[SpamCop-List] Re: One for dave null...

Sun Nov 6 22:19:31 EST 2005

On 11/6/2005 2:09 PM Mike Easter scribbled:

> jg wrote:
> 
> http://www.spamcop.net/sc?id=z823833942z36f6fb52cd52ac148cbd0ae894bab641z
> 
>>Is there anything odd about this spam ?
> 
> 
> Did you examine the spambody?

No, not beyond the source - I don't like to read spam...

> 
>Aside the SC lack of
>>obfuscation issue, is this a case of spammy dummy (redundant) or
>>spammy trickery?
> 
> 
> How do you mean?  And there isn't a lack of deobfuscation in what I saw.
> SC deobfuscated.

My orig. link above will not resolve for me - don't know why, so I can't
revisit this report at the moment
But seems like I was trying to say, whats the point of multi fake
spamverts (I misspoke the notify word)?

> 
>>I speaking of the multi notifies...

misspeaking...
> 
> 
> There are 'multi-spamvertiser' links, none notified.
> 
> There are two versions, the text/plain version part of the multipart,
> and the text/html part of the multipart.  So, if your mua/OE is
> configured to render the html, it ignores the plaintext version and you
> see one set of links, andb/but if your mua/OE is configured to read
> plaintext only, you see a different set of links.

er, hmmm..their point?
> 
> SC deobfuscates both versions, 2 links per version, but fails to resolve
> any of them.

I take deobfuscate to mean derive a URL that is resolvable - how do you
know you deobfuscated without a resolution?
I will now put on my helmet in case my ignorance is showing...

> 
> My resolver resolves the html version links to the .kr 61.111.255.134
> which is spamhaused and thus is unresponsive and not worth notifying.
> The plaintext version links don't resolve.

so 2 weren't fake - whatever

> 
> There is nothing worth notifying lost by SC not resolving the html
> links -- except that nothing in the spam makes it to sc-surbl.
> 

Well, I knew /something/ was odd - SC goes to dev null and I go to the
FTC - similiar piles?
I've been getting virtually the same spam daily for about 2 weeks now,
with the same spamverts from sources bouncing all around the far east
with an occasional stop in so. america and dada (?).  Kornet is a pretty
common thread, and I suddenly got 5-6 Paypals in 2 days (normal Paypal
flow is 1 a month or so}...

> If the parser were reconfigured with my 'do not resolve' recommendation,
> the links would have been provided to sc-surbl.  SC's notifies for
> spamvertisers aren't valuable and largely disregarded by SC, but if the
> parser were reconfigured, the surbl databasing of the spamvertiser links
> would have been worthwhile.
> 

Any reason SC wouldn't do this?