From DougThegarden at invalid.com Sun Jan 1 11:23:04 2006
From: DougThegarden at invalid.com (Doug Thegarden)
Date: Sun Jan 1 06:25:06 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
In-Reply-To:
References:
Message-ID:

MikeV06 wrote:
> I am thinking about using Thunderbird for email. I know OL has a problem
> with headers and just wondered if Thunderbird works OK when forwarding spam
> to SC?
>

Works for me. And TB is at least standards compliant which Doubtlook isn't.

Doug

From n4jwyfo02 at sneakemail.com Sun Jan 1 13:46:55 2006
From: n4jwyfo02 at sneakemail.com (Aviatrix)
Date: Sun Jan 1 08:50:03 2006
Subject: [SpamCop-List] Re: Spamcop causing problems
In-Reply-To:
References:
Message-ID:

Vanguard wrote:

(Lots of good stuff snipped, for brevity)

> If your father is unwilling to learn how his spam filtering works
> (blacklists, bayesian filters, greylisting, whatever) and to configure
> it the way he wants then get him to stop using those spam filters.

The OP's father may not actually have that option.

The OP is based in the UK. I presume his father is, too.

I know of several UK ISPs that force their own spam filters onto their
customers - i.e., the ISP uses blocklists to bounce or discard mail, and
the mail never reaches the customer's POP3 mailbox. These ISPs do not
give customers the choice of opting out of the spam filtering.

The OP's father may need to change ISPs, or switch to a non-ISP mail
account (Hotmail, Gmail, Yahoo, whatever)

A.

From nobody at nowhere.invalid Sun Jan 1 15:14:02 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Jan 1 09:15:03 2006
Subject: [SpamCop-List] Re: vCard
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID:

On Sat, 31 Dec 2005 19:17:44 -0800, Mike Easter coughed into spamcop and
left this in :

> lock-ups that have required me to kill the firefox.exe process. And I've
> even been forced to reboot Windows XP a few times.//

That might explain it. I'm not using the Windows version of Firefox. I've
found nothing untoward to report about the *Linux* version.

-- 
Steve
The average nutritional value of promises is roughly zero.

From me at privacy.net Sun Jan 1 09:30:02 2006
From: me at privacy.net (MikeV06)
Date: Sun Jan 1 10:35:03 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

On Sun, 01 Jan 2006 11:23:04 +0000, Doug Thegarden wrote:

> MikeV06 wrote:
>> I am thinking about using Thunderbird for email. I know OL has a problem
>> with headers and just wondered if Thunderbird works OK when forwarding spam
>> to SC?
>>
>
> Works for me. And TB is at least standards compliant which Doubtlook isn't.
>
> Doug

Thank you, that is what I needed to know. Doing a Ctrl-U, etc. routine is
not what I had in mind.

From ng at bgdsv.co.uk Sun Jan 1 15:49:12 2006
From: ng at bgdsv.co.uk (Brian Gregory [UK])
Date: Sun Jan 1 10:50:02 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

"MikeV06" wrote in message
news:tnwu7e83bzy.dlg@mycomputer06.invalid.com...
>I am thinking about using Thunderbird for email. I know OL has a problem
> with headers and just wondered if Thunderbird works OK when forwarding
> spam
> to SC?

In Outlook Express "Forward As Attachment" is the best way to forward some
messages (you can do several at the same time) to SPAMCOP. Doesn't Outlook
have this too? (It's on the "Message" menu in OE).

-- 

Brian Gregory. (In the UK)
ng@bgdsv.co.uk
To email me remove the letter vee.

From nobody at devnull.spamcop.net Sun Jan 1 09:57:26 2006
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Jan 1 11:00:02 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

"MikeV06" wrote in message
news:tnwu7e83bzy.dlg@mycomputer06.invalid.com...
> I am thinking about using Thunderbird for email. I know OL has a problem
> with headers and just wondered if Thunderbird works OK when forwarding spam
> to SC?

How to use Thunderbird to report multiple emails, One user's step by step
example
http://forum.spamcop.net/forums/index.php?showtopic=5307

From nobody at devnull.spamcop.net Sun Jan 1 10:05:33 2006
From: nobody at devnull.spamcop.net (WazoO)
Date: Sun Jan 1 11:10:03 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

"Mike Easter" wrote in message news:dp7eb3$4ou$1@news.spamcop.net...
> MikeV06 wrote:
> > I am thinking about using Thunderbird for email. I know OL has a
> > problem with headers and just wondered if Thunderbird works OK when
> > forwarding spam to SC?
>
> It looks to me like SC's faq is in serious need of updating....

You think so? (Me thinking of the dozens and dozens of previous threads
about something to do with a SpamCop FAQ, the tons of my e-mail archives
on my attempts at getting some things added, changed, updated, deleted,
etc.)

> I guess everyone who could do some updating is obsessed with the web
> interface.

???? not sure what the "web interface" thing is. The last "go round" on
the www.spamcop.net web page(s) dealt with information on the reporting
system outages.

> Somehow the web interface is immediately amenable to updating but the
> webfaq is somehow impenetrable. Funny how that works.

R.W. states that changes on the "official" FAQ now need to be walked
through a corporate maze, to include legal ... so it mostly doesn't happen.

> I think the solution to the whole thing is one of who is responsible. I
> think the webfaq needs a 'signature' which sez --- "I am responsible for
> keeping the webfaq up-to-date" -- Signed, XXX
>
> Once you have to show your 'face' about being responsible for something,
> then everything starts getting better.

Julian started it, Dollface was involved, R.W. picked it up, IronPort
staff got involved ..... see above for "who's involved" these days.

From nobody at nowhere.invalid Sun Jan 1 18:01:44 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Jan 1 12:05:03 2006
Subject: [SpamCop-List] Re: Thunderbird OK with Headers
References:
Message-ID:

On Sun, 1 Jan 2006 15:49:12 -0000, Brian Gregory [UK] coughed into spamcop
and left this in :

> In Outlook Express "Forward As Attachment" is the best way to forward some
> messages (you can do several at the same time) to SPAMCOP. Doesn't Outlook
> have this too? (It's on the "Message" menu in OE).

No. Outlook doesn't store e-mail as it came down the pipe. It breaks it up
and messes around with it in order for it to conform with its own storage
system, and is unable thereafter to reassemble the mail as it was received
originally. Outlook is not designed primarily as a mail client in the
sense that we (tinw) understand it, but as an Exchange client.

-- 
Steve
The box said: "Requires Windows 98/2000/XP/NT, or better."
So, I installed LINUX!

From vanguard.code at comcastNIX.net Sun Jan 1 12:29:13 2006
From: vanguard.code at comcastNIX.net (Vanguard)
Date: Sun Jan 1 13:30:03 2006
Subject: [SpamCop-List] Re: Spamcop causing problems
References:
Message-ID:

"Aviatrix" wrote in message news:dp8mgf$nav$1@news.spamcop.net...
> Vanguard wrote:
>
> (Lots of good stuff snipped, for brevity)
>
>
>> If your father is unwilling to learn how his spam filtering works
>> (blacklists, bayesian filters, greylisting, whatever) and to configure
>> it the way he wants then get him to stop using those spam filters.
>
> The OP's father may not actually have that option.

If the father is running a local anti-spam filter, it is entirely their
choice whether they run it or not and how to configure it. If it is a
server-side filter provided by the e-mail service, the father can disable
that option.
If the e-mail provider does not permit the user to disable spam
filtering, that e-mail provider is rude and violating the user's rights
(but then the user agreed to that provider's contract which the user
should read).

> The OP is based in the UK. I presume his father is, too.
>
> I know of several UK ISPs that force their own spam filters onto their
> customers - i.e., the ISP uses blocklists to bounce or discard mail, and
> the mail never reaches the customer's POP3 mailbox. These ISPs do not
> give customers the choice of opting out of the spam filtering.

And they don't also provide whitelisting? No matter what spam filter
solution I have used or trialed, whitelisting was always a requirement to
eliminate false positives.

> The OP's father may need to change ISPs, or switch to a non-ISP mail
> account (Hotmail, Gmail, Yahoo, whatever)

Could be. Sounds like the ISP is an idiot dictator.

-- 
_______________________________________________________
** Post replies to the newsgroup. Share with others.
** For e-mail, remove "NIX" and append "#VC811" to Subject.
_______________________________________________________

From jg at coks.net Sun Jan 1 10:37:29 2006
From: jg at coks.net (jg)
Date: Sun Jan 1 13:40:03 2006
Subject: [SpamCop-List] Re: vCard
In-Reply-To:
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID:

On 12/31/2005 7:17 PM Mike Easter scribbled:

> jg wrote:
>
>>Mike Easter
>
>
>>>I don't know whether it should be mentioned or not, but Scott Finney
>>>who has a popular newsletter and is a powerful FireFox supporter,
>>>suggests holding off on 1.5 in favor of earlier versions.
>>>
>>>I don't have the ref handy; I'll check on that.
>>>
>>
>>There are no problems w/ 1.5 at all
>
>
> None according to the FF developers; but here's what SF sez:
>
> http://www.scotsnewsletter.com/75.htm#ff15
>
> // I recommend holding off, at least temporarily, on installing Firefox
> 1.5.-- somewhere early in the Release Candidates I began to encounter
> problems. And I'm beginning to learn that I might not be alone in that.
> The issues people are reporting to me are highly varied --I've
> personally seen 100% CPU spikes while Firefox is laboring at something --
> A memory leak is an errant programmatic process that over time may
> gradually eat away at system resources. In worst-case scenarios, a
> memory leak may cause an application to become unstable. -- That may not
> be the case. I am, though, hearing sufficient reports about trouble to
> be cautious. -- In most cases the Firefox freeze-ups unstick themselves
> after a couple of minutes. But I have also experienced permanent
> lock-ups that have required me to kill the firefox.exe process. And I've
> even been forced to reboot Windows XP a few times.//
>

I've not had any problems vis a vis crashes or reboots. The memory leaks
have been discussed for some time now and it doesn't happen to everyone.
You can look at http://kb.mozillazine.org/Memory_Leak to see how it is
being addressed - I rather like the idea that open source s/w is able to
discuss problems and work on fixes faster than today's commercial
packages.

From MikeE at ster.invalid Sun Jan 1 10:45:45 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 13:50:02 2006
Subject: [SpamCop-List] Re: vCard
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID:

jg wrote:
> Mike Easter scribbled:

>>>> holding off on 1.5 in favor of earlier
>>>> versions.

> You can look at http://kb.mozillazine.org/Memory_Leak to see how it is
> being addressed

I saw that when I was checking out the 'debates' between those who luv
opera vs those who luv FF. There's actually quite a lot of that.

I don't know that that section on how to reduce memory usage addresses
the issue of a /leak/. It doesn't sound like the developers agree that
there's a leak even tho' they used the word.

>- I rather like the idea that open source s/w is able
> to discuss problems and work on fixes faster than today's commercial
> packages.

Especially if/when they can get it hammered out and solved.

-- 
Mike Easter
kibitzer, not SC admin

From jg at coks.net Sun Jan 1 11:25:36 2006
From: jg at coks.net (jg)
Date: Sun Jan 1 14:25:02 2006
Subject: [SpamCop-List] Re: vCard
In-Reply-To:
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID:

On 1/1/2006 10:45 AM Mike Easter scribbled:

> I don't know that that section on how to reduce memory usage addresses
> the issue of a /leak/. It doesn't sound like the developers agree that
> there's a leak even tho' they used the word.

This has confused me at times - I /think/ "they" use leak and usage
interchangeably. An exacting person such as yourself may take issue and
have a valid point - dunno.

In an ongoing thread over @ FF ng, there is talk of dlls not unloading at
some point, implying it may be a Win problem with a reg hack to fix it.
I've not had the problem - and I am memory deprived....

From mwnospam at comcast.net Sun Jan 1 14:44:07 2006
From: mwnospam at comcast.net (spamacyde)
Date: Sun Jan 1 14:45:02 2006
Subject: [SpamCop-List] Bogus Spamvertised Web Links
Message-ID:

Is it possible for a spammer to provide a link that involves the IP address
of a legitimate web site if they want to mess with the spam recipient or
host of that web site?

If the answer to the question above is yes, when spamcop deobfuscates links
in a spam message, does it make an attempt to verify whether the links
point to a "bad" website as opposed to a "good" one?

If the answer to the second question is no, what do I need to do to protect
myself when clicking on a link to verify that it goes to a "bad" site ie one
that is trying to sell me potions as opposed to Fred's blog about pine trees
or no site at all?

Thanks.

From jg at coks.net Sun Jan 1 12:00:09 2006
From: jg at coks.net (jg)
Date: Sun Jan 1 15:00:02 2006
Subject: [SpamCop-List] Re: Bogus Spamvertised Web Links
In-Reply-To:
References:
Message-ID:

On 1/1/2006 11:44 AM spamacyde scribbled:

> Is it possible for a spammer to provide a link that involves the IP address
> of a legitimate web site if they want to mess with the spam recipient or
> host of that web site?

Isn't that a form of joejobbing - in which case, the answer to your
question is yes?

>
> If the answer to the question above is yes, when spamcop deobfuscates links
> in a spam message, does it make an attempt to verify whether the links
> point to a "bad" website as opposed to a "good" one?

I'm not really qualified to give a definitive answer, but it would seem to
be asking SC to do quite a bit more than it is set up for - how would it
tell "good site" from "a bad site"?

>
> If the answer to the second question is no, what do I need to do to protect
> myself when clicking on a link to verify that it goes to a "bad" site ie one
> that is trying to sell me potions as opposed to Fred's blog about pine trees
> or no site at all?

Use a secure browser and disallow script execution, s/w
downloading/installation, etc. Others here will advise to not click the
link at all if you are not sure of it, which is good advice...

