From jeffg at spamcop.net Tue Nov 1 00:11:48 2005 From: jeffg at spamcop.net (Jeff G.) Date: Tue Nov 1 00:15:03 2005 Subject: [SpamCop-List] Re: SPF record + domain literal format References: Message-ID: "wayne" wrote in message news:x4zmoty436.fsf@footbone.schlitt.net... > In "HOLLO Peter Mr. \(ICM Rt.\)" writes: > > Besides I would like to ask what is your opinion about x.y@ipaddress type > > receiving. > > > > Do you usually configure it ? If yes then did it cause any problem ? > > I do not accept IP literals in email addresses, and I haven't had any > problems. Even the rfc-ignorant.org folks aren't anal enough to > consider rejecting IP literals to be a problem. IIRC an ippostmaster zone was proposed, but there was little support for it. And BTW, the syntax is "postmaster@[127.0.0.1]". -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum. From jeffg at spamcop.net Tue Nov 1 00:21:57 2005 From: jeffg at spamcop.net (Jeff G.) Date: Tue Nov 1 00:30:04 2005 Subject: [SpamCop-List] Re: EBAY spoofed message forgery or really from ebay??? References: Message-ID: "Patto" wrote in message news:djskoq$ktq$1@news.spamcop.net... > One way to identify forgeries is when the address you as 'Dear EBay > member'. If it's from EBay, PayPal, your bank, or whatever, they most > likely address you with your name. PayPal pledged to do this for email they send me. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Tue Nov 1 00:25:40 2005 From: jeffg at spamcop.net (Jeff G.) Date: Tue Nov 1 00:30:06 2005 Subject: [SpamCop-List] Re: EBAY spoofed message forgery or really from ebay??? References: Message-ID: "Ken Knull" wrote in message news:pan.2005.10.28.16.53.49.132666@suespammers.org... > spoof@ebay.com (or spoof@paypal.com) ... > You likely won't be the only one sending them, but they actually do > something with / about them, if nothing more than learn of the phishers > amd tell you whether it is or isn't from them. They likely forward the most egregious ones to their land sharks. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From nobody at xyzzy.claranet.de Tue Nov 1 07:23:33 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Nov 1 01:30:03 2005 Subject: [SpamCop-List] Re: Dubious FAQ entry 166.html References: <435FB6B0.4B76@xyzzy.claranet.de> <43606545.1E96@xyzzy.claranet.de> <436293F7.24FA@xyzzy.claranet.de> <43643119.7458@xyzzy.claranet.de> <436449D9.3358@xyzzy.claranet.de> <43652DAC.30B7@xyzzy.claranet.de> <43654580.5429@xyzzy.claranet.de> <43662C7E.6A67@xyzzy.claranet.de> Message-ID: <436709E5.6097@xyzzy.claranet.de> Mike Easter wrote: > the original html always has the plaintext version of the > html in accompaniment and before the html. Does that mean OE "cannot" send HTML only and uses always a multipart/alternative text/html + text/plain for HTML ? > Unless the original picture was /attached/, in which case > its number would be 1.1 or so instead of 2.3 Your example was "attached" (= separate part), you said "not embedded" (UUE). I took it that you were talking about a picture in the original mail (=> 2.x parts in the forwarded mail). Did I miss something here, e.g. OE cannot "simple-forward" mail incl. attachments, the forwarder has to re-attach the detached original attachment manually ? For "simple forward" read "OE's unusual forwarding with an ersatz-header" (instead of a complete message/rfc822) Bye, Frank From MikeE at ster.invalid Tue Nov 1 01:13:49 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 1 04:15:07 2005 Subject: [SpamCop-List] Re: Dubious FAQ entry 166.html References: <435FB6B0.4B76@xyzzy.claranet.de> <43606545.1E96@xyzzy.claranet.de> <436293F7.24FA@xyzzy.claranet.de> <43643119.7458@xyzzy.claranet.de> <436449D9.3358@xyzzy.claranet.de> <43652DAC.30B7@xyzzy.claranet.de> <43654580.5429@xyzzy.claranet.de> <43662C7E.6A67@xyzzy.claranet.de> <436709E5.6097@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Mike Easter wrote: > >> the original html always has the plaintext version of the >> html in accompaniment and before the html. > > Does that mean OE "cannot" send HTML only and uses always > a multipart/alternative text/html + text/plain for HTML ? Correct. Plaintext first. >> Unless the original picture was /attached/, in which case >> its number would be 1.1 or so instead of 2.3 > > Your example was "attached" (= separate part), you said > "not embedded" (UUE). I took it that you were talking > about a picture in the original mail (=> 2.x parts in the > forwarded mail). This named example was one in which the original sender sent as html, which has 2 parts, the plaintext part and the html part, and attached a graphic as an attachment, making a 3rd part, a b64 encoded graphic. The recipient forwarder forwarded that item, consisting of the original sender's two parts and another forwarded part, the b64 encoded graphic. The graphic was attached to the forwarder's mail, matching its header delimitor. The original sender's plaintext + html version was above that and delimited with its own 'internal' nested delimitors. > Did I miss something here, e.g. OE cannot "simple-forward" > mail incl. attachments, the forwarder has to re-attach the > detached original attachment manually ? OE's forwarding of items with attachments forwards 'simply'. No need to reattach. I'm just 'remarking' of my surprise that the structure is consistent with the attachment 'moving' from the first sender's delimitors to the second sender's delimitors. I guess it makes sense. That's the way it would be with plaintext with a graphic attachment, so it might as well be that way with an html [plaintext + html] with a graphic. So, in a sense, in the case of the forwarder of an html item with a graphic attached, the forwarder's OE 'automatically' detaches the graphic from the sender's mail and reattaches it to the forwarded mail. Because the delimitor on the attachment is the delimitor named in the headers of the forwarder's mail. > For "simple forward" read "OE's unusual forwarding with > an ersatz-header" (instead of a complete message/rfc822) I'm beginning to think about posting a couple of examples as trackers. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Nov 1 01:28:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 1 04:30:05 2005 Subject: [SpamCop-List] Re: What Happened Here? References: <43668D01.6AD546B7@SpamCop.net.dev.null> Message-ID: Jeff G. wrote: > "Mike Easter" >> If you are doing a domainname registration information attack, you do >> that with yesnic, and I think the best way to do it is with the form >> process at internic.http://wdprs.internic.net/ Whois Data Problem >> Report System > > Already done. Also, please see > http://www.rfc-ignorant.org/tools/lookup.php?domain=mort60sec.net&full=1 Of course the processes which unfold as a result of the internic submission are altogether different than the ref-ignorant entries. Also, I'm not clear on the rfc-i entry for that domainname which sez 'bogusmx removed'. The domainname itself doesn't have an MX or a routable A record, and the nameservice has changed since yesterday so that all 5 of the nameservers are at the same IP and they all time out. It is effectively currently dead, since it doesn't have nameservice. Since the nameserver domainnames are reg'd to the same person and same address, it might be worthwhile to similarly 'attack' the nameservice USAELENDER.COM of whois.opensrs.net ie Tucows. -- Mike Easter kibitzer, not SC admin From mikeyhsd at sport.rr.com Tue Nov 1 09:17:10 2005 From: mikeyhsd at sport.rr.com (mikeyhsd) Date: Tue Nov 1 10:20:03 2005 Subject: [SpamCop-List] black list reporting Message-ID: where do you send ddresses to for black list reporting. am getting 20-30 emails a day from this idiot. all in unreadable hen scratching. I will not install a language pack just to red this garbage. Re: 125.57.106.93 (Administrator of network where email originates) To: ip@cjdream.com (Notes) To: ip@dreamline.co.kr (Notes) Re: http://www.gyakuten5.net/?dog (Administrator of network hosting website referenced in spam) To: abuse@elim.net (Notes) it ws using a yahoo mail account from australia, got it cancelled. every mail has been reported to spam cop reporting. mikeyhsd@sport.rr.com From spambait at whodat.net Tue Nov 1 10:36:33 2005 From: spambait at whodat.net (Darrel Toepfer) Date: Tue Nov 1 11:40:03 2005 Subject: [SpamCop-List] Server Authentication is busted Message-ID: Looks to be down again since after 10am Central time... Have reports I need to complete... From nobody at spamcop.net Tue Nov 1 11:40:24 2005 From: nobody at spamcop.net (Anti-Spam) Date: Tue Nov 1 11:45:03 2005 Subject: [SpamCop-List] Reporting user database down? Message-ID: Cookies invalidated and unable to log in. -- Bring in the death penalty for repeat spammers. Non-functional spambait addr: info9@duetddcpj.net (generated by Webpoison) From spambait at whodat.net Tue Nov 1 10:41:29 2005 From: spambait at whodat.net (Darrel Toepfer) Date: Tue Nov 1 11:45:08 2005 Subject: [SpamCop-List] Re: Reporting user database down? In-Reply-To: References: Message-ID: Anti-Spam wrote: > Cookies invalidated and unable to log in. Preceded by "gateway timeout"... Appears to be working again though... From nobody at spamcop.net Tue Nov 1 15:25:03 2005 From: nobody at spamcop.net (Ellen) Date: Tue Nov 1 15:30:06 2005 Subject: [SpamCop-List] 11/1/2005 Maint Window Message-ID: Maintenance Window Nov 1, 2005 During the period 14:00-18:00 -0800 we will have an outage of about 45 minutes for the installation of new hardware for the reporting system. Thank you for your patience. The email system will not affected by this maintenance window. Ellen SpamCop follow/ups to SpamCop Please propagate to the forums From nospam at nospam.nl Tue Nov 1 22:25:57 2005 From: nospam at nospam.nl (geo_splash_12) Date: Tue Nov 1 16:30:02 2005 Subject: [SpamCop-List] Re: black list reporting In-Reply-To: References: Message-ID: mikeyhsd wrote: > where do you send ddresses to for black list reporting. > > am getting 20-30 emails a day from this idiot. all in unreadable hen > scratching. I will not install a language pack just to red this garbage. > > > Re: 125.57.106.93 (Administrator of network where email originates) > To: ip@cjdream.com (Notes) > To: ip@dreamline.co.kr (Notes) > > Re: http://www.gyakuten5.net/?dog (Administrator of network hosting > website referenced in spam) > To: abuse@elim.net (Notes) > > it ws using a yahoo mail account from australia, got it cancelled. > > every mail has been reported to spam cop reporting. > > mikeyhsd@sport.rr.com Please show us spamcop tracking url so that we understand what you're talking about. From nobody at spamcop.net Tue Nov 1 17:56:25 2005 From: nobody at spamcop.net (Ellen) Date: Tue Nov 1 18:00:07 2005 Subject: [SpamCop-List] Maint Window completed Message-ID: The maintenance window scheduled for 11/1/2005 has been completed. Thanks! Ellen SpamCop follow/ups to SpamCop Please propagate to the forums From mikeyhsd at sport.rr.com Tue Nov 1 18:24:06 2005 From: mikeyhsd at sport.rr.com (mikeyhsd) Date: Tue Nov 1 19:25:03 2005 Subject: [SpamCop-List] Re: black list reporting References: Message-ID: will post the reporting link tomorrow. when i get more mails. mikeyhsd@sport.rr.com "geo_splash_12" wrote in message news:dk8mh7$u9o$1@news.spamcop.net... > mikeyhsd wrote: >> where do you send ddresses to for black list reporting. >> >> am getting 20-30 emails a day from this idiot. all in unreadable hen >> scratching. I will not install a language pack just to red this garbage. >> >> >> Re: 125.57.106.93 (Administrator of network where email originates) >> To: ip@cjdream.com (Notes) >> To: ip@dreamline.co.kr (Notes) >> >> Re: http://www.gyakuten5.net/?dog (Administrator of network hosting >> website referenced in spam) >> To: abuse@elim.net (Notes) >> >> it ws using a yahoo mail account from australia, got it cancelled. >> >> every mail has been reported to spam cop reporting. >> >> mikeyhsd@sport.rr.com > > Please show us spamcop tracking url so that we understand what you're > talking about. From borgholio at storymind.com Tue Nov 1 17:00:44 2005 From: borgholio at storymind.com (Borgholio) Date: Tue Nov 1 20:05:03 2005 Subject: [SpamCop-List] No more 3rd party reporting for me Message-ID: Specifically, forwarding spam to the FTC or FDA or whatever. I'm only going to forward phishing, Nigerian, and other similar scams. I'm getting so much spam now, that although Spamcop's paid service is working VERY well, forwarding it to many 3rd parties results in bounce messages due to the sheer volume of SPAM I'm trying to forward. It's too much hassle breaking it up into various categories, then each category into chunks small enough to forward. I'll settle for Spamcop reporting. From jeffg at spamcop.net Tue Nov 1 22:27:17 2005 From: jeffg at spamcop.net (Jeff G.) Date: Tue Nov 1 22:45:04 2005 Subject: [SpamCop-List] Re: Maint Window completed References: Message-ID: "Ellen" wrote in message news:dk8rvg$17l$1@news.spamcop.net... > The maintenance window scheduled for 11/1/2005 has been completed. Thanks! ... > Please propagate to the forums Done. The actual maintenance-induced downtime appears to have been between about 14:10 and 14:55 PST -0800, between about 17:10 and 17:55 EST -0500, and between about 22:10 and 22:55 UTC -0000. Thanks to the engineers and support staff who kept the downtime within the announced window and duration! -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Tue Nov 1 23:06:29 2005 From: jeffg at spamcop.net (Jeff G.) Date: Tue Nov 1 23:10:03 2005 Subject: [SpamCop-List] Re: Reporting user database down? References: Message-ID: "Darrel Toepfer" wrote in message news:dk85vf$lp2$2@news.spamcop.net... > Anti-Spam wrote: > > Cookies invalidated and unable to log in. > Preceded by "gateway timeout"... Appears to be working again though... Right. This is one of the many instances of unannounced downtime (outages) in the past five days that I have been documenting in the "Graphic & Link added" Topic at http://forum.spamcop.net/forums/index.php?showtopic=5235 , beginning at http://forum.spamcop.net/forums/index.php?showtopic=5235&view=findpost&p=35077 . I take my info from the SpamCop Statistics graph at http://alpha.cesmail.net/graphics/spamstats.gif on my off-site page "SpamCop.net - Total spam report volume mock-up" at http://forum.spamcop.net/forums/index.php?showtopic=5247 . -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Tue Nov 1 23:25:54 2005 From: jeffg at spamcop.net (Jeff G.) Date: Tue Nov 1 23:40:03 2005 Subject: [SpamCop-List] Re: What Happened Here? References: <43668D01.6AD546B7@SpamCop.net.dev.null> Message-ID: "Mike Easter" wrote: > Jeff G. wrote: > > Also, please see > > > http://www.rfc-ignorant.org/tools/lookup.php?domain=mort60sec.net&full=1 > Also, I'm not clear on the rfc-i entry for that domainname which sez > 'bogusmx removed'. > > The domainname itself doesn't have an MX or a routable A record, and the > nameservice has changed since yesterday so that all 5 of the nameservers > are at the same IP and they all time out. > > It is effectively currently dead, since it doesn't have nameservice. I am deeply saddened by the loss of effective nameservice for the mort60sec.net domain. NOT!!! Seriously, mort60sec.net had an A record yesterday pointing into the 192.168.x.y type of RFC1918-prohibited IP Address space, which is why the submission worked at the time. Then bad stuff started happening to that domain's nameservice. > Since the nameserver domainnames are reg'd to the same person and same > address, it might be worthwhile to similarly 'attack' the nameservice > USAELENDER.COM of whois.opensrs.net ie Tucows. If I could just get Tucows' whois.opensrs.net to respond more than ~20% of the time, that would be helpful. :) Ok, fine, Paul Shupak appears to have beat me to an RFCI whois listing of usaelender.com, but looking at http://www.rfc-ignorant.org/tools/detail.php?domain=usaelender.com&submitted=1130552149&table=whois , why would mta213.mail.dcn.yahoo.com (in its role as mx2.mail.yahoo.com) wait until after the DATA was complete before replying "554 delivery error: dd This user doesn't have a yahoo.ca account (ronaldhentington@yahoo.ca) [-5] - mta213.mail.dcn.yahoo.com"? Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From nospam at nospam.nl Wed Nov 2 06:38:28 2005 From: nospam at nospam.nl (geo_splash_12) Date: Wed Nov 2 00:40:02 2005 Subject: [SpamCop-List] Re: No more 3rd party reporting for me In-Reply-To: References: Message-ID: Borgholio wrote: > Specifically, forwarding spam to the FTC or FDA or whatever. I'm only > going to forward phishing, Nigerian, and other similar scams. I'm > getting so much spam now, that although Spamcop's paid service is > working VERY well, forwarding it to many 3rd parties results in bounce > messages due to the sheer volume of SPAM I'm trying to forward. It's > too much hassle breaking it up into various categories, then each > category into chunks small enough to forward. I'll settle for Spamcop > reporting. Facing a similar problem, my approach is to report only that spam that isn't already listed in other major blocklists like spamhaus xbl+sbl, sorbs, spews, ahbl and dsbl and when it doesn't originate from china or korea. This cuts down my spamcop usage. It is all done by scripts that look in the header of e-mails, it would be a nightmare to manually sort it out. Ejo From borgholio at storymind.com Tue Nov 1 21:52:19 2005 From: borgholio at storymind.com (Borgholio) Date: Wed Nov 2 00:55:03 2005 Subject: [SpamCop-List] Re: No more 3rd party reporting for me In-Reply-To: References: Message-ID: geo_splash_12 wrote: > Borgholio wrote: > >> Specifically, forwarding spam to the FTC or FDA or whatever. I'm only >> going to forward phishing, Nigerian, and other similar scams. I'm >> getting so much spam now, that although Spamcop's paid service is >> working VERY well, forwarding it to many 3rd parties results in bounce >> messages due to the sheer volume of SPAM I'm trying to forward. It's >> too much hassle breaking it up into various categories, then each >> category into chunks small enough to forward. I'll settle for Spamcop >> reporting. > > > Facing a similar problem, my approach is to report only that spam that > isn't already listed in other major blocklists like spamhaus xbl+sbl, > sorbs, spews, ahbl and dsbl and when it doesn't originate from china or > korea. This cuts down my spamcop usage. > > It is all done by scripts that look in the header of e-mails, it would > be a nightmare to manually sort it out. > > Ejo Since I use all the blacklists in my Spamcop filter system, I could simply manually report spam that slips through. That'd be a pretty good indicator that it's not already on major blacklists. :) From nobody at example.com Wed Nov 2 09:55:10 2005 From: nobody at example.com (John Smith) Date: Wed Nov 2 05:01:07 2005 Subject: [SpamCop-List] Spammer? Poplist.fr Message-ID: I've received an invitation "to confirm [my] subscription" to Poplist.fr, which (according to their web site) is an e-mail marketing company. Naturally, I never subscribed. But surprisingly, they say that if I don't confirm my subscription, they won't mail me again. If you received such an e-mail and want to report it as spam, you are within your rights to do so. But I'm not going to report it because I'd rather receive spam like this (which will go away if I ignore it) than the kind of junk I currently receive. (By the way, this company does everything is in French. I translated the quote.) From bar_n0ne at hotmail.com Wed Nov 2 14:06:49 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Nov 2 05:11:15 2005 Subject: [SpamCop-List] Re: Spammer? Poplist.fr References: Message-ID: "John Smith" wrote in message news:dka2du$ko6$1@news.spamcop.net... > I've received an invitation "to confirm [my] subscription" to > Poplist.fr, which (according to their web site) is an e-mail marketing > company. Naturally, I never subscribed. But surprisingly, they say that > if I don't confirm my subscription, they won't mail me again. > > If you received such an e-mail and want to report it as spam, you are > within your rights to do so. But I'm not going to report it because I'd > rather receive spam like this (which will go away if I ignore it) than > the kind of junk I currently receive. > > (By the way, this company does everything is in French. I translated the > quote.) All over NANAE today too, I'm beginning to think it's a cheap-ass way to advertise their newsletter. I also received this. http://groups.google.ca/group/news.admin.net-abuse.email/browse_thread/thread/953d33e9449837ad/1098cfee6fc411ba?hl=en#1098cfee6fc411ba sorry, but I'm sure OE and other newsreaders will break up the link. From nobody at nowhere.invalid Wed Nov 2 11:14:50 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Nov 2 05:15:08 2005 Subject: [SpamCop-List] Re: Spammer? Poplist.fr References: Message-ID: On Wed, 02 Nov 2005 09:55:10 +0000, John Smith coughed into spamcop and left this in : > But surprisingly, they say that if I don't confirm my subscription, > they won't mail me again. In that case, they're doing the Right Thing(tm). > If you received such an e-mail and want to report it as spam, you are > within your rights to do so. It makes a refreshing change to see an e-mail marketer doing the Right Thing(tm) for once. Reporting requests for confirmation as spam is not exactly going to encourage this correct MO. -- Steve Let's call it an accidental feature. -- Larry Wall From nobody at xyzzy.claranet.de Wed Nov 2 11:04:15 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Nov 2 05:20:13 2005 Subject: [SpamCop-List] Website down (?) Message-ID: <43688F1F.FEA@xyzzy.claranet.de> Hi, apparently the Web site is down (10:00 GMT, and it was already down from my POV at 6:00 GMT). Ping okay, and quick reports work. Bye, Frank From nobody at xyzzy.claranet.de Wed Nov 2 12:58:59 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Wed Nov 2 07:05:03 2005 Subject: [SpamCop-List] Re: Website down (?) References: <43688F1F.FEA@xyzzy.claranet.de> Message-ID: <4368AA03.4B93@xyzzy.claranet.de> > apparently the Web site is down No, it's not, it was only _very_ slow to show up. It forced me to learn the art of reporting with two windows: First window to report the "next" pending submission, oldest to newer, secondary windows opened with links in the SC confirmation mails, newest to older. Bye, Frank From mikeyhsd at sport.rr.com Wed Nov 2 07:21:44 2005 From: mikeyhsd at sport.rr.com (mikeyhsd) Date: Wed Nov 2 08:25:05 2005 Subject: [SpamCop-List] Re: black list reporting References: Message-ID: here is a link http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46adez mikeyhsd@sport.rr.com "mikeyhsd" wrote in message news:dk90v5$42h$1@news.spamcop.net... > will post the reporting link tomorrow. when i get more mails. > > mikeyhsd@sport.rr.com > "geo_splash_12" wrote in message > news:dk8mh7$u9o$1@news.spamcop.net... >> mikeyhsd wrote: >>> where do you send ddresses to for black list reporting. >>> >>> am getting 20-30 emails a day from this idiot. all in unreadable hen >>> scratching. I will not install a language pack just to red this garbage. >>> >>> >>> Re: 125.57.106.93 (Administrator of network where email originates) >>> To: ip@cjdream.com (Notes) >>> To: ip@dreamline.co.kr (Notes) >>> >>> Re: http://www.gyakuten5.net/?dog (Administrator of network hosting >>> website referenced in spam) >>> To: abuse@elim.net (Notes) >>> >>> it ws using a yahoo mail account from australia, got it cancelled. >>> >>> every mail has been reported to spam cop reporting. >>> >>> mikeyhsd@sport.rr.com >> >> Please show us spamcop tracking url so that we understand what you're >> talking about. > From nobody at spamcop.net Wed Nov 2 09:22:39 2005 From: nobody at spamcop.net (Ellen) Date: Wed Nov 2 09:25:06 2005 Subject: [SpamCop-List] System outages/instability Message-ID: Morning folks -- yes we are having system problems and operations/engineering is working the issues. You may see failures trying to log-in or other error messages. Please do not try to change your password as this will not solve the problem. The problems will probably continue sporadically. There is no ETA right now for complete resolution but this is being treated by everyone as a priority 1 situation. Thank you for your patience! The email system is not affected. I suppose the good news is that there will still be shiney new spams to report after the problems are resolved -- and that is also the bad news .... Ellen SpamCop follow-ups to SpamCop Please propagate to the forums From nospam at nospam.org Wed Nov 2 15:42:37 2005 From: nospam at nospam.org (geo_splash_12) Date: Wed Nov 2 09:45:03 2005 Subject: [SpamCop-List] Re: black list reporting In-Reply-To: References: Message-ID: mikeyhsd wrote: > here is a link > http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46adez I do not understand the first few header lines where the spamcop parser complains about IP 10.93.46.16. Where does this come from, is this correct? Furthermore the link shows that abuse reports were sent to the administrators of 125.57.108.71 (in the .kr domain), but apparently this IP is not listed within spamcop. (Korean / Chinese spam is almost impossible to get rid off, maybe consider to install your own specific filters for this problem. Finally abuse reports are sent because of a link within the spam, 211.112.18.18 which is within the elim.com domain. Ejo From jeffg at spamcop.net Wed Nov 2 10:31:17 2005 From: jeffg at spamcop.net (Jeff G.) Date: Wed Nov 2 10:35:03 2005 Subject: [SpamCop-List] Re: System outages/instability References: Message-ID: "Ellen" wrote in message news:dkai7l$sj1$1@news.spamcop.net... > Morning folks -- yes we are having system problems and > operations/engineering is working the issues. ... > Please propagate to the forums Done. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From bill6 at wanadoo.fr Wed Nov 2 17:31:07 2005 From: bill6 at wanadoo.fr (cd) Date: Wed Nov 2 11:25:04 2005 Subject: [SpamCop-List] help u ? Message-ID: error I obtain : No userid found, sorry. Copyright (C) 1998-2005, IronPort Systems, Inc. All rights reserved. HTML4 / CSS2 Firefox recommended - Policies and Disclaimers putRow Table 'prefs' was not locked with LOCK TABLES (1100)/sc? putRow Table 'prefs' was not locked with LOCK TABLES (1100)/sc? cd From bill6 at wanadoo.fr Wed Nov 2 18:01:13 2005 From: bill6 at wanadoo.fr (cd) Date: Wed Nov 2 11:55:02 2005 Subject: [SpamCop-List] error message when "unsend report" Message-ID: Gateway Timeout The proxy server did not receive a timely response from the upstream server. Reference #1.93ec0f50.1130950178.977ea92 From bill6 at wanadoo.fr Wed Nov 2 18:06:55 2005 From: bill6 at wanadoo.fr (cd) Date: Wed Nov 2 12:05:03 2005 Subject: [SpamCop-List] Unreported Spam Saved: Report Now = message report : Message-ID: Gateway Timeout The proxy server did not receive a timely response from the upstream server. Reference #1.93ec0f50.1130950735.980cbb9 From nospam at dev.null Wed Nov 2 19:02:06 2005 From: nospam at dev.null (No Spam) Date: Wed Nov 2 12:05:07 2005 Subject: [SpamCop-List] Re: What Happened Here? In-Reply-To: References: <43668D01.6AD546B7@SpamCop.net.dev.null> Message-ID: Mike Easter wrote: > Michael Brennan" <"Michael Brennan Nobody wrote: > >>Regarding a Report Here: >> > > www.spamcop.net/sc?id=z821657304z827f981d88b239c3f1866b40f5ae8639z > >>I got the original parse back in the SpamCop Autoreply and saw that >>the SpamCop parser hadn't been able to resolve a spampage in the >>advertisement, > snip... > >>http://ream2gn.mort60sec.net/3/index/omega/i6eetdt > snip... > > > If you are doing a domainname registration information attack, you do > that with yesnic, and I think the best way to do it is with the form > process at internic.http://wdprs.internic.net/ Whois Data Problem > Report System > > > Same party (all whois details as at time of reporting from WDPRS report) saving-your-money.net - Reported 16/07/2005 via WDPRS (still active) Domain Name: SAVING-YOUR-MONEY.NET Registrar: ENOM, INC. Whois Server: whois.enom.com Referral URL: http://www.enom.com Name Server: NS1.XZMAK.COM Name Server: NS2.XZMAK.COM Name Server: NS3.XZMAK.COM Name Server: NS4.XZMAK.COM Name Server: NS6.XZMAK.COM Status: REGISTRAR-LOCK Updated Date: 06-jul-2005 Creation Date: 06-jul-2005 Expiration Date: 06-jul-2006 REGISTRAR WHOIS: Registration Service Provided By: NameCheap.com Contact: support@NameCheap.com Visit: http://www.namecheap.com/ Domain name: saving-your-money.net Registrant Contact: American Financial Ronald Hentington (americanfinancial2005@yahoo.co.uk) +1.2063384168 Fax: +1.2063384168 759 Mount Pleasant Road Toronto, ON M4S 2N4 CA .... EASYRATE-LOANS.COM Reported 03/07/2005 via WDPRS (still active!!) Domain Name: EASYRATE-LOANS.COM Registrar: TUCOWS INC. Whois Server: whois.opensrs.net Referral URL: http://domainhelp.tucows.com Name Server: NS1.XZMAK.COM Name Server: NS2.XZMAK.COM Name Server: NS3.XZMAK.COM Name Server: NS4.XZMAK.COM Name Server: NS5.XZMAK.COM Name Server: NS6.XZMAK.COM Status: ACTIVE Updated Date: 15-jun-2005 Creation Date: 14-jun-2005 Expiration Date: 14-jun-2006 WHOIS INFORMATION AS OF 2005/07/03 13:45:20 REGISTRAR WHOIS: Registrant: America Financial 759 Mount Pleasant Road Toronto, Ontario M4S 2N4 CA Domain name: EASYRATE-LOANS.COM Administrative Contact: Hentington, Ronald americanfinancial2005@yahoo.co.uk 759 Mount Pleasant Road Toronto, Ontario M4S 2N4 CA +1.2063384168 Fax: +1.2063384168 EASYRATE-LOANS.COM Reported 03/07/2005 via WDPRS (Now on hold) Domain Name: XZMAK.COM Registrar: TUCOWS INC. Whois Server: whois.opensrs.net Referral URL: http://domainhelp.tucows.com Name Server: NS1.XZMAK.COM Name Server: NS2.XZMAK.COM Name Server: NS3.XZMAK.COM Name Server: NS4.XZMAK.COM Name Server: NS5.XZMAK.COM Name Server: NS6.XZMAK.COM Status: ACTIVE Updated Date: 15-jun-2005 Creation Date: 14-jun-2005 Expiration Date: 14-jun-2006 WHOIS INFORMATION AS OF 2005/07/03 13:45:23 REGISTRAR WHOIS: Registrant: America Financial 759 Mount Pleasant Road Toronto, Ontario M4S 2N4 CA Domain name: XZMAK.COM Administrative Contact: Hentington, Ronald americanfinancial2005@yahoo.co.uk 759 Mount Pleasant Road Toronto, Ontario M4S 2N4 CA +1.2063384168 Fax: +1.2063384168 Now the interesting thing: Address is that of a bookshop!! Bookstore is well publisized on the internet and most likely source of stolen details: http://www.google.com/search?hl=en&lr=&q=%22759+Mount+Pleasant%22++Toronto&btnG=Search Interesting caveat: Since reports were filed, Contact Editions (the bookshop has moved). However, party has a record of fraulent "borrowing" of addresses http://www.obliquity.com/computer/spambait/theft11.html Re tel nr +1.2063384168: http://www.numberingplans.com/?page=analysis&sub=phonenr says: Information on phone number range +1 206 338XXXX Number billable as geographic number Country or destination United States City or exchange location Seattle, WA Original network provider* International Telcom, Ltd. - Wa So, yes, Jegg G's comment is extremely appropriate and I agree: "If I could just get Tucows' whois.opensrs.net to respond more than ~20% of the time, that would be helpful. :) " Cheers E From nospam at nospam.org Wed Nov 2 18:21:23 2005 From: nospam at nospam.org (geo_splash_12) Date: Wed Nov 2 12:25:03 2005 Subject: [SpamCop-List] Re: black list reporting In-Reply-To: <07nhm1d3q8qh12669tsqr75urcal0junfq@4ax.com> References: <07nhm1d3q8qh12669tsqr75urcal0junfq@4ax.com> Message-ID: Kenneth Loafman wrote: > On Wed, 02 Nov 2005 15:42:37 +0100, geo_splash_12 > wrote: > > >>mikeyhsd wrote: >> >>>here is a link >>>http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46adez >> >>I do not understand the first few header lines where the spamcop parser >>complains about IP 10.93.46.16. Where does this come from, is this correct? >> >>Furthermore the link shows that abuse reports were sent to the >>administrators of 125.57.108.71 (in the .kr domain), but apparently this >>IP is not listed within spamcop. >> >>(Korean / Chinese spam is almost impossible to get rid off, maybe >>consider to install your own specific filters for this problem. >> >>Finally abuse reports are sent because of a link within the spam, >>211.112.18.18 which is within the elim.com domain. > > > 10.93.46.16 is thrown away because its part of a private network, not > routable. Possibly part of the rr.com internal net. In that case there might be something like a router configuration problem in the network, something like a linux mail handler returning a local network IP in the mail header rather than the IP number assigned to the subnet handled by the router. > > 0.0.0.0/8 - broadcast network > 10.0.0.0/8 - RFC 1918 private network > 127.0.0.0/8 - loopback network > 169.254.0.0/16 - link local network > 172.16.0.0/12 - RFC 1918 private network > 192.0.2.0/24 - TEST-NET network > 192.168.0/16 - RFC 1918 private network > 224.0.0.0/4 - class D multicast network > 240.0.0.0/5 - class E reserved network > 248.0.0.0/5 - reserved network > > Another SC poster put this together. Thanks. > > ...Ken From nobody at spamcop.net Wed Nov 2 10:30:22 2005 From: nobody at spamcop.net (N. Miller) Date: Wed Nov 2 13:35:05 2005 Subject: [SpamCop-List] Re: Spammer? Poplist.fr References: Message-ID: On Wed, 02 Nov 2005 09:55:10 +0000, John Smith wrote: > I've received an invitation "to confirm [my] subscription" to > Poplist.fr, which (according to their web site) is an e-mail marketing > company. Naturally, I never subscribed. But surprisingly, they say that > if I don't confirm my subscription, they won't mail me again. > > If you received such an e-mail and want to report it as spam, you are > within your rights to do so. But I'm not going to report it because I'd > rather receive spam like this (which will go away if I ignore it) than > the kind of junk I currently receive. > > (By the way, this company does everything is in French. I translated the > quote.) You have no way to know whether they bought a list, and are trying to clean it up (bad thing), or somebody attempted to "forge subscribe" you to the list, and they were just verifying the subscription request (good thing). Given the fact that you can't distinguish the one from the other, you should just treat it as the result of a "forge subscription" attempt, and that the list manager is trying to do the "right thing". -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From jeffg at spamcop.net Wed Nov 2 14:44:03 2005 From: jeffg at spamcop.net (Jeff G.) Date: Wed Nov 2 14:55:09 2005 Subject: [SpamCop-List] Re: black list reporting References: <07nhm1d3q8qh12669tsqr75urcal0junfq@4ax.com> Message-ID: "geo_splash_12" wrote in message news:dkasik$2uu$1@news.spamcop.net... > Kenneth Loafman wrote: > > On Wed, 02 Nov 2005 15:42:37 +0100, geo_splash_12 > > wrote: > > > > > >>mikeyhsd wrote: > >> > >>>here is a link > >>>http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46 adez > >> > >>I do not understand the first few header lines where the spamcop parser > >>complains about IP 10.93.46.16. Where does this come from, is this correct? > >> > >>Furthermore the link shows that abuse reports were sent to the > >>administrators of 125.57.108.71 (in the .kr domain), but apparently this > >>IP is not listed within spamcop. > >> > >>(Korean / Chinese spam is almost impossible to get rid off, maybe > >>consider to install your own specific filters for this problem. > >> > >>Finally abuse reports are sent because of a link within the spam, > >>211.112.18.18 which is within the elim.com domain. > > > > > > 10.93.46.16 is thrown away because its part of a private network, not > > routable. Possibly part of the rr.com internal net. > > In that case there might be something like a router configuration > problem in the network, something like a linux mail handler returning a > local network IP in the mail header rather than the IP number assigned > to the subnet handled by the router. It is part of the rr.com internal net. rr.com generally has several mailservers process an incoming email message before it is delivered to the intended recipient, and some of those are on its internal network. This is nothing to be concerned about. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From tnathan at idyllicsys.com Wed Nov 2 20:32:24 2005 From: tnathan at idyllicsys.com (Ted Nathan) Date: Wed Nov 2 20:35:03 2005 Subject: [SpamCop-List] Spoofed Message Causing ISP shutdowns Message-ID: I am new to this group, but I have a problem and this seemed to be the first logical place to look for an answer. I have a client who had a marketing company create a news piece from distribution via e-mail. Unfortunately, it was sent out prematurely and to people who did not ask for it, thus it was spam. They understand the mistake that was made, especially when Google and Microsoft start screaming at you. So this was strike one. A few days later, some kid out of France sent the exact same announcement out as spam again. Microsoft and Google and others called the ISP and had them shutdown. And it happened again today. What can i do to protect my client from this happening again? I know how to stop spam from coming in and going out of my clients' networks, but how do you every kid in the world from shutting down your business? TIA Ted From tnathan at idyllicsys.com Wed Nov 2 20:32:24 2005 From: tnathan at idyllicsys.com (Ted Nathan) Date: Wed Nov 2 20:40:02 2005 Subject: [SpamCop-List] Spoofed Message Causing ISP shutdowns Message-ID: I am new to this group, but I have a problem and this seemed to be the first logical place to look for an answer. I have a client who had a marketing company create a news piece from distribution via e-mail. Unfortunately, it was sent out prematurely and to people who did not ask for it, thus it was spam. They understand the mistake that was made, especially when Google and Microsoft start screaming at you. So this was strike one. A few days later, some kid out of France sent the exact same announcement out as spam again. Microsoft and Google and others called the ISP and had them shutdown. And it happened again today. What can i do to protect my client from this happening again? I know how to stop spam from coming in and going out of my clients' networks, but how do you every kid in the world from shutting down your business? TIA Ted From mwnospam at comcast.net Wed Nov 2 21:31:56 2005 From: mwnospam at comcast.net (spamacyde) Date: Wed Nov 2 21:35:03 2005 Subject: [SpamCop-List] Messages with No Subject Header and No Message Body (Again) Message-ID: Over the past three days, 95% of the spam I've been getting contains no message subject and no body. This supports my contention that spammy's motivations are political rather than financial. Or perhaps spammy is pissed off at my reporting efforts. Anybody else experiencing a rash of blank emails? From MikeE at ster.invalid Wed Nov 2 18:58:01 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 2 22:00:02 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns References: Message-ID: Ted Nathan wrote: > I am new to this group, but I have a problem and this seemed to be the > first logical place to look for an answer. Bear in mind that there are skeptics in here. Including me. > I have a client who had a marketing company create a news piece from > distribution via e-mail. Unfortunately, it was sent out prematurely > and to people who did not ask for it, thus it was spam. Some people say, 'Once a spammer always a spammer; the spammer just tries to figure out ways to cover hir tracks.' > They > understand the mistake that was made, especially when Google and > Microsoft start screaming at you. So this was strike one. It doesn't matter whether it was google or MS or spamcop or whoever. Unsolicited mail is going to get reported various ways. There are blocklists for spamsources and their are also blocklists such as spews which target the spamvertiser. > A few days later, some kid out of France sent the exact same > announcement out as spam again. Now you are alleging what? That your spamvertiser client commissioned a spammer to use a .fr spamsource? That all of a sudden the once spammer is now a victim of a joe-job pretending to be spamvertising your client? Of the two, it is more likely that your client is the spamvertiser and the spamsource is somehow the .fr 'kid'. > Microsoft and Google and others called > the ISP and had them shutdown. And it happened again today. That's what happens when you are spamvertised and your website provider doesn't believe the hokey spamvertiser story. Antispammers have heard spammer lies before. The first 2 rules about spammers is that spammers lie. > What can i do to protect my client from this happening again? I think your client's reputation is shot. I think your client should get out of the spamvertising business. Maybe they should consider sinking some big bucks into a snail mail campaign. That is 'legitimate' unsolicited bulk marketing mailing. > I know > how to stop spam from coming in and going out of my clients' networks, You haven't proven that to anyone involved yet. > but how do you every kid in the world from shutting down your > business? How to you keep every spammer in the world from screaming, "I've been joe-jobbed! I didn't send out the spam spamvertising my product." The answer is, I guess you don't. No one is interested in hearing the spamvertiser joejob story unless you can prove it, which you can't. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Nov 2 19:00:52 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 2 22:05:04 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: spamacyde wrote: > Over the past three days, 95% of the spam I've been getting contains > no message subject and no body. This supports my contention that > spammy's motivations are political rather than financial. Or perhaps > spammy is pissed off at my reporting efforts. Anybody else > experiencing a rash of blank emails? Not I. Anytime you think there is some kind of extra special unique situation going on, you should consider the more likely possibities. It isn't likely that someone is intentionally spewing out payload-less spams. It is more likely that something is broken. Some zombies are very fragile. If the zombie is b0rken, its performance is whacky. -- Mike Easter kibitzer, not SC admin From g.hyde at bigpond.net.au Thu Nov 3 13:45:26 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Wed Nov 2 22:50:06 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns References: Message-ID: "Mike Easter" wrote in message news:dkbubq$lbe$1@news.spamcop.net... > Ted Nathan wrote: > >> I am new to this group, but I have a problem and this seemed to be the >> first logical place to look for an answer. > > Bear in mind that there are skeptics in here. Including me. I'm pretty skeptical, too. Especially after checking his posting host and the from address listed on the news message. They both resolve to apparently unrelated hosts. >> I have a client who had a marketing company create a news piece from >> distribution via e-mail. Unfortunately, it was sent out prematurely >> and to people who did not ask for it, thus it was spam. > > Some people say, 'Once a spammer always a spammer; the spammer just > tries to figure out ways to cover hir tracks.' Either that or someone needs another award. >> They >> understand the mistake that was made, especially when Google and >> Microsoft start screaming at you. So this was strike one. > > It doesn't matter whether it was google or MS or spamcop or whoever. > Unsolicited mail is going to get reported various ways. There are > blocklists for spamsources and their are also blocklists such as spews > which target the spamvertiser. Fact is they probably encountered someone new to spamming, as it seems such people are commonplace. Then this person comes here and tries to get himself off. I rather doubt it'll be happy days for him anytime soon. >> A few days later, some kid out of France sent the exact same >> announcement out as spam again. > > Now you are alleging what? That your spamvertiser client commissioned a > spammer to use a .fr spamsource? That all of a sudden the once spammer > is now a victim of a joe-job pretending to be spamvertising your client? > Of the two, it is more likely that your client is the spamvertiser and > the spamsource is somehow the .fr 'kid'. Either that or they are their partner in spamming. It sounds just as likely as a legitimate corporation accidentally hiring a spammer to do their marketing work, and promptly getting landed in the SCBL et al like a fish hooked by a worm on a fishing line. >> Microsoft and Google and others called >> the ISP and had them shutdown. And it happened again today. > > That's what happens when you are spamvertised and your website provider > doesn't believe the hokey spamvertiser story. Antispammers have heard > spammer lies before. The first 2 rules about spammers is that spammers > lie. Rule #3, if spammer complains that they're not lying refer them to rules #1 and #2. >> What can i do to protect my client from this happening again? > > I think your client's reputation is shot. I think your client should > get out of the spamvertising business. Maybe they should consider > sinking some big bucks into a snail mail campaign. That is 'legitimate' > unsolicited bulk marketing mailing. They should announce a "going out of buisness" sale, or advertise their real estate that they own for sale or rent. Or if they're renting, see if they can avoid getting entangled in their renter's penalty clause. Other than that probably quit being a target. >> I know >> how to stop spam from coming in and going out of my clients' networks, > > You haven't proven that to anyone involved yet. It probably means they filter their incoming mail for junk like most spammers probably would, so this spamcop report is just another spam item to them. If they want to prove they're legitimate and have some kind of legitimate reason to be mailing people who do want their news letter, let them prove it. >> but how do you every kid in the world from shutting down your >> business? > > How to you keep every spammer in the world from screaming, "I've been > joe-jobbed! I didn't send out the spam spamvertising my product." > > The answer is, I guess you don't. > > No one is interested in hearing the spamvertiser joejob story unless you > can prove it, which you can't. It would be interesting indeed, if he tries to prove it. I really was wondering if this guy was a spammer trying to get off the SCBL et al. -- Cheers ... Geoffrey Hyde From MikeE at ster.invalid Wed Nov 2 19:45:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 2 22:50:11 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns References: Message-ID: Just so we can talk about some real stuff instead of some kind of imaginary hypothesis. Ted Nathan wrote: > I have a client who had a marketing company create a news piece from > distribution via e-mail. What was the website being spamvertised? that is, provide a link. > So this was strike one. Does that mean that a website provider shut them down? Which one? > A few days later, some kid out of France sent the exact same > announcement out as spam again. Does that mean that you can actually name the 'kid'? Or are you just making something up? If you can't name the kid, name the IP address that you are alleging sent out spam against the wishes of your client. > Microsoft and Google and others called > the ISP and had them shutdown. Does that mean that another different website provider shut down the spamvertised site again, or the same website provider shut down the same spamvertising website again? > And it happened again today. Does that mean that your spamvertising client has been shut down for spamvertising 3 times? By the same website provider or by different ones? Is your client listed in spamhaus in the Registry of Known Spam Operations database of professional spam operations that have been terminated by a minimum of 3 Internet Service Providers for spam offenses? Is your role in all of this to be lied to by your spamvertising client who is claiming to be innocent of spamvertising, or what? > What can i do to protect my client from this happening again? What exactly are you claiming is 'happening'? Explain in exact detail what you mean 'happening again'. Presumably this http://www.idyllicsys.com/default.htm is 'you' which domainname is registered to Ted Nathan -- ie the company who has the as yet unnamed spamvertiser client. Who/what is the client? -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Nov 2 20:09:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 2 23:10:03 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns References: Message-ID: Geoffrey Hyde wrote: > Especially after checking his posting > host and the from address listed on the news message. They both > resolve to apparently unrelated hosts. His posting host is just an EarthLink cable modem running on TW/RR infrastructure in Michigan, while his posted address is that of his company's domainname and mailserver, which company is also based in MI. Nothing odd about all that. -- Mike Easter kibitzer, not SC admin From nospam at nospam.nl Thu Nov 3 05:25:00 2005 From: nospam at nospam.nl (geo_splash_12) Date: Wed Nov 2 23:30:02 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns In-Reply-To: References: Message-ID: Ted Nathan wrote: > I am new to this group, but I have a problem and this seemed to be the > first logical place to look for an answer. > > I have a client who had a marketing company create a news piece from > distribution via e-mail. Unfortunately, it was sent out prematurely > and to people who did not ask for it, thus it was spam. They > understand the mistake that was made, especially when Google and > Microsoft start screaming at you. So this was strike one. > > A few days later, some kid out of France sent the exact same > announcement out as spam again. Microsoft and Google and others called > the ISP and had them shutdown. And it happened again today. > > What can i do to protect my client from this happening again? I know > how to stop spam from coming in and going out of my clients' networks, > but how do you every kid in the world from shutting down your > business? If you want to start a discussion in this newsgroup, then we certainly would like to see a tracking URL of the e-mail examples that you discuss. > > TIA > > Ted From Nobody at SpamCop.net.dev.null Wed Nov 2 22:31:22 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Wed Nov 2 23:35:03 2005 Subject: [SpamCop-List] "Doctor" Slides Past Postini Message-ID: <4369929A.9545752E@SpamCop.net.dev.null> Posters to another newsgroup on an ISP that uses Postini filtering services are expressing frustration that they can't keep Leo Kuvayev's "Doctor"/"Online Pharmaceuticals" drug spams out of their mailboxes. Postini is apparently ineffectual at keeping them out. Leo's ring has a username list courtesy of a dictionary attack Michael Lindsay executed about 18 months ago. Recent example that I received: http://www.spamcop.net/sc?id=z821549247z6e7fe470733e39184cc65980fec5587cz Is there anything special about these spams, that would enable them to evade Postini's filtering? Michael B. From Nobody at SpamCop.net.dev.null Wed Nov 2 22:37:33 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Wed Nov 2 23:40:02 2005 Subject: [SpamCop-List] Telenor Rogers Up Message-ID: <4369940D.7F40987C@SpamCop.net.dev.null> I manually LARTed Telenor.net after a SpamCop note indicated they don't accept SpamCop reports "unmunged", or don't accept them at all. After about three days, I did get the right response from their abuse desk. ____________________________________________________________ >From : Telenor Abuse Response Team Sent : Wednesday, November 2, 2005 4:40 AM To : x CC : abuse@telenor.net Subject : Your Open Proxy Hosts Spamrun | | | Inbox At 23:44 CEST 2005-10-28 wrote: > Gentlemen: > > > Attached is a SpamCop notice I just sent up. Your server is being used for > spamruns. Please secure your server, thanks. > > > Best regards, > Michael Brennan > > _________________________________________________ > > > Help | Site Map We have added a block to this account, which we believe will stop further problems of this kind. The customer will also be notified. Please excuse the inconvenience. -- Abuse Response Team abuse@telenor.net Telenor _________________________________________________________________ Their response would seem to entitle Telenor to a white hat. Michael From spamcop-list-at-news.spamcop.net at musaic.net Thu Nov 3 07:26:14 2005 From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net) Date: Thu Nov 3 01:26:38 2005 Subject: [SpamCop-List] Telenor Rogers Up In-Reply-To: <4369940D.7F40987C@SpamCop.net.dev.null> References: <4369940D.7F40987C@SpamCop.net.dev.null> Message-ID: <253246689.20051103072614@musaic.net> > Their response would seem to entitle Telenor to a white hat. I am not sure - they are certainly slow taking down spamvertised sites unless the offender also sent spam from their network. This is a known trick amongst Scandinavian spammers: Spam from one network, make sure it is not affiliated with Telenor, spamvertised site is not taken down (except when illegal). We have seen sites alive for months this way - even a notorious slimming "remedy" spammer Rune Olav Halvorsrud got away with it spamvertising a bunch of illegal sites, illegal because the "companies" he spamvertised didn't exist *etc* *etc* Telenor did not act on any spam complaint unless the _mail_ was sent thru their servers. It didn't count that it the _websites_ had Telenor IPs assigned... Whitehat? Slow? Clueless? -- St PS! Michael, you added your comment below Telenor's signature limiter - which means that when replying to you message, everything except your comment was quoted (and I had to manually add it to the reply). May I recommend you to please edit your quotations a bit... ;) From Nobody at SpamCop.net.dev.null Thu Nov 3 00:44:44 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Thu Nov 3 01:45:03 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> Message-ID: <4369B1DC.216FBDCA@SpamCop.net.dev.null> Mike Easter wrote: > > Michael Brennan" > > Mike Easter wrote: > > > In order to keep the agencies in usably fresh > > product, I'd still have to sort and forward the items manually by > > content. > > I have no idea what that sentence means. I mean that sorting is content-based. Pharmacy spams go to one list (FDA, for their anti-diversion project, SpamCop parser, etc.), "phony Rolex" spams go to another (FBI CyberCrime, for the FBI's counterfeit-merchandise project, plus SpamCop and others), "mortgage" phishes to yet another (Secret Service FCD, Netcraft, BankSafeOnline U.K., SpamCop, etc.); and of course all the lists include Postini, which filters for my ISP (I don't use their service, but I don't mind feeding it), and the UCE group at FTC. That sorting has to be done manually. Then I send all the like-kind spams together as one "send" to each list, which is kept separately as an OE addressbook group. Michael From jg at coks.net Wed Nov 2 23:00:32 2005 From: jg at coks.net (jg) Date: Thu Nov 3 02:00:03 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) In-Reply-To: References: Message-ID: On 11/2/2005 7:00 PM Mike Easter scribbled: > spamacyde wrote: > >>Over the past three days, 95% of the spam I've been getting contains >>no message subject and no body. This supports my contention that >>spammy's motivations are political rather than financial. Or perhaps >>spammy is pissed off at my reporting efforts. Anybody else >>experiencing a rash of blank emails? > > > Not I. > > Anytime you think there is some kind of extra special unique situation > going on, you should consider the more likely possibities. > > It isn't likely that someone is intentionally spewing out payload-less > spams. It is more likely that something is broken. > > Some zombies are very fragile. If the zombie is b0rken, its performance > is whacky. > Having read that, I need to chime in that I have been getting an inordinate (for me) number of said blank crap in the past week - so something must indeed be borken - maybe a BIG zombie... From Nobody at SpamCop.net.dev.null Thu Nov 3 01:00:51 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Thu Nov 3 02:05:03 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> Message-ID: <4369B5A3.80C72E28@SpamCop.net.dev.null> "Jeff G." wrote: > > "Mike Easter" wrote in message > news:dk67su$kf7$1@news.spamcop.net... > > Michael Brennan" > > > In order to keep the agencies in usably fresh > > > product, I'd still have to sort and forward the items manually by > > > content. > > > > I have no idea what that sentence means. > > I think Michael is talking about doing manual sorting so that he can > keep sending the appropriate fresh spam (product) to the appropriate > Federal Agencies (FTC, FDA, FBI, etc.) Yes, exactly. Thanks. Sometimes time isn't necessarily of the essence, but I began to think in terms of timeliness when dealing with "pump & dump" spams that came in a few hours before the scheduled start of trading in New York. I wanted to make sure the SEC got those timely. On second thought, I might have forwarded them to the NASD or the NYSE as well. Talk about spoiling someone's play -- the exchanges can make that happen. Michael From g.hyde at bigpond.net.au Thu Nov 3 17:00:45 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Nov 3 02:10:02 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> Message-ID: I'm not an expert by any means, it sounds like you're filtering at a client-side level, unless you have access to some server-side filtering software (which is what most mailhost software for ISP applications lacks) really the only other thing I know of is to find the injecting IP and follow up with a formal complaint to the owner of that address. Which SpamCop has already done for you. The other thing that worries me is one spam is not much to worry about and it also is not much to go on either. Perhaps if you had multiple spams for people to examine they could give you a better idea of what to block. If the mail filtering software for the clients has some kind of filtering setup, you can set it up to reject these mails based on keywords in the message body of the spam. Pharmecuticals would be a good one, but if you don't have filtering software try googling for something, there are plenty of programs designed to filter out spam on the internet. A trainable filter can usually weed out spams like this with bogus keywords in the message body, or at least can be trained to recognize them. Cheers ... Geoffrey Hyde "Michael Brennan" wrote in message news:4369929A.9545752E@SpamCop.net.dev.null... > Posters to another newsgroup on an ISP that uses Postini filtering > services are expressing frustration that they can't keep Leo Kuvayev's > "Doctor"/"Online Pharmaceuticals" drug spams out of their mailboxes. > Postini is apparently ineffectual at keeping them out. Leo's ring has > a username list courtesy of a dictionary attack Michael Lindsay executed > about 18 months ago. > > Recent example that I received: > > http://www.spamcop.net/sc?id=z821549247z6e7fe470733e39184cc65980fec5587cz > > Is there anything special about these spams, that would enable them to > evade Postini's filtering? > > Michael B. From Nobody at SpamCop.net.dev.null Thu Nov 3 03:05:41 2005 From: Nobody at SpamCop.net.dev.null (Michael Brennan) Date: Thu Nov 3 04:10:23 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> Message-ID: <4369D2E5.248C5F34@SpamCop.net.dev.null> Geoffrey Hyde wrote: > > I'm not an expert by any means, it sounds like you're filtering at a > client-side level, unless you have access to some server-side filtering > software (which is what most mailhost software for ISP applications lacks) > really the only other thing I know of is to find the injecting IP and follow > up with a formal complaint to the owner of that address. Which SpamCop has > already done for you. Postini supposedly filters on the server side. ISP reroutes to Postini, who filters and sends it back. > The other thing that worries me is one spam is not much to worry about and > it also is not much to go on either. Perhaps if you had multiple spams for > people to examine they could give you a better idea of what to block. Well, as it happens, I just got another one since I posted that, and I reported it here: http://www.spamcop.net/sc?id=z822669466z253d826558df28c70266e653934148daz > A trainable filter > can usually weed out spams like this with bogus keywords in the message > body, or at least can be trained to recognize them. I made the same suggestion to the people on the other newsgroup who were complaining about these spams from this particular spammer, which appear to be unique in their ability consistently to defeat whatever Postini is doing. Regards, Michael From nobody at xyzzy.claranet.de Thu Nov 3 14:22:40 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Nov 3 08:25:03 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> Message-ID: <436A0F20.4804@xyzzy.claranet.de> > the geocities link problem is (again ?) as bad as always, Today's statistics: 27 + 41 + 13 + 24 + 50 = 155 reloads for 5 geospam reports, that's 31 reloads per report. Bye From MikeE at ster.invalid Thu Nov 3 07:29:06 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 10:30:04 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B1DC.216FBDCA@SpamCop.net.dev.null> Message-ID: Michael Brennan wrote: > Mike Easter wrote: >> >> Michael Brennan" >>> Mike Easter wrote: > > >> >>> In order to keep the agencies in usably fresh >>> product, I'd still have to sort and forward the items manually by >>> content. >> >> I have no idea what that sentence means. > > I mean that sorting is content-based. Pharmacy spams go to one list > (FDA, for their anti-diversion project, SpamCop parser, etc.), "phony > Rolex" spams go to another (FBI CyberCrime, for the FBI's > counterfeit-merchandise project, plus SpamCop and others), "mortgage" > phishes to yet another (Secret Service FCD, Netcraft, BankSafeOnline > U.K., SpamCop, etc.); and of course all the lists include Postini, > which filters for my ISP (I don't use their service, but I don't mind > feeding it), and the UCE group at FTC. > > That sorting has to be done manually. Then I send all the like-kind > spams together as one "send" to each list, which is kept separately as > an OE addressbook group. Now I understand, but.... Well, call me a 'grizzled old doubting Thomas' -- who has also learned on which battlefields or skirmishes to sacrifice my troops and where to not waste my efforts. I don't honestly believe that the FDA, FBI, FCD, et al actually open the spams which they are sent, but instead I think it is more likely that they are 'processed' by some kind of automated gizmo looking for something that they are currently 'working on'. And everything which isn't pertinent to what they are working on is just put into the big fat pile of stuff they aren't working on. Given that hypothetical scenario, that means that all of the effort you are going to to characterize and sort your spam into referral piles is 'wasted' -- depending upon your or my definition of wasted. It isn't wasted if you just like to be very very orderly, but it is probably wasted in terms of how well you have used your time sorting your spam for someone else who isn't looking at the results of the sorting. And that someone else probably has much more efficient methods for finding what they are looking for that your own sorting and characterizing methods. That being sed.... It would probably work just as well for you to create a little text which explains that you haven't sorted your spam and that you are sending it all to the various agencies -- and let them sort it out for themselves. That is, the FDA wouldn't be just getting pharm spam, the FDA would be getting all your spam. The financial crimes FCD wouldn't be getting just the mortgage spam, they would be getting all your spam. Color me skeptical, but it doesn't make much sense to me to have a human bean 'manually' handling all his spam, so as to have his human touch on what he sends to some big bad machine which is able to comb thru' millions of items an hour looking for just what it wants. That is, I don't think your activities represent one human spam recipient sending a copy of something to one human FDA agent. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Nov 3 07:48:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 10:50:02 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> Message-ID: Michael Brennan wrote: www.spamcop.net/sc?id=z821549247z6e7fe470733e39184cc65980fec5587cz > > Is there anything special about these spams, that would enable them to > evade Postini's filtering? Michael Brennan wrote: > Well, as it happens, I just got another one since I posted that, and I > reported it here: > www.spamcop.net/sc?id=z822669466z253d826558df28c70266e653934148daz I can't answer the question the way you posed it as a postini issue, but I can address the specifics of those two spams with a generality. For me, the most important characteristic of a spam is its headers; and my spamfilter 'likes' [and uses] blocklists. Those two spams were both sourced from IPs which are listed 'all over the place' -- that is, each had an IP in the headers and which the server received the item from, which was multilisted as an abused proxy/trojan spamsource. The IP of the 2nd was listed in CBL [spamtrap hits as a proxy/trojan] which puts it into SBL-XBL, another popular blocklist, NJABL-proxies [spamtrap hits as proxy/trojan] and SCbl [spamtrap and reporter as spamsource]. It was also listed in other blocklists, but those are the majors which a good filter could be paying attention to. The IP of the first was listed in CBL, DNSBL, SBL-XBL, and others. I didn't look at the spambody to see if it had body characteristics which might've been found by my filter's body plugin, because I don't like to look at spambodies unnecessarily. It wouldn't be necessary for my filter to even look at the body to tag it as a spam because of the blocklisted condition found in the headers. -- Mike Easter kibitzer, not SC admin From jg at coks.net Thu Nov 3 08:11:23 2005 From: jg at coks.net (jg) Date: Thu Nov 3 11:10:02 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? In-Reply-To: <4369B5A3.80C72E28@SpamCop.net.dev.null> References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null> Message-ID: On 11/2/2005 11:00 PM Michael Brennan scribbled: forwarded them to the NASD or the NYSE as well. Talk about spoiling > someone's play -- the exchanges can make that happen. > > Michael I've not seen anywhere that the NYSE gets actively involved. Have you? I do know that the NASD doesn't want to hear /anything/ unless the spam is proven to be from a NASD member - so says their site, or so /said/ their site - I haven't revisited it in a while. It makes sense - they have their own fish to fry with lame brokers, telemarketers, and so=called advisors... From nobody at xyzzy.claranet.de Thu Nov 3 18:03:44 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Nov 3 12:05:03 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> Message-ID: <436A42F0.38B2@xyzzy.claranet.de> Mike Easter wrote: > my spamfilter 'likes' [and uses] blocklists. Those two > spams were both sourced from IPs which are listed 'all > over the place' You checked this about 11 hours after Michael reported it, so maybe it was different when this stuff hit "postini" - just a random thought. Bye, Frank From MikeE at ster.invalid Thu Nov 3 09:37:22 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 12:40:03 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> <436A42F0.38B2@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Mike Easter wrote: > >> my spamfilter 'likes' [and uses] blocklists. Those two >> spams were both sourced from IPs which are listed 'all >> over the place' > > You checked this about 11 hours after Michael reported it, > so maybe it was different when this stuff hit "postini" - > just a random thought. Yeah, I tho't about that, but there wasn't any perfect way to address that issue. 218.238.26.80 got listed in cbl 2005-10-31 05:00 GMT -- but 220.84.164.47 didn't get listed there until 2005-11-03 07:00 GMT However, 220.84.164.47 got listed in DSBL last 2004 Oct, and it got listed in NJABL-proxies Sun Oct 24 06:22:23 2004 EST Since my filter uses both cbl & njabl [indirectly] as well as a number of others, it would have tagged both of those. Or, said another way, just using spamhaus sbl-xbl, which embraces cbl & njabl as well as blitzed, would have solved the problem. -- Mike Easter kibitzer, not SC admin From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 18:35:31 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 13:40:03 2005 Subject: [SpamCop-List] Re: Dave/Null not such a popular reporting address any longer References: <435FD71A.D1D5FCA0@SpamCop.net.dev.null> Message-ID: Steven Maesslein wrote in news:slrndm3ut5.3ra.nobody@127.0.0.1: > > They can pull "kr." out of the root DNS servers... > They can.. but they wont yank a complete country out. > Before: > > $ dig @a.root-servers.net kr in soa > > ; <<>> DiG 9.3.1 <<>> @a.root-servers.net kr in soa > ; (1 server found) > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49051 > ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 9 > > ;; QUESTION SECTION: > ;kr. IN SOA > > ;; AUTHORITY SECTION: > kr. 172800 IN NS A.DNS.kr. > kr. 172800 IN NS C.DNS.kr. > kr. 172800 IN NS B.DNS.kr. > kr. 172800 IN NS D.DNS.kr. > kr. 172800 IN NS E.DNS.kr. > kr. 172800 IN NS F.DNS.kr. > kr. 172800 IN NS G.DNS.kr. > > ;; ADDITIONAL SECTION: > A.DNS.kr. 172800 IN A 202.30.50.50 > C.DNS.kr. 172800 IN A 203.248.240.141 > B.DNS.kr. 172800 IN A 211.216.50.130 > D.DNS.kr. 172800 IN A 203.255.234.103 > E.DNS.kr. 172800 IN AAAA 2001:dcc:5::100 > E.DNS.kr. 172800 IN A 202.30.124.100 > F.DNS.kr. 172800 IN A 210.94.0.15 > G.DNS.kr. 172800 IN AAAA 2001:dc5:a::1 > G.DNS.kr. 172800 IN A 202.31.190.1 > > ;; Query time: 135 msec > ;; SERVER: 198.41.0.4#53(198.41.0.4) > ;; WHEN: Fri Oct 28 12:19:16 2005 > ;; MSG SIZE rcvd: 304 > > > Afterwards: > > $ dig @a.root-servers.net kr in soa > > ; <<>> DiG 9.3.1 <<>> @a.root-servers.net kr in soa > ; (1 server found) > ;; global options: printcmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16462 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 > > ;; QUESTION SECTION: > ;kr. IN SOA > > ;; AUTHORITY SECTION: > . 86400 IN SOA A.ROOT-SERVERS.NET. > NSTLD.VERISIGN-GRS.COM. 2005102701 1800 900 604800 86400 > > ;; Query time: 135 msec > ;; SERVER: 198.41.0.4#53(198.41.0.4) > ;; WHEN: Fri Oct 28 12:19:49 2005 > ;; MSG SIZE rcvd: 95 > > >:o) > Show off. :-) From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 18:35:33 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 13:40:07 2005 Subject: [SpamCop-List] Re: Dave/Null not such a popular reporting address any longer References: <435FD71A.D1D5FCA0@SpamCop.net.dev.null> Message-ID: "Geoffrey Hyde" wrote in news:djst5q$pp5$2@news.spamcop.net: > > And yet, they appear to have quite successfully setup a network that > allows spammers to easily target people outside of kornet/shinbiro ... > Probably because their routers probably still have the default password for admin access? > > Wow, I wonder what they'd say if somene handed them a trace utility > and a frequency tracer for the physical lines, and told them where to > go to find and fix the problem servers??? Or did they just happen to > be so bad at server installation that they accidentally forgot to > write down where these servers were installed. I smell a Korean rat > here, quite possibly the main nest. > I do too. It just goes beyond logic that they would be THAT clueless about this. > > Either they are very bad at managing their internet systems, or they > don't really care what our problems with their systems are. > My feeling has shifted between these two.. but usually average in between. On the one hand why care if they are making money, and why bother learning how to manage if there is nothing to care about. Simply plug and play, and that is it. > > From what you're telling me here, that could take a while. Do > you want to snail mail them some really big hints? ;) > I'm going to save my stamps. They've already received enough hints from enough people. :-) From porpoise1954 at yahoo.co.uk Thu Nov 3 18:24:42 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 3 13:45:02 2005 Subject: [SpamCop-List] Ping Mike E Message-ID: Mike, Can you make any sense out of this? I can't quite figga what I'm looking at........ http://www.spamcop.net/sc?id=z822825219zde4c34f6e5134c1955396a200fe3351ez From MikeE at ster.invalid Thu Nov 3 10:56:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 14:00:03 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> <4369D2E5.248C5F34@SpamCop.net.dev.null> Message-ID: Michael Brennan wrote: > Postini supposedly filters on the server side. ISP reroutes to > Postini, who filters and sends it back. The problem with that arrangement is that the healthiest and most efficient way to filter something at the server level would be to reject something very early in the transaction; namely in this case the sending IP could be the basis for the rejection at the gitgo. But that would depend upon the recipient server being able to reject the mail from the sending spamsource dynamic IP. But, if you have some kind of arrangement by which an ISP has accepted a mail for delivery, rejecting doesn't work any more, so then the only thing you can do with *everything* is to 'process it' and tag it as spam or not. That is, server level filtering is 'worthless' in that scenario you described. The recipient would want their server to do *zero* filtering, and the client should take care of all of their own filter-tagging with a client side filter. You can configure your own client side filter much better than most servers offer you; with the exception of a service such as spamcop's mail service. The server level filter in your described configuration wouldn't be able to reject mail correctly, so there is nothing healthy the server can do. Else it would belatedly bounce to bogus From or possibly lose goodmail. > I made the same suggestion to the people on the other newsgroup who > were complaining about these spams from this particular spammer, > which appear to be unique in their ability consistently to defeat > whatever Postini is doing. I don't know what postini is doing for the people who are complaining, but if I'm understanding the configuration correctly, the only thing you would want the server-side filter to do would be to tag the item for sorting. You wouldn't want it to do anything else. If I were going to be receiving all of my spam tagged for 'sorting' - I would rather be using my own client filter which would be much more configurable to my tastes than someone else's server. -- Mike Easter kibitzer, not SC admin From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:09:42 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 14:10:03 2005 Subject: [SpamCop-List] Re: chinese spam References: Message-ID: "mikeyhsd" wrote in news:djt8jd$9i$1 @news.spamcop.net: > seeing as how it is in chinese, I hve no REAL idea what it is. > but it has been reported to phishing.org to be safe. Can't be faulted for erring on the side of caution. :-) From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:14:41 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 14:15:04 2005 Subject: [SpamCop-List] Telenor Rogers Up References: <4369940D.7F40987C@SpamCop.net.dev.null> Message-ID: "St - Musaic.Net" wrote in news:mailman.115.1130999192.169.spamcop-list@news.spamcop.net: > > Whitehat? Slow? Clueless? > Probably greyhat. I'm not sure, but it would depend on what their TOS states. It may be out of date. ISPs used to kick out spammers if they sent spam using the ISP's own network. However, it became a grey area when it was only a hosted site. (As that the TOS made no mention about spamvertised hosted sites.) From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:26:30 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 14:30:02 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns References: Message-ID: "Mike Easter" wrote in news:dkbubq$lbe$1@news.spamcop.net: > Ted Nathan wrote: > >> I am new to this group, but I have a problem and this seemed to be >> the first logical place to look for an answer. > > Bear in mind that there are skeptics in here. Including me. > Am too. But am willing to give the benefit of the doubt sometimes. > >> They >> understand the mistake that was made, especially when Google and >> Microsoft start screaming at you. So this was strike one. > > It doesn't matter whether it was google or MS or spamcop or whoever. > Unsolicited mail is going to get reported various ways. There are > blocklists for spamsources and their are also blocklists such as spews > which target the spamvertiser. > MS and Google doesn't say anything unless they received a signficant amount of spam implicating a particular source. There must of been thousands if it got their attention and over a significant period of time too. From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:35:05 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 14:40:04 2005 Subject: [SpamCop-List] Re: Unreported Spam Saved: Report Now = message report : References: Message-ID: "cd" wrote in news:dkaran$20k$1@news.spamcop.net: > Gateway Timeout > The proxy server did not receive a timely response from the upstream > server. Reference #1.93ec0f50.1130950735.980cbb9 > > > These errors happen to me occasionally. I just wait about 5-15 minutes and it is fine after that. From nospam at nospam.nl Thu Nov 3 20:42:05 2005 From: nospam at nospam.nl (geo_splash_12) Date: Thu Nov 3 14:45:02 2005 Subject: [SpamCop-List] Re: Ping Mike E In-Reply-To: References: Message-ID: Porpoise wrote: > Mike, > > Can you make any sense out of this? I can't quite figga what I'm looking > at........ > > http://www.spamcop.net/sc?id=z822825219zde4c34f6e5134c1955396a200fe3351ez > > > Perhaps an incomplete mail header, or something that hasn't left a local domain. From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:57:04 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 15:00:03 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: jg wrote in news:dkccf2$sdk$1@news.spamcop.net: > On 11/2/2005 7:00 PM Mike Easter scribbled: > >> spamacyde wrote: >> >>>Over the past three days, 95% of the spam I've been getting contains >>>no message subject and no body. This supports my contention that >>>spammy's motivations are political rather than financial. Or perhaps >>>spammy is pissed off at my reporting efforts. Anybody else >>>experiencing a rash of blank emails? >> >> >> Not I. >> >> Anytime you think there is some kind of extra special unique >> situation going on, you should consider the more likely possibities. >> >> It isn't likely that someone is intentionally spewing out >> payload-less spams. It is more likely that something is broken. >> >> Some zombies are very fragile. If the zombie is b0rken, its >> performance is whacky. >> > Having read that, I need to chime in that I have been getting an > inordinate (for me) number of said blank crap in the past week - so > something must indeed be borken - maybe a BIG zombie... > About 10% of the spam I receive is like that. (It is even more broken than that since it sometimes chews up the spammer's fake headers too.) Either way, it is a disappointment to the spammer since all those zombies will be on the SCBL for spams without a payload. :-) From MikeE at ster.invalid Thu Nov 3 11:57:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 15:00:08 2005 Subject: [SpamCop-List] Re: Ping Mike E References: Message-ID: Porpoise wrote: > Mike, > > Can you make any sense out of this? I can't quite figga what I'm > looking at........ > www.spamcop.net/sc?id=z822825219zde4c34f6e5134c1955396a200fe3351ez It would be useful to know what mailbox you found that in. The structure of the topheader is from a server directly into a mailbox. [or alternatively a faulty server which didn't get its line stamped]. This would make the most sense if it were found in the mailbox of someone whose server were mx.kundenserver.de That mailbox would be being advised by the kundenserver.de server that the kundenserver server had received an item from 200.88.87.1 [which rDNS 1samana87.codetel.net.do] and calling itself srenterprises.co.uk in its helo. That item which kundenserver received allegedly contained a virus which the server stripped. The secondary or inline headers represent the headers of the mail which contained the virm. So, then, the kundenserver notified the 'mailbox' of the receipt of an item which was/ had been/ viral. If you didn't get that from a kundenserver mailbox or from someone who has a kundenserver mailbox, then I need to have some more information. -- Mike Easter kibitzer, not SC admin From dfm2a3l0t2 at spymac.com Thu Nov 3 15:21:36 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Thu Nov 3 15:25:03 2005 Subject: [SpamCop-List] [C&C] Responsible Spam Message-ID: A sample: > From: Maybelline Kane > Subject: What time is it? > > Hey, you, I'm blond, gorgeous, and I just turned 18! I set up a webcam in my > bedroom so people could watch me 24/7! However, the more I thought about it, > the more the whole thing seemed kind of creepy and demeaning. So I scrapped > that idea. -- D.F. Manno | dfm2a3l0t2@spymac.com But I'd rather be a free man in my grave Than living as a puppet or a slave. -Jimmy Cliff From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 20:22:57 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 15:25:09 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote in news:436A0F20.4804 @xyzzy.claranet.de: >> the geocities link problem is (again ?) as bad as always, > > Today's statistics: 27 + 41 + 13 + 24 + 50 = 155 reloads > for 5 geospam reports, that's 31 reloads per report. Bye > It was okay, up until today. I give up after 5 reloads. I don't get it as to why it is only the Geocities sites it is having a problem with. Is there a null character somewhere or what? From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 20:26:58 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 15:30:03 2005 Subject: [SpamCop-List] [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit Message-ID: http://news.bbc.co.uk/2/hi/technology/4400148.stm http://tinyurl.com/8hkzz http://www.informationweek.com/story/showArticle.jhtml?articleID=173402523 http://tinyurl.com/dnyzq It is enough that we are fighting zombies already. Now Sony is trying to turn people's PCs into semi-zombies with these rootkits. Punishing those people who BUY their CDs rather than download the pirated ones is not a way to conduct business. From nobody at spamcop.net Thu Nov 3 12:48:51 2005 From: nobody at spamcop.net (N. Miller) Date: Thu Nov 3 15:50:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: On Wed, 2 Nov 2005 21:31:56 -0500, spamacyde wrote: > Over the past three days, 95% of the spam I've been getting contains no > message subject and no body. This supports my contention that spammy's > motivations are political rather than financial. Or perhaps spammy is > pissed off at my reporting efforts. Anybody else experiencing a rash of > blank emails? You should never read more into spam then the spammer put into it. I got my blanks, though not as many, commencing about March 13, 2005. To an SBC Yahoo! DSL Service sub account. SpamGuar marked it as spam from the beginning, and never missed once. A lot of Comcast users have been pelted by that kind of spam. http://www.broadbandreports.com/forum/remark,14679759 My mother just got two, yesterday; also an SBC Yahoo! DSL Service account. Like mine, SpamGuard tagged these as spam, and moved them to the Bulk folder. I have forwarded them to SC, and will process them RSN. http://www.spamcop.net/sc?id=z822895002zf5bbf95208c038868bd26f20feac1262z http://www.spamcop.net/sc?id=z822896184z1423657b5e0367960d3580a56eb87d73z -- Norman ~Win dain a lotica, En vai tu ri, Si lo ta ~Fin dein a loluca, En dragu a sei lain ~Vi fa-ru les shutai am, En riga-lint From porpoise1954 at yahoo.co.uk Thu Nov 3 22:30:06 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 3 17:35:03 2005 Subject: [SpamCop-List] Re: Ping Mike E References: Message-ID: "Mike Easter" wrote in message news:dkdq2l$mi8$1@news.spamcop.net... > Porpoise wrote: >> Mike, >> >> Can you make any sense out of this? I can't quite figga what I'm >> looking at........ >> > > www.spamcop.net/sc?id=z822825219zde4c34f6e5134c1955396a200fe3351ez > > It would be useful to know what mailbox you found that in. It was received in an address at the srenterprises.co.uk domain served by the kundenserver mailservers (mailhosted). > > The structure of the topheader is from a server directly into a mailbox. > [or alternatively a faulty server which didn't get its line stamped]. That's the first strange bit I noticed > > This would make the most sense if it were found in the mailbox of > someone whose server were mx.kundenserver.de That's the case here > > That mailbox would be being advised by the kundenserver.de server that > the kundenserver server had received an item from 200.88.87.1 [which > rDNS 1samana87.codetel.net.do] and calling itself srenterprises.co.uk in > its helo. That's the first bit known to be fake, as that domain is where the mail was received and is nowhere near that IP (it's hosted at 1and1 [which is the kundenserver connection]) > > That item which kundenserver received allegedly contained a virus which > the server stripped Which is the next odd bit as I don't have the server anti-virus set - I usually get them in all their glory. > The secondary or inline headers represent the > headers of the mail which contained the virm. > > So, then, the kundenserver notified the 'mailbox' of the receipt of an > item which was/ had been/ viral. Which is odd - as I don't have the AV set on the server for any of the mailboxes at any of the domains I administer. > > > If you didn't get that from a kundenserver mailbox or from someone who > has a kundenserver mailbox, then I need to have some more information. Well, yes it was from a mailbox served by the kundenserver MXes - but I've never seen this type of occurrence before; it's decidedly odd, that's why I thought I'd put it up here for investigation. The only thing I could think of is that maybe they've got some sort of override for some certain type of virus or something, that does the AV bit on that particular virus even if the user has the server AV disabled!?! From MikeE at ster.invalid Thu Nov 3 14:53:31 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 17:55:02 2005 Subject: [SpamCop-List] Re: Ping Mike E References: Message-ID: Porpoise wrote: > "Mike Easter" > It was received in an address at the srenterprises.co.uk domain > served by the kundenserver mailservers (mailhosted). Ah, so. That makes sense. That explains the 'choice' of bogus helo by the source. >> That mailbox would be being advised by the kundenserver.de server >> that the kundenserver server had received an item from 200.88.87.1 >> [which rDNS 1samana87.codetel.net.do] and calling itself >> srenterprises.co.uk in its helo. > > That's the first bit known to be fake, as that domain is where the > mail was received and is nowhere near that IP > (it's hosted at 1and1 [which is the kundenserver connection]) Well, yes. Genuine fakiness in a helo is a dead giveaway. However, sometimes some things helo however they feel like -- not as a 'forgery' or intense bogosity, but rather as a 'moniker' or handle. In this case the 200.88.87.1 is of Santo Domingo in lacnic turf, so calling itself anything .uk is genuine fakiness bogosity not a 'moniker'. >> That item which kundenserver received allegedly contained a virus >> which the server stripped > > Which is the next odd bit as I don't have the server anti-virus set - > I usually get them in all their glory. I can't address your relationship with your server, but I can give you another example. EL has a 'policy' about handling virms that anytime they want, they can choose to turn on the virus blocker, whether I want it on or not. They call that an 'emergency' condition - but clearly an ISP considers it their perogative to handle incoming viral propagations however they feel like. >> The secondary or inline headers represent the >> headers of the mail which contained the virm. >> >> So, then, the kundenserver notified the 'mailbox' of the receipt of >> an item which was/ had been/ viral. > > Which is odd - as I don't have the AV set on the server for any of the > mailboxes at any of the domains I administer. I'm sticking to my theory. The other thing is that servers make mistakes about viruses based on non-viral structures. >> If you didn't get that from a kundenserver mailbox or from someone >> who has a kundenserver mailbox, then I need to have some more >> information. > > Well, yes it was from a mailbox served by the kundenserver MXes - but > I've never seen this type of occurrence before; it's decidedly odd, > that's why I thought I'd put it up here for investigation. The only > thing I could think of is that maybe they've got some sort of > override for some certain type of virus or something, that does the > AV bit on that particular virus even if the user has the server AV > disabled!?! Sure, for any of several reasons. It is possible you might get some information from them about it -- or maybe they don't want to talk about it -- or the people who know don't talk and the people who talk don't know. -- Mike Easter kibitzer, not SC admin From crappy.trappy at ntlworld.com Fri Nov 4 00:09:33 2005 From: crappy.trappy at ntlworld.com (Tim) Date: Thu Nov 3 19:10:04 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) In-Reply-To: References: Message-ID: spamacyde wrote: > Anybody else experiencing a rash of blank emails? A spammer firing blanks? Perhaps they should try their own W|@GRA ;) From not at home.today Fri Nov 4 01:01:11 2005 From: not at home.today (Ant) Date: Thu Nov 3 20:05:04 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> Message-ID: "Redstone" wrote: > Frank Ellermann wrote: >>> the geocities link problem is (again ?) as bad as always, >> >> Today's statistics: 27 + 41 + 13 + 24 + 50 = 155 reloads >> for 5 geospam reports, that's 31 reloads per report. Bye > > It was okay, up until today. I give up after 5 reloads. I no longer bother to refresh. It's a waste of my time. > I don't get it as to why it is only the Geocities sites it is > having a problem with. It also has trouble with others - notably the nick-nock-net. Previously it was chinatietong, but mostly those go through ok now. > Is there a null character somewhere No. Just plain-text URLs with no strange characters. > or what? That's what I'd like to know. No one from Spamcop has said a dicky-bird about it here. From g.hyde at bigpond.net.au Fri Nov 4 12:01:40 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Nov 3 21:15:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit References: Message-ID: I wonder if Sony is deliberately trying to help viruses and hackers get onto our computers? There are a whole bunch of phrases I can't use here but they're uncommonly apt phrases which would otherwise describe exactly how I feel. -- Cheers ... Geoffrey Hyde "Redstone" wrote in message news:Xns97037EA6B301Ftinlc@216.154.195.61... > http://news.bbc.co.uk/2/hi/technology/4400148.stm > http://tinyurl.com/8hkzz > > > http://www.informationweek.com/story/showArticle.jhtml?articleID=173402523 > http://tinyurl.com/dnyzq > > > It is enough that we are fighting zombies already. Now Sony is trying to > turn people's PCs into semi-zombies with these rootkits. Punishing those > people who BUY their CDs rather than download the pirated ones is not a > way > to conduct business. > From nobody at devnull.spamcop.net Fri Nov 4 11:29:30 2005 From: nobody at devnull.spamcop.net (Patto) Date: Thu Nov 3 21:30:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) In-Reply-To: References: Message-ID: spamacyde wrote: > Over the past three days, 95% of the spam I've been getting contains no > message subject and no body. This supports my contention that spammy's > motivations are political rather than financial. Or perhaps spammy is > pissed off at my reporting efforts. Anybody else experiencing a rash of > blank emails? Over at the Microsoft Outlook newsgroups there are literally hundreds of users complaining about blank spam. Most of them have never seen any before, so I think there really *is* more blank spam than before. Why? - Who cares! These messages are so easily filtered; either by BLs or other means. I haven't seen any for over a half year. From MikeE at ster.invalid Thu Nov 3 19:35:17 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 22:40:03 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns References: Message-ID: Ted Nathan wrote: > I have a client who had a marketing company create a news piece from > distribution via e-mail. I guess a little skepticism about his innocent spammer client caused that person to run away. Hopefully in the future he will be a little more circumspect of spammish clients. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.not Fri Nov 4 04:12:46 2005 From: nobody at nowhere.not (Robert Blair) Date: Thu Nov 3 23:15:02 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit References: Message-ID: On Fri, 4 Nov 2005 02:01:40 UTC, "Geoffrey Hyde" wrote: > I wonder if Sony is deliberately trying to help viruses and hackers get onto > our computers? My understanding is that they have removed the "stealth" feature so other no-goodniks can not use that feature to hide their trojans. But the damage has been done and I would imagine that the virus/trojans writers have already started to look at the code to see what they can do. Still I think it is a very bad idea and Sony should not be doing this. There is at least one other company doing the same thing so I would expect more companies doing it but have not been found out yet. -- Robert Blair From jeffg at spamcop.net Thu Nov 3 23:41:22 2005 From: jeffg at spamcop.net (Jeff G.) Date: Thu Nov 3 23:55:02 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns References: Message-ID: "Ted Nathan" wrote in message news:jcpim1lb4id2va4cge82o3orqfjhp5mnvu@4ax.com... > I am new to this group, but I have a problem and this seemed to be the > first logical place to look for an answer. > > I have a client who had a marketing company create a news piece from > distribution via e-mail. Unfortunately, it was sent out prematurely > and to people who did not ask for it, thus it was spam. They > understand the mistake that was made, especially when Google and > Microsoft start screaming at you. So this was strike one. > > A few days later, some kid out of France sent the exact same > announcement out as spam again. Microsoft and Google and others called > the ISP and had them shutdown. And it happened again today. > > What can i do to protect my client from this happening again? I know > how to stop spam from coming in and going out of my clients' networks, > but how do you every kid in the world from shutting down your > business? IF your client is truly innocent (a big IF given the skepticism of the crowd that has already replied to you), the best way to prove that is to put up a notice in large type at every webpage and image advertised in the email messages sent by the "kid out of France" that your client is the victim of a Joe Job (see http://forum.spamcop.net/forums/index.php?showtopic=4473&st=0&p=29916&#Joe for details), and what actions you and/or your client are taking or have taken to stop the Joe Job. Of course, posting details (hard facts) would help to convince us. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Thu Nov 3 23:49:51 2005 From: jeffg at spamcop.net (Jeff G.) Date: Fri Nov 4 00:00:02 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null> Message-ID: "jg" wrote in message news:dkdcnt$eji$1@news.spamcop.net... > On 11/2/2005 11:00 PM Michael Brennan scribbled: > > On second thought, I might have > > forwarded them to the NASD or the NYSE as well. Talk about spoiling > > someone's play -- the exchanges can make that happen. > I've not seen anywhere that the NYSE gets actively involved. Have you? > I do know that the NASD doesn't want to hear /anything/ unless the spam > is proven to be from a NASD member - so says their site, or so /said/ > their site - I haven't revisited it in a while. It makes sense - they > have their own fish to fry with lame brokers, telemarketers, and > so=called advisors... Perhaps I am way off base here, but it seems to me that the only stocks that pump&dumpers can really make money with are penny stocks, which by and large are traded OTC or on NASDAQ. When I have time, I report suspected pump&dumpers to Enforcement@SEC.GOV and ombuds@nasd.com. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Thu Nov 3 23:55:10 2005 From: jeffg at spamcop.net (Jeff G.) Date: Fri Nov 4 00:00:07 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B1DC.216FBDCA@SpamCop.net.dev.null> Message-ID: "Mike Easter" wrote in message news:dkdac3$cvk$1@news.spamcop.net... > It would probably work just as well for you to create a little text > which explains that you haven't sorted your spam and that you are > sending it all to the various agencies -- and let them sort it out for > themselves. Of course, if any reader does that and gets a reply from a human along the lines of "Please stop sending us all your spam, we only want ____", please comply and tell the rest of us so that we can also comply. -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From nobody at spamcop.net Fri Nov 4 09:44:06 2005 From: nobody at spamcop.net (nospam) Date: Fri Nov 4 00:45:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: in article dke8rr$v76$1@news.spamcop.net, Tim at crappy.trappy@ntlworld.com wrote on 11/4/05 4:09 AM: > spamacyde wrote: >> Anybody else experiencing a rash of blank emails? > > A spammer firing blanks? Perhaps they should try their own W|@GRA ;) Umm, no, I think it's the Spur-M that they would want in this case. V1@6r@ could still leave shooting blanks. ;-) From nobody at spamcop.net Fri Nov 4 09:46:16 2005 From: nobody at spamcop.net (nospam) Date: Fri Nov 4 00:50:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit References: Message-ID: in article TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com, Robert Blair at nobody@nowhere.not wrote on 11/4/05 8:12 AM: SNIP > There is at least one other company doing the same thing Who ? (please) >so I would > expect more companies doing it but have not been found out yet. > From nobody at nowhere.not Fri Nov 4 06:11:35 2005 From: nobody at nowhere.not (Robert Blair) Date: Fri Nov 4 01:15:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: Message-ID: On Fri, 4 Nov 2005 05:46:16 UTC, nospam wrote: > SNIP > > > There is at least one other company doing the same thing > > Who ? (please) Universal Music This information is from the DShield mailing list. There has been a discussion on the list since the first of the month. It seems that some people have known about this for some time but it is just now being made public. > >so I would > > expect more companies doing it but have not been found out yet. -- Robert Blair From nobody at devnull.spamcop.net Fri Nov 4 02:27:34 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Nov 4 02:30:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: "nospam" wrote in message news:BF90DDE5.1635D%nobody@spamcop.net... > in article dke8rr$v76$1@news.spamcop.net, Tim at crappy.trappy@ntlworld.com > wrote on 11/4/05 4:09 AM: > > > spamacyde wrote: > >> Anybody else experiencing a rash of blank emails? > > > > A spammer firing blanks? Perhaps they should try their own W|@GRA ;) > > Umm, no, I think it's the Spur-M that they would want in this case. V1@6r@ > could still leave shooting blanks. ;-) > Still OT, but in this context: This rather Freudian forgery was archived here on 10/13/2005: "Received: from spermatorrhoea (192.168.229.37)" as the "source" of the spew... Oh my fur and whiskers! Oh! From kjz at despammed.com Fri Nov 4 08:43:44 2005 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Fri Nov 4 02:45:02 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved In-Reply-To: <43663619.A9@xyzzy.claranet.de> References: <43663619.A9@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > *1: minus the time to whois-RFCI and WDPRS alishaanddanny.info, > mystery-suspense.info, and kinesisman.info [[ Re:ally Leo, > it's fine that you now understand German postal codes, but > the +49 phone numbers are still stupid, I can check this ]] And Leos spamvertized websites are another problem. Leo seems to have a 'shield or block' installed so Spamcop's DNS lookups also failed for these sites. - kjz From nobody at xyzzy.claranet.de Fri Nov 4 09:27:43 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 03:30:04 2005 Subject: [SpamCop-List] LK (was: Geocities problem still unsolved) References: <43663619.A9@xyzzy.claranet.de> Message-ID: <436B1B7F.7FB5@xyzzy.claranet.de> Karl-Josef Ziegler wrote: [alishaanddanny.info, mystery-suspense.info, kinesisman.info] > Leo seems to have a 'shield or block' installed so Spamcop's > DNS lookups also failed for these sites. Does it ? IIRC reports about these sites were sent, but I didn't note the tracker URLs anywhere (Oct 30). A fresher set (unfortunately I found no obvious whois data problems): angelobovis.info Registrant Name:Fernando Teles netprocom.info Registrant Organization:quakeclub nigerianmasses.info Registrant Street1:Rua Lameiros, 12 zvia.info Registrant City:Sande-GMR Registrant State/Province:NA The names he picks Registrant Postal Code:4805-619 are often really Registrant Country:PT funny. Registrant Phone:+351.968582807 Bye, Frank Registrant Email:fernando@quakeclub.net From nobody at xyzzy.claranet.de Fri Nov 4 09:37:25 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 03:40:02 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> Message-ID: <436B1DC5.75D3@xyzzy.claranet.de> Ant wrote: >> or what? > That's what I'd like to know. No one from Spamcop has said a > dicky-bird about it here. Yes, it makes no sense as a "geocities-conspiracy" - if Yahoo! doesn't like SC reports they could disable it. So if it's no conspiracy it must be excessive technical incompetence on the side of Ironport. Did they fire Julian or what ? Bye, Frank From nobody at xyzzy.claranet.de Fri Nov 4 10:05:07 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 04:10:03 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> <436A42F0.38B2@xyzzy.claranet.de> Message-ID: <436B2443.2087@xyzzy.claranet.de> Mike Easter wrote: > 218.238.26.80 got listed in cbl 2005-10-31 05:00 GMT [...] Oops, I didn't know that it's possible to get a timestamp for these entries: http://www.spamhaus.org/query/bl?ip=218.238.26.80 links to http://cbl.abuseat.org/lookup.cgi?ip=218.238.26.80 Today it says 2005-11-04 01:00 GMT (+/- 30 minutes). Apparently a rather volatile list. > using spamhaus sbl-xbl, which embraces cbl & njabl > as well as blitzed, would have solved the problem. Explained on http://www.spamhaus.org/xbl/index.lasso - I still have to add these links on my rxwhois page, so far I've done that only for the RHSBLs (RFCI and SURBL) Bye, Frank From kjz at despammed.com Fri Nov 4 10:25:38 2005 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Fri Nov 4 04:30:02 2005 Subject: [SpamCop-List] Re: LK In-Reply-To: <436B1B7F.7FB5@xyzzy.claranet.de> References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Karl-Josef Ziegler wrote: > > [alishaanddanny.info, mystery-suspense.info, kinesisman.info] > >> Leo seems to have a 'shield or block' installed so Spamcop's >> DNS lookups also failed for these sites. > > Does it ? IIRC reports about these sites were sent, but I > didn't note the tracker URLs anywhere (Oct 30). Sometimes the DNS is working but most times e.g. http://www.spamcop.net/sc?id=z823040147z10d10619bddaa277728aa4520c8bd719z the resolving is blocked. - kjz From nobody at xyzzy.claranet.de Fri Nov 4 11:13:53 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 05:15:58 2005 Subject: [SpamCop-List] Re: LK References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de> Message-ID: <436B3461.2273@xyzzy.claranet.de> Karl-Josef Ziegler wrote: > Sometimes the DNS is working but most times e.g. > http://www.spamcop.net/sc?id=z823040147z10d10619bddaa277728aa4520c8bd719z > the resolving is blocked. Hm, that bdfilmachjk.nobleblues.com is different from the geocities problem, for the former SC explicitly says "IP not found", and you get the same result if you put only the FQDN into the Web report form. With "geocities" the Web form immediately finds the IP, and SC doesn't claim "IP not found" in a spam report, it just doesn't resolve it without displaying any reason :-( Interesting, with ns1-90.akam.net I get also no answer: http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com&server=ns1-90.akam.net Dito ns1-93.akam.net and 1-73.akam.net (three random name servers found in the whois entry for spamcop.net) But with a plain host bdfilmachjk.nobleblues.com or a http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com I get an IP 222.122.63.88. What's a good strategy to fix this, users configuring their own favourite NS to be used by SC maybe ? Bye From kjz at despammed.com Fri Nov 4 11:41:58 2005 From: kjz at despammed.com (Karl-Josef Ziegler) Date: Fri Nov 4 05:45:04 2005 Subject: [SpamCop-List] Re: LK In-Reply-To: <436B3461.2273@xyzzy.claranet.de> References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de> <436B3461.2273@xyzzy.claranet.de> Message-ID: Frank Ellermann schrieb: > Interesting, with ns1-90.akam.net I get also no answer: > > http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com&server=ns1-90.akam.net > > Dito ns1-93.akam.net and 1-73.akam.net (three random > name servers found in the whois entry for spamcop.net) Maybe, Leo is blocking resolves from the whole Akamai net range? - kjz From MikeE at ster.invalid Fri Nov 4 02:58:45 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 4 06:00:02 2005 Subject: [SpamCop-List] Re: LK References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de> <436B3461.2273@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Karl-Josef Ziegler wrote: > >> Sometimes the DNS is working but most times e.g. >> http://www.spamcop.net/sc?id=z823040147z10d10619bddaa277728aa4520c8bd719z >> the resolving is blocked. I don't think you can analyze very easily when SC's resolving is blocked. SC sometimes chooses to not try to resolve something, sometimes SC tries to resolve but fails. When SC tries to resolve and fails, the condition of 'resolvability' may vary. Of course, it could not resolve for anyone beause of lost nameservice, it could also just have very very funky nameservice which times out, which is typically the case for the ones which SC tries to resolve but fails. That is the case for this particular url. > Hm, that bdfilmachjk.nobleblues.com is different from > the geocities problem, for the former SC explicitly says > "IP not found", and you get the same result if you put > only the FQDN into the Web report form. This is what SC was saying at the time it parsed the tracker above for me Resolving link obfuscation http://bdfilmachjk.nobleblues.com/?egachjkxssrybdzgvfilm Host bdfilmachjk.nobleblues.com (checking ip) IP not found ; bdfilmachjk.nobleblues.com discarded as fake. Tracking link: http://bdfilmachjk.nobleblues.com/?egachjkxssrybdzgvfilm No recent reports, no history available Cannot resolve http://bdfilmachjk.nobleblues.com/?egachjkxssrybdzgvfilm > With "geocities" the Web form immediately finds the IP, > and SC doesn't claim "IP not found" in a spam report, it > just doesn't resolve it without displaying any reason :-( > > Interesting, with ns1-90.akam.net I get also no answer: I'm not entirely sure that using the nameservers for spamcop.net is the same as what nameservers spamcop uses for its resolving. In the case of my provider EL, the nameservice which EL 'provides' for me by DHCP is not at all the same nameservers as the ones for earthlink.net. EL's nameservers are itchy and scratchy --whereas the nameservers it gives me are ns1 & ns2 & ns3. > http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com&server=ns1-90.akam.net > > Dito ns1-93.akam.net and 1-73.akam.net (three random > name servers found in the whois entry for spamcop.net) > > But with a plain host bdfilmachjk.nobleblues.com or a > http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com > I get an IP 222.122.63.88. When I want to 'analyze' what is SC's problem with resolving when I can resolve it myself, I go to dnsstuff which can perform an analysis of the dns timing and what is wrong with it. There's a lot wrong with that url's nameservice http://www.dnsstuff.com/tools/dnstime.ch?name=bdfilmachjk.nobleblues.com&type=A timeouts, Average of all 4 nameservers: 915ms (plus 6062ms overhead). Score: F > What's a good strategy to fix this, users configuring > their own favourite NS to be used by SC maybe ? Bye I think the SC philosophy is that it shouldn't spend very much time trying to resolve a url which has very flakey nameservice. I agree. This is all about the business of notifying spamvertisers. SC's notification of spamvertisers is very unsatisfactory to me -- that is, it isn't the way I would be notifying. SC doesn't do anything about determining the blackhattedness of the derived notify. I would rather do my own determining of how to notify about a spamvertiser. I can notify much much better than SC. I can resolve urls better, I can determine the blackhattedness better, I can determine the notifies better, because I can determine upstreams and such as that based on the unresponsive character of the spamvertiser based on listings in spamhaus and spews. -- Mike Easter kibitzer, not SC admin From elg at none.com Fri Nov 4 08:23:50 2005 From: elg at none.com (El Guapo) Date: Fri Nov 4 09:25:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit References: Message-ID: "Robert Blair" wrote in message news:TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com... > On Fri, 4 Nov 2005 02:01:40 UTC, "Geoffrey Hyde" > wrote: > My understanding is that they have removed the "stealth" feature so > other no-goodniks can not use that feature to hide their trojans. But > the damage has been done and I would imagine that the virus/trojans > writers have already started to look at the code to see what they can > do. Here is an article saying exactly what you are describing... http://informationweek.com/story/showArticle.jhtml?articleID=173402819 From jg at coks.net Fri Nov 4 07:31:49 2005 From: jg at coks.net (jg) Date: Fri Nov 4 10:30:03 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? In-Reply-To: References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null> Message-ID: On 11/3/2005 8:49 PM Jeff G. scribbled: > "jg" wrote in message > news:dkdcnt$eji$1@news.spamcop.net... > >>On 11/2/2005 11:00 PM Michael Brennan scribbled: >> >>>On second thought, I might have >>>forwarded them to the NASD or the NYSE as well. Talk about spoiling >>>someone's play -- the exchanges can make that happen. >> >>I've not seen anywhere that the NYSE gets actively involved. Have > > you? > >> I do know that the NASD doesn't want to hear /anything/ unless the > > spam > >>is proven to be from a NASD member - so says their site, or so /said/ >>their site - I haven't revisited it in a while. It makes sense - they >>have their own fish to fry with lame brokers, telemarketers, and >>so=called advisors... > > > Perhaps I am way off base here, but it seems to me that the only stocks > that pump&dumpers can really make money with are penny stocks, which by > and large are traded OTC or on NASDAQ. When I have time, I report > suspected pump&dumpers to Enforcement@SEC.GOV and ombuds@nasd.com. > You made it to 1st, Jeff, and are quite correct - one does not pump and dump a listed stock. But from the NASD site: "Remember, though, that NASD can only regulate the actions of its member brokerage firms and their employees. While all U.S. brokerage firms have to be members of NASD to do business with the public, most problem spams are likely sent to you by non-regulated businesses or individuals. You can check out if the firm or individual spamming you is registered with NASD on our Web site. If you think that the problem spammers may be registered with NASD, you can forward spam or junk e-mail recommending that you invest in a stock or other investment to spam@nasd.com. If the spammers are not registered with NASD, you can forward spam (junk e-mail) or copies of message board postings to enforcement@sec.gov." At the end of the day, I tend to agree with Mike E. that this is largely a waste of time - I can't see how the government can handle the sheer volume. That said, I do send spam to the SEC and FDA anyway... From jg at coks.net Fri Nov 4 07:37:01 2005 From: jg at coks.net (jg) Date: Fri Nov 4 10:40:03 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) In-Reply-To: References: Message-ID: On 11/3/2005 9:44 PM nospam scribbled: > in article dke8rr$v76$1@news.spamcop.net, Tim at crappy.trappy@ntlworld.com > wrote on 11/4/05 4:09 AM: > > >>spamacyde wrote: >> >>>Anybody else experiencing a rash of blank emails? >> >>A spammer firing blanks? Perhaps they should try their own W|@GRA ;) > > > Umm, no, I think it's the Spur-M that they would want in this case. V1@6r@ > could still leave shooting blanks. ;-) > Back onto topic here, what with the rise of volume in these blanks, maybe its time for SC to revisit the topic of reporting spam with no body, which it still doesn't accept. AFAIK, adding [no body} or somesuch to the original item is still against the rules, isn't it? From jeffg at spamcop.net Fri Nov 4 11:00:06 2005 From: jeffg at spamcop.net (Jeff G.) Date: Fri Nov 4 11:05:03 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <436B1DC5.75D3@xyzzy.claranet.de> Message-ID: "Frank Ellermann" wrote in message news:436B1DC5.75D3@xyzzy.claranet.de... > Did they fire Julian or what ? Not as far as I know. Julian's "Credits and thanks" page at http://www.spamcop.net/fom-serve/cache/138.html has never mentioned him to my knowledge (one would assume that he would get some credit if that page left his control), he is still listed on http://forum.spamcop.net/forums/index.php?showtopic=4351&st=0&p=29132&#entry29132 , http://www.julianhaight.com/ still says "I work mainly on my popular web site, SpamCop.net", and his resume still says "I still act as the main force behind SpamCop". -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Fri Nov 4 11:06:28 2005 From: jeffg at spamcop.net (Jeff G.) Date: Fri Nov 4 11:10:03 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: "jg" wrote in message news:dkfv3e$tnk$1@news.spamcop.net... > AFAIK, adding [no body} or > somesuch to the original item is still against the rules, isn't it? Technically, it is. However, with all the posts recommending it here and elsewhere, no one in an official capacity has posted anything like "don't do that." -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From MikeE at ster.invalid Fri Nov 4 08:19:15 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 4 11:20:04 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > http://www.spamcop.net/sc?id=z821661459z909b906c2a68f7e8504bfa42ec4e7eedz > http://www.spamcop.net/sc?id=z821661226z4c62448db45738855b335d11cbb85c67z > http://www.spamcop.net/sc?id=z821661225z5870e9b9821bed134f51c36f59719e9ez > http://www.spamcop.net/sc?id=z821661226z4c62448db45738855b335d11cbb85c67z I don't have anything helpful to add here just now except a data point or observation. When I ran each of those 4 trackers one time each, SC resolved the 2nd one's url 'right away'. When I put each of the spamvertised links into the parser naked http://in.geocities.com/phoebe_rega/?in=lobo.ixqb http://it.geocities.com/ned_fellows/?lyr=runj http://de.geocities.com/oren_maxey/?nm=dxlklsb http://in.geocities.com/phoebe_rega/?in=lobo.ixqb SC promptly resolved all 4 of them and provided a reporting address, so it is not a matter of SC resolver being blocked. Why SC is deobfuscating but not resolving them except occasionally is unknown to me, but perhaps it is by design. That is, I am of the theory that SC 'chooses' to not resolve spamvertised links sometimes for some reason of resource priorities or something. -- Mike Easter kibitzer, not SC admin From jg at coks.net Fri Nov 4 08:34:07 2005 From: jg at coks.net (jg) Date: Fri Nov 4 11:35:02 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved In-Reply-To: References: <43663619.A9@xyzzy.claranet.de> Message-ID: On 11/4/2005 8:19 AM Mike Easter scribbled:> it is not a matter of SC resolver being blocked. > > Why SC is deobfuscating but not resolving them except occasionally is > unknown to me, but perhaps it is by design. > > That is, I am of the theory that SC 'chooses' to not resolve > spamvertised links sometimes for some reason of resource priorities or > something. > > I can report the same behavior with spam other than geocities. I tripped upon a trick - SC doesn't resolve in a report. Visit any odd bookmark (in same tab if applicable) and go back to SC report screen via the back arrow and often, the screen repaints /with/ a resolution of links. Probable resource husbanding... From nobody at nowhere.invalid Fri Nov 4 17:38:00 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Nov 4 11:40:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: On Fri, 04 Nov 2005 07:37:01 -0800, jg coughed into spamcop and left this in : > Back onto topic here, what with the rise of volume in these blanks, > maybe its time for SC to revisit the topic of reporting spam with no > body, which it still doesn't accept. AFAIK, adding [no body} or > somesuch to the original item is still against the rules, isn't it? Quick-submitting them works fine. -- Steve guru, n: A computer owner who can read the manual. From jg at coks.net Fri Nov 4 08:42:30 2005 From: jg at coks.net (jg) Date: Fri Nov 4 11:45:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) In-Reply-To: References: Message-ID: On 11/4/2005 8:38 AM Steven Maesslein scribbled: > On Fri, 04 Nov 2005 07:37:01 -0800, jg coughed into spamcop and left > this in : > > >>Back onto topic here, what with the rise of volume in these blanks, >>maybe its time for SC to revisit the topic of reporting spam with no >>body, which it still doesn't accept. AFAIK, adding [no body} or >>somesuch to the original item is still against the rules, isn't it? > > > Quick-submitting them works fine. > Could be - I don't quick report. Isn't that for paid members? From zypher at spamcop.net Fri Nov 4 10:43:58 2005 From: zypher at spamcop.net (Ron B.) Date: Fri Nov 4 11:45:09 2005 Subject: [SpamCop-List] [Media] FBI Says Man Created Zombie PC Networks, Sold Access Message-ID: FBI Says Man Created Zombie PC Networks, Sold Access POSTED: 10:00 am CST November 4, 2005 LOS ANGELES -- The FBI has arrested a Los Angeles-area man accused of creating and selling "armies of computers" designed to launch electronic attacks and send tons of spam. The government said it's the first prosecution of its kind in the nation. A 17-count indictment contends Jeanson James Ancheta wrote and spread malicious computer code in order to gain control of legions of infected computers, then sold access to hackers and spammers. Ancheta also allegedly made money by installing adware on the computers, known as "botnets." The indictment charges conspiracy, money laundering, transmission of code to a government computer and accessing a protected computer to commit fraud. The government said Ancheta's programs infected computers at a Navy weapons center and some Defense Department computers. Conviction on all counts could mean a 50-year prison term. Copyright 2005 by The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed. From MikeE at ster.invalid Fri Nov 4 09:03:49 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 4 12:05:03 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: jg wrote: > Steven Maesslein scribbled: >> Quick-submitting them works fine. >> > Could be - I don't quick report. Isn't that for paid members? It is for approved submitters who also much be mailhosted. I didn't know that quick worked for unmodified empty spams, but it makes a lot of sense. The empty and quick submitted spam doesn't need its body analyzed anyway or in any way. So maybe the parser just 'stops' before it even determines if it is empty or not. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Nov 4 09:09:17 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 4 12:10:03 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> Message-ID: jg wrote: > Mike Easter >> Why SC is deobfuscating but not resolving them except occasionally is >> unknown to me, but perhaps it is by design. >> >> That is, I am of the theory that SC 'chooses' to not resolve >> spamvertised links sometimes for some reason of resource priorities >> or something. >> >> > I can report the same behavior with spam other than geocities. I > tripped upon a trick - SC doesn't resolve in a report. Visit any odd > bookmark (in same tab if applicable) and go back to SC report screen > via the back arrow and often, the screen repaints /with/ a resolution > of links. > Probable resource husbanding... Every time this topic comes up gives me a chance to 'vote for' my opinion of how the reporting parser could/should be optionally configured. It could be configured to optionally statistic all deobfuscated links without resolving them by providing a 'do not resolve spamvertised links' to the reporter and let those deob/ed but unresolved links be reported to a devnull address. That way a lot of resources would be conserved, a lot more spamvertisers would be statistic-paged, sc-surbl would scrape a lot more spamvertisers aiding more spamvertiser tag/blocking by more people using the sc-surbl, and a lot less blackhatted providers would be provided copies of spams in spamreports. The business of spamcop reporters handing over their spam to blackhat spamvertiser providers is not actually a very healthy configuration, munged or not. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Fri Nov 4 18:30:48 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Nov 4 12:35:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: On Fri, 04 Nov 2005 08:42:30 -0800, jg coughed into spamcop and left this in : >> Quick-submitting them works fine. >> > Could be - I don't quick report. Isn't that for paid members? It's possible, yes. I *am* a paid member. -- Steve Television -- a medium. So called because it is neither rare nor well done. -- Ernie Kovacs From nobody at spamcop.net Fri Nov 4 12:35:01 2005 From: nobody at spamcop.net (indigo) Date: Fri Nov 4 12:40:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: N. Miller wrote: > > A lot of Comcast users have been pelted by that kind of spam. I've been getting those for almost a year. Barely any headers either. I always assumed they were coming from within the comcast network via a zombied machine since there are no headers to indicate it ever left the comcast servers. From nobody at spamcop.net Fri Nov 4 12:37:05 2005 From: nobody at spamcop.net (indigo) Date: Fri Nov 4 12:40:12 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: Patto wrote: > Over at the Microsoft Outlook newsgroups there are literally hundreds > of users complaining about blank spam. Most of them have never seen > any before, so I think there really *is* more blank spam than before. > Why? - Who cares! These messages are so easily filtered; either by > BLs or other means. I haven't seen any for over a half year. Spampal doesn't catch them.......at least on my home machine. From borgholio at storymind.com Fri Nov 4 09:41:21 2005 From: borgholio at storymind.com (Borgholio) Date: Fri Nov 4 12:45:03 2005 Subject: [SpamCop-List] Wow...that was FAST! Message-ID: Sent a manual report yesterday to a Russian ISP regarding a Nigerian scammer using a .ru address. Woke up this morning to find this: ????????????. The spamer's account has been disabled. ? ?????????, ?????. ?????? ????????? ????????????? ???????? ??????? Mail.Ru ??? ???????, ??????????, ????????? ????????? ?????????. ??? ???????? ???????? ? ?????? ????????? ??????????? ??????????? ?????: http://www.mail.ru/cgi-bin/support ??? ????????? ???????? ?????? ?????? ????????? ????????????? ???????? ??????? Mail.Ru ?????????? ??? ??????? ??????? ? ?????? http://win.mail.ru/cgi-bin/supportmark?Time=04.11.2005-12:28&Email=borgholio@hotmail.com borgholio@hotmail.com, Friday, November 4, 2005, 2:18:57 AM, ?? ???????? ?????? ? ?????: [Fwd: I Seek For Your Consent] >> Nigerian scammer with a mail.ru email address. --------------------------- I must say, that was FAST! From jg at coks.net Fri Nov 4 09:44:25 2005 From: jg at coks.net (jg) Date: Fri Nov 4 12:45:10 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved In-Reply-To: References: <43663619.A9@xyzzy.claranet.de> Message-ID: On 11/4/2005 9:09 AM Mike Easter scribbled:> > > Every time this topic comes up gives me a chance to 'vote for' my > opinion of how the reporting parser could/should be optionally > configured. > Happy to have given you an opportunity... From MikeE at ster.invalid Fri Nov 4 09:47:37 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 4 12:50:03 2005 Subject: [SpamCop-List] Parser configuration option proposal Message-ID: There are several problems which could have a common, easily implemented solution. The problems are: o SC's body parsing frequently encounters difficulties in resolving deobfuscated spamvertiser links o Unresolved spamvertisers are currently not statistic-paged, and thus are not sc-surbl scraped o Spamvertiser providers are very very frequently blackhat, and SC makes very little blackhat provider notification management or avoidance in the routing database process o Giving blackhat providers copies of spam, munged or not, is not in the best interest of spammees in general or reporters in specific The 'easily'* implemented solution to all of these would be to provide a reporter with an optional configuration to 'do not resolve/notify spamvertisers' - the normal or standard configuration would remain as an option - in the don't resolve configuration, the parsers resources would be greatly conserved - in don't resolve, the parser would only deobfuscate the spamvertiser link - in don't resolve, the parser would report the spamvertiser to a devnull address and post the spamvertiser on the statistics page - in don't resolve the reporter can always uncheck the devnull notify for an IB This new configuration would provide the following benefits o SC's resources would be conserved, which is apparently needed sometimes o SC reporter spam would not be 'handled' or seen by blackhat spamvertiser providers and their cohorts o Many many more spamvertisers would be provided to the statistic page for sc-surbl scraping o Many more sc-surbl blocklist users would benefit from the SC reports * 'easily implemented' is always in the mind of the beholder who isn't the one who is having to do the 'easy' implementing -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Fri Nov 4 13:02:58 2005 From: nobody at spamcop.net (indigo) Date: Fri Nov 4 13:05:04 2005 Subject: [SpamCop-List] Re: Wow...that was FAST! References: Message-ID: Borgholio wrote: > Sent a manual report yesterday to a Russian ISP regarding a Nigerian > scammer using a .ru address. Good boy! You're learning to keep your 419 crap out of .social! Keep up the good work and you may get a lollipop ;-) From nobody at devnull.spamcop.net Fri Nov 4 14:26:00 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Nov 4 14:30:10 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: "indigo" wrote in message news > > Spampal doesn't catch them.......at least on my home machine. > Responding to a request for a filter "rule" for these for OE users several days ago in alt.spam, I blathered: Lessee... You navigate Tools > Message Rules > Mail. Click on "New...". In the "Conditions" pane, check the boxes for "Where the From line contains people" and "Where the message body contains specific words". In the "Actions" pane select "Delete" (or action of your choosing as flag or mark ignored). In the "Description" pane, click on the link "contains people". In the popup window, "Add" the person "@". After adding "@", click on "Options" and select "Does not contain". Click "OK". In the "Description" pane, click on the link "contains specific words". In the popup window, "Add" the word "." Click on "Options" and select "Does not contain". Click "OK". In the "Description" pane, click on the link "and". Select "or" as in "messages meet any of these criteria". Click on "OK". You now have a filter rule that triggers if there is no "From:", or if there is no "@" in the "From:" header, or if there is no spam body, as in there is no "." in the spam body. No rule is perfect, so you might want to check the items this filter snags for a time to ensure you don't trash legit mails in error. Maybe this is what you were asking for, maybe not. Maybe this rule does not work: I don't happen to have any emails handy that meet the criteria to test the rule. The rule is useless for anything that contains an "@" in the "From:" header or a "." in the message body. ... As yet no one has commented or said this does not pick these boogers, but I have not been seeing any so I have no testable specimens to work with... hth and hand, Glenn From nobody at devnull.spamcop.net Fri Nov 4 14:29:00 2005 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Fri Nov 4 14:30:24 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved In-Reply-To: References: <43663619.A9@xyzzy.claranet.de> Message-ID: Mike Easter wrote: [snip] > When I put each of the spamvertised links into the parser naked > > http://in.geocities.com/phoebe_rega/?in=lobo.ixqb > http://it.geocities.com/ned_fellows/?lyr=runj > http://de.geocities.com/oren_maxey/?nm=dxlklsb > http://in.geocities.com/phoebe_rega/?in=lobo.ixqb > > SC promptly resolved all 4 of them and provided a reporting address, so > it is not a matter of SC resolver being blocked. > > Why SC is deobfuscating but not resolving them except occasionally is > unknown to me, but perhaps it is by design. I'd volunteer a theory that it's a bug that is a result of the complexity of the parsing software. Perhaps the bug is understood by Julian and just not worth the effort to fix. As much as people have complained, I can't imagine that it's being ignored for any other reason. -- Help fight spam by "educating" the lax, zombie-hosting ISPs: http://pages.infinit.net/filmore/educateYourISP.htm From nobody at spamcop.net Fri Nov 4 16:03:17 2005 From: nobody at spamcop.net (indigo) Date: Fri Nov 4 16:05:04 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: Glenn Daniels wrote: > "indigo" wrote in message news > > > > Spampal doesn't catch them.......at least on my home machine. > > > > Responding to a request for a filter "rule" for these for OE users > several days ago in alt.spam, I blathered: Thanks for the help, but a sufficient number of spams somehow slips thru spampal that I just keep the preview pane off and "mark read" and "delete" those emails that don't come from anyone I recognize. From MikeE at ster.invalid Fri Nov 4 13:43:33 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 4 16:45:07 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: indigo wrote: > Patto wrote: >> Why? - Who cares! These messages are so easily filtered; either by >> BLs or other means. I haven't seen any for over a half year. > > Spampal doesn't catch them.......at least on my home machine. Naturally we all get different spam, but spampal misses very very few of my spams, and most of them are caught by the blocklists. What blocklists are you using? I use spamhaus sbl+xbl [which includes sbl, cbl, njabl, & blitzed] + ordb, scbl, & sorbs or do you use a preconfigured strategy - [safe, med, aggressive]? do you use country blocks? do you use any extra ie unlisted dsnbl/s? For my own mail, I can whitelist any mail which comes from 'strange' places, like one of my mailing lists. That allows me to keep the filter tight enough without catching any goodmail. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Fri Nov 4 17:01:50 2005 From: nobody at spamcop.net (indigo) Date: Fri Nov 4 17:05:03 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: Mike Easter wrote: > indigo wrote: > > Patto wrote: > > >> Why? - Who cares! These messages are so easily filtered; either by > >> BLs or other means. I haven't seen any for over a half year. > > > > Spampal doesn't catch them.......at least on my home machine. > > Naturally we all get different spam, but spampal misses very very few > of my spams, and most of them are caught by the blocklists. > > What blocklists are you using? > > I use spamhaus sbl+xbl [which includes sbl, cbl, njabl, & blitzed] + > ordb, scbl, & sorbs > I believe I am using the exact same set of lists. But I'm on Spamcast, not Earthlink or whatever ISP you use, if that makes a difference.........if I had to guess I think about 20% of my spam slips thru Spampal. From nobody at xyzzy.claranet.de Sat Nov 5 00:10:33 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 18:15:05 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) References: Message-ID: <436BEA69.4F7A@xyzzy.claranet.de> Mike Easter wrote: > It is for approved submitters who also much be mailhosted. It was the opposite for me, I configured mailhosts immediately after an "accident" (40 quick reports to my own ISP when SC had an obscure DNS problem confusing the ordinary chain test). Maybe it's a MUST (RfC upper case) now, minimally a SHOULD. > maybe the parser just 'stops' before it even determines > if it is empty or not. Yes, from my POV that's a feature. Bye, Frank From nobody at xyzzy.claranet.de Sat Nov 5 00:23:21 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 18:25:04 2005 Subject: [SpamCop-List] Re: Parser configuration option proposal References: Message-ID: <436BED69.6FE6@xyzzy.claranet.de> Mike Easter wrote: > o Unresolved spamvertisers are currently not > statistic-paged, and thus are not sc-surbl scraped SURBL doesn't use scraping anymore, it now has a more direct access on SC: Bye, Frank From nobody at xyzzy.claranet.de Sat Nov 5 00:28:34 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 18:30:03 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> Message-ID: <436BEEA2.844@xyzzy.claranet.de> Mike Easter wrote: > That is, I am of the theory that SC 'chooses' to not resolve > spamvertised links sometimes for some reason of resource > priorities or something. Yes, it's very different from "no IP found, discarded a fake". And it always works for ??.geocities.com as single line query. Bye, Frank From nospam at dev.null Sat Nov 5 01:42:42 2005 From: nospam at dev.null (No Spam) Date: Fri Nov 4 18:45:02 2005 Subject: [SpamCop-List] Re: Wow...that was FAST! In-Reply-To: References: Message-ID: indigo wrote: > Borgholio wrote: > >>Sent a manual report yesterday to a Russian ISP regarding a Nigerian >>scammer using a .ru address. > > > Good boy! You're learning to keep your 419 crap out of .social! Keep up the > good work and you may get a lollipop ;-) > > Social so quiet, I might just head off to aa419.org for a few laughs :-0 From nobody at xyzzy.claranet.de Sat Nov 5 00:49:16 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 18:50:02 2005 Subject: [SpamCop-List] Re: LK References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de> <436B3461.2273@xyzzy.claranet.de> Message-ID: <436BF37C.45C0@xyzzy.claranet.de> Mike Easter wrote: > I'm not entirely sure that using the nameservers for > spamcop.net is the same as what nameservers spamcop uses > for its resolving. Probably not, and I misinterpreted the dig-style of output: It was the usual "I don't talk with unknown strangers about other unknown strangers" answer. Some name servers (try to) answer everything from anybody. Most don't and only tell you where to find the root servers (for queries about stuff that's not in their zone) - I missed that in the dig-style, because I normally see nslookup-style. > I go to dnsstuff which can perform an analysis of the dns > timing and what is wrong with it. There's a lot wrong with > that url's nameservice ACK, that's a much better plan. Bye, Frank From nobody at xyzzy.claranet.de Sat Nov 5 01:12:32 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 4 19:15:03 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <436B1DC5.75D3@xyzzy.claranet.de> Message-ID: <436BF8F0.5E5C@xyzzy.claranet.de> Jeff G. wrote: >> Did they fire Julian or what ? > Not as far as I know. Then he should really do something about the geocitie issue. It's no special personal vendetta when I try to report them, it's a very simple strategy: With a catch-all it's easy to filter spam to bogus addresses. Either my ISP already "knew" that it's spam and inserted a tag, or it's "unidentified" spam. And the latter might be generally interesting, therefore I submit it for "manual" reporting, less than 10 per day. Of course I don't look _into_ this "unidentified" spam before submitting it - the subject is enough to catch typos. Unfortunately the geocities spam is often "unidentified", so it shows up again and again in my rare manual reports. > "I still act as the main force behind SpamCop". He could forcefully add ??.geocities.com to SC's /etc/hosts as far as I'm concerned. Or offer a reason for this odd geocities-behaviour in the output of the technical details. Or decree that geocities is an IB. But ignoring hundreds of questions and complaints here for months is IMO wrong. Bye, Frank From MikeE at ster.invalid Fri Nov 4 16:18:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 4 19:20:02 2005 Subject: [SpamCop-List] Re: Parser configuration option proposal References: <436BED69.6FE6@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote: > Mike Easter wrote: > >> o Unresolved spamvertisers are currently not >> statistic-paged, and thus are not sc-surbl scraped > > SURBL doesn't use scraping anymore, it now has a more > direct access on SC: I've read everything about sc and sc2 surbl available since Feb at gmane.mail.spam.rbl.surbl by using the gmane newsserver-- and I can't find a description of any different method of data collection for sc2 than sc-surbl -- and the description at the surbl website remains unchanged. How exactly is it getting 'more direct' access? Even if it were being channeled directly somewhere that sc2-surbl could access, what is being channeled 'has to be' what is being channeled to the stats page. In any case, it is my 'conviction' or impression that any spamvertised links which are not resolved and are thus not reported are not made accessible to sc or sc2-surbl -- so any improvement on SC's end of making them available [statistics page or otherwise] to sc or sc2-surbl would be the same improvement I was describing. Or even better. That is, the better sc2 is doing, the better better an improvement in SC's providing spamvertiser links would be. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Sat Nov 5 07:30:09 2005 From: nobody at spamcop.net (nospam) Date: Fri Nov 4 22:35:19 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null> Message-ID: in article dkfupn$ti1$1@news.spamcop.net, jg at jg@coks.net wrote on 11/4/05 7:31 PM: > On 11/3/2005 8:49 PM Jeff G. scribbled: SNIP > That said, I do send spam to the SEC and FDA anyway... Well, I used to, but with the new default ticked "on" for user supplied 3d Party reporting addresses, I had to turn that off. I was forgetting to untick too mony non-securities spams. It becomes too much work to add manual LARTS for all the Pimp and Dump stuff. From jg at coks.net Fri Nov 4 21:17:34 2005 From: jg at coks.net (jg) Date: Sat Nov 5 00:20:17 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? In-Reply-To: References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null> Message-ID: On 11/4/2005 7:30 PM nospam scribbled: > in article dkfupn$ti1$1@news.spamcop.net, jg at jg@coks.net wrote on 11/4/05 > 7:31 PM: > > >>On 11/3/2005 8:49 PM Jeff G. scribbled: > > SNIP > >>That said, I do send spam to the SEC and FDA anyway... > > > Well, I used to, but with the new default ticked "on" for user supplied 3d > Party reporting addresses, I had to turn that off. I was forgetting to > untick too mony non-securities spams. It becomes too much work to add manual > LARTS for all the Pimp and Dump stuff. > Well, tnx for the heads up on 'user supplied' use - last I looked, and as a free reporter, I was allowed only 2 user supplied addys - but then it could well have been a brain fart. BTW, to me, manual LARTed means going outside the SC environment. Do you mean that you regard checking a 'user supplied' addy as a LART? Since I munge via SC, I don't view it as LARTing, but I'm just a lurker... From nobody at xyzzy.claranet.de Sat Nov 5 08:13:31 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Nov 5 02:15:02 2005 Subject: [SpamCop-List] Re: Parser configuration option proposal References: <436BED69.6FE6@xyzzy.claranet.de> Message-ID: <436C5B9B.2039@xyzzy.claranet.de> Mike Easter wrote: > How exactly is it getting 'more direct' access? No idea, magic organized by Jeff and Julian. Polling the stats page with http once per minute (?) only to determine new entries was a hack. Whatever they do now should be something more direct, and I hope it's not limited to the new http://www.spamcop.net/w3m?action=inprogress;type=www reports, but also covers URLs found in older spam. Something like a "ping" (as for updated blogs) could make sense, if SC is the active part. Or a named pipe from SC to SURBL (= permanent connection). More or less any protocol can transport "URL + timestamp". They could do it with UDP, but they won't without some heavy crypto ;-) > In any case, it is my 'conviction' or impression that > any spamvertised links which are not resolved and are > thus not reported are not made accessible to sc or sc2 Probably. If it really has no IP SURBL wouldn't want it. Bye, Frank From redford_stone at INVERSE_OF_COLDmail.com Sat Nov 5 10:50:41 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Nov 5 05:55:23 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <436B1DC5.75D3@xyzzy.claranet.de> <436BF8F0.5E5C@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote in news:436BF8F0.5E5C@xyzzy.claranet.de: > [snip] > > He could forcefully add ??.geocities.com to SC's /etc/hosts > as far as I'm concerned. Or offer a reason for this odd > geocities-behaviour in the output of the technical details. > > Or decree that geocities is an IB. But ignoring hundreds > of questions and complaints here for months is IMO wrong. > > Bye, Frank > > He could. But he may not do it for various reasons. Namely Geocities' lackluster response. From redford_stone at INVERSE_OF_COLDmail.com Sat Nov 5 10:52:34 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Nov 5 05:55:40 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: Message-ID: "Robert Blair" wrote in news:TECQXhvKj0FX-pn2- mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com: > > Universal Music > > This information is from the DShield mailing list. There has been a > discussion on the list since the first of the month. It seems that > some people have known about this for some time but it is just now > being made public. > Guess enough people began to notice these hidden files being installed without proper permission. From redford_stone at INVERSE_OF_COLDmail.com Sat Nov 5 10:53:34 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Nov 5 05:55:43 2005 Subject: [SpamCop-List] Re: Wow...that was FAST! References: Message-ID: Borgholio wrote in news:dkg6fr$1md$1@news.spamcop.net: > Sent a manual report yesterday to a Russian ISP regarding a Nigerian > scammer using a .ru address. Woke up this morning to find this: > Knocking out a drop box.. easy as pie for any sysadmin. From borgholio at storymind.com Sat Nov 5 04:36:42 2005 From: borgholio at storymind.com (Borgholio) Date: Sat Nov 5 07:40:02 2005 Subject: [SpamCop-List] Re: Wow...that was FAST! In-Reply-To: References: Message-ID: Redstone wrote: > Borgholio wrote in > news:dkg6fr$1md$1@news.spamcop.net: > > >>Sent a manual report yesterday to a Russian ISP regarding a Nigerian >>scammer using a .ru address. Woke up this morning to find this: >> > > > Knocking out a drop box.. easy as pie for any sysadmin. > Yeah but the fact that it's a Russian sysadmin is what amazes me. :) From nobody at spamcop.net Sat Nov 5 06:44:28 2005 From: nobody at spamcop.net (John Anderson) Date: Sat Nov 5 07:45:03 2005 Subject: [SpamCop-List] Please make sure this email IS spam: Message-ID: Please make sure this email IS spam: Now, what does that mean when asked this by Spamcop? If I didn't want it, did not ask for it, is it not SPAM? I have wondered this for a long time! John Anderson Registered Spamcop User From nobody at spamcop.net Sat Nov 5 06:49:30 2005 From: nobody at spamcop.net (John Anderson) Date: Sat Nov 5 07:50:03 2005 Subject: [SpamCop-List] Re: black list reporting References: Message-ID: "geo_splash_12" wrote in message news:dkaj9g$t7a$1@news.spamcop.net... > mikeyhsd wrote: >> here is a link >> http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46adez > > I do not understand the first few header lines where the spamcop parser > complains about IP 10.93.46.16. Where does this come from, is this > correct? > > Furthermore the link shows that abuse reports were sent to the > administrators of 125.57.108.71 (in the .kr domain), but apparently this > IP is not listed within spamcop. > > (Korean / Chinese spam is almost impossible to get rid off, maybe consider > to install your own specific filters for this problem. > > Finally abuse reports are sent because of a link within the spam, > 211.112.18.18 which is within the elim.com domain. > > Ejo I used to get a lot of Chinese/Korean spam, even sometimes Russian. My cure was to change providers, dumping the old e-mail altogether, but was going to dump the address anyway, but wanted a better high speed account. My old isp had no other idea, other than to change my e-mail id. My new isp uses Spam Assassian. I bet there is still mail being sent to my old account today, and it has been several years since I changed! John Anderson From nobody at spamcop.net Sat Nov 5 06:58:41 2005 From: nobody at spamcop.net (John Anderson) Date: Sat Nov 5 08:00:04 2005 Subject: [SpamCop-List] Re: Bounce messages References: Message-ID: "Mike Easter" wrote in message news:djtc38$2ge$1@news.spamcop.net... > We are usurping a thread started by someone about an entirely different > topic, but that's OK. It is still about bouncing, but you didn't > include a bounce message. > > Mike Nel wrote: >> WazoO, I am presuming that you are somehow involved with SpamCop. My >> apologies if you are not. > > I'm not WazoO, but the way newsgroups and other community forums work is > that you post a message and whoever wants to can comment on it. > >> I have NEVER subscribed to SpamCop, and I am definitely not involved >> in any "Spam" activities. However, today I try and send a pricing >> request to one of my suppliers - one I use on a regular basis - and I >> get a bounce-back claiming that my email address has been blacklisted >> by SpamCop. > > It is very important that you understand what is going on when a mail > 'bounces' - a vague term requiring some guess work absent the delivery > status notification information. > > When you try to email something, it is trying to go out from some server > to which you are subscribed and you haven't named. When it tries to go > from that unnamed server to someone else's server, that of your > recipient, you recipient's server may employ some kind of spam filter or > spamblocking system to defend against spamsources. > > If your mail is blocked, it is blocked by your recipient's server. Not > spamcop. > I had a problem with IP blocking of one of my sites, but solved it with my host. I don't use the site's e-mail very often, but sometimes I do. When one is hosted on a "shared server" that can happen. My former ISP had a problem at one time with IP blocking and put a message about it on their home page, that anyone sending spam would lose their account. Again, the host can solve the problem and get the blocking removed, or even, if neccessary, change the IP number. My old ISP did change IP numbers now and then for their e-mail, maybe to solve such a problem! John Anderson From MikeE at ster.invalid Sat Nov 5 05:12:08 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 5 08:15:04 2005 Subject: [SpamCop-List] Re: Please make sure this email IS spam: References: Message-ID: John Anderson wrote: > Please make sure this email IS spam: > > Now, what does that mean when asked this by Spamcop? That is a last chance to prevent making a mistake. SpamCop reporters make mistakes all the time. They report their own providers, they report items which are not spam, they fail to read the rules. They fail to reread the rules when the rules change. When you are looking at the result of the parse of a spam, you are looking at information about the item from a different perspective which allows you to re-evaluate what you have fed the parser. "Free users who break one of the rules will be immediately banned from SpamCop" Paying members can be fined or banned.. http://www.spamcop.net/fom-serve/cache/143.html What if I break the rule(s)? > If I didn't want it, did not ask for it, is it not SPAM? Discussing what is a good definition of spam can have many nuances. I prefer this definition http://www.mail-abuse.com/spam_def.html MAPS' Definition of "spam" even tho' maps is unpopular with some people. Spamhaus is more popular and has a similar one http://www.spamhaus.org/definition.html What is 'spamcop reportable' has its own definitions http://www.spamcop.net/fom-serve/cache/14.html On what type of email should I (not) use SpamCop? You should be familiar with all of the contents of the faq/s and how to navigate them from the site map http://www.spamcop.net/sitemap.shtml -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Sat Nov 5 08:15:11 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Nov 5 09:20:07 2005 Subject: [SpamCop-List] Re: Please make sure this email IS spam: References: Message-ID: In article , "John Anderson" writes: > Please make sure this email IS spam: > > Now, what does that mean when asked this by Spamcop? > If I didn't want it, did not ask for it, is it not SPAM? > > I have wondered this for a long time! Some humans type faster than they think. From noemail at here.org Sat Nov 5 09:45:50 2005 From: noemail at here.org (travis) Date: Sat Nov 5 10:50:29 2005 Subject: [SpamCop-List] Feature Request: Unreported Spam Saved Message-ID: On the main page, where it says "Unreported Spam Saved: Report Now", it REALLY needs to have a feature that shows HOW MANY unreported spam are actually saved. PLEASE add that :( From gezgin at spamcop.net Sat Nov 5 19:00:48 2005 From: gezgin at spamcop.net (Gezgin) Date: Sat Nov 5 12:05:20 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved References: Message-ID: "travis" wrote in message news:dkik3e$hit$1@news.spamcop.net... > On the main page, where it says "Unreported Spam Saved: > Report Now", it > REALLY needs to have a feature that shows HOW MANY > unreported spam are > actually saved. > PLEASE add that :( Seconded. -- Bob Kanyak's Doghouse http://www.kanyak.com From nobody at nowhere.not Sat Nov 5 17:53:00 2005 From: nobody at nowhere.not (Robert Blair) Date: Sat Nov 5 12:55:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: Message-ID: On Sat, 5 Nov 2005 10:52:34 UTC, Redstone wrote: > > This information is from the DShield mailing list. There has been a > > discussion on the list since the first of the month. It seems that > > some people have known about this for some time but it is just now > > being made public. > > > > Guess enough people began to notice these hidden files being installed > without proper permission. I don't know who found it first or why but I doubt it was a "normal" user. This copy protection scheme had a rootkit that hid all of its files from any of the standard anti-virus/trojan/ads programs. There are now people telling others to go buy the Sony CDs and use the rootkit, I would imagine that the virus/trojan/ads writers have also started to do the same thing. -- Robert Blair From nobody at nowhere.not Sat Nov 5 17:59:46 2005 From: nobody at nowhere.not (Robert Blair) Date: Sat Nov 5 13:00:03 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved References: Message-ID: On Sat, 5 Nov 2005 15:45:50 UTC, "travis" wrote: > On the main page, where it says "Unreported Spam Saved: Report Now", it > REALLY needs to have a feature that shows HOW MANY unreported spam are > actually saved. I have requested a way to delete the top most item of "Unreported Spam" (currently you can only delete all "Unreported Spam") but nothing has changed. So while we are one the subject of "Unreported Spam" again I will make the request again. Please. -- Robert Blair From jeffg at spamcop.net Sat Nov 5 13:31:31 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 5 13:35:03 2005 Subject: [SpamCop-List] Re: Reporting user database down? References: Message-ID: I wrote Tuesday 2005/11/01 23:06 EST -0500: > I take my info from the SpamCop Statistics graph at > http://alpha.cesmail.net/graphics/spamstats.gif on my off-site page > "SpamCop.net - Total spam report volume mock-up" at > http://forum.spamcop.net/forums/index.php?showtopic=5247 . As I wrote in http://forum.spamcop.net/forums/index.php?showtopic=5235&view=findpost&p=35524 , "At present, apha.cesmail.net is responding to ping, but not HTTP. That's why the graph isn't showing up. I've sent notifications to JT." All of the graphs referred to by the four links in the bottom "Total spam report volume" section of the Statistics page http://www.spamcop.net/spamstats.shtml are of course having the same problem. Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From devnull at spamcop.net Sat Nov 5 15:02:16 2005 From: devnull at spamcop.net (Frog Prince) Date: Sat Nov 5 15:05:12 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved References: Message-ID: "Robert Blair" | | > On the main page, where it says "Unreported Spam Saved: Report Now", it | > REALLY needs to have a feature that shows HOW MANY unreported spam are | > actually saved. | | I have requested a way to delete the top most item of "Unreported | Spam" (currently you can only delete all "Unreported Spam") but | nothing has changed. | | So while we are one the subject of "Unreported Spam" again I will make | the request again. Please. Yea the number left to report and the option to delet those that are too old to report would save me time and effort. From jeffg at spamcop.net Sat Nov 5 16:40:00 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 5 16:45:15 2005 Subject: [SpamCop-List] Re: Reporting user database down? Message-ID: I wrote Saturday 2005/11/05 13:31 EST -0500: > I wrote Tuesday 2005/11/01 23:06 EST -0500: > > I take my info from the SpamCop Statistics graph at > > http://alpha.cesmail.net/graphics/spamstats.gif on my off-site page > > "SpamCop.net - Total spam report volume mock-up" at > > http://forum.spamcop.net/forums/index.php?showtopic=5247 . > > As I wrote in > http://forum.spamcop.net/forums/index.php?showtopic=5235&view=findpost&p=35524 , > "At present, apha.cesmail.net is responding to ping, but not HTTP. > That's why the graph isn't showing up. I've sent notifications to JT." > All of the graphs referred to by the four links in the bottom "Total > spam report volume" section of the Statistics page > http://www.spamcop.net/spamstats.shtml are of course having the same > problem. I'm sorry, in my haste to notify you I misspelled "alpha" as "apha". -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only, as PMs and Emails may be posted, reported, and/or ridiculed. From nospam at nospam.nl Sat Nov 5 23:35:37 2005 From: nospam at nospam.nl (geo_splash_12) Date: Sat Nov 5 17:40:10 2005 Subject: [SpamCop-List] Re: Please make sure this email IS spam: In-Reply-To: References: Message-ID: Mike Easter wrote: > What is 'spamcop reportable' has its own definitions > http://www.spamcop.net/fom-serve/cache/14.html On what type of email > should I (not) use SpamCop? On this web site you will read: > We define spam as Unsolicited Bulk Email (UBE). To be considered spam, a message must be: > > 1. Unsolicited (I didn't request it explicitly or implicitly); and, > 2. Bulk (the same message was sent to many people at once). I don't want to change the definition of spam, but just want to remark that in reality the one who submits spam to spamcop must have had a reasonable suspicion that a received e-mail is unsolicited and must have had a reasonable suspicion that it is bulk. Oftentimes reasonable suspicion is a gray area because the recipient couldn't tell whether a particular spam was addressed only to him (so that it isn't bulk) or he may have forgotten he asked the e-mail to be sent. On basis of counting input from different user reports and information retrieved by mail traps and possibly other information sources the spamcop system finally decides whether IP addresses used by the spammer should be listed. What about the unlisted cases, were they no spam? Also, as we all know, errors are made during the reporting process varying from silly mistakes to more severe cases of harassment because of an e-mail war the recipient may have been involved in. And apparently in some of these cases fines need issued or spamcop user accounts need to be revoked. The longer you think about it, the more gray any definition of spam becomes, and this is one of the reasons why in general spam is so hard to fight, and why sometimes it is easy to fight. Section 1343 in Laws: Cases and Codes, U.S. Code, Title 18 is perhaps equally effective for cases as a result of fraudulent e-mails sent by a spammers, see also: http://caselaw.lp.findlaw.com/scripts/ts_search.pl?title=18&sec=1343 Ejo From porpoise1954 at yahoo.co.uk Sat Nov 5 22:52:40 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sat Nov 5 17:55:07 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved References: Message-ID: "Gezgin" wrote in message news:dkiokg$jmi$1@news.spamcop.net... > "travis" wrote in message > news:dkik3e$hit$1@news.spamcop.net... >> On the main page, where it says "Unreported Spam Saved: Report Now", it >> REALLY needs to have a feature that shows HOW MANY unreported spam are >> actually saved. >> PLEASE add that :( > > Seconded. Thirded. From Kilgallen at SpamCop.net Sat Nov 5 16:55:18 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Nov 5 18:00:03 2005 Subject: [SpamCop-List] Re: Please make sure this email IS spam: References: Message-ID: In article , geo_splash_12 writes: > Oftentimes reasonable suspicion is a gray area because the recipient > couldn't tell whether a particular spam was addressed only to him (so > that it isn't bulk) Don't worry about that part - SpamCop amalgamates reports from many sources to determine that. > or he may have forgotten he asked the e-mail to be sent. Anybody in that position should _not_ be reporting spam, since it diminishes the reputation of spamfighters everywhere. From joseph_k at invalid.com Sat Nov 5 15:32:44 2005 From: joseph_k at invalid.com (Joseph_K) Date: Sat Nov 5 18:35:02 2005 Subject: [SpamCop-List] webforum down? Message-ID: <16gqm1pofm4ukjrr1enlukns85v4r6dmv6@4ax.com> Getting this error message from the web forum: mySQL query error: DELETE FROM ipb_sessions WHERE member_id=152 mySQL error: Can't open file: 'ipb_sessions.MYI'. (errno: 145) mySQL error code: Date: Saturday 05th of November 2005 06:30:31 PM From nobody at devnull.spamcop.net Sat Nov 5 18:35:24 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sat Nov 5 18:35:07 2005 Subject: [SpamCop-List] Re: Please make sure this email IS spam: References: Message-ID: "geo_splash_12" wrote in message news:dkjc3t$svn$1@news.spamcop.net... > Mike Easter wrote: > > > What is 'spamcop reportable' has its own definitions > > http://www.spamcop.net/fom-serve/cache/14.html On what type of email > > should I (not) use SpamCop? The basic definition of spam is unsolicited and unwanted. The unwanted is defined by the reporter. However, various blocklists narrow that definition. It depends on the blocklist criteria whether a particular email is 'spam'. Most blocklists say that it is unsolicited bulk email. That excludes unsolicited commercial email that is an individual email. Whether it is reported or not depends on where it is sent. A resume sent to the wrong address (sales for instance) can be considered spam while the same resume sent to jobs company is not considered spam. Those who use blocklists know what the criteria are and whether or not they want to use a particular blocklist (or how they want to use it). Miss Betsy an almost new internet user From MikeE at ster.invalid Sat Nov 5 15:47:32 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 5 18:50:03 2005 Subject: [SpamCop-List] Re: Please make sure this email IS spam: References: Message-ID: The maps definition doesn't use the word bulk. The recipient typically can't verify bulkiness. The very carefully structured definition at maps deals with 'bulkiness' from a different angle. // An electronic message is "spam" IF: (1) the recipient's personal identity and context are irrelevant because the message is equally applicable to many other potential recipients; AND (2) the recipient has not verifiably granted deliberate, explicit, and still-revocable permission for it to be sent; AND (3) the transmission and reception of the message appears to the recipient to give a disproportionate benefit to the sender. // The discussion that follows those words is critical to their interpretation. An example is the last sentence in the discussion "Content is irrelevant except to the extent necessary to determine personal applicability, consent, and benefit." http://www.mail-abuse.com/spam_def.html -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sat Nov 5 18:50:22 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sat Nov 5 18:50:11 2005 Subject: [SpamCop-List] Re: webforum down? References: <16gqm1pofm4ukjrr1enlukns85v4r6dmv6@4ax.com> Message-ID: "Joseph_K" wrote in message news:16gqm1pofm4ukjrr1enlukns85v4r6dmv6@4ax.com... > Getting this error message from the web forum: Ditto. Miss Betsy From nobody at spamcop.net Sun Nov 6 00:08:54 2005 From: nobody at spamcop.net (StampOutSpam) Date: Sat Nov 5 19:10:02 2005 Subject: [SpamCop-List] E-mail from Don (Re: mailhosts configured) and missing data Message-ID: Don e-mailed me about needing to configure mailhosts, and disabled my account. The test message that was supposed to come in an hour took about half a day, but that's not the weird part. Don's e-mail is gone! I searched all the folders in Mozilla and it's not there. Now I'm worried about other e-mails that may be missing. I've done the mailhosts configuration, so my reporting account (StampOutSpam) can be restored. From MikeE at ster.invalid Sat Nov 5 16:35:05 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 5 19:40:03 2005 Subject: [SpamCop-List] Re: E-mail from Don (Re: mailhosts configured) and missing data References: Message-ID: StampOutSpam wrote: > Don e-mailed me about needing to configure mailhosts, and disabled my > account. That would cause me to presume you might've been reporting your own provider as a spamsource. Long before there was any such thing as mailhosts, SC reporters have needed to have cognizance of what mailheaders look like, and what part of those headers belong to your own provider or 'mailhost'. Then, when you are reporting spam, that the reporter be sufficiently responsible to look at what/who you are reporting as a spamsource, and don't report your recognized provider. I don't think the SC reporter should plead 'ignorance' to the appearance or 'foreign-ness' of mailheaders or who/what part of those headers belong to their provider. Maybe someone 'off the street' who isn't a spam reporter can say they don't need knowledge of mailheaders or their providers header stamp, but not a responsible SC reporter. > The test message that was supposed to come in an hour took > about half a day, but that's not the weird part. OK. > Don's e-mail is > gone! I'm going to interpret that as meaning that you can't see it when you look for it. > I searched all the folders in Mozilla and it's not there. Now > I'm worried about other e-mails that may be missing. I've done the > mailhosts configuration, so my reporting account (StampOutSpam) can > be restored. OK I hear what you are saying.... Are you successfully communicating in the mailhost configuration process? So that the conclusion of the configuration steps are mutually understood to be completed? -- Mike Easter kibitzer, not SC admin From SC.10.myspamgobbler at spamcowboy.net Sat Nov 5 16:44:35 2005 From: SC.10.myspamgobbler at spamcowboy.net (Brian) Date: Sat Nov 5 19:50:03 2005 Subject: [SpamCop-List] Re: E-mail from Don (Re: mailhosts configured) and missing data In-Reply-To: References: Message-ID: StampOutSpam wrote: > Don e-mailed me about needing to configure mailhosts, and disabled my > account. The test message that was supposed to come in an hour took > about half a day, but that's not the weird part. Don's e-mail is gone! > I searched all the folders in Mozilla and it's not there. Now I'm > worried about other e-mails that may be missing. In Mozilla's View menu\Messages, make sure All is checked, not Unread. I'm assuming this is the same menu setup as Mozilla Thunderbird. -- Brian SC.10.myspamgobbler@spamcowboy.net From nobody at spamcop.net Sun Nov 6 01:23:17 2005 From: nobody at spamcop.net (StampOutSpam) Date: Sat Nov 5 20:25:02 2005 Subject: [SpamCop-List] Re: E-mail from Don (Re: mailhosts configured) and missing data References: Message-ID: > Are you successfully communicating in the mailhost configuration > process? So that the conclusion of the configuration steps are mutually > understood to be completed? The mailhost configuration is done. >> Don's e-mail is gone! > > I'm going to interpret that as meaning that you can't see it when you > look for it. It was in my inbox before I gave up waiting for the test message, and when I checked later, the e-mail he sent wasn't in any of the mail folders. I didn't delete it, and if it was deleted by accident, I didn't delete it individually from the trash. If this is data corruption, it's unusually specific. I've had mail folders go bad, but then they won't open or there are big chunks of data missing. From nobody at spamcop.net Sun Nov 6 01:31:23 2005 From: nobody at spamcop.net (StampOutSpam) Date: Sat Nov 5 20:35:02 2005 Subject: [SpamCop-List] Re: E-mail from Don (Re: mailhosts configured) and missing data References: Message-ID: >> Don's e-mail is gone! >> I searched all the folders in Mozilla and it's not there. > In Mozilla's View menu\Messages, make sure All is checked, not Unread. It's configured to show all messages as usual, and any messages not shown in the regular window should be in the search window. I checked SpamCop Webmail, but the message wasn't there either. From nobody at devnull.spamcop.net Sat Nov 5 20:14:14 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Nov 5 21:15:03 2005 Subject: [SpamCop-List] Re: webforum down? References: <16gqm1pofm4ukjrr1enlukns85v4r6dmv6@4ax.com> Message-ID: "Miss Betsy" wrote in message news:dkjgep$vge$1@news.spamcop.net... > > Ditto. > > Miss Betsy Check the Announcements .... per my usual 'learn by doing' ..... it's back up .... From nobody at spamcop.net Sun Nov 6 08:19:07 2005 From: nobody at spamcop.net (nospam) Date: Sat Nov 5 23:20:25 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null> Message-ID: in article dkhf61$vnj$1@news.spamcop.net, jg at jg@coks.net wrote on 11/5/05 9:17 AM: > On 11/4/2005 7:30 PM nospam scribbled: > >> in article dkfupn$ti1$1@news.spamcop.net, jg at jg@coks.net wrote on 11/4/05 >> 7:31 PM: >> >> >>> On 11/3/2005 8:49 PM Jeff G. scribbled: >> >> SNIP >> >>> That said, I do send spam to the SEC and FDA anyway... >> >> >> Well, I used to, but with the new default ticked "on" for user supplied 3d >> Party reporting addresses, I had to turn that off. I was forgetting to >> untick too mony non-securities spams. It becomes too much work to add manual >> LARTS for all the Pimp and Dump stuff. >> > Well, tnx for the heads up on 'user supplied' use - last I looked, and > as a free reporter, I was allowed only 2 user supplied addys - but then > it could well have been a brain fart. > BTW, to me, manual LARTed means going outside the SC environment. Do > you mean that you regard checking a 'user supplied' addy as a LART? > Since I munge via SC, I don't view it as LARTing, but I'm just a lurker... You're right, they're not LARTS, just fodder, although when Mike Lindsey? was spamming the sh*t out of me from Calpop, then MCI and then SBC and ... I forget, I was adding LARTS to the higher ups, and customer/investor relations etc. in these outfits. Usually I just have the special addresses for my pet peeve of the month, PHISHes, or PumP&Dump, or Drugs. BTW you can have up to 4 addresses as a free reporter. From nobody at xyzzy.claranet.de Sun Nov 6 05:56:50 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Nov 6 00:10:05 2005 Subject: [SpamCop-List] Re: Please make sure this email IS spam: References: Message-ID: <436D8D12.7DCA@xyzzy.claranet.de> Mike Easter wrote: > That is a last chance to prevent making a mistake. > SpamCop reporters make mistakes all the time. Yes, my two mistakes this year (so far) were both results of the same script filtering "huge" mails incl. potential mail worms (MZ and PK parts). This filter "assumes" that I manually check what it found to be "too big" or otherwise suspicious. For months it was 100% spam, therefore I got used to "select all" + "forward" + "JHD" without really checking it. At the same time the number of spams violating my personal "too big" rule increased from a handful per day to about 50% of all spam I get (in other words the average spam size this year is apparently _much_ bigger than in 2004). So far no problem, big spam is still spam. But then somebody posted a mail with an attached ZIP on the only mailing list where I can't disable to get mail copies... :-( Yes, I've white listed this list, but only in a whitelist filter _behind_ the popstop.cmd script. Script saw "UE" (i.e. PK) => added to the folder with truncated "big mails". About 30 other "big spams" made it to this folder. Stupid user (me) sees what he always sees, "all" subjects tagged as spam... "all" = the first eight visible in the window, not "all" = 30. Stupid user (me) clicks "select all" + "forward" + JHD + "send". Oops. In another episode with the same script it was a JPG I sent to me from another account. In that case I forgot to white list an X-Envelope-To for intentionally "big mails". Oops, I dit it again. Apologies sent, script fixed, etc., but it's always possible to screw up somehow. With (I'm not sure) about 500 reports per day that's a false positive rate of more than 0.01% this year, IMO rather poor. Bye, Frank From nobody at nowhere.invalid Sun Nov 6 11:03:33 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Nov 6 05:06:11 2005 Subject: [SpamCop-List] Re: Please make sure this email IS spam: References: Message-ID: On Sat, 5 Nov 2005 18:35:24 -0500, Miss Betsy coughed into spamcop and left this in : > Most blocklists say that it is unsolicited bulk email. That > excludes unsolicited commercial email that is an individual email. Exactly. I tend to define spam as unsolicited and either bulk or promotional. So if someone sends just lil' old me a mail touting some product or other, I still consider it as unwanted advertising and will report it as the spam that it is. -- Steve Hurewitz's Memory Principle: The chance of forgetting something is directly proportional to ..... to ........ uh .............. From spambait at whodat.net Sun Nov 6 04:28:20 2005 From: spambait at whodat.net (Darrel Toepfer) Date: Sun Nov 6 05:30:23 2005 Subject: [SpamCop-List] Re: webforum down? In-Reply-To: References: <16gqm1pofm4ukjrr1enlukns85v4r6dmv6@4ax.com> Message-ID: WazoO wrote: > "Miss Betsy" wrote in message > news:dkjgep$vge$1@news.spamcop.net... > >>Ditto. >> >>Miss Betsy > > > Check the Announcements .... per my usual 'learn by > doing' ..... it's back up .... Looks like the entire thing is down now... --- An error occurred while processing your request. Reference #97.206a1cd.1131272864.2cced67 From nobody at devnull.spamcop.net Sun Nov 6 08:14:19 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Nov 6 09:15:20 2005 Subject: [SpamCop-List] Re: webforum down? References: <16gqm1pofm4ukjrr1enlukns85v4r6dmv6@4ax.com> Message-ID: "Darrel Toepfer" wrote in message news:dkkls0$hr1$1@news.spamcop.net... > WazoO wrote: > > > Check the Announcements .... per my usual 'learn by > > doing' ..... it's back up .... > > Looks like the entire thing is down now... > > An error occurred while processing your request. > Reference #97.206a1cd.1131272864.2cced67 Your downtime reference relates to www.spamcop.net .. This thread is about http://forum.spamcop.net/forums/ The second now includes a graphic in its banner line to show the (lack of) activity of the first in an attempt to answer the "is it down" question before it gets asked. From nobody at spamcop.net Sun Nov 6 16:34:32 2005 From: nobody at spamcop.net (me-no-no) Date: Sun Nov 6 11:35:20 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved References: Message-ID: "Frog Prince" wrote in message news:dkj35e$ok2$1@news.spamcop.net... > "Robert Blair" > | > | > On the main page, where it says "Unreported Spam Saved: Report Now", > it > | > REALLY needs to have a feature that shows HOW MANY unreported spam are > | > actually saved.> | I have requested a way to delete the top most item of "Unreported > | Spam" (currently you can only delete all "Unreported Spam") but > | nothing has changed. > | > | So while we are one the subject of "Unreported Spam" again I will make > | the request again. Please. > Yea the number left to report and the option to delet those that are too > old > to report would save me time and effort. and.... Another "pretty please" for this feature to be added or amended - Thanx I A. Ciao Meno From nospam at nospam.nl Sun Nov 6 18:47:00 2005 From: nospam at nospam.nl (geo_splash_12) Date: Sun Nov 6 12:50:10 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved In-Reply-To: References: Message-ID: travis wrote: > On the main page, where it says "Unreported Spam Saved: Report Now", it > REALLY needs to have a feature that shows HOW MANY unreported spam are > actually saved. > > PLEASE add that :( You don't need this option, because, if you would check past reports you get to see the ones that are not yet reported. Ejo From jg at coks.net Sun Nov 6 10:00:09 2005 From: jg at coks.net (jg) Date: Sun Nov 6 13:00:03 2005 Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To? In-Reply-To: References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null> Message-ID: On 11/5/2005 8:19 PM nospam scribbled: BTW you can have up to 4 addresses as a free reporter. > Good to know, tnx jg From jg at coks.net Sun Nov 6 10:44:14 2005 From: jg at coks.net (jg) Date: Sun Nov 6 13:45:02 2005 Subject: [SpamCop-List] One for dave null... Message-ID: http://www.spamcop.net/sc?id=z823833942z36f6fb52cd52ac148cbd0ae894bab641z Is there anything odd about this spam ? Aside the SC lack of obfuscation issue, is this a case of spammy dummy (redundant) or spammy trickery? I speaking of the multi notifies... tnx From jg at coks.net Sun Nov 6 10:48:40 2005 From: jg at coks.net (jg) Date: Sun Nov 6 13:50:02 2005 Subject: [SpamCop-List] comcor.ru Message-ID: http://www.spamcop.net/sc?id=z823836091zd9dac5602941e4096cc1913ba9d1496cz The above addy has just popped up in recent (past 2 weeks) spam. Are they new to the block or just reaching my ISP? spam is regular Leo stuff... From 79ytka802 at sneakemail.com Sun Nov 6 21:17:12 2005 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Sun Nov 6 16:20:22 2005 Subject: [SpamCop-List] "You are very good, thank you!" Message-ID: You are probably all going to tick me off for opening spam, but... here we go: In the last few days I have been getting some VERY strange messages. Always in plain text with no attachments, always with one of two subject lines - "Unsubscribe" or "Help Pakistan Children", always with the same content: "Hello (or sometime "good afternoon"), you are very good, thank you." Sources have varied from British Telecom to some server in China. What is the point? From zypher at spamcop.net Sun Nov 6 15:54:21 2005 From: zypher at spamcop.net (Ron B.) Date: Sun Nov 6 16:55:02 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" In-Reply-To: References: Message-ID: Aviatrix wrote: > You are probably all going to tick me off for opening spam, but... here > we go: > > In the last few days I have been getting some VERY strange messages. > Always in plain text with no attachments, always with one of two subject > lines - "Unsubscribe" or "Help Pakistan Children", always with the same > content: "Hello (or sometime "good afternoon"), you are very good, thank > you." Sources have varied from British Telecom to some server in China. > > What is the point? > Any URL's to click? From 79ytka802 at sneakemail.com Sun Nov 6 22:00:22 2005 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Sun Nov 6 17:05:03 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" In-Reply-To: References: Message-ID: Ron B. wrote: > Any URL's to click? Nope. Nothing at all. Just a plain text message. A. From zypher at spamcop.net Sun Nov 6 16:02:20 2005 From: zypher at spamcop.net (Ron B.) Date: Sun Nov 6 17:05:14 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" In-Reply-To: References: Message-ID: Aviatrix wrote: > > > Ron B. wrote: > >> Any URL's to click? > > > Nope. Nothing at all. Just a plain text message. > > A. Bizzare! From MikeE at ster.invalid Sun Nov 6 14:09:03 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 6 17:10:03 2005 Subject: [SpamCop-List] Re: One for dave null... References: Message-ID: jg wrote: > http://www.spamcop.net/sc?id=z823833942z36f6fb52cd52ac148cbd0ae894bab641z > > Is there anything odd about this spam ? Did you examine the spambody? > Aside the SC lack of > obfuscation issue, is this a case of spammy dummy (redundant) or > spammy trickery? How do you mean? And there isn't a lack of deobfuscation in what I saw. SC deobfuscated. Resolving link obfuscation http://rvoked.strongbeauty.net/?kltcshxwpwpykgunbpzpoldhciw Host rvoked.strongbeauty.net (checking ip) IP not found ; rvoked.strongbeauty.net discarded as fake. http://rvoked.strongbeauty.net/?kltcshxwykgunbpzpoldhciw Host rvoked.strongbeauty.net (checking ip) IP not found ; rvoked.strongbeauty.net discarded as fake. <html part> http://gornsg.nestleimages.com/?eudvbnxwpwpybvduulzpofdihqc Host gornsg.nestleimages.com (checking ip) IP not found ; gornsg.nestleimages.com discarded as fake. http://acjjwu.nnedbestforyou.info/?aeqoboxwyrighnhzpoufovqt Host acjjwu.nnedbestforyou.info (checking ip) IP not found ; acjjwu.nnedbestforyou.info discarded as fake. > I speaking of the multi notifies... There are no multinotifies. SC notifies kornet about the proxysource. Nothing else. Neither in your SC recommended reports nor what the parser showed me. The only multinotify was what you added to your provider and uce.gov There are 'multi-spamvertiser' links, none notified. There are two versions, the text/plain version part of the multipart, and the text/html part of the multipart. So, if your mua/OE is configured to render the html, it ignores the plaintext version and you see one set of links, andb/but if your mua/OE is configured to read plaintext only, you see a different set of links. SC deobfuscates both versions, 2 links per version, but fails to resolve any of them. My resolver resolves the html version links to the .kr 61.111.255.134 which is spamhaused and thus is unresponsive and not worth notifying. The plaintext version links don't resolve. There is nothing worth notifying lost by SC not resolving the html links -- except that nothing in the spam makes it to sc-surbl. If the parser were reconfigured with my 'do not resolve' recommendation, the links would have been provided to sc-surbl. SC's notifies for spamvertisers aren't valuable and largely disregarded by SC, but if the parser were reconfigured, the surbl databasing of the spamvertiser links would have been worthwhile. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Nov 6 14:13:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 6 17:15:04 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> Message-ID: <dklv6l$9bf$1@news.spamcop.net> Aviatrix wrote: > You are probably all going to tick me off for opening spam, but... > here we go: If you are going to talk about a spam you decided to read, you should post its tracker, not 'describe' it. > In the last few days I have been getting some VERY strange messages. > Always in plain text with no attachments, always with one of two > subject lines - "Unsubscribe" or "Help Pakistan Children", always > with the same content: "Hello (or sometime "good afternoon"), you are > very good, thank you." Sources have varied from British Telecom to > some server in China. > > What is the point? The whole spam is infinitely more valuable than a vague description of one. In the first place, a description isn't the actual item, but an 'imaginary' or hypothetical fuzzy allusion of something. In the second place, 'interpreting' an item doesn't start with the body, it starts with the headers. I never even look at any unsolicited item by starting with its body -- so when you start by 'describing' a body, you start from 'nowhere'. If you post the tracker, the first thing which will be examined is its headers. Only after the header examination is it worthwhile to even 'bother with' examining the body, and then the only body which is worth talking about is the *real* body, not a described imaginary hypothetical body. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun Nov 6 17:15:03 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sun Nov 6 17:15:10 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> Message-ID: <dklv86$9bm$1@news.spamcop.net> "Aviatrix" wrote in message > You are probably all going to tick me off for opening spam, but... here > we go: > > In the last few days I have been getting some VERY strange messages. > Always in plain text with no attachments, always with one of two subject > lines - "Unsubscribe" or "Help Pakistan Children", always with the same > content: "Hello (or sometime "good afternoon"), you are very good, thank > you." Sources have varied from British Telecom to some server in China. > > What is the point? > 1). Look closely: They are proof of the feasibility of time travel? 2). Think spanked spammer: think it is a personal blessing for you to receive such kind words from one as may trespass against the privacy of your Inbox? 3). You have a grateful, but secretive, admirer? 4). Spamsender has OCD, working through a ritual handwashing with serious thought to some aggressive listwashing before getting another website nuked for spamvending? 5). Other, not mentionable? When was there ever a "point" to spamsending? Smile, <G> From nobody at devnull.spamcop.net Sun Nov 6 17:57:44 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sun Nov 6 18:00:11 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> Message-ID: <dkm1o7$b42$1@news.spamcop.net> "Mike Easter" wrote > Aviatrix wrote: > > You are probably all going to tick me off for opening spam, but... > > here we go: > > If you are going to talk about a spam you decided to read, you should > post its tracker, not 'describe' it. > > > In the last few days I have been getting some VERY strange messages. > > Always in plain text with no attachments, always with one of two > > subject lines - "Unsubscribe" or "Help Pakistan Children", always > > with the same content: "Hello (or sometime "good afternoon"), you are > > very good, thank you." Sources have varied from British Telecom to > > some server in China. > > > > What is the point? > > The whole spam is infinitely more valuable than a vague description of > one. In the first place, a description isn't the actual item, but an > 'imaginary' or hypothetical fuzzy allusion of something. In the second > place, 'interpreting' an item doesn't start with the body, it starts > with the headers. I never even look at any unsolicited item by starting > with its body -- so when you start by 'describing' a body, you start > from 'nowhere'. > > If you post the tracker, the first thing which will be examined is its > headers. Only after the header examination is it worthwhile to even > 'bother with' examining the body, and then the only body which is worth > talking about is the *real* body, not a described imaginary hypothetical > body. > Think in terms of "this does not feel spammy". The impersonal element weighs heavily toward spammishness. Although these "items" come with the usual fare of forged headers and abused open proxies, not one as yet has tripped into a spamtrap and is available in NANAS for discussion. They are not clearly abusive in any way. These come across as personal. Childish, like writing on the blackboard as a penance, but they all source from the same computer, apparently in Korea, and they don't appear to be the work of either bot or zombie. I am not calling them spam. They are /not/ UCE. And as best I can tell, /not/ UBE. And I am /not/ sure they are even SpamCop reportable. So, there may be no tracker to relate to, as even though they are abuse, I am not calling spam. If and when one pops up in a spamtrap, that could change. But these are more simply targeted and individually handcrafted and gift wrapped "gems". Not all are so blessed as to recieve such things. As it is rather less than clear that they qualify as "spam", I empathize with Aviatrix' hesitancy about discussing these here, but would entertain taking it up by email. <G> From devnull at spamcop.net Sun Nov 6 18:10:01 2005 From: devnull at spamcop.net (Frog Prince) Date: Sun Nov 6 18:15:06 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved References: <dkik3e$hit$1@news.spamcop.net> <dklfin$ttn$1@news.spamcop.net> Message-ID: <dkm2jk$cpc$1@news.spamcop.net> "geo_splash_12" | > On the main page, where it says "Unreported Spam Saved: Report Now", it | > REALLY needs to have a feature that shows HOW MANY unreported spam are | > actually saved. | > | > PLEASE add that :( | | You don't need this option, because, if you would check past reports you | get to see the ones that are not yet reported. Requires additional and unnecessary steps on the part of the reporter and more bandwidth to no advantage to either spam cop or the reporter. The requested features would improve the report's ability to report spam faster and reduce the amount of processing time and bandwidth required of the server. From not at home.today Sun Nov 6 23:35:25 2005 From: not at home.today (Ant) Date: Sun Nov 6 18:40:07 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> Message-ID: <dkm403$ef7$1@news.spamcop.net> "Mike Easter" wrote: > Aviatrix wrote: >> You are probably all going to tick me off for opening spam, but... >> here we go: > > If you are going to talk about a spam you decided to read, you should > post its tracker, not 'describe' it. Here's one of mine: http://www.spamcop.net/sc?id=z823813026zae1d3ace9430c2b5c9ed6983657097a6z >> What is the point? Looks like the doofus is testing his spamware. There's no payload. I've received several, but reported only two. One was from a comcast box listed in sorbs, and this was from xs4all (unlisted in any BL). "ISP has indicated spam will cease; ISP resolved this issue sometime after Sun, 6 Nov 2005 16:49:07 UTC" "Message is 0 hours old" <--[at the time I parsed it] ... "If reported today, reports would be sent to:" "Re: 213.84.50.88 (Administrator of IP block - statistics only)" I presume that although the parser gave a reporting address, but did not offer to send reports, the IP still counted towards the SCBL? From MikeE at ster.invalid Sun Nov 6 15:53:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 6 18:55:03 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> <dkm1o7$b42$1@news.spamcop.net> Message-ID: <dkm512$f6a$1@news.spamcop.net> Glenn Daniels wrote: > "Mike Easter" >> If you post the tracker, > And I am /not/ sure they are even SpamCop reportable. > > So, there may be no tracker to relate to, It isn't necessary to report an item to create a tracker for it. You parse the item, copy the tracker, cancel the report, and paste the tracker here. If mungeing prior to parsing is necessary, it should be described in accompaniment with the tracker or blatantly obvious in the viewing. -- Mike Easter kibitzer, not SC admin From spamcop-list-at-news.spamcop.net at musaic.net Mon Nov 7 00:57:54 2005 From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net) Date: Sun Nov 6 18:58:17 2005 Subject: [SpamCop-List] "You are very good, thank you!" In-Reply-To: <dklrsj$776$1@news.spamcop.net> References: <dklrsj$776$1@news.spamcop.net> Message-ID: <991652319.20051107005754@musaic.net> > In the last few days I have been getting some VERY strange messages. > Always in plain text with no attachments, always with one of two subject > lines - "Unsubscribe" or "Help Pakistan Children", always with the same > content: "Hello (or sometime "good afternoon"), you are very good, thank > you." Sources have varied from British Telecom to some server in China. > > What is the point? It could be a 419 variety - is someone mayne trying to place a bait? What happens if you reply (using a safe and unknown address)? Try hit'em with "Thank you very much for these encouraging words! Please enlighten me, what is this is all about?"? You might receive further attention from the scammer(s), like "Oh Thank God, by God's Grace I finally reached you!" and so-on-blah-blah-blah... -- St From not at home.today Mon Nov 7 00:16:15 2005 From: not at home.today (Ant) Date: Sun Nov 6 19:20:14 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> <dkm1o7$b42$1@news.spamcop.net> Message-ID: <dkm6cl$g6l$1@news.spamcop.net> "Glenn Daniels" wrote: > Think in terms of "this does not feel spammy". The impersonal > element weighs heavily toward spammishness. Although these > "items" come with the usual fare of forged headers and abused > open proxies, not one as yet has tripped into a spamtrap and > is available in NANAS for discussion. They are not clearly > abusive in any way. They most certainly are abusive; they are spam. > These come across as personal. Childish, like writing on the > blackboard as a penance, but they all source from the same > computer, apparently in Korea, and they don't appear to > be the work of either bot or zombie. I am not calling them > spam. They are /not/ UCE. And as best I can tell, /not/ UBE. > And I am /not/ sure they are even SpamCop reportable. I've received six since 2 Nov. I consider them UBE, and will report them if they fall within my reporting time window. From nobody at devnull.spamcop.net Sun Nov 6 19:28:21 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sun Nov 6 19:30:03 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> <dkm403$ef7$1@news.spamcop.net> Message-ID: <dkm725$ggb$1@news.spamcop.net> "Ant" wrote in message > "Mike Easter" wrote: ... > > Aviatrix wrote: ... > Here's one of mine: > http://www.spamcop.net/sc?id=z823813026zae1d3ace9430c2b5c9ed6983657097a6z > > >> What is the point? > My point is, unless time travel is possible, you can't be receiving such messages. -g From MikeE at ster.invalid Sun Nov 6 16:30:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 6 19:35:02 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> <dkm403$ef7$1@news.spamcop.net> Message-ID: <dkm76u$gno$1@news.spamcop.net> Ant wrote: > Here's one of mine: www.spamcop.net/sc?id=z823813026zae1d3ace9430c2b5c9ed6983657097a6z There are several in sightings like that. All they have in common is a very similar body,.a future early Dec Date line, and the fact that they arrive without a msgid, so the recipient server stamps it with a recipient-type mid. They come from user IPs, not servers, and about half the time the user IP is cbl listed for hitting spamtraps. One of the ones examined is spamcop listed and they tend to come from IPs in the ripe or Euro RIR. > I presume that although the parser gave a reporting address, but did > not offer to send reports, the IP still counted towards the SCBL? Something seems funky about that parser handling - it is one thing to not send a report for something which the provider doesn't want to hear about, but it would seem that the parser should provide you with a chance to report or cancel to determine whether or not the source 'non-report' should count toward the SCbl. If you don't approve a report, even tho' a report might not be sent because of the preference of the provider, an unapproved parsing result won't count toward the SCbl. That is, the appearance of the verbose on your tracker would imply that since the provider is claiming spam will cease, the report doesn't count. That isn't the way it is supposed to work. I think something is wrong. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun Nov 6 19:30:55 2005 From: nobody at devnull.spamcop.net (Pop) Date: Sun Nov 6 19:35:09 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved References: <dkik3e$hit$1@news.spamcop.net> <dklfin$ttn$1@news.spamcop.net> <dkm2jk$cpc$1@news.spamcop.net> Message-ID: <dkm77o$gns$1@news.spamcop.net> "Frog Prince" <devnull@spamcop.net> wrote in message news:dkm2jk$cpc$1@news.spamcop.net... : "geo_splash_12" : : | > On the main page, where it says "Unreported Spam Saved: Report Now", it : | > REALLY needs to have a feature that shows HOW MANY unreported spam are : | > actually saved. : | > : | > PLEASE add that :( : | : | You don't need this option, because, if you would check past reports you : | get to see the ones that are not yet reported. : : Requires additional and unnecessary steps on the part of the reporter and : more bandwidth to no advantage to either spam cop or the reporter. : : The requested features would improve the report's ability to report spam : faster and reduce the amount of processing time and bandwidth required of : the server. : : : Yeah, I'd vote for something similar too, OR to at least throw away the ones that have gotten too old to report anyway. Whenever I find I have unerported spam, it's always an oversight on my part somehow, and it's unreportable anyway because it's too old. I DO find the unreported spam handy sometimes because if I mailed a bunch of spam in and haven't gotten the notices back yet, if I happen to be on the site and they're processed, I can just take care of it all while I'm there. Then the notices don't go out, spam got reported, and bandwidth's saved. But if I hve to wade thru a bunch of "tool old", well, it defeats the use of it all. For me, anyway. Pop From 79ytka802 at sneakemail.com Mon Nov 7 00:35:59 2005 From: 79ytka802 at sneakemail.com (Aviatrix) Date: Sun Nov 6 19:40:02 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" In-Reply-To: <dklv6l$9bf$1@news.spamcop.net> References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> Message-ID: <dkm7h9$gur$1@news.spamcop.net> Mike Easter wrote: > If you post the tracker, the first thing which will be examined is its > headers. Only after the header examination is it worthwhile to even > 'bother with' examining the body, and then the only body which is worth > talking about is the *real* body, not a described imaginary hypothetical > body. What do you mean by "imaginary hypothetical body"? As I already said it's plain ASCII, and I don't think there is any way you can "imagine" something that is there right in front of your eyes in plain ASCII! Seeing you asked...: http://www.spamcop.net/sc?id=z823917051z0761189a0a42cdb1943c93854b5c42e3z http://www.spamcop.net/sc?id=z823917054z14c0a78c37a8df909c95ff22b24ad03fz http://www.spamcop.net/sc?id=z823917491zbb14ad414a34f98adea0954c6986f6d8z From g.hyde at bigpond.net.au Mon Nov 7 10:34:29 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sun Nov 6 19:40:09 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv86$9bm$1@news.spamcop.net> Message-ID: <dkm7j9$gv4$1@news.spamcop.net> "Glenn Daniels" <nobody@devnull.spamcop.net> wrote in message news:dklv86$9bm$1@news.spamcop.net... You forgot: 0.1) Spammer is a clueless git! 0.2) Spammer is a clueless redneck git! (for those spammers who feel they don't fit into the above category) 0.3) Spammer is harvesting new email addresses to spam. 0.4) Spammer is trolling, and this UBE will continue. 0.5) Other, please [FITB] ... I could go on, but I'm sure there's lots of reasons we haven't come up with yet! :-P > 1). Look closely: They are proof of the feasibility of time travel? > 2). Think spanked spammer: think it is a personal blessing for > you to receive such kind words from one as may trespass > against the privacy of your Inbox? > 3). You have a grateful, but secretive, admirer? > 4). Spamsender has OCD, working through a ritual handwashing > with serious thought to some aggressive listwashing before getting > another website nuked for spamvending? > 5). Other, not mentionable? > > When was there ever a "point" to spamsending? When some [censored] spammer invented the idea. Unfortunately, like most ideas fuelled by the internet it gathered momentum and is still snowballing out of control to this day. Cheers ... Geoffrey Hyde From MikeE at ster.invalid Sun Nov 6 17:04:58 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 6 20:05:03 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> <dkm7h9$gur$1@news.spamcop.net> Message-ID: <dkm97n$hsl$1@news.spamcop.net> Aviatrix wrote: > Mike Easter wrote: >> the only body which >> is worth talking about is the *real* body, not a described imaginary >> hypothetical body. > What do you mean by "imaginary hypothetical body"? I 'like to' [tend to] use those imaginary hypothetical words to exaggerate the 'non-existence' of some described 'alleged' item which hasn't been held forth 'in reality' yet with something like a tracker. As long as it has only been described instead of actually exhibited, it isn't actually 'real' yet - except in /your/ mind or cognizance. I hope to motivate the 'imaginer' who hasn't proven the existence yet, to post the tracker. www.spamcop.net/sc?id=z823917051z0761189a0a42cdb1943c93854b5c42e3z www.spamcop.net/sc?id=z823917054z14c0a78c37a8df909c95ff22b24ad03fz www.spamcop.net/sc?id=z823917491zbb14ad414a34f98adea0954c6986f6d8z Now, there're some real ones. All 3 of them fit the prototype described earlier. None of those sources are cbl, one is scbl. I would say that someone is 'exercising' their spamware and injection method. By using a small body, the trial run would go faster. My theory is that the actual body content is irrelevent. It just needs to be something, but not much. They are hitting spamtraps and are sufficiently numerous that about 5 have appeared in sightings already and recently, in addition to the ones being talked about here. -- Mike Easter kibitzer, not SC admin From not at home.today Mon Nov 7 02:50:15 2005 From: not at home.today (Ant) Date: Sun Nov 6 21:55:20 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklv6l$9bf$1@news.spamcop.net> <dkm403$ef7$1@news.spamcop.net> <dkm76u$gno$1@news.spamcop.net> Message-ID: <dkmfdc$mp0$1@news.spamcop.net> "Mike Easter" wrote: > There are several in sightings like that. All they have in common is a > very similar body,.a future early Dec Date line, I didn't notice the early date. > and the fact that they > arrive without a msgid, so the recipient server stamps it with a > recipient-type mid. They come from user IPs, not servers, and about > half the time the user IP is cbl listed for hitting spamtraps. One of > the ones examined is spamcop listed and they tend to come from IPs in > the ripe or Euro RIR. I have at least a couple of comcast (arin) ones. >> I presume that although the parser gave a reporting address, but did >> not offer to send reports, the IP still counted towards the SCBL? > > Something seems funky about that parser handling - it is one thing to > not send a report for something which the provider doesn't want to hear > about, but it would seem that the parser should provide you with a > chance to report or cancel to determine whether or not the source > 'non-report' should count toward the SCbl. Yes, the parser gave me no options to do anything (no checkboxes or buttons). My earlier comcast spam (also with a future date) did not have this problem. > If you don't approve a > report, even tho' a report might not be sent because of the preference > of the provider, an unapproved parsing result won't count toward the > SCbl. > > That is, the appearance of the verbose on your tracker would imply that > since the provider is claiming spam will cease, the report doesn't > count. > > That isn't the way it is supposed to work. I think something is wrong. Looks that way. I wondered if "statistics only" counted for a block, as stated here: "Re: 213.84.50.88 (Administrator of IP block - statistics only)" Presumably not, unless something has changed. From jg at coks.net Sun Nov 6 22:19:31 2005 From: jg at coks.net (jg) Date: Mon Nov 7 01:20:03 2005 Subject: [SpamCop-List] Re: One for dave null... In-Reply-To: <dkluts$92m$1@news.spamcop.net> References: <dkliqf$2mq$1@news.spamcop.net> <dkluts$92m$1@news.spamcop.net> Message-ID: <dkmri3$skt$1@news.spamcop.net> On 11/6/2005 2:09 PM Mike Easter scribbled: > jg wrote: > > http://www.spamcop.net/sc?id=z823833942z36f6fb52cd52ac148cbd0ae894bab641z > >>Is there anything odd about this spam ? > > > Did you examine the spambody? No, not beyond the source - I don't like to read spam... > >Aside the SC lack of >>obfuscation issue, is this a case of spammy dummy (redundant) or >>spammy trickery? > > > How do you mean? And there isn't a lack of deobfuscation in what I saw. > SC deobfuscated. My orig. link above will not resolve for me - don't know why, so I can't revisit this report at the moment But seems like I was trying to say, whats the point of multi fake spamverts (I misspoke the notify word)? > >>I speaking of the multi notifies... misspeaking... > > > There are 'multi-spamvertiser' links, none notified. > > There are two versions, the text/plain version part of the multipart, > and the text/html part of the multipart. So, if your mua/OE is > configured to render the html, it ignores the plaintext version and you > see one set of links, andb/but if your mua/OE is configured to read > plaintext only, you see a different set of links. er, hmmm..their point? > > SC deobfuscates both versions, 2 links per version, but fails to resolve > any of them. I take deobfuscate to mean derive a URL that is resolvable - how do you know you deobfuscated without a resolution? I will now put on my helmet in case my ignorance is showing... > > My resolver resolves the html version links to the .kr 61.111.255.134 > which is spamhaused and thus is unresponsive and not worth notifying. > The plaintext version links don't resolve. so 2 weren't fake - whatever > > There is nothing worth notifying lost by SC not resolving the html > links -- except that nothing in the spam makes it to sc-surbl. > Well, I knew /something/ was odd - SC goes to dev null and I go to the FTC - similiar piles? I've been getting virtually the same spam daily for about 2 weeks now, with the same spamverts from sources bouncing all around the far east with an occasional stop in so. america and dada (?). Kornet is a pretty common thread, and I suddenly got 5-6 Paypals in 2 days (normal Paypal flow is 1 a month or so}... > If the parser were reconfigured with my 'do not resolve' recommendation, > the links would have been provided to sc-surbl. SC's notifies for > spamvertisers aren't valuable and largely disregarded by SC, but if the > parser were reconfigured, the surbl databasing of the spamvertiser links > would have been worthwhile. > Any reason SC wouldn't do this? From MikeE at ster.invalid Mon Nov 7 05:07:08 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 7 08:10:23 2005 Subject: [SpamCop-List] Re: One for dave null... References: <dkliqf$2mq$1@news.spamcop.net> <dkluts$92m$1@news.spamcop.net> <dkmri3$skt$1@news.spamcop.net> Message-ID: <dknjhq$ctk$1@news.spamcop.net> jg wrote: > Mike Easter scribbled: >> Did you examine the spambody? > > No, not beyond the source - I don't like to read spam... Yabbut, if you are going to 'discuss it' here -- you will need to prepare for the discussion somehow. The source examination would be adequate if you can interpret that exam 'as if' you had opened the spam in more than one configuration, ie render vs not render the html. > But seems like I was trying to say, whats the point of multi fake > spamverts (I misspoke the notify word)? I don't like to spend /too/ much time imagining why spammers do or 'think' what they do. Perhaps to mislead the antispammer with the revoked domain links in the plaintext. The links were named rvoked.strongbeauty.net. The domainname was reg'd Oct 29, changed Nov 5 and is currently revoked. >> There are two versions, the text/plain version part of the multipart, >> and the text/html part of the multipart. So, if your mua/OE is >> configured to render the html, it ignores the plaintext version and >> you see one set of links, andb/but if your mua/OE is configured to >> read plaintext only, you see a different set of links. > > er, hmmm..their point? See above. >> SC deobfuscates both versions, 2 links per version, but fails to >> resolve any of them. > > I take deobfuscate to mean derive a URL that is resolvable - how do > you know you deobfuscated without a resolution? The steps to resolving-notifying are: - find the links - deobfuscate the links - resolve the links - derive the notify for the IP resolved Typically SC finds & deobfuscates. What happens after that varies. >> If the parser were reconfigured with my 'do not resolve' >> recommendation, the links would have been provided to sc-surbl. >> SC's notifies for spamvertisers aren't valuable and largely >> disregarded by SC, but if the parser were reconfigured, the surbl >> databasing of the spamvertiser links would have been worthwhile. >> > > Any reason SC wouldn't do this? I can't think of any beyond the first step of the trouble of code writing, which trouble could possibly be insurmountable. However, it seems to me that the advantages are so large, that it would be worth the trouble to consider. To reiterate from my post news:dkluts$92m$1@news.spamcop.net Parser configuration option proposal Mike Easter wrote: > o SC's resources would be conserved, which is apparently needed > sometimes > o SC reporter spam would not be 'handled' or seen by blackhat > spamvertiser providers and their cohorts > o Many many more spamvertisers would be provided to the statistic > page for sc-surbl scraping > o Many more sc-surbl blocklist users would benefit from the SC > reports The spamvertised links on the stats page show the notified and the link, they don't show the resolved IP. It is my presumption that the sc-surbl processing handles the resolving or nonresolving issue, which most assuredly must be very dynamic in the case of spam. The surbl blocklist users would include SC mail clients if SC's implementation of SA includes the surbl plugin. -- Mike Easter kibitzer, not SC admin From kenbrody at spamcop.net Mon Nov 7 09:52:47 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Mon Nov 7 10:20:02 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <dklrsj$776$1@news.spamcop.net> <dklu2d$89n$1@news.spamcop.net> <dkludg$8f4$1@news.spamcop.net> <dkluhc$8pp$1@news.spamcop.net> Message-ID: <436F6A3F.462FCB83@spamcop.net> "Ron B." wrote: > > Aviatrix wrote: > > > > > > Ron B. wrote: > > > >> Any URL's to click? > > > > > > Nope. Nothing at all. Just a plain text message. > > > > A. > > Bizzare! Without complete source, including full headers, we can only guess. It could be an attempt to verify addresses via return-receipt. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: <mailto:ThisIsASpamTrap@gmail.com> From kenbrody at spamcop.net Mon Nov 7 09:56:46 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Mon Nov 7 10:20:09 2005 Subject: [SpamCop-List] Which comes first: SpamAssassin or Blacklist? Message-ID: <436F6B2E.B4B4F020@spamcop.net> Which filter comes first: SpamAssassin or Blacklist? I didn't have a chance to report any spam from my held mail folder this weekend, and this morning I see that almost all of the (1700+) spams there are marked as blocked due to SpamAssassin, rather than blocked by a blacklist. Is this because SpamAssassin's filters come before blacklists, or is it because hundreds of spams made it past all of my active blacklists? -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: <mailto:ThisIsASpamTrap@gmail.com> From jg at coks.net Mon Nov 7 07:58:41 2005 From: jg at coks.net (jg) Date: Mon Nov 7 11:00:02 2005 Subject: [SpamCop-List] Re: One for dave null... In-Reply-To: <dknjhq$ctk$1@news.spamcop.net> References: <dkliqf$2mq$1@news.spamcop.net> <dkluts$92m$1@news.spamcop.net> <dkmri3$skt$1@news.spamcop.net> <dknjhq$ctk$1@news.spamcop.net> Message-ID: <dkntg1$idc$1@news.spamcop.net> On 11/7/2005 5:07 AM Mike Easter scribbled: > > Typically SC finds & deobfuscates. What happens after that varies. > > One more time, if you would - how does one know one has deobfuscated if there is no resolve? Doesn't every link have to be somewhere? From spam_hjp at yahoo.com Mon Nov 7 12:10:46 2005 From: spam_hjp at yahoo.com (Jim) Date: Mon Nov 7 12:15:03 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? In-Reply-To: <436F6B2E.B4B4F020@spamcop.net> References: <436F6B2E.B4B4F020@spamcop.net> Message-ID: <dko1qs$l6r$1@news.spamcop.net> Kenneth Brody wrote: > Which filter comes first: SpamAssassin or Blacklist? > > A good question. I have also noticed almost all my spam is caught by SpamAssassin whereas before it was SCBL. Has there been a changed or has SC changed rules again before listing. From pxpearson at spamxcop.net Mon Nov 7 09:18:56 2005 From: pxpearson at spamxcop.net (Peter Pearson) Date: Mon Nov 7 12:20:03 2005 Subject: [SpamCop-List] News: Australian government fights zombies Message-ID: <dko29s$lc8$1@news.spamcop.net> The Australian Communications and Media Authority has launched a program to track down and clean up zombies: http://www.acma.gov.au/ACMAINTER.65674:STANDARD:686928489:pc=PC_100266 I wonder whether they'll let Spamcop help. -- Remove the two x's to get a good email address. From MikeE at ster.invalid Mon Nov 7 09:52:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 7 12:55:03 2005 Subject: [SpamCop-List] Re: One for dave null... References: <dkliqf$2mq$1@news.spamcop.net> <dkluts$92m$1@news.spamcop.net> <dkmri3$skt$1@news.spamcop.net> <dknjhq$ctk$1@news.spamcop.net> <dkntg1$idc$1@news.spamcop.net> Message-ID: <dko48d$mqp$1@news.spamcop.net> jg wrote: > Mike Easter scribbled: > >> >> Typically SC finds & deobfuscates. What happens after that varies. >> >> > One more time, if you would - how does one know one has deobfuscated > if there is no resolve? Deobfuscation consists of unescaping or performing other 'decodings' of an obfuscated url so that it becomes satisfactory to be submitted to a resolver. > Doesn't every link have to be somewhere? I don't know how you mean. If a link doesn't resolve to an IP, it is 'nowhere' ie doesn't exist accessibly. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Mon Nov 7 19:01:13 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Nov 7 13:05:02 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> Message-ID: <slrndmv5j9.7m9.nobody@127.0.0.1> On Mon, 07 Nov 2005 09:56:46 -0500, Kenneth Brody coughed into spamcop and left this in <436F6B2E.B4B4F020@spamcop.net>: > Which filter comes first: SpamAssassin or Blacklist? That depends on your server's setup, but most of the time it's blocklists that are hit first. If the inbound mail isn't rejected because it's coming from a blocklisted IP address, the MTA allows the remote server to send the DATA. That DATA can be passed through the SA milter and possibly rejected before the exchange is terminated, or it can be stuffed through SA by the local delivery agent. -- Steve Television -- a medium. So called because it is neither rare nor well done. -- Ernie Kovacs From remaker at cisco.com Mon Nov 7 10:04:53 2005 From: remaker at cisco.com (Phillip Remaker) Date: Mon Nov 7 13:05:10 2005 Subject: [SpamCop-List] Third Party Message-ID: <dko505$nan$1@news.spamcop.net> On my account ("remaker") spam reports have recently set " Forwarded Spam (User defined recipient) " to be checked by default. Nothing I do in preferences changes this fact. I've erased and re-added Public standard report recipients I've set and unset the 3rd party report default radio buttons By they still remian checked for every spam. I either have to manually uncheack them for each spam or remove 3rd part reporting. If it matters, my 3rd party report recipients are 419.fcd@usss.treas.gov, reportphishing@antiphishing.org, webcomplaints@ora.fda.gov,uce@ftc.gov And yes, I know uce@ftc.gov does not read spamcop reports. From MikeE at ster.invalid Mon Nov 7 12:44:17 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 7 15:45:02 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> Message-ID: <dkoeau$s16$1@news.spamcop.net> Kenneth Brody wrote: > Which filter comes first: SpamAssassin or Blacklist? I was reading in the forums the other day and the word was that SA comes first and someone thinks that is more efficient, but I don't get it. It would seem that blocklists on the header would be much more efficient than anything which required digestion of the body or DATA part of the mail. It also seems that if you did blocklists first and the spam was tagged, that you wouldn't even have to do the SA scoring. But, if you configure your server so that you are going to 'do it all' - blocklists and SA - before you are 'done', then I guess the order wouldn't help the efficiency one way or the other. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon Nov 7 16:46:10 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Nov 7 17:50:03 2005 Subject: [SpamCop-List] Re: Third Party References: <dko505$nan$1@news.spamcop.net> Message-ID: <dkolfi$fr$1@news.spamcop.net> "Phillip Remaker" <remaker@cisco.com> wrote in message news:dko505$nan$1@news.spamcop.net... > On my account ("remaker") spam reports have recently set " Forwarded Spam > (User defined recipient) " to be checked by default. > > Nothing I do in preferences changes this fact. > > I've erased and re-added Public standard report recipients > > I've set and unset the 3rd party report default radio buttons > > By they still remian checked for every spam. I either have to manually > uncheack them for each spam or remove 3rd part reporting. Pinned: Reporting defaults have changed http://forum.spamcop.net/forums/index.php?showtopic=5277 Problem with user reports, programmed user-reports default to "ON" http://forum.spamcop.net/forums/index.php?showtopic=5280 From MikeE at ster.invalid Mon Nov 7 15:47:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 7 18:50:04 2005 Subject: [SpamCop-List] Re: Third Party References: <dko505$nan$1@news.spamcop.net> <dkolfi$fr$1@news.spamcop.net> Message-ID: <dkop29$2cn$1@news.spamcop.net> WazoO wrote: > "Phillip Remaker" >> Nothing I do in preferences changes this fact. >> >> I've erased and re-added Public standard report recipients >> >> I've set and unset the 3rd party report default radio buttons >> >> By they still remian checked for every spam. I either have to >> manually uncheack them for each spam or remove 3rd part reporting. > > Pinned: Reporting defaults have changed > http://forum.spamcop.net/forums/index.php?showtopic=5277 > Problem with user reports, programmed user-reports default to "ON" > http://forum.spamcop.net/forums/index.php?showtopic=5280 The 2nd link points to the first and the first link has several different issues in it which lead to confusion. I think it would be better to not muddle this topic's confusion with the forum topic's confusion, altho' they are related. Temporarily disregarding what is being discussed in 5277 above, Phillip's problem described here is an inability to configure the checks for additional notifies, not 3rd party as the subject sez and his Preferences efforts say. For free users, the preference is limited to 3rd party notifies, which are different from additonal or user defined notifies. That is, altho' Phillip chose to name this Subject Third Party, he is actually talking about pay subscriber additional notifies or rather 'User Defined Recipient' . To isolate a Jeff G item about that, we can look at http://forum.spamcop.net/forums/index.php?showtopic=5152 -- because Jeff is perfectly clear on the difference between Third Party Reports and User Defined Recipients. <JG> I hereby suggest a User Defined Recipient Report Default section near the 3rd party report default section of the Reporting preferences AKA Report Handling Options page. </JG> -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Nov 8 00:17:45 2005 From: nobody at devnull.spamcop.net (Gaetor) Date: Mon Nov 7 19:20:03 2005 Subject: [SpamCop-List] Spam pretending to be from my own email address Message-ID: <dkoqqv$3du$1@news.spamcop.net> I have recently started to receive this ... it takes the annoyance factor to a whole new level! I know most issues, blocking, etc work on IP addresses and email addresses are considered irrelevant, but can anyone advise on whether reporting this will in some/any way backfire as my address appears as the 'from' in the header? From MikeE at ster.invalid Mon Nov 7 16:40:28 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 7 19:45:04 2005 Subject: [SpamCop-List] Re: Spam pretending to be from my own email address References: <dkoqqv$3du$1@news.spamcop.net> Message-ID: <dkos5n$41a$1@news.spamcop.net> Gaetor wrote: > can > anyone advise on whether reporting this will in some/any way backfire > as my address appears as the 'from' in the header? No backfire adverse effect of reporting. Except.... But.... And.... Spams with your address in the From are annoying and have some very minor 'side effects'. Those which go to some other people who use some very foolish and ineffective antispam rules might cause those foolish frustrated spam recipients to use their 'Blocik sender' function against their spam. Then your address becomes blocked by those recipients. If there should be or become a concurrence of such foolish blocksenders and someone you would be emailing, your mail could be blocked by them. That is so unlikely a combination of events as to not be worth talking about. No one should be using the From of spam to be making any kinds of rules or lists, because spam Froms are derived from the same kinds of places as spam To/s. The 'but' is; SC reports standard munge all kinds of occurrences of addresses in the headers. However, that standard mungeing doesn't include the From address. The SC notifies are sent to providers for source and spamvertisers. Some people concern themselves about what kind of information contained within a spam is sent to those who might be 'in cahoots' with the spammer - so they don't like to see their address going that way. SC's faq rules on material changes only describe the additional mungeing of your name in the body, not the header. It doesn't work to try to get approval for breaking a faq rule in this forum, so you are left to either submit the spam as is unmunged, break the rule and munge your address on the basis of a different part of the faq rule which defines when and how the body mungeing might [and might not] be done, eg for those providers who don't accept munged spam, or not submit the spam at all if you are concerned about the address appearing in the hands of certain providers. -- Mike Easter kibitzer, not SC admin From ben.de+SCnews at spamcop.net Mon Nov 7 16:51:25 2005 From: ben.de+SCnews at spamcop.net (Ben) Date: Mon Nov 7 19:55:02 2005 Subject: [SpamCop-List] Re: [media] political candidates online In-Reply-To: <djmlga$fn4$1@news.spamcop.net> References: <djmlga$fn4$1@news.spamcop.net> Message-ID: <dkosqd$4b2$1@news.spamcop.net> caroljean52 wrote: > From an article in yesterday's Seattle Times > http://seattletimes.nwsource.com/html/businesstechnology/2002579531_paul24.html An unsolicited email from a politician shall result in a vote for the opposition, or a write-in for none. From me at privacy.net Tue Nov 8 01:21:00 2005 From: me at privacy.net (Michael R N Dolbear) Date: Mon Nov 7 20:25:04 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> <dkoeau$s16$1@news.spamcop.net> Message-ID: <01c5e400$ac5c7300$LocalHost@default> Mike Easter <MikeE@ster.invalid> wrote [...] > It would seem that blocklists on the header would be much more efficient > than anything which required digestion of the body or DATA part of the > mail. It also seems that if you did blocklists first and the spam was > tagged, that you wouldn't even have to do the SA scoring. > > But, if you configure your server so that you are going to 'do it all' - > blocklists and SA - before you are 'done', then I guess the order > wouldn't help the efficiency one way or the other. "It all depends what you mean by efficiency" eg a blocklist lookup can be quite slow. Spamcop mail was set up to (a) always calculate the SA score and (b) set up SA so SA didn't use any blocklists itself. Thus SA uses only cpu and that can be improved by installing a faster server whereas little can be done about how fast a BL lookup responds (though local copies of some BLs have been suggested). If Spamcop mail now checks SA then checks the specified BLs until it gets a hit then this speeds up things compared with the previous "check SA last" setup. -- Mike D From MikeE at ster.invalid Mon Nov 7 17:38:01 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 7 20:40:03 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> <dkoeau$s16$1@news.spamcop.net> <01c5e400$ac5c7300$LocalHost@default> Message-ID: <dkovhl$62e$1@news.spamcop.net> Michael R N Dolbear wrote: > Mike Easter >> But, if you configure your server so that you are going to 'do it >> all' - blocklists and SA - before you are 'done', then I guess the >> order wouldn't help the efficiency one way or the other. > > "It all depends what you mean by efficiency" eg a blocklist lookup can > be quite slow. Yes, I can imagine that, but actually, it shouldn't be. In terms of what is happening, a dnsbl lookup should be extremely efficient; that is the reason that dnsbl/s became so popular. Of course, what is in theory and what is in reality are two different things. > Spamcop mail was set up to (a) always calculate the SA score and (b) > set up SA so SA didn't use any blocklists itself. Once could debate the 'purpose' or gain or 'meaning' of (a). One could also have a big debate about the 'purpose' of the SC spamfilter/tagger. One side of the debate might choose to argue that the purpose should 'simply' be the tagging of an item as meeting the definition of 'to be tagged' by the configuration of the user. If an item 'only' needed to be tagged if it met the definition and the definition was saying 'if an item is listed in the SCbl it shall be tagged' - then there would be no purpose in doing a SA score and there would be no purpose in performing some pokey slow accessing other dnsbl. The item is tagged on the basis of the scbl and the job is over. > Thus SA uses only > cpu and that can be improved by installing a faster server whereas > little can be done about how fast a BL lookup responds (though local > copies of some BLs have been suggested). That was a mighty 'quick' consideration of local caching of some bl/s. It would be my assumption that the entire dnsbl business would be hugely variable, with some results instantaneous and some results waiting for the dnsbl server to get around to answering, much less giving a result. > If Spamcop mail now checks SA then checks the specified BLs until it > gets a hit then this speeds up things compared with the previous > "check SA last" setup. I understand what you are saying about 'multitasking' efficiencies -- but if you really want efficiency, one could structure the sequence and the 'requirements' accordingly. Why does everything need a SA score? OK. Let's say that an SA score comes 'cheap' in terms of resources, altho' I rather doubt that is very true. I would imagine that a SA score is demanding of resources. It might not take very long, but it is using resources like mad while it is being processed. The fast dnsbl/s should come first. The slow dnsbl/s should be cached. The SA score can run concurrently and maybe aborted if something else is positive before it is started or completed. -- Mike Easter kibitzer, not SC admin From jeffg at spamcop.net Mon Nov 7 20:38:35 2005 From: jeffg at spamcop.net (Jeff G.) Date: Mon Nov 7 20:45:02 2005 Subject: [SpamCop-List] Re: Third Party References: <dko505$nan$1@news.spamcop.net> Message-ID: <dkovop$6bf$1@news.spamcop.net> "Phillip Remaker" <remaker@cisco.com> wrote in message news:dko505$nan$1@news.spamcop.net... > And yes, I know uce@ftc.gov does not read spamcop reports. Please make that spam@uce.gov. -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Mon Nov 7 20:41:43 2005 From: jeffg at spamcop.net (Jeff G.) Date: Mon Nov 7 20:45:10 2005 Subject: [SpamCop-List] Re: Third Party References: <dko505$nan$1@news.spamcop.net> <dkolfi$fr$1@news.spamcop.net> <dkop29$2cn$1@news.spamcop.net> Message-ID: <dkovop$6bf$2@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dkop29$2cn$1@news.spamcop.net... > To isolate a Jeff G item about that, we can look at > http://forum.spamcop.net/forums/index.php?showtopic=5152 -- because > Jeff is perfectly clear on the difference between Third Party Reports > and User Defined Recipients. > > <JG> I hereby suggest a User Defined Recipient Report Default section > near the 3rd party report default section of the Reporting preferences > AKA Report Handling Options page. </JG> Thanks, Mike. It is worth mentioning that the global User Defined Recipient Report Default changed from "Unchecked" to "Checked" with the last code implementation, that a bug fix has been submitted for it, and that lots of us are anxiously awaiting the implementation of that bug fix. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From mwnospam at comcast.net Mon Nov 7 20:52:53 2005 From: mwnospam at comcast.net (spamacyde) Date: Mon Nov 7 20:55:03 2005 Subject: [SpamCop-List] Could Spamcop Provide Phone Numbers in the Techinical Details? Message-ID: <dkp0dk$6po$1@news.spamcop.net> It would be nice if Spamcop provided phone number of the offending ISP's abuse departments in the technical details. They should first try to provide toll free numbers. Then non-toll free numbers. Then general numbers not necessarily associated with the abuse department. I know how to get these from Arin, when they are available. Spamcop would just be saving me some extra work. Thanks in advance, Spamcop. From MikeE at ster.invalid Mon Nov 7 18:08:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 7 21:10:03 2005 Subject: [SpamCop-List] Re: Could Spamcop Provide Phone Numbers in the Techinical Details? References: <dkp0dk$6po$1@news.spamcop.net> Message-ID: <dkp1bn$77u$1@news.spamcop.net> spamacyde wrote: > It would be nice if Spamcop provided phone number of the offending > ISP's abuse departments in the technical details. Why do you say that? SC id/s the source provider's IP. That IP is examined in the regional registrar's db for a contact email address. In that sequence, there are 2 target functions. To contribute the source IP to the SCbl and to notify by email some appropriate contact that there has been a SC reporter report. The business of creating an appropriate telno contact db corresponding to IPs doesn't even seem to me like a good idea. My own connectivity, email, and newsgroup provider doesn't even provide me with a useful telno to correspond. Telephone correspondence is hugely resource intensive, even if human contact isn't part of the configuration. > They should first > try to provide toll free numbers. Then non-toll free numbers. Then > general numbers not necessarily associated with the abuse department. I disagree. > I know how to get these from Arin, when they are available. Spamcop > would just be saving me some extra work. I would hope that you would use good judgment about calling telno/s that are found in the admin and tech contact listings in the RIR whois. Spamsources are most often proxified users. Spamvertisers are most often somewhere not accessible by tel. Name a specific spam example with a tracker and what telno you would call and what would be the purpose of your conversation. That way we can have a discussion about something specific, not something fuzzy. -- Mike Easter kibitzer, not SC admin From kenbrody at spamcop.net Mon Nov 7 21:50:08 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Mon Nov 7 22:05:09 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> <slrndmv5j9.7m9.nobody@127.0.0.1> Message-ID: <43701260.7CC83DE@spamcop.net> Steven Maesslein wrote: > > On Mon, 07 Nov 2005 09:56:46 -0500, Kenneth Brody coughed into spamcop > and left this in <436F6B2E.B4B4F020@spamcop.net>: > > > Which filter comes first: SpamAssassin or Blacklist? > > That depends on your server's setup, Well, "my server" is SpamCop in this case. > but most of the time it's > blocklists that are hit first. If the inbound mail isn't rejected > because it's coming from a blocklisted IP address, the MTA allows the > remote server to send the DATA. That DATA can be passed through the SA > milter and possibly rejected before the exchange is terminated, or it > can be stuffed through SA by the local delivery agent. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: <mailto:ThisIsASpamTrap@gmail.com> From remaker at suespammers.org Tue Nov 8 00:05:37 2005 From: remaker at suespammers.org (Phillip Remaker) Date: Tue Nov 8 03:10:31 2005 Subject: [SpamCop-List] Re: Third Party References: <dko505$nan$1@news.spamcop.net> <dkolfi$fr$1@news.spamcop.net> <dkop29$2cn$1@news.spamcop.net> <dkovop$6bf$2@news.spamcop.net> Message-ID: <dkpm8b$l5j$1@news.spamcop.net> > Thanks, Mike. It is worth mentioning that the global User Defined > Recipient Report Default changed from "Unchecked" to "Checked" with the > last code implementation, Ahhhh!! THAT is the problem. > that a bug fix has been submitted for it, and > that lots of us are anxiously awaiting the implementation of that bug > fix. OK, good news. Another option I would like if any development is continuing: Instead of taking me to a page that shows a "report now" link as the default, always take me to the next report in queue. AS it is my process is Log in start Click report now <wait> Click Sumbit <wait> repeat. I would like it if each time I clicked SUBMIT, to showed me a confirmation FOLLOWED BY my next report to be submitted. This would cut out one wait in my cycle. AS it is, I bracth forward 10-12 spams at a time and then step through them. I never use the paste-in method.... From nobody at nowhere.invalid Tue Nov 8 11:00:46 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Nov 8 05:06:00 2005 Subject: [SpamCop-List] Re: Spam pretending to be from my own email address References: <dkoqqv$3du$1@news.spamcop.net> Message-ID: <slrndn0tqe.42s.nobody@127.0.0.1> On Tue, 08 Nov 2005 00:17:45 +0000, Gaetor coughed into spamcop and left this in <dkoqqv$3du$1@news.spamcop.net>: > I have recently started to receive this ... it takes the annoyance > factor to a whole new level! I know most issues, blocking, etc work on > IP addresses and email addresses are considered irrelevant, but can > anyone advise on whether reporting this will in some/any way backfire as > my address appears as the 'from' in the header? It's been going on for years. In fact I'm surprised there's someone out there who has only just seen it. No sane admin takes a blind bit of notice of the "From:" address of spam. Just think that other people out there have been receiving spam with your address in the "From:" header for as long as you've been receiving spam at that address (if spammers have the address they'll use it anywhere in their spam), and nothing untoward has happened to you because of it. LART away, don't worry about it. -- Steve Don't be irreplaceable. If you can't be replaced, you can't be promoted. From nobody at nowhere.invalid Tue Nov 8 11:05:11 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Nov 8 05:10:19 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> <slrndmv5j9.7m9.nobody@127.0.0.1> <43701260.7CC83DE@spamcop.net> Message-ID: <slrndn0u2n.42s.nobody@127.0.0.1> On Mon, 07 Nov 2005 21:50:08 -0500, Kenneth Brody coughed into spamcop and left this in <43701260.7CC83DE@spamcop.net>: >> > Which filter comes first: SpamAssassin or Blacklist? >> >> That depends on your server's setup, > > Well, "my server" is SpamCop in this case. I think you'll find that it's still IP-based filtering that occurs before content filtering. I say that because I sometimes see identical spams in my "Held Mail" folder, one of which was diverted because it came from a spammy IP, and the other because of a high SA score. If SA was invoked first then both spams would be blocked because of a high SA score and the IP-based tests wouldn't occur. It also makes sense to do the IP-based parsing first because it's bound to be less resource-hungry than SA. -- Steve "Politics is supposed to be the second oldest profession. I have come to realize that it bears a very close resemblance to the first." From spam_hjp at yahoo.com Tue Nov 8 05:36:24 2005 From: spam_hjp at yahoo.com (Jim) Date: Tue Nov 8 05:40:13 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? In-Reply-To: <43701260.7CC83DE@spamcop.net> References: <436F6B2E.B4B4F020@spamcop.net> <slrndmv5j9.7m9.nobody@127.0.0.1> <43701260.7CC83DE@spamcop.net> Message-ID: <dkpv3e$pfj$1@news.spamcop.net> > >> >>> Which filter comes first: SpamAssassin or Blacklist? >> That depends on your server's setup, > > Well, "my server" is SpamCop in this case. > Same here for server. I am a paid subscriber and I fetch my held Spam and it appears to be a switch between SA and SC on how the Spam is tagged. > From bar_n0ne at hotmail.com Tue Nov 8 14:46:48 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue Nov 8 05:50:02 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> <slrndmv5j9.7m9.nobody@127.0.0.1> <43701260.7CC83DE@spamcop.net> <dkpv3e$pfj$1@news.spamcop.net> Message-ID: <dkpvms$prf$1@news.spamcop.net> "Jim" <spam_hjp@yahoo.com> wrote in message news:dkpv3e$pfj$1@news.spamcop.net... > > > > >> > >>> Which filter comes first: SpamAssassin or Blacklist? > >> That depends on your server's setup, > > > > Well, "my server" is SpamCop in this case. > > > Same here for server. I am a paid subscriber and I fetch my held Spam and it appears to be a > switch between SA and SC on how the Spam is tagged. > > Shouldn't this be asked in .mail? or the appropriate forum for mail users? Mostly what you will find here is speculation by non SC mail-account holders. This is also off topic here. f'ups to .mail From anthony.edwards at uk.easynet.net Tue Nov 8 13:27:41 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Tue Nov 8 08:30:10 2005 Subject: [SpamCop-List] Re: Could Spamcop Provide Phone Numbers in the Techinical Details? References: <dkp0dk$6po$1@news.spamcop.net> Message-ID: <dkq94c$dn$1@news.spamcop.net> On Mon, 7 Nov 2005 20:52:53 -0500, spamacyde <mwnospam@comcast.net> wrote: > It would be nice if Spamcop provided phone number of the offending ISP's > abuse departments in the technical details. They should first try to > provide toll free numbers. Then non-toll free numbers. Then general > numbers not necessarily associated with the abuse department. You would generally find that even white hat ISPs would simply request, in the event that you did make contact by telephone with a member of the abuse team in respect of an Unsolicited Bulk Email related issue, that you put your complaint in writing by email to the abuse mailbox. That would certainly be the response in the event that you called here. -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From mwnospam at comcast.net Tue Nov 8 09:48:13 2005 From: mwnospam at comcast.net (spamacyde) Date: Tue Nov 8 09:50:10 2005 Subject: [SpamCop-List] Spam from Spamcop? Message-ID: <dkqdrb$2vr$1@news.spamcop.net> The ISP that this spam was reported to seems to be Spamcop. Please explain: http://www.spamcop.net/sc?id=z824494507zd419170266e274df02dcf91a34d68c57z From nobody at devnull.spamcop.net Tue Nov 8 09:55:08 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Tue Nov 8 09:55:02 2005 Subject: [SpamCop-List] Re: Spam from Spamcop? References: <dkqdrb$2vr$1@news.spamcop.net> Message-ID: <dkqe7r$39m$1@news.spamcop.net> "spamacyde" wrote in message > The ISP that this spam was reported to seems to be Spamcop. Please explain: > > http://www.spamcop.net/sc?id=z824494507zd419170266e274df02dcf91a34d68c57z > > The addy spamcop/at/adelphia.net happens to be the working name for their abuse desk. Notifies to abuse/at/adelphia.net are redirected there anyway, so it saves a step to notify the "working" abuse desk directly. -glenn From nobody at spamcop.net Tue Nov 8 11:27:52 2005 From: nobody at spamcop.net (Ellen) Date: Tue Nov 8 12:15:03 2005 Subject: [SpamCop-List] Re: Spam from Spamcop? References: <dkqdrb$2vr$1@news.spamcop.net> Message-ID: <dkqm62$9bl$1@news.spamcop.net> "spamacyde" <mwnospam@comcast.net> wrote in message news:dkqdrb$2vr$1@news.spamcop.net... > The ISP that this spam was reported to seems to be Spamcop. Please explain: > > http://www.spamcop.net/sc?id=z824494507zd419170266e274df02dcf91a34d68c57z > > They asked that the reports we send them be sent to the special address: spamcop@adelphia.net so we made a change in the system to do that. There are other ISPs who have made similar requests. Ellen SpamCop From nicholasjhiggins at btinternet.com Tue Nov 8 18:42:12 2005 From: nicholasjhiggins at btinternet.com (Nicholas Higgins) Date: Tue Nov 8 13:40:03 2005 Subject: [SpamCop-List] Spoofed email address Message-ID: <dkqran$em8$1@news.spamcop.net> Hi I might sound really 'thick' but I have no idea how the spam reporting works so please excuse my ignorance! My domain host has advised me that it looks as though my domain name has been spoofed as I am receiving emails from 'me' to 'me' - i.e. someone is using an email address that doesn't actually exist in my business, but email is appearing in my inbox that is marketing spam from another company although it looks like it's from me sent to me. (Hope that makes sense!). Anyhow, I have received mail twice with two different email addresses, both of which I've reported to spamcop, but I'm wondering what happens next? I'm also really concerned that my domain is being abused in this way and wonder whether this person or organisation is able to send others email that look like they're coming from me? What if, in future, I want to create an email address that does actually contain the addresses they're using e.g. a support@ or admin@ address - will their abuse affect me being able to do this. Sorry if I seem a bit 'green' - it's because I am - I'm a business owner with a website, not an internet specialist! Any help much appreciated Heidi Sinclair From baloo at ursine.ca Tue Nov 8 11:35:28 2005 From: baloo at ursine.ca (baloo@ursine.ca) Date: Tue Nov 8 15:10:03 2005 Subject: [SpamCop-List] Re: Spoofed email address References: <dkqran$em8$1@news.spamcop.net> Message-ID: <09b743-plh.ln1@ursine.ca> Nicholas Higgins <nicholasjhiggins@btinternet.com> wrote: > My domain host has advised me that it looks as though my domain name has > been spoofed as I am receiving emails from 'me' to 'me' - i.e. someone is > using an email address that doesn't actually exist in my business, but email > is appearing in my inbox that is marketing spam from another company > although it looks like it's from me sent to me. (Hope that makes sense!). Yup, email has minimal protection against From: header forgery. About the only thing on the block for this right now is SPF. More information about how to implement this for your domain is at http://spf.pobox.com/ > Anyhow, I have received mail twice with two different email addresses, both > of which I've reported to spamcop, but I'm wondering what happens next? I'm > also really concerned that my domain is being abused in this way and wonder > whether this person or organisation is able to send others email that look > like they're coming from me? Yes. Legal and ethical considerations aside, anybody can claim to be anybody else in email fairly trivially. > What if, in future, I want to create an email address that does > actually contain the addresses they're using e.g. a support@ or > admin@ address - will their abuse affect me being able to do > this. No. From MikeE at ster.invalid Tue Nov 8 12:10:51 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 8 15:15:03 2005 Subject: [SpamCop-List] Re: Spoofed email address References: <dkqran$em8$1@news.spamcop.net> Message-ID: <dkr0o6$jsh$1@news.spamcop.net> Putting a near bottomline up at the top. Nicholas Higgins [or Heidi Sinclair] wrote: > What if, in future, I want to create an email address > that does actually contain the addresses they're using e.g. a > support@ or admin@ address - will their abuse affect me being able to > do this. No. Nicholas Higgins wrote: > I might sound really 'thick' but I have no idea how the spam > reporting works so please excuse my ignorance! How spam works is also how email works. > My domain host has advised me that it looks as though my domain name > has been spoofed as I am receiving emails from 'me' to 'me' - i.e. > someone is using an email address that doesn't actually exist in my > business, but email is appearing in my inbox that is marketing spam > from another company although it looks like it's from me sent to me. When 'we' look at spam, we don't pay [much or any] attention to the From line. There are many elements which are typically forged in spam, the >From is #1. > (Hope that makes sense!). Anyhow, I have received mail twice with two > different email addresses, both of which I've reported to spamcop, > but I'm wondering what happens next? SpamCop SC is a parsing and reporting service. It is designed to determine the source of a mail [not the From] and count that source toward the SCbl SC blocklist and notify the provider for that spamsource -- where the 'provider' is the regional internet registrar listed contact for the netblock of the IP address of the source.. In addition, SC also sometimes notifies the provider for the IP address of a spamvertised website. IP address vs email address vs persona or handle Your posting IP address: 86.141.148.131 Your posting From address: nicholasjhiggins@btinternet.com Your posting 'sig' at the bottom: Heidi Sinclair What happens next is greatly influenced by what those providers choose to do. Whatever the providers may choose to do, spamsources as IP addresses get listed in the SCbl and people and servers use the scbl to tag, 'block', or even reject spam as part of a spam defense strategy. > I'm also really concerned that > my domain is being abused in this way and wonder whether this person > or organisation is able to send others email that look like they're > coming from me? Anyone can send a mail with whatever they like in the From. > What if, in future, I want to create an email address > that does actually contain the addresses they're using e.g. a > support@ or admin@ address - will their abuse affect me being able to > do this. No. > Sorry if I seem a bit 'green' - it's because I am - I'm a > business owner with a website, not an internet specialist! > > Any help much appreciated > Heidi Sinclair -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Nov 8 20:05:03 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue Nov 8 20:05:29 2005 Subject: [SpamCop-List] Re: Spoofed email address References: <dkqran$em8$1@news.spamcop.net> Message-ID: <dkrhum$tmv$1@news.spamcop.net> "Nicholas Higgins" <nicholasjhiggins@btinternet.com> wrote in message news:dkqran$em8$1@news.spamcop.net... > Hi > > I might sound really 'thick' but I have no idea how the spam reporting works > so please excuse my ignorance! Don't worry about sounding thick - just don't feel insulted if others agree with you. These people will help you to understand. spam reporting has to do with IP addresses, not email addresses. Spammers use forged email addresses in the 'from' and the return path all the time. Nobody pays any attention to the from or return path who deals with spam on a professional basis. It happens all the time. Usually, it quits after a couple of days when the spammer starts using some other forgery. Miss Betsy An almost new internet user From nobody at devnull.spamcop.net Tue Nov 8 20:06:21 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Tue Nov 8 20:10:02 2005 Subject: [SpamCop-List] Re: Spam pretending to be from my own email address References: <dkoqqv$3du$1@news.spamcop.net> Message-ID: <dkri14$tq2$1@news.spamcop.net> "Gaetor" <nobody@devnull.spamcop.net> wrote in message news:dkoqqv$3du$1@news.spamcop.net... > I have recently started to receive this ... it takes the annoyance > factor to a whole new level! I know most issues, blocking, etc work on > IP addresses and email addresses are considered irrelevant, but can > anyone advise on whether reporting this will in some/any way backfire as > my address appears as the 'from' in the header? Nobody pays any attention to the 'from'. Miss Betsy an almost new internet user From noemail at here.org Tue Nov 8 21:07:36 2005 From: noemail at here.org (travis) Date: Tue Nov 8 22:10:03 2005 Subject: [SpamCop-List] Re: Feature Request: Unreported Spam Saved References: <dkik3e$hit$1@news.spamcop.net> <dklfin$ttn$1@news.spamcop.net> Message-ID: <dkrp5t$1ld$1@news.spamcop.net> "geo_splash_12" <nospam@nospam.nl> wrote in message news:dklfin$ttn$1@news.spamcop.net... > travis wrote: >> On the main page, where it says "Unreported Spam Saved: Report Now", it >> REALLY needs to have a feature that shows HOW MANY unreported spam are >> actually saved. >> >> PLEASE add that :( > > You don't need this option, because, if you would check past reports you > get to see the ones that are not yet reported. > > Ejo that does help, i wasn't aware that was there... thanks! From nobody at devnull.spamcop.net Wed Nov 9 14:56:35 2005 From: nobody at devnull.spamcop.net (Patto) Date: Wed Nov 9 01:00:19 2005 Subject: [SpamCop-List] Re: ReportPhish.org ? In-Reply-To: <div9dl$rcs$1@news.spamcop.net> References: <div9dl$rcs$1@news.spamcop.net> Message-ID: <dks32i$6hi$2@news.spamcop.net> Patto wrote: > I have been reporting all phishes to the address specified at > http://www.reportphish.org/ for a few weeks now. But I have started > wondering if this is really worth the effort. They do not say anything > on their website _what_ they are actually doing with these reports. > > Does anybody here know something more about ReportPhish.org than the > little information that can be found on their website? An update: the report email address at ReportPhish.org now bounces. From MikeE at ster.invalid Tue Nov 8 22:46:53 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 9 01:50:04 2005 Subject: [SpamCop-List] Re: ReportPhish.org ? References: <div9dl$rcs$1@news.spamcop.net> <dks32i$6hi$2@news.spamcop.net> Message-ID: <dks60m$8f1$1@news.spamcop.net> Patto wrote: > An update: the report email address at ReportPhish.org now bounces. Marjolein's [remember Marjolein?] pick http://banspam.javawoman.com/index.html was antiphishing http://www.antiphishing.org/ Look it over and see what you think. They have a database at the site, an email reporting addy reportphishing@antiphishing.org and quite a bit of resources. I've never heard of reportphish. I've heard of antiphishing. -- Mike Easter kibitzer, not SC admin From philip at pch.home.cs.vu.nl Wed Nov 9 10:40:42 2005 From: philip at pch.home.cs.vu.nl (Philip Homburg) Date: Wed Nov 9 05:01:06 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> <dkoeau$s16$1@news.spamcop.net> <01c5e400$ac5c7300$LocalHost@default> <dkovhl$62e$1@news.spamcop.net> Message-ID: <25knfkplj32c54tkek4kacu143@inews_id.stereo.hq.phicoh.net> In article <dkovhl$62e$1@news.spamcop.net>, Mike Easter <MikeE@ster.invalid> wrote: >> If Spamcop mail now checks SA then checks the specified BLs until it >> gets a hit then this speeds up things compared with the previous >> "check SA last" setup. > >I understand what you are saying about 'multitasking' efficiencies -- >but if you really want efficiency, one could structure the sequence and >the 'requirements' accordingly. Why does everything need a SA score? >OK. Let's say that an SA score comes 'cheap' in terms of resources, >altho' I rather doubt that is very true. I would imagine that a SA >score is demanding of resources. It might not take very long, but it is >using resources like mad while it is being processed. An important aspect is the percentage of spam that is blocked only by SA. If that percentage grows above 50, you don't gain all that much by moving SA to the end. To get predictable performance, a large site needs local copies of all DNSBLs that are used. For SA the performance is always predictable. I don't know how effective the CBL is compared to SA, but after filtering using the CBL, all other commonly used DNSBLs seem quite ineffective compared to SA (as tuned by my ISP). -- That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make. -- Douglas Adams in Dirk Gently's Holistic Detective Agency From MikeE at ster.invalid Wed Nov 9 05:39:10 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 9 08:40:05 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> <dkoeau$s16$1@news.spamcop.net> <01c5e400$ac5c7300$LocalHost@default> <dkovhl$62e$1@news.spamcop.net> <25knfkplj32c54tkek4kacu143@inews_id.stereo.hq.phicoh.net> Message-ID: <dksu5q$ksm$1@news.spamcop.net> Philip Homburg wrote: > An important aspect is the percentage of spam that is blocked only by > SA. > If that percentage grows above 50, you don't gain all that much by > moving > SA to the end. To get predictable performance, a large site needs > local copies of all DNSBLs that are used. For SA the performance is > always predictable. When I watch dnsstuff's dnsbl lookup gizmo 'zoom' thru' 263 dnsbl/s and display tiny numbers of ms to get the result from each of them, it causes me to think that the dnsbl/s are generally instantaneous. Also, whenever I use a dnsbl directly I always get instantaneous results. Also, dnsstuff doesn't usually cache the dnsbl/s. When it does, it just records '0' beside the time spot, so you can tell what is fast and what is cached. Of course, if you ask it again right after you've asked it for the same IP, everything is cached. > I don't know how effective the CBL is compared to SA, but after > filtering using the CBL, all other commonly used DNSBLs seem quite > ineffective compared to SA (as tuned by my ISP). CBL lists a lot of my spams' IPs, but I use spamhaus sbl-xbl, which embraces cbl + blitzed + njabl + sbl, so I take care of cbl with that and thus it doesn't show up in my spamfilter logs anymore. I'm just arguing that for my own spam, quite a lot of it is caught by the dnsbl/s, and I certainly don't use 263 of them. And that the dnsbl/s are very very fast. My own spamfilter's 'equivalency' to SA is a regex body filter plugin, and that filter seems so 'complex' in comparison to the simplicity of using the IPs in the header. That is, to me it seems simpler to use the IP/s in the header against a dnsbl db than to use a 'morass' of regex 'stuff' on a big pile of spambody data. I would say that significantly more than 50% of my spam is caught by other than the regex body filter, but then I'm using a lot of country filtration which someone else might not be able to do. -- Mike Easter kibitzer, not SC admin From redford_stone at INVERSE_OF_COLDmail.com Wed Nov 9 13:48:43 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Nov 9 08:50:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> Message-ID: <Xns97093B2348704tinlc@216.154.195.61> "Robert Blair" <nobody@nowhere.not> wrote in news:TECQXhvKj0FX-pn2- 41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com: > > I don't know who found it first or why but I doubt it was a "normal" > user. This copy protection scheme had a rootkit that hid all of its > files from any of the standard anti-virus/trojan/ads programs. There > are now people telling others to go buy the Sony CDs and use the > rootkit, I would imagine that the virus/trojan/ads writers have also > started to do the same thing. > > I wouldn't doubt that the virus writers are out there now looking into this with interest. Sony did them a favor by installing the very files they need to do their damage. Meaning all they need to do is to make a virus with a smaller payload. From redford_stone at INVERSE_OF_COLDmail.com Wed Nov 9 13:50:38 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Wed Nov 9 08:55:02 2005 Subject: [SpamCop-List] Re: Wow...that was FAST! References: <dkg6fr$1md$1@news.spamcop.net> <Xns97051D6D81B53tinlc@216.154.195.61> <dki90m$rb7$2@news.spamcop.net> Message-ID: <Xns97093B76B9D21tinlc@216.154.195.61> Borgholio <borgholio@storymind.com> wrote in news:dki90m$rb7$2 @news.spamcop.net: > > > Yeah but the fact that it's a Russian sysadmin is what amazes me. :) Good point. It is already impossible trying to get their attention regarding zombies on their networks. From bar_n0ne at hotmail.com Wed Nov 9 18:53:10 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Nov 9 09:55:07 2005 Subject: [SpamCop-List] sheesh, Tripod is even more parse resistant than geocities Message-ID: <dkt2gn$na9$1@news.spamcop.net> Arghh, I really wanna inconvenience Lycos exploiting spammers, and get them on the SURBL. From kenbrody at spamcop.net Wed Nov 9 10:26:01 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Nov 9 10:30:03 2005 Subject: [SpamCop-List] Highest SpamAssassin scores Message-ID: <43721509.34638D2B@spamcop.net> I just posted to .spam a spam with a SpamAssassin score of 53.4 (though "held mail" shows the score as "50"). X-Spam-Status: hits=53.4 tests=DATE_IN_FUTURE_96_XX,DATE_SPAMWARE_Y2K, ... X-SpamCop-Disposition: Blocked SpamAssassin=50 See subject "SpamAssassin score of 53.4" for full text. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: <mailto:ThisIsASpamTrap@gmail.com> From MikeE at ster.invalid Wed Nov 9 08:03:47 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 9 11:05:03 2005 Subject: [SpamCop-List] Re: Highest SpamAssassin scores References: <43721509.34638D2B@spamcop.net> Message-ID: <dkt6ku$u2a$1@news.spamcop.net> Kenneth Brody wrote: > I just posted to .spam a spam with a SpamAssassin score of 53.4 > (though "held mail" shows the score as "50"). I'm not clear on how that works. What you posted in .spam is b64 encoded and the encoding contains links. Something is b64 decoding so that SA can see what is inside. I didn't know it worked like that. -- Mike Easter kibitzer, not SC admin From philip at pch.home.cs.vu.nl Wed Nov 9 17:55:51 2005 From: philip at pch.home.cs.vu.nl (Philip Homburg) Date: Wed Nov 9 12:00:03 2005 Subject: [SpamCop-List] Re: Which comes first: SpamAssassin or Blacklist? References: <436F6B2E.B4B4F020@spamcop.net> <dkovhl$62e$1@news.spamcop.net> <25knfkplj32c54tkek4kacu143@inews_id.stereo.hq.phicoh.net> <dksu5q$ksm$1@news.spamcop.net> Message-ID: <pem62cc1q2t6u33b6uspfpca57@inews_id.stereo.hq.phicoh.net> In article <dksu5q$ksm$1@news.spamcop.net>, Mike Easter <MikeE@ster.invalid> wrote: >When I watch dnsstuff's dnsbl lookup gizmo 'zoom' thru' 263 dnsbl/s and >display tiny numbers of ms to get the result from each of them, it >causes me to think that the dnsbl/s are generally instantaneous. Also, >whenever I use a dnsbl directly I always get instantaneous results. Strange. When I use a script the queries about a dozen RBLs, it does not finish in under 1 second. >CBL lists a lot of my spams' IPs, but I use spamhaus sbl-xbl, which >embraces cbl + blitzed + njabl + sbl, so I take care of cbl with that >and thus it doesn't show up in my spamfilter logs anymore. I think that CBL is the most effective part of SBL-XBL, so I call it CBL. -- That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make. -- Douglas Adams in Dirk Gently's Holistic Detective Agency From nobody at devnull.spamcop.net Wed Nov 9 12:32:32 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Wed Nov 9 12:35:03 2005 Subject: [SpamCop-List] Re: ReportPhish.org ? References: <div9dl$rcs$1@news.spamcop.net> <dks32i$6hi$2@news.spamcop.net> Message-ID: <dktbrg$26i$1@news.spamcop.net> "Patto" wrote in message > > I have been reporting all phishes to the address specified at > > http://www.reportphish.org/ for a few weeks now. But I have started > > wondering if this is really worth the effort. They do not say anything > > on their website _what_ they are actually doing with these reports. > > > > Does anybody here know something more about ReportPhish.org than the > > little information that can be found on their website? > > An update: the report email address at ReportPhish.org now bounces. Fantastic! Pursuing your allegation that Report/at/ReportPhish.org was bouncing, I sent them a link to a "secure" phishing site that I was previously unable to impact using numerous other phish reporting resources. Within hours they have had the site rendered "404 compliant". I have, thanks to your post, a valued "new" resource in my phish reporting stable. Excellent! Thanks much for the tip, -glenn From nobody at nowhere.not Wed Nov 9 23:09:58 2005 From: nobody at nowhere.not (Robert Blair) Date: Wed Nov 9 18:10:02 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> Message-ID: <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> On Wed, 9 Nov 2005 13:48:43 UTC, Redstone <redford_stone@INVERSE_OF_COLDmail.com> wrote: > > I don't know who found it first or why but I doubt it was a "normal" > > user. This copy protection scheme had a rootkit that hid all of its > > files from any of the standard anti-virus/trojan/ads programs. There > > are now people telling others to go buy the Sony CDs and use the > > rootkit, I would imagine that the virus/trojan/ads writers have also > > started to do the same thing. > > I wouldn't doubt that the virus writers are out there now looking into > this with interest. Sony did them a favor by installing the very files > they need to do their damage. Meaning all they need to do is to make a > virus with a smaller payload. If you want to see what Sony is putting people through to uninstall this rootkit see. http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-wa nt-to_09.html -- Robert Blair From nobody at devnull.spamcop.net Wed Nov 9 17:23:19 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Nov 9 18:25:06 2005 Subject: [SpamCop-List] SpamCop Forum is down Message-ID: <dku0d7$d4g$1@news.spamcop.net> It actually went down for a bit early this morning with some SQL errors showing ... then I couldn't even talk to the server. JT was notified, but said that it'd be a couple of hours before he could get anything done. Strangely, something happened and it was back on-line about 15 minutes later ...??? I got caught up, did some grocery shopping .. came back, caught up again, got around to making some coffee, poured a cup, and promptly fell asleep ... Jeff G. called to advise that there were some sever issues with the Forum .. killed off that 'exciting' game I'd fallen asleep playing, logged onto the Forum and found that the 'user' experience wasn't near as bad as the Admin issues. Anyway, I had stated that I had been becoming suspicious of a drive problem, looking at some system message log files, I'm convinced of that now ... kicked an e-mail to JT ... last thing seen on the forum server was; Broadcast message from root (console) (Wed Nov 9 17:26:10 2005): The system is going down for reboot NOW! and it has yet to come back up .. I still can't login in directly either ... so have to make an assumption that either an fsck is in operation at present or even that a hard drive replacement is under way (no response from JT yet) Just posting what I know, guessing at some other things, best I can do for now from here .... From nobody at devnull.spamcop.net Wed Nov 9 17:53:42 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Nov 9 18:55:08 2005 Subject: [SpamCop-List] Re: SpamCop Forum is down References: <dku0d7$d4g$1@news.spamcop.net> Message-ID: <dku266$e4d$1@news.spamcop.net> "WazoO" <nobody@devnull.spamcop.net> wrote in message news:dku0d7$d4g$1@news.spamcop.net... > > suspicious of a drive problem, looking at some system > message log files, I'm convinced of that now ... kicked > an e-mail to JT ... last thing seen on the forum server was; > > Broadcast message from root (console) (Wed Nov 9 17:26:10 2005): > The system is going down for reboot NOW! > > and it has yet to come back up .. I still can't login in directly > either ... so have to make an assumption that either an > fsck is in operation at present or even that a hard drive > replacement is under way (no response from JT yet) > Just posting what I know, guessing at some other things, > best I can do for now from here .... JT is on-site ... gave me a guess, I'll stretch it a bit and say that estimated time of repair/return is suggested around 1830 -6 GMT .... From anthony.edwards at uk.easynet.net Thu Nov 10 00:40:31 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Wed Nov 9 19:45:05 2005 Subject: [SpamCop-List] Re: Highest SpamAssassin scores References: <43721509.34638D2B@spamcop.net> <dkt6ku$u2a$1@news.spamcop.net> Message-ID: <dku4tv$fcn$1@news.spamcop.net> On Wed, 9 Nov 2005 08:03:47 -0800, Mike Easter <MikeE@ster.invalid> wrote: > I'm not clear on how that works. What you posted in .spam is b64 > encoded and the encoding contains links. > > Something is b64 decoding so that SA can see what is inside. I didn't > know it worked like that. SpamAssasin has been able to decode Base64 encoded messages/mail parts since at least 2002, and possibly before that. In recent versions, Perl module MIME::Base64 is used. -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From nobody at devnull.spamcop.net Wed Nov 9 19:35:15 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Nov 9 20:40:20 2005 Subject: [SpamCop-List] Forum is up Was: Re: SpamCop Forum is down References: <dku0d7$d4g$1@news.spamcop.net> Message-ID: <dku84j$heg$1@news.spamcop.net> "WazoO" <nobody@devnull.spamcop.net> wrote in message news:dku0d7$d4g$1@news.spamcop.net... > > Broadcast message from root (console) (Wed Nov 9 17:26:10 2005): > The system is going down for reboot NOW! > > and it has yet to come back up .. I still can't login in directly > either ... so have to make an assumption that either an > fsck is in operation at present or even that a hard drive > replacement is under way (no response from JT yet) > Just posting what I know, guessing at some other things, > best I can do for now from here .... Other than a bit of cryptic "working on it" message ... problem has been resolved. From MikeE at ster.invalid Wed Nov 9 18:19:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 9 21:20:02 2005 Subject: [SpamCop-List] Re: Highest SpamAssassin scores References: <43721509.34638D2B@spamcop.net> <dkt6ku$u2a$1@news.spamcop.net> <dku4tv$fcn$1@news.spamcop.net> Message-ID: <dkuamt$ite$1@news.spamcop.net> Anthony Edwards wrote: > Mike Easter >> Something is b64 decoding so that SA can see what is inside. I >> didn't know it worked like that. > > SpamAssasin has been able to decode Base64 encoded messages/mail parts > since at least 2002, and possibly before that. In recent versions, > Perl module MIME::Base64 is used. I couldn't find it introduced in the history of the versions at the apache site [which covers versions pre-apache, even providing links to filter.plx] -- but from reading newsgroup messages where someone was crafting their own SA b64 decoder in Feb 2002 and the module being in place in May 2002, it must have been introduced between those - somewhere in the versions from 2.1 to 2.3. The apache site calls those 'ancient' releases. Pre-apache is 2.4 - 2.64 and apache starts with 3. There's some quaint info in those history pages, ie the prehistory http://spamassassin.apache.org/prehistory/ SpamAssassin Prehistory: filter.plx -- Mike Easter kibitzer, not SC admin From porpoise1954 at yahoo.co.uk Thu Nov 10 02:29:51 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Nov 9 21:35:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> Message-ID: <dkubbp$j70$1@news.spamcop.net> "Robert Blair" <nobody@nowhere.not> wrote in message news:TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com... > > > If you want to see what Sony is putting people through to uninstall > this rootkit see. > > http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-wa > nt-to_09.html Yeah right! If they think I'm going to throw away my CD collection just because I move to another country, they're F*^%ING STUPID!! From jg at coks.net Wed Nov 9 20:09:27 2005 From: jg at coks.net (jg) Date: Wed Nov 9 23:10:05 2005 Subject: [SpamCop-List] Re: Highest SpamAssassin scores In-Reply-To: <dkuamt$ite$1@news.spamcop.net> References: <43721509.34638D2B@spamcop.net> <dkt6ku$u2a$1@news.spamcop.net> <dku4tv$fcn$1@news.spamcop.net> <dkuamt$ite$1@news.spamcop.net> Message-ID: <dkuh26$m36$1@news.spamcop.net> On 11/9/2005 6:19 PM Mike Easter scribbled: > Anthony Edwards wrote: > >>Mike Easter > > >>>Something is b64 decoding so that SA can see what is inside. I >>>didn't know it worked like that. >> >>SpamAssasin has been able to decode Base64 encoded messages/mail parts >>since at least 2002, and possibly before that. In recent versions, >>Perl module MIME::Base64 is used. > > > I couldn't find it introduced in the history of the versions at the > apache site [which covers versions pre-apache, even providing links to > filter.plx] -- but from reading newsgroup messages where someone was > crafting their own SA b64 decoder in Feb 2002 and the module being in > place in May 2002, it must have been introduced between those - > somewhere in the versions from 2.1 to 2.3. The apache site calls those > 'ancient' releases. Pre-apache is 2.4 - 2.64 and apache starts with 3. > > There's some quaint info in those history pages, ie the prehistory > http://spamassassin.apache.org/prehistory/ SpamAssassin Prehistory: > filter.plx > Thanks, Mike, for leading me to this quote from: http://web.archive.org/web/19981212012604/antispam.shmooze.net/: "Mandate: To make our lives easier, to rid our respective subnets of abusive idiots, and to form a cohesive, albeit ad-hoc response to net.spam. To discuss methods/options, whether far-flung, excessive, or pragmatic of dealing with noise. Policies: The list is open to public posting, but all members have carte-blanche to react with extreme prejudice to anyone else attempting to post kife to it. Any member can subscribe others to this list. The idea is to have this movement propegate via the grapevine. Rules: &ltheh, heh> We make `em up as we go along. The only stipulation is whatever you/we do, try not to wing any bystanders. So far the members of this list have kept their actions on an even keel, and the response from subnets/domains/hosts with we've been in contact has been favourable. We've had some innovative ideas come through here so far. Everyone is invited to contribute in any way they can. We're all busy people, let's just hope for a future where we waste less time on dealing with other people's junk." The good old days... From jg at coks.net Wed Nov 9 20:11:46 2005 From: jg at coks.net (jg) Date: Wed Nov 9 23:10:17 2005 Subject: [SpamCop-List] Re: Highest SpamAssassin scores In-Reply-To: <dkuh26$m36$1@news.spamcop.net> References: <43721509.34638D2B@spamcop.net> <dkt6ku$u2a$1@news.spamcop.net> <dku4tv$fcn$1@news.spamcop.net> <dkuamt$ite$1@news.spamcop.net> <dkuh26$m36$1@news.spamcop.net> Message-ID: <dkuh6h$m49$1@news.spamcop.net> On 11/9/2005 8:09 PM jg scribbled:>> > > Thanks, Mike, for leading me to this quote from: > http://web.archive.org/web/19981212012604/antispam.shmooze.net/: > and this one - http://web.archive.org/web/19981202203121/antispam.shmooze.net/spamdrive/ From jg at coks.net Wed Nov 9 21:37:46 2005 From: jg at coks.net (jg) Date: Thu Nov 10 00:40:02 2005 Subject: [SpamCop-List] Re: ReportPhish.org ? In-Reply-To: <dktbrg$26i$1@news.spamcop.net> References: <div9dl$rcs$1@news.spamcop.net> <dks32i$6hi$2@news.spamcop.net> <dktbrg$26i$1@news.spamcop.net> Message-ID: <dkum7p$on6$1@news.spamcop.net> On 11/9/2005 9:32 AM Glenn Daniels scribbled: > "Patto" wrote in message > >>An update: the report email address at ReportPhish.org now bounces. > > > Fantastic! Pursuing your allegation that Report/at/ReportPhish.org > was bouncing, I sent them a link to a "secure" phishing site that > I was previously unable to impact using numerous other > phish reporting resources. Within hours they have had the site > rendered "404 compliant". > > I have, thanks to your post, a valued "new" resource in my > phish reporting stable. Excellent! > > Thanks much for the tip, > -glenn > > Errr...Pursuing the allegations of bouncing, you sent them a link? Could/would you elaborate on the methodology here? From jg at coks.net Wed Nov 9 22:01:58 2005 From: jg at coks.net (jg) Date: Thu Nov 10 01:05:02 2005 Subject: [SpamCop-List] In stereo... Message-ID: <dkunl5$pc3$1@news.spamcop.net> Same payloads, same time: http://www.spamcop.net/sc?id=z825126722zc1460f4b313ecc60bf406c796c1f8e06z http://www.spamcop.net/sc?id=z825127031z171c51084e50857b83455514e2f65469z This more or less the norm, or is there some thing/where else to report? From jg at coks.net Wed Nov 9 22:04:52 2005 From: jg at coks.net (jg) Date: Thu Nov 10 01:05:12 2005 Subject: [SpamCop-List] Re: In stereo... In-Reply-To: <dkunl5$pc3$1@news.spamcop.net> References: <dkunl5$pc3$1@news.spamcop.net> Message-ID: <dkunqj$pc3$2@news.spamcop.net> On 11/9/2005 10:01 PM jg scribbled: > Same payloads, same time: > > http://www.spamcop.net/sc?id=z825126722zc1460f4b313ecc60bf406c796c1f8e06z > http://www.spamcop.net/sc?id=z825127031z171c51084e50857b83455514e2f65469z > > This more or less the norm, or is there some thing/where else to report? BTW, bulanov, trud, and fedoruk must be busy guys lately... From bar_n0ne at hotmail.com Thu Nov 10 14:01:27 2005 From: bar_n0ne at hotmail.com (Berny) Date: Thu Nov 10 05:06:10 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> Message-ID: <dkv5pr$pq$1@news.spamcop.net> "David Dean" <ozchzhq02@sneakemail.com> wrote in message news:ozchzhq02-A8BF38.18491509112005@frylock.local... > In article <dkubbp$j70$1@news.spamcop.net>, > "Porpoise" <porpoise1954@yahoo.co.uk> wrote: > > > Yeah right! If they think I'm going to throw away my CD collection just > > because I move to another country, they're F*^%ING STUPID!! > > You mean like DVD region codes? > > -- > -David > > Nihil curo de ista tua stulta superstitione. It's because of crap like that region code (burns me, because I move between the americas, europe and asia a lot) that I fully support piracy these days these assholes want you to be renting when you thought you bought. They'd really prefer (and have tried) that libraries pay and charge royalties. and that you not lend books or other media, and if they could they'd charge you if you have guests over to watch tv. From nobody at nowhere.invalid Thu Nov 10 11:03:00 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Nov 10 05:07:15 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> Message-ID: <slrndn66mk.3o5.nobody@127.0.0.1> On Wed, 09 Nov 2005 18:49:15 -0800, David Dean coughed into spamcop and left this in <ozchzhq02-A8BF38.18491509112005@frylock.local>: > You mean like DVD region codes? Who cares about those with a region-free DVD player? -- Steve Cat, n: Lapwarmer with built-in buzzer. From bar_n0ne at hotmail.com Thu Nov 10 14:22:56 2005 From: bar_n0ne at hotmail.com (Berny) Date: Thu Nov 10 05:25:31 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> Message-ID: <dkv728$1np$1@news.spamcop.net> "Steven Maesslein" <nobody@nowhere.invalid> wrote in message news:slrndn66mk.3o5.nobody@127.0.0.1... > On Wed, 09 Nov 2005 18:49:15 -0800, David Dean coughed into spamcop and > left this in <ozchzhq02-A8BF38.18491509112005@frylock.local>: > > > You mean like DVD region codes? > > Who cares about those with a region-free DVD player? > > -- > Steve > > Cat, n: > Lapwarmer with built-in buzzer. > Because now many DVD's check for that and a number of them fail in that case. I have several (yes we bought the fsckers from a large reputable dealer in North America) that will not play on my region free player. This started a year or so ago. It's become a crap shoot. It seems nowadays you need a player that can be set to pretend to be in the desired region. Now we are constrained to watching on the PC (there is no sofa, and an 17" screen is not the same) Luckily we could download the movie with shareaza, I think this will become our preferred methof of obtaining movies, if I have to watch it on the PC anyway. and I guess I will only download sony artists from now, and avoid their rootkit (my daughter bought an Ipod), If we ever get a DVD burner, we can make our own region free playable copies. So RIAA, you are shooting yourselves in the foot by being too greedy. From nobody at nowhere.invalid Thu Nov 10 11:49:03 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Nov 10 05:50:02 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> Message-ID: <slrndn69cv.4a0.nobody@127.0.0.1> On Thu, 10 Nov 2005 14:22:56 +0400, Berny coughed into spamcop and left this in <dkv728$1np$1@news.spamcop.net>: >> > You mean like DVD region codes? >> >> Who cares about those with a region-free DVD player? > > Because now many DVD's check for that and a number of them fail in that > case. Actually, the DVD - being a passive object - can't check for anything. My guess is that these DVDs set a further "this disc can't be played in a region-free player" attribute in a VMGM pre-command on players that support it in their virtual machine. > If we ever get a DVD burner, we can make our own region free playable > copies. DVD burners are cheap nowadays ($50 ballpark) and blank media is also cheap ($0.30 a pop). The software I use for reworking DVDs (such as shrinking the video stream so a movie fits on a single-layer DVD?R) is totally free. I'd go for it ASAP. > So RIAA, you are shooting yourselves in the foot by being too greedy. Indeed. -- Steve Notice spotted in a field: THE FARMER ALLOWS WALKERS TO CROSS THE FIELD FOR FREE, BUT THE BULL CHARGES From nobody at devnull.spamcop.net Thu Nov 10 07:49:29 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Thu Nov 10 07:50:05 2005 Subject: [SpamCop-List] Re: ReportPhish.org ? References: <div9dl$rcs$1@news.spamcop.net> <dks32i$6hi$2@news.spamcop.net> <dktbrg$26i$1@news.spamcop.net> <dkum7p$on6$1@news.spamcop.net> Message-ID: <dkvfko$68r$1@news.spamcop.net> "jg" wrote in message > On 11/9/2005 9:32 AM Glenn Daniels scribbled: > > > "Patto" wrote in message > > > > >>An update: the report email address at ReportPhish.org now bounces. > > > > > > Fantastic! Pursuing your allegation that Report/at/ReportPhish.org > > was bouncing, I sent them a link > > ... > Errr...Pursuing the allegations of bouncing, you sent them a link? > Could/would you elaborate on the methodology here? It was simple really, I created a new mail, pasted the link in it, and sent it! How complicated is that? Had it bounced, I lost nothing and confirmed the belief that the addy was no longer working. It did not "bounce", so the addy /might/ be working. I can't /know/ that it works, as my ISP silently and apparently arbitrarily "drops" some outgoing mail. Anyway, fwiw, that site was nuked. Pleased with the outcome of my "test", I sent them (by email?) links to several other problematic phishing sites as have resisted all other efforts, and they also now are showing "404 compliant" pages. So by reason of magical thinking, at least for my purposes, the addy does not "bounce". For you, who knows, maybe it "bounces". Sorry about that: "spam" happens! Cheers, glenn From nobody at spamcop.net Thu Nov 10 06:56:03 2005 From: nobody at spamcop.net (John Anderson) Date: Thu Nov 10 08:00:05 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> Message-ID: <dkvg10$6hn$1@news.spamcop.net> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in message news:dkubbp$j70$1@news.spamcop.net... > > "Robert Blair" <nobody@nowhere.not> wrote in message > news:TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com... > >> >> >> If you want to see what Sony is putting people through to uninstall >> this rootkit see. >> >> http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-wa >> nt-to_09.html > > Yeah right! If they think I'm going to throw away my CD collection just > because I move to another country, they're F*^%ING STUPID!! > I had to copy and paste the url, here is a tiny url: http://tinyurl.com/bpr64 From porpoise1954 at yahoo.co.uk Thu Nov 10 13:20:10 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 10 08:25:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> Message-ID: <dkvhf6$7c1$1@news.spamcop.net> "David Dean" <ozchzhq02@sneakemail.com> wrote in message news:ozchzhq02-A8BF38.18491509112005@frylock.local... > In article <dkubbp$j70$1@news.spamcop.net>, > "Porpoise" <porpoise1954@yahoo.co.uk> wrote: > >> Yeah right! If they think I'm going to throw away my CD collection just >> because I move to another country, they're F*^%ING STUPID!! > > You mean like DVD region codes? Yes!! I DO!!! EXACTLY!!!! They take absolutely NO account of multi-national/lingual families or the fact that it's SUPPOSED to be a free-market economy - which means I should be able to buy a DVD wherever I happen to be travelling, and be able to play it wherever I happen to be travelling. I shouldn't have to have seperate players for every region!!!!! $#$^$%&^%#&&^^^*&&^**&&U(*&* I feel really strongly about being dictated to in this fashion. Yes, prosecute the piraters by all means, but don't try and confuse the issue by making people pay through the nose via regionalisation and calling it anti-piracy measures. From porpoise1954 at yahoo.co.uk Thu Nov 10 13:24:12 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 10 08:25:17 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> Message-ID: <dkvhmn$7ee$1@news.spamcop.net> "Berny" <bar_n0ne@hotmail.com> wrote in message news:dkv5pr$pq$1@news.spamcop.net... > > "David Dean" <ozchzhq02@sneakemail.com> wrote in message > news:ozchzhq02-A8BF38.18491509112005@frylock.local... >> In article <dkubbp$j70$1@news.spamcop.net>, >> "Porpoise" <porpoise1954@yahoo.co.uk> wrote: >> >> > Yeah right! If they think I'm going to throw away my CD collection just >> > because I move to another country, they're F*^%ING STUPID!! >> >> You mean like DVD region codes? >> >> -- >> -David >> >> Nihil curo de ista tua stulta superstitione. > > It's because of crap like that region code (burns me, because I move > between > the americas, europe and asia a lot) that I fully support piracy these > days SNAP!! They have absolutely NO consideration for people who are not single-location/single-language families. I quite often buy DVDs while working/holidaying in Thailand for example..... generally, they don't tend to have region 2 discs.... > > > these assholes want you to be renting when you thought you bought. They'd > really prefer (and have tried) that libraries pay and charge royalties. > and > that you not lend books or other media, and if they could they'd charge > you > if you have guests over to watch tv. Yes quite! The sooner these robbing bastard companies get their cum-uppance the better. I'm right behind the EU and their attempts to stop all this anti-consumer crap. From porpoise1954 at yahoo.co.uk Thu Nov 10 13:25:33 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 10 08:30:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> Message-ID: <dkvhp9$7o7$1@news.spamcop.net> "Steven Maesslein" <nobody@nowhere.invalid> wrote in message news:slrndn66mk.3o5.nobody@127.0.0.1... > On Wed, 09 Nov 2005 18:49:15 -0800, David Dean coughed into spamcop and > left this in <ozchzhq02-A8BF38.18491509112005@frylock.local>: > >> You mean like DVD region codes? > > Who cares about those with a region-free DVD player? What? Like the one you can't get for your laptop because it isn't available???? Kind of defeats the whole object of a laptop being portable, doesn't it? From porpoise1954 at yahoo.co.uk Thu Nov 10 13:37:48 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 10 08:40:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkvhp9$7o7$1@news.spamcop.net> Message-ID: <dkvig8$84i$1@news.spamcop.net> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in message news:dkvhp9$7o7$1@news.spamcop.net... > > "Steven Maesslein" <nobody@nowhere.invalid> wrote in message > news:slrndn66mk.3o5.nobody@127.0.0.1... >> On Wed, 09 Nov 2005 18:49:15 -0800, David Dean coughed into spamcop and >> left this in <ozchzhq02-A8BF38.18491509112005@frylock.local>: >> >>> You mean like DVD region codes? >> >> Who cares about those with a region-free DVD player? > > What? Like the one you can't get for your laptop because it isn't > available???? Kind of defeats the whole object of a laptop being portable, > doesn't it? Another scenario: I have movie A which I've watched so many times, I'm now sick of it. I know, I'll swap it for a different one with my friend in France. Oh, crap! we can't because he's region 3 and I'm region 2 (at the moment). Still, there is one consolation being region 2, at least I can get Japanese ones......... From porpoise1954 at yahoo.co.uk Thu Nov 10 13:43:33 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 10 08:45:04 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkvhp9$7o7$1@news.spamcop.net> <dkvig8$84i$1@news.spamcop.net> Message-ID: <dkvir1$885$1@news.spamcop.net> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in message news:dkvig8$84i$1@news.spamcop.net... > > > Another scenario: > > I have movie A which I've watched so many times, I'm now sick of it. I > know, I'll swap it for a different one with my friend in France. Oh, crap! > we can't because he's region 3 and I'm region 2 (at the moment). Still, > there is one consolation being region 2, at least I can get Japanese > ones......... Of course, one way of enabling "people-power" would be for everyone to boycott all Sony products until they desist. From nobody at nowhere.invalid Thu Nov 10 14:53:01 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Nov 10 08:55:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkvhp9$7o7$1@news.spamcop.net> Message-ID: <slrndn6k5t.7n9.nobody@127.0.0.1> On Thu, 10 Nov 2005 13:25:33 -0000, Porpoise coughed into spamcop and left this in <dkvhp9$7o7$1@news.spamcop.net>: > What? Like the one you can't get for your laptop because it isn't > available???? Kind of defeats the whole object of a laptop being portable, > doesn't it? Huh? Use an open-source player (like xine, ogle or mplayer) with libdvdcss (also open source) and it couldn't care less what zone the DVD is supposedly for. -- Steve Just remember: when you go to court, you are trusting your fate to twelve people that weren't smart enough to get out of jury duty! From porpoise1954 at yahoo.co.uk Thu Nov 10 14:06:48 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 10 09:10:05 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkvhp9$7o7$1@news.spamcop.net> <slrndn6k5t.7n9.nobody@127.0.0.1> Message-ID: <dkvk6k$9bs$1@news.spamcop.net> "Steven Maesslein" <nobody@nowhere.invalid> wrote in message news:slrndn6k5t.7n9.nobody@127.0.0.1... > On Thu, 10 Nov 2005 13:25:33 -0000, Porpoise coughed into spamcop and > left this in <dkvhp9$7o7$1@news.spamcop.net>: > >> What? Like the one you can't get for your laptop because it isn't >> available???? Kind of defeats the whole object of a laptop being >> portable, >> doesn't it? > > Huh? > > Use an open-source player (like xine, ogle or mplayer) with libdvdcss > (also open source) and it couldn't care less what zone the DVD is > supposedly for. > How does that operate with the firmware regioncoding of the DVD player itself? From MikeE at ster.invalid Thu Nov 10 06:16:52 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 10 09:20:03 2005 Subject: [SpamCop-List] Re: In stereo... References: <dkunl5$pc3$1@news.spamcop.net> Message-ID: <dkvkof$9nr$1@news.spamcop.net> jg wrote: > Same payloads, same time: www.spamcop.net/sc?id=z825126722zc1460f4b313ecc60bf406c796c1f8e06z www.spamcop.net/sc?id=z825127031z171c51084e50857b83455514e2f65469z spams sourced from 2 different proxies pharm spamvertising at kukqwy.info > is there some thing/where else to > report? Not really. kukqwy.info DNS 82.138.63.64 of .ru Comcor abuse.net reg'd abuse@teliacarrier.com abuse@comcor.ru postmaster@comcor.ru (for comcor.ru) 82.138.63.64 is spamhaused as the /30 and spewed as the /18 comcor.ru has 8 SBL listings and lots in spews http://www.spamhaus.org/SBL/sbl.lasso?query=SBL28550 http://spews.org/html/S2188.html comcor is AS8732 whose upstream adjacency is AS3216 SOVAM-AS Golden Telecom, Moscow, Russia abuse@sovam.com which sovam is also teleross and whose upstreams are cw & level3 As a general rule, you can consider such providers with extensive spews and spamhaus listings to be unresponsive, and I wouldn't imagine sovam would be interested in hearing about the spamvertisers of comcor or its unresponsiveness and I certainly wouldn't imagine that cw or level3 would be interested in hearing about their downstream Sovam's downstream comcor being unresponsive. This is an example of how a SC notify of the spamvertiser, if it had been resolved, would be expected to be meaningless and would be simply handing over a copy of the spam evidence to a blackhat. However, it would have been useful for the spamvertised site to go to the surbl db. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Thu Nov 10 15:25:05 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Nov 10 09:30:06 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkvhp9$7o7$1@news.spamcop.net> <slrndn6k5t.7n9.nobody@127.0.0.1> <dkvk6k$9bs$1@news.spamcop.net> Message-ID: <slrndn6m21.8ai.nobody@127.0.0.1> On Thu, 10 Nov 2005 14:06:48 -0000, Porpoise coughed into spamcop and left this in <dkvk6k$9bs$1@news.spamcop.net>: >> Use an open-source player (like xine, ogle or mplayer) with libdvdcss >> (also open source) and it couldn't care less what zone the DVD is >> supposedly for. > > How does that operate with the firmware regioncoding of the DVD player > itself? It doesn't interact with the region coding of the DVD drive at all. The software asks the DVD drive for data that's on the DVD and the DVD gives that data out. libdvdcss descrambles it if need be. Only commercial software - often supplied with DVD drives - interrogates the drive to find out its region and compare it with the region of the DVD. -- Steve A lot of money is tainted. 'Taint yours and 'taint mine. From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 10 20:12:24 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 10 15:15:09 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> Message-ID: <Xns970A7C317B9C2tinlc@216.154.195.61> "Robert Blair" <nobody@nowhere.not> wrote in news:TECQXhvKj0FX-pn2- jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com: > > > If you want to see what Sony is putting people through to uninstall > this rootkit see. > > http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-wa > nt-to_09.html > > Just saw. And what is worse is that the uninstall solution is not completely stable either. With this in mind, most people will not go through the process to get it off their machines which is what the execs at Sony hope. Datafellows has their own analysis on this: http://www.f-secure.com/v-descs/xcp_drm.shtml From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 10 20:17:50 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 10 15:20:04 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> Message-ID: <Xns970A7D1D5F8BEtinlc@216.154.195.61> "Berny" <bar_n0ne@hotmail.com> wrote in news:dkv5pr$pq$1@news.spamcop.net: > > It's because of crap like that region code (burns me, because I move > between the americas, europe and asia a lot) that I fully support > piracy these days > > There are multiregion players out there. (Or you could just get a cheap player and do some reverse engineering to disable the region restriction.) However, I can't support piracy.. particularly with the bombardment of "cheep s0ftwar3" spams I receive daily. :-p > these assholes want you to be renting when you thought you bought. > They'd really prefer (and have tried) that libraries pay and charge > royalties. and that you not lend books or other media, and if they > could they'd charge you if you have guests over to watch tv. > Which is why they need to change their business model. Again, selling CDs for $18 for just 1 good musical number and their other 10 being junk is just bad business. I think paying a fair price per downloadable song is the best way to go. That way you get what you want. From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 10 20:20:51 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 10 15:25:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> Message-ID: <Xns970A7DA0520D9tinlc@216.154.195.61> Steven Maesslein <nobody@nowhere.invalid> wrote in news:slrndn69cv.4a0.nobody@127.0.0.1: > > Actually, the DVD - being a passive object - can't check for anything. > My guess is that these DVDs set a further "this disc can't be played in > a region-free player" attribute in a VMGM pre-command on players that > support it in their virtual machine. > I could of sworn there were players that had switchable regions. From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 10 20:24:33 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 10 15:25:14 2005 Subject: [SpamCop-List] Re: [Media] FBI Says Man Created Zombie PC Networks, Sold Access References: <dkg34e$es$1@news.spamcop.net> Message-ID: <Xns970A7E40CE51Ftinlc@216.154.195.61> "Ron B." <zypher@spamcop.net> wrote in news:dkg34e$es$1@news.spamcop.net: > > The indictment charges conspiracy, money laundering, transmission of > code to a government computer and accessing a protected computer to > commit fraud. > Just goes to show that these guys (spammers, virus writers, etc.) appear to already be troublemakers with the law before doing this botnet crap. From borgholio at storymind.com Thu Nov 10 12:29:38 2005 From: borgholio at storymind.com (Borgholio) Date: Thu Nov 10 15:30:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit In-Reply-To: <Xns970A7DA0520D9tinlc@216.154.195.61> References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> Message-ID: <dl0ajf$khq$1@news.spamcop.net> Redstone wrote: > Steven Maesslein <nobody@nowhere.invalid> wrote in > news:slrndn69cv.4a0.nobody@127.0.0.1: > > > >>Actually, the DVD - being a passive object - can't check for anything. >>My guess is that these DVDs set a further "this disc can't be played in >>a region-free player" attribute in a VMGM pre-command on players that >>support it in their virtual machine. >> > > > I could of sworn there were players that had switchable regions. > My DVD drive on my computer does. However, you can only switch it 5 times before it permanently freezes it at whatever region you selected. :-/ From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 10 21:15:42 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 10 16:20:04 2005 Subject: [SpamCop-List] [MEDIA] Hackers use Sony BMG to hide on PCs Message-ID: <Xns970A86ECD8110tinlc@216.154.195.61> http://news.yahoo.com/s/nm/20051110/wr_nm/sony_hack_dc http://tinyurl.com/8fpz7 "AMSTERDAM (Reuters) - A computer security firm said on Thursday it had discovered the first virus that uses music publisher Sony BMG's controversial CD copy-protection software to hide on PCs and wreak havoc." Certainly came out in record time. Sony/BMG along with scumware maker First4Internet can safely be placed in the same category we place spammers, spyware companies, and the other dregs in. Keep it up Sony, this couldn't have happened at a better moment where you're beginning to lose market share to your competitors. What's next on the agenda? Offer Ralsky a position as an IT manager? How about Rizler as CFO? From g.hyde at bigpond.net.au Fri Nov 11 09:59:28 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Nov 10 19:10:23 2005 Subject: [SpamCop-List] Re: [MEDIA] Hackers use Sony BMG to hide on PCs References: <Xns970A86ECD8110tinlc@216.154.195.61> Message-ID: <dl0n93$u76$1@news.spamcop.net> "Redstone" <redford_stone@INVERSE_OF_COLDmail.com> wrote in message news:Xns970A86ECD8110tinlc@216.154.195.61... > http://news.yahoo.com/s/nm/20051110/wr_nm/sony_hack_dc > http://tinyurl.com/8fpz7 > > > "AMSTERDAM (Reuters) - A computer security firm said on Thursday it had > discovered the first virus that uses music publisher Sony BMG's > controversial CD copy-protection software to hide on PCs and wreak > havoc." [snip] Does anyone know if it can self-install without the presence of the Sony rootkit? Or does it have to have the rootkit present? -- Cheers ... Geoffrey Hyde From porpoise1954 at yahoo.co.uk Fri Nov 11 01:35:13 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 10 20:40:23 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> <Xns970A7D1D5F8BEtinlc@216.154.195.61> Message-ID: <dl0shv$2af$1@news.spamcop.net> "Redstone" <redford_stone@INVERSE_OF_COLDmail.com> wrote in message news:Xns970A7D1D5F8BEtinlc@216.154.195.61... > "Berny" <bar_n0ne@hotmail.com> wrote in > news:dkv5pr$pq$1@news.spamcop.net: > > >> >> It's because of crap like that region code (burns me, because I move >> between the americas, europe and asia a lot) that I fully support >> piracy these days >> >> > > There are multiregion players out there. (Or you could just get a cheap > player and do some reverse engineering to disable the region > restriction.) However, I can't support piracy.. particularly with the > bombardment of "cheep s0ftwar3" spams I receive daily. :-p I don't support piracy either, but region encoding has nothing to do with preventing piracy. >> these assholes want you to be renting when you thought you bought. >> They'd really prefer (and have tried) that libraries pay and charge >> royalties. and that you not lend books or other media, and if they >> could they'd charge you if you have guests over to watch tv. >> > > > Which is why they need to change their business model. Again, selling > CDs for $18 for just 1 good musical number and their other 10 being junk > is just bad business. I think paying a fair price per downloadable song > is the best way to go. That way you get what you want. Just so long as you can play it whenever and wherever you want......... From porpoise1954 at yahoo.co.uk Fri Nov 11 01:36:16 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 10 20:40:46 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> Message-ID: <dl0sju$2at$1@news.spamcop.net> "Redstone" <redford_stone@INVERSE_OF_COLDmail.com> wrote in message news:Xns970A7DA0520D9tinlc@216.154.195.61... > Steven Maesslein <nobody@nowhere.invalid> wrote in > news:slrndn69cv.4a0.nobody@127.0.0.1: > > >> >> Actually, the DVD - being a passive object - can't check for anything. >> My guess is that these DVDs set a further "this disc can't be played in >> a region-free player" attribute in a VMGM pre-command on players that >> support it in their virtual machine. >> > > I could of sworn there were players that had switchable regions. Yes. You can change regions up to 5 times. On the 5th change, it is then locked in to that region. From sorcerer2 at hotmail.com Thu Nov 10 20:48:09 2005 From: sorcerer2 at hotmail.com (Sir Sorcerer) Date: Thu Nov 10 20:50:03 2005 Subject: [SpamCop-List] Rumor: Spamcop spamvertised websites future Message-ID: <BF996289.3FC%sorcerer2@hotmail.com> Folks, Rumor has it, that in time, the Spamcop spamvertised websites will only list domain names, NOT the full domain + URI. If this is true, could Spamcop representatives contact spamcop at oitc.com so we can discuss workarounds. Thanks, Tom From nobody at devnull.spamcop.net Fri Nov 11 11:46:32 2005 From: nobody at devnull.spamcop.net (Patto) Date: Thu Nov 10 21:50:08 2005 Subject: [SpamCop-List] Feature request - IP address Message-ID: <dl10m8$4ls$1@news.spamcop.net> I know there is not much hope that any feature requests will be met these days; I do not even know if any development is taking place at spamcop.net I'll try it anyway. Here is an example of what I am going to talk about http://www.spamcop.net/sc?id=z824747132z508622cde503b4f377e3a30f05a0269ez The spam website is http://lavieen-r.cx/j/ and the report for it is going to kitamura@hitmail.cc I am very suspicious of this reporting address, and I would like to do some investigation on my own. It would be VERY convenient if SpamCop would give me the IP address here, instead of only the URL. Without the IP address I have to open an extra tool, such as Sam Spade, to find the IP address. Could SpamCop - please - print the IP address of spamvertized web sites on the confirmation page? I am actually pretty sure that in the olden days that was the case; why was it removed? From Kilgallen at SpamCop.net Thu Nov 10 21:16:47 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Thu Nov 10 22:20:03 2005 Subject: [SpamCop-List] Re: Rumor: Spamcop spamvertised websites future References: <BF996289.3FC%sorcerer2@hotmail.com> Message-ID: <0giEaaGhrugj@eisner.encompasserve.org> In article <BF996289.3FC%sorcerer2@hotmail.com>, Sir Sorcerer <sorcerer2@hotmail.com> writes: > Rumor has it, that in time, the Spamcop spamvertised websites will only list > domain names, NOT the full domain + URI. > > If this is true, could Spamcop representatives contact spamcop at oitc.com > so we can discuss workarounds. So if that rumor were true, you are unwilling to discuss in public why such obfuscation in reports would be a bad idea ? That gives the impression of spammer support. From jeffg at spamcop.net Thu Nov 10 23:00:04 2005 From: jeffg at spamcop.net (Jeff G.) Date: Thu Nov 10 23:05:08 2005 Subject: [SpamCop-List] Re: Feature request - IP address References: <dl10m8$4ls$1@news.spamcop.net> Message-ID: <dl1515$6ph$1@news.spamcop.net> "Patto" <nobody@devnull.spamcop.net> wrote in message news:dl10m8$4ls$1@news.spamcop.net... > It would be VERY convenient if SpamCop > would give me the IP address here, instead of only the URL. Have you tried showing technical details? -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From gezgin at spamcop.net Fri Nov 11 06:50:39 2005 From: gezgin at spamcop.net (Gezgin) Date: Thu Nov 10 23:55:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0ajf$khq$1@news.spamcop.net> Message-ID: <dl17v0$8ag$1@news.spamcop.net> "Borgholio" <borgholio@storymind.com> wrote >> I could of sworn there were players that had switchable >> regions. > My DVD drive on my computer does. However, you can only > switch it 5 times before it permanently freezes it at > whatever region you selected. :-/ I think they all do that. My solution is to have two drives. I keep the burner in region two ('cause that's where I am) and the other in region 1 ('cause I buy a lot of DVDs from Amazon in the US). -- Bob Kanyak's Doghouse http://www.kanyak.com From Ilgaz at spamcop.net Fri Nov 11 08:35:11 2005 From: Ilgaz at spamcop.net (Ilgaz Ocal) Date: Fri Nov 11 01:40:03 2005 Subject: [SpamCop-List] Re: ReportPhish.org ? References: <dks60m$8f1$1@news.spamcop.net> Message-ID: <dl1e2v$b48$1@news.spamcop.net> On 2005-11-09 08:46:53 +0200, "Mike Easter" <MikeE@ster.invalid> said: > Patto wrote: > >> An update: the report email address at ReportPhish.org now bounces. > > Marjolein's [remember Marjolein?] pick > http://banspam.javawoman.com/index.html was antiphishing > http://www.antiphishing.org/ > > Look it over and see what you think. They have a database at the site, > an email reporting addy reportphishing@antiphishing.org and quite a bit > of resources. > > I've never heard of reportphish. I've heard of antiphishing. I liked the antiphishing.org evil, huge corparate logos as supporters :) You know, hit the evil with more evil. I get a lot of phishing mail and keep reporting them. Maybe they will do something? Also as I see Ebay insists rejecting spamcop reports and I don't think Cyvelliance reporting to them, I plan to revoke my paypal account. It gives me a "not caring" image you know. Ilgaz From borgholio at storymind.com Thu Nov 10 22:36:34 2005 From: borgholio at storymind.com (Borgholio) Date: Fri Nov 11 01:40:14 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit In-Reply-To: <dl17v0$8ag$1@news.spamcop.net> References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0ajf$khq$1@news.spamcop.net> <dl17v0$8ag$1@news.spamcop.net> Message-ID: <dl1e5n$b60$1@news.spamcop.net> Gezgin wrote: > "Borgholio" <borgholio@storymind.com> wrote > >>> I could of sworn there were players that had switchable regions. >> >> My DVD drive on my computer does. However, you can only switch it 5 >> times before it permanently freezes it at whatever region you >> selected. :-/ > > > I think they all do that. My solution is to have two drives. I keep the > burner in region two ('cause that's where I am) and the other in region > 1 ('cause I buy a lot of DVDs from Amazon in the US). > It bugs the hell out of me, honestly. While I never need to actually switch regions, the fact that they think they can only let me do it a set number of times is insulting. From Ilgaz at spamcop.net Fri Nov 11 08:40:13 2005 From: Ilgaz at spamcop.net (Ilgaz Ocal) Date: Fri Nov 11 01:45:03 2005 Subject: [SpamCop-List] Re: "You are very good, thank you!" References: <436F6A3F.462FCB83@spamcop.net> Message-ID: <dl1ecd$b48$2@news.spamcop.net> On 2005-11-07 16:52:47 +0200, Kenneth Brody <kenbrody@spamcop.net> said: > "Ron B." wrote: >> >> Aviatrix wrote: >>> >>> >>> Ron B. wrote: >>> >>>> Any URL's to click? >>> >>> >>> Nope. Nothing at all. Just a plain text message. >>> >>> A. >> >> Bizzare! > > Without complete source, including full headers, we can only guess. It > could be an attempt to verify addresses via return-receipt. I have seen couple of real weird messages to my yahoo mail with subjects like (20) (19) etc. Weirdness? Truely empty messages. No body. 90% chance some spammer testing their new software , if server bounces them IMHO. Ilgaz From nobody at spamcop.net Fri Nov 11 11:18:05 2005 From: nobody at spamcop.net (nospam) Date: Fri Nov 11 02:20:04 2005 Subject: [SpamCop-List] Re: Wow...that was FAST! References: <dkg6fr$1md$1@news.spamcop.net> <Xns97051D6D81B53tinlc@216.154.195.61> <dki90m$rb7$2@news.spamcop.net> <Xns97093B76B9D21tinlc@216.154.195.61> Message-ID: <BF9A2E6D.16426%nobody@spamcop.net> in article Xns97093B76B9D21tinlc@216.154.195.61, Redstone at redford_stone@INVERSE_OF_COLDmail.com wrote on 11/9/05 5:50 PM: > Borgholio <borgholio@storymind.com> wrote in news:dki90m$rb7$2 > @news.spamcop.net: > >> >> >> Yeah but the fact that it's a Russian sysadmin is what amazes me. :) > > > Good point. It is already impossible trying to get their attention > regarding zombies on their networks. > >From conversations with several correspondents in Russia, few private (basically home users) copies of Win/(anything) are sourced from M$, generally they are pirated and "improved" by the vendors. Improvement here in most cases means it runs generally faster on slower hardware. Now, that could mean users are running a Win95 with some XP graphics for all I know. Anyway, It does amaze me how little zombie spam comes from Russia compared to SpamCast and other USA broadband networks, since (As I understand it) most home PC OS's are compromised out of the box so to speak. I have the feeling that the Bot writers and herders and OS piraters are basically the same bunch, and perhaps they try to avoid shitting in their own front yard. From nobody at devnull.spamcop.net Fri Nov 11 16:31:43 2005 From: nobody at devnull.spamcop.net (Patto) Date: Fri Nov 11 02:35:03 2005 Subject: [SpamCop-List] Re: Feature request - IP address In-Reply-To: <dl1515$6ph$1@news.spamcop.net> References: <dl10m8$4ls$1@news.spamcop.net> <dl1515$6ph$1@news.spamcop.net> Message-ID: <dl1hcv$d12$1@news.spamcop.net> Jeff G. wrote: > "Patto" <nobody@devnull.spamcop.net> wrote in message > news:dl10m8$4ls$1@news.spamcop.net... >> It would be VERY convenient if SpamCop >> would give me the IP address here, instead of only the URL. > > Have you tried showing technical details? Wow - in the many years I have been using spamcop I have never noticed this checkbox. It lists a little more than what I need, but it serves my purpose. Thanks! From nobody at spamcop.net Fri Nov 11 11:41:08 2005 From: nobody at spamcop.net (nospam) Date: Fri Nov 11 02:45:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> <Xns970A7D1D5F8BEtinlc@216.154.195.61> Message-ID: <BF9A33D4.16427%nobody@spamcop.net> in article Xns970A7D1D5F8BEtinlc@216.154.195.61, Redstone at redford_stone@INVERSE_OF_COLDmail.com wrote on 11/11/05 12:17 AM: > "Berny" <bar_n0ne@hotmail.com> wrote in > news:dkv5pr$pq$1@news.spamcop.net: > > >> >> It's because of crap like that region code (burns me, because I move >> between the americas, europe and asia a lot) that I fully support >> piracy these days >> >> > > There are multiregion players out there. (Or you could just get a cheap > player and do some reverse engineering to disable the region > restriction.) However, I can't support piracy.. particularly with the > bombardment of "cheep s0ftwar3" spams I receive daily. :-p OK, I should explain. I don't support commercial piracy, ie piracy and sale for profit. Sharing on the other hand... > Which is why they need to change their business model. Again, selling > CDs for $18 for just 1 good musical number and their other 10 being junk > is just bad business. I think paying a fair price per downloadable song > is the best way to go. That way you get what you want. Maybe for you, but some albums are just good all over. It's also a pisser to see legal tapes sold for a fraction of the cost of a CD or DVD, when the production and manufacturing costs are an order of magnitude higher. I personally don't lke downloading music, I generally like and prefer to buy an album, except in those cases where I am forced to buy 14 crap works for one good one. Also, realistically the vast majority of consumers worldwide do not have access to PC's and Broadband. The Business model now is to try to get revenue wherever possible without regard to long standing business practices. (you bought something, it's yours) It's still a profitable business, but perhaps not if the stars and producers need to make sooo much money. And how Metallica and plenty of others sell anything has always been a mystery to me. I wouldn't bring it home even if it was free. Hasn't anyone noticed that the ones who seem the most worried by "piracy" and sharing, are not the artists whose livelyhoods are precarious? From redford_stone at INVERSE_OF_COLDmail.com Fri Nov 11 08:26:30 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Fri Nov 11 03:30:29 2005 Subject: [SpamCop-List] Re: [MEDIA] Hackers use Sony BMG to hide on PCs References: <Xns970A86ECD8110tinlc@216.154.195.61> <dl0n93$u76$1@news.spamcop.net> Message-ID: <Xns970B483AA154tinlc@216.154.195.61> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in news:dl0n93$u76$1 @news.spamcop.net: > > Does anyone know if it can self-install without the presence of the Sony > rootkit? Or does it have to have the rootkit present? > > You mean the viruses? I would think it would install regardless. If it was there, it would take advantage of the rootkit, otherwise it will do it like other viruses. From redford_stone at INVERSE_OF_COLDmail.com Fri Nov 11 08:30:16 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Fri Nov 11 03:35:05 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> <Xns970A7D1D5F8BEtinlc@216.154.195.61> <dl0shv$2af$1@news.spamcop.net> Message-ID: <Xns970B52711D08tinlc@216.154.195.61> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in news:dl0shv$2af$1@news.spamcop.net: > > I don't support piracy either, but region encoding has nothing to do > with preventing piracy. > True, it doesn't.. Pirates would make copies regardless of region. > > Just so long as you can play it whenever and wherever you > want......... > Portability is/was the selling point for CDs to begin with. Kill off that feature and we might as well go back to LPs. From redford_stone at INVERSE_OF_COLDmail.com Fri Nov 11 08:38:22 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Fri Nov 11 03:40:04 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> <Xns970A7D1D5F8BEtinlc@216.154.195.61> <BF9A33D4.16427%nobody@spamcop.net> Message-ID: <Xns970B68736B68tinlc@216.154.195.61> nospam <nobody@spamcop.net> wrote in news:BF9A33D4.16427%nobody@spamcop.net: > > Maybe for you, but some albums are just good all over. It's also a > pisser to see legal tapes sold for a fraction of the cost of a CD or > DVD, when the production and manufacturing costs are an order of > magnitude higher. > Gee, are those old tapes still being produced? I don't see electronic stores selling much in terms of tape players nowadays. :-) > I personally don't lke downloading music, I generally like and prefer > to buy an album, except in those cases where I am forced to buy 14 > crap works for one good one. Also, realistically the vast majority of > consumers worldwide do not have access to PC's and Broadband. > There used to music stores that had a service where you could choose specific music and they would burn in custom CDs at the cashier. > The Business model now is to try to get revenue wherever possible > without regard to long standing business practices. (you bought > something, it's yours) It's still a profitable business, but perhaps > not if the stars and producers need to make sooo much money. And how > Metallica and plenty of others sell anything has always been a mystery > to me. I wouldn't bring it home even if it was free. > It all goes up their noses anyways. Worried that they won't be able to toke a hit in their limos with rolled up $100 bills. :-p > > Hasn't anyone noticed that the ones who seem the most worried by > "piracy" and sharing, are not the artists whose livelyhoods are > precarious? > > See above. :-) From redford_stone at INVERSE_OF_COLDmail.com Fri Nov 11 08:39:36 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Fri Nov 11 03:40:18 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0sju$2at$1@news.spamcop.net> Message-ID: <Xns970B6BCA7433tinlc@216.154.195.61> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in news:dl0sju$2at$1 @news.spamcop.net: > > Yes. You can change regions up to 5 times. On the 5th change, it is then > locked in to that region. > > Locked permanently, or can it be modified upon reboot? From porpoise1954 at yahoo.co.uk Fri Nov 11 09:22:44 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Nov 11 04:25:02 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> <Xns970A7D1D5F8BEtinlc@216.154.195.61> <dl0shv$2af$1@news.spamcop.net> <Xns970B52711D08tinlc@216.154.195.61> Message-ID: <dl1nut$kme$1@news.spamcop.net> "Redstone" <redford_stone@INVERSE_OF_COLDmail.com> wrote in message news:Xns970B52711D08tinlc@216.154.195.61... > "Porpoise" <porpoise1954@yahoo.co.uk> wrote in > news:dl0shv$2af$1@news.spamcop.net: > >> Just so long as you can play it whenever and wherever you >> want......... >> > > Portability is/was the selling point for CDs to begin with. Kill off > that feature and we might as well go back to LPs. And cassette tapes for the car.......... From nobody at nowhere.invalid Fri Nov 11 10:50:08 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Nov 11 04:56:05 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0sju$2at$1@news.spamcop.net> <Xns970B6BCA7433tinlc@216.154.195.61> Message-ID: <slrndn8qag.hkc.nobody@127.0.0.1> On Fri, 11 Nov 2005 08:39:36 +0000 (UTC), Redstone coughed into spamcop and left this in <Xns970B6BCA7433tinlc@216.154.195.61>: >> Yes. You can change regions up to 5 times. On the 5th change, it is then >> locked in to that region. > > Locked permanently, or can it be modified upon reboot? Locked permanently unless it's sent to the manufacturer who has the gizmo to reset the counter in an NVRAM somewhere. -- Steve guru, n: A computer owner who can read the manual. From Nobody at Spamcop.net.dev.null Fri Nov 11 04:35:26 2005 From: Nobody at Spamcop.net.dev.null (Michael Brennan) Date: Fri Nov 11 05:40:23 2005 Subject: [SpamCop-List] Odd Source Line Message-ID: <437473EE.1475A8D3@Spamcop.net.dev.null> In a lot of "mortgage" phishes that use Base 64, I've noticed a certain line being used in the source that reads, <td height="8">Xmong. Npos alter. almonsted nocks </td> Example: http://www.spamcop.net/sc?id=z825523999z304c0beebeb0f40087ef1cc29e3058aaz Does anyone know what this is? I've seen it numerous times when looking for IMG SRC lines in spams having .GIF files. TIA, Michael From porpoise1954 at yahoo.co.uk Fri Nov 11 12:03:36 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Nov 11 07:05:04 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0sju$2at$1@news.spamcop.net> <Xns970B6BCA7433tinlc@216.154.195.61> Message-ID: <dl21ck$pdk$1@news.spamcop.net> "Redstone" <redford_stone@INVERSE_OF_COLDmail.com> wrote in message news:Xns970B6BCA7433tinlc@216.154.195.61... > "Porpoise" <porpoise1954@yahoo.co.uk> wrote in news:dl0sju$2at$1 > @news.spamcop.net: > > >> >> Yes. You can change regions up to 5 times. On the 5th change, it is then >> locked in to that region. >> >> > > > Locked permanently, or can it be modified upon reboot? > Locked permanently (or until you get an unlock code from the manufacturer - after you've explained how you came to change region so many times). From porpoise1954 at yahoo.co.uk Fri Nov 11 12:04:25 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Nov 11 07:10:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0sju$2at$1@news.spamcop.net> <Xns970B6BCA7433tinlc@216.154.195.61> <slrndn8qag.hkc.nobody@127.0.0.1> Message-ID: <dl21e5$pgm$1@news.spamcop.net> "Steven Maesslein" <nobody@nowhere.invalid> wrote in message news:slrndn8qag.hkc.nobody@127.0.0.1... > On Fri, 11 Nov 2005 08:39:36 +0000 (UTC), Redstone coughed into spamcop > > guru, n: > A computer owner who can read the manual. No, no. A guru is someone who doesn't need the manual........ ;-) From kenbrody at spamcop.net Fri Nov 11 10:18:23 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Fri Nov 11 10:35:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Hackers use Sony BMG to hide on PCs References: <Xns970A86ECD8110tinlc@216.154.195.61> <dl0n93$u76$1@news.spamcop.net> <Xns970B483AA154tinlc@216.154.195.61> Message-ID: <4374B63F.E262FBF6@spamcop.net> Redstone wrote: > > "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in news:dl0n93$u76$1 > @news.spamcop.net: > > > > > Does anyone know if it can self-install without the presence of the Sony > > rootkit? Or does it have to have the rootkit present? > > > > > > You mean the viruses? I would think it would install regardless. If it was > there, it would take advantage of the rootkit, otherwise it will do it like > other viruses. s/it will do it like other viruses/it will install the rootkit/ -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: <mailto:ThisIsASpamTrap@gmail.com> From MikeE at ster.invalid Fri Nov 11 07:58:29 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 11 11:00:03 2005 Subject: [SpamCop-List] Re: Odd Source Line References: <437473EE.1475A8D3@Spamcop.net.dev.null> Message-ID: <dl2f30$13k$1@news.spamcop.net> Michael Brennan wrote: > In a lot of "mortgage" phishes that use Base 64, I've noticed a > certain line being used in the source that reads, > > <td height="8">Xmong. Npos alter. almonsted nocks </td> > > Example: > www.spamcop.net/sc?id=z825523999z304c0beebeb0f40087ef1cc29e3058aaz > > Does anyone know what this is? I've seen it numerous times when > looking for IMG SRC lines in spams having .GIF files. Your selected squeamish ossifrage message isn't just a line in the html body. In the item you posted, it is the entire plaintext multipart. Content-Type: text/plain; Charset = "us-ascii" Content-Transfer-Encoding: 7bit Xmong. Npos alter. almonsted nocks The ROT13 is Kzbat. Acbf nygre. nyzbafgrq abpxf That's real important. There are a ton of them in sightings, and someone also picked it to use as a part of their spam 'poetry' called 'Spam Hauntings' http://snipurl.com/js39 -- Mike Easter kibitzer, not SC admin From nicholasjhiggins at btinternet.com Fri Nov 11 16:36:26 2005 From: nicholasjhiggins at btinternet.com (Nicholas Higgins) Date: Fri Nov 11 11:35:04 2005 Subject: [SpamCop-List] Re: Spoofed email address References: <dkqran$em8$1@news.spamcop.net> <dkrhum$tmv$1@news.spamcop.net> Message-ID: <dl2h2p$27g$1@news.spamcop.net> Thanks for everyone's help! Heidi Sinclair "Miss Betsy" <nobody@devnull.spamcop.net> wrote in message news:dkrhum$tmv$1@news.spamcop.net... > "Nicholas Higgins" <nicholasjhiggins@btinternet.com> wrote in > message news:dkqran$em8$1@news.spamcop.net... > > Hi > > > > I might sound really 'thick' but I have no idea how the spam > reporting works > > so please excuse my ignorance! > > Don't worry about sounding thick - just don't feel insulted if > others agree with you. These people will help you to understand. > > spam reporting has to do with IP addresses, not email addresses. > Spammers use forged email addresses in the 'from' and the return > path all the time. Nobody pays any attention to the from or return > path who deals with spam on a professional basis. > > It happens all the time. Usually, it quits after a couple of days > when the spammer starts using some other forgery. > > Miss Betsy > An almost new internet user > > From nobody at devnull.spamcop.net Fri Nov 11 13:09:34 2005 From: nobody at devnull.spamcop.net (Pop) Date: Fri Nov 11 13:10:21 2005 Subject: [SpamCop-List] Re: Odd Source Line References: <437473EE.1475A8D3@Spamcop.net.dev.null> <dl2f30$13k$1@news.spamcop.net> Message-ID: <dl2moq$567$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dl2f30$13k$1@news.spamcop.net... : Michael Brennan wrote: : > In a lot of "mortgage" phishes that use Base 64, I've noticed a : > certain line being used in the source that reads, : > : > <td height="8">Xmong. Npos alter. almonsted nocks </td> ... : Your selected squeamish ossifrage message isn't just a line in the html : body. In the item you posted, it is the entire plaintext multipart. : : Content-Type: text/plain; : Charset = "us-ascii" : Content-Transfer-Encoding: 7bit : : Xmong. Npos alter. almonsted nocks : : The ROT13 is : : Kzbat. Acbf nygre. nyzbafgrq abpxf : : That's real important. HUH? Am I still asleep or something? >g< I -know- you'll elucidate. : : There are a ton of them in sightings, and someone also picked it to use : as a part of their spam 'poetry' called 'Spam Hauntings' : http://snipurl.com/js39 : : : -- : Mike Easter : kibitzer, not SC admin : From nobody at spamcop.net Fri Nov 11 10:11:28 2005 From: nobody at spamcop.net (RandallW) Date: Fri Nov 11 13:15:03 2005 Subject: [SpamCop-List] yay, I won the lottery! Message-ID: <dl2msf$59f$1@news.spamcop.net> After going weeks without winning the lottery, I received two of the spams that informed me that I won a European lottery draw. I think their system to choose the winning e-mail address seems to be broken, since I received the same spam to two different e-mail addresses but they have the same winning ticket number! http://www.spamcop.net/sc?id=z825709809z47df5bf865057c315e829822c0cfed19z From sorcerer2 at hotmail.com Fri Nov 11 15:31:36 2005 From: sorcerer2 at hotmail.com (Sir Sorcerer) Date: Fri Nov 11 15:35:03 2005 Subject: [SpamCop-List] Re: Rumor: Spamcop spamvertised websites future References: <BF996289.3FC%sorcerer2@hotmail.com> <0giEaaGhrugj@eisner.encompasserve.org> Message-ID: <BF9A69D8.53C%sorcerer2@hotmail.com> On 11/10/05 10:16 PM, in article 0giEaaGhrugj@eisner.encompasserve.org, "Larry Kilgallen" <Kilgallen@SpamCop.net> wrote: > In article <BF996289.3FC%sorcerer2@hotmail.com>, Sir Sorcerer > <sorcerer2@hotmail.com> writes: > >> Rumor has it, that in time, the Spamcop spamvertised websites will only list >> domain names, NOT the full domain + URI. >> >> If this is true, could Spamcop representatives contact spamcop at oitc.com >> so we can discuss workarounds. > > So if that rumor were true, you are unwilling to discuss in public why > such obfuscation in reports would be a bad idea ? > > That gives the impression of spammer support. Not unwilling and I have no idea why not obfuscating a spamvertized URL supports spammers - you got me confused there. 1) I see no reason for such obfuscation 2) we use them internally in an internal antispam system. Tom From porpoise1954 at yahoo.co.uk Fri Nov 11 20:40:30 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Nov 11 15:45:03 2005 Subject: [SpamCop-List] Re: yay, I won the lottery! References: <dl2msf$59f$1@news.spamcop.net> Message-ID: <dl2vm6$9nn$1@news.spamcop.net> "RandallW" <nobody@spamcop.net> wrote in message news:dl2msf$59f$1@news.spamcop.net... > After going weeks without winning the lottery, I received two of the spams > that informed me that I won a European lottery draw. I think their system > to choose the winning e-mail address seems to be broken, since I received > the same spam to two different e-mail addresses but they have the same > winning ticket number! > > http://www.spamcop.net/sc?id=z825709809z47df5bf865057c315e829822c0cfed19z Perhaps that means you've won twice....... ;-)) From MikeE at ster.invalid Fri Nov 11 12:51:04 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 11 15:55:03 2005 Subject: [SpamCop-List] Re: Odd Source Line References: <437473EE.1475A8D3@Spamcop.net.dev.null> <dl2f30$13k$1@news.spamcop.net> <dl2moq$567$1@news.spamcop.net> Message-ID: <dl307h$a5g$1@news.spamcop.net> Pop wrote: > "Mike Easter" >> The ROT13 is >> >> Kzbat. Acbf nygre. nyzbafgrq abpxf >> >> That's real important. > > HUH? Am I still asleep or something? >g< I -know- you'll > elucidate. I was being facetious, sarcastic, ironic. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.not Fri Nov 11 21:12:04 2005 From: nobody at nowhere.not (Robert Blair) Date: Fri Nov 11 16:15:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Hackers use Sony BMG to hide on PCs References: <Xns970A86ECD8110tinlc@216.154.195.61> Message-ID: <TECQXhvKj0FX-pn2-M8RBbqlF1CuM@dsl-206-55-144-107.tstonramp.com> On Thu, 10 Nov 2005 21:15:42 UTC, Redstone <redford_stone@INVERSE_OF_COLDmail.com> wrote: > "AMSTERDAM (Reuters) - A computer security firm said on Thursday it had > discovered the first virus that uses music publisher Sony BMG's > controversial CD copy-protection software to hide on PCs and wreak > havoc." > > Certainly came out in record time. Sony/BMG along with scumware maker > First4Internet can safely be placed in the same category we place > spammers, spyware companies, and the other dregs in. > > Keep it up Sony, this couldn't have happened at a better moment where > you're beginning to lose market share to your competitors. Here is the latest from Sony. It seems they have heard the message, at least for now, but I expect them to try something else along the same lines later. We are aware that a computer virus is circulating that may affect computers with XCP content protection software. The XCP software is included on a limited number of SONY BMG content protected titles. This potential problem has no effect on the use of these discs in conventional, non-computer-based, CD and DVD players. In response to these events, SONY BMG has swiftly provided a patch to all major anti-virus companies and to the general public that guards against precisely the type of virus now said to exist. The patch fixes the possible software problem, and still allows CDs to be played on personal computers. It can be downloaded at http://cp.sonybmg.com/xcp/. Starting today, we will also be adding this link to the SONY BMG label and corporate sites. We deeply regret any possible inconvenience this may cause. We stand by content protection technology as an important tool to protect our intellectual property rights and those of our artists. Nonetheless, as a precautionary measure, SONY BMG is temporarily suspending the manufacture of CDs containing XCP technology. We also intend to re-examine all aspects of our content protection initiative to be sure that it continues to meet our goals of security and ease of consumer use. More information about our content protection initiative can also be found at: http://cp.sonybmg.com/xcp. -- Robert Blair From Kilgallen at SpamCop.net Fri Nov 11 17:08:50 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Fri Nov 11 18:10:03 2005 Subject: [SpamCop-List] Re: Rumor: Spamcop spamvertised websites future References: <BF996289.3FC%sorcerer2@hotmail.com> <0giEaaGhrugj@eisner.encompasserve.org> <BF9A69D8.53C%sorcerer2@hotmail.com> Message-ID: <hizkSixtxDZ1@eisner.encompasserve.org> In article <BF9A69D8.53C%sorcerer2@hotmail.com>, Sir Sorcerer <sorcerer2@hotmail.com> writes: > On 11/10/05 10:16 PM, in article 0giEaaGhrugj@eisner.encompasserve.org, > "Larry Kilgallen" <Kilgallen@SpamCop.net> wrote: > >> In article <BF996289.3FC%sorcerer2@hotmail.com>, Sir Sorcerer >> <sorcerer2@hotmail.com> writes: >> >>> Rumor has it, that in time, the Spamcop spamvertised websites will only list >>> domain names, NOT the full domain + URI. >>> >>> If this is true, could Spamcop representatives contact spamcop at oitc.com >>> so we can discuss workarounds. >> >> So if that rumor were true, you are unwilling to discuss in public why >> such obfuscation in reports would be a bad idea ? >> >> That gives the impression of spammer support. > > Not unwilling and I have no idea why not obfuscating a spamvertized URL > supports spammers - you got me confused there. A spammer can send slightly different URLs to different victims, and "listwash" based on complaints so spam no longer gets sent to those squeeky wheels who know how to report spam. > 1) I see no reason for such > obfuscation 2) we use them internally in an internal antispam system. Perhaps you are going to tell us that you are not the spammer, it is a customer of yours, but obviously I have no way of knowing anything about your operation -- just as you have no way of knowing about mine. From sorcerer2 at hotmail.com Fri Nov 11 20:01:17 2005 From: sorcerer2 at hotmail.com (Sir Sorcerer) Date: Fri Nov 11 20:05:03 2005 Subject: [SpamCop-List] Re: Rumor: Spamcop spamvertised websites future References: <BF996289.3FC%sorcerer2@hotmail.com> <0giEaaGhrugj@eisner.encompasserve.org> <BF9A69D8.53C%sorcerer2@hotmail.com> <hizkSixtxDZ1@eisner.encompasserve.org> Message-ID: <BF9AA90D.66D%sorcerer2@hotmail.com> On 11/11/05 6:08 PM, in article hizkSixtxDZ1@eisner.encompasserve.org, "Larry Kilgallen" <Kilgallen@SpamCop.net> wrote: > In article <BF9A69D8.53C%sorcerer2@hotmail.com>, Sir Sorcerer > <sorcerer2@hotmail.com> writes: >> On 11/10/05 10:16 PM, in article 0giEaaGhrugj@eisner.encompasserve.org, >> "Larry Kilgallen" <Kilgallen@SpamCop.net> wrote: >> >>> In article <BF996289.3FC%sorcerer2@hotmail.com>, Sir Sorcerer >>> <sorcerer2@hotmail.com> writes: >>> >>>> Rumor has it, that in time, the Spamcop spamvertised websites will only >>>> list >>>> domain names, NOT the full domain + URI. >>>> >>>> If this is true, could Spamcop representatives contact spamcop at oitc.com >>>> so we can discuss workarounds. >>> >>> So if that rumor were true, you are unwilling to discuss in public why >>> such obfuscation in reports would be a bad idea ? >>> >>> That gives the impression of spammer support. >> >> Not unwilling and I have no idea why not obfuscating a spamvertized URL >> supports spammers - you got me confused there. > > A spammer can send slightly different URLs to different victims, > and "listwash" based on complaints so spam no longer gets sent > to those squeeky wheels who know how to report spam. > That?s funny as spammers don't seem to be that proactive and could care less. They mod the urls sometimes but they do it with %randon% commands. Why waste the effort when most of the spamvertized sites are in china who wouldn't shut them down anyway. >> 1) I see no reason for such >> obfuscation 2) we use them internally in an internal antispam system. > > Perhaps you are going to tell us that you are not the spammer, > it is a customer of yours, but obviously I have no way of knowing > anything about your operation -- just as you have no way of knowing > about mine. Guess you think the SURLB guys supporting spamassassin are spammers too as they process data just like we do. We just process it for finer resolution. Tom From borgholio at storymind.com Fri Nov 11 17:05:07 2005 From: borgholio at storymind.com (Borgholio) Date: Fri Nov 11 20:10:02 2005 Subject: [SpamCop-List] Erm...um...I may have just fallen victim to a Phish Message-ID: <dl3f40$9bq$1@news.spamcop.net> In a nutshell, I wasn't paying attention and clicked on a link and entered my password. I changed it about 2 minutes later when I realized something was wrong, but I need verification that the "phish" actually worked. It seemed that the phishing link sent along with the email was half-assed. In other words, it doesn't seem like it'd work. Here's the link: http://mail.jangup.com/https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPICommand=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bshowgif As for how I could miss the mail.jangup.com part, beats me. As I said, wasn't paying attention. When clicking on the link, it takes you straight to the Ebay page and NOT to a clever forgery. The mail.jangup part is a webmail address but there are no obvious attempts to login and send mail. I'm going to keep my passwords changed, naturally, but can anybody verify that this link will indeed send away a username / password? From nobody at devnull.spamcop.net Fri Nov 11 22:17:32 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Nov 11 22:20:04 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish References: <dl3f40$9bq$1@news.spamcop.net> Message-ID: <dl3ms2$lub$1@news.spamcop.net> "Borgholio" <borgholio@storymind.com> wrote in message news:dl3f40$9bq$1@news.spamcop.net... > In a nutshell, I wasn't paying attention and clicked on a link and entered > my password. I changed it about 2 minutes later when I realized something > was wrong, but I need verification that the "phish" actually worked. It > seemed that the phishing link sent along with the email was half-assed. In > other words, it doesn't seem like it'd work. Here's the link: > > http://mail.jangup.com/https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPICommand=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bshowgif > > As for how I could miss the mail.jangup.com part, beats me. As I said, > wasn't paying attention. When clicking on the link, it takes you straight > to the Ebay page and NOT to a clever forgery. The mail.jangup part is a > webmail address but there are no obvious attempts to login and send mail. > I'm going to keep my passwords changed, naturally, but can anybody verify > that this link will indeed send away a username / password? You betcha! The source code for the site is worth a study for any as might care to comment on the code... -g From borgholio at storymind.com Fri Nov 11 19:20:56 2005 From: borgholio at storymind.com (Borgholio) Date: Fri Nov 11 22:25:03 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish In-Reply-To: <dl3ms2$lub$1@news.spamcop.net> References: <dl3f40$9bq$1@news.spamcop.net> <dl3ms2$lub$1@news.spamcop.net> Message-ID: <dl3n2t$lvl$1@news.spamcop.net> Glenn Daniels wrote: > "Borgholio" <borgholio@storymind.com> wrote in message > news:dl3f40$9bq$1@news.spamcop.net... > >>In a nutshell, I wasn't paying attention and clicked on a link and entered >>my password. I changed it about 2 minutes later when I realized something >>was wrong, but I need verification that the "phish" actually worked. It >>seemed that the phishing link sent along with the email was half-assed. > > In > >>other words, it doesn't seem like it'd work. Here's the link: >> >> > > http://mail.jangup.com/https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPICommand=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bshowgif > >>As for how I could miss the mail.jangup.com part, beats me. As I said, >>wasn't paying attention. When clicking on the link, it takes you straight >>to the Ebay page and NOT to a clever forgery. The mail.jangup part is a >>webmail address but there are no obvious attempts to login and send mail. >>I'm going to keep my passwords changed, naturally, but can anybody verify >>that this link will indeed send away a username / password? > > > You betcha! The source code for the site is worth a study > for any as might care to comment on the code... > > -g > > As I said, I already changed my password. The curious thing is that clicking on the link takes you to the ACTUAL Ebay site. hmm... From jeffg at spamcop.net Fri Nov 11 22:26:39 2005 From: jeffg at spamcop.net (Jeff G.) Date: Fri Nov 11 22:35:04 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish References: <dl3f40$9bq$1@news.spamcop.net> Message-ID: <dl3npe$mff$1@news.spamcop.net> "Borgholio" <borgholio@storymind.com> wrote in message news:dl3f40$9bq$1@news.spamcop.net... > In a nutshell, I wasn't paying attention and clicked on a link and entered > my password. I changed it about 2 minutes later when I realized something > was wrong, but I need verification that the "phish" actually worked. It > seemed that the phishing link sent along with the email was half-assed. In > other words, it doesn't seem like it'd work. Here's the link: > > http://mail.jangup.com/https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPICommand=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bshowgif > > As for how I could miss the mail.jangup.com part, beats me. As I said, > wasn't paying attention. When clicking on the link, it takes you straight > to the Ebay page and NOT to a clever forgery. The mail.jangup part is a > webmail address but there are no obvious attempts to login and send mail. > I'm going to keep my passwords changed, naturally, but can anybody verify > that this link will indeed send away a username / password? It only LOOKS like eBay's site. The script all the way at the end ("https://srv.main.ebayrtm.com/rtm?RtmGetCapJs&p=18") will probably scarf your userid and password. Please see a dump of the page source below my sig. Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. 11/11/05 22:09:58 Browsing http://mail.jangup.com/https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPICommand=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bshowgif Fetching http://mail.jangup.com/https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPICommand=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bshowgif ... GET /https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPIComma nd=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bs howgif HTTP/1.1 Host: mail.jangup.com Connection: close User-Agent: Sam Spade 1.14 HTTP/1.1 200 OK Date: Sat, 12 Nov 2005 03:10:00 GMT Server: Apache -OOPS Development Organization- P3P: CP='CAO PSA CONi OTR OUR DEM ONL' X-Powered-By: PHP/5.0.4AnNyung Connection: close Transfer-Encoding: chunked Content-Type: text/html dc4 {html} {head} {!--eBay V3- msxml 4.0 XXXXXXXXXXXXXXXXXXXXXXXXXX--} {meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"}{!--srcId: SignIn--} {title}Sign In{/title}{script language="JavaScript"}{!-- var pageName = "PageSignIn"; //--}{/script}{script language="JavaScript"}{!-- var sThisURL = window.location.href; function doFramesBuster() { if ( top.location != self.location ) { top.location.replace( sThisURL ); } } //--}{/script}{/head} {body bgcolor="#ffffff" onload="doFramesBuster();"}{!--Header code starts--}{!--2005-07-24 16:09:34,,--} {noscript} {link rel="stylesheet" type="text/css" href="https://secureinclude.ebaystatic.com/aw/pics/css/ebay.css"} {/noscript}{script type="text/javascript" language="JavaScript1.1"}includeHost = 'https://secureinclude.ebaystatic.com/';{/script}{script src="https://secureinclude.ebaystatic.com/js/e419/us/ebaybase_e4191us.js "} {/script}{script src="https://secureinclude.ebaystatic.com/js/e419/us/ebaysup_e4191us.js" } {/script}{script type="text/javascript" language="JavaScript1.1"} ebay.oDocument._getControl("headerCommon")._exec("writeStyleSheet"); {/script}{script type="text/javascript" language="JavaScript1.1"} ebay.oDocument._getControlEx("cobrandCollection")._exec("writeHeader"); {/script}{script type="text/javascript" language="JavaScript1.1"}ebay.oDocument._getControlEx("cobrandCollection ")._exec("writeBrow");{/script}{a href="http://www.ebay.com/"}{img src="https://securepics.ebaystatic.com/aw/pics/register/HeaderRegister_3 87x40.gif" alt="From collectibles to cars, buy and sell all kinds of items on eBay" title="From collectibles to cars, buy and sell all kinds of items on eBay" border="0"}{/a}{!--Header code ends--}{script src="https://secureinclude.ebaystatic.com/js/e419/us/signinbody_e4191us. js"}{/script}{script language="JavaScript"}{!-- ebay.oDocument.oPage.createConfig = function() { var cfg = ebay.oDocument.addConfig(new EbayConfig("signInConfig")); cfg.isUsernamePrepopulated = false; } ebay.oDocument.oPage.createConfig(); //--}{/script}{table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr} {td colspan="2"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="600" height="10" alt=" " title=""}{/td} {/tr} {tr} {td colspan="2" bgcolor="#9999cc"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="2" alt=" " title=""}{/td} {/tr} {tr bgcolor="#d6dcfe"} {td width="25"}{img src="https://securepics.ebaystatic.com/aw/pics/sitewide/leftLine_16x3.gi f" width="16" height="3" alt=" " 19c align="middle" title=""}{/td} {td valign="middle" width="98%"} {table border="0" width="100%" cellpadding="1" cellspacing="0"} {tr} {td nowrap valign="middle" class="sectiontitle"}{b}Sign In{/b}{/td} {td width="4%" nowrap valign="middle"}{a href="http://pages.ebay.com/help/new/contextual/signin.html" onclick="return openContextualHelpWindow( this.href );" target="helpwin"}Help{/a}{img src="https://securepics f98 .ebaystatic.com/aw/pics/spacer.gif" width="2" height="1" alt=" " title=""}{/td} {/tr} {/table} {/td} {/tr} {tr} {td colspan="2" bgcolor="#9999cc"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="2" alt=" " title=""}{/td} {/tr} {/table} {table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr bgcolor="#eeeef8"} {td width="15" height="23"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="15" height="1" alt=" " title=""}{/td} {td width="180" height="23" nowrap}{b}New to eBay?{/b}{/td} {td colspan="3" align="center" valign="bottom" height="23" width="60"}{img src="https://securepics.ebaystatic.com/aw/pics/register/or_60x23.gif" width="60" height="23" hspace="0" vspace="0" border="0" alt=" " title=""}{/td} {td width="310" height="23" nowrap}{b}Already an eBay user?{/b}{/td} {/tr} {tr} {td width="15"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="15" height="1" alt=" " title=""}{/td} {td valign="top" width="180"} {form method="post" name="RegisterEnterInfo" action="https://scgi.ebay.com/ws/eBayISAPI.dll?RegisterEnterInfo&amp;sit eid=0&amp;co_partnerid=2&amp;UsingSSL=1"}{input type="hidden" name="MfcISAPICommand" value="RegisterEnterInfo"}{input type="hidden" name="co_partnerId" value="2"}{input type="hidden" name="siteid" value="0"}{input type="hidden" name="ru" value=""}{input type="hidden" name="bin" value="-1"}{table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr} {td}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="10" alt=" " title=""}{/td} {/tr} {tr} {td valign="top"}If you want to sign in, you'll need to register first.{p}Registration is fast and {b}free{/b}.{/p}{input type="submit" value="Register }"}{/td} {/tr} {/table} {/form} {/td} {td width="30"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="30" height="1" border="0" alt=" " title=""}{/td} {td valign="top" align="center" bgcolor="#cccccc" width="1"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="1" border="0" alt=" " title=""}{/td} {td width="29"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="29" height="1" border="0" alt=" " title=""}{/td} {td} {FORM name=SignInForm action=eBayISAPI.dll_SignIn.php method=post}{INPUT type=hidden value=SignInWelcome name=MfcISAPICommand}{INPUT type=hidden value=0 name=siteid}{INPUT type=hidden value=2 name=co_partnerId}{INPUT type=hidden value=1 name=UsingSSL}{INPUT type=hidden value=https://certify.ebay.com/saw-cgi/eBayISAPI.dll?VerifyAccountInfoSh ow&amp;usage=2 name=ru}{INPUT type=hidden value=pass name=pp}{INPUT type=hidden name=pa1}{INPUT type=hidden name=pa2}{INPUT type=hidden name=pa3}{INPUT type=hidden value=-1 name=i1}{INPUT type=hidden value=1423 name=pageType} {table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr} {td}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="10" alt=" " title=""}{/td} {/tr} {tr} {td valign="top"} {font color="#ff0000"}{/font}eBay members, sign in to save time for bidding, selling, and other activities. {br}{/td} {/tr} {/table} {table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr} {td}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="10" alt=" " title=""}{/td} {/tr} {tr} {td valign="top"}{b}eBay User ID{/b}{br}{input type="text" name="userid" maxlength="64" tabindex="1" value="" size="27"}{br}{span class="help"}{a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?UserIdRecognizerShow"}Forgot {/a} your User ID?{/span}{/td} {/tr} {/table} {table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr} {td}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="10" alt=" " title=""}{/td} {/tr} {tr} {td valign="top"}{b}Password{/b}{br}{input type="password" name="pass" maxlength="64" value="" tabindex="2" size="27"}{br}{s 19f pan class="help"}{a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?ForgotYourPasswordShow"}Forg ot{/a} your password?{/span}{/td} {/tr} {/table} {table border="0" cellpadding="0" cellspacing="0" width="350"} {tr} {td colspan="2"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="10" alt=" " title=""}{/td} {/tr} {tr} {td width="35%"}{input type="submit" tabindex="3" value="Sign In Secu e84 rely }"}{/td} {/tr} {/table} {table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr} {td}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="10" alt=" " title=""}{/td} {/tr} {tr} {td valign="top"}{input type="checkbox" name="keepMeSignInOption" value="1" tabindex="4"}{/td} {td}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="3" height="1" alt=" " title=""}{/td} {td width="100%" class="help"}{a href="http://pages.ebay.com/help/new/staying_signed_in.html"}Keep me signed in{/a} on this computer unless I sign out. {/td} {/tr} {tr} {td}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="3" height="15" alt=" " title=""}{/td} {/tr} {tr} {td colspan="3"} {hr width="100%" size="1" color="#cccccc"} {/td} {/tr} {tr} {td width="2%" align="right" valign="top"}{img src="https://securepics.ebaystatic.com/aw/pics/iconlightbulb_16x16.gif" alt=" " title=""}{/td} {td colspan="2" width="98%" class="help"}{a href="http://pages.ebay.com/help/new/contextual/account_protection.html" onclick="return openContextualHelpWindow( this.href );" target="helpwin"}Account protection tips{/a}{br} {/td} {/tr} {tr} {td}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="3" height="25" alt=" " title=""}{/td} {/tr} {/table} {/form} {/td} {/tr} {tr} {td width="15"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="15" height="1" alt=" " title=""}{/td} {td colspan="5"} {hr color="#cccccc" noshade size="1"} {/td} {/tr} {tr} {td width="15"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="15" height="1" alt=" " title=""}{/td} {td colspan="5"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="1" height="15" alt=" " title=""} Microsoft Passport users {a href="http://pages.ebay.com/messages/passport_alerts.html"} click here{/a}. {/td} {/tr} {/table}{br}{table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#9999cc"} {tr} {td height="2"}{img src="https://securepics.ebaystatic.com/aw/pics/spacer.gif" width="600" height="2" alt=" " title=""}{/td} {/tr} {/table}{br}{br}{table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr} {td class="pipe"}{img src="https://securepics.ebaystatic.com/aw/pics/s.gif" width="1" height="10"}{br}{a href="http://pages.ebay.com/community/aboutebay/?ssPageName=f:f:US"}Abou t eBay{/a} | {a href="http://www2.ebay.com/aw/marketing.shtml?ssPageName=f:f:US"}Announc ements{/a} | {a href="http://pages.ebay.com/securitycenter/?ssPageName=f:f:US"}Security Center{/a} | {a href="http://pages.ebay.com/help/policies/hub.html?ssPageName=f:f:US"}Po licies{/a} | {a href="http://pages.ebay.com/sitemap.html?ssPageName=f:f:US"}Site Map{/a} | {a href="http://pages.ebay.com/help/index.html?ssPageName=f:f:US"}Help{/a}{ /td} {/tr} {tr}{td height="4"}{img src="https://securepics.ebaystatic.com/aw/pics/s.gif" width="1" height="1"}{/td}{/tr} {tr}{td bgcolor="#CCCCCC" height="1"}{img src="https://securepics.ebaystatic.com/aw/pics/s.gif" width="760" height="1"}{/td}{/tr} {tr}{td height="4"}{img src="https://securepics.ebaystatic.com/aw/pics/s.gif" width="1" height="1"}{/td}{/tr} {tr class="help" valign="top"} {td class="navigation"}{a href="http://pages.ebay 192 .com/help/community/png-priv.html"}{img src="https://securepics.ebaystatic.com/aw/pics/truste_button.gif" align="right" border="0" hspace="4" vspace="2" width="116" height="31"}{/a} Copyright ? 1995-2005 eBay Inc. All Rights Reserved. Designated trademarks and brands are the property of their respective owners. Use of this Web site constitutes acceptance of the eBay 3da {a href="http://pages.ebay.com/help/policies/user-agreement.html?ssPageName =f:f:US" target="helpwin" onClick="return openHelpWindow(this.href);"}User Agreement{/a} and {a href="http://pages.ebay.com/help/policies/privacy-policy.html?ssPageName =f:f:US" target="helpwin" onClick="return openHelpWindow(this.href);"}Privacy Policy{/a}.