[SpamCop-List] Re: "Replica classic watches" spam.

Mike Easter MikeE at ster.invalid
Tue Feb 14 17:29:14 EST 2006


Geoffrey Hyde wrote:

> And then attempt to bewilder me by going into 'context' and 'real
> source'. When I asked about 'real source' I simply wanted to know if
> it was a known spamgang, not what your reply seemed to think I needed.

Calling a spamvertiser a spam *source* is not accurate.

A 'source' is an IP address as far back as the item can be traced.  The
contents of the spambody /may/ reflect the spamvertiser, an innocent
bystander, or a joejob victim.

Making sloppy assumptions and calling a spamvertiser provider or a
spamvertiser a spamsource is no more accurate than the problem of
failing to know the actual mechanics of how the spam was generated and
who has a contract with whom to do what.

There are all kinds of methodologies afoot by which spamvertisers
contract with 3rd parties to propagate viruses, create proxy trojans,
and marshal the trojans to enable spam generation and injection into
the SMTP stream.

You cannot make assumptions of who is guilty of what.  You can only
define what you see by the evidence in your hand.  The spam you posted
the link for has an IP source and it has a spamvertiser.  The source has
a provider and the spamvertiser has a provider.

> Perhaps you can be bothered to use the CBL stuff - or whatever it is
> you set up on your computer's mailbox(es) to handle spam.  But for the
> relatively small amount I'm getting here, I think it's a bit much to
> expound in great detail, although I thank you for the information.

You might think it is a 'bit much' -- but you are complaining about spam
in your Inbox.  That's not a problem for me.

> As far as this particular spamgang goes, if it keeps coming I think
> I'll have to make a rule for OE to delete right off the server emails
> which have "replica" + "classic" + "watches" in the subject line.
> And before you ask, I know my version of OE has the ability to delete
> emails right off the server.

IMO it is a bad idea to delete anything sight unseen, off the server or
otherwise.  Also, some people make rules for OE to delete from server,
but it actually doesn't happen that way.  You should read a little bit
about deleting from server by OE somewhere like Tom Koch's site

http://www.insideoe.com/tips/rules.htm  Deleting messages without
downloading - Caution should be used when creating rules that delete
messages from the server without downloading them. [...] Also care must
be taken not to create a 'delete' rule based on conditions that require
the message be downloaded in order to test against the rule.

> What would be useful to know is if there's any way to check IP
> addresses of servers listed in headers so that OE could filter on the
> server emails coming from known ROKSO IP addresses

There you go again... confusing the IP of spamsources with ROKSO
spamvertisers.

>- I'd think not,
> as technically, one has to download header info first.  But if
> someone knows differently, please inform me as to how to do it.

OE has no capacity to look into the most valuable information in the
headerlines which include the most useful information of all, namely the
IPs in the Received tracelines.

For that you need a real spam filter.

I wouldn't even bother making any kind of rules for OE other than those
of whitelisting my friends and wanted mailing lists and putting
everything else in Junk if you can do that.  Or, alternatively you can
use OE's rules to slightly lessen your spam by sending the items not
addressed to you or whitelisted into Junk.

Those are very weak rules.  Other real filters like SpamPal can do a lot
more.

-- 
Mike Easter
kibitzer, not SC admin
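
The tracing described in the message above, as an added example that is not
part of the original post: it walks the Received tracelines newest first,
stops at the first connecting IP that is not one of the recipient's own
relays, and builds the name a filter would look up in a DNS blocklist. The
sample headers, the trusted relay address and the zone "dnsbl.example" are
constructed placeholders, and the bracketed-IP pattern is a simplification
of real Received formats.

```python
import email
import ipaddress
import re

# Constructed sample headers (documentation addresses, not a real spam).
SAMPLE = """\
Received: from mail.isp.example (mail.isp.example [192.0.2.10])
\tby mx.myhost.example with ESMTP id abc123; Tue, 14 Feb 2006 17:00:02 -0500
Received: from unknown (HELO watches.example) ([203.0.113.77])
\tby mail.isp.example with SMTP; Tue, 14 Feb 2006 17:00:01 -0500
Received: from bank.example ([198.51.100.5])
\tby watches.example with SMTP; Tue, 14 Feb 2006 16:59:00 -0500
From: "Watches" <sales@watches.example>
Subject: Replica classic watches

body
"""

# Bracketed IPv4 literal as most MTAs record the connecting peer (simplified).
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_source(raw_message, trusted_relays):
    """Return the first connecting IP, newest Received line first, that is
    not one of our own relays. Lines below it were supplied by the sender
    and may be forged, so they are never examined."""
    nets = [ipaddress.ip_network(n) for n in trusted_relays]
    msg = email.message_from_string(raw_message)
    for line in msg.get_all("Received", []):
        match = IP_RE.search(line)
        if not match:
            continue  # e.g. a local hand-off with no peer address
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # malformed literal such as [999.1.1.1]
        if any(addr in net for net in nets):
            continue  # line records one of our relays, keep walking back
        return str(addr)
    return None


def dnsbl_query_name(ip, zone):
    """Build the DNS name a filter looks up: reversed octets + list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


if __name__ == "__main__":
    src = trace_source(SAMPLE, ["192.0.2.10/32"])
    print(src, dnsbl_query_name(src, "dnsbl.example"))
```

The third Received line in the sample is never consulted: it sits below the
first untrusted hop, so its claimed origin carries no evidential weight.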
