From g.hyde at bigpond.net.au Sat Oct 1 13:54:52 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Fri Sep 30 22:55:03 2005
Subject: [SpamCop-List] Re: What the blazes happened here?
References:
Message-ID:

"Mike Easter" wrote in message news:dhjd8h$r7c$1@news.spamcop.net...
> Geoffrey Hyde wrote:
>
> www.spamcop.net/sc?id=z810628202zaf678942fb9d8fe752b4526c0b4f9903z
>
>> This is apparently some *very weird* and not-funny bounce message (I
>> considered it for a bit, and reported it as spam - if their
>> mailserver's broken or compromised, they better goddamn well fix it
>> fast!! - from a news posting I sent to LUGNET news server.
>
> I wouldn't have reported it as spam. It is some kind of problem with a
> mailing list item. The normal SC mungeing interferes a little bit with
> trying to interpret it..

If you want an unmunged email to analyze, please email me, as my address is not intentionally hidden, I handle spams on a case-by-case basis as I get them.

I'm not posting using a mailing list, I'm posting using a NNTP server, which, as far as I know, is supposed to be a direct connection to the lugnet news server in question, therefore unless someone else received it through an unlikely echo off some compromised server, it's what I consider to be spam. The LUGNET mailserver is not supposed to send me anything back except an authorisation message, which I click a link in to take me to the post authorisation screen.

>> The posting attached is mine, yes, but I don't know what the hell it
>> is they're playing with as far as the bounce message goes. And FWIW,
>> it succeeded in being posted so LUGNET received it okay, don't know
>> why this mailserver bounced it back.
>
> You email the LUG and the lug remails your item. Then, when someone on
> the list has a mail problem, ideally the problem would go back to the
> lug. But instead, you got the bounce.

I don't know how a posting I made got onto a mailing list when I was supposed to have connected to a news server. News servers, in my experience, do not normally regurgitate posts to other people's mailservers or news clients, therefore the treatment of this bounce message as spam. I do know that some people use "news-by-mail" however that is not what I use, and if this has caused me to be an unlucky recipient of someone else's email, it's still spam IMHO.

>> If a SC admin (or deputy) has valid reason to believe this is not spam
>> please fill me in on as to why, and perhaps I'll consider having it
>> cancelled. Until then it sounds like a duck, walks like a duck,
>> looks like a duck (IE is spam) and will remain reported until I find
>> reason to believe otherwise.
>
> You can't actually cancel a report. The ntc.net.pk server 202.83.174.53
> was reported as a spamsource. It is not currently listed in the SCbl
> and so it doesn't currently have a SC 'problem' from your report or
> others which might have occurred because of a misdirected bounce..

I'm glad, because time and repeated spam emails it's sending out will tell what happened here. If indeed it's not a spamsource, then great, they fixed the problem with the bounce to me. And that's fine.

> The LUG tried to send your listitem to 664@nu.edu.pk and mail for
> nu.edu.pk is handled by mail3.nu.edu.pk and lhr.nu.edu.pk - The headers
> for the LUG mail minus some addresses due to SC mungeing can be seen at
> your tracker.

What you mean is the LUGNET news server picked this item up, and mailed it out on someone else's mailing list address, and somehow, by doing so, enabled me to get spammed by it. It's never happened to me before, and I don't know why it should suddenly start now, I have no valid reason that this message is sent to me, therefore I still consider what I got as spam.

> If you/I engage the nu.edu.pk server in an smtp transaction it will
> appear to accept mail addressed to 644 and it also appears to accept
> mail addressed to a bogus username. Then after actually accepting that
> mail, if it can't handle it, it is forcing itself to have to point its
> bounce at something in the headers of the LUG mailer.

"It's spam, but not as we know it, Jim"

If it's going to bounce mail anywhere I fail to see why it should bounce it to me, I'm not (a) a LUGNET Admin, (b) an intended recipient, nor am I (c) a person in charge of the server who can fix this sort of problem. Therefore, I repeat, it IS TO ME, a SPAM email. And it will remain so.

> Those headers say that you are the From and that the Sender is the LUG
> and that the Reply-To is yours.
>
> Naturally it would have been better if the DSN went to the LUG and not
> each of the members of the list. Suboptimal handling of mailing list
> items which bounce is very problematic.

So I'd have to email someone at LUGNET who deals with this kind of problem? Sheesh! I wish they would get this "suboptimal" problem fixed up ASAP.

> Your report will result in Amir Hanif in Islamabad getting the SC report
> because he is the admin contact for National Telecom Corporation listed
> in apnic for ntc.net.pk which is the netblock over the mail in and out
> for nu.edu.pk which is National University of Computer & Engineering in
> Lahore.

Well, perhaps he will be able to explain things a bit better.

As to the rest of your posts, I can't see what you're talking about very clearly. But it's plain the admins running the mailing list need to get better control over where it bounces messages to. Otherwise they're going to wind up having random people reported for having other people spammed, including myself.

-- 
Cheers ...
Geoffrey Hyde

From nobody at spamcop.net Sat Oct 1 04:36:08 2005
From: nobody at spamcop.net (Claudio Valderrama C.)
Date: Sat Oct 1 03:35:07 2005
Subject: [SpamCop-List] savvis.net
Message-ID:

Hello, does anyone know if savvis.net is trustable?
I ask this because abuse at savvis.net refuses munged reports but I don't have knowledge whether they allow spammers to listwash or simply are too inflexible.
Thanks.

C.
-- 
Claudio Valderrama C.
SW developer, consultant.
http://www.cvalde.net - http://www.firebirdsql.org

From DougThegarden at invalid.com Sat Oct 1 10:01:40 2005
From: DougThegarden at invalid.com (Doug Thegarden)
Date: Sat Oct 1 04:05:02 2005
Subject: [SpamCop-List] Spammer's self appraisal
Message-ID:

At the bottom of today's mortgage spam was the most honest self-appraisal yet:

"If you prefer to be left out of this superfluous offer go here."

Doug ;-)

From porpoise1954 at yahoo.co.uk Sat Oct 1 10:38:31 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Oct 1 04:41:05 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

"Claudio Valderrama C." wrote in message news:dhle3c$1jd$1@news.spamcop.net...
> Hello, does anyone know if savvis.net is trustable?
> I ask this because abuse at savvis.net refuses munged reports but I don't
> have knowledge whether they allow spammers to listwash or simply are too
> inflexible.
> Thanks.

Look here:
http://news.bbc.co.uk/1/hi/technology/3634572.stm

From nobody at nowhere.invalid Sat Oct 1 12:24:06 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat Oct 1 05:25:40 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

On Sat, 1 Oct 2005 03:36:08 -0400, Claudio Valderrama C. coughed into spamcop and left this in :

> Hello, does anyone know if savvis.net is trustable?

Not by a long chalk. This is a mirror of a site put up by a former employee of savvis. The original domain was later "stolen" by savvis via udrp.

http://www.spamblocked.com/mirrors/www.savvis.info/
http://groups.google.com/group/news.admin.net-abuse.email/msg/870b3d7128442015?dmode=source

In a nutshell, leaked memos made it clear that savvis knew full well that their network was a spam sewer, that they were profiting from spammers because they pay high bandwidth costs, and that official policy was to boot just enough of the small-time spammers to drop off the SpamHaus.org top 10 list. Yechhhh!

Also look here: http://tinyurl.com/95p43 (expands to a search on NANAS).

-- 
Steve
unix soit qui mal y pense

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 11:12:05 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 06:15:03 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net> <433D42A8.9C5FB150@spamcop.net>
Message-ID:

Kenneth Brody wrote in news:433D42A8.9C5FB150@spamcop.net:

>
> Perhaps it's a combination of both things I listed? Choice "A" leaves
> the pumpers stuck with worthless paper, leading to choice (B).
>

According to Indigo, it appears to be more towards option B. Still, it's quite a waste of resources to get people to actually go out and do the actual purchase (and not many would care for it if it can't be bought online.)

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 11:14:55 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 06:15:06 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net>
Message-ID:

"indigo" wrote in news:dhk4pj$a45$1@news.spamcop.net:

>
> I'm not sure how effective P&D's ever were -- they mostly pump penny
> stocks (OTCBB or pink sheet stocks) which are not terribly easy to
> purchase, especially online. Anyone smart enough to know how to do it
> isn't likely to fall for the spam pumps IMO. The paid pumpers and
> bashers on the Yahoo Finance message boards are much more effective
> IRL.
>
>

I think that early (several years ago) it was more practical since not that many people were doing stock purchases online. But as you state, if this is indeed as difficult to get online, it won't be terribly effective. (Profits would be quite marginal.)

The attempt through spam is almost sure to just get their trojaned hosts BLed for nothing.

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:06:19 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:10:25 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

"Porpoise" wrote in news:dhlhui$53j$1@news.spamcop.net:

>
> "Claudio Valderrama C." wrote in message
> news:dhle3c$1jd$1@news.spamcop.net...
>> Hello, does anyone know if savvis.net is trustable?
>> I ask this because abuse at savvis.net refuses munged reports but I
>> don't have knowledge whether they allow spammers to listwash or
>> simply are too inflexible.
>> Thanks.
>
> Look here:
> http://news.bbc.co.uk/1/hi/technology/3634572.stm
>
>

"As rumours about Savvis and the spammers grew on the internet, executives discussed different ways of keeping the customers and whether they could hide them by changing their names or their computer IP addresses."

And why they ended up on the SPEWS sh!t list.

"One of the Vice Presidents told me, 'Take no action against any Cable & wireless customer - they are profitable and they are off limits.'"

Meaning the CEOs KNEW what they were doing. They KNEW these spammers were trouble. They KNEW that their "customers" were dubious in nature. But profits came before common sense and had some megalomaniacal misconception that they were just "too big" to be blacklisted.

"Savvis itself says the company is firmly anti-spam, and Rob McCormick, the Chief Executive Officer, told the BBC that Savvis does have an excellent reputation for being anti-spam."

Rule 1.

"He disputed the figure of $2 million a month revenue from the spammers, and said the actual figure is only a tenth of that amount."

$200,000 per month? Hardly "profitable".. considering there was an active campaign to bring spammers on board to their network. Again, looks like Rule 1.

"Mr McCormick said the problem stemmed entirely from the spammers they inherited from C&W. 'The previous owner of that company allowed something to exist for a long period of time, and people are expecting that a few months after the acquisition of a bankrupt company it's suddenly our fault.'"

When a company like Cable & Witless goes bankrupt, you have to ask why.. especially if one is going to purchase their assets. So C&W just happened to leave out their spammer infestation on their disclosure? Rule 1.

"'Savvis does not believe illegal spamming is good....".

As opposed to what? Legal spamming? WTF??

Savvis still blackhat, IMO..

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:09:59 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:10:39 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

"St - Musaic.Net" wrote in news:mailman.88.1128101008.169.spamcop-list@news.spamcop.net:

>
> Message from http://www.blackholes.us:
> "Disk crashed. Wierd things happened. Back online very soon now..."
>
> Ok...
>

Glad to hear they are not out-of-business for good. (Almost what happened to OpenRBL.)

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:13:27 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:15:04 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com>
Message-ID:

"Bill Beyer" wrote in news:dhjosn$34l$1@news.spamcop.net:

>
> The majority of pump & dump I've taken the time to actually read
> lately has a disclaimer that states that the company has been paid x
> amount of dollars, not shares in the pumped stock. Now I know spammers
> lie but if they're getting paid in cash instead of shares of stock
> then I don't think they care what the stock does. All it takes is a
> good sales pitch to get someone to believe that the price of the stock
> can be materially changed by a spam campaign and then the spammers go
> to work. Technically I guess this wouldn't be classified as a pump &
> dump but they all get reported regardless.
>
>

Why should spammers pay if they could steal instead? Rule 1.

From bar_n0ne at hotmail.com Sat Oct 1 16:13:54 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sat Oct 1 07:15:06 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

"Redstone" wrote in message news:Xns96E229C6A69CFtinlc@216.154.195.61...
> "Porpoise" wrote in
> news:dhlhui$53j$1@news.spamcop.net:
>
> >
> > "Claudio Valderrama C." wrote in message
> > news:dhle3c$1jd$1@news.spamcop.net...
> >> Hello, does anyone know if savvis.net is trustable?
> >> I ask this because abuse at savvis.net refuses munged reports but I
> >> don't have knowledge whether they allow spammers to listwash or
> >> simply are too inflexible.
> >> Thanks.

Well, I hate to admit it but I no longer have a problem with being listwashed, I wish more spammers would do it. That being said, it is only a personal wish to reduce my spam. As far as I am concerned a listwashing spammer is a spammer, and needs to be stopped. My recent experience, though, is that spammers don't listwash, even the ones at spammis.

From Kilgallen at SpamCop.net Sat Oct 1 07:18:28 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Sat Oct 1 07:20:03 2005
Subject: [SpamCop-List] Re: savvis.net
References:
Message-ID:

In article , Redstone writes:

> When a company like Cable & Witless goes bankrupt, you have to ask why..
> especially if one is going to purchase their assets.

When all you SpamCop readers purchase the assets of a firm, keep in mind you are also purchasing the liabilities (reputation).

From Kilgallen at SpamCop.net Sat Oct 1 07:20:17 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Sat Oct 1 07:25:04 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

In article , Redstone writes:

> Glad to hear they are not out-of-business for good. (Almost what happened
> to OpenRBL.)

Can you say exactly what _did_ happen to OpenRBL behind the scenes ?

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:22:06 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:25:06 2005
Subject: [SpamCop-List] Question for everyone about SBC/Pacbell
Message-ID:

Quick question to everyone out there..

Is anyone still receiving trojaned open-proxy spam originating from SBC/Pacbell DSL IP space?

The reason I ask is that a week ago I received an email from SBC (my ISP) stating that "port 25" blocking will be enforced as means of curtailing spam from their network. And it has been a while since I received any spam coming out of SBC/Pacbell DSL space.

From redford_stone at INVERSE_OF_COLDmail.com Sat Oct 1 12:33:04 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sat Oct 1 07:35:03 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

Kilgallen@SpamCop.net (Larry Kilgallen) wrote in news:EwNmG3lVCxhY@eisner.encompasserve.org:

> In article , Redstone
> writes:
>
>> Glad to hear they are not out-of-business for good. (Almost what
>> happened to OpenRBL.)
>
> Can you say exactly what _did_ happen to OpenRBL behind the scenes ?
>

I can only state what I heard from what I read here and on NANAE.. Something about it simply crashing and the owner not wanting to go through the effort (difficulty) of bringing it back online again. (Seems like he had it on "automatic" for all this time.. quite a feat.)

From porpoise1954 at yahoo.co.uk Sat Oct 1 14:23:15 2005
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Oct 1 08:25:03 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net>
Message-ID:

"Redstone" wrote in message news:Xns96E221102E9D6tinlc@216.154.195.61...
>
> The attempt through spam is almost sure to just get their trojaned hosts
> BLed for nothing.
>

Yeah! Make 'em BLeed........... [;-)>

From g.hyde at bigpond.net.au Sun Oct 2 00:12:42 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sat Oct 1 09:15:03 2005
Subject: [SpamCop-List] Re: What the blazes happened here?
References:
Message-ID:

"Mike Easter" wrote in message news:dhl2td$rnp$1@news.spamcop.net...
> Geoffrey Hyde wrote:
>
>> I'm not posting using a mailing list, I'm posting using a NNTP server,
>> which, as far as I know, is supposed to be a direct connection to the
>> lugnet news server in question, therefore unless someone else
>> received it through an unlikely echo off some compromised server,
>> it's what I consider to be spam. The LUGNET mailserver is not
>> supposed to send me anything back except an authorisation message,
>> which I click a link in to take me to the post authorisation
>> screen.

A lot of snippage, and I noticed this line in the headers after a look in it:

Received: by ntc.net.pk with Internet Mail Service (5.5.2656.59) id ; Fri, 30 Sep 2005 12:54:12 +0500

How can I tell if this is a genuinely inserted line or a pathetic attempt to make something look legitimate? SpamCop (correctly, afaik) ignored it because there was no From.

As for the munging the only munging I noticed was an where my email address usually is. It still is spam because I'm pretty sure a properly configured mailserver known to be handling list traffic would not have me identified as the sender, it would have itself as the sender or a specially configured reply-to address.

-- 
Cheers ...
Geoffrey Hyde

From nobody at xyzzy.claranet.de Sat Oct 1 18:49:02 2005
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sat Oct 1 11:55:04 2005
Subject: [SpamCop-List] Re: The (in)famous "Re[n]" spam
References: <433AD35A.65A@xyzzy.claranet.de> <433C29BA.5FBD@xyzzy.claranet.de>
Message-ID: <433EAFEE.6EB@xyzzy.claranet.de>

[Update]

> http://rfc-ignorant.org/tools/lookup.php?domain=enewstodaylive26mail.com
> http://rfc-ignorant.org/tools/lookup.php?domain=enewstodayli27vemail.com
> http://rfc-ignorant.org/tools/lookup.php?domain=enewsto28daylivemail.com

There was also a "25" in this shawnts@popaccount.com series:

http://rfc-ignorant.org/tools/lookup.php?domain=enewsto25daylivemail.com

The next run is asdfsdfg78@yahoo.com - apparently the domains went just online (manual SC reports sent to a Chinese hoster):

http://rfc-ignorant.org/tools/lookup.php?domain=alargebasket.com
http://rfc-ignorant.org/tools/lookup.php?domain=afinepurchase.com
http://rfc-ignorant.org/tools/lookup.php?domain=afineasset.com
http://rfc-ignorant.org/tools/lookup.php?domain=alotofgoods.com

Now it's whois.enom.com, unfortunately I don't see a whois data problem, and mail-abuse@yahoo-inc didn't answer yet. For the name servers protectitdomaindns.com he stuck to Joker, using protectitdomains@popaccount.com for the *-C addresses. Billing address is still domainz@web2mail.com , Frank

From alain.guimberteau at laposte.net Sat Oct 1 23:29:33 2005
From: alain.guimberteau at laposte.net (Alain Guimberteau)
Date: Sat Oct 1 16:30:17 2005
Subject: [SpamCop-List] Re: Unreported Spam Saved: Report Now - Timing Out
References:
Message-ID:

the same since few days :

Gateway Timeout
The proxy server did not receive a timely response from the upstream server.
Reference #1.c4926054.1128196774.1207fa5

"Kenneth Loafman" wrote in message news: um5ri1l60il5lt49f1ro20428u9mse73et@4ax.com...
> On Sun, 18 Sep 2005 08:53:28 +0100, "David" wrote:
>
>>
>>"David" wrote in message
>>news:dgh2uj$8pb$1@news.spamcop.net...
>>> Live reporting works perfectly - but trying to process spams sent in by
>>> email times out :
>>>
>>> Gateway Timeout
>>> The proxy server did not receive a timely response from the upstream
>>> server.
>>> Reference #1.4509fdd5.1126960831.10fae6c
>>>
>>
>>24-hours on - This is still giving the same result - anyone else having
>>this
>>problem ?
>
> I'm getting something similar to that, but it's manifesting itself in the
> inability to get to mailsc.spamcop.net, probably due to the rapid DNS
> swapping they do at Akamai. Since yesterday there have been 7 instances
> where mailsc did not resolve, but later did.
>
> Thinking about setting up my own caching DNS again.
>
> ...Ken

From philip at pch.home.cs.vu.nl Sun Oct 2 00:32:30 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Sat Oct 1 17:50:08 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

In article , Mike Easter wrote:
> - I am satisfied to be a /passive/ but pledged antispammer, discarding
>*all* [not just some] spam unread and unopened

Wow, what kind of technology do you use to determine with 100% (yes really 100%, not just 99.9%) accuracy whether an e-mail is spam or not?

I'm not going to take the risk of deleting real mail unopened because it might be spam.

Logical conclusion: some amount of spam has to be read to be classified as spam.

-- 
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
    -- Douglas Adams in Dirk Gently's Holistic Detective Agency

From nobody at spamcop.net Sat Oct 1 23:45:59 2005
From: nobody at spamcop.net (N. Miller)
Date: Sun Oct 2 01:50:04 2005
Subject: [SpamCop-List] Re: Question for everyone about SBC/Pacbell
References:
Message-ID:

On Sat, 1 Oct 2005 11:22:06 +0000 (UTC), Redstone wrote:

> Quick question to everyone out there..
>
> Is anyone still receiving trojaned open-proxy spam originating from
> SBC/Pacbell DSL IP space?
>
> The reason I ask is that a week ago I received an email from SBC (my ISP)
> stating that "port 25" blocking will be enforced as means of curtailing
> spam from their network. And it has been a while since I received any spam
> coming out of SBC/Pacbell DSL space.

I get about one-tenth as much proxy spam from SBC space (including all nine SBC domains) as I did a year ago. Until last March, SBC was ahead of, then, for a while, equal to Comcast as a proxy spam source. Now they are way behind Comcast. Indeed, indications are that Comcast is now the number one source of proxy spam among the U.S. HSI providers.

I can add up my Bellsouth, SBC, USWest/Qwest, and Verizon proxy spam, and throw in Charter, Cox, Optimum Online, and Road Runner for good measure, and only just come short of equaling the proxy spam which comes from Comcast customers. I don't know if all of them block port 25 outbound; SBC, of course, and, I think Bellsouth.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Sat Oct 1 23:59:34 2005
From: nobody at spamcop.net (N. Miller)
Date: Sun Oct 2 02:00:03 2005
Subject: [SpamCop-List] Re: What the blazes happened here?
References:
Message-ID: <17dwn5r1hd7p6.dlg@news.spamcop.net>

On Sat, 1 Oct 2005 23:12:42 +1000, Geoffrey Hyde wrote:

> A lot of snippage, and I noticed this line in the headers after a look in
> it:
>
> Received: by ntc.net.pk with Internet Mail Service (5.5.2656.59) id
> ; Fri, 30 Sep 2005 12:54:12 +0500
>
> How can I tell if this is a genuinely inserted line or a pathetic attempt to
> make something look legitimate? SpamCop (correctly, afaik) ignored it
> because there was no From.

I am not familiar with the mail program, but it could be legitimate. Consider the following, out of context:

Received: from Spooler by aosake.net (Mercury/32 v4.01b) ID MO000002; 11 Sep 2005 12:16:23 -0700
Received: from spooler by aosake.net (Mercury/32 v4.01b); 11 Sep 2005 12:15:32 -0700

I know how Mercury/32 works well enough to describe how they came to be. Here is the tracker so you can see them in context:

http://www.spamcop.net/sc?id=z811128972za1f55e6617782f1d8924d1944e756e3dz

SpamCop ignores them because they contain no useful information regarding identifying the source of the message, not because they are certain pathetic forgeries.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Sun Oct 2 00:07:42 2005
From: nobody at spamcop.net (N. Miller)
Date: Sun Oct 2 02:10:04 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

On Sat, 1 Oct 2005 23:32:30 +0200, Philip Homburg wrote:

> In article ,
> Mike Easter wrote:
>> - I am satisfied to be a /passive/ but pledged antispammer, discarding
>>*all* [not just some] spam unread and unopened
> Wow, what kind of technology do you use to determine with 100% (yes really
> 100%, not just 99.9%) accuracy whether an e-mail is spam or not?
> I'm not going to take the risk of deleting real mail unopened because it
> might be spam.
> Logical conclusion: some amount of spam has to be read to be classified as
> spam.

Visual inspection rules:

Is it from somebody I know? Yes? It isn't spam. No, do the headers show a reasonable source for the email (i.e., not a proxy SMTP client connecting to my mailhost)? Yes? It isn't spam. No, it is spam.

By visual inspection of subject lines, something that can't be easily described, else it could equally easily be coded as a filter, I can readily see what is spam. On occasion I have missed ham in the first pass. I could easily use the message source (MSOE, Mozilla, Thunderbird), or header preview (Pegasus Mail) to check on the source. Even on the Dark Horse Comics web mail server I need not open the actual spam item; check the box, enter the destination email address, click on the "Redirect" button, and it arrives with original headers intact.

-- 
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From philip at pch.home.cs.vu.nl Sun Oct 2 10:04:32 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Sun Oct 2 03:20:33 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>

In article , N. Miller wrote:
>Is it from somebody I know? Yes? It isn't spam. No, do the headers show a
>reasonable source for the email (i.e., not a proxy SMTP client connecting
>to my mailhost)? Yes? It isn't spam. No, it is spam.

How am I supposed to know what reasonable sources are for e-mail from China?

Some people do run their own mail servers on DSL lines? Do you suggest that I delete real mail from those people unopened in some mistaken belief that opening spam is harmful in any way?

-- 
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
    -- Douglas Adams in Dirk Gently's Holistic Detective Agency

From AHaumer_gmxnet at nopspam.invalid Sun Oct 2 11:48:46 2005
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Sun Oct 2 04:51:14 2005
Subject: [SpamCop-List] munging not sufficient
Message-ID: <433F9EEE.E884EFB6@nopspam.invalid>

Sometimes I get spam in which the spammer
fakes my own email-address as from-address.

SC sends reports to the right addresses,
but it leaves the faked from-address unmunged
indicating the source of the report ...
although the other occurrences are munged.

suggestion for improvement for SC ...

Toni

From bar_n0ne at hotmail.com Sun Oct 2 14:16:30 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Oct 2 05:20:35 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid>
Message-ID:

"Anton Haumer" wrote in message news:433F9EEE.E884EFB6@nopspam.invalid...
> Sometimes I get spam in which the spammer
> fakes my own email-address as from-address.
>
> SC sends reports to the right addresses,
> but it leaves the faked from-address unmunged
> indicating the source of the report ...
> although the other occurrences are munged.
>
> suggestion for improvement for SC ...
>
> Toni

In my experience, well formed From: and Reply to: addies along with cc:'d etc. have always been munged, have you gone back and looked at the actual report sent? (you can go to the past reports tab).

In any case I really doubt it matters. The only thing I see spammers scraping from SC reports are new addresses and aliases (they already have yours), new MX names, spamfilter scores to tune their spam with, and Received lines they may wish to use in faking mail routing.

From nobody at nowhere.invalid Sun Oct 2 12:30:49 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Oct 2 05:35:03 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID:

On Sun, 2 Oct 2005 09:04:32 +0200, Philip Homburg coughed into spamcop and left this in <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>:

> How am I supposed to know what reasonable sources are for e-mail from
> China?

IME there are none.

> Some people do run their own mail servers on DSL lines? Do you suggest
> that I delete real mail from those people unopened in some mistaken belief
> that opening spam is harmful in any way?

If they run their mail servers on DSL lines with DHCP IP addresses then don't discard the mail, reject it at the SMTP level.

-- 
Steve
Everyone has a photographic memory. Some just don't have film.

From AHaumer_gmxnet at nopspam.invalid Sun Oct 2 13:20:03 2005
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Sun Oct 2 06:25:02 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid>
Message-ID: <433FB453.7E267817@nopspam.invalid>

Berny wrote:
>
> > Sometimes I get spam in which the spammer
> > fakes my own email-address as from-address.
> >
> > SC sends reports to the right addresses,
> > but it leaves the faked from-address unmunged
> > indicating the source of the report ...
> > although the other occurrences are munged.
> >
> In my experience, well formed From: and Reply to: addies along with cc:'d
> etc. have always been munged, have you gone back and looked at the actual
> report sent? (you can go to the past reports tab).

Yes I did - unmunged.

> In any case I really doubt it matters. The only thing I see spammers
> scraping from SC reports are new addresses and aliases (they already have
> yours), new MX names, spamfilter scores to tune their spam with, and
> Received lines they may wish to use in faking mail routing.

Yes I know
but sometimes they try to verify the addresses ...
Well, I prefer totally munged ;-)

Toni

From bar_n0ne at hotmail.com Sun Oct 2 15:24:55 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Sun Oct 2 06:25:11 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid> <433FB453.7E267817@nopspam.invalid>
Message-ID:

"Anton Haumer" wrote in message news:433FB453.7E267817@nopspam.invalid...
> Berny wrote:
> >
> > > Sometimes I get spam in which the spammer
> > > fakes my own email-address as from-address.
> > >
> > > SC sends reports to the right addresses,
> > > but it leaves the faked from-address unmunged
> > > indicating the source of the report ...
> > > although the other occurrences are munged.
> > >
> > In my experience, well formed From: and Reply to: addies along with cc:'d
> > etc. have always been munged, have you gone back and looked at the actual
> > report sent? (you can go to the past reports tab).
>
> Yes I did - unmunged.
>
> > In any case I really doubt it matters. The only thing I see spammers
> > scraping from SC reports are new addresses and aliases (they already have
> > yours), new MX names, spamfilter scores to tune their spam with, and
> > Received lines they may wish to use in faking mail routing.
>
> Yes I know
> but sometimes they try to verify the addresses ...
>
> Well, I prefer totally munged ;-)
>
> Toni

Interesting, I couldn't properly confirm since I am set to unmunged in my preferences, but I have a free account, so I get at least partially munged. There was a discussion about munging the from address a few years back and I'm sure it was munged at the time (after the discussion), but my spam's "reply to" and "from"s are unmunged, It looks like yours (and everybody else's) are also.

From philip at pch.home.cs.vu.nl Sun Oct 2 14:21:14 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Sun Oct 2 07:50:16 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID: <9s7lpeorft3nabni9prsehgbj3@inews_id.stereo.hq.phicoh.net>

In article , Steven Maesslein wrote:
>On Sun, 2 Oct 2005 09:04:32 +0200, Philip Homburg coughed into spamcop
>and left this in
><7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>:
>
>> How am I supposed to know what reasonable sources are for e-mail from
>> China?
>
>IME there are none.

In my experience there are. Even in China, there are people foolish enough to use my software :-) (or, at least, ask questions about it).

>> Some people do run their own mail servers on DSL lines? Do you suggest
>> that I delete real mail from those people unopened in some mistaken belief
>> that opening spam is harmful in any way?
>
>If they run their mail servers on DSL lines with DHCP IP addresses then
>don't discard the mail, reject it at the SMTP level.

What's the point rejecting e-mail just because of technicalities (dynamic, no reverse DNS, TTLs too short)?

I refuse mail from IP addresses and netblocks that send (too much) spam. No spam, no block.

(And then there is the small problem that there is no complete list of all netblocks that consists of dynamic addresses).

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From nobody at nowhere.invalid Sun Oct 2 17:05:23 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Oct 2 10:10:03 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net> <9s7lpeorft3nabni9prsehgbj3@inews_id.stereo.hq.phicoh.net>
Message-ID:

On Sun, 2 Oct 2005 13:21:14 +0200, Philip Homburg coughed into spamcop and left this in <9s7lpeorft3nabni9prsehgbj3@inews_id.stereo.hq.phicoh.net>:

> In my experience there are. Even in China, there are people foolish enough to
> use my software :-) (or, at least, ask questions about it).

I feel sorry for you. I'm lucky enough to have no reason to accept mail from most of APNIC and all of LACNIC, so most of those areas are in the firewall, and what isn't in the firewall is in the DNSBL.

> What's the point rejecting e-mail just because of technicalities (dynamic,
> no reverse DNS, TTLs too short)?

Because a real mail server shouldn't have any of those characteristics. If a machine which does exhibit them is trying to send you mail, the chances are it's a zombified Windows machine trying to send you a virus or spam.

--
Steve
A group of cats is a "conceit". They'd like it to be called a "pride" but that would fool nobody.
-- Morely Dotes in NANAE, 2-FEB-2004

From nobody at spamcop.net Sun Oct 2 10:20:56 2005
From: nobody at spamcop.net (N. Miller)
Date: Sun Oct 2 12:25:05 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID:

On Sun, 2 Oct 2005 09:04:32 +0200, Philip Homburg wrote:

> How am I supposed to know what reasonable sources are for e-mail from
> China?

Run the connecting SMTP client IP address through a service like OpenRBL.

> Some people do run their own mail servers on DSL lines? Do you suggest
> that I delete real mail from those people unopened in some mistaken belief
> that opening spam is harmful in any way?

You can do whatever floats your boat. No laws. OTOH, I do run an MTA on a dynamic IP address, but you aren't likely to find my dynamic IP address connecting to your server.
The problem is, too many places have my IP address in a DUL, and too many places use DULs to vet their incoming SMTP connections. In order not to face blocks at AOL, and other, I use my ISP SMTP server as a "smarthost". My MTA > my ISP MTA > your MX.

You can try to force people to return to the 1995 way of running email on the Internet, but that is not going to happen. Anybody running an MTA in dynamic IP address space, and trying to run end-to-end connections ("Direct-to-MX") instead of smarthosting is asking for connectivity problems, and unreliable email.

Personally, I do open spam for inspection. But I do it in a "safe" reader (it doesn't do scripts, or remote image calls); and, generally, only to get to the entire message source (I can view headers without opening the item, but I still have to open the item to get to the raw code). However, it is possible to do things Mike Easter's way, if a little inconvenient for what I am trying to do. You have to tailor the way you handle email to meet your particular requirements; what works for Mike, or me, might not work for you.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From baloo at ursine.ca Mon Oct 3 11:31:58 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 14:10:04 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net>
Message-ID:

Redstone wrote:
> Kenneth Brody wrote in
> news:433C27AD.AE65876@spamcop.net:
>
>>
>> Perhaps not enough people fall for pump-and-dump nowadays to affect
>> the price that much?
>>
>> Perhaps it's a "dump" instead, and they're simply trying to find
>> enough people actually willing buy their shares?
>>
>
> It is usually the case that not enough people fall for this scam. (Looks
> like the education campaign have worked.)

Well, this is a special case.
Pump and dumps have been around almost as long as the stock market itself. The act itself is not legal and there have been movies (titles don't come to mind ATM) about people getting nailed for doing exactly that.

From baloo at ursine.ca Mon Oct 3 12:20:27 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 15:10:05 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID:

Steven Maesslein wrote:
> If they run their mail servers on DSL lines with DHCP IP addresses then
> don't discard the mail, reject it at the SMTP level.

Problem: Large parts of North America have no other choice for internet connectivity or hosting.

From baloo at ursine.ca Mon Oct 3 12:27:14 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 15:10:09 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net>
Message-ID: <2p9813-v84.ln1@ursine.ca>

N. Miller wrote:
> You can do whatever floats your boat. No laws. OTOH, I do run an MTA on a
> dynamic IP address, but you aren't likely to find my dynamic IP address
> connecting to your server. The problem is, too many places have my IP
> address in a DUL, and too many places use DULs to vet their incoming SMTP
> connections. In order not to face blocks at AOL, and other, I use my ISP
> SMTP server as a "smarthost". My MTA > my ISP MTA > your MX.

I have my MTA set up to only use the smarthost if the destination site has the mistaken belief that dynamic IPs are always spammers. I don't run everything through the smarthost, because the site that operates that smarthost isn't trustworthy and frequently gets blocked by other sites. I'd switch in a heartbeat if there was any competition at all in my area.

> You can try to force people to return to the 1995 way of running email on
> the Internet, but that is not going to happen. Anybody running an MTA in
> dynamic IP address space, and trying to run end-to-end connections
> ("Direct-to-MX") instead of smarthosting is asking for connectivity
> problems, and unreliable email.

Yeah, but only sending to the ~2 dozen sites (looking at my logs) misconfigured badly enough to make it a problem. The rest of the net gets it right in this regard.

From baloo at ursine.ca Mon Oct 3 12:37:57 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 15:10:13 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID: <5da813-v84.ln1@ursine.ca>

Thomas Mooney wrote:
>> Message from http://www.blackholes.us:
>> "Disk crashed. Wierd things happened. Back online very soon now..."
>
> Hallelujah!
>
> My spam has increased five-fold since blackholes.us went toes up. China and
> Korea, mostly. A smattering of Brazil.

I have the zonefiles from last March if you want to throw them up on your own DNS servers for your use.

From baloo at ursine.ca Mon Oct 3 12:41:34 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Mon Oct 3 15:10:14 2005
Subject: [SpamCop-List] Re: www.Blackholes.US
References:
Message-ID:

Redstone wrote:
> (Seems like he had it on "automatic" for all this time.. quite a
> feat.)

That isn't surprising to me. All kinds of IPs came back as being owned by companies that haven't existed since the dot-com boom on OpenRBL...

From someone at microsoft.com Mon Oct 3 22:09:01 2005
From: someone at microsoft.com (bob)
Date: Mon Oct 3 21:10:03 2005
Subject: [SpamCop-List] added to block list and don't know why
Message-ID:

Our IP has hit SCbl and the IP is 66.12.37.217. I have no idea what is going on and a little upset at our domain server hostexcellence. They couldn't tell me anything and finally I telnet the mail server and find the SC block.

In simple english what do we do to prevent this?
I see the cause of the listing as: System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop).

We don't use any auto-responders and I'm not sure what all the bouncing messages are about. We use basic Outlook for reading mail. Can anyone help us figure out how to get our outgoing mail service back and how to prevent this SC from blocking it in the future?

Any help is greatly appreciated.

From wb8tyw at qsl.network Mon Oct 3 23:25:37 2005
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Mon Oct 3 22:30:10 2005
Subject: [SpamCop-List] Re: added to block list and don't know why
In-Reply-To:
References:
Message-ID:

bob wrote:
> Our IP has hit SCbl and the IP is 66.12.37.217. I have no idea what is
> going on and a little upset at our domain server hostexcellence. They
> couldn't tell me anything and finally I telnet the mail server and find the
> SC block.
>
> In simple english what do we do to prevent this? I see the cause of the
> listing as: System has sent mail to SpamCop spam traps in the past week
> (spam traps are secret, no reports or evidence are provided by SpamCop).

Spam trap data requires a deputy to summarize. I only have access to the same data as anyone on the internet.

In order for a mail server to send to spam traps, it either must have a security breach or it must be misconfigured to bounce undelivered e-mail to innocent victims of spam/virus forgeries.

> We don't use any auto-responders and I'm not sure what all the bouncing
> messages are about. We use basic Outlook for reading mail. Can anyone help
> us figure out how to get our outgoing mail service back and how to prevent
> this SC from blocking it in the future?

It really takes a sample of reported spam from that I.P. to determine what is the issue to be fixed.

Sometimes it is caused by a user or administrator of the mail server doing something stupid with an anti-spam or anti-virus product.
> Any help is greatly appreciated.

Plugging your I.P. address into moensted:

http://www.moensted.dk/spam/?addr=66.12.37.217&Submit=Submit

It shows that not only is spamcop.net listing you so is the PSBL.

Looking at your spamcop.net listing shows that hostmaster(at)gte.net is supposed to be handling issues with problems on your mail server. But mail to that address is bouncing.

When mail to a role account on a mail server is bouncing that is an obvious indication that something is wrong with the management of that network.

Having e-mail to the designated abuse contact bouncing will eventually cause more than just spamcop.net users to be blocking that address.

http://psbl.surriel.com/evidence?ip=66.12.37.217&action=Check+evidence

This is showing an illegal drug scam that was sent on September 29 from the I.P. address that you gave. There are no forwarding headers that were added by that mail server.

That is very bad. That indicates that criminals have control of that mail server and do what they want with it.

The security breach is either directly on the server, or on a computer connected to it over what should be a secure connection.

Now there is public evidence of two serious problems with that mail server, and you can use it when you call who ever you are paying to maintain that server.

More data:

http://ops.mail-abuse.com/cgi-bin/nph-ops-sview?66.12.37.217

Old evidence that a computer at this I.P. address was controlled by one or more criminals since May 2005.

-John
wb8tyw@qsl.network
Personal Opinion Only

From richard at zuidhofRemove.nl Tue Oct 4 11:37:03 2005
From: richard at zuidhofRemove.nl (Richard Zuidhof)
Date: Tue Oct 4 04:40:05 2005
Subject: [SpamCop-List] What is Cyveillance giving back?
Message-ID:

I notice every Spamcop report I make is copied to Cyveillance (http://www.cyveillance.com/spam.htm). This has been done for quite a long time now but I have not noticed any benefit for the Spamcop users.
I would suspect that a company sitting on so much data about spam now and then would publish statistics or research information. Maybe they can take a look at what a company like Netcraft does in the market for webservers and webhosting. I really like to know more about trends in what spam is reported.

Richard

From bar_n0ne at hotmail.com Tue Oct 4 14:02:48 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Oct 4 05:06:12 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

"Richard Zuidhof" wrote in message news:dhtevf$8ur$1@news.spamcop.net...
> I notice every Spamcop report I make is copied to Cyveillance

SNIP

OK Folks, get ready to duck the flames, Deploy the NOMEX suits.

From nobody at nowhere.invalid Tue Oct 4 12:06:04 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Oct 4 05:10:17 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Tue, 04 Oct 2005 10:37:03 +0200, Richard Zuidhof coughed into spamcop and left this in :

> I notice every Spamcop report I make is copied to Cyveillance
> (http://www.cyveillance.com/spam.htm). This has been done for quite a
> long time now but I have not noticed any benefit for the Spamcop
> users.

Cyveillance is not there to help SC users. They are employed by big companies to watch out for trademark infringement.

Originally, a deal was struck between JH and Cyveillance whereby Cyveillance helped JH with the bandwidth costs in return for copies of spam reports for them to scrutinize. To start with, Cy got more than they bargained for and had to stop the supply of spam because they couldn't keep up with it :)

There is another problem, however. Cy also has a web spider that crawls across the 'Net looking for trademark infringements, but the spider doesn't observe a site's "robots.txt" file designed to deny robots access to certain resources.
As such, my own opinion of Cy is that they are as abusive as spammers in that respect and part of the problem, not part of the solution.

As a user of a SC mail account, I have the possibility of *not* sending Cy copies of spam reports. I take advantage of that possibility, and they are denied access to my own servers by firewall policy.

--
Steve
Health nuts are going to feel stupid someday, lying in hospitals dying of nothing.

From nobody at nowhere.invalid Tue Oct 4 12:09:59 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Oct 4 05:10:20 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Tue, 4 Oct 2005 11:06:04 +0200, Steven Maesslein coughed into spamcop and left this in :

> Cy also has a web spider that crawls across the 'Net looking for
> trademark infringements, but the spider doesn't observe a site's
> "robots.txt" file

Apologies for the self-fup... I forgot to add that Cyveillance's spider also masquerades as a standard desktop browser (I forget whether it's IE or Moz but that's irrelevant) in an attempt to thwart protection that site owners might install based on the User-Agent string.

--
Steve
Are Linux users lemmings collectively jumping off of the cliff of reliable, well-engineered commercial software?
-- Matt Welsh

From bait-423c86b2-42ff9001 at good.julianhaight.com Tue Oct 4 04:46:35 2005
From: bait-423c86b2-42ff9001 at good.julianhaight.com (Chris F. Willoughby)
Date: Tue Oct 4 06:50:24 2005
Subject: [SpamCop-List] Re: Public Spamtraps
References:
Message-ID:

Not entirely sure why.. but the mailsc.spamcop.net page has one hidden on there somewhere as well. I only found it because I was trying to browse the site without using my mouse at the time. :)

Chris

"The 'Lost' Monster Is A Robot" wrote in message news:dhrp01$ao0$1@news.spamcop.net...
>
>
>
> I want to put some email links on my webpage with the title
> "don't send email to these addresses unless you are a spammer."
> I know of three email addresses that have asked for spam:
>
> uce@ftc.gov
> spamrecycle@chooseyourmail.com
> spamtrap@spambouncer.org
>
> Are there any others?
>
>
>

From Nobody at SpamCop.net.dev.null Tue Oct 4 08:44:02 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Tue Oct 4 08:45:04 2005
Subject: [SpamCop-List] How to Rattle This Guy's Cage?
Message-ID: <43427912.17EDB4B5@SpamCop.net.dev.null>

I've been getting a number of "mortgage application" phish spams associated with Leo Kuvayev/Michael Lindsay type spams. Some number of the spamvertised sites trace back to this registration:

Associated spamcop report:
http://www.spamcop.net/sc?id=z811637287zf16e455984c1806593b4b6ccd4d3f786z

Server Used: [ whois.yesnic.com ]
http://www.t0wn.com = [ ]
-----------------------------------------------
Queried Domain Information as follows
-----------------------------------------------
Domain Name : t0wn.com
: :Registrant: :
Name : James Bright
Email : jamesbright12345@netscape.net
Address : 101 Thomas St.
Zipcode : 98109
Nation : US
Tel : 12062030586
Fax :
: :Administrative Contact: :
Name : James Bright
Email : jamesbright12345@netscape.net
Address : 101 Thomas St.
Zipcode : 98109
Nation : US
Tel : 12062030586
Fax :
: :Technical Contact: :
Name : James Bright
Email : jamesbright12345@netscape.net
Address : 101 Thomas St.
Zipcode : 98109
Nation : US
Tel : 12062030586
Fax :
: :Name Servers: :
: :Dates & Status: :
Created Date 2005-10-01 14: 21: 49 EDT
Updated Date 2005-10-01 14: 21: 49 EDT
Valid Date 2006-10-01 14: 21: 49 EDT
Status REGISTRAR-HOLD
_____________________________________________________

Notice that there is no IP associated with this registration.

This cheeseburger has been the registered webhost for spammy's little webform pages for some time, and I've yet to get hold of Netscape to wake them up that these spammers are using AOL and Netscape webmail addresses. This particular webmail account has been in use for about a month.
My repeated attempts to LART manually get slapped down by Netscape.net -- I don't have an account there, so talk to the hand.

Can they register a site like this? And can they keep it current, now that they're providing even less information than they did originally?

Notice that registrant gives only a ZIP code in southern California (probably phony).

More to the point, why are guys like this still around? Why are their pages even accessible?

Michael

From amenex at amenex.com Tue Oct 4 11:27:25 2005
From: amenex at amenex.com (George Langford, Sc.D.)
Date: Tue Oct 4 10:27:28 2005
Subject: [SpamCop-List] Quick Reporting returns empty data
Message-ID: <20051004102725.l2as4soo08soo0wo@webmail.spamcop.net>

Better look at the Quick Reporting system this AM.

Here's a typical notification:

> SpamCop.net
> Here are the results of your submission:
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:
>
>
> Processing spam: From:
> Subject:

Amenex

From nobody at devnull.spamcop.net Tue Oct 4 10:56:39 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 4 11:00:04 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID:

"George Langford, Sc.D." wrote in message news:mailman.91.1128436049.169.spamcop-list@news.spamcop.net...
> Better look at the Quick Reporting system this AM.
>
> Here's a typical notification:
>
> > SpamCop.net
> > Here are the results of your submission:

With your example and the discussion on-going at
http://forum.spamcop.net/forums/index.php?showtopic=5055
it does appear that the issue may be at JT's end ..
There have been notifications sent out ....

From nobody at spamcop.net Tue Oct 4 11:13:09 2005
From: nobody at spamcop.net (Ellen)
Date: Tue Oct 4 11:25:04 2005
Subject: [SpamCop-List] Re: added to block list and don't know why
References:
Message-ID:

"bob" wrote in message news:dhskmu$r77$1@news.spamcop.net...
> Our IP has hit SCbl and the IP is 66.12.37.217. I have no idea what is
> going on and a little upset at our domain server hostexcellence. They
> couldn't tell me anything and finally I telnet the mail server and find the
> SC block.
>
> In simple english what do we do to prevent this? I see the cause of the
> listing as: System has sent mail to SpamCop spam traps in the past week
> (spam traps are secret, no reports or evidence are provided by SpamCop).
>
> We don't use any auto-responders and I'm not sure what all the bouncing
> messages are about. We use basic Outlook for reading mail. Can anyone help
> us figure out how to get our outgoing mail service back and how to prevent
> this SC from blocking it in the future?
>
> Any help is greatly appreciated.
>
>

You apparently have an infected pc on your lan sending spam. You can write to me at deputies admin.spamcop.net for more details. Make sure to include the IP.

Ellen
SpamCop

From MikeE at ster.invalid Tue Oct 4 09:33:32 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 11:35:02 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID:

WazoO wrote:
> "George Langford, Sc.D."
>> Better look at the Quick Reporting system this AM.
>>
>> Here's a typical notification:
>>
>>> SpamCop.net
>>> Here are the results of your submission:
>
> With your example and the discussion on-going at
> http://forum.spamcop.net/forums/index.php?showtopic=5055
> it does appear that the issue may be at JT's end ..
> There have been notifications sent out ....

The forum discussion seems to be about problems with quick and webmail Oct 4, and/but I don't know how to interpret the timestamps on the posts, ie what offset they belong to

I submitted a 'package' of 5 spams by email to quick at 7:23 AM PDT [UTC -0700] and they were all satisfactorily parsed and processed 7:28 AM same offset..
--
Mike Easter
kibitzer, not SC admin

From kenbrody at spamcop.net Tue Oct 4 12:39:12 2005
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Tue Oct 4 11:45:03 2005
Subject: [SpamCop-List] Strange "quick report" problem
Message-ID: <4342A220.5C92A294@spamcop.net>

I submitted several spams in my Inbox for quick reporting, and I got the following e-mail in reply:

==========
SpamCop.net
Here are the results of your submission:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:

Processing spam: From:
Subject:
==========

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From me at privacy.net Tue Oct 4 18:09:33 2005
From: me at privacy.net (Will Wilkinson)
Date: Tue Oct 4 12:10:02 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID: <2l6$rwx9kqQDFwTt@steely-glint.lancre.net>

In message , Mike Easter writes
>WazoO wrote:
>> "George Langford, Sc.D."
>
>>> Better look at the Quick Reporting system this AM.
>>>
>>> Here's a typical notification:
>>>
>>>> SpamCop.net
>>>> Here are the results of your submission:
>>
>> With your example and the discussion on-going at
>> http://forum.spamcop.net/forums/index.php?showtopic=5055
>> it does appear that the issue may be at JT's end ..
>> There have been notifications sent out ....
>
>The forum discussion seems to be about problems with quick and webmail
>Oct 4, and/but I don't know how to interpret the timestamps on the
>posts, ie what offset they belong to
>
>I submitted a 'package' of 5 spams by email to quick at 7:23 AM PDT
>[UTC -0700] and they were all satisfactorily parsed and processed 7:28
>AM same offset..
>

My quick reporting submissions via the webmail interface have all shown:

error:No IP found
Processing spam: From:
Subject:

Since 09:00 BST [UTC +0100] today. Also posted on the forum.

Will
--
lancre dot net - The personal domain of Will and Cath Wilkinson.
Send e-mail to news dot will at lancre dot net
PGP Fingerprint E089 1736 A023 9E5C AFA3 0B40 E5DC D80A 9E1F D521
Public key can be obtained from ldap://certserver.pgp.com

From MikeE at ster.invalid Tue Oct 4 10:17:40 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 12:20:03 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> I've been getting a number of "mortgage application" phish spams
> associated with Leo Kuvayev/Michael Lindsay type spams. Some number
> of the spamvertised sites trace back to this registration:
>
> Associated spamcop report:

www.spamcop.net/sc?id=z811637287zf16e455984c1806593b4b6ccd4d3f786z

spamvertising http://ykllmd2.t0wn.com/savings.asp

Does not resolve; t0wn.com does not have nameservice

> Domain Name : t0wn.com
> : :Registrant: :
> Name : James Bright
> Email : jamesbright12345@netscape.net
> Address : 101 Thomas St.
> Zipcode : 98109
> Nation : US
> Tel : 12062030586

It is /possible/ to snail by street address and zip5, but not in this case. That address is undeliverable.

usps.com: Find a ZIP + 4? Code By Address Results
This is a non-deliverable address. Mail sent to this address will be returned.
This address is NON-DELIVERABLE
101 THOMAS ST
SEATTLE WA 98109 - 4813

> : :Name Servers: :
> : :Dates & Status: :
> Created Date 2005-10-01 14: 21: 49 EDT
> Updated Date 2005-10-01 14: 21: 49 EDT
> Valid Date 2006-10-01 14: 21: 49 EDT
> Status REGISTRAR-HOLD

> Notice that there is no IP associated with this registration.

There is no IP because there is no nameservice currently.

> these spammers are using AOL and Netscape webmail
> addresses.
I don't think you can make much out of that.

> Can they register a site like this?

You have a legitimate beef to internic/icann via yesnic if the registration info is bogus

http://wdprs.internic.net/

This form allows Internet users to submit reports to ICANN-Accredited Registrars concerning incomplete or inaccurate Whois data.

> Notice that registrant gives only a ZIP code in southern California
> (probably phony).

The zip is Seattle WA. What will happen probably is that the registrant will say there was a typo, either wrong street name/number or wrong zip. Registrant 'forgot' to provide city and state.

IMO, internic/icann should 'enforce' against registrars who 'blatantly' fail to obtain a complete address, such as city and state.

There is also a place to turn in a beef about the registrar yesnic

http://reports.internic.net/cgi/registrars/problem-report.cgi

If you have a problem with one of the registrars, you should first try to resolve it with that registrar.

But, that 'presumes' the problem is financial or something between you and the registrar. In this case, your beef would be that the registrar is failing to comply with ICANN's requirements of being an accredited registrar

"If you would like to submit a complaint about a registrar for ICANN's records, please use the form below. As a courtesy, the form will forward your complaint to the registrar for review and further handling. (Please note that there is no guarantee that the registrar will reply.)"

> More to the point, why are guys like this still around? Why are their
> pages even accessible?

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 4 10:43:03 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 12:45:02 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

Belatedly answering this; I was out of town and not visiting newsgroups a few days.
Philip Homburg wrote:
> Mike Easter
>> - I am satisfied to be a /passive/ but pledged antispammer,
>> discarding *all* [not just some] spam unread and unopened
>
> Wow, what kind of technology do you use to determine with 100% (yes
> really 100%, not just 99.9%) accuracy whether an e-mail is spam or
> not?
>
> I'm not going take the risk of deleting real mail unopened because it
> might be spam.
>
> Logical conclusion: some amount of spam has to be read to be
> classified as spam.

One can achieve the highest percentage of 'knowing' their spam from nonspam by having a very good user configured spamfilter which writes its analysis in the headers.

I would 'train' that pledged passive antispammer to examine any mail considered 'uncertain' - where uncertain is based on the question of whether the 'reader' should consider the analysis by the spamfilter [such as SpamPal or SpamAssassin or such] in 'question' ie the spamfilter said it was spam and the reader is doubting it, or the spamfilter said it was ham and the reader is doubting that.

Such 'questioning' could cause the would-be 'reader' of some uncertain item to analyze the item by its headers first.

I do not think that 'simply' opening unknown or unfiltered or questionable items or items which have a From or a Subject which 'sounds' like real mail is the correct approach.

If one is playing a 'game' with spammers and keeping score and giving the spammer points if you open a mail to read it to determine if it is spam or not, and not giving the spammer points if you never 'open' [which implies making a 'mistake' and opening a spam you thought was a 'real' mail], the trained pledged passive antispammer should be able to bat nearly 1000.

The fact that one might have to occasionally inspect headers or even inspect the interior or body of some kind of suspicious unknown is not the same thing as mistakenly opening and rendering a spam.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Oct 4 10:54:14 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 12:55:03 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid>
Message-ID:

Anton Haumer wrote:

> Sometimes I get spam in which the spammer
> fakes my own email-address as from-address.

Yes.

> SC sends reports to the right addresses,
> but it leaves the faked from-address unmunged

Yes.

> indicating the source of the report ...
> although the other occurrences are munged.
>
> suggestion for improvement for SC ...

SC leaves the From unmunged by design.

IMO, I would interpret the rules about material changes to permit you to munge or delete the From, even tho' the rules do not say that 'precisely'. The rules say that you can munge your address in the body. The rules also state that if you do such mungeing, you have to 'declare it' and that you can't do such mungeing in the case of providers who don't accept mungeing.

No deputy is going to make a declaration here which 'defies' anything which is stated in the faq -- that is, the faq is 'law' about material changes and if it isn't stated in the faq then it isn't officially approved even if it could be logically derived from what the faq permits.

So, you are 'on your own' by mungeing your address in the From -- it isn't officially approved. I would also go by the rule that you can't even do that mungeing if the recipient doesn't accept mungeing and that you should declare it.

Also, if a person is 'uncomfortable' about inadequate mungeing, they should also consider the fact that it is impossible for you to know with certainty that your 'persona' or address identity hasn't been concealed in a stealthy fashion somewhere in the header or body of the mail item. The only way you can be sure that you aren't providing your address to the report entity is to not send them a copy of the spam, like a mole reporter.
Under that circumstance, what you would /like/ would be to be as 'important' as a spamtrap, whose reports do count but are not provided to the report addy -- not to be as 'unimportant' as a mole, whose reports /don't/ count and also aren't provided.

--
Mike Easter
kibitzer, not SC admin

From AHaumer_gmxnet at nopspam.invalid Tue Oct 4 20:00:02 2005
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Tue Oct 4 13:00:03 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid>
Message-ID: <4342B512.C614C2D1@nopspam.invalid>

Mike Easter wrote:

> Also, if a person is 'uncomfortable' about inadequate mungeing, they
> should also consider the fact that it is impossible for you to know with
> certainty that your 'persona' or address identity hasn't been concealed
> in a stealthy fashion somewhere in the header or body of the mail item.
> The only way you can be sure that you aren't providing your address to
> the report entity is to not send them a copy of the spam, like a mole
> reporter.
>
> Under that circumstance, what you would /like/ would be to be as
> 'important' as a spamtrap, whose reports do count but are not provided
> to the report addy -- not to be as 'unimportant' as a mole, whose
> reports /don't/ count and also aren't provided.
>
> --
> Mike Easter
> kibitzer, not SC admin

Thanks for your explanations.

Well I'm unsure about mungeing ...
I could also consider:
"If a spammer sees enough reports sent by me (unmunged!) he will avoid troubles and delete my address ..."

Wrong?

Toni

From nobody at devnull.spamcop.net Tue Oct 4 13:01:30 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 4 13:05:06 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID:

"Mike Easter" wrote in message news:dhu7c8$lsh$1@news.spamcop.net...
> WazoO wrote:
> >
> > With your example and the discussion on-going at
> > http://forum.spamcop.net/forums/index.php?showtopic=5055
> > it does appear that the issue may be at JT's end ..
> > There have been notifications sent out ....
>
> The forum discussion seems to be about problems with quick and webmail
> Oct 4, and/but I don't know how to interpret the timestamps on the
> posts, ie what offset they belong to

I 'think' that as a Guest, the time displayed is 'probably' based on the server's time, i.e., Georgia .... GMT -5 ...

> I submitted a 'package' of 5 spams by email to quick at 7:23 AM PDT
> [UTC -0700] and they were all satisfactorily parsed and processed 7:28
> AM same offset..

Yeah, that's what I posted there sometime this morning, e-mail submittal worked fine, just something going on for the e-mail account users submitting from the web-mail accounts.

From nobody at devnull.spamcop.net Tue Oct 4 13:04:00 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 4 13:05:10 2005
Subject: [SpamCop-List] Re: Quick Reporting returns empty data
References:
Message-ID:

Replying to cross-post this into the other newsgroups ...

Don also posted this into the Forum discussion at http://forum.spamcop.net/forums/index.php?showtopic=5055

"SpamCop Admin" wrote in message news:nea5k1d2pmedts97o3aev1q24d9h0evehj@4ax.com...
> Reporting from webmail is inserting a blank line between the header
> lines and causing the parse to fail.
>
> I paged JeffT and sent him email about the problem.
>
> Unfortunately, that's all I can do. He is not up on IM, so he may be
> away from his office.
>
> - Don D'Minion - SpamCop Admin -

From MikeE at ster.invalid Tue Oct 4 12:07:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 14:10:04 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid> <4342B512.C614C2D1@nopspam.invalid>
Message-ID:

Anton Haumer wrote:

> Well I'm unsure about mungeing ...
> I could also consider:
> "If a spammer sees enough reports sent by me (unmunged!)
> he will avoid troubles and delete my address ..."
>
> Wrong?

There are spammers and there are spammers and then there are spammers.

Some spammers would like to believe that they have a legitimate mailing list which they bought and which they would like to improve by performing 'listwashing' - in which they /actually/ remove addresses which do not want that mail.

Some other spammers would like for you to confuse those listwashing spammers with the other forms of list management, which is to move names around from one list to another. This class of spammer would consider list construction to be influenced by those who open their spam and read their spam and believe their spam and click on links in spam, including those links which are remove links.

The vast majority of spammers are very simple in their list management -- they only add addies, they never remove them or manage them in any way. They don't care if addies bounce, they don't care if addies try to remove, they don't care about anything except spewing spam to as many addresses as possible. They aren't paying postage. There is no need to remove dead or unwilling or any other kind of address.

There are very very few spammers who go to the trouble of removing 'anti-s', but it occasionally does happen. Some antispammers cause spammers enough 'trouble' one way or another that the spammer would rather that those anti-s be removed from the list so they won't cause as much problem.

There are even fewer spammers who would be inclined to try to retaliate against an anti- by some kind of revenge attack, which is another matter.

So, we have spammers and spammers and spammers -- then we have mungers and mungers and mungers.

There is no mungeing. There is 'simple' spamcop mungeing.
Then there is uber-mungeing - in which there is additional mungeing beyond what SC performs - then uber-uber-mungeing which is beyond what SC permits -- then uber-alles-mungeing in which the mungeing is beyond all reason, rendering the 'evidence' relatively worthless to many abuse desks, some of whom won't even accept SC standard mungeing.

--
Mike Easter
kibitzer, not SC admin

From gezgin at spamcop.net Tue Oct 4 23:34:04 2005
From: gezgin at spamcop.net (Gezgin)
Date: Tue Oct 4 15:35:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

"Richard Zuidhof" wrote

> I really like to know more about trends in what spam is
> reported.

Having contributed to Cyveillance since the outset, so would I.

What good is it?

--
Bob

Kanyak's Doghouse
http://www.kanyak.com

From nobody at devnull.spamcop.net Tue Oct 4 15:36:21 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Tue Oct 4 15:40:03 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid> <4342B512.C614C2D1@nopspam.invalid>
Message-ID:

"Mike Easter" wrote in message news:dhugc4$sdq$1@news.spamcop.net...
> Anton Haumer wrote:
>
> > Well I'm unsure about mungeing ...
> > I could also consider:
> > "If a spammer sees enough reports sent by me (unmunged!)
> > he will avoid troubles and delete my address ..."
> >
> > Wrong?
>
> There are spammers and there are spammers and then there are spammers.

Added "over there" under the Parsing & Reporting Service block.

Forum version of the SpamCop FAQ
http://forum.spamcop.net/forums/index.php?showtopic=2238

This entry at "NEW! Insufficient Munging? Spammer 'Remove Lists'"
http://forum.spamcop.net/forums/index.php?showtopic=5062

From blacklist-me at davjam.org Tue Oct 4 21:55:32 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Tue Oct 4 16:35:04 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Tue, 4 Oct 2005, Steven Maesslein wrote:-

>On Tue, 4 Oct 2005 11:06:04 +0200, Steven Maesslein coughed into spamcop
>and left this in :
>
>> Cy also has a web spider that crawls across the 'Net looking for
>> trademark infringements, but the spider doesn't observe a site's
>> "robots.txt" file
>
>Apologies for the self-fup...
>
>I forgot to add that Cyveillance's spider also masquerades as a standard
>desktop browser (I forget whether it's IE or Moz but that's irrelevant)
>in an attempt to thwart protection that site owners might install based
>on the User-Agent string.

Doesn't everyone have something similar to the following in their .htaccess files?

# CYVEILLANCE Grabbing on 2003-05-19
#
Deny from 63.100.163.0/24
Deny from 63.148.99.0/24
Deny from 65.118.41.0/24
#

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From nobody at devnull.spamcop.net Tue Oct 4 18:03:17 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Tue Oct 4 17:05:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

Do a search of the old threads; lots of discussion on it at one time.

"Gezgin" wrote in message news:dhulfc$g9$1@news.spamcop.net...
: "Richard Zuidhof" wrote
:
: > I really like to know more about trends in what spam is
: > reported.
:
: Having contributed to Cyveillance since the outset, so would
: I.
:
: What good is it?
:
: --
: Bob
:
: Kanyak's Doghouse
: http://www.kanyak.com
:

From philip at pch.home.cs.vu.nl Wed Oct 5 00:58:38 2005
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Tue Oct 4 18:20:13 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

In article , Mike Easter wrote:
>I would 'train' that pledged passive antispammer to examine any mail
>considered 'uncertain' - where uncertain is based on the question of
>whether the 'reader' should consider the analysis by the spamfilter
>[such as SpamPal or SpamAssassin or such] in 'question' ie the
>spamfilter said it was spam and the reader is doubting it, or the
>spamfilter said it was ham and the reader is doubting that. Such
>'questioning' could cause the would-be 'reader' of some uncertain item
>to analyze the item by its headers first.

My ISP maintains a SpamAssassin configuration.

From what I read in the newsgroups, one of the big problems is false positives. Some organizations (like Yahoo) try to trigger as many SA rules as possible). On the other hand, I regularly get spam that triggers almost no SA rules.

I don't use the e-mail account at my ISP for real mail (other than announcements from my ISP), so I don't know how big the false positive problem really is. My guess is that I'm not going to blindly trust any SA analysis.

So, what you are proposing is for me a complete waste of time. I can safely open an e-mail and classify it as spam in a few seconds. Studying the SA analysis takes much longer and provides me with no benefits other than that it satisfies my curiosity with respect to the accuracy of SA.

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
    -- Douglas Adams in Dirk Gently's Holistic Detective Agency

From nobody at spamcop.net Tue Oct 4 16:47:51 2005
From: nobody at spamcop.net (N. Miller)
Date: Tue Oct 4 18:50:08 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null>
Message-ID: <462oa8nyzhdz.dlg@news.spamcop.net>

On Tue, 04 Oct 2005 07:44:02 -0500, Michael Brennan wrote:

> Notice that registrant gives only a ZIP code in southern California
> (probably phony).

I know that the San Andreas fault is a strike/slip fault, and the western side is moving northward. But it really isn't moving fast enough to locate San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes of my children's children's children's children.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From MikeE at ster.invalid Tue Oct 4 17:50:06 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Oct 4 19:50:13 2005
Subject: [SpamCop-List] Re: IBM spamming?
References:
Message-ID:

Philip Homburg wrote:
> Mike Easter

>> I would 'train' that pledged passive antispammer to examine any mail
>> considered 'uncertain' -

> My ISP maintains a SpamAssassin configuration.

You and I are not having an 'agreeable' or compatible discussion because we've lost track of the original premises.

You are arguing against /one/ of the items on a list of options I provided - and the list of options was a set of choices for some person to make. You chose the passive antispammer whose goal was to not open [or even to report, since that would be a more active antispammer] any spam and who would be configured with a user configured SA or SP type filter.

Instead, what you are saying is that you would make a different choice than being that passive antispammer with a user configured filter - and further that you would choose to open some spam.

I also have this same argument or discussion with advanced antispammers who would choose to open some spam.
I have no way to tell silly spamreaders from other spam openers without observing them in action; so I can't call you a silly spamreader -- all I know is that you 'want to' open spam for some reason or another.

> From what I read in the newsgroups, one of the big problems is false
> positives. Some organizations (like Yahoo) try to trigger as many SA
> rules as possible). On the other hand, I regularly get spam that
> triggers almost no SA rules.

That is one of the disadvantages to using a provider controlled spamfilter which you cannot configure yourself. My personal choice is to not even use my provider provided spamfilter. I turn it off.

> I don't use the e-mail account at my ISP for real mail (other than
> announcements from my ISP), so I don't know how big the false positive
> problem really is. My guess is that I'm not going to blindly trust
> any SA analysis.

I wouldn't blindly trust any spamfilter which I did not personally configure. And I don't 'blindly' trust even my own personally configured spamfilter.

> So, what you are proposing is for me a complete waste of time. I can
> safely open an e-mail and classify it as spam in a few seconds.

I have no idea whether you can 'safely' open an email or not. I also have no idea what you do or think or how you behave mentally while you are reading the spam you are opening.

> Studying the SA analysis takes much longer and provides me with no
> benefits other than that it satisfies my curiosity with respect to
> the accuracy of SA.

It is of much less use to 'study' some SA analysis which you do not control. The purpose of studying a spamfilter's analysis is for purposes of reconfiguring the filter. If you can't reconfigure the filter, the studying doesn't provide much 'function' -- except to whine to the provider about how the spam filter is or is not configured.
--
Mike Easter
kibitzer, not SC admin

From edb2000 at spamcop.net Tue Oct 4 21:16:38 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Tue Oct 4 23:20:03 2005
Subject: [SpamCop-List] Yeah, right...
Message-ID:

Sent to my SC address; as if claiming to be sending spam on behalf of charities makes it OK. Of all the addresses to send it to, wouldn't you think a @ spamcop.net address would be least likely of all to fall for it?

http://www.spamcop.net/sc?id=z812079714z71e85c2f86e62db36513c19129c622e3z

--
Don Wannit
A paid SpamCop user since 1999

From bar_n0ne at hotmail.com Wed Oct 5 10:04:04 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 5 01:05:21 2005
Subject: [SpamCop-List] Re: munging not sufficient
References: <433F9EEE.E884EFB6@nopspam.invalid> <4342B512.C614C2D1@nopspam.invalid>
Message-ID:

"WazoO" wrote in message news:dhuljm$pt$1@news.spamcop.net...
> "Mike Easter" wrote in message
> news:dhugc4$sdq$1@news.spamcop.net...
> > Anton Haumer wrote:
> >
> > > Well I'm unsure about mungeing ...
> > > I could also consider:
> > > "If a spammer sees enough reports sent by me (unmunged!)
> > > he will avoid troubles and delete my address ..."
> > >
> > > Wrong?

I have a suspicion that some of the big time US networked spammers (Lindsay for example) will remove some anti's from the lists they deliver to using "almost mainsleaze" services from companies like XO, and Spammis, er, Savvis, when SC reports become sufficiently annoying to these ISP's. But that is a small minority of overall spam, and the listwashing usually takes months to happen, and for all I know those ISP's simply block the sending of any mail from their networks to aggressive complainers, doing the work for the spammer.

Otherwise I would say Mike is right, most spammers' list management consists of adding addresses whenever and wherever they find them. They don't even seem interested in removing duplicates.
From edb2000 at spamcop.net Wed Oct 5 00:21:06 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Wed Oct 5 02:25:05 2005
Subject: [SpamCop-List] Re: Public Spamtraps
In-Reply-To:
References:
Message-ID:

Dave Lerner wrote:

> See

Project Honeypot does look interesting. At my first reading of the various information on their web site, it looks like their goal is to collect information with potential use in prosecuting spammers (such as under CANSPAM, which explicitly makes harvesting email addresses illegal).

I didn't see anything about feeding the caught spam injection IPs into a DNSbl. The closest I found is this passage in their discussion Message Board:

> As soon as our volume of spam picks up we're also going to begin
> sharing our data with other anti-spam services. For example, we've
> already agreed to give any spamvertised URLs to the SURBL service.
> We'd like to share our corpus of data with other open source
> anti-spam projects in order to help the technical spam community as
> well. Key to making the resource as valuable as possible is getting
> as many honey pots installed as we can. We're off to a great start,
> but probably need at least double the number of installed honey pots
> before we're reliably capturing a sizable chunk of harvesters and
> spammers on a virtually real-time basis.

Sharing spamvertised URLs gleaned from spam sent to honeypot addresses is not at all the same as a DNSbl listing the IP addresses of the sources of those spam emails.

Even though Project Honeypot is still a Public Beta, it sure would interest me, as a SpamCop email filtering service user, to have a DNSbl based on Project Honeypot to choose for deflecting/holding spam.

Is there any official or semi-official notice by SpamCop of Project Honeypot?
--
Don Wannit
A paid SpamCop user since 1999

From edb2000 at spamcop.net Wed Oct 5 00:39:58 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Wed Oct 5 02:40:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
In-Reply-To:
References:
Message-ID:

David Bolt wrote:
> On Tue, 4 Oct 2005, Steven Maesslein wrote:-
>
>>On Tue, 4 Oct 2005 11:06:04 +0200, Steven Maesslein coughed into spamcop
>>and left this in :
>>
>>>Cy also has a web spider that crawls across the 'Net looking for
>>>trademark infringements, but the spider doesn't observe a site's
>>>"robots.txt" file
>>
>>Apologies for the self-fup...
>>
>>I forgot to add that Cyveillance's spider also masquerades as a standard
>>desktop browser (I forget whether it's IE or Moz but that's irrelevant)
>>in an attempt to thwart protection that site owners might install based
>>on the User-Agent string.
>
> Doesn't everyone have something similar to the following in their
> .htaccess files?
>
> # CYVEILLANCE Grabbing on 2003-05-19
> #
> Deny from 63.100.163.0/24
> Deny from 63.148.99.0/24
> Deny from 65.118.41.0/24
> #
>

I had them also at address 216.32.64.10 which was hosted/colo by layeredtech.com at some point in the past. Any idea whether that's old data, or maybe an attempt by Cyveillance to do some scanning from other than their well-known subnets?

--
Don Wannit
A paid SpamCop user since 1999

From bar_n0ne at hotmail.com Wed Oct 5 13:33:27 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Oct 5 04:35:12 2005
Subject: [SpamCop-List] kornets bit bucket, finally overflowed
Message-ID:

Larts going to Dave Null now, the pretense of handling abuse seems to have ended.

From nobody at nowhere.invalid Wed Oct 5 11:57:45 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Oct 5 05:00:33 2005
Subject: [SpamCop-List] Re: Yeah, right...
References:
Message-ID:

On Tue, 04 Oct 2005 20:16:38 -0700, Don Wannit coughed into spamcop and left this in :

> http://www.spamcop.net/sc?id=z812079714z71e85c2f86e62db36513c19129c622e3z

That's Bobby Soloway again. Still spamming and therefore in contempt of a court order.

--
Steve
"Thank you for calling the Incontinence hotline. Please hold."

From hcd5rma02 at sneakemail.com Wed Oct 5 12:11:38 2005
From: hcd5rma02 at sneakemail.com (Arne Bolen)
Date: Wed Oct 5 05:16:18 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net> <2p9813-v84.ln1@ursine.ca>
Message-ID:

wrote in:

> I have my MTA set up to only use the smarthost if the destination site
> has the mistaken belief that dynamic IPs are always spammers. I don't
> run everything through the smarthost, because the site that operates
> that smarthost isn't trustworthy and frequently gets blocked by other
> sites. I'd switch in a heartbeat if there was any competition at all
> in my area.

You could look outside your own area. There are plenty of mail providers you could use as a smarthost.

From baloo at ursine.ca Wed Oct 5 11:02:16 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Wed Oct 5 13:10:04 2005
Subject: [SpamCop-List] Re: IBM spamming?
References: <7q4enbnog57vgdb055gpo8p3t0@inews_id.stereo.hq.phicoh.net> <2p9813-v84.ln1@ursine.ca>
Message-ID:

Arne Bolen wrote:
> You could look outside your own area. There are plenty of mail providers you
> could use as a smarthost.

The point is, I shouldn't have to pay someone else to do what I can do myself.

From baloo at ursine.ca Wed Oct 5 12:48:24 2005
From: baloo at ursine.ca (baloo@ursine.ca)
Date: Wed Oct 5 15:10:02 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID:

N.
Miller wrote:
> On Tue, 04 Oct 2005 07:44:02 -0500, Michael Brennan wrote:
>
>> Notice that registrant gives only a ZIP code in southern California
>> (probably phony).
>
> I know that the San Andreas fault is a strike/slip fault, and the western
> side is moving northward. But it really isn't moving fast enough to locate
> San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes
> of my children's children's children's children.

Never mind that roughly two thirds of Oregon and Washington residents are idiots from California dragging us down, no?

From redford_stone at INVERSE_OF_COLDmail.com Wed Oct 5 20:39:34 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Wed Oct 5 15:40:04 2005
Subject: [SpamCop-List] Re: Pump & Dump--why?
References: <290920050916518028%news@REMOVECAPSalanharper.com> <433C27AD.AE65876@spamcop.net>
Message-ID:

"Porpoise" wrote in news:dhlv42$c91$1@news.spamcop.net:

>
> Yeah! Make 'em BLeed........... [;-)>
>

Now that is a clever play on words. :-)

From redford_stone at INVERSE_OF_COLDmail.com Wed Oct 5 20:42:43 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Wed Oct 5 15:45:03 2005
Subject: [SpamCop-List] Re: Question for everyone about SBC/Pacbell
References:
Message-ID:

"N. Miller" wrote in news:oxw86majwfj2$.dlg@news.spamcop.net:

>
> I get about one-tenth as much proxy spam from SBC space (including all
> nine SBC domains) as I did a year ago. Until last March, SBC was ahead
> of, then, for a while, equal to Comcast as a proxy spam source. Now
> they are way behind Comcast. Indeed, indications are that Comcast is
> now the number one source of proxy spam among the U.S. HSI providers.
> I can add up my Bellsouth, SBC, USWest/Qwest, and Verizon proxy spam,
> and throw in Charter, Cox, Optimum Online, and Road Runner for good
> measure, and only just come short of equaling the proxy spam which
> comes from Comcast customers.
> I don't know if all of the block port 25
> outbound; SBC, of course, and, I think Bellsouth.
>

I think that the static IPs (those that have an SBC business account) still have port 25 access. (So BLing them would be an IP that sticks on the same trojaned host.)

But either case, this is good news. Other than trying to crack for identity-theft, it seems that spammers will have little to no use for SBC DSL connection.

From redford_stone at INVERSE_OF_COLDmail.com Wed Oct 5 20:48:58 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Wed Oct 5 15:50:03 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

"Berny" wrote in news:di034p$pqn$1@news.spamcop.net:

> Larts going to Dave Null now, the pretense of handling abuse seems to
> have ended.
>
>

That is until the clueless on their network complain that they can't send email.

From nobody at nowhere.invalid Wed Oct 5 22:51:37 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Oct 5 15:55:02 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

On Wed, 5 Oct 2005 19:48:58 +0000 (UTC), Redstone coughed into spamcop and left this in :

> That is until the clueless on their network complain that they can't send
> email.

Isn't that the normal state of affairs anyway? :)

--
Steve
I don't approve of political jokes... I've seen too many of them get elected.

From spamcop at 1bigthink.com Wed Oct 5 16:58:43 2005
From: spamcop at 1bigthink.com (spamcop)
Date: Wed Oct 5 15:58:43 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
In-Reply-To:
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID: <6.2.3.4.0.20051005155811.06d8bfc0@mxt.1bigthink.com>

At 02:48 PM 10/5/2005, you wrote:
>N. Miller wrote:
> > On Tue, 04 Oct 2005 07:44:02 -0500, Michael Brennan wrote:
> >
> >> Notice that registrant gives only a ZIP code in southern California
> >> (probably phony).
> >
> > I know that the San Andreas fault is a strike/slip fault, and the western
> > side is moving northward. But it really isn't moving fast enough to locate
> > San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes
> > of my children's children's children's children.
>
>Never mind that roughly two thirds of Oregon and Washington residents
>are idiots from California dragging us down, no?

They want you to Cali-fornicate!

From blacklist-me at davjam.org Thu Oct 6 00:57:56 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Wed Oct 5 19:05:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Tue, 4 Oct 2005, Don Wannit wrote:-

>David Bolt wrote:
>> # CYVEILLANCE Grabbing on 2003-05-19
>> #
>> Deny from 63.100.163.0/24
>> Deny from 63.148.99.0/24
>> Deny from 65.118.41.0/24

Looks like time for a minor update is required. Now their entries are:

Deny from 63.148.99.224/227
Deny from 65.118.41.192/27
Deny from 65.213.208.128/27
Deny from 65.222.176.96/27

>> #
>>
>
>
>I had them also at address 216.32.64.10 which was hosted/colo
>by layeredtech.com at some point in the past. Any idea whether
>that's old data, or maybe an attempt by Cyveillance to do some
>scanning from other than their well-known subnets?

No idea, although they could be. Then again, it may be someone completely different.

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From blacklist-me at davjam.org Thu Oct 6 01:37:43 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Wed Oct 5 19:40:02 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Wed, 5 Oct 2005, David Bolt wrote:-

>Deny from 63.148.99.224/227

Should be:

Deny from 63.148.99.224/27

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From nobody at spamcop.net Wed Oct 5 22:40:06 2005
From: nobody at spamcop.net (Claudio Valderrama C.)
Date: Wed Oct 5 21:40:34 2005
Subject: [SpamCop-List] To abuse.net or not to abuse.net
Message-ID:

Hello, where can I find information (if one) of the criterion used by SC to decide whether to query abuse.net or not? I today filed a spam report

http://members.spamcop.net/sc?id=z812408191zbf76c957c7b6a6ea5617a5ba6001fe6dz

where the source domain is controlled by gtdinternet.com. The ISP is gray hat for me, but that's not the issue: SC gets the contact address from the whois (jolea at gtdinternet.com) an account that doesn't pay attention to emails. I don't understand under which rule SC doesn't query abuse.net, so I went to abuse.net and extracted manually the correct abuse addresses (even if the ISP pays lip service to spam fighting).

Thus why doesn't SC go to abuse.net in this case?

C.

--
Claudio Valderrama C.
SW developer, consultant.
http://www.cvalde.net - http://www.firebirdsql.org

From nobody at devnull.spamcop.net Thu Oct 6 11:38:37 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Wed Oct 5 21:40:52 2005
Subject: [SpamCop-List] Quick reporting: The e-mail address could not be found
Message-ID:

When trying to send spam to my quick report address, I get the following

"The e-mail address could not be found. Perhaps the recipient moved to a different e-mail organization, or there was a mistake in the address. Check the address and try again."

Anyone else experiencing problems with quick reporting?
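[Added example, not part of any poster's message and not SpamCop's or Apache's own code: a Python check for the "Deny from" list David Bolt posted and corrected above. It catches a mistyped prefix length such as /227 before the file is deployed and reports which rule, if any, covers a given address. The function names are hypothetical; the rules are the ones quoted in the thread.]

```python
import ipaddress
import re

# The updated deny list exactly as first posted in the thread, including the
# mistyped prefix length (/227) that the follow-up message corrects to /27.
POSTED_RULES = """\
# CYVEILLANCE
Deny from 63.148.99.224/227
Deny from 65.118.41.192/27
Deny from 65.213.208.128/27
Deny from 65.222.176.96/27
"""

DENY_RE = re.compile(r"^\s*Deny\s+from\s+(\S+)\s*$", re.IGNORECASE)


def lint_deny_rules(text):
    """Check the address/prefix arguments of 'Deny from' lines.

    Returns (networks, problems, skipped):
      networks - ipaddress network objects for well-formed entries
      problems - (line number, argument, reason) for malformed entries
      skipped  - (line number, argument) for forms this check does not cover
                 (host names, partial addresses, 'all', env=...)
    """
    networks, problems, skipped = [], [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = DENY_RE.match(line)
        if not match:
            continue  # comments, blank lines and other directives
        spec = match.group(1)
        if "/" not in spec:
            try:
                ipaddress.ip_address(spec)
            except ValueError:
                skipped.append((lineno, spec))
                continue
        try:
            # strict=True also rejects entries whose host bits are set,
            # e.g. 63.148.99.225/27, which usually indicates a typo.
            networks.append(ipaddress.ip_network(spec, strict=True))
        except ValueError as exc:
            problems.append((lineno, spec, str(exc)))
    return networks, problems, skipped


def covering_rule(address, networks):
    """Return the first network that contains address, or None."""
    addr = ipaddress.ip_address(address)
    for net in networks:
        if addr in net:
            return net
    return None


if __name__ == "__main__":
    nets, problems, _ = lint_deny_rules(POSTED_RULES)
    for lineno, spec, reason in problems:
        print(f"line {lineno}: bad entry {spec!r}: {reason}")
    fixed, _, _ = lint_deny_rules(POSTED_RULES.replace("/227", "/27"))
    # The single address asked about in the thread is outside every listed /27.
    print("216.32.64.10 covered by:", covering_rule("216.32.64.10", fixed))
```
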
From nobody at spamcop.net Wed Oct 5 22:45:24 2005
From: nobody at spamcop.net (Claudio Valderrama C.)
Date: Wed Oct 5 21:45:02 2005
Subject: [SpamCop-List] Re: kornets bit bucket, finally overflowed
References:
Message-ID:

"Redstone" wrote in message
news:Xns96E68261786E5tinlc@216.154.195.61...
> "Berny" wrote in
> news:di034p$pqn$1@news.spamcop.net:
>
> > Larts going to Dave Null now, the pretense of handling abuse seems to
> > have ended.
>
> That is until the clueless on their network complain that they can't send
> email.

This rejection state would be already normal for any target relying on
http://korea.services.net/
:-)
It's a pity that a supposed developed country like South Korea doesn't want to put pressure on its ISPs to be more decent.

C.

From dwvbo91q4001 at sneakemail.com Thu Oct 6 05:26:54 2005
From: dwvbo91q4001 at sneakemail.com (Tim P.)
Date: Thu Oct 6 00:30:04 2005
Subject: [SpamCop-List] Amusing notes added by spammer???
Message-ID:

I found this written under added notes section when checking for report responses to user defined recip's:

/quote/
Monday, October 03, 2005 09:59:19 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
No action required. Nothing we can do on this end.

Tuesday, October 04, 2005 09:05:35 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:06:10 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:12:40 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:12:59 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:13:20 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
This message did not come from us.

Tuesday, October 04, 2005 09:14:18 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
PFJI_____________________________________oned@bellsouth.net

Tuesday, October 04, 2005 09:29:18 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
All i hear is wan wan wan i got emailed. Bah! My grandma gets more spam than you. This spam didn't come from our network girlymen with nothing more to do that watch other people's mail. Get a real job! Let's see i get 2 - 5 spam emails a day and 40 spamcop reports to deal with? Who's worse?

Tuesday, October 04, 2005 09:31:52 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
All i hear is wan wan wan i got emailed. Bah! My grandma gets more spam than you. This spam didn't come from our network girlymen with nothing more to do that watch other people's mail. Get a real job! Let's see i get 2 - 5 spam emails a day and 40 spamcop reports to deal with? Who's worse?

Tuesday, October 04, 2005 09:42:26 -0500 [Note added by 24.162.23.52 (cpe-24-162-23-52.houston.res.rr.com)]
spammers cost me money and waste my time. Spamcop costs me money and wastes my time because it doesn't do anything in the long run. It's short term bandaids don't do anything really. In fact spamcop makes it so that spammers can charge higher prices because to send spam it's "harder" now.
/endquote/

Funny how they never respond directly.

What a dufus.

--
Tim P
Very content SpamCop Subscriber since 4/2002

From nobody at devnull.spamcop.net Thu Oct 6 14:30:23 2005
From: nobody at devnull.spamcop.net (Patto)
Date: Thu Oct 6 00:35:02 2005
Subject: [SpamCop-List] Re: Quick reporting: The e-mail address could not be found
In-Reply-To:
References:
Message-ID:

Patto wrote:
> When trying to send spam to my quick report address, I get the following
> "The e-mail address could not be found. Perhaps the recipient moved to
> a different e-mail organization, or there was a mistake in the address.
> Check the address and try again."
>
> Anyone else experiencing problems with quick reporting?

Resubmitting a few minutes later succeeded.

From MikeE at ster.invalid Thu Oct 6 00:18:05 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 6 02:20:08 2005
Subject: [SpamCop-List] Re: To abuse.net or not to abuse.net
References:
Message-ID:

Claudio Valderrama C. wrote:
> Hello, where can I find information (if one) of the criterion used by
> SC to decide whether to query abuse.net or not?

I can't answer the 'why' - but for source, SC does the whois on the RIR and notifies the admin/tech role address unless the RIR shows an abuse contact. For spamvertiser, SC does the whois on the RIR and notifies the abuse.net reg'd contacts for the domainname of the admin/tech. That is the case even if there isn't a reg'd abuse.net contact, in which case SC would use the default postmaster address instead of the listed admin/tech addy.

> I today filled a spam report

spamcop.net/sc?id=z812408191zbf76c957c7b6a6ea5617a5ba6001fe6dz

That report shows that pattern. lacnic admin/tech contact, not abuse.net for spamsource which means that SC uses jolea instead of administrador.red soporte abuse postmaster all at gtdinternet.com whereas for spamvertiser, SC uses the default pm which is /not/ listed at abuse.net [nor even recommended by abuse.net, which recommends abuse@ instead of pm@ for the default notify address] instead of the lacnic listed netadmin@TELEX.CL

Personally, when I do manual notifies, I don't notify in the 'style' of spamcop. My approach is to derive an estimation of the hat color of the IP based on whether or not it is listed in 'responsiveness index' such as spews or spamhaus. Separate from the responsiveness index, I include a 'language index' -- for example these IPs are Chilean. I would like to have about 4 'logical' addresses for a lacnic such as .cl.

The two IPs in this case are 201.238.224.50 no rDNS spamsource and 200.29.162.253 no rDNS spamvertiser.

SC's choices are the lacnic listed contact jolea@gtdinternet.com for source and the 'unlisted' default postmaster@telex.cl for spamvertiser.

Those IPs are not spews or spamhaus listed, so I would try to use multiple addresses for the providers, namely the lacnic listed contact/s plus any abuse.net listeds. In this case that would be

source:
jolea@gtdinternet.com [lacnic contact]
plus the abuse.net listings
administrador.red@gtdinternet.com
soporte@gtdinternet.com
abuse@gtdinternet.com
postmaster@gtdinternet.com
(for gtdinternet.com)

and spamvertiser:
netadmin@TELEX.CL +
since the spamvertiser domainname doesn't have an abuse.net listing, I would also notify the ASN parent or upstream adjacency on the basis of no abuse.net listing
200.29.162.253 = ASN6535 = Chilesat Servicios Empresariales
netadmin@CHILESAT.NET + abuse.net has no reg'd contacts listed

Since the 'routing' parent of telex.cl also has no abuse.net listings, you could justify notifying their upstream
AS6429 Core Internet AT&T Chile
netadmin@IP.TELMEXCHILE.CL
and that's about as far as you can go.

But all that gives you 3 rational notifies for the spamvertiser and 5 rational notifies for the spamsource.

> The ISP is gray hat for me, but that's not the issue: SC gets the
> contact address from the whois (jolea at gtdinternet.com) an account
> that doesn't pay attention to emails. I don't understand under which
> rule SC doesn't query abuse.net, so I went to abuse.net and extracted
> manually the correct abuse addresses (even if the ISP pays lip
> service to spam fighting).

That's good to notify the way you did. You could also add additionals for the spamvertiser.

> Thus why doesn't SC go to abuse.net in this case?

From the beginning; I don't know 'why' -- I just know that the algorithm's notify strategy is different for spamsource vs spamvertisers.

--
Mike Easter
kibitzer, not SC admin

From pete+usenet at heypete.com Thu Oct 6 01:55:16 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Thu Oct 6 04:00:02 2005
Subject: [SpamCop-List] Not receiving email at SpamCop?
Message-ID:

Greetings all,

Is there any way to still have SpamCop forward me mail in response to spam reports that I file, but send me any other messages?

In other words, send mail addressed to [reportID]@reports.spamcop.net back to my private address, but things sent directly to heypete@spamcop.net should be bit-bucketed.

Now that I've been working on getting better filters on my end, nearly 90% of the spam that I receive comes to my SpamCop address, which my server-level DNSbl filters aren't effective against...as SpamCop is clearly not blocked.

I don't want to bother setting up filters on my actual SpamCop account, because I simply don't use the account and wouldn't want mail to pile up and waste disk space. Just binning/bouncing all mail except those in response to individual reports would be nice.

Can this be done? Is there any way of maintaining the benefits of my account (i.e. quick reporting) without having to have the SpamCop email account? Maybe switch it over a reporting-only account, if such a thing exists (it's been a while since I've looked at the account options)?

Cheers!

--
Pete Stephenson
HeyPete.com

From nobody at nowhere.invalid Thu Oct 6 11:54:44 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Oct 6 04:56:05 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Wed, 5 Oct 2005 23:57:56 +0100, David Bolt coughed into spamcop and left this in :

> Looks like time for a minor update is required. Now their entries are:
>
> Deny from 63.148.99.224/227
> Deny from 65.118.41.192/27
> Deny from 65.213.208.128/27
> Deny from 65.222.176.96/27

Thanks for the update!
I didn't have the last 2 ranges but have just duly added them to the firewall :)

--
Steve
"Thank you for calling the Incontinence hotline. Please hold."

From Nobody at SpamCop.net.dev.null Thu Oct 6 06:41:35 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Thu Oct 6 06:45:32 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID: <4344FF5F.79311033@SpamCop.net.dev.null>

"N. Miller" wrote:
>
> On Tue, 04 Oct 2005 07:44:02 -0500, Michael Brennan wrote:
>
> > Notice that registrant gives only a ZIP code in southern California
> > (probably phony).
>
> I know that the San Andreas fault is a strike/slip fault, and the western
> side is moving northward. But it really isn't moving fast enough to locate
> San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes
> of my children's children's children's children.
>

Thanks, guys, for the correction -- saw the "9" and thought it was another Newport Beach ZIP scribbled in by Michael Lindsay on the back of whatever postcards he uses to register his servers.

Thanks for the suggestions about contacting yesnic and ICANN.

Michael

From Nobody at SpamCop.net.dev.null Thu Oct 6 06:47:50 2005
From: Nobody at SpamCop.net.dev.null (Michael Brennan)
Date: Thu Oct 6 06:50:04 2005
Subject: [SpamCop-List] Whitehats That Refuse Munged Reports?
Message-ID: <434500D6.87C4F68C@SpamCop.net.dev.null>

I notice that Earthlink refuses munged reports and I was wondering whether to LART them manually, using my webmail account, or just check the box.

Is there a group of ISP's that it's generally OK to report unmunged to? Someone mentioned sjrb.ca upthread as a white hat, Spammis as a black hat. We've already discussed the abominable Brazilians at cert.br -- I've started unchecking the box next to cert.br, it seems pointless LARTing them.

But it seems there are other diligent ISP's with real antispam policies who just don't accept munged SpamCop reports. Who are they, for future reference?

TIA,

Michael

From nobody at spamcop.net Thu Oct 6 10:28:01 2005
From: nobody at spamcop.net (Anti-Spam)
Date: Thu Oct 6 09:40:22 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrndk4hfs.3uh.nobody@127.0.0.1...
> On Tue, 04 Oct 2005 10:37:03 +0200, Richard Zuidhof coughed into spamcop
> and left this in :
>
> > I notice every Spamcop report I make is copied to Cyveillance
> > (http://www.cyveillance.com/spam.htm). This has been done for quite a
> > long time now but I have not noticed any benefit for the Spamcop
> > users.
[...]
> To start with, Cy got more than they bargained for and had to stop the
> supply of spam because they couldn't keep up with it :)

If they had to stop it, how come they're still included as a third party interested? Seems like a waste of CPU cycles, when the poor parser seems to have too much work as it is.

Anyone have any theories?

--
Bring in the death penalty for repeat spammers.
Non-functional spambait addr: can43@ajhtxxi.net (generated by Webpoison)

From MikeE at ster.invalid Thu Oct 6 08:13:17 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Oct 6 10:15:03 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

Anti-Spam wrote:
> If they had to stop it, how come they're still
> included as a third party interested?

I think JH believes that they are or might be the enemy of his/our enemies. I think Cy pays for the information and are now configured to soak it up without gagging.

> Seems
> like a waste of CPU cycles, when the poor
> parser seems to have too much work as it
> is.

I think adding the additional notified doesn't waste any processing cycles, altho' giving the individual reporter the option to not or notify Cy is a tiny insignificant sub-cycle.

> Anyone have any theories?

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.not Thu Oct 6 15:52:57 2005
From: nobody at nowhere.not (Robert Blair)
Date: Thu Oct 6 10:55:02 2005
Subject: [SpamCop-List] Re: How to Rattle This Guy's Cage?
References: <43427912.17EDB4B5@SpamCop.net.dev.null> <462oa8nyzhdz.dlg@news.spamcop.net>
Message-ID:

On Wed, 5 Oct 2005 18:48:24 UTC, baloo@ursine.ca wrote:

> > I know that the San Andreas fault is a strike/slip fault, and the western
> > side is moving northward. But it really isn't moving fast enough to locate
> > San Diego, CA in the vicinity of Seattle, WA any time within the lifetimes
> > of my children's children's children's children.
>
> Never mind that roughly two thirds of Oregon and Washington residents
> are idiots from California dragging us down, no?

The loudest complainers are the newcomers to an area. I currently live in CA and visit WA because some of my and my wife's family still lives there. How long has your family been in WA and/or OR?

--
Robert Blair

From nobody at nowhere.not Thu Oct 6 15:58:04 2005
From: nobody at nowhere.not (Robert Blair)
Date: Thu Oct 6 11:00:02 2005
Subject: [SpamCop-List] Re: Whitehats That Refuse Munged Reports?
References: <434500D6.87C4F68C@SpamCop.net.dev.null>
Message-ID:

On Thu, 6 Oct 2005 10:47:50 UTC, Michael Brennan wrote:

> I notice that Earthlink refuses munged reports and I was wondering
> whether to LART them manually, using my webmail account, or just check
> the box.

I do not send spamcop unmunged reports. Sometimes, if I have time, I manually LART using sneakemail and munging.

--
Robert Blair

From JG at coks.net Thu Oct 6 09:16:50 2005
From: JG at coks.net (JG)
Date: Thu Oct 6 11:15:04 2005
Subject: [SpamCop-List] Voronin meds...
Message-ID:

Sample, 1 of 10 or so with same notify, all from the far east, most "no mastered" by SC..

http://www.spamcop.net/sc?id=z812628222z05c5ac6f6447494f3ad9310fba3650d9z

This spammer seemed to be a little extra busy this past evening - I doubt he's targeting me alone. This just a normal "spam run"?

From JG at coks.net Thu Oct 6 09:21:48 2005
From: JG at coks.net (JG)
Date: Thu Oct 6 11:20:03 2005
Subject: [SpamCop-List] Re: Amusing notes added by spammer???
In-Reply-To:
References:
Message-ID:

On 10/5/2005 9:26 PM Tim P. scribbled:

>
>
> Funny how they never respond directly.
>
> What a dufus.

Curious - how does spammer get those reports and how does obvious spammer get to deny it?

From blacklist-me at davjam.org Thu Oct 6 17:20:29 2005
From: blacklist-me at davjam.org (David Bolt)
Date: Thu Oct 6 11:50:02 2005
Subject: [SpamCop-List] Re: What is Cyveillance giving back?
References:
Message-ID:

On Thu, 6 Oct 2005, Anti-Spam wrote:-

>"Steven Maesslein" wrote in message news:slrnd
>k4hfs.3uh.nobody@127.0.0.1...
>> On Tue, 04 Oct 2005 10:37:03 +0200, Richard Zuidhof coughed into spamcop
>> and left this in :
>>
>> > I notice every Spamcop report I make is copied to Cyveillance
>> > (http://www.cyveillance.com/spam.htm). This has been done for quite a
>> > long time now but I have not noticed any benefit for the Spamcop
>> > users.
>[...]
>> To start with, Cy got more than they bargained for and had to stop the
>> supply of spam because they couldn't keep up with it :)
>
>If they had to stop it, how come they're still
>included as a third party interested?

When they first started accepting the reports, they couldn't cope with the volume, so they stopped accepting them. After adding the required hardware/bandwidth to cope with the volume, they started accepting them again.

>Seems
>like a waste of CPU cycles, when the poor
>parser seems to have too much work as it
>is.

Whether they are included, or not, wouldn't make much of a noticeable difference to the how many CPU cycles the parser consumed.
The parser still has to parse the spam to create the reports for all the other parties. If they weren't included, there would be a difference in the outgoing bandwidth, since there would be one less report sent per spam, but IIRC they are paying a little more than the bandwidth costs, dropping them would probably be a net loss to SpamCop.

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD 1800 1Gb WinXP/SuSE 9.3 | AMD 2400 160Mb SuSE 8.1 | AMD 2400 256Mb SuSE 9.0
AMD 1300 512Mb SuSE 9.0 | Falcon 14Mb TOS 4.02 | STE 4Mb TOS 1.62
RPC600 129Mb RISCOS 3.6 | A3010 4Mb RISCOS 3.11 | A4000 4Mb RISCOS 3.11

From pete+usenet at heypete.com Thu Oct 6 09:52:25 2005
From: pete+usenet at heypete.com (Pete Stephenson)
Date: Thu Oct 6 11:55:03 2005
Subject: [SpamCop-List] Re: Not receiving email at SpamCop?
References:
Message-ID:

In article , SpamCop Admin wrote:

> Pete Stephenson wrote:
> >-Is there any way to still have SpamCop forward me mail in response to
> >-spam reports that I file, but send me any other messages?
> >-
> >-In other words, send mail addressed to [reportID]@reports.spamcop.net
> >-back to my private address, but things sent directly to
> >-heypete@spamcop.net should be bit-bucketed.
>
> Your SpamCop Email Filtering account is separate