>
> Thanks.
>
>

From jg at coks.net Sun Jan 1 12:10:59 2006
From: jg at coks.net (jg)
Date: Sun Jan 1 15:10:02 2006
Subject: [SpamCop-List] SC problems...
Message-ID:

http://www.spamcop.net/sc?id=z850400310zcea8c542a83d8c72633414f203e9810az

Aside, the comcor spam vert seems to have changed his med format for the
new year.

Lately, just about every other parse has to be resubmitted to get link
resolution (1st parse just ignores link(s)). This comcor spammer, who
seems to be on some kind of month long roll, at least through cox.net,
seems to give SC harder time than others. Is there a reason for this? And
am I wasting my time in canceling and resubmitting? It doesn't seem to be
having much effect anyway...

From Nobody at Spamcop.net.dev.null Sun Jan 1 15:15:01 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Sun Jan 1 16:20:03 2006
Subject: [SpamCop-List] Re: vCard (was: Malformed Spamlink or New Type?)
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null>
Message-ID: <43B84655.E8A46AEC@Spamcop.net.dev.null>

Steven Maesslein wrote:
>
> On Sat, 31 Dec 2005 15:49:36 -0600, Michael Brennan coughed into spamcop
> and left this in <43B6FCF0.8E6902E6@Spamcop.net.dev.null>:
>
> > last summer I looked at FlashPeak SlimBrowser
> > before discarding it and loading Firefox.
>
> There have been two updates of Firefox (one major) since 1.0.6.
>
> 1.5 is no longer beta, it was released - last month I think. I've been
> using it for a while and it seems to run well.
>

My OS is Win 98. I think I'm not supported beyond FF 1.0.4, but I
installed 1.0.6 anyway when I got the constant nags (the nags continue) to
see if it would run, keeping the 1.0.4. instal.exe file handy on media.
So far, it runs okay, but I'm a bit resource-challenged at only 160 megs
of RAM and a 300-MHz P-II MMX CPU. FF is a little slow out of the gate on
boot, and the pages load fairly leisurely, but that may be my 26.4K
(nailed-up) dialup connection.

I don't plan to install any later versions of FF.

Michael

From n4jwyfo02 at sneakemail.com Sun Jan 1 21:24:00 2006
From: n4jwyfo02 at sneakemail.com (Aviatrix)
Date: Sun Jan 1 16:25:03 2006
Subject: [SpamCop-List] Re: Spamcop causing problems
In-Reply-To:
References:
Message-ID:

Vanguard wrote:

> And they don't also provide whitelisting? No matter what spam filter
> solution I have used or trialed, whitelisting was always a requirement
> to eliminate false positives.

No - some of them don't. They just have one central spam filter for all
their customers, and that's what customers are stuck with.

Sadly we haven't heard from the OP since his original post. If he were to
come back here and tell us who his father's ISP is and how his mail is
routed (direct, or via a forwarding address) then I guess one of us here
in the UK might be able to give him some more advice. I know the UK ISP
market reasonably well, and I'm probably not the only one here who does.

From Nobody at Spamcop.net.dev.null Sun Jan 1 15:28:15 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Sun Jan 1 16:30:03 2006
Subject: [SpamCop-List] Parava Networks, UUNet, and MCI
Message-ID: <43B8496F.1AB4B562@Spamcop.net.dev.null>

Concerning this spamitem,

http://www.spamcop.net/sc?id=z850378097z3a8f2a43d12712623d31e50a5f21a7eez

I dug a little and found that the spamlink is hosted by Parava.net,
which in turn appears to be part of UUNet Technologies and MCI.

Can someone elucidate the relationship among Parava Networks, UUNet
Technologies, and MCI?

Side Issue: In my "additional remarks" section of my submitted report, I
retrieved as much info from SamSpade.org on the spamlink as I could, but I
don't see the comments when I pull up the report from SpamCop's server
using the tracking URL link. What happens to those comments? Where do
they go?

Chasing down who Parava is, which appears to be the end of the line
(error msgs etc.)
when chasing many spamlinks, I was able to pull up this page from
SamSpade:

Server Used: [ whois.arin.net ]
65.210.194.2 = [ host2.parava.net ]

OrgName: UUNET Technologies Inc.
OrgID: UU
Address: 22001 Loudoun County Parkway
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US

NetRange: 65.192.0.0 - 65.223.255.255
CIDR: 65.192.0.0/11
NetName: UUNET65
NetHandle: NET-65-192-0-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH03.NS.UU.NET
NameServer: AUTH00.NS.UU.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2000-10-27
Updated: 2002-02-13

RTechHandle: OA12-ARIN
RTechName: UUnet Technologies Inc. Technologies
RTechPhone: 1-800-900-0241
RTechEmail: help4u@mci.com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: 1-800-900-0241
OrgAbuseEmail: abuse-mail@mci.com

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies Inc. Technologies
OrgNOCPhone: 1-800-900-0241
OrgNOCEmail: help4u@mci.com

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: 1-800-900-0241
OrgTechEmail: swipper@mci.com

CustName: Parava Networks
Address: 6009 Richmond Avenue
City: Houston
StateProv: TX
PostalCode: 77057
Country: US
RegDate: 2001-09-20
Updated: 2003-05-30

NetRange: 65.210.194.0 - 65.210.194.63
CIDR: 65.210.194.0/26
NetName: UU-65-210-194
NetHandle: NET-65-210-194-0-1
Parent: NET-65-192-0-0-1
NetType: Reassigned
Comment:
RegDate: 2001-09-20
Updated: 2003-05-30

RTechHandle: OA12-ARIN
RTechName: UUnet Technologies Inc. Technologies
RTechPhone: 1-800-900-0241
RTechEmail: help4u@mci.com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: 1-800-900-0241
OrgAbuseEmail: abuse-mail@mci.com

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies Inc. Technologies
OrgNOCPhone: 1-800-900-0241
OrgNOCEmail: help4u@mci.com

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: 1-800-900-0241
OrgTechEmail: swipper@mci.com

ARIN WHOIS database last updated 2005-12-31 19:10

Any comments on these players?
I have seen it said several times on this newsgroup and others that UUNet
and MCI are black hats. Parava Networks certainly seems to be.

Michael

From MikeE at ster.invalid Sun Jan 1 13:35:49 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 16:40:03 2006
Subject: [SpamCop-List] Re: Bogus Spamvertised Web Links
References:
Message-ID:

spamacyde wrote:
> Is it possible for a spammer to provide a link that involves the IP
> address of a legitimate web site if they want to mess with the spam
> recipient or host of that web site?

Innocent bystander IB links are frequently included in spambodies. A SC
reporter is supposed to uncheck any IBs which SC doesn't know should be
considered an IB and there is a faq on that

http://www.spamcop.net/fom-serve/cache/126.html How should I select the
recipients for my spam report?
// Spammers will often include innocent parties' addresses in spam in an
effort to confuse and discredit. [...] These are "innocent bystanders" and
should not be reported as spammers. Make sure these boxes are unchecked if
you are not fairly sure the address in question is being used by the
spammer. //

> If the answer to the question above is yes, when spamcop deobfuscates
> links in a spam message, does it make an attempt to verify whether
> the links point to a "bad" website as opposed to a "good" one?

Yes and No -- if a URL is /known/ to be an IB or there are other causes of
a URL to not lead to a SC notify which has been entered into the db.

But, SC doesn't otherwise have some kind of 'artificial intelligence'
which it uses to 'derive' that a found URL is an IB vs a payload URL. It
is dependent upon human deputy admins to enter db information or on SC
reporters to determine IBness.

> If the answer to the second question is no, what do I need to do to
> protect myself when clicking on a link to verify that it goes to a
> "bad" site ie one that is trying to sell me potions as opposed to
> Fred's blog about pine trees or no site at all?

If it is your intention to notify about a body's spamvertised site and you
can't tell from the context of the unrendered spam, the next step in the
process of evaluating a spam is to carefully render it after you have
determined what security precautions you should take before doing so.
Some would call that 'opening' the spam, securely.

If you have rendered the content of the spambody and you still can't tell
the IB from the spamvertiser, you can find one of several ways to
determine what is at the URL payload site or any redirection or frame
handling from/at the payload site. You can do that using a GET function
from a console, or you can do that with a websniffer site, or you can do
that with a browser which has been properly secured.

One would hope that that entire process doesn't profit the spammer more
than it hurts hir. If you are going to all of that trouble just to notify
a blackhat provider who is going to be handing over the report evidence to
the spammer and not taking some action against the spammer, then you are
wasting your time and you might be aiding the spamvertiser with ad profit
and whatever advantage may be gained by getting the evidence of your
report.

Some spams could do without reporting of the spamvertiser to the SC
derived notify. I am of the opinion that it should be the option of the
reporter whether or not the website should be reported to the SC derived
website provider -- in addition to putting the spamvertised site on the
statistics page and/or submitted to the sc-surbl.

-- 
Mike Easter
kibitzer, not SC admin

From Nobody at Spamcop.net.dev.null Sun Jan 1 15:47:14 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Sun Jan 1 16:50:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null>
Message-ID: <43B84DE2.3F6502E0@Spamcop.net.dev.null>

Michael Brennan wrote:
>
> Concerning this spamitem,
>
> http://www.spamcop.net/sc?id=z850378097z3a8f2a43d12712623d31e50a5f21a7eez
>

Furthermore, I chased another spamlink in a sex-drug spamitem

http://www.spamcop.net/sc?id=z850377854zf2a6f13007e35fefd66b4a5d5c29399bz

and got another "creepylink" that traced back to another group
similarly structured around UUNet and MCI:

(from the "add'l comments" section)

Server Used: [ whois.crsnic.net ]
http://creepy.extra-prevent.com/ = [ 221.7.209.67 ]

!!! whois.itsyourdomain.com failed to respond ***
displaying Referrer's Records (whois.crsnic.net):

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

Domain Name: EXTRA-PREVENT.COM
Registrar: INNERWISE INC. D/B/A ITSYOURDOMAIN.COM
Whois Server: whois.itsyourdomain.com
Referral URL: http://www.itsyourdomain.com
Name Server: NS1.NAMECOP.NET
Name Server: NS2.NAMECOP.NET
Name Server: NS6.NAMECOP.NET
Status: REGISTRAR-LOCK
Updated Date: 30-dec-2005
Creation Date: 11-dec-2005
Expiration Date: 11-dec-2006

>>> Last update of whois database: Sun 1 Jan 2006 02:31:08 EST <<<

Further lookup on itsyourdomain.com shows following msg:

Server Used: [ whois.crsnic.net ]
ITSYOURDOMAIN.COM = [ 63.85.86.16 ]

!!! whois.itsyourdomain.com failed to respond ***

Lookup of the IP [ 63.85.86.16 ] gives info:

Server Used: [ whois.arin.net ]
63.85.86.16 = [ www.itsyourdomain.com ]

OrgName: UUNET Technologies Inc.
OrgID: UU
Address: 22001 Loudoun County Parkway
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US

NetRange: 63.64.0.0 - 63.127.255.255
CIDR: 63.64.0.0/10
NetName: UUNET63
NetHandle: NET-63-64-0-0-1
Parent: NET-63-0-0-0-0
NetType: Direct Allocation
NameServer: AUTH03.NS.UU.NET
NameServer: AUTH00.NS.UU.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 1999-01-22
Updated: 2003-01-23

RTechHandle: OA12-ARIN
RTechName: UUnet Technologies Inc. Technologies
RTechPhone: 1-800-900-0241
RTechEmail: help4u@mci.com

OrgAbuseHandle: ABUSE3-ARIN
OrgAbuseName: abuse
OrgAbusePhone: 1-800-900-0241
OrgAbuseEmail: abuse-mail@mci.com

OrgNOCHandle: OA12-ARIN
OrgNOCName: UUnet Technologies Inc. Technologies
OrgNOCPhone: 1-800-900-0241
OrgNOCEmail: help4u@mci.com

OrgTechHandle: SWIPP-ARIN
OrgTechName: swipper
OrgTechPhone: 1-800-900-0241
OrgTechEmail: swipper@mci.com

OrgName: Innerwise Inc.
OrgID: INER
Address: 1005 W. Wise Road
City: Schaumburg
StateProv: IL
PostalCode: 60193
Country: US

NetRange: 63.85.86.0 - 63.85.86.255
CIDR: 63.85.86.0/24
NetName: UU-63-85-86
NetHandle: NET-63-85-86-0-1
Parent: NET-63-64-0-0-1
NetType: Reallocated
Comment:
RegDate: 2000-08-23
Updated: 2000-08-23

RTechHandle: TC553-ARIN
RTechName: Cucci Ted
RTechPhone: 1-847-895-3989
RTechEmail: tcucci@innerwise.com

ARIN WHOIS database last updated 2005-12-31 19:10

Regards,

Michael

From MikeE at ster.invalid Sun Jan 1 13:53:50 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 16:55:02 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Concerning this spamitem,
> www.spamcop.net/sc?id=z850378097z3a8f2a43d12712623d31e50a5f21a7eez

There seems to be some confusion here.
That tracker is about this spamvertiser
http://catastrophic.extra-clinic.com

dns catastrophic.extra-clinic.com
Canonical name: extra-clinic.com
Aliases:
  catastrophic.extra-clinic.com
Addresses:
  61.234.235.12 = CRTC
  221.7.209.67 = CNC-GL

inetnum: 61.232.0.0 - 61.237.255.255
netname: CRTC
country: CN
descr: CHINA RAILWAY TELECOMMUNICATIONS CENTER

inetnum: 221.7.209.0 - 221.7.209.255
netname: CNC-GL-INTER-3
country: CN
descr: CNC Guilin INternet network

> I dug a little and found that the spamlink is hosted by Parava.net,
> which in turn appears to be part of UUNet Technologies and MCI.