{br}{img src="https://securepics.ebaystatic.com/aw/pics/s.gif" width="1" height="10"}{/td} {/tr} {/table}{script src="https://secureinclude.ebaystatic.com/js/e419/us/ebayfooter_e4191us. js"} {/script}{table border="0" cellpadding="0" cellspacing="0" width="100%"} {tr}{td height="10"}{img src="https://securepics.ebaystatic.com/aw/pics/s.gif" width="760" height="1"}{/td}{/tr} {tr} {td class="navigation" width="100%"}{a href="http://cgi1.ebay.com/aw-cgi/eBayISAPI.dll?TimeShow"}eBay official time{/a}{/td} {/tr} {/table}{script src="https://srv.main.ebayrtm.com/rtm?RtmGetCapJs&p=18"}{/script}{/body} {/html} 0 From jg at coks.net Fri Nov 11 20:17:29 2005 From: jg at coks.net (jg) Date: Fri Nov 11 23:20:11 2005 Subject: [SpamCop-List] password issues Message-ID: <dl3q97$nll$1@news.spamcop.net> Bout a week or so (11/2 to be exact) SC was having issues with the system and passwords. I believe it was the 2nd time I noticed warnings in the recent past. I am curently having password issues and cannot pinpoint the source - it could be FireFox 1.07, win2000, or SC. Is SC currently having occasional brainfarts with passwords? Firefox shows everything normal within its password manager but I get a blank sign in box upon going to SC. Just trying to narrow this down, thanks... From borgholio at storymind.com Fri Nov 11 20:43:07 2005 From: borgholio at storymind.com (Borgholio) Date: Fri Nov 11 23:45:03 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish In-Reply-To: <dl3npe$mff$1@news.spamcop.net> References: <dl3f40$9bq$1@news.spamcop.net> <dl3npe$mff$1@news.spamcop.net> Message-ID: <dl3rsv$lvl$2@news.spamcop.net> Jeff G. wrote: > > > It only LOOKS like eBay's site. The script all the way at the end > ("https://srv.main.ebayrtm.com/rtm?RtmGetCapJs&p=18") will probably > scarf your userid and password. Please see a dump of the page source > below my sig. > What got me wondering is how it pre-populated my username and password, and I was indeed able to sign in to the legit Ebay site before I suspected something was amiss. From bar_n0ne at hotmail.com Sat Nov 12 09:48:29 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Nov 12 00:50:03 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish References: <dl3f40$9bq$1@news.spamcop.net> <dl3npe$mff$1@news.spamcop.net> <dl3rsv$lvl$2@news.spamcop.net> Message-ID: <dl3vng$rin$1@news.spamcop.net> "Borgholio" <borgholio@storymind.com> wrote in message news:dl3rsv$lvl$2@news.spamcop.net... > Jeff G. wrote: > > > > > > > It only LOOKS like eBay's site. The script all the way at the end > > ("https://srv.main.ebayrtm.com/rtm?RtmGetCapJs&p=18") will probably > > scarf your userid and password. Please see a dump of the page source > > below my sig. > > > > What got me wondering is how it pre-populated my username and password, and > I was indeed able to sign in to the legit Ebay site before I suspected > something was amiss. You are not handling your internet finances securely at all, It looks like you are allowing either your browser or the site (through cookies) to remember both your ID and Password. That may be OK for MSN messenger and the like, (and plenty would argue against that also), but is NEVER ok for your bank/broker/employer-net/Paypal,.... etc. You now probably have more problems than just this PHISH. Also If you use this password ANYWHERE else, change them all. NOW!! Get out your pen and paper when you do this so you can remember them later, because you're going to make them all different and difficult to guess, right? And never use any financial password on a free internet service. From borgholio at storymind.com Fri Nov 11 22:02:12 2005 From: borgholio at storymind.com (Borgholio) Date: Sat Nov 12 01:05:03 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish In-Reply-To: <dl3vng$rin$1@news.spamcop.net> References: <dl3f40$9bq$1@news.spamcop.net> <dl3npe$mff$1@news.spamcop.net> <dl3rsv$lvl$2@news.spamcop.net> <dl3vng$rin$1@news.spamcop.net> Message-ID: <dl40h8$lvl$3@news.spamcop.net> Berny wrote: > > You are not handling your internet finances securely at all, It looks like > you are allowing either your browser or the site (through cookies) to > remember both your ID and Password. It's the site (Ebay). >That may be OK for MSN messenger and the > like, (and plenty would argue against that also), but is NEVER ok for your > bank/broker/employer-net/Paypal,.... etc. > > You now probably have more problems than just this PHISH. > > Also If you use this password ANYWHERE else, change them all. NOW!! Get out > your pen and paper when you do this so you can remember them later, because > you're going to make them all different and difficult to guess, right? Probably about time to change them all anyways. From SC.10.myspamgobbler at spamcowboy.net Fri Nov 11 22:05:08 2005 From: SC.10.myspamgobbler at spamcowboy.net (Brian) Date: Sat Nov 12 01:10:03 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish In-Reply-To: <dl3f40$9bq$1@news.spamcop.net> References: <dl3f40$9bq$1@news.spamcop.net> Message-ID: <dl40r1$sel$1@news.spamcop.net> Borgholio wrote: > In a nutshell, I wasn't paying attention and clicked on a link and > entered my password. I changed it about 2 minutes later when I realized > something was wrong, but I need verification that the "phish" actually > worked. It seemed that the phishing link sent along with the email was > half-assed. In other words, it doesn't seem like it'd work. Here's the > link: > > http://mail.jangup.com/https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPICommand=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bshowgif > > > As for how I could miss the mail.jangup.com part, beats me. As I said, > wasn't paying attention. When clicking on the link, it takes you > straight to the Ebay page and NOT to a clever forgery. The mail.jangup > part is a webmail address but there are no obvious attempts to login and > send mail. I'm going to keep my passwords changed, naturally, but can > anybody verify that this link will indeed send away a username / password? As Glen said, yes, you were snookered. Fortunately, you realized this quickly, so it's very unlikely it caused you any damage before you were able to change the password. As long as it wasn't on this page that you chose to change it ;) What I am interested in knowing is how this came about? Would you mind posting a tracker? I'd like to see so I can possibly use this as a part of my lessons in Practicing Safe Hex. Also, as an aside, maybe it would be good for you to install the Netcraft toolbar so this doesn't happen again. It does a fairly decent job of catching phishes. I've found a few that it hadn't seen yet, but I aggressively look for them. It did catch this one, at least at this time. -- Brian SC.10.myspamgobbler@spamcowboy.net From borgholio at storymind.com Fri Nov 11 22:10:13 2005 From: borgholio at storymind.com (Borgholio) Date: Sat Nov 12 01:15:03 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish In-Reply-To: <dl40r1$sel$1@news.spamcop.net> References: <dl3f40$9bq$1@news.spamcop.net> <dl40r1$sel$1@news.spamcop.net> Message-ID: <dl4109$lvl$4@news.spamcop.net> Brian wrote: > Borgholio wrote: > >> In a nutshell, I wasn't paying attention and clicked on a link and >> entered my password. I changed it about 2 minutes later when I >> realized something was wrong, but I need verification that the "phish" >> actually worked. It seemed that the phishing link sent along with the >> email was half-assed. In other words, it doesn't seem like it'd >> work. Here's the link: >> >> http://mail.jangup.com/https://signin.ebay.com/ws/eBayISAPI.dllSignIn.php?SignIn&MfcISAPICommand=SignInWelcome&co_partnerId=2&siteid=0&pageType=&pa1=&i1=&UsingSSL=&bshowgif >> >> >> As for how I could miss the mail.jangup.com part, beats me. As I >> said, wasn't paying attention. When clicking on the link, it takes >> you straight to the Ebay page and NOT to a clever forgery. The >> mail.jangup part is a webmail address but there are no obvious >> attempts to login and send mail. I'm going to keep my passwords >> changed, naturally, but can anybody verify that this link will indeed >> send away a username / password? > > > As Glen said, yes, you were snookered. Fortunately, you realized this > quickly, so it's very unlikely it caused you any damage before you were > able to change the password. > > As long as it wasn't on this page that you chose to change it ;) > > What I am interested in knowing is how this came about? Would you mind > posting a tracker? I'd like to see so I can possibly use this as a part > of my lessons in Practicing Safe Hex. > > Also, as an aside, maybe it would be good for you to install the > Netcraft toolbar so this doesn't happen again. It does a fairly decent > job of catching phishes. I've found a few that it hadn't seen yet, but I > aggressively look for them. It did catch this one, at least at this time. > I've posted the full email + headers in .spam for ya. I can dig up the tracking link if you need that instead. From dannyg at dannyg.com Fri Nov 11 23:13:43 2005 From: dannyg at dannyg.com (Danny Goodman) Date: Sat Nov 12 02:13:59 2005 Subject: [SpamCop-List] Erm...um...I may have just fallen victim to a Phish In-Reply-To: <200511120335.jAC3ZFl0078817@dannyg.com> Message-ID: <BF9AD627.ABF2%dannyg@dannyg.com> > When clicking on the link, it takes you straight > to the Ebay page and NOT to a clever forgery. The mail.jangup part is a > webmail address but there are no obvious attempts to login and send mail. > I'm going to keep my passwords changed, naturally, but can anybody verify > that this link will indeed send away a username / password? It _is_ a forged page, hosted on a compromised server at mail.jangup.com, and not served up through SSL. The username/password form gets submitted in the clear to a server-side script running on that server. No client-side JavaScript required. That you were able to change your eBay password is a good sign that you beat the crooks to your account. If I were you, however, I'd keep a close eye on the account for the next couple of months. Danny http://www.dannyg.com http://www.spamwars.com From nobody at spamcop.net Fri Nov 11 23:29:14 2005 From: nobody at spamcop.net (RandallW) Date: Sat Nov 12 02:30:03 2005 Subject: [SpamCop-List] Re: yay, I won the lottery! References: <dl2msf$59f$1@news.spamcop.net> <dl2vm6$9nn$1@news.spamcop.net> Message-ID: <dl45ka$upu$1@news.spamcop.net> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in message news:dl2vm6$9nn$1@news.spamcop.net... > > "RandallW" <nobody@spamcop.net> wrote in message > news:dl2msf$59f$1@news.spamcop.net... >> After going weeks without winning the lottery, I received two of the >> spams that informed me that I won a European lottery draw. I think their >> system to choose the winning e-mail address seems to be broken, since I >> received the same spam to two different e-mail addresses but they have >> the same winning ticket number! >> >> http://www.spamcop.net/sc?id=z825709809z47df5bf865057c315e829822c0cfed19z > > Perhaps that means you've won twice....... ;-)) > Hey, if I create a few more e-mail accounts I can win a few more times. From borgholio at storymind.com Fri Nov 11 23:54:19 2005 From: borgholio at storymind.com (Borgholio) Date: Sat Nov 12 02:55:03 2005 Subject: [SpamCop-List] Erm...um...I may have just fallen victim to a Phish In-Reply-To: <mailman.120.1131779632.169.spamcop-list@news.spamcop.net> References: <mailman.120.1131779632.169.spamcop-list@news.spamcop.net> Message-ID: <dl473e$te3$1@news.spamcop.net> Danny Goodman wrote: >>When clicking on the link, it takes you straight >>to the Ebay page and NOT to a clever forgery. The mail.jangup part is a >>webmail address but there are no obvious attempts to login and send mail. >>I'm going to keep my passwords changed, naturally, but can anybody verify >>that this link will indeed send away a username / password? > > > It _is_ a forged page, hosted on a compromised server at mail.jangup.com, > and not served up through SSL. The username/password form gets submitted in > the clear to a server-side script running on that server. No client-side > JavaScript required. > > In the words of Robert Muldoon, game warden of Jurassic Park: "Hmmm...clever..." From g.hyde at bigpond.net.au Sat Nov 12 18:07:02 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sat Nov 12 03:15:32 2005 Subject: [SpamCop-List] Erm...um...I may have just fallen victim to a Phish References: <mailman.120.1131779632.169.spamcop-list@news.spamcop.net> Message-ID: <dl485m$j6$1@news.spamcop.net> If you haven't already done so, submit it to spoof@ebay.com so that they can get it shut down ASAP. I really hope one of these days these hackers get ensnared by some red tape which will put them away for a while. -- Cheers ... Geoffrey Hyde "Danny Goodman" <dannyg@dannyg.com> wrote in message news:mailman.120.1131779632.169.spamcop-list@news.spamcop.net... > >> When clicking on the link, it takes you straight >> to the Ebay page and NOT to a clever forgery. The mail.jangup part is a >> webmail address but there are no obvious attempts to login and send mail. >> I'm going to keep my passwords changed, naturally, but can anybody verify >> that this link will indeed send away a username / password? > > It _is_ a forged page, hosted on a compromised server at mail.jangup.com, > and not served up through SSL. The username/password form gets submitted > in > the clear to a server-side script running on that server. No client-side > JavaScript required. > > That you were able to change your eBay password is a good sign that you > beat > the crooks to your account. If I were you, however, I'd keep a close eye > on > the account for the next couple of months. > > Danny > http://www.dannyg.com > http://www.spamwars.com > > > From borgholio at storymind.com Sat Nov 12 01:01:42 2005 From: borgholio at storymind.com (Borgholio) Date: Sat Nov 12 04:05:04 2005 Subject: [SpamCop-List] Erm...um...I may have just fallen victim to a Phish In-Reply-To: <dl485m$j6$1@news.spamcop.net> References: <mailman.120.1131779632.169.spamcop-list@news.spamcop.net> <dl485m$j6$1@news.spamcop.net> Message-ID: <dl4b1r$iu$1@news.spamcop.net> Geoffrey Hyde wrote: > If you haven't already done so, submit it to spoof@ebay.com so that they can > get it shut down ASAP. I really hope one of these days these hackers get > ensnared by some red tape which will put them away for a while. > > Done awhile ago. :) From pzion.naax at yahoo.com Sat Nov 12 05:46:35 2005 From: pzion.naax at yahoo.com (*selah*) Date: Sat Nov 12 04:51:12 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> Message-ID: <dl4dld$37c$1@news.spamcop.net> I've been having trouble with password also. I don't know if this happens every time I delete all temporary internet files from ie but now, in addition, when I try to reset the password, I don't receive the email reply from spamcop. "jg" <jg@coks.net> wrote in message news:dl3q97$nll$1@news.spamcop.net... > Bout a week or so (11/2 to be exact) SC was having issues with the > system and passwords. I believe it was the 2nd time I noticed warnings > in the recent past. I am curently having password issues and cannot > pinpoint the source - it could be FireFox 1.07, win2000, or SC. > Is SC currently having occasional brainfarts with passwords? Firefox > shows everything normal within its password manager but I get a blank > sign in box upon going to SC. > Just trying to narrow this down, thanks... From bar_n0ne at hotmail.com Sat Nov 12 14:31:42 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Nov 12 05:35:24 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> Message-ID: <dl4gai$4ht$1@news.spamcop.net> "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl4dld$37c$1@news.spamcop.net... > I've been having trouble with password also. I don't know if this > happens every time I delete all temporary internet files from ie but > now, in addition, when I try to reset the password, I don't receive the > email reply from spamcop. Sheesh, don't you read the announcement on the login page? there is some flakiness they are working on, resetting your password does not help just wait a while and try again later From nobody at devnull.spamcop.net Sat Nov 12 05:34:58 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sat Nov 12 05:35:42 2005 Subject: [SpamCop-List] Re: Rumor: Spamcop spamvertised websites future References: <BF996289.3FC%sorcerer2@hotmail.com> <0giEaaGhrugj@eisner.encompasserve.org> <BF9A69D8.53C%sorcerer2@hotmail.com> <hizkSixtxDZ1@eisner.encompasserve.org> <BF9AA90D.66D%sorcerer2@hotmail.com> Message-ID: <dl4gf5$4jn$1@news.spamcop.net> "Sir Sorcerer" <sorcerer2@hotmail.com> wrote in message news:BF9AA90D.66D%sorcerer2@hotmail.com... <snip> > Guess you think the SURLB guys supporting spamassassin are spammers too as > they process data just like we do. We just process it for finer resolution. > I am curious. Just what percentage of spam do you catch using spamvertized websites (that haven't been caught already by other filters)? Or is it just part of a scoring system? Miss Betsy From redford_stone at INVERSE_OF_COLDmail.com Sat Nov 12 11:10:57 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Nov 12 06:15:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Hackers use Sony BMG to hide on PCs References: <Xns970A86ECD8110tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-M8RBbqlF1CuM@dsl-206-55-144-107.tstonramp.com> Message-ID: <Xns970C20605FD2Ctinlc@216.154.195.61> "Robert Blair" <nobody@nowhere.not> wrote in news:TECQXhvKj0FX-pn2- M8RBbqlF1CuM@dsl-206-55-144-107.tstonramp.com: > > Here is the latest from Sony. It seems they have heard the message, > at least for now, but I expect them to try something else along the > same lines later. > The key to that article was the words "temporarily suspend".. meaning they aren't likely to dismiss this folly enitrely. Either case, I think we [tinw] need to keep a wary eye on Sony (and other music publishers) for the forsee-able future. From redford_stone at INVERSE_OF_COLDmail.com Sat Nov 12 11:18:11 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Sat Nov 12 06:20:02 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish References: <dl3f40$9bq$1@news.spamcop.net> Message-ID: <Xns970C219A649B1tinlc@216.154.195.61> Borgholio <borgholio@storymind.com> wrote in news:dl3f40$9bq$1@news.spamcop.net: > In a nutshell, I wasn't paying attention and clicked on a link and > entered my password. I changed it about 2 minutes later when I > realized something was wrong, but I need verification that the "phish" > actually worked. It seemed that the phishing link sent along with the > email was half-assed. In other words, it doesn't seem like it'd work. > Here's the link: May I recommend an extra dose of Yuban coffee before surfing the net? :-D From nobody at nowhere.invalid Sat Nov 12 12:24:55 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Nov 12 06:25:02 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> <Xns970A7D1D5F8BEtinlc@216.154.195.61> <dl0shv$2af$1@news.spamcop.net> <Xns970B52711D08tinlc@216.154.195.61> <dl1nut$kme$1@news.spamcop.net> <Xns970C1D6C39AB4tinlc@216.154.195.61> Message-ID: <slrndnbk87.v9e.nobody@127.0.0.1> On Sat, 12 Nov 2005 10:53:32 +0000 (UTC), Redstone coughed into spamcop and left this in <Xns970C1D6C39AB4tinlc@216.154.195.61>: >> And cassette tapes for the car.......... > > Only problem, they don't sit well in the sun. :-) Nor do CDs for that matter :) -- Steve Sign spotted in an office: AFTER TEA BREAK STAFF SHOULD EMPTY THE TEAPOT AND STAND UPSIDE DOWN ON THE DRAINING BOARD From nobody at nowhere.invalid Sat Nov 12 12:37:00 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Nov 12 06:40:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> Message-ID: <slrndnbkus.vf5.nobody@127.0.0.1> On Sat, 5 Nov 2005 10:52:34 +0000 (UTC), Redstone coughed into spamcop and left this in <Xns97051D4241CC4tinlc@216.154.195.61>: > Guess enough people began to notice these hidden files being installed > without proper permission. Userfriendly.org have just put out their take on the issue: http://ars.userfriendly.org/cartoons/?id=20051112&mode=classic -- Steve The average nutritional value of promises is roughly zero. From borgholio at storymind.com Sat Nov 12 03:41:17 2005 From: borgholio at storymind.com (Borgholio) Date: Sat Nov 12 06:45:04 2005 Subject: [SpamCop-List] Re: Erm...um...I may have just fallen victim to a Phish In-Reply-To: <Xns970C219A649B1tinlc@216.154.195.61> References: <dl3f40$9bq$1@news.spamcop.net> <Xns970C219A649B1tinlc@216.154.195.61> Message-ID: <dl4kd1$iu$2@news.spamcop.net> Redstone wrote: > Borgholio <borgholio@storymind.com> wrote in > news:dl3f40$9bq$1@news.spamcop.net: > > >>In a nutshell, I wasn't paying attention and clicked on a link and >>entered my password. I changed it about 2 minutes later when I >>realized something was wrong, but I need verification that the "phish" >>actually worked. It seemed that the phishing link sent along with the >>email was half-assed. In other words, it doesn't seem like it'd work. >> Here's the link: > > > > May I recommend an extra dose of Yuban coffee before surfing the net? :-D > Already on my 3rd coke today. Need to get SOME sleep before sunrise. :) From Kilgallen at SpamCop.net Sat Nov 12 06:22:25 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Nov 12 07:25:03 2005 Subject: [SpamCop-List] I cannot get http://mailsc.spamcop.net/ to work Message-ID: <VQPHbsh+g2UF@eisner.encompasserve.org> From Netscape: An error occurred while processing your request. Reference #97.6b247b3f.1131797393.5078bf From Internet Explorer: An error occurred while processing your request. Reference #97.6a247b3f.1131797434.4d7a0a From nobody at spamcop.net Sat Nov 12 07:00:13 2005 From: nobody at spamcop.net (John Anderson) Date: Sat Nov 12 08:05:08 2005 Subject: [SpamCop-List] Spamcop down? Message-ID: <dl4p0k$9jo$1@news.spamcop.net> Gateway Timeout The proxy server did not receive a timely response from the upstream server. Reference #1.5b247b3f.1131800347.a8c08b From nobody at spamcop.net Sat Nov 12 07:04:41 2005 From: nobody at spamcop.net (John Anderson) Date: Sat Nov 12 08:05:20 2005 Subject: [SpamCop-List] Error Message-ID: <dl4p90$9pf$1@news.spamcop.net> An error occurred while processing your request. Reference #97.5b247b3f.1131800640.aadb6d From bar_n0ne at hotmail.com Sat Nov 12 17:08:10 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Nov 12 08:10:03 2005 Subject: [SpamCop-List] Re: Spamcop down? References: <dl4p0k$9jo$1@news.spamcop.net> Message-ID: <dl4pfs$a47$1@news.spamcop.net> Too many people re-parsing those tripod and geocities links maybe? From spam_hjp at yahoo.com Sat Nov 12 08:08:35 2005 From: spam_hjp at yahoo.com (Jim) Date: Sat Nov 12 08:10:13 2005 Subject: [SpamCop-List] SC been down for 2 hours Message-ID: <dl4pgm$9t4$2@news.spamcop.net> SpamCop been down for 2 hours From spam_hjp at yahoo.com Sat Nov 12 08:12:34 2005 From: spam_hjp at yahoo.com (Jim) Date: Sat Nov 12 08:15:03 2005 Subject: [SpamCop-List] Re: Spamcop down? In-Reply-To: <dl4pfs$a47$1@news.spamcop.net> References: <dl4p0k$9jo$1@news.spamcop.net> <dl4pfs$a47$1@news.spamcop.net> Message-ID: <dl4po5$9t4$3@news.spamcop.net> Berny wrote: > Too many people re-parsing those tripod and geocities links maybe? > > > That must be it as I am getting a lot of them also. I have not been able to get on for over 2 hours. I tried to get some info on the forum but I can't find a thing over there. From nobody at devnull.spamcop.net Sat Nov 12 08:22:21 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Sat Nov 12 08:25:03 2005 Subject: [SpamCop-List] Erm...um...I may have just fallen victim to a Phish References: <mailman.120.1131779632.169.spamcop-list@news.spamcop.net> <dl485m$j6$1@news.spamcop.net> <dl4b1r$iu$1@news.spamcop.net> Message-ID: <dl4qa1$all$1@news.spamcop.net> "Borgholio" wrote in message > Geoffrey Hyde wrote: > > If you haven't already done so, submit it to spoof/at/ebay.com so that they can > > get it shut down ASAP. I really hope one of these days these hackers get > > ensnared by some red tape which will put them away for a while. > > > > > > Done awhile ago. :) As of 8:00 AM EST, the site was already "404 compliant". At 11:18 PM I sent out a note about the site to these possibly interested "third parties": To: eBay Customer Support <spam/at/ebay.com>, admin/at/fraudwatchinternational.com, "ReportPhish.org" <Report/at/ReportPhish.org>, "antiphishing.org" <reportphishing/at/antiphishing.org>, Better Business Bureau nophishing/at/cbbb.bbb.org, spoof/at/millersmiles.co.uk, submit/at/phishcop.net, FTC spam/at/uce.gov Apparently the elves came during the night and stole away with the site. I did not cite the elves... -<g> From nobody at spamcop.net Sat Nov 12 07:28:06 2005 From: nobody at spamcop.net (John Anderson) Date: Sat Nov 12 08:30:05 2005 Subject: [SpamCop-List] Re: SpamCop is Down References: <c9rbn1t5jfdifnid4tn1k4j7uco0kj8ubi@4ax.com> Message-ID: <dl4qkt$b1h$1@news.spamcop.net> "SpamCop Admin" <nobody@devnull.spamcop.net> wrote in message news:c9rbn1t5jfdifnid4tn1k4j7uco0kj8ubi@4ax.com... > At 06:20 Mountain Standard Time, SpamCop is completely down. I don't > know what the problem is, but the pagers have been set off. Now we > wait. > > - Don D'Minion - SpamCop Admin - Spammers attacked the building, shut the servers down? From bar_n0ne at hotmail.com Sat Nov 12 17:37:40 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Nov 12 08:40:03 2005 Subject: [SpamCop-List] Re: Spamcop down? References: <dl4p0k$9jo$1@news.spamcop.net> <dl4pfs$a47$1@news.spamcop.net> <dl4po5$9t4$3@news.spamcop.net> Message-ID: <dl4r77$bc9$1@news.spamcop.net> "Jim" <spam_hjp@yahoo.com> wrote in message news:dl4po5$9t4$3@news.spamcop.net... > Berny wrote: > > Too many people re-parsing those tripod and geocities links maybe? > > > > > > > > That must be it as I am getting a lot of them also. I have not been able to get on for over 2 > hours. I tried to get some info on the forum but I can't find a thing over there. I can't even get there, the only link I have is the www.spamcop.net link, the cookies take care of the rest and I use the help Item to get to the fora. I have no direct link to the fora From nobody at nowhere.invalid Sat Nov 12 14:39:51 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Nov 12 08:40:13 2005 Subject: [SpamCop-List] Re: Spamcop down? References: <dl4p0k$9jo$1@news.spamcop.net> <dl4pfs$a47$1@news.spamcop.net> Message-ID: <slrndnbs57.1vt.nobody@127.0.0.1> On Sat, 12 Nov 2005 17:08:10 +0400, Berny coughed into spamcop and left this in <dl4pfs$a47$1@news.spamcop.net>: ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> ><HTML><HEAD> ><META http-equiv=3DContent-Type content=3D"text/html; = > charset=3Diso-8859-1"> ><META content=3D"MSHTML 6.00.2800.1522" name=3DGENERATOR> ><STYLE></STYLE> ></HEAD> ><BODY bgColor=3D#ffffff> ><DIV><FONT face=3DArial size=3D2> >{snip} Very interesting. -- Steve "POLICE STATION TOILET STOLEN...Cops have nothing to go on." From bar_n0ne at hotmail.com Sat Nov 12 17:45:50 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sat Nov 12 08:50:02 2005 Subject: [SpamCop-List] Re: Spamcop down? References: <dl4p0k$9jo$1@news.spamcop.net> <dl4pfs$a47$1@news.spamcop.net> <slrndnbs57.1vt.nobody@127.0.0.1> Message-ID: <dl4rmi$bnd$1@news.spamcop.net> "Steven Maesslein" <nobody@nowhere.invalid> wrote in message news:slrndnbs57.1vt.nobody@127.0.0.1... > On Sat, 12 Nov 2005 17:08:10 +0400, Berny coughed into spamcop and left > this in <dl4pfs$a47$1@news.spamcop.net>: > > ><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> > ><HTML> >{snip} > > Very interesting. > > -- > Steve > > "POLICE STATION TOILET STOLEN...Cops have nothing to go on." Shit! I have OE set to plain text only. (Although I don' see how the above is interesting.) one of the posts I replied to was all HTML as I discovered when replying, maybe that's when it snuck in. But I thought I had deleted all of it. Do let me know if this isn't plaintext From jeffg at spamcop.net Sat Nov 12 08:48:27 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 12 09:20:50 2005 Subject: [SpamCop-List] Re: SC been down for 2 hours References: <dl4pgm$9t4$2@news.spamcop.net> Message-ID: <dl4tei$cle$1@news.spamcop.net> "Jim" <spam_hjp@yahoo.com> wrote in message news:dl4pgm$9t4$2@news.spamcop.net... > SpamCop been down for 2 hours Make that 3 hours now. You can track it with http://forum.spamcop.net/forums/index.php?showtopic=5247 QUOTE(SpamCopAdmin in http://forum.spamcop.net/forums/index.php?showtopic=5247 @ Nov 12 2005, 08:23 AM EST -0500) "At 06:20 Mountain Standard Time, SpamCop is completely down. I don't know what the problem is, but the pagers have been set off. Now we wait. - Don D'Minion - SpamCop Admin -" Please note that only the SpamCop Parsing and Reporting Service is affected. The outage appears to have started around 05:55 EST -0500 (10:55 UTC -0000, 02:55 PST -0800). -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Sat Nov 12 09:18:45 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 12 09:21:04 2005 Subject: [SpamCop-List] Re: SC been down for 2 hours References: <dl4pgm$9t4$2@news.spamcop.net> <dl4tei$cle$1@news.spamcop.net> Message-ID: <dl4tk6$crp$1@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dl4tei$cle$1@news.spamcop.net... > "Jim" <spam_hjp@yahoo.com> wrote in message > news:dl4pgm$9t4$2@news.spamcop.net... > > SpamCop been down for 2 hours > > Make that 3 hours now. Sorry about the time on that post (gremlins took about 27min). -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From porpoise1954 at yahoo.co.uk Sat Nov 12 14:36:49 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Sat Nov 12 09:40:07 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> <Xns970A7D1D5F8BEtinlc@216.154.195.61> <dl0shv$2af$1@news.spamcop.net> <Xns970B52711D08tinlc@216.154.195.61> <dl1nut$kme$1@news.spamcop.net> <Xns970C1D6C39AB4tinlc@216.154.195.61> Message-ID: <dl4uoq$drl$1@news.spamcop.net> "Redstone" <redford_stone@INVERSE_OF_COLDmail.com> wrote in message news:Xns970C1D6C39AB4tinlc@216.154.195.61... > "Porpoise" <porpoise1954@yahoo.co.uk> wrote in news:dl1nut$kme$1 > @news.spamcop.net: > >> >> And cassette tapes for the car.......... >> >> > > > Only problem, they don't sit well in the sun. :-) Errrmmmm... Neither do CDs.......!!?? From jeffg at spamcop.net Sat Nov 12 10:10:42 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 12 10:15:18 2005 Subject: [SpamCop-List] Re: SC been down for 2 hours References: <dl4pgm$9t4$2@news.spamcop.net> <dl4tei$cle$1@news.spamcop.net> Message-ID: <dl50nj$fh5$1@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dl4tei$cle$1@news.spamcop.net... > "Jim" <spam_hjp@yahoo.com> wrote in message > news:dl4pgm$9t4$2@news.spamcop.net... > > SpamCop been down for 2 hours > > Make that 3 hours now. You can track it with > http://forum.spamcop.net/forums/index.php?showtopic=5247 It appears to have been back up since 09:40 EST -0500 (14:40 UTC -0000, 06:40 PST -0800, half an hour ago). -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Sat Nov 12 10:11:46 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 12 10:15:37 2005 Subject: [SpamCop-List] Re: SC been down for 2 hours References: <dl4pgm$9t4$2@news.spamcop.net> <dl4tei$cle$1@news.spamcop.net> Message-ID: <dl50nj$fh5$2@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dl4tei$cle$1@news.spamcop.net... > "Jim" <spam_hjp@yahoo.com> wrote in message > news:dl4pgm$9t4$2@news.spamcop.net... > > SpamCop been down for 2 hours > > Make that 3 hours now. You can track it with > http://forum.spamcop.net/forums/index.php?showtopic=5247 It appears to have been back up since 09:40 EST -0500 (14:40 UTC -0000, 06:40 PST -0800, half an hour ago). -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jg at coks.net Sat Nov 12 07:46:16 2005 From: jg at coks.net (jg) Date: Sat Nov 12 10:45:03 2005 Subject: [SpamCop-List] Re: password issues In-Reply-To: <dl4gai$4ht$1@news.spamcop.net> References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> Message-ID: <dl52kl$gsl$1@news.spamcop.net> On 11/12/2005 2:31 AM Berny scribbled: > "*selah*" <pzion.naax@yahoo.com> wrote in message > news:dl4dld$37c$1@news.spamcop.net... > >>I've been having trouble with password also. I don't know if this >>happens every time I delete all temporary internet files from ie but >>now, in addition, when I try to reset the password, I don't receive the >>email reply from spamcop. > > > Sheesh, don't you read the announcement on the login page? there is some > flakiness they are working on, resetting your password does not help > > just wait a while and try again later > > Which is why I didn't reset mine, having made a mental note of that back around 11/2, but you say wait /awhile/ - still not working this A.M. I see a bunch of posts about problems - guess I'll take a look at them... From jg at coks.net Sat Nov 12 07:56:14 2005 From: jg at coks.net (jg) Date: Sat Nov 12 10:55:03 2005 Subject: [SpamCop-List] Re: password issues In-Reply-To: <dl52kl$gsl$1@news.spamcop.net> References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl52kl$gsl$1@news.spamcop.net> Message-ID: <dl537b$h8g$1@news.spamcop.net> On 11/12/2005 7:46 AM jg scribbled: >>Sheesh, don't you read the announcement on the login page? there is some >>flakiness they are working on, resetting your password does not help >> >>just wait a while and try again later >> >> > > Which is why I didn't reset mine, having made a mental note of that back > around 11/2, but you say wait /awhile/ - still not working this A.M. I > see a bunch of posts about problems - guess I'll take a look at them... Well, all I see is 'system down' posts, so I guess /awhile/ will be a longer while... But my problem started last evening, not 'a couple-3 hours ago'... From jeffg at spamcop.net Sat Nov 12 11:08:13 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 12 11:10:08 2005 Subject: [SpamCop-List] Re: SC been down for 2 hours References: <dl4pgm$9t4$2@news.spamcop.net> <dl4tei$cle$1@news.spamcop.net> <dl50nj$fh5$2@news.spamcop.net> Message-ID: <dl5423$i01$1@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dl50nj$fh5$2@news.spamcop.net... > "Jeff G." <jeffg@spamcop.net> wrote in message > news:dl4tei$cle$1@news.spamcop.net... > > "Jim" <spam_hjp@yahoo.com> wrote in message > > news:dl4pgm$9t4$2@news.spamcop.net... > > > SpamCop been down for 2 hours > > > > Make that 3 hours now. You can track it with > > http://forum.spamcop.net/forums/index.php?showtopic=5247 > > It appears to have been back up since 09:40 EST -0500 (14:40 UTC -0000, > 06:40 PST -0800, half an hour ago). [quote=SpamCopAdmin,Nov 12 2005, 10:55 AM EST -0500] "The system is back up now. There may be some email delays while the system works through the backlog of spam, but everything is working normally again. - Don D'Minion - SpamCop Admin -" -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Sat Nov 12 11:12:25 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 12 11:15:04 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl52kl$gsl$1@news.spamcop.net> <dl537b$h8g$1@news.spamcop.net> Message-ID: <dl5499$ikd$1@news.spamcop.net> "jg" <jg@coks.net> wrote in message news:dl537b$h8g$1@news.spamcop.net... > Well, all I see is 'system down' posts, so I guess /awhile/ will be a > longer while... > But my problem started last evening, not 'a couple-3 hours ago'... Your problem appears to be specific to your account. Please email a SpamCop Admin via service[at]admin.spamcop.net . -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jg at coks.net Sat Nov 12 08:45:14 2005 From: jg at coks.net (jg) Date: Sat Nov 12 11:45:03 2005 Subject: [SpamCop-List] Re: password issues In-Reply-To: <dl5499$ikd$1@news.spamcop.net> References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl52kl$gsl$1@news.spamcop.net> <dl537b$h8g$1@news.spamcop.net> <dl5499$ikd$1@news.spamcop.net> Message-ID: <dl5638$jti$1@news.spamcop.net> On 11/12/2005 8:12 AM Jeff G. scribbled: > "jg" <jg@coks.net> wrote in message > news:dl537b$h8g$1@news.spamcop.net... > >>Well, all I see is 'system down' posts, so I guess /awhile/ will be a >>longer while... >>But my problem started last evening, not 'a couple-3 hours ago'... > > > Your problem appears to be specific to your account. Please email a > SpamCop Admin via service[at]admin.spamcop.net . > Thanks, Jeff, I'll do that... From nobody at spamcop.net Sat Nov 12 21:09:07 2005 From: nobody at spamcop.net (nospam) Date: Sat Nov 12 12:10:04 2005 Subject: [SpamCop-List] Now PHISHES are also for Internet and Email passwords Message-ID: <BF9C0A73.16471%nobody@spamcop.net> I don't have the tracker, but no matter. Different from sms.ac and hi5 methods, I received a PHISH spam today, in the style of the usual bank/ebay/Paypal PHISHES, but it was purportedly to verify my ISP account. It was very primitive, so I'm not sure exactly what they were after. The PHISH site was linked through a google redirect (How do I LART that?) the "visible" link was my.isp.com/something (No, that's not the name of my ISP) It was so badly done that almost no one would be fooled, but then so were bank PHISHes not so long ago, and they still got their victims. From nobody at spamcop.net Sat Nov 12 21:16:50 2005 From: nobody at spamcop.net (nospam) Date: Sat Nov 12 12:20:02 2005 Subject: [SpamCop-List] Anyone getting "hosting acknowledgement" Message-ID: <BF9C0C42.16472%nobody@spamcop.net> Purportedly acknowledging reciept of paymen of some $250.00 for some bogus registration and hosting purpotedly with: Century21RmRealty (almost nothing in Google), and no A record for the supposedly registered name. The From is Bogus enough (ie obviously bogus name and domain), but while the first of these had a link to review my transaction at Century21gmRealty.com the second had a link to leakingbrainfluid.com Hardly going to inspire me to believe such a transaction took place, or motivate me to look it up. From SC.10.myspamgobbler at spamcowboy.net Sat Nov 12 09:18:28 2005 From: SC.10.myspamgobbler at spamcowboy.net (Brian) Date: Sat Nov 12 12:25:02 2005 Subject: [SpamCop-List] Re: Now PHISHES are also for Internet and Email passwords In-Reply-To: <BF9C0A73.16471%nobody@spamcop.net> References: <BF9C0A73.16471%nobody@spamcop.net> Message-ID: <dl589h$l6e$1@news.spamcop.net> nospam wrote: > I don't have the tracker, but no matter. > > Different from sms.ac and hi5 methods, > > I received a PHISH spam today, in the style of the usual bank/ebay/Paypal > PHISHES, but it was purportedly to verify my ISP account. > > It was very primitive, so I'm not sure exactly what they were after. > > The PHISH site was linked through a google redirect (How do I LART that?) > > the "visible" link was my.isp.com/something (No, that's not the name of my > ISP) > > It was so badly done that almost no one would be fooled, but then so were > bank PHISHes not so long ago, and they still got their victims. > Passwords to an ISP account are valuable for sending out spam among other things. There are lots of passwords stored in emails. What was the URL of the redirect. Parse that and manually LART. And it would be a lot easier to see the tracker so more of us can work on it. There are a few of us that focus on phishing. -- Brian SC.10.myspamgobbler@spamcowboy.net From usenet2 at DE.LETE.THISljvideo.com Sat Nov 12 18:23:53 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Sat Nov 12 13:25:04 2005 Subject: [SpamCop-List] Re: yay, I won the lottery! References: <dl2msf$59f$1@news.spamcop.net> Message-ID: <Xns970C73EAE6C5Athefrogprince@216.154.195.61> Waiving the right to remain silent, "RandallW" <nobody@spamcop.net> said: > After going weeks without winning the lottery, I received two of > the spams that informed me that I won a European lottery draw. I > think their system to choose the winning e-mail address seems to > be broken, since I received the same spam to two different > e-mail addresses but they have the same winning ticket number! There was one recently claiming "WINNER" in the Washington State Lottery, but administered by a URL in Australia, and prize claim from a URL in Romania - or something like that... One would have to be brick-stoopid to click any of those links... -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "I've come here to enjoy nature. Don't talk to me about the environment!" - 'Denny Crane' From nobody at nowhere.invalid Sat Nov 12 20:00:06 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Nov 12 14:05:08 2005 Subject: [SpamCop-List] Re: Spamcop down? References: <dl4p0k$9jo$1@news.spamcop.net> <dl4pfs$a47$1@news.spamcop.net> <slrndnbs57.1vt.nobody@127.0.0.1> <dl4rmi$bnd$1@news.spamcop.net> Message-ID: <slrndncetm.2bo.nobody@127.0.0.1> On Sat, 12 Nov 2005 17:45:50 +0400, Berny coughed into spamcop and left this in <dl4rmi$bnd$1@news.spamcop.net>: > one of the posts I replied to was all HTML as I discovered when replying, > maybe that's when it snuck in. But I thought I had deleted all of it. > > Do let me know if this isn't plaintext It was. Advance warning - my memory of OE may be flaky since it's probably about 6 years since I got anywhere near that abomination. Go to Tools / Options... / Send tab. UNCHECK the option that says "Reply to messages in the format in which they were sent" or words to that effect. If it is left checked, even if new messages are sent out in plain text, replies to HTML crud will go out as HTML crud. -- Steve The only person to get all of his work done by Friday was Robinson Crusoe From nobody at nowhere.invalid Sat Nov 12 20:02:29 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Nov 12 14:05:21 2005 Subject: [SpamCop-List] Anyone here speak Magyar / Hungarian? Message-ID: <slrndncf25.2bo.nobody@127.0.0.1> Got this back from t-online.hu but have no friggin' idea what it says: Tisztelt Lev?l?r?! Level?t k?retlen lev?lnek kategoriz?lta rendszer?nk. K?rj?k, k?ldje el azt ism?telten r?sz?nkre ?gy, hogy a t?rgy mez?be ?rja be az al?bbiakat: "Megism?telt lev?l T-online-nak". Meg?rt?s?t k?sz?nj?k. -- Steve And 1.1.81 is officially BugFree(tm), so if you receive any bug-reports on it, you know they are just evil lies. -- Linus Torvalds From nobody at nowhere.invalid Sat Nov 12 20:11:47 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Nov 12 14:15:02 2005 Subject: [SpamCop-List] Re: SpamCop is Down References: <c9rbn1t5jfdifnid4tn1k4j7uco0kj8ubi@4ax.com> <n54cn1965f28itfomhlctpbjusrb8ri9qu@4ax.com> Message-ID: <slrndncfjj.2bo.nobody@127.0.0.1> On Sat, 12 Nov 2005 08:56:46 -0700, SpamCop Admin coughed into spamcop and left this in <n54cn1965f28itfomhlctpbjusrb8ri9qu@4ax.com>: > The system is back up now. > > There may be some email delays while the system works through the > backlog of spam, but everything is working normally again. Can you share any information on what brought it down in the first place? -- Steve Anarchy may not be the best form of government, but it's better than no government at all. From DougThegarden at invalid.com Sat Nov 12 19:34:56 2005 From: DougThegarden at invalid.com (Doug Thegarden) Date: Sat Nov 12 14:40:03 2005 Subject: [SpamCop-List] Re: Anyone here speak Magyar / Hungarian? In-Reply-To: <slrndncf25.2bo.nobody@127.0.0.1> References: <slrndncf25.2bo.nobody@127.0.0.1> Message-ID: <dl5g6q$pb4$1@news.spamcop.net> Steven Maesslein wrote: > Got this back from t-online.hu but have no friggin' idea what it > says: > > Tisztelt Lev?l?r?! > > Level?t k?retlen lev?lnek kategoriz?lta rendszer?nk. K?rj?k, k?ldje > el azt ism?telten r?sz?nkre ?gy, hogy a t?rgy mez?be ?rja be az > al?bbiakat: "Megism?telt lev?l T-online-nak". > > Meg?rt?s?t k?sz?nj?k. > Foreignword.com translates it as: Dear Epistle! Level?t unsolicited epistle categorizes system. Please , send off that repeatedly our part so , that the topic glebe writes be the mentioned below " reduplicated epistle T online nak ". Knowing thank you. I'm afraid I don't know anyone that can translate the result. Doug From borgholio at storymind.com Sat Nov 12 11:46:18 2005 From: borgholio at storymind.com (Borgholio) Date: Sat Nov 12 14:50:03 2005 Subject: [SpamCop-List] Erm...um...I may have just fallen victim to a Phish In-Reply-To: <dl4qa1$all$1@news.spamcop.net> References: <mailman.120.1131779632.169.spamcop-list@news.spamcop.net> <dl485m$j6$1@news.spamcop.net> <dl4b1r$iu$1@news.spamcop.net> <dl4qa1$all$1@news.spamcop.net> Message-ID: <dl5gqb$pkl$1@news.spamcop.net> Glenn Daniels wrote: > "Borgholio" wrote in message > >>Geoffrey Hyde wrote: >> >>>If you haven't already done so, submit it to spoof/at/ebay.com so that > > they can > >>>get it shut down ASAP. I really hope one of these days these hackers > > get > >>>ensnared by some red tape which will put them away for a while. >>> >>> >> >>Done awhile ago. :) > > > As of 8:00 AM EST, the site was already "404 compliant". > > At 11:18 PM I sent out a note about the site to these > possibly interested "third parties": > To: > eBay Customer Support <spam/at/ebay.com>, > admin/at/fraudwatchinternational.com, > "ReportPhish.org" <Report/at/ReportPhish.org>, > "antiphishing.org" <reportphishing/at/antiphishing.org>, > Better Business Bureau nophishing/at/cbbb.bbb.org, > spoof/at/millersmiles.co.uk, > submit/at/phishcop.net, > FTC spam/at/uce.gov > > Apparently the elves came during the night and stole away > with the site. I did not cite the elves... > > -<g> > > Well it seems that Ebay is quite aggressive when it comes to spoofing. I like. From nobody at devnull.spamcop.net Sat Nov 12 14:32:37 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Nov 12 15:35:07 2005 Subject: [SpamCop-List] Re: Spamcop down? References: <dl4p0k$9jo$1@news.spamcop.net> <dl4pfs$a47$1@news.spamcop.net> <dl4po5$9t4$3@news.spamcop.net> <dl4r77$bc9$1@news.spamcop.net> Message-ID: <dl5jh7$r6h$1@news.spamcop.net> "Berny" <bar_n0ne@hotmail.com> wrote in message news:dl4r77$bc9$1@news.spamcop.net... > > I can't even get there, the only link I have is the www.spamcop.net link, > the cookies take care of the rest and I use the help Item to get to the > fora. > > I have no direct link to the fora Forum itself, which now includes a small graphic uptop showing the Parsing & Reporting system status .. an attempt at stopping all the "is it down" questions before they start ... http://forum.spamcop.net/forums/ Portal page found at http://forum.spamcop.net/forums/index.php?act=home Single-page access point to the SpamCop FAQ found at http://forum.spamcop.net/forums/index.php?showtopic=2238 KnowledgeBase view of the SpamCop FAQ being built at http://forum.spamcop.net/forums/index.php?act=faq From zorrofox at Safe-mail.net Sat Nov 12 15:41:13 2005 From: zorrofox at Safe-mail.net (zorrofox@Safe-mail.net) Date: Sat Nov 12 15:41:17 2005 Subject: [SpamCop-List] Dead Organization Message-ID: <N1-i3cg97h7Z3@Safe-mail.net> http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html The above URL is a dead organization. Spamcop is successful, this organization is dead. Its links go nowhere. Keeping this page up is speaking ill of the dead. Consider removing this page, your objective was successful. From MikeE at ster.invalid Sat Nov 12 13:18:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 12 16:20:04 2005 Subject: [SpamCop-List] Re: Dead Organization References: <mailman.121.1131828078.169.spamcop-list@news.spamcop.net> Message-ID: <dl5m7p$spj$1@news.spamcop.net> zorrofox@Safe-mail.net wrote: > news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html That is a link to an archived message posted to spamcop.help claiming to have been posted from a website [which is a curious statement even in 2000 Dec] and containing an alleged spam sourced from excite.com promoting reclaimyourpower.com website. > The above URL is a dead organization. I presume you are referring to the spamvertised link inside the body of the posted mail/spam; not the actual link you posted, which is quite alive and part of the spamcop pipermail mailing list archive. > Spamcop is successful, this > organization is dead. Spamcop is a parsing and reporting service, a maintainer of the SCbl, and a mail service providing spamfiltering and reporting. > Its links go nowhere. reclaimyourpower.com currently resolves and has current domainname registration. There is a webserver at the IP which refers tolb1.youbettersearch.com. Perhaps you mean that you once controlled the domainname and the contents of the site in 2000 Dec but you don't anymore. > Keeping this page up is > speaking ill of the dead. Archives are archives. They archive old information. There is nothing about what was posted on that page which affected reclaimyourpower.com one way or another. If the poster reported the spam to a provider and a provider took action against the site, it must have been on the basis of the result of the provider's investigation of acceptable use or terms of service. SC only reports spamvertisers. > Consider removing this page, your objective > was successful. Don't be silly. It is an archive of a message which appeared in a newsgroup's mailing list. -- Mike Easter kibitzer, not SC admin From jeffg at spamcop.net Sat Nov 12 16:35:14 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sat Nov 12 16:40:03 2005 Subject: [SpamCop-List] Re: Dead Organization References: <mailman.121.1131828078.169.spamcop-list@news.spamcop.net> Message-ID: <dl5n6l$t8n$1@news.spamcop.net> <zorrofox@Safe-mail.net> wrote in message news:mailman.121.1131828078.169.spamcop-list@news.spamcop.net... > http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html > > The above URL is a dead organization. Spamcop is successful, this organization is dead. Its links go nowhere. Keeping this page up is speaking ill of the dead. Consider removing this page, your objective was successful. Which organization is dead? Which URL do you object to? -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From h9vzc2i02 at sneakemail.com Sat Nov 12 13:56:24 2005 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Sat Nov 12 17:00:03 2005 Subject: [SpamCop-List] Re: Dead Organization References: <mailman.121.1131828078.169.spamcop-list@news.spamcop.net> <dl5n6l$t8n$1@news.spamcop.net> Message-ID: <dl5ocn$trk$1@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dl5n6l$t8n$1@news.spamcop.net... > <zorrofox@Safe-mail.net> wrote in message > news:mailman.121.1131828078.169.spamcop-list@news.spamcop.net... > > > http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html > > > > The above URL is a dead organization. Spamcop is successful, this > organization is dead. Its links go nowhere. Keeping this page up is > speaking ill of the dead. Consider removing this page, your objective > was successful. > ** Clicking on the link above DOES work. There have been current posts about SC itself being down for several hours - is that what the OP was crying about? I submitted spam to the parser at 10:40 AM PST today and got a response at 10:45 AM so it seems that SC is now working. -- A SpamCop user and forum reader, Not Admin *** > Which organization is dead? Which URL do you object to? > > -- > Thanks and Best Regards, Jeff G. > I have been a SpamCop User/Member/Customer since 1999 and am a > Moderator of the new web-based forums (now the primary method for > getting help, http://forum.spamcop.net). Please contact me via Forum > only. > From MikeE at ster.invalid Sat Nov 12 15:08:48 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 12 18:10:07 2005 Subject: [SpamCop-List] Re: Dead Organization References: <mailman.121.1131828078.169.spamcop-list@news.spamcop.net> <dl5n6l$t8n$1@news.spamcop.net> Message-ID: <dl5slo$eu$1@news.spamcop.net> Jeff G. wrote: > Which organization is dead? Which URL do you object to? I think he's sad because http://www.reclaimyourpower.com/ is defunct as a spamvertiser. -- Mike Easter kibitzer, not SC admin From jg at coks.net Sat Nov 12 20:40:08 2005 From: jg at coks.net (jg) Date: Sat Nov 12 23:40:20 2005 Subject: [SpamCop-List] Re: Anyone here speak Magyar / Hungarian? In-Reply-To: <dl5g6q$pb4$1@news.spamcop.net> References: <slrndncf25.2bo.nobody@127.0.0.1> <dl5g6q$pb4$1@news.spamcop.net> Message-ID: <dl6fvk$ato$1@news.spamcop.net> On 11/12/2005 11:34 AM Doug Thegarden scribbled: > Steven Maesslein wrote: > >>Got this back from t-online.hu but have no friggin' idea what it >>says: >> >>Tisztelt Lev?l?r?! >> >>Level?t k?retlen lev?lnek kategoriz?lta rendszer?nk. K?rj?k, k?ldje >>el azt ism?telten r?sz?nkre ?gy, hogy a t?rgy mez?be ?rja be az >>al?bbiakat: "Megism?telt lev?l T-online-nak". >> >>Meg?rt?s?t k?sz?nj?k. >> > > > Foreignword.com translates it as: > > Dear Epistle! Level?t unsolicited epistle categorizes system. Please , > send off that repeatedly our part so , that the topic glebe writes be > the mentioned below " reduplicated epistle T online nak ". Knowing thank > you. > > I'm afraid I don't know anyone that can translate the result. > > Doug try bablefish?? From bar_n0ne at hotmail.com Sun Nov 13 09:05:37 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun Nov 13 00:10:05 2005 Subject: [SpamCop-List] Re: Spamcop down? References: <dl4p0k$9jo$1@news.spamcop.net> <dl4pfs$a47$1@news.spamcop.net> <slrndnbs57.1vt.nobody@127.0.0.1> <dl4rmi$bnd$1@news.spamcop.net> <slrndncetm.2bo.nobody@127.0.0.1> Message-ID: <dl6hj4$bqo$1@news.spamcop.net> "Steven Maesslein" <nobody@nowhere.invalid> wrote in message news:slrndncetm.2bo.nobody@127.0.0.1... SNIP > UNCHECK the option that says "Reply to messages in the format in which > they were sent" or words to that effect. If it is left checked, even if > new messages are sent out in plain text, replies to HTML crud will go > out as HTML crud. Done. Thanks Steven! From egyr05 at prodigy.net.mx Sun Nov 13 00:21:24 2005 From: egyr05 at prodigy.net.mx (enrique gonzalez) Date: Sun Nov 13 01:25:05 2005 Subject: [SpamCop-List] Invite me Message-ID: <dl6m19$e30$1@news.spamcop.net> Please invite me From borgholio at storymind.com Sat Nov 12 23:19:57 2005 From: borgholio at storymind.com (Borgholio) Date: Sun Nov 13 02:20:05 2005 Subject: [SpamCop-List] Re: Invite me In-Reply-To: <dl6m19$e30$1@news.spamcop.net> References: <dl6m19$e30$1@news.spamcop.net> Message-ID: <dl6pes$fn5$1@news.spamcop.net> enrique gonzalez wrote: > Please invite me > > I'm sorry, this event is for family and close friends only. If you seek quality entertainment, I can recommend many a fine place in Las Vegas, Nevada. From nobody at spamcop.net Sat Nov 12 23:21:41 2005 From: nobody at spamcop.net (Dar) Date: Sun Nov 13 02:25:03 2005 Subject: [SpamCop-List] Re: Invite me References: <dl6m19$e30$1@news.spamcop.net> <dl6pes$fn5$1@news.spamcop.net> Message-ID: <dl6pia$fqo$1@news.spamcop.net> "Borgholio" <borgholio@storymind.com> wrote in message news:dl6pes$fn5$1@news.spamcop.net... > enrique gonzalez wrote: > > Please invite me > > > > > > I'm sorry, this event is for family and close friends only. If you seek > quality entertainment, I can recommend many a fine place in Las Vegas, Nevada. Personally, I prefer Key West. During non-hurricane season, of course. Dar From nobody at spamcop.net Sat Nov 12 23:44:29 2005 From: nobody at spamcop.net (RandallW) Date: Sun Nov 13 02:45:03 2005 Subject: [SpamCop-List] Re: yay, I won the lottery! References: <dl2msf$59f$1@news.spamcop.net> <Xns970C73EAE6C5Athefrogprince@216.154.195.61> Message-ID: <dl6qss$gbr$1@news.spamcop.net> "Larry J." <usenet2@DE.LETE.THISljvideo.com> wrote in message news:Xns970C73EAE6C5Athefrogprince@216.154.195.61... > Waiving the right to remain silent, "RandallW" > <nobody@spamcop.net> said: > >> After going weeks without winning the lottery, I received two of >> the spams that informed me that I won a European lottery draw. I >> think their system to choose the winning e-mail address seems to >> be broken, since I received the same spam to two different >> e-mail addresses but they have the same winning ticket number! > > There was one recently claiming "WINNER" in the Washington State > Lottery, but administered by a URL in Australia, and prize claim from > a URL in Romania - or something like that... > > One would have to be brick-stoopid to click any of those links... > > -- I'll betcha they pay in Canadian $. From borgholio at storymind.com Sun Nov 13 00:17:50 2005 From: borgholio at storymind.com (Borgholio) Date: Sun Nov 13 03:20:27 2005 Subject: [SpamCop-List] Re: Invite me In-Reply-To: <dl6pia$fqo$1@news.spamcop.net> References: <dl6m19$e30$1@news.spamcop.net> <dl6pes$fn5$1@news.spamcop.net> <dl6pia$fqo$1@news.spamcop.net> Message-ID: <dl6srd$hlj$1@news.spamcop.net> Dar wrote: > "Borgholio" <borgholio@storymind.com> wrote in message > news:dl6pes$fn5$1@news.spamcop.net... > >>enrique gonzalez wrote: >> >>>Please invite me >>> >>> >> >>I'm sorry, this event is for family and close friends only. If you seek >>quality entertainment, I can recommend many a fine place in Las Vegas, > > Nevada. > > Personally, I prefer Key West. During non-hurricane season, of course. > > Dar > > After the recent hurricane season I think it should be renamed to Key East. :) From pzion.naax at yahoo.com Sun Nov 13 04:28:09 2005 From: pzion.naax at yahoo.com (*selah*) Date: Sun Nov 13 03:30:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> Message-ID: <dl6teb$hvk$1@news.spamcop.net> Excuuuuuse me - but there is nothing about password trouble on the 1st page I go to www.spamcop.net nor the 2nd (after trying to login) http://www.spamcop.net/mcgi. Nor on the 3rd http://forum.spamcop.net/forums/index.php? (looking to the help forum to see if there have been system problems.) I've been trying to reset the password for over a week. (Our old password didn't function.) "Berny" <bar_n0ne@hotmail.com> wrote in message news:dl4gai$4ht$1@news.spamcop.net... > > "*selah*" <pzion.naax@yahoo.com> wrote in message > news:dl4dld$37c$1@news.spamcop.net... > > I've been having trouble with password also. I don't know if this > > happens every time I delete all temporary internet files from ie but > > now, in addition, when I try to reset the password, I don't receive the > > email reply from spamcop. > > Sheesh, don't you read the announcement on the login page? there is some > flakiness they are working on, resetting your password does not help > > just wait a while and try again later > > From bar_n0ne at hotmail.com Sun Nov 13 12:49:34 2005 From: bar_n0ne at hotmail.com (Berny) Date: Sun Nov 13 03:50:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> Message-ID: <dl6un1$in1$1@news.spamcop.net> "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl6teb$hvk$1@news.spamcop.net... > Excuuuuuse me - but there is nothing about password trouble on the 1st > page I go to www.spamcop.net nor the 2nd (after trying to login) > http://www.spamcop.net/mcgi. Nor on the 3rd > http://forum.spamcop.net/forums/index.php? (looking to the help forum to > see if there have been system problems.) I've been trying to reset the > password for over a week. (Our old password didn't function.) > From the www.spamcop.net front page: News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wednesday, November 02, 2005 6:30:04 PM +0400) (Email-account news) 11/2/2005 Sporadic System Problems We are having sporadic system problems which you may see as failure to be able to log-in or other error messages. Please do not change your password as this will not resolve the problem. Operations and engineering are working on the issues. We thank you for your patience while we track this down. The spamcop email system is not affected and continues to operate. Postmasters, please limit forgery blow-back: From DougThegarden at invalid.com Sun Nov 13 09:16:36 2005 From: DougThegarden at invalid.com (Doug Thegarden) Date: Sun Nov 13 04:20:03 2005 Subject: [SpamCop-List] Re: Invite me In-Reply-To: <dl6m19$e30$1@news.spamcop.net> References: <dl6m19$e30$1@news.spamcop.net> Message-ID: <dl70bb$jed$1@news.spamcop.net> enrique gonzalez wrote: > Please invite me > > You're welcome Doug From DougThegarden at invalid.com Sun Nov 13 09:20:01 2005 From: DougThegarden at invalid.com (Doug Thegarden) Date: Sun Nov 13 04:25:03 2005 Subject: [SpamCop-List] Re: Anyone here speak Magyar / Hungarian? In-Reply-To: <dl6fvk$ato$1@news.spamcop.net> References: <slrndncf25.2bo.nobody@127.0.0.1> <dl5g6q$pb4$1@news.spamcop.net> <dl6fvk$ato$1@news.spamcop.net> Message-ID: <dl70hp$jmm$1@news.spamcop.net> jg wrote: > On 11/12/2005 11:34 AM Doug Thegarden scribbled: > >> Steven Maesslein wrote: >> >>> Got this back from t-online.hu but have no friggin' idea what it >>> says: >>> >>> Tisztelt Lev?l?r?! >>> >>> Level?t k?retlen lev?lnek kategoriz?lta rendszer?nk. K?rj?k, k?ldje >>> el azt ism?telten r?sz?nkre ?gy, hogy a t?rgy mez?be ?rja be az >>> al?bbiakat: "Megism?telt lev?l T-online-nak". >>> >>> Meg?rt?s?t k?sz?nj?k. >>> >> >> Foreignword.com translates it as: >> >> Dear Epistle! Level?t unsolicited epistle categorizes system. Please , >> send off that repeatedly our part so , that the topic glebe writes be >> the mentioned below " reduplicated epistle T online nak ". Knowing thank >> you. >> >> I'm afraid I don't know anyone that can translate the result. > > try bablefish?? Babblefish doesn't do Hungarian or Foreignword English AFAIK Doug From nobody at nowhere.invalid Sun Nov 13 10:41:41 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Nov 13 04:46:18 2005 Subject: [SpamCop-List] Re: Anyone here speak Magyar / Hungarian? References: <slrndncf25.2bo.nobody@127.0.0.1> <dl5g6q$pb4$1@news.spamcop.net> <dl6fvk$ato$1@news.spamcop.net> Message-ID: <slrndne2il.3oh.nobody@127.0.0.1> On Sat, 12 Nov 2005 20:40:08 -0800, jg coughed into spamcop and left this in <dl6fvk$ato$1@news.spamcop.net>: > try bablefish?? babelfish doesn't "do" Hungarian. -- Steve If at first you don't succeed, redefine success. From DougThegarden at invalid.com Sun Nov 13 09:47:11 2005 From: DougThegarden at invalid.com (Doug Thegarden) Date: Sun Nov 13 04:50:37 2005 Subject: [SpamCop-List] Re: yay, I won the lottery! In-Reply-To: <dl6qss$gbr$1@news.spamcop.net> References: <dl2msf$59f$1@news.spamcop.net> <Xns970C73EAE6C5Athefrogprince@216.154.195.61> <dl6qss$gbr$1@news.spamcop.net> Message-ID: <dl724m$kde$1@news.spamcop.net> RandallW wrote: > "Larry J." <usenet2@DE.LETE.THISljvideo.com> wrote in message > news:Xns970C73EAE6C5Athefrogprince@216.154.195.61... >> Waiving the right to remain silent, "RandallW" >> <nobody@spamcop.net> said: >> >>> After going weeks without winning the lottery, I received two of >>> the spams that informed me that I won a European lottery draw. I >>> think their system to choose the winning e-mail address seems to >>> be broken, since I received the same spam to two different >>> e-mail addresses but they have the same winning ticket number! >> There was one recently claiming "WINNER" in the Washington State >> Lottery, but administered by a URL in Australia, and prize claim from >> a URL in Romania - or something like that... >> >> One would have to be brick-stoopid to click any of those links... >> >> -- > > I'll betcha they pay in Canadian $. > Probably Turkish ? at 1.3million to the US $ DOug From jhb at vbe.com Sun Nov 13 05:30:01 2005 From: jhb at vbe.com (Jim) Date: Sun Nov 13 06:35:21 2005 Subject: [SpamCop-List] MailWasher Pro 5.0 Limit? Message-ID: <dl783q$o70$1@news.spamcop.net> Is there a limit to the number of spam msgs that can be submitted to SpamCop via MailWasher Pro at any given time? When I try transmitting more than 3 or 4 msgs the transmission is terminated by the server and none of my msgs make it to SpamCop. When transmitting just a couple of msgs everything is fine. Thanks! Jim From nobody at nowhere.invalid Sun Nov 13 13:13:36 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Nov 13 07:15:05 2005 Subject: [SpamCop-List] Truth in advertising :o) Message-ID: <slrndnebfg.6eb.nobody@127.0.0.1> Pirate software spam. From: Mishap T. Hibachi Some major mishap.... -- Steve A clear conscience is usually the sign of a bad memory. From AHaumer_gmxnet at nopspam.invalid Sun Nov 13 15:08:22 2005 From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer) Date: Sun Nov 13 09:10:02 2005 Subject: [SpamCop-List] Re: MailWasher Pro 5.0 Limit? References: <dl783q$o70$1@news.spamcop.net> Message-ID: <437748D6.D6636054@nopspam.invalid> Jim schrieb: > > Is there a limit to the number of spam msgs that can be submitted to SpamCop > via MailWasher Pro at any given time? When I try transmitting more than 3 > or 4 msgs the transmission is terminated by the server and none of my msgs > make it to SpamCop. When transmitting just a couple of msgs everything is > fine. > > Thanks! > > Jim Definitely not, I'm also using MailWasher to submit as many messages as necessary and it wokrs fine. Problems with your mailserver? Toni From jg at coks.net Sun Nov 13 07:56:35 2005 From: jg at coks.net (jg) Date: Sun Nov 13 10:55:27 2005 Subject: [SpamCop-List] Re: password issues In-Reply-To: <dl6un1$in1$1@news.spamcop.net> References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> Message-ID: <dl7nk1$v66$1@news.spamcop.net> On 11/13/2005 12:49 AM Berny scribbled: > From the www.spamcop.net front page: > > News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wednesday, November 02, > 2005 6:30:04 PM +0400) (Email-account news) > > 11/2/2005 Sporadic System Problems > We are having sporadic system problems which you may see as failure to be > able to log-in or other error messages. Please do not change your password > as this will not resolve the problem. Easy, Berny, IIRC that is/was on the 1st reporting input page, not the home page of SC. selah has a point in that you can'/couldn't see that without signing in, which you can't do if p/w is borken. I /don't/ see that message there this A.M. at all... From responseguard at hotmail.com Sun Nov 13 09:33:20 2005 From: responseguard at hotmail.com (Bob W.) Date: Sun Nov 13 12:35:09 2005 Subject: [SpamCop-List] spamhaus pwebtech.com and MLM scammers mentorswin.com Message-ID: <responseguard-CD01D6.09331913112005@news.cesmail.net> Pegasus Web Tehchnologies, pwebtech.com, is home of the MLM scammers at mentorswin.com, a perpetual spamhaus. Countless abuse reports to pwebtech were autoacked with no follow-up, and the spam continued. After hurling insults at the abuse address, a human finally replied requesting the spammed address for "removal". (This, of course, why pwebtech.com refuses munged reports.) No response to my reply condemning listwashing. They obviously know what they're doing. SC-cc'd reports to nlayer.net and above.net are being ignored. I've had more than enough. SC sez: 69.72.218.250 not listed in dnsbl.njabl.org 69.72.218.250 not listed in dnsbl.njabl.org 69.72.218.250 not listed in cbl.abuseat.org 69.72.218.250 not listed in dnsbl.sorbs.net 69.72.218.250 not listed in relays.ordb.org. 69.72.218.250 not listed in accredit.habeas.com 69.72.218.250 not listed in plus.bondedsender.org 69.72.218.250 not listed in iadb.isipp.com How is this possible? I get 1 or 2 spams from mentorswin.com every day, sent to an address that's on the most ancient of spamming lists. Anyone else getting spewed on by these morons? From zorrofox at Safe-mail.net Sun Nov 13 12:47:57 2005 From: zorrofox at Safe-mail.net (zorrofox@Safe-mail.net) Date: Sun Nov 13 12:48:01 2005 Subject: [SpamCop-List] Re: Dead Organization Message-ID: <N1-2SnMiehlo-@Safe-mail.net> Secret to Reclaim Your Power is the dead organization and their URL is http://www.reclaimyourpower.com/. Spamcop URL is http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html The above is the answer to > Which organization is dead? Which URL do you object to? -------- Original Message -------- From: "Jeff G." <jeffg@spamcop.net> Apparently from: spamcop-list-bounces-+zorrofox=safe-mail.net@news.spamcop.net To: zorrofox@safe-mail.net Subject: [SpamCop-List] Re: Dead Organization Date: Sat, 12 Nov 2005 16:35:14 -0500 > <zorrofox@Safe-mail.net> wrote in message > news:mailman.121.1131828078.169.spamcop-list@news.spamcop.net... > > > http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html > > > > The above URL is a dead organization. Spamcop is successful, this > organization is dead. Its links go nowhere. Keeping this page up is > speaking ill of the dead. Consider removing this page, your objective > was successful. > > Which organization is dead? Which URL do you object to? > > -- > Thanks and Best Regards, Jeff G. > I have been a SpamCop User/Member/Customer since 1999 and am a > Moderator of the new web-based forums (now the primary method for > getting help, http://forum.spamcop.net). Please contact me via Forum > only. > > _______________________________________________ > SpamCop-List mailing list > SpamCop-List@news.spamcop.net > http://news.spamcop.net/mailman/listinfo/spamcop-list From big_mart_98 at yahoo.com Sun Nov 13 18:04:26 2005 From: big_mart_98 at yahoo.com (Martin Edwards) Date: Sun Nov 13 13:05:03 2005 Subject: [SpamCop-List] Re: Anyone here speak Magyar / Hungarian? In-Reply-To: <slrndne2il.3oh.nobody@127.0.0.1> References: <slrndncf25.2bo.nobody@127.0.0.1> <dl5g6q$pb4$1@news.spamcop.net> <dl6fvk$ato$1@news.spamcop.net> <slrndne2il.3oh.nobody@127.0.0.1> Message-ID: <dl7v51$37k$1@news.spamcop.net> Steven Maesslein wrote: > On Sat, 12 Nov 2005 20:40:08 -0800, jg coughed into spamcop and left > this in <dl6fvk$ato$1@news.spamcop.net>: > > >>try bablefish?? > > > babelfish doesn't "do" Hungarian. > The Devil was in the harbour. He was killing lots of people. From jg at coks.net Sun Nov 13 10:28:23 2005 From: jg at coks.net (jg) Date: Sun Nov 13 13:30:04 2005 Subject: [SpamCop-List] Re: password issues In-Reply-To: <dl7nk1$v66$1@news.spamcop.net> References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl7nk1$v66$1@news.spamcop.net> Message-ID: <dl80gk$3tc$1@news.spamcop.net> On 11/13/2005 7:56 AM jg scribbled: > On 11/13/2005 12:49 AM Berny scribbled: > > >> From the www.spamcop.net front page: >> >>News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wednesday, November 02, >>2005 6:30:04 PM +0400) (Email-account news) >> >>11/2/2005 Sporadic System Problems >>We are having sporadic system problems which you may see as failure to be >>able to log-in or other error messages. Please do not change your password >>as this will not resolve the problem. > > > Easy, Berny, IIRC that is/was on the 1st reporting input page, not the > home page of SC. > selah has a point in that you can'/couldn't see that without signing in, > which you can't do if p/w is borken. > I /don't/ see that message there this A.M. at all... apologies, it is on the report input page again - I'd swear it wasn't there earlier today, but I don't swear on Sunday... From usenet2 at DE.LETE.THISljvideo.com Sun Nov 13 18:52:11 2005 From: usenet2 at DE.LETE.THISljvideo.com (Larry J.) Date: Sun Nov 13 13:55:03 2005 Subject: [SpamCop-List] Re: Invite me References: <dl6m19$e30$1@news.spamcop.net> Message-ID: <Xns970D78BEC1796thefrogprince@216.154.195.61> Waiving the right to remain silent, "enrique gonzalez" <egyr05 @prodigy.net.mx> said: > Please invite me Okay. BYOB. -- Larry J. - Remove spamtrap in ALLCAPS to e-mail "I've come here to enjoy nature. Don't talk to me about the environment!" - 'Denny Crane' From sorcerer2 at hotmail.com Sun Nov 13 13:58:20 2005 From: sorcerer2 at hotmail.com (Sir Sorcerer) Date: Sun Nov 13 14:00:02 2005 Subject: [SpamCop-List] Re: Rumor: Spamcop spamvertised websites future References: <BF996289.3FC%sorcerer2@hotmail.com> <0giEaaGhrugj@eisner.encompasserve.org> <BF9A69D8.53C%sorcerer2@hotmail.com> <hizkSixtxDZ1@eisner.encompasserve.org> <BF9AA90D.66D%sorcerer2@hotmail.com> <dl4gf5$4jn$1@news.spamcop.net> Message-ID: <BF9CF6FC.8E1%sorcerer2@hotmail.com> On 11/12/05 5:34 AM, in article dl4gf5$4jn$1@news.spamcop.net, "Miss Betsy" <nobody@devnull.spamcop.net> wrote: > "Sir Sorcerer" <sorcerer2@hotmail.com> wrote in message > news:BF9AA90D.66D%sorcerer2@hotmail.com... > <snip> >> Guess you think the SURLB guys supporting spamassassin are > spammers too as >> they process data just like we do. We just process it for finer > resolution. >> > > I am curious. Just what percentage of spam do you catch using > spamvertized websites (that haven't been caught already by other > filters)? Or is it just part of a scoring system? > > Miss Betsy > > After DNSbls (SC, SBL/XBL, ORDB, SORBS, NJABL, a local one and a few others) and after some other types of content. We stop an additional 29% by using content rules created from and algorithm of our which is applied to a large number of url sources. We have a 28 hour running window and have around 2100 fingerprints at any one time. We have found these require no need of scoring. Tom From nobody at nowhere.spamlovers.com Sun Nov 13 11:29:57 2005 From: nobody at nowhere.spamlovers.com (NOC Areeda.com) Date: Sun Nov 13 14:30:03 2005 Subject: [SpamCop-List] Verisgn Payment Not working? Message-ID: <dl847l$620$1@news.spamcop.net> Hi, I've been trying to add fuel. I much prefer Verisign over PayPal but haven't been able to for a week now. I just get an error like: Data Entry Error Please correct the following errors. Entry Value Description Transaction Type * Merchant Error. Please use a valid Transaction Type (A, D, or S). Login Name * Merchant Identification Error. Login is required. Anybody have any clues for me. Joe From jeffg at spamcop.net Sun Nov 13 14:52:11 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sun Nov 13 15:05:04 2005 Subject: [SpamCop-List] Re: Verisgn Payment Not working? References: <dl847l$620$1@news.spamcop.net> Message-ID: <dl866u$70f$1@news.spamcop.net> "NOC Areeda.com" <nobody@nowhere.spamlovers.com> wrote in message news:dl847l$620$1@news.spamcop.net... > Hi, > > I've been trying to add fuel. I much prefer Verisign over PayPal but > haven't been able to for a week now. > > I just get an error like: > > Data Entry Error > Please correct the following errors. > Entry Value Description > Transaction Type * Merchant Error. Please use a valid Transaction Type > (A, D, or S). > Login Name * Merchant Identification Error. Login is required. > > > Anybody have any clues for me. To expedite response to your problem, please email a SpamCop Admin via service<at>admin.spamcop.net. -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Sun Nov 13 15:29:21 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sun Nov 13 15:30:02 2005 Subject: [SpamCop-List] Re: Dead Organization References: <mailman.122.1131904084.169.spamcop-list@news.spamcop.net> Message-ID: <dl87n3$7oe$1@news.spamcop.net> I wrote: > > <zorrofox@Safe-mail.net> wrote in message > > news:mailman.121.1131828078.169.spamcop-list@news.spamcop.net... > > > http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html > > > > > > The above URL is a dead organization. Spamcop is successful, this > > organization is dead. Its links go nowhere. Keeping this page up is > > speaking ill of the dead. Consider removing this page, your objective > > was successful. > > > > Which organization is dead? Which URL do you object to? <zorrofox@Safe-mail.net> wrote in message news:mailman.122.1131904084.169.spamcop-list@news.spamcop.net... > Secret to Reclaim Your Power is the dead organization and their URL is http://www.reclaimyourpower.com/. Spamcop URL is http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html OK, so "Secret to Reclaim Your Power" is dead. Their old URL http://www.reclaimyourpower.com/ appears to have been picked up by North American Internet, LLC, and appears now to refresh to to scammy-looking cookielicious search page http://lb1.youbettersearch.com/index/Site=d3d3LnJlY2xhaW15b3VycG93ZXIuY29t and have the following registration details: whois -h whois.itsyourdomain.com reclaimyourpower.com ... The Data in ItsYourDomain's WHOIS database is provided by ItsYourDomain.com for information purposes, and to assist persons in obtaining information about or related to a domain name registration record. ItsYourDomain.com does not guarantee its accuracy. By submitting a WHOIS query, you agree that you will use this Data only for lawful purposes and that, under no circumstances will you use this Data to: (1) allow, enable, or otherwise support the transmission of mass unsolicited, commercial advertising or solicitations via e-mail (spam); or (2) enable high volume, automated, electronic processes that apply to ItsYourDomain.com, its systems, or its customers. ItsYourDomain reserves the right to modify these terms at any time.By submitting this query, you agree to abide by this policy. Domain: reclaimyourpower.com Registrant North American Internet, LLC North American Internet, LLC nai@ureach.com 5201 Kingston Pike, Suite 6323 Knoxville, TN 37919 US +1.8778936910 +1.8778936910 (FAX) Administrative North American Internet, LLC North American Internet, LLC nai@ureach.com 5201 Kingston Pike, Suite 6323 Knoxville, TN 37919 US +1.8778936910 +1.8778936910 (FAX) Billing North American Internet, LLC North American Internet, LLC nai@ureach.com 5201 Kingston Pike, Suite 6323 Knoxville, TN 37919 US +1.8778936910 +1.8778936910 (FAX) Technical North American Internet, LLC North American Internet, LLC nai@ureach.com 5201 Kingston Pike, Suite 6323 Knoxville, TN 37919 US +1.8778936910 +1.8778936910 (FAX) Record created on April 15, 2005 Record last updated on April 22, 2005 Record expires on April 15, 2006 Domain Name Servers: ns5.itsyourdomain.com ns6.itsyourdomain.com Your initial comments are also reflected in SpamCop's archive for this list/newsgroup/forum for this month http://news.spamcop.net/pipermail/spamcop-list/2005-November/ at http://news.spamcop.net/pipermail/spamcop-list/2005-November/106316.html and http://news.spamcop.net/pipermail/spamcop-list/2005-November/106339.html , and this message should also be reflected there as soon as I post it. Readers can make their own decisions about what to believe. Why do you care whether or not a post from nearly five years ago is stil visible on the Internet? If you wish an exception to the policy of not removing anything from the list archives, please email news@news.spamcop.net. -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Sun Nov 13 15:33:52 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sun Nov 13 15:40:02 2005 Subject: [SpamCop-List] Re: MailWasher Pro 5.0 Limit? References: <dl783q$o70$1@news.spamcop.net> Message-ID: <dl883c$820$1@news.spamcop.net> "Jim" <jhb@vbe.com> wrote in message news:dl783q$o70$1@news.spamcop.net... > Is there a limit to the number of spam msgs that can be submitted to SpamCop > via MailWasher Pro at any given time? When I try transmitting more than 3 > or 4 msgs the transmission is terminated by the server and none of my msgs > make it to SpamCop. When transmitting just a couple of msgs everything is > fine. MailWasher Pro 5.0 should be following the normal submission limits of 50,000 bytes per attached spam message and 100,000 bytes per submission. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Sun Nov 13 15:47:16 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sun Nov 13 15:50:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> Message-ID: <dl88ol$8e6$1@news.spamcop.net> "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl6teb$hvk$1@news.spamcop.net... > Excuuuuuse me - but there is nothing about password trouble on the 1st > page I go to www.spamcop.net nor the 2nd (after trying to login) > http://www.spamcop.net/mcgi. Nor on the 3rd > http://forum.spamcop.net/forums/index.php? (looking to the help forum to > see if there have been system problems.) I've been trying to reset the > password for over a week. (Our old password didn't function.) So I guess you missed "Unless you've actually forgotten your password, there is probably no need to reset it. Check the Help forum first to see if there is a current system problem" on the "Forgot your password?" page http://www.spamcop.net/denied.shtml , where "Help forum" is a link to http://forum.spamcop.net/forums/index.php? -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From nobody at nowhere.spamlovers.com Sun Nov 13 13:05:20 2005 From: nobody at nowhere.spamlovers.com (NOC Areeda.com) Date: Sun Nov 13 16:10:02 2005 Subject: [SpamCop-List] Re: Verisgn Payment Not working? In-Reply-To: <dl866u$70f$1@news.spamcop.net> References: <dl847l$620$1@news.spamcop.net> <dl866u$70f$1@news.spamcop.net> Message-ID: <dl89qg$93l$1@news.spamcop.net> Thanks Jeff, I just did that. Joe > > To expedite response to your problem, please email a SpamCop Admin via > service<at>admin.spamcop.net. > From MikeE at ster.invalid Sun Nov 13 13:33:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 13 16:35:04 2005 Subject: [SpamCop-List] Re: spamhaus pwebtech.com and MLM scammers mentorswin.com References: <responseguard-CD01D6.09331913112005@news.cesmail.net> Message-ID: <dl8bep$a1j$1@news.spamcop.net> Bob W. wrote: > 69.72.218.250 rDNS server01.mentorswin.com of Pegasus Web arin abuse@pwebtech.com abuse.net reg'd abuse@pwebtech.com reg@pwebtech.com abuse@nlayer.net abuse@above.net jason@pwebtech.com (for pwebtech.com) - SC notifies abuse@above.net abuse@pwebtech.com abuse@nlayer.net because of reg and jason redirects 69.72.218.250 SCbl/ed for reporter reports In the past 169.7 days, it has been listed 33 times for a total of 33.4 days also listed in DNSBLNETAUT1 (127.0.0.2) & AHBL (127.0.0.4) & AMMDNSBL -- which aren't heavyweights If you wanted to notify the Pegasus AS25653 upstream adjacency for 'non-responsiveness', which isn't strictly true, as they responded with an offer to listwash, it would be AS4436 AS-NLAYER - nLayer Comm abuse@nlayer.net Having a server listed in SCbl is not an insignificant listing; and it appears to be the only output server for mentorswin -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Nov 13 13:39:04 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 13 16:40:01 2005 Subject: [SpamCop-List] Re: spamhaus pwebtech.com and MLM scammers mentorswin.com References: <responseguard-CD01D6.09331913112005@news.cesmail.net> <dl8bep$a1j$1@news.spamcop.net> Message-ID: <dl8bpf$a69$1@news.spamcop.net> Mike Easter wrote: > SC notifies abuse@above.net abuse@pwebtech.com > abuse@nlayer.net because of reg and jason redirects > AS4436 AS-NLAYER - nLayer Comm abuse@nlayer.net Which is being notified already by the SC abuse.net notifies. -- Mike Easter kibitzer, not SC admin From pzion.naax at yahoo.com Sun Nov 13 17:45:29 2005 From: pzion.naax at yahoo.com (*selah*) Date: Sun Nov 13 16:50:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> Message-ID: <dl8c5c$afj$1@news.spamcop.net> This is what is currently on my www.spamcop.net page: NEWS:Postmasters, please limit forgery blow-back: Delayed bounces, virus notices, vacation messages More.. Nothing about password problems. "Berny" <bar_n0ne@hotmail.com> wrote in message news:dl6un1$in1$1@news.spamcop.net... > > "*selah*" <pzion.naax@yahoo.com> wrote in message > news:dl6teb$hvk$1@news.spamcop.net... > > Excuuuuuse me - but there is nothing about password trouble on the 1st > > page I go to www.spamcop.net nor the 2nd (after trying to login) > > http://www.spamcop.net/mcgi. Nor on the 3rd > > http://forum.spamcop.net/forums/index.php? (looking to the help forum to > > see if there have been system problems.) I've been trying to reset the > > password for over a week. (Our old password didn't function.) > > > From the www.spamcop.net front page: > > News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wednesday, November 02, > 2005 6:30:04 PM +0400) (Email-account news) > > 11/2/2005 Sporadic System Problems > We are having sporadic system problems which you may see as failure to be > able to log-in or other error messages. Please do not change your password > as this will not resolve the problem. > > Operations and engineering are working on the issues. We thank you for your > patience while we track this down. > > The spamcop email system is not affected and continues to operate. > > > > > > Postmasters, please limit forgery blow-back: > > > From pzion.naax at yahoo.com Sun Nov 13 17:48:31 2005 From: pzion.naax at yahoo.com (*selah*) Date: Sun Nov 13 16:50:16 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl88ol$8e6$1@news.spamcop.net> Message-ID: <dl8cb1$ahf$1@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dl88ol$8e6$1@news.spamcop.net... > "*selah*" <pzion.naax@yahoo.com> wrote in message > news:dl6teb$hvk$1@news.spamcop.net... > > Excuuuuuse me - but there is nothing about password trouble on the 1st > > page I go to www.spamcop.net nor the 2nd (after trying to login) > > http://www.spamcop.net/mcgi. Nor on the 3rd > > http://forum.spamcop.net/forums/index.php? (looking to the help forum > to > > see if there have been system problems.) I've been trying to reset the > > password for over a week. (Our old password didn't function.) > > > So I guess you missed "Unless you've actually forgotten your password, > there is probably no need to reset it. Check the Help forum first to see > if there is a current system problem" on the "Forgot your password?" > page http://www.spamcop.net/denied.shtml , where "Help forum" is a link > to http://forum.spamcop.net/forums/index.php? So I guess you missed: > > Nor on the 3rd > > http://forum.spamcop.net/forums/index.php? (looking to the help forum > to > > see if there have been system problems.) in my post. From jeffg at spamcop.net Sun Nov 13 17:37:10 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sun Nov 13 17:40:05 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> Message-ID: <dl8f7d$c5h$1@news.spamcop.net> "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl8c5c$afj$1@news.spamcop.net... [top posting corrected] > "Berny" <bar_n0ne@hotmail.com> wrote in message > news:dl6un1$in1$1@news.spamcop.net... > > From the www.spamcop.net front page: > > > > News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wednesday, November > 02, > > 2005 6:30:04 PM +0400) (Email-account news) > > > > 11/2/2005 Sporadic System Problems [top posting corrected] > This is what is currently on my www.spamcop.net page: > NEWS:Postmasters, please limit forgery blow-back: > Delayed bounces, virus notices, vacation messages More.. > > Nothing about password problems. What do you see after "News: (Last Modified:"? Please stop top posting, as it is considered bad netiquette and gets the conversation out of order. -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Sun Nov 13 17:54:29 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sun Nov 13 18:05:10 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl88ol$8e6$1@news.spamcop.net> <dl8cb1$ahf$1@news.spamcop.net> Message-ID: <dl8goa$d2n$1@news.spamcop.net> "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl8cb1$ahf$1@news.spamcop.net... > So I guess you missed: > > > > Nor on the 3rd > > > http://forum.spamcop.net/forums/index.php? (looking to the help > forum > > to > > > see if there have been system problems.) > > in my post. "SpamCop Discussion latest news: Parsing & Reporting System Was Down" doesn't qualify as a system problem? How about my Pinned Announcement "System outages/instability" quoting Ellen's post of Wed, 2 Nov 2005 09:22:39 -0500 in this Forum (among others) with the subject "System outages/instability"? Most of that post was as follows: "yes we are having system problems and operations/engineering is working the issues. You may see failures trying to log-in or other error messages. Please do not try to change your password as this will not solve the problem. The problems will probably continue sporadically. There is no ETA right now for complete resolution but this is being treated by everyone as a priority 1 situation. Thank you for your patience!" That post has not yet been contradicted in public by a SpamCop Admin or Deputy. -- Thanks and Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From zorrofox at Safe-mail.net Sun Nov 13 18:05:21 2005 From: zorrofox at Safe-mail.net (zorrofox@Safe-mail.net) Date: Sun Nov 13 18:05:27 2005 Subject: [SpamCop-List] Re: Dead Organization Message-ID: <N1-yQQ7gzGn2q@Safe-mail.net> Thank you for the update of the new owners of reclaimyourpower.com. -------- Original Message -------- From: "Jeff G." <jeffg@spamcop.net> Apparently from: spamcop-list-bounces-+zorrofox=safe-mail.net@news.spamcop.net To: zorrofox@safe-mail.net Subject: Re: [SpamCop-List] Re: Dead Organization Date: Sun, 13 Nov 2005 15:29:21 -0500 > I wrote: > > > <zorrofox@Safe-mail.net> wrote in message > > > news:mailman.121.1131828078.169.spamcop-list@news.spamcop.net... > > > > > http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html > > > > > > > > The above URL is a dead organization. Spamcop is successful, this > > > organization is dead. Its links go nowhere. Keeping this page up is > > > speaking ill of the dead. Consider removing this page, your > objective > > > was successful. > > > > > > Which organization is dead? Which URL do you object to? > > <zorrofox@Safe-mail.net> wrote in message > news:mailman.122.1131904084.169.spamcop-list@news.spamcop.net... > > Secret to Reclaim Your Power is the dead organization and their URL is > http://www.reclaimyourpower.com/. Spamcop URL is > http://news.spamcop.net/pipermail/spamcop-help/2000-December/000699.html > > OK, so "Secret to Reclaim Your Power" is dead. Their old URL > http://www.reclaimyourpower.com/ appears to have been picked up by North > American Internet, LLC, and appears now to refresh to to scammy-looking > cookielicious search page > http://lb1.youbettersearch.com/index/Site=d3d3LnJlY2xhaW15b3VycG93ZXIuY29t > and have the following registration details: > > whois -h whois.itsyourdomain.com reclaimyourpower.com ... > The Data in ItsYourDomain's WHOIS database is provided by > ItsYourDomain.com > for information purposes, and to assist persons in obtaining information > about or related to a domain name registration record. > ItsYourDomain.com > does not guarantee its accuracy. By submitting a WHOIS query, you agree > that you will use this Data only for lawful purposes and that, under no > circumstances will you use this Data to: (1) allow, enable, or otherwise > support the transmission of mass unsolicited, commercial advertising or > solicitations via e-mail (spam); or (2) enable high volume, automated, > electronic processes that apply to ItsYourDomain.com, its systems, or > its > customers. ItsYourDomain reserves the right to modify these terms at any > time.By submitting this query, you agree to abide by this policy. > > > Domain: reclaimyourpower.com > > Registrant > North American Internet, LLC > North American Internet, LLC > nai@ureach.com > 5201 Kingston Pike, Suite 6323 > Knoxville, TN 37919 US > +1.8778936910 > +1.8778936910 (FAX) > > Administrative > North American Internet, LLC > North American Internet, LLC > nai@ureach.com > 5201 Kingston Pike, Suite 6323 > Knoxville, TN 37919 US > +1.8778936910 > +1.8778936910 (FAX) > > Billing > North American Internet, LLC > North American Internet, LLC > nai@ureach.com > 5201 Kingston Pike, Suite 6323 > Knoxville, TN 37919 US > +1.8778936910 > +1.8778936910 (FAX) > > Technical > North American Internet, LLC > North American Internet, LLC > nai@ureach.com > 5201 Kingston Pike, Suite 6323 > Knoxville, TN 37919 US > +1.8778936910 > +1.8778936910 (FAX) > > Record created on April 15, 2005 > Record last updated on April 22, 2005 > Record expires on April 15, 2006 > > Domain Name Servers: > ns5.itsyourdomain.com > ns6.itsyourdomain.com > > Your initial comments are also reflected in SpamCop's archive for this > list/newsgroup/forum for this month > http://news.spamcop.net/pipermail/spamcop-list/2005-November/ at > http://news.spamcop.net/pipermail/spamcop-list/2005-November/106316.html > and > http://news.spamcop.net/pipermail/spamcop-list/2005-November/106339.html > , and this message should also be reflected there as soon as I post it. > Readers can make their own decisions about what to believe. Why do you > care whether or not a post from nearly five years ago is stil visible on > the Internet? > > If you wish an exception to the policy of not removing anything from the > list archives, please email news@news.spamcop.net. > > -- > Thanks and Best Regards, Jeff G. > I have been a SpamCop User/Member/Customer since 1999 and am a > Moderator of the new web-based forums (now the primary method for > getting help, http://forum.spamcop.net). Please contact me via Forum > only. > > _______________________________________________ > SpamCop-List mailing list > SpamCop-List@news.spamcop.net > http://news.spamcop.net/mailman/listinfo/spamcop-list From g.hyde at bigpond.net.au Mon Nov 14 09:11:51 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sun Nov 13 18:15:02 2005 Subject: [SpamCop-List] Ralsky et al still spamming ... Message-ID: <dl8h7l$di6$1@news.spamcop.net> http://www.spamcop.net/sc?id=z826533845za51d89ba13b2363bac9760e07313de26z Just received this crudload of software "offers" in the email this morning. Stuff which would more than likely be packed with the usual trojans and zombification viruses. Cheers ... Geoffrey Hyde From jeffg at spamcop.net Sun Nov 13 19:06:56 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sun Nov 13 19:25:29 2005 Subject: [SpamCop-List] Re: Verisgn Payment Not working? References: <dl847l$620$1@news.spamcop.net> <06ifn1h0mq5gtvo7efto760saghdotfuj9@4ax.com> Message-ID: <dl8l9b$fta$1@news.spamcop.net> "SpamCop Admin" <nobody@devnull.spamcop.net> wrote in message news:06ifn1h0mq5gtvo7efto760saghdotfuj9@4ax.com... > Handled by email... > > NOC Areeda.com wrote: > >-I've been trying to add fuel. I much prefer Verisign over PayPal but > >-haven't been able to for a week now. > > I just used VeriSign to add fuel to my test account using both Firefox > 1.0.6 and Netscape 7.2 and everything worked fine. > > On the other hand, the error message you sent clearly indicates a > problem between them and us. > > I'm trying to figure out what might be happening. > > - Don D'Minion - SpamCop Admin - Thank you, Don! -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From egyr05 at prodigy.net.mx Sun Nov 13 19:05:53 2005 From: egyr05 at prodigy.net.mx (enrique gonzalez) Date: Sun Nov 13 20:10:06 2005 Subject: [SpamCop-List] Re: Invite me References: <dl6m19$e30$1@news.spamcop.net> <dl6pes$fn5$1@news.spamcop.net> <dl6pia$fqo$1@news.spamcop.net> <dl6srd$hlj$1@news.spamcop.net> Message-ID: <dl8ntv$h5s$1@news.spamcop.net> Oh.....!! well I guess I was in the wrong group I was tring to get invited to gmail.... but any way have fun....! "Borgholio" <borgholio@storymind.com> escribió en el mensaje news:dl6srd$hlj$1@news.spamcop.net... > Dar wrote: >> "Borgholio" <borgholio@storymind.com> wrote in message >> news:dl6pes$fn5$1@news.spamcop.net... >> >>>enrique gonzalez wrote: >>> >>>>Please invite me >>>> >>>> >>> >>>I'm sorry, this event is for family and close friends only. If you seek >>>quality entertainment, I can recommend many a fine place in Las Vegas, >> >> Nevada. >> >> Personally, I prefer Key West. During non-hurricane season, of course. >> >> Dar >> >> > > After the recent hurricane season I think it should be renamed to Key > East. :) From MikeE at ster.invalid Sun Nov 13 17:31:35 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 13 20:35:03 2005 Subject: [SpamCop-List] Re: Invite me References: <dl6m19$e30$1@news.spamcop.net> <dl6pes$fn5$1@news.spamcop.net> <dl6pia$fqo$1@news.spamcop.net> <dl6srd$hlj$1@news.spamcop.net> <dl8ntv$h5s$1@news.spamcop.net> Message-ID: <dl8pde$i1o$1@news.spamcop.net> enrique gonzalez wrote: > Oh.....!! well I guess I was in the wrong group I was tring to get > invited to gmail.... but any way have fun....! There's a gmail-invites group here http://groups.google.com/group/Gmail-Invites -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Sun Nov 13 20:08:04 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sun Nov 13 21:10:03 2005 Subject: [SpamCop-List] Re: Invite me References: <dl6m19$e30$1@news.spamcop.net> <dl6pes$fn5$1@news.spamcop.net> <dl6pia$fqo$1@news.spamcop.net> <dl6srd$hlj$1@news.spamcop.net> <dl8ntv$h5s$1@news.spamcop.net> Message-ID: <dl8ri4$j2f$1@news.spamcop.net> "enrique gonzalez" <egyr05@prodigy.net.mx> wrote in message news:dl8ntv$h5s$1@news.spamcop.net... > Oh.....!! well I guess I was in the wrong group I was tring to get invited > to gmail.... but any way have fun....! You attempted registering in the Forum with the above address. That account is still waiting for the Validation process to be completed. You then generated another account and did go through the process on that account. You then posted your "Invite me" request in the Forum at http://forum.spamcop.net/forums/index.php?showtopic=4239 20 minutes later, you jump into these newsgroups and post your "Invite me" thing which has no connection to anything going in this newsgroup. Not sure how you could confuse NNTP stuff with Forum stuff ..... and why one wouldn't return to the original spot the request was generated ...????? From nobody at devnull.spamcop.net Sun Nov 13 21:24:16 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Sun Nov 13 21:25:03 2005 Subject: [SpamCop-List] Re: Rumor: Spamcop spamvertised websites future References: <BF996289.3FC%sorcerer2@hotmail.com> <0giEaaGhrugj@eisner.encompasserve.org> <BF9A69D8.53C%sorcerer2@hotmail.com> <hizkSixtxDZ1@eisner.encompasserve.org> <BF9AA90D.66D%sorcerer2@hotmail.com> <dl4gf5$4jn$1@news.spamcop.net> <BF9CF6FC.8E1%sorcerer2@hotmail.com> Message-ID: <dl8sf3$jjv$1@news.spamcop.net> "Sir Sorcerer" <sorcerer2@hotmail.com> wrote in message news:BF9CF6FC.8E1%sorcerer2@hotmail.com... > On 11/12/05 5:34 AM, in article dl4gf5$4jn$1@news.spamcop.net, "Miss Betsy" > <nobody@devnull.spamcop.net> wrote: > <snip> > > I am curious. Just what percentage of spam do you catch using > > spamvertized websites (that haven't been caught already by other > > filters)? Or is it just part of a scoring system? > > > > Miss Betsy > > > > > After DNSbls (SC, SBL/XBL, ORDB, SORBS, NJABL, a local one and a few others) > and after some other types of content. We stop an additional 29% by using > content rules created from and algorithm of our which is applied to a large > number of url sources. We have a 28 hour running window and have around 2100 > fingerprints at any one time. We have found these require no need of > scoring. That's interesting. Thanks! Miss Betsy From nobody at xyzzy.claranet.de Mon Nov 14 06:19:52 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Nov 14 00:25:20 2005 Subject: [SpamCop-List] Re: Dead Organization References: <mailman.121.1131828078.169.spamcop-list@news.spamcop.net> <dl5m7p$spj$1@news.spamcop.net> Message-ID: <43781E78.1415@xyzzy.claranet.de> Mike Easter wrote: > an archived message posted to spamcop.help claiming to have > been posted from a website [which is a curious statement even > in 2000 Dec] I've no idea when that feature was removed, but it was later - I used it for my first questions in help... ;-) Apparently it still existed in April 2002: http://news.spamcop.net/pipermail/spamcop-help/2002-April/001511.html I'm too lazy to check May etc. for spamcop-help@news.spamcop Bye, Frank From nobody at xyzzy.claranet.de Mon Nov 14 06:38:26 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Nov 14 00:40:03 2005 Subject: [SpamCop-List] Re: Odd Source Line References: <437473EE.1475A8D3@Spamcop.net.dev.null> <dl2f30$13k$1@news.spamcop.net> <dl2moq$567$1@news.spamcop.net> <dl307h$a5g$1@news.spamcop.net> Message-ID: <437822D2.2FF9@xyzzy.claranet.de> Mike Easter wrote: > I was being facetious, sarcastic, ironic. Something like ;-> ? Last time I saw a similar problem the author explained: "I'm English - I'm excused from using mandatory smileys" (or similar, neither Google nor GMaNe find the source ;-) Bye, Frank From nobody at xyzzy.claranet.de Mon Nov 14 07:38:26 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Nov 14 01:45:17 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> Message-ID: <437830E2.1B28@xyzzy.claranet.de> Redstone wrote: [Why does Julian not fix the broken parser ?] > But he may not do it for various reasons. > Namely Geocities' lackluster response. I've found a workaroud (hundreds of reloads are boring): 1 - Finish all other pending manual reports (not geocities) 2 - Copy offending geocities URL to clipboard 3 - Open "report spam" Web form in a second window 4 - Paste geocities URL and click "process spam" 5 - Copy report address network-abuse@cc.yahoo-inc.com to clipboard (steps 2..5 unnecessary if you have saved network-abuse@cc.yahoo-inc.com elsewhere) 6 - still in the second window go to http://www.spamcop.net/mcgi?action=showadvanced 7 - paste report address into "Public standard report recipients" and save the modified preferences 8 - in the first window "reload", now the report address network-abuse@cc.yahoo-inc.com is shown 9 - send report, finish all other pending geocities reports 10 - remove network-abuse@cc.yahoo-inc.com again from "Public standard report recipients" in preferences Not precisely straight forward. Another strategy would be to keep the "Public standard report recipients", and disable it manually for non-geocities reports. But even the complete 10 steps are faster than hundreds of reloads. Bye, Frank From pzion.naax at yahoo.com Mon Nov 14 02:52:08 2005 From: pzion.naax at yahoo.com (*selah*) Date: Mon Nov 14 01:55:06 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> Message-ID: <dl9c6g$v3c$1@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dl8f7d$c5h$1@news.spamcop.net... > What do you see after "News: (Last Modified:"? There is nothing on the page that says "news: (Last Modified:" This is the page: Help | Site Map | Text size: - + Report Spam Filtered Email Blocking List Statistics Login SpamCop is the premier service for reporting spam. SpamCop determines the origin of unwanted email and reports it to the relevant Internet service providers. By reporting spam, you have a positive impact on the problem. Reporting unsolicited email also helps feed spam filtering systems, including, but not limited to, SpamCop's own service. REPORT SPAM Report spam to help Internet providers cut spam off at the source. Register Now GET SPAM-FREE EMAIL Professional-grade SpamCop email accounts feature spam reporting, customizable spam and virus filtering and simultaneous Webmail, POP and IMAP access. Learn More USE FREE BLOCKING LIST Use the SpamCop DNS-based Blocking List with your own mailserver and get safe and effective spam filtering for free. Learn How Legal / Technical description REPORTED FOR SPAMMING? Find out about SpamCop reports and spam blocking, email deliverability problems and what you can do to ensure that your mail will get through. Learn More GET HELP Get information from SpamCop's extensive FAQ and active user community. Help Home Donate to SpamCop's Legal Defense fund. NEWS:Postmasters, please limit forgery blow-back: Delayed bounces, virus notices, vacation messages More.. Copyright (C) 1998-2005, IronPort Systems, Inc. All rights reserved. HTML4 / CSS2 Firefox recommended - Policies and Disclaimers From bar_n0ne at hotmail.com Mon Nov 14 10:55:35 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon Nov 14 02:00:03 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> Message-ID: <dl9cdb$v7m$1@news.spamcop.net> "Frank Ellermann" <nobody@xyzzy.claranet.de> wrote in message news:437830E2.1B28@xyzzy.claranet.de... > Redstone wrote: > > [Why does Julian not fix the broken parser ?] > > But he may not do it for various reasons. > > Namely Geocities' lackluster response. > > I've found a workaroud (hundreds of reloads are boring): > > SNIPPED We should add to that lycos, the behaviour for tripod.com websites is exactly similar. The problem is, that while this gets a LART to Yahoo, or Lycos, it does not register the site on SURBL (or was that DURBL). I also wish some remark like SC only parses 1/100 instances of geocities or tripod sites, because even flaky tietong sites are mostly getting parsed nowadays. As it is the behaviour seems too focussed to be a bug. From pzion.naax at yahoo.com Mon Nov 14 03:01:38 2005 From: pzion.naax at yahoo.com (*selah*) Date: Mon Nov 14 02:05:04 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl88ol$8e6$1@news.spamcop.net> <dl8cb1$ahf$1@news.spamcop.net> <dl8goa$d2n$1@news.spamcop.net> Message-ID: <dl9coa$vi9$1@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dl8goa$d2n$1@news.spamcop.net... > "SpamCop Discussion latest news: Parsing & Reporting System Was Down" > doesn't qualify as a system problem? How about my Pinned Announcement The text that appears on my screen for that post is: Nov 13 2005, 05:53 PM In: Parsing & Reporting Sys... By: Jeff G. I would suggest that there be an announcement in large letters at the top of the help page - or preferably on the login page. From pzion.naax at yahoo.com Mon Nov 14 03:03:07 2005 From: pzion.naax at yahoo.com (*selah*) Date: Mon Nov 14 02:05:20 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> Message-ID: <dl9cr3$vjo$1@news.spamcop.net> Are you people involved in running spamcop - or do you just like to sit around and act superior to newbees and nick-pick their posts? "Jeff G." <jeffg@spamcop.net> wrote in message news:dl8f7d$c5h$1@news.spamcop.net... > "*selah*" <pzion.naax@yahoo.com> wrote in message > news:dl8c5c$afj$1@news.spamcop.net... > [top posting corrected] > > "Berny" <bar_n0ne@hotmail.com> wrote in message > > news:dl6un1$in1$1@news.spamcop.net... > > > From the www.spamcop.net front page: > > > > > > News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wednesday, > November > > 02, > > > 2005 6:30:04 PM +0400) (Email-account news) > > > > > > 11/2/2005 Sporadic System Problems > > [top posting corrected] > > This is what is currently on my www.spamcop.net page: > > NEWS:Postmasters, please limit forgery blow-back: > > Delayed bounces, virus notices, vacation messages More.. > > > > Nothing about password problems. > > What do you see after "News: (Last Modified:"? > > Please stop top posting, as it is considered bad netiquette and gets the > conversation out of order. > > -- > Thanks and Best Regards, Jeff G. > I have been a SpamCop User/Member/Customer since 1999 and am a > Moderator of the new web-based forums (now the primary method for > getting help, http://forum.spamcop.net). Please contact me via Forum > only. > From pzion.naax at yahoo.com Mon Nov 14 03:05:07 2005 From: pzion.naax at yahoo.com (*selah*) Date: Mon Nov 14 02:05:28 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> Message-ID: <dl9cur$vkp$1@news.spamcop.net> Or are you spammers trying to turn people off to spamcop? "Jeff G." <jeffg@spamcop.net> wrote in message news:dl8f7d$c5h$1@news.spamcop.net... > "*selah*" <pzion.naax@yahoo.com> wrote in message > news:dl8c5c$afj$1@news.spamcop.net... > [top posting corrected] > > "Berny" <bar_n0ne@hotmail.com> wrote in message > > news:dl6un1$in1$1@news.spamcop.net... > > > From the www.spamcop.net front page: > > > > > > News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wednesday, > November > > 02, > > > 2005 6:30:04 PM +0400) (Email-account news) > > > > > > 11/2/2005 Sporadic System Problems > > [top posting corrected] > > This is what is currently on my www.spamcop.net page: > > NEWS:Postmasters, please limit forgery blow-back: > > Delayed bounces, virus notices, vacation messages More.. > > > > Nothing about password problems. > > What do you see after "News: (Last Modified:"? > > Please stop top posting, as it is considered bad netiquette and gets the > conversation out of order. > > -- > Thanks and Best Regards, Jeff G. > I have been a SpamCop User/Member/Customer since 1999 and am a > Moderator of the new web-based forums (now the primary method for > getting help, http://forum.spamcop.net). Please contact me via Forum > only. > From pzion.naax at yahoo.com Mon Nov 14 03:11:29 2005 From: pzion.naax at yahoo.com (*selah*) Date: Mon Nov 14 02:15:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9cr3$vjo$1@news.spamcop.net> Message-ID: <dl9dap$dp$1@news.spamcop.net> nit-pick "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl9cr3$vjo$1@news.spamcop.net... > Are you people involved in running spamcop - or do you just like to sit > around and act superior to newbees and nick-pick their posts? > > "Jeff G." <jeffg@spamcop.net> wrote in message > news:dl8f7d$c5h$1@news.spamcop.net... > > "*selah*" <pzion.naax@yahoo.com> wrote in message > > news:dl8c5c$afj$1@news.spamcop.net... > > [top posting corrected] > > > "Berny" <bar_n0ne@hotmail.com> wrote in message > > > news:dl6un1$in1$1@news.spamcop.net... > > > > From the www.spamcop.net front page: > > > > > > > > News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wednesday, > > November > > > 02, > > > > 2005 6:30:04 PM +0400) (Email-account news) > > > > > > > > 11/2/2005 Sporadic System Problems > > > > [top posting corrected] > > > This is what is currently on my www.spamcop.net page: > > > NEWS:Postmasters, please limit forgery blow-back: > > > Delayed bounces, virus notices, vacation messages More.. > > > > > > Nothing about password problems. > > > > What do you see after "News: (Last Modified:"? > > > > Please stop top posting, as it is considered bad netiquette and gets > the > > conversation out of order. > > > > -- > > Thanks and Best Regards, Jeff G. > > I have been a SpamCop User/Member/Customer since 1999 and am a > > Moderator of the new web-based forums (now the primary method for > > getting help, http://forum.spamcop.net). Please contact me via Forum > > only. > > > From nobody at spamcop.net Sun Nov 13 23:32:01 2005 From: nobody at spamcop.net (RandallW) Date: Mon Nov 14 02:35:05 2005 Subject: [SpamCop-List] Re: Ralsky et al still spamming ... References: <dl8h7l$di6$1@news.spamcop.net> Message-ID: <dl9ehf$10k$1@news.spamcop.net> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message news:dl8h7l$di6$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z826533845za51d89ba13b2363bac9760e07313de26z > > Just received this crudload of software "offers" in the email this > morning. Stuff which would more than likely be packed with the usual > trojans and zombification viruses. > I suppose his crud would still exist for months/years even if he drove off a cliff tomorrow. From nospam at nospam.nl Mon Nov 14 09:21:33 2005 From: nospam at nospam.nl (geo_splash_12) Date: Mon Nov 14 03:25:09 2005 Subject: [SpamCop-List] Re: MailWasher Pro 5.0 Limit? In-Reply-To: <dl783q$o70$1@news.spamcop.net> References: <dl783q$o70$1@news.spamcop.net> Message-ID: <dl9heg$2jr$1@news.spamcop.net> Jim wrote: > Is there a limit to the number of spam msgs that can be submitted to SpamCop > via MailWasher Pro at any given time? When I try transmitting more than 3 > or 4 msgs the transmission is terminated by the server and none of my msgs > make it to SpamCop. When transmitting just a couple of msgs everything is > fine. > > Thanks! > > Jim Occasionally I saw that Mailwasher got the hickups when you process large volumes of e-mail. This occurred after being a week away and when there are 1000 e-mails with more than 90% spam waiting. It is not smtp server dependent, and it occurs for different pop servers either at home or at work. This is one of the reasons why I switched to other tools, spampal being one of them, although spampal isn't 100% stable either. Ejo -- http://ejos.blogspot.com From jeffg at spamcop.net Mon Nov 14 03:17:10 2005 From: jeffg at spamcop.net (Jeff G.) Date: Mon Nov 14 03:30:02 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl88ol$8e6$1@news.spamcop.net> <dl8cb1$ahf$1@news.spamcop.net> <dl8goa$d2n$1@news.spamcop.net> <dl9coa$vi9$1@news.spamcop.net> Message-ID: <dl9hmh$2n4$1@news.spamcop.net> "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl9coa$vi9$1@news.spamcop.net... > I would suggest that there be an announcement in large letters at the > top of the help page - or preferably on the login page. Assuming that you are talking about www.spamcop.net, the people who have control over its content can be reached via email address service[at]admin.spamcop.net. They chose not to make important announcements available intuitively to people who aren't logged in, unless they use the special URL http://www.spamcop.net/?code=news , possibly because the front page looks better without the dirty laundry. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From porpoise1954 at yahoo.co.uk Mon Nov 14 08:37:30 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Mon Nov 14 03:40:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> Message-ID: <dl9ift$32t$1@news.spamcop.net> "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl9c6g$v3c$1@news.spamcop.net... > > "Jeff G." <jeffg@spamcop.net> wrote in message > news:dl8f7d$c5h$1@news.spamcop.net... >> What do you see after "News: (Last Modified:"? > > There is nothing on the page that says "news: (Last Modified:" There is when I look: Add fuel to your account Please help support this service - buy some reporting fuel today. Fuel is used as you report spam to bypass the nag screen. Unreported Spam Saved: Report Now You have submitted spam which has not yet been reported. Please avoid re-reporting spam. If you have already reported this spam or do not want to report it, please make sure to click "cancel" instead of submitting the report! Remove all unreported spam Forward your spam to: xxxxxx or: Paste entire spam (headers, blank line, body) - or - single address (one line only): Show technical details Select outlook/eudora workaround form News: (Last Modified: Wed Nov 2 14:30:04 2005 GMT Wed, 2 Nov 2005 14:30:04 UTC) (Email-account news) 11/2/2005 Sporadic System Problems We are having sporadic system problems which you may see as failure to be able to log-in or other error messages. Please do not change your password as this will not resolve the problem. Operations and engineering are working on the issues. We thank you for your patience while we track this down. The spamcop email system is not affected and continues to operate. Postmasters, please limit forgery blow-back: Delayed bounces, virus notices, vacation messages More.. From g.hyde at bigpond.net.au Mon Nov 14 19:02:07 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Mon Nov 14 04:05:03 2005 Subject: [SpamCop-List] Re: Ralsky et al still spamming ... References: <dl8h7l$di6$1@news.spamcop.net> <dl9ehf$10k$1@news.spamcop.net> Message-ID: <dl9jqf$3r0$1@news.spamcop.net> "RandallW" <nobody@spamcop.net> wrote in message news:dl9ehf$10k$1@news.spamcop.net... > > "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message > news:dl8h7l$di6$1@news.spamcop.net... >> http://www.spamcop.net/sc?id=z826533845za51d89ba13b2363bac9760e07313de26z >> >> Just received this crudload of software "offers" in the email this >> morning. Stuff which would more than likely be packed with the usual >> trojans and zombification viruses. >> > > I suppose his crud would still exist for months/years even if he drove off > a cliff tomorrow. If I had any money to waste, I'd bet on it. <g> Cheers ... Geoffrey Hyde From nobody at nowhere.invalid Mon Nov 14 10:58:41 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Nov 14 05:01:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9cr3$vjo$1@news.spamcop.net> <dl9dap$dp$1@news.spamcop.net> Message-ID: <slrndngnuh.3tf.nobody@127.0.0.1> On Mon, 14 Nov 2005 03:11:29 -0500, *selah* coughed into spamcop and left this in <dl9dap$dp$1@news.spamcop.net>: > nit-pick What a good way you have of asking for help. *PLONK* -- Steve If you don't pay your exorcist, do you get repossessed? From jhb at vbe.com Mon Nov 14 04:25:35 2005 From: jhb at vbe.com (Jim) Date: Mon Nov 14 05:30:30 2005 Subject: [SpamCop-List] Re: MailWasher Pro 5.0 Limit? References: <dl783q$o70$1@news.spamcop.net> <dl9heg$2jr$1@news.spamcop.net> Message-ID: <dl9oo8$6au$1@news.spamcop.net> I switched my submissions to another smtp server and all is well. Thanks for the input! Jim "geo_splash_12" <nospam@nospam.nl> wrote in message news:dl9heg$2jr$1@news.spamcop.net... > Jim wrote: > >> Is there a limit to the number of spam msgs that can be submitted to >> SpamCop via MailWasher Pro at any given time? When I try transmitting >> more than 3 or 4 msgs the transmission is terminated by the server and >> none of my msgs make it to SpamCop. When transmitting just a couple of >> msgs everything is fine. >> >> Thanks! >> >> Jim > > Occasionally I saw that Mailwasher got the hickups when you process large > volumes of e-mail. This occurred after being a week away and when there > are 1000 e-mails with more than 90% spam waiting. It is not smtp server > dependent, and it occurs for different pop servers either at home or at > work. This is one of the reasons why I switched to other tools, spampal > being one of them, although spampal isn't 100% stable either. > > Ejo > -- > http://ejos.blogspot.com From redford_stone at INVERSE_OF_COLDmail.com Mon Nov 14 10:38:08 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Mon Nov 14 05:40:02 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> Message-ID: <Xns970E1AD1D511Ftinlc@216.154.195.61> "Berny" <bar_n0ne@hotmail.com> wrote in news:dl9cdb$v7m$1@news.spamcop.net: >> SNIPPED > > We should add to that lycos, the behaviour for tripod.com websites is > exactly similar. > > The problem is, that while this gets a LART to Yahoo, or Lycos, it > does not register the site on SURBL (or was that DURBL). > > I also wish some remark like SC only parses 1/100 instances of > geocities or tripod sites, because even flaky tietong sites are mostly > getting parsed nowadays. As it is the behaviour seems too focussed to > be a bug. > > > > SCURBL? Been doing manual reports through their abuse form on Geocities and Tripod until this problem is fixed. From redford_stone at INVERSE_OF_COLDmail.com Mon Nov 14 10:40:03 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Mon Nov 14 05:45:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <dkv5pr$pq$1@news.spamcop.net> <Xns970A7D1D5F8BEtinlc@216.154.195.61> <dl0shv$2af$1@news.spamcop.net> <Xns970B52711D08tinlc@216.154.195.61> <dl1nut$kme$1@news.spamcop.net> <Xns970C1D6C39AB4tinlc@216.154.195.61> <dl4uoq$drl$1@news.spamcop.net> Message-ID: <Xns970E1B247AA34tinlc@216.154.195.61> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in news:dl4uoq$drl$1 @news.spamcop.net: >> >> >> Only problem, they don't sit well in the sun. :-) > > Errrmmmm... Neither do CDs.......!!?? > > > (Response includes Steven Maesslein too.) True .. CDs don't enjoy prolonged exposure, but CDs last a bit longer than tapes do in the sun. :-) From redford_stone at INVERSE_OF_COLDmail.com Mon Nov 14 10:44:47 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Mon Nov 14 05:45:25 2005 Subject: [SpamCop-List] Re: Ralsky et al still spamming ... References: <dl8h7l$di6$1@news.spamcop.net> <dl9ehf$10k$1@news.spamcop.net> <dl9jqf$3r0$1@news.spamcop.net> Message-ID: <Xns970E1BF249F07tinlc@216.154.195.61> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in news:dl9jqf$3r0$1@news.spamcop.net: >>> http://www.spamcop.net/sc? id=z826533845za51d89ba13b2363bac9760e07313d >>> e26z >>> >>> Just received this crudload of software "offers" in the email this >>> morning. Stuff which would more than likely be packed with the usual >>> trojans and zombification viruses. >>> >> >> I suppose his crud would still exist for months/years even if he >> drove off a cliff tomorrow. > > If I had any money to waste, I'd bet on it. <g> > > It appears that Ralsky is back to his old tricks. (Though I am not receiving as much as before.) Seems that whatever the feds did, it was not enough to take him out completely. From redford_stone at INVERSE_OF_COLDmail.com Mon Nov 14 10:48:14 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Mon Nov 14 05:50:02 2005 Subject: [SpamCop-List] Re: spamhaus pwebtech.com and MLM scammers mentorswin.com References: <responseguard-CD01D6.09331913112005@news.cesmail.net> Message-ID: <Xns970E1C87F77B9tinlc@216.154.195.61> Hey Bob, do you still have your megahuge map of spammers? Could you please post the link again? From MikeE at ster.invalid Mon Nov 14 04:49:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 07:50:21 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> Message-ID: <dla148$b5f$1@news.spamcop.net> Berny wrote: > The problem is, that while this gets a LART to Yahoo, or Lycos, it > does not register the site on SURBL (or was that DURBL). Spam URI Realtime Blocklists http://www.surbl.org/ However, the adaptation of my suggested optional parser configuration would. news://news.spamcop.net/dkg6rq$327$1@news.spamcop.net Subject: Parser configuration option proposal Date: Fri, 4 Nov 2005 09:47:37 -0800 However, that proposal would not be notifying, which is what Frank's method does. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Nov 14 05:02:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 08:05:08 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl88ol$8e6$1@news.spamcop.net> <dl8cb1$ahf$1@news.spamcop.net> <dl8goa$d2n$1@news.spamcop.net> <dl9coa$vi9$1@news.spamcop.net> <dl9hmh$2n4$1@news.spamcop.net> Message-ID: <dla1sl$bo4$1@news.spamcop.net> Jeff G. wrote: > "*selah*" >> I would suggest that there be an announcement in large letters at the >> top of the help page - or preferably on the login page. > They chose not to make important > announcements available intuitively to people who aren't logged in, Naturally that would result in a Catch-22 regarding problems with "We are having sporadic system problems which you may see as failure to be able to log-in or other error messages. Please do not change your password as this will not resolve the problem." Perhaps there should be a link to http://www.spamcop.net/?code=news on the front page for those who aren't logged in. > unless they use the special URL http://www.spamcop.net/?code=news , > possibly because the front page looks better without the dirty > laundry. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Nov 14 05:34:52 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 08:35:04 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> <Xns970E1AD1D511Ftinlc@216.154.195.61> Message-ID: <dla3pj$cpt$1@news.spamcop.net> Redstone wrote: > "Berny" >> The problem is, that while this gets a LART to Yahoo, or Lycos, it >> does not register the site on SURBL (or was that DURBL). > SCURBL? What gets posted to the stats page - Spamvertised Web Sites http://www.spamcop.net/w3m?action=inprogress;type=www ... gets db/ed to the sc-surbl - sc.surbl.org Data "Source data for the sc.surbl.org spam URI list comes from reports sent to SpamCop." http://www.surbl.org/data.html Front page with frames http://www.surbl.org/ Spam URI Realtime Blocklists SA 2.6x can use the SpamCopURI to filter on those surbl listings, SA 3.x can use multiple different URL [uri] blocklists including that surbl has multiple lists, sc-surbl, ws-surbl, etc for other sources besides the SpamCop derived one. Currently surbl has 6 different sources and also 6 different returns for each of them Other filters than SA can also use the surbl/s. One important point is that SC is completely and totally toothless in its own function regarding spamvertisers. The spamvertiser doesn't even have to listen to the noise of spamcop reports, much less take any kind of action. Unlike spamsource issues, for which there is a SCbl, there is no consequence [spamcop-wise] of being a spamvertiser. If spamhaus or spews haven't decided to list a spamvertising IP, there is no adverse consequence to spamvertising. So, surbl is a valuable resource in spamfighting and filtering. SpamCop should be doing everything in its power to help the listing function for the sc-surbl. When SC fails to put reported the spamvertisers for its reported spam on its statistics page, it is hurting the sc-surbl functionality and helping the spamvertiser. SC should modify its parser to get more spamvertisers [unresolved in my opinion] to the stats page. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Mon Nov 14 14:37:23 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Nov 14 08:40:02 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <slrndnbkus.vf5.nobody@127.0.0.1> <Xns970E1B679A021tinlc@216.154.195.61> Message-ID: <slrndnh4oj.8f6.nobody@127.0.0.1> On Mon, 14 Nov 2005 10:41:35 +0000 (UTC), Redstone coughed into spamcop and left this in <Xns970E1B679A021tinlc@216.154.195.61>: >> Userfriendly.org have just put out their take on the issue: >> >> http://ars.userfriendly.org/cartoons/?id=20051112&mode=classic > > LOL! This is certainly to have some far reaching effects in the forseeable > future. Lucky Sony. :-) They're not done with Sony yet :o) http://ars.userfriendly.org/cartoons/?id=20051114&mode=classic -- Steve The box said: "Requires Windows 98/2000/XP/NT, or better." So, I installed LINUX! From MikeE at ster.invalid Mon Nov 14 05:42:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 08:45:03 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> <Xns970E1AD1D511Ftinlc@216.154.195.61> <dla3pj$cpt$1@news.spamcop.net> Message-ID: <dla47f$d6d$1@news.spamcop.net> Mike Easter wrote: > SpamCop should be doing everything in its power to help the listing > function for the sc-surbl. When SC fails to put reported the > spamvertisers for its reported spam on its statistics page, it is > hurting the sc-surbl functionality and helping the spamvertiser. Oops. A little jumble there. Delete the first 'reported' When SC fails to put the spamvertisers for its reported spam on its statistics page, it is hurting the sc-surbl functionality and helping the spamvertiser [evade the sc-surbl listing]. > SC should modify its parser to get more spamvertisers [unresolved in > my opinion] to the stats page. IMO, all spamvertisers for reported spam, resolved or unresolved, which are not unchecked by the reporter as IB, should go to the stats page. -- Mike Easter kibitzer, not SC admin From bar_n0ne at hotmail.com Mon Nov 14 17:58:11 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon Nov 14 09:00:03 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> <Xns970E1AD1D511Ftinlc@216.154.195.61> <dla3pj$cpt$1@news.spamcop.net> <dla47f$d6d$1@news.spamcop.net> Message-ID: <dla55m$dil$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dla47f$d6d$1@news.spamcop.net... > Mike Easter wrote: > SNIP > IMO, all spamvertisers for reported spam, resolved or unresolved, which > are not unchecked by the reporter as IB, should go to the stats page. Frank Ellerman recently stated that SURBL gets its URLS in a different way now, and no longer relies on the stats page. However, I bet it still relies on the URL parsing,offering a notify, and being checked for a notify. Otherwise there would be no way for a reporter to bypass IB's. The stat's page fed a very limited subset of Spamvertised URLs namely only URLs reported from very fresh spam. Apparently the new method is a direct feed of some sort. negotiated between Ironport and SURBL. From bar_n0ne at hotmail.com Mon Nov 14 18:11:22 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon Nov 14 09:15:02 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> <Xns970E1AD1D511Ftinlc@216.154.195.61> <dla3pj$cpt$1@news.spamcop.net> <dla47f$d6d$1@news.spamcop.net> <dla55m$dil$1@news.spamcop.net> Message-ID: <dla5uf$e64$1@news.spamcop.net> "Berny" <bar_n0ne@hotmail.com> wrote in message news:dla55m$dil$1@news.spamcop.net... > Of course most of what I said earlier is mainly speculation. as SC does not tell. From MikeE at ster.invalid Mon Nov 14 06:21:34 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 09:25:02 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> <Xns970E1AD1D511Ftinlc@216.154.195.61> <dla3pj$cpt$1@news.spamcop.net> <dla47f$d6d$1@news.spamcop.net> <dla55m$dil$1@news.spamcop.net> Message-ID: <dla6h5$eis$1@news.spamcop.net> Berny wrote: > "Mike Easter" >> IMO, all spamvertisers for reported spam, resolved or unresolved, >> which are not unchecked by the reporter as IB, should go to the >> stats page. > > Frank Ellerman recently stated that SURBL gets its URLS in a > different way now, and no longer relies on the stats page. However, > I bet it still relies on the URL parsing,offering a notify, and being > checked for a notify. Otherwise there would be no way for a reporter > to bypass IB's. Of course. When Frank expressed that the sc-surbl/s were no longer scraped from the page, I posited that wherever and however surbl was getting them, what they would be getting would be the same as what was posted on the stats page. We're only discussing the semantics of how they are 'scraped' or derived. > The stat's page fed a very limited subset of Spamvertised URLs namely > only URLs reported from very fresh spam. Apparently the new method is > a direct feed of some sort. negotiated between Ironport and SURBL. The important point is that whatever the method that it contain all of the spamvertisers, not just some small subset which SC resolved, or chose to resolve, or decided to resolve, or managed to resolve. All of the spamvertiser should be made available to surbl. Forget about resolving them. If surbl wants to resolve them, let them. The surbl lists both the domainname and the resolved IP, as I understand it. What surbl wants to do with unresolved spamvertiser URLs is surbl's business. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Nov 14 06:31:25 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 09:35:02 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> <Xns970E1AD1D511Ftinlc@216.154.195.61> <dla3pj$cpt$1@news.spamcop.net> <dla47f$d6d$1@news.spamcop.net> <dla55m$dil$1@news.spamcop.net> Message-ID: <dla73k$evf$1@news.spamcop.net> Berny wrote: > The stat's page fed a very limited subset of Spamvertised URLs namely > only URLs reported from very fresh spam. I thought the stats page *displayed* only relatively fresh links, in the last 30 minutes, aging them off very quickly. "Lists IP or address and quantity for reported spam within the last 30 minutes". The page doesn't describe it as displaying a 'limited subset' -- altho' it certainly could be. The stats information falls into that so-called 'undiscussable' category, so it isn't likely that we will get cleared up on it. But, the thrust of my argument is not about what is or isn't on 'the page' -- the thrust of my argument is about getting both resolved and unresolved spamvertisers into the sc-surbl. I'm just using the stats page as a method of talking about the fact that unresolved spamvertisers are not reported, not reported to, not stat paged, not fed to the sc-surbl, not nothin'. All of the spamvertisers, resolved or unresolved, which aren't unchecked by the reporter, should be fed to the sc-surbl. It is my current opinion that only the resolved and reported spamvertisers are fed. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Mon Nov 14 08:50:43 2005 From: nobody at spamcop.net (Ellen) Date: Mon Nov 14 10:15:05 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> Message-ID: <dla9dq$g51$1@news.spamcop.net> "*selah*" <pzion.naax@yahoo.com> wrote in message news:dl9c6g$v3c$1@news.spamcop.net... > > "Jeff G." <jeffg@spamcop.net> wrote in message > news:dl8f7d$c5h$1@news.spamcop.net... > > What do you see after "News: (Last Modified:"? > > There is nothing on the page that says "news: (Last Modified:" > > This is the page: > > Help | Site Map | Text size: - + > > Report Spam Filtered Email Blocking List Statistics Login > SpamCop is the premier service for reporting spam. SpamCop determines > the origin of unwanted email and reports it to the relevant Internet > service providers. By reporting spam, you have a positive impact on the > problem. Reporting unsolicited email also helps feed spam filtering > systems, including, but not limited to, SpamCop's own service. > Thanks -- I have opened a bug on this. Ellen SpamCop From jg at coks.net Mon Nov 14 07:23:26 2005 From: jg at coks.net (jg) Date: Mon Nov 14 10:25:04 2005 Subject: [SpamCop-List] Re: password issues In-Reply-To: <dl9ift$32t$1@news.spamcop.net> References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dl9ift$32t$1@news.spamcop.net> Message-ID: <dlaa1q$gj5$1@news.spamcop.net> On 11/14/2005 12:37 AM Porpoise scribbled: > 11/2/2005 Sporadic System Problems > We are having sporadic system problems which you may see as failure to be > able to log-in or other error messages. Please do not change your password > as this will not resolve the problem. > > Operations and engineering are working on the issues. We thank you for your > patience while we track this down. > > The spamcop email system is not affected and continues to operate. > > Postmasters, please limit forgery blow-back: > Delayed bounces, virus notices, vacation messages More.. > > I don't know the reason and don't intend to extend this thread, but as I noted earlier, this /does not/ seem to appear in every screen - I see it upon 1st sign on in the input screen @ members.spamcop.net but after submitting a report, it doesn't seem to return. This is just to try and help clarify any confusion as to where the statement (about sys problems) appears and why some folks may miss it... From nobody at xyzzy.claranet.de Mon Nov 14 17:39:03 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Nov 14 11:45:07 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> Message-ID: <4378BDA7.696D@xyzzy.claranet.de> Berny wrote: > The problem is, that while this gets a LART to Yahoo, or > Lycos, it does not register the site on SURBL True. OTOH ??.geocities.com is whitelited on SURBL (there are some non-spam usages of this hoster), so that's no loss. For tripod it's different, the URLs there have the form spammy.tripod.com (unlike ??.geocities.com/spammy/ ), and SURBL can now list spammy.tripod.com without hitting any innocent.tripod.com (unlike ??.geocities.com/innocent/ ) So for tripod.com I stick to the "repeated reload" trick. Sooner or later it works, and from my POV tripod.com is still rare. For geocities I've now reduced it to about 15 attempts, if it then still doesn't work I use the "preferences" kludge. > the behaviour seems too focussed to be a bug Hard to tell without an official statement from SpamCop's management. Bye, Frank From nobody at devnull.spamcop.net Mon Nov 14 11:04:22 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Nov 14 12:05:02 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> Message-ID: <dlag2m$jnp$1@news.spamcop.net> "Ellen" <nobody@spamcop.net> wrote in message news:dla9dq$g51$1@news.spamcop.net... > > > This is the page: > > > > Help | Site Map | Text size: - + > > > > Report Spam Filtered Email Blocking List Statistics Login > > SpamCop is the premier service for reporting spam. SpamCop determines > > the origin of unwanted email and reports it to the relevant Internet > > service providers. By reporting spam, you have a positive impact on the > > problem. Reporting unsolicited email also helps feed spam filtering > > systems, including, but not limited to, SpamCop's own service. > > Thanks -- I have opened a bug on this. ???? That there is a difference between the contents of a "Welcome" page and a "Logged In" page doesn't really strike me as a "bug" ???? On the other hand, noting that the Forum page now has a link showing the Parsing & Reporting system status .. and that even survived a hard drive failure where some of the Forum functions didn't work. While looking at things this morning, I added the same data to the Portal page I created .... http://forum.spamcop.net/forums/index.php?act=home Official or not, it's still another resource that is identified in the official SpamCop.net FAQ, Help pages, IronPort documentation, on and on .... Put it to some good use ... From MikeE at ster.invalid Mon Nov 14 09:32:05 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 12:35:12 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> Message-ID: <dlahmb$mjt$1@news.spamcop.net> WazoO wrote: > "Ellen" >>> SpamCop is the premier service for reporting spam. >> Thanks -- I have opened a bug on this. > > ???? That there is a difference between the contents of a "Welcome" > page and a "Logged In" page doesn't really strike me as a "bug" ???? We are discussing the 'fine' point of a *website* link to access to the important news that there is a pw problem if you aren't logged in with your pw. > http://forum.spamcop.net/forums/index.php?act=home > Official or not, it's still another resource While I applaud every effort to make the forum as comprehensive as it can possibly be, there is also a concept that important information should be obtained by those who never visit the forum. That information can come from the website or the ng/s as well. The information should be available to those who never visit the ng/s /or/ the forum. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Mon Nov 14 12:28:03 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Mon Nov 14 13:30:07 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> Message-ID: <dlakvj$o49$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlahmb$mjt$1@news.spamcop.net... > > We are discussing the 'fine' point of a *website* link to access to the > important news that there is a pw problem if you aren't logged in with > your pw. Yet the reason for my adding the graphic link was based in the historical fact that the "news" link doesn't seem to be touched in a timely fashion to begin with. Even the "few" entries dealing with the system being down are rarely followed up with "fixed" status note. As stated in my documenting this addition, it was placed there to try to head off all the "is it down" questions. Julian rarely posted "news" as he was elbows deep in resolving issues. Deputies aren't around all the time 'reporting' and from appearances, not all of them gave the ability to "touch" the web pages to provide these updates. IronPort staffers that are maintaining the systems haven't made their presence known anywhere (though no one has yet actually taken credit for that last monster font entry on password issues a while back.) > > http://forum.spamcop.net/forums/index.php?act=home > > Official or not, it's still another resource > > While I applaud every effort to make the forum as comprehensive as it > can possibly be, there is also a concept that important information > should be obtained by those who never visit the forum. Technically, the referenced page isn't "the forum" per se, just an entry page that does contain Forum postings .... recall, it was built and and provided as a possible spot for newcomers to find and get some quick answers .... based on complaints from folks that didn't find data needed on the existing "welcome" page (hmmm, sound familiar?) > That information can come from the website or the ng/s as well. The > information should be available to those who never visit the ng/s /or/ > the forum. The opportune word here thus far is "links" ..... where to get data. The background is once again dealing with web pages that never seem to get updated. And as above, even if a "news" link was added to the "welcome" page, that the "news" isn't there won't help much. That the "parsing & reporting system is down" announcements have shown up in the Forum Announcements much quicker than any "official" entry is pretty much a historical fact. You'll note that all of the "limited" drops (assumedly based on re-booting of systems) has never been mentioned in the "news" link, and newsgroup traffic has been generated by those unfortunate few that tried to logon/report during those blank spots .... From MikeE at ster.invalid Mon Nov 14 11:05:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 14:05:09 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> <dlakvj$o49$1@news.spamcop.net> Message-ID: <dlan4l$pne$1@news.spamcop.net> WazoO wrote: > "Mike Easter" >> We are discussing the 'fine' point of a *website* link to access to >> the important news that there is a pw problem if you aren't logged >> in with your pw. > > Yet the reason for my adding the graphic link was based in the > historical fact that the "news" link doesn't seem to be touched > in a timely fashion to begin with. And therein lies the issue of what is a bug or whatever you might want to call a need for a recommendation that someone look at the somehows of how something/s get done. Some SC *webpages* are continuously updated in realtime automagically, such as the stats page http://www.spamcop.net/w3m?action=inprogress;type=www which shows things input only minutes ago. That process of page realtime immediate updating doesn't require approval by the IronPort legal staff or anything else. A different type of example chosen to illustrate the point of timely information happening on a webpage. Altho' I wasn't watching the dynamics of the information release in the webforum, I'm sure it was extremely timely and uptodate. There was also very timely outage and upage information in the ng/s. There was an important webpage deficiency. We are talking about that. I think there should be a 'concept' and authority enhanced with a protocol about where and how to post 'important' news. One, two, three, four. That posting concept isn't just the forum. It also isn't just the ng/s. That's what I was trying to say. I can't speak for Ellen, I don't know exactly what /she/ was trying to say. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Nov 14 12:36:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 15:40:17 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> <dlakvj$o49$1@news.spamcop.net> <dlan4l$pne$1@news.spamcop.net> Message-ID: <dlasgn$tf7$1@news.spamcop.net> Mike Easter wrote: > Some SC *webpages* are continuously updated in realtime automagically, > such as the stats page Some SC webpages are updated by a deputy human, indirectly. When a deputy edit updates the routing information, it is accessible as webpage information. How hard would it be for a deputy to have access to editing a news 'database' which information is reflected on a SC webpage of news? -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Mon Nov 14 15:36:18 2005 From: nobody at spamcop.net (Ellen) Date: Mon Nov 14 15:50:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> Message-ID: <dlat83$tvs$1@news.spamcop.net> "WazoO" <nobody@devnull.spamcop.net> wrote in message news:dlag2m$jnp$1@news.spamcop.net... > "Ellen" <nobody@spamcop.net> wrote in message > news:dla9dq$g51$1@news.spamcop.net... > > > > Thanks -- I have opened a bug on this. > > ???? That there is a difference between the contents of a "Welcome" > page and a "Logged In" page doesn't really strike me as a "bug" ???? It strikes me as bug when I have a system note up there saying there are intermittent system problems and not to try to get a new password and the person who isn't logged in and is about to try to log in can't see it and can't get logged in. > > On the other hand, noting that the Forum page now has a link > showing the Parsing & Reporting system status .. and that even > survived a hard drive failure where some of the Forum functions > didn't work. While looking at things this morning, I added the > same data to the Portal page I created .... > http://forum.spamcop.net/forums/index.php?act=home > Official or not, it's still another resource that is identified in > the official SpamCop.net FAQ, Help pages, IronPort > documentation, on and on .... Put it to some good use ... > > Put what to some good use? Tell people to look at the stats pages to see if the system is up or not? Ellen SpamCop From nobody at spamcop.net Mon Nov 14 15:42:40 2005 From: nobody at spamcop.net (Ellen) Date: Mon Nov 14 15:50:25 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> <dlakvj$o49$1@news.spamcop.net> Message-ID: <dlat83$tvs$2@news.spamcop.net> "WazoO" <nobody@devnull.spamcop.net> wrote in message news:dlakvj$o49$1@news.spamcop.net... > > Yet the reason for my adding the graphic link was based in the > historical fact that the "news" link doesn't seem to be touched > in a timely fashion to begin with. Really? well I make a hell of an effort to update that page when there is something to say. Of coure when there is an unscheduled system failure I can't update the page. Sorry that you think that the link is not being updated in a timely fashion. >Even the "few" entries dealing > with the system being down are rarely followed up with "fixed" > status note. As stated in my documenting this addition, it was > placed there to try to head off all the "is it down" questions. When the news disappears then you can assume that the problem is fixed. > > Julian rarely posted "news" as he was elbows deep in resolving > issues. Deputies aren't around all the time 'reporting' and from > appearances, not all of them gave the ability to "touch" the web > pages to provide these updates. We all have the ability to change the news actually. And we tend to be around pretty close to 24/7 altho on weekends perhaps less so. When we see system problems *and* the system is up sufficiently to update the page we do and post -- else we post here. > > You'll note that all of the "limited" drops > (assumedly based on re-booting of systems) has never been mentioned > in the "news" link Oddly enough if the webservers are down or access to them is unavailable then we can't update the news. We try to keep the news as timely as possible. Ellen SpamCop SpamCop From nobody at spamcop.net Mon Nov 14 15:46:00 2005 From: nobody at spamcop.net (Ellen) Date: Mon Nov 14 15:50:32 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> <dlakvj$o49$1@news.spamcop.net> <dlan4l$pne$1@news.spamcop.net> Message-ID: <dlat83$tvs$3@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlan4l$pne$1@news.spamcop.net... > > That's what I was trying to say. I can't speak for Ellen, I don't know > exactly what /she/ was trying to say. > > I don't know precisely what you are referring to but when I have news to post on the webpage I post it. If I know about a maint window or other upcoming event I post it. If I know about ongoing issues that might intermittently cause system issues I post it. If the system doesn't allow me to log-in then I can't get to the webpage to post anything. Do I post about things that have happened and are over? No, not usually. I do also post here in the newsgroups about any events that I am aware of. Ellen SpamCop From MikeE at ster.invalid Mon Nov 14 13:02:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 16:05:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> <dlakvj$o49$1@news.spamcop.net> <dlan4l$pne$1@news.spamcop.net> <dlat83$tvs$3@news.spamcop.net> Message-ID: <dlatvv$upe$1@news.spamcop.net> Ellen wrote: > "Mike Easter" >> That's what I was trying to say. I can't speak for Ellen, I don't >> know exactly what /she/ was trying to say. > > I don't know precisely what you are referring to but when I have news > to post on the webpage I post it. If I know about a maint window or > other upcoming event I post it. If I know about ongoing issues that > might intermittently cause system issues I post it. If the system > doesn't allow me to log-in then I can't get to the webpage to post > anything. Do I post about things that have happened and are over? No, > not usually. I do also post here in the newsgroups about any events > that I am aware of. I only meant that my discussion with WazoO which stemmed from his remark to your 'bug' remark was expressing /my/ point of view, and was not meant to try to express your point of view when you said: Ellen wrote: > Thanks -- I have opened a bug on this. -- Mike Easter kibitzer, not SC admin From h9vzc2i02 at sneakemail.com Mon Nov 14 13:12:46 2005 From: h9vzc2i02 at sneakemail.com (Anon_) Date: Mon Nov 14 16:15:03 2005 Subject: [SpamCop-List] Re: Now PHISHES are also for Internet and Email passwords References: <BF9C0A73.16471%nobody@spamcop.net> Message-ID: <dlauiq$v72$1@news.spamcop.net> "nospam" <nobody@spamcop.net> wrote in message news:BF9C0A73.16471%nobody@spamcop.net... > I don't have the tracker, but no matter. > > Different from sms.ac and hi5 methods, > > I received a PHISH spam today, in the style of the usual bank/ebay/Paypal > PHISHES, but it was purportedly to verify my ISP account. > > It was very primitive, so I'm not sure exactly what they were after. > > The PHISH site was linked through a google redirect (How do I LART that?) > > the "visible" link was my.isp.com/something (No, that's not the name of my > ISP) > **** Were you aware that there really IS an ISP whose url is <isp.com>?? So be careful what dummy ISP you use. -- A SpamCop user and forum reader, Not Admin *** > It was so badly done that almost no one would be fooled, but then so were > bank PHISHes not so long ago, and they still got their victims. > From pzion.naax at yahoo.com Mon Nov 14 17:49:56 2005 From: pzion.naax at yahoo.com (*selah*) Date: Mon Nov 14 16:50:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> Message-ID: <dlb0pn$kn$1@news.spamcop.net> Thanks. "Ellen" <nobody@spamcop.net> wrote in message news:dla9dq$g51$1@news.spamcop.net... > > > "*selah*" <pzion.naax@yahoo.com> wrote in message > news:dl9c6g$v3c$1@news.spamcop.net... > > > > "Jeff G." <jeffg@spamcop.net> wrote in message > > news:dl8f7d$c5h$1@news.spamcop.net... > > > What do you see after "News: (Last Modified:"? > > > > There is nothing on the page that says "news: (Last Modified:" > > > > This is the page: > > > > Help | Site Map | Text size: - + > > > > Report Spam Filtered Email Blocking List Statistics Login > > SpamCop is the premier service for reporting spam. SpamCop determines > > the origin of unwanted email and reports it to the relevant Internet > > service providers. By reporting spam, you have a positive impact on the > > problem. Reporting unsolicited email also helps feed spam filtering > > systems, including, but not limited to, SpamCop's own service. > > > > Thanks -- I have opened a bug on this. > > Ellen > SpamCop > > From jeffg at spamcop.net Mon Nov 14 15:37:28 2005 From: jeffg at spamcop.net (Jeff G.) Date: Mon Nov 14 17:55:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dl9ift$32t$1@news.spamcop.net> <dlaa1q$gj5$1@news.spamcop.net> Message-ID: <dlb4e8$2qu$1@news.spamcop.net> "jg" <jg@coks.net> wrote in message news:dlaa1q$gj5$1@news.spamcop.net... > On 11/14/2005 12:37 AM Porpoise scribbled: > > 11/2/2005 Sporadic System Problems > I don't know the reason and don't intend to extend this thread, but as I > noted earlier, this /does not/ seem to appear in every screen - I see it > upon 1st sign on in the input screen @ members.spamcop.net but after > submitting a report, it doesn't seem to return. > This is just to try and help clarify any confusion as to where the > statement (about sys problems) appears and why some folks may miss it... It will return if you click on the "Report Spam" Tab in the top left corner. It appears to have been removed from results pages due to some misplaced concern for clutter vs. relevancy. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From jeffg at spamcop.net Mon Nov 14 15:40:47 2005 From: jeffg at spamcop.net (Jeff G.) Date: Mon Nov 14 17:55:20 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> Message-ID: <dlb4e9$2qu$2@news.spamcop.net> "WazoO" <nobody@devnull.spamcop.net> wrote in message news:dlag2m$jnp$1@news.spamcop.net... > "Ellen" <nobody@spamcop.net> wrote in message > news:dla9dq$g51$1@news.spamcop.net... > > > > > This is the page: > > > > > > Help | Site Map | Text size: - + > > > > > > Report Spam Filtered Email Blocking List Statistics Login > > > SpamCop is the premier service for reporting spam. SpamCop determines > > > the origin of unwanted email and reports it to the relevant Internet > > > service providers. By reporting spam, you have a positive impact on the > > > problem. Reporting unsolicited email also helps feed spam filtering > > > systems, including, but not limited to, SpamCop's own service. > > > > Thanks -- I have opened a bug on this. > > ???? That there is a difference between the contents of a "Welcome" > page and a "Logged In" page doesn't really strike me as a "bug" ???? To my mind, it is a "bug" in that Members and Customers that have problems logging in can't see the News that explains why they might be having those problems. Thanks to Ellen for opening "a bug on this". -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From blacklist-me at davjam.org Mon Nov 14 23:50:23 2005 From: blacklist-me at davjam.org (David Bolt) Date: Mon Nov 14 18:55:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0sju$2at$1@news.spamcop.net> <Xns970B6BCA7433tinlc@216.154.195.61> <dl21ck$pdk$1@news.spamcop.net> Message-ID: <VceKheV$KSeDFwlH@dev.null.davjam.org> On Fri, 11 Nov 2005, Porpoise <porpoise1954@yahoo.co.uk> wrote:- >Locked permanently (or until you get an unlock code from the manufacturer - >after you've explained how you came to change region so many times). Unless you've a Lite-ON drive, which includes some Sony drives. There's a very useful utility that comes in very useful when using different region DVDs: <URL:http://dhc014.rpc1.org/LtnRPC/> Regards, David Bolt -- Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/ AMD1800 1Gb WinXP/SuSE 9.3 | AMD1300 512Mb SuSE 9.0 | AMD2400 256Mb SuSE 9.0 AMD2400 768Mb SuSE 10.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62 RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11 From g.hyde at bigpond.net.au Tue Nov 15 10:32:43 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Mon Nov 14 19:35:04 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0sju$2at$1@news.spamcop.net> <Xns970B6BCA7433tinlc@216.154.195.61> <dl21ck$pdk$1@news.spamcop.net> <VceKheV$KSeDFwlH@dev.null.davjam.org> Message-ID: <dlbad8$67p$1@news.spamcop.net> "David Bolt" <blacklist-me@davjam.org> wrote in message news:VceKheV$KSeDFwlH@dev.null.davjam.org... > On Fri, 11 Nov 2005, Porpoise <porpoise1954@yahoo.co.uk> wrote:- > >>Locked permanently (or until you get an unlock code from the >>manufacturer - >>after you've explained how you came to change region so many times). > > Unless you've a Lite-ON drive, which includes some Sony drives. There's > a very useful utility that comes in very useful when using different > region DVDs: Yes but installing some Sony drives also means a rootkit gets installed. I am not supporting Sony's abuse of my computer, nor will I support them helping viruses and trojans to infect my computer. Cheers ... Geoffrey Hyde From jg at coks.net Mon Nov 14 17:06:07 2005 From: jg at coks.net (jg) Date: Mon Nov 14 20:05:04 2005 Subject: [SpamCop-List] Grand Opening!!! Message-ID: <dlbc6b$79k$1@news.spamcop.net> http://www.spamcop.net/sc?id=z827029059zc21c657d6a2fdb967ad3f293da1ce586z come and get your free toaster... From nobody at spamcop.net Tue Nov 15 06:28:35 2005 From: nobody at spamcop.net (nospam) Date: Mon Nov 14 21:30:19 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlat83$tvs$1@news.spamcop.net> Message-ID: <BF9F3093.164E0%nobody@spamcop.net> in article dlat83$tvs$1@news.spamcop.net, Ellen at nobody@spamcop.net wrote on 15/11/05 12:36 AM: SNIP > It strikes me as bug when I have a system note up there saying there are > intermittent system problems and not to try to get a new password and the > person who isn't logged in and is about to try to log in can't see it and > can't get logged in. > > SNIP > > Put what to some good use? Tell people to look at the stats pages to see if > the system is up or not? My $.02, I had been seeing the announcement about password problems for sometime. By the time it actually happened to me (yah, it hit me) I simply waited a while, and indeed later everything worked normally again. So that News/announcement bit in it's location is fine, and any regular reporter (at least those that don't go directly to their spam from an emailed link), would, or should have been aware of the problem before they were affected. So It's my opinion that SC did OK in advising it's user community. The only Further step might have been to post the notice in the login/update page before people fruitlessly tried to monkey with their passwords. From MikeE at ster.invalid Mon Nov 14 18:36:56 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 14 21:40:03 2005 Subject: [SpamCop-List] Re: Grand Opening!!! References: <dlbc6b$79k$1@news.spamcop.net> Message-ID: <dlbhjs$a7q$1@news.spamcop.net> jg wrote: www.spamcop.net/sc?id=z827029059zc21c657d6a2fdb967ad3f293da1ce586z > > come and get your free toaster... Naturally I had to inspect that to see if there was [should be 'were'] anything about a free toaster in there. Seems like it was back in the 50s or so when grand openings or new bank accounts would give you a free toaster or food mixer or some similar -- but nooooo. No here. There was a grand pharm spam opening, but no free toaster. So I decided to editorialize on something else. Your cox headers are 'dumb' -- for lack of a better word. from fed1rmgxi02.cox.net ([221.2.158.80]) by fed1rmmtai17.cox.net from aol.com ([221.2.158.80]) by fed1rmgxi02.cox.net Those headers are wrong, a lie. And the lie was created by the cox stamp, not the spammer. I don't have a bunch of your headers to look at, only this one, but I think I recall that they routinely look like this, dumb. The situation is that the source is the likely unlisted .cn proxy 221.2.158.80 -- but the handling sequence which isn't properly reflected in the headers because cox screws it up, is that the sourceIP uses the aol.com HELO and some cox MX which remains 'invisible' received it. Then it is silently passed along to some unknown number of cox MTAs. Then finally, one MTA passes it to another which decides to make a proper traceline, the bottom one. Then that MTA gives it to another server which stamps its line 'stupidly'. That top line looks like a forged line, because it sez one IP, the source, and another different name, the server from which it got the item. That is not a proper way to stamp a line. If I were an automated parser, that kind of behavior would make me crazy. No wonder SC wants everyone to be mailhosted -- to help cope with some ridiculous server behaviors like cox. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Tue Nov 15 08:06:54 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Nov 15 02:10:04 2005 Subject: [SpamCop-List] Re: Grand Opening!!! References: <dlbc6b$79k$1@news.spamcop.net> <dlbhjs$a7q$1@news.spamcop.net> Message-ID: <4379890E.5DF4@xyzzy.claranet.de> Mike Easter wrote: > from fed1rmgxi02.cox.net ([221.2.158.80]) by fed1rmmtai17.cox.net > from aol.com ([221.2.158.80]) by fed1rmgxi02.cox.net > Those headers are wrong, a lie. And the lie was created by > the cox stamp, not the spammer. The client said "HELO aol.com" and the server noted it as is, so far it's as you said not very smart, but it's not "wrong": Greedy systems may not want to spend the time to check this. T-Online uses the same stategy. In a distant past some admins were proud of the number of SMTP sessions they could handle simultaneously, but I disgress. The next (last) timestamp is a lie, because 221.2.158.80 isn't the IP of fed1rmgxi02.cox.net, that line _should_ be from fed1rmgxi02.cox.net ([68.6.19.243]) by fed1rmmtai17.cox.net instead of from fed1rmgxi02.cox.net ([221.2.158.80]) by fed1rmmtai17.cox.net Two liars, the spammer with a bogus HELO, fed1rmmtai17.cox.net with a bogus IP for fed1rmgxi02.cox.net. But the latter (= the MX) got it right, in its minimalistic approach. > That is not a proper way to stamp a line. If I were an > automated parser, that kind of behavior would make me crazy. > No wonder SC wants everyone to be mailhosted -- to help cope > with some ridiculous server behaviors like cox. ACK. But this strange behaviour can have a plausible reason, maybe fed1rmgxi02.cox.net has two IPs, one public IP to talk as server with clients (fed1rmgxi02.cox.net = 68.6.19.243), and a private IP to talk internally (COX LAN) as client with MDAs like fed1rmmtai17.cox.net. Not exactly convincing, fed1rmmtai17.cox.net = 68.230.241.42 has also a public IP, they could talk using the Internet. But you guessed that there are other "hidden" hops between those two hosts, e.g. an AV-system, and then you'd get that picture: I n t e r n e t spammer ("aol.com") 221.2.158.80 | C O X L A N V fed1rmgxi02.cox.net 68.6.19.243 ~ aa.bb.cc.dd (private IP) | V aa.bb.cc.ee (AV system) | V fed1rmmtai17.cox.net 68.230.241.42 ~ aa.bb.cc.ff (private IP) The "proper" way to stamp this would be: from aol.com ([221.2.158.80]) by fed1rmgxi02.cox.net from fed1rmgxi02.cox.net ([aa.bb.cc.dd]) by secret.AV.hidden from secret.AV.hidden ([aa.b.cc.dd.ee]) by fed1rmmtai17.cox.net We could "decree" that secret.AV.hidden should be smart and use the public IP in its stamp, s/aa,bb.cc.dd/68.6.19.243/ But for fed1rmmtai17.cox.net it's hopeless, aa.bb.cc.ee simply has no public IP, it also has no proper FQDN in this example. The secret.AV.hidden infrastructure is nobody's business, it's as the name says hidden and secret. Last but not least proper stamps with private IPs won't help a parser for its chain test. Let's say that fed1rmmtai17.cox.net could do better, but "just say the truth" is no option and won't help. Bye, Frank From nobody at xyzzy.claranet.de Tue Nov 15 08:33:36 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Nov 15 02:40:03 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> <dlakvj$o49$1@news.spamcop.net> <dlat83$tvs$2@news.spamcop.net> Message-ID: <43798F50.16BD@xyzzy.claranet.de> Ellen wrote: > Really? well I make a hell of an effort to update that page > when there is something to say. Of coure when there is an > unscheduled system failure I can't update the page. Works fine from my POV. Of course I rarely look at the news when there are no problems, and if there are problems I look first in the NGs. Besides sooner or later all news make it also to the NGs. Wazoo's "green thumb" is also nice for a first impression of the system state. Bye, Frank From redford_stone at INVERSE_OF_COLDmail.com Tue Nov 15 08:30:49 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Tue Nov 15 03:35:20 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> <Xns970E1AD1D511Ftinlc@216.154.195.61> <dla3pj$cpt$1@news.spamcop.net> Message-ID: <Xns970F53C5A846tinlc@216.154.195.61> "Mike Easter" <MikeE@ster.invalid> wrote in news:dla3pj$cpt$1@news.spamcop.net: > [snip] > So, surbl is a valuable resource in spamfighting and filtering. > SpamCop should be doing everything in its power to help the listing > function for the sc-surbl. When SC fails to put reported the > spamvertisers for its reported spam on its statistics page, it is > hurting the sc-surbl functionality and helping the spamvertiser. > > SC should modify its parser to get more spamvertisers [unresolved in > my opinion] to the stats page. > > Ah, so it is a small database of the spamvertised URLs being reported through SpamCop. Too bad they are only accepting the newest spams. I only report once every 24 or 48 hours at a time. From nobody at xyzzy.claranet.de Tue Nov 15 09:35:09 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Tue Nov 15 03:40:02 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> <Xns97037DF897D25tinlc@216.154.195.61> <dkebuk$15a$1@news.spamcop.net> <436B1DC5.75D3@xyzzy.claranet.de> <dkg0jp$uhf$1@news.spamcop.net> <436BF8F0.5E5C@xyzzy.claranet.de> <Xns97051CF0D642Dtinlc@216.154.195.61> <437830E2.1B28@xyzzy.claranet.de> <dl9cdb$v7m$1@news.spamcop.net> <4378BDA7.696D@xyzzy.claranet.de> Message-ID: <43799DBD.51E@xyzzy.claranet.de> My "algorithm" to force geocities reports in ten steps with two browser windows was lame, here's a simplified version: 1 - finish other (not geocities) reports 2 - click "preferences" 3 - click "report handling options" (= advanced preferences) 4 - copy and paste to "public standard recipients", proposal: network-abuse@cc.yahoo-inc.com,guidelines@yahoo-inc.com,geo-abuse@cc.yahoo-inc.com The 1st address is what SC would use (proposed by ARIN), the 2nd and 3rd address are proposed by abuse.net for geocities. Don't use abuse@geocities.com, it's blocked. 5 - click "save" for the modified preferences 6 - click "report spam" 7 - click "report now" for the pending geocities crap 8 - finish geocities reports 9 - repeat step 2 and 3, remove "public standard recipients" 10 - repeat step 5 (= save old preferences without geocities) Okay, still 10 steps, but all in one browser window. Bye, Frank From jhb at vbe.com Tue Nov 15 03:34:41 2005 From: jhb at vbe.com (Jim) Date: Tue Nov 15 04:35:03 2005 Subject: [SpamCop-List] The Language of Spam??? Message-ID: <dlca3k$nh0$1@news.spamcop.net> I'm curious. I get about 50 spam msgs per day. I can't recall the last time I received one that was not in English. Is this stuff targeted geographically? Or is English the language of choice for spammers worldwide? Jim From caroljean52 at yahoo.com Tue Nov 15 02:31:05 2005 From: caroljean52 at yahoo.com (caroljean52) Date: Tue Nov 15 05:35:08 2005 Subject: [SpamCop-List] Re: The Language of Spam??? References: <dlca3k$nh0$1@news.spamcop.net> Message-ID: <dlcddb$p2h$1@news.spamcop.net> "Jim" <jhb@vbe.com> wrote in message news:dlca3k$nh0$1@news.spamcop.net... > I'm curious. I get about 50 spam msgs per day. I can't recall the last > time I received one that was not in English. Is this stuff targeted > geographically? Or is English the language of choice for spammers > worldwide? I don't think your average spammer bothers to even try to target geographically, at least when it comes to .com/.net addresses... At least a third of my spam is foreign language--these days usually Vietnamese and Chinese, with a smattering of German. (Used to get a lot of Spanish and Russian, but not so much for a while.) Have no clue what the Chinese language ones (as opposed to the ones in English sent from China) are trying to sell, but the Vietnamese ones all seem to be legitimate (other than for spamming!!) businesses trying to market their products to consumers in the vicinity of Hanoi! I've gotten stuff advertising florists, restaurants, travel agents, etc. Since I live clear across the Pacific from them--and don't even speak Vietnamese!--I'm not likely to give them a call even if I did want the service they're offering. (Not that I'd do business with a spammer in any case.) Carol Seattle USA From bar_n0ne at hotmail.com Tue Nov 15 15:23:14 2005 From: bar_n0ne at hotmail.com (Berny) Date: Tue Nov 15 06:25:05 2005 Subject: [SpamCop-List] Re: The Language of Spam??? References: <dlca3k$nh0$1@news.spamcop.net> <dlcddb$p2h$1@news.spamcop.net> Message-ID: <dlcgf5$qls$1@news.spamcop.net> It is strange, there are those here that have complained of huge amounts of Korean etc. spam, but I can probably count the number of spam I have ever recieved in any language besides english on my fingers and toes. from some 300/day, maybe a handful of German ones over the years and even fewer with oriental characters one or 2 Arabic., oh, and a a couple of Spanish ones. (I did live in South America a while, and had an internet account). I think it just depends which millions CD's your name is on. Some Internet research outfit claimed that P&D spams had stopped after a recent botnet was shutdown, I never noticed. Go figure. From nobody at nowhere.invalid Tue Nov 15 12:53:07 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Nov 15 06:55:06 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <slrndnbkus.vf5.nobody@127.0.0.1> <Xns970E1B679A021tinlc@216.154.195.61> <slrndnh4oj.8f6.nobody@127.0.0.1> <Xns970F577D1A2Etinlc@216.154.195.61> Message-ID: <slrndnjj13.56k.nobody@127.0.0.1> On Tue, 15 Nov 2005 08:32:11 +0000 (UTC), Redstone coughed into spamcop and left this in <Xns970F577D1A2Etinlc@216.154.195.61>: >> http://ars.userfriendly.org/cartoons/?id=20051114&mode=classic > > Should of put a C&C on that one. :-) It's userfriendly.org - doesn't that qualify for auto-C&C status? They're still having a go at Sony BTW... http://ars.userfriendly.org/cartoons/?id=20051115&mode=classic -- Steve Before you criticize someone, you should walk a mile in their shoes. That way, when you criticize them, you're a mile away and you have their shoes. From nobody at nowhere.invalid Tue Nov 15 12:54:23 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Nov 15 06:55:35 2005 Subject: [SpamCop-List] Re: The Language of Spam??? References: <dlca3k$nh0$1@news.spamcop.net> <dlcddb$p2h$1@news.spamcop.net> Message-ID: <slrndnjj3f.56k.nobody@127.0.0.1> On Tue, 15 Nov 2005 02:31:05 -0800, caroljean52 coughed into spamcop and left this in <dlcddb$p2h$1@news.spamcop.net>: > I don't think your average spammer bothers to even try to target > geographically, at least when it comes to .com/.net addresses... Even with a ccTLD spammers couldn't care less. I get loads of Russian and Asian stuff to a .fr address. -- Steve Before you criticize someone, you should walk a mile in their shoes. That way, when you criticize them, you're a mile away and you have their shoes. From g.hyde at bigpond.net.au Tue Nov 15 22:01:41 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Tue Nov 15 07:05:05 2005 Subject: [SpamCop-List] Fresh phish! GET YOUR FRESH PHISH HERE!! ;) Message-ID: <dlcin0$rvs$1@news.spamcop.net> http://www.spamcop.net/sc?id=z827214886z055a7b061fcca524bef2f0d070ef0197z It would appear someone is still interested in some variant on the Nigerian bank phish scam, where they leave some poor sap holding the unfortunate result of money disappearing from their bank account. Cheers ... Geoffrey Hyde From nobody at nowhere.invalid Tue Nov 15 13:09:04 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Nov 15 07:10:02 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) References: <dlcin0$rvs$1@news.spamcop.net> Message-ID: <slrndnjjv0.5i8.nobody@127.0.0.1> On Tue, 15 Nov 2005 22:01:41 +1000, Geoffrey Hyde coughed into spamcop and left this in <dlcin0$rvs$1@news.spamcop.net>: > It would appear someone is still interested in some variant on the Nigerian > bank phish scam, where they leave some poor sap holding the unfortunate > result of money disappearing from their bank account. Ooh - just look at that airplane, it's flying! How unusual... -- Steve Always the dullness of the fool is the whetstone of the wits. -- William Shakespeare, "As You Like It" From jg at coks.net Tue Nov 15 08:19:05 2005 From: jg at coks.net (jg) Date: Tue Nov 15 11:20:07 2005 Subject: [SpamCop-List] Re: Grand Opening!!! In-Reply-To: <dlbhjs$a7q$1@news.spamcop.net> References: <dlbc6b$79k$1@news.spamcop.net> <dlbhjs$a7q$1@news.spamcop.net> Message-ID: <dld1m5$3r6$1@news.spamcop.net> On 11/14/2005 6:36 PM Mike Easter scribbled: > Naturally I had to inspect that to see if there was [should be 'were'] > anything about a free toaster in there. Naturally, its well known hereabouts you like to read spam (more sophmoric jesting)... > So I decided to editorialize on something else. surprise... > > Your cox headers are 'dumb' -- for lack of a better word. > That is not a proper way to stamp a line. If I were an automated > parser, that kind of behavior would make me crazy. No wonder SC wants > everyone to be mailhosted -- to help cope with some ridiculous server > behaviors like cox. > > /My/ cox headers - no mea culpa... Since they're not *my* doing, I won't take affront. Now that you've reamed cox a new one, do you suggest I fwd your editorial to the offending parties or just dump the ISP all together? From nospam at dev.null Tue Nov 15 19:06:25 2005 From: nospam at dev.null (No Spam) Date: Tue Nov 15 12:10:03 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) In-Reply-To: <slrndnjjv0.5i8.nobody@127.0.0.1> References: <dlcin0$rvs$1@news.spamcop.net> <slrndnjjv0.5i8.nobody@127.0.0.1> Message-ID: <dld4ij$5c2$1@news.spamcop.net> Steven Maesslein wrote: > On Tue, 15 Nov 2005 22:01:41 +1000, Geoffrey Hyde coughed into spamcop > and left this in <dlcin0$rvs$1@news.spamcop.net>: > > >>It would appear someone is still interested in some variant on the Nigerian >>bank phish scam, where they leave some poor sap holding the unfortunate >>result of money disappearing from their bank account. > > > Ooh - just look at that airplane, it's flying! How unusual... > Sureeeeeee :-) Only thing "unusual" is the source, USA. X-Originating-IP: [66.178.81.5] "--- smart whois on "66.178.81" OrgName: New Skies Satellites N.V. OrgID: NWSK Address: 8000 Gainsford Ct City: Bristow StateProv: VA PostalCode: 20136 Country: US " Normally via hotmail/msn/yahoo/<rand=freemailserver>, but X-Originating-IP being IL/NG/NL/UK As such US here unusual, unless New Skies has some Europe/African subnet... From nospam at dev.null Tue Nov 15 19:11:19 2005 From: nospam at dev.null (No Spam) Date: Tue Nov 15 12:15:04 2005 Subject: [SpamCop-List] Re: The Language of Spam??? In-Reply-To: <dlca3k$nh0$1@news.spamcop.net> References: <dlca3k$nh0$1@news.spamcop.net> Message-ID: <dld4rn$5c2$2@news.spamcop.net> Jim wrote: > I'm curious. I get about 50 spam msgs per day. I can't recall the last > time I received one that was not in English. Is this stuff targeted > geographically? Or is English the language of choice for spammers > worldwide? > > Jim > > Does 419 count? "I don,t really know who you are ,but peace be unto you as you read this letter. My Instinct tells me that I cant trust you by my proposition." :-) From nospam at dev.null Tue Nov 15 19:22:35 2005 From: nospam at dev.null (No Spam) Date: Tue Nov 15 12:25:03 2005 Subject: [SpamCop-List] Re: Ralsky et al still spamming ... In-Reply-To: <Xns970E1BF249F07tinlc@216.154.195.61> References: <dl8h7l$di6$1@news.spamcop.net> <dl9ehf$10k$1@news.spamcop.net> <dl9jqf$3r0$1@news.spamcop.net> <Xns970E1BF249F07tinlc@216.154.195.61> Message-ID: <dld5gt$5vl$1@news.spamcop.net> Redstone wrote: > "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in > news:dl9jqf$3r0$1@news.spamcop.net: > > > >>>>http://www.spamcop.net/sc? > > id=z826533845za51d89ba13b2363bac9760e07313d > >>>>e26z >>>> >>>>Just received this crudload of software "offers" in the email this >>>>morning. Stuff which would more than likely be packed with the usual >>>>trojans and zombification viruses. >>>> >>> >>>I suppose his crud would still exist for months/years even if he >>>drove off a cliff tomorrow. >> >>If I had any money to waste, I'd bet on it. <g> >> >> > > > It appears that Ralsky is back to his old tricks. (Though I am not > receiving as much as before.) Seems that whatever the feds did, it was > not enough to take him out completely. > In fact her is still VERY much active. Just did the WDPRS on him and his again today. Have a special set letter etc. Sometimes I wish I had a can of Leo Spray (special bug spray) From kenbrody at spamcop.net Tue Nov 15 10:13:15 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Tue Nov 15 12:50:02 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) References: <dlcin0$rvs$1@news.spamcop.net> Message-ID: <4379FB0B.5CCEC21F@spamcop.net> Geoffrey Hyde wrote: > > http://www.spamcop.net/sc?id=z827214886z055a7b061fcca524bef2f0d070ef0197z > > It would appear someone is still interested in some variant on the Nigerian > bank phish scam, where they leave some poor sap holding the unfortunate > result of money disappearing from their bank account. My understanding of this scam is: Their "client" sends you a certified check for payment of an invoice. Let's say it's $10,000. You deposit it into your account, and, being a certified check, the bank makes the funds available to you next day. You then wire the scammers $9,000 (keeping your 10%) into their offshore account. A few days later, your bank finds out that the "certified check" was a forgery, and takes back the $10,000 from your account, leaving you out the $9,000 in cash you sent overseas. You could have $1.97 in your account, and they still get $9,000 out of you with this scam. It's much more efficient than a Nigerian scam. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: <mailto:ThisIsASpamTrap@gmail.com> From asterix at no_where.net Tue Nov 15 20:02:01 2005 From: asterix at no_where.net (Asterix) Date: Tue Nov 15 14:05:02 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) References: <dlcin0$rvs$1@news.spamcop.net> Message-ID: <1h633hw.13bpl7r1bo49c7N%asterix@no_where.net> Geoffrey Hyde <g.hyde@bigpond.net.au> wrote: > http://www.spamcop.net/sc?id=z827214886z055a7b061fcca524bef2f0d070ef0197z > > It would appear someone is still interested in some variant on the Nigerian > bank phish scam, where they leave some poor sap holding the unfortunate > result of money disappearing from their bank account. Have you too noticed that lately, virtually all Nigerian scams, business proposals and lotery scams are sent through hotmail or yahoo, like the one above. mine are 99%+ from hotmail the last month. -- I recommend Macs to my friends, and Windows machines to those whom I don't mind billing by the hour From MikeE at ster.invalid Tue Nov 15 11:15:33 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 15 14:20:07 2005 Subject: [SpamCop-List] Re: Broken reporting address - btbroadband References: <dldb43$95c$1@news.spamcop.net> Message-ID: <dldc4a$9t5$1@news.spamcop.net> Posting to spamcop and spamcop.spam, f/ups to spamcop. .spam is just for posting spam, not for discussing it. spamcop for discussing, but not posting spam It isn't necessary to post the spam, this tracker for your item is better than what you posted in .spam http://www.spamcop.net/w3m?i=z1556896631z2f3fd292cea6be9ae56912a1cab769dfz That tracker shows that SC's notify for 81.137.237.72 is currently bt@admin.spamcop.net for its own reports and that is where this item was reported. Roy Lewallen wrote: > Your message > > To: btbroadband.abuse@bt.com > Subject: [SpamCop (81.137.237.72) id:1556896631]Pre-approved > Application #ebluxdL644639 > Sent: Tue, 15 Nov 2005 18:17:41 -0000 > > did not reach the following recipient(s): > > btbroadband.abuse@bt.com on Tue, 15 Nov 2005 18:17:41 -0000 > The e-mail account does not exist at the organization this > message > was sent to. Check the e-mail address, or contact the recipient > directly to find out the correct address. > <I2KM11-UKBR.domain1.systemhost.net #5.1.1> According to the SC records, bt's reports are handled internally. According to ripe, the notify is abuse@btopenworld.com According to abuse.net the notify is abuse@btopenworld.com abuse@bt.net (for btopenworld.com) It is not clear to me where the broadband notify you are posting about came from. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Nov 15 11:23:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 15 14:25:05 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) References: <dlcin0$rvs$1@news.spamcop.net> <1h633hw.13bpl7r1bo49c7N%asterix@no_where.net> Message-ID: <dldcj1$a9l$1@news.spamcop.net> Asterix wrote: > Have you too noticed that lately, virtually all Nigerian scams, > business proposals and lotery scams are sent through hotmail or > yahoo, like the one above. mine are 99%+ from hotmail the last month. Last month there was a significant discussion in nanae subject "Hotmail - Home of the 419" -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Nov 15 14:26:29 2005 From: nobody at spamcop.net (Ellen) Date: Tue Nov 15 15:05:03 2005 Subject: [SpamCop-List] Re: Broken reporting address - btbroadband References: <dldb43$95c$1@news.spamcop.net> <dldc4a$9t5$1@news.spamcop.net> Message-ID: <dldetn$bpg$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dldc4a$9t5$1@news.spamcop.net... > > That tracker shows that SC's notify for 81.137.237.72 is currently > bt@admin.spamcop.net for its own reports and that is where this item was > reported. > I am trying to get in touch with BT to get the bounce fixed or the address changed Ellen SpamCop From nospam at dev.null Tue Nov 15 22:17:12 2005 From: nospam at dev.null (No Spam) Date: Tue Nov 15 15:20:03 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) In-Reply-To: <dldcj1$a9l$1@news.spamcop.net> References: <dlcin0$rvs$1@news.spamcop.net> <1h633hw.13bpl7r1bo49c7N%asterix@no_where.net> <dldcj1$a9l$1@news.spamcop.net> Message-ID: <dldfob$cam$1@news.spamcop.net> Mike Easter wrote: > Asterix wrote: > > >>Have you too noticed that lately, virtually all Nigerian scams, >>business proposals and lotery scams are sent through hotmail or >>yahoo, like the one above. mine are 99%+ from hotmail the last month. > > > Last month there was a significant discussion in nanae subject > "Hotmail - Home of the 419" > > And amazingly this had made a LOT of abuse reporting issues go away ;-) Had about a 5% chance of getting through. Now about 5% of not getting through... But urghhhhhhh!! Back to Yahoo. Where do they catch their abuse desk staff? Picked up on a 419 used Yahoo email address on a fake bank site. Mailed them and stated "Commercial usage, Advance fee fraud etc etc" in report, their own ToS being violated, gave urls - .... and avoided saying anything that may mislead the party on the Yahoo abuse desk from even "....** thinking spam **...." ..then they asked for headers of the spam!! They cannot proceed etc etc. (WHAT SPAM?) Sent reply mail that this is not a spam issue, but abuse/commercial usage/advance fee fraud related. Then reply asking for headers of the spam!! They cannot proceed etc etc. Sob!!! From DougThegarden at invalid.com Tue Nov 15 16:46:47 2005 From: DougThegarden at invalid.com (Doug Thegarden) Date: Tue Nov 15 17:25:04 2005 Subject: [SpamCop-List] Re: The Language of Spam??? In-Reply-To: <slrndnjj3f.56k.nobody@127.0.0.1> References: <dlca3k$nh0$1@news.spamcop.net> <dlcddb$p2h$1@news.spamcop.net> <slrndnjj3f.56k.nobody@127.0.0.1> Message-ID: <dldmv2$g6o$1@news.spamcop.net> Steven Maesslein wrote: > On Tue, 15 Nov 2005 02:31:05 -0800, caroljean52 coughed into spamcop and > left this in <dlcddb$p2h$1@news.spamcop.net>: > >> I don't think your average spammer bothers to even try to target >> geographically, at least when it comes to .com/.net addresses... > > Even with a ccTLD spammers couldn't care less. I get loads of Russian > and Asian stuff to a .fr address. > Its curious that everyone here seems to get lots of spam. Is that because you leave your filtering off so you can monitor and report or is it that you just get lots of spam? The reason I ask is that I get very little spam - a handful of messages a day. I have ISPs that filter with SpamAssassin or Mailscanner and the handful that is left gets picked up by my mail client and thrown in the trash bin. I did notice that when I did spamcop reporting my spam level went up and when I stopped it went back down again. Which leaves me wondering whether the 300 a day you guys are talking about vs my <10 a day is because you are regularly reporting and I'm not. Doug From blacklist-me at davjam.org Tue Nov 15 22:06:13 2005 From: blacklist-me at davjam.org (David Bolt) Date: Tue Nov 15 17:35:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit References: <Xns97037EA6B301Ftinlc@216.154.195.61> <dkeg1g$35f$1@news.spamcop.net> <TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com> <BF90DE68.1635E%nobody@spamcop.net> <TECQXhvKj0FX-pn2-mJM7JdfPnr4E@dsl-206-55-144-107.tstonramp.com> <Xns97051D4241CC4tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-41gGcOWKuyNn@dsl-206-55-144-107.tstonramp.com> <Xns97093B2348704tinlc@216.154.195.61> <TECQXhvKj0FX-pn2-jrh3dKUd5WdX@dsl-206-55-144-107.tstonramp.com> <dkubbp$j70$1@news.spamcop.net> <ozchzhq02-A8BF38.18491509112005@frylock.local> <slrndn66mk.3o5.nobody@127.0.0.1> <dkv728$1np$1@news.spamcop.net> <slrndn69cv.4a0.nobody@127.0.0.1> <Xns970A7DA0520D9tinlc@216.154.195.61> <dl0sju$2at$1@news.spamcop.net> <Xns970B6BCA7433tinlc@216.154.195.61> <dl21ck$pdk$1@news.spamcop.net> <VceKheV$KSeDFwlH@dev.null.davjam.org> <dlbad8$67p$1@news.spamcop.net> Message-ID: <GPk+FEGVvleDFw3c@dev.null.davjam.org> On Tue, 15 Nov 2005, Geoffrey Hyde <g.hyde@bigpond.net.au> wrote:- > >"David Bolt" <blacklist-me@davjam.org> wrote in message >news:VceKheV$KSeDFwlH@dev.null.davjam.org... >> On Fri, 11 Nov 2005, Porpoise <porpoise1954@yahoo.co.uk> wrote:- >> >>>Locked permanently (or until you get an unlock code from the >>>manufacturer - >>>after you've explained how you came to change region so many times). >> >> Unless you've a Lite-ON drive, which includes some Sony drives. There's >> a very useful utility that comes in very useful when using different >> region DVDs: > >Yes but installing some Sony drives also means a rootkit gets installed. I >am not supporting Sony's abuse of my computer, nor will I support them >helping viruses and trojans to infect my computer. How does installing a _drive_ mean a rootkit gets installed? It's not as if a DVD-RW actually needs any software from the manufacturer of the drive. If you're talking about other software supplied with the drive, that's a completely different situation. Regards, David Bolt -- Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/ AMD1800 1Gb WinXP/SuSE 9.3 | AMD1300 512Mb SuSE 9.0 | AMD2400 256Mb SuSE 9.0 AMD2400 768Mb SuSE 10.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62 RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11 From nobody at devnull.spamcop.net Tue Nov 15 21:32:31 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Nov 15 22:35:02 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> <dlakvj$o49$1@news.spamcop.net> <dlat83$tvs$2@news.spamcop.net> Message-ID: <dle98g$pnk$1@news.spamcop.net> "Ellen" <nobody@spamcop.net> wrote in message news:dlat83$tvs$2@news.spamcop.net... > > "WazoO" <nobody@devnull.spamcop.net> wrote in message > news:dlakvj$o49$1@news.spamcop.net... > > > > Yet the reason for my adding the graphic link was based in the > > historical fact that the "news" link doesn't seem to be touched > > in a timely fashion to begin with. > > Really? well I make a hell of an effort to update that page when there is > something to say. Of coure when there is an unscheduled system failure I > can't update the page. Sorry that you think that the link is not being > updated in a timely fashion. No idea why you seem to have taken all this as some kind of personal attack. You've been around as long / longer than I have, so I'm at a loss as to why you would have an issue with the historical reality of things like "system status" .... many were the times of seeing literally hundreds of posts from those that didn't bother to read the previous hundreds of posts about "is it down?" the red "putrow errors", the "password doesn't work" threads .. on and on .. the numerous times that suggestions and offers were put up to host an off-site page that did nothing but offer the "current status" of the www.spamcop.net web site ... I refuse to believe that you don't recall any of this stuff going on (and repeated numerous times over the years. > >Even the "few" entries dealing > > with the system being down are rarely followed up with "fixed" > > status note. As stated in my documenting this addition, it was > > placed there to try to head off all the "is it down" questions. > > When the news disappears then you can assume that the problem is fixed. And that's the same answer I just used in response to yet another query from a Forum user ... just pointing to the past with the "fix" simply being that the bug disappeared, things worked, etc. ... yet, this isn't the light that this thread was started on, simply another facet of the way things have been for years. > > Julian rarely posted "news" as he was elbows deep in resolving > > issues. Deputies aren't around all the time 'reporting' and from > > appearances, not all of them gave the ability to "touch" the web > > pages to provide these updates. > > We all have the ability to change the news actually. And we tend to be > around pretty close to 24/7 altho on weekends perhaps less so. When we see > system problems *and* the system is up sufficiently to update the page we do > and post -- else we post here. Yet, it is the system availabilty and the "news" about that availability that is being talked about. The fact that "you" can't post because the system is down is part of what my statements included, and again, we're talking over the years, long before the pages in question were made available to anyone besides Julian himself (or JT after that bit of split) > > You'll note that all of the "limited" drops > > (assumedly based on re-booting of systems) has never been mentioned > > in the "news" link > > Oddly enough if the webservers are down or access to them is unavailable > then we can't update the news. We try to keep the news as timely as > possible. and again, that's exactly what I was talking about. I'm sorry you want to make this all a personal thing, but ... my perspective is at a system level, which includes all parts of the spamcop.net system. From jg at coks.net Tue Nov 15 20:00:37 2005 From: jg at coks.net (jg) Date: Tue Nov 15 23:00:19 2005 Subject: [SpamCop-List] people respond to this? Message-ID: <dleaph$qim$1@news.spamcop.net> http://www.spamcop.net/sc?id=z827506511z6aae52fa34ac23bf7b235f85595df14bz This is a particularly noxious piece of spam. I could work with Maria's husband. Can anyone suggest a good URL to report it to? Doesn't sound like FTC material and doubt the FBI is into escort services... tnx... From zypher at spamcop.net Tue Nov 15 22:11:31 2005 From: zypher at spamcop.net (Ron B.) Date: Tue Nov 15 23:15:03 2005 Subject: [SpamCop-List] Re: people respond to this? In-Reply-To: <dleaph$qim$1@news.spamcop.net> References: <dleaph$qim$1@news.spamcop.net> Message-ID: <dlebhm$r3e$1@news.spamcop.net> jg wrote: > http://www.spamcop.net/sc?id=z827506511z6aae52fa34ac23bf7b235f85595df14bz > > This is a particularly noxious piece of spam. > I could work with Maria's husband. Um, I doubt that Maria and what's-her-name exist. Both the sender and website are in China. (I've gotten the exact same piece of trash; unless you live close to me, someone [read spammer] is lying.) > Can anyone suggest a good URL to report it to? > Doesn't sound like FTC material and doubt the FBI is into escort services... > tnx... Try spam@uce.gov From jg at coks.net Tue Nov 15 20:25:42 2005 From: jg at coks.net (jg) Date: Tue Nov 15 23:25:03 2005 Subject: [SpamCop-List] Re: people respond to this? In-Reply-To: <dlebhm$r3e$1@news.spamcop.net> References: <dleaph$qim$1@news.spamcop.net> <dlebhm$r3e$1@news.spamcop.net> Message-ID: <dlec8i$rk2$1@news.spamcop.net> On 11/15/2005 8:11 PM Ron B. scribbled: > jg wrote: > >>http://www.spamcop.net/sc?id=z827506511z6aae52fa34ac23bf7b235f85595df14bz >> >>This is a particularly noxious piece of spam. >>I could work with Maria's husband. > > > Um, I doubt that Maria and what's-her-name exist. Both the sender and > website are in China. (I've gotten the exact same piece of trash; > unless you live close to me, someone [read spammer] is lying.) > > Try spam@uce.gov um, Thanks, Ron, I didn't really think Maria was in the hood, per se. I doubt, however, the Chinese are sitting over there thinking this kind of crap up. Their strength is in collecting $ from fat cats somewhere else and alowing them to use their net for this transmission. But I couldn't get beyond cn on this one. I didn't check the site diectly. These mutts just get ruder and ruder as time goes by... From nobody at devnull.spamcop.net Wed Nov 16 13:25:27 2005 From: nobody at devnull.spamcop.net (Patto) Date: Tue Nov 15 23:30:02 2005 Subject: [SpamCop-List] Spam or not? Message-ID: <dlecbo$rn4$1@news.spamcop.net> http://www.spamcop.net/sc?id=z827513617zf94c29788b30a4d53f9c975999684216z It seems to come from Corel, but I never had any business with them. On the other hand they have recently acquired JASC, of which I was a customer. Do I report it, or simply unsubscribe (which I expect to be honored) ? From nobody at devnull.spamcop.net Wed Nov 16 03:25:37 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Wed Nov 16 03:30:02 2005 Subject: [SpamCop-List] Re: Spam or not? References: <dlecbo$rn4$1@news.spamcop.net> Message-ID: <dleqdd$3jo$1@news.spamcop.net> "Patto" > http://www.spamcop.net/sc?id=z827513617zf94c29788b30a4d53f9c975999684216z > > It seems to come from Corel, but I never had any business with them. On > the other hand they have recently acquired JASC, of which I was a customer. > > Do I report it, or simply unsubscribe (which I expect to be honored) ? I subscribed to receive email from Jasc. When Jasc became Corel, my existing subscription was extended by Corel. You may have missed one or more emails detailing the changeover, but if you had a subscription and did not cancel it, I /think/ it is still good. I don't think it is "spam". I think the only way you see it is if you solicited it. If you no longer want it, cancel your subscription. I recently upgraded to "Corel" Paint Shop Pro X. I intend to continue my subscription, but I do believe they would honor a cancel in good faith. FWIW, you posted a "live" tracker. You should either cancel it or go ahead and report it before someone else makes your choice for you. Thanks, Glenn From nobody at nowhere.invalid Wed Nov 16 10:00:03 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Nov 16 04:05:03 2005 Subject: [SpamCop-List] Re: The Language of Spam??? References: <dlca3k$nh0$1@news.spamcop.net> <dlcddb$p2h$1@news.spamcop.net> <slrndnjj3f.56k.nobody@127.0.0.1> <dldmv2$g6o$1@news.spamcop.net> Message-ID: <slrndnlt8j.43h.nobody@127.0.0.1> On Tue, 15 Nov 2005 16:46:47 +0000, Doug Thegarden coughed into spamcop and left this in <dldmv2$g6o$1@news.spamcop.net>: > Its curious that everyone here seems to get lots of spam. Is that > because you leave your filtering off so you can monitor and report or is > it that you just get lots of spam? The address I was alluding to is a role account which shouldn't be filtered (I'm a sysadmin). On my home server it dropped sharply last week from 2500-3000 spams/day of which maybe 20 got through to around 1000 spams/day of which 4 or 5 get through. -- Steve Why is it that people say they slept like a baby when babies wake up every two hours? From MikeE at ster.invalid Wed Nov 16 05:53:17 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 16 08:55:03 2005 Subject: [SpamCop-List] Re: what is the differents References: <dld6qu$6k3$1@news.spamcop.net> <dld8fr$7mj$1@news.spamcop.net> <dlen98$1i2$1@news.spamcop.net> Message-ID: <dlfdke$e0f$1@news.spamcop.net> blabla@bla.com wrote: > to do the same, the are you sure shit etc etc. I just want a list > with the mails i send and say once yes. I don?t give a sh*t about who > its reporting to are what i have send. There is no such thing as a 'regular' reporter, paid or not, who doesn't have to approve each report's parse result. The purpose of that approval is to oversee parsing errors which can report your own provider or other errors. It also provides an opportunity to deselect any innocent bystanders which appear in the spambody and to note which spamvertisers SC has failed to resolve, to enable manual notification or discussion. > I know what i?m reporting, and just want simple send a report wihtout > sitting 30 minutes behind my desktop to verify the messages. If you only want to report the spamsources for the SCbl and forego any reporting of the spamvertisers, you can quick report. With the quick report submission, there is no parse approval oversight or approval. Whatever the parse result for the spamsource is immediately reported. There is also no spamvertiser reporting. The spamvertisers are ignored. You receive a SC notice of what spamsource was reported and a tracker. Quick reporting requires being configured for mailhosting and admin approval. And we are still discussing this thread in the wrong newsgroup. Crossposting to spamcop and .mail, f/ups to spamcop. -- Mike Easter kibitzer, not SC admin From nospam at dev.null Wed Nov 16 19:39:47 2005 From: nospam at dev.null (No Spam) Date: Wed Nov 16 12:40:27 2005 Subject: [SpamCop-List] Re: people respond to this? In-Reply-To: <dleaph$qim$1@news.spamcop.net> References: <dleaph$qim$1@news.spamcop.net> Message-ID: <dlfqt5$lmj$1@news.spamcop.net> jg wrote: > http://www.spamcop.net/sc?id=z827506511z6aae52fa34ac23bf7b235f85595df14bz > > This is a particularly noxious piece of spam. > I could work with Maria's husband. > Can anyone suggest a good URL to report it to? > Doesn't sound like FTC material and doubt the FBI is into escort services... > tnx... Hi This is www.adultactioncam.com, cloaked behind a disposable fronting domain. In cahoots with OpenSRS/Tucows and Source Investments Inc on Teleglobe. Try the following: Use a secure OS such as Linux/Unix or secure URL tool and leech the link: I have done this below, snipping out a lot of junk. When Tucows/OpenSRS started going bad, Adultactioncam were one the first ones to hop on the bandwagon. Tucows senior management (right at the top) KNOWS about this, compliments of "me". I have shown with evidence their client's record, the reason as to WHY they should not be afforded privacy protection etc etc. Also a record longer that my arm of "wilfully supplied inaccurate whois details" ... and they live happily with a privacy protection on OpenSRS. OpenSRS also knows WHAT adultactioncam.com does, how they market etc etc. Anybody requiring Evidence of Notification, ping me. Maybe time for a class action suite against a registrar? OpenSRS is after all the registered owner of ADULTACTIONCAM.COM. OpenSRS IS aware of the situation. OpenSRS has an agreement with their client, not with you :-) The same can be said about SOurce Investments and Teleglobe. They KNOW about this situation. (In fact they saw to it that I was listwashed) Also see http://www.kiks.org/shameandhonor.asp Do you have children that may inadvertently open these spams? If so, Kiks will support you BIG TIME. They are just waiting for a mail from you... (unfortunately I am not local, I live in a "backward" country where we do not have giants like TeleGlobe, OpenSRS etc. However we have 419legal.org and many arrests. Does that say something.. :-) (Kiks mention the situation is ongoing since mid last year. I have evidence going back longer ...) Related keywords: "Futurecast Media" "datecam.com" "Adultactioncash.com" About Adultactioncam.com: www.adultactioncam.com [66.198.36.17] --- 11/16/05 17:17:57 GMT --- performing WHOIS on "66.198.36.17", please wait... --- contacting server whois.arin.net --- smart whois on "66.198.36" Teleglobe Inc. TELEGLOBE-4BLK (NET-66-198-0-0-1) 66.198.0.0 - 66.198.191.255 Source Investments Inc. SOURCE-INVEST-TGB (NET-66-198-36-0-1) 66.198.36.0 - 66.198.37.255 --- performing WHOIS on "NET-66-198-36-0-1", please wait... --- contacting server whois.arin.net OrgName: Source Investments Inc. OrgID: SOURC-28 Address: 616 Carlin Road City: Satsuma StateProv: FL PostalCode: 32189 Country: US NetRange: 66.198.36.0 - 66.198.37.255 CIDR: 66.198.36.0/23 NetName: SOURCE-INVEST-TGB NetHandle: NET-66-198-36-0-1 Parent: NET-66-198-0-0-1 NetType: Reassigned Comment: RegDate: 2004-07-28 Updated: 2004-07-28 RTechHandle: DBA66-ARIN RTechName: Bailey, Donald RTechPhone: +1-888-229-7110 RTechEmail: noc@source-investments.com OrgTechHandle: DBA66-ARIN OrgTechName: Bailey, Donald OrgTechPhone: +1-888-229-7110 OrgTechEmail: noc@source-investments.com # ARIN WHOIS database, last updated 2005-11-15 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database. Domain Name: ADULTACTIONCAM.COM Registrar: TUCOWS INC. Whois Server: whois.opensrs.net Referral URL: http://domainhelp.tucows.com Name Server: NS1.ADULTACTIONCAM.COM Name Server: NS2.ADULTACTIONCAM.COM Status: REGISTRAR-LOCK Updated Date: 25-apr-2005 Creation Date: 21-oct-2003 Expiration Date: 21-oct-2007 Registrant: Contactprivacy.com 96 Mowat Ave Toronto, ON M6K 3M1 CA ---------------------------------------------------------------------------------------- "--- 11/16/05 16:56:49 GMT --- reading URL http://nearbygirls.com/hot/ --- contacting host nearbygirls.com [221.11.134.49] on port 80 HTTP/1.0 200 OK Server: Apache/2.0.53 (Fedora) Last-Modified: Wed, 09 Nov 2005 04:27:48 GMT ETag: "81c08a-ab2a-4f813900" Accept-Ranges: bytes Content-Length: 43818 Content-Type: text/html; charset=UTF-8 Connection: close <HTML> <HEAD> <...snip........ </tr> </table> </form> <form name="regsubmit" action="http://www.adultactioncam.com/?r=aac87908&s=register" !!!!!!!!!!!!!!!^^^^^^^^^^^^^^^^^^^^^^ method="POST"> <input type="hidden" name="un" value=""> <input type="hidden" name="pw" value=""> ...snip ................. </TR> </TABLE> </BODY> </HTML> --- connection closed" From stephen at serverforce.net Wed Nov 16 18:19:05 2005 From: stephen at serverforce.net (Stephen Marsh) Date: Wed Nov 16 13:20:04 2005 Subject: [SpamCop-List] Coded e-mail address Message-ID: <dlft6p$mtv$1@news.spamcop.net> Hi all, I'm trying to report spam via SpamCop, I've created an account however I can't see a reporting e-mail anywhere, on any of the pages. Any help would be appreciated. Thanks From nobody at devnull.spamcop.net Wed Nov 16 12:39:47 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Nov 16 13:40:05 2005 Subject: [SpamCop-List] Re: Coded e-mail address References: <dlft6p$mtv$1@news.spamcop.net> Message-ID: <dlfudj$nh7$1@news.spamcop.net> "Stephen Marsh" <stephen@serverforce.net> wrote in message news:dlft6p$mtv$1@news.spamcop.net... > > I'm trying to report spam via SpamCop, I've created an account however I > can't see a reporting e-mail anywhere, on any of the pages. Any help would > be appreciated. First guess might be that you managed to create an ISP account, which would be used to "handle" SpamCop.net reports / complaints. This would normally be identified as being logged into "your ISP Control Center" .. but you didn't mention this in your query. Either try again with a new account or send an e-mail to service <at> admin.spamcop.net to have some bits flipped on this existing account. From nobody at spamcop.net Wed Nov 16 14:41:21 2005 From: nobody at spamcop.net (indigo) Date: Wed Nov 16 14:45:04 2005 Subject: [SpamCop-List] *snurk* Message-ID: <dlg212$pj7$1@news.spamcop.net> Well, right now I am not single anymore and it feels great. Similarly, last week I was even luckier, and trust me, i'm not Casanova http://bedslime.com/extra/galz/ Oh baby, I can't wait to sign up for a dating site called bedslime! Just think of all the hot women waiting for me there! ;-) From spamcop-list-at-news.spamcop.net at musaic.net Wed Nov 16 20:58:45 2005 From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net) Date: Wed Nov 16 14:59:03 2005 Subject: [SpamCop-List] *snurk* In-Reply-To: <dlg212$pj7$1@news.spamcop.net> References: <dlg212$pj7$1@news.spamcop.net> Message-ID: <15610294448.20051116205845@musaic.net> Indigo: > Well, right now I am not single anymore and it feels great. > Similarly, last week I was even luckier, and trust me, i'm not Casanova Indigo - would you agree your message looks like a spam? Your two first lines looks like something that could be present in a spam. And then you add a spammer's URL...and your message just became a complete spam! Thanks! -- St From edo.amin at gmail.com Wed Nov 16 23:22:11 2005 From: edo.amin at gmail.com (EA) Date: Wed Nov 16 16:25:03 2005 Subject: [SpamCop-List] Am I blocked? and what's next? Message-ID: <dlg7ud$sre$1@news.spamcop.net> To spamcop.net staff: I realize that Spamcop.net received a lot of mail, but please read this through. About 24 hours ago I received a message from some mail server with the subject: Returned mail: Your email is being blocked by SpamCop. And no further meaningful content. Since then, all mail that's sent to my domain reshet.co.il goes nowhere and does not bounce. I received no notification from Spamcop as such, and looking in Spamcop.net I could find no clue how to proceed. Though I have a domain to my name, I have no mail servers. I have no servers, I am not an ISP, not even an admin. I am a journalist and in fact have written often on spam. I am also a paying customer of webmail.spamcop.net, since a couple of years. Thank you for your advice and your help. Ido edo.amin@gmail.com From Kilgallen at SpamCop.net Wed Nov 16 15:39:55 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Nov 16 16:40:03 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> Message-ID: <WNHBc58fvg8U@eisner.encompasserve.org> In article <dlg7ud$sre$1@news.spamcop.net>, EA <edo.amin@gmail.com> writes: > About 24 hours ago I received a message from some mail server with the > subject: > Returned mail: Your email is being blocked by SpamCop. > And no further meaningful content. If by "no further meaningful content" you mean there were numbers and symbols you have redacted, then you left out the good stuff. > Since then, all mail that's sent to my domain reshet.co.il goes nowhere > and does not bounce. That would seem to be a different issue than sending mail _from_ your machine, which you described initially. > I received no notification from Spamcop as such, and looking in > Spamcop.net I could find no clue how to proceed. Proceeding requires IP addresses which you did not provide. > Though I have a domain to my name, I have no mail servers. > I have no servers, I am not an ISP, not even an admin. Then you need to discuss this with your ISP. From edo.amin at gmail.com Thu Nov 17 00:02:12 2005 From: edo.amin at gmail.com (EA) Date: Wed Nov 16 17:05:02 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? In-Reply-To: <WNHBc58fvg8U@eisner.encompasserve.org> References: <dlg7ud$sre$1@news.spamcop.net> <WNHBc58fvg8U@eisner.encompasserve.org> Message-ID: <437BAC64.8020502@gmail.com> Thank you Larry for the prompt reply, are you a Spamcop employee? Larry Kilgallen wrote: > In article <dlg7ud$sre$1@news.spamcop.net>, EA <edo.amin@gmail.com> writes: > >> About 24 hours ago I received a message from some mail server with the >> subject: >> Returned mail: Your email is being blocked by SpamCop. >> And no further meaningful content. > > If by "no further meaningful content" you mean there were numbers and > symbols you have redacted, then you left out the good stuff. Since the message was between my lawyers and myself I regret that I had to have certain words deleted. But here is most of it: The original message was received at Wed, 16 Nov 2005 00:11:00 +0200 (IST) from IGLD-84-228-186-30.inter.net.il [84.228.186.30] ----- The following addresses had permanent delivery errors ----- <[deleted]@vblaw.com> <[deleted]@vblaw.com> Reporting-MTA: dns; nitzan.inter.net.il Arrival-Date: Wed, 16 Nov 2005 00:11:00 +0200 (IST) Final-Recipient: RFC822; [deleted]@vblaw.com Action: failed Status: 5.1.1 Remote-MTA: DNS; vbmail.vblaw.com Diagnostic-Code: SMTP; 550 5.7.1 Your email is being blocked by SpamCop. Last-Attempt-Date: Wed, 16 Nov 2005 00:11:05 +0200 (IST) Final-Recipient: RFC822; [deleted]@vblaw.com Action: failed Status: 5.1.1 Remote-MTA: DNS; vbmail.vblaw.com Diagnostic-Code: SMTP; 550 5.7.1 Your email is being blocked by SpamCop. Last-Attempt-Date: Wed, 16 Nov 2005 00:11:04 +0200 (IST) Subject: [deleted] From: [deleted] <[deleted]@reshet.co.il> Date: Wed, 16 Nov 2005 00:10:46 +0200 To: [deleted] CC: [deleted] > >> Since then, all mail that's sent to my domain reshet.co.il goes nowhere >> and does not bounce. > > That would seem to be a different issue than sending mail _from_ > your machine, which you described initially. Mail does not get delivered if it is "From:" reshet.co.il or "To:" it. > >> I received no notification from Spamcop as such, and looking in >> Spamcop.net I could find no clue how to proceed. > > Proceeding requires IP addresses which you did not provide. Processing requires the IP address of the domain name reshet.co.il? I looked it up online, here is what I found: 216.57.232.15 (the A record for reshet.co.il) > >> Though I have a domain to my name, I have no mail servers. >> I have no servers, I am not an ISP, not even an admin. > > Then you need to discuss this with your ISP. > The initial message from my ISP, and it mentioned Spamcop - that's why I thought I would ask here. Indeed I will call my ISP and ask if I'm blocked, and on what grounds. Thanks again, Ido From edo.amin at gmail.com Thu Nov 17 00:17:34 2005 From: edo.amin at gmail.com (EA) Date: Wed Nov 16 17:20:04 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? In-Reply-To: <WNHBc58fvg8U@eisner.encompasserve.org> References: <dlg7ud$sre$1@news.spamcop.net> <WNHBc58fvg8U@eisner.encompasserve.org> Message-ID: <437BAFFE.40402@gmail.com> Correction: mail "From:" reshet.co.il seems to be delivered. It is mail "To:" reshet.co.il that does not get delivered. From bill_beyer at excite.cXoYmZ Wed Nov 16 14:18:38 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Wed Nov 16 17:20:17 2005 Subject: [SpamCop-List] announcement for our members Message-ID: <dlgb7l$uvt$1@news.spamcop.net> http://www.spamcop.net/sc?id=z827743513zf980d5e844735a686bb7f72c0d0dcaebz Looks like some folks pissed off spammy. From DougThegarden at invalid.com Wed Nov 16 17:21:32 2005 From: DougThegarden at invalid.com (Doug Thegarden) Date: Wed Nov 16 17:45:04 2005 Subject: [SpamCop-List] Another one bites the dust! Message-ID: <dlgck7$vq0$1@news.spamcop.net> http://news.bbc.co.uk/1/hi/england/cambridgeshire/4442772.stm Spammer jailed for ?1.6m net scam An internet spammer convicted of running a ?1.6m e-mail scam from a bedroom in his father's house has been jailed for six years. Peter Francis-Macrae, of St Neots, Cambs, was found guilty of threatening to kill and blackmail. The 23-year-old was also convicted of threatening to destroy or damage property, concealing criminal property and fraudulent trading. He had offered thousands of e-mail and website names when he had no right. Attack servers And when victims complained, he threatened to destroy their internet systems by sending millions of spam e-mails. Peterborough Crown Court heard he also threatened to fire-bomb the headquarters of the county's trading standards department and petrol-bomb his local police headquarters. When internet policing group Nominet posted warnings about his activities, he responded by saying he would attack its servers. Francis-Macrae, who made more than ?100,000 per week from the scam, spent ?28,000 on designer clothes and on learning to fly helicopters, the court heard. 'Lie using internet' During the trial, Francis-Macrae defied Judge Nicholas Coleman QC by refusing to reveal where he hid up to ?425,000, saying Cambridgeshire Police would "steal" it. After sentencing, Pc Jody Faro said: "This investigation highlights just how easy it can be to deceive and lie to people using the internet." Francis-Macrae was found guilty of two counts of fraudulent trading, one of concealing criminal property, two of making threats to kill, one charge of threatening to destroy or damage property and one count of blackmail. The 23-year-old was cleared of two charges of making threats to kill. From tony at tonynelsonphoto.com Wed Nov 16 16:42:43 2005 From: tony at tonynelsonphoto.com (tnfoto) Date: Wed Nov 16 17:45:22 2005 Subject: [SpamCop-List] blocked forwarding email Message-ID: <dlgckr$vq4$1@news.spamcop.net> Somehow I've gotten on the Spamcop blocking list. (I blame a too large party invitation about 6 months ago when this started!) I hesitate to post the details of the message on a public forum here and have emailed Spamcop about it with all the details but haven't gotten any response yet and am looking for advice. Here's the basic situation. I have a website for my business (I'm a commercial photographer) hosted by Earthlink who gives me a number of email addresses at my site, i.e. myname@mynamephotography.com. I set it to forward email to my main email address at my home ISP which is a inexpensive local company that tells me they do not use Spamcop's service. Periodically, email coming to me gets blocked & bounces back to the sender. Emails directly to my home address go through just fine and, after I set it to forward to another address (@yahoo.com), these forward & go through just fine. Earthlink also claims to NOT use Spamcop. If neither my ISP or Earthlink use Spamcop, how could they be blocking it?? Assuming one of them is actually wrong, which one is it? Spamcop's dispute page says it should clear up after 24 hours but it's been 3 days currently, though I'll occasionally test it by sending myself email from my Yahoo acct & it will sometimes go through - then 5 minutes later unsuccessfully. And, why is it INCOMING mail that's being blocked? This is driving me crazy and, as is probably obvious, I'm not a tech expert. Is there a way to actually talk to a person at Spamcop to try to figure it out. No phone #s seem to be listed & I'm not getting response from the emails. Any advice would be appreciated. Thanks! Tony From nobody at spamcop.net Wed Nov 16 17:43:05 2005 From: nobody at spamcop.net (indigo) Date: Wed Nov 16 17:45:30 2005 Subject: [SpamCop-List] *snurk* References: <dlg212$pj7$1@news.spamcop.net> <mailman.124.1132171144.169.spamcop-list@news.spamcop.net> Message-ID: <dlgcls$vq9$1@news.spamcop.net> St - Musaic.Net wrote: > Indigo: > > Well, right now I am not single anymore and it feels great. > > Similarly, last week I was even luckier, and trust me, i'm not > > Casanova > > Indigo - would you agree your message looks like a spam? Your two > first lines looks like something that could be present in a spam. > And then you add a spammer's URL...and your message just became a > complete spam! > > Thanks! Well sheesh, it wouldn't have been funny if I had left out the URL...... From edo.amin at gmail.com Thu Nov 17 00:48:56 2005 From: edo.amin at gmail.com (EA) Date: Wed Nov 16 17:50:04 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? In-Reply-To: <WNHBc58fvg8U@eisner.encompasserve.org> References: <dlg7ud$sre$1@news.spamcop.net> <WNHBc58fvg8U@eisner.encompasserve.org> Message-ID: <437BB758.7050008@gmail.com> Things seem to be back to normal. Is this the result of our discussion? From caroljean52 at yahoo.com Wed Nov 16 14:52:22 2005 From: caroljean52 at yahoo.com (caroljean52) Date: Wed Nov 16 17:55:03 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) References: <dlcin0$rvs$1@news.spamcop.net> <1h633hw.13bpl7r1bo49c7N%asterix@no_where.net> <dldcj1$a9l$1@news.spamcop.net> <dldfob$cam$1@news.spamcop.net> Message-ID: <dlgd78$od$1@news.spamcop.net> "No Spam" <nospam@dev.null> wrote: > Then reply asking for headers of the spam!! They cannot proceed etc etc. Maybe they want to know for sure that this actually was a real spam and not you getting back at somebody by inserting their address into the text of a 419 message. Carol Seattle USA From MikeE at ster.invalid Wed Nov 16 14:55:46 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 16 18:00:03 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> Message-ID: <dlgddh$109$1@news.spamcop.net> EA wrote: > To spamcop.net staff: I am not a spamcop employee or volunteer admin. > Returned mail: Your email is being blocked by SpamCop. That bit of information is patently false. A lie. SpamCop SC does not block anyone's mail, except that it blocks/tags/filters mail for spamcop email clients. SC is a parsing and reporting service and a maintainer of the SCbl blocklist. Some servers or individuals use that blocklist in one way or another to help them with their spam management. As a journalist you can surely appreciate the fact that accuracy in language is imperative. If there is no accuracy, there might as well be no language. > Since then, all mail that's sent to my domain reshet.co.il goes > nowhere and does not bounce. EA wrote: > Correction: mail "From:" reshet.co.il seems to be delivered. It is > mail "To:" reshet.co.il that does not get delivered. Now that we've eliminated SC as the 'cause' of a mail delivery problem, we are left to work on what is the real cause or even if there is a real mail delivery problem. Your first returned message containing false information that you posted must have been information about mail from one server to another server, but you said that message was allegedly about a mail /from/ you, not /to/ you. Your correction is describing a problem with mail /to/ you, not /from/ you. We need to get straight on what the problem really is. > Though I have a domain to my name, I have no mail servers. > I have no servers, I am not an ISP, not even an admin. Mail addressed to a username at reshet.co.il would be handled by mail1 or mail2.catalog.com whose IPs are under Washita Comm in OK USA whereas your connectivity for your nntp posting IP is .inter.net.il under Euronet. > I am a journalist and in fact have written often on spam. > I am also a paying customer of webmail.spamcop.net, since a couple of > years. Mail /to/ a spamcop mail customer could be affected by spamcop services by way of tagging or sorting into a 'blocked' classification, but that mail wouldn't be lost. -- Mike Easter kibitzer, not SC admin From nospam at dev.null Thu Nov 17 01:06:17 2005 From: nospam at dev.null (No Spam) Date: Wed Nov 16 18:10:32 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) In-Reply-To: <dlgd78$od$1@news.spamcop.net> References: <dlcin0$rvs$1@news.spamcop.net> <1h633hw.13bpl7r1bo49c7N%asterix@no_where.net> <dldcj1$a9l$1@news.spamcop.net> <dldfob$cam$1@news.spamcop.net> <dlgd78$od$1@news.spamcop.net> Message-ID: <dlge18$19u$1@news.spamcop.net> caroljean52 wrote: > "No Spam" <nospam@dev.null> wrote: > >>Then reply asking for headers of the spam!! They cannot proceed etc etc. > > > Maybe they want to know for sure that this actually was a real spam and not > you getting back at somebody by inserting their address into the text of a > 419 message. > > Carol > Seattle USA > > Valid comment. However, each mail is accompanied with bullet proof evidence of: Commercial usage of Yahoo email (TOS violation) Fake site (easy enough to proove and as such TOS violation) etc etc As such, no, this is not the reason :-( From nospam at dev.null Thu Nov 17 01:14:58 2005 From: nospam at dev.null (No Spam) Date: Wed Nov 16 18:15:03 2005 Subject: [SpamCop-List] *snurk* In-Reply-To: <dlgcls$vq9$1@news.spamcop.net> References: <dlg212$pj7$1@news.spamcop.net> <mailman.124.1132171144.169.spamcop-list@news.spamcop.net> <dlgcls$vq9$1@news.spamcop.net> Message-ID: <dlgehk$1sg$1@news.spamcop.net> indigo wrote: > St - Musaic.Net wrote: > >> Indigo: >> >>>Well, right now I am not single anymore and it feels great. >>>Similarly, last week I was even luckier, and trust me, i'm not >>>Casanova >> >> Indigo - would you agree your message looks like a spam? Your two >> first lines looks like something that could be present in a spam. >> And then you add a spammer's URL...and your message just became a >>complete spam! >> >> Thanks! > > > Well sheesh, it wouldn't have been funny if I had left out the URL...... > > .... which in turn is again www.adultactioncam.com This is covered in another thread: "people respond to this?" by JG (2005/11/16 06:00 AM) I have done the full analasys of this crowd in that thread ... ...<form name="regsubmit" action="http://www.adultactioncam.com/?r=aac86749&s=register" method="POST">... From MikeE at ster.invalid Wed Nov 16 15:15:28 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 16 18:20:03 2005 Subject: [SpamCop-List] Re: announcement for our members References: <dlgb7l$uvt$1@news.spamcop.net> Message-ID: <dlgeif$1vg$1@news.spamcop.net> Bill Beyer wrote: www.spamcop.net/sc?id=z827743513zf980d5e844735a686bb7f72c0d0dcaebz Before we even read the body content of a spam, we look at its headers which show a no rDNS .eg source under Nile Online which is SCbl/ed for reports and spamtraps but not currently listed as an abused proxy/trojan. Additionally there is a bogus helo and a bogus Received line -- but since those 'bogosities' aren't misleading, they could be simply due to a misconfigured server. In any case, only the source is SCbl/ed That is an item alleging to be about child pr0n, which almost always makes me think about a joejob. It doesn't provide a website, but instead has a yahoo from and an rcn 'payload' contact email address. > Looks like some folks pissed off spammy. Which folks? Similar items to that appear in sightings, but I find no online persona history for either of the addresses blckjak101@yahoo.com or jkeon@rcn.com which would be what is being jobbed or the real payload if it isn't bogus. -- Mike Easter kibitzer, not SC admin From nospam at dev.null Thu Nov 17 01:16:04 2005 From: nospam at dev.null (No Spam) Date: Wed Nov 16 18:20:16 2005 Subject: [SpamCop-List] Re: *snurk* In-Reply-To: <dlg212$pj7$1@news.spamcop.net> References: <dlg212$pj7$1@news.spamcop.net> Message-ID: <dlgejk$1sg$2@news.spamcop.net> indigo wrote: > Well, right now I am not single anymore and it feels great. > > Similarly, last week I was even luckier, and trust me, i'm not Casanova > > http://bedslime.com/extra/galz/ > > Oh baby, I can't wait to sign up for a dating site called bedslime! Just > think of all the hot women waiting for me there! ;-) > > ... and that ladies and gentlemen answers JG's question "people respond to this?" :-) From nobody at devnull.spamcop.net Wed Nov 16 17:24:45 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Nov 16 18:25:02 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> Message-ID: <dlgf3t$2cs$1@news.spamcop.net> "tnfoto" <tony@tonynelsonphoto.com> wrote in message news:dlgckr$vq4$1@news.spamcop.net... > Somehow I've gotten on the Spamcop blocking list. (I blame a too large > party invitation about 6 months ago when this started!) I hesitate to post > the details of the message on a public forum here and have emailed Spamcop > about it with all the details but haven't gotten any response yet and am > looking for advice. > > Is there a way to actually talk to a person at Spamcop to try to figure it > out. No phone #s seem to be listed & I'm not getting response from the > emails. Any advice would be appreciated. This is one of those situations where if you aren't going to post the actual details, there isn't much that anyone can help you with On the other hand, there is a wealth of information available at the Forum from other folks with issues that did "reveal" the information needed, much more data in the versions of the SpamCop FAQ found there (one could assume that you have already availed yourself to the official FAQ found via the Help button on the www.spamcop.net web site and for some reason couldn't find your answers there.??) Try going to http://forum.spamcop.net/forums/ and see if you don't have better luck finding answers. Easier all around if you'd just get specific, but .... From MikeE at ster.invalid Wed Nov 16 15:38:18 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 16 18:40:02 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> Message-ID: <dlgft9$2pu$1@news.spamcop.net> tnfoto wrote: > Somehow I've gotten on the Spamcop blocking list. There is nothing that follows below that supports that contention. > Periodically, email coming to me gets blocked & bounces back > to the sender. That is not a consequence of "I've gotten on the Spamcop blocking ist" -- you've got it backwards. re "bounces back" - Very often the term 'bounces' is ambiguous, but we will temporarily use it anyway. That means that a mail from a sender's server addressed to myname@mynamephotography.com is rejected possibly during the smtp transaction with the mynamephotography.com's server, hereafter called MNP's server. If MNP's server rejects the mailitem, possibly based on some spamcontrol measure, then the sender's server would tell the sender 'something' - optimally the sender would receive a message from hir own server which contains text describing the blocking action which was taken on that mail. That process is based on a smtp rejection, and the sender gets their information from their sending server. It is also possibly for the sender to receive a so-called bounce, or 'belated' bounce, which is a newmail addressed to the From of the sender's mail if MNP's receiving server accepts a mail for delivery and then determines that it doesn't want to deliver the mail it accepted. Under those circumstances, the sender gets their information from the recipient server instead of their sending server. If the server you are using to receive mail for MNP is using some spam control measure which is causing some of your recipients to have their mail rejected because they are listed on a spam blocklist, that is a very healthy process, because those senders need to find out why they are listed. If the server you are using to receive mail for MNP is using some spam control measure which causes it to send belated newmails to sender Froms, that is a very unhealthy process, because those newmails can go to forged Froms and abuse them. > Earthlink also claims to NOT > use Spamcop. EL definitely doesn't use SC. > If neither my ISP or Earthlink use Spamcop, how could they be > blocking it?? Did I miss something or snip something here? Up there I was talking about the server you hire, pay for, to receive mail for MNP's mail. What does any of this have to do with SpamCop? > Is there a way to actually talk to a person at Spamcop to try to > figure it out. I would say 'no'. Especially if whatever you are wanting to talk about has nothing to do with SC. -- Mike Easter kibitzer, not SC admin From bill_beyer at excite.cXoYmZ Wed Nov 16 15:40:13 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Wed Nov 16 18:45:03 2005 Subject: [SpamCop-List] Re: announcement for our members References: <dlgb7l$uvt$1@news.spamcop.net> <dlgeif$1vg$1@news.spamcop.net> Message-ID: <dlgg0m$2sd$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlgeif$1vg$1@news.spamcop.net... > Bill Beyer wrote: > www.spamcop.net/sc?id=z827743513zf980d5e844735a686bb7f72c0d0dcaebz > > Before we even read the body content of a spam, we look at its headers > which show a no rDNS .eg source under Nile Online which is SCbl/ed for > reports and spamtraps but not currently listed as an abused > proxy/trojan. Additionally there is a bogus helo and a bogus Received > line -- but since those 'bogosities' aren't misleading, they could be > simply due to a misconfigured server. In any case, only the source is > SCbl/ed > > That is an item alleging to be about child pr0n, which almost always > makes me think about a joejob. It doesn't provide a website, but > instead has a yahoo from and an rcn 'payload' contact email address. > > > Looks like some folks pissed off spammy. > > Which folks? Similar items to that appear in sightings, but I find no > online persona history for either of the addresses blckjak101@yahoo.com > or jkeon@rcn.com which would be what is being jobbed or the real payload > if it isn't bogus. > > -- > Mike Easter > kibitzer, not SC admin I received 4 of these messages on 2 different email accounts with 3 different email addresses in the body of the spam. Googling the email addresses revealed very little about them other than the fact that 1 of them was a valid address used as a replyto in a craigslist ad. My assumption is that the names being used in the spew are the ones being joe jobbed therefore the ones who pissed off spammy. Here are the trackers for the other 3 if you care to look at them. http://www.spamcop.net/sc?id=z827822307z552d7bc3ed8f99dc1541d5209de5260dz http://www.spamcop.net/sc?id=z827743516z3d4e540a28f9b17b0786bce3a53f839fz http://www.spamcop.net/sc?id=z827743515z266100717d26c32492e615252072bebfz From MikeE at ster.invalid Wed Nov 16 15:51:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 16 18:55:03 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> Message-ID: <dlgglh$3a2$1@news.spamcop.net> tnfoto wrote: > Earthlink also claims to NOT > use Spamcop. EL also does not 'bounce' or reject mail based on spamminess. EL accepts all of its users' spam. That spam can be handled in one of 3 different ways, or 4 depending upon how you are counting. EL user spam which is known as spam to EL can be automatically deleted unseen by its recipient. EL known spam can be saved in a spam folder for the recipient to inspect, ignore, play with, whatever. That saved spam is eventually deleted automatically, and does not count against the EL users' mailbox. EL known spam can be passed to the user unfiltered and untagged. That's 3 already. EL received spam which is not recognized as spam can be handled in one of 2 ways -- if not whitelisted it can be placed in a suspect folder -- or not. Is that 5 or 4 ways? In no case does EL cause any bouncing based on a spamcondition. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Nov 16 16:06:13 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 16 19:10:04 2005 Subject: [SpamCop-List] Re: announcement for our members References: <dlgb7l$uvt$1@news.spamcop.net> <dlgeif$1vg$1@news.spamcop.net> <dlgg0m$2sd$1@news.spamcop.net> Message-ID: <dlghhk$41e$1@news.spamcop.net> Bill Beyer wrote: > "Mike Easter" >> That is an item alleging to be about child pr0n, which almost always >> makes me think about a joejob. The other thing I think about is a sting. > I received 4 of these messages on 2 different email accounts with 3 > different email addresses in the body of the spam. Googling the email > addresses revealed very little about them other than the fact that 1 > of them was a valid address used as a replyto in a craigslist ad. My > assumption is that the names being used in the spew are the ones > being joe jobbed therefore the ones who pissed off spammy. Here are > the trackers for the other 3 if you care to look at them. > > http://www.spamcop.net/sc?id=z827822307z552d7bc3ed8f99dc1541d5209de5260dz > http://www.spamcop.net/sc?id=z827743516z3d4e540a28f9b17b0786bce3a53f839fz > http://www.spamcop.net/sc?id=z827743515z266100717d26c32492e615252072bebfz What I find 'striking' about all 4 of these is that the source IP in every instance is only listed for hitting spamtraps or spamreporters, not for being an open proxy. That means we are dealing with a 'fresh' source in every instance. That's cute. If I temporarily disregard that you found a posting history and instead assume that the various payload addresses are of the throwaway variety, I lean toward it not being a joejob, because otherwise we would have heard more about some 'joe' or another. I'm going with a sting. I recommend that you not try to acquire any child pr0n from those addresses. That's a joke, Bill, unless you're into child pr0n, in which case, disregard the advice or the joke :-) -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Nov 16 16:17:52 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 16 19:20:03 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> Message-ID: <dlgi7f$4et$1@news.spamcop.net> Here's a possibility for you. We're talking about a mail from Customer to Photo which I've renamed from MNP. tnfoto wrote: > Here's the basic situation. I have a website for my business (I'm a > commercial photographer) hosted by Earthlink who gives me a number of > email addresses at my site, i.e. myname@mynamephotography.com. I set > it to forward email to my main email address at my home ISP which is > a inexpensive local company that tells me they do not use Spamcop's > service. Periodically, email coming to me gets blocked & bounces back > to the sender. That is, a mail trying to make it from Customer to Photo and forwarded on to homeISP gets 'bounced' [which might be a newmail addressed to Customer, from the mail's From] The dirty bird [listed IP] in the route is/ could be/ the EL server. The server using a blocklist is/ could be/ homeISP, which only disavows SCbl, you didn't say they disavowed any kind of blocklisting or rejecting or bouncing. So, one mechanism is the Customer or Customer's server being blocklisted by homeISP, and the other mechanism is EL's server being blocklisted by homeISP. None of this has anything to do with SC . We are still awaiting any evidence or information to justify even discussing such a possibility. Also, none of it has anything to do with your recipient Photo server being listed anywhere. You or your server's IP being blocklisted somewhere doesn't have any effect on the mail you receive. -- Mike Easter kibitzer, not SC admin From bill_beyer at excite.cXoYmZ Wed Nov 16 16:33:08 2005 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Wed Nov 16 19:35:04 2005 Subject: [SpamCop-List] Re: announcement for our members References: <dlgb7l$uvt$1@news.spamcop.net> <dlgeif$1vg$1@news.spamcop.net> <dlgg0m$2sd$1@news.spamcop.net> <dlghhk$41e$1@news.spamcop.net> Message-ID: <dlgj3s$4ur$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlghhk$41e$1@news.spamcop.net... > Bill Beyer wrote: > > "Mike Easter" > > >> That is an item alleging to be about child pr0n, which almost always > >> makes me think about a joejob. > > The other thing I think about is a sting. > > > I received 4 of these messages on 2 different email accounts with 3 > > different email addresses in the body of the spam. Googling the email > > addresses revealed very little about them other than the fact that 1 > > of them was a valid address used as a replyto in a craigslist ad. My > > assumption is that the names being used in the spew are the ones > > being joe jobbed therefore the ones who pissed off spammy. Here are > > the trackers for the other 3 if you care to look at them. > > > > > http://www.spamcop.net/sc?id=z827822307z552d7bc3ed8f99dc1541d5209de5260dz > > > http://www.spamcop.net/sc?id=z827743516z3d4e540a28f9b17b0786bce3a53f839fz > > > http://www.spamcop.net/sc?id=z827743515z266100717d26c32492e615252072bebfz > > What I find 'striking' about all 4 of these is that the source IP in > every instance is only listed for hitting spamtraps or spamreporters, > not for being an open proxy. That means we are dealing with a 'fresh' > source in every instance. That's cute. > > If I temporarily disregard that you found a posting history and instead > assume that the various payload addresses are of the throwaway variety, > I lean toward it not being a joejob, because otherwise we would have > heard more about some 'joe' or another. > > I'm going with a sting. I recommend that you not try to acquire any > child pr0n from those addresses. > > That's a joke, Bill, unless you're into child pr0n, in which case, > disregard the advice or the joke :-) > > -- > Mike Easter > kibitzer, not SC admin I thought about the sting aspect as well but it just seemed too random for a really effective sting unless the FBI is just trolling for child pr0n enthusiasts. Not being a member of either of the aforementioned groups I don't know the first thing about stings so I gravitated towards the joe job aspect. I can just see the hundreds of outraged emails filling up the inboxes of the victims. Obviously the sender is sophisticated enough to get the spew through the filters by jumping ISPs and avoiding open proxies so that seems to indicate someone who is somewhat adept at spamming. I received 3 at 1 account which is on an ISP that utilizes the SCBl and 1 at an account on a totally unrelated provider which very clearly doesn't. Both accounts receive a significant amount of spam but not very often the same spam so the sender has tapped into at least a couple of lists. From g.hyde at bigpond.net.au Thu Nov 17 11:33:42 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Wed Nov 16 20:35:02 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) References: <dlcin0$rvs$1@news.spamcop.net> <4379FB0B.5CCEC21F@spamcop.net> Message-ID: <dlgmnl$76u$1@news.spamcop.net> "Kenneth Brody" <kenbrody@spamcop.net> wrote in message news:4379FB0B.5CCEC21F@spamcop.net... > Geoffrey Hyde wrote: >> >> http://www.spamcop.net/sc?id=z827214886z055a7b061fcca524bef2f0d070ef0197z >> >> It would appear someone is still interested in some variant on the >> Nigerian >> bank phish scam, where they leave some poor sap holding the unfortunate >> result of money disappearing from their bank account. > > My understanding of this scam is: > > Their "client" sends you a certified check for payment of an invoice. > Let's say it's $10,000. You deposit it into your account, and, being a > certified check, the bank makes the funds available to you next day. > You then wire the scammers $9,000 (keeping your 10%) into their offshore > account. A few days later, your bank finds out that the "certified > check" was a forgery, and takes back the $10,000 from your account, > leaving you out the $9,000 in cash you sent overseas. I wonder, since it's been sent to someone technically in Australia (me), if it's worth my bother to forward it onto ASIO or some other anti-spam government agency here? I'm not familiar with the anit-spam agencies in Australia, or even if they exist. > You could have $1.97 in your account, and they still get $9,000 out of > you with this scam. It's much more efficient than a Nigerian scam. Not if I don't send them an email - only a complete idiot would do something like that. :) Cheers ... Geoffrey Hyde From jg at coks.net Wed Nov 16 18:00:19 2005 From: jg at coks.net (jg) Date: Wed Nov 16 21:00:03 2005 Subject: [SpamCop-List] Re: people respond to this? In-Reply-To: <dlfqt5$lmj$1@news.spamcop.net> References: <dleaph$qim$1@news.spamcop.net> <dlfqt5$lmj$1@news.spamcop.net> Message-ID: <dlgo3v$7sb$1@news.spamcop.net> On 11/16/2005 9:39 AM No Spam scribbled: > Try the following: > > Use a secure OS such as Linux/Unix or secure URL tool and leech the link: > Just how does one "leech" the link? thanks jg From jg at coks.net Wed Nov 16 19:04:52 2005 From: jg at coks.net (jg) Date: Wed Nov 16 22:05:03 2005 Subject: [SpamCop-List] Re: *snurk* In-Reply-To: <dlgejk$1sg$2@news.spamcop.net> References: <dlg212$pj7$1@news.spamcop.net> <dlgejk$1sg$2@news.spamcop.net> Message-ID: <dlgrsv$9oa$1@news.spamcop.net> On 11/16/2005 3:16 PM No Spam scribbled: > ... and that ladies and gentlemen answers JG's question > "people respond to this?" > > :-) No - but snurk gives me a clue, but I don't unix/php right now - bit over my head, I'm afraid, as is your term leech in OP. From jg at coks.net Wed Nov 16 19:23:42 2005 From: jg at coks.net (jg) Date: Wed Nov 16 22:25:03 2005 Subject: [SpamCop-List] Re: Another one bites the dust! In-Reply-To: <dlgck7$vq0$1@news.spamcop.net> References: <dlgck7$vq0$1@news.spamcop.net> Message-ID: <dlgt09$ac5$1@news.spamcop.net> On 11/16/2005 9:21 AM Doug Thegarden scribbled: > http://news.bbc.co.uk/1/hi/england/cambridgeshire/4442772.stm > Sounds like he's been seen @ alt.spam... From nobody at spamcop.net Thu Nov 17 05:52:11 2005 From: nobody at spamcop.net (me-no-no) Date: Thu Nov 17 00:55:04 2005 Subject: [SpamCop-List] Re: people respond to this? References: <dleaph$qim$1@news.spamcop.net> <dlfqt5$lmj$1@news.spamcop.net> Message-ID: <dlh5q7$el1$1@news.spamcop.net> "No Spam" <nospam@dev.null> wrote in message news:dlfqt5$lmj$1@news.spamcop.net... > jg wrote: >> http://www.spamcop.net/sc?id=z827506511z6aae52fa34ac23bf7b235f85595df14bz > > This is www.adultactioncam.com, cloaked behind a disposable fronting > domain. In cahoots with OpenSRS/Tucows and Source Investments Inc on > Teleglobe. Interesting discussion over at nanae relating to these low-life:- http://groups.google.co.uk/group/news.admin.net-abuse.email/browse_frm/thread/6eb6244a01f9eabc/9234c160b1142350?hl=en#9234c160b1142350 http://tinyurl.com/csr9d See also the datecam-dot-com connection et al :- http://groups.google.co.uk/groups?q=datecam.com+&hl=en Ciao Meno From jeffg at spamcop.net Thu Nov 17 00:54:25 2005 From: jeffg at spamcop.net (Jeff G.) Date: Thu Nov 17 00:55:25 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgglh$3a2$1@news.spamcop.net> Message-ID: <dlh5ui$elo$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlgglh$3a2$1@news.spamcop.net... > tnfoto wrote: > > > Earthlink also claims to NOT > > use Spamcop. > > EL also does not 'bounce' or reject mail based on spamminess. I have evidence that EL and its under-the-radar subsidiary PeoplePC do delayed-bounce and challenge for the following reasons (spaced out vertically due to internal spacing in the evidence): 552 Quota violation for x@[EL Mindspring Business Customer Domain] (where IIRC Mindspring was purchased by EL some years ago) x@mindspring.com SMTP error from remote mailer after RCPT TO:x@mindspring.com: host mx08.mindspring.com [207.69.200.30]: 554 This mailbox is full. Please try again later. for x@mindspring.com x@example.com SMTP error from remote mailer after RCPT TO:x@example.com: host mail.example.com [10.0.0.1]: 5xx Go Away for a good reason like not a valid username, over quota, etc. (where x@example.com is a forwardee of an EL or Mindspring commercial customer) This message was generated automatically by EarthLink's mail systems. We're sorry, but we can no longer accept email at the address: x@mail.earthlink.net If you wish to email this EarthLink customer, please address your email to: x@earthlink.net Thank you. [spamblocker challenge] I apologize for this automatic reply to your email. To control spam, I now allow incoming messages only from senders I have approved beforehand. If you would like to be added to my list of approved senders, please fill out the short request form (see link below). Once I approve you, I will receive your original message in my inbox. You do not need to resend your message. I apologize for this one-time inconvenience. Click the link below to fill out the request: https://webmail.pas.earthlink.net/wam/addme?a=x@earthlink.net&id=[challenge ID string] A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: spamtrap@[EL Business Customer Domain] SMTP error from remote mailer after end of data: host mx00-dom.earthlink.net [207.217.120.57]: 554 forwarding loop, mail is looping [PeoplePC spaminator challenge] This is an automatic reply to your email message to x@peoplepc.com This email address is protected by PeoplePC spaminator. Your email message has b een redirected to a "Suspect Email" folder for x@peoplepc.com. In order for your messa ge to be moved to this recipient's Inbox, he or she must add your email address to a list of allowed senders. Click the link below to request that x@peoplepc.com add you to this list. https://webmail.peoplepc.com/wam/addme?a=x@peoplepc.com&id=[challenge ID string] -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum. From edo.amin at gmail.com Thu Nov 17 08:05:50 2005 From: edo.amin at gmail.com (EA) Date: Thu Nov 17 01:10:03 2005 Subject: [SpamCop-List] Blocked again In-Reply-To: <WNHBc58fvg8U@eisner.encompasserve.org> References: <dlg7ud$sre$1@news.spamcop.net> <WNHBc58fvg8U@eisner.encompasserve.org> Message-ID: <437C1DBE.3040902@gmail.com> Larry, Immediately following our last exchange the problem seemed to be fixed an email got through. Shortly later the problem has returned - no email gets forwarded through reshet.co.il addresses (x@reshet.co.il). I am going to talk to Catalog.com, who does the reshet.co.il mail forwarding, and who hosts reshet.co.il since about two decades. Is reshet.co.il on any Spamcop list maintained and/or offered to ISPs such as Catalog? EA From nobody at spamcop.net Thu Nov 17 10:06:40 2005 From: nobody at spamcop.net (nospam) Date: Thu Nov 17 01:10:20 2005 Subject: [SpamCop-List] Re: people respond to this? References: <dleaph$qim$1@news.spamcop.net> <dlfqt5$lmj$1@news.spamcop.net> Message-ID: <BFA206B0.16522%nobody@spamcop.net> in article dlfqt5$lmj$1@news.spamcop.net, No Spam at nospam@dev.null wrote on 16/11/05 9:39 PM: > > Hi > > This is www.adultactioncam.com, cloaked behind a disposable fronting > domain. In cahoots with OpenSRS/Tucows and Source Investments Inc on > Teleglobe. Rest Snipped, I'd say 50% of my (considerable) spam is now connected with adultaction*.com. Considering the incredible resources these a**holes and their affiliates are stealing from probably thousands of clients of ISP's with their DNS Nameserver Botnets, , Redirector Botnets, and of course Spamming Botnets, not to mention Popserver resources etc. sucked up from clients, it is incredible that no big ISP takes Teleglobe, or or sleazeball registrars to task. I'm sure there are technical means of communicating displeasure that ISP's could carry out if they really wanted to. Recalling the brouhaha between Level3 and was it Charter? recently, it seems to me they could. I have the feeling that ordinary clients, no matter how many, are irrelevant in the business models of ISP's and registrars, and that at the end of the day spam is profitable for all of them. Particularly, spam is profitable for registrars, I don't believe for a moment that ordinary legit business could profitably support all the registrars out there. It's a business that can only grow hugely during the introduction of the web phase and quickly saturates in the market. Even during the heady dotcom boom, I'd say a major portion of registrar profits came from domain parkers, or the effective extortion by domain parkers of business owners. That whole business sector is full of sleazeballs. The public seems to be becoming aware of this and that's why business on the web is suffering stunted growth these days. From edo.amin at gmail.com Thu Nov 17 08:09:27 2005 From: edo.amin at gmail.com (EA) Date: Thu Nov 17 01:10:28 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? In-Reply-To: <dlgddh$109$1@news.spamcop.net> References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> Message-ID: <437C1E97.4000601@gmail.com> Mike, Thanks. I believe I understand most of what you write. Well, as a journalist the main point I notice is this: if X was sending messages to the world claiming I (EA) stop your (Mike) mail, I would first deny it, and claim X is simply telling untrue things about me, and if I was in the email business, I would probably threaten court action. The problem itself seems to have returned. I will contact Catalog. It could have helped if I had a straightforward statement from Spamcop that reshet.co.il is not on any blocking list. But even without that, Catalog will probably give me some sort of answer, however relevant, and then the story will have another thread spawned. Mike Easter wrote: > EA wrote: > Your correction is describing a problem with mail /to/ you, not /from/ > you. > > We need to get straight on what the problem really is. Well, you read my correction correctly, and we are on the same page now. > >> Though I have a domain to my name, I have no mail servers. >> I have no servers, I am not an ISP, not even an admin. > > Mail addressed to a username at reshet.co.il would be handled by mail1 > or mail2.catalog.com whose IPs are under Washita Comm in OK USA whereas > your connectivity for your nntp posting IP is .inter.net.il under > Euronet. Yes, it occurred to me to contact Catalog, and they might be blocking my mail, but would a large ISP tell the world that Spamcop blocks my email - out of the blue? If so, I'm sure Spamcop would have something to say about this. > Mail /to/ a spamcop mail customer could be affected by spamcop services > by way of tagging or sorting into a 'blocked' classification, but that > mail wouldn't be lost. Spamcop does not handle all reshet.co.il email. The mail in question is not found to be "held". Thanks, EA From MikeE at ster.invalid Wed Nov 16 22:10:46 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 01:15:03 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgglh$3a2$1@news.spamcop.net> <dlh5ui$elo$1@news.spamcop.net> Message-ID: <dlh6t5$fj1$1@news.spamcop.net> Jeff G. wrote: > "Mike Easter" >> EL also does not 'bounce' or reject mail based on spamminess. > > I have evidence that EL and its under-the-radar subsidiary PeoplePC do > delayed-bounce and challenge for the following reasons (spaced out > vertically due to internal spacing in the evidence): I can't speak for peoplepc, which is in fact a little sister of EL, I suspect that its required frontend may also be like EL's totalaccess frontend. In EL, the frontend is optional. In peoplepc, it is required. However, any point about challenges is well taken. EL does optionally challenge. However that is configurable by the user. Unfortunately it is the default for anyone who selects the 'high' setting for the spamblocker. > 552 Quota violation for x@[EL Mindspring Business Customer Domain] > (where IIRC Mindspring was purchased by EL some years ago) There are gobs and gobs of mindspring EL users. In fact, there are probably more mindspring rDNS IPs than any other kind of EL. The most common thing is an EL email address and a mindspring IP rDNS. And/But there are plenty of those who were mindspring email and who retain their old mindspring email address. But a quota violation or full mailbox isn't the same as a bounce for spamminess, so that doesn't count. > x@mindspring.com > SMTP error from remote mailer after RCPT TO:x@mindspring.com: > host mx08.mindspring.com [207.69.200.30]: 554 This mailbox is > full. Please try again later. for x@mindspring.com Full mailbox, not spamminess. > x@example.com > SMTP error from remote mailer after RCPT TO:x@example.com: > host mail.example.com [10.0.0.1]: 5xx Go Away for a good reason > like not a valid username, over quota, etc. > (where x@example.com is a forwardee of an EL or Mindspring commercial > customer) Not spamminess. > This message was generated automatically by EarthLink's mail systems. > > We're sorry, but we can no longer accept email at the address: > x@mail.earthlink.net Bad address. Not spamminess. > If you wish to email this EarthLink customer, please address your > email to: > x@earthlink.net > > Thank you. > > > [spamblocker challenge] > I apologize for this automatic reply to your email. > > To control spam, I now allow incoming messages only from senders I > have approved beforehand. > > If you would like to be added to my list of approved senders, please > fill out the short request form (see link below). Once I approve you, > I will receive your original message in my inbox. You do not need to > resend your message. I apologize for this one-time inconvenience. > > Click the link below to fill out the request: > > https://webmail.pas.earthlink.net/wam/addme?a=x@earthlink.net&id=[challenge > ID string] Yes. That is the challenge gizmo. But, that isn't actually a 'bounce' officially. The mail has been accepted, but undelivered. It will never be actually bounced. > A message that you sent could not be delivered to one or more of its > recipients. This is a permanent error. The following address(es) > failed: > > spamtrap@[EL Business Customer Domain] > SMTP error from remote mailer after end of data: > host mx00-dom.earthlink.net [207.217.120.57]: > 554 forwarding loop, mail is looping That isn't spamminess. That is a handling error. I saw one of those in EL help group recently. > [PeoplePC spaminator challenge] > This is an automatic reply to your email message to x@peoplepc.com > > This email address is protected by PeoplePC spaminator. Your email > message has b > een redirected to a "Suspect Email" folder for x@peoplepc.com. In > order for your messa > ge to be moved to this recipient's Inbox, he or she must add your > email address > to a list of allowed senders. So, it looks like peoplepc is using EL's old spaminator and its challenges. Spaminator is what EL used to call what they are now calling spamblocker. I don't know enough about peoplepc to know if it has all of the same options as EL. for its mail. It has a number of different 'features' as a cheaper product, eg no free telephone support for anything other than install and billing. All other tel support is $2/min. It also doesn't have news, and as I mentioned, it has a required frontend. So thus isn't available for macs or linuxes. > Click the link below to request that x@peoplepc.com add you to this > list. > https://webmail.peoplepc.com/wam/addme?a=x@peoplepc.com&id=[challenge > ID string] -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Nov 16 22:35:43 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 01:40:02 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> Message-ID: <dlh8bt$gdq$1@news.spamcop.net> EA wrote: > Thanks. I believe I understand most of what you write. I think it is very important that we distinguish this: EA wrote: > About 24 hours ago I received a message from some mail server with the > subject: > Returned mail: Your email is being blocked by SpamCop. > And no further meaningful content. from this: > Since then, all mail that's sent to my domain reshet.co.il goes > nowhere and does not bounce. The first is an inaccurate 'description' or statement about a mail item *sourced* from your IP. The second is an observation by you about mail addressed *to* your domainname. Those *to* a domainname vs sourced *from* an IP address are completely different issues and actually have no relationship to each other. Very often they aren't even performed by the same server. Whereas I can query for the MX or input server for reshet.co.il, I don't know what mail output server you use which might experience difficulty with its outgoing mail, as you described in the first example above .... .... which is not at all related to the second issue, which I think is /actually/ the one bothering you currently. > The problem itself seems to have returned. Where 'the problem' I will have to guess is the second description, not the first description. I don't like to muddle them up, because they are completely unrelated. > I will contact Catalog. It could have helped if I had a > straightforward statement from Spamcop that reshet.co.il is not on > any blocking list. SpamCop doesn't list anything by domainname. It only lists things by IP address. No one conversing here has any clue about any IP address which might or might not be listed. You have not shared even the name of your output server which might have had mail blocked in the first word example yet. It is not wise for me to assume that your mail's output server/s is/are the same as the output servers for catalog.com. If they were, catalog has 8 output servers 209.217.36.155 fife-smtp.catalog.com 209.217.50.103 smtp-andy.catalog.com 216.57.232.10 virt1.catalog.com 209.217.36.11 neptune.catalog.com 209.217.46.30 trump.catalog.com 209.217.52.101 barracuda.catalog.com 209.217.36.24 barracuda.catalog.com 209.217.50.102 barracuda.catalog.com *if* your mail went *OUT* those servers and *if* one of those servers were blocklisted by some blocklist of which there are hundreds and *if* someone were using that blocklist to block mail and *if* that server said that the mail were blocked because of the spamcop blocklist - then the first example words might inaccurately occur. But, that isn't the problem, and none of those servers are currently listed anywhere. The *problem* is that you are having intermittent trouble *receiving* mail -- which problem has nothing to do with *YOU* being blocklisted. I don't know how to emphasize this very important difference any more emphatically. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Wed Nov 16 23:27:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 02:30:05 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> Message-ID: <dlhbc4$hpc$1@news.spamcop.net> Mike Easter wrote: > It is not wise for me to assume that your mail's output server/s > is/are the same as the output servers for catalog.com. If they were, > catalog has 8 output servers However, if your mail's output servers were those of inter.net.il - who is your connectivity provider representing your nntp newsposting host, inter.net.il has a really lot more output servers than catalog com, in fact it has output servers for several different providers. inter.net.il also has quite a number of user IPs with sufficient spam activity to have output comparable to the normal mailserver, indicating that maybe inter.net.il doesn't tend to business about securing its spamsourcing user IPs. Those numerous spamsourcing inter.net.il user IPs are listed in several blocklists. For one example, 192.114.167.161 rDNS genie03-166-161.inter.net.il is listed in spamcop as a spamsource and cbl as a spamsource showing signs of proxy trojan condition. I'm guessing at the naming protocol in calling that a user IP compared to other naming styles for what appear to be the servers at inter.net.il The normal sequence. When mail leaves your computer, it is coming from the IP address which is either dynamically or statically 83.130.103.72, most likely dynamically, so then it changes after variable intervals. Then, it goes to some smtp server, whose name and IP address are unknown so far. Somewhere along the way it leaves that provider's IP address and tries to connect and hand off its mail to someone else's server. If that server thinks that the IP address which is trying to hand it mail is blocklisted, it might reject the mail. Ideally that rejection provides information about the IP of the sender and the blocklist and even the wouldbe receiving server. If the mail were rejected, then your sending server would tell you that. That would be a problem with the sending IP being blocklisted. Also, rejection of mail and the associated delivery status notification failed is a very healthy process. Here's another completely different story. A mail which is addressed to your email address, not IP, is lost for unknown reasons. Not rejected or bounced. Vanished. That has nothing to do with your IP being blocklisted by anything, spamcop or otherwise. In the normal sequence above, your dynamic IP could become a user IP which had been blocklisted. Then, you would have your outgoing mail blocked. In the completely different story, that lost mail has nothing to do with any such blocklisting. -- Mike Easter kibitzer, not SC admin From jeffg at spamcop.net Thu Nov 17 02:27:12 2005 From: jeffg at spamcop.net (Jeff G.) Date: Thu Nov 17 02:40:03 2005 Subject: [SpamCop-List] Re: Broken reporting address - btbroadband References: <dldb43$95c$1@news.spamcop.net> <dldc4a$9t5$1@news.spamcop.net> <dldetn$bpg$1@news.spamcop.net> Message-ID: <dlhc4d$i55$1@news.spamcop.net> "Ellen" <nobody@spamcop.net> wrote in message news:dldetn$bpg$1@news.spamcop.net... > "Mike Easter" <MikeE@ster.invalid> wrote in message > news:dldc4a$9t5$1@news.spamcop.net... > > That tracker shows that SC's notify for 81.137.237.72 is currently > > bt@admin.spamcop.net for its own reports and that is where this item was > > reported. > I am trying to get in touch with BT to get the bounce fixed or the address > changed Ellen, thanks for the effort. I thought you should know that btbroadband.abuse@bt.com (as forwarded from bt@admin.spamcop.net) was still bouncing about 4 hours ago (22:36 EST -0500, 03:26 UTC -0000), six minutes after I submitted a Report to be sent there. -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only, as PMs and Emails may be posted, reported, and/or ridiculed. From edo.amin at gmail.com Thu Nov 17 12:45:47 2005 From: edo.amin at gmail.com (EA) Date: Thu Nov 17 05:50:23 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? In-Reply-To: <dlh8bt$gdq$1@news.spamcop.net> References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> Message-ID: <437C5F5B.2020201@gmail.com> Mike Easter wrote: > The first is an inaccurate 'description' or statement about a mail item > *sourced* from your IP. > > The second is an observation by you about mail addressed *to* your > domainname. > > Those *to* a domainname vs sourced *from* an IP address are completely > different issues and actually have no relationship to each other. Very > often they aren't even performed by the same server. Indeed, as in this case. > Whereas I can query for the MX or input server for reshet.co.il, I don't > know what mail output server you use which might experience difficulty > with its outgoing mail, as you described in the first example above .... I currently do not experience difficulty in outgoing email. The event I described was singular. > > .... which is not at all related to the second issue, which I think is > /actually/ the one bothering you currently. Yes. >> The problem itself seems to have returned. > > Where 'the problem' I will have to guess is the second description, not > the first description. I don't like to muddle them up, because they are > completely unrelated. Yes. > >> I will contact Catalog. It could have helped if I had a >> straightforward statement from Spamcop that reshet.co.il is not on >> any blocking list. > > SpamCop doesn't list anything by domainname. It only lists things by IP > address. No one conversing here has any clue about any IP address which > might or might not be listed. I fail to see how this relates to any IP at all - in the automatic email that mentioned Spamcop (from vbmail.vblaw.com) there was no mention of an IP. You have not shared even the name of your > output server which might have had mail blocked in the first word > example yet. I fail to see how my ISP's output server be linked or implicate my private domain? To better clarify, the output server I use is not reshet.co.il. No connection. I use anything, webmail included, and configure "From:" when available to x(at)reshet.co.il. > It is not wise for me to assume that your mail's output server/s is/are > the same as the output servers for catalog.com. They are definitely not! > > The *problem* is that you are having intermittent trouble *receiving* > mail -- which problem has nothing to do with *YOU* being blocklisted. Exactly 24 hours, then a brief lapse to normal, then no receiving again. > > I don't know how to emphasize this very important difference any more > emphatically. > > > Understood. Thanks for the thorough clarification. So now I am left with one extra thing to wonder about - what could have made vbmail.vblaw.com reject my mail to vblaw.com, and mention both reshet.co.il and Spamcop in its message? EA From edo.amin at gmail.com Thu Nov 17 12:49:43 2005 From: edo.amin at gmail.com (EA) Date: Thu Nov 17 05:50:46 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? In-Reply-To: <dlhbc4$hpc$1@news.spamcop.net> References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <dlhbc4$hpc$1@news.spamcop.net> Message-ID: <437C6047.40906@gmail.com> Mike Easter wrote: > > > If the mail were rejected, then your sending server would tell you that. > That would be a problem with the sending IP being blocklisted. Also, > rejection of mail and the associated delivery status notification failed > is a very healthy process. If so, you certainly explained it better than the automatic mail though. And in that case, reshet.co.il has nothing to do with it. > Here's another completely different story. > > A mail which is addressed to your email address, not IP, is lost for > unknown reasons. Not rejected or bounced. Vanished. > > That has nothing to do with your IP being blocklisted by anything, > spamcop or otherwise. > In that case, this is just a strange coincidence. > In the normal sequence above, your dynamic IP could become a user IP > which had been blocklisted. Then, you would have your outgoing mail > blocked. > > In the completely different story, that lost mail has nothing to do with > any such blocklisting. > > Thanks. From nobody at xyzzy.claranet.de Thu Nov 17 11:58:07 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Nov 17 06:00:02 2005 Subject: [SpamCop-List] BT's MAILER-DAEMON (was: Broken reporting address - btbroadband) References: <dldb43$95c$1@news.spamcop.net> <dldc4a$9t5$1@news.spamcop.net> <dldetn$bpg$1@news.spamcop.net> Message-ID: <437C623F.5A28@xyzzy.claranet.de> Ellen wrote: > I am trying to get in touch with BT to get the bounce fixed > or the address changed Still not working, but that wasn't my only point in the bug report. The filter catching auto-replies also doesn't work: The bounces (I just got another six) sail right through the "forward only replies from human beings" filter. But that postmaster@BT has a Return-path:<MAILER-DAEMON> instead of an empty return-path, s/h/it isn't sentient, it's a bot, you can /dev/null it. With my setup no problem, I can also /dev/null it, but for others it might be tricky if they don't want to report the "feedback" from BT via SC. Bye. Frank From nobody at devnull.spamcop.net Thu Nov 17 06:32:34 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Thu Nov 17 06:35:04 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <WNHBc58fvg8U@eisner.encompasserve.org> <437BB758.7050008@gmail.com> Message-ID: <dlhpn0$pka$1@news.spamcop.net> "EA" <edo.amin@gmail.com> wrote in message news:437BB758.7050008@gmail.com... > Things seem to be back to normal. > Is this the result of our discussion? No, it is not. The spamcop blocklist is entirely automatic. If an IP address is reported as sending spam, then the IP address goes on the blocklist. If an ISP is using the spamcop bl to block mail, then the sender of email from that IP address will get a rejection notice. As soon as the admin of that IP address addresses the problem and stops the spam (or the spammer takes a holiday) and no more spam is reported, then the IP address ages off the blocklist. If the email is not getting to you from someone else, it means that your ISP is using the spamcop blocklist and that the IP address your correspondent is using is sending spam. Since much spam nowadays is being sent through infected machines, it may mean that someone who is using that IP address has a trojan - not necessarily your correspondent. If your ISP stops using spamcop, then you will also get all the spam that IP address is sending as well as emails from your correspondent. If you are anxious to use email, you can set up a temporary Hotmail or Yahoo account. Miss Betsy From nobody at devnull.spamcop.net Thu Nov 17 06:41:39 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Thu Nov 17 06:45:02 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <437C5F5B.2020201@gmail.com> Message-ID: <dlhq81$q27$1@news.spamcop.net> "EA" <edo.amin@gmail.com> wrote in message news:437C5F5B.2020201@gmail.com... <snip> > So now I am left with one extra thing to wonder about - what could have > made vbmail.vblaw.com reject my mail to vblaw.com, and mention both > reshet.co.il and Spamcop in its message? Admins use all kinds of blocklists - public ones like spamcop and ones they compile. Sometimes they are lazy about the rejection message. You will have to ask vbmail why they have blocked email from the IP address you use. Miss Betsy From info at dHosted.com Thu Nov 17 14:14:06 2005 From: info at dHosted.com (DHosted Admin) Date: Thu Nov 17 08:15:07 2005 Subject: [SpamCop-List] My Hosting Companie Rulez Message-ID: <dlhvnv$tuv$4@news.spamcop.net> From info at dHosted.com Thu Nov 17 14:16:08 2005 From: info at dHosted.com (DHosted Admin) Date: Thu Nov 17 08:20:16 2005 Subject: [SpamCop-List] My peoples done care i'm goza advertize here anyway : Message-ID: <dlhvrp$ubn$4@news.spamcop.net> From info at dHosted.com Thu Nov 17 14:16:46 2005 From: info at dHosted.com (DHosted Admin) Date: Thu Nov 17 08:20:34 2005 Subject: [SpamCop-List] Free Mega Secure Hosting Message-ID: <dlhvt0$ubr$4@news.spamcop.net> From Support at dHosted.com Thu Nov 17 14:18:36 2005 From: Support at dHosted.com (Dhosted Support) Date: Thu Nov 17 08:20:50 2005 Subject: [SpamCop-List] Post 1000 Message to any Newsgroups Promoting my site and earn $250.00 Message-ID: <dli00d$ucf$4@news.spamcop.net> From tony at tonynelsonphoto.com Thu Nov 17 08:07:43 2005 From: tony at tonynelsonphoto.com (tnfoto) Date: Thu Nov 17 09:10:04 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> Message-ID: <dli2rh$15q$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlgi7f$4et$1@news.spamcop.net... > Here's a possibility for you. We're talking about a mail from Customer > to Photo which I've renamed from MNP. > > tnfoto wrote: > Thanks for your willingness to help here. Sorry if I'm not giving enough details. Given the spamminess of this whole thing, I'm just nervous about posting my IP address publicly. Hopefully this will make it all more clear if I just x-out some #s. Also, I understand the concepts pretty well here but, as must be obvious, this is technically a little beyond me. >> Here's the basic situation. I have a website for my business (I'm a >> commercial photographer) hosted by Earthlink who gives me a number of >> email addresses at my site, i.e. myname@mynamephotography.com. I set >> it to forward email to my main email address at my home ISP which is >> a inexpensive local company that tells me they do not use Spamcop's >> service. Periodically, email coming to me gets blocked & bounces back >> to the sender. > > That is, a mail trying to make it from Customer to Photo and forwarded > on to homeISP gets 'bounced' [which might be a newmail addressed to > Customer, from the mail's From] > > The dirty bird [listed IP] in the route is/ could be/ the EL server. > The server using a blocklist is/ could be/ homeISP, which only disavows > SCbl, you didn't say they disavowed any kind of blocklisting or > rejecting or bouncing. > > So, one mechanism is the Customer or Customer's server being blocklisted > by homeISP, and the other mechanism is EL's server being blocklisted by > homeISP. > I think this is likely the scenario. First of all, my IP address IS on Spamcop's BL. That was easy enough to check. Here's the message I get with a few names & numbers changed to protect the innocent... myname@homeisp.net SMTP error from remote mailer after MAIL FROM:<myname@mynamephoto.com>: host mail.homeisp.net [209.173.xxx.xxx]: xxx 5.7.1 Mail from 207.217.xxx.xxx refused by blackhole site bl.spamcop.net RBL > None of this has anything to do with SC . We are still awaiting any > evidence or information to justify even discussing such a possibility. > > Also, none of it has anything to do with your recipient Photo server > being listed anywhere. You or your server's IP being blocklisted > somewhere doesn't have any effect on the mail you receive. > But, if it's mail FROM Photo server (EL) that's being blocked by home ISP server (and they're wrong about not using SC), wouldn't the net effect be that I don't receive any incoming mail? > > -- > Mike Easter > kibitzer, not SC admin > From Kilgallen at SpamCop.net Thu Nov 17 09:13:46 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Thu Nov 17 10:15:21 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> Message-ID: <0VsQGxbooF64@eisner.encompasserve.org> In article <dli2rh$15q$1@news.spamcop.net>, "tnfoto" <tony@tonynelsonphoto.com> writes: > > "Mike Easter" <MikeE@ster.invalid> wrote in message > news:dlgi7f$4et$1@news.spamcop.net... >> Here's a possibility for you. We're talking about a mail from Customer >> to Photo which I've renamed from MNP. >> >> tnfoto wrote: >> > > Thanks for your willingness to help here. > Sorry if I'm not giving enough details. Given the spamminess of this whole > thing, I'm just nervous about posting my IP address publicly. Hopefully Presuming by spam you mean email spam, how does revealing an IP address harm anything ? From MikeE at ster.invalid Thu Nov 17 07:47:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 10:50:26 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> Message-ID: <dli8mi$443$1@news.spamcop.net> tnfoto wrote: > "Mike Easter" >> Here's a possibility for you. We're talking about a mail from >> Customer to Photo which I've renamed from MNP. >>> Here's the basic situation. I have a website for my business (I'm a >>> commercial photographer) hosted by Earthlink who gives me a number >>> of email addresses at my site, i.e. myname@mynamephotography.com. >>> I set it to forward email to my main email address at my home ISP >>> which is a inexpensive local company that tells me they do not use >>> Spamcop's service. Periodically, email coming to me gets blocked & >>> bounces back to the sender. >> >> That is, a mail trying to make it from Customer to Photo and >> forwarded on to homeISP gets 'bounced' [which might be a newmail >> addressed to Customer, from the mail's From] >> >> The dirty bird [listed IP] in the route is/ could be/ the EL server. >> The server using a blocklist is/ could be/ homeISP, which only >> disavows SCbl, you didn't say they disavowed any kind of >> blocklisting or rejecting or bouncing. >> >> So, one mechanism is the Customer or Customer's server being >> blocklisted by homeISP, and the other mechanism is EL's server being >> blocklisted by homeISP. > I think this is likely the scenario. First of all, my IP address IS > on Spamcop's BL. That was easy enough to check. Here's the message > I get with a few names & numbers changed to protect the innocent... > > myname@homeisp.net SMTP error from remote mailer after MAIL > FROM:<myname@mynamephoto.com>: > host mail.homeisp.net [209.173.xxx.xxx]: xxx 5.7.1 Mail from > 207.217.xxx.xxx refused by blackhole site bl.spamcop.net RBL One of the things that is very aggravating about this situation is that not only do you withhold very useful details which could be used to help you, but you also change critical elements of the story. What is just above this is your homeISPs server saying it is using spamcop's blocklist, whereas earlier you distinctly said: tnfoto wrote: > I set it to forward email to my main email address at my home ISP which is a inexpensive local company that tells me they do not use Spamcop's service. tnfoto then wrote: > But, if it's mail FROM Photo server (EL) that's being blocked by home > ISP server (and they're wrong about not using SC), wouldn't the net > effect be that I don't receive any incoming mail? Yes. If you are using an EL IP which is on the SCbl to try to send forwarded mail to homeISP and homeISP is using SCbl to reject mail, then homeISP would reject the forwarded mail based on the forwarding IP. That is an ugly situation where you have chosen to forward using an IP address which your own homeISP server is configured to reject. You should have some other arrangement. Either you should have your homeISP whitelist what you are forwarding from, or you should not forward to homeISP. A very important thing that you don't seem to understand is that you can get immensely more help if we were talking about a real thing instead of a description. -- Mike Easter kibitzer, not SC admin From jg at coks.net Thu Nov 17 07:53:06 2005 From: jg at coks.net (jg) Date: Thu Nov 17 10:55:04 2005 Subject: [SpamCop-List] Re: people respond to this? In-Reply-To: <BFA206B0.16522%nobody@spamcop.net> References: <dleaph$qim$1@news.spamcop.net> <dlfqt5$lmj$1@news.spamcop.net> <BFA206B0.16522%nobody@spamcop.net> Message-ID: <dli8td$48d$1@news.spamcop.net> On 11/16/2005 10:06 PM nospam scribbled: > > Even during the heady dotcom boom, I'd say a major portion of registrar > profits came from domain parkers, or the effective extortion by domain > parkers of business owners. That whole business sector is full of > sleazeballs. > > The public seems to be becoming aware of this and that's why business on > the web is suffering stunted growth these days. > No doubt. You didn't answer my earlier question on how one "leeches" out the info you did. Your input is appreciated. tnx, jg From MikeE at ster.invalid Thu Nov 17 08:10:34 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 11:15:03 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <437C5F5B.2020201@gmail.com> Message-ID: <dlia1r$4v7$1@news.spamcop.net> EA wrote: > Mike Easter wrote: >> The first is an inaccurate 'description' or statement about a mail >> item *sourced* from your IP. >> >> The second is an observation by you about mail addressed *to* your >> domainname. >> >> Those *to* a domainname vs sourced *from* an IP address are >> completely different issues and actually have no relationship to >> each other. Very often they aren't even performed by the same >> server. > > Indeed, as in this case. > >> Whereas I can query for the MX or input server for reshet.co.il, I >> don't know what mail output server you use which might experience >> difficulty with its outgoing mail, as you described in the first >> example above .... > > I currently do not experience difficulty in outgoing email. > The event I described was singular. Except that you are /still/ talking about it and dragging it into a conversation about something else and trying to 'influence' an explanation by bringing aspects of it up when we are supposed to be talking about something else altogether and completely different and unrelated. See below. >> .... which is not at all related to the second issue, which I think >> is /actually/ the one bothering you currently. > > Yes. > >>> The problem itself seems to have returned. >> >> Where 'the problem' I will have to guess is the second description, >> not the first description. I don't like to muddle them up, because >> they are completely unrelated. > > Yes. >>> I will contact Catalog. It could have helped if I had a >>> straightforward statement from Spamcop that reshet.co.il is not on >>> any blocking list. That is you saying you wish you knew if "reshet.co.il" is on a blocklist. >> SpamCop doesn't list anything by domainname. It only lists things >> by IP address. No one conversing here has any clue about any IP >> address which might or might not be listed. That is me saying that SC doesn't list by domainname. It lists by IP address. An IP address looks like 216.57.232.15 - which incidentally is the IP for reshet, and which incidentally isn't SCbl listed, not that that has anything to do with any mail you fail to receive. > I fail to see how this relates to any IP at all - in the automatic > email that mentioned Spamcop (from vbmail.vblaw.com) there was no > mention of an IP. That is you dragging something into the conversation about the 'singular' event which you should quit talking about in the middle of a discussion about you having trouble receiving mail. Don't you get it? > You have not shared even the name of your >> output server which might have had mail blocked in the first word >> example yet. > > I fail to see how my ISP's output server be linked or implicate my > private domain? If we persist in trying to talk about a mail from you being blocked, we would need to know its IP address or the IP address of its output server. If we would stop talking about that, then it wouldn't make any difference. > To better clarify, the output server I use is not reshet.co.il. No > connection. I use anything, webmail included, and configure "From:" > when available to x(at)reshet.co.il. What a From says has absolutely nothing to do with what some server might block based on a DNSBL like SpamCop's SCbl. >> The *problem* is that you are having intermittent trouble *receiving* >> mail -- which problem has nothing to do with *YOU* being blocklisted. > > Exactly 24 hours, then a brief lapse to normal, then no receiving > again. That is what you should focus on fixing. You should [temporarily] forget about any of your questions that have to do with any one single output mail of yours being blocked by vbmail.vblaw.com > So now I am left with one extra thing to wonder about - what could > have made vbmail.vblaw.com reject my mail to vblaw.com, and mention > both reshet.co.il and Spamcop in its message? We are spending a lot of lines talking about that. If I were having an ongoing intermittent problem with the mail to all of the usernames at a domain of mine being lost, dropped on the floor, in an unhealthy manner -- I would temporarily shift my focus to that problem and not concentrate on the very healthy normal process of some one single item being rejected and not lost at all. If you want to talk about a vblaw message, post the message itself in another thread and stop talking about a vague description of it in the thread where you are trying to talk about a problem of mail to your domain being lost. -- Mike Easter kibitzer, not SC admin From SC.10.myspamgobbler at spamcowboy.net Thu Nov 17 08:44:40 2005 From: SC.10.myspamgobbler at spamcowboy.net (Brian) Date: Thu Nov 17 11:50:04 2005 Subject: [SpamCop-List] Re: announcement for our members In-Reply-To: <dlgj3s$4ur$1@news.spamcop.net> References: <dlgb7l$uvt$1@news.spamcop.net> <dlgeif$1vg$1@news.spamcop.net> <dlgg0m$2sd$1@news.spamcop.net> <dlghhk$41e$1@news.spamcop.net> <dlgj3s$4ur$1@news.spamcop.net> Message-ID: <dlic6g$5v8$1@news.spamcop.net> Bill Beyer wrote: > "Mike Easter" <MikeE@ster.invalid> wrote in message > news:dlghhk$41e$1@news.spamcop.net... >> Bill Beyer wrote: >>> "Mike Easter" >>>> That is an item alleging to be about child pr0n, which almost always >>>> makes me think about a joejob. >> The other thing I think about is a sting. >> >>> I received 4 of these messages on 2 different email accounts with 3 >>> different email addresses in the body of the spam. Googling the email >>> addresses revealed very little about them other than the fact that 1 >>> of them was a valid address used as a replyto in a craigslist ad. My >>> assumption is that the names being used in the spew are the ones >>> being joe jobbed therefore the ones who pissed off spammy. Here are >>> the trackers for the other 3 if you care to look at them. >>> >>> >> http://www.spamcop.net/sc?id=z827822307z552d7bc3ed8f99dc1541d5209de5260dz >> http://www.spamcop.net/sc?id=z827743516z3d4e540a28f9b17b0786bce3a53f839fz >> http://www.spamcop.net/sc?id=z827743515z266100717d26c32492e615252072bebfz >> >> What I find 'striking' about all 4 of these is that the source IP in >> every instance is only listed for hitting spamtraps or spamreporters, >> not for being an open proxy. That means we are dealing with a 'fresh' >> source in every instance. That's cute. >> >> If I temporarily disregard that you found a posting history and instead >> assume that the various payload addresses are of the throwaway variety, >> I lean toward it not being a joejob, because otherwise we would have >> heard more about some 'joe' or another. >> >> I'm going with a sting. I recommend that you not try to acquire any >> child pr0n from those addresses. >> >> That's a joke, Bill, unless you're into child pr0n, in which case, >> disregard the advice or the joke :-) >> >> -- >> Mike Easter >> kibitzer, not SC admin > > I thought about the sting aspect as well but it just seemed too random for a > really effective sting unless the FBI is just trolling for child pr0n > enthusiasts. Not being a member of either of the aforementioned groups I > don't know the first thing about stings so I gravitated towards the joe job > aspect. I can just see the hundreds of outraged emails filling up the > inboxes of the victims. > > Obviously the sender is sophisticated enough to get the spew through the > filters by jumping ISPs and avoiding open proxies so that seems to indicate > someone who is somewhat adept at spamming. I received 3 at 1 account which > is on an ISP that utilizes the SCBl and 1 at an account on a totally > unrelated provider which very clearly doesn't. Both accounts receive a > significant amount of spam but not very often the same spam so the sender > has tapped into at least a couple of lists. > > All of the yahoo addresses are not valid, so I don't know about the sting, unless yahoo was not informed. Two of the spam items use yahoo only. The other addresses involved 'appear' to be valid still. -- Brian SC.10.myspamgobbler@spamcowboy.net From nobody at spamcop.net Thu Nov 17 09:06:11 2005 From: nobody at spamcop.net (Ellen) Date: Thu Nov 17 12:00:04 2005 Subject: [SpamCop-List] Re: BT's MAILER-DAEMON (was: Broken reporting address - btbroadband) References: <dldb43$95c$1@news.spamcop.net> <dldc4a$9t5$1@news.spamcop.net> <dldetn$bpg$1@news.spamcop.net> <437C623F.5A28@xyzzy.claranet.de> Message-ID: <dlicnd$6ie$1@news.spamcop.net> "Frank Ellermann" <nobody@xyzzy.claranet.de> wrote in message news:437C623F.5A28@xyzzy.claranet.de... > Ellen wrote: > > > I am trying to get in touch with BT to get the bounce fixed > > or the address changed > > Still not working, but that wasn't my only point in the bug > report. The filter catching auto-replies also doesn't work: > The problem should be fixed now. I had word from engineering that it got taken care of. Ellen From MikeE at ster.invalid Thu Nov 17 09:19:56 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 12:20:09 2005 Subject: [SpamCop-List] Re: announcement for our members References: <dlgb7l$uvt$1@news.spamcop.net> <dlgeif$1vg$1@news.spamcop.net> <dlgg0m$2sd$1@news.spamcop.net> <dlghhk$41e$1@news.spamcop.net> <dlgj3s$4ur$1@news.spamcop.net> <dlic6g$5v8$1@news.spamcop.net> Message-ID: <dlie3s$7e6$1@news.spamcop.net> Brian wrote: > All of the yahoo addresses are not valid, so I don't know about the > sting, unless yahoo was not informed. Two of the spam items use yahoo > only. The other addresses involved 'appear' to be valid still. While that seems to speak against the sting, it certainly doesn't speak for a joejob. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Nov 17 09:41:43 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 12:45:03 2005 Subject: [SpamCop-List] Re: announcement for our members References: <dlgb7l$uvt$1@news.spamcop.net> <dlgeif$1vg$1@news.spamcop.net> <dlgg0m$2sd$1@news.spamcop.net> <dlghhk$41e$1@news.spamcop.net> <dlgj3s$4ur$1@news.spamcop.net> <dlic6g$5v8$1@news.spamcop.net> Message-ID: <dlifco$86o$1@news.spamcop.net> Brian wrote: > All of the yahoo addresses are not valid, so I don't know about the > sting, unless yahoo was not informed. Two of the spam items use yahoo > only. The other addresses involved 'appear' to be valid still. OK, my next guess is that this is simply a spam, neither joejob nor sting. The reason the spammer won't get arrested is that the product isn't really kiddy pr0n, but 'bogus' ie youthful legal posers. That is, it /is/ real spam with an email addy payload, but it actually /isn't/ kiddy pr0n. Then, the alternate possibility to that is that it is a real spam with an email addy payload and the product actually is some kind of kiddy pr0n. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Nov 17 22:23:43 2005 From: nobody at spamcop.net (nospam) Date: Thu Nov 17 13:25:10 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <dlhbc4$hpc$1@news.spamcop.net> Message-ID: <BFA2B36E.16542%nobody@spamcop.net> in article dlhbc4$hpc$1@news.spamcop.net, Mike Easter at MikeE@ster.invalid wrote on 17/11/05 11:27 AM: > A mail which is addressed to your email address, not IP, is lost for > unknown reasons. Not rejected or bounced. Vanished. > > That has nothing to do with your IP being blocklisted by anything, > spamcop or otherwise. > > > In the normal sequence above, your dynamic IP could become a user IP > which had been blocklisted. Then, you would have your outgoing mail > blocked. > > In the completely different story, that lost mail has nothing to do with > any such blocklisting. Actually Mike it might very well, I deal with several ISP's and mail services that score mail for spammishness after accepting it and if it meets the spam score it gets vanished. Some of these ISP's use or score with SCBL. Trouble is they rarely tell. From tony at tonynelsonphoto.com Thu Nov 17 12:34:00 2005 From: tony at tonynelsonphoto.com (tnfoto) Date: Thu Nov 17 13:35:04 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> <dli8mi$443$1@news.spamcop.net> Message-ID: <dliieq$a1p$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dli8mi$443$1@news.spamcop.net... > tnfoto wrote: >> "Mike Easter" > >>> Here's a possibility for you. We're talking about a mail from >>> Customer to Photo which I've renamed from MNP. > >>>> Here's the basic situation. I have a website for my business (I'm a >>>> commercial photographer) hosted by Earthlink who gives me a number >>>> of email addresses at my site, i.e. myname@mynamephotography.com. >>>> I set it to forward email to my main email address at my home ISP >>>> which is a inexpensive local company that tells me they do not use >>>> Spamcop's service. Periodically, email coming to me gets blocked & >>>> bounces back to the sender. >>> >>> That is, a mail trying to make it from Customer to Photo and >>> forwarded on to homeISP gets 'bounced' [which might be a newmail >>> addressed to Customer, from the mail's From] >>> >>> The dirty bird [listed IP] in the route is/ could be/ the EL server. >>> The server using a blocklist is/ could be/ homeISP, which only >>> disavows SCbl, you didn't say they disavowed any kind of >>> blocklisting or rejecting or bouncing. >>> >>> So, one mechanism is the Customer or Customer's server being >>> blocklisted by homeISP, and the other mechanism is EL's server being >>> blocklisted by homeISP. > >> I think this is likely the scenario. First of all, my IP address IS >> on Spamcop's BL. That was easy enough to check. Here's the message >> I get with a few names & numbers changed to protect the innocent... >> >> myname@homeisp.net SMTP error from remote mailer after MAIL >> FROM:<myname@mynamephoto.com>: >> host mail.homeisp.net [209.173.xxx.xxx]: xxx 5.7.1 Mail from >> 207.217.xxx.xxx refused by blackhole site bl.spamcop.net RBL > > One of the things that is very aggravating about this situation is that > not only do you withhold very useful details which could be used to help > you, but you also change critical elements of the story. What is just > above this is your homeISPs server saying it is using spamcop's > blocklist, whereas earlier you distinctly said: > > tnfoto wrote: >> I set it to forward email to my main email address at my home ISP > which is a inexpensive local company that tells me they do not use > Spamcop's service. > > tnfoto then wrote: >> But, if it's mail FROM Photo server (EL) that's being blocked by home >> ISP server (and they're wrong about not using SC), wouldn't the net >> effect be that I don't receive any incoming mail? > > Yes. If you are using an EL IP which is on the SCbl to try to send > forwarded mail to homeISP and homeISP is using SCbl to reject mail, then > homeISP would reject the forwarded mail based on the forwarding IP. > > That is an ugly situation where you have chosen to forward using an IP > address which your own homeISP server is configured to reject. > > You should have some other arrangement. Either you should have your > homeISP whitelist what you are forwarding from, or you should not > forward to homeISP. > > A very important thing that you don't seem to understand is that you can > get immensely more help if we were talking about a real thing instead of > a description. > > OK, here goes. Understand that any contradiction is purely coming from my lack of vocabulary in this area. And lack of understanding of what I should be paranoid about. Getting tagged as a spammer kind of freaks me out. Here's the actual message: tnphoto@mninter.net SMTP error from remote mailer after MAIL FROM:<tony@tonynelsonphoto.com>: host mail.mninter.net [209.173.229.149]: 550 5.7.1 Mail from 207.217.120.247 refused by blackhole site bl.spamcop.net RBL mninter is the old name of my ISP, Pixius. My old email address stayed the same when they changed names though there is no ISP MNInter any more. tonynelsonphoto.com is my EL hosted site. Thanks, Tony > > -- > Mike Easter > kibitzer, not SC admin > From MikeE at ster.invalid Thu Nov 17 10:41:45 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 13:45:02 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <dlhbc4$hpc$1@news.spamcop.net> <BFA2B36E.16542%nobody@spamcop.net> Message-ID: <dliit9$ab7$1@news.spamcop.net> nospam wrote: > MikeE@ster.invalid >> A mail which is addressed to your email address, not IP, is lost for >> unknown reasons. Not rejected or bounced. Vanished. Let us be crystal clear here. The subject of the conversation is the *relationship* or correlation or common causality between the OP's unknown *outsending* IP addy being spamcop blocklisted as reported in a 'singular' instance by vblaw and how that relates to all email *TO* a particular domainname of the OP being lost, dropped on the floor, vanishing, intermittently and presently. >> In the completely different story, that lost mail has nothing to do >> with any such blocklisting. > > Actually Mike it might very well, No, it might and very well does not. > I deal with several ISP's and mail > services that score mail for spammishness after accepting it and if > it meets the spam score it gets vanished. Some of these ISP's use or > score with SCBL. The ability to vanish spammish mail or to use the SCbl or any other tools such as SA or other blocklists or country blocks or whatever to cause mail to be considered spammish and vanish has nothing to do with what I have tried to make crystal clear above. If you are having trouble receiving mail, it is *NOT* because your sending, outgoing IP is blocklisted. When your sending outgoing mail is characterized by a blocklisted IP, it causes you to have difficulty successfully *SENDING* not difficulty successfully *RECEIVING*. This confusion must be contagious or something. My fingers are getting weary. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Thu Nov 17 22:43:49 2005 From: nobody at spamcop.net (nospam) Date: Thu Nov 17 13:45:16 2005 Subject: [SpamCop-List] Re: people respond to this? References: <dleaph$qim$1@news.spamcop.net> <dlfqt5$lmj$1@news.spamcop.net> <BFA206B0.16522%nobody@spamcop.net> <dli8td$48d$1@news.spamcop.net> Message-ID: <BFA2B824.16543%nobody@spamcop.net> in article dli8td$48d$1@news.spamcop.net, jg at jg@coks.net wrote on 17/11/05 7:53 PM: > No doubt. > You didn't answer my earlier question on how one "leeches" out the info > you did. > Your input is appreciated. I didn't try, I think the OP was trying to say: visit the sites and allow yourself to be redirected to the payload and use netstat or some utility to discover where you wound up. All this using a hopefully safe browser and OS. But we'd best let the OP (me-no-no I think) elaborate From nobody at devnull.spamcop.net Thu Nov 17 12:46:18 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Nov 17 13:50:03 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <dlhbc4$hpc$1@news.spamcop.net> <BFA2B36E.16542%nobody@spamcop.net> <dliit9$ab7$1@news.spamcop.net> Message-ID: <dlij5q$an6$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dliit9$ab7$1@news.spamcop.net... > > This confusion must be contagious or something. My fingers are getting > weary. Maybe time to simply point to Miss Betsy's "Why am I Blocked?" FAQ entry and wait for a bit better question next time? Maybe the stumbling over the "How to ask a question" links might also have an impact on that next one? From nobody at devnull.spamcop.net Thu Nov 17 12:54:09 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Nov 17 13:55:02 2005 Subject: [SpamCop-List] Re: password issues References: <dl3q97$nll$1@news.spamcop.net> <dl4dld$37c$1@news.spamcop.net> <dl4gai$4ht$1@news.spamcop.net> <dl6teb$hvk$1@news.spamcop.net> <dl6un1$in1$1@news.spamcop.net> <dl8c5c$afj$1@news.spamcop.net> <dl8f7d$c5h$1@news.spamcop.net> <dl9c6g$v3c$1@news.spamcop.net> <dla9dq$g51$1@news.spamcop.net> <dlag2m$jnp$1@news.spamcop.net> <dlahmb$mjt$1@news.spamcop.net> <dlakvj$o49$1@news.spamcop.net> <dlat83$tvs$2@news.spamcop.net> <43798F50.16BD@xyzzy.claranet.de> Message-ID: <dlijkh$asr$1@news.spamcop.net> "Frank Ellermann" <nobody@xyzzy.claranet.de> wrote in message news:43798F50.16BD@xyzzy.claranet.de... > > Works fine from my POV. Of course I rarely look at the news > when there are no problems, and if there are problems I look > first in the NGs. I also hit the newsgroups prior to heading off to the Forum. Different posters, different views, different experiences .... > Wazoo's "green thumb" is also nice for a first impression of > the system state. And due to complaints about the link provided 'under' that graphic not working when www.spamcop.net was down (or having issues) I've changed that pointer to go to a "custom" page I built up to hold the cesmail images, such that the larger images are available no matter the state of the Parsing & Reporting system ... solving that long suggested off-site status monitor issue. From nobody at spamcop.net Thu Nov 17 22:59:40 2005 From: nobody at spamcop.net (nospam) Date: Thu Nov 17 14:00:03 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? digressing References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <dlhbc4$hpc$1@news.spamcop.net> <BFA2B36E.16542%nobody@spamcop.net> <dliit9$ab7$1@news.spamcop.net> Message-ID: <BFA2BBDB.16548%nobody@spamcop.net> in article dliit9$ab7$1@news.spamcop.net, Mike Easter at MikeE@ster.invalid wrote on 17/11/05 10:41 PM: > > When your sending outgoing mail is characterized by a blocklisted IP, it > causes you to have difficulty successfully *SENDING* not difficulty > successfully *RECEIVING*. Sorry, you are entirely correct.I was thinking of any receiving system,and in particular his. I'm not entirely sure EA knows exactly how mail is received by himself, and he is taking great pains not to tell us. And systems using dynamic BL's have successfully blocked themselves in the past. (they forgot to whitelist themselves) It's kinda funny when it happens. I can, for example force mail to another internal user or myself (at work) to go via the outside world by addressing the mail to users-ldap-alias [at] my-isp.tld (that address shouldn't work for anyone), internal mail would go to users_mail_account [at] location.my-isp.tld. Anyway we are digressing. From MikeE at ster.invalid Thu Nov 17 11:11:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 14:15:03 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> <dli8mi$443$1@news.spamcop.net> <dliieq$a1p$1@news.spamcop.net> Message-ID: <dlikki$bq4$1@news.spamcop.net> tnfoto wrote: > "Mike Easter" >> tnfoto wrote: >>> "Mike Easter" >>>>> Here's the basic situation. I have a website for my business >>>>> (I'm a commercial photographer) hosted by Earthlink who gives me >>>>> a number of email addresses at my site, i.e. >>>>> I set it to forward email to my main email address at my home ISP >> Yes. If you are using an EL IP which is on the SCbl to try to send >> forwarded mail to homeISP and homeISP is using SCbl to reject mail, >> then homeISP would reject the forwarded mail based on the forwarding >> IP. >> >> That is an ugly situation where you have chosen to forward using an >> IP address which your own homeISP server is configured to reject. >> >> You should have some other arrangement. Either you should have your >> homeISP whitelist what you are forwarding from, or you should not >> forward to homeISP. > OK, here goes. This is going to work a lot better. > Here's the actual message: > tnphoto@mninter.net > SMTP error from remote mailer after MAIL > FROM:<tony@tonynelsonphoto.com>: > host mail.mninter.net [209.173.229.149]: 550 5.7.1 Mail from > 207.217.120.247 refused by blackhole site bl.spamcop.net RBL Yes indeed. The EL output server, which has a daily magnitude of output with the large exponent of 6 is currently SCbl listed. It is also in other blocklists, but the SC one is the 'worst' -- and the cause for the SC listing is 'backscatter' or misdirected bounces -- a very bad server behavior because it is very bad for big busy output servers to get themselves blocklisted. Sometimes that kind of thing causes a dialog between a spamcop deputy and an EL admin -- except that usually EL is very incompetent about looking after some business it should take care of promptly instead of not at all. "In the past 209.2 days, it has been listed 11 times for a total of 11.5 days" and it will autodelist in 14 hours. > mninter is the old name of my ISP, Pixius. My old email address > stayed the same when they changed names though there is no ISP > MNInter any more. tonynelsonphoto.com is my EL hosted site. The names are only important for their historic value. Mail for mninter.net is handled by mail.mninter.net of Pixius Comm which has a NetRange: 209.173.192.0 - 209.173.239.255 CIDR: 209.173.192.0/19, 209.173.224.0/20 If your Pixius allows you to whitelist, you should fix this problem that way. If they don't, you shouldn't forward your EL handled mail to them. -- Mike Easter kibitzer, not SC admin From kenbrody at spamcop.net Thu Nov 17 14:11:12 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Thu Nov 17 14:15:20 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> <dli8mi$443$1@news.spamcop.net> <dliieq$a1p$1@news.spamcop.net> Message-ID: <437CD5D0.E8A11148@spamcop.net> tnfoto wrote: [...] > OK, here goes. Understand that any contradiction is purely coming from my > lack of vocabulary in this area. And lack of understanding of what I should > be paranoid about. Getting tagged as a spammer kind of freaks me out. > Here's the actual message: > tnphoto@mninter.net > SMTP error from remote mailer after MAIL > FROM:<tony@tonynelsonphoto.com>: > host mail.mninter.net [209.173.229.149]: 550 5.7.1 Mail from > 207.217.120.247 refused by blackhole site bl.spamcop.net RBL [...] Note: 207.217.120.247 is one of Earthlink's SMTP servers. http://www.spamcop.net/w3m?action=checkblock&ip=207.217.120.247 System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) SpamCop users have reported system as a source of spam less than 10 times in the past week It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it. It looks like Earthlink's mail server (which you use to send out e-mail) is misconfigured to "bounce" rather than "reject" bad e-mail. I believe that someone else explained earlier on the difference. You can also go to <http://www.spamcop.net/fom-serve/cache/329.html#bounces> to see the SpamCop's FAQ about this. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: <mailto:ThisIsASpamTrap@gmail.com> From MikeE at ster.invalid Thu Nov 17 11:16:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 14:20:03 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <dlhbc4$hpc$1@news.spamcop.net> <BFA2B36E.16542%nobody@spamcop.net> <dliit9$ab7$1@news.spamcop.net> <dlij5q$an6$1@news.spamcop.net> Message-ID: <dliktf$c6g$1@news.spamcop.net> WazoO wrote: > "Mike Easter" >> This confusion must be contagious or something. My fingers are >> getting weary. > > Maybe time to simply point to Miss Betsy's "Why am I > Blocked?" FAQ entry and wait for a bit better question > next time? That item isn't responsive to this situation. There isn't anything known to be blocked and blocked also isn't even the problem. I could be nonresponsive without causing someone to have to go search for evidence of a response where it wasn't. > Maybe the stumbling over the "How to ask a > question" links might also have an impact on that next one? I haven't found the perfect or even great how to ask a question to suit me yet either. There's a good 'essay' about how to ask a question, but it isn't designed for 'today's' typical encounter here or some other places either. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Thu Nov 17 20:17:04 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Thu Nov 17 14:20:19 2005 Subject: [SpamCop-List] Re: BT's MAILER-DAEMON References: <dldb43$95c$1@news.spamcop.net> <dldc4a$9t5$1@news.spamcop.net> <dldetn$bpg$1@news.spamcop.net> <437C623F.5A28@xyzzy.claranet.de> <dlicnd$6ie$1@news.spamcop.net> Message-ID: <437CD730.3216@xyzzy.claranet.de> Ellen wrote: > problem should be fixed now Thanks, no more BT bounces in the last nine hours... :-) From MikeE at ster.invalid Thu Nov 17 11:22:42 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 14:25:04 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> <dli8mi$443$1@news.spamcop.net> <dliieq$a1p$1@news.spamcop.net> Message-ID: <dlila1$ch7$1@news.spamcop.net> tnfoto wrote: > OK, here goes. BTW, if you had wanted to munge anything in this below, the usernames aren't at all useful for anything, whereas the domainnames and IPs are very useful in the evaluation. So a reasonable munge could be as below. It is also good for a munge to be 'self-evident' or if not, then described -- and it would be an extremely unusual situation to want or need to munge an IP address. I can't think of any offhand. > Here's the actual message: > munged@mninter.net > SMTP error from remote mailer after MAIL > FROM:<munged@tonynelsonphoto.com>: > host mail.mninter.net [209.173.229.149]: 550 5.7.1 Mail from > 207.217.120.247 refused by blackhole site bl.spamcop.net RBL -- Mike Easter kibitzer, not SC admin From tony at tonynelsonphoto.com Thu Nov 17 13:24:24 2005 From: tony at tonynelsonphoto.com (tnfoto) Date: Thu Nov 17 14:25:18 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> <dli8mi$443$1@news.spamcop.net> <dliieq$a1p$1@news.spamcop.net> <dlikki$bq4$1@news.spamcop.net> Message-ID: <dlild9$ci0$1@news.spamcop.net> Thanks to both of you. I'll start with Pixius. Some flunky at their customer service has told me they don't use Spamcop at all but clearly they must no know what they're talking about. "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlikki$bq4$1@news.spamcop.net... > tnfoto wrote: >> "Mike Easter" >>> tnfoto wrote: >>>> "Mike Easter" > >>>>>> Here's the basic situation. I have a website for my business >>>>>> (I'm a commercial photographer) hosted by Earthlink who gives me >>>>>> a number of email addresses at my site, i.e. > >>>>>> I set it to forward email to my main email address at my home ISP > >>> Yes. If you are using an EL IP which is on the SCbl to try to send >>> forwarded mail to homeISP and homeISP is using SCbl to reject mail, >>> then homeISP would reject the forwarded mail based on the forwarding >>> IP. >>> >>> That is an ugly situation where you have chosen to forward using an >>> IP address which your own homeISP server is configured to reject. >>> >>> You should have some other arrangement. Either you should have your >>> homeISP whitelist what you are forwarding from, or you should not >>> forward to homeISP. > >> OK, here goes. > > This is going to work a lot better. > >> Here's the actual message: >> tnphoto@mninter.net >> SMTP error from remote mailer after MAIL >> FROM:<tony@tonynelsonphoto.com>: >> host mail.mninter.net [209.173.229.149]: 550 5.7.1 Mail from >> 207.217.120.247 refused by blackhole site bl.spamcop.net RBL > > Yes indeed. The EL output server, which has a daily magnitude of output > with the large exponent of 6 is currently SCbl listed. It is also in > other blocklists, but the SC one is the 'worst' -- and the cause for the > SC listing is 'backscatter' or misdirected bounces -- a very bad server > behavior because it is very bad for big busy output servers to get > themselves blocklisted. > > Sometimes that kind of thing causes a dialog between a spamcop deputy > and an EL admin -- except that usually EL is very incompetent about > looking after some business it should take care of promptly instead of > not at all. "In the past 209.2 days, it has been listed 11 times for a > total of 11.5 days" and it will autodelist in 14 hours. Funny thing here is that it seems to relist me immediately. Not exactly sure but, each of the last 3 days, I've tested it in the morning and it seemed to be back in order but, 5 minutes later, will be blocked again. Anyway, I've got some more ammo here to work with and, if Pixius doesn't help me again, I'll know where to try next. I did read the misdirected bounce FAQ but wasn't clear on what was actully happening so I'll go through it again too. Thanks. > >> mninter is the old name of my ISP, Pixius. My old email address >> stayed the same when they changed names though there is no ISP >> MNInter any more. tonynelsonphoto.com is my EL hosted site. > > The names are only important for their historic value. Mail for > mninter.net is handled by mail.mninter.net of Pixius Comm which has a > NetRange: 209.173.192.0 - 209.173.239.255 > CIDR: 209.173.192.0/19, 209.173.224.0/20 > > If your Pixius allows you to whitelist, you should fix this problem that > way. If they don't, you shouldn't forward your EL handled mail to them. > > > -- > Mike Easter > kibitzer, not SC admin > From MikeE at ster.invalid Thu Nov 17 11:30:28 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 14:35:03 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> <dli8mi$443$1@news.spamcop.net> <dliieq$a1p$1@news.spamcop.net> <dlikki$bq4$1@news.spamcop.net> <dlild9$ci0$1@news.spamcop.net> Message-ID: <dlilok$cvd$1@news.spamcop.net> tnfoto wrote: > Thanks to both of you. I'll start with Pixius. Some flunky at their > customer service has told me they don't use Spamcop at all but > clearly they must no know what they're talking about. What is the advantage to you of forwarding tonynelsonphoto.com to Pixius? Mail to tonynelsonphoto.com is handled by EL's servers and I'm sure EL would put them into a mailbox for access by you. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Nov 17 11:40:28 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 14:45:09 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> <dli8mi$443$1@news.spamcop.net> <dliieq$a1p$1@news.spamcop.net> Message-ID: <dlimbb$dds$1@news.spamcop.net> tnfoto wrote: > tonynelsonphoto.com is my EL hosted site. What is a lot worse from a spam address exposure point of view is not the simple exposure of an addy here in the body of a news message in a specialty newsserver like spamcop, but you have naked mailto/s all over your site. Naked website mailto/s are the biggest source of spam that there is -- because the spambots harvest them so aggressively. You want someone who sees your site to be able to easily email you, but you don't want the spambots to scrape it. They go everywhere looking for the naked mailto. There are many sites which discuss countermeasures and configurations. Here is one with lots of links and easy alternatives http://spamlinks.net/prevent-spambots-hiding.htm Hiding from Spambots -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Nov 17 21:30:12 2005 From: nobody at devnull.spamcop.net (Gaetor) Date: Thu Nov 17 16:30:03 2005 Subject: [SpamCop-List] Oh DHost - I Wanna S*ck ya! Message-ID: <dlisoa$h8e$1@news.spamcop.net> Dhost you must be getting really excited posting all this cr*p in here, what a big boy you are. But you do make one point very clear. Spam and idiots can't be effectively addressed via this kind of forum or 'reporting'. Having spent the last week on an 'anti-spam' exercise I have found that there are one or three effective things one can do to remove idiots from ones own and ones client's in-boxes and they don't depend on S/W solutions (who needs Spam (or more often than not not-Spam) with the word "Spam" concatted onto it ... wow! that really helps ... auto-junking, filtering?? who wants to trust someone else's algorithm to decide what one should or shouldn't read? ISPs as a whole don't give a Sh*t and can't even be be bothered to recommend the use of their own anti-spam tools when queried on the problem - let alone try to use their leverage to face up to the problem. My friend Dhost here with the very small male parts would make a fine introduction to a legitimate enquirer coming to this group hoping to find relief from the torrent of cr*p they're getting in their inbox - Own up Amis, there is no 'Technical solution' to moronism - at least not one that can be applied remotely or virtually. makes one wish wish for a moderator. don't it guys? From MikeE at ster.invalid Thu Nov 17 14:27:59 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 17:30:03 2005 Subject: [SpamCop-List] A different EL email problem Message-ID: <dlj05e$ji6$1@news.spamcop.net> Here's yet another EL mail problem -- also one which those who are involved at SpamCop have a hard time communicating with EL about. A major EL output server is currently listed in the SpamCop blocklist. 207.217.120.247 rDNS ovenbird.mail.pas.earthlink.net is currently listed in the SpamCop blocklist That has a significant affect on some percentage of the hundreds of thousands of mails output by that server daily, like mine or yours. People and providers with servers which use popular blocklists such as spamcop's may be rejecting or delaying mail delivery from that server. SpamCop's system automatically delists when the spamming problem stops, but there is no guarantee the condition which is causing this problem will end any time soon, as it most likely results from a stupidly abusive configuration of the EL server/s. Here are some other tidbits from the listing: <snip> If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 22 hours. System has sent mail to SpamCop spam traps in the past week It appears this listing is caused by misdirected bounces. We have a FAQ which covers this topic: Why auto-responses are bad (Misdirected bounces). Please read this FAQ and heed the advice contained in it. http://www.spamcop.net/fom-serve/cache/329.html#bounces <ME: Do you really think some EL admin is going to read a helpful faq and take its advice?> In the past 209.3 days, it has been listed 11 times for a total of 11.6 days Other hosts in this "neighborhood" with spam reports 207.217.120.53 207.217.120.246 207.217.120.253 </snip> The problem with my/our provider doing a bad job of configuring its server/s so that the server performs abusively toward spam reporters and spamtraps, is that the resultant blocklisting adversely affects my/our/your mail's delivery. Some systems reject or block abusive servers so as to bounce the mailitem during the transaction, some other systems 'gray list' abusive sources so as to cause delays in the delivery of their mail, and some systems are in an unhealthy configuration which causes them to drop spamsource ie blocklisted mail on the floor so that it doesn't bounce, it simply disappears. When EL receives items it recognizes as spam, it doesn't bounce reject them to the sending IP. It accepts the item, and if the recipient's mailbox is configured in the default configuration, the recipient never sees the item so it effectively disappears. However, EL's servers must be doing something bad if the server is actually listed for backscatter. I can't investigate the actual cause, I don't have access to the evidence against the EL server causing the blocklisting. That 'losing' of your mail described above may be happening to your mail or my mail if our recipients handle EL's blocklisted server similarly to the way EL handles its default user mailboxes. -- Mike Easter kibitzer, not SC admin From nospam at dev.null Fri Nov 18 00:29:12 2005 From: nospam at dev.null (No Spam) Date: Thu Nov 17 17:30:20 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) In-Reply-To: <dlgmnl$76u$1@news.spamcop.net> References: <dlcin0$rvs$1@news.spamcop.net> <4379FB0B.5CCEC21F@spamcop.net> <dlgmnl$76u$1@news.spamcop.net> Message-ID: <dlj07q$jip$1@news.spamcop.net> Geoffrey Hyde wrote: > I wonder, since it's been sent to someone technically in Australia (me), if > it's worth my bother to forward it onto ASIO or some other anti-spam > government agency here? I'm not familiar with the anit-spam agencies in > Australia, or even if they exist. > ..snip.. > > Geoffrey Hyde > > Best place for 419's are http://419legal.org It is one of the better and actually working sites specializing in this :-) An official police site with public as members, really digging out info via mechanisms best not mentioned here. Also as members are law enforcement officials and legal parties from all over. Ciao From MikeE at ster.invalid Thu Nov 17 14:35:20 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 17:40:03 2005 Subject: [SpamCop-List] Re: A different EL email problem References: <dlj05e$ji6$1@news.spamcop.net> Message-ID: <dlj0j8$jvg$1@news.spamcop.net> Mike Easter wrote: > Here's yet another EL mail problem Mentally cancel that, since the cancel mechanism may not take any more for the spamcop newsserver. I tried to cancel it, we'll see. That particular missive was supposed to go to a different newsserver, namely the EL one, and to a ng specific to the EL newsservers, and specific to EL mail support, namely earthlink.support.email.. We've been ragging on the EL support newsgroup over several issues the last few days, and this output server is just one more thing I was giving them a hard time about. -- Mike Easter kibitzer, not SC admin From nospam at dev.null Fri Nov 18 00:39:48 2005 From: nospam at dev.null (No Spam) Date: Thu Nov 17 17:40:19 2005 Subject: [SpamCop-List] Re: *snurk* In-Reply-To: <dlgrsv$9oa$1@news.spamcop.net> References: <dlg212$pj7$1@news.spamcop.net> <dlgejk$1sg$2@news.spamcop.net> <dlgrsv$9oa$1@news.spamcop.net> Message-ID: <dlj0rm$k5m$1@news.spamcop.net> jg wrote: > On 11/16/2005 3:16 PM No Spam scribbled: > > >>... and that ladies and gentlemen answers JG's question >>"people respond to this?" >> >>:-) > > > No - but snurk gives me a clue, but I don't unix/php right now - bit > over my head, I'm afraid, as is your term leech in OP. No worries. Essentially "leeching" is sucking off a web page or pages without a browser. Idea is to not obey java scripts etc that can manipulate your browser, just in case there are any nasties hidden on the page. Other Unix/Linux tools ported to windows include "wget" which does something similar - not sure how safe though? You can also try http://www.samspade.org/t which has a safe URL browser (although htis does not work on this page) Essentially by doing this we read the code and instructions of the web page and do not display it. This allows us to see the web we are actually contacting (posting to). Cheers PS: Watch out for them dates ;-) From nobody at devnull.spamcop.net Thu Nov 17 16:53:00 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Thu Nov 17 17:55:07 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <dlhbc4$hpc$1@news.spamcop.net> <BFA2B36E.16542%nobody@spamcop.net> <dliit9$ab7$1@news.spamcop.net> <dlij5q$an6$1@news.spamcop.net> <dliktf$c6g$1@news.spamcop.net> Message-ID: <dlj1kc$kjp$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dliktf$c6g$1@news.spamcop.net... > WazoO wrote: > > "Mike Easter" > > >> This confusion must be contagious or something. My fingers are > >> getting weary. > > > > Maybe time to simply point to Miss Betsy's "Why am I > > Blocked?" FAQ entry and wait for a bit better question > > next time? > > That item isn't responsive to this situation. There isn't anything > known to be blocked and blocked also isn't even the problem. I could be > nonresponsive without causing someone to have to go search for evidence > of a response where it wasn't. Perspectives once again. The question made no sense, the 'explanation' made no sense .. so rather than trying to the hundredth time to explain, cajole, hint, point, whatever, point to something that documents the situation. Then deal with a (hopefully) more educated attempt at a question. > > Maybe the stumbling over the "How to ask a > > question" links might also have an impact on that next one? > > I haven't found the perfect or even great how to ask a question to suit > me yet either. There's a good 'essay' about how to ask a question, but > it isn't designed for 'today's' typical encounter here or some other > places either. Agreed, that's why I offer several links there, as a matter of fact. From nobody at devnull.spamcop.net Thu Nov 17 23:01:20 2005 From: nobody at devnull.spamcop.net (Gaetor) Date: Thu Nov 17 18:05:03 2005 Subject: [SpamCop-List] "Mike Easter,kibitzer, not SC admin" - you are a breath of fresh air in a fetid swamp Message-ID: <dlj236$l1p$1@news.spamcop.net> Mike, I'd like to say that reading through the postings you're a real mensch .. You're erudite, concerned and you go the extra mile to help people. I may be out of line here as I'm new to this anti-spam milarky, but I'm keen to learn and full of vim, so forgive a little 'youthful arrogance' if you will. But doesn't what you're saying again and again reinforce the concept that 'Anti-Spam S/W' 'Blacklists', 'Whitelists' ('Greylists' and 'NameYourFavoriteColourLists') are all (as Churchill said) 'mere fluff and flummery'. Without the major (and a significant number of the minor) service providers being forced to take the matter of Spam on board instead of fobbing everyone off with 'it's not our problem' at best - and ' use "BlockEveryThing.exe" - our favoured (and probably our commissioned and moneyEarning) solution of the week' - at worst, the real problem. Legislature has reacted both in the US and in Europe, as best as we can expect such dinosaur institutions to react to such dynamic problem in the space of time available. I'd like to see them do more, but I'd also like to see the community rise to this challenge effectively - and to have the support of the service providers who are caning in the cash after all- and to date are not stepping up effectively to to the challenge, not by a long way. From nobody at devnull.spamcop.net Thu Nov 17 18:04:40 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Thu Nov 17 18:05:19 2005 Subject: [SpamCop-List] Re: A different EL email problem References: <dlj05e$ji6$1@news.spamcop.net> <dlj0j8$jvg$1@news.spamcop.net> Message-ID: <dlj28m$l6e$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlj0j8$jvg$1@news.spamcop.net... > Mike Easter wrote: > > Here's yet another EL mail problem > > Mentally cancel that, since the cancel mechanism may not take any more > for the spamcop newsserver. I tried to cancel it, we'll see. > > That particular missive was supposed to go to a different newsserver, > namely the EL one, and to a ng specific to the EL newsservers, and > specific to EL mail support, namely earthlink.support.email.. > > We've been ragging on the EL support newsgroup over several issues the > last few days, and this output server is just one more thing I was > giving them a hard time about. > Well, good for you! I had to do a challenge/response for an Earthlink customer not too long ago. I never heard whether that person accepted my email or not. But then I got a password confirmation email (that really wasn't) from Earthlink (and it really was). Even though I whined about the c/r, they did give me an abuse number. But it may not be bounces, it might be c/r's Miss Betsy From MikeE at ster.invalid Thu Nov 17 15:25:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 18:30:04 2005 Subject: [SpamCop-List] Re: "Mike Easter,kibitzer, not SC admin" - you are a breath of fresh air in a fetid swamp References: <dlj236$l1p$1@news.spamcop.net> Message-ID: <dlj3gp$m3i$1@news.spamcop.net> Gaetor wrote: > But doesn't what you're saying > again and again reinforce the concept that 'Anti-Spam S/W' > 'Blacklists', 'Whitelists' ('Greylists' and > 'NameYourFavoriteColourLists') are all (as Churchill said) 'mere > fluff and flummery'. Au contraire. My personal client side spamfilter sorts virtually 100% of my email perfectly. I never see spam in my inbox and I turn off my provider's spamfilter which would be extremely leaky if used. Regarding my own mail, spam is not a problem. What spam? If I wanted, it, all spam to my mailbox, would all be nonexistent - disappeared. Instead of 'simply' making it disappear, I spend a few seconds putting feeding the corraled spam to SpamCop to enhance the SCbl blocklisting ability - those spams I submit contribute to the 3 million spamitems which go toward the SC blocklist each week. That huge database of spamsources and the huge popularity of the SCbl makes it an extremely powerful tool in spam management. Probably billions of emails daily are aided by the SCbl and other similarly important such tools. Those who subscribe to the spamcop mail and reporting service similarly have their spam 'eliminated' with or without such reporting facilitated as well. > Without the major (and a significant number of > the minor) service providers being forced to take the matter of Spam > on board instead of fobbing everyone off with 'it's not our problem' > at best - and ' use "BlockEveryThing.exe" - our favoured (and > probably our commissioned and moneyEarning) solution of the week' - > at worst, the real problem. I doubt that you could imagine a properly designed legislative solution to spam -- in fact, I doubt that you could imagine a proper legislative *definition* of spam, much less a reasonably enforced solution. Since you have an opinion about something -- I have 2 questions for you. How do you personally manage your Inbox re spam? What kind of imaginary legislation would you envision to be helpful in this regard. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Nov 17 18:29:39 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Thu Nov 17 18:30:19 2005 Subject: [SpamCop-List] Re: "Mike Easter,kibitzer, not SC admin" - you are a breath of fresh air in a fetid swamp References: <dlj236$l1p$1@news.spamcop.net> Message-ID: <dlj3nh$m8q$1@news.spamcop.net> It is only going to happen when enough end users (or all users ) of the Internet understand that the *sending* end is the only one who can be responsible for sending or not sending spam. If the end user chooses an incompetent, irresponsible, or greedy email provider, then s/he can't expect to have reliable email. So far, too many ISPs are concerned about keeping the customer happy (or in the case of the corporate world, the boss, happy) rather than 'educating' them to be grown ups in the internet world. Miss Betsy From MikeE at ster.invalid Thu Nov 17 15:35:52 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 18:40:03 2005 Subject: [SpamCop-List] Re: A different EL email problem References: <dlj05e$ji6$1@news.spamcop.net> <dlj0j8$jvg$1@news.spamcop.net> <dlj28m$l6e$1@news.spamcop.net> Message-ID: <dlj44n$mko$1@news.spamcop.net> Miss Betsy wrote: > Well, good for you! Good for me. > I had to do a challenge/response for an Earthlink customer not too > long ago. Realize that as bad as the general concept of challenge response might be, EL's configurable mail situation is not nearly as bad as some others, and in fact it is very very flexible. Theoretically, EL would not be challenging any spam. It would only be challenging unknown goodmail. All of the spam would have been eliminated from challenges by the EL spam recognition system. Also realize that those challenges can be completely eliminated altogether by the EL user who configures to manage suspect mail some other way than challenging. So an EL user can configure to do no spam filtering. Or they can configure to not have a suspect folder, and in fact that is the default configuration [medium]. Or they can configure [high] to have a suspect folder [not whitelisted, not spam] their suspect folder to not challenge. Or they can configure high to challenge suspect [default high] Unfortunately, EL's known spamfilter is leaky, so those who configure for high spamfiltering and leave the default challenging in place will be challenging spam along with unknown goodmail. I also strongly advise those EL users I converse with in support to manage their suspect folder without challenging. Spam definitely shouldn't be challenged, and I don't believe unknown goodmail should be either. > I never heard whether that person accepted my email or > not. If you responded to the challenge, the mail went into their mailbox. > But then I got a password confirmation email (that really > wasn't) from Earthlink (and it really was). Even though I whined > about the c/r, they did give me an abuse number. I don't understand those sentences. > But it may not be bounces, it might be c/r's -- Mike Easter kibitzer, not SC admin From jg at coks.net Thu Nov 17 15:45:01 2005 From: jg at coks.net (jg) Date: Thu Nov 17 18:45:07 2005 Subject: [SpamCop-List] Re: *snurk* In-Reply-To: <dlj0rm$k5m$1@news.spamcop.net> References: <dlg212$pj7$1@news.spamcop.net> <dlgejk$1sg$2@news.spamcop.net> <dlgrsv$9oa$1@news.spamcop.net> <dlj0rm$k5m$1@news.spamcop.net> Message-ID: <dlj4i8$muq$1@news.spamcop.net> On 11/17/2005 2:39 PM No Spam scribbled:> actually contacting (posting to). > > Cheers > > PS: Watch out for them dates ;-) Not to worry, I'm down at the pub playng snooker with Maria's hubby. I'll have to reinstall Sam Spade (just upped to w2000 pro). When I had it before, I never used that function. Effectively, you are saying the URL is bogus and relays to another site or else it isn't bogus and contains links to somewhere else - si? Thanks, I'll check it out... jg. From jg at coks.net Thu Nov 17 15:54:35 2005 From: jg at coks.net (jg) Date: Thu Nov 17 18:55:03 2005 Subject: [SpamCop-List] Re: people respond to this? In-Reply-To: <BFA2B824.16543%nobody@spamcop.net> References: <dleaph$qim$1@news.spamcop.net> <dlfqt5$lmj$1@news.spamcop.net> <BFA206B0.16522%nobody@spamcop.net> <dli8td$48d$1@news.spamcop.net> <BFA2B824.16543%nobody@spamcop.net> Message-ID: <dlj546$nc2$1@news.spamcop.net> On 11/17/2005 10:43 AM nospam scribbled: > in article dli8td$48d$1@news.spamcop.net, jg at jg@coks.net wrote on > 17/11/05 7:53 PM: > > >>No doubt. >>You didn't answer my earlier question on how one "leeches" out the info >>you did. >>Your input is appreciated. > > > I didn't try, I think the OP was trying to say: visit the sites and allow > yourself to be redirected to the payload and use netstat or some utility to > discover where you wound up. All this using a hopefully safe browser and OS. > > But we'd best let the OP (me-no-no I think) elaborate > 1.) OP elaborated and is is essentially as you assumed. 2.) using Firefox on windoze 2000 pro is probably safe enough for a quick peek should I desire but I really don't desire to tread there and use netstat - having just gotten into w2000. I'll use a 3rd party utility to do that should I need to - I'm sick of reading spam much less going to a site. Seems that is what needs to be done to uncover the layers, I'll leave that crappolas to you guys... From jg at coks.net Thu Nov 17 16:05:58 2005 From: jg at coks.net (jg) Date: Thu Nov 17 19:05:03 2005 Subject: [SpamCop-List] Re: Oh DHost - I Wanna S*ck ya! In-Reply-To: <dlisoa$h8e$1@news.spamcop.net> References: <dlisoa$h8e$1@news.spamcop.net> Message-ID: <dlj5ph$npa$1@news.spamcop.net> On 11/17/2005 1:30 PM Gaetor scribbled: > My friend Dhost here with the very small male parts would make a fine > introduction to a legitimate enquirer coming to this group hoping to > find relief from the torrent of cr*p they're getting in their inbox - > Own up Amis, there is no 'Technical solution' to moronism - at least not > one that can be applied remotely or virtually. makes one wish wish for a > moderator. don't it guys? Well, yeah, ya think? You mean there's no moderator to these groups? I was curious about the blatant posts. Sheesh, netscape maintains one or two, and they're effectively dead. (netscape, not the moderators)... From MikeE at ster.invalid Thu Nov 17 16:26:10 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 17 19:30:02 2005 Subject: [SpamCop-List] Re: "Mike Easter,kibitzer, not SC admin" - you are a breath of fresh air in a fetid swamp References: <dlj236$l1p$1@news.spamcop.net> <dlj3gp$m3i$1@news.spamcop.net> Message-ID: <dlj731$oj6$1@news.spamcop.net> Mike Easter wrote: > I doubt that you could imagine a properly designed legislative > solution to spam -- in fact, I doubt that you could imagine a proper > legislative *definition* of spam, much less a reasonably enforced > solution. That sounds more rude than I meant it to be. I was trying to emphasize the point about how difficult legislation and enforcement would be. > What kind of imaginary legislation would you envision to be helpful in > this regard. I'll roll out a few 'items' I believe that spam can be defined in some useful ways, but I also believe that there is a huge problem with defining spam and that that huge problem has been addressed by a number of fine legal scholars. A serious example done by David Sorkin some years ago for a law review journal appears here. http://www.sorkin.org/articles/usf.html Technical and Legal Approaches to Unsolicited Electronic Mail, So, spam can be characterized somewhat usefully, but it will most likely not be that the *world* or major geopolitical portions of it are going to agree with the typical points of view of many antispammers -- so don't think that the position taken by anti-/s is going to carry the day, anymore than the mailbox subscribers 'own' or rule the postal service vis junk mail instead of the bulk mail marketers. IMO, the 'airways' of the internet should be managed somewhat similarly to the way some broadcast frequency airwaves are managed. I say you can't go around 'transmitting' email at will without a license -- any more than a private pilot can transmit from hir airplane to the tower or air traffic control without a radio operator license. However easy it may be to obtain such a license, the important thing about it is that you have to have it, you can lose it, and for certain types of responsibilities, you can be fined and or suspended. So, I say you have to be licensed to transmit/send email. If you operate a little server, you have to have a license, like a private pilot has to have a radio license. If you are an ISP, you have to have a license. If you are a backbone or anything in between, you have to have a license. They all carry/transmit mail traffic. The US and the EU get together in the same kinds of ways they have gotten together about such international issues as air transport and the radio waves about that and figure out a plan for enforcing a few rules. The first rule doesn't have anything to do with spam definitions. The first rule is that you can't transmit any unlicensed trafffic. No spam issues. We just need to enforce the structure; and the way that the structure is enforced is that the backbones are the first ones that are leaned on to enforce against carrying any unlicensed traffic and the 2nd ones to be leaned on about carrying any unlicensed traffic is one big ISP and one medium size ISP and little ISP. Each of those has to figure out how they will prevent the carrying of any unlicensed traffic on their system. -- Mike Easter kibitzer, not SC admin From g.hyde at bigpond.net.au Fri Nov 18 10:30:51 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Nov 17 19:35:03 2005 Subject: [SpamCop-List] Re: Come to my site PLLLLLEEEEEEASSSSE !!! References: <dlhvu2$uc1$4@news.spamcop.net> Message-ID: <dlj7bv$on3$1@news.spamcop.net> [sarcasm] Welcome, newsgroup spammers will be dealt with just as soon as we can work out where your originating IP address actually is! [/sarcasm] Spammy's gonna learn that when it comes to getting his ar$e kicked, he came to exactly the right place!! -- Cheers ... Geoffrey Hyde "Dhost Admin" <info@dhosted.com> wrote in message news:dlhvu2$uc1$4@news.spamcop.net... Yo Im doing my m8 a favor coz he wantz me to advertize his new web hosting service. http://www.dhosted.com/ His web hosting is f_king great - I am getting paid to promote this web site so heres the url: http://www.dhosted.com/ Matt !! I dont give a shit i'm gona advertize here anyway : http://www.dhosted.com/ I am getting paid to promote this web site so heres the url: http://www.dhosted.com/ Here is my site : http://www.dhosted.com/ Matt !! I dont give a shit i'm gona advertize here anyway : I am getting paid to promote this web site so heres the url: http://www.dhosted.com/ I am getting paid to promote this web site so heres the url: http://www.dhosted.com/ I am getting paid to promote this web site so heres the url: http://www.dhosted.com/ Here is my site : http://www.dhosted.com/ Matt !! From nobody at devnull.spamcop.net Thu Nov 17 20:03:30 2005 From: nobody at devnull.spamcop.net (Pop) Date: Thu Nov 17 20:05:03 2005 Subject: [SpamCop-List] Re: blocked forwarding email References: <dlgckr$vq4$1@news.spamcop.net> <dlgi7f$4et$1@news.spamcop.net> <dli2rh$15q$1@news.spamcop.net> <dli8mi$443$1@news.spamcop.net> <dliieq$a1p$1@news.spamcop.net> <dlimbb$dds$1@news.spamcop.net> Message-ID: <dlj98v$pq2$1@news.spamcop.net> I realize this thread probably isn't finished yet, but ... I'd just like to say that dialogs such as these are very, very informational and does SC a very large good. I just got a mail from a friend I turned onto SC a few months back and, paraphrased, it says essentially "Holy sh_t, NOW I understand what a lot of those FAQs things are talking about!" I've left out the "who the heck's this ... " stuff & comments accordingly ;=} . Nothing like watching someone else's problems to learn things you can't yet experience yourself, eh? Pop "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlimbb$dds$1@news.spamcop.net... : tnfoto wrote: : > tonynelsonphoto.com is my EL hosted site. : : What is a lot worse from a spam address exposure point of view is not : the simple exposure of an addy here in the body of a news message in a : specialty newsserver like spamcop, but you have naked mailto/s all over : your site. : : Naked website mailto/s are the biggest source of spam that there is -- : because the spambots harvest them so aggressively. : : You want someone who sees your site to be able to easily email you, but : you don't want the spambots to scrape it. They go everywhere looking : for the naked mailto. : : There are many sites which discuss countermeasures and configurations. : Here is one with lots of links and easy alternatives : : http://spamlinks.net/prevent-spambots-hiding.htm Hiding from Spambots : : : -- : Mike Easter : kibitzer, not SC admin : From nospam at dev.null Fri Nov 18 04:40:17 2005 From: nospam at dev.null (No Spam) Date: Thu Nov 17 21:45:03 2005 Subject: [SpamCop-List] Re: people respond to this? In-Reply-To: <dli8td$48d$1@news.spamcop.net> References: <dleaph$qim$1@news.spamcop.net> <dlfqt5$lmj$1@news.spamcop.net> <BFA206B0.16522%nobody@spamcop.net> <dli8td$48d$1@news.spamcop.net> Message-ID: <dljeuj$sip$1@news.spamcop.net> jg wrote: > On 11/16/2005 10:06 PM nospam scribbled: > >>Even during the heady dotcom boom, I'd say a major portion of registrar >>profits came from domain parkers, or the effective extortion by domain >>parkers of business owners. That whole business sector is full of >>sleazeballs. >> >>The public seems to be becoming aware of this and that's why business on >>the web is suffering stunted growth these days. >> > > > No doubt. > You didn't answer my earlier question on how one "leeches" out the info > you did. > Your input is appreciated. > > tnx, > jg Confusius reigns supreme... "No Spam" is me, "nospam: is not :-) Serach for "wget win32" and look for a binary on the internet. Use this utility as: C:\tmp>\bin\wget http://nearbygirls.com/hot/ --04:31:24-- http://nearbygirls.com/hot/ => `index.html' Unfortunately link is now dead. But that will donwload the page for you. Now use an editor such as wordpad (I will not suggest vi.exe since this is a Unix editor :-) or UltraEdit or like to view. Alternatively Netdemon make a nice windows toolset: http://www.netdemon.net/ (good option for windows - simple yet effective, nice other net tools as well. Needs some tweaking though. Used to use it on windoze) This have an option to "web browse: which download the page into a text window. Many other ways exist ... I think the samspade tools has something similar..??? Cheers From crassusdevnullAThal at peeceedotorg.null.boink.plonk Fri Nov 18 03:10:03 2005 From: crassusdevnullAThal at peeceedotorg.null.boink.plonk (Michael Brennan) Date: Fri Nov 18 04:15:03 2005 Subject: [SpamCop-List] Re: Odd Source Line References: <437473EE.1475A8D3@Spamcop.net.dev.null> <dl2f30$13k$1@news.spamcop.net> <dl2moq$567$1@news.spamcop.net> <dl307h$a5g$1@news.spamcop.net> Message-ID: <437D9A6B.301BFD74@peeceedotorg.null.boink.plonk> Mike Easter wrote: > <snip> > > I was being facetious, sarcastic, ironic. > <snip> I asked a straight question. Never mind then. Michael From MikeE at ster.invalid Fri Nov 18 02:11:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 18 05:15:52 2005 Subject: [SpamCop-List] Re: Odd Source Line References: <437473EE.1475A8D3@Spamcop.net.dev.null> <dl2f30$13k$1@news.spamcop.net> <dl2moq$567$1@news.spamcop.net> <dl307h$a5g$1@news.spamcop.net> <437D9A6B.301BFD74@peeceedotorg.null.boink.plonk> Message-ID: <dlk9cv$a06$1@news.spamcop.net> Michael Brennan wrote: > Mike Easter wrote: >> I was being facetious, sarcastic, ironic. I was being facetious, sarcastic, ironic in my remark about the 'importance' of my own ROT 13 encryption of the insignificant cryptic recurrent spamtext in question. > I asked a straight question. Well, you asked a question. You can characterize it how you like. > Never mind then. OK. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Fri Nov 18 12:05:27 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Nov 18 06:10:04 2005 Subject: [SpamCop-List] Re: "Mike Easter,kibitzer, not SC admin" - you are a breath of fresh air in a fetid swamp References: <dlj236$l1p$1@news.spamcop.net> Message-ID: <slrndnrdbn.ep0.nobody@127.0.0.1> On Thu, 17 Nov 2005 23:01:20 +0000, Gaetor coughed into spamcop and left this in <dlj236$l1p$1@news.spamcop.net>: > Legislature has reacted both in the US and in Europe, as best as we > can expect such dinosaur institutions to react to such dynamic problem > in the space of time available. Translation: they've done sweet FA. US legislation was bought by the DMA (Direct Marketing Association) with results absolutely predictable given who bought it. All CAN-SPAM has done is legalise a subset of spam and remove individuals' rights of action against spammers for the rest. Fat lot of good that is. In Europe the laws are toothless. For example, in the UK, only private mailboxes are protected while it is now perfectly legal to spam the crap out of business mailboxes. In France, confirmed opt-in is now mandatory but nobody enforces it, and French-run websites have to state who is hosting the site in their "legal information" page - like that's going to help prevent spamming, and can't anyone do a whois on the IP address anyway? What about elsewhere? How are CAN-SPAM and EU laws going to affect someone in, say, China, S. Korea, Brazil or Russia? As long as there are providers like CNC, kornet, telemar, MCI, savvis and SBC who don't care what their clients do as long as the bill is paid at the end of the month, you're not going to make a dent in the problem. In short, don't expect any anything remotely worthwhile ever to come from legislation. Legislation is made by people who have secretaries to wade through the junk mail at work and to give them printouts, and who probably don't even have a computer at home, let alone e-mail access, and who therefore don't have the faintest idea of what spam is (or probably what e-mail is for that matter) and what kind of a problem it really poses. And when you have slimy organisations paying politicians to vote this way or that way, the end result is completely skewed and bears no resemblance to what people really want. Nor is there currently any reason why this situation should change. As long as lawmakers are kept isolated from the problem, they can't see it for what it is, and quite frankly they have more important things to do, like running a country while getting rich on various gravy trains. So, there is no incentive for spammers to pack up shop and do something useful. No laws really prohibit them from spamming and they have spam- friendly providers - or they even organise themselves to become spam- friendly providers themselves (tekcom.ru). Next, as long as there are people using bootleg copies of MS-Windows out there who are scared to connect to windowsupdate.microsoft.com and pull down security patches (or are too ignorant to do it), who don't run an up-to-date antivirus (that costs money, like Windows itself, right?), who don't use an adequate firewall and who don't practise safe hex (like going to dodgy-looking pr0n sites with IE, all barriers down), there will be millions of vulnerable machines on the 'Net that spammers can use to send out their crud at zero cost, while transferring responsibility for the mess to the ISPs of the 0wn3d machines' rightful owners. I can't see this changing soon either. For that to change, everyone would need to acquire $clue suddenly (yeah, right) and/or Microsoft would have to produce a version of IE/Windows that wasn't a security Swiss cheese (yeah, right). So, not only do spammers have no real incentinve to do something legitimate, they also have a cost-effective way to do their damage *and* to have someone else left holding the bag. Speaking of responsibility, where does it really end up? The spammers transfer the responsibility to the ISPs connecting the zombie armies to the 'Net, but what do these ISPs do with it? Nothing. Most consumer ISPs spend their time lowering the cost of the subscription, meaning that there's no money to pay for competent and motivated abuse staff. I know of at least one ISP where there *is* no abuse staff, period. What next? Next in line are the ISPs whose subscribers are the recipients of the spam, because it is they who have control over the mail servers. They know that users don't like spam, so maybe they're willing to pay to have it filtered out? What a great idea! Let's fleece the users for spam protection *and* reduce bandwitch costs because we'll be rejecting 90% of inbound mail! Yes, but what about user xyz who sued us last month because we rejected mail from his grandmother with instructions on how to feed the goldfish, which croaked because the stupid kid mistook rat poison for goldfish food? Oh, crap, you're right. We don't have the money for this. Let's tell the users that we, ahem... "value their right to choose", and let them deal with it. That's why end users are left having to deal with the problem. If you, if *anyone*, can think of a way to change the current situation, then please let us (tinu) know! -- Steve There are three types of people in this world: - Those who can count - Those who can't -- Walter Dnes in NANAE, 2003-JUL-26. From nobody at xyzzy.claranet.de Fri Nov 18 13:14:27 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 18 07:15:07 2005 Subject: [SpamCop-List] Re: Oh DHost - I Wanna S*ck ya! References: <dlisoa$h8e$1@news.spamcop.net> Message-ID: <437DC5A3.2D10@xyzzy.claranet.de> Gaetor wrote: > Dhost you must be getting really excited posting all this > cr*p in here, I doubt it. S/h/it also posted in GMaNe's "junk", and here in all groups incl. "test". Stupid bot - actually a botnet, the IPs were all different from various ISPs. Bye, Frank From nobody at xyzzy.claranet.de Fri Nov 18 13:26:02 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Fri Nov 18 07:30:03 2005 Subject: [SpamCop-List] Re: A different EL email problem References: <dlj05e$ji6$1@news.spamcop.net> Message-ID: <437DC85A.2C5B@xyzzy.claranet.de> Mike Easter wrote: > <ME: Do you really think some EL admin is going to read a > helpful faq and take its advice?> Their boss proudly posts worldwide that they don't understand SPF. At least they don't use what they don't understand, which won't help them to avoid bogus bounces, but with some minimal clue there are other ways to reduce backscatter. Bye, Frank From nobody at spamcop.net Fri Nov 18 12:43:14 2005 From: nobody at spamcop.net (I Hate Spam) Date: Fri Nov 18 07:40:02 2005 Subject: [SpamCop-List] Why Is 69.64.171.20 not listed? Message-ID: <dlki2u$e99$1@news.spamcop.net> Why Is 69.64.171.20 not listed? I see three separate reports, all for eBay phishing. This IP should be listed to protect other people. From nobody at spamcop.net Fri Nov 18 12:44:58 2005 From: nobody at spamcop.net (I Hate Spam) Date: Fri Nov 18 07:45:03 2005 Subject: [SpamCop-List] Re: Why Is 69.64.171.20 not listed? References: <dlki2u$e99$1@news.spamcop.net> Message-ID: <dlki68$ec8$1@news.spamcop.net> Phishing site is http://69.56.150.48/~wayne/edgarpaulalan/ And yes it has been larted. From nobody at spamcop.net Fri Nov 18 12:46:56 2005 From: nobody at spamcop.net (I Hate Spam) Date: Fri Nov 18 07:45:17 2005 Subject: [SpamCop-List] Re: Why Is 69.64.171.20 not listed? References: <dlki2u$e99$1@news.spamcop.net> <dlki68$ec8$1@news.spamcop.net> Message-ID: <dlki9t$ecj$1@news.spamcop.net> "I Hate Spam" <nobody@spamcop.net> wrote in message news:dlki68$ec8$1@news.spamcop.net... > Phishing site is http://69.56.150.48/~wayne/edgarpaulalan/ > And yes it has been larted. > > Sorry just spotted the other two reporters were moles. Shows what a waste ot time being a mole is! From nobody at devnull.spamcop.net Fri Nov 18 08:20:58 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Fri Nov 18 08:25:03 2005 Subject: [SpamCop-List] Re: A different EL email problem References: <dlj05e$ji6$1@news.spamcop.net> <dlj0j8$jvg$1@news.spamcop.net> <dlj28m$l6e$1@news.spamcop.net> <dlj44n$mko$1@news.spamcop.net> Message-ID: <dlkke7$fmf$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlj44n$mko$1@news.spamcop.net... <snip> > > I never heard whether that person accepted my email or > > not. > > If you responded to the challenge, the mail went into their mailbox. It seems only good manners that if one challenged an email and accepted the challenge that they would reply. I have no confirmation that they did accept it (the way the form was written, it sounded as though they would have a choice of whether to accept it or mark it for blacklisting) I guess the next time I have an opportunity to email that address, I will find out. > > But then I got a password confirmation email (that really > > wasn't) from Earthlink (and it really was). Even though I whined > > about the c/r, they did give me an abuse number. > > I don't understand those sentences. > I got an email that said that it was an Earthlink password confirmation in the subject line - only it wasn't - though it didn't seem to be selling anything. I reported it to Earthlink (since it did come from an Earthlink IP address). I told them I didn't like the c/r and suspected that since the c/r was my last communication with Earthlink that the two unexpected emails were connected. Some abuse desks ignore abuse reports with criticism in them, however Earthlink did reply with an abuse report number. And I have not gotten any more suspect email from Earthlink (BTW, I do not receive very much spam on this email address - occasionally a [x] and very, very rarely one that advertises something else. I suspect that it was picked up by a virus rather than being harvested because it can no longer be harvested from a public site. It was, for a while, available in a file that had to be viewed with something like adobe, but then I only got Nigerian scam which I no longer get. And it was after a particularly long virus attack that the other spam started showing up.) And despite the fact that Earthlink tries to make the c/r only to real email, it still is possible that some of them are going to 'innocent' people who would report them as spam and get the c/r address on the blocklist. Particularly if the end user does not understand how to configure the filters. Does that make it any clearer? Miss Betsy From mark at nospam.com Fri Nov 18 08:44:57 2005 From: mark at nospam.com (mark) Date: Fri Nov 18 08:45:03 2005 Subject: [SpamCop-List] SpamCop Blocking SalesForce.com Message-ID: <dlklsq$gc6$1@news.spamcop.net> Why is SalesForce.com getting blocked? 204.14.234.14 --- CHECK -- BELOW --- Query bl.spamcop.net - 204.14.234.14 204.14.234.14 not listed in bl.spamcop.net --- BLOCK --- BELOW --- The following message to <good user> was undeliverable. The reason for the problem: 5.1.0 - Unknown address error 554-'Service unavailable; [204.14.234.14] blocked using bl.spamcop.net, reason: Blocked - see http://www.spamcop.net/bl.shtml?204.14.234.14' From nobody at spamcop.net Fri Nov 18 08:58:03 2005 From: nobody at spamcop.net (Anti-Spam) Date: Fri Nov 18 09:00:04 2005 Subject: [SpamCop-List] Re: SpamCop Blocking SalesForce.com References: <dlklsq$gc6$1@news.spamcop.net> Message-ID: <dlkmmt$h1j$1@news.spamcop.net> "mark" <mark@nospam.com> wrote in message news:dlklsq$gc6$1@news.spamcop.net... > Why is SalesForce.com getting blocked? 