> It might end for me, XO was a famous listwasher if I remember right.
>

Now at PacBell, and the spamvertized sites have moved also to 69.67.72.10
which isn't nearly as well stealthed as the MCI site was.

Also XO is a 3d party interested in the sources and the sites, so
hopefully we'll see the end of this crap soon.

At least Software Factory Solutions may be on the run.
Well Done CAT

From / at /.cn Mon May 2 22:49:21 2005
From: / at /.cn (Petzl)
Date: Mon May 2 07:50:02 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7c0o9.3ti.nobody@127.0.0.1...
> On Mon, 2 May 2005 19:12:49 +1000, Petzl coughed into spamcop and left
> this in :
>
>> UUnet have just made the legacy account less than worthless
>
> Heh - your legacy account is not the only e-mail account UUNet has made
> useless. Far from it.

ever got a single spam until UUnet took over Ozemail?

>> Just another example of what happens in accepting the compulsory email
>> account with your provider is that they are mainly absolutely useless (I
>> do
>> not now ever accept them) The worse fact is they then never seem to learn
>> for the better
>
> I agree. I don't even use the default account set up by my ISP since
> it's going to be essentially useless. I *do* have several domains of my
> own and my ISP allows me to run a mail server on my static IP address
> (for all their shortcomings they are rather pro-Linux at this ISP).

In this case it is up to you to see that your IP remains clean

>> The reason we have a problem with spam is because of Internet Providers
>> and
>> their inability to secure the e-mail address they dump you with or force
>> you
>> to have. If spam was effectively blocked spamming would have no point!
>
> The fault lies further upstream of the ISP than that. Yes, it's one link
> in the chain that needs tightening up, but there's plenty to put right
> in the distribution chain too, such as ISPs allowing Windows machines
> (you'll notice I stopped using the term "zombified windows machines" a
> while back because of obvious redundancy) to spew unabated for months on
> end without pulling the plug on the luser.
>
> Another problem is ISPs like MCI, SBC and most Chinese outfits that seem
> to have a single clause in their enforced AUP "You can spam as much as
> you like as long as the cheque clears"

But if ISP's gave the option to block China in its entirety allowing only
whitelisted email through spamming becomes pointless
The chinese, Korea, South America are all countries SpamCop allows
blocking in this manner. It is also easily done

Again the reason there are spammers is because providers are not
interested enough to effectively stop it. They only want your cheque to
clear and milk you like a cash cow

>> Even Hotmail offer a superior service to a vast many and is always good
>> to
>> have for first contact, as well as those "subscriptions" you have to sign
>> up
>> with. Hotmail (Microsoft) actively hunt down suing and jailing Spammers
>> who
>> attack their customers
>
> I'd use a hotmail account if it was possible to get one without selling
> your soul by having to open a "Passport" account - whatever that is.
>

I think HotMail have discontinued trying this? It was meant to evolve
into a PayPal type of thingy but seems to of failed

From nobody at nowhere.invalid Mon May 2 15:49:25 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon May 2 08:50:04 2005
Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions
References:
Message-ID:

On Mon, 2 May 2005 21:49:21 +1000, Petzl coughed into spamcop and left
this in :

> ever got a single spam until UUnet took over Ozemail?

I'd never heard of Ozemail until this thread. I was emphasizing UUNet's
role in e-mail abuse, that's all.

>> I agree. I don't even use the default account set up by my ISP since
>> it's going to be essentially useless. I *do* have several domains of my
>> own and my ISP allows me to run a mail server on my static IP address
>> (for all their shortcomings they are rather pro-Linux at this ISP).
>
> In this case it is up to you to see that your IP remains clean

Agreed.
And it will stay clean unless I expose some out-of-date daemon with
known vulnerabilities to the 'Net. Who knows, it might happen one day,
but it won't happen within 15 seconds of connecting the machine to the
'Net, that's for sure. Touch wood - so far it's been connected since
September 2001 with no compromise.

> But if ISP's gave the option to block China in its entirety allowing only
> whitelisted email through spamming becomes pointless The chinese, Korea, South
> America are all countries SpamCop allows blocking in this manner. It is also
> easily done

The ISP's would also be sued left, right and centre by klooless lusers
not aware of what they're doing when they check the "block" box.

>> I'd use a hotmail account if it was possible to get one without selling
>> your soul by having to open a "Passport" account - whatever that is.
>
> I think HotMail have discontinued trying this? It was meant to evolve into a
> PayPal type of thingy but seems to of failed

Quoting from the hotmail signup page (which happens to be hosted on the
registernet.passport.net domain):

"Complete this form to register for a Hotmail account, which is also a
Microsoft .NET Passport. The Hotmail e-mail address and password you
create are your .NET Passport credentials. You'll need them to access
your Hotmail account and to sign in where you see the .NET Passport
sign-in button: [button]"

Blech...

--
Steve
Give a man a fish and he will eat for a day. Teach him how to fish, and
he will sit in a boat and drink beer all day.

From f.yaskin at worldnet.att.net Mon May 2 10:05:42 2005
From: f.yaskin at worldnet.att.net (FY)
Date: Mon May 2 09:10:04 2005
Subject: [SpamCop-List] Re: Error-why?
References:
Message-ID:

Thanks a lot for the lecture Mike. You could have saved yourself a lot
of time and still made your point, by skipping the re-iteration, and
most of the lecture, but I know you are trying to be helpful, and
mindful of, uh, tradition.
Having used Spamcop for at least a couple years, and ,000's of spams, and
thru several mailreaders successfully, let's assume for a moment that the
sender malformed the from line. I am disappointed that Spamcop chokes on
what garden variety readers can successfully decode.
But thanks, really.

While I have your attention, any suggestions on getting the ones with the
line breaks in the body url to decode without manually removing the
breaks and spaces?

fy

"Mike Easter" wrote in message news:d53e14$mfd$1@news.spamcop.net...
> FY wrote:
> > Here is the error:
> > error: couldn't parse head
> > Message body parser requires full, accurate copy of message
> > More information on this error..
> > no links found
>
> Even when the parser doesn't work, the general result is that it will
> provide you with a tracking url. That tracker is a reflection of what
> you fed the parser and is useful for troubleshooting this.
>
> You should *NOT* be posting what you did here for several important
> reasons.
>
> - posting spam anywhere other than the ng spamcop.spam is against some
> 'rule' or tradition for a variety of reasons
> - it doesn't help for you to post the spam item here. I can take it
> and get the parser to parse it and then what does that prove?
> - here's a tracker which has parsed my rendition of what I made out of
> what you posted here
> http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z
>
> Maybe my version of your spam works because I structured it so that it
> would work. When you post something into a newsmessage, it gets 'bent'
> and isn't the same as the original. The closest you can come to showing
> us the original easily is to put it into the parser properly and post
> the tracker for the result in here.
>
> The next closest you can come would be to save the item as an .eml from
> OE and then attach that file to a message in spamcop.spam.
> > Notice that if you examine my tracker's 'View entire message' - you see > that the Received traceline is not folded improperly, which it was here, > perhaps by your newsreader, perhaps not; and that there is a proper > empty line between the Content-Type boundary information and the first > boundary marker, which was not present in what you posted here -- > perhaps caused by your newsreader, perhaps not. > > So, to re-iterate... do *NOT* post spam in here. Only trackers. > > -- > Mike Easter > kibitzer, not SC admin > From f.yaskin at worldnet.att.net Mon May 2 10:11:42 2005 From: f.yaskin at worldnet.att.net (FY) Date: Mon May 2 09:15:03 2005 Subject: [SpamCop-List] Re: Error-why?(revised) References: Message-ID: "Mike Easter" wrote in message news:d53e14$mfd$1@news.spamcop.net... > FY wrote: > > Here is the error: > > error: couldn't parse head > > Message body parser requires full, accurate copy of message > > More information on this error.. > > no links found > > Even when the parser doesn't work, the general result is that it will > provide you with a tracking url. That tracker is a reflection of what > you fed the parser and is useful for troubleshooting this. > > You should *NOT* be posting what you did here for several important > reasons. > > - posting spam anywhere other than the ng spamcop.spam is against some > 'rule' or tradition for a variety of reasons > - it doesn't help for you to post the spam item here. I can take it > and get the parser to parse it and then what does that prove? > - here's a tracker which has parsed my rendition of what I made out of > what you posted here > http://www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z > > Maybe my version of your spam works because I structured it so that it > would work. When you post something into a newsmessage, it gets 'bent' > and isn't the same as the original. 
The closest you can come to showing > us the original easily is to put it into the parser properly and post > the tracker for the result in here. > > The next closest you can come would be to save the item as an .eml from > OE and then attach that file to a message in spamcop.spam. > > Notice that if you examine my tracker's 'View entire message' - you see > that the Received traceline is not folded improperly, which it was here, > perhaps by your newsreader, perhaps not; and that there is a proper > empty line between the Content-Type boundary information and the first > boundary marker, which was not present in what you posted here -- > perhaps caused by your newsreader, perhaps not. > > So, to re-iterate... do *NOT* post spam in here. Only trackers. > > -- > Mike Easter > kibitzer, not SC admin > Thanks a lot for the lecture Mike. You could have saved yourself a lot of time and still made your point, by skipping the re-iteration, and most of the lecture, but I know you are trying to be helpful, and mindful of, uh, tradition. Having used Spamcop for at least a couple years, and ,000's of spams, and thru several mailreaders successfully, let's assume for a moment that the sender malformed the from line. I am (mildly) disappointed that Spamcop chokes on what garden variety readers can successfully decode. But thanks, really. fy From MikeE at ster.invalid Mon May 2 09:07:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 2 11:10:33 2005 Subject: [SpamCop-List] Re: Error-why?(revised) References: Message-ID: FY wrote: > "Mike Easter" >> FY wrote: >>> error: couldn't parse head >> - here's a tracker which has parsed my rendition of what I made >> out of what you posted here www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z >> see that the Received traceline is not folded improperly, which it >> is a proper empty line between the Content-Type boundary information > Thanks a lot for the lecture Mike.
Yabbut, you never did properly communicate what was wrong in the first place -- after you had a chance to see what 'my' spam looks like in the tracker and you became familiar with whatever was wrong with yours. > that the sender malformed the from line. I am (mildly)disappointed > that Spamcop chokes on what garden variety readers can successfully decode. The reason you are supposed to not fix what causes the choke is based on this principle http://www.spamcop.net/fom-serve/cache/283.html -- Material changes to spam --"SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find. " When I make/forge changes to a spam in order to accomplish a parse for an item which I subsequently cancel, it is *only* for purposes of demonstration -- to enable discussion of what was wrong that caused the parse to fail. In this instance, we still haven't gotten to the part about what was wrong because no one here but you has seen the original item which wouldn't parse unbent yet. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Mon May 2 13:02:39 2005 From: eddie at eddie.web (eddie) Date: Mon May 2 12:05:07 2005 Subject: [SpamCop-List] Re: st0ck spams References: Message-ID: On Mon, 02 May 2005 14:17:09 +0400, Berny scratched out the following: > Given the length of time the same st0ck spams for the same crappy little > companies, I am becoming doubtful that the companies themselves are not > involved. Pump and Dumpers usually move in and out quickly, a few days, or > a week or so. The endless steady stream of crap for this stuff (like VOIP) > is beginning to look more like either a massive joe job, (hard to believe) > or an active promotion, undertaken on behalf of the principals. > > Remember a Pump and dumper is not a long term investor, they're looking to > flip their gains or shorts quickly. 
This crap comes in steadily for months > at a time. I think that sometimes the stock companies are behind it, or at least they know about it and give it their tacit approval. Certainly there are trading companies involved, as well as individuals. Be sure to copy the SEC on all P&D scam reports, as well as the FTC. -- Once movie theaters gave out steak knives Today they confiscate them From f.yaskin at worldnet.att.net Mon May 2 13:28:35 2005 From: f.yaskin at worldnet.att.net (FY) Date: Mon May 2 12:30:02 2005 Subject: [SpamCop-List] Re: Error-why?(revised) References: Message-ID: "Mike Easter" wrote in message news:d55fkd$2u9$1@news.spamcop.net... > FY wrote: > > "Mike Easter" > >> FY wrote: > > >>> error: couldn't parse head > > >> - here's a tracker which has parsed my rendition of what I made > >> out of what you posted here > > www.spamcop.net/sc?id=z758744423z1fa6a7fc57989ff5a1873ee18c66b835z > > > Thanks a lot for the lecture Mike. > > Yabbut, you never did properly communicate what was wrong in the first > place -- after you had a chance to see what 'my' spam looks like in the > tracker and you became familiar with whatever was wrong with yours. >> > When I make/forge changes to a spam in order to accomplish a parse for > an item which I subsequently cancel, it is *only* for purposes of > demonstration -- to enable discussion of what was wrong that caused the > parse to fail. > > In this instance, we still haven't gotten to the part about what was > wrong because no one here but you has seen the original item which > wouldn't parse unbent yet. OK, now I am confused.[pardon the Yoda].. Is not the spam in my original post, with full headers, which I was (my bad)NOT supposed to post, "the original item which wouldn't parse unbent yet.", other than the copy and paste? Is not the SC error message posted above it communicating what was wrong? 
If you mean what is wrong in my reader(s), as far as I know, nothing..I followed the procedures for copying spam unmolested. Frank From MikeE at ster.invalid Mon May 2 13:50:23 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 2 15:50:02 2005 Subject: [SpamCop-List] Re: Error-why?(revised) References: Message-ID: FY wrote: > Is not the spam in my original post, with full headers, which I was > (my bad)NOT supposed to post, "the original item which wouldn't parse > unbent yet.", other than the copy and paste? No. When you posted a newsagent bent spam here, you failed to demonstrate properly what kind of spam misconstruction it was that the parser failed to parse because the bent condition of a spam you posted here leaves too much guesswork as to what was the condition of the original, as you received it, and as it was stored by OE in the Message source section. Since /we/ can't access /your/ OE's message source of that original item, the best thing for you to do would be to properly submit it to the parser and then to paste the parser's tracker in here.... ... unless for some strange reason the parser fails to give a tracker, in which case some generally not well accepted system would have to be used, such as attaching the isolated and saved OE .eml file to a message in spamcop.spam. The reason I say 'not well accepted' is because not all mailuser agents are going to perform in exactly the same way to provide some kind of .eml or .txt file to attach. And, the attaching business so far has only been an experimental technique used to investigate the solving of problems which pasting of spams into the body of newsgroup messages causes. > Is not the SC error message posted above it communicating what was > wrong? Not sufficiently precisely. That SC message is the same message for a variety of conditions of spam which fail to parse. > If you mean what is wrong in my reader(s), as far as I know, > nothing..I followed the procedures for copying spam unmolested. 
The problem isn't the /copying/ of the spam. The spam copies just fine. The copied spam also gets submitted to the parser just fine unless the submitter makes some kind of mistake. The problem with what you posted here is what happens to an item after you paste it into the body of your newsmessage. When your OE newsagent sends the news message, it 'messes with it' and bends it and causes various 'unknown' things including the introduction of linewraps to happen to it which were not present in the original -- all of that depending upon how it is configured -- which we don't even want to know because 'we' - namely me - don't want you to show us your spam by pasting it into a news message. Especially not here; but also it would get just as bent even if you had pasted it into spamcop.spam. It is better to not bend it at all to show it to us. So, 'showing' the spam by pasting it into any newsgroup is no good. The way to show the spam is to paste it into the parser and copy the tracker and paste the tracker in here. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon May 2 18:14:10 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 2 18:15:46 2005 Subject: [SpamCop-List] Re: ISP censors outbound mail, nixing spam discussions References: Message-ID: "Steven Maesslein" wrote in message news:slrnd7c8el.4k7.nobody@127.0.0.1... > > >> I'd use a hotmail account if it was possible to get one without selling > >> your soul by having to open a "Passport" account - whatever that is. > > > > I think HotMail have discontinued trying this? It was meant to evolve into a > > PayPal type of thingy but seems to of failed > > Quoting from the hotmail signup page (which happens to be hosted on the > registernet.passport.net domain): > > "Complete this form to register for a Hotmail account, which is also a > Microsoft .NET Passport. > > The Hotmail e-mail address and password you create are your .NET > Passport credentials. 
You'll need them to access your Hotmail account > and to sign in where you see the .NET Passport sign-in button: [button]" Technically, signing up and creating a HotMail address automatically puts you into the PassPort 'database' (actually used when trying to login to the HotMail system) ... The intent of this is basically a 'common' account data set, where if you go to another 'location' that is set up to recognize/use the PassPort database, you can log into that site with the existing HotMail account data ... I have no idea what third-party outfits jumped into this, but the PassPort system is used throughout the Microsoft 'empire' ... the various product support groups, development sections, etc .... You can actually "register" a non-HotMail e-mail address with the PassPort system if you'd actually want to ,,, From nobody at devnull.spamcop.net Mon May 2 18:18:47 2005 From: nobody at devnull.spamcop.net (Cat) Date: Mon May 2 18:25:03 2005 Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutions may be moving toXO/imedia In-Reply-To: References: Message-ID: Berny wrote: > "nospam" wrote in message > news:BE95B135.14B73%nobody@spamcop.net... > >>latest turd for shopping spree/product testers/market research/free >>satellite TV/free whatever came from XO/Imedia today at 65.182.142.2 >> >>spamvertizing still from MCI's stealthed server at 63.82.98.35 >> >>Seems SBewGlobal may have gotten too expensive or didn't like the heat >> >>Lets see how many months they give this fscker free reign over there. >> >>It might end for me, XO was a famous listwasher if I remember right. >> > > > Now at PacBell, and the spamvertized sites have moved also to 69.67.72.10 > which isn't nearly as well stealthed as the MCI site was. Also XO is a 3d > party interested in the sources and the sites, so hopefully we'll see the > end of this crap soon. At least Software Factory Solutions may be on the > run. > > Well Done CAT Thanks! 
=) I did finally reach a human at SBC, someone named Dawn S. Her reply was something to the effect of "we do investigate and take action against spammers" followed by something along the lines of "your yahoo account has a bulk folder so you can just let your spam go there, and you never have to report any of it." Apparently, she mistakenly thinks that I'm gullible enough to believe that just letting it hit the bulk folder will actually send reports to the ISP, or she's just trying to brush it off with a "just hit delete" claim in hopes that she won't have to deal with SBC's irate spam victims. Her comment about just letting it go to the bulk folder and leaving it alone sounded very much like she just didn't want to hear about spamming customers, as if she's just trying to sweep it under the rug to forget about them. I replied back to her letting her know that I wasn't the average computer illiterate person who would actually believe her claims and that I knew that leaving spam alone in the bulk folder wouldn't actually get the spam reported to the ISP. After three more SBC spams copied to Dawn S, the SBC spew stopped, and I've started getting the same spam through XO now. From noah.boddie at newsgroup.nospam Mon May 2 19:39:02 2005 From: noah.boddie at newsgroup.nospam (Dwayne Conyers) Date: Mon May 2 18:40:04 2005 Subject: [SpamCop-List] The Spamityville Horror... Message-ID: Recently noticed some of the web-based BBS' that I read are rapidly being filled with spam -- faster than the moderators can keep up with. This is the "Hey, here's how you can make a million dollars with a shoestring, a bottle cap and a spoonful of faeces" type of spam that only a mental derelict would fall for. Even worse, a private news server that my company hosts for members of the entertainment industry has been hit multiple times by a spammer who posts in Portuguese. Why Portuguese?
Are these people really making enough money with their scheiss to persist this way, or izzit a sign of desperation? Is there actually that much profit in idiotic get-rich-quick schemes? Just blowing off some steam... -- I Shave With Occams Razor http://www.dwacon.com From nospam at dev.null Tue May 3 02:52:45 2005 From: nospam at dev.null (Anty Spam) Date: Mon May 2 19:50:10 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve References: Message-ID: "Berny" wrote in message news:d52624$41c$1@news.spamcop.net... > for example: domain still misregistered complaint sent March 15 received > below today. > ..SNIP ... > > domain: WHATSHOULD.COM > owner-address: daniel lessi > owner-address: 133 sjsj ed > owner-address: 90210 > owner-address: edghsuj > owner-address: California > owner-address: United States of America > owner-phone: +1.8434243587 > owner-e-mail: dl1217@gmail.com > admin-c: DL1021-GANDI > tech-c: AR41-GANDI > bill-c: DL1021-GANDI > nserver: ns3.mail18.biz > nserver: ns1.xzdns.biz > nserver: ns2.best-gifts.biz > nserver: ns4.mail18.biz > reg_created: 2005-03-12 04:42:31 > expires: 2006-03-12 04:42:31 > created: 2005-03-12 10:42:32 > changed: 2005-03-14 03:55:15 > No, not mis-registered. Gandi has been doing sweet blow all about it - not unusual. The report was sent to them, after a time delay, an automated process kicked in from ICANN that sent you the report to verify IF the correction has been made. You will notice that upon clicking on the link, you can add additional details here. These negative follow ups are registered, however as to what is done is an open question. Maybe next year ICANN, upon reviewing the results, might decide to take the matter up with Gandi in the next conference in ...???? 2007??? and ????try???? to resolve. Frustrating. You may try: http://rip.gandi.net/index-en.html , but I can guarantee you it will take at least 15 days.
Despite - sorry to do this to you - http://www.icann.org/announcements/advisory-03apr03.htm :-( However, "IF" you feel like trying to get into a mail argument with the whois chap at Gandi - support-en@support.gandi.net However, under similar circumstance I got: "Please use our interface for one or several domains, and take care to argue about false data (which data are false, why). The come back to me and tell me the complaints links, I will see if I can speed the 15 days delay manually." I tried - and waited 15 days.... Cheers E From f.yaskin at worldnet.att.net Mon May 2 21:07:19 2005 From: f.yaskin at worldnet.att.net (FY) Date: Mon May 2 20:10:08 2005 Subject: [SpamCop-List] Re: Error-why? with tracking URL References: Message-ID: OK, Mike, I got another with the same format and error from SC. Here is the tracking url. This was submitted from ATT Webmail: http://www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z And this was submitted from OE http://www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz Skip to Reports So what's up? "Mike Easter" wrote in message news:d5606b$bmj$1@news.spamcop.net... > FY wrote: > Follow thread above if you are interested From f.yaskin at worldnet.att.net Mon May 2 21:13:50 2005 From: f.yaskin at worldnet.att.net (FY) Date: Mon May 2 20:15:04 2005 Subject: [SpamCop-List] Re: Link Resolving Failures References: Message-ID: "A.J." wrote in message news:d4udmn$a4u$1@news.spamcop.net... > "A.J." wrote in message > : > > I've received several spams over the past week or so with hyperlinks like > > this: > > > > > > > SRC="cid:weovwgph_coafueav_ooeazvze" border="0" ALT=""> > > > > (From > > ) > > The line breaks in the URL (but not the extraneous or > SRC=> tags) are copied verbatim from the original.
> > > > SpamCop adds a second "http://" to the beginning of this mess when > > attempting to straighten it out, resulting in: > > > > === > > Resolving link obfuscation > > http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/ > > Percent unescape: > > http://http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/ > > host http (getting name) no name > > http is not a hostname > > http is not a hostname > > === > > > > Manually removing the extra line breaks still leaves SpamCop with a problem: > > > > === > > Resolving link obfuscation > > http://foztetdpbqm.com&omifjg4c5k1h6ujift4%2eiliacgnkln%2ecom/ > > Percent unescape: > > http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/ > > host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com > > discarded as fake. > > host foztetdpbqm.com (checking ip) ip not found ; foztetdpbqm.com > > discarded as fake. > > > > Tracking link: http://foztetdpbqm.com&omifjg4c5k1h6ujift4.iliacgnkln.com/ > > [report history] > > Resolves to 82.114.48.67 > > Routing details for 82.114.48.67 > > [refresh/show] Cached whois for 82.114.48.67 : abuse@tautel.ru > > Using abuse net on abuse@tautel.ru > > abuse net tautel.ru = abuse@tautel.ru, postmaster@tautel.ru > > Using best contacts abuse@tautel.ru postmaster@tautel.ru > > === > > > > SC interprets the TLD as ending at the "&" following the first ".com" > > (foztetdpbqm.com), rather than at the next "/" as it should (iliacgnkln.com > > - the real domain), causing it to interpret the URL as fake. The tracker > > appears to function correctly; however, using other tools I come up with a > > different IP address: 218.7.112.241 > > I noticed today that both of the above issues seem to have been fixed. > > WTG SC team! Or apparently not. See below, same obfuscation. Same failure. 
http://www.spamcop.net/sc?id=z759120944z15b5d414a9477214bcf929963c922640z From MikeE at ster.invalid Mon May 2 18:45:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 2 20:45:03 2005 Subject: [SpamCop-List] Re: Error-why? with tracking URL References: Message-ID: FY wrote: > OK, Mike, I got another with the same format and error from SC. > > Here is the tracking url. Good job ;-) > This was submitted from ATT Webmail: www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z > > And this was submitted from OE www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz > Skip to Reports > > > So what's up? They both show the same condition of a part of what is supposed to be in the body 'squished up' into the header - I also addressed that in the bent one posted here earlier. The bent one also appeared to show a Received traceline folding problem, but these 'true' renditions of the original don't show that -- so I'll assume that the earlier bent one folding problem was an artifact of the posting -- which is what I was 'harping' about. A very important 'requirement' of headers is the format in which there is a fieldname which is single continuous 'word' without any spaces followed by a colon and a space followed by the field's elements or contents. There can be /properly/ folded lines to allow the field's elements to encompass more than one line, but there can't be anything 'organized' like a fieldname which isn't. So, if you look at the headerlines of your tracker items, as you get to the bottom of the header, you see that the fieldname condition is 'screwed up' by there being an item which isn't a proper fieldname, namely appearance of a boundary delimiter which belongs in the first part of the body 'squished up' into the header. There needs to be an empty space between the last proper headerline which is properly constructed with a fieldname and the first line of the body, which in this case is a boundary delimiter.
That's a lot of words to say what this tracker will show: http://www.spamcop.net/sc?id=z759126058zf2428d7891188485a64b3e4fd44854afz That header shows a proper header in which all of the fieldnames are properly constructed, and then the last fieldname is Content-Type: and then follows a properly folded content for the fieldname, including that it is distributed on 2 lines appropriately, as is the Received: line further up distributed on 3 lines with leading whitespace. Then follows an empty line. This is the structural element which was missing before. That empty line separates the headers from the elements of the body. The first element of the body is the boundary delimiter which was defined in what was the last part of the header in this case, namely the Content-Type -- which defined the boundary delimiter. That first boundary delimiter is known as the 'prologue' or prolog. The boundary delimiter is followed by a description of what is contained in that boundaried section, which in this case is plaintext. After all of the plaintext comes the last delimiter, in this case -- in some other cases some other kind of delimited section could follow. Here, the last delimiter which is structured appropriately, ends the message body. SpamCop uses all of that 'stuff' to find things. It pays attention to boundary delimiters and content type descriptors and all that jazz -- so when the stuff is misconstructed, it causes problems in the interpretation. -- Mike Easter kibitzer, not SC admin From onyx0 at gamebox.net Tue May 3 04:25:44 2005 From: onyx0 at gamebox.net (Onyx) Date: Mon May 2 21:25:23 2005 Subject: [SpamCop-List] Failed delivery nightmare Message-ID: Ok, I just received cca 100 messages notifying me of failed delivery of emails I didn't send and they keep coming, woo hoo. Apparently, spammer vermin used email on my domain as a return address for their spam. Two questions: 1. What would be the best way to deal with this? 2.
Could this possibly get my domain listed on anti-spam lists? Thank you. From zypher at spamcop.net Mon May 2 21:36:47 2005 From: zypher at spamcop.net (Ron B.) Date: Mon May 2 21:40:04 2005 Subject: [SpamCop-List] AOL Filters Block Emergency Weather E-Mails Message-ID: AOL Filters Block Emergency Weather E-Mails POSTED: 3:25 pm CDT May 2, 2005 VERO BEACH, Fla. -- Efforts by one Florida county to put out weather alerts by e-mail have hit a high-tech roadblock: AOL is tagging the messages as spam. The problem dates back to last year's unusually busy hurricane season when Indian River County was hit by two major storms -- Frances and Jeanne. Some 4,200 people signed up for the county's e-mail alert service, which offers quick alerts on hurricanes, tornadoes and other weather emergencies. But a county computer software engineer says because e-mail is sent out in large numbers, "it becomes a pattern for spam senders." The county is working with AOL to fix the problem. In the meantime, AOL users are being told to put the county's e-mail account in their computer's address book so their computers know to accept the messages. Copyright 2005 by The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. From f.yaskin at worldnet.att.net Mon May 2 22:47:52 2005 From: f.yaskin at worldnet.att.net (FY) Date: Mon May 2 21:50:14 2005 Subject: [SpamCop-List] Re: Error-why? Last question References: Message-ID: "Mike Easter" wrote in message news:d56hgh$l0j$1@news.spamcop.net... > FY wrote: > > OK, Mike, I got another with the same format and error from SC. > > > > Here is the tracking url. > > Good job ;-) > > > This was submitted from ATT Webmail: > www.spamcop.net/sc?id=z759118320z438d92754b29196f81b0f423102d8913z > > > > And this was submitted from OE > www.spamcop.net/sc?id=z759119449zce492efb03dbde10301b13e28bb8a9dfz > > Skip to Reports > > > > > > So what's up? 
> > They both show the same condition of a part of what is supposed to be in > the body 'squished up' into the header - I also addressed that in the > bent one posted here earlier. The bent one also appeared to show a > Received traceline folding problem, but these 'true' renditions of the > original don't show that -- so I'll assume that the earlier bent one > folding problem was an artifact of the posting -- which is what I was > 'harping' about. > SpamCop uses all of that 'stuff' to find things. It pays attention to > boundary delimiters and content type descriptors and all that jazz -- so > when the stuff is misconstructed, it causes problems in the > interpretation. OK, got that. Thanks. So, from the lack of interest on SC's part, in reconstituting/decoding formatting that mailreaders seem to have no problem with, I draw the conclusion that SC is much more interested in the SOURCE ISPs of the spam, rather than the morons behind the spamvertised web sites? (Hoping I'm wrong, but hey...Truth and Soul!) Frank From MikeE at ster.invalid Mon May 2 20:38:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 2 22:40:21 2005 Subject: [SpamCop-List] Re: Error-why? Last question References: Message-ID: FY wrote: > OK, got that. Thanks. So, from the lack of interest on SC's part, in > reconstituting/decoding formatting that mailreaders seem to have no > problem with, I draw the conclusion that SC is much more interested > in the SOURCE ISPs of the spam, rather than the morons behind the > spamvertised web sites? (Hoping I'm wrong, but hey...Truth and Soul!) However important anyone may think that disrupting the relationships between the spamsites and their providers may be, realize that the various spamfighting tools are designed for specific purposes. If you start trying to drive a nail with a screwdriver, you're going to find that it doesn't work as well as a hammer -- likewise some other tool related examples.
In the case of spamcop, its parser is designed to determine spamsources *primarily* [IMO] and secondarily do things like feed possible relays to the relay testers for 'handling' like testing/listing and to notify providers for spamsources and spamvertisers. But, while it /notifies/ providers for source and spamvertiser, the notification business is totally toothless except for the toothiness of the provider -- that is, the result of a notify of a whitehat vs grayhat vs blackhat vs pinkhat provider has a very wide range of outcomes -- some of which are better for the spammer/spammersupport than the spammee/notifier. OTOH -- besides a parser/notifier, SC is something else. SC is maintainer of the SCbl, the blocklist of spamsources; which for various reasons has turned out to be a very powerful blocklist. Powerful because it is popular. Popular because it is unique in its mechanism of listing and delisting compared to the many other db/s. So, the SCbl is nothing to be sneezed at. It is a blocklist to be respected. But, the SCbl is simply a blocklist of spamsources. SC doesn't make any kind of list of spamvertisers of similar import. The only thing that SC does with its spamvertisers is to put them on a page. It happens that from that page, a different blocklisting service, sc-surbl 'scrapes' the SC scraped spamvertisers and makes its own list from that. The sc-surbl is *not* a powerful list like the SCbl; but it /is/ a list. There are a lot of lists. So, what all of that comes down to is that the business which SC performs of finding the spamvertisers in the body isn't as important as the business of SC finding the spamsource -- because the spamsource determination feeds the SCbl, whereas the spamvertiser discoveries tends to notify blackhat providers of things about spamcop reporters and doesn't feed anything very potent at all. 
If you want to get into taking action against the business of spamsupport, which is what spamvertiser providers are doing, then you will have to appreciate blocklists which put leverage against them, such as spews and to a lesser extent spamhaus. What spews does is spews business. What SC does is SC's business. The two lists are very very different and SC's doesn't do anything about spamvertisers or spam support. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Mon May 2 23:46:20 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon May 2 22:50:02 2005 Subject: [SpamCop-List] Re: The Spamityville Horror... In-Reply-To: References: Message-ID: Dwayne Conyers wrote: > Recently noticed some of the web-based BBS' that I read are rapidly > being filled with spam -- faster than the moderators can keep up with. I would recommend not allowing postings from anything that is known to be an open proxy. Unfortunately the xbl.spamhaus.org can not be used as a gate for it as it now contains the NJABL dynablock zone which should block most legitimate posters. And if that does not lower the noise level, start blocking postings from netblocks where spam postings have been received from and post a message that such postings are blocked until their ISP stops all the network abuse. > > Why Portugese? Apparently the spammers that use other languages have not found it yet. > Are these people really making enough money with their scheiss to > persist this way, or izzit a sign of desperation? Only the ones selling the get rich quick schemes. The ones spamming have usually spent their last cash on buying the spamming kit, and never make back anything close to their initial investment. > Is there actually that much profit in idiotic get-rich-quick schemes? Apparently there is in selling the spamming kits, and every time some media article profiles the riches of the "spam kings" there is a rise in the number of suckers that sign up. 
Posting a note on the web site that BBS posters must read before posting, indicating that the people posting spam are victims of scam artists, and that no one other than the people selling the scam to these victims has ever made any money at it, may also help. In your Portuguese case, see if you can get that accurately translated.

From postings here and elsewhere, it appears that the people selling the scams are blaming the various anti-spam organizations for the reason that none of their suckers are making any money.

A good scam artist can get some pretty expensive property on a seller financing with only a minimal down payment, and it can take over a decade to evict them for non-payment. It is possible to create quite an illusion of wealth that way.

-John
wb8tyw@qsl.network
Personal Opinion Only

From spamtrap at mrsmith.com Mon May 2 23:50:25 2005
From: spamtrap at mrsmith.com (Mr. Smith)
Date: Mon May 2 22:55:02 2005
Subject: [SpamCop-List] Re: stupid spam of the week
References:
Message-ID:

"Danny Goodman" wrote in message news:mailman.146.1114894446.4572.spamcop-list@news.spamcop.net...
>>> You could at least omit the link or make it unclickable.
>
>> why? What bad happens when you click on it?
>
> Some spammers get paid on click-throughs. Any publicly available link to a
> spamvertised site encourages curious folks to click, perhaps putting coin
> into the spammer's pocket.
>
> Just another one of the insidious, indirect ways that keeps the spam
> economy
> going while one thinks he or she is doing nothing to contribute.

Well, I kind of can see that. But in the larger scheme of things, if one spammer is simply giving another spammer money, but neither you or I are actually buying anything -- that basically defeats the economic model.

But this is all a stretch anyway. Let's be real for a second -- posting a spam link in an anti-spam newsgroup ain't going to do anything. It ain't going support no spammer.
And it certainly ain't not isn't going qualify as "free advertising". I think we all know that -- this is just shop talk. And I don't see any reason not to post a simple link. I may be naive, but if I post such a link --- I trust you guys to do the right thing. -Marc From MikeE at ster.invalid Mon May 2 20:58:08 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 2 23:00:04 2005 Subject: [SpamCop-List] Re: The Spamityville Horror... References: Message-ID: John E. Malmberg wrote: > Unfortunately the xbl.spamhaus.org can not be used as a gate for it as > it now contains the NJABL dynablock zone which should block most > legitimate posters. No. xbl is composed of cbl, blitzed opm and most recently one subset of njabl, just the open proxy subset, the 127.0.0.9. It does not include the other njabl returns, .2 open relays, .3 dynamics, .4 spamsources, .5 multistage relays, or .8 script sources. That is my understanding based on the words at spamhaus which say "the NJABL open proxy IPs list from www.njabl.org" I do not have any specific confirmation of that opinion of mine from anyone else. I posted it in a discussion in alt.spam and no one rebutted it there. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Tue May 3 00:13:09 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Mon May 2 23:15:03 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare In-Reply-To: References: Message-ID: Onyx wrote: > Ok, I just recieved cca 100 messages notifying me of failed delivery of > emails I didn't send and they keep coming, woo hoo. Apparently, spammer > vermin used email on my domain as a return address for their spam. > > Two questions: > 1. What would be the best way to deal with this? First of all, check your mail server to make sure that it will not relay for a spammer forging a real user on your domain. 
Apparently there is a popular mail server software out there that is designed to do that and there is no way to disable that feature except to enable SMTP-AUTH for all e-mail. This is what I have picked up from the admin(at)dsbl.org list's public archives. Then assuming that your mail server is not the one that is affected by this feature: File abuse reports about the delayed bounces with each mail server that is doing the delayed bounce. Such delayed bounces are not reportable by spamcop.net: See a recent post in spamcop.help by Larry Kilgallen for a sample text: : As I report that spam (the message claiming I sent a message " I did not) I include something like the following text in my : SpamCop report: Believe it or not, spammers lie. Please adjust your software to not send these meaningless warnings blindly to the "From:" address, but instead respond within the SMTP dialog, so your comments get to the actual originator rather than pestering an innocent bystander. While the bounces are allowed by RFC, it is from a time when third party open relays were also allowed. Most mail servers do an SMTP reject, which means that any bounce message will come from the original sending mail server, and the only ones of those that are relaying spam are either the domain that should receive the abuse report of one of their users, or an open relay. Open relays should be blocked on site. When mail servers do not do an SMTP reject, and do an accept and bounce, then they are participating in a DDOS to victims like you. There have also been several recent posts on news.admin.net-abuse.email about the practice of abusive bouncing of spam. There are some mail server operators that claim that it is not practical to convert to SMTP rejects instead of bouncing. 
These mail server operations must be bigger than AOL.COM which had several years ago announced on the SPAM-L mailing list that they recognized that such bounces were abusive to the rest of the internet and were switching over to only using SMTP rejects.

It seems that for every example of someone claiming that their network is too large to convert, an example can be found of a larger network that did so. And I suspect that it is a much lower operational cost to use SMTP rejects instead of doing the accept and then bouncing.

> 2. Could this possibly get my domain listed on anti-spam lists?

Only if the mail server operator is either incompetent, or is so small that it is unlikely that they will ever receive a legitimate e-mail from your domain.

According to posts on news.admin.net-abuse.email, even the conservative spamhaus.org will eventually list I.P. addresses that bounce spam to forged addresses.

It is far more likely that the I.P. addresses of the mail servers that are bouncing the spam will get put on local and public blocking lists than the I.P. address of your domain.

Most medium to large mail servers pay a metered rate for their bandwidth, and accepting fake bounces or spam needlessly increases their operating costs. So if the only e-mail they have ever seen from an I.P. address is spam or fake bounces, many mail server operators that are paying for bandwidth out of their profits or pockets will block that I.P. address.

-John
wb8tyw@qsl.network
Personal Opinion Only

From wb8tyw at qsl.network Tue May 3 00:20:16 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon May 2 23:25:02 2005
Subject: [SpamCop-List] Re: The Spamityville Horror...
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> John E. Malmberg wrote:
>
>
>>Unfortunately the xbl.spamhaus.org can not be used as a gate for it as
>>it now contains the NJABL dynablock zone which should block most
>>legitimate posters.
>
> No.
> > xbl is composed of cbl, blitzed opm and most recently one subset of > njabl, just the open proxy subset, the 127.0.0.9. > > It does not include the other njabl returns, .2 open relays, .3 > dynamics, .4 spamsources, .5 multistage relays, or .8 script sources. > > That is my understanding based on the words at spamhaus which say "the > NJABL open proxy IPs list from www.njabl.org" > > I do not have any specific confirmation of that opinion of mine from > anyone else. I posted it in a discussion in alt.spam and no one > rebutted it there. If you can get a clarification please post. I do notice that spamhaus.org representatives post in the news.admin.net-abuse.email occasionally, but there is a lot of noise there. But it does indicate a risk of using an anti-spam blocking list for other purposes. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Tue May 3 01:40:58 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue May 3 01:45:31 2005 Subject: [SpamCop-List] Re: Error-why? Last question References: Message-ID: "Mike Easter" wrote in message news:d56o3h$oia$1@news.spamcop.net... gmail From rg at nospam.please Tue May 3 02:46:05 2005 From: rg at nospam.please (rg) Date: Tue May 3 01:50:05 2005 Subject: [SpamCop-List] ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.) Message-ID: Below is the report for http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz You will notice the section: Resolving link obfuscation http://ieypzkbc.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 http://ohgbtn.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 I have to submit them separately: http://www.spamcop.net/sc?track=http%3A%2F%2Fohgbtn.tatzwz.info%2F%3F29f3922cb8d56f5cd48f092a595a8f47%0D%0A Then resubmit and cancel the spam report a few times before it finally ends up resolving. SUGGESTION: Increase the DNS timeout and retry numbers! Thanks! 
Report follows as copied from my PC, since you can't tell what will resolve when you use the report link: Help | Site Map | Text size: - + rgerharz Report Spam Mailhosts Statistics Past Reports Preferences SpamCop v 1.439 (C) Ironport Systems Inc., 1998-2005 , All rights reserved. Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz Skip to Reports Received: from a213-22-193-212.netcabo.pt ([213.22.193.212]) by rwcrmxc18.comcast.net (rwcrmxc18) with SMTP id <20050502191935r1800ftreoe>; Mon, 2 May 2005 19:19:59 +0000 X-Originating-IP: [213.22.193.212] From: "Viola Bain" Reply-To: "Viola Bain" To: x, x, x, x, x, x, x, x, x, x Subject: Isidro said hi Date: Mon, 02 May 2005 15:19:31 -0800 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--77996649553783422" View entire message Parsing header: Received: from a213-22-193-212.netcabo.pt ([213.22.193.212]) by rwcrmxc18.comcast.net (rwcrmxc18) with SMTP id <20050502191935r1800ftreoe>; Mon, 2 May 2005 19:19:59 +0000 213.22.193.212 found host 213.22.193.212 (getting name) = a213-22-193-212.netcabo.pt. a213-22-193-212.netcabo.pt is 213.22.193.212 Possible spammer: 213.22.193.212 Received line accepted Tracking message source: 213.22.193.212: Routing details for 213.22.193.212 [refresh/show] Cached whois for 213.22.193.212 : abuse@tvcabo.pt Using abuse net on abuse@tvcabo.pt abuse net tvcabo.pt = abuse@tvcabo.pt, postmaster@tvcabo.pt, abuse@netcabo.pt Using best contacts abuse@tvcabo.pt postmaster@tvcabo.pt abuse@netcabo.pt postmaster@tvcabo.pt redirects to abuse@tvcabo.pt Yum, this spam is fresh! Message is 0 hours old 213.22.193.212 not listed in dnsbl.njabl.org 213.22.193.212 not listed in dnsbl.njabl.org 213.22.193.212 not listed in cbl.abuseat.org 213.22.193.212 listed in dnsbl.sorbs.net ( 127.0.0.10 ) 213.22.193.212 not listed in relays.ordb.org. 
213.22.193.212 not listed in query.bondedsender.org 213.22.193.212 not listed in iadb.isipp.com Finding links in message body Recurse multipart: Parsing HTML part Resolving link obfuscation http://ieypzkbc.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 http://ohgbtn.tatzwz.info/?29f3922cb8d56f5cd48f092a595a8f47 Please make sure this email IS spam: From: "Viola Bain" (Isidro said hi) ----77996649553783422 Content-Type: text/html; View full message Report Spam to: Re: 213.22.193.212 (Administrator of network where email originates) To: abuse@netcabo.pt (Notes) To: abuse@tvcabo.pt (Notes) Re: 213.22.193.212 (Third party interested in email source) To: Cyveillance spam collection (Notes) Additional notes (optional - max 2000 characters): ATTENTION: Report only those e-mail addresses and web sites that you think your spammer has used. Avoid checking any boxes left empty unless you know that your spammer has used the addresses or sites thus identified. Each false report that you submit means wasted time for a network administrator, so take care. The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously. Comments for:abuse@netcabo.pt (213.22.193.212) Return to report Comments for:abuse@tvcabo.pt (213.22.193.212) Return to report Comments for:spamcop@imaphost.com (213.22.193.212) Return to report (C) Ironport Systems Inc., 1998-2005 , All rights reserved. HTML4 / CSS2 Firefox recommended - Policies and Disclaimers From nobody at nowhere.invalid Tue May 3 11:21:50 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 3 04:25:41 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare References: Message-ID: On Mon, 02 May 2005 23:13:09 -0400, John E. Malmberg coughed into spamcop and left this in : > Such delayed bounces are not reportable by spamcop.net They are now, and have been for a few months. -- Steve I haven't lost my mind; I know exactly where I left it. 
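The argument made earlier in this thread for refusing unknown recipients inside the SMTP dialog, instead of accepting the mail and bouncing it later, shown as a small simulation. This is an added example, not code from any poster or from SpamCop; the domain, mailbox table, forged address and sessions are constructed, and nothing is sent over a network.

```python
"""Toy SMTP receiver: in-dialog rejection versus accept-then-bounce (constructed data)."""
import re

LOCAL_DOMAIN = "example.net"              # constructed receiving domain
MAILBOXES = {"alice@example.net"}         # constructed table of real users
DSN_SUBJECT = "Delivery Status Notification (Failure)"


class ToyMTA:
    """Minimal SMTP command handler with a switchable recipient policy."""

    def __init__(self, check_rcpt_in_dialog):
        self.check_rcpt_in_dialog = check_rcpt_in_dialog
        self.queue = []      # (envelope_sender, recipient) accepted for delivery
        self.outbound = []   # mail this server originates: (sender, rcpt, subject)
        self._reset()

    def _reset(self):
        self.mail_from, self.rcpts, self.in_data = None, [], False

    def command(self, line):
        """Process one line from the client and return the SMTP reply (or None)."""
        if self.in_data:
            if line != ".":
                return None                       # message content, no reply
            self.queue += [(self.mail_from, r) for r in self.rcpts]
            self._reset()
            return "250 2.0.0 queued"
        verb = line.upper()
        if verb.startswith(("HELO", "EHLO")):
            return "250 hello"
        if verb == "RSET":
            self._reset()
            return "250 2.0.0 reset"
        if verb == "QUIT":
            return "221 2.0.0 bye"
        m = re.fullmatch(r"MAIL FROM:<(.*)>", line, re.I)
        if m:
            self._reset()
            self.mail_from = m.group(1).lower()   # "" is the null sender <>
            return "250 2.1.0 sender ok"
        m = re.fullmatch(r"RCPT TO:<(.+)>", line, re.I)
        if m:
            if self.mail_from is None:
                return "503 5.5.1 need MAIL FROM first"
            rcpt = m.group(1).lower()
            if self.check_rcpt_in_dialog and rcpt not in MAILBOXES:
                # The refusal goes to whoever is connected, not to the From: address.
                return "550 5.1.1 user unknown"
            self.rcpts.append(rcpt)
            return "250 2.1.5 recipient ok"
        if verb == "DATA":
            if not self.rcpts:
                return "554 5.5.1 no valid recipients"
            self.in_data = True
            return "354 end data with <CRLF>.<CRLF>"
        return "500 5.5.2 command not recognized"

    def deliver(self):
        """Run the queue; undeliverable mail becomes a DSN to the envelope sender."""
        for sender, rcpt in self.queue:
            if rcpt in MAILBOXES or sender == "":
                continue          # delivered, or a bounce that must not be bounced
            self.outbound.append(("", sender, DSN_SUBJECT))
        self.queue = []


def spam_run(mta, forged_sender, count):
    """Replay `count` constructed sessions that forge `forged_sender`.

    Returns how many sessions were refused inside the SMTP dialog.
    """
    refused = 0
    for i in range(count):
        session = ["HELO bot.invalid", f"MAIL FROM:<{forged_sender}>",
                   f"RCPT TO:<guess{i}@{LOCAL_DOMAIN}>", "DATA",
                   "Subject: constructed sample", "", "body text", ".", "QUIT"]
        for line in session:
            reply = mta.command(line)
            if reply and reply.startswith("550"):
                refused += 1
                mta.command("RSET")
                break
    return refused


def compare(count=100, forged_sender="bystander@example.org"):
    """Count the DSNs each policy sends to the forged (innocent) address."""
    results = {}
    for name, in_dialog in (("accept-then-bounce", False), ("smtp-reject", True)):
        mta = ToyMTA(check_rcpt_in_dialog=in_dialog)
        refused = spam_run(mta, forged_sender, count)
        mta.deliver()
        dsns = sum(1 for _, rcpt, _ in mta.outbound if rcpt == forged_sender)
        results[name] = {"refused_in_dialog": refused, "dsns_to_bystander": dsns}
    return results


if __name__ == "__main__":
    for policy, numbers in compare().items():
        print(policy, numbers)
```

With the accepting policy every forged session ends as one more notification in the bystander's mailbox; with the rejecting policy the server originates no mail at all, and a legitimate relaying server on the other end would be the one to tell its own user.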
From m at remove.this.part.rtij.nl Tue May 3 12:27:50 2005 From: m at remove.this.part.rtij.nl (Martijn Lievaart) Date: Tue May 3 05:31:10 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare References: Message-ID: On Tue, 03 May 2005 03:25:44 +0200, Onyx wrote: > Two questions: > 1. What would be the best way to deal with this? - Get rid of any catch all domains - Firewall the worst bouncers, maybe after an email telling them to fix their systems. - Inform your ISP, they may get bogus complaints. - Other than that, not much you can do I'm afraid. > 2. Could this possibly get my domain listed on anti-spam lists? No, not very likely. It happens every day to someone. M4 -- Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering their time inventing and implementing new, exciting ways for software to suck. -- Toni Lassila in the Monastry From m at remove.this.part.rtij.nl Tue May 3 12:29:58 2005 From: m at remove.this.part.rtij.nl (Martijn Lievaart) Date: Tue May 3 05:35:06 2005 Subject: [SpamCop-List] Re: The Spamityville Horror... References: Message-ID: On Mon, 02 May 2005 23:20:16 -0400, John E. Malmberg wrote: > But it does indicate a risk of using an anti-spam blocking list for > other purposes. I recommended this approach (blocking open proxies based on a dnsbl) to a friend of mine who moderates a forum and he has been very satisfied with the results. M4 -- Ah, the beauty of OSS. Hundreds of volunteers worldwide volunteering their time inventing and implementing new, exciting ways for software to suck. -- Toni Lassila in the Monastry From wb8tyw at qsl.network Tue May 3 07:51:42 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue May 3 06:55:03 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare In-Reply-To: References: Message-ID: Steven Maesslein wrote: > On Mon, 02 May 2005 23:13:09 -0400, John E. 
Malmberg coughed into > spamcop and left this in : >>Such delayed bounces are not reportable by spamcop.net > > They are now, and have been for a few months. A typo on my part, I meant to type now instead of not. In this case though it may not have been obvious. -John wb8tyw@qsl.network Personal Opinion Only From Ilgaz at spamcop.net Tue May 3 14:54:24 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Tue May 3 06:55:08 2005 Subject: [SpamCop-List] Re: AOL Filters Block Emergency Weather E-Mails References: Message-ID: On 2005-05-03 04:36:47 +0300, "Ron B." said: > > AOL Filters Block Emergency Weather E-Mails > > POSTED: 3:25 pm CDT May 2, 2005 > > VERO BEACH, Fla. -- Efforts by one Florida county to put out weather > alerts by e-mail have hit a high-tech roadblock: AOL is tagging the > messages as spam. > > The problem dates back to last year's unusually busy hurricane season > when Indian River County was hit by two major storms -- Frances and > Jeanne. > > Some 4,200 people signed up for the county's e-mail alert service, > which offers quick alerts on hurricanes, tornadoes and other weather > emergencies. > > But a county computer software engineer says because e-mail is sent out > in large numbers, "it becomes a pattern for spam senders." > > The county is working with AOL to fix the problem. In the meantime, AOL > users are being told to put the county's e-mail account in their > computer's address book so their computers know to accept the messages. > > Copyright 2005 by The Associated Press. All rights reserved. This > material may not be published, broadcast, rewritten or redistributed. You must know how many morons out there marking stuff as "Spam" from the lists/stuff they SIGNED UP for. Could be a factor too. E.g. I missed a very critical update from a very known, awarded OS X software house, Panic.com because of those yahoo morons clicking "its spam" It ended up in junk folder of Yahoo. :) I think there should be a way/method developed for those clueless. 
They can mark spam whatever they like, others won't be affected after a certain point of false positives by them

Ilgaz Ocal

From smjg_1998 at yahoo.com Tue May 3 15:18:27 2005
From: smjg_1998 at yahoo.com (Stewart Gordon)
Date: Tue May 3 09:20:05 2005
Subject: [SpamCop-List] A novel approach to spamming
Message-ID:

A spammer's come up with an interesting idea. Rather than just sending the spam content, this one told a joke. And it even had a topical subject line - so at first glance it looks like the kind of email a friend might pass on.

That's until you get to the bottom, where the Stupid Person's AdvertiseMent itself is found.

Nonetheless, Entourage managed to mark it as spam. Though very probably by the rule I set up rather than by its own heuristics.

Has anyone else had anything like this?

Just noticed at the very bottom: "Click on this link to keep up my beginning of making spam not so boring thing. Have a nice day."

Hmm.... Well, at least it's another novel thing that this person actually admits spamming....

Stewart.

PS For those who are interested and not yet sick of the same thing as the character in the joke, I've posted it over on .social.

-- 
My e-mail is valid but not my primary mailbox. Please keep replies on the 'group where everyone may benefit.

From m at remove.this.part.rtij.nl Tue May 3 16:43:09 2005
From: m at remove.this.part.rtij.nl (Martijn Lievaart)
Date: Tue May 3 09:50:04 2005
Subject: [SpamCop-List] Re: The Spamityville Horror...
References:
Message-ID:

On Tue, 03 May 2005 11:29:58 +0200, Martijn Lievaart wrote:
> On Mon, 02 May 2005 23:20:16 -0400, John E. Malmberg wrote:
>
>> But it does indicate a risk of using an anti-spam blocking list for
>> other purposes.
>
> I recommended this approach (blocking open proxies based on a dnsbl) to
> a friend of mine who moderates a forum and he has been very satisfied with
> the results.

Followup on self, see also nanabl, thread "The MCI problem", specifically msgid

M4
-- 
Ah, the beauty of OSS.
Hundreds of volunteers worldwide volunteering their time inventing and implementing new, exciting ways for software to suck.
-- Toni Lassila in the Monastry

From not at home.today Tue May 3 16:01:21 2005
From: not at home.today (Ant)
Date: Tue May 3 10:05:04 2005
Subject: [SpamCop-List] Re: ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.)
References:
Message-ID:

"rg" wrote:
> Below is the report for
> http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz
>
> You will notice the section:
> Resolving link obfuscation
[...]

Yes, and no information is given about what the parser did with those links before the "Please make sure this email IS spam" message. I first noticed this in the middle of March this year, and reported it here with the subject "Links found, but not parsed". The problem continues to regularly occur, but no Spamcop person has commented on it to my knowledge.

> I have to submit them separately:
[...]
> Then resubmit and cancel the spam report a few times before it finally ends
> up resolving.

You don't need to cancel. Just refresh the parse page in your browser or go to the "report spam" link if you've visited another page, and you can then follow the "unreported spam, report now" link.

I will sometimes resolve the spamvertized URLs separately, or refresh the parse once, but if the links still aren't resolved I submit the report anyway. It's not worth the hassle.

> SUGGESTION: Increase the DNS timeout and retry numbers!

I'm not sure if this is the problem. My understanding is that when a lookup times out you get a message "unable to resolve..."

[report snipped]

From ron.shafii at hossequipment.com Tue May 3 10:38:03 2005
From: ron.shafii at hossequipment.com (Ron Shafii)
Date: Tue May 3 10:40:04 2005
Subject: [SpamCop-List] spam posed as returned mail
Message-ID:

The last 2 weeks I've been receiving SPAM to tune of hundreds posed as RETURNED TO SENDER or Block Email with a virus attached.
The virus name, origination IP and subject are not very consistent, therefore creating rules to bounce the mail is difficult. What is consistent is the means by which our spam server accepts these messages and quarantines them. The message itself is posed as a Return To Sender or Bounced email. If it weren't for blocking all attachments there's a good chance it wouldn't even get caught in our spam server and would get sent to the end user. Currently we are using Imail server from IPswitch. When I submit this SPAM to spamcop it also detects my mail server as a possible source of SPAM. Thanks ahead of time for any constructive reponses. below are two examples; Received: from lkhqo.net [216.227.86.141] by mail.dozernet.com (SMTPD-8.20) id A5A2025C; Tue, 03 May 2005 09:07:30 -0500 From: info@cvip.net To: joan@hossequipment.com Date: Tue, 03 May 2005 13:34:33 UTC Subject: FwD: Your email was blocked Importance: Normal X-Priority: 3 (Normal) Message-ID: <5f6e.9ed8efa32e23da7@hossequipment.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="======c0cd44.0fabda1e2eb" Content-Transfer-Encoding: 7bit This is a multi-part message in MIME format. X-IMAIL-SPAM-DNSBL: (v6net,85a2009e00002886,65.77.130.111) X-RCPT-TO: Status: U X-IMail-Rule: B~name=.{1,30}\.zip!AND!F!~dummy:dummy-File_Attachments@dozernet.com Data- NAME=ERROR-MAIL_INFO.ZIP X-UIDL: 411163348 X-IMail-ThreadID: 85a2009e00002886 This is an automatically generated E-Mail Delivery Status Notification. 
Mail-Header, Mail-Body and Error Description are attached error-mail_info.zip (Binary attachment) the zip file contains W32.Sober.O@mm ------------------------------------------- Here's Another ------------------------------------------- Received: from smtp1.dnb.com [204.254.175.106] by mail.dozernet.com with ESMTP (SMTPD-8.20) id AAF3048C; Mon, 02 May 2005 22:07:31 -0500 Received: from unknown (0.0.0.0) by smtp1.dnb.com with ; 02 May 2005 23:07:53 -0400 Date: 02 May 2005 23:07:53 -0400 To: postmaster@dozernet.com From: Mail Delivery System Subject: Delivery Status Notification (Failure) MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="8327904216949392.unknown" Message-Id: <200505022207424.SM03464@smtp1.dnb.com> X-IMAIL-SPAM-DNSBL: (v6net,eaf30149000007e0,65.77.130.111) X-RCPT-TO: Status: U X-IMail-Rule: B~name=.{1,30}\.zip!AND!F!~dummy:dummy-File_Attachments@dozernet.com Data- NAME=ERROR-MAIL_INFO.ZIP X-UIDL: 411163241 X-IMail-ThreadID: eaf30149000007e0 The following message to was undeliverable. The reason for the problem: 5.1.1 - Bad destination email address 'ldap reject' Final-Recipient: rfc822;csc.austral@dnb.com Action: failed Status: 5.0.0 (permanent failure) Diagnostic-Code: smtp; 5.1.1 - Bad destination email address 'ldap reject' (delivery attempts: 0) Reporting-MTA: dns; unknown This is an automatically generated E-Mail Delivery Status Notification. Mail-Header, Mail-Body and Error Description are attached error-mail_info.zip (Binary attachment) From onyx0 at gamebox.net Tue May 3 18:27:14 2005 From: onyx0 at gamebox.net (Onyx) Date: Tue May 3 11:30:04 2005 Subject: [SpamCop-List] Re: Failed delivery nightmare References: Message-ID: John E. Malmberg wrote: > First of all, check your mail server to make sure that it will not > relay for a spammer forging a real user on your domain. 
Apparently > there is a popular mail server software out there that is designed to > do that and there is no way to disable that feature except to enable > SMTP-AUTH for all e-mail. I don't run my own, I use mail server from my hosting provider. The originating IP's of spam messages with my forged domain name are from all over the world.. > Then assuming that your mail server is not the one that is affected by > this feature: > > File abuse reports about the delayed bounces with each mail server > that is doing the delayed bounce. Hello carpal tunnel syndrome... Besides bounces, I also got a fair number of those i'm-away autoresponders, they seem to be popular as well. Thanks to all for good info and help. From MikeE at ster.invalid Tue May 3 09:48:43 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 11:50:03 2005 Subject: [SpamCop-List] Re: spam posed as returned mail References: Message-ID: Ron Shafii wrote: > The last 2 weeks I've been receiving SPAM to tune of hundreds posed as > RETURNED TO SENDER or Block Email with a virus attached. > below are two examples; First, a housekeeping issue. For various reasons, spam and spamlike and other mailitems are not 'supposed to be' posted into the discussion groups; but instead they are supposed to be submitted to the parser to get a tracking url and the tracker posted here and the report cancelled. As a weak alternative, the newsgroup spamcop.spam has been designated for pasting such items into news messages. Then that message would be referred to and discussed here, not discussed there in .spam. Second, about these items you posted here. Altho' you didn't completely describe their structure sufficiently for me to be sure, I think they are of 2 different types. The first one is simply a virus propagation 'dressed up' in a DSN [delivery status notification] suit. That is, a fake DSN. 
It looks like the 2nd one is actually a DSN of a fake DSN, but I would have to see the complete originals [as a tracker url, not pasted here] to be sure. Third, about this remark > When I submit this SPAM to spamcop it also detects my mail server as a > possible source of SPAM. That doesn't make sense. I'm assuming your mailserver is dozernet and that it is serving your hossequipment domain. I can't see how the parser would name hoss or dozer as the source of either of those headers. This is a tracker for the first one, to demonstrate what a tracking url is/looks like/ and to show you that your server isn't named as source. http://www.spamcop.net/sc?id=z759331281za04d52c564dc5a70d5b2a2174c620adbz > Thanks ahead of time for any constructive reponses. -- Mike Easter kibitzer, not SC admin From dannyg at dannyg.com Tue May 3 10:14:52 2005 From: dannyg at dannyg.com (Danny Goodman) Date: Tue May 3 12:15:08 2005 Subject: [SpamCop-List] Re: stupid spam of the week In-Reply-To: <200505030545.j435jmRu083946@dannyg.com> Message-ID: > But in the larger scheme of things, if one > spammer is simply giving another spammer money, but neither you or I are > actually buying anything -- that basically defeats the economic model I think the spammers who sell spammer kits and services to wannabe spammers would disagree. So would mortgage spammers (who get paid handsomely for filled-out leads apps, not completed mortgages--no coin out of the spammee's pocket). Wherever money changes hands profitably, the recipient has an incentive to continue. The spam economy thrives on far more than sales of creams, medz, inkjet carts, and JackRabbits. Danny http://www.dannyg.com http://www.spamwars.com From borgholio at storymind.com Tue May 3 11:56:12 2005 From: borgholio at storymind.com (Borgholio) Date: Tue May 3 14:00:03 2005 Subject: [SpamCop-List] Quick reporting via email? Message-ID: I forgot...how do I submit spam via email for quick-reporting? 
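For the open-proxy gating discussed in the "Spamityville Horror" thread above, a sketch of a forum gate that acts on the specific DNSBL return code instead of on any listing at all. This is an added example, not code from any poster, SpamCop, Spamhaus or NJABL: the zone name and the meaning of each 127.0.0.x answer are taken from the posts above, while the IP addresses, the sample zone data and the stub resolver are constructed so the check runs without a DNS lookup.

```python
"""Gate forum posts on one DNSBL return code instead of on any listing."""
import ipaddress
import socket

# NJABL answers as enumerated in the thread (127.0.0.x -> category).
NJABL_CODES = {
    "127.0.0.2": "open relay",
    "127.0.0.3": "dynamic",
    "127.0.0.4": "spam source",
    "127.0.0.5": "multistage relay",
    "127.0.0.8": "script source",
    "127.0.0.9": "open proxy",
}
GATE_ON = {"open proxy"}     # the only category that should stop a web post
LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")


def query_name(ip, zone):
    """Build the DNSBL query name: reversed octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone


def system_resolver(name):
    """Return the A records for `name`; NXDOMAIN (not listed) gives []."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []            # lookup failure is treated as "not listed" (fail open)


def categories(ip, zone, resolver=system_resolver):
    """Translate every answer for `ip` into a category name."""
    found = set()
    for answer in resolver(query_name(ip, zone)):
        if ipaddress.IPv4Address(answer) not in LOOPBACK:
            continue         # a non-127/8 answer is a wildcarded or hijacked zone
        found.add(NJABL_CODES.get(answer, f"unknown code {answer}"))
    return found


def allow_post(ip, zone="dnsbl.njabl.org", resolver=system_resolver):
    """Code-aware gate: refuse only when an open-proxy code is present."""
    hits = categories(ip, zone, resolver) & GATE_ON
    return (not hits, sorted(hits))


def naive_allow_post(ip, zone="dnsbl.njabl.org", resolver=system_resolver):
    """What goes wrong: any answer at all is treated as a reason to refuse."""
    return not resolver(query_name(ip, zone))


# Constructed zone data (documentation address ranges); nothing here is a real listing.
SAMPLE_ZONE = {
    "10.2.0.192.dnsbl.njabl.org": ["127.0.0.9"],                # open proxy
    "77.100.51.198.dnsbl.njabl.org": ["127.0.0.3"],             # home user, dynamic range
    "5.113.0.203.dnsbl.njabl.org": ["127.0.0.3", "127.0.0.9"],  # dynamic and open proxy
    "6.113.0.203.dnsbl.njabl.org": ["203.0.113.99"],            # bogus wildcard answer
}


def sample_resolver(name):
    """Stub resolver over SAMPLE_ZONE so the example needs no network."""
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5", "203.0.113.6", "192.0.2.200"):
        print(ip, allow_post(ip, resolver=sample_resolver),
              "naive:", naive_allow_post(ip, resolver=sample_resolver))
```

The poster on a dynamic range is the case the thread worries about: the naive gate turns that visitor away, the code-aware gate lets the post through and still stops the open proxy.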
From MikeE at ster.invalid Tue May 3 12:07:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 3 14:10:03 2005
Subject: [SpamCop-List] Re: Quick reporting via email?
References:
Message-ID:

Borgholio wrote:
> I forgot...how do I submit spam via email for quick-reporting?

Quick reporting is disabled due to careless use.

... but you can beseech admin for access at service admin.SC on a casebycase basis

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue May 3 15:13:25 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Tue May 3 14:15:03 2005
Subject: [SpamCop-List] Re: A novel approach to spamming
References:
Message-ID:

"Stewart Gordon" wrote in message
> A spammer's come up with an interesting idea. Rather than just sending
> the spam content, this one told a joke. And it even had a topical
> subject line - so at first glance it looks like the kind of email a
> friend might pass on.

Received a similar last week. Munged it abusively and posted it in .spam. Some say that having had all the offensive parts so munged it is actually ROTFL funny. Unfortunately something or other got screwed up in the munging and then the parser would not parse it, so I could not post a tracker. Where, oh where, did I go wrong...

Glenn

From ron.shafii at hossequipment.com Tue May 3 14:18:50 2005
From: ron.shafii at hossequipment.com (Ron Shafii)
Date: Tue May 3 14:20:03 2005
Subject: [SpamCop-List] Re: spam posed as returned mail
References:
Message-ID:

Mr. Easter thanks a lot for the tips. Sorry for not following the rules. I was a little hesitant revealing my mailserver info online anyhow. too late.

here's a link from SPAMCOP regarding the spam I previously mentioned, which was parsing our ip address as a possible source of spam.

http://www.spamcop.net/sc?id=z759369967zf5f08711459561ae426f911b4e192414z
http://www.spamcop.net/sc?id=z759371087z622d4f17d0a654ca301570c73e40e43fz

I wonder if I am misreading it.
www.hossequipment.com (Administrator of network hosting website referenced in spam) Is this sending a copy of the email back to me or is it parsing me as a spammer? Sorry if I am lame at this, but I'm new to SPAM techniques and prevention. "Mike Easter" wrote in message news:d586d6$pjh$1@news.spamcop.net... > Ron Shafii wrote: > >> The last 2 weeks I've been receiving SPAM to tune of hundreds posed as >> RETURNED TO SENDER or Block Email with a virus attached. > >> below are two examples; > > First, a housekeeping issue. > > For various reasons, spam and spamlike and other mailitems are not > 'supposed to be' posted into the discussion groups; but instead they > are supposed to be submitted to the parser to get a tracking url and the > tracker posted here and the report cancelled. As a weak alternative, > the newsgroup spamcop.spam has been designated for pasting such items > into news messages. Then that message would be referred to and > discussed here, not discussed there in .spam. > > Second, about these items you posted here. > > Altho' you didn't completely describe their structure sufficiently for > me to be sure, I think they are of 2 different types. The first one is > simply a virus propagation 'dressed up' in a DSN [delivery status > notification] suit. That is, a fake DSN. It looks like the 2nd one is > actually a DSN of a fake DSN, but I would have to see the complete > originals [as a tracker url, not pasted here] to be sure. > > Third, about this remark > >> When I submit this SPAM to spamcop it also detects my mail server as a >> possible source of SPAM. > > That doesn't make sense. I'm assuming your mailserver is dozernet and > that it is serving your hossequipment domain. I can't see how the > parser would name hoss or dozer as the source of either of those > headers. > > This is a tracker for the first one, to demonstrate what a tracking url > is/looks like/ and to show you that your server isn't named as source. 
> > http://www.spamcop.net/sc?id=z759331281za04d52c564dc5a70d5b2a2174c620adbz > >> Thanks ahead of time for any constructive responses. > > > -- > Mike Easter > kibitzer, not SC admin > From MikeE at ster.invalid Tue May 3 12:41:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 14:40:22 2005 Subject: [SpamCop-List] Re: spam posed as returned mail References: Message-ID: Ron Shafii wrote: > here's a link from SPAMCOP regarding the spam I previously mentioned, > which was parsing our ip address as a possible source of spam. www.spamcop.net/sc?id=z759369967zf5f08711459561ae426f911b4e192414z What you are seeing about hoss is that the parser parses for source, which is 209.177.232.252 rDNS nsc209.177.232-252.newsouth.net at NewSouth Communications notify abuse@nuvox.net abuse@newsouth.net postmaster@newsouth.net (for newsouth.net) ... and also provides a notify addy for any links it finds in the body, presuming the links are a spamvertiser -- while cautioning you to be sure that the item is spam. The link in the body is a trailer attached by your AV agent which has your hossequipment website's URL. SC sees the URL and is providing an address to notify the provider for hoss. If your AV scanner is normally able to look inside zip attachments, then it needs to be updated for the sober if it isn't recognizing its viral template. www.spamcop.net/sc?id=z759371087z622d4f17d0a654ca301570c73e40e43fz This is the same condition and the same source 209.177.232.252 at newsouth and also shows your hoss website URL in the body in the AV stamped trailer. > www.hossequipment.com (Administrator of network hosting website > referenced in spam) > > Is this sending a copy of the email back to me or is it parsing me as > a spammer? If you feed that item to the parser as a spam and it contains your website in the trailer, SC is going to offer to notify the provider for hoss unless you uncheck it.
It will also put that URL on its statistics page where another blocklister of spamvertised websites will pick it up for inclusion in its listing of spamvertisers. Whenever you see an IB innocent bystander named as a spamvertiser in a parse, including your own, you should uncheck it for notification as spamvertiser, as it is not a spamvertiser. > Sorry if I am lame at this, but I'm new to SPAM techniques and > prevention. SpamCop parses spams to notify for spamsource and spamvertisers. The algorithm can't read, so it doesn't know what the body of the item sez, and it is up to the alert spamcop reporter to oversee what the algorithm is offering to report about. -- Mike Easter kibitzer, not SC admin From borgholio at storymind.com Tue May 3 12:48:44 2005 From: borgholio at storymind.com (Borgholio) Date: Tue May 3 14:50:04 2005 Subject: [SpamCop-List] Re: Quick reporting via email? In-Reply-To: References: Message-ID: Mike Easter wrote: > Borgholio wrote: > >>I forgot...how do I submit spam via email for quick-reporting? > > > Quick reporting is disabled due to careless use. > > ... but you can beseech admin for access at service admin.SC on a > casebycase basis > What's the address? From MikeE at ster.invalid Tue May 3 12:56:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 14:55:05 2005 Subject: [SpamCop-List] Re: Quick reporting via email? References: Message-ID: Borgholio wrote: > Mike Easter wrote: >> ... but you can beseech admin for access at service admin.SC on >> a casebycase basis > > What's the address? Errm.... what I sed: service at admin dot spamcop dot net. -- Mike Easter kibitzer, not SC admin From borgholio at storymind.com Tue May 3 12:59:35 2005 From: borgholio at storymind.com (Borgholio) Date: Tue May 3 15:00:04 2005 Subject: [SpamCop-List] Re: Quick reporting via email? In-Reply-To: References: Message-ID: Mike Easter wrote: > Borgholio wrote: > >>Mike Easter wrote: > > >>>... 
but you can beseech admin for access at service admin.SC on >>>a casebycase basis >> >>What's the address? > > > Errm.... what I sed: service at admin dot spamcop dot net. > Whoops..missed that. Thanks. From nobody at spamcop.net Tue May 3 17:21:45 2005 From: nobody at spamcop.net (Ellen) Date: Tue May 3 17:05:51 2005 Subject: [SpamCop-List] Re: Quick reporting via email? References: Message-ID: "Mike Easter" wrote in message news:d58egs$u52$1@news.spamcop.net... > Borgholio wrote: > > I forgot...how do I submit spam via email for quick-reporting? > > Quick reporting is disabled due to careless use. > > ... but you can beseech admin for access at service admin.SC on a > casebycase basis > Beseech? not for quick submit -- that requires grovel :-) E From nobody at spamcop.net Tue May 3 18:46:50 2005 From: nobody at spamcop.net (Anti-Spam) Date: Tue May 3 17:50:15 2005 Subject: [SpamCop-List] "One in 20 'fall for online fraud'" Message-ID: If 1% lost money through phishing, does that mean 4% are falling for non-phishing fraud? No wonder there is so much non-phishing spam. -- Bring in the death penalty for repeat spammers. Non-functional spambait addr: oura@ylhowyddliy.net (generated by Webpoison) From nospam at dev.null Wed May 4 03:08:26 2005 From: nospam at dev.null (Anty Spam) Date: Tue May 3 20:05:05 2005 Subject: [SpamCop-List] Re: A novel approach to spamming References: Message-ID: "Stewart Gordon" wrote in message news:d57tn4$kgd$1@news.spamcop.net... > A spammer's come up with an interesting idea. Rather than just sending > the spam content, this one told a joke. And it even had a topical > subject line - so at first glance it looks like the kind of email a > friend might pass on. > > That's until you get to the bottom, where the Stupid Person's > AdvertiseMent itself is found. > > Nonetheless, Entourage managed to mark it as spam. Though very probably > by the rule I set up rather than by its own heuristics. > > Has anyone else had anything like this? 
...Snip... Yes a while ago. Was porno related spam to a well-known Canadian chain of similar sites. From ticket at web-hosting-support.com Tue May 3 21:25:08 2005 From: ticket at web-hosting-support.com (Support) Date: Tue May 3 22:30:15 2005 Subject: [SpamCop-List] blocklisted need help id'ing abuse Message-ID: Dear Deputies, I need some help, we have a user somewhere on our servers that is sending mail to spam traps. Our servers are setup to identify every piece of mail with a UID/GID in the headers, if you could kindly lookup who is causing the spam trap block I would appreciate it. web11.thehostingnet.com 66.6.223.140 Thanks, Jeremy Technical Support Web-hosting-support.com From MikeE at ster.invalid Tue May 3 20:59:51 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 3 23:00:02 2005 Subject: [SpamCop-List] Re: blocklisted need help id'ing abuse References: Message-ID: Support wrote: > I need some help, we have a user somewhere on our servers that is > sending mail to spam traps. Our servers are setup to identify every > piece of mail with a UID/GID in the headers, if you could kindly > lookup who is causing the spam trap block I would appreciate it. > > web11.thehostingnet.com 66.6.223.140 According to the information available from the website lookup, that IP is listed because of reports from reporters, not spamtrap hits: http://www.spamcop.net/w3m?action=checkblock&ip=66.6.223.140 Causes of listing SpamCop users have reported system as a source of spam less than 10 times in the past week and according to the routing information, the spamcop reports are going to pajo and internetwebhosting, the latter of which is presumably you. Reporting addresses: abuse@pajo.com Third parties interested in reports: abuse@internetwebhosting.com Altho' copies of the spam aren't available for spamtrap reports, spamtrap hits don't seem to be the current cause of the listing. Also, it looks like the listing is due to expire in 12 hours.
If that is an output server, I would think that it would only get listed for backscatter problems, not for a user passing spam thru' it. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed May 4 01:03:32 2005 From: nobody at spamcop.net (Ellen) Date: Wed May 4 01:30:31 2005 Subject: [SpamCop-List] Re: blocklisted need help id'ing abuse References: Message-ID: "Support" wrote in message news:d59bq6$df8$1@news.spamcop.net... > Dear Deputies, > > I need some help, we have a user somewhere on our servers that is sending > mail to spam traps. Our servers are setup to identify every piece of > mail with a UID/GID in the headers, if you could kindly lookup who is > causing the spam trap block I would appreciate it. > > web11.thehostingnet.com 66.6.223.140 > > Thanks, > > Jeremy > Technical Support > Web-hosting-support.com > > Answered in email. Ellen From rg at nospam.please Wed May 4 02:46:00 2005 From: rg at nospam.please (rg) Date: Wed May 4 01:50:03 2005 Subject: [SpamCop-List] Re: ieypzkbc.tatzwz.info doesn't resolve on first try. (Or second, third, etc.) References: Message-ID: Yeah, refresh worked. It took about ten attempts, though! Wish they'd fix this... Thanks! "Ant" wrote in message news:d5807s$lv9$1@news.spamcop.net... > "rg" wrote: > >> Below is the report for >> http://www.spamcop.net/sc?id=z759058001zcc15a0f3201f890a3416b31a01900fbaz >> >> You will notice the section: >> Resolving link obfuscation > [...] > > Yes, and no information is given about what the parser did with those > links before the "Please make sure this email IS spam" message. > > I first noticed this in the middle of March this year, and reported it > here with the subject "Links found, but not parsed". The problem > continues to regularly occur, but no Spamcop person has commented on > it to my knowledge. > >> I have to submit them separately: [...] >> Then resubmit and cancel the spam report a few times before it finally >> ends >> up resolving. 
> > You don't need to cancel. Just refresh the parse page in your browser > or go to the "report spam" link if you've visited another page, and > you can then follow the "unreported spam, report now" link. > > I will sometimes resolve the spamvertized URLs separately, or refresh > the parse once, but if the links still aren't resolved I submit > the report anyway. It's not worth the hassle. > >> SUGGESTION: Increase the DNS timeout and retry numbers! > > I'm not sure if this is the problem. My understanding is that when a > lookup times out you get a message "unable to resolve..." > > [report snipped] > > From zitt at _no_spam_bigfoot.com Wed May 4 01:25:16 2005 From: zitt at _no_spam_bigfoot.com (John Zitterkopf) Date: Wed May 4 03:30:34 2005 Subject: [SpamCop-List] Popped hotmail spam w/ reporting confusion Message-ID: http://www.spamcop.net/sc?id=z759554231za1b9b8679752d1eb4227775630378465z I did not sign up for these "offers" which come 3-5/day. When I attempt to report it; it comes across with the following ?useless? reports: Re: 216.21.208.203 (Administrator of network where email originates) To: abuse#virtumundo.com@devnull.spamcop.net (Notes) Re: 216.21.208.203 (Third party interested in email source) To: Internal spamcop handling: (ironport) (Notes) Should this be reported to the internal handler?
------ full headers with email address removed: Return-Path: Delivered-To: spamcop-net-x Received: (qmail 7039 invoked from network); 3 May 2005 05:17:37 -0000 Received: from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade2.cesmail.net with SMTP; 3 May 2005 05:17:37 -0000 Received: from mailgate.cesmail.net (216.154.195.36) by c60.cesmail.net with ESMTP; 03 May 2005 01:17:24 -0400 X-IronPort-AV: i="3.92,147,1112587200"; d="scan'208,217"; a="220171863:sNHT41282976" X-Message-Status: n X-SID-PRA: Visit Orlando X-SID-Result: Pass X-Message-Info: H83ySVbTRY1PVhh5crlmkWM5my1izH8A8a/In5hognU= Received: from popgate.cesmail.net [192.168.1.201] by mailgate.cesmail.net with POP3 (fetchmail-6.2.1) for x (single-drop); Tue, 03 May 2005 01:17:24 -0400 (EDT) Received: from vm208-203.adknowledgemail.com ([216.21.208.203]) by mc9-f26.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Mon, 2 May 2005 22:05:54 -0700 Received: from adknowledgemail.com (10.10.50.51) by vm208-203.adknowledgemail.com with ESMTP; 02 May 2005 23:42:13 -0500 X-ClientHost: 122105116116119097114101064104111116109097105108046099111109 X-MailingID: 4687767 From: Visit Orlando To: 0 Errors-To: errors@adknowledgemail.com Reply-To: return@adknowledgemail.com Subject: Visit Orlando and see the magic for yourself. 
Mime-Version: 1.0 Content-Type: text/html Content-Transfer-Encoding: 8bit Message-ID: X-OriginalArrivalTime: 03 May 2005 05:05:55.0180 (UTC) FILETIME=[C91232C0:01C54F9D] Date: 2 May 2005 22:05:55 -0700 X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade2.cesmail.net X-Spam-Level: ************ X-Spam-Status: hits=12.9 tests=DOMAIN_RATIO,HTML_90_100,HTML_MESSAGE, MIME_HTML_ONLY,MSGID_FROM_MTA_HOTMAIL,SARE_HEAD_HDR_XCLIHST, SARE_RD_TO_BAD_TLD,X_MESSAGE_INFO version=3.0.2 X-SpamCop-Checked: 192.168.1.105 216.154.195.36 192.168.1.201 216.21.208.203 10.10.50.51 X-SpamCop-Disposition: Blocked SpamAssassin=12 From nobody at devnull.spamcop.net Wed May 4 03:48:04 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed May 4 03:50:03 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: "John Zitterkopf" wrote in message news:d59tct$m4t$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z759554231za1b9b8679752d1eb4227775630378465z Tracking URL provided, so repeated posting of "header contents" was redundant. > When I attempt to report it; it comes across with the following ?useless? > reports: > > Re: 216.21.208.203 (Administrator of network where email originates) > To: abuse#virtumundo.com@devnull.spamcop.net (Notes) Feeds the SpamCopDNSBL for possible inclusion. > Re: 216.21.208.203 (Third party interested in email source) > To: Internal spamcop handling: (ironport) (Notes) > > Should this be reported to the internal handler? Question seems odd ... Statement indicates that it "was" reported to an "internal address" ... reason explained as "Message source bonded by IronPort, reporting" (Tech/Full details turned on) ..
or see the following data; http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=216.21.208.203 From SCNews.5.myspamgobbler at spamgourmet.com Wed May 4 08:51:15 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Wed May 4 10:55:03 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion In-Reply-To: References: Message-ID: John Zitterkopf wrote: > http://www.spamcop.net/sc?id=z759554231za1b9b8679752d1eb4227775630378465z > > I did not sign up for these "offers" which come 3-5/day. > > When I attempt to report it; it comes across with the following ?useless? > reports: > > Re: 216.21.208.203 (Administrator of network where email originates) > To: abuse#virtumundo.com@devnull.spamcop.net (Notes) > > > Re: 216.21.208.203 (Third party interested in email source) > To: Internal spamcop handling: (ironport) (Notes) > > Should this be reported to the internal handler? > > ------ > Tracking message source: 216.21.208.203: Routing details for 216.21.208.203 [refresh/show] Cached whois for 216.21.208.203 : postmaster@virtumundo.com Using abuse net on postmaster@virtumundo.com abuse net virtumundo.com = abuse@virtumundo.com Using best contacts abuse@virtumundo.com abuse@virtumundo.com refuses SpamCop reports Using abuse#virtumundo.com@devnull.spamcop.net for statistical tracking. Whois reports back with adknowledge.com. abuse.net returns isprelations@adknowledge.com as the abuse address for 216.21.208.203. The reason for the report to Ironport is that 216.21.208.203 is a bonded sender. This will cost them for each spam. So, yes, report away if it is truly spam. The spamvertized domain also belongs to adknowledge, as does the network, so reporting them to themselves is not likely to accomplish much. 
Domain Name: AK2.CC Administrative Contact, Technical Contact: Adknowledge sysrenew@adknowledge.com 4600 Madison Suite 500 Kansas City, MO 64112 US (816) 931-1771 From nospam at fuck-off-and-die.com Thu May 5 05:17:39 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Wed May 4 18:35:06 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve References: Message-ID: <5abca81a7ce44460a39fa3cda2849ed5@alt.sex.wanted.photos.nude> Karl-Josef Ziegler, , the liverish, wooden-headed gnawing mammal, and crockery maker and pig attendant on the farm, gabbed: > ICANN should make an address verification process mandatory in the > registration procedure. E.g. a new domain first is set on registrar > hold and an air mail letter with a security code is sent to the > registrant. This security code must be verified via a web form and > only afterwards the domain is set in function. This process can be > automated BWAHAHAHAHAHAHAHAHAHAAHA! That's right, ignore all the privacy laws in numerous countries, ignore all the globe-shrinking benefits of modern technology, ignore the general public's demand for instant gratification wrought through selfish, "I want it and I want it now and I want it cheaper!" Pavlovian training, and go back to the bad old days of snail-mail and increased cost. BWAHAHAHAHAAHA! > and the price will be only a little bit higher than an air > mail stamp. More security at a low price increase. BWAHAHAHAAHAHAAHA! Buy the printing equipment, create or purchase the relevant software to interface with the registration database and print the mail, buy the mail packaging machinery, hire staff to manage and maintain all the gear and hope to fuck nothing ever gets lost in the mail, eh.
From eddie at eddie.web Wed May 4 21:38:25 2005 From: eddie at eddie.web (eddie) Date: Wed May 4 20:40:03 2005 Subject: [SpamCop-List] Re: "One in 20 'fall for online fraud'" References: Message-ID: On Tue, 03 May 2005 17:46:50 -0400, Anti-Spam scratched out the following: > > > If 1% lost money through phishing, does that mean 4% are falling for > non-phishing fraud? No wonder there is so much non-phishing spam. The most interesting thing is that it's probably the same 4% over and over and over, like Homer Simpson slamming the car door on his finger, over and over and over, yelling Ouch! each time and then doing it again :) -- Once movie theaters gave out steak knives Today they confiscate them From jr70 at blackhole.invalid Wed May 4 22:54:16 2005 From: jr70 at blackhole.invalid (John Richards) Date: Thu May 5 00:55:06 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve References: Message-ID: "Karl-Josef Ziegler" wrote in message news:d538qr$jfa$1@news.spamcop.net... > ICANN should make an address verification process mandatory in the > registration procedure. E.g. a new domain first is set on registrar hold > and an air mail letter with a security code is sent to the registrant. > This security code must be verified via a web form and only > afterwards the domain is set in function. This process can be automated > and the price will be only a little bit higher than an air mail stamp. > More security at a low price increase. There should be an exemption for non-commercial domain owners. I own a vanity domain, but it is for personal use only. I used my registrar's address as the address listed in my domain registration. I don't want stalkers and other malcontents coming to my residence.
-- John Richards From zitt at _no_spam_bigfoot.com Thu May 5 00:43:21 2005 From: zitt at _no_spam_bigfoot.com (John Zitterkopf) Date: Thu May 5 02:45:04 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: > The reason for the report to Ironport is that 216.21.208.203 is a bonded > sender. This will cost them for each spam. So, yes, report away if it is > truly spam. Ah. I was just "concerned" that Ironport being Spamcop's parent... that something wasn't working right. In the future; I'll be reporting to that address. Thanks. John From 79ytka802 at sneakemail.com Thu May 5 09:48:16 2005 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Thu May 5 03:50:03 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve In-Reply-To: References: Message-ID: John Richards wrote: > There should be an exemption for non-commercial domain owners. > I own a vanity domain, but it is for personal use only. I used my > registrar's address as the address listed in my domain registration. I > don't want stalkers and other malcontents coming to my > residence. > The .uk registry allows private individuals to opt out of having their address listed in the public Whois - but still requires them to *provide* this information, and will delete domains that are registered with false addresses. Also, if they receive reports of an opted-out domain being used for any commercial purposes the address goes straight back into the Whois. From noone at nowhere.com Thu May 5 12:15:15 2005 From: noone at nowhere.com (Robert) Date: Thu May 5 11:15:03 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: > The reason for the report to Ironport is that 216.21.208.203 is a bonded > sender. This will cost them for each spam. So, yes, report away if it is > truly spam. Just out of curiosity, how is a cost rendered to a bonded sender? 
Robert From SCNews.5.myspamgobbler at spamgourmet.com Thu May 5 10:15:15 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Thu May 5 12:20:08 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion In-Reply-To: References: Message-ID: Robert wrote: >>The reason for the report to Ironport is that 216.21.208.203 is a bonded >>sender. This will cost them for each spam. So, yes, report away if it is >>truly spam. > > > Just out of curiosity, how is a cost rendered to a bonded sender? > > Robert > > http://www.bondedsender.com/fees.jsp The Debit Rate = the rate at which participating senders will be charged for each complaint received after a sender has exceeded the allowable complaint rate. The current debit rate is $20 per complaint. From MikeE at ster.invalid Thu May 5 10:23:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu May 5 12:25:03 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: Robert wrote: >> The reason for the report to Ironport is that 216.21.208.203 is a >> bonded sender. This will cost them for each spam. So, yes, report >> away if it is truly spam. > > Just out of curiosity, how is a cost rendered to a bonded sender? The concept for bonded senders and similar programs is for there to be a program by which senders of bulk mail 'promise' on penalty of charges or fines or penalties or whatever you want to call it to play by the rules of the program - which are kinda loose from an anti-'s point of view. Then, when anti-s notify about a spam, the program's process examines the issue to determine if the bulk mailer has broken the [loose] rules, and if so, then the bulker has to pay. The theoretical advantage to a bulker of joining such a program is that you get to have your IP on a list which is a wannabe whitelist of bonded senders -- and further that there are different 'degrees' or classes of bonded sender-ness. 
So some bonded senders get to play by looser rules than others. In nanae there is also the argument that by being 'involved with' IronPort's bonded sender programs, you get some special handling by IronPort's antispam hard/soft/ware and IronPort's antispam blocklisting 'insight' - namely the spamcop information and system. The nanae-ites claim that getting a SC ding as a bonded sender doesn't count the same way as getting a ding as a non-bonded sender -- or maybe some bonded senders get SC dinged differently from others. You would have to be on the 'inside' of SC or IronPort to know the truth or fiction of those accusations. -- Mike Easter kibitzer, not SC admin From kjz at despammed.com Thu May 5 19:26:19 2005 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Thu May 5 12:30:03 2005 Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve In-Reply-To: References: Message-ID: John Richards wrote: > There should be an exemption for non-commercial domain owners. > I own a vanity domain, but it is for personal use only. I used my > registrar's address as the address listed in my domain registration. > I don't want stalkers and other malcontents coming to my > residence. And there are countries which require by law that on each website (also private ones, not only commercials!) the owner and email contact must be mentioned. There must be shown a person who is legally responsible for the content of each website. Otherwise you will have the risk to pay a penalty. - kjz From MikeE at ster.invalid Thu May 5 10:29:06 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu May 5 12:30:13 2005 Subject: [SpamCop-List] Re: Popped hotmail spam w/ reporting confusion References: Message-ID: Mike Easter wrote: > The nanae-ites claim that getting a SC ding as a bonded sender doesn't > count the same way as getting a ding as a non-bonded sender -- or > maybe some bonded senders get SC dinged differently from others. 
You > would have to be on the 'inside' of SC or IronPort to know the truth > or fiction of those accusations. The other nanae gripe is that vis spam; bulkers, bonded senders, ironport, spamcop, and reporters represent farmer, fox, henhouse, and chickens, not in any particular order. -- Mike Easter kibitzer, not SC admin From OokUseNet at emberts.UpYoursSpammer.com Thu May 5 21:58:57 2005 From: OokUseNet at emberts.UpYoursSpammer.com (Ook) Date: Fri May 6 00:15:03 2005 Subject: [SpamCop-List] Sober virus Message-ID: I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. It overflowed my mail server limit and my email stopped until I could get my ISP to increase the limit. I'm guessing there is nothing that can be done about this - is anyone else being flooded with these? Is there hope that this flood will slow down soon? From nobody at spamcop.net Thu May 5 23:49:47 2005 From: nobody at spamcop.net (N. Miller) Date: Fri May 6 01:50:04 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: On Thu, 5 May 2005 20:58:57 -0600, Ook wrote: > I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. It > overflowed my mail server limit and my email stopped until I could get my > ISP to increase the limit. I'm guessing there is nothing that can be done > about this - is anyone else being flooded with these? Is there hope that > this flood will slow down soon? I saw three in a pacbell.net account. I haven't seen any in any other account. Maybe I am too reclusive. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at spamcop.net Fri May 6 00:42:50 2005 From: nobody at spamcop.net (RandallW) Date: Fri May 6 02:45:04 2005 Subject: [SpamCop-List] pump and dump & webpresence.com Message-ID: I've been receiving pump and dump mail for months; it WAS being hosted on a server where the Spamcop pinging was not timing out ( for the admin address ).
Then the spam moved to webpresence.com, causing pingouts for the admin ( some supposed Victor Allan ). By a Google search I noticed there was some discussion of this on the Spamcop forum, with speculation that the spam is something done by one of The Big 50 Spammers. Has anyone called the number on the registration of webpresence.com? Is webpresence supposed to be an ISP? Does Victor Allan actually exist? From baloo at ursine.ca Fri May 6 00:18:01 2005 From: baloo at ursine.ca (Paul Johnson) Date: Fri May 6 03:10:19 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: Ook wrote: > I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. > It overflowed my mail server limit and my email stopped until I could get > my ISP to increase the limit. I'm guessing there is nothing that can be > done about this - is anyone else being flooded with these? Not if their mail server filters out viruses at SMTP time like they should be... http://ursine.ca/Rejecting_Viruses_The_Right_Way -- Paul Johnson Email and Instant Messenger (Jabber): baloo@ursine.ca http://ursine.ca/~baloo/ From wb8tyw at qsl.network Fri May 6 04:40:19 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri May 6 03:45:03 2005 Subject: [SpamCop-List] Re: Sober virus In-Reply-To: References: Message-ID: Ook wrote: > I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. It > overflowed my mail server limit and my email stopped until I could get my > ISP to increase the limit. I'm guessing there is nothing that can be done > about this - is anyone else being flooded with these? Is there hope that > this flood will slow down soon? I have only seen one thing that appears to obviously be a virus being relayed through an Earthlink mail server. I do not know which one it was because I do not have a scanner. What is important is if this is a direct to MX virus.
Such viruses are usually very effectively blocked by the SORBS DUHL or the NJABL dynablock list when used with the cbl.abuseat.org as the viruses that are not coming from DHCP pools tend to get listed very quickly in the cbl.abuseat.org. -John wb8tyw@qsl.network Personal Opinion Only From nobody at nowhere.invalid Fri May 6 11:00:46 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri May 6 04:05:03 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: On Thu, 5 May 2005 20:58:57 -0600, Ook coughed into spamcop and left this in : > I'm guessing there is nothing that can be done about this Well, there is. Switch to a competent ISP. One that filters out viruses from your inbound mail, for example. -- Steve Q: Why is Christmas just like a day at the office? A: You do all of the work and the fat guy in the suit gets all the credit. From PossumTrot at dont.spam.me Fri May 6 08:16:39 2005 From: PossumTrot at dont.spam.me (Possum Trot) Date: Fri May 6 10:20:03 2005 Subject: [SpamCop-List] Anyone know the MS address to report suspected piracy? Message-ID: From nobody at spamcop.net Fri May 6 11:32:19 2005 From: nobody at spamcop.net (Anti-Spam) Date: Fri May 6 10:40:03 2005 Subject: [SpamCop-List] Re: Anyone know the MS address to report suspected piracy? References: Message-ID: "Possum Trot" wrote in message news:d5fucu$ojf$1@news.spamcop.net... > "piracy at microsoft dot com" PS. More reporting addresses can be found at . -- Bring in the death penalty for repeat spammers. Non-functional spambait addr: can@njtaxk.com (generated by Webpoison) From nobody at devnull.spamcop.net Fri May 6 11:39:15 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri May 6 10:40:11 2005 Subject: [SpamCop-List] Email Address Finder at DNS Stuff Message-ID: Has anyone here tried the e-mail address tester on http://www.dnsstuff.com/ ? 
I looked briefly at them on google and they seem fine, and I think I've seen them mentioned here a few times, but never the address tester. NANAE folk seem to mention it a lot too. I put a few addresses into it, and it does seem to be able to say whether an e-mail address exists or not, but ... I was wondering what kind of pitfalls there are to using it. It seems "too good to be true". TIA, Pop From nobody at devnull.spamcop.net Fri May 6 11:42:17 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri May 6 10:45:03 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: "Ook" wrote in message news:d5eqsv$7a8$1@news.spamcop.net... > I'm being inundated with sober virus emails - 1000+ a day at 75K a pop. > It overflowed my mail server limit and my email stopped until I could get > my ISP to increase the limit. I'm guessing there is nothing that can be > done about this - is anyone else being flooded with these? Is there hope > that this flood will slow down soon? > Talk to your ISP; they can shut that off easily if they're at all competent. Did you TELL them it was a virus? Pop From MikeE at ster.invalid Fri May 6 09:34:27 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 6 11:35:22 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Pop wrote: > Has anyone here tried the e-mail address tester on > http://www.dnsstuff.com/ ? I just did, to see what you are talking about. > I looked briefly at them on google and they seem fine, and I think > I've seen them mentioned here a few times, but never the address > tester. NANAE folk seem to mention it a lot too. I use the tools there all the time, but not that domain mx tester at the bottom of the middle column in the 'other tests' section called: E-mail Test - Enter E-mail address or domain ? - Are there problems sending mail to a user or domain? and then you push the 'Mail Test' button.
> I put a few addresses into it, and it does seem to be able to say
> whether an e-mail address exists or not, but ... I was wondering what
> kind of pitfalls there are to using it. It seems "too good to be
> true".

That tool simply finds the mxes for a domainname and checks to see if it can connect to all of the mxes. It doesn't test for the username in any way.

The tool in SamSpade for win has a little algorithm by which it connects with the mx and checks a rcpt to for the username to get some kind of result, and then it checks a rcpt to a bogusname to compare. Sometimes you can find out that a username doesn't exist at the domainname, sometimes you can't.

--
Mike Easter
kibitzer, not SC admin

From eddie at eddie.web Fri May 6 12:45:20 2005
From: eddie at eddie.web (eddie)
Date: Fri May 6 11:50:02 2005
Subject: [SpamCop-List] Re: Anyone know the MS address to report suspected piracy?
References:
Message-ID:

On Fri, 06 May 2005 07:16:39 -0700, Possum Trot scratched out the following:

,zilch.

Here's an excellent website with many reporting addresses, including piracy:
http://banspam.javawoman.com/report3/piracy1.html

--
Once movie theaters gave out steak knives
Today they confiscate them

From phantom523 at no-spam.gmail.com Fri May 6 12:21:20 2005
From: phantom523 at no-spam.gmail.com (Lance)
Date: Fri May 6 12:25:03 2005
Subject: [SpamCop-List] Zero hour is up
Message-ID:

Our mail servers 216.229.64.71, 216.229.64.72, 216.229.64.73 are currently still showing as blocked even though it has reached the zero hour. When exactly does the delisting happen?
Thanks,
Lance

From nobody at spamcop.net Fri May 6 13:50:53 2005
From: nobody at spamcop.net (indigo)
Date: Fri May 6 12:55:02 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

Mike Easter wrote:
> The tool in SamSpade for win has a little algorithm by which it
> connects with the mx and checks a rcpt to for the username to get
> some kind of result, and then it checks a rcpt to a bogusname to
> compare.

Which tool is that? I tried the SMTP tool and that didn't work. Nothing else looks obvious as to the tool you're referring to.....

From Vanguard at domain.invalid Fri May 6 13:24:04 2005
From: Vanguard at domain.invalid (Vanguard)
Date: Fri May 6 13:25:03 2005
Subject: [SpamCop-List] Re: Anyone know the MS address to report suspected piracy?
References:
Message-ID:

"Possum Trot" wrote in message news:d5fucu$ojf$1@news.spamcop.net...
>
>

Um, how about Microsoft?

http://www.microsoft.com/piracy/Reporting.mspx

From averyc at spamcop.net Fri May 6 14:49:06 2005
From: averyc at spamcop.net (Christopher Avery)
Date: Fri May 6 14:50:05 2005
Subject: [SpamCop-List] web4presence.com?
Message-ID:

My wife gets a lot of spam that spamcop says should be reported to abuse@web4presence.com. But of course that email address is being /dev/null'ed by spamcop.

Is there any information about this spammer somewhere? Also, can spamcop find an upstream provider to report to instead? Thanks.

--
-- Chris Avery
averyc@spamcop.net

From nobody at spamcop.net Fri May 6 16:36:45 2005
From: nobody at spamcop.net (Ellen)
Date: Fri May 6 15:55:02 2005
Subject: [SpamCop-List] Re: Zero hour is up
References:
Message-ID:

"Lance" wrote in message news:d5g5if$stb$1@news.spamcop.net...
> Our mail servers 216.229.64.71,
delisted: 5/6/2005 11:05:01 AM -0400
216.229.64.72,
delisted: 5/6/2005 11:05:01 AM -0400
216.229.64.73
delisted: 5/6/2005 11:05:01 AM -0400
> are currently
> still showing as blocked even though it has reached the zero hour.
When
> exactly does the delisting happen?
>

Once an IP reaches the "0" hour then it can take up to 2 or 3 hours for the information to propagate thru the various cron jobs to the mirrors. Will be delisted in 0 hours means it has started into the delist process.

Ellen

From MikeE at ster.invalid Fri May 6 14:00:25 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 6 16:00:02 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

indigo wrote:
> Mike Easter wrote:
>> The tool in SamSpade for win has a little algorithm by which it
>> connects with the mx and checks a rcpt to for the username to get
>> some kind of result, and then it checks a rcpt to a bogusname to
>> compare.
>
> Which tool is that? I tried the SMTP tool and that didn't work.
> Nothing else looks obvious as to the tool you're referring to.....

You start by putting an email addy into the L window; there needs to be some preliminary configuration in options such as an email address for the mail from command part. Then the Basics menu will have a functional selection called 'SMTP Verify'. That algorithm tries to use expn and vrfy, which 'never' work, and it also does the rcpt to I described.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Fri May 6 23:52:30 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri May 6 16:55:28 2005
Subject: [SpamCop-List] Re: Sober virus
References:
Message-ID:

On Fri, 6 May 2005 10:42:17 -0400, Pop coughed into spamcop and left this in :

> Talk to your ISP; they can shut that off easily if they're at all competent.
> Did you TELL them it was a virus?

If the ISP was competent, it wouldn't need telling. Its antivirus filters would already be up to date and the viral flood would be a non-story by now.

--
Steve
Stupidity is NOT a handicap. Park elsewhere!
From nttp.sc.s at bigsleep.org Sat May 7 00:00:33 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Fri May 6 19:05:06 2005
Subject: [SpamCop-List] Re: "One in 20 'fall for online fraud'"
References:
Message-ID:

On 04 May 2005 eddie entered spamcop and left news:pan.2005.05.05.00.38.25.362000@eddie.web:

> like Homer Simpson slamming the car door on his finger,
> over and over and over, yelling Ouch! each time and then doing it
> again :)
>

More like Lisa's shock experiment on Bart. That'd probably work on Homer too, just hook a shocker up to his donut.

--
| Ric |

From agent01413 at my-deja.com Sat May 7 00:32:00 2005
From: agent01413 at my-deja.com (Socks the Whitehouse Cat)
Date: Fri May 6 19:35:03 2005
Subject: [SpamCop-List] Re: web4presence.com?
References:
Message-ID:

"Christopher Avery" wrote in news:d5ge7f$1ti$1@news.spamcop.net:

> My wife gets a lot of spam that spamcop says should be reported to
> abuse@web4presence.com. But of course that email address is being
> /dev/null'ed by spamcop.
>
> Is there any information about this spammer somewhere? Also, can
> spamcop find an upstream provider to report to instead? Thanks.
>

OPENRBL WHOIS says to use postmaster@jriad.info for that one

--
"...Life is not a journey to the grave with the intention of arriving safely in one pretty and well preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!!"
-- Bill McKenna, date unknown

From nobody at devnull.spamcop.net Fri May 6 21:17:27 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Fri May 6 20:20:10 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

"Mike Easter" wrote in message news:d5g2md$r1d$1@news.spamcop.net...
> Pop wrote:
>> Has anyone here tried the e-mail address tester on
>> http://www.dnsstuff.com/ ?
> ...
>
> That tool simply finds the mxes for a domainname and checks to see if it
> can connect to all of the mxes.
It doesn't test for the username in any
> way.
> ...
> --
> Mike Easter
> kibitzer, not SC admin
>

Thanks, Mike, the dns stuff explanation is about what I expected to hear, but fiddling with it some more tonight, looking for a pattern or whatever, I'm getting 100% correct responses. I did notice it's using a "relay recipient table", whatever that is, and there are both smtp and mx information. There's a lot I don't know, so here's my argument so you can maybe figure out where I'm coming from:

If I use nobody@spamcop.net, I get several lines of:
"Got an unknown RCPT TO response: 550 sorry, no such user here"

Using My personal address, I get:
" [Successful connect: Got a good response [250 Ok]]"

Another of my real addresses, this one at Yahoo:
"Got a good response [250 recipient ok]]"

My own address but munged to uselessness:
"Got an unknown RCPT TO response: 550 : Recipient address rejected: User unknown in relay recipient table"

So, there are at least two different negative responses: user rejected, and no such user. BTW, how/where/how-important is, a "relay recipient table"?

I've tested it with every address I can think of without looking them up; probably about fifteen of them, and each time it says the recipient is "OK". But, frogging up the addresses gets me the 550. I guess the key is what 250, 520, and 550 messages are.

Occasionally I'll get:
"Could not connect: Connection closed before I received all my data"
but if I retry it, it'll usually work and other smtp's or mx's will instead have the those messages and the previous couldn't connects now work.

Soooo, knowing better than to say you're wrong (I always *lose* when I say that!), I'm still wondering about what the down-side is. I mean other than the obvious problems that can come up such as abandoned accounts, anymail goes to one address type stuff, which I think I understand. I suppose it reverts to whatever the "relay recipient table" is, but ... I don't know what the implication is.
Regards,
Pop

From jr70 at blackhole.invalid Fri May 6 18:29:24 2005
From: jr70 at blackhole.invalid (John Richards)
Date: Fri May 6 20:30:04 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
References:
Message-ID:

"Karl-Josef Ziegler" wrote in message news:d5dhf4$hge$1@news.spamcop.net...
> John Richards wrote:
>
>> There should be an exemption for non-commercial domain owners.
>> I own a vanity domain, but it is for personal use only. I used my
>> registrar's address as the address listed in my domain registration.
>> I don't want stalkers and other malcontents coming to my
>> residence.
>
> And there are countries which require by law that on each website (also
> private ones, not only commercials!) the owner and email contact must be
> mentioned. There must be shown a person who is legally responsible for
> the content of each website. Otherwise you will have the risk to pay a
> penalty.

Then how can registrars like GoDaddy.com legally offer "private" registration which hides the owner's personal information?
https://www.godaddy.com/gdshop/dbp/landing.asp?se=%2B&ci=717

--
John Richards

From MikeE at ster.invalid Fri May 6 21:06:26 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 6 23:05:07 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

Pop wrote:
> "Mike Easter"
>> That tool simply finds the mxes for a domainname and checks to see
>> if it can connect to all of the mxes. It doesn't test for the
>> username in any way.

> If I use nobody@spamcop.net, I get several lines of:
> "Got an unknown RCPT TO response: 550 sorry, no such user here"

You are correct. That tester /does/ test for rcpt to - I misinterpreted what I saw before. But testing the rcpt to is all it does, it doesn't also test with a bogus rcpt to. You would need to do that as a separate operation for the mxes which accept any username for the domain they serve.
> Using My personal address, I get:
> " [Successful connect: Got a good response [250 Ok]]"
>
> Another of my real addresses, this one at Yahoo:
> "Got a good response [250 recipient ok]]"

Many mxes will give you a 250 no matter what username is attached to their domainname.

> My own address but munged to uselessness:
> "Got an unknown RCPT TO response: 550 : Recipient address rejected:
> User unknown in relay recipient table"

"My own address but munged to uselessness" is ambiguous as to how it was munged. If I use uselessness@yahoo.com I get a 250 OK.

> So, there are at least two different negative responses: user
> rejected, and no such user.

The tool is saying/ telling you/ what the mx server sed. The words attached to the 550 or whatever reject code is used.

> BTW, how/where/how-important is, a "relay recipient table"?

That sounds like a term that would be used for the domains that a mx is serving for.

> I've tested it with every address I can think of without looking them
> up; probably about fifteen of them, and each time it says the
> recipient is "OK". But, frogging up the addresses gets me the 550.

"frogging up the addresses" is ambiguous again. I'm assuming that when you frog up an address, you are changing the username only somehow. When you describe your experiment, you should make it clear to who is reading what has been changed.

> I guess the key is what 250, 520, and 550 messages are.

A 250 means the mx is saying OK continue with the transaction. Any kind of 5xx means that transaction is permanently rejected.

> Occasionally I'll get:
> "Could not connect: Connection closed before I received all my data"
> but if I retry it, it'll usually work and other smtp's or mx's will
> instead have the those messages and the previous couldn't connects
> now work.
>
> Soooo, knowing better than to say you're wrong (I always *lose* when
> I say that!),

No. I was wrong. The tool is looking at the username in the rcpt to.
But, don't overinterpret what the meaning of accepting a username means. In some cases an mx will say 250 to a bogus username as well as a good username.

> I'm still wondering about what the down-side is.

The downside is only in the misinterpretation of what you are seeing.

> I
> mean other than the obvious problems that can come up such as
> abandoned accounts, anymail goes to one address type stuff, which I
> think I understand. I suppose it reverts to whatever the "relay
> recipient table" is, but ... I don't know what the implication is.

An mx might handle any number of different domainnames. So, if your addressee's domainname is in the list of acceptable domainnames, it can be accepted. Not if it is not.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri May 6 23:06:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 6 23:10:07 2005
Subject: [SpamCop-List] Spamvertized URL resolving issue - Someone from SpamCop responds
Message-ID:

For those of you that have been asking for input from "Someone from SpamCop" ... here's your response.

The Forum FAQ
http://forum.spamcop.net/forums/index.php?showtopic=2238

Contains an entry titled;
New! SpamCop reporting of spamvertized sites - some philosophy

Which links to an entry that includes commentary from myself, Mike Easter, Don (and by extension, Ellen)
http://forum.spamcop.net/forums/index.php?showtopic=4085

and for those not happy with the HTML version, a LoFi view
http://forum.spamcop.net/forums/lofiversion/index.php/t4085.html

From MikeE at ster.invalid Fri May 6 21:21:34 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 6 23:20:03 2005
Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds
References:
Message-ID:

WazoO wrote:
> New!
SpamCop reporting of spamvertized sites - some philosophy
>
> Which links to an entry that includes commentary from
> myself, Mike Easter, Don (and by extension, Ellen)
> http://forum.spamcop.net/forums/index.php?showtopic=4085

Altho' in that response there's not any confirmation or denial or commentary about whether or not the parser intentionally bails 'immediately' - without waiting for any resolution under some conditions of resource management or something.

That is, there's the condition of the parser not finding a url, the condition of the parser finding an url but the url resolving poorly/ too slowly/ not/ for the SC resolver, and the /other/ condition of the parser finding an url and not trying to resolve it. That 'other' condition seems to me to be something new or different which the parser didn't do at some time in the past -- realizing that the parser is a dynamic thing, always changing.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri May 6 23:53:54 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 6 23:55:03 2005
Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds
References:
Message-ID:

"Mike Easter" wrote in message news:d5hc48$h43$1@news.spamcop.net...
>
> Altho' in that response there's not any confirmation or denial or
> commentary about whether or not the parser intentionally bails
> 'immediately' - without waiting for any resolution under some
> conditions of resource management or something.

Although I surely agree, I did leave a bit of a hint that this wasn't something put together on a whim. There's been quite a bit of dialog just to get this far with a getting an "official" response ... just doing the best I can

In Don's / Ellen's defense, some of what you are pointing out is probably covered under the "best not discussed" phrase ..
hard to guess what Julian's exact words might have been

From nobody at devnull.spamcop.net Sat May 7 00:04:08 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat May 7 00:05:03 2005
Subject: [SpamCop-List] Re: binary files
References:
Message-ID:

"Karen" wrote in message news:pan.2005.05.06.17.50.30.401412@spamcop.net...
> I've noticed something new in my last several email reports but do not see
> anything similar in my webpage of held mail:

I see no one has responded yet ... perhaps due to this being a SpamCop e-mail account issue which would normally be posted into the spamcop.mail newsgroup .. for perhaps a quicker answer, there are a number of other e-mail account folks over in the web forum, which is where JT has 'pushed' as the primary e-mail account support spot ....
http://forum.spamcop.net/forums/

To hopefully speed things up, I've 'posted' your query 'over there' .. maybe by the time you see this, answers will be in place ..???
http://forum.spamcop.net/forums/index.php?showtopic=4132

From SCNews.5.myspamgobbler at spamgourmet.com Fri May 6 22:22:05 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Sat May 7 00:25:04 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Pop wrote:
>
>>"Mike Easter"
>>
>>>That tool simply finds the mxes for a domainname and checks to see
>>>if it can connect to all of the mxes. It doesn't test for the
>>>username in any way.
>
>
>>If I use nobody@spamcop.net, I get several lines of:
>>"Got an unknown RCPT TO response: 550 sorry, no such user here"
>
>
> You are correct. That tester /does/ test for rcpt to - I misinterpreted
> what I saw before. But testing the rcpt to is all it does, it doesn't
> also test with a bogus rcpt to. You would need to do that as a separate
> operation for the mxes which accept any username for the domain they
> serve.
>
>
>>Using My personal address, I get:
>>" [Successful connect: Got a good response [250 Ok]]"
>>
>>Another of my real addresses, this one at Yahoo:
>>"Got a good response [250 recipient ok]]"
>

Yahoo responds the same whether a username is good or not. There are two ways that I know of to test yahoo addresses.

One is by going to
http://edit.yahoo.com/config/eval_register?.v=&.intl=&new=1&.done=http%3a//mail.yahoo.com&.src=ym&.partner=&.p=&promo=&.last=
and entering in the username part of the address in Yahoo! ID: and click the "Check Availability of This ID" button.

If it returns "Yahoo! ID uselessness is unavailable.", then the email address is likely valid. If it returns " Congratulations, the ID rti4396 is available!", then you have an invalid address.

The other is to put the username part of the email address into http://profiles.yahoo.com/"username" without the quotes. If it returns a profile, then the account is likely to still be active. If it returns "Sorry, but the profile you are looking for is not currently available," then it is not a valid address. I use likely because I'm not sure about a lot of things that Yahoo does.

>
> Many mxes will give you a 250 no matter what username is attached to
> their domainname.
>
>
>>My own address but munged to uselessness:
>>"Got an unknown RCPT TO response: 550 : Recipient address rejected:
>>User unknown in relay recipient table"
>
>
> "My own address but munged to uselessness" is ambiguous as to how it was
> munged. If I use uselessness@yahoo.com I get a 250 OK.
>

That's because uselessness@yahoo.com is a valid email address according to my tests. Must be someone with low self esteem.

The tool that I use often is the email dossier at http://centralops.net/co/ . Not that it is necessarily any better than any other, I just find it convenient. The domain dossier I use often as well.
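
The comparison Mike Easter describes earlier in this thread (the reply to a RCPT TO for the real username set against the reply to a RCPT TO for a bogus one at the same domain) can be written as a small decision table. This is an added example, not part of any poster's message and not code from the DNS Stuff or Sam Spade tools; it only interprets reply text that has already been captured, the function names and verdict labels are made up here, and the replies marked constructed are assumptions.

```python
"""Interpret captured SMTP RCPT TO replies: probed address vs. bogus control."""
import re
from typing import List, NamedTuple, Optional


class Reply(NamedTuple):
    code: int
    text: str


class Verdict(NamedTuple):
    label: str        # hypothetical labels, defined for this example only
    server_said: str  # the MX's own words for the probed address


# One reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
_REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")


def parse_reply(raw: str) -> Optional[Reply]:
    """Parse one complete SMTP reply; None if empty, cut off or malformed."""
    lines = [ln.rstrip() for ln in raw.splitlines() if ln.strip()]
    if not lines:
        return None  # e.g. the connection closed before any data arrived
    code, texts = None, []
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if m is None:
            return None
        this_code = int(m.group(1))
        if code is None:
            code = this_code
        elif this_code != code:
            return None  # every line of one reply repeats the same code
        is_last = i == len(lines) - 1
        if (m.group(2) == "-") == is_last:
            return None  # "-" must mark continuation lines and only those
        texts.append((m.group(3) or "").strip())
    return Reply(code, " ".join(t for t in texts if t))


def interpret(real_raw: str, control_raw: str) -> Verdict:
    """Say what a RCPT TO reply proves once the bogus-name control is known."""
    real, control = parse_reply(real_raw), parse_reply(control_raw)
    if real is None:
        return Verdict("no-answer", "")            # proves nothing; retry later
    said = f"{real.code} {real.text}".strip()
    if 400 <= real.code <= 499:
        return Verdict("deferred", said)           # temporary, not a verdict
    if 500 <= real.code <= 599:
        return Verdict("rejected", said)           # read the text for the reason
    if not 200 <= real.code <= 299:
        return Verdict("no-answer", said)
    if control is not None and 200 <= control.code <= 299:
        return Verdict("accepts-anything", said)   # a 250 here means nothing
    if control is not None and 500 <= control.code <= 599:
        return Verdict("accepted-control-refused", said)
    return Verdict("accepted-unchecked", said)     # no usable control reply


# (description, reply for the probed address, reply for the bogus control)
SAMPLES = [
    ("nobody@spamcop.net, reply quoted in the thread",
     "550 sorry, no such user here", ""),
    ("personal address; control is the munged-address reply from the thread",
     "250 Ok",
     "550 : Recipient address rejected: User unknown in relay recipient table"),
    ("Yahoo address; control reply constructed",
     "250 recipient ok", "250 recipient ok"),
    ("connection closed before any reply",
     "", ""),
    ("greylisting MX; both replies constructed",
     "451 4.7.1 Greylisted, try again later", "451 4.7.1 Greylisted"),
]


def run_samples() -> List[Verdict]:
    return [interpret(real, control) for _, real, control in SAMPLES]


if __name__ == "__main__":
    for (what, _, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict.label:26} {what}: {verdict.server_said}")
```

Only the accepted-control-refused case says anything about the username; a 250 from an MX that also accepts the bogus name is the situation the thread warns against over-interpreting.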
From SCNews.5.myspamgobbler at spamgourmet.com Fri May 6 22:32:08 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Sat May 7 00:35:02 2005
Subject: [SpamCop-List] Re: web4presence.com?
In-Reply-To:
References:
Message-ID:

Socks the Whitehouse Cat wrote:
> "Christopher Avery" wrote in
> news:d5ge7f$1ti$1@news.spamcop.net:
>
>
>>My wife gets a lot of spam that spamcop says should be reported to
>>abuse@web4presence.com. But of course that email address is being
>>/dev/null'ed by spamcop.
>>
>>Is there any information about this spammer somewhere? Also, can
>>spamcop find an upstream provider to report to instead? Thanks.
>>
>
>
> OPENRBL WHOIS says to use postmaster@jriad.info for that one
>

Both addresses belong to the spammers. I have been reporting a lot of web4presence spam to the FTC and the SEC for awhile now. I keep hoping that they gather enough evidence and shut them down. Their spew is the only mail I get to a couple of old hotmail accounts and it makes it past the spam filters. I keep reporting it as spam to hotmail, but it doesn't seem to matter. It usually comes as a pair, one pump and dump and one give-a-way that I believe is used as an email harvester. The last one I checked out goes through three redirects before getting to the spam content. This is Ralsky.
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL25586

From nobody at spamcop.net Fri May 6 23:27:58 2005
From: nobody at spamcop.net (N. Miller)
Date: Sat May 7 01:30:03 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID: <1ounpf63l5yqx.dlg@news.spamcop.net>

On Fri, 6 May 2005 20:17:27 -0400, Pop wrote:

> Occasionally I'll get:
> "Could not connect: Connection closed before I received all my data"
> but if I retry it, it'll usually work and other smtp's or mx's will instead
> have the those messages and the previous couldn't connects now work.
If you tried that experiment on my domain, the fourth failed RCPT TO would cause that problem for you. I expect that some domains will also log connections where the connecting server bails on the nth successful RCPT TO because that appears to be a "dictionary attack" on that domain.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Sat May 7 01:50:13 2005
From: nobody at spamcop.net (NerdRevenge)
Date: Sat May 7 03:45:06 2005
Subject: [SpamCop-List] Re: Zero hour is up
References:
Message-ID:

"Lance" wrote in message news:d5g5if$stb$1@news.spamcop.net...
> Our mail servers 216.229.64.71, 216.229.64.72, 216.229.64.73 are currently
> still showing as blocked even though it has reached the zero hour. When
> exactly does the delisting happen?
>

Once the spam stops

> Thanks, Lance
>

From bar_n0ne at hotmail.com Sat May 7 14:07:55 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat May 7 05:10:24 2005
Subject: [SpamCop-List] Cavtel.net, pretty Cavalier? (sober)
Message-ID:

I've been getting a steady stream (>100 in a day) of sober viruses from the same IP at Cavtel.net: 66.160.72.2

Both manual and SC larts have no effect after more than 36 hours of the spew.

By the way folks, if you do use SC to lart, uncheck the links, they are innocent. This virus also seems to be designed to be a joe job generator.

From nobody at nowhere.invalid Sat May 7 12:44:55 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat May 7 05:45:06 2005
Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober)
References:
Message-ID:

On Sat, 7 May 2005 13:07:55 +0400, Berny coughed into spamcop and left this in :

> I've been getting a steady stream (>100 in a day) of sober viruses from the
> same IP at Cavtel.net:

Why has your ISP been letting them get to your mailspool in the first place?
I'm extremely lucky in that hardly any viruses are ever sent to me, but this month so far 2 of those were sent. The antivirus running on my server (ClamAV) detected them and procmail shunted them away from my mailbox:

------- Possible virus: Worm.Sober.P FOUND ---------
>From MAILER-DAEMON Tue May 3 08:30:39 2005
Subject: Delivery Status Notification (Failure)
Folder: /usr/local/junk/viruses200505 80881
------- Possible virus: Worm.Sober.P FOUND ---------
>From xxxx@xxxxxxxxx Sat May 7 08:39:20 2005
Subject: Returned mail: see transcript for details
Folder: /usr/local/junk/viruses200505 77457

--
Steve
Tomorrow is cancelled due to lack of interest.

From bar_n0ne at hotmail.com Sat May 7 15:53:17 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat May 7 06:55:03 2005
Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober)
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd7p3gn.3hm.nobody@127.0.0.1...
> On Sat, 7 May 2005 13:07:55 +0400, Berny coughed into spamcop and left
> this in :
>
SNIP
> Why has your ISP been letting them get to your mailspool in the first
> place?

Ask Yahoo that. I have no idea if Yahoo fails to catch them, or doesn't check until you try to open them, or what. I only discovered it was a "sober" when I pressed "view original mail"-during a SC parse. It seems there was enough of the mime text available for Norton to notice and recognize that the browser cache was "infected".

From kjz at despammed.com Sat May 7 14:02:13 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Sat May 7 07:05:02 2005
Subject: [SpamCop-List] Re: Internic/Gandi registration problems take rediculously long to resolve
In-Reply-To:
References:
Message-ID:

John Richards wrote:

> Then how can registrars like GoDaddy.com legally offer "private" registration
> which hides the owner's personal information?
> https://www.godaddy.com/gdshop/dbp/landing.asp?se=%2B&ci=717

Because GoDaddy is located in USA which have no such requirements.
Registrars in other countries may have other legal regulations. That's one of the general problems with the net: it's global but law enforcement only is national. So criminals can evade to the country with the 'softest' legislation.

- kjz

From nobody at nowhere.invalid Sat May 7 14:32:00 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat May 7 07:35:03 2005
Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober)
References:
Message-ID:

On Sat, 7 May 2005 14:53:17 +0400, Berny coughed into spamcop and left this in :

>> Why has your ISP been letting them get to your mailspool in the first
>> place?
>
> Ask Yahoo that.

Yahpoo! Uhh, OK, say no more. It all makes sense now.

--
Steve
There are only 10 kinds of people in the world: Those who understand binary, and those who don't.

From nobody at devnull.spamcop.net Sat May 7 11:05:12 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Sat May 7 10:10:04 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

...
>> Another of my real addresses, this one at Yahoo:
>> "Got a good response [250 recipient ok]]"
>
> Many mxes will give you a 250 no matter what username is attached to
> their domainname.

===> Yes, that I understand. I learned that right here at SC, in fact. I think one could determine that though by munging an address or two and see what happens.

>
>> My own address but munged to uselessness:
>> "Got an unknown RCPT TO response: 550 : Recipient address rejected:
>> User unknown in relay recipient table"
>
> "My own address but munged to uselessness" is ambiguous as to how it was
> munged. If I use uselessness@yahoo.com I get a 250 OK.

===> OOPS! I didn't notice that! So much for my "testing" abilities! It brings out your point rather well; always finish the tests!

>
>> So, there are at least two different negative responses: user
>> rejected, and no such user.
>
> The tool is saying/ telling you/ what the mx server sed.
The words
> attached to the 550 or whatever reject code is used.
>
>> BTW, how/where/how-important is, a "relay recipient table"?
>
> That sounds like a term that would be used for the domains that a mx is
> serving for.
>
>> I've tested it with every address I can think of without looking them
>> up; probably about fifteen of them, and each time it says the
>> recipient is "OK". But, frogging up the addresses gets me the 550.
>
> "frogging up the addresses" is ambiguous again. I'm assuming that when
> you frog up an address, you are changing the username only somehow.
> When you describe your experiment, you should make it clear to who is
> reading what has been changed.

===> Yeah, you're right. I'd change one character in the username to see what happened. Had they come back with a hit, I'd have tried adding or deleting a character to see what happened, but never had to.

>
>> I guess the key is what 250, 520, and 550 messages are.
>
> A 250 means the mx is saying OK continue with the transaction. Any kind
> of 5xx means that transaction is permanently rejected.
>
>> Occasionally I'll get:
>> "Could not connect: Connection closed before I received all my data"
>> but if I retry it, it'll usually work and other smtp's or mx's will
>> instead have the those messages and the previous couldn't connects
>> now work.
...
> No. I was wrong. The tool is looking at the username in the rcpt to.
> But, don't overinterpret what the meaning of accepting a username means.
> In some cases an mx will say 250 to a bogus username as well as a good
> username.

===> Yup. I'll try to keep that in mind.

>
>> I'm still wondering about what the down-side is.
>
> The downside is only in the misinterpretation of what you are seeing.
>
...
> An mx might handle any number of different domainnames. So, if your
> addressee's domainname is in the list of acceptable domainnames, it can
> be accepted. Not if it is not.

===> Ah, I see!
So there could be multiple "John@"s which means you wouldn't know that. But, this would only be an issue in the case of a forged address, true? The user's address would contain the relevant domainname unless he was forging it. Which makes it more widespread than just in the mx serves multiple domainnames case. I'll have to remember that too, in case it makes any difference in the future.

>
> --
> Mike Easter
> kibitzer, not SC admin
>

Just FYI, what I'm doing is probing around trying to verify some addresses of some scum who have invaded a newsgroup and are disrupting it to the point of near uselessness. Mostly just to see if I can do it, but it might come in handy if they don't go away in a reasonable length of time.

Regards,
Pop

From nobody at devnull.spamcop.net Sat May 7 11:14:31 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Sat May 7 10:15:03 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

...
>
> Yahoo responds the same whether a username is good or not.

===> Yup, as Mike pointed out! I didn't finish the work on that one! I looked for myself just for grins, and you're 100% correct.

There are two
> ways that I know of to test yahoo addresses.
>
> One is by going to
> http://edit.yahoo.com/config/eval_register?.v=&.intl=&new=1&.done=http%3a//mail.yahoo.com&.src=ym&.partner=&.p=&promo=&.last=
> and entering in the username part of the address in Yahoo! ID: and click
> the "Check Availability of This ID" button.
>
> If it returns "Yahoo! ID uselessness is unavailable.", then the email
> address is likely valid. If it returns " Congratulations, the ID
> rti4396 is available!", then you have an invalid address.

===> Fortunately I'm not too interested in the Yahoo's et al, but that might work. I'll check it out more fully to see how accurate it is. I'm wondering if they actually remove old addresses or not. I've heard they don't. Course, a past ISP I had did that, too.
My old address is still there, and it's been years since I used them. I can't access the account, but I can send mail to it. So, there are gotcha's all over the place. > > The other is to put the username part of the email address into > http://profiles.yahoo.com/"username" without the quotes. If it returns a > profile, then the account is likely to still be active. ===> I don't think profiles are very useful. It's a simple keyclick to keep your profile off the screen as I recall. I've tried to access my own profile at Yahoo and it won't let me. So, to appearances, that way, I'm not there. But, IF it found a profile, you're right, it would be a verification. Just not finding it isn't a verification it's NOT there. Thanks for the input Regards, Pop From SCNews.5.myspamgobbler at spamgourmet.com Sat May 7 08:40:26 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Sat May 7 10:45:04 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff In-Reply-To: References: Message-ID: Pop wrote: > ... > >>The other is to put the username part of the email address into >>http://profiles.yahoo.com/"username" without the quotes. If it returns a >>profile, then the account is likely to still be active. > > ===> I don't think profiles are very useful. It's a simple keyclick to keep > your profile off the screen as I recall. I've tried to access my own > profile at Yahoo and it won't let me. So, to appearances, that way, I'm not > there. But, IF it found a profile, you're right, it would be a > verification. Just not finding it isn't a verification it's NOT there. > That's not true. There is no way to hide your profile, so it is a good way to determine that it's _not_ there. From Yahoo Help: "It is not possible to delete the profile associated with your main Yahoo! ID on the My Profiles page. Profiles for your main Yahoo! ID or your Yahoo! Mail account can only be deleted by closing your account and removing all of the information they contain.
If you don't want any information displayed on the profile for your Yahoo! ID or Mail account, simply remove all of the content in the profile." From MikeE at ster.invalid Sat May 7 09:34:55 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 7 11:35:07 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Pop wrote: > Just FYI, what I'm doing is probing around trying to verify some > addresses of some scum who have invaded a newsgroup and are > disrupting it to the point of near uselessness. Mostly just to see > if I can do it, but it might come in handy if they don't go away in a > reasonable length of time. Disruptive trolls don't normally use a good From; in fact they would be more likely to spoof someone else's identity; so I wouldn't be looking at the From at all. I would be sizing them up from their ability to obscure themselves; are they using a newsserver that provides the nntp or are they not; are they using an anonymizing remailer or are they not; can you recognize their 'handwriting' and other nyms they've posted under. Things like that. The From would be the last thing [namely not at all] I would use to help me figure out a disruptive troll -- Mike Easter kibitzer, not SC admin From not at home.today Sat May 7 17:51:18 2005 From: not at home.today (Ant) Date: Sat May 7 11:55:30 2005 Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds References: Message-ID: "WazoO" wrote: > For those of you that have been asking for input from > "Someone from SpamCop" ... here's your response. > > The Forum FAQ > http://forum.spamcop.net/forums/index.php?showtopic=2238 > > Contains an entry titled; > New! 
SpamCop reporting of spamvertized sites - some philosophy > > Which links to an entry that includes commentary from > myself, Mike Easter, Don (and by extension, Ellen) > http://forum.spamcop.net/forums/index.php?showtopic=4085 Thanks for that information, but it does not address the problem of the parser finding a link and giving no message about the tracking of that link. If the parser has problems it will often say "no links found" or "cannot resolve". However, when it says nothing at all after "resolving link obfuscation" and showing a link which it *has* found, we are left wondering if there has been an error, or if this is by design. I can accept the reasons why it sometimes can't find links or cannot resolve them, and that sometimes things are "best not discussed", but I believe completion should be evident for all attempted or abandoned link resolutions. A message simply stating "tracking abandoned" would be better than nothing. That way people do not have to waste time, or Spamcop's resources, in repeatedly refreshing the parse because they think there has been some sort of error. From MikeE at ster.invalid Sat May 7 10:06:13 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 7 12:05:03 2005 Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds References: Message-ID: Ant wrote: > we are left wondering if there has been an error, or if this is by > design. > I can accept the reasons why it sometimes can't find links or cannot > resolve them, and that sometimes things are "best not discussed", > but I believe completion should be evident for all attempted or > abandoned link resolutions. A message simply stating "tracking > abandoned" would be better than nothing. That way people do not have > to waste time, or Spamcop's resources, in repeatedly refreshing the > parse because they think there has been some sort of error. 
I'm not much of a fan of security by obscurity -- and your point about the resource management or misuse by refreshing is an excellent one. Perhaps there's a cache process or something. I can't figger it out yet. Sometimes the parser wants to spend a really really long time not resolving something; and sometimes it doesn't want to spend any time at all not resolving something. Like "I've already decided that I'm not going to mess with that." vs "I keep thinking I'm going to get this one resolved." -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sat May 7 10:14:04 2005 From: nobody at spamcop.net (N. Miller) Date: Sat May 7 12:15:03 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober) References: Message-ID: On Sat, 7 May 2005 14:53:17 +0400, Berny wrote: > "Steven Maesslein" wrote in message > news:slrnd7p3gn.3hm.nobody@127.0.0.1... >> On Sat, 7 May 2005 13:07:55 +0400, Berny coughed into spamcop and left >> this in : >> SNIP >> Why has your ISP been letting them get to your mailspool in the first >> place? > Ask Yahoo that. I have no idea if Yahoo fails to catch them, or doesn't > check until you try to open them, or what. > > I only discovered it was a "sober" when I pressed "view original > mail"-during a SC parse. It seems there was enough of the mime text > available for Norton to notice and recognize that the browser cache was > "infected". Are you downloading the contents of your Bulk Mail folder? In my case, Yahoo! has been routing viral infected email to the Bulk Mail folder on a regular basis; the ones that their virus checker is missing. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From dhill at cricalix.net Sat May 7 21:24:08 2005 From: dhill at cricalix.net (Duncan Hill) Date: Sat May 7 15:25:25 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier?
(sober) References: Message-ID: Berny wrote: > I've been getting a steady stream (>100 in a day) of sober viruses from > the same IP at Cavtel.net: > > 66.160.72.2 66-160-72-114-ntkk.cavtel.net has been hitting one of $dayjob's nodes fairly heavily - ~6400 at last check. The AV engines are doing their job though. Can't remember if I larted abuse or not, but I think at this point that IP address is going into a blackhole. From wb8tyw at qsl.network Sat May 7 18:02:12 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Sat May 7 17:05:06 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober) In-Reply-To: References: Message-ID: Duncan Hill wrote: > Berny wrote: > >>I've been getting a steady stream (>100 in a day) of sober viruses from >>the same IP at Cavtel.net: >> >>66.160.72.2 Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html Find out what DHCP list your ISP is using and then ask them why it is missing this range and when the omission is going to be corrected. > 66-160-72-114-ntkk.cavtel.net has been hitting one of $dayjob's nodes fairly > heavily - ~6400 at last check. The AV engines are doing their job though. > Can't remember if I larted abuse or not, but I think at this point that IP > address is going into a blackhole. Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html Find out why your $dayjob is still accepting e-mail from DHCP pools, or why the DHCP pool list they are using does not have this range as above. Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=66.160.72.114 And if they are using the sbl-xbl.spamhaus.org the virus should not even be getting to the virus screening software. Accepting spam/viruses from DHCP or sbl-xbl.spamhaus.org listed addresses only increases the cost of operating the mail servers. If an I.P. 
address is listed in as a DHCP address or in the sbl-xbl.spamhaus.org, if there is a real mail server there they are used to most of the world refusing their e-mail already. Currently MAP-DUL and SORBS-DUHL, and the PDL are not listing either I.P. address as dynamic. Of course these virus infections are probably causing network slowdowns and outages for cavtel.net customers on the same subnet so however bad your network is being hit, the damage to the real customers of cavtel.net is probably worse. -John wb8tyw@qsl.network Personal Opinion Only From wb8tyw at qsl.network Sat May 7 18:13:55 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Sat May 7 17:15:03 2005 Subject: [SpamCop-List] Re: Spamvertized URL resolving issue - Someone from SpamCop responds In-Reply-To: References: Message-ID: As a further data point, some of the pirated software spammers were apparently running both the web sites and the DNS servers on zombied computers. One ISP administrator showed up on this forum where he discovered such services running on a zombie after receiving a spamcop.net report. So when one of those zombies was taken out, there might be a delay before a backup or a replacement zombie was being brought in. Tracing back the registration of the DNS server of a web server that is running on a zombie will sometimes show that the DNS server is only used by the spammer, and in some cases it will show that the domain for the DNS server is actually also a throw-away domain that is pointed to by a DNS server that is owned by the spammer. Such spammers may have taken measures to make sure that the DNS servers only answer queries from source that they do not think are spam reporting services. -John wb8tyw@qsl.network Personal Opinion Only From bar_n0ne at hotmail.com Sun May 8 10:18:45 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun May 8 01:20:05 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier?
(sober) References: Message-ID: "Duncan Hill" wrote in message news:d5j4ja$d9c$1@news.spamcop.net... > Berny wrote: > > > I've been getting a steady stream (>100 in a day) of sober viruses from > > the same IP at Cavtel.net: > > > > 66.160.72.2 > > 66-160-72-114-ntkk.cavtel.net has been hitting one of $dayjob's nodes fairly > heavily - ~6400 at last check. The AV engines are doing their job though. > Can't remember if I larted abuse or not, but I think at this point that IP > address is going into a blackhole. Please LART, it's not been listed at all, so either I'm the only SC reporter getting these, or the only one LARTing, according to Ironport, mail volume out of the box is low, so that next reporter ought to get it listed. From bar_n0ne at hotmail.com Sun May 8 10:36:06 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun May 8 01:40:02 2005 Subject: [SpamCop-List] Re: Cavtel.net, pretty Cavalier? (sober) References: Message-ID: "N. Miller" wrote in message news:ytor9m2i3eep$.dlg@news.spamcop.net... > On Sat, 7 May 2005 14:53:17 +0400, Berny wrote: > > Are you downloading the contents of your Bulk Mail folder? In my case, > Yahoo! has been routing viral infected email to the Bulk Mail folder on a > regular basis; the ones that their virus checker is missing. No I am not.. I do report the entire contents though. I have no idea how some user in VA got that addy, It's only exposed in spams, or by a yahoo profiles cruiser. From cchamb2 at qwest.net Sun May 8 11:19:32 2005 From: cchamb2 at qwest.net (Charles Chambers) Date: Sun May 8 13:20:03 2005 Subject: [SpamCop-List] E-mail reporting Message-ID: Anyone noticed that e-mail reporting now has a lower priority than web-based reporting? I submit spam through the web interface, and I can confirm it in about 15 seconds. I submit through e-mail, and I may have a 10 minute wait until SpamCop has processed it.
From salvisberg at spamcop.net Sun May 8 21:03:30 2005 From: salvisberg at spamcop.net (Hans Salvisberg) Date: Sun May 8 13:55:02 2005 Subject: [SpamCop-List] Re: E-mail reporting In-Reply-To: References: Message-ID: Charles Chambers wrote: > Anyone noticed that e-mail reporting now has a lower priority than web-based > reporting? That's only reasonable. You wouldn't want to wait 10 minutes glued to your web browser, would you? > I submit spam through the web interface, and I can confirm it in about 15 > seconds. I submit through e-mail, and I may have a 10 minute wait until > SpamCop has processed it. Three weeks ago the backlog was more like 10 hours, so I'm pretty happy with 10 minutes. Besides, some of those 10 minutes might also be spent in transit. Hans From MikeE at ster.invalid Sun May 8 11:59:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun May 8 14:00:02 2005 Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem References: Message-ID: Hans Salvisberg wrote: www.spamcop.net/sc?id=z761051069z4a4e0561461b900de21e392678382551z > > lists > > X-SpamCop-Checked: 192.168.1.101 209.239.38.159 > X-SpamCop-Disposition: Blocked bl.spamcop.net Yep. > and I was under the impression, that the last IP listed would be the > one that was blacklisted. But it's not so. That is also what the faq sez http://www.spamcop.net/fom-serve/cache/312.html Why did this message get held? -- "The LAST IP in the X-SpamCop-Checked list is the one that resulted in the message being held" > The one that apparently caused the message to be held is > 194.230.198.46, which may very well be blacklisted (it's a dial-up > modem of a large not-so-great ISP), even though this particular > message is not spam. The parser determines 194.230.198.46 to be the source. Source determination is not necessarily the same thing as why an item was flagged.
Abbreviated Received lines *comment from unknown (192.168.1.101) by blade6.cesmail.net *serves you from host.idesigns.net (209.239.38.159) by mailgate.cesmail.net *serves you, spews2 listed from (mail.gmx.net [213.165.64.20]) by host.idesigns.net *serves you? from pop-zh-12-1-dialup-46.freesurf.ch [194.230.198.46] by mail.gmx.net *sourceline > Is the X-SpamCop-Checked header unreliable? I don't know your mailhost condition and I'm not able to interpret the condition of the parse on/for your mailhost setup, so I don't know if idesigns is 'yours' or not, so I put a ? beside it in the *comment section above At the present time, 209.239.38.159 rDNS host.idesigns.net is not SCbl listed, but it is possible that it might have been at the time the item was flagged, in which case the SC X-line would be correct -- but since it isn't currently listed, it doesn't confirm. SC trusts the idesigns and gmx servers to be a server/s, so it parses back thru' both the idesigns server and the gmx server to get to the 194 dynamic .ch IP. The spews2 situation is a class 2 listing for a /25 netblock which is a 'threat' because the provider isn't getting rid of a spamvertiser 1, 209.239.38.227, host.vh3.jbx.com 2, 209.239.38.128/25, alabanza.com (host.vh3.jbx.com) Spews wants Alabanza to get rid of host.vh3.jbx.com, and is saying that if alabanza doesn't do that, it is going to block the 128 IPs 209.239.38.128-209.239.38.255 which would include the idesigns server. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun May 8 14:40:25 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun May 8 14:45:03 2005 Subject: [SpamCop-List] Re: E-mail reporting References: Message-ID: "Charles Chambers" wrote in message news:d5lhg8$hsl$1@news.spamcop.net... > Anyone noticed that e-mail reporting now has a lower priority than web-based > reporting? That's per the original concept of adding in the e-mail submittal capability.
Office worker arrives in the morning, fires up e-mail app, handles/submits spam for processing, then actually gets to working at the real job, able to handle the actual parsing results and sending of complaints/reports as time became available during the rest of the day ....and this 'solution' was offered to resolve the complaints from folks that didn't want to hover over their screens, waiting for the web-page submittal process to finish up, especially when the "estimated time to process" was coming up with numbers like 7983 seconds ..... (coding error) From nospam at dev.null Sun May 8 22:32:26 2005 From: nospam at dev.null (Anty Spam) Date: Sun May 8 15:30:03 2005 Subject: [SpamCop-List] Report away -mail addresses dead Message-ID: Hi All The following email addresses are now dead. So please do http://wdprs.internic.net/ if you meet them in domains. whoisofdomain@yahoo.ca kjhsdfjh23kjh4kjhs@yahoo.ca jahesh321@yahoo.com tokubetuyuushi@yahoo.co.jp Cheers E PS: Maybe some overzealous harvester gets this, and bounces itself out of existence. Well... I may dream ;-) From devnull at spamcop.net Sun May 8 16:54:16 2005 From: devnull at spamcop.net (Frog Prince) Date: Sun May 8 16:25:03 2005 Subject: [SpamCop-List] Re: E-mail reporting References: Message-ID: "Charles Chambers" | Anyone noticed that e-mail reporting now has a lower priority than web-based | reporting? | | I submit spam through the web interface, and I can confirm it in about 15 | seconds. I submit through e-mail, and I may have a 10 minute wait until | SpamCop has processed it. Works for me. fire up the old coffee pot, slam a few email reports, do a bit (or a lot) of caffeine then tag the bad boys go out of the porch and hold down the hammock until lunch. From sbb78247 at gmail.com Sun May 8 22:55:14 2005 From: sbb78247 at gmail.com (sbb78247) Date: Sun May 8 22:55:02 2005 Subject: [SpamCop-List] fucking test Message-ID: aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! 
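[Added example, not part of any list message and not SpamCop's own code.] Mike Easter's reply in the "X-SpamCop-Checked Header Problem" thread above separates two walks over the same Received chain: the mail filter checks hop IPs until the first blocklisted one, while the parser follows trusted servers back to the source. The Python sketch below replays both on the abbreviated Received lines he quoted and checks the /25 arithmetic. The function names, the trusted-host set and the "listed at flag time" set are assumptions made for illustration; no DNS lookup is performed.

```python
import ipaddress
import re

# Constructed sample: the abbreviated Received chain quoted in the thread,
# ordered newest hop first, as the lines appear at the top of a message.
RECEIVED = [
    "from unknown (192.168.1.101) by blade6.cesmail.net",
    "from host.idesigns.net (209.239.38.159) by mailgate.cesmail.net",
    "from (mail.gmx.net [213.165.64.20]) by host.idesigns.net",
    "from pop-zh-12-1-dialup-46.freesurf.ch [194.230.198.46] by mail.gmx.net",
]

# Assumption from the thread: 209.239.38.159 was blocklisted when the item
# was flagged (it no longer was when the thread was written).
LISTED_AT_FLAG_TIME = {"209.239.38.159"}

# Assumption: hosts whose Received lines the parser believes (the recipient's
# own mail path plus servers it trusts to be real relays).
TRUSTED = {"blade6.cesmail.net", "mailgate.cesmail.net",
           "host.idesigns.net", "mail.gmx.net"}

IP_RE = re.compile(r"[(\[](\d{1,3}(?:\.\d{1,3}){3})[)\]]")
BY_RE = re.compile(r"\bby\s+(\S+)")


def hop_ips(lines):
    """Return the connecting IP recorded on each Received line, newest first."""
    ips = []
    for line in lines:
        m = IP_RE.search(line)
        if not m:
            continue
        try:
            ips.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # looked like an IP but is not a valid one
    return ips


def dnsbl_qname(ip, zone):
    """Name a DNSBL client would query: reversed octets under the zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def filter_checked(ips, listed):
    """Filter view: check hops in order and stop at the first listed IP.

    Returns (checked, hit). The last entry of `checked` is the IP that caused
    the hold, which is how the FAQ describes X-SpamCop-Checked.
    """
    checked = []
    for ip in ips:
        checked.append(ip)
        if ip in listed:
            return checked, ip
    return checked, None


def parser_source(lines, trusted_by_hosts):
    """Parser view (simplified): believe a line only if a trusted host wrote
    it; the source is the connecting IP on the oldest believed line."""
    source = None
    for line in lines:
        by = BY_RE.search(line)
        ip = IP_RE.search(line)
        if not by or not ip or by.group(1) not in trusted_by_hosts:
            break  # a line stamped by an unknown host could be forged
        source = ip.group(1)
    return source


def in_netblock(ip, cidr):
    """True if ip falls inside the CIDR block, e.g. the SPEWS /25 listing."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    checked, hit = filter_checked(hop_ips(RECEIVED), LISTED_AT_FLAG_TIME)
    print("X-SpamCop-Checked:", " ".join(checked))
    print("held because of:", hit, "query:", dnsbl_qname(hit, "bl.spamcop.net"))
    print("parser source:", parser_source(RECEIVED, TRUSTED))
    print("idesigns server in 209.239.38.128/25:",
          in_netblock("209.239.38.159", "209.239.38.128/25"))
```
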
From sbb78247 at gmail.com Sun May 8 23:00:28 2005 From: sbb78247 at gmail.com (sbb78247) Date: Sun May 8 23:05:07 2005 Subject: [SpamCop-List] and Message-ID: you all suck From nobody at nowhere.invalid Mon May 9 12:09:14 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon May 9 05:11:27 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and left this in : > you all suck Spanked spammer? -- Steve The only person to get all of his work done by Friday was Robinson Crusoe From bar_n0ne at hotmail.com Mon May 9 14:18:06 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon May 9 05:20:30 2005 Subject: [SpamCop-List] Re: and References: Message-ID: "Steven Maesslein" wrote in message news:slrnd7ua5q.35a.nobody@127.0.0.1... > On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and > left this in : > > > you all suck > > Spanked spammer? tourettes From Ilgaz at spamcop.net Mon May 9 16:34:03 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 08:35:13 2005 Subject: [SpamCop-List] Grow up References: Message-ID: On 2005-05-09 05:55:14 +0300, "sbb78247" said: > aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! Your test (!) works and I think it will mysteriously stop working not allowing further "tests" when some admin wakes up ;) I'd remove spamcop from my subscribed news servers for future. E.g. "host unreachable" etc ;) Ilgaz Ocal From salvisberg at spamcop.net Mon May 9 15:49:40 2005 From: salvisberg at spamcop.net (Hans Salvisberg) Date: Mon May 9 08:40:04 2005 Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem In-Reply-To: References: Message-ID: Thank you for your analysis, Mike! Mike Easter wrote: >>X-SpamCop-Checked: 192.168.1.101 209.239.38.159 >>X-SpamCop-Disposition: Blocked bl.spamcop.net > > The parser determines 194.230.198.46 to be the source. Source > determination is not necessarily the same thing as why an item was > flagged. 
Yes, but I'd expect IP lookup to proceed along the chain back to what SC determines to be the source, stopping at the first IP that's blacklisted, and that X-SpamCop-Checked would reflect that path. Am I wrong here? > Abbreviated Received lines *comment > from unknown (192.168.1.101) by blade6.cesmail.net *serves you > from host.idesigns.net (209.239.38.159) by mailgate.cesmail.net > *serves you, spews2 listed > from (mail.gmx.net [213.165.64.20]) by host.idesigns.net *serves you? > from pop-zh-12-1-dialup-46.freesurf.ch [194.230.198.46] by > mail.gmx.net *sourceline Starting at the bottom: the sender connected through a dial-up modem to GMX, where he presumably used a WebMail application to send the message. > I don't know your mailhost condition and I'm not able to interpret the > condition of the parse on/for your mailhost setup, so I don't know if > idesigns is 'yours' or not, so I put a ? beside it in the *comment > section above IDesigns.net is indeed part of my mailhosts setup. > At the present time, 209.239.38.159 rDNS host.idesigns.net is not SCbl > listed, but it is possible that it might have been at the time the item > was flagged, it which case the SC X-line would be correct -- but since > it isn't currently listed, it doesn't confirm. Hmm, so there's no history data, is there? Given that 209.239.38.159 is in my mailhosts, would SC still block on it, if it were blacklisted? > SC trusts the idesigns and gmx servers to be a server/s, so it parses > back thru' both the idesigns server and the gmx server to get to the 194 > dynamic .ch IP. That's definitely correct, and freesurf.ch is notorious for not cleaning up. 
> The spews2 situation is a class 2 listing for a /25 netblock which is a > 'threat' because the provider isn't getting rid of a spamvertiser > > 1, 209.239.38.227, host.vh3.jbx.com > 2, 209.239.38.128/25, alabanza.com (host.vh3.jbx.com) > > Spews wants Alabanza to get rid of host.vh3.jbx.com, and is saying that > if alabanza doesn't do that, it is going to block the 128 IPs > 209.239.38.128-209.239.38.255 which would include the idesigns server. Alabanza is IDesigns' upstream provider. I don't know whether IDesigns have any relation with host.vh3.jbx.com, but I have high regards for them. I searched for this information and found http://www.spews.org/html/S1903.html, but it's somewhat cryptic to me. Why would spews block an entire /25 netblock based on a single address? 209.239.38.227 does still point to host.vh3.jbx.com, but the spam listed at the bottom of the page dates from 2002, so how current is this? Should I give IDesigns a heads up about this? Hans From Ilgaz at spamcop.net Mon May 9 16:38:58 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 08:40:11 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: On 2005-05-06 05:58:57 +0300, "Ook" said: > I'm being innundated with sober virus emails - 1000+ a day at 75K a > pop. It overflowed my mail server limit and my email stopped until I > could get my ISP to increase the limit. I'm guessing there is nothing > that can be done about this - is anyone else being flooded with these? > Is there hope that this flood will slow down soon? One of real rare times that Yahoo mail doesn't put sober stuff to Bulk mail as all other viruses. They directly purge at server level. It shows a clue about the amazing volume they get. They tend to stay away from "purging" normally. 
If you see the posts/flames because some peoples ISP purchased Spamcop and marking stuff as spam, you may understand why :) Ilgaz Ocal From MikeE at ster.invalid Mon May 9 07:47:51 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 09:50:34 2005 Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem References: Message-ID: Hans Salvisberg wrote: > Thank you for your analysis, Mike! YW. Bitte schön. De rien. That's probably the extent of my French, except what I need for crossword puzzles ;-) > Mike Easter wrote: >>> X-SpamCop-Checked: 192.168.1.101 209.239.38.159 >>> X-SpamCop-Disposition: Blocked bl.spamcop.net >> >> The parser determines 194.230.198.46 to be the source. Source >> determination is not necessarily the same thing as why an item was >> flagged. > > Yes, but I'd expect IP lookup to proceed along the chain back to what > SC determines to be the source, stopping at the first IP that's > blacklisted, and that X-SpamCop-Checked would reflect that path. Am I > wrong here? Correct. Proceed along the chain until it gets to something blocked; no need to go further. We're assuming it found the 209 to be SCbl listed then, not now. >> Abbreviated Received lines *comment >> from unknown (192.168.1.101) by blade6.cesmail.net *serves you >> from host.idesigns.net (209.239.38.159) by mailgate.cesmail.net >> *serves you, spews2 listed >> from (mail.gmx.net [213.165.64.20]) by host.idesigns.net *serves >> you? from pop-zh-12-1-dialup-46.freesurf.ch [194.230.198.46] by >> mail.gmx.net *sourceline > > Starting at the bottom: the sender connected through a dial-up modem > to GMX, where he presumably used a WebMail application to send the > message. Correct that dialup source relays thru' the gmx. I don't see evidence of a webmailer in the spam, instead I see Outlook mail application. Assuming the item is not spam and does not contain bogosity, the source's email address is gmx.ch and so the source has 'permission' to use the gmx server.
>> I don't know your mailhost condition and I'm not able to interpret >> the condition of the parse on/for your mailhost setup, so I don't >> know if idesigns is 'yours' or not, so I put a ? beside it in the >> *comment section above > > IDesigns.net is indeed part of my mailhosts setup. > >> At the present time, 209.239.38.159 rDNS host.idesigns.net is not >> SCbl listed, but it is possible that it might have been at the time >> the item was flagged, it which case the SC X-line would be correct >> -- but since it isn't currently listed, it doesn't confirm. > > Hmm, so there's no history data, is there? Given that 209.239.38.159 > is in my mailhosts, would SC still block on it, if it were blacklisted? Yes. The filter doesn't know parser mailhosts information. Think about the sequence. When the mail is coming in to the SC mail filter, it is using its filtering strategies of SpamAssassin and how you've configured for filtering including whatever whitelist information you have provided. So, the filtering process takes place on that basis and for that reason if the 209 were listed it would get flagged. The business about your mailhost doesn't arise until you have submitted the flagged item for parsing. It is the parser which knows your mailhost, not the filter. >> SC trusts the idesigns and gmx servers to be a server/s, so it parses >> back thru' both the idesigns server and the gmx server to get to the >> 194 dynamic .ch IP. > > That's definitely correct, and freesurf.ch is notorious for not > cleaning up. > > >> The spews2 situation is a class 2 listing for a /25 netblock which >> is a 'threat' because the provider isn't getting rid of a >> spamvertiser >> >> 1, 209.239.38.227, host.vh3.jbx.com >> 2, 209.239.38.128/25, alabanza.com (host.vh3.jbx.com) >> >> Spews wants Alabanza to get rid of host.vh3.jbx.com, and is saying >> that if alabanza doesn't do that, it is going to block the 128 IPs >> 209.239.38.128-209.239.38.255 which would include the idesigns >> server. 
> > Alabanza is IDesigns' upstream provider. I don't know whether IDesigns > have any relation with host.vh3.jbx.com, but I have high regards for > them. Alabanza 'owns' all of the netspace that idesigns uses for its mx and nameservice and thus controls/assigns the rDNS by which the Alabanza IPs resolve back to idesigns. mail.idesigns.net A (Address) 216.147.38.230 ns.idesigns.net A (Address) 209.239.38.160 ns2.idesigns.net A (Address) 209.239.47.29 NetRange: 216.147.0.0 - 216.147.127.255 CIDR: 216.147.0.0/17 NetName: ALABANZA-BALT-2 NetRange: 209.239.32.0 - 209.239.63.255 CIDR: 209.239.32.0/19 NetName: ALABANZA-BALT-1 > I searched for this information and found > http://www.spews.org/html/S1903.html, but it's somewhat cryptic to me. > Why would spews block an entire /25 netblock based on a single > address? Spews is 'assertive' about its efforts to motivate a provider to stop a spamsupport. That includes blocking innocent bystanders when the spews block starts expanding. An example of the expansion would be that first would be the /32 which is presently blocked as a spews1, the threat is to expand to the /25 by showing the spews2. If that /25 became a spews1, then the next thing might be to threaten the entire Alabanza /19 as a spews2. The spews business of collateral damage is nasty and a lot of people don't like its arbitrariness. You can imagine how unhappy you would be if spews blocking were affecting your mail and you were an innocent bystander as a client of idesigns, who also isn't a spammer. The concept is that if alabanza were too problematic about spam support, then idesigns, who is not a spammer, should be paying their money to someone who isn't helping spammers. That is, if alabanza were a big spam supporter, then idesigns, an alabanza customer, is also indirectly supporting a spam supporter. > 209.239.38.227 does still point to host.vh3.jbx.com, but the spam > listed > at the bottom of the page dates from 2002, so how current is this? 
> Should I give IDesigns a heads up about this? Sure. I think it is the responsibility of idesigns to know about the spews listing and I especially think it would be their responsibility if you got any more information about the SCbl listing which we didn't see. If idesigns has something misconfigured which is causing their server to get itself SCbl listed, that could seriously affect your mail. In the old days the listing history of an IP was available. Now only the deputies can look in there and see that if it isn't currently listed. -- Mike Easter kibitzer, not SC admin From l.rem.mayne at uea.ac.uk Mon May 9 16:05:26 2005 From: l.rem.mayne at uea.ac.uk (Leon Mayne) Date: Mon May 9 10:10:05 2005 Subject: [SpamCop-List] Spam excuse Message-ID: "Spam Clause - You are recieving this e-mail as a part of our promotional activity. If you are not interested, please delete it. - Thankyou. WebSamrat Team" Oh right, so if it's for your promotional activity then I guess that's OK. If only I'd thought of using my delete button eh? From bar_n0ne at hotmail.com Mon May 9 19:28:09 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon May 9 10:30:04 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: "Ilgaz" wrote in message news:d5nll2$ir6$2@news.spamcop.net... > On 2005-05-06 05:58:57 +0300, "Ook" > said: > > > I'm being innundated with sober virus emails - 1000+ a day at 75K a > > pop. It overflowed my mail server limit and my email stopped until I > > could get my ISP to increase the limit. I'm guessing there is nothing > > that can be done about this - is anyone else being flooded with these? > > Is there hope that this flood will slow down soon? > > One of real rare times that Yahoo mail doesn't put sober stuff to Bulk > mail as all other viruses. > > They directly purge at server level. > > It shows a clue about the amazing volume they get. They tend to stay > away from "purging" normally. 
If you see the posts/flames because some > peoples ISP purchased Spamcop and marking stuff as spam, you may > understand why :) > > Ilgaz Ocal > They put all of my sobers in bulk, and the lame sender took 4 days to get shut down, and I'm not even sure s/he was. I wish they had purged mine so i never see them From nobody at spamcop.net Mon May 9 11:32:30 2005 From: nobody at spamcop.net (indigo) Date: Mon May 9 10:35:03 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Mike Easter wrote: > indigo wrote: > > Mike Easter wrote: > >> The tool in SamSpade for win has a little algorithm by which it > >> connects with the mx and checks a rcpt to for the username to get > >> some kind of result, and then it checks a rcpt to a bogusname to > >> compare. > > > > Which tool it that? I tried the SMTP tool and that didn't work. > > Nothing else looks obvious as to the tool you're referring to..... > > You start by putting an email addy into the L window; there needs to > be some preliminary configuration in options such as an email address > for the mail from command part. What kind of "preliminary configs" are you referring to? From SCNews.5.myspamgobbler at spamgourmet.com Mon May 9 10:02:10 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon May 9 12:05:03 2005 Subject: [SpamCop-List] Re: Sober virus In-Reply-To: References: Message-ID: Berny wrote: > "Ilgaz" wrote in message > news:d5nll2$ir6$2@news.spamcop.net... > >>On 2005-05-06 05:58:57 +0300, "Ook" >> said: >> >> >>>I'm being innundated with sober virus emails - 1000+ a day at 75K a >>>pop. It overflowed my mail server limit and my email stopped until I >>>could get my ISP to increase the limit. I'm guessing there is nothing >>>that can be done about this - is anyone else being flooded with these? >>>Is there hope that this flood will slow down soon? >> >>One of real rare times that Yahoo mail doesn't put sober stuff to Bulk >>mail as all other viruses. 
>> >>They directly purge at server level. >> >>It shows a clue about the amazing volume they get. They tend to stay >>away from "purging" normally. If you see the posts/flames because some >>peoples ISP purchased Spamcop and marking stuff as spam, you may >>understand why :) >> >>Ilgaz Ocal >> > > > They put all of my sobers in bulk, and the lame sender took 4 days to get > shut down, and I'm not even sure s/he was. > > I wish they had purged mine so i never see them > > I'm not certain of this, but it may be something that you can configure with Yahoo. Look in options. From eddie at eddie.web Mon May 9 15:21:44 2005 From: eddie at eddie.web (eddie) Date: Mon May 9 14:25:09 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: On Mon, 09 May 2005 15:34:03 +0300, Ilgaz scratched out the following: > On 2005-05-09 05:55:14 +0300, "sbb78247" said: > >> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > Your test (!) works and I think it will mysteriously stop working not > allowing further "tests" when some admin wakes up ;) > > I'd remove spamcop from my subscribed news servers for future. E.g. "host > unreachable" etc ;) > > Ilgaz Ocal Some server scrambled your post into totally meaningless drivel, or someone is using your name and posting garbage. I would look into the problem if I were you, which, thankfully, I am not -- Once movie theaters gave out steak knives Today they confiscate them From eddie at eddie.web Mon May 9 15:23:32 2005 From: eddie at eddie.web (eddie) Date: Mon May 9 14:25:23 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the following: > you all suck awrrrrm that's so 16-year old and soooo verrrry 20th century Only girly-men use "suck" these days. Real men know the new word. Fried Spam smells so great, especially when one more sucker is dead. 
-- Once movie theaters gave out steak knives Today they confiscate them From rowen at cesmail.net Mon May 9 12:21:13 2005 From: rowen at cesmail.net (Russell E. Owen) Date: Mon May 9 15:19:03 2005 Subject: [SpamCop-List] secure pop? Message-ID: Any hope of supporting SSH authentication for the spamcop POP server (for subscription email users)? I realize that by not support SMTP you take care of the problem of spammers posing as me sending email, but it's still seems a needless security risk to know that others could trivially get my email. -- Russell From nobody at spamcop.net Mon May 9 16:32:11 2005 From: nobody at spamcop.net (indigo) Date: Mon May 9 15:35:03 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: eddie wrote: > On Mon, 09 May 2005 15:34:03 +0300, Ilgaz scratched out the following: > > > On 2005-05-09 05:55:14 +0300, "sbb78247" said: > > > >> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > > > Your test (!) works and I think it will mysteriously stop working > > not allowing further "tests" when some admin wakes up ;) > > > > I'd remove spamcop from my subscribed news servers for future. E.g. > > "host unreachable" etc ;) > > > > Ilgaz Ocal > > Some server scrambled your post into totally meaningless drivel, or > someone is using your name and posting garbage. I would look into the > problem if I were you, which, thankfully, I am not English is not Ilgaz's native language (pretty obvious if you actually read the posting name). Go ridicule the spammer instead of him. From nobody at devnull.spamcop.net Mon May 9 15:41:37 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 9 15:45:02 2005 Subject: [SpamCop-List] Re: secure pop? References: Message-ID: "Russell E. Owen" wrote in message news:mailman.149.1115666344.4572.spamcop-list@news.spamcop.net... > Any hope of supporting SSH authentication for the spamcop POP server > (for subscription email users)? 
I realize that by not support SMTP you
> take care of the problem of spammers posing as me sending email, but
> it's still seems a needless security risk to know that others could
> trivially get my email.

On another foray to drag yet another user to the SpamCop e-mail support areas .... try the spamcop.mail newsgroup (so little traffic it was asked recently if it really existed) or head over to the Forum. Don't know how you are logging in now, but for a bit of an indirect answer, see
http://forum.spamcop.net/forums/index.php?showtopic=1579&view=findpost&p=10197
that discussion also includes a link to a Jeff G. entry about setting things up at
http://forum.spamcop.net/forums/index.php?showtopic=152

And if you still aren't happy, there is a Forum section I created just for "New Feature requests, Suggestions, etc." in hopes of keeping all these items in one place for those involved to 'find' rather than scattered and buried in all kinds of places.

From hans at salvisberg.invalid Mon May 9 23:04:04 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Mon May 9 15:55:03 2005
Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> YW. Bitte schön. De rien. That's probably the extent of my French,
> except what I need for crossword puzzles ;-)

It's a start :-)

> Correct that dialup source relays thru' the gmx. I don't see evidence
> of a webmailer in the spam, instead I see Outlook mail application.

Yes, of course. I let myself be distracted by my (wrong) idea of how gmx.ch operates.

> Yes. The filter doesn't know parser mailhosts information. Think about
> the sequence. When the mail is coming in to the SC mail filter, it is
> using its filtering strategies of SpamAssassin and how you've configured
> for filtering including whatever whitelist information you have
> provided. So, the filtering process takes place on that basis and for
> that reason if the 209 were listed it would get flagged.

That makes sense. So, I could presumably whitelist 209 to get the message to pass, even if 209 was blacklisted (I certainly don't expect that, I'm just wondering), but that would circumvent SpamAssassin for all email going through 209.

> The concept is that if alabanza were too problematic about spam support,
> then idesigns, who is not a spammer, should be paying their money to
> someone who isn't helping spammers. That is, if alabanza were a big
> spam supporter, then idesigns, an alabanza customer, is also indirectly
> supporting a spam supporter.

That's pretty heavy, but I've suffered enough from spam to relate to the concept. More coming up...

Thanks again!
Hans

From hans at salvisberg.invalid Mon May 9 23:04:51 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Mon May 9 15:55:11 2005
Subject: [SpamCop-List] www.soft-top100.com resolves, but SC doesn't know about it...
Message-ID:

http://www.spamcop.net/sc?id=z761477845zdd8fc3d6291246baee3e336468e343a8z

spamvertises http://www.soft-top100.com/, which resolves to 217.107.217.8, but SC can't find anything.

However,

http://whois.webhosting.info/217.107.217.8

shows

ALL-DISKS.COM.
ALL-THE-PILLS.COM.
ALL-THE-SOFT.COM.
ALLSOFT-CDS.COM.
ALLSOFT-DISKS.COM.
ALLTABLETS.COM.

Four of these are anonymous, but two reveal some information:

http://whois.webhosting.info/ALL-THE-SOFT.COM.
http://whois.webhosting.info/ALLTABLETS.COM.

Anything we can do about this?

Hans

P.S. This spammer harvested my SC address off this newsgroup!
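
Added example (not part of the original posts and not SpamCop's parser): the pivot described in the post above, from spamvertised URLs to the address they resolve to and the other names sharing that address, including the case where a lookup fails as it did for SC. The message body and the lookup table are constructed; the table reuses the address and three of the names quoted in the post plus two made-up `.example` hosts, and stands in for live DNS.

```python
import re
import socket
from collections import defaultdict

# Host part of an http(s) URL; a trailing root dot is allowed and removed later.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed stand-in for DNS. 217.107.217.8 and the names on it are the ones
# quoted in the post; the .example hosts and 192.0.2.10 are made up.
CONSTRUCTED_DNS = {
    "www.soft-top100.com": "217.107.217.8",
    "all-the-soft.com": "217.107.217.8",
    "alltablets.com": "217.107.217.8",
    "unrelated.example": "192.0.2.10",
}

# Constructed message body.
SAMPLE_BODY = (
    "Top software, low prices: http://www.soft-top100.com/\n"
    "Mirror: HTTP://ALL-THE-SOFT.COM./cds\n"
    "Pills too http://alltablets.com.\n"
    "Unsubscribe at http://gone.example/remove and http://unrelated.example/\n"
    "Again: http://WWW.soft-top100.com/index.html\n"
)


def normalize_host(host):
    """Lower-case and drop the root dot, so 'ALLTABLETS.COM.' == 'alltablets.com'."""
    return host.strip().rstrip(".").lower()


def extract_hosts(body):
    """Distinct hostnames found in http(s) URLs, in first-seen order."""
    seen = []
    for match in URL_RE.finditer(body):
        host = normalize_host(match.group(1))
        if host and host not in seen:
            seen.append(host)
    return seen


def constructed_resolver(host):
    """Resolve from the constructed table; fail the way socket.gethostbyname does."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror("constructed table: no such host")


def cluster_by_ip(hosts, resolve=constructed_resolver):
    """Group hosts by resolved address; keep the failures instead of dropping them.

    Pass resolve=socket.gethostbyname to use real DNS.
    """
    clusters = defaultdict(set)
    unresolved = []
    for host in hosts:
        name = normalize_host(host)
        try:
            clusters[resolve(name)].add(name)
        except OSError:  # socket.gaierror is a subclass
            unresolved.append(name)
    return {ip: sorted(names) for ip, names in clusters.items()}, unresolved


def shared_hosting(clusters, min_names=2):
    """Addresses that serve at least min_names of the extracted hosts."""
    return {ip: names for ip, names in clusters.items() if len(names) >= min_names}


if __name__ == "__main__":
    clusters, unresolved = cluster_by_ip(extract_hosts(SAMPLE_BODY))
    for ip, names in shared_hosting(clusters).items():
        print(ip, "serves", ", ".join(names))
    print("retry later:", ", ".join(unresolved))
```

Hosts that fail to resolve are returned separately so they can be retried, rather than being read as "nothing there".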

From hans at salvisberg.invalid Mon May 9 23:05:03 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Mon May 9 15:55:17 2005
Subject: [SpamCop-List] Anyone from Würzburg, Germany? Is it legal to peddle prescription drugs over the Internet in Germany?
Message-ID:

http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz

spamvertises elongates.net, which belongs to Helmut Fischer in Würzburg:

http://whois.webhosting.info/elongates.net

The funniest part is how his email address is obfuscated as a graphic to save him from being spammed...

elongates.net resolves to 210.21.119.131, which seems to host 31 other fine domains:

http://whois.webhosting.info/210.21.119.131

Hans

From MikeE at ster.invalid Mon May 9 14:27:38 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 9 16:30:32 2005
Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff
References:
Message-ID:

indigo wrote:
> Mike Easter wrote:
>> You start by putting an email addy into the L window; there needs to
>> be some preliminary configuration in options such as an email address
>> for the mail from command part.
>
> What kind of "preliminary configs" are you referring to?

Just that one I mentioned for the address is all you need to do the smtp test: SSwin/ Edit/ Basics tab - Email address. That way it has something to put when it is saying 'mail from'.

Then, paste the target addy into what it calls the 'address box' -- namely the left window. Until you have an email addy in there, the basics menu will have most things grayed out. If you just put a domainname in there, the smtp verify is grayed out. If you put an email address in there, the Basics menu SMTP verify will become operational. The same conditions apply to the little tool icons in the tool bar.

My usual configuration is to have everything in the View menu checked except scripts. That way I have 3 windows at the top, the addressbox, the whois box, and the dns box.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon May 9 14:37:31 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 16:40:05 2005 Subject: [SpamCop-List] Re: X-SpamCop-Checked Header Problem References: Message-ID: Hans Salvisberg wrote: > Mike Easter wrote: > That makes sense. So, I could presumably whitelist 209 to get the > message to pass, even if 209 was blacklisted (I certainly don't expect > that, I'm just wondering), but that would circumvent SpamAssassin for > all email going through 209. Except I don't know if SpamCop will/can do that; and I'm not sure it would work the way you want it to if it did. That is, you don't want everything which 'shows' a 209 in the headers to get passed -- because it is always going to be in there. What you would like most is if your 209 server didn't get itself blocklisted in any blocklists which you use, especially the SCbl. My SpamPal has an 'ignore' list for IPs, but I'm not completely sure how that works, or whether it would work in the way you are thinking about. What you are thinking is 'don't flag an item if my provider's server is what trips the SCbl'. Theoretically the mailhosts configuration should save you from reporting your own provider if you accidentally submitted a presumed spamitem which got caught by the filter. That is, in this case, the item we're talking about was caught by the filter, but the IP which caused it to be caught wouldn't be named as the source if you were to 'carelessly' try to report a non-spam. That is, at least your false or bad report wouldn't be naming your own provider. You would be naming your 'friend's' IP. >> The concept is that if alabanza were too problematic about spam >> support, then idesigns, who is not a spammer, should be paying their >> money to someone who isn't helping spammers. That is, if alabanza >> were a big spam supporter, then idesigns, an alabanza customer, is >> also indirectly supporting a spam supporter. 
> > That's pretty heavy, but I've suffered enough from spam to relate to > the concept. More coming up... -- Mike Easter kibitzer, not SC admin From amenex at amenex.com Mon May 9 18:25:50 2005 From: amenex at amenex.com (George Langford, Sc.D.) Date: Mon May 9 17:25:57 2005 Subject: [SpamCop-List] Demise of phish reporting at millersmiles.co.uk ? Message-ID: <200505092125.j49LPo0M023461@voicenet.com> Here's what cesmail.net said about an email I tried to send to phish@millersmiles.co.uk (about a phish, naturally): > Final-Recipient: rfc822;phish@millersmiles.co.uk > Action: failed > Status: 5.0.0 (permanent failure) > Diagnostic-Code: smtp; 5.1.0 - Unknown address error 554-' > : Relay access denied' (delivery attempts: 0) > Reporting-MTA: dns; c60.cesmail.net This has happened to the last two phishes that I reported. Oops: http://www.millersmiles.co.uk/ - looks like it's been swallowed. What's a good second choice for a phish phighting website ? From rowen at cesmail.net Mon May 9 15:40:46 2005 From: rowen at cesmail.net (Russell E. Owen) Date: Mon May 9 17:43:17 2005 Subject: [SpamCop-List] Re: secure pop? References: Message-ID: In article , "WazoO" wrote: > "Russell E. Owen" wrote in message > news:mailman.149.1115666344.4572.spamcop-list@news.spamcop.net... > > Any hope of supporting SSH authentication for the spamcop POP server > > (for subscription email users)? I realize that by not support SMTP you > > take care of the problem of spammers posing as me sending email, but > > it's still seems a needless security risk to know that others could > > trivially get my email. > > On another foray to drag yet another user to the SpamCop e-mail > support areas .... try the spamcop.mail newsgroup (so little traffic > it was asked recently if it really existed) or head over to the Forum. 
> Don't know how you are logging in now, but for a bit of an indirect > answer, see > http://forum.spamcop.net/forums/index.php?showtopic=1579&view=findpost&p=10197 > that discussion also includes a link to a Jeff G. entry about setting > things up at http://forum.spamcop.net/forums/index.php?showtopic=152 That's great! For anyone else who was wondering. the first link says spamcop pop supports SSL. And indeed it does. Once I told Eudora to use the alternate port SSL started working. Regarding the 2nd link (about setting things up), I did not see anything about SSL. It'd be nice if SSL info was added to the standard "how to set things up" page. I have subscribed to the email group and will ask there about such things in the future. Thanks for the tip. -- Russell From nanae at splorfING.net Mon May 9 23:41:14 2005 From: nanae at splorfING.net (David) Date: Mon May 9 17:45:04 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: "George Langford, Sc.D." wrote in message news:mailman.150.1115673959.4572.spamcop-list@news.spamcop.net... > Here's what cesmail.net said about an email I tried to send > to phish@millersmiles.co.uk (about a phish, naturally): > >> Final-Recipient: rfc822;phish@millersmiles.co.uk >> Action: failed >> Status: 5.0.0 (permanent failure) >> Diagnostic-Code: smtp; 5.1.0 - Unknown address error 554-' >> : Relay access denied' (delivery attempts: 0) >> Reporting-MTA: dns; c60.cesmail.net > > This has happened to the last two phishes that I reported. > > Oops: http://www.millersmiles.co.uk/ - looks like it's been swallowed. > > What's a good second choice for a phish phighting website ? Site is still good from here ... I understood spoof@millersmiles.co.uk was reporting address ??? 
-- David Remove the ING to reply by email From nobody at devnull.spamcop.net Mon May 9 17:42:01 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 9 17:45:09 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: "George Langford, Sc.D." wrote in message news:mailman.150.1115673959.4572.spamcop-list@news.spamcop.net... > > What's a good second choice for a phish phighting website ? Yet again, the Forum FAQ has a number of address lists available, to include a direct link to the Anti-Phishing Working Group .... Plain text list of that FAQ entry was posted recently into the three main spamcop newsgroups ... see http://forum.spamcop.net/forums/index.php?showtopic=2238 From Ilgaz at spamcop.net Tue May 10 01:47:04 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 17:50:05 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: On 2005-05-09 22:32:11 +0300, "indigo" said: > > > eddie wrote: >> On Mon, 09 May 2005 15:34:03 +0300, Ilgaz scratched out the following: >> >>> On 2005-05-09 05:55:14 +0300, "sbb78247" said: >>> >>>> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! >>> >>> Your test (!) works and I think it will mysteriously stop working >>> not allowing further "tests" when some admin wakes up ;) >>> >>> I'd remove spamcop from my subscribed news servers for future. E.g. >>> "host unreachable" etc ;) >>> >>> Ilgaz Ocal >> >> Some server scrambled your post into totally meaningless drivel, or >> someone is using your name and posting garbage. I would look into the >> problem if I were you, which, thankfully, I am not > > English is not Ilgaz's native language (pretty obvious if you actually read > the posting name). Go ridicule the spammer instead of him. I guess it was a parsing error his side. ;) I am downing the level of post. It means, after such crap being posted, some spamcop Admin will see it and be sure they know how to block IPs on such issues. So, his "test" won't work. 
Ilgaz Ocal ps: I am fine with entire thread being deleted of course (when it happens) From nono at nonono.no Tue May 10 00:46:29 2005 From: nono at nonono.no (Carter) Date: Mon May 9 17:55:05 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Ilgaz wrote: > On 2005-05-09 05:55:14 +0300, "sbb78247" said: > >> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > Your test (!) works and I think it will mysteriously stop working not > allowing further "tests" when some admin wakes up ;) > > I'd remove spamcop from my subscribed news servers for future. E.g. > "host unreachable" etc ;) > > Ilgaz Ocal Fuck off, you turkish named cunt. -- (><) Carter From Ilgaz at spamcop.net Tue May 10 01:52:51 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 17:55:12 2005 Subject: [SpamCop-List] =?iso-8859-1?q?Re=3A_Anyone_from_W=FCrzburg=2C_?= =?iso-8859-1?q?Germany=3F_Is_it_legal_to_pe?= =?iso-8859-1?q?ddle_prescription_drugs_ov?= =?iso-8859-1?q?er_the_Internet_in_Germany=3F?= References: Message-ID: On 2005-05-09 23:05:03 +0300, Hans Salvisberg said: > http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz > > spamvertises elongates.net, which belongs to Helmut Fischer in W?rzburg: > > http://whois.webhosting.info/elongates.net > > The funniest part is how his email address is obfuscated as a graphic to > save him from being spammed... > > elongates.net resolves to 210.21.119.131, which seems to host 31 other > fine domains: > > http://whois.webhosting.info/210.21.119.131 > > Hans >From what I know, hear etc. That guy has no chance if some german figures it. :) Speaking about jail, not speaking about some $10 dialup cancelled. I had a friend got arrested for politely hitting the phone cabins glass (with coin) and showing his watch to some phone talking guy. To hurry. Guess what happened? He smiled , hung up, called another number and very politely left. 5 mins later, he came with cops. *g* Yes, guy got arrested as a tourist for that. 
I mean, speaking about the system in Germany. Now, imagine selling that stuff when you are based in Germany. Will look the reporting addresses tomorrow ;) Or, will find some germans to look into. Thanks Ilgaz Ocal From Ilgaz at spamcop.net Tue May 10 01:55:15 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 18:00:06 2005 Subject: [SpamCop-List] Re: www.soft-top100.com resolves, but SC doesn't know about it... References: Message-ID: On 2005-05-09 23:04:51 +0300, Hans Salvisberg said: > http://www.spamcop.net/sc?id=z761477845zdd8fc3d6291246baee3e336468e343a8z > > spamvertises http://www.soft-top100.com/, which resolves to 217.107.217.8, > but SC can't find anything. > > However, > > http://whois.webhosting.info/217.107.217.8 > > shows > > ALL-DISKS.COM. > ALL-THE-PILLS.COM. > ALL-THE-SOFT.COM. > ALLSOFT-CDS.COM. > ALLSOFT-DISKS.COM. > ALLTABLETS.COM. > > Four of these are anonymous, but two reveal some information: > > http://whois.webhosting.info/ALL-THE-SOFT.COM. > http://whois.webhosting.info/ALLTABLETS.COM. > > Anything we can do about this? > > Hans > > P.S. This spammer harvested my SC address off this newsgroup! Well its clear that they found a tactic to make DNS block to Spamcop. There are other similar reports here too, I remember them. I guess Spamcop will find a way out. If it requires some user level help, my OS X is in their serve :) Lets wait for someone actually knows advanced DNS. Ilgaz Ocal From nono at nonono.no Tue May 10 00:57:36 2005 From: nono at nonono.no (Carter) Date: Mon May 9 18:00:13 2005 Subject: [SpamCop-List] Re: fucking test References: Message-ID: sbb78247 wrote: > aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! That's what my gf was screaming last night. 
-- (><) Carter From Ilgaz at spamcop.net Tue May 10 01:58:20 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 18:00:18 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: On 2005-05-06 17:39:15 +0300, "Pop" said: > Has anyone here tried the e-mail address tester on http://www.dnsstuff.com/ ? > I looked briefly at them on google and they seem fine, and I think I've > seen them mentioned here a few times, but never the address tester. > NANAE folk seem to mention it a lot too. > > I put a few addresses into it, and it does seem to be able to say > whether an e-mail address exists or not, but ... I was wondering what > kind of pitfalls there are to using it. It seems "too good to be true". > > TIA, > > Pop Its web based and I don't know the guy. Can be good or bad, you can never be sure. Maybe it uses VRFY command existing in some SMTP servers. As a general rule, check the information etc before using such sites. There is no "elite" stuff there and I'd suggest (of course) Ironport's andr Spamcop's www services instead. Ilgaz Ocal From Ilgaz at spamcop.net Tue May 10 02:02:03 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 18:05:07 2005 Subject: [SpamCop-List] Re: secure pop? References: Message-ID: On 2005-05-09 21:21:13 +0300, "Russell E. Owen" said: > Any hope of supporting SSH authentication for the spamcop POP server > (for subscription email users)? I realize that by not support SMTP you > take care of the problem of spammers posing as me sending email, but > it's still seems a needless security risk to know that others could > trivially get my email. > > -- Russell Check Wazoo's post. Also, www help of spamcop is pretty complete. I think they do support some SSL and APOP. To try, I must mess with Eudora pro settings which are SSL IMAP, not a good idea :) You have to use pop btw? IMAP with a good client designed for good offline etc is more secure and really practical for spamcop features. 
Held Mail is an IMAP folder for instance. Ilgaz Ocal From Ilgaz at spamcop.net Tue May 10 02:04:53 2005 From: Ilgaz at spamcop.net (Ilgaz) Date: Mon May 9 18:05:18 2005 Subject: [SpamCop-List] Re: Sober virus References: Message-ID: On 2005-05-09 19:02:10 +0300, "Brian (SnSR)" said: > Berny wrote: >> "Ilgaz" wrote in message >> news:d5nll2$ir6$2@news.spamcop.net... >> >>> On 2005-05-06 05:58:57 +0300, "Ook" >>> said: >>> >>> >>>> I'm being innundated with sober virus emails - 1000+ a day at 75K a >>>> pop. It overflowed my mail server limit and my email stopped until I >>>> could get my ISP to increase the limit. I'm guessing there is nothing >>>> that can be done about this - is anyone else being flooded with these? >>>> Is there hope that this flood will slow down soon? >>> >>> One of real rare times that Yahoo mail doesn't put sober stuff to Bulk >>> mail as all other viruses. >>> >>> They directly purge at server level. >>> >>> It shows a clue about the amazing volume they get. They tend to stay >>> away from "purging" normally. If you see the posts/flames because some >>> peoples ISP purchased Spamcop and marking stuff as spam, you may >>> understand why :) >>> >>> Ilgaz Ocal >>> >> >> >> They put all of my sobers in bulk, and the lame sender took 4 days to get >> shut down, and I'm not even sure s/he was. >> >> I wish they had purged mine so i never see them >> >> > > > I'm not certain of this, but it may be something that you can configure > with Yahoo. Look in options. Filters are the weakest part of Yahoo. You have to see it to believe how lame it is. Don't ask why the heck I bought it. It just sounded good idea to me. Well, now using Spamcop mail exclusively and Yahoo for mail list etc junk. Got URL at my iCal application to open browser to cancel my account at Dec. something. 
:) Ilgaz Ocal From MikeE at ster.invalid Mon May 9 16:13:58 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 18:15:03 2005 Subject: [SpamCop-List] Re: www.soft-top100.com resolves, but SC doesn't know about it... References: Message-ID: Hans Salvisberg wrote: www.spamcop.net/sc?id=z761477845zdd8fc3d6291246baee3e336468e343a8z > > spamvertises http://www.soft-top100.com/, which resolves to > 217.107.217.8, but SC can't find anything. When I accessed the tracker [the 2nd time], SC resolved it: Tracking link: http://www.soft-top100.com [report history] Resolves to 217.107.217.8 Routing details for 217.107.217.8 [refresh/show] Cached whois for 217.107.217.8 : magdesiev@webrider.ru uljashin@webrider.ru De-referencing magdesiev@webrider.ru abuse net webrider.ru = abuse@webrider.ru De-referencing uljashin@webrider.ru abuse net webrider.ru = abuse@webrider.ru Using best contacts abuse@webrider.ru When I accessed it the 1st time, SC 'passed'. Sometimes I try to guess about why something didn't resolve based on -1- did the parser spend a lot of time 'doing something' or did it finish pretty fast -2- if SC failed to resolve the url then I resolve it and I also take it to dnsstuff to 'diagnose' nameservice weaknesses -3- if SC failed to resolve it and didn't spend any time on it and neither my resolver nor dnsstuff's resolver had any trouble or delay or weaknesses of the nameservice, I conclude that the parser didn't feel like resolving links at that time. Under those circumstances I assume that the parser has prioritized its resources to be doing other than resolving /any/ urls. Then, there's also a problem with notifying about that IP at webride. 217.107.217.8 cname webrider.ru is listed in spews and spamhause. Either one would suggest non-responsiveness -- the implication being that the parent or upstream should be notified in addition. That IP is AS8342 or abuse@rtcomm.ru -- Then you have to decide if you are happy enough leaving it there. 
> Anything we can do about this? My notifies would be the non-responsive webrider, the parent and router rtcomm, the piracy business which would be the various general antipiracy groups plus the specifics for the ones being marketed, Adobe, MS, and others. -- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Mon May 9 16:15:26 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon May 9 18:20:03 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? In-Reply-To: References: Message-ID: George Langford, Sc.D. wrote: > Here's what cesmail.net said about an email I tried to send > to phish@millersmiles.co.uk (about a phish, naturally): > > >>Final-Recipient: rfc822;phish@millersmiles.co.uk >>Action: failed >>Status: 5.0.0 (permanent failure) >>Diagnostic-Code: smtp; 5.1.0 - Unknown address error 554-' >>: Relay access denied' (delivery attempts: 0) >>Reporting-MTA: dns; c60.cesmail.net > > > This has happened to the last two phishes that I reported. > > Oops: http://www.millersmiles.co.uk/ - looks like it's been swallowed. > > What's a good second choice for a phish phighting website ? Maybe just a temporary thing as it is working now. Phish reporting address is spoof@millersmiles.co.uk . From pantheus at suespammers.org Mon May 9 17:13:40 2005 From: pantheus at suespammers.org (Ken Knull) Date: Mon May 9 19:15:11 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: On Mon, 09 May 2005 16:42:01 -0500, WazoO wrote: > "George Langford, Sc.D." wrote in message > news:mailman.150.1115673959.4572.spamcop-list@news.spamcop.net... >> >> What's a good second choice for a phish phighting website ? > > Yet again, the Forum FAQ has a number of address lists available, to > include a direct link to the Anti-Phishing Working Group .... Plain text > list of that FAQ entry was posted recently into the three main spamcop > newsgroups ... 
see > http://forum.spamcop.net/forums/index.php?showtopic=2238 Damn, Wazoo, quit touting the forum ... MANY of us refuse to be involved "over there" when adequate and faster access is here. Is your sole goal, along with the JeffG simply to troll here to "try" to swing those who appreciate nntp over to a slow forum? From nobody at devnull.spamcop.net Mon May 9 19:40:44 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 9 19:45:03 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Stretch" wrote in message news:stretch-964BA3.16131209052005@news.cesmail.net... > > I'm struggling to educate these people, but the money is just to strong > in this situation. I can see them making the business decision to spam > "just this once", burn the bridge with our ISP, and move to another. > > Any recommendations? My Clue-By-Four is getting all splintered > battering on some very dense heads... Frequently Asked Question .. and as such, already handled in a thing called a FAQ ... either drill down to it via the Help button in the www.spamcop.net web page or browse down the Forum FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 From nobody at spamcop.net Mon May 9 17:54:46 2005 From: nobody at spamcop.net (N. Miller) Date: Mon May 9 20:00:04 2005 Subject: [SpamCop-List] Re: and References: Message-ID: <3pybby02g3bq.dlg@news.spamcop.net> On Mon, 09 May 2005 14:23:32 -0400, eddie wrote: > On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the following: > >> you all suck > > awrrrrm that's so 16-year old and soooo verrrry 20th century > Only girly-men use "suck" these days. Real men know the new word. > Fried Spam smells so great, especially when one more sucker is dead. One of the oddities of the U.S. culture is that it is more acceptable to be a manly girl than it is to be a girly man. 
:P -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at devnull.spamcop.net Mon May 9 19:57:53 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 9 20:00:20 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: "Ken Knull" wrote in message news:pan.2005.05.09.23.13.40.383501@suespammers.org... > On Mon, 09 May 2005 16:42:01 -0500, WazoO wrote: > > >> What's a good second choice for a phish phighting website ? > > > > Yet again, the Forum FAQ has a number of address lists available, to > > include a direct link to the Anti-Phishing Working Group .... Plain text > > list of that FAQ entry was posted recently into the three main spamcop > > newsgroups ... see > > http://forum.spamcop.net/forums/index.php?showtopic=2238 > > Damn, Wazoo, quit touting the forum ... MANY of us refuse to be > involved "over there" when adequate and faster access is here. > > Is your sole goal, along with the JeffG simply to troll here to "try" to > swing those who appreciate nntp over to a slow forum? On the other hand, it is absurd to keep seeing the same questions over and over, yet the answers actually exist in a continually updated document ... (and I'm not even going to bring up the typical "Google it!" response) I've passed on JT's offer to even buy some other software to build a knowledgeable/FAQ thing that many could contribute to at least three times 'here' with very little response. Check the archives for the years of bitching about the www.spamcop.net FAQ. The only thing I'm "pushing for" would be more input to offer answers to even more "Frequently Asked Questions" .. flush out the "How to Use ...." section From D.Gray at picture.oscar.wilde Tue May 10 02:18:45 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Mon May 9 20:20:03 2005 Subject: [SpamCop-List] Getting beyond an open proxy? 
Message-ID: Recently I got a flood of viral-laden emails with various strangers in the From: fields, all of whom were English-speaking academics from various countries. I have strong reasons to believe that these originated from an infected machine belonging to a certain headhunting agency in New Zealand. It would not be the first time they have flooded their contacts' inboxes with viruses like this - in August something quite similar happened and they admitted they were the source. For the previous infection it was relatively easy to source the emails to them because the earliest Received line had as the source a New Zealand ISP that they use. This time the earliest Received line is forged. The helo is the domain part of my own email address, but the IP number does not match, and cannot be reverse-DNS'ed. All of the emails had the same IP number. I did a search on Google at the time for the IP number and a Russian website showed it as an open proxy in Hong Kong, but it since seems to have disappeared from that Russian list. I reported the problem to the New Zealand company, and claimed that they were infected AGAIN. They deny everything, saying: "We pride ourselves on our strong sense of confidentiality and take measures to ensure that confidentiality is preserved at all times." (yeah right, not in August they didn't) They go on to threaten me with a defamation action if I don't cease spreading false and unsubstantiated information. They claim that their IT support people have confirmed that the virus emails are originating at .edu.au below, that is, my own email server. Rubbish, as any fool knows from the headers. I've told them what I think of their IT experts. I asked them to remove me from their address book - the virus-laden emails stopped the instant they did so. 
I can't send these messages through SC for a tracking ref because they are redirected to a forwarding alias, which picks up the virus, strips it and reports it to me elsewhere with the following auto-message. I've included one below, appropriately munged but not too much. My question is, can anyone find out anything about 202.174.155.163? Am I right in thinking this is some kind of anonymising open proxy used by the virus email source? Is there any way of saying anything about where the message originated? Cheers. --Start of body of auto-message-- The Declude Virus software on .org has reported that you were sent an E-mail from , containing the W32/Netsky.Z@mm virus in the Notice.zip attachment. The subject of the E-mail was "Important". The E-mail containing the virus has been quarantined to prevent further damage. Headers Follow: Received: from [202.174.155.163] (helo=.edu.au) by ..edu.au with esmtp (Exim 4.34) id 1DPkoe-0006os-09 for @.edu.au; Mon, 25 Apr 2005 01:22:56 +0800 From: To: @.edu.au Subject: Important Date: Sun, 24 Apr 2005 23:26:28 +0600 MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_NextPart_000_0009_00005C33.00005403" X-Priority: 1 X-MSMail-Priority: High X-Broken-Reverse-DNS: no host name found for IP address 202.174.155.163 Message-Id: <@..edu.au> --End of auto-message-- From usenet2 at DE.LETE.THISljvideo.com Tue May 10 01:26:30 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Mon May 9 20:30:03 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: Waiving the right to remain silent, Stretch wrote: > The Board of Directors sends out a newsletter and various announcements > via USsnail and are trying to cut costs by sending out what they can > electronically. They're eyeing the membership email list with great > interest dispite my admonishments about sending bulk unsolicited email. Unfortunately the mind-set of too many operators of non-profits. 
They somehow think that being a NP gives them the right to do all sorts of less than above-board things. My wife consults for NPs seeking grants, so I do have a certain knowledge of their ways. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin From usenet2 at DE.LETE.THISljvideo.com Tue May 10 01:30:38 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Mon May 9 20:35:05 2005 Subject: [SpamCop-List] Re: and References: Message-ID: Waiving the right to remain silent, "sbb78247" wrote: > you all suck I love the smell of fried spammer in the morning..! -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin From MikeE at ster.invalid Mon May 9 18:45:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 20:45:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > My question is, can anyone find out anything about 202.174.155.163? > Am I right in thinking this is some kind of anonymising open proxy > used by the virus email source? 202.174.155.163 no rDNS of the Bangladesh speedcast inetnum: 202.174.155.160 - 202.174.155.167 netname: DNS-BD notify trouble: send spam reports to support@speedcast.com trouble: and abuse reports to noc@speedcast.com is an open port 8080 [currently online and abusable] proxy which is on numerous blocklists such as cbl and dsbl for hitting spamtraps and testing proxy positive and other blocklists such spamcop for spamsource > Is there any way of saying anything > about where the message originated? No. The abusable proxy completely conceals what abused it. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon May 9 19:18:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 21:20:08 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > I reported the problem to the New Zealand company, and claimed that > they were infected AGAIN. They deny everything, I have no opinion on the business of how you analyzed the headers. Posting some part of a munged header as if we were going to talk about how to parse it or the accuracy of your parsing doesn't work. I don't understand the concept of how you accused some NZ co. of providing for someone who was abusing a Bangladesh proxy -- if in fact this IP which we are discussing here was the source of the item. The other thing I don't have a supporting opinion on your analysis of is the concept of someone intentionally propagating virms. That almost never happens, altho' it seem that people are always supposing it, for some reason or another. The first thing you should assume about any viral propagation is that it is being propagated in the normal infected machine propagation style -- not that some evil virus writer has chosen email viral propagations to do some intentional dirty work. The ratio of simple infected propagations to intentional 'dropping' must be about a zillion to one. So, mathematically and logically, I would say that there is something wrong with your analysis of this situation. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Tue May 10 03:22:59 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Mon May 9 21:25:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , "Mike Easter" wrote: > Dorian Gray wrote: > > My question is, can anyone find out anything about 202.174.155.163? > > Am I right in thinking this is some kind of anonymising open proxy > > used by the virus email source? 
> > 202.174.155.163 no rDNS of the Bangladesh speedcast > is an open port 8080 [currently online and abusable] proxy which is on > numerous blocklists such as cbl and dsbl for hitting spamtraps and > testing proxy positive and other blocklists such spamcop for spamsource > > > Is there any way of saying anything > > about where the message originated? > > No. The abusable proxy completely conceals what abused it. Thanks for your objective and informative reply Mike. I couldn't find that info when I tried. But I see it is as I feared. You answered my questions fully, but can I draw you (or others) to give an opinion on my battle with this company, and whether you would have drawn the same conclusions as I have, and whether you think I should stick to my guns? I have already told them that defamation law requires that they have an intact reputation, which they blew in August. Also, can you think of any other facts/tests for determining infection within this company? (Apart from having a competent IT person find the infection. :) I thought of asking them to re-add me to their address book, and see if the virus-laden emails start again. How do we protect the world from internet menaces like this company? Thanks. From SCNews.5.myspamgobbler at spamgourmet.com Mon May 9 19:48:22 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon May 9 21:50:06 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam In-Reply-To: References: Message-ID: WazoO wrote: > "Stretch" wrote in message > news:stretch-964BA3.16131209052005@news.cesmail.net... > >>I'm struggling to educate these people, but the money is just to strong >>in this situation. I can see them making the business decision to spam >>"just this once", burn the bridge with our ISP, and move to another. >> >>Any recommendations? My Clue-By-Four is getting all splintered >>battering on some very dense heads... > > > Frequently Asked Question .. 
and as such, already handled in a > thing called a FAQ ... either drill down to it via the Help button > in the www.spamcop.net web page or browse down the Forum > FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 > > WazoO, I also am getting very tired of opening one of your messages, hoping to see some intelligent insight of your's (I do believe that is possible) and seeing nothing useful, only you trying to direct someone to a place that they are not. PLEASE STOP If it bothers you so much to see the same questions than stay away. From MikeE at ster.invalid Mon May 9 19:53:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 21:55:03 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > Recently I got a flood of viral-laden emails with various > strangers in the From: fields, all of whom were > English-speaking academics from various countries. I have strong > reasons to believe that these originated from an infected machine > belonging to a certain headhunting > agency in New Zealand. Why do you think /that/? > This time the earliest Received line is > forged. The helo is the domain part of my own email address, but the > IP number does not match, and cannot be reverse-DNS'ed. All of the > emails had the same IP number. This business of *describing* headers is very very uninteresting and nonproductive. If you can't produce them, simply state that you determined the source to be such and such. Maybe you were right and maybe you were wrong. If you want to produce them in their entirety, put the headers into the webparser, copy the tracking url, and paste it in here. If you want to *gently* munge something like an address before the parse, go ahead. I don't understand any good reason to be mungeing hostnames in the 'from' or 'by' fields. 
-- Mike Easter kibitzer, not SC admin From SCNews.5.myspamgobbler at spamgourmet.com Mon May 9 19:58:31 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Mon May 9 22:00:03 2005 Subject: [SpamCop-List] Re: Sober virus In-Reply-To: References: Message-ID: Ilgaz wrote: > On 2005-05-09 19:02:10 +0300, "Brian (SnSR)" > said: > >> Berny wrote: >> >>> "Ilgaz" wrote in message >>> news:d5nll2$ir6$2@news.spamcop.net... >>> >>>> On 2005-05-06 05:58:57 +0300, "Ook" >>>> said: >>>> >>>> >>>>> I'm being innundated with sober virus emails - 1000+ a day at 75K a >>>>> pop. It overflowed my mail server limit and my email stopped until I >>>>> could get my ISP to increase the limit. I'm guessing there is nothing >>>>> that can be done about this - is anyone else being flooded with these? >>>>> Is there hope that this flood will slow down soon? >>>> >>>> >>>> One of real rare times that Yahoo mail doesn't put sober stuff to Bulk >>>> mail as all other viruses. >>>> >>>> They directly purge at server level. >>>> >>>> It shows a clue about the amazing volume they get. They tend to stay >>>> away from "purging" normally. If you see the posts/flames because some >>>> peoples ISP purchased Spamcop and marking stuff as spam, you may >>>> understand why :) >>>> >>>> Ilgaz Ocal >>>> >>> >>> >>> They put all of my sobers in bulk, and the lame sender took 4 days to >>> get >>> shut down, and I'm not even sure s/he was. >>> >>> I wish they had purged mine so i never see them >>> >>> >> >> >> I'm not certain of this, but it may be something that you can >> configure with Yahoo. Look in options. > > > Filters are the weakest part of Yahoo. You have to see it to believe how > lame it is. > > Don't ask why the heck I bought it. It just sounded good idea to me. > Well, now using Spamcop mail exclusively and Yahoo for mail list etc junk. > > Got URL at my iCal application to open browser to cancel my account at > Dec. something. 
:) > > Ilgaz Ocal > Spam Filter SpamGuard is ON [Turn SpamGuard OFF - What's this?] For messages SpamGuard identifies as Spam: Immediately delete these messages upon receipt. (Note: If you choose this option, you will not be able to review the messages before they are deleted.) Save these messages in the Bulk Folder for From D.Gray at picture.oscar.wilde Tue May 10 04:35:28 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Mon May 9 22:35:03 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , "Mike Easter" wrote: > The other thing I don't have a supporting opinion on your analysis of is > the concept of someone intentionally propagating virms. I never said such a thing, didn't imply it, and don't think it. If that's what you thought I think then you might need to do a reformulate your opinions with your view corrected... These people are incompetent, not malicious. Last time, they admitted they were infected and fixed it. This time they're claiming they're too careful ever to be infected. So Mike, after you've reset your presumptions, care to offer a view on what I (really) said? My question about how to protect the world from them was not because they are trying to do nasty things, but because they have built up an extensive address book of academics and then unwittingly cause viral havoc with it. The previous viral infection is not the only case in my dealings with them where the IT incompetence has reared its head. The problem is their default reaction with IT problems is to assume the other party is to blame, even when it is clear to anyone competent that it isn't. BTW, if you look at the munging of the headers that were contained in the body of the auto-report I got, you will see that the helo is recognisably not associated with the IP address shown. You will also see that I've munged various strings and given them labels which you can see repeated. 
In other words, you don't need to know anything more than what I've given to respond sensibly, or at least as sensibly as you could if I didn't munge at all. Cheers. From Kilgallen at SpamCop.net Mon May 9 22:38:39 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon May 9 22:40:03 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: In article , "Brian (SnSR)" writes: > WazoO wrote: >> "Stretch" wrote in message >> news:stretch-964BA3.16131209052005@news.cesmail.net... >> >>>I'm struggling to educate these people, but the money is just to strong >>>in this situation. I can see them making the business decision to spam >>>"just this once", burn the bridge with our ISP, and move to another. >>> >>>Any recommendations? My Clue-By-Four is getting all splintered >>>battering on some very dense heads... >> >> >> Frequently Asked Question .. and as such, already handled in a >> thing called a FAQ ... either drill down to it via the Help button >> in the www.spamcop.net web page or browse down the Forum >> FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 >> >> > WazoO, > > I also am getting very tired of opening one of your messages, hoping to > see some intelligent insight of your's (I do believe that is possible) > and seeing nothing useful, only you trying to direct someone to a place > that they are not. > > PLEASE STOP Amen. From MikeE at ster.invalid Mon May 9 20:59:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 23:00:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > care to offer a view on > what I (really) said? No. I have no clue about what you are talking about. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon May 9 21:23:22 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 9 23:25:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? 
References: Message-ID: I'm going to put this part up at the top first, and then in context down below: > Am I right in thinking this is some kind of anonymising open proxy > used by the virus email source? No. Viral propagations don't use open proxies to anonymize themselves. Dorian Gray wrote: > Recently I got a flood of viral-laden emails with various > strangers in the From: fields, all of whom were > English-speaking academics from various countries. That simply means that the propagation had access to such addies to put them into the To, From, envelope rcpt to or whatever. > I have strong > reasons to believe that these originated from an infected machine > belonging to a certain headhunting > agency in New Zealand. That doesn't make any sense regarding anything you have exposed here. We are getting websites and infected user IPs all mixed up somehow. > It would not be the first time they have > flooded their contacts' inboxes with viruses like this - in August > something quite similar happened and they admitted they were the > source. www.academic-search.net = 210.48.1.214 inetnum: 210.48.0.0 - 210.48.127.255 netname: ICONZ-NZ descr: ICONZ, Internet Service Provider Mail for academic-search.net is handled by mx-f.maxnet.net.nz & mx-us.maxnet.net.nz The nameservice and incoming mail is handled by more than one provider. How the outgoing is handled isn't apparent. Saying that 'they' admitted 'they' were the source isn't informative to me. I doubt that you are saying that the website was the source. > For the previous infection it was relatively easy to source the emails > to them because the earliest Received line had as the source a New > Zealand ISP that they use. This time the earliest Received line is > forged. The helo is the domain part of my own email address, but the > IP number does not match, and cannot be reverse-DNS'ed. All of the > emails had the same IP number.
I did a search on Google at the time > for the IP number and a Russian website showed it as an open proxy in > Hong Kong, but it since seems to have disappeared from that Russian > list. > > I reported the problem to the New Zealand company, and claimed that > they were infected AGAIN. They deny everything, saying: When you are tracking a viral propagator, if you parse the headers correctly, you should arrive at the source IP of the infected propagator. Viral propagators are not like spammers who abuse open proxies. Viral propagators propagate. That's what they do. I'm not sure why we are talking about the IP 202.174.155.163. Either you think it is the source of the propagation or you have erred in your analysis of the headers or something. I also don't see what 202.174.155.163 has to do with your NZ co. You didn't answer that yet. > Am I right in thinking this is some kind of anonymising open proxy > used by the virus email source? No. Viral propagations don't use open proxies to anonymize themselves. -- Mike Easter kibitzer, not SC admin From edb2000 at spamcop.net Tue May 10 00:13:08 2005 From: edb2000 at spamcop.net (Don Wannit) Date: Tue May 10 02:15:04 2005 Subject: [SpamCop-List] Re: fucking test In-Reply-To: References: Message-ID: Carter wrote: > sbb78247 wrote: > > >>aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > > That's what my gf was screaming last night. Your Gay Friend? Why would we care in the least if you are gay? It has nothing whatsoever to do with fighting spam and spammer sleaze.
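The header check argued over in the "Getting beyond an open proxy?" thread above, as an added example that is not part of any poster's message: it finds the one Received line written by the recipient's own server, takes the connecting IP from it, and flags a HELO that claims the recipient's own domain from an outside address. The host names, the own-network range and the second Received line are constructed assumptions; the first line copies the shape of the Exim line quoted in the thread.

```python
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed sample. The first Received line has the shape of the Exim line
# quoted in the thread; the munged parts are filled with .example names and
# documentation addresses. The second line stands for anything the sending
# side wrote itself before the message reached our server.
SAMPLE = """\
Received: from [203.0.113.163] (helo=uni.example)
\tby mx1.uni.example with esmtp (Exim 4.34) id 1DPkoe-0006os-09
\tfor staff@uni.example; Mon, 25 Apr 2005 01:22:56 +0800
Received: from mail.agency.example (mail.agency.example [198.51.100.7])
\tby relay.isp.example with SMTP; Sun, 24 Apr 2005 23:26:30 +0600
From: someone@elsewhere.example
To: staff@uni.example
Subject: Important

(body removed)
"""

FROM_BY = re.compile(r"^from\s+(?P<frm>.+?)\s+by\s+(?P<by>\S+)", re.I)
BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
HELO = re.compile(r"helo=([^\s)]+)", re.I)


class Hop(NamedTuple):
    ip: Optional[object]   # address the recording server saw, if parseable
    helo: Optional[str]    # name the client claimed; free text, never verified
    by: str                # server that wrote this Received line


def parse_received(value):
    """Parse one Received header value; return None if it has no from/by pair."""
    flat = " ".join(value.split())          # undo header folding
    m = FROM_BY.match(flat)
    if not m:
        return None
    frm = m.group("frm")
    ip = None
    ip_m = BRACKET_IP.search(frm)
    if ip_m:
        try:
            ip = ip_address(ip_m.group(1))
        except ValueError:
            ip = None
    helo_m = HELO.search(frm)
    first = frm.split()[0]
    if helo_m:                               # Exim style: (helo=name)
        helo = helo_m.group(1)
    elif first.startswith("["):              # bare address, no name given
        helo = None
    else:                                    # Sendmail/Postfix style: name first
        helo = first
    by = m.group("by").rstrip(";").lower()
    return Hop(ip, helo.lower() if helo else None, by)


def analyse(raw, trusted_hosts, own_domain, own_nets):
    """Return the only source address the headers can prove, plus a HELO flag."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    boundary, idx = None, -1
    # Received lines are prepended, so index 0 is the newest. Keep walking only
    # while the line was written by one of our servers AND the peer was also
    # ours (an internal relay). The first outside peer is the handoff.
    for i, hop in enumerate(hops):
        if hop is None or hop.by not in trusted_hosts:
            break
        boundary, idx = hop, i
        if hop.ip is None or not any(hop.ip in net for net in own_nets):
            break
    if boundary is None:
        return {"source_ip": None, "helo": None,
                "helo_forged": False, "ignored_hops": len(hops)}
    outside = boundary.ip is None or not any(boundary.ip in n for n in own_nets)
    helo = boundary.helo or ""
    claims_own = helo == own_domain or helo.endswith("." + own_domain)
    return {"source_ip": str(boundary.ip) if boundary.ip else None,
            "helo": boundary.helo,
            "helo_forged": claims_own and outside,
            "ignored_hops": len(hops) - idx - 1}   # unverifiable lines below


if __name__ == "__main__":
    print(analyse(SAMPLE, {"mx1.uni.example"}, "uni.example",
                  [ip_network("192.0.2.0/24")]))
```

The address it returns is only the last machine that connected to the recipient's server; as the thread says, when that machine is an open proxy the headers hold nothing reliable about what sat behind it.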
From nospam at fuck-off-and-die.com Tue May 10 15:36:38 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Tue May 10 04:56:37 2005 Subject: [SpamCop-List] Re: fucking test References: Message-ID: <6d746235f6a04453bb2d26463987ba88@comp.graphics.slash.and.burn> Don Wannit, , the snakelike, ill-composed jizz receptacle, and lady living in a rural location who embroiders flowers on muslin, revealed: > Carter wrote: > >> sbb78247 wrote: >> >> >>> aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! >> >> >> That's what my gf was screaming last night. > > > Your Gay Friend? Why would we care in the least if your are gay? You tell me why you care then everyone will know. From nobody at nowhere.invalid Tue May 10 12:18:32 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 10 05:20:37 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Tue, 10 May 2005 00:30:38 +0000 (UTC), Larry J. coughed into spamcop and left this in : > Waiving the right to remain silent, "sbb78247" wrote: > >> you all suck > > I love the smell of fried spammer in the morning..! It smells like..... Perhaps I won't complete that sentence on second thoughts. 'Scuse me while I wipe the barf off my keyboard. -- Steve Why is it that people say they slept like a baby when babies wake up every two hours? From nobody at nowhere.invalid Tue May 10 12:20:26 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 10 05:25:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: On Mon, 09 May 2005 16:13:13 -0700, Stretch coughed into spamcop and left this in : > Any recommendations? My Clue-By-Four is getting all splintered > battering on some very dense heads... Send them over to NANAE to tell of their intentions. They won't know what hit them in the replies! -- Steve Everyone has a photographic memory. Some just don't have film. 
From hans at salvisberg.invalid Tue May 10 13:16:20 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Tue May 10 06:05:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam In-Reply-To: References: Message-ID: Stretch wrote: > We have an email list server where members must physically go to our web > site, login, and click a button to sign up to join the list. Then they > have to confirm their joining by replying to an email. Most don't > bother with the second step and to date, we have 12 members of of 800 > who've successfully signed up. Are you sure your system is fool-proof? I run a similar operation and my experience is that a lot of people are challenged with (for us) simple things like replying to an email message. Asking for a click on a (short, i.e. non-breaking!) web link would be easier than an email reply. Do you make it abundantly clear that clicking the button is only the lesser half of the sign-up process? Do they eagerly wait for the email, so they can do the second step? Would they tell you if they never got the email? 12 out of 800 really is awfully low... In my group, we've managed to position the mailing lists as a primary benefit of membership, and people who join are eager to get on the lists. They declare their wish and give their email address when they sign up for membership, and I enter their address into the lists without any further confirmation. There is a certain risk of entering a wrong address, and it happens sometimes, but then the welcome message usually bounces. Maybe you can offer a discount on the membership fee for those who join the email list, or raise the fee for those who don't, which would only be fair... Offering alternatives to the BoD will be easier than just telling them not to do that. 
Hans From nobody at nowhere.invalid Tue May 10 13:13:22 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 10 06:15:02 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: On Tue, 10 May 2005 12:16:20 +0200, Hans Salvisberg coughed into spamcop and left this in : > They declare their wish and give their email address when they sign up > for membership, and I enter their address into the lists without any > further confirmation. What steps do you take to ensure that the e-mail address given by a member actually belongs to that member? What you're describing sounds like it would allow any new member to sign up with you and give someone else's e-mail address, which is liable to get you blocklisted. -- Steve Recorded message on an answerphone: "This is not an answering machine, this is a telepathic thought-recording device. After the tone, think about your name, your number, and your reason for calling.... and I'll think about returning your call." From hans at salvisberg.invalid Tue May 10 13:30:23 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Tue May 10 06:20:03 2005 Subject: [SpamCop-List] Re: Anyone from Würzburg, Germany? Is it legal to peddle prescription drugs over the Internet in Germany? In-Reply-To: References: Message-ID: Ilgaz wrote: > From what I know, hear etc. That guy has no chance if some german > figures it. :) Speaking about jail, not speaking about some $10 dialup > cancelled. Yes, let's hope some German friend picks it up. > I had a friend got arrested for politely hitting the phone cabins glass > (with coin) and showing his watch to some phone talking guy. To hurry. > > Guess what happened? He smiled , hung up, called another number and very > politely left. 5 mins later, he came with cops. *g* Yes, guy got > arrested as a tourist for that. > > I mean, speaking about the system in Germany.
Now, imagine selling that > stuff when you are based in Germany. I live in Switzerland, which is a neighboring country to Germany, and I'm not aware of such harsh police measures in Germany. You painted this way too black IMO. I also have ties to the U.S., and even though I never had a close encounter with either country's police (nor any personal reason to fear such an encounter) I'd rather be arrested ten times by German police than once by U.S. authorities... In fact just being a foreigner wanting to visit the U.S. is reason enough for the U.S. authorities to treat you as a criminal and take your fingerprints (unless you present a biometric passport which lets them electronically retrieve equivalent identifying information). But nevertheless, I also think that Helmut Fischer from Würzburg will be in deep trouble if we find someone who knows how to turn him in. Hans From nobody at devnull.spamcop.net Tue May 10 07:13:09 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue May 10 07:10:26 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-87B3A7.02225910052005@news.cesmail.net... > How do we protect the world from internet menaces like this company? Offline when someone acts against the mores of the group, the proper etiquette is to give them the 'cut direct' according to Miss Manners. The internet equivalent of that is to block them with a polite message that you don't want emails from them because of spam or viruses or whatever. Offline, one can force others to do what you want them to. Online, it is not very easy to control what others do. OTOH, they can't force you either. That leaves 'netiquette' to make the internet workable. In the old days, it worked just fine.
Those who were technically ignorant welcomed the advice of those who knew what they were doing so everyone was competent and everyone was 'polite' Now the 'offliners' have invaded and are trying to impose offline values, but it isn't working. the only way to stop obnoxious behavior is to ignore it, to reject it at the server level if possible. If not, to either report (politely) or delete. If this is a company, then when no one gets their emails, perhaps that will solve the problem. Persistence is the key to assertive behavior that gets changes. Assertiveness is always polite also. IOW, 'please stop sending virmen, it is not a good practice for you or me,' repeatedly to as high up in the company as you can reach if you are interested in keeping them in business. Miss Betsy From nobody at devnull.spamcop.net Tue May 10 08:49:34 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 07:50:05 2005 Subject: [SpamCop-List] OT: Re: Educating non-techies not to spam References: Message-ID: "Brian (SnSR)" wrote in message news:d5p3te$eru$1@news.spamcop.net... > WazoO wrote: >> "Stretch" wrote in message >> news:stretch-964BA3.16131209052005@news.cesmail.net... >> >>>I'm struggling to educate these people, but the money is just to strong ... >> thing called a FAQ ... either drill down to it via the Help button >> in the www.spamcop.net web page or browse down the Forum >> FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 >> >> > WazoO, > > I also am getting very tired of opening one of your messages, hoping to > see some intelligent insight of your's (I do believe that is possible) and > seeing nothing useful, only you trying to direct someone to a place that > they are not. > > PLEASE STOP > > If it bothers you so much to see the same questions than stay away. > Well, that's one line of thought. 
Another is, his advice, AFAIK, always does get you into the ballpark you need where the information you get is pre-meditated and approved for use, as opposed to regurgitated re-speak. It also lets anyone else reading know that the FAQs or whatever exist, which has been a fairly recent problem, and often times others than the OP are helped with the reference. IMO, the best practice is to lurk around long enough to know the players and if you know some aren't posting the way -you- prefer, organized the way -you- prefer, just glance, don't read, OR ignore, OR killfile, and so on. There are many ways to not let that stuff bother you. After all, this is an open area, albeit fairly well operated and monitored, and with a -very- minimal amount of trash-talk compared to almost all others of its kind, technical or not. It may not be perfect, but appreciate it for the knowledge it contains and that which the constant participants provide. The last point is, don't try to PO those who may one day be able to provide help you need where no one else can. Some here are quite specialized. Pop From Nobody at Spamcop.net Tue May 10 07:53:32 2005 From: Nobody at Spamcop.net (Nobody) Date: Tue May 10 07:55:02 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: <4280A0BC.E92CD670@Spamcop.net> Ilgaz wrote: > > On 2005-05-09 05:55:14 +0300, "sbb78247" said: > > > aaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhh!!!!! > > Your test (!) works and I think it will mysteriously stop working not > allowing further "tests" when some admin wakes up ;) > > I'd remove spamcop from my subscribed news servers for future. E.g. > "host unreachable" etc ;) Concur. Excellent suggestion for our village idiot. 
Regards, Michael From nobody at devnull.spamcop.net Tue May 10 08:57:16 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:00:04 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Larry Kilgallen" wrote in message news:ZeLtKAKfnr6e@eisner.encompasserve.org... > In article , "Brian (SnSR)" > writes: >> WazoO wrote: >>> "Stretch" wrote in message >>> news:stretch-964BA3.16131209052005@news.cesmail.net... >>> >>>>I'm struggling to educate these people, but the money is just too strong >>>>in this situation. I can see them making the business decision to spam >>>>"just this once", burn the bridge with our ISP, and move to another. >>>> >>>>Any recommendations? My Clue-By-Four is getting all splintered >>>>battering on some very dense heads... >>> >>> >>> Frequently Asked Question .. and as such, already handled in a >>> thing called a FAQ ... either drill down to it via the Help button >>> in the www.spamcop.net web page or browse down the Forum >>> FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 >>> >>> >> WazoO, >> >> I also am getting very tired of opening one of your messages, hoping to >> see some intelligent insight of yours (I do believe that is possible) >> and seeing nothing useful, only you trying to direct someone to a place >> that they are not. >> >> PLEASE STOP > > Amen. In no way is this intended to be a flame: Larry, I'd agree with you -if- the references were wrong or misleading, but if they are accurate, then what's so bad about that? Are they often wrong or misled? Many technical newsgroups have naturally occurring "paired" posters where one says where the info is located for a horse's mouth source, and then someone comes along right behind them with a more verbose answer, sometimes simply gleaned from the given references, sometimes from the horse's ass, but at least inconsistencies come to light that way. To my way of thinking, it's the best of both worlds.
It's just too easy to bypass Wazoo if I don't feel like just seeing a reference and not a verbose answer, but ... if it's MY question, I really appreciate both! The more similar responses, the better I feel about the accuracy and if they help me to interpret a reference, well, great; that just adds to my confidence level. Regards, Pop From Nobody at Spamcop.net Tue May 10 07:57:48 2005 From: Nobody at Spamcop.net (Nobody) Date: Tue May 10 08:00:13 2005 Subject: [SpamCop-List] Re: and References: Message-ID: <4280A1BC.FE6FBA52@Spamcop.net> sbb78247 wrote: > > you all suck Moron. Go back to chickenboning for Ralsky. See if he'll pay you. We'll be along to mop you up again in a bit. Regards, Michael From nobody at devnull.spamcop.net Tue May 10 09:02:21 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:05:03 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: "WazoO" wrote in message news:d5olfc$5l7$1@news.spamcop.net... > "George Langford, Sc.D." wrote in message > news:mailman.150.1115673959.4572.spamcop-list@news.spamcop.net... >> >> What's a good second choice for a phish phighting website ? > > Yet again, the Forum FAQ has a number of address lists > available, to include a direct link to the Anti-Phishing Working > Group .... Plain text list of that FAQ entry was posted > recently into the three main spamcop newsgroups ... see > http://forum.spamcop.net/forums/index.php?showtopic=2238 > > Thank you Wazoo; good info. Pop From nobody at devnull.spamcop.net Tue May 10 09:07:02 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:10:03 2005 Subject: [SpamCop-List] Re: Demise of phish reporting at millersmiles.co.uk ? References: Message-ID: ... > Damn, Wazoo, quit touting the forum ... MANY of us refuse to be > involved "over there" when adequate and faster access is here. 
> > Is your sole goal, along with the JeffG simply to troll here to "try" to > swing those who appreciate nntp over to a slow forum? It is your right to not read ANY post here you wish to ignore. You have identified a poster you cannot appreciate; now you're armed to keep your liver from quivering quite so badly. Or, you could try another ng that is more to your liking. You have many solutions available to you. Perhaps someone could send you a location for the netiquette RFC and FYI; it would appear you have not read them. They specifically address newsgroups in addition to email etc. I will abstain from giving you that URL because I know you prefer not to see references, but, that's really your loss. You'll never know what you are missing. Ignorance can be bliss, I guess. From nobody at devnull.spamcop.net Tue May 10 09:19:38 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:20:04 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: ... >> I put a few addresses into it, and it does seem to be able to say whether >> an e-mail address exists or not, but ... I was wondering what kind of >> pitfalls there are to using it. It seems "too good to be true". >> >> TIA, >> >> Pop > > It's web based and I don't know the guy. Can be good or bad, you can never > be sure. > > Maybe it uses VRFY command existing in some SMTP servers. > > As a general rule, check the information etc before using such sites. > > There is no "elite" stuff there and I'd suggest (of course) Ironport's > and Spamcop's www services instead. > > Ilgaz Ocal > AFAIK, SC cannot verify whether or not an email address exists and is accepting emails. Or did I miss something somewhere? If you're talking about using the spam copy box for processing, all that does is give you the addresses to complain to, not whether or not the user email name is valid. Provide a pointer, please?
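On the pitfalls of address finders raised in this thread: such a tool can only interpret SMTP reply codes, from VRFY or from RCPT TO, and many servers answer in ways that carry no information about whether the mailbox exists. The following Python code is an added example, not part of any post in this archive; the transcripts are constructed, and the host names, addresses and function names are assumptions.

```python
import re

# Constructed SMTP transcripts ("C:" client, "S:" server). Hosts and addresses are made up.
CATCH_ALL = """
S: 220 mx.example.net ESMTP
C: EHLO probe.example.org
S: 250-mx.example.net
S: 250-SIZE 10240000
S: 250 8BITMIME
C: VRFY somebody@example.com
S: 252 Cannot VRFY user, but will accept message and attempt delivery
C: MAIL FROM:<probe@example.org>
S: 250 OK
C: RCPT TO:<somebody@example.com>
S: 250 Accepted
C: RCPT TO:<bogus37722@example.com>
S: 250 Accepted
"""

SELECTIVE = """
S: 220 mx.example.net ESMTP
C: HELO probe.example.org
S: 250 mx.example.net
C: VRFY somebody@example.com
S: 502 VRFY command is disabled
C: MAIL FROM:<probe@example.org>
S: 250 OK
C: RCPT TO:<somebody@example.com>
S: 250 Accepted
C: RCPT TO:<bogus37722@example.com>
S: 550 No such user here
"""

REJECTED = """
S: 220 mx.example.net ESMTP
C: HELO probe.example.org
S: 250 mx.example.net
C: MAIL FROM:<probe@example.org>
S: 250 OK
C: RCPT TO:<somebody@example.com>
S: 550 No such user here
"""

GREYLISTED = """
S: 220 mx.example.net ESMTP
C: HELO probe.example.org
S: 250 mx.example.net
C: MAIL FROM:<probe@example.org>
S: 250 OK
C: RCPT TO:<somebody@example.com>
S: 450 Try again later
"""

REPLY_LINE = re.compile(r"^S: (\d{3})([ -])(.*)$")
ADDRESS = re.compile(r"[\w.+-]+@[\w.-]+")
POSITIVE = {250, 251}        # accepted / will forward
NEGATIVE = {550, 551, 553}   # permanent "no such mailbox" style rejections


def parse_transcript(text):
    """Pair each client command with the final line of the server's reply.

    Returns (command, code) tuples; the greeting has command None.
    """
    exchanges, command = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("C: "):
            command = line[3:]
            continue
        match = REPLY_LINE.match(line)
        if match and match.group(2) == " ":   # "250-" continues, "250 " ends a reply
            exchanges.append((command, int(match.group(1))))
            command = None
    return exchanges


def reply_for(exchanges, verb, address):
    """Reply code for the first `verb` command that names `address`, or None."""
    for command, code in exchanges:
        if not command or not command.upper().startswith(verb):
            continue
        found = ADDRESS.search(command)
        if found and found.group(0).lower() == address.lower():
            return code
    return None


def classify(transcript, target, control):
    """Say what the transcript really tells us about `target`.

    `control` is a mailbox name that should not exist; if the server accepts
    it too, an acceptance of `target` proves nothing.
    """
    exchanges = parse_transcript(transcript)
    vrfy = reply_for(exchanges, "VRFY", target)
    rcpt_target = reply_for(exchanges, "RCPT", target)
    rcpt_control = reply_for(exchanges, "RCPT", control)

    if vrfy in POSITIVE:
        return "exists"
    if vrfy in NEGATIVE or rcpt_target in NEGATIVE:
        return "does-not-exist"
    if rcpt_target in POSITIVE and rcpt_control in NEGATIVE:
        return "probably-exists"
    # 252/502 to VRFY, 4xx deferrals, or a server that accepts every recipient
    return "inconclusive"


if __name__ == "__main__":
    for name in ("CATCH_ALL", "SELECTIVE", "REJECTED", "GREYLISTED"):
        print(name, classify(globals()[name], "somebody@example.com",
                             "bogus37722@example.com"))
```
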
From nobody at devnull.spamcop.net Tue May 10 09:22:21 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 08:25:03 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: bye arsehole From Kilgallen at SpamCop.net Tue May 10 08:48:30 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Tue May 10 08:50:21 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: In article , "Pop" writes: > > "Larry Kilgallen" wrote in message > news:ZeLtKAKfnr6e@eisner.encompasserve.org... >> In article , "Brian (SnSR)" >> writes: >>> WazoO, >>> >>> I also am getting very tired of opening one of your messages, hoping to >>> see some intelligent insight of yours (I do believe that is possible) >>> and seeing nothing useful, only you trying to direct someone to a place >>> that they are not. >>> >>> PLEASE STOP >> >> Amen. > > In no way is this intended to be a flame: > > Larry, I'd agree with you -if- the references were wrong or misleading, but > if they are accurate, then what's so bad about that? Are they often wrong > or misled? How would you feel if I responded to every spamcop.geeks complaint about an operating system with the advice to use my own favorite ? Even if I were right on that subject, repeating something to those who had heard it over and over again would be obnoxious. > Many technical newsgroups have naturally occurring "paired" posters where > one says where the info is located for a horse's mouth source, and then > someone comes along right behind them with a more verbose answer, sometimes > simply gleaned from the given references, sometimes from the horse's ass, > but at least inconsistencies come to light that way. To my way of thinking, > it's the best of both worlds. It's just too easy to bypass Wazoo if I don't > feel like just seeing a reference and not a verbose answer, but ... if it's > MY question, I really appreciate both!
The more similar responses, the > better I feel about the accuracy and if they help me to interpret a > reference, well, great; that just adds to my confidence level. Not all of us have that much reading time available. From Nobody at Spamcop.net Tue May 10 08:53:51 2005 From: Nobody at Spamcop.net (Nobody) Date: Tue May 10 08:55:03 2005 Subject: [SpamCop-List] Re: pump and dump & webpresence.com References: Message-ID: <4280AEDF.587A7F2E@Spamcop.net> RandallW wrote: > > I've been receiving pump and dump mail for months; it WAS being hosted on a > server where the Spamcop pinging was not timing out ( for the admin > address ). Then the spam moved to webpresence.com, causing pingouts for the > admin ( some supposed Victor Allan ). > > By a Google search I noticed there was some discussion of this on the > Spamcop forum, with speculation that the spam is something done by one of > The Big 50 Spammers. > > Has anyone called the number on the registration of webpresence.com? Is > webpresence supposed to be an ISP? > > Does Victor Allan actually exist? I don't know anything about Victor Allan, sorry, but have you been turning this spew to SEC's enforcement address? They have the ball on this pump-and-dump stuff. Best regards, Michael From nobody at spamcop.net Tue May 10 11:38:12 2005 From: nobody at spamcop.net (indigo) Date: Tue May 10 10:40:15 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Mike Easter wrote: > indigo wrote: > > Mike Easter wrote: > > >> You start by putting an email addy into the L window; there needs > >> to be some preliminary configuration in options such as an email > >> address for the mail from command part. > > > > What kind of "preliminary configs" are you referring to? > > Just that one I mentioned for the address is all you need to do the > smtp test: > > SSwin/ Edit/ Basics tab - Email address. > > That way it has something to put when it is saying 'mail from'. 
> > Then, paste the target addy into what it calls the 'address box' -- > namely the left window. I tried doing that, but still get the same error message: 05/10/05 10:36:32 SMTP Verify somebody@mycompany.com, at  Host  doesn't exist, trying  instead Still doing something wrong...... From D.Gray at picture.oscar.wilde Tue May 10 17:01:18 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Tue May 10 11:00:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , "Mike Easter" wrote: > > > Am I right in thinking this is some kind of anonymising open proxy > > used by the virus email source? > > No. Viral propagations don't use open proxies to anoymize themselves. I think maybe this one does. > Dorian Gray wrote: > > Recently I got a flood of viral-laden emails with various > > strangers in the From: fields, all of whom were > > English-speaking academics from various countries. > > That simply means that the propagation had access to such addies to put > them into the To, From, envelope rcpt to or whatever. The question is who would have such an address book, especially given the concentration of New Zealand and Australian addresses in it. The other point is that NONE of my academic contacts have my address (the one that received the virus emails) in their address book, because it has effectively been obsolete for 3 years, and I informed all of my academic contacts of my new address back then, and I have been in contact with all of them using the new address. BUT I know that THIS company still had my old address in their address books, and I since I used to use yahoo addresses for other companies, I don't think ANY other company has the address that received these emails. This all narrows down things considerably. You also missed the point that I stopped receiving the viral-laden emails at the instant that they removed me from their address book. 
> > It would not be the first time they have > > flooded their contacts' inboxes with viruses like this - in August > > something quite similar happened and they admitted they were the > > source. > > www.academic-search.net = 210.48.1.214 > inetnum: 210.48.0.0 - 210.48.127.255 > netname: ICONZ-NZ > descr: ICONZ, Internet Service Provider > Mail for academic-search.net is handled by mx-f.maxnet.net.nz & > mx-us.maxnet.net.nz > The nameservice and incoming mail is handled by more than one provider. > How the outgoing is handled isn't apparent. > > Saying that 'they' admitted 'they' were the source isn't informative to > me. I doubt that you are saying that the website was the source. Their previous infection was with the W32/Bagle.AI@mm virus. The earliest Received line in those messages started: Received: from port54-17-53.adsl.maxnet.co.nz ([210.54.17.53] helo=server.com) by This is apparently not an open proxy - I guess the W32/Bagle.AI@mm virus is not as sophisticated as the W32/Netsky.Z@mm virus. But the headers did not lead me to decide conclusively that the company with the website http://www.academic-search.net was the source - although it led me to suspect them strongly. I was convinced when I forwarded them a list of the addresses in the From field for each message I received, and they admitted that every address was in their contacts list. They said they were sorry that being infected had caused everyone trouble, and then disinfected their systems. > When you are tracking a viral propagator, if you parse the headers > correctly, you should arrive at the source IP of the infected > propagator. Since the earliest Received line is obviously forged, as you can see in my original post, this is apparently not necessarily the case. From D.Gray at picture.oscar.wilde Tue May 10 17:13:36 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Tue May 10 11:15:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy?
References: Message-ID: In article , "Miss Betsy" wrote: > "Dorian Gray" wrote in message > news:D.Gray-87B3A7.02225910052005@news.cesmail.net... > > > How do we protect the world from internet menaces like this > > company? > > Offline when someone acts against the mores of the group, the > proper etiquette is to give them the 'cut direct' according to > Miss Manners. I'm not familiar with the phrase "cut direct", what does it mean? > the only way to stop obnoxious > behavior is to ignore it, to reject it at the server level if > possible. If not, to either report (politely) or delete. If this > is a company, then when no one gets their emails, perhaps that will > solve the problem. Unfortunately, there is little or no penalty for this company in this case, since the emails with the viruses do not appear to come from them. The people who are adversely affected are the recipients, and the innocent bystanders who get listed in the forged From: fields of the emails. There is not much to say that the emails came from an infected system in this company, so no-one blocks them. > Persistence is the key to assertive behavior that gets changes. > Assertiveness is always polite also. IOW, 'please stop sending > virmen, it is not a good practice for you or me,' repeatedly to as > high up in the company as you can reach if you are interested in > keeping them in business. I'm trying that - their response so far this time seems to be: "cease and desist or we could take action for defamation". I think their attitude is that because no-one can tell for sure that they are the source of these emails (and only some will be able to guess as I have), they don't have to care unless I tell the others of my suspicions. I think you understand my motives for contacting them - I was trying to help them out and help protect everyone in their address book at the same time. Since I think I know what was happening, I thought they would appreciate me telling them so they could fix it. 
But as I said above, they see my knowledge as the threat, rather than their infection, since no-one else knows about the latter. > Miss Betsy Thanks for that, and the rest of your post - it was well-considered. From MikeE at ster.invalid Tue May 10 09:18:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 11:20:03 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: indigo wrote: > I tried doing that, but still get the same error message: > > 05/10/05 10:36:32 SMTP Verify somebody@mycompany.com, at  > Host  doesn't exist, trying  instead > > Still doing something wrong...... Do you mean that nothing is inside that little box representing a non-printing char? "at  Host  doesn't exist, trying  instead" On my system, what goes into the 'box' after the 'at' is the mx for the domain I'm testing. If you aren't 'talking to' the mx, the transaction isn't going to take place. From an 'infrastructure' point of view, SS is taking the domainname of the address and finding out what its mx is and contacting that mx to start the script. So, the dns which SS is using would have to be working so as to get the mx, and you would have to have access out your port 25 to be able to talk to the mx. What happens if you try to telnet it? In the specific example of somebody@mycompany.com, there really is a mycompany.com and its mx is mailgate.kcl.net and if I try to verify the username somebody the mx refuses to verify or expand, but it offers to accept mail to somebody and it also offers to accept mail to a bogus37722. So, to connect to that mx by telnet, you could give the command telnet mailgate.kcl.net 25 [there's no colon between 'net' and '25' - just a space] When I do that, I'm talking to the mx for mycompany.com. If you can't do that, then I suspect your port 25 is blocked. If you can do that, I suspect something is funny with your SSwin situation.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue May 10 09:27:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 11:30:02 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Mike Easter wrote: > So, to connect to that mx by telnet, you could give the command > > telnet mailgate.kcl.net 25 That's using telnet from your run command. You can also just open up your telnet app and type in the values. If you do it by opening telnet, the run command would just be telnet, then the Connect menu/ Remote system - will give you a dialog to input hostname mailgate.kcl.net and then port 25. I used to do it that way, but the advantage of putting it on the Run commandline is that Run will remember the command, so you can use it again. Telnet will also remember recent functions, so that memory will be available in the Connect menu. There are better more powerful telnetters. I have never been a commandline kinda person. I much prefer scripts. Live commandlines make me crazy. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Tue May 10 17:36:33 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Tue May 10 11:40:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , "Mike Easter" wrote: > Dorian Gray wrote: > > care to offer a view on > > what I (really) said? > > No. I have no clue about what you are talking about. Thanks for your very first reply, which confirmed that 202.174.155.163 is an open proxy (in Bangladesh) and that beyond this, it is not possible *from the headers*, *without additional information* to determine the source. As you would have seen if you properly examined the headers I posted, 202.174.155.163 is the apparent source of the message, and the earliest Received line is forging so that the forged hostname makes it looks like the message came from the domain of the recipient address.
Everything else in the Received lines is legitimate and the regular path that my emails take, and I've munged things appropriately in the headers I provided. I never asked you or intended for you to confirm or discuss my "analysis" of the headers - there was nothing to discuss! From the headers, all I wanted to know was information about the 202.174.155.163, and since things cannot be tracked further, you can forget about the headers. Unfortunately, all of your other posts were full of presumptions and misunderstandings, and really didn't make much sense. My strong belief that this company is unwittingly the source of the virus-laden emails is not based on an analysis of the headers (and I thought that was clear), but rather is based on a history and various other clues, most of which I outlined for you to think about. You chose not to - your prerogative. From hans at salvisberg.invalid Tue May 10 19:38:02 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Tue May 10 12:30:04 2005 Subject: [SpamCop-List] Re: secure pop? In-Reply-To: References: Message-ID: Hi Ilgaz, Ilgaz wrote: > You have to use pop btw? IMAP with a good client designed for good > offline etc is more secure and really practical for spamcop features. > Held Mail is an IMAP folder for instance. Can you quick-report and/or queue for reporting from a Held Email IMAP folder? Hans From hans at salvisberg.invalid Tue May 10 19:38:06 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Tue May 10 12:30:19 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam In-Reply-To: References: Message-ID: Steven Maesslein wrote: > On Tue, 10 May 2005 12:16:20 +0200, Hans Salvisberg coughed into spamcop > and left this in : > > >>They declare their wish and give their email address when they sign up >>for membership, and I enter their address into the lists without any >>further confirmation. 
> > > What steps do you take to ensure that the e-mail address given by a > member actually belongs to that member? What you're describing sounds > like it would allow any new member to sign up with you and give someone > else's e-mail address, which is liable to get you blocklisted. We have the advantage of being a local group, and we usually know and have talked to the people who sign up. Also, membership is not free, and I have yet to hear of a case where someone PAID for the pleasure of signing up someone else's email address. Stretch didn't specifically say this, but since they send out regular paper mailings, I assume membership is not free. Also, it seems that his members sign up electronically, which would mean giving a credit card number, and who would give their credit card number to sign up someone else's email address? Hans From clewis at nortelnetworks.com Tue May 10 17:29:08 2005 From: clewis at nortelnetworks.com (Chris Lewis) Date: Tue May 10 12:30:25 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: According to Dorian Gray : > In article , > "Mike Easter" wrote: > > No. Viral propagations don't use open proxies to anoymize themselves. > I think maybe this one does. Exceedingly unlikely. While the IP may have a proxy on it, it's unlikely to be the _source_ of the virus. Given how many things individual machines get infected with, it should be no surprise that a given IP may be doing several different things at once. > > Dorian Gray wrote: > > That simply means that the propagation had access to such addies to put > > them into the To, From, envelope rcpt to or whatever. > The question is who would have such an address book, especially given > the concentration of New Zealand and Australian addresses in it. Anybody (like you) who received the last blast of these _may_ have all of them in their address books - especially those forged in the from lines. Depending on their addressbook collection parameters.
> Their previous infection was with the W32/Bagle.AI@mm virus. The > earliest Received line in those messages started: > Received: from port54-17-53.adsl.maxnet.co.nz ([210.54.17.53] > helo=server.com) > by > This is apparently not an open proxy - I guess the W32/Bagle.AI@mm virus > is not as sophisticated as the W32/Netsky.Z@mm virus. Ectually, it's the other way around. But not all viruses/proxies emit the same thing to the same people. > Since the earliest Received line is obviously forged, as you can see in > my original post, this is apparently not necessarily the case. The "by" IP isn't forged. If the received line was forged, there'd be more of them. -- Chris Lewis, Una confibula non set est It's not just anyone who gets a Starship Cruiser class named after them. From MikeE at ster.invalid Tue May 10 10:59:12 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 13:00:08 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > "Mike Easter" >> >>> Am I right in thinking this is some kind of anonymising open proxy >>> used by the virus email source? >> >> No. Viral propagations don't use open proxies to anoymize >> themselves. > > I think maybe this one does. It is that kind of thinking on your part that causes me to think that you think that someone is intentionally email virms. >> Dorian Gray wrote: >>> Recently I got a flood of viral-laden emails with various >>> strangers in the From: fields, all of whom were >>> English-speaking academics from various countries. >> >> That simply means that the propagation had access to such addies to >> put them into the To, From, envelope rcpt to or whatever. > > The question is who would have such an address book, especially given > the concentration of New Zealand and Australian addresses in it. I didn't say anything about an 'address book'. Modern virms don't use address books AB; that is, they don't /just/ use ABs. They scrape from everywhere. 
You should never suspect that when you get a virm that the propagator of your virm had you in the AB > The > other point is that NONE of my academic contacts have my address (the > one that received the virus emails) in their address book, Now I'm perceiving that 'thinking' that 'I can figure out who propagated me this virm by who has this address' -- don't try to do that. > because it > has effectively been obsolete for 3 years, and I informed all of my > academic contacts of my new address back then, and I have been in > contact with all of them using the new address. BUT I know that THIS > company still had my old address in their address books, and I since I > used to use yahoo addresses for other companies, I don't think ANY > other company has the address that received these emails. You are deriving improper conclusions based on your suspicions and some kind of logical applied to the old vs new address business. > This all narrows down things considerably. You also missed the point > that I stopped receiving the viral-laden emails at the instant that > they removed me from their address book. These 'points' are your points. I don't choose to share them. It isn't a matter of 'missing' - it is a matter of rejecting. > Since the earliest Received line is obviously forged, as you can see > in my original post, this is apparently not necessarily the case. I can't see anything from your original post that has to do with my knowing the earliest received line is obviously forged. I can't say anything about the received lines if I haven't seen them. All you provided was part of one munged line and I don't know whether that line was forged or real. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue May 10 14:27:46 2005 From: nobody at spamcop.net (Anti-Spam) Date: Tue May 10 13:30:04 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? 
References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-A3F3F9.16011810052005@news.cesmail.net... > In article , > "Mike Easter" wrote: > > > Dorian Gray wrote: > > > Recently I got a flood of viral-laden emails with various > > > strangers in the From: fields, all of whom were > > > English-speaking academics from various countries. > > > > That simply means that the propagation had access to such addies to put > > them into the To, From, envelope rcpt to or whatever. > > The question is who would have such an address book, especially given > the concentration of New Zealand and Australian addresses in it. The > other point is that NONE of my academic contacts have my address (the > one that received the virus emails) in their address book, because it > has effectively been obsolete for 3 years, and I informed all of my > academic contacts of my new address back then, and I have been in > contact with all of them using the new address. BUT I know that THIS > company still had my old address in their address books, and I since I > used to use yahoo addresses for other companies, I don't think ANY other > company has the address that received these emails. One issue you will have to live with (my condolences) is that there are viruses out there that also steal address books on the compromised machine, or search them for e-mail and compile a list of all senders and receivers, and send these to a server controlled by the virus author, which then shares this list with other copies of the virus, etc. Happened to me a few years back, where someone I knew got infected, and it's now been at least a couple of years since a virus has hit my filter from an address or even a domain I recognise. (i.e. I don't know anyone in es, br, mx, pt, or co, but most of the virii that try to get through my filter come from local ISPs in those countries.) -- Bring in the death penalty for repeat spammers. 
Non-functional spambait addr: thel26@clmgmbbjm.com (generated by Webpoison) From MikeE at ster.invalid Tue May 10 12:15:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 14:15:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Dorian Gray wrote: > Their previous infection was with the W32/Bagle.AI@mm virus. The > earliest Received line in those messages started: The earliest Received line may or may not be the source of an item. You seem to use that term as a method of communicating a 'description' of headers. I am typically suspicious that someone may have made a mistake in parsing headers if the conclusions they derive from their parsing are not logical -- as in the previous posts in this thread in which you are claiming that a NZ co. is somehow propagating thru' a Bangladesh open proxy. > Received: from port54-17-53.adsl.maxnet.co.nz ([210.54.17.53] > helo=server.com) > by That IP's 'relationship' is more consistent with the NZ website you mentioned earlier, because of the website's relationship with maxnet, as I described earlier. In this IP's situation, notifying the provider for the 210.54.17.53 rDNS port54-17-53.adsl.maxnet.co.nz is a little annoying because the provider for the domainnames for maxnet.co.nz and for netgate.net.nz don't give an abuse.net reg'd addy -- so you are left to fish around for the proper notify. I would notify those default postmasters and also Netgate's upstream provider; because a big outfit like netgate needs to have a good abuse address. That is, my gripe to netgate would be about the propagation of their user. My gripe to their upstream would be because they don't have a reg'd abuse address. route: 210.54.0.0/17 descr: NetGate Telecom New Zealand Limited origin: AS4648 notify: noc@netgate.net.nz whois -h whois.abuse.net netgate.net.nz ... 
No abuse address is registered with abuse.net Upstream Adjacent AS list AS10026 ANC Asia Netcom Corporation AS1239 SPRINTLINK - Sprint AS4637 REACH Reach Network Border AS I guess I would pick sprint. The whole idea is to get netgate to wish that you weren't 'pestering' sprint about netgate not having a good abuse address. > This is apparently not an open proxy - I guess the W32/Bagle.AI@mm > virus is not as sophisticated as the W32/Netsky.Z@mm virus. Both of those viruses propagate by using their own smtp engine. They don't have some kind of complex strategy of propagating thru' an open proxy. [However] It is common for some virus infections to open a backdoor which can lead to them becoming a trojan. Bagle opens up a 1080 backdoor. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue May 10 12:46:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 14:45:03 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: Corrections of several typo/s along the way Mike Easter wrote: > Viral propagations don't use open proxies to anoymize themselves. s/anoymize/anonymize/ you think that someone is intentionally email virms. s/email/emailing/ You are deriving improper conclusions based on your suspicions and some kind of logical applied to the old vs new address business. s/logical/logic/ I would notify those default postmasters Nah. 
I would notify abuse@global-gateway.net.nz postmaster@global-gateway.net.nz nic@global-gateway.net.nz I missed that in the initial evaluation of how to notify for 210.54.17.53 rDNS port54-17-53.adsl.maxnet.co.nz -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue May 10 13:05:49 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 15:05:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: Kenneth Loafman wrote: > It would help if instead of pointing to the FAQ itself, the poster > would point to the answer in the FAQ... Lots less to read. The ng/s could also be used as a place to 'pin' things. There could be a group for announcements which was restricted [or moderated or robomoderated] to just be for faq/ish things or updated faq/s or whatever. Items in there would of course have msgid/s and it would be very easy to refer to an item if there got to be dozens or scores of them. -- Mike Easter kibitzer, not SC admin From D.Gray at picture.oscar.wilde Tue May 10 21:12:34 2005 From: D.Gray at picture.oscar.wilde (Dorian Gray) Date: Tue May 10 15:15:02 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: In article , Dorian Gray wrote: > Unfortunately, there is little or no penalty for this company in this > case, since the emails with the viruses do not appear to come from them. I should clarify: by "do not *appear* to come from them", I meant "do not obviously (provably from headers) come from them", but as I made clear elsewhere, my strong belief is that the virus-laden email *do* actually come from them. > > Miss Betsy > > Thanks for that, and the rest of your post - it was well-considered. From zypher at spamcop.net Tue May 10 15:42:46 2005 From: zypher at spamcop.net (Ron B.) Date: Tue May 10 15:45:27 2005 Subject: [SpamCop-List] Stopping Spam (From Scientific American) Message-ID: Stopping Spam What can be done to stanch the flood of junk e-mail messages? 
By Joshua Goodman, David Heckerman and Robert Rounthwaite http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F From nobody at spamcop.net Tue May 10 17:28:44 2005 From: nobody at spamcop.net (indigo) Date: Tue May 10 16:30:04 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Mike Easter wrote: > > Do you mean that nothing is inside that little box representing a > non-printing char? > Nope. > "at  Host  doesn't exist, trying  instead" > > > What happens if you try to telnet it? I have never been able to get the built in winbloze telnet proggie to work -- it won't let me type any commands in the window! From MikeE at ster.invalid Tue May 10 14:38:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 16:40:04 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: indigo wrote: > I have never been able to get the built in winbloze telnet proggie to > work -- it won't let me type any commands in the window! Well, you can't type anything in there [the little console] until 'something is happening'. Let's just do this with the example I gave earlier. Click Start/ Run/ [appears an alert with an field available, into that field paste...] telnet mailgate.kcl.net 25 ... if your port 25 isn't blocked, your little telnet console will open up with the mx's answer... 220 mailgate.kcl.net ESMTP Postfix ... then you will be able to type something. If you type 'quit' then y'all disengage. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue May 10 14:44:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 16:45:04 2005 Subject: [SpamCop-List] Re: Email Address Finder at DNS Stuff References: Message-ID: Mike Easter wrote: > indigo wrote: >> I have never been able to get the built in winbloze telnet proggie to >> work -- it won't let me type any commands in the window! 
> > Well, you can't type anything in there [the little console] until > 'something is happening'. Oh, I forgot about a little bit of configuring. I have mine configured in this way: Telnet/ Terminal menu/ Preferences - these are checked Terminal options: local echo, blinking cursor, block cursor Emulation: VT-100/ANSI -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue May 10 20:10:02 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 19:15:11 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: Well, I guess that's why we're all entitled to our own opinions: ... > > How would you feel if I responded to every spamcop.geeks complaint about > an operating system with the advice to use my own favorite ? Even if > I were right on that subject, repeating something to those who had heard > it over and over again would be obnoxious. ===> ?? I was talking about giving only a link as a response, not people posting opinions. ?? If you were to always post just a URL as a response, if I was casually interested, I might skip your post. But, if I were more than casually interested, and no more verbose post was presented, then I'd go back and rethink using the link after all. If there's a reasonable length written response, that's a lot more efficient than jumping over to a web site and perusing for the information if I already have what I need and find it to be a usable response. ... >> it's the best of both worlds. It's just too easy to bypass Wazoo if I >> don't >> feel like just seeing a reference and not a verbose answer, but ... if >> it's >> MY question, I really appreciate both! The more similar responses, the >> better I feel about the accuracy and if they help me to interpret a >> reference, well, great; that just adds to my confidence level. > > Not all of us have that much reading time available. ===> It's time consuming to bypass Wazoo (or anyone else for that matter)? I don't understand. 
Please re-read what I've said rather than my reiterating it all here. Either you mis-understood my language, or we're stuck in a syntax loop. Any time it's MY question, I will make the time available if I need the answer badly enough. But I fail to see any way it requires "too much" reading time. What's quicker to read: A direct response which one finds is correct, or perusing a web site someone provided a link to? Both are good, and both have their places, and both are useful in different ways. Guess all I mean is, I fail to see your point, but it's no big deal, really. Like I said at the top ... Pop From nobody at devnull.spamcop.net Tue May 10 20:12:57 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 19:15:29 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: ... > It would help if instead of pointing to the FAQ itself, the poster would > point to the answer in the FAQ... Lots less to read. > > ...Ken > That's true, but in reality I think it's asking a lot of the poster to do that. I could easily and happily refer you to, say a netiquette RFC, but trying to tell you just where the newsgroup is mentioned would be more work than I was willing to do for someone else. The questioner really should be willing to do the footwork, don't you think, than to expect the responder to do it? Just my two cents, Pop From nobody at devnull.spamcop.net Tue May 10 20:16:23 2005 From: nobody at devnull.spamcop.net (Pop) Date: Tue May 10 19:20:02 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Mike Easter" wrote in message news:d5r0ii$hau$1@news.spamcop.net... > Kenneth Loafman wrote: >> It would help if instead of pointing to the FAQ itself, the poster >> would point to the answer in the FAQ... Lots less to read. > > The ng/s could also be used as a place to 'pin' things. 
There could be > a group for announcements which was restricted [or moderated or > robomoderated] to just be for faq/ish things or updated faq/s or > whatever. > > Items in there would of course have msgid/s and it would be very easy to > refer to an item if there got to be dozens or scores of them. > > -- > Mike Easter > kibitzer, not SC admin > Now, -that- would be great! Yeah, I know, some will complain it smells of a windows forum, but I still think that's a good way to do it. I mentioned same a few/several weeks back and was pretty promptly and roundly put down for it. Since I wasn't about to volunteer to do any of the actual work (not enough experience/resources or I'd be happy to), I quietly went away . But, it was and still is a good idea. Regards, Pop From sbb78247 at stilldon'tfuckincare.invalid Tue May 10 19:49:10 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Tue May 10 19:50:06 2005 Subject: [SpamCop-List] Re: fucking test References: Message-ID: and all of y'all can still go fuck yourself From sbb78247 at stilldon'tfuckincare.invalid Tue May 10 19:50:08 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Tue May 10 19:50:25 2005 Subject: [SpamCop-List] Re: and References: Message-ID: Steven Maesslein wrote: > On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and > left this in : > >> you all suck > > Spanked spammer? not even close Nigel and you still suck From sbb78247 at stilldon'tfuckincare.invalid Tue May 10 20:32:13 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Tue May 10 20:35:03 2005 Subject: [SpamCop-List] Re: and References: Message-ID: eddie wrote: > On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the > following: > >> you all suck > > awrrrrm that's so 16-year old and soooo verrrry 20th century > Only girly-men use "suck" these days. Real men know the new word. > Fried Spam smells so great, especially when one more sucker is dead. 
oh i am sorry that i didn't use the proper metrosexual faggot term. but you still suck or as you would have it, a large vaccuum that is only challenged by the space between your ears. you know being politically correct and all that shit From nobody at devnull.spamcop.net Tue May 10 22:16:16 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue May 10 22:15:03 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: "Ron B." wrote in message news:d5r2rm$ilm$1@news.spamcop.net... > > > > Stopping Spam > > > What can be done to stanch the flood of junk e-mail messages? > By Joshua Goodman, David Heckerman and Robert Rounthwaite > > > http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F Just goes to show you that scientists can be as dumb as the rest of the world. Miss Betsy From nobody at devnull.spamcop.net Tue May 10 22:25:32 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue May 10 22:25:03 2005 Subject: [SpamCop-List] Re: Getting beyond an open proxy? References: Message-ID: "Dorian Gray" wrote in message news:D.Gray-A22C5B.16133610052005@news.cesmail.net... > In article , > "Miss Betsy" wrote: > > > "Dorian Gray" wrote in message > > news:D.Gray-87B3A7.02225910052005@news.cesmail.net... > > > > > How do we protect the world from internet menaces like this > > > company? > > > > Offline when someone acts against the mores of the group, the > > proper etiquette is to give them the 'cut direct' according to > > Miss Manners. > > I'm not familiar with the phrase "cut direct", what does it mean? That means obviously ignoring the person, as in not acknowledging that they are there. > > the only way to stop obnoxious > > behavior is to ignore it, to reject it at the server level if > > possible. If not, to either report (politely) or delete. If this > > is a company, then when no one gets their emails, perhaps that will > > solve the problem. 
> > Unfortunately, there is little or no penalty for this company in this > case, since the emails with the viruses do not appear to come from them. > The people who are adversely affected are the recipients, and the > innocent bystanders who get listed in the forged From: fields of the > emails. There is not much to say that the emails came from an infected > system in this company, so no-one blocks them. The only trusted IP address is the address where the email was received from. If you know that, then you can definitely say it comes from them. If it isn't their IP address, then it doesn't come from them. Sometimes trojans do not use the usual port for email and virus activity is discovered by looking at other logs. Since I am not technically fluent, I am not quite sure what it is that you would tell them to look for. Still, the IP address is consistent. Perhaps you are saying that you think that someone in their organization is 'creating' the virus rather than just inadvertently propagating it. That is something that can be proven, but it takes real experts to track down. If you have evidence of that sort, you should be talking to law enforcement. Miss Betsy From nobody at devnull.spamcop.net Tue May 10 22:36:02 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue May 10 22:35:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Mike Easter" wrote in message news:d5r0ii$hau$1@news.spamcop.net... > Kenneth Loafman wrote: > > It would help if instead of pointing to the FAQ itself, the poster > > would point to the answer in the FAQ... Lots less to read. > > The ng/s could also be used as a place to 'pin' things. There could be > a group for announcements which was restricted [or moderated or > robomoderated] to just be for faq/ish things or updated faq/s or > whatever. > > Items in there would of course have msgid/s and it would be very easy to > refer to an item if there got to be dozens or scores of them.
Since I don't have a lot of experience with other ngs, I don't know how they work. In this particular one, however, IMHO, it doesn't hurt to have a FAQ answer now and then (or even a regular post). IMHO, the complainant voiced his opinion, but I don't agree with him. I agree with Kenneth that it was a waste of time to be given the 'whole' FAQ instead of the link to the answer, but as a source of information, it certainly isn't a bad answer and regulars can certainly skip over them (I often skipped Larry K's answers when I suspected they were just one of his templates). Miss Betsy From nobody at devnull.spamcop.net Tue May 10 22:40:17 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue May 10 22:35:26 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: Another argument is to ask them what they hope to accomplish with this mass mailing when it is obvious that most of the membership are not 'online' types? and don't even answer confirmation emails? They are going to magically read something else? Miss Betsy From eddie at eddie.web Tue May 10 23:48:59 2005 From: eddie at eddie.web (eddie) Date: Tue May 10 22:50:02 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: On Tue, 10 May 2005 14:42:46 -0500, Ron B. scratched out the following: > > > > Stopping Spam > > > What can be done to stanch the flood of junk e-mail messages? By Joshua > Goodman, David Heckerman and Robert Rounthwaite snip Scientific American has little or nothing to do with Science. Perhaps a long time ago it was a legit publication, but no longer. http://www.dartreview.com/issues/1.21.02/lomborg.html Like all other soft-science groups, their main goal, as Michael Crichton aptly put it is to create a "State of Fear." Crichton says that the dictum of the medial is to "simplify and exaggerate, just like Walt Disney told his cartoonists to do."
-- Once movie theaters gave out steak knives Today they confiscate them From eddie at eddie.web Tue May 10 23:50:55 2005 From: eddie at eddie.web (eddie) Date: Tue May 10 22:55:04 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Tue, 10 May 2005 19:32:13 -0500, sbb78247 scratched out the following: > eddie wrote: >> On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the >> following: >> >>> you all suck >> >> awrrrrm that's so 16-year old and soooo verrrry 20th century Only >> girly-men use "suck" these days. Real men know the new word. Fried Spam >> smells so great, especially when one more sucker is dead. > > oh i am sorry that i didn't use the proper metrosexual faggot term. but > you still suck or as you would have it, a large vaccuum that is only > challenged by the space between your ears. you know being politically > correct and all that shit Gotcha! Why you can't even spell vacuum, you moron. I take it back, your aren't even 16, you are probably closer to 12, studying cucumbers in class. -- Once movie theaters gave out steak knives Today they confiscate them From eddie at eddie.web Tue May 10 23:51:46 2005 From: eddie at eddie.web (eddie) Date: Tue May 10 22:55:17 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Tue, 10 May 2005 18:50:08 -0500, sbb78247 scratched out the following: > Steven Maesslein wrote: >> On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and >> left this in : >> >>> you all suck >> >> Spanked spammer? > > not even close Nigel > > and you still suck Sucking may be cool, but man, you blow. -- Once movie theaters gave out steak knives Today they confiscate them From MikeE at ster.invalid Tue May 10 21:43:36 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 10 23:45:05 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: Ron B. wrote: > Stopping Spam > What can be done to stanch the flood of junk e-mail messages? 
> By Joshua Goodman, David Heckerman and Robert Rounthwaite > > http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F I tho't it was a well written article. I had never heard of the authors, here's what SciAm sez about them: JOSHUA GOODMAN, DAVID HECKERMAN and ROBERT ROUNTHWAITE have worked together on ways to stop spam for many years. Heckerman and Rounthwaite, with others, created the first machine-learning spam filter in 1997. Heckerman manages the Machine Learning and Applied Statistics (MLAS) group at Microsoft Research. Goodman and Rounthwaite helped to organize the Microsoft product team that delivers the anti-spam technologies deployed in Exchange, Outlook, MSN and Hotmail. Rounthwaite is currently the group's chief architect. Goodman is a member of the MLAS team and does research on spam and e-mail-related topics. Miss Betsy wrote: > Just goes to show you that scientists can be as dumb as the rest of > the world. How do you mean? The thread isn't about SciAm spam, it is a pointer to the article. Did you mean the article was dumb? eddie wrote: > Scientific American has little or nothing to do with Science. > Perhaps a long time ago it was a legit publication, but no longer. SciAm has always been about writing about science for some subset of the masses -- its science is pretty good. The issues of what is and what is not junk science to further a political agenda is a complicated subject. > http://www.dartreview.com/issues/1.21.02/lomborg.html I haven't read the articles from that 2002 Jan SciAm - but clearly that editorialist had an agenda. You can't discredit SciAm just because you have a point of view about the environment and global warming that differs with some scientific points of view put forward in that edition. The editorialist was a fan of a book he was 'featuring' in the article. The authors and articles in SciAm apparently weren't. 
> Like all other soft-science groups, their main goal, as Michael > Crichton aptly put it is to create a "State of Fear." Crichton says > that the dictum of the medial is to "simplify and exaggerate, just > like Walt Disney told his cartoonists to do." There is both political and real science and junk science promulgated on both sides of the global warming debate. A smart scientist would keep an open mind to both sides of the argument and watch out for junk science, it is very misleading. Incidentally; there's another interesting article in the May issue, His Brain, Her Brain - which fortunately is available in its entirety online, not just a teaser version http://www.sciam.com/article.cfm?chanID=sa006&articleID=000363E3-1806-1264-980683414B7F0000 -- Mike Easter kibitzer, not SC admin From cchamb2 at qwest.net Tue May 10 22:05:28 2005 From: cchamb2 at qwest.net (Charles Chambers) Date: Wed May 11 00:05:11 2005 Subject: [SpamCop-List] Re: E-mail reporting References: Message-ID: "Charles Chambers" wrote in message news:d5lhg8$hsl$1@news.spamcop.net... > Anyone noticed that e-mail reporting now has a lower priority than > web-based reporting? > > I submit spam through the web interface, and I can confirm it in about 15 > seconds. I submit through e-mail, and I may have a 10 minute wait until > SpamCop has processed it. Not a problem. I can be patient. It's just that I *am* glued to my browser when I'm bouncing phishing spam - the e-mail forwarding process is used when I'm checking my Yahoo mail. OE spam goes through the web interface. From zypher at spamcop.net Wed May 11 00:26:16 2005 From: zypher at spamcop.net (Ron B.) Date: Wed May 11 00:30:04 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) In-Reply-To: References: Message-ID: eddie wrote: > On Tue, 10 May 2005 14:42:46 -0500, Ron B. scratched out the following: > > >> >> >>Stopping Spam >> >> >>What can be done to stanch the flood of junk e-mail messages? 
By Joshua >>Goodman, David Heckerman and Robert Rounthwaite > > snip > > Scientific American has little or nothing to do with Science. > Perhaps a long time ago it was a legit publication, but no longer. > http://www.dartreview.com/issues/1.21.02/lomborg.html > Like all other soft-science groups, their main goal, as Michael Crichton > aptly put it is to create a "State of Fear." Crichton says that the dictum > of the medial is to "simplify and exaggerate, just like Walt Disney told > his cartoonists to do." > Did you actually read the article? From zypher at spamcop.net Wed May 11 00:27:25 2005 From: zypher at spamcop.net (Ron B.) Date: Wed May 11 00:30:19 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) In-Reply-To: References: Message-ID: Miss Betsy wrote: > "Ron B." wrote in message > news:d5r2rm$ilm$1@news.spamcop.net... > >> >> >>Stopping Spam >> >> >>What can be done to stanch the flood of junk e-mail messages? >>By Joshua Goodman, David Heckerman and Robert Rounthwaite >> >> >> > > http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F > > Just goes to show you that scientists can be as dumb as the rest of > the world. > > Miss Betsy > > Really? In what ways were the authors "... dumb as the rest of the world."? From baloo at ursine.ca Tue May 10 22:55:07 2005 From: baloo at ursine.ca (Paul Johnson) Date: Wed May 11 01:10:03 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: http://ursine.ca/Top_Posting Mike Easter wrote: > I had never heard of the authors, here's what SciAm sez about them: You do realize that the biographical blurbs are written by the authors of the article and not the editor or publisher, right? > Heckerman manages the Machine Learning and Applied Statistics (MLAS) > group at Microsoft Research.
I have a hard time believing such a department exists, and if it does, it helps explain why Microsoft can't be bothered to fix security problems with its operating systems that have existed since 1981. > Goodman and Rounthwaite helped to organize the Microsoft product team that > delivers the anti-spam technologies deployed in Exchange, Outlook, MSN and > Hotmail. Oh, yeah, blocking mail based on the From: header really works... -- Paul Johnson Email and Instant Messenger (Jabber): baloo@ursine.ca http://ursine.ca/~baloo/ From zypher at spamcop.net Wed May 11 01:20:04 2005 From: zypher at spamcop.net (Ron B.) Date: Wed May 11 01:25:03 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) In-Reply-To: References: Message-ID: Paul Johnson wrote: > http://ursine.ca/Top_Posting > > Mike Easter wrote: > > >>I had never heard of the authors, here's what SciAm sez about them: > > > You do realize that the biographical blurbs are written by the authors of > the article and not the editor or publisher, right? > > >>Heckerman manages the Machine Learning and Applied Statistics (MLAS) >>group at Microsoft Research. > > > I have a hard time believing such a department exists, and if it does, it > helps explain why Microsoft can't be bothered to fix security problems with > its operating systems that have existed since 1981. > > >>Goodman and Rounthwaite helped to organize the Microsoft product team that >>delivers the anti-spam technologies deployed in Exchange, Outlook, MSN and >>Hotmail. > > > Oh, yeah, blocking mail based on the From: header really works... > Um, have _you_ actually read the article? From nobody at spamcop.net Wed May 11 04:04:57 2005 From: nobody at spamcop.net (Claudio Valderrama C.) Date: Wed May 11 03:05:05 2005 Subject: [SpamCop-List] Intermitent problem with bora.net Message-ID: Hello. I want to know if someone else has been observing this astray behavior.
Take this URL, for example: http://members.spamcop.net/sc?id=z762161327z10fc569dff3bf9d5ac21bbbef74989a6z You'll observe that it detected security at bora.net and from abuse.net, abuse at bora.net, so far so good. However, the following problem seems to happen daily or near 24 hours: when the lart should be sent to that address, SC detects that the IP is from bora.net, but tries to send to something like users123 at bora.net (I don't remember the exact account name) It doesn't attempt to contact abuse.net either. Then I have to refresh the contact information. Then SC discovers security at bora.net and gets abuse at bora.net from abuse.net. It works on all emails I'm reporting. I close the session, etc. The next day, some of the spam again comes from the domain and again SC gives that strange address resembling users123 at bora.net until I ask it to refresh the cached information. It has happened three days already. Is it normal? It seems that the SC parser is doing strange things the last weeks. I see several people having trouble with addresses SC doesn't resolve (even though I insist two times) but that you manually can resolve. C. -- Claudio Valderrama C. www.cvalde.net - www.firebirdSql.org From mrichter at cpl.net Wed May 11 01:41:11 2005 From: mrichter at cpl.net (Mike Richter) Date: Wed May 11 03:45:03 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) In-Reply-To: References: Message-ID: Ron B. wrote: > > > Stopping Spam > > > What can be done to stanch the flood of junk e-mail messages? > By Joshua Goodman, David Heckerman and Robert Rounthwaite > > > http://www.sciam.com/article.cfm?chanID=sa006&colID=1&articleID=000F3A4B-BF70-1238-BF7083414B7FFE9F Logical enough, but whether it proves practical and then salable are open questions. 'Selling' Bayesian filters is tough enough and they are easier to feed. 
Of course, it cures only the symptom of spam arriving in the IN box; unless most people sign up to the approach, it will do nothing noticeable about the spew on the Internet. Mike -- mrichter@cpl.net http://www.mrichter.com/ From nobody at devnull.spamcop.net Wed May 11 04:05:27 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed May 11 04:10:02 2005 Subject: [SpamCop-List] Re: secure pop? References: Message-ID: "Russell E. Owen" wrote in message news:mailman.151.1115674997.4572.spamcop-list@news.spamcop.net... > In article , > "WazoO" wrote: > > > On another foray to drag yet another user to the SpamCop e-mail > > support areas .... try the spamcop.mail newsgroup (so little traffic > > it was asked recently if it really existed) or head over to the Forum. > > Don't know how you are logging in now, but for a bit of an indirect > > answer, see > > http://forum.spamcop.net/forums/index.php?showtopic=1579&view=findpost&p=10197 > > that discussion also includes a link to a Jeff G. entry about setting > > things up at http://forum.spamcop.net/forums/index.php?showtopic=152 > > That's great! > > For anyone else who was wondering. the first link says spamcop pop > supports SSL. And indeed it does. Once I told Eudora to use the > alternate port SSL started working. > > Regarding the 2nd link (about setting things up), I did not see anything > about SSL. It'd be nice if SSL info was added to the standard "how to > set things up" page. Done. I edited that entry later that day, amazed that in over a year no one had pointed out a typo in the URL for the SSL connection ... Talked to Jeff G. last night, he edited it some more, adding in some data. Think it needs more? From MikeE at ster.invalid Wed May 11 04:20:23 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 11 06:20:03 2005 Subject: [SpamCop-List] Re: Intermitent problem with bora.net References: Message-ID: Claudio Valderrama C. 
wrote:

spamcop.net/sc?id=z762161327z10fc569dff3bf9d5ac21bbbef74989a6z

> You'll observe that it detected security at bora.net and from
> abuse.net, abuse at bora.net, so far so good.

The strategy SC employs should be explained/described for this.

This is a spam sourced from 61.35.132.217 no rDNS which is

inetnum: 61.35.132.192 - 61.35.132.255
netname: KOREANA4033336D

If you look at the contact information in apnic you get
KJ92-AP = b4033336@users.bora.net

whois -h whois.abuse.net users.bora.net
...
abuse@bora.net

If SC were to use the abuse/tech contact it would be kj92, else abuse.

OTOH - it is SC's routine to go past apnic to krnic or nic.or.kr

The contact info at krnic is
[ ISP Network Abuse Contact Information ]
E-mail : security@bora.net
and admin/tech are ipadm@nic.bora.net

Also the org sez
Org Name : DACOM Corporation
Service Name : BORANET

> However, the following problem seems to happen daily or near 24
> hours: when the lart should be sent to that address, SC detects that
> the IP is from bora.net, but tries to send to something like
> users123 at bora.net (I don't remember the exact account name)
> It doesn't attempt to contact abuse.net either.

This pasting from the verbose information may explain some steps:

Tracking details
Display data: <== link here
"whois 61.35.132.217@whois.arin.net" (Getting contact from whois.arin.net )
Redirect to apnic:
"whois 61.35.132.217@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data: <== link here
whois.apnic.net redirects to krnic
Display data: <== link here
"whois 61.35.132.217@whois.krnic.net" (Getting contact from whois.krnic.net)
(old krnic)
Found ISP IP Admin Contact Information : ipadm@nic.bora.net
Found ISP IP Tech Contact Information : ipadm@nic.bora.net
Found ISP Network Abuse Contact Information : security@bora.net
Assuming /24 network for cache whois: 61.35.132.0 - 61.35.132.255 : ipadm@nic.bora.net, security@bora.net
Routing details for 61.35.132.217
De-referencing ipadm@nic.bora.net
abuse net bora.net = abuse@bora.net
Using abuse net on security@bora.net
abuse net bora.net = abuse@bora.net
Using best contacts abuse@bora.net

> Then I have to refresh the contact information. Then SC discovers
> security at bora.net and gets abuse at bora.net from abuse.net.
> It works on all emails I'm reporting. I close the session, etc. The
> next day, some of the spam again comes from the domain and again SC
> gives that strange address resembling users123 at bora.net until I
> ask it to refresh the cached information.
> It has happened three days already.
> Is it normal?

There are several different results you could get depending upon the cache and the accessibility of registrars.

> It seems that the SC parser is doing strange things the last weeks. I
> see several people having trouble with addresses SC doesn't resolve
> (even though I insist two times) but that you manually can resolve.

The business about problems resolving body urls is another matter altogether.

--
Mike Easter
kibitzer, not SC admin

From hans at salvisberg.invalid Wed May 11 13:45:03 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Wed May 11 06:35:05 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
In-Reply-To:
References:
Message-ID:

Stretch wrote:
> I changed the list server to just enroll people without a confirmation.
> We still only have 12 people out of the 800. Most of these people are
> not technical and I'm constantly holding their hands to login to the
> site.

Now you'll have another problem (there's always one more, isn't there...): the mailboxes of this type of audience tend to get full or otherwise cease to work. My mailer removes them after four bounces in a row (should be tuned to your traffic). There's only so much we can do at our end.

Also, there'll always be one on the list that catches the latest worm, so you have to be careful about what email addresses you send over the list.

Hans

From bar_n0ne at hotmail.com Wed May 11 15:44:22 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed May 11 06:45:05 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell
References:
Message-ID:

"Cat" wrote in message news:d5693r$gdb$1@news.spamcop.net...

SNIP
.
> After three more SBC spams copied to Dawn S, the SBC spew stopped, and
> I've started getting the same spam through XO now.

This guy just moves around with impunity, 5 or more turdlets a day, all SOS, product testing , free this and that, rate the shops, free-- whateverrs (now including kitchen and garden appliances)

Contact is still contact@hotteststuffaround.com

Registrar has been changed to names4ever, but the names have been recycled, using topserver.com, freeserving.com and others, nameservice from ns1/2.lockingpoint.com.

Whoa007 has some kind of ROKSO listing.

spew server and web hoster is 69.67.72.* ( don't know how to express it as a /whatever Can't anyone run him over with a heavy vehicle when he checks his mail in Laval Quebec? From bar_n0ne at hotmail.com Wed May 11 15:48:41 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed May 11 06:50:04 2005 Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell References: Message-ID: OOPS "Berny" wrote in message news:d5snme$jg8$1@news.spamcop.net... > > "Cat" wrote in message > news:d5693r$gdb$1@news.spamcop.net... > > SNIP > . > > After three more SBC spams copied to Dawn S, the SBC spew stopped, and > > I've started getting the same spam through XO now. > > This guy just moves around with impunity, 5 or more turdlets a day, all SOS, > product testing , free this and that, rate the shops, free-- whateverrs (now > including kitchen and garden appliances) > OOPs > Contact is still contact@hotteststuffaround.com WRONG Should read:: thehottestthingaround.com > > Registrar has been changed to names4ever, but the names have been recycled, > using topserver.com, freeserving.com and others, nameservice from > ns1/2.lockingpoint.com. > > Whoa007 has some kind of ROKSO listing. > > spew server and web hoster is 69.67.72.* ( don't know how to express it as a > /whatever > > Can't anyone run him over with a heavy vehicle when he checks his mail in > Laval Quebec? > > From sbb78247 at stilldon'tfuckincare.invalid Wed May 11 07:06:12 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Wed May 11 07:10:05 2005 Subject: [SpamCop-List] Re: and References: Message-ID: eddie wrote: > On Tue, 10 May 2005 18:50:08 -0500, sbb78247 scratched out the > following: > >> Steven Maesslein wrote: >>> On Sun, 8 May 2005 22:00:28 -0500, sbb78247 coughed into spamcop and >>> left this in : >>> >>>> you all suck >>> >>> Spanked spammer? >> >> not even close Nigel >> >> and you still suck > > Sucking may be cool, but man, you blow. 
said the expert From sbb78247 at stilldon'tfuckincare.invalid Wed May 11 07:05:27 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Wed May 11 07:10:22 2005 Subject: [SpamCop-List] Re: and References: Message-ID: eddie wrote: > On Tue, 10 May 2005 19:32:13 -0500, sbb78247 scratched out the > following: > >> eddie wrote: >>> On Sun, 08 May 2005 22:00:28 -0500, sbb78247 scratched out the >>> following: >>> >>>> you all suck >>> >>> awrrrrm that's so 16-year old and soooo verrrry 20th century Only >>> girly-men use "suck" these days. Real men know the new word. Fried >>> Spam smells so great, especially when one more sucker is dead. >> >> oh i am sorry that i didn't use the proper metrosexual faggot term. >> but you still suck or as you would have it, a large vaccuum that is >> only challenged by the space between your ears. you know being >> politically correct and all that shit > > Gotcha! > Why you can't even spell vacuum, you moron. I take it back, your > aren't even 16, you are probably closer to 12, studying cucumbers in > class. OH MY a spell lamer! You know, I caught the end of your movie last night on the satelite - Eddie and the Loosers, i mean Cruisers From nobody at nowhere.invalid Wed May 11 15:32:41 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed May 11 08:35:03 2005 Subject: [SpamCop-List] Re: and References: Message-ID: On Wed, 11 May 2005 06:05:27 -0500, sbb78247 coughed into spamcop and left this in : > You know, I caught the end of your movie last night on the satelite - Eddie > and the Loosers, i mean Cruisers Speaking of luzers, [spamcop, spamcop.*] Score:: =-9999 %Expires: From: "Heid." Path: \.MISMATCH! Buh bye :) -- Steve Windows is.... A 32-bit extension to a 16-bit graphical interface, sitting on an 8-bit operating system, originally written for a 4-bit processor by a 2-bit company without ONE BIT of common sense. 
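
Added example, not part of any post in this digest: a simplified model of the lookup Mike Easter walks through in the bora.net tracking details earlier (ARIN to APNIC to KRNIC referral, abuse.net dereference, /24 cache), showing how registrar reachability plus the cache can pin a report to a different address until a refresh. It is not SpamCop's code; the fallback rule, the `use_abuse_net` switch and all function names are assumptions, and the registry data is constructed from the addresses quoted in that post.

```python
import ipaddress

# Constructed registry records for 61.35.132.217, using values quoted in the thread.
REGISTRIES = {
    "whois.arin.net": {"refer": "whois.apnic.net", "contacts": {}},
    "whois.apnic.net": {
        "refer": "whois.krnic.net",
        "contacts": {"tech": "b4033336@users.bora.net"},  # KJ92-AP
    },
    "whois.krnic.net": {
        "refer": None,
        "contacts": {
            "admin": "ipadm@nic.bora.net",
            "tech": "ipadm@nic.bora.net",
            "abuse": "security@bora.net",
        },
    },
}

# abuse.net-style map from a registered domain to its abuse desk.
ABUSE_NET = {"bora.net": "abuse@bora.net"}


def registered_domain(address):
    """Last two labels of the mail domain (sufficient for the sample data)."""
    return ".".join(address.rsplit("@", 1)[1].split(".")[-2:])


def walk_referrals(start, reachable):
    """Follow referrals from `start` and return the contacts of the deepest
    registry that answered. Assumption: an unreachable registry ends the walk
    and the last contacts seen are used."""
    server, best = start, {}
    while server is not None and server in reachable:
        record = REGISTRIES[server]
        if record["contacts"]:
            best = record["contacts"]
        server = record["refer"]
    return best


class ContactResolver:
    """Resolves report addresses and caches them per /24, as the
    'Assuming /24 network for cache' line in the tracking details suggests."""

    def __init__(self):
        self.cache = {}  # /24 network -> list of report addresses

    def resolve(self, ip, reachable, use_abuse_net=True, refresh=False):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        if not refresh and net in self.cache:
            return self.cache[net]          # cached answer, possibly stale
        contacts = walk_referrals("whois.arin.net", reachable)
        addresses = sorted(set(contacts.values()))
        if use_abuse_net:
            # De-reference every registry contact through the abuse.net map.
            addresses = sorted(
                {ABUSE_NET.get(registered_domain(a), a) for a in addresses}
            )
        self.cache[net] = addresses
        return addresses


def demo():
    """Replay the reporter's experience: stale address, then a refresh."""
    everything = set(REGISTRIES)
    resolver = ContactResolver()
    # Day 1: KRNIC does not answer and the registry contact is used directly.
    stale = resolver.resolve(
        "61.35.132.217", everything - {"whois.krnic.net"}, use_abuse_net=False
    )
    # Day 2: another IP in the same /24 is served from the cache.
    cached = resolver.resolve("61.35.132.200", everything)
    # The reporter asks for a refresh and the full chain is walked again.
    fresh = resolver.resolve("61.35.132.200", everything, refresh=True)
    return stale, cached, fresh


if __name__ == "__main__":
    for label, value in zip(("stale", "cached", "fresh"), demo()):
        print(label, value)
```
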

From nobody at spamcop.net Wed May 11 10:24:38 2005
From: nobody at spamcop.net (Mike Nuss)
Date: Wed May 11 09:25:05 2005
Subject: [SpamCop-List] Can't read ISP's reply
Message-ID:

I don't speak Portuguese, but the administrator seems to be saying that they are not responsible for the IP address the spam came from. Is this a spamcop routing issue or is it that these people can't manage their netblock?

It looks like the person Spamcop sent the report to forwarded it to Mr. Martinez, who is claiming it is not his IP. I can't make out most of this so it's hard to tell what's going on - maybe someone who can read Portuguese could elaborate?

This is the message I received:

-------------------------
As previously stated, we are no longer responsible for the IP in question!

Marcelo Martinez
Network Administration / I.T. Security
U.O. Information Technology
Tel.: +55 11.3177.4631
Fax.: +55 11.3177.4569
martinez@sebraesp.com.br

-----Original message-----
From: Security-Embratel [mailto:abuse@embratel.net.br]
Sent: Tuesday, 10 May 2005 18:31
To: DnsAdmin
Cc: 1421860354@reports.spamcop.net
Subject: [Spam-c #844913] [SpamCop (200.231.248.135) id:1421860354]

Dear administrator,

We received the message below, complaining about SPAM/UCE originating from your network.

Please analyze the content of the complaint, identifying the user who is making ABUSIVE/UNAUTHORIZED USE of network resources, and/or the use of server(s) as a relay for sending SPAM/UCE. We request that appropriate measures be taken to curb such behavior.

Please keep the EMBRATEL Internet Security Team informed of your actions by sending e-mail to (spamc@embratel.net.br), keeping the original Subject of this message. It is important that you respond to this incident, because our system will send a copy to the originator of the complaint.

Thank you in advance,

=================================================================
Internet Security Team
Network Operation Center
EMBRATEL - BRAZIL
_____________________________________________

[received by email]

From 1421860354.af22a1c8@bounces.spamcop.net Tue May 10 18:30:32 2005
Received: from wks05.rjo.embratel.net.br (wks05.rjo.embratel.net.br [200.255.253.239])
 by srv05.embratel.net.br (8.11.6/8.11.6/EBT) with ESMTP id j4ALUWK26531
 for ; Tue, 10 May 2005 18:30:32 -0300
Received: by wks05.rjo.embratel.net.br (Postfix)
 id ED71D106D4; Tue, 10 May 2005 18:30:32 -0300 (EST)
Received: from vmx2.spamcop.net (vmx2.spamcop.net [64.74.133.250])
 by wks05.rjo.embratel.net.br (Postfix) with ESMTP id 2E3711066F
 for ; Tue, 10 May 2005 18:30:31 -0300 (EST)
Received: from sc-app5.eq.ironport.com (HELO spamcop.net) (192.168.19.205)
 by vmx2.spamcop.net with SMTP; 10 May 2005 14:30:30 -0700
From: "Michael Nuss" <1421860354@reports.spamcop.net>
To: spamc@embratel.net.br
Subject: [SpamCop (200.231.248.135) id:1421860354]
Precedence: list
Message-ID:
Date: 10 May 2005 17:24:19 -0000
X-SpamCop-sourceip:
X-Mailer: http://www.spamcop.net/ v1.446
X-OSBF-Lua-Version: 1.0b12
X-OSBF-Lua-Score: 1000.00/0.00

>From: "Michael Nuss" <1421860354@reports.spamcop.net>
>To: spamc@embratel.net.br
>Subject: [SpamCop (200.231.248.135) id:1421860354]

[ SpamCop V1.446 ]
This message is brief for your comfort. Please use links below for details.

Email from 200.231.248.135 / 10 May 2005 17:24:19 -0000
http://www.spamcop.net/w3m?i=z1421860354zaf22a1c8f8381368591d786017406561z

200.231.248.135 is open proxy, see:
http://www.spamcop.net/mky-proxies.html

[ Offending message ]
Return-Path:
Delivered-To: x
Received: (qmail 25735 invoked from network); 10 May 2005 17:24:21 -0000
Received: from unknown (192.168.1.101)
 by blade4.cesmail.net with QMQP; 10 May 2005 17:24:21 -0000
Received: from tehun.pair.com (209.68.2.71)
 by mailgate.cesmail.net with SMTP; 10 May 2005 17:24:21 -0000
Received: (qmail 471 invoked by uid 3379); 10 May 2005 17:24:21 -0000
Delivered-To: nmx-fromtheshadows:net-x
Received: (qmail 453 invoked from network); 10 May 2005 17:24:19 -0000
Received: from unknown (HELO 209.68.2.71) (200.231.248.135)
 by tehun.pair.com with SMTP; 10 May 2005 17:24:19 -0000
Received: from castigate.fresh.de ([213.130.63.233])
 by continuant.freeze.com (InterMail vK.4.04.00.00 909-602-860 license 142609cy34tb5hdj1wl019a5l52j8n19)
 with ESMTP id <20036429298958.BOZG313.continuant@castigate.fresh.de>
 for ; Tue, 10 May 2005 13:20:40 -0500
Received: from Callie ([202.59.169.10])
 by castigate.fresh.de (iPlanet Messaging Server 5.2 HotFix 1.14 (built Mar 18 2003))
 with ESMTPA id <0BXW005ALKZ6[2
X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on blade4
X-Spam-Level: ***
X-Spam-Status: hits=3.7 tests=MISSING_DATE,MISSING_SUBJECT,
 RCVD_HELO_IP_MISMATCH,RCVD_NUMERIC_HELO version=3.0.2
X-SpamCop-Checked: 192.168.1.101 209.68.2.71 209.68.2.71 200.231.248.135
X-SpamCop-Disposition: Blocked brazil.blackholes.us

From Kilgallen at SpamCop.net Wed May 11 09:40:28 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed May 11 09:45:28 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References:
Message-ID: <3oHCCtYCax5X@eisner.encompasserve.org>

In article , "Pop" writes:
> Well, I guess that's why we're all entitled to our own opinions:
> ...
>>
>> How would you feel if I responded to every spamcop.geeks complaint about
>> an operating system with the advice to use my own favorite ? Even if
>> I were right on that subject, repeating something to those who had heard
>> it over and over again would be obnoxious.
> ===> ?? I was talking about giving only a link as a response, not people
> posting opinions. ??

Some of us took it that you were talking about redirecting people elsewhere as part of an effort to "convert" people to the other tool. The poster has repeatedly done that.

I do hope someone is regularly cluttering up the web forums with exhortations to switch to the NNTP newsgroups. But I am not about to check.

From sam at logan1.loganet.net Wed May 11 09:34:33 2005
From: sam at logan1.loganet.net (Sam)
Date: Wed May 11 09:48:54 2005
Subject: [SpamCop-List] Re: and
In-Reply-To:
Message-ID:

:0
* ^From:.sbb78247
/dev/null

plonk

--
Sam Morris, Owner
Loganet Internet Service
Logan IA, United States of America
712-644-3578

From kjz at despammed.com Wed May 11 16:59:59 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Wed May 11 10:00:03 2005
Subject: [SpamCop-List] Re: Anyone from =?iso-8859-1?q?W=FCrzburg=2C_Germany=3F_Is_it_legal_to_peddle_pre?= =?iso-8859-1?q?scription_drugs_over_the_Internet_in_Germany=3F?=
In-Reply-To:
References:
Message-ID:

Hans Salvisberg wrote:
> http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz
>
> spamvertises elongates.net, which belongs to Helmut Fischer in Würzburg:

I got the same spam and it has some characteristics which point to Leo Kuvayev in Russia as the real originator.

- kjz

From hans at salvisberg.invalid Wed May 11 17:25:52 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Wed May 11 10:15:12 2005
Subject: [SpamCop-List] Who to Notify?
In-Reply-To:
References:
Message-ID:

Hi Mike,

Thanks for your heuristics re SC weblink resolution.

Mike Easter wrote:
> My notifies would be the non-responsive webrider, the parent and router
> rtcomm, the piracy business which would be the various general
> antipiracy groups plus the specifics for the ones being marketed, Adobe,
> MS, and others.

If you notify anti-piracy groups (I did), does it make sense to notify the provider at the same time? Ideally, if the latter does their job, the website might be gone when the former get around to take a look.

And if the former do their job, they'll contact the provider, and if their clout doesn't knock the site off the Internet, I can save my breath...

Hans

From jay at Advertisnet.com Wed May 11 10:17:40 2005
From: jay at Advertisnet.com (JHT4)
Date: Wed May 11 10:20:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

I also found our authenticating outbound smtp server 216.176.166.220 blocked for 1 hour last night about 9pm central us, with no info given for us to track down the guilty customer.

Mike, could you lookup our ip the way you did David's?

Or is there an appropriate interface/process for this?

Thanks,
Jay Teutenberg

"Mike Easter" wrote in message news:d4uhio$c4k$1@news.spamcop.net...
> David Rubinstein wrote:
>> I need some help, we have a user somewhere on our servers that is
>> sending mail to spam traps. Our servers are setup to identify every
>> piece of mail with a UID/GID in the headers, if you could kindly
>> lookup who is causing the spam trap block I would appreciate it.
>>
>> web19.thehostingnet.com 66.6.223.34
>
> I'm not a deputy, but until one comes along I'll kibitz.
>
> 66.6.223.34 rDNS web19.thehostingnet.com is not currently SC
> blocklisted according to the web based SCbl lookup^1, in spite of the
> fact that external db lookups such dnsstuff and senderbase show it to be
> SCbl/ed when I looked at 4:49 PM PDT (-0700 UTC)
>
> http://www.spamcop.net/w3m?action=checkblock&ip=66.6.223.34
>
> The parser is designed to not name the server if there is a user IP
> 'behind' the item. Typically servers get named because of backscatter;
> misdirected bouncing to bogus spam Froms, out of office autoresponders
> to bogus Froms, viral propagation notifications to bogus Froms.
>
> If your server makes newmails addressed to Froms under any of those
> circumstances, that will get the server listed. See
> http://www.spamcop.net/fom-serve/cache/14.html Messages which may be
> reported:
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From MikeE at ster.invalid Wed May 11 08:37:35 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 11 10:40:14 2005
Subject: [SpamCop-List] Re: Can't read ISP's reply
References:
Message-ID:

Mike Nuss wrote:
> I don't speak Portuguese, but the administrator seems to be saying
> that they are not responsible for the IP address the spam came from.

I don't either, but that's what it looks like to me.

In the beginning the spam was sourced from 200.231.248.135 no rDNS

whois -h whois.registro.br 200.231.248.135 ...
inetnum: 200.231.248/23
aut-num: AS4230
owner-c/tech-c: AEC134 = dnsadmin@sebraesp.com.br
abuse-c: GSE6 = abuse@embratel.net.br
owner: SERVICO DE APOIO AS MICRO E PEQUENAS EMPRESAS DE

sebraesp.com.br = SERVICO DE APOIO AS MICRO E PEQUENAS EMPRESAS DE

I would notify the abuse.net reg'd
postmaster@sebraesp.com.br
mail-abuse@nic.br
dnsadmin@sebraesp.com.br
abuse@embratel.net.br

It looks to me like your report was sent to embratel who sent it to Marcelo at sebraesp. Marcelo is saying they aren't in charge of the IP, but registro and embratel think/say they are.

It is possible that Marcelo doesn't realize that the target IP is 200.231.248.135 and that earlier or lower Received lines in the original spam are bogus. Some desks have incompetent parsers, so maybe Marcelo is.

Abbreviated Received lines *comment
from unknown (HELO 209.68.2.71) (200.231.248.135) by tehun.pair.com *sourceline
from castigate.fresh.de ([213.130.63.233]) by continuant.freeze.com *bogusline
from Callie ([202.59.169.10]) by castigate.fresh.de *bogusline

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 11 08:43:38 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 11 10:45:06 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References: <3oHCCtYCax5X@eisner.encompasserve.org>
Message-ID:

Larry Kilgallen wrote:
> I do hope someone is regularly cluttering up the web forums with
> exhortations to switch to the NNTP newsgroups.

I have never seen such a thing there, but there is a line at the top of the forums with links.

SPAMCOP HOME | ORIGINAL FAQ | FORUM FAQ | NEWSGROUPS | WEBMAIL | SSL WEBMAIL

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 11 08:59:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 11 11:00:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

JHT4 wrote:
> I also found our authenticating outbound smtp server 216.176.166.220
> blocked for 1 hour last night about 9pm central us, with no info
> given for us to track down the guilty customer.
>
> Mike, could you lookup our ip the way you did Davids?
>
> Or is there an appropriate interface/process for this?

216.176.166.220 rDNS 8of4.advertisnet.com is not currently SCbl listed.

When an IP is currently listed you can see why by putting it in here http://www.spamcop.net/bl.shtml but when it isn't currently listed you can't get any history. Deputies can look back at the IP's listing history.

There's a problem about 216.176.166.220 in that no one is being notified of spamcop reports because the admin/you has decided they don't want to hear about it.

Parsing input: 216.176.166.220
host 216.176.166.220 = 8of4.advertisnet.com (cached)
ISP does not wish to receive report regarding 216.176.166.220
216.176.160.0 - 216.176.175.255:jay@dam.net

NetName: ADVERINTERSER
TechHandle: JT1339-ARIN
TechName: Teutenberg, Jay
TechEmail: jay@dam.net

> Thanks,
> Jay Teutenberg

If you hadn't turned off the reports, you would get spamreports which contain copies of the spam; except when they come from spamtrap hits.

There is also a problem with some other IPs in your netblock

216.176.173.181 rDNS c173-p181.advertisnet.com is proxified and spewing out spam and is SCbl listed.

216.176.173.199 rDNS c173-p199.advertisnet.com is proxified and hitting spamtraps and isn't SCbl listed at present

216.176.163.26 rDNS c163-p26.advertisnet.com is proxified and hitting spamtraps and isn't SCbl listed at present

I don't understand why you would turn off SC notifies.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 11 09:02:16 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 11 11:05:02 2005
Subject: [SpamCop-List] Re: Who to Notify?
References:
Message-ID:

Hans Salvisberg wrote:
> Thanks for your heuristics re SC weblink resolution.

YW

> Mike Easter wrote:
>> My notifies would be the non-responsive webrider, the parent and
>> router rtcomm, the piracy business which would be the various general
>> antipiracy groups plus the specifics for the ones being marketed,
>> Adobe, MS, and others.
>
> If you notify anti-piracy groups (I did), does it make sense to notify
> the provider at the same time? Ideally, if the latter does their job,
> the website might be gone when the former get around to take a look.

In the case of the non-responsive .ru providers, their notification by you probably doesn't do anything.

> And if the former do their job, they'll contact the provider, and if
> their clout doesn't knock the site off the Internet, I can save my
> breath...

--
Mike Easter
kibitzer, not SC admin

From kjz at despammed.com Wed May 11 19:23:05 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Wed May 11 12:25:05 2005
Subject: [SpamCop-List] Re: Anyone from =?iso-8859-1?q?W=FCrzburg=2C_Germany=3F_Is_it_legal_to_peddle_pre?= =?iso-8859-1?q?scription_drugs_over_the_Internet_in_Germany=3F?=
In-Reply-To:
References:
Message-ID:

Hans Salvisberg wrote:
> http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz
>
> spamvertises elongates.net, which belongs to Helmut Fischer in Würzburg:

Street exists, but no house number 7a, no Mr. Fischer, wrong ZIP code, wrong phone no. Domain is now on Registrar Hold. Maybe, Leo used some faked data from his pillz selling form for registration?

also look at:

http://whois.webhosting.info/CONNOTING.COM

- kjz

From nobody at devnull.spamcop.net Wed May 11 12:32:51 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed May 11 12:35:02 2005
Subject: [SpamCop-List] Re: Educating non-techies not to spam
References: <3oHCCtYCax5X@eisner.encompasserve.org>
Message-ID:

"Larry Kilgallen" wrote in message news:3oHCCtYCax5X@eisner.encompasserve.org...
>
> Some of us took it that you were talking about redirecting people
> elsewhere as part of an effort to "convert" people to the other
> tool. The poster has repeatedly done that.

Convert? Whatever ... pointing to yet another support resource that does in fact hold answers to a query is hardly an attempt to cast spells, break arms, or mis-guide people ... let's point out the obvious, the use of Google for instance in trying to research one's issues would tend to remove a major portion of the "asking for help/explanations" in either venue .. pointing to the existing/expanding Forum FAQ saves much wear and tear on folks having to re-type the same data.

You want a specific link, whereas my view is generally that if the user hadn't done the preliminary research to begin with (query already answered in the www.spamcop.net FAQ for instance) then it's likely that there's a lot more that the user has no clue on ... thus my normal point of reference is "the whole thing" such that those other questions not thought of yet will already be on-screen.

"The poster" - geeze .. having been around since the yellow page days, one would think you'd be a bit more precise/direct ...

> I do hope someone is regularly cluttering up the web forums with
> exhortations to switch to the NNTP newsgroups. But I am not about
> to check.

As Mike Easter points out, per a bit of conversation in spamcop.mail, I added links at the top of the displayed Forum page that includes a link (that for most folks will connect them) to the SpamCop news server with 'all' newsgroups showing ...

Start here for instance, even trying to take into account your text only access mode .... just a few of the references made

Kind of bull if you want to make the challenge but not look at the evidence ....

http://forum.spamcop.net/forums/index.php?showtopic=3486&view=findpost&p=23252 http://forum.spamcop.net/forums/lofiversion/index.php/t3486.html or the corresponding newsgroup post seen at http://news.spamcop.net/pipermail/spamcop-list/2005-January/096737.html http://forum.spamcop.net/forums/index.php?showtopic=3948&view=findpost&p=27206 from a user that "saw my references to the newsgroups and checked it out http://forum.spamcop.net/forums/index.php?showtopic=4049&view=findpost&p=27164 http://forum.spamcop.net/forums/lofiversion/index.php/t4049.html user having issues with posting to the newsgroups with OE6 http://forum.spamcop.net/forums/lofiversion/index.php/t4049.html http://forum.spamcop.net/forums/index.php?showtopic=4044&view=findpost&p=27123 http://forum.spamcop.net/forums/index.php?showtopic=3486&view=findpost&p=26964 From nobody at devnull.spamcop.net Wed May 11 13:43:54 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 11 12:45:05 2005 Subject: [SpamCop-List] gone OT: Re: Educating non-techies not to spam References: <3oHCCtYCax5X@eisner.encompasserve.org> Message-ID: "Larry Kilgallen" wrote in message news:3oHCCtYCax5X@eisner.encompasserve.org... > In article , "Pop" > writes: >> Well, I guess that's why we're all entitled to our own opinions: >> ... >>> >>> How would you feel if I responded to every spamcop.geeks complaint about >>> an operating system with the advice to use my own favorite ? Even if >>> I were right on that subject, repeating something to those who had heard >>> it over and over again would be obnoxious. >> ===> ?? I was talking about giving only a link as a response, not people >> posting opinions. ?? > > Some of us took it that you were talking about redirecting people > elsewhere as part of an effort to "convert" people to the other > tool. The poster has repeatedly done that. ===> Nahh, I don't particularly care for the forum and seldom go there, but I will admit the forum/s in the online world do have their places. 
I think for myself, and I expect other to do the same. That's not to say though, that I wouldn't recommend forums to someone that appeared as though they'd be better served with a forum. AFAIR, I have never posted a word here professing the advantages or disadvantages of either means. > > I do hope someone is regularly cluttering up the web forums with > exhortations to switch to the NNTP newsgroups. But I am not about > to check. ===> Why? I wouldn't consider that fair. It would be OK to note now and then that the group/s exists, same as here for the forums, but to exhort anyone to either isn't reasonable. Knowing both exist, is reasonable though. Other than that, let nature cause either to profit or become deceased if it so decrees. They stand on their merits or they fall on their merits. Regards, Pop From DougThegarden at hotmail.com Wed May 11 19:21:14 2005 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Wed May 11 13:25:04 2005 Subject: [SpamCop-List] Latest Google tool Message-ID: http://j-walk.com/other/googlecb/index.htm What is Google Content Blocker? Google's mission is to organize the world's advertising for maximum exposure to Web users. Unfortunately, annoying Web content often overwhelms the page, causing many users to become distracted and overlook the ads. That's where Google Content Blocker comes in. It effectively blocks all Web site content, leaving only the advertisements. How does Google Content Blocker work? After you install Google Content Block, just surf the Web as you normally do. When we find a site that has content, we will block that content so you see only the ads. It all happens automatically, with no effort on your part. What types of ads will I see? Once the content is removed from a Web site, you will see all of the original ads, unencumbered by annoying content. 
Doug ;-) From nobody at devnull.spamcop.net Wed May 11 15:19:18 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 11 14:20:05 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: Message-ID: "Kenneth Loafman" wrote in message news:kth4819ej5mhdih2g3d8ngom4knmm8nbug@4ax.com... > On Tue, 10 May 2005 19:12:57 -0400, "Pop" > wrote: > >>... >>> It would help if instead of pointing to the FAQ itself, the poster would >>> point to the answer in the FAQ... Lots less to read. >>> >>> ...Ken >>> >> >>That's true, but in reality I think it's asking a lot of the poster to do >>that. I could easily and happily refer you to, say a netiquette RFC, but >>trying to tell you just where the newsgroup is mentioned would be more >>work >>than I was willing to do for someone else. The questioner really should >>be >>willing to do the footwork, don't you think, than to expect the responder >>to >>do it? >> >>Just my two cents, >> >>Pop > > As an infrequent FAQ reader, I'd probably make sure the info was in the > FAQ before just sending off an answer. So, by the time I had verified it > to be there, I would be able to link directly. Just being thorough. > > ...Ken > Good point. I'll often bypass the FAQs initially if I have no idea where to look, hoping someone I know is knowledgeable will respond, and leave the FAQs for "relaxing" reading while I have to remain at the computer anyway. When I do read the FAQs, I'll often end up so bored I don't remember what I read, or I'll remember it, but not which FAQ it came from, making them, for me, better as "general reference" links than they are answers for a specific question I can't figure out how what to look for. I'm not talking just about SC: I'm talking about FAQs in general. FAQs are especially useful once you learn you way around one, but initially they take a lot of reading and searching and shotgunning. 
YMMV of course, and I'd ask readers becoming annoyed with my method to remember that this poster has short-term memory retrieval problems. I "remember", but not until a day or so later, if at all, unless I properly motivate myself to recall something. I've learned SC's FAQs to a "fair" degree only, but it's much better than some! Regards, Pop --- Who? Who's Dale Carnegie?! From nobody at devnull.spamcop.net Wed May 11 15:32:17 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 11 14:35:07 2005 Subject: [SpamCop-List] Re: Educating non-techies not to spam References: <3oHCCtYCax5X@eisner.encompasserve.org> Message-ID: ... > Start here for instance, even trying to take into account your > text only access mode .... just a few of the references made > Kind of bull if you want to make the challenge but not look > at the evidence .... > > http://forum.spamcop.net/forums/index.php?showtopic=3486&view=findpost&p=23252 > http://forum.spamcop.net/forums/lofiversion/index.php/t3486.html > or the corresponding newsgroup post seen at > http://news.spamcop.net/pipermail/spamcop-list/2005-January/096737.html > > http://forum.spamcop.net/forums/index.php?showtopic=3948&view=findpost&p=27206 > from a user that "saw my references to the newsgroups and checked it out > > http://forum.spamcop.net/forums/index.php?showtopic=4049&view=findpost&p=27164 > http://forum.spamcop.net/forums/lofiversion/index.php/t4049.html > user having issues with posting to the newsgroups with OE6 > > http://forum.spamcop.net/forums/lofiversion/index.php/t4049.html > > http://forum.spamcop.net/forums/index.php?showtopic=4044&view=findpost&p=27123 > > http://forum.spamcop.net/forums/index.php?showtopic=3486&view=findpost&p=26964 > > That's tellin' 'em! lol I had to think twice about saying I sometimes bypassed your posts, in public, but I thought I made it obvious why your postings are desirable and had no intention to feed anyone who thinks they need specifics handed to them on a platter. 
What it amounts to is, I read first what I think will give me the most usable, quickest answer. Sometimes that's you, usually I check your post anyway, and I'm seldom disappointed. To me it's all relative and I don't mind being pointed to a solution as long as the solution is actually there, and yours are pretty accurate, even if I do say so myself, and I do say so. You might see all this as left-handed compliments, but I have this nasty habit of saying what I mean. Actually, your reference posts ARE often useful in that they have pointed out that they not only exist, but the links TO them also. I just wish someone (I can't; too unreliable or I'd offer to) could take it upon themselves to auto-post pieces of the FAQs on a periodic basis, just to keep them in front of everyone. I seldom think of them myself, because I don't go to the main page of the site all that often. I know I probably should, but I don't. my 2 centses Pop From usenet2 at DE.LETE.THISljvideo.com Wed May 11 19:40:43 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Wed May 11 14:45:04 2005 Subject: [SpamCop-List] 419 scam reporting at FBI Message-ID: Where to send 419 scams to the FBI..? I've tried 419@fbi.gov and fraud@fbi.gov. Both bounce. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin From Vanguard at domain.invalid Wed May 11 14:44:28 2005 From: Vanguard at domain.invalid (Vanguard) Date: Wed May 11 14:45:14 2005 Subject: [SpamCop-List] Re: Latest Google tool References: Message-ID: "Doug Thegarden" wrote in message news:d5teu8$mr$1@news.spamcop.net... > http://j-walk.com/other/googlecb/index.htm > > What is Google Content Blocker? > ... > That's where Google Content Blocker comes in. It effectively blocks > all Web site content, leaving only the advertisements. 
Hmm, I thought the advertisements *were* the overwhelming and distracting content. > Once the content is removed from a Web site, you will see all of the > original ads, unencumbered by annoying content. Interesting. I wonder if someone will reverse engineer their program so it can be reversed in its behavior. Instead of only showing the ads, it would instead remove the ads. Nah, there already exists ad-block software. From zypher at spamcop.net Wed May 11 14:45:43 2005 From: zypher at spamcop.net (Ron B.) Date: Wed May 11 14:50:04 2005 Subject: [SpamCop-List] Re: Latest Google tool In-Reply-To: References: Message-ID: Vanguard wrote: > "Doug Thegarden" wrote in message > news:d5teu8$mr$1@news.spamcop.net... > >> http://j-walk.com/other/googlecb/index.htm >> >> What is Google Content Blocker? >> ... >> That's where Google Content Blocker comes in. It effectively blocks >> all Web site content, leaving only the advertisements. > > > Hmm, I thought the advertisements *were* the overwhelming and > distracting content. > >> Once the content is removed from a Web site, you will see all of the >> original ads, unencumbered by annoying content. > > > Interesting. I wonder if someone will reverse engineer their program so > it can be reversed in its behavior. Instead of only showing the ads, it > would instead remove the ads. Nah, there already exists ad-block software. > It's a joke, son. From zypher at spamcop.net Wed May 11 14:51:38 2005 From: zypher at spamcop.net (Ron B.) Date: Wed May 11 14:55:03 2005 Subject: [SpamCop-List] Re: 419 scam reporting at FBI In-Reply-To: References: Message-ID: Larry J. wrote: > Where to send 419 scams to the FBI..? > > I've tried 419@fbi.gov and fraud@fbi.gov. Both bounce. From: United States - Additional Country Specific Instructions - United States 1. The United States Secret Service continues to be tasked as the primary US law enforcement agency in dealing with Advance Fee Fraud (419) matters. 
US Citizens or Residents with No Financial Loss may email 419er documents to the United States Secret Service at 419.fcd@usss.treas.gov where they are archived for future datamining. Only No Loss reports are to be sent to this email address. Due to the sheer volume of materials received, USSS does not respond to submissions to this address. 2. United States Citizens and Residents who HAVE suffered a Financial Loss are instructed to contact the nearest Field Office of the United States Secret Service (USSS) by telephone. 3. You may also file a Financial Loss complaint online with the Internet Fraud Complaint Center (IFCC), which is being renamed the Internet Crime Complaint Center (IC3). This organization is a partnership of the National White Collar Crime Center (NW3C) and the Federal Bureau of Investigation (FBI). From MikeE at ster.invalid Wed May 11 12:56:11 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 11 14:55:13 2005 Subject: [SpamCop-List] Re: 419 scam reporting at FBI References: Message-ID: Larry J. wrote: > Where to send 419 scams to the FBI..? It is treasury who is interested in 419s. Advisory http://www.secretservice.gov/alert419.shtml The notify is 419.fcd@usss.treas.gov Supposed to say 'no monetary loss' SEC info for addy http://www.sec.gov/answers/nigeria.htm > I've tried 419@fbi.gov and fraud@fbi.gov. Both bounce. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed May 11 14:51:07 2005 From: nobody at spamcop.net (N. 
Miller)
Date: Wed May 11 16:55:03 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell
References:
Message-ID: <2a5l23mdxndq.dlg@news.spamcop.net>

On Wed, 11 May 2005 14:44:22 +0400, Berny wrote:

> spew server and web hoster is 69.67.72.* ( don't know how to express it as a
> /whatever

By a Sam Spade check, that would be a 69.67.72.0/24:

-------------------------------------------------------
05/11/05 13:44:52 IP block 69.67.72.1@whois.arin.net
Trying 69.67.72.1 at ARIN
Trying 69.67.72 at ARIN
Whoa USA Inc WHOA-USA-INC (NET-69-67-64-0-1)
    69.67.64.0 - 69.67.79.255
Roger Graves DATAMONITOR-BUSSINESS-INFORMATION (NET-69-67-72-0-1)
    69.67.72.0 - 69.67.72.255

# ARIN WHOIS database, last updated 2005-05-10 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
-------------------------------------------------------

69.67.72.0 - 69.67.72.255 is the same as 69.67.72.0/24. But the Spamhaus listing is larger: 69.67.64.0/20. That covers the entire range of 69.67.64.0 - 69.67.79.255 in that Sam Spade listing.

I like to use this for CIDR calculations:

http://grox.net/utils/whatmask/

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at devnull.spamcop.net Wed May 11 16:52:13 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed May 11 16:55:30 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

"JHT4" wrote in message news:d5t46n$qdn$1@news.spamcop.net...
> I also found our authenticating outbound smtp server 216.176.166.220
> blocked for 1 hour last night about 9pm central us, with no info given for
> us to track down the guilty customer.
>
> Mike, could you lookup our ip the way you did Davids?

See that Mike has already replied.

> Or is there an appropriate interface/process for this?

But he didn't mention Miss Betsy's compilation in the "Why am I Blocked?" FAQ entry ..
found at http://forum.spamcop.net/forums/index.php?showtopic=972 seen both as an entry in the Forum FAQ at http://forum.spamcop.net/forums/index.php?showtopic=2238 and as a Pinned entry in the "SpamCop Blocklist Help" section of the support Forum found at http://forum.spamcop.net/forums/ Again, a Frequently Asked Question that has much data available for your perusal. From usenet2 at DE.LETE.THISljvideo.com Wed May 11 22:50:52 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Wed May 11 17:55:05 2005 Subject: [SpamCop-List] Re: 419 scam reporting at FBI References: Message-ID: Waiving the right to remain silent, "Mike Easter" wrote: > It is treasury who is interested in 419s. > > Advisory http://www.secretservice.gov/alert419.shtml > The notify is 419.fcd@usss.treas.gov > Supposed to say 'no monetary loss' > SEC info for addy http://www.sec.gov/answers/nigeria.htm Thanks, Mike & Ron. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin From usenet2 at DE.LETE.THISljvideo.com Wed May 11 22:55:13 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Wed May 11 18:00:03 2005 Subject: [SpamCop-List] Re: Can't read ISP's reply References: Message-ID: Waiving the right to remain silent, Mike Nuss wrote: > I don't speak Portuguese, but the administrator seems to be saying that > they are not responsible for the IP address the spam came from. Babelfish does a half-assed job of translating it: "Expensive administrator, We receive the message below, complaining of a SPAM/UCE originated in its net. 
Favor to analyze the conteudo of reclamacao, identifying to the usuario that this making AUTHORIZED USE ABUSIVO/NAO of the resources of the net, and/or utilizacao of servidor(es) as relay for SPAM/UCE sending; We request that they are taken you provide them cabiveis, objectifying to inhibit such behavior. Favor to keep the Team of Security InterNet EMBRATEL informed, on its you provide, sending email for (spamc@embratel.net.br), keeping the Subject (' Subject ') original of this message. Important E ' that vc answer to this incident therefore our system anger to send one copies for the originador of reclamacao. We are thankful anticipatedly," -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "Ninety eight percent of the adults in this country are decent, hardworking, honest Americans. It's the other lousy two percent that get all the publicity. But then, we elected them." -Lily Tomlin From jay at advertisnet.com Wed May 11 21:11:48 2005 From: jay at advertisnet.com (Jay Teutenberg) Date: Wed May 11 21:15:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: "Mike Easter" wrote in message news:d5t6fv$rok$1@news.spamcop.net... > JHT4 wrote: >> I also found our authenticating outbound smtp server 216.176.166.220 >> blocked for 1 hour last night about 9pm central us, with no info >> given for us to track down the guilty customer. >> >> Mike, could you lookup our ip the way you did Davids? >> >> Or is there an appropriate interface/process for this? > > 216.176.166.220 rDNS 8of4.advertisnet.com is not currently SCbl > listed. > > When an IP is currently listed you can see why by putting it in here > http://www.spamcop.net/bl.shtml found that, saw my ip would be delisted in a hour > > but when it isn't currently listed you can't get any history. Deputies > can look back at the IP's listing history. ok, will send email. 
> > There's a problem about 216.176.166.220 in that no one is being > notified of spamcop reports because the admin/you has decided they don't > want to hear about it. I dont recall logging into spamcop as a user before, I got my pw mailed to me and got in tho, it was system created... I think I opened up notifications appropriately. > > Parsing input: 216.176.166.220 > host 216.176.166.220 = 8of4.advertisnet.com (cached) > ISP does not wish to receive report regarding 216.176.166.220 > 216.176.160.0 - 216.176.175.255:jay@dam.net > > NetName: ADVERINTERSER > TechHandle: JT1339-ARIN > TechName: Teutenberg, Jay > TechEmail: jay@dam.net > >> Thanks, >> Jay Teutenberg > > If you hadn't turned off the reports, you would get spamreports which > contain copies of the spam; except when they come from spamtrap hits. if they dont want to give us the offending headers of spamtrap hits , how are we supposed to deal with it? email deputies is the process? or perhaps the notifications give the necessary info. > > There is also a problem with some other IPs in your netblock > > 216.176.173.181 rDNS c173-p181.advertisnet.com is proxified and > spewing out spam and is SCbl listed. > 216.176.173.199 rDNS c173-p199.advertisnet.com is proxified and > hitting spamtraps and isn't SCbl listed at present > 216.176.163.26 rDNS c163-p26.advertisnet.com is proxified and > hitting spamtraps and isn't SCbl listed at present Normally we filter port 25 at our border router for our dial ups, but I found the filters had been left off for one of the upstreams, its back on now, that should fix the 173.x ips, the other appears to be a dedicated customers compromised machine, and I have put someone on the case to deal with them (and null routed them until they fix) > I don't understand why you would turn off SC notifies. Im not sure I did. 
thanks for your help, Jay From MikeE at ster.invalid Wed May 11 20:00:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 11 22:00:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: Jay Teutenberg wrote: > "Mike Easter" > if they dont want to give us the offending headers of spamtrap hits , > how are we supposed to deal with it? email deputies is the process? > or perhaps the notifications give the necessary info. I don't know what the deputies say when they handle something with email, but when they speak publicly sometimes they will 'characterize' an issue at a spamtrap. Normally the parser's algorithm will parse past the output server to name the source IP behind it and the output server doesn't get listed. The kind of thing which will get an output server in trouble is backscatter problems - belated bounces as I described in an earlier post in a similar thread http://www.spamcop.net/fom-serve/cache/14.html Even if you were not getting the spamtrap items, if your notify addy were getting the normal reports that would be very useful. >> I don't understand why you would turn off SC notifies. > > Im not sure I did. I'm sure you can fix it since you are already an authorized ISP with pw http://www.spamcop.net/fom-serve/cache/94.html "use the "Request Reports" menu item to specify which networks you would like to receive reports about. At any time, you may use the "show routes" menu item to view which networks you are configured to receive reports about." I'm also noticing that that page sez you can get recent reports on your own "In addition, your ISP account allows you to spot-check any IP address for recent reports." > thanks for your help, YW. Tnx for stopping the misbehaving IPs from your network. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu May 12 04:13:50 2005 From: nobody at spamcop.net (Claudio Valderrama C.) 
Date: Thu May 12 03:15:20 2005 Subject: [SpamCop-List] Re: Intermitent problem with bora.net References: Message-ID: Mike Easter wrote: > > There are several different results you could get depending upon the > cache and the accessibility of registrars. That may explain the issue, thanks. C. From hans at salvisberg.invalid Thu May 12 12:59:25 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Thu May 12 05:50:30 2005 Subject: [SpamCop-List] Re: Anyone from =?iso-8859-1?q?W=FCrzburg=2C_Germany=3F_Is_it_legal_to_peddle_pre?= =?iso-8859-1?q?scription_drugs_over_the_Internet_in_Germany=3F?= In-Reply-To: References: Message-ID: Hi kjz Karl-Josef Ziegler wrote: > Hans Salvisberg wrote: > > >>http://www.spamcop.net/sc?id=z761484882zc765cbd002e9d466068ee91600edcc5fz >> >>spamvertises elongates.net, which belongs to Helmut Fischer in W?rzburg: > > > Street exists, but no house number 7a, no Mr. Fischer, wrong ZIP code, > wrong phone no. The phone number looked phony, but the ZIP code /is/ in W?rzburg, and with the (intentional?) obfuscation "Wuezburg" the address looked real enough that the post office might actually succeed in delivering mail, even though the address may not be 100% correct. > Domain is now on Registrar Hold. Great! > Maybe, Leo used some > faked data from his pillz selling form for registration? > > also look at: > > http://whois.webhosting.info/CONNOTING.COM Yeah. Helmut Fischer is also listed here: http://eclecticdjs.com/mike/spam/spam-05-05.html Thanks! Hans From agent01413 at my-deja.com Thu May 12 12:03:53 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Thu May 12 07:05:08 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: "Mike Easter" wrote in news:d5t6fv$rok$1 @news.spamcop.net: > > 216.176.166.220 rDNS 8of4.advertisnet.com is not currently SCbl > listed. 
> > When an IP is currently listed you can see why by putting it in here > http://www.spamcop.net/bl.shtml > > but when it isn't currently listed you can't get any history. Deputies > can look back at the IP's listing history. one good resource is to check news.admin.net-abuse.sightings. http://openrbl.org has good links too. After I report a piece of spam to spamcop, I will frequently plug the originating IPA into openrbl to see what other dnsbls have picked up the spam run. the google search link on that page is configured to show sightings after the initial query is done there. I think the amalgamation of information from multiple sources is a far better resource for getting as much as you need than anything else that I have used. -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From MikeE at ster.invalid Thu May 12 06:32:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu May 12 08:35:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: Socks the Whitehouse Cat wrote: > "Mike Easter" >> but when it isn't currently listed you can't get any history. >> Deputies can look back at the IP's listing history. That statement turned out to be wrong. The admin for an IP can get its listing history. http://www.spamcop.net/fom-serve/cache/94.html > one good resource is to check news.admin.net-abuse.sightings. > http://openrbl.org has good links too. I used to use openrbl for that, now I use dnsstuff. What is useful about sightings for a server is to see if there's anything weird about how it stamps its lines for its relays for a user IP and to see if there's any recent backscatter there. > After I report a piece of > spam to spamcop, I will frequently plug the originating IPA into > openrbl to see what other dnsbls have picked up the spam run. the > google search link on that page is configured to show sightings after > the initial query is done there. 
I think the amalgamation of > information from multiple sources is a far better resource for > getting as much as you need than anything else that I have used. Yes -- if you are determining your own notifies independently from SC's there's a lot of useful information. E.g. if an IP is listed in spews or spamhaus the likelihood is that it is non-responsive and needs some better strategy for notifying than simply the nonresponsive entity But, I interpreted the discussion to be about the SCbl listing, since that was an admin asking about a SCbl listing. The first place I looked was in dnsstuff and it wasn't listed in SCbl or anywhere else. The next place I looked was at IronPort; that's how I found those other IPs I told him about. -- Mike Easter kibitzer, not SC admin From kjz at despammed.com Thu May 12 15:42:27 2005 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Thu May 12 08:45:03 2005 Subject: [SpamCop-List] Re: Anyone from =?iso-8859-1?q?W=FCrzburg=2C_Germany=3F_Is_it_legal_to_peddle_pre?= =?iso-8859-1?q?scription_drugs_over_the_Internet_in_Germany=3F?= In-Reply-To: References: Message-ID: Hans Salvisberg wrote: > The phone number looked phony, but the ZIP code /is/ in W?rzburg, and > with the (intentional?) obfuscation "Wuezburg" the address looked real > enough that the post office might actually succeed in delivering mail, > even though the address may not be 100% correct. Yes, ZIP code (97078) is for Wuerzburg, but this street has another ZIP code (97080). - kjz From nobody at devnull.spamcop.net Thu May 12 09:46:56 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Thu May 12 09:45:03 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: > Miss Betsy wrote: > > > Just goes to show you that scientists can be as dumb as the rest of > > the world. > > How do you mean? The thread isn't about SciAm spam, it is a pointer to > the article. > > Did you mean the article was dumb? 
The article was very unscientific and since it is presumably aimed at 'scientists', the editors were dumb to allow it. AFAICT, it was written by the writers of content filters and had nothing to do with the control of spam, but merely a comparison of different kinds of content filters. It should have been entitled, "How to use filters to stop spam from entering your inbox." Miss Betsy From MikeE at ster.invalid Thu May 12 08:23:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu May 12 10:25:12 2005 Subject: [SpamCop-List] Re: Stopping Spam (From Scientific American) References: Message-ID: Miss Betsy wrote: > The article was very unscientific and since it is presumably aimed > at 'scientists', the editors were dumb to allow it. SciAm isn't a scientific 'journal' -- it is a magazine for the general public of a scientific 'bent'. Some examples of filter science that the article talked about were Bayesian training programs using discriminative linear logic to weigh later decisions heavier, speeding up algorithms by 'sequential minimal optimization' and 'sequential generalized iterative scaling' to accomplish the same filtering more than 2 orders of magnitude faster, n-gram enabling, benign vs porno image discimination errors. There was a discussion of proof systems including captcha/hip methods, micropayments, and smtp standards change. > AFAICT, it was > written by the writers of content filters Correct. > and had nothing to do > with the control of spam, but merely a comparison of different > kinds of content filters. The thrust of the article was keeping spam out of the inbox; about 40% of it was content filtering. The reason spam works is because human beings are reading their spam and buying spam promoted products. Antispam efforts are swimming upstream against the tide of human behavior, like prohibition. And then there's the issue of wanted or acceptable 'spam' see below. 
> It should have been entitled, "How to use > filters to stop spam from entering your inbox." Actually the overview 'title' was "Guarding Your In-Box" I found one of the par/s about the definition of spam interesting, in that it applied to a realworld experience of the investigators themselves. .... We recently received an e-mailed proposal, for example, to turn a short story we had published on the Internet into a motion picture. This communication met the requirements of the law: unsolicited, commercial, from an unknown sender, but almost no one would call it spam. An alternative definition might include the fact that spam is typically mass-mailed. But we recently solicited papers for a technical conference to discuss e-mail systems and anti-spam methods by sending requests to 50 people we had never met who had published on this topic. None of them complained. Perhaps the best characterization of spam is that it is poorly targeted and unwanted. Formulating a precise definition of spam is exceedingly difficult, but, like pornography, we certainly know it when we see it flooding our mailboxes. So, it comes down to 'poorly targeted and unwanted'? That's pretty tricky to scientifically target. -- Mike Easter kibitzer, not SC admin From sbb78247 at stilldon'tfuckincare.invalid Thu May 12 23:21:06 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Thu May 12 23:25:19 2005 Subject: [SpamCop-List] like i said Message-ID: fuck off you nazis From sbb78247 at stilldon'tfuckincare.invalid Thu May 12 23:20:08 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Thu May 12 23:25:47 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Pop wrote: > bye arsehole is that what you said to your last boyfriend? From zypher at spamcop.net Thu May 12 23:34:12 2005 From: zypher at spamcop.net (Ron B.) 
Date: Thu May 12 23:35:05 2005 Subject: [SpamCop-List] Re: Grow up In-Reply-To: References: Message-ID: sbb78247 wrote: > Pop wrote: > >>bye arsehole > > > is that what you said to your last boyfriend? > > Please stop feeding this troll. Replying to their posts and taking them seriously only gives them new fuel to add to their fire, and sooner or later, you will find yourself under a barrage of personal attacks and flames. The only way to deal with trolls is just to ignore them and to go about your business having fun talking with other people on Usenet. Forget about the trolls and they will not bother you again. http://www.usenet.com/articles/usenet_trolls.htm From redwolfe_98 at nospam.com Fri May 13 01:01:24 2005 From: redwolfe_98 at nospam.com (redwolfe_98) Date: Fri May 13 00:05:08 2005 Subject: [SpamCop-List] Spamcop Feedback Message-ID: i notice that sometimes spamcop cannot process, trace, url's in spam where the url has an unusual ending, lke http://www.xyz.com/chk.. maybe spamcom could set things up to work the way that "samspade.org" does where it ignores the part of the url that comes at the end, after ".com", and then spamcop would be able to trace the url.. for example, instead of trying to trace http://www.xyz.com/chk it would trace http://www.xyz.com , ignoring the part on the end of the url, and then maybe spamcop would trace those url's that it otherwise, sometimes does not trace, and then we could better report those url's for spamming... From nobody at devnull.spamcop.net Fri May 13 15:46:06 2005 From: nobody at devnull.spamcop.net (Patto) Date: Fri May 13 01:50:03 2005 Subject: [SpamCop-List] Re: like i said In-Reply-To: References: Message-ID: sbb78247 wrote: > fuck off you nazis he, he, he - fried spam again; my favorite! 
From oren.freidenstein at you.bogus-grouchy-freebooter.org Fri May 13 09:49:37 2005
From: oren.freidenstein at you.bogus-grouchy-freebooter.org (Oren Freidenstein)
Date: Fri May 13 02:50:31 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID: <7b4887176a81415b8366f9e5489b9b24@you.tinpot-openmouthed-pudding.org>

Ron B., wrote:

> Please stop feeding this troll.

Ok. *PLONK*

From nttp.sc.s at bigsleep.org Fri May 13 09:18:27 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Fri May 13 04:20:22 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell
References: <2a5l23mdxndq.dlg@news.spamcop.net>
Message-ID:

On 11 May 2005 N. Miller entered spamcop and left news:2a5l23mdxndq.dlg@news.spamcop.net:

> I like to use this for CIDR calculations:
>

I finally figured out how to do that with the scientific calculator, here I use the caret ^ for the button [x^y].

e.g. /24

2 ^ (32 - 24) = 256 - 1 = 255

This gives you the number of addresses minus the one you already have. Converting to dotted quad is a little clumsy, you need to divide by 256 for any number greater than 255 to get each quad, (then subtract 1) adding the result to the first address.

Converting back probably makes this more clear:

e.g. 69.67.64.0 - 69.67.79.255

each dotted quad = 256, and we have to add one to include the "0" address.

(79 - 64 + 1) * 256 = 4096
32 - (4096 log / 2 log) = 20
69.67.64.0 - 69.67.79.255 = 69.67.64.0/20

Another example:

69.67.0.0 - 69.68.255.255
I know this = 69.67.0.0/15

69.68.255.255 - 69.67.0.0 =
(68 - 67 + 1) * 256 * 256 = 131072

Or I think you could expand that to say

(69 - 69 + 1) * (68 - 67 + 1) * (255 - 0 + 1) * (255 - 0 + 1) = 131072
32 - (131072 log / 2 log) = 15

converting back...

2 ^ (32 - 15) = 131072
131072 / 256 = 512 [0.0.0.255]
512 / 256 = 2 [0.0.255.0]
2 - 1 = 1 [0.1.0.0]
69.67.0.0 + 0.1.255.255 = 69.68.255.255

or hex(131072 - 1) = 1FFFF

CIDR seems complicated, but it's simply the number of fixed bits in the address range. IPv4 contains 32 bits, so a range of one address would have 32 fixed bits or /32.

2 ^ (32 - 32) = 1

binary is multiples of 2 (2^y), so

/32 = 1
/31 = 2
/30 = 4
/29 = 8
/28 = 16

--
| Ric |

From nobody at nowhere.invalid Fri May 13 11:29:28 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri May 13 04:30:03 2005
Subject: [SpamCop-List] Re: SBCGlobal) Software Factory solutionsSFSFL and PACBell and Whoa007 @pacbell
References: <2a5l23mdxndq.dlg@news.spamcop.net>
Message-ID:

On Fri, 13 May 2005 08:18:27 +0000 (UTC), Blammo coughed into spamcop and left this in :

> CIDR seems complicated....

You hit the nail square on the head there. It 'seems' complicated when you're not used to working in binary, but in actual fact it's really easy. Give it a bit of practice and you won't even need your scientific calculator any more - you'll be doing it mentally.

--
Steve

genius, n: A chemist who discovers a laundry additive that rhymes with "bright".

From 0rio85a02 at sneakemail.com Fri May 13 02:40:59 2005
From: 0rio85a02 at sneakemail.com (Fred k)
Date: Fri May 13 05:45:24 2005
Subject: [SpamCop-List] Eternal Optimism
Message-ID:

a.. Massachusetts fires legal broadside at spam gang ...
as failed junk mailers escape FTC fine http://go.theregister.com/news/http://www.theregister.co.uk/2005/05/12/spam_lawsuit/ Fred k From hans at salvisberg.invalid Fri May 13 14:05:41 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Fri May 13 06:55:09 2005 Subject: [SpamCop-List] Re: Anyone from =?iso-8859-1?q?W=FCrzburg=2C_Germany=3F_Is_it_legal_to_peddle_pre?= =?iso-8859-1?q?scription_drugs_over_the_Internet_in_Germany=3F?= In-Reply-To: References: Message-ID: Karl-Josef Ziegler wrote: > I got the same spam and it has some characteristics which point to Leo > Kuvayev in Russia as the real originator. Fred k already posted the reference, but I'll still add it here as it specifically mentions Leo Kuvayev: http://www.theregister.co.uk/2005/05/12/spam_lawsuit/ http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1416 This would also explain why the domains we talked about went on REGISTRAR-HOLD, if they really are connected to Leo Kuvayev as you suspect. Hans From sbb78247 at stilldon'tfuckincare.invalid Fri May 13 07:06:27 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Fri May 13 07:10:04 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: Patto wrote: > sbb78247 wrote: >> fuck off you nazis > > he, he, he - fried spam again; my favorite! not even close you censorship nazi From MikeE at ster.invalid Fri May 13 06:24:36 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 08:25:05 2005 Subject: [SpamCop-List] Re: Spamcop Feedback References: Message-ID: redwolfe_98 wrote: > i notice that sometimes spamcop cannot process, trace, url's in spam > where the url has an unusual ending, lke http://www.xyz.com/chk.. > maybe spamcom could set things up to work the way that "samspade.org" > does where it ignores the part of the url that comes at the end, > after ".com", and then spamcop would be able to trace the url.. 
for > example, instead of trying to trace http://www.xyz.com/chk it would > trace http://www.xyz.com , ignoring the part on the end of the url, > and then maybe spamcop would trace those url's that it otherwise, > sometimes does not trace, and then we could better report those url's > for spamming... I don't think that would make any difference, but it is very easy for you to test the result of your theory by feeding the parser the modified item. You can even test the result of feeding the parser an entire spam forged to contain your modified url as long as you cancel any offered reports on spam forgeries. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Fri May 13 18:32:17 2005 From: bar_n0ne at hotmail.com (Berny) Date: Fri May 13 09:35:12 2005 Subject: [SpamCop-List] wierd website resolving to 127.0.0.1! Message-ID: tracker: h ttp://www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7677c7b1z tracert at home gave the same result for www.xlyrl.locationspots.com I checked with DNS stuff and the nameservice resolves to that, is that a new way to shut down a website? or a "new" way to attack a vulnerable computer? From nospam at fuck-off-and-die.com Fri May 13 20:19:48 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Fri May 13 09:35:39 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Berny, , the gripping, vegetarian lost soul, and minor, worthless author of usenet posts, noted: > tracker: > > h > ttp://www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7677c7b1z > > tracert at home gave the same result for www.xlyrl.locationspots.com > > I checked with DNS stuff and the nameservice resolves to that, > > is that a new way to shut down a website? or a "new" way to attack a > vulnerable computer? Check your fucking hosts file, you dumb cunt. 
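
Added example, not written by any poster in this archive: the range-to-CIDR arithmetic from the "SBCGlobal ... Whoa007" thread above (the ARIN ranges quoted by N. Miller and the calculator method that follows), in Python with the standard `ipaddress` module. It goes beyond the calculator method by also checking block alignment, so a range whose size is a power of two but whose first address is not on a block boundary comes out as several blocks; the function names are chosen for this example.

```python
import ipaddress


def prefix_from_count(first, last):
    """Calculator method: prefix = 32 - log2(number of addresses).

    Returns None when the address count is not a power of two.
    Looks only at the size of the range, not at where it starts.
    """
    count = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
    if count <= 0 or count & (count - 1):
        return None
    return 32 - (count.bit_length() - 1)


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that exactly covers first..last inclusive."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("first address is above last address")
    blocks = []
    while start <= end:
        # Alignment limit: a block of 2**n addresses must start on a
        # multiple of 2**n, i.e. the start needs n trailing zero bits.
        align_bits = (start & -start).bit_length() - 1 if start else 32
        # Size limit: the block may not run past the end of the range.
        size_bits = (end - start + 1).bit_length() - 1
        host_bits = min(align_bits, size_bits)
        blocks.append(ipaddress.IPv4Network((start, 32 - host_bits)))
        start += 1 << host_bits
    return blocks


def range_covered_by(first, last, listing):
    """True if every address in first..last falls inside the listed CIDR."""
    listed = ipaddress.ip_network(listing)
    return all(block.subnet_of(listed) for block in range_to_cidrs(first, last))


if __name__ == "__main__":
    # Ranges taken from the thread above.
    for first, last in [
        ("69.67.72.0", "69.67.72.255"),   # the /24 from the ARIN output
        ("69.67.64.0", "69.67.79.255"),   # the parent allocation, a /20
        ("69.67.0.0", "69.68.255.255"),   # 131072 addresses, odd start
    ]:
        blocks = ", ".join(str(b) for b in range_to_cidrs(first, last))
        print(f"{first} - {last}: size-only prefix /{prefix_from_count(first, last)}, "
              f"blocks {blocks}")

    # 69.67.0.0 is not on a /15 boundary (67 is odd), so ipaddress rejects
    # the notation and the range needs two /16 blocks instead.
    try:
        ipaddress.ip_network("69.67.0.0/15")
    except ValueError as err:
        print("rejected:", err)

    # The /24 sits inside the larger 69.67.64.0/20 listing.
    print(range_covered_by("69.67.72.0", "69.67.72.255", "69.67.64.0/20"))
```
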
From DougThegarden at hotmail.com Fri May 13 15:54:24 2005 From: DougThegarden at hotmail.com (Doug Thegarden) Date: Fri May 13 09:55:04 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! In-Reply-To: References: Message-ID: Kadaitcha Man wrote: > Kindatetchy Man shurely? Doug From bar_n0ne at hotmail.com Fri May 13 19:49:08 2005 From: bar_n0ne at hotmail.com (Berny) Date: Fri May 13 10:50:03 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: "Doug Thegarden" wrote in message news:d62bid$g1i$1@news.spamcop.net... > Kadaitcha Man wrote: > > > > Kindatetchy Man shurely? > > Doug And I did check my Hosts files bythe way, butit would have been too much coincidence for me and SC to have that entry. From SCNews.5.myspamgobbler at spamgourmet.com Fri May 13 09:04:27 2005 From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR)) Date: Fri May 13 11:05:04 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! In-Reply-To: References: Message-ID: Berny wrote: > tracker: > > h > ttp://www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7677c7b1z > > tracert at home gave the same result for www.xlyrl.locationspots.com > > I checked with DNS stuff and the nameservice resolves to that, > > is that a new way to shut down a website? or a "new" way to attack a > vulnerable computer? > > It's a way to permanently shut down a domain. From MikeE at ster.invalid Fri May 13 09:16:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 11:15:08 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Berny wrote: www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7677c7b1z>h > www.xlyrl.locationspots.com = 127.0.0.1 > is that a new way to shut down a website? or a "new" way to attack a > vulnerable computer? If the resolution doesn't result in a website, then the 'site' is dead. 
The registrar for locationspots is SPOT DOMAIN LLC DBA DOMAINSITE.COM - who is also providing the nameservice and is at http://www.domainsite.com

They are also 'absorbing' the registration information -- that is, they are listed as the registrant [as well as the registrar] for the domain's contact information.

I think it would be interesting for you to contact them with a manual notify and see if they respond; that is, they are the 'registered' spamvertisers and are providing spam support.

SC's design is to notify the webspace provider which is normally a good strategy, and generally the business about how the domain registration is handled is a separate issue which spamfighters do 'on their own' -- sometimes by completing the bad registration form at internic.

I'm not sure whether this is a bad policy by domainsite to hide the registrant or if the domainname is really registered to the registrar, but the point is that you got a spam, and it is even an 'illegal' spam by CANSPAM terms, because it has a bogus headerline and other 'illegal' characteristics and the registered owner of the spamming domainname is the registrar domainsite.

So, you could legitimately notify internic at both places, the place where you complain about registrars and the place where you complain about bad registration information^1. You can also notify domainsite to see how they respond, if at all.

^1 To submit a complaint about an accredited registrar go to the Registrar Problem Report form.
http://reports.internic.net/cgi/registrars/problem-report.cgi
To report incomplete or inaccurate Registrar Whois data, please visit the new Whois Data Problem Report System.
http://wdprs.internic.net/

It is possible that domainsite's 'idea' is that they have killed the spamsupport by waylaying the nameservice resolution and thus the access to some website which was there before - but that doesn't explain their approach to how they are handling the registration information, by putting themselves as the registrant. That looks to me like a 'policy' decision that isn't in keeping with the ICANN rules.

All of the registrant and nameservice information is 'fresh' - ie updated yesterday, so it is possible that the registrar is acting responsibly instead of irresponsibly - it is hard to say without the earlier information and knowing if domainsite is white or blackhat. The domainname was registered over a year ago.

-- 
Mike Easter
kibitzer, not SC admin

From eddie at eddie.web Fri May 13 12:32:46 2005
From: eddie at eddie.web (eddie)
Date: Fri May 13 11:35:03 2005
Subject: [SpamCop-List] comcast "selling" illegal cable descramblers
Message-ID:

Besides being ironic, I wonder if one could use the comcast spew as a defense for using such an illegal device. Showing that the spam promoting the device came from comcast might be considered that comcast is promoting it. You could claim you thought it was a comcast advertisement.
It's funny, at least to me.

-- 
Once movie theaters gave out steak knives
Today they confiscate them

From MikeE at ster.invalid Fri May 13 09:39:26 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 13 11:40:06 2005
Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1!
References:
Message-ID:

Mike Easter wrote:
> If the resolution doesn't result in a website, then the 'site' is
> dead. The registrar for locationspots is SPOT DOMAIN LLC DBA
> DOMAINSITE.COM - who is also providing the nameservice and is at
> http://www.domainsite.com
>
> They are also 'absorbing' the registration information --
> that is, they are listed as the registrant [as well as the registrar]
> for the domain's contact information.

They also own their own webspace under internap

whois -h whois.arin.net 69.25.212.135
...
Internap Network Services 69.25.0.0 - 69.25.255.255
Name.com 69.25.212.128 - 69.25.212.191

name and domainsite are both dba/s of spot domain.

OTOH, those entities get an attaboy from me for suing Verisign and ICANN over the Verisign gig here

http://www.whois.sc/news/2004-02/wls-lawsuit.html Domain registrars sue ICANN, VeriSign

-- 
Mike Easter
kibitzer, not SC admin

From mrichter at cpl.net Fri May 13 11:20:19 2005
From: mrichter at cpl.net (Mike Richter)
Date: Fri May 13 13:25:31 2005
Subject: [SpamCop-List] Re: Spamcop Feedback
In-Reply-To:
References:
Message-ID:

redwolfe_98 wrote:
> i notice that sometimes spamcop cannot process, trace, url's in spam where
> the url has an unusual ending, like http://www.xyz.com/chk.. maybe spamcop
> could set things up to work the way that "samspade.org" does where it
> ignores the part of the url that comes at the end, after ".com", and then
> spamcop would be able to trace the url.. for example, instead of trying to
> trace http://www.xyz.com/chk it would trace http://www.xyz.com , ignoring
> the part on the end of the url, and then maybe spamcop would trace those
> url's that it otherwise, sometimes does not trace, and then we could better
> report those url's for spamming...
>
>

In your example, xyz.com is the domain hosting the spamvertized site. SC reports to the abuse desk for that domain. '/chk' is the specific page being referenced in the spam, but there is no way to report to its owner.
Mike -- mrichter@cpl.net http://www.mrichter.com/ From agent01413 at my-deja.com Fri May 13 18:58:34 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Fri May 13 14:00:04 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: "sbb78247" wrote in news:d629qj.3cg.1@133.256.1.103.MISMATCH: > fuck off you nazis > > godwin in one. you lose -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From agent01413 at my-deja.com Fri May 13 18:59:44 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Fri May 13 14:00:15 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: "sbb78247" wrote in news:d63533.23c.1@133.256.1.103.MISMATCH: > Patto wrote: >> sbb78247 wrote: >>> fuck off you nazis >> >> he, he, he - fried spam again; my favorite! > > not even close you censorship nazi > i love the smell of fried spammer nads in the morning. i wonder if his mommy knows that he's palying with her computer. someone will get his britches warmed. -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From Vanguard at domain.invalid Fri May 13 14:09:46 2005 From: Vanguard at domain.invalid (Vanguard) Date: Fri May 13 14:20:04 2005 Subject: [SpamCop-List] Why can't Spamcop's parser find URL links in body? Message-ID: See http://www.spamcop.net/sc?id=z763127086z1600142eb6ae87f8924f27973158fac1z for my spam report. Notice it says no links were found in the body of the e-mail. Yet there is a link: Does SpamCop's parser have a problem of knowing to terminate the parsing at the first illegal character used in the domain portion of the URL? Isn't the URL pointing to ntoslal.net (which is what the deobfuscators say it is), or is it bramiadcjlj.com? 
I know that I can specify either http://support.microsoft.com/?id=300698 as a URL to a Microsoft KB article but http://support.microsoft.com?id=300698 also works, so I figure the domain URL parsing stops at the first character that isn't allowed in a domain, and that would be the ampersand ("&") character.

Even if the domain is no longer registered, shouldn't the parser note the domain from the URL (so you are reminded that there is a URL to site within the body without having to view the entire message) and also note that there was no lookup on it at that time?

-- 
____________________________________________________________
** Post your replies to the newsgroup - Share with others **
For e-mail Reply: remove "DELETE", add "~VN56~" to Subject.
____________________________________________________________

From Vanguard at domain.invalid Fri May 13 14:24:27 2005
From: Vanguard at domain.invalid (Vanguard)
Date: Fri May 13 14:25:04 2005
Subject: [SpamCop-List] Re: Why can't Spamcop's parser find URL links in body?
References:
Message-ID:

I would've thought the first part of the domain portion of the URL would've been truncated at the "&" character and the first part used. But according to another SpamCop parse shown at http://www.spamcop.net/sc?id=z763048974zd6c29db5fcdb5b26b51ea2ea24dbe1f9z, it trashes the first part before the "&" and uses the second half. The deobfuscators that I've used return the first part before the ampersand. In fact, a real easy deobfuscator is to simply use the ping.exe program. When I run:

ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com

it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using the wrong portion of the obfuscated URL. As a result, SpamCop will be sending it spam reports to wrong recipients, something that I've heard accused of SpamCop.
For this particular spam report, I decided to deselect the Chinese contacts because they were based on the domain extracted from the URL but SpamCop used the wrong portion of that URL.

From news at schmide.com Fri May 13 12:36:53 2005
From: news at schmide.com (Schmide)
Date: Fri May 13 14:40:05 2005
Subject: [SpamCop-List] Spam Gang (DOH)
Message-ID:

http://www.theinquirer.net/?article=23212

The wheels of justice turn slooooooow

From nobody at spamcop.net Fri May 13 16:36:19 2005
From: nobody at spamcop.net (Ellen)
Date: Fri May 13 15:40:07 2005
Subject: [SpamCop-List] Re: Why can't Spamcop's parser find URL links in body?
References:
Message-ID:

"Vanguard" wrote in message news:d62rcr$q59$1@news.spamcop.net...
> I would've thought the first part of the domain portion of the URL
> would've been truncated at the "&" character and the first part used.
> But according to another SpamCop parse shown at
> http://www.spamcop.net/sc?id=z763048974zd6c29db5fcdb5b26b51ea2ea24dbe1f9z,
> it trashes the first part before the "&" and uses the second half. The
> deobfuscators that I've used return the first part before the ampersand.
> In fact, a real easy deobfuscator is to simply use the ping.exe program.
> When I run:
>
> ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com
>
> it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using
> the wrong portion of the obfuscated URL. As a result, SpamCop will be
> sending it spam reports to wrong recipients, something that I've heard
> accused of SpamCop. For this particular spam report, I decided to
> deselect the Chinese contacts because they were based on the domain
> extracted from the URL but SpamCop used the wrong portion of that URL.
>

The & is invalid in a url -- however some versions of firefox, opera and safari will accept that url and bring it up as ntoslal.netsxwgzihurfngdush5utq4x.bramiadcjlj.com/ -- if you remove the ntoslal.net from the front of it you get to the same site.
And ping seems to handle it the same way as those browsers.

The nameservers for bramiadcjlj.com accept wildcards:

host sxwgzihurfngdush5utq4x.bramiadcjlj.com
sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 82.78.42.131
sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 218.7.112.241

host ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com
ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 82.78.42.131
ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com has address 218.7.112.241

host lskdejslkdjf.bramiadcjlj.com
lskdejslkdjf.bramiadcjlj.com has address 218.7.112.241
lskdejslkdjf.bramiadcjlj.com has address 82.78.42.131

The parse is finding the correct reporting address(es).

Ellen

From 79ytka802 at sneakemail.com Sat May 14 00:01:27 2005
From: 79ytka802 at sneakemail.com (Aviatrix)
Date: Fri May 13 18:05:05 2005
Subject: [SpamCop-List] Re: like i said
In-Reply-To:
References:
Message-ID:

Why are you all feeding the troll?

From spam at spam.no.not.spam Sat May 14 01:02:18 2005
From: spam at spam.no.not.spam (sparkle)
Date: Fri May 13 18:05:24 2005
Subject: [SpamCop-List] What's this mean?
Message-ID:

I just sent a spamcop report and the spamcop page reported:

To: abuse@above.net (refuses munged reports) (Notes)

The option to send a report was unchecked.

Out of interest, what is the explanation for that?

From nobody at devnull.spamcop.net Fri May 13 18:28:37 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 13 18:30:05 2005
Subject: [SpamCop-List] Re: What's this mean?
References:
Message-ID:

"sparkle" wrote in message news:d6385h$lg6$0@pita.alt.net...
> I just sent a spamcop report and the spamcop page reported:
>
> To: abuse@above.net (refuses munged reports) (Notes)
>
> Out of interest, what is the explanation for that?

http://www.spamcop.net/fom-serve/cache/75.html
specifically, the item "You've munged the header..."
http://www.spamcop.net/fom-serve/cache/267.html

From MikeE at ster.invalid Fri May 13 16:47:35 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 13 18:50:03 2005
Subject: [SpamCop-List] Re: What's this mean?
References:
Message-ID:

WazoO wrote:
> "sparkle" wrote in message
> news:d6385h$lg6$0@pita.alt.net...
>> I just sent a spamcop report and the spamcop page reported:
>>
>> To: abuse@above.net (refuses munged reports) (Notes)
>> Out of interest, what is the explanation for that?

The standard SC config is to 'SC munge' a standard SC report -- the concept being to hide the email addy of the reporter and to 'stand between' as an anonymizer for the reporter and replace the reporter with a report id #- by which issues can be responded to and resolved.

Some providers do not want to receive munged reports. One reason for that is because they look upon the evidence like 'legal' evidence and don't want it tampered with - they want the original in its entirety. So, the provider can register their insistence that they receive unmunged. See below - bottom.

If you are default configured to SC munge, the provider won't get your report. It still counts toward the SCbl about a source, the provider just doesn't receive the notify. If you choose to check the unchecked box, SC will ask you if you are sure that you want to unmunge and if you say yes, then that notified will get an unmunged report.

Some reporters choose to configure unmunge all of their reports.

> http://www.spamcop.net/fom-serve/cache/75.html
> specifically, the item "You've munged the header..."
> http://www.spamcop.net/fom-serve/cache/267.html

And those links are for the admins - the first the general admin faq page, and the 2nd is an explanation to an admin about the standard or default SC mungeing. It shows the admin where to go to have their preferences recorded about receiving munged headers or not. If the OP were an admin that would help them understand why they get a munged report.
-- 
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Fri May 13 20:00:18 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Fri May 13 19:05:02 2005
Subject: [SpamCop-List] Re: What's this mean?
In-Reply-To:
References:
Message-ID:

sparkle wrote:
> I just sent a spamcop report and the spamcop page reported:
>
> To: abuse@above.net (refuses munged reports) (Notes)
>
> The option to send a report was unchecked.
>
> Out of interest, what is the explanation for that?

If you are a paying member you have the option of always sending unmunged reports.

Otherwise the default is to send munged reports where spamcop.net attempts to remove information that would identify the specific e-mail address that was spammed.

This munging by spamcop is incomplete as spammers will often put codes in their spam to identify what address is complaining.

So if you check the box, above.net will get a copy of the spam that reveals the e-mail address that was spammed to them. Some reporters never mung their reports.

Now the importance of sending a munged report really depends if the notification is going to the spam source, which is usually an open proxy or to the host of the spamvertised website.

In the case of the spam source, if it is an open proxy, the network owner usually has no idea who the spammer is, so they can not pass it on to a spammer. So if you do not check the box, they will not get a notification that bandwidth is being stolen from them. (Some networks do not care, and just pass those extra costs on to their customers)

In the case of a web site, the network owner may just be passing on the complaints directly to the spammer instead of dealing with them. If they pass it on to the spammer instead of removing the spammer, that spammer may remove you from his lists that spamvertise their sites on that network and then sell your now validated e-mail address to other spammers.
Earthlink wants unmunged reports, but Earthlink publicly admits to suing spammers that spam through their network.

You will have to use your own judgment as to if you want to send an unmunged report or not.

If you use your favorite search engine for the ISP name and the words listwashing and spam, you may find what others think about that ISP.

-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at devnull.spamcop.net Fri May 13 19:26:36 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 13 19:30:03 2005
Subject: [SpamCop-List] Re: What's this mean?
References:
Message-ID:

"Mike Easter" wrote in message news:d63amc$55q$1@news.spamcop.net...
> WazoO wrote:
>
> > http://www.spamcop.net/fom-serve/cache/75.html
> > specifically, the item "You've munged the header..."
> > http://www.spamcop.net/fom-serve/cache/267.html
>
> And those links are for the admins - the first the general admin faq
> page, and the 2nd is an explanation to an admin about the standard or
> default SC mungeing. It shows the admin where to go to have their
> preferences recorded about receiving munged headers or not. If the OP
> were an admin that would help them understand why they get a munged
> report.

Ok fine ... I was attempting to offer the explanation for the action. If you believe it was just the word "mung" that was behind the query;
http://forum.spamcop.net/forums/index.php?showtopic=2530

From MikeE at ster.invalid Fri May 13 17:46:23 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 13 19:45:03 2005
Subject: [SpamCop-List] Re: What's this mean?
References:
Message-ID:

WazoO wrote:
> Ok fine ... I was attempting to offer the explanation for the action.
> If you believe it was just the word "mung" that was behind the query;
> http://forum.spamcop.net/forums/index.php?showtopic=2530

That link shows the glossary including for munged

Oh, I get it, perhaps you and I read her query differently.
Maybe you interpreted it as her not knowing what munge meant, or maybe what a munged report meant.

I interpreted her as meaning that she didn't understand why SC was unchecking the box and not wanting to send a report. That is, she was asking what she should do based on asking what that meant. Reposting her at the bottom.

It seemed to me that she would be wondering if she should check the box.

That forum link would help her with an understanding of generic munge [my choice of the words] -- but not about what to do when SC presents her with her options to respond for the report.

sparkle wrote:
Subject: What's this mean?
> I just sent a spamcop report and the spamcop page reported:
>
> To: abuse@above.net (refuses munged reports) (Notes)
>
> The option to send a report was unchecked.
>
> Out of interest, what is the explanation for that?

-- 
Mike Easter
kibitzer, not SC admin

From spam at spam.no.not.spam Sat May 14 02:56:46 2005
From: spam at spam.no.not.spam (sparkle)
Date: Fri May 13 20:00:03 2005
Subject: [SpamCop-List] Re: What's this mean?
References:
Message-ID:

Mike Easter MikeE@ster.invalid, wrote in message 63e4j$79j$1@news.spamcop.net:
> WazoO wrote:
>> Ok fine ... I was attempting to offer the explanation for the action.
>> If you believe it was just the word "mung" that was behind the query;
>> http://forum.spamcop.net/forums/index.php?showtopic=2530
>
> That link shows the glossary including for munged
>
> Oh, I get it, perhaps you and I read her query differently. Maybe you
> interpreted it as her not knowing what munge meant, or maybe what a
> munged report meant.
>
> I interpreted her as meaning that she didn't understand why SC was
> unchecking the box and not wanting to send a report. That is, she was
> asking what she should do based on asking what that meant. Reposting
> her at the bottom.

:) xxx

>> The option to send a report was unchecked.
>>
>> Out of interest, what is the explanation for that?
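[Added example, not part of any list post and not SpamCop's parser code. It goes with the thread "Why can't Spamcop's parser find URL links in body?" above: it applies both readings of an illegal "&" in a URL host to the string Vanguard gave to ping, and models the wildcard answers in Ellen's host output. The function names, the two-label base-domain rule and the zone table are assumptions made for this example.]

```python
import re

# Host string exactly as Vanguard passed it to ping (taken from the thread).
SAMPLE_URL = "http://kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com/"

# Constructed model of the zone behind Ellen's `host` output: every name
# under bramiadcjlj.com came back with the same two addresses.
WILDCARD_ZONE = {"*.bramiadcjlj.com": ("82.78.42.131", "218.7.112.241")}

LEGAL = "a-z0-9.-"  # characters allowed in a dotted hostname


def authority(url):
    """Raw host part of a URL: scheme, userinfo, port and path removed."""
    rest = url.split("://", 1)[-1]
    rest = re.split(r"[/?#]", rest, maxsplit=1)[0]  # host ends at /, ? or #
    rest = rest.rsplit("@", 1)[-1]                  # drop userinfo
    return rest.split(":", 1)[0].lower()            # drop port


def truncate_at_illegal(host):
    """Reading 1: stop at the first character that is illegal in a hostname."""
    return re.match(f"[{LEGAL}]*", host).group(0).strip(".")


def drop_illegal(host):
    """Reading 2: discard illegal characters and join what is left, the
    behaviour Ellen reports for some browsers."""
    return re.sub(f"[^{LEGAL}]", "", host).strip(".")


def base_domain(host):
    """Last two labels. Assumption: no public-suffix list is consulted, so
    names under multi-label suffixes such as co.uk need a real suffix list."""
    return ".".join(host.split(".")[-2:])


def resolve(name, zone=WILDCARD_ZONE):
    """Simplified wildcard lookup: exact match first, then *.parent going up."""
    name = name.lower().rstrip(".")
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        hit = zone.get("*." + ".".join(labels[i:]))
        if hit:
            return hit
    return ()


def candidates(url):
    """Both readings of the host, their base domains, and a flag that is set
    when the readings name different domains."""
    raw = authority(url)
    first, joined = truncate_at_illegal(raw), drop_illegal(raw)
    return {
        "raw": raw,
        "truncated": first,
        "joined": joined,
        "truncated_base": base_domain(first),
        "joined_base": base_domain(joined),
        "ambiguous": base_domain(first) != base_domain(joined),
    }


if __name__ == "__main__":
    for key, value in candidates(SAMPLE_URL).items():
        print(f"{key:15} {value}")
    # Names from Ellen's post: each one falls under the same wildcard.
    for name in ("sxwgzihurfngdush5utq4x.bramiadcjlj.com",
                 "ntoslal.net.sxwgzihurfngdush5utq4x.bramiadcjlj.com",
                 "lskdejslkdjf.bramiadcjlj.com"):
        print(name, resolve(name))
```

[When "ambiguous" is true the two readings name different domains, so the reporting address depends on which reading the recipient's mail client or browser follows; under a wildcard zone any prefix in front of the base domain resolves the same way.]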
From nobody at devnull.spamcop.net Fri May 13 21:13:18 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri May 13 20:15:04 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: ... > > Please stop feeding this troll. ===> You just added food for the troll by virtue of this post. > > Replying to their posts and taking them seriously > only gives them new > fuel to add to their fire, and sooner or later, you > will find yourself > under a barrage of personal attacks and flames. ===> Is that a threat? Do you REALLY think I'll respond to your threats in the way you want me to? The only way to deal > with trolls is just to ignore them and to go about > your business having > fun talking with other people on Usenet. ===> Check the name of this newsgroup. Forget about the trolls and > they will not bother you again. ===> Oh, I didn't know that! U sure are smart. > > http://www.usenet.com/articles/usenet_trolls.htm ===> Bye, to you, too. From nobody at devnull.spamcop.net Fri May 13 20:29:12 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Fri May 13 20:30:21 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: "Mike Easter" wrote in message news:d63e4j$79j$1@news.spamcop.net... > > I interpreted her as meaning that she didn't understand why SC was > unchecking the box and not wanting to send a report. That is, she was > asking what she should do based on asking what that meant. Reposting > her at the bottom. > > It seemed to me that she would be wondering if she should check the box. I interpreted it the same way, that's why I offered the link to the explanation "behind the (unchecked) box amd message" Bottom line, sparkle appears to be happy at this point. From MikeE at ster.invalid Fri May 13 18:40:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 20:40:04 2005 Subject: [SpamCop-List] Re: What's this mean? 
References:
Message-ID:

WazoO wrote:
> "Mike Easter"
>> It seemed to me that she would be wondering if she should check the
>> box.
>
> I interpreted it the same way, that's why I offered the link to
> the explanation "behind the (unchecked) box and message"

Yabbut; the faq doesn't really have an item aimed at the reporter about this. Those faq links are aimed at admins. I looked around for something in the faq, but actually the best place would've been the section in Preferences: Spam Munging

> Bottom line, sparkle appears to be happy at this point.

Yes. She could also go visit her Preferences section. It sez it in a lot fewer words than I did.

-- 
Mike Easter
kibitzer, not SC admin

From spamtrap at secnap.net Fri May 13 22:10:04 2005
From: spamtrap at secnap.net (Michael Scheidell)
Date: Fri May 13 21:10:03 2005
Subject: [SpamCop-List] forged dates fool spamcop?
Message-ID:

looks like a forged date fools spamcop.
I have had about 10 like this (last 10 I tried to report)

if spammer puts a date 3 days ago in email, spamcop won't list it.
it WAS sent at 20:38:42 EDT, wasn't it?

or it took 15 days to travel 25 meters from one host on the same network to another.
(does anyone requeue email up for 15 days?)
Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk [62.79.79.29])
    by 0.mail.spammertrap.net (Postfix) with ESMTP id 2BF3018F3B7
    for ; Fri, 13 May 2005 20:38:42 -0400 (EDT)
Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159])
    by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728;
    Tue, 26 Apr 2005 14:24:04 +0200 (CEST)

>From x Fri May 13 20:38:48 2005
Return-Path:
X-Original-To: spamtrap
Received: by mail.secnap.net (Postfix, from userid 1001)
    id 3157E2066; Fri, 13 May 2005 20:38:48 -0400 (EDT)
X-Original-To: x
Received: from 0.mail.spammertrap.net (feci.hackertrap.net [10.80.0.94])
    by mail.secnap.net (Postfix) with ESMTP id F40CB205E
    for ; Fri, 13 May 2005 20:38:47 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
    by 0.mail.spammertrap.net (Postfix) with ESMTP id B228918F3BE
    for ; Fri, 13 May 2005 20:38:47 -0400 (EDT)
Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk [62.79.79.29])
    by 0.mail.spammertrap.net (Postfix) with ESMTP id 2BF3018F3B7
    for ; Fri, 13 May 2005 20:38:42 -0400 (EDT)
Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159])
    by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728;
    Tue, 26 Apr 2005 14:24:04 +0200 (CEST)
    (envelope-from x)
Received: from [213.255.201.15] by cpmail.dk.tiscali.com with HTTP;
    Tue, 26 Apr 2005 06:03:38 +0200
Date: Tue, 26 Apr 2005 05:03:38 +0100
Message-ID: <421E________FE57@cpfe9.be.tisc.dk>
From: "walter smith"
Subject: respond a.s.a.p if you love yourself and family
Reply-To: agent06_larry@excite.com
To: x
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

From MikeE at ster.invalid Fri May 13 19:44:51 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 13 21:45:03 2005
Subject: [SpamCop-List] Re: forged dates fool spamcop?
References:
Message-ID:

Michael Scheidell wrote:
> looks like a forged date fools spamcop.
> I have had about 10 like this (last 10 I tried to report)

Usually the cause of too old disturbances is /not/ forged date fooling SC -- but something else. In this case tiscali => spammertrap

The best way to talk about a parsing is to post a tracker which is at the top of the parse and looks like this:

http://www.spamcop.net/sc?id=z763240921z1e2e4e0fdf57d5e2399e5b1d749ad2b9z

That is the tracker for the parse of the body-less headers you posted here. Much better. It doesn't say the item is too old and wants to name the source as 213.255.201.15 rDNS mel.cool-talk.us which is SCbl listed and spews and others.

Abbreviated Received lines
*comment

from (feci.hackertrap.net [10.80.0.94]) by mail.secnap.net
*serves you
from localhost (localhost [127.0.0.1]) by 0.mail.spammertrap.net
*serves you
from (smarthost3.tiscali.dk [62.79.79.29]) by 0.mail.spammertrap.net 13 May
*serves you
from (mail.tiscali.dk [212.54.64.159]) by smarthost3.tiscali.dk 26 Apr
*serves you, timestamp
from [213.255.201.15] by cpmail.dk.tiscali.com
*sourceline

Those comments are based on the SC interpretation that the relays of spammertrap and tiscali are trusted to be servers. The tiscali servers are listed for hitting spamtraps; but that doesn't keep them from being trusted to be servers.

The timestamp discrepancy resides between when tiscali received the item from the .ng source.

I have no way of knowing what your mailhost configuration is. That item has headers which appear to have been sent from the .ng source to tiscali to spammertrap to you. Unfortunately some of the clues which might be derived from the body are missing.

You are proposing that the item actually originated at the tiscali smarthost IP and that the bottom 2 lines are forged. I think it originated in from the .ng IP and got stuck in the tiscali system. There are items almost identical to that one in sightings which do not have the timestamp discrepancy.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri May 13 19:48:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 13 21:50:05 2005 Subject: [SpamCop-List] Re: forged dates fool spamcop? References: Message-ID: Mike Easter wrote: > The timestamp discrepancy resides between when tiscali received the > item from the .ng source. Oops. I didn't finish the sentence. The 17 day timestamp discrepancy resides between when tiscali received the item from the .ng source and when it sent it on to spammertrap. -- Mike Easter kibitzer, not SC admin From agent01413 at my-deja.com Sat May 14 03:15:23 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Fri May 13 22:20:04 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: sparkle wrote in news:d6385h$lg6$0@pita.alt.net: > I just sent a spamcop report and the spamcop page reported: > > To: abuse@above.net (refuses munged reports) (Notes) > > The option to send a report was unchecked. > > Out of interest, what is the explanation for that? rather than cutting down abuse by terminating spammers, above.net wants to reduce abuse complaints by helping its spammers list wash. if you send munged reports, they can't list wash. The address I use to report spam manually is not the address I use to receive spam, so i just manually report those with addresses elided without spamcop's help. -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From nobody at spamcop.net Fri May 13 20:31:18 2005 From: nobody at spamcop.net (N. Miller) Date: Fri May 13 22:35:03 2005 Subject: [SpamCop-List] Re: comcast "selling" illegal cable descramblers References: Message-ID: <18p5qu5w31fdi$.dlg@news.spamcop.net> On Fri, 13 May 2005 11:32:46 -0400, eddie wrote: > Besides being ironic, I wonder if one could use the comcast spew as a > defense for using such an illegal device. 
Showing that the spam promoting > the device came from comcast might be considered that comcast is promoting > it. You could claim you thought it was a comcast advertisement. > It's funny, at least to me. I doubt it, but you failed to include a tracker for the spam item that you think is a Comcast spew. My guess is that a Comcast customer's computer with a spamming proxy was used to promote a site not hosted by Comcast. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:44:52 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Sat May 14 00:45:04 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: Aviatrix wrote: > Why are you all feeding the troll? because they are fucking stupid? i think they have a problem with free speach whether they agree or not. freedom of speach is a given right to every man, woman, mutant or whatever. if you don't like it, you are cordially invited to KISS MY ARSE. From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:48:55 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Sat May 14 00:50:02 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Pop wrote: > ... >> >> Please stop feeding this troll. > ===> You just added food for the troll by virtue of > this post. >> >> Replying to their posts and taking them seriously >> only gives them new >> fuel to add to their fire, and sooner or later, you >> will find yourself >> under a barrage of personal attacks and flames. > ===> Is that a threat? Do you REALLY think I'll > respond to your threats in the way you want me to? > > The only way to deal >> with trolls is just to ignore them and to go about >> your business having >> fun talking with other people on Usenet. > ===> Check the name of this newsgroup. > Forget about the trolls and >> they will not bother you again. 
> ===> Oh, I didn't know that! U sure are smart. >> >> http://www.usenet.com/articles/usenet_trolls.htm ===> Bye, to you, >> too. BAAAAAAHAHAHAHHAHAHAHAHA!! what a maroon if you hate free speach so much, why don't you live in say cuba? From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:49:58 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Sat May 14 00:55:03 2005 Subject: [SpamCop-List] Re: forged dates fool spamcop? References: Message-ID: Michael Scheidell wrote: > looks like a forged date fools spamcop. > I have had about 10 like this (last 10 I tried to report) > > > if spammer puts a date 3 days ago in email, spamcop won't list it. > it WAS sent at 20:38:42 EDT, wasn't it? > > or it took 15 days to travel 25 meters from one host on the same > network to another. > (does anyone requeue email up for 15 days?) > > > Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk > [62.79.79.29]) by 0.mail.spammertrap.net (Postfix) with ESMTP id > 2BF3018F3B7 for ; Fri, 13 May 2005 20:38:42 -0400 (EDT) > Received: from cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159]) > by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728; > Tue, 26 Apr 2005 14:24:04 +0200 (CEST) > > > From x Fri May 13 20:38:48 2005 > Return-Path: > X-Original-To: spamtrap > Received: by mail.secnap.net (Postfix, from userid 1001) > id 3157E2066; Fri, 13 May 2005 20:38:48 -0400 (EDT) > X-Original-To: x > Received: from 0.mail.spammertrap.net (feci.hackertrap.net > [10.80.0.94]) by mail.secnap.net (Postfix) with ESMTP id F40CB205E > for ; Fri, 13 May 2005 20:38:47 -0400 (EDT) > Received: from localhost (localhost [127.0.0.1]) > by 0.mail.spammertrap.net (Postfix) with ESMTP id B228918F3BE > for ; Fri, 13 May 2005 20:38:47 -0400 (EDT) > Received: from smarthost3.tiscali.dk (smarthost3.tiscali.dk > [62.79.79.29]) by 0.mail.spammertrap.net (Postfix) with ESMTP id > 2BF3018F3B7 for ; Fri, 13 May 2005 20:38:42 -0400 (EDT) > Received: from 
cpmail.dk.tiscali.com (mail.tiscali.dk [212.54.64.159]) > by smarthost3.tiscali.dk (8.13.1/8.13.1) with ESMTP id j3QCO4WA088728; > Tue, 26 Apr 2005 14:24:04 +0200 (CEST) > (envelope-from x) > Received: from [213.255.201.15] by cpmail.dk.tiscali.com with HTTP; > Tue, 26 Apr 2005 06:03:38 +0200 > Date: Tue, 26 Apr 2005 05:03:38 +0100 > Message-ID: <421E________FE57@cpfe9.be.tisc.dk> > From: "walter smith" > Subject: respond a.s.a.p if you love yourself and family > Reply-To: agent06_larry@excite.com > To: x > MIME-Version: 1.0 > Content-Type: text/plain; charset="US-ASCII" > Content-Transfer-Encoding: 7bit oh fuck me dead, you are an anal retentive fuck aren't you From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:51:31 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Sat May 14 00:55:16 2005 Subject: [SpamCop-List] Re: Spam Gang (DOH) References: Message-ID: Schmide wrote: > http://www.theinquirer.net/?article=23212 > > The wheels of justice turn slooooooow OH MY, this will never stick From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 00:52:57 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Sat May 14 00:55:22 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: sparkle wrote: > I just sent a spamcop report and the spamcop page reported: > > To: abuse@above.net (refuses munged reports) (Notes) > > The option to send a report was unchecked. > > Out of interest, what is the explanation for that? no one give a fuck? From none.of at your.biz Fri May 13 23:25:01 2005 From: none.of at your.biz (R. Asby Dragon) Date: Sat May 14 01:30:04 2005 Subject: [SpamCop-List] Re: comcast "selling" illegal cable descramblers In-Reply-To: <18p5qu5w31fdi$.dlg@news.spamcop.net> References: <18p5qu5w31fdi$.dlg@news.spamcop.net> Message-ID: N. 
Miller wrote: > On Fri, 13 May 2005 11:32:46 -0400, eddie wrote: > > >>Besides being ironic, I wonder if one could use the comcast spew as a >>defense for using such an illegal device. Showing that the spam promoting >>the device came from comcast might be considered that comcast is promoting >>it. You could claim you thought it was a comcast advertisement. >>It's funny, at least to me. > > > I doubt it, but you failed to include a tracker for the spam item that you > think is a Comcast spew. My guess is that a Comcast customer's computer > with a spamming proxy was used to promote a site not hosted by Comcast. > Methinks that was what the OP was implying.... From usenet2 at DE.LETE.THISljvideo.com Sat May 14 06:39:17 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Sat May 14 01:40:04 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Waiving the right to remain silent, Kadaitcha Man said: > Berny, , the gripping, vegetarian lost > soul, and minor, worthless author of usenet posts, noted: > >> tracker: >> >> >677c7b1z>h >> ttp://www.spamcop.net/sc?id=z762673943zf424b2a95bd2ccec629d75ff7 >> 677c7b1z >> >> tracert at home gave the same result for >> www.xlyrl.locationspots.com >> >> I checked with DNS stuff and the nameservice resolves to that, >> >> is that a new way to shut down a website? or a "new" way to >> attack a vulnerable computer? > > Check your fucking hosts file, you dumb cunt. What's this asshole doing here..? In case you don't know, "Kadaitcha Man" is an Aussie who swoops in on various forums and usenet news groups with comments like the one here. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong. From usenet2 at DE.LETE.THISljvideo.com Sat May 14 06:40:48 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) 
Date: Sat May 14 01:45:02 2005 Subject: [SpamCop-List] Re: like i said References: Message-ID: Waiving the right to remain silent, "sbb78247" said: > Aviatrix wrote: >> Why are you all feeding the troll? > > because they are fucking stupid? > > i think they have a problem with free speach whether they agree > or not. freedom of speach is a given right to every man, woman, > mutant or whatever. if you don't like it, you are cordially > invited to KISS MY ARSE. Aw, go clean up your chicken bones, you little loser. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong. From usenet2 at DE.LETE.THISljvideo.com Sat May 14 06:41:25 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Sat May 14 01:45:14 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Waiving the right to remain silent, "Ron B." said: > Replying to their posts and taking them seriously only gives > them new fuel to add to their fire, and sooner or later, you > will find yourself under a barrage of personal attacks and > flames. The only way to deal with trolls is just to ignore them > and to go about your business having fun talking with other > people on Usenet. Forget about the trolls and they will not > bother you again. Aw, this one is particularly fun to slap around... -- Larry J. - Remove spamtrap in ALLCAPS to e-mail The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong. From nospam at fuck-off-and-die.com Sat May 14 12:37:54 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Sat May 14 01:55:02 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: Larry J., , the blasted, thrown and twisted measle, and person who wears tents because no regular clothes will fit, incited: > What's this asshole doing here..? Oh, so that's why you remind me of Cyclops. 
From nobody at nowhere.invalid Sat May 14 12:36:08 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat May 14 05:40:27 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: On Fri, 13 May 2005 15:47:35 -0700, Mike Easter coughed into spamcop and left this in : > Some providers do not want to receive munged reports. One reason for > that is because they look upon the evidence like 'legal' evidence and > don't want it tampered with With above.net that's hardly likely to be the case. above.net is a well-known sewer that more than likely wants to pass full details on to their pet spammers so that they can listwash. "Legal evidence" doesn't come into the equation because the last place above.net wants to be is in a court. http://groups-beta.google.com/group/news.admin.net-abuse.sightings/search?q=above.net&scoring=d -- Steve Computers are like air conditioners They stop working properly when you open Windows From nobody at nowhere.invalid Sat May 14 12:40:33 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat May 14 05:45:04 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: On Fri, 13 May 2005 19:00:18 -0400, John E. Malmberg coughed into spamcop and left this in : > In the case of a the spam source, if it is an open proxy, the network > owner usually has no idea who the spammer is, so they can not pass it > on to a spammer. So if you do not check the box, they will not get a > notification that bandwidth is being stolen from them. If the network's main concern is bandwidth being stolen then they couldn't care less about the spammed e-mail address and there's no justification for them wanting unmunged reports. > Earthlink wants unmunged reports, but Earthlink publicly admits to suing > spammers that spam through their network. And that's why Earthlink is the only network to which I send unmunged reports. 
-- Steve Sign spotted in a Laundromat: AUTOMATIC WASHING MACHINES: PLEASE REMOVE ALL YOUR CLOTHES WHEN THE LIGHT GOES OUT From nobody at nowhere.invalid Sat May 14 12:44:15 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat May 14 05:45:18 2005 Subject: [SpamCop-List] Re: wierd website resolving to 127.0.0.1! References: Message-ID: On Sat, 14 May 2005 05:39:17 +0000 (UTC), Larry J. coughed into spamcop and left this in in response to a missive from Kadaitcha Troll: > What's this asshole doing here..? Being invisible until someone pokes a hole in the killfile :) -- Steve The average nutritional value of promises is roughly zero. From bar_n0ne at hotmail.com Sat May 14 14:48:04 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat May 14 05:50:03 2005 Subject: [SpamCop-List] Re: What's this mean? References: Message-ID: "Steven Maesslein" wrote in message news:slrnd8bhk8.3f5.nobody@127.0.0.1... > On Fri, 13 May 2005 15:47:35 -0700, Mike Easter coughed into spamcop and > left this in : > > > Some providers do not want to receive munged reports. One reason for > > that is because they look upon the evidence like 'legal' evidence and > > don't want it tampered with > > With above.net that's hardly likely to be the case. above.net is a > well-known sewer that more than likely wants to pass full details on to > their pet spammers so that they can listwash. "Legal evidence" doesn't > come into the equation because the last place above.net wants to be is > in a court. > > http://groups-beta.google.com/group/news.admin.net-abuse.sightings/search?q=above.net&scoring=d > > -- > Steve > > Computers are like air conditioners > They stop working properly when you open Windows I see no evidence of listwashing, I do see better and better forgeries of received lines and better evasion of spam scoring systems.
From nobody at devnull.spamcop.net Sat May 14 06:50:28 2005 From: nobody at devnull.spamcop.net (Peter) Date: Sat May 14 05:55:03 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: sbb, if you have all this time to waste why don't you learn how to spell at an English class? The word is S P E E C H . "sbb78247" wrote in message news:d653b2.2d0.1@133.256.1.103.MISMATCH... > Pop wrote: >> ... >>> >>> Please stop feeding this troll. >> ===> You just added food for the troll by virtue of >> this post. >>> >>> Replying to their posts and taking them seriously >>> only gives them new >>> fuel to add to their fire, and sooner or later, you >>> will find yourself >>> under a barrage of personal attacks and flames. >> ===> Is that a threat? Do you REALLY think I'll >> respond to your threats in the way you want me to? >> >> The only way to deal >>> with trolls is just to ignore them and to go about >>> your business having >>> fun talking with other people on Usenet. >> ===> Check the name of this newsgroup. >> Forget about the trolls and >>> they will not bother you again. >> ===> Oh, I didn't know that! U sure are smart. >>> >>> http://www.usenet.com/articles/usenet_trolls.htm ===> Bye, to you, >>> too. > > > BAAAAAAHAHAHAHHAHAHAHAHA!! what a maroon > > if you hate free speach so much, why don't you live in say cuba? > > From nobody at nowhere.invalid Sat May 14 13:54:06 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat May 14 06:55:04 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: On Sat, 14 May 2005 05:50:28 -0400, Peter coughed into spamcop and left this in : > sbb, if you have all this time to waste why don't you learn how to spell at > an English class? > The word is S P E E C H Guys'n'gals, please just ignore the troll. .:\:/:. +-------------------+ .:\:\:/:/:. | PLEASE DO NOT | :.:\:\:/:/:.: | FEED THE TROLLS | :=.' 
- - '.=: | | '=(\ 9 9 /)=' | Thank you, | ( (_) ) | Management | /`-vvv-'\ +-------------------+ / \ | | @@@ / /|,,,,,|\ \ | | @@@ /_// /^\ \\_\ @x@@x@ | | |/ WW( ( ) )WW \||||/ | | \| __\,,\ /,,/__ \||/ | | | jgs (______Y______) /\/\/\/\/\/\/\/\//\/\\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\ -- Steve Linux: the choice of a GNU generation -- ksh @ cis . ufl . edu put this on Tshirts in '93 From nospam at fuck-off-and-die.com Sat May 14 18:21:33 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Sat May 14 07:40:04 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Peter, , the stigmatic, cast-off ratsbane, and ankle biter, yapped: > sbb, if you have all this time to waste why don't you learn how to > spell at an English class? > The word is S P E E C H Now, see? You too are an anti-free speech nazi. If you truly believed in free speech, you would not have spell lamed, you fucktard cunt. From MikeE at ster.invalid Sat May 14 07:42:27 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 14 09:45:02 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Steven Maesslein wrote: > Guys'n'gals, please just ignore the troll. People who don't ignore trolls cause more trouble than the trolls. When things get bad, I just kf all the people who respond to them. -- Mike Easter kibitzer, not SC admin From spamcop-news.5.rafael at spamgourmet.com Sat May 14 17:18:17 2005 From: spamcop-news.5.rafael at spamgourmet.com (rafael) Date: Sat May 14 10:20:08 2005 Subject: [SpamCop-List] p***.dip.t-dialin.net abuse contact Message-ID: Spamcop always comes up with abuse -at- t-ipnet.de (Deutsche Telekom) as abuse contact for dip.t-dialin.net. From my understanding, t-ipnet.de is associated with the upstream provider for the actual German ISP T-Online.de. t-ipnet.de always replies to reports with the remark that the message has been forwarded to the T-Online abuse desk and that you can see for yourself from the IP that it belongs to T-Online. 
Wouldn't it be better to have the reports sent to T-Online directly? Rafael Example: http://www.spamcop.net/sc?id=z763418515zeb8295e6bee98b982a0eabb106f323ffz From MikeE at ster.invalid Sat May 14 09:02:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 14 11:00:06 2005 Subject: [SpamCop-List] Re: p***.dip.t-dialin.net abuse contact References: Message-ID: rafael wrote: > Example: www.spamcop.net/sc?id=z763418515zeb8295e6bee98b982a0eabb106f323ffz Source: 84.179.243.136 rDNS p54B3F388.dip.t-dialin.net inetnum: 84.136.0.0 - 84.191.255.255 descr: Deutsche Telekom AG admin-c: DTIP = ripe.dtip@telekom.de tech-c: DTST = abuse@t-ipnet.de > Spamcop always comes up with abuse -at- t-ipnet.de (Deutsche Telekom) > as abuse contact for dip.t-dialin.net. From my understanding, > t-ipnet.de is associated with the upstream provider for the actual > German ISP T-Online.de. SC is going to derive its notify from the admin/tech or the abuse.net lookup on the admintech domainname. > t-ipnet.de always replies to reports with the remark that the message > has been forwarded to the T-Online abuse desk and that you can see > for yourself from the IP that it belongs to T-Online. .. and, in fact, if you use abuse.net's reg'd on the rDNS of the IP you get whois -h whois.abuse.net p54b3f388.dip.t-dialin.net ... abuse@t-dialin.net (for t-dialin.net) > Wouldn't it be better to have the reports sent to T-Online directly? If you mean abuse@t-online.de or even -- you would have to argue that point in routing. The way routing handles an issue in which the advice is to notify differently because there is 'something wrong with' the formulaic notify mechanism is to take some netblock and notify for it differently. Exactly which netblock are you suggesting be notified differently? That is, your argument can't be that 'if an IP rDNSes to t-dialin.net then SC should notify abuse@t-online.de' - because that isn't how the algorithm works. 
The algorithm takes the IP to the appropriate RIR, in this case ripe, and determines the contacts. If there is going to be a special routing entered into the routing db, it would have to be based on some 'family' of IPs. I don't see the family of IPs you would have in mind about the dialin; but if you come up with some subset of Deutsche Telekom or if you believe that entire /10 above 84.136.0.0 - 84.191.255.255 should be notified as t-online then you would argue it in the routing ng. I don't know that there is very much wrong with letting abuse desks route certain issues to 'their' preferred desks. If they feel something is a very separate entity, they can always change the way they have it structured in ripe. -- Mike Easter kibitzer, not SC admin From sbb78247 at stilldon'tfuckincare.invalid Sat May 14 12:12:26 2005 From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247) Date: Sat May 14 12:15:06 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: Larry J. wrote: > Waiving the right to remain silent, "Ron B." > said: > >> Replying to their posts and taking them seriously only gives >> them new fuel to add to their fire, and sooner or later, you >> will find yourself under a barrage of personal attacks and >> flames. The only way to deal with trolls is just to ignore them >> and to go about your business having fun talking with other >> people on Usenet. Forget about the trolls and they will not >> bother you again. > > Aw, this one is particularly fun to slap around... is that what you say to your willy while you are wanking? From kjz at despammed.com Sat May 14 22:19:11 2005 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Sat May 14 15:20:19 2005 Subject: [SpamCop-List] Re: p***.dip.t-dialin.net abuse contact In-Reply-To: References: Message-ID: rafael wrote: > Spamcop always comes up with abuse -at- t-ipnet.de (Deutsche Telekom) as > abuse contact for dip.t-dialin.net. 
From my understanding, t-ipnet.de is > associated with the upstream provider for the actual German ISP T-Online.de. Yes, this should be better. It's all the German Telekom, but T-Ipnet normally are IPs given from an IP-pool to different resellers; dip... (Dial In Pool) are the IPs used as a pool for T-Online, a daughter company of Telekom. And the latter has the abuse desk at abuse (at) t-online.de. abuse (at) t-ipnet.de is another abuse desk which will forward the mails to abuse (at) t-online.de but this will introduce a delay of a few days. And yes, the Ripe records of Telekom are not always correct and no, they will not change it because of Spamcop. - kjz From nobody at devnull.spamcop.net Sat May 14 22:46:33 2005 From: nobody at devnull.spamcop.net (Fernando) Date: Sat May 14 17:50:06 2005 Subject: [SpamCop-List] "Cannot resolve http://www.promovendas.org" Message-ID: Just faced this issue and that's occurring with other (major) spamvertized sites coming from Brazil. Resolving link obfuscation http://www.promovendas.org host www.promovendas.org (checking ip) ip not found ; www.promovendas.org discarded as fake. Tracking link: http://www.promovendas.org [report history] Cannot resolve http://www.promovendas.org By the time of this report, the above site is alive and well, doing what it does best, selling crap goods. www.promovendas.org is 200.223.52.21 and contacts are: -(1)- abuse@telemar.net.br (sadly) -(2)- hostmaster@dialserver.com (probably spam friendly host) Sincerely, Fernando.
From MikeE at ster.invalid Sat May 14 16:54:01 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 14 18:55:04 2005 Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org" References: Message-ID: Fernando wrote: > Cannot resolve http://www.promovendas.org I don't know if you have any interest in researching some of these issues, but I think they are educational; and one of the main reasons I started messing around with the hobby or sport of spamfighting was for its educational value. First, there's the issue of 'watching' SC try to resolve that. If you put the naked url into the parser, you can see SC sit there and work on something for quite a number of seconds. That tells you something about what is going on in the background.. Then, if you want, you can resolve it yourself, and depending upon what kind of tool you are using, you get certain information. For example, my simple tool tells me that it doesn't have a 'straight' A address, but instead it has a CNAME which has an A address. 05/14/05 15:34:14 dns www.promovendas.org Mail for www.promovendas.org is handled by smtp.promovendas.org mail.promovendas.org Canonical name: promovendas.org Aliases: www.promovendas.org Addresses: 200.223.52.21 But then, things start getting much more informative when you use the better tools at DNS stuff. The two I like for this kinda stuff are the dns timing and the dns report -- because they show me all kinds of pieces and parts to the information. Here's the dns timing: http://www.dnsstuff.com/tools/dnstime.ch?name=www.promovendas.org&type=A I don't want to paste in everything that is available there, and the tables are a little trouble too Time to look up www.promovendas.org A record Looking up at ns4.pontonews.net.... [Had to look up A record for ns4.pontonews.net; assume +200ms]...Reports 2 A record(s). 445ms. Looking up at ns3.pontonews.net.... [Had to look up A record for ns3.pontonews.net; assume +200ms]...Reports 2 A record(s). 6060ms. 
Average of all 2 nameservers: 3252ms (plus 297ms overhead). Score: F Took off 3 points for ".org" TLD (extra lookups may be required to find the parent servers). Took off 8 points for having no glue at a parent server [adds 2 extra packets to lookup]. Took off 6 points for having no glue for ns4.pontonews.net [adds 2 extra packets to lookup]. Took off 2 points since ns4.pontonews.net allows recursive lookups (if lots of people are using the server, it can slow down). Took off 6 points for having no glue for ns3.pontonews.net [adds 2 extra packets to lookup]. Took off 2 points since ns3.pontonews.net allows recursive lookups (if lots of people are using the server, it can slow down). Took off 3 points for having a CNAME (www.promovendas.org is really promovendas.org., which could potentially cause extra lookups). Took off 25 points for >700ms average response time. That timing is a 'reflection' or a different point of view of the kind of information you can get at the dnsreport which is similarly affected by the problems with the nameservice http://www.dnsreport.com/tools/dnsreport.ch?domain=www.promovendas.org DNS Report for promovendas.org Which is especially 'good' [ie interesting/bad] in the nameserver section FAIL Missing (stealth) nameservers FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNS Report will not query these servers, so you need to be very careful that they are working roperly. -- ns2.dialserver.com.br. -- ns1.dialserver.com.br. 
-- This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example). And there's some more about problems with the stealths FAIL Stealth NS record leakage Your DNS servers leak stealth information in non-NS requests: Stealth nameservers are leaked [ns1.dialserver.com.br.]! Stealth nameservers are leaked [ns2.dialserver.com.br.]! This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries. So, you can see that the nameservice for that url is a mess. Whether or not it intentionally blocks spamcop or if it is just too overall pokey can't be determined from our observations. -- Mike Easter kibitzer, not SC admin From hans at salvisberg.invalid Sun May 15 04:39:30 2005 From: hans at salvisberg.invalid (Hans Salvisberg) Date: Sat May 14 21:30:11 2005 Subject: [SpamCop-List] Re: secure pop? In-Reply-To: References: Message-ID: Ilgaz wrote: > On 2005-05-10 19:38:02 +0300, Hans Salvisberg > said: >> Can you quick-report and/or queue for reporting from a Held Email IMAP >> folder? > > There is this page: (sign in) > http://mailsc.spamcop.net/ > > You will see "held mail" tab. I guess its fine for you. Yes, I'm using that for my primary account. In fact, I have it open in a tab in Firefox at all times. However, I also manage a second SC account (for a non-profit organization). I don't know if I could have two browser tabs open, logged into two different accounts at the same time, but I don't really want to anyway, because the second account only gets one or two pieces of spam per day, so it's not worth it. 
Here's where IMAP comes in: that second account is set to forward to a different domain (where a non-tech person takes care of the legitimate messages), so the Inbox is always empty, but I can use IMAP to check the Held Mail folder. My task is to occasionally check the Held Mail folder and make sure that no false positives are trapped. If I feel the urge, I also report the spam, if it's not too old yet. Checking the Held Mail is very efficient with IMAP and Thunderbird: just click the folder and TB will log in and show what's there. However, I haven't found a way to do any of the operations that http://mailsc.spamcop.net/ offers, except for Delete. > ps: A good IMAP client can also move the (spam) messages to held mail > from your inbox without touching anything in message but I am not sure > how efficient it is compared to web based marking from your inbox in > webmail or equal. Interesting! I tried doing it the other way: I dragged a (false positive) message from Held Mail to the Inbox, but it stays there instead of being forwarded. For anything but Delete I have to log in manually, which is a pain... Hans From none.of at your.biz Sat May 14 20:27:06 2005 From: none.of at your.biz (R. Asby Dragon) Date: Sat May 14 22:30:04 2005 Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org" In-Reply-To: References: Message-ID: Mike Easter wrote: > Fernando wrote: > >>Cannot resolve http://www.promovendas.org > > So, you can see that the nameservice for that url is a mess. > Whether or not it intentionally blocks spamcop or if it is just too > overall pokey can't be determined from our observations. I suspect the "slow/broken" DNS is primarily intended to defeat SC and possibly other spamtools; either "reporting" or blocking by lookups on message body URLs. That doesn't stop anyone with *other* tools (SSW; DNSSTUFF; et al) from finding the real stuff. They are hoping that the "average Joe" SpamCop user will take it as "just shit that happens" and move on. 
However: there's a balance point on slow DNS-- most folks won't wait 30 seconds for a page to "look like it's loading" and move on. They will think that the link is dead. How many people *really* watch the lower "status" bar of their browser to see the steps in retrieving a webpage?? A good example: http://www.hitsforyoursite.com/ (the latest "frontend" site for SPACEISP.COM) That one took over 2 minutes to resolve this AM; on a reasonable DSL hookup. Overall there's so much of this crap going on that I've been adding a line for spamvertised sites in the message body; a complete duplicate (including appropriate HTML tags if needed). I substitute the IP address for the domain in this line and say so in the notes. I realize that this isn't what's "supposed to be"; but I figure that it's still a valid report going to the right place. I do check my "substitute line" to see that it goes to the same place. (I'm also doing the same on blatant redirects like Amateurmatch ..) From edb2000 at spamcop.net Sat May 14 23:11:45 2005 From: edb2000 at spamcop.net (Don Wannit) Date: Sun May 15 01:15:04 2005 Subject: [SpamCop-List] Deputies: SC clock might need resetting Message-ID: or as they say, "Clock Police!" Reports I just submitted seconds ago are showing up in the Past Reports history of recent reports with a datetime of roughly 25 minutes earlier than I submitted them. Seems like SC might have improved on the slow processing time some users have complained about recently. But this is certainly unexpectedly prompt! -- Don Wannit A paid SpamCop user since 1999 From agent01413 at my-deja.com Sun May 15 06:38:54 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Sun May 15 01:40:03 2005 Subject: [SpamCop-List] Re: Grow up References: Message-ID: "sbb78247" wrote in news:d653b2.2d0.1@133.256.1.103.MISMATCH: > > BAAAAAAHAHAHAHHAHAHAHAHA!! what a maroon > > if you hate free speach so much, why don't you live in say cuba?
PLONK -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From nobody at devnull.spamcop.net Sun May 15 14:40:01 2005 From: nobody at devnull.spamcop.net (Fernando) Date: Sun May 15 09:40:43 2005 Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org" References: Message-ID: "R. Asby Dragon" wrote: >I suspect the "slow/broken" DNS is primarily intended to defeat SC and >possibly other spamtools; either "reporting" or blocking by lookups on >message body URLs. Me too. www.promovendas.org is a seasoned low-life person as well as www.super.vendas.nom.br which I'm pretty sure is the same criminal coming from a different route. Again, SpamCop failed to find a decent address to report (just reported): www.super.vendas.nom.br, best report contact is abuse@comdominio.com.br not a mere statistical address as "mail-abuse@nic.br". Wake up people, SpamCop is losing ground! We should get more involved in manually (trying) to trace these spam gang connections and offer higher quality reports, quick! Sincerely, Fernando. From nospam at fuck-off-and-die.com Sun May 15 20:36:03 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Sun May 15 09:55:07 2005 Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org" References: Message-ID: Fernando, , the pigheaded, blustery charity shop worker, and person who is responsible for the care and maintenance of dirty old men's underpants, toadied: > "R. Asby Dragon" wrote: > >> I suspect the "slow/broken" DNS is primarily intended to defeat SC >> and possibly other spamtools; either "reporting" or blocking by >> lookups on message body URLs. > > Me too. > > www.promovendas.org is a seasoned low-life person as well as > www.super.vendas.nom.br which I'm pretty sure is the same criminal > coming from a different route.
> > Again, SpamCop failed to find a decent address to report (just > reported): www.super.vendas.nom.br, best report contact is > abuse@comdominio.com.br not a mere statistical address as > "mail-abuse@nic.br". > > Wake up people, SpamCop is losing ground! > > We should get more involved in manually (trying) to trace these spam > gang connections and offer higher quality reports, quick! No. nic.br is, IMBO, accountable. -- "Frank" illustrates the complete and utter fucktardery of all 24hoursupport.helpdesk regulars: "That's good news fiddy, thankfully you solved it before following my advice!" news:d65i6g$vj$1@nwrdmz02.dmz.ncs.ea.ibs-infra.bt.com More techno-fuckwittery; "DUHane Arnold" in response to the question, "How can I uninstall packaged software with no entry in Add/remove programs?" DUHane: "If you cannot uninstall the application by using an uninstaller, the [sic] whack it off of the machine by any means necessary and be done with it." news:MZvhe.78614$r53.41192@attbi_s21 Yes, folks, DUHane is a 24hoursupport.helpdesk regular. From bar_n0ne at hotmail.com Sun May 15 18:59:55 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun May 15 10:05:23 2005 Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org" References: Message-ID: "Fernando" wrote in message news:d67jfh$ejm$1@news.spamcop.net... > "R. Asby Dragon" wrote: > > >I suspect the "slow/broken" DNS is primarily intended to defeat SC and > >possibly other spamtools; either "reporting" or blocking by lookups on > >message body URLs. > > Me too. > > SNIP > > Wake up people, SpamCop is losing ground! > > We should get more involved in manually (trying) to trace these spam gang > connections and offer higher quality reports, quick! > > Sincerely, > Fernando. And exactly to whom that might care? The networks that give a damn have kicked their spammers off, and we are left reporting to Korea, Brazil, XO and MCI. Spammers are their bread and butter. or in some cases maybe just their marmalade. 
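Added example, not part of any post in this thread and not SpamCop's parser: a URL-host checker that keeps "too slow to answer" separate from "does not exist", the distinction at stake in the "discarded as fake" result and the slow nameservers described earlier in the thread. The resolver is a simulation; the zone table is constructed from the names, address and response times quoted above, and the timeout values are assumptions.

```python
"""Added example: keep 'too slow' distinct from 'does not exist' for a URL host."""

# Constructed stand-in for the zone discussed in the thread. Names, address and
# per-server response times are the ones quoted from the DNS tools there.
ZONE = {
    "www.promovendas.org": ("CNAME", "promovendas.org"),
    "promovendas.org": ("A", "200.223.52.21"),
}
NAMESERVERS = [("ns3.pontonews.net", 6.060), ("ns4.pontonews.net", 0.445)]
MAX_CNAME_DEPTH = 8  # assumption: give up on longer alias chains


def ask(latency, name, wait):
    """Simulated query: (seconds spent, record | 'NXDOMAIN' | None on timeout)."""
    if latency > wait:
        return wait, None
    return latency, ZONE.get(name, "NXDOMAIN")


def resolve(host, per_try, budget, servers=NAMESERVERS):
    """Follow CNAMEs to an A record inside a total time budget.

    Returns (status, address, seconds); status is one of
    'resolved', 'nxdomain', 'timeout' or 'loop'.
    """
    spent = 0.0
    name = host.lower().rstrip(".")
    for _ in range(MAX_CNAME_DEPTH):
        answer = None
        for _server, latency in servers:
            wait = min(per_try, budget - spent)
            if wait <= 0:
                break  # budget used up before any server answered
            used, answer = ask(latency, name, wait)
            spent += used
            if answer is not None:
                break  # got a definite answer, stop trying other servers
        if answer is None:
            return "timeout", None, round(spent, 3)
        if answer == "NXDOMAIN":
            return "nxdomain", None, round(spent, 3)
        rtype, value = answer
        if rtype == "A":
            return "resolved", value, round(spent, 3)
        name = value  # CNAME: restart the lookup on the canonical name
    return "loop", None, round(spent, 3)


def verdict(host, per_try, budget):
    """Only a definite NXDOMAIN justifies dropping the host from a report."""
    status, address, seconds = resolve(host, per_try, budget)
    if status == "resolved":
        return "report %s at %s" % (host, address)
    if status == "nxdomain":
        return "discard %s: name does not exist" % host
    return "requeue %s: %s after %ss" % (host, status, seconds)


if __name__ == "__main__":
    # Impatient checker (2 s per query, 3 s in total) versus a patient one.
    print(verdict("www.promovendas.org", per_try=2, budget=3))
    print(verdict("www.promovendas.org", per_try=10, budget=30))
    print(verdict("no-such-host.example", per_try=2, budget=3))
```

With the short budget the live host ends in the requeue branch rather than being dropped, while the name that is absent from the zone is still discarded.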

From nospam at dev.null Sun May 15 17:24:49 2005
From: nospam at dev.null (Anty Spam)
Date: Sun May 15 10:30:02 2005
Subject: [SpamCop-List] smae spammer
Message-ID:

Hi

http://66.218.71.225/search/cache?p=xmasta%40gmail.com&sm=Yahoo%21+Search&toggle=1&ei=UTF-8&u=www.brujula.net/cgi-bin/nntp2/wwwnntp%3Fjapan.test&w=xmasta+gmail+.com&d=DFEAC359E5&icp=1&.intl=us
refers

Looks like xmasta@gmail.com same party as admin@taiwanmedialtd.com ??

Or am I wrong?

Cheers
E

From nobody at devnull.spamcop.net Sun May 15 16:52:21 2005
From: nobody at devnull.spamcop.net (Fernando)
Date: Sun May 15 11:55:15 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

Kadaitcha Man wrote:

>No. nic.br is, IMBO, accountable.

I'll not sit and wait for them. Let's do our part and make SpamCop a better
tool.

Does SpamCop accept help to better find these sources?

From eddie at eddie.web Sun May 15 13:27:47 2005
From: eddie at eddie.web (eddie)
Date: Sun May 15 12:30:07 2005
Subject: [SpamCop-List] Re: comcast "selling" illegal cable descramblers
References: <18p5qu5w31fdi$.dlg@news.spamcop.net>
Message-ID:

On Fri, 13 May 2005 19:31:18 -0700, N. Miller scratched out the following:

> On Fri, 13 May 2005 11:32:46 -0400, eddie wrote:
>
>> Besides being ironic, I wonder if one could use the comcast spew as a
>> defense for using such an illegal device.
snip
>
> I doubt it, but you failed to include a tracker for the spam item that you
> think is a Comcast spew. My guess is that a Comcast customer's computer
> with a spamming proxy was used to promote a site not hosted by Comcast.

Of course it was a proxy on the comcast system. That wasn't my point. I was
kidding about playing innocent and used the "comcast" defense, but the irony
should not go unnoticed. Comcast hawking the seeds of its own destruction :)

I have also noticed, lately, a sharp increase in comcast spew. I guess they
have let their guard down. For a while their spam level was quite low.

--
Once movie theaters gave out steak knives
Today they confiscate them

From nobody at nowhere.invalid Sun May 15 20:57:30 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun May 15 14:00:30 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

On Sun, 15 May 2005 15:52:21 +0000 (UTC), Fernando coughed into spamcop
and left this in :

> Kadaitcha Man wrote:
>
>>No. nic.br is, IMBO, accountable.
>
> I'll not sit and wait for them. Let's do our part and make SpamCop a better
> tool.
>
> Does SpamCop accept help to better find these sources?

Fernando, don't waste your time with Kadaitcha Man. He(?) is a well-known
troll who's already been ridiculed in NANAE, and killfiled by every man and
his dog. You'd be well advised to do likewise.

Just a suggestion of course.

Point is, I wouldn't have seen it had you not responded to its post...

--
Steve
QOTD - "It was so cold last Winter that I even saw a lawyer with his hands
in his own pockets"

From spamtrap at secnap.net Sun May 15 15:33:33 2005
From: spamtrap at secnap.net (Michael Scheidell)
Date: Sun May 15 14:35:05 2005
Subject: [SpamCop-List] Re: forged dates fool spamcop?
References:
Message-ID:

I didn't see your first reply, so all I can comment on is this one:

"Mike Easter" wrote in message news:d63l8j$b9b$1@news.spamcop.net...
> Oops. I didn't finish the sentence.
>
> The 17 day timestamp discrepancy resides between when tiscali received
> the item from the .ng source and when it sent it on to spammertrap.

I seriously doubt that the sending system queued up the spam for 17 days.
5 days is the default for sendmail and most systems. Some system admins
drop it to 3.

Since I am getting more and more spam with dates in the past, it seems more
likely that the spammers have found a way around spamcop.

In fact, every spam I received (that got past our initial filters) were all
dated several days in the past.
If they forge the date in the past (at least 3 days) then spamcop won't
index it, won't report it.

It's still the weapon escalation game: spamcop sees that it is being
defeated, finds a way to counter the workarounds, then spammers find a new
way to defeat spamcop, and then spamcop fixes it.

It is an easy way to defeat spamcop reporting.

ps, to answer that last question? yes, I am and proud of it.

From MikeE at ster.invalid Sun May 15 13:00:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 15 15:00:03 2005
Subject: [SpamCop-List] Re: forged dates fool spamcop?
References:
Message-ID:

Michael Scheidell wrote:
> I didn't see your first reply, so all I can comment on is this one:

Try clicking this
news://news.spamcop.net/d63l2m$b5e$1@news.spamcop.net

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun May 15 13:03:18 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 15 15:05:03 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

Fernando wrote:
> I'll not sit and wait for them. Let's do our part and make SpamCop a
> better tool.
>
> Does SpamCop accept help to better find these sources?

Personally I don't think the SC notify of spamvertiser providers,
especially blackhat spamvertisers is an important or valuable function.

The feed of spam into spamcop by -1- standard reporters -2- quick
reporters and -3- spamtraps performs the number 1 major function of
feeding the SCbl for spamsources, the minor function of feeding
possible smtp relays, a thing of the past, into smtp relay testers,
and the minor function of posting spamvertisers to the statistics
page.

The business of notifying the providers for spamsources and for
spamvertisers is a courtesy to the provider - many of whom don't want to
hear about it or are blackhat or both.

So, I don't think that 'helping' SC notify spamvertisers is a big plus.
I would rather see the spam submission system be designed so as to provide
the standard reporters an option to identify spamvertiser links to be put
on the spamcop stats page to be harvested by the sc-surbl instead of
notifying them.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun May 15 13:09:39 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 15 15:10:03 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

Mike Easter wrote:
> The feed of spam into spamcop by -1- standard reporters -2- quick
> reporters and -3- spamtraps performs the number 1 major function of
> feeding the SCbl for spamsources, the minor function of feeding
> possible smtp relays, a thing of the past, into smtp relay testers,
> and the minor function of posting spamvertisers to the statistics
> page.

The last minor function is only a product of the standard reporters, not
the quick or spamtraps.

--
Mike Easter
kibitzer, not SC admin

From usenet2 at DE.LETE.THISljvideo.com Sun May 15 22:20:39 2005
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Sun May 15 17:25:22 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

Waiving the right to remain silent, nobody@devnull.spamcop.net
(Fernando) said:

> Wake up people, SpamCop is losing ground!
>
> We should get more involved in manually (trying) to trace these
> spam gang connections and offer higher quality reports, quick!

SC is becoming useless because of the parsing difficulties, and now the
ridiculous limits on spam size. Every other spam I attempt to put into
the web parser returns an error of being too large.

Many of them are no more than a few dozen lines long.

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail

The United States is the greatest country in the world..!
Twenty-five million illegal aliens can't be wrong.
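
An added example, not part of any post in this thread and not SpamCop's own parser: a date-consistency check for the backdating that Michael Scheidell and Mike Easter discuss above. It judges a message's age only by the Received stamp written by the recipient's own server, and flags a Date header or a hop-to-hop gap that is more than 3 days off; the header samples are constructed, and the 3-day threshold is an assumption taken from the figure quoted in the thread.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumption: the "at least 3 days" figure quoted in the thread.
MAX_AGE = timedelta(days=3)

# Constructed sample: the Date header and the lower (untrusted) hop are backdated.
FORGED = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.recipient.example with ESMTP id ABC123;
\tSun, 15 May 2005 14:02:11 -0400
Received: from unknown (HELO relay.example.org) (198.51.100.7)
\tby mx.example.net with SMTP; Thu, 28 Apr 2005 09:15:00 +0000
Date: Wed, 27 Apr 2005 22:40:00 +0000
From: sender@example.org
To: user@recipient.example
Subject: constructed sample

body
"""

# Constructed sample: every timestamp lies within about a minute of the others.
CLEAN = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.recipient.example with ESMTP id ABC124;
\tSun, 15 May 2005 14:02:11 -0400
Received: from client.example.org (client.example.org [198.51.100.9])
\tby mx.example.net with SMTP; Sun, 15 May 2005 18:01:40 +0000
Date: Sun, 15 May 2005 18:01:05 +0000
From: sender@example.org
To: user@recipient.example
Subject: constructed sample

body
"""


def _parse(text):
    """Parse an RFC 2822 date string into an aware UTC datetime, or None."""
    try:
        stamp = parsedate_to_datetime(" ".join(text.split()))
    except (TypeError, ValueError):
        return None
    if stamp.tzinfo is None:          # "-0000" or no zone: treat as UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp.astimezone(timezone.utc)


def received_times(msg):
    """Timestamps of the Received headers, newest hop first (None if unparseable)."""
    times = []
    for value in msg.get_all("Received", []):
        _, sep, stamp = value.rpartition(";")   # the date follows the last ';'
        times.append(_parse(stamp) if sep else None)
    return times


def check_dates(raw, max_age=MAX_AGE):
    """Compare the sender-controlled dates with the local arrival stamp."""
    msg = message_from_string(raw)
    hops = received_times(msg)
    arrival = hops[0] if hops else None   # top Received: written by our own MTA
    claimed = _parse(msg.get("Date", ""))
    findings = []
    if arrival is None:
        findings.append("no usable Received stamp from the local MTA")
    elif claimed is None:
        findings.append("Date header missing or unparseable")
    elif abs(arrival - claimed) > max_age:
        findings.append("Date header is %d days away from the local arrival stamp"
                        % abs(arrival - claimed).days)
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        if newer and older and abs(newer - older) > max_age:
            findings.append("%d day gap between hop %d and hop %d"
                            % (abs(newer - older).days, i + 1, i))
    return {"arrival": arrival, "claimed": claimed, "findings": findings}


def is_fresh(raw, now, max_age=MAX_AGE):
    """Age test that ignores every sender-controlled date in the message."""
    arrival = check_dates(raw)["arrival"]
    return arrival is not None and now - arrival <= max_age


if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("CLEAN", CLEAN)):
        print(name, check_dates(raw)["findings"])
```
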

From not at home.today Mon May 16 00:44:56 2005
From: not at home.today (Ant)
Date: Sun May 15 18:50:05 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

"Larry J." wrote:

> Waiving the right to remain silent, nobody@devnull.spamcop.net
> (Fernando) said:
>
>> Wake up people, SpamCop is losing ground!
>>
>> We should get more involved in manually (trying) to trace these
>> spam gang connections and offer higher quality reports, quick!
>
> SC is becoming useless because of the parsing difficulties,

The primary SC function is to determine the spam sender rather than the
criminal gangs behind the operation. The parser's never failed for me in
that respect.

> and now the ridiculous limits on spam size. Every other spam I
> attempt to put into the web parser returns an error of being too
> large.

The limit is 50 kilobytes, which I think is reasonable. Most large spams
are image attachments, so it doesn't matter if the parser truncates them.

> Many of them are no more than a few dozen lines long.

In which case any links will be parsed despite the truncation. I've not
seen spam where the text/html part comes after embedded images.

From nobody at devnull.spamcop.net Sun May 15 19:07:50 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun May 15 19:10:03 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

"Mike Easter" wrote in message news:d65vee$j73$1@news.spamcop.net...
> Fernando wrote:
> > Cannot resolve http://www.promovendas.org
>
> I don't know if you have any interest in researching some of these
> issues, but I think they are educational; and one of the main reasons I
> started messing around with the hobby or sport of spamfighting was for
> its educational value.

Post/part of thread inserted into the Forum at
http://forum.spamcop.net/forums/index.php?showtopic=4175
under the "How to Use ... Research Tools" ...
the only 'difference' is that I did include a link to a
set of captured screenshots ... one to help illustrate
what the words were trying to convey, second
such that the data would exist somewhere further
down the road that matched your explanation
(domain dies, IPs change, goes legit, whatever ..)
Scott replied with permission to let that bit of
HTML stand.

From nospam at dev.null Mon May 16 02:19:22 2005
From: nospam at dev.null (Anty Spam)
Date: Sun May 15 19:25:03 2005
Subject: [SpamCop-List] Re: 419 scam reporting at FBI
References:
Message-ID:

"Larry J." wrote in message
news:Xns965376CD0C907larrythefrog@216.154.195.61...
> Where to send 419 scams to the FBI..?
>
> I've tried 419@fbi.gov and fraud@fbi.gov. Both bounce.
>
> --
> Larry J. - Remove spamtrap in ALLCAPS to e-mail
>
> "Ninety eight percent of the adults in this country
> are decent, hardworking, honest Americans. It's the
> other lousy two percent that get all the publicity.
> But then, we elected them."
> -Lily Tomlin

Hi

Look at http://419legal.org

Even though a South African site, the membership list includes law
enforcement officers in the USA. Mail is 419@419legal.org. Be sure to
include headers. Also a lot of scam baiters etc.

Cheers
E

From jay at advertisnet.com Sun May 15 19:55:30 2005
From: jay at advertisnet.com (Jay Teutenberg)
Date: Sun May 15 20:00:04 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

"Mike Easter" wrote in message news:d5vi8e$4aj$1@news.spamcop.net...
> Socks the Whitehouse Cat wrote:
>> "Mike Easter"
>
>>> but when it isn't currently listed you can't get any history.
>>> Deputies can look back at the IP's listing history.
>
> That statement turned out to be wrong. The admin for an IP can get its
> listing history.
http://www.spamcop.net/fom-serve/cache/94.html

I went to this link, logged in, went to control center, put in one of my
ips from the report email I got:

IPs reported in past hour:
216.176.174.20
216.176.173.181
216.176.166.220

but all the report will tell me is that spam has been reported from these
ips in the last 5 days or so, not in the last hour. And there doesn't seem
to be any way to get detailed info. The 174.20 and 173.181 don't have port
25 available to them, (other than our own smtp-auth server, those ips are
local dial up ports), does that mean that they are proxying on some other
port? Is it not possible to block outgoing mail by taking away port 25
anymore?

Thanks,
Jay

From MikeE at ster.invalid Sun May 15 18:15:38 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 15 20:15:02 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

WazoO wrote:
> Post/part of thread inserted into the Forum at
> http://forum.spamcop.net/forums/index.php?showtopic=4175
> under the "How to Use ... Research Tools" ... the
> only 'difference' is that I did include a link to a
> set of captured screenshots ... one to help illustrate
> what the words were trying to convey,

Kuhl.[ie kewl]

> second
> such that the data would exist somewhere further
> down the road that matched your explanation
> (domain dies, IPs change, goes legit, whatever ..)
> Scott replied with permission to let that bit of
> HTML stand.

Scott? I don't see anything after your post.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun May 15 18:23:18 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 15 20:25:02 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

Jay Teutenberg wrote:
> I went to this link, logged in, went to control center, put in one of
> my
> ips from the report email I got:
>
> IPs reported in past hour:
> 216.176.174.20
> 216.176.173.181
> 216.176.166.220

c174-p20.advertisnet.com
c173-p181.advertisnet.com
8of4.advertisnet.com

You can see things I can't see because you admin for the IPs

> but all the report will tell me is that spam has been reported from
> these ips in the last 5 days or so, not in the last hour. And there
> doesn't seem to be any way
> to get detailed info. The 174.20 and 173.181 don't have port 25
> available to them,
> (other than our own smtp-auth server, those ips are local dial up
> ports), does that
> mean that they are proxying on some other port? Is it not possible
> to block outgoing
> mail by taking away port 25 anymore?

I don't have access to the spam; but if a user IP were sending out
something via the smtp server, SC would name the user IP, not the server.

If the item is coming from a reporter's report, you should be getting the
reports containing the spam. But not if it's from a spamtrap.

Did you turn your spamcop reports on?

Oh, wait; I can check that myself....

ISP does not wish to receive reports regarding 216.176.166.220 - no date
available

I suggest you turn on the SC reports.

--
Mike Easter
kibitzer, not SC admin

From spam_hjp at yahoo.com Sun May 15 21:53:29 2005
From: spam_hjp at yahoo.com (Jim)
Date: Sun May 15 20:55:03 2005
Subject: [SpamCop-List] german spam
Message-ID:

I can't believe this comcast IP (68.36.241.189) is not listed at SC. I
have received about 20 different spams in german (my guess) today and
have reported them all.

I see it listed here
http://www.njabl.org/cgi-bin/lookup.cgi?query=68.36.241.189

http://www.spamcop.net/sc?id=z763946916zda95e941dec2422e5006d198b41badf4z

Volume Statistics for this IP
              Magnitude  Vol Change vs. Average
Last day      1.6        -100%
Last 30 days  1.8        1074%
Average       0.7

From MikeE at ster.invalid Sun May 15 19:17:51 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 15 21:20:03 2005
Subject: [SpamCop-List] Re: german spam
References:
Message-ID:

Jim wrote:
> I can't believe this comcast IP (68.36.241.189) is not listed at SC.
> I have received about 20 different spams in german (my guess) today
> and have reported them all.
>
> I see it listed here
> http://www.njabl.org/cgi-bin/lookup.cgi?query=68.36.241.189

The njabl listing is just about it being a dynamic -- that has nothing
to do with it being spammish. It is also spews listed because it is a
comcast user IP and spews has listed 'all' of the comcast user IPs and
just left holes for the servers. The sorbs and jammd .6 is also about
dynamic.

I don't know why your numerous reports wouldn't eventually lead to it
being listed.

--
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Sun May 15 22:33:17 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Sun May 15 21:35:03 2005
Subject: [SpamCop-List] Re: german spam
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Jim wrote:
>
>>I can't believe this comcast IP (68.36.241.189) is not listed at SC.
>>I have received about 20 different spams in german (my guess) today
>>and have reported them all.
>>
>>I see it listed here
>>http://www.njabl.org/cgi-bin/lookup.cgi?query=68.36.241.189
>
> The njabl listing is just about it being a dynamic -- that has nothing
> to do with it being spammish. It is also spews listed because it is a
> comcast user IP and spews has listed 'all' of the comcast user IPs and
> just left holes for the servers. The sorbs and jammd .6 is also about
> dynamic.
>
> I don't know why your numerous reports wouldn't eventually lead to it
> being listed.

If it is the same spam that has been hitting the moderator queue of a
mailing list I am on, I have been told that it is sober-p, and because
it appears to be a self contained spam sender, not a relay it is not
showing up in the open proxy/open relay lists.

So far it also seems to be avoiding the spamtrap driven DNSbls also. My
guess is that each instance only targets a small number of e-mail
addresses, which it then attacks over and over again.

See my post in .geeks if someone has found a SpamAssassin rule to detect
it and backscatter from the mail servers that are abusively bouncing it.

-John
wb8tyw@qsl.network
Personal Opinion Only

From MikeE at ster.invalid Sun May 15 19:45:49 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 15 21:45:03 2005
Subject: [SpamCop-List] Re: german spam
References:
Message-ID:

posted in sc & geeks f/up geeks

John E. Malmberg wrote:
> See my post in .geeks if someone has found a SpamAssassin rule to
> detect it and backscatter from the mail servers that are abusively
> bouncing it.

The other day a much detested trollish nanae individual named Moris came
up with an excellent regex creation for some issue that was nanae posted.
Everyone was astounded that Moris was actually good for something.

Maybe if you put the item [propagation's headers & body] in sightings and
then asked about it in nanae, Moris would come up with a regex for it.

--
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Sun May 15 22:46:18 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Sun May 15 21:50:02 2005
Subject: [SpamCop-List] Re: Blocklisted
In-Reply-To:
References:
Message-ID:

Jay Teutenberg wrote:

> IPs reported in past hour:
> 216.176.174.20
> 216.176.173.181
> 216.176.166.220
>
> but all the report will tell me is that spam has been reported from these ips
> in the last 5 days or so, not in the last hour.
> And there doesn't seem to be any
> way to get detailed info. The 174.20 and 173.181 don't have port 25 available to
> them, (other than our own smtp-auth server, those ips are local dial up ports),
> does that mean that they are proxying on some other port?

It could be, one case is if the spam was sent through a web or other type
of mailer that spamcop.net has marked as a trusted relay.

> Is it not possible to block outgoing mail by taking away port 25 anymore?

Not completely, and there are many companies that are in violation of SEC
or other regulations if there is any way to send any electronic message
without a copy being archived.

You also have to look for automatically configured socks proxies and SMTP
auth on odd ports to be complete.

Now I can not look at spamcop.net data like Mike can, but a search on
google groups is showing that spammers are forging your domain in spam
runs.

I am getting a hit on 216.176.166.220:

+ WSFF open relays and more: will-spam-for-food.eu.org -> 127.0.0.1
  Known spammers (advertisnet.com) - Send questions to
  http://dynamic.rfc1149.net/wsff?ip=216.176.166.220

I went to their web site, and could not find any other information than
that.

I would recommend looking for three types of activity.

1. Make sure that you do not have a customer/affiliate that is hosting a
   web site with you, but spamming through a different network.

2. Infected machine or an internal user that is trying to make some money
   spamming on the side.

3. Find out more about what is being listed.

The few reports that I checked from news.admin.net-abuse.e-mail showed no
evidence that the spammer was even trying to fool the spamcop parser.
Instead they were trying to make it look like the message originated from
your domain but not the I.P. ranges that you specified.

This usually indicates that either spammers think that your domain name
will be whitelisted, or they are trying to do a joe-job.

So I would recommend contacting the WSFF site and find out why they
consider you known spammers.

-John
wb8tyw@qsl.network
Personal Opinion Only

From MikeE at ster.invalid Sun May 15 20:25:15 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 15 22:25:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

John E. Malmberg wrote:
> Now I can not look at spamcop.net data like Mike can,

Huh?

--
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Mon May 16 00:09:05 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Sun May 15 23:10:04 2005
Subject: [SpamCop-List] Re: Blocklisted
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> John E. Malmberg wrote:
>
>>Now I can not look at spamcop.net data like Mike can,

I am not a paying member, so my access to data is now limited to seeing
if an I.P. is listed or not, not any of the evidence headers. Unless
things have changed again, since I last attempted to look.

Of course, I may be making an incorrect assumption about your status.

-John
wb8tyw@qsl.network
Personal Opinion Only

From bruce.lippert at you.crossbred-raffish-fuck-knuckle.net Mon May 16 06:45:10 2005
From: bruce.lippert at you.crossbred-raffish-fuck-knuckle.net (Bruce Lippert)
Date: Sun May 15 23:50:03 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID: <3e679f307f534067ae764d84c937a1f0@you.sleepyheaded-ill-proportioned-cow.com>

Steven Maesslein, wrote:
> On Sun, 15 May 2005 15:52:21 +0000 (UTC), Fernando coughed into
> spamcop and left this in :
>
>> Kadaitcha Man wrote:
>>
>>> No. nic.br is, IMBO, accountable.
>>
>> I'll not sit and wait for them. Let's do our part and make SpamCop a
>> better tool.
>>
>> Does SpamCop accept help to better find these sources?
>
> Fernando, don't waste your time with Kadaitcha Man. He(?) is a
> well-known troll who's already been ridiculed in NANAE, and killfiled
> by every man and his dog. You'd be well advised to do likewise.
>
> Just a suggestion of course.
>
> Point is, I wouldn't have seen it had you not responded to its post...

So, that aside, did Kadaitcha Man have a valid point or not?

From bar_n0ne at hotmail.com Mon May 16 09:58:17 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 16 01:00:02 2005
Subject: [SpamCop-List] Re: german spam and a warning about IB websites
References:
Message-ID:

"John E. Malmberg" wrote in message news:d68t8u$46k$1@news.spamcop.net...
> Mike Easter wrote:
> > Jim wrote:
> >
> >>I can't believe this comcast IP (68.36.241.189) is not listed at SC.
> >>I have received about 20 different spams in german (my guess) today
> >>and have reported them all.
> >>
> >>I see it listed here
> >>http://www.njabl.org/cgi-bin/lookup.cgi?query=68.36.241.189
> >
> > The njabl listing is just about it being a dynamic -- that has nothing
> > to do with it being spammish. It is also spews listed because it is a
> > comcast user IP and spews has listed 'all' of the comcast user IPs and
> > just left holes for the servers. The sorbs and jammd .6 is also about
> > dynamic.
> >
> > I don't know why your numerous reports wouldn't eventually lead to it
> > being listed.
>
> If it is the same spam that has been hitting the moderator queue of a
> mailing list I am on, I have been told that it is sober-p, and because
> it appears to be a self contained spam sender, not a relay it is not
> showing up in the open proxy/open relay lists.
>
> So far it also seems to be avoiding the spamtrap driven DNSbls also. My
> guess is that each instance only targets a small number of e-mail
> addresses, which it then attacks over and over again.
>
> See my post in .geeks if someone has found a SpamAssassin rule to detect
> it and backscatter from the mail servers that are abusively bouncing it.
>
> -John
> wb8tyw@qsl.network
> Personal Opinion Only

We were the "from" on a series of these, (-- hehe reported SHELL for
abusive bounces), but, considering the small size and duration of bounces
(about 5 over 2 hours, then no more), I think John is right about small
runs.

By the way Most of the links I have seen in Stats from these and that I
have received of this crap are to innocents, usually major news
organizations, (Die Zeit, Spiegel etc.... equivalent to NYTimes/Time or
Newsweek). Others I don't recognize, but they are probably IB also.

So!! Folks, unless you know better, please uncheck the links in these
"German" spams.

From jay at advertisnet.com Mon May 16 01:18:13 2005
From: jay at advertisnet.com (Jay Teutenberg)
Date: Mon May 16 01:20:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

"Mike Easter" wrote in message news:d68p1p$1co$1@news.spamcop.net...
> Jay Teutenberg wrote:
>> I went to this link, logged in, went to control center, put in one of
>> my
>> ips from the report email I got:
>>
>> IPs reported in past hour:
>> 216.176.174.20
>> 216.176.173.181
>> 216.176.166.220
>
> c174-p20.advertisnet.com
> c173-p181.advertisnet.com
> 8of4.advertisnet.com

I used the link you posted in a prev msg, it requires numeric format,

> You can see things I can't see because you admin for the IPs

still didn't show any details

>> but all the report will tell me is that spam has been reported from
>> these ips in the last 5 days or so, not in the last hour. And there
>> doesn't seem to be any way
>> to get detailed info. The 174.20 and 173.181 don't have port 25
>> available to them,
>> (other than our own smtp-auth server, those ips are local dial up
>> ports), does that
>> mean that they are proxying on some other port? Is it not possible
>> to block outgoing
>> mail by taking away port 25 anymore?
>
> I don't have access to the spam; but if a user IP were sending out
> something via the smtp server, SC would name the user IP, not the
> server.
>
> If the item is coming from a reporter's report, you should be getting
> the reports containing the spam. But not if it's from a spamtrap.
>
> Did you turn your spamcop reports on?
>
> Oh, wait; I can check that myself....
>
> ISP does not wish to receive reports regarding 216.176.166.220 - no date
> available
>
> I suggest you turn on the SC reports.

I believe I have everything set correctly in isp area preferences, there
must be a different area I'm missing.

>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From MikeE at ster.invalid Sun May 15 23:55:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Mon May 16 01:55:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

Jay Teutenberg wrote:
> still didn't show any details

A non-admin like me can't see any information about an unlisted IP, but
the faq http://www.spamcop.net/fom-serve/cache/94.html sez "Anyone may
receive summary reports about any netspace they specify. To receive
reports, first create an ISP account. " and "In addition, your ISP account
allows you to spot-check any IP address for recent reports."

You already have an account, so you should be able to see summary reports
and recent reports on any specific IP. That isn't a copy of the spam I
don't think, but you would normally get a copy of a spam with every report
if your preferences aren't marked to not get reports.

>> ISP does not wish to receive reports regarding 216.176.166.220 - no
>> date available
>>
>> I suggest you turn on the SC reports.
>
> I believe I have everything set correctly in isp area preferences,
> there must be a different area I'm missing.

You would go in here http://www.spamcop.net/fom-serve/cache/266.html
Change your preferences here.
http://members.spamcop.net/mcgi?action=prefmenu

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon May 16 01:56:41 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Mon May 16 02:00:03 2005
Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org"
References:
Message-ID:

"Mike Easter" wrote in message news:d68ojd$113$1@news.spamcop.net...
> WazoO wrote:
> > http://forum.spamcop.net/forums/index.php?showtopic=4176
> >
> Kuhl.[ie kewl]

The conversions between HTML, BBCode, back to HTML, etc.
drops a bit of the coloring effects ... have to touch it
up a bit for better match, but .. data captured and
viewable was the main motive. Thanks for the concurrence ..

> > Scott replied with permission to let that bit of
> > HTML stand.
>
> Scott? I don't see anything after your post.

I shoved that in at the bottom of the screen shot bit ..
got bit by the HTML, BBCode, HTML stuff there
also ... took a few tries to get it to 'show' correctly.

From nobody at devnull.spamcop.net Mon May 16 02:32:05 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Mon May 16 02:35:04 2005
Subject: [SpamCop-List] Re: german spam
In-Reply-To:
References:
Message-ID:

Jim wrote:
> I can't believe this comcast IP (68.36.241.189) is not listed at SC. I
> have received about 20 different spams in german (my guess) today and
> have reported them all.
>
> I see it listed here
> http://www.njabl.org/cgi-bin/lookup.cgi?query=68.36.241.189

Over the past two days, I've gotten an excessive amount of similar spam
that all reports back to Verizon. I've probably had over 50 of these
just in the past 48 hours, all reporting back to Verizon. This is on top
of the crap I'm still getting from the Consumer Reports spammer through
extremely spam friendly XO. I've counted at least 64 unsolicited e-mails
from the XO spammer (minus a few more that I received before keeping up
with the number) and many more from the same spammer through previous
ISPs.
There's even a Spamhaus RBL listing for XO. I don't know how well
Verizon deals with spam, so I don't know how long it will take to get
the German spammer kicked off there.

From bar_n0ne at hotmail.com Mon May 16 11:59:19 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Mon May 16 03:00:02 2005
Subject: [SpamCop-List] Re: german spam
References:
Message-ID:

"Cat" wrote in message news:d69esp$fcl$1@news.spamcop.net...
> Jim wrote:
> > I can't believe this comcast IP (68.36.241.189) is not listed at SC. I
> > have received about 20 different spams in german (my guess) today and
> > have reported them all.
> >
> > I see it listed here
> > http://www.njabl.org/cgi-bin/lookup.cgi?query=68.36.241.189
> >
>
> Over the past two days, I've gotten an excessive amount of similar spam
> that all reports back to Verizon. I've probably had over 50 of these
> just in the past 48 hours, all reporting back to Verizon. This is on top
> of the crap I'm still getting from the Consumer Reports spammer through
> extremely spam friendly XO. I've counted at least 64 unsolicited e-mails
> from the XO spammer (minus a few more that I received before keeping up
> with the number) and many more from the same spammer through previous
> ISPs. There's even a Spamhaus RBL listing for XO. I don't know how well
> Verizon deals with spam, so I don't know how long it will take to get
> the German spammer kicked off there.

Mine came from the UAE's ISP, emirates.net, somebody suggested it was
connected with a virus, sobig, though outside of the virus supplying an
smtp engine I don't see the connection. Most of the links are to Media
(newspaper articles) and must be IB's, although I imagine the articles
relate to the intended message, if any.

And yah, you got the CR guy kicked from SBCGlobal, but now XO and Whoa
seem to be quite happy to provide him with connectivity.
checking whis now and then the company name seems to be morphing from Software Factory Solutions to SFSFL, but he still has his mailbox in Laval Quebec. (Way back it used to be in Nanaimo, BC Canada). Know any one of influence at XO? He sends me up to a dozen of these nearly identical turdlets a day. From nobody at xyzzy.claranet.de Mon May 16 10:32:34 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon May 16 03:35:03 2005 Subject: [SpamCop-List] Re: german spam References: Message-ID: <42884C92.6735@xyzzy.claranet.de> Berny wrote: > somebody suggested it was connected with a virus, sobig, Sober-G, the same Nazi-Botnet we've seen last year. There's an election in a German state soon. Clueless ISPs failed to force their customers to clean their systems last time... :-( Bye, Frank From MikeE at ster.invalid Mon May 16 01:46:17 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 16 03:45:02 2005 Subject: [SpamCop-List] Re: "Cannot resolve http://www.promovendas.org" References: Message-ID: WazoO wrote: >> Scott? I don't see anything after your post. > > I shoved that in at the bottom of the screen shot bit .. > got bit by the HTML, BBCode, HTML stuff there > also ... took a few tries to get it to 'show' correctly. Ah, so. From dnsstuff. Goodonhim. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Mon May 16 10:43:04 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon May 16 03:45:10 2005 Subject: [SpamCop-List] Re: p***.dip.t-dialin.net abuse contact References: Message-ID: <42884F08.3F31@xyzzy.claranet.de> Mike Easter wrote: > whois -h whois.abuse.net p54b3f388.dip.t-dialin.net ... > abuse@t-dialin.net (for t-dialin.net) Same abuse desk as @t-online.de > you would have to argue that point in routing. Pointless, reported years ago to deputies@, they don't support special rules based on names. 
It's of course not funny at the moment with numerous Nazi-Bots firing, abuse@t-ipnet forwards complaints, but this procedure will take days (today's a national holiday in Germany). > your argument can't be that 'if an IP rDNSes to > t-dialin.net then SC should notify abuse@t-online.de' - > because that isn't how the algorithm works. The algorithm is stupid, and what T-Com (DTAG) does is also stupid. Just block the complete DTAG backbone :-( Bye. Frank From spam at spam.no.not.spam Mon May 16 10:57:54 2005 From: spam at spam.no.not.spam (sparkle) Date: Mon May 16 04:00:03 2005 Subject: [SpamCop-List] Abuse questions Message-ID: In another post I read this: [QUOTE] We were the "from" on a series of these, (-- hehe reported SHELL for abusive bounces), but, considering the small size and duration of bounces (about 5 over 2 hours, then no more) [/QUOTE] What is an abusive bounce and how do I report them? I get a lot of bounces for mail I never sent. Are they abusive bounces? :) xxx From nobody at xyzzy.claranet.de Mon May 16 11:08:14 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon May 16 04:20:02 2005 Subject: [SpamCop-List] Re: interesting article on anti-spam tactics from some ISPs References: Message-ID: <428854EE.1F99@xyzzy.claranet.de> Sofa King Tyred of Lar Ting wrote: > http://www.enterpriseitplanet.com/security/features/article.php/3500541 Blocking port 25 is like watching the stable after the horse was stolen. Silly article, the layout sucks. But I like this: > http://pages.infinit.net/filmore/educateYourISP.htm Bye, Frank From MikeE at ster.invalid Mon May 16 02:29:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 16 04:30:02 2005 Subject: [SpamCop-List] Re: Abuse questions References: Message-ID: sparkle wrote: > What is an abusive bounce and how do I report them? I get a lot of > bounces for mail I never sent. Are they abusive bounces? Yes. 
When a server accepts a mail for delivery with your addy as the bogus From and then belatedly decides that it can't deliver and 'turns around' and creates a newmail and has to address that newmail to the innocently bystanding forged From, then the server is performing a role of propagating viruses or spams which /always/ are made with forged From. That is a misdirected belated 'bounce'. The server should've rejected the mail from the sender rather than accepting it. That behavior is now spamcop reportable, whereas in the past it was not. http://www.spamcop.net/fom-serve/cache/14.html -- On what type of email should I (not) use SpamCop? -- Messages which may be reported: -- Misdirected bounces Misdirected virus notifications Misdirected vacation emails Misdirected challenges from challenge/response spam filtering systems -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Mon May 16 13:45:55 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon May 16 04:50:14 2005 Subject: [SpamCop-List] Re: Abuse questions References: Message-ID: "sparkle" wrote in message news:d69jq7$djo$0@pita.alt.net... > In another post I read this: > > [QUOTE] > We were the "from" on a series of these, (-- hehe reported SHELL for abusive > bounces), but, considering the small size and duration of bounces (about 5 > over 2 hours, then no more) > [/QUOTE] > > What is an abusive bounce and how do I report them? I get a lot of bounces > for mail I never sent. Are they abusive bounces? > > :) xxx yep, usually if you have enough of the spam in the bounce to determine the source IP and, that it could not have been your IP (most likely not even any domain you have access to) then if somebody bounces these spam and viri back to you, it is abusive and reportable. 
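Added example, not written by anyone in this thread: one way to apply the test described in the two replies above, where a bounce is misdirected if the mail it returns was handed to the bouncing server by an IP that is not one of yours. The outbound range, host names and sample messages are constructed assumptions (documentation address ranges).

```python
import email
import ipaddress
import re

# Assumption: the networks your own mail legitimately leaves from
# (constructed value, RFC 5737 documentation range).
MY_OUTBOUND_NETS = [ipaddress.ip_network("192.0.2.0/28")]
# An IPv4 address in [brackets] or (parentheses), as MTAs write it in Received lines.
IP_IN_RECEIVED = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def looks_like_bounce(msg):
    """Null return path, a DSN report, or a MAILER-DAEMON sender."""
    return (msg.get("Return-Path", "").strip() == "<>"
            or msg.get_content_type() == "multipart/report"
            or "mailer-daemon" in msg.get("From", "").lower())


def embedded_original(bounce):
    """Headers of the message that was bounced, if the bounce carries them."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and part.is_multipart():
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_payload())
    return None


def handoff_ip(original):
    """IP in the top-most Received line, the only one the bouncing server wrote itself.
    Everything below it came from the sender and may be forged."""
    received = original.get_all("Received", [])
    match = IP_IN_RECEIVED.search(received[0]) if received else None
    if match is None:
        return None
    try:
        return ipaddress.ip_address(match.group(1))
    except ValueError:  # e.g. 999.1.1.1
        return None


def classify_bounce(raw):
    """Return (verdict, handoff IP as text or None) for one raw message."""
    msg = email.message_from_string(raw)
    if not looks_like_bounce(msg):
        return "not-a-bounce", None
    original = embedded_original(msg)
    ip = handoff_ip(original) if original is not None else None
    if ip is None:
        return "undetermined", None  # nothing to show where the mail came from
    if any(ip in net for net in MY_OUTBOUND_NETS):
        return "own-mail", str(ip)  # a genuine bounce of something you sent
    return "misdirected-bounce", str(ip)


# Constructed delivery status notification; the last part carries the original headers.
DSN_TEMPLATE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The address nosuchuser@example.net does not exist.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nosuchuser@example.net
Action: failed
Status: 5.1.1

--b1
Content-Type: {part_type}

{original}
--b1--
"""

# Constructed: forged From, real handoff from 203.0.113.77, plus a forged lower Received line.
SPAM_ORIGINAL = (
    "Received: from mail.example.org (HELO mail.example.org) [203.0.113.77]\n"
    "\tby mx.example.net with SMTP; Mon, 16 May 2005 10:00:00 +0000\n"
    "Received: from localhost [192.0.2.5] by mail.example.org; Mon, 16 May 2005 09:59:00 +0000\n"
    "From: you@example.org\nSubject: constructed sample")
OWN_ORIGINAL = ("Received: from mail.example.org [192.0.2.5] by mx.example.net; "
                "Mon, 16 May 2005 10:00:00 +0000\nFrom: you@example.org\nSubject: constructed sample")

if __name__ == "__main__":
    for original in (SPAM_ORIGINAL, OWN_ORIGINAL):
        print(classify_bounce(DSN_TEMPLATE.format(part_type="text/rfc822-headers", original=original)))
```

A bounce that carries no original headers comes back as "undetermined", since nothing in it shows where the returned mail entered the bouncing server.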
From spam at spam.no.not.spam Mon May 16 12:01:00 2005 From: spam at spam.no.not.spam (sparkle) Date: Mon May 16 05:05:11 2005 Subject: [SpamCop-List] Re: Abuse questions References: Message-ID: Mike Easter MikeE@ster.invalid, wrote in message 69lhd$jq6$1@news.spamcop.net: > sparkle wrote: >> What is an abusive bounce and how do I report them? I get a lot of >> bounces for mail I never sent. Are they abusive bounces? > > Yes. When a server accepts a mail for delivery with your addy as the > bogus From and then belatedly decides that it can't deliver and 'turns > around' and creates a newmail and has to address that newmail to the > innocently bystanding forged From, then the server is performing a > role of propagating viruses or spams which /always/ are made with > forged From. That is a misdirected belated 'bounce'. The server > should've rejected the mail from the sender rather than accepting it. > > That behavior is now spamcop reportable, whereas in the past it was > not. Wow, great. I'm sick of the noise from these things. > http://www.spamcop.net/fom-serve/cache/14.html Perfect. :) xxx > -- On what type of > email should I (not) use SpamCop? -- Messages which may be reported: > -- Misdirected bounces > Misdirected virus notifications > Misdirected vacation emails > Misdirected challenges from challenge/response spam filtering systems From jay at advertisnet.com Mon May 16 09:51:02 2005 From: jay at advertisnet.com (Jay Teutenberg) Date: Mon May 16 09:50:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: thanks Mike, Im hoping your reading this in a graphical env, Ive c/p in what Im seeing... "Mike Easter" wrote in message news:d69chi$dld$1@news.spamcop.net... > Jay Teutenberg wrote: >> still didnt show any details > > A non-admin like me can't see any information about an unlisted IP, but > the faq http://www.spamcop.net/fom-serve/cache/94.html sez "Anyone may > receive summary reports about any netspace they specify. 
To receive > reports, first create an ISP account. " and "In addition, your ISP > account allows you to spot-check any IP address for recent reports." > > You already have an account, so you should be able to see summary > reports and recent reports on any specific IP. That isn't a copy of the > spam I don't think, but you would normally get a copy of a spam with > every report if your preferences aren't marked to not get reports. maybe once I turn up the right preference, Ive cut/pasted in the reports Im getting now, which dont have details. >>> ISP does not wish to receive reports regarding 216.176.166.220 - no >>> date available >>> >>> I suggest you turn on the SC reports. >> >> I believe I have everything set correctly in isp area preferences, >> there must be a different area Im missing. > > You would go in here http://www.spamcop.net/fom-serve/cache/266.html went there, see this: ----------------------------------------- SpamCop FAQ : Help for abuse-desks and administrators : How can I control what type of reports I receive? SpamCop now allows selection of report types. You can elect to accept or refuse reports depending on their type (source of mail, web hosting, open relays, etc..). Also, you can refuse any report if the user has not agreed to reveal all header information, including recipient email addresses. If you don't yet have an ISP password, refer to the link in any SpamCop report to retrieve one. Once you have a password,.. Change your preferences here. ------------------------------------------------------- > Change your preferences here. > http://members.spamcop.net/mcgi?action=prefmenu that is the htref behind the 'change your preferences here' link at the bottom, which takes me to this: ------------------------------------ ISP Preferences General Settings Chose what types of reports you would like to receive. Change Password Make it a good one, and change it frequently. 
------------------------------------------------------ I changed my pw, went into general settings, which shows me this: ------------------------------- Change password Configure alerts Report munging Accept munged reports (default) Refuse Munged Reports Refuse reports which include munged headers. SpamCop obliterates recipient information from reports by default. If you cannot accept reports in this format, you may use this option to refuse reports unless the user reporting agrees to reveal the full headers. This option is not recommended, as many users will refuse to send any reports rather than reveal their email address. Periodic Summary Reports Frequency: Disabled Hourly Daily Sort: Most recent first IP number Severity SpamCop can produce daily or hourly summaries of all report of spam - including normally-silent "mole reports" and trap receipts. Network ranges are taken from an internal cache of whois records as well as ranges you have explicitly registed to receive reports about. Report Type selection If you are bothered by reports which reference your network without authorization, you may disable some report types while ensureing that relevant reports still reach you. a.. source (Administrator of network where email originates) Refuse Accept b.. www (Administrator of network hosting website referenced in spam) Refuse Accept c.. email (Administrator of network hosting email address referenced in spam) Refuse Accept d.. relay (Administrator of network with open relays) Refuse Accept e.. notify (User defined recipient) Refuse Accept f.. ns (Name server for spamvertised domain) Refuse Accept g.. intermediary (Administrator interested in intermediary handling of spam) Refuse Accept -------------------------------------------- as you can see, all notifications are enabled. 
clicking into the 'configure alerts' at the top of the page shows this: ------------------------------------------ Add/Change alert email Enter new alert email address - a short message (suitable for pagers) will be sent to confirm deliverability and ownership of this address: Alert email address: Send alert when.. IPs are block-listed IPs are reported as spam sources Both Neither -------------------------------- although the text box with 'pagerconf' inside only appears when I c/p into this message. Sorry if Im being dense, do you see an option I have configured wrong? thanks, Jay > > > -- > Mike Easter > kibitzer, not SC admin From MikeE at ster.invalid Mon May 16 08:56:05 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon May 16 10:55:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: Jay Teutenberg wrote: > thanks Mike, Im hoping your reading this in a graphical env, Ive c/p > in > what Im seeing... I have graphical capabilities here, but all you posted was a plaintext copy of the screen [plus a little gif] -- I'm not seeing what you were seeing, nor is that a good way to work out the situation. > Sorry if Im being dense, do you see an option I have configured wrong? I can't help -- it still sez your 216.176.166.220 refuses reports. You need to contact admin here http://www.spamcop.net/fom-serve/cache/91.html or here deputies spamcop.net -- Mike Easter kibitzer, not SC admin From gezgin at spamcop.net Mon May 16 19:11:33 2005 From: gezgin at spamcop.net (Gezgin) Date: Mon May 16 11:15:02 2005 Subject: [SpamCop-List] MAILER-DAEMON failure notices Message-ID: Is anyone else suddenly getting a lot of "MAILER-DAEMON failure notices" about messages that you never sent?
-- Bob Kanyak's Doghouse http://www.kanyak.com From Kilgallen at SpamCop.net Mon May 16 11:31:38 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon May 16 11:35:03 2005 Subject: [SpamCop-List] Re: MAILER-DAEMON failure notices References: Message-ID: In article , "Gezgin" writes: > Is anyone else suddenly getting a lot of "MAILER-DAEMON > failure notices" about messages that you never sent? Not suddenly at all. For me they are a steady stream of spam. If this is new to you, it looks like your email address just got picked up by spammers as a good "From:" address to be abused by clueless "MAILER_DAEMON" owners. From Kilgallen at SpamCop.net Mon May 16 11:32:43 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon May 16 11:35:11 2005 Subject: [SpamCop-List] Re: MAILER-DAEMON failure notices References: Message-ID: In article , Kilgallen@SpamCop.net (Larry Kilgallen) writes: > In article , "Gezgin" writes: >> Is anyone else suddenly getting a lot of "MAILER-DAEMON >> failure notices" about messages that you never sent? > > Not suddenly at all. For me they are a steady stream of spam. > > If this is new to you, it looks like your email address just > got picked up by spammers as a good "From:" address to be > abused by clueless "MAILER_DAEMON" owners. And in my biased understanding, those clueless "MAILER_DAEMON" owners are all Unix people, since Daemon is a Unix term. From nobody at spamcop.net Mon May 16 11:46:52 2005 From: nobody at spamcop.net (Ellen) Date: Mon May 16 12:10:03 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: "Jay Teutenberg" wrote in message news:d6a8e7$us7$1@news.spamcop.net... > thanks Mike, Im hoping your reading this in a graphical env, Ive c/p in > what Im seeing... > Hi -- if you would write to us at deputies admin.spamcop.net and include your IP range, the name on your ISP account and the problem/issue we will take a look at it. 
Ellen SpamCop From korhojy at POISSPAMMIThotmail.com Mon May 16 22:01:04 2005 From: korhojy at POISSPAMMIThotmail.com (Jyri Korhonen) Date: Mon May 16 14:05:02 2005 Subject: [SpamCop-List] Re: MAILER-DAEMON failure notices References: Message-ID: "Larry Kilgallen" wrote: > And in my biased understanding, those clueless "MAILER_DAEMON" > owners are all Unix people, since Daemon is a Unix term. I'm afraid that in this case your bias needs adjustment. Commercial email server software can use "MAILER-DAEMON" even if it has nothing to do with Unix. Novell GroupWise is a good example. From nobody at spamcop.net Mon May 16 14:45:50 2005 From: nobody at spamcop.net (Ellen) Date: Mon May 16 16:50:03 2005 Subject: [SpamCop-List] Re: MAILER-DAEMON failure notices References: Message-ID: "Gezgin" wrote in message news:d6ad6n$2b9$1@news.spamcop.net... > Is anyone else suddenly getting a lot of "MAILER-DAEMON > failure notices" about messages that you never sent? > yes Ellen From nobody at spamcop.net Mon May 16 15:02:26 2005 From: nobody at spamcop.net (Dar) Date: Mon May 16 17:05:02 2005 Subject: [SpamCop-List] Re: MAILER-DAEMON failure notices References: Message-ID: > "Gezgin" wrote in message > news:d6ad6n$2b9$1@news.spamcop.net... > > Is anyone else suddenly getting a lot of "MAILER-DAEMON > > failure notices" about messages that you never sent? Yes, and almost all the bounced messages I'm receiving, when they include the original headers, refer to: http://story.news.yahoo.com/news?tmpl=story&cid=1093&e=1&u=/pcworld/120846 Most include a German language text line and then a link. 
Dar From nobody at spamcop.net Mon May 16 15:04:31 2005 From: nobody at spamcop.net (Dar) Date: Mon May 16 17:05:11 2005 Subject: [SpamCop-List] Re: MAILER-DAEMON failure notices References: Message-ID: > Yes, and almost all the bounced messages I'm receiving, when they > include the original headers, refer to: > > http://story.news.yahoo.com/news?tmpl=story&cid=1093&e=1&u=/pcworld/120846 > > Most include a German language text line and then a link. > > Dar I have some examples if anyone wishes to see what it looks like. Dar From nttp.sc.s at bigsleep.org Tue May 17 03:12:22 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Mon May 16 22:15:03 2005 Subject: [SpamCop-List] Re: comcast "selling" illegal cable descramblers References: <18p5qu5w31fdi$.dlg@news.spamcop.net> Message-ID: On 15 May 2005 eddie entered spamcop and left news:pan.2005.05.15.16.27.46.386000@eddie.web: > I have also noticed, lately, a sharp increase in comcast spew. I guess > they have let their guard down. For a while their spam level was quite > low. > Funny how that happens shortly after removing the global block. -- | Ric | From bar_n0ne at hotmail.com Tue May 17 10:25:25 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue May 17 01:30:02 2005 Subject: [SpamCop-List] Re: MAILER-DAEMON failure notices References: Message-ID: "Dar" wrote in message news:d6b1sv$ho9$1@news.spamcop.net... > > Yes, and almost all the bounced messages I'm receiving, when they > > include the original headers, refer to: > > > > http://story.news.yahoo.com/news?tmpl=story&cid=1093&e=1&u=/pcworld/120846 > > > > Most include a German language text line and then a link. > > > > Dar > > > I have some examples if anyone wishes to see what it looks like. > > Dar Don't Bother everybody seems to be getting them. 
From nobody at nowhere.invalid Tue May 17 12:42:40 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue May 17 05:45:02 2005 Subject: [SpamCop-List] dk.tiscali.com and "trusted relay" status Message-ID: Tracker URL: http://www.spamcop.net/sc?id=z764485672z4c746bd1b6e7bf8dd10ada9560976671z Webmail submitted to tiscali.dk from Benin IP address on Sat, 19 Mar 2005 10:16:35 +0100. (Tell me this isn't a 419....) Mail exits tiscali's network and gets forwarded to SC on 16 May 2005 20:43:43 -0000. That's nearly 2 months. No wonder SC doesn't want to report this! Given that cpmail.dk.tiscali.com [212.54.64.159] held onto the mail for so long and that it is such a well-known, prolific source of 419 spam(*), maybe that host's status as "trusted relay" should be revoked so that the SC parser treats *it* as the source of spam, which it is given that tiscali.dk don't seem to care. Of course, that would result in tiscali's outbound relay getting listed, but I think the general reaction would be deafening cheers and much merriment... (*) - http://tinyurl.com/9vk66 (expands to a search on NANAS) -- Steve Which is worse: ignorance or apathy? Who knows? Who cares? From bitch at moan.grumble Tue May 17 05:42:41 2005 From: bitch at moan.grumble (bitch and moan) Date: Tue May 17 05:45:12 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: Ellen nobody@spamcop.net, wrote in message 6agbi$5i9$1@news.spamcop.net: > Hi -- if you would write to us at deputies admin.spamcop.net Huh? You mean deputies@admin.spamcop.net, yes? 
deputies@admin.spamcop.net deputies@admin.spamcop.net deputies@admin.spamcop.net deputies@admin.spamcop.net HTH & HAND From bar_n0ne at hotmail.com Tue May 17 15:30:13 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue May 17 06:35:05 2005 Subject: [SpamCop-List] Re: RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING (from ,help) References: Message-ID: "Steve Johnson" wrote in message news:mailman.2.1116324909.169.spamcop-help@news.spamcop.net... > > Hi Kevin, > > Thanks for the info & sorry to bother you, I too work in support & know how that > goes... but if you read my email you would know I have tried emailing and calling > abuse & your net ops, etc., several times and have had no response at best - so I > thought I'd try a few other email addresses. > > Yes I do have a 'further question,' can you open a ticket on this issue since your > abuse will not take action or even acknowledge that this is your block - what does > that tell me?! Maybe someone in support could investigate why you continue to allow > huge amounts of SPAMMING activity from your IP block: 69.67.72.0/21 ??? > > Thanks. > > > --- support@xo.com wrote: > > > > Hello Steve, > > > > Thank you for your email. > > > > You will need to direct this situation to our Network Investigations department > > for any possible resolution or addressing of this situation. They can be reached > > through http://support.xo.com/abuse or abuse@xo.com. > > > > Let us know if you have any further questions. > > > > Customer Care is available 24 hours a day, 7 days a week to assist you. For the > > most efficient handling of your inquiries, submit a trouble ticket from the XO > > Gateway (go to http://admin.xo.com, select 'Care' and then 'Contact Customer > > Support'). You may also contact Customer Care over the phone by calling > > 888-575-6398. > > > > Best regards, > > Kevin C. 
> > Web Site Hosting Support Team > > XO Communications > > > > --Original Message-- > > From: steevian@yahoo.com > > Date: 05/17/05 > > To: support@xo.com > > Subject: SPAM from your block: 69.67.72.021[#2446202] > > > > This e-mail message is a reply to a Web page using the > > form2mail script. The reply was generated by a web page > > at xo.com. > > > > > > Subject: SPAM from your block: 69.67.72.021 > > > > > > > > ADMIN KEY:s65jfk35 > > First Name: Steve > > Last Name: Johnson > > Company Name: na > > Address 1: na > > Address 2: > > City: na > > State: WI > > Zip: 53706 > > Phone: (111)222-3333 ext: > > Fax: -- > > Email: steevian@yahoo.com > > > > > > > > Comments: > > TO SPAMCOP, cc XO: > > > > According to this, the block where SPAM is coming from "69.67.72.0/21" belongs to > > XO: > > > > http://www.cidr-report.org/cgi-bin/as-report?as=AS2828 > > > > I have called XO about 4 times and all I get is them totally denying this block > > isnot theirs & one person in their Ops even laughed at the suggestion. > > > > Anyone who is interested, please help me in pressuring "XO" to try a little harder > > to be a responsible ISP, thanks! 
> > > > Here's a small sample of the intense SPAMMING from this "XO CUSTOMER:" > > > > > > --- Money to shop wrote: > > > X-Apparently-To: steevian@yahoo.com via 206.190.37.237; Tue, 17 > > > May 2005 00:37:17 -0700 > > > X-YahooFilteredBulk: 69.67.72.70 > > > Authentication-Results: mta273.mail.scd.yahoo.com > > > from=jxpzfbc.tradepointone.com; domainkeys=neutral (no sig) > > > X-Originating-IP: [69.67.72.70] > > > Return-Path: > > > Received: from 69.67.72.70 (EHLO eicmssgnq.tradepointone.com) > > > (69.67.72.70) > > > by mta273.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:34:59 > > > -0700 > > > From: "Money to shop" > > > To: > > > Subject: Start secret shopping today > > > Date: Tue, 17 May 2005 00:37:42 -0800 > > > MIME-Version: 1.0 > > > Content-Type: text/html; > > > Content-Length: 1478 > > > > > > > > > --- Money to shop wrote: > > > X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Tue, 17 > > > May 2005 00:56:26 -0700 > > > X-YahooFilteredBulk: 69.67.72.67 > > > Authentication-Results: mta217.mail.scd.yahoo.com > > > from=dkjxsxzwkod.tradepointone.com; domainkeys=neutral (no sig) > > > X-Originating-IP: [69.67.72.67] > > > Return-Path: > > > Received: from 69.67.72.67 (EHLO hibibivv.tradepointone.com) > > > (69.67.72.67) > > > by mta217.mail.scd.yahoo.com with SMTP; Tue, 17 May 2005 00:56:18 > > > -0700 > > > From: "Money to shop" > > > To: > > > Subject: Get a one thousand dollar gift card to shop with > > > Date: Tue, 17 May 2005 00:59:01 -0800 > > > MIME-Version: 1.0 > > > Content-Type: text/html; > > > Content-Length: 1509 > > > > > > > > > --- Mowers wrote: > > > X-Apparently-To: steevian@yahoo.com via 206.190.37.25; Mon, 16 > > > May 2005 22:16:07 -0700 > > > X-YahooFilteredBulk: 69.67.72.59 > > > Authentication-Results: mta110.mail.scd.yahoo.com > > > from=jhyrujgwvmu.freeserving.com; domainkeys=neutral (no sig) > > > X-Originating-IP: [69.67.72.59] > > > Return-Path: > > > Received: from 69.67.72.59 (EHLO dwxprco.freeserving.com) > > 
> (69.67.72.59) > > > by mta110.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 22:15:28 > > > -0700 > > > From: "Mowers" > > > To: > > > Subject: Get a top name lawn tractor FREE*! > > > Date: Mon, 16 May 2005 22:18:09 -0800 > > > MIME-Version: 1.0 > > > Content-Type: text/html; > > > Content-Length: 1506 > > > > > > > > > --- Consumer Feedback wrote: > > > X-Apparently-To: steevian@yahoo.com via 206.190.37.22; Mon, 16 > > > May 2005 19:36:44 -0700 > > > X-YahooFilteredBulk: 69.67.72.61 > > > Authentication-Results: mta317.mail.scd.yahoo.com > > > from=nxjjjgidssf.tradepointone.com; domainkeys=neutral (no sig) > > > X-Originating-IP: [69.67.72.61] > > > Return-Path: > > > Received: from 69.67.72.61 (EHLO nxjjjgidssf.tradepointone.com) > > > (69.67.72.61) > > > by mta317.mail.scd.yahoo.com with SMTP; Mon, 16 May 2005 19:36:06 > > > -0700 > > > From: "Consumer Feedback" > > > > > > To: > > > Subject: This amazing new Cell phone could be yours Free! > > > Date: Mon, 16 May 2005 19:38:46 -0800 > > > MIME-Version: 1.0 > > > Content-Type: text/html; > > > Content-Length: 1492 > > > > > > > > > --- Satellite offer wrote: > > > X-Apparently-To: steevian@yahoo.com via 206.190.37.30; Mon, 16 > > > May 2005 15:09:33 -0700 > > > X-YahooFilteredBulk: 69.67.72.21 > > > Authentication-Results: mta183.mail.dcn.yahoo.com > > > from=udyuqzm.servingones.com; domainkeys=neutral (no sig) > > > X-Originating-IP: [69.67.72.21] > > > Return-Path: > > > Received: from 69.67.72.21 (EHLO vsgwsqbrgli.servingones.com) > > > (69.67.72.21) > > > by mta183.mail.dcn.yahoo.com with SMTP; Mon, 16 May 2005 15:09:07 > > > -0700 > > > From: "Satellite offer" > > > To: > > > Subject: All you need and a lifetime subscription to Sirius > > > Satellite! > > > Date: Mon, 16 May 2005 15:11:43 -0800 > > > MIME-Version: 1.0 > > > Content-Type: text/html; > > > Content-Length: 1520 > __________________________________ > Yahoo! Mail Mobile > Take Yahoo! Mail with you! Check email on your mobile phone. 
> http://mobile.yahoo.com/learn/mail From nobody at devnull.spamcop.net Tue May 17 06:35:45 2005 From: nobody at devnull.spamcop.net (Cat) Date: Tue May 17 06:40:06 2005 Subject: [SpamCop-List] Re: german spam In-Reply-To: References: Message-ID: Berny wrote: > "Cat" wrote in message > news:d69esp$fcl$1@news.spamcop.net... > >>Jim wrote: >> >>>I can't believe this comcast IP (68.36.241.189)is not listed at SC. I >>>have received about 20 different spams in german (my guess) today and >>>have reported them all. >>> >>>I see it listed here >>>http://www.njabl.org/cgi-bin/lookup.cgi?query=68.36.241.189 >> >> >> >>Over the past two days, I've gotten an excessive amount of similar spam >>that all reports back to Verizon. I've probably had over 50 of these >>just in the past 48 hours, all reporting back to Verizon. This is on top >>of the crap I'm still getting from the Consumer Reports spammer through >>extremely spam friendly XO. I've counted at least 64 unsolicited e-mails >>from the XO spammer (minus a few more that I received before keeping up >>with the number) and many more from the same spammer through previous >>ISPs. There's even a Spamhaus RBL listing for XO. I don't know how well >>Verizon deals with spam, so I don't know how long it will take to get >>the German spammer kicked off there. > > > Mine came from the UAE's ISP, emirates.net, somebody suggested it was > connected with a virus, sobig, though outside of the virus supplying an smtp > engine I don't see the connection. Most of the links are to Media (newspaper > articles) and must be IB's, although I imagine the articles relate to the > intended message, if any. > > And yah, you got the CR guy kicked from SBCGlobal, but now XO and Whoa seem > to be quite happy to provide him with connectivity. checking whis now and > then the company name seems to be morphing from Software Factory Solutions > to SFSFL, but he still has his mailbox in Laval Quebec. (Way back it used to > be in Nanaimo, BC Canada). 
> > Know any one of influence at XO? He sends me up to a dozen of these nearly > identical turdlets a day. Ok, here's what I have for addresses where I have been forwarding XO complaints: abuse@xo.com, hostmaster@CONCENTRIC.NET, hostmaster@CNCHOST.COM, ipadmin@eng.xo.com, prdesk@xo.com, webmaster@xo.com, customer.care@xo.com, support@xo.com, webcare@xo.com, cxsupportd@xo.com They finally sent me a support ticket number, but that hasn't gotten any results yet. I'm up to a count of 76 of these so far and threatening to send them a bill for $50/spam if only I know a good billing address and how to put together an official looking bill for them. I also took a guess at possible user names for XO's top officers and sent it to the addresses below, none of which have bounced: carl.grivner@xo.com, wayne.rehberger@xo.com, lee.weiner@xo.com, bill.garrahan@xo.com, heather.gold@xo.com, doug.sobieski@xo.com, terri.burke@xo.com, rob.geller@xo.com, mark.faris@xo.com, matt.harty@xo.com, ron.scott@xo.com, carlgrivner@xo.com, waynerehberger@xo.com, leeweiner@xo.com, billgarrahan@xo.com, heathergold@xo.com, dougsobieski@xo.com, terriburke@xo.com, robgeller@xo.com, markfaris@xo.com, mattharty@xo.com, ronscott@xo.com From nobody at devnull.spamcop.net Tue May 17 06:36:47 2005 From: nobody at devnull.spamcop.net (Cat) Date: Tue May 17 06:40:15 2005 Subject: [SpamCop-List] Re: german spam In-Reply-To: References: Message-ID: Berny wrote: > Know any one of influence at XO? He sends me up to a dozen of these nearly > identical turdlets a day. Ok, here's what I have for addresses where I have been forwarding XO complaints: abuse@xo.com, hostmaster@CONCENTRIC.NET, hostmaster@CNCHOST.COM, ipadmin@eng.xo.com, prdesk@xo.com, webmaster@xo.com, customer.care@xo.com, support@xo.com, webcare@xo.com, cxsupportd@xo.com They finally sent me a support ticket number, but that hasn't gotten any results yet. 
I'm up to a count of 76 of these so far and threatening to send them a bill for $50/spam if only I know a good billing address and how to put together an official looking bill for them. I also took a guess at possible user names for XO's top officers and sent it to the addresses below, none of which have bounced: carl.grivner@xo.com, wayne.rehberger@xo.com, lee.weiner@xo.com, bill.garrahan@xo.com, heather.gold@xo.com, doug.sobieski@xo.com, terri.burke@xo.com, rob.geller@xo.com, mark.faris@xo.com, matt.harty@xo.com, ron.scott@xo.com, carlgrivner@xo.com, waynerehberger@xo.com, leeweiner@xo.com, billgarrahan@xo.com, heathergold@xo.com, dougsobieski@xo.com, terriburke@xo.com, robgeller@xo.com, markfaris@xo.com, mattharty@xo.com, ronscott@xo.com From nobody at devnull.spamcop.net Tue May 17 06:39:01 2005 From: nobody at devnull.spamcop.net (Cat) Date: Tue May 17 06:45:03 2005 Subject: [SpamCop-List] Re: SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re"CONSUMER RESEARCH CORP" SPAMMING (from ,help) In-Reply-To: References: Message-ID: Berny wrote: > For the > >>>most efficient handling of your inquiries, submit a trouble ticket from > > the XO > >>>Gateway (go to http://admin.xo.com, select 'Care' and then 'Contact > > Customer > >>>Support'). You may also contact Customer Care over the phone by calling >>>888-575-6398. Thanks for posting this. I'll try this new number since I haven't gotten results from the other number I found for XO abuse. From steevian at yahoo.com Tue May 17 06:58:57 2005 From: steevian at yahoo.com (Steve Johnson) Date: Tue May 17 08:59:00 2005 Subject: [SpamCop-List] Re XO.COM IP Block: 69.67.72.0/21 -- "Consumer Research Corp" SPAM Message-ID: <20050517125857.43850.qmail@web51304.mail.yahoo.com> Thanks Scott, That's good news, but FYI this has been going on for months! I would not be calling you or writing here if it were a short-term thing. 
If something is not done soon I will be complaining for starters to the Attorney General in your state & many others.

I don't appreciate being lied to or brushed off when I have a very legitimate complaint, you are supposed to be a responsible ISP. I read your TOS & it would be great if you could enforce this for your SPAMMING customers!

Thanks for the response!

Steve.

--- support@xo.com wrote:
>
> Hello Steve,
>
> Thank you for the response. Our Network Investigations Department handles
> concerns on a case by case, first come first serve basis. We have received
> numerous contacts within the last couple days about this same issue and believe me
> our Network Investigations Department is working to resolve this issue. They may
> not have made it to your email inquiries as of yet, but they will eventually.
>
> If you have any additional questions, Customer Care is available 24 hours a day, 7
> days a week to assist you. For the most efficient handling of your inquiries,
> submit a trouble ticket from the XO Gateway (go to http://admin.xo.com, select
> 'Care' and then 'Contact Customer Support'). You may also contact Customer Care
> over the phone by calling 888-575-6398.
>
> Best regards,
> Scott H.
> Web Site Hosting Support Team
> XO Communications

From MikeE at ster.invalid Tue May 17 07:24:54 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 17 09:25:02 2005
Subject: [SpamCop-List] Re: dk.tiscali.com and "trusted relay" status
References:
Message-ID:

Steven Maesslein wrote:

www.spamcop.net/sc?id=z764485672z4c746bd1b6e7bf8dd10ada9560976671z

< snip 58 day tiscali delay of 419 >

> That's nearly 2 months. No wonder SC doesn't want to report this!
> Given that cpmail.dk.tiscali.com [212.54.64.159] held onto the mail
> for so long and that it is such a well-known, prolific source of 419
> spam(*), maybe that host's status as "trusted relay" should be revoked
> so that the SC parser treats *it* as the source of spam, which it is
> given that tiscali.dk don't seem to care. Of course, that would result
> in tiscali's outbound relay getting listed, but I think the general
> reaction would be deafening cheers and much merriment...

We were just discussing tiscali in another thread in which I couldn't convince the poster that the item got stuck there

news://news.spamcop.net/d63l2m$b5e$1@news.spamcop.net
From: "Michael Scheidell"
Newsgroups: spamcop
Subject: forged dates fool spamcop?
Date: Fri, 13 May 2005 21:10:04 -0400

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Tue May 17 16:36:10 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue May 17 09:40:04 2005
Subject: [SpamCop-List] Re: dk.tiscali.com and "trusted relay" status
References:
Message-ID:

On Tue, 17 May 2005 06:24:54 -0700, Mike Easter coughed into spamcop and left this in :

> We were just discussing tiscali in another thread in which I couldn't
> convince the poster that the item got stuck there
> news://news.spamcop.net/d63l2m$b5e$1@news.spamcop.net

Yep. Same server. Methinks this server has big problems (other than being in *.tiscali.com which is a big enough problem in its own right) being overloaded with 419 junk sent from various AFRINIC countries.

Speaking of which, does anyone have a comprehensive list of IP space actually under the responsibility of AFRINIC now? I'd like to block the lot since I've never ever seen anything of value come out of there.

--
Steve
Cat, n: Lapwarmer with built-in buzzer.

From MikeE at ster.invalid Tue May 17 07:53:58 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 17 09:55:07 2005
Subject: [SpamCop-List] Re: dk.tiscali.com and "trusted relay" status
References:
Message-ID:

Steven Maesslein wrote:

> Speaking of which, does anyone have a comprehensive list of IP space
> actually under the responsibility of AFRINIC now? I'd like to block
> the lot since I've never ever seen anything of value come out of
> there.

Karsten Self keeps track of things by ASN and other 'tricks' and one of his posts includes these blocks of afrinic:

165.146.0.0/16 AFRINIC African Network Information Center
66.18.64.0/19 AFRINIC African Network Information Center
165.165.0.0/16 AFRINIC African Network Information Center

Those were spamsources

and then there's the 41/8

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue May 17 10:09:27 2005
From: nobody at spamcop.net (Ellen)
Date: Tue May 17 09:55:18 2005
Subject: [SpamCop-List] Re: dk.tiscali.com and "trusted relay" status
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrnd8jf4g.3e6.nobody@127.0.0.1...
> Tracker URL:
> http://www.spamcop.net/sc?id=z764485672z4c746bd1b6e7bf8dd10ada9560976671z
>

Thanks

Ellen

From bar_n0ne at hotmail.com Tue May 17 19:05:15 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue May 17 10:10:07 2005
Subject: [SpamCop-List] Re: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM - "Consumer Research Corp"SPAM
References:
Message-ID:

following this up to .spamcop where it probably belongs
sorry for the repeat in .help I got lazy

"Ellen" wrote in message news:d6ct26$lj3$2@news.spamcop.net...
>
>
> "Steve Johnson" wrote in message
> news:mailman.0.1116317184.169.spamcop-help@news.spamcop.net...
> >
> > Hello Ellen,
> >
> > Can you please tell me where you were able to find this info and if you know who to
> > talk to at "XO.com" I would appreciate that info also, I haven't had much luck with
> > them, they gave me a big laugh and 'click' on the phone last time.
>
> The information came from checking route-views using telnet:
>
> http://www.routeviews.org/
>
> You can try http://www.fixedorbit.com/search.htm altho I have found them to
> be inaccurate from time to time as they don't seem to update as often as
> they should. Once you get the AS number from fixedorbit, you can use this
> url to pull up the details from the cidr-report -- just change the number
> after the AS in the url to the one you are interested in:
>
> http://www.cidr-report.org/cgi-bin/as-report?as=AS2828&view=4637
>
> halfway down the page is a list of the ranges announced by the ASN. So you
> would want to use that to check to see if the block was really announced by
> the ASN or if fixedorbit was out of date. There is probably a less painful
> way to do this but as I just telnet into route-views I don't know what that
> is. You can also try one or more of the looking glass sites -- just remember
> that the results you are getting are for that looking glass only; here is a
> link to a bunch of them:
>
> http://www.traceroute.org/#Looking Glass
>
> So for example you could try the qwest USA one and put in the IP and select
> BGP for the query type. You might want to try a few of them geographically
> scattered to make sure that you got complete information. You can then look
> up the ASNs at fixedorbit to see who they belong to or use ARIN/RIPE/etc to
> look up that information. In any case you need to sanity check the
> information that you have gathered.
>
> >
> > The listing at SPAMHAUS http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587 refers
> > to a different range, are you suggesting "Quang Dangtran - Whoa Medical" is
> > responsible for this?
>
> yes
>
> The Rokso listing is for the /20:
> Address Range 69.67.64.0 - 69.67.79.255
> What I rerouted was 69.67.72.0/21
> 69.67.72.0 - 69.67.79.255
> Which is a subset of the /20.
> I see 69.67.64.0/21 as being announced by AS701 which is mci.com. XO should be
> well aware of what is happening -- there are over 3000 reports for the last
> week for 69.67.72.0/24.
>
> >
> > Any idea on who "Roger Graves DATAMONITOR-BUSSINESS-INFORMATION" is??
>
> nope, no idea -- I tend to not be able to keep track of the names and
> aliases of all those spammers as I am, in general, very bad at retaining
> names. A select few however I have no problem with :-)
>
>
> Ellen
>
>

From nobody at nowhere.invalid Tue May 17 17:57:23 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue May 17 11:00:04 2005
Subject: [SpamCop-List] AFRINIC (was: dk.tiscali.com and "trusted relay" status)
References:
Message-ID:

On Tue, 17 May 2005 06:53:58 -0700, Mike Easter coughed into spamcop and left this in :

> Karsten Self keeps track of things by ASN and other 'tricks' and one of
> his posts includes these blocks of afrinic:
>
> 165.146.0.0/16 AFRINIC African Network Information Center
> 66.18.64.0/19 AFRINIC African Network Information Center
> 165.165.0.0/16 AFRINIC African Network Information Center

I have what started out as a list of Nigerian space but which expanded to include other 419-spewers in Africa well before these ranges were handed over from ARIN/RIPE to AFRINIC (see below)

> and then there's the 41/8

Duly added - thanks :)

--
Steve
In the 60's people took acid to make the world weird. Now the world is weird and people take Prozac to make it normal.

From nobody at devnull.spamcop.net Tue May 17 17:55:10 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue May 17 17:00:03 2005
Subject: [SpamCop-List] Sanity check on my ISP
Message-ID:

Hi guys 'n' gals,

http://www.spamcop.net/sc?id=z764680765z331d95054ba42d829b861d38dcb4499dz

leads to a spam that purports to have come from my own ISP. The first time I parsed it, the only thing it found was my ISP. After parsing a second time, it added chinatietong as a spamvertised web site. Only I couldn't report it, because I had cancelled the one that only showed my ISP.

I was just at Past Reports, and using the Parse button there, it again ONLY finds usadatanet (no chinatietong):

Reportid: xxxxxxx
To: cancelled@devnull.spamcop.net

Would anyone knowledgeable care to take a guess as to whether my own ISP was compromised to send that, or does it look like a zombied machine, or just a bit of spammer foolery? If my ISP is spammy, it's new.

Thanks in advance,

Pop

From nobody at devnull.spamcop.net Tue May 17 18:02:57 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue May 17 17:05:03 2005
Subject: [SpamCop-List] EAsy Question:
Message-ID:

I was just at Past Reports and realized something: I passed it off as nothing, but still wonder:

I was able to see the entire spam, unmunged. Can anyone else see that?

Then I went back to the Report ID and clicked "View Entire Message" I think it offers, down the page a ways: THAT showed unmunged information, too: Can anyone else see THAT? If so, I probably just lost an account's usability!

Well, NOW I'm confused: I just went back to be sure the View Entire Message was worded right, and NOW it's showing the munged information again. Honest, I'm not making this up!

I guess I'll find out soon enough, but ... did I expose my address or not?

Also, just for GPs I thought I'd mention I'm getting a LOT of body-less spams from kornet lately, and chinatietong about every other one, but with bodies.

Thanks,

Pop

--
---
If I said it, I meant it.
If you said it, I heard it.
If I meant it, I said it.
If you meant it, how am I supposed to know?

From david at paridox.com Tue May 17 15:08:38 2005
From: david at paridox.com (David Rubinstein)
Date: Tue May 17 17:10:02 2005
Subject: [SpamCop-List] Blocklisted
Message-ID:

Dear Deputies,

We have a user somewhere on our servers that is sending mail to spam traps. Our servers are setup to identify every piece of mail with a UID/GID in the headers, if you could kindly lookup who is causing the spam trap block I would appreciate it.

web18.thehostingnet.com
66.6.223.240

Thanks,

David
Technical Support
Web-hosting-support.com

From nobody at spamcop.net Tue May 17 18:19:59 2005
From: nobody at spamcop.net (Ellen)
Date: Tue May 17 17:25:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

"David Rubinstein" wrote in message news:opsqxucow9d9vcy1@localhost.localdomain...
Dear Deputies,

We have a user somewhere on our servers that is sending mail to spam traps. Our servers are setup to identify every piece of mail with a UID/GID in the headers, if you could kindly lookup who is causing the spam trap block I would appreciate it.

web18.thehostingnet.com
66.6.223.240

Responded in email

Ellen

From nobody at nowhere.invalid Wed May 18 01:02:55 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue May 17 18:05:03 2005
Subject: [SpamCop-List] Re: dk.tiscali.com and "trusted relay" status
References:
Message-ID:

On Tue, 17 May 2005 15:36:10 +0200, Steven Maesslein coughed into spamcop and left this in :

> Speaking of which, does anyone have a comprehensive list of IP space
> actually under the responsibility of AFRINIC now? I'd like to block the
> lot since I've never ever seen anything of value come out of there.

This will get you the IP ranges transferred from RIPE to AFRINIC:

$ whois -h whois.ripe.net AFRINIC-NET-TRANSFERRED-20050223 | grep "^inetnum:"

And this will get you the ranges transferred from ARIN to AFRINIC:

$ whois -h whois.arin.net -- n "AFRINIC-*"

I'm building a BIND zone for this combined data and can post it here for those interested.

--
Steve
Anarchy may not be the best form of government, but it's better than no government at all.
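
[Added example, not part of any list message and not SpamCop's or a poster's own code.] The step from the `inetnum:` lines returned by the RIPE query above to blocklist zone records can be scripted as follows. It assumes RIPE-style `inetnum: first - last` lines and the usual DNSBL layout (reversed octets relative to the zone origin, wildcard or `$GENERATE` A records answering 127.0.0.2); the function names and the sample whois text are constructed for illustration.

```python
"""Turn RIPE-style inetnum ranges into DNSBL zone records (added example)."""
import ipaddress
import re

DNSBL_ANSWER = "127.0.0.2"  # conventional "listed" answer of an IP blocklist

# Constructed sample in the shape of `whois ... | grep "^inetnum:"` output,
# with one non-inetnum line left in. The first three ranges are blocks named
# in this thread; the last is an RFC 5737 documentation range picked because
# it does not fall on a CIDR boundary.
SAMPLE_WHOIS = """\
inetnum:        165.146.0.0 - 165.146.255.255
netname:        EXAMPLE-NET
inetnum:        66.18.64.0 - 66.18.95.255
inetnum:        41.0.0.0 - 41.255.255.255
inetnum:        192.0.2.16 - 192.0.2.39
"""

INETNUM_RE = re.compile(
    r"^inetnum:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_inetnum(whois_text):
    """Return sorted, merged CIDR blocks covering every inetnum range."""
    blocks = []
    for line in whois_text.splitlines():
        match = INETNUM_RE.match(line)
        if not match:
            continue  # netname:, descr:, comments, blank lines
        try:
            first = ipaddress.IPv4Address(match.group(1))
            last = ipaddress.IPv4Address(match.group(2))
            # An arbitrary first-last range may need several CIDR blocks.
            blocks.extend(ipaddress.summarize_address_range(first, last))
        except ValueError:
            continue  # octet above 255, or a range that runs backwards
    return list(ipaddress.collapse_addresses(blocks))


def zone_record(cidr):
    """Return the zone line (relative to the zone origin) that lists one CIDR."""
    net = ipaddress.IPv4Network(cidr)
    octets = str(net.network_address).split(".")
    whole, bits = divmod(net.prefixlen, 8)
    fixed = ".".join(reversed(octets[:whole]))  # fully specified octets
    if bits == 0:
        if whole == 4:  # single host: no wildcard needed
            return f"{fixed} IN A {DNSBL_ANSWER}"
        owner = f"*.{fixed}" if fixed else "*"
        return f"{owner} IN A {DNSBL_ANSWER}"
    # Prefix ends inside an octet: enumerate that octet with $GENERATE.
    low = int(octets[whole])
    high = low + (1 << (8 - bits)) - 1
    owner = f"$.{fixed}" if fixed else "$"
    if whole < 3:  # octets to the right of the partial one are wildcarded
        owner = "*." + owner
    return f"$GENERATE {low}-{high} {owner} A {DNSBL_ANSWER}"


def build_zone(whois_text):
    """Zone lines for all ranges found in the whois text."""
    return [zone_record(str(net)) for net in parse_inetnum(whois_text)]


if __name__ == "__main__":
    print("\n".join(build_zone(SAMPLE_WHOIS)))
```

The ARIN query in the message above returns a different output format and would need its own parser.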

From MikeE at ster.invalid Tue May 17 16:26:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 17 18:30:03 2005
Subject: [SpamCop-List] Re: Sanity check on my ISP
References:
Message-ID:

Pop wrote:

www.spamcop.net/sc?id=z764680765z331d95054ba42d829b861d38dcb4499dz

When I examined that tracker it was breaking the chain prematurely and naming your provider.

If reported today, reports would be sent to:
Re: 81.193.145.106

> Would anyone knowledgeable care to take a guess as to
> whether my own ISP was compromised to send that, or
> does it look like a zombied machine, or just a bit of
> spammer foolery? If my ISP is spammy, it's new.

None of the above. Parser burp/bug/error.

I like to create experimental 'models' or forgeries to demonstrate the problem. Here's an item based on the original which is much simpler and demonstrates the same parser error.

Abbreviated summary of Received lines
*comment
from (mxb.usadatanet.net [69.67.254.10]) by blade1.usadatanet.net *serves you
from bl4-145-106.dsl.telepac.pt [81.193.145.106] by mxb.usadatanet.net *sourceline

http://www.spamcop.net/sc?id=z764718063z1c9e939c4342f15227dec9b16d3297c4z
If reported today, reports would be sent to:
Re: 69.67.254.10

There may be any number of ways to modify those headers very slightly and achieve a correct parse. Here's one

http://www.spamcop.net/sc?id=z764718508z109ac9b93cc0a3882255e8a7d0a61047z
If reported today, reports would be sent to:
Re: 81.193.145.106

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue May 17 16:47:25 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 17 18:50:02 2005
Subject: [SpamCop-List] Re: Sanity check on my ISP
References:
Message-ID:

Oops. Wrong paste

Mike Easter wrote:
> Pop wrote:
> www.spamcop.net/sc?id=z764680765z331d95054ba42d829b861d38dcb4499dz
>
> When I examined that tracker it was breaking the chain prematurely and
> naming your provider.

If reported today, reports would be sent to:
Re: 69.67.254.10 (Administrator of network where email originates)
abuse@usadatanet.net
postmaster@usadatanet.net

That is the paste of the tracker of the parser wanting to notify your provider.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue May 17 18:53:12 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue May 17 18:55:03 2005
Subject: [SpamCop-List] Re: EAsy Question:
References:
Message-ID:

"Pop" wrote in message news:d6dm5v$7dh$1@news.spamcop.net...
> I was just at Past Reports and realized something: I
> passed it off as nothing, but still wonder:
> I was able to see the entire spam, unmunged. Can
> anyone else see that?

The timing is described a little differently, but ... the subject recently came up in a Forum discussion, me making the charge that a user was pre-munging his submittals .. basing that on the kinds of results you just hit on ... I was educated, Ellen admitted some surprise, then added some bits to straighten 'all' of us out .. starts at
http://forum.spamcop.net/forums/index.php?showtopic=4137&view=findpost&p=27937

From nobody at spamcop.net Tue May 17 20:03:00 2005
From: nobody at spamcop.net (R)
Date: Tue May 17 19:05:03 2005
Subject: [SpamCop-List] Re: EAsy Question:
References:
Message-ID:

Pop,

I just looked at your past report,
http://www.spamcop.net/sc?id=z764680765z331d95054ba42d829b861d38dcb4499dz;action=display

And in "To" and "CC" all I saw was a bunch of x's

"Pop" wrote in message news:d6dm5v$7dh$1@news.spamcop.net...
> I was able to see the entire spam, unmunged. Can anyone else see that?
>

From nobody at spamcop.net Tue May 17 20:18:21 2005
From: nobody at spamcop.net (R)
Date: Tue May 17 19:20:02 2005
Subject: [SpamCop-List] Useless Spam?
Message-ID:

I am getting one of these every day or so. It comes from a different domain every time, with different "TO" and "FROM" fields as well.

It is always the same -- an ad for drugs, with a link that does not work.

The link is obfuscated, and IE cannot interpret it. SpamCop cannot deobfuscate it, either.

I find it strange that OUTLOOK does manage to get the IMG SRC

http://www.spamcop.net/mcgi?action=gettrack&reportid=1427300641

What's the point here? Are they from a stupid spammer who cannot get the link right? Are they from someone who is confirming my email address when OUTLOOK downloads the image? Should I continue to report them when I get them, or delete them unopened?

I cannot get OUTLOOK to do anything with it without opening it.

Thanks for the advice

R

From MikeE at ster.invalid Tue May 17 17:35:16 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 17 19:40:03 2005
Subject: [SpamCop-List] Re: Useless Spam?
References:
Message-ID:

R wrote:

> http://www.spamcop.net/mcgi?action=gettrack&reportid=1427300641

That is a link for a reportid which only allows /you/ to see the spamitem not /us/. If you use that reportid you can work yourself into a place where you can access the tracker for the parser and the spam which will allow /us/ to see what you are talking about.

When you click the link you pasted, there's a 'Parse' link at the top of the spam display - Click that. That will take you to a display of the parse which has a tracking url at the top; it looks like this

http://www.spamcop.net/sc?id=z764735900z0d10a9eb8f1c84e773f0ef1c3b22711cz

Copy that thing and paste it here and we can see what you are talking about. You won't have to describe anything.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed May 18 10:35:36 2005
From: nobody at devnull.spamcop.net (Filip)
Date: Tue May 17 19:40:13 2005
Subject: [SpamCop-List] X-MDaemon-Deliver-To header not masked
Message-ID:

Hi guys,

My Mdaemon mail server uses flag X-MDaemon-Deliver-To flag to identify the final recipient. This flag is not masked out in the reports, revealing a real email address at my domain.

See these examples:
http://www.spamcop.net/sc?id=z764730835z3459769545f263d6db7e83e8f08cf0c5z
http://www.spamcop.net/sc?id=z764730823z725e3366f4b780408381b856bdb87342z

Is there anything that can be done about this?

Regards,
Filip

From MikeE at ster.invalid Tue May 17 17:50:31 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 17 19:55:03 2005
Subject: [SpamCop-List] Re: X-MDaemon-Deliver-To header not masked
References:
Message-ID:

Filip wrote:

> My Mdaemon mail server uses flag X-MDaemon-Deliver-To flag to
> identify the final recipient. This flag is not masked out in the
> reports, revealing a real email address at my domain.
>
> See these examples:
> http://www.spamcop.net/sc?id=z764730835z3459769545f263d6db7e83e8f08cf0c5z
> http://www.spamcop.net/sc?id=z764730823z725e3366f4b780408381b856bdb87342z
>
> Is there anything that can be done about this?

IMO you could interpret the rule faq about Material changes to spam in a way which would allow you to pre-munge that line before submitting it to the parser. For example, you could delete the line.

As a general rule, deputies don't like to give permission to change a spam in any way which isn't covered directly by the faq, and the faq is about mungeing your address in the body of a link, not deleting a headerline. However, you aren't helping the faq to identify anything.

http://www.spamcop.net/fom-serve/cache/283.html Material changes to spam -- It is okay to munge your personal email address contained within links in the body of the spam, if SpamCop does not find and munge them, with one exception. If a report is going to an abuse desk that does not accept munged reports, you must not make even these minor changes to the spam.

--
Mike Easter
kibitzer, not SC admin

From hans at salvisberg.invalid Wed May 18 03:45:32 2005
From: hans at salvisberg.invalid (Hans Salvisberg)
Date: Tue May 17 20:35:03 2005
Subject: [SpamCop-List] X-Recipient header not masked, either
In-Reply-To:
References:
Message-ID:

Hi Filip,

I privately reported a similar problem with the X-Recipient header added by SpamVault. Ellen told me a week ago that she had "passed this to the programmers to take a look at", but I haven't heard back from anyone yet.

Removing these headers, as Mike suggested, is not a good solution. At one domain I often receive spam at one TO address (if at all) plus one or more BCC addresses. If it weren't for the X-Recipient header, all copies would be identical, because the spammer sent ONE message to multiple addresses. However, on my end, each copy goes into a different mailbox. I receive MULTIPLE pieces of spam and I sure want to report each one of them!

Let's hope they can solve this!

Hans

P.S. I find that the X-Recipient header is munged, if it happens to show the same address as the To header, but not otherwise.

From nobody at devnull.spamcop.net Tue May 17 21:13:11 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue May 17 21:15:02 2005
Subject: [SpamCop-List] Re: Useless Spam?
References:
Message-ID:

"R" wrote in message news:d6du06$dl2$1@news.spamcop.net...
>
> The link is obfuscated, and IE cannot interpret it. SpamCop cannot
> deobfuscate it, either.
>

Generally, these types of constructs are embedded in a "javascript" wrapper .. and the SpamCop parser doesn't "do" javascript .. though this is just a generalization, not seeing your specific spam ... there may be more to the issue (and if one assumes the Outlook/Eudora hack being involved ....)

> I find it strange that OUTLOOK does manage to get the IMG SRC
>

You might find some enlightenment by jumping over to
http://forum.spamcop.net/forums/index.php?showtopic=4164&view=findpost&p=28054
more data then added to the Glossary entry off the Forum FAQ ...

> Are they from someone who is confirming my email address
> when OUTLOOK downloads the image? Should I continue
> to report them when I get them, or delete them unopened?
>
> I cannot get OUTLOOK to do anything with it without opening it.

Again, the Forum FAQ includes the www.spamcop.net Help/FAQ data ... check the links on "How to get full headers ..." ... or Google the SpamCop archives/Forum for Outlook ... it's not like this is a "new problem" ..... and of course, you say nothing about which version of Outlook is running, each has its issues, but Outlook 2003 offered some capability in changing the way MIME was handled (though still dependent on the way it was installed, how the Exchange server is configured if installed in "Corporate" mode, etc.)

From steevian at yahoo.com Tue May 17 21:21:52 2005
From: steevian at yahoo.com (Steve Johnson)
Date: Tue May 17 23:21:59 2005
Subject: Fwd: [SpamCop-List] Re XO.COM IP Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM
Message-ID: <20050518032152.58541.qmail@web51305.mail.yahoo.com>

Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and also had any luck with XO as far as even a response?

Thanks.

--- Steve Johnson wrote:

> Date: Tue, 17 May 2005 05:58:57 -0700 (PDT)
> From: Steve Johnson
> CC: UCE@FTC.Gov
> Subject: [SpamCop-List] Re XO.COM IP Block: 69.67.72.0/21 -- "Consumer Research Corp" SPAM
> To: Steve Johnson
>
> Thanks Scott,
>
> That's good news, but FYI this has been going on for months! I would not be calling
> you or writing here if it were a short-term thing.
>
> If something is not done soon I will be complaining for starters to the Attorney
> General in your state & many others.
> > I don't appreciate being lied to or brushed off when I have a very legitimate > complaint, you are supposed to be a responsible ISP. I read your TOS & it would > be > great if you could enforce this for your SPAMMING customers! > > Thanks for the response! > > > Steve. > > > --- support@xo.com wrote: > > > > Hello Steve, > > > > Thank you for the response. Our Network Investigations Department handles > > concerns on a case by case, first come first serve basis. We have received > > numerous contacts within the last couple days about this same issue and belive > me > > our Network Investigations Department is working to resolve this issue. They > may > > not have made it to your email inquiries as of yet, but they will eventually. > > > > If you have any additional questions, Customer Care is available 24 hours a day, > 7 > > days a week to assist you. For the most efficient handling of your inquiries, > > submit a trouble ticket from the XO Gateway (go to http://admin.xo.com, select > > 'Care' and then 'Contact Customer Support'). You may also contact Customer Care > > over the phone by calling 888-575-6398. > > > > Best regards, > > Scott H. > > Web Site Hosting Support Team > > XO Communications > > __________________________________________________ > Do You Yahoo!? > Tired of spam? Yahoo! Mail has the best spam protection around > http://mail.yahoo.com > _______________________________________________ > SpamCop-List mailing list > SpamCop-List@news.spamcop.net > http://news.spamcop.net/mailman/listinfo/spamcop-list > __________________________________ Yahoo! Mail Mobile Take Yahoo! Mail with you! Check email on your mobile phone. 
http://mobile.yahoo.com/learn/mail From nobody at devnull.spamcop.net Wed May 18 13:33:21 2005 From: nobody at devnull.spamcop.net (Patto) Date: Tue May 17 23:35:06 2005 Subject: [SpamCop-List] Rolex spam - URL never parsed Message-ID: http://www.spamcop.net/sc?id=z764799374zb35a00fa38f8be64e8052b3468410426z For weeks and weeks I am getting these fake Rolex spams, and SpamCop is consistently unable to parse these URLs, even when pasting the extracted URL into the parser's window. If I get the IP address via Sam Spade, that can be parsed by SC. Why not the URL? From wb8tyw at qsl.network Wed May 18 00:46:29 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue May 17 23:50:02 2005 Subject: Fwd: [SpamCop-List] Re XO.COM IP Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM In-Reply-To: References: Message-ID: Steve Johnson wrote: > Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and also had any luck > with XO as far as even a response? http://www.moensted.dk/spam/?addr=69.67.72.0&Submit=Submit + SBL Spamhaus Block List: sbl.spamhaus.org -> 127.0.0.2 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL12587 Which starts out: > 69.67.64.0/20 is listed on the Register Of Known Spam Operations > ROKSO) database as being assigned to, under the control of, or > providing service to a known professional spam operation run by > Quang Dangtran - Whoa Medical. > Whoa USA Inc > Mar 30, 2005: > hijacking U.S.-based trojaned PC's/Proxies to relay spam - a felony > violation of several U.S. computer crime laws. I do not think any of the mail servers that I get mail on will accept anything from that range as long as it is in the SBL. I do not see any mention of XO in the spamhaus.org listing. 
-John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Wed May 18 00:09:49 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed May 18 00:10:03 2005 Subject: [SpamCop-List] Re: Rolex spam - URL never parsed References: Message-ID: "Patto" wrote in message news:d6ed22$nqs$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z764799374zb35a00fa38f8be64e8052b3468410426z > > For weeks and weeks I am getting these fake Rolex spams, and SpamCop is > consistently unable to parse these URLs, even when pasting the extracted > URL into the parser's window. If I get the IP address via Sam Spade, > that can be parsed by SC. Why not the URL? SpamCop Parsing and Reporting Service New! SpamCop reporting of spamvertized sites - some philosophy http://forum.spamcop.net/forums/index.php?showtopic=4085 From bar_n0ne at hotmail.com Wed May 18 10:47:31 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed May 18 01:50:02 2005 Subject: [SpamCop-List] Re XO.COM IP Block: 69.67.72.0/21 - "ConsumerResearch Corp" SPAM References: Message-ID: "Steve Johnson" wrote in message news:mailman.4.1116386519.169.spamcop-list@news.spamcop.net... > > Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and also had any luck > with XO as far as even a response? > > Thanks. 
First Question: Yes Second: NO From steevian at yahoo.com Wed May 18 00:54:21 2005 From: steevian at yahoo.com (Steve Johnson) Date: Wed May 18 02:54:27 2005 Subject: [SpamCop-List] Re XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VA Attorney Gen: CONSUMER@OAG.State.VA.US Message-ID: <20050518065422.23661.qmail@web51304.mail.yahoo.com> Well it's probably a waste of time, but in addition to bugging XO.COM I've started to email copies of the SPAM to the "Virginia Attorney General" & if anyone wants it their address is: CONSUMER@OAG.State.VA.US -------------------------------- Berny bar_n0ne at hotmail.com Wed May 18 10:47:31 EDT 2005 "Steve Johnson" wrote in message news:mailman.4.1116386519.169.spamcop-list at news.spamcop.net... > > Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and also had any luck > with XO as far as even a response? > > Thanks. First Question: Yes Second: NO __________________________________ Yahoo! Mail Mobile Take Yahoo! Mail with you! Check email on your mobile phone. http://mobile.yahoo.com/learn/mail From korhojy at POISSPAMMIThotmail.com Wed May 18 12:11:22 2005 From: korhojy at POISSPAMMIThotmail.com (Jyri Korhonen) Date: Wed May 18 04:15:02 2005 Subject: [SpamCop-List] Listed, but when and why Message-ID: Web page http://www.spamcop.net/w3m?action=checkblock&ip=212.86.0.4 says "212.86.0.4 not listed in bl.spamcop.net" Nslookup says: Name: 4.0.86.212.bl.spamcop.net Address: 127.0.0.2 Senderbase tells that this IP is listed in SCBL http://www.senderbase.org/?searchBy=ipaddress&sb=1&searchString=212.86.0.4 It would be nice to see some details on SpamCop's own pages. From bar_n0ne at hotmail.com Wed May 18 13:35:59 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed May 18 04:40:02 2005 Subject: [SpamCop-List] Re: XO.COM Block: 69.67.72.0/21 SPAM, also hosting "UnsubscribeNow" SCAMsite References: Message-ID: XO's hat is getting blacker by the minute. 
Caught this in the SC stats page around 08:30 Zulu time: abuse@xo.com 14.10 min. http://www.unsubscribenow.com/ and abuse@xo.com 14.10 min. http://www.unsubscribenow.org/about.php and abuse@xo.com 14.10 min. http://www.unsubscribenow.net/ Seems like XO is trying to compete with chinatietong, kornet, hana's, cnc-noc'kers and others for spammer business. Both in the case of the CD spammer, and unsubscribenow, the least amount of diligence would have kept them off their networks, so one can only conclude they want the business. Anyone with NANAE connections want to escalate this to them? I don't have newsgroup server access. From nobody at nowhere.invalid Wed May 18 11:46:11 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed May 18 04:50:23 2005 Subject: [SpamCop-List] Re: Listed, but when and why References: Message-ID: On Wed, 18 May 2005 11:11:22 +0300, Jyri Korhonen coughed into spamcop and left this in : > says "212.86.0.4 not listed in bl.spamcop.net" > > Nslookup says: > > Name: 4.0.86.212.bl.spamcop.net > Address: 127.0.0.2 Old data cached in nameservers, most likely. $ host 4.0.86.212.bl.spamcop.net Host 4.0.86.212.bl.spamcop.net not found: 3(NXDOMAIN) -- Steve Experience is something you don't get until just after you need it. From none at none.none Wed May 18 07:54:00 2005 From: none at none.none (Pete) Date: Wed May 18 07:55:04 2005 Subject: [SpamCop-List] Spamcop is becoming unusuable Message-ID: Pretty soon it'll be easier to do this stuff manually. It's becoming a rare thing to see a URL that spamcop will parse. Give me hope for the future since my yearly membership is about up and I'm trying to decide whether or not it's worth it to buy it again. 
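
Added example (editor's illustration, not part of any list post): the DNSBL lookup from the "Listed, but when and why" thread above, in Python. It builds the reversed-octet query name, interprets the answer, and models a caching resolver to show how a cached 127.0.0.2 can outlive a delisting; the stub zone, TTL and timestamps are constructed assumptions, not SpamCop's real values.

```python
import ipaddress

ZONE = "bl.spamcop.net"  # DNSBL zone named in the thread


def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: 212.86.0.4 -> 4.0.86.212.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answer):
    """Map a DNSBL answer to a verdict. None stands for NXDOMAIN."""
    if answer is None:
        return "not listed"
    if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    return "unexpected answer"  # anything outside 127/8 is not a DNSBL verdict


class StubZone:
    """Constructed stand-in for the authoritative DNSBL: listed during [start, end)."""

    def __init__(self, listed_windows):
        self.listed_windows = listed_windows  # {query_name: [(start, end), ...]}

    def lookup(self, name, now):
        for start, end in self.listed_windows.get(name, []):
            if start <= now < end:
                return "127.0.0.2"
        return None


class CachingResolver:
    """Minimal resolver model: any answer, including NXDOMAIN, is reused until its TTL expires."""

    def __init__(self, upstream, ttl):
        self.upstream = upstream
        self.ttl = ttl
        self.cache = {}  # name -> (answer, expires_at)

    def lookup(self, name, now):
        hit = self.cache.get(name)
        if hit and now < hit[1]:
            return hit[0]  # served from cache, possibly stale
        answer = self.upstream.lookup(name, now)
        self.cache[name] = (answer, now + self.ttl)
        return answer


def compare_views(ip, resolver, zone, now):
    """Ask the caching resolver and the zone itself, and flag a disagreement."""
    name = dnsbl_query_name(ip)
    cached = interpret(resolver.lookup(name, now))
    fresh = interpret(zone.lookup(name, now))
    return {"name": name, "resolver": cached, "authoritative": fresh,
            "stale": cached != fresh}


def demo():
    name = dnsbl_query_name("212.86.0.4")
    zone = StubZone({name: [(0, 1000)]})       # constructed: delisted at t=1000 s
    resolver = CachingResolver(zone, ttl=600)  # constructed TTL of 600 s
    resolver.lookup(name, now=900)             # cached while listed, valid until t=1500
    during = compare_views("212.86.0.4", resolver, zone, now=1200)
    after = compare_views("212.86.0.4", resolver, zone, now=1600)
    return during, after


if __name__ == "__main__":
    for view in demo():
        print(view)
```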
From MikeE at ster.invalid Wed May 18 06:23:10 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 18 08:25:04 2005 Subject: [SpamCop-List] Re: Re XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US References: Message-ID: Steve Johnson wrote: >> Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and >> also had any luck with XO as far as even a response? I don't understand [exactly] what/how much XO has to 'do with' 69.67.72.0/21, except for being the notify in the routing for 69.67.72.0/24 because they are the notify for AS2828 because the 69.67.64.0/20 which is Whoa is spewed and spamhaused. I see these threads: Newsgroups: spamcop.help Subject: RE:SPAM from your block: 69.67.72.021 [#2446202] -- XO.COM re "CONSUMER RESEARCH CORP" SPAMMING Date: Tue, 17 May 2005 03:15:02 -0700 (PDT) Message-ID: and Newsgroups: spamcop Subject: Fwd: [SpamCop-List] Re XO.COM IP Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM Date: Tue, 17 May 2005 20:21:52 -0700 (PDT) Message-ID: and Newsgroups: spamcop.help Subject: [SC-Help] Re: THEHOTTESTTHINGAROUND.COM - "Consumer Research Corp" SPAM Date: Tue, 17 May 2005 01:06:17 -0700 (PDT) Message-ID: which show items sourced from 69.67.72.61 & 69.67.72.21 & 69.67.72.59 which all come from this /24 Whoa/ Roger Graves suballocation whois -h whois.arin.net 69.67.72.0 ... Whoa USA Inc 69.67.64.0 - 69.67.79.255 Roger Graves DATAMONITOR-BUSSINESS-INFORMATION 69.67.72.0 - 69.67.72.255 and in which you cite a lookup for AS2828 which shows XO and Ellen as telling you and confirming that Whoa is responsible for the netblock in question. In this item: news://news.spamcop.net/mailman.0.1116317184.169.spamcop-help@news.spamcop.net you cite some kind of communication with Ellen in which she explains some bgp information about AS2828 being upstream from 69.67.72.0/21 -- I can confirm that whois.cymru.com sez the ASN for 69.67.72.0 is AS2828. 
There is also this routing information about the /24 routeid:14209431 69.67.72.0 - 69.67.72.255 to:abuse@xo.com Administrator interested in all reports Wednesday, May 11, 2005 3:52:27 AM -0700 [Note added by 68.217.2.192 (adsl-217-2-192.asm.bellsouth.net)] AS2828 -whoa --http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587 ROKSO -- Quang Dangtran - Whoa Medical ASN2828 -- xo There is a S1128 spews listing for a /20 escalated from a /32 1, 69.67.67.3, Quang Dangtran / fahawn.com / poiuytrewq03.com 1, 69.67.64.0/20, Quang Dangtran / OASISVN.COM / Whoa USA Inc (HE.net feed) There is a SBL12587 for the 69.67.64.0/20 ROKSO for Quang Dangtran - Whoa Medical. and the spamhaus listing shows some of the suballocations of the Whoa /20 from 69.67.64.0 to 69.67.64.239 to 15 different blocks. It seems that you are carrying on as if XO were the owner of the netblock space, like Whoa is. "Steve Johnson" wrote in message news:mailman.1.1116320474.169.spamcop-help@news.spamcop.net... > According to this, the block where SPAM is coming from "69.67.72.0/21" belongs to > XO: > > http://www.cidr-report.org/cgi-bin/as-report?as=AS2828 The AS allocation is not the same thing as the arin registration. What you would be trying to do would be to get XO to not have some kind of unknown business relationship with Whoa because of the business relationships which Whoa has. That is a fine goal, but it isn't going to lead to XO carrying on a correspondence with you about your complaints about spam; and if you spam the XO 'people' with a long bitchlist, then you are acting abusively. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed May 18 06:59:13 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 18 09:00:03 2005 Subject: [SpamCop-List] Re: Spamcop is becoming unusuable References: Message-ID: Pete wrote: > Pretty soon it'll be easier to do this stuff manually. It's becoming > a rare thing to see a URL that spamcop will parse. 
Give me hope for > the future since my yearly membership is about up and I'm trying to > decide whether or not it's worth it to buy it again. Do you think the notification of the spamvertiser providers is a valuable thing? Or, is it the posting of the spamvertised url/s to the statistics page which you find valuable/useful? There is no spamcop blocklisting consequence of the notification of the spamvertiser providers as there is of spamsources. In my spam, the notification of the spamvertiser providers very often would be going to a nonresponsive or blackhat provider, which I don't think is a particularly valuable notify. Getting the url on the statistics page would be good, but other than that I can't see that it matters whether those nonresponsive or blackhats are notified or not. -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Wed May 18 08:59:23 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed May 18 09:00:14 2005 Subject: [SpamCop-List] Re: Spamcop is becoming unusuable References: Message-ID: In article , "Pete" writes: > Pretty soon it'll be easier to do this stuff manually. It's becoming a rare > thing to see a URL that spamcop will parse. I believe the main value of SpamCop is compiling the SCBL. From nobody at devnull.spamcop.net Wed May 18 10:11:24 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 18 09:15:03 2005 Subject: [SpamCop-List] Thanks, appreciate it Re: EAsy Question: References: Message-ID: That's all; just thank you. "R" wrote in message news:d6dt3h$crj$1@news.spamcop.net... > Pop, > > I just looked at your past report, > http://www.spamcop.net/sc?id=z764680765z331d95054ba42d829b861d38dcb4499dz;action=display > > And in "To" and "CC" all I saw was a bunch of x's > > "Pop" wrote in message > news:d6dm5v$7dh$1@news.spamcop.net... >> I was able to see the entire spam, unmunged. Can >> anyone else see that? 
>> > > From nobody at devnull.spamcop.net Wed May 18 10:29:51 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 18 09:30:03 2005 Subject: [SpamCop-List] Re: EAsy Question: References: Message-ID: "WazoO" wrote in message news:d6dskp$cje$1@news.spamcop.net... > "Pop" wrote in message > news:d6dm5v$7dh$1@news.spamcop.net... >> I was just at Past Reports and realized something: >> I >> passed it off as nothing, but still wonder: >> I was able to see the entire spam, unmunged. Can >> anyone else see that? > > The timing is described a little differently, but ... > the subject recently came up in a Forum > discussion, me making the charge that a user > was pre-minging his submittals .. basing that > on the kinds of results you just hit on ... I > was educated, Ellen admitted some surprise, > then added some bits to straighten 'all' of us > out .. starts at > http://forum.spamcop.net/forums/index.php?showtopic=4137&view=findpost&p=27937 > > Hmm, not sure I understand, but I -think- I got a handle on what was said there. I have to assume (ass-etc) everything's OK and that I didn't expose anything from the responses, but ... from this end, guess I'll have to tuck it away as an "aberration". I didn't touch the message in any way so it was 100 % unmunged as submitted, by email, unless transmission garbled something, but I used the SC link to go back to it and didn't copy/paste anything. Well, other than obviously the Past Results thing which, from another post, I assume is my own personal number and not viewable by anyone else unless I give out the info somehow which, fortunately, I didn't. Thanks anyway; I'll go back later and see if that link makes more sense when I'm more alert. I'll re-check my allegations too, to see if I can replicate them from another spam. No time right now. 
Regards, Pop From nobody at devnull.spamcop.net Wed May 18 10:47:10 2005 From: nobody at devnull.spamcop.net (Pop) Date: Wed May 18 09:50:03 2005 Subject: [SpamCop-List] Re: Sanity check on my ISP References: Message-ID: "Mike Easter" wrote in message news:d6ds9u$c7c$1@news.spamcop.net... > Oops. Wrong paste > > Mike Easter wrote: >> Pop wrote: >> www.spamcop.net/sc?id=z764680765z331d95054ba42d829b861d38dcb4499dz >> >> When I examined that tracker it was breaking the >> chain prematurely and >> naming your provider. > > If reported today, reports would be sent to: > Re: 69.67.254.10 (Administrator of network where > email originates) > abuse@usadatanet.net > postmaster@usadatanet.net > > That is the paste of the tracker of the parser > wanting to notify your > provider. > Sooo, I assume when you said in the -oops-: "None of the above. Parser burp/bug/error." it still applies? Or Or are you implying that it looks like a probably accurate parse and usadatanet's a good "hit" as far as SCs concerned? I forgot to mention they've just gone thru a humongous nationwide software upgrade, so something could be amiss, I suppose. Regards, Pop From nospam at nospam.nl Wed May 18 17:20:27 2005 From: nospam at nospam.nl (geo_splash_12) Date: Wed May 18 10:25:03 2005 Subject: [SpamCop-List] bounce spam Message-ID: Lately I'm getting some german spam that comes with a lot of bounces: http://www.spamcop.net/sc?id=z764956657z9dd57944066989a8094c14059bc01e9fz http://www.spamcop.net/sc?id=z764720843za1b77eec78103edd791b6a569c6de363z http://www.spamcop.net/sc?id=z764220132zbc7876dd2ce488487c4b73c606eab871z I hate spam, and especially when it is German and extreme right. But, what is causing this, a new virus? Ejo From nobody at spamcop.net Wed May 18 16:39:11 2005 From: nobody at spamcop.net (TimeLord) Date: Wed May 18 10:45:03 2005 Subject: [SpamCop-List] Re: bounce spam References: Message-ID: "geo_splash_12" wrote in message news:d6fiv7$gi3$1@news.spamcop.net... 
> Lately I'm getting some german spam that comes with a lot of bounces: > > http://www.spamcop.net/sc?id=z764956657z9dd57944066989a8094c14059bc01e9fz > http://www.spamcop.net/sc?id=z764720843za1b77eec78103edd791b6a569c6de363z > http://www.spamcop.net/sc?id=z764220132zbc7876dd2ce488487c4b73c606eab871z > > I hate spam, and especially when it is German and extreme right. But, what > is causing this, a new virus? > > Ejo http://www.cooltechzone.com/index.php?option=content&task=view&id=1291 Kev From bar_n0ne at hotmail.com Wed May 18 20:05:46 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed May 18 11:10:03 2005 Subject: [SpamCop-List] wierdest "failure to LART spamvertizer failure yet! Message-ID: clipped from the parse page (because a tracker may show a different parse): Resolving link obfuscation http://rds.yahoo.com/s=6533972/k=computer/v=8/sid=z/l=ws1/r=1/ss=97477683/ipc=us/she=0/h=0/sig=0520hnhgaq560/exp=932154139/*-http://google.com.s1gns.net/mortgage.asp Yahoo redirection = http://google.com.s1gns.net/mortgage.asp host google.com.s1gns.net (checking ip) = 61.138.3.113 host 61.138.3.113 (getting name) no name http://rds.yahoo.com/s=3173298/k=computer/v=1/sid=w/l=ws1/r=1/ss=01028613/ipc=us/she=0/h=0/sig=9748rplmj46/exp=026228129/*-http://google.com.s1gns.net/deletion.asp Yahoo redirection = http://google.com.s1gns.net/deletion.asp host google.com.s1gns.net (checking ip) = 61.138.3.113 host 61.138.3.113 (getting name) no name Please make sure this email IS spam: ..... as you can see the parser de-obfuscated, pounded its way through the redirect, found the IP, and stopped there! I've never seen that before, either it doesn't try, or tries and fails, but tries, succeeds and then doesn't bother, is a new one.
tracker: http://www.spamcop.net/sc?id=z764979409z3d8ab92faa649b5913ce805090c5b1bez From nospam at nospam.nl Wed May 18 18:14:16 2005 From: nospam at nospam.nl (geo_splash_12) Date: Wed May 18 11:15:03 2005 Subject: [SpamCop-List] Re: bounce spam In-Reply-To: References: Message-ID: TimeLord wrote: > "geo_splash_12" wrote in message > news:d6fiv7$gi3$1@news.spamcop.net... > >>Lately I'm getting some german spam that comes with a lot of bounces: >> >>http://www.spamcop.net/sc?id=z764956657z9dd57944066989a8094c14059bc01e9fz >>http://www.spamcop.net/sc?id=z764720843za1b77eec78103edd791b6a569c6de363z >>http://www.spamcop.net/sc?id=z764220132zbc7876dd2ce488487c4b73c606eab871z >> >>I hate spam, and especially when it is German and extreme right. But, what >>is causing this, a new virus? >> >>Ejo > > > http://www.cooltechzone.com/index.php?option=content&task=view&id=1291 > > Kev > > tnx! From notformail0405 at comcast.net Wed May 18 14:20:34 2005 From: notformail0405 at comcast.net (Gunter Herrmann) Date: Wed May 18 13:25:03 2005 Subject: [SpamCop-List] Re: Deputies: SC clock might need resetting In-Reply-To: References: Message-ID: Hi! Don Wannit wrote: > or as they say, "Clock Police!" > > Reports I just submitted seconds ago are showing up in the > Past Reports history of recent reports with a datetime of > roughly 25 minutes earlier than I submitted them. I use an ntp client on my linux system, so my clock is always in sync with 3 atomic clocks. Spamcop could use the same approach. brgds -- Gunter Herrmann Naples, Florida, USA From nobody at spamcop.net Wed May 18 15:32:38 2005 From: nobody at spamcop.net (Ellen) Date: Wed May 18 14:40:03 2005 Subject: [SpamCop-List] Re: Listed, but when and why References: Message-ID: "Jyri Korhonen" wrote in message news:d6etbb$2i4$1@news.spamcop.net... 
> Web page > > http://www.spamcop.net/w3m?action=checkblock&ip=212.86.0.4 > > says "212.86.0.4 not listed in bl.spamcop.net" > > Nslookup says: > > Name: 4.0.86.212.bl.spamcop.net > Address: 127.0.0.2 > You have to remember that the blocklist mirrors and the bl web lookup page update at slightly different times. This can lead to the sort of discrepancy you see. While the update process for the mirrors and the webpage try to keep well synchronized they can be out of sync. The SenderBase page updates much less frequently. The listing delisting history for this IP is: Listing history for past 30 days: listed: 5/18/2005 7:24:17 AM -0400 delisted: 5/18/2005 3:48:24 AM -0400 listed: 5/17/2005 4:39:01 PM -0400 Ellen From nobody at spamcop.net Wed May 18 15:34:44 2005 From: nobody at spamcop.net (Ellen) Date: Wed May 18 14:40:13 2005 Subject: [SpamCop-List] Re: bounce spam References: Message-ID: "geo_splash_12" wrote in message news:d6fiv7$gi3$1@news.spamcop.net... > Lately I'm getting some german spam that comes with a lot of bounces: > > http://www.spamcop.net/sc?id=z764956657z9dd57944066989a8094c14059bc01e9fz > http://www.spamcop.net/sc?id=z764720843za1b77eec78103edd791b6a569c6de363z > http://www.spamcop.net/sc?id=z764220132zbc7876dd2ce488487c4b73c606eab871z > > I hate spam, and especially when it is German and extreme right. But, > what is causing this, a new virus? > > Ejo That is sober.q sending those spams. http://www.f-secure.com/v-descs/sober_q.shtml Ellen From MikeE at ster.invalid Wed May 18 12:58:46 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 18 15:00:04 2005 Subject: [SpamCop-List] Re: Sanity check on my ISP References: Message-ID: "Pop" > Sooo, I assume when you said in the -oops-: > "None of the above. Parser burp/bug/error." > it still applies?
Or Everything I sed in news://news.spamcop.net/d6dr27$b98$1@news.spamcop.net stays except the line after > If reported today, reports would be sent to: in which I meant to cite what the parser sed for /your/ tracker. The parser sed to your tracker at the time If reported today, reports would be sent to: Re: 69.67.254.10 (Administrator of network where email originates) abuse@usadatanet.net postmaster@usadatanet.net In the post above, I pasted the correct answer which I got by forging the headers instead of what your tracker sed, so I came back with the oops and corrected that.. > Or are you implying that it looks like a probably > accurate parse and usadatanet's a good "hit" as far as > SCs concerned? No. The parser was wrong. But now it has been fixed; which is why I wanted to paste what it said at the time correctly Your tracker: http://www.spamcop.net/sc?id=z764680765z331d95054ba42d829b861d38dcb4499dz Present result Re: 81.193.145.106 (Administrator of network where email originates) abuse@mail.telepac.pt postmaster@mail.telepac.pt which is the correct answer. As is often the case, these parser bugs get 'fixed' while they are being discussed. > I forgot to mention they've just gone thru a humongous > nationwide software upgrade, so something could be > amiss, I suppose. Sometimes the parser will make a mistake if it is unfamiliar with a server. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed May 18 13:17:01 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 18 15:20:03 2005 Subject: [SpamCop-List] Re: Deputies: SC clock might need resetting References: Message-ID: Gunter Herrmann wrote: > I use an ntp client on my linux system, so my clock is always > in sync with 3 atomic clocks. > Spamcop could use the same approach. Speaking of atomic clocks lets me drift offtopic.... I was visiting the NIST site yesterday and was reading about their work on little tiny atomic clocks about the site of a grain of rice! Amazing. 
They are going to be able to accomplish manufacture of those little chips in multiples as a wafer, so they can do a bunch of them at one time like other computer chips. The other interesting article there was the one which explained how an atomic clock worked by comparing it to pushing a child's swing 'properly' so that the child swings higher and higher, and that causes the child to laugh louder. Very cute. Good analogy. Oscillating electromagnetic push [local oscillator] is you pushing the swing according to the swing's pendulum moment [atom's period of oscillation]. Higher and higher the swing is the atoms' amplitude of oscillation. The louder the child's laughter we hear is the 'power' of the laser light beam traversing the atoms in the gas. Chip-Scale Vapor-Cell Atomic Clocks at NIST http://tf.nist.gov/timefreq/ofm/smallclock/BasicQuestions.htm Basic Questions and Answers about Chip-Scale Atomic Clocks "The fabrication process designed at NIST allows many components of the physics package to be made at one time on large (6 inch) wafers. Since it's essentially just as easy to make an entire wafer of components as it is to make one, this advance allows for a huge savings in fabrication cost. In addition, once a wafer of each component has been made, the clocks can all be assembled together by just stacking the wafers, bonding them together and then dicing the stacked structure into individual components. We expect that several thousand individual clock physics packages could be made with one single process sequence." -- Mike Easter kibitzer, not SC admin From noah.boddie at newsgroup.nospam Wed May 18 17:13:49 2005 From: noah.boddie at newsgroup.nospam (Dwayne Conyers) Date: Wed May 18 16:15:04 2005 Subject: [SpamCop-List] usen.ad.jp ?? Message-ID: Is this a Japanese spam outfit -- u send ad ???
-- The Runaway Bride Shoppe http://www.cafepress.com/dwacon/601709 From MikeE at ster.invalid Wed May 18 14:34:45 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed May 18 16:35:03 2005 Subject: [SpamCop-List] Re: usen.ad.jp ?? References: Message-ID: Dwayne Conyers wrote: Eek! Same nntp posting host, same OE version number, same html newsgroup posting. It is a very simple fix. OE/ Tools/ Options/ Send tab/ News Sending Format section at the bottom - check Plain Text radio button, which deselects HTML. I went looking for a screenshot to display the setting, but I couldn't find one quickly. -- Mike Easter kibitzer, not SC admin From noah.boddie at newsgroup.nospam Wed May 18 17:36:37 2005 From: noah.boddie at newsgroup.nospam (Dwayne Conyers) Date: Wed May 18 16:40:03 2005 Subject: [SpamCop-List] Re: usen.ad.jp ?? References: Message-ID: "Mike Easter" wrote in message news:d6g8t7$3vl$1@news.spamcop.net... > Dwayne Conyers wrote: > > Eek! Same nntp posting host, same OE version number, same html > newsgroup posting. > > It is a very simple fix. OE/ Tools/ Options/ Send tab/ News Sending > Format section at the bottom - check Plain Text radio button, which > deselects HTML. > > I went looking for a screenshot to display the setting, but I couldn't > find one quickly. > > -- > Mike Easter > kibitzer, not SC admin > My fault -- I installed Thunderbird but still trying to figure out configuration of the news plugins. I'll get it. Sorry! -- I Shave With Occams Razor http://www.dwacon.com From 79ytka802 at sneakemail.com Wed May 18 23:31:49 2005 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Wed May 18 17:35:02 2005 Subject: [SpamCop-List] Dictionary attack on @spamcop.net addresses? Message-ID: (Sample posted to .spam) My household has three email accounts @spamcop.net. The three addresses are used exclusively for having mail forwarded TO them, none of them have ever been published or been used in outbound email.
Today I noticed that all three addresses have been getting spam that was sent to them directly. They all had three things in common: - They were BCCd to our addresses - The "to" addresses were OTHER addresses @spamcop.net - They were in German Is somebody systematically spamming everything from aaron-at-spamcop to zebedee-at-spamcop? From jay at advertisnet.com Wed May 18 18:06:20 2005 From: jay at advertisnet.com (Jay Teutenberg) Date: Wed May 18 18:05:02 2005 Subject: [SpamCop-List] Re: Blocklisted References: Message-ID: The final solution to my not being able to enable my reports, from Ellen@spamcop, -------------------- Hi -- in order for you to get regular full SC reports I have to do a system reports database add which is what I did below -- this is not something that you can do. I just sent you a "test" SpamCop report so you can see what one looks like. ------------------- I knew I hadn't manually set something which said I didn't want summary reports.. Thanks Mike, Jay "Mike Easter" wrote in message news:d69chi$dld$1@news.spamcop.net... > Jay Teutenberg wrote: >> still didnt show any details > > A non-admin like me can't see any information about an unlisted IP, but > the faq http://www.spamcop.net/fom-serve/cache/94.html sez "Anyone may > receive summary reports about any netspace they specify. To receive > reports, first create an ISP account. " and "In addition, your ISP > account allows you to spot-check any IP address for recent reports." > > You already have an account, so you should be able to see summary > reports and recent reports on any specific IP. That isn't a copy of the > spam I don't think, but you would normally get a copy of a spam with > every report if your preferences aren't marked to not get reports. > >>> ISP does not wish to receive reports regarding 216.176.166.220 - no >>> date available >>> >>> I suggest you turn on the SC reports.
>> >> I believe I have everything set correctly in isp area preferences, >> there must be a different area Im missing. > > You would go in here http://www.spamcop.net/fom-serve/cache/266.html > Change your preferences here. > http://members.spamcop.net/mcgi?action=prefmenu > > > -- > Mike Easter > kibitzer, not SC admin > From spam_hjp at yahoo.com Wed May 18 19:04:45 2005 From: spam_hjp at yahoo.com (Jim) Date: Wed May 18 18:05:15 2005 Subject: [SpamCop-List] German spam Message-ID: I got about 6 spams today after about getting 20 the other day. This spam is coming in on comcast 68.36.241.189. I do get some on other IP but I can not understand why this comcast IP does not get listed. Could it have any thing to do with it being a trusted site on why it does not get listed? Volume Statistics for this IP Magnitude Vol Change vs. Average Last day 3.0 2681% Last 30 days 2.6 1144% Average 1.5 Third-party Certification Bonded Sender? Not Bonded TRUSTe Privacy Seal? Jim From nobody at devnull.spamcop.net Wed May 18 18:30:30 2005 From: nobody at devnull.spamcop.net (Cat) Date: Wed May 18 18:35:03 2005 Subject: [SpamCop-List] Re: Re XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US In-Reply-To: References: Message-ID: Mike Easter wrote: > Steve Johnson wrote: > >>>Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and >>>also had any luck with XO as far as even a response? > > > I don't understand [exactly] what/how much XO has to 'do with' > 69.67.72.0/21, except for being the notify in the routing for > 69.67.72.0/24 because they are the notify for AS2828 because the > 69.67.64.0/20 which is Whoa is spewed and spamhaused. In traceroute, XO is the direct upstream from the spammer. The last IP in traceroute is the spammer with the one directly above that being XO, so they definitely get connectivity through XO. There's no one else to notify in between those. 
I've had 82 unsolicited e-mails from them in the past few weeks, and I'm absolutely sick of it.

From eddie at eddie.web Wed May 18 19:44:29 2005
From: eddie at eddie.web (eddie)
Date: Wed May 18 18:45:02 2005
Subject: [SpamCop-List] Re: Dictionary attack on @spamcop.net addresses?
References:
Message-ID:

On Wed, 18 May 2005 22:31:49 +0100, Aviatrix scratched out the following:

> (Sample posted to .spam)
>
> My household has three email accounts @spamcop.net. The three addresses
> are used exclusively for having mail forwarded TO them, none of them have
> ever been published or been used in outbound email.
>
> Today I noticed that all three addresses have been getting spam that was
> sent to them directly.
>
> They all had three things in common:
>
> - They were BCCd to our addresses
> - The "to" addresses were OTHER addresses @spamcop.net - They were in
> German
>
> Is somebody systematically spamming everything from aaron-at-spamcop to
> zebedee-at-spamcop?

It's no doubt the new sober virus with Nazi spew. Spam is getting political these days.
http://www.cooltechzone.com/index.php?option=content&task=view&id=1291

--
Once movie theaters gave out steak knives
Today they confiscate them

From eddie at eddie.web Wed May 18 19:47:13 2005
From: eddie at eddie.web (eddie)
Date: Wed May 18 18:50:02 2005
Subject: [SpamCop-List] Re: Spamcop is becoming unusuable
References:
Message-ID:

On Wed, 18 May 2005 07:59:23 -0500, Larry Kilgallen scratched out the following:

> In article , "Pete"
> writes:
>> Pretty soon it'll be easier to do this stuff manually. It's becoming a
>> rare thing to see a URL that spamcop will parse.
>
> I believe the main value of SpamCop is compiling the SCBL.

Quite true, but without users, there will be no SCBL, right?
I suffer through reporting at times but I don't think I would leave SC. However, if too many users get frustrated and leave, the database would be seriously reduced in volume.
SC should be doing all it can to support and aid its userbase to encourage them to stay and keep reporting spam.

--
Once movie theaters gave out steak knives
Today they confiscate them

From MikeE at ster.invalid Wed May 18 16:51:10 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 18 18:55:03 2005
Subject: [SpamCop-List] Re: German spam
References:
Message-ID:

Jim wrote:
> I got about 6 spams today after about getting 20 the other day.
> This spam is coming in on comcast 68.36.241.189. I do get some on
> other IP but I can not understand why this comcast IP does not get
> listed. Could it have anything to do with it being a trusted site
> on why it does not get listed?

SpamCop has been accused of 'that' in nanae - where 'that' is/means handling issues for IronPort clients differently than normal IPs. But nanae-ites are always accursing [Sigmund slip] SC of /something/ - most of the time 'they' [accursing nana-ites] don't know what they're talking about.. I'm not sure/ don't know/ who has what kinds of relationships with whom.

Bonded Sender is IronPort's email certification program, and this page's banner sez Bonded Sender Program powered by IronPort certified by TrustE. http://www.bondedsender.com/ So, if IronPort were going to have any kind of 'relationship' about an IP it seems like it would be for a Bonded Sender one, not a TrustE one.

.. whereas the TrustE or rather TRUSTe seal is some kind of certification provided to a *website* according to whether or not the website plays by some truste privacy rules. Nothing about spamming. I don't know why 68.36.241.189 rDNS pcp09993671pcs.narlington.nj.comcast.net would have some kind of truste sticker -- since it doesn't have anything to do with websites and doesn't even have a port 80.

> Volume Statistics for this IP
> Magnitude Vol Change vs. Average
> Last day 3.0 2681%
> Last 30 days 2.6 1144%
> Average 1.5

Yes; a jump from 1.5 to 3.0 is huge, 20x. Seems like it would be showing up somewhere.
It isn't listed any more places than it was the other day when you asked.

> Third-party Certification
> Bonded Sender? Not Bonded
> TRUSTe Privacy Seal?

You can research those from IronPort's site, where you copied from - a different page.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 18 16:55:22 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 18 19:00:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

Jay Teutenberg wrote:
> The final solution to my not being able to enable my reports, from
> Ellen@spamcop,
> --------------------

Good.

> Hi -- in order for you to get regular full SC reports I have to do a
> system reports database add which is what I did below -- this is not
> something that you can do. I just sent you a "test" SpamCop report so
> you can see what one looks like.
> -------------------

The website gizmo sure makes it look like the admin sed they didn't want reports -- which I copied here earlier.

> I knew I hadn't manually set something which said I didn't want summary
> reports..

You are saying specifically summary reports. It would seem that summary reports would be a different kind of report getting than getting spamcop reports. But, then, I'm out here as a non SC admin and a non-ISP admin -- so what do I know.

> Thanks Mike,
> Jay

YW. I hope you are getting regular SC reports too, besides getting summary reports.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 18 17:01:00 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 18 19:05:03 2005
Subject: [SpamCop-List] Re: Re XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US
References:
Message-ID:

Cat wrote:
> Mike Easter wrote:
>> Steve Johnson wrote:
>>
>>>> Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and
>>>> also had any luck with XO as far as even a response?
>>
>>
>> I don't understand [exactly] what/how much XO has to 'do with'
>> 69.67.72.0/21, except for being the notify in the routing for
>> 69.67.72.0/24 because they are the notify for AS2828 because the
>> 69.67.64.0/20 which is Whoa is spewed and spamhaused.
>
>
>
> In traceroute, XO is the direct upstream from the spammer. The last IP
> in traceroute is the spammer with the one directly above that being
> XO, so they definitely get connectivity through XO. There's no one
> else to notify in between those. I've had 82 unsolicited e-mails from
> them in the past few weeks, and I'm absolutely sick of it.

You can be unhappy about getting spam from an IP in Whoa's netblock, and you can notify Whoa's upstream because Whoa is non-responsive and spews and spamhaus listed and route listed by SC, and you can even try to get spews to broaden any unlisted Whoa netspace, but I doubt if you would be able to get spews [or spamhaus] to list XO because XO provides upstream allocation or services to Whoa who spews does list. I also doubt/disagree if XO should be expected to correspond back with spamcop reporters about what is going on with Whoa netspace spam. I also disagree with spamming an XO bitchlist about not corresponding with spamcop reporters about Whoa space spam.

--
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Wed May 18 19:06:41 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed May 18 19:10:03 2005
Subject: [SpamCop-List] Re: Spamcop is becoming unusuable
References:
Message-ID:

In article , eddie writes:
> On Wed, 18 May 2005 07:59:23 -0500, Larry Kilgallen scratched out the
> following:
>
>> In article , "Pete"
>> writes:
>>> Pretty soon it'll be easier to do this stuff manually. It's becoming a
>>> rare thing to see a URL that spamcop will parse.
>>
>> I believe the main value of SpamCop is compiling the SCBL.
>
> Quite true, but without users, there will be no SCBL, right?
> I suffer through reporting at times but I don't think I would leave SC.
> However, if too many users get frustrated and leave, the database would be
> seriously reduced in volume. SC should be doing all it can to support and
> aid its userbase to encourage them to stay and keep reporting spam.

Knowing the SCBL gets fed is what keeps me as a user.

From nobody at spamcop.net Wed May 18 21:01:08 2005
From: nobody at spamcop.net (R)
Date: Wed May 18 20:00:03 2005
Subject: [SpamCop-List] Re: Useless Spam?
References:
Message-ID:

"Mike Easter" wrote in message news:d6dv3m$ej4$1@news.spamcop.net...

> That is a link for a reportid which only allows /you/ to see the
> spamitem not /us/.

Oops. Sorry about that.
http://www.spamcop.net/sc?id=z764724937zf329e0f422eeef239fc654b4a89e90d8z

There is no JavaScript.
I'll tell outlook to leave a copy on the server so I can submit the next one without the Outlook hack.

Renee

From nobody at devnull.spamcop.net Wed May 18 20:00:23 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Wed May 18 20:05:04 2005
Subject: [SpamCop-List] Re: Re XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> You can be unhappy about getting spam from an IP in Whoa's netblock, and
> you can notify Whoa's upstream because Whoa is non-responsive and spews
> and spamhaus listed and route listed by SC, and you can even try to get
> spews to broaden any unlisted Whoa netspace, but I doubt if you would be
> able to get spews [or spamhaus] to list XO because XO provides upstream
> allocation or services to Whoa who spews does list. I also
> doubt/disagree if XO should be expected to correspond back with spamcop
> reporters about what is going on with Whoa netspace spam.

I've been submitting manual complaints about these since sending through SpamCop wasn't helping and so that I could finally get a trouble ticket number.
Both the spammer's 69.67.72.0/20 and the XO IP the next hop above them (206.173.204.234/32) are listed in the Spamhaus SBL, so I'm not sure why you say that XO isn't listed in Spamhaus since 206.173.204.234/32 comes up as XO in traceroute.

69.67.72.0/20 Spamhaus RBL listing:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587

206.173.204.234/32 Spamhaus RBL listing:
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL26626

> I also
> disagree with spamming an XO bitchlist about not corresponding with
> spamcop reporters about Whoa space spam.

First of all, I'm not sending bitch lists because they aren't replying to SpamCop complaints. I'm sending bitch lists because they're completely ignoring the problem with both SpamCop complaints and manual complaints and have previously attempted to deny their involvement as the immediate upstream provider. Notifying a bitch list of addresses is an absolute last resort measure that has worked well for me in the past when complaints went otherwise unnoticed.

I finally got a trouble ticket number after copying several of them to the support address. I also called the support number and finally got my complaint escalated to the department over the abuse department through that after pointing out that traceroute shows that XO is the upstream of the spammer.

From windsorfoxNOSPAM at cox.net Wed May 18 20:18:58 2005
From: windsorfoxNOSPAM at cox.net (WindsorFox[SS])
Date: Wed May 18 20:20:03 2005
Subject: [SpamCop-List] Re: Grow up
In-Reply-To:
References:
Message-ID:

Socks the Whitehouse Cat wrote:
> "sbb78247" wrote in
> news:d653b2.2d0.1@133.256.1.103.MISMATCH:
>
>
>
>>BAAAAAAHAHAHAHHAHAHAHAHA!! what a maroon
>>
>>if you hate free speech so much, why don't you live in say cuba?
>
>
> PLONK
>

That sounds familiar.....
From nobody at spamcop.net Wed May 18 20:55:23 2005
From: nobody at spamcop.net (Ellen)
Date: Wed May 18 21:00:03 2005
Subject: [SpamCop-List] Re: Blocklisted
References:
Message-ID:

"Mike Easter" wrote in message news:d6gh4r$arm$1@news.spamcop.net...
>
> The website gizmo sure makes it look like the admin sed they didn't want
> reports -- which I copied here earlier.

There were a couple of different email addresses -- not sure what you saw for which address but I think we have it nailed down now.

> YW. I hope you are getting regular SC reports too, besides getting
> summary reports.

yes

Ellen

From sbb78247 at stilldon'tfuckincare.invalid Wed May 18 21:09:21 2005
From: sbb78247 at stilldon'tfuckincare.invalid (sbb78247)
Date: Wed May 18 21:10:03 2005
Subject: [SpamCop-List] Re: Grow up
References:
Message-ID:

WindsorFox[SS] wrote:
> Socks the Whitehouse Cat wrote:
>> "sbb78247" wrote in
>> news:d653b2.2d0.1@133.256.1.103.MISMATCH:
>>
>>
>>
>>> BAAAAAAHAHAHAHHAHAHAHAHA!! what a maroon
>>>
>>> if you hate free speech so much, why don't you live in say cuba?
>>
>>
>> PLONK
>>
>
>
> That sounds familiar.....

to who?

From MikeE at ster.invalid Wed May 18 19:38:10 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 18 21:40:03 2005
Subject: [SpamCop-List] Re: Useless Spam?
References:
Message-ID:

R wrote:
www.spamcop.net/sc?id=z764724937zf329e0f422eeef239fc654b4a89e90d8z
>
> There is no JavaScript.
> I'll tell outlook to leave a copy on the server so I can submit the
> next one without the
> Outlook hack.

Yeah, that's a problem for interpreting body parse problems.

Once upon a time, the original spam was built like this:
X-Content-Type: multipart/related; boundary="----=_Part_26388143_13857671.1425273506863"
but then, the original spam was converted by the Office mail agent into a MAPI format for office, destroying the original structure.

Then, the destroyed spam's MAPI condition was 're-converted' into html for display.
Then, you fed the destroyed spam's mapi conversion's html into spamcop's parser. Then, the parser did an Outlook Eudora hack on the converted converted conversion.

SpamCop-note: Converted to text/html by SpamCop (outlook/eudora hack)

Converting the converted converted conversion into a converted converted converted conversion.

And now, you want to talk about the html condition of the multiconverted^4 body.

R wrote:
> The link is obfuscated, and IE cannot interpret it. SpamCop cannot
> deobfuscate it, either.

That seems kinda silly to me.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed May 18 20:00:57 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed May 18 22:05:03 2005
Subject: [SpamCop-List] Re: Re XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US
References:
Message-ID:

Cat wrote:
> Mike Easter wrote:
>> but I
>> doubt if you would be able to get spews [or spamhaus] to list XO
>> because XO provides upstream allocation or services to Whoa who
>> spews does list.

That is incorrect/wrong. Spamhaus /is/ listing the XO 206.173.204.234 rDNS 206.173.204.234.ptr.us.xo.net for routing the Whoa in SBL26626

> I've been submitting manual complaints about these since sending
> through SpamCop wasn't helping and so that I could finally get a
> trouble ticket number.
>
> Both the spammer's 69.67.72.0/20 and the XO IP the next hop above them
> (206.173.204.234/32) are listed in the Spamhaus SBL, so I'm not sure
> why you say that XO isn't listed in Spamhaus since 206.173.204.234/32
> comes up as XO in traceroute.

You are correct. XO is spamhaus listed for routing the Whoa and for being the AS2828 for Whoa's spamhaus [and spewed] space.

> 69.67.72.0/20 Spamhaus RBL listing:
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL12587
>
> 206.173.204.234/32 Spamhaus RBL listing:
> http://www.spamhaus.org/sbl/sbl.lasso?query=SBL26626

Correct for both.
>> I also
>> disagree with spamming an XO bitchlist about not corresponding with
>> spamcop reporters about Whoa space spam.
>
>
> First of all, I'm not sending bitch lists because they aren't replying
> to SpamCop complaints. I'm sending bitch lists because they're
> completely ignoring the problem with both SpamCop complaints and
> manual complaints and have previously attempted to deny their
> involvement as the immediate upstream provider. Notifying a bitch
> list of addresses is an absolute last resort measure that has worked
> well for me in the past when complaints went otherwise unnoticed.
>
> I finally got a trouble ticket number after copying several of them to
> the support address. I also called the support number and finally got
> my complaint escalated to the department over the abuse department
> through that after pointing out that traceroute shows that XO is the
> upstream of the spammer.

Good. I think the 'bitch' against XO would be their non-responsiveness to their own spamhaus condition [that single IP], which derives [at spamhaus, not just at spamcop's routing or a spamcop reporter's traceroute or bgp] from the Whoa relationship/routing. The case against XO [vis this Whoa situation] is made stronger by spamhaus's listing of the single /32. That is, spamhaus's decision to list. That is an interesting example of the difference between how the conservative but thorough spamhaus and staff goes about something compared to the 'independent' spews.

--
Mike Easter
kibitzer, not SC admin

From eddie at eddie.web Wed May 18 23:07:09 2005
From: eddie at eddie.web (eddie)
Date: Wed May 18 22:10:03 2005
Subject: [SpamCop-List] Re: Spamcop is becoming unusuable
References:
Message-ID:

On Wed, 18 May 2005 18:06:41 -0500, Larry Kilgallen scratched out the following:

>
> Knowing the SCBL gets fed is what keeps me as a user.

That puts us on the same page - but I still get annoyed when spammers find new ways around the parsing engines.
--
Once movie theaters gave out steak knives
Today they confiscate them

From usenet2 at DE.LETE.THISljvideo.com Thu May 19 05:01:54 2005
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Thu May 19 00:05:02 2005
Subject: [SpamCop-List] Re: German spam
References:
Message-ID:

Waiving the right to remain silent, Jim said:

> I got about 6 spams today after about getting 20 the other day.

I had a barrage of them, about 10 per day for three days straight. Today, it miraculously stopped - hopefully for good.

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail
The United States is the greatest country in the world..!
Twenty-five million illegal aliens can't be wrong.

From nobody at spamcop.net Wed May 18 22:12:28 2005
From: nobody at spamcop.net (NerdRevenge)
Date: Thu May 19 00:15:04 2005
Subject: [SpamCop-List] Re: German spam
References:
Message-ID:

"Mike Easter" wrote in message news:d6ggt0$agg$1@news.spamcop.net...
> Jim wrote:
>> I got about 6 spams today after about getting 20 the other day.
>> This spam is coming in on comcast 68.36.241.189. I do get some on
>> other IP but I can not understand why this comcast IP does not get
>> listed. Could it have anything to do with it being a trusted site
>> on why it does not get listed?
>
> SpamCop has been accused of 'that' in nanae - where 'that' is/means
> handling issues for IronPort clients differently than normal IPs. But
> nanae-ites are always accursing [Sigmund slip] SC of /something/ - most
> of the time 'they' [accursing nana-ites] don't know what they're talking
> about.. I'm not sure/ don't know/ who has what kinds of relationships
> with whom.

Mike's Translation:

Comcast pays Spamcop/Iron port to not get listed for their spam.

>
> Bonded Sender is IronPort's email certification program, and this page's
> banner sez Bonded Sender Program powered by IronPort certified by
> TrustE.
> http://www.bondedsender.com/ So, if IronPort were going to
> have any kind of 'relationship' about an IP it seems like it would be
> for a Bonded Sender one, not a TrustE one.
>
> .. whereas the TrustE or rather TRUSTe seal is some kind of
> certification provided to a *website* according to whether or not the
> website plays by some truste privacy rules. Nothing about spamming. I
> don't know why 68.36.241.189 rDNS
> pcp09993671pcs.narlington.nj.comcast.net would have some kind of truste
> sticker -- since it doesn't have anything to do with websites and
> doesn't even have a port 80.
>
>> Volume Statistics for this IP
>> Magnitude Vol Change vs. Average
>> Last day 3.0 2681%
>> Last 30 days 2.6 1144%
>> Average 1.5
>
> Yes; a jump from 1.5 to 3.0 is huge, 20x. Seems like it would be
> showing up somewhere. It isn't listed any more places than it was the
> other day when you asked.
>
>> Third-party Certification
>> Bonded Sender? Not Bonded
>> TRUSTe Privacy Seal?
>
> You can research those from IronPort's site, where you copied from - a
> different page.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From nobody at devnull.spamcop.net Thu May 19 15:04:39 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Thu May 19 01:05:03 2005
Subject: [SpamCop-List] Re: Rolex spam - URL never parsed
In-Reply-To:
References:
Message-ID:

WazoO wrote:
> "Patto" wrote in message
> news:d6ed22$nqs$1@news.spamcop.net...
>
>>http://www.spamcop.net/sc?id=z764799374zb35a00fa38f8be64e8052b3468410426z
>>
>>For weeks and weeks I am getting these fake Rolex spams, and SpamCop is
>>consistently unable to parse these URLs, even when pasting the extracted
>>URL into the parser's window. If I get the IP address via Sam Spade,
>>that can be parsed by SC. Why not the URL?
>
>
> SpamCop Parsing and Reporting Service
> New!
> SpamCop reporting of spamvertized sites - some philosophy
> http://forum.spamcop.net/forums/index.php?showtopic=4085

Thanks for the link; it does contain some info answering my question.
(Although I was tempted to stop reading at the sentence "the 'net' was originally built by and for the U.S. Government".)

From mrcics2000-spamcop-nomail at nomail.yahoo.com Thu May 19 01:07:01 2005
From: mrcics2000-spamcop-nomail at nomail.yahoo.com (Mike B)
Date: Thu May 19 01:10:02 2005
Subject: [SpamCop-List] Spam or did I mess up mailhosts?
Message-ID:

I'm in the process of switching from one ISP to another. As part of this process, I've set up my old email account (attglobal.net or prserv.net) to forward to my new email account (ev1.net). I updated my mailhosts.

Then I got this piece of spam and it is trying to report to ev1.net??

http://www.spamcop.net/sc?id=z765210038z61105290d4e8f52aed1a59963a0b08a9z

Advice or insight is appreciated.

Thanks

--
Mike B

From SCNews.5.myspamgobbler at spamgourmet.com Wed May 18 23:17:15 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Thu May 19 01:20:02 2005
Subject: [SpamCop-List] Re: German spam
In-Reply-To:
References:
Message-ID:

NerdRevenge wrote:
> "Mike Easter" wrote in message
> news:d6ggt0$agg$1@news.spamcop.net...
>
>>Jim wrote:
>>
>>>I got about 6 spams today after about getting 20 the other day.
>>>This spam is coming in on comcast 68.36.241.189. I do get some on
>>>other IP but I can not understand why this comcast IP does not get
>>>listed. Could it have anything to do with it being a trusted site
>>>on why it does not get listed?
>>
>>SpamCop has been accused of 'that' in nanae - where 'that' is/means
>>handling issues for IronPort clients differently than normal IPs. But
>>nanae-ites are always accursing [Sigmund slip] SC of /something/ - most
>>of the time 'they' [accursing nana-ites] don't know what they're talking
>>about.. I'm not sure/ don't know/ who has what kinds of relationships
>>with whom.
>
>
>
> Mike's Translation:
>
> Comcast pays Spamcop/Iron port to not get listed for their spam.
>

Actually, the way I read it, is that for each spam that is reported over a threshold amount, Ironport deducts $20 from the bond that was provided. I haven't thoroughly looked over their business model. It is possible that the bond is not large enough so that a spammer could pay the bond, do a spam run that brings in more revenue than what the bond costs because they pass through filters from being a bonded sender. Then, when this domain no longer works, move to a different domain and do another Bonded Sender spam run. Thereby, allowing Ironport to be a spam supporter. Where the money goes, I do not know. I did recently read that Ironport partnered up with another company that was going to administer the bonded sender part of their system. These questions need to be addressed. But the way I perceive it, SpamCop reports are not treated any differently for Bonded Senders as any of the other spam reports, other than they are a revenue source for some entity.

From SCNews.5.myspamgobbler at spamgourmet.com Wed May 18 23:43:50 2005
From: SCNews.5.myspamgobbler at spamgourmet.com (Brian (SnSR))
Date: Thu May 19 01:45:03 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
In-Reply-To:
References:
Message-ID:

Mike B wrote:
> I'm in the process of switching from one ISP to another. As part of this
> process, I've set up my old email account (attglobal.net or prserv.net) to
> forward to my new email account (ev1.net). I updated my mailhosts.
>
> Then I got this piece of spam and it is trying to report to ev1.net??
>
> http://www.spamcop.net/sc?id=z765210038z61105290d4e8f52aed1a59963a0b08a9z
>
> Advice or insight is appreciated.
>
> Thanks

Received: from 32.97.166.40
(ev1s-66-98-128-30.ev1servers.net[66.98.128.30] is possibly where the problem stems.

It's stating that it received from a prserv.net address but in actuality, is coming from ev1servers.net.
Mike or someone else can fill you in better, but it looks to me like the forwarding causes the headers to be messed up such that it appears to be forged.

From 79ytka802 at sneakemail.com Thu May 19 09:10:36 2005
From: 79ytka802 at sneakemail.com (Aviatrix)
Date: Thu May 19 03:15:03 2005
Subject: [SpamCop-List] Re: Dictionary attack on @spamcop.net addresses?
In-Reply-To:
References:
Message-ID:

eddie wrote:
>
> It's no doubt the new sober virus with Nazi spew. Spam is getting
> political these days.
> http://www.cooltechzone.com/index.php?option=content&task=view&id=1291
>

Thanks - but it wasn't the content I was concerned with, it was the fact that they seem to be targeting addresses @spamcop.net

From ng.fjxrp at jondh.me.uk Thu May 19 09:42:41 2005
From: ng.fjxrp at jondh.me.uk (Jon (spamtrap))
Date: Thu May 19 03:45:03 2005
Subject: [SpamCop-List] Re: Latest Google tool
References:
Message-ID:

> Hmm, I thought the advertisements *were* the overwhelming and
> distracting content.
>
> > Once the content is removed from a Web site, you will see all of the
> > original ads, unencumbered by annoying content.
>
> Interesting. I wonder if someone will reverse engineer their program so
> it can be reversed in its behavior. Instead of only showing the ads, it
> would instead remove the ads. Nah, there already exists ad-block
> software.

Heh heh!! Perhaps we should send the idea to Google - maybe /they/ will take it seriously too ;o)

--
Please don't mail ng.fjxrp@jondh.me.uk as it is a spamtrap.

From newandrew at rump.dk Thu May 19 08:55:58 2005
From: newandrew at rump.dk (Andrew Engels Rump (formerly Leif Andrew Rump))
Date: Thu May 19 04:00:03 2005
Subject: [SpamCop-List] Re: Spamcop is becoming unusuable
References:
Message-ID:

After drinking 3 Pan Galactic Gargle Blasters, Kilgallen@SpamCop.net (Larry Kilgallen) mumbled in news:jJmD1$$kNDdM@eisner.encompasserve.org:

> In article , "Pete"
> writes:
>> Pretty soon it'll be easier to do this stuff manually.
>> It's
>> becoming a rare thing to see a URL that spamcop will parse.
> I believe the main value of SpamCop is compiling the SCBL.

Sure is, but it is much easier/faster (for my automated program) to recognize a spam by the spamvertized URL, than trying to figure out by looking at the content.

Andrew

--
*** The opinions expressed are not necessarily those of my employer. ***
* Software Engineer Andrew Engels Rump * BLIK og ROERarbejderforbundet *
* Immerkaer 42, 2650 Hvidovre * Tlf: +45 3638 3638, Fax: +45 3638 3639 *
Home: N55°41'38.9" E12°29'08.6" (WGS 84) Work: N55°39'50.9" E12°27'47.4"
E-mail: mailto:newandrew@rump.dk WWW http://www.rump.dk/homepage/andrew/

From 0rio85a02 at sneakemail.com Thu May 19 00:58:32 2005
From: 0rio85a02 at sneakemail.com (Fred k)
Date: Thu May 19 04:00:13 2005
Subject: [SpamCop-List] DomainKey
Message-ID:

Does anybody have insight as to the feasibility of Yahoo's DomainKey enhancement? What is the impact on server resource? Will latency become a noticeable issue?

http://antispam.yahoo.com/domainkeys#a3

Thanks

Fred k

From MikeE at ster.invalid Thu May 19 02:19:43 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 04:20:03 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
References:
Message-ID:

Mike B wrote:
> I'm in the process of switching from one ISP to another. As part of
> this process, I've set up my old email account (attglobal.net or
> prserv.net) to forward to my new email account (ev1.net). I updated
> my mailhosts.
>
> Then I got this piece of spam and it is trying to report to ev1.net??
> www.spamcop.net/sc?id=z765210038z61105290d4e8f52aed1a59963a0b08a9z
>
> Advice or insight is appreciated.
Abbreviated Received lines *comment
from in9.prserv.net [32.97.166.49] by mail.ev1.net *serves you
from 32.97.166.40 (ev1s-66-98-128-30.ev1servers.net[66.98.128.30]) by prserv.net *sourceline, forwarder
from [187.119.99.111] by 32.97.166.40 *bogusline, timestamp +23h

The source was 66.98.128.30 rDNS ev1s-66-98-128-30.ev1servers.net which is a proxified spamsource listed in several db/s including spamcop and cbl. SC offers to report it to ev1. That's fine. You aren't reporting your own server, you are reporting an ev1 user spamsource to your own provider.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu May 19 02:25:31 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 04:30:03 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
References:
Message-ID:

Brian (SnSR) wrote:
> Received: from 32.97.166.40
> (ev1s-66-98-128-30.ev1servers.net[66.98.128.30] is possibly where the
> problem stems.

That's the sourceline. An ev1 client, incidentally, which our OP also is.

> It's stating that it received from a prserv.net address but in
> actuality, is coming from ev1servers.net.

The format of the line above is:
Received from helo (rDNS [sou.rce.ip])

The helo is bogus 32.97.166.40 and that is used in the bogus line below it. The source ip is 66.98.128.30 which is/ happens to be/ an ev1 user IP, like our OP and like the mailbox of the topline of the Receiveds.

But, the parse as I saw it is correct.

Report Spam to:
Re: 66.98.128.30 (Administrator of network where email originates)
To: abuse@ev1.net (Notes)

> Mike or someone else can fill you in better, but it looks to me like
> the forwarding causes the headers to be messed up such that it
> appears to be forged.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu May 19 02:32:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 04:35:03 2005
Subject: [SpamCop-List] Re: Spamcop is becoming unusuable
References:
Message-ID:

Andrew Engels Rump (formerly Leif Andrew Rump) wrote:
> Sure is, but it is much easier/faster (for my automated program) to
> recognize a spam by the spamvertized URL, than trying to figure out
> by looking at the content.

I think the contribution of spamcop reporters to the sc-surbl is worthwhile. This contribution comes about by the publishing by spamcop of reported spamvertised url/s to the statistics page where sc-surbl scrapes it.

I think the parser should be reconfigured so that SC reporters can optionally 'statistic' each identified link in SC's parse of the body; without the parser having to resolve the IP or derive the notify addresses. By giving every identified link some kind of devnull statistic notify address, the reporter could select that for every spamvertiser, but not for any innocent bystanders which are found. Thus all spamvertisers would be sent to the statistics page instead of just the ones which SC feels like or is able to or has time to resolve.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu May 19 02:44:20 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 04:45:28 2005
Subject: [SpamCop-List] Re: DomainKey
References:
Message-ID:

Fred k wrote:
> Does anybody have insight as to the feasibility of Yahoo's DomainKey
> enhancement? What is the impact on server resource? Will latency
> become a noticeable issue?
>
> http://antispam.yahoo.com/domainkeys#a3

I think that kind of resolution can happen very fast. In the long run, domainkeys will be a big aid against spoofing. In the shortrun, servers won't be stopping non-domainkeyed items because there are too many of them; and spammers can domainkey themselves and already are.
The business of a server having to deal with non-compliance of the sending IP for something as basic as rDNS for example has been a problem for years, and many admins haven't even been able to reject on that simple basis, much less noncompliance or conformity with DomainKey.

What will probably happen in the medium run vis spam management and domainkeys will be that the domainkey information will be used to contribute to the score of an item.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu May 19 02:46:01 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 04:50:16 2005
Subject: [SpamCop-List] Re: Dictionary attack on @spamcop.net addresses?
References:
Message-ID:

Aviatrix wrote:
> Thanks - but it wasn't the content I was concerned with, it was the
> fact that they seem to be targeting addresses @spamcop.net

The sobers I've been reading about don't dictionary. They are typical about scraping from various sources.

--
Mike Easter
kibitzer, not SC admin

From spam at spam.no.not.spam Thu May 19 12:39:39 2005
From: spam at spam.no.not.spam (sparkle)
Date: Thu May 19 05:40:02 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
References:
Message-ID:

Mike Easter MikeE@ster.invalid, wrote in message 6hihs$3fc$1@news.spamcop.net:
> The helo is bogus

How can you tell? :)

xxx

From MikeE at ster.invalid Thu May 19 04:19:28 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 06:20:02 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
References:
Message-ID:

sparkle wrote:
> Mike Easter
>> The helo is bogus
>
> How can you tell?

Depending on how you mean, I recognized the 'format' or structure of the line to be

Received: from helo (rDNS [sou.rce.ip] by receiving.domainname

The helo should 'reflect' the identity of the sender, rather than be made up and false. The helo is like saying 'Hello, I'm Mike.'
I shouldn't be saying 'Hello, I'm sparkle' if I'm not -- and I certainly shouldn't be saying 'Hello, I'm 45678' or 'Hello, I'm 32.97.166.40' which is what happened here.

Ideally, the helo should contain the domainname, and if the server has sufficient resources, it can check or verify the domainname of the helo with its IP.

What usually happens is that the helo is 'accepted' and recorded as the helo, the IP is recorded, and the rDNS lookup of the IP is also recorded in the stamp. That is what happened here.

Received: from 32.97.166.40 (ev1s-66-98-128-30.ev1servers.net[66.98.128.30]) by prserv.net

The ev1servers.net IP shouldn't be calling itself by any 'IP looking' helo, but by a 'normal looking' domainname containing name.

In this case, we might wonder why the prserv.net server should be accepting mail sent directly from a user IP instead of a proper server, and we might wonder whether ev1 should be letting its spam propagating proxified users be free to use their port 25 to email direct to MX.

--
Mike Easter
kibitzer, not SC admin

From bar_n0ne at hotmail.com Thu May 19 15:29:38 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Thu May 19 06:30:02 2005
Subject: [SpamCop-List] Re: Spamcop is becoming unusuable
References:
Message-ID:

"Larry Kilgallen" wrote in message news:L+xMj$Wbs4K1@eisner.encompasserve.org...
>
> Knowing the SCBL gets fed is what keeps me as a user.

I also like to think the DURBL used by spam assassin and other Milters is being fed, the utility of the SCBL is becoming limited by the diffuseness of the sources nowadays.

From nobody at spamcop.net Thu May 19 09:26:37 2005
From: nobody at spamcop.net (R)
Date: Thu May 19 08:25:02 2005
Subject: [SpamCop-List] Re: Useless Spam?
References:
Message-ID:

So, here's one I kept on the server so Outlook couldn't do whatever it does to it:

http://www.spamcop.net/sc?id=z765302221z04f93220957eed83ebd3b1ee7152bcdaz

I discovered the URL "works" from Comcast web email, even though it doesn't work from Outlook.
Not only that, but when I submit the original form of the thing, Spamcop seems to have no trouble deobfuscating it. At least this particular website.

That answers my questions. Thanks for pointing out that I can't really depend on ANYTHING in outlook. Not even the URLS (how strange!)

R

From t15vp8102 at sneakemail.com Thu May 19 14:30:12 2005
From: t15vp8102 at sneakemail.com (tc)
Date: Thu May 19 09:35:03 2005
Subject: [SpamCop-List] Suggestion?: resolving sandiest.net and others
Message-ID:

It seems like for ages now that there is a class of spamvertized uri's that spamcop notes but never reports; http://sandiest.net would be one example. Unfortunately, details as to why specific uri's are dropped are seldom given.

However, using a few of the simpler probing tools on http://sandiest.net, one finds that the http server is returning a 403 (Forbidden) response. Presuming spamcop is using the same methodology as these tools AND presuming no other problems, I presume this 403 response would lead spamcop to believe the site has been shut down.

With a little bit of experimentation though, it would appear that if the probe is an http GET request with a User-Agent header of a real browser, a 200 response with all the spammy html is returned. For my experiment, I used an agent of:

Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; OD ISP Generic; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

So, the suggestions are:
1) if you're not supplying an agent for a probe, please consider doing so
2) please try to work on supplying better details when a uri is rejected

Thanks

From nobody at spamcop.net Thu May 19 09:28:24 2005
From: nobody at spamcop.net (Ellen)
Date: Thu May 19 10:30:03 2005
Subject: [SpamCop-List] Re: German spam
References:
Message-ID:

"Brian (SnSR)" wrote in message news:d6h7hn$rg9$1@news.spamcop.net...
>
> Where the money goes, I do not know.
> I did recently read that Ironport
> partnered up with another company that was going to administer the
> bonded sender part of their system.
>

Please see the BondedSender website: http://bondedsender.com for information on the current status of the program with respect to IronPort.

It says, in part, " IronPort and Return Path announced that the companies have signed a partnership agreement where Return Path will take over all operational, marketing and development activities for the Bonded Sender Program. As part of the transaction, IronPort will continue to provide infrastructure for the program ... "

Additional information can be found here where there are links to articles: http://www.returnpath.biz/?flash=no

Ellen
SpamCop

From nobody at spamcop.net Thu May 19 09:33:51 2005
From: nobody at spamcop.net (Ellen)
Date: Thu May 19 10:30:14 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
References:
Message-ID:

"Mike B" wrote in message news:d6h6tq$r2e$1@news.spamcop.net...
> I'm in the process of switching from one ISP to another. As part of this
> process, I've set up my old email account (attglobal.net or prserv.net) to
> forward to my new email account (ev1.net). I updated my mailhosts.
>
> Then I got this piece of spam and it is trying to report to ev1.net??
>
> http://www.spamcop.net/sc?id=z765210038z61105290d4e8f52aed1a59963a0b08a9z
>
> Advice or insight is appreciated.
>

The only headers in your submission are ones that indicate that the spam was injected at ev1. The database indicates about 20 reports in the last week for the IP 66.98.128.30 all advertising some sort of golf and spa trip. Those look to be consistent with what you are reporting. Your mailhosts appear to be fine.
Ellen

From MikeE at ster.invalid Thu May 19 08:59:07 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 11:00:04 2005
Subject: [SpamCop-List] Re: Suggestion?: resolving sandiest.net and others
References:
Message-ID:

tc wrote:
> Unfortunately, details as to why specific uri's are dropped
> are seldom given.

Correct.

> However, using a few of the simpler probing tools on
> http://sandiest.net, one finds that the http server is returning a
> 403 (Forbidden) response.

Using a GET tool instead of a webbrowser can be a useful strategy in the investigation of a spamlink, but...

> Presuming spamcop is using the same
> methodology as these tools

That presumption is incorrect. Your browser or your webtool does resolve the hostname and then contacts the webserver there and gives the path to download the data there -- which the browser would render for you but the webtool does not.

That is *not* what SC does when it finds a link. SC deobfuscates the link and then it attempts to resolve it, or else it chooses to not attempt to resolve it -- for unknown reasons which can only be guessed at. If it succeeds in resolving it to an IP, then it uses its logic to determine the notify for that IP. If there's no resolution to an IP there can't be a notify.

> AND presuming no other problems, I presume
> this 403 response would lead spamcop to believe the site has been
> shut down.

SC does not perform the operation of trying to contact the webserver for the url.

There is a webserver at the IP 222.47.183.89 no rDNS which http://sandiest.net resolves to. That webserver currently serves 19 different domainnames which do not include sandiest [at this time]. When you access the webserver with the name and the path, the webserver gives you the 403 and shows you its webpage information for that.
The proper result for SC on http://sandiest.net should be the resolution to 222.47.183.89 which it would want to notify at

Reporting addresses:
postmaster@chinatietong.com
crnet_mgr@chinatietong.com
crnet_tec@chinatietong.com

The failure to resolve the IP to the chinatietong notifies is no great loss. That IP along with its /24 is spews1 listed. I wouldn't notify chinatietong of anything.

But if SC resolves the url to the IP, it would offer to notify whether there's a 403 at the webserver or not.

--
Mike Easter
kibitzer, not SC admin

From mrcics2000-spamcop-nomail at nomail.yahoo.com Thu May 19 11:50:00 2005
From: mrcics2000-spamcop-nomail at nomail.yahoo.com (Mike B)
Date: Thu May 19 11:55:03 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
References:
Message-ID:

Thank you to all who took the time to respond. How weird is it that the first spam I wish to report since switching to a new ISP originates from that same ISP? LOL

--
Mike B

From eddie at eddie.web Thu May 19 12:52:01 2005
From: eddie at eddie.web (eddie)
Date: Thu May 19 11:55:14 2005
Subject: [SpamCop-List] Unregistered subdomains?
Message-ID:

I just got a spew with the following URL
http://[random].orangeiagce.com

I have seen many of these URLs in which the subdomain is a long random string, but I always thought that each might be registered. Apparently this is not the case - they must allow any and all subdomains to be used without additional registration.

Anyway, because of one idiot, an oxymoron for a spammer, it's clear that only the main domain is registered and even SC recognizes this.

--
Once movie theaters gave out steak knives
Today they confiscate them

From porpoise1954 at yahoo.co.uk Thu May 19 18:14:08 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu May 19 12:20:02 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
References:
Message-ID:

"Mike B" wrote in message news:d6icjd$jhd$1@news.spamcop.net...
> Thank you to all who took the time to respond. How weird is it that the
> first spam I wish to report since switching to a new ISP originates from
> that same ISP? LOL

Well, unless you're American, that would be........... irony!

From nobody at spamcop.net Thu May 19 10:31:58 2005
From: nobody at spamcop.net (NerdRevenge)
Date: Thu May 19 12:35:03 2005
Subject: [SpamCop-List] Re: German spam
References:
Message-ID:

"Brian (SnSR)" wrote in message news:d6h7hn$rg9$1@news.spamcop.net...
> NerdRevenge wrote:
>> "Mike Easter" wrote in message
>> news:d6ggt0$agg$1@news.spamcop.net...
>>
>>>Jim wrote:
>>>
>>>>I got about 6 spams today after about getting 20 the other day.
>>>>This spam is coming in on comcast 68.36.241.189. I do get some on
>>>>other IP but I can not understand why this comcast IP does not get
>>>>listed. Could it have any thing to do with it being a trusted site
>>>>on why it does not get listed?
>>>
>>>SpamCop has been accused of 'that' in nanae - where 'that' is/means
>>>handling issues for IronPort clients differently than normal IPs. But
>>>nanae-ites are always accursing [Sigmund slip] SC of /something/ - most
>>>of the time 'they' [accursing nana-ites] don't know what they're talking
>>>about.. I'm not sure/ don't know/ who has what kinds of relationships
>>>with whom.
>>
>>
>>
>> Mike's Translation:
>>
>> Comcast pays Spamcop/Iron port to not get listed for their spam.
>>
>
> Actually, the way I read it, is that for each spam that is reported over a
> threshold amount, Ironport deducts $20 from the bond that was provided.
>
> I haven't thoroughly looked over their business model. It is possible that
> the bond is not large enough so that a spammer could pay the bond, do a
> spam run that brings in more revenue than what the bond costs because they
> pass through filters from being a bonded sender. Then, when this domain no
> longer works, move to a different domain and do another Bonded Sender spam
> run.
> Thereby, allowing Ironport to be a spam supporter.
>
> Where the money goes, I do not know. I did recently read that Ironport
> partnered up with another company that was going to administer the bonded
> sender part of their system.
>
> These questions need to be addressed. But the way I perceive it, SpamCop
> reports are not treated any differently for Bonded Senders as any of the
> other spam reports, other than they are a revenue source for some entity.

I would tend to disagree with you on that last part. Before I had revived a daily spam from a 'bonded' sender for months. I reported, but the spam still kept coming. Before long I had been able to get others to report this same spam they had received also to spamcop. The IP address from spammy had not changed once. Then I got on here and started looking to see if that IP was listed or had a history of spam abuse.

NOTHING

Therefore I conclude if you pay Spamcop/Ironport it is okay to spam and not get listed

From drewlt at hotmail.com Thu May 19 12:05:08 2005
From: drewlt at hotmail.com (Andrew)
Date: Thu May 19 13:05:03 2005
Subject: [SpamCop-List] Rejected because SpamCop marked this message as SPAM
Message-ID:

Hello - I apologize, because I'm sure this has been answered before, but search returned nothing and looking over the posts available, I'm still not clear on what's going on there.

My users started getting these messages today:
--------------------------
SMTP error occurred while sending message to following recipient(s)
remoteuser@remotedomain.com
553 5.3.0 Rejected because SpamCop marked this message as SPAM - View additional information at http://spamcop.net/bl.shtml?165.236.236.194
--------------------------

What does this message mean?
I'm taking it as remotedomain.com has SpamCop checking on their mailserver (as do we), and either it is scanning the message (which I didn't think was available for SpamCop) or we somehow got on SpamCop's blacklist and are now unable to send emails to anyone that checks the SpamCop database.

But, as noted in another post, I cannot find any detail on how my IP got on the blacklist. I have signed up for the reports of my IP's (hourly) as suggested in yet another post, but have not received one yet.

I just want to know the date/time or message header that triggered the blacklisting.

Emails sent off to SpamCop for information, but this seems like such a simple and common request that I must be missing something.

help?

Thanks
-Andrew

From drewlt at hotmail.com Thu May 19 12:10:51 2005
From: drewlt at hotmail.com (Andrew)
Date: Thu May 19 13:10:02 2005
Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM
References:
Message-ID:

OK, received a report from SpamCop:
------------------------------------
[ SpamCop V1.446 Summary Report ]
-- See footer for key to columns and notes about this report --

IP_Address       Start/Length  Trap User Mole Simp Comments     RDNS
165.236.236.194  May 19 05h/0    14    0    0    0 blocklisted  concord1.concordenergy.com.
------------------------------------

The 14 under 'Trap' - Trap: Messages received at traps. is a little more useful, but still doesn't help me track down when/who triggered the blacklist (blocklist). :)

-Andrew

"Andrew" wrote in message news:d6igsk$mug$1@news.spamcop.net...
> Hello - I apologize, because I'm sure this has been answered before, but
> search returned nothing and looking over the posts available, I'm still
> not clear on what's going on there.
>
> My users started getting these messages today:
> --------------------------
> SMTP error occurred while sending message to following recipient(s)
> remoteuser@remotedomain.com
> 553 5.3.0 Rejected because SpamCop marked this message as SPAM - View
> additional information at http://spamcop.net/bl.shtml?165.236.236.194
> --------------------------
>
> What does this message mean?
> I'm taking it as remotedomain.com has SpamCop checking on their mailserver
> (as do we), and either it is scanning the message (which I didn't think
> was available for SpamCop) or we somehow got on SpamCop's blacklist and
> are now unable to send emails to anyone that checks the SpamCop database.
>
> But, as noted in another post, I cannot find any detail on how my IP got
> on the blacklist. I have signed up for the reports of my IP's (hourly) as
> suggested in yet another post, but have not received one yet.
>
> I just want to know the date/time or message header that triggered the
> blacklisting.
>
> Emails sent off to SpamCop for information, but this seems like such a
> simple and common request that I must be missing something.
>
> help?
>
> Thanks
> -Andrew
>
>

From nttp.sc.s at bigsleep.org Thu May 19 18:34:44 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Thu May 19 13:35:02 2005
Subject: [SpamCop-List] Re: Unregistered subdomains?
References:
Message-ID:

On 19 May 2005 eddie entered spamcop and left news:pan.2005.05.19.15.52.00.852000@eddie.web:
> Anyway, because of one idiot, an oxymoron for a spammer, it's clear that
> only the main domain is registered and even SC recognizes this.
>

You don't register a subdomain.
--
| Ric |

From MikeE at ster.invalid Thu May 19 11:42:15 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 13:45:02 2005
Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM
References:
Message-ID:

Andrew wrote:
> Hello - I apologize, because I'm sure this has been answered before,
> but search returned nothing and looking over the posts available, I'm
> still not clear on what's going on there.

If you follow the link which the DSN provided you get a huge amount of information.

> My users started getting these messages today:
> --------------------------
> SMTP error occurred while sending message to following recipient(s)
> remoteuser@remotedomain.com
> 553 5.3.0 Rejected because SpamCop marked this message as SPAM - View
> additional information at http://spamcop.net/bl.shtml?165.236.236.194
> --------------------------
>
> What does this message mean?

Surely you can see the link in what you posted which leads to a page which starts "SpamCop Blocking List - Was your email blocked?" -- that is, when an IP is SCbl/ed that link leads to a page which explains it and provides a link to another page which provides more explanation which is - Information about the reasons for listing (blocking) your mail server (165.236.236.194) - http://www.spamcop.net/w3m?action=blcheck&ip=165.236.236.194 - which has information like "System has sent mail to SpamCop spam traps in the past week [..] If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 15 hours."

The first link tells about how servers hit spamtraps such as misdirected autoreplies and that provides another link about autoresponders at http://www.spamcop.net/fom-serve/cache/329.html Why are auto responders bad? -- which also has sublinks.

In addition, there's a useful faq http://www.spamcop.net/fom-serve/cache/357.html If my IP is listed, does it mean I am a spammer or my ISP hosts spammers?
> I'm taking it as remotedomain.com has SpamCop checking on their
> mailserver (as do we), and either it is scanning the message (which I
> didn't think was available for SpamCop) or we somehow got on
> SpamCop's blacklist and are now unable to send emails to anyone that
> checks the SpamCop database.

Your server 165.236.236.194 rDNS concord1.concordenergy.com is SCbl listed. Those who use the SCbl will be blocking or tagging your server's mails.

> But, as noted in another post, I cannot find any detail on how my IP
> got on the blacklist. I have signed up for the reports of my IP's
> (hourly) as suggested in yet another post, but have not received one
> yet.

When your server hits spamtraps it doesn't get reports. A spamtrap is an address which has never been exposed as a 'real' address, and mail going to spamtraps means that your server is addressing mail to a never exposed address. One cause of that is if your server accepts a mail for delivery which has a bogus From [such as spam and viral propagations use] and that bogus From belongs to a spamtrap. Then, after your server accepts the mail, it belatedly attempts a so-called 'bounce' which is actually a newmail addressed to the bogus From.

Then, that newmail hits the spamcop spamtrap in sufficient numbers, and that causes your server to become listed for abusive behavior.

Hopefully the result will be that you reconfigure your server to not abusively newmail bogus Froms.

> I just want to know the date/time or message header that triggered the
> blacklisting.

Generally you don't get much information about items to spamtraps, but you can communicate here http://www.spamcop.net/fom-serve/cache/91.html How can I contact a real person about this? - or an email address

> Emails sent off to SpamCop for information, but this seems like such a
> simple and common request that I must be missing something.
>
> help?

You are provided with a wealth of information by following the links which the DSN starts you off with.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu May 19 11:52:18 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 13:55:03 2005
Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM
References:
Message-ID:

Andrew wrote:
> additional information at http://spamcop.net/bl.shtml?165.236.236.194

You can also follow sublinks around to more information about how whacky your server is at senderbase

Report on IP address: 165.236.236.194
Volume Statistics for this IP

           Magnitude  Vol Change vs. Average
Last day   3.5        1448%
Last 30d   2.7        140%
Average    2.3

In the past day, your server is cranking out 14x as much traffic as usual. Maybe you should be looking at your logs.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Thu May 19 12:26:43 2005
From: nobody at spamcop.net (N. Miller)
Date: Thu May 19 14:30:03 2005
Subject: [SpamCop-List] Re: Unregistered subdomains?
References:
Message-ID:

On Thu, 19 May 2005 11:52:01 -0400, eddie wrote:
> I just got a spew with the following URL
> http://[random].orangeiagce.com
>
> I have seen many of these URLs in which the subdomain is a long random
> string, but I always thought that each might be registered. Apparently
> this is not the case - they must allow any and all subdomains to be used
> without additional registration.
> Anyway, because of one idiot, an oxymoron for a spammer, it's clear that
> only the main domain is registered and even SC recognizes this.

Any domain owner can create an infinite number of subdomains without further registration. The person who controls 'example.com' can create '*.example.com' by a DNS record entry. Many domains do just that; create a wildcard subdomain.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Thu May 19 12:31:03 2005
From: nobody at spamcop.net (N. Miller)
Date: Thu May 19 14:35:03 2005
Subject: [SpamCop-List] Re: Spam or did I mess up mailhosts?
References:
Message-ID: <1kh6f6lj4f8kr$.dlg@news.spamcop.net>

On Thu, 19 May 2005 10:50:00 -0500, Mike B wrote:
> Thank you to all who took the time to respond. How weird is it that the
> first spam I wish to report since switching to a new ISP originates from
> that same ISP? LOL

I can't remember my first spam when I switched from Astragate to PacBell. But I did, frequently, send SpamCop notifies to PacBell, and subsequently to SBC (which bought PacBell). I have never reported my ISP's servers, only their abusive customers.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Thu May 19 12:33:35 2005
From: nobody at spamcop.net (N. Miller)
Date: Thu May 19 14:35:13 2005
Subject: [SpamCop-List] Re: German spam
References:
Message-ID: <11ar4213a96c8$.dlg@news.spamcop.net>

On Thu, 19 May 2005 09:31:58 -0700, NerdRevenge wrote:
> Therefore I conclude if you pay Spamcop/Ironport it is okay to spam and not
> get listed

Logical fallacy: "post hoc ergo propter hoc"; "after that, therefore because of that".

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Thu May 19 17:18:54 2005
From: nobody at spamcop.net (Ellen)
Date: Thu May 19 16:25:04 2005
Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM
References:
Message-ID:

"Andrew" wrote in message news:d6igsk$mug$1@news.spamcop.net...
> Hello - I apologize, because I'm sure this has been answered before, but
> search returned nothing and looking over the posts available, I'm still not
> clear on what's going on there.
>
> My users started getting these messages today:
> --------------------------
> SMTP error occurred while sending message to following recipient(s)
> remoteuser@remotedomain.com
> 553 5.3.0 Rejected because SpamCop marked this message as SPAM - View
> additional information at http://spamcop.net/bl.shtml?165.236.236.194
> --------------------------
>

The IP is listed because it is sending spam to the spamtraps -- looks like a worm/virus/trojan infection. I have just started seeing this oddball forged Received header at the bottom of spams in the last day (or so). I have no idea which of the many virus/worms/trojans/pieces of ratware is adding it:

Received: from thorough.paplinox.us (name.paplinox.us [before.vatican.va]) by turn.vatical.va (8.12.4/8.12.7) with ESMTP id just.vatican.ca

Ellen
SpamCop

From nobody at nowhere.invalid Thu May 19 23:26:29 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu May 19 16:30:02 2005
Subject: [SpamCop-List] Re: German spam
References: <11ar4213a96c8$.dlg@news.spamcop.net>
Message-ID:

On Thu, 19 May 2005 11:33:35 -0700, N. Miller coughed into spamcop and left this in <11ar4213a96c8$.dlg@news.spamcop.net>:
> Logical fallacy: "post hoc ergo propter hoc"; "after that, therefore
> because of that".

The West Wing, Season 1, Episode 2 :)

--
Steve

Seen in the classified ads: COMPLETE SET OF ENCYCLOPEDIA BRITANNICA. 45 VOLUMES. EXCELLENT CONDITION. $1000 OR BEST OFFER. NO LONGER NEEDED. MARRIED. WIFE KNOWS EVERYTHING.

From drewlt at hotmail.com Thu May 19 15:43:52 2005
From: drewlt at hotmail.com (Andrew)
Date: Thu May 19 16:45:04 2005
Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM
References:
Message-ID:

Thank you for the quick response Mike -

Let me see if I understand what could be causing this:
--First, I am blacklisted because my server sent 1 or more messages to a SpamCop 'spam trap' which is a bogus address that triggers the blacklisting.
--This can be caused by viruses, as well as the various types of auto-responders.
(Say the auto-responder I have if a virus is detected) <-- guessing this would be the culprit.

The first step I will do is to disable the virus auto-responder. Of course, it would be nice to be able to search the logs for the spam trap email address so I can see exactly what caused it. Do you think there is any chance of that?

Thanks again.
-Andrew

"Mike Easter" wrote in message news:d6ij5n$or2$1@news.spamcop.net...
> Andrew wrote:
>> Hello - I apologize, because I'm sure this has been answered before,
>> but search returned nothing and looking over the posts available, I'm
>> still not clear on what's going on there.
>
> If you follow the link which the DSN provided you get a huge amount of
> information.
>
>> My users started getting these messages today:
>> --------------------------
>> SMTP error occurred while sending message to following recipient(s)
>> remoteuser@remotedomain.com
>> 553 5.3.0 Rejected because SpamCop marked this message as SPAM - View
>> additional information at http://spamcop.net/bl.shtml?165.236.236.194
>> --------------------------
>>
>> What does this message mean?
>
> Surely you can see the link in what you posted which leads to a page
> which starts "SpamCop Blocking List - Was your email blocked?" -- that
> is, when an IP is SCbl/ed that link leads to a page which explains it
> and provides a link to another page which provides more explanation
> which is - Information about the reasons for listing (blocking) your
> mail server (165.236.236.194) -
> http://www.spamcop.net/w3m?action=blcheck&ip=165.236.236.194 - which has
> information like "System has sent mail to SpamCop spam traps in the past
> week [..] If there are no reports of ongoing objectionable email from
> this system it will be delisted automatically in approximately 15
> hours."
>
> The first link tells about how servers hit spamtraps such as misdirected
> autoreplies and that provides another link about autoresponders at
> http://www.spamcop.net/fom-serve/cache/329.html Why are auto responders
> bad? -- which also has sublinks.
>
> In addition, there's a useful faq
> http://www.spamcop.net/fom-serve/cache/357.html If my IP is listed,
> does it mean I am a spammer or my ISP hosts spammers?
>
>> I'm taking it as remotedomain.com has SpamCop checking on their
>> mailserver (as do we), and either it is scanning the message (which I
>> didn't think was available for SpamCop) or we somehow got on
>> SpamCop's blacklist and are now unable to send emails to anyone that
>> checks the SpamCop database.
>
> Your server 165.236.236.194 rDNS concord1.concordenergy.com is SCbl
> listed. Those who use the SCbl will be blocking or tagging your
> server's mails.
>
>> But, as noted in another post, I cannot find any detail on how my IP
>> got on the blacklist. I have signed up for the reports of my IP's
>> (hourly) as suggested in yet another post, but have not received one
>> yet.
>
> When your server hits spamtraps it doesn't get reports. A spamtrap is
> an address which has never been exposed as a 'real' address, and mail
> going to spamtraps means that your server is addressing mail to a never
> exposed address. One cause of that is if your server accepts a mail for
> delivery which has a bogus From [such as spam and viral propagations
> use] and that bogus From belongs to a spamtrap. Then, after your server
> accepts the mail, it belatedly attempts a so-called 'bounce' which is
> actually a newmail addressed to the bogus From.
>
> Then, that newmail hits the spamcop spamtrap in sufficient numbers, and
> that causes your server to become listed for abusive behavior.
>
> Hopefully the result will be that you reconfigure your server to not
> abusively newmail bogus Froms.
>
>> I just want to know the date/time or message header that triggered the
>> blacklisting.
>
> Generally you don't get much information about items to spamtraps, but
> you can communicate here http://www.spamcop.net/fom-serve/cache/91.html
> How can I contact a real person about this? - or an email address
>
>> Emails sent off to SpamCop for information, but this seems like such a
>> simple and common request that I must be missing something.
>>
>> help?
>
> You are provided with a wealth of information by following the links
> which the DSN starts you off with.
>
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From MikeE at ster.invalid Thu May 19 15:35:56 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu May 19 17:40:03 2005
Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM
References:
Message-ID:

Andrew wrote:
> Thank you for the quick response Mike -

YW, but pay careful attention to Ellen the deputy. She can see the evidence, I'm just reading and citing the faq and guessing.

> Let me see if I understand what could be causing this:
> --First, I am blacklisted because my server sent 1 or more messages
> to a SpamCop 'spam trap' which is a bogus address that triggers the
> blacklisting. --This can be caused by viruses, as well as the various
> types of auto-responders.

Significantly more than 1 message; the formula for how many spamtrap hits it takes depends upon 'reputation' number as described here http://www.spamcop.net/fom-serve/cache/297.html What is the SpamCop Blocking List (SCBL)? - SCBL Rules

But, other than that, yes.

> (Say the auto-responder I have if a virus is detected) <-- guessing
> this would be the culprit.
>
> The first step I will do is to disable the virus auto-responder. Of
> course, it would be nice to be able to search the logs for the spam
> trap email address so I can see exactly what caused it. Do you think
> there is any chance of that?
No I don't think the deputy is going to give you the IP of the trap. Neither of us is looking at the headers of the item which hit the spamtrap, but Ellen did and posted this: news://news.spamcop.net/d6isk0$vsg$1@news.spamcop.net The parser is designed to not name a server if it is relaying from a user IP. That is, if a user mailed a spam thru' the server [not the usual way for spam to be generated these days] and hit a spamtrap, the parser is designed to name the user IP behind the server as the source, not the server. The parser can make a mistake and name the server when it relays a user's spam if it is unfamiliar with the server or if the server's Received tracelines are configured badly. The usual situation for user IPs propagating virms or spam is that they do not use the server, so that common situation wouldn't cause the server to get listed. The usual cause of a server getting listed is something that it is doing itself, such as misdirected bounces, autoresponders, etc. If I'm understanding Ellen's words correctly, it may be that your server is infected with a virus. Ellen wrote: > The IP is listed because it is sending spam to the spamtraps -- looks > like a worm/virus/trojan infection. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu May 19 17:54:28 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu May 19 17:55:03 2005 Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM References: Message-ID: "Andrew" wrote in message news:d6itqa$14b$1@news.spamcop.net... > Thank you for the quick response Mike - > > Let me see if I understand what could be causing this: > --First, I am blacklisted because my server sent 1 or more messages to a > SpamCop 'spam trap' which is a bogus address that triggers the blacklisting. > --This can be caused by viruses, as well as the various types of > auto-responders. > (Say the auto-responder I have if a virus is detected) <-- guessing this > would be the culprit. 
Miss Betsy has gone to a lot of work to develop a FAQ that offers much to try to point things out .. please see http://forum.spamcop.net/forums/index.php?showtopic=972 From nobody at devnull.spamcop.net Thu May 19 18:20:00 2005 From: nobody at devnull.spamcop.net (Cat) Date: Thu May 19 18:20:02 2005 Subject: [SpamCop-List] Re: Re XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US In-Reply-To: References: Message-ID: Mike Easter wrote: > That is incorrect/wrong. > > Spamhaus /is/ listing the XO 206.173.204.234 rDNS > 206.173.204.234.ptr.us.xo.net for routing the Whoa in SBL26626 Yeah, I had wondered why you originally said it wasn't in there/ > You are correct. XO is spamhaus listed for routing the Whoa.and for > being the AS2828 for Whoa's spamhaus [and spewed] space. I finally got someone on the phone today at XO with half a brain who actually admitted that their abuse admins were only looking at the last IP in traceroute, ignoring that the next hop up is XO. I also reminded him about their Spamhaus SBL listing because of this spammer. His reply, "Yes, we know about that. There isn't an ISP that isn't listed in there." You should have heard my laughter on the phone. I also pointed out that my own ISP isn't listed in there and that there are plenty of reputable ISPs that aren't listed in Spamhaus or any other major block list since they actually do something about their spammers. He claims that he put a note on my trouble ticket for them to look over it again and to actually look at the whole traceroute this time. He admitted after looking at a full traceroute that it was definitely XO's downstream customer. From nobody at spamcop.net Thu May 19 17:13:53 2005 From: nobody at spamcop.net (N. 
Miller) Date: Thu May 19 19:15:02 2005 Subject: [SpamCop-List] Re: German spam References: <11ar4213a96c8$.dlg@news.spamcop.net> Message-ID: On Thu, 19 May 2005 22:26:29 +0200, Steven Maesslein wrote: > On Thu, 19 May 2005 11:33:35 -0700, N. Miller coughed into spamcop and > left this in <11ar4213a96c8$.dlg@news.spamcop.net>: > >> Logical fallacy: "post hoc ergo propter hoc"; "after that, therefore >> because of that". > > The West Wing, Season 1, Episode 2 :) Don't watch it. Somebody threw it at me no long ago. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From nobody at xyzzy.claranet.de Fri May 20 04:29:48 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu May 19 21:35:03 2005 Subject: [SpamCop-List] Bounce errror flag Message-ID: <428D3D8C.4016@xyzzy.claranet.de> Hi, finally starting to miss something, the feedback from SC, I checked and had a "bounce flag". Test mail, got it, clicked on "resolved", so far it's clear (I hope). Only, it's not really "resolved", I've no idea why my ISP bounced an SC feedback mail. Speculating, sometimes (rarely) SC feedback is tagged as ***SPAM*** if there are too many known spam subjects in this mail. Now with the Sober.Q pest they might have done something that's seriously wrong resulting in bounces. Or I screwed up in some obscure way. It would be nice to see the complete bounce (link on the error page) and not only its subject. Otherwise all I can do is ask my postmaster why he might have rejected a mail from SC to my feedback address. Bye, Frank From eddie at eddie.web Thu May 19 23:04:15 2005 From: eddie at eddie.web (eddie) Date: Thu May 19 22:05:03 2005 Subject: [SpamCop-List] spoof@ebay.com refuses SC reports??? Message-ID: Well then I hope these phishes cause some people to sue eBay I have never used eBay, never will, and this is certainly one reason why To not accept a report detailing a phish? 
Since this is eBay's policy, from now on I will not even report an eBay phish to the sender's ISP or the ISP of the URL. Let eBay eat cake. I will ignore them, as they choose to ignore SC. I will simply delete eBay phish scams with no reporting at all. -- Once movie theaters gave out steak knives Today they confiscate them From eddie at eddie.web Thu May 19 23:06:56 2005 From: eddie at eddie.web (eddie) Date: Thu May 19 22:10:03 2005 Subject: [SpamCop-List] Re: Unregistered subdomains? References: Message-ID: On Thu, 19 May 2005 17:34:44 +0000, Blammo scratched out the following: > On 19 May 2005 eddie entered spamcop and left > news:pan.2005.05.19.15.52.00.852000@eddie.web: > >> Anyway, because of one idiot, an oxymoron for a spammer, it's clear that >> only the main domain is registered and even SC recognizes this. >> >> > You don't register a subdomain. Yes, but if you type in a random subdomain name for, let's say diddly.example.com, you get a "Not Found" That means that the ISP must know what's going on, right? None of my websites accept random subdomains and I don't think my ISP allows wildcards, but I really haven't checked. If I were an ISP, I would be suspicious. -- Once movie theaters gave out steak knives Today they confiscate them From nobody at spamcop.net Thu May 19 20:18:37 2005 From: nobody at spamcop.net (Ellen) Date: Thu May 19 22:25:02 2005 Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM References: Message-ID: "Mike Easter" wrote in message news:d6j0rr$3e7$1@news.spamcop.net... > > The usual situation for user IPs propagating virms or spam is that they > do not use the server, so that common situation wouldn't cause the > server to get listed. The usual cause of a server getting listed is > something that it is doing itself, such as misdirected bounces, > autoresponders, etc. If I'm understanding Ellen's words correctly, it > may be that your server is infected with a virus. 
>

Hard to say if it's the server sending or a user behind the server or a user sending around the server. The only useful header shows the trap getting the spam from that IP. Some servers don't stamp a header showing the user to mailserver handoff, some do. The message is spam and it is not a bounce/OOO/AV notification. Unfortunately some of the newer infections are smarthosting.

Ellen

From porpoise1954 at yahoo.co.uk Fri May 20 04:59:39 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu May 19 23:05:02 2005
Subject: [SpamCop-List] Re: Unregistered subdomains?
References:
Message-ID:

"eddie" wrote in message news:pan.2005.05.20.02.06.56.455000@eddie.web...
> On Thu, 19 May 2005 17:34:44 +0000, Blammo scratched out the following:
>
>> On 19 May 2005 eddie entered spamcop and left
>> news:pan.2005.05.19.15.52.00.852000@eddie.web:
>>
>>> Anyway, because of one idiot, an oxymoron for a spammer, it's clear that
>>> only the main domain is registered and even SC recognizes this.
>>>
>>>
>> You don't register a subdomain.
> Yes, but if you type in a random subdomain name for, let's say
> diddly.example.com, you get a "Not Found"
> That means that the ISP must know what's going on, right?
> None of my websites accept random subdomains and I don't think my ISP
> allows wildcards, but I really haven't checked. If I were an ISP, I would
> be suspicious.

I think, what he was trying to say, is that, a subdomain doesn't have a separate IP address (using * as a non-defined example) not indicating that the domain was using wildcard subdomains.

i.e. rDNS for = 146.82.218.134 and rDNS for = "Sorry, members.spamcop.net is not an IP address............"

A subdomain is not the same thing as a domain - it merely points to a sub-directory of the main domain. Whereas, if were registered as a domain in its own right, it would have its own IP address.
Subdomains are often/usually used to indicate that the user is accessing a different part of the site (or different subject matter other than the main part). I have several subdomains for different areas of sites myself. Quite legitimate and in no way related to what spammers may or may not do. From nttp.sc.s at bigsleep.org Fri May 20 04:07:52 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Thu May 19 23:10:02 2005 Subject: [SpamCop-List] Re: Unregistered subdomains? References: Message-ID: On 19 May 2005 eddie entered spamcop and left news:pan.2005.05.20.02.06.56.455000@eddie.web: >> You don't register a subdomain. > Yes, but if you type in a random subdomain name for, let's say > diddly.example.com, you get a "Not Found" > That means that the ISP must know what's going on, right? > None of my websites accept random subdomains and I don't think my ISP > allows wildcards, but I really haven't checked. If I were an ISP, I would > be suspicious. > I know what you mean, just not wanting to go into too much detail. You register a domain, and the registrar assigns that name to a domain name server who then assigns the actual IP for that name. Subdomains are either CNAMES or Address records, a MX is supposed to be an Address record. The ISP only knows what's going on if they are in complete control of the name server for that domain, often times as with large hosting providers, the client controls the name server. So if diddly.example.com doesn't resolve, it simply means that it hasn't been defined, example.com needs to be registered, but bo.diddly.example.com can resolve where diddly.example.com doesn't, and they can be all different IPs. Some spammers seem to be able to do some very strange things with domains, and I don't know all the gory details, but you often have to do some trial and error digging to figure out what they are doing. 
And don't confuse subdomains with reverse lookups (PTR), even though a PTR can be a subdomain, these are in different records, sometimes they can be combined but technically they are different records. That's why sometimes they don't match. I caught one idiot using "localhost" for a PTR, it's pretty easy to block the idiots, if every ISP blocked the idiots we'd all get half the spam, or maybe we'd just be rid of the idiots.

--
| Ric |

From nttp.sc.s at bigsleep.org Fri May 20 04:21:39 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Thu May 19 23:25:02 2005
Subject: [SpamCop-List] Re: Unregistered subdomains?
References:
Message-ID:

On 19 May 2005 Porpoise entered spamcop and left news:d6jk02$goc$1@news.spamcop.net:

> Subdomains are often/usually used to indicate that the user is
> accessing a different part of the site (or different subject matter
> other than the main part). I have several subdomains for different
> areas of sites myself. Quite legitimate and in no way related to what
> spammers may or may not do.
>

Not really, the subdomain does nothing on its own, except for HTTP/1.1 where the browser sends the Host header so the web server, if so configured, can redirect it. In other words virtual hosting. Browsers that don't support HTTP/1.1 don't send the Host header, so for them virtual hosts don't work. As per my other post, this has nothing to do with IP addresses or registration. But this does point out that different subdomains can return different pages/sites than the IP would.

--
| Ric |

From news_svaardt at hotmail_NOSPAM_.com Fri May 20 13:33:56 2005
From: news_svaardt at hotmail_NOSPAM_.com (Steve)
Date: Thu May 19 23:35:02 2005
Subject: [SpamCop-List] SpamCop Fails to parse mail-headers
Message-ID:

I've noticed recently that "harrisondm.com" is being used as a gateway for SPAM - the mail header shown below (which SPAM Cop can't handle) has an incorrectly formed Received line - the 2nd one:

Received: by hdblast05.harrisondm.com id hhhqck075j02; Thu, 19 May 2005 04:11:45 -0700 (envelope-from )

As such, this SPAMer falls through various SPAM checks (even Hotmail's).

X-Message-Status: n
X-SID-PRA: Univ.Of Phoenix
X-SID-Result: TempError
X-Message-Info: JGTYoYF78jGB+jF52/4kqgdCL2KdwmSq8PDvmXE2yIU=
Received: from hdblast05.harrisondm.com ([64.124.62.74]) by mc3-f23.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
	 Thu, 19 May 2005 03:15:01 -0700
Received: by hdblast05.harrisondm.com id hhhqck075j02; Thu, 19 May 2005 04:11:45 -0700 (envelope-from )
Date: Thu, 19 May 2005 04:11:45 -0700
From: Univ. Of Phoenix
Date: Thu, 19 May 2005 04:11:45 -0700
To: abuse@hotmail.com
Return-Path:
Message-Id:
Subject: Discover UOP's Flexible Degree Programs
Content-type: text/html;
X-OriginalArrivalTime: 19 May 2005 10:15:01.0159 (UTC) FILETIME=[9DF20370:01C55C5B]

From wb8tyw at qsl.network Fri May 20 00:51:30 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Thu May 19 23:55:02 2005
Subject: [SpamCop-List] Re: spoof@ebay.com refuses SC reports???
In-Reply-To:
References:
Message-ID:

eddie wrote:
> Well then I hope these phishes cause some people to sue eBay
> I have never used eBay, never will, and this is certainly one reason why
> To not accept a report detailing a phish?
> Since this is eBay's policy, from now on I will not even report an eBay
> phish to the sender's ISP or the ISP of the URL.
> Let eBay eat cake. I will ignore them, as they choose to ignore SC.
> I will simply delete eBay phish scams with no reporting at all.

According to what can be determined from reading the instructions at ebay:

The spoof(at)ebay.com and paypal.com addresses are parsers that can only deal with messages forwarded to them intact in the same way that spam can be forwarded to spamcop.net

These addresses can not deal with spamcop.net formatted reports and if you send them anything other than the spam in the format that the ebay/paypal parser expects it will simply send an auto-reply that it could not parse the message.

-John
wb8tyw@qsl.network
Personal Opinion Only

From nttp.sc.s at bigsleep.org Fri May 20 04:58:40 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Fri May 20 00:00:04 2005
Subject: [SpamCop-List] Re: spoof@ebay.com refuses SC reports???
References:
Message-ID:

On 19 May 2005 eddie entered spamcop and left news:pan.2005.05.20.02.04.14.161000@eddie.web:

> Well then I hope these phishes cause some people to sue eBay
> I have never used eBay, never will, and this is certainly one reason why
> To not accept a report detailing a phish?
> Since this is eBay's policy, from now on I will not even report an eBay
> phish to the sender's ISP or the ISP of the URL.
> Let eBay eat cake. I will ignore them, as they choose to ignore SC.
> I will simply delete eBay phish scams with no reporting at all.
>
>

I mostly agree, however I do send PayPal spoofs to spoof@paypal.com. Spamcop isn't really set up to notify for phish, it's trying to report a URL. If you want to report phish, you really need to do this on your own. It's not really fair to judge them based on the fact that they refuse Spamcop reports about a message they have no involvement in.

http://www.paypal.com/cgi-bin/webscr?cmd=_security-center-outside

"Protect yourself from fraudulent emails
Emails that seem to be from a well-known company can put you at risk.
Forward suspicious emails to: spoof@paypal.com"

I know you didn't mention PayPal, but that's what I mostly get.
I think I saw something on eBay about this, but I really don't know if they have a reporting address.

--
| Ric |

From wb8tyw at qsl.network Fri May 20 01:03:59 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Fri May 20 00:05:02 2005
Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM
In-Reply-To:
References:
Message-ID:

Andrew wrote:
> Thank you for the quick response Mike -
>
> The first step I will do is to disable the virus auto-responder. Of course,
> it would be nice to be able to search the logs for the spam trap email
> address so I can see exactly what caused it. Do you think there is any
> chance of that?

After you get the virus auto-responder shut off, complain loudly to the software vendor that they even had that as an option.

All such notifications that are going outside of your network are not going to anyone that had anything to do with sending the virus.

This has been the case for several years and any anti-virus provider, or mail server software provider that does not know that is incompetent.

So there is no reason for any competent anti-virus provider or mail server software provider to even provide it as an option.

And anyone that is operating a mail server should also know that.

Please understand that one of my e-mail addresses is still recovering from getting mail bombed with virus detected and other backscatter from mail servers that are not using SMTP rejects. At some times the backscatter was approaching 20 messages per second.

The internet facing mail server should determine if it is going to deliver the message or not at the time that the SMTP transaction is open, and then use the appropriate SMTP reject codes to accept or deny the message.

It should never accept a message and then generate a bounce or a virus detected response to the alleged from address, as over 99% of undeliverable messages are from viruses and spam with forged addresses.

Most mail server systems on the internet will use SMTP rejects only to indicate non-delivery.

If your mail server can not be configured in that way, complain loudly to your software vendor about them not being compatible with the way that internet e-mail needs to work.

-John
wb8tyw@qsl.network
Personal Opinion Only

From MikeE at ster.invalid Thu May 19 22:10:34 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 20 00:15:03 2005
Subject: [SpamCop-List] Re: SpamCop Fails to parse mail-headers
References:
Message-ID:

Steve wrote:
> I've noticed recently that "harrisondm.com" is being used as a
> gateway for SPAM - the mail header shown below (which SPAM Cop can't
> handle) has an incorrectly formed Received line - the 2nd one:

The better way to communicate about a parse is to post the tracker for the parse of the item - even if the parse fails in some way.

> Received: by hdblast05.harrisondm.com id hhhqck075j02; Thu, 19 May
> 2005 04:11:45 -0700 (envelope-from )

That line is not what I call a 'Received: traceline'. Tracelines start with 'Received: from' -- the 'Received: by' lines are not the same thing.

> As such, this SPAMer falls through various SPAM checks (even
> Hotmail's).

Reformatting what you pasted in here and submitting it to the parser isn't nearly as informative as working with the tracker. Here is my tracker for that

http://www.spamcop.net/sc?id=z765563282z9c86bdaa01826df1ab45a4607f9b39b9z

The parse properly ignores a received by line and names 64.124.62.74 rDNS hdblast05.harrisondm.com as the spamsource. The ones in sightings which are similar to that are promoting universities/schools.and the IP is listed in several db/s, including spamcop.

If you mean that you think the IP is supposed to be an output server and is supposed to be stamping a line to demonstrate a user IP behind it, that may be so, but the current situation is that that IP should be named as the spamsource and it should be listed.

--
Mike Easter
kibitzer, not SC admin

From Vanguard at domain.invalid Fri May 20 01:03:59 2005
From: Vanguard at domain.invalid (Vanguard)
Date: Fri May 20 01:05:03 2005
Subject: [SpamCop-List] Re: SpamCop Fails to parse mail-headers
References:
Message-ID:

"Steve" wrote in message news:d6jlr3$hvf$1@news.spamcop.net...
> I've noticed recently that "harrisondm.com" is being used as a gateway
> for SPAM - the mail header shown below (which SPAM Cop can't handle)
> has an incorrectly formed Received line - the 2nd one:

Received: from hdblast05.harrisondm.com ([64.124.62.74]) by mc3-f23.hotmail.com ...
Received: by hdblast05.harrisondm.com ...

Why would the trace go any further back than the topmost (last) Received header. Obviously the prior Received header is bogus or deliberately malformed. The "by" host in the second Received header is the same as the "from" host in the first Received header so that is as far as tracing needs to progress. Blacklisting 64.124.62.74 (above.net) should be sufficient if enough spam gets pumped through there since its own running that relay and should get informed regarding their spam spewage.

How do you know it is a relay or "gateway"? Could be just some internal relaying within Above.net. Above.net probably doesn't want to show the internal relaying between their mail servers. Could be one of their customers simply lying in the HELO/EHLO that the domain is hdblast05.harrisondm.com (whose IP from the rDNS shows it is allocated to Above.net). The spamming [trojanized] customer of Above.net probably doesn't care about generating a valid Received header.

You sure the spam parser didn't declare the second Received header was bogus or malformed and that's why it decided not to use it? We don't know since you didn't copy/paste what the parser actually said and you didn't provide the link to that report. Sure looks like only the topmost Received header can be used for tracing.
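
[Added example, not part of any poster's message and not SpamCop's parser: a sketch of the header reading discussed in this thread, where a 'Received: from' traceline stamped by the recipient's own server names the source and a bare 'Received: by' line is treated as sender-written. The first sample uses the two Received lines posted above and assumes mc3-f23.hotmail.com is the recipient's own server; the second sample, the names classify and find_source, and the relay_ips parameter are constructed for illustration, and the example goes one step beyond the thread by also handling a forged traceline.]

```python
import re
from email.parser import HeaderParser

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "from <helo> (<optional rDNS> [ip]) by <host>": the stamping server
# records the peer it accepted the message from.
TRACELINE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\([^\[\)]*\[(?P<ip>" + IPV4 + r")\]\)"
    r"\s+by\s+(?P<by>\S+)", re.IGNORECASE)
# "by <host> ...": names only the stamping host, no peer at all.
BY_ONLY = re.compile(r"^by\s+(?P<by>\S+)", re.IGNORECASE)

# The two Received lines posted in the thread (folded here for width).
PAGE_HEADERS = """\
Received: from hdblast05.harrisondm.com ([64.124.62.74])
    by mc3-f23.hotmail.com with Microsoft SMTPSVC(6.0.3790.211);
    Thu, 19 May 2005 03:15:01 -0700
Received: by hdblast05.harrisondm.com id hhhqck075j02;
    Thu, 19 May 2005 04:11:45 -0700 (envelope-from )
Subject: Discover UOP's Flexible Degree Programs
"""

# Constructed sample (documentation addresses): the lower line is written
# by the sender and even claims to have been stamped by the recipient's MX.
FORGED_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.25])
    by mx1.example.org with ESMTP id abc123;
    Fri, 20 May 2005 01:00:00 +0000
Received: from bank.example.com ([198.51.100.7])
    by mx1.example.org with SMTP;
    Fri, 20 May 2005 00:59:00 +0000
Subject: constructed test message
"""


def classify(value):
    """Sort one Received value into traceline, by-only line or unparsed."""
    text = " ".join(value.split())  # unfold continuation lines
    m = TRACELINE.match(text)
    if m:
        return {"kind": "trace", "helo": m["helo"].lower(), "ip": m["ip"],
                "by": m["by"].rstrip(";").lower()}
    m = BY_ONLY.match(text)
    if m:
        return {"kind": "by-only", "by": m["by"].rstrip(";").lower()}
    return {"kind": "unparsed"}


def find_source(raw_headers, trusted_hosts, relay_ips=()):
    """Return the peer IP recorded by the recipient's own servers.

    trusted_hosts: names of servers the recipient controls.
    relay_ips: addresses of those servers, so an internal hand-off can be
    followed one hop further down. Both are supplied by the caller.
    """
    trusted = {h.lower() for h in trusted_hosts}
    relays = set(relay_ips)
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    hops = [classify(v) for v in msg.get_all("Received", [])]

    source, cut = None, 0
    for hop in hops:  # topmost header is the newest stamp
        if hop["kind"] != "trace" or hop["by"] not in trusted:
            break
        source, cut = hop, cut + 1
        if hop["ip"] not in relays:
            break  # peer is outside our network: stop trusting here

    # Everything below the cut was written by, or passed through, the
    # sending side. Record it, but never take a source address from it.
    unverified = []
    for hop in hops[cut:]:
        note = dict(hop)
        note["matches_helo"] = bool(source) and hop.get("by") == source["helo"]
        unverified.append(note)

    return {"source_ip": source["ip"] if source else None,
            "helo": source["helo"] if source else None,
            "stamped_by": source["by"] if source else None,
            "unverified": unverified}


if __name__ == "__main__":
    print(find_source(PAGE_HEADERS, {"mc3-f23.hotmail.com"}))
    print(find_source(FORGED_HEADERS, {"mx1.example.org"}))
```
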

From Vanguard at domain.invalid Fri May 20 01:09:52 2005
From: Vanguard at domain.invalid (Vanguard)
Date: Fri May 20 01:10:03 2005
Subject: [SpamCop-List] Re: spoof@ebay.com refuses SC reports???
References:
Message-ID:

"eddie" wrote in message news:pan.2005.05.20.02.04.14.161000@eddie.web...
> Well then I hope these phishes cause some people to sue eBay
> I have never used eBay, never will, and this is certainly one reason
> why
> To not accept a report detailing a phish?
> Since this is eBay's policy, from now on I will not even report an
> eBay
> phish to the sender's ISP or the ISP of the URL.
> Let eBay eat cake. I will ignore them, as they choose to ignore SC.
> I will simply delete eBay phish scams with no reporting at all.

Don't send them the SpamCop report. Copying them when originally sending the phish mail to SpamCop (i.e., send it to SpamCop and to eBay, and later select the other recipients in the parser report). Also, you might want to report phish mails separately to the e-mail address listed at http://www.antiphishing.org which is run by Microsoft, eBay, VISA, GeoTrust, and other sponsors in the fight against phish mails.

There are several recipients to which I send copies of spam, phish, or fraud mails which cannot accept the modified copy of that e-mail that SpamCop sends out.

--
____________________________________________________________
** Post your replies to the newsgroup - Share with others **
For e-mail Reply: remove "DELETE", add "~VN56~" to Subject.
____________________________________________________________

From nobody at nowhere.invalid Fri May 20 10:59:13 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri May 20 04:00:04 2005
Subject: [SpamCop-List] Re: Unregistered subdomains?
References: Message-ID: On Thu, 19 May 2005 22:06:56 -0400, eddie coughed into spamcop and left this in : > Yes, but if you type in a random subdomain name for, let's say > diddly.example.com, you get a "Not Found" Past the domain registered in whois, it's nothing to do with domain registration. It's DNS beyond that point. -- Steve Sign spotted outside a second hand shop: WE EXCHANGE ANYTHING - BICYCLES, WASHING MACHINES, ETC. WHY NOT BRING YOUR WIFE ALONG AND GET A WONDERFUL BARGAIN? From nobody at nowhere.invalid Fri May 20 12:24:53 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri May 20 05:25:10 2005 Subject: [SpamCop-List] URLs found by parser not being acted upon Message-ID: It seems to me that most of these URLs not being acted upon are URLs spamvertised in mortgage spam. Isn't Robert Soloway responsible for a huge chunk of this? If so, the lack of action from SpamCop could have something to do with Soloway's ongoing "problems" with Microsoft... BTW, for those in need of a laugh: http://www.spamis.cc/ -- Steve God prefers spiritual fruit, not religious nuts... From nospam at nospam.nl Fri May 20 15:12:57 2005 From: nospam at nospam.nl (geo_splash_12) Date: Fri May 20 08:15:07 2005 Subject: [SpamCop-List] Re: bounce spam In-Reply-To: References: Message-ID: Ellen wrote: > "geo_splash_12" wrote in message > news:d6fiv7$gi3$1@news.spamcop.net... > >>Lately I'm getting some german spam that comes with a lot of bounces: >> >>http://www.spamcop.net/sc?id=z764956657z9dd57944066989a8094c14059bc01e9fz >>http://www.spamcop.net/sc?id=z764720843za1b77eec78103edd791b6a569c6de363z >>http://www.spamcop.net/sc?id=z764220132zbc7876dd2ce488487c4b73c606eab871z >> >>I hate spam, and especially when it is German and extreme right. But, >>what is causing this, a new virus? >> >>Ejo > > > That is sober.q sending those spams. > > http://www.f-secure.com/v-descs/sober_q.shtml > > Ellen > > > I just received the following, is this right what they are suggesting? 
Should I not respond to these crazy bounce spams and delete them right away?

Hello SpamCop user,

We have bounced a lot of mail that was sent to us from a spoofed
IP-address which is apparently in real yóur IP-address.
We have bounced this unsolicited mail due to the fact that the mail
contained destination mail-addresses unknown to us.
The mail was probably sent to us because of SOBER.P or SOBER.Q worms
active on other hosts not in our control.
We are sorry to have caused any inconvenience.
We ask you to reconsider your reporting to SpamCop and we hope that you
will decide to withdraw your reporting to SpamCop and inform SpamCop
about your decision.

Kind regards,

Getronics-PinkRoccade

-- Please use the link below to review the report in question:
http://www.spamcop.net/mcgi?action=showhistory;slice=reportid;val=1427747485

From wb8tyw at qsl.network Fri May 20 08:55:31 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Fri May 20 09:00:04 2005
Subject: [SpamCop-List] Re: bounce spam
References:
Message-ID:

In article , geo_splash_12 writes:
>
> I just received the following, is this right what they are suggesting?
> Should I not respond to these crazy bounce spams and delete them right away?
>
> Hello SpamCop user,
>
> We have bounced a lot of mail that was sent to us from a spoofed
> IP-address which is apparently in real yóur IP-address.
> We have bounced this unsolicited mail due to the fact that the mail
> contained destination mail-addresses unknown to us.
> The mail was probably sent to us because of SOBER.P or SOBER.Q worms
> active on other hosts not in our control.
> We are sorry to have caused any inconvenience.
> We ask you to reconsider your reporting to SpamCop and we hope that you
> will decide to withdraw your reporting to SpamCop and inform SpamCop
> about your decision.
>
> Kind regards,
>
> Getronics-PinkRoccade

By bouncing such e-mail instead of using SMTP rejects the mail server administrator is participating in a denial of service attack on the rest of the internet.

By continuing to report them either through spamcop.net or manually, you will put pressure on them to change their system to one that is compatible with the rest of the internet.

If you choose to respond to them tell them that almost all mail server systems on the internet only use SMTP rejects for undeliverable e-mail and that the few that are bouncing messages are participating in a denial of service attack on the innocent domains that are forged by spam and viruses.

If they do not know how to configure their systems so that the internet facing mail server can use SMTP rejects, they should contact their vendor. Since this is the normal configuration for Internet e-mail, their vendor should have a way to do this. If not, then they have paid their vendor for a defective product.

For every site that says that they are too large to do this economically, a larger site can usually be found that does do so and does so because it costs them less to maintain. So that argument does not hold water.

-John
wb8tyw@qsl.network
Personal Opinion Only

From MikeE at ster.invalid Fri May 20 07:14:47 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri May 20 09:15:03 2005
Subject: [SpamCop-List] Re: bounce spam
References:
Message-ID:

geo_splash_12 wrote:
>>> Lately I'm getting some german spam that comes with a lot of
>>> bounces:
>>>
>>> http://www.spamcop.net/sc?id=z764956657z9dd57944066989a8094c14059bc01e9fz

I only looked at one.

> I just received the following, is this right what they are suggesting?

They are explaining what they did; but what they did, they did wrong.

> Should I not respond to these crazy bounce spams and delete them
> right away?
>
> Hello SpamCop user,
>
> We have bounced a lot of mail that was sent to us from a spoofed
> IP-address which is apparently in real yóur IP-address.

That isn't accurate. They accepted mail with a bogus From, which is the usual condition of spam and viral propagations, and then newmailed you about a condition of the mail.

In the beginning, this item -- Subject: Dresden Bombing Is To Be Regretted Enormously -- sourced (as03d013.dialin.vianetworks.nl [212.61.6.13]) was received by kadaster.nl who belatedly newmail 'bounced' it to the From so you spamcop reported the kadaster server.which is megaplex.nl

> We have bounced this unsolicited mail due to the fact that the mail
> contained destination mail-addresses unknown to us.

They shouldn't be 'bouncing' by accepting and abusively newmailing to the bogus From. They should be rejecting the mail during the transaction.

> The mail was probably sent to us because of SOBER.P or SOBER.Q worms
> active on other hosts not in our control.

Correct.

> We are sorry to have caused any inconvenience.

But not sorry enough to reconfigure to stop doing that?

> We ask you to reconsider your reporting to SpamCop and we hope that
> you will decide to withdraw your reporting to SpamCop and inform
> SpamCop
> about your decision.

Those newmail abusive belated bounces to bogus Froms are reportable and will cause the servers which do that to become spamcop blocklisted which will interfere with their customers' mail service.

At the present time 80.79.97.214 rDNS gw11.megaplex.nl is not SCbl listed.yet.

> -- Please use the link below to review the report in question:

That's a report for Delivery Notification: Delivery has failed which is what the item I looked at was about.

--
Mike Easter
kibitzer, not SC admin

From nospam at nospam.nl Fri May 20 16:26:44 2005
From: nospam at nospam.nl (geo_splash_12)
Date: Fri May 20 09:30:04 2005
Subject: [SpamCop-List] Re: bounce spam
In-Reply-To:
References:
Message-ID:

John E. Malmberg wrote:
> In article ,
> geo_splash_12 writes:
>
>>I just received the following, is this right what they are suggesting?
>>Should I not respond to these crazy bounce spams and delete them right away?
>>
>>Hello SpamCop user,
>>
>>We have bounced a lot of mail that was sent to us from a spoofed
>>IP-address which is apparently in real yóur IP-address.
>>We have bounced this unsolicited mail due to the fact that the mail
>>contained destination mail-addresses unknown to us.
>>The mail was probably sent to us because of SOBER.P or SOBER.Q worms
>>active on other hosts not in our control.
>>We are sorry to have caused any inconvenience.
>>We ask you to reconsider your reporting to SpamCop and we hope that you
>>will decide to withdraw your reporting to SpamCop and inform SpamCop
>>about your decision.
>>
>>Kind regards,
>>
>>Getronics-PinkRoccade
>
>
> By bouncing such e-mail instead of using SMTP rejects the mail server
> administrator is participating in a denial of service attack on the rest of the
> internet.
>
> By continuing to report them either through spamcop.net or manually, you will
> put pressure on them to change their system to one that is compatible with the
> rest of the internet.
>
> If you choose to respond to them tell them that almost all mail servers systems
> on the internet only use SMTP rejects for undeliverable e-mail and that the
> few that are bouncing messages are participating in a denial of service
> attack on the innocent domains that are forged by spam and viruses.
>
> If they do not know how to configure their systems to so that the internet
> facing mail server can use SMTP rejects, they should contact their vendor.
> Since this is the normal configuration for Internet e-mail, their vendor should
> have a way to do this. If not, then they have paid their vendor for a
> defective product.
> > For every site that says that they are too large to do this economically, a > larger site can usually be found that does do and does so because it costs them > less to maintain. So that argument does not hold water. > > -John > wb8tyw@qsl.network > Personal Opinion Only Ok John (and Mike), I will respond to them, thanks for explaining. From noah.boddie at newsgroup.nospam Fri May 20 11:01:50 2005 From: noah.boddie at newsgroup.nospam (Dwayne Conyers) Date: Fri May 20 10:05:02 2005 Subject: [SpamCop-List] Wise Guys... Message-ID: Getting spam from someone posing as "system administrator" of our company saying to click a link in the mail... since I'm sys admin and the only user of our system... it is an obvious spoof. Also getting, messages thta a mail I supposedly sent didn't go and to click a link to go to the inbox... well, I know better than that... I'm starting to understand how people are getting duped and their systems spoofed into spam zombies... -- The Runaway Bride Shoppe http://www.cafepress.com/dwacon/601709 From wb8tyw at qsl.network Fri May 20 11:26:56 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri May 20 11:30:02 2005 Subject: [SpamCop-List] Re: Wise Guys... References: Message-ID: In article , "Dwayne Conyers" writes: > Getting spam from someone posing as "system administrator" of our company > saying to click a link in the mail... since I'm sys admin and the only user > of our system... it is an obvious spoof. > > Also getting, messages thta a mail I supposedly sent didn't go and to click > a link to go to the inbox... well, I know better than that... On my system I can click on such links and the worse that will happen is that the spammer's web server might record the hit. There is no reason that software needs to be vulnerable to people falling for such spoofs. > I'm starting to understand how people are getting duped and their systems > spoofed into spam zombies... 
I would recommend seeing if you can configure your mail server to SMTP reject any outside e-mail that is pretending to come from either a role account on your network or a user that does not exist on your network.

For internal infections generating such spoofs, you can only easily eliminate the ones spoofing non-existent role accounts.

I have noticed that many networks have a policy that the mandatory or typical role e-mail addresses are receive only and never generate mail. By adopting that policy, you might have a chance of either filtering internal infections or training users which ones are real or not.

Of course using sbl-xbl.spamhaus.org along with dul.dnsbl.sorbs.net as a DNSBL seems to also cause rejection of most of these worms.

Failing that, divert such messages to someone like you that knows better. And if they do not know better, at least has the sense not to admit to being a system administrator and infecting their company and naming it on to a reporter of a nationally read newspaper. :-)

-John
wb8tyw@qsl.network
Personal Opinion Only

From nobody at spamcop.net Fri May 20 11:00:29 2005
From: nobody at spamcop.net (Dar)
Date: Fri May 20 13:05:03 2005
Subject: [SpamCop-List] Re: Wise Guys...
References:
Message-ID:

> Getting spam from someone posing as "system administrator" of our company
> saying to click a link in the mail... since I'm sys admin and the only user
> of our system... it is an obvious spoof.
>
> Also getting, messages that a mail I supposedly sent didn't go and to click
> a link to go to the inbox... well, I know better than that...
>
> I'm starting to understand how people are getting duped and their systems
> spoofed into spam zombies...
>
>
> --
> The Runaway Bride Shoppe
> http://www.cafepress.com/dwacon/601709
>

It's a virus or worm. I have admin, etc., spam filtered to protect clients.
Dar From porpoise1954 at yahoo.co.uk Fri May 20 19:12:22 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri May 20 13:20:03 2005 Subject: [SpamCop-List] Re: Unregistered subdomains? References: Message-ID: "Blammo" wrote in message news:Xns965BCF25B608Cblammo@216.154.195.61... > On 19 May 2005 Porpoise entered spamcop and left > news:d6jk02$goc$1@news.spamcop.net: > >> Subdomains are often/usually used to indicate that the user is >> accessing a different part of the site (or different subject matter >> other than the main part). I have several subdomains for different >> areas of sites myself. Quite legitimate and in no way related to what >> spammers may or may not do. >> > > Not really, the subdomain does nothing on its own, except for HTTP/1.1 > where the browser sends the Host header so the web server, if so > configured, can redirect it. In other words virtual hosting. Browsers that > don't support HTTP/1.1 don't send the Host header, so for them virtual > hosts don't work. > As per my other post, this has nothing to do with IP addresses or > regristration. But this does point out that different subdomains can > return > different pages/sites than the IP would. Hmmm... I kinda thought that was more-or-less what I sed ;-) From steevian at yahoo.com Fri May 20 11:49:36 2005 From: steevian at yahoo.com (Steve Johnson) Date: Fri May 20 13:49:44 2005 Subject: [SpamCop-List] Re: XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VA Attorney Gen: CONSUMER@OAG.State.VA.US Message-ID: <20050520174936.62583.qmail@web51305.mail.yahoo.com> Yes the traceroute absolutely confirms it's XO's block. I talked to XO and they had the nerve to referr me to 'ARIN' and they said they checked ARIN while I was on the phone & told me 'well sorry Arin says this is not XO's IP'... I laughed like hell & told them they are so pathetic, etc., and asked if this is their only way they can look up their own IP's???!!! 
I then referred them to a CIDR report -

http://www.cidr-report.org/cgi-bin/as-report?as=as2828
69.67.72.0/21 4637 2828

- or told them to try a simple traceroute, there was no real response & as usual I got nowhere so anyone who has had luck with XO I congratulate you!

If anyone's interested I've been forwarding email complaints to the "VA Attorney General" in case by chance someone out there in govt is interested: CONSUMER at OAG.State.VA.US

Steve.

Mike Easter wrote:
> Steve Johnson wrote:
>
>>>Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and
>>>also had any luck with XO as far as even a response?
>
>
> I don't understand [exactly] what/how much XO has to 'do with'
> 69.67.72.0/21, except for being the notify in the routing for
> 69.67.72.0/24 because they are the notify for AS2828 because the
> 69.67.64.0/20 which is Whoa is spewed and spamhaused.

In traceroute, XO is the direct upstream from the spammer. The last IP in traceroute is the spammer with the one directly above that being XO, so they definitely get connectivity through XO. There's no one else to notify in between those. I've had 82 unsolicited e-mails from them in the past few weeks, and I'm absolutely sick of it.

-----

> That is incorrect/wrong.
>
> Spamhaus /is/ listing the XO 206.173.204.234 rDNS
> 206.173.204.234.ptr.us.xo.net for routing the Whoa in SBL26626

Yeah, I had wondered why you originally said it wasn't in there/

> You are correct. XO is spamhaus listed for routing the Whoa and for
> being the AS2828 for Whoa's spamhaus [and spewed] space.

I finally got someone on the phone today at XO with half a brain who actually admitted that their abuse admins were only looking at the last IP in traceroute, ignoring that the next hop up is XO. I also reminded him about their Spamhaus SBL listing because of this spammer. His reply, "Yes, we know about that. There isn't an ISP that isn't listed in there."

You should have heard my laughter on the phone.
I also pointed out that my own ISP isn't listed in there and that there are plenty of reputable ISPs that aren't listed in Spamhaus or any other major block list since they actually do something about their spammers.

He claims that he put a note on my trouble ticket for them to look over it again and to actually look at the whole traceroute this time. He admitted after looking at a full traceroute that it was definitely XO's downstream customer.

From Vanguard at domain.invalid Fri May 20 13:58:40 2005
From: Vanguard at domain.invalid (Vanguard)
Date: Fri May 20 14:00:03 2005
Subject: [SpamCop-List] Backscatter - report it as spam?
Message-ID:

Is "backscatter" when a mail server spews out bounces for undeliverable e-mail but sends it to the falsified e-mail address used by the spam source? A spammer spews their crap and uses my e-mail address. The destination is invalid so that mail server rejects it. Instead of using the Received headers to determine that the From, Reply-To, Return-Path, or Sender are valid, they often just use those fields to spew back their NDR (non-delivery report). Sometimes the NDR has the spam attached and sometimes not. How should these unintelligently delivered bounces be handled as regard to them being spam or not?

From mrichter at cpl.net Fri May 20 12:13:11 2005
From: mrichter at cpl.net (Mike Richter)
Date: Fri May 20 14:15:02 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
In-Reply-To:
References:
Message-ID:

Vanguard wrote:
> Is "backscatter" when a mail server spews out bounces for undeliverable
> e-mail but sends it to the falsified e-mail address used by the spam
> source? A spammer spews their crap and uses my e-mail address. The
> destination is invalid so that mail server rejects it.
Instead of using > the Received headers to determine that the From, Reply-To, Return-Path, > or Sender are valid, they often just use those fields to spew back their > NDR (non-delivery report). Sometimes the NDR has the spam attached and > sometimes not. How should these unintelligently delivered bounces be > handled as regard to them being spam or not? From a (mostly) happy SpamCop user, not an offiical. No, do not report them as spam; they are not spam. They are certainly not bulk, since each is sent individually - though it is incorrectly addressed. They are clearly not "commercial" either. They do not qualify. You can always try to have the offending ISP correct its procedures, but don't hold your breath for action. Mike -- mrichter@cpl.net http://www.mrichter.com/ From porpoise1954 at yahoo.co.uk Fri May 20 20:26:11 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri May 20 14:30:04 2005 Subject: [SpamCop-List] Re: URLs found by parser not being acted upon References: Message-ID: "Steven Maesslein" wrote in message news:slrnd8rb75.3lo.nobody@127.0.0.1... > It seems to me that most of these URLs not being acted upon are URLs > spamvertised in mortgage spam. Isn't Robert Soloway responsible for a > huge chunk of this? If so, the lack of action from SpamCop could have > something to do with Soloway's ongoing "problems" with Microsoft... > > BTW, for those in need of a laugh: http://www.spamis.cc/ > What a load of b*****ks! From Vanguard at domain.invalid Fri May 20 14:37:59 2005 From: Vanguard at domain.invalid (Vanguard) Date: Fri May 20 14:40:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: "Mike Richter" wrote in message news:d6l9bh$gnp$1@news.spamcop.net... > Vanguard wrote: >> Is "backscatter" when a mail server spews out bounces for >> undeliverable e-mail but sends it to the falsified e-mail address >> used by the spam source? A spammer spews their crap and uses my >> e-mail address. 
The destination is invalid so that mail server >> rejects it. Instead of using the Received headers to determine that >> the From, Reply-To, Return-Path, or Sender are valid, they often just >> use those fields to spew back their NDR (non-delivery report). >> Sometimes the NDR has the spam attached and sometimes not. How >> should these unintelligently delivered bounces be handled as regard >> to them being spam or not? > > From a (mostly) happy SpamCop user, not an offiical. > > No, do not report them as spam; they are not spam. They are certainly > not bulk, since each is sent individually - though it is incorrectly > addressed. They are clearly not "commercial" either. They do not > qualify. > > You can always try to have the offending ISP correct its procedures, > but don't hold your breath for action. > > Mike > -- > mrichter@cpl.net > http://www.mrichter.com/ > I understand your point. However, and especially if the e-mail provider includes a copy of the original spam, if a spammer is sending thousands of messages with a falsified return e-mail address which some or many hit the same e-mail provider that returns a large number of them, how does that obviate that e-mail provider from themself being a spammer? They were an accomplice, perhaps unwitting, in distributing that spam. It's an old trick to spew spam where the From header is the actual intended targets for the spam and have their spewage bounce off some e-mail provider. If the NDR does not include the original message (so the spam could not be included) then, yes, it is just a single NDR sent from that e-mail provider. However, I have seen hundreds of NDRs returned to me because the spammer hit the same e-mail provider with lots of invalid recipients there. In that case, the e-mail provider is slamming me with hundreds of NDRs of which none were solicited. 
Since the e-mail provider is sending out hundreds of NDRs, to me or as an aggregate to many innocents, and since it was initiated by the spammer but accompliced by the e-mail provider, how does that not itself qualify as spam? It is being sent out in bulk by the e-mail provider. I might only get one copy of a spam but does not obviate it from being spam since it was sent out in bulk by the sender, and the sender in this case happens to be the e-mail provider bouncing out those spam-initiated NDRs. When an e-mail provider gets a message that is not deliverable (e.g., user doesn't exist), what are the correct procedures that they should use to route their NDR message? Just using the From, Reply-To, or any other sender-modifiable header will obviously fail for spam since the spammer is not going to use their own real e-mail address. Should they be checking that the domain for the sender is somewhere included when tracing back through the [non-bogus] Received headers? I am curious as to what would be considered the correct procedures, rules, mechanisms, or algorithms used by an e-mail provider to prevent innocents from getting slammed with lots of NDRs, some of which might actually contain a copy of the original message (so the spam gets delivered by the e-mail provider abused by the spammer). Even if the abetted spam delivery is not to be reported through SpamCop, should the sending mail service still be alerted with a complaint that they are spewing out NDRs to innocents simply because the spammer's current false e-mail addresses are for those innocents until such time that the sending mail service institutes "correct procedures"? Also, just because it looks like an NDR doesn't mean it really is an NDR. It just might be spam in disguise. The sending server (the "from" host) in the last Received header (added by my mail server) might itself be the spam source and their "spam" is a fake NDR with the spam attached or included inline. 
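
Added example, not part of any list message: a toy Python model of a receiving mail server under the two behaviours this thread contrasts, accepting and bouncing later versus rejecting during the SMTP transaction, fed the same worm run with a forged sender. The class and function names, addresses and IPs are all constructed for illustration.

```python
"""Toy receiving MTA under two policies. All addresses and IPs are constructed."""

LOCAL_USERS = {"alice@example.org", "bob@example.org"}  # mailboxes that exist
FORGED_SENDER = "victim@example.net"                    # innocent third party
ZOMBIE_IP = "192.0.2.55"                                # infected host that connects


class Receiver:
    def __init__(self, reject_in_session):
        self.reject_in_session = reject_in_session
        self.delivered = []   # (recipient, body) stored in a local mailbox
        self.new_mail = []    # NDRs this server originates after the session

    def transaction(self, client_ip, mail_from, rcpt_to, body):
        """One SMTP transaction; returns the reply lines the client sees."""
        # MAIL FROM cannot be verified from the connection, so it is accepted.
        replies = ["250 2.1.0 <%s> sender ok" % mail_from]
        accepted = []
        for rcpt in rcpt_to:
            known = rcpt.lower() in LOCAL_USERS
            if known or not self.reject_in_session:
                accepted.append(rcpt)
                replies.append("250 2.1.5 <%s> recipient ok" % rcpt)
            else:
                # Refused while the sending host is still connected.
                replies.append("550 5.1.1 <%s> user unknown" % rcpt)
        if not accepted:
            replies.append("554 5.5.1 no valid recipients")  # answer to DATA
            return replies
        replies.append("250 2.0.0 message accepted")
        for rcpt in accepted:
            if rcpt.lower() in LOCAL_USERS:
                self.delivered.append((rcpt, body))
            else:
                # Accepted, then found undeliverable. The connection is gone;
                # the only address left to notify is the forgeable MAIL FROM.
                self.new_mail.append(
                    {"to": mail_from, "about": rcpt, "came_from": client_ip})
        return replies


def worm_run(server, n):
    """Infected host mails n guessed addresses using a forged sender.

    Returns how many transactions the connecting host itself saw refused."""
    refused = 0
    for i in range(n):
        replies = server.transaction(
            ZOMBIE_IP, FORGED_SENDER, ["guess%d@example.org" % i], "worm payload")
        if any(line.startswith("5") for line in replies):
            refused += 1
    return refused


def compare(n=50):
    """Same traffic against both policies; who ends up holding the failures?"""
    result = {}
    for name, policy in (("accept_then_bounce", False),
                         ("reject_in_session", True)):
        server = Receiver(reject_in_session=policy)
        refused = worm_run(server, n)
        # One legitimate message, to show normal delivery is unaffected.
        server.transaction("198.51.100.7", "carol@example.com",
                           ["alice@example.org"], "hello")
        result[name] = {
            "ndrs_to_forged_sender": sum(
                1 for m in server.new_mail if m["to"] == FORGED_SENDER),
            "refused_at_connecting_host": refused,
            "legit_delivered": len(server.delivered),
        }
    return result


if __name__ == "__main__":
    for policy, counts in compare().items():
        print(policy, counts)
```

Under the accept-then-bounce policy every failure becomes new mail to the forged address; under the in-session policy the same failures stay with the host that connected and the server originates nothing.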
From nobody at nowhere.invalid Fri May 20 21:44:16 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri May 20 14:45:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: On Fri, 20 May 2005 11:13:11 -0700, Mike Richter coughed into spamcop and left this in : > No, do not report them as spam; they are not spam. They are certainly > not bulk, since each is sent individually - though it is incorrectly > addressed. They are clearly not "commercial" either. They do not qualify. Actually, they do. http://mailsc.spamcop.net/fom-serve/cache/14.html -- Steve #define BITCOUNT(x) (((BX_(x)+(BX_(x)>>4)) & 0x0F0F0F0F) % 255) #define BX_(x) ((x) - (((x)>>1)&0x77777777) - (((x)>>2)&0x33333333) - (((x)>>3)&0x11111111)) -- really weird C code to count the number of bits in a word From Merlyn at Spamcop.net Fri May 20 15:44:35 2005 From: Merlyn at Spamcop.net (Merlyn) Date: Fri May 20 14:45:13 2005 Subject: [SpamCop-List] Re: XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US References: Message-ID: "Steve Johnson" wrote in message news:mailman.7.1116611384.169.spamcop-list@news.spamcop.net... > > Yes the traceroute absolutely confirms it's XO's block. I talked to XO > and they had > the nerve to referr me to 'ARIN' and they said they checked ARIN while I > was on the > phone & told me 'well sorry Arin says this is not XO's IP'... I laughed > like hell & > told them they are so pathetic, etc., and asked if this is their only way > they can > look up their own IP's???!!! I then referred them to a CIDR report - > > http://www.cidr-report.org/cgi-bin/as-report?as=as2828 > 69.67.72.0/21 4637 2828 > > - or told them to try a simple traceroute, there was no real response & as > usual I > got no where so anyone who has had luck with XO I congradulate you! 
> > If anyone's interested I've been forwarding email complaints to the "VA > Attorney > General" in case by chance someone out there in govt is interested: > CONSUMER at OAG.State.VA.US > > Steve. > > According to Arin: Whois query whois.arin.net by IP address: '69.67.72.0' 'whois -h whois.arin.net 69.67.72.0' Whoa USA Inc WHOA-USA-INC (NET-69-67-64-0-1) Roger Graves DATAMONITOR-BUSSINESS-INFORMATION (NET-69-67-72-0-1) 'whois -h whois.arin.net NET-69-67-72-0-1' Whois query whois.arin.net by CustName: 'Roger Graves' 'whois -h whois.arin.net Roger Graves' Roger Graves DATAMONITOR-BUSSINESS-INFORMATION (NET-69-67-72-0-1) 69.67.72.0 - 69.67.72.255 Roger Graves Dba SBC066140139192030217 (NET-66-140-139-192-1) 66.140.139.192 - 66.140.139.199 # ARIN WHOIS database, last updated 2005-05-19 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. Like Mike said, >> I don't understand [exactly] what/how much XO has to 'do with' etc..... Looks like these netblocks are registered to whomever ARIN says they are registered to. They are not registered to XO according to ARIN Block em and forget em! -- Regards, Merlyn A Spamcop advocate No emails this account is for newsgroups only People demand freedom of speech to make up for the freedom of thought which they avoided From MikeE at ster.invalid Fri May 20 12:55:33 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri May 20 15:00:02 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: Vanguard wrote: > Is "backscatter" when a mail server spews out bounces for > undeliverable e-mail but sends it to the falsified e-mail address > used by the spam source? Yes. > A spammer spews their crap and uses my > e-mail address. The destination is invalid so that mail server > rejects it. Not rejects. The server accepts the item and that is the end of that transaction. The opportunity to reject was missed. 
Then, the server is 'standing there' holding an item and it doesn't know what to do with it. So it 'decides' to create a newmail addressed to the From. That is very stupid and abusive server behavior. > Instead of using the Received headers to determine that > the From, Reply-To, Return-Path, or Sender are valid, they often just > use those fields to spew back their NDR (non-delivery report). The NDR gets addressed to some bogus address > Sometimes the NDR has the spam attached and sometimes not. How > should these unintelligently delivered bounces be handled as regard > to them being spam or not? They are spamcop reportable as 'spamcop spam'. Whether one wants to argue about various definitions of spam or not, the issue as regards spamcop is whether or not it is reportable. Not all forms of unwanted email abuse fit the same spam definitions -- so, if we skip over the 'spam' term then we can just say that backscatter is spamcop reportable -- whatever it is. Virus propagations are also spamcop reportable - whatever they are. We can't call everything we don't want in our mailbox 'spam' because there are so many different kinds of spam already. -- Mike Easter kibitzer, not SC admin From Vanguard at domain.invalid Fri May 20 15:01:10 2005 From: Vanguard at domain.invalid (Vanguard) Date: Fri May 20 15:05:02 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: "Steven Maesslein" wrote in message news:slrnd8sc00.7d3.nobody@127.0.0.1... > On Fri, 20 May 2005 11:13:11 -0700, Mike Richter coughed into spamcop > and left this in : > >> No, do not report them as spam; they are not spam. They are certainly >> not bulk, since each is sent individually - though it is incorrectly >> addressed. They are clearly not "commercial" either. They do not >> qualify. > > Actually, they do. > > http://mailsc.spamcop.net/fom-serve/cache/14.html What *is* the definition of "backscatter"? 
I've Googled around and haven't found anything that seems appropriate. I know some of the DNSBLs will list an ISP or e-mail provider due to backscatter. I'm only guessing that spewing out unintelligently routed NDRs, especially if they include the original spam as an attachment or inline of the body, is what is this backscatter that I see mentioned. I cannot visit the provided link since that requires logging in (which might require having a SpamCop *e-mail* account). I only have the freebie reporting account. So I don't what might be discussed at that link. I did find: http://www.spamcop.net/fom-serve/cache/14.html so maybe it has the same content. It says not to report spam for "Email that is obviously sent innocently to an incorrect address." I don't see that qualifies for an e-mail provider that is re-spewing spam back to a falsified e-mail address. The e-mail provider is obviously not innocent regarding spammer tricks. It does say to report spam to "misdirected bounces". Okay, but can SpamCop's parser actually handle NDR's whether they are legit bounces or disguised spam? Should I bother if the original message (i.e., spam) is not included as an attachment or inline with the body of the message? From Vanguard at domain.invalid Fri May 20 15:06:54 2005 From: Vanguard at domain.invalid (Vanguard) Date: Fri May 20 15:10:02 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: "Vanguard" wrote in message news:d6lc5n$irb$1@news.spamcop.net... > "Steven Maesslein" wrote in message > news:slrnd8sc00.7d3.nobody@127.0.0.1... >> On Fri, 20 May 2005 11:13:11 -0700, Mike Richter coughed into spamcop >> and left this in : >> >>> No, do not report them as spam; they are not spam. They are >>> certainly >>> not bulk, since each is sent individually - though it is incorrectly >>> addressed. They are clearly not "commercial" either. They do not >>> qualify. >> >> Actually, they do. 
>> >> http://mailsc.spamcop.net/fom-serve/cache/14.html > > > What *is* the definition of "backscatter"? I've Googled around and > haven't found anything that seems appropriate. I know some of the > DNSBLs will list an ISP or e-mail provider due to backscatter. I'm > only guessing that spewing out unintelligently routed NDRs, especially > if they include the original spam as an attachment or inline of the > body, is what is this backscatter that I see mentioned. > > I cannot visit the provided link since that requires logging in (which > might require having a SpamCop *e-mail* account). I only have the > freebie reporting account. So I don't what might be discussed at that > link. I did find: > > http://www.spamcop.net/fom-serve/cache/14.html > > so maybe it has the same content. It says not to report spam for > "Email that is obviously sent innocently to an incorrect address." I > don't see that qualifies for an e-mail provider that is re-spewing > spam back to a falsified e-mail address. The e-mail provider is > obviously not innocent regarding spammer tricks. It does say to > report spam to "misdirected bounces". Okay, but can SpamCop's parser > actually handle NDR's whether they are legit bounces or disguised > spam? Should I bother if the original message (i.e., spam) is not > included as an attachment or inline with the body of the message? Ah, I see what are the "correct procedures" now. According to http://www.spamcop.net/fom-serve/cache/329.html: ---- Problem: Misdirected bounces Description: When a mail server accepts a message and later decides that it can't deliver the message, it is required to send back a bounce email to the sender of the original message. These bounce emails are often misdirected. Solution: Upgrade and/or configure your mail server software so that this situation is never encountered. Configure your software to either reject messages during delivery or accept them permanently. 
Do not let your software make choices about delivery after it has accepted a message. ---- So rejection on delivery is the solution rather than accepting on delivery and rejecting later. That forces the sending mail server to deliver an NDR back to the *connected* sender rather than rely on the receiving mail server to sometime later send the NDR to the *reported* sender. From steevian at yahoo.com Fri May 20 13:19:38 2005 From: steevian at yahoo.com (Steve Johnson) Date: Fri May 20 15:20:30 2005 Subject: [SpamCop-List] Re: XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US Message-ID: <20050520191938.83740.qmail@web51302.mail.yahoo.com> I don't see your point, are you really saying these are not XO's IP's?? FYI, ARIN is as good only as the info that it gets! Yes "according to ARIN" the info shows as it does, but that does not mean it is correct, there are many times when ARIN has outdated info or data, ARIN depends on ISP's to keep the info up to date and accurate!!! Normally ARIN receives correct and accurate info from a responsible ISP, in this case it looks like XO chooses to be a scum bag organization and send incorrect information to ARIN & are probably trying to hide the fact that they do own this block. CIDR and BGP are absolutely accurage & there's no hiding anything from their records, also a simple TRACEROUTE confirms that this block is owned by XO. XO has even confirmed this when pressed on the issue but will first try to lie their way out of it, and it looks like for the most part they are ignoring the thousands of complaints they are receiving from SPAM from this IP block. Steve. 
-------------

According to Arin:

Whois query whois.arin.net by IP address: '69.67.72.0'
'whois -h whois.arin.net 69.67.72.0'
Whoa USA Inc WHOA-USA-INC (NET-69-67-64-0-1)
Roger Graves DATAMONITOR-BUSSINESS-INFORMATION (NET-69-67-72-0-1)
'whois -h whois.arin.net NET-69-67-72-0-1'
Whois query whois.arin.net by CustName: 'Roger Graves'
'whois -h whois.arin.net Roger Graves'
Roger Graves DATAMONITOR-BUSSINESS-INFORMATION (NET-69-67-72-0-1) 69.67.72.0 - 69.67.72.255
Roger Graves Dba SBC066140139192030217 (NET-66-140-139-192-1) 66.140.139.192 - 66.140.139.199

# ARIN WHOIS database, last updated 2005-05-19 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Like Mike said,

>> I don't understand [exactly] what/how much XO has to 'do with' etc.....

Looks like these netblocks are registered to whomever ARIN says they are registered to.

They are not registered to XO according to ARIN

Block em and forget em!

--
Regards,
Merlyn

From usenet2 at DE.LETE.THISljvideo.com Fri May 20 21:00:21 2005
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Fri May 20 16:05:03 2005
Subject: [SpamCop-List] Re: URLs found by parser not being acted upon
References:
Message-ID:

Waiving the right to remain silent, Steven Maesslein said:

> BTW, for those in need of a laugh: http://www.spamis.cc/

That's an unreachable URL.

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail

The United States is the greatest country in the world..!
Twenty-five million illegal aliens can't be wrong.
From nobody at devnull.spamcop.net Fri May 20 16:03:48 2005 From: nobody at devnull.spamcop.net (Cat) Date: Fri May 20 16:05:14 2005 Subject: [SpamCop-List] Re: XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VAAttorney Gen: CONSUMER@OAG.State.VA.US In-Reply-To: References: Message-ID: Merlyn wrote: > Like Mike said, > > >>>I don't understand [exactly] what/how much XO has to 'do with' etc..... > > > Looks like these netblocks are registered to whomever ARIN says they are > registered to. > > They are not registered to XO according to ARIN > > Block em and forget em! They're a downstream of Xo. Unfortunately, the idiots at XO just look at the last IP then claim "it's not ours. I told the last guy I had on the phone to look one hop above that and read off the IP to him. Then he says, "Oh. Yeah, that IS ours. Whoever told you it wasn't was just looking at the last IP." From Kilgallen at SpamCop.net Fri May 20 16:05:40 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Fri May 20 16:10:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: In article , "Vanguard" writes: > "Steven Maesslein" wrote in message > news:slrnd8sc00.7d3.nobody@127.0.0.1... >> On Fri, 20 May 2005 11:13:11 -0700, Mike Richter coughed into spamcop >> and left this in : >> >>> No, do not report them as spam; they are not spam. They are certainly >>> not bulk, since each is sent individually - though it is incorrectly >>> addressed. They are clearly not "commercial" either. They do not >>> qualify. >> >> Actually, they do. >> >> http://mailsc.spamcop.net/fom-serve/cache/14.html > > > What *is* the definition of "backscatter"? I've Googled around and > haven't found anything that seems appropriate. I know some of the > DNSBLs will list an ISP or e-mail provider due to backscatter. 
> I'm only
> guessing that spewing out unintelligently routed NDRs, especially if
> they include the original spam as an attachment or inline of the body,
> is what is this backscatter that I see mentioned.

Including the original item is irrelevant.
Routing is irrelevant.

The only entity that should be sending _email_ about non-delivery is the putative sender's own email server, in response to an inline reject during the SMTP dialog. That server has the wherewithal to determine whose mail was rejected and notify that originator in the proper manner. For some systems that notification may be other than by email.

From nobody at devnull.spamcop.net Fri May 20 16:18:30 2005
From: nobody at devnull.spamcop.net (Cat)
Date: Fri May 20 16:20:03 2005
Subject: [SpamCop-List] Re: XO.COM Block: 69.67.72.0/21 - "Consumer Research Corp" SPAM -- VA Attorney Gen: CONSUMER@OAG.State.VA.US
In-Reply-To:
References:
Message-ID:

(Top posting corrected)

Steve Johnson wrote:

> Mike Easter wrote:
>
>>Steve Johnson wrote:
>>
>>
>>>>Is anyone else getting SPAM from this XO block: 69.67.72.0/21 and
>>>>also had any luck with XO as far as even a response?
>>
>>
>>I don't understand [exactly] what/how much XO has to 'do with'
>>69.67.72.0/21, except for being the notify in the routing for
>>69.67.72.0/24 because they are the notify for AS2828 because the
>>69.67.64.0/20 which is Whoa is spewed and spamhaused.
>
>
>
>
> In traceroute, XO is the direct upstream from the spammer. The last IP
> in traceroute is the spammer with the one directly above that being XO,
> so they definitely get connectivity through XO. There's no one else to
> notify in between those. I've had 82 unsolicited e-mails from them in
> the past few weeks, and I'm absolutely sick of it.
>
> -----
>
>
>
>>That is incorrect/wrong.
>>
>>Spamhaus /is/ listing the XO 206.173.204.234 rDNS
>>206.173.204.234.ptr.us.xo.net for routing the Whoa in SBL26626
>
>
> Yeah, I had wondered why you originally said it wasn't in there/
>
>
>
>>You are correct. XO is spamhaus listed for routing the Whoa.and for
>>being the AS2828 for Whoa's spamhaus [and spewed] space.
>
>
>
> I finally got someone on the phone today at XO with half a brain who
> actually admitted that their abuse admins were only looking at the last
> IP in traceroute, ignoring that the next hop up is XO. I also reminded
> him about their Spamhaus SBL listing because of this spammer. His reply,
> "Yes, we know about that. There isn't an ISP that isn't listed in there."
> Yes the traceroute absolutely confirms it's XO's block. I talked to XO and they had
> the nerve to refer me to 'ARIN' and they said they checked ARIN while I was on the
> phone & told me 'well sorry Arin says this is not XO's IP'... I laughed like hell &
> told them they are so pathetic, etc., and asked if this is their only way they can
> look up their own IP's???!!! I then referred them to a CIDR report -
>
> http://www.cidr-report.org/cgi-bin/as-report?as=as2828
> 69.67.72.0/21 4637 2828
>
> - or told them to try a simple traceroute, there was no real response & as usual I
> got nowhere so anyone who has had luck with XO I congratulate you!
>
> If anyone's interested I've been forwarding email complaints to the "VA Attorney
> General" in case by chance someone out there in govt is interested:
> CONSUMER at OAG.State.VA.US
>
> Steve.

You aren't quoting correctly. I posted the above in reply to Mike Easter, but you're incorrectly attributing those comments to him. Part of the problem here is that you insist on top posting your replies.

Please do not top post. Most of the posters here read these messages through a newsgroup.
When you have conversation in a forum such as this, it's much easier to keep the conversation in logical order if you post your own comments in line below each quoted point and snip out the parts you aren't replying to. Notice how the others here post their comments in line below the points they're quoting and snip out the rest. Also, proper author attribution and >> both help.

Now to reply to your actual post, if you read the other posts in this thread (which would be made easier if you would subscribe to the newsgroup instead of reading through the mailing list), you'll notice that Mike admitted he was mistaken about the IPs and that the part you quoted above was my reply to him not his reply. He did look at that again and realize that the last IP above the spammer IP was XO, which proves that XO provides connectivity as the spammer's upstream.

-Cat

From nobody at devnull.spamcop.net Fri May 20 16:22:31 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 20 16:25:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

"Vanguard" wrote in message news:d6lc5n$irb$1@news.spamcop.net...
>
> What *is* the definition of "backscatter"? I've Googled around and
> haven't found anything that seems appropriate.

One set of definitions provided in the SpamCop Glossary,
found as link in the Forum FAQ ... presently it's the first
item in that Topic as a matter of fact ... see
"Backscatter, Blowback, Misdirected Bounces" in
http://forum.spamcop.net/forums/index.php?showtopic=2530

From Kilgallen at SpamCop.net Fri May 20 16:43:10 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Fri May 20 16:45:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

In article , "WazoO" writes:
> "Vanguard" wrote in message
> news:d6lc5n$irb$1@news.spamcop.net...
>>
>> What *is* the definition of "backscatter"? I've Googled around and
>> haven't found anything that seems appropriate.
>
> One set of definitions provided in the SpamCop Glossary,
> found as link in the Forum FAQ ... presently it's the first
> item in that Topic as a matter of fact ... see
> "Backscatter, Blowback, Misdirected Bounces" in
> http://forum.spamcop.net/forums/index.php?showtopic=2530

And here I thought I had killfiled those who promote the web forum rather than answering questions...

From nobody at nowhere.invalid Fri May 20 23:55:15 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri May 20 17:00:03 2005
Subject: [SpamCop-List] Re: URLs found by parser not being acted upon
References:
Message-ID:

On Fri, 20 May 2005 20:00:21 +0000 (UTC), Larry J. coughed into spamcop and left this in :
> Waiving the right to remain silent, Steven Maesslein
> said:
>
>> BTW, for those in need of a laugh: http://www.spamis.cc/
>
> That's an unreachable URL.

Works fine from here.

$ dig www.spamis.cc

; <<>> DiG 9.3.0 <<>> www.spamis.cc
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7052
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.spamis.cc. IN A

;; ANSWER SECTION:
www.spamis.cc. 14373 IN A 210.51.197.71

;; AUTHORITY SECTION:
spamis.cc. 14373 IN NS ns2.steadypimpin.com.
spamis.cc. 14373 IN NS ns1.steadypimpin.com.

;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri May 20 22:51:58 2005
;; MSG SIZE rcvd: 99

Mind you, it's on China Netcom so you could have firewalled it completely from where you are. I just shut off my port 25 from them.

--
Steve
There's no place like ~

From nobody at devnull.spamcop.net Fri May 20 17:27:33 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri May 20 17:30:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

"Larry Kilgallen" wrote in message news:qeEUZu7Ij2eC@eisner.encompasserve.org...
> In article , "WazoO" writes:
> > "Vanguard" wrote in message
> > news:d6lc5n$irb$1@news.spamcop.net...
> >>
> >> What *is* the definition of "backscatter"? I've Googled around and
> >> haven't found anything that seems appropriate.
> >
> > One set of definitions provided in the SpamCop Glossary,
> > found as link in the Forum FAQ ... presently it's the first
> > item in that Topic as a matter of fact ... see
> > "Backscatter, Blowback, Misdirected Bounces" in
> > http://forum.spamcop.net/forums/index.php?showtopic=2530
>
> And here I thought I had killfiled those who promote the web forum
> rather than answering questions...

Whatever ... of note is that the same user has in fact been posting in both locations also. As a matter of fact, I had just replied to one of his posts "over there" with some feedback I'd just received from Ellen on his query about Report History data ... So as he was already "in the vicinity" and couldn't seem to apply a Google search ...?????

Geeze Larry, even your infamous "would send" response is in that FAQ ....

From spam at spam.no.not.spam Sat May 21 01:29:36 2005
From: spam at spam.no.not.spam (sparkle)
Date: Fri May 20 18:30:02 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

Mike Richter mrichter@cpl.net, wrote in message 6l9bh$gnp$1@news.spamcop.net:

> Vanguard wrote:
>> Is "backscatter" when a mail server spews out bounces for
>> undeliverable e-mail but sends it to the falsified e-mail address
>> used by the spam source? A spammer spews their crap and uses my
>> e-mail address. The destination is invalid so that mail server
>> rejects it. Instead of using the Received headers to determine that
>> the From, Reply-To, Return-Path, or Sender are valid, they often
>> just use those fields to spew back their NDR (non-delivery report).
>> Sometimes the NDR has the spam attached and sometimes not.
>> How
>> should these unintelligently delivered bounces be handled as regard
>> to them being spam or not?
>
> From a (mostly) happy SpamCop user, not an official.
>
> No, do not report them as spam; they are not spam. They are certainly
> not bulk, since each is sent individually - though it is incorrectly
> addressed. They are clearly not "commercial" either. They do not
> qualify.

You're an idiot. I asked the question and a nice person who knows far more than you do gave me a link to SC. Abusive bounces are reportable as spam to spamcop because they are a big problem.

Maybe you should learn your shit before you try to proudly display that you don't know your shit at all.

:) xxx

From kjz at despammed.com Sat May 21 01:31:00 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Fri May 20 18:35:02 2005
Subject: [SpamCop-List] Re: Unregistered subdomains?
In-Reply-To:
References:
Message-ID:

eddie wrote:

> I just got a spew with the following URL
> http://[random].orangeiagce.com

BTW, of course it's Leo again:

orangeiagce.com ---> 61.28.55.41 ---> SBL27144 ---> Leo Kuvayev /Bad Cow

- kjz

From nstrom at ananzi.co.za Fri May 20 21:12:33 2005
From: nstrom at ananzi.co.za (Nathan Strom)
Date: Fri May 20 20:15:02 2005
Subject: [SpamCop-List] Re: URLs found by parser not being acted upon
References:
Message-ID:

On Fri, 20 May 2005 11:24:53 +0200, Steven Maesslein wrote in :

>It seems to me that most of these URLs not being acted upon are URLs
>spamvertised in mortgage spam. Isn't Robert Soloway responsible for a
>huge chunk of this? If so, the lack of action from SpamCop could have
>something to do with Soloway's ongoing "problems" with Microsoft...

I'm seeing this too, frequently with the following spamvertised URLs:

http://ecomomics.net/
http://www.h1gh3r.com/

FWIW, I've had a spamcop account for a few years, and started using it again a few days ago after a long break. I noticed that if I keep reloading the parse page, eventually it will figure out the URLs.
I'm sure Julian doesn't want the bandwidth hit from all the reloading, so hopefully this bug should get fixed sometime soon.

From nstrom at ananzi.co.za Fri May 20 21:40:22 2005
From: nstrom at ananzi.co.za (Nathan Strom)
Date: Fri May 20 20:40:02 2005
Subject: [SpamCop-List] Re: usen.ad.jp ??
References:
Message-ID:

On Wed, 18 May 2005 16:13:49 -0400, "Dwayne Conyers" wrote in :

>
>
>Is this a Japanese spam outfit -- u send ad ???

Nope, USEN is a major Japanese cable company and broadband ISP. Your standard fare, 100mbit home connections for USD$30 a month :)

They're a legit ISP, and are probably more likely to hold open proxies than professional spammers, though you never know.

From not at home.today Sat May 21 03:01:18 2005
From: not at home.today (Ant)
Date: Fri May 20 21:05:02 2005
Subject: [SpamCop-List] Re: URLs found by parser not being acted upon
References:
Message-ID:

"Nathan Strom" wrote:

> On Fri, 20 May 2005 11:24:53 +0200, Steven Maesslein
> wrote in :
>
>>It seems to me that most of these URLs not being acted upon are URLs
>>spamvertised in mortgage spam. Isn't Robert Soloway responsible for a
>>huge chunk of this? If so, the lack of action from SpamCop could have
>>something to do with Soloway's ongoing "problems" with Microsoft...

He's made an appearance in NANAE. Popcorn sales have rocketed!

> I'm seeing this too, frequently with the following spamvertised URLs:

Same here.

> http://ecomomics.net/

China Railway Telecoms.

> http://www.h1gh3r.com/

Heilongjiang province, China NetCom.

Both unresponsive. I wonder if SC is limiting the number of reports sent to these, seeing that it's pointless traffic? If so, I wish the parser would say so.

> FWIW, I've had a spamcop account for a few years, and started using it again a
> few days ago after a long break. I noticed that if I keep reloading the parse
> page, eventually it will figure out the URLs.
> I'm sure Julian doesn't want the
> bandwidth hit from all the reloading, so hopefully this bug should get fixed
> sometime soon.

For some value of "soon". I first mentioned this in mid-March.

From nobody at xyzzy.claranet.de Sat May 21 04:42:40 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri May 20 21:50:04 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID: <428E9210.7AF@xyzzy.claranet.de>

sparkle wrote:

> You're an idiot.

No, he's not.

> Abusive bounces are reportable as spam
..^^^^^^^
Abusive. Like say "I know it's a mail worm, but I bounce it".
Or "I know it's spam, but I bounce it". Or "I know that the
address is forged, but bouncing is no big problem on my side".

That's abusive. But if all you know is "no such user here" it
starts to get messy, kill legit mail only because there was a
typo in the To-address ? Many mailers can reject mail to
unknown users (=> no backscatter), but have a serious problem
with "user over quota" (=> backscatter).

> Maybe you should learn your shit before you try to proudly
> display that you don't know your shit at all.

The "shit" as you say was changed this year, and the shitty FAQ page says very clearly that users should use SPF (or DK) to protect their addresses against forgery.

If you have no SPF FAIL policy the receiver normally cannot know which case it is, typo or abuse. So IMHO you SHOULD NOT report unless you have a FAIL policy, or if the receiver must know that it's abusive.

Bye, Frank

From nobody at xyzzy.claranet.de Sat May 21 05:30:25 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri May 20 22:40:02 2005
Subject: [SpamCop-List] Re: bounce spam
References:
Message-ID: <428E9D41.1C3@xyzzy.claranet.de>

geo_splash_12 wrote:

> is this right what they are suggesting?
> Should I not respond to these crazy bounce spams and delete
> them right away?

>| We have bounced a lot of mail that was sent to us from a
>| spoofed IP-address

That answers the first question, "spoofed IP-address" is almost always bad science fiction, if it's about mail.

For your second question I propose that you protect your domain with a SPF FAIL sender policy. If they then still bounce it to you instead of rejecting it report it as the spam it is.

In theory SC allows to report "backscatter" even without a SPF FAIL policy. That was an utterly dubious move, SMTP without most bounces does not work reliably.

Bye, Frank
--
http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/gv00329e.html

From spam at spam.no.not.spam Sat May 21 06:34:40 2005
From: spam at spam.no.not.spam (sparkle)
Date: Fri May 20 23:35:04 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References: <428E9210.7AF@xyzzy.claranet.de>
Message-ID:

Frank Ellermann nobody@xyzzy.claranet.de, wrote in message 28E9210.7AF@xyzzy.claranet.de:

> IMHO

Who cares?

:) xxx

From eddie at eddie.web Sat May 21 00:39:04 2005
From: eddie at eddie.web (eddie)
Date: Fri May 20 23:40:02 2005
Subject: [SpamCop-List] Re: spoof@ebay.com refuses SC reports???
References:
Message-ID:

On Thu, 19 May 2005 23:51:30 -0400, John E. Malmberg scratched out the following:

> eddie wrote:
>> Well then I hope these phishes cause some people to sue eBay I have
>> never used eBay, never will, and this is certainly one reason why To not
>> accept a report detailing a phish? Since this is eBay's policy, from now
>> on I will not even report an eBay phish to the sender's ISP or the ISP
>> of the URL. Let eBay eat cake. I will ignore them, as they choose to
>> ignore SC. I will simply delete eBay phish scams with no reporting at
>> all.
>
> According to what can be determined from reading the instructions
> at ebay:
>
> The spoof(at)ebay.com and paypal.com addresses are parsers that can only
> deal with messages forwarded to them intact in the same way that spam can
> be forwarded to spamcop.net
>
> These addresses can not deal with spamcop.net formatted reports and if you
> send them anything other than the spam in the format that the ebay/paypal
> parser expects it will simply send an auto-reply that it could not parse
> the message.
>
> -John
> wb8tyw@qsl.network
> Personal Opinion Only

Thanks for the info. My rule is simple. If someone will not accept an SC report copied to them, then why should I go out of my way to help them? They, not I are the ones being scammed. I never fall for this stuff. It should be in their best interest to accept any and all legit information that would help them do business and avoid scams, phishes, etc. It's up to the eBays of the world to accept an SC report and then, if necessary, contact me directly. But for me to go out of my way? Never. I am attempting to do them a favor and they reject it, so I accept their rejection and no longer bother informing them at all. If it's an account or bank that I actually use or do business with, I will report it, but eBay? Forget it. I personally consider them and Paypal unworthy of attention.

--
Once movie theaters gave out steak knives
Today they confiscate them

From Kilgallen at SpamCop.net Fri May 20 23:41:28 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Fri May 20 23:45:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References: <428E9210.7AF@xyzzy.claranet.de>
Message-ID:

In article <428E9210.7AF@xyzzy.claranet.de>, Frank Ellermann writes:

>> Abusive bounces are reportable as spam
> ..^^^^^^^
> Abusive. Like say "I know it's a mail worm, but I bounce it".
> Or "I know it's spam, but I bounce it".
> Or "I know that the
> address is forged, but bouncing is no big problem on my side".
>
> That's abusive. But if all you know is "no such user here" it
> starts to get messy, kill legit mail only because there was a
> typo in the To-address ? Many mailers can reject mail to
> unknown users (=> no backscatter), but have a serious problem
> with "user over quota" (=> backscatter).

If there is such a defect in software, it should be corrected.

From baloo at ursine.ca Fri May 20 21:48:25 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Sat May 21 00:10:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID: <9ln2m2-57q.ln1@ursine.ca>

Vanguard wrote:

> Is "backscatter" when a mail server spews out bounces for undeliverable
> e-mail but sends it to the falsified e-mail address used by the spam
> source?

It's not spam, but it is something you should probably make the postmaster there aware of, especially since there's a way to do that that *doesn't* backscatter. http://ursine.ca/Rejecting_Viruses_The_Right_Way

> A spammer spews their crap and uses my e-mail address. The
> destination is invalid so that mail server rejects it. Instead of using
> the Received headers to determine that the From, Reply-To, Return-Path,
> or Sender are valid, they often just use those fields to spew back their
> NDR (non-delivery report). Sometimes the NDR has the spam attached and
> sometimes not.

No, what postmasters should *really* be doing is making their mail servers do all the sanity checking for mail at SMTP time instead of accepting it and changing their mind after the fact like the RFCs tell you. Nothing should be getting a 250 after DATA unless it's been through a virus scanner (if virus positive, then 554 or 550) and is a valid user (otherwise 550 it). If you can't do that, 450 time.

--
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From mrichter at cpl.net Fri May 20 23:00:12 2005
From: mrichter at cpl.net (Mike Richter)
Date: Sat May 21 01:05:02 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
In-Reply-To:
References: <428E9210.7AF@xyzzy.claranet.de>
Message-ID:

Larry Kilgallen wrote:

> In article <428E9210.7AF@xyzzy.claranet.de>, Frank Ellermann writes:
>
>
>>>Abusive bounces are reportable as spam
>>
>>..^^^^^^^
>>Abusive. Like say "I know it's a mail worm, but I bounce it".
>>Or "I know it's spam, but I bounce it". Or "I know that the
>>address is forged, but bouncing is no big problem on my side".
>>
>>That's abusive. But if all you know is "no such user here" it
>>starts to get messy, kill legit mail only because there was a
>>typo in the To-address ? Many mailers can reject mail to
>>unknown users (=> no backscatter), but have a serious problem
>>with "user over quota" (=> backscatter).
>
>
> If there is such a defect in software, it should be corrected.

Indeed, it should - but many things (e.g., pathogens) should be acted on but are not reportable via SC. In fact, I said:
"You can always try to have the offending ISP correct its procedures, but don't hold your breath for action."

Again, the bounce itself is not spam. I cannot follow the link; though I have a paid account, it is only for WWW reporting and does not work on the mail server.

Mike
--
mrichter@cpl.net
http://www.mrichter.com/

From nobody at devnull.spamcop.net Sat May 21 01:54:02 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Sat May 21 01:55:02 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References: <428E9210.7AF@xyzzy.claranet.de>
Message-ID:

"Mike Richter" wrote in message news:d6mf8l$8td$1@news.spamcop.net...
>
> Again, the bounce itself is not spam. I cannot follow the link; though I
> have a paid account, it is only for WWW reporting and does not work on
> the mail server.

http://mailsc.spamcop.net/fom-serve/cache/14.html
is the same page seen at
http://www.spamcop.net/fom-serve/cache/14.html

From wb8tyw at qsl.network Sat May 21 03:06:25 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Sat May 21 02:10:02 2005
Subject: [SpamCop-List] Re: spoof@ebay.com refuses SC reports???
In-Reply-To:
References:
Message-ID:

eddie wrote:
>
> Thanks for the info. My rule is simple. If someone will not accept an SC
> report copied to them, then why should I go out of my way to help them?

Those spoof reporting e-mail addresses are not a "someone" it is just an automatic parser that only accepts a very simple to forward format.

Would you try to notify the deputies of a problem by e-mailing to your spamcop.net reporting e-mail address?

Ebay and Paypal want to do their own processing of the unmunged spam so all it takes is forwarding the spam as attachment to them at the same time that it is submitted to the FTC refrigerator.

Now if you are complaining about an abuse or postmaster addresses refusing a report and making you jump through hoops, then I would agree that domain deserves a listing in RFC-IGNORANT.ORG.

I really do not care about ebay or paypal, what I am concerned about is making problems for the spammers, and forwarding the phishes to the spoof address is just part of that.

I also submit the source IPs for open proxy testing, and if applicable to dialup pools. Both of those methods probably have more impact on blocking the spammer's spew to other networks than the spamcop.net listing.

-John
wb8tyw@qsl.network
Personal Opinion Only

From wb8tyw at qsl.network Sat May 21 03:15:55 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Sat May 21 02:20:02 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
In-Reply-To:
References: <428E9210.7AF@xyzzy.claranet.de>
Message-ID:

Mike Richter wrote:

> Indeed, it should - but many things (e.g., pathogens) should be acted on
> but are not reportable via SC.
> In fact, I said:
> "You can always try to have the offending ISP correct its procedures,
> but don't hold your breath for action."

Mike,

The rules have been officially changed, and both worms and worm-poop are now allowed to be reported through spamcop.net.

So are bounces to e-mail that the spam reporter did not cause to be sent.

http://www.spamcop.net/fom-serve/cache/14.html

-John
wb8tyw@qsl.network
Personal Opinion Only

From baloo at ursine.ca Sat May 21 01:49:31 2005
From: baloo at ursine.ca (Paul Johnson)
Date: Sat May 21 04:10:08 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References: <428E9210.7AF@xyzzy.claranet.de>
Message-ID:

John E. Malmberg wrote:

> Mike Richter wrote:
>
>> Indeed, it should - but many things (e.g., pathogens) should be acted on
>> but are not reportable via SC. In fact, I said:
>> "You can always try to have the offending ISP correct its procedures,
>> but don't hold your breath for action."
>
> Mike,
>
> The rules have been officially changed, and both worms and worm-poop are
> now allowed to be reported through spamcop.net.
>
> So are bounces to e-mail that the spam reporter did not cause to be sent.

Interesting...it's about time!

--
Paul Johnson
Email and Instant Messenger (Jabber): baloo@ursine.ca
http://ursine.ca/~baloo/

From spam at spam.no.not.spam Sat May 21 14:41:02 2005
From: spam at spam.no.not.spam (sparkle)
Date: Sat May 21 07:45:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References: <428E9210.7AF@xyzzy.claranet.de>
Message-ID:

Paul Johnson baloo@ursine.ca, wrote in message p53m2-9l3.ln1@ursine.ca:

> John E. Malmberg wrote:
>> The rules have been officially changed, and both worms and worm-poop
>> are now allowed to be reported through spamcop.net.
>>
>> So are bounces to e-mail that the spam reporter did not cause to be
>> sent.
>
> Interesting...it's about time!

I think it's an excellent idea.
ISPs should take more responsibility for continuing to allow infected machines to connect to their network. Many AUPs have 'network abuse' clauses - it's about time ISPs were forced to implement those clauses.

:) xxx

From Munger_joe at newsguy.com Sat May 21 09:09:38 2005
From: Munger_joe at newsguy.com (Munger Joe)
Date: Sat May 21 08:15:02 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

On Fri, 20 May 2005 14:06:54 -0500, "Vanguard" wrote:

>So rejection on delivery is the solution rather than accepting on
>delivery and rejecting later. That forces the sending mail server to
>deliver an NDR back to the *connected* sender rather than rely on the
>receiving mail server to sometime later send the NDR to the *reported*
>sender.

Fancy meeting you here. :-)

That's not quite how it works. The sending mailserver will have already accepted the email from the sender. When the destination server rejects the email, the sending server will then send a bounce (NDR) to the address the sender used in the Mail From command. Either way the bounce goes to the "reported" sender.

But, the spam with the forged sender addresses seldom goes through a sending mailserver, it gets sent by zombies. When it gets rejected by the destination server no bounce will be sent, the spammer will just move on to the next address in the list. Same thing when viruses use their own built in SMTP engine, when the destination server rejects it, that's the end of the story.

Joe

From BNRAGMAOKKXT at spammotel.com Sat May 21 13:51:55 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Sat May 21 08:55:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

sparkle on 20/05/2005 wrote:

> Abusive bounces are reportable as spam to
> spamcop because they are a big problem.

So how do you report them?
Whenever I have attempted to report them to SpamCop I get an error message from SC stating that it is a bounce and I should not report bounces and there is no option to continue reporting it.

Rob

From bar_n0ne at hotmail.com Sat May 21 18:07:19 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat May 21 09:10:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

"Canopus" wrote in message news:d6nata$n9m$1@news.spamcop.net...
> sparkle on 20/05/2005 wrote:
>
> > Abusive bounces are reportable as spam to
> > spamcop because they are a big problem.
>
> So how do you report them? Whenever I have attempted to report them to
> SpamCop I get an error message from SC stating that it is a bounce and
> I should not report bounces and there is no option to continue
> reporting it.
>
> Rob

It seems you haven't tried lately. I haven't seen "seems to be a bounce" complaints for some time now.

From spam at spam.no.not.spam Sat May 21 16:10:50 2005
From: spam at spam.no.not.spam (sparkle)
Date: Sat May 21 09:15:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

Canopus BNRAGMAOKKXT@spammotel.com, wrote in message 6nata$n9m$1@news.spamcop.net:

> sparkle on 20/05/2005 wrote:
>
>> Abusive bounces are reportable as spam to
>> spamcop because they are a big problem.
>
> So how do you report them?

Via email as an attachment. How do you report them?

:) xxx

> Whenever I have attempted to report them
> to SpamCop I get an error message from SC stating that it is a bounce
> and I should not report bounces and there is no option to continue
> reporting it.
>
> Rob

From MikeE at ster.invalid Sat May 21 07:28:22 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat May 21 09:30:03 2005
Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References:
Message-ID:

Munger Joe wrote:

> Fancy meeting you here.
:-) Thanks for dropping in -- I knew you would like it better than that forum ;-) -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sat May 21 17:52:13 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat May 21 10:55:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: <428E9210.7AF@xyzzy.claranet.de> Message-ID: <428F4B1D.7B46@xyzzy.claranet.de> sparkle wrote: >> IMHO > Who cares? Don't know. Maybe Julian if ISPs start to ignore SpamCop reports again, because "misdirected bounces" based on the say so of SC users without proper sender policy are abuse. SMTP does not work reliably without "good" bounces, it's a bit too simple for this idea. Receivers must get a fair chance to identify forgeries without heavy artillery like virus scanners analyzing the mail while it's still sent. From Munger_joe at newsguy.com Sat May 21 12:08:08 2005 From: Munger_joe at newsguy.com (Munger Joe) Date: Sat May 21 11:10:02 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: On Sat, 21 May 2005 06:28:22 -0700, "Mike Easter" wrote: >Munger Joe wrote: > >> Fancy meeting you here. :-) > >Thanks for dropping in -- I knew you would like it better than that >forum ;-) Lucky guess. ;-) The idea that spammers are delaying DNS lookups to foil filters that check body URLs against DNSBLs sounds pretty reasonable to me. Joe From mrichter at cpl.net Sat May 21 09:22:36 2005 From: mrichter at cpl.net (Mike Richter) Date: Sat May 21 11:25:02 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? In-Reply-To: References: <428E9210.7AF@xyzzy.claranet.de> Message-ID: John E. Malmberg wrote: > Mike Richter wrote: > >> Indeed, it should - but many things (e.g., pathogens) should be acted >> on but are not reportable via SC. In fact, I said: >> "You can always try to have the offending ISP correct its procedures, >> but don't hold your breath for action." 
> > > Mike, > > The rules have been officially changed, and both worms and worm-poop are > now allowed to be reported through spamcop.net. > > So are bounces to e-mail that the spam reporter did not cause to be sent. > > http://www.spamcop.net/fom-serve/cache/14.html Thank you - and thanks to WazoO as well. I have read the new rules and am the wiser for them. Mike -- mrichter@cpl.net http://www.mrichter.com/ From eddie at eddie.web Sat May 21 12:49:44 2005 From: eddie at eddie.web (eddie) Date: Sat May 21 11:50:02 2005 Subject: [SpamCop-List] Re: spoof@ebay.com refuses SC reports??? References: Message-ID: On Sat, 21 May 2005 02:06:25 -0400, John E. Malmberg scratched out the following: > eddie wrote: >> >> Thanks for the info. My rule is simple. If someone will not accept an SC >> report copied to them, then why should I go out of my way to help them? > > Those spoof reporting e-mail addresses are not a "someone" it is just an > automatic parser that only accepts a very simple to forward format. > > Would you try to notify the deputies of a problem by e-mailing to your > spamcop.net reporting e-mail address? > > Ebay and Paypal want to do their own processing of the unmunged spam so > all it takes is forwarding the spam as attachment to them at the same time > that it is submitted to the FTC refrigerator. > > Now if you are complaining about abuse or postmaster addresses refusing > a report and making you jump through hoops, then I would agree that domain > deserves a listing in RFC-IGNORANT.ORG. > > I really do not care about ebay or paypal, what I am concerned about is > making problems for the spammers, and forwarding the phishes to the spoof > address is just part of that. > > I also submit the source IPs for open proxy testing, and if applicable to > dialup pools. Both of those methods probably have more impact on blocking > the spammer's spew to other networks than the spamcop.net listing.
> > -John > wb8tyw@qsl.network > Personal Opinion Only I am not arguing about that. As I noted, if the spoof were directed to me because I had an account with the company being phished, I would take the time to report it. But since I am really only getting spammed by the phisher, I add an abuse address of the company the phish is targeting, and no more. If they don't accept it, that's their loss IMHO. Eventually the phisher will be stopped when a legit customer gets ripped off or complains directly to them. I am a spam-fighter and all the other stuff is secondary. If I were eBay, I would want to get reports from SC about phishing, and would parse SC reports for that term. If it is found, I would contact the person at SC and ask for more info. It's eBay's job, not mine. -- Once movie theaters gave out steak knives Today they confiscate them From Vanguard at domain.invalid Sat May 21 12:13:52 2005 From: Vanguard at domain.invalid (Vanguard) Date: Sat May 21 12:15:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: "Munger Joe" wrote in message news:lb6u8157amk50o4jd5r1i4a75saft2hutl@4ax.com... > On Fri, 20 May 2005 14:06:54 -0500, "Vanguard" > wrote: > >>So rejection on delivery is the solution rather than accepting on >>delivery and rejecting later. That forces the sending mail server to >>deliver an NDR back to the *connected* sender rather than rely on the >>receiving mail server to sometime later send the NDR to the *reported* >>sender. > > Fancy meeting you here. :-) I'm all over spreading my, um, fragrance. > That's not quite how it works. The sending mailserver will have > already accepted the email from the sender. True. I didn't address that since the concern was the receiving mail server as the accomplice that was sending back newmails as NDRs. > When the destination server > rejects the email, the sending server will then send a bounce (NDR) to > the address the sender used in the Mail From command.
Either way the > bounce goes to the "reported" sender. But the sending mail server had to accept the mail instead of reject it on delivery. At that point, it was then the receiving mail server and should have also rejected on delivery. I suppose a hacker could login using the correct credentials to queue up an outbound mail to an invalid destination e-mail address so the real owner of that account on that sending mail server would get the NDR from their own mail server, but that is a different problem and not a very big one, especially when compared against receiving mail servers that are sending out newmails as NDRs. > But, the spam with the forged > sender addresses seldom goes through a sending mailserver, it gets > sent > by zombies. When it gets rejected by the destination server no bounce > will be sent, the spammer will just move on to the next address in the > list. Presumably that means the sending mail server, which is a zombie, puts in a null value for the Return-Path header which tells the receiving mail server not to send a bounce. That would still eliminate getting the backscatter when the mail was attempting to get delivered to an invalid destination e-mail address. Even if the zombie didn't notify the receiving mail server not to bounce, it won't do anything with it because obviously it doesn't want to alert the user of the infected computer that they are running a trojan mailer daemon. For a bounce sent back due to a zombie sending the mail, and if the zombie used a bogus e-mail address, like reading them from the infected user's address book, should the receiving mail server send a bounce if the IP address of the sending mail server (aka zombie) doesn't provide an MX record to show there is a mail server there which that domain authorizes to send e-mail? I know AOL does something like this where they ask the sending domain if the IP address used to send the mail is for one of the mail servers allowed at that sending domain. 
The receiving host always knows the IP address of the sending host that connects to it. Also, why would a receiving mail server accept mails from an IP address that is dynamic (dial-up or cable/DSL)? I use SpamPal's MXblocking plug-in to eliminate any mails that are sourced from a dynamic IP address. This won't eliminate backscatter (coming back from a legit receiving mail server with a static IP address) but it eliminates the mail being sourced from a dial-up or cable/DSL broadband user (unless they get a static IP address). Obviously if SpamPal's plug-in can do it then so can an e-mail provider. Yeah, I know there are legitimate non-spamming users that want to run their own mail servers but in these days of high spam then they should be getting a static IP address (and some of those "legit" users of mail servers are actually violating their ISP's TOS regarding the running of servers). If they use a dynamic IP address, I won't be getting their mails. While some ISPs will block port 25 (or block it when some threshold is exceeded or spam reports filed), I would think they could also block sending mail servers that have dynamic IP addresses, or make it an option that the user could enable. If those running their own mail servers don't want to get lumped in with the zombies, they'll have to change to a static IP address. Would there be another solution for legit non-spamming servers so they could use dynamic IP addresses but NOT get lumped in with the zombies? I think Yahoo's DomainKeys requires the mail server user to also run a DNS server. However, why would someone using DomainKeys with an outbound signing MTA (or SPF instead) and a DNS server be using a dynamic IP address? -- ____________________________________________________________ ** Post your replies to the newsgroup - Share with others ** For e-mail Reply: remove "DELETE", add "~VN56~" to Subject. 
____________________________________________________________ From bill_beyer at excite.cXoYmZ Sat May 21 10:46:43 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Sat May 21 12:50:03 2005 Subject: [SpamCop-List] chinatietong Message-ID: A quick google of "chinatietong" came up with the following tidbit: "With a new leadership, Railcom plans to increase revenue by 30% a year and double profit in the next three years, telephone users 30% and 50% for broadband users. To achieve the goals, Railcom has set the strategy for competition with differentiated services and strengthening its position where it has an advantage, especially trunked radio, videoconferencing, MPLS VPN, Internet access and value added service. However, Railcom is suffering funding shortfall as it heavily relies on bank loans and carries a debt ratio of over 60%. Railcom is trying to sell stock to either domestic or foreign investors in 2-3 years to alleviate funding pressure. [www.chinatietong.com]" Evidently their growth plan includes taking as much money from spammers as possible and ignoring abuse reports. From Munger_joe at newsguy.com Sat May 21 14:44:20 2005 From: Munger_joe at newsguy.com (Munger Joe) Date: Sat May 21 13:50:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: On Sat, 21 May 2005 11:13:52 -0500, "Vanguard" wrote: >"Munger Joe" wrote in message >news:lb6u8157amk50o4jd5r1i4a75saft2hutl@4ax.com... >> On Fri, 20 May 2005 14:06:54 -0500, "Vanguard" >> wrote: >> >>>So rejection on delivery is the solution rather than accepting on >>>delivery and rejecting later. That forces the sending mail server to >>>deliver an NDR back to the *connected* sender rather than rely on the >>>receiving mail server to sometime later send the NDR to the *reported* >>>sender. >> >> Fancy meeting you here. :-) > >I'm all over spreading my, um, fragrance. > >> That's not quite how it works.
The sending mailserver will have >> already accepted the email from the sender. > >True. I didn't address that since the concern was the receiving mail >server as the accomplice that was sending back newmails as NDRs. Hmm. What did that bit about "the *connected* sender" mean? >> When the destination server >> rejects the email, the sending server will then send a bounce (NDR) to >> the address the sender used in the Mail From command. Either way the >> bounce goes to the "reported" sender. > >But the sending mail server had to accept the mail instead of reject it >on delivery. At that point, it was then the receiving mail server and >should have also rejected on delivery. Why? At that point it doesn't know that the recipient address is invalid. > I suppose a hacker could login >using the correct credentials to queue up an outbound mail to an invalid >destination e-mail address so the real owner of that account on that >sending mail server would get the NDR from their own mail server, but >that is a different problem and not a very big one, especially when >compared against receiving mail servers that are sending out newmails as >NDRs. In most cases like that the hacker could use any return address he wanted. But in most cases spam with forged return addresses doesn't go through legit mailservers. >> But, the spam with the forged >> sender addresses seldom goes through a sending mailserver, it gets >> sent >> by zombies. When it gets rejected by the destination server no bounce >> will be sent, the spammer will just move on to the next address in the >> list. > >Presumably that means the sending mail server, which is a zombie, puts >in a null value for the Return-Path header which tells the receiving >mail server not to send a bounce. No. If that's what they did there wouldn't be a backscatter problem. > That would still eliminate getting >the backscatter when the mail was attempting to get delivered to an >invalid destination e-mail address. 
Even if the zombie didn't notify >the receiving mail server not to bounce, it won't do anything with it >because obviously it doesn't want to alert the user of the infected >computer that they are running a trojan mailer daemon. Well, sending a bounce wouldn't alert the user any more than sending a spam. There's just no reason for a spammer to send an email informing someone he's forged that one of the emails he tried to send using his forged address didn't get delivered. You know? It just makes no sense at all. Also, you should look up what "mailer daemon" means. This next paragraph has my head spinning. >For a bounce sent back due to a zombie sending the mail, and if the >zombie used a bogus e-mail address, like reading them from the infected >user's address book, should the receiving mail server send a bounce The receiving server will only send a bounce after it has accepted the email and then finds that it won't/can't deliver it. If it refuses the email it won't send a bounce. > if >the IP address of the sending mail server (aka zombie) doesn't provide >an MX record IP addresses don't have MX records. MX records are about receiving email, not sending it. > to show there is a mail server there which that domain >authorizes to send e-mail? The receiving server should refuse the email if there's something about the sender it doesn't like. > I know AOL does something like this where >they ask the sending domain if the IP address used to send the mail is >for one of the mail servers allowed at that sending domain. Yes, that's what SPF is about. It looks at the domain in the sender email address, and does a DNS lookup on that domain to see which IP addresses are allowed to send email for that domain. A fair number of domains have created their SPF records, but hardly anyone has actually implemented SPF on their incoming servers. I'm not really sure if I was following what you were saying or not. Sometimes you type too fast for me. 
;-) Joe From bert at iphouse.com Sat May 21 18:52:51 2005 From: bert at iphouse.com (Bert Hyman) Date: Sat May 21 13:55:03 2005 Subject: [SpamCop-List] Re: spoof@ebay.com refuses SC reports??? References: Message-ID: In news:pan.2005.05.20.02.04.14.161000@eddie.web eddie wrote: > I will simply delete eBay phish scams with no reporting at all. Why not simply forward a copy to "spoof@ebay.com" at the same time you forward it to spamcop? Works for me. -- Bert Hyman St. Paul, MN bert@iphouse.com From MikeE at ster.invalid Sat May 21 12:39:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 21 14:40:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: Vanguard wrote: > "Munger Joe" >> "Vanguard" >> But, the spam with the forged >> sender addresses seldom goes through a sending mailserver, it gets >> sent >> by zombies. When it gets rejected by the destination server no bounce >> will be sent, the spammer will just move on to the next address in >> the list. > > Presumably that means the sending mail server, which is a zombie, puts > in a null value for the Return-Path header which tells the receiving > mail server not to send a bounce. Joe was saying the zombie is sending direct to mx. There is no 'sending server' - not that the sending server is a zombie. Everything that came after that sentence seemed to be talking about some sending server zombie. > Also, why would a receiving mail server accept mails from an IP > address that is dynamic (dial-up or cable/DSL)? I use SpamPal's > MXblocking plug-in to eliminate any mails that are sourced from a > dynamic IP address. There is such a thing as legitimate dul/ed mailservers. I wouldn't mind using a mxblocking plugin for spampal and whitelisting legitimate dul servers if one of them came along; however, from looking at the mxblocker plugin, it is outdated and doesn't permit proper updating. 
I would rather use njabl [which it does] and sorbs [which it doesn't] -- and the fact that it has stuff about osirus and easynet shows how badly it is outdated. He should have made it configurable for the dul blocklists which one wants. > Obviously if > SpamPal's plug-in can do it then so can an e-mail provider. The ability to custom configure an enduser spamfilter is a different kind of configuration than the provider's configuration of a server. The provider can't custom configure for every user the way a user can custom configure for themselves. The provider is trying to reject mail. The end user is tagging [or tagging for deletion] mail which has already been accepted and delivered. There's a big difference. > If they use a dynamic IP address, I won't be getting > their mails. Okey dokey. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sat May 21 15:02:10 2005 From: nobody at devnull.spamcop.net (Maggie's Mom) Date: Sat May 21 16:05:03 2005 Subject: [SpamCop-List] Pfizer spam? Message-ID: I get one - two spam mails daily, all of it spamvertises Pfizer pharmaceuticals (cialis, viagra, etc). According both to Spamcop and to my own nosing around, most of it has a source in Europe or South America, and the spamvertised websites are located in China. I report all of it dutifully via Spamcop, of course. But - since a supposedly reputable firm like Pfizer is concerned, I would like to know if it is OK to forward the messages, displaying full headers and web site addresses, to Pfizer. If I posted my question in a wrong place, please forgive, as I am for the most part a lurker, and hardly ever a poster for the lack of experience in spam fighting. Cheers! - Maggie's Mom. From Vanguard at domain.invalid Sat May 21 16:12:46 2005 From: Vanguard at domain.invalid (Vanguard) Date: Sat May 21 16:15:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam?
References: Message-ID: I was looking at the NDRs getting spewed out at the end (i.e., from the receiving mail server, the one that is the destination domain for the recipient e-mail address). The sending mail server just before that would get an immediate rejection. The destination mail server doesn't spew a newmail as an NDR. Instead the sending server before that spews the newmail NDR. I guess we're getting twisted up in what good mail servers do, what good mail servers should do, how to handle chaining (relaying), and what zombies do, so let's just discuss them as separate cases. ** Sender -> Recipient, NDR goes into sender's account, no backscatter A user sends an e-mail through their sending mail server but they had to authenticate to use it. Authentication could be logging in, reusing the POP3 login credentials, or just being authorized to use the network where the sending mail server is. The sending mail server (source) connects to the receiving mail server (destination) and attempts to transfer the message. During the mail session, the receiving mail server rejects the message as undeliverable. The receiving mail server never sends a newmail NDR. The newmail NDR that the sender gets in their mailbox is from their own mail server (i.e., the sending mail server issues the newmail NDR). If there is internal relaying going on within the source and destination domains, that isn't the source of the backscatter problem. The destination mail server doesn't issue a newmail NDR. The source server issues the newmail NDR into the *account* that was used to send the message. What are in the headers that the sender put into their message are irrelevant (since that is the *data* sent in the DATA command). The headers in the message are NOT used to deliver the newmail NDR. The sending mail server puts its newmail NDR in the sending account's mailbox.
In this scenario, the only way to get backscatter is if the receiving mail server issues newmail NDRs instead of immediately rejecting the mail on delivery (i.e., during the mail session). ** Zombie mailer -> Recipient, no NDR ever sent, no backscatter A trojan mailer program acting as an SMTP server (source) sends a message to a receiving mail server (destination). The receiving mail server rejects the delivery during the mail session. The receiving mail server never sent a newmail NDR so backscatter doesn't originate from there. The zombie doesn't listen for inbound e-mails, so even if the receiving mail server sent a newmail NDR then no one would get it and still no backscatter. After getting a rejection from the receiving mail server, the zombie isn't going to reveal itself by sending its own newmail NDR back to the user, so still no backscatter. It doesn't need to waste time employing a receiving mail server to see if the mail delivery got rejected and only then issue an NDR (which goes to somewhere else). The zombie is only going to spew newmail spam. It doesn't need "permission" from a receiving mail server (by a rejected delivery) to spew out its spam or bogus NDRs to disguise its spam. If the receiving mail server rejects on delivery, and since the zombie doesn't listen for inbound mails (so it won't bother resending NDRs sent to it), and because the zombie isn't spewing NDRs from the rejected mail session (since it would be spewing to those recipients in the first place), there wouldn't be a backscatter problem. That doesn't eliminate the zombie from spewing out its spam (which might be fake newmail NDRs) but that spam really isn't backscatter. It's just the original spam. Have you seen backscatter originate from zombied hosts? I've only seen it come from regular e-mail providers. ** 3rd party relay, backscatter still comes from receiving mail server Now comes the can of worms. 
I don't think backscatter occurs due to internal relaying of mails within a domain since those hosts are authorized to connect to each other. Even when a domain uses internal relaying, like to route mails to regional servers for their customers, the boundary server would still need to validate that the mail was deliverable in the first place (i.e., the boundary mail server knows that the recipient exists or not). Whatever receiving mail server connects to you would have to validate or reject delivery to prevent the problem of having to issue a newmail NDR from the final mail server that was disconnected from the mail session. For a large domain that uses internal relaying for regional distribution and load-balancing, are you sure that they have no way for their boundary server to validate delivery during the mail session with the sending host before handing it off to some internal relaying server? However, that's for internal relaying amongst cooperative and authorized servers. Your point is taken regarding 3rd party relaying where the mail must be accepted before it gets passed on. That's probably why SPF and Yahoo DomainKeys got proposed. Out of curiosity, and other than anonymizing your e-mail by bouncing it through [open] mail servers (which get abused if they don't authenticate the sender), what is the point of using a 3rd party relay or proxy when *sending* e-mail? For receiving e-mail, I see the chaining problem and having to accept the mail when forwarding gets used. The sending mail server (source) connects to the forwarding service's mail server which accepts the e-mail. Then the forwarding service's mail server (relay) connects to the receiving mail server (destination) and only then is it known if the mail is deliverable or not. Forwarding has also caused heated discussions regarding SPF, too, and I don't remember how or if they solved that issue. Maybe Yahoo DomainKeys, in signing the messages, fixes that problem.
The relay blindly accepts the mail so it doesn't issue an NDR to the sender. Then it attempts to deliver that mail to the receiving mail server that rejects it during the mail session. So the relay would have to issue the newmail NDR. If the relaying or forwarding mail server just blindly sends out its newmail NDR based on the headers in the message then they can be easily abused for backscatter by spammers, so that open relay can itself be made a spam source. So for relay or forwarding servers, how would you eliminate backscatter? They have to accept before they deliver. If the forwarding service only permitted the use of registered accounts where the user had to list a contact e-mail address that also got confirmed, and if it sent its newmail NDRs to that account's contact e-mail address rather than use the headers in the message, wouldn't that eliminate backscatter? Obviously unregistered or open relays have always been a problem regarding spam so blacklists help there. While I will agree there is some need for anonymous e-mail, that doesn't mean the front end (the sender side) needs to be anonymous, so the anonymizing mail service still knows to where it should deliver its newmail NDRs. From Kilgallen at SpamCop.net Sat May 21 16:43:36 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat May 21 16:45:03 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: Message-ID: In article , "Maggie's Mom" writes: > I get one - two spam mails daily, all of it spamvertises Pfizer > pharmaceuticals (cialis, viagra, etc). According both to Spamcop and to my > own nosing around, most of it has a source in Europe or South America, and > the spamvertised websites are located in China. > > I report all of it dutifully via Spamcop, of course. But - since a > supposedly reputable firm like Pfizer is concerned, I would like to know if > it is OK to forward the messages, displaying full headers and web site > addresses, to Pfizer.
Unless Pfizer has set up a special address for this, it seems like the same thing as complaining to _me_ each time a spammer sends something allegedly from _me_. Note that Microsoft, eBay, etc. _have_ set up special addresses to receive reports of spam sent by imposters. From MikeE at ster.invalid Sat May 21 15:26:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 21 17:30:03 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: Message-ID: Maggie's Mom wrote: > I get one - two spam mails daily, all of it spamvertises Pfizer > pharmaceuticals (cialis, viagra, etc). > I would like to > know if it is OK to forward the messages, displaying full headers and > web site addresses, to Pfizer. Pfizer has some words and some actions about counterfeit drugs and spam http://www.pfizer.com/subsites/counterfeit_importation/related_links.html - - Counterfeit and Importation Home > Related Links -- Avoid Fake and Illegal "Generic" Viagra - Pfizer launches campaign to educate consumers about Web sites that sell fake Viagra (sildenafil citrate) and send spam. -- http://www.viagra.com/buyviagraonline/fakeviagra.asp?scope=main Tired of "Viagra" Spam? - So are we. Find out Pfizer's stance on spam, and get tips for reducing it. Not all of those links [such as Tired of "Viagra" Spam?] work properly for me. There's another family of Pfizer vs spamvertiser links here http://www.pfizer.com/subsites/counterfeit_importation/ with links to the news article publicity Pfizer and Microsoft Target Sellers of Illegal Viagra and International Spam Rings Pfizer Files Suit Against Operators of Eighteen Internet Sites Selling Illegal Copies of Lipitor? Pfizer Launches Campaign Against Sellers of Illegal Generic and Counterfeit Viagra and Senders of Viagra-Related Spam But nothing I see there is inviting you to send your spam to Pfizer. 
-- Mike Easter kibitzer, not SC admin From spam at spam.no.not.spam Sun May 22 00:38:24 2005 From: spam at spam.no.not.spam (sparkle) Date: Sat May 21 17:40:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: <428E9210.7AF@xyzzy.claranet.de> <428F4B1D.7B46@xyzzy.claranet.de> Message-ID: Frank Ellermann nobody@xyzzy.claranet.de, wrote in message 28F4B1D.7B46@xyzzy.claranet.de: > sparkle wrote: > >>> IMHO >> Who cares? > > Don't know. Don't care. I have a feeling you're a netloon. Bye. From spam at spam.no.not.spam Sun May 22 01:13:14 2005 From: spam at spam.no.not.spam (sparkle) Date: Sat May 21 18:15:03 2005 Subject: [SpamCop-List] savvis - black hat or white hat? Message-ID: I found this article: http://news.bbc.co.uk/1/hi/technology/3634572.stm It says savvis repented of its spams. If the Sept 04 article is true, why do I get spams from the savvis creeps? Oh, and it says you people are "a small band of enthusiasts who patrol the net like voluntary cyber cops to eliminate spam". Hahahaha. :) xxx From nobody at devnull.spamcop.net Sat May 21 18:19:44 2005 From: nobody at devnull.spamcop.net (Maggie's Mom) Date: Sat May 21 19:20:03 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: Message-ID: "Mike Easter" wrote in message news:d6o930$8j0$1@news.spamcop.net... > > But nothing I see there is inviting you to send your spam to Pfizer. > > -- > Mike Easter > kibitzer, not SC admin I agree 100% that Pfizer does not invite anybody to forward the viagra spam to Pfizer. I thought maybe they want to get a little more active and get to the bottom of things to see who drags their good corporate name through the mud... Wouldn't you say it would be in the best interest of Pfizer and other pharmaceutical companies to cut the counterfeit drug trafficking? It does cut into their profit, after all. And we all know that for big pharma, profit is #1. All the rest of things are taken care of after profit.
Besides, show me who has more pull in this reality: big pharma or some spam fighting agency? Cheers! - Maggie's Mom. From MikeE at ster.invalid Sat May 21 17:46:46 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 21 19:50:02 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: Message-ID: Maggie's Mom wrote: > "Mike Easter" >> But nothing I see there is inviting you to send your spam to Pfizer. > > I agree 100% that Pfizer does not invite anybody to forward the > viagra spam to Pfizer. Maybe that sounded more 'flippant' than it was supposed to. When I investigate notifying the phishentity such as PayPal or banks or whatever about how to notify them that they are a phish -- I very often discover that either they don't want to hear about it at all, or they want the phish recipient to carefully examine all of the examples of phishes and if their phish is the same as what is on record, that they don't want to hear about it, or that the phishentity wants a phish submitted in some particular way. It is not at all unusual that some entity doesn't want to hear any more about the latest spam on something because they already have their own agenda about how they want to deal with it, and it doesn't include processing any more spam information. > I thought maybe they want to get a little more > active and get to the bottom of things to see who drags their good > corporate name through the mud... Did you miss the part of the links where I posted the lawsuits which Pfizer has engaged in two different families of attacks, those who are treading on their tradename in the name of the website and those who are selling counterfeit drugs? > Wouldn't you say it would be in > the best interest of Pfizer and other pharmaceutical companies to cut > the counterfeit drug trafficking? What I say isn't very important about determining whether or not Pfizer wants you to send copies of your spam.
My point was that I turned quite a few Pfizer pages, probably about 30, and on none of those pages did they provide me with an email address to send them a copy of a spam. Somewhere along the way they suggested notifying some other entity, such as the FDA. They also suggested 'contacting' Pfizer in 'your country' - but they weren't talking about email and they weren't talking about submitting spam. I'm just telling you what the website sez and where it sez it. > It does cut into their profit, > after all. And we all know that for big pharma, profit is #1. All the > rest of things are taken care of after profit. Besides, show me who > has more pull in this reality: big pharma or some spam fighting > agency? Big pharm no doubt. -- Mike Easter kibitzer, not SC admin From dfm2a3l0t2 at spymac.com Sat May 21 20:53:39 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Sat May 21 19:55:02 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: Message-ID: In article , "Maggie's Mom" wrote: > I agree 100% that Pfizer does not invite anybody to forward the viagra spam > to Pfizer. I thought maybe they want to get a little more active and get to > the bottom of things to see who drags their good corporate name through the > mud... Wouldn't you say it would be in the best interest of Pfizer and > other pharmaceutical companies to cut the counterfeit drug trafficking? It > does cut into their profit, after all. And we all know that for big pharma, > profit is #1. All the rest of things are taken care of after profit. > Besides, show me who has more pull in this reality: big pharma or some spam > fighting agency? If a Russian mail-order pharmacy is using Chinese servers to send spam to U.S. addresses, what exactly do you expect Pfizer to be able to do? Or if the pharmacy is using thousands of zombie machines--machines the owners of which do not even know are compromised--how is Pfizer to act against that? -- D.F.
Manno dfm2a3l0t2@spymac.com "The work goes on, the cause endures, the hope still lives and the dream will never die." From BNRAGMAOKKXT at spammotel.com Sun May 22 01:20:46 2005 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Sat May 21 20:25:03 2005 Subject: [SpamCop-List] No Submission Returns from SpamCop Message-ID: ...and a very strange message when I log into the reporting page, quote: "Your email address, .com has returned a bounce: Subject: Delivery Status Notification (Failure) Reason: 5.4.7 - Delivery expired (message too old) 421-'aamta05-winn.mailhost.ntl.com connection refused from [64.74.133.248]' Well the address SpamCop is trying to send to is correct and working, I have no problems sending to it from other of my accounts. Every time I log on recently I've seen this message and clicked on the "Problem Solved" button as far as I know there should be no problem my end. The only other thing I can think of is that my IP NTLWorld is blocking mail from SpamCop. The "message too old" reason seems a bit ridiculous, none of the spam submission replies should be more than two days old even if there had been a hiccup at SpamCop. Anyone else having this problem? From MikeE at ster.invalid Sat May 21 18:21:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 21 20:25:13 2005 Subject: [SpamCop-List] Re: savvis - black hat or white hat? References: Message-ID: sparkle wrote: > http://news.bbc.co.uk/1/hi/technology/3634572.stm > > It says savvis repented of its spams. If the Sept 04 article is true, > why do I get spams from the savvis creeps? savvis currently has 43 chunks of IPs listed in spamhaus - I don't know what the spews situation is. Some 8 of those chunks belong to ROKSO spammers. Surprisingly, cw.net has only 5 chunks, one of which is ROKSO. Steve Linford of spamhaus discusses savvis related issues from time to time in the ng nanae news.admin.net-abuse.email.
> Oh, and it says you people are "a small band of enthusiasts who > patrol the net like voluntary cyber cops to eliminate spam". Hahahaha. Actually that is more about spamhaus workers and spews influencers -- since spamvertisers are impacted by spamhaus and spews but not really by spamcop reporters. Spamcop's impact is its contribution to the SCbl - the stats page with spamvertisers doesn't hit very hard. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Sat May 21 21:36:26 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Sat May 21 20:40:02 2005 Subject: [SpamCop-List] Re: savvis - black hat or white hat? In-Reply-To: References: Message-ID: sparkle wrote: > I found this article: > > http://news.bbc.co.uk/1/hi/technology/3634572.stm > > It says savvis repented of its spams. If the Sept 04 article is true, why do > I get spams from the savvis creeps? Why not look up how many listings that Spamhaus still has for them if any? You can also look up an ISP in google with the word spam and see what comes up. -John wb8tyw@qsl.network Personal Opinion Only From NoSpam at nospam.com Sat May 21 18:52:02 2005 From: NoSpam at nospam.com (NoSpam) Date: Sat May 21 20:45:03 2005 Subject: [SpamCop-List] Suspected Phishing Scam Targetting SpamCop Users. Message-ID: I find this to be a little disturbing. I received what I believe to be a Phishing Scam targeting SpamCop users. Recently, I started saving copies of every e-mail I received that I also reported to SpamCop. However, I recently received an e-mail from a Dave@pcprosinc.com claiming that I reported a message to SpamCop that should not have been since it was done in response to a resume that I had posted on the internet. However, looking back through the spam I had saved, NONE of them were related to a resume that I had posted on the internet.
Now, it might be one thing if I do get a legitimate response to a resume posted on the internet where I am asking to be contacted specifically about jobs, but that does not mean I am asking to be contacted by everyone. But, it gets a little stranger and more suspicious. The e-mail also included a supposed link to the report in question and a request to cancel the complaint but, after clicking on the link that was supposed to take me to the supposed report, no report could be pulled up from SpamCop stating "Authorization failure, no username provided by server; action = showhistory." Even more suspicious, the e-mail states nothing about which resume I have posted nor where from nor what position, etc. It asks that I let him (Dave@pcprosinc.com) know if my resume was NOT posted on the internet and that his e-mail was sent in error. I also checked out www.pcprosinc.com to see if I could find out more about his supposed claims that he sent me a legitimate e-mail in response to a resume, but the website appears either new or limited in functionality. Ironically, under Mission Statement, it states, "PC Pros, Inc. is a high-tech company committed to providing the latest technological solutions to the employment industry while at the same time striving to uphold strong Christian values and principles." So, from the looks of it, it seems like this is a phishing scam targetting SpamCop users and people that have a resume posted on the internet. Here is the actual e-mail that was sent to me, minus the report link for security purposes (since it has my SpamCop ID number): Hello SpamCop user, This message should not have been reported as spam. Spam is unsolicited e-mail and when an e-mail is placed on a resume on the internet asking for responses, this is a valid response. If you do not want to receive responses to your resume, then you wouldn't post it on the internet. Please cancel this complaint. 
We do not like SPAM either, but it is frustrating when legitimate e-mail gets classified as spam just because you're not interested in the response. Again, this e-mail was sent as a response to your resume which was posted on the internet. If your resume was not posted on the Internet, then this is a serious error and would you please let us know this as soon as possible. Sincerely, Dave Phillips PC Pros, Inc. Dave@pcprosinc.com -- Please use the link below to review the report in question: (Link not shown for security purposes) I tried finding an e-mail to contact SpamCop about this, but I did not find any. So, I posted this here. From spam at spam.no.not.spam Sun May 22 03:48:04 2005 From: spam at spam.no.not.spam (sparkle) Date: Sat May 21 20:50:02 2005 Subject: [SpamCop-List] Re: savvis - black hat or white hat? References: Message-ID: John E. Malmberg wb8tyw@qsl.network, wrote in message 6ok6a$ftk$1@news.spamcop.net: > sparkle wrote: >> I found this article: >> >> http://news.bbc.co.uk/1/hi/technology/3634572.stm >> >> It says savvis repented of its spams. If the Sept 04 article is >> true, why do I get spams from the savvis creeps? > > Why not look up how many listings that Spamhaus still has for them if > any? > You can also look up an ISP in google with the word spam and see what > comes up. True but then if I wanted the opinion of a search engine so I could discuss the pros and cons of making false statements with it, I'd have used one. :) xxx From spam at spam.no.not.spam Sun May 22 03:55:56 2005 From: spam at spam.no.not.spam (sparkle) Date: Sat May 21 21:00:03 2005 Subject: [SpamCop-List] Re: Suspected Phishing Scam Targetting SpamCop Users. References: Message-ID: NoSpam NoSpam@nospam.com, wrote in message 6okik$g6f$1@news.spamcop.net: > I find this to be a little disturbing. I received what I believe to > be a Phishing Scam targetting SpamCop users. Recently, I started > saving copies of every e-mail I received that I also reported to > SpamCop.
However, I recently received an e-mail from a > Dave@pcprosinc.com claiming that I reported a message to SpamCop that > should not have been since it was done in response to a resume that I > had posted on the internet. However, looking back through the spam I > had saved, NONE of them were related Ooooh. I got one of those. The dude seemed to be Dutch and claimed I too had reported a message that should not have been. I ignored him. I don't think it's "a Phishing Scam targetting SpamCop users", however I do think you are paranoid. From reading the text you quoted, the spammer is justifying his spam. End of story. From spam at spam.no.not.spam Sun May 22 03:57:37 2005 From: spam at spam.no.not.spam (sparkle) Date: Sat May 21 21:00:14 2005 Subject: [SpamCop-List] Re: savvis - black hat or white hat? References: Message-ID: Mike Easter MikeE@ster.invalid, wrote in message 6ojar$fc4$1@news.spamcop.net: > sparkle wrote: >> http://news.bbc.co.uk/1/hi/technology/3634572.stm >> >> It says savvis repented of its spams. If the Sept 04 article is true, >> why do I get spams from the savvis creeps? > > savvis currently has 43 chunks of IPs listed in spamhaus - I don't > know what the spews situation is. Some 8 of those chunks belong to > ROKSO spammers. Surprisingly, cw.net has only 5 chunks, one of which > is ROKSO. Steve Linford of spamhaus discusses savvis related issues > from time to time in the ng nanae news.admin.net-abuse.email. > >> Oh, and it says you people are "a small band of enthusiasts who >> patrol the net like voluntary cyber cops to eliminate spam". >> Hahahaha. > > Actually that is more about spamhaus workers and spews influencers -- > since spamvertisers are impacted by spamhaus and spews but not really > by spamcop reporters. Why is that? Is there a better way to report spam than spamcop? > Spamcop's impact is its contribution to the > SCbl - the stats page with spamvertisers doesn't hit very hard. I'm not with you.
What do you mean "spamvertisers doesn't hit very hard"? :) xxx From nobody at spamcop.net Sat May 21 19:26:13 2005 From: nobody at spamcop.net (Yours Truly) Date: Sat May 21 21:30:03 2005 Subject: [SpamCop-List] Re: Pfizer spam? In-Reply-To: References: Message-ID: Maggie's Mom wrote about Pfizer spam I don't know whether it does any good, but pharmaceutical spam I always report to: webcomplaints@ora.fda.gov The "fda" is "Food and Drug Administration" From NoSpam at nospam.com Sat May 21 20:12:05 2005 From: NoSpam at nospam.com (NoSpam) Date: Sat May 21 22:05:03 2005 Subject: [SpamCop-List] UPDATE. References: Message-ID: UPDATE: I have contacted this Dave@pcprosinc.com and it seems that it was supposedly in reply to a message sent from ResumeBlaster.com and that he is just trying to clean up someone else's mess or something. NOT a phishing scam. "NoSpam" wrote in message news:d6okik$g6f$1@news.spamcop.net... >I find this to be a little disturbing. I received what I believe to be a >Phishing Scam targetting SpamCop users. Recently, I started saving copies of >every e-mail I received that I also reported to SpamCop. However, I recently >received an e-mail from a Dave@pcprosinc.com claiming that I reported a message >to SpamCop that should not have been since it was done in response to a resume >that I had posted on the internet. However, looking back through the spam I >had saved, NONE of them were related to a resume that I had posted on the >internet. Now, it might be one thing if I do get a legitimate response to a >resume posted on the internet where I am asking to be contacted specifically >about jobs, but that does not mean I am asking to be contacted by everyone. >But, it gets a little stranger and more suspicious. 
The e-mail also included a >supposed link to the report in question and a request to cancel the complaint >but, after clicking on the link that was supposed to take me to the supposed >report, no report could be pulled up from SpamCop stating "Authorization >failure, no username provided by server; action = showhistory." Even more >suspicious, the e-mail states nothing about which resume I have posted nor >where from nor what position, etc. It asks that I let him (Dave@pcprosinc.com) >know if my resume was NOT posted on the internet and that his e-mail was sent >in error. I also checked out www.pcprosinc.com to see if I could find out more >about his supposed claims that he sent me a legitimate e-mail in response to a >resume, but the website appears either new or limited in functionality. >Ironically, under Mission Statement, it states, "PC Pros, Inc. is a high-tech >company committed to providing the latest technological solutions to the >employment industry while at the same time striving to uphold strong Christian >values and principles." So, from the looks of it, it seems like this is a >phishing scam targetting SpamCop users and people that have a resume posted on >the internet. Here is the actual e-mail that was sent to me, minus the report >link for security purposes (since it has my SpamCop ID number): > > Hello SpamCop user, > This message should not have been reported as spam. Spam is unsolicited > e-mail and when an e-mail is placed on a resume on the internet asking for > responses, this is a valid response. If you do not want to receive responses > to your resume, then you wouldn't post it on the internet. Please cancel this > complaint. We do not like SPAM either, but it is frustrating when legitimate > e-mail gets classified as spam just because you're not interested in the > response. Again, this e-mail was sent as a response to your resume which was > posted on the internet. 
If your resume was not posted on the Internet, then > this is a serious error and would you please let us know this as soon as > possible. > > Sincerely, > > Dave Phillips > PC Pros, Inc. > Dave@pcprosinc.com > > -- > Please use the link below to review the report in question: > (Link not shown for security purposes) > > I tried finding an e-mail to contact SpamCop about this, but I did not find > any. So, I posted this here. > > > > From Vanguard at domain.invalid Sat May 21 22:06:46 2005 From: Vanguard at domain.invalid (Vanguard) Date: Sat May 21 22:10:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: "Mike Easter" wrote in message news:d6nv85$2r8$1@news.spamcop.net... > Vanguard wrote: >> Also, why would a receiving mail server accept mails from an IP >> address that is dynamic (dial-up or cable/DSL)? I use SpamPal's >> MXblocking plug-in to eliminate any mails that are sourced from a >> dynamic IP address. > > There is such a thing as legitimate dul/ed mailservers. I wouldn't mind > using a mxblocking plugin for spampal and whitelisting legitimate dul > servers if one of them came along; however, from looking at the > mxblocker plugin, it is outdated and doesn't permit proper updating. > > I would rather use njabl [which it does] and sorbs [which it > doesn't] -- and the fact that it has stuff about osirus and easynet shows how badly > it is outdated. He should have made it configurable for the dul > blocklists which one wants. I did bring this up in the SpamPal forum but the plug-in author, James *Day*, never joined in the thread (see http://www.spampalforums.org/phpBB2/viewtopic.php?t=7278). There might be a trick to getting the SORBS DUL used by the MXblocking plug-in but it is a hack. That plug-in has definitely gone stale and needs improvement in its UI or, at least, the ability to edit a config file that gets reflected in the UI.
Apparently SORBS absorbed the EasyNet dynablock list (http://www.us.sorbs.net/news.shtml, news dated 25-Nov-2003)? As I understand, the EasyNet dynablock list stopped getting updated quite a while ago (i.e., it is static and old). According to http://njabl.org/dynablock.html, NJABL is now maintaining that old EasyNet list but kept separate of their own DUL. I had the NJABL and EasyNet DULs selected in the MXblocking plug-in, but I'll try the hack mentioned in the Spampal forum post to redefine the MXEASYN entry in the config.dat file so it points to the SORBS list by replacing "MXEASYN YES dialup.ip.dynablock.easynet.nl 127.0.0.2" with "MXEASYN YES dul.dnsbl.sorbs.net 127.0.0.10". EasyNet will still be listed in the UI but it will use the SORBS DUL. It might work. However, since SORBS DUL merged in the EasyNet DUL whereas NJABL maintains its DUL (dnsbl.njabl.org) separate of the old EasyNet DUL (dynablock.njabl.org), I'm wondering if I should include the SORBS DUL or just go with the NJABL DUL. Actually, I can't remember seeing a spam that originated from a dynamic IP and was sent directly to my mailbox (i.e., where the topmost or last Received header prepended by my ISP's mail server showed that a dynamic IP mail server connected to it). I'm not saying that I haven't gotten one but it would be so infrequent that I just don't remember it happening. I use the UserLogfile plug-in to keep track of spam-tagged messages but I don't keep them for more than a month (I wrote a batch file that I could schedule to periodically purge out the old logs since the UserLogfile plug-in doesn't expire and clean out old logs). Unfortunately the logs only keep a copy of the original message so the SpamPal headers aren't there to know why the message got tagged as spam. I'm not sure how effective this has been in eliminating spam from a dynamic IP running a mail server or zombie that has targeted my ISP's SMTP server as the destination mail server to spew its spam directly to me.
Maybe my ISP doesn't accept mails from dynamic IP assigned "mail servers". My ISP won't divulge much regarding what anti-spam measures they employ. >> Obviously if >> SpamPal's plug-in can do it then so can an e-mail provider. > > The ability to custom configure an enduser spamfilter is a different > kind of configuration than the provider's configuration of a server. > The provider can't custom configure for every user the way a user can > custom configure for themselves. That's why I mentioned a "nice to have" option where the user could enable the MX blocking function (and maybe determine which DULs to use). Then the filtering is done server side instead of downloading and passing it through a client-side filter, like SpamPal. Unfortunately, lots of nice server-side features never show up simply because few users would understand what they were for, what they did, and the consequences of using them. No, it's not the job of the provider to wrest control away from the customer regarding mail handling and filtering but neither do they provide those functions to even give that control to their customers. When available, I prefer server-side solutions; otherwise, client-side solutions will have to suffice. However, the server-side solutions that eventually show up are a consequence of the client-side solutions that were needed before. -- ____________________________________________________________ ** Post your replies to the newsgroup - Share with others ** For e-mail Reply: remove "DELETE", add "~VN56~" to Subject. ____________________________________________________________ From MikeE at ster.invalid Sat May 21 20:09:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat May 21 22:10:14 2005 Subject: [SpamCop-List] Re: savvis - black hat or white hat?
References: Message-ID: sparkle wrote: > Mike Easter >> Actually that is more about spamhaus workers and spews influencers -- >> since spamvertisers are impacted by spamhaus and spews but not really >> by spamcop reporters. > > Why is that? Is there a better way to report spam than spamcop? No; from a spamreporter's point of view there isn't. But there are many tools and organizations and subrosa 'organizations' that all play different parts in antispam efforts. Spamcop is a free and paid parsing and reporting service, spamcop is a paid mail filtering and tagging service, and spamcop is a free blocklist maintainer. In terms of 'weight' - the blocklist has significant weight. In terms of 'help' to spamcop reporters, the reporting function of the parser reporter has declined with evolution of spam. In the past there was a different effect of notifying sources and spamvertisers than there is today. >> Spamcop's impact is its contribution to the >> SCbl - the stats page with spamvertisers doesn't hit very hard. > > I'm not with you. What do you mean "spamvertisers doesn't hit very > hard"? All that happens to spamvertisers which are reported, not those which are not, which includes the huge proportion of spamcop reports which come from spamtraps and quick reporters, is that they are exposed on the statistics page. Nothing else vis spamcop happens to them. The only mild consequence of being exposed on the stats page is that sc-surbl 'sees' them there, scrapes them into its database, and publishes that db for those who use the sc-surbl to help with a spambody filter mechanism. That particular list or filter or db isn't a 'heavy' in the world of important databases. OTOH, spamhaus is a different 'system' and has a different 'audience'. Spamhaus also pays attention to what is going on at spamcop. According to Steve Linford, spamhaus has 450 million users, 200 million of which are behind ISPs. 
How spamhaus lists is different from the spamcop blocklist -- and spamhaus listings are hugely influential on spamvertiser providers. So, spamhaus is exceedingly powerful about spamvertisers. Spamcop is 'nothing' about spamvertisers. Spamcop is exceedingly frisky and dynamic about spamsources. Spamhaus has to pay attention to spamcop and other source information to find out what is going on with spamsources. Different strokes for different folks. -- Mike Easter kibitzer, not SC admin From nttp.sc.s at bigsleep.org Sun May 22 04:15:12 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Sat May 21 23:20:02 2005 Subject: [SpamCop-List] Re: spoof@ebay.com refuses SC reports??? References: Message-ID: On 21 May 2005 Bert Hyman entered spamcop and left news:Xns965D832276B62VeebleFetzer@216.154.195.61: > Why not simply forward a copy to "spoof@ebay.com" at the same time you > forward it to spamcop? Works for me. > Well, as long as you're not also forwarding your spamcop reporting address to someone else. -- | Ric From spam at spam.no.not.spam Sun May 22 06:28:08 2005 From: spam at spam.no.not.spam (sparkle) Date: Sat May 21 23:30:02 2005 Subject: [SpamCop-List] Re: savvis - black hat or white hat? References: Message-ID: Mike Easter MikeE@ster.invalid, wrote in message 6opke$jpo$1@news.spamcop.net: > sparkle wrote: >> Mike Easter >> Actually that is more about spamhaus workers and spews > influencers -- >>> since spamvertisers are impacted by spamhaus and spews but not >>> really by spamcop reporters. >> >> Why is that? Is there a better way to report spam than spamcop? > > No; from a spamreporter's point of view there isn't. But there are > many tools and organizations and subrosa 'organizations' that all play > different parts in antispam efforts. Spamcop is a free and paid > parsing and reporting service, spamcop is a paid mail filtering and > tagging service, and spamcop is a free blocklist maintainer. > > In terms of 'weight' - the blocklist has significant weight. 
In terms > of 'help' to spamcop reporters, the reporting function of the parser > reporter has declined with evolution of spam. In the past there was a > different effect of notifying sources and spamvertisers than there is > today. > >>> Spamcop's impact is its contribution to the >>> SCbl - the stats page with spamvertisers doesn't hit very hard. >> >> I'm not with you. What do you mean "spamvertisers doesn't hit very >> hard"? > > All that happens to spamvertisers which are reported, not those which > are not, which includes the huge proportion of spamcop reports which > come from spamtraps and quick reporters, is that they are exposed on > the statistics page. Nothing else vis spamcop happens to them. The > only mild consequence of being exposed on the stats page is that > sc-surbl 'sees' them there, scrapes them into its database, and > publishes that db for those who use the sc-surbl to help with a > spambody filter mechanism. That particular list or filter or db isn't > a 'heavy' in the world of important databases. But they get 'trapped' anyway - in a way. I see. > OTOH, spamhaus is a different 'system' and has a different 'audience'. > Spamhaus also pays attention to what is going on at spamcop. > According to Steve Linford, spamhaus has 450 million users, 200 > million of which are behind ISPs. How spamhaus lists is different > from the spamcop blocklist -- and spamhaus listings are hugely > influential on spamvertiser providers. > > So, spamhaus is exceedingly powerful about spamvertisers. Spamcop is > 'nothing' about spamvertisers. Spamcop is exceedingly frisky and > dynamic about spamsources. Spamhaus has to pay attention to spamcop > and other source information to find out what is going on with > spamsources. Different strokes for different folks. Nice explanation. Thank you. 
:) xxx From nobody at xyzzy.claranet.de Sun May 22 06:43:19 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat May 21 23:50:03 2005 Subject: [SpamCop-List] Re: Backscatter - report it as spam? References: Message-ID: <428FFFD7.6DEF@xyzzy.claranet.de> Vanguard wrote: > That's probably why SPF and Yahoo DomainKeys got proposed. Not the only constellation. A backup MX does not necessarily know which users exist or are over quota. So it forwards the stuff later, and if it finds that some mail can't be delivered it must create bounces, otherwise legit could be lost without any hint where and what the problem is. Its one and only chance was to reject it instead of accepting it in the first place, and for that it needs SPF or similar. > heated discussions regarding SPF, too, and I don't remember > how or if they solved that issue. You can only check it at the border, not later. The primary MX would know that its backup MX already checked, and so the backup is white listed (= don't check again). Mailing lists use their own address, and so the original sender address is not checked behind the mailing list border. And an old forwarder, neither white listed nor using its own address, will be out of business, just like open relays some years ago. Bye, Frank From nobody at devnull.spamcop.net Sun May 22 00:03:54 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun May 22 00:05:03 2005 Subject: [SpamCop-List] Re: Suspected Phishing Scam Targetting SpamCop Users. References: Message-ID: "NoSpam" wrote in message news:d6okik$g6f$1@news.spamcop.net... > > I tried finding an e-mail to contact SpamCop about this, but I did not find any. > So, I posted this here. At your logged-in www.spamcop.net page, the Help link at the top will eventually get you to the www.spamcop.net FAQ, under which you will eventually find the entry; How can I contact a SpamCop representative?
http://www.spamcop.net/fom-serve/cache/401.html A single-page entry point for a much expanded form of this FAQ is found on the Forum at http://forum.spamcop.net/forums/index.php?showtopic=2238 From nobody at spamcop.net Sun May 22 05:24:34 2005 From: nobody at spamcop.net (nobody@spamcop.net) Date: Sun May 22 00:25:02 2005 Subject: [SpamCop-List] Where's oc3@devnull? Message-ID: I'm being flooded with spam from unreportable spammers that have stolen my personal information and are using it to push their scams. Where is this "oc3" server located? Tracking URLs: http://www.spamcop.net/sc?id=z766313381zc69bcb77781eb7527bdb42391bbadd16z http://www.spamcop.net/sc?id=z766312815ze89bd2dfabf6ca13f1749be69b9fff36z http://www.spamcop.net/sc?id=z766311011zf13f9e3f0a674cb707a7f22acbb3d00dz http://www.spamcop.net/sc?id=z766310372zac6cd27164089abd2f03a7be6de576bfz http://www.spamcop.net/sc?id=z766309640z590fb4b48a04f950623faa61aff7dbc1z http://www.spamcop.net/sc?id=z766308639z0fc4f452e3f757d18bebed14e9f8662az http://www.spamcop.net/sc?id=z766307334zdfcb398ebf8201414b0b535b095fc495z http://www.spamcop.net/sc?id=z765956208z5b918a8f714d534e2b1c664e3cac5330z http://www.spamcop.net/sc?id=z765950753zaaf22da98411bd9299b620b75f74569az http://www.spamcop.net/sc?id=z765945086zaa902b0a85a59888a92b92551094b7a1z http://www.spamcop.net/sc?id=z765846638zb224bfc286cb915f03e66cc016758ab1z http://www.spamcop.net/sc?id=z765845454zd2d573bd59a860f3bae4c045fc10083dz From NoSpam at nospam.com Sat May 21 23:51:10 2005 From: NoSpam at nospam.com (NoSpam) Date: Sun May 22 01:45:02 2005 Subject: [SpamCop-List] Thanks! References: Message-ID: Thanks! "WazoO" wrote in message news:d6p0ba$ng8$1@news.spamcop.net... > "NoSpam" wrote in message > news:d6okik$g6f$1@news.spamcop.net... >> >> I tried finding an e-mail to contact SpamCop about this, but I did not > find any. >> So, I posted this here. 
> > At your logged-in www.spamcop.net page, the > Help link at the top will eventually get you to the > www.spamcop.net FAQ, under which you will > eventually find the entry; > How can I contact a SpamCop representative? > http://www.spamcop.net/fom-serve/cache/401.html > > A single-page entry point for a much expanded > form of this FAQ is found on the Forum at > http://forum.spamcop.net/forums/index.php?showtopic=2238 > > From nobody at devnull.spamcop.net Sun May 22 02:15:49 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun May 22 02:20:02 2005 Subject: [SpamCop-List] Re: Where's oc3@devnull? References: Message-ID: wrote in message news:opsq5s682bj9qcfo@powermac.local... > I'm being flooded with spam from unreportable spammers that have stolen my > personal information and are using it to push their scams. Where is this > "oc3" server located? > > Tracking URLs: > > http://www.spamcop.net/sc?id=z766313381zc69bcb77781eb7527bdb42391bbadd16z Had you turned on "full Technical details" you'd have seen the following in the parse results ...??? One of the internal databases had been manually edited to send these reports to an internal collection point. Whether you'll get Deputy input on why is nebulous, but the included data suggests a possibility or two. Routing details for 66.63.190.15 Report routing for 66.63.190.15: oc3@devnull.spamcop.net http://www.spamcop.net/sc?action=showroute;ip=66.63.190.15;typecodes=4,16 Reports routes for 66.63.190.15: routeid:12908238 66.63.160.0 - 66.63.191.255 to:oc3@devnull.spamcop.net Administrator interested in all reports Saturday, January 15, 2005 7:43:10 AM -0600 [Note added by 216.127.43.94 (sam.julianhaight.com)] oc3 SBL12057 - ROKSO SBL19215- ROKSO From Kilgallen at SpamCop.net Sun May 22 08:58:05 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun May 22 09:00:13 2005 Subject: [SpamCop-List] Re: Pfizer spam?
References: Message-ID: <$y1MR+cRKJUi@eisner.encompasserve.org> In article , "Maggie's Mom" writes: > I agree 100% that Pfizer does not invite anybody to forward the viagra spam > to Pfizer. I thought maybe they want to get little more active and get to > the bottom of things to see who drags their good corporate name through the > mud... Wouldn't you say it would be in the best interest of Pfizer and > other pharmaceutical companies to cut the counterfeit drug trafficking? It I have no way of knowing what would be in their _best_ interest. Perhaps they have some way of tracing worldwide production of the sale of pill-making machines but are still working on getting legal backing in whatever country is involved. It is not at all clear that people sending them spam copies would help -- after all they can get plenty of examples from the newsgroup news.admin.net-abuse.sightings. From Kilgallen at SpamCop.net Sun May 22 09:06:51 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun May 22 09:10:03 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: Message-ID: In article , Yours Truly writes: > Maggie's Mom wrote about Pfizer spam > > > I don't know whether it does any good, but > pharmaceutical spam I always report to: > > webcomplaints@ora.fda.gov > > The "fda" is "Food and Drug Administration" Since the spam I read is not on the "web", I report to: otcfraud@cder.fda.gov The "otc" is "over the counter". Technically that does not include prescription drugs, but most of these spammers are offering to sell me something without a prescription. That counts, despite the lack of a physical "counter". From MikeE at ster.invalid Sun May 22 07:12:53 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun May 22 09:15:04 2005 Subject: [SpamCop-List] Re: Where's oc3@devnull? 
References: Message-ID: WazoO wrote: > wrote in message Before I comment below, from a housekeeping point of view, if you call yourself 'nobody at spamcop' with no handle attached to that, we won't be able to tell one nobody from another nobody here. Nobody at spamcop is commonly chosen as an email address, and that's fine, but it has to have some kind of nym [for pseudonym or handle or callsign or whatever you want to call it] 'attached' or in front of the email address. Picture a conversation in which I'm talking to 2 or 3 different nobodies who are also talking to each other. We wouldn't be able to keep it straight. WazoO is also using a popular email address around here, nobody at devnull spamcop, but he has WazoO in front and there is no ambiguity. In fact, my newsreader is configured to only display his WazoO and not even display the nobody at devnull. >> I'm being flooded with spam from unreportable spammers that have >> stolen my personal information and are using it to push their scams. >> Where is this "oc3" server located? www.spamcop.net/sc?id=z766313381zc69bcb77781eb7527bdb42391bbadd16z Interestingly that spam is straightup, the From = the source = the spamvertised website. There is no bogosity in any part, no forged Received lines, no abuse of trojanized proxies. It is pure 'in your face' - "I am a spammer and this is where I live and this is what I do". Sorta refreshing. By 'stolen my personal information' I suppose you must mean they put your addy in the To, and perhaps the Subject. 
> Routing details for 66.63.190.15 > Report routing for 66.63.190.15: oc3@devnull.spamcop.net > Saturday, January 15, 2005 7:43:10 AM -0600 > [Note added by 216.127.43.94 (sam.julianhaight.com)] > oc3 > SBL12057 - ROKSO > SBL19215- ROKSO Those SBLs and ROKSOs have since been brought up to date recently, SBL26974, but fundamentally they are the same, showing a /19 block about oc3network and also specifically Western Digital, and also specifically Ilan Mishan the ROKSO, Register of Known Spam Operations, which means that the professional has been terminated by at least 3 ISPs for spamming. The ROKSOs are 200 operations responsible for 80% of our spam. But oc3 and its providers are in worse shape than that over at spews. Whereas the spamhaus is about the 66.63.160.0/19 [the two listings are just for a /24 included in the /19], the spews listing is for a bunch of /19s and /24s and threatening Broadwing with more.

S3013 oc3networks
1, 66.63.160.0 - 66.63.191.255, oc3networks.com (ASN'd - XO feed, had Broadwing feed, had pajo.net feed)
1, 216.31.171.0 - 216.31.171.255, oc3networks.com (MyPoints.Com (Intellipost) / Pajo)
1, 216.31.171.0 - 216.31.171.255, oc3networks.com (MyPoints.Com (Intellipost) / Pajo)
1, 216.140.37.0 - 216.140.37.255, oc3networks.com (Broadwing)
1, 216.140.30.0 - 216.140.41.255, Broadwing (oc3networks.com)
2, 216.140.20.0 - 216.140.51.255, Broadwing (oc3networks.com)
1, 216.141.101.0 - 216.141.101.255, oc3networks.com (Broadwing)
1, 216.141.97.0 - 216.141.105.255, Broadwing (oc3networks.com)
2, 216.141.87.0 - 216.141.115.255, Broadwing (oc3networks.com)
1, 72.11.128.0 - 72.11.159.255, oc3networks.com (ASN'd - Has Teleglobe feed, Had Mzima feed, Had level3 feed, had multi feeds)

For a little lesson in interpreting what spews has done there, first we'll dispense with the top same /19 which is spamhaus listed.
Then the next is a /24 216 duplicated, then we see progression in which there was a /24 and then it was broadened to 12 /24s and then the spews2 indicates that they are threatening to broaden that to 32 /24s for Broadwing, which is routing for oc3. Then, the next little group shows it starting with oc3's /24, escalating to Broadwing's 9 (?) /24s, and then the spews2 shows they are threatening Broadwing with escalating that to 29 /24s. The last item is another /19 or 32 /24s. I don't know exactly why spews is doing those oddball numbers for in that 216.141 Broadwing. They have a /14 which is NetRange: 216.140.0.0 - 216.143.255.255 CIDR: 216.140.0.0/14 NetName: BROADWING-NET so I'm sure that's where spews is going incrementally. Maybe there's some spews psychology working there to approach it with the odd numbers. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Sun May 22 18:25:00 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun May 22 09:30:04 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: <$y1MR+cRKJUi@eisner.encompasserve.org> Message-ID: "Larry Kilgallen" wrote in message news:$y1MR+cRKJUi@eisner.encompasserve.org... > In article , "Maggie's Mom" writes: > > > I agree 100% that Pfizer does not invite anybody to forward the viagra spam > > to Pfizer. I thought maybe they want to get little more active and get to > > the bottom of things to see who drags their good corporate name through the > > mud... Wouldn't you say it would be in the best interest of Pfizer and > > other pharmaceutical companies to cut the counterfeit drug trafficking? It > > I have no way of knowing what would be in their _best_ interest. > Perhaps they have some way of tracing worldwide production of the > sale of pill-making machines but are still working on getting legal > backing in whatever country is involved. 
> > It is not at all clear that people sending them spam copies would > help -- after all they can get plenty of examples from the newsgroup > news.admin.net-abuse.sightings. It is also not at all clear that most people buying Viagra have much if any sophistication about spammers, or would find Pfizer besmirched enough by spammers to make them reconsider their purchase. It is not unlikely that Viagra spams actually enhance Pfizer sales, or that Pfizer may not even seriously object to "their name being dragged through the mud". That is all speculative, but these are definitely possibilities. After all, losing a sale or two to a phony pill presser, won't matter if the customer resolutely only buys branded Pfizer products through a legitimate outlet henceforward. I have heard, (but have no way of knowing if this is true) from articles on the net that these pills are often fakes, effectively placebos at best. From MikeE at ster.invalid Sun May 22 07:44:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun May 22 09:45:03 2005 Subject: [SpamCop-List] Re: Where's oc3@devnull? References: Message-ID: Mike Easter wrote: > Whereas the spamhaus is about the 66.63.160.0/19 [the two listings are > just for a /24 included in the /19], the spews listing is for a bunch > of /19s and /24s and threatening Broadwing with more. > > S3013 > oc3networks Anyway, to summarize that with less CIDR nomenclature, we'll translate that to a /24 is one class C or 256 individual IPs and talk the listings in terms of class Cs. Spamhaus is listing 32 Cs. Spews is listing that 32 Cs, plus 12 + 9 + 32 = 53 additional Cs and threatening to expand to 40 more Cs. The other issue about all of this spamhaus and spews business is that you can consider spamhaused and spewed providers to be unresponsive. The typical action with unresponsive providers from spamcop's point of view is to devnull the notify.
The spamsource still counts toward the blocklist, and the spamvertiser still goes to the stats page, just like it would if a non-devnulled provider had been notified -- so, except for the notification business, everything is the same. From the point of view of someone who wants to do manual notifies, by the time you start graduating past the upstream of your spammer's parent, you start running into a general condition of nonresponsiveness. Here's the structure for the original IP which is source and spamvertiser [and From] whois -h whois.arin.net 66.63.190.119 ... OC3 Networks & Web Solutions, 66.63.160.0 - 66.63.191.255 Western Data Services 66.63.189.0 - 66.63.190.255 That shows Western Data's /24 under OC3's /19, 1 C under 32 Cs. Spamcop's notify stops at the devnull for the unresponsive OC3. The routing for OC3 is Broadwing, which we've told the story about, so some reporter might add Broadwing to their notifies, but if they were paying attention to the spews situation, they would see that Broadwing isn't going to be very responsive either. However, the manual notifier would include them and tell them why; because OC3 is non-responsive and spamhaused and spewed. If we take a fresh look at OC3's as29761 routing, we see Upstream Adjacent AS list AS6453 GLOBEINTERNET Teleglobe America Inc. abuse@Teleglobe.net AS11841 LINKLINE - LinkLINE Internet Access, Inc abuse@linkline.com So, I would be notifying teleglobe and linkline about oc3 and telling them that I was notifying them because oc3 is spewed and spamhaused and probably mention that broadwing is also seriously spewed for routing them.
-- Mike Easter kibitzer, not SC admin From drewlt at hotmail.com Sun May 22 10:25:20 2005 From: drewlt at hotmail.com (Andrew) Date: Sun May 22 11:25:05 2005 Subject: [SpamCop-List] Re: Rejected because SpamCop marked this message as SPAM References: Message-ID: Thanks Ellen - I got a reply with a header of an offending message and it turns out it was a roaming laptop of our company that was infected with a virus. It has been cleaned and preventative measures put in place. Thanks again! :) -Andrew "Ellen" wrote in message news:d6jhkm$fan$1@news.spamcop.net... > > "Mike Easter" wrote in message > news:d6j0rr$3e7$1@news.spamcop.net... >> >> The usual situation for user IPs propagating virms or spam is that they >> do not use the server, so that common situation wouldn't cause the >> server to get listed. The usual cause of a server getting listed is >> something that it is doing itself, such as misdirected bounces, >> autoresponders, etc. If I'm understanding Ellen's words correctly, it >> may be that your server is infected with a virus. >> > > Hard to say if it's the server sending or a user behind the server or a > user > sending around the server. The only useful header shows the trap getting > the > spam from that IP. Some servers don't stamp a header showing the user to > mailserver handoff, some do. The message is spam and it is not a > bounce/OOO/AV notification. > > Unfortunately some of the newer infections are smarthosting. > > Ellen > > From wb8tyw at qsl.network Sun May 22 12:24:14 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Sun May 22 11:25:18 2005 Subject: [SpamCop-List] Re: savvis - black hat or white hat? In-Reply-To: References: Message-ID: sparkle wrote: > Why is that? Is there a better way to report spam than spamcop? Advanced users only :-) Yes. See ordb.org, dsbl.org, njabl.org, and opm.blitzed.org and sorbs.net. 
If you can get a new dynamic pool listed, or a new open proxy/open relay listed it will protect far more mailboxes than a spamcop.net listing, and that will hurt the spammers even more. Especially getting a new dynamic pool listed. But do not submit listings to these dynamic pool services that they have already listed, or ones that you do not know for sure are dynamic pools. -John wb8tyw@qsl.network Personal Opinion Only From nobody at spamcop.net Sun May 22 16:40:47 2005 From: nobody at spamcop.net (StampOutSpam) Date: Sun May 22 11:45:02 2005 Subject: [SpamCop-List] Re: Where's oc3@devnull? References: Message-ID: > www.spamcop.net/sc?id=z766313381zc69bcb77781eb7527bdb42391bbadd16z > By 'stolen my personal information' I suppose > you must mean they put your addy in the To, and perhaps the Subject. They're putting home addresses into the bodies or subjects of the messages and pushing fake refinancing loans or whatever other junk they're peddling. It appears that it's about phishing for bank info, as the input forms on the Web sites are not connected to the database used by the spammers to send out their spam runs. > So, I would be notifying teleglobe and linkline about oc3 and telling > them that I was notifying them because oc3 is spewed and spamhaused and > probably mention that broadwing is also seriously spewed for routing > them. abuse@Teleglobe.net and abuse@linkline.com added to reports. From agent01413 at my-deja.com Sun May 22 17:49:11 2005 From: agent01413 at my-deja.com (Socks the Whitehouse Cat) Date: Sun May 22 12:50:03 2005 Subject: [SpamCop-List] Re: German spam References: Message-ID: "Mike Easter" wrote in news:d6ggt0$agg$1 @news.spamcop.net: > .. whereas the TrustE or rather TRUSTe seal is some kind of > certification provided to a *website* according to whether or not the > website plays by some truste privacy rules. Nothing about spamming. 
I > don't know why 68.36.241.189 rDNS i've reported numerous sites to TrustE for violating published privacy policies. TrustE (another name for a con doing prison time) has never so far as I know terminated a member for anything other than paying their fee on time. If the TrustE certificate holder's privacy policy says "if you give us your email address we will personally spam the bejesus out of it as well as give it away to every known spammer in the world", they will let the site keep the certification because their actions conform to policy. -- See NANAE kooks, including Barbara Schwarz: http://www.morningmist.org/nanae/kookfaq.html From MikeE at ster.invalid Sun May 22 11:03:17 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun May 22 13:05:03 2005 Subject: [SpamCop-List] Re: Where's oc3@devnull? References: Message-ID: StampOutSpam wrote: >> By 'stolen my personal information' I suppose >> you must mean they put your addy in the To, and perhaps the Subject. > > They're putting home addresses into the bodies or subjects of the > messages and pushing fake refinancing loans or whatever other junk > they're peddling. It appears that it's about phishing for bank info, > as the input forms on the Web sites are not connected to the database > used by the spammers to send out their spam runs. Hmm. I wonder where they got a correlation between your home address and email addy? You would have had to provide that to someone for that to hookup. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun May 22 12:03:57 2005 From: nobody at devnull.spamcop.net (Maggie's Mom) Date: Sun May 22 13:05:15 2005 Subject: [SpamCop-List] Re: Pfizer spam? 
References: Message-ID: "Larry Kilgallen" wrote in message >> I don't know whether it does any good, but >> pharmaceutical spam I always report to: >> >> webcomplaints@ora.fda.gov >> >> The "fda" is "Food and Drug Administration" > > Since the spam I read is not on the "web", I report to: > > otcfraud@cder.fda.gov > > The "otc" is "over the counter". I knew about webcomplaints@ora.fda.gov, but I had no idea about otcfraud@cder.fda.gov. Thanks! By the way - does anybody do anything serious about the pharmaceutical spam? It seems to me that the so called "online pharmacies" (the illegitimate type) are multiplying like mushrooms after a good rain, and I bet there are enough bargain hunters to shop there and possibly get seriously hurt by unknown mixtures. The FDA is after and into everything else - how about the illegal pill peddlers? Cheers! - Maggie's Mom. From nobody at spamcop.net Sun May 22 11:36:46 2005 From: nobody at spamcop.net (N. Miller) Date: Sun May 22 13:40:04 2005 Subject: [SpamCop-List] Re: Where's oc3@devnull? References: Message-ID: On Sun, 22 May 2005 15:40:47 -0000, StampOutSpam wrote: >> www.spamcop.net/sc?id=z766313381zc69bcb77781eb7527bdb42391bbadd16z >> By 'stolen my personal information' I suppose >> you must mean they put your addy in the To, and perhaps the Subject. > > They're putting home addresses into the bodies or subjects of the messages > and pushing fake refinancing loans or whatever other junk they're > peddling. It appears that it's about phishing for bank info, as the input > forms on the Web sites are not connected to the database used by the > spammers to send out their spam runs. > >> So, I would be notifying teleglobe and linkline about oc3 and telling >> them that I was notifying them because oc3 is spewed and spamhaused and >> probably mention that broadwing is also seriously spewed for routing >> them. > > abuse@Teleglobe.net and abuse@linkline.com added to reports. 
I saw something like that from spammer Steve Goudreault to my mother. I have been trying to steer her toward the AddressGuard feature of the SBC-Y Internet service, shifting her subscriptions to specially tailored email addresses, so I can find out which of her subscription providers is selling her out. -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From MikeE at ster.invalid Sun May 22 11:41:26 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun May 22 13:45:03 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: Message-ID: Maggie's Mom wrote: > The FDA is > after and into everything else - how about the illegal pill peddlers? The FDA is not after and into everything else. The FDA does a fair amount about regulating the big pharms when they want to introduce a new prescription drug. The FDA doesn't do much of anything when it comes to various claims and fraudulent advertising by a wide assortment of food supplements, herbs, and potions -- except when something is out there being sold OTC and is killing people like flies and getting publicity; then they step in. When was the last time that happened? - some amino acid supplement. The FDA can't even keep the big pharms honest after a prescription drug is released -- they have no budget or mandate to be responsible for all of that OTC stuff, much less helping the big pharms deal with offshore sales of their products and counterfeit versions. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Sun May 22 14:50:25 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Sun May 22 13:55:02 2005 Subject: [SpamCop-List] Re: Pfizer spam? In-Reply-To: References: Message-ID: Maggie's Mom wrote: > > By the way - does anybody do anything serious about the pharmaceutical spam? There was an article about that in the last week or so that I saw, but I do not remember where. 
The employees operating the phones to take orders discovered that there now is no money to pay their salaries. > It seems to me that the so called "online pharmacies" (the illegitimate > type) are multiplying like mushrooms after a good rain, and I bet there are > enough bargain hunters to shop there and possibly get seriously hurt by > unknown mixtures. A link was published about a year ago which showed a laboratory tested them and found mostly inert substances and also fecal matter with insect parts. > The FDA is after and into everything else - how about the > illegal pill peddlers? Cheers! - Maggie's Mom. They seem to take quite a while to crack down on them if one only goes by what gets into the papers. As near as I can tell, the only ones actually buying from spammers is people that think that by buying an affiliate membership, they too can get rich from spamming. This seems to go in bursts after media reports of how much money that the spam kings are claiming to make, even though none of the reporters ever verify the spammer's claims. What actually seems the case is that most of the spammers spent their last $150 to $1000 for a spamming affiliate kit and it takes them about 3 to 6 months to discover that the person selling the kit never had any intention of paying them anything but a token commission and that they will never make anything back. And these scam victims will think that they can not report the scammer they bought the kit from because they know that they purchased the kit with the intent of breaking the law. One of the delaying tactics of the scam artists to explain to the victims why their spamming is not making any money is to blame the anti-spammers, and send them to the anti-spam forums to be trolls. 
But this type of pyramiding is what makes it cost a lot of money to sue the spammers, because you need to go through a couple of layers of scam victims who are broke to get the evidence on someone high enough in the scam to actually have any cash to collect. -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Sun May 22 14:15:10 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun May 22 14:20:03 2005 Subject: [SpamCop-List] Re: Pfizer spam? References: Message-ID: "Maggie's Mom" wrote in message news:d6qe26$gfq$1@news.spamcop.net... > > I knew about webcomplaints@ora.fda.gov, but I had no idea about > otcfraud@cder.fda.gov. Thanks! The Forum FAQ includes links to other "lists" of reporting addresses http://forum.spamcop.net/forums/index.php?showtopic=2238 > By the way - does anybody do anything serious about the pharmaceutical spam? > It seems to me that the so called "online pharmacies" (the illegitimate > type) are multiplying like mushrooms after a good rain, and I bet there are > enough bargain hunters to shop there and possibly get seriously hurt by > unknown mixtures. The FDA is after and into everything else - how about the > illegal pill peddlers? Cheers! - Maggie's Mom. A forum poster just posted a link (actually the whole article was posted, but that's another story) that talks directly to your query .... http://www.startribune.com/stories/1556/5414466.html If you hit the Forum and check the Lounge area out, there have been a number of these busts identified ... or you could Google a bit and find many more, I've no doubt ... just gets back to how curious you really are Most of these U.S.Government agencies have their own .gov web-sites, most have a press-release page to show some of the things they've been up to ... From nobody at devnull.spamcop.net Sun May 22 14:25:13 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun May 22 14:30:03 2005 Subject: [SpamCop-List] Re: Pfizer spam? 
References: Message-ID: "Larry Kilgallen" wrote in message news:vW$0vHiJZCG3@eisner.encompasserve.org... > > Since the spam I read is not on the "web", I report to: > > otcfraud@cder.fda.gov > > The "otc" is "over the counter". Technically that does not include > prescription drugs, but most of these spammers are offering to sell > me something without a prescription. That counts, despite the lack > of a physical "counter". Marjolein did a lot of heavy research when putting together her "Ban Spam" page http://banspam.javawoman.com/report3/drug1.html not going to try to replicate her work, just pointing out her comments on these two addresses; webcomplaints@ora.fda.gov - Not just for USA residents; use the reporting address also for spam obviously targeted at the US market e.g., offering medicines with names under which they are sold in the US otcfraud@cder.fda.gov - Over-the-Counter Drug Products: If you come across a suspected fraudulent nonprescription drug on the Internet, alert FDA by E-mail. If you are unsure whether a product can be sold over the counter in the USA, use the general FDA reporting address above From BNRAGMAOKKXT at spammotel.com Sun May 22 20:57:22 2005 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Sun May 22 16:00:08 2005 Subject: [SpamCop-List] Re: No Submission Returns from SpamCop References: Message-ID: Canopus on 22/05/2005 wrote: > ...and a very strange message when I log into the reporting page, > quote: > > "Your email address, .com has returned a bounce: > Subject: Delivery Status Notification (Failure) > Reason: 5.4.7 - Delivery expired (message too old) > 421-'aamta05-winn.mailhost.ntl.com connection refused from > [64.74.133.248]' > > Well the address SpamCop is trying to send to is correct and working, > I have no problems sending to it from other of my accounts. Every > time I log on recently I've seen this message and clicked on the > "Problem Solved" button as as far as I know there should be no > problem my end. 
The only other thing I can think of is that my IP > NTLWorld is blocking mail from SpamCop. The "message to old" reason > seems a bit ridiculous, none of the spam submission replies should be > more than two days old even if there had been a hiccup at SpamCop. > > Anyone else having this problem? The problem seems to be continuing. I get two or three returns then none so I log in to SpamCop Reporting and see the above message again. My mail box for that account is empty, I have no problem sending myself a mail from another account to that one and it arrives almost immediately so why are SpamCop returns being bounced I ask myself...and anyone else who may have a clue? Confused and frustrated, Rob From nospam at dev.null Sun May 22 23:17:21 2005 From: nospam at dev.null (Anty Spam) Date: Sun May 22 16:20:02 2005 Subject: [SpamCop-List] Re: Suspected Phishing Scam Targetting SpamCop Users. References: Message-ID: "NoSpam" wrote in message news:d6okik$g6f$1@news.spamcop.net... > I find this to be a little disturbing. I received what I believe to be a > Phishing Scam targetting SpamCop users. Recently, I started saving copies of > every e-mail I received that I also reported to SpamCop. However, I recently > received an e-mail from a Dave@pcprosinc.com claiming that I reported a message > to SpamCop that should not have been since it was done in response to a resume > that I had posted on the internet. However, looking back through the spam I had > saved, NONE of them were related to a resume that I had posted on the internet. > Now, it might be one thing if I do get a legitimate response to a resume posted > on the internet where I am asking to be contacted specifically about jobs, but > that does not mean I am asking to be contacted by everyone. But, it gets a > little stranger and more suspicious. 
The e-mail also included a supposed link > to the report in question and a request to cancel the complaint but, after > clicking on the link that was supposed to take me to the supposed report, no > report could be pulled up from SpamCop stating "Authorization failure, no > username provided by server; action = showhistory." Even more suspicious, the > e-mail states nothing about which resume I have posted nor where from nor what > position, etc. It asks that I let him (Dave@pcprosinc.com) know if my resume > was NOT posted on the internet and that his e-mail was sent in error. I also > checked out www.pcprosinc.com to see if I could find out more about his supposed > claims that he sent me a legitimate e-mail in response to a resume, but the > website appears either new or limited in functionality. Ironically, under > Mission Statement, it states, "PC Pros, Inc. is a high-tech company committed to > providing the latest technological solutions to the employment industry while at > the same time striving to uphold strong Christian values and principles." So, > from the looks of it, it seems like this is a phishing scam targetting SpamCop > users and people that have a resume posted on the internet. Here is the actual > e-mail that was sent to me, minus the report link for security purposes (since > it has my SpamCop ID number): > > Hello SpamCop user, > This message should not have been reported as spam. Spam is unsolicited e-mail > and when an e-mail is placed on a resume on the internet asking for responses, > this is a valid response. If you do not want to receive responses to your > resume, then you wouldn't post it on the internet. Please cancel this > complaint. We do not like SPAM either, but it is frustrating when legitimate > e-mail gets classified as spam just because you're not interested in the > response. Again, this e-mail was sent as a response to your resume which was > posted on the internet. 
If your resume was not posted on the Internet, then > this is a serious error and would you please let us know this as soon as > possible. > > Sincerely, > > Dave Phillips > PC Pros, Inc. > Dave@pcprosinc.com > > -- > Please use the link below to review the report in question: > (Link not shown for security purposes) > > I tried finding an e-mail to contact SpamCop about this, but I did not find any. > So, I posted this here. > Amazing thing the internet .:-) Won't touch with a 10ft barge pole. Also Dave Phillips in whois! http://news.spamcop.net/pipermail/spamcop-list/2001-April/010111.html And today's whois: Domain Name: PCPROSINC.COM Administrative Contact: Mark Rogers mark@pcprosinc.net PC Pros, Inc. 14159 S. Mur-Len Rd Olathe, KS 66062 US Phone: 913-397-0260 Fax: 913-397-0663 From MikeE at ster.invalid Sun May 22 14:38:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun May 22 16:40:02 2005 Subject: [SpamCop-List] Re: No Submission Returns from SpamCop References: Message-ID: Canopus wrote: > ...and a very strange message when I log into the reporting page, > quote: The system is trying to tell you that it can't email you and it needs to be able to do that, have a good address. Where 'good address' means that it works for spamcop's mtx. > "Your email address, .com has returned a bounce: > Subject: Delivery Status Notification (Failure) > Reason: 5.4.7 - Delivery expired (message too old) > 421-'aamta05-winn.mailhost.ntl.com connection refused from > [64.74.133.248]' That means that 64.74.133.248 rDNS vmx1.spamcop.net tried to email your addy whose MX is 'aamta05-winn.mailhost.ntl.com' or mailhost.ntl.com or 212.250.162.8 -- but it didn't work out. It would appear the ntl was 'delaying' the item until it became too old. That is, a 421 is a temporary rejection, meaning something like ' servers not available' -- but if the temporary rejection persists, then the 5.4.7 is a permanent rejection.
> Well the address SpamCop is trying to send to is correct and working, > I have no problems sending to it from other of my accounts. I don't think it is about your addy or its mailbox, it looks like it is about your MX not liking SC's MTX. The SC server is listed on a couple of blocklists, blars and fiveten The fiveten one isn't accurate, see here http://www.five-ten-sg.com/blackhole.php?ip=64.74.133.248&Search=Search and the blars one isn't either -- apparently that IP used to be used for some spamvertisers. > Every > time I log on recently I've seen this message and clicked on the > "Problem Solved" button as as far as I know there should be no > problem my end. Your clicking 'problem solved' isn't going to make the ntl mx accept mail from the SC mtx. > The only other thing I can think of is that my IP > NTLWorld is blocking mail from SpamCop. Correct. >The "message to old" reason > seems a bit ridiculous, none of the spam submission replies should be > more than two days old even if there had been a hiccup at SpamCop. The too old is because the temporary rejections are leading to permanent rejections because of too old. > Anyone else having this problem? -- Mike Easter kibitzer, not SC admin From nospam at dev.null Sun May 22 23:41:14 2005 From: nospam at dev.null (Anty Spam) Date: Sun May 22 16:45:02 2005 Subject: [SpamCop-List] Gmail spammer addresses Message-ID: Hi All Has anybody noticed an unwillingness from Gmail to close spammer's accounts on Gmail. I sent a mail more than a month ago on xmasta@gmail.com complete with proof of spamming, domain whois details etc. Domain Name : oemers.com ::Registrant:: Name : ANTHONY CRIPPEN Email : xmasta@gmail.com Address : P.O. Box 5009 Pirae TAHITI Zipcode : NA Nation : PF Tel : (689) 435695 Fax : Zip done. Recently another user also picked up on this one. I have also reported cross.steven@gmail.com - with proof of spamming etc. Still alive! 
Domain name: THYROIDMIND.COM Administrative Contact: CROSS, STEVEN CROSS.STEVEN@GMAIL.COM 1000 GERRARD STREET EAST N/A TORONTO, ON M4M 3G6 CA 1.4164698107 Normally Yahoo! etc will pull a mailbox such as this in 24hrs with the proof I give them. Ditto Hotmail - only had an issue once that was resolved after I asked it be submitted to their supervisor. In fact most of the big name free mail account providers are too happy to do it. They all have something in their AUP's to cover it (including Gmail). The last thing we need is a well known name brand name venturing into something they do not understand. Your experiences? Thx AntySpam From MikeE at ster.invalid Sun May 22 14:49:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun May 22 16:50:03 2005 Subject: [SpamCop-List] Re: Gmail spammer addresses References: Message-ID: Anty Spam wrote: > Has anybody noticed an unwillingness from Gmail to close spammer's > accounts on Gmail. I've seen it discussed on nanae. > I sent a mail more than a month ago on xmasta@gmail.com > Zip done. Recently another user also picked up on this one. > I have also reported cross.steven@gmail.com - with proof of spamming > etc. Still alive! > Normally Yahoo! etc will pull a mailbox such as this in 24hrs with > the proof I give them. Ditto Hotmail - > Your experiences? Not personally. -- Mike Easter kibitzer, not SC admin From ob1db at spamcop.net Sun May 22 17:52:56 2005 From: ob1db at spamcop.net (David Butler) Date: Sun May 22 16:55:03 2005 Subject: [SpamCop-List] spammer fooling spamcop Message-ID: SC sez it cannot parse the source of this spam: Parsing input: izoxlqk.hyperlicks.com host izoxlqk.hyperlicks.com (checking ip) ip not found ; izoxlqk.hyperlicks.com discarded as fake.
No recent reports, no history available
"whois 221.11.133.41@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
Lookup ch455-ap@whois.apnic.net
"whois ch455-ap@whois.apnic.net" (Getting contact from whois.apnic.net mirror)
Display data:
ch455-ap =
whois.apnic.net 221.11.133.41 (nothing found)
host 221.11.133.41 (getting name) no name
No reporting addresses found for 221.11.133.41, using devnull for tracking.

But Openrbl.org shows:

Address: 221.11.133.41 resolved to izoxlqk.hyperlicks.com
AS: [NO_ROUTE] Net 221/8 APNIC7
IP-Whois 221.11.133.41: (ARIN/APNIC7)[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 221.11.128.0 - 221.11.223.255
netname: CNCGROUP-HI
descr: CNC Group Hainan province network
descr: China Network Communications Group Corporation
descr: No.156,Fu-Xing-Men-Nei Street,
descr: Beijing 100031
country: CN
admin-c: CH455-AP
tech-c: CH455-AP
remarks: service provider
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HI
changed: hm-changed#apnic.net 20030122
status: ALLOCATED PORTABLE
source: APNIC

role: CNCGroup Hostmaster
e-mail: abuse@cnc-noc.net

Is this a parser failure or something else?

From BNRAGMAOKKXT at spammotel.com Sun May 22 21:58:39 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Sun May 22 17:00:02 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

Mike Easter on 22/05/2005 wrote:

> I don't think it is about your addy or its mailbox, it looks like it
> is about your MX not liking SC's MTX. The SC server is listed on a
> couple of blocklists, blars and fiveten

This really is ridiculous then as ntlworld has requested copies of reports from SpamCop as a third party interested for its own (not very good) spam filtering and now it blocks the very site it requests information from.
Well if NTL is going to block/bounce messages from SC then I'm going to bug the hell out of them with email complaints every day and the first bona fide reply I get from them will in turn be replied to at High Priority.

Imagine, they say they take spam seriously and are attempting to stem the flow of it then make life difficult for those that are supposedly working with them to the same effect.

Rob

From MikeE at ster.invalid Sun May 22 15:52:38 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 22 17:55:02 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

Canopus wrote:
> Well if NTL is going to block/bounce messages from SC then I'm going
> to bug the hell out of them with email complaints every day and the
> first bona fide reply I get from them will in turn be replied to at
> High Priority.

Well certainly the troubleshooting should start with them. They need to know why/how that DSN got generated.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun May 22 16:01:27 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun May 22 18:05:03 2005
Subject: [SpamCop-List] Re: spammer fooling spamcop
References:
Message-ID:

David Butler wrote:
> SC sez it cannot parse the source of this spam:

The apnic registrar information is slightly outawhack and SC is an algorithm, so that doesn't work. Apnic sez that the contact is CH455-AP, but the return for ch455 is ch444, which isn't the same thing, so from SC's point of view that answer isn't an answer.

> Display data:
> ch455-ap =

That's where the answer isn't.

> But Openrbl.org shows:
> admin-c: CH455-AP
> tech-c: CH455-AP

That sez 455.

> role: CNCGroup Hostmaster
> e-mail: abuse@cnc-noc.net

That isn't 455, you snipped away some of the data.

person: CNCGroup Hostmaster
nic-hdl: CH444-AP
e-mail: abuse@cnc-noc.net

Apnic only shows information for 444, even if you specifically ask it for 455, so SC comes up empty.
-- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun May 22 22:45:50 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sun May 22 22:45:03 2005 Subject: [SpamCop-List] Re: No Submission Returns from SpamCop References: Message-ID: This does happen occasionally to other people. Sometimes you need to write to Don, the deputy, to get it fixed. IIRC, the address is deputies at admin. spamcop, but I am not sure. Miss Betsy From nospam at fuck-off-and-die.com Mon May 23 11:02:54 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Mon May 23 00:20:03 2005 Subject: [SpamCop-List] Re: Gmail spammer addresses References: Message-ID: <938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net> Anty Spam, , the negative, emptied goldfish, and buyer of old clothes, illumined: > Hi All > > Has anybody noticed an unwillingness from Gmail to close spammer's > accounts on Gmail. > > I sent a mail more than a month ago on xmasta@gmail.com complete > with proof of spamming, domain whois details etc. > Domain Name : oemers.com > ::Registrant:: > Name : ANTHONY CRIPPEN > Email : xmasta@gmail.com > Address : P.O. Box 5009 Pirae TAHITI > Zipcode : NA > Nation : PF > Tel : (689) 435695 > Fax : > > Zip done. Recently another user also picked up on this one. > > I have also reported cross.steven@gmail.com - with proof of spamming > etc. Still alive! > Domain name: THYROIDMIND.COM > Administrative Contact: > CROSS, STEVEN CROSS.STEVEN@GMAIL.COM > 1000 GERRARD STREET EAST > N/A > TORONTO, ON M4M 3G6 > CA > 1.4164698107 > > Normally Yahoo! etc will pull a mailbox such as this in 24hrs with > the proof I give them. Ditto Hotmail - only had a issue once that was > resolved after I asked it be submitted to their supervisor. In fact > most of the big name free mail account providers are too happy to do > it. 
They all have something in their AUP's to cover it (including > Gmail) > > The last thing we need is a well know name brand name venturing into > something they do not understand. There is nothing in your post to indicate that the person whom you allege is a spammer has actually spammed with their gmail account. I suspect that you have tried to tell gmail that 1 + 1 = 2 in order to connect the mail account to the alleged spammer in the hope of getting the account terminated rather than providing actual direct evidence of spamming via the gmail account in question. If that is the case, kudos to gmail. I say that because if you did try a 1 + 1 = 2 closure without real evidence of spamming then you are a fucking cunt who is doing nothing other than carrying on a vendetta. I hope that one day some cunt does the same to you, you fucking cunt. HTH & HAND From nobody at spamcop.net Mon May 23 01:45:52 2005 From: nobody at spamcop.net (RW) Date: Mon May 23 02:50:03 2005 Subject: [SpamCop-List] Re: Gmail spammer addresses In-Reply-To: References: Message-ID: Anty Spam wrote: > Hi All > > Has anybody noticed an unwillingness from Gmail to close spammer's accounts > on Gmail. > > I sent a mail more than a month ago on xmasta@gmail.com complete with proof > of spamming, domain whois details etc. > Domain Name : oemers.com > ::Registrant:: > Name : ANTHONY CRIPPEN > Email : xmasta@gmail.com > Address : P.O. Box 5009 Pirae TAHITI > Zipcode : NA > Nation : PF > Tel : (689) 435695 > Fax : > > Zip done. Recently another user also picked up on this one. > > I have also reported cross.steven@gmail.com - with proof of spamming etc. > Still alive! > Domain name: THYROIDMIND.COM > Administrative Contact: > CROSS, STEVEN CROSS.STEVEN@GMAIL.COM > 1000 GERRARD STREET EAST > N/A > TORONTO, ON M4M 3G6 > CA > 1.4164698107 > > Normally Yahoo! etc will pull a mailbox such as this in 24hrs with the proof > I give them. 
Ditto Hotmail - only had an issue once that was resolved after I
> asked it be submitted to their supervisor. In fact most of the big name free
> mail account providers are too happy to do it. They all have something in
> their AUP's to cover it (including Gmail)
>
> The last thing we need is a well known name brand name venturing into
> something they do not understand.
>
> Your experiences?
>
> Thx
>
> AntySpam

How do you know nothing has been done? Just because they are still using the address in a registration doesn't mean it exists.

Richard

From AHaumer_gmxnet at nospam.invalid Mon May 23 09:53:27 2005
From: AHaumer_gmxnet at nospam.invalid (Anton Haumer)
Date: Mon May 23 02:55:03 2005
Subject: [SpamCop-List] SC has problems?
Message-ID: <42917DE7.A5B61FAD@nospam.invalid>

Does anybody encounter the same problem:
by mail submitted spam is not shown for reporting ...
nor getting mail notifications ...
I do not see the "bounce flag",
my email-address is working properly ...
--
Regards, Toni

From nobody at spamcop.net Mon May 23 09:48:47 2005
From: nobody at spamcop.net (me-no-no)
Date: Mon May 23 03:50:02 2005
Subject: [SpamCop-List] Re: Pfizer spam?
References:
Message-ID:

"Maggie's Mom" wrote in message news:d6qe26$gfq$1@news.spamcop.net...
>
> I bet there are enough bargain hunters to shop there and possibly get
> seriously hurt by unknown mixtures.

You win your bet :-) - (Posted to earlier thread Sub: Can you believe this).

Ciao Meno

> After a new batch of rolex/viagra/scams, I was doing a little research on simply-rx.net (rx1.dns889.com) currently rotating/resolving around the mulberry bush :-)
nserver: rx1.dns889.com 200.149.11.35
nserver: rx2.dns889.com 200.149.11.35
nserver: rx3.dns889.com 200.155.191.26
nserver: rx4.dns889.com 200.155.191.26
etc - as per:-
http://groups.google.co.uk/groups?hl=en&lr=&scoring=d&q=dns889.com&btnG=Search
However, I was stopped dead in my tracks by:-
http://www.jdrowell.com/archives/2005/01/simplyrxcom_suc.html (long thread).
If you ever wondered who would purchase (or attempt to purchase - more like) at these scam-sites, just take a peek at a few messages at random. Many appear to gladly part with $200-400 + and not just complain about the spam - but also "wonder" if it is all a rip-off ? I remain - yours "speechless" for today ! Ciao Meno > > From AHaumer_gmxnet at nospam.invalid Mon May 23 13:37:43 2005 From: AHaumer_gmxnet at nospam.invalid (Anton Haumer) Date: Mon May 23 06:40:10 2005 Subject: [SpamCop-List] Re: SC has problems? References: <42917DE7.A5B61FAD@nospam.invalid> Message-ID: <4291B277.76673F82@nospam.invalid> Anton Haumer schrieb: > > Does anybody encounter the same problem: > by mail submitted spam is not shown for reporting ... > nor getting mail notifications ... > I do not see the "bounce flag", > my email-address is working properly ... > -- > Regards, Toni Amazing ... they just seem to have appeared ... Toni From BNRAGMAOKKXT at spammotel.com Mon May 23 12:49:37 2005 From: BNRAGMAOKKXT at spammotel.com (Canopus) Date: Mon May 23 07:50:02 2005 Subject: [SpamCop-List] Re: SC has problems? References: <42917DE7.A5B61FAD@nospam.invalid> <4291B277.76673F82@nospam.invalid> Message-ID: Anton Haumer on 23/05/2005 wrote: > Anton Haumer schrieb: > > > > Does anybody encounter the same problem: > > by mail submitted spam is not shown for reporting ... > > nor getting mail notifications ... > > I do not see the "bounce flag", > > my email-address is working properly ... > > -- > > Regards, Toni > > Amazing ... they just seem to have appeared ... > > Toni Lucky you. I have been having problems getting mail notifications about submissions for the past four days *and* getting the bounce flag notice. My mail address is OK, but, my IP ntlworld seems to have taken to bouncing/blocking mail from spamcop.net. 
Rob

From BNRAGMAOKKXT at spammotel.com Mon May 23 12:53:04 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Mon May 23 07:55:03 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

Miss Betsy on 23/05/2005 wrote:

> This does happen occasionally to other people. Sometimes you need
> to write to Don, the deputy, to get it fixed. IIRC, the address is
> deputies at admin. spamcop, but I am not sure.
>
> Miss Betsy

Do you mean to say that this may not be my IP's fault? I've been bombarding them with complaints over the issue.

Rob

From eddie at eddie.web Mon May 23 12:35:11 2005
From: eddie at eddie.web (eddie)
Date: Mon May 23 11:35:03 2005
Subject: [SpamCop-List] Silly software
Message-ID:

I had 6 or 7 pieces of spam queued up on SC to report
One kept timing out and asking me to wait and try again.
There is no way to simply cancel that one report and continue with the others
Therefore the only solution is to give all the spammers a free pass this morning by canceling all the reports.

Whoever wrote the software must never have used it himself, or this problem would have been solved a long time ago.
Worse, http://gallanted.com has figured out how to get by SC's parser every time when the URL is in a piece of spam, even though it resolves when pasted into the box directly.
Between the timeout bug and http://gallanted.com who never gets reported, I wonder what the score is lately??

Any remedies would certainly be a good thing.

--
Once movie theaters gave out steak knives
Today they confiscate them

From wb8tyw at qsl.network Mon May 23 13:02:05 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon May 23 13:05:02 2005
Subject: [SpamCop-List] Re: Silly software
References:
Message-ID:

In article , eddie writes:
> I had 6 or 7 pieces of spam queued up on SC to report
> One kept timing out and asking me to wait and try again.
> There is no way to simply cancel that one report and continue with the
> others
> Therefore the only solution is to give all the spammers a free pass this
> morning by canceling all the reports.
>
> Whoever wrote the software must never have used it himself, or this
> problem would have been solved a long time ago.
> Worse, http://gallanted.com has figured out how to get by SC's parser every time
> when the URL is in a piece of spam, even though it resolves when pasted
> into the box directly.
> Between the timeout bug and http://gallanted.com who never gets reported,
> I wonder what the score is lately??
>
> Any remedies would certainly be a good thing.

Generally if I find a spam that is totally breaking the parser, and it appears to be a totally new problem that is not being discussed in the newsgroups, I send an e-mail to the deputies at spamcop.net with a technical description of the problem, along with a tracker if one is available.

For non-emergency conditions (and most are non-emergencies), if a response is needed, I usually get one within 72 hours.

-John
wb8tyw@qsl.network
Personal Opinion Only

From eddie at eddie.web Mon May 23 14:46:26 2005
From: eddie at eddie.web (eddie)
Date: Mon May 23 13:50:03 2005
Subject: [SpamCop-List] Re: Silly software
References:
Message-ID:

On Mon, 23 May 2005 12:02:05 -0500, John E. Malmberg scratched out the following:

> In article ,
> eddie writes:
>> I had 6 or 7 pieces of spam queued up on SC to report One kept timing
>> out and asking me to wait and try again. There is no way to simply
>> cancel that one report and continue with the others
>> Therefore the only solution is to give all the spammers a free pass this
>> morning by canceling all the reports.
>>
>> Whoever wrote the software must never have used it himself, or this
>> problem would have been solved a long time ago.
Worse, >> http://gallanted.com has figured out how to get by SC's parser every >> time when the URL is in a piece of spam, even thought it resolves when >> pasted into the box directly. >> Between the timeout bug and http://gallanted.com who never gets >> reported, I wonder what the score is lately?? >> >> Any remedies would certainly be a good thing. > > Generally if I find a spam that is totally breaking the parser, and it > appears to be a totally new problem that is not being discussed in the > newsgroups, I send an e-mail to the deputies at spamcop.net with a > technical description of the problem, along with a tracker if one is > available. > > For non-emergency conditions, (and most are non-emergencies), If a > response is needed, I usually get one with in 72 hours. > > -John > wb8tyw@qsl.network > Personal Opinion Only Both these problems (not being able to cancel an individual item and the parser problem) have been reported before, many times. I suppose they are not considered important enough yet. My rule is that eventually a problem becomes big enough to be fixed or it goes away. I am only a user and deal with problems as best as I can. However, I do write software, and always use my own software before any of my customers get to use it. I learned that from MS - where it's called "eating your own dogfood" -- Once movie theaters gave out steak knives Today they confiscate them From borgholio at storymind.com Mon May 23 12:28:13 2005 From: borgholio at storymind.com (Borgholio) Date: Mon May 23 14:30:03 2005 Subject: [SpamCop-List] Question about Spamcop IMAP mail service Message-ID: If I have Spamcop's IMAP service access all my POP3 accounts is there an option to have it only download mail that I specifically mark as "not spam"? 
From Kilgallen at SpamCop.net Mon May 23 14:51:27 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon May 23 14:55:03 2005 Subject: [SpamCop-List] Re: Silly software References: Message-ID: In article , eddie writes: > Whoever wrote the software must never have used it himself, or this > problem would have been solved a long time ago. Whoever makes a statement like that must never have maintained a complex piece of software, or more important, _managed_ that activity. In all such software, priority of defects must be considered. If I were prioritizing possible SpamCop defects, I would say that the inability to file a particular report ranks pretty low and sending a report to the wrong ISP ranks pretty high. It is not like SpamCop is lacking spam submissions. From eddie at eddie.web Mon May 23 16:55:24 2005 From: eddie at eddie.web (eddie) Date: Mon May 23 16:00:03 2005 Subject: [SpamCop-List] Re: Silly software References: Message-ID: On Mon, 23 May 2005 13:51:27 -0500, Larry Kilgallen scratched out the following: > In article , eddie > writes: > >> Whoever wrote the software must never have used it himself, or this >> problem would have been solved a long time ago. > Whoever makes a statement like that must never have maintained a complex > piece of software, or more important, _managed_ that activity. > Not true. In fact, I not only did that, I used my own software and paid attention to every detail. Perhaps because I am a perfectionist, I never let them slip by me. I found them before my users did almost all the time. FYI I was involved in the original MSN software back in the early 90s as well as other software. > In all such software, priority of defects must be considered. That's Microsoft's policy. It's OK, but an awful lot of bugs get through. Some are never fixed. 
>
> If I were prioritizing possible SpamCop defects, I would say that the
> inability to file a particular report ranks pretty low and sending a
> report to the wrong ISP ranks pretty high.

I agree. Do we have that problem? Sending a report to the wrong ISP? I wasn't aware of that problem.

> It is not like SpamCop is lacking spam submissions.

I was making a point about two issues that have been reported ad nauseam and still exist. Keeping problems from disappearing is another important issue with software. Prioritizing them is one thing, letting them slide is another. If too many spammers find out how to get through the parser then we have a big problem. Better to solve them before they grow, and fester, right.

I am not knocking SC, just being an Archie Goodwin to a Nero Wolfe, so to speak.

--
Once movie theaters gave out steak knives
Today they confiscate them

From nospam at dev.null Mon May 23 23:47:55 2005
From: nospam at dev.null (Anty Spam)
Date: Mon May 23 16:50:03 2005
Subject: [SpamCop-List] Re: Gmail spammer addresses
References: <938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net>
Message-ID:

"Kadaitcha Man" wrote in message news:938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net...
> Anty Spam, , the negative, emptied goldfish, and buyer of
> old clothes, illumined:
>
...snip...
>
> There is nothing in your post to indicate that the person whom you allege is
> a spammer has actually spammed with their gmail account. I suspect that you
> have tried to tell gmail that 1 + 1 = 2 in order to connect the mail account
> to the alleged spammer in the hope of getting the account terminated rather
> than providing actual direct evidence of spamming via the gmail account in
> question.
>
> If that is the case, kudos to gmail. I say that because if you did try a 1 +
> 1 = 2 closure without real evidence of spamming then you are a fucking cunt
> who is doing nothing other than carrying on a vendetta.
I hope that one day > some cunt does the same to you, you fucking cunt. > > HTH & HAND > Reports are all of the format: Party abc@def.xyz is a spammer... Explanation of a mail address being the first step in registering spam domains etc Sample whois details of spam domain.... List of additional domains with same whois .... URL's of similar abuse/spams reported via web... Additonal info if applicable (Ex: abc@def.xyz was ddd@def.xyz till they canned that account or whatever) Complete sample of received spam This normally works with all big name mail providers. From nobody at devnull.spamcop.net Mon May 23 16:49:36 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 23 16:50:18 2005 Subject: [SpamCop-List] Re: Question about Spamcop IMAP mail service References: Message-ID: "Borgholio" wrote in message news:d6t7bt$83m$1@news.spamcop.net... > If I have Spamcop's IMAP service access all my POP3 accounts is there an > option to have it only download mail that I specifically mark as "not spam"? Mixing terms, protocols, etc. IMAP would be a connection you set up with your e-mail app to 'look' at the mail sitting in your account on the SpamCop e-mail server. If you have the SpamCop server POPing your e-mail from other servers, this is not handled with an IMAP connection, rather a standard POP connection that will handle the e-mail found in that other InBox, either downloading or downloading and leaving a copy, depending on your configuration ... but again, for 'expert' answers, you need to hit the spamcop.mail newsgroup or hit the web-based Forum. From nobody at devnull.spamcop.net Mon May 23 16:55:07 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon May 23 17:00:02 2005 Subject: [SpamCop-List] Re: No Submission Returns from SpamCop References: Message-ID: "Canopus" wrote in message news:d6sg70$p6i$1@news.spamcop.net... > Miss Betsy on 23/05/2005 wrote: > > > This does happen occasionally to other people. 
Sometimes you need
> > to write to Don, the deputy, to get it fixed. IIRC, the address is
> > deputies at admin. spamcop, but I am not sure.
> >
> > Miss Betsy
>
> Do you mean to say that this may not be my IP's fault? I've been
> bombarding them with complaints over the issue.
>
> Rob

Don has responded over in the Forum with this;
http://forum.spamcop.net/forums/index.php?showtopic=4263

aamta03-winn.mailhost.ntl.com is rejecting all mail from 64.74.133.248. I'm getting the same bounces from ntlworld.com users trying to reset their passwords. I'm trying to contact them but I'm not hopeful. All I can suggest is that users hammer them until they fix it.

- Don -

From nospam at dev.null Mon May 23 23:55:45 2005
From: nospam at dev.null (Anty Spam)
Date: Mon May 23 17:00:14 2005
Subject: [SpamCop-List] Re: Gmail spammer addresses
References:
Message-ID:

"RW" wrote in message news:d6ru6l$eoa$1@news.spamcop.net...
> Anty Spam wrote:
> >Hi All
> >
> >Has anybody noticed an unwillingness from Gmail to close spammer's accounts
> >on Gmail.
....snip..
>
> How do you know nothing has been done? Just because they are still
> using the address in a registration doesn't mean it exists.
>
> Richard

Mail account from which I remind spammer what he is doing is wrong and pointing to the relevant laws. Mail address changes a lot of course.

While this may sound stupid, it is amazing how many cases of stolen identity crop up with spammers where the luckless victim is all too glad to assist in scrapping all the spam domains falsely connected to his address/mail. Also how many invalid addresses :-)

Mentioned Gmail accounts do not bounce.

From nttp.sc.s at bigsleep.org Mon May 23 22:27:07 2005
From: nttp.sc.s at bigsleep.org (Blammo)
Date: Mon May 23 17:30:02 2005
Subject: [SpamCop-List] Re: Where's oc3@devnull?
References: Message-ID: On 22 May 2005 Mike Easter entered spamcop and left news:d6qe0j$gem$1@news.spamcop.net: > StampOutSpam wrote: > >>> By 'stolen my personal information' I suppose >>> you must mean they put your addy in the To, and perhaps the Subject. >> >> They're putting home addresses into the bodies or subjects of the >> messages and pushing fake refinancing loans or whatever other junk >> they're peddling. It appears that it's about phishing for bank info, >> as the input forms on the Web sites are not connected to the database >> used by the spammers to send out their spam runs. > > Hmm. I wonder where they got a correlation between your home address > and email addy? You would have had to provide that to someone for that > to hookup. > I suspect it may be from a virus. I have a growing list of ROKSO that have information they should not have been able to get otherwise. -- | Ric | From nttp.sc.s at bigsleep.org Mon May 23 22:41:00 2005 From: nttp.sc.s at bigsleep.org (Blammo) Date: Mon May 23 17:45:03 2005 Subject: [SpamCop-List] Re: Silly software References: Message-ID: On 23 May 2005 eddie entered spamcop and left news:pan.2005.05.23.19.55.23.653000@eddie.web: >> >> If I were prioritizing possible SpamCop defects, I would say that the >> inability to file a particular report ranks pretty low and sending a >> report to the wrong ISP ranks pretty high. > > I agree. Do we have that problem? Sending a report to the wrong ISP? I > wasn't aware of that problem. > Gee, I think that's the #1 complaint against Spamcop. I get this error too, clicking on the links in the eMail reply eventually gets you to the problem report which you can cancel, or you can continue to report the remaining, or cancel all and resubmit. By process of elimination you can figure out the problem report and send a copy to deputies. 
-- | Ric | From nospam at fuck-off-and-die.com Tue May 24 04:43:29 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Mon May 23 18:00:03 2005 Subject: [SpamCop-List] Re: Gmail spammer addresses References: <938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net> Message-ID: Anty Spam, , the pasty-faced, inanimate vassal, and vagrant who regulates the workings of the watermeadows, alluded: > "Kadaitcha Man" wrote in message news:938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net.. . >> Anty Spam, , the negative, emptied goldfish, and >> buyer of old clothes, illumined: >> > ...snip... >> >> There is nothing in your post to indicate that the person whom you >> allege is a spammer has actually spammed with their gmail account. I >> suspect that you have tried to tell gmail that 1 + 1 = 2 in order to >> connect the mail account to the alleged spammer in the hope of >> getting the account terminated rather than providing actual direct >> evidence of spamming via the gmail account in question. >> >> If that is the case, kudos to gmail. I say that because if you did >> try a 1 + 1 = 2 closure without real evidence of spamming then you >> are a fucking cunt who is doing nothing other than carrying on a >> vendetta. I hope that one day some cunt does the same to you, you >> fucking cunt. >> >> HTH & HAND >> > > Reports are all of the format: > > Party abc@def.xyz is a spammer... > Explanation of a mail address being the first step in registering spam > domains etc > Sample whois details of spam domain.... > List of additional domains with same whois .... 
> URL's o From nospam at fuck-off-and-die.com Tue May 24 04:53:30 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Mon May 23 18:10:02 2005 Subject: [SpamCop-List] Re: Gmail spammer addresses References: <938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net> Message-ID: <081bfe713ffa40d2b57ed2ada36f3ce8@you.synthetic-phallic-gossipmonger.org> Anty Spam, , the obscene, myopathic degenerate, and supervisor of nothing in particular, hurled: > "Kadaitcha Man" wrote in message news:938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net.. . >> Anty Spam, , the negative, emptied goldfish, and >> buyer of old clothes, illumined: >> >> There is nothing in your post to indicate that the person whom you >> allege is a spammer has actually spammed with their gmail account. I >> suspect that you have tried to tell gmail that 1 + 1 = 2 in order to >> connect the mail account to the alleged spammer in the hope of >> getting the account terminated rather than providing actual direct >> evidence of spamming via the gmail account in question. >> >> If that is the case, kudos to gmail. I say that because if you did >> try a 1 + 1 = 2 closure without real evidence of spamming then you >> are a fucking cunt who is doing nothing other than carrying on a >> vendetta. I hope that one day some cunt does the same to you, you >> fucking cunt. >> >> HTH & HAND >> > > Reports are all of the format: > > Party abc@def.xyz is a spammer. > Explanation of a mail address being the first step in registering spam > domains etc > Sample whois details of spam domain. > List of additional domains with same whois. 
> URL's of similar From nospam at fuck-off-and-die.com Tue May 24 04:57:20 2005 From: nospam at fuck-off-and-die.com (Kadaitcha Man) Date: Mon May 23 18:15:04 2005 Subject: [SpamCop-List] Re: Gmail spammer addresses References: <938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net> Message-ID: <7eb51a2c39804a938ddfc1d053350c5e@you.subjective-stiffened-walrus.org> Anty Spam, , the dizzy, mud-beplastered hog badger, and prosthetist, whimpered: I'll try a third time. Freaking buggy newsserver. > "Kadaitcha Man" wrote in message > news:938d903f286e4f1a972ba9383f1540c2@you.light-minded-gussied-burglar.net >> Anty Spam, , the negative, emptied goldfish, and >> buyer of old clothes, illumined: >> >> There is nothing in your post to indicate that the person whom you >> allege is a spammer has actually spammed with their gmail account. I >> suspect that you have tried to tell gmail that 1 + 1 = 2 in order to >> connect the mail account to the alleged spammer in the hope of >> getting the account terminated rather than providing actual direct >> evidence of spamming via the gmail account in question. >> >> If that is the case, kudos to gmail. I say that because if you did >> try a 1 + 1 = 2 closure without real evidence of spamming then you >> are a fucking cunt who is doing nothing other than carrying on a >> vendetta. I hope that one day some cunt does the same to you, you >> fucking cunt. >> >> HTH & HAND >> > > Reports are all of the format: > > Party abc@def.xyz is a spammer. > Explanation of a mail address being the first step in registering spam > domains etc > Sample whois details of spam domain. > List of additional domains with same whois. > URL's of similar abuse/spams reported via web. > Additonal info if applicable (Ex: abc@def.xyz was ddd@def.xyz till > they canned that account or whatever) > Complete sample of received spam > > This normally works with all big name mail providers. 
Well, like I said; kudos to gmail, you fucking vindictive cuntflap. It's about time a provider applied commonsense and fair play to your scurrilous netKKKopping reports. Go on, do a "Hills Capital/Spam Reporting"-type hissy fit and claim I'm spam friendly merely because I say you're a cunt for relying on fuckwits to be unable to see through your netKKKopping scam. Go on. You know you want to. From nobody at spamcop.net Mon May 23 19:00:53 2005 From: nobody at spamcop.net (Ellen) Date: Mon May 23 18:25:03 2005 Subject: [SpamCop-List] Re: Question about Spamcop IMAP mail service References: Message-ID: "Borgholio" wrote in message news:d6t7bt$83m$1@news.spamcop.net... > If I have Spamcop's IMAP service access all my POP3 accounts is there an > option to have it only download mail that I specifically mark as "not spam"? If you have a SpamCop email account (@spamcop.net, @cesmail.net @cqmail.net) you can have the system pop all your various email addresses. Then you can use a mail client on your computer that has IMAP capability such as OE or one of the others, to access all that mail that is now on the SpamCop mailserver. Email that hits one of the blocklists that you have enabled will fall into the held mail box and the other mail will be in your inbox. This is the simplified explanation -- you have various options you can set thru the mail website. There are various faqs here: http://www.spamcop.net/fom-serve/cache/289.html and also in the forums: http://forum.spamcop.net Ellen SpamCop From eddie at eddie.web Mon May 23 19:45:32 2005 From: eddie at eddie.web (eddie) Date: Mon May 23 18:50:03 2005 Subject: [SpamCop-List] Re: Silly software References: Message-ID: On Mon, 23 May 2005 21:41:00 +0000, Blammo scratched out the following: snip >> I agree. Do we have that problem? Sending a report to the wrong ISP? I >> wasn't aware of that problem. >> >> > Gee, I think that's the #1 complaint against Spamcop. 

I believe that most ISPs say this, but I think most ISPs are guilty :) I always check the ISPs to which my SC reports go and they are always correct, based on past history. I already have them memorized because it's almost always the same ISPs.

>
> I get this error too, clicking on the links in the eMail reply
> eventually gets you to the problem report which you can cancel, or you
> can continue to report the remaining, or cancel all and resubmit. By
> process of elimination you can figure out the problem report and send a
> copy to deputies.

One or two spammers do not show up, no matter how many times I refresh. But the problem I had earlier is that when the parser times out over and over again, there is no button to cancel just that one submission. I had to cancel a bunch of potential reports. SC needs an "Abort this report" button when the parser times out, so we can report the rest of them. That's what I meant by "Silly". It's like Catch 22 the way it works now.

Again, I am not being negative. Maybe a bit sarcastic, but that's not the same. I am a confirmed SC user who started with SC at the very beginning.

--
Once movie theaters gave out steak knives
Today they confiscate them

From nobody at xyzzy.claranet.de Tue May 24 05:23:37 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Mon May 23 22:25:03 2005
Subject: [SpamCop-List] Re: Silly software
References:
Message-ID: <42929029.4047@xyzzy.claranet.de>

eddie wrote:

> One kept timing out and asking me to wait and try again.
> There is no way to simply cancel that one report and continue
> with the others

Not quite, you don't reach "pending reports" in this situation on the Web page, but you can click on the other report links in SC's feedback mail. Or paste and copy these links one by one to your browser if your mail reader doesn't support links.

Bye

From nospam at dev.null Tue May 24 05:40:40 2005
From: nospam at dev.null (Anty Spam)
Date: Mon May 23 22:45:02 2005
Subject: [SpamCop-List] Re: Gmail spammer addresses
References:
Message-ID:

"Anty Spam" wrote in message news:d6qqrp$pa9$1@news.spamcop.net...
> Hi All
>
> Has anybody noticed an unwillingness from Gmail to close spammers' accounts
> on Gmail.
>
> I sent a mail more than a month ago on xmasta@gmail.com complete with proof
> of spamming, domain whois details etc.
> Domain Name : oemers.com
> ::Registrant::
> Name : ANTHONY CRIPPEN
> Email : xmasta@gmail.com
> Address : P.O. Box 5009 Pirae TAHITI
> Zipcode : NA
> Nation : PF
> Tel : (689) 435695
> Fax :
>
> Zip done. Recently another user also picked up on this one.
>
> I have also reported cross.steven@gmail.com - with proof of spamming etc.
> Still alive!
> Domain name: THYROIDMIND.COM
> Administrative Contact:
> CROSS, STEVEN CROSS.STEVEN@GMAIL.COM
> 1000 GERRARD STREET EAST
> N/A
> TORONTO, ON M4M 3G6
> CA
> 1.4164698107
>
> Normally Yahoo! etc will pull a mailbox such as this in 24hrs with the proof
> I give them. Ditto Hotmail - only had an issue once that was resolved after I
> asked it be submitted to their supervisor. In fact most of the big name free
> mail account providers are too happy to do it. They all have something in
> their AUP's to cover it (including Gmail)
>
> The last thing we need is a well known name brand name venturing into
> something they do not understand.
>
> Your experiences?
>
> Thx
>
> AntySpam
>
>

Hmmm, looks like I treaded on a toe. :-)

Anyway, just had 7 more mail addresses terminated. Interestingly one was trying to phish using fake headers that were injected, but using those for the provider he used to register his initial mail address with. Real Darwin award material. Just shows the mentality.

Now I have some work to do :-)

From zypher at spamcop.net Tue May 24 01:35:08 2005
From: zypher at spamcop.net (Ron B.)
Date: Tue May 24 01:40:03 2005
Subject: [SpamCop-List] FTC to push ISPs for zombie crackdown
Message-ID: <4292BD0C.1090501@spamcop.net>

Commentary--Remote-controlled "zombie" networks operated by bottom-feeding spammers have become a serious problem that requires more industry action, the Federal Trade Commission is expected to announce on Tuesday.

http://news.zdnet.com/2100-1009_22-5716576.html

From nobody at spamcop.net Mon May 23 23:50:58 2005
From: nobody at spamcop.net (A.J.)
Date: Tue May 24 01:55:03 2005
Subject: [SpamCop-List] Re: savvis - black hat or white hat?
References:
Message-ID:

"sparkle" wrote in message :
> I found this article:
>
> http://news.bbc.co.uk/1/hi/technology/3634572.stm
>
> It says savvis repented of its spams. If the Sept 04 article is true, why do
> I get spams from the savvis creeps?
>
> Oh, and it says you people are "a small band of enthusiasts who patrol
> the net like voluntary cyber cops to eliminate spam". Hahahaha.
>
> :) xxx

BLACK.

Very black.

"Repenting" was just another instance of Rule #1. Any action taken to make that repentance appear legitimate was just for show.

--
A.J.
Evidence shows Cyveillance abuse internet resources. I recommend unchecking their box in SpamCop reports. Cyveillance are part of the problem. They are not part of the solution.

From porpoise1954 at yahoo.co.uk Tue May 24 10:43:34 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue May 24 04:50:25 2005
Subject: [SpamCop-List] Re: savvis - black hat or white hat?
References:
Message-ID:

"A.J." wrote in message news:d6ufc3$1vo$1@news.spamcop.net...
> "sparkle" wrote in message
> :
>> I found this article:
>
> BLACK.
>
> Very black.
>
> "Repenting" was just another instance of Rule #1. Any action taken to make
> that repentance appear legitimate was just for show.

Interestingly, hacking attempts still regularly show up in my firewall logs from any number of Savvis IPs........

Could be that someone else on my ISP's dynamically static (to coin Mike's phrase ;-)) ADSL IP pool has been compromised and whenever I get assigned that particular IP, these probes show up..........

From nospam at dev.null Tue May 24 13:13:19 2005
From: nospam at dev.null (Anty Spam)
Date: Tue May 24 06:15:03 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
References: <4292BD0C.1090501@spamcop.net>
Message-ID:

"Ron B." wrote in message news:4292BD0C.1090501@spamcop.net...
> Commentary--Remote-controlled "zombie" networks operated by
> bottom-feeding spammers have become a serious problem that requires more
> industry action, the Federal Trade Commission is expected to announce on
> Tuesday.
>
> http://news.zdnet.com/2100-1009_22-5716576.html

While clamping down on private mail server might be a good thing as regards novices and the unenlightened, it does put you at the mercy of the ISP where the real novices hide out.

No private blacklist of undesirables etc. All the nice toys that are associated with an own mail server are gone.

That's a bit like throwing out the baby with the bath water, not?

I just spent the past day teaching an ISP's techie how to read headers. Ouch!

But the overall idea needs support. Nothing like a bit of accountability.

Cheers
Anty

From nospam at fuck-off-and-die.com Tue May 24 17:26:27 2005
From: nospam at fuck-off-and-die.com (Kadaitcha Man)
Date: Tue May 24 06:45:03 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
References: <4292BD0C.1090501@spamcop.net>
Message-ID:

Anty Spam, , the steroidal, ill-natured diarrhea face, and homosexual hair dresser, indicted:

> "Ron B." wrote in message
> news:4292BD0C.1090501@spamcop.net...
>> Commentary--Remote-controlled "zombie" networks operated by
>> bottom-feeding spammers have become a serious problem that requires
>> more industry action, the Federal Trade Commission is expected to
>> announce on Tuesday.
>>
>> http://news.zdnet.com/2100-1009_22-5716576.html
>
> While clamping down on private mail server might be a good thing as
> regards novices and the unenlightened, it does put you at the mercy
> of the ISP where the real novices hide out.
>
> No private blacklist of undesirables etc. All the nice toys that are
> associated with an own mail server are gone.
>
> That's a bit like throwing out the baby with the bath water, not?
>
> I just spent the past day teaching an ISP's techie how to read
> headers. Ouch!
>

I tend to agree, however if port-blocking is applied it should only be applied to dynamic IPs, assuming that dynamic IPs are responsible for the vast bulk of spam that gets around. Many ISPs offer a "business" class service with a fixed IP so getting your mail server back should be a matter of incremental cost and small inconvenience.

I despise port-blocking but do not run my own mail server. I will not sign up with any provider who blocks ports - no matter how noble their reasons might be to themselves. It smacks of their failure to apply their TOS and terminate accounts. The point being, if you police your network properly without invading anyone's privacy then there should be no reason to block any ports.

But then again, port-blocking is easy to circumvent. It's nothing that a cheap tunnel won't fix.

> But the overall idea needs support. Nothing like a bit of
> accountability.

That's why I like spamcop's idea of reporting trojan/virus spam <-- maybe there is the answer - wider use of blacklists and more widespread reporting of trojan/virus/zombie machines. Whilst the ISP can't necessarily tell the customer how to fix the problem of a compromised machine, the ISP can certainly block mail from the associated account until the ISP reasonably believes the issue has been resolved by the user in one way or another.

From nobody at devnull.spamcop.net Tue May 24 09:31:37 2005
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Tue May 24 08:35:02 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
In-Reply-To:
References: <4292BD0C.1090501@spamcop.net>
Message-ID: <42931EA9.3090505@devnull.spamcop.net>

Anty Spam wrote:
> But the overall idea needs support. Nothing like a bit of accountability.

Senderbase has been providing the data to the general public for a long time. I'm glad the FTC is trying to raise the bar, but government agencies are generally incompetent when it comes to technological strategies (just like the DOJ with its integration efforts for a 50-state Registered Sex Offender database -- the asst attorney general said on national TV yesterday that it's based on technology the *DOJ* developed -- *right* which low-bidding contractor, or since when is the DOJ in the software development business?).

I'd like to see the government push for something along the lines of certified software for internet connectivity, since in a way it's unfair to put all the blame on the ISPs. Pinch me...

--
Help fight spam by "educating" the lax, zombie-hosting ISPs:
http://pages.infinit.net/filmore/educateYourISP.htm

From BNRAGMAOKKXT at spammotel.com Tue May 24 13:49:42 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Tue May 24 08:50:06 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

SpamCop Admin on 23/05/2005 wrote:

> aamta03-winn.mailhost.ntl.com is rejecting all mail from
> 64.74.133.248. I'm getting the same bounces from ntlworld.com users
> trying to reset their passwords.
>
> I'm trying to contact them but I'm not hopeful. All I can suggest is
> that users hammer them until they fix it.
>
> - Don -

Trying to contact them through their web forms, the only way besides costly phone calls, is a nightmare and the only replies I get are, quote in part:

"Due to the security procedures we have in place at ntl:, in compliance with the Data Protection Act, we cannot accept any change of information regarding customer's personal or account details via e-mail.

"In order to maintain security we ask our customers to call us on 0800 052 2000 or 0044 1256 751 045 if calling from outside the UK and we can then proceed with the relevant changes.

"Our customer service team will be more than happy to explain or resolve any billing queries or make changes to your account or package and provide details once the relevant checks have been passed...."

Which as you can see is totally irrelevant to the topic. Either no one is bothering to read the feedback or they are using these rote replies to avoid answering the question.

NTL users who are having this problem may like to try the forum at http://www.chetnet.co.uk/portal/ where I have heard some very helpful people with contacts inside NTL hang out.

Rob

From BNRAGMAOKKXT at spammotel.com Tue May 24 13:51:34 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Tue May 24 08:55:03 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

WazoO on 23/05/2005 wrote:

> "Canopus" wrote in message
> news:d6sg70$p6i$1@news.spamcop.net...
> > Miss Betsy on 23/05/2005 wrote:
> >
> > > This does happen occasionally to other people. Sometimes you need
> > > to write to Don, the deputy, to get it fixed. IIRC, the address
> > > is deputies at admin. spamcop, but I am not sure.
> > >
> > > Miss Betsy
> >
> > Do you mean to say that this may not be my IP's fault? I've been
> > bombarding them with complaints over the issue.
> >
> > Rob
>
> Don has responded over in the Forum with this;
> http://forum.spamcop.net/forums/index.php?showtopic=4263
> aamta03-winn.mailhost.ntl.com is rejecting all mail from
> 64.74.133.248. I'm getting the same bounces from ntlworld.com users
> trying to reset their passwords.
>
> I'm trying to contact them but I'm not hopeful. All I can suggest is
> that users hammer them until they fix it.
>
> - Don -

Thanks. Don's reply turned up here after I posted the above.

Rob

From nobody at nowhere.invalid Tue May 24 16:05:26 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue May 24 09:10:03 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
References: <4292BD0C.1090501@spamcop.net> <42931EA9.3090505@devnull.spamcop.net>
Message-ID:

On Tue, 24 May 2005 08:31:37 -0400, Sofa King Tyred of Lar Ting coughed into spamcop and left this in <42931EA9.3090505@devnull.spamcop.net>:

> I'd like to see the government push for something along the lines of
> certified software for internet connectivity, since in a way it's unfair
> to put all the blame on the ISPs. Pinch me...

Microsoft would buy a certification in less than a nanosecond and we'd all be back to square one.

--
Steve
Don't be irreplaceable. If you can't be replaced, you can't be promoted.

From wb8tyw at qsl.network Tue May 24 10:59:12 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Tue May 24 11:00:05 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
References: <4292BD0C.1090501@spamcop.net>
Message-ID:

In article , "Anty Spam" writes:
>
> "Ron B." wrote in message
> news:4292BD0C.1090501@spamcop.net...
>> Commentary--Remote-controlled "zombie" networks operated by
>> bottom-feeding spammers have become a serious problem that requires more
>> industry action, the Federal Trade Commission is expected to announce on
>> Tuesday.
>>
>> http://news.zdnet.com/2100-1009_22-5716576.html
>
> While clamping down on private mail server might be a good thing as regards
> novices and the unenlightened, it does put you at the mercy of the ISP where
> the real novices hide out.

I have not yet read the article, but in general a network owner should have all I.P. addresses for real mail servers registered with them to be exempted from port blocking.

A web based form can be set up for users with fixed addresses to whitelist themselves in real time.

No one should be attempting direct to external MX from a DHCP address these days, and connections to mail through non-ISP mail servers should be using port 587.

I have been stating for a few years now that any residential user that is still using port 25 for a non-ISP mail server is on borrowed time, and they need to switch to the RFC specified port and make sure it works while they still have a fallback to port 25.

From what I have seen, many ISPs will put in the port 25 blocks without any advance notice to their customers. And I suspect that it is because some larger ISP that they must exchange mail with told them that they were not going to block just the DHCP zombies that they were going to block the entire ISP because of the spew.

> No private blacklist of undesirables etc. All the nice toys that are
> associated with an own mail server are gone.

Have you ever seen what just one zombie can do to a cable modem segment?

I have seen one effectively wipe out internet access to several small towns. And what was even more annoying is that spamcop.net was showing that abuse reports had been sent identifying the zombie to the ISP at least 24 hours before the outage occurred, yet the tech support at the ISP had not been notified to take action.

It still took them an hour to lock it down once they were notified by phone. It should have taken them only a few minutes.

There are several TCP/IP ports that can not be left open on a broadband network if any Microsoft based machines might be connected without a firewall. If an ISP leaves these ports open, every time a new exploit of them comes out, all broadband users of that ISP effectively will have no internet access for the first 4 to 8 hours of the outbreak, maybe longer.

I suspect that in many cases the only reason that port 25 is still not blocked is that the corporate management of the ISP has not looked at a line item as to how much extra leaving it open is costing them in support calls, system capacity, bandwidth charges, and customer refunds.

> That's a bit like throwing out the baby with the bath water, not?

If an ISP is set up to quarantine a zombie automatically and immediately on either getting an abuse/postmaster or major DNSbl listing of it, then they can probably get away with leaving port 25 open. At least one person that claimed to be from an ISP had such an automated system set up.

If it takes them more than minutes to react, then in that time lag, spew from that zombie can be wiping out access to potentially thousands of their paying customers. VPN connections intermittently dropped, file transfers terminated. All sorts of problems.

Personally I would rather have port 25 blocked than to have to deal with the slowdowns and outages every time someone in the three townships around me depends on a virus scanner to protect them from the next virus outbreak, and it does not.

I can communicate just fine with every external mail server that I send through using port 25, and I can easily smart host output through the ISP's mail server if I choose.

The thing not to do, is restrict customers to using an ISP supplied e-mail address when smart hosting through the ISP's mail servers. That basically does almost nothing to stop multi-hop spam, it just breaks smart hosting.

> I just spent the past day teaching an ISP's techie how to read headers.
> Ouch!

Which underscores how ISPs are simply not equipped to deal with the zombie issue. Blocking the exploited ports is a simple enough concept for them to understand. Requiring more requires better service than a residential ISP knows how to supply.

If you watch re-runs of Green Acres, you will quickly see that many of the broadband ISPs are trying to run their business like the fictional Hooterville phone company or worse.

> But the overall idea needs support. Nothing like a bit of accountability.

That was one of the major flaws in Can-Spam or its enforcement. It should have made the executives of any US ISP that was providing any of the network accesses used by the spammer either through hosting, routing, or ignoring zombie reports criminally liable for the spew that came from them.

My guess is that one public arrest would cause all the spammers and spam support to be immediately removed nationwide.

-John
wb8tyw@qsl.network
Personal Opinion Only

From eddie at eddie.web Tue May 24 12:37:03 2005
From: eddie at eddie.web (eddie)
Date: Tue May 24 11:40:04 2005
Subject: [SpamCop-List] Re: Silly software
References: <42929029.4047@xyzzy.claranet.de>
Message-ID:

On Tue, 24 May 2005 04:23:37 +0200, Frank Ellermann scratched out the following:

> eddie wrote:
>
>> One kept timing out and asking me to wait and try again. There is no way
>> to simply cancel that one report and continue with the others
>
> Not quite, you don't reach "pending reports" in this situation on the Web
> page, but you can click on the other report links in SC's feedback mail.
> Or paste and copy these links one by one to your browser if your mail
> reader doesn't support links. Bye

When I get a "sigalarm" from the server, there are no buttons on top - there is nowhere to go but to use the "back" button on the browser, which sometimes works and also sometimes times out. The fastest alternative is to log out, log back in and go to the report page.

But I still cannot cancel the "bad" spam that chokes the parser. Yes, I can manually copy and paste dozens of pieces of spam, but that's not my wont. If SC won't do it automatically, I simply give the spammers a free ride for that session. There is no way to remove a single item from the parser once you commit it, and if you get two in a row, as I did this morning, it simply takes too much time. Computers are supposed to reduce labor. :)

I trust that eventually this will be fixed. Again, it would be better if those who write the software are forced to use it. But nothing is perfect.

--
Once movie theaters gave out steak knives
Today they confiscate them

From porpoise1954 at yahoo.co.uk Tue May 24 17:36:19 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue May 24 11:45:03 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
References: <4292BD0C.1090501@spamcop.net> <42931EA9.3090505@devnull.spamcop.net>
Message-ID:

"Sofa King Tyred of Lar Ting" wrote in message news:42931EA9.3090505@devnull.spamcop.net...
> Anty Spam wrote:
>> But the overall idea needs support. Nothing like a bit of accountability.
>
> Senderbase has been providing the data to the general public for a long
> time.

Unfortunately, the "general public" wouldn't have a clue as to who/what senderbase is. If you're talking about supplying information to the "general public", you're talking TV, radio & national press!

>
> I'd like to see the government push for something along the lines of
> certified software for internet connectivity, since in a way it's unfair to
> put all the blame on the ISPs. Pinch me...

Or maybe they ought to include it as part of the "computer driving licence" criteria...........

From usenet2 at DE.LETE.THISljvideo.com Tue May 24 17:28:41 2005
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Tue May 24 12:30:04 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
References: <4292BD0C.1090501@spamcop.net>
Message-ID:

Waiving the right to remain silent, Kadaitcha Man said:

> I despise port-blocking but do not run my own mail server. I
> will not sign up with any provider who blocks ports - no matter
> how noble their reasons might be to themselves. It smacks of
> their failure to apply their TOS and terminate accounts. The
> point being, if you police your network properly without
> invading anyone's privacy then there should be no reason to
> block any ports.

ISPs could approach this in the same manner as credit card issuers. When a suspicious amount of spending is detected, the customer is contacted and asked if the activity is genuine.

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail
The United States is the greatest country in the world..! Twenty-five million illegal aliens can't be wrong.

From news at 127.0.0.1 Tue May 24 11:14:06 2005
From: news at 127.0.0.1 (Schmide)
Date: Tue May 24 13:15:02 2005
Subject: [SpamCop-List] Re: SC has problems?
References: <42917DE7.A5B61FAD@nospam.invalid> <4291B277.76673F82@nospam.invalid>
Message-ID:

I've been losing mail. I check some boxes from a yahoo group that gets caught. Select forward and whitelist. Today 3 of 4 mails show up. The one I cared about didn't show up. lol. Lost. I looked at the page after the action and there were 4 id's listed as forwarded. Shucks.

From nobody at devnull.spamcop.net Tue May 24 11:59:47 2005
From: nobody at devnull.spamcop.net (Schmide)
Date: Tue May 24 14:00:02 2005
Subject: [SpamCop-List] Lost Email
Message-ID:

I seem to not be getting some of my forwards from spamcop. I've got some forwards processed after the lost email.

Could someone lookup Queued message 140976 for release and sender for whitelisting

This is one of the lost emails for me

schmide at sc net

From BNRAGMAOKKXT at spammotel.com Tue May 24 19:44:10 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Tue May 24 14:45:07 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

Canopus on 24/05/2005 wrote:

> NTL users who are having this problem may like to try the forum at
> http://www.chetnet.co.uk/portal/
> where I have heard some very helpful people with contacts inside NTL
> hang out.
>
> Rob

Well after signing up with that forum and posting a polite and factual message there I was informed that my post had been pulled due to the forum being for technical support only. However, the administrator who pulled my message and informed me about it did then go on to make a few inquiries, I quote his message to me under this paragraph, but, please note what he says, this is neither an official nor unofficial NTL answer, it is just one individual also trying to figure out what is going on. So, quote:

"Rightly or wrongly I cannot judge, and this is categorically not an official or unofficial ntl: answer in any way.

"It appears that the IP 64.74.133.248 is listed in several different "offender's lists" as being an originator of the German spam (Sober.Q) apparently ntl: are not alone as an ISP in listing that IP.

"This may explain the situation."

I cannot see in any way that spamcop.net is the originator of Sober.Q, it looks as if a major Joe Job has been pulled on spamcop.net.

Rob

From MikeE at ster.invalid Tue May 24 13:25:47 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 24 15:30:06 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

Canopus wrote:

> "It appears that the IP 64.74.133.248 is listed in several different
> "offender's lists" as being an originator of the German spam
> (Sober.Q) apparently ntl: are not alone as an ISP in listing that IP.

That is a meaningless statement without naming any such 'offender list'.

A thorough lookup of all of the lists in which 64.74.133.248 appears shows only blars, fiveten, an internap blackholes.us, and a country list for .us

I saw a Dutch reference to a list I'd never heard of, but the page/site was dead, so I don't know what that was about.

Newsgroups: nl.internet.misbruik
From: Bas Janssen
Subject: Re: [ANN] dns blocklist voor spammende sober.p hosts
Message-ID:
Date: 17 May 2005 11:08:53 GMT

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Tue May 24 15:31:46 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue May 24 15:35:03 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

"Canopus" wrote in message news:d6vslq$s1k$1@news.spamcop.net...
>
> "It appears that the IP 64.74.133.248 is listed in several different
> "offender's lists" as being an originator of the German spam
> (Sober.Q) apparently ntl: are not alone as an ISP in listing that IP.
>
> "This may explain the situation."
>
> I cannot see in any way that spamcop.net is the originator of Sober.Q,
> it looks as if a major Joe Job has been pulled on spamcop.net.

First of all, you are cross-posting into two newsgroups. Not needed. I'm only replying in spamcop, stripping off the spamcop.help group ...

Next, I'm actually pretty doubtful about the explanation offered.
For another look at where spamcop "is" listed, try http://www.moensted.dk/spam/?addr=64.74.133.248&Submit=Submit
And of course, there's rfc-ignorant ... from appearances, there is a BL in use, but also just as apparently, some of the tech folks aren't up to full speed on the whole picture.

From MikeE at ster.invalid Tue May 24 13:47:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 24 15:50:04 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

Mike Easter wrote:

> I saw a Dutch reference to a list I'd never heard of, but the
> page/site was dead, so I don't know what that was about.

> Message-ID:

The Dutch sober.p dnsbl in question is sober-p.dnsbl.hostingxs.nl -- and 64.74.133.248 is not currently listed there

dns 248.133.74.64.sober-p.dnsbl.hostingxs.nl
No DNS for this address

and it gives a positive test result:

dns 2.0.0.127.sober-p.dnsbl.hostingxs.nl
Canonical name: 2.0.0.127.sober-p.dnsbl.hostingxs.nl
Addresses:
127.0.0.2

--
Mike Easter
kibitzer, not SC admin

From dannyg at dannyg.com Tue May 24 15:07:14 2005
From: dannyg at dannyg.com (Danny Goodman)
Date: Tue May 24 17:07:27 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
In-Reply-To: <200505241950.j4OJoBje061939@dannyg.com>
Message-ID:

> Or maybe they ought to include it as part of the "computer driving licence"
> criteria...........

Reminds me of a slide I showed in jest at last January's "Spam and Law Conference":

http://spamwars.com/image/emailHandbook.jpg

Danny
http://www.dannyg.com
http://www.spamwars.com

From porpoise1954 at yahoo.co.uk Tue May 24 23:11:19 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue May 24 17:20:02 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
References:
Message-ID:

"Danny Goodman" wrote in message news:mailman.9.1116968849.169.spamcop-list@news.spamcop.net...
>
>> Or maybe they ought to include it as part of the "computer driving
>> licence"
>> criteria...........
>
> Reminds me of a slide I showed in jest at last January's "Spam and Law
> Conference":
>
> http://spamwars.com/image/emailHandbook.jpg

No, no.... I meant the *real* computer driving licence: http://www.ecdl.co.uk/

From BNRAGMAOKKXT at spammotel.com Tue May 24 22:44:59 2005
From: BNRAGMAOKKXT at spammotel.com (Canopus)
Date: Tue May 24 17:45:02 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

WazoO on 24/05/2005 wrote:

> First of all, you are cross-posting into two newsgroups.
> Not needed. I'm only replying in spamcop, stripping
> off the spamcop.help group ...
>
> Next, I'm actually pretty doubtful about the explanation
> offered. For another look at where spamcop "is" listed,
> try http://www.moensted.dk/spam/?addr=64.74.133.248&Submit=Submit
> And of course, there's rfc-ignorant ... from appearances,
> there is a BL in use, but also just as apparently, some
> of the tech folks aren't up to full speed on the whole
> picture.

Sorry about the cross posts, I hadn't noticed that Don had cross posted info and followed on from him.

I cannot say I'm too hot on all these block lists, was just passing on info I received that *may* explain what is going on with NTL. However, aren't all the block lists listed at the above site dealing with spam? The admin of Chetnet whose message to me I quoted seemed to be referring to some "offenders lists" which deal with virus propagation...or are they the same?

Rob

From MikeE at ster.invalid Tue May 24 16:00:27 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 24 18:05:02 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

Mike Easter wrote:

> The Dutch sober.p dnsbl in question is sober-p.dnsbl.hostingxs.nl --
> and 64.74.133.248 is not currently listed there

Another Dutch virus dnsbl for which the SC server is negative:

dns 248.133.74.64.virbl.dnsbl.bit.nl
No DNS for this address

dns 2.0.0.127.virbl.dnsbl.bit.nl
Canonical name: 2.0.0.127.virbl.dnsbl.bit.nl
Addresses:
127.0.0.2

Reading the Dutch newsgroups is... errr.... mmm... difficult for me.

http://groups.google.dk/groups?q=sober-p.dnsbl.hostingxs.nl+&hl=en&btnG=Google+Search
Google groups Denmark search on 'sober-p.dnsbl.hostingxs.nl'

Let me see, here I am, extremely weak in both German and Spanish, and only enough French and Latin to help me with crossword puzzles, and I'm reading the Dutch newsgroups on the Danish googlegroups. What's wrong with this picture?

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue May 24 16:10:57 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 24 18:15:02 2005
Subject: [SpamCop-List] Re: No Submission Returns from SpamCop
References:
Message-ID:

The SC server which is listed is the one which sends out notifies.

If one looks thru' nana-sightings you can see reports of that server which are SC notifies. There are a number of nana-ites who consider SC notifies to be spam.

Perhaps it is possible for a SC reporter to report a virus propagation, including the propagation, and for the notify to go out including in the evidence attached sufficient viral template for the notify to trigger virus alerts; then that would somehow lead to a listing of the server.

--
Mike Easter
kibitzer, not SC admin

From panoptes at iquest.net Tue May 24 18:11:20 2005
From: panoptes at iquest.net (Daniel W.
Johnson) Date: Tue May 24 18:15:18 2005 Subject: [SpamCop-List] Re: spammer fooling spamcop References: Message-ID: <1gx2sw8.5ixw4m14tkip4N%panoptes@iquest.net> Mike Easter wrote: > Apnic only shows information for 444, even if you specifically ask it > for 455, so SC comes up empty. This is what I see when I check Apnic for CH455-AP: role: CNCGroup Hostmaster e-mail: abuse@cnc-noc.net address: No.156,Fu-Xing-Men-Nei Street, address: Beijing,100031,P.R.China nic-hdl: CH455-AP phone: +86-10-82993155 fax-no: +86-10-82993102 country: CN admin-c: CH444-AP tech-c: CH444-AP changed: abuse@cnc-noc.net 20041119 mnt-by: MAINT-CNCGROUP source: APNIC person: CNCGroup Hostmaster nic-hdl: CH444-AP e-mail: abuse@cnc-noc.net address: No.156,Fu-Xing-Men-Nei Street, address: Beijing,100031,P.R.China phone: +86-10-82993155 fax-no: +86-10-82993144 country: CN changed: abuse@cnc-noc.net 20041220 mnt-by: MAINT-CNCGROUP source: APNIC Is a role record like CH455-AP supposed to have its own admin and tech contacts? Even so, I wouldn't expect CH444-AP in the admin-c and tech-c of CH455-AP to cause any more trouble than CH455-AP showing up in the admin-c and tech-c of 221.11.133.42 (CNCGROUP-HI). Yes, I've had some of these, too. http://www.spamcop.net/sc?id=z767360669z22da7236eb7cf85e0bcfc787704e71afz -- Daniel W. Johnson panoptes@iquest.net http://members.iquest.net/~panoptes/ 039 53 36 N / 086 11 55 W From MikeE at ster.invalid Tue May 24 16:11:54 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue May 24 18:15:25 2005 Subject: [SpamCop-List] Re: No Submission Returns from SpamCop References: Message-ID: Mike Easter wrote: > The SC server which is listed is the one which sends out notifies. -- Mike Easter kibitzer, not SC admin From 0rio85a02 at sneakemail.com Tue May 24 15:23:57 2005 From: 0rio85a02 at sneakemail.com (Fred k) Date: Tue May 24 18:25:04 2005 Subject: [SpamCop-List] Hoorah for Hackers Message-ID: Underground showdown: defacers take on phishers Kapow! 
http://go.theregister.com/news/http://www.theregister.co.uk/2005/05/22/defacers_take_on_phishers_in_underground_showdown

Fred k

From eddie at eddie.web Tue May 24 20:03:45 2005
From: eddie at eddie.web (eddie)
Date: Tue May 24 19:05:02 2005
Subject: [SpamCop-List] question on parser timeout
Message-ID:

When I get parser timeouts - sigalarm - I dump all my pending reports figuring someone else will eventually report them

But what if I didn't do them semi-manually as I usually do? If I had just submitted them for automatic reports (report this as spam) what would happen? Would I ever find out that the parse died and nothing happened?

I ask this because I wonder how many spammers are getting by this way. Although the parser times out on the URL, the fact is that even the spammer doesn't get reported. The entire report dies. And, in my case, so do all the others.

Is this a serious issue or just something that comes with the territory as spammers find ways to get around our SW.???

-- 
Once movie theaters gave out steak knives
Today they confiscate them

From zypher at spamcop.net Tue May 24 19:45:46 2005
From: zypher at spamcop.net (Ron B.)
Date: Tue May 24 19:50:03 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
In-Reply-To: <4292BD0C.1090501@spamcop.net>
References: <4292BD0C.1090501@spamcop.net>
Message-ID:

Ron B. wrote:

> Commentary--Remote-controlled "zombie" networks operated by
> bottom-feeding spammers have become a serious problem that requires more
> industry action, the Federal Trade Commission is expected to announce on
> Tuesday.
>
> http://news.zdnet.com/2100-1009_22-5716576.html

Is this really going to help? I doubt it. While the U.S. provides the largest sources of spam, even if all ISPs effectively closed off port 25 to their users, the spam would just be "outsourced" overseas, especially China. Would not slow the slime by more than a drop (if at all).
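
Added example, not part of any list message and not SpamCop's code: the DNSBL lookups shown in Mike Easter's post earlier in this digest (the reversed-octet query "248.133.74.64.virbl.dnsbl.bit.nl" and the 127.0.0.2 test entry), written out in Python, together with the RFC 5782 self-test of a zone. The function names and the two stub resolvers are assumptions made for this example; the stubs are constructed so that it runs offline.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the zone, as in the quoted lookups."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on bad input
    return ".".join(reversed(octets)) + "." + zone.strip(".")

def system_resolver(name):
    """Live A-record lookup; an empty list means no such name."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_dnsbl(ip, zone, resolve=system_resolver):
    """Return (listed, codes). Only answers inside 127.0.0.0/8 count, so a
    resolver that rewrites NXDOMAIN to a web server cannot fake a listing."""
    answers = resolve(dnsbl_query_name(ip, zone))
    codes = [a for a in answers if ipaddress.IPv4Address(a) in LOOPBACK]
    return bool(codes), codes

def zone_is_sane(zone, resolve=system_resolver):
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not."""
    return (check_dnsbl("127.0.0.2", zone, resolve)[0]
            and not check_dnsbl("127.0.0.1", zone, resolve)[0])

# Constructed offline resolvers (not live DNS data). The first mirrors the two
# answers quoted in the message; the second answers every name with the same
# documentation-range address, like an NXDOMAIN-rewriting resolver.
ZONE = "virbl.dnsbl.bit.nl"
PAGE_ANSWERS = {"2.0.0.127.virbl.dnsbl.bit.nl": ["127.0.0.2"]}

def page_resolver(name):
    return PAGE_ANSWERS.get(name, [])

def rewriting_resolver(name):
    return ["203.0.113.10"]

if __name__ == "__main__":
    print(dnsbl_query_name("64.74.133.248", ZONE))
    print(check_dnsbl("64.74.133.248", ZONE, page_resolver))
    print(zone_is_sane(ZONE, page_resolver), zone_is_sane(ZONE, rewriting_resolver))
```

Running the self-test before trusting a negative answer separates "not listed" from "zone dead or resolver interfering", which a single lookup cannot do.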

From MikeE at ster.invalid Tue May 24 19:11:46 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue May 24 21:15:03 2005
Subject: [SpamCop-List] Re: FTC to push ISPs for zombie crackdown
References: <4292BD0C.1090501@spamcop.net>
Message-ID:

Ron B. wrote:

>> Commentary--Remote-controlled "zombie" networks operated by
>> bottom-feeding spammers have become a serious problem that requires
>> more industry action, the Federal Trade Commission is expected to
>> announce on Tuesday.

> Is this really going to help?

Every little bit helps.

The idea that if you stop something it will just happen some other way so why bother stopping anything isn't the way to get things stopped or throttled or rechanneled and to then develop additional different guards.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue May 24 19:54:11