Subject: Parava Networks, UUNet, and MCI

> Can someone elucidate the relationship among Parava Networks, UUNet
> Technologies, and MCI?

There's nothing in this tracker about that; and the tracker shows the
reports would be going to the .cn provider

Re: http://catastrophic.extra-clinic.com (Administrator of network hosting
website referenced in spam)
postmaster@chinatietong.com
crnet_mgr@chinatietong.com
crnet_tec@chinatietong.com

> 65.210.194.2 = [ host2.parava.net ]

As a separate issue, we could talk about 65.210.194.2 rDNS
host2.parava.net -- which must have been in some other spam. Here is its
structure:

whois -h whois.arin.net 65.210.194.2 ...
UUNET Technologies, Inc. 65.192.0.0 - 65.223.255.255
OrgAbuseEmail: abuse-mail@mci.com
Parava Networks 65.210.194.0 - 65.210.194.63
OrgAbuseEmail: abuse-mail@mci.com

You can also do an abuse.net reg'd notifies on the rDNS

whois -h whois.abuse.net host2.parava.net ...
abuse@mci.com valdes@parava.net postmaster@parava.net (for parava.net)

You can also consider the responsiveness of the IP address to see how it
is blocklisted, where we find it to be spews listed, but spews is down
right now, so I can't tell /why/ or how its spews listing came to be.
However, a spews listing is always a good reason to consider notifying an
upstream adjacency or a parent.
We would consider the uunet relationship to be the parent and also to be
the ASN = UUNET - AS 701

So, everything points to notifying the mci addresses, abuse-mail and abuse
at uunet in addition to the parava notifies.

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Jan 1 14:05:41 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 17:10:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:

www.spamcop.net/sc?id=z850377854zf2a6f13007e35fefd66b4a5d5c29399bz
>
> and got another "creepylink" that traced back to another group
> similarly structured around UUNet and MCI:

This is another example of something which has nothing to do with
uunet/mci according to my resolving and SC's resolving

http://creepy.extra-prevent.com/ = 221.7.209.67

Resolving link obfuscation
http://creepy.extra-prevent.com/
Host creepy.extra-prevent.com (checking ip) = 221.7.209.67

.... where 221.7.209.67 is a .cn, not a uunet/mci

Re: http://creepy.extra-prevent.com/ (Administrator of network hosting
website referenced in spam)
glxk@gxcc.com.cn

inetnum: 221.7.209.0 - 221.7.209.255
netname: CNC-GL-INTER-3
descr: CNC Guilin INternet network
admin-c: XK43-AP = glxk@gxcc.com.cn
tech-c: XK43-AP

-- 
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Jan 1 14:10:10 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 17:15:04 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:

> Domain Name: EXTRA-PREVENT.COM
> Registrar: INNERWISE INC. D/B/A ITSYOURDOMAIN.COM

itsyourdomain is the domainname registrar for the spamvertised site.
Doing a DNS on the domainname registrar is not productive

> ITSYOURDOMAIN.COM = [ 63.85.86.16 ]

Finding the provider for the domainname registrar's IP is also not productive

whois -h whois.arin.net 63.85.86.16
...
UUNET Technologies, Inc. 63.64.0.0 - 63.127.255.255
Innerwise Inc. 63.85.86.0 - 63.85.86.255

Don't go down that road.

--
Mike Easter
kibitzer, not SC admin

From usa at yourface.com Sun Jan 1 17:46:00 2006
From: usa at yourface.com (GuitarMan)
Date: Sun Jan 1 17:50:04 2006
Subject: [SpamCop-List] Anyway to get this reported?
Message-ID:

I paste the following into the submission window and then press the Process Spam button and get the following error:

SpamCop v 1.514 Copyright (C) 1998-2005, IronPort Systems, Inc. All rights reserved.
Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=blahblahblah (hidden on purpose)

No source IP address found, cannot proceed.
Add/edit your mailhost configuration
Finding full email headers
Submitting spam via email (may work better)
Example: What spam headers should look like

Nothing to do.

Here is what is pasted to submit:

Path: nwrdny02.gnilink.net!cycny02.gnilink.net!gnilink.net!cycny01.gnilink.net!hwmnpeer01.lga!hwmedia!hw-filter.lga!fe13.lga.POSTED!2ce0aac1!not-for-mail
From: "Proudtobehonest@GOODEALERS.COM"
Subject: ZzZzZzZ TURN $5 INTO $15,000 IN ONLY 30 DAYS!READ IT!!$F
Newsgroups: 24hoursupport.helpdesk
Sender: "Proudtobehonest@GOODEALERS.COM"
Organization: Proudtobehonest@GOODEALERS.COM
X-Priority: 3
X-Library: Indy 9.00.10
Lines: 278
Message-ID:
X-Complaints-To: abuse@100ProofNews.com
NNTP-Posting-Date: Sun, 01 Jan 2006 14:57:36 MST
Date: Mon, 2 Jan 2006 23:02:20 +0100
Xref: news.verizon.net 24hoursupport.helpdesk:892861
X-Received-Date: Sun, 01 Jan 2006 16:57:35 EST (nwrdny02.gnilink.net)

PAYPAL MAGIC!!! TURN $5 INTO $15,000 IN ONLY 30 DAYS...HERES HOW!

This is a Money Scheme and Not, I repeat... This is Not a Scam!!!
You have most likely seen or heard about this project on TV programs such as 20/20 and Oprah, or you may have read about it in the Wall Street Journal. If not, here it is below - revealed to you in step-by-step detail. This program is by no means new. It has been in existence in many forms for at least a decade. But in the early days, it required a lot more time and effort, as well as an investment of a few hundred dollars. However thanks to PayPal and the Internet, the investment is now virtually ZERO! And what's more, the entire process is FASTER, EASIER, and MORE LUCRATIVE than it has EVER been! Below is the email sent to me: How to Turn $5 into $15,000 in 30 Days with PayPal I WAS SHOCKED WHEN I SAW HOW MUCH MONEY CAME FLOODING INTO MY PAYPAL ACCOUNT I turned $5 into $14,706 within the first 30 days of operating the business plan that I am about to reveal to you free of charge. If you decide to take action on the following instructions, I will GUARANTEE that you will enjoy a similar return! STILL NEED PROOF? Here are just 3 testimonials from the countless individuals who decided to invest nothing more than $5 and half an hour of their time to participate in this program: "What an amazing plan! I followed your instructions just 3 weeks ago, and although I haven't made 15 grand yet, I'm already up to $9,135. I'm absolutely gob smacked." -Pam Whittemore , Ohio "Well, what can I say?... THANK YOU SO MUCH! I sent 40 e-mail's out like you said and then I just forgot about the whole thing. To be honest, I didn't really think anything would come of it. But when I checked my paypal account a week later, there was over $5,000 in After 30 days I now have over $11,000 to spend! I can't thank you enough!"-Juan Tovar, NY,NY "I was shocked when I saw how much money came flooding into my paypal account. Within 3 weeks my account balance has ballooned to $12,449. At first I thought there had been some sort of error with my account!" 
-Richard Barrie , Boulder,CO The only things you will need are: An email address. A Business PayPal account with at least $5 deposited in it, and just 15 to 30 minutes of your time. This program takes just half an hour to set up. After that, there is absolutely no work whatsoever to do on your part. You have absolutely NOTHING to lose, and there is NO LIMIT to the amount of income you can generate from this one single business program. Let's get started, just follow the instructions exactly as set out below and then prepare yourself for a HUGE influx of cash over the next 30 days! Here's what you need to do. . . REQUIREMENTS [THESE INSTRUCTIONS MUST BE FOLLOWED VERBATUM FOR THIS TO WORK] #1) an email address #2) a Premier or Business PayPal account Now follow the steps: 1-4 STEP #1 - Setting up your FREE PayPal Account It's extremely safe and very easy to set up a FREE PayPal account! Copy and paste this to the address bar https://www.paypal.com (notice the secure "https" within the link) Be sure to sign up for a free PREMIER or BUSINESS account (and not just a PERSONAL account) otherwise you won't be able to receive credit card payments from other people. STEP #2 - Sending PayPal money "It is an undeniable law of the universe that we must first give in order to receive." Now all you have to do is send $5.00 by way of PayPal to each of the six email addresses listed below. After setting up your free paypal account and confirming or verifying YOUR ACCOUNT AND putting (five Dollars) $5.00 into your Paypal Account use the Account tab on Paypal to send $5.00 to each of the Names on the List then move the top one and place yours in the #5 spot on the list of names #1-#5. Remember your name becomes #5. Make sure the subject of the payment says... *PLEASE PUT ME ON YOUR EMAIL LIST* (this keeps the program 100% legal.. so please don't forget!) Note: (If you do not see the full email address for the 5 members, just hit reply to this email and they will show up.) 
(Just in case you still haven't opened your PayPal account yet, use this link to open one in your name), https://www.paypal.com #1) flashingsnake_721@hotmail.com #2) gigervy@hotmail.com #3) fuspow@yahoo.co.uk #4) terribird@voila.fr #5) honestman123@lycos.com Remember, all of this is ABSOLUTELY LEGAL! You are creating a service! A Business... An Email List Service Business If you have any doubts, please refer to Title 18 Sec. 1302 & 1241 of the United States Postal laws. STEP #3 - Adding Your Email Address After you send your five $1.00 payments, it's your turn to add your email address to the list! Take the #1) email off the list that you see above, move the other addresses up one (5 becomes 4 & 4 becomes 3, etc) then put YOUR email address (the one used in your PayPal account) as #5) on the list. **MAKE SURE THE EMAIL YOU SUPPLY IS EXACTLY AS IT APPEARS IN YOUR PAYPAL ACCOUNT.** STEP #4 - Copy Message to 200 Newgroups, message boards,etc...... The Pure Joy of Receiving PayPal Money! You are now ready to post your copy of this message, to at least 200 newsgroups, message boards, etc. (I think there are close to 32,000 groups) All you need is 200, but remember, the more you post, the more money you make - as well as everyone else on the list! In this situation your job is to let as many people see this letter as possible. So they will make you and me rich!!!! You can even start posting the moment your email is confirmed. Payments will still appear in your PayPal account even while your bank account is being confirmed. HOW TO POST TO NEWSGROUPS & MESSAGE BOARDS Step #1) You do not need to re-type this entire letter to do your own posting. Simply put your CURSOR at the beginning of this letter and drag your CURSOR to the bottom of this document, and select 'copy' from the edit menu. This will copy the entire letter into your computer's temporary memory. Step #2) Open a blank 'Notepad' file and place your cursor at the top of the blank page. 
From the 'Edit' menu select 'Paste'. This will paste a copy of the letter into notepad so that you can add your email to the list. Or copy to a Word Document. and Place in the email upon completion. Step #3) Save your new Notepad file as a .txt file. If you want to do your postings in different sittings, you'll always have this file to go back to. Step #4) Use Netscape or Internet Explorer and try searching for various newsgroups, on-line forums, message boards, bulletin boards, chat sites, discussions, discussion groups, online communities, etc. EXAMPLE: go to any search engine like yahoo.com, google.com, altavista.com, excite.com - then search with subjects like? millionaire message board? or money making message board? or opportunity message board? or money making discussions? or business bulletin board? or money making forum? etc. You will find thousands & thousands of message boards. Click them one by one then you will find the option to post a new message. Step #5) Visit these message boards and post this article as a new message by highlighting the text of this letter and selecting 'Paste' from the 'Edit' menu. Fill in the Subject, this will be the header that everyone sees as they scroll thru the list of postings in a particular group, click the post message button. You're done with your first one! Congratulations! THAT'S IT!! All you have to do is jump to different newsgroups and post away. After you get the hang of it, it will take about 30 seconds for each newsgroup! REMEMBER, THE MORE NEWSGROUPS AND/OR MESSAGE BOARDS YOU POST IN, THE MORE MONEY YOU WILL MAKE!! BUT YOU HAVE TO POST A MINIMUM OF 200** That's it! You will begin receiving money within days! **JUST MAKE SURE THE EMAIL YOU SUPPLY IS EXACTLY AS IT APPEARS ON PAYPAL.** Explanation of why it works so well: $$$$$ NOW THE WHY PART: Out of 200 postings, say I receive only 5 replies (a very low example). So then I Made $5.00 with my email at #5 on the letter. 
Now, each of the 5 persons who just sent me $1.00 make the MINIMUM 200 postings, each with my email at #5 and only 5 persons respond to each of the original 5, that is another $25.00 for me, now those 25 each make 200 MINIMUM posts with my email at #4 and only 5 replies each, I will bring in an additional $125.00! Now, those 125 persons turn around and post the MINIMUM 200 with my email at #3 and only receive 5 replies each, I will make an additional $625.00! OK, now here is the fun part, each of those 625 persons post a MINIMUM 200 letters with my email at #2 and they only receive 5 replies that just made me $3,125.00!!! Those 3,125 persons will all deliver this message to 200 newsgroups with my email at #1 and if still 5 persons per 200 newsgroups react I will receive $15,625.00! With an original investment of only $5.00! AMAZING!! When your email is no longer on the list, you just take latest posting in the newsgroups, and send out another $5.00 to emails on the list, putting your email at number 5 again. And start posting again. The thing to remember is, thousands of people all over the world are joining the internet and reading these articles everyday, JUST LIKE YOU are now!! So can you afford $5.00?? And see if it really works?? I think so? People have said, what if the plan is played out and no one sends you the money? So what are the chances of that happening when there are tons of new honest users and new honest people who are joining the internet and newsgroups everyday and are willing to give it a try? Estimates are at 20,000 to 50,000 new users everyday, with thousands of those joining the actual Internet. Remember, play FAIRLY and HONESTLY and this will work. This really isn't another one of those crazy scams! As long as people FOLLOW THROUGH with sending out $5.00, it works! With warm wishes, bless you and your loved ones, https://www.paypal.com $$$$$ REMEMBER, IT IS 100% LEGAL! 
DON'T PASS THIS UP

--------------= Posted using GrabIt =----------------
------= Binary Usenet downloading made easy =---------
-= Get GrabIt for free from http://www.shemes.com/ =-
. .