204.14.234.14 > > --- CHECK -- BELOW --- > > Query bl.spamcop.net - 204.14.234.14 > 204.14.234.14 not listed in bl.spamcop.net > > > --- BLOCK --- BELOW --- > > The following message to <good user> was undeliverable. > > The reason for the problem: > > 5.1.0 - Unknown address error 554-'Service unavailable; [204.14.234.14] > blocked using bl.spamcop.net, reason: Blocked - see > http://www.spamcop.net/bl.shtml?204.14.234.14' > 204.14.234.14 is not on currently on the Spamcop block list. One issue often seen in this newsgroup is the fact that a lot of servers are poorly configured, and tell people they're using one block list when its really another. <http://www.spamcop.net/w3m?action=checkblock&ip=204.14.234.14> -- Bring in the death penalty for repeat spammers. Non-functional spambait addr: theg@ojxoikolt.com (generated by Webpoison) From MikeE at ster.invalid Fri Nov 18 07:18:41 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 18 10:20:04 2005 Subject: [SpamCop-List] Re: SpamCop Blocking SalesForce.com References: <dlklsq$gc6$1@news.spamcop.net> Message-ID: <dlkrch$jlh$1@news.spamcop.net> mark wrote: > Why is SalesForce.com getting blocked? 204.14.234.14 > Query bl.spamcop.net - 204.14.234.14 > 204.14.234.14 not listed in bl.spamcop.net Which says that the IP isn't currently blocked. The history of currently unblocked IPs is no longer accessible to the public > [204.14.234.14] blocked using bl.spamcop.net, reason: Blocked - see > http://www.spamcop.net/bl.shtml?204.14.234.14' If that message is correct, and its form is healthier than some such messages which are not correct, then the IP was listed at the time the message was blocked, but since that time SC's automatic delisting process has delisted it. The IP has recently had some enormous mail output activity compared to its usual. I would wonder why that was: Senderbase keeps up with how many queries there are about an IP which can translate to a rough index of how much much mail output it has, which they express in orders of magnitude, like an exponent Report on IP address: 204.14.234.14 Volume Statistics for this IP Magnitude Vol Change vs. Average Last day 4.9 25588% Last 30d 3.3 702% Average 2.4 <use monofont for columns> Which results are roughly like saying that the IP usually puts out about 250 items per day, but its average over the last 30 days has been about 2000 per day and its average over the last day has been about 80,000 per day. You should wonder what is going on there. Whatever made it put out huge amounts of mail may have caused it to get blocklisted, but now it isn't. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Nov 18 07:25:45 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 18 10:30:04 2005 Subject: [SpamCop-List] Re: Why Is 69.64.171.20 not listed? References: <dlki2u$e99$1@news.spamcop.net> Message-ID: <dlkrpp$js1$1@news.spamcop.net> I Hate Spam wrote: > Why Is 69.64.171.20 not listed? 69.64.171.20 listed in bl.spamcop.net it will be delisted automatically in approximately 19 hours has been listed for less than 24 hours 69.64.171.20 is an mx ( 10 ) for pogg.net SpamCop users have reported system -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Nov 18 07:30:14 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 18 10:35:03 2005 Subject: [SpamCop-List] Re: SpamCop Blocking SalesForce.com References: <dlklsq$gc6$1@news.spamcop.net> <dlkrch$jlh$1@news.spamcop.net> Message-ID: <dlks26$k47$1@news.spamcop.net> Mike Easter wrote: > Which says that the IP isn't currently blocked. The history of > currently unblocked IPs is no longer accessible to the public Bad language. Which says that the IP isn't currently *listed* [not blocked]. The history of currrently unlisted IPs is no longer accessible to the public. The SCbl *lists* -- it doesn't block. >> [204.14.234.14] blocked using bl.spamcop.net, reason: That says the recipient server blocked /using/ -- thus the SCbl lists, the recipient blocks. The server's automessage text was better language than mine. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Nov 18 07:37:13 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 18 10:40:02 2005 Subject: [SpamCop-List] Re: Oh DHost - I Wanna S*ck ya! References: <dlisoa$h8e$1@news.spamcop.net> <dlj5ph$npa$1@news.spamcop.net> Message-ID: <dlksf9$kdt$1@news.spamcop.net> jg wrote: > You mean there's no moderator to these groups? Who the hell would want to moderate a news server or newsgroup? Even a robomoderator needs care and attendance, and the types of abuse which occur to the SC ng/s from open proxy abuse would be impossible to proactively moderate. There are some strategies by which you could make the ng/s more restrictive, but the cure would be worse than the disease -- just like taking away the cancel function as a strategy for ng misbehavior management comes at its own price. The best condition for newsgroups is pretty loose. -- Mike Easter kibitzer, not SC admin From jg at coks.net Fri Nov 18 08:08:34 2005 From: jg at coks.net (jg) Date: Fri Nov 18 11:10:03 2005 Subject: [SpamCop-List] Re: Oh DHost - I Wanna S*ck ya! In-Reply-To: <dlksf9$kdt$1@news.spamcop.net> References: <dlisoa$h8e$1@news.spamcop.net> <dlj5ph$npa$1@news.spamcop.net> <dlksf9$kdt$1@news.spamcop.net> Message-ID: <dlku6c$loc$1@news.spamcop.net> On 11/18/2005 7:37 AM Mike Easter scribbled: > jg wrote: > > >>You mean there's no moderator to these groups? > > > Who the hell would want to moderate a news server or newsgroup? Even a > robomoderator needs care and attendance, and the types of abuse which > occur to the SC ng/s from open proxy abuse would be impossible to > proactively moderate. > > There are some strategies by which you could make the ng/s more > restrictive, but the cure would be worse than the disease -- just like > taking away the cancel function as a strategy for ng misbehavior > management comes at its own price. > > The best condition for newsgroups is pretty loose. > > Well, actually, I thought it /was/ monitored due to the /lack/ of such crap (beyond mindless spamme requests). I can see your point, however... From jg at coks.net Fri Nov 18 08:13:11 2005 From: jg at coks.net (jg) Date: Fri Nov 18 11:15:04 2005 Subject: [SpamCop-List] Re: "Mike Easter,kibitzer, not SC admin" - you are a breath offresh air in a fetid swamp In-Reply-To: <dlj731$oj6$1@news.spamcop.net> References: <dlj236$l1p$1@news.spamcop.net> <dlj3gp$m3i$1@news.spamcop.net> <dlj731$oj6$1@news.spamcop.net> Message-ID: <dlkuf0$loc$2@news.spamcop.net> On 11/17/2005 4:26 PM Mike Easter scribbled: > Mike Easter wrote: > > >>I doubt that you could imagine a properly designed legislative >>solution to spam -- in fact, I doubt that you could imagine a proper >>legislative *definition* of spam, much less a reasonably enforced >>solution. > > > That sounds more rude than I meant it to be. I was trying to emphasize > the point about how difficult legislation and enforcement would be. > > You're wrong in thinking you were rude - you were not at all - unless being correct is rudeness... From MikeE at ster.invalid Fri Nov 18 08:32:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Fri Nov 18 11:35:05 2005 Subject: [SpamCop-List] Re: "Mike Easter,kibitzer, not SC admin" - you are a breath of fresh air in a fetid swamp References: <dlj236$l1p$1@news.spamcop.net> <dlj3gp$m3i$1@news.spamcop.net> <dlj731$oj6$1@news.spamcop.net> <dlkuf0$loc$2@news.spamcop.net> Message-ID: <dlkvm2$n21$1@news.spamcop.net> jg wrote: > Mike Easter : >> Mike Easter: >> >>> I doubt that you could imagine >> That sounds more rude than I meant it to be > You're wrong in thinking you were rude - you were not at all - unless > being correct is rudeness... It didn't feel rude when I was writing it, but when I read it, it sounded somewhat like I was challenging the person's 'competency' to be able to think of some solution ideas. And, the internet is full of the next great idea about what to do about spam. There are a lot of things I don't like about my own spiel about licensing smtp emissions and transmissions. -- Mike Easter kibitzer, not SC admin From jg at coks.net Fri Nov 18 09:08:46 2005 From: jg at coks.net (jg) Date: Fri Nov 18 12:10:03 2005 Subject: [SpamCop-List] internap.com Message-ID: <dll1n8$o4p$1@news.spamcop.net> This ISP is relatively new (to me) in my reports. I suppose I could try and find stats within SC space but am running off right now. Can anyone say which hat these guys wear? Thanks, jg From nobody at spamcop.net Fri Nov 18 17:11:40 2005 From: nobody at spamcop.net (I Hate Spam) Date: Fri Nov 18 12:10:17 2005 Subject: [SpamCop-List] Re: Why Is 69.64.171.20 not listed? References: <dlki2u$e99$1@news.spamcop.net> <dlkrpp$js1$1@news.spamcop.net> Message-ID: <dll1q9$o9r$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlkrpp$js1$1@news.spamcop.net... >I Hate Spam wrote: >> Why Is 69.64.171.20 not listed? > > 69.64.171.20 listed in bl.spamcop.net > it will be delisted automatically in approximately 19 hours > has been listed for less than 24 hours > 69.64.171.20 is an mx ( 10 ) for pogg.net > SpamCop users have reported system > > > -- > Mike Easter > kibitzer, not SC admin I see that now. Shame it took so long to get listed. I hope not too many people were fooled by the phish From nobody at nowhere.invalid Fri Nov 18 18:33:40 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Fri Nov 18 12:35:02 2005 Subject: [SpamCop-List] Re: internap.com References: <dll1n8$o4p$1@news.spamcop.net> Message-ID: <slrndns43k.lq9.nobody@127.0.0.1> On Fri, 18 Nov 2005 09:08:46 -0800, jg coughed into spamcop and left this in <dll1n8$o4p$1@news.spamcop.net>: > This ISP is relatively new (to me) in my reports. I suppose I could try > and find stats within SC space but am running off right now. > Can anyone say which hat these guys wear? Dark black. http://groups.google.com/group/news.admin.net-abuse.email/search?q=internap&start=0&scoring=d& -- Steve Light travels faster than sound. That is why some people appear bright until you hear them speak. From nobody at devnull.spamcop.net Fri Nov 18 14:07:14 2005 From: nobody at devnull.spamcop.net (Glenn Daniels) Date: Fri Nov 18 14:10:06 2005 Subject: [SpamCop-List] Re: Why Is 69.64.171.20 not listed? References: <dlki2u$e99$1@news.spamcop.net> <dlkrpp$js1$1@news.spamcop.net> <dll1q9$o9r$1@news.spamcop.net> Message-ID: <dll8o1$rla$1@news.spamcop.net> "I Hate Spam" wrote: > "Mike Easter" <MikeE@ster.invalid> wrote in message > news:dlkrpp$js1$1@news.spamcop.net... > >I Hate Spam wrote: > >> Why Is 69.64.171.20 not listed? > > > > 69.64.171.20 listed in bl.spamcop.net > > it will be delisted automatically in approximately 19 hours > > has been listed for less than 24 hours > > 69.64.171.20 is an mx ( 10 ) for pogg.net > > SpamCop users have reported system > > ... > I see that now. > Shame it took so long to get listed. > I hope not too many people were fooled by the phish > Hmmm... There is no phishing site at that URL at 2:00 PM EST. No way from here to know how long the site has been gone, but not much chance of anyone being fooled by a blank page. -g From wb8tyw at qsl.network Fri Nov 18 17:39:59 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri Nov 18 17:40:04 2005 Subject: [SpamCop-List] Re: SpamCop Blocking SalesForce.com In-Reply-To: <dlkrch$jlh$1@news.spamcop.net> References: <dlklsq$gc6$1@news.spamcop.net> <dlkrch$jlh$1@news.spamcop.net> Message-ID: <dlll80$h50$1@news.spamcop.net> Mike Easter wrote: > mark wrote: > >>Why is SalesForce.com getting blocked? 204.14.234.14 > > >>Query bl.spamcop.net - 204.14.234.14 >>204.14.234.14 not listed in bl.spamcop.net > > > Which says that the IP isn't currently blocked. The history of > currently unblocked IPs is no longer accessible to the public > > >>[204.14.234.14] blocked using bl.spamcop.net, reason: Blocked - see >>http://www.spamcop.net/bl.shtml?204.14.234.14' > > > If that message is correct, and its form is healthier than some such > messages which are not correct, then the IP was listed at the time the > message was blocked, but since that time SC's automatic delisting > process has delisted it. > > The IP has recently had some enormous mail output activity compared to > its usual. I would wonder why that was: Unwrap the URL: http://groups.google.com/group/news.admin.net-abuse.sightings /browse_thread/thread/df3f9a6e6d369fbb/38718a524a88fc7e -John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Fri Nov 18 18:28:23 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Fri Nov 18 18:30:05 2005 Subject: [SpamCop-List] Re: "Mike Easter,kibitzer, not SC admin" - you are a breath of fresh air in a fetid swamp References: <dlj236$l1p$1@news.spamcop.net> <dlj3gp$m3i$1@news.spamcop.net> <dlj731$oj6$1@news.spamcop.net> <dlkuf0$loc$2@news.spamcop.net> Message-ID: <dllo14$ilf$1@news.spamcop.net> "jg" <jg@coks.net> wrote in message news:dlkuf0$loc$2@news.spamcop.net... <snip> > You're wrong in thinking you were rude - you were not at all - unless > being correct is rudeness... Lots of ignorant people think it is. Miss Betsy an almost new internet user From nobody at devnull.spamcop.net Fri Nov 18 18:30:11 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Fri Nov 18 18:30:27 2005 Subject: [SpamCop-List] Re: Oh DHost - I Wanna S*ck ya! References: <dlisoa$h8e$1@news.spamcop.net> <dlj5ph$npa$1@news.spamcop.net> <dlksf9$kdt$1@news.spamcop.net> <dlku6c$loc$1@news.spamcop.net> Message-ID: <dllo4g$im5$1@news.spamcop.net> "jg" <jg@coks.net> wrote in message news:dlku6c$loc$1@news.spamcop.net... > On 11/18/2005 7:37 AM Mike Easter scribbled: > > > jg wrote: > > > > > >>You mean there's no moderator to these groups? > > <snip> > > The best condition for newsgroups is pretty loose. > > > > > Well, actually, I thought it /was/ monitored due to the /lack/ of such > crap (beyond mindless spamme requests). > I can see your point, however... The 'moderators' are the people who immediately report (to spamcop and manually) such posts. Miss Betsy From g.hyde at bigpond.net.au Sat Nov 19 10:12:01 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Nov 18 19:15:06 2005 Subject: [SpamCop-List] News: Rootkits a failure Message-ID: <dllqkk$k08$1@news.spamcop.net> http://www.informationweek.com/story/showArticle.jhtml?articleID=174400352 An article I chanced upon in Google news while I was searching for something else. It would appear that the computer security industry has had it's head firmly buried in the sand whilst Sony calmly strolls by with a rootkit in pocket. Cheers ... Geoffrey Hyde From SC.10.myspamgobbler at spamcowboy.net Fri Nov 18 17:01:46 2005 From: SC.10.myspamgobbler at spamcowboy.net (Brian) Date: Fri Nov 18 20:05:08 2005 Subject: [SpamCop-List] Re: News: Rootkits a failure In-Reply-To: <dllqkk$k08$1@news.spamcop.net> References: <dllqkk$k08$1@news.spamcop.net> Message-ID: <dlltml$l98$1@news.spamcop.net> Geoffrey Hyde wrote: > http://www.informationweek.com/story/showArticle.jhtml?articleID=174400352 > > An article I chanced upon in Google news while I was searching for something > else. > > It would appear that the computer security industry has had it's head firmly > buried in the sand whilst Sony calmly strolls by with a rootkit in pocket. > From the article: Curry offered up other excuses for his industry missing the rootkit boat. "Frankly, we were busy looking for where the [spyware] money was going," said Curry. "We weren't looking at legitimate industries." He also said that Computer Associates had the rootkit on its radar this summer, but didn't act. "CA did catch one of the earlier iterations of this rootkit in July, but we only saw a sample or two. It just wasn't very widespread. It wasn't a very big bell ringing." Now, however, it's a different story. -- Brian SC.10.myspamgobbler@spamcowboy.net From jg at coks.net Fri Nov 18 17:29:39 2005 From: jg at coks.net (jg) Date: Fri Nov 18 20:30:02 2005 Subject: [SpamCop-List] Re: internap.com In-Reply-To: <slrndns43k.lq9.nobody@127.0.0.1> References: <dll1n8$o4p$1@news.spamcop.net> <slrndns43k.lq9.nobody@127.0.0.1> Message-ID: <dllv2d$m9t$1@news.spamcop.net> On 11/18/2005 9:33 AM Steven Maesslein scribbled: > Dark black. > > http://groups.google.com/group/news.admin.net-abuse.email/search?q=internap&start=0&scoring=d& > Oh well, scratch 1 wasted LART - then again, maybe I'll get listwashed... hope springs eternal in the wasteland... From nobody at spamcop.net Sat Nov 19 06:43:43 2005 From: nobody at spamcop.net (nospam) Date: Fri Nov 18 21:45:05 2005 Subject: [SpamCop-List] Re: internap.com-has become a Penis enlargement business References: <dll1n8$o4p$1@news.spamcop.net> <slrndns43k.lq9.nobody@127.0.0.1> <dllv2d$m9t$1@news.spamcop.net> Message-ID: <BFA47A1F.166AE%nobody@spamcop.net> in article dllv2d$m9t$1@news.spamcop.net, jg at jg@coks.net wrote on 19/11/05 5:29 AM: > On 11/18/2005 9:33 AM Steven Maesslein scribbled: > >> Dark black. >> >> http://groups.google.com/group/news.admin.net-abuse.email/search?q=internap&s >> tart=0&scoring=d& >> > > Oh well, scratch 1 wasted LART - then again, maybe I'll get listwashed... > hope springs eternal in the wasteland... It looks like Internap has changed it's business direction From skiwi at spamcop.net Fri Nov 18 19:46:07 2005 From: skiwi at spamcop.net (Skiwi) Date: Fri Nov 18 22:50:04 2005 Subject: [SpamCop-List] how about THIS for a "it wasn't us spamming you, honest..." Message-ID: <dlm75v$q23$1@news.spamcop.net> http://www.christianmortgageusa.com/unsub.php?oid=873&name=ChristianMortgateUSA.com BS of course... From nobody at nowhere.not Sat Nov 19 04:14:34 2005 From: nobody at nowhere.not (Robert Blair) Date: Fri Nov 18 23:15:04 2005 Subject: [SpamCop-List] Re: News: Rootkits a failure References: <dllqkk$k08$1@news.spamcop.net> Message-ID: <TECQXhvKj0FX-pn2-Ce6beyWEOsQh@dsl-206-55-144-107.tstonramp.com> On Sat, 19 Nov 2005 00:12:01 UTC, "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote: > http://www.informationweek.com/story/showArticle.jhtml?articleID=174400352 > > An article I chanced upon in Google news while I was searching for something > else. > > It would appear that the computer security industry has had it's head firmly > buried in the sand whilst Sony calmly strolls by with a rootkit in pocket. Sony has recalled all of the CDs with the rootkit. So maybe others will be a little gun shy when it comes to this kind of copyright protection. -- Robert Blair From borgholio at storymind.com Fri Nov 18 20:48:27 2005 From: borgholio at storymind.com (Borgholio) Date: Fri Nov 18 23:50:04 2005 Subject: [SpamCop-List] Re: News: Rootkits a failure In-Reply-To: <TECQXhvKj0FX-pn2-Ce6beyWEOsQh@dsl-206-55-144-107.tstonramp.com> References: <dllqkk$k08$1@news.spamcop.net> <TECQXhvKj0FX-pn2-Ce6beyWEOsQh@dsl-206-55-144-107.tstonramp.com> Message-ID: <dlmaq7$rpv$1@news.spamcop.net> Robert Blair wrote: >So maybe others will be a little gun shy when it comes to this kind of copyright > protection. > HAHAHAHAHAHAHAHA!!! But no, seriously folks. From 96q7vwa02 at sneakemail.com Fri Nov 18 21:49:14 2005 From: 96q7vwa02 at sneakemail.com (Fred K.) Date: Sat Nov 19 02:00:28 2005 Subject: [SpamCop-List] Re: Rootkits a failure References: <dllqkk$k08$1@news.spamcop.net> Message-ID: <dlmi8q$var$1@news.spamcop.net> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message news:dllqkk$k08$1@news.spamcop.net... > It would appear that the computer security industry has had it's head > firmly buried in the sand whilst Sony calmly strolls by with a rootkit in > pocket. > Cheers ... > Geoffrey Hyde People seem so surprised and upset over some event as such. Remember nothing is 100%. Even armored trucks and banks get robbed, albeit not often. As they say, absolute security is an oxy-moron. Fred k. From 96q7vwa02 at sneakemail.com Fri Nov 18 21:54:58 2005 From: 96q7vwa02 at sneakemail.com (Fred K.) Date: Sat Nov 19 02:00:53 2005 Subject: [SpamCop-List] Re: SpamCop Blocking SalesForce.com References: <dlklsq$gc6$1@news.spamcop.net> <dlkrch$jlh$1@news.spamcop.net> Message-ID: <dlmi8r$var$2@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dlkrch$jlh$1@news.spamcop.net... > mark wrote: > Report on IP address: 204.14.234.14 > > Volume Statistics for this IP > Magnitude Vol Change vs. Average > Last day 4.9 25588% > Last 30d 3.3 702% > Average 2.4 > > <use monofont for columns> > > Which results are roughly like saying that the IP usually puts out about > 250 items per day, but its average over the last 30 days has been about > 2000 per day and its average over the last day has been about 80,000 per > day. > > Mike Easter > kibitzer, not SC admin Mike Could you explain the relation (as I understand you saying) of Average 2.4 = 250/day, Last 30 days 3.3 = 2000/day etc? Thanks Fred k. From philip at pch.home.cs.vu.nl Sat Nov 19 15:01:30 2005 From: philip at pch.home.cs.vu.nl (Philip Homburg) Date: Sat Nov 19 09:20:19 2005 Subject: [SpamCop-List] Re: "Mike Easter,kibitzer, not SC admin" - you are a breath of fresh air in a fetid swamp References: <dlj236$l1p$1@news.spamcop.net> <slrndnrdbn.ep0.nobody@127.0.0.1> Message-ID: <qrcr3hskume92bd7vqlugua9t3@inews_id.stereo.hq.phicoh.net> In article <slrndnrdbn.ep0.nobody@127.0.0.1>, Steven Maesslein <nobody@nowhere.invalid> wrote: >In Europe the laws are toothless. For example, in the UK, only private >mailboxes are protected while it is now perfectly legal to spam the crap >out of business mailboxes. In France, confirmed opt-in is now mandatory >but nobody enforces it, and French-run websites have to state who is >hosting the site in their "legal information" page - like that's going >to help prevent spamming, and can't anyone do a whois on the IP address >anyway? Well, in .nl there used to be spammers who just sent spam to all .nl addresses on spam lists. They don't do that anymore. Probably because the risk of getting caught is to high. I hardly ever get spam specifically directed at .nl. For businesses spam is still a problem (from a legal point of view). However, small businesses get the same protection as consumers, so spamming businesses within the Dutch law is tricky. And there are plans to give employees the same protection as consumers. But that law is not there yet. >What about elsewhere? How are CAN-SPAM and EU laws going to affect >someone in, say, China, S. Korea, Brazil or Russia? As long as there are >providers like CNC, kornet, telemar, MCI, savvis and SBC who don't care >what their clients do as long as the bill is paid at the end of the >month, you're not going to make a dent in the problem. Most of the spam I get is targeted to people in the US. If the US cannot come up with an effective way to control spam within its borders than then the law is not going have much effect on other countries. Is law enforcement going to be effective against spam? Probably not because the problem is going to be solved at a different level. >In short, don't expect any anything remotely worthwhile ever to come >from legislation. Legislation is made by people who have secretaries to >wade through the junk mail at work and to give them printouts, and who >probably don't even have a computer at home, let alone e-mail access, >and who therefore don't have the faintest idea of what spam is (or >probably what e-mail is for that matter) and what kind of a problem it >really poses. And when you have slimy organisations paying politicians >to vote this way or that way, the end result is completely skewed and >bears no resemblance to what people really want. Yes. Anti-spam laws sort of depend on whether there is some sort of democracy or not. On the other hand, at some point large companies may figure out that they can't spam anyhow, but that spam does cost them money. Most consumers can tolerate lost e-mail messages much better then businesses. >Nor is there currently any reason why this situation should change. As >long as lawmakers are kept isolated from the problem, they can't see it >for what it is, and quite frankly they have more important things to do, >like running a country while getting rich on various gravy trains. The question here is: what is the economic impact of spam?. Is it really a big deal? If solving the spam problem saves a huge amount of money, it may become a priority. My guess is that losses due to spam are simply not high enough. >Speaking of responsibility, where does it really end up? > >The spammers transfer the responsibility to the ISPs connecting the >zombie armies to the 'Net, but what do these ISPs do with it? > >Nothing. Is it going to stay that way? Zombies are not just used to spam, but are also used for DoS attacks. Furthermore, zombies are also used to collect private information from the machines' owners. Both issues may become more important than spam. >Yes, but what about user xyz who sued us last month because we rejected >mail from his grandmother with instructions on how to feed the goldfish, >which croaked because the stupid kid mistook rat poison for goldfish >food? > >Oh, crap, you're right. We don't have the money for this. Let's tell the >users that we, ahem... "value their right to choose", and let them deal >with it. Hotmail, gmail, and whatnot prove that it is not that hard to set up an e-mail service independent of users' ISPs. If users care about spam filtering, they can buy it. >That's why end users are left having to deal with the problem. Dealing with spam at the client site is not a big deal from a technical point of view. Yes, you don't get any bandwidth savings. But in many broadband installations, spam is only very small fraction of the total bandwidth. >If you, if *anyone*, can think of a way to change the current situation, >then please let us (tinu) know! The use of viruses to create zombies was great trick. And we have not fully recovered from that blow. In the ideal case, by now, there would be 'dynamic hosts' lists that list all consumer IP addresses and that exclude all smarthosts. That would take care of the zombie problem. Then there is the bad php script problem, so we need lists of hosting providers as well. And finally, there is the 'smarthost without rate limiting problem'. However, there is no reason why those lists cannot become more complete. In the long run, block lists will catch if spammers do not move fast enough. I have the strong impression that spam levels are stabilizing. -- That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make. -- Douglas Adams in Dirk Gently's Holistic Detective Agency From nobody at devnull.spamcop.net Sat Nov 19 08:56:35 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Sat Nov 19 10:00:06 2005 Subject: [SpamCop-List] Re: SpamCop Blocking SalesForce.com References: <dlklsq$gc6$1@news.spamcop.net> <dlkrch$jlh$1@news.spamcop.net> <dlmi8r$var$2@news.spamcop.net> Message-ID: <dlnef4$eiu$1@news.spamcop.net> "Fred K." <96q7vwa02@sneakemail.com> wrote in message news:dlmi8r$var$2@news.spamcop.net... > > "Mike Easter" <MikeE@ster.invalid> wrote in message > news:dlkrch$jlh$1@news.spamcop.net... > > > > Volume Statistics for this IP > > Magnitude Vol Change vs. Average > > Last day 4.9 25588% > > Last 30d 3.3 702% > > Average 2.4 > > > > Which results are roughly like saying that the IP usually puts out about > > 250 items per day, but its average over the last 30 days has been about > > 2000 per day and its average over the last day has been about 80,000 per > > day. > > Could you explain the relation (as I understand you saying) of Average 2.4 = > 250/day, Last 30 days 3.3 = 2000/day etc? NEW! SenderBase's "Magnitude" Explained http://forum.spamcop.net/forums/index.php?showtopic=4556 From MikeE at ster.invalid Sat Nov 19 07:52:40 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 19 10:55:11 2005 Subject: [SpamCop-List] Re: SpamCop Blocking SalesForce.com References: <dlklsq$gc6$1@news.spamcop.net> <dlkrch$jlh$1@news.spamcop.net> <dlmi8r$var$2@news.spamcop.net> Message-ID: <dlnho7$g4c$1@news.spamcop.net> Fred K. wrote: > "Mike Easter" >> Volume Statistics for this IP >> Magnitude Vol Change vs. Average >> Last day 4.9 25588% >> Last 30d 3.3 702% >> Average 2.4 >> Which results are roughly like saying that the IP usually puts out >> about 250 items per day, but its average over the last 30 days has >> been about 2000 per day and its average over the last day has been >> about 80,000 per day. > Could you explain the relation (as I understand you saying) of > Average 2.4 = 250/day, Last 30 days 3.3 = 2000/day etc? WazoO's forum link has a lot of explaining of the data which starts with the senderbase stats, so I'll leave your mathematic understanding to those pages and also to the pages at senderbase where they explain. Somewhere someone should say that the magnitude is the log of the value. However, I will also remark that I have been thoroughly attacked in nanae for using such senderbase stats, because there are email admins in there who have quite a bit of realworld experience in subscribing to such information from expensive commercial services and comparing that information with senderbase and who also have knowledge of the true realworld numbers of servers they control -- and they say that very often senderbase info is very far from the truth. The forum also mentions the rounding problem. But, senderbase is the only source of info I have about such things -- so I 'have to' [= choose to] use it, warts and all. In any case, if we assume 'some data' we want is at senderbase and if we further choose to use it with all of its inaccuracies, then, to me, I like to 'express' that data in a way which the everyman can 'see' for themselves. Just saying that a magnitude number is exponential isn't really good enough. I like to express it as simple numbers somehow. The first time I wanted to express some of those exponential or logrithmic type values, I went out to the garage and dug up an old sliderule of mine from college days because a sliderule has such handy e xponential and logrithmic conversion qualities. This time when I wanted to do it, I figgered that I must surely be able to use the little handy dandy calculator accessory in my Win98 - so I thinkered with it a little bit and found an easy way to convert the magnitude values to a real number. -- Mike Easter kibitzer, not SC admin From jg at coks.net Sat Nov 19 08:00:42 2005 From: jg at coks.net (jg) Date: Sat Nov 19 11:00:03 2005 Subject: [SpamCop-List] Re: internap.com-has become a Penis enlargement business In-Reply-To: <BFA47A1F.166AE%nobody@spamcop.net> References: <dll1n8$o4p$1@news.spamcop.net> <slrndns43k.lq9.nobody@127.0.0.1> <dllv2d$m9t$1@news.spamcop.net> <BFA47A1F.166AE%nobody@spamcop.net> Message-ID: <dlni3k$gbc$1@news.spamcop.net> On 11/18/2005 6:43 PM nospam scribbled: > > It looks like Internap has changed it's business direction > Which way? academic question... From anthony.edwards at uk.easynet.net Sat Nov 19 16:04:35 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Sat Nov 19 11:05:03 2005 Subject: [SpamCop-List] Re: News: Rootkits a failure References: <dllqkk$k08$1@news.spamcop.net> Message-ID: <dlniej$gj5$1@news.spamcop.net> On Sat, 19 Nov 2005 10:12:01 +1000, Geoffrey Hyde <g.hyde@bigpond.net.au> wrote: > http://www.informationweek.com/story/showArticle.jhtml?articleID=174400352 > > An article I chanced upon in Google news while I was searching for something > else. > > It would appear that the computer security industry has had it's head firmly > buried in the sand whilst Sony calmly strolls by with a rootkit in pocket. http://img169.imageshack.us/img169/2540/hellokitty6na.jpg -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From anthony.edwards at uk.easynet.net Sat Nov 19 16:09:38 2005 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Sat Nov 19 11:10:03 2005 Subject: [SpamCop-List] Re: News: Rootkits a failure References: <dllqkk$k08$1@news.spamcop.net> <TECQXhvKj0FX-pn2-Ce6beyWEOsQh@dsl-206-55-144-107.tstonramp.com> Message-ID: <dlnio2$gj5$2@news.spamcop.net> On Sat, 19 Nov 2005 04:14:34 +0000 (UTC), Robert Blair <nobody@nowhere.not> wrote: > Sony has recalled all of the CDs with the rootkit. So maybe others > will be a little gun shy when it comes to this kind of copyright > protection. And perhaps the ultimate irony: http://yro.slashdot.org/article.pl?sid=05/11/17/1350209&tid=188&tid=158 http://yro.slashdot.org/article.pl?sid=05/11/15/1250229&tid=117&tid=188&tid=17 -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From jg at coks.net Sat Nov 19 09:09:43 2005 From: jg at coks.net (jg) Date: Sat Nov 19 12:10:03 2005 Subject: [SpamCop-List] Re: internap.com-has become a Penis enlargement business In-Reply-To: <dlni3k$gbc$1@news.spamcop.net> References: <dll1n8$o4p$1@news.spamcop.net> <slrndns43k.lq9.nobody@127.0.0.1> <dllv2d$m9t$1@news.spamcop.net> <BFA47A1F.166AE%nobody@spamcop.net> <dlni3k$gbc$1@news.spamcop.net> Message-ID: <dlnm51$ig4$1@news.spamcop.net> On 11/19/2005 8:00 AM jg scribbled: > On 11/18/2005 6:43 PM nospam scribbled: > > >>It looks like Internap has changed it's business direction >> > > Which way? > academic question... Skip that - I just noticed you changed the subject line last post... From jgriffitts at spamcop.net Sat Nov 19 14:47:24 2005 From: jgriffitts at spamcop.net (Jonathan Griffitts) Date: Sat Nov 19 16:50:13 2005 Subject: [SpamCop-List] SDF.org sporadically listed in bl.spamcop.net Message-ID: <XXieAQqs15fDFAMP@griffitts.org> It seems that the SDF public access Unix system, aka freeshell.org, has periodic run-ins with the Spamcop blocking list. This happened again yesterday, resulting in the following listing: -------------------------- 192.94.73.21 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 4 hours. Causes of listing * System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) Additional potential problems (these factors do not directly result in spamcop listing) * DNS error: 192.94.73.21 is mx.freeshell.ORG but mx.freeshell.ORG is 192.94.73.22 instead of 192.94.73.21 * System administrator has already delisted this system once Because of the above problems, express-delisting is not available -------------------------- I'm a member of SDF, and I know they are NOT the least bit spam-friendly, quite the contrary. They go to considerable efforts to avoid being the source of any sort of spam or UCE, and they energetically enforce their anti-abuse policies. Please see: http://freeshell.org/index.cgi?abuse/abuse When this came up again yesterday, their administrators' attitude among about spamcop was: "There is nothing that you can do. Even if we dispute it and provide evidence they will not do a thing about it." There is obviously some bad history between SDF and spamcop, and SDF has given up even talking to spamcop. SDF people are spreading negative comments about spamcop. As a supporting member of both organizations, I hate to see this. Blocking SDF is the worst kind of false-positive error, because SDF should be a strong ally of spamcop. What's going on here? I will play go-between if I can understand the situation. If anyone knows the history, please feel free to email me privately if you find it appropriate. The email address in the headers is accurate. Thanks, -- Jonathan Griffitts AnyWare Engineering Boulder, CO, USA From MikeE at ster.invalid Sat Nov 19 14:11:24 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 19 17:15:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> Message-ID: <dlo7ub$qoq$1@news.spamcop.net> Jonathan Griffitts wrote: > It seems that the SDF public access Unix system, aka freeshell.org, > has periodic run-ins with the Spamcop blocking list. There is no such thing as a whitelist for a DNSbl blocklist like SCbl. > 192.94.73.21 listed in bl.spamcop.net > * System has sent mail to SpamCop spam traps in the past week 192.94.73.21 rDNS mx.freeshell.ORG should stop sending unsolicited mail to spamtraps. They probably have something configured badly. Look at this page which describes a spamfilter which sends mail back to senders which don't exist. http://www.freeshell.org/index.cgi?faq?EMAIL?07 "rule against the host so that subsequent incoming messages will be sent back to their senders (in most cases the sender doesn't even exist!), If you have a server configured to create newmails addressed to the bogus From of spams, then it will backscatter and get itself listed on the SCbl. It will also get itself listed on other blocklists which maintain spamtraps. It will also hit spamcop reporters who will report it. SDF/freeshell has an abusive server. It needs to be reconfigured. If it its enough 'mean' spamtrap blocklisters to get itself listed on some blocklists which don't automatically delist, it will be in more trouble than the autodelisting SCbl. They should consdier the SCbl an 'early warning' of a poorly configured server which is performing abusively. > "There is nothing that you can do. Even if we dispute it and > provide evidence they will not do a thing about it." It is true that whining about being listed and talking about what a good guy you are won't get you delisted except when a listing is a mistake. I suspect there is no mistake in the SCbl listings. > Blocking SDF is the worst kind of > false-positive error, because SDF should be a strong ally of spamcop. My theory is that it isn't a false positive, but I don't have access to the evidence. > What's going on here? Bad freeshell server configuration it sounds like. -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Sat Nov 19 16:14:23 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Nov 19 17:15:23 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> Message-ID: <ryFbX45gg7PM@eisner.encompasserve.org> In article <XXieAQqs15fDFAMP@griffitts.org>, Jonathan Griffitts <jgriffitts@spamcop.net> writes: > Causes of listing > > * System has sent mail to SpamCop spam traps in the past week (spam > traps are secret, no reports or evidence are provided by SpamCop) > I'm a member of SDF, and I know they are NOT the least bit > spam-friendly, quite the contrary. They go to considerable efforts to > avoid being the source of any sort of spam or UCE, and they > energetically enforce their anti-abuse policies. Please see: > http://freeshell.org/index.cgi?abuse/abuse I see absolutely _nothing_ on that page indicating they eschew "accept-then-bounce" semantics. Since that is a frequent cause of mail sent to spamtraps, I would presume your organization has not bothered to worry about that source of spam generated by your system. As a member, you are in the best position to effect a change. > When this came up again yesterday, their administrators' attitude among > about spamcop was: > "There is nothing that you can do. Even if we dispute it and > provide evidence they will not do a thing about it." What do they say when asked about "accept-then-bounce" semantics ? > What's going on here? I will play go-between if I can understand the > situation. Please do. The abuse page you cite is silent on the issue. From MikeE at ster.invalid Sat Nov 19 14:34:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 19 17:35:02 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> Message-ID: <dlo99l$rda$1@news.spamcop.net> Mike Easter wrote: > Jonathan Griffitts wrote: >> It seems that the SDF public access Unix system, aka freeshell.org, >> has periodic run-ins with the Spamcop blocking list. >> 192.94.73.21 listed in bl.spamcop.net > >> * System has sent mail to SpamCop spam traps in the past week > > 192.94.73.21 rDNS mx.freeshell.ORG > > should stop sending unsolicited mail to spamtraps. They probably have > something configured badly. > > Look at this page which describes a spamfilter which sends mail back > to senders which don't exist. > http://www.freeshell.org/index.cgi?faq?EMAIL?07 and this page describes what sets up the problem: http://www.freeshell.org/index.cgi?faq?EMAIL?09 WHY IS INCOMING EMAIL SOMETIMES DELAYED? This is referred to as a 'Store and Forward' method, I have a theory that because of that configuration, the 'SMTP REJECT' words which are used about spam handling are not actually a reject during the transaction, because the transaction is closed by the store and forward process -- so the smtp reject will really become a belated 'bounce' where such bounce is a newmail to the bogus From. That's my theory, but I'm not the one running the freeshell server situation, so I can't say for sure. A deputy could comment on whether or not the server evidence looks like backscatter. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sun Nov 20 00:28:27 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Nov 19 18:30:07 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> Message-ID: <437FB51B.1599@xyzzy.claranet.de> Mike Easter wrote: > A deputy could comment on whether or not the server evidence > looks like backscatter. These obscure "secret spamtraps" should have a SPF FAIL policy. Bye, Frank From nobody at xyzzy.claranet.de Sun Nov 20 00:31:33 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sat Nov 19 18:35:03 2005 Subject: [SpamCop-List] Re: internap.com References: <dll1n8$o4p$1@news.spamcop.net> Message-ID: <437FB5D5.344C@xyzzy.claranet.de> jg wrote: > Can anyone say which hat these guys wear? Black. From MikeE at ster.invalid Sat Nov 19 15:59:01 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 19 19:00:04 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> Message-ID: <dloe84$tp2$1@news.spamcop.net> Frank Ellermann wrote: > These obscure "secret spamtraps" should have a SPF FAIL policy. I'm not clear on how you mean. I'm assuming a spamtrap to be just a quickreporting mailbox, not a server with a policy. I think of a spf fail policy as something which is implemented by a server to reject on the basis of a mailfrom domainname vs the IP of the transaction. How would you work something for the spamtrap mailbox or quickreport submission parsing algorithm? How would you have a spamtrap use some kind of spf fail? Incidentally, freeshell.org's MX/output server doesn't have an SPF record. -- Mike Easter kibitzer, not SC admin From jgriffitts at spamcop.net Sat Nov 19 17:01:26 2005 From: jgriffitts at spamcop.net (Jonathan Griffitts) Date: Sat Nov 19 19:05:04 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> Message-ID: <t0MgojtWz7fDFAoU@griffitts.org> In article <ryFbX45gg7PM@eisner.encompasserve.org>, Larry Kilgallen writes >In article <XXieAQqs15fDFAMP@griffitts.org>, Jonathan Griffitts ><jgriffitts@spamcop.net> writes: . . . > >What do they say when asked about "accept-then-bounce" semantics ? I have just asked this question on the internal SDF forum. Please stand by. . . One suggestion was that some individual SDF user may have set up some kind of "vacation" response or other autoresponder, which then sent to the spamtrap. Is there any way we can find out the nature of the notes which landed in the spamtrap? I realize you want to keep the mailbox address secret, but if we're going to diagnose this it would be very to useful to know if you got back a rejection "bounce" message or some kind of autoresponse. I know that official SpamCop policy for this is "no evidence will be presented" but this seems obstructive to trying to diagnose the problem. -- Jonathan Griffitts AnyWare Engineering Boulder, CO, USA From MikeE at ster.invalid Sat Nov 19 16:31:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 19 19:35:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> Message-ID: <dlog51$usg$1@news.spamcop.net> Jonathan Griffitts wrote: > One suggestion was that some individual SDF user may have set up some > kind of "vacation" response or other autoresponder, which then sent to > the spamtrap. If a normal user behind a server initiate emails a piece of spam to a spamtrap, the parser by design is supposed to name the user IP behind the server as the source. The parser is designed to *not* name servers which are relaying mail from user IPs behind them as the source. It is possible for the parser to prematurely break the trace header chain and name the server instead, especially if the parser were both unfamiliar with the server in question and if the server also handled its lines badly. However, our suspicion here is that the server itself is configured to cause the backscatter, not some newmail generated by a user behind a server. > Is there any way we can find out the nature of the notes which landed > in the spamtrap? Sometimes deputies may look at the evidence and comment on whether or not it looks like backscatter. They certainly won't provide very much information from a spamtrap. However, my recommendation would be that the freeshell server admins eliminate all causes of backscatter, not try to figure out some specific one of them which got reported. > is "no evidence will be presented" but this seems obstructive to > trying to diagnose the problem. A lot of useful information to diagnose the problem of backscatter is provided on the SC website http://www.spamcop.net/reported.shtml Introduction to SpamCop for recipients of spam reports -- SpamCop FAQ : -- Help for abuse-desks and administrators -- http://www.spamcop.net/fom-serve/cache/108.html Robots: Mailing lists and autoresponders -- Why are auto responders bad? -- Mitigation techniques? http://www.spamcop.net/fom-serve/cache/329.html#spf -- Mike Easter kibitzer, not SC admin From jgriffitts at spamcop.net Sat Nov 19 18:54:01 2005 From: jgriffitts at spamcop.net (Jonathan Griffitts) Date: Sat Nov 19 20:55:11 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> <dlog51$usg$1@news.spamcop.net> Message-ID: <bEntUF05c9fDFAsX@griffitts.org> In article <dlog51$usg$1@news.spamcop.net>, Mike Easter writes >Jonathan Griffitts wrote: > >> One suggestion was that some individual SDF user may have set up some >> kind of "vacation" response or other autoresponder, which then sent to >> the spamtrap. > >If a normal user behind a server initiate emails a piece of spam to a >spamtrap, the parser by design is supposed to name the user IP behind >the server as the source. The parser is designed to *not* name servers >which are relaying mail from user IPs behind them as the source. I don't think I understand you completely, I think you may not grasp the configuration we're talking about here. SDF is a non-profit public access Unix system. It is not a normal ISP, but more of an old-fashioned central time-sharing system consisting of a cluster of Unix boxes. Approximately 24000 users log into a Unix shell (hence "freeshell.org") and run mail clients and of course many other things. Users are alowed to set up individual procmail scripts (though these are monitored and restricted in various ways). I'm not sure if user mail clients and procmail scripts may run in the same machine as the SMTP gateway to the outside world, but I suspect that they sometime do so. (It is also possible to get validated to use POP and SMTP to access email remotely -- I do this -- but most SDF users don't.) . . . >However, our suspicion here is that the server itself is configured to >cause the backscatter, not some newmail generated by a user behind a >server. Can I ask whether you have any specific basis for that suspicion? I'm just fishing for all possible information for debugging, so we don't have to guess. >> Is there any way we can find out the nature of the notes which landed >> in the spamtrap? > >Sometimes deputies may look at the evidence and comment on whether or >not it looks like backscatter. They certainly won't provide very much >information from a spamtrap. It would be extremely useful to get ANY kind of information of this sort. Please remember that I am trying to act as go-between to an organization that has a low opinion of spamcop. >However, my recommendation would be that the freeshell server admins >eliminate all causes of backscatter, not try to figure out some specific >one of them which got reported. Hmm. That's much easier said than done. As most technical types would agree, a few clues make the trouble-shooting process much easier and more likely to succeed. You seem to be saying "fix your problem or be blacklisted, but we won't provide the rudimentary clues about the nature of the problem." So SDF's (unpaid, volunteer) staff is asked to spend their time trying to guess what has happened and try out a fix without ever knowing whether they're fixing the right problem. You're asking them to spend a great deal of extra time because spamcop isn't able to provide basic feedback on the detected problem. If this is what has been said to the SDF admins in the past, I can see why they didn't react well. Put yourself in their shoes! It likely came across as uncooperative and high-handed. As a matter of fact, *I* find it disturbingly inappropriate and I've been a defender of spamcop for many years. This begs for a humble explanation of *why* that basic feedback is denied. The analogy that comes to my mind is the user who says "we saw an error, you must fix it!" but is unable to provide basic information about the problem. This happens often, but it's not a good way to make things happen, or to make a good impression. Whatever is happening with SDF only results in rare isolated incidents of blacklisting. I don't even know if the history has always been spamtrap incidents, or whether there have been different issues. One SDF admin told me that they have had some problems with users mis-reporting the source of UCE. SDF is strongly anti-spam. They have not waited to react to problems, but have worked pre-emptively to keep bulk email from being sent out. As far as anyone knows, SDF has *NEVER* been a source of UCE or spam. I hope spamcop people will consider treating SDF with respect. -- Jonathan Griffitts AnyWare Engineering Boulder, CO, USA From jgriffitts at spamcop.net Sat Nov 19 19:09:23 2005 From: jgriffitts at spamcop.net (Jonathan Griffitts) Date: Sat Nov 19 21:10:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> <dlog51$usg$1@news.spamcop.net> <bEntUF05c9fDFAsX@griffitts.org> Message-ID: <$ktk8L1Tr9fDFAKM@griffitts.org> This just in, an SDF admin has just received a message which says, in part: In any case, our user has not properly configured his SpamCop reporting account, which causes him to report his own service provider as a spam source. The problem is easily fixed and I have advised him about what needs to be done. In the meantime, I have suspended his reporting privileges so he can't report your server again. This is of course the classic SpamCop problem, but it doesn't seem consistent with the blacklisting report coming from the spamtraps. The SDF guy thinks this is related to yesterday's blacklist event, but I am guessing this comes from an unrelated report. -- Jonathan Griffitts AnyWare Engineering Boulder, CO, USA From MikeE at ster.invalid Sat Nov 19 18:40:07 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 19 21:45:04 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> <dlog51$usg$1@news.spamcop.net> <bEntUF05c9fDFAsX@griffitts.org> Message-ID: <dlonm6$2p8$1@news.spamcop.net> Jonathan Griffitts wrote: > Mike Easter writes >> Jonathan Griffitts wrote: >> >>> One suggestion was that some individual SDF user may have set up >>> some kind of "vacation" response or other autoresponder, which then >>> sent to the spamtrap. >> >> If a normal user behind a server initiate emails a piece of spam to a >> spamtrap, the parser by design is supposed to name the user IP behind >> the server as the source. The parser is designed to *not* name >> servers which are relaying mail from user IPs behind them as the >> source. > > I don't think I understand you completely, I think you may not grasp > the configuration we're talking about here. What I was describing above was a typical sequence of transactions in which the user mailclient transacts with hir smtp mailserver which properly stamps its lines as is required of a mailserver. Then, that mailserver undergoes an smtp transaction with some subsequent mailserver for transmission of a piece of mail from a user to the user's server to another server and then to another user. Each of those servers is supposed to stamp its traceline compliantly. In this particular case, we are assuming an imaginary freeshell based client, a freeshell server, some unnamed recipient server in front of a spamtrap, and a spamtrap recipient. What I was saying is that in that imaginary configuration, if the parser parses for the spamtrap, it would *not* name the freeshell server, but the freeshell user IP. The problem we are dealing with here is the listing of the freeshell *server*. However, if the freeshell server receives and accepts for delivery a piece of spam with a bogus spamtrap From and 'turns around' and newmails an unsolicited autoresponder mail to the spamtrap, the server will be the spamsource and will get listed -- which corresponds to the server listing we are discussing. > SDF is a non-profit public access Unix system. It doesn't matter if the abusive server is profit or non-profit, unix or windows. If it behaves abusively, it will get itself listed. > It is not a normal > ISP, but more of an old-fashioned central time-sharing system > consisting of a cluster of Unix boxes. It doesn't matter if it is a normal ISP or some other kind of email server. It is a server facing the internet handling mail and smtp transactions and stamping its tracelines. If it is behaving in an abusive way, it will get itself blocklisted. > Approximately 24000 users log into a Unix shell (hence > "freeshell.org") and run mail clients and of course many other > things. And, the mailserver thereof has a responsibility to be performing non-abusively. > Users are alowed to set up individual procmail scripts > (though these are monitored and restricted in various ways). I'm not > sure if user mail clients and procmail scripts may run in the same > machine as the SMTP gateway to the outside world, but I suspect that > they sometime do so. It shouldn't be all that hard to get your hands on a set of headers which involve this server so that we can discuss them. They don't have to be spam headers, they can be normal mail headers from a freeshell user account to anything outside that. >> However, our suspicion here is that the server itself is configured >> to cause the backscatter, not some newmail generated by a user >> behind a server. > > Can I ask whether you have any specific basis for that suspicion? I have already given you 2 separate links derived from the freeshell website to support that opinion. http://www.freeshell.org/index.cgi?faq?EMAIL?07 http://www.freeshell.org/index.cgi?faq?EMAIL?09 When I first presented those links, I also accompanied them with additional explanatory elaboration. > I'm > just fishing for all possible information for debugging, so we don't > have to guess. The absolute best person to be troubleshooting this problem is the admin for the freeshell server -- not you or me on the outside guessing about how it is configured. That same person should use the information from the other links which I provided which advise about bad configurations. > Please remember that I am trying to act as go-between to an > organization that has a low opinion of spamcop. There's a great tendency for those who get blocklisted and therefore mail interference to have a low opinion of the blocklisting entity. The blocklisted server admin should be doing a better job of preventing hir server hitting spamtraps. >> However, my recommendation would be that the freeshell server admins >> eliminate all causes of backscatter, not try to figure out some >> specific one of them which got reported. > > Hmm. That's much easier said than done. As most technical types > would agree, a few clues make the trouble-shooting process much > easier and more likely to succeed. The business of backscatter discussions and how server admins have to configure to prevent those problems is very very popular discussion fodder. > You seem to be saying "fix your problem or be blacklisted, but we > won't provide the rudimentary clues about the nature of the problem." Far more than 'rudimentary' clues have been given. We are talking about 5 different links so far. 2 of them at freeshell's site giving clues to the likelihood of backscatter and 3 of them at spamcop's site telling admins how to mitigate against backscatter. You seem to be hung up on not getting to see spamtrap evidence. If I personally had a piece of freeshell abusive backscatter, I would show it to you, but I don't. However, I don't doubt that a spamcop spamtrap received an unsolicited mail and I also feel quite confident that the spamcop spamtrap didn't ask for any mail from freeshell. That makes it unsolicited and abusive. The spamtraps reported the abusive mail in sufficient numbers to cause a listing. According to senderbase, freeshell's daily output of mail might be around 10,000 items from the one server we are talking about. In order for a server with those 'reputation points' or traffic history to become listed for hitting spamtraps, it would take some number. > So SDF's (unpaid, volunteer) staff is asked to spend their time > trying to guess what has happened and try out a fix without ever > knowing whether they're fixing the right problem. You are not characterizing the problem accurately. SDF is running a server handling many thousands of emails per day. That server should be configured correctly. It should have been configured correctly before it started hitting spamtraps. It is not SC's responsibility to configure the freeshell server for the server admins. The server admins are supposed to know how to configure a server. They do not have their server configured wisely. There are a number of known things wrong seen in dnsstuff and there is no SPF record. Whether they are free or paid, they have a responsibility to configure correctly. > You're asking them > to spend a great deal of extra time because spamcop isn't able to > provide basic feedback on the detected problem. No. I'm saying they shouldn't have to spend any extra time if they would configure correctly in the first place. If this is a backscatter issue, the spamcop spamtraps are the tip of an iceberg. They are abusing thousands and thousands of nonspamcop backscatter 'victims' and freeshell doesn't even know or care enough to prevent it. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sat Nov 19 18:52:50 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sat Nov 19 21:55:02 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> <dlog51$usg$1@news.spamcop.net> <bEntUF05c9fDFAsX@griffitts.org> <$ktk8L1Tr9fDFAKM@griffitts.org> Message-ID: <dlooe0$34n$1@news.spamcop.net> Jonathan Griffitts wrote: > This just in, an SDF admin has just received a message which says, in > part: > In any case, our user has not properly configured his SpamCop > reporting account, which causes him to report his own service > provider as a spam source. The problem is easily fixed and I > have advised him about what needs to be done. > > In the meantime, I have suspended his reporting privileges so > he can't report your server again. I'm reading that as a piece of information from a SC admin to an SDF admin about bad reporting. At this point, it is worth mentioning that there are several 'mechanisms' in place to deter bad reporting and reporting of one's own provider, even separate from the obvious fact that one shouldn't be reporting their own provider as a spam source and that every reporter has a higher level of responsibility about recognizing header information than the average user who has never seen a set of headers. In addition to the obvious 'don't report your own provider' and 'configuring for mailhosts will greatly reduce the chances of reporting your own provider' -- there is also the reporting process itself. If 192.94.73.21 mx.freeshell.ORG is reported as a source by a reporter, that report goes to eric@cirr.com because eric is the arin registered contact for the netblock of freeshell's server at OrgName: Donald A. Kassebaum Consulting Services NetRange: 192.94.73.0 - 192.94.73.255 CIDR: 192.94.73.0/24 and Eric would be provided with a copy of the item which was reported. Eric should handle that abuse report in a responsible way, and see that it was reporting freeshell's server and provide the appropriate feedback that a spamcop report was generated by an incompetent spamcop reporter who was reporting his own provider. > This is of course the classic SpamCop problem, but it doesn't seem > consistent with the blacklisting report coming from the spamtraps. You are correct. The bad reporting would be contributory to a listing problem, but the spamtraps are still a problem. > The SDF guy thinks this is related to yesterday's blacklist event, > but I am guessing this comes from an unrelated report. Everything adds up. Bad reporting should be eliminated and spamtrap hitting should be eliminated. -- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Sat Nov 19 22:48:17 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sat Nov 19 23:50:09 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <bEntUF05c9fDFAsX@griffitts.org> Message-ID: <73dg+ZSXFhSJ@eisner.encompasserve.org> In article <bEntUF05c9fDFAsX@griffitts.org>, Jonathan Griffitts <jgriffitts@spamcop.net> writes: > Approximately 24000 users log into a Unix shell (hence "freeshell.org") > and run mail clients and of course many other things. Users are alowed > to set up individual procmail scripts (though these are monitored and > restricted in various ways). I'm not sure if user mail clients and > procmail scripts may run in the same machine as the SMTP gateway to the > outside world, but I suspect that they sometime do so. But the abuse page you cited says nothing to prohibit those users from setting up autoresponders, which is most likely the abuse that got the IP address listed. (Misreporting cited in the message from SpamCop is _not_ the reason for the listing cited earlier.) > It would be extremely useful to get ANY kind of information of this > sort. Please remember that I am trying to act as go-between to an > organization that has a low opinion of spamcop. If they allow "autoresponders" they will always be at odds with Spamcop. >>However, my recommendation would be that the freeshell server admins >>eliminate all causes of backscatter, not try to figure out some specific >>one of them which got reported. > > Hmm. That's much easier said than done. As most technical types would > agree, a few clues make the trouble-shooting process much easier and > more likely to succeed. Start by prohibiting automation of email responses. > You seem to be saying "fix your problem or be blacklisted, but we won't > provide the rudimentary clues about the nature of the problem." So You have been told that backscatter is the problem, and apparently users are permitted to program autoresponders. Q.E.D. > SDF is strongly anti-spam. Not if they allow backscatter. > They have not waited to react to problems, > but have worked pre-emptively to keep bulk email from being sent out. As > far as anyone knows, SDF has *NEVER* been a source of UCE or spam. Backscatter ***IS*** spam. If they don't understand that, hope is lost. From nobody at spamcop.net Sat Nov 19 23:50:38 2005 From: nobody at spamcop.net (Ellen) Date: Sun Nov 20 00:00:04 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> Message-ID: <dlovs9$6uo$1@news.spamcop.net> "Jonathan Griffitts" <jgriffitts@spamcop.net> wrote in message news:t0MgojtWz7fDFAoU@griffitts.org... > In article <ryFbX45gg7PM@eisner.encompasserve.org>, Larry Kilgallen > writes > >In article <XXieAQqs15fDFAMP@griffitts.org>, Jonathan Griffitts > ><jgriffitts@spamcop.net> writes: > . . . > > > >What do they say when asked about "accept-then-bounce" semantics ? > > I have just asked this question on the internal SDF forum. Please stand > by. . . > > One suggestion was that some individual SDF user may have set up some > kind of "vacation" response or other autoresponder, which then sent to > the spamtrap. > > Is there any way we can find out the nature of the notes which landed in > the spamtrap? I realize you want to keep the mailbox address secret, > but if we're going to diagnose this it would be very to useful to know > if you got back a rejection "bounce" message or some kind of > autoresponse. I know that official SpamCop policy for this is "no > evidence will be presented" but this seems obstructive to trying to > diagnose the problem. > Have the administrator of the server write to deputies <at> admin.spamcop.net Ellen SpamCop From jgriffitts at spamcop.net Sat Nov 19 22:37:18 2005 From: jgriffitts at spamcop.net (Jonathan Griffitts) Date: Sun Nov 20 00:40:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> <dlog51$usg$1@news.spamcop.net> <bEntUF05c9fDFAsX@griffitts.org> <dlonm6$2p8$1@news.spamcop.net> Message-ID: <kKVC3x4OuAgDFACR@griffitts.org> In article <dlonm6$2p8$1@news.spamcop.net>, Mike Easter writes >Jonathan Griffitts wrote: >> Mike Easter writes >>> Jonathan Griffitts wrote: >>> >>>> One suggestion was that some individual SDF user may have set up >>>> some kind of "vacation" response or other autoresponder, which then >>>> sent to the spamtrap. >>> >>> If a normal user behind a server initiate emails a piece of spam to a >>> spamtrap, the parser by design is supposed to name the user IP behind >>> the server as the source. The parser is designed to *not* name >>> servers which are relaying mail from user IPs behind them as the >>> source. >> >> I don't think I understand you completely, I think you may not grasp >> the configuration we're talking about here. > >What I was describing above was a typical sequence of transactions in >which the user mailclient transacts with hir smtp mailserver which >properly stamps its lines as is required of a mailserver. Then, that >mailserver undergoes an smtp transaction with some subsequent mailserver >for transmission of a piece of mail from a user to the user's server to >another server and then to another user. Each of those servers is >supposed to stamp its traceline compliantly. > >In this particular case, we are assuming an imaginary freeshell based >client, a freeshell server, some unnamed recipient server in front of a >spamtrap, and a spamtrap recipient. > >What I was saying is that in that imaginary configuration, if the >parser parses for the spamtrap, it would *not* name the freeshell >server, but the freeshell user IP. The problem we are dealing with >here is the listing of the freeshell *server*. I understand you. What you have perhaps not absorbed is that this is not a "typical" modern configuration. See below. >> SDF is a non-profit public access Unix system. > >It doesn't matter if the abusive server is profit or non-profit, unix or >windows. If it behaves abusively, it will get itself listed. . . . Gee, that (and some snipped other comments) come across to me as gratuitously nasty slams. Please be careful about doing this, it could give SpamCop a reputation for arrogance. You have taken my explanation as some kind of defense of the SDF operation. In fact, I'm trying to describe the setup so you might understand my point. Since this is a centralized setup, the SMTP server and the user may well be running at the *same* IP address. I don't *know* if that is the case. I'm trying to suggest (again) that user activity including 'vacation' procmail scripts *could* be involved in the spamtrap reports. We can't really know that for sure without seeing *what* arrived in the spamtrap. >> Users are alowed to set up individual procmail scripts >> (though these are monitored and restricted in various ways). I'm not >> sure if user mail clients and procmail scripts may run in the same >> machine as the SMTP gateway to the outside world, but I suspect that >> they sometime do so. > >It shouldn't be all that hard to get your hands on a set of headers >which involve this server so that we can discuss them. They don't have >to be spam headers, they can be normal mail headers from a freeshell >user account to anything outside that. I can show you such a header, see below, but it proves very little. Other users run on other machines, and I have no idea where procmail scripts run. In fact it looks like my mail went out from a different MX IP than the one which was block listed yesterday. When I log in, my session will be attached to a random different machine in the cluster depending on system loading and on geography. All machines have access to the same shared filesystems so it makes no difference for the end-user. -------------------------------- Return-Path: <[redacted]@sdf.lonestar.org> Delivered-To: spamcop-net-jgriffitts@spamcop.net Received: (qmail 12715 invoked from network); 20 Nov 2005 03:46:03 -0000 X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on blade4 X-Spam-Level: X-Spam-Status: hits=0.0 tests=none version=3.1.0 Received: from unknown (192.168.1.103) by blade4.cesmail.net with QMQP; 20 Nov 2005 03:46:03 -0000 Received: from xm.freeshell.org (HELO sdf.lonestar.org) (192.94.73.22) by mx53.cesmail.net with SMTP; 20 Nov 2005 03:46:03 -0000 Received: from sdf.lonestar.org (IDENT:[redacted]@otaku.freeshell.org [192.94.73.2]) by sdf.lonestar.org (8.13.1/8.12.10) with ESMTP id jAK3jWc6015155 for <jgriffitts@spamcop.net>; Sun, 20 Nov 2005 03:45:32 GMT Received: (from [redacted]@localhost) by sdf.lonestar.org (8.13.1/8.12.8/Submit) id jAK3jWgB029819 for jgriffitts@spamcop.net; Sun, 20 Nov 2005 03:45:32 GMT Date: Sun, 20 Nov 2005 03:45:32 GMT From: Jonathan Griffitts <[redacted]@sdf.lonestar.org> Message-Id: <200511200345.jAK3jWgB029819@sdf.lonestar.org> To: jgriffitts@spamcop.net Subject: Test note X-SpamCop-Checked: 192.168.1.103 192.94.73.22 192.94.73.2 -------------------------------- >>> However, our suspicion here is that the server itself is configured >>> to cause the backscatter, not some newmail generated by a user >>> behind a server. >> >> Can I ask whether you have any specific basis for that suspicion? > >I have already given you 2 separate links derived from the freeshell >website to support that opinion. I classify this as *general* basis, not specific. I'm not trying to be argumentative here, I just thought the plural "our suspicion" meant you had discussed this with someone who knew something specific. >The absolute best person to be troubleshooting this problem is the admin >for the freeshell server -- not you or me on the outside guessing about >how it is configured. > >That same person should use the information from the other links which I >provided which advise about bad configurations. I agree, but the best person to do this has written off any possibility of useful communication with spamcop. I was hoping to bridge the gap. . . . >There's a great tendency for those who get blocklisted and therefore >mail interference to have a low opinion of the blocklisting entity. The >blocklisted server admin should be doing a better job of preventing hir >server hitting spamtraps. This is more low-content material -- verging on ranting -- and I snipped even more of it. I want to respectfully observe that these comments would tend to insult and alienate the very people that you hope to influence. Rereading your full text, you show a clear presumption of incompetence at SDF which is surely insulting to them, and by extension to me. Is this your considered intent? It surely doesn't help convince anybody, and is more likely to induce defensiveness and a closed mind. It may also harm spamcop's image even if the offensive remarks are completely independent spamcop policy. End of digression, back to the real issues. . . . >> You seem to be saying "fix your problem or be blacklisted, but we >> won't provide the rudimentary clues about the nature of the problem." . . . >You seem to be hung up on not getting to see spamtrap evidence. Yes, because it would be so conclusively useful! It would become instantly obvious whether it came from a user autoresponder, or a bounce, or something else in the server configuration, or even a *real* case of UCE. Without this, we're all just making guesses about a complex situation. I know that you personally are not in a position to provide this, so please don't take my comments as any kind of criticism of you. My point is to explain why, in my view, it is not very reasonable to expect SDF's people to take action while witholding a crucial piece of evidence. At least it should be *explained* why the evidence is unavailable. > However, I don't doubt that a spamcop spamtrap >received an unsolicited mail and I also feel quite confident that the >spamcop spamtrap didn't ask for any mail from freeshell. I don't doubt it either and I would *like* to contribute to seeing that it doesn't happen again. >The spamtraps reported the abusive mail in sufficient numbers to cause a >listing. How many is that, approximately? Just an order-of-magnitude estimate? Are we talking about 100 notes, or 1000, or just 10? . . . >They do not have their server configured wisely. There are a number of >known things wrong seen in dnsstuff and there is no SPF record. Some of these things described as "wrong" or "unwise" are open to discussion (IMO) but let's not address that here. That would be a different thread. SDF are not "bad guys" and it's not appropriate to assume incompetence. Perhaps they have made mistakes, and if so we should try to help get the problems fixed. (I know for a fact that spamcop has also made mmistakes in the past, as have I personally, and so have most who ever tried to accomplish anything. Suspecting someone of a mistake doesn't give us moral superiority.) If you or anyone else can identify specific suggestions about improvements to SDF's configuration, I will be receptive and I will pass them along to those who can implement them. -- Jonathan Griffitts AnyWare Engineering Boulder, CO, USA From jgriffitts at spamcop.net Sun Nov 20 00:19:16 2005 From: jgriffitts at spamcop.net (Jonathan Griffitts) Date: Sun Nov 20 02:20:18 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <bEntUF05c9fDFAsX@griffitts.org> <73dg+ZSXFhSJ@eisner.encompasserve.org> Message-ID: <Kp75fG80NCgDFAEe@griffitts.org> In article <73dg+ZSXFhSJ@eisner.encompasserve.org>, Larry Kilgallen writes . . . >But the abuse page you cited says nothing to prohibit those users >from setting up autoresponders, which is most likely the abuse that >got the IP address listed. (Misreporting cited in the message from >SpamCop is _not_ the reason for the listing cited earlier.) . . . I tend to agree that autoresponders are a likely cause of Friday's listing. I will be raising this issue with SDF people, as far as I know it has never been discussed there before. -- Jonathan Griffitts AnyWare Engineering Boulder, CO, USA From nobody at xyzzy.claranet.de Sun Nov 20 10:42:20 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Nov 20 04:46:08 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <t0MgojtWz7fDFAoU@griffitts.org> <dlog51$usg$1@news.spamcop.net> <bEntUF05c9fDFAsX@griffitts.org> <dlonm6$2p8$1@news.spamcop.net> <kKVC3x4OuAgDFACR@griffitts.org> Message-ID: <438044FC.6487@xyzzy.claranet.de> Jonathan Griffitts wrote: > If you or anyone else can identify specific suggestions about > improvements to SDF's configuration, I will be receptive and > I will pass them along to those who can implement them. Simple general suggestions: - don't accept mail to unknown users (and if you "must" do it anyway avoid later bounce messages to forged Return-Paths) - dito don't accept mail to "over quota" users - send auto-replies only to know (white-listed) addresses, otherwise (unknown) stick to the Return-Path (RfC 3834) - reject forged (SPF FAIL) Return-Paths directly at the MX. If you accepted spam give up all hope, you lose. Any accept- then-delete strategy is dangerous (FP), but accept-then-bounce to forged Return-Paths will get you blacklisted. It's a DDoS and as far as I'm concerned criminal negligence, the victims get thousands or those bogus bounces plus backscatter per day. Publish an SPF FAIL policy is all the victims can do, it's the one and only possible fix from their POV. The receiver might also be able to reject spam with other methods (DNSBLs etc.), but the only reliable way after the demise of RfC 821 is an SPF FAIL. Anything else is white or black magic. Post-821 SMTP is broken by design, it doesn't work as expected in a world where almost all mails are spams with forged Return-Paths. SPF is the only available fix: An SPF PASS result can still be spam, and most likely it _is_ spam, but at least the Return-Path isn't forged, bounce messages to a PASS cannot hit innocent bystaders. And of course I'd second it if you want SC's "secret spamtraps" protected by SPF FAIL policies. It's a royal PITA to discuss obscure problems without visible evidence. I'd also second it if you want to limit "backscatter reports" to SC users with an SPF FAIL policy - at the moment SC puts the whole blame on the receiving (= bouncing) system, this cannot work. Bye, Frank From nobody at xyzzy.claranet.de Sun Nov 20 11:31:18 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Nov 20 05:40:28 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> Message-ID: <43805076.A4D@xyzzy.claranet.de> Mike Easter wrote: >> These obscure "secret spamtraps" should have a SPF FAIL >> policy. > I'm not clear on how you mean. > I'm assuming a spamtrap to be just a quickreporting mailbox, > not a server with a policy. Yes, something like auto-quick-reporting. A simple example is a domain with some "invisible" (for human users, but not for harvesters) addresses posted on Web-sites. Sooner or later the harvesters find it and send spam, so far it works as designed, a spam trap. But the spammers always need "plausible" Return-Paths, addresses surviving a simple call-back-verification. They look for such addresses in the same pool of addresses used for spamming. We often see their "probes" in the form of "empty spam" (if they test it up to DATA plus dot, lazy spammers might skip the DATA step in their call-back-test). If the "spam trap" survives the call-back-test it's ready to be abused as forged Return-Path. A smart spammer might go to the length to avoid SPF FAIL protected addresses, but that's beside the point here, let's assume s/h/it doesn't check this. In that case s/h/it will send spam MAIL FROM spam trap, the receiving system might have reasons to accept and bounce it (clueless vacation-script or whatever), the "spam trap" gets the bounce, and that's where we are now in this thread: Without a deputy everybody is lost what the real problem is, there's no evidence for "spam traps". Therefore it's better if spam trap addresses are SPF FAIL protected, because then both the spammer and the receiver have a decent chance to get it right: Smart spammers don't forge FAIL protected addresses, smart receivers reject SPF FAIL, and in both cases the clueless vacation-script would never see the MAIL FROM spam trap. After all SC's main purpose is to fight spam, not clueless vacation-scripts. That's what I meant. It's okay to report this vacation-script, that would result in some evidence. But the "spam traps" should try to stick to their main purpose, a trap for spam, not for backscatter. > How would you work something for the spamtrap mailbox or > quickreport submission parsing algorithm? Modifying the parser to detect an SPF FAIL after the fact is a nice idea, but unfortunately backscatter has no simple format allowing this. All you could do is to protect the "spam traps", i.e. use only SPF FAIL protected addresses as spam trap. > Incidentally, freeshell.org's MX/output server doesn't have > an SPF record. That's not the issue, it would only affect any MAIL FROM them, not the forged MAIL FROM spam trap _to_ them. It's perfectly okay to check SPF without publishing a policy (or vice versa): In their case if they'd reject FAIL protected MAIL FROM a spam trap they won't bounce or backscatter it later and stay out of trouble. Probably the spammer will avoid SPF FAIL protected MAIL FROM addresses, and then the whole problem doesn't exist. Bye, Frank From nobody at nowhere.invalid Sun Nov 20 11:38:54 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sun Nov 20 05:40:51 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> Message-ID: <slrndo0khu.3ph.nobody@127.0.0.1> On Sun, 20 Nov 2005 00:28:27 +0100, Frank Ellermann coughed into spamcop and left this in <437FB51B.1599@xyzzy.claranet.de>: > These obscure "secret spamtraps" should have a SPF FAIL policy. I disagree. What's the point of a spamtrap if it rejects some of the most obvious spam? The whole point of a spamtrap is to give an indication of parts of the 'Net sending mail to recipients that obviously didn't (because couldn't) request it. Furthermore, if they did SMTP reject some inbound mail, the addresses would be in the notification sent by the machine further up the chain and would thus become known to people other than SpamCop staff. -- Steve Why do people pay to go up tall buildings and then put money in binoculars to look down at things on the ground? From Kilgallen at SpamCop.net Sun Nov 20 06:12:03 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun Nov 20 07:15:13 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> Message-ID: <6McnItL+39yh@eisner.encompasserve.org> In article <438044FC.6487@xyzzy.claranet.de>, Frank Ellermann <nobody@xyzzy.claranet.de> writes: > And of course I'd second it if you want SC's "secret spamtraps" > protected by SPF FAIL policies. It's a royal PITA to discuss > obscure problems without visible evidence. I'd also second it > if you want to limit "backscatter reports" to SC users with an > SPF FAIL policy - at the moment SC puts the whole blame on the > receiving (= bouncing) system, this cannot work. I disagree. SpamCop is merely the canary in the coal mine. The same misfits who are doing accept-then-bounce to innocent SpamCop spamtraps are still doing the same thing to _me_, at addresses that have nothing to do with SpamCop. While SPF might solve some such issues, it does not get them all. The fact that some purported source domain has SPF to say otherwise should _not_ get the misconfigured server off the hook, since that server is still sending spam to other addresses that do not have SPF. While locks on doors are nice, they should not be used in place of penalties for breaking and entering. From nobody at xyzzy.claranet.de Sun Nov 20 13:08:56 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Nov 20 07:15:33 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <slrndo0khu.3ph.nobody@127.0.0.1> Message-ID: <43806758.33E4@xyzzy.claranet.de> Steven Maesslein wrote: >> These obscure "secret spamtraps" should have a SPF FAIL policy. > I disagree. What's the point of a spamtrap if it rejects some > of the most obvious spam? To publish a policy is completely unrelated to checking. You publish a policy for spammers (= "stay away from my addresses in your forged Return-Paths") and receivers (= "reject forged MAIL FROM me, don't backscatter later"). Of course the "spam trap" won't reject forged Return-Paths, almost all spam uses forged Return-Paths, and it's the point of the "spam trap" to catch this crap and auto-blacklist the sources. But it's not the point of a "spam trap" to catch backscatter from clueless vacation-scripts started by a say SDF.org-user. For that SC has the human reporters like you and me providing evidence to track down the problem without bothering Ellen. Maybe (?) I've explained it better in two later articles: <news://news.spamcop.net/43805076.A4D@xyzzy.claranet.de> = <http://news.spamcop.net/pipermail/spamcop-list/2005-November/106594.html> <news://news.spamcop.net/438044FC.6487@xyzzy.claranet.de> = <http://news.spamcop.net/pipermail/spamcop-list/2005-November/106593.html> Bye, Frank From Kilgallen at SpamCop.net Sun Nov 20 06:15:03 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun Nov 20 07:20:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> <43805076.A4D@xyzzy.claranet.de> Message-ID: <Q7$pX5MqRDhn@eisner.encompasserve.org> In article <43805076.A4D@xyzzy.claranet.de>, Frank Ellermann <nobody@xyzzy.claranet.de> writes: > After all SC's main purpose is to fight spam, not clueless > vacation-scripts. That's what I meant. > > It's okay to report this vacation-script, that would result > in some evidence. But the "spam traps" should try to stick > to their main purpose, a trap for spam, not for backscatter. But backscatter _is_ spam. It is exactly as much interruption to my day as any other sort of spam. The lack of a profit motive on the part of the person who spammed me does not remove that burden, just as funding appeals "for a good cause" are still spam. From nobody at xyzzy.claranet.de Sun Nov 20 13:40:30 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Nov 20 07:45:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> <43805076.A4D@xyzzy.claranet.de> <Q7$pX5MqRDhn@eisner.encompasserve.org> Message-ID: <43806EBE.7447@xyzzy.claranet.de> Larry Kilgallen wrote: > But backscatter _is_ spam. A completely different kind of spam, as the OP pointed out SDF.org is "antispam" (at least wannabe). Spam from some zombie (or worms from an infected system) are a different category, not the same problem as backscatter. With zombies or worms blacklist the source IP, maybe inform the ISP (if it was a human reporter, not a spam trap), and be done with it, it's up to the ISP to educate his user. With backscatter it can be tricky to analyze the problem, it's much better if these cases are restricted to "human" reports with visible evidence. An SPF FAIL policy for "spam traps" won't guarantee this - after all the spammer and the receiver are free to ignore it - but it's more likely to catch "real" spam with this strategy. Besides I'm convinced that there are "legit" cases where backcatter is unavoidable without an SPF FAIL policy on the side of the alleged "Return-Path", and SPF checks on the side of the receiver. If you think that it's always avoidable without SPF please publish your secret recipe... <g> Bye, Frank From MikeE at ster.invalid Sun Nov 20 05:05:02 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 20 08:05:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> <dlog51$usg$1@news.spamcop.net> <bEntUF05c9fDFAsX@griffitts.org> <dlonm6$2p8$1@news.spamcop.net> <kKVC3x4OuAgDFACR@griffitts.org> Message-ID: <dlps9s$jt7$1@news.spamcop.net> Jonathan Griffitts wrote: > Mike Easter writes >> Jonathan Griffitts wrote: >>> Mike Easter writes >>>> Jonathan Griffitts wrote: >>>> >>>>> One suggestion was that some individual SDF user may have set up >>>>> some kind of "vacation" response or other autoresponder, which >>>>> then sent to the spamtrap. >>>> >>>> If a normal user behind a server initiate emails a piece of spam >>>> to a spamtrap, the parser by design is supposed to name the user >>>> IP behind the server as the source. The parser is designed to >>>> *not* name servers which are relaying mail from user IPs behind >>>> them as the source. Just what that par sez is demonstrable in the example headers you provided. If you as [redacted]@sdf.lonestar.org sends a spam to a spamtrap, or if you as redacted are configured to send an autoresponder which is handled by your SDF server [calling itself lonestar, which is not a good configuration] as having been initiated by /your/ IP address, then the parser correctly diagnoses that the item came from you, not the server. This tracker demonstrates that http://www.spamcop.net/sc?id=z829055680z998de42e4d44ecf7010cbce9394b42faz If reported today, reports would be sent to: Re: 192.94.73.2 (Administrator of network where email originates) eric@cirr.com The parser correctly parses past the server tracelines to name the source behind the server. >> It doesn't matter if the abusive server is profit or non-profit, >> unix or windows. If it behaves abusively, it will get itself listed. > Gee, that (and some snipped other comments) come across to me as > gratuitously nasty slams. Please be careful about doing this, it > could give SpamCop a reputation for arrogance. Abusive is a standard and non-pejorative term for misconfigured mailservers. Gratuitous, nasty, and arrogant aren't standard terms for a conversation without much difference of opinion. > You have taken my explanation as some kind of defense of the SDF > operation. In fact, I'm trying to describe the setup so you might > understand my point. You have taken my explanation of how a possibly misconfigured server can get itself blocklisted as gratuitous arrogant nastiness, or implied that. > Since this is a centralized setup, the SMTP server and the user may > well be running at the *same* IP address. If that were so, then that would be a bad configuration. However, that isn't the case for your headers. > We can't really know that for sure without seeing *what* > arrived in the spamtrap. Even when the SC admin was kind enough to make report headers available for public consumption, the nothing was made available from spamtraps. Even when an admin makes a comment on something they've looked at in the evidence, they only comment as to some general characterization such as type of spam or autoresponder or challenge. > I can show you such a header, see below, but it proves very little. The header provided proves that the SC parser knows the SDF server and trusts it to be a server. That condition disproves one of the possibilities that the parser made a mistake in parsing headers sourced from a user IP by prematurely breaking the chain and naming the server instead of the user. Those headers are valuable to our discussion. Thanks for providing them. > Return-Path: <[redacted]@sdf.lonestar.org> > Delivered-To: spamcop-net-jgriffitts@spamcop.net > I just thought the plural "our suspicion" > meant you had discussed this with someone who knew something specific. I should have said my suspicion as in 'my theory'. > I agree, but the best person to do this has written off any > possibility of useful communication with spamcop. I was hoping to > bridge the gap. That seems strange -- the deputies are typically most helpful. However, if the 'attitude' of a server admin is that SC should whitelist a server which is abusively misconfigured for its bounces and autoresponders, or that SC should always manually delist a server because it wasn't /really/ spamming, but doing something else, then the server's admin isn't going to be 'usefully communicating'. Some people only find useful the communication which suits them. Everything else has some other kind of unpleasant adjective. >> There's a great tendency for those who get blocklisted and therefore >> mail interference to have a low opinion of the blocklisting entity. >> The blocklisted server admin should be doing a better job of >> preventing hir server hitting spamtraps. > > This is more low-content material -- verging on ranting -- low content? ranting? It is a given that the server hit sufficient spamtraps to be listed. It shouldn't be doing that. We also now know that the parser isn't unfamiliar with the SDF server and trusts it to be a server, so there isn't some condition of mistake on a parse that is originating at a source IP behind the server. >> The spamtraps reported the abusive mail in sufficient numbers to >> cause a listing. > > How many is that, approximately? Just an order-of-magnitude estimate? > Are we talking about 100 notes, or 1000, or just 10? When I cite senderbase information, I do it in an effort to express the busy-ness of a server. SC doesn't say how it derives the 'busy-ness' of an IP address for what it calls 'reputation points', so we are dealing with an equation which lacks a numerator for its denominator. There is a whole page of 'fuzzy' information here http://www.spamcop.net/fom-serve/cache/297.html What is the SpamCop Blocking List (SCBL)? which describes how the calculations are done. If I don't know what SC uses for reputation points value for the server IP, then I don't know the order of magnitude for the spamtrap hits. It would be my assumption that it wouldn't take a hundred, more in the same order of magnitude of 10. > SDF are not "bad guys" and it's not appropriate to assume > incompetence. If I were a server admin and my server was handling tens of thousands of emails and it was getting itself SC blocklisted by hitting spamtraps, my sense of responsibility to the internet community at large would dictate that I recognize that my server is configured abusively and I would be extremely concerned that my server's behavior was affecting thousands -- not just my own users ability to send mail successfully to those using the spamcop blocklist. There is a lot of difference between the healthy use of smtp rejections which one page seemed to be describing, and the occurrence of 'belated bounces' to forged Froms. There is also a lot of difference in the degree of abusiveness of an out of office autoresponder problem causing some minor abuse and the 'massive' abuse of a lot of belated spambouncing. The SDF admin interacting with the SC admin could work on that. . -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Nov 20 05:21:48 2005 From: MikeE at ster.invalid (Mike Easter) Date: Sun Nov 20 08:25:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <ryFbX45gg7PM@eisner.encompasserve.org> <t0MgojtWz7fDFAoU@griffitts.org> <dlog51$usg$1@news.spamcop.net> <bEntUF05c9fDFAsX@griffitts.org> <dlonm6$2p8$1@news.spamcop.net> <kKVC3x4OuAgDFACR@griffitts.org> <dlps9s$jt7$1@news.spamcop.net> Message-ID: <dlpt9c$kfa$1@news.spamcop.net> Mike Easter wrote: > SC doesn't say how it derives the > 'busy-ness' of an IP address for what it calls 'reputation points', The faq describes 'how' queries to the SCbl influence those points for the numerator of an equation, but we have no idea of the magnitude. -- Mike Easter kibitzer, not SC admin From nobody at xyzzy.claranet.de Sun Nov 20 14:27:31 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Sun Nov 20 08:30:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> Message-ID: <438079C3.250@xyzzy.claranet.de> Larry Kilgallen wrote: > The same misfits who are doing accept-then-bounce to innocent > SpamCop spamtraps are still doing the same thing to _me_, at > addresses that have nothing to do with SpamCop. You report spam, they get a report, can analyze the problem, and likely they can fix it. With a "spam trap" all they get is "oops, we're SCBLed". The obscure bug in RfC 1123 (and later 2821) is 16 years old, and until about 2002 the whole world believed that it's good to always try to accept mail, because if it doesn't work out you can later bounce it. The default case used to be good mail with good Return-Paths. That changed. But folks (postmaters) need some time to adapt, even SC needed some time, the new reporting policy for bounces was introduced this year. You can't expect that the whole world (of postmasters) jumps only because one Julian Haight says so. Some system setups out there _apparently_ worked for years without substantial changes, some DNSBLs added was good enough to get rid of most problems. That also changed. I've read yesterday that 72% of all PCs are infected by spyware. If that's correct I'd guess that half of those systems are zombies, and 36% of all PCs in the world are controlled by the enemy (or whoever, not the owner). It's different from the net 1989 (RfC 1123) or 2001 (RfC 2821), the old rules don't work anymore (in theory they never worked, but nobody noticed it before). So now it's time to enforce better rules, but that will need some time, probably years. SPF FAIL is the only available method to accelerate this process - publish it today, and if you're lucky and your spammer has some minimal clue s/h/it will forge other (unprotected) addresses. > The fact that some purported source domain has SPF to say > otherwise should _not_ get the misconfigured server off the > hook It doesn't. "My" spammer tested it for two weeks in August - I've reported all 14 * 500 bogus bounces, that got me a new record of 51 feedback mails, more feedback in two weeks than in four years of SC reporting. I've answered some of the most funny replies, e.g. tips that I should publish a FAIL policy. For the rest I still plan to send some boilerplate reply, but it's hard to write that: What should I say to somebody claiming "this is no spam, it's only a bounce, just delete it". Hard to find a polite answer. Bye, Frank From Kilgallen at SpamCop.net Sun Nov 20 08:00:20 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun Nov 20 09:05:11 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <slrndo0khu.3ph.nobody@127.0.0.1> <43806758.33E4@xyzzy.claranet.de> Message-ID: <JYUCHiNMOGuK@eisner.encompasserve.org> In article <43806758.33E4@xyzzy.claranet.de>, Frank Ellermann <nobody@xyzzy.claranet.de> writes: > But it's not the point of a "spam trap" to catch backscatter > from clueless vacation-scripts started by a say SDF.org-user. Why isn't it ? > For that SC has the human reporters like you and me providing > evidence to track down the problem without bothering Ellen. I diagree that spamming human reporters should be required to catch backscatter spammers. From Kilgallen at SpamCop.net Sun Nov 20 08:04:57 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun Nov 20 09:05:29 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> <43805076.A4D@xyzzy.claranet.de> <Q7$pX5MqRDhn@eisner.encompasserve.org> <43806EBE.7447@xyzzy.claranet.de> Message-ID: <4Zj+LrG5UDcI@eisner.encompasserve.org> In article <43806EBE.7447@xyzzy.claranet.de>, Frank Ellermann <nobody@xyzzy.claranet.de> writes: > Larry Kilgallen wrote: > >> But backscatter _is_ spam. > > A completely different kind of spam, as the OP pointed out > SDF.org is "antispam" (at least wannabe). All spammers redefine spam to be that which they do not do. > Spam from some > zombie (or worms from an infected system) are a different > category, not the same problem as backscatter. Why isn't it the same problem ? My day is interrupted by Unsolicited Bulk Email. The fact that the spammer does not profit from the venture is immaterial. > With zombies or worms blacklist the source IP, maybe inform > the ISP (if it was a human reporter, not a spam trap), and > be done with it, it's up to the ISP to educate his user. > > With backscatter it can be tricky to analyze the problem, > it's much better if these cases are restricted to "human" > reports with visible evidence. Backscatter is certainly not trickier to analyze than viruses. There is a whole industry doing nothing but analyzing viruses that are supported by Microsoft. The fact that someone saw a profit motive does not make viruses less tricky than Backscatter. > An SPF FAIL policy for "spam traps" won't guarantee this - > after all the spammer and the receiver are free to ignore > it - but it's more likely to catch "real" spam with this > strategy. Once again, any spam that interrupts my day is "real" spam. > Besides I'm convinced that there are "legit" cases where > backcatter is unavoidable without an SPF FAIL policy on > the side of the alleged "Return-Path", and SPF checks on > the side of the receiver. You and I have different views of "legit". From Kilgallen at SpamCop.net Sun Nov 20 08:13:06 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Sun Nov 20 09:15:04 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> Message-ID: <nRBVu89QfL7P@eisner.encompasserve.org> In article <438079C3.250@xyzzy.claranet.de>, Frank Ellermann <nobody@xyzzy.claranet.de> writes: > Larry Kilgallen wrote: > >> The same misfits who are doing accept-then-bounce to innocent >> SpamCop spamtraps are still doing the same thing to _me_, at >> addresses that have nothing to do with SpamCop. > > You report spam, they get a report, can analyze the problem, > and likely they can fix it. With a "spam trap" all they get > is "oops, we're SCBLed". But their problem is the same, and they should have avoided it preemptively in their terms of service. > The obscure bug in RfC 1123 (and later 2821) is 16 years old, > and until about 2002 the whole world believed that it's good > to always try to accept mail, because if it doesn't work out > you can later bounce it. Some of us realized it earlier. The fact that earlier generations wrote something down as acceptable behavior does not make it so. > The default case used to be good mail with good Return-Paths. > That changed. But folks (postmaters) need some time to adapt, > even SC needed some time, the new reporting policy for bounces > was introduced this year. SpamCop policy presumably was changed in reaction to those running servers failing to "get it" on their own. > You can't expect that the whole world (of postmasters) jumps > only because one Julian Haight says so. No, they must change because spammers changed their tactics. None of us care particularly whether SpamCop spamtraps get hit. We care about whether _we_ get hit. > That also changed. I've read yesterday that 72% of all PCs > are infected by spyware. If that's correct I'd guess that > half of those systems are zombies, and 36% of all PCs in the > world are controlled by the enemy (or whoever, not the owner). And that should not be the problem of those of us not using PCs. > What should I say to somebody claiming "this is no spam, it's > only a bounce, just delete it". Hard to find a polite answer. Here is a polite answer: http://mailsc.spamcop.net/fom-serve/cache/329.html From jeffg at spamcop.net Sun Nov 20 14:40:51 2005 From: jeffg at spamcop.net (Jeff G.) Date: Sun Nov 20 14:50:15 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> Message-ID: <dlqk00$un7$1@news.spamcop.net> "Frank Ellermann" <nobody@xyzzy.claranet.de> wrote in message news:438079C3.250@xyzzy.claranet.de... > What should I say to somebody claiming "this is no spam, it's > only a bounce, just delete it". Hard to find a polite answer. Here is my answer template: [Title], Thank you for your message. Referencing [Tracking URL] and [Tracking URL];action=display , the email message which I received, reviewed, determined to be reportable, and reported in a SpamCop Report via email to abuse@example.com on [Date] at and shortly before [Time with timezone], is a misdirected bounce, which should be avoided by using 500-series errors during the SMTP transaction. [If Applicable] It was also sent to email address [Bounce destination email address], which is not and never has been authorized for use on the example.invalid domain. Such misdirected bounces are now considered abusive and reportable by SpamCop per the "Messages which may be reported" section of "On what type of email should I (not) use SpamCop?" at http://www.spamcop.net/fom-serve/cache/14.html and the "Misdirected bounces" section of "Why are auto-responders (and delayed bounces) bad?" at http://www.spamcop.net/fom-serve/cache/329.html#bounces . [If Applicable] You can avoid sending misdirected bounces by avoiding sending NDRs entirely, specifically by applying "Update available in Exchange Server 5.5 to control whether the Internet Mail Service suppresses or delivers NDRs" per http://support.microsoft.com/default.aspx?scid=kb;en-us;837794 and using "Value data" of "10". [If Applicable] Also, where are the Received Header Lines for the original spam? How can you or we track the spammer who forged our user's email address and tried to spam your user without complete info in your bounce? Without the Received Header Lines for the original spam, we must conclude that the original spam came from inside your network. If you can't adjust your systems to bounce during the SMTP transaction, please at least provide the full headers and body of the me ssage in your bounces of messages from open proxies, and forward the missing pieces for this spam if you can find them. This month alone, we have been seeing and Reporting an average of 354 instances every day of misdirected bounces, challenges, and auto-responses to addresses matching andrew????@example.invalid (none of which are or ever have been authorized for use on the example.invalid domain) of spam sent through open proxies with forged Received Header Lines fingering [one of our MXs]. Please don't bounce spam from open proxies to your nonexistent users. Thanks and Best Regards, [Signature] ----- Original Message ----- [Original Message] Alternate language for other infractions includes: is a misdirected challenge ... SpamCop doesn't recommend CR (Challenge/Response) systems - they are now considered abusive and reportable by SpamCop per the "Messages which may be reported" section of "On what type of email should I (not) use SpamCop?" at http://www.spamcop.net/fom-serve/cache/14.html and the "Challenge/response spam filtering" section of "Why are auto-responders (and delayed bounces) bad?" at http://www.spamcop.net/fom-serve/cache/329.html#CR . is a misdirected auto-response, which should be avoided by using 500-series errors during the SMTP transaction. ... Such misdirected auto-responses are now considered abusive and reportable by SpamCop per the "Messages which may be reported" section of "On what type of email should I (not) use SpamCop?" at http://www.spamcop.net/fom-serve/cache/14.html and the "Traditional auto-responders" section of "Why are auto-responders (and delayed bounces) bad?" at http://www.spamcop.net/fom-serve/cache/329.html#responder . Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From dwvbo91q4001 at sneakemail.com Mon Nov 21 01:17:24 2005 From: dwvbo91q4001 at sneakemail.com (Tim P.) Date: Mon Nov 21 23:11:44 2005 Subject: [SpamCop-List] Heads up: Joe Job fools spamcop parser Message-ID: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> Heads up admins. A spammer is using a portion of an email's header with a website domain embedded in it and it is fooling the parser to report spamvertized domains found in it. Following the header field that is found within the body of the email is an encoded text field. Supposedly the spammer is exploiting the parser to find the wrong link and the parser is not searching within the encoded text. Good thing I caught this one. sample is at: http://www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d34z -- --- Tim P. A very satisfied subscriber since 4/2002 From dwvbo91q4001 at sneakemail.com Mon Nov 21 01:21:04 2005 From: dwvbo91q4001 at sneakemail.com (Tim P.) Date: Mon Nov 21 23:12:04 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> Message-ID: <Xns9714C4DB92265dwvbo91q4001sneakema@216.154.195.61> "Tim P." <dwvbo91q4001@sneakemail.com> wrote in news:Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61: > http://www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d34z See post about joe on domain at: http://blogs.oldradio.net/archives/2005/11/16/here-we-go-again/ -- Tim P Very content SpamCop Subscriber since 4/2002 From dwvbo91q4001 at sneakemail.com Mon Nov 21 01:40:57 2005 From: dwvbo91q4001 at sneakemail.com (Tim P.) Date: Mon Nov 21 23:12:18 2005 Subject: [SpamCop-List] Re: Come to my site PLLLLLEEEEEEASSSSE !!! References: <dlhvu2$uc1$4@news.spamcop.net> <dlj7bv$on3$1@news.spamcop.net> Message-ID: <Xns9714C83A71F38dwvbo91q4001sneakema@216.154.195.61> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in news:dlj7bv$on3$1@news.spamcop.net: > [sarcasm] Welcome, newsgroup spammers will be dealt with just as soon > as we can work out where your originating IP address actually is! > [/sarcasm] > > Spammy's gonna learn that when it comes to getting his ar$e kicked, he > came to exactly the right place!! > It could be another joe??? -- Tim P Very content SpamCop Subscriber since 4/2002 From MikeE at ster.invalid Sun Nov 20 17:45:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 21 23:12:35 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> Message-ID: <dlr8s0$2oq$1@news.spamcop.net> Tim P. wrote: > Heads up admins. Just to clarify the item so we can argue or discuss:. > A spammer is using a portion of an email's header with a website > domain embedded in it and it is fooling the parser to report > spamvertized domains found in it. Following the header field that is > found within the body of the email is an encoded text field. > Supposedly the spammer is exploiting the parser to find the wrong > link and the parser is not searching within the encoded text. Good > thing I caught this one. www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d34z That item is sourced from the spamsource proxy/trojan Guangdong .cn IP The tracker you posted is for a spam which is improperly constructed. The process of a mailreader's proper rendering should not result in the display of the link, by my calculations, but I'm concerned that you and I and the parser are seeing something differently. What I see at the tracker is/looks like/ a b64 encoded spambody, but whose content type is 'misrepresented' in the header as '7bit' If the '7bit' condition is 'remedied' or forged to say b64, the resultant spam is this: http://www.spamcop.net/sc?id=z829259064z38e7156f962f201cdbfdd3b9fe063766z which has a spambody like this [except in html]: LOST IN LOVE ? FIND YOUR WAY - THE EASY WAY! http://427.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?330 A year ago, the love of my life was involved in an extramarital affair, and wanted a separation. So I have been 'there', gone through 'it', and lived through what I would call "a living hell". When my relationship failed, I wanted to bring back my lover, as I felt deep in my heart that we should be together. But I did not know what went wrong and why things happened the way they did! Well meaning friends and associates tried to counsel me and do everything they could to help me. They did not answer my most pressing question - WHY? They did not tell me how I could stop the separation or how to re-unite with my loved one. They did not tell me how to stop all that pain and hurt. They did not tell me how I could achieve a harmonious and fulfilling relationship, for as long as I wished and exactly as I wanted it. The truth is you don't have to change a bit. You know all the answers and this book will help you to find them. http://130.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?883 where unitarybn.info is resolved by SC like this: Tracking link: http://427.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?330 Resolves to 58.177.249.223 Tracking link: http://130.9uxbxgw4fgfter9rfr99fr99.unitarybn.info/?883 Resolves to 58.177.249.223 with the resultant: Report Spam to: Re: 59.35.172.149 (Administrator of network where email originates) To: anti-spam#ns.chinanet.cn.net@devnull.spamcop.net (Notes) To: ct-abuse@abuse.sprint.net (Notes) To: abuse#gddc.com.cn@devnull.spamcop.net (Notes) Re: http://130.9uxbxgw4fgfter9rfr99fr99.unitarybn.i... (Administrator of network hosting website referenced in spam) To: fionat@ctihk.com (Notes) To: abuse@hkbn.net (Notes) To: abuse@ctimail.com (Notes) To: postmaster@ctihk.com (Notes) Re: http://427.9uxbxgw4fgfter9rfr99fr99.unitarybn.i... (Administrator of network hosting website referenced in spam) To: fionat@ctihk.com (Notes) To: abuse@hkbn.net (Notes) To: abuse@ctimail.com (Notes) To: postmaster@ctihk.com (Notes) <cancelled> So, how you and I are seeing that spam is entirely differently. -- Mike Easter kibitzer, not SC admin From pxpearson at spamxcop.net Sun Nov 20 17:49:17 2005 From: pxpearson at spamxcop.net (Peter Pearson) Date: Mon Nov 21 23:12:44 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> Message-ID: <dlr921$2ut$1@news.spamcop.net> Tim P. wrote: ... > A spammer is using a portion of an email's header with a website domain > embedded in it and it is fooling the parser to report spamvertized domains > found in it. Following the header field that is found within the body of > the email is an encoded text field. Supposedly the spammer is exploiting > the parser to find the wrong link and the parser is not searching within > the encoded text. Good thing I caught this one. > > sample is at: > http://www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d34z Nobody's fooling the Spamcop parser: it's correctly identifying the site that injected the spam into the mail system. The fact that the body of the spam refers to an innocent party's domain is just a dirty spammer trick that no amount of clever parsing can prevent. -- Remove the two x's to get a good email address. From nobody at spamcop.net Mon Nov 21 06:07:40 2005 From: nobody at spamcop.net (nospam) Date: Mon Nov 21 23:12:52 2005 Subject: [SpamCop-List] Re: internap.com-has become a Penis enlargement business References: <dll1n8$o4p$1@news.spamcop.net> <slrndns43k.lq9.nobody@127.0.0.1> <dllv2d$m9t$1@news.spamcop.net> <BFA47A1F.166AE%nobody@spamcop.net> <dlni3k$gbc$1@news.spamcop.net> <dlnm51$ig4$1@news.spamcop.net> Message-ID: <BFA714AC.166E1%nobody@spamcop.net> in article dlnm51$ig4$1@news.spamcop.net, jg at jg@coks.net wrote on 19/11/05 9:09 PM: >> >>> It looks like Internap has changed it's business direction >>> >> >> Which way? >> academic question... > Skip that - I just noticed you changed the subject line last post... And Mortgages too, maybe they want to be an online Big Box Store From dwvbo91q4001 at sneakemail.com Mon Nov 21 02:38:25 2005 From: dwvbo91q4001 at sneakemail.com (Tim P.) Date: Mon Nov 21 23:13:06 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> <dlr8s0$2oq$1@news.spamcop.net> Message-ID: <Xns9714D1F93ACF4dwvbo91q4001sneakema@216.154.195.61> "Mike Easter" <MikeE@ster.invalid> wrote in news:dlr8s0$2oq$1 @news.spamcop.net: > Tim P. wrote: >> Heads up admins. > > Just to clarify the item so we can argue or discuss:. > > with the resultant: > > Report Spam to: > Re: 59.35.172.149 (Administrator of network where email originates) > To: anti-spam#ns.chinanet.cn.net@devnull.spamcop.net (Notes) > To: ct-abuse@abuse.sprint.net (Notes) > To: abuse#gddc.com.cn@devnull.spamcop.net (Notes) > > Re: http://130.9uxbxgw4fgfter9rfr99fr99.unitarybn.i... (Administrator of > network hosting website referenced in spam) > To: fionat@ctihk.com (Notes) > To: abuse@hkbn.net (Notes) > To: abuse@ctimail.com (Notes) > To: postmaster@ctihk.com (Notes) > > Re: http://427.9uxbxgw4fgfter9rfr99fr99.unitarybn.i... (Administrator of > network hosting website referenced in spam) > To: fionat@ctihk.com (Notes) > To: abuse@hkbn.net (Notes) > To: abuse@ctimail.com (Notes) > To: postmaster@ctihk.com (Notes) > > <cancelled> > > So, how you and I are seeing that spam is entirely differently. > > No. Its just how the parser sees it initially. That, as you can see - is ^^^^^^ causing mis-reporting. Is it any wonder that any alteration of what you get is altering the spam from its original form. Its happening as evidenced by the blog at the third party's website. http://blogs.oldradio.net/archives/2005/11/16/here-we-go-again/ So, again, HEADS UP! -- Tim P Very content SpamCop Subscriber since 4/2002 From dwvbo91q4001 at sneakemail.com Mon Nov 21 02:40:39 2005 From: dwvbo91q4001 at sneakemail.com (Tim P.) Date: Mon Nov 21 23:13:15 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> <dlr921$2ut$1@news.spamcop.net> Message-ID: <Xns9714D259BAC44dwvbo91q4001sneakema@216.154.195.61> Peter Pearson <pxpearson@spamxcop.net> wrote in news:dlr921$2ut$1@news.spamcop.net: > Tim P. wrote: > ... >> A spammer is using a portion of an email's header with a website >> domain embedded in it and it is fooling the parser to report >> spamvertized domains found in it. Following the header field that is >> found within the body of the email is an encoded text field. >> Supposedly the spammer is exploiting the parser to find the wrong >> link and the parser is not searching within the encoded text. Good >> thing I caught this one. >> >> sample is at: >> http://www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d >> 34z > > Nobody's fooling the Spamcop parser: it's correctly identifying > the site that injected the spam into the mail system. The fact > that the body of the spam refers to an innocent party's domain > is just a dirty spammer trick that no amount of clever parsing > can prevent. > Re-read what I wrote. It is just a NOTICE that the parser is being exploited by a spammer and it is a warning to review before sending as it is happening now. The poor sod is getting hammered by SpamCop reports and nobody wants to listen Sheesh! -- Tim P Very content SpamCop Subscriber since 4/2002 From MikeE at ster.invalid Sun Nov 20 19:34:31 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 21 23:13:25 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> <dlr8s0$2oq$1@news.spamcop.net> Message-ID: <dlrf83$5o4$1@news.spamcop.net> Mike Easter wrote: > Just to clarify the item so we can argue or discuss:. I need to revise my clarification. I missed an empty line between a set of headers and the body which starts out with headers, but the whole thing is fundamentally misconstructed. First, let's do some chronology on some stupid spammer/joejobber tricks described here http://blogs.oldradio.net/archives/2005/01/14/i-hate-spammers/ Nostalgic Rumblings -- The Ramblings of an Old Man -- 1/14/2005 -- I hate spammers. Nest, let's go to the original posted tracker: www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d34z If reported today, reports would be sent to: Re: 59.35.172.149 (Administrator of network where email originates) anti-spam#ns.chinanet.cn.net@devnull.spamcop.net ct-abuse@abuse.sprint.net abuse#gddc.com.cn@devnull.spamcop.net Re: http://www.lofcom.com (Administrator of network hosting website referenced in spam) abuse@theplanet.com But that is not a good parse, and it is not a 'good' spam or a good joejob. If we play by the 'rules' for exactly what is seen at the tracker, the spam itself is a set of headers from 59.35.172.149 => yahoo => spamcop ... but contained within the body of the spamitem, we see a set of bogus headers allegedly from 36.89.125.72 allegedly helo/ing as verizon which is bogus and allegedly received by www.lofcom.com, which name is misinterpreted by SC as an enclosed link, which is part of what the Nostalgic ramblings blog is talking about. That's the job. Besides the entirely bogus headers 'contraption', we see that the bogus headers are 'arranged' above another body which is also misconstructed. It is that misconstructed body's relationship with the bogus headers which I was describing earlier. My reassessment is that an incompetent 'joejobber' - and I use the joejobber term loosely, because this is not a competent joejob, it is an absolutely mess. But as bad as the mess is, the result of the parse is that the provider for lofcom would be notified by a bad SC parse. So, #1 I fault what a poor job the joejobber has done; and #2 I fault what a poor job the parser has done on the poor spamming joejobber's work. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Sun Nov 20 19:44:23 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 21 23:13:33 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> <dlr8s0$2oq$1@news.spamcop.net> <Xns9714D1F93ACF4dwvbo91q4001sneakema@216.154.195.61> Message-ID: <dlrfqj$629$1@news.spamcop.net> Tim P. wrote: > "Mike Easter" >> Tim P. wrote: >>> Heads up admins. >> >> Just to clarify the item so we can argue or discuss:. >> > >> with the resultant: >> >> Report Spam to: >> Re: 59.35.172.149 (Administrator of network where email originates) >> So, how you and I are seeing that spam is entirely differently. > No. Its just how the parser sees it initially. Actually, what I posted in that msg is /not/ how the parser sees it, but my reconstruction of the item which was in error; see the post where I retracted and amended what I said before. > So, again, HEADS UP! I'm concerned about a behavior of the parser to interpret anything it finds in anything resembling a spambody of the configuration www.string.tld to be an http://string.tld link. That is not a good configuration and it should be fixed. I think I'll send this little ol' thread to the deputies. -- Mike Easter kibitzer, not SC admin From dwvbo91q4001 at sneakemail.com Mon Nov 21 04:47:12 2005 From: dwvbo91q4001 at sneakemail.com (Tim P.) Date: Mon Nov 21 23:13:42 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> <dlr8s0$2oq$1@news.spamcop.net> <dlrf83$5o4$1@news.spamcop.net> Message-ID: <Xns9714E7CE3CECCdwvbo91q4001sneakema@216.154.195.61> "Mike Easter" <MikeE@ster.invalid> wrote in news:dlrf83$5o4$1 @news.spamcop.net: > Mike Easter wrote: > > > My reassessment is that an incompetent 'joejobber' - and I use the > joejobber term loosely, because this is not a competent joejob, it is an > absolutely mess. > > But as bad as the mess is, the result of the parse is that the provider > for lofcom would be notified by a bad SC parse. > > So, #1 I fault what a poor job the joejobber has done; and #2 I fault > what a poor job the parser has done on the poor spamming joejobber's > work. > > > > This may have been a case of some spammers[1] redirecting[2] larts. Regardless of who is getting the lart, it may not be a true joe-job at all. [1] http://www.spamhaus.org/SBL/sbl.lasso?query=SBL34942 58.177.249.223/32 20-Nov-2005 11:50 GMT | SR04 ROKSO Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov [2] trying - but failing, in this case -- Tim P Very content SpamCop Subscriber since 4/2002 From dfm2a3l0t2 at spymac.com Mon Nov 21 00:42:59 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Mon Nov 21 23:13:50 2005 Subject: [SpamCop-List] [C&C] I don't think she wants me that way... Message-ID: <dfm2a3l0t2-2C1D58.00425821112005@news.cesmail.net> Spam subject line: Be the man that your wife wants you to be. infirm -- D.F. Manno | dfm2a3l0t2@spymac.com I'm a thief in the house of love And I can't be trusted. -Bruce Springsteen From pete+usenet at heypete.com Sun Nov 20 21:47:20 2005 From: pete+usenet at heypete.com (Pete Stephenson) Date: Mon Nov 21 23:13:56 2005 Subject: [SpamCop-List] Re: [C&C] I don't think she wants me that way... References: <dfm2a3l0t2-2C1D58.00425821112005@news.cesmail.net> Message-ID: <pete+usenet-FF543A.21472020112005@news.cesmail.net> In article <dfm2a3l0t2-2C1D58.00425821112005@news.cesmail.net>, "D.F. Manno" <dfm2a3l0t2@spymac.com> wrote: > Spam subject line: > > Be the man that your wife wants you to be. infirm I dunno...some women might be into that. :) -- Pete Stephenson HeyPete.com From nobody at spamcop.net Mon Nov 21 00:12:20 2005 From: nobody at spamcop.net (RW) Date: Mon Nov 21 23:14:03 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser In-Reply-To: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> Message-ID: <dlrofu$9nq$1@news.spamcop.net> Tim P. wrote: > Heads up admins. > > A spammer is using a portion of an email's header with a website domain > embedded in it and it is fooling the parser to report spamvertized domains > found in it. Following the header field that is found within the body of > the email is an encoded text field. Supposedly the spammer is exploiting > the parser to find the wrong link and the parser is not searching within > the encoded text. Good thing I caught this one. > > sample is at: > http://www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d34z > > -- > --- > Tim P. > A very satisfied subscriber since 4/2002 As others have pointed out, there is a blank line in the header which signifies the end of the header and the remainder is body. The URL appears after the linebreak so SC picks it up as body content and parses it. X-Blist-Pattern: 58.0.0.0 - 59.255.255.255 Received: from megachild (lof@chcgil2-ar4-4-34-311-006.chcgil2.dsl-verizon.net [36.89.125.72]) by www.lofcom.com (8.3.3/8.5.3) with ESMTP id MAA35927; Sun, 20 Nov 2005 13:01:32 -0500 It is not the spammer doing this. It is something in your SpamPal doing this as I see a blank line in some of the other spam you reported where the SpamPal line exists: X-SpamCop-Disposition: Blacklist msn.com X-P2P: SPAM X-SpamPal: SPAM P2Pplugin BODY ----201686557423192 Content-Type: text/plain; From nobody at spamcop.net Mon Nov 21 00:13:13 2005 From: nobody at spamcop.net (RW) Date: Mon Nov 21 23:14:13 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser In-Reply-To: <dlrofu$9nq$1@news.spamcop.net> References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> <dlrofu$9nq$1@news.spamcop.net> Message-ID: <dlrohi$9nq$2@news.spamcop.net> RW wrote: Sorry, guess I should have signed that. Richard SpamCop Deputy From Kilgallen at SpamCop.net Mon Nov 21 07:02:30 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon Nov 21 23:15:53 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nRBVu89QfL7P@eisner.encompasserve.org> <4381998A.5ED3@xyzzy.claranet.de> Message-ID: <xqjPmtugF52s@eisner.encompasserve.org> In article <4381998A.5ED3@xyzzy.claranet.de>, Frank Ellermann <nobody@xyzzy.claranet.de> writes: > Larry Kilgallen wrote: > >>> until about 2002 the whole world believed that it's good >>> to always try to accept mail, because if it doesn't work >>> out you can later bounce it. > >> Some of us realized it earlier. > > Okay, SPF traces its ancestors via Danisch's RMX (2003) to > ideas published by Vixie and Green, the references say 2002, > but maybe it's older. > > In an old German mail abuse FAQ this issue is still treated > as a social instead of a technical problem. > > And some of "us" still think that they MUST bounce, because > RfC 2821 says so. It's not exactly obvious in this memo that > you should not accept MAIL FROM unknown strangers, if you > might be forced to bounce it later. > > It all depends on one word "indicated" in 2821, send error > reports to the originator as indicated by the Return-Path. No, it all depends on realizing that RFCs can be flawed, and that rejecting inline during the SMTP dialog overcomes this particular flaw. From Kilgallen at SpamCop.net Mon Nov 21 07:09:47 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon Nov 21 23:16:02 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> <43805076.A4D@xyzzy.claranet.de> <Q7$pX5MqRDhn@eisner.encompasserve.org> <43806EBE.7447@xyzzy.claranet.de> <4Zj+LrG5UDcI@eisner.encompasserve.org> <4381A4A7.306B@xyzzy.claranet.de> Message-ID: <gIP9Smw5pAwW@eisner.encompasserve.org> In article <4381A4A7.306B@xyzzy.claranet.de>, Frank Ellermann <nobody@xyzzy.claranet.de> writes: > Larry Kilgallen wrote: > >>> Spam from some zombie (or worms from an infected system) are >>> a different category, not the same problem as backscatter. > >> Why isn't it the same problem ? > > The solution can be completely different, with a zombie it's > "wipe hard disk, reinstall O/S, add available patches". With > backscatter it's probably more difficult. No, it is much simpler. Backscatter does not come from malevolent outsiders, it comes from incompetent insiders. I predict that soon after the first employee is fired for having an autoresponder in violation of company policy then the rate of backscatter will drop preciptously. For subscription services substitute "cancel service and charge a penalty fee". Of course those running the service in either case have to put a policy in place. >> My day is interrupted by Unsolicited Bulk Email. > > Oour POV is obvious, a report says "I don't want this, period." > > After that we need the cooperation of some "white hat" at the > other side to analyze and fix it. That won't happen without > some evidence if it's their backscatter problem, they can't > say "stupid customer is a zombie". They have to think and to > admit that it's their own problem, not only a stupid customer. If they take the "stupid customer is a zombie" approach, they are lost. For cases that truly _are_ zombies they should be applying the same approach as above, fine the customer when dismissing them (or fire the employee) and make sure those remaining know about it. > Without evidence the easy way out is "blame spamcop". After > they're ready with that tactics without SPF FAIL the next step > could be "delete instead of bounce", or for big systems to send Your emphasis on SPF is misplaced as far as out-of-band bounces is concerned. Once they accept mail, they should deliver it. End of story. > bounces from a separate IP where they can ignore the SCBL. And continue spamming ? You seem to not be on the side of spamfighters. >> You and I have different views of "legit". > > Maybe. I want that my mails never vanish in black holes, I > want to get an error report if there's a problem. For that > purpose I offer FAIL (forged, please reject) and PASS (legit). Rejecting inline accomplished the same goal. From mcwebber at my-deja.com Mon Nov 21 08:14:36 2005 From: mcwebber at my-deja.com (McWebber) Date: Mon Nov 21 23:16:16 2005 Subject: [SpamCop-List] Hotmail Message-ID: <dlsh58$kp8$1@news.spamcop.net> Why does Spamcop give Hotmail a "free pass" as it were and not hold them responsible for the constant stream of 419 and Lottery fraud spam coming from there as of late. (late being the past 6 months of so.) They could filter their outgoing mail to block it, but don't. Spamcop BL never lists Hotmail. They're like an open SMTP spam relay lately and their only reply to complaints quite often is denial: "Unfortunately, we cannot take action on the mail you sent us because it does not reference a Hotmail account." IMO, if Hotmail isn't going to take proper action to prevent the spam from being sent, they should be held responsible. -- McWebber No email replies read If someone tells you to forward an email to all your friends please forget that I'm your friend. From mcwebber at my-deja.com Mon Nov 21 08:25:20 2005 From: mcwebber at my-deja.com (McWebber) Date: Mon Nov 21 23:16:32 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> <43805076.A4D@xyzzy.claranet.de> <Q7$pX5MqRDhn@eisner.encompasserve.org> <43806EBE.7447@xyzzy.claranet.de> Message-ID: <dlshpc$l1k$1@news.spamcop.net> "Frank Ellermann" <nobody@xyzzy.claranet.de> wrote in message news:43806EBE.7447@xyzzy.claranet.de... > Larry Kilgallen wrote: > > > But backscatter _is_ spam. > > A completely different kind of spam, as the OP pointed out > SDF.org is "antispam" (at least wannabe). Spam from some > zombie (or worms from an infected system) are a different > category, not the same problem as backscatter. That's not true, if your email address is being forged by spammers as one of mine is. After blocking by DNSBL, it's the backscatter that is the problem. I know and anti-spammer that has his address routinely forged by spammers. He receives 5,000 backscatter messages vs. only 1,000 actual spam in a month. So, which is the bigger problem? -- McWebber "Richter points to the lack of legal action against his company as proof that he's operating appropriately." Information Week, November 10, 2003 From vrapp at polyscience.com Mon Nov 21 08:56:40 2005 From: vrapp at polyscience.com (Vadim Rapp) Date: Mon Nov 21 23:17:19 2005 Subject: [SpamCop-List] Spam or not? Message-ID: <dlsn78$nc8$1@news.spamcop.net> Company A has their email address X published on the website. Company B sends bulk email to X offering their products and services.The message is addressed to the sender, which probably means that it is bulk. The email is unsolicited, commercial, and bulk. However, if the set of recipients was created to be relevant, then the message is relevant - company A indeed might be interested in the services offered in the email. Is it spam or not? One reservation might be about being unsolicited. If company A publishes X as contact email, doesn't it mean that it is soliciting commercial contacts like the mentioned email? thanks, Vadim Rapp From porpoise1954 at yahoo.co.uk Mon Nov 21 15:11:41 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Mon Nov 21 23:17:45 2005 Subject: [SpamCop-List] Re: Spam or not? References: <dlsn78$nc8$1@news.spamcop.net> Message-ID: <dlso8g$nuu$1@news.spamcop.net> "Vadim Rapp" <vrapp@polyscience.com> wrote in message news:dlsn78$nc8$1@news.spamcop.net... > Company A has their email address X published on the website. > > Company B sends bulk email to X offering their products and services.The > message is addressed to the sender, which probably means that it is bulk. > > The email is unsolicited, commercial, and bulk. However, if the set of > recipients was created to be relevant, then the message is relevant - > company A indeed might be interested in the services offered in the email. > > Is it spam or not? > > One reservation might be about being unsolicited. If company A publishes X > as contact email, doesn't it mean that it is soliciting commercial > contacts like the mentioned email? That raises one of the fundamental problems of quantifying/qualifying exactly what is spam. I have to deal with emails addressed to various addresses within our company (sales@, enquiries@, trade@, etc.) and whilst all the various Via6ra, etc. spams are easily categorised, it's not so easy when it comes to business enquiries. If we receive enquiries related to our business/products we buy/sell, then I would consider that a legitimate commercial enquiry which has clearly been accurately targeted. If, however, it came from a company offering to supply us with, say, sexy underwear, then I would treat it as spam and report it accordingly - as it quite clearly has been sent indiscriminately because it has absolutely nothing to do with our type of business. So, essentially, what is/isn't spam is basically in the eye of the beholder (to coin another well known phrase) in many cases. That's what defeats a lot of attempts at filtering commercial email (as opposed to private email). From kenbrody at spamcop.net Mon Nov 21 11:03:06 2005 From: kenbrody at spamcop.net (Kenneth Brody) Date: Mon Nov 21 23:18:01 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> <43805076.A4D@xyzzy.claranet.de> <Q7$pX5MqRDhn@eisner.encompasserve.org> Message-ID: <4381EFBA.2C0B441A@spamcop.net> Larry Kilgallen wrote: > > In article <43805076.A4D@xyzzy.claranet.de>, Frank Ellermann <nobody@xyzzy.claranet.de> writes: > > > After all SC's main purpose is to fight spam, not clueless > > vacation-scripts. That's what I meant. > > > > It's okay to report this vacation-script, that would result > > in some evidence. But the "spam traps" should try to stick > > to their main purpose, a trap for spam, not for backscatter. > > But backscatter _is_ spam. It is exactly as much interruption to > my day as any other sort of spam. The lack of a profit motive on > the part of the person who spammed me does not remove that burden, > just as funding appeals "for a good cause" are still spam. Not to mention that a spammer can turn your misconfigured server into a spam generator. Simply send an e-mail with a known-bad "to", and set the "from" to your intended destination. The server will then bounce your spam to your victim for you. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include <std_disclaimer.h> | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: <mailto:ThisIsASpamTrap@gmail.com> From mike at okean.invalid Mon Nov 21 08:59:40 2005 From: mike at okean.invalid (Michael Wise) Date: Mon Nov 21 23:19:01 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <437C5F5B.2020201@gmail.com> Message-ID: <mike-33060E.08593421112005@news.cesmail.net> In article <437C5F5B.2020201@gmail.com>, EA <edo.amin@gmail.com> wrote: > > SpamCop doesn't list anything by domainname. It only lists things by IP > > address. No one conversing here has any clue about any IP address which > > might or might not be listed. > > I fail to see how this relates to any IP at all Then you might consider giving up writing about spam, as dnsbl's relate to IP addresses; not domain names. > - in the automatic email > that mentioned Spamcop (from vbmail.vblaw.com) there was no mention of > an IP. Then fault the admin of vblaw.com. Rejection messages consist with whatever verbiage the admin of the rejecting server tells them to consist of. If the rejection message message says "message rejected, because the sky is red," it doesn't mean that's why the message was really rejected. The vblaw.com mail server saying your message was rejected by spamcop does not make it so. The only thing apparent here is the sloppy admin skills on the part of the email admin for vblaw.com. SC and other dnsbls do not reject messages; mail admins who use SC and other dnsbls often choose to reject based on whether the IP address of the sending email server is on the SC or any number of other dnsbl's...but that does not mean it is the dnsbl rejecting the message. When one configures their mail server(s) to reject email if it comes from an IP address included in a dnsbl like spamcop (like I do), the rejection message should be something like: "your mail was rejected because your host [xxx.xxx.xxx.xxx] is on the bl.spamcop.net blacklist. Send your questions to whitelisted@domain.com" Telling the world that spamcop is the one blocking the email is sloppy admin at best; a deliberate lie at worst. --Mike From nobody at nowhere.not Mon Nov 21 18:28:20 2005 From: nobody at nowhere.not (Robert Blair) Date: Mon Nov 21 23:20:14 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nRBVu89QfL7P@eisner.encompasserve.org> <4381998A.5ED3@xyzzy.claranet.de> Message-ID: <TECQXhvKj0FX-pn2-mIBdrbdKmv64@dsl-206-55-144-107.tstonramp.com> On Mon, 21 Nov 2005 09:55:22 UTC, Frank Ellermann <nobody@xyzzy.claranet.de> wrote: > In a certain sense it's not only "acceptable" but "reqired" > for a robust and reliable mail service. Real errors MUST be > reported, otherwise you'd get black holes, where legit mails > are lost. Which we do not have. Email can get dropped for various reasons which have nothing to do with spam. To get a "robust and reliable mail service" you need to change the protocols. Email today can get dropped or duplicated because of the current protocol, it is not "robust and reliable". -- Robert Blair From nobody at nowhere.not Mon Nov 21 18:31:32 2005 From: nobody at nowhere.not (Robert Blair) Date: Mon Nov 21 23:20:23 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nRBVu89QfL7P@eisner.encompasserve.org> <4381998A.5ED3@xyzzy.claranet.de> <xqjPmtugF52s@eisner.encompasserve.org> Message-ID: <TECQXhvKj0FX-pn2-xkOHBvBKfI7d@dsl-206-55-144-107.tstonramp.com> On Mon, 21 Nov 2005 13:02:30 UTC, Kilgallen@SpamCop.net (Larry Kilgallen) wrote: > No, it all depends on realizing that RFCs can be flawed, > and that rejecting inline during the SMTP dialog overcomes > this particular flaw. This works much better but does not work 100% of the time, I think all email servers should do it even if it is not perfect. It can fail for instance when there is an alternate email server that may get the message to relay later. -- Robert Blair From borgholio at storymind.com Mon Nov 21 10:51:38 2005 From: borgholio at storymind.com (Borgholio) Date: Mon Nov 21 23:21:28 2005 Subject: [SpamCop-List] Need help tracking down spam source. Message-ID: <dlt4vl$t11$2@news.spamcop.net> Full spam posted in .spam. Got an email where SC wants to send reports to: hornynews@hotmail.com. Obviously that's incorrect. I need help in finding the correct reporting address. Also, is there a way to get RIPE to correctly update their listing to show a valid contact address? I'll post the official routing request in .routing when we get this straightened out. Thanks! From nobody at xyzzy.claranet.de Mon Nov 21 09:34:25 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Nov 21 23:24:01 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <dlqk00$un7$1@news.spamcop.net> Message-ID: <43818691.5E2F@xyzzy.claranet.de> Jeff G. wrote: >> What should I say to somebody claiming "this is no spam, it's >> only a bounce, just delete it". Hard to find a polite answer. > Here is my answer template: [...] Thanks, that's a good start. For my purposes I've to twist it a bit, pointing out how they could avoid this trouble by just rejecting SPF FAIL, and why sending IPs causing an SPF FAIL are suspicious and good candidates for some kind of greylisting. Plus a hint that the original report already said [bounce] in the subject with a link to the corresponding FAQ in the body. Bye, Frank From nobody at xyzzy.claranet.de Mon Nov 21 10:55:22 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Nov 21 23:24:11 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nRBVu89QfL7P@eisner.encompasserve.org> Message-ID: <4381998A.5ED3@xyzzy.claranet.de> Larry Kilgallen wrote: >> until about 2002 the whole world believed that it's good >> to always try to accept mail, because if it doesn't work >> out you can later bounce it. > Some of us realized it earlier. Okay, SPF traces its ancestors via Danisch's RMX (2003) to ideas published by Vixie and Green, the references say 2002, but maybe it's older. In an old German mail abuse FAQ this issue is still treated as a social instead of a technical problem. And some of "us" still think that they MUST bounce, because RfC 2821 says so. It's not exactly obvious in this memo that you should not accept MAIL FROM unknown strangers, if you might be forced to bounce it later. It all depends on one word "indicated" in 2821, send error reports to the originator as indicated by the Return-Path. In other words, you've already dropped the ball when this "indication" is a lie. My interpretation. Some postmasters disagree, a recent flamewar about this was on the RFCI-list. I'm far from sure that the author of 2821 intends to "fix" this in a future 2821bis, it has some serious consequences. > The fact that earlier generations wrote something down as > acceptable behavior does not make it so. In a certain sense it's not only "acceptable" but "reqired" for a robust and reliable mail service. Real errors MUST be reported, otherwise you'd get black holes, where legit mails are lost. The conclusion "you can't accept mails if you have no clue where to report potential errors later" is very different from what earlier generations did, "above all try to forward and deliver." If a service like mail is abused most of the time the best a server can do today is to reject mails, "if in doubt reject". That's radically different from "(try to) forward and deliver". > None of us care particularly whether SpamCop spamtraps get > hit. We care about whether _we_ get hit. Sure. And the theory of SC's reports is that there are some white hats trying to get it right. For the "spam traps" the theory is "blacklist as fast as possible, it's some source of bulk mail, sooner or later some evidence in the form of a human report will be available". It didn't work that way for SDF.org, and I've some doubts that the OP can convince them to fix an "unknown" problem. We'd have a lot of "fun" in the next years if this always depends on a deputy interpreting the "spam trap" evidence. Bye, Frak From nobody at xyzzy.claranet.de Mon Nov 21 11:42:47 2005 From: nobody at xyzzy.claranet.de (Frank Ellermann) Date: Mon Nov 21 23:24:18 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> <43805076.A4D@xyzzy.claranet.de> <Q7$pX5MqRDhn@eisner.encompasserve.org> <43806EBE.7447@xyzzy.claranet.de> <4Zj+LrG5UDcI@eisner.encompasserve.org> Message-ID: <4381A4A7.306B@xyzzy.claranet.de> Larry Kilgallen wrote: >> Spam from some zombie (or worms from an infected system) are >> a different category, not the same problem as backscatter. > Why isn't it the same problem ? The solution can be completely different, with a zombie it's "wipe hard disk, reinstall O/S, add available patches". With backscatter it's probably more difficult. > My day is interrupted by Unsolicited Bulk Email. Oour POV is obvious, a report says "I don't want this, period." After that we need the cooperation of some "white hat" at the other side to analyze and fix it. That won't happen without some evidence if it's their backscatter problem, they can't say "stupid customer is a zombie". They have to think and to admit that it's their own problem, not only a stupid customer. Without evidence the easy way out is "blame spamcop". After they're ready with that tactics without SPF FAIL the next step could be "delete instead of bounce", or for big systems to send bounces from a separate IP where they can ignore the SCBL. Eventually they might admit that it's a real problem and change their setup. That needs time. By what you say I get a vague impression that you're not interested to help them with a SPF FAIL policy, but it cannot work without it. They'd try one of the ersatz-solutions like "delete instead of bounce", that's the black hole scenario, SMTP is doomed if that's what most do. > You and I have different views of "legit". Maybe. I want that my mails never vanish in black holes, I want to get an error report if there's a problem. For that purpose I offer FAIL (forged, please reject) and PASS (legit). Bye, Frank From bar_n0ne at hotmail.com Mon Nov 21 15:40:11 2005 From: bar_n0ne at hotmail.com (Berny) Date: Mon Nov 21 23:24:24 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <dlo7ub$qoq$1@news.spamcop.net> <dlo99l$rda$1@news.spamcop.net> <437FB51B.1599@xyzzy.claranet.de> <dloe84$tp2$1@news.spamcop.net> <43805076.A4D@xyzzy.claranet.de> <Q7$pX5MqRDhn@eisner.encompasserve.org> <43806EBE.7447@xyzzy.claranet.de> <4Zj+LrG5UDcI@eisner.encompasserve.org> <4381A4A7.306B@xyzzy.claranet.de> Message-ID: <dlsbnb$icd$1@news.spamcop.net> "Frank Ellermann" <nobody@xyzzy.claranet.de> wrote in message news:4381A4A7.306B@xyzzy.claranet.de... SNIPPED >.They'd try one of > the ersatz-solutions like "delete instead of bounce", that's > the black hole scenario, SMTP is doomed if that's what most do. Sadly, that is the reality nowadays. It has already happened. Just from correspndence with my family I am finding some 5% of my legit mail is vanished. ( An a lot more spam) I am talking of in and outgoing mail here. My employer for example has several 10**4's of email users worldwide, who were getting anywhere from 0-300 spam a day depending on how long their addy was exposed to the internet. about a year ago they implemented some kind of PERL based filtering, and any mail scoring over a certain number simply is vanished, a lower tier of scores wind up marked as junk in some way. I believe this is common. My total spam was increasing on a kind of exponential curve up to that point and has resumed it's exponential growth again near the bottom of the curve (I'm back to 1997/98 again already). My hotmail was receiving some 20+ a day,and yahoo likewise, and about 2 years ago, the volume simply fell through the floor. I don't think the spam addressed to me stopped, it is simply vanished. The number of people bitching, why am I blocked has dropped amazingly from a couple of years ago. My conclusion is, a LOT of ISP's and organizations are spam filtering one way or another, and the vast majority of them simply drop the spam on the floor. And the trouble is , no one except mail admins will ever know. ---Please let me know if you did NOT see this. :) From nobody at nowhere.invalid Mon Nov 21 17:29:59 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Nov 21 23:24:33 2005 Subject: [SpamCop-List] Re: Spam or not? References: <dlsn78$nc8$1@news.spamcop.net> Message-ID: <slrndo3tg7.3ln.nobody@127.0.0.1> On Mon, 21 Nov 2005 08:56:40 -0600, Vadim Rapp coughed into spamcop and left this in <dlsn78$nc8$1@news.spamcop.net>: > One reservation might be about being unsolicited. If company A publishes X > as contact email, doesn't it mean that it is soliciting commercial contacts > like the mentioned email? No. The published contact mail X is for people wishing to get hold of company A about *their* (A's) products and services, not so that every spammer and his dog can try and sell A Viagra, Xanax, p3n1s enlargers, fake diplomas, 40 year-old Russian teen sluts and a loan to pay for everything. -- Steve Before you criticize someone, you should walk a mile in their shoes. That way, when you criticize them, you're a mile away and you have their shoes. From MikeE at ster.invalid Mon Nov 21 11:25:26 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 21 23:24:53 2005 Subject: [SpamCop-List] Re: Need help tracking down spam source. References: <dlt4vl$t11$2@news.spamcop.net> Message-ID: <dlt6v3$us6$1@news.spamcop.net> Borgholio wrote: > Full spam posted in .spam. This is the tracker, which is a better way to show the spam http://www.spamcop.net/sc?id=z829537998zca10e9d1d68b4c29623c440259918505z > Got an email where SC wants to send > reports to: hornynews@hotmail.com. That is derived from the ripe lookup on the .ro inetnum: 213.157.183.64 - 213.157.183.95 netname: RO-PALOMA admin-c: PM535-RIPE = hornynews@hotmail.com tech-c: PM535-RIPE > Obviously that's incorrect. Well, it is the reg'd ripe contact for ro-paloma, in more than one place and netblock. If you want the ASN situation it is AS8708 = Romania Data Systems = abuse@rdsnet.ro > I > need help in finding the correct reporting address. Also, is there a > way to get RIPE to correctly update their listing to show a valid > contact address? No. There isn't anything 'illegitimate' about a funky contact address in the RIRs. It might work just fine for ripe's purposes. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Mon Nov 21 12:07:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 21 23:25:00 2005 Subject: [SpamCop-List] Re: Need help tracking down spam source. References: <dlt4vl$t11$2@news.spamcop.net> <dlt6v3$us6$1@news.spamcop.net> Message-ID: <dlt9da$vvg$1@news.spamcop.net> Mike Easter wrote: > Borgholio wrote: >> Got an email where SC wants to send >> reports to: hornynews@hotmail.com. > > That is derived from the ripe lookup on the .ro > There isn't anything 'illegitimate' about a funky contact address > in the RIRs. > > It might work just fine for ripe's purposes. There really is a persona with that addy who has interacted in the past in game forums or chats. There isn't a paloma.ro domainname to match up with the two ro-paloma netblocks in ripe.. -- Mike Easter kibitzer, not SC admin From borgholio at storymind.com Mon Nov 21 12:11:44 2005 From: borgholio at storymind.com (Borgholio) Date: Mon Nov 21 23:25:27 2005 Subject: [SpamCop-List] Re: Need help tracking down spam source. In-Reply-To: <dlt9da$vvg$1@news.spamcop.net> References: <dlt4vl$t11$2@news.spamcop.net> <dlt6v3$us6$1@news.spamcop.net> <dlt9da$vvg$1@news.spamcop.net> Message-ID: <dlt9lr$vc8$1@news.spamcop.net> Mike Easter wrote: > Mike Easter wrote: > >>Borgholio wrote: > > >>>Got an email where SC wants to send >>> reports to: hornynews@hotmail.com. >> >>That is derived from the ripe lookup on the .ro > > >>There isn't anything 'illegitimate' about a funky contact address >>in the RIRs. >> >>It might work just fine for ripe's purposes. > > > There really is a persona with that addy who has interacted in the past > in game forums or chats. There isn't a paloma.ro domainname to match up > with the two ro-paloma netblocks in ripe.. > So it's legit? Sounds like the spammer's address to me... From MikeE at ster.invalid Mon Nov 21 12:31:57 2005 From: MikeE at ster.invalid (Mike Easter) Date: Mon Nov 21 23:25:45 2005 Subject: [SpamCop-List] Re: Need help tracking down spam source. References: <dlt4vl$t11$2@news.spamcop.net> <dlt6v3$us6$1@news.spamcop.net> <dlt9da$vvg$1@news.spamcop.net> <dlt9lr$vc8$1@news.spamcop.net> Message-ID: <dltarq$vt$1@news.spamcop.net> Borgholio wrote: > Mike Easter wrote: >> There really is a persona with that addy who has interacted in the >> past in game forums or chats. There isn't a paloma.ro domainname to >> match up with the two ro-paloma netblocks in ripe.. >> > > So it's legit? Sounds like the spammer's address to me... Well, 'legit' would imply responsive. We /are/ talking about a little /27 .ro netblock here whose contact has a funky addy -- the persona in game chats sounded kinda funky too. My philosophy about notifies is very different from SC's. If I wanted to contact that IP's provider I would use all of the addies, Potop Mirel AKA hornynews and both of the abuse.net reg'd addies for the ASN Romania Data Systems whois -h whois.abuse.net rdsnet.ro ... abuse@rdsnet.ro contact-tech@rdsnet.ro (for rdsnet.ro) My theory is that the chances of a language barrier or a notify not getting to exactly the place I want are significant, so I try to notify as many logical contacts as possible in that kind of situation. SC tends to want to pinpoint the exactly right one, and then use its experience with keeping track of bounces and routing ng help to pinpoint better for the routing db. My philosophy as an individual who isn't sending millions of notifies a week that a little bit of 'extra' notifying can't hurt. Obviously that can be carried to foolish extremes, but to me there's nothing wrong with the 3 addies we are talking about here. -- Mike Easter kibitzer, not SC admin From dwvbo91q4001 at sneakemail.com Mon Nov 21 23:54:52 2005 From: dwvbo91q4001 at sneakemail.com (Tim P.) Date: Mon Nov 21 23:28:37 2005 Subject: [SpamCop-List] Re: Heads up: Joe Job fools spamcop parser References: <Xns9714C43C36D1Fdwvbo91q4001sneakema@216.154.195.61> <dlrofu$9nq$1@news.spamcop.net> Message-ID: <Xns9715B63F17D61dwvbo91q4001sneakema@216.154.195.61> RW <nobody@spamcop.net> wrote in news:dlrofu$9nq$1@news.spamcop.net: > Tim P. wrote: >> Heads up admins. >> >> A spammer is using a portion of an email's header with a website >> domain embedded in it and it is fooling the parser to report >> spamvertized domains found in it. Following the header field that is >> found within the body of the email is an encoded text field. >> Supposedly the spammer is exploiting the parser to find the wrong >> link and the parser is not searching within the encoded text. Good >> thing I caught this one. >> >> sample is at: >> http://www.spamcop.net/sc?id=z829252701zb63334cd4da22793b7d71ba0ea889d >> 34z >> >> -- >> --- >> Tim P. >> A very satisfied subscriber since 4/2002 > > As others have pointed out, there is a blank line in the header which > signifies the end of the header and the remainder is body. The URL > appears after the linebreak so SC picks it up as body content and > parses it. > > X-Blist-Pattern: 58.0.0.0 - 59.255.255.255 > > Received: from megachild > (lof@chcgil2-ar4-4-34-311-006.chcgil2.dsl-verizon.net [36.89.125.72]) > by www.lofcom.com (8.3.3/8.5.3) with ESMTP id MAA35927; > Sun, 20 Nov 2005 13:01:32 -0500 > > > It is not the spammer doing this. It is something in your SpamPal > doing this as I see a blank line in some of the other spam you > reported where the SpamPal line exists: > > X-SpamCop-Disposition: Blacklist msn.com > X-P2P: SPAM > X-SpamPal: SPAM P2Pplugin BODY > > ----201686557423192 > Content-Type: text/plain; > No, that is exactly how the message got to me. The header below the spampal line is where the body starts. Some spammer sent it precisely like that. It would have been like that without the spampal process. -- Tim P Very content SpamCop Subscriber since 4/2002 From vr at myrealbox.com Mon Nov 21 18:25:55 2005 From: vr at myrealbox.com (Vadim Rapp) Date: Mon Nov 21 23:28:53 2005 Subject: [SpamCop-List] Re: Spam or not? References: <dlsn78$nc8$1@news.spamcop.net> <slrndo3tg7.3ln.nobody@127.0.0.1> Message-ID: <dltoi7$75l$1@news.spamcop.net> SM> The published contact mail X is for people wishing to get hold of SM> company A about *their* (A's) products and services, not so that every SM> spammer and his dog can try and sell A Viagra, Xanax, p3n1s enlargers, SM> fake diplomas, 40 year-old Russian teen sluts and a loan to pay for SM> everything. How about legitimate offers? For example (the real one, that actually triggered my original post), our company participated in an exhibition. Company B then buys the list of contact information from the exhibition organizers, or finds it on the websites of companies-participants, and sends to all of them bulk email offering their service, which is preparation for the next exhibition - "Improve your visibility!" This is not much different from a salesperson trying to get hold of our company executive to offer their services - the only actual difference is telephone instead of email as the medium. When they succeed, I tell them that we charge $250 for a conversation with a salesperson, waived if we accept the offer. I think if they want our time for consideration of their offer, they should buy it; which means that the above email is spam. But this may be too radical, after all, sales force approaching prospective clients hardly could be named unethical; after all, we have our sales too... Vadim Rapp From jgriffitts at spamcop.net Mon Nov 21 17:23:02 2005 From: jgriffitts at spamcop.net (Jonathan Griffitts) Date: Mon Nov 21 23:29:01 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> Message-ID: <nnvScLXmTmgDFABA@griffitts.org> In article <438079C3.250@xyzzy.claranet.de>, Frank Ellermann writes . . . >The obscure bug in RfC 1123 (and later 2821) is 16 years old, >and until about 2002 the whole world believed that it's good >to always try to accept mail, because if it doesn't work out >you can later bounce it. > >The default case used to be good mail with good Return-Paths. >That changed. But folks (postmaters) need some time to adapt, >even SC needed some time, the new reporting policy for bounces >was introduced this year. > >You can't expect that the whole world (of postmasters) jumps >only because one Julian Haight says so. Some system setups >out there _apparently_ worked for years without substantial >changes, some DNSBLs added was good enough to get rid of most >problems. . . . This is exactly what's going on with the case in point (SDF). This operation has been around a long time. The user base are all people who like the traditional Unix shell account, none of this newfangled HTML or GUI stuff. (What can I say! I'm an ASCII kind of guy myself.) Facilities like procmail scripts, vacation autoresponders, etc. have always been part of their available features. I have never seen any suggestion there that there was anything undesirable about those things. There *ARE* effective controls to keep spam from being originated by a user, but nothing about backscatter. I'm trying to start that discussion in an internal SDF forum now. This is the education phase, to make everyone aware that there is a problem. Just for information, the immediate problems between SDF and spamcop seem to be resolved for the moment. The main SDF admin is now apparently communicating with spamcop deputies, and it sounds like they're reaching some kind of useful resolution. I'm not a party to that nor should I be, but my services as "go-between" are no longer needed. Unless I see something official about it at SDF, I *will* continue to rattle cages about autoresponders. -- Jonathan Griffitts AnyWare Engineering Boulder, CO, USA From jeffg at spamcop.net Mon Nov 21 20:26:06 2005 From: jeffg at spamcop.net (Jeff G.) Date: Mon Nov 21 23:29:08 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <437C5F5B.2020201@gmail.com> Message-ID: <dltsm6$908$1@news.spamcop.net> "EA" <edo.amin@gmail.com> wrote in message news:437C5F5B.2020201@gmail.com... > Mike Easter wrote: > >> I will contact Catalog. It could have helped if I had a > >> straightforward statement from Spamcop that reshet.co.il is not on > >> any blocking list. > > > > SpamCop doesn't list anything by domainname. It only lists things by IP > > address. No one conversing here has any clue about any IP address which > > might or might not be listed. > > I fail to see how this relates to any IP at all - in the automatic email > that mentioned Spamcop (from vbmail.vblaw.com) there was no mention of > an IP. That's only because the admin of vbmail.vblaw.com has not done a competent job of documenting exactlywhy a particular email message was blocked. From Kilgallen at SpamCop.net Mon Nov 21 20:13:17 2005 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Mon Nov 21 23:29:17 2005 Subject: [SpamCop-List] Re: Spam or not? References: <dlsn78$nc8$1@news.spamcop.net> <slrndo3tg7.3ln.nobody@127.0.0.1> <dltoi7$75l$1@news.spamcop.net> Message-ID: <6ghY3vGdKXXD@eisner.encompasserve.org> In article <dltoi7$75l$1@news.spamcop.net>, "Vadim Rapp" <vr@myrealbox.com> writes: > SM> The published contact mail X is for people wishing to get hold of > SM> company A about *their* (A's) products and services, not so that every > SM> spammer and his dog can try and sell A Viagra, Xanax, p3n1s enlargers, > SM> fake diplomas, 40 year-old Russian teen sluts and a loan to pay for > SM> everything. > > How about legitimate offers? For example (the real one, that actually > triggered my original post), our company participated in an exhibition. > Company B then buys the list of contact information from the exhibition > organizers, or finds it on the websites of companies-participants, and sends > to all of them bulk email offering their service, which is preparation for > the next exhibition - "Improve your visibility!" Did those participants provide their contact information with the understanding that it would be used for that purposes. > This is not much different from a salesperson trying to get hold of our > company executive to offer their services - the only actual difference is > telephone instead of email as the medium. And that is a _very_ significant difference, since email contact is necessarily at the expense of the recipient. That is why spam is different from telemarketing. > When they succeed, I tell them > that we charge $250 for a conversation with a salesperson, waived if we > accept the offer. I think if they want our time for consideration of their > offer, they should buy it; which means that the above email is spam. But Certainly the email is spam. > this may be too radical, after all, sales force approaching prospective > clients hardly could be named unethical; after all, we have our sales too... Hopefully they do not spam. From jeffg at spamcop.net Mon Nov 21 23:02:10 2005 From: jeffg at spamcop.net (Jeff G.) Date: Mon Nov 21 23:29:34 2005 Subject: [SpamCop-List] Re: Am I blocked? and what's next? References: <dlg7ud$sre$1@news.spamcop.net> <dlgddh$109$1@news.spamcop.net> <437C1E97.4000601@gmail.com> <dlh8bt$gdq$1@news.spamcop.net> <437C5F5B.2020201@gmail.com> <dltsm6$908$1@news.spamcop.net> Message-ID: <dlu61q$jl3$1@news.spamcop.net> "Jeff G." <jeffg@spamcop.net> wrote in message news:dltsm6$908$1@news.spamcop.net... > exactlywhy Sorry, I meant "exactly why". :) -- Best Regards, Jeff G. I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only. From wb8tyw at qsl.network Tue Nov 22 00:11:48 2005 From: wb8tyw at qsl.network (John E. Malmberg) Date: Tue Nov 22 00:15:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net In-Reply-To: <nnvScLXmTmgDFABA@griffitts.org> References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> Message-ID: <dlu9ao$ptj$1@news.spamcop.net> Jonathan Griffitts wrote: > > Facilities like procmail scripts, vacation autoresponders, etc. have > always been part of their available features. I have never seen any > suggestion there that there was anything undesirable about those things. Vacation autoresponders are a criminal's friend. I have seen more than one interview with criminals that stated they use voicemail messages for determining what identities to spoof to steal from companies. One was notoriously successful in getting helpful people to mail confidential documents which where then used for other thefts. > There *ARE* effective controls to keep spam from being originated by a > user, but nothing about backscatter. > I'm trying to start that discussion in an internal SDF forum now. This > is the education phase, to make everyone aware that there is a problem. Consider this, during the one of the recent SOBER worm outbreaks, it forged my e-mail address. I received over 2000 bounce messages, most of them from 2 mail servers in less than 48 hours. At times 2 mail servers were each bouncing 20 worms per second because the worm was going through a dictionary of possible destination addresses. This means that all the users of that mail server were suffering through that attack, as I am sure it was impacting other mail delivery. SPF is not an option because I get my e-mail through a forwarding service which does not provide me with an outgoing SMTP relay for that domain name. So they can not use an SPF record to stop forgeries, and if the mail server that I get my e-mail on were to turn on SPF checks, they would have to exempt e-mail from my forwarding service from those checks. I have seen other reports of mail-servers and domains that have been knocked off the internet because of backscatter of forgeries. The most famous is the case of "test.com" which is a real domain. I have also seen plenty of reports of people losing legitimate and needed e-mail because backscatter from viruses and spam have filled up their mail quotas, and from a dialup connection, they could not delete them fast enough. Anything that is auto-responding to spam or viruses is participating in a Denial of Service attack against the internet. And IIRC, I saw discussions about Spamhaus.org listing systems for backscatter before Spamcop.net changed their policy. From monitoring news.admin.net-abuse.email on occasion, it appears that more than a few mail servers operators will implement local blocks on domains or ip ranges that produce backscatter. It also appears that some mail servers/spam filter systems prefer to just silently delete what they are blocking instead of generating SMTP rejects. So if someone is getting reject messages caused by either a server being compromised or backscatter, chances are good that some of their outgoing e-mail is also being silently deleted. One reason for the silent deletion is that it avoids cartooneys from people complaining about reject messages, because a mail administrator investigating a complaint can quietly whitelist the sender, request a retry, and close the call as not reproducible. -John wb8tyw@qsl.network Personal Opinion Only From nobody at nowhere.invalid Tue Nov 22 11:33:03 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Nov 22 05:35:08 2005 Subject: [SpamCop-List] Re: Spam or not? References: <dlsn78$nc8$1@news.spamcop.net> <slrndo3tg7.3ln.nobody@127.0.0.1> <dltoi7$75l$1@news.spamcop.net> Message-ID: <slrndo5suv.472.nobody@127.0.0.1> On Mon, 21 Nov 2005 18:25:55 -0600, Vadim Rapp coughed into spamcop and left this in <dltoi7$75l$1@news.spamcop.net>: > How about legitimate offers? For example (the real one, that actually > triggered my original post), our company participated in an exhibition. > Company B then buys the list of contact information from the exhibition > organizers, or finds it on the websites of companies-participants, and sends > to all of them bulk email offering their service, which is preparation for > the next exhibition - "Improve your visibility!" I would report it as spam. If I want someone to help "improve my visibility" I'll look for them. -- Steve The box said: "Requires Windows 98/2000/XP/NT, or better." So, I installed LINUX! From skiwi at spamcop.net Tue Nov 22 08:39:23 2005 From: skiwi at spamcop.net (Skiwi) Date: Tue Nov 22 11:40:02 2005 Subject: [SpamCop-List] Upgraded from Mozilla 1.7 to Thunderbird - and now *sometimes*getting "No Source IP" errors Message-ID: <dlvhjv$d26$1@news.spamcop.net> Hello, I have just upgraded from Mozilla 1.7 to Thunderbird - and now *sometimes* getting "No Source IP" errors - both through forwarding and cut&paste I really try hard to report the ones that get to my In Box (as the others are captured at the Spamcop filtering stage), for obvious reasons FOR EXAMPLE: one that gave an error: http://www.spamcop.net/sc?id=z829887346zfb071fa8832c3e18e2ae93ff89e08ea9z one that worked OK: http://www.spamcop.net/sc?id=z829888067z1bb96a0c33c1c0fc9d12d019fee12fedz I have had the smooth cut and paste (or forwarded) from the Mozilla 'source' ('CTRL+U', 'CTRL+A', 'CTRL+C', 'CTRL+W', 'M', ALT+TAB, 'CTRL+V') for so long, it was swwweeeetttiiiieee, and I am spoilt - so can't tell the difference between the headers as to what dies and what doesn't in the parser. Any direction appreciated. TIA! GREG... From MikeE at ster.invalid Tue Nov 22 08:54:51 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 22 11:55:03 2005 Subject: [SpamCop-List] Re: Upgraded from Mozilla 1.7 to Thunderbird - and now *sometimes* getting "No Source IP" errors References: <dlvhjv$d26$1@news.spamcop.net> Message-ID: <dlvign$dfo$1@news.spamcop.net> Skiwi wrote: Subject: Upgraded from Mozilla 1.7 to Thunderbird - and now *sometimes* getting "No Source IP" errors <snip> Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust anything beyond this header </snip> > I have just upgraded from Mozilla 1.7 to Thunderbird - and now > *sometimes* getting "No Source IP" errors - both through forwarding > and cut&paste This problem below isn't related to some effect of the mua on the submission; it is about a mailhost condition. > one that gave an error: www.spamcop.net/sc?id=z829887346zfb071fa8832c3e18e2ae93ff89e08ea9z That is due to mailhost: Here is the same item parsed by a non-mailhost account: http://www.spamcop.net/sc?id=z829892864z9c064144d6ea72b57dfba7acebb7d0fdz Report Spam to: Re: 60.213.91.33 (Administrator of network where email originates) To: security@pub.sd.cninfo.net (Notes) To: ct-abuse@abuse.sprint.net (Notes) To: support@pub.sd.cninfo.net (Notes) To: postmaster@sd.cninfo.net (Notes) To: postmaster#cnc-noc.net@devnull.spamcop.net (Notes) To: abuse@cnc-noc.net (Notes) To: postmaster@pub.sd.cninfo.net (Notes) To: abuse@chinanet.cn.net (Notes) Re: http://effectgrowth.com (Administrator of network hosting website referenced in spam) To: spam@anet.net.tw (Notes) <cancelled> > Any direction appreciated. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Tue Nov 22 18:05:42 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Tue Nov 22 12:10:02 2005 Subject: [SpamCop-List] Re: Upgraded from Mozilla 1.7 to Thunderbird - and now *sometimes* getting "No Source IP" errors References: <dlvhjv$d26$1@news.spamcop.net> Message-ID: <slrndo6jv6.bav.nobody@127.0.0.1> On Tue, 22 Nov 2005 08:39:23 -0800, Skiwi coughed into spamcop and left this in <dlvhjv$d26$1@news.spamcop.net>: > I have just upgraded from Mozilla 1.7 to Thunderbird - and now > *sometimes* getting "No Source IP" errors - both through forwarding and > cut&paste Might have nothing to do with it but I'd lose the first line that starts with "From -" when reporting spam. They're not part of the spam itself, they're added to the mailspool by the local delivery agent running on your mailserver. -- Steve Light travels faster than sound. That is why some people appear bright until you hear them speak. From jg at coks.net Tue Nov 22 09:23:49 2005 From: jg at coks.net (jg) Date: Tue Nov 22 12:25:03 2005 Subject: [SpamCop-List] Re: Upgraded from Mozilla 1.7 to Thunderbird - and now *sometimes* getting "No Source IP" errors In-Reply-To: <dlvhjv$d26$1@news.spamcop.net> References: <dlvhjv$d26$1@news.spamcop.net> Message-ID: <dlvk3e$eh6$1@news.spamcop.net> On 11/22/2005 8:39 AM Skiwi scribbled: > I have had the smooth cut and paste (or forwarded) from the Mozilla > 'source' ('CTRL+U', 'CTRL+A', 'CTRL+C', 'CTRL+W', 'M', ALT+TAB, > 'CTRL+V') for so long, it was swwweeeetttiiiieee, and I am spoilt - so > can't tell the difference between the headers as to what dies and what > doesn't in the parser. > > Any direction appreciated. > > TIA! > GREG... I'd check out Mike's answer re: mailhost. I haven't had /any/ problems using TB 1.06 and haven't run into any such problems as you outline over in the TB ng. TB 1.5 is beta, isn't it? Anyway, I do exactly as you do and all goes well... From MikeE at ster.invalid Tue Nov 22 09:40:21 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 22 12:45:03 2005 Subject: [SpamCop-List] Re: Upgraded from Mozilla 1.7 to Thunderbird - and now *sometimes* getting "No Source IP" errors References: <dlvhjv$d26$1@news.spamcop.net> <slrndo6jv6.bav.nobody@127.0.0.1> Message-ID: <dlvl61$f5a$1@news.spamcop.net> Steven Maesslein wrote: > Might have nothing to do with it but I'd lose the first line that > starts with "From -" when reporting spam. They're not part of the > spam itself, they're added to the mailspool by the local delivery > agent running on your mailserver. I jumped on that noncompliant line in the past when troubleshooting a parse problem, but apparently Julian has the parser configured to lose/ignore it. -- Mike Easter kibitzer, not SC admin From zamowienia3 at o2.pl Tue Nov 22 22:03:55 2005 From: zamowienia3 at o2.pl (SPG) Date: Tue Nov 22 16:05:03 2005 Subject: [SpamCop-List] spamcop easily fooled, no source ip Message-ID: <dm013i$lc6$1@news.spamcop.net> Looks spamers learned how to fool spamcop. This is third spam I got today which can not be reported with spamcop: http://www.spamcop.net/sc?id=z829966353z2161dad4300e4e643e1cd936e3fa439dz Several months ago I pointed that spamcop should only process IP adresses in square brackets. But looks it want to get fooled by simple junk placed before real ones. Like in this case where real IP can be easily found: [66.69.49.123]. Is this so real hard to make spamcop aware fo IPs in square brackets only??? have nice day, zbiggy From majg12uk at SPAMBLOCKERyahoo.co.uk Tue Nov 22 21:17:22 2005 From: majg12uk at SPAMBLOCKERyahoo.co.uk (Mark Jones) Date: Tue Nov 22 16:20:02 2005 Subject: [SpamCop-List] Bounce error Message-ID: <dm01t1$lqo$1@news.spamcop.net> For the second time in two days I logged into my Spamcop reporting account and received the message "Bounce error. Your email address, majg12uk@yahoo.co.uk has returned a bounce: Subject: Delivery Status Notification (Failure) Reason: 5.4.7 - Delivery expired (message too old) [Default] 451-'mta121.mail.ukl.yahoo.com Resources temporarily unavailable. Please try again later. UP Email not accepted for policy reasons. Please visit http://help.yahoo.com/help/us/mail/defer/defer-04.html [#4.16.4:190].' Please ensure your email account is reliable, then click below: " The link at Yahoo! above mentions that certain emails are being blocked by Yahoo! if they contain phishing/fraud attempts or viruses. As auto-responses from ISPs often contain the original reported spam/phish these are sent back to my Yahoo! address this is most probably the cause of the bounce error. Is there any way this can be worked around? I don't want to click on the problem resolved button until it has been resolved but until then I can't report any more spam. Perhaps Spamcop can contact Yahoo! to stop this from happening using the "Contact us" link at the bottom of the Yahoo! page above as the form seems to designed for this purpose (unblocking mail senders from their anti-phishing/virus filters). Otherwise I will need to no longer use Spamcop to report phishing emails or open another Spamcop account with a non-Yahoo! email address and neither are preferable at the moment. Thanks a lot. -- Mark From jgriffitts at spamcop.net Tue Nov 22 14:21:24 2005 From: jgriffitts at spamcop.net (Jonathan Griffitts) Date: Tue Nov 22 16:25:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> <dlu9ao$ptj$1@news.spamcop.net> Message-ID: <8cTkSUBUv4gDFAgr@griffitts.org> In article <dlu9ao$ptj$1@news.spamcop.net>, John E. Malmberg writes . . . >Vacation autoresponders are a criminal's friend. I'm well aware of this, along with the classic answering machine message that says "I'm out of town for 2 weeks" which is so handy for burglars to know. . . . >Consider this, during the one of the recent SOBER worm outbreaks, it >forged my e-mail address. > >I received over 2000 bounce messages, most of them from 2 mail servers >in less than 48 hours. At times 2 mail servers were each bouncing 20 >worms per second because the worm was going through a dictionary of >possible destination addresses. For what it's worth, the BSD Unix "vacation" script, as available on SDF, keeps track of who it has sent responses to and will only send one copy to each email address. That helps prevent this sort of scenario, or the full denial of service scenarios you mentioned later in your note. (Don't misinterpret this, I'm am definitely NOT advocating use of "vacation"). There may be people on SDF who have used procmail to set up their own autoresponder of some kind. In that case, all bets are off. I'm working on trying to start the discussion about autoresponders in general, but it has just been a monologue from me so far. Beyond the SDF issue, I believe that MS Outlook supports some kind of "vacation" responder that is NOT that smart. I don't know for sure because I have never used Outlook. I have seen repeated "out of the office" autoresponses on the same day for business correspondence, and I think they came from Outlook. Also I see that sort of backscatter to mailing lists I subscribe to. . . . >SPF is not an option because I get my e-mail through a forwarding >service which does not provide me with an outgoing SMTP relay for that >domain name. I have the same problem with SPF. My primary email domain is used by many people who are all highly mobile with forwarding in all directions, and SPF is not an option until the forwarding issue is fixed. We just have the SPF record set to "?all" (unknown) at this point. -- Jonathan Griffitts AnyWare Engineering Boulder, CO, USA From MikeE at ster.invalid Tue Nov 22 13:23:38 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 22 16:25:14 2005 Subject: [SpamCop-List] Re: spamcop easily fooled, no source ip References: <dm013i$lc6$1@news.spamcop.net> Message-ID: <dm028l$m41$1@news.spamcop.net> SPG wrote: > Looks spamers learned how to fool spamcop. Not in this case. > This is third spam I got today which can not be reported with spamcop: www.spamcop.net/sc?id=z829966353z2161dad4300e4e643e1cd936e3fa439dz "Possible forgery. Supposed receiving system not associated with any of your mailhosts" There's a problem with your mailhost config. > Several months ago I pointed that spamcop should only process IP > adresses in square brackets. The parser is pretty smart about managing all different kinds of From: fields. Here is that spam parsed by a non-mailhosted account http://www.spamcop.net/sc?id=z829975824z3240ff29682109e9a3bada5166f1a6d6z Report Spam to: Re: 66.69.49.123 (Administrator of network where email originates) To: abuse@rr.com (Notes) Resolving link obfuscation http://de.geocities.com/codi52069stinky37037/ <cancelled> -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Nov 22 13:36:55 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 22 16:40:03 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> Message-ID: <dm031i$mjk$1@news.spamcop.net> Mark Jones wrote: > For the second time in two days I logged into my Spamcop reporting > account and received the message > > "Bounce error. Your email address, majg12uk@yahoo.co.uk has returned a > bounce: Subject: Delivery Status Notification (Failure) I still think you might be misinterpreting this problem. You think that when you report a phish that the reported is going to be replying to the reportid by sending a copy of the phish to the SCreportid address, and then SC is going to be sending you that item to your yahoo and then the yahoo is going to bounce it based on its phishiness. I think you should be looking at the item whose Subject is Delivery Status Notification (Failure) and see what it is that has received a 'hard bounce'. That hard bounce is a rejection. That means that whatever was the sender, such as the spamcop system forwarding or sending to you a reply from a reported, would be getting that rejection. Further; I don't think it at all likely that a phish reported would reply with a copy of the phish or even the phish's headers. I think there are some kind of possibilities that you haven't considered. It would be extremely useful to find out what has bounced. Why don't you email the deputies and see if you can find out what is bouncing. Or, if the headers of what is bouncing are attached to the yahoo notification, you can figure out a lot from the headers. I think it is entirely possible that the Subject of the item that is bouncing is Delivery Status Notification (Failure) -- rather than the DSN referring to the message itself. -- Mike Easter kibitzer, not SC admin From g.hyde at bigpond.net.au Wed Nov 23 08:06:11 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Tue Nov 22 17:10:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> <dlu9ao$ptj$1@news.spamcop.net> <8cTkSUBUv4gDFAgr@griffitts.org> Message-ID: <dm04sk$nn6$1@news.spamcop.net> "Jonathan Griffitts" <jgriffitts@spamcop.net> wrote in message news:8cTkSUBUv4gDFAgr@griffitts.org... > In article <dlu9ao$ptj$1@news.spamcop.net>, John E. Malmberg writes > . . . >>Vacation autoresponders are a criminal's friend. > > I'm well aware of this, along with the classic answering machine message > that says "I'm out of town for 2 weeks" which is so handy for burglars > to know. On a side-track, does anyone know of some useful answering machine messages that do not reveal whether you're in or out during the holidays? I'm guessing this wouldn't fool the thief for long, with most of them finding targets by recon. Perhaps it would slow them down though. Cheers ... Geoffrey Hyde From majg12uk at SPAMBLOCKERyahoo.co.uk Tue Nov 22 22:14:56 2005 From: majg12uk at SPAMBLOCKERyahoo.co.uk (Mark Jones) Date: Tue Nov 22 17:15:03 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm031i$mjk$1@news.spamcop.net> Message-ID: <dm058u$nvq$1@news.spamcop.net> Mike Easter wrote: > Mark Jones wrote: >> For the second time in two days I logged into my Spamcop reporting >> account and received the message >> >> "Bounce error. Your email address, majg12uk@yahoo.co.uk has returned a >> bounce: Subject: Delivery Status Notification (Failure) > > I still think you might be misinterpreting this problem. I don't dismiss the possibilty... > You think that when you report a phish that the reported is going to be > replying to the reportid by sending a copy of the phish to the > SCreportid address, and then SC is going to be sending you that item to > your yahoo and then the yahoo is going to bounce it based on its > phishiness. ...but I think in this case with respect you might be misinterpreting my explanation of the problem. I do not believe that the reported phisher is responding to the report. It is the ISP auto-responding to the report which is re-directed to me via Spamcop. I am quite sure that it is this auto-response that is causing the bounce as many such auto-responses are stored in my email account of which many contain the original reported email. Those of which are phishy will likely have tripped the filters on their way in and bounced back to Spamcop. These anti-phish filters appear to be a new thing at Yahoo. > I think you should be looking at the item whose Subject is Delivery > Status Notification (Failure) and see what it is that has received a > 'hard bounce'. > I think there are some kind of possibilities that you haven't > considered. It would be extremely useful to find out what has bounced. I don't have access to the bounce reports as they are being bounced from Yahoo to Spamcop. > Why don't you email the deputies and see if you can find out what is > bouncing. Or, if the headers of what is bouncing are attached to the > yahoo notification, you can figure out a lot from the headers. The notification is not from Yahoo - it is a Spamcop notification that I receive when I log in to Spamcop and the only info the system provides is that which I quoted in my OP. I will email the deputies as you suggest but if any Spamcop admins read this in the forum please still feel free to respond here as I will come back regularly over the next few days. Thanks -- Mark From MikeE at ster.invalid Tue Nov 22 14:36:30 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 22 17:40:03 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm031i$mjk$1@news.spamcop.net> <dm058u$nvq$1@news.spamcop.net> Message-ID: <dm06h9$olr$1@news.spamcop.net> Mark Jones wrote: > Mike Easter wrote: >> I still think you might be misinterpreting this problem. > > I don't dismiss the possibilty... > >> You think that when you report a phish that the reported is going to By which 'reported' above I meant the provider to whom the phish is reported. I use the term 'reported' to mean 'reported to'. >> be replying to the reportid by sending a copy of the phish to the >> SCreportid address, and then SC is going to be sending you that item >> to your yahoo and then the yahoo is going to bounce it based on its >> phishiness. > > ...but I think in this case with respect you might be misinterpreting > my explanation of the problem. I don't think so, but I'm going to follow you again very closely. > I do not believe that the reported > phisher is responding to the report. Your report is notifying the provider for the source and the provider for the spamvertised phish url. Those are the reported (to)/s and that report is going to provide an address for the reportedto/s to reply, namely the reportid address. > It is the ISP auto-responding to > the report which is re-directed to me via Spamcop. Correct. We are on the same page. > I am quite sure > that it is this auto-response that is causing the bounce as many such > auto-responses are stored in my email account of which many contain > the original reported email. I just reviewed the report process -- which apparently you have configured for your system differently than I have for mine. I have my Preferences configured in the Report Handling Options in the 6th section "Report reply handling" to only forward replies from 'sentient' people. As a consequence of that configuration, I don't receive dumb 'autoacks' where an autoack is an automatically generated acknowlegement of the receipt of a mail. Generally autoacks are completely worthless, which is why SC allows you to configure to not get them. Now that I have reviewed that, I can see that an autoack to the original report which contains a copy of the 'offending message' would similarly contain the offending message. That offending message would trip the yahoo gizmo to bounce the mail. > Those of which are phishy will likely > have tripped the filters on their way in and bounced back to Spamcop. > These anti-phish filters appear to be a new thing at Yahoo. Far be it from me to tell someone else how to configure their Preferences, but if you would choose to only get replies from sentient beings you wouldn't be having this little bounce problem which would be being caused by useless autoacks to the offending message. Just what kind of autoack to that would you like to be 'reading' anyway? -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Nov 22 14:55:00 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 22 17:55:04 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm031i$mjk$1@news.spamcop.net> <dm058u$nvq$1@news.spamcop.net> Message-ID: <dm07jv$p9b$1@news.spamcop.net> Mark Jones wrote: >>> "Bounce error. Your email address, majg12uk@yahoo.co.uk has >>> returned a bounce: Subject: Delivery Status Notification (Failure) I get this now, long winded version in the other post. >> Why don't you email the deputies and see if you can find out what is >> bouncing. If you are configured to get autoacks, and yahoo is configured to bounce the 'internal' phishes which compose the 'offending message' of the report, that is what the deputy is going to see. > I will email the deputies as you suggest I think I would change my suggestion now that I am 'hearing' [understanding] you are getting all autoacks. I would suggest you configure your preferences for sentient replies only. -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Tue Nov 22 19:14:02 2005 From: nobody at spamcop.net (Ellen) Date: Tue Nov 22 19:20:04 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> Message-ID: <dm0cge$s7e$1@news.spamcop.net> "Mark Jones" <majg12uk@SPAMBLOCKERyahoo.co.uk> wrote in message news:dm01t1$lqo$1@news.spamcop.net... > For the second time in two days I logged into my Spamcop reporting account > and received the message > > "Bounce error. Your email address, majg12uk@yahoo.co.uk has returned a > bounce: Subject: Delivery Status Notification (Failure) Reason: 5.4.7 - > Delivery expired (message too old) [Default] 451-'mta121.mail.ukl.yahoo.com > Resources temporarily unavailable. Please try again later. UP Email not > accepted for policy reasons. Please visit > http://help.yahoo.com/help/us/mail/defer/defer-04.html [#4.16.4:190].' > Please ensure your email account is reliable, then click below: " > The email being bounced is the message from SC saying it is ready to process your spam and containing the links to click to process the spams. I have no idea why yahoo gets that message hung up in it's filters. As far as I can remember, not having processed spams via email in a while, the original spams are not included in that email. I think their filters are strange. In any case, I think the simplest thing to do would be to log into the reporting website, click preferences in the navbar and change the email address that the system is going to send the responses to. Then click the button that resets the bounces. We are also writing to yahoo but I have no idea how long it will take for them to make a change or indeed if they will. Ellen SpamCop From majg12uk at SPAMBLOCKERyahoo.co.uk Wed Nov 23 00:40:09 2005 From: majg12uk at SPAMBLOCKERyahoo.co.uk (Mark Jones) Date: Tue Nov 22 19:45:03 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm031i$mjk$1@news.spamcop.net> <dm058u$nvq$1@news.spamcop.net> <dm06h9$olr$1@news.spamcop.net> Message-ID: <dm0dp8$sv0$1@news.spamcop.net> Mike Easter wrote: > Mark Jones wrote: >> Mike Easter wrote: > By which 'reported' above I meant the provider to whom the phish is > reported. I use the term 'reported' to mean 'reported to'. Ah. I interpreted 'reported' as 'the one who was reported' i.e. spammer. Maybe 'reportee' is the right term? > I just reviewed the report process -- which apparently you have > configured for your system differently than I have for mine. > > I have my Preferences configured in the Report Handling Options in the > 6th section "Report reply handling" to only forward replies from > 'sentient' people. As a consequence of that configuration, I don't > receive dumb 'autoacks' where an autoack is an automatically generated > acknowlegement of the receipt of a mail. Generally autoacks are > completely worthless, which is why SC allows you to configure to not get > them. Yes that explains why we had a misunderstanding. > Far be it from me to tell someone else how to configure their > Preferences, but if you would choose to only get replies from sentient > beings you wouldn't be having this little bounce problem which would be > being caused by useless autoacks to the offending message. Just what > kind of autoack to that would you like to be 'reading' anyway? Not at all... your advice is sensible and appreciated and I'm not sure why I didn't think of that myself. I vaguely recall reading about the facility to configure auto-responses that way but it slipped my mind. I will do what you suggest in order to continue reporting. I still see this as a stop-gap solution, though, and hope Spamcop Admin can contact Yahoo to add Spamcop to their white-list (Spamcop are hardly likely to launch a phishing attack) but they may have reason to refuse that I am not aware. As to why I receive these reports, I elected that when I started using Spamcop as I was curious to see how different ISPs respond to the reports but it's old news now so I will turn it off. It would be useful to have the option to use it, though. Thanks. -- Mark From porpoise1954 at yahoo.co.uk Wed Nov 23 00:51:25 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Nov 22 19:55:03 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> <dlu9ao$ptj$1@news.spamcop.net> <8cTkSUBUv4gDFAgr@griffitts.org> <dm04sk$nn6$1@news.spamcop.net> Message-ID: <dm0efc$tac$1@news.spamcop.net> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message news:dm04sk$nn6$1@news.spamcop.net... > > "Jonathan Griffitts" <jgriffitts@spamcop.net> wrote in message > news:8cTkSUBUv4gDFAgr@griffitts.org... >> In article <dlu9ao$ptj$1@news.spamcop.net>, John E. Malmberg writes >> . . . >>>Vacation autoresponders are a criminal's friend. >> >> I'm well aware of this, along with the classic answering machine message >> that says "I'm out of town for 2 weeks" which is so handy for burglars >> to know. > > On a side-track, does anyone know of some useful answering machine > messages that do not reveal whether you're in or out during the holidays? > "I'm sorry, I can't come to the phone right now but please leave a message and I'll get back to you." From porpoise1954 at yahoo.co.uk Wed Nov 23 00:56:19 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Nov 22 20:00:02 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> <dlu9ao$ptj$1@news.spamcop.net> <8cTkSUBUv4gDFAgr@griffitts.org> <dm04sk$nn6$1@news.spamcop.net> <dm0efc$tac$1@news.spamcop.net> Message-ID: <dm0eoi$te4$1@news.spamcop.net> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in message news:dm0efc$tac$1@news.spamcop.net... > > "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message > news:dm04sk$nn6$1@news.spamcop.net... >> >> "Jonathan Griffitts" <jgriffitts@spamcop.net> wrote in message >> news:8cTkSUBUv4gDFAgr@griffitts.org... >>> In article <dlu9ao$ptj$1@news.spamcop.net>, John E. Malmberg writes >>> . . . >>>>Vacation autoresponders are a criminal's friend. >>> >>> I'm well aware of this, along with the classic answering machine message >>> that says "I'm out of town for 2 weeks" which is so handy for burglars >>> to know. >> >> On a side-track, does anyone know of some useful answering machine >> messages that do not reveal whether you're in or out during the holidays? >> > > > "I'm sorry, I can't come to the phone right now but please leave a message > and I'll get back to you." If you have another phone/mobile, you could also say; "Alternatively, if it's urgent, you can contact me via................." From majg12uk at SPAMBLOCKERyahoo.co.uk Wed Nov 23 01:06:42 2005 From: majg12uk at SPAMBLOCKERyahoo.co.uk (Mark Jones) Date: Tue Nov 22 20:10:03 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> Message-ID: <dm0fb0$trm$1@news.spamcop.net> Ellen wrote: > The email being bounced is the message from SC saying it is ready to > process your spam and containing the links to click to process the spams. I don't wish to question your conclusion as you probably have access to Spamcop data and the hard facts but Mike Easter and myself earlier in the thread thought we had worked out what the problem was... > I have no idea why yahoo gets that message hung up in it's filters. As far > as I can remember, not having processed spams via email in a while, the > original spams are not included in that email. I think their filters are > strange. If it isn't the ISP auto-responses tripping the filters but the Spamcop 'ready to process' emails from Spamcop then that is very weird as there is nothing in the Spamcop 'ready to process' emails that would in any way constitute a phish or spam! That would mean, I guess, these emails bouncing for every Spamcop user who uses a Yahoo account to report. > In any case, I think the simplest thing to do would be to log into the > reporting website, click preferences in the navbar and change the email > address that the system is going to send the responses to. I'm going to follow Mike Easter's suggestion now and switch 'Report reply handling' to 'Forward only replies from sentient people' and see if that stops the bounces. Then I will report another spam as soon as I get one and see if the 'ready to process' email causes the bounce. That way we can be sure which is causing it. > We are also writing to yahoo but I have no idea how long it will take for > them to make a change or indeed if they will. Hope they do. If they don't, let us know and I'll kick up a stink as a customer! :-) I will post a reply to my earlier email to Yahoo also (if I ever get one). Thanks -- Mark From MikeE at ster.invalid Tue Nov 22 17:23:19 2005 From: MikeE at ster.invalid (Mike Easter) Date: Tue Nov 22 20:25:03 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> Message-ID: <dm0ga1$uih$1@news.spamcop.net> Mark Jones wrote: > Ellen wrote: > >> The email being bounced is the message from SC saying it is ready to >> process your spam and containing the links to click to process the >> spams. > > I don't wish to question your conclusion as you probably have access > to Spamcop data and the hard facts but Mike Easter and myself earlier > in the thread thought we had worked out what the problem was... You and Mike Easter have a theory or opinion. Ellen has the absolute facts >> I have no idea why yahoo gets that message hung up in it's filters. >> As far as I can remember, not having processed spams via email in a >> while, the original spams are not included in that email. I think >> their filters are strange. Ellen is saying she is looking at a bounce of a ready to process. That is /no good/ from an email submission point of view -- regardless of whatever else yahoo might bounce including autoacks of reports, you have a problem if yahoo is going to bounce some or all of your ready to process mail. > If it isn't the ISP auto-responses tripping the filters but the > Spamcop 'ready to process' emails from Spamcop then that is very > weird as there is nothing in the Spamcop 'ready to process' emails > that would in any way constitute a phish or spam! You are correct -- that is very weird -- but heed what Ellen is saying. She isn't known to be delusional. > That would mean, I > guess, these emails bouncing for every Spamcop user who uses a Yahoo > account to report. So far we are talking about one account that Ellen has peeked into. A swallow does not a summer make. If it is a harbinger, then you are the first swallow of the summer. >> In any case, I think the simplest thing to do would be to log into >> the reporting website, click preferences in the navbar and change >> the email address that the system is going to send the responses to. That sounds like some good advice to follow if you have another account want your reports to work while this is getting worked out. > I'm going to follow Mike Easter's suggestion now and switch 'Report > reply handling' to 'Forward only replies from sentient people' and > see if that stops the bounces. I think that's a good idea to do whatevber else you do. -- Mike Easter kibitzer, not SC admin From majg12uk at SPAMBLOCKERyahoo.co.uk Wed Nov 23 01:25:35 2005 From: majg12uk at SPAMBLOCKERyahoo.co.uk (Mark Jones) Date: Tue Nov 22 20:30:03 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> Message-ID: <dm0ged$ulq$1@news.spamcop.net> I just received my next spam which was dutifully reported to Spamcop (coincidentally it was also a phish which was helpful). http://www.spamcop.net/sc?id=z830038162zea9d91cbf2375e4d487034305c8b24f4z Before reporting this I switched the 'Report reply handling' to 'Forward only replies from sentient people' as suggested my Mike Easter. The 'ready to process' email came through okay to my email account so that is not bouncing. I have had no problems with bounce errors at the Spamcop website either. So it appears that it is the ISP's auto-response that is triggering the filter-blocking. I note, though, that the original phishing email did not bounce when it first came to my Yahoo account - it was only filtered to my bulk email folder - so I am not sure exactly what criteria their filters are using to reject phishing emails. Hope that helps. -- Mark From majg12uk at SPAMBLOCKERyahoo.co.uk Wed Nov 23 01:31:07 2005 From: majg12uk at SPAMBLOCKERyahoo.co.uk (Mark Jones) Date: Tue Nov 22 20:35:03 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> <dm0ga1$uih$1@news.spamcop.net> Message-ID: <dm0gop$ulq$2@news.spamcop.net> Mike Easter wrote: > You are correct -- that is very weird -- but heed what Ellen is saying. > She isn't known to be delusional. I wouldn't ever suggest that and hope my posts are not being misinterpreted that way. -- Mark From majg12uk at SPAMBLOCKERyahoo.co.uk Wed Nov 23 01:37:18 2005 From: majg12uk at SPAMBLOCKERyahoo.co.uk (Mark Jones) Date: Tue Nov 22 20:40:02 2005 Subject: [SpamCop-List] Re: Bounce error References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> <dm0ga1$uih$1@news.spamcop.net> Message-ID: <dm0h4c$ulq$3@news.spamcop.net> Mike Easter wrote: >Ellen is saying she is looking at a bounce of a ready to process. I thought that might be the case but didn't want to assume. > You are correct -- that is very weird -- but heed what Ellen is saying. > She isn't known to be delusional. I wouldn't ever suggest that and hope my posts are not being misinterpreted that way. Thanks. -- Mark From nobody at devnull.spamcop.net Wed Nov 23 12:45:32 2005 From: nobody at devnull.spamcop.net (Patto) Date: Tue Nov 22 22:50:02 2005 Subject: [SpamCop-List] Again: 401 - Authorization Required Message-ID: <dm0okt$2s9$1@news.spamcop.net> I was able to report 2 spam this morning, then I got a '401 - Authorization Required' error, and then no more response after that. From nobody at devnull.spamcop.net Tue Nov 22 22:25:02 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Tue Nov 22 23:30:03 2005 Subject: [SpamCop-List] Re: Again: 401 - Authorization Required References: <dm0okt$2s9$1@news.spamcop.net> Message-ID: <dm0qv1$485$1@news.spamcop.net> "Patto" <nobody@devnull.spamcop.net> wrote in message news:dm0okt$2s9$1@news.spamcop.net... > I was able to report 2 spam this morning, then I got a '401 - > Authorization Required' error, and then no more response after that. http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats A bit of discussion in the Announcements section there, also dealing with a previous thread in this newsgroup ... http://forum.spamcop.net/forums/index.php?showtopic=5288 From nobody at devnull.spamcop.net Wed Nov 23 14:06:12 2005 From: nobody at devnull.spamcop.net (Patto) Date: Wed Nov 23 00:10:03 2005 Subject: [SpamCop-List] Re: Again: 401 - Authorization Required In-Reply-To: <dm0qv1$485$1@news.spamcop.net> References: <dm0okt$2s9$1@news.spamcop.net> <dm0qv1$485$1@news.spamcop.net> Message-ID: <dm0tc5$5dv$1@news.spamcop.net> WazoO wrote: > "Patto" <nobody@devnull.spamcop.net> wrote in message > news:dm0okt$2s9$1@news.spamcop.net... >> I was able to report 2 spam this morning, then I got a '401 - >> Authorization Required' error, and then no more response after that. > > http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats > > A bit of discussion in the Announcements section there, also > dealing with a previous thread in this newsgroup ... > http://forum.spamcop.net/forums/index.php?showtopic=5288 Thanks; it's already back up and working fine. From someone at microsoft.com Wed Nov 23 00:14:45 2005 From: someone at microsoft.com (Marc) Date: Wed Nov 23 00:15:02 2005 Subject: [SpamCop-List] mysterious email from bluebottle.com Message-ID: <dm0ts8$5pn$1@news.spamcop.net> Bluebottle.com itself does not appear to be particularly spammy, they provide an email service that includes an email address verification system so you only get emails from known senders. Anyone ever heard of them? http://www.bluebottle.com I get an email with the simple message "hi, ive a new mail address". No name, no nothing. There is a link to click on that brings you back to bluebottle and a little code attached to the end of the URL that I assume identifies the message and sender for verification. The message indeed traces back to the bona fide bluebottle.com site. Anyone seen this type of message? I suspect it is some type of spam. Maybe it is simply a way to confirm my email address is active. Otherwise it makes no sense, a spammer doesn't need to verify that I am real. Maybe it is a kind of sleight of hand advertising by bluebottle itself? My other reason for being suspicious is that bluebottle is hosted by xo.com. There's a red flag. But a red flag for what? From someone at microsoft.com Wed Nov 23 00:20:49 2005 From: someone at microsoft.com (Marc) Date: Wed Nov 23 00:25:02 2005 Subject: [SpamCop-List] Re: Fresh phish! GET YOUR FRESH PHISH HERE!! ;) References: <dlcin0$rvs$1@news.spamcop.net> Message-ID: <dm0u7k$63e$1@news.spamcop.net> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message news:dlcin0$rvs$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z827214886z055a7b061fcca524bef2f0d070ef0197z > > It would appear someone is still interested in some variant on the > Nigerian bank phish scam, where they leave some poor sap holding the > unfortunate result of money disappearing from their bank account. > > > Cheers ... > > Geoffrey Hyde I think it is a money order scam, not strictly speaking a nigeria 419 scam. Some bogus company in China sends you counterfeit postal money orders for as part of a "complicated international transcation involving high money matters", and you return a real money order to MACPHIL corp, minus your 10% cut. The post office may or may not recognize right away that the money order you have received is bad. From bar_n0ne at hotmail.com Wed Nov 23 09:25:03 2005 From: bar_n0ne at hotmail.com (Berny) Date: Wed Nov 23 00:30:02 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> <dlu9ao$ptj$1@news.spamcop.net> <8cTkSUBUv4gDFAgr@griffitts.org> <dm04sk$nn6$1@news.spamcop.net> <dm0efc$tac$1@news.spamcop.net> Message-ID: <dm0ufh$655$1@news.spamcop.net> "Porpoise" <porpoise1954@yahoo.co.uk> wrote in message news:dm0efc$tac$1@news.spamcop.net... > > "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message > news:dm04sk$nn6$1@news.spamcop.net... > > > > "Jonathan Griffitts" <jgriffitts@spamcop.net> wrote in message SNIP > > On a side-track, does anyone know of some useful answering machine > > messages that do not reveal whether you're in or out during the holidays? > > > > > "I'm sorry, I can't come to the phone right now but please leave a message > and I'll get back to you." "Hello, we are screening our calls and if we want to speak with you, we'll call you back." And then there is the one from Cheech and Chong, To a loud Background of Party Music: "Hello.......................Hello.......... " you can guess the rest. From nobody at devnull.spamcop.net Tue Nov 22 23:31:21 2005 From: nobody at devnull.spamcop.net (WazoO) Date: Wed Nov 23 00:35:03 2005 Subject: [SpamCop-List] Re: Again: 401 - Authorization Required References: <dm0okt$2s9$1@news.spamcop.net> <dm0qv1$485$1@news.spamcop.net> <dm0tc5$5dv$1@news.spamcop.net> Message-ID: <dm0urf$6fu$1@news.spamcop.net> "Patto" <nobody@devnull.spamcop.net> wrote in message news:dm0tc5$5dv$1@news.spamcop.net... > WazoO wrote: > > "Patto" <nobody@devnull.spamcop.net> wrote in message > > news:dm0okt$2s9$1@news.spamcop.net... > >> I was able to report 2 spam this morning, then I got a '401 - > >> Authorization Required' error, and then no more response after that. > > > > http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats > > > > A bit of discussion in the Announcements section there, also > > dealing with a previous thread in this newsgroup ... > > http://forum.spamcop.net/forums/index.php?showtopic=5288 > > Thanks; it's already back up and working fine. Yes, Forum users already knew that also <g> From nobody at devnull.spamcop.net Wed Nov 23 06:28:57 2005 From: nobody at devnull.spamcop.net (Miss Betsy) Date: Wed Nov 23 06:30:08 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> <dlu9ao$ptj$1@news.spamcop.net> <8cTkSUBUv4gDFAgr@griffitts.org> <dm04sk$nn6$1@news.spamcop.net> Message-ID: <dm1jo3$ngv$1@news.spamcop.net> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message news:dm04sk$nn6$1@news.spamcop.net... > > "Jonathan Griffitts" <jgriffitts@spamcop.net> wrote in message > news:8cTkSUBUv4gDFAgr@griffitts.org... > > In article <dlu9ao$ptj$1@news.spamcop.net>, John E. Malmberg writes > > . . . > >>Vacation autoresponders are a criminal's friend. > > > > I'm well aware of this, along with the classic answering machine message > > that says "I'm out of town for 2 weeks" which is so handy for burglars > > to know. > > On a side-track, does anyone know of some useful answering machine messages > that do not reveal whether you're in or out during the holidays? "This is xxx.xxxx. Please leave a message and we will return your call." - That is my standard message. On our answering machine, we can access it from wherever we are and delete messages. That prevents the telltale long wait for a beep. Miss Betsy From nobody at spamcop.net Wed Nov 23 06:32:11 2005 From: nobody at spamcop.net (Ellen) Date: Wed Nov 23 07:50:03 2005 Subject: [SpamCop-List] Re: Bounce error (long) References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> <dm0ged$ulq$1@news.spamcop.net> Message-ID: <dm1odd$q03$1@news.spamcop.net> "Mark Jones" <majg12uk@SPAMBLOCKERyahoo.co.uk> wrote in message news:dm0ged$ulq$1@news.spamcop.net... > I just received my next spam which was dutifully reported to Spamcop > (coincidentally it was also a phish which was helpful). > > http://www.spamcop.net/sc?id=z830038162zea9d91cbf2375e4d487034305c8b24f4z > > Before reporting this I switched the 'Report reply handling' to 'Forward > only replies from sentient people' as suggested my Mike Easter. > 1) I am looking at the bounces in *your* account on the system. There is a bounce from 11/21/05 and another from 11/22/05. They are functionally the same. Neither has anything to do with phishes or responses from sentient beings or ISP autoresponses. 2) Your address is at yahoo.uk -- they may be running their own filters and mailservers. They may have foo'ed one up. 3) The mail being bounced has nothing to do with phishes -- they just send you to their general webpage explanation which they set up to cover the most common situations. I have pasted the bounce in it's entirety below (warning to the disinterested -- delete this now :-) I have attempted to mung your email address as well as other sensitive material such as your secret code. Aside to Mike E -- yeah there are times when I am delusional and this could be one of them -- esp if the stupid frozen hard as a rock turkey doesn't make major strides in becoming defrosted today in which case we will be at your front door for dinner tomorrow, but I digress ... Random afterthought -- I wonder if it was the devnull in the from -- every so often some admin decides to filter on from: nobody@ and/or devnull altho it has been quite a while since I have seen that ... Ellen SpamCop 11/21/2005 10:30:36 AM -0500 delete note First bounce received: Return-Path: <MAILER-DAEMON@sc-app5.soma.ironport.com> Received: from vmx1.spamcop.net (vmx1.spamcop.net [204.15.82.27]) by sc-app5.soma.ironport.com (Postfix) with ESMTP id D16542F8F1 for <spamid.x@bounces.spamcop.net>; Mon, 21 Nov 2005 07:28:36 -0800 (PST) Received: from unknown (0.0.0.0) by vmx1.spamcop.net with ; 21 Nov 2005 07:28:36 -0800 Date: 21 Nov 2005 07:28:36 -0800 To: spamid.x@bounces.spamcop.net From: Mail Delivery System <MAILER-DAEMON@vmx1.spamcop.net> Subject: Delivery Status Notification (Failure) MIME-Version: 1.0 Content-Type: multipart/report; report-type=delivery-status; boundary="18493695326147100.vmx1.spamcop.net" Message-Id: <20051121152836.D16542F8F1@sc-app5.soma.ironport.com> --18493695326147100.vmx1.spamcop.net content-type: text/plain The following message to <your registered SC email address> was undeliverable. The reason for the problem: 5.4.7 - Delivery expired (message too old) [Default] 451-'mta121.mail.ukl.yahoo.com Resources temporarily unavailable. Please try again later. UP Email not accepted for policy reasons. Please visit http://help.yahoo.com/help/ us/mail/defer/defer-04.html [#4.16.4:190].' --18493695326147100.vmx1.spamcop.net content-type: message/delivery-status Final-Recipient: rfc822;your registered SC email address Action: failed Status: 5.0.0 (permanent failure) Diagnostic-Code: smtp; 5.4.7 - Delivery expired (message too old) [Default] 451-'mta121.mail.ukl.yahoo.com Resources temporarily unavailable. Please try again later. UP Email not accepted for policy reasons. Please visit http:// help.yahoo.com/help/us/mail/defer/defer-04.html [#4.16.4:190].' (delivery attempts: 52) Reporting-MTA: dns; vmx1.spamcop.net --18493695326147100.vmx1.spamcop.net content-type: message/rfc822 From: SpamCop AutoResponder <spamcop@devnull.spamcop.net> To: <x> Subject: SpamCop has accepted 1 email for processing Date: Sat, 19 Nov 2005 15:28:29 GMT Message-ID: <spamidx@msgid.spamcop.net> Content-type: text/plain In-Reply-To: <437F447E.6020106@yahoo.co.uk> References: <437F447E.6020106@yahoo.co.uk> PLEASE HELP SUPPORT THIS SERVICE! SpamCop is free. However, if you like the service please pay for it: http://www.spamcop.net/upgradeaccount.shtml SpamCop is now ready to process your spam. Use links to finish spam reporting (members use cookie-login please!): http://www.spamcop.net/sc?id=z<x> The email which triggered this auto-response had the following headers: Return-Path: <your email address> Received: from vmx1.spamcop.net (vmx1.spamcop.net [204.15.82.27]) by sc-app1.soma.ironport.com (Postfix) with ESMTP id 7E5D71A73B for <submit.x@spam.spamcop.net>; Sat, 19 Nov 2005 07:26:55 -0800 (PST) Received: from smtp-out2.blueyonder.co.uk (195.188.213.5) by vmx1.spamcop.net with ESMTP; 19 Nov 2005 07:26:55 -0800 Received: from [82.44.93.142] ([82.44.93.142]) by smtp-out2.blueyonder.co.uk with Microsoft SMTPSVC(5.0.2195.6713); Sat, 19 Nov 2005 15:27:46 0000 Message-ID: <437F447E.6020106@yahoo.co.uk> Date: Sat, 19 Nov 2005 15:27:58 0000 From: <x> User-Agent: Debian Thunderbird 1.0.7 (X11/20051017) X-Accept-Language: en-us, en MIME-Version: 1.0 To: spoof@millersmiles.co.uk, submit.<x>@spam.spamcop.net, "uce@ftc.gov" <uce@ftc.gov> Subject: [Fwd: Job offer from GlobalIndustry available now.] Content-Type: multipart/mixed; boundary="------------080309010202090502030300" X-OriginalArrivalTime: 19 Nov 2005 15:27:46.0296 (UTC) FILETIME=[CAD8AF80:01C5ED1D] --18493695326147100.vmx1.spamcop.net-- Ellen SpamCop From nobody at spamcop.net Wed Nov 23 06:34:27 2005 From: nobody at spamcop.net (Ellen) Date: Wed Nov 23 07:50:15 2005 Subject: [SpamCop-List] Re: Again: 401 - Authorization Required References: <dm0okt$2s9$1@news.spamcop.net> Message-ID: <dm1ode$q03$2@news.spamcop.net> "Patto" <nobody@devnull.spamcop.net> wrote in message news:dm0okt$2s9$1@news.spamcop.net... > I was able to report 2 spam this morning, then I got a '401 - > Authorization Required' error, and then no more response after that. Appears there was a small burp last nite -- which I discovered when I read my mail this AM. Sorry folks. Ellen SpamCop From MikeE at ster.invalid Wed Nov 23 06:33:44 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 23 09:35:03 2005 Subject: [SpamCop-List] Re: Bounce error (long) References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> <dm0ged$ulq$1@news.spamcop.net> <dm1odd$q03$1@news.spamcop.net> Message-ID: <dm1uk4$t2u$1@news.spamcop.net> Ellen wrote: > Aside to Mike E -- yeah there are times when I am delusional and this > could be one of them -- esp if the stupid frozen hard as a rock > turkey doesn't make major strides in becoming defrosted today in > which case we will be at your front door for dinner tomorrow, but I > digress ... If you come over to my house, you're going to have a pretty funny dinner. I'm only supposed to bring some pies and I'm also going to take extra beer -- so you can have plenty of pie and beer. There were two different ways I used to thaw a turkey besides in the refrigerator. One was putting it in cold water and changing the water periodically. The other was putting it in a 'cooler' (ice chest) - non-refrigerated - and putting a thermometer in there to make sure the air temperature around the turkey wasn't too warm. The reason I used to do the cooler thing was two reasons. Neither refrigerator ever has enough spare room for a turkey, and also because I keep both my refrigerators so close to freezing I figgered the turkey would never thaw out in there. Typically the frozen turkey in the close confines of an ice chest was surrounded by an air temperature of about 40? F or 4-5? C which is a safe refrigerator temperature. I preferred the ice chest over the water if I had a couple of days, because that way I didn't have to 'mess with it' and it gave me a place to keep the turkey not in the refrigerator. I also made some extra ice in the meantime, so that if the turkey got all thawed out, I would put ice chunks in the cooler to keep the temperature down to healthy levels. Instructions for making handy dandy large ice chunks available on request. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Wed Nov 23 16:51:05 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Nov 23 10:55:02 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> <dlu9ao$ptj$1@news.spamcop.net> <8cTkSUBUv4gDFAgr@griffitts.org> <dm04sk$nn6$1@news.spamcop.net> <dm0efc$tac$1@news.spamcop.net> <dm0eoi$te4$1@news.spamcop.net> <mnu8o11ouoadckffauo9grii9ktvcfknt7@4ax.com> Message-ID: <slrndo93v9.9jc.nobody@127.0.0.1> On Wed, 23 Nov 2005 08:22:54 -0600, Kenneth Loafman coughed into spamcop and left this in <mnu8o11ouoadckffauo9grii9ktvcfknt7@4ax.com>: > Yes, but don't use your cell phone for the message. If a telemarketer > calls and gets that number, you have now "given" him access to your cell > phone as well. Nasty parasites! And risk being fined? IIRC, they can't slime cellphones. -- Steve FAILURE IS NOT AN OPTION. It comes bundled with Microsoft software. From nobody at spamcop.net Wed Nov 23 10:36:10 2005 From: nobody at spamcop.net (Ellen) Date: Wed Nov 23 11:45:03 2005 Subject: [SpamCop-List] Re: Bounce error (long) References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> <dm0ged$ulq$1@news.spamcop.net> <dm1odd$q03$1@news.spamcop.net> <dm1uk4$t2u$1@news.spamcop.net> Message-ID: <dm2620$1t6$1@news.spamcop.net> "Mike Easter" <MikeE@ster.invalid> wrote in message news:dm1uk4$t2u$1@news.spamcop.net... > Ellen wrote: > > If you come over to my house, you're going to have a pretty funny > dinner. I'm only supposed to bring some pies and I'm also going to take > extra beer -- so you can have plenty of pie and beer. yeah we will have plenty of pie and beer also :-) > > There were two different ways I used to thaw a turkey besides in the > refrigerator. One was putting it in cold water and changing the water > periodically. The other was putting it in a 'cooler' (ice chest) - > non-refrigerated - and putting a thermometer in there to make sure the > air temperature around the turkey wasn't too warm. > Right now it is sitting on the countertop and I am glaring at it. If that fails to work it will go into a sink of cold water as soon as I clean all the dirty pie making utensils and pots out of the sink .... of course if I had remembered to buy a turkey last week I wouldn't be having so much fun today! Ellen From zamowienia3 at o2.pl Wed Nov 23 18:19:49 2005 From: zamowienia3 at o2.pl (SPG) Date: Wed Nov 23 12:05:02 2005 Subject: [SpamCop-List] Re: spamcop easily fooled, no source ip References: <dm013i$lc6$1@news.spamcop.net> <dm028l$m41$1@news.spamcop.net> Message-ID: <dm27b0$2mi$1@news.spamcop.net> Mike Easter wrote: > SPG wrote: >> Looks spamers learned how to fool spamcop. > > Not in this case. > >> This is third spam I got today which can not be reported with spamcop: > www.spamcop.net/sc?id=z829966353z2161dad4300e4e643e1cd936e3fa439dz > > "Possible forgery. Supposed receiving system not associated with any of > your mailhosts" > > There's a problem with your mailhost config. > >> Several months ago I pointed that spamcop should only process IP >> adresses in square brackets. > > The parser is pretty smart about managing all different kinds of From: > fields. > > Here is that spam parsed by a non-mailhosted account > > http://www.spamcop.net/sc?id=z829975824z3240ff29682109e9a3bada5166f1a6d6z > > Report Spam to: > Re: 66.69.49.123 (Administrator of network where email originates) > To: abuse@rr.com (Notes) > > Resolving link obfuscation > http://de.geocities.com/codi52069stinky37037/ > > <cancelled> > > > Thats right. How you do that? I still get no source IP message. greets, zbiggy (SPG and e-mail address belongs to spamer account I use for posting to newsgroups) From MikeE at ster.invalid Wed Nov 23 09:39:11 2005 From: MikeE at ster.invalid (Mike Easter) Date: Wed Nov 23 12:40:02 2005 Subject: [SpamCop-List] Re: spamcop easily fooled, no source ip References: <dm013i$lc6$1@news.spamcop.net> <dm028l$m41$1@news.spamcop.net> <dm27b0$2mi$1@news.spamcop.net> Message-ID: <dm29fq$3k0$1@news.spamcop.net> SPG wrote: > Mike Easter wrote: >> SPG wrote: >>> This is third spam I got today which can not be reported with >>> spamcop: >> www.spamcop.net/sc?id=z829966353z2161dad4300e4e643e1cd936e3fa439dz >> >> "Possible forgery. Supposed receiving system not associated with any >> of your mailhosts" >> >> There's a problem with your mailhost config. >> Here is that spam parsed by a non-mailhosted account >> >> http://www.spamcop.net/sc?id=z829975824z3240ff29682109e9a3bada5166f1a6d6z > Thats right. How you do that? I still get no source IP message. If your mailhost configuration as registered with spamcop doesn't match the mailhost configuration of the submitted item, then SC will break off the parse prematurely. Parsing header: 0: Received: from [213.241.68.194] (helo=noe.katowice.mtl.pl) by free.polbox.pl SC looks at that line and sees free.polbox.pl and if free.polbox.pl isn't the way your mailhost is configured, it sez Possible forgery. Supposed receiving system not associated with any of your mailhosts and then 'drops' that line. Having dropped the line, the result is No source IP address found, cannot proceed. so then SC provides a link for you to go fix or edit your mailhost configuration Add/edit your mailhost configuration http://www.spamcop.net/mcgi?action=mhedit I took the original spam from your tracker and parsed it with an account of mine which was not a mailhosted account. As a result, SC handles the item in the 'default' or non-mailhosted manner, which allows it to parse the item correctly. The best configuration is for spamcop to parse for a correctly configured mailhost. The worst or 'unsatisfactory' configuration is to try to parse an item for a mailhost configured user whose item is not consistent with the mailhost configuration. Neutral ground is for spamcop to parse for a nonmailhost configuration, which will usually parse correctly, and which was used for the demonstration purposes for this discussion. -- Mike Easter kibitzer, not SC admin From SC.10.myspamgobbler at spamcowboy.net Wed Nov 23 12:14:29 2005 From: SC.10.myspamgobbler at spamcowboy.net (Brian) Date: Wed Nov 23 15:20:02 2005 Subject: [SpamCop-List] Re: mysterious email from bluebottle.com In-Reply-To: <dm0ts8$5pn$1@news.spamcop.net> References: <dm0ts8$5pn$1@news.spamcop.net> Message-ID: <dm2iob$8sr$1@news.spamcop.net> Marc wrote: > Bluebottle.com itself does not appear to be particularly spammy, they > provide an email service that includes an email address verification system > so you only get emails from known senders. Anyone ever heard of them? > > http://www.bluebottle.com > > I get an email with the simple message "hi, ive a new mail address". No > name, no nothing. There is a link to click on that brings you back to > bluebottle and a little code attached to the end of the URL that I assume > identifies the message and sender for verification. The message indeed > traces back to the bona fide bluebottle.com site. > > Anyone seen this type of message? I suspect it is some type of spam. Maybe > it is simply a way to confirm my email address is active. Otherwise it makes > no sense, a spammer doesn't need to verify that I am real. Maybe it is a > kind of sleight of hand advertising by bluebottle itself? > > My other reason for being suspicious is that bluebottle is hosted by xo.com. > There's a red flag. But a red flag for what? > > Looks like they are spammers and easily used by spammers. From a quick perusal, it appears that they are responsible for backscatter if nothing else. Also, scroll down once on this page: http://www.extractorpro.com/setup_exp.htm , where you will find the following: If you need to get a POP3 Email account of SMTP server here are 2 providers to try: <snip> SMTP Server: secure.usermail.com http://www.bluebottle.com/ - This service works like usermail, but it is free. Their SMTP server uses a username and password to send email. Because of this their service is slightly slower, but you can use any email address you want in the sender's address. -- Brian SC.10.myspamgobbler@spamcowboy.net From nobody at nowhere.invalid Wed Nov 23 22:05:53 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Nov 23 16:10:02 2005 Subject: [SpamCop-List] Re: SDF.org sporadically listed in bl.spamcop.net References: <XXieAQqs15fDFAMP@griffitts.org> <438044FC.6487@xyzzy.claranet.de> <6McnItL+39yh@eisner.encompasserve.org> <438079C3.250@xyzzy.claranet.de> <nnvScLXmTmgDFABA@griffitts.org> <dlu9ao$ptj$1@news.spamcop.net> <8cTkSUBUv4gDFAgr@griffitts.org> <dm04sk$nn6$1@news.spamcop.net> <dm0efc$tac$1@news.spamcop.net> <dm0eoi$te4$1@news.spamcop.net> <mnu8o11ouoadckffauo9grii9ktvcfknt7@4ax.com> <slrndo93v9.9jc.nobody@127.0.0.1> <edb9o15bsruva7m3ceodkg6rbt4ojb3fdv@4ax.com> Message-ID: <slrndo9mdh.efr.nobody@127.0.0.1> On Wed, 23 Nov 2005 12:00:29 -0600, Kenneth Loafman coughed into spamcop and left this in <edb9o15bsruva7m3ceodkg6rbt4ojb3fdv@4ax.com>: > There are all sorts of exceptions for when they can and cannot call a cell > phone. Ughhhh... Over here they are banned from calling cellphones, period. Not that they'd want to anyway because the caller bears the full cost of the call. Furthermore, they can't say "we didn't know it was a cellphone" because all cellphone numbers - and nothing but cellphone numbers - have the "06" prefix. > Your best bet is to keep it as private as you can. Amen to that. I *NEVER* give my cellphone number out because I don't want to be SMS-spammed into oblivion. I only gave it out once, to an outfit with which I didn't even end up doing business, and guess what they started doing... -- Steve Don't worry about people stealing your ideas. If your ideas are any good, you'll have to ram them down people's throats. -- Howard Aiken From k5wls at INVALID.example.com Thu Nov 24 03:21:23 2005 From: k5wls at INVALID.example.com (Rick Matthews) Date: Wed Nov 23 22:25:03 2005 Subject: [SpamCop-List] Re: mysterious email from bluebottle.com References: <dm0ts8$5pn$1@news.spamcop.net> Message-ID: <Xns9717D93C97B9Fk5wlsINVALIDverizonn@216.154.195.61> "Marc" <someone@microsoft.com> wrote in news:dm0ts8$5pn$1@news.spamcop.net: > I get an email with the simple message "hi, ive a new mail address". > No name, no nothing. There is a link to click on that brings you back > to bluebottle and a little code attached to the end of the URL that I > assume identifies the message and sender for verification. The message > indeed traces back to the bona fide bluebottle.com site. I don't know anything about bluebottle, but that subject line is being used by the current Sober Worm variant. Specifically, the suject line is: hi,_ive_a_new_mail_address Every one that I've received (just in the past 4 or 5 days) has a 55,536 byte attachment and is infected with the worm. FWIW. Rick From g.hyde at bigpond.net.au Thu Nov 24 13:41:32 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Wed Nov 23 22:45:02 2005 Subject: [SpamCop-List] Re: Bounce error (long) References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> <dm0ged$ulq$1@news.spamcop.net> <dm1odd$q03$1@news.spamcop.net> Message-ID: <dm3cts$lkg$1@news.spamcop.net> "Ellen" <nobody@spamcop.net> wrote in message news:dm1odd$q03$1@news.spamcop.net... > Aside to Mike E -- yeah there are times when I am delusional and this > could > be one of them -- esp if the stupid frozen hard as a rock turkey doesn't > make major strides in becoming defrosted today in which case we will be at > your front door for dinner tomorrow, but I digress ... Do you have access to a microwave? Microwave defrosting can do wonders for a frozen turkey. ;-) Cheers ... Geoffrey Hyde From 96q7vwa02 at sneakemail.com Wed Nov 23 19:40:05 2005 From: 96q7vwa02 at sneakemail.com (Fred K.) Date: Wed Nov 23 23:45:03 2005 Subject: [SpamCop-List] Marriage of Browsers???? Message-ID: <dm3g7j$nef$1@news.spamcop.net> Browser developers team up to thwart hackers Security summit http://go.theregister.com/news/http://www.theregister.co.uk/2005/11/23/browser_security_summit/ Fred k. From jg at coks.net Wed Nov 23 20:55:35 2005 From: jg at coks.net (jg) Date: Wed Nov 23 23:55:02 2005 Subject: [SpamCop-List] Re: Marriage of Browsers???? In-Reply-To: <dm3g7j$nef$1@news.spamcop.net> References: <dm3g7j$nef$1@news.spamcop.net> Message-ID: <dm3h0e$nvu$1@news.spamcop.net> On 11/23/2005 8:40 PM Fred K. scribbled: > Browser developers team up to thwart hackers > Security summit > http://go.theregister.com/news/http://www.theregister.co.uk/2005/11/23/browser_security_summit/ > > Fred k. > > I see group sex, but fail to see marriage in this picture.... From edb2000 at spamcop.net Wed Nov 23 21:24:26 2005 From: edb2000 at spamcop.net (Don Wannit) Date: Thu Nov 24 00:25:02 2005 Subject: [SpamCop-List] Re: Spam or not? In-Reply-To: <slrndo5suv.472.nobody@127.0.0.1> References: <dlsn78$nc8$1@news.spamcop.net> <slrndo3tg7.3ln.nobody@127.0.0.1> <dltoi7$75l$1@news.spamcop.net> <slrndo5suv.472.nobody@127.0.0.1> Message-ID: <dm3iqa$p28$1@news.spamcop.net> Steven Maesslein wrote: > If I want someone to help "improve my visibility" I'll look for them. > Funny how most of these "improve your visibility" pitches are from people I've never heard of, and a Google search for them comes up empty, except for NANAE. I guess those "visibility improvement" people need to keep a low profile. Either that, or they should sell their services to each other :-) -- Don Wannit <edb2000 -at- spamcop.net> A paid SpamCop user since 1999 From 96q7vwa02 at sneakemail.com Wed Nov 23 22:23:03 2005 From: 96q7vwa02 at sneakemail.com (Fred K.) Date: Thu Nov 24 02:25:04 2005 Subject: [SpamCop-List] Re: Marriage of Browsers???? References: <dm3g7j$nef$1@news.spamcop.net> <dm3h0e$nvu$1@news.spamcop.net> Message-ID: <dm3pot$s6t$1@news.spamcop.net> "jg" <jg@coks.net> wrote in message news:dm3h0e$nvu$1@news.spamcop.net... > On 11/23/2005 8:40 PM Fred K. scribbled: > > I see group sex, but fail to see marriage in this picture.... Sex or marriage matters not, it is a step in the right direction and positive results are going to come out of it for everyone's benefit. Long overdue, competition is nice, but cooperation is good. Fred k. From nospam at nospam.org Thu Nov 24 10:53:37 2005 From: nospam at nospam.org (Ejo) Date: Thu Nov 24 04:55:31 2005 Subject: [SpamCop-List] Wow! Postbank spam Message-ID: <dm42ir$fq$1@news.spamcop.net> Haven't seen this one in a while, Postbank spam, this time from Russia. http://www.spamcop.net/sc?id=z830556336z6529549c626ab56e6f56914434f1c110z Ejo From nobody at nowhere.invalid Thu Nov 24 11:29:52 2005 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Nov 24 05:30:14 2005 Subject: [SpamCop-List] Re: Spam or not? References: <dlsn78$nc8$1@news.spamcop.net> <slrndo3tg7.3ln.nobody@127.0.0.1> <dltoi7$75l$1@news.spamcop.net> <slrndo5suv.472.nobody@127.0.0.1> <dm3iqa$p28$1@news.spamcop.net> Message-ID: <slrndob5h0.ugn.nobody@127.0.0.1> On Wed, 23 Nov 2005 21:24:26 -0800, Don Wannit coughed into spamcop and left this in <dm3iqa$p28$1@news.spamcop.net>: > Funny how most of these "improve your visibility" pitches are from > people I've never heard of, and a Google search for them comes up > empty, except for NANAE. And ROKSO. "trafficmagnet.com", anyone? -- Steve Why do people pay to go up tall buildings and then put money in binoculars to look down at things on the ground? From nobody at spamcop.net Thu Nov 24 07:52:45 2005 From: nobody at spamcop.net (Ellen) Date: Thu Nov 24 09:30:03 2005 Subject: [SpamCop-List] Re: Bounce error (long) References: <dm01t1$lqo$1@news.spamcop.net> <dm0cge$s7e$1@news.spamcop.net> <dm0fb0$trm$1@news.spamcop.net> <dm0ged$ulq$1@news.spamcop.net> <dm1odd$q03$1@news.spamcop.net> <dm3cts$lkg$1@news.spamcop.net> Message-ID: <dm4im6$8k1$1@news.spamcop.net> "Geoffrey Hyde" <g.hyde@bigpond.net.au> wrote in message news:dm3cts$lkg$1@news.spamcop.net... > > Do you have access to a microwave? Microwave defrosting can do wonders for > a frozen turkey. ;-) > :-) Ellen From eatspamed at sympatico.ca Thu Nov 24 11:05:00 2005 From: eatspamed at sympatico.ca (Angelo Castellano posting) Date: Thu Nov 24 11:10:03 2005 Subject: [SpamCop-List] email request and yahoo Message-ID: <dm4obk$bhm$1@news.spamcop.net> Is there a way to have spamcop parse reply email addresses and addresses in the body of the text? Lately I have been getting lots of spam with the reply address having nothing to do with where the email was sent. Unless I manually post the web address, no action is taken. Yahoo. What a pain. They are the cause of most problems and nothing is being done. I get a lot of redirects on geocities and many reply addresses are yahoo.uk . Any ideas. : Angelo Castellano emails - statsone at sympatico dot gov : g