From jeffg at spamcop.net Tue Nov 1 00:11:48 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Nov 1 00:15:03 2005
Subject: [SpamCop-List] Re: SPF record + domain literal format
References:
Message-ID:

"wayne" wrote in message news:x4zmoty436.fsf@footbone.schlitt.net...
> In "HOLLO Peter Mr. \(ICM Rt.\)" writes:
> > Besides I would like to ask what is your opinion about x.y@ipaddress type
> > receiving.
> >
> > Do you usually configure it ? If yes then did it cause any problem ?
>
> I do not accept IP literals in email addresses, and I haven't had any
> problems. Even the rfc-ignorant.org folks aren't anal enough to
> consider rejecting IP literals to be a problem.

IIRC an ippostmaster zone was proposed, but there was little support for it.

And BTW, the syntax is "postmaster@[127.0.0.1]".

--
Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum.

From jeffg at spamcop.net Tue Nov 1 00:21:57 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Nov 1 00:30:04 2005
Subject: [SpamCop-List] Re: EBAY spoofed message forgery or really from ebay???
References:
Message-ID:

"Patto" wrote in message news:djskoq$ktq$1@news.spamcop.net...
> One way to identify forgeries is when they address you as 'Dear EBay
> member'. If it's from EBay, PayPal, your bank, or whatever, they most
> likely address you with your name.

PayPal pledged to do this for email they send me.

--
Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.

From jeffg at spamcop.net Tue Nov 1 00:25:40 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Nov 1 00:30:06 2005
Subject: [SpamCop-List] Re: EBAY spoofed message forgery or really from ebay???
References:
Message-ID:

"Ken Knull" wrote in message news:pan.2005.10.28.16.53.49.132666@suespammers.org...
> spoof@ebay.com (or spoof@paypal.com) ...
> You likely won't be the only one sending them, but they actually do
> something with / about them, if nothing more than learn of the phishers
> and tell you whether it is or isn't from them.

They likely forward the most egregious ones to their land sharks.

--
Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.

From nobody at xyzzy.claranet.de Tue Nov 1 07:23:33 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Tue Nov 1 01:30:03 2005
Subject: [SpamCop-List] Re: Dubious FAQ entry 166.html
References: <435FB6B0.4B76@xyzzy.claranet.de> <43606545.1E96@xyzzy.claranet.de> <436293F7.24FA@xyzzy.claranet.de> <43643119.7458@xyzzy.claranet.de> <436449D9.3358@xyzzy.claranet.de> <43652DAC.30B7@xyzzy.claranet.de> <43654580.5429@xyzzy.claranet.de> <43662C7E.6A67@xyzzy.claranet.de>
Message-ID: <436709E5.6097@xyzzy.claranet.de>

Mike Easter wrote:
> the original html always has the plaintext version of the
> html in accompaniment and before the html.

Does that mean OE "cannot" send HTML only and uses always a
multipart/alternative text/html + text/plain for HTML ?

> Unless the original picture was /attached/, in which case
> its number would be 1.1 or so instead of 2.3

Your example was "attached" (= separate part), you said "not embedded"
(UUE). I took it that you were talking about a picture in the original
mail (=> 2.x parts in the forwarded mail).

Did I miss something here, e.g. OE cannot "simple-forward" mail incl.
attachments, the forwarder has to re-attach the detached original
attachment manually ?
For "simple forward" read "OE's unusual forwarding with an ersatz-header"
(instead of a complete message/rfc822)

Bye, Frank

From MikeE at ster.invalid Tue Nov 1 01:13:49 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Nov 1 04:15:07 2005
Subject: [SpamCop-List] Re: Dubious FAQ entry 166.html
References: <435FB6B0.4B76@xyzzy.claranet.de> <43606545.1E96@xyzzy.claranet.de> <436293F7.24FA@xyzzy.claranet.de> <43643119.7458@xyzzy.claranet.de> <436449D9.3358@xyzzy.claranet.de> <43652DAC.30B7@xyzzy.claranet.de> <43654580.5429@xyzzy.claranet.de> <43662C7E.6A67@xyzzy.claranet.de> <436709E5.6097@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> Mike Easter wrote:
>
>> the original html always has the plaintext version of the
>> html in accompaniment and before the html.
>
> Does that mean OE "cannot" send HTML only and uses always
> a multipart/alternative text/html + text/plain for HTML ?

Correct. Plaintext first.

>> Unless the original picture was /attached/, in which case
>> its number would be 1.1 or so instead of 2.3
>
> Your example was "attached" (= separate part), you said
> "not embedded" (UUE). I took it that you were talking
> about a picture in the original mail (=> 2.x parts in the
> forwarded mail).

This named example was one in which the original sender sent as html,
which has 2 parts, the plaintext part and the html part, and attached a
graphic as an attachment, making a 3rd part, a b64 encoded graphic.

The recipient forwarder forwarded that item, consisting of the original
sender's two parts and another forwarded part, the b64 encoded graphic.
The graphic was attached to the forwarder's mail, matching its header
delimiter. The original sender's plaintext + html version was above that
and delimited with its own 'internal' nested delimiters.

> Did I miss something here, e.g. OE cannot "simple-forward"
> mail incl. attachments, the forwarder has to re-attach the
> detached original attachment manually ?
OE's forwarding of items with attachments forwards 'simply'. No need to
reattach. I'm just 'remarking' of my surprise that the structure is
consistent with the attachment 'moving' from the first sender's
delimiters to the second sender's delimiters.

I guess it makes sense. That's the way it would be with plaintext with a
graphic attachment, so it might as well be that way with an html
[plaintext + html] with a graphic.

So, in a sense, in the case of the forwarder of an html item with a
graphic attached, the forwarder's OE 'automatically' detaches the graphic
from the sender's mail and reattaches it to the forwarded mail. Because
the delimiter on the attachment is the delimiter named in the headers of
the forwarder's mail.

> For "simple forward" read "OE's unusual forwarding with
> an ersatz-header" (instead of a complete message/rfc822)

I'm beginning to think about posting a couple of examples as trackers.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Nov 1 01:28:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Nov 1 04:30:05 2005
Subject: [SpamCop-List] Re: What Happened Here?
References: <43668D01.6AD546B7@SpamCop.net.dev.null>
Message-ID:

Jeff G. wrote:
> "Mike Easter"
>> If you are doing a domainname registration information attack, you do
>> that with yesnic, and I think the best way to do it is with the form
>> process at internic. http://wdprs.internic.net/ Whois Data Problem
>> Report System
>
> Already done. Also, please see
> http://www.rfc-ignorant.org/tools/lookup.php?domain=mort60sec.net&full=1

Of course the processes which unfold as a result of the internic
submission are altogether different than the rfc-ignorant entries.

Also, I'm not clear on the rfc-i entry for that domainname which sez
'bogusmx removed'.

The domainname itself doesn't have an MX or a routable A record, and the
nameservice has changed since yesterday so that all 5 of the nameservers
are at the same IP and they all time out.
It is effectively currently dead, since it doesn't have nameservice.

Since the nameserver domainnames are reg'd to the same person and same
address, it might be worthwhile to similarly 'attack' the nameservice
USAELENDER.COM of whois.opensrs.net ie Tucows.

--
Mike Easter
kibitzer, not SC admin

From mikeyhsd at sport.rr.com Tue Nov 1 09:17:10 2005
From: mikeyhsd at sport.rr.com (mikeyhsd)
Date: Tue Nov 1 10:20:03 2005
Subject: [SpamCop-List] black list reporting
Message-ID:

where do you send addresses to for black list reporting.

am getting 20-30 emails a day from this idiot. all in unreadable hen
scratching. I will not install a language pack just to read this garbage.

Re: 125.57.106.93 (Administrator of network where email originates)
To: ip@cjdream.com (Notes)
To: ip@dreamline.co.kr (Notes)

Re: http://www.gyakuten5.net/?dog (Administrator of network hosting website referenced in spam)
To: abuse@elim.net (Notes)

it was using a yahoo mail account from australia, got it cancelled.

every mail has been reported to spam cop reporting.

mikeyhsd@sport.rr.com

From spambait at whodat.net Tue Nov 1 10:36:33 2005
From: spambait at whodat.net (Darrel Toepfer)
Date: Tue Nov 1 11:40:03 2005
Subject: [SpamCop-List] Server Authentication is busted
Message-ID:

Looks to be down again since after 10am Central time... Have reports I
need to complete...

From nobody at spamcop.net Tue Nov 1 11:40:24 2005
From: nobody at spamcop.net (Anti-Spam)
Date: Tue Nov 1 11:45:03 2005
Subject: [SpamCop-List] Reporting user database down?
Message-ID:

Cookies invalidated and unable to log in.

--
Bring in the death penalty for repeat spammers.
Non-functional spambait addr: info9@duetddcpj.net (generated by Webpoison)

From spambait at whodat.net Tue Nov 1 10:41:29 2005
From: spambait at whodat.net (Darrel Toepfer)
Date: Tue Nov 1 11:45:08 2005
Subject: [SpamCop-List] Re: Reporting user database down?
In-Reply-To:
References:
Message-ID:

Anti-Spam wrote:
> Cookies invalidated and unable to log in.
Preceded by "gateway timeout"... Appears to be working again though...

From nobody at spamcop.net Tue Nov 1 15:25:03 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Nov 1 15:30:06 2005
Subject: [SpamCop-List] 11/1/2005 Maint Window
Message-ID:

Maintenance Window Nov 1, 2005

During the period 14:00-18:00 -0800 we will have an outage of about 45
minutes for the installation of new hardware for the reporting system.
Thank you for your patience.

The email system will not be affected by this maintenance window.

Ellen
SpamCop
follow-ups to SpamCop
Please propagate to the forums

From nospam at nospam.nl Tue Nov 1 22:25:57 2005
From: nospam at nospam.nl (geo_splash_12)
Date: Tue Nov 1 16:30:02 2005
Subject: [SpamCop-List] Re: black list reporting
In-Reply-To:
References:
Message-ID:

mikeyhsd wrote:
> where do you send addresses to for black list reporting.
>
> am getting 20-30 emails a day from this idiot. all in unreadable hen
> scratching. I will not install a language pack just to read this garbage.
>
>
> Re: 125.57.106.93 (Administrator of network where email originates)
> To: ip@cjdream.com (Notes)
> To: ip@dreamline.co.kr (Notes)
>
> Re: http://www.gyakuten5.net/?dog (Administrator of network hosting
> website referenced in spam)
> To: abuse@elim.net (Notes)
>
> it was using a yahoo mail account from australia, got it cancelled.
>
> every mail has been reported to spam cop reporting.
>
> mikeyhsd@sport.rr.com

Please show us spamcop tracking url so that we understand what you're
talking about.

From nobody at spamcop.net Tue Nov 1 17:56:25 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Nov 1 18:00:07 2005
Subject: [SpamCop-List] Maint Window completed
Message-ID:

The maintenance window scheduled for 11/1/2005 has been completed. Thanks!
Ellen
SpamCop
follow-ups to SpamCop
Please propagate to the forums

From mikeyhsd at sport.rr.com Tue Nov 1 18:24:06 2005
From: mikeyhsd at sport.rr.com (mikeyhsd)
Date: Tue Nov 1 19:25:03 2005
Subject: [SpamCop-List] Re: black list reporting
References:
Message-ID:

will post the reporting link tomorrow. when i get more mails.

mikeyhsd@sport.rr.com

"geo_splash_12" wrote in message news:dk8mh7$u9o$1@news.spamcop.net...
> mikeyhsd wrote:
>> where do you send addresses to for black list reporting.
>>
>> am getting 20-30 emails a day from this idiot. all in unreadable hen
>> scratching. I will not install a language pack just to read this garbage.
>>
>>
>> Re: 125.57.106.93 (Administrator of network where email originates)
>> To: ip@cjdream.com (Notes)
>> To: ip@dreamline.co.kr (Notes)
>>
>> Re: http://www.gyakuten5.net/?dog (Administrator of network hosting
>> website referenced in spam)
>> To: abuse@elim.net (Notes)
>>
>> it was using a yahoo mail account from australia, got it cancelled.
>>
>> every mail has been reported to spam cop reporting.
>>
>> mikeyhsd@sport.rr.com
>
> Please show us spamcop tracking url so that we understand what you're
> talking about.

From borgholio at storymind.com Tue Nov 1 17:00:44 2005
From: borgholio at storymind.com (Borgholio)
Date: Tue Nov 1 20:05:03 2005
Subject: [SpamCop-List] No more 3rd party reporting for me
Message-ID:

Specifically, forwarding spam to the FTC or FDA or whatever. I'm only
going to forward phishing, Nigerian, and other similar scams. I'm getting
so much spam now, that although Spamcop's paid service is working VERY
well, forwarding it to many 3rd parties results in bounce messages due to
the sheer volume of SPAM I'm trying to forward. It's too much hassle
breaking it up into various categories, then each category into chunks
small enough to forward. I'll settle for Spamcop reporting.

From jeffg at spamcop.net Tue Nov 1 22:27:17 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Nov 1 22:45:04 2005
Subject: [SpamCop-List] Re: Maint Window completed
References:
Message-ID:

"Ellen" wrote in message news:dk8rvg$17l$1@news.spamcop.net...
> The maintenance window scheduled for 11/1/2005 has been completed. Thanks!
...
> Please propagate to the forums

Done.

The actual maintenance-induced downtime appears to have been between
about 14:10 and 14:55 PST -0800, between about 17:10 and 17:55 EST -0500,
and between about 22:10 and 22:55 UTC -0000.

Thanks to the engineers and support staff who kept the downtime within
the announced window and duration!

--
Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.

From jeffg at spamcop.net Tue Nov 1 23:06:29 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Nov 1 23:10:03 2005
Subject: [SpamCop-List] Re: Reporting user database down?
References:
Message-ID:

"Darrel Toepfer" wrote in message news:dk85vf$lp2$2@news.spamcop.net...
> Anti-Spam wrote:
> > Cookies invalidated and unable to log in.
> Preceded by "gateway timeout"... Appears to be working again though...

Right. This is one of the many instances of unannounced downtime
(outages) in the past five days that I have been documenting in the
"Graphic & Link added" Topic at
http://forum.spamcop.net/forums/index.php?showtopic=5235 , beginning at
http://forum.spamcop.net/forums/index.php?showtopic=5235&view=findpost&p=35077 .
I take my info from the SpamCop Statistics graph at
http://alpha.cesmail.net/graphics/spamstats.gif on my off-site page
"SpamCop.net - Total spam report volume mock-up" at
http://forum.spamcop.net/forums/index.php?showtopic=5247 .

--
Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.
From jeffg at spamcop.net Tue Nov 1 23:25:54 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Nov 1 23:40:03 2005
Subject: [SpamCop-List] Re: What Happened Here?
References: <43668D01.6AD546B7@SpamCop.net.dev.null>
Message-ID:

"Mike Easter" wrote:
> Jeff G. wrote:
> > Also, please see
> > > http://www.rfc-ignorant.org/tools/lookup.php?domain=mort60sec.net&full=1
> Also, I'm not clear on the rfc-i entry for that domainname which sez
> 'bogusmx removed'.
>
> The domainname itself doesn't have an MX or a routable A record, and the
> nameservice has changed since yesterday so that all 5 of the nameservers
> are at the same IP and they all time out.
>
> It is effectively currently dead, since it doesn't have nameservice.

I am deeply saddened by the loss of effective nameservice for the
mort60sec.net domain. NOT!!!

Seriously, mort60sec.net had an A record yesterday pointing into the
192.168.x.y type of RFC1918-prohibited IP Address space, which is why the
submission worked at the time. Then bad stuff started happening to that
domain's nameservice.

> Since the nameserver domainnames are reg'd to the same person and same
> address, it might be worthwhile to similarly 'attack' the nameservice
> USAELENDER.COM of whois.opensrs.net ie Tucows.

If I could just get Tucows' whois.opensrs.net to respond more than ~20%
of the time, that would be helpful. :)

Ok, fine, Paul Shupak appears to have beat me to an RFCI whois listing of
usaelender.com, but looking at
http://www.rfc-ignorant.org/tools/detail.php?domain=usaelender.com&submitted=1130552149&table=whois ,
why would mta213.mail.dcn.yahoo.com (in its role as mx2.mail.yahoo.com)
wait until after the DATA was complete before replying "554 delivery
error: dd This user doesn't have a yahoo.ca account
(ronaldhentington@yahoo.ca) [-5] - mta213.mail.dcn.yahoo.com"?

Thanks and Best Regards,
Jeff G.
I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.

From nospam at nospam.nl Wed Nov 2 06:38:28 2005
From: nospam at nospam.nl (geo_splash_12)
Date: Wed Nov 2 00:40:02 2005
Subject: [SpamCop-List] Re: No more 3rd party reporting for me
In-Reply-To:
References:
Message-ID:

Borgholio wrote:
> Specifically, forwarding spam to the FTC or FDA or whatever. I'm only
> going to forward phishing, Nigerian, and other similar scams. I'm
> getting so much spam now, that although Spamcop's paid service is
> working VERY well, forwarding it to many 3rd parties results in bounce
> messages due to the sheer volume of SPAM I'm trying to forward. It's
> too much hassle breaking it up into various categories, then each
> category into chunks small enough to forward. I'll settle for Spamcop
> reporting.

Facing a similar problem, my approach is to report only that spam that
isn't already listed in other major blocklists like spamhaus xbl+sbl,
sorbs, spews, ahbl and dsbl and when it doesn't originate from china or
korea. This cuts down my spamcop usage.

It is all done by scripts that look in the header of e-mails, it would
be a nightmare to manually sort it out.

Ejo

From borgholio at storymind.com Tue Nov 1 21:52:19 2005
From: borgholio at storymind.com (Borgholio)
Date: Wed Nov 2 00:55:03 2005
Subject: [SpamCop-List] Re: No more 3rd party reporting for me
In-Reply-To:
References:
Message-ID:

geo_splash_12 wrote:
> Borgholio wrote:
>
>> Specifically, forwarding spam to the FTC or FDA or whatever. I'm only
>> going to forward phishing, Nigerian, and other similar scams. I'm
>> getting so much spam now, that although Spamcop's paid service is
>> working VERY well, forwarding it to many 3rd parties results in bounce
>> messages due to the sheer volume of SPAM I'm trying to forward.
>> It's too much hassle breaking it up into various categories, then each
>> category into chunks small enough to forward. I'll settle for Spamcop
>> reporting.
>
>
> Facing a similar problem, my approach is to report only that spam that
> isn't already listed in other major blocklists like spamhaus xbl+sbl,
> sorbs, spews, ahbl and dsbl and when it doesn't originate from china or
> korea. This cuts down my spamcop usage.
>
> It is all done by scripts that look in the header of e-mails, it would
> be a nightmare to manually sort it out.
>
> Ejo

Since I use all the blacklists in my Spamcop filter system, I could
simply manually report spam that slips through. That'd be a pretty good
indicator that it's not already on major blacklists. :)

From nobody at example.com Wed Nov 2 09:55:10 2005
From: nobody at example.com (John Smith)
Date: Wed Nov 2 05:01:07 2005
Subject: [SpamCop-List] Spammer? Poplist.fr
Message-ID:

I've received an invitation "to confirm [my] subscription" to
Poplist.fr, which (according to their web site) is an e-mail marketing
company. Naturally, I never subscribed. But surprisingly, they say that
if I don't confirm my subscription, they won't mail me again.

If you received such an e-mail and want to report it as spam, you are
within your rights to do so. But I'm not going to report it because I'd
rather receive spam like this (which will go away if I ignore it) than
the kind of junk I currently receive.

(By the way, this company does everything in French. I translated the
quote.)

From bar_n0ne at hotmail.com Wed Nov 2 14:06:49 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Nov 2 05:11:15 2005
Subject: [SpamCop-List] Re: Spammer? Poplist.fr
References:
Message-ID:

"John Smith" wrote in message news:dka2du$ko6$1@news.spamcop.net...
> I've received an invitation "to confirm [my] subscription" to
> Poplist.fr, which (according to their web site) is an e-mail marketing
> company. Naturally, I never subscribed.
> But surprisingly, they say that
> if I don't confirm my subscription, they won't mail me again.
>
> If you received such an e-mail and want to report it as spam, you are
> within your rights to do so. But I'm not going to report it because I'd
> rather receive spam like this (which will go away if I ignore it) than
> the kind of junk I currently receive.
>
> (By the way, this company does everything in French. I translated the
> quote.)

All over NANAE today too, I'm beginning to think it's a cheap-ass way to
advertise their newsletter. I also received this.

http://groups.google.ca/group/news.admin.net-abuse.email/browse_thread/thread/953d33e9449837ad/1098cfee6fc411ba?hl=en#1098cfee6fc411ba

sorry, but I'm sure OE and other newsreaders will break up the link.

From nobody at nowhere.invalid Wed Nov 2 11:14:50 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Nov 2 05:15:08 2005
Subject: [SpamCop-List] Re: Spammer? Poplist.fr
References:
Message-ID:

On Wed, 02 Nov 2005 09:55:10 +0000, John Smith coughed into spamcop and
left this in :

> But surprisingly, they say that if I don't confirm my subscription,
> they won't mail me again.

In that case, they're doing the Right Thing(tm).

> If you received such an e-mail and want to report it as spam, you are
> within your rights to do so.

It makes a refreshing change to see an e-mail marketer doing the Right
Thing(tm) for once. Reporting requests for confirmation as spam is not
exactly going to encourage this correct MO.

--
Steve
Let's call it an accidental feature. -- Larry Wall

From nobody at xyzzy.claranet.de Wed Nov 2 11:04:15 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Nov 2 05:20:13 2005
Subject: [SpamCop-List] Website down (?)
Message-ID: <43688F1F.FEA@xyzzy.claranet.de>

Hi, apparently the Web site is down (10:00 GMT, and it was already down
from my POV at 6:00 GMT). Ping okay, and quick reports work.
Bye, Frank

From nobody at xyzzy.claranet.de Wed Nov 2 12:58:59 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Wed Nov 2 07:05:03 2005
Subject: [SpamCop-List] Re: Website down (?)
References: <43688F1F.FEA@xyzzy.claranet.de>
Message-ID: <4368AA03.4B93@xyzzy.claranet.de>

> apparently the Web site is down

No, it's not, it was only _very_ slow to show up. It forced me to learn
the art of reporting with two windows: First window to report the "next"
pending submission, oldest to newer, secondary windows opened with links
in the SC confirmation mails, newest to older.

Bye, Frank

From mikeyhsd at sport.rr.com Wed Nov 2 07:21:44 2005
From: mikeyhsd at sport.rr.com (mikeyhsd)
Date: Wed Nov 2 08:25:05 2005
Subject: [SpamCop-List] Re: black list reporting
References:
Message-ID:

here is a link
http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46adez

mikeyhsd@sport.rr.com

"mikeyhsd" wrote in message news:dk90v5$42h$1@news.spamcop.net...
> will post the reporting link tomorrow. when i get more mails.
>
> mikeyhsd@sport.rr.com
> "geo_splash_12" wrote in message
> news:dk8mh7$u9o$1@news.spamcop.net...
>> mikeyhsd wrote:
>>> where do you send addresses to for black list reporting.
>>>
>>> am getting 20-30 emails a day from this idiot. all in unreadable hen
>>> scratching. I will not install a language pack just to read this garbage.
>>>
>>>
>>> Re: 125.57.106.93 (Administrator of network where email originates)
>>> To: ip@cjdream.com (Notes)
>>> To: ip@dreamline.co.kr (Notes)
>>>
>>> Re: http://www.gyakuten5.net/?dog (Administrator of network hosting
>>> website referenced in spam)
>>> To: abuse@elim.net (Notes)
>>>
>>> it was using a yahoo mail account from australia, got it cancelled.
>>>
>>> every mail has been reported to spam cop reporting.
>>>
>>> mikeyhsd@sport.rr.com
>>
>> Please show us spamcop tracking url so that we understand what you're
>> talking about.
>

From nobody at spamcop.net Wed Nov 2 09:22:39 2005
From: nobody at spamcop.net (Ellen)
Date: Wed Nov 2 09:25:06 2005
Subject: [SpamCop-List] System outages/instability
Message-ID:

Morning folks -- yes we are having system problems and
operations/engineering is working the issues. You may see failures trying
to log-in or other error messages. Please do not try to change your
password as this will not solve the problem. The problems will probably
continue sporadically. There is no ETA right now for complete resolution
but this is being treated by everyone as a priority 1 situation.

Thank you for your patience!

The email system is not affected.

I suppose the good news is that there will still be shiny new spams to
report after the problems are resolved -- and that is also the bad news ....

Ellen
SpamCop
follow-ups to SpamCop
Please propagate to the forums

From nospam at nospam.org Wed Nov 2 15:42:37 2005
From: nospam at nospam.org (geo_splash_12)
Date: Wed Nov 2 09:45:03 2005
Subject: [SpamCop-List] Re: black list reporting
In-Reply-To:
References:
Message-ID:

mikeyhsd wrote:
> here is a link
> http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46adez

I do not understand the first few header lines where the spamcop parser
complains about IP 10.93.46.16. Where does this come from, is this
correct?

Furthermore the link shows that abuse reports were sent to the
administrators of 125.57.108.71 (in the .kr domain), but apparently this
IP is not listed within spamcop.

(Korean / Chinese spam is almost impossible to get rid of, maybe consider
to install your own specific filters for this problem.)

Finally abuse reports are sent because of a link within the spam,
211.112.18.18 which is within the elim.com domain.

Ejo

From jeffg at spamcop.net Wed Nov 2 10:31:17 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Nov 2 10:35:03 2005
Subject: [SpamCop-List] Re: System outages/instability
References:
Message-ID:

"Ellen" wrote in message news:dkai7l$sj1$1@news.spamcop.net...
> Morning folks -- yes we are having system problems and
> operations/engineering is working the issues.
...
> Please propagate to the forums

Done.

--
Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.

From bill6 at wanadoo.fr Wed Nov 2 17:31:07 2005
From: bill6 at wanadoo.fr (cd)
Date: Wed Nov 2 11:25:04 2005
Subject: [SpamCop-List] help u ?
Message-ID:

error I obtain :

No userid found, sorry.
Copyright (C) 1998-2005, IronPort Systems, Inc. All rights reserved.
HTML4 / CSS2 Firefox recommended - Policies and Disclaimers
putRow Table 'prefs' was not locked with LOCK TABLES (1100)/sc?
putRow Table 'prefs' was not locked with LOCK TABLES (1100)/sc?

cd

From bill6 at wanadoo.fr Wed Nov 2 18:01:13 2005
From: bill6 at wanadoo.fr (cd)
Date: Wed Nov 2 11:55:02 2005
Subject: [SpamCop-List] error message when "unsend report"
Message-ID:

Gateway Timeout
The proxy server did not receive a timely response from the upstream server.
Reference #1.93ec0f50.1130950178.977ea92

From bill6 at wanadoo.fr Wed Nov 2 18:06:55 2005
From: bill6 at wanadoo.fr (cd)
Date: Wed Nov 2 12:05:03 2005
Subject: [SpamCop-List] Unreported Spam Saved: Report Now = message report :
Message-ID:

Gateway Timeout
The proxy server did not receive a timely response from the upstream server.
Reference #1.93ec0f50.1130950735.980cbb9

From nospam at dev.null Wed Nov 2 19:02:06 2005
From: nospam at dev.null (No Spam)
Date: Wed Nov 2 12:05:07 2005
Subject: [SpamCop-List] Re: What Happened Here?
In-Reply-To:
References: <43668D01.6AD546B7@SpamCop.net.dev.null>
Message-ID:

Mike Easter wrote:
> Michael Brennan" <"Michael Brennan Nobody wrote:
>
>> Regarding a Report Here:
>>
> > www.spamcop.net/sc?id=z821657304z827f981d88b239c3f1866b40f5ae8639z
>
>> I got the original parse back in the SpamCop Autoreply and saw that
>> the SpamCop parser hadn't been able to resolve a spampage in the
>> advertisement,
> snip...
>
>> http://ream2gn.mort60sec.net/3/index/omega/i6eetdt
> snip...
>
>
> If you are doing a domainname registration information attack, you do
> that with yesnic, and I think the best way to do it is with the form
> process at internic. http://wdprs.internic.net/ Whois Data Problem
> Report System
>
>

Same party (all whois details as at time of reporting from WDPRS report)

saving-your-money.net - Reported 16/07/2005 via WDPRS (still active)

Domain Name: SAVING-YOUR-MONEY.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.XZMAK.COM
Name Server: NS2.XZMAK.COM
Name Server: NS3.XZMAK.COM
Name Server: NS4.XZMAK.COM
Name Server: NS6.XZMAK.COM
Status: REGISTRAR-LOCK
Updated Date: 06-jul-2005
Creation Date: 06-jul-2005
Expiration Date: 06-jul-2006

REGISTRAR WHOIS:
Registration Service Provided By: NameCheap.com
Contact: support@NameCheap.com
Visit: http://www.namecheap.com/

Domain name: saving-your-money.net

Registrant Contact:
American Financial
Ronald Hentington (americanfinancial2005@yahoo.co.uk)
+1.2063384168
Fax: +1.2063384168
759 Mount Pleasant Road
Toronto, ON M4S 2N4
CA
....

EASYRATE-LOANS.COM Reported 03/07/2005 via WDPRS (still active!!)

Domain Name: EASYRATE-LOANS.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS1.XZMAK.COM
Name Server: NS2.XZMAK.COM
Name Server: NS3.XZMAK.COM
Name Server: NS4.XZMAK.COM
Name Server: NS5.XZMAK.COM
Name Server: NS6.XZMAK.COM
Status: ACTIVE
Updated Date: 15-jun-2005
Creation Date: 14-jun-2005
Expiration Date: 14-jun-2006

WHOIS INFORMATION AS OF 2005/07/03 13:45:20

REGISTRAR WHOIS:
Registrant:
America Financial
759 Mount Pleasant Road
Toronto, Ontario M4S 2N4
CA

Domain name: EASYRATE-LOANS.COM

Administrative Contact:
Hentington, Ronald americanfinancial2005@yahoo.co.uk
759 Mount Pleasant Road
Toronto, Ontario M4S 2N4
CA
+1.2063384168
Fax: +1.2063384168

EASYRATE-LOANS.COM Reported 03/07/2005 via WDPRS (Now on hold)

Domain Name: XZMAK.COM
Registrar: TUCOWS INC.
Whois Server: whois.opensrs.net
Referral URL: http://domainhelp.tucows.com
Name Server: NS1.XZMAK.COM
Name Server: NS2.XZMAK.COM
Name Server: NS3.XZMAK.COM
Name Server: NS4.XZMAK.COM
Name Server: NS5.XZMAK.COM
Name Server: NS6.XZMAK.COM
Status: ACTIVE
Updated Date: 15-jun-2005
Creation Date: 14-jun-2005
Expiration Date: 14-jun-2006

WHOIS INFORMATION AS OF 2005/07/03 13:45:23

REGISTRAR WHOIS:
Registrant:
America Financial
759 Mount Pleasant Road
Toronto, Ontario M4S 2N4
CA

Domain name: XZMAK.COM

Administrative Contact:
Hentington, Ronald americanfinancial2005@yahoo.co.uk
759 Mount Pleasant Road
Toronto, Ontario M4S 2N4
CA
+1.2063384168
Fax: +1.2063384168

Now the interesting thing: Address is that of a bookshop!!

Bookstore is well publicized on the internet and most likely source of
stolen details:
http://www.google.com/search?hl=en&lr=&q=%22759+Mount+Pleasant%22++Toronto&btnG=Search

Interesting caveat: Since reports were filed, Contact Editions (the
bookshop) has moved.
However, party has a record of fraudulent "borrowing" of addresses
http://www.obliquity.com/computer/spambait/theft11.html

Re tel nr +1.2063384168:
http://www.numberingplans.com/?page=analysis&sub=phonenr says:

Information on phone number range +1 206 338XXXX
Number billable as geographic number
Country or destination: United States
City or exchange location: Seattle, WA
Original network provider*: International Telcom, Ltd. - Wa

So, yes, Jeff G.'s comment is extremely appropriate and I agree:
"If I could just get Tucows' whois.opensrs.net to respond more than ~20%
of the time, that would be helpful. :) "

Cheers
E

From nospam at nospam.org Wed Nov 2 18:21:23 2005
From: nospam at nospam.org (geo_splash_12)
Date: Wed Nov 2 12:25:03 2005
Subject: [SpamCop-List] Re: black list reporting
In-Reply-To: <07nhm1d3q8qh12669tsqr75urcal0junfq@4ax.com>
References: <07nhm1d3q8qh12669tsqr75urcal0junfq@4ax.com>
Message-ID:

Kenneth Loafman wrote:
> On Wed, 02 Nov 2005 15:42:37 +0100, geo_splash_12
> wrote:
>
>> mikeyhsd wrote:
>>
>>> here is a link
>>> http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46adez
>>
>> I do not understand the first few header lines where the spamcop parser
>> complains about IP 10.93.46.16. Where does this come from, is this correct?
>>
>> Furthermore the link shows that abuse reports were sent to the
>> administrators of 125.57.108.71 (in the .kr domain), but apparently this
>> IP is not listed within spamcop.
>>
>> (Korean / Chinese spam is almost impossible to get rid of, maybe
>> consider to install your own specific filters for this problem.
>>
>> Finally abuse reports are sent because of a link within the spam,
>> 211.112.18.18 which is within the elim.com domain.
>
> 10.93.46.16 is thrown away because it's part of a private network, not
> routable. Possibly part of the rr.com internal net.
In that case there might be something like a router configuration
problem in the network, something like a linux mail handler returning a
local network IP in the mail header rather than the IP number assigned
to the subnet handled by the router.

> 0.0.0.0/8 - broadcast network
> 10.0.0.0/8 - RFC 1918 private network
> 127.0.0.0/8 - loopback network
> 169.254.0.0/16 - link local network
> 172.16.0.0/12 - RFC 1918 private network
> 192.0.2.0/24 - TEST-NET network
> 192.168.0/16 - RFC 1918 private network
> 224.0.0.0/4 - class D multicast network
> 240.0.0.0/5 - class E reserved network
> 248.0.0.0/5 - reserved network
>
> Another SC poster put this together.

Thanks.

> ...Ken

From nobody at spamcop.net Wed Nov 2 10:30:22 2005
From: nobody at spamcop.net (N. Miller)
Date: Wed Nov 2 13:35:05 2005
Subject: [SpamCop-List] Re: Spammer? Poplist.fr
References:
Message-ID:

On Wed, 02 Nov 2005 09:55:10 +0000, John Smith wrote:

> I've received an invitation "to confirm [my] subscription" to
> Poplist.fr, which (according to their web site) is an e-mail marketing
> company. Naturally, I never subscribed. But surprisingly, they say that
> if I don't confirm my subscription, they won't mail me again.
>
> If you received such an e-mail and want to report it as spam, you are
> within your rights to do so. But I'm not going to report it because I'd
> rather receive spam like this (which will go away if I ignore it) than
> the kind of junk I currently receive.
>
> (By the way, this company does everything in French. I translated the
> quote.)

You have no way to know whether they bought a list, and are trying to
clean it up (bad thing), or somebody attempted to "forge subscribe" you
to the list, and they were just verifying the subscription request (good
thing). Given the fact that you can't distinguish the one from the
other, you should just treat it as the result of a "forge subscription"
attempt, and that the list manager is trying to do the "right thing".
--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From jeffg at spamcop.net Wed Nov 2 14:44:03 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Nov 2 14:55:09 2005
Subject: [SpamCop-List] Re: black list reporting
References: <07nhm1d3q8qh12669tsqr75urcal0junfq@4ax.com>
Message-ID:

"geo_splash_12" wrote in message news:dkasik$2uu$1@news.spamcop.net...
> Kenneth Loafman wrote:
> > On Wed, 02 Nov 2005 15:42:37 +0100, geo_splash_12
> > wrote:
> >
> >> mikeyhsd wrote:
> >>
> >>> here is a link
> >>> http://www.spamcop.net/sc?id=z822386771z92c697c6b7c3ad934c08cab7c6e46adez
> >>
> >> I do not understand the first few header lines where the spamcop parser
> >> complains about IP 10.93.46.16. Where does this come from, is this correct?
> >>
> >> Furthermore the link shows that abuse reports were sent to the
> >> administrators of 125.57.108.71 (in the .kr domain), but apparently this
> >> IP is not listed within spamcop.
> >>
> >> (Korean / Chinese spam is almost impossible to get rid of, maybe
> >> consider to install your own specific filters for this problem.
> >>
> >> Finally abuse reports are sent because of a link within the spam,
> >> 211.112.18.18 which is within the elim.com domain.
> >
> > 10.93.46.16 is thrown away because it's part of a private network, not
> > routable. Possibly part of the rr.com internal net.
>
> In that case there might be something like a router configuration
> problem in the network, something like a linux mail handler returning a
> local network IP in the mail header rather than the IP number assigned
> to the subnet handled by the router.

It is part of the rr.com internal net. rr.com generally has several
mailservers process an incoming email message before it is delivered to
the intended recipient, and some of those are on its internal network.
This is nothing to be concerned about.

--
Best Regards,
Jeff G.
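The parser behaviour Ken and Jeff describe in this thread, as an added example that is not part of the original posts: walk the Received: chain from the recipient's side, discard hops whose "from" IP falls in the reserved ranges listed in Ken's post (which is why 10.93.46.16 is "thrown away"), and treat the first routable hop as the apparent source. This is a simplified model of what SpamCop does; the sample headers, hostnames and the mailhost name are constructed, and only the IPs are the ones discussed in the thread.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Non-routable / reserved ranges exactly as listed in the thread
# (192.168.0/16 written out in full as 192.168.0.0/16).
NON_ROUTABLE = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "0.0.0.0/8",       # broadcast network
        "10.0.0.0/8",      # RFC 1918 private network
        "127.0.0.0/8",     # loopback network
        "169.254.0.0/16",  # link local network
        "172.16.0.0/12",   # RFC 1918 private network
        "192.0.2.0/24",    # TEST-NET network
        "192.168.0.0/16",  # RFC 1918 private network
        "224.0.0.0/4",     # class D multicast network
        "240.0.0.0/5",     # class E reserved network
        "248.0.0.0/5",     # reserved network
    )
]

# The bracketed address a Received: header says the hop received from.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample (hostnames are placeholders): the inner hop is on
# rr.com's private network, the outer hop is the host the thread discusses.
SAMPLE_HEADERS = """\
Received: from ms-smtp-02.example.rr.com [10.93.46.16]
\tby mailhost.example.invalid with ESMTP; Wed, 02 Nov 2005 14:01:10 +0100
Received: from unknown (HELO pc-home) [125.57.108.71]
\tby ms-smtp-02.example.rr.com with SMTP; Wed, 02 Nov 2005 14:01:05 +0100
Subject: (constructed sample for the example)

body text here
"""


def unfold_headers(raw: str) -> List[str]:
    """Join folded header lines (a continuation starts with whitespace).
    The header block ends at the first blank line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return lines


def is_routable(ip: str) -> bool:
    """False for any address inside the reserved ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def received_from_ips(raw: str) -> List[str]:
    """The 'from' IP of every Received: hop, newest (recipient side) first.
    Hops without a bracketed, syntactically valid IPv4 literal are skipped."""
    ips: List[str] = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        match = BRACKETED_IPV4.search(line)
        if not match:
            continue
        try:
            ipaddress.ip_address(match.group(1))
        except ValueError:          # e.g. [999.1.1.1] in a forged header
            continue
        ips.append(match.group(1))
    return ips


def classify_hops(raw: str) -> List[Tuple[str, str]]:
    """Per hop: (ip, 'routable' or 'non-routable: skipped'), newest first."""
    return [
        (ip, "routable" if is_routable(ip) else "non-routable: skipped")
        for ip in received_from_ips(raw)
    ]


def apparent_source(raw: str) -> Optional[str]:
    """Walk the chain from the recipient's side and return the first hop
    whose 'from' IP is routable; None if every hop is internal."""
    for ip in received_from_ips(raw):
        if is_routable(ip):
            return ip
    return None


if __name__ == "__main__":
    for ip, verdict in classify_hops(SAMPLE_HEADERS):
        print(f"{ip:>16}  {verdict}")
    print("apparent source:", apparent_source(SAMPLE_HEADERS))
```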
I have been a SpamCop User/Member/Customer since 1999 and am a Moderator
of the new web-based forums (now the primary method for getting help,
http://forum.spamcop.net). Please contact me via Forum only.

From tnathan at idyllicsys.com Wed Nov 2 20:32:24 2005
From: tnathan at idyllicsys.com (Ted Nathan)
Date: Wed Nov 2 20:35:03 2005
Subject: [SpamCop-List] Spoofed Message Causing ISP shutdowns
Message-ID:

I am new to this group, but I have a problem and this seemed to be the
first logical place to look for an answer.

I have a client who had a marketing company create a news piece from
distribution via e-mail. Unfortunately, it was sent out prematurely and
to people who did not ask for it, thus it was spam. They understand the
mistake that was made, especially when Google and Microsoft start
screaming at you. So this was strike one.

A few days later, some kid out of France sent the exact same
announcement out as spam again. Microsoft and Google and others called
the ISP and had them shutdown. And it happened again today.

What can i do to protect my client from this happening again? I know
how to stop spam from coming in and going out of my clients' networks,
but how do you every kid in the world from shutting down your business?

TIA

Ted

From mwnospam at comcast.net Wed Nov 2 21:31:56 2005
From: mwnospam at comcast.net (spamacyde)
Date: Wed Nov 2 21:35:03 2005
Subject: [SpamCop-List] Messages with No Subject Header and No Message Body (Again)
Message-ID:

Over the past three days, 95% of the spam I've been getting contains no
message subject and no body. This supports my contention that spammy's
motivations are political rather than financial. Or perhaps spammy is
pissed off at my reporting efforts. Anybody else experiencing a rash of
blank emails?

From MikeE at ster.invalid Wed Nov 2 18:58:01 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Nov 2 22:00:02 2005
Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns
References:
Message-ID:

Ted Nathan wrote:
> I am new to this group, but I have a problem and this seemed to be the
> first logical place to look for an answer.

Bear in mind that there are skeptics in here. Including me.

> I have a client who had a marketing company create a news piece from
> distribution via e-mail. Unfortunately, it was sent out prematurely
> and to people who did not ask for it, thus it was spam.

Some people say, 'Once a spammer always a spammer; the spammer just
tries to figure out ways to cover hir tracks.'

> They
> understand the mistake that was made, especially when Google and
> Microsoft start screaming at you. So this was strike one.

It doesn't matter whether it was google or MS or spamcop or whoever.
Unsolicited mail is going to get reported various ways. There are
blocklists for spamsources and there are also blocklists such as spews
which target the spamvertiser.
> A few days later, some kid out of France sent the exact same
> announcement out as spam again.

Now you are alleging what? That your spamvertiser client commissioned a
spammer to use a .fr spamsource? That all of a sudden the once spammer
is now a victim of a joe-job pretending to be spamvertising your client?
Of the two, it is more likely that your client is the spamvertiser and
the spamsource is somehow the .fr 'kid'.

> Microsoft and Google and others called
> the ISP and had them shutdown. And it happened again today.

That's what happens when you are spamvertised and your website provider
doesn't believe the hokey spamvertiser story. Antispammers have heard
spammer lies before. The first 2 rules about spammers is that spammers
lie.

> What can i do to protect my client from this happening again?

I think your client's reputation is shot. I think your client should
get out of the spamvertising business. Maybe they should consider
sinking some big bucks into a snail mail campaign. That is 'legitimate'
unsolicited bulk marketing mailing.

> I know
> how to stop spam from coming in and going out of my clients' networks,

You haven't proven that to anyone involved yet.

> but how do you every kid in the world from shutting down your
> business?

How do you keep every spammer in the world from screaming, "I've been
joe-jobbed! I didn't send out the spam spamvertising my product."

The answer is, I guess you don't.

No one is interested in hearing the spamvertiser joejob story unless you
can prove it, which you can't.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Nov 2 19:00:52 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Nov 2 22:05:04 2005
Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again)
References:
Message-ID:

spamacyde wrote:
> Over the past three days, 95% of the spam I've been getting contains
> no message subject and no body.
> This supports my contention that
> spammy's motivations are political rather than financial. Or perhaps
> spammy is pissed off at my reporting efforts. Anybody else
> experiencing a rash of blank emails?

Not I.

Anytime you think there is some kind of extra special unique situation
going on, you should consider the more likely possibilities.

It isn't likely that someone is intentionally spewing out payload-less
spams. It is more likely that something is broken.

Some zombies are very fragile. If the zombie is b0rken, its performance
is whacky.

--
Mike Easter
kibitzer, not SC admin

From g.hyde at bigpond.net.au Thu Nov 3 13:45:26 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Wed Nov 2 22:50:06 2005
Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns
References:
Message-ID:

"Mike Easter" wrote in message news:dkbubq$lbe$1@news.spamcop.net...
> Ted Nathan wrote:
>
>> I am new to this group, but I have a problem and this seemed to be the
>> first logical place to look for an answer.
>
> Bear in mind that there are skeptics in here. Including me.

I'm pretty skeptical, too. Especially after checking his posting host
and the from address listed on the news message. They both resolve to
apparently unrelated hosts.

>> I have a client who had a marketing company create a news piece from
>> distribution via e-mail. Unfortunately, it was sent out prematurely
>> and to people who did not ask for it, thus it was spam.
>
> Some people say, 'Once a spammer always a spammer; the spammer just
> tries to figure out ways to cover hir tracks.'

Either that or someone needs another award.

>> They
>> understand the mistake that was made, especially when Google and
>> Microsoft start screaming at you. So this was strike one.
>
> It doesn't matter whether it was google or MS or spamcop or whoever.
> Unsolicited mail is going to get reported various ways. There are
> blocklists for spamsources and there are also blocklists such as spews
> which target the spamvertiser.
Fact is they probably encountered someone new to spamming, as it seems
such people are commonplace. Then this person comes here and tries to
get himself off. I rather doubt it'll be happy days for him anytime
soon.

>> A few days later, some kid out of France sent the exact same
>> announcement out as spam again.
>
> Now you are alleging what? That your spamvertiser client commissioned a
> spammer to use a .fr spamsource? That all of a sudden the once spammer
> is now a victim of a joe-job pretending to be spamvertising your client?
> Of the two, it is more likely that your client is the spamvertiser and
> the spamsource is somehow the .fr 'kid'.

Either that or they are their partner in spamming. It sounds just as
likely as a legitimate corporation accidentally hiring a spammer to do
their marketing work, and promptly getting landed in the SCBL et al like
a fish hooked by a worm on a fishing line.

>> Microsoft and Google and others called
>> the ISP and had them shutdown. And it happened again today.
>
> That's what happens when you are spamvertised and your website provider
> doesn't believe the hokey spamvertiser story. Antispammers have heard
> spammer lies before. The first 2 rules about spammers is that spammers
> lie.

Rule #3, if spammer complains that they're not lying refer them to rules
#1 and #2.

>> What can i do to protect my client from this happening again?
>
> I think your client's reputation is shot. I think your client should
> get out of the spamvertising business. Maybe they should consider
> sinking some big bucks into a snail mail campaign. That is 'legitimate'
> unsolicited bulk marketing mailing.

They should announce a "going out of business" sale, or advertise their
real estate that they own for sale or rent. Or if they're renting, see
if they can avoid getting entangled in their renter's penalty clause.
Other than that probably quit being a target.
>> I know
>> how to stop spam from coming in and going out of my clients' networks,
>
> You haven't proven that to anyone involved yet.

It probably means they filter their incoming mail for junk like most
spammers probably would, so this spamcop report is just another spam
item to them. If they want to prove they're legitimate and have some
kind of legitimate reason to be mailing people who do want their news
letter, let them prove it.

>> but how do you every kid in the world from shutting down your
>> business?
>
> How do you keep every spammer in the world from screaming, "I've been
> joe-jobbed! I didn't send out the spam spamvertising my product."
>
> The answer is, I guess you don't.
>
> No one is interested in hearing the spamvertiser joejob story unless you
> can prove it, which you can't.

It would be interesting indeed, if he tries to prove it. I really was
wondering if this guy was a spammer trying to get off the SCBL et al.

--
Cheers ... Geoffrey Hyde

From MikeE at ster.invalid Wed Nov 2 19:45:50 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Nov 2 22:50:11 2005
Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns
References:
Message-ID:

Just so we can talk about some real stuff instead of some kind of
imaginary hypothesis.

Ted Nathan wrote:
> I have a client who had a marketing company create a news piece from
> distribution via e-mail.

What was the website being spamvertised? that is, provide a link.

> So this was strike one.

Does that mean that a website provider shut them down? Which one?

> A few days later, some kid out of France sent the exact same
> announcement out as spam again.

Does that mean that you can actually name the 'kid'? Or are you just
making something up? If you can't name the kid, name the IP address
that you are alleging sent out spam against the wishes of your client.

> Microsoft and Google and others called
> the ISP and had them shutdown.
Does that mean that another different website provider shut down the
spamvertised site again, or the same website provider shut down the same
spamvertising website again?

> And it happened again today.

Does that mean that your spamvertising client has been shut down for
spamvertising 3 times? By the same website provider or by different
ones? Is your client listed in spamhaus in the Registry of Known Spam
Operations database of professional spam operations that have been
terminated by a minimum of 3 Internet Service Providers for spam
offenses?

Is your role in all of this to be lied to by your spamvertising client
who is claiming to be innocent of spamvertising, or what?

> What can i do to protect my client from this happening again?

What exactly are you claiming is 'happening'? Explain in exact detail
what you mean 'happening again'.

Presumably this http://www.idyllicsys.com/default.htm is 'you' which
domainname is registered to Ted Nathan -- ie the company who has the as
yet unnamed spamvertiser client.

Who/what is the client?

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Nov 2 20:09:09 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Nov 2 23:10:03 2005
Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns
References:
Message-ID:

Geoffrey Hyde wrote:
> Especially after checking his posting
> host and the from address listed on the news message. They both
> resolve to apparently unrelated hosts.

His posting host is just an EarthLink cable modem running on TW/RR
infrastructure in Michigan, while his posted address is that of his
company's domainname and mailserver, which company is also based in MI.

Nothing odd about all that.
--
Mike Easter
kibitzer, not SC admin

From nospam at nospam.nl Thu Nov 3 05:25:00 2005
From: nospam at nospam.nl (geo_splash_12)
Date: Wed Nov 2 23:30:02 2005
Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns
In-Reply-To:
References:
Message-ID:

Ted Nathan wrote:
> I am new to this group, but I have a problem and this seemed to be the
> first logical place to look for an answer.
>
> I have a client who had a marketing company create a news piece from
> distribution via e-mail. Unfortunately, it was sent out prematurely
> and to people who did not ask for it, thus it was spam. They
> understand the mistake that was made, especially when Google and
> Microsoft start screaming at you. So this was strike one.
>
> A few days later, some kid out of France sent the exact same
> announcement out as spam again. Microsoft and Google and others called
> the ISP and had them shutdown. And it happened again today.
>
> What can i do to protect my client from this happening again? I know
> how to stop spam from coming in and going out of my clients' networks,
> but how do you every kid in the world from shutting down your
> business?

If you want to start a discussion in this newsgroup, then we certainly
would like to see a tracking URL of the e-mail examples that you
discuss.

>
> TIA
>
> Ted

From Nobody at SpamCop.net.dev.null Wed Nov 2 22:31:22 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Nov 2 23:35:03 2005
Subject: [SpamCop-List] "Doctor" Slides Past Postini
Message-ID: <4369929A.9545752E@SpamCop.net.dev.null>

Posters to another newsgroup on an ISP that uses Postini filtering
services are expressing frustration that they can't keep Leo Kuvayev's
"Doctor"/"Online Pharmaceuticals" drug spams out of their mailboxes.
Postini is apparently ineffectual at keeping them out. Leo's ring has
a username list courtesy of a dictionary attack Michael Lindsay executed
about 18 months ago.
Recent example that I received:

http://www.spamcop.net/sc?id=z821549247z6e7fe470733e39184cc65980fec5587cz

Is there anything special about these spams, that would enable them to
evade Postini's filtering?

Michael B.

From Nobody at SpamCop.net.dev.null Wed Nov 2 22:37:33 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Wed Nov 2 23:40:02 2005
Subject: [SpamCop-List] Telenor Rogers Up
Message-ID: <4369940D.7F40987C@SpamCop.net.dev.null>

I manually LARTed Telenor.net after a SpamCop note indicated they don't
accept SpamCop reports "unmunged", or don't accept them at all. After
about three days, I did get the right response from their abuse desk.

____________________________________________________________

From : Telenor Abuse Response Team
Sent : Wednesday, November 2, 2005 4:40 AM
To : x
CC : abuse@telenor.net
Subject : Your Open Proxy Hosts Spamrun

At 23:44 CEST 2005-10-28 wrote:
> Gentlemen:
>
> Attached is a SpamCop notice I just sent up. Your server is being used for
> spamruns. Please secure your server, thanks.
>
> Best regards,
> Michael Brennan
>
> _________________________________________________

We have added a block to this account, which we believe will stop
further problems of this kind. The customer will also be notified.
Please excuse the inconvenience.

--
Abuse Response Team
abuse@telenor.net
Telenor

_________________________________________________________________

Their response would seem to entitle Telenor to a white hat.

Michael

From spamcop-list-at-news.spamcop.net at musaic.net Thu Nov 3 07:26:14 2005
From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net)
Date: Thu Nov 3 01:26:38 2005
Subject: [SpamCop-List] Telenor Rogers Up
In-Reply-To: <4369940D.7F40987C@SpamCop.net.dev.null>
References: <4369940D.7F40987C@SpamCop.net.dev.null>
Message-ID: <253246689.20051103072614@musaic.net>

> Their response would seem to entitle Telenor to a white hat.
I am not sure - they are certainly slow taking down spamvertised sites
unless the offender also sent spam from their network. This is a known
trick amongst Scandinavian spammers: Spam from one network, make sure it
is not affiliated with Telenor, spamvertised site is not taken down
(except when illegal).

We have seen sites alive for months this way - even a notorious slimming
"remedy" spammer Rune Olav Halvorsrud got away with it spamvertising a
bunch of illegal sites, illegal because the "companies" he spamvertised
didn't exist *etc* *etc*

Telenor did not act on any spam complaint unless the _mail_ was sent
thru their servers. It didn't count that the _websites_ had Telenor IPs
assigned...

Whitehat? Slow? Clueless?

--
St

PS! Michael, you added your comment below Telenor's signature limiter -
which means that when replying to your message, everything except your
comment was quoted (and I had to manually add it to the reply). May I
recommend you to please edit your quotations a bit... ;)

From Nobody at SpamCop.net.dev.null Thu Nov 3 00:44:44 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Thu Nov 3 01:45:03 2005
Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To?
References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null>
Message-ID: <4369B1DC.216FBDCA@SpamCop.net.dev.null>

Mike Easter wrote:
>
> "Michael Brennan" wrote:
>> Mike Easter wrote:
>>
>> In order to keep the agencies in usably fresh
>> product, I'd still have to sort and forward the items manually by
>> content.
>
> I have no idea what that sentence means.

I mean that sorting is content-based.
Pharmacy spams go to one list (FDA, for their anti-diversion project,
SpamCop parser, etc.), "phony Rolex" spams go to another (FBI
CyberCrime, for the FBI's counterfeit-merchandise project, plus SpamCop
and others), "mortgage" phishes to yet another (Secret Service FCD,
Netcraft, BankSafeOnline U.K., SpamCop, etc.); and of course all the
lists include Postini, which filters for my ISP (I don't use their
service, but I don't mind feeding it), and the UCE group at FTC.

That sorting has to be done manually. Then I send all the like-kind
spams together as one "send" to each list, which is kept separately as
an OE addressbook group.

Michael

From jg at coks.net Wed Nov 2 23:00:32 2005
From: jg at coks.net (jg)
Date: Thu Nov 3 02:00:03 2005
Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again)
In-Reply-To:
References:
Message-ID:

On 11/2/2005 7:00 PM Mike Easter scribbled:
> spamacyde wrote:
>
>> Over the past three days, 95% of the spam I've been getting contains
>> no message subject and no body. This supports my contention that
>> spammy's motivations are political rather than financial. Or perhaps
>> spammy is pissed off at my reporting efforts. Anybody else
>> experiencing a rash of blank emails?
>
> Not I.
>
> Anytime you think there is some kind of extra special unique situation
> going on, you should consider the more likely possibilities.
>
> It isn't likely that someone is intentionally spewing out payload-less
> spams. It is more likely that something is broken.
>
> Some zombies are very fragile. If the zombie is b0rken, its performance
> is whacky.
>

Having read that, I need to chime in that I have been getting an
inordinate (for me) number of said blank crap in the past week - so
something must indeed be borken - maybe a BIG zombie...
From Nobody at SpamCop.net.dev.null Thu Nov 3 01:00:51 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Thu Nov 3 02:05:03 2005
Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To?
References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null>
Message-ID: <4369B5A3.80C72E28@SpamCop.net.dev.null>

"Jeff G." wrote:
>
> "Mike Easter" wrote in message
> news:dk67su$kf7$1@news.spamcop.net...
> > "Michael Brennan" wrote:
> > > In order to keep the agencies in usably fresh
> > > product, I'd still have to sort and forward the items manually by
> > > content.
> >
> > I have no idea what that sentence means.
>
> I think Michael is talking about doing manual sorting so that he can
> keep sending the appropriate fresh spam (product) to the appropriate
> Federal Agencies (FTC, FDA, FBI, etc.)

Yes, exactly. Thanks.

Sometimes time isn't necessarily of the essence, but I began to think in
terms of timeliness when dealing with "pump & dump" spams that came in a
few hours before the scheduled start of trading in New York. I wanted
to make sure the SEC got those timely. On second thought, I might have
forwarded them to the NASD or the NYSE as well. Talk about spoiling
someone's play -- the exchanges can make that happen.

Michael

From g.hyde at bigpond.net.au Thu Nov 3 17:00:45 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Thu Nov 3 02:10:02 2005
Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini
References: <4369929A.9545752E@SpamCop.net.dev.null>
Message-ID:

I'm not an expert by any means, it sounds like you're filtering at a
client-side level, unless you have access to some server-side filtering
software (which is what most mailhost software for ISP applications
lacks) really the only other thing I know of is to find the injecting IP
and follow up with a formal complaint to the owner of that address.
Which SpamCop has already done for you.
The other thing that worries me is one spam is not much to worry about
and it also is not much to go on either. Perhaps if you had multiple
spams for people to examine they could give you a better idea of what to
block.

If the mail filtering software for the clients has some kind of
filtering setup, you can set it up to reject these mails based on
keywords in the message body of the spam. Pharmaceuticals would be a
good one, but if you don't have filtering software try googling for
something, there are plenty of programs designed to filter out spam on
the internet. A trainable filter can usually weed out spams like this
with bogus keywords in the message body, or at least can be trained to
recognize them.

Cheers ... Geoffrey Hyde

"Michael Brennan" wrote in message
news:4369929A.9545752E@SpamCop.net.dev.null...
> Posters to another newsgroup on an ISP that uses Postini filtering
> services are expressing frustration that they can't keep Leo Kuvayev's
> "Doctor"/"Online Pharmaceuticals" drug spams out of their mailboxes.
> Postini is apparently ineffectual at keeping them out. Leo's ring has
> a username list courtesy of a dictionary attack Michael Lindsay executed
> about 18 months ago.
>
> Recent example that I received:
>
> http://www.spamcop.net/sc?id=z821549247z6e7fe470733e39184cc65980fec5587cz
>
> Is there anything special about these spams, that would enable them to
> evade Postini's filtering?
>
> Michael B.
From Nobody at SpamCop.net.dev.null Thu Nov 3 03:05:41 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Thu Nov 3 04:10:23 2005
Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini
References: <4369929A.9545752E@SpamCop.net.dev.null>
Message-ID: <4369D2E5.248C5F34@SpamCop.net.dev.null>

Geoffrey Hyde wrote:
>
> I'm not an expert by any means, it sounds like you're filtering at a
> client-side level, unless you have access to some server-side filtering
> software (which is what most mailhost software for ISP applications lacks)
> really the only other thing I know of is to find the injecting IP and follow
> up with a formal complaint to the owner of that address. Which SpamCop has
> already done for you.

Postini supposedly filters on the server side. ISP reroutes to Postini,
who filters and sends it back.

> The other thing that worries me is one spam is not much to worry about and
> it also is not much to go on either. Perhaps if you had multiple spams for
> people to examine they could give you a better idea of what to block.

Well, as it happens, I just got another one since I posted that, and I
reported it here:

http://www.spamcop.net/sc?id=z822669466z253d826558df28c70266e653934148daz

> A trainable filter
> can usually weed out spams like this with bogus keywords in the message
> body, or at least can be trained to recognize them.

I made the same suggestion to the people on the other newsgroup who were
complaining about these spams from this particular spammer, which appear
to be unique in their ability consistently to defeat whatever Postini is
doing.

Regards,
Michael

From nobody at xyzzy.claranet.de Thu Nov 3 14:22:40 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Thu Nov 3 08:25:03 2005
Subject: [SpamCop-List] Re: Geocities problem still unsolved
References: <43663619.A9@xyzzy.claranet.de>
Message-ID: <436A0F20.4804@xyzzy.claranet.de>

> the geocities link problem is (again ?)
> as bad as always,

Today's statistics: 27 + 41 + 13 + 24 + 50 = 155 reloads for 5 geospam
reports, that's 31 reloads per report.

Bye

From MikeE at ster.invalid Thu Nov 3 07:29:06 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Nov 3 10:30:04 2005
Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To?
References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B1DC.216FBDCA@SpamCop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Mike Easter wrote:
>>
>> "Michael Brennan" wrote:
>>> Mike Easter wrote:
>>>
>>> In order to keep the agencies in usably fresh
>>> product, I'd still have to sort and forward the items manually by
>>> content.
>>
>> I have no idea what that sentence means.
>
> I mean that sorting is content-based. Pharmacy spams go to one list
> (FDA, for their anti-diversion project, SpamCop parser, etc.), "phony
> Rolex" spams go to another (FBI CyberCrime, for the FBI's
> counterfeit-merchandise project, plus SpamCop and others), "mortgage"
> phishes to yet another (Secret Service FCD, Netcraft, BankSafeOnline
> U.K., SpamCop, etc.); and of course all the lists include Postini,
> which filters for my ISP (I don't use their service, but I don't mind
> feeding it), and the UCE group at FTC.
>
> That sorting has to be done manually. Then I send all the like-kind
> spams together as one "send" to each list, which is kept separately as
> an OE addressbook group.

Now I understand, but....

Well, call me a 'grizzled old doubting Thomas' -- who has also learned
on which battlefields or skirmishes to sacrifice my troops and where to
not waste my efforts.

I don't honestly believe that the FDA, FBI, FCD, et al actually open the
spams which they are sent, but instead I think it is more likely that
they are 'processed' by some kind of automated gizmo looking for
something that they are currently 'working on'.
And everything which isn't pertinent to what they are working on is just put into the big fat pile of stuff they aren't working on. Given that hypothetical scenario, that means that all of the effort you are going to to characterize and sort your spam into referral piles is 'wasted' -- depending upon your or my definition of wasted. It isn't wasted if you just like to be very very orderly, but it is probably wasted in terms of how well you have used your time sorting your spam for someone else who isn't looking at the results of the sorting. And that someone else probably has much more efficient methods for finding what they are looking for that your own sorting and characterizing methods. That being sed.... It would probably work just as well for you to create a little text which explains that you haven't sorted your spam and that you are sending it all to the various agencies -- and let them sort it out for themselves. That is, the FDA wouldn't be just getting pharm spam, the FDA would be getting all your spam. The financial crimes FCD wouldn't be getting just the mortgage spam, they would be getting all your spam. Color me skeptical, but it doesn't make much sense to me to have a human bean 'manually' handling all his spam, so as to have his human touch on what he sends to some big bad machine which is able to comb thru' millions of items an hour looking for just what it wants. That is, I don't think your activities represent one human spam recipient sending a copy of something to one human FDA agent. 
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Nov 3 07:48:39 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 10:50:02 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> Message-ID: Michael Brennan wrote: www.spamcop.net/sc?id=z821549247z6e7fe470733e39184cc65980fec5587cz > > Is there anything special about these spams, that would enable them to > evade Postini's filtering? Michael Brennan wrote: > Well, as it happens, I just got another one since I posted that, and I > reported it here: > www.spamcop.net/sc?id=z822669466z253d826558df28c70266e653934148daz I can't answer the question the way you posed it as a postini issue, but I can address the specifics of those two spams with a generality. For me, the most important characteristic of a spam is its headers; and my spamfilter 'likes' [and uses] blocklists. Those two spams were both sourced from IPs which are listed 'all over the place' -- that is, each had an IP in the headers and which the server received the item from, which was multilisted as an abused proxy/trojan spamsource. The IP of the 2nd was listed in CBL [spamtrap hits as a proxy/trojan] which puts it into SBL-XBL, another popular blocklist, NJABL-proxies [spamtrap hits as proxy/trojan] and SCbl [spamtrap and reporter as spamsource]. It was also listed in other blocklists, but those are the majors which a good filter could be paying attention to. The IP of the first was listed in CBL, DNSBL, SBL-XBL, and others. I didn't look at the spambody to see if it had body characteristics which might've been found by my filter's body plugin, because I don't like to look at spambodies unnecessarily. It wouldn't be necessary for my filter to even look at the body to tag it as a spam because of the blocklisted condition found in the headers. 
--
Mike Easter
kibitzer, not SC admin

From jg at coks.net Thu Nov 3 08:11:23 2005
From: jg at coks.net (jg)
Date: Thu Nov 3 11:10:02 2005
Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To?
In-Reply-To: <4369B5A3.80C72E28@SpamCop.net.dev.null>
References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null>
Message-ID:

On 11/2/2005 11:00 PM Michael Brennan scribbled:
> forwarded them to the NASD or the NYSE as well. Talk about spoiling
> someone's play -- the exchanges can make that happen.
>
> Michael

I've not seen anywhere that the NYSE gets actively involved. Have you? I do know that the NASD doesn't want to hear /anything/ unless the spam is proven to be from a NASD member - so says their site, or so /said/ their site - I haven't revisited it in a while. It makes sense - they have their own fish to fry with lame brokers, telemarketers, and so-called advisors...

From nobody at xyzzy.claranet.de Thu Nov 3 18:03:44 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Thu Nov 3 12:05:03 2005
Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini
References: <4369929A.9545752E@SpamCop.net.dev.null>
Message-ID: <436A42F0.38B2@xyzzy.claranet.de>

Mike Easter wrote:
> my spamfilter 'likes' [and uses] blocklists. Those two
> spams were both sourced from IPs which are listed 'all
> over the place'

You checked this about 11 hours after Michael reported it, so maybe it was different when this stuff hit "postini" - just a random thought.

Bye, Frank

From MikeE at ster.invalid Thu Nov 3 09:37:22 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Nov 3 12:40:03 2005
Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini
References: <4369929A.9545752E@SpamCop.net.dev.null> <436A42F0.38B2@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> Mike Easter wrote:
>
>> my spamfilter 'likes' [and uses] blocklists.
>> Those two
>> spams were both sourced from IPs which are listed 'all
>> over the place'
>
> You checked this about 11 hours after Michael reported it,
> so maybe it was different when this stuff hit "postini" -
> just a random thought.

Yeah, I tho't about that, but there wasn't any perfect way to address that issue.

218.238.26.80 got listed in cbl 2005-10-31 05:00 GMT -- but 220.84.164.47 didn't get listed there until 2005-11-03 07:00 GMT

However, 220.84.164.47 got listed in DSBL last 2004 Oct, and it got listed in NJABL-proxies Sun Oct 24 06:22:23 2004 EST

Since my filter uses both cbl & njabl [indirectly] as well as a number of others, it would have tagged both of those. Or, said another way, just using spamhaus sbl-xbl, which embraces cbl & njabl as well as blitzed, would have solved the problem.

--
Mike Easter
kibitzer, not SC admin

From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 18:35:31 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Nov 3 13:40:03 2005
Subject: [SpamCop-List] Re: Dave/Null not such a popular reporting address any longer
References: <435FD71A.D1D5FCA0@SpamCop.net.dev.null>
Message-ID:

Steven Maesslein wrote in news:slrndm3ut5.3ra.nobody@127.0.0.1:

>
> > They can pull "kr." out of the root DNS servers...
>
> They can.. but they won't yank a complete country out.
>
> Before:
>
> $ dig @a.root-servers.net kr in soa
>
> ; <<>> DiG 9.3.1 <<>> @a.root-servers.net kr in soa
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49051
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 9
>
> ;; QUESTION SECTION:
> ;kr. IN SOA
>
> ;; AUTHORITY SECTION:
> kr. 172800 IN NS A.DNS.kr.
> kr. 172800 IN NS C.DNS.kr.
> kr. 172800 IN NS B.DNS.kr.
> kr. 172800 IN NS D.DNS.kr.
> kr. 172800 IN NS E.DNS.kr.
> kr. 172800 IN NS F.DNS.kr.
> kr. 172800 IN NS G.DNS.kr.
>
> ;; ADDITIONAL SECTION:
> A.DNS.kr. 172800 IN A 202.30.50.50
> C.DNS.kr. 172800 IN A 203.248.240.141
> B.DNS.kr. 172800 IN A 211.216.50.130
> D.DNS.kr. 172800 IN A 203.255.234.103
> E.DNS.kr. 172800 IN AAAA 2001:dcc:5::100
> E.DNS.kr. 172800 IN A 202.30.124.100
> F.DNS.kr. 172800 IN A 210.94.0.15
> G.DNS.kr. 172800 IN AAAA 2001:dc5:a::1
> G.DNS.kr. 172800 IN A 202.31.190.1
>
> ;; Query time: 135 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Fri Oct 28 12:19:16 2005
> ;; MSG SIZE rcvd: 304
>
>
> Afterwards:
>
> $ dig @a.root-servers.net kr in soa
>
> ; <<>> DiG 9.3.1 <<>> @a.root-servers.net kr in soa
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16462
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;kr. IN SOA
>
> ;; AUTHORITY SECTION:
> . 86400 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2005102701 1800 900 604800 86400
>
> ;; Query time: 135 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Fri Oct 28 12:19:49 2005
> ;; MSG SIZE rcvd: 95
>
>
> >:o)
>

Show off. :-)

From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 18:35:33 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Nov 3 13:40:07 2005
Subject: [SpamCop-List] Re: Dave/Null not such a popular reporting address any longer
References: <435FD71A.D1D5FCA0@SpamCop.net.dev.null>
Message-ID:

"Geoffrey Hyde" wrote in news:djst5q$pp5$2@news.spamcop.net:

>
> And yet, they appear to have quite successfully setup a network that
> allows spammers to easily target people outside of kornet/shinbiro ...
>

Probably because their routers probably still have the default password for admin access?

>
> Wow, I wonder what they'd say if someone handed them a trace utility
> and a frequency tracer for the physical lines, and told them where to
> go to find and fix the problem servers??? Or did they just happen to
> be so bad at server installation that they accidentally forgot to
> write down where these servers were installed.
I smell a Korean rat > here, quite possibly the main nest. > I do too. It just goes beyond logic that they would be THAT clueless about this. > > Either they are very bad at managing their internet systems, or they > don't really care what our problems with their systems are. > My feeling has shifted between these two.. but usually average in between. On the one hand why care if they are making money, and why bother learning how to manage if there is nothing to care about. Simply plug and play, and that is it. > > From what you're telling me here, that could take a while. Do > you want to snail mail them some really big hints? ;) > I'm going to save my stamps. They've already received enough hints from enough people. :-) From porpoise1954 at yahoo.co.uk Thu Nov 3 18:24:42 2005 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Nov 3 13:45:02 2005 Subject: [SpamCop-List] Ping Mike E Message-ID: Mike, Can you make any sense out of this? I can't quite figga what I'm looking at........ http://www.spamcop.net/sc?id=z822825219zde4c34f6e5134c1955396a200fe3351ez From MikeE at ster.invalid Thu Nov 3 10:56:16 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 14:00:03 2005 Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini References: <4369929A.9545752E@SpamCop.net.dev.null> <4369D2E5.248C5F34@SpamCop.net.dev.null> Message-ID: Michael Brennan wrote: > Postini supposedly filters on the server side. ISP reroutes to > Postini, who filters and sends it back. The problem with that arrangement is that the healthiest and most efficient way to filter something at the server level would be to reject something very early in the transaction; namely in this case the sending IP could be the basis for the rejection at the gitgo. But that would depend upon the recipient server being able to reject the mail from the sending spamsource dynamic IP. 
But, if you have some kind of arrangement by which an ISP has accepted a mail for delivery, rejecting doesn't work any more, so then the only thing you can do with *everything* is to 'process it' and tag it as spam or not. That is, server level filtering is 'worthless' in that scenario you described. The recipient would want their server to do *zero* filtering, and the client should take care of all of their own filter-tagging with a client side filter. You can configure your own client side filter much better than most servers offer you; with the exception of a service such as spamcop's mail service. The server level filter in your described configuration wouldn't be able to reject mail correctly, so there is nothing healthy the server can do. Else it would belatedly bounce to bogus From or possibly lose goodmail. > I made the same suggestion to the people on the other newsgroup who > were complaining about these spams from this particular spammer, > which appear to be unique in their ability consistently to defeat > whatever Postini is doing. I don't know what postini is doing for the people who are complaining, but if I'm understanding the configuration correctly, the only thing you would want the server-side filter to do would be to tag the item for sorting. You wouldn't want it to do anything else. If I were going to be receiving all of my spam tagged for 'sorting' - I would rather be using my own client filter which would be much more configurable to my tastes than someone else's server. -- Mike Easter kibitzer, not SC admin From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:09:42 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 14:10:03 2005 Subject: [SpamCop-List] Re: chinese spam References: Message-ID: "mikeyhsd" wrote in news:djt8jd$9i$1 @news.spamcop.net: > seeing as how it is in chinese, I hve no REAL idea what it is. > but it has been reported to phishing.org to be safe. 
Can't be faulted for erring on the side of caution. :-)

From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:14:41 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Nov 3 14:15:04 2005
Subject: [SpamCop-List] Telenor Rogers Up
References: <4369940D.7F40987C@SpamCop.net.dev.null>
Message-ID:

"St - Musaic.Net" wrote in news:mailman.115.1130999192.169.spamcop-list@news.spamcop.net:

>
> Whitehat? Slow? Clueless?
>

Probably greyhat. I'm not sure, but it would depend on what their TOS states. It may be out of date. ISPs used to kick out spammers if they sent spam using the ISP's own network. However, it became a grey area when it was only a hosted site. (As that the TOS made no mention about spamvertised hosted sites.)

From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:26:30 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Nov 3 14:30:02 2005
Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns
References:
Message-ID:

"Mike Easter" wrote in news:dkbubq$lbe$1@news.spamcop.net:

> Ted Nathan wrote:
>
>> I am new to this group, but I have a problem and this seemed to be
>> the first logical place to look for an answer.
>
> Bear in mind that there are skeptics in here. Including me.
>

Am too. But am willing to give the benefit of the doubt sometimes.

>
>> They
>> understand the mistake that was made, especially when Google and
>> Microsoft start screaming at you. So this was strike one.
>
> It doesn't matter whether it was google or MS or spamcop or whoever.
> Unsolicited mail is going to get reported various ways. There are
> blocklists for spamsources and there are also blocklists such as spews
> which target the spamvertiser.
>

MS and Google don't say anything unless they received a significant amount of spam implicating a particular source. There must have been thousands if it got their attention and over a significant period of time too.
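Mike Easter's posts earlier in this digest describe tagging spam from the IP the receiving server actually got the connection from, checked against blocklists such as CBL, NJABL and SBL-XBL, and (in the later Ping Mike E thread) treating a helo that claims the recipient's own domain from an unrelated IP as a giveaway. The Python below is an added example of those two checks, not code from any poster; the Received: lines, the offline resolver table and its listing are constructed for the example, and the return-code mapping follows Spamhaus's documented sbl-xbl codes.

```python
import re
import socket
from ipaddress import ip_address
from typing import Callable, Dict, Optional

# Spamhaus's documented A-record return codes for sbl-xbl.spamhaus.org:
# 127.0.0.2-3 are SBL (spam sources), 127.0.0.4-7 are XBL, which carries
# the CBL proxy/trojan listings the thread refers to.
SBL_XBL_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
}

# "from <helo> (<rdns> [<ip>])" as most MTAs stamp it. The helo is whatever
# the sender claimed and the rDNS is a lookup the receiver did; the bracketed
# IP is the address the connection really came from, the only part a
# blocklist check should trust.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*\((?:(?P<rdns>[^\s\[\]]+)\s*)?\[(?P<ip>[0-9.]+)\]\)",
    re.IGNORECASE,
)

Resolver = Callable[[str], Optional[str]]


def parse_received(line: str) -> Optional[Dict[str, str]]:
    """Pull helo, rDNS and connecting IP out of one Received: header line."""
    m = RECEIVED_RE.search(line)
    if m is None:
        return None
    return {"helo": m["helo"], "rdns": m["rdns"] or "", "ip": m["ip"]}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reversed-octet lookup name, e.g. 1.87.88.200.sbl-xbl.spamhaus.org."""
    if ip_address(ip).version != 4:
        raise ValueError("this example handles IPv4 listings only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def live_resolve(name: str) -> Optional[str]:
    """Real DNS lookup; an unlisted IP yields NXDOMAIN, i.e. socket.gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_check(ip: str, zone: str, resolve: Resolver = live_resolve) -> Optional[str]:
    """None when not listed, else the sub-list name ('LISTED' for unknown codes)."""
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    return SBL_XBL_CODES.get(answer, "LISTED")


def helo_claims_our_domain(helo: str, our_domain: str) -> bool:
    """True when an outside host greets with the recipient's own domain name."""
    helo = helo.lower().rstrip(".")
    ours = our_domain.lower().rstrip(".")
    return helo == ours or helo.endswith("." + ours)


def classify(received_line: str, our_domain: str,
             resolve: Resolver = live_resolve,
             zone: str = "sbl-xbl.spamhaus.org") -> Dict[str, object]:
    """Tag one message from its top Received: line: blocklist first, helo second."""
    info = parse_received(received_line)
    if info is None:
        return {"verdict": "unparsed"}
    listing = dnsbl_check(info["ip"], zone, resolve)
    bogus_helo = helo_claims_our_domain(info["helo"], our_domain)
    if listing is not None:
        verdict = "spam"
    elif bogus_helo:
        verdict = "suspect"
    else:
        verdict = "ham"
    return {**info, "listing": listing, "bogus_helo": bogus_helo, "verdict": verdict}


# Constructed sample data, not real blocklist results: a Received: line
# modelled on the one discussed in the Ping Mike E thread, a clean one,
# and a tiny offline stand-in for the DNSBL zone.
SAMPLE_RECEIVED = (
    "Received: from srenterprises.co.uk (1samana87.codetel.net.do [200.88.87.1]) "
    "by mx.kundenserver.de with ESMTP; Thu, 3 Nov 2005 09:10:11 +0100"
)
CLEAN_RECEIVED = (
    "Received: from mail.example.org (mail.example.org [198.51.100.7]) "
    "by mx.kundenserver.de with ESMTP; Thu, 3 Nov 2005 09:12:00 +0100"
)
CONSTRUCTED_LISTINGS = {"1.87.88.200.sbl-xbl.spamhaus.org": "127.0.0.4"}  # pretend XBL hit


def offline_resolve(name: str) -> Optional[str]:
    """Stand-in resolver so the example runs without network access."""
    return CONSTRUCTED_LISTINGS.get(name)


if __name__ == "__main__":
    for line in (SAMPLE_RECEIVED, CLEAN_RECEIVED):
        print(classify(line, "srenterprises.co.uk", resolve=offline_resolve))
```

Swap `offline_resolve` for the default `live_resolve` to query the real zone; note that a listing check is only meaningful on the Received: line stamped by a server you trust, since anything below it can be forged.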
From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:35:05 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Nov 3 14:40:04 2005
Subject: [SpamCop-List] Re: Unreported Spam Saved: Report Now = message report :
References:
Message-ID:

"cd" wrote in news:dkaran$20k$1@news.spamcop.net:

> Gateway Timeout
> The proxy server did not receive a timely response from the upstream
> server. Reference #1.93ec0f50.1130950735.980cbb9
>
>
>

These errors happen to me occasionally. I just wait about 5-15 minutes and it is fine after that.

From nospam at nospam.nl Thu Nov 3 20:42:05 2005
From: nospam at nospam.nl (geo_splash_12)
Date: Thu Nov 3 14:45:02 2005
Subject: [SpamCop-List] Re: Ping Mike E
In-Reply-To:
References:
Message-ID:

Porpoise wrote:
> Mike,
>
> Can you make any sense out of this? I can't quite figga what I'm looking
> at........
>
> http://www.spamcop.net/sc?id=z822825219zde4c34f6e5134c1955396a200fe3351ez
>
>
>

Perhaps an incomplete mail header, or something that hasn't left a local domain.

From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 19:57:04 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Nov 3 15:00:03 2005
Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again)
References:
Message-ID:

jg wrote in news:dkccf2$sdk$1@news.spamcop.net:

> On 11/2/2005 7:00 PM Mike Easter scribbled:
>
>> spamacyde wrote:
>>
>>>Over the past three days, 95% of the spam I've been getting contains
>>>no message subject and no body. This supports my contention that
>>>spammy's motivations are political rather than financial. Or perhaps
>>>spammy is pissed off at my reporting efforts. Anybody else
>>>experiencing a rash of blank emails?
>>
>>
>> Not I.
>>
>> Anytime you think there is some kind of extra special unique
>> situation going on, you should consider the more likely possibilities.
>>
>> It isn't likely that someone is intentionally spewing out
>> payload-less spams.
It is more likely that something is broken. >> >> Some zombies are very fragile. If the zombie is b0rken, its >> performance is whacky. >> > Having read that, I need to chime in that I have been getting an > inordinate (for me) number of said blank crap in the past week - so > something must indeed be borken - maybe a BIG zombie... > About 10% of the spam I receive is like that. (It is even more broken than that since it sometimes chews up the spammer's fake headers too.) Either way, it is a disappointment to the spammer since all those zombies will be on the SCBL for spams without a payload. :-) From MikeE at ster.invalid Thu Nov 3 11:57:09 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 15:00:08 2005 Subject: [SpamCop-List] Re: Ping Mike E References: Message-ID: Porpoise wrote: > Mike, > > Can you make any sense out of this? I can't quite figga what I'm > looking at........ > www.spamcop.net/sc?id=z822825219zde4c34f6e5134c1955396a200fe3351ez It would be useful to know what mailbox you found that in. The structure of the topheader is from a server directly into a mailbox. [or alternatively a faulty server which didn't get its line stamped]. This would make the most sense if it were found in the mailbox of someone whose server were mx.kundenserver.de That mailbox would be being advised by the kundenserver.de server that the kundenserver server had received an item from 200.88.87.1 [which rDNS 1samana87.codetel.net.do] and calling itself srenterprises.co.uk in its helo. That item which kundenserver received allegedly contained a virus which the server stripped. The secondary or inline headers represent the headers of the mail which contained the virm. So, then, the kundenserver notified the 'mailbox' of the receipt of an item which was/ had been/ viral. If you didn't get that from a kundenserver mailbox or from someone who has a kundenserver mailbox, then I need to have some more information. 
-- Mike Easter kibitzer, not SC admin From dfm2a3l0t2 at spymac.com Thu Nov 3 15:21:36 2005 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Thu Nov 3 15:25:03 2005 Subject: [SpamCop-List] [C&C] Responsible Spam Message-ID: A sample: > From: Maybelline Kane > Subject: What time is it? > > Hey, you, I'm blond, gorgeous, and I just turned 18! I set up a webcam in my > bedroom so people could watch me 24/7! However, the more I thought about it, > the more the whole thing seemed kind of creepy and demeaning. So I scrapped > that idea. -- D.F. Manno | dfm2a3l0t2@spymac.com But I'd rather be a free man in my grave Than living as a puppet or a slave. -Jimmy Cliff From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 20:22:57 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 15:25:09 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> Message-ID: Frank Ellermann wrote in news:436A0F20.4804 @xyzzy.claranet.de: >> the geocities link problem is (again ?) as bad as always, > > Today's statistics: 27 + 41 + 13 + 24 + 50 = 155 reloads > for 5 geospam reports, that's 31 reloads per report. Bye > It was okay, up until today. I give up after 5 reloads. I don't get it as to why it is only the Geocities sites it is having a problem with. Is there a null character somewhere or what? From redford_stone at INVERSE_OF_COLDmail.com Thu Nov 3 20:26:58 2005 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Nov 3 15:30:03 2005 Subject: [SpamCop-List] [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit Message-ID: http://news.bbc.co.uk/2/hi/technology/4400148.stm http://tinyurl.com/8hkzz http://www.informationweek.com/story/showArticle.jhtml?articleID=173402523 http://tinyurl.com/dnyzq It is enough that we are fighting zombies already. Now Sony is trying to turn people's PCs into semi-zombies with these rootkits. 
Punishing those people who BUY their CDs rather than download the pirated ones is not a way to conduct business.

From nobody at spamcop.net Thu Nov 3 12:48:51 2005
From: nobody at spamcop.net (N. Miller)
Date: Thu Nov 3 15:50:02 2005
Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again)
References:
Message-ID:

On Wed, 2 Nov 2005 21:31:56 -0500, spamacyde wrote:

> Over the past three days, 95% of the spam I've been getting contains no
> message subject and no body. This supports my contention that spammy's
> motivations are political rather than financial. Or perhaps spammy is
> pissed off at my reporting efforts. Anybody else experiencing a rash of
> blank emails?

You should never read more into spam than the spammer put into it.

I got my blanks, though not as many, commencing about March 13, 2005. To an SBC Yahoo! DSL Service sub account. SpamGuard marked it as spam from the beginning, and never missed once. A lot of Comcast users have been pelted by that kind of spam.

http://www.broadbandreports.com/forum/remark,14679759

My mother just got two, yesterday; also an SBC Yahoo! DSL Service account. Like mine, SpamGuard tagged these as spam, and moved them to the Bulk folder. I have forwarded them to SC, and will process them RSN.

http://www.spamcop.net/sc?id=z822895002zf5bbf95208c038868bd26f20feac1262z
http://www.spamcop.net/sc?id=z822896184z1423657b5e0367960d3580a56eb87d73z

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From porpoise1954 at yahoo.co.uk Thu Nov 3 22:30:06 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu Nov 3 17:35:03 2005
Subject: [SpamCop-List] Re: Ping Mike E
References:
Message-ID:

"Mike Easter" wrote in message news:dkdq2l$mi8$1@news.spamcop.net...
> Porpoise wrote:
>> Mike,
>>
>> Can you make any sense out of this? I can't quite figga what I'm
>> looking at........
>> > > www.spamcop.net/sc?id=z822825219zde4c34f6e5134c1955396a200fe3351ez > > It would be useful to know what mailbox you found that in. It was received in an address at the srenterprises.co.uk domain served by the kundenserver mailservers (mailhosted). > > The structure of the topheader is from a server directly into a mailbox. > [or alternatively a faulty server which didn't get its line stamped]. That's the first strange bit I noticed > > This would make the most sense if it were found in the mailbox of > someone whose server were mx.kundenserver.de That's the case here > > That mailbox would be being advised by the kundenserver.de server that > the kundenserver server had received an item from 200.88.87.1 [which > rDNS 1samana87.codetel.net.do] and calling itself srenterprises.co.uk in > its helo. That's the first bit known to be fake, as that domain is where the mail was received and is nowhere near that IP (it's hosted at 1and1 [which is the kundenserver connection]) > > That item which kundenserver received allegedly contained a virus which > the server stripped Which is the next odd bit as I don't have the server anti-virus set - I usually get them in all their glory. > The secondary or inline headers represent the > headers of the mail which contained the virm. > > So, then, the kundenserver notified the 'mailbox' of the receipt of an > item which was/ had been/ viral. Which is odd - as I don't have the AV set on the server for any of the mailboxes at any of the domains I administer. > > > If you didn't get that from a kundenserver mailbox or from someone who > has a kundenserver mailbox, then I need to have some more information. Well, yes it was from a mailbox served by the kundenserver MXes - but I've never seen this type of occurrence before; it's decidedly odd, that's why I thought I'd put it up here for investigation. 
The only thing I could think of is that maybe they've got some sort of override for some certain type of virus or something, that does the AV bit on that particular virus even if the user has the server AV disabled!?!

From MikeE at ster.invalid Thu Nov 3 14:53:31 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Nov 3 17:55:02 2005
Subject: [SpamCop-List] Re: Ping Mike E
References:
Message-ID:

Porpoise wrote:
> "Mike Easter"

> It was received in an address at the srenterprises.co.uk domain
> served by the kundenserver mailservers (mailhosted).

Ah, so. That makes sense. That explains the 'choice' of bogus helo by the source.

>> That mailbox would be being advised by the kundenserver.de server
>> that the kundenserver server had received an item from 200.88.87.1
>> [which rDNS 1samana87.codetel.net.do] and calling itself
>> srenterprises.co.uk in its helo.
>
> That's the first bit known to be fake, as that domain is where the
> mail was received and is nowhere near that IP
> (it's hosted at 1and1 [which is the kundenserver connection])

Well, yes. Genuine fakiness in a helo is a dead giveaway. However, sometimes some things helo however they feel like -- not as a 'forgery' or intense bogosity, but rather as a 'moniker' or handle. In this case the 200.88.87.1 is of Santo Domingo in lacnic turf, so calling itself anything .uk is genuine fakiness bogosity not a 'moniker'.

>> That item which kundenserver received allegedly contained a virus
>> which the server stripped
>
> Which is the next odd bit as I don't have the server anti-virus set -
> I usually get them in all their glory.

I can't address your relationship with your server, but I can give you another example. EL has a 'policy' about handling virms that anytime they want, they can choose to turn on the virus blocker, whether I want it on or not. They call that an 'emergency' condition - but clearly an ISP considers it their prerogative to handle incoming viral propagations however they feel like.
>> The secondary or inline headers represent the >> headers of the mail which contained the virm. >> >> So, then, the kundenserver notified the 'mailbox' of the receipt of >> an item which was/ had been/ viral. > > Which is odd - as I don't have the AV set on the server for any of the > mailboxes at any of the domains I administer. I'm sticking to my theory. The other thing is that servers make mistakes about viruses based on non-viral structures. >> If you didn't get that from a kundenserver mailbox or from someone >> who has a kundenserver mailbox, then I need to have some more >> information. > > Well, yes it was from a mailbox served by the kundenserver MXes - but > I've never seen this type of occurrence before; it's decidedly odd, > that's why I thought I'd put it up here for investigation. The only > thing I could think of is that maybe they've got some sort of > override for some certain type of virus or something, that does the > AV bit on that particular virus even if the user has the server AV > disabled!?! Sure, for any of several reasons. It is possible you might get some information from them about it -- or maybe they don't want to talk about it -- or the people who know don't talk and the people who talk don't know. -- Mike Easter kibitzer, not SC admin From crappy.trappy at ntlworld.com Fri Nov 4 00:09:33 2005 From: crappy.trappy at ntlworld.com (Tim) Date: Thu Nov 3 19:10:04 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) In-Reply-To: References: Message-ID: spamacyde wrote: > Anybody else experiencing a rash of blank emails? A spammer firing blanks? 
Perhaps they should try their own W|@GRA ;) From not at home.today Fri Nov 4 01:01:11 2005 From: not at home.today (Ant) Date: Thu Nov 3 20:05:04 2005 Subject: [SpamCop-List] Re: Geocities problem still unsolved References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de> Message-ID: "Redstone" wrote: > Frank Ellermann wrote: >>> the geocities link problem is (again ?) as bad as always, >> >> Today's statistics: 27 + 41 + 13 + 24 + 50 = 155 reloads >> for 5 geospam reports, that's 31 reloads per report. Bye > > It was okay, up until today. I give up after 5 reloads. I no longer bother to refresh. It's a waste of my time. > I don't get it as to why it is only the Geocities sites it is > having a problem with. It also has trouble with others - notably the nick-nock-net. Previously it was chinatietong, but mostly those go through ok now. > Is there a null character somewhere No. Just plain-text URLs with no strange characters. > or what? That's what I'd like to know. No one from Spamcop has said a dicky-bird about it here. From g.hyde at bigpond.net.au Fri Nov 4 12:01:40 2005 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Nov 3 21:15:03 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit References: Message-ID: I wonder if Sony is deliberately trying to help viruses and hackers get onto our computers? There are a whole bunch of phrases I can't use here but they're uncommonly apt phrases which would otherwise describe exactly how I feel. -- Cheers ... Geoffrey Hyde "Redstone" wrote in message news:Xns97037EA6B301Ftinlc@216.154.195.61... > http://news.bbc.co.uk/2/hi/technology/4400148.stm > http://tinyurl.com/8hkzz > > > http://www.informationweek.com/story/showArticle.jhtml?articleID=173402523 > http://tinyurl.com/dnyzq > > > It is enough that we are fighting zombies already. Now Sony is trying to > turn people's PCs into semi-zombies with these rootkits. 
Punishing those > people who BUY their CDs rather than download the pirated ones is not a > way > to conduct business. > From nobody at devnull.spamcop.net Fri Nov 4 11:29:30 2005 From: nobody at devnull.spamcop.net (Patto) Date: Thu Nov 3 21:30:02 2005 Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again) In-Reply-To: References: Message-ID: spamacyde wrote: > Over the past three days, 95% of the spam I've been getting contains no > message subject and no body. This supports my contention that spammy's > motivations are political rather than financial. Or perhaps spammy is > pissed off at my reporting efforts. Anybody else experiencing a rash of > blank emails? Over at the Microsoft Outlook newsgroups there are literally hundreds of users complaining about blank spam. Most of them have never seen any before, so I think there really *is* more blank spam than before. Why? - Who cares! These messages are so easily filtered; either by BLs or other means. I haven't seen any for over a half year. From MikeE at ster.invalid Thu Nov 3 19:35:17 2005 From: MikeE at ster.invalid (Mike Easter) Date: Thu Nov 3 22:40:03 2005 Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns References: Message-ID: Ted Nathan wrote: > I have a client who had a marketing company create a news piece from > distribution via e-mail. I guess a little skepticism about his innocent spammer client caused that person to run away. Hopefully in the future he will be a little more circumspect of spammish clients. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.not Fri Nov 4 04:12:46 2005 From: nobody at nowhere.not (Robert Blair) Date: Thu Nov 3 23:15:02 2005 Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit References: Message-ID: On Fri, 4 Nov 2005 02:01:40 UTC, "Geoffrey Hyde" wrote: > I wonder if Sony is deliberately trying to help viruses and hackers get onto > our computers? 
My understanding is that they have removed the "stealth" feature so other no-goodniks can not use that feature to hide their trojans. But the damage has been done and I would imagine that the virus/trojans writers have already started to look at the code to see what they can do. Still I think it is a very bad idea and Sony should not be doing this. There is at least one other company doing the same thing so I would expect more companies doing it but have not been found out yet.

--
Robert Blair

From jeffg at spamcop.net Thu Nov 3 23:41:22 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Thu Nov 3 23:55:02 2005
Subject: [SpamCop-List] Re: Spoofed Message Causing ISP shutdowns
References:
Message-ID:

"Ted Nathan" wrote in message news:jcpim1lb4id2va4cge82o3orqfjhp5mnvu@4ax.com...
> I am new to this group, but I have a problem and this seemed to be the
> first logical place to look for an answer.
>
> I have a client who had a marketing company create a news piece from
> distribution via e-mail. Unfortunately, it was sent out prematurely
> and to people who did not ask for it, thus it was spam. They
> understand the mistake that was made, especially when Google and
> Microsoft start screaming at you. So this was strike one.
>
> A few days later, some kid out of France sent the exact same
> announcement out as spam again. Microsoft and Google and others called
> the ISP and had them shutdown. And it happened again today.
>
> What can I do to protect my client from this happening again? I know
> how to stop spam from coming in and going out of my clients' networks,
> but how do you every kid in the world from shutting down your
> business?
IF your client is truly innocent (a big IF given the skepticism of the crowd that has already replied to you), the best way to prove that is to put up a notice in large type at every webpage and image advertised in the email messages sent by the "kid out of France" that your client is the victim of a Joe Job (see http://forum.spamcop.net/forums/index.php?showtopic=4473&st=0&p=29916&#Joe for details), and what actions you and/or your client are taking or have taken to stop the Joe Job. Of course, posting details (hard facts) would help to convince us.

--
Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.

From jeffg at spamcop.net Thu Nov 3 23:49:51 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Fri Nov 4 00:00:02 2005
Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To?
References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null>
Message-ID:

"jg" wrote in message news:dkdcnt$eji$1@news.spamcop.net...
> On 11/2/2005 11:00 PM Michael Brennan scribbled:
> > On second thought, I might have
> > forwarded them to the NASD or the NYSE as well. Talk about spoiling
> > someone's play -- the exchanges can make that happen.
> I've not seen anywhere that the NYSE gets actively involved. Have you?
> I do know that the NASD doesn't want to hear /anything/ unless the spam
> is proven to be from a NASD member - so says their site, or so /said/
> their site - I haven't revisited it in a while. It makes sense - they
> have their own fish to fry with lame brokers, telemarketers, and
> so-called advisors...

Perhaps I am way off base here, but it seems to me that the only stocks that pump&dumpers can really make money with are penny stocks, which by and large are traded OTC or on NASDAQ.
When I have time, I report suspected pump&dumpers to Enforcement@SEC.GOV and ombuds@nasd.com.

--
Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.

From jeffg at spamcop.net Thu Nov 3 23:55:10 2005
From: jeffg at spamcop.net (Jeff G.)
Date: Fri Nov 4 00:00:07 2005
Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To?
References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B1DC.216FBDCA@SpamCop.net.dev.null>
Message-ID:

"Mike Easter" wrote in message news:dkdac3$cvk$1@news.spamcop.net...
> It would probably work just as well for you to create a little text
> which explains that you haven't sorted your spam and that you are
> sending it all to the various agencies -- and let them sort it out for
> themselves.

Of course, if any reader does that and gets a reply from a human along the lines of "Please stop sending us all your spam, we only want ____", please comply and tell the rest of us so that we can also comply.

--
Thanks and Best Regards,
Jeff G.

I have been a SpamCop User/Member/Customer since 1999 and am a Moderator of the new web-based forums (now the primary method for getting help, http://forum.spamcop.net). Please contact me via Forum only.

From nobody at spamcop.net Fri Nov 4 09:44:06 2005
From: nobody at spamcop.net (nospam)
Date: Fri Nov 4 00:45:02 2005
Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again)
References:
Message-ID:

in article dke8rr$v76$1@news.spamcop.net, Tim at crappy.trappy@ntlworld.com wrote on 11/4/05 4:09 AM:
> spamacyde wrote:
>> Anybody else experiencing a rash of blank emails?
>
> A spammer firing blanks? Perhaps they should try their own W|@GRA ;)

Umm, no, I think it's the Spur-M that they would want in this case. V1@6r@ could still leave shooting blanks.
;-)

From nobody at spamcop.net Fri Nov 4 09:46:16 2005
From: nobody at spamcop.net (nospam)
Date: Fri Nov 4 00:50:03 2005
Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit
References:
Message-ID:

in article TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com, Robert Blair at nobody@nowhere.not wrote on 11/4/05 8:12 AM:

SNIP

> There is at least one other company doing the same thing

Who ? (please)

> so I would
> expect more companies doing it but have not been found out yet.
>

From nobody at nowhere.not Fri Nov 4 06:11:35 2005
From: nobody at nowhere.not (Robert Blair)
Date: Fri Nov 4 01:15:03 2005
Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On HackerRootkit
References:
Message-ID:

On Fri, 4 Nov 2005 05:46:16 UTC, nospam wrote:
> SNIP
>
> > There is at least one other company doing the same thing
>
> Who ? (please)

Universal Music

This information is from the DShield mailing list. There has been a discussion on the list since the first of the month. It seems that some people have known about this for some time but it is just now being made public.

> >so I would
> > expect more companies doing it but have not been found out yet.

--
Robert Blair

From nobody at devnull.spamcop.net Fri Nov 4 02:27:34 2005
From: nobody at devnull.spamcop.net (Glenn Daniels)
Date: Fri Nov 4 02:30:02 2005
Subject: [SpamCop-List] Re: Messages with No Subject Header and No Message Body (Again)
References:
Message-ID:

"nospam" wrote in message news:BF90DDE5.1635D%nobody@spamcop.net...
> in article dke8rr$v76$1@news.spamcop.net, Tim at crappy.trappy@ntlworld.com
> wrote on 11/4/05 4:09 AM:
>
> > spamacyde wrote:
> >> Anybody else experiencing a rash of blank emails?
> >
> > A spammer firing blanks? Perhaps they should try their own W|@GRA ;)
>
> Umm, no, I think it's the Spur-M that they would want in this case. V1@6r@
> could still leave shooting blanks.
> ;-)
>

Still OT, but in this context: This rather Freudian forgery was archived here on 10/13/2005:

"Received: from spermatorrhoea (192.168.229.37)"

as the "source" of the spew... Oh my fur and whiskers! Oh!

From kjz at despammed.com Fri Nov 4 08:43:44 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Fri Nov 4 02:45:02 2005
Subject: [SpamCop-List] Re: Geocities problem still unsolved
In-Reply-To: <43663619.A9@xyzzy.claranet.de>
References: <43663619.A9@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> *1: minus the time to whois-RFCI and WDPRS alishaanddanny.info,
> mystery-suspense.info, and kinesisman.info [[ Re:ally Leo,
> it's fine that you now understand German postal codes, but
> the +49 phone numbers are still stupid, I can check this ]]

And Leo's spamvertized websites are another problem. Leo seems to have a 'shield or block' installed so Spamcop's DNS lookups also failed for these sites.

- kjz

From nobody at xyzzy.claranet.de Fri Nov 4 09:27:43 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri Nov 4 03:30:04 2005
Subject: [SpamCop-List] LK (was: Geocities problem still unsolved)
References: <43663619.A9@xyzzy.claranet.de>
Message-ID: <436B1B7F.7FB5@xyzzy.claranet.de>

Karl-Josef Ziegler wrote:

[alishaanddanny.info, mystery-suspense.info, kinesisman.info]

> Leo seems to have a 'shield or block' installed so Spamcop's
> DNS lookups also failed for these sites.

Does it ? IIRC reports about these sites were sent, but I didn't note the tracker URLs anywhere (Oct 30). A fresher set (unfortunately I found no obvious whois data problems):

angelobovis.info
netprocom.info
nigerianmasses.info
zvia.info

Registrant Name:Fernando Teles
Registrant Organization:quakeclub
Registrant Street1:Rua Lameiros, 12
Registrant City:Sande-GMR
Registrant State/Province:NA
Registrant Postal Code:4805-619
Registrant Country:PT

The names he picks are often really funny.
Registrant Phone:+351.968582807
Registrant Email:fernando@quakeclub.net

Bye, Frank

From nobody at xyzzy.claranet.de Fri Nov 4 09:37:25 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri Nov 4 03:40:02 2005
Subject: [SpamCop-List] Re: Geocities problem still unsolved
References: <43663619.A9@xyzzy.claranet.de> <436A0F20.4804@xyzzy.claranet.de>
Message-ID: <436B1DC5.75D3@xyzzy.claranet.de>

Ant wrote:
>> or what?
> That's what I'd like to know. No one from Spamcop has said a
> dicky-bird about it here.

Yes, it makes no sense as a "geocities-conspiracy" - if Yahoo! doesn't like SC reports they could disable it. So if it's no conspiracy it must be excessive technical incompetence on the side of Ironport. Did they fire Julian or what ?

Bye, Frank

From nobody at xyzzy.claranet.de Fri Nov 4 10:05:07 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri Nov 4 04:10:03 2005
Subject: [SpamCop-List] Re: "Doctor" Slides Past Postini
References: <4369929A.9545752E@SpamCop.net.dev.null> <436A42F0.38B2@xyzzy.claranet.de>
Message-ID: <436B2443.2087@xyzzy.claranet.de>

Mike Easter wrote:
> 218.238.26.80 got listed in cbl 2005-10-31 05:00 GMT [...]

Oops, I didn't know that it's possible to get a timestamp for these entries:

http://www.spamhaus.org/query/bl?ip=218.238.26.80

links to

http://cbl.abuseat.org/lookup.cgi?ip=218.238.26.80

Today it says 2005-11-04 01:00 GMT (+/- 30 minutes). Apparently a rather volatile list.

> using spamhaus sbl-xbl, which embraces cbl & njabl
> as well as blitzed, would have solved the problem.
Explained on http://www.spamhaus.org/xbl/index.lasso - I still have to add these links on my rxwhois page, so far I've done that only for the RHSBLs (RFCI and SURBL)

Bye, Frank

From kjz at despammed.com Fri Nov 4 10:25:38 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Fri Nov 4 04:30:02 2005
Subject: [SpamCop-List] Re: LK
In-Reply-To: <436B1B7F.7FB5@xyzzy.claranet.de>
References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> Karl-Josef Ziegler wrote:
>
> [alishaanddanny.info, mystery-suspense.info, kinesisman.info]
>
>> Leo seems to have a 'shield or block' installed so Spamcop's
>> DNS lookups also failed for these sites.
>
> Does it ? IIRC reports about these sites were sent, but I
> didn't note the tracker URLs anywhere (Oct 30).

Sometimes the DNS is working but most times e.g.
http://www.spamcop.net/sc?id=z823040147z10d10619bddaa277728aa4520c8bd719z
the resolving is blocked.

- kjz

From nobody at xyzzy.claranet.de Fri Nov 4 11:13:53 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Fri Nov 4 05:15:58 2005
Subject: [SpamCop-List] Re: LK
References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de>
Message-ID: <436B3461.2273@xyzzy.claranet.de>

Karl-Josef Ziegler wrote:
> Sometimes the DNS is working but most times e.g.
> http://www.spamcop.net/sc?id=z823040147z10d10619bddaa277728aa4520c8bd719z
> the resolving is blocked.

Hm, that bdfilmachjk.nobleblues.com is different from the geocities problem, for the former SC explicitly says "IP not found", and you get the same result if you put only the FQDN into the Web report form.
With "geocities" the Web form immediately finds the IP, and SC doesn't claim "IP not found" in a spam report, it just doesn't resolve it without displaying any reason :-(

Interesting, with ns1-90.akam.net I get also no answer:

http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com&server=ns1-90.akam.net

Ditto ns1-93.akam.net and 1-73.akam.net (three random name servers found in the whois entry for spamcop.net)

But with a plain host bdfilmachjk.nobleblues.com or a
http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com
I get an IP 222.122.63.88.

What's a good strategy to fix this, users configuring their own favourite NS to be used by SC maybe ?

Bye

From kjz at despammed.com Fri Nov 4 11:41:58 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Fri Nov 4 05:45:04 2005
Subject: [SpamCop-List] Re: LK
In-Reply-To: <436B3461.2273@xyzzy.claranet.de>
References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de> <436B3461.2273@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> Interesting, with ns1-90.akam.net I get also no answer:
>
> http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com&server=ns1-90.akam.net
>
> Ditto ns1-93.akam.net and 1-73.akam.net (three random
> name servers found in the whois entry for spamcop.net)

Maybe, Leo is blocking resolves from the whole Akamai net range?

- kjz

From MikeE at ster.invalid Fri Nov 4 02:58:45 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Nov 4 06:00:02 2005
Subject: [SpamCop-List] Re: LK
References: <43663619.A9@xyzzy.claranet.de> <436B1B7F.7FB5@xyzzy.claranet.de> <436B3461.2273@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:
> Karl-Josef Ziegler wrote:
>
>> Sometimes the DNS is working but most times e.g.
>> http://www.spamcop.net/sc?id=z823040147z10d10619bddaa277728aa4520c8bd719z
>> the resolving is blocked.

I don't think you can analyze very easily when SC's resolving is blocked.
SC sometimes chooses to not try to resolve something, sometimes SC tries to resolve but fails. When SC tries to resolve and fails, the condition of 'resolvability' may vary. Of course, it could not resolve for anyone because of lost nameservice, it could also just have very very funky nameservice which times out, which is typically the case for the ones which SC tries to resolve but fails. That is the case for this particular url.

> Hm, that bdfilmachjk.nobleblues.com is different from
> the geocities problem, for the former SC explicitly says
> "IP not found", and you get the same result if you put
> only the FQDN into the Web report form.

This is what SC was saying at the time it parsed the tracker above for me

Resolving link obfuscation
http://bdfilmachjk.nobleblues.com/?egachjkxssrybdzgvfilm
Host bdfilmachjk.nobleblues.com (checking ip) IP not found ; bdfilmachjk.nobleblues.com discarded as fake.
Tracking link: http://bdfilmachjk.nobleblues.com/?egachjkxssrybdzgvfilm
No recent reports, no history available
Cannot resolve http://bdfilmachjk.nobleblues.com/?egachjkxssrybdzgvfilm

> With "geocities" the Web form immediately finds the IP,
> and SC doesn't claim "IP not found" in a spam report, it
> just doesn't resolve it without displaying any reason :-(
>
> Interesting, with ns1-90.akam.net I get also no answer:

I'm not entirely sure that using the nameservers for spamcop.net is the same as what nameservers spamcop uses for its resolving. In the case of my provider EL, the nameservice which EL 'provides' for me by DHCP is not at all the same nameservers as the ones for earthlink.net. EL's nameservers are itchy and scratchy --whereas the nameservers it gives me are ns1 & ns2 & ns3.
> http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com&server=ns1-90.akam.net
>
> Ditto ns1-93.akam.net and 1-73.akam.net (three random
> name servers found in the whois entry for spamcop.net)
>
> But with a plain host bdfilmachjk.nobleblues.com or a
> http://vweb.nass.com.au/cgi-bin/dnslookup?data=bdfilmachjk.nobleblues.com
> I get an IP 222.122.63.88.

When I want to 'analyze' what is SC's problem with resolving when I can resolve it myself, I go to dnsstuff which can perform an analysis of the dns timing and what is wrong with it. There's a lot wrong with that url's nameservice

http://www.dnsstuff.com/tools/dnstime.ch?name=bdfilmachjk.nobleblues.com&type=A

timeouts, Average of all 4 nameservers: 915ms (plus 6062ms overhead). Score: F

> What's a good strategy to fix this, users configuring
> their own favourite NS to be used by SC maybe ? Bye

I think the SC philosophy is that it shouldn't spend very much time trying to resolve a url which has very flaky nameservice. I agree.

This is all about the business of notifying spamvertisers. SC's notification of spamvertisers is very unsatisfactory to me -- that is, it isn't the way I would be notifying. SC doesn't do anything about determining the blackhattedness of the derived notify. I would rather do my own determining of how to notify about a spamvertiser. I can notify much much better than SC. I can resolve urls better, I can determine the blackhattedness better, I can determine the notifies better, because I can determine upstreams and such as that based on the unresponsive character of the spamvertiser based on listings in spamhaus and spews.
--
Mike Easter
kibitzer, not SC admin

From elg at none.com Fri Nov 4 08:23:50 2005
From: elg at none.com (El Guapo)
Date: Fri Nov 4 09:25:03 2005
Subject: [SpamCop-List] Re: [MEDIA] Sony CD Copy Protection Seems To Rely On Hacker Rootkit
References:
Message-ID:

"Robert Blair" wrote in message news:TECQXhvKj0FX-pn2-OvYNxTLrdXxL@dsl-206-55-144-107.tstonramp.com...
> On Fri, 4 Nov 2005 02:01:40 UTC, "Geoffrey Hyde"
> wrote:
> My understanding is that they have removed the "stealth" feature so
> other no-goodniks can not use that feature to hide their trojans. But
> the damage has been done and I would imagine that the virus/trojans
> writers have already started to look at the code to see what they can
> do.

Here is an article saying exactly what you are describing...

http://informationweek.com/story/showArticle.jhtml?articleID=173402819

From jg at coks.net Fri Nov 4 07:31:49 2005
From: jg at coks.net (jg)
Date: Fri Nov 4 10:30:03 2005
Subject: [SpamCop-List] Re: Neat Package -- Nobody to Report To?
In-Reply-To:
References: <4362AD03.E5E72107@SpamCop.net.dev.null> <43665BA4.4E08B61F@SpamCop.net.dev.null> <4369B5A3.80C72E28@SpamCop.net.dev.null>
Message-ID:

On 11/3/2005 8:49 PM Jeff G. scribbled:
> "jg" wrote in message
> news:dkdcnt$eji$1@news.spamcop.net...
>
>>On 11/2/2005 11:00 PM Michael Brennan scribbled:
>>
>>>On second thought, I might have
>>>forwarded them to the NASD or the NYSE as well. Talk about spoiling
>>>someone's play -- the exchanges can make that happen.
>>
>>I've not seen anywhere that the NYSE gets actively involved. Have
>
> you?
>
>> I do know that the NASD doesn't want to hear /anything/ unless the
>
> spam
>
>>is proven to be from a NASD member - so says their site, or so /said
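The DNSBL check that Frank Ellermann and Mike Easter discuss earlier in this thread (218.238.26.80 "got listed in cbl"; "using spamhaus sbl-xbl ... would have solved the problem"), together with Mike's point that flaky nameservice should not be mistaken for a definite answer, as an added example; this is not code from SpamCop, Spamhaus or anyone posting here. The return-code meanings, the function names, and the offline `constructed_resolver` table are assumptions of the example, not facts from the thread.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable, List

# Assumed meanings of the A-record answers from sbl-xbl.spamhaus.org (as the
# Spamhaus docs of the time described them; verify against the current docs).
SBL_XBL_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.4": "XBL (CBL data)",
    "127.0.0.5": "XBL (historically NJABL proxy data)",
    "127.0.0.6": "XBL (other exploit data)",
    "127.0.0.7": "XBL (other exploit data)",
}
# A resolver maps a name to its A records and raises socket.gaierror on failure.
Resolver = Callable[[str], List[str]]
NXDOMAIN_ERRNOS = {socket.EAI_NONAME, getattr(socket, "EAI_NODATA", socket.EAI_NONAME)}

@dataclass
class DnsblResult:
    ip: str
    zone: str
    status: str  # "listed", "clean" or "unknown"
    codes: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets under the zone: 218.238.26.80 -> 80.26.238.218.<zone>."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".")

def system_resolver(name: str) -> List[str]:
    """Default resolver: the host's stub resolver, IPv4 answers only."""
    return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})

def check_dnsbl(ip: str, zone: str = "sbl-xbl.spamhaus.org",
                resolve: Resolver = system_resolver) -> DnsblResult:
    """NXDOMAIN means clean. A timeout, SERVFAIL or unreachable nameserver is
    'unknown', never 'listed': flaky nameservice must not become a false block."""
    name = dnsbl_query_name(ip, zone)
    try:
        answers = resolve(name)
    except socket.gaierror as exc:
        return DnsblResult(ip, zone, "clean" if exc.errno in NXDOMAIN_ERRNOS else "unknown")
    except OSError:
        return DnsblResult(ip, zone, "unknown")
    codes = [a for a in answers if a.startswith("127.")]
    if not codes:  # answers outside 127/8 usually mean a parked or wildcarded zone
        return DnsblResult(ip, zone, "unknown")
    return DnsblResult(ip, zone, "listed", codes,
                       [SBL_XBL_CODES.get(c, f"undocumented code {c}") for c in codes])

def constructed_resolver(name: str) -> List[str]:
    """Constructed stand-in for the live zone so the example runs offline:
    218.238.26.80 (the address the thread says the CBL listed) answers as
    CBL-listed, 127.0.0.1 is NXDOMAIN, and everything else times out."""
    if name == "80.26.238.218.sbl-xbl.spamhaus.org":
        return ["127.0.0.4"]
    if name.startswith("1.0.0.127."):
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    raise socket.gaierror(socket.EAI_AGAIN, "Temporary failure in name resolution")

if __name__ == "__main__":
    for ip in ("218.238.26.80", "127.0.0.1", "192.0.2.1"):
        r = check_dnsbl(ip, resolve=constructed_resolver)
        print(f"{ip:>15}  {r.status:8}  {' '.join(r.reasons)}")
```

Pass `resolve=system_resolver` (the default) to query the live zone; the three-way result lets a filter reject on "listed", accept on "clean", and fall back to other checks on "unknown" rather than blocking on a timeout.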