From MikeE at ster.invalid Sun Jan 1 14:56:47 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 18:00:02 2006
Subject: [SpamCop-List] Re: Anyway to get this reported?
References:
Message-ID:

GuitarMan wrote:

> I paste the following into the submission window and then press the
> Process Spam button and get the following error:
>
> SpamCop v 1.514 Copyright (C) 1998-2005, IronPort Systems, Inc. All
> rights reserved.
> Here is your TRACKING URL - it may be saved for future reference:
> http://www.spamcop.net/sc?id=blahblahblah (hidden on purpose)

Whenever you want to talk about the result of a parse, posting the tracker is all you are supposed to post -- not 'keep it a secret' and then post the usenet spam here in a discussion group, which you are *not* supposed to do.

You are not supposed to post spam into the discussion groups. The best thing to do with a spam is to use the parser on it and post its tracker, not 'blahblahblah'. The only other alternative is to post the item in the ng spamcop.spam - which screws up the format unless you post it as an attachment.

> Here is what is pasted to submit:
>
> Path:

That is a usenet message. Reporting usenet spam is mostly a waste of time, and SC doesn't do a great job of parsing them, because its algorithm is very very simplistic.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Mon Jan 2 00:01:47 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Jan 1 18:05:02 2006
Subject: [SpamCop-List] Re: vCard (was: Malformed Spamlink or New Type?)
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null>
Message-ID:

On Sun, 01 Jan 2006 15:15:01 -0600, Michael Brennan coughed into spamcop and left this in <43B84655.E8A46AEC@Spamcop.net.dev.null>:

> My OS is Win 98. I think I'm not supported beyond FF 1.0.4,

Not true. http://www.mozilla.com/firefox/system-requirements.html

> FF is a little slow out of the gate on boot,

That's because, unlike Internet Exploder, it isn't loaded when the OS boots. It's one of those things called an "application" that's only loaded when you ask for it :o)

> and the pages load fairly leisurely, but that may be my 26.4K
> (nailed-up) dialup connection.

That probably has something to do with it. On a laptop with similar muscle to your machine, FF 1.0.7 (haven't installed 1.5 on it yet) displays pages fairly quickly - but it is hooked up to a DSL connection with 10mbps down.

--
Steve

If the designers of X-window built cars, there would be no fewer than five steering wheels hidden about the cockpit, none of which followed the same principles -- but you'd be able to shift gears with your car stereo. Useful feature, that,
-- From the programming notebooks of a heretic, 1990.

From nobody at nowhere.invalid Mon Jan 2 00:06:40 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Jan 1 18:10:03 2006
Subject: [SpamCop-List] Re: Anyway to get this reported?
References:
Message-ID:

On Sun, 1 Jan 2006 17:46:00 -0500, GuitarMan coughed into spamcop and left this in :

> I paste the following into the submission window and then press the
> Process Spam button and get the following error:
>
> SpamCop v 1.514 Copyright (C) 1998-2005, IronPort Systems, Inc. All rights
> reserved.
> Here is your TRACKING URL - it may be saved for future reference:
> http://www.spamcop.net/sc?id=blahblahblah (hidden on purpose)
>
> No source IP address found, cannot proceed.

A) Please do not post spam in here. Post it to the spamcop.spam newsgroup and point to it from your message sent here.

B) There is no source IP address in the piece of usenet spam you provided.

C) AFAIK, Spamcop no longer parses usenet postings anyway. Its main purpose is for reporting *e-mail* spam.

--
Steve

What's the definition of a will? (It's a dead giveaway).

From MikeE at ster.invalid Sun Jan 1 15:13:45 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 18:15:03 2006
Subject: [SpamCop-List] Re: Anyway to get this reported?
References:
Message-ID:

GuitarMan wrote:

> Here is what is pasted to submit:

SC's parser is not going to help you with that item, it does not have an nntp posting host line. The only thing you can do with that is to manually notify the news provider for the message if you are skilled enough to determine that from the path.

It is difficult to determine which lines are bogus in a news message. For example, the Path doesn't appear to have bogosity in it, but the source newsserver line is unfamiliar to me. I am somewhat doubtful as to the veracity of the X-complaints-to line, but you could notify it and let them figure out if their notify is bogus.

> Path: nwrdny02.gnilink.net!cycny02.gnilink.net! gnilink.net! cycny01.gnilink.net! hwmnpeer01.lga! hwmedia! hw-filter.lga! fe13.lga.POSTED! 2ce0aac1! not-for-mail

I've put spaces after the bangs in the Path so that it will wrap. You read the path backwards from the 'hw' section to your own gnilink.

> Message-ID:

That correlates with the Path information.

> X-Complaints-To: abuse@100ProofNews.com

That's possible, I don't know. If it were true, it would be a good way to report this.

> https://www.paypal.com

You could notify paypal that their system is being used for a Ponzi scheme.
> #1) flashingsnake_721@hotmail.com
> #2) gigervy@hotmail.com
> #3) fuspow@yahoo.co.uk
> #4) terribird@voila.fr
> #5) honestman123@lycos.com

You could notify those email providers that those clients are using their accounts for an illegal activity.

--
Mike Easter
kibitzer, not SC admin

From nobody at xyzzy.claranet.de Mon Jan 2 00:23:57 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Jan 1 18:30:02 2006
Subject: [SpamCop-List] Re: Anyway to get this reported?
References:
Message-ID: <43B8648D.58F0@xyzzy.claranet.de>

GuitarMan wrote:

> Here is your TRACKING URL - it may be saved for future reference:
> http://www.spamcop.net/sc?id=blahblahblah (hidden on purpose)

Bad idea, the tracking URL is the best way to discuss issues. If you never get that far you can post spam in the "spam" NG and discuss it here with a pointer by subject.

Or better as followup to your own example switching from NG spamcop.spam to NG spamcop = here, that creates the proper references as pointer. But never post spam here.

> No source IP address found, cannot proceed.

Your spam is no mail, it's a news article. SC is very stupid wrt news...

> Add/edit your mailhost configuration

..forget this for news spam, it's only relevant for mail...

> Here is what is pasted to submit:
> Path:
> nwrdny02.gnilink.net!cycny02.gnilink.net!gnilink.net!cycny01.gnilink.net!hwmnpeer01.lga!hwmedia!hw-filter.lga!fe13.lga.POSTED!2ce0aac1!not-for-mail

If that really is it (without tracking URL impossible to judge, it could be an oddity of your attempt to post it here). If it really is it, something destroyed the Path header field. It should be

Path: nwrd... (etc. all in one long line)

or if the header field is folded (multi-line) all other lines need white space at the beginning:

Path:
 nwrd...

That would do. It's not the one long line you got, but it is a proper folding recognized by SC. If you really tried only...

Path:
nwrd...

...SC is forced to "think" that nwrd...
is no header field or in other words the beginning of the spam body (ignoring all other header fields after the Path).

> X-Complaints-To: abuse@100ProofNews.com

Otherwise (no Path folding oddity in your real submission) SC normally just takes X-Complaints-To for news spam, but...

> NNTP-Posting-Date: Sun, 01 Jan 2006 14:57:36 MST

...AFAIK it insists on a NNTP-Posting-Host header field. You don't have that, a hopeless case. Your own news server might be the problem (gnilink.net), talk to your news master about the obscure ...!hwmnpeer01.lga!... (etc.) part in the Path.

From nobody at nowhere.invalid Mon Jan 2 00:33:29 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Jan 1 18:35:02 2006
Subject: [SpamCop-List] Re: Anyway to get this reported?
References:
Message-ID:

On Sun, 1 Jan 2006 15:13:45 -0800, Mike Easter coughed into spamcop and left this in :

>> #1) flashingsnake_721@hotmail.com
>> #2) gigervy@hotmail.com
>> #3) fuspow@yahoo.co.uk
>> #4) terribird@voila.fr
>> #5) honestman123@lycos.com
>
> You could notify those email providers that those clients are using
> their accounts for an illegal activity.

Yahoo, hotmail and wanadoo - they're *really* going to jump on that one :o)

Lycos, OTOH, has its MXen with outblaze, which must be the one and only white-hat ISP in Asia.

--
Steve

Male cadavers are incapable of yielding testimony.

From MikeE at ster.invalid Sun Jan 1 15:34:14 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 18:35:04 2006
Subject: [SpamCop-List] Re: Anyway to get this reported?
References:
Message-ID:

Mike Easter wrote:

> I am somewhat doubtful as to the veracity of the X-complaints-to line,
> but you could notify it and let them figure out if their notify is
> bogus.

Now I am more confident that that is a good place to notify for this

>> X-Complaints-To: abuse@100ProofNews.com
>
> That's possible, I don't know. If it were true, it would be a good
> way to report this.
because it all fits together with the path and the mid and other similar items I've found from searching. There is a 100proofnews provider and they provide to individuals and to ISPs and others needing multiple accounts.

--
Mike Easter
kibitzer, not SC admin

From nobody at xyzzy.claranet.de Mon Jan 2 00:39:52 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Jan 1 18:45:02 2006
Subject: [SpamCop-List] Re: vCard
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null>
Message-ID: <43B86848.601B@xyzzy.claranet.de>

Michael Brennan wrote:

> I'm a bit resource-challenged at only 160 megs of RAM and a
> 300-MHz P-II MMX CPU.

My box is worse, tnx for info, now I know that testing FF would be a waste of time. If you disable the odd Netscape 4.x idea of "style sheets" it isn't too bad (Edit -> Pref -> Advanced -> enable style sheets),

On my box Netscape 4.x is already too slow, I use it only for hard cases where Netscape 3.x is seriously lost (Javascript or obscure https issues).

Bye, Frank

From nobody at xyzzy.claranet.de Mon Jan 2 00:57:19 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Jan 1 19:00:03 2006
Subject: [SpamCop-List] Re: SC problems...
References:
Message-ID: <43B86C5F.6342@xyzzy.claranet.de>

jg wrote:

> And am I wasting my time in canceling and resubmitting?

If you do it now (12 hours later), yes:

dfhrgfh.info (-654-21-): .multi.surbl.org

It's already on 5 of 6 SURBLs, incl. 1 = SC.surbl.org. You can check this with `host dfhrgfh.info.SC.surbl.org` :

| dfhrgfh.info.sc.surbl.org = 127.0.0.2

Listed on SC.surbl. Or `host dfhrgfh.info.multi.surbl.org` :

| dfhrgfh.info.multi.surbl.org = 127.0.0.118

118 = 2 +4 +16 +32 + 64 = 2^1 +2^2 +2^4 +2^5 +2^6, the 1 in 2^1 stands for "listed on SC.surbl" in the MULTI output.
-- Frank

From MikeE at ster.invalid Sun Jan 1 16:06:19 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 19:10:03 2006
Subject: [SpamCop-List] Re: vCard
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null> <43B86848.601B@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote:

> Michael Brennan wrote:
>
>> I'm a bit resource-challenged at only 160 megs of RAM and a
>> 300-MHz P-II MMX CPU.
>
> My box is worse, tnx for info, now I know that testing FF would
> be a waste of time. If you disable the odd Netscape 4.x idea
> of "style sheets" it isn't too bad (Edit -> Pref -> Advanced ->
> enable style sheets),
>
> On my box Netscape 4.x is already too slow, I use it only for
> hard cases where Netscape 3.x is seriously lost (Javascript or
> obscure https issues).

Has anyone tried any of the operas? Either current or older versions which are available in the archives?

http://www.opera.com/download/ Opera 8.51 for Windows, English (US) version - Show other languages and platforms

http://arc.opera.com/pub/opera/ These are the Opera FTP archives for older versions of Opera.

There's a not insignificant contingent which prefers opera to FF.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sun Jan 1 16:17:06 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 19:20:03 2006
Subject: [SpamCop-List] Re: vCard
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6E2FB.8BD1A59C@Spamcop.net.dev.null> <43B6F561.7FAC@xyzzy.claranet.de> <43B6FCF0.8E6902E6@Spamcop.net.dev.null> <43B84655.E8A46AEC@Spamcop.net.dev.null> <43B86848.601B@xyzzy.claranet.de>
Message-ID:

Mike Easter wrote:

> Has anyone tried any of the operas? Either current or older versions
> which are available in the archives?
Here's a note from a ng post 2004 May 23

// IME, a major issue with running Opera on older Pentium-class systems is memory. Opera 7 may not be happy with 16 megs, but for me, it ran well on a P100 with 64 and Win98 SE lite. As I recall, Matthew would have problems with O7 where I wouldn't not because he was using Win95, but because 7.x wants more memory than 6.06. //

Newsgroups: opera.general
Subject: Re: Opera turmed into Shit
Date: Sun, 23 May 2004 16:59:19 +0000 (UTC)
Message-ID:

http://snipurl.com/l7iy snurled gg to the thread

--
Mike Easter
kibitzer, not SC admin

From g.hyde at bigpond.net.au Mon Jan 2 10:53:57 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sun Jan 1 19:55:02 2006
Subject: [SpamCop-List] Very suspicious spam email.
Message-ID:

http://www.spamcop.net/sc?id=z850489359zb3d9b4a9fd85fbd15c4e959233b1a988z

Following this one up, SpamCop sends abuse reports to abuse AT gblx DOT net - which isn't, AFAIK, a paypal owned site or abuse email. I reported it as spam but put a warning notice in the 'comments' field, as I'm not sure if this was actually from paypal. I also forwarded it onto spoof AT paypal DOT com but as yet have not received a reply back from them.

