From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:29:39 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:30:02 2005
Subject: [SpamCop-List] Re: Dumbest of the dumb

"Pop" wrote in news:detin5$h84$1@news.spamcop.net:

> And a few egotistical bass turds who think everyone has to be an
> expert before they can touch a keyboard, from the sound of it.
> They forget they were newbies once too. Education, not whining
> and moaning, is what's needed, not castrating dummies like wrote
> the above. Get real; your "cute" is rather "ugly".

Hey, ding-dong.. re-read what I said.. I meant TERMINALLY DUMB. Meaning those who are NOT willing to LEARN anything about using PCs properly.

I know I was a newbie once. I educated myself on PC usage, and I educated others.. I still do to this day. However, I still encounter people who refuse to do things like update their software or install a simple firewall/filter like ZoneAlarm. (And then come back to me complaining that their machine was compromised.)

My words in what I originally wrote above were carefully chosen. The only "castrating dummy" seems to be yourself, since you decided to not read what I wrote and drew a stupid conclusion. You could have inquired about what I meant and I would have gladly explained.

Your "ugly" is still "ugly". It was not appreciated.

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:33:07 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:35:02 2005
Subject: [SpamCop-List] Re: Dumbest of the dumb
References: <4314CEF9.B5C3816E@spamcop.net>

Kenneth Brody wrote in news:4314CEF9.B5C3816E@spamcop.net:

> I see nothing in the quoted material suggesting the banning of newbies.
>
> There's a world of difference between "terminally dumb" and "newbie".
> Education will not help the terminally dumb.

Thank you, Kenneth.. you interpreted my words correctly.
Hey Pop, you can learn something from Kenneth here. ("Egotistical" indeed.)

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:46:05 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:50:02 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)

Brian wrote in news:df3e94$tuh$1@news.spamcop.net:

> ZoneAlarm is also good. I've used both and have a preference for
> Sygate, but like I said, that will likely change soon once Symantec
> gets their hands on it. Who knows what will evolve, but it most likely
> will not be good.

Anyone remember good ol' ATguard? :-)

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:52:48 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:55:03 2005
Subject: [SpamCop-List] Re: And what's with frontline.net Spammer or just black hat?

"Berny" wrote in news:deog5p$2ds$1@news.spamcop.net:

> "Mainsleaze" from banddly.com,,, (Sounds like a Ralsky name)
>
> Pills, mortgages and eye surgery so far

Received several of these a few days ago.. LARTed and haven't received anything new so far. I believe they do have a Spamhaus listing.

From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 08:54:27 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 03:55:04 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities

"Berny" wrote in news:deofnj$273$1@news.spamcop.net:

> Between whatever security weakness allows mass creation of
> spamvertising sites and SC's steadfast refusal to parse
> http://uk.geocities.com/*whatever*, the half life of these
> spamsites is increased, because many of us would rather not go through
> more hoops to LART these.

Have you gone to the Geocities webform to report it? Did it before and it worked.. though sometimes it took a bit longer than usual.
From redford_stone at INVERSE_OF_COLDmail.com Thu Sep 1 09:08:16 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Sep 1 04:10:03 2005
Subject: [SpamCop-List] Spammer URL generator trashed.

Trying to find a link in a spam for LARTing, I came across this:

that one is just an 'ordinary' thread. The weirdness starts here

http://snipurl.com/hd66
From: "Mike Easter"
Date: Wed, 17 Aug 2005 13:30:05 -0700
Message-ID: <43039e41$0$66678$892e7fe2@authen.white.readfreenews.net>

where I start trying to figure out what is going on with the regurgitation. I was all screwed up in the beginning because the OP was a comcast poster and the JLA condition comes from RR.

But, the point is about the problems of webforums which feed into nntp newsgroups. What that has to do with 'this place' [trying to come back on topic] is that a good, ie properly integrated, webforum to newsgroup condition would be desirable for something like spamcop - but that many discussions about trying to do it, such as the recent one in news.software.readers, seem to show up more problems than solutions -- even tho' many people would like to make it work properly.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Thu Sep 1 10:01:44 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Thu Sep 1 09:05:03 2005
Subject: [SpamCop-List] Re: OT: Re: Cleaning up and preventing malware (was mypctuneup.com)

"Pete Stephenson" wrote in message news:pete+usenet-7557BA.15315831082005@news.cesmail.net...

: In article , "Pop" wrote:
:
: > Boy I'm glad you'll never get to work on my system. You have a
: > half assed idea of reality but apparently no true knowledge of
: > what you're doing. Symantec and McAfee have nothing to do with
: > malware being on a system to start with, and much more.
:
: I've found Symantec and McAfee to be quite bloated and overpriced
: for what they do.
: There are far better programs out there available
: cheaper (or free) than those offered by Symantec/McAfee that do a better
: job.

===> Yeah, I can agree with that if we're talking antivirus and maybe firewall stuff. I use one of the Symantec suites (SystemWorks) quite successfully and happily because it's more "turnkey" than the separate pieces, and as long as a system is well maintained I don't find any problems with Symantec in particular; haven't used McAfee in a long time. I got the first suite as a gift and liked it, so have kept the upgrades going so far. Not sure it's a permanent situation though.

:
: I've found Grisoft AVG to be a bit "lighter" in terms of resources than
: Norton Antivirus, as well as being faster and detecting just as much
: stuff.

===> Yup; that's what I usually advise others to use. It works well and is easy to use once they get used to it. I think it's more forgiving of OS difficulties, too.

:
: SpyBot and Adaware are much better than many "commercial" spyware
: removal programs I've tried.

===> Staples, for sure. I use them, plus Spyware Guard I think it is, and WinPatrol.

:
: Given a choice, I'd much prefer other software over Symantec and McAfee
: products. If the user didn't pay for their software (i.e. with the
: Norton Antivirus 30-day trial that comes with many new PCs), I advise
: them to uninstall it and install AVG Free. If they have paid for it, I
: recommend they run both, then uninstall Norton when the paid time period
: expires.

===> Umm, I usually play that part by ear: it depends on the owner and what kind of attitudes they have. One of my problems with the original post was the implication that Norton, for example, was a must to remove and working on a system almost required its removal. Bad attitude and incorrect. I can agree with the cost issue but not the difficulty of running the software on a well maintained machine.
Personally I've used the Norton products since their days of free software and don't mind giving them back a buck or two for their many years of free support. I even still use one of their old programs (chmod.com), believe it or not. I almost couldn't believe it was capable of running so well on XP et al, but it does, and to date no other program does that stuff as easily or as quickly. And no, that's Peter Norton's chmod, not the Unix chmod. It does an operation to all folders with a built in redundancy check so it won't try to copy to the destination or itself. Small and fast.

:
: Just my $0.02. I've fixed and maintained several PCs without using any
: commercial software at all, and they tend to run a bit better than those
: with big-name security/anti-virus software. Maybe I've trained the users
: a bit better. :)

===> I wouldn't doubt that! Training is everything these days. Sometimes I can agree 100% with the whole para, sometimes I can't; depends on a lot of things such as speed, maintenance, etc., and what suite or parts thereof are being used for what.

Regards,
Pop

:
: --
: Pete Stephenson
: HeyPete.com

From nobody at devnull.spamcop.net Thu Sep 1 10:15:34 2005
From: nobody at devnull.spamcop.net (Pop)
Date: Thu Sep 1 09:20:02 2005
Subject: [SpamCop-List] Re: OT: Re: Cleaning up and preventing malware (was mypctuneup.com)

"Brian" wrote in message news:df5iku$bmq$1@news.spamcop.net...

: Pete Stephenson wrote:
: > In article , "Pop" wrote:
: >
: >> Boy I'm glad you'll never get to work on my system. You have a
: >> half assed idea of reality but apparently no true knowledge of
: >> what you're doing. Symantec and McAfee have nothing to do with
: >> malware being on a system to start with, and much more.
: >
: > I've found Symantec and McAfee to be quite bloated and overpriced
: > for what they do.
: > There are far better programs out there available
: > cheaper (or free) than those offered by Symantec/McAfee that do a better
: > job.
:
: This is the feeling of many people that deal with security.

===> It's also not the feeling of many people that deal with security.

:
: > I've found Grisoft AVG to be a bit "lighter" in terms of resources than
: > Norton Antivirus, as well as being faster and detecting just as much
: > stuff.
: >
: > SpyBot and Adaware are much better than many "commercial" spyware
: > removal programs I've tried.
:
: Some people feel that because it's from BIG COMPANY that it's better.
: Time and time again the opposite has proven to be true.

===> And some people don't feel that way.

:
: > Given a choice, I'd much prefer other software over Symantec and McAfee
: > products. If the user didn't pay for their software (i.e. with the
: > Norton Antivirus 30-day trial that comes with many new PCs), I advise
: > them to uninstall it and install AVG Free. If they have paid for it, I
: > recommend they run both, then uninstall Norton when the paid time period
: > expires.
:
: I recommend they uninstall it even if they have just purchased it. It's
: not a good idea to have two anti-virus or firewalls (other than Windows)
: installed at the same time. This usually causes conflicts and you end up
: with less protection.

===> I don't believe anyone has recommended running parallel anything here. Moot point, IMO.

:
: > Just my $0.02. I've fixed and maintained several PCs without using any
: > commercial software at all, and they tend to run a bit better than those
: > with big-name security/anti-virus software. Maybe I've trained the users
: > a bit better. :)
:
: I totally agree. I've worked on many computers over the years and have
: had excellent results with the arsenal that I've mentioned. The scans
: come up clean. The paid versions offer a little more functionality and
: ease of operation, but they are not necessary.
===> Older ones will, that's definitely true. Not true of anything approaching the GHz rates though. Today's new apps are written for today's machines. You forget too that sometimes "necessary" is in the eye of the beholder. And how do you think the "big names" got their big names? It wasn't just marketing and never was. Talking a user into something they don't feel comfortable with, because you think you can show how smart you are, often leaves that user with an uncomfortable confidence in you.

: The computers run faster,
: though my process also 'tunes' them.

===> Uhh, I respectfully submit that computers do not require "tuning". Tuning hasn't been required since the days of Brainiac.

:
: The training is also a key part. I usually work on people's computers
: with them there. As I'm going through their computer I'm also showing
: them how to "Practice Safe Hex."

===> And that's a great thing to do.

:
: No matter how much protection you provide - short of disabling Internet
: access - the user always has control and can click the button that will
: install some nasties.

===> True. But you can certainly make it more difficult to do. Even asking for a virus shouldn't result in a virus being placed on the machine without a notification. But then, like you said ...

Regards,
Pop

:
: --
: Brian
: SC.10.myspamgobbler@spamcowboy.net

From nobody at nowhere.net Thu Sep 1 10:25:33 2005
From: nobody at nowhere.net (PJ6)
Date: Thu Sep 1 09:30:03 2005
Subject: [SpamCop-List] FTC

If I were to file a complaint with the FTC to take advantage of the CAN SPAM act, does it stand a chance of doing anything, or is this just a throwaway report that goes nowhere?
https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01

Paul

From nobody at spamcop.net Thu Sep 1 10:54:28 2005
From: nobody at spamcop.net (indigo)
Date: Thu Sep 1 09:55:03 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)

Redstone wrote:
> Brian wrote in news:df3e94$tuh$1@news.spamcop.net:
>
> > ZoneAlarm is also good. I've used both and have a preference for
> > Sygate, but like I said, that will likely change soon once Symantec
> > gets their hands on it. Who knows what will evolve, but it most
> > likely will not be good.
>
> Anyone remember good ol' ATguard? :-)

Still use it at home. Love it.

From MikeE at ster.invalid Thu Sep 1 08:16:12 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 1 10:20:03 2005
Subject: [SpamCop-List] Re: FTC

PJ6 wrote:
> If I were to file a complaint with the FTC to take advantage of the
> CAN SPAM act, does it stand a chance of doing anything, or is this
> just a throwaway report that goes nowhere?

I don't think that 'you can spam' is a very worthwhile act. If you ask me about the dichotomy or choice between 'a chance of doing anything' vs a 'report that goes nowhere' -- I would vote for a 'qualified' nowhere over /doing/ anything.

However, that being said, I do think that the FTC amasses a big pile of digital information, and that some 'ones' may use that pile to look thru' when they are working on some 'project' or case or research or something. I don't think that the information /goes/ nowhere -- it goes into a pile which /is/ worth more than nothing..

> https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01

I certainly wouldn't be filling out that form.
If anything, I would be including a copy of my spams to spam@uce.gov - The information at the link you posted, for which a/the preceding link is here http://www.ftc.gov/bcp/conline/edcams/spam/index.html -- has a lot more 'positive' or favorable 'attitude' about canspam than most other more critical information you might choose to read.

Start with the links here http://spamlinks.net/legal.htm#us-nat-active

  CAN-SPAM, or S.877 / HR 2214 is now active in the US. It fails to address the main issues with spam, that spam is sent unsolicited, and in bulk.

.. and then follow those links to the various sites which discuss the problems with canspam. The one at spamhaus is pretty good.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Thu Sep 1 09:49:12 2005
From: nobody at spamcop.net (Ellen)
Date: Thu Sep 1 10:20:05 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)

"Mike Easter" wrote in message news:df4u8r$tev$1@news.spamcop.net...
>
> Some other places which welcome HJT logs are Tom Coyote's webforum
> http://forums.tomcoyote.org/index.php?showforum=27 HijackThis Logs and
> Spyware/Malware Removal
>
> There's a HJT tutorial place
> http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm HijackThis
> Tutorial - How to Analyse a HijackThis log
>
> The tutorial place was liked by many folks posting to spyware info
> http://forums.spywareinfo.com/index.php? which also accepts HJT logs.
>
> Iamnotageek also has a HJT gizmo, but that forum gets on some people's
> nerves [including mine] because of its integration [usurpation/theft]
> with NNTP causing some trouble in the usenet groups.

Thanks
Ellen

From nobody at spamcop.net Thu Sep 1 09:59:27 2005
From: nobody at spamcop.net (Ellen)
Date: Thu Sep 1 10:20:07 2005
Subject: [SpamCop-List] Re: Cleaning up and preventing malware (was mypctuneup.com)

"Redstone" wrote in message news:Xns96C47D412F45tinlc@216.154.195.61...
>
> Anyone remember good ol' ATguard? :-)

Oh my yes, I really loved the old atguard and used it for years :-)

Ellen

From kjz at despammed.com Thu Sep 1 19:10:49 2005
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Thu Sep 1 12:15:03 2005
Subject: [SpamCop-List] Re: FTC

PJ6 wrote:
> If I were to file a complaint with the FTC to take advantage of the CAN SPAM
> act, does it stand a chance of doing anything, or is this just a throwaway
> report that goes nowhere?

For me it seems that all these reports are going into a large 'spam database'. Maybe this database is analyzed from time to time by some government organizations.

- kjz

From click1510 at earthlink.net Thu Sep 1 14:03:49 2005
From: click1510 at earthlink.net (CO-DBA-SC-EL)
Date: Thu Sep 1 16:05:04 2005
Subject: [SpamCop-List] Re: Track TCP/IP transmissions made by background processes

I suggest you try the Security forum at www.broadbandreports.com. Read the forum FAQ before posting. There are active helpers there.

--
C_O

"Jeff" wrote in message news:detdr1$ecs$1@news.spamcop.net...
> Thanks! I'll give it a try!
>
> "Doug Thegarden" wrote in message news:detdno$e8t$2@news.spamcop.net...
>> Jeff wrote:
>> > I have some background processes that are running that I can't stop.
>> > When I try to stop them, they simply spawn a new process and rename
>> > themselves as a .exe file with a random 7 character filename. Neither
>> > ad-aware nor Microsoft's spyware software detects them, nor does
>> > Norton Antivirus. I'm assuming these programs are either sending or
>> > receiving transmissions over the internet without me knowing. Is
>> > there a way to find out if they're transmitting or receiving data
>> > over the internet?
>>
>> TCPView will list all the processes and tell you where they are going.
>> http://www.sysinternals.com/Utilities/TcpView.html
>>
>> Doug

From MikeE at ster.invalid Thu Sep 1 18:09:54 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 1 20:10:02 2005
Subject: [SpamCop-List] Re: outblaze bulk mailer?
References: <3kvhu2-brv.ln1@news.invalid.99computer>

Mike wrote:

www.spamcop.net/sc?id=z801715901z949efe8305a957cccb51521a30011140z

Your email provider alleges:

"You have received this message in accordance with the published terms and conditions for your being provided with this email account. If you do not wish to receive promotions from this advertiser again please click here, your request will be honored within 10 days."

Where click here = newsletter-mail-unsubscribe@dm1.outblaze.com

www.spamcop.net/sc?id=z802035950zbf0b123e9e6828e463210a0934005b06z

Similarly:

"You have received this message in accordance with the published terms and conditions for your being provided with this email account. If you do not wish to receive promotions from this advertiser again please click here, your request will be honored within 10 days."

with the same click here outblaze bulk mail unsub.

It appears that in outblaze's opinion, your mail.com account allows some unlimited number of partners to require you to unsub from each of their spams.

It will be interesting to see what happens when spamcop fires off report missives to them, in a sense 'threatening' them with blocklisting because a spamcop reporter is reporting these items as spam -- whereas apparently they - outblaze/mail.com - consider themselves entitled to allow their partners to require you to unsub under their bulk mail agreements with the spamvertisers and you the client.

Presumably that is why mail.com sends you the informational bulk mail permissions link; somehow that is supposed to convince you that you have given the partners of outblaze/mail.com permission to require this opting out practice.
Evidence that outblaze thinks it is OK because it is outblaze's bulk mailer which is sending you the spams, not that of the spamvertiser.

Very interesting.

--
Mike Easter
kibitzer, not SC admin

From zypher at spamcop.net Thu Sep 1 20:38:40 2005
From: zypher at spamcop.net (Ron B.)
Date: Thu Sep 1 20:40:04 2005
Subject: [SpamCop-List] Burn Survivor Mailing List

http://www.spamcop.net/sc?id=z802056257zc273fc326aff613279fdc2bb7d65b378z

points to a canceled Spamcop report. I am not a member of the list, nor have I ever even heard of it.

Is this an attempt to confirm my e-mail addy? If so, it was sent to my Spamcop account.

From MikeE at ster.invalid Thu Sep 1 18:44:45 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 1 20:45:03 2005
Subject: [SpamCop-List] Re: outblaze bulk mailer?
References: <3kvhu2-brv.ln1@news.invalid.99computer>

Mike Easter wrote:
> Your email provider alleges:
>
> "You have received this message in accordance with the published terms

> Evidence that outblaze thinks it is OK because it is outblaze's bulk
> mailer which is sending you the spams, not that of the spamvertiser.
>
> Very interesting.

http://snipurl.com/hdpo

Snurled googlegroups of 8 message thread starting here

Newsgroups: news.admin.net-abuse.email
Subject: Outblaze.com Spams Outblaze Customers for Known Spammer
Date: Wed, 31 Aug 2005 04:47:14 GMT

'hot off the press' - perhaps the thread is still ongoing.

The thread shows several paid, not free, mail.com clients who are supposed to be getting the ad-free service who are getting spammed at the behest of outblaze for the known spammer www.DatingSecretsOnline.com [evidence in sightings] as well as your realage, which has a lot more in sightings than the other one.

It seems the nanaeites are confused by their allegiance to Suresh and outblaze as alleged 'good guys' and this obvious abuse of the paid mail.com accounts.
I'm not sure that my reading of the privacy and bulk mail policies convinces me that they have the right to optout spam you even if you are a free account. I think I would contact truste to see what they think about these 'anti-privacy' and opt-out policies.

I notice that Suresh isn't jumping up and clearing the air about the whole mess. Maybe someone will claim it was some kind of mistake. Or that Suresh's company has gone over to the dark side.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Thu Sep 1 19:17:15 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Sep 1 21:20:04 2005
Subject: [SpamCop-List] Re: outblaze bulk mailer?
References: <3kvhu2-brv.ln1@news.invalid.99computer>

Mike Easter wrote:
> I think I would contact truste to see what they think about these
> 'anti-privacy' and opt-out policies.

Disregard any suggestions about truste. This problem with outblaze has nothing to do with truste stickers on websites and what truste can police about that.

This issue is purely about whether or not your agreement with mailcom/outblaze allows them to optout spam you for their various bulkmailing list agreements they are calling newsletters -- which could be unlimited in scope or rather 'range' or numbers.

As a general rule, an email provider such as an ISP feels that they have the right to send you 'newsletters' of various sorts, some of which you can opt out of and some of which you can't. For example, EL has a rather complex policy. EL sez I can opt out [in advance] of being contacted by email, telephone, and postal mail for various EL 'marketing and informational' communications. Each of those is individually configured. I can similarly separately opt out of having EL purchase information about me from third parties [!]. I am currently opted out of all of that. I cannot opt out of receiving 'administrative' communications about my EL account.
Those 'administrative' communications from EL, and similarly from RR, often contain some very non-administrative information, and each such administrative 'spam' item identifies itself as an administrative item.

EL also has a huge privacy policy page, some of which isn't altogether 'private'.

I am presently opted in to the Elink newsletter, which is a different subscription method from the above discussion.

--
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Thu Sep 1 21:56:19 2005
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Thu Sep 1 22:00:03 2005
Subject: [SpamCop-List] Re: Burn Survivor Mailing List

In article , "Ron B." writes:
> http://www.spamcop.net/sc?id=z802056257zc273fc326aff613279fdc2bb7d65b378z
>
> points to a canceled Spamcop report.
> I am not a member of the list nor ever even heard of it.

I got one too.

> Is this an attempt to confirm my e-mail addy?
> If so, it was sent to my Spamcop account.

From JG at coks.net Thu Sep 1 20:19:31 2005
From: JG at coks.net (JG)
Date: Thu Sep 1 22:20:02 2005
Subject: [SpamCop-List] Spam arrives marked read, showing as being forwarded

Per the subject line, what's this nitwit driving at?

http://www.spamcop.net/sc?id=z802051630ze1d0d3cbd820e46e23d966ee1bf1130fz

So the X-Mozilla headers are forged to indicate already read; don't know which line controls the forwarded indication but it's there somewhere. I know in all likelihood there's no good answer to this, but gotta ask WTF anyway. Is it just looking to fool filters?

From tfm3 at nospam.teleproc.com Thu Sep 1 22:58:49 2005
From: tfm3 at nospam.teleproc.com (Thomas Mooney)
Date: Thu Sep 1 23:00:03 2005
Subject: [SpamCop-List] blackholes.us

I'm having trouble accessing the blackholes.us site. That includes the web-site and the blocklists. Does anyone have any information about what's going on there?
Thanks,

--
TFM3
Note: Spam-resistant e-mail address

From spamcop2.5.kuch at recursor.net Fri Sep 2 03:34:12 2005
From: spamcop2.5.kuch at recursor.net (Robert)
Date: Fri Sep 2 02:35:11 2005
Subject: [SpamCop-List] No source IP address found, cannot proceed.

http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z

Getting a lot of these reports back. Looks like either a glitch with the parser or another obfuscating technique from spammy.

I don't know a lot about SMTP headers, so I can't spot the error. Any suggestions?

From nobody at nowhere.invalid Fri Sep 2 10:24:23 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Fri Sep 2 03:25:29 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.

On Fri, 02 Sep 2005 02:34:12 -0400, Robert coughed into spamcop and left this in :

> http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z

You might want to post the URL that starts with "www" rather than "members" in the future - only *you* can view that page.

> Getting a lot of these reports back. Looks like either a glitch with
> the parser or another obfuscating technique from spammy.
>
> I don't know a lot about SMTP headers, so I can't spot the error.

Yahpoo's Received: header looks malformed. The parser can't parse it, and since the next one down was inserted by the spammer there's every chance it's a forgery, and it refers to an RFC1918 IP address anyway.

Therefore, SC can't trace the origin of the mail.

--
Steve

Doctors can be frustrating. You wait six weeks for an appointment and he says, "I wish you'd come to me sooner."

From mwnospam at comcast.net Fri Sep 2 04:30:30 2005
From: mwnospam at comcast.net (spamacyde)
Date: Fri Sep 2 03:35:04 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.

How easy is it to forge headers? What percentage of headers are forged?
Are we going to look forward to seeing more and more forged headers?

"Steven Maesslein" wrote in message news:slrndhfvh7.3e0.nobody@127.0.0.1...
> On Fri, 02 Sep 2005 02:34:12 -0400, Robert coughed into spamcop and left
> this in :
>
> > http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z
>
> You might want to post the URL that starts with "www" rather than
> "members" in the future - only *you* can view that page.
>
> > Getting a lot of these reports back. Looks like either a glitch with
> > the parser or another obfuscating technique from spammy.
> >
> > I don't know a lot about SMTP headers, so I can't spot the error.
>
> Yahpoo's Received: header looks malformed. The parser can't parse it,
> and since the next one down was inserted by the spammer there's every
> chance it's a forgery, and it refers to an RFC1918 IP address anyway.
>
> Therefore, SC can't trace the origin of the mail.
>
> --
> Steve
>
> Doctors can be frustrating. You wait six weeks for an
> appointment and he says, "I wish you'd come to me sooner."

From spamcop2.5.kuch at recursor.net Fri Sep 2 04:35:54 2005
From: spamcop2.5.kuch at recursor.net (Robert)
Date: Fri Sep 2 03:40:04 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.

Steven Maesslein wrote:
> On Fri, 02 Sep 2005 02:34:12 -0400, Robert coughed into spamcop and left
> this in :
>
>> http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z
>
> You might want to post the URL that starts with "www" rather than
> "members" in the future - only *you* can view that page.
>
>> Getting a lot of these reports back. Looks like either a glitch with
>> the parser or another obfuscating technique from spammy.
>>
>> I don't know a lot about SMTP headers, so I can't spot the error.
>
> Yahpoo's Received: header looks malformed.
> The parser can't parse it,
> and since the next one down was inserted by the spammer there's every
> chance it's a forgery, and it refers to an RFC1918 IP address anyway.
>
> Therefore, SC can't trace the origin of the mail.

Sorry -

http://www.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z

From MikeE at ster.invalid Fri Sep 2 03:05:16 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Sep 2 05:06:02 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.

Robert wrote:

www.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z

The original item has a line^1 at the top which is not a valid headerline, so I removed that and parsed it with a non-mailhosted account, which parses successfully.

http://www.spamcop.net/sc?id=z802156923z8c1489c0bfc7930132bc639e0b69a8b6z

  Report Spam to:
  Re: 202.57.91.35 (Administrator of network where email originates)
  To: cmmarimla@pldt.com.ph (Notes)
  Re: http://www.cwxd.downtowarea.com (Administrator of network hosting website referenced in spam)
  To: abuse@kornet.net (Notes)

^1 The bad line is

  >From - Fri Sep 02 02:26:07 2005

A valid headerline must have a name or title with no spaces and ending with colon space, followed by the value or content of the field.

But that error or spurious headerline isn't what is causing this problem with the original parse:

  Parsing header:
  0: Received: from 202.57.91.35 (HELO mahan2000.com) (202.57.91.35) by mta105.rog.mail.scd.yahoo.com with SMTP; Thu, 01 Sep 2005 23:25:11 -0700
  No unique hostname found for source: 202.57.91.35
  Possible forgery. Supposed receiving system not associated with any of your mailhosts

That part of SC's verbose, which you can't always interpret at face value, seems to be saying that it isn't happy with the 'by' field of what is supposed to be a mailhosted account. That is /not/ the same way SC performs on the same line for my non-mailhosted parse.
Parsing header:
Received: from 202.57.91.35 (HELO mahan2000.com) (202.57.91.35) by mta105.rog.mail.scd.yahoo.com with SMTP; Thu, 01 Sep 2005 23:25:11 -0700
202.57.91.35 found
host 202.57.91.35 = adsl-57.91.35.info.com.ph (cached)
Possible spammer: 202.57.91.35
Received line accepted

SC then proceeds to id the IP as a cbl listed proxy and stops chaining.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Sep 2 03:22:14 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Sep 2 05:25:23 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.

Mike Easter wrote:
> The original item has a line^1 at the top which is not a valid
> headerline so I removed that and parsed it with a non-mailhosted
> account which parses successfully.

Apparently SC has encountered such a line sufficiently frequently that
the algorithm accepts it and parses equally well for a non-mailhosted
account with the line present or absent. This parse has the 'bad' line
present and is successful with exactly the same results as the previous
posting.

www.spamcop.net/sc?id=z802163457z336eea141e4d83e4071b7484bb8e4a2ez

So, this issue is entirely about SC not liking the top Received line
for the mailhosted account while accepting it for the non-mailhosted
one. Perhaps yahoo has changed its configuration from that when the
mailhost configuration was performed.

--
Mike Easter
kibitzer, not SC admin

From redford_stone at INVERSE_OF_COLDmail.com Fri Sep 2 12:32:59 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Fri Sep 2 07:35:21 2005
Subject: [SpamCop-List] Re: blackholes.us

"Thomas Mooney" wrote in news:df8f54$1l2$1@news.spamcop.net:
> I'm having trouble accessing the blackholes.us site. That includes
> the web-site and the blocklists. Does anyone have any information
> about what's going on there?
>
> Thanks,

Can't raise it either from my end. Not sure what is up.
Could be either maintenance or DDOS. Most likely the former. I'd give it
about 24 hours to see if it comes back up.

From spamcop-list-at-news.spamcop.net at musaic.net Fri Sep 2 14:50:34 2005
From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net)
Date: Fri Sep 2 07:51:06 2005
Subject: [SpamCop-List] blackholes.us
Message-ID: <358600087.20050902135034@musaic.net>

> Can't raise it either from my end. Not sure what is up. Could be either
> maintenance or DDOS. Most likely the former. I'd give it about 24 hours to
> see if it comes back up.

Well...don't hold your breath...my anti-spam system utilized
blackholes.us. I see from my logs that the last update was 10th of
August 2005. After that date my system has not been having any
conversation with blackholes.us.

Blackholes is gone, I am afraid...

If you want a list of ip address allocations by country, go here:
http://www.completewhois.com/statistics/country_statistics.htm
NOTE: This is NOT a blocklist!

--
St

From bar_n0ne at hotmail.com Fri Sep 2 18:30:42 2005
From: bar_n0ne at hotmail.com (Berny)
Date: Fri Sep 2 09:35:03 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities

"Redstone" wrote in message news:Xns96C493F9A378tinlc@216.154.195.61...
> "Berny" wrote in
> SNIPPED
>
> Have you gone to Geocities webform to report it? Did it before and it
> worked.. though sometimes it took a bit longer than usual.

Hoops!! Now for several weeks the jerks at uk.geocities have had their
thumbs up their bums while they play whack a mole with a 2 day reaction
time.

From no at spam.invalid Fri Sep 2 09:40:52 2005
From: no at spam.invalid (Michael Wise)
Date: Fri Sep 2 11:45:03 2005
Subject: [SpamCop-List] blackholes.us

In article , "St - Musaic.Net" wrote:
> > Can't raise it either from my end. Not sure what is up. Could be either
> > maintenance or DDOS. Most likely the former.
> > I'd give it about 24 hours to
> > see if it comes back up.
>
> Well...don't hold your breath...my anti-spam system utilized blackholes.us
> I see from my logs that last update was 10th of august 2005. After that
> date my system has not been having any conversation with blackholes.us.
>
> Blackholes is gone, I am afraid...
>
> If you want a list of ip address allocations by country, go here:
> http://www.completewhois.com/statistics/country_statistics.htm
> NOTE: This is NOT a blocklist!

If you're looking for China/Korea info, you can get it from my site,
which is kept more current than the blackholes.us data anyway.

http://www.okean.com/asianspamblocks.html

--Mike

From nobody at spamcop.net Fri Sep 2 09:44:22 2005
From: nobody at spamcop.net (Ellen)
Date: Fri Sep 2 12:40:02 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.

"Robert" wrote in message news:df8ros$8j4$1@news.spamcop.net...
> http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z
>
> Getting a lot of these reports back. Looks like either a glitch with
> the parser or another obfuscating technique from spammy.
>
> I don't know a lot about SMTP headers, so I can't spot the error.
>
> Any suggestions?

Appears that yahoo/Rogers changed the naming scheme for the mailservers.
They used to be of the format matnnn.rog.mail.re2.yahoo.com and are now
of the format matnnn.rog.mail.scd.yahoo.com. I updated the mailhost.
Let me know if you see any other failures to parse the top header.

Ellen
SpamCop

From big_mart_98 at yahoo.com Fri Sep 2 19:10:44 2005
From: big_mart_98 at yahoo.com (Martin Edwards)
Date: Fri Sep 2 13:10:04 2005
Subject: [SpamCop-List] Re: Burn Survivor Mailing List

Larry Kilgallen wrote:
> In article , "Ron B." writes:
>
> > http://www.spamcop.net/sc?id=z802056257zc273fc326aff613279fdc2bb7d65b378z
> >
> > points to a canceled Spamcop report.
> > I am not a member of the list nor ever even heard of it.
>
> I got one too.
>
> > Is this an attempt to confirm my e-mail addy?
> > If so, it was sent to my Spamcop account.

My guess is that it was phishing, clever though.

From MikeE at ster.invalid Fri Sep 2 17:43:37 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Sep 2 19:45:03 2005
Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net

G u y M a c o n wrote:
> Here is an interesting email I got.

Pasting a spam [header and/or body] into a discussion group is not the
way to communicate about such an item. The proper way is to submit the
item to the parser, copy the tracking url, submit or cancel the report
as appropriate, and then paste that tracker into the discussion group.

That particular item without a body would provide this tracker copied
from the top of the parse which doesn't offer to submit a report:

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z802377132ze06f9ff18c803abbebd7cafc2b9df015z

That's what you should have posted here instead of what you did.

> It had no body at all, so SpamCop
> refused to take the report until I added a body with my own text.

And that, an empty body spam, is what you found so 'interesting'? OK.

The interesting part of that to me is that it is 'controversial' about
whether or not we should add some text to the body to facilitate the
parser's response to offer to report the item.

In the forums, an admin makes such a recommendation. However, the
forums are not an official faq. The official faq describes what
material changes to a spam are permissible and which are not -- and it
does /not/ name adding text to the body as permissible.

And, the cardinal element of the material changes faq page is all about
not doing anything to cause SC to find [which implies to report] an IP
which it wouldn't otherwise find/report.
Adding body text is a material change causing SC to find/report an IP
which it wouldn't otherwise.

If whoever is in control of the faq doesn't change the faq, I don't
think that Jeff's blessing for making a material change which appears
in the forum is good enough to permit such a change. Faq changes are
sometimes made 'instantaneously' -- some other faq changes are never
made regardless of how many times they are discussed. This issue is a
faq change which has been discussed, emphasized, criticized,
documented, etc and no such faq change has ever come into being.

http://www.spamcop.net/fom-serve/cache/283.html
Do not make any material changes to spam before submitting or parsing
which may cause SpamCop to find a link, address or URL it normally
would not, by design, find.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Sep 2 17:54:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Sep 2 19:55:03 2005
Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net

G u y M a c o n wrote:
> Did Spamcop add the Message-ID and From, or was that something the
> spammer did?

Many servers which receive an item with no mid will add their own, and
when I see an mid with the characteristics of a receiving server, such
as here, I assume that the mid was added by the recipient server [as I
assume here] unless I have some evidence to the contrary. However,
spammers can forge such lines and can make an mid of their choosing.

Servers don't normally add Froms even if absent.

This item went from the proxy 220.76.123.170 thru' the spamcop system
which added the xlines [and presumably mid] and then to your oco
mailbox.

--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Fri Sep 2 21:33:21 2005
From: mwnospam at comcast.net (spamacyde)
Date: Fri Sep 2 20:35:17 2005
Subject: [SpamCop-List] blackholes.us

Is it easy to configure Outlook Express to reject mail from the IP
addresses listed on your site?

"Michael Wise" wrote in message news:no-79C57E.08405102092005@news.cesmail.net...
> In article ,
> "St - Musaic.Net" wrote:
>
> > > Can't raise it either from my end. Not sure what is up. Could be either
> > > maintenance or DDOS. Most likely the former. I'd give it about 24 hours to
> > > see if it comes back up.
> >
> > Well...don't hold your breath...my anti-spam system utilized blackholes.us
> > I see from my logs that last update was 10th of august 2005. After that
> > date my system has not been having any conversation with blackholes.us.
> >
> > Blackholes is gone, I am afraid...
> >
> > If you want a list of ip address allocations by country, go here:
> > http://www.completewhois.com/statistics/country_statistics.htm
> > NOTE: This is NOT a blocklist!
>
> If you're looking for China/Korea info, you can get it from my site,
> which is kept more current than the blackholes.us data anyway.
>
> http://www.okean.com/asianspamblocks.html
>
> --Mike

From MikeE at ster.invalid Fri Sep 2 18:51:42 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Sep 2 20:55:04 2005
Subject: [SpamCop-List] blackholes.us

spamacyde wrote:
> Is it easy to configure Outlook Express to reject mail from the IP
> addresses listed on your site?

When you stick a remark 'up in the air' up there which isn't in context
to anything, it lacks 'meaning'. That forces the reader of a
contextless remark to pay particular attention to every single element
of the /content/ of your contextless remark.

Then your remark sez 'configure OE to reject mail' -- which is worse
than contextless. It is senseless. OE doesn't 'reject' mail.
Reject is a term applied to a recipient server which can reject an smtp
transaction with a sending IP.

The other elements of your question are about 'IP addresses listed on
your site' -- but since there is no context, it isn't even apparent
what or who you are talking to about whatever. That forces someone to
have to imaginatively reconstruct what you didn't handle properly in
the first place.

I suppose we should fix it all up to look something like this.

spamacyde wrote:
> "Michael Wise"
> > If you're looking for China/Korea info, you can get it from my site,
> > which is kept more current than the blackholes.us data anyway.
> > http://www.okean.com/asianspamblocks.html
> Is it easy to configure Outlook Express to reject mail from the IP
> addresses listed on your site?

If I had seen something like that, maybe I wouldn't have gotten so
'aggravated' and 'attacked' your OE 'reject mail' remark, and tried to
be a little more gentle and interpret it as a filtering question.

OE is extremely weak in its message rules for handling spam. If you
were using a proxy like SpamPal, you could exclude quite a variety of
countries. If you were running a server, you could use something like
Michael provides, as did Matthew Evans of blackholes.

The trimmed contextualization which I created above but which you
didn't do when you topposted conveys the meaning of your question much
much better than what you did.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Fri Sep 2 19:39:15 2005
From: nobody at spamcop.net (N. Miller)
Date: Fri Sep 2 21:40:05 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.
Message-ID: <1vx653n4jd5xb$.dlg@news.spamcop.net>

On Fri, 2 Sep 2005 09:24:23 +0200, Steven Maesslein wrote:
> Yahpoo's Received: header looks malformed. The parser can't parse it,
> and since the next one down was inserted by the spammer there's every
> chance it's a forgery, and it refers to an RFC1918 IP address anyway.
>
> Therefore, SC can't trace the origin of the mail.

The Yahoo! Received: header line looks just like the ones that SC
parses just fine when I submit them. The next Received: header line
looks exactly like any internal hand off which appears in legitimate
email which leaves my server for my ISP's SMTP AUTH server for relay.

http://www.spamcop.net/sc?id=z802403040z5c30c4ab5694aaedbffb79e4b26a6d4bz

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Fri Sep 2 19:45:21 2005
From: nobody at spamcop.net (N. Miller)
Date: Fri Sep 2 21:50:05 2005
Subject: [SpamCop-List] blackholes.us

On Fri, 2 Sep 2005 20:33:21 -0400, spamacyde wrote:
> Is it easy to configure Outlook Express to reject mail from the IP addresses
> listed on your site?

It is impossible for Outlook Express, or any other MUA, to "reject"
email, if the term "reject" is in the normal SMTP context. OE can only
download email from a POP3 server, or delete it from the server under
specific, limited conditions. Most importantly, OE can't examine the
"Received" header line of email, so it can't even find IP addresses in
email headers.

Even with a client which can find IP addresses in email headers, most
clients can't distinguish between the MTA <> MX transaction and earlier
transactions. This means that it can be possible to dump email for a
blacklisted IP address when that should not happen; as when a
residential customer email is sent from a listed source IP address, but
goes through a legitimate ISP mail server.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From nobody at spamcop.net Fri Sep 2 19:57:07 2005
From: nobody at spamcop.net (N. Miller)
Date: Fri Sep 2 22:00:03 2005
Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net
Message-ID: <1rte6us7m10ca$.dlg@news.spamcop.net>

On Fri, 2 Sep 2005 16:43:37 -0700, Mike Easter wrote:
> And, the cardinal element of the material changes faq page is all about
> not doing anything to cause SC to find [which implies to report] an IP
> which it wouldn't otherwise find/report. Adding body text is a material
> change causing SC to find/report an IP which it wouldn't otherwise.

I can only guess that SC doesn't offer to report blank body spam
because it is similar in nature to DFNs, AV bounces, and C/R
challenges; all of which were, at one time, not reportable. At the
current time, all of the above, collectively called "backscatter", are
now reportable; except for blank body email. Given that blank body
email seems to be a result of broken spamware, maybe it is time to
rethink the issue.

Or not...if a blank body is the result of broken spamware, it should be
reportable; but it is possible that blank body email is the result of
some misadventure by a non-spamming sender, and that should not be
reported. I guess I just don't know how to answer the issue. It would
be a bad thing to mis-report innocent email senders; but surely the
recipient would recognize by the headers if the sender is an innocent
party. But I can't say that all SC reporters are careful, as well.

I guess I will just not recommend doing it...

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

From MikeE at ster.invalid Fri Sep 2 20:43:13 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Sep 2 22:45:03 2005
Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net
References: <1rte6us7m10ca$.dlg@news.spamcop.net>

N. Miller wrote:
> Mike Easter wrote:

> I can only guess that SC doesn't offer to report blank body spam
> because it is similar in nature to DFNs, AV bounces, and C/R
> challenges; all of which were, at one time, not reportable.

No. I think that the parser is configured to assume that if the body is
blank that the item has been improperly submitted.

I don't /think/ I have a problem with the current configuration of the
parser not wanting to report a spam -- altho' my judgment would be that
if I were the one choosing the default configuration, I would have the
parser 'warn' the reporter that the spam showed no body and that that
might represent an error in submission, but I would have the parser
offer to make the report on the source. Unless I were the 'boss' and I
didn't think that empty spams should be reported; in which case I would
address that issue in the faq.

If I were the boss I tho't that it was OK if empty spams were reported,
for the various reasons which are that most empty spams look 'exactly'
like regular spams except for the missing body. That is, I consider an
empty spam to be a payloaded spam 'wannabe'. A spam error for which the
sooner the IP source is blocklisted the better will be our
spamfiltering agents.

> At the current time, all of the above, collectively called,
> "backscatter", are now reportable; except for blank body email.

I don't think backscatter issues are the same as empty spam at all.

> I guess I will just not recommend doing it...

My little 'diatribe' about reporting empty spam by materially changing
the body to 'force' a report seeming against the faq isn't because I'm
against reporting empty spam. I'm in favor of reporting empty spam.
What I'm against is having an inconsistent 'attitude' about what the
faq sez about material changes. If the powers that be actually want
'us' tinu to be making material changes to spam to report empty spam,
then something should change.
The faq should condone materially changing the missing spambody; or the
parser should 'choose' to handle the empty spam differently by offering
to report it with a warning that something might be wrong.

The business of the parser handling the item so that the reporter is
forced to make a material change which isn't condoned by the faq is a
bad configuration for both the faq and the parser, and the boss is
supposed to be in charge of both the faq and the parser.

So, my gripe about this empty spam issue is that the boss isn't doing a
good job about handling it. And 'you' can tell him I sed so, whoever
you is.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Sep 2 23:37:23 2005
From: nobody at devnull.spamcop.net (WazoO)
Date: Fri Sep 2 23:40:04 2005
Subject: [SpamCop-List] Re: Email with no body - claims to be from blade4.cesmail.net

"Mike Easter" wrote in message news:dfao2f$gmg$1@news.spamcop.net...
>
> The interesting part of that to me is that it is 'controversial' about
> whether or not we should add some text to the body to facilitate the
> parser's response to offer to report the item.
>
> In the forums, an admin makes such a recommendation. However, the
> forums are not an official faq. The official faq describes what
> material changes to a spam are permissible and which are not -- and it
> does /not/ name adding text to the body as permissible.

In all fairness (and to back up Mike Easter's thoughts) ...
http://forum.spamcop.net/forums/index.php?showtopic=4821&view=findpost&p=32362

> If whoever is in control of the faq doesn't change the faq, I don't
> think that Jeff's blessing for making a material change which appears in
> the forum is good enough to permit such a change. Faq changes are
> sometimes made 'instantaneously' -- some other faq changes are never
> made regardless of how many times they are discussed.
> This issue is a
> faq change which has been discussed, emphasized, criticized, documented,
> etc and no such faq change has ever come into being.

There's been many more of "us" offering the same suggestion ... I
picked it up from newsgroup traffic years ago ... Some FAQ changes I
can state that I was involved with, submitting data, justification,
usually suggested changes .. and (most of) those changes happened.
Other FAQ changes have been made out of the blue, only noted when
someone pointed them out or I 'discovered' the change while researching
something else. Some changes just aren't going to happen. This one in
particular, as I conjecture in the referenced Forum post and you
suggest above, is at least partially based on the inexperience of some
in the handling of their spam. That some talk about their "blank spam"
and then produce a 20 pound load of HTML infested e-mail body is just
one episodic scenario. Those users that come in talking about how they
submit their "spam headers" and wondering why they always see errors in
the parse results .... on and on ...

From edb2000 at spamcop.net Fri Sep 2 23:05:24 2005
From: edb2000 at spamcop.net (Don Wannit)
Date: Sat Sep 3 01:10:03 2005
Subject: [SpamCop-List] Wow!

This recent hardware infusion is making a big difference! I just got
this result in a spam parse:

> Yum, this spam is fresh!
> Message is -1 hours old

Now that's fast spam processing! :-)

http://www.spamcop.net/sc?id=z802443402z309a80dacdeda529d6204e4da05ea83bz

--
Don Wannit
A paid SpamCop user since 1999

From bjoeg at *spammer*bjoeg.dk Sat Sep 3 06:55:04 2005
From: bjoeg at *spammer*bjoeg.dk (Bjarke Andersen)
Date: Sat Sep 3 02:00:04 2005
Subject: [SpamCop-List] LOL @ Inkline Global

InkLineGlobal, for many a trusted Ink provider, for me a spammer that
suddenly emerged in my mailbox.
Since many trusted this company I was kinda thinking that maybe someone
just typed my email address by accident, but today I found some funny
small proof in the cleartext message. Look at the path name of the gif
file; apparently they don't want to hide that they are in fact
spamming, rather than "newsletting".

--
Bjarke Andersen - Freelance SpamKiller
http://www.cdt.org/speech/spam/030319spamreport.shtml (How to prevent)
Wanna reply by email? Remove the spammer in address

From nobody at nowhere.invalid Sat Sep 3 11:38:01 2005
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sat Sep 3 04:40:09 2005
Subject: [SpamCop-List] blackholes.us

On Fri, 2 Sep 2005 20:33:21 -0400, spamacyde coughed into spamcop and
left this in :

> Is it easy to configure Outlook Express to reject mail from the IP
> addresses listed on your site?

On whose site? There's no context above your comments to know what
you're on about.

However, the answer is no. Mail rejection takes place server-side, not
client-side, so by the time any mailer sees the mail it's too late; the
mail can't be rejected. It can only be bounced, which is a Bad
Thing(tm) anyway.

--
Steve

Linux: the choice of a GNU generation
-- ksh @ cis . ufl . edu put this on Tshirts in '93

From no at spam.invalid Sat Sep 3 09:27:21 2005
From: no at spam.invalid (Michael Wise)
Date: Sat Sep 3 11:30:07 2005
Subject: [SpamCop-List] blackholes.us

In article , "spamacyde" wrote:
...
> > > Blackholes is gone, I am afraid...
> > >
> > > If you want a list of ip address allocations by country, go here:
> > > http://www.completewhois.com/statistics/country_statistics.htm
> > > NOTE: This is NOT a blocklist!
> >
> > If you're looking for China/Korea info, you can get it from my site,
> > which is kept more current than the blackholes.us data anyway.
> >
> > http://www.okean.com/asianspamblocks.html
> Is it easy to configure Outlook Express to reject mail from the IP addresses
> listed on your site?

Probably not. The info I have up is designed for server-level blocking.

--Mike

From JG at coks.net Sat Sep 3 09:59:54 2005
From: JG at coks.net (JG)
Date: Sat Sep 3 12:00:02 2005
Subject: [SpamCop-List] spam within spam?

http://www.spamcop.net/sc?id=z802580531z2b2ca020ac2a78d746472e2c055f36d6z

Opening the message shows a simple spamvert for dialup. Looking at the
source it shows some ebay tripe built in - is this just part of a
nonsensical body filler or is this something else?

From MikeE at ster.invalid Sat Sep 3 11:09:59 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Sep 3 13:10:03 2005
Subject: [SpamCop-List] Re: spam within spam?

JG wrote:
www.spamcop.net/sc?id=z802580531z2b2ca020ac2a78d746472e2c055f36d6z

> Opening the message shows a simple spamvert for dialup. Looking at
> the source it shows some ebay tripe built in - is this just part of a
> nonsensical body filler or is this something else?

If you routinely open your spam and read it, you must have some purpose
in mind. What exactly is your intention when you open a spam? What sort
of investigation do you do before you open it? How are you configured
to assure that opening spam does not benefit the spamvertiser more than
it does /not/ benefit the spamvertiser? Do you have an 'algorithm' or a
decision tree to represent any particular strategies to be employed
depending upon what you find when you investigate the interior of a
spam? How do 'we' know that your purposes in opening spams are
'honorable' from a spamfighting point of view? Or... are you a
'spamreader' who is curious about what spam says and because of such
curiosity and interest you also go to visit spamvertised sites and
occasionally purchase something from a spamvertiser?
Any spamreader, whether they are a spam reporter or not, is 'suspect'
about their intentions and purposes [in my book] especially if they
have not proven themselves to be pledged and able to never aid a
spammer by their actions.

The item in question has a different plaintext content than its html
content which are in multiparts. 'Studying' the content of the portion
of the spam judged to be not associated with the payload is 'kinda
crazy' -- but I suppose a person could make a pastime of it. In this
case the ebay material falls into the category of 'junk' not associated
with the payload, except that the junk also contains an enigmatic link
to the payload site.

The payload is the html part which also contains 'curiosities' which
you can study if you are so motivated. The payload links appear
slightly different in what you see than the link which isn't seen; for
example you see http://ltpx.shop4depot.com but you connect to
http://brhq.shop4depot.com/ - Approximately how much time do you think
you should be spending on that curiosity? In addition, you see
http://trlsqpy.shop4depot.com/r/ but you connect to
http://zdwd.shop4depot.com/r/ -- we should probably spend a lot of time
here talking about all that.

SC identifies the enigmatic link in the plaintext part as well as the
links above which are the 'connecting' links. The links themselves
redirect to shop4emporium.info -- which if you are going to spend any
time 'dissecting' the content of the spam should be considered to be
the true payload target -- which is at the same IP as all of the above
202.65.111.128 -- namely a spamhaus listed .hk /32

Somehow there needs to be a 'balance' in the business of studying
spambody content.

The paypal 'misdirecting' red herring of the plaintext portion of the
body is 'echoed' in the bogus lines in the header, which also have
paypal bogosity.
You could spend a great deal of wasted time discussing why the spammer
constructed the bogus header lines the way s/he did and why s/he
constructed the spambody the way s/he did. Surely you don't think that
is a good way for us to spend our time in this discussion group.

I would rather accuse you of being a spamreader who might be reading
spam insecurely and visiting spammer websites curiously. Then we can
argue about that instead of how the spam was put together and why it
was put together that way.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Sep 3 11:42:38 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Sep 3 13:45:04 2005
Subject: [SpamCop-List] Re: spam within spam?

Mike Easter wrote:
> The paypal 'misdirecting' red herring of the
> plaintext portion of the body is 'echoed' in the bogus lines in the
> header, which also have paypal bogosity.

Should say -- the ebay misdirecting red herring of the plaintext body
is echoed in the bogus line in the header, which has paypal bogosity.

--
Mike Easter
kibitzer, not SC admin

From RobertTaylor at SpamCop.net Sat Sep 3 14:46:14 2005
From: RobertTaylor at SpamCop.net (Robert Taylor)
Date: Sat Sep 3 13:50:03 2005
Subject: [SpamCop-List] Att'n. Mike Easter: Scammers Cashing in on Katrina

Hello Mike,

I assume you're aware of the efforts on the part of spammers to divert
relief funds for the Katrina tragedy to their own pockets. A friend
connected to the Red Cross asked me if I knew of anyone who might help,
or recommend someone who might help, to counter this despicable
business, either directly, or simply in the form of advice.

Given your knowledge and skill in interpreting and tracing eMail
headers, the thought occurred to me that you might be willing to
contact Red Cross and offer whatever ideas, suggestions or help your
schedule and commitments might allow.
According to a pair of exchanges over in another news group, it seems
that, despite their best intentions, R. C. may not be handling the
matter too well.

Please forgive what might appear to be a personal liberty in this
request; no such liberty intended, just looking for the best person who
might help in what is clearly a good--and desperate--cause.

Regards,
Robert (eMail addy is valid)

--
eMail: RobertTaylor@SpamCop.net
Web-Address: http://users.rcn.com/robertt.nh.ultranet/Web-SitePg1.htm

From verdy_p at wanadoo.fr Sat Sep 3 02:31:27 2005
From: verdy_p at wanadoo.fr (Philippe Verdy (n.o-s.p.a.m+abuse))
Date: Sat Sep 3 14:35:06 2005
Subject: [SpamCop-List] Re: Anyone read Norwegian here?

> From: "Anti-Spam"
> X-Trace: news.spamcop.net 1125330871 16196 216.95.192.200 (29 Aug 2005
> 15:54:31 GMT)
>
> (...message snipped...)
> Bring in the death penalty for repeat spammers.

Your signature brings nothing to this newsgroup, is unproductive, and
its political implications are completely off topic, and it does not
give more information to people reading it, notably because they may be
opposed to your argument. Although many may have very radical opinions
about how spammers should be prosecuted, I doubt anyone would approve
your offending "suggestion" (especially those in countries where the
death penalty is banned, or even not applicable to misbehavior which is
not within the application field of criminal laws).

So please, either change your "suggestion", which is shocking for death
penalty opponents, into something more neutral and realistic, or just
don't suggest anything against spammers: let judges and juries decide
on the nature of the offence and on the penalty to apply. The problem
is definitely not in the penalty to apply, but in the lack of judiciary
actions against spammers.
We are here in this group to help identify spammers, and provide proof of offence to help authorities take the necessary measures to locate and prosecute them if needed. Not all spams are of a criminal nature; most of them are just unfair or illegal commercial practices. They are spams, what they "sell" may be illegal, but we are not here to judge their authors (notably, MOST effective spam sources are innocent people who don't even know that their PC is infected by viral spamware, and who just complain to their ISP when they feel their Internet connection is too slow, or who don't know exactly what to do to clean up their PC: they seek the assistance of their ISP, and we are here to report them to their ISP, so that the ISP can identify the infected sources and minimize the damage to the network.)

So it will be more productive to say something else, such as "Let's prosecute spammers and bring them out of the net: I don't support what they do, I collect proofs of actions against them, and will report all of them."

For now, your signature, when it is read repeatedly in your messages posted to public groups, has an impact which is SIMILAR to what YOU can feel when receiving unsolicited porn content through spam. It is also disrespectful to your readers, and does not help improve your own image. The rest of your message may not be taken seriously if you don't respect your readers, and it does not help improve the image of this whole newsgroup.

So be serious, remove this sentence from your public postings (keep it for your private postings if you want, but then assume privately all its implications about yourself).

Thanks.

--
Philippe.

From MikeE at ster.invalid Sat Sep 3 13:16:32 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Sep 3 15:20:02 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
References:
Message-ID:

Robert Taylor wrote:
> According to a pair of exchanges over in another news group, it seems that, despite their best intentions, R. C. may not be handling the matter too well.

I would be interested in seeing that discussion. Where is it?

A working email for me is mike.easter@gmail.com

--
Mike Easter
kibitzer, not SC admin

From spamcop-list-at-news.spamcop.net at musaic.net Sat Sep 3 23:27:00 2005
From: spamcop-list-at-news.spamcop.net at musaic.net (St - Musaic.Net)
Date: Sat Sep 3 16:27:54 2005
Subject: [SpamCop-List] Anyone read Norwegian here?
In-Reply-To:
References:
Message-ID: <858578764.20050903222700@musaic.net>

> Kan dere følge opp denne på vanlig vis, med kopi til abuse@basefarm.com?
> Klagen på spam ble sendt inn av xxx@reports.spamcop.net

"Please handle this complaint in accordance with AUP and report back to abuse@basefarm.com
The incident was reported by xxx@reports.spamcop.net"

--
St

From spamcop2.5.kuch at recursor.net Sat Sep 3 18:38:43 2005
From: spamcop2.5.kuch at recursor.net (Robert)
Date: Sat Sep 3 17:40:08 2005
Subject: [SpamCop-List] Re: No source IP address found, cannot proceed.
In-Reply-To:
References:
Message-ID:

Ellen wrote:
> "Robert" wrote in message news:df8ros$8j4$1@news.spamcop.net...
>> http://members.spamcop.net/sc?id=z802124442z380c48a0502d63be54dba57c5528b9e3z
>>
>> Getting a lot of these reports back. Looks like either a glitch with the parser or another obfuscating technique from spammy.
>>
>> I don't know a lot about SMTP headers, so I can't spot the error.
>>
>> Any suggestions?
>
> Appears that yahoo/Rogers changed the naming scheme for the mailservers. They used to be of the format matnnn.rog.mail.re2.yahoo.com and are now of the format matnnn.rog.mail.scd.yahoo.com. I updated the mailhost. Let me know if you see any other failures to parse the top header.
>
> Ellen
> SpamCop

No problems since your update. Thanks.
From JG at coks.net Sat Sep 3 17:21:19 2005
From: JG at coks.net (JG)
Date: Sat Sep 3 19:20:04 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 10:09 AM Mike Easter scribbled:
> JG wrote:
>> www.spamcop.net/sc?id=z802580531z2b2ca020ac2a78d746472e2c055f36d6z
>>
>> Opening the message shows a simple spamvert for dialup. Looking at the source it shows some ebay tripe built in - is this just part of a nonsensical body filler or is this something else?
>
> If you routinely open your spam and read it, you must have some purpose in mind. What exactly is your intention when you open a spam? What sort of investigation do you do before you open it? How are you configured to assure that opening spam does not benefit the spamvertiser more than it does /not/ benefit the spamvertiser.

Never /said/ I routinely open spam /but/ if the obfuscation is such that one can't tell what the subject is from viewing the source (I send meds to FDA, pump and dump to SEC) opening the spam usually tells me what is really going on.

> Do you have an 'algorithm' or a decision tree to represent any particular strategies to be employed depending upon what you find when you investigate the interior of a spam? How do 'we' know that your purposes in opening spams are 'honorable' from a spamfighting point of view.

I don't know - what does that mean? Honorable spamfighting as opposed to /what/? WTF could I be doing dishonorably?

> Or... are you a 'spamreader' who is curious about what spam says and because of such curiosity and interest you also go to visit spamvertised sites and occasionally purchase something from a spamvertiser?

Hardly, Mike, tho I suppose there exist such dimwits - you are free to check out my reporting record should you desire/have the ability. What on earth gave you the idea I open spam to read them? I went to college - I can read a book if I want...

> Any spamreader, whether they are a spam reporter or not, is 'suspect' about their intentions and purposes [in my book] especially if they have not proven themselves to be pledged and able to never aid a spammer by their actions.

Huh?

> The item in question has a different plaintext content than its html content which are in multiparts. 'Studying' the content of the portion of the spam judged to be not associated with the payload is 'kinda crazy' -- but I suppose a person could make a pastime of it. In this case the ebay material falls into the category of 'junk' not associated with the payload, except that the junk also contains an enigmatic link to the payload site.

Yes, enigmatic - the purpose of my post, which I canceled a few minutes later - but you saw it and flipped out over me looking. I use Thunderbird and it is set to not allow any execution of anything in the message, so I feel fairly secure in opening the message. How do you tell the spam is offering a list of meds if you can't see it in the source??

> The payload is the html part which also contains 'curiosities' which you can study if you are so motivated. The payload links appear slightly different in what you see than the link which isn't seen; for example you see http://ltpx.shop4depot.com but you connect to http://brhq.shop4depot.com/ - Approximately how much time do you think you should be spending on that curiosity? In addition, you see http://trlsqpy.shop4depot.com/r/ but you connect to http://zdwd.shop4depot.com/r/ -- we should probably spend a lot of time here talking about all that.

Glad the sarcasm is ended - see above...

> SC identifies the enigmatic link in the plaintext part as well as the links above which are the 'connecting' links. The links themselves redirect to shop4emporium.info -- which if you are going to spend any time 'dissecting' the content of the spam should be considered to be the true payload target -- which is at the same IP as all of the above 202.65.111.128 -- namely a spamhaus listed .hk /32
>
> Somehow there needs to be a 'balance' in the business of studying spambody content. The paypal 'misdirecting' red herring of the plaintext portion of the body is 'echoed' in the bogus lines in the header, which also have paypal bogosity. You could spend a great deal of wasted time discussing why the spammer constructed the bogus header lines the way s/he did and why construct the spambody the way s/he did.
>
> Surely you don't think that is a good way for us to spend our time in this discussion group. I would rather accuse you of being a spamreader who might be reading spam insecurely and visiting spammer websites curiously. Then we can argue about that instead of how the spam was put together and why it was put together that way.

Cripe, did that piss you off that much? I was curious of what the intent was. I report too much of this shit to spend that much time analyzing it to death...

From JG at coks.net Sat Sep 3 17:22:55 2005
From: JG at coks.net (JG)
Date: Sat Sep 3 19:25:02 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 10:42 AM Mike Easter scribbled:
> Mike Easter wrote:
>> The paypal 'misdirecting' red herring of the plaintext portion of the body is 'echoed' in the bogus lines in the header, which also have paypal bogosity.
>
> Should say -- the ebay misdirecting red herring of the plaintext body is echoed in the bogus line in the header, which has paypal bogosity.

I didn't even see the paypal - I don't spend all that time looking since I'm not in law enforcement.
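A way to do the kind of inspection argued over in this thread without rendering the message and without touching the spamvertised site, as an added example that is not part of any of the posts and is not SpamCop's parser: it walks the MIME parts of a raw message, lists the URLs in the plain-text part, pairs every html anchor's visible text with the href it would actually connect to (the ltpx-versus-brhq kind of mismatch Mike points out), and lists remote images that a rendering client would fetch. The message is a constructed sample whose hostnames sit under the reserved .example TLD, not the spam JG posted; everything happens offline, which is the point: seeing what a link text hides does not require a GET that would register a hit for the spammer.

```python
"""Inspect a multipart spam sample from its raw source only: nothing is
rendered, no link is followed and no image is fetched.

Added example for this thread, not code from the list or from SpamCop.
The sample message is constructed to mirror the structure JG and Mike
discuss: a plain-text part and an html part that disagree, visible link
text that differs from the href, and a remote image that would act as a
web bug when the message is rendered online.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample; hostnames are placeholders under the reserved
# .example TLD, not the actual spamvertised domains.
SAMPLE = """\
From: "eBay Support" <support@example.invalid>
To: recipient@example.invalid
Subject: Your account information
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_alt"

--=_alt
Content-Type: text/plain; charset="iso-8859-1"

Dear eBay member, please confirm your recent activity at
http://ltpx.shop4depot.example/

--=_alt
Content-Type: text/html; charset="iso-8859-1"

<html><body>
<p>Unlimited dialup, first month free!</p>
<a href="http://brhq.shop4depot.example/">http://ltpx.shop4depot.example</a>
<a href="http://zdwd.shop4depot.example/r/">http://trlsqpy.shop4depot.example/r/</a>
<img src="http://beacon.shop4depot.example/t.gif?id=42" width="1" height="1">
</body></html>

--=_alt--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    """Hostname of a URL, lower-cased; empty string if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Pull every <a href> with its visible text, and every <img src>,
    out of unrendered html. Nothing is executed or loaded."""

    def __init__(self):
        super().__init__()
        self.links = []    # (href, visible text)
        self.images = []   # img src values
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href = attrs["href"]
            self._text = []
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def inspect_message(raw):
    """Walk the MIME tree of a raw message and report what a reader would
    see versus where the links actually go."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"parts": [], "text_urls": [], "html_links": [],
              "mismatched": [], "remote_images": []}
    for part in msg.walk():
        ctype = part.get_content_type()
        report["parts"].append(ctype)
        if ctype == "text/plain":
            report["text_urls"] += URL_RE.findall(part.get_content())
        elif ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            report["html_links"] += collector.links
            # A rendering client fetches remote images even with scripts
            # disabled; that fetch is the web bug.
            report["remote_images"] += [s for s in collector.images
                                        if s.startswith(("http://", "https://"))]
    # Visible text that looks like a URL but whose href goes somewhere else.
    for href, text in report["html_links"]:
        if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
            report["mismatched"].append((text, href))
    # Do the plain-text and html parts even point at the same hosts?
    text_hosts = {host_of(u) for u in report["text_urls"]}
    html_hosts = {host_of(h) for h, _ in report["html_links"]}
    report["parts_diverge"] = text_hosts != html_hosts
    report["all_hosts"] = sorted(text_hosts | html_hosts
                                 | {host_of(s) for s in report["remote_images"]})
    return report


if __name__ == "__main__":
    for key, value in inspect_message(SAMPLE).items():
        print(f"{key}: {value}")
```

What this cannot tell you is where a redirector finally lands; that only a fetch reveals, and the fetch is exactly the website hit the thread warns against. The hostnames collected here are enough to feed a blocklist lookup or an abuse report without it.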
From JG at coks.net Sat Sep 3 17:26:49 2005
From: JG at coks.net (JG)
Date: Sat Sep 3 19:30:03 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 10:42 AM Mike Easter scribbled:
> Mike Easter wrote:
>> The paypal 'misdirecting' red herring of the plaintext portion of the body is 'echoed' in the bogus lines in the header, which also have paypal bogosity.
>
> Should say -- the ebay misdirecting red herring of the plaintext body is echoed in the bogus line in the header, which has paypal bogosity.

Maybe I'll just spend my time cutting and pasting neutral discussions on the various virtues of s/w packages rather than discuss the subject of the group - if I were a spammer, I could Google M$ IE and flood the group with misinformation until I was shut off. Then I'd go over to alt.spam and read about Brad...

From JG at coks.net Sat Sep 3 17:29:27 2005
From: JG at coks.net (JG)
Date: Sat Sep 3 19:30:07 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 4:21 PM JG scribbled:
> On 9/3/2005 10:09 AM Mike Easter scribbled:
>> If you routinely open your spam and read it, you must have some purpose in mind. What exactly is your intention when you open a spam? What sort of investigation do you do before you open it? How are you configured to assure that opening spam does not benefit the spamvertiser more than it does /not/ benefit the spamvertiser.
>
> Never /said/ I routinely open spam /but/ if the obfuscation is such that one can't tell what the subject is from viewing the source (I send meds to FDA, pump and dump to SEC) opening the spam usually tells me what is really going on.

If you know a better way to spot a meds list I'm all ears...

From RobertTaylor at SpamCop.net Sat Sep 3 21:00:06 2005
From: RobertTaylor at SpamCop.net (Robert Taylor)
Date: Sat Sep 3 20:00:02 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
References:
Message-ID:

In news:dfcsqh$nvp$1@news.spamcop.net, Mike Easter sent:
> Robert Taylor wrote:
>> According to a pair of exchanges over in another news group, it seems that, despite their best intentions, R. C. may not be handling the matter too well.
>
> I would be interested in seeing that discussion. Where is it?
>
> A working email for me is mike.easter@gmail.com

news.grc.com
group: grc.security
thread: scammers hit web in Katrina's wake

A little under the weather at the moment (surgery). I'll be in touch.

Regards,
Robert

--
eMail: RobertTaylor@SpamCop.net

From 9ucs5y001 at sneakemail.com Sat Sep 3 19:00:06 2005
From: 9ucs5y001 at sneakemail.com (DS)
Date: Sat Sep 3 21:05:03 2005
Subject: [SpamCop-List] Re: Track TCP/IP transmissions made by background processes
References:
Message-ID:

"Jeff" wrote in message news:detbe5$ci8$1@news.spamcop.net...
> I have some background processes that are running that I can't stop. When I try to stop them, they simply spawn a new process and rename themselves as a .exe file with a random 7 character filename. Neither ad-aware nor Microsoft's spyware software detects them, nor does Norton Antivirus. I'm assuming these programs are either sending or receiving transmissions over the internet without me knowing. Is there a way to find out if they're transmitting or receiving data over the internet?

I finished cleaning up my sister-in-law's computer that was behaving like this. It turns out that it was infected with both VX2 and SAH. To clear it out, I had to resort to the Windows boot/install/recovery console and delete the root culprit executable. It was loading at winlogon time via the WinLogon/Notify method. I was lucky--if that didn't work, it was re-imaging time for her HD.

DS

From MikeE at ster.invalid Sat Sep 3 19:19:24 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Sep 3 21:20:02 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

JG wrote:
>> Mike Easter
>>> If you routinely open your spam and read it, you must have some purpose in mind. What exactly is your intention when you open a spam? What sort of investigation do you do before you open it? How are you configured to assure that opening spam does not benefit the spamvertiser more than it does /not/ benefit the spamvertiser.
>>
>> Never /said/ I routinely open spam /but/ if the obfuscation is such that one can't tell what the subject is from viewing the source (I send meds to FDA, pump and dump to SEC) opening the spam usually tells me what is really going on.
>
> If you know a better way to spot a meds list I'm all ears...

If you are going to open your spams, I would inspect the message source before I did that, so that you will know how it is constructed before you open it. You will also have to decide if you are going to open the items offline, since you are presumably going to be rendering any html which is inside. Alternatively, if you are sufficiently skilled at reading or interpreting raw unrendered html, you could do your inspections on the unrendered condition.

In addition to opening spams and reading them, you will also have to determine the content of the ultimate website after any redirectors -- because sometimes the apparent content of the spam isn't what the website is all about. This issue about the presumed

Or perhaps the better and quicker strategy would be to simply use the parser to 'extract' the links and then use a tool, either online or console based, to GET the website's content and make your judgment as to pharm spams. The stock spams typically don't have a payload website associated.
I'm not altogether sure that the profit which is provided to the spammer by tickling the website is balanced by the debatable 'value' of providing the information to the FDA or SEC -- but since I can't prove that one way or the other it becomes a personal choice of the particular spamfighter.

That is, your actions are profiting the spammer. Depending upon how you do it, you may also be 'inviting' more spam with webbugs. Ostensibly you are gaining some unknown something or other in the spamfighting effort by giving stock spams to the SEC and pharm spams to the FDA -- but I actually rather doubt that you are succeeding in doing anything of consequence there.

So, then what we have left, in the example of the pharm spam, since it involves a website hit, is positive benefit to the spammer as a combination of whatever webbugs you tickle if you open the spam insecurely - plus whatever advertiser profits you give to the spammer by either visiting the website or tickling it with a GET function - to be somehow counterbalanced by some effect against the spammer by giving the spam to the FDA and SEC. I'm concerned that that counterbalance is zero -- so the spammer has a net gain as a result of your spamfighting efforts which involve opening the spam and/or visiting the website to determine what is going on there.

Perhaps you would be better off to just send everything blindly to the FDA and SEC and not investigate anything. I realize that sounds zany, but I think the spammer is winning the investigation battle.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Sep 3 19:27:10 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Sep 3 21:30:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

Dave Lerner wrote:
> Mike Easter
>> Any spamreader, whether they are a spam reporter or not, is 'suspect'
> But isn't this getting rather paranoid?
>
> "spamreaders"? Are you serious? :D

Spamreading is 'generally' bad.
The vast majority of spam recipients need to have their spam 'automagically' put into a junk folder for them so that they aren't confronted with spamsubjects and spamfroms in their inbox, and they need to be deleting it all unopened, not determining what is and isn't spam by reading subjects, froms, and sometimes interiors of spams mixed in with their goodmail. The inbox is no place for spam to be landing.

The world is full of spamwhiners and spamhaters who are also spamreaders and spam profiters. Spam reporters are also spamwhiners and spamhaters and spamreaders. I can't sit and look over the shoulder of every single spamreader or spamreporter to determine for myself whether or how they should be handling their spam, except that in general spamreading works to the advantage of the spammer.

> Do you really think the people who buy Viagra or low-rate mortgages advertised in spam are going to come here and ask technical questions about the spam?

I think there is a tremendous overlap between spamwhiners, spamhaters, spamreaders, spamreporters, and spamprofiters. It is very hard to sort them out, except that I know that those who delete all of their spam unopened because it has been put into a junk folder by an effective filter are not profiting spammers. Any variety of spamreader, reporter or not, is at least partially suspect because I can't police how they go about reading their spam.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Sep 3 19:47:57 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Sep 3 21:50:03 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
References:
Message-ID:

Robert Taylor wrote:
> Mike Easter
>> Robert Taylor wrote:
>>> According to a pair of exchanges over in another news group, it seems that, despite their best intentions, R. C. may not be handling the matter too well.
>>
>> I would be interested in seeing that discussion. Where is it?
> news.grc.com
> group: grc.security
> thread: scammers hit web in Katrina's wake

That method of discussing the issue by describing emails isn't going to work. The whole enchilada needs to be posted, and that's not the right place to do it. There's no point in even discussing the items [at least to me] if it isn't posted in its entirety somewhere -- for example there's a nana [news.admin.net-abuse.*] newsgroup for sightings which is appropriate for posting spams for discussion.

So, I'm going to pass on even getting involved in the discussion, unless I were to go over there and tell them that if they are going to discuss spams they should be posting them. But it seems the discussants are people who like to try to describe spams, so I'm staying out.

--
Mike Easter
kibitzer, not SC admin

From not at home.today Sun Sep 4 03:45:49 2005
From: not at home.today (Ant)
Date: Sat Sep 3 21:55:03 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

"JG" wrote:
> Cripe, did that piss you off that much? I was curious of what the intent was. I report too much of this shit to spend that much time analyzing it to death...

Don't mind Mike; he froths at the mouth, although not usually this sarcastically, when someone "reads" a spam by allowing their mail agent to "open" it. He has a point in that some mail agents (e.g. OE) tend to be insecure when rendering html content. Apart from script or other (usually Microsoft) vulnerabilities which can be exploited when rendering an email, spams can contain web beacons which signal to the spammer that you opened the mail if you are online at the time. Also if you are "curious" about what's at the other end of a link, you may be tempted to click it, thus generating a hit for the spammer and possibly infecting your PC with malware if insecurely configured. I hardly think that anyone here is going to be seduced into buying spamvertized crap.
To answer your original question; spammers obfuscate to get around filters, and try to mislead as to the true source of the mail. Of course we (ObTinw) say spammers are stupid, and this item, having a different plain-text and html part, is an obvious indicator of spam.

From g.hyde at bigpond.net.au Sun Sep 4 14:33:04 2005
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sat Sep 3 23:35:04 2005
Subject: [SpamCop-List] Re: www.mypctuneup.com
References:
Message-ID:

I'm not sure if this is relevant, but one really good (and AFAICT, fairly safe) improvement newer PCs have over older ones is that they factory-install a BIOS chip which has Trend ChipAway or some similar BIOS-based antivirus protection which prevents most exploits like this from running in the first place. I'm not saying it's the only protection one needs, as I most certainly do have Symantec's Norton Internet Security (which includes a Norton Antivirus program tailored for NIS) installed as well, but I sure wouldn't like to be without the chip protection which stops a lot of simpler virus infection methods dead in their tracks. It may be a bit overzealous, though a lot of the time I don't know if something I am prompted to install is something I want to trust or not, and I'm quite glad modern computer software and BIOSes are being updated to help block more common virus infection methods.

--
Cheers ... Geoffrey Hyde

"Jeff" wrote in message news:detet2$f32$1@news.spamcop.net...
> That's SO NICE of these people to install spy software on my computer without my permission and then offer a website with a free uninstall. I just noticed this crap in my Add/Remove Programs listing, and when I clicked on it, it wouldn't uninstall without a connection to the internet.
> Then it made me answer some questions and tried to pressure me to NOT uninstall the software and when I finally insisted on uninstalling, it takes you to http://www.mypctuneup.com where you have to download more software to do the uninstall. I can't believe this is not illegal. The FAQ on this website claims that I gave them permission to install their spy software which I most certainly did not.
>
> Jeff

From RobertTaylor at SpamCop.net Sun Sep 4 01:20:59 2005
From: RobertTaylor at SpamCop.net (Robert Taylor)
Date: Sun Sep 4 00:25:03 2005
Subject: [SpamCop-List] Re: Att'n. Mike Easter: Scammers Cashing in on Katrina
References:
Message-ID:

In news:dfdjoc$55m$1@news.spamcop.net, Mike Easter sent:
> Robert Taylor wrote:
>> Mike Easter
>>> Robert Taylor wrote:
>>>> According to a pair of exchanges over in another news group, it seems that, despite their best intentions, R. C. may not be handling the matter too well.
>>>
>>> I would be interested in seeing that discussion. Where is it?
>
>> news.grc.com
>> group: grc.security
>> thread: scammers hit web in Katrina's wake
>
> That method of discussing the issue by describing emails isn't going to work. The whole enchilada needs to be posted, and that's not the right place to do it. There's no point in even discussing the items [at least to me] if it isn't posted in its entirety somewhere -- for example there's a nana [news.admin.net-abuse.*] newsgroup for sightings which is appropriate for posting spams for discussion.
>
> So, I'm going to pass on even getting involved in the discussion, unless I were to go over there and tell them that if they are going to discuss spams they should be posting them. But it seems the discussants are people who like to try to describe spams, so I'm staying out.

I understand. Of course, that decision is perforce entirely up to you, and I respect it.
In citing the above thread, it was not my intention to suggest that you join it; I thought perhaps you might choose to do some independent investigation, e.g., with information supplied by Red Cross, but I see your point regarding the absence of some concrete material in an appropriate forum.

Regards,
Robert

--
eMail: RobertTaylor@SpamCop.net
Web-Address: http://users.rcn.com/robertt.nh.ultranet/Web-SitePg1.htm

From JG at coks.net Sun Sep 4 00:32:47 2005
From: JG at coks.net (JG)
Date: Sun Sep 4 02:35:04 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 6:19 PM Mike Easter scribbled:
In hindsight: Mike Easter barked:

>>>> If you routinely open your spam and read it, you must have some purpose in mind. What exactly is your intention when you open a spam?

Not out of curiosity, I assure you. I ctrl/u for source and see:

Subject: Your dreams come true today
Mime-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="=====================_88522554==.REL"

--=====================_88522554==.REL
Content-Type: multipart/alternative; boundary="=====================_75176944==.ALT"

--=====================_75176944==.ALT
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable

! boo it's cellular or gogo in resumption and tomorrow not hereford and dexter not crimea try proverb or louver , upon the declaim or resistible but indefatigable see bolo see kraft a carlyle not added it's nairobi.

--=====================_75176944==.ALT
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

3D""

a ascription the struck or permissible some century or captain , hat and antiperspirant not plop it's projectile , epidemiology not snippy but cheap but auk it's bandit or canton and finland the straw , bennington a falcon. No, thanks; > For Deletion
--=====================_75176944==.ALT--

--=====================_88522554==.REL
Content-Type: image/gif; name="hollywood.7.gif"; x-mac-type="1A903702"; x-mac-creator="8A491966"
Content-ID: <9.0.0.86.0.35941329679831.28431184@conciliate.flashmail.com.6>
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="hollywood.7.gif"

R0lGODlh1QF9AJEAAP////8AAAAAzAAAACH5BAAAAAAALAAAAADVAX0AAAL/hI+py+0Po5y0 2ouz3rz7D4biSJbmiabqyrbuCzNDN8zxjef6zsf1bwP9EEGIbZioRYq9pvMJjfaKzE2waiQy lUup9wsOizHbA9JMnXHNirVyzWantckzAP4+Ysf8vv//UXYXN1ho8NaGRyco13j4CGl4RHc3 CXiJmam5IAiURpUVaZhEejV6ZooGGrm36foK29TJKdpKuEqaq8bK24ubGhssPPzyS3sqc0t0 vDxoWQicatxLXG19reG5hQp0CKd1xWUnWmmJ5Kkq3l3OXkmODR8vL2VbPH+Pn59T78Kv/w8w oMCBBAsaPIgwocKFDBs6fAgxosSJFCtavIgxo8aN/xw7evwIMqTIkSRLmjyJMqXKlSxbunwJ M6bMmTRr2ryJM6fOnTx7+vwJNKjQoUSLGj2KNKnSpUybOn0KNarUqVSp+jM4Dk2JqyK/Wcjq AWwGsSS+cW020esoEesIefskA49ZtUJ24Fp7ga6VORz0TvDbxi2FswXVEh7sjJIvwZKoARtx OMVdMpGNVH4AeMnZZ6q0ukv0Gaw2cOfIvk0nt+3ot+FWt0WdyI3sz6ADl5n2eLFj0OrqhAvN bZtvcHF3sZMtjjanVnNTD3nNWs1sb+l8G0Z3GnY55mujMaZuHO/xT3mox6X9HC7y3uj1mJdr Ppfj8M2q0E+srLH8Z95rJ/+frx8r5twS3h78ucWXge/EB9wi7i2nmDvTTWjgOuV51mAy++UX mHZ1MOicX6o9+N5vlDiHWoJYTCMecbENmF9u+vUnHo00IoigG3FgZxt+taDFHF3wKaeNXkN2 lqJnQtpnx3pGdhiggt+dyBeD0YFn4pDTKUkehh8qhyM1x9iHH4/SMHbmblDaiOZwO7rY4jK7 3MWiLudxSRp0ETYXIZ4QOqhYZnixyUycWH5p5XmzzUWkcI1u+aVhQE4JCZn34dZmpRyuuCmH gpGJDFoO5EbnlJztSWKJo1YpoYmRVvjhkZllNQ6PSLK2XHPkBWkhrU3W6qt120D3a2sN2Lqd m9n/LStJasoSV9qtweJ6JbXJangKfNG+yCSKrx5bGnvtFetriHBtd9lW6f4Fqzzr9jGZqO9W ZZlk7UoVb5j0lmUaDeXOu5Oe1u1LcMEGH4xwwgovzHDDDj8MccQSIxBAxdVUHMC+gkaEMcUZ f2GxASGL/PECI5Nw8gUpT7CyBC2jcisKAGMGw2Uzy3dJyC0/sTMAPafwcwRBNzA0AzubIqMJ NzuxNA2aWLwyxiV33DHJUptctdQ6V+1x1iNrrQDXVpfctdg+cw220TunfTbZbX/M9tVjb33s I9JcZ9yvWq03XLF+Birdqlm6JymFSC46LJwwP2023SQ/fgDbkWf89dWO/0NeucdEkw2125NT PjXcoTvQudqaZ5755JC/LXrdMCZ94JvvmarvjTkuGCWBNcYOjZj/zahpgJlE3TrmnHuuegIn a3386ssjv3rbpBd/tvPQfw59ynJXr3zz3H8ffSmOIGu3j9J6Kv6kYtaOLaHtx8hIlL322XQM
xFsffc/3Jx829c9v3r/s+W+A0wOf5lSXugMaj3/hk9P4aDYnO6mJFoyw3Y9w5z5buA896muR rFyxv9T9z3TdU2AJvzdCrJ1OgPhD4fWqt7bmJZCBlyual3REs3fwLmmZyh2UhNdBC9ZHfbzz 4RB7B4vtYa97clMiE0X3vMaBTYlme9sSsda50P9pL4ZOtOLctHg8MF6xgaLKlpDQ1I1tgek7 wGpjdpY0rDzwilvtaIcae2UsSk2MJPXbox9l9sdAgmFjgiykIQ+JyEQqcpGMbKQjHwnJSIaB kF6gZAUsSRAR9bE29YLMVTCZD1ttsh+h6EIZ/0Iad9WNBfminRVQ+RAh/oEfXIkfu06JDe6w EpaQ4WVDbjStZfWLWdzIUKvKGBw9rAhmzqIgnGITs2G2Z5qIU5wcb1icPB7zQkbC4aN25KoL xUxOifsUcqABykxk8IgwMhQS5Te7eIbKiJw60frK90PZpYmWAupns+gZI0qxCBEZqudj0mS+ WuyQSRMc6D1zSSQPvXH/VzkMYqd8pxqJfgqctFrQMvOEu+JcFIjCu5Q3f2g7IYLqnpIaaT2b tbjdRBAfL5VSgnzZUJfikocbDV42V+qffI4qpyzF0Sp46lCLCrVO+JRXjqRE0nkiLaHxqKmG XleoHq5znjXSY3dkV9FT6VOoq0ToOwdl1CPGKakjPSVTzypVXIK1q57iqTXcaC101fFaHmzm eB7kt+pwaUkTzas1wdUlYf6UWXstVz7RIRq/BseOy1SmMNUBWMzGR2D/IqZZeuqRUboTIS/l SCuPIlrRCqO0GzmtH6WZST6FFraSrK1tb4vb3Op2t7ztrW9/C9zgCne4xC2ucY+L3OQqd7nM /22uc58L3ehKd7rUra51r4vd7Gp3u9ztrne/C97wine82hWAec2LgPMKIAHqZW9703teAMRX Ae+tr3rRa4D7rvcA+t2ve/XL3/dCAL//JbB8+3tgAtvXwAcucHsRTF8DS1jACd7vg+/rAAon OMDzzS+GOfzhCvs3wgsIsYgZvBEFjxjFDYZvgN3r4QZM2MUtjnGNW8xi9OrYwv5lcYFhbOMG 7zjIRGYwhYeM3ySPGMgzLvKKe8zjDE8Yyi+usoqFHGUigxjIN1byR5qsZSfT+MU+FvOWmfzk MldZy2qu8JhvzOYl41jOGo5zm4e85iCD2csy7vB8jUxlOHf5ySXu8P+g4dtmi6g5x4SW8p0h 7GEU4/nMUn6zoGl85QcAmsRw5rOl6xxhMOu50VjW9J9PzeVJvznRnl60oTvi6kJbOtQDJrWb f4zrSuf50iDOtK53HWk6m9jOcpb1pwM9alaf2tPJLvahg+1gZAsY1BqJdY1FXehXc/nZM940 r80M7DwzmwHezjW44xzmbXca2dde76PdPO4rM3rVS26yqMedYmfPedfWLvO9s2xje+t73eEW N7uNHW4NY9vb7061rTMd6xgmWeCcbcw9Se3rfYMEwMFk9sWPjOpQ81rJIbZvx/396mHjetrD Zvm8ET1yKKtY5TAXvuBdDvAf73jmU865nq0tuGCZ+5fn5C260cHb36QrfelMb7rTnw71qEt9 6lSnkrWvjvWzh33rUD+6178O9rA/pQAAOw==

--=====================_88522554==.REL--

Now, doesn't that tell us all a lot about the spam? You'd never know that it was a mortgage spam from that mess, least I wouldn't. And SC parser doesn't enlighten anyone as to the content - could be a drug ring, maybe terrorists (eek), who knows.
And you think it better that the unwashed masses just dump it and go on. Well, in a way you are probably correct. But some of us aren't content to just report the source through SC because, frankly, we're just pissing up a rope, regardless of what you say. 10 kornets a day and go away. Since you have started this biz, /way/ before I did, it has only gotten worse. And you continue to pound the table for ??? Yes, dimwits continue to look and buy. Remember Holden Caulfield? Nothing to be done about that - that is why spam lives.

>>>> What sort of investigation do you do before you open it?

I see a subject asking me if my penis is large enough and have to think about it a minute...

>>>> How are you configured to assure that opening spam does not benefit the spamvertiser more than it does /not/ benefit the spamvertiser.

I don't understand that question. I open a spam on my machine - I have my client set to not allow script execution nor to open any attachments. Furthermore, all spam has already been filtered to a separate folder.

>> If you know a better way to spot a meds list I'm all ears...
>
> If you are going to open your spams, I would inspect the message source before I did that, so that you will know how it is constructed before you open it.

I thought I had been through that.

> You will also have to decide if you are going to open the items offline, since you are presumably going to be rendering any html which is inside. Alternatively, if you are sufficiently skilled at reading or interpreting raw unrendered html, you could do your inspections on the unrendered condition.

I don't understand your concern here - I haven't encountered that problem. My client sanitizes html automatically.

> In addition to opening spams and reading them, you will also have to determine the content of the ultimate website after any redirectors -- because sometimes the apparent content of the spam isn't what the website is all about.
> This issue about the presumed

Don't know why your sentence got cut off here, but I understand your question and that is why I posted in the 1st place - the apparent content didn't look like the source. Beyond that, terms like redirectors lose me...

>
> Or perhaps the better and quicker strategy would be to simply use the
> parser to 'extract' the links and then use a tool, either online or
> console based to GET the website's content and make your judgment as to
> pharm spams.

I think it has been pretty well documented in this group that the "extractor" does a pretty piss poor job (on purpose, of course, since it is only interested in the source - The Holy Grail) with the spamverts. I haven't risen to the level of 'Getting' site contents yet. And, no, I /DO NOT/ visit any links offered (where did you get the idea I was visiting sites??).

Interestingly enough, over in a Netscape group, there is an individual spouting off that he goes to /every/ link in spam so he can find the source and report it and is claiming almost total success. Claims that he gets feedback from kornet and cnc-noc (sp?)

> The stock spams typically don't have a payload website
> associated.

True, but the intent is often buried in alphabet soup, less than others...

>
> I'm not altogether sure that the profit which is provided to the spammer
> by tickling the website is balanced by the debatable 'value' of
> providing the information to the FDA or SEC -- but since I can't prove
> that one way or the other it becomes a personal choice of the particular
> spamfighter.

How am I tickling anyone??

>
> That is, your actions are profiting the spammer. Depending upon how
> you do it, you may also be 'inviting' more spam with webbugs.

Please explain...

> Ostensibly you are gaining some unknown something or other in the
> spamfighting effort by giving stock spams to the SEC and pharm spams to
> the FDA -- but I actually rather doubt that you are succeeding in doing
> anything of consequence there.
Seems like another pile to throw something on, like SC lists, same effect...

>
> So, then what we have left, in the example of the pharm spam, since it
> involves a website hit, is positive benefit to the spammer as a
> combination of whatever webbugs you tickle if you open the spam
> insecurely - plus whatever advertiser profits you give to the spammer by
> either visiting the website or tickling it with a GET function - to be
> somehow counterbalanced by some effect against the spammer by giving the
> spam to the FDA and SEC. I'm concerned that that counterbalance is
> zero -- so the spammer has a net gain as a result of your spamfighting
> efforts which involve opening the spam and/or visiting the website to
> determine what is going on there.

I think you have made a lot of assumptions here and are a little off base. I never mentioned visiting any site, nor using GET (I am aware of the function, but don't know how to use it) so don't know where this is coming from.

>
> Perhaps you would be better off to just send everything blindly to the
> FDA and SEC and not investigate anything. I realize that sounds zany,
> but I think the spammer is winning the investigation battle.
>

Well, yeah, you are spending your time ranting at me about zilch when your knowledge, experience, and wit could be put to better use in the battle against spam. And seeing the effect that SC has had/is having on spam, I would, if I were you, get off the high horse you are kibitzing.

From JG at coks.net Sun Sep 4 00:46:17 2005
From: JG at coks.net (JG)
Date: Sun Sep 4 02:45:02 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 6:27 PM Mike Easter scribbled:
>
> Spamreading is 'generally' bad.
> The vast majority of spam recipients
> need to have their spam 'automagically' put into a junk folder for them
> so that they aren't confronted with spamsubjects and spamfroms in their
> inbox, and they need to be deleting it all unopened, not determining
> what is and isn't spam by reading subjects, froms, and sometimes
> interiors of spams mixed in with their goodmail. The inbox is no place
> for spam to be landing.

Sounds like '1984' or 'Animal Farm', but you have a point...

>
> The world is full of spamwhiners and spamhaters who are also spamreaders
> and spam profitters. Spam reporters are also spamwhiners and spamhaters
> and spamreaders.

Here you have no point...

>
> I can't sit and look over the shoulder of every single spamreader or
> spamreporter to determine for myself whether or how they should be
> handling their spam, except that in general spamreading works to the
> advantage of the spammer.
>

Rash generalization probably unsupported, an educated guess at best, probably true but not admissible,,,

Dave opined, and I wholeheartedly concur:

>> Do you really think the people who buy Viagra or low-rate mortgages
>> advertised in spam are going to come here and ask technical questions
>> about the spam?

Mike demurred

>
> I think there is a tremendous overlap between spamwhiners, spamhaters,
> spamreaders, spamreporters, and spamprofitters. It is very hard to sort
> them out, except that I know that those who delete all of their spam
> unopened because it has been put into a junk folder by an effective
> filter are not profiting spammers. Any variety of spamreader, reporter
> or not, is at least partially suspect because I can't police how they go
> about reading their spam.

There's a sound bite...

From JG at coks.net Sun Sep 4 00:56:02 2005
From: JG at coks.net (JG)
Date: Sun Sep 4 02:55:03 2005
Subject: [SpamCop-List] Re: spam within spam?
In-Reply-To:
References:
Message-ID:

On 9/3/2005 6:45 PM Ant scribbled:
> "JG" wrote:
>
>> Cripe, did that piss you off that much? I was curious of what the
>> intent was. I report too much of this shit to spend that much time
>> analyzing it to death...
>
>
> Don't mind Mike; he froths at the mouth, although not usually this
> sarcastically,

I know he can go off, but this one threw me...

> when someone "reads" a spam by allowing their mail
> agent to "open" it. He has a point in that some mail agents (e.g. OE)
> tend to be insecure when rendering html content. Apart from script or
> other (usually Microsoft) vulnerabilities which can be exploited when
> rendering an email, spams can contain web beacons which signal to the
> spammer that you opened the mail if you are online at the time.

I could google it, but might you supply a link to an explanation of this?

> Also
> if you are "curious" about what's at the other end of a link, you may
> be tempted to click it, thus generating a hit for the spammer and
> possibly infecting your PC with malware if insecurely configured

Tnx, know that.. I hardly think that anyone here is going to be seduced into buying spamvertized crap. Good to know...

>
> To answer your original question; spammers obfuscate to get around
> filters, and try to mislead as to the true source of the mail.

Yes, I know that - the use of ebay /embedded/ was, to me, unique.

> Of course we (ObTinw) say spammers are stupid, and this item, having a
> different plain-text and html part, is an obvious indicator of spam.

Thanks, we knew that from the beginning. What's ObTinw? And thanks, your time is appreciated.

jg (can't say Jeff G.
cuz name taken)

From redford_stone at INVERSE_OF_COLDmail.com Sun Sep 4 09:47:38 2005
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Sun Sep 4 04:50:52 2005
Subject: [SpamCop-List] Re: New bulletproof hosting, uk.geocities
References:
Message-ID:

"Berny" wrote in news:df9k64$mbi$1@news.spamcop.net:
>
> Hoops!!, now for several weeks the jerks at uk.geocities have had their
> thumbs up their bums while they play whack a mole with a 2 day reaction
> time.
>
>

That's about average. However, the particular Geocities spammer stopped spamming since I was being tenacious enough to report EACH and every link.

From MikeE at ster.invalid Sun Sep 4 03:17:02 2005
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Sep 4 05:20:45 2005
Subject: [SpamCop-List] Re: spam within spam?
References:
Message-ID:

JG wrote:
> Subject: Your dreams come true today

I don't see why you felt that you had to paste in a spambody here to show that b64 encoded gif/s [or b64 encoded anything else] need to be b64 decoded and displayed before they can be read. But, even tho' you took up a lot of room posting that here, that posting wasn't as informative about the item as it would have been to post the tracker. In fact, if you had posted the tracker it would have been easier to see what the item was.

> http://www.psarefi.net/?id=3Dp11

Payload site for the gif which sez

Dear Sir/Madam,
You're pre-approved for a $400,000 mortgage with a low fixed rate. Your credit is not a factor! We want you in our business! Please, complete the 45 sec. approval form clicking below.
CLICK HERE TO ACTIVATE YOUR MORTGAGE

The alleged optout link is here http://www.psarefi.net/book.php

> Now, doesn't that tell us all a lot about the spam? You'd never know
> that it was a mortgage spam from that mess, least I wouldn't.
The business of safely and securely opening a spam which contains a gif is a quick way of seeing what the gif sez and what the links are; but I don't recommend insecurely opening and rendering unknown html mails when you don't know what is inside or whether or not you are securely configured. How can I know what some spamreader knows and doesn't know about inspecting spam prior to opening and rendering? Opening a spam or other unknown html mail can do all kinds of bad things to you if you are insecure and exploited.

> And SC parser doesn't enlighten anyone as to the content - could be a
> drug ring, maybe terrorists (eek), who knows.

That is correct, the parser doesn't render a gif for you.

> And you think it better that the unwashed masses just dump it and go
> on.

Yes I believe that the majority of spam recipients need to have their spam separated from their goodmail by a good filter so that it isn't in their inbox and they don't need to open any spam to find out if it is spam or not. At that point they can decide if they want to be a 'passive' antispammer by deleting all of the spam unopened and unread. If they want to take an additional step toward spamfighting and they don't know enough about handling spam securely, then they can feed their spams to the SC parser for reporting. The majority of them should not be opening spams allegedly for determining additional notifies, because their spam opening might be causing more harm than good if they don't know what they are doing. Sometimes you act like you don't know what you are doing.

> Well, in a way you are probably correct. But some of us aren't
> content
> to just report the source through SC because, frankly, we're just
> pissing up a rope, regardless of what you say.

I'm not against people graduating from passively deleting all spams unopened to some variety of advanced spamfighting, but I don't believe that advanced spamfighting starts with opening and rendering spams insecurely or unsafely.
> What sort of investigation do you do before you open it?
>
> I see a subject asking me if my penis is large enough and have to
> think about it a minute...

Ha! But that's not good enough.

>>>>> How are you configured to assure that opening spam does not
>>>>> benefit the spamvertiser more than it does /not/ benefit the
>>>>> spamvertiser.

> I don't understand that question. I open a spam on my machine - I
> have
> my client set to not allow script execution nor to open any
> attachments. Furthermore, all spam has already been filtered to a
> separate folder.

The good news about having the spam prefiltered is that you already know it is spam before you start handling it. The security of not allowing script execution is a plus, but not opening the attachment can interfere with your being able to see the content of a gif, for example.

>>> If you know a better way to spot a meds list I'm all ears...
>>
>> If you are going to open your spams, I would inspect the message
>> source before I did that, so that you will know how it is
>> constructed before you open it.
>
> I thought I had been through that.

And then, if you can safely determine that the item can be opened, sometimes opening it and rendering it is quicker than taking it apart and decoding it 'piecemeal' like I had to do with what you posted here which you should have put a tracker for instead.

>> You will also have to decide if you are going to open the
>> items offline, since you are presumably going to be rendering any
>> html which is inside. Alternatively, if you are sufficiently
>> skilled at reading or interpreting raw unrendered html, you could do
>> your inspections on the unrendered condition.
>
> I don't understand your concern here - I haven't encountered that
> problem. My client sanitizes html automatically.

I think you should be very careful about assuming what 'sanitizes html' really means.
I don't understand exactly what you mean compared to what I find out when I examine a message source of unrendered html.

>> In addition to opening spams and reading them, you will also have to
>> determine the content of the ultimate website after any redirectors
>> -- because sometimes the apparent content of the spam isn't what the
>> website is all about.
>> This issue about the presumed

Oops. I was going to say something about the presumed site not being what it seemed to be from the spam content, but the site was actually about what the html content said.

> Don't know why your sentence got cut off here, but I understand your
> question and that is why I posted in the 1st place - the apparent
> content didn't look like the source. Beyond that, terms like
> redirectors lose me...

A redirector is when the spambody contains a link, and spamcop determines the provider for the link, but the provider for that link isn't the provider for the link where the payload is. In this case for which you provided the tracker, there was a redirector, and the payload was at a different url than the body content, but the provider for the redirector and the payload site were the same, as it was all the same IP.

>> Or perhaps the better and quicker strategy would be to simply use the
>> parser to 'extract' the links and then use a tool, either online or
>> console based to GET the website's content and make your judgment as
>> to pharm spams.
>
> I think it has been pretty well documented in this group that the
> "extractor" does a pretty piss poor job (on purpose, of course, since
> it
> is only interested in the source - The Holy Grail) with the spamverts.
> I haven't risen to the level of 'Getting' site contents yet.

OK. I'm not 'griping' about not evaluating whether or not the spamvertised site is really the payload site.
But, some advanced spamfighters feel a need to check out what is at the site, and not very many like to click on the link and let the spam exercise their browser to take them there.

> And, no, I /DO NOT/ visit any links offered (where did you get the
> idea
> I was visiting sites??).

Because part of the same process which motivates one to open spams for investigation can lead the investigation to the redirectors and then the spamsite's payload. We are discussing the details of advancing the spamfight, which you have chosen to do.

> Interestingly enough, over in a Netscape group, there is an individual
> spouting off that he goes to /every/ link in spam so he can find the
> source and report it and is claiming almost total success. Claims
> that
> he gets feedback from kornet and cnc-noc (sp?)

Different spamfighters have different styles. And tales.

>> The stock spams typically don't have a payload website
>> associated.
>
> True, but the intent is often buried in alphabet soup, less than
> others...
>
>>
>> I'm not altogether sure that the profit which is provided to the
>> spammer by tickling the website is balanced by the debatable 'value'
>> of providing the information to the FDA or SEC -- but since I can't
>> prove that one way or the other it becomes a personal choice of the
>> particular spamfighter.
>
> How am I tickling anyone??

If you aren't visiting the spamvertised site or using a GET function, then you aren't. I didn't know how far you were going with your investigation after you opened the spam.

>> That is, your actions are profiting the spammer. Depending upon how
>> you do it, you may also be 'inviting' more spam with webbugs.
>
> Please explain...

If you don't GET or visit, you aren't tripping the counter at the site in that way.
But if you open a spam online with a webbug, such as calling up a graphic from the website, you can 'telegraph' back to the spamsite that a particular graphic got called which can tell the spamsite that a particular mail got opened.

>> Ostensibly you are gaining some unknown something or other in the
>> spamfighting effort by giving stock spams to the SE