As to why I reported it, if it really IS from paypal they should have informed me by now with an email from their spoof address.

Cheers ... Geoffrey Hyde

From MikeE at ster.invalid Sun Jan 1 17:17:15 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Jan 1 20:20:03 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

Geoffrey Hyde wrote:

www.spamcop.net/sc?id=z850489359zb3d9b4a9fd85fbd15c4e959233b1a988z

Subject: Very suspicious spam email.

Before you 'read' the interior of an unknown mail [ideally, or even its subject/from, for that matter] you should look at its headers to begin to characterize things before you start reading what a spammer wants you to read.
It is sourced from 206.165.246.84 rDNS email-84.paypal.com

That is pretty likely to be from paypal, yes? Then it has list-unsubscribe headers, like a paypal mailing list item.

So, now that we are comfortable assuming the item is from paypal, we open and read it accordingly. Too many people open unknown mails to determine what they are. That is a bad practice; they shouldn't be opening anything that hasn't already had its headers analyzed. And if its headers contain bogosity and other spammishness, the body shouldn't be rendered before it is inspected for the risks of its content.

So, now we're opening a paypal missive. What does it turn out to be? It is an informational and promotional about what's up with paypal .au vs paypal the regular, a Calif. corp. So, yes, it is meant for you to read and digest the 'meaning' of the paypal.au transition.

> Following this one up, SpamCop sends abuse reports to abuse AT gblx
> DOT
> net - which isn't, AFAIK, a paypal owned site or abuse email.

The source 206.165.246.84 rDNS email-84.paypal.com lives in here

whois -h whois.arin.net 206.165.246.84
...
OrgName: Global Crossing
NetRange: 206.165.0.0 - 206.165.255.255
OrgAbuseEmail: abuse@gblx.net

> I
> reported it as spam but put a warning notice in the 'comments' field,
> as I'm not sure if this was actually from paypal. I also forwarded
> it onto spoof AT paypal DOT com but as yet have not received a reply
> back from them.

I think a better strategy is to have a 'practice' or routine for handling unknown mail in which you analyze it by its headers first, and then depending upon your 'sense' of it by the headers, you may then for 'honest' headers evaluate the content of the body.

In this case, SC can help you with the header analysis and sez this about the source host 206.165.246.84 = email-84.paypal.com

> As to why I reported it, if it really IS from paypal they should have
> informed me by now with an email from their spoof address.

I don't know what that sentence means.
--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Sun Jan 1 20:54:47 2006
From: mwnospam at comcast.net (spamacyde)
Date: Sun Jan 1 20:55:03 2006
Subject: [SpamCop-List] Re: Bogus Spamvertised Web Links
References:
Message-ID:

"Mike Easter" wrote in message news:dp9hvj$736$1@news.spamcop.net...
> spamacyde wrote:
> > Is it possible for a spammer to provide a link that involves the IP
> > address of a legitimate web site if they want to mess with the spam
> > recipient or host of that web site?
>
> Innocent bystander IB links are frequently included in spambodies. A SC
> reporter is supposed to uncheck any IBs which SC doesn't know should be
> considered an IB and there is a faq on that
> http://www.spamcop.net/fom-serve/cache/126.html How should I select the
> recipients for my spam report?
>
> // Spammers will often include innocent parties' addresses in spam in an
> effort to confuse and discredit. [...] These are "innocent bystanders"
> and should not be reported as spammers. Make sure these boxes are
> unchecked if you are not fairly sure the address in question is being
> used by the spammer. //
>
> > If the answer to the question above is yes, when spamcop deobfuscates
> > links in a spam message, does it make an attempt to verify whether
> > the links point to a "bad" website as opposed to a "good" one?
>
> Yes and No -- if a URL is /known/ to be an IB or there are other causes
> of a URL to not lead to a SC notify which has been entered into the db.
> But, SC doesn't otherwise have some kind of 'artificial intelligence'
> which it uses to 'derive' that a found URL is an IB vs a payload URL.
> It is dependent upon human deputy admins to enter db information or on
> SC reporters to determine IBness.
>
> > If the answer to the second question no, what do I need to do to
> > protect myself when clicking on a link to verify that it goes to a
> > "bad" site ie one that is trying to sell me potions as opposed to
> > Fred's blog about pine trees or no site at all?
>
> If it is your intention to notify about a body's spamvertised site and
> you can't tell from the context of the unrendered spam, the next step in
> the process of evaluating a spam is to carefully render it after you
> have determined what security precautions you should take before doing
> so. Some would call that 'opening' the spam, securely.
>
> If you have rendered the content of the spambody and you still can't
> tell the IB from the spamvertiser, you can find one of several ways to
> determine what is at the URL payload site or any redirection or frame
> handling from/at the payload site. You can do that using a GET function
> from a console, or you can do that with a websniffer site, or you can do
> that with a browser which has been properly secured.
>
> One would hope that that entire process doesn't profit the spammer more
> than it hurts hir. If you are going to all of that trouble just to
> notify a blackhat provider who is going to be handing over the report
> evidence to the spammer and not taking some action against the spammer,
> then you are wasting your time and you might be aiding the spamvertiser
> with ad profit and whatever advantage may be gained by getting the
> evidence of your report.
>
> Some spams could do without reporting of the spamvertiser to the SC
> derived notify.
>
> I am of the opinion that it should be the option of the reporter whether
> or not the website should be reported to the SC derived website
> provider -- in addition to putting the spamvertised site on the
> statistics page and/or submitted to the sc-surbl.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

From nobody at xyzzy.claranet.de Mon Jan 2 03:05:53 2006
From: nobody at xyzzy.claranet.de (Frank Ellermann)
Date: Sun Jan 1 21:10:03 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID: <43B88A81.70A4@xyzzy.claranet.de>

Geoffrey Hyde wrote:

> As to why I reported it, if it really IS from paypal they
> should have informed me by now with an email from their
> spoof address.

Legit, see Mike's detailed answer. It's also their style
to address the nightmare of different laws by "local" paypal
sites. Another good point, they use your name, the phishers
would try to get away with "dear paypal customer".

One dark spot, paypal.com has an SPF policy, and you might
be used to get a PASS for legit paypal mail. Now they forgot
to publish an SPF policy for their new email.paypal.com.au
domain. Just tell them that you want a PASS if you miss it.

Bye, Frank

From usa at yourface.com Sun Jan 1 21:43:44 2006
From: usa at yourface.com (GuitarMan)
Date: Sun Jan 1 21:45:02 2006
Subject: [SpamCop-List] Re: Anyway to get this reported?
References:
Message-ID:

Thank you everyone for your help and suggestions...

From bar_n0ne at hotmail.com Mon Jan 2 09:09:10 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Jan 2 00:10:09 2006
Subject: [SpamCop-List] Re: Spamcop causing problems (fscking TROLLS and newsgroup spammers)
References:
Message-ID:

"Aviatrix" wrote in message news:dp9h9f$6gh$1@news.spamcop.net...
> Vanguard wrote:
> SNIP
> Sadly we haven't heard from the OP since his original post. If he were
> to come back here and tell us ...SNIPPED

Are you guys serious?

Come on, the OP was a TROLL, like spam the tone, sound, style and nature of these biweekly missives are far too similar to each other to be coincidence.

Yes we do get posters with a real beef, (actual and similar situations) but their letters don't have this dreary sameness.
I've been watching these kind of missive for a long time,

1)They NEVER have the rejection message,

2) They NEVER identify sending or, receiving ISP, or any email address.

2)They always involve some sob story with a sick, old infirm, handicapped etc. relation.

3) The Poster claims NEVER to have spammed, well they spammed the newsgroup about weekly it looks like..

4) The OP NEVER returns

For the future I suggest a simple boilerplate that suggests reading the FAQ's and that they should be thankful their infirm relation's ISP rejected their mail instead of dropping it in the bit bucket so they wouldn't just think their old relative died because of unresponsiveness.

From nobody at devnull.spamcop.net Mon Jan 2 14:27:45 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Mon Jan 2 00:30:03 2006
Subject: [SpamCop-List] Re: How can I report SPAM *without* opening the e-mail?
In-Reply-To:
References:
Message-ID:

Andy Miller wrote:
> Hi,
>
> I use MS Outlook. I'm happy to do the Options-Headers thing and report all
> headers but I really don't like actually opening the SPAM mail. Sure I have
> virus scanners but still I don't like opening mail that was unsolicited and
> from an unknown source.
>
> I read somewhere that forwarding from Outlook wasn't "good enough" but even
> if it were the operation of forwarding would open the e-mail.
>
> Can't I just send in a report with the whole *unopened* e-mail as an
> attachment?
>
> Thanks,
> Andy

I use OL Spamcop with Outlook 2003. It's a quick download, easy install, and highly configurable.

From MikeE at ster.invalid Sun Jan 1 21:31:21 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 00:35:03 2006
Subject: [SpamCop-List] Re: Spamcop causing problems (fscking TROLLS and newsgroup spammers)
References:
Message-ID:

Berny wrote:

> Are you guys serious?
>
> Come on, the OP was a TROLL, like spam the tone, sound, style and
> nature of these biweekly missives are far too similar to each other
> to be coincidence.
I disagree. David Matthews is a real person with a real email addy and a real website, 2 in fact, related to his profession as a mountain walk leader. That person is the right age to have an elderly father. And his personal information is available on the websites and the domainname registrations.

> 1)They NEVER have the rejection message,
>
> 2) They NEVER identify sending or, receiving ISP, or any email
> address.
>
> 2)They always involve some sob story with a sick, old infirm,
> handicapped etc. relation.
>
> 3) The Poster claims NEVER to have spammed, well they spammed the
> newsgroup about weekly it looks like..
>
> 4) The OP NEVER returns

The business about how the stereotypical person who has had their email blocked 'behaves' in terms of not presenting the IP address 'properly' doesn't prove they are a troll -- and the business about someone showing up here and getting the sense of what it is all about and then leaving without filling in the details is also not so very surprising.

I respond to some possible trolls sometimes -- I don't think this was one of them.

Besides reading the headers, I also read the 'handwriting' of a poster.

--
Mike Easter
kibitzer, not SC admin

From g.hyde at bigpond.net.au Mon Jan 2 15:49:15 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Mon Jan 2 00:50:03 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References: <43B88A81.70A4@xyzzy.claranet.de>
Message-ID:

It might be their 'style' to do things this or that way but how do I know for sure until they prove or disprove it? Spammers have in the past attempted to simulate real websites, and a country code trick was used more than once to fool people.

As this email looks to me, it is *very* badly done, there are a whole bunch of things I don't like about their supposed 'style' of writing - that also suggest if this is them they need their marketing and contact emails updated, or if it is not them that it is a very clever spammer operating behind the site.
If it smells bad, I see no harm in SC reporting it, if they are genuinely paypal they will let me know. It's extremely fishy for a paypal email like this to have an abuse address outside of their main paypal domain, especially considering all their currently known abuse addresses go to abuse AT paypal DOT com or similar EG the spoof AT paypal DOT com etc.

Cheers ... Geoffrey Hyde

"Frank Ellermann" wrote in message news:43B88A81.70A4@xyzzy.claranet.de...
> Geoffrey Hyde wrote:
>
>> As to why I reported it, if it really IS from paypal they
>> should have informed me by now with an email from their
>> spoof address.
>
> Legit, see Mike's detailed answer. It's also their style
> to address the nightmare of different laws by "local" paypal
> sites. Another good point, they use your name, the phishers
> would try to get away with "dear paypal customer".
>
> One dark spot, paypal.com has an SPF policy, and you might
> be used to get a PASS for legit paypal mail. Now they forgot
> to publish an SPF policy for their new email.paypal.com.au
> domain. Just tell them that you want a PASS if you miss it.
>
> Bye, Frank
>

From vanguard.code at comcastNIX.net Sun Jan 1 23:49:24 2006
From: vanguard.code at comcastNIX.net (Vanguard)
Date: Mon Jan 2 00:50:07 2006
Subject: [SpamCop-List] Re: Spamcop causing problems (fscking TROLLS and newsgroup spammers)
References:
Message-ID:

"Berny" wrote in message news:dpachp$mcd$1@news.spamcop.net...
>
> Are you guys serious?
>
> Come on, the OP was a TROLL, like spam the tone, sound, style and nature
> of these biweekly missives are far too similar to each other to be
> coincidence.
>
> Yes we do get posters with a real beef, (actual and similar situations) but
> their letters don't have this dreary sameness. I've been watching these kind
> of missive for a long time,
>
> 1)They NEVER have the rejection message,
>
> 2) They NEVER identify sending or, receiving ISP, or any email address.
>
> 2)They always involve some sob story with a sick, old infirm, handicapped
> etc. relation.
>
> 3) The Poster claims NEVER to have spammed, well they spammed the newsgroup
> about weekly it looks like..
>
> 4) The OP NEVER returns
>
> For the future I suggest a simple boilerplate that suggests reading the
> FAQ's and that they should be thankful their infirm relation's ISP rejected
> their mail instead of dropping it in the bit bucket so they wouldn't just
> think their old relative died because of unresponsiveness.

Work in support for awhile (or just participate in newsgroups for a long time) and you would realize that there are LOTS of dumb users out there, and most are dumb on the same topics. Would you like to count how many times different users have asked the same old tired and highly repeated question on how to get Outlook Express to stop blocking attachments? Yeah, it's right there but the users are too f..king stupid or lazy to ever bother looking at the options of a program to effect changes to its behavior. I don't often answer those posts anymore but sometimes I do. Depends on my mood and time available.

Have you counted how many "valid" questions (according to whatever is your criteria) have been asked by an OP that never returns or never replies after reading the replies from others? If you need the OP to reply to stroke your ego, Usenet is not for you. It is rare that the OP comes back to give thanks, damnation, or in anyway follows up on their post.

Yes, there are many posters who post about someone else's problem but since they are not trained as support personnel they haven't a clue about what information they should gather and divulge in their post. I have a mother-in-law that when I get to the second sentence of a dumbed down explanation has her lost already. Yes, there are folks that have a natural and strong resistance to technology or are just too lazy to learn anymore.
Those "I just want to use the damn thing" users who want computers to act as predictably as a washing machine won't be the ones coming here to ask questions because they won't know how to get here, won't know the community or netiquette, and really don't care about here because they have someone else to ask for help.

I guess if you don't want to get caught up in what you think is a troll post, the best solution is not to participate at all. However, since you did participate, and if it was a troll, he got you, too. Hah hah!

--
_______________________________________________________
** Post replies to the newsgroup. Share with others.
** For e-mail, remove "NIX" and append "#VC811" to Subject.
_______________________________________________________

From jg at coks.net Sun Jan 1 21:53:13 2006
From: jg at coks.net (jg)
Date: Mon Jan 2 00:55:03 2006
Subject: [SpamCop-List] Re: SC problems...
In-Reply-To: <43B86C5F.6342@xyzzy.claranet.de>
References: <43B86C5F.6342@xyzzy.claranet.de>
Message-ID:

On 1/1/2006 3:57 PM Frank Ellermann scribbled:

> If you do it now (12 hours later), yes:

didn't notice the time frame at the time, but the question wasn't time specific, more rhetorical...

> > dfhrgfh.info (-654-21-): .multi.surbl.org
>
> It's already on 5 of 6 SURBLs, incl. 1 = SC.surbl.org.
>
> You can check this with `host dfhrgfh.info.SC.surbl.org` :
>
> | dfhrgfh.info.sc.surbl.org = 127.0.0.2
>
> Listed on SC.surbl. Or `host dfhrgfh.info.multi.surbl.org` :
>
> | dfhrgfh.info.multi.surbl.org = 127.0.0.118
>
> 118 = 2 +4 +16 +32 + 64 = 2^1 +2^2 +2^4 +2^5 +2^6, the 1
> in 2^1 stands for "listed on SC.surbl" in the MULTI output.

/That/ is complete greek to me - I'm not an admin, nor an IT guy... But thanks for the input -

bye,
jg

From g.hyde at bigpond.net.au Mon Jan 2 15:58:01 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Mon Jan 2 01:00:04 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Mike Easter" wrote in message news:dp9uuo$fhr$1@news.spamcop.net...
> Geoffrey Hyde wrote:
> www.spamcop.net/sc?id=z850489359zb3d9b4a9fd85fbd15c4e959233b1a988z
>> As to why I reported it, if it really IS from paypal they should have
>> informed me by now with an email from their spoof address.
>
> I don't know what that sentence means.

Most forwarded messages to their spoof address will usually have replies which come back from that same address.

Also, a lot of people seem to think that I know who owns what address, and that I trust DNS info given out by servers. However, I'm not too trusting of them, as I can't know all possible address registrants, and if it doesn't look plausible, I have to know why it would be plausible in order to trust that sort of information. If I don't know why ...

Well, you get the general idea - I think most people on the internet are far TOO trusting of sites, I don't work it that way unless I have factual data that supports the theory.

Cheers ... Geoffrey Hyde

From bar_n0ne at hotmail.com Mon Jan 2 09:58:00 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Jan 2 01:00:06 2006
Subject: [SpamCop-List] Re: Spamcop causing problems (fscking TROLLS and newsgroup spammers)
References:
Message-ID:

"Mike Easter" wrote in message news:dpadr5$n2q$1@news.spamcop.net...
> Berny wrote:
> > SNIP.
>
> I disagree. David Matthews is a real person with a real email addy and
> a real website, 2 in fact, related to his profession as a mountain walk
> leader. That person is the right age to have an elderly father. And
> his personal information is available on the websites and the domainname
> registrations.
> SNIP
>
> The business about how the stereotypical person who has had their email
> blocked 'behaves' in terms of not presenting the IP address 'properly'
> doesn't prove they are a troll -- and the business about someone showing
> up here and getting the sense of what it is all about and then leaving
> without filling in the details is also not so very surprising.
>
> I respond to some possible trolls sometimes -- I don't think this was
> one of them.
>
> Besides reading the headers, I also read the 'handwriting' of a poster.

That's also what I look at, I find too many of these have the same "handwriting" style. Maybe this OP was genuine, Maybe it was Mr. Matthews, also Maybe not, perhaps you know more than I.

From vanguard.code at comcastNIX.net Mon Jan 2 00:21:54 2006
From: vanguard.code at comcastNIX.net (Vanguard)
Date: Mon Jan 2 01:25:02 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:dp9tk6$emh$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z850489359zb3d9b4a9fd85fbd15c4e959233b1a988z
>
> Following this one up, SpamCop sends abuse reports to abuse AT gblx DOT
> net - which isn't, AFAIK, a paypal owned site or abuse email. I reported
> it as spam but put a warning notice in the 'comments' field, as I'm not
> sure if this was actually from paypal. I also forwarded it onto spoof AT
> paypal DOT com but as yet have not received a reply back from them.
>
> As to why I reported it, if it really IS from paypal they should have
> informed me by now with an email from their spoof address.

Go to https://www.paypal.com/au/. Click on the "Product Disclosure ... ARBN ..." link on the right side. Unfortunately Paypal decided to go through Doubleclick for the link which is, in my opinion, very stupid for any so-called "official" announcement.

All but one tag pointed to paypal.com to get the image file.
The one that did not point to Paypal (link.p0.com) looks like a web bug to track if you ever opened their e-mail (domain registration says the registrant is Yesmail, http://www.yesmail.com/), but then, like an educated e-mail user, the option to block linked images in your e-mail client is already enabled.

There are no tags to links to take you anywhere, so it is an information-only e-mail. If you really are a PayPal customer then it is even less likely that it is spam (as your contract with them permits them to send you notification unless there is an option to disable those), and if you are a PayPal customer then you falsely accused them of spamming you since it is highly likely that you agreed to get those notifications.

PayPal did violate one principle of good e-mail, however: they did NOT include a plain-text MIME part in their HTML-formatted message. Of course, there may be an option in the configuration of your PayPal account that specified in what format you want their notifications, but HTML-formatted e-mails should always include a plain-text MIME part (some anti-spam products will increase the spam rating for HTML-formatted e-mails without a plain-text part).

From the Received header (the one that YOUR mail server got), The IP address (see http://www.dnsstuff.com/tools/whois.ch?ip=206.165.246.84) is allocated to Global Crossing. If you do a traceroute on email-84.paypal.com, again you are going through glbx.net (http://www.dnsstuff.com/tools/tracert.ch?ip=email-84.paypal.com). That is why glbx.net is listed as a recipient of your spam report.

Looks like a legitimate PayPal notification that they sent through Yesmail services which got delivered through Global Crossing. If you are a PayPal customer, you probably just falsely accused them of spamming. I don't recall ever getting a human-written response from sending a suspect mail to their spoof e-mail address.

I don't think it was spam because you never did mention NOT being a Paypal member.
--
_______________________________________________________
** Post replies to the newsgroup. Share with others.
** For e-mail, remove "NIX" and append "#VC811" to Subject.
_______________________________________________________

From bar_n0ne at hotmail.com Mon Jan 2 13:00:20 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Jan 2 04:05:06 2006
Subject: [SpamCop-List] shopping spree and claim your free (whatever) is back
Message-ID:

On MCI,

Only now (Lindsey?) is sending from China, but the sites are hosted at MCI.(again)

Interestingly the turdlets arrive almost simultaneously with 2 adultactioncam.com turdlets, about 4 times a day. (those ones with multiple zombie hosted redirectors)

Wonder if Lindsey has hooked up with the blah-blah-cam crowd now?

one of many:
http://www.spamcop.net/sc?id=z850648244zc052fa7b29fa231ca1dda9a71bd5c964z

new spamvertizing names every day, same small subset of IP's

From redford_stone at INVERSE_OF_COLDmail.com Mon Jan 2 12:14:01 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Mon Jan 2 07:15:03 2006
Subject: [SpamCop-List] Re: Anyone come across those nasty WMFs?
References: <43B59989.521B56A8@Spamcop.net.dev.null> <43B6F057.5799@xyzzy.claranet.de>
Message-ID:

Frank Ellermann wrote in news:43B6F057.5799@xyzzy.claranet.de:

> Redstone wrote:
>
>> I've heard that spammers are beginning to employ them,
>> but haven't seen it personally.
>
> I've read that the new "Google redirection greeting card"
> crap tries this, but the one I got was already a dead
> link. The link in my case ended with ".exe", so maybe
> it wasn't a WMF.
>

It tried to download an executable it seems. (Good thing that the link was dead.) Seems whatever boobytrapped image you tried to look at worked.

> If it was, then cutting the association for *.wmf won't
> get it.
>
> MS offers a hard way to deregister the broken DLL:
>
> http://www.microsoft.com/technet/security/advisory/912840.mspx
>
> US-CERT mumbled something about a "file magic" (like MZ
> for executable files or PK for ZIP), but apparently WMF
> has no such magic, or I didn't get their idea.
>
> http://www.kb.cert.org/vuls/id/181038
> http://en.wikipedia.org/wiki/Windows_Metafile
>
> Frank
>

The crappy thing is that it is a VERY temporary workaround. My images and metafiles are registered with another program (ACDsee).. not sure if it helps any, but I'm not taking any chances.

From redford_stone at INVERSE_OF_COLDmail.com Mon Jan 2 12:20:00 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Mon Jan 2 07:20:03 2006
Subject: [SpamCop-List] Re: straight spammer error or some trickery attempt gone astray?
References:
Message-ID:

"Mike Easter" wrote in news:dp6q3h$q64$1@news.spamcop.net:

> Or maybe it happened somewhere in between in the
> handling between the spamsource and your mailserver.
>

Nah.. don't give the spammers that much credit. More like b0rken spamware. If I had a nickel for every spam I received missing something critical (namely the URL itself)...

From nobody at devnull.spamcop.net Mon Jan 2 07:41:59 2006
From: nobody at devnull.spamcop.net (Miss Betsy)
Date: Mon Jan 2 07:45:03 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Vanguard" wrote in message news:dpagq2$ovt$1@news.spamcop.net...

> If you are a PayPal customer, you
> probably just falsely accused them of spamming.

I have a hard time deciding about some PayPal emails also. I am not a regular user of PayPal, but had to sign up in order to use my credit card so I do get legitimate ones occasionally. I generally ignore them since I am not interested. If I need to use them again, the rules or whatever will probably have been changed and I can find out then.
I did have one that said that my account had been repeatedly attempted access and that if it wasn't me, to do something. It sure looked legitimate (in the headers and message source), but at the time, I didn't have the time to look up passwords, etc. and go to the site and see what was going on. Probably not a good idea to procrastinate.

I don't usually report the ones I am unsure of, though I follow the reasoning that the OP had. Legitimate sites that are often spoofed ought to insure that when one gets a legitimate email from them, that there is no question. Reporting it shows that, at least, one person was confused. While I don't think the spoof submission would be answered, IMHO, the spamcop report ought to have been if it was legitimate.

Miss Betsy

From g.hyde at bigpond.net.au Mon Jan 2 23:47:57 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Mon Jan 2 08:50:03 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Miss Betsy" wrote in message news:dpb6vi$4fv$1@news.spamcop.net...
> "Vanguard" wrote in message
> news:dpagq2$ovt$1@news.spamcop.net...
>
>> If you are a PayPal customer, you
>> probably just falsely accused them of spamming.
> I don't usually report the ones I am unsure of, though I follow the
> reasoning that the OP had. Legitimate sites that are often spoofed
> ought to insure that when one gets a legitimate email from them,
> that there is no question. Reporting it shows that, at least, one
> person was confused. While I don't think the spoof submission
> would be answered, IMHO, the spamcop report ought to have been if
> it was legitimate.

IMHO, in the case of a popular site like PayPal, they ought to insure (or is ensure a better word?) that they are seen to be coming from the one source site. If they are not, they risk confusion amongst members who don't regularly use PayPal.
I would consider myself a medium to low-use customer as I don't often visit their site unless I have a specific reason to, like send or receive money ... It is therefore highly suspect of a PayPal email (genuine or not) to have abuse addresses that the intended recipient is unfamiliar with.

I also have very little time or practical use to go wading through pages and pages of TOU documents just to find one small relevant paragraph that might help me decide an email's legitimacy or not. I originally read the first couple of paragraphs of PayPal's TOU, and skipped down till I found the "I agree" button. Why? Because it is very long-winded, it's impractical to expect someone to be reading the whole document in one pass. The same could be said of Microsoft's EULAs.

But enough of that, I am heartily sick and tired of having to judge every single email on its merits and 'might be legitimate' points. I'd really like it if SC could tell me if its analysis code tells it this was a legitimate email. Or if there is a site that could do that for me. It's really a lot of work having to track down URLs, check server listings, and so forth.

Cheers ... Geoffrey Hyde

From bar_n0ne at hotmail.com Mon Jan 2 18:24:34 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Jan 2 09:25:02 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:dpbaub$6gk$1@news.spamcop.net...
SNIP
> But enough of that, I am heartily sick and tired of having to judge every
> single email on its merits and 'might be legitimate' points. I'd really
> like it if SC could tell me if its analysis code tells it this was a
> legitimate email. Or if there is a site that could do that for me. It's
> really a lot of work having to track down URLs, check server listings, and
> so forth.

I actually find SC a damn good authenticator and use it any time I get email about bank accounts etc.
(not only phishes, but also legit ones from my bank), of course in those latter cases I don't send LARTS

From MikeE at ster.invalid Mon Jan 2 06:51:56 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 09:55:03 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

Geoffrey Hyde wrote:

> But enough of that, I am heartily sick and tired of having to judge
> every single email on its merits and 'might be legitimate' points.

Here are some snips from the item, trying to be brief but paste enough here:

//
Dear Geoffrey Hyde,

PayPal, Inc. is pleased to announce that we are preparing to introduce PayPal Australia [...]

Until PayPal Australia begins operating in February 2006, your customer relationship continues to be with PayPal, Inc. (a US company), [...]

With the introduction of our new Australian company, your customer relationship will automatically be transferred to PayPal Australia which we anticipate will occur on 2 February 2006. [...]

minor consequential changes to the User Agreement and its incorporated policies and the Privacy Policy

If you do not wish to hold a PayPal Australia account and would prefer to continue your relationship with PayPal, Inc., you may only do so if you are a resident in the United States and your primary address in your PayPal account, as of 2 February 2006, is a legitimate postal address within the United States. If your primary address is not in the United States and you do not wish to receive services from PayPal Australia, you may close your account at any time, either before or after the transition.

To modify your notification preferences, log in to your PayPal account, click the Profile sub-tab, then click the Notifications link under Account Information.
//

> I'd really like it if SC could tell me if its analysis code tells it
> this was a legitimate email. Or if there is a site that could do
> that for me.

My provider has a site to 'test' whether a spamvertised URL is from them.
// Use this tool to determine if a web site is a legitimate EarthLink or EarthLink partner site. // http://support.earthlink.net/ Verify a Website!

... but I don't think that tool is particularly valuable -- since the unwitting recipient is going to open the mail and copy the URL from the rendered phish.

Paypal doesn't have a gizmo for testing their mail. I just searched around for one.

> It's really a lot of work having to track down URLs,
> check server listings, and so forth.

The SC reporter has a somewhat higher level of responsibility to be able to examine the headers and body of a mail to determine if it is spam or not than the average 'citizen' email recipient who is not a reporter

--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Mon Jan 2 09:58:38 2006
From: mwnospam at comcast.net (spamacyde)
Date: Mon Jan 2 10:00:02 2006
Subject: [SpamCop-List] Spamcop Mistracking?
Message-ID:

I have a spam that asks me to click on http://1098.net. Spamcop says the ISP associated with it is Internap. If I ping 1098.net, then lookup the IP address with Arin, Arin says it's Go Daddy Software. Please explain.

I reported the spam by pasting it in the form and I don't see a tracker on the resulting web page. Sorry

From MikeE at ster.invalid Mon Jan 2 07:00:38 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 10:05:03 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

Geoffrey Hyde wrote:

> But enough of that, I am heartily sick and tired of having to judge
> every single email on its merits and 'might be legitimate' points.

That could be very tedious if you have a lot of spam all mixed up together in your Inbox with your goodmail. That isn't the way I manage my Inbox. My inbox doesn't have any spam in it. All of my spam is in my Junk folder because its headers and interior body contents have been evaluated by SpamPal.
SP uses my choice of dnsbl/s and its regex and other body plugins against my whitelisteds to comb the headers and body in a sophisticated fashion which is almost perfect and never has any false positives.

Similarly, spamcop email subscribers have their mail well separated into spam and goodmail.

This item would not have been in my Junk mail folder -- and if I don't recognize an item in my Inbox as spam vs goodmail, I check its headers first for veracity, finding bogosity there, I move it into Junk. Finding honesty in the header, I check its body for safety, then render it securely when appropriate and read what the content is about.

I can't see how I would become 'sick and tired' of judging 'every single email' -- because all of mine have been evaluated very well by SpamPal prior to arriving in the Junk folder or Inbox.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Jan 2 07:11:44 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 10:15:03 2006
Subject: [SpamCop-List] Re: Spamcop Mistracking?
References:
Message-ID:

spamacyde wrote:

> I have a spam that asks me to click on http://1098.net.

The tracker would be much better for this.

> Spamcop
> says the ISP associated with it is Internap.

SC tells me the notify is godaddy

Parsing input: http://1098.net
Host 1098.net (checking ip) = 64.202.189.170
Reporting addresses: abuse@godaddy.com

> If I ping 1098.net,
> then lookup the IP address with Arin, Arin says it's Go Daddy
> Software. Please explain.

1098.net DNS 64.202.189.170
OrgName: Go Daddy Software, Inc.
NetRange: 64.202.160.0 - 64.202.191.255
RAbuseEmail: abuse@godaddy.com

> I reported the spam by pasting it in the form and I don't see a
> tracker on the resulting web page. Sorry

The tracker is at the top of the form which you get when you perform the parse and it is time to report.
After you report, that tracker isn't visible anymore -- so you have to copy the tracker before you report, or you have to reparse the same item again and copy the tracker and cancel the report. Or you can also access the tracker by going to your recent reports and using the reportid to access the tracker. It looks like: Here is your TRACKING URL - it may be saved for future reference: http://www.spamcop.net/sc?id=z850467288z3a3ab852bb72fd2264c6fd19b3fe5d3bz When you access by the reportid [from your past reports] you can click the reportid # which provides a view with a 'parse' at the top. That parse link can be copied, because it is also the tracker of the above configuration, while the aforementioned reportid link is of this configuration http://www.spamcop.net/mcgi?action=gettrack&reportid=1577656720 which we can't use in place of a tracker. -- Mike Easter kibitzer, not SC admin From nobody at nowhere.invalid Mon Jan 2 16:37:10 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Jan 2 10:40:02 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: On Mon, 2 Jan 2006 23:47:57 +1000, Geoffrey Hyde coughed into spamcop and left this in : > they ought to insure (or is ensure a better word?) In the US they couldn't care less. Either will do in either context. In *real* English (g,d&r), "insure" means to take out an insurance policy, while "ensure" means to make sure of something. You "insure" your car, and you "ensure" that your insurance policy is up to date. -- Steve Reporter (to Mahatma Gandhi): "Mr. Gandhi, what do you think of Western civilisation?" Gandhi: "I think it would be a good idea." From devnull at spamcop.net Mon Jan 2 10:42:44 2006 From: devnull at spamcop.net (Frog Prince) Date: Mon Jan 2 10:45:02 2006 Subject: [SpamCop-List] Re: Very suspicious spam email. References: Message-ID: "Steven Maesslein" | > they ought to insure (or is ensure a better word?) | | In the US they couldn't care less. 
Either will do in either context.
|
| In *real* English (g,d&r), "insure" means to take out an insurance
| policy, while "ensure" means to make sure of something.
|
| You "insure" your car, and you "ensure" that your insurance policy is up
| to date.
|

In the USA Ensure is a trade name for a nutritional supplement and adult diapers.

From MikeE at ster.invalid Mon Jan 2 08:05:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 11:10:04 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

Frog Prince wrote:
> "Steven Maesslein"
>
>>> they ought to insure (or is ensure a better word?)
>>
>> In the US they couldn't care less. Either will do in either context.

While that is 'sorta' true, in terms of US usage as 'analyzed' by some wordsmiths, I would say that the misuse is not 'bilaterally symmetrical'. That what happens is that ensure is not a popular word, so insure gets used for both the financial and the 'make certain' usage - whereas ensure should be used for the latter. I'm quite certain that the usage of ensure in place of insure the financial doesn't happen in the US with any frequency.

>> In *real* English (g,d&r), "insure" means to take out an insurance
>> policy, while "ensure" means to make sure of something.
>>
>> You "insure" your car, and you "ensure" that your insurance policy
>> is up to date.

Yes.

> In the USA Ensure is a trade name for a nutritional supplement and
> adult diapers.

And, as a consequence to the commercial application of the Ensure word, you get rather spectacular differences in how often the two words occur. Whereas, altho' ensure isn't used very much in US American English, because of the products, it googlehits 570 million to insure's 34 million hits.
--
Mike Easter
kibitzer, not SC admin

From Nobody at Spamcop.net.dev.null Mon Jan 2 11:46:58 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Mon Jan 2 12:50:04 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null>
Message-ID: <43B96712.CD1C7F21@Spamcop.net.dev.null>

Mike Easter wrote:
>
> Michael Brennan wrote:
>
> > Domain Name: EXTRA-PREVENT.COM
> > Registrar: INNERWISE INC. D/B/A ITSYOURDOMAIN.COM
>
> itsyourdomain is the domainname registrar for the spamvertised site.
>
> Doing a DNS on the domainname registrar is not productive
>
> > ITSYOURDOMAIN.COM = [ 63.85.86.16 ]
>
> Finding the provider for the domainname registrar's IP is also not
> productive
>
> whois -h whois.arin.net 63.85.86.16 ...
> UUNET Technologies, Inc. 63.64.0.0 - 63.127.255.255
> Innerwise Inc. 63.85.86.0 - 63.85.86.255
>
> Don't go down that road.
>

I found some interesting references to Itsyourdomain.com and Innerwise Inc at this ROKSO address:

http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5532

but otherwise don't see the reason for your warning. You might have other knowledge of this outfit, I gather.

It sounds like this might be a portal into some serious professional wire fraud, as evidenced by the letter at the bottom of the cited ROKSO record, involving virtual identities and entities all over the map, including the pain-in-the-butt "Ryan Kelly"/Jungle Ventures/Your-domain-here.com in Belize.

So why do UUNet and MCI keep turning up? At some point the dirt is going to stick. Given their tactics in the long-distance market (numerous false-flagging operations designed to sweep up customers their crummy service has jaded in the past), I'm being driven slowly to the conclusion that MCI has a serious appetite for what financial analysts like to call, delicately, "lower-quality earnings".
Michael

From Nobody at Spamcop.net.dev.null Mon Jan 2 11:54:55 2006
From: Nobody at Spamcop.net.dev.null (Michael Brennan)
Date: Mon Jan 2 12:55:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null>
Message-ID: <43B968EF.A90DC52B@Spamcop.net.dev.null>

Mike Easter wrote:
>
> Michael Brennan wrote:
> > www.spamcop.net/sc?id=z850377854zf2a6f13007e35fefd66b4a5d5c29399bz
> >
> > and got another "creepylink" that traced back to another group
> > similarly structured around UUNet and MCI:
>
> This is another example of something which has nothing to do with
> uunet/mci according to my resolving and SC's resolving
>
>
> Re: http://creepy.extra-prevent.com/ (Administrator of network hosting
> website referenced in spam)
> glxk@gxcc.com.cn
>
> inetnum: 221.7.209.0 - 221.7.209.255
> netname: CNC-GL-INTER-3
> descr: CNC Guilin INternet network
> admin-c: XK43-AP = glxk@gxcc.com.cn
> tech-c: XK43-AP

I'm not surprised at this guy's turning up again.....I guess my "whois" technique leaves something to be desired, but I did chase domain names and IP's as you can see by my earlier posts; I just got something different.

I always uncheck the box next to glxk@gxcc.com.cn on my SpamCop reports, since I believe that this is the spammer himself. Do you happen to know who this is? I've thought it's one of the three Russians whose names come up a lot.

As an aside, I saw a ROKSO entry some weeks ago that tied Ruslan Ibragimov to "Ryan Kelly" and Jungle Ventures in Belize.
Michael

From MikeE at ster.invalid Mon Jan 2 10:09:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 13:10:02 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null> <43B968EF.A90DC52B@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Mike Easter wrote:
>> Michael Brennan wrote:

www.spamcop.net/sc?id=z850377854zf2a6f13007e35fefd66b4a5d5c29399bz

>> Re: http://creepy.extra-prevent.com/ (Administrator of network
>> hosting website referenced in spam)
>> glxk@gxcc.com.cn

> I always uncheck the box next to glxk@gxcc.com.cn on my SpamCop
> reports, since I believe that this is the spammer himself. Do you
> happen to know who this is?

This is about 221.7.209.67 no rDNS in here
inetnum: 221.7.209.0 - 221.7.209.255
descr: CNC Guilin INternet network

That /24 is spamhaus listed
http://www.spamhaus.org/SBL/sbl.lasso?query=SBL35677
// China Netcom Group Dirty Block: CNC Guilin Internet network Spam hosting. Massive numbers of spams with URIs hosted within this /24 reported via SpamCop (where it is the #1 reported spam host for the last week) and other sources. IP block has no rDNS, probably dynamic IPs. ISP, China Netcom Group Guilin, has minimal info in APNIC, and no abuse@ address registered with abuse.net. //

> I've thought it's one of the three
> Russians whose names come up a lot.

If you go to the SBL link above, you will see a lot of /32s for Leo Kuvayev and others which got merged into the /24 on Dec 17. Spamhaus is pretty conservative. When it starts putting things into blocks, you can assume a lot of refractoriness and nonresponsiveness.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Mon Jan 2 10:29:29 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 13:30:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null> <43B96712.CD1C7F21@Spamcop.net.dev.null>
Message-ID:

Michael Brennan wrote:
> Mike Easter wrote:
>> Michael Brennan wrote:
>>
>>> Domain Name: EXTRA-PREVENT.COM
>>> Registrar: INNERWISE INC. D/B/A ITSYOURDOMAIN.COM
>>
>> itsyourdomain is the domainname registrar for the spamvertised site.

It is very important to understand the relationship between a domainname which is a spamvertised website and the domainname registrar which is not. The typical 'enforcement' responsibilities of domainname registrars are that they are expected to enforce against bogus information in the registration according to their ICANN responsibilities, but not very many of them enforce against the registrants for spamvertising.

>> Doing a DNS on the domainname registrar is not productive
>>
>>> ITSYOURDOMAIN.COM = [ 63.85.86.16 ]
>>
>> Finding the provider for the domainname registrar's IP is also not
>> productive
>>
>> whois -h whois.arin.net 63.85.86.16 ...
>> UUNET Technologies, Inc. 63.64.0.0 - 63.127.255.255
>> Innerwise Inc. 63.85.86.0 - 63.85.86.255
>>
>> Don't go down that road.

What 'don't go down that road' means is that sending spam notifies to the domainname registrar isn't likely to be fruitful. I suppose that you can do it if you want, but don't be expecting that the registrar is going to be doing some enforcing about the spamming.

>>
>
>
> I found some interesting references to Itsyourdomain.com and Innerwise
> Inc at this ROKSO address:
>
> http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK5532

That rokso is really about your-domains-here.com -- but there are registrants with the registrar and nameservers - which is another issue - itsyourdomain.com

> but otherwise don't see the reason for your warning. You might have
> other knowledge of this outfit, I gather.

No I don't mean 'warning' -- I'm just trying to explain the role of the registrar for a domainname as opposed to the provider for the spamvertiser's webspace. The webspace provider is a completely different thing and has different 'responsibilities' than the domainname registrar.

> It sounds like this might be a portal into some serious professional
> wire fraud, as evidenced by the letter at the bottom of the cited
> ROKSO record, involving virtual identities and entities all over the
> map, including the pain-in-the-butt "Ryan Kelly"/Jungle
> Ventures/Your-domain-here.com in Belize.

The spamgang is an entity which has a domainname and a business and uses a provider's webspace. The domainname needs a registrar and nameservice. There is also a webserver software and its functionality.

The 'method' of attacking the nameservice registration or the registration information of the spamvertiser should be kept 'in balance' -- considering what the 'expected' role of the domainname registrar is. It seems that you are treating the domainname registrar as if the registrar were the spammer. That is not correct.

> So why do UUNet and MCI keep turning up?

We've been discussing or debating here about how they don't keep turning up. Nothing you have posted in this thread with this subject shows me anything which has to do with those providers. You didn't even show what the mention of parava was all about yet.
--
Mike Easter
kibitzer, not SC admin

From 96q7vwa02 at sneakemail.com Mon Jan 2 09:31:53 2006
From: 96q7vwa02 at sneakemail.com (Fred K.)
Date: Mon Jan 2 13:35:04 2006
Subject: [SpamCop-List] Re: Very suspicious spam email.
References:
Message-ID:

"Mike Easter" wrote in message news:dpbem9$88c$1@news.spamcop.net...
> My provider has a site to 'test' whether a spamvertised URL is from
> them. // Use this tool to determine if a web site is a legitimate
> EarthLink or EarthLink partner site. // http://support.earthlink.net/
> Verify a Website!
> Mike Easter
> kibitzer, not SC admin
>

FYI My new PC-cillin Internet Security 2006 has a URL verification feature built in. I have used McAfee, Norton NIS 2005 but PC-cillin is the best and it is light in terms of system resources. I am switching all my computers from Norton as the subscriptions expire.

Fred k.

From MikeE at ster.invalid Mon Jan 2 10:48:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 13:50:03 2006
Subject: [SpamCop-List] Re: Parava Networks, UUNet, and MCI
References: <43B8496F.1AB4B562@Spamcop.net.dev.null> <43B84DE2.3F6502E0@Spamcop.net.dev.null> <43B96712.CD1C7F21@Spamcop.net.dev.null>
Message-ID:

Mike Easter wrote:
> Michael Brennan wrote:
>> So why do UUNet and MCI keep turning up?
>
> We've been discussing or debating here about how they don't keep
> turning up. Nothing you have posted in this thread with this subject
> shows me anything which has to do with those providers. You didn't
> even show what the mention of parava was all about yet.
In the first tracker in the first post in this thread, the spamvertiser was http://catastrophic.extra-clinic.com

The domainname registrar for extra-clinic.com is
Registrar: PARAVA NETWORKS INC DBA REGISTRATEYA.COM NAAME.COM
and the nameservers are
Name Server: NS1.NAMESVA.COM
Name Server: NS2.NAMESVA.COM
and the registrar's website is at http://www.parava.net and the registrar's whois server is whois.parava.net

parava.net's MX is mail.parava.net which DNS 65.210.194.2 whose rDNS is host2.parava.net

As a consequence of that, you derived the providers for that IP's block

whois -h whois.arin.net 65.210.194.2 ...
UUNET Technologies, Inc. 65.192.0.0 - 65.223.255.255
Parava Networks 65.210.194.0 - 65.210.194.63

and I'm saying that the uunet/mci/parava 'connection' -- is very very 'roundabout' -- as the MX for a domainname registrar isn't 'connected' to the spam situation of one of the domainnames which is registered there.

Ya' know whatta' mean, Gene?

--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Mon Jan 2 14:17:09 2006
From: mwnospam at comcast.net (spamacyde)
Date: Mon Jan 2 14:20:02 2006
Subject: [SpamCop-List] Spamcop fails to resolve link
Message-ID:

This is for tracker:

http://www.spamcop.net/sc?id=z850910536z9de25e6bbbd2b296dea83bab360b5515z

The Spamcop parser failed to find the link http://m894.net.

Seems pretty easy to me. Also when I look up the IP address associated with the link on arin.net, 63.251.92.195,

I get

Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
63.251.0.0 - 63.251.255.255
Gamedyne PNAP-SEF-GAMEDYNE-DC-01 (NET-63-251-0-0-2)
63.251.0.0 - 63.251.0.255

Well, which ISP is it?

Thanks

From mwnospam at comcast.net Mon Jan 2 14:49:06 2006
From: mwnospam at comcast.net (spamacyde)
Date: Mon Jan 2 14:50:03 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
References:
Message-ID:

Sorry, the info in the message above is imprecise. Please delete this message and the one above it.

"spamacyde" wrote in message news:dpbu7k$hga$1@news.spamcop.net...
> This is for tracker:
>
> http://www.spamcop.net/sc?id=z850910536z9de25e6bbbd2b296dea83bab360b5515z
>
> The Spamcop parser failed to find the link http://m894.net.
>
> Seems pretty easy to me. Also when I look up the IP address associated
> with the link on arin.net, 63.251.92.195,
>
> I get
>
> Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
> 63.251.0.0 - 63.251.255.255
> Gamedyne PNAP-SEF-GAMEDYNE-DC-01 (NET-63-251-0-0-2)
> 63.251.0.0 - 63.251.0.255
>
> Well, which ISP is it?
>
> Thanks
>
>

From MikeE at ster.invalid Mon Jan 2 11:50:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 14:55:07 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
References:
Message-ID:

spamacyde wrote:
> This is for tracker:

Good job! :-)

www.spamcop.net/sc?id=z850910536z9de25e6bbbd2b296dea83bab360b5515z

>
> The Spamcop parser failed to find the link http://m894.net.

Correct. The problem is that the spam wasn't properly constructed. SC pays attention to construction information in the mail's headers:

Content-Type: text/html; charset="us-ascii"

so SC expects to find a normal html construction in the spambody, but that doesn't happen. Instead there is a 'primitive' markup language. I'm not a markup language expert, so I don't know how to name it or characterize it, but it isn't 'legitimate' html, so the embedded html-ish link isn't recognized by SC.

The question of whether SC should be able to find that link or not is a legitimate discussion here.

If I recreate that spam and open it with my mailuser agent and its browser rendering engine operational, the item is 'correctly' rendered as the spammer intended

> Seems pretty easy to me. Also when I look up the IP address
> associated with the link on arin.net, 63.251.92.195,

That's not what I get. I also don't get what SC got.
Currently, as of this moment, I get 69.25.142.3

You can also get the notify information from SC, by putting in the link nakedly into the parser.

Parsing input: http://m894.net
Host m894.net (checking ip) = 64.74.96.243
host 64.74.96.243 (getting name) no name
Reporting addresses:
abuse@internap.com

.... which you will notice is different from yours and mine. So, I would say there's some hocus-pocus going on with the nameservice, so we should attack that.

> Internap Network Services NETBLK-PNAP-11-99 (NET-63-251-0-0-1)
> 63.251.0.0 - 63.251.255.255
> Gamedyne PNAP-SEF-GAMEDYNE-DC-01 (NET-63-251-0-0-2)
> 63.251.0.0 - 63.251.0.255
>
> Well, which ISP is it?

You did something wrong in your lookup. The IP you were working with was 63.251.92.195 which doesn't live in the Gamedyne block you are showing there, since the gamedyne block has a '0' or zero in the 3rd octet -- whereas your target has a '92' in the 3rd octet.

For this exercise on the IP you got, we'll work this because the demonstration is similar:

whois -h whois.arin.net 63.251.92.195 ...
Internap Network Services 63.251.0.0 - 63.251.255.255
OrgAbuseEmail: abuse@internap.com
eNom 63.251.92.192 - 63.251.92.255
OrgAbuseEmail: abuse@internap.com

Notice that 'my' arin lookup which sez enom instead of gamedyne has a '92' in the 3rd octet.

But, we are/ I am/ nattering over a faulty arin lookup, when we should be more interested in why you and I and SC all got different resolutions for the spamvertised site.

Maybe it is because everything is so fresh:

Domain Name: M894.NET
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: DNS1.NAME-SERVICES.COM
Name Server: DNS2.NAME-SERVICES.COM
Name Server: DNS3.NAME-SERVICES.COM
Name Server: DNS4.NAME-SERVICES.COM
Name Server: DNS5.NAME-SERVICES.COM
Status: REGISTRAR-LOCK
Updated Date: 01-jan-2006
Creation Date: 01-jan-2006
Expiration Date: 01-jan-2007

Maybe yesterday things were different.
I resolved it several times, and every time I got this IP and this structure:

Canonical name: m894.net
Addresses: 69.25.142.3

which has a similar structure of parent and child as the one I did above:

whois -h whois.arin.net 69.25.142.3 ...
Internap Network Services 69.25.0.0 - 69.25.255.255
eNom 69.25.142.0 - 69.25.142.63

which has the same notifies

BTW, I also ran it in SC several times, and SC's resolver always got a different IP than I

Parsing input: http://m894.net
Routing details for 64.74.96.243

Aha! now I'm getting differing and alternating results

Parsing input: m894.net
Host m894.net (checking ip) = 212.118.243.115
host 212.118.243.115 (getting name) no name

I'll quit now, this variability could go on all day.

--
Mike Easter
kibitzer, not SC admin

From kjz at despammed.com Mon Jan 2 21:00:58 2006
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Mon Jan 2 15:05:02 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:

> Parsing input: http://m894.net
> Host m894.net (checking ip) = 64.74.96.243
> host 64.74.96.243 (getting name) no name
> Reporting addresses:
> abuse@internap.com

Without seeing the spam I will predict:

It's a redirector from eNom/Internap to another website, this spamvertized website is for mortgage leadz and the spammer is A. P. from UA.

- kjz

From MikeE at ster.invalid Mon Jan 2 12:38:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 15:40:02 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
References:
Message-ID:

Karl-Josef Ziegler wrote:
> Mike Easter wrote:
>
>> Parsing input: http://m894.net
>> Host m894.net (checking ip) = 64.74.96.243
>> host 64.74.96.243 (getting name) no name
>> Reporting addresses:
>> abuse@internap.com
>
> Without seeing the spam I will predict:
>
> It's a redirector from eNom/Internap to another website,
> this spamvertized website is for mortgage leadz and the
> spammer is A. P. from UA.
http://m894.net redirects to http://o12933.com at 202.65.99.20

inetnum: 202.65.99.20 - 202.65.99.20
netname: BB099020
country: HK
e-mail: wmma@hkabc.net

spamhaused /32 http://www.spamhaus.org/SBL/sbl.lasso?query=SBL36175

payload is mortgage spamvertising

The domainname is discussed in the long discussion about Alex Polyakov in this nanae message

From: "Spam Reporting"
Newsgroups: news.admin.net-abuse.email
Subject: Re: Mortgage phisher and fake diploma spammer [LONG POST]
Message-ID: <5pStf.40114$dO2.13105@newssvr29.news.prodigy.net>
Date: Sun, 01 Jan 2006 15:18:25 GMT

snurled googleup to that part of the long thread http://snipurl.com/l88g

--
Mike Easter
kibitzer, not SC admin

From AHaumer_gmxnet at nopspam.invalid Mon Jan 2 21:50:40 2006
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Mon Jan 2 15:55:03 2006
Subject: [SpamCop-List] SC down?
Message-ID: <43B99220.9EAE4A61@nopspam.invalid>

by mail submitted spam seems to vanish in a black hole,
I get no messages back to finish reporting ...

--
Toni

From MikeE at ster.invalid Mon Jan 2 13:05:38 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Jan 2 16:10:04 2006
Subject: [SpamCop-List] Re: SC down?
References: <43B99220.9EAE4A61@nopspam.invalid>
Message-ID:

Anton Haumer wrote:
> by mail submitted spam seems to vanish in a black hole,
> I get no messages back to finish reporting ...

I've email submitted two batches of spam today, one about 7 AM PST which was replied about 10 AM and one about 10 AM which hasn't been replied as of 1 PM.

Times all PST = UTC -0800

Yesterday's and preceding all replied.

--
Mike Easter
kibitzer, not SC admin

From mwnospam at comcast.net Mon Jan 2 16:17:45 2006
From: mwnospam at comcast.net (spamacyde)
Date: Mon Jan 2 16:20:03 2006
Subject: [SpamCop-List] Re: Spamcop fails to resolve link
References:
Message-ID:

Ok, I have no idea what "redirection" is.
The link is not very cosmetic or enticing; spammy is just playing games, probably knows that I will report the message to Spamcop and probably rea