From nobody at spamcop.net Wed Mar 1 02:24:34 2006
From: nobody at spamcop.net (N. Miller)
Date: Wed Mar 1 05:30:15 2006
Subject: [SpamCop-List] Re: New spam-hosts are blocking spamcop DNS queries
References:
Message-ID:

On Tue, 28 Feb 2006 20:54:10 -0500, Galen wrote:

> I did notice a familiar face around here by the name of N. Miller. If you've
> never visited their newsgroups then, well, he can probably attest to the
> (trying to be nice to them here) familiarity with Usenet found in the
> average poster. You can take a gander yourself if you'd like. If you've
> never been there and are 'old school' newsgroup then, well, I'd suggest
> windowsxp.general for a good indication. Hah! Wait until you intersperse or
> snip! That's a great load of fun.

Heh. About half the posters use the Web access, and can't find their way back to their posts. And the MSFT lovers who bash the old school Usenet posters can be downright snotty when the "religious" wars over top/bottom posting flare up!

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From / at /.cn Thu Mar 2 00:30:21 2006
From: / at /.cn (Petzl)
Date: Wed Mar 1 08:35:04 2006
Subject: [SpamCop-List] Mail server listed when Port 25 is blocked?
Message-ID:

210.50.76.196

I know they are bouncing emails but it seems this email server is being reported for spamming
Wondering if someone has not set mail hosts or is the server compromised

***ounce****
- These recipients of your message have been processed by the mail server:
(X); Failed; 5.1.2 (bad destination system address)

Remote MTA mail.(X): network error

- SMTP protocol diagnostic: 550 Limit exceeded Found 210.50.76.196 in orbs recent cache, action (deny) (bl.spamcop.net)
********
Petzl

From nobody at nowhere.invalid Wed Mar 1 14:51:26 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 1 08:55:03 2006
Subject: [SpamCop-List] Re: New spam-hosts are blocking spamcop DNS queries
References:
Message-ID:

On Tue, 28 Feb 2006 20:54:10 -0500, Galen coughed into spamcop and left this in :

> My reply hidden, you'll have to hunt for it... Well, no, not really: LOL :)

> [...] if that bit telling them where the response was located was NOT
> there then every other day I'd get people telling me that top-posting
> is the right place (umm, I'm not sure where they came up with that)

That's default Outleak Suxpress behaviour for you... That particular virus dissemination engine^W^W^W mailer and newsreader has probably done more to destroy e-mail and USENET than any other piece of software in existence.

> I'd get people posting back saying that they can't find my answer. You
> probably think I'm kidding or exaggerating...

Oh no, not at all. I've seen too many kl00bies in action who think that Internet Explorer or AOL *is* the Internet to think that you're kidding.

> If you've never been there and are 'old school' newsgroup then, well,
> I'd suggest windowsxp.general for a good indication. Hah! Wait until
> you intersperse or snip! That's a great load of fun.

Pass. Thanks anyway :) I have no reason whatsoever to saunter into a Microsoft newsgroup. I think the clue-vacuum might be hard to withstand.
None of my PCs are infected with Windows, and Microsoft's licensing scheme is a huge swindle anyway.

> So yeah, I suck... Sorry for treating you all like a bunch of newbies
> but, well, that's generally what I seem to find the vast majority of
> times I answer.

I can understand that. However, while there's nothing wrong in being a newbie, that status is supposed to wear off after a certain amount of time, and yet you still get so-called IT professionals behaving like newbies for years on end. *sigh*

> Can I blame it on having been dumbed down by years of end-user
> support? Please?

Ouch! That is one hell of an unenviable job. Buy yourself a waterproof cover for your keyboard. You'll need one to protect it from the drool soon :)

--
Steve
Profanity is the one language all programmers know best.

From MikeE at ster.invalid Wed Mar 1 06:52:11 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 09:55:02 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

Petzl wrote:

> I know they are bouncing emails but it seems this email server is
> being reported for spamming

'it seems'? What does 'it seems' mean in this context? What clues or evidence do you have about the server being a 'real' source of spam?

The SC listing sez

210.50.76.196 listed in bl.spamcop.net
will be delisted automatically in approximately 10 hours
has sent mail to SpamCop spam traps
users have reported system as a source of spam about 20 times
administrator has already delisted this system once
past 283.4 days, it has been listed 8 times for a total of 5.7 days

I see a misdirected bounce from it in sightings from Dec. If it is hitting spamtraps with misdirected bounces, why couldn't it also be hitting reporters with misdirected bounces?

> Wondering if someone has not set mail hosts or is the server
> compromised ***ounce****

But you haven't expressed /why/ you are wondering that, on what basis.
> - SMTP protocol diagnostic: 550 Limit exceeded Found 210.50.76.196
> in orbs recent cache, action (deny) (bl.spamcop.net)

The principal output servers from iprimus

210.50.30.196  smtp01.syd.iprimus.net.au  Y  5.5  5.1
210.50.76.196  smtp02.syd.iprimus.net.au  Y  5.4  5.1
210.50.30.76   mx01.syd.iprimus.net.au    Y  5.5  5.0
210.50.76.76   mx02.syd.iprimus.net.au    Y  5.5  5.0

If you go to senderbase, you can find hundreds of other IPs with sufficient output to be 'noted' by senderbase, and many many of them are listed one place or another, including spamcop and CBL.

I would say that iprimus isn't doing a good job of securing its user IPs which are generating spam.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Mar 1 07:03:10 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 10:05:02 2006
Subject: [SpamCop-List] Re: New spam-hosts are blocking spamcop DNS queries
References:
Message-ID:

Galen wrote:

> I'm Galen - one of the Microsoft MVPs in the Shell/User category - and
> frequently post many answers in the Microsoft Newsgroups.

I specifically blame the MS MVPs for the sad state of affairs in the MS groups. There are plenty of other newsgroups full of clueless newbies posting questions and replies, and none are in the sad condition which the 'brilliant' MVP leadership has caused the MS groups to be in.

When there are groups with newbies asking questions and gurus answering them, it is the gurus which ride herd on the group and teach them how to behave and how to participate in newsgroups.

I don't know the basis for the MVPs either stupidly topposting themselves and setting a bad example for the newbies or not helping by giving good advice about posting properly.

They *should be* striking a proper balance between helping/encouraging the groups reform to proper trimmed and contextualized posts but sometimes just letting some topposts go instead of continuously harping on the matter.
Instead, newbies go to the MS groups to learn about something, and they come out believing that top posting is the way to communicate in groups.

Very bad MVPs and those MVPs have had an adverse effect on newsgroups as a whole.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Mar 1 10:05:51 2006
From: nobody at spamcop.net (Ellen)
Date: Wed Mar 1 11:40:04 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

"Petzl" wrote in message news:du47lq$7nj$1@news.spamcop.net...
> 210.50.76.196
>
> I know they are bouncing emails but it seems this email server is being
> reported for spamming
> Wondering if someone has not set mail hosts or is the server compromised
> ***ounce****

It was legit spam not a reporting error. Iprimus is aware of the problem and has taken actions to stop the problem. We have been talking to them.

Ellen

From wb8tyw at qsl.network Wed Mar 1 11:21:47 2006
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Wed Mar 1 12:25:03 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

In article , "Eduard" writes:

> What I was trying to say is that most of our lists exists for over 7 years
> already, and when these lists were created, double-opt-in was the norm. We
> did change these lists afterwards, but we also have on some of our lists 20
> 000 members, who have subscribed to it. From a technical point of view I
> agree that the best way forward would be to start a new clean list, but
> unfortunately are we in a News environment, and people are already unwilling
> to re-confirm their subscription. They are already mailing the editor of the
> site to ask why they should reconfirm.

Many of the mailing lists that I am on require a periodic positive confirmation that I still want to receive their mailings.
A google search on the domains associated with this thread shows that there is a news organization associated with the domains under discussion.

You need to figure out how the spamtrap e-mail addresses got into the list. You should be able to isolate what e-mail addresses were subscribed to your lists from the period of time just before the spamcop.net listing appeared. That is assuming that it was a mailing list that triggered the listing. During that time period it should not have been a large number of new subscriptions unless you have a very high turnover rate.

It is possible that a spammer was using your subscription process to try to identify a spamtrap, but it is more likely that the spamtrap got into your mailing list from an automated program, or from a purchased list.

Viruses spoof spamtrap e-mail addresses all the time, and if you have an e-mail address that automatically adds the alleged from: address to a mailing list, without requesting a confirmation with a unique code, then over time that mailing list will become loaded with spamtraps and spam victim's e-mail addresses.

The other method that spammers will abuse a legitimate service is if it has a "refer a friend" form. There are apparently spammer tools that can use some of those web forms as if they are an open relay, especially if they allow a personalized message to be added to the referral. The spammer trick is to enter HTML into the message that makes the spam the most visible.

The titles shown in the samples posted by the deputies look like ones most commonly found in get rich quick scams. This indicates that you may be mailing stuff that you are not aware of, even though I can not find any other reports of this.

But be aware that many of the people who would post such public spam reports may not be accepting e-mail from I.P. addresses in your country or continent unless they white list the source.
And also be aware that a large number of commercial spam filtering products just silently delete e-mail suspected to be spam.

Usually when a real mail server is blocked for something other than backscatter, I can find such evidence. In this case, I have not been able to.

And to add to the chorus, double-opt-in is spammer speak for being able to either get two spam runs to an e-mail address without getting their e-mail rejected or that the recipient had an insecure mail reader that tripped a web-bug to confirm delivery.

Spammers routinely use that term to advertise lists that they sell to other spammers to try to claim that what they do is not spamming.

-John
wb8tyw@qsl.network
Personal Opinion Only

From PossumTrot at dont.spam.me Wed Mar 1 09:41:23 2006
From: PossumTrot at dont.spam.me (Possum Trot)
Date: Wed Mar 1 12:45:02 2006
Subject: [SpamCop-List] Re: [ot] Busted a telemarketer!
References:
Message-ID:

"Ben" wrote in message news:dtr7m1$1qf$1@news.spamcop.net...
>I busted me a telemarketer double-big-time and the State Attorney General
>is going to speak with them.
>
>>
> Two days after I placed the complaint with the AGO, I got a friendly
> letter back thanking me for the report. It was a "we are moving forward on
> your complaint" letter. They reminded me of some of the statutes and
> regulations that were broken from my description and reminded me that I
> have the right to sue for $500.00.
>
> The state I believe gets up to $10,000.00 per violation, kind of like the
> FTC getting $11.000.00 per violation of Do-Not-Call. Unfortunately that
> means I must get in line. But knowing that the AGO is interested may be
> sufficient.
>
> I was a little surprised at their reply but encouraged nonetheless.
>
> Now, if we can only get that kind of traction against spammers.

Ben, there are similar laws regarding spam sent to residents or through ISPs in the state of Washington, and the state Supreme Court has upheld the suits.
At least one person in the Seattle area has collected on a judgment against spammers. The law is RCW 19.190.

From nobody at spamcop.net Wed Mar 1 12:47:19 2006
From: nobody at spamcop.net (indigo)
Date: Wed Mar 1 12:50:03 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

Ellen wrote:
>
> It was legit spam not a reporting error.

"Legit spam"?! Both words in the same sentence? The horrors, the horrors......

From nobody at spamcop.net Wed Mar 1 12:56:52 2006
From: nobody at spamcop.net (Ellen)
Date: Wed Mar 1 13:10:02 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

"indigo" wrote in message news:du4mne$iam$1@news.spamcop.net...
>
>
> Ellen wrote:
> >
> > It was legit spam not a reporting error.
>
> "Legit spam"?! Both words in the same sentence? The horrors, the
> horrors......
>
>

real? bona fide? downright dirty nasty scummy scammy spam?

:-)

Ellen

From nobody at spamcop.net Wed Mar 1 13:13:11 2006
From: nobody at spamcop.net (indigo)
Date: Wed Mar 1 13:15:03 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

Ellen wrote:

> "indigo" wrote in message
> news:du4mne$iam$1@news.spamcop.net...
> >
> >
> > Ellen wrote:
> > >
> > > It was legit spam not a reporting error.
> >
> > "Legit spam"?! Both words in the same sentence? The horrors, the
> > horrors......
> >
> >
>
> real? bona fide? downright dirty nasty scummy scammy spam?
>
> :-)
>

Ah, much better. Thanks, I was worried there for a second that the bad guys had finally gotten to you ;-)

From remaker at cisco.com Wed Mar 1 10:51:18 2006
From: remaker at cisco.com (Phillip Remaker)
Date: Wed Mar 1 13:55:03 2006
Subject: [SpamCop-List] 209.86.89.69 (earthlink)
Message-ID:

DNS lookups for 209.86.89.69 at bl.spamcop.net say it is a spammer.

"Blocked - see http://www.spamcop.net/bl.shtml?209.86.89.69"

But going to the URL

http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69

I see

209.86.89.69 not listed in bl.spamcop.net

I had to poke a hole for that IP. But what happened? I ended up blocking earthlink users.

I see a note on net abuse-sightings for 2/22... How did it not cycle out of the DNS lookup?

From nobody at devnull.spamcop.net Wed Mar 1 11:21:14 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Wed Mar 1 14:25:03 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

"John E. Malmberg" wrote...

> It is possible that a spammer was using your subscription process to try
> to
> identify a spamtrap, but it is more likely that the spamtrap got into your
> mailing list from an automated program, or from a purchased list.
>
> Viruses spoof spamtrap e-mail addresses all the time, and if you have an
> e-mail address that automatically adds the alleged from: address to a
> mailing
> list, without requesting a confirmation with a unique code, then over
> time
> that mailing list will become loaded with spamtraps and spam victim's
> e-mail
> addresses.

I am having a hard time figuring out how the spammer or the virus above knows what the email address of the spamtrap is. When SpamCop chooses an email address for a spamtrap, don't they pick something difficult to guess?

Then again, I get a fair number of webmaster@, sales@, and support@ spams on domains that have never had such email addresses, so perhaps some spamcop spamtraps use those easy-to-guess prefixes?

G.M.

From jeffg at spamcop.net Wed Mar 1 14:39:33 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 14:45:03 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Phillip Remaker wrote:

> DNS lookups for 209.86.89.69 at bl.spamcop.net say it is a spammer.

At what nameserver(s), and when?
> "Blocked - see http://www.spamcop.net/bl.shtml?209.86.89.69"
>
> But going to the URL
>
> http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69
>
> I see
>
> 209.86.89.69 not listed in bl.spamcop.net
>
> I had to poke a hole for that IP. But what happened? I ended up
> blocking earthlink users.
>
> I see a note on net abuse-sightings for 2/22... How did it not cycle
> out of the DNS lookup?

"ISP does not wish to receive report regarding 209.86.89.69
ISP does not wish to receive reports regarding 209.86.89.69 - no date available"

Report History for 209.86.89.69 shows:

--
Thanks and Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From bar_n0ne at hotmail.com Wed Mar 1 13:44:18 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Mar 1 14:45:07 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

"Anonymous" wrote in message news:du4s8h$lpp$1@news.spamcop.net...
>
> I am having a hard time figuring out how the spammer or the virus above
> knows
> what the email address of the spamtrap is.
> When SpamCop chooses an email
> address for a spamtrap, don't they pick something difficult to guess?
>
> Then again, I get a fair number of webmaster@, sales@, and support@ spams
> on domains that have never had such email addresses, so perhaps some spamcop
> spamtraps use those easy-to-guess prefixes?

Some, including spammers, claim that it is very easy nowadays to map spamtrap addresses, with a relatively small number of spam runs. Probably, the short time between hitting traps and getting listed is used in such a process.

Nevertheless, if the OP's newsletters used a proper closed loop opt in process, then the only mails a spamtrap should receive are subscription confirmations, which is apparently inconsistent with reports of the type of spam (legit? spam) received according to Ellen.

Further, so what, if a spamtrap is the webmaster. etc [at] my.little.vanity.domain, why should that account get spam? If the domain does no business and communicates with no one and is not advertized, then the only mail it should receive is from the hoster, registrar and maybe Internic. It's certainly a great way to get host/webmaster spams id'd fast.

From jeffg at spamcop.net Wed Mar 1 14:52:18 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 14:55:02 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

Anonymous wrote:

> I am having a hard time figuring out how the spammer or the virus
> above knows
> what the email address of the spamtrap is. When SpamCop chooses an
> email address for a spamtrap, don't they pick something difficult to
> guess?

Yes, but then they seed the addresses in places that include hidden areas on web pages, where humans aren't supposed to look.

> Then again, I get a fair number of webmaster@, sales@, and support@
> spams on domains that have never had such email addresses, so perhaps
> some spamcop spamtraps use those easy-to-guess prefixes?
Those mailbox names are mandated (if the functions exist) by the RFC #2142 Mailbox Names for Common Services, not an Internet Standard yet, at http://www.rfc-editor.org/rfc/rfc2142.txt .

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From MikeE at ster.invalid Wed Mar 1 12:09:30 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 15:10:03 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Phillip Remaker wrote:

> DNS lookups for 209.86.89.69 at bl.spamcop.net say it is a spammer.
>
> "Blocked - see http://www.spamcop.net/bl.shtml?209.86.89.69"

Currently at senderbase the lookup sez it is listed
http://www.senderbase.org/search?searchString=209.86.89.69
Real-time blacklists [ Click to view all ]
bl.spamcop.net http://spamcop.net/w3m?action=checkblock&ip=209.86.89.69

But it is not unusual for some lookup to be incorrect compared to the spamcop.net web gizmo.

> But going to the URL
>
> http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69
>
> I see
>
> 209.86.89.69 not listed in bl.spamcop.net

That is also what I see at the spamcop web gizmo.

> I had to poke a hole for that IP. But what happened? I ended up
> blocking earthlink users.

EL servers can easily get themselves blocklisted, since EL has a spamblocker which has an abusive configuration of performing challenges.

The default configuration of the EL spamblocker is medium. EL's medium spamblocker is quite leaky. EL admin advises people who are unhappy with EL's leaky medium spamblocker setting to reconfigure to spamblocker high.

EL's default configuration for spamblocker high is to send spamblocker medium spam to the known spam folder, to send whitelisteds to the Inbox, and to send everything else to the Suspect folder.

Everything which lands in the suspect folder is challenged, which includes all of the spam which leaked past spamblocker medium.
Those challenges are all going to bogus Froms and the bogus Froms include spamtraps and spamcop reporters. As a result, EL servers get blocklisted and EL customers have trouble with their mail delivery.

I have not been able to convince the EL mail admins to use a default configuration on the spamblocker high setting to turn challenges off. Challenging spam is an abusive activity for a server, even if some of the spam has already been filtered.

> I see a note on net abuse-sightings for 2/22... How did it not cycle
> out of the DNS lookup?

I'm sure the EL server gets itself listed and unlisted all the time. This recent discrepancy is most likely from being listed and unlisted again.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Mar 1 17:17:14 2006
From: nobody at devnull.spamcop.net (Brian Stevens)
Date: Wed Mar 1 17:20:03 2006
Subject: [SpamCop-List] DBSBL (ip4r) blocks all incoming messages
Message-ID:

I run MS Windows 2000 Server/Exchange 2000 Server on a dynamic address and as long as I route outgoing mail through my ISP everything has been working fine. Incoming messages also reach me directly courtesy of DNS2Go.com's dynamic DNS service without problem.

Recently I upgraded to Symantec Mail Security for MS Exchange version 5.0. This version allows me to block spammers using ip4r (DNSBL) lookups. I have the same software configuration running at several customer sites with static IPs and it has very successfully reduced spam. I always use the following black lists:

bl.spamcop.net (see http://www.spamcop.net).
sbl-xbl.spamhaus.org (see http://www.spamhaus.org)

On my site when I try using these same black lists ALL incoming messages are rejected with "550 5.2.1 refused: spam site" no matter who sends the message.

My IP is not listed on any BL sites and I do not have an open proxy. I use the MS ISA 2000 firewall and keep up to date on patch levels for all software.
I know that starting a couple of years ago many black lists will refuse messages sent from dynamic IPs which is why I send through my ISP's servers now. So does using a DNSBL also block incoming mail from reaching a dynamic ip as well? So far I haven't found any evidence of this. From jeffg at spamcop.net Wed Mar 1 17:24:07 2006 From: jeffg at spamcop.net (Jeff G.) Date: Wed Mar 1 17:25:03 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: Brian Stevens wrote: > So does using a DNSBL also block incoming mail > from reaching a dynamic ip as well? It shouldn't. I suggest interrogating that list's DNS servers and your ISP's DNS servers for that list's records manually from your server and from elsewhere, to see if you can determine why it appears to block all incoming mail. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From nobody at nowhere.invalid Wed Mar 1 23:45:44 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Wed Mar 1 17:50:03 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: On Wed, 1 Mar 2006 17:17:14 -0500, Brian Stevens coughed into spamcop and left this in : > I know that starting a couple of years ago many black lists will > refuse messages sent from dynamic IPs which is why I send through my > ISP's servers now. So does using a DNSBL also block incoming mail from > reaching a dynamic ip as well? So far I haven't found any evidence of > this. You're not going to like what I have to say but it has to be said. If you're not aware that the use of DNSBLs on an MX has nothing to do with and is in no way influenced by the IP address of that MX, you shouldn't be running an MX. Secondly, if the MX software you're using doesn't have the ability to use DNSBLs built-in and requires the use of a third-party extension, maybe you should be looking at something slightly more modern, like post-1980s. 
Thirdly, many here, myself included, are of the opinion that M$-sExchange shouldn't be exposed directly to a public network and that it should be front-ended by a real MTA such as Postfix, Exim or sendmail running on a Unix machine. In short, you're using an unsecure and feature-poor product on an unsecure O/S, while not knowing the mechanics of mail delivery. Believe me, you have bigger problems than trying to get your DNSBL extension not to reject all inbound mail. -- Steve Television -- a medium. So called because it is neither rare nor well done. -- Ernie Kovacs From nobody at devnull.spamcop.net Wed Mar 1 14:25:40 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Wed Mar 1 17:55:02 2006 Subject: [SpamCop-List] Re: Need help To get our system setup correctly References: Message-ID: "Jeff G." wrote in message news:du4u1j$n0d$1@news.spamcop.net... > Anonymous wrote: > >> I am having a hard time figuring out how the spammer or the virus >> above knows what the email address of the spamtrap is. When >> SpamCop chooses an email address for a spamtrap, don't they >> pick something difficult to guess? > > Yes, but then they seed the addresses in places that include hidden > areas on web pages, where humans aren't supposed to look. Correct me if my thinking has gone awry here... The above seems to imply that anyone who comes here complaining about how "somehow" he ended up with such spamtraps on his mailing list either ran a spambot that searches webpages for email addresses, or he bought a list from somebody who ran a spambot that searches webpages for email addresses. Such a spambot will find spamtraps, but they will be hidden in a crowd among a much larger number of non-spamtrap addresses. 
Thus I find it hard to believe that someone sneaky subscribed a spamtrap address (leaving aside the fact that such an address wouldn't respond to a confirmation email and thus would take itself off a well-managed list) or hard-coded the spamtrap address into a virus -- how would they know which address in their collection is the spamtrap? I also find it hard to believe that a virus got the spamtrap address from an outlook contacts list - how could it have gotten there?

Am I thinking correctly here or am I missing something?

G.M.

From g.hyde at bigpond.net.au Thu Mar 2 09:34:50 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Wed Mar 1 18:35:02 2006
Subject: [SpamCop-List] Another paypal phish - get it while it's still in existence!
Message-ID:

http://www.spamcop.net/sc?id=z888543457z03559936fd467438961242d0108db6d9z

These guys are so dumb they should line themselves up for the mugshot camera. It's being sent to the spoof@ address as I speak, so it won't be active for long!

Cheers ...

Geoffrey Hyde

From MikeE at ster.invalid Wed Mar 1 16:43:09 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 19:45:03 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

Anonymous wrote:
> Correct me if my thinking has gone awry here...

I'm going to disregard everything you and Jeff or anyone else has said before here, because I don't understand what you and Jeff were talking about, so I'm going to respond more or less 'cold' -- except that I am assuming that the general context of what you are saying below is based on the fact that this thread is about a person who has servers which are putting out over a hundred mailing lists and which servers are getting themselves spamcop blocklisted because they hit spamcop spamtraps and nothing else, no other spamtraps, no reporters, no sightings, no other blocklists. As if 'some' mailing lists have a problem 'only' with spamcop spamtraps.
Further, altho' it has been alleged that [some of] those mailing lists have some kind of acceptable 'process' for their creation and management, perhaps that only means that one or more out of over a hundred have proper creation and management processes while one or more of over a hundred is decidedly a dirty list. Maybe all but one is totally dirty. Maybe only one is dirty. Who knows? We only know that in the collection of lists there are dirty lists and we don't know how dirty they are or how wonderful some of the other lists are. > The above seems to imply that anyone who comes here complaining > about how "somehow" he ended up with such spamtraps on his > mailing list either ran a spambot that searches webpages for email > addresses, or he bought a list from somebody who ran a spambot > that searches webpages for email addresses. I wouldn't imply anything. The business of how spamtraps get onto a mailing list is anyone's guess. Maybe someone has some spamtrap addresses and forge subscribed them and there was no process for confirmation. Maybe the guardian of the mailing list bought some names to add to the mailing list. Maybe the guardian of the list is personally running a webspider spambot to put things onto the list. The business of how the list came to be dirty is that there was not a proper confirmation process prior to adding an address to a list. That part is actually very simple. > Such a spambot will > find spamtraps, but they will be hidden in a crowd among a much > larger number of non-spamtrap addresses. Correct, but I can't see where this is going. A spider harvests addresses. Some of them are spamtraps, some are not. So what? Or, so where does that take us? 
> Thus I find it hard to > believe that someone sneaky subscribed a spamtrap address > (leaving aside the fact that such an address wouldn't respond to > a confirmation email and thus would take itself of a well-managed > list) or hard-coded the spamtrap address into a virus -- how would > they know which address in their collection is the spamtrap? I also > find it hard to believe that a virus got the spamtrap address from > an outlook contacts list - how could it have gotten there? I have no idea what is going on in the sentences between 'Thus' and 'there?' > Am I thinking correctly here or am I missing something? Somehow I sense that you are trying to make something more complicated of something that is probably like what I described in 'I wouldn't imply anything." par. -- Mike Easter kibitzer, not SC admin From nospam at nospam.org Thu Mar 2 03:08:39 2006 From: nospam at nospam.org (Ejo) Date: Wed Mar 1 21:10:02 2006 Subject: [SpamCop-List] Sluggish response Message-ID: Submitting spam via the web-form is very slow at the moment. From nospam at nospam.org Thu Mar 2 03:18:47 2006 From: nospam at nospam.org (Ejo) Date: Wed Mar 1 21:20:03 2006 Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink) In-Reply-To: References: Message-ID: Phillip Remaker wrote: > DNS lookups for 209.86.89.69 at bl.spamcop.net say it is a spammer. > > "Blocked - see http://www.spamcop.net/bl.shtml?209.86.89.69" > > But going to the URL > > http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69 > > I see > > 209.86.89.69 not listed in bl.spamcop.net It is listed now. Another useful check is: http://openrbl.org/client/#209.86.89.69 and also here you'll see that the IP is listed in spamcop. Actually, the latter would be a useful check during the review of recent reports. I always want to see whether my submitted reports are picked up by the system and whether the list status in spamcop is unique compared to other lists. > > I had to poke a hole for that IP. But what happened? 
I ended up blocking
> earthlink users.
>
> I see a note on net abuse-sightings for 2/22... How did it not cycle out of
> the DNS lookup?
>
>

From nobody at devnull.spamcop.net Thu Mar 2 11:56:44 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Wed Mar 1 22:00:03 2006
Subject: [SpamCop-List] Re: Sluggish response
In-Reply-To:
References:
Message-ID:

Ejo wrote:
> Submitting spam via the web-form is very slow at the moment.

Well, at least I get a response...

An error occurred while processing your request.
Reference #97.8c8f3554.1141267992.a87c193

From eddie at eddie.web Wed Mar 1 21:57:31 2006
From: eddie at eddie.web (eddie)
Date: Wed Mar 1 22:00:06 2006
Subject: [SpamCop-List] Re: Sluggish response
In-Reply-To:
References:
Message-ID:

Ejo wrote:
> Submitting spam via the web-form is very slow at the moment.

I have worse than sluggish. I get an error. "An error occurred while processing your request. Reference #97.xxxxxxxxx..." (xed out for security reasons)

From nobody at devnull.spamcop.net Wed Mar 1 22:11:23 2006
From: nobody at devnull.spamcop.net (Brian Stevens)
Date: Wed Mar 1 22:15:03 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
References:
Message-ID:

> If you're not aware that the use of DNSBLs on an MX has nothing to do
> with and is in no way influenced by the IP address of that MX, you
> shouldn't be running an MX.

My understanding was that it does a lookup of the sending server only but would it not be technically possible for a DNSBL to see who is asking and make the decision to reply that the message should be refused if the requestor was using a dynamic IP? There are bigots who believe that you can't be a responsible net citizen if you are on a dynamic IP. I will disagree until major ISPs like Rogers stop their highway robbery for static IPs. And yes I know why spammers like dynamic and proxies, etc. At one time Rogers provided me a static IP for $60/mth then they dropped support all together.
Two years later they offer it again at $100 for a slower speed link!!! > Secondly, if the MX software you're using doesn't have the ability to > use DNSBLs built-in and requires the use of a third-party extension, > maybe you should be looking at something slightly more modern, like > post-1980s. Many small businesses still use Microsoft Small Business Server 2000 which includes Exchange 2000. Upgrading to SBS 2003 with Exchange 2003 would be nice but would require +$$$ for new hardware and software. I needed to upgrade my Symantec AntiVirus anyway so this kills two birds with one stone. > Thirdly, many here, myself included, are of the opinion that > M$-sExchange shouldn't be exposed directly to a public network and that > it should be front-ended by a real MTA such as Postfix, Exim or sendmail > running on a Unix machine. A front-end/back-end MX is slight overkill for a 5 user network. Why SBS 2000? Because I support it for a number of customers. Why Microsoft? Because many small and large businesses including the likes of Accenture find that using Microsoft products reduces their TCO. The installed base of MS SBS software which supports networks of up to 75 computers is a fast growing segment of the market. By using the included ISA firewall software on a dual NIC server, these networks can be adequately protected from Internet hackers and all violations can be logged to a SQL server for further evaluation. I have been supporting MS Exchange for 10 years and it gets the job done thank you. > In short, you're using an unsecure and feature-poor product on an > unsecure O/S, while not knowing the mechanics of mail delivery. > Believe me, you have bigger problems than trying to get your DNSBL > extension not to reject all inbound mail. Dozens of hackers from all over the world knock on my gateways every day but so far Microsoft with some help from Symantec is keeping them out. 
If you don't know some of the advantages of running Outlook on Exchange server then maybe you shouldn't be taking such a snobbish position. You won't find me trashing UNIX just because I support Microsoft. It has its place and I think many would agree that Microsoft does too.

I certainly wouldn't want to go back to the monopolistic days when "IBM" and "computer" were synonymous terms.

I also learned early in my career that the best technical product doesn't always win the market. That's why I decided in 1995 to join the Microsoft camp. I could see that the future was in small businesses just as in 1974 I decided the future was in personal computers when I started working for Datapoint. Datapoint's computers resembled the PC with an OS much like MS-DOS. Later they invented ARCNET and their next OS (around 1980), RMS was a cross between UNIX and Multics - very secure. Great stuff but dead today!

From MikeE at ster.invalid Wed Mar 1 19:26:05 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 22:30:04 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Ejo wrote:
>> 209.86.89.69 not listed in bl.spamcop.net
>
> It is listed now. Another useful check is:

At this moment, I can't access anything web spamcop.net, but it is listed in the DNS

dns 69.89.86.209.bl.spamcop.net
Canonical name: 69.89.86.209.bl.spamcop.net
Addresses: 127.0.0.2

... but I would like to see what the webgizmo sez. It's just that nothing is accessible

http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69
An error occurred while processing your request.
Reference #97.c32f648.1141269862.c416396

--
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Wed Mar 1 21:27:49 2006
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed Mar 1 22:30:09 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

In article , "Jeff G."
writes: > Anonymous wrote: >> Then again, I get a fair number of webmaster@, sales@, and support@ >> spams on domains that have never had such email addresses, so perhaps >> some spamcop spamtraps use those easy-to-guess prefixes? > > Those mailbox names are mandated (if the functions exist) by the RFC > #2142 Mailbox Names for Common Services, not an Internet Standard yet, > at http://www.rfc-editor.org/rfc/rfc2142.txt . Gee, I read: organizations which support email exchanges with the Internet are encouraged to support AT LEAST each mailbox name for which the associated function exists within the organization. and to me "are encouraged" is quite different from "mandated". From jeffg at spamcop.net Wed Mar 1 22:36:48 2006 From: jeffg at spamcop.net (Jeff G.) Date: Wed Mar 1 22:40:03 2006 Subject: [SpamCop-List] Re: Sluggish response References: Message-ID: Ejo wrote: > Submitting spam via the web-form is very slow at the moment. http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats appears to show that the performance of the SpamCop Parsing and Reporting Service went to hell in a handbasket around 21:40 EST -0500 (02:40 UTC -0000), 54 minutes ago. Its administrators are probably already aware of the issue. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Wed Mar 1 23:09:01 2006 From: jeffg at spamcop.net (Jeff G.) Date: Wed Mar 1 23:10:03 2006 Subject: [SpamCop-List] Re: Need help To get our system setup correctly References: Message-ID: Larry Kilgallen wrote: > In article , "Jeff G." > writes: >> Anonymous wrote: > >>> Then again, I get a fair number of webmaster@, sales@, and support@ >>> spams on domains that have never had such email addresses, so >>> perhaps some spamcop spamtraps use those easy-to-guess prefixes? 
>> >> Those mailbox names are mandated (if the functions exist) by the RFC >> #2142 Mailbox Names for Common Services, not an Internet Standard >> yet, at http://www.rfc-editor.org/rfc/rfc2142.txt . > > Gee, I read: > > organizations which support email exchanges with the > Internet are encouraged to support AT LEAST each mailbox name for > which the associated function exists within the organization. > > and to me "are encouraged" is quite different from "mandated". Sorry, I was not quite precise enough, and RFC2142 is not quite internally consistent enough and was not quite spellchecked enough. RFC2142 Section 1 specifically states that "if a given service is offerred[sic], then the associated mailbox name(es)[sic] must be supported, resulting in delivery to a recipient appropriate for the referenced service or role." So, if an organization offers web service, it must have a working webmaster@, if it offers to sell, it must have a working sales@, and if it offers support, it must have a working support@. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jg at coks.net Wed Mar 1 20:40:39 2006 From: jg at coks.net (jg) Date: Wed Mar 1 23:40:03 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages In-Reply-To: References: Message-ID: On 3/1/2006 7:11 PM Brian Stevens scribbled: > Dozens of hackers from all over the world knock on my gateways every day but > so far Microsoft with some help from Symantec is keeping them out. If you > don't know some of the advantages of running Outlook on Exchange server then > maybe you shouldn't be taking such a snobbish position. You won't find me > trashing UNIX just because I support Microsoft. It has its place and I think > many would agree that Microsoft does too. > whooo haaaa - the scent of a train wreck approaching.... From jeffg at spamcop.net Wed Mar 1 23:38:34 2006 From: jeffg at spamcop.net (Jeff G.) 
Date: Wed Mar 1 23:40:08 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

Anonymous wrote:
> "Jeff G." wrote in message
> news:du4u1j$n0d$1@news.spamcop.net...
>
>> Anonymous wrote:
>>
>>> I am having a hard time figuring out how the spammer or the virus
>>> above knows what the email address of the spamtrap is. When
>>> SpamCop chooses an email address for a spamtrap, don't they
>>> pick something difficult to guess?
>>
>> Yes, but then they seed the addresses in places that include hidden
>> areas on web pages, where humans aren't supposed to look.
>
> Correct me if my thinking has gone awry here...
>
> The above seems to imply that anyone who comes here complaining
> about how "somehow" he ended up with such spamtraps on his
> mailing list either ran a spambot that searches webpages for email
> addresses, or he bought a list from somebody who ran a spambot
> that searches webpages for email addresses. Such a spambot will
> find spamtraps, but they will be hidden in a crowd among a much
> larger number of non-spamtrap addresses. Thus I find it hard to
> believe that someone sneaky subscribed a spamtrap address
> (leaving aside the fact that such an address wouldn't respond to
> a confirmation email and thus would take itself off a well-managed
> list) or hard-coded the spamtrap address into a virus -- how would
> they know which address in their collection is the spamtrap? I also
> find it hard to believe that a virus got the spamtrap address from
> an outlook contacts list - how could it have gotten there?
>
> Am I thinking correctly here or am I missing something?

Please consider the following scenario:

Reporter A visits a particular page on a SpamCop website which contains a particular Spamtrap Email Address A.

The page is cached on Reporter A's hard disk.

Thief A develops or modifies Worm A that can send Thief A personal information from the hard disks of infected people.

Reporter A gets infected with Worm A.

Worm A sends Spamtrap Email Address A (among other data) to Thief A.

Thief A sells Spamtrap Email Address A (among the email addresses collected) to Listdealer A.

Listdealer A adds Spamtrap Email Address A to List A and then "cleans" List A by verifying that email messages to the list members would not immediately produce 500-series errors.

An overaggressive sales weenie at Listdealer A sells List A to an overaggressive marketing weenie at Customer A of Anonymous as confirmed opt-in email addresses, using some mixture of lies, winks, and nudges.

Both weenies get rewarded for their aggressiveness.

Customer A sends an email campaign to List A sourced at IP Address A, including Spamtrap Email Address A.

Spamtrap Email Address A receives one of the messages and causes IP Address A to be listed by the SCBL (or causes the existing listing to be extended to 24 hours from receipt).

Ideally, Customer A gets terminated or at least fined, ISP A gets cleanup fees, both weenies get fired and/or taught lessons, and Thief A and Listdealer A get investigated.

Alternatively:

Customer A runs Insecure Mailing List A, allowing web-based signups without confirmation.

Ruthless Competitor A learns of Customer A's practices, and forge-subscribes Spamtrap Email Address A to Insecure Mailing List A.

Customer A sends an email campaign to Insecure Mailing List A sourced at IP Address A, including Spamtrap Email Address A.

Spamtrap Email Address A receives one of the messages and causes IP Address A to be listed by the SCBL (or causes the existing listing to be extended to 24 hours from receipt).

Ideally, Customer A gets terminated or at least fined, ISP A gets cleanup fees, and Ruthless Competitor A gets investigated.

--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From nobody at nowhere.not Thu Mar 2 04:48:02 2006
From: nobody at nowhere.not (Robert Blair)
Date: Wed Mar 1 23:50:06 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
References:
Message-ID:

On Thu, 2 Mar 2006 03:11:23 UTC, "Brian Stevens" wrote:

> Dozens of hackers from all over the world
> knock on my gateways every day but so far
> Microsoft with some help from Symantec is
> keeping them out.

Good. When I help my friends and neighbors I always install a router with a firewall between windows and the internet. While those routers are not always the best firewalls they are much better than using nothing and/or MS security software (sometimes I think MS and security is an oxymoron).

> If you don't know some of the advantages of
> running Outlook on Exchange server then maybe
> you shouldn't be taking such a snobbish position.

This is something else I do for my friends and neighbors. I always install a different email client and web browser, I do not let them use MS email or browser programs, too risky.

> You won't find me trashing UNIX just because I
> support Microsoft. It has its place and I
> think many would agree that Microsoft does too.

I don't trash MS I just don't use their trash when it is not necessary. And MS puts out a lot of trash on the market.

> I certainly wouldn't
> want to go back to the monopolistic days when
> "IBM" and "computer" were synonymous terms.

The only thing that has changed is the name. At one time it was IBM and computers now it is MS and computers. The difference I see is IBM tried to make a lot of money legally while MS does not care if it is legal or illegal as long as they make money.

> I also learned early in my career that the best
> technical product doesn't always win the market.

That has been true forever. A lot of superior products have gone down to defeat by inferior products.
What we as consumers get out of that deal is we pay a lot of money for junk.

--
Robert Blair

From jeffg at spamcop.net Wed Mar 1 23:48:44 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 23:50:09 2006
Subject: [SpamCop-List] Re: Sluggish response
References:
Message-ID:

Jeff G. wrote:
> Ejo wrote:
>> Submitting spam via the web-form is very slow at the moment.
>
> http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats
> appears to show that the performance of the SpamCop Parsing and
> Reporting Service went to hell in a handbasket around 21:40 EST -0500
> (02:40 UTC -0000), 54 minutes ago. Its administrators are probably
> already aware of the issue.

It's been over two hours now. This appears to be a bigger problem than normal. :(

--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From scamper at trisk.com Wed Mar 1 22:48:06 2006
From: scamper at trisk.com (Garen Erdoisa)
Date: Thu Mar 2 00:50:03 2006
Subject: [SpamCop-List] Re: Sluggish response
In-Reply-To:
References:
Message-ID:

Jeff G. wrote:
> Jeff G. wrote:
>> Ejo wrote:
>>> Submitting spam via the web-form is very slow at the moment.
>>
> http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats
>> appears to show that the performance of the SpamCop Parsing and
>> Reporting Service went to hell in a handbasket around 21:40 EST -0500
>> (02:40 UTC -0000), 54 minutes ago. Its administrators are probably
>> already aware of the issue.
>
> It's been over two hours now. This appears to be a bigger problem than
> normal. :(
>

It would seem so, looking at my mail logs, I'm seeing a bunch of outgoing messages to spamcop that show a deferred status due to connection timeouts with their mail servers.

Looks like the outage started about Mar 2, 2006 02:47 GMT

Definitely not typical of spamcop.
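Added example, not part of any message in this archive: the DNSBL (ip4r) lookup discussed in the threads above (the `69.89.86.209.bl.spamcop.net` query answering `127.0.0.2`), written so the manual interrogation Jeff G. suggests can be repeated against any resolver. The 127.0.0.0/8 answer range and the 127.0.0.2 / 127.0.0.1 test entries are the usual DNSBL convention (RFC 5782), not something stated in the messages; the two stand-in resolvers and their records are constructed so the block runs offline.

```python
"""DNSBL lookup plus a resolver sanity check (added example, constructed data)."""
import ipaddress
import socket

LOOPBACK = ipaddress.IPv4Network("127.0.0.0/8")
ZONE = "bl.spamcop.net"  # zone name taken from the messages above


def dnsbl_query_name(ip, zone):
    """209.86.89.69 + bl.spamcop.net -> 69.89.86.209.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolver(name):
    """Return the A records for name via the host's resolver, [] if none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        # NXDOMAIN, timeouts and SERVFAIL all end up here. A production
        # filter should tell them apart so an outage is not read as
        # "not listed".
        return []


def classify(answers):
    """Turn the A records of a DNSBL query into a verdict.

    no answer           -> "not listed"
    all in 127.0.0.0/8  -> "listed"
    anything else       -> "bogus": something between the filter and the
                           list rewrote the answer; a filter that treats
                           *any* answer as a listing would then reject
                           every sender.
    """
    if not answers:
        return "not listed"
    if all(ipaddress.IPv4Address(a) in LOOPBACK for a in answers):
        return "listed"
    return "bogus"


def check_dnsbl(ip, zone, resolve=system_resolver):
    """Look up the *sending* IP in the list; returns (name, verdict, answers)."""
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    return name, classify(answers), answers


def sanity_check(zone, resolve=system_resolver):
    """Probe the conventional test entries before trusting any verdict.

    127.0.0.2 should always be listed and 127.0.0.1 should never be.
    Returns a list of human-readable problems (empty means healthy).
    """
    problems = []
    for probe, expected in (("127.0.0.2", "listed"), ("127.0.0.1", "not listed")):
        name, verdict, answers = check_dnsbl(probe, zone, resolve)
        if verdict != expected:
            problems.append(f"{name}: expected {expected}, got {verdict} {answers}")
    return problems


# --- constructed stand-ins for a real resolver, so the example runs offline ---
CONSTRUCTED_RECORDS = {
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],     # test entry
    "69.89.86.209.bl.spamcop.net": ["127.0.0.2"],  # mirrors the lookup quoted above
}


def healthy_resolver(name):
    """Constructed: answers only for names that are in the sample records."""
    return CONSTRUCTED_RECORDS.get(name, [])


def rewriting_resolver(name):
    """Constructed: answers every name with the same non-loopback address."""
    return ["192.0.2.1"]


if __name__ == "__main__":
    for label, resolver in (("healthy", healthy_resolver),
                            ("rewriting", rewriting_resolver)):
        print(label, "sanity:", sanity_check(ZONE, resolver) or "ok")
        for ip in ("209.86.89.69", "192.0.2.10"):
            print("  ", check_dnsbl(ip, ZONE, resolver))
```

Calling `sanity_check(ZONE)` and `check_dnsbl(ip, ZONE)` without a resolver argument uses the host's own resolver, which is the path a mail filter on that host would take.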
From nobody at devnull.spamcop.net Thu Mar 2 01:12:36 2006 From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting) Date: Thu Mar 2 01:15:02 2006 Subject: [SpamCop-List] Re: Lighter side of spam In-Reply-To: References: Message-ID: Mike Easter wrote: > Not everyone uses the same kind of scorecard I use for playing the > spamhandling game. Few newsgroups have assets comparable to you, Mike. -- Help fight spam by "educating" the lax, zombie-hosting ISPs: http://pages.infinit.net/filmore/educateYourISP.htm From remaker at suespammers.org Wed Mar 1 23:25:12 2006 From: remaker at suespammers.org (Phillip Remaker) Date: Thu Mar 2 02:30:02 2006 Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink) References: Message-ID: Thanks for the explanation. My problem was that the DNS gizmo was out of sync with the web gizmo. DNSSTUFF reports it blacklisted http://www.dnsstuff.com:8080/tools/ip4r.ch?ip=209.86.89.69 Webgizmo is not listed. http://www.spamcop.net/w3m?action=checkblock&ip=209.86.89.69 From nobody at devnull.spamcop.net Thu Mar 2 17:01:07 2006 From: nobody at devnull.spamcop.net (Patto) Date: Thu Mar 2 03:05:03 2006 Subject: [SpamCop-List] Re: Sluggish response In-Reply-To: References: Message-ID: Jeff G. wrote: > Jeff G. wrote: >> Ejo wrote: >>> Submitting spam via the web-form is very slow at the moment. >> > http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats >> appears to show that the performance of the SpamCop Parsing and >> Reporting Service went to hell in a handbasket around 21:40 EST -0500 >> (02:40 UTC -0000), 54 minutes ago. Its administrators are probably >> already aware of the issue. > > It's been over two hours now. This appears to be a bigger problem than > normal. :( Seems to be back to normal now. From / at /.cn Thu Mar 2 19:24:01 2006 From: / at /.cn (Petzl) Date: Thu Mar 2 03:25:03 2006 Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked? 
References:
Message-ID:

"Mike Easter" wrote in message news:du4cef$bhl$1@news.spamcop.net...
> Petzl wrote:
> I would say that iprimus isn't doing a good job of securing its user IPs
> which are generating spam.

This seems to me to be the worst of scenarios as the IP mentioned is an *email* server which has been compromised!!!! Iprimus blocks port 25 and all SpamCop reports accurately the source of spam so all IP's are secured (as long as the reporter has set up SpamCop properly, which Ellen tells me they have)

This means all email addresses and names going through this server are collected and very possible "read" electronically. As you also know this has been happening from at least December 3rd last year. Iprimus have only just now worried about this after ignoring 1000's of individual reports telling them their server has been compromised

Just another reason not to accept a compulsory email account from a "provider"

Get the only Email address you will ever need
http://www.spamcop.net/ces/individuals.shtml

Petzl

From / at /.cn Thu Mar 2 19:24:43 2006
From: / at /.cn (Petzl)
Date: Thu Mar 2 03:25:08 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

"Ellen" wrote in message news:du4im4$fs4$1@news.spamcop.net...
>
>
> "Petzl" wrote in message news:du47lq$7nj$1@news.spamcop.net...
>> 210.50.76.196
>>
>> I know they are bouncing emails but it seems this email server is being
>> reported for spamming
>> Wondering if someone has not set mail hosts or is the server compromised
>> ***ounce****
>
> It was legit spam not a reporting error. Iprimus is aware of the problem
> and
> has taken actions to stop the problem. We have been talking to them.
>
> Ellen
>

Thanks I already blamed them for not responding to abuse reports since December the 3rd 2005 (maybe before)

Petzl

From MikeE at ster.invalid Thu Mar 2 01:11:19 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Mar 2 04:15:04 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Phillip Remaker wrote:
> Thanks for the explanation. My problem was that the DNS gizmo was
> out of sync with the web gizmo.
>
> DNSSTUFF reports it blacklisted
>
> http://www.dnsstuff.com:8080/tools/ip4r.ch?ip=209.86.89.69
>
> Webgizmo is not listed.
>
> http://www.spamcop.net/w3m?action=checkblock&ip=209.86.89.69

I'm sure the problem is due to it going on and off and on and off again and various databases lag behind. Currently both the webgizmo and my resolver's access are negative.

dns 69.89.86.209.bl.spamcop.net
No DNS for this address

209.86.89.69 not listed in bl.spamcop.net

The most correct information is the webgizmo, even more correct than x.x.x.x.bl.spamcop.net -- and other db/s get their information from bl.spamcop.net.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Thu Mar 2 11:33:31 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Mar 2 05:35:15 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
References:
Message-ID:

On Wed, 1 Mar 2006 22:11:23 -0500, Brian Stevens coughed into spamcop and left this in :

> Dozens of hackers from all over the world knock on my gateways every
> day but so far Microsoft with some help from Symantec is keeping them
> out.

Thousands knock on mine every day but so far iptables and sendmail are keeping them out with nobody's help. 76,440 attempts locked out in January. 75,658 in February. 5,382 this month at 8am local time. That's just port 25. I stopped logging attacks on ports 135 & co. ages ago because of the sheer size of the log files generated.
> If you don't know some of the advantages of running Outlook on > Exchange server then maybe you shouldn't be taking such a snobbish > position. I do recognise some of the advantages of running the Outlook/Exchange combo. In fact, in an int_RA_net environment it's quite good. However, as soon as you start talking Int_ER_net, it all falls to pieces because that's not what it was designed for - or at least if it was, they got many things horribly wrong - and the advantages are not just outweighed, but completely dwarfed by the massive drawbacks of connecting up to the 'Net something which thumbs its nose at RFCs. So, my attitude isn't snobbish, it's the result of (too many) years of dealing with problems that Outlook and Exchange generate for standards-compliant software. > You won't find me trashing UNIX just because I support Microsoft. And I'm not trashing Microsoft just because I use Unix (Linux, FreeBSD and Solaris flavours if you want to know). I think Microsoft does great products for people who don't want to learn about computing, but only as long as the computers they use aren't connected to a network of any kind. Once that happens, it's game over. > It has its place and I think many would agree that Microsoft does too. I do too. It just happens that Microsoft's place is nowhere near an Internet connection. > I certainly wouldn't want to go back to the monopolistic days when > "IBM" and "computer" were synonymous terms. Because "Microsoft" and "computer" aren't synonymous in most people's minds today? > I also learned early in my career that the best technical product > doesn't always win the market. It rarely does when trying to share the market with an 800lb gorilla that has a competing product for sale (regardless of the fact that that competing product doesn't actually do what's written on the box). > That's why I decided in 1995 to join the Microsoft camp. I joined the Microsoft camp around 1989 because there were no real alternatives.
The Atari ST and Amiga were fairly good machines technically (I should know, I used to repair them for a living) but they were basically no more than glorified game consoles. There wasn't much serious software available for them and I didn't have time to write it all myself. Macintosh computers were still way out of my range price-wise, so that left the PC. Aside from the problems in MS-DOS 4 leading to the swift release of version 4.01 with fixed memory management, I thought that MS-DOS was an all-round good product. I rarely ever had any problems with it. By 1996 Windows 95 had landed on computers, and the first version was complete and utter trash. OSR 2.1 was the first really usable system, and we had to wait until, what, late 1997 / early 1998 for that? Then came Windows 98 and IE5, and that's when the problems started for real. I wanted something on which I could actually get work done instead of having to spend vast amounts of money on add-on software to protect my PC and having to worry about getting infected anyway. That's why I chose to switch *AWAY* from Windows in 1999. I'm glad I did. Things have only gone downhill since then. > RMS was a cross between UNIX and Multics - very secure. Great stuff > but dead today! You want secure? You should consider one of the BSDs. They'll run on lower-end hardware than Windows and Exchange, they provide far more network- and security-related features and they don't cost a penny. -- Steve From g.hyde at bigpond.net.au Thu Mar 2 22:41:12 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Mar 2 07:45:03 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: "Steven Maesslein" wrote in message news:slrne0difr.4jn.nobody@127.0.0.1... > I joined the Microsoft camp around 1989 because there were no real > alternatives. 
The Atari ST and Amiga were fairly good machines > technically (I should know, I used to repair them for a living) but they > were basically no more than glorified game consoles. There wasn't much > serious software available for them and I didn't have time to write it > all myself. Macintosh computers were still way out of my range > price-wise, so that left the PC. If you happen to be interested in what the Amiga crowd is doing, they're still going along over at www.amiga.de - pretty strongly by the looks of it. I'm just an Amiga fan, if you want serious technical help with anything Amiga, see if they've got any english version forums over there. Cheers ... Geoffrey Hyde From nobody at nowhere.invalid Thu Mar 2 15:47:27 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Mar 2 09:50:03 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: On Thu, 2 Mar 2006 22:41:12 +1000, Geoffrey Hyde coughed into spamcop and left this in : > If you happen to be interested in what the Amiga crowd is doing, they're > still going along over at www.amiga.de - pretty strongly by the looks of it. I remember them from the days when I still had to ensure maintenance of Amigas *after* Commodore had been buried. > I'm just an Amiga fan, if you want serious technical help with anything > Amiga, see if they've got any english version forums over there. Kein Problem - ich spreche auch Deutsch :) -- Steve If money doesn't grow on trees then why do banks have branches? From pxpearson at spamxcop.net Thu Mar 2 08:33:45 2006 From: pxpearson at spamxcop.net (Peter Pearson) Date: Thu Mar 2 11:35:17 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: Getting back on-topic: You seem to be saying 1. that your mail-receiving configuration works fine at other sites you maintain that happen to have static IP addresses, even with block lists enabled; 2. 
that this same configuration works fine at your dynamic-IP site as long as you don't turn on the block lists; 3. that when you turn on block lists at your dynamic-IP site, all incoming messages get rejected with "550 5.2.1 refused: spam site". Like you, I find it hard to imagine that blocklists purposely corrupt their answers based on the requester's IP address. Not being a mail-configuring guru (nor a Microsoft guru, but let's not start that again :-), I can only suggest (1) sending manual queries to the blocklists, to confirm that they give honest answers; (2) enabling a single blocklist, so there's no uncertainty about which blocklist might be giving a funny answer; or (3) inserting code to log diagnostic information. You probably thought of all that. I'm just trying to re-establish a little momentum in a non-flamewar direction. -- Remove the two x's to get a good email address. From eddie at eddie.web Thu Mar 2 14:54:48 2006 From: eddie at eddie.web (eddie) Date: Thu Mar 2 14:55:03 2006 Subject: [SpamCop-List] Funny - Chinese spam about Asian Flu Message-ID: I think it's hilarious that spam coming from China and with websites hosted by the Chinese are spamming for Asian (Chinese) flu drugs. This is almost as funny as Chinese spam advertising the best Narcotics. PT Barnum was way low in his estimate about the birth rate of suckers and, had he known, spammers. From anthony.edwards at uk.easynet.net Thu Mar 2 20:25:18 2006 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Thu Mar 2 15:30:02 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: On Wed, 1 Mar 2006 22:11:23 -0500, Brian Stevens wrote: > Dozens of hackers from all over the world knock on my gateways every day but > so far Microsoft with some help from Symantec is keeping them out. If you > don't know some of the advantages of running Outlook on Exchange server then > maybe you shouldn't be taking such a snobbish position. 
The Outlook/Exchange groupware functionality (shared calendaring, etc) is indeed excellent, and some organisations find it indispensable. However, as others have also noted, I wouldn't personally connect a Microsoft Exchange Server directly to the public Internet, even (especially) in a corporate environment. Not particularly due to the security considerations, as I believe myself capable of absorbing sufficient clue to keep such an installation secure since I am paranoid about such things, but because a UNIX based MTA such as Exim or Postfix, together with a properly configured and maintained SpamAssassin installation, can do a much better job at little or no financial cost of performing inbound spam filtering. I would front end such an installation, and run Exchange (if such were needed in the corporate environment in question) behind it. -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From kenbrody at spamcop.net Thu Mar 2 15:16:36 2006 From: kenbrody at spamcop.net (Kenneth Brody) Date: Thu Mar 2 15:40:03 2006 Subject: [SpamCop-List] Re: The issue of bounce versus reject References: <44036C3A.50B789E5@spamcop.net> <4403966F.CD32ACEF@spamcop.net> Message-ID: <440752A4.91E36B41@spamcop.net> "John E. Malmberg" wrote: > > Kenneth Brody wrote: [...] > > > In short, the only thing their SMTP server knows about you is the IP > > address that their DHCP has assigned to you, and (I suppose) the MAC > > address of your cablemodem. Their setup means that they have no way > > of knowing your true "from" address, and it also requires that they > > cannot reject e-mail from you at the SMTP level. > > That is correct, but mail from you in their I.P. space is outgoing from > what should be a trusted source to their SMTP server, so they should > trust you to provide a valid return e-mail address to send the bounce or > DSN to. _I_ do.
However, what's to stop a spammer from doing differently? [...] > So there is no problem with outbound relaying and SMTP rejects as long > as you have valid information in your header. Again, I'm talking in terms of backscatter from spam, not legitimate e-mail. [...] > To prevent backscatter or silent deletion of messages, that mail server > must do all the spam rejection, and also have a list of valid e-mail > addresses that it should accept e-mail for. It also needs to be able to > handle the case of your mail server having a problem. Why should I have to send a list of all of my e-mail addresses to my ISP? [...] -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 2 21:16:52 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Mar 2 16:20:02 2006 Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu References: Message-ID: eddie wrote in news:du7iif$bvh$1@news.spamcop.net: > I think it's hilarious that spam coming from China and with websites > hosted by the Chinese are spamming for Asian (Chinese) flu drugs. > > This is almost as funny as Chinese spam advertising the best Narcotics. > > PT Barnum was way low in his estimate about the birth rate of suckers > and, had he known, spammers. > PT Barnum may be accurate. Think about the number of suckers dropping dead due to the poisons that spammer drug products contain. Buy a spamvertised product and you play with fire. From bar_n0ne at hotmail.com Thu Mar 2 16:17:25 2006 From: bar_n0ne at hotmail.com (Berny) Date: Thu Mar 2 17:20:04 2006 Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu References: Message-ID: "Redstone" wrote in message > > PT Barnum may be accurate. 
Think about the number of suckers dropping dead > due to the poisons that spammer drug products contain. > > > Buy a spamvertised product and you play with fire. > You mean they actually deliver something? From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 2 22:57:46 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Mar 2 18:00:03 2006 Subject: [SpamCop-List] [NANAE] Plug-in Warns of Evil Web Sites Message-ID: Found this on NANAE: =================================== Subject: Plug-in Warns of Evil Web Sites From: "HeyBub" Newsgroups: news.admin.net-abuse.email "A company founded by several MIT engineers launched free Internet Explorer and Firefox plug-ins Wednesday that reveal dangerous Web sites listed by popular search engines. "With the plug-ins installed, users see green, yellow, or red tags beside hits in search results on Google, MSN, and Yahoo, said Boston-based SiteAdvisor. The tags -- red represents sites that heavily spam visitors, host spyware and adware, or hijack browser home pages -- give users a heads-up before they click on a link." http://www.informationweek.com/internet/showArticle.jhtml?articleID= 181401865 [http://tinyurl.com/k3thb] Available here: http://www.siteadvisor.com/preview/index.html Seems to work as advertised and, boy, is it informative! They even tabulate how much spam they received just by signing up at the site. ===== Installed it on my browser. Pretty nifty. You can even sign up to be a reviewer for the sites you visit. From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 2 22:59:31 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Mar 2 18:00:06 2006 Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu References: Message-ID: "Berny" wrote in news:du7qtm$gso$1@news.spamcop.net: > > You mean they actually deliver something? > > Easy enough for them to throw some toadstool into a gel-capsule. 
From bar_n0ne at hotmail.com Thu Mar 2 17:05:18 2006 From: bar_n0ne at hotmail.com (Berny) Date: Thu Mar 2 18:10:03 2006 Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu References: Message-ID: "Redstone" wrote in message news:Xns977A9885A70FEtinlc@216.154.195.61... > "Berny" wrote in > news:du7qtm$gso$1@news.spamcop.net: > > > > > You mean they actually deliver something? > > > > > > > Easy enough for them to throw some toadstool into a gel-capsule. > Yabbut someone's got to pay for and put a stamp on the capsule, Oh, I forgot, they've hacked the Pitney Bowes stamping machine also. From g.hyde at bigpond.net.au Fri Mar 3 09:52:33 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Mar 2 19:00:02 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: "Steven Maesslein" wrote in message news:slrne0e1bv.9fr.nobody@127.0.0.1... > On Thu, 2 Mar 2006 22:41:12 +1000, Geoffrey Hyde coughed into spamcop > and left this in : >> I'm just an Amiga fan, if you want serious technical help with anything >> Amiga, see if they've got any english version forums over there. > > Kein Problem - ich spreche auch Deutsch :) Translation? I only speak English myself. :D Cheers ... Geoffrey Hyde From nobody at spamcop.net Thu Mar 2 18:18:25 2006 From: nobody at spamcop.net (N. Miller) Date: Thu Mar 2 21:20:02 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: <13aueahyv89mk.dlg@news.spamcop.net> On Wed, 1 Mar 2006 22:11:23 -0500, Brian Stevens wrote: > There are bigots who believe that you > can't be a responsible net citizen if you are on a dynamic IP. That is a flawed statement. It isn't that I am a bigot who doesn't believe that you can't be a responsible net citizen on a dynamic IP address.
It is that I am a pragmatist, for whom >99% of the email delivery attempts from Comcast (and other) dynamically hosted SMTP clients to my domain MX are _not_ from responsible net citizens; therefore, blocking such IP addresses is extremely effective at blocking spam delivery attempts. OTOH, _knowing_ that others will treat my SMTP relay client in the same fashion, I don't even attempt "end-to-end" SMTP relaying; I use my ISP's SMTP server to handle my outbound email. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at spamcop.net Thu Mar 2 18:23:00 2006 From: nobody at spamcop.net (N. Miller) Date: Thu Mar 2 21:25:02 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: <10faq96wrt3se$.dlg@news.spamcop.net> On Wed, 1 Mar 2006 22:11:23 -0500, Brian Stevens wrote: > If you > don't know some of the advantages of running Outlook on Exchange server then > maybe you shouldn't be taking such a snobbish position. The only advantage of using Outlook on an Exchange server is product integration. I get that by running Pegasus Mail with Mercury/32. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at spamcop.net Thu Mar 2 18:31:29 2006 From: nobody at spamcop.net (N. Miller) Date: Thu Mar 2 21:35:04 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: On Fri, 3 Mar 2006 09:52:33 +1000, Geoffrey Hyde wrote: > "Steven Maesslein" wrote in message > news:slrne0e1bv.9fr.nobody@127.0.0.1... >> On Thu, 2 Mar 2006 22:41:12 +1000, Geoffrey Hyde coughed into spamcop >> and left this in : >>> I'm just an Amiga fan, if you want serious technical help with anything >>> Amiga, see if they've got any english version forums over there. >> Kein Problem - ich spreche auch Deutsch :) > Translation? I only speak English myself. :D His comprehension of German seems better than the disclaimer.
Although I did, once, receive a correction over writing, "I can speak a little ***" for the native "***" speaker; he suggested that 'hanasemasu' was more appropriate than the 'hanashimasu' I had written. 'hanashimasu' = "I speak..." 'hanasemasu' = "I can speak..." When one is writing, one isn't speaking; technically. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at spamcop.net Thu Mar 2 19:38:53 2006 From: nobody at spamcop.net (N. Miller) Date: Thu Mar 2 22:40:04 2006 Subject: [SpamCop-List] Re: The issue of bounce versus reject References: <44036C3A.50B789E5@spamcop.net> Message-ID: <16rk0suhrntz.dlg@news.spamcop.net> On Mon, 27 Feb 2006 16:16:42 -0500, Kenneth Brody wrote: > Having read the recent "why not allow bounces" thread, the following > occurred to me... You seem to be confusing message submission servers with MX servers. Message submission servers generally accept email from MUAs ("Mail User Agents"), mostly; using some means of authenticating the connection. MX servers accept email from _any_ MTA ("Mail Transfer Agent"), regardless of the source, and without authenticating the connection. Because of the trust involved in a message submission connection, message submission server bounces are, mostly, legitimately sent to user accounts which are the actual source of the message. OTOH, MX servers can't use the same criteria for authenticating email sources as message submission servers can use; by design, MX servers have to accept incoming connections that message submission servers can refuse. So there is a much higher probability that the "Return-Path" email address will be forged in email from a "Mail Transfer Agent" than from a "Mail User Agent". Therefore, MX servers can't afford to accept all plausible email addresses, then turn around and bounce the undeliverables; those will, usually, go to the wrong places. The best method for an MX server to use is to check two lists: A. 
Valid local email addresses; reject email if the RCPT TO isn't valid. B. DNSBLs; reject all email from listed IP addresses. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at devnull.spamcop.net Fri Mar 3 15:40:33 2006 From: nobody at devnull.spamcop.net (Patto) Date: Fri Mar 3 01:45:13 2006 Subject: [SpamCop-List] An error occurred while processing your request. Message-ID: Same error as yesterday when trying to access spamcop.net From g.hyde at bigpond.net.au Fri Mar 3 19:40:11 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Mar 3 04:45:45 2006 Subject: [SpamCop-List] Fedora list spam with large attachment. Message-ID: http://www.spamcop.net/sc?id=z889520818zc21f147cfe3ed355899c5b92688b3f6az Okay, what the heck is this attachment in the spam - some application-octet or whatever SpamCop identified it as? And why are they sending it to me? It's obviously spam, and has been treated as such, SpamCop couldn't even say that the IP address was actually belonging to the server it purported to be from (got no name when trying the IP) so named it as source. Anyone else getting this kind of unwanted junk email? Cheers ... Geoffrey Hyde From MikeE at ster.invalid Fri Mar 3 01:58:31 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 05:00:34 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Geoffrey Hyde wrote: www.spamcop.net/sc?id=z889520818zc21f147cfe3ed355899c5b92688b3f6az > > Okay, what the heck is this attachment in the spam - some > application-octet or whatever SpamCop identified it as? It is a viral propagation, virm/virmail, designed to look like a bounce which has a message.zip attachment which is b64 encoded. The source machine is 196.25.32.50 no rDNS of the .za Infodoor Networking which has problems with its contact information and SC wants to notify abuse@saix.net -- which is the way I would notify it. > And why are they sending it to me? 
It's obviously spam, and has been > treated as such, SpamCop couldn't even say that the IP address was > actually belonging to the server it purported to be from (got no name > when trying the IP) so named it as source. > > Anyone else getting this kind of unwanted junk email? You get viral propagations because your address is accessible at/by the infected propagator. Your AV agent may not be able to identify it because it is 'inside' a b64 encoded zip file. If you were handling it by opening it, the b64 would become decoded by your mail agent, then you would have to unzip the archive to find the executable. I haven't taken it down to the executable and characterized it yet. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 3 02:08:37 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 05:10:26 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Mike Easter wrote: > I haven't taken it down to the executable and characterized it yet. The decoded b64 message.zip is a corrupt zip file which I can't unzip with Iceows. I can look at the hex of the front of it and tell that its executable would be message.scr, but I can't characterize the virus in its zipped form with my AV. -- Mike Easter kibitzer, not SC admin From g.hyde at bigpond.net.au Fri Mar 3 20:30:49 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Mar 3 05:35:09 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: I dunno if it's worth doing anything with. Apparently the ISP I'm with believes I should get sent any and all email addressed to me unless I want to sign up for their spam filter. Attachments included apparently. 
What I find really weird is that they won't even devote any of the vast amount of computing power they have available on their network to finding and removing viral attachments from spam - "because, it might be a legitimate attachment" - what I'm thinking of that is, if someone has to send you something that's executable, they surely have another means than email by now. Cheers ... Geoffrey Hyde "Mike Easter" wrote in message news:du94io$7ep$1@news.spamcop.net... > Mike Easter wrote: > >> I haven't taken it down to the executable and characterized it yet. > > The decoded b64 message.zip is a corrupt zip file which I can't unzip > with Iceows. I can look at the hex of the front of it and tell that its > executable would be message.scr, but I can't characterize the virus in > its zipped form with my AV. > > -- > Mike Easter > kibitzer, not SC admin > From aviatrix at lists.org.gg Fri Mar 3 10:42:11 2006 From: aviatrix at lists.org.gg (Aviatrix) Date: Fri Mar 3 05:45:04 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. In-Reply-To: References: Message-ID: Geoffrey Hyde wrote: > What I find really weird is that they won't even devote any of the vast > amount of computing power they have available on their network to finding > and removing viral attachments from spam - "because, it might be a > legitimate attachment" - what I'm thinking of that is, if someone has to > send you something that's executable, they surely have another means than > email by now. Some ISPs enforce spam/virus filtering on their customers, whether the customers like it or not (causing some genuine mail to be lost). Some ISPs offer spam/virus filtering as an optional add-on service, either paid-for or free of charge (mine offers it free of charge). Some ISPs take the view that if customers want spam/virus filtering they should make their own arrangements. Yours obviously belongs in the third group. 
Personally I have no problem with that - I DO have a problem with the first group (especially if, like some ISPs I know, they just discard suspected spam/viruses without letting anyone know) From MikeE at ster.invalid Fri Mar 3 02:52:31 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 05:55:02 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Mike Easter wrote: > The decoded b64 message.zip is a corrupt zip file which I can't unzip > with Iceows. I can look at the hex of the front of it and tell that > its executable would be message.scr, but I can't characterize the > virus in its zipped form with my AV. I sent the corrupt zip to VirusTotal for their multiple AV agent analysis. NOD32 found the archive damaged, and 4 of them could see the MyDoom.M worm inside the damaged .zip. One said suspicious, 17 said negative. Results of a file scan This is a report processed by VirusTotal on 03/03/2006 at 11:28:08 (CET) after scanning the file "message.zip" file. 
Antivirus           Version         Update      Result
AntiVir             6.33.1.53       03.03.2006  Worm/Mydoom.M
Avast               4.6.695.0       03.02.2006  Win32:Mydoom-M
AVG                 718             03.02.2006  no virus found
Avira               6.33.1.53       03.03.2006  Worm/Mydoom.M
BitDefender         7.2             03.03.2006  no virus found
CAT-QuickHeal       8.00            03.02.2006  (Suspicious) - DNAScan
ClamAV              devel-20060126  03.02.2006  Worm.Mydoom.M
DrWeb               4.33            03.03.2006  no virus found
eTrust-InoculateIT  23.71.92        03.03.2006  no virus found
eTrust-Vet          12.4.2104       03.03.2006  no virus found
Ewido               3.5             03.02.2006  no virus found
Fortinet            2.71.0.0        03.02.2006  no virus found
F-Prot              3.16c           03.03.2006  no virus found
Kaspersky           4.0.2.24        03.03.2006  no virus found
McAfee              4709            03.02.2006  no virus found
NOD32v2             1.1426          03.03.2006  archive damaged
Norman              5.70.10         03.02.2006  no virus found
Panda               9.0.0.4         03.03.2006  no virus found
Sophos              4.03.0          03.03.2006  no virus found
Symantec            8.0             03.03.2006  no virus found
TheHacker           5.9.5.105       03.03.2006  no virus found
UNA                 1.83            03.02.2006  no virus found
VBA32               3.10.5          03.02.2006  no virus found
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 3 03:11:51 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 06:15:03 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Aviatrix wrote: > Some ISPs offer spam/virus filtering as an optional add-on service, > either paid-for or free of charge (mine offers it free of charge). EL's options for the spamfiltering and virus filtering are included or free. The spamfiltering can be off, medium, or high -- the virus filtering off or on. The 'standard' spamfilter is leaky, the virus filter has a rare false positive. I can't recall the last time I saw a false negative virm slip thru'.. If EL's proprietary frontend TotalAccess is installed, which I would never do, there is a plethora of other 'filtering' options, ranging from parental controls to antiphish to antispyware to antipopups.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 3 03:20:33 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 06:25:02 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Mike Easter wrote: > The source machine is 196.25.32.50 no rDNS of the .za Infodoor > Networking Back in 2005 June 7, someone using that IP accessed a guest book and signed their name and email address. Zakithi Sinethemba Ngongoma zakithingongoma@hotmail.com Since the IP is most likely dynamic and the information is so stale, that data is most likely completely worthless. I don't advise signing guestbooks like that, unless you are /really/ looking for penpals. -- Mike Easter kibitzer, not SC admin From / at /.cn Fri Mar 3 22:49:17 2006 From: / at /.cn (Petzl) Date: Fri Mar 3 06:50:02 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: "Geoffrey Hyde" wrote in message news:du95sv$817$1@news.spamcop.net... >I dunno if it's worth doing anything with. Apparently the ISP I'm with >believes I should get sent any and all email addressed to me unless I want >to sign up for their spam filter. Another good reason to NOT accept the email address your ISP forces on one. You do need to consider a SpamCop email address, the only one you will ever need. Ask your provider for a refund for a supposed "service" you no longer need and should not pay for Get the only Email address you will ever need http://www.spamcop.net/ces/individuals.shtml Petzl From MikeE at ster.invalid Fri Mar 3 04:04:44 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 07:05:04 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Mike Easter wrote: > Geoffrey Hyde wrote: >> Okay, what the heck is this attachment in the spam - some >> application-octet or whatever SpamCop identified it as? 
> > It is a viral propagation, virm/virmail, designed to look like a > bounce which has a message.zip attachment which is b64 encoded. Continuing my string of replies in this thread. This item also demonstrates a precautionary suggestion -- that you should not 'count on' your provider's or your own AV agents to protect you from virms. I have an additional 'crude' security measure called a BigFile rule. The bigfile is any email over a certain size gets message ruled into its own BigFile folder so that it can be handled with caution. Naturally you could handle this item without a bigfile rule -- because there are so many ways that you would be able to tell that this mail isn't something you want to handle carelessly, but having multiple layers to warn you of a problem is of some value since the majority of agents didn't identify this propagation even after the b64 decoding. MyDoom.M is also associated with installing a backdoor Zincite.A trojan which // Attempts to contact other infected systems by probing random IP addresses on port 1034. If an infected system is found, its IP address will be stored for possible future use. // When running the backdoor, the backdoor listens on TCP port 1034 for incoming connections. When remote attackers connect, they can: Download and execute files. Get the Trojan's saved list of other infected IP addresses. Stop the backdoor process. . -- Mike Easter kibitzer, not SC admin From nospam at nospam.nl Fri Mar 3 13:32:53 2006 From: nospam at nospam.nl (geo_splash_12) Date: Fri Mar 3 07:35:03 2006 Subject: [SpamCop-List] telefonica.es Message-ID: Which IP blocks are associated with telefonica.es and auna.es? These guys are slowly becoming a nuisance, and in senderbase I can't even find the proper whois information because they probably (like kornet) scattered over the entire IP4 spectrum. 
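[Added example, not part of any post in this archive. In the "Fedora list spam with large attachment" thread above, Mike Easter describes decoding the b64 message.zip, finding it too damaged to unzip, and still reading the executable's name from the front of the file. The Python sketch below does that header peek on a constructed, harmless sample; the extension list, the function names and the size threshold for a BigFile-style rule are assumptions.]

```python
import base64
import io
import os
import struct
import zipfile

# Assumed, non-exhaustive list of extensions Windows will run when opened.
RISKY_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

LOCAL_HEADER_SIG = b"PK\x03\x04"
# Fields after the signature: version, flags, method, mod time, mod date,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER_FMT = "<HHHHHIIIHH"
LOCAL_HEADER_LEN = 4 + struct.calcsize(LOCAL_HEADER_FMT)  # 30 bytes


def names_from_local_headers(data):
    """List member names stored in ZIP local file headers.

    zipfile needs the central directory at the END of the archive; the
    local headers sit in FRONT of each member, so they survive truncation.
    A signature match inside compressed data can produce a bogus name, so
    treat the result as a triage hint, not proof.
    """
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + LOCAL_HEADER_LEN <= len(data):
        fields = struct.unpack_from(LOCAL_HEADER_FMT, data, pos + 4)
        name_len = fields[8]
        start = pos + LOCAL_HEADER_LEN
        raw = data[start:start + name_len]
        if name_len and len(raw) == name_len:
            names.append(raw.decode("cp437", errors="replace"))
        pos = data.find(LOCAL_HEADER_SIG, pos + 4)
    return names


def triage_attachment(b64_text, bigfile_bytes=50_000):
    """Inspect a base64 attachment body without extracting or running it.

    bigfile_bytes is an assumed threshold; the thread only says
    "over a certain size".
    """
    data = base64.b64decode(b64_text)
    try:
        with zipfile.ZipFile(io.BytesIO(data)):
            zip_opens = True
    except zipfile.BadZipFile:
        zip_opens = False
    names = names_from_local_headers(data)
    risky = [n for n in names
             if os.path.splitext(n.lower())[1] in RISKY_EXTENSIONS]
    return {
        "size": len(data),
        "oversize": len(data) > bigfile_bytes,
        "zip_opens": zip_opens,
        "names": names,
        "risky_names": risky,
    }


def build_constructed_sample():
    """Constructed sample: a harmless text payload named message.scr,
    zipped, then cut short so the central directory is missing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message.scr", b"harmless placeholder bytes " * 20)
    damaged = buf.getvalue()[:60]
    return base64.b64encode(damaged).decode("ascii")


if __name__ == "__main__":
    report = triage_attachment(build_constructed_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

[A mail filter could quarantine on a non-empty risky_names even when zip_opens is false, which is the case where most scanners in the VirusTotal run above reported nothing.]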
From MikeE at ster.invalid Fri Mar 3 04:55:05 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 07:55:04 2006 Subject: [SpamCop-List] Re: telefonica.es References: Message-ID: geo_splash_12 wrote: > Which IP blocks are associated with telefonica.es and auna.es? These > guys are slowly becoming a nuisance, and in senderbase I can't even > find the proper whois information because they probably (like kornet) > scattered over the entire IP4 spectrum. The output IPs listed at senderbase are 194.224.58.62 mail2.telefonica.es Y 4.9 4.3 212.170.236.199 sceest04.correodeempresas.telefonica.es Y 3.8 3.6 212.170.236.196 sceest03.correodeempresas.telefonica.es Y 3.7 3.5 212.170.236.86 sceent03.correodeempresas.telefonica.es Y 2.1 2.2 212.170.236.84 sceent01.correodeempresas.telefonica.es Y 3.0 2.2 212.170.236.85 sceent02.correodeempresas.telefonica.es Y 2.6 2.1 62.81.52.14 dulcesa.red.retevision.es Y 0.0 3.9 62.81.27.241 bcnfwl02.retevision.es Y 3.9 3.6 62.81.119.50 junta-icatm51456-meri.red.retevision.es Y 2.7 3.5 62.81.72.58 mtorres-ic60731-pamp.red.retevision.es Y 3.7 3.3 62.81.52.178 copiti-ic12891-vale.red.retevision.es Y 3.4 2.9 62.81.80.10 giahsa-ic-huel.red.retevision.es Y 2.6 2.8 62.81.26.74 nadal-ic11446-barc.red.retevision.es Y 3.4 2.8 62.81.92.66 momework-ic27411-alic.red.retevision.es Y 0.0 2.7 62.81.102.6 endesa-ic72593-sevi.red.retevision.es Y 2.7 2.6 62.81.119.10 junta-icatm6415-meri.red.retevision.es Y 3.0 2.4 62.81.55.94 calderinox-ic64373-sevi.red.retevision.es Y 0.0 2.3 62.81.55.50 emasesa-ic.red.retevision.es Y 0.0 2.3 62.81.84.98 lomonaco-ic38847-gran.red.retevision.es Y 0.0 2.3 62.81.90.26 schglo-ic104929-bar2.red.retevision.es Y 2.9 2.3 62.81.70.10 hpenisc-ic13727-cast.red.retevision.es Y 2.7 2.2 62.81.84.26 romysim-ic-gran.red.retevision.es Y 2.8 2.2 inetnum: 62.81.0.0 - 62.81.127.255 netname: RETENET descr: AUNA S.A.U, route: 62.81.0.0/16 descr: Retevision SA origin: AS16338 route: 212.170.0.0/16 descr: Telefonica Data Espan~a origin: 
AS3352 route: 194.224.0.0/16 descr: IBERNET descr: Telefonica transmision de datos, Internet Network origin: AS3352 You can take those AS#s to someplace like potaroo and determine the IPs associated. -- Mike Easter kibitzer, not SC admin From nospam at nospam.nl Fri Mar 3 16:30:43 2006 From: nospam at nospam.nl (geo_splash_12) Date: Fri Mar 3 10:35:04 2006 Subject: [SpamCop-List] Re: telefonica.es In-Reply-To: References: Message-ID: Mike Easter wrote: > geo_splash_12 wrote: > >>Which IP blocks are associated with telefonica.es and auna.es? These >>guys are slowly becoming a nuisance, and in senderbase I can't even >>find the proper whois information because they probably (like kornet) >>scattered over the entire IP4 spectrum. > > > The output IPs listed at senderbase are > > 194.224.58.62 mail2.telefonica.es Y 4.9 4.3 > 212.170.236.199 sceest04.correodeempresas.telefonica.es Y 3.8 3.6 > 212.170.236.196 sceest03.correodeempresas.telefonica.es Y 3.7 3.5 > 212.170.236.86 sceent03.correodeempresas.telefonica.es Y 2.1 2.2 > 212.170.236.84 sceent01.correodeempresas.telefonica.es Y 3.0 2.2 > 212.170.236.85 sceent02.correodeempresas.telefonica.es Y 2.6 2.1 > > > 62.81.52.14 dulcesa.red.retevision.es Y 0.0 3.9 > 62.81.27.241 bcnfwl02.retevision.es Y 3.9 3.6 > 62.81.119.50 junta-icatm51456-meri.red.retevision.es Y 2.7 3.5 > 62.81.72.58 mtorres-ic60731-pamp.red.retevision.es Y 3.7 3.3 > 62.81.52.178 copiti-ic12891-vale.red.retevision.es Y 3.4 2.9 > 62.81.80.10 giahsa-ic-huel.red.retevision.es Y 2.6 2.8 > 62.81.26.74 nadal-ic11446-barc.red.retevision.es Y 3.4 2.8 > 62.81.92.66 momework-ic27411-alic.red.retevision.es Y 0.0 2.7 > 62.81.102.6 endesa-ic72593-sevi.red.retevision.es Y 2.7 2.6 > 62.81.119.10 junta-icatm6415-meri.red.retevision.es Y 3.0 2.4 > 62.81.55.94 calderinox-ic64373-sevi.red.retevision.es Y 0.0 2.3 > 62.81.55.50 emasesa-ic.red.retevision.es Y 0.0 2.3 > 62.81.84.98 lomonaco-ic38847-gran.red.retevision.es Y 0.0 2.3 > 62.81.90.26 
schglo-ic104929-bar2.red.retevision.es Y 2.9 2.3 > 62.81.70.10 hpenisc-ic13727-cast.red.retevision.es Y 2.7 2.2 > 62.81.84.26 romysim-ic-gran.red.retevision.es Y 2.8 2.2 > > > inetnum: 62.81.0.0 - 62.81.127.255 > netname: RETENET > descr: AUNA S.A.U, > route: 62.81.0.0/16 > descr: Retevision SA > origin: AS16338 > > route: 212.170.0.0/16 > descr: Telefonica Data Espan~a > origin: AS3352 > > route: 194.224.0.0/16 > descr: IBERNET > descr: Telefonica transmision de datos, Internet Network > origin: AS3352 > > > You can take those AS#s to someplace like potaroo and determine the IPs > associated. > > This is not what I see, the spams from telefonica.es do come from for instance: 80.34.54.48 80.58.210.67 83.43.185.178 83.44.1.204 83.53.229.176 83.58.202.60 auna.es IPs are for instance: 82.159.80.85 82.159.17.168 Ejo From MikeE at ster.invalid Fri Mar 3 08:47:48 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 11:50:04 2006 Subject: [SpamCop-List] Re: telefonica.es References: Message-ID: geo_splash_12 wrote: > Mike Easter wrote: >> The output IPs listed at senderbase are >> >> 194.224.58.62 mail2.telefonica.es Y 4.9 4.3 >> 62.81.52.14 dulcesa.red.retevision.es Y 0.0 3.9 > This is not what I see, the spams from telefonica.es do come from for > instance: > > 80.34.54.48 > 80.58.210.67 > 83.43.185.178 > 83.44.1.204 > 83.53.229.176 > 83.58.202.60 user IPs - RIMA -- it has many more besides those 80. & 83. 
> auna.es IPs are for instance: > > 82.159.80.85 > 82.159.17.168 User IPs in this family inetnum: 82.158.138.0 - 82.159.127.255 netname: MADRITEL descr: PROVIDER descr: Madritel MADRITEL has many more blocks besides those 82.158 & .159 -- Mike Easter kibitzer, not SC admin From nospam at nospam.nl Fri Mar 3 18:08:26 2006 From: nospam at nospam.nl (geo_splash_12) Date: Fri Mar 3 12:10:03 2006 Subject: [SpamCop-List] Re: telefonica.es In-Reply-To: References: Message-ID: Mike: dshield is a nice tool to do this, thus http://www.dshield.org/ipinfo.php?ip=83.43.185.178&Submit=Submit tells me where 83.43.185.178 is located and the fine line of horse manure around that IP. Ejo Mike Easter wrote: > geo_splash_12 wrote: > >>Mike Easter wrote: > > >>>The output IPs listed at senderbase are >>> >>>194.224.58.62 mail2.telefonica.es Y 4.9 4.3 > > >>>62.81.52.14 dulcesa.red.retevision.es Y 0.0 3.9 > > >>This is not what I see, the spams from telefonica.es do come from for >>instance: >> >>80.34.54.48 >>80.58.210.67 >>83.43.185.178 >>83.44.1.204 >>83.53.229.176 >>83.58.202.60 > > > user IPs - RIMA -- it has many more besides those 80. & 83. > > >>auna.es IPs are for instance: >> >>82.159.80.85 >>82.159.17.168 > > > User IPs in this family > > inetnum: 82.158.138.0 - 82.159.127.255 > netname: MADRITEL > descr: PROVIDER > descr: Madritel > > MADRITEL has many more blocks besides those 82.158 & .159 > From MikeE at ster.invalid Fri Mar 3 09:32:37 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 12:35:02 2006 Subject: [SpamCop-List] Re: telefonica.es References: Message-ID: geo_splash_12 wrote: > Mike: dshield is a nice tool to do this, thus > > http://www.dshield.org/ipinfo.php?ip=83.43.185.178&Submit=Submit > > tells me where 83.43.185.178 is located and the fine line of horse > manure around that IP. Yes, but that is just one little block inetnum: 83.40.201.0 - 83.45.92.255 netname: RIMA There are many scores of such blocks of various sizes. 
If you do whois -h whois.ripe.net rima you will see a huge output of tons of such blocks. I was going to extract a list of just the 'inetnum' lines for RIMA and MADRITEL. Madritel's is much shorter, I'll use it as an example. inetnum: 213.37.0.0 - 213.37.65.255 inetnum: 213.37.110.0 - 213.37.131.245 inetnum: 213.37.108.88 - 213.37.108.119 inetnum: 213.37.66.0 - 213.37.107.255 inetnum: 213.37.150.0 - 213.37.251.255 inetnum: 213.37.253.0 - 213.37.255.255 inetnum: 213.37.132.0 - 213.37.149.255 inetnum: 82.158.0.0 - 82.158.95.255 inetnum: 82.158.96.0 - 82.158.135.255 inetnum: 82.158.138.0 - 82.159.127.255 -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 3 09:47:41 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 12:50:03 2006 Subject: [SpamCop-List] Re: telefonica.es References: Message-ID: Mike Easter wrote: > > whois -h whois.ripe.net rima > > you will see a huge output of tons of such blocks. I was going to > extract a list of just the 'inetnum' lines for RIMA and MADRITEL. > Madritel's is much shorter, I'll use it as an example. 
This is less than half of RIMA's -- Mike Easter kibitzer, not SC admin From nospam at nospam.nl Fri Mar 3 19:02:00 2006 From: nospam at nospam.nl (geo_splash_12) Date: Fri Mar 3 13:05:02 2006 Subject: [SpamCop-List] Re: telefonica.es In-Reply-To: References: Message-ID: Mike Easter wrote: > Mike Easter wrote: > >>whois -h whois.ripe.net rima >> >>you will see a huge output of tons of such blocks. I was going to >>extract a list of just the 'inetnum' lines for RIMA and MADRITEL. >>Madritel's is much shorter, I'll use it as an example. 
> > > This is less than half of RIMA's > > Mike -- this will do the trick (and I haven't yet installed a whois to verify this all). Mucho Gracias -- Ejo From MikeE at ster.invalid Fri Mar 3 10:07:23 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 13:10:03 2006 Subject: [SpamCop-List] Re: telefonica.es References: Message-ID: geo_splash_12 wrote: > Which IP blocks are associated with telefonica.es and auna.es? 
Because there are so many little pieces and parts to the rima and madritel user IP blocks, it would be easier to just use something like blackholes.us or nerd-zz and just block all of Spain. If you have correspondents in .es you could whitelist domains, IP blocks, or addies. The examples of IPs you listed earlier would not have been filtered well by my filters, as only one appeared in CBL and one in SCbl -- but I haven't been getting .es spam leakage, so your spam must be different from mine. Whether or not a country filter would work for you - since you are .nl and maybe you get more Euro spam - I don't know. It depends on how much .es unknown goodmail you get. -- Mike Easter kibitzer, not SC admin From wb8tyw at qsl.network Fri Mar 3 12:40:34 2006 From: wb8tyw at qsl.network (John E. Malmberg) Date: Fri Mar 3 13:45:04 2006 Subject: [SpamCop-List] Re: The issue of bounce versus reject References: <44036C3A.50B789E5@spamcop.net> <4403966F.CD32ACEF@spamcop.net> <440752A4.91E36B41@spamcop.net> Message-ID: <1ncKK$MUemdg@eisner.encompasserve.org> In article <440752A4.91E36B41@spamcop.net>, Kenneth Brody writes: > "John E. Malmberg" wrote: >> >> Kenneth Brody wrote: > [...] >> >> > In short, the only thing their SMTP server knows about you is the IP >> > address that their DHCP has assigned to you, and (I suppose) the MAC >> > address of your cablemodem. Their setup means that they have no way >> > of knowing your true "from" address, and it also requires that they >> > cannot reject e-mail from you at the SMTP level. >> >> That is correct, but mail from you in their I.P. space is outgoing from >> what should be a trusted source to their SMTP server, so they should >> trust you to provide a valid return e-mail address to send the bounce or >> DSN to. > > _I_ do. However, what's to stop a spammer from doing differently? With some ISP's, nothing. This is known as a multi-hop exploit where the spammer uses a zombie to relay through the ISP's mail server. 
Other ISPs use rate limiting, where only x mails per time period will go out, and some use DNSBls on the input to their internal mail servers to alert support people if one of their I.P. addresses is listed for sending spam. Some ISP's require that the sender use the e-mail address that they provide, in which case you can not use their mail server for smart-hosting or an external gateway. > [...] >> So there is no problem with outbound relaying and SMTP rejects as long >> as you have valid information in your header. > > Again, I'm talking in terms of backscatter from spam, not legitimate > e-mail. Backscatter from a multi-hop exploit will get reported to the abuse address of the mail server on the network with a security problem. That network administrator should fix the problem. Based on what I saw last year on my broadband ISP's internal forum, several other popular ISPs in the U.S. have a hair trigger on blocking mail servers used in multi-hop exploits in their local databases, and it requires some hoop jumping to get out of them. MAPS now has a spamtrap based system that will list for some period of time after a spamtrap hit. And that system will list the outputs of multi-hop exploits. So while some spammers will use multi-hop exploits, they generally will avoid the ISP's that take quick action on those reports. Now if only those ISP's would take the same quick action on the zombies that are going direct to MX... > [...] >> To prevent backscatter or silent deletion of messages, that mail server >> must do all the spam rejection, and also have a list of valid e-mail >> addresses that it should accept e-mail for. It also needs to be able to >> handle the case of your mail server having a problem. > > Why should I have to send a list of all of my e-mail addresses to my ISP? Is incoming e-mail coming to them through that ISP directly from the Internet? 
This would mean that the MX record for those domains is pointing at your ISP's mail server, and that mail server would have to know it was OK to relay e-mail to those domains to your internal mail server. In order to do that without backscatter or silent deleting of undelivered messages the internet facing mail server needs to know the delivery state for each recipient. Some forwarding servers know how to probe to see if the internal mail server is accepting e-mail for an address before the SMTP dialog is complete. In that case the internet facing mail server may not need to know all the e-mail addresses for the domain. -John wb8tyw@qsl.network Personal Opinion Only From g.hyde at bigpond.net.au Sat Mar 4 16:04:14 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sat Mar 4 01:05:04 2006 Subject: [SpamCop-List] Should this be cut from the email before submitting? Message-ID: http://www.spamcop.net/sc?id=z890126486z8c06db28654b2d5f5143c0154580a556z In the Outlook Express client I use, there was a Message ID and Date line that was displayed by Outlook Express for this spam. Spamcop didn't parse this part or munge anything to do with it, but is there anything a spammer can glean from these lines that would mean I'd have to cut it out of the message body? I'm hoping this is just more faked (and annoying) header lines, but I'm not sure so it was, again, submitted as-is. Cheers ... Geoffrey Hyde From / at /.cn Sat Mar 4 18:37:51 2006 From: / at /.cn (Petzl) Date: Sat Mar 4 02:40:13 2006 Subject: [SpamCop-List] Re: Should this be cut from the email before submitting? References: Message-ID: "Geoffrey Hyde" wrote in message news:dubaku$mho$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z890126486z8c06db28654b2d5f5143c0154580a556z > > In the Outlook Express client I use, there was a Message ID and Date line > that was displayed by Outlook Express for this spam. 
Spamcop didn't parse > this part or munge anything to do with it, but is there anything a spammer > can glean from these lines that would mean I'd have to cut it out of the > message body? > > I'm hoping this is just more faked (and annoying) header lines, but I'm > not sure so it was, again, submitted as-is. > Please do not use a real email address in newsgroups unless it is a bullet proof SpamCop one. I would not worry about it; your email address has already been taken and will be circulated to many other spammers, which means your email address will be attacked more and more. Your best defence from spammers is attack, and reporting through SpamCop means an abuse report is sent to the listed owner of that IP, meaning there is a good chance the hole the spammer is crawling through is closed. It is also a good idea to get a SpamCop email address; the one bigpong force on you is next to useless. Get the only Email address you will ever need: http://www.spamcop.net/ces/individuals.shtml Petzl From scamper at trisk.com Sat Mar 4 00:47:15 2006 From: scamper at trisk.com (Garen Erdoisa) Date: Sat Mar 4 02:50:04 2006 Subject: [SpamCop-List] Re: Should this be cut from the email before submitting? In-Reply-To: References: Message-ID: Geoffrey Hyde wrote: > http://www.spamcop.net/sc?id=z890126486z8c06db28654b2d5f5143c0154580a556z > > In the Outlook Express client I use, there was a Message ID and Date line > that was displayed by Outlook Express for this spam. Spamcop didn't parse > this part or munge anything to do with it, but is there anything a spammer > can glean from these lines that would mean I'd have to cut it out of the > message body? > > I'm hoping this is just more faked (and annoying) header lines, but I'm not > sure so it was, again, submitted as-is. > > > Cheers ... > > Geoffrey Hyde > > > If you check the original message (raw format), I suspect what you'll find is a single tab character on the header line immediately following the Subject: header. 
The spamcop parser misinterprets this tab character as a "blank" line, and treats anything that follows the tab character as part of the message body instead of a continuation of the message header. I reported this problem to deputies a while back. I guess they haven't gotten around to fixing it yet. The problem doesn't have much of an effect on where reports are sent, it just makes the parser look kinda weird for such messages. Garen From g.hyde at bigpond.net.au Sat Mar 4 17:49:13 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sat Mar 4 02:50:08 2006 Subject: [SpamCop-List] Re: Should this be cut from the email before submitting? References: Message-ID: "Petzl" wrote in message news:dubg4j$pb3$1@news.spamcop.net... > > "Geoffrey Hyde" wrote in message > news:dubaku$mho$1@news.spamcop.net... >> http://www.spamcop.net/sc?id=z890126486z8c06db28654b2d5f5143c0154580a556z > It is also a good idea to get a SpamCop email address the one bigpong > force on you is next to useless > Get the only Email address you will ever need > http://www.spamcop.net/ces/individuals.shtml If I want your recommendations for an email address I'm sure I'd know to ask. Thanks anyway, but at this stage in time I'm not interested in another email address to deal with. Cheers ... Geoffrey Hyde From scamper at trisk.com Sat Mar 4 02:23:46 2006 From: scamper at trisk.com (Garen Erdoisa) Date: Sat Mar 4 04:25:05 2006 Subject: [SpamCop-List] Re: Should this be cut from the email before submitting? In-Reply-To: References: Message-ID: Garen Erdoisa wrote: > Geoffrey Hyde wrote: >> http://www.spamcop.net/sc?id=z890126486z8c06db28654b2d5f5143c0154580a556z >> >> In the Outlook Express client I use, there was a Message ID and Date >> line that was displayed by Outlook Express for this spam. Spamcop >> didn't parse this part or munge anything to do with it, but is there >> anything a spammer can glean from these lines that would mean I'd have >> to cut it out of the message body? 
>> >> I'm hoping this is just more faked (and annoying) header lines, but >> I'm not sure so it was, again, submitted as-is. >> >> >> Cheers ... >> >> Geoffrey Hyde >> >> >> > > If you check the original message (raw format), I suspect what you'll > find is a single tab character on the header line immediately following > the Subject: header. > > The spamcop parser misinterprets this tab character as a "blank" line, > and treats anything that follows the tab character as part of the > message body instead of a continuation of the message header. > > I reported this problem to deputies a while back. I guess they haven't > gotten around to fixing it yet. The problem doesn't have much of an > effect on where reports are sent, it just makes the parser look kinda > weird for such messages. > > Garen Some additional info: For the record, the proper syntax for header folding is defined in RFC2822 para: 2.2.2 and 2.2.3 To re-verify that spamcop's parser is misinterpreting a single tab on a header line as a blank line, I just re-submitted a spam (and canceled the report) with a tab inserted after the Subject: header line As expected, spamcop's parser misinterpreted the tab as a blank line and treated the header lines following that tab as part of the message body for parsing purposes. Here is the tracker: http://members.spamcop.net/sc?id=z890177471zad74dde34e2fe3f4a7383bae6b0ee29bz RFC2822 para: 2.2.2 states that either a tab (ASCII 9) or white space (ASCII 32) are treated as "white space characters" for the purpose of header folding. RFC2822 para: 2.2.3 defines that using a CRLF followed by a White space character should be treated as "header folding". I suppose this spamcop parsing error could be abused by spammers, though I haven't seen any evidence of it thus far. It's probably only a matter of time. 
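Added illustration of the header-folding point made in the message above; it is not part of any post in this thread and is not SpamCop's code. It parses one constructed message twice: once following RFC 2822 2.2.3 (only a truly empty line ends the header) and once with the behaviour the post describes (a tab-only line ends the header). The sample message, `parse_message`, `whitespace_only_header_lines` and `compare` are all names assumed for this example.

```python
"""Header folding per RFC 2822 2.2.3 versus a parser that stops at a tab-only line."""

# Constructed sample message (not taken from the thread). Line 3 holds a single
# tab, the condition described in the post; the real empty line comes later.
RAW = (
    "Received: from mail.example.net ([192.0.2.10]) by mx.example.org;"
    " Sat, 4 Mar 2006 01:00:00 +0000\r\n"
    "Subject: constructed test message\r\n"
    "\t\r\n"
    "Message-ID: <constructed-0001@example.net>\r\n"
    "Date: Sat, 4 Mar 2006 01:00:00 +0000\r\n"
    "X-Long: first part\r\n"
    " second part\r\n"
    "\r\n"
    "Body text.\r\n"
)
WSP = " \t"  # the two white space characters named in RFC 2822 2.2.2


def _lines(raw):
    # Accept CRLF (RFC 2822) and bare LF (common in mail saved to disk).
    return raw.replace("\r\n", "\n").split("\n")


def parse_message(raw, whitespace_line_ends_header=False):
    """Return ([(name, value), ...], body).

    With whitespace_line_ends_header=False the header ends only at an empty
    line, and a line starting with SP or HTAB is unfolded into the previous
    field. With True, a line made up only of white space is taken as the
    header/body separator, which models the behaviour described in the post.
    """
    lines = _lines(raw)
    fields = []
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "":
            break  # the real separator: nothing before the line ending
        if whitespace_line_ends_header and line.strip(WSP) == "":
            break  # modelled misparse: tab-only line treated as blank
        if line[0] in WSP:
            if not fields:
                raise ValueError("continuation line before the first header field")
            name, value = fields[-1]
            fields[-1] = (name, value + line)  # unfold: drop the line break only
        else:
            name, colon, value = line.partition(":")
            if not colon:
                raise ValueError(f"not a header field: {line!r}")
            fields.append((name, value))
    body = "\n".join(lines[i:])
    return [(n, v.strip(WSP)) for n, v in fields], body


def whitespace_only_header_lines(raw):
    """1-based numbers of white-space-only lines that precede the empty line.

    A message with any hit is one that the two parsing modes will split at
    different places, so it is worth flagging before relying on a report.
    """
    hits = []
    for number, line in enumerate(_lines(raw), start=1):
        if line == "":
            break
        if line.strip(WSP) == "":
            hits.append(number)
    return hits


def compare(raw):
    strict_fields, strict_body = parse_message(raw)
    loose_fields, loose_body = parse_message(raw, whitespace_line_ends_header=True)
    return {
        "strict_names": [n for n, _ in strict_fields],
        "loose_names": [n for n, _ in loose_fields],
        "hidden_from_loose": [n for n, _ in strict_fields[len(loose_fields):]],
        "loose_body_first_line": loose_body.split("\n", 1)[0],
        "strict_body": strict_body,
        "suspect_lines": whitespace_only_header_lines(raw),
    }


if __name__ == "__main__":
    for key, value in compare(RAW).items():
        print(f"{key}: {value!r}")
```

The `hidden_from_loose` entry lists the header fields that the second mode pushes into the body, which is the display effect described for the Message-ID and Date lines.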
Garen From g.hyde at bigpond.net.au Sat Mar 4 21:38:48 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Sat Mar 4 06:40:15 2006 Subject: [SpamCop-List] Re: Should this be cut from the email before submitting? References: Message-ID: "Garen Erdoisa" wrote in message news:dubm7i$sma$1@news.spamcop.net... > Garen Erdoisa wrote: > Here is the tracker: > http://members.spamcop.net/sc?id=z890177471zad74dde34e2fe3f4a7383bae6b0ee29bz That tracking URL is something only you could view. I'd need to know your account/pwd. And I don't think that would be a good idea at all. Please post the TRACKING URL from the appropriate page if using that. > RFC2822 para: 2.2.2 states that either a tab (ASCII 9) or white space > (ASCII 32) are treated as "white space characters" for the purpose of > header folding. What I'd like to know is why it seems a lot of countries don't even know about RFC standards, let alone follow them, the same goes for software vendors and mailhost software programmers. > RFC2822 para: 2.2.3 defines that using a CRLF followed by a White space > character should be treated as "header folding". RFC this, RFC that - I believe one poster claimed that there was no such thing as "RFC" standards, cause they didn't actually exist or were not voted on. (Don't remember which, exactly.) > I suppose this spamcop parsing error could be abused by spammers, though I > haven't seen any evidence of it thus far. It's probably only a matter of > time. It may get abused insofar as the mailserver software (and the individual mailservers handling emails at various points) would allow it. And I'm sure if the spammers are found to be abusing it, that those people running SpamCop would eventually find out about it and alter their parsing algorithm to take it into account. Cheers ... 
Geoffrey Hyde From scamper at trisk.com Sat Mar 4 05:37:05 2006 From: scamper at trisk.com (Garen Erdoisa) Date: Sat Mar 4 07:40:02 2006 Subject: [SpamCop-List] Re: Should this be cut from the email before submitting? In-Reply-To: References: Message-ID: Geoffrey Hyde wrote: > "Garen Erdoisa" wrote in message > news:dubm7i$sma$1@news.spamcop.net... >> Garen Erdoisa wrote: > >> Here is the tracker: >> http://members.spamcop.net/sc?id=z890177471zad74dde34e2fe3f4a7383bae6b0ee29bz > > That tracking URL is something only you could view. I'd need to know your > account/pwd. And I don't think that would be a good idea at all. Please > post the TRACKING URL from the appropriate page if using that. My bad. You can also just replace "members" with "www" to get a tracking URL that anyone can use when you see that. http://www.spamcop.net/sc?id=z890177471zad74dde34e2fe3f4a7383bae6b0ee29bz Regards; >[snip] Garen From uheep2 at comcast.net Sat Mar 4 09:04:21 2006 From: uheep2 at comcast.net (Alex Gitlin) Date: Sat Mar 4 09:05:03 2006 Subject: [SpamCop-List] what happens when I report spam? Message-ID: I would really like to know what happens when I report spam? Do authorities really go after the spammer? Are there any repercussions for the spammer? I've been filing reports for months through spamcop, but the amount of inbound spam has not decreased, although it's probably naive to assume that it would. And finally, can anyone tell me how I could block emails originating in certain parts of the world? Thanks in advance, Alex. From MikeE at ster.invalid Sat Mar 4 06:41:48 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Mar 4 09:45:03 2006 Subject: [SpamCop-List] Re: what happens when I report spam? References: Message-ID: Alex Gitlin wrote: > I would really like to know what happens when I report spam? You are notifying the providers for the spamsource and the spamvertiser. 
You are also contributing the spamsource IP toward being listed in the SCbl, spamcop blocklist, a very dynamic blocklist of spamsources based on 5.3 million spams per week last week. The concept is that providers for spamsource should be motivated to stop the spamsourcing by their IP and that spamvertiser providers should be motivated to stop providing webspace to a spam supporter. In practice that rarely happens. > Do > authorities really go after the spammer? No. Spamcop is a parsing and reporting and blocklisting service, not an authority. It is also a mail service which provides filtering and facilitates reporting. > Are there any repercussions > for the spammer? 'Spammer' is a vague term in that context. Typically the 'spammer' - as in the injector of the email into the smtp stream toward your mailbox - isn't known at all. So I say spamsource, which is the IP to which the spam can be traced, and spamvertiser which is the site or other payload being promoted in the spam. There's an implication that since the spamvertiser benefits from the spam, that there must be some kind of spam support role there. These days the spamsource is most often a user IP which is proxified for abuse. These days the spamvertiser has a cozy relationship with the provider. > I've been filing reports for months through spamcop, but the amount of > inbound spam has not decreased, although it's probably naive to > assume that it would. There isn't anything about reporting spam that has much of a direct effect on reducing your spamload. Normally a spamcop report munges the To address and other parts that might disclose who is reporting. Sometimes some spam reporters handle their spam badly in order to report it and that bad handling can actually increase their spam. > And finally, can anyone tell me how I could block emails originating > in certain parts of the world? 
There are lists, such as blackholes.us and nerd-zz or xx.countries.nerd.dk which facilitate dnsbl blocking of the IP of many countries. -- Mike Easter kibitzer, not SC admin From vanguard.news at yahooNIX.com Sat Mar 4 09:25:33 2006 From: vanguard.news at yahooNIX.com (Vanguard) Date: Sat Mar 4 10:30:03 2006 Subject: [SpamCop-List] Re: what happens when I report spam? References: Message-ID: "Alex Gitlin" wrote in message news:duc6p2$5u5$1@news.spamcop.net... >I would really like to know what happens when I report spam? Do >authorities really go after the spammer? Are there any repercussions for >the spammer? > > I've been filing reports for months through spamcop, but the amount of > inbound spam has not decreased, although it's probably naive to assume > that it would. > > And finally, can anyone tell me how I could block emails originating in > certain parts of the world? SpamCop simply sends a report to the spam source notifying about the offense. If you got a postcard in your mailbox from no one with legal authority in your area telling you to mow your lawn, do you go running over to your lawn mower? The report only has effect if the recipient is a responsible provider that actually wants to stop spam and has the resources available to do so. There are no cops at SpamCop. If you want the report to go somewhere that might actually have some legal effect against spammers, send a copy of the SpamCop report to the FTC at spam@uce.gov. SpamCop used to include sending them a copy but the FTC got so deluged that they requested SpamCop to cease sending them copies of spam, but you could send a copy to them. Obviously the FTC is a US gov't entity and can probably only go after an abuser using resources within the US. Go into Preferences in your SpamCop account and include any e-mail addresses that you want to include for recipients to get a copy of the spam report. By reporting to SpamCop, you help to update its blacklist. 
Same for other users reporting spam to SpamCop. That means the users are helping themselves to update the blacklist (and presumably you are using the SpamCop blacklist). You will have far more effect in updating the SpamCop blacklist than you will by reporting spam to the "authorities".

--
__________________________________________________
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
__________________________________________________

From jg at coks.net Sat Mar 4 07:32:58 2006
From: jg at coks.net (jg)
Date: Sat Mar 4 10:30:09 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
In-Reply-To:
References:
Message-ID:

On 3/4/2006 6:41 AM Mike Easter scribbled:

> There isn't anything about reporting spam that has much of a direct
> effect on reducing your spamload. Normally a spamcop report munges the
> To address and other parts that might disclose who is reporting.
> Sometimes some spam reporters handle their spam badly in order to report
> it and that bad handling can actually increase their spam.

Along this line, I stopped reporting spam about a month or so ago. I had been getting upwards of 100 a day, usual flavor of meds, p&d, mort, etc. I ceased for a while since I found out my ISP (cox) was dropping all my outbound spam reports, making reporting via email to spamcop, the FDA, the SEC, etc. impossible. I intended to
1.) See if I could get cox to allow my reports out (haven't gotten a human being that understands the issue yet)
2.) Look into another alternative for an ISP - cox has the monopoly in my hood so cable is out if I change, which leaves me with SBC dsl or maybe someother, that someother not having shown up yet. I'd rather the someother than SBC since SBC is an alleged spam supporter and tied in with yahoo.

Since stopping the reports, spam dropped to 2-3 a day at times, average 10-12 a day. Last week, I parsed a spam through SC to look up the sender and reported it via the web.
Next day, I had 40 spam come in overnight.
I get the feeling there might be a relationship between reporting and spam volume but I don't know where it is...

>
>> And finally, can anyone tell me how I could block emails originating
>> in certain parts of the world?
>
> There are lists, such as blackholes.us and nerd-zz or
> xx.countries.nerd.dk which facilitate dnsbl blocking of the IP of many
> countries.
>

A 3rd party prog like SpamPal can be used to filter out whole countries...

From nospam at nospam.org Sat Mar 4 17:19:52 2006
From: nospam at nospam.org (Ejo)
Date: Sat Mar 4 11:20:03 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
In-Reply-To:
References:
Message-ID:

Alex Gitlin wrote:
> I would really like to know what happens when I report spam? Do authorities
> really go after the spammer? Are there any repercussions for the spammer?

Your report may be used to maintain a blocklist of IP numbers that is used by many providers to determine whether an incoming mail is a spam. Authorities do usually not care about spamcop, the repercussion for the spammer is that his IP may be listed in the SC blocklist.

>
> I've been filing reports for months through spamcop, but the amount of
> inbound spam has not decreased, although it's probably naive to assume that
> it would.

The answer is yes it sometimes helps to report spam, but oftentimes I see no effect on the total amount of inbound spam.

>
> And finally, can anyone tell me how I could block emails originating in
> certain parts of the world?

Your mail server or client should do this, there are block lists for many countries.

>
> Thanks in advance,
> Alex.

Ejo

From tmcgraw at spamcop.net Sat Mar 4 08:54:15 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Sat Mar 4 11:55:03 2006
Subject: [SpamCop-List] Re: Should this be cut from the email before submitting?
In-Reply-To:
References:
Message-ID:

Petzl wrote:
>>
> Please do not use a real email address in newsgroups unless it is a bullet
> proof SpamCop one

I was unaware of a "requirement" for email addresses used to post here. OTOH I have seen "friendly" advice offered to those who use real addys, solicited or not.

For his part Geoffrey munged his "reply to" address - and most tests show that is the address most commonly lifted by spambots.

From stephenbye at byedesign.freeserve.co.uk Sat Mar 4 19:10:35 2006
From: stephenbye at byedesign.freeserve.co.uk (Stephen Bye)
Date: Sat Mar 4 14:15:16 2006
Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu
References:
Message-ID:

"Redstone" wrote in message news:Xns977A871E1185Dtinlc@216.154.195.61...
>
> PT Barnum may be accurate. Think about the number of suckers dropping dead
> due to the poisons that spammer drug products contain.
>
>
> Buy a spamvertised product and you play with fire.
>

And it must be very risky indeed to buy prescription drugs from someone who can't spell!

From kjz at despammed.com Sat Mar 4 20:22:05 2006
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Sat Mar 4 14:25:03 2006
Subject: [SpamCop-List] Spamcop capitulation before spammer?
Message-ID:

tracking URL:

http://www.spamcop.net/sc?id=z887651010z7d46879cb764e39a8650fe111519594fz

Report sent to:

kuvayv-badcow@devnull.spamcop.net

What's the meaning of this? Yes, it was clearly one of Leo's medz spams. Has spamcop now capitulated before one of the biggest and worst spammers on this planet ('The Godfather of Spam') because he has found ABSOLUTELY bullet-proof hosting and every LART only will be a total waste of time?

- kjz

From nobody at spamcop.net Sat Mar 4 12:53:49 2006
From: nobody at spamcop.net (N. Miller)
Date: Sat Mar 4 15:55:15 2006
Subject: [SpamCop-List] Re: Should this be cut from the email before submitting?
References:
Message-ID: <264m52d1fedy$.dlg@news.spamcop.net>

On Sat, 04 Mar 2006 08:54:15 -0800, Tim McGraw wrote:

> Petzl wrote:
>> Please do not use a real email address in newsgroups unless it is a bullet
>> proof SpamCop one
> I was unaware of a "requirement" for email addresses used to post here.
> OTOH I have seen "friendly" advice offered to those who use real addys,
> solicited or not.
>
> For his part Geoffrey munged his "reply to" address - and most tests
> show that is the address most commonly lifted by spambots.

Actually, in my experience, it is the "From:" email address in NNTP headers which is lifted by the harvesters, not the "Reply-To:" email address. Most NNTP servers give up the "From:" email address in an XOVER command, but not the "Reply-To:" email address. My "Reply-To:" email address is not munged, and I have yet to get spam at that email address.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From jeffg at spamcop.net Sat Mar 4 15:37:15 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Sat Mar 4 16:00:02 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
References:
Message-ID:

jg wrote:
> On 3/4/2006 6:41 AM Mike Easter scribbled:
>> There isn't anything about reporting spam that has much of a direct
>> effect on reducing your spamload. Normally a spamcop report munges
>> the To address and other parts that might disclose who is reporting.
>> Sometimes some spam reporters handle their spam badly in order to
>> report it and that bad handling can actually increase their spam.
>
> Along this line, I stopped reporting spam about a month or so ago. I
> had been getting upwards of 100 a day, usual flavor of meds, p&d,
> mort, etc. I ceased for a while since I found out my ISP (cox) was
> dropping all my outbound spam reports, making reporting via email to
> spamcop, the FDA,
> the SEC, etc.
> impossible. I intended to 1.)
See if I could get cox to allow my
> reports out (haven't gotten a human being that understands the issue
> yet)

As I wrote in my reply to "E-Mail spam submittals blocked by your ISP" at
http://forum.spamcop.net/forums/index.php?showtopic=2782&view=findpost&p=30553 ,
you may want to tell them (cox) simply "Since you insist that you are better at protecting me and the Internet from spam, starting tomorrow morning I will be sending you all the spam that you won't let me report via email to SpamCop, so that you may do a better job at reporting and filtering using that spam."

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jg at coks.net Sat Mar 4 13:57:58 2006
From: jg at coks.net (jg)
Date: Sat Mar 4 16:55:04 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
In-Reply-To:
References:
Message-ID:

On 3/4/2006 12:37 PM Jeff G. scribbled:

> jg wrote:
>> On 3/4/2006 6:41 AM Mike Easter scribbled:
>>> There isn't anything about reporting spam that has much of a direct
>>> effect on reducing your spamload. Normally a spamcop report munges
>>> the To address and other parts that might disclose who is reporting.
>>> Sometimes some spam reporters handle their spam badly in order to
>>> report it and that bad handling can actually increase their spam.
>> Along this line, I stopped reporting spam about a month or so ago. I
>> had been getting upwards of 100 a day, usual flavor of meds, p&d,
>> mort, etc. I ceased for a while since I found out my ISP (cox) was
>> dropping all my outbound spam reports, making reporting via email to
>> spamcop, the FDA,
>> the SEC, etc.
>> impossible. I intended to 1.)
See if I could get cox to allow my
>> reports out (haven't gotten a human being that understands the issue
>> yet)
>
> As I wrote in my reply to "E-Mail spam submittals blocked by your ISP"
> at
> http://forum.spamcop.net/forums/index.php?showtopic=2782&view=findpost&p=30553 ,
> you may want to tell them (cox) simply "Since you insist that you are
> better at protecting me and the Internet from spam, starting tomorrow
> morning I will be sending you all the spam that you won't let me report
> via email to SpamCop, so that you may do a better job at reporting and
> filtering using that spam."
>

From one Jeff G. to another, thanks for the input. Sorry I missed your post in the forum - I am sorta like Mike E. re: Fora - and I have seen enough on the subject via NNTP, save your suggestion, which while it may seem a good idea, my guess is it is likely to fail since I cannot send out /any/ spam, it seems, via fwrd. Then again, maybe cox will accept such if addressed to themselves - will give that a go. I like your approach - telling them verbally that I was going to move my account didn't faze them much...

From jg at coks.net Sat Mar 4 14:02:58 2006
From: jg at coks.net (jg)
Date: Sat Mar 4 17:00:03 2006
Subject: [SpamCop-List] Re: Spamcop capitulation before spammer?
In-Reply-To:
References:
Message-ID:

On 3/4/2006 11:22 AM Karl-Josef Ziegler scribbled:

> tracking URL:
>
> http://www.spamcop.net/sc?id=z887651010z7d46879cb764e39a8650fe111519594fz
>
> Report sent to:
>
> kuvayv-badcow@devnull.spamcop.net
>
> What's the meaning of this? Yes, it was clearly one of Leo's medz spams.
> Has spamcop now capitulated before one of the biggest and worst spammers
> on this planet ('The Godfather of Spam') because he has found ABSOLUTELY
> bullet-proof hosting and every LART only will be a total waste of time?
>
> - kjz

Capitulate from what?

I know less than most on this subject, but seems to me that:
1.) Larting bad cow and the source is pretty much useless.
2.)
devnull is for stats only, yes?

What else can SC do - call out the Marines (I don't mean to be a smart ass here)?

From kjz at despammed.com Sat Mar 4 23:18:29 2006
From: kjz at despammed.com (Karl-Josef Ziegler)
Date: Sat Mar 4 17:20:02 2006
Subject: [SpamCop-List] Re: Spamcop capitulation before spammer?
In-Reply-To:
References:
Message-ID:

jg wrote:

> I know less than most on this subject, but seems to me that:
> 1.) Larting bad cow and the source is pretty much useless.
> 2.) devnull is for stats only, yes?

No upstream to lart? No authorities interested?

http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1502

There is a court order and spammy sent more spams as before? How powerful is the American justice?

From jg at coks.net Sat Mar 4 14:30:18 2006
From: jg at coks.net (jg)
Date: Sat Mar 4 17:30:03 2006
Subject: [SpamCop-List] Re: Spamcop capitulation before spammer?
In-Reply-To:
References:
Message-ID:

On 3/4/2006 2:18 PM Karl-Josef Ziegler scribbled:

> jg wrote:
>
>> I know less than most on this subject, but seems to me that:
>> 1.) Larting bad cow and the source is pretty much useless.
>> 2.) devnull is for stats only, yes?
>
> No upstream to lart? No authorities interested?

For these guys, upstream doesn't seem to care - that is what the term "bulletproof" means. This gang has been at work for quite a while and no one seems to know what to do yet.

>
> http://www.ago.state.ma.us/sp.cfm?pageid=986&id=1502

So Leo moves to New Hampshire and listwashes Mass...

>
> There is a court order and spammy sent more spams as before? How
> powerful is the American justice?

About as powerful as ever - unfortunately, the system works 2 ways, and the accused can tie up the courts for years, something spammers are good at. One reason lawyers are 2nd only to spam in attracting hate...

From not at home.today Sat Mar 4 22:31:29 2006
From: not at home.today (Ant)
Date: Sat Mar 4 17:35:02 2006
Subject: [SpamCop-List] Re: Should this be cut from the email before submitting?
References:
Message-ID:

"Tim McGraw" wrote:

> For his part Geoffrey munged his "reply to" address - and most tests
> show that is the address most commonly lifted by spambots.

Really? I've always understood it to be the "From". The reason being that "Reply-To" may not always be present, and some nntp header retrieval commands may not always include it.

From tmcgraw at spamcop.net Sat Mar 4 15:03:20 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Sat Mar 4 18:05:02 2006
Subject: [SpamCop-List] Re: Should this be cut from the email before submitting?
In-Reply-To:
References:
Message-ID:

Ant wrote:
> "Tim McGraw" wrote:
>
>> For his part Geoffrey munged his "reply to" address - and most tests
>> show that is the address most commonly lifted by spambots.
>
> Really?

No, not really. I mis-remembered a long-ago post on nanae. Mea culpa and all that. These days you can't be too careful and some light Googling reveals today's best practice is to munge anything that has an '@' sign.

That said, I don't spend a lot of time obsessing over munging an address - no matter how hard you work to protect it, one of your bonehead "trusted" correspondents will eventually get an address-scraping virm. In fact, despite having an sc addy since 1998 I'm pretty indiscriminate with my email addresses (altho I use sneakemail when it makes sense).

If we modify our behavior to the extreme then the terroris - er, I mean the spammers, have won.

From nobody at spamcop.net Sat Mar 4 15:46:29 2006
From: nobody at spamcop.net (N. Miller)
Date: Sat Mar 4 18:50:04 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
References:
Message-ID: <5drrtb6r3knm.dlg@news.spamcop.net>

On Sat, 04 Mar 2006 07:32:58 -0800, jg wrote:

> Since stopping the reports, spam dropped to 2-3 a day at times, average
> 10-12 a day. Last week, I parsed a spam through SC to look up the
> sender and reported it via the web.
> Next day, I had 40 spam come in overnight.
> I get the feeling there might be a relationship between reporting and
> spam volume but I don't know where it is...

Since I stopped sending "munged" reports, and allow SpamCop to send notifies without obfuscating user information in the spam, I have seen spam to two SBC Yahoo! DSL accounts drop by about 50%.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From jg at coks.net Sat Mar 4 16:38:37 2006
From: jg at coks.net (jg)
Date: Sat Mar 4 19:40:04 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
In-Reply-To: <5drrtb6r3knm.dlg@news.spamcop.net>
References: <5drrtb6r3knm.dlg@news.spamcop.net>
Message-ID:

On 3/4/2006 3:46 PM N. Miller scribbled:

> On Sat, 04 Mar 2006 07:32:58 -0800, jg wrote:
>
>> Since stopping the reports, spam dropped to 2-3 a day at times, average
>> 10-12 a day. Last week, I parsed a spam through SC to look up the
>> sender and reported it via the web.
>> Next day, I had 40 spam come in overnight.
>> I get the feeling there might be a relationship between reporting and
>> spam volume but I don't know where it is...
>
> Since I stopped sending "munged" reports, and allow SpamCop to send
> notifies without obfuscating user information in the spam, I have seen spam
> to two SBC Yahoo! DSL accounts drop by about 50%.
>

/Really/ - why would that be?
and thanks for the thought...

From nospam at nospam.org Sun Mar 5 02:13:39 2006
From: nospam at nospam.org (Ejo)
Date: Sat Mar 4 20:15:03 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
In-Reply-To: <5drrtb6r3knm.dlg@news.spamcop.net>
References: <5drrtb6r3knm.dlg@news.spamcop.net>
Message-ID:

N. Miller wrote:
> On Sat, 04 Mar 2006 07:32:58 -0800, jg wrote:
>
>> Since stopping the reports, spam dropped to 2-3 a day at times, average
>> 10-12 a day. Last week, I parsed a spam through SC to look up the
>> sender and reported it via the web.
>> Next day, I had 40 spam come in overnight.
>> I get the feeling there might be a relationship between reporting and
>> spam volume but I don't know where it is...
>
> Since I stopped sending "munged" reports, and allow SpamCop to send
> notifies without obfuscating user information in the spam, I have seen spam
> to two SBC Yahoo! DSL accounts drop by about 50%.
>

What may be the case is that you inadvertently ended up at some digest that is causing spam in your inbox. If you report that type of spam then at least the digest administrators or their ISP are/is notified through spamcop, and sometimes you get off their digest distribution list which reduces the amount of incoming spam. But this is rare, for me this happened only once or twice in the last few years. I don't know why my name ends up in some digests, it may be a poor design of the subscriptions method, prone to being misused by pranksters.

Actually, I don't care about the amount of incoming spam, it varies between 50 and 250 per day. What the heck, this is a few minutes of processing time, spampal and spamassassin are very efficient. What I more care about is a reduction of the amount of false positives, valid e-mails from colleagues at work or customers detected as spam which still happens with about 0.1% of all received e-mail. False negatives don't bother me that much, and they are the first on my list to be reported to spamcop.

Ejo

From uheep2 at comcast.net Sun Mar 5 00:22:09 2006
From: uheep2 at comcast.net (Alex Gitlin)
Date: Sun Mar 5 00:25:16 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
References:
Message-ID:

Mike,

Thanks for your detailed reply.

> No. Spamcop is a parsing and reporting and blocklisting service, not an
> authority. It is also a mail service which provides filtering and
> facilitates reporting.

More on this please: do I need to get a separate email account w/Spamcop (and if so, how) or would it work in conjunction with my ISP and current mail server? I'm on comcast, using Outlook Express.
Not sure if I have any leverage at all to tell comcast to block out emails from certain IPs, let alone countries/continents...

Alex

From abuse at whathostingshould.be Sun Mar 5 00:23:56 2006
From: abuse at whathostingshould.be (Galen)
Date: Sun Mar 5 00:25:30 2006
Subject: [SpamCop-List] Re: New spam-hosts are blocking spamcop DNS queries
References:
Message-ID:

In news:du4d33$cpq$1@news.spamcop.net,
Mike Easter had this to say:

My reply is an Easter Egg:

> I specifically blame the MS MVPs for the sad state of affairs in the
> MS groups.

Fine but let's be honest. I'll be honest with you. First, I've been missing - swamped with work so I'm late. Second, the addition of the new MVPs in mass amounts as of late has (and I'm trying to be both polite and honest) "watered down" the wine so to speak. *grins* I have a unique enough trait. I say it like it is while trying to be polite about it. Truth be told there have been some who've been awarded that, well, probably shouldn't have been in MY opinion and while they may be good in their fields they lack the awareness of Usenet that they should have had in MY opinion. So, to that, I say that I agree to some extent.

*is on a new crusade - killing off some of the scamming web hosting companies - so has been swamped but has clients and not ONE spam complaint yet!* I am tired but happy. I'm running at a loss but, well, that's to be expected. No spammers though. ;)

Galen
--
http://www.whathostingshould.be - We are what hosting SHOULD be.

From / at /.cn Sun Mar 5 16:24:22 2006
From: / at /.cn (Petzl)
Date: Sun Mar 5 00:25:36 2006
Subject: [SpamCop-List] Re: Should this be cut from the email before submitting?
References:
Message-ID:

"Tim McGraw" wrote in message news:ducgnl$b9u$1@news.spamcop.net...
> Petzl wrote:
>>>
>> Please do not use a real email address in newsgroups unless it is a
>> bullet proof SpamCop one
>
> I was unaware of a "requirement" for email addresses used to post here.
> OTOH I have seen "friendly" advice offered to those who use real addys,
> solicited or not.
>
> For his part Geoffrey munged his "reply to" address - and most tests show
> that is the address most commonly lifted by spambots.

Most spambot/spiders just target the from address leaving the reply one alone (this is not always the case)

From abuse at whathostingshould.be Sun Mar 5 02:21:07 2006
From: abuse at whathostingshould.be (Galen)
Date: Sun Mar 5 02:25:17 2006
Subject: [SpamCop-List] Re: Spamcop capitulation before spammer?
References:
Message-ID:

In news:dud487$nbb$1@news.spamcop.net,
jg had this to say:

My reply is at the bottom of your sent message:

> About as powerful as ever - unfortunately, the system works 2 ways,
> and
> the accused can tie up the courts for years, something spammers are
> good at. One reason lawyers are 2nd only to spam in attracting hate...

That URL was .ma.us? *grins* I own a few handguns and live just up the road in Maine. ;) Piss enough Mainers off and they'll generally take care of it.

Ah well...

--
http://www.whathostingshould.be - We are what hosting SHOULD be.

From nospam at nospam.org Sun Mar 5 09:46:03 2006
From: nospam at nospam.org (Ejo)
Date: Sun Mar 5 03:50:16 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
In-Reply-To:
References:
Message-ID:

Alex Gitlin wrote:
> Mike,
>
> Thanks for your detailed reply.
>
>> No. Spamcop is a parsing and reporting and blocklisting service, not an
>> authority. It is also a mail service which provides filtering and
>> facilitates reporting.
>
> More on this please: do I need to get a separate email account w/Spamcop
> (and if so, how) or would it work in conjunction with my ISP and current
> mail server? I'm on comcast, using Outlook Express. Not sure if I have any
> leverage at all to tell comcast to block out emails from certain IPs, let
> alone countries/continents...
>
> Alex
>
>

Dear Alex

I don't know what comcast e-mail servers do for you, it may be the case that there is blocklist information already in the header of your e-mail. Outlook normally doesn't show you the entire header, but I guess that it must be possible to design a filter in outlook that checks certain elements in the header.

Perhaps consider checking
http://ejos.blogspot.com/2005/11/why-do-we-get-spam-how-do-you-fight-it.html
including other spam related articles in that blogspot.

Whether you want spamcop to handle your mail is another question. This is a separate issue from using their blocklist, which is for free. It is also a separate issue from using their spam reporting service, which does require a subscription.

Ejo

From nobody at spamcop.net Sun Mar 5 01:49:09 2006
From: nobody at spamcop.net (N. Miller)
Date: Sun Mar 5 04:50:48 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
References: <5drrtb6r3knm.dlg@news.spamcop.net>
Message-ID: <1masqrm1yfkz5$.dlg@news.spamcop.net>

On Sat, 04 Mar 2006 16:38:37 -0800, jg wrote:

> On 3/4/2006 3:46 PM N. Miller scribbled:
>> On Sat, 04 Mar 2006 07:32:58 -0800, jg wrote:
>>> Since stopping the reports, spam dropped to 2-3 a day at times, average
>>> 10-12 a day. Last week, I parsed a spam through SC to look up the
>>> sender and reported it via the web.
>>> Next day, I had 40 spam come in overnight.
>>> I get the feeling there might be a relationship between reporting and
>>> spam volume but I don't know where it is...
>> Since I stopped sending "munged" reports, and allow SpamCop to send
>> notifies without obfuscating user information in the spam, I have seen spam
>> to two SBC Yahoo! DSL accounts drop by about 50%.
> /Really/ - why would that be?
> and thanks for the thought...

If you have a problem with listwashing, keep on sending munged reports!
;)

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From nobody at spamcop.net Sun Mar 5 02:00:31 2006
From: nobody at spamcop.net (N. Miller)
Date: Sun Mar 5 05:05:38 2006
Subject: [SpamCop-List] Re: what happens when I report spam?
References: <5drrtb6r3knm.dlg@news.spamcop.net>
Message-ID:

On Sun, 05 Mar 2006 02:13:39 +0100, Ejo wrote:

> N. Miller wrote:
>> On Sat, 04 Mar 2006 07:32:58 -0800, jg wrote:
>>> Since stopping the reports, spam dropped to 2-3 a day at times, average
>>> 10-12 a day. Last week, I parsed a spam through SC to look up the
>>> sender and reported it via the web.
>>> Next day, I had 40 spam come in overnight.
>>> I get the feeling there might be a relationship between reporting and
>>> spam volume but I don't know where it is...
>> Since I stopped sending "munged" reports, and allow SpamCop to send
>> notifies without obfuscating user information in the spam, I have seen spam
>> to two SBC Yahoo! DSL accounts drop by about 50%.
> What may be the case is that you inadvertently ended up at some digest
> that is causing spam in your inbox. If you report that type of spam then
> at least the digest administrators or their ISP are/is notified through
> spamcop, and sometimes you get off their digest distribution list which
> reduces the amount of incoming spam. But this is rare, for me this
> happened only once or twice in the last few years. I don't know why my
> name ends up in some digests, it may be a poor design of the
> subscriptions method, prone to being misused by pranksters.
>
> Actually, I don't care about the amount of incoming spam, it varies
> between 50 and 250 per day. What the heck, this is a few minutes of
> processing time, spampal and spamassassin are very efficient. What I
> more care about is a reduction of the amount of false positives, valid
> e-mails from colleagues at work or customers detected as spam which
> still happens with about 0.1% of all received e-mail.
False negatives
> don't bother me that much, and they are the first on my list to be
> reported to spamcop.

It has probably been about five years since I got on some kind of "digest" list. I believe it was from a mall contest entry; the spam suddenly started coming in just after using that email address; and it wasn't proxy spam. Since the spam was at a level I wasn't comfortable with, and I was about to ditch that account, I decided to try the unsubscribe links. They actually worked. After three months of SpamCop reports doing zip, three days of unsubscribes cut that account's spam volume by 80%.

Most of the spam I see now is proxy spam. I decided to stop sending munged reports as a test. I suspect listwashing. In actual fact, I stopped trying to report all spam from those accounts, due to the volume, and only report what I felt I could handle in the time available.

If I reported only false negatives, though, I'd be filing two, maybe three SpamCop complaints a week on those two 'pacbell.net' accounts. As it is, my total spam reports, to date, sent for two Juno accounts, two SBC ('pacbell.net') accounts, a MyRealBox account, and a Netscape Mail account come to: 35. For another Juno account, and my Dark Horse Comics email account: 77 and 48, respectively (for the year to date). The heaviest volume has been on two other 'pacbell.net' accounts.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From g.hyde at bigpond.net.au Sun Mar 5 21:35:03 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sun Mar 5 06:40:14 2006
Subject: [SpamCop-List] Re: Spamcop capitulation before spammer?
References:
Message-ID:

"Galen" wrote in message news:due3gg$745$1@news.spamcop.net...

> That URL was .ma.us? *grins* I own a few handguns and live just up the
> road in Maine. ;) Piss enough Mainers off and they'll generally take care
> of it.

(fiction) Now *that* would make for an interesting CSI programme! A serial killer that targets spammers.
:D You could yet get some mileage out of these spammers! At their expense, fictionally, of course. (/fiction)

The reality is that most spammers are as far away as possible from US shores ...

Cheers ... Geoffrey Hyde

From AHaumer_gmxnet at nopspam.invalid Sun Mar 5 13:33:28 2006
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Sun Mar 5 07:35:03 2006
Subject: [SpamCop-List] SC down?
Message-ID: <440ADA98.F7B6E964@nopspam.invalid>

sent a bunch of spam by mail about 6 hours ago, nothing happens ...
SC reporting down?

--
Toni

From nospam at nospam.zootal.ihatespam.com Sun Mar 5 10:23:19 2006
From: nospam at nospam.zootal.ihatespam.com (Ook)
Date: Sun Mar 5 13:30:10 2006
Subject: [SpamCop-List] Spamcop does not find url in spam?
Message-ID:

I posted the spam in spamcop.spam. Towards the bottom of the spam is a link. In the details of the parse I see:

Resolving link obfuscation
http://ca.geocities.com/timeworker7321/

And that is all. This is a valid link that forwards to http://www.brighterideaworks.com/lj/, which appears to be another money judgement processing site. Is spamcop missing this link, or am I not understanding what it is doing?

From jeffg at spamcop.net Sun Mar 5 14:50:22 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Sun Mar 5 14:55:03 2006
Subject: [SpamCop-List] Re: Spamcop does not find url in spam?
References:
Message-ID:

Ook wrote:
> Resolving link obfuscation
> http://ca.geocities.com/timeworker7321/
>
> And that is all... Is spamcop missing this link, or am
> I not understanding what it is doing?

Yes, the SpamCop Parser is missing this link, and many others of the form CC.geocities.com (where CC is a Country Code) or just geocities.com, and has been doing so for many months. The programmers are apparently aware of the problem, but haven't seen fit to fix it yet. :( More info in my "FAQ Entry: The Link Analysis Process" at http://forum.spamcop.net/forums/index.php?showtopic=4345 .

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From philip at pch.home.cs.vu.nl Sun Mar 5 23:50:56 2006
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Sun Mar 5 17:55:14 2006
Subject: [SpamCop-List] Re: Why not allow bounces? They are required by RFC822!
References: <43FD963B.3607@xyzzy.claranet.de>
Message-ID: <1al9lvr3g29ednrtvib80b5md0@inews_id.stereo.hq.phicoh.net>

In article <43FD963B.3607@xyzzy.claranet.de>,
Frank Ellermann wrote:
>All it takes is one forwarder to see why: A sends to B, and B
>forwards to C, a third party unrelated to B.
>
>B rejects 99% of all junk. 1 of 100 junk mails makes it to C.
>C rejects 99% of all junk. Not the same 99% as B, therefore C
>might reject some of the 1% slipping through B.
>
>If B gets the reject from C its SMTP session with A is history.
>Therefore B is forced to create a bounce back to A, and this
>can be backscatter if the Return-Path was forged.
>
>B cannot silently discard the mail as junk only because it was
>rejected by C, this rejection can be something harmless like
>"over quota". And then the legit sender A wants to know that
>his mail didn't make it.

In today's Internet there are a number of ways of dealing with this problem:
1) C never rejects a message forwarded by B. I do this with my ISP provided e-mail account. I forward all mail to my local mail server, and all mail gets accepted.
2) B rewrites the envelope from.
3) B only proxies for C, and does not actually relay (store and forward) the mail.
4) B stores the reject mail in a special place, suspends forwarding (generating 4xy error for incoming mail) and notifies C.

There are probably lots of other options. I like options 1 and 3 best.

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From nospam at nospam.zootal.ihatespam.com Sun Mar 5 16:15:34 2006
From: nospam at nospam.zootal.ihatespam.com (Ook)
Date: Sun Mar 5 19:15:03 2006
Subject: [SpamCop-List] Dictionary attack is starting, what to do?
Message-ID:

I'm worried...I had to shut down my domain emberts.com because the spam inflow exceeded 5000 spams a day. Most of it was dictionary attack stuff - common names @emberts.com, rather than actual addresses that were in use.

So, now I have another domain I use for email. A while ago I started to get spam to some of the legit names, I'm guessing that someone I corresponded with got a virus and I was in their address book. Now the spam inflow is starting to follow the same pattern, and I'm wondering how long before I hit the 5000 spams a day level and finally get so sick of it I move on to another domain.

Spam filtering? Not an option - I've yet to find a product that can filter out 10 legit emails from 10,000 spams.

Now what? How do you stop this from happening?

From pantheus at suespammers.org Sun Mar 5 17:03:29 2006
From: pantheus at suespammers.org (Ken)
Date: Sun Mar 5 20:05:04 2006
Subject: [SpamCop-List] Re: Dictionary attack is starting, what to do?
References:
Message-ID:

On Sun, 05 Mar 2006 16:15:34 -0800, Ook wrote:

> I'm worried...I had to shut down my domain emberts.com because the spam
> inflow exceeded 5000 spams a day. Most of it was dictionary attack stuff -
> common names @emberts.com, rather than actual addresses that were in use.

> Spam filtering? Not an option - I've yet to find a product that can filter
> out 10 legit emails from 10,000 spams.
>
> Now what? How do you stop this from happening?

Go to your server config and STOP wildcard acceptance. Allow only the valid user names ! This might be your host's cPanel or setup screens, usually email handling. Wildcard open is dangerous! as you are seeing.
Ken

From scamper at trisk.com Sun Mar 5 18:15:03 2006
From: scamper at trisk.com (Garen Erdoisa)
Date: Sun Mar 5 20:15:02 2006
Subject: [SpamCop-List] Re: Dictionary attack is starting, what to do?
In-Reply-To:
References:
Message-ID:

Ook wrote:
> I'm worried...I had to shut down my domain emberts.com because the spam
> inflow exceeded 5000 spams a day. Most of it was dictionary attack stuff -
> common names @emberts.com, rather than actual addresses that were in use.
>
> So, now I have another domain I use for email. A while ago I started to get
> spam to some of the legit names, I'm guessing that someone I corresponded
> with got a virus and I was in their address book. Now the spam inflow is
> starting to follow the same pattern, and I'm wondering how long before I hit
> the 5000 spams a day level and finally get so sick of it I move on to
> another domain.
>
> Spam filtering? Not an option - I've yet to find a product that can filter
> out 10 legit emails from 10,000 spams.
>
> Now what? How do you stop this from happening?
>
>

I wouldn't rule out spam filtering as an option. You just have to maintain perspective and treat it as one of many tools in your spam fighting arsenal.

You can't stop all of the attempts to send spam to you. I doubt anyone can do that at this point, short of giving up on email altogether. However you can use various combinations of blocking, whitelisting and filtering to cut down on the volume you have to deal with as a human. Let the computer do the rest of the work.

I personally have to deal with about 2000 spams a month hitting my own and my wife's email accounts. I have a friend that runs his own domain who also had a spam volume similar to yours, with give or take 10000 spams per day when he came to me for help with his spam filtering. (this was over 2 years ago). In the course of the last 30 months we've managed to cut that down to about 1500/day that he has to deal with on his domain. The stats are still dropping, albeit slowly.
This is the method I use, and it is similar to the method I helped him get set up.

1) Configure your mail server to use SPF (Sender Policy Framework) to reject email that fails a sender policy check. I.E.: email with a forged from address.

2) Configure your mail server to reject emails sent to addresses that don't exist on your system.

3) If you choose to use DNS blocklists (optional) use the server access list to allow bypassing of those blocklists for addresses you specify. ie: abuse@, postmaster@, and any alias you wish to assign to forward to your real email address.

example using sendmail access lists entries to have certain email bypass the DNS blocklists.

/etc/mail/access
Spam:abuse@example.com FRIEND
Spam:postmaster@example.com FRIEND
Spam:xalkdjfklar@example.com FRIEND

/etc/aliases
xalkdjfklar: realemailaddress

This will allow you to use aliased email addresses to give out to various mailing lists you wish to receive email from, letting those lists get past the server blocks as an "authorized subscription" alias, while still honoring the server blocks for email that isn't in the list of exceptions. This also lets you track who is giving away your email addresses, since only you know who you gave the addresses to. It's also much easier to change access list entries for an alias to deny, then issue a new alias.

I.E.: if the above alias were given out without your consent you could change the access list entry to something like this:

/etc/mail/access
To:xalkdjfklar@example.com ERROR:"550 Routing address disabled due to unauthorized disclosure to third parties"

Then issue a new alias, and/or take the person to task for disclosing the address they were given.

4) for mail that gets past the server level blocks, run both Bayesian filtering and maybe some other filtering system to sort email into goodmail and various other folders for badmail.
In my case, I use procmail as an MDA, and in my procmail scripts I have it using "bogofilter" (a Bayesian filter) to test incoming mail.

Bayesian filters have to be trained, and it takes a while (about a month) to get them to a point where they can reliably sort your goodmail from the spam. Once trained though, they do extremely well at sorting your mail and err on the side of putting spam in with your goodmail instead of the other way.

With bogofilter, I have it set so that only email that scores as 99% likely to be spam gets flagged as such. Anything from 0% to 98.9% gets flagged as not-spam. After running it for over 2 years now, I have to retrain the filter maybe 2-3 times a month for spam that was incorrectly filed in with my goodmail. The last time I found goodmail in with the spam was over 6 months ago, and my whitelisting sorted that out.

I also follow up the Bayesian filtering with custom procmail recipes that allow for white listing email from known good sources.

Any email that isn't whitelisted and also is marked by the Bayesian filter as spam, gets fed to a spamfilter. In my case I use spambouncer because that set of filters is already based on procmail. But you could use just about any other filter you wish. If your spamfilter is capable of doing so, have it auto forward spam it detects on to a place like spamcop for further processing/reporting.

Using this gauntlet of filtering techniques, the spam that actually makes it into my inbox is maybe 2-3 per month, and I haven't seen any goodmail get dropped into my spam folder now in the last several months, though I do scan the subject lines for goodmail before deleting it.

Response from various filtering techniques can vary a lot, and nothing is perfect, since by its very nature any spam filtering you do is going to be robotic.

I know that my methods for fighting spam probably will not help the vast majority of people who have to rely on an email service provider.
But since I do run my own domain, my spam fighting methods work for me, and have pretty much solved the problem for me and for my friend. Since you apparently run your own domain as well, I hope this helps you with your problem, or if not at least gives you some food for thought.

There are more spam fighting methods out there than I could cover in a lifetime of study at this point. You pretty much just have to look over what is available then come up with something that works for you, probably involving at least some customization.

I'm currently looking at setting up domain keys as well, since I see that more servers are starting to use domain keys to have their server sign outgoing email. Once set up, that will provide yet another tool in my spam fighting arsenal.

Garen

From tmcgraw at spamcop.net Sun Mar 5 19:14:58 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Sun Mar 5 22:15:04 2006
Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route
In-Reply-To:
References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net>
Message-ID:

USA Today wrote:
> The 50-company coalition, which includes MoveOn.org Civic Action and the AFL-CIO, claim the service creates a "two-tiered Internet" in which affluent mass e-mailers pay an e-mail tax. (AOL on Friday said it will not charge legitimate non-profits and advocacy groups to have their e-mails certified and delivered. Related item: AOL won't charge non-profits for delivery of e-mail)
>
> "It's unfortunate MoveOn played it this way," Gingras says. "The folks who get beyond the rhetoric believe our technology is a sensible approach."

http://www.usatoday.com/tech/news/computersecurity/2006-03-05-goodmail_x.htm

From nobody at devnull.spamcop.net Mon Mar 6 12:30:52 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Sun Mar 5 22:35:03 2006
Subject: [SpamCop-List] Re: Spamcop capitulation before spammer?
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote:
>
> The reality is that most spammers are as far away as possible from US shores
> ...
>
>
> Cheers ...
>
> Geoffrey Hyde

Like in Florida...?

From g.hyde at bigpond.net.au Mon Mar 6 13:47:38 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sun Mar 5 22:50:02 2006
Subject: [SpamCop-List] Re: Spamcop capitulation before spammer?
References:
Message-ID:

Last I checked, Florida was a part of the continental USA. Or are you alluding to something?

Cheers ...

Geoffrey Hyde

"Patto" wrote in message news:dugad9$dhr$1@news.spamcop.net...
> Geoffrey Hyde wrote:
>>
>> The reality is that most spammers are as far away as possible from US
>> shores ...
>>
>>
>> Cheers ...
>>
>> Geoffrey Hyde
>
> Like in Florida...?

From nospam at nospam.zootal.ihatespam.com Sun Mar 5 20:23:15 2006
From: nospam at nospam.zootal.ihatespam.com (Ook)
Date: Sun Mar 5 23:20:02 2006
Subject: [SpamCop-List] Re: Dictionary attack is starting, what to do?
References:
Message-ID:

"Ken" wrote in message news:pan.2006.03.06.01.03.29.383134@suespammers.org...
> On Sun, 05 Mar 2006 16:15:34 -0800, Ook wrote:
>
>> I'm worried...I had to shut down my domain emberts.com because the spam
>> inflow exceeded 5000 spams a day. Most of it was dictionary attack
>> stuff -
>> common names @emberts.com, rather than actual addresses that were in use.
>
>> Spam filtering? Not an option - I've yet to find a product that can
>> filter
>> out 10 legit emails from 10,000 spams.
>>
>> Now what? How do you stop this from happening?
>
> Go to your server config and STOP wildcard acceptance. Allow only the
> valid user names ! This might be your host's cPanel or setup screens,
> usually email handling. Wildcard open is dangerous! as you are seeing.
>
> Ken
>

I hate to do this - I have maybe 50 different email addresses coming into the domain, and it would be a PITA to set a separate account for each one.
I may not have a choice, I think some spammer put my domain on one of those "million addresses" CDs.

.....another domain shot to hell thanks to the spammers!

From AHaumer_gmxnet at nopspam.invalid Mon Mar 6 07:08:43 2006
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Mon Mar 6 01:10:04 2006
Subject: [SpamCop-List] SC reporting down ?
Message-ID: <440BD1EB.DC383C16@nopspam.invalid>

sent a bunch of spam by mail about 6 hours ago, nothing happens ...
is SC reporting down?

--
Toni

From g.hyde at bigpond.net.au Mon Mar 6 16:11:34 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Mon Mar 6 01:15:03 2006
Subject: [SpamCop-List] Re: Dictionary attack is starting, what to do?
References:
Message-ID:

"Ook" wrote in message news:dugd81$fct$1@news.spamcop.net...

> I hate to do this - I have maybe 50 different email addresses coming into
> the domain, and it would be a PITA to set a separate account for each one.
> I may not have a choice, I think some spammer put my domain on one of
> those "million addresses" CDs. .....another domain shot to hell
> thanks to the spammers!

You need to consider various forms of limiting the amount of addresses they can try at one go. Set a script up if your mailserver allows it that prevents any connection from trying (and thus possibly verifying) more than one email address every 2-5 minutes - at that rate they will take forever to try all of your possible addresses.

If you've got sufficient understanding of scripting you could also set it to start rejecting any IP addresses that cumulatively ask for more than X addresses per hour/day/week. This will really get in the way of their attempts to harvest your addresses. You might notice a pattern in the servers trying addresses, if so, you can set a blocklist for the worst offenders.

DO, however, set up your server to reject during the SMTP transaction, not to receive and forward on any messages back to supposed senders.
That is called backscatter and is one of the worst possible forms of spam delivery, and it is considered abusive behaviour on the part of the server trying to send such messages, and it should never happen if your mailserver is properly set up to reject during the transaction. If you can configure it to, have it reject any servers which have bad HELOs or invalid names when looked up.

Please note that I have not run a mailserver myself, however, I've seen other people telling mailserver owners to take security precautions such as these and I thought it would benefit you to know of them. I do not take responsibility for any inaccurate information and can not solve configuration problems.

Cheers ...

Geoffrey Hyde

From markbuckles at spamcop.net Mon Mar 6 00:49:16 2006
From: markbuckles at spamcop.net (markbuckles@spamcop.net)
Date: Mon Mar 6 03:50:12 2006
Subject: [SpamCop-List] Trash Folder Not Emptied
Message-ID:

Under Maintenance Operations, I have the Trash Folder set to be purged after one day, and for maintenance operations to be performed upon login, but the trash file never gets purged.

Is there some other setting that must be selected?

Thanks,
Mark Buckles
San Diego

From markbuckles at spamcop.net Mon Mar 6 00:59:39 2006
From: markbuckles at spamcop.net (markbuckles@spamcop.net)
Date: Mon Mar 6 04:00:03 2006
Subject: [SpamCop-List] Re: Trash Folder Not Emptied
References:
Message-ID:

Oops I think I posted this to the wrong forum, sorry!

On Mon, 06 Mar 2006 00:49:16 -0800, wrote:

> Under Maintenance Operations, I have the Trash
> Folder set to be purged after one day, and for
> maintenance operations to be performed upon
> login, but the trash file never gets purged.
>
> Is there some other setting that must be selected?
>
> Thanks,
> Mark Buckles
> San Diego

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/

From nobody at nowhere.invalid Mon Mar 6 12:42:11 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon Mar 6 06:45:04 2006
Subject: [SpamCop-List] Re: Dictionary attack is starting, what to do?
References:
Message-ID:

On Sun, 5 Mar 2006 20:23:15 -0800, Ook coughed into spamcop and left this in :

> I hate to do this - I have maybe 50 different email addresses coming into
> the domain, and it would be a PITA to set a separate account for each one.

You don't have to. Simply create ONE account and make the 49 other addresses aliases of it.

--
Steve

A computer without Windows is like a chocolate cake without mustard

From nobody at nowhere.invalid Mon Mar 6 12:46:04 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Mon Mar 6 06:50:02 2006
Subject: [SpamCop-List] Re: Spamcop capitulation before spammer?
References:
Message-ID:

Line order left the way you seem to like it...

On Mon, 6 Mar 2006 13:47:38 +1000, Geoffrey Hyde coughed into spamcop and left this in :

proportion of whom are in the USA.
something like 200 "people" (I use the term loosely here), a large
He's probably alluding to the fact that 90% of spam originates with

> Last I checked, Florida was a part of the continental USA. Or are you
> alluding to something?
--
Steve

From Nobody at SpamCop.devnull.diespammerdie.net Mon Mar 6 08:51:25 2006
From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan)
Date: Mon Mar 6 09:55:03 2006
Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route
References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net>
Message-ID: <440C4C6D.6DE060D2@SpamCop.devnull.diespammerdie.net>

Tim McGraw wrote:
>
> USA Today wrote:
> > The 50-company coalition, which includes MoveOn.org Civic Action and the AFL-CIO, claim the service creates a "two-tiered Internet" in which affluent mass e-mailers pay an e-mail tax. (AOL on Friday said it will not charge legitimate non-profits and advocacy groups to have their e-mails certified and delivered. Related item: AOL won't charge non-profits for delivery of e-mail)
> >
> > "It's unfortunate MoveOn played it this way," Gingras says. "The folks who get beyond the rhetoric believe our technology is a sensible approach."
>
> http://www.usatoday.com/tech/news/computersecurity/2006-03-05-goodmail_x.htm

[Quoting the article]

"Goodmail has developed a system that guarantees delivery, with the cooperation of the ISP. Marketers are willing to pay for that," he says."

This is two ISP's with 50% of the subscriber base, selling out their subscribers to the marketers. This is pay-to-spam, pre-sanctified by U-CAN-SPAM. And if you're a subscriber, too bad. You get your eyes spammed out, and if you don't like it, you can, as someone so eloquently put it, "vote with your feet."

Except there'll be no other choices, when the commercial ISP's are all on board, and everyone else's access has been rolled up or shut out.

It'll be just like cable TV, another "predators' ball" -- and I can't believe you're cheerleading these guys.
Michael

From vrapp at polyscience.com Mon Mar 6 10:52:21 2006
From: vrapp at polyscience.com (Vadim Rapp)
Date: Mon Mar 6 11:55:02 2006
Subject: [SpamCop-List] usenet spam - why not report to senders isp
Message-ID:

http://www.spamcop.net/sc?id=z891585406zc98a2d46d659ddd07b9d1d5d9d0032a4z

Usenet spam soliciting orders at sender's hotmail.co.uk address. Sc did not send report to hotmail. Shouldn't it?

thanks,
Vadim Rapp

From tmcgraw at spamcop.net Mon Mar 6 09:28:08 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Mon Mar 6 12:30:02 2006
Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route
In-Reply-To: <440C4C6D.6DE060D2@SpamCop.devnull.diespammerdie.net>
References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net> <440C4C6D.6DE060D2@SpamCop.devnull.diespammerdie.net>
Message-ID:

Michael Brennan wrote:
>> USA Today wrote:
>>> The 50-company coalition, which includes MoveOn.org Civic Action and the AFL-CIO, claim the service creates a "two-tiered Internet" in which affluent mass e-mailers pay an e-mail tax. (AOL on Friday said it will not charge legitimate non-profits and advocacy groups to have their e-mails certified and delivered. Related item: AOL won't charge non-profits for delivery of e-mail)
>>>
>>> "It's unfortunate MoveOn played it this way," Gingras says. "The folks who get beyond the rhetoric believe our technology is a sensible approach."
>> http://www.usatoday.com/tech/news/computersecurity/2006-03-05-goodmail_x.htm
>
> [Quoting the article]
>
> "Goodmail has developed a system that guarantees delivery, with the
> cooperation of the ISP. Marketers are willing to pay for that," he
> says."
>
> This is two ISP's with 50% of the subscriber base, selling out their
> subscribers to the marketers. This is pay-to-spam, pre-sanctified by
> U-CAN-SPAM. And if you're a subscriber, too bad.
> You get your eyes
> spammed out, and if you don't like it, you can, as someone so eloquently
> put it, "vote with your feet."

"FACT: Spammers can not pay to reach AOL and Yahoo! email inboxes."
http://www.goodmailsystems.com/certifiedmail/index.php

Quite a few similarities between this and SenderBase, actually.

> Except there'll be no other choices, when the commercial ISP's are all
> on board, and everyone else's access has been rolled up or shut out.

Fat chance. And quite a doomsday position IMHO.

> It'll be just like cable TV, another "predators' ball" -- and I can't
> believe you're cheerleading these guys.

I'm not "cheerleading these guys" - I'm sickened over MoveOn, et.al. and their emotional pandering and outright lies. They do not understand what Goodmail does (and apparently neither do you).

From nobody at devnull.spamcop.net Mon Mar 6 09:19:52 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Mon Mar 6 12:30:08 2006
Subject: [SpamCop-List] What happens when I report spam without munging?
References: <5drrtb6r3knm.dlg@news.spamcop.net>
Message-ID:

"N. Miller" wrote in message news:5drrtb6r3knm.dlg@news.spamcop.net...
> On Sat, 04 Mar 2006 07:32:58 -0800, jg wrote:
> Since I stopped sending "munged" reports, and allow SpamCop to send
> notifies without obfuscating user information in the spam, I have seen
> spam
> to two SBC Yahoo! DSL accounts drop by about 50%.

Doing that is a bit of a gamble. You are letting multiple spam sources know that your email address is one that will get them reported. What will they do with that info? We know by experience that the vast majority of them will either ignore it or "listwash" - remove you from the list and keep spamming everyone else. We also know by anecdote that some spammers take revenge by mailbombing that address, using it as the "from" address in a spam run, etc.

It is a question of balancing a good chance of a moderate benefit (less spam) with a small chance of a larger harm (revenge).
Is it worth the risk? In my opinion, the answer is yes in cases where the name and email address don't identify you and you are willing to abandon it if needed, and no in cases where the address identifies your real name or is published many places and would be inconvenient to abandon.

One could argue that allowing yourself to be listwashed is selfish - it reduces your spam without helping others. I don't see that as a valid criticism unless the critic is also willing to criticize anyone choosing to not report some spam.

It should also be noted that even if you do choose to munge, the munging can't be perfect and some spammers will still be able to figure out who you are, thus putting you at a (smaller) risk of revenge. If even a small risk is unacceptable to you, you should report to spamcop without sending reports to any spam sources.

G.M. (G u y M.)

From bar_n0ne at hotmail.com Mon Mar 6 11:41:36 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Mon Mar 6 12:45:03 2006
Subject: [SpamCop-List] Some spam stats from a large(ish) company
Message-ID:

Some stats from a large Multi-National employer which may be of interest, sorry to have to attach a small GIF.

Basically since Dec 2005 incoming mail has increased from 4.5 to 6 MM messages per day (monthly averages of Dec, Jan. and Feb.) of which 74% gets a spam score of 90 and is silently dropped at the MTA's before the remaining 26% is passed on. They estimate that 50% of the remaining traffic is "legitimate" or "good" mail, and try to help the users configure spam filters on their MUA's to sort this remainder into junk and not-junk.

By their estimates, then, some 86% of inbound mail is spam. Of course no one will ever know, since the supposed badmail is simply dropped on the floor, or to emphasize a point, 74% of mail is silently dropped at the MTA. (Yes, that means close to 4.5MM mails are simply "disappeared" daily.)

I bet this is quite typical for this size of enterprise.
References:
Message-ID:

Vadim Rapp wrote:
> http://www.spamcop.net/sc?id=z891585406zc98a2d46d659ddd07b9d1d5d9d0032a4z
>
> Usenet spam soliciting orders at sender's hotmail.co.uk address. Sc did
> not send report to hotmail. Shouldn't it?
> Spamcop no longer sends reports in respect of email addresses found within the body of spam emails - for very good reasons: Many spammers insert the recipient's address into their messages (as in "This message was sent to you-at-domain" or "Dear you-at-domain"). Cases where the email address in the message actually belongs to the spammer are very rare. You can always send a report manually... that's what I would do. From nobody at devnull.spamcop.net Mon Mar 6 10:01:31 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Mon Mar 6 13:10:08 2006 Subject: [SpamCop-List] Re: Need help To get our system setup correctly References: Message-ID: "Jeff G." wrote in message news:du5st3$asp$1@news.spamcop.net... > Anonymous wrote: >> "Jeff G." wrote in message >> news:du4u1j$n0d$1@news.spamcop.net... >> >>> Anonymous wrote: >>> >>>> I am having a hard time figuring out how the spammer or the virus >>>> above knows what the email address of the spamtrap is. When >>>> SpamCop chooses an email address for a spamtrap, don't they >>>> pick something difficult to guess? >>> >>> Yes, but then they seed the addresses in places that include hidden >>> areas on web pages, where humans aren't supposed to look. >> >> Correct me if my thinking has gone awry here... >> >> The above seems to imply that anyone who comes here complaining >> about how "somehow" he ended up with such spamtraps on his >> mailing list either ran a spambot that searches webpages for email >> addresses, or he bought a list from somebody who ran a spambot >> that searches webpages for email addresses. Such a spambot will >> find spamtraps, but they will be hidden in a crowd among a much >> larger number of non-spamtrap addresses. 
Thus I find it hard to >> believe that someone sneaky subscribed a spamtrap address >> (leaving aside the fact that such an address wouldn't respond to >> a confirmation email and thus would take itself off a well-managed >> list) or hard-coded the spamtrap address into a virus -- how would >> they know which address in their collection is the spamtrap? I also >> find it hard to believe that a virus got the spamtrap address from >> an outlook contacts list - how could it have gotten there? >> >> Am I thinking correctly here or am I missing something? > > Please consider the following scenario: > Reporter A visits a particular page on a SpamCop website which contains > a particular Spamtrap Email Address A. > The page is cached on Reporter A's hard disk. > Thief A develops or modifies Worm A that can send Thief A personal > information from the hard disks of infected people. > Reporter A gets infected with Worm A. > Worm A sends Spamtrap Email Address A (among other data) to Thief A. > Thief A sells Spamtrap Email Address A (among the email addresses > collected) to Listdealer A. > Listdealer A adds Spamtrap Email Address A to List A and then "cleans" > List A by verifying that email messages to the list members would not > immediately produce 500-series errors. > An overaggressive sales weenie at Listdealer A sells List A to an > overaggressive marketing weenie at Customer A of Anonymous as confirmed > opt-in email addresses, using some mixture of lies, winks, and nudges. > Both weenies get rewarded for their aggressiveness. > Customer A sends an email campaign to List A sourced at IP Address A, > including ...(among the other email addresses collected)... >Spamtrap Email Address A. > Spamtrap Email Address A receives one of the messages and causes IP > Address A to be listed by the SCBL (or causes the existing listing to be > extended to 24 hours from receipt). 
> Ideally, Customer A gets terminated or at least fined, ISP A gets > cleanup fees, both weenies get fired and/or taught lessons, and Thief A > and Listdealer A get investigated. Ah. Thief A can use a worm instead of a website-spidering spambot. The spamtrap addresses are still lost in a crowd of non-spamtrap addresses, though. > Alternatively: > Customer A runs Insecure Mailing List A, allowing web-based signups > without confirmation. > Ruthless Competitor A learns of Customer A's practices, and > forge-subscribes Spamtrap Email Address A to Insecure Mailing List A. It seems to me that he can only forge-subscribe the crowd of non-spamtrap addresses that the spamtrap addresses are hidden in. To specifically forge-subscribe a spamtrap address, he has to know what that address is, and he has no way of knowing that. All methods for finding spamtrap addresses discussed so far also find many more non-spamtrap addresses, with no way to differentiate between the two. > Customer A sends an email campaign to Insecure Mailing List A sourced at > IP Address A, including Spamtrap Email Address A. ...(among the other email addresses collected)... > Spamtrap Email Address A receives one of the messages and causes IP > Address A to be listed by the SCBL (or causes the existing listing to be > extended to 24 hours from receipt). > Ideally, Customer A gets terminated or at least fined, ISP A gets > cleanup fees, and Ruthless Competitor A gets investigated. ...especially because he had to have spammed the crowd of non-spamtraps that the spamtraps are hidden among, and many of those are real people who never asked to be on the list. Any way you look at it, if your mailing list contains spamtraps that didn't subscribe (spamtraps never do) it almost certainly contains many more non-spamtraps that didn't subscribe. G.M. 
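The thread above contrasts a list that accepts web signups without confirmation with a "well-managed" list where an address that never answers the confirmation e-mail drops off by itself. The sketch below is an added example, not part of any post and not SpamCop's or any list manager's own code; the class, function names, addresses and secret are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: a per-list signing secret
TOKEN_TTL = 3 * 24 * 3600          # assumption: confirmation links valid for 3 days


class MailingList:
    """Toy list manager: web signup with or without confirmed opt-in."""

    def __init__(self, secret, confirmed_opt_in=True):
        self.secret = secret
        self.confirmed_opt_in = confirmed_opt_in
        self.pending = {}      # address -> time the signup form was submitted
        self.members = set()   # addresses that actually receive campaigns

    def _mac(self, address, issued):
        # Bind the token to the address and issue time so it cannot be
        # reused for another address or guessed by whoever filled the form.
        msg = f"{address}|{issued}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def signup(self, address, now=None):
        """Handle a web-form signup. Returns the token that would be mailed
        to `address`, or None when the list adds the address unverified."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        if not self.confirmed_opt_in:
            self.members.add(address)          # the insecure behaviour
            return None
        self.pending[address] = now
        return f"{now}.{self._mac(address, now)}"

    def confirm(self, address, token, now=None):
        """Accept a confirmation click; only the mailbox owner has the token."""
        now = int(time.time() if now is None else now)
        address = address.strip().lower()
        issued = self.pending.get(address)
        if issued is None or not isinstance(token, str):
            return False
        try:
            ts_text, mac = token.split(".", 1)
            ts = int(ts_text)
        except ValueError:
            return False
        if ts != issued or now - ts > TOKEN_TTL:
            return False
        if not hmac.compare_digest(mac.encode(), self._mac(address, ts).encode()):
            return False
        del self.pending[address]
        self.members.add(address)
        return True

    def expire_pending(self, now=None):
        """Drop signups that were never confirmed within the TTL."""
        now = int(time.time() if now is None else now)
        for address, issued in list(self.pending.items()):
            if now - issued > TOKEN_TTL:
                del self.pending[address]

    def campaign_recipients(self):
        return sorted(self.members)


def run_scenario(confirmed_opt_in):
    """One genuine signup plus two forged ones (a trap and a bystander)."""
    lst = MailingList(SECRET, confirmed_opt_in)
    t0 = 1_141_650_000  # constructed timestamp
    # Genuine subscriber: the token arrives in her mailbox and she clicks it.
    token = lst.signup("alice@example.org", now=t0)
    if token is not None:
        lst.confirm("alice@example.org", token, now=t0 + 60)
    # Forged signups by a third party. The tokens go to the victims'
    # mailboxes, never to the forger, and a spamtrap never clicks anything.
    for victim in ("trap@example.invalid", "bystander@example.net"):
        lst.signup(victim, now=t0)
    lst.expire_pending(now=t0 + TOKEN_TTL + 1)
    return lst.campaign_recipients()


if __name__ == "__main__":
    print("no confirmation :", run_scenario(False))
    print("confirmed opt-in:", run_scenario(True))
```

Without confirmation the campaign reaches the trap and the bystander along with the real subscriber; with confirmation only the address whose owner clicked the link is mailed.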
From nousenetspam at zootal.nospam.com Mon Mar 6 10:16:34 2006 From: nousenetspam at zootal.nospam.com (Matthew L Reed) Date: Mon Mar 6 13:20:02 2006 Subject: [SpamCop-List] Re: Dictionary attack is starting, what to do? References: Message-ID: "Steven Maesslein" wrote in message news:slrne0o80j.56c.nobody@127.0.0.1... > On Sun, 5 Mar 2006 20:23:15 -0800, Ook coughed into spamcop and left > this in : > >> I hate to do this - I have maybe 50 different email addresses coming into >> the domain, and it would be a PITA to set a separate account for each >> one. > > You don't have to. Simply create ONE account and make the 49 other > addresses aliases of it. > Looks like I'll be doing this real soon. Today's spam intake is at a record high, and it's only 10am. I think the spam flood gates are about to open up, I've been watching the spam intake grow geometrically for the last week. And people wonder why we hate spammers so much...grumble...I'd like to find out who is responsible for the distribution of my domain to the spam lists and....well...this is probably not a good place to discuss what I'd like to do, but I guarantee it would not be pleasant . From jeffg at spamcop.net Mon Mar 6 13:30:35 2006 From: jeffg at spamcop.net (Jeff G.) Date: Mon Mar 6 13:35:03 2006 Subject: [SpamCop-List] Re: Need help To get our system setup correctly References: Message-ID: Anonymous wrote: > "Jeff G." wrote in message > news:du5st3$asp$1@news.spamcop.net... >> Alternatively: >> Customer A runs Insecure Mailing List A, allowing web-based signups >> without confirmation. >> Ruthless Competitor A learns of Customer A's practices, and >> forge-subscribes Spamtrap Email Address A to Insecure Mailing List A. > > It seems to me that he can only forge-subscribe the crowd of > non-spamtrap addresses that the spamtrap addresses are hidden in. To > specifically forge-subscribe a spamtrap address, he has to know what > that address > is, and he has no way of knowing that. 
All methods for finding > spamtrap addresses discussed so far also find many more non-spamtrap > addresses, with no way to differentiate between the two. It appears that some of the addresses are easier to find than you have been led to believe. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From nobody at devnull.spamcop.net Mon Mar 6 10:55:55 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Mon Mar 6 14:00:02 2006 Subject: [SpamCop-List] RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Jeff G." wrote in message news:du5r4v$9t6$1@news.spamcop.net... > RFC2142 is not quite > internally consistent enough and was not quite spellchecked enough. > > RFC2142 Section 1 specifically states that "if a given service is > offerred[sic], then the associated mailbox name(es)[sic] must be > supported, resulting in delivery to a recipient appropriate for the > referenced service or role." So, if an organization offers web service, > it must have a working webmaster@, if it offers to sell, it must have a > working sales@, and if it offers support, it must have a working > support@. Leaving aside the fact that the world has changed since 1997 and that section 9 (Security Considerations) foresees the current situation where a working postmaster@ address is flooded with spam, I would argue that there is a current de-facto standard, and that it is contained not in RFC 2142 but rather in the "Listing Policy" section at [ http://www.rfc-ignorant.org/ ]. Note that RFC-Ignorant references RFC 2142 at http://www.rfc-ignorant.org/rfcs/rfc2142.php but only requires that the highlighted portions be obeyed. There is a good reason why there needs to be an abuse@ address; abusability. If someone at example.com is abusing email, Usenet, etc., one shouldn't have to wonder where to send an abuse report. Likewise for Postmaster and technical issues. 
The reason why anyone should be required to maintain a sales@ email address is far less clear. The RFC system shouldn't tell someone how to operate their business, and if they only want to accept web or phone enquiries, that is -- literally -- their business. G.M. (G u y M a c o n) From nobody at devnull.spamcop.net Mon Mar 6 11:34:42 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Mon Mar 6 14:40:03 2006 Subject: [SpamCop-List] Re: Need help To get our system setup correctly References: Message-ID: "Jeff G." wrote in message news:duhv5d$fmf$1@news.spamcop.net... > Anonymous wrote: >> "Jeff G." wrote in message >> news:du5st3$asp$1@news.spamcop.net... >>> Alternatively: >>> Customer A runs Insecure Mailing List A, allowing web-based signups >>> without confirmation. >>> Ruthless Competitor A learns of Customer A's practices, and >>> forge-subscribes Spamtrap Email Address A to Insecure Mailing List A. >> >> It seems to me that he can only forge-subscribe the crowd of >> non-spamtrap addresses that the spamtrap addresses are hidden in. To >> specifically forge-subscribe a spamtrap address, he has to know what >> that address >> is, and he has no way of knowing that. All methods for finding >> spamtrap addresses discussed so far also find many more non-spamtrap >> addresses, with no way to differentiate between the two. > > It appears that some of the addresses are easier to find than you have > been led to believe. Easier to find than all the non-spamtrap mailtos on the web, or are you talking about some as-yet-undefined way that a spambot/virus/human can differentiate a spamtrap address from a non-spamtrap address? I don't think that spamtraps are hard to find. I think that spamtrap addresses are hard to identify. That makes them hard to find without also finding a much larger number of non-spamtrap addresses. G.M. From jeffg at spamcop.net Mon Mar 6 14:44:52 2006 From: jeffg at spamcop.net (Jeff G.) 
Date: Mon Mar 6 14:45:03 2006 Subject: [SpamCop-List] Re: Need help To get our system setup correctly References: Message-ID: Anonymous wrote: > "Jeff G." wrote in message > news:duhv5d$fmf$1@news.spamcop.net... >> Anonymous wrote: >>> "Jeff G." wrote in message >>> news:du5st3$asp$1@news.spamcop.net... >>>> Alternatively: >>>> Customer A runs Insecure Mailing List A, allowing web-based signups >>>> without confirmation. >>>> Ruthless Competitor A learns of Customer A's practices, and >>>> forge-subscribes Spamtrap Email Address A to Insecure Mailing List >>>> A. >>> >>> It seems to me that he can only forge-subscribe the crowd of >>> non-spamtrap addresses that the spamtrap addresses are hidden in. >>> To specifically forge-subscribe a spamtrap address, he has to know >>> what that address >>> is, and he has no way of knowing that. All methods for finding >>> spamtrap addresses discussed so far also find many more non-spamtrap >>> addresses, with no way to differentiate between the two. >> >> It appears that some of the addresses are easier to find than you >> have been led to believe. > > Easier to find than all the non-spamtrap mailtos on the web, Yes. > or are > you talking about some as-yet-undefined way that a spambot/virus/human > can differentiate a spamtrap address from a non-spamtrap address? Yes, I am. A human-identifiable spamtrap address. > I don't think that spamtraps are hard to find. I think that spamtrap > addresses are hard to identify. That makes them hard to find without > also finding a much larger number of non-spamtrap addresses. Then you appear not to be looking hard enough. I'd rather not expose them by spelling out in excruciating detail how to find them. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Mon Mar 6 14:58:24 2006 From: jeffg at spamcop.net (Jeff G.) 
Date: Mon Mar 6 15:00:04 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: Anonymous wrote: > "Jeff G." wrote in message > news:du5r4v$9t6$1@news.spamcop.net... > >> RFC2142 is not quite >> internally consistent enough and was not quite spellchecked enough. >> >> RFC2142 Section 1 specifically states that "if a given service is >> offerred[sic], then the associated mailbox name(es)[sic] must be >> supported, resulting in delivery to a recipient appropriate for the >> referenced service or role." So, if an organization offers web >> service, it must have a working webmaster@, if it offers to sell, it >> must have a working sales@, and if it offers support, it must have a >> working support@. > > Leaving aside the fact that the world has changed since 1997 and > that section 9 (Security Considerations) foresees the current > situation where a working postmaster@ address is flooded with spam, > I would argue that there is a current de-facto standard, and that > it is contained not in RFC 2142 but rather in the "Listing Policy" > section at [ http://www.rfc-ignorant.org/ ]. Note that RFC-Ignorant > references RFC 2142 at http://www.rfc-ignorant.org/rfcs/rfc2142.php > but only requires that the highlighted portions be obeyed. That's just for their abuse zone. They could easily have webmaster, sales, and support zones if a few people were able to convince Derek that they needed it. > There is a good reason why there needs to be an abuse@ address; > abusability. If someone at example.com is abusing email, Usenet, > etc., one shouldn't have to wonder where to send an abuse report. > Likewise for Postmaster and technical issues. The reason why > anyone should be required to maintain a sales@ email address is > far less clear. The RFC system shouldn't tell someone how to > operate their business, and if they only want to accept web > or phone enquiries, that is -- literally -- their business. 
I'm not telling you how to operate your business, but I wouldn't turn away potential customers emailing sales@, current customers emailing support@, and dead link reporters emailing webmaster@ if I were you. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From nobody at nowhere.invalid Mon Mar 6 21:14:30 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Mar 6 15:15:03 2006 Subject: [SpamCop-List] Re: Some spam stats from a large(ish) company References: Message-ID: On Mon, 6 Mar 2006 11:41:36 -0600, Berny coughed into spamcop and left this in : > begin 666 inmail.gif > M1TE&.#=A-@&^`/<``````( ```" `(" ````@( `@ " @,# P,# M`& @`( @`* @`, @`. @``! `"! `$! `&! `(! `*! `,! `.! ``!@`"!@ > ... Please do not send binaries to this newsgroup. -- Steve From nobody at nowhere.invalid Mon Mar 6 21:16:18 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Mon Mar 6 15:20:02 2006 Subject: [SpamCop-List] Re: Dictionary attack is starting, what to do? References: Message-ID: On Mon, 6 Mar 2006 10:16:34 -0800, Matthew L Reed coughed into spamcop and left this in : > And people wonder why we hate spammers so much...grumble...I'd like to find > out who is responsible for the distribution of my domain to the spam lists Verislime. If it's a .com or .net domain, anyone can download the full list of currently registered domains from verislime. -- Steve From bar_n0ne at hotmail.com Mon Mar 6 15:06:11 2006 From: bar_n0ne at hotmail.com (Berny) Date: Mon Mar 6 16:10:02 2006 Subject: [SpamCop-List] Re: Some spam stats from a large(ish) company References: Message-ID: "Steven Maesslein" wrote in message news:slrne0p616.d7c.nobody@127.0.0.1... > On Mon, 6 Mar 2006 11:41:36 -0600, Berny coughed into spamcop and left > this in : > > > begin 666 inmail.gif > > M1TE&.#=A-@&^`/<``````( ```" `(" ````@( `@ " @,# P,# > M`& @`( @`* @`, @`. @``! `"! `$! `&! `(! `*! `,! `.! ``!@`"!@ > > ... 
> > Please do not send binaries to this newsgroup. > > -- > Steve Apologies. Generally I don't, this one was small, and no link to the graph was available, I suppose I could have presented the graph as a table. (below) Data are: Month Daily Email Volume (Millions) Dec. 05 4.5 Jan. 06 5 Feb. 06 6 From pantheus at suespammers.org Mon Mar 6 14:18:15 2006 From: pantheus at suespammers.org (Ken) Date: Mon Mar 6 17:20:03 2006 Subject: [SpamCop-List] Re: Dictionary attack is starting, what to do? References: Message-ID: On Mon, 06 Mar 2006 21:16:18 +0100, Steven Maesslein wrote: > On Mon, 6 Mar 2006 10:16:34 -0800, Matthew L Reed coughed into spamcop > and left this in : > >> And people wonder why we hate spammers so much...grumble...I'd like to find >> out who is responsible for the distribution of my domain to the spam lists > > Verislime. > > If it's a .com or .net domain, anyone can download the full list of > currently registered domains from verislime. Gee, One might wonder if the sale of Verisign to PayPal had anything to do with it... From dfm2a3l0t2 at spymac.com Mon Mar 6 18:17:33 2006 From: dfm2a3l0t2 at spymac.com (D.F. Manno) Date: Mon Mar 6 18:20:03 2006 Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net> <440C4C6D.6DE060D2@SpamCop.devnull.diespammerdie.net> Message-ID: In article , Tim McGraw wrote: > "FACT: Spammers can not pay to reach AOL and Yahoo! email inboxes." > http://www.goodmailsystems.com/certifiedmail/index.php "The Goodmail service will NOT increase the amount of spam consumers receive. CertifiedEmail messages will be delivered only from senders that have obtained prior permission from recipients. CertifiedEmail is only for permissioned email from accredited senders who must meet strict qualifying criteria ..." Their check cleared. -- D.F. Manno dfm2a3l0t2@spymac.com In the republic of mediocrity genius is dangerous. (Robert G. 
Ingersoll) From nobody at devnull.spamcop.net Mon Mar 6 13:03:38 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Mon Mar 6 19:05:02 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Jeff G." wrote in message news:dui491$ir2$1@news.spamcop.net... > Anonymous wrote: >> I would argue that there is a current de-facto standard, and that >> it is contained not in RFC 2142 but rather in the "Listing Policy" >> section at [ http://www.rfc-ignorant.org/ ]. Note that RFC-Ignorant >> references RFC 2142 at http://www.rfc-ignorant.org/rfcs/rfc2142.php >> but only requires that the highlighted portions be obeyed. > > That's just for their abuse zone. They could easily have webmaster, > sales, and support zones if a few people were able to convince Derek > that they needed it. Convincing him to list someone at rfc-ignorant.org because they don't have a sales@ email address would be, IMO, a pretty hard thing to sell. >> There is a good reason why there needs to be an abuse@ address; >> abusability. If someone at example.com is abusing email, Usenet, >> etc., one shouldn't have to wonder where to send an abuse report. >> Likewise for Postmaster and technical issues. The reason why >> anyone should be required to maintain a sales@ email address is >> far less clear. The RFC system shouldn't tell someone how to >> operate their business, and if they only want to accept web >> or phone enquiries, that is -- literally -- their business. > > I'm not telling you how to operate your business, but I wouldn't turn > away potential customers emailing sales@, current customers emailing > support@, and dead link reporters emailing webmaster@ if I were you. Good advice, but as written, RFC 2142 doesn't advise. It requires. And, in my opinion, it does so without any justification. G.M. 
From kenbrody at spamcop.net Mon Mar 6 17:29:18 2006 From: kenbrody at spamcop.net (Kenneth Brody) Date: Mon Mar 6 20:25:02 2006 Subject: [SpamCop-List] Server is listed, but SpamCop doesn't say why Message-ID: <440CB7BE.FBF83854@spamcop.net> http://www.spamcop.net/w3m?action=checkblock&ip=64.31.80.65 This shows 64.31.80.65 listed, but it doesn't say why. It doesn't say anything about spamtraps, number of e-mails and so on. Is there any way to find out why it's listed? ========== 64.31.80.65 listed in bl.spamcop.net (127.0.0.2) If there are no reports of ongoing objectionable email from this system it will be delisted automatically in a short time. Automatic delisting [...] Listing History System has been listed for less than 24 hours. Dispute Listing If you are the administrator of this system and you are sure this listing is erroneous, you may request that we review the listing. Because everyone wants to dispute their listing, regardless of merit, we reserve the right to ignore meritless disputes. Dispute listing of 64.31.80.65 ========== -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From / at /.cn Tue Mar 7 12:55:02 2006 From: / at /.cn (Petzl) Date: Mon Mar 6 21:00:02 2006 Subject: [SpamCop-List] Re: Server is listed, but SpamCop doesn't say why References: <440CB7BE.FBF83854@spamcop.net> Message-ID: "Kenneth Brody" wrote in message news:440CB7BE.FBF83854@spamcop.net... > http://www.spamcop.net/w3m?action=checkblock&ip=64.31.80.65 > > This shows 64.31.80.65 listed, but it doesn't say why. It doesn't say > anything about spamtraps, number of e-mails and so on. Is there any > way to find out why it's listed? 
> > ========== > 64.31.80.65 listed in bl.spamcop.net (127.0.0.2) > It's been spewing filth but only/mainly reported via "mole" reporting If you are a spamcop member you should be able to see why here http://mailsc.spamcop.net/mcgi?action=showhistory;slice=issueid;val=69276646 Be ready to avert your eyes much of the reports are explicit From devnull at spamcop.net Mon Mar 6 21:02:26 2006 From: devnull at spamcop.net (Frog Prince) Date: Mon Mar 6 21:05:02 2006 Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net> <440C4C6D.6DE060D2@SpamCop.devnull.diespammerdie.net> Message-ID: "D.F. Manno" | > "FACT: Spammers can not pay to reach AOL and Yahoo! email inboxes." | > http://www.goodmailsystems.com/certifiedmail/index.php | | "The Goodmail service will NOT increase the amount of spam consumers receive. | CertifiedEmail messages will be delivered only from senders that have obtained | prior permission from recipients. CertifiedEmail is only for permissioned email | from accredited senders who must meet strict qualifying criteria ..." | | Their check cleared. But but but ... will they still love us in the morning? From nobody at devnull.spamcop.net Tue Mar 7 12:10:52 2006 From: nobody at devnull.spamcop.net (Patto) Date: Mon Mar 6 22:10:02 2006 Subject: [SpamCop-List] Re: usenet spam - why not report to senders isp In-Reply-To: References: Message-ID: Aviatrix wrote: > Vadim Rapp wrote: > >> http://www.spamcop.net/sc?id=z891585406zc98a2d46d659ddd07b9d1d5d9d0032a4z >> >> Usenet spam soliciting orders at sender's hotmail.co.uk address. Sc did >> not send report to hotmail. Shouldn't it? >> > > ... Cases where the > email address in the message actually belongs to the spammer are very > rare. You can always send a report manually... that's what I would do. 
Not so rare - 419 spammers/scammers *want* to be contacted via these addresses, so I always report them manually (or via user-added addresses). From nobody at devnull.spamcop.net Tue Mar 7 12:13:55 2006 From: nobody at devnull.spamcop.net (Patto) Date: Mon Mar 6 22:15:03 2006 Subject: [SpamCop-List] Re: Some spam stats from a large(ish) company In-Reply-To: References: Message-ID: Berny wrote: > "Steven Maesslein" wrote in message > news:slrne0p616.d7c.nobody@127.0.0.1... >> On Mon, 6 Mar 2006 11:41:36 -0600, Berny coughed into spamcop and left >> this in : >> >>> begin 666 inmail.gif >>> M1TE&.#=A-@&^`/<``````( ```" `(" ````@( `@ " @,# P,#>> M`& @`( @`* @`, @`. @``! `"! `$! `&! `(! `*! `,! `.! ``!@`"!@ >>> ... >> Please do not send binaries to this newsgroup. >> >> -- >> Steve > > Apologies. Generally I don't, this one was small, and no link to the graph > was available... You can always use http://imageshack.us/ From nobody at devnull.spamcop.net Tue Mar 7 12:25:04 2006 From: nobody at devnull.spamcop.net (Patto) Date: Mon Mar 6 22:25:03 2006 Subject: [SpamCop-List] Double login Message-ID: I use http://mailsc.spamcop.net/ and when I first go to the site, I am prompted to login with my spamcop email address and password. This is saved in a permanent cookie, so I don't have to type it each time. When I go to tab Held Email I am already logged in, and I don't have to do it again. In fact every tab behaves that way, except Webmail. When I go there I have to login again - this time I have to type the full address and password, as this section does not keep it in a cookie. This is very annoying; is there a way that this could be corrected? From vanderdecker at hotmail.INVALID Mon Mar 6 22:51:24 2006 From: vanderdecker at hotmail.INVALID (vanderdecker@hotmail.INVALID) Date: Mon Mar 6 22:55:04 2006 Subject: [SpamCop-List] "... Truncate" warning Message-ID: Is there any way to have the pasted message automatically truncated, avoiding the warning? 
From jeffg at spamcop.net Mon Mar 6 22:47:42 2006 From: jeffg at spamcop.net (Jeff G.) Date: Mon Mar 6 23:05:03 2006 Subject: [SpamCop-List] Re: Double login References: Message-ID: Patto wrote: > I use http://mailsc.spamcop.net/ and when I first go to the site, I am > prompted to login with my spamcop email address and password. This is > saved in a permanent cookie, so I don't have to type it each time. > > When I go to tab Held Email I am already logged in, and I don't have > to do it again. In fact every tab behaves that way, except Webmail. > When I go there I have to login again - this time I have to type the > full address and password, as this section does not keep it in a > cookie. > > This is very annoying; is there a way that this could be corrected? No, sorry, although they have the same userid and password for your account, those are almost completely separate systems, run by different people in different places, and they don't trust each other. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Mon Mar 6 23:10:33 2006 From: jeffg at spamcop.net (Jeff G.) Date: Mon Mar 6 23:15:03 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: Anonymous wrote: > "Jeff G." wrote in message > news:dui491$ir2$1@news.spamcop.net... >> Anonymous wrote: > >>> I would argue that there is a current de-facto standard, and that >>> it is contained not in RFC 2142 but rather in the "Listing Policy" >>> section at [ http://www.rfc-ignorant.org/ ]. Note that RFC-Ignorant >>> references RFC 2142 at http://www.rfc-ignorant.org/rfcs/rfc2142.php >>> but only requires that the highlighted portions be obeyed. >> >> That's just for their abuse zone. They could easily have webmaster, >> sales, and support zones if a few people were able to convince Derek >> that they needed it. 
> > Convincing him to list someone at rfc-ignorant.org because they don't > have a sales@ email address would be, IMO, a pretty hard thing to > sell. How about security@ or noc@? Stronger cases could be made for those. >>> There is a good reason why there needs to be an abuse@ address; >>> abusability. If someone at example.com is abusing email, Usenet, >>> etc., one shouldn't have to wonder where to send an abuse report. >>> Likewise for Postmaster and technical issues. The reason why >>> anyone should be required to maintain a sales@ email address is >>> far less clear. The RFC system shouldn't tell someone how to >>> operate their business, and if they only want to accept web >>> or phone enquiries, that is -- literally -- their business. >> >> I'm not telling you how to operate your business, but I wouldn't turn >> away potential customers emailing sales@, current customers emailing >> support@, and dead link reporters emailing webmaster@ if I were you. > > Good advice, but as written, RFC 2142 doesn't advise. It requires. > And, in my opinion, it does so without any justification. Please feel free to take that up with D. Crocker, the Internet Mail Consortium, and/or the Network Working Group of the Internet Engineering Task Force that drafted and approved RFC 2142, and to write your own version with fewer addresses or less stringent language. But until you get that RFC changed or obsoleted, you will be expected to comply with it. -- Thanks and Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Mon Mar 6 23:13:58 2006 From: jeffg at spamcop.net (Jeff G.) Date: Mon Mar 6 23:20:03 2006 Subject: [SpamCop-List] Re: "... Truncate" warning References: Message-ID: vanderdecker@hotmail.INVALID wrote: > Is there any way to have the pasted message automatically truncated, > avoiding the warning? The warning is there for your safety. Fully-automatic full reporting is not supported. -- Best Regards, Jeff G. 
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Mon Mar 6 23:22:24 2006 From: jeffg at spamcop.net (Jeff G.) Date: Mon Mar 6 23:25:03 2006 Subject: [SpamCop-List] Re: Double login References: Message-ID: Patto wrote: > I use http://mailsc.spamcop.net/ and when I first go to the site, I am > prompted to login with my spamcop email address and password. This is > saved in a permanent cookie, so I don't have to type it each time. > > When I go to tab Held Email I am already logged in, and I don't have > to do it again. In fact every tab behaves that way, except Webmail. > When I go there I have to login again - this time I have to type the > full address and password, as this section does not keep it in a > cookie. > > This is very annoying; is there a way that this could be corrected? No, sorry, although they have the same userid and password for your account, those are almost completely separate systems, run by different people in different places, and the systems have not been configured to trust each other. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 P.S. Sorry for the possible double reply. From jg at coks.net Mon Mar 6 20:56:36 2006 From: jg at coks.net (jg) Date: Mon Mar 6 23:55:02 2006 Subject: [SpamCop-List] Re: Double login In-Reply-To: References: Message-ID: On 3/6/2006 7:47 PM Jeff G. scribbled: > Patto wrote: >> I use http://mailsc.spamcop.net/ and when I first go to the site, I am >> prompted to login with my spamcop email address and password. This is >> saved in a permanent cookie, so I don't have to type it each time. >> >> When I go to tab Held Email I am already logged in, and I don't have >> to do it again. In fact every tab behaves that way, except Webmail. >> When I go there I have to login again - this time I have to type the >> full address and password, as this section does not keep it in a >> cookie. 
>>
>> This is very annoying; is there a way that this could be corrected?
>
> No, sorry, although they have the same userid and password for your
> account, those are almost completely separate systems, run by different
> people in different places, and they don't trust each other.
>

why not just set up a POP account to SC server using TBird?

From redbourn at bezeqint.net Tue Mar 7 08:29:12 2006
From: redbourn at bezeqint.net (Michael Redbourn)
Date: Tue Mar 7 01:30:02 2006
Subject: [SpamCop-List] forwarding multiple spams attachments
Message-ID:

Hi,

I won't mention that I tried sending both single and multiple spams
yesterday and got no return email because you already know that :-)

My two questions are ..

Is it OK via OE to send multiple spams as one attachment ?

And if so does it matter what I write in the subject line ?

thanks,

Mike

From jg at coks.net Mon Mar 6 22:48:18 2006
From: jg at coks.net (jg)
Date: Tue Mar 7 01:50:02 2006
Subject: [SpamCop-List] Re: "... Truncate" warning
In-Reply-To:
References:
Message-ID:

On 3/6/2006 8:13 PM Jeff G. scribbled:
> vanderdecker@hotmail.INVALID wrote:
>> Is there any way to have the pasted message automatically truncated,
>> avoiding the warning?
>
> The warning is there for your safety. Fully-automatic full reporting is
> not supported.
>

errrrr - Jeff, in words for a 6 year old, if you would...I'm assuming OP is referring to input of large spam via the web feeder- what are you referring to/I'm clueless to?

From jg at coks.net Mon Mar 6 22:57:03 2006
From: jg at coks.net (jg)
Date: Tue Mar 7 01:55:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
In-Reply-To:
References:
Message-ID:

On 3/6/2006 10:29 PM Michael Redbourn scribbled:
> Hi,
>
> I won't mention that I tried sending both single and multiple spams
> yesterday and got no return email because you already know that :-)
>

Maybe your ISP is dropping them on the floor - mine does

> My two questions are ..
>
> Is it OK via OE to send multiple spams as one attachment ?

do you mean as a function of OE?
don't think so - and OE mangles attachments anyway...

From edb2000 at spamcop.net Mon Mar 6 23:34:32 2006
From: edb2000 at spamcop.net (Don Wannit)
Date: Tue Mar 7 02:35:03 2006
Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route
In-Reply-To:
References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net>
Message-ID:

AOL may say that this new system will not penalize email senders who do not pay the new toll, and would merely allow those who pay to sidestep the normal AOL spam filtering, but today I have several hundred rejects that show otherwise.

Brand-new behavior at AOL as of the 1st of this month: The monthly Mailman administrivial "reminder" email sent to list members has been rejected at SMTP from every AOL address after the first 50. All of the AOL addresses after the lucky first 50 have now been marked by Mailman bounce processing as suspected bad addresses.

The rejection message from AOL reads:

 >>> RCPT To:<[screen_name]@aol.com>
<<< 452 REQUESTED ACTION NOT TAKEN: TOO MANY RECIPIENTS
<[screen_name]@aol.com>... Deferred: 452 REQUESTED ACTION
NOT TAKEN: TOO MANY RECIPIENTS

This rejection error message is for a single recipient on a separate email, but after 50 individual emails have been sent already to AOL addresses.

We're using a slow machine, sending about 30 messages per minute. Tortoise speed, to be sure. Sending those initial 50 messages was spread out over a couple of minutes. I'm wondering if it has to be spaced out more, just to get past this new AOL shakedown.

For those not familiar with Mailman list software, please note that Mailman sends each message individually (VERP addressing to identify bounces) so there is only a single recipient on every list message.
Of course every single address on the list is there because the user replied or clicked to confirm a unique and un-guessable token, all conveniently automated by the open source Mailman list management software.

We're doing things the right way, and our list members (teachers) have been receiving our mail for some time. Up until now.

We have applied for, and have received, the AOL "blessing" to be whitelisted as a responsible source for sending email to AOL members. This was long before AOL announced the new GoodMail program...

So as far as I can tell from here, the new AOL "GoodMail" program does not give paying spammers a short-cut around possible spam filtering. On the contrary, it now imposes a very real limit on the number of messages that a single sender can send into AOL space within some unspecified period of time.

If we pay per message, I assume we can avoid this penalty. But isn't this exactly what AOL claimed would *not* be true?

--
Don Wannit
A paid SpamCop user since 1999

From redbourn at bezeqint.net Tue Mar 7 09:39:07 2006
From: redbourn at bezeqint.net (Michael Redbourn)
Date: Tue Mar 7 02:40:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

Hi,

I meant if I send an email with 50 attachments then can spamcop process them ?

I could use the BAT ?

thanks

Mike

"jg" wrote in message news:dujama$ahr$1@news.spamcop.net...
> On 3/6/2006 10:29 PM Michael Redbourn scribbled:
>
>> Hi,
>>
>> I won't mention that I tried sending both single and multiple spams
>> yesterday and got no return email because you already know that :-)
>>
>
> Maybe your ISP is dropping them on the floor - mine does
>
>> My two questions are ..
>>
>> Is it OK via OE to send multiple spams as one attachment ?
>
> do you mean as a function of OE?
> don't think so - and OE mangles attachments anyway...

From nobody at spamcop.net Tue Mar 7 00:34:41 2006
From: nobody at spamcop.net (N. Miller)
Date: Tue Mar 7 03:35:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID: <11nzn7i2pqrai$.dlg@news.spamcop.net>

On Tue, 7 Mar 2006 08:29:12 +0200, Michael Redbourn wrote:

> Hi,
>
> I won't mention that I tried sending both single and multiple spams
> yesterday and got no return email because you already know that :-)
>
> My two questions are ..
>
> Is it OK via OE to send multiple spams as one attachment ?
>
> And if so does it matter what I write in the subject line ?
>
> thanks,
>
> Mike

If you can find a way to make MS Outlook Express send multiple email messages as attachments, SpamCop will accept them. There is an upper limit to the number of attachments, and to the total message size. Whichever limit is hit first. Unfortunately, I don't know of a way to make MS Outlook Express forward email messages as attachments, other than one email message at a time. I believe the limits are outlined in the FAQ, but I have never hit them.

I use Pegasus Mail, which does allow multiple message attachments. I just put "UBE" in my subject line.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From nobody at spamcop.net Tue Mar 7 00:52:07 2006
From: nobody at spamcop.net (N. Miller)
Date: Tue Mar 7 03:55:05 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID: <7p86spyq16ty$.dlg@news.spamcop.net>

On Mon, 06 Mar 2006 22:57:03 -0800, jg wrote:

> On 3/6/2006 10:29 PM Michael Redbourn scribbled:
>> Hi,
>>
>> I won't mention that I tried sending both single and multiple spams
>> yesterday and got no return email because you already know that :-)
>>
> Maybe your ISP is dropping them on the floor - mine does
>> My two questions are ..
>>
>> Is it OK via OE to send multiple spams as one attachment ?
> do you mean as a function of OE?
> don't think so - and OE mangles attachments anyway...

It doesn't seem to mangle headers, and that is the most important aspect of the attached email which the SpamCop parser uses. Actually, I just looked at the identical email, sent as an attachment to the same email account, using Pegasus Mail for the first, and MS Outlook Express for the second. Even setting MSOE to send plain text, it sent two parts. The second part looks no different from the Pegasus Mail attachment.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From n4jwyfo02 at sneakemail.com Tue Mar 7 08:53:15 2006
From: n4jwyfo02 at sneakemail.com (Aviatrix)
Date: Tue Mar 7 03:55:11 2006
Subject: [SpamCop-List] Re: Double login
In-Reply-To:
References:
Message-ID:

Patto wrote:
> When I go to tab Held Email I am already logged in, and I don't have to
> do it again. In fact every tab behaves that way, except Webmail. When I
> go there I have to login again - this time I have to type the full
> address and password, as this section does not keep it in a cookie.

Doesn't it? It does for me....

From philip at pch.home.cs.vu.nl Tue Mar 7 09:53:41 2006
From: philip at pch.home.cs.vu.nl (Philip Homburg)
Date: Tue Mar 7 04:30:02 2006
Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route
References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net>
Message-ID:

In article ,
Don Wannit wrote:
>The rejection message from AOL reads:
>
> >>> RCPT To:<[screen_name]@aol.com>
><<< 452 REQUESTED ACTION NOT TAKEN: TOO MANY RECIPIENTS
><[screen_name]@aol.com>... Deferred: 452 REQUESTED ACTION
>NOT TAKEN: TOO MANY RECIPIENTS
>
>This rejection error message is for a single recipient
>on a separate email, but after 50 individual emails have
>been sent already to AOL addresses.

A 4xy error is not a rejection. It is supposed to signal a temporary failure. Of course AOL may be abusing this feature.

I don't think there is anything wrong with AOL customers having to use a hotmail or a gmail account to subscribe to mailing lists. I always subscribe tagged e-mail addresses without a spam filter to mailing lists. But that is probably far too complicated for AOL customers.

--
That was it. Done. The faulty Monk was turned out into the desert where it could believe what it liked, including the idea that it had been hard done by. It was allowed to keep its horse, since horses were so cheap to make.
-- Douglas Adams in Dirk Gently's Holistic Detective Agency

From redbourn at bezeqint.net Tue Mar 7 11:44:47 2006
From: redbourn at bezeqint.net (Michael Redbourn)
Date: Tue Mar 7 04:50:37 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net>
Message-ID:

> If you can find a way to make MS Outlook Express send multiple email
> messages as attachments, SpamCop will accept them. There is an upper limit
> to the number of attachments, and to the total message size. Whichever
> limit is hit first. Unfortunately, I don't know of a way to make MS
> Outlook
> Express forward email messages as attachments, other than one email
> message
> at a time. I believe the limits are outlined in the FAQ, but I have never
> hit them.
>
> I use Pegasus Mail, which does allow multiple message attachments. I just
> put "UBE" in my subject line.
>
> --
> Norman
> ~Oh Lord, why have you come
> ~To Konnyu, with the Lion and the Drum

It would seem that one just does tag all (I put all the spam in a 'spam' folder as they come in) and then hit 'forward'.

An email opens up with all the attachments.

thanks,

Mike

From nobody at nowhere.invalid Tue Mar 7 11:47:02 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Mar 7 05:50:16 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net>
Message-ID:

On Tue, 7 Mar 2006 00:34:41 -0800, N. Miller coughed into spamcop and left this in <11nzn7i2pqrai$.dlg@news.spamcop.net>:

> Unfortunately, I don't know of a way to make MS Outlook Express
> forward email messages as attachments, other than one email message at
> a time.

Select the messages you want to forward together, right-click on one of them and select "Forward as attachment".

--
Steve
genius, n: A chemist who discovers a laundry additive that rhymes with "bright".

From redbourn at bezeqint.net Tue Mar 7 15:54:55 2006
From: redbourn at bezeqint.net (Michael Redbourn)
Date: Tue Mar 7 09:00:04 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

I checked how much I have credited to me from SpamCop and then sent spam via attachment and the amount remains the same.

Almost 24 hrs now and no return email vis a vis attachments that I've sent :-(

Either SpamCop has a problem right now or it's my ISP

I don't mind submitting around 10 a day manually but not 50

regards,

Mike

"jg" wrote in message news:dujama$ahr$1@news.spamcop.net...
> On 3/6/2006 10:29 PM Michael Redbourn scribbled:
>
>> Hi,
>>
>> I won't mention that I tried sending both single and multiple spams
>> yesterday and got no return email because you already know that :-)
>>
>
> Maybe your ISP is dropping them on the floor - mine does
>
>> My two questions are ..
>>
>> Is it OK via OE to send multiple spams as one attachment ?
>
> do you mean as a function of OE?
> don't think so - and OE mangles attachments anyway...

From jg at coks.net Tue Mar 7 06:32:50 2006
From: jg at coks.net (jg)
Date: Tue Mar 7 09:30:04 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
In-Reply-To:
References:
Message-ID:

On 3/7/2006 5:54 AM Michael Redbourn scribbled:
> I checked how much I have credited to me from SpamCop and then sent spam via
> attachment and the amount remains the same.
>
> Almost 24 hrs now and no return email vis a vis attachments that I've sent
> :-(
>
> Either SpamCop has a problem right now or it's my ISP
>

As Norman mentioned, there is a limit on total size - I believe it is 100k per email, someone else here can verify that - I can't find it in the FAQ right now.

And do ask your ISP before you spend a lot more time mailing out - I didn't know for several months until I started bcc'ng myself and getting no delivery.

From nobody at devnull.spamcop.net Tue Mar 7 08:36:15 2006
From: nobody at devnull.spamcop.net (Maggie's Mom)
Date: Tue Mar 7 10:40:03 2006
Subject: [SpamCop-List] what a nerve...
Message-ID:

http://www.spamcop.net/sc?id=z892155815z784ff349a28833cb09de350bcfb4c9d5z

comes with a subject like this:
Internet hackers crew webhack - www.web-hack.ru Ref: 80061

and a text like this:
Dear Sir/Madam, Hello! We are internet hackers crew - Web-hack. We propose you for sale some interesting things: - private exploits - http://forum.web-hack.ru - stolen credit cards and bank accounts - http://forum.web-hack.ru - we infect users pc's with your trojan for low prices (10000 infected pc's for 25$) - http://forum.web-hack.ru - bulletproof domains and hosting - http://forum.web-hack.ru Best offer - bulletproof domain + hosting this hosting for any scam/fraud and nobody will close it! For more information look at - http://forum.web-hack.ru P.S. We are registering bulletproof domains on our partner site http://www.r01.ru/ there we have "our" people to guarantee stability of our domains and hosting so any organization like spamhaus.org cannot down our hosting and domains. We are now spaming 5 000 000 people look out the domain is alive as always and never gonna be down !! Please go and order our services at: http://forum.web-hack.ru Msg-ID: 39186

Aside from getting it reported - any authorities out there that could use it to lock the bastards up?
Out of curiosity: has anybody else received a jewel like above, or is it just my luck?

As ever, - Maggie's Mom.

From bar_n0ne at hotmail.com Tue Mar 7 09:43:12 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Mar 7 10:45:03 2006
Subject: [SpamCop-List] Re: what a nerve...
References:
Message-ID:

"Maggie's Mom" wrote in message news:duk9a2$rst$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z892155815z784ff349a28833cb09de350bcfb4c9d5z
>
> comes with a subject like this:
> Internet hackers crew webhack - www.web-hack.ru Ref: 80061
>
>SNIPPED

most likely a "joe job" against one of the mentioned sites, I believe this is part of a Russian extortion gang, this style of message has appeared before. Usually, these spammers and their targets all have dirty hands, LART away

From spamcop at 1bigthink.com Tue Mar 7 11:03:57 2006
From: spamcop at 1bigthink.com (spamcop)
Date: Tue Mar 7 11:04:10 2006
Subject: {Spam!!!} [SpamCop-List] what a nerve...
In-Reply-To:
References:
Message-ID: <6.2.3.4.0.20060307110020.0c3b7008@mxt.1bigthink.com>

At 10:36 AM 3/7/2006, you wrote:
>http://www.spamcop.net/sc?id=z892155815z784ff349a28833cb09de350bcfb4c9d5z
>
>comes with a subject like this:
>Internet hackers crew webhack - www.web-hack.ru Ref: 80061
>
>and a text like this:
>Dear Sir/Madam, Hello! We are internet hackers crew - Web-hack. We propose
>you for sale some interesting things: - private exploits -
>http://forum.web-hack.ru - stolen credit cards and bank accounts -
>http://forum.web-hack.ru - we infect users pc's with your trojan for low
>prices (10000 infected pc's for 25$) - http://forum.web-hack.ru -
>bulletproof domains and hosting - http://forum.web-hack.ru Best offer -
>bulletproof domain + hosting this hosting for any scam/fraud and nobody will
>close it! For more information look at - http://forum.web-hack.ru P.S. We
>are registering bulletproof domains on our partner site http://www.r01.ru/
>there we have "our" people to guarantee stability of our domains and hosting
>so any organization like spamhaus.org cannot down our hosting and domains.
>We are now spaming 5 000 000 people look out the domain is alive as always
>and never gonna be down !! Please go and order our services at:
>http://forum.web-hack.ru Msg-ID: 39186
>
>Aside from getting it reported - any authorities out there that could use it
>to lock the bastards up?
>Out of curiosity: has anybody else received a jewel like above, or is it
>just my luck?
>
>As ever, - Maggie's Mom.
>

Hello Maggie's Mom!

Are you in the US? You might want to try http://www.ic3.gov/ . I'm not feeling too crazy about reporting anything to my government or law enforcement as of late, however; It's funny how they tend to treat third-party reporters of criminal activities as suspects nowadays. With all the spying going on, I just as soon go build my own wind turbine way out in the woods in a log cabin and hunt for dinner. Come find me NSA! Halla, Halla!

From edb2000 at spamcop.net Tue Mar 7 08:37:40 2006
From: edb2000 at spamcop.net (Don Wannit)
Date: Tue Mar 7 11:40:02 2006
Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route
In-Reply-To:
References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net>
Message-ID:

Philip Homburg wrote:
> In article ,
> Don Wannit wrote:
>
>>The rejection message from AOL reads:
>>
>>
>>>>>RCPT To:<[screen_name]@aol.com>
>>
>><<< 452 REQUESTED ACTION NOT TAKEN: TOO MANY RECIPIENTS
>><[screen_name]@aol.com>... Deferred: 452 REQUESTED ACTION
>>NOT TAKEN: TOO MANY RECIPIENTS
>>
>>This rejection error message is for a single recipient
>>on a separate email, but after 50 individual emails have
>>been sent already to AOL addresses.
>
>
> A 4xy error is not a rejection. It is supposed to signal a temporary failure.
> Of course AOL may be abusing this feature.
>

Yes, I am guessing that without having paid the highway toll, we are limited to sending 50 emails into AOL space within an unspecified interval, and they use the temporary failure status so we'll retry later, after the holding time in the penalty box has expired.

Giving them the benefit of the doubt (which may be doubtful), both delayed and un-delayed incoming email might go through the same spam and virm filtering/tagging/blocking whether or not the email fee is paid. Other speculation is that paying the toll bypasses spam filtering, maybe even virm blocking.

Might be that AOL users will be out of luck, just as you say, or they can sign up with a Hotmail or Gmail address instead of AOL.

--
Don Wannit
A paid SpamCop user since 1999

From nobody at spamcop.net Tue Mar 7 09:19:22 2006
From: nobody at spamcop.net (N. Miller)
Date: Tue Mar 7 12:20:02 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net>
Message-ID: <1x7x9gm9sbr4n$.dlg@news.spamcop.net>

On Tue, 7 Mar 2006 11:47:02 +0100, Steven Maesslein wrote:

> On Tue, 7 Mar 2006 00:34:41 -0800, N. Miller coughed into spamcop and
> left this in <11nzn7i2pqrai$.dlg@news.spamcop.net>:
>> Unfortunately, I don't know of a way to make MS Outlook Express
>> forward email messages as attachments, other than one email message at
>> a time.
> Select the messages you want to forward together, right-click on one of
> them and select "Forward as attachment".

Ah, well. I suppose I would have learned that on my own, if I used MSOE for much more than an occasional test. My preferred mailer is Pegasus Mail. I can drag and drop, so I can forward multiple email messages from multiple folders. Perhaps MSOE allows that, as well?

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From kenbrody at spamcop.net Tue Mar 7 13:35:57 2006
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Tue Mar 7 13:45:03 2006
Subject: [SpamCop-List] Re: Server is listed, but SpamCop doesn't say why
References: <440CB7BE.FBF83854@spamcop.net>
Message-ID: <440DD28D.8A0CB6F7@spamcop.net>

Petzl wrote:
>
> "Kenneth Brody" wrote in message
> news:440CB7BE.FBF83854@spamcop.net...
> > http://www.spamcop.net/w3m?action=checkblock&ip=64.31.80.65
> >
> > This shows 64.31.80.65 listed, but it doesn't say why. It doesn't say
> > anything about spamtraps, number of e-mails and so on. Is there any
> > way to find out why it's listed?
> >
> > ==========
> > 64.31.80.65 listed in bl.spamcop.net (127.0.0.2)
> >
> It's been spewing filth but only/mainly reported via "mole" reporting
> If you are a spamcop member you should be able to see why here
> http://mailsc.spamcop.net/mcgi?action=showhistory;slice=issueid;val=69276646
> Be ready to avert your eyes much of the reports are explicit

Thanks for the pointer. Is there a way I can find out why, given the following two "received" lines

=====
Received: from source ([64.31.80.65]) by exprod6mx168.postini.com ([64.18.5.10]) with SMTP;
  Sun, 26 Feb 2006 18:53:54 EST
Received: from friend (52.201.101-84.rev.gaoland.net [84.101.201.52])
  by mail.fptechnologies.com (8.12.9/8.12.9) with ESMTP id k1R0R8N1034263
  for ; Sun, 26 Feb 2006 19:27:11 -0500 (EST)
=====

that SpamCop lists 64.31.80.65 as the source, rather than 84.101.201.52?

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From nobody at nowhere.invalid Tue Mar 7 20:19:32 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Tue Mar 7 14:20:02 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net> <1x7x9gm9sbr4n$.dlg@news.spamcop.net>
Message-ID:

On Tue, 7 Mar 2006 09:19:22 -0800, N. Miller coughed into spamcop and left this in <1x7x9gm9sbr4n$.dlg@news.spamcop.net>:

> I can drag and drop, so I can forward multiple email messages from
> multiple folders. Perhaps MSOE allows that, as well?

I couldn't tell you. I haven't used MSOE in years, preferring this any day of the week: http://sylpheed.good-day.net

--
Steve
In the 60's people took acid to make the world weird. Now the world is weird and people take Prozac to make it normal.

From redbourn at bezeqint.net Tue Mar 7 23:30:26 2006
From: redbourn at bezeqint.net (Michael Redbourn)
Date: Tue Mar 7 16:35:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

> And do ask your ISP before you spend a lot more time mailing out - I
> didn't know for several months until I started bcc'ng myself and getting
> no delivery.

Well that's a good idea - I'll blind copy myself and see what happens.

My ISP would most likely just push me from department to department.

I would have thought that ISPs would want to stop spam ?

thanks

Mike

From nobody at spamcop.net Tue Mar 7 16:44:21 2006
From: nobody at spamcop.net (indigo)
Date: Tue Mar 7 16:45:03 2006
Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route
References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net>
Message-ID:

Don Wannit wrote:
> Might be that AOL users will be out of luck, just as you say,
> or they can sign up with a Hotmail or Gmail address instead
> of AOL.

If what you've written is true, I hope AOL ceases to exist as a result. Would serve them right. Can you imagine the outrage of millions of users when they find out they can't get email they want?

From g.hyde at bigpond.net.au Wed Mar 8 08:25:41 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Tue Mar 7 17:30:03 2006
Subject: [SpamCop-List] Re: what a nerve...
References:
Message-ID:

"Maggie's Mom" wrote in message news:duk9a2$rst$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z892155815z784ff349a28833cb09de350bcfb4c9d5z
>
> comes with a subject like this:
> Internet hackers crew webhack - www.web-hack.ru Ref: 80061

Interesting ... To the CIA, perhaps ...

> Aside from getting it reported - any authorities out there that could use
> it to lock the bastards up?
> Out of curiosity: has anybody else received a jewel like above, or is it
> just my luck?

You could always ring up the CIA department and ask if they want to do anything about it - although I don't know if you'll get anything except confusion or laughter out of them. Apart from that the best bet you'd have would be to contact law enforcement agencies that have previously expressed an interest in such things.

Cheers ... Geoffrey Hyde

From porpoise1954 at yahoo.co.uk Tue Mar 7 23:00:15 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 7 18:05:03 2006
Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@
References:
Message-ID:

"Jeff G." wrote in message news:duj14i$4f9$1@news.spamcop.net...
> Anonymous wrote:
>> "Jeff G." wrote in message
>> Good advice, but as written, RFC 2142 doesn't advise. It requires.
>> And, in my opinion, it does so without any justification.
>
> Please feel free to take that up with D. Crocker, the Internet Mail
> Consortium, and/or the Network Working Group of the Internet Engineering
> Task Force that drafted and approved RFC 2142, and to write your own
> version with fewer addresses or less stringent language. But until you
> get that RFC changed or obsoleted, you will be expected to comply with
> it.
>

If and when it ever _actually_ becomes a standard - of course.................

From bar_n0ne at hotmail.com Tue Mar 7 17:13:56 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Tue Mar 7 18:15:04 2006
Subject: [SpamCop-List] Re: what a nerve...
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:dul1b9$a8t$1@news.spamcop.net...
>
> "Maggie's Mom" wrote in message
> news:duk9a2$rst$1@news.spamcop.net...
> > http://www.spamcop.net/sc?id=z892155815z784ff349a28833cb09de350bcfb4c9d5z
> >
> > comes with a subject like this:
> > Internet hackers crew webhack - www.web-hack.ru Ref: 80061
>
> Interesting ... To the CIA, perhaps ...

come on guys,(gals too) don't you think Law Enforcement and the CIA also get these spams? These are either a troll for wannabe hacker lusers, or joe jobs , like the carder-something spams a while back

From porpoise1954 at yahoo.co.uk Tue Mar 7 23:12:25 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 7 18:15:10 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

"jg" wrote in message news:dujama$ahr$1@news.spamcop.net...
> On 3/6/2006 10:29 PM Michael Redbourn scribbled:
>
>> Hi,
>>
>> I won't mention that I tried sending both single and multiple spams
>> yesterday and got no return email because you already know that :-)
>>
>
> Maybe your ISP is dropping them on the floor - mine does

That's possible

>
>> My two questions are ..
>>
>> Is it OK via OE to send multiple spams as one attachment ?
>
> do you mean as a function of OE?
> don't think so - and OE mangles attachments anyway...

Yes you can - OE handles them as attachments just fine. OL, OTOH, does mangle them generally.

From porpoise1954 at yahoo.co.uk Tue Mar 7 23:17:31 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 7 18:20:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net>
Message-ID:

"N. Miller" wrote in message news:11nzn7i2pqrai$.dlg@news.spamcop.net...
> On Tue, 7 Mar 2006 08:29:12 +0200, Michael Redbourn wrote:
>
>> Mike
>
> If you can find a way to make MS Outlook Express send multiple email
> messages as attachments, SpamCop will accept them. There is an upper limit
> to the number of attachments, and to the total message size. Whichever
> limit is hit first. Unfortunately, I don't know of a way to make MS
> Outlook
> Express forward email messages as attachments, other than one email
> message
> at a time. I believe the limits are outlined in the FAQ, but I have never
> hit them.

For OE, select the messages you want to attach, then put the address you want to send them to in the To: box - It's as simple as that! The max number is governed by external sources (recipient/ISP/filters - whatever) not OE itself.

From n4jwyfo02 at sneakemail.com Wed Mar 8 00:30:26 2006
From: n4jwyfo02 at sneakemail.com (Aviatrix)
Date: Tue Mar 7 19:35:03 2006
Subject: [SpamCop-List] Re: Server is listed, but SpamCop doesn't say why
In-Reply-To: <440DD28D.8A0CB6F7@spamcop.net>
References: <440CB7BE.FBF83854@spamcop.net> <440DD28D.8A0CB6F7@spamcop.net>
Message-ID:

Kenneth Brody wrote:
> Thanks for the pointer. Is there a way I can find out why, given the
> following two "received" lines
>
> =====
> Received: from source ([64.31.80.65]) by exprod6mx168.postini.com ([64.18.5.10]) with SMTP;
>   Sun, 26 Feb 2006 18:53:54 EST
> Received: from friend (52.201.101-84.rev.gaoland.net [84.101.201.52])
>   by mail.fptechnologies.com (8.12.9/8.12.9) with ESMTP id k1R0R8N1034263
>   for ; Sun, 26 Feb 2006 19:27:11 -0500 (EST)
> =====
>
> that SpamCop lists 64.31.80.65 as the source, rather than 84.101.201.52?
>

There are others here who are a lot more technical than me and who will probably give you chapter and verse... but I suspect (because this is something that used to happen with one of my ISPs) that there is *something* in those "received" lines that causes Spamcop to trip over and give up looking further - that "something" being some incorrect syntax or other misconfiguration.

From nobody at spamcop.net Wed Mar 8 14:26:55 2006
From: nobody at spamcop.net (Anony Mouse)
Date: Tue Mar 7 20:30:02 2006
Subject: [SpamCop-List] Return to active duty
Message-ID: <440E32DF.10908@spamcop.net>

Greetings All

It has been a long time...

Some spammers never learn and a recent growth of spam getting through my isp's filters and an attack by a recidivist spammer means I am returning to active duty.

Anony Mouse

From jg at coks.net Tue Mar 7 17:39:28 2006
From: jg at coks.net (jg)
Date: Tue Mar 7 20:40:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
In-Reply-To:
References: <11nzn7i2pqrai$.dlg@news.spamcop.net> <1x7x9gm9sbr4n$.dlg@news.spamcop.net>
Message-ID:

On 3/7/2006 11:19 AM Steven Maesslein scribbled:
> On Tue, 7 Mar 2006 09:19:22 -0800, N. Miller coughed into spamcop and
> left this in <1x7x9gm9sbr4n$.dlg@news.spamcop.net>:
>
>> I can drag and drop, so I can forward multiple email messages from
>> multiple folders. Perhaps MSOE allows that, as well?
>
> I couldn't tell you. I haven't used MSOE in years, preferring this any
> day of the week: http://sylpheed.good-day.net
>

the screenshot sure /looks/ like TBird, from afar...

From MikeE at ster.invalid Tue Mar 7 17:48:25 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 7 20:50:02 2006
Subject: [SpamCop-List] Re: Server is listed, but SpamCop doesn't say why
References: <440CB7BE.FBF83854@spamcop.net> <440DD28D.8A0CB6F7@spamcop.net>
Message-ID:

Kenneth Brody wrote:
> Thanks for the pointer. Is there a way I can find out why, given the
> following two "received" lines
>
> =====
> Received: from source ([64.31.80.65]) by exprod6mx168.postini.com
> ([64.18.5.10]) with SMTP; Sun, 26 Feb 2006 18:53:54 EST
> Received: from friend (52.201.101-84.rev.gaoland.net [84.101.201.52])
> by mail.fptechnologies.com (8.12.9/8.12.9) with ESMTP id
> k1R0R8N1034263 for ; Sun, 26 Feb 2006 19:27:11 -0500 (EST)
> =====
>
> that SpamCop lists 64.31.80.65 as the source, rather than
> 84.101.201.52?

If we are going to talk about dissecting or parsing headerlines, let's don't talk about partial lines. Let's talk about the whole spam from which you derived those lines.

Post the tracking URL for the spam parsing of the spam which contained the lines from which those two lines were extracted. We can't see SC making a mistake in the parse if you don't post the tracker for the parse.

If you don't have a tracking URL, you make one by submitting the spam which contains those lines, performing any necessary mungeing prior to submission if it is not excessive, copying the tracking URL, cancelling the report, and pasting the tracker in here.
--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 7 18:00:19 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 7 21:00:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

Michael Redbourn wrote:

> I won't mention that I tried sending both single and multiple spams
> yesterday and got no return email because you already know that :-)

How would I know that?

> Is it OK via OE to send multiple spams as one attachment ?

Yes. OE calls it 'forward as attachment'.

> And if so does it matter what I write in the subject line ?

I leave the subject empty.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 7 18:03:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 7 21:05:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

Michael Redbourn wrote:

> I meant if I send an email with 50 attachments then can spamcop
> process them ?

Most likely yes.

> I could use the BAT ?

The faq describes submitting one item to the parser for the Bat, it doesn't describe forwarding as attachment

http://www.spamcop.net/fom-serve/cache/228.html To get the full text of an HTML message from TheBat email software in preparation for pasting into SpamCop

Also, you are top-posting instead of trimming and contextualizing. That isn't going to work for effective newsgroup correspondence.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 7 18:06:09 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 7 21:10:04 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

jg wrote:

> Michael Redbourn
>> Is it OK via OE to send multiple spams as one attachment ?
>
> do you mean as a function of OE?
> don't think so - and OE mangles attachments anyway...

Wrong.
OE is an excellent tool to use to submit by forward as attachment or to use to copy and paste a spam with complete headers and unrendered into the webparser.

There is no mangling of attachments, whatever that means.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Mar 8 11:04:21 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Mar 7 21:10:10 2006
Subject: [SpamCop-List] Re: Double login
In-Reply-To:
References:
Message-ID:

jg wrote:

> On 3/6/2006 7:47 PM Jeff G. scribbled:
>
>> Patto wrote:
>>> I use http://mailsc.spamcop.net/ and when I first go to the site, I am
>>> prompted to login with my spamcop email address and password. This is
>>> saved in a permanent cookie, so I don't have to type it each time.
>>>
>>> When I go to tab Held Email I am already logged in, and I don't have
>>> to do it again. In fact every tab behaves that way, except Webmail.
>>> When I go there I have to login again - this time I have to type the
>>> full address and password, as this section does not keep it in a
>>> cookie.
>>>
>>> This is very annoying; is there a way that this could be corrected?
>> No, sorry, although they have the same userid and password for your
>> account, those are almost completely separate systems, run by different
>> people in different places, and they don't trust each other.
>>
> why not just set up a POP account to SC server using TBird?

Good idea - thanks for the suggestion!

From MikeE at ster.invalid Tue Mar 7 18:09:06 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 7 21:10:16 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net>
Message-ID:

Michael Redbourn wrote:

> It would seem that one just does tag all (I put all the spam in a
> 'spam' folder' as they come in) and then hit 'forward'.
>
> An email opens up with all the attachments.

No. If you use OE and 'forward' -- you will not get the desired result.
If you meant to say something else, you should have said it more accurately by properly trimming and contextualizing. Bad communication in newsgroups causes a lot of confusion.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 7 18:12:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 7 21:15:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net> <1x7x9gm9sbr4n$.dlg@news.spamcop.net>
Message-ID:

N. Miller wrote:

> Steven Maesslein wrote:
>> N. Miller
>>> Unfortunately, I don't know of a way to make MS Outlook Express
>>> forward email messages as attachments, other than one email message
>>> at a time.
>
>> Select the messages you want to forward together, right-click on one
>> of them and select "Forward as attachment".

Exactly correct.

> My preferred mailer is
> Pegasus Mail. I can drag and drop, so I can forward multiple email
> messages from multiple folders. Perhaps MSOE allows that, as well?

Do not use the term 'forward' when discussing OE. The only term in this context is 'forward as attachment'. There must be no confusion.

You said "forward". That is wrong. You cannot forward.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Mar 8 11:11:16 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Mar 7 21:15:09 2006
Subject: [SpamCop-List] Re: what a nerve...
In-Reply-To:
References:
Message-ID:

Maggie's Mom wrote:

> http://www.spamcop.net/sc?id=z892155815z784ff349a28833cb09de350bcfb4c9d5z
>
> ...
> Out of curiosity: has anybody else received a jewel like above, or is it
> just my luck?

I don't know; I rarely read my spam. Except for some 419 spams for my amusement - it sometimes really amazes me with what new stories these guys come up all the time!
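An added illustration of the Received-line question raised earlier in this thread (not code from any poster, and not SpamCop's parser): a tracer that reads Received lines from the top and believes a line only when the host that wrote it is on a trusted list, run on the two lines Kenneth Brody quoted. The trusted-list rule and the names `parse_hop` and `trace_source` are assumptions made for this example.

```python
import ipaddress
import re
from typing import Iterable, List, NamedTuple, Optional

# The two Received lines quoted in the thread, in header order (newest hop first).
RECEIVED: List[str] = [
    "from source ([64.31.80.65]) by exprod6mx168.postini.com ([64.18.5.10]) "
    "with SMTP; Sun, 26 Feb 2006 18:53:54 EST",
    "from friend (52.201.101-84.rev.gaoland.net [84.101.201.52]) "
    "by mail.fptechnologies.com (8.12.9/8.12.9) with ESMTP id k1R0R8N1034263 "
    "for ; Sun, 26 Feb 2006 19:27:11 -0500 (EST)",
]


class Hop(NamedTuple):
    helo: str      # name the sending side claimed (attacker-controlled)
    peer_ip: str   # address the receiving server recorded for the connection
    by: str        # host that wrote this Received line


class Trace(NamedTuple):
    source: Optional[str]  # last address vouched for by a trusted receiver
    reason: str            # why the walk stopped


HOP_RE = re.compile(
    r"\s*from\s+(?P<helo>\S+)\s+\((?P<peer>[^)]*)\)\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
# Only a bracketed literal counts; the reverse-DNS name next to it is not evidence.
BRACKETED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(line: str) -> Optional[Hop]:
    """Parse one Received line; return None if it does not have the expected shape."""
    if line.lower().startswith("received:"):
        line = line[len("received:"):]
    m = HOP_RE.match(line)
    if not m:
        return None
    ip = BRACKETED_IP_RE.search(m.group("peer"))
    if not ip:
        return None
    try:
        ipaddress.IPv4Address(ip.group(1))
    except ValueError:
        return None
    return Hop(m.group("helo"), ip.group(1), m.group("by").lower())


def trace_source(received: Iterable[str], trusted_receivers: Iterable[str]) -> Trace:
    """Walk the hops newest-first and stop at the first line that cannot be believed.

    A line is believed only if it parses and was written by a trusted receiver.
    Everything below the stopping point could have been forged by the sender,
    so the reported source is the peer address from the last believed line.
    """
    trusted = {h.lower() for h in trusted_receivers}
    source: Optional[str] = None
    for n, line in enumerate(received):
        hop = parse_hop(line)
        if hop is None:
            return Trace(source, f"stopped at line {n}: cannot parse")
        if hop.by not in trusted:
            return Trace(source, f"stopped at line {n}: {hop.by} is not trusted")
        source = hop.peer_ip
    return Trace(source, "every line was written by a trusted receiver")


if __name__ == "__main__":
    # Only the outermost receiver is known to the tracer.
    print(trace_source(RECEIVED, {"exprod6mx168.postini.com"}))
    # The recipient's own relay is declared as trusted too.
    print(trace_source(
        RECEIVED, {"exprod6mx168.postini.com", "mail.fptechnologies.com"}))
```

With only the outermost receiver trusted, the walk stops at 64.31.80.65; once the intermediate relay is also declared trusted, the same headers resolve to 84.101.201.52.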
From MikeE at ster.invalid Tue Mar 7 18:13:42 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 7 21:15:14 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

Michael Redbourn wrote:

>> And do ask your ISP before you spend a lot more time mailing out - I
>> didn't know for several months until I started bcc'ng myself and
>> getting no delivery.
>
> Well that's a good idea - I'll blind copy myself and see what happens.

You are citing, but you aren't attributing. You need to show who said "And do ask your ISP..."

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 7 18:42:37 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 7 21:45:04 2006
Subject: [SpamCop-List] Re: what a nerve...
References:
Message-ID:

Maggie's Mom wrote:

> Internet hackers crew webhack - www.web-hack.ru Ref: 80061

There have been a number of online magazine articles about the goings on at www.web-hack.ru. Google it up and see what has been said. I think most of the articles are about 7-8 months old.

LE law enforcement doesn't often seem to be inspired to infiltrate and investigate potential crime. They seem to have their hands full with real and currently existing, already performed, exploits. Their interest in future potential exploits is often slim to none.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Tue Mar 7 19:05:05 2006
From: nobody at spamcop.net (N. Miller)
Date: Tue Mar 7 22:10:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net> <1x7x9gm9sbr4n$.dlg@news.spamcop.net>
Message-ID:

On Tue, 7 Mar 2006 18:12:12 -0800, Mike Easter wrote:

> Do not use the term 'forward' when discussing OE. The only term in this
> context is 'forward as attachment'. There must be no confusion.
>
> You said "forward". That is wrong. You cannot forward.

Damn! Busted! Again! ;) Now where did I put the beer mustard?
--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From tmcgraw at spamcop.net Tue Mar 7 19:41:55 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Mar 7 22:45:03 2006
Subject: [SpamCop-List] Re: Return to active duty
In-Reply-To: <440E32DF.10908@spamcop.net>
References: <440E32DF.10908@spamcop.net>
Message-ID:

Anony Mouse wrote:

> Greetings All
>
> It has been a long time...
>
> Some spammers never learn and a recent growth of spam getting through my
> isp's filters and an attack by a recidivist spammer means I am returning
> to active duty.
>
> Anony Mouse

Welcome back to the forward regiment. You can never cut and run from spam!

From redford_stone at INVERSE_OF_COLDmail.com Wed Mar 8 06:03:58 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Wed Mar 8 01:05:06 2006
Subject: [SpamCop-List] Re: what a nerve...
References:
Message-ID:

"Maggie's Mom" wrote in news:duk9a2$rst$1@news.spamcop.net:

> http://www.spamcop.net/sc?id=z892155815z784ff349a28833cb09de350bcfb4c9d
> 5z
>
>
> Aside from getting it reported - any authorities out there that could
> use it to lock the bastards up?
> Out of curiosity: has anybody else received a jewel like above, or is
> it just my luck?
>

I did. It appears to be a joe-job. Only reported the IP address from which the spam originated.

From redford_stone at INVERSE_OF_COLDmail.com Wed Mar 8 06:07:45 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Wed Mar 8 01:10:02 2006
Subject: [SpamCop-List] Re: SC reporting down ?
References: <440BD1EB.DC383C16@nopspam.invalid>
Message-ID:

Anton Haumer wrote in news:440BD1EB.DC383C16@nopspam.invalid:

> sent a bunch of spam by mail about 6 hours ago,
> nothing happens ... is SC reporting down?

What is it you are expecting to happen?
From redbourn at bezeqint.net Wed Mar 8 08:19:33 2006
From: redbourn at bezeqint.net (Michael Redbourn)
Date: Wed Mar 8 01:20:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

Ok - here's the scoop.

My ISP was dropping my emails to Spamcop.

I forwarded the attachments last night (using OE) but via hotmail and sent a bc to myself.

I got the blind copy immediately and today I got a response from Spamcop.

So this seems to be very good news !

If your ISP drops mail to Spamcop send it via hotmail or some other web based account.

Thanks for all the help !

Mike

"Michael Redbourn" wrote in message news:duj98o$9jc$1@news.spamcop.net...
> Hi,
>
> I won't mention that I tried sending both single and multiple spams
> yesterday and got no return email because you already know that :-)
>
> My two questions are ..
>
> Is it OK via OE to send multiple spams as one attachment ?
>
> And if so does it matter what I write in the subject line ?
>
> thanks,
>
> Mike
>

From edb2000 at spamcop.net Tue Mar 7 22:34:58 2006
From: edb2000 at spamcop.net (Don Wannit)
Date: Wed Mar 8 01:35:04 2006
Subject: [SpamCop-List] Re: Yahoo and AOL Plan Would Charge Senders a Fee to Route
In-Reply-To:
References: <200602230616.1fcesN7KQ3Nl3pK1@gideon.mail.atl.earthlink.net>
Message-ID:

indigo wrote:

> Don Wannit wrote:
>
>>Might be that AOL users will be out of luck, just as you say,
>>or they can sign up with a Hotmail or Gmail address instead
>>of AOL.
>
>
> If what you've written is true, I hope AOL ceases to exist as a result.
> Would serve them right. Can you imagine the outrage of millions of users
> when they find out they can't get email they want?
>
>

To be sure, there already are many mailing list managers that have a very "thin skin" w.r.t. certain ISP/hosts.
Some well respected personages on the 'net such as Chuq von Rospach and many others will bend over backwards to make a mailing list accessible to all, but will write off the poor users condemned to certain problematic ISP/hosts without wasting time on them, knowing that it would truly be wasted time. AOL is already among those problematic ISP/hosts for some list managers. It's about to become such for many more.

As for the outrage of millions of users, I strongly suspect that rather than outrage of millions, it will be frustration of the clueful few who remember that they actually did sign up for a mailing list and click on the confirmation link^1, compared to the audible collective sigh of relief from the millions whose inboxes may (or may not) contain less spam than before.

I still say that "know the sender" is the only solution to spam. "Charge the sender" is using the wrong tool for the job. Yes, there are many valid reasons for anonymity, and I'm not sure how to reconcile the need for accountability with the need for anonymity. But what we've got now with the SMTP protocol as it stands today (with relevant RFC's actually observed) definitely doesn't cut it.

^1 Many's the time I as admin receive an irate email from an AOL luser complaining about the "spam" they received from my server, where that supposed spam was the "please confirm that you did sign up for this mailing list" opt-in confirmation, and the complaint comes from the same IP as the original sign-up submission.

--
Don Wannit
A paid SpamCop user since 1999

From sache at grignon.inra.fr Wed Mar 8 08:47:45 2006
From: sache at grignon.inra.fr (Ivan Sache)
Date: Wed Mar 8 02:50:03 2006
Subject: [SpamCop-List] Re: what a nerve...
References:
Message-ID:

Hello,

In article , Patto wrote:

> I don't know; I rarely read my spam. Except for some 419 spams for my
> amusement - it sometimes really amazes me with what new stories these
> guys come up all the time!

You are not the only one.
These guys were awarded the Ig Nobel prize of literature 2005 "for creating and then using e-mail to distribute a bold series of short stories, thus introducing millions of readers to a cast of rich characters -- General Sani Abacha, Mrs. Mariam Sanni Abacha, Barrister Jon A Mbeki Esq."

See:

Don't miss the 419 scammers anthem:

Boring lottery scams seem to be more and more popular here and "genuine" 419 short stories ("next of kin" et al.) are less and less frequent.

Regards

Ivan

From nobody at devnull.spamcop.net Wed Mar 8 02:11:57 2006
From: nobody at devnull.spamcop.net (WazoO)
Date: Wed Mar 8 03:15:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

"Michael Redbourn" wrote in message news:dult1q$r6g$1@news.spamcop.net...
> Ok - here's the scoop.
>
> My ISP was dropping my emails to Spamcop.

You say "was" .... does this mean that they have stopped?

Or are you suggesting that bezeqint.net be added to the
list of ISPs currently found in;
"E-Mail spam submittals blocked by your ISP"
http://forum.spamcop.net/forums/index.php?showtopic=2782
??????

From jeffg at spamcop.net Wed Mar 8 04:24:06 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 8 04:35:02 2006
Subject: [SpamCop-List] Re: "... Truncate" warning
References:
Message-ID:

Jeff G. wrote:

> vanderdecker@hotmail.INVALID wrote:
>> Is there any way to have the pasted message automatically truncated,
>> avoiding the warning?
>
> The warning is there for your safety. Fully-automatic full reporting
> is not supported.

Oops, I left off "No, sorry, " at the beginning of that. The last sentence was for those who might be trying to automate full reporting, and who might be getting stuck on the warning. Sorry for any confusion.

--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From / at /.cn Wed Mar 8 20:45:55 2006
From: / at /.cn (Petzl)
Date: Wed Mar 8 04:50:44 2006
Subject: [SpamCop-List] Re: Return to active duty
References: <440E32DF.10908@spamcop.net>
Message-ID:

"Anony Mouse" wrote in message news:440E32DF.10908@spamcop.net...
> Greetings All
>
> It has been a long time...
>
> Some spammers never learn and a recent growth of spam getting through my
> isp's filters and an attack by a recidivist spammer means I am returning
> to active duty.
>
> Anony Mouse

Wondered where you went
Welcome back

Petzl

From someone at somewhere.com Wed Mar 8 09:58:23 2006
From: someone at somewhere.com (someone)
Date: Wed Mar 8 05:05:34 2006
Subject: [SpamCop-List] Can we stop our email keeps getting blocked
Message-ID:

Our internet site - is a human edited Internet directory. Each category within the directory is a mini portal containing ranked sites, the latest news releases, the latest blog releases, ranked applicable products (similar to Froogle) and so on.

Each week, our researchers create several new categories, and then visit hundreds of web sites looking for suitable sites to invite to join the directory category.

Where we find suitable quality sites, with a contact us, or enquiries email, we email them to invite them to list with us. Listing sites and products within our directory is free. Sign up rates from these emails are extremely high - between 20% and 45% of those who read the email, sign up within 24 hours.

For administrative efficiency, we send these emails once a week. Total volume is somewhere between 1,000 and 3,000 emails. And this seems to trigger spam cop as the mail volumes suddenly go up from a couple of dozen support emails a day to a couple of thousand in an hour. By the time we receive bounced emails saying the IP address is blocked by Spam Cop, the block has always been removed.
We do not consider we are spamming as we only target those directly applicable to the category created and only those with an open invite to email them on their web site.

Is there any way of preventing Spam Cop from blocking us?

From nobody at nowhere.invalid Wed Mar 8 11:56:59 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 8 06:00:13 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References: <11nzn7i2pqrai$.dlg@news.spamcop.net> <1x7x9gm9sbr4n$.dlg@news.spamcop.net>
Message-ID:

On Tue, 07 Mar 2006 17:39:28 -0800, jg coughed into spamcop and left this in :

>> I couldn't tell you. I haven't used MSOE in years, preferring this any
>> day of the week: http://sylpheed.good-day.net
>>
> the screenshot sure /looks/ like TBird, from afar...

From nearer it looks quite dissimilar. It certainly feels worlds apart from T'bird. For one thing, it builds from source in about 2 minutes here...

Sylpheed gives you the safety of T'bird, more standards compliance, PGP functions without the need for extensions, but no built-in junk filtering. The Unix version does, however, leave a hook open for external filtering. Not sure about the Windows port.

I've been using it since version 0.5.something. Nearly 5 years.

http://sylpheed.good-day.net/sylpheed/v0.5/

--
Steve
Experience is something you don't get until just after you need it.

From nobody at nowhere.invalid Wed Mar 8 12:00:49 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 8 06:05:03 2006
Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked
References:
Message-ID:

On Wed, 8 Mar 2006 09:58:23 -0000, someone coughed into spamcop and left this in :

> Is there any way of preventing Spam Cop from blocking us?

Yes.

Stop spamming.

--
Steve
Recorded message on an answerphone: "This is not an answering machine, this is a telepathic thought-recording device. After the tone, think about your name, your number, and your reason for calling....
and I'll think about returning your call."

From MikeE at ster.invalid Wed Mar 8 03:09:23 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 8 06:10:03 2006
Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked
References:
Message-ID:

someone wrote:

> Our internet site -

> Where we find suitable quality sites, with a contact us, or enquiries
> email, we email them to invite them to list with us.

Clearly this is going to cause huge problems for your mailserver. You are mass mailing unsolicited emails to the mailto/s you find on websites. That is exactly what spammers do.

> For administrative efficiency, we send these emails once a week. Total
> volume is somewhere between 1,000 and 3,000 emails.

This is the volume and frequency of your unsolicited mail campaign. Spam campaign.

> And this seems to
> trigger spam cop

Spamcop isn't 'triggered' by your mail volume fluctuations. Spamcop's blocklisting is triggered by the reporters who are reporting spam - whether those reporters are people or spamtraps whose addresses you scraped from the websites.

> By the
> time we receive bounced emails saying the IP address is blocked by
> Spam Cop, the block has always been removed.

SpamCop doesn't block mail. SpamCop is a parsing and reporting service. That service maintains a list of spamsources. Recipients use servers which use the SC blocklist to defend themselves against the unsolicited mail/spam which spamsources have become listed, as yours does.

> We do not consider we are spamming

Spammers never consider /their/ spam to be spam. Spammers are always thinking spam is someone else's spam. Your spam is spam. Your unsolicited mail is spam.

Just because your campaign finds exposed mailto/s and similar on a website doesn't mean that the site has given you permission to email them about whatever you are promoting.
Just because you are promoting a listing on your site and you think everyone wants it doesn't mean that you have any right to spam people about it.

> Is there any way of preventing Spam Cop from blocking us?

No. You are spamming, you should be listed, and your mail provider should take away your mail account for mailing and your website provider should take away your website for supporting spamming.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Wed Mar 8 12:23:09 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 8 06:25:03 2006
Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked
References:
Message-ID:

> On Wed, 8 Mar 2006 09:58:23 -0000, someone coughed into spamcop and left
> this in :
>
>> Is there any way of preventing Spam Cop from blocking us?

On Wed, 8 Mar 2006 12:00:49 +0100, Steven Maesslein coughed into spamcop and left this in :

> Yes.
>
> Stop spamming.

Apologies for the self-f'up, but there's one detail I ought to expand on.

Spamcop does not block your mail and couldn't do so even if it wanted to. Spamcop *is*, among other things, a list of IP addresses from which spam has been reported either by SpamCop's users or as a result of the spam hitting SpamCop's own spam traps.

Third party networks can use this list of IP addresses in order to decide what they're going to do with inbound mail. If a machine attempting to deliver a message is on an IP address on the SpamCop BL then the network receiving the mail can choose to accept and then tag the message as potential spam, or even to reject the message outright.

The point is, it's the networks to which you're sending your solicitations that are doing the rejecting, not SpamCop. This means that people have been reporting your solicitations as spam, or that you've been sending them to spam traps.

This said, without the IP address in question, we have no way of knowing exactly what's going on. Your call.
--
Steve
Anarchy may not be the best form of government, but it's better than no government at all.

From jeffg at spamcop.net Wed Mar 8 06:29:16 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 8 06:35:04 2006
Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@
References:
Message-ID:

Porpoise wrote:

> "Jeff G." wrote in message
> news:duj14i$4f9$1@news.spamcop.net...
>> Anonymous wrote:
>>> "Jeff G." wrote in message
>
>>> Good advice, but as written, RFC 2142 doesn't advise. It requires.
>>> And, in my opinion, it does so without any justification.
>>
>> Please feel free to take that up with D. Crocker, the Internet Mail
>> Consortium, and/or the Network Working Group of the Internet
>> Engineering Task Force that drafted and approved RFC 2142, and to
>> write your own version with fewer addresses or less stringent
>> language. But until you get that RFC changed or obsoleted, you will
>> be expected to comply with it.
>>
>
> If and when it ever _actually_ becomes a standard - of
> course.................

OK, if you want to play that game, your MX mail.jtfreesurf.co.uk violates Internet Standard #3 Section 5.2.7 and Internet Standard #11 Sections 6.3 and C.6 by not accepting email to postmaster[at]mail.jtfreesurf.co.uk.

--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jeffg at spamcop.net Wed Mar 8 06:41:32 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 8 06:45:03 2006
Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked
References:
Message-ID:

"someone" wrote:

Oh, I see, you can dish it out, but you can't take it? Chicken! OBTW, that's a real email address. Learn how to munge.

> sites, with a contact us, or enquiries
> email, we email them to invite them to list with us.

IOW, you spam them.

> Is there any way of preventing Spam Cop from blocking us?

SpamCop does not block you. The SCBL lists your mailserver's IP Address.
You can stop the listing by stopping your spamming ways. Please see "FAQ Entry: Am I Running Mailing Lists Responsibly?" at http://forum.spamcop.net/forums/index.php?showtopic=779

--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From redbourn at bezeqint.net Wed Mar 8 14:08:37 2006
From: redbourn at bezeqint.net (Michael Redbourn)
Date: Wed Mar 8 07:10:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

I am not an expert on this - so sorry :-(

If I submit via my ISP then the emails don't get to SpamCop

If I submit via a hotmail account then they arrive - just tried it 10 mins ago and it's repeatable.

So yes I think that my ISP should be added - bezeqint.net

Didn't see on the link how to add it ?

I must 'add' however that some replies to my original posting were extremely aggressive !

Not 'flames' but close !

Why don't you know ? You should ! etc

To those that posted in this way - please understand that many people posting are trying to stop spam (and are even very computer literate) but are not 'experts' in this field or in posting to newsgroups of this kind.

thanks,

Mike

"WazoO" wrote in message news:dum3kc$vc5$1@news.spamcop.net...
> "Michael Redbourn" wrote in message
> news:dult1q$r6g$1@news.spamcop.net...
>> Ok - here's the scoop.
>>
>> My ISP was dropping my emails to Spamcop.
>
> You say "was" .... does this mean that they have stopped?
>
> Or are you suggesting that bezeqint.net be added to the
> list of ISPs currently found in;
> "E-Mail spam submittals blocked by your ISP"
> http://forum.spamcop.net/forums/index.php?showtopic=2782
> ??????
>
>

From MikeE at ster.invalid Wed Mar 8 04:19:51 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 8 07:20:02 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

Michael Redbourn wrote:

> I am not an expert on this - so sorry :-(

You are top-posting again.
It is better if you do /not/ begin typing right after you hit reply.

What you are supposed to do after you hit 'reply' is to begin trimming and do not trim away the attribution line which contains the name of the person you are citing.

Then you trim away all of the remarks which you aren't going to reply to, naturally that includes signatures. Notice that I left your name at the top, and I reply to your different sentences in different places and remove everything else.

Then you place your remarks in context under those to which you are replying. That provides you a second chance to read the words to which you are replying.

> To those that posted in this way - please understand that many people
> posting are trying to stop spam (and are even very computer literate)
> but are not 'experts' in this field or in posting to newsgroups of
> this kind.

Please understand that we are all trying to communicate with each other. Newsgroup communication is different from person to person conversation or telephone conversation and works best when it is 'structured' properly.

http://members.fortunecity.com/nnqweb/nquote.html news.newusers.questions - Quoting Style in Newsgroup Postings - This document is a description of the traditionally accepted "quoting style" in Usenet newsgroup postings.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Wed Mar 8 14:45:21 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 8 08:50:13 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

On Wed, 8 Mar 2006 14:08:37 +0200, Michael Redbourn coughed into spamcop and left this in :

> I am not an expert on this - so sorry :-(

Expert on what? There's no context above your reply.

Please learn how to post.
http://linux.sgms-centre.com/misc/netiquette.php

--
Steve
There is a theory which states that if ever anybody discovers exactly what the Universe is for and why it is here, it will instantly disappear and be replaced by something even more bizarre and inexplicable. There is another theory which states that this has already happened.

From nobody at spamcop.net Wed Mar 8 15:40:31 2006
From: nobody at spamcop.net (me-no-no)
Date: Wed Mar 8 10:45:03 2006
Subject: [SpamCop-List] Re: Double login
References:
Message-ID:

"Aviatrix" wrote in message news:dujhlr$evr$1@news.spamcop.net...
> Patto wrote:
>> When I go to tab Held Email I am already logged in, and I don't have to
>> do it again. In fact every tab behaves that way, except Webmail. When I
>> go there I have to login again - this time I have to type the full
>> address and password, as this section does not keep it in a cookie.
> Doesn't it?
> It does for me....

It *used* to for me too - It suddenly disappeared a while back, and I have never been able to get it to remember the Webmail user/pw combi since :-(

Anyone, able/care to elaborate on why it used to work, and/or is apparently still working for some ?

Ciao
Meno

From jeffg at spamcop.net Wed Mar 8 10:58:10 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 8 11:00:02 2006
Subject: [SpamCop-List] Re: what a nerve...
References:
Message-ID:

Maggie's Mom wrote:

> Dear Sir/Madam, Hello! We are internet hackers crew - Web-hack. We

Please do not post spam bodies or the clickable links therein to any group here but spamcop.spam.

--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From kenbrody at spamcop.net Wed Mar 8 11:25:34 2006
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Wed Mar 8 11:35:04 2006
Subject: [SpamCop-List] Re: Server is listed, but SpamCop doesn't say why
References: <440CB7BE.FBF83854@spamcop.net> <440DD28D.8A0CB6F7@spamcop.net>
Message-ID: <440F057E.DEB2D194@spamcop.net>

Mike Easter wrote:
[...]
> If we are going to talk about dissecting or parsing headerlines, let's
> don't talk about partial lines.
>
> Let's talk about the whole spam from which you derived those lines.
>
> Post the tracking URL for the spam parsing of the spam which contained
> the lines from which those two lines were extracted. We can't see SC
> making a mistake in the parse if you don't post the tracker for the
> parse.
>
> If you don't have a tracking URL, you make one by submitting the spam
> which contains those lines, performing any necessary mungeing prior to
> submission if it is not excessive, copying the tracking URL, cancelling
> the report, and pasting the tracker in here.

Yes, I should know better than to simply post two lines from the header. (Twenty lashes with a wet noodle for me.)

http://www.spamcop.net/sc?id=z892850909z98f28be0e7d1769b2c3a28b19a79745az

==========
[...]
> Possible open relay: 64.31.80.65
> Yum, this spam is fresh!
> Message is 0 hours old
> 64.31.80.65 not listed in relays.ordb.org.
[...]
> If reported today, reports would be sent to:
> Re: 64.31.80.65 (Automated open-relay testing system(s))
>
> Internal spamcop handling: (relays)

That's the IP address that got listed the other day. (It's currently not listed.) I have manually tested for an open relay, and my tests didn't show an open relay. When I tested this the other day, it also said "Possible open relay" and "Automated open-relay testing system(s)". Is there any reason that this should still be appearing? Shouldn't the tests have been complete by now, and either showed it is or isn't open?
> > Re: 69.118.116.86 (Administrator of network where email originates) > > abuse@cv.net > > Re: 69.118.116.86 (Third party interested in email source) > > spamcop@imaphost.com Those IP addresses are me, the real source of this e-mail. ========== Once again, thanks for the help. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From kenbrody at spamcop.net Wed Mar 8 11:29:18 2006 From: kenbrody at spamcop.net (Kenneth Brody) Date: Wed Mar 8 11:35:13 2006 Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked References: Message-ID: <440F065E.91C827D3@spamcop.net> someone wrote: [...] > Is there any way of preventing Spam Cop from blocking us? Well, given that SpamCop can't block you in the first place (unless the recipient is a SpamCop address), you can't prevent it. :-) However, if you were to give the actual message that you got by the other system (and it is this other system's administrator that has blocked you, not SpamCop, regardless of any message to the contrary in the bounce message), then someone here may be able to help explain what is going on. Without any specific information from you, no one can give you a specific answer. Finally, given that your e-mail basically says "we spam people", I'm not surprised that you are listed. -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. 
Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From MikeE at ster.invalid Wed Mar 8 09:20:19 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 8 12:20:03 2006 Subject: [SpamCop-List] Re: Server is listed, but SpamCop doesn't say why References: <440CB7BE.FBF83854@spamcop.net> <440DD28D.8A0CB6F7@spamcop.net> <440F057E.DEB2D194@spamcop.net> Message-ID: Kenneth Brody wrote: > Yes, I should know better than to simply post two lines from the > header. (Twenty lashes with a wet noodle for me.) > www.spamcop.net/sc?id=z892850909z98f28be0e7d1769b2c3a28b19a79745az That item doesn't contain those lines you mentioned before: Abbreviated Received tracelines *comment from unknown (192.168.1.101) by blade4.cesmail.net *serves you from (HELO fptech.com) (64.31.80.65) by mailgate.cesmail.net *serves you from mail by fptech.com *serves you from [216.154.195.36] (helo=mailgate.cesmail.net) by fptech.com *serves you from unknown (HELO epsilon.cesmail.net) (192.168.1.40) by mailgate.cesmail.net *serves you from (ool-45767456.dyn.optonline.net [69.118.116.86]) by webmail.spamcop.net *source, is you > When I tested this the other day, it also > said "Possible open relay" and "Automated open-relay testing > system(s)". Is there any reason that this should still be appearing? I don't know for sure, but I think that if you aren't mailhosted and SC is finding relays that it is going to consider them possibly open. > Shouldn't the tests have been complete by now, and either showed it > is or isn't open? As above. > Those IP addresses are me, the real source of this e-mail. Which is correct. 
-- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Mar 8 09:30:46 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Wed Mar 8 12:35:02 2006 Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked References: Message-ID: "someone" wrote in message news:dum9vh$3m1$1@news.spamcop.net... > Each week, our researchers ... visit hundreds of web sites ... to invite... > Where we find suitable quality sites, with a contact us, or enquiries > email, > we email them to invite them... > We do not consider we are spamming... > Is there any way of preventing Spam Cop from blocking us? Yes. All you need to do is to figure out a way to make sure that everyone you email agrees with your opinion that you are not spamming. Do that, and nobody will report you to Spamcop. Problem solved. Or you can keep doing what you are doing and discover the hard way that there are other blocklists that target persistent spammers and are a lot harder to get off of. Experience is a harsh teacher, but some people will accept no other. G.M. From porpoise1954 at yahoo.co.uk Wed Mar 8 18:14:19 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Mar 8 13:15:01 2006 Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked References: Message-ID: "Steven Maesslein" wrote in message news:slrne0teb1.4oc.nobody@127.0.0.1... > On Wed, 8 Mar 2006 09:58:23 -0000, someone coughed into spamcop and left > this in : > >> Is there any way of preventing Spam Cop from blocking us? > > Yes. > > Stop spamming. > i.e. just email each one separately! From tmcgraw at spamcop.net Wed Mar 8 10:26:05 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Mar 8 13:30:03 2006 Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked In-Reply-To: References: Message-ID: someone wrote: > Our internet site - is a human edited Internet directory. 
Each category > within the directory is a mini portal containing ranked sites, the latest > news releases, the latest blog releases, ranked applicable products (similar > to Froogle) and so on. > > Each week, our researchers create several new categories, and then visit > hundreds of web sites looking for suitable sites to invite to join the > directory category. > > Where we find suitable quality sites, with a contact us, or enquiries email, > we email them to invite them to list with us. Listing sites and products > within our directory is free. Sign up rates from these emails are extremely > high - between 20% and 45% of those who read the email, sign up within 24 > hours. > > For administrative efficiency, we send these emails once a week. Total > volume is somewhere between 1,000 and 3,000 emails. And this seems to > trigger spam cop as the mail volumes suddenly go up from a couple of dozen > support emails a day to a couple of thousand in an hour. By the time we > receive bounced emails saying the IP address is blocked by Spam Cop, the > block has always been removed. > > We do not consider we are spamming as we only target those directly > applicable to the category created and only those with an open invite to > email them on their web site. > > Is there any way of preventing Spam Cop from blocking us? Does the subject of your outbound mail have the term "link exchange"? From jg at coks.net Wed Mar 8 10:49:36 2006 From: jg at coks.net (jg) Date: Wed Mar 8 13:50:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments In-Reply-To: References: Message-ID: On 3/7/2006 6:06 PM Mike Easter scribbled: > jg wrote: >> Michael Redbourn > >>> Is it OK via OE to send multiple spams as one attachment ? >> do you mean as a function of OE? >> don't think so - and OE mangles attachments anyway... > > Wrong. 
OE is an excellent tool to use to submit by forward as > attachment or to use to copy and paste a spam with complete headers and > unrendered into the webparser. > > There is no mangling of attachments, whatever that means. > What was meant was problems with OL, not OE, your most excellent client. Since I don't use either one, I was only reporting what I see when I get mail from my clueless friends. Thought I had already been corrected here... From abuse at whathostingshould.be Wed Mar 8 13:55:54 2006 From: abuse at whathostingshould.be (Galen) Date: Wed Mar 8 14:00:03 2006 Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked References: Message-ID: In news:dum9vh$3m1$1@news.spamcop.net, someone had this to say: My reply is at the bottom of your sent message: > Is there any way of preventing Spam Cop from blocking us? Doesn't matter I don't think? If they stop adding you to the blacklist for spamming, well, they'd not be the SC I know. However someone else would. I know that if any of my sites got your UCE I'd add you to the blacklists manually after the second offense and there are quite a few email addresses that that would affect. Of course we'd just blackhole it via IP address and not bother bugging the folks at SC. Given the nature of the people I host I'd say that that would be the least of your worries. They aren't many but they're an idealistic group of folks and more than likely going to do stuff like 1) complain to me 2) complain to your hosting company 3) complain to your hosting company's data center 4) complain to your upstream bandwidth provider(s) 5) generally make it known that they're unhappy with your ways... Just my two cents. Galen -- http://www.whathostingshould.be - We are what hosting SHOULD be. 
From nobody at spamcop.net Thu Mar 9 08:56:17 2006 From: nobody at spamcop.net (Anony Mouse) Date: Wed Mar 8 15:00:03 2006 Subject: [SpamCop-List] Re: Return to active duty References: <440E32DF.10908@spamcop.net> Message-ID: <440F36E1.4070809@spamcop.net> Petzl wrote: > "Anony Mouse" wrote in message > news:440E32DF.10908@spamcop.net... > >>Greetings All >> >>It has been a long time... >> >>Some spammers never learn and a recent growth of spam getting through my >>isp's filters and an attack by a recidivist spammer means I am returning >>to active duty. >> >>Anony Mouse > > > Wondered where you went > Welcome back > > Petzl > > That four letter word work. Now I am retired at 46. From nobody at spamcop.net Thu Mar 9 09:04:22 2006 From: nobody at spamcop.net (Anony Mouse) Date: Wed Mar 8 15:05:03 2006 Subject: [SpamCop-List] Re: Return to active duty References: <440E32DF.10908@spamcop.net> Message-ID: <440F38C6.1050909@spamcop.net> Tim McGraw wrote: > Anony Mouse wrote: > >> Greetings All >> >> It has been a long time... >> >> Some spammers never learn and a recent growth of spam getting through >> my isp's filters and an attack by a recidivist spammer means I am >> returning to active duty. >> >> Anony Mouse > > > Welcome back to the forward regiment. > > You can never cut and run from spam! That is true. I have still been keeping an eye on things. Now it is time to turn isp filtering off again and renew some old love hate relationships. That is I love to hate them. I note it was only January 2005 since I last posted here. Anyway let the fun begin... From MikeE at ster.invalid Wed Mar 8 12:53:28 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 8 15:55:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: jg wrote: > Mike Easter scribbled: >> jg wrote: >>> OE mangles attachments >> There is no mangling of attachments, > Thought I had already been corrected here... 
I read [pronounce reed] and reply to messages in chronological main thread/subject order, not by subthread order within a topic. I read [pronounce red] and replied to your message before I read the N. Miller message correcting your OE remark, which came chronologically later. On some rare occasions I could/should read all of the messages in a thread before replying to any of them, but that would be slightly less convenient. In this case I was away from the ng a few days, so maybe I should've done it differently. And I definitely don't care to discuss reading messages by thread/reference structure rather than chronologically by subject [except when the subject changes]. Unless someone *really* wants to debate the thread vs chronology issue. As far as I can tell, there are very few people who do it the same way I do -- so I don't have any real interest in trying to convert others. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Mar 8 10:03:58 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Wed Mar 8 16:25:02 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Porpoise" wrote in message news:dul3da$bdh$1@news.spamcop.net... > > "Jeff G." wrote in message > news:duj14i$4f9$1@news.spamcop.net... >> Anonymous wrote: >>> "Jeff G." wrote in message > >>> Good advice, but as written, RFC 2142 doesn't advise. It requires. >>> And, in my opinion, it does so without any justification. >> >> Please feel free to take that up with D. Crocker, the Internet Mail >> Consortium, and/or the Network Working Group of the Internet Engineering >> Task Force that drafted and approved RFC 2142, and to write your own >> version with fewer addresses or less stringent language. But until you >> get that RFC changed or obsoleted, you will be expected to comply with >> it. > > If and when it ever _actually_ becomes a standard - of > course................. 
That argument would be more compelling if not for the fact that so much of the Internet is based on RFCs, not standards. A quick look at http://www.dns.net/dnsrd/rfc/ will show this. Some RFCs are de-facto standards in the sense that your attempts to use some or all of the Internet will fail if you violate them. Some are near-universal and those who violate them cause a huge amount of trouble. Some are widely ignored and nobody complains about it. That's why every domain I control has a working abuse@ and postmaster@ address that a human reads and responds to, but none of them -- including the ones that sell things -- has a sales@ address. Yes, that is a technical violation of RFC 2142 but nobody cares. G.M. From Kilgallen at SpamCop.net Wed Mar 8 15:31:14 2006 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Mar 8 16:35:03 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: In article , "Anonymous" writes: > Some RFCs are de-facto standards > in the sense that your attempts to use some or all of the Internet will fail > if you violate them. And some are reverse-standards such that the Internet will fail if you follow them. Such as the bit about sending back to the From address if email cannot be delivered. From redbourn at bezeqint.net Wed Mar 8 23:53:35 2006 From: redbourn at bezeqint.net (Michael Redbourn) Date: Wed Mar 8 16:55:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: "Mike Easter" wrote in message news:dumi4j$903$1@news.spamcop.net... > Michael Redbourn wrote: >> I am not an expert on this - so sorry :-( > > You are top-posting again. It is better if you do /not/ begin typing > right after you hit reply. > > What you are supposed to do after you hit 'reply' is to begin trimming > and do not trim away the attribution line which contains the name of the > person you are citing. Ok thank you - I will try to do better. 
I thought that top-posting meant - top of the thread. regards, Michael From MikeE at ster.invalid Wed Mar 8 14:38:23 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 8 17:40:04 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: Michael Redbourn wrote: > "Mike Easter" >> What you are supposed to do after you hit 'reply' is to begin >> trimming and do not trim away the attribution line which contains >> the name of the person you are citing. > > Ok thank you - I will try to do better. Perfect. Thanks. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Wed Mar 8 17:29:27 2006 From: nobody at devnull.spamcop.net (Maggie's Mom) Date: Wed Mar 8 19:30:03 2006 Subject: [SpamCop-List] Re: what a nerve... References: Message-ID: Sorry! I did not know. - Maggie's Mom. "Jeff G." wrote in message news:dumuum$ghp$1@news.spamcop.net... > Maggie's Mom wrote: >> Dear Sir/Madam, Hello! We are internet hackers crew - Web-hack. We > > Please do not post spam bodies or the clickable links therein to any > group here but spamcop.spam. > > -- > Thanks and Best Regards, Jeff G. > http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 > From kthog at example.com Wed Mar 8 17:03:46 2006 From: kthog at example.com (K. Thog) Date: Wed Mar 8 19:50:03 2006 Subject: [SpamCop-List] A mailman opt-in plus confirmation mailing list is spam? Message-ID: When a user subscribes and then doesn't have the wherewithal to unsubscribe, he might decide to complain to SpamCop. Now a (potentially) legitimate discussion email list is blocked and there's no way to find out who it was or what email was included with the complaint. What's the solution? There's an impasse, unless details can be provided to the accused so their (now very annoyed) system administrators can take steps to deal with the issue. Comments much appreciated. 
From porpoise1954 at yahoo.co.uk Thu Mar 9 01:09:06 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Mar 8 20:10:02 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Jeff G." wrote in message news:dumf83$6vi$1@news.spamcop.net... > Porpoise wrote: >> "Jeff G." wrote in message >> news:duj14i$4f9$1@news.spamcop.net... >>> >> >> If and when it ever _actually_ becomes a standard - of >> course................. > > OK, if you want to play that game, your MX mail.jtfreesurf.co.uk > violates Internet Standard #3 Section 5.2.7 and Internet Standard #11 > Sections 6.3 and C.6 by not accepting email to > postmaster[at]mail.jtfreesurf.co.uk. That's probably because there are no MX records Jersey Telecom do not provide email services for their customers - only connection services. From porpoise1954 at yahoo.co.uk Thu Mar 9 01:09:57 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Mar 8 20:15:02 2006 Subject: [SpamCop-List] Re: Double login References: Message-ID: "me-no-no" wrote in message news:dumtt0$g0t$1@news.spamcop.net... > "Aviatrix" wrote in message > news:dujhlr$evr$1@news.spamcop.net... >> Patto wrote: > >>> When I go to tab Held Email I am already logged in, and I don't have to >>> do it again. In fact every tab behaves that way, except Webmail. When I >>> go there I have to login again - this time I have to type the full >>> address and password, as this section does not keep it in a cookie. > >> Doesn't it? > >> It does for me.... > > It *used* to for me too - It suddenly disappeared a while back, and I have > never been able to get it to remember the Webmail user/pw combi since :-( > Anyone, able/care to elaborate on why it used to work, and/or i apparently > still working for some ? > Windows update!?! 
From porpoise1954 at yahoo.co.uk Thu Mar 9 01:21:45 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Mar 8 20:25:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: "Mike Easter" wrote in message news:dung7j$qvv$1@news.spamcop.net... > > And I definitely don't care to discuss reading messages by > thread/reference structure rather than chronologically by subject > [except when the subject changes]. > > Unless someone *really* wants to debate the thread vs chronology issue. > As far as I can tell, there are very few people who do it the same way I > do -- so I don't have any real interest in trying to convert others. > Ermmm.... You know Mike, I don't even understand what you just sed there 8>|| My OE lists the threads chronologically. That is to say, they are threaded *and* chronological..... That is to say, they are listed chronologically with all the threads automagically expanded already...... Are you saying, you read all the "top-level" messages (unexpanded) first, and then expand the threads and read the replies??!!?? From porpoise1954 at yahoo.co.uk Thu Mar 9 01:28:46 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Wed Mar 8 20:30:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: "K. Thog" wrote in message news:duntuq$39i$1@news.spamcop.net... > > When a user subscribes and then doesn't have the wherewithal to > unsubscribe, > he might decide to complain to SpamCop. > > Now a (potentially) legitimate discussion email list is blocked and > there's > no way to find out who it was or what email was included with the > complaint. > > What's the solution? There's an impasse, unless details can be provided to > the accused so their (now very annoyed) system administrators can take > steps to deal with the issue. > > Comments much appreciated. AFAIK one report from one user wouldn't be sufficient to get an IP listed. 
And, if you don't know who it was that "subscribed and then doesn't have the wherewithal to unsubscribe" how do you know that "a user subscribed and then didn't have the wherewithal to unsubscribe and might have complained to SpamCop" (whatever that means)? Of course, some people here might be able to help with a bit more useful information if you weren't expecting them to be using their crystal balls to determine what IP is actually under discussion. From nobody at spamcop.net Thu Mar 9 14:31:41 2006 From: nobody at spamcop.net (Anony Mouse) Date: Wed Mar 8 20:35:02 2006 Subject: [SpamCop-List] Spam filters are off. Message-ID: <440F857D.9080503@spamcop.net> Greetings All I have turned filtering off. The fun begins. Time to sort out the first targets. The Russians seem like the most likely targets. It seems that they have never stopped attacking my inbox. As I am known to attack more than one target not just spammy gets my full attention. ICANN is still seen as a good target. Several years ago I began attacking this organisation. Vinton Cerf once said to me that he supports spammy. This really pissed me off and I set about making sure he did care and eventually the Whois reporting system was created. Obviously I was not the only one pushing ICANN. I think the Whois reporting system is not working. I think it is time to deal to ICANN again. The Senate is the key. The system needs to been tightened up and the registries need to be stopped from supporting spammy. Many registries support spammy. They know who they are. They make a lot of money from spammy. They ignore the losses through fraud. Spammies favourite trick is to register domains with stolen credit card information. My findings from past experience are that it takes far too long to close domains. I am looking for comments from those who have been using the Whois reporting system over the last year. By the way the last time I used the whois reporting system was 30/12/04. Who are the worst registries? 
I have spanked (For want of a better word) several of them before and I will again. Is anyone keeping track of the time it takes to close a domain? Can any one person make a difference? I think so and I think it is time to show spammy again. Without trying to sound arrogant I think I have made a difference in the past and will again. Certainly I have reduced the amount of spam in my inbox to virtually nil before. Finally something I have done in the past is to use political clout through embassies in this country. Last time I was active I did not pursue this much. It was effective at the time and I think it is time to follow this avenue again. Anony Mouse From MikeE at ster.invalid Wed Mar 8 17:51:17 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 8 20:55:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: K. Thog wrote: > When a user subscribes and then doesn't have the wherewithal to > unsubscribe, he might decide to complain to SpamCop. That would be against the rules -- that is, if a person subscribed by a confirmed or verifiable by unique token opt-in to something like a mailing list, and then at some later time decided to report the mailing list items as spam. However, usually when some mailsender claims that the recipient has 'subscribed' -- the fact is that the sender has no such confirmed and verifiable unique token by which the subscription process was properly verified. That is, the sender is claiming the recipient is subscribed, but in fact the recipient is /not/ verifiably and confirmationally opted-in. > Now a (potentially) legitimate discussion email list is blocked and > there's no way to find out who it was or what email was included with > the complaint. While it is true that the reporting process does not 'directly' provide the recipient of the report with the address of the reporter, the 'appropriate' recipient of the report can dispute any notification. 
> What's the solution? There's an impasse, unless details can be > provided to the accused so their (now very annoyed) system > administrators can take steps to deal with the issue. The SpamCop derived notification recipient of a report receives a link to the evidence on which the report is based. The recipient of a report can dispute the veracity of a report -- that it should not have been reported as spam. If a spamcop reporter is 'fraudulently' or erroneously reporting as spam that which is not, the reporter can be banned, suspended, fined, or otherwise disciplined. The reporter is required to agree that: http://www.spamcop.net/anonsignup.shtml // If I break these rules, SpamCop will immediately and permanently revoke my access to SpamCop. I will use SpamCop only on email which is unsolicited, bulk email. // In addition, reporters are not supposed to report mailing list items -- there is a different process for that http://www.spamcop.net/fom-serve/cache/14.html // Some examples of messages which should not be reported as spam: Spam sent to mailing lists Spam sent to mail lists/groups must not be reported using SpamCop except by the list owner. // > Comments much appreciated. You haven't stated the IP address of what is at issue so that someone can comment on how/who/ what address/ SpamCop would notify about a reported item sourced by that IP. -- Mike Easter kibitzer, not SC admin From vanguard.news at yahooNIX.com Wed Mar 8 20:35:42 2006 From: vanguard.news at yahooNIX.com (Vanguard) Date: Wed Mar 8 21:40:02 2006 Subject: [SpamCop-List] Re: Spam filters are off. References: <440F857D.9080503@spamcop.net> Message-ID: "Anony Mouse" wrote in message news:440F857D.9080503@spamcop.net... Was there a point to all of this beyond ego stroking? From vanguard.news at yahooNIX.com Wed Mar 8 20:39:41 2006 From: vanguard.news at yahooNIX.com (Vanguard) Date: Wed Mar 8 21:40:10 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? 
References: Message-ID: "K. Thog" wrote in message news:duntuq$39i$1@news.spamcop.net... > > When a user subscribes and then doesn't have the wherewithal to > unsubscribe, > he might decide to complain to SpamCop. > > Now a (potentially) legitimate discussion email list is blocked and > there's > no way to find out who it was or what email was included with the > complaint. > > What's the solution? There's an impasse, unless details can be provided to > the accused so their (now very annoyed) system administrators can take > steps to deal with the issue. SpamCop doesn't block anything. The mail recipient chose to use the SpamCop blacklist but obviously doesn't have to. There are LOTS of blacklists out there but obviously they aren't all used (I won't touch SPEWS which one day will end up listing the entire IP address range). How can a mailing list be legitimate if it doesn't have an unsubscribe function, either by sending the appropriate commands in the body to the listserver or by submitting a request to an admin? Obviously it is NOT a legitimate mailing list if a user that elected to participate cannot also elect to NOT participate any longer. Fix your mailing list! It's not SpamCop's fault nor responsibility to fix your mailing list server. -- __________________________________________________ Post replies to the newsgroup. Share with others. For e-mail: Remove "NIX" and add "#VN" to Subject. __________________________________________________ From MikeE at ster.invalid Wed Mar 8 19:03:23 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 8 22:05:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: Porpoise wrote: > "Mike Easter" >> Unless someone *really* wants to debate the thread vs chronology >> issue. As far as I can tell, there are very few people who do it the >> same way I do -- so I don't have any real interest in trying to >> convert others. >> > > Ermmm.... 
You know Mike, I don't even understand what you just sed > there 8>|| > > My OE lists the threads chronologically. That is to say, they are > threaded *and* chronological..... That is to say, they are listed > chronologically with all the threads automagically expanded > already...... One important threading condition of OE is the configuration OE/ View/ Current view/ Group messages by conversation. I do not use that function. When that function or configuration is 'off' that means that OE does *not* use the References: information in the header to sort by. When I have that threading function turned off, that means that I sort by Subject, which 'secondarily' sorts by date - which means that a 'thread' - as long as the subject of the thread doesn't change - is sorted primarily by its subject and secondarily by its timestamp. That means that I read any given subject thread chronologically. The chronological order of a thread is different in many cases than the 'thread' order of a thread. The thread which we are discussing here has about 7 subthreads which can be seen in various forks if I group by conversation - where conversation in this context means grouping by References: header. For me, the thread has only one 'string' or sorting. The subject is sorted by timestamp. That is all. There are no 7 subthreads of References hierarchy. > Are you saying, you read all the "top-level" messages (unexpanded) > first, and then expand the threads and read the replies??!!?? I'm saying that there is no expanding or unexpanding. I have no expanding and unexpanding function in that mode. There is no Group by conversation. If you will access that feature on your OE and turn it off, you will see how I don't thread. Then, in order to solve any problem of total disorganization, you should sort by subject. When you sort by subject, you will discover that there is another order to the subjects. All of the messages with that subject will be in order chronologically. 
I have gotten deeply into these discussions in another newsgroup in the past, namely news.software.readers. At the time of that discussion, I believed that OE's threading method was 'broken' or inferior -- but since then I have discovered that all newsreaders thread by References: line the same -- and therefore it is my opinion that they are /all/ inferior -- that is, to my taste. I prefer to not sort by that hierarchy - but to sort purely by Subject primarily, to keep all of the items of a subject together, and then to put them in order by chronology -- not by References: to each other. I can tell about the References by how people are being cited. Of course, sometimes it happens that a particular thread will not maintain the same Subject. When the subject changes I have to shift over to Group by conversation to maintain the thread's order -- at least until the subject changing condition settles back down to the same subject again - then I will shift back out of Group by conversation to my normal ordering. -- Mike Easter kibitzer, not SC admin From eddie at eddie.web Wed Mar 8 22:10:24 2006 From: eddie at eddie.web (eddie) Date: Wed Mar 8 22:15:02 2006 Subject: [SpamCop-List] Re: "... Truncate" warning In-Reply-To: References: Message-ID: vanderdecker@hotmail.INVALID wrote: > Is there any way to have the pasted message automatically truncated, > avoiding the warning? I don't think so. If you truncate it yourself you would then have to add some kind of note and even that might be illegal. The only "major" modifications that we can make is to decrypt base64 spam and only then when a specific note is attached as dictated by SC. At least that was the rule a while ago. Otherwise you are allowed "minor" changes only, and I would assume truncating spam is not minor. I think that the warning is a minor thing. You should consider automatic reporting as I use, in which, I assume, the spam is truncated automatically without a message. 
I submit nearly all my spam from the spamcop mail server directly to the spam reporting server.

From nobody at spamcop.net Wed Mar 8 21:07:02 2006
From: nobody at spamcop.net (N. Miller)
Date: Thu Mar 9 00:10:02 2006
Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked
References:
Message-ID:

On Wed, 8 Mar 2006 09:58:23 -0000, someone wrote:

> Our internet site - is a human edited Internet directory. Each category
> within the directory is a mini portal containing ranked sites, the latest
> news releases, the latest blog releases, ranked applicable products (similar
> to Froogle) and so on.
>
> Each week, our researchers create several new categories, and then visit
> hundreds of web sites looking for suitable sites to invite to join the
> directory category.

I just got a connection attempt which initiated an SMTP transaction with "EHLO www-goto.com". Rejected for being listed by Spamhaus. On the one hand, I really don't think it is you; it came from an Indian provider. On the other hand, it seems like a similar service to yours.

I don't run a web site, though I have a couple of PWPs. I don't do this for money, and don't care about being ranked by Google, and similar. I am also a rude sort of guy, and don't want to hear from such services. I just plugged their /24 into my router ACL. They won't even raise my SMTP banner, now.

I know that I am not the only person on the Internet who would do something like that.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From jeffg at spamcop.net Wed Mar 8 23:59:41 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Thu Mar 9 00:30:03 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

Mike Easter wrote:
> Porpoise wrote:
>> "Mike Easter"
>
>>> Unless someone *really* wants to debate the thread vs chronology
>>> issue.
>>> As far as I can tell, there are very few people who do it the
>>> same way I do -- so I don't have any real interest in trying to
>>> convert others.
>>>
>>
>> Ermmm.... You know Mike, I don't even understand what you just sed
>> there 8>||
>>
>> My OE lists the threads chronologically. That is to say, they are
>> threaded *and* chronological..... That is to say, they are listed
>> chronologically with all the threads automagically expanded
>> already......
>
> One important threading condition of OE is the configuration OE/ View/
> Current view/ Group messages by conversation. I do not use that
> function. When that function or configuration is 'off' that means
> that OE does *not* use the References: information in the header to
> sort by.
>
> When I have that threading function turned off, that means that I sort
> by Subject, which 'secondarily' sorts by date - which means that a
> 'thread' - as long as the subject of the thread doesn't change - is
> sorted primarily by its subject and secondarily by its timestamp.
>
> That means that I read any given subject thread chronologically. The
> chronological order of a thread is different in many cases than the
> 'thread' order of a thread. The thread which we are discussing here
> has about 7 subthreads which can be seen in various forks if I group
> by conversation - where conversation in this context means grouping by
> References: header.
>
> For me, the thread has only one 'string' or sorting. The subject is
> sorted by timestamp. That is all. There are no 7 subthreads of
> References hierarchy.
>
>> Are you saying, you read all the "top-level" messages (unexpanded)
>> first, and then expand the threads and read the replies??!!??
>
> I'm saying that there is no expanding or unexpanding. I have no
> expanding and unexpanding function in that mode. There is no Group by
> conversation. If you will access that feature on your OE and turn it
> off, you will see how I don't thread.
> Then, in order to solve any
> problem of total disorganization, you should sort by subject. When
> you sort by subject, you will discover that there is another order to
> the subjects. All of the messages with that subject will be in order
> chronologically.
>
> I have gotten deeply into these discussions in another newsgroup in
> the past, namely news.software.readers. At the time of that
> discussion, I believed that OE's threading method was 'broken' or
> inferior -- but since then I have discovered that all newsreaders
> thread by References: line the same -- and therefore it is my opinion
> that they are /all/ inferior -- that is, to my taste. I prefer to
> not sort by that hierarchy - but to sort purely by Subject primarily,
> to keep all of the items of a subject together, and then to put them
> in order by chronology -- not by References: to each other. I can
> tell about the References by how people are being cited.
>
> Of course, sometimes it happens that a particular thread will not
> maintain the same Subject. When the subject changes I have to shift
> over to Group by conversation to maintain the thread's order -- at
> least until the subject changing condition settles back down to the
> same subject again - then I will shift back out of Group by
> conversation to my normal ordering.

I use OE to read this group, spamcop.mail, and other groups like spamcop.spam when the mood strikes me. In OE, I DO use "Group Messages by Conversation" because I like the way the messages are presented. I sort from newest thread on top to oldest on the bottom, and OE sorts the messages in a thread by subthread, and chronologically from oldest message on top to newest on the bottom. This allows me to easily read subthreads as cohesive units, easily follow what's going on by reading each new message from top to bottom in my window, and easily refer to parent conversations going much farther back than some people quote.
This also allows me to spot new problems right up at the top as soon as I enter the group. Once my use of the spacebar gets me to a message I've already read (or the last new message before it), I use a [View] "Next Unread Message" Button or Ctrl+U to find new posts to old threads and subthreads. I will typically start drafting a reply to any message I feel like replying to, and then read all of the replies to that message before posting or discarding my reply.

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From scamper at trisk.com Wed Mar 8 22:35:18 2006
From: scamper at trisk.com (Garen Erdoisa)
Date: Thu Mar 9 00:35:03 2006
Subject: [SpamCop-List] Re: Double login
In-Reply-To:
References:
Message-ID:

me-no-no wrote:
> "Aviatrix" wrote in message
> news:dujhlr$evr$1@news.spamcop.net...
>> Patto wrote:
>
>>> When I go to tab Held Email I am already logged in, and I don't have to
>>> do it again. In fact every tab behaves that way, except Webmail. When I
>>> go there I have to login again - this time I have to type the full
>>> address and password, as this section does not keep it in a cookie.
>
>> Doesn't it?
>
>> It does for me....
>
> It *used* to for me too - It suddenly disappeared a while back, and I have
> never been able to get it to remember the Webmail user/pw combi since :-(
> Anyone, able/care to elaborate on why it used to work, and/or is apparently
> still working for some ?

That happened to me using the firefox browser a while ago. I managed to fix it by deleting the entries stored in the firefox password manager related to spamcop.net, then let firefox pick up the new info the next time I logged on. Haven't seen any further problems with that.

>
> Ciao
> Meno
>
>

Garen

From AHaumer_gmxnet at nopspam.invalid Thu Mar 9 06:39:40 2006
From: AHaumer_gmxnet at nopspam.invalid (Anton Haumer)
Date: Thu Mar 9 00:40:02 2006
Subject: [SpamCop-List] Re: SC reporting down ?
References: <440BD1EB.DC383C16@nopspam.invalid>
Message-ID: <440FBF9C.C4C5DE7@nopspam.invalid>

Redstone wrote:
>
> Anton Haumer wrote in
> news:440BD1EB.DC383C16@nopspam.invalid:
>
> > sent a bunch of spam by mail about 6 hours ago,
> > nothing happens ... is SC reporting down?
>
> What is it you are expecting to happen?

An email from SC
"SpamCop is now ready to process your spam."

Toni

From nobody at spamcop.net Wed Mar 8 23:29:35 2006
From: nobody at spamcop.net (RandallW)
Date: Thu Mar 9 02:30:02 2006
Subject: [SpamCop-List] Domainsbyproxy
Message-ID:

Anyone have an opinion on this service? I sense irony that they claim they protect people from spammers, since THEY seem to allow spammers to use them!

From edb2000 at spamcop.net Thu Mar 9 00:29:36 2006
From: edb2000 at spamcop.net (Don Wannit)
Date: Thu Mar 9 03:30:07 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Vanguard wrote:
> How can a mailing list be legitimate if it doesn't have an unsubscribe
> function, either by sending the appropriate commands in the body to the
> listserver or by submitting a request to an admin? Obviously it is NOT
> a legitimate mailing list if a user that elected to participate cannot
> also elect to NOT participate any longer. Fix your mailing list! It's
> not SpamCop's fault nor responsibility to fix your mailing list server.

The O.P. stated that Gnu Mailman is the list management software in use. By default, Mailman automatically includes a clickable unsubscribe link in the email headers of every message sent out to the list. It also facilitates automatically including that information in the footer of every message sent to the list (and does so by default, although you can change the configuration so it does not).

When an email address is submitted to be added to the list, Mailman sends a confirmation message to the address.
The confirmation message contains a unique randomly-generated token which must be included in any response from the user in order to confirm the intention to subscribe. If the user does not respond to the confirmation message with the token, then after a timeout period the submission is dropped. No list email is sent to the user until and unless the confirmation token is sent back, or the unique confirmation URL link clicked on.

After the confirmation is received back from the user, a welcoming message is automatically sent back which contains instructions for changing personal settings, unsubscribing, etc. This message usually says "Keep this for your records". Many users do not. That's their problem. But it's not important, because each and every email sent to the list contains much the same information in the headers and the footer, so even if the user tosses the Welcome message, the information is always right there.

Each and every email message sent to list subscribers, who each had to go out of their way to confirm the subscription, does contain the information about how to unsubscribe from the mailing list. No matter how clearly this is spelled out to the user, there always will be some number of users who do not read.

So, in the case of a properly run mailing list using the Gnu Mailman software to manage the list, I do strongly take issue with your knee-jerk statement "Fix your mailing list!". In such a case, it really *is* SpamCop's fault if a SC user reports a mailing list email from a list to which they did confirm their subscription, because they can't be bothered to unsubscribe like they're supposed to. This kind of misuse of SC should, according to the SC TOS, result in permanent banning of the user from SC.

While it is possible to add email addresses to a Mailman-run list without the address owner positively confirming it, that is not the normal configuration.
Mailman is designed to make it easy to run a mailing list responsibly, right out-of-the-box (well, out-of-the-zip-file).

Using a list manager package such as Mailman is a likely indication of running a responsible list. It's irresponsible to jump down the O.P.'s throat without knowing the facts.

How about asking for more information before flaming??

--
Don Wannit
A paid SpamCop user since 1999

From caroljean52 at yahoo.com Thu Mar 9 02:28:14 2006
From: caroljean52 at yahoo.com (caroljean52)
Date: Thu Mar 9 04:30:03 2006
Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked
References:
Message-ID:

"someone" :
> For administrative efficiency, we send these emails once a week. Total
> volume is somewhere between 1,000 and 3,000 emails.

And I assume you're sending the same form letter to everybody. And I'm assuming that you want them to pay you to be listed in your directory. (Otherwise you'd just go ahead and include them.) Yep, I sure would report that as spam if I got one of your mailings.

I do have a directory-type site myself (small scale hobby type though) and frequently get contacted by other webmasters about listing their site on mine. I'll use my directory of free recipe sites for some specific examples. (Of course there are *so* many recipe sites out there that I am nowhere close to needing to go out of my way to search for things to include, so I'm in a bit different position than you are.)

1) A big travel agency wants me to list them because they offer restaurant tours around Southern California. The email is totally impersonal and was probably sent out the way yours are, a few thousand at a time. Not only are these bulk, but obviously their so-called targeting is way off the mark. Maybe they think "food is food" but I'm only interested in restaurant sites *if* they include some of their recipes online. (Most don't.) The travel agency doesn't even give me links to the restaurants--they're just selling tour packages.
Yep, I'll report this one as spam.

2) At the opposite end of the spectrum are emails like one I received just today. A lady wrote telling me that she has posted some old public domain candy cookbooks on her site and thinks these would be of interest to me. This was a *personal message* from someone who very clearly did more than just glance at my site. She took the time to see that her new online content is *exactly* the sort of site I'm interested in including in my directory--and sure enough, she's getting a personal reply and a thank you from me.

Of course there are lots of emails somewhere in the middle. I probably won't report them for spamming but I probably will just ignore and delete them...

Maybe you should try having your staff who are out there looking for sites you want to contact write individual messages as they come across them rather than just collecting addresses by the hundreds. (Or do you just pay them by how many addresses they find for you--in which case you'll probably find your list isn't nearly as well targeted as you think it is!)

Carol
Pocatello, Idaho

From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 9 10:25:30 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Mar 9 05:30:03 2006
Subject: [SpamCop-List] Re: SC reporting down ?
References: <440BD1EB.DC383C16@nopspam.invalid> <440FBF9C.C4C5DE7@nopspam.invalid>
Message-ID:

Anton Haumer wrote in news:440FBF9C.C4C5DE7@nopspam.invalid:
>
> An email from SC
> "SpamCop is now ready to process your spam."
>
> Toni

Oh okay.. you do the SpamCop-by-email reporting. With me, I use the web interface. And I did notice sluggish response Saturday and into Sunday. Funny though.. The weekend stats didn't show any particular heavy load.

From g.hyde at bigpond.net.au Thu Mar 9 20:57:04 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Thu Mar 9 06:00:03 2006
Subject: [SpamCop-List] Ignored Received line - and does amazon.net have an abuse address?
Message-ID:

http://www.spamcop.net/sc?id=z893355528z2e840845419455dd5a5f0c97cfacb319z

In this particular spam email, the parser ignores one Received: line, and skips ahead to the next line in the "chain" - which it verifies is a chain. I'm not sure how to explain this, but isn't it possible that the chain got forged where SpamCop ignored the bad Received: line?

Is there some hidden decoding sequence in the algorithm whereby SpamCop finds a mailserver really is chained through, even though a different mailserver could have stamped a bad Received: line in there?

Also, is there a specific spam email abuse address for the people at amazon.com - the website the spam email was attempting to look like it is from?

Cheers ... Geoffrey Hyde

From gezgin at spamcop.net Thu Mar 9 15:03:15 2006
From: gezgin at spamcop.net (gezgin)
Date: Thu Mar 9 08:05:03 2006
Subject: [SpamCop-List] Re: Ignored Received line - and does amazon.net have an abuse address?
References:
Message-ID:

"Geoffrey Hyde" wrote
> Also, is there a specific spam email abuse address for the people at
> amazon.com - the website the spam email was attempting to look like it is
> from?

I use stop-spoofing@amazon.com

However I believe they prefer the complete message with all the headers rather than SpamCop reports. (Like PayPal.)

--
Bob
http://www.kanyak.com

From MikeE at ster.invalid Thu Mar 9 07:20:27 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Mar 9 10:25:02 2006
Subject: [SpamCop-List] Re: Ignored Received line - and does amazon.net have an abuse address?
References:
Message-ID:

Geoffrey Hyde wrote:
spamcop.net/sc?id=z893355528z2e840845419455dd5a5f0c97cfacb319z

Abbreviated Received tracelines *comment
from mail.itbs.com.tw ([203.70.207.59]) by imta03ps.mx.bigpond.com *relay?
from User (unknown [24.104.61.178]) by mail.itbs.com.tw *source?
24.104.61.178 rDNS www.resolve.org
203.70.207.59 rDNS se207059.nhri.org.tw
mail.itbs.com.tw DNS 203.70.207.59

SC parse determines the source to be the resolve IP and 203 to be a relay MTA.

The resolve lives in here:

whois -h whois.arin.net 24.104.61.178 ...
BLAZENET 24.104.0.0 - 24.104.159.255 abuse@blazenet.net
RESOLVE 24.104.61.176 - 24.104.61.183 abuse@blazenet.net

And there is a website for resolve - The National Infertility Association in Bethesda since '74 http://www.resolve.org/site/PageServer

I don't particularly like that result, even tho' 203 is a server, and my notify would be to the providers for both of those IPs because I don't think that /normal/ mail should be going from resolve thru' the .tw server.

Senderbase shows the 203 to be an output server for nhri which is a .tw National Health Research Institutes with a website http://www.nhri.org.tw/index/eindex.php3

In addition, PSBL shows another spam just like this one, hitting a spamtrap.

I think it would be better if a SC deputy would 'untrust' the .tw server so that the server will be shown as source, and potentially listed, which will cause whatever is wrong with the insecurity to get straightened out.

> In this particular spam email, the parser ignores one Received: line,
> and skips ahead to the next line in the "chain" - which it verifies
> is a chain. I'm not sure how to explain this, but isn't it possible
> that the chain got forged where SpamCop ignored the bad Received:
> line?

It is standard practice for lines which are not Received tracelines to be ignored. The tracelines are the Received: from lines, whereas the Received: by lines are not tracelines. That isn't what is going wrong in this parse.

What is going wrong in this parse is that SC is trusting the .tw MTA to be a server, which it is. That results in the chain going back to the resolve IP. But, in my opinion, that mail handling should be normally handled otherwise and it isn't a 'healthy' handling between health related entities.

> Is there some hidden decoding sequence in the algorithm whereby
> SpamCop finds a mailserver really is chained through, even though a
> different mailserver could have stamped a bad Received: line in there?

The mechanism by which SC chains down from the top line to the bottom line in this issue is a normal algorithmic order. SC compares the upper from field IP with the lower by field domainname to determine their match and SC also considers the role of the IP and domainname to be a server in its experience, including whether or not the server has been sent to relay testers. All of that experience caused SC to judge the IP to be a server and for the chain to be intact. But my point is that it is a 'strange' chain that I don't like.

> Also, is there a specific spam email abuse address for the people at
> amazon.com - the website the spam email was attempting to look like
> it is from?

Here are amazon's instructions for that
http://www.amazon.com/exec/obidos/tg/browse/-/15362281/002-6934330-9880069
Report Spoofed E-mails To Amazon.com

--
Mike Easter
kibitzer, not SC admin

From kenbrody at spamcop.net Thu Mar 9 10:55:33 2006
From: kenbrody at spamcop.net (Kenneth Brody)
Date: Thu Mar 9 11:20:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID: <44104FF5.3B12F450@spamcop.net>

Vanguard wrote:
>
> "K. Thog" wrote in message
> news:duntuq$39i$1@news.spamcop.net...
> >
> > When a user subscribes and then doesn't have the wherewithal to
> > unsubscribe, he might decide to complain to SpamCop.

Well, as posted elsewhere, reporting legitimate e-mail is against SpamCop's rules, and can get the reporter banned from SpamCop.

[...]
> How can a mailing list be legitimate if it doesn't have an unsubscribe
> function, either by sending the appropriate commands in the body to the
> listserver or by submitting a request to an admin?
> Obviously it is NOT a
> legitimate mailing list if a user that elected to participate cannot also
> elect to NOT participate any longer. Fix your mailing list! It's not
> SpamCop's fault nor responsibility to fix your mailing list server.

You've obviously never run a mailing list.

There are plenty of legit mailing lists out there with people too stupid/lazy to unsubscribe when they decide they no longer want to receive it. Some people will simply post repeated "unsubscribe" e-mails to the list (which is how many lists _used_ to handle automated unsubscribes), and then complain that they still get mailings. Others will simply delete the messages for a while, and when they get tired of that, will start complaining.

I have seen this on more than one list, even though the lists often add a link at the bottom of every message on how to unsubscribe or change your list options.

--
+-------------------------+--------------------+-----------------------------+
| Kenneth J. Brody        | www.hvcomputer.com |                             |
| kenbrody/at\spamcop.net | www.fptech.com     | #include                    |
+-------------------------+--------------------+-----------------------------+
Don't e-mail me at:

From nobody at devnull.spamcop.net Wed Mar 8 14:54:30 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Thu Mar 9 11:25:02 2006
Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@
References:
Message-ID:

"Larry Kilgallen" wrote in message news:PgTGvGZd+vAZ@eisner.encompasserve.org...
> In article , "Anonymous"
> writes:
>
>> Some RFCs are de-facto standards
>> in the sense that your attempts to use some or all of the Internet will
>> fail
>> if you violate them.
>
> And some are reverse-standards such that the Internet will fail if you
> follow them. Such as the bit about sending back to the From address
> if email cannot be delivered.

Excellent example! That one has the double badness of being something that seems reasonable if you don't give it too much thought.
Make that triple badness; it also worked just fine when there were only a hundred or so geeks using email and testing various "features."

Guy M.

From jg at coks.net Thu Mar 9 08:43:52 2006
From: jg at coks.net (jg)
Date: Thu Mar 9 11:45:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

On 3/9/2006 12:29 AM Don Wannit scribbled:
> The O.P. stated that Gnu Mailman is the list management software in use.
> By default, Mailman automatically includes a clickable unsubscribe link
> in the email headers of every message sent out to the list. It also
> facilitates automatically including that information in the footer
> of every message sent to the list (and does so by default, although
> you can change the configuration so it does not).
>

Just in passing, Dave, I did not see Mailman mentioned in the thread - might I have lost a message?

From jg at coks.net Thu Mar 9 08:50:51 2006
From: jg at coks.net (jg)
Date: Thu Mar 9 11:50:02 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
In-Reply-To:
References:
Message-ID:

On 3/8/2006 12:53 PM Mike Easter scribbled:
...I don't have any real interest in trying to convert others.
>
what a difference a few days makes...

From MikeE at ster.invalid Thu Mar 9 09:10:17 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Mar 9 12:10:02 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

jg wrote:
> Mike Easter scribbled:
> ...I don't have any real interest in trying to convert others.
> what a difference a few days makes...

I don't have any interest in trying to convert others in how they sort or thread news messages for /themselves/ as they read them.

I /do/ have an interest in converting others to clarified and egalitarian and effectively structured newsgroup posting to /others/ in the form of trimmed and contextualized.
How you organize your desk doesn't affect our conversation here, but how we work together to meaningfully and clearly order our interaction together does.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Thu Mar 9 17:16:45 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu Mar 9 12:20:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

"Don Wannit" wrote in message news:duop1h$jmq$1@news.spamcop.net...
>
> Using a list manager package such as Mailman is a likely
> indication of running a responsible list. It's irresponsible
> to jump down the O.P.'s throat without knowing the facts.
>
> How about asking for more information before flaming??

Perhaps the problem lies with the submission form itself rather than the maillist software. If it's susceptible to allowing bots to auto-submit addresses, then it's highly probable that it will end up hitting spamtraps. You need to ensure that addresses can only be submitted by humans.

From porpoise1954 at yahoo.co.uk Thu Mar 9 17:24:54 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu Mar 9 12:30:02 2006
Subject: [SpamCop-List] Re: forwarding multiple spams attachments
References:
Message-ID:

"Mike Easter" wrote in message news:duo5t5$8ok$1@news.spamcop.net...
> Of course, sometimes it happens that a particular thread will not
> maintain the same Subject. When the subject changes I have to shift
> over to Group by conversation to maintain the thread's order -- at least
> until the subject changing condition settles back down to the same
> subject again - then I will shift by out of Group by conversation to my
> normal ordering.

Ah well..... Each to their own... 8>)

From nobody at spamcop.net Thu Mar 9 17:28:47 2006
From: nobody at spamcop.net (me-no-no)
Date: Thu Mar 9 12:30:13 2006
Subject: [SpamCop-List] Re: Can we stop our email keeps getting blocked
References:
Message-ID:

"N.
Miller" wrote in message news:whkdb5lquc3e$.dlg@news.spamcop.net...
> I just got a connection attempt which initiated an SMTP transaction with
> "EHLO www-goto.com". Rejected for being listed by Spamhaus. On the one
> hand, I really don't think it is you;
> it came from an Indian provider.

Meet - Somnath Bharti - A very unsavoury character - to put it mildly !

http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Topsites%20/%20Somnath%20Bharti%20/%20Madgen%20Solutions
( http://tinyurl.com/zwlkd )

Full details of scams, tactics & more at:-
http://www.dynamoo.com/diary/topsites_topsitez_us.htm
( http://tinyurl.com/skpv )

Ciao
Meno

From vanguard.news at yahooNIX.com Thu Mar 9 11:44:54 2006
From: vanguard.news at yahooNIX.com (Vanguard)
Date: Thu Mar 9 12:45:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

"Don Wannit" wrote in message news:duop1h$jmq$1@news.spamcop.net...
> Vanguard wrote:
>> How can a mailing list be legitimate if it doesn't have an unsubscribe
>> function, either by sending the appropriate commands in the body to the
>> listserver or by submitting a request to an admin? Obviously it is NOT a
>> legitimate mailing list if a user that elected to participate cannot also
>> elect to NOT participate any longer. Fix your mailing list! It's not
>> SpamCop's fault nor responsibility to fix your mailing list server.
>
> The O.P. stated that Gnu Mailman is the list management software in use.
> By default, Mailman automatically includes a clickable unsubscribe link
> in the email headers of every message sent out to the list. It also
> facilitates automatically including that information in the footer
> of every message sent to the list (and does so by default, although
> you can change the configuration so it does not).

I misread the OP's post. I thought "user ...
doesn't have the wherewithal to unsubscribe" meant that there was no option presented or available to the recipient to remove themself from the mailing list. I guess it meant the user was too stupid to figure out how to unsubscribe.

From vanguard.news at yahooNIX.com Thu Mar 9 11:49:25 2006
From: vanguard.news at yahooNIX.com (Vanguard)
Date: Thu Mar 9 12:50:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

"jg" wrote in message news:duplqh$5a8$1@news.spamcop.net...
> On 3/9/2006 12:29 AM Don Wannit scribbled:
>
>
>
>> The O.P. stated that Gnu Mailman is the list management software in use.
>> By default, Mailman automatically includes a clickable unsubscribe link
>> in the email headers of every message sent out to the list. It also
>> facilitates automatically including that information in the footer
>> of every message sent to the list (and does so by default, although
>> you can change the configuration so it does not).
>>
>
> Just in passing, Dave, I did not see Mailman mentioned in the thread -
> might I have lost a message?

Not in the body of the message but it is mentioned in the Subject header. However, I'm not familiar with bulk mailers so it didn't mean anything to me, especially since it was not capitalized to present the word as a noun. jg figures the OP was talking about GNU Mailman (http://www.gnu.org/software/mailman/index.html).

--
__________________________________________________
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
__________________________________________________

From newspost at deletethispart.hypercreations.com Thu Mar 9 18:05:50 2006
From: newspost at deletethispart.hypercreations.com (D. T.)
Date: Thu Mar 9 13:10:03 2006
Subject: [SpamCop-List] Re: Domainsbyproxy
References:
Message-ID:

"RandallW" wrote in news:duolgu$hnr$1@news.spamcop.net:

> Anyone have an opinion on this service?
> I sense irony that they claim
> they protect people from spammers, since THEY seem to allow spammers
> to use them!

They're really GoDaddy. And yes, they do indeed allow spammers to hide behind their anonymous domain registrations....I've got proof. I've been in touch with the President's Office at GoDaddy over this and they've not taken any action against the offenders.

DT

From spamcop at 1bigthink.com Thu Mar 9 13:14:34 2006
From: spamcop at 1bigthink.com (spamcop)
Date: Thu Mar 9 13:14:45 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID: <6.2.3.4.0.20060309131246.05a4f838@mxt.1bigthink.com>

At 12:49 PM 3/9/2006, you wrote:
>"jg" wrote in message news:duplqh$5a8$1@news.spamcop.net...
>>On 3/9/2006 12:29 AM Don Wannit scribbled:
>>
>>
>>
>>>The O.P. stated that Gnu Mailman is the list management software in use.
>>>By default, Mailman automatically includes a clickable unsubscribe link
>>>in the email headers of every message sent out to the list. It also
>>>facilitates automatically including that information in the footer
>>>of every message sent to the list (and does so by default, although
>>>you can change the configuration so it does not).
>>
>>Just in passing, Dave, I did not see Mailman mentioned in the thread -
>>might I have lost a message?
>
>
>Not in the body of the message but it is mentioned in the Subject
>header. However, I'm not familiar with bulk mailers so it didn't
>mean anything to me, especially since it was not capitalized to
>present the word as a noun. jg figures the OP was talking about GNU
>Mailman (http://www.gnu.org/software/mailman/index.html).

Of course you realize that any Outlook/Outlook Express user is not going to be able to see this because Microsoft hides all the header information and changes the name of the label within the menus and changes the menus within it's held from version to version!

Can you tell I HATE Outlook/Outlook Express?
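
The confirmed opt-in flow Don Wannit describes earlier in this thread (random token, timeout, no list mail before confirmation, unsubscribe route in every message's headers) can be sketched as follows. This is an added example, not Mailman's code and not part of any post; the class, method names and the mailto address format are assumptions made for illustration.

```python
import hmac
import secrets
import time


class ConfirmedOptInList:
    """Toy subscriber store: an address gets list mail only after echoing its token."""

    def __init__(self, ttl_seconds=3 * 24 * 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so expiry can be exercised in tests
        self.pending = {}         # address -> (token, expires_at)
        self.members = set()      # confirmed addresses only

    @staticmethod
    def _norm(address):
        return address.strip().lower()

    def request_subscription(self, address):
        """Record a pending request. The token is mailed to `address` only,
        so whoever filled in the form cannot confirm on the owner's behalf."""
        token = secrets.token_urlsafe(32)   # unguessable and unique per request
        self.pending[self._norm(address)] = (token, self.clock() + self.ttl)
        return token

    def confirm(self, address, token):
        """Promote a pending address to member if the token matches in time."""
        address = self._norm(address)
        entry = self.pending.get(address)
        if entry is None:
            return False
        expected, expires_at = entry
        if self.clock() > expires_at:
            del self.pending[address]       # timed out: the submission is dropped
            return False
        # Constant-time comparison so the check leaks nothing about the token.
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False                    # wrong token: request stays pending
        del self.pending[address]
        self.members.add(address)
        return True

    def unsubscribe(self, address):
        self.members.discard(self._norm(address))

    def recipients(self):
        """Pending addresses are never included, so a forged or bot-submitted
        sign-up costs the address owner one confirmation mail at most."""
        return sorted(self.members)

    def list_headers(self, request_address):
        """Headers stamped on every list message (RFC 2369 style)."""
        return {
            "Precedence": "list",
            "List-Unsubscribe": f"<mailto:{request_address}?subject=unsubscribe>",
        }
```
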
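
The Received-chain walk Mike Easter describes in his "Ignored Received line" reply (match the upper line's from-IP against the lower line's by-host, and only continue through hosts judged to be real relays) looks roughly like this. It is an added example, not SpamCop's parser: the two sample lines are constructed from the abbreviated tracelines in that reply, and `FORWARD_DNS` and the trusted-relay set are stand-ins for live DNS lookups and SpamCop's own server experience.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample, newest hop first, from the abbreviated tracelines in the reply.
RECEIVED = [
    "from mail.itbs.com.tw ([203.70.207.59]) by imta03ps.mx.bigpond.com",
    "from User (unknown [24.104.61.178]) by mail.itbs.com.tw",
]
# Stand-in for forward DNS (value quoted in the reply); a real tool would resolve live.
FORWARD_DNS = {"mail.itbs.com.tw": {"203.70.207.59"}}


class Hop(NamedTuple):
    helo: str   # name the sending host claimed (freely forgeable)
    ip: str     # connecting IP recorded by the host that stamped the line
    by: str     # host that claims to have stamped the line


HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\[\]()]*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_hop(line: str) -> Optional[Hop]:
    """Return the hop for a 'from ... by ...' traceline, or None for any other line."""
    m = HOP_RE.search(line)
    return Hop(m["helo"], m["ip"], m["by"].lower()) if m else None


def find_source(received, trusted_relays, forward_dns):
    """Walk from the newest line down and return (source_ip, reason_for_stopping).

    The top line was stamped by the reporter's own MTA, so its from-IP is
    believed. A lower line is believed only if that IP is a trusted relay and
    the lower line's by-host resolves to it; otherwise everything below may
    have been written by the sender and the walk stops.
    """
    hops = [h for h in map(parse_hop, received) if h is not None]
    if not hops:
        raise ValueError("no parseable 'Received: from' traceline")
    source = hops[0].ip
    for lower in hops[1:]:
        if source not in trusted_relays:
            return source, "handing host is not a trusted relay"
        if source not in forward_dns.get(lower.by, set()):
            return source, f"'by {lower.by}' does not resolve to {source}"
        source = lower.ip
    return source, "end of chain"


if __name__ == "__main__":
    # Relay trusted: the chain runs back to the 24.104.61.178 host.
    print(find_source(RECEIVED, {"203.70.207.59"}, FORWARD_DNS))
    # Relay 'untrusted', as the reply suggests: the .tw server becomes the source.
    print(find_source(RECEIVED, set(), FORWARD_DNS))
```
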
From porpoise1954 at yahoo.co.uk Thu Mar 9 18:58:45 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Mar 9 14:00:04 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: "spamcop" wrote in message news:mailman.21.1141928087.16519.spamcop-list@news.spamcop.net... > At 12:49 PM 3/9/2006, you wrote: > >>"jg" wrote in message news:duplqh$5a8$1@news.spamcop.net... >>>On 3/9/2006 12:29 AM Don Wannit scribbled: >>> >> >>Not in the body of the message but it is mentioned in the Subject header. >>However, I'm not familiar with bulk mailers so it didn't mean anything to >>me, especially since it was not capitalized to present the word as a noun. >>jg figures the OP was talking about GNU Mailman >>(http://www.gnu.org/software/mailman/index.html). > > Of course you realize that any Outlook/Outlook Express user is not going > to be able to see this because Microsoft hides all the header information > and changes the name of the label within the menus and changes the menus > within it's held from version to version! He said Subject header. Which of course *is* displayed. Along with: From: Reply-To: Organisation: Date: Newsgroup: Subject: And if you want to see the Internet Headers it's quite easy to do that too: Path: news.spamcop.net!not-for-mail From: spamcop Newsgroups: spamcop Subject: Re: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? 
Date: Thu, 09 Mar 2006 13:14:34 -0500 Organization: SpamCop Lines: 31 Message-ID: References: Reply-To: Mailing list to mirror the spamcop newsgroup NNTP-Posting-Host: localhost.news.spamcop.net Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed; x-avg-checked=avg-ok-766C70DA X-Trace: news.spamcop.net 1141928087 9999 127.0.0.1 (9 Mar 2006 18:14:47 GMT) X-Complaints-To: news@news.spamcop.net NNTP-Posting-Date: Thu, 9 Mar 2006 18:14:47 +0000 (UTC) To: Mailing list to mirror the spamcop newsgroup Return-Path: Delivered-To: mailman-spamcop-list@news.spamcop.net X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on blade1 X-Spam-Level: X-Spam-Status: hits=0.0 tests=none version=3.1.0 X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4 In-Reply-To: X-1bigthink.com-MailScanner-Information: Please contact dnsadmin-at-1bigthink.com for more information X-1bigthink.com-MailScanner: Found to be clean X-1bigthink.com-MailScanner-SpamCheck: not spam X-1bigthink.com-MailScanner-From: spamcop@1bigthink.com X-BeenThere: spamcop-list@news.spamcop.net X-Mailman-Version: 2.1.1 Precedence: list List-Id: Mailing list to mirror the spamcop newsgroup List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Xref: news.spamcop.net spamcop:155441 From gordon at usenet2.hostroute.co.uk Thu Mar 9 20:05:00 2006 From: gordon at usenet2.hostroute.co.uk (Gordon Hudson) Date: Thu Mar 9 15:10:03 2006 Subject: [SpamCop-List] Re: Domainsbyproxy References: Message-ID: "D. T." wrote in message news:Xns97817138DE2A1newsaddresshypercrea@216.154.195.61... > "RandallW" wrote in > news:duolgu$hnr$1@news.spamcop.net: > >> Anyone have an opinion on this service? I sense irony that they claim >> they protect people from spammers, since THEY seem to allow spammers >> to use them! > > They're really GoDaddy. And yes, they do indeed allow spammers to hide > behind their anonymous domain registrations....I've got proof. 
I've been > in > touch with the President's Office at GoDaddy over this and they've not > taken any action against the offenders. > I refuse point blank to provide a domain "privacy service". Most of the customers who ask for this service are up to something in my experience. From nobody at devnull.spamcop.net Thu Mar 9 09:11:01 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Thu Mar 9 17:35:02 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Porpoise" wrote... > > "Jeff G." wrote... > >> OK, if you want to play that game, your MX mail.jtfreesurf.co.uk >> violates Internet Standard #3 Section 5.2.7 and Internet Standard #11 >> Sections 6.3 and C.6 by not accepting email to >> postmaster[at]mail.jtfreesurf.co.uk. > > That's probably because there are no MX records Not according to DNS Report: http://www.dnsreport.com/tools/dnsreport.ch?domain=jtfreesurf.co.uk Error: At least one of your MX records points to an IP address that is not a public IP. The problem IP(s) are: 127.0.0.1 If you don't have a mailserver, there should be no MX record at all, not a bogus MX record to an unroutable IP address. You also have your Start of Authority (SOA) that says that your master (primary) name server is set to localhost. That's wrong too. There is another problem, but it is your ISP's fault (unless you are running your own nameserver). ns2.jtibs.net [212.9.0.136] and ns1.jtibs.net [212.9.0.135] are open DNS servers that do recursive lookups for domains they are not authoritative for. This is a Bad Thing because it can be used in a DOS attack. The attacker sends a bunch of large forged UDP "fire and forget" packets that are queries for the victim's host, and with a long TTL. The open nameserver then starts hammering the victim from its cache - an amplification attack. Get a bunch of zombies to trigger a bunch of open nameservers and you can do some real damage. G.M.
(G u y M a c o n) From g.hyde at bigpond.net.au Fri Mar 10 09:05:14 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Mar 9 18:10:03 2006 Subject: [SpamCop-List] "Cannot send mail to SMTP service" error when sending report. Message-ID: http://www.spamcop.net/sc?id=z893753714z156a6ca5be3da686cd401733c261a66az An error that was like the one in the title happened when I tried to send this SpamCop report. What does it mean, and does it mean I need to refile the report, or will SpamCop automatically try to complete the reporting process itself? Cheers ... Geoffrey Hyde From porpoise1954 at yahoo.co.uk Thu Mar 9 23:10:49 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Mar 9 18:15:06 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Anonymous" wrote in message news:duqaf0$jpa$1@news.spamcop.net... > > "Porpoise" wrote... >> >> "Jeff G." wrote... >> >>> OK, if you want to play that game, your MX mail.jtfreesurf.co.uk >>> violates Internet Standard #3 Section 5.2.7 and Internet Standard #11 >>> Sections 6.3 and C.6 by not accepting email to >>> postmaster[at]mail.jtfreesurf.co.uk. >> >> That's probably because there are no MX records > > Not according to DNS Report: > http://www.dnsreport.com/tools/dnsreport.ch?domain=jtfreesurf.co.uk > Error: At least one of your MX records points to an IP address that > is not a public IP. The problem IP(s) are: 127.0.0.1 > > If you don't have a mailserver, there should be no MX record at all, > not a bogus MX record to an unroutable IP address. > > You also have your Start of Authority (SOA) that says that your > master (primary) name server is set to localhost. That's wrong too. > > There is another problem, but it is your ISPs fault (unless you are > running your own nameserver). ns2.jtibs.net [212.9.0.136] and > ns1.jtibs.net [212.9.0.135] are open DNS servers that do recursive > lookups for domains they are not authoritative for. 
> > This is a Bad Thing because it can be used in a DOS attack. > The attacker sends a bunch of large forged UDP "fire and forget" > packets that are queries for the victims host, and with a long TTL. > The open nameserver then starts hammering the victim from its > cache - an amplification attack. Get a bunch of zombies to > trigger a bunch of open nameservers and you can do some real damage. > Try reading that page again: ************* OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records). NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable. OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. Note that this information is cached, so if you changed it recently, it will not be reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current data). The reverse DNS entries are: 1.0.0.127.in-addr.arpa localhost. [TTL=86400] ERROR: I could not complete a connection to any of your mailservers!localhost: Timed out [Last data sent: [Did not connect]]If this is a timeout problem, note that the DNS report only waits about 40 seconds for responses, so your mail may work fine in this case but you will need to use testing tools specifically designed for such situations. ********* All of which is because there is no public mailservice - the 1 MX is internal (which is why it's 1.0.0.127) to the telco to which it belongs i.e. Jersey Telecoms. 
Who, as I have previously stated, do not provide mail services - only internet access. From eddie at eddie.web Thu Mar 9 18:19:00 2006 From: eddie at eddie.web (eddie) Date: Thu Mar 9 18:20:03 2006 Subject: [SpamCop-List] Re: "Cannot send mail to SMTP service" error when sending report. In-Reply-To: References: Message-ID: Geoffrey Hyde wrote: > http://www.spamcop.net/sc?id=z893753714z156a6ca5be3da686cd401733c261a66az > > An error that was like the one in the title happened when I tried to send > this SpamCop report. What does it mean, and does it mean I need to refile > the report, or will SpamCop automatically try to complete the reporting > process itself? > > > Cheers ... > > Geoffrey Hyde > > > I have the same error. I have seen it before, on occasion. It appears that no reports are being sent, since they are still in the queue, so I suggest waiting and resubmitting. I trust that your message and my reply will alert someone that the system is broken. From johnl at in.newsgroup.only Thu Mar 9 23:25:33 2006 From: johnl at in.newsgroup.only (JohnL) Date: Thu Mar 9 18:30:02 2006 Subject: [SpamCop-List] Re: "Cannot send mail to SMTP service" error when sending report. References: Message-ID: eddie wrote in news:duqd5c$lno$1@news.spamcop.net: > I trust that your message and my reply will alert someone that the > system is broken. Appears to be working again now. From nobody at spamcop.net Thu Mar 9 20:36:11 2006 From: nobody at spamcop.net (Claudio Valderrama C.) Date: Thu Mar 9 18:35:02 2006 Subject: [SpamCop-List] Re: "Cannot send mail to SMTP service" error when sending report. References: Message-ID: "Geoffrey Hyde" wrote in message news:duqcbb$l5g$1@news.spamcop.net... > http://www.spamcop.net/sc?id=z893753714z156a6ca5be3da686cd401733c261a66az > > An error that was like the one in the title happened when I tried to send > this SpamCop report.
What does it mean, and does it mean I need to refile > the report, or will SpamCop automatically try to complete the reporting > process itself? I'm getting it for hours for any message, whether I click on direct links returned by SC after forwarding spam or by logging in the site and following the REPORT SPAM link. The exact message I get is: Cannot send mail:smtpOpen: connect to smtp server failed (Connection refused) Leave this page open and try 'reload' in a few minutes C. -- Claudio Valderrama C. SW developer, consultant. http://www.cvalde.net - http://www.firebirdsql.org From nobody at spamcop.net Thu Mar 9 20:36:35 2006 From: nobody at spamcop.net (Claudio Valderrama C.) Date: Thu Mar 9 18:35:09 2006 Subject: [SpamCop-List] Re: Domainsbyproxy References: Message-ID: "RandallW" wrote in message news:duolgu$hnr$1@news.spamcop.net... > Anyone have an opinion on this service? I sense irony that they claim they > protect people from spammers, since THEY seem to allow spammers to use them! I purchased it when I got my domain two years ago because I was tired of spammers getting my real info from the whois server. Since I run a free tech site, I wanted to minimize the effort fighting spam. But I agree that some people may be using it in the other direction: to hide their contact data because they want to do illegal activities. I finally abandoned godaddy for three reasons: - I'm morally upset with some opinions in Bob Parsons' web - They decided to cache your CC information. Gosh, amazon and paypal already have my CC and I don't want to raise the risk: the more sites that have your full payment info, the more likely someone can break just one of those sites and get the CC information. - I discovered that the domainsbyproxy service doesn't work as SC filters or the filters offered by netaddress.com (where I pay for an account). You will see that GoDaddy filters stop almost everything. 
When I tried to transfer my domain away from godaddy, I had to confirm a message the new registrar sent. Even after disabling completely domainsbyproxy filters, the message didn't come. I had to cancel the service and bingo: the new registrar really was sending the confirmation message. Then I became paranoid and assumed something is going beyond mere antispam filters. To show you their filters are effective, they block anything. I even was unable to send myself a message through domainsbyproxy because it never reached me. Does that tell you something? Further, they make hard for you to report spammer's activity. C. -- Claudio Valderrama C. SW developer, consultant. http://www.cvalde.net - http://www.firebirdsql.org From kthog at example.com Thu Mar 9 15:51:52 2006 From: kthog at example.com (K. Thog) Date: Thu Mar 9 18:40:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Vanguard wrote: > Not in the body of the message but it is mentioned in the Subject header. > However, I'm not familiar with bulk mailers so it didn't mean anything to > me, especially since it was not capitalized to present the word as a noun. > jg figures the OP was talking about GNU Mailman > (http://www.gnu.org/software/mailman/index.html). Yes, I was talking about GNU MailMan. Or Mailman. Or however the GNU mailing list manager is supposed to be referred. From g.hyde at bigpond.net.au Fri Mar 10 09:38:35 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Mar 9 18:40:08 2006 Subject: [SpamCop-List] UPDATE Re: "Cannot send mail to SMTP service" error when sending report. References: Message-ID: Update: System has for reasons not known to me apparently cancelled this spam message. If it is possible, I would like this spam message to be reported "as-is" if it can be determined by a Deputy that the report(s) should go through. Cheers ... Geoffrey Hyde "Geoffrey Hyde" wrote in message news:duqcbb$l5g$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z893753714z156a6ca5be3da686cd401733c261a66az > > An error that was like the one in the title happened when I tried to send > this SpamCop report. What does it mean, and does it mean I need to refile > the report, or will SpamCop automatically try to complete the reporting > process itself? > > > Cheers ... > > Geoffrey Hyde > > > From kthog at example.com Thu Mar 9 16:07:47 2006 From: kthog at example.com (K. Thog) Date: Thu Mar 9 18:55:05 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Vanguard wrote: > SpamCop doesn't block anything. The mail recipient chose to use the > SpamCop > blacklist but obviously doesn't have to. There are LOTS of blacklists out > there but obviously they aren't all used (I won't touch SPEWS which one > day will end up listing the entire IP address range). That's a question of pedantics. If you want to be pedantic about it, here you go: the many *participating* server admins who *consult* SpamCop's RBL are the ones blocking email. I know SpamCop has to make the distinction for legal reasons; now, why are you doing it? On the other hand, now that you know I know precisely what you meant, and now that you know that I am perfectly aware of how RBLs operate, I will continue to use the colloquial form and you will now know that I am not simply ignorant of the technicalities involved, since pedantics no longer need apply to that facet of our discussion. Fair enough? > How can a mailing list be legitimate if it doesn't have an unsubcribe > function, either by sending the appropriate commands in the body to the > listserver or by submitting a request to an admin? Obviously it is NOT a A GNU Mailman mailing list is not a legitimate mailing list? :-) That's a pretty snap judgement on your part. What happens when a user simply chooses not to unsubscribe from a normal mailman mailing list, and instead decides to report it to SpamCop as spam? 
I would hope that SpamCop's detection routines will find the list-management features in the header and reject the complaint as illegitimate... or at least notify the owner of the complaint.. Right? I mean, for less than 10 complaints, wouldn't it be better to act as a facilitator rather than a massive retaliatory strikeforce that could be impacting legitimate, non-spam business operations? I'll tell you what happens then: businesses with savvy admins will be forced to build a chain of differently-purposed IP addresses to ensure that important one-on-one communications don't get blocked by lazy users and an over-zealous blacklist like SpamCop. SpamCop will be factored into the cost of doing business and then.. ignored. > legitimate mailing list if a user that elected to participate cannot also > elect to NOT participate any longer. Fix your mailing list! It's not > SpamCop's fault nor responsibility to fix your mailing list server. Of course it isn't, and I wasn't implying that it was. On the other hand, it *is* SpamCop's responsibility to at least do rudimentary verification of the accuracy of the reports. So long as SpamCop is saying they've done that duty, then great. I have no problem. For the record, I was one of the most fervent supporters of ORBS (and then ORBZ) until they shut down, of the MAPS RBL, of all blacklists. However, we all measure our success rate in terms of acceptable collateral damage, and *your* default-guilty stance goes against simple legal and moral principle. You should work hard to *minimize* collateral damage, and deal with outsiders who are otherwise trying to find out what's going on. So what is the point of me posting here and going to great lengths to establish temporary credibility as a savvy user? My point is I'd like to find out what SpamCop's stance towards outsiders like myself is so I can decide whether to cooperate with the company or simply take measures so I'll never become collateral damage in the future. 
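Added example (not part of any post in this thread and not SpamCop's or Mailman's code): a Python sketch of what reading the list-management headers mentioned above can and cannot establish. It extracts the RFC 2369 `List-Unsubscribe` URIs and checks them against the `X-BeenThere` domain; the messages, the `example.org`/`example.net` hosts and the function names are constructed for illustration, and because every one of these headers is written by the sender, the best outcome is labelled "unverified".

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Subscribe",
                "List-Post", "List-Help", "List-Archive")


def parse_uri_list(value):
    """RFC 2369 field body: comma-separated URIs, each inside <...>.
    Whitespace inside the brackets (header folding) is ignored."""
    return [re.sub(r"\s+", "", u) for u in re.findall(r"<([^>]*)>", value or "")]


def uri_host(uri):
    """Host a List-* URI points at (mailto: domain or http(s) host)."""
    parts = urlsplit(uri)
    if parts.scheme == "mailto":
        return parts.path.rpartition("@")[2].lower()
    return (parts.hostname or "").lower()


def same_site(a, b):
    """True if one host equals the other or is a subdomain of it."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def classify(raw):
    """Summarise list-management evidence in one raw RFC 2822 message."""
    msg = message_from_string(raw)
    unsub = [u for v in msg.get_all("List-Unsubscribe", [])
             for u in parse_uri_list(v)]
    # X-BeenThere is the list posting address that Mailman stamps on messages.
    list_host = parseaddr(msg.get("X-BeenThere", ""))[1].rpartition("@")[2].lower()
    if not unsub:
        verdict = "no-unsubscribe-header"
    elif not all(same_site(uri_host(u), list_host) for u in unsub):
        verdict = "inconsistent"
    else:
        # Sender-supplied headers: agreement is a hint, never proof of opt-in.
        verdict = "consistent-unverified"
    return {
        "verdict": verdict,
        "unsubscribe": unsub,
        "mailman": bool(msg.get("X-Mailman-Version")),
        "present": [h for h in LIST_HEADERS if msg.get(h)],
    }


# Constructed sample messages (not taken from the thread).
LIST_MAIL = "\n".join([
    "From: sender@example.org",
    "Subject: [announce] March update",
    "X-BeenThere: announce@lists.example.org",
    "X-Mailman-Version: 2.1.1",
    "Precedence: list",
    "List-Id: Announcements <announce.lists.example.org>",
    "List-Unsubscribe: <http://lists.example.org/mailman/listinfo/announce>,",
    "\t<mailto:announce-request@lists.example.org?subject=unsubscribe>",
    "",
    "body",
])

MISMATCHED_MAIL = "\n".join([
    "From: sender@example.org",
    "Subject: [announce] March update",
    "X-BeenThere: announce@lists.example.org",
    "X-Mailman-Version: 2.1.1",
    "List-Unsubscribe: <http://unsub.example.net/u?id=1>",
    "",
    "body",
])

PLAIN_MAIL = "\n".join([
    "From: someone@example.org",
    "Subject: hello",
    "",
    "body",
])

if __name__ == "__main__":
    for name, raw in (("list", LIST_MAIL), ("mismatched", MISMATCHED_MAIL),
                      ("plain", PLAIN_MAIL)):
        print(name, classify(raw))
```

The "consistent-unverified" result is useful to the person receiving a complaint (it shows which list and which unsubscribe address to check in the subscription log), but it cannot be used to reject a report automatically.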
From porpoise1954 at yahoo.co.uk Fri Mar 10 00:02:37 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Thu Mar 9 19:05:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: "K. Thog" wrote in message news:duqf1i$m41$2@news.spamcop.net... > Vanguard wrote: > >> SpamCop doesn't block anything. The mail recipient chose to use the >> SpamCop >> blacklist but obviously doesn't have to. There are LOTS of blacklists >> out >> there but obviously they aren't all used (I won't touch SPEWS which one >> day will end up listing the entire IP address range). > **RANT SNIPPED for brevity** Did you ensure the security of the web-submittal form? Or is it, perhaps open to abuse by bots, and therein lies your problem? (If bots are able to auto-optin loads of addresses automatically). If you use a web-form method for subscription, it needs to be implemented in such a way that only a human manually inputting the address is able to subscribe the address to the list in the first place. Here's a useful link with info on how to make forms secure against bots: http://phpsec.org/articles/2005/text-captcha.html From bar_n0ne at hotmail.com Thu Mar 9 18:44:47 2006 From: bar_n0ne at hotmail.com (Berny) Date: Thu Mar 9 19:45:03 2006 Subject: [SpamCop-List] Re: "Cannot send mail to SMTP service" error when sending report. References: Message-ID: "Claudio Valderrama C." wrote in message news:duqduh$mdl$1@news.spamcop.net... > "Geoffrey Hyde" wrote in message > news:duqcbb$l5g$1@news.spamcop.net... > > http://www.spamcop.net/sc?id=z893753714z156a6ca5be3da686cd401733c261a66az > > > > An error that was like the one in the title happened when I tried to send > > this SpamCop report. What does it mean, and does it mean I need to refile > > the report, or will SpamCop automatically try to complete the reporting > > process itself?
> > I'm getting it for hours for any message, whether I click on direct links > returned by SC after forwarding spam or by logging in the site and following > the REPORT SPAM link. The exact message I get is: > > Cannot send mail:smtpOpen: connect to smtp server failed (Connection > refused) > Leave this page open and try 'reload' in a few minutes > > C. > -- > Claudio Valderrama C. > SW developer, consultant. > http://www.cvalde.net - http://www.firebirdsql.org > > Shit happens, Usually a system problem of some kind at SpamCop You may have noticed submission stats hit the floor if this persists (statistics page) or on the forum pages From MikeE at ster.invalid Thu Mar 9 16:51:42 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Mar 9 19:55:04 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: K. Thog wrote: > What happens when a user simply chooses not to unsubscribe from a > normal mailman mailing list, and instead decides to report it to > SpamCop as spam? That is supposed to be prevented by requiring the reporter to be aware of the rules under potential penalty of discipline and 'weeding out' problem reporters. > I would hope that SpamCop's detection routines will find the > list-management features in the header and reject the complaint as > illegitimate... No such detection mechanism. > or at least notify the owner of the complaint.. If you would say what IP we are talking about, someone can say how the SC notify would be made. Presently we are trying to talk about some theoretical mailing list server's IP address. Very often the admin of a server needs to make some arrangements with SC to be notified about a particular IP because the mechanism for the SC notify is to notify the regional internet registrar like arin's contact for the IP block.
If SC were notifying the source provider for your news message it would be notifying abuse@telus.com based on the arin contact for Stentor whois -h whois.arin.net 142.179.100.170 ... OrgName: Stentor National Integrated Communications Network NetRange: 142.179.0.0 - 142.179.255.255 RAbuseEmail: abuse@telus.com in that particular case it is the same as the abuse.net contact for the bc.hsia.telus.net whois -h whois.abuse.net s142-179-100-170.bc.hsia.telus.net ... abuse@telus.net (for bc.hsia.telus.net) but it doesn't always work like that. > Of course it isn't, and I wasn't implying that it was. On the other > hand, it *is* SpamCop's responsibility to at least do rudimentary > verification of the accuracy of the reports. So long as SpamCop is > saying they've done that duty, then great. I have no problem. There is no such rudimentary or otherwise 'verification of the accuracy of the reports'. It is up to the entity which is receiving the report to verify if the report is accurate and to dispute those which are not. > My point is I'd like > to find out what SpamCop's stance towards outsiders like myself is so > I can decide whether to cooperate with the company or simply take > measures so I'll never become collateral damage in the future. SC's admins are very cooperative with the admins of servers and there is a whole section of the faq designed to facilitate communication and cooperation. http://www.spamcop.net/fom-serve/cache/75.html Help for abuse-desks and administrators -- Mike Easter kibitzer, not SC admin From abuse at whathostingshould.be Thu Mar 9 20:05:58 2006 From: abuse at whathostingshould.be (Galen) Date: Thu Mar 9 20:10:02 2006 Subject: [SpamCop-List] Re: Return to active duty References: <440E32DF.10908@spamcop.net> Message-ID: In news:440E32DF.10908@spamcop.net, Anony Mouse had this to say: My reply is at the bottom of your sent message: > Greetings All > > It has been a long time... 
> > Some spammers never learn and a recent growth of spam getting through > my isp's filters and an attack by a recidivist spammer means I am > returning to active duty. > > Anony Mouse Any chance you're also the fella from the WHT forums or just a similar nick? Galen (a.k.a. KGIII) -- http://www.whathostingshould.be - We are what hosting SHOULD be. From MikeE at ster.invalid Thu Mar 9 17:15:13 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Mar 9 20:15:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: K. Thog wrote: > What's the solution? What's the IP address in question? Until we start talking about a /real/ IP address we aren't talking about a real problem, just some noise making about some hypothetical vague undescribed non-problem. -- Mike Easter kibitzer, not SC admin From kthog at example.com Thu Mar 9 18:09:33 2006 From: kthog at example.com (K. Thog) Date: Thu Mar 9 20:55:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Porpoise wrote: > **RANT SNIPPED for brevity** > > Did you ensure the security of the web-submittal form? Or is it, perhaps > open to abuse by bots, and therein lies your problem? (If bots are able to > auto-optin loads of addresses automatically). If you use a web-form method > for subscription, it needs to be implemented in such a way that only a > human manually inputting the address is able to subscribe the address to > the list in the first place. > > Here's a useful link with info on how to make forms secure against bots: > http://phpsec.org/articles/2005/text-captcha.html No, it's all secured against bots, and no Apache logs show mass-subscribe activity. When a user is subscribed via the web interface, an email with a cryptographic hash is sent. As far as I can tell there's no way for a bot to auto-subscribe people without being able to intercept their email. :( Interesting link though.
:) From jg at coks.net Thu Mar 9 21:51:46 2006 From: jg at coks.net (jg) Date: Fri Mar 10 00:50:12 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments In-Reply-To: References: Message-ID: On 3/9/2006 9:10 AM Mike Easter scribbled: > I /do/ have an interest in converting others to clarified and > egalilitarian and effectively structured newsgroup posting to /others/ > in the form of trimmed and contextualized. tink you mispeld egalitarian... > > How you organize your desk doesn't affect our conversation here, but how > we work together to meaningfully and clearly order our interaction > together does. > Indeed. Been to Borega Springs, then, was it? From nobody at spamcop.net Thu Mar 9 22:07:58 2006 From: nobody at spamcop.net (N. Miller) Date: Fri Mar 10 01:10:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: On Thu, 09 Mar 2006 16:07:47 -0800, K. Thog wrote: > What happens when a user simply chooses not to unsubscribe from a normal > mailman mailing list, and instead decides to report it to SpamCop as spam? I would expect that the recipient of the complaint would file their own complaint with SpamCop. As has been pointed out, an SC user will lose their reporting privileges over false complaints. > I would hope that SpamCop's detection routines will find the list-management > features in the header and reject the complaint as illegitimate... or at > least notify the owner of the complaint.. Right? I mean, for less than 10 > complaints, wouldn't it be better to act as a facilitator rather than a > massive retaliatory strikeforce that could be impacting legitimate, > non-spam business operations? I would hope that the SpamCop parser ignores anything which doesn't pertain directly to identifying the message source, else it will cease to be a useful tool for dealing with spam. How hard do you think it would be for spammers to forge mailman headers?
They forge everything else forgeable in email headers. > I'll tell you what happens then: businesses with savvy admins will be forced > to build a chain of differently-purposed IP addresses to ensure that > important one-on-one communications don't get blocked by lazy users and an > over-zealous blacklist like SpamCop. SpamCop will be factored into the cost > of doing business and then.. ignored. If you are referring to spam complaints, should SC complaints be ignored I would just go back to manual notifies, and creating my own local block list based on ignored complaints. If you are referring to the use of the SCBL, I already "ignore" it in the sense that I use it as was intended; i.e., not to reject email, but to score its probable "spamminess". -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at devnull.spamcop.net Fri Mar 10 15:24:54 2006 From: nobody at devnull.spamcop.net (Patto) Date: Fri Mar 10 01:30:03 2006 Subject: [SpamCop-List] Re: Double login In-Reply-To: References: Message-ID: Garen Erdoisa wrote: > me-no-no wrote: >> "Aviatrix" wrote in message >> news:dujhlr$evr$1@news.spamcop.net... >>> Patto wrote: >>>> When I go to tab Held Email I am already logged in, and I don't have to >>>> do it again. In fact every tab behaves that way, except Webmail. When I >>>> go there I have to login again - this time I have to type the full >>>> address and password, as this section does not keep it in a cookie. >>> Doesn't it? >>> It does for me.... >> It *used* to for me too - It suddenly disappeared a while back, and I have >> never been able to get it to remember the Webmail user/pw combi since :-( >> Anyone, able/care to elaborate on why it used to work, and/or i apparently >> still working for some ? > > That happened to me using the firefox browser a while ago. 
I managed to > fix it by deleting the entries stored in the firefox password manager > related to spamcop.net, then let firefox pick up the new info the next > time I logged on. Haven't seen any further problems with that. Thanks for that - did that (and lots of other old, outdated, and duplicate entries), and now userid and password is present whenever I go to SC webmail :) From smcgarrett at hawaii.com Fri Mar 10 00:34:11 2006 From: smcgarrett at hawaii.com (Steve McGarrett) Date: Fri Mar 10 01:35:03 2006 Subject: [SpamCop-List] Re: Domainsbyproxy In-Reply-To: References: Message-ID: Claudio Valderrama C. wrote: > I purchased it when I got my domain two years ago because I was tired of > spammers getting my real info from the whois server. Since I run a free tech > site, I wanted to minimize the effort fighting spam. I do that by using a unique email address only for domain registrations, and changing it annually (at a time when there are no upcoming renewals). Spam is easily filtered and can be aggressively reported via SpamCop. Out here in the boonies, snail mail delivery comes around about 4:30 in the afternoon, making a PO Box a must for most businesses. My phone calls are filtered with caller ID and voicemail (I'm out of the office over half the time), and my FAX line refuses to answer calls with anonymous or blocked caller ID. So listing my real contact info doesn't present many problems. The only time I've needed a service like this was when I was hired to capture an expiring generic domain name from a local client's local competitor (think Wendy's taking hamburgers dot com from McDonald's, at one millionth scale). The client wanted the domain to lie fallow for a year before using it, and I wanted to avoid getting either of us in the middle of a battle of duelling lawyers (even though I made sure we were in the right and had the meanest trial lawyer in the state as another client). 
Fortunately, my client's competitor was so clueless that he never noticed he'd lost the domain until his competitor started advertising it. > I finally abandoned godaddy for three reasons: > - They decided to cache your CC information. Gosh, amazon and paypal already > have my CC and I don't want to raise the risk: the more sites that have your > full payment info, the more likely someone can break just one of those sites > and get the CC information. That's why I use Discover and their free secure account numbers feature. This generates unique card numbers, complete with CIDs, tied to your account. Once a given vendor uses a secure account number to charge your account, any attempt by a different vendor to use that number is automatically rejected. You can even use a generated number for recurring offline transactions, although obviously not ones that require the physical presence of the card. I used this when we rented my daughter's flute when she started school band. It's gotten to the point that I get upset with sites that *don't* cache my CC. I understand that some MC and Visa accounts offer a similar feature, but it depends on the issuing bank. Aloha, McGarrett "LART 'em, Danno!" From edb2000 at spamcop.net Thu Mar 9 22:37:45 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Fri Mar 10 01:40:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Porpoise wrote: > > "Don Wannit" wrote in message > news:duop1h$jmq$1@news.spamcop.net... > >> >> Using a list manager package such as Mailman is a likely >> indication of running a responsible list. It's irresponsible >> to jump down the O.P.'s throat without knowing the facts. >> >> How about asking for more information before flaming?? > > > Perhaps the problem lies with the submission form itself rather than the > maillist software. 
If it's susceptible to allowing bots to auto-submit > addresses, then it's highly probable that it will end up hitting > spamtraps. You need to ensure that addresses can only be submitted by > humans. It is the responsibility of those who run spamtraps to ensure that they are not triggered by the very confirmation requests sent to the email address to confirm that the signup is intentional. Especially since this positive confirmation is the mark of a responsibly run mailing list. This is why fully-automatic spamtrap quick-reporting is not a good idea. It's an invitation for some miscreant to submit the spamtrap address (gleaned from the usual hidden locations that are well known but not discussed openly) to a mailing list signup form, and thereby get that mailing list blacklisted by sending the confirmation request to the spamtrap address. Just as it is supposed to do. -- Don Wannit A paid SpamCop user since 1999 From g.hyde at bigpond.net.au Fri Mar 10 17:28:24 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Mar 10 02:30:03 2006 Subject: [SpamCop-List] SpamCop devnulls report. Message-ID: http://www.spamcop.net/sc?id=z894008722zb13d20e5a9c67e23a1abc00905ce1abbz This report contained some strange attachment which made weird characters on the message window - I reported it because SC identified the source IP in the headers as being an open proxy. Is it right to report open proxy mailservers that send out virus/trojan attachments? I sure think so! They shouldn't be sending me viruses/trojans at any rate. Because this was devnulled to internal SC addresses, I don't think there's much to worry about except on the statistics page. Cheers ... Geoffrey Hyde From MikeE at ster.invalid Fri Mar 10 00:03:05 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 10 03:05:03 2006 Subject: [SpamCop-List] Re: SpamCop devnulls report.
References: Message-ID: Geoffrey Hyde wrote: > /sc?id=z894008722zb13d20e5a9c67e23a1abc00905ce1abbz > I reported it because SC > identified the source IP in the headers as being an open proxy. You can report it whether it was sourced from an IP listed as an open proxy or not. > Is it right to report open proxy mailservers that send out > virus/trojan attachments? It is right to report virms whether or not open proxy. The current SC faq position on reporting virms http://www.spamcop.net/fom-serve/cache/14.html Viruses are another form of spam and may be reported to SpamCop as such. > Because this was devnulled to internal SC addresses, I don't think > there's much to worry about except on the statistics page. It is devnulled because SC's reporting addy for 196.25.32.50 source bounces too much. SC is using johans@igubu.saix.net the admin/tech for infodoor, when I think it should be using abuse@saix.net for the routing, because of both AS5713 and organisation: ORG-TSL2-AFRINIC org-name: Telkom SA Limited remarks: abuse e-mail: -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 10 00:14:24 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 10 03:15:02 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: jg wrote: >Mike Easter scribbled: >> egalilitarian > tink you mispeld egalitarian... You are correct I did. > Indeed. Been to Borega Springs, then, was it? tink you mispeld Borrego Springs, at least the one I know, in the Anza Borrego Desert http://snipurl.com/nefk snurled googlemap to Borrego Springs, CA US in San Diego County, CA. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 10 00:45:43 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 10 03:50:01 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: K.
Thog wrote: > When a user subscribes and then doesn't have the wherewithal to > unsubscribe, he might decide to complain to SpamCop. > Comments much appreciated. You come in here accusing by implication a reporter of making a bad report, but you don't name any IP which was so reported. You claim to be admin/ing a reported mailserver, but you don't provide the tracking url to the evidence of a report which would have been provided to the IP's SC reporting address. You claim to be interested in interacting positively about spamcop report issues, but you have shown no sign that you have properly registered yourself to be a recipient of the spamcop reports described above http://www.spamcop.net/fom-serve/cache/94.html How can I get SpamCop reports about my network? Until there is some real evidence of some bad report, you are just making useless noise about nothing and your so-called subscribed mailing list may just be a spamlist for all I know and see here. -- Mike Easter kibitzer, not SC admin From aviatrix at lists.org.gg Fri Mar 10 14:49:34 2006 From: aviatrix at lists.org.gg (Aviatrix) Date: Fri Mar 10 09:50:13 2006 Subject: [SpamCop-List] Re: Domainsbyproxy In-Reply-To: References: Message-ID: RandallW wrote: > Anyone have an opinion on this service? I sense irony that they claim they > protect people from spammers, since THEY seem to allow spammers to use them! There would be no need for domains-by-proxy and other privacy services if only the .com world followed the example of .uk. - The .uk whois contains names and postal addresses but no email addresses - Private individuals with non-trading web sites may opt to have their postal address omitted from the Whois. The .uk registry will usually act very promptly if anyone reports abuse of this facility I believe a lot of people use domains-by-proxy type services for no other reason than to keep their email address from public view. The solution IMHO would be to keep email addresses out of Whois entries. 
From jg at coks.net Fri Mar 10 07:52:45 2006 From: jg at coks.net (jg) Date: Fri Mar 10 10:50:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments In-Reply-To: References: Message-ID: On 3/10/2006 12:14 AM Mike Easter scribbled > > tink you mispeld Borrego Springs, at least the one I know, in the Anza > Borrego Desert http://snipurl.com/nefk snurled googlemap to Borrego > Springs, CA US in San Diego County, CA. > > Yep - too lazy to look it up. From MikeE at ster.invalid Fri Mar 10 08:10:17 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 10 11:10:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: jg wrote: > Mike Easter scribbled >> >> the one I know, in the >> Anza Borrego Desert http://snipurl.com/nefk snurled googlemap to >> Borrego Springs, CA US in San Diego County, CA. >> > Yep - too lazy to look it up. Blurbs about Borrego - // Borrego Springs is certainly one of the most scenic desert resort areas of California. The desert valleys are bordered by 9,000 foot mountain peaks [...] Some have said that Borrego Springs is what Palm Springs was 50 years ago - peaceful, quiet, relaxing. There are no stoplights in Borrego. [...] total population of 2,535 // Normally at this time of year I could post a nifty little beautiful warm weather report for Borrego, unfortunately it is a bit chilly, windy, and wet today. But that will make the desert flowers bloom a little later. Awesome. -- Mike Easter kibitzer, not SC admin From jg at coks.net Fri Mar 10 08:54:14 2006 From: jg at coks.net (jg) Date: Fri Mar 10 11:55:04 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments In-Reply-To: References: Message-ID: On 3/10/2006 8:10 AM Mike Easter scribbled:> > > Normally at this time of year I could post a nifty little beautiful warm > weather report for Borrego, unfortunately it is a bit chilly, windy, and > wet today. But that will make the desert flowers bloom a little later. 
> Awesome. > Camped out there few years back in April - six pack of beer left on a picnic table froze overnight. Pretty country... From MikeE at ster.invalid Fri Mar 10 09:01:20 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 10 12:05:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: jg wrote: >Mike Easter scribbled: >> warm weather report for Borrego, unfortunately it is a bit chilly, >> windy, and wet today. > Camped out there few years back in April - six pack of beer left on a > picnic table froze overnight. The desert is normally nippy at night, but that was a seriously unusual cold snap

20 YEAR WEATHER AVERAGES

MONTH       HIGH    LOW    RAIN
January     69.6    42.7   1.19
February    73.3    45.6   1.00
March       76.7    49.5    .78
April       83.4    53.4    .26
May         92.2    60.2    .09
June       101.8    67.8    .01
July       106.9    75.2    .33
August     105.9    75.1    .69
September   99.8    69.1    .48
October     89.7    60.9    .34
November    77.1    50.1    .76
December    68.7    43.3    .92

-- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Mar 9 14:38:12 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Fri Mar 10 12:25:03 2006 Subject: [SpamCop-List] Re: Domainsbyproxy References: Message-ID: "Gordon Hudson" wrote in message news:duq1pe$ece$1@news.spamcop.net... > I refuse point plank to provide a domain "privacy service". > Most of the customers who ask for this service are up to something in my > experience. Gotta make sure that abused women with restraining orders against stalkers can't have their own web pages... Better put a stop to unpopular political websites as well! From jeffg at spamcop.net Fri Mar 10 12:43:01 2006 From: jeffg at spamcop.net (Jeff G.) Date: Fri Mar 10 12:45:05 2006 Subject: [SpamCop-List] Re: Domainsbyproxy References: Message-ID: D. T. wrote: > "RandallW" wrote in > news:duolgu$hnr$1@news.spamcop.net: > >> Anyone have an opinion on this service?
I sense irony that they >> claim they protect people from spammers, since THEY seem to allow >> spammers to use them! > > They're really GoDaddy. And yes, they do indeed allow spammers to hide > behind their anonymous domain registrations....I've got proof. I've > been in touch with the President's Office at GoDaddy over this and > they've not taken any action against the offenders. I'd like to see that proof. -- Thanks and Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From nobody at devnull.spamcop.net Fri Mar 10 09:39:59 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Fri Mar 10 12:45:14 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: "K. Thog" wrote >I am perfectly aware of how RBLs operate > So what is the point of me posting here and going to great lengths to > establish temporary credibility as a savvy user? I find the above claims difficult to reconcile with your failure to tell us what IP was reported or to provide a tracking url to the report which you claim was improperly filed. G.M. From nobody at devnull.spamcop.net Fri Mar 10 09:40:04 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Fri Mar 10 12:45:22 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: "Don Wannit" wrote... > It's an invitation for some miscreant to submit > the spamtrap address (gleaned from the usual hidden locations > that are well known but not discussed openly) to a mailing > list signup form If the spamtrap addresses are "well known" and can be found by "some miscreant", perhaps someone should address that as being a real problem in the way spamtraps are administered. Treating the confirmations from a GNU Mailman mailing list as spam is a very bad thing to do, but letting net-abusers find out the spamtrap email addresses is also a bad thing to do. G.M. 
From jeffg at spamcop.net Fri Mar 10 12:57:14 2006 From: jeffg at spamcop.net (Jeff G.) Date: Fri Mar 10 13:00:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Anonymous wrote: > letting net-abusers find out > the spamtrap email addresses is ... a bad thing to do. No, it's not. The net-abusers, whether they be spider bot or human, find the SpamCop spamtrap email addresses when they scrape web sites. Then they use those email addresses. Then SpamCop catches them and causes their IP Addresses to be listed in the SCBL. Then we users of the SCBL don't get subsequent spam from their IP Addresses. That is the whole point behind SpamCop spamtrap email addresses - keeping email messages from web scrapers out of our email inboxes. I believe that there are safeguards built into the SpamCop spamtrap reception systems to except mailing list software that uses confirmed opt-in. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Fri Mar 10 12:59:12 2006 From: jeffg at spamcop.net (Jeff G.) Date: Fri Mar 10 13:00:10 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Vanguard wrote: > I misread the OP's post. I thought "user ... doesn't have the > wherewithal to unsubscribe" meant that there was no option presented > or available to the recipient to remove themself from the mailing > list. I guess it meant the user was too stupid to figure out how to > unsubscribe. I think you're correct, the OP was using one of those kinder, gentler insults. :) -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From vanguard.news at yahooNIX.com Fri Mar 10 12:09:55 2006 From: vanguard.news at yahooNIX.com (Vanguard) Date: Fri Mar 10 13:10:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? 
References: Message-ID: "spamcop" wrote in message news:mailman.21.1141928087.16519.spamcop-list@news.spamcop.net... > At 12:49 PM 3/9/2006, you wrote: > >>"jg" wrote in message news:duplqh$5a8$1@news.spamcop.net... >>>On 3/9/2006 12:29 AM Don Wannit scribbled: >>> >>> >>> >>>>The O.P. stated that Gnu Mailman is the list management software in use. >>>>By default, Mailman automatically includes a clickable unsubscribe link >>>>in the email headers of every message sent out to the list. It also >>>>facilitates automatically including that information in the footer >>>>of every message sent to the list (and does so by default, although >>>>you can change the configuration so it does not). >>> >>>Just in passing, Dave, I did not see Mailman mentioned in the thread - >>>might I have lost a message? >> >> >>Not in the body of the message but it is mentioned in the Subject header. >>However, I'm not familiar with bulk mailers so it didn't mean anything to >>me, especially since it was not capitalized to present the word as a noun. >>jg figures the OP was talking about GNU Mailman >>(http://www.gnu.org/software/mailman/index.html). > > Of course you realize that any Outlook/Outlook Express user is not going > to be able to see this because Microsoft hides all the header information The Subject field is one of the headers that *is* presented by Outlook Express. Outlook does NOT support newsgroups so why even bother to mention it? What does reading the headers have to do with reading the Subject header (which is shown) and the body of the post? > and changes the name of the label within the menus Posts do not change the menus in whatever NNTP client is used for viewing a post. Only YOU know what you meant to say. > and changes the menus within it's held from version to version! "within it's held"? "Held" means what?
Other than bug fixes, name me a single product that has been enhanced or improved through versioning that doesn't change some aspect of the program in its behavior or interface. It's a new version. Gee, something changed. Duh. > Can you tell I HATE Outlook/Outlook Express? Apparently you also hate all software. From jg at coks.net Fri Mar 10 10:52:09 2006 From: jg at coks.net (jg) Date: Fri Mar 10 13:50:03 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments In-Reply-To: References: Message-ID: On 3/10/2006 9:01 AM Mike Easter scribbled: > jg wrote: >> Mike Easter scribbled: > >>> warm weather report for Borrego, unfortunately it is a bit chilly, >>> windy, and wet today. > >> Camped out there few years back in April - six pack of beer left on a >> picnic table froze overnight. > > The desert is normally nippy at night, but that was a seriously unusual > cold snap
>
> 20 YEAR WEATHER AVERAGES
>
> MONTH       HIGH    LOW    RAIN
> January     69.6    42.7   1.19
> February    73.3    45.6   1.00
> March       76.7    49.5    .78
> April       83.4    53.4    .26
> May         92.2    60.2    .09
> June       101.8    67.8    .01
> July       106.9    75.2    .33
> August     105.9    75.1    .69
> September   99.8    69.1    .48
> October     89.7    60.9    .34
> November    77.1    50.1    .76
> December    68.7    43.3    .92
>
It was an unusual year - went to see the wildflowers but there weren't any yet. No, the beer didn't freeze /solid/ but it had a chunk in it. And there was a film of ice on the outside of the tent. From tmcgraw at spamcop.net Fri Mar 10 11:42:33 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Fri Mar 10 14:45:03 2006 Subject: [SpamCop-List] Re: Domainsbyproxy In-Reply-To: References: Message-ID: Gordon Hudson wrote: > > I refuse point plank to provide a domain "privacy service". > Most of the customers who ask for this service are up to something in my > experience. Like spews.org?
From nobody at spamcop.net Fri Mar 10 20:52:06 2006 From: nobody at spamcop.net (me-no-no) Date: Fri Mar 10 15:55:03 2006 Subject: [SpamCop-List] Re: Double login References: Message-ID: "Patto" wrote in message news:dur664$4tj$1@news.spamcop.net... > Garen Erdoisa wrote: >> me-no-no wrote: >>> "Aviatrix" wrote in message >>> news:dujhlr$evr$1@news.spamcop.net... >>>> Patto wrote: >>>>> When I go to tab Held Email I am already logged in, and I don't have >>>>> to do it again. In fact every tab behaves that way, except Webmail. >>>>> When I go there I have to login again - this time I have to type the >>>>> full address and password, as this section does not keep it in a >>>>> cookie. >>>> Doesn't it? >>>> It does for me.... >>> It *used* to for me too - It suddenly disappeared a while back, and I >>> have never been able to get it to remember the Webmail user/pw combi >>> since :-( >>> Anyone, able/care to elaborate on why it used to work, and/or i >>> apparently still working for some ? >> >> That happened to me using the firefox browser a while ago. I managed to >> fix it by deleting the entries stored in the firefox password manager >> related to spamcop.net, then let firefox pick up the new info the next >> time I logged on. Haven't seen any further problems with that. > > Thanks for that - did that (and lots of other old, outdated, and duplicate > entries), and now userid and password is present whenever I go to SC > webmail :) Anyone know if this works for, or any similar solution for XP / IE 6 ? Thankx. Ciao Meno From MikeE at ster.invalid Fri Mar 10 13:05:44 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 10 16:10:02 2006 Subject: [SpamCop-List] Re: forwarding multiple spams attachments References: Message-ID: jg wrote: > It was an unusual year - went to see the wildflowers but there weren't > any yet. 
The best years for Borrego desert wildflowers are those in which the winter is rainier than usual, and then they are abundant sometime between Jan and Mar - depending on the desert weather after the winter rains. This dry year isn't/ hasn't been/ a very good year for the flowers either. Also, if you got up into the mountains for your camping it is going to be a lot colder at night. The Santa Rosas come into northwest Anza Borrego; I think the highest ones inside the 600,000 acre park area are only about 5000+ feet - but San Jacinto to the northwest of the park is about 10,000 ft -- and it has that nifty climate changing tramway from the hot Palm Springs desert to coldness near the top. There are desert bighorn sheep in those Borrego mountains, which is where 'borrego' comes from.. > No, the beer didn't freeze /solid/ but it had a chunk in it. And > there was a film of ice on the outside of the tent. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Fri Mar 10 09:50:52 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Fri Mar 10 18:00:03 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Porpoise" wrote in message news:duqcn9$lfh$1@news.spamcop.net... > > "Anonymous" wrote in message > news:duqaf0$jpa$1@news.spamcop.net... >> >> "Porpoise" wrote... >>> >>> "Jeff G." wrote... >>> >>>> OK, if you want to play that game, your MX mail.jtfreesurf.co.uk >>>> violates Internet Standard #3 Section 5.2.7 and Internet Standard #11 >>>> Sections 6.3 and C.6 by not accepting email to >>>> postmaster[at]mail.jtfreesurf.co.uk. >>> >>> That's probably because there are no MX records >> >> Not according to DNS Report: >> http://www.dnsreport.com/tools/dnsreport.ch?domain=jtfreesurf.co.uk >> Error: At least one of your MX records points to an IP address that >> is not a public IP. 
The problem IP(s) are: 127.0.0.1 >> >> If you don't have a mailserver, there should be no MX record at all, >> not a bogus MX record to an unroutable IP address. >> >> You also have your Start of Authority (SOA) that says that your >> master (primary) name server is set to localhost. That's wrong too. >> >> There is another problem, but it is your ISPs fault (unless you are >> running your own nameserver). ns2.jtibs.net [212.9.0.136] and >> ns1.jtibs.net [212.9.0.135] are open DNS servers that do recursive >> lookups for domains they are not authoritative for. >> >> This is a Bad Thing because it can be used in a DOS attack. >> The attacker sends a bunch of large forged UDP "fire and forget" >> packets that are queries for the victims host, and with a long TTL. >> The open nameserver then starts hammering the victim from its >> cache - an amplification attack. Get a bunch of zombies to >> trigger a bunch of open nameservers and you can do some real damage. >> > > Try reading that page again: > > ************* > OK. All of your MX records are host names (as opposed to IP addresses, > which are not allowed in MX records). > > NOTE: You only have 1 MX record. If your primary mail server is down or > unreachable, there is a chance that mail may have troubles reaching you. > In the past, mailservers would usually re-try E-mail for up to 48 hours. > But many now only re-try for a couple of hours. If your primary mailserver > is very reliable (or can be fixed quickly if it goes down), having just > one mailserver may be acceptable. > > OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. > RFC1912 2.1 says you should have a reverse DNS for all your mail servers. > It is strongly urged that you have them, as many mailservers will not > accept mail from mailservers with no reverse DNS entry. 
Note that this > information is cached, so if you changed it recently, it will not be > reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current > data). The reverse DNS entries are: > > 1.0.0.127.in-addr.arpa localhost. [TTL=86400] > > ERROR: I could not complete a connection to any of your > mailservers!localhost: Timed out [Last data sent: [Did not connect]]If > this is a timeout problem, note that the DNS report only waits about 40 > seconds for responses, so your mail may work fine in this case but you > will need to use testing tools specifically designed for such situations. > ********* Try reading that page again: http://www.dnsreport.com/tools/dnsreport.ch?domain=jtfreesurf.co.uk Error: At least one of your MX records points to an IP address that is not a public IP. The problem IP(s) are: 127.0.0.1 is not a public IP Note that these IPs are not reachable, which can cause extra resource usage, slight mail delays, and possibly bounced mail. > All of which is because there is no public mailservice - the 1 MX is > internal (which is why it's 1.0.0.127) to the telco to which it belongs > i.e. Jersey Telecoms. Who, as I have previously stated, do not provide > mail services - only internet access. And again I tell you that if you don't have a mailserver on the Internet, there should be no MX record at all in your DNS record, not a bogus MX record to an unroutable IP address. And again I tell you that your SOA should not say that your primary nameserver is localhost. And again I tell you that you have two open DNS servers and that this is a Bad Thing. G.M. From porpoise1954 at yahoo.co.uk Fri Mar 10 23:40:14 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Mar 10 18:45:02 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Anonymous" wrote in message news:dut089$82d$1@news.spamcop.net... > > "Porpoise" wrote in message > news:duqcn9$lfh$1@news.spamcop.net... 
>> >> "Anonymous" wrote in message >> news:duqaf0$jpa$1@news.spamcop.net... >>> >>> "Porpoise" wrote... >>>> >>>> "Jeff G." wrote... >>>> >>>>> OK, if you want to play that game, your MX mail.jtfreesurf.co.uk >>>>> violates Internet Standard #3 Section 5.2.7 and Internet Standard #11 >>>>> Sections 6.3 and C.6 by not accepting email to >>>>> postmaster[at]mail.jtfreesurf.co.uk. >>>> >>>> That's probably because there are no MX records >>> >>> Not according to DNS Report: >>> http://www.dnsreport.com/tools/dnsreport.ch?domain=jtfreesurf.co.uk >>> Error: At least one of your MX records points to an IP address that >>> is not a public IP. The problem IP(s) are: 127.0.0.1 >>> >>> If you don't have a mailserver, there should be no MX record at all, >>> not a bogus MX record to an unroutable IP address. >>> >>> You also have your Start of Authority (SOA) that says that your >>> master (primary) name server is set to localhost. That's wrong too. >>> >>> There is another problem, but it is your ISPs fault (unless you are >>> running your own nameserver). ns2.jtibs.net [212.9.0.136] and >>> ns1.jtibs.net [212.9.0.135] are open DNS servers that do recursive >>> lookups for domains they are not authoritative for. >>> >>> This is a Bad Thing because it can be used in a DOS attack. >>> The attacker sends a bunch of large forged UDP "fire and forget" >>> packets that are queries for the victims host, and with a long TTL. >>> The open nameserver then starts hammering the victim from its >>> cache - an amplification attack. Get a bunch of zombies to >>> trigger a bunch of open nameservers and you can do some real damage. >>> >> >> Try reading that page again: >> >> ************* >> OK. All of your MX records are host names (as opposed to IP addresses, >> which are not allowed in MX records). >> >> NOTE: You only have 1 MX record. If your primary mail server is down or >> unreachable, there is a chance that mail may have troubles reaching you. 
>> In the past, mailservers would usually re-try E-mail for up to 48 hours. >> But many now only re-try for a couple of hours. If your primary >> mailserver is very reliable (or can be fixed quickly if it goes down), >> having just one mailserver may be acceptable. >> >> OK. The IPs of all of your mail server(s) have reverse DNS (PTR) entries. >> RFC1912 2.1 says you should have a reverse DNS for all your mail servers. >> It is strongly urged that you have them, as many mailservers will not >> accept mail from mailservers with no reverse DNS entry. Note that this >> information is cached, so if you changed it recently, it will not be >> reflected here (see the www.DNSstuff.com Reverse DNS Tool for the current >> data). The reverse DNS entries are: >> >> 1.0.0.127.in-addr.arpa localhost. [TTL=86400] >> >> ERROR: I could not complete a connection to any of your >> mailservers!localhost: Timed out [Last data sent: [Did not connect]]If >> this is a timeout problem, note that the DNS report only waits about 40 >> seconds for responses, so your mail may work fine in this case but you >> will need to use testing tools specifically designed for such situations. >> ********* > > Try reading that page again: > > http://www.dnsreport.com/tools/dnsreport.ch?domain=jtfreesurf.co.uk > > Error: At least one of your MX records points to an IP address that is not > a public IP. > The problem IP(s) are: 127.0.0.1 is not a public IP > Note that these IPs are not reachable, which can cause extra resource > usage, slight > mail delays, and possibly bounced mail. > >> All of which is because there is no public mailservice - the 1 MX is >> internal (which is why it's 1.0.0.127) to the telco to which it belongs >> i.e. Jersey Telecoms. Who, as I have previously stated, do not provide >> mail services - only internet access. 
> > And again I tell you that if you don't have a mailserver on the Internet, > there should be no MX record at all in your DNS record, not a bogus MX > record to an unroutable IP address. > > And again I tell you that your SOA should not say that your primary > nameserver is localhost. > > And again I tell you that you have two open DNS servers and that this > is a Bad Thing. > > G.M. And I tell you, I don't own any MX servers. However, the backbone provider, whose system it is, does, and they do not provide a public mail service. I suggest you take up any issues with them directly:
http://www.dnsstuff.com/tools/lookup.ch?name=jerseytelecom.co.uk&type=ALL http://www.dnsstuff.com/tools/lookup.ch?name=jtfreesurf.co.uk&type=ALL From nobody at devnull.spamcop.net Fri Mar 10 15:10:31 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Fri Mar 10 18:55:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Jeff G. wrote... > Anonymous wrote: > >>Don Wannit wrote... >> >>> It's an invitation for some miscreant to submit >>> the spamtrap address (gleaned from the usual hidden locations >>> that are well known but not discussed openly) to a mailing >>> list signup form >> >>If the spamtrap addresses are "well known" and can be found by >>"some miscreant", perhaps someone should address that as being a >>real problem in the way spamtraps are administered. >> >>Treating the confirmations from a GNU Mailman mailing list as >>spam is a very bad thing to do, but letting net-abusers find out >>the spamtrap email addresses is also a bad thing to do. > > No, it's not. The net-abusers, whether they be spider bot or human, > find the SpamCop spamtrap email addresses when they scrape web sites. > Then they use those email addresses. Then SpamCop catches them and > causes their IP Addresses to be listed in the SCBL. Then we users of > the SCBL don't get subsequent spam from their IP Addresses. That is the > whole point behind SpamCop spamtrap email addresses - keeping email > messages from web scrapers out of our email inboxes. I believe that > there are safeguards built into the SpamCop spamtrap reception systems > to except mailing list software that uses confirmed opt-in. Look at Don's comment again.
He clearly isn't talking about finding spamtraps in the sense of finding a large number of email addresses that include some "lost in the crowd" spamtraps but with no way for anyone looking at the list to know which ones are spamtraps. He clearly implied that the spamtraps are "well known" in the sense that somebody knows that email address X is a spamtrap, not in the sense that someone knows that there is one or more spamtraps hidden among many non-spamtraps. I thought that the phrase "net-abusers find out the spamtrap email addresses" was clear, but if you can think of a phrasing that is better, I will use that. BTW, I am a long-time reader and occasional participant who is very much aware of how the system works. G.M. From porpoise1954 at yahoo.co.uk Sat Mar 11 00:19:24 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Fri Mar 10 19:25:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: "Anonymous" wrote in message news:dut3ek$a53$1@news.spamcop.net... > > BTW, I am a long-time reader and occasional participant who is very much > aware of how the system works. > > G.M. But you still haven't provided the affected IP so that everyone can look at the *actual* issue, rather than some hypothetical one. From edb2000 at spamcop.net Fri Mar 10 20:07:12 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Fri Mar 10 23:10:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Jeff G. wrote: > I believe that > there are safeguards built into the SpamCop spamtrap reception systems > to except mailing list software that uses confirmed opt-in. > I would hope so, and that's what I'm not sure of. The requirement for such safeguards is absolute, hence my point. 
Since we (tinw) want/encourage/force mailing list administrators to send a confirmation request to the email address before sending any list traffic, then it is fundamental that the confirmation request not automatically trigger a SC or other RBL listing. -- Don Wannit A paid SpamCop user since 1999 From edb2000 at spamcop.net Fri Mar 10 20:18:01 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Fri Mar 10 23:20:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Anonymous wrote: > Jeff G. wrote... > > >>Anonymous wrote: >> >> >>>Don Wannit wrote... >>> >>> >>>>It's an invitation for some miscreant to submit >>>>the spamtrap address (gleaned from the usual hidden locations >>>>that are well known but not discussed openly) to a mailing >>>>list signup form >>> >>>If the spamtrap addresses are "well known" and can be found by >>>"some miscreant", perhaps someone should address that as being a >>>real problem in the way spamtraps are administered. >>> >>>Treating the confirmations from a GNU Mailman mailing list as >>>spam is a very bad thing to do, but letting net-abusers find out >>>the spamtrap email addresses is also a bad thing to do. >> >>No, it's not. The net-abusers, whether they be spider bot or human, >>find the SpamCop spamtrap email addresses when they scrape web sites. >>Then they use those email addresses. Then SpamCop catches them and >>causes their IP Addresses to be listed in the SCBL. Then we users of >>the SCBL don't get subsequent spam from their IP Addresses. That is the >>whole point behind SpamCop spamtrap email addresses - keeping email >>messages from web scrapers out of our email inboxes. I believe that >>there are safeguards built into the SpamCop spamtrap reception systems >>to except mailing list software that uses confirmed opt-in. > > > Look at Don's comment again. 
He clearly isn't talking about finding > spamtraps in the sense of finding a large number of email addresses that > include some "lost in the crowd" spamtraps but with no way for anyone > looking at the list to know which ones are spamtraps. He clearly implied > that the spamtraps are "well known" in the sense that somebody knows that > email address X is a spamtrap, not in the sense that someone knows that > there is one or more spamtraps hidden among many non-spamtraps. I thought > that the phrase "net-abusers find out the spamtrap email addresses" was > clear, but if you can think of a phrasing that is better, I will use that. > > BTW, I am a long-time reader and occasional participant who is very much > aware of how the system works. > > G.M. Apparently I was ambiguous, or perhaps overly subtle. I did *not* say that the spamtrap addresses are well known. Read again; I said that the kinds of places the spamtrap addresses are hidden are well known, at least among certain circles. Like the people who gather them into the "Million Email Addresses" CDs, and the people who put them out there to be gathered. The whole point of a spamtrap is that the email address is gibberish random characters, which will not be encountered in a dictionary attack, nor by constructing compounds of words and numbers, nor by conceivable typos. It must be an email address that can NEVER be sent email by anyone making an honest mistake. 
This means that a useful spamtrap address can never be any of the following:
- a potential role account, such as "sales", "info", etc., even if the domain in question has never had such an address for real
- common names or words which might be used as a legitimate email address by someone at a different domain, but get hit by a typo on the domain part of the email address on innocent mail sent by someone's grandmother
- an old email address that you had years ago and have not used in a long time
As for where the spamtrap addresses are to be found, well, if you don't know by now don't worry about it. Maybe go back and re-read The Purloined Letter for a start? But the baddies sure know, and pranksters as well -- otherwise the spamtrap addresses would never receive any email at all, right? ;-) -- Don Wannit A paid SpamCop user since 1999 From edb2000 at spamcop.net Fri Mar 10 20:22:50 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Fri Mar 10 23:25:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Vanguard wrote: > The Subject field is one of the headers that *is* presented by Outlook > Express. Outlook does NOT support newsgroups so why even bother to > mention it? What does reading the headers have to do with reading the > Subject header (which is shown) and the body of the post? > >> and changes the name of the label within the menus > > > Posts do not change the menus in whatever NNTP client is used for > viewing a post. Only YOU know what you meant to say. > >> and changes the menus within it's held from version to version! > > > "within it's held"? "Held" means what? Other than bug fixes, name me a > single product that has been enhanced or improved through versioning > that doesn't change some aspect of the program in its behavior or > interface. It's a new version. Gee, something changed. Duh. Umm, I think you are mixing together two different things.
The original discussion was about email messages sent by the GNU Mailman mailing list management software, and how the instructions to unsubscribe are typically contained in each message. Both in the email headers and in a footer at the bottom of the message. And how many users can't be bothered to read those instructions, so they report as spam a message from a list they explicitly subscribed to (and confirmed, per best practice). You seem to be talking about a news reader, and NNTP headers, which is a different topic. When you change the topic in a newsgroup thread, it's customary to change the Subject: header in the news article, and mention that you did so. -- Don Wannit A paid SpamCop user since 1999 From MikeE at ster.invalid Fri Mar 10 20:53:18 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 10 23:55:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Don Wannit wrote: > This means that a useful spamtrap address can never be > any of the following: Without getting into any of the specifics about spamtrap addresses which are known by many around here, I once asked in this newsgroup about the philosophy of spamcop spamtraps, whether they should be very random usernames so as to 'never' occur in a so-called dictionary attack, very common usernames so as to 'routinely' occur in so-called dictionary attacks -- and similar 'extremes'. At that time the answer from Ellen was 'yes'. That is, that there are all different philosophical kinds of spamtrap addresses. The only requirement as I understand it is that the addy has never been used by anyone for any purpose, so that its 'exposure' has never been to subscribe to anything, including free-for-all or anything else. The fact that a spamtrap address may have been found by a miscreant and used to forge subscribe to anything is not eliminated from the rack of the wide range of possibilities for such spamtrap addies. 
I don't think that spamtraps are manually eliminated by deputies who find them forge subscribed in confirmation hits. In fact, I don't think spamtrap addies are manually eliminated for any reason -- even if the reason might be that the spamtrap addy does not appear to be a 'secret' any more. My concept of a dictionary attack is that the 'dictionary' is made up of many many usernames scraped from various places including millions CDs coupled with alternative domainnames scraped from similar very many such places. The dictionary is /not/ made of dictionary type words. -- Mike Easter kibitzer, not SC admin From edb2000 at spamcop.net Fri Mar 10 21:28:17 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Mar 11 00:30:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Mike Easter wrote: > The only requirement as I understand it is that the addy has never been > used by anyone for any purpose, so that its 'exposure' has never been to > subscribe to anything, including free-for-all or anything else. The > fact that a spamtrap address may have been found by a miscreant and used > to forge subscribe to anything is not eliminated from the rack of the > wide range of possibilities for such spamtrap addies. To be sure. However, my worry is automated spamtraps that add IPs to blocklists without sanity-checking, either by smart enough software or by humans. If you create a spamtrap address "info" at some domain name which is public, even if you have never published or revealed the address "info@that-domain", that address might receive email from an innocent sender. > > I don't think that spamtraps are manually eliminated by deputies who > find them forge subscribed in confirmation hits. In fact, I don't think > spamtrap addies are manually eliminated for any reason -- even if the > reason might be that the spamtrap addy does not appear to be a 'secret' > any more. This is the problem. 
If some prankster finds a spamtrap address by rummaging around in the places where spammers go digging for email addresses, and pastes it into the email field on a subscription form somewhere, then the responsibly-run list will send a brief email to that address saying something of the form: Someone (we hope it was you) submitted your email address to subscribe to our email list. To make sure that this is your intention, please click on this link to confirm: http:||some.server/confirm.php?token-876123hdsasf9a7szcxvcxv23 Or, reply to this message, being sure to leave the subject line intact so we see that magic token to prove that it's you. If you did not intend to subscribe, simply ignore this message, with our apologies for the intrusion. I really hope that this confirmation request does not trigger a blocklist entry for the sending IP. > > My concept of a dictionary attack is that the 'dictionary' is made up of > many many usernames scraped from various places including millions CDs > coupled with alternative domainnames scraped from similar very many such > places. The dictionary is /not/ made of dictionary type words. > Yes, exactly. A "dictionary attack" means applying individual strings from a list, as well as combinations of those strings. A robust dictionary attack will have word lists in many languages, and slang terms, and every email ID ever seen. That's why Fred with userid "fr3dy-b0y" over at domain1.com can cause the name "fr3dy-b0y" to be tried at every domain, even though it is not a word or combination of words in any language I know... -- Don Wannit A paid SpamCop user since 1999 From MikeE at ster.invalid Fri Mar 10 21:49:39 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Mar 11 00:50:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? 
References: Message-ID: Don Wannit wrote: > Mike Easter wrote: > However, my worry is automated spamtraps that add > IPs to blocklists without sanity-checking, either by smart enough > software or by humans. I have discussed my concerns about some ramifications of spamtraps here in the past. My view was different from yours I think, at least in the first 'example' -- but the same in the 2nd. > If you create a spamtrap address "info" at > some domain name which is public, even if you have never published > or revealed the address "info@that-domain", that address might > receive email from an innocent sender. I do not understand why you say that -- and so you are launching that particular argument from a premise which I do not accept as fact. >> I don't think that spamtraps are manually eliminated by deputies who >> find them forge subscribed in confirmation hits. In fact, I don't >> think spamtrap addies are manually eliminated for any reason -- even >> if the reason might be that the spamtrap addy does not appear to be >> a 'secret' any more. > > This is the problem. If some prankster finds a spamtrap address by > rummaging around in the places where spammers go digging for email > addresses, and pastes it into the email field on a subscription > form somewhere, then the responsibly-run list will send a brief > email to that address saying something of the form: Yes, indeedy. > Someone (we hope it was you) submitted your email address > I really hope that this confirmation request does not trigger > a blocklist entry for the sending IP. Yes, it would. If it hit a spamcop reporter, the reporter is not supposed to report it if s/he reads it and plays by the rules. If it hit a spamtrap, then the spamtrap would report it and the source would be counted toward the SCbl. 
In addition to that counting, it is very important to realize that no provider is going to get a notify from a spamtrap hit -- so as a result another safeguard is removed, namely that of the reported having an opportunity to receive a link to the evidence of the report. Ellen has stated that spamtraps make less mistakes than reporters. >> My concept of a dictionary attack > Yes, exactly. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 10 22:04:54 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Mar 11 01:05:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Mike Easter wrote: > Don Wannit wrote: >> Someone (we hope it was you) submitted your email address > >> I really hope that this confirmation request does not trigger >> a blocklist entry for the sending IP. > > Yes, it would. If it hit a spamcop reporter, the reporter is not > supposed to report it if s/he reads it and plays by the rules. If it > hit a spamtrap, then the spamtrap would report it and the source would > be counted toward the SCbl. What is supposed to counteract this problem of forged spamtrap subscriptions is that the bulk subscription mailers have much more 'reputation' or traffic points or weight to go into the SCbl denominator to prevent some small number of false spamtrap hits from causing a listing -- and that any such listing result would be temporary -- and that any server which got itself blocked and made a query would have a deputy examine the evidence, which would include the spamtraps, and s/he would 'uncount' any spamtrap confirmations. A forged spamtrap confirmation mistake which doesn't cause a listing is moot. I think a deputy would probably tell you that it is very uncommon for a mailing list to become SCbl listed by forged spamtrap subscribes. Oh, yeah. There's another problem with forged spamtrap subscriptions. That is that spamtrap hits count more than reporter hits. 
-- Mike Easter kibitzer, not SC admin From edb2000 at spamcop.net Fri Mar 10 22:17:11 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Mar 11 01:20:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Mike Easter wrote: > Don Wannit wrote: > >>Mike Easter wrote: > >>If you create a spamtrap address "info" at >>some domain name which is public, even if you have never published >>or revealed the address "info@that-domain", that address might >>receive email from an innocent sender. > > > I do not understand why you say that -- and so you are launching that > particular argument from a premise which I do not accept as fact. What I'm saying here is that it would be irresponsible to create an automated spamtrap using any of many common role names such as "info". Hey, I've got a vanity domain, and I should never get any email to "postmaster" at this domain, since I've never published that address -- I'll just make it a spamtrap! (n.b. -- I'm still amazed at the amount of spam I get at my various postmaster addresses) Just because a particular email address has never been used at a domain, and has never been published, doesn't mean that every email sent to it is prima facie spam. -- Don Wannit A paid SpamCop user since 1999 From MikeE at ster.invalid Fri Mar 10 22:29:30 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Mar 11 01:30:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Don Wannit wrote: > Just because a particular email address has never been used at > a domain, and has never been published, doesn't mean that every > email sent to it is prima facie spam. I don't want to argue about what kinds of philosophical usernames should be on spamtraps, but I don't agree that sending unsolicited mail to any address such as info@ is OK. Why should anyone or anything be emailing an unpublished info@ ? 
It sounds like you are 'requiring' the owner of a domainname to be disposing unreported any mails [or rather spams] which arrive at unpublished usernames which are 'common' like 'info' -- as opposed to reporting them as spam. I don't agree. -- Mike Easter kibitzer, not SC admin From edb2000 at spamcop.net Fri Mar 10 22:50:26 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Mar 11 01:55:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Don Wannit wrote: > As for where the spamtrap addresses are to be found, well, > if you don't know by now don't worry about it. Maybe go > back and re-read The Purloined Letter for a start? But the > baddies sure know, and pranksters as well -- otherwise > the spamtrap addresses would never receive any email at > all, right? ;-) BTW, consider a PC which is infected with a virus. This virus scans files on the hard drive for strings that look like an email address (contain "@"). Usually, this is an attempt to find "friends" of the PC user, so that the virus can propagate by sending itself to those addresses and appearing to come from the infected user, presumably known to those friends. Among the files on the local hard disk are cache files for web browsers, edit buffers, all sorts of things. These spamtrap addresses, which are hidden in places that people normally don't look, might be found in those local cache files, ready for the virus to find. And send spam or virm poop to. -- Don Wannit A paid SpamCop user since 1999 From edb2000 at spamcop.net Fri Mar 10 22:57:22 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Mar 11 02:00:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To: References: Message-ID: Mike Easter wrote: > Don Wannit wrote: > > >>Just because a particular email address has never been used at >>a domain, and has never been published, doesn't mean that every >>email sent to it is prima facie spam. > > > I don't want to argue about what kinds of philosophical usernames should > be on spamtraps, but I don't agree that sending unsolicited mail to any > address such as info@ is OK. > > Why should anyone or anything be emailing an unpublished info@ ? > > It sounds like you are 'requiring' the owner of a domainname to be > disposing unreported any mails [or rather spams] which arrive at > unpublished usernames which are 'common' like 'info' -- as opposed to > reporting them as spam. > > I don't agree. > > No, not at all! Abso-f*ckin-lutely report such spam! What I am saying is that would be irresponsible to set up an automated spamtrap on that address. Those addresses require a reporter to supervise the SC reports, and not let them go out automatically, sight unseen. If the SpamCop spamtraps are fully automated, with no human or clever software verification that the email really is spam, then I supremely hope that all traps are set *only* on gibberish email names set out to be scraped, and unlikely to be mis-typed by an innocent. This is a concept very closely related to the Innocent Bystander in a SpamCop report. Similarly, it should be an offense requiring banning for a SpamCop reporter to set up automatic submission from a common-but-unpublished address to a SpamCop quickreport. -- Don Wannit A paid SpamCop user since 1999 From MikeE at ster.invalid Fri Mar 10 23:12:47 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Mar 11 02:15:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? 
References: Message-ID: Don Wannit wrote: > These spamtrap addresses, which are hidden in places > that people normally don't look, might be found in > those local cache files, ready for the virus to find. > And send spam or virm poop to. Which would of course count as a spamtrap hit, which it should. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 10 23:19:10 2006 From: MikeE at ster.invalid (Mike Easter) Date: Sat Mar 11 02:20:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Don Wannit wrote: > Mike Easter wrote: >> Why should anyone or anything be emailing an unpublished info@ ? > What I am saying is that would be irresponsible to set up an > automated spamtrap on that address. I don't know. > I supremely hope that > all traps are set *only* on gibberish email names set out > to be scraped, and unlikely to be mis-typed by an innocent. I don't know. That definitely doesn't mean I agree. Hitting a spamtrap accidentally doesn't seem like the end of the world. > This is a concept very closely related to the Innocent Bystander > in a SpamCop report. Not at all. Not even a little bit. > Similarly, it should be an offense requiring banning for > a SpamCop reporter to set up automatic submission from a > common-but-unpublished address to a SpamCop quickreport. Heavens no. I completely disagree. A quickreport isn't even as serious as a spamtrap report, since it counts as a reporter report which has less weight than a spamtrap report. The automatic submission of a quickreport does make for an opportunity for error, to be sure -- but then any quick report has a potential for error, automatic or not. Banning based on an error would depend on how 'stupid' or egregious the error were. You would have to present a scenario in which that automatic reporting as described above created a very stupid badness or severe bad mess. 
-- Mike Easter kibitzer, not SC admin From edb2000 at spamcop.net Fri Mar 10 23:22:22 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Mar 11 02:25:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Mike Easter wrote: > Don Wannit wrote: > > >>These spamtrap addresses, which are hidden in places >>that people normally don't look, might be found in >>those local cache files, ready for the virus to find. >>And send spam or virm poop to. > > > Which would of course count as a spamtrap hit, which it should. Yup, precisely. There were some questions about how the spamtrap addresses could be encountered, if they are not easily guessable, which is why I mentioned that vector. Virm poop sent to a spamtrap address certainly should be counted as spam. But if a virm, or person, uses the encountered email address to maliciously subscribe the address to a mailing list, then it is vital that the confirmation email sent by the list to that email address, per responsible list management and best practice, *not* automatically trigger a hit. -- Don Wannit A paid SpamCop user since 1999 From edb2000 at spamcop.net Fri Mar 10 23:35:12 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Sat Mar 11 02:40:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Mike Easter wrote: > I don't know. That definitely doesn't mean I agree. Hitting a spamtrap > accidentally doesn't seem like the end of the world. The problem is that SpamCop gives much higher weight to spamtrap hits than to reports monitored by a SC reporter. AND does not notify the relevant administrator(s) when the hit silently results in a blocklisting. >>Similarly, it should be an offense requiring banning for >>a SpamCop reporter to set up automatic submission from a >>common-but-unpublished address to a SpamCop quickreport. > > > Heavens no. I completely disagree. 
A quickreport isn't even as serious > as a spamtrap report, since it counts as a reporter report which has > less weight than a spamtrap report. > > The automatic submission of a quickreport does make for an opportunity > for error, to be sure -- but then any quick report has a potential for > error, automatic or not. Banning based on an error would depend on how > 'stupid' or egregious the error were. You would have to present a > scenario in which that automatic reporting as described above created a > very stupid badness or severe bad mess. Well, looking back at a situation about 1-1/2 years ago (as I recall), I found my own server listed due to quickreports reporting my own server due to a DNS timeout with unfortunate timing. There was quite a bit of discussion here at the time, including flamage without bothering to read the facts. After that time, I have not been a fan of quick-reporting, to put it mildly. Of course, this was before the MailHosts setup, and things are different now for the particular failure that caused my erroneous listing (due to quickreports, even if they were my own). To be sure, according to the published algorithm, a single quickreport should not result in a listing. However, AIUI even a single email to a SC spamtrap address results in a listing. I am cautioning against that hair-trigger sensitivity if there is no vetting or monitoring to ensure that innocent email does not trip the hair-trigger. -- Don Wannit A paid SpamCop user since 1999 From scamper at trisk.com Sat Mar 11 00:58:05 2006 From: scamper at trisk.com (Garen Erdoisa) Date: Sat Mar 11 03:00:04 2006 Subject: [SpamCop-List] Re: Double login In-Reply-To: References: Message-ID: me-no-no wrote: > "Patto" wrote in message > news:dur664$4tj$1@news.spamcop.net... >> Garen Erdoisa wrote: >>> me-no-no wrote: >>>> "Aviatrix" wrote in message >>>> news:dujhlr$evr$1@news.spamcop.net... 
>>>>> Patto wrote: >>>>>> When I go to tab Held Email I am already logged in, and I don't have >>>>>> to do it again. In fact every tab behaves that way, except Webmail. >>>>>> When I go there I have to login again - this time I have to type the >>>>>> full address and password, as this section does not keep it in a >>>>>> cookie. >>>>> Doesn't it? >>>>> It does for me.... >>>> It *used* to for me too - It suddenly disappeared a while back, and I >>>> have never been able to get it to remember the Webmail user/pw combi >>>> since :-( >>>> Anyone, able/care to elaborate on why it used to work, and/or is >>>> apparently still working for some ? >>> That happened to me using the firefox browser a while ago. I managed to >>> fix it by deleting the entries stored in the firefox password manager >>> related to spamcop.net, then let firefox pick up the new info the next >>> time I logged on. Haven't seen any further problems with that. >> Thanks for that - did that (and lots of other old, outdated, and duplicate >> entries), and now userid and password is present whenever I go to SC >> webmail :) You're welcome. I'm glad it fixed the problem for you. > > Anyone know if this works for, or any similar solution for XP / IE 6 ? > Thankx. > > Ciao > Meno > > I've never run into that problem with IE6, but that's probably because I don't use it much. You can clear stored passwords in IE6 by going to the tools/options menu, then select the content tab, then press the "Autocomplete" button in that requestor, then press the "clear passwords" button. This will clear all stored passwords, which means you'll have to re-logon to any sites where you were used to having IE6 do it for you, so make sure you have those passwords somewhere first. Caution: if you use IE6 on a shared account, you should turn off form and password caching as a matter of course.
Password caching is on by default in many cases which can end up being a privacy and security risk if you use a shared account say at work to access bank records, HR records, etc. Garen From nobody at nowhere.invalid Sat Mar 11 10:37:21 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Mar 11 04:40:06 2006 Subject: [SpamCop-List] Re: Domainsbyproxy References: Message-ID: On Fri, 10 Mar 2006 14:49:34 +0000, Aviatrix coughed into spamcop and left this in : > I believe a lot of people use domains-by-proxy type services for no > other reason than to keep their email address from public view. The > solution IMHO would be to keep email addresses out of Whois entries. I run a site that *will* piss off spammers. For that reason alone the domain doesn't accept e-mail at all, and if my name and address were visible on whois it would be easy to google for several e-mail addresses I use. That site is one I wouldn't dream of using without it being cloaked by DBP. -- Steve Notice spotted in a field: THE FARMER ALLOWS WALKERS TO CROSS THE FIELD FOR FREE, BUT THE BULL CHARGES From nobody at nowhere.invalid Sat Mar 11 10:40:52 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Sat Mar 11 04:45:13 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: On Sat, 11 Mar 2006 00:19:24 -0000, Porpoise coughed into spamcop and left this in : > "Anonymous" wrote in message > news:dut3ek$a53$1@news.spamcop.net... > >> BTW, I am a long-time reader and occasional participant who is very much >> aware of how the system works. > > But you still haven't provided the affected IP so that everyone can look at > the *actual* issue, rather than some hypothetical one. Anonymous isn't the OP whose IP is SCBL'ed... -- Steve "Politics is supposed to be the second oldest profession. I have come to realize that it bears a very close resemblance to the first." 

From jeffg at spamcop.net Sat Mar 11 10:16:51 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Sat Mar 11 10:20:03 2006
Subject: [SpamCop-List] Re: Domainsbyproxy
References:
Message-ID:

Steven Maesslein wrote:
> On Fri, 10 Mar 2006 14:49:34 +0000, Aviatrix coughed into spamcop and
> left this in :
>
>> I believe a lot of people use domains-by-proxy type services for no
>> other reason than to keep their email address from public view. The
>> solution IMHO would be to keep email addresses out of Whois entries.
>
> I run a site that *will* piss off spammers. For that reason alone the
> domain doesn't accept e-mail at all, and if my name and address were
> visible on whois it would be easy to google for several e-mail
> addresses I use. That site is one I wouldn't dream of using without
> it being cloaked by DBP.

Do you consider test.DNSstuff.com [66.36.241.109] to be a spammer's?

--
Thanks and Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From vanguard.news at yahooNIX.com Sat Mar 11 09:40:45 2006
From: vanguard.news at yahooNIX.com (Vanguard)
Date: Sat Mar 11 10:45:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

"Don Wannit" wrote in message news:dutjas$k7k$1@news.spamcop.net...
> Vanguard wrote:
>
>> The Subject field is one of the headers that *is* presented by Outlook
>> Express. Outlook does NOT support newsgroups so why even bother to
>> mention it? What does reading the headers have to do with reading the
>> Subject header (which is shown) and the body of the post?
>>
>>> and changes the name of the label within the menus
>>
>>
>> Posts do not change the menus in whatever NNTP client is used for
>> viewing a post. Only YOU know what you meant to say.
>>
>>> and changes the menus within it's held from version to version!
>>
>>
>> "within it's held"? "Held" means what?
>> Other than bug fixes, name me a
>> single product that has been enhanced or improved through versioning that
>> doesn't change some aspect of the program in its behavior or interface.
>> It's a new version. Gee, something changed. Duh.
>
>
> Umm, I think you are mixing together two different things. The
> original discussion was about email messages sent by the GNU Mailman
> mailing list management software, and how the instructions to
> unsubscribe are typically contained in each message. Both in the
> email headers and in a footer at the bottom of the message. And
> how many users can't be bothered to read those instructions, so
> they report as spam a message from a list they explicitly subscribed
> to (and confirmed, per best practice).
>
> You seem to be talking about a news reader, and NNTP headers, which
> is a different topic.

Yep. I was replying to the post by spamcop (yeah, real original moniker), not to Thog's.

> When you change the topic in a newsgroup thread, it's customary
> to change the Subject: header in the news article, and mention
> that you did so.

Unfortunately that will sometimes disconnect the subthread from the main thread because not all newsreaders, especially webnews-for-dummies interfaces, use the References header to group the messages in a thread. At one time (don't know if it still is true), Google Groups grouped by Subject instead of by References, so changing the Subject header results in slicing out the subthread into its own new thread. There are users that interface to Usenet using e-mail clients (i.e., mail-to-news gateways) that use e-mail clients that don't use the References headers for grouping of related messages. Outlook is one of those.
You should NOT change the Subject header unless you are deliberately attempting to slice out the subthread but that is very similar to a malcontent using the FollowUp-To header to furtively attempt to redirect any replies off to alt.test or somewhere else so the malcontent "wins" the argument.

--
__________________________________________________
Post replies to the newsgroup. Share with others.
For e-mail: Remove "NIX" and add "#VN" to Subject.
__________________________________________________

From nobody at devnull.spamcop.net Sat Mar 11 11:33:57 2006
From: nobody at devnull.spamcop.net (POP)
Date: Sat Mar 11 11:35:03 2006
Subject: [SpamCop-List] Ignoring NNFMP line to properly assign blame at border
Message-ID:

http://www.spamcop.net/sc?id=z895033266zd79cdf3a5dce5becbc41693c5e48333bz

What does "Ignoring NNFMP line to properly assign blame at border" mean? First I've noticed it.

Pop
--
Ain't nuttin' new in the worl' enny more!

From MikeE at ster.invalid Sat Mar 11 08:50:13 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Mar 11 11:50:03 2006
Subject: [SpamCop-List] Re: Ignoring NNFMP line to properly assign blame at border
References:
Message-ID:

POP wrote:
>/sc?id=z895033266zd79cdf3a5dce5becbc41693c5e48333bz
>
> What does "Ignoring NNFMP line to properly assign blame at
> border" mean? First I've noticed it.

From looking at the SC verbose and the lines in question, it appears that yahoo servers have their own style of stamping lines which includes the term 'with NNFMP' and which chaining just leads back to various other yahoo servers.

So, SC sez, "I'm not paying any attention to all of that yahoo server NNFMP junk after/below the top line, but instead I'm going to blame the yahoo server which handed it over to the recipient."

Typically the 'with' field refers to the software in question which is being used by the server. I have no idea what yahoo might've decided to call or use as NNFMP ware.

Yahoo is claiming they have a right to correspond with you with that item because you are a user of yahoo photos. If you don't want to get that yahoo photo promotional, you would be better served to configure against it at yahoo than to SC report it. The 'style' of handling mainsleaze depends on each individual -- and some mainsleaze results from the entity such as yahoo believing, rightly or wrongly, that they have a right to be emailing you.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Sat Mar 11 16:54:27 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Mar 11 12:00:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

"Steven Maesslein" wrote in message news:slrne156p4.49i.nobody@127.0.0.1...
> On Sat, 11 Mar 2006 00:19:24 -0000, Porpoise coughed into spamcop and
> left this in :
>
>>
>> But you still haven't provided the affected IP so that everyone can look
>> at
>> the *actual* issue, rather than some hypothetical one.
>
> Anonymous isn't the OP whose IP is SCBL'ed...
>

Aaaahhh..... Ooops! Lost track there somewhere..... He just sounded so much like the OP, I didn't even notice it wasn't.... :-(

From nobody at spamcop.net Sat Mar 11 12:24:41 2006
From: nobody at spamcop.net (RW)
Date: Sat Mar 11 13:25:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
>
> I don't think that spamtraps are manually eliminated by deputies who
> find them forge subscribed in confirmation hits. In fact, I don't think
> spamtrap addies are manually eliminated for any reason -- even if the
> reason might be that the spamtrap addy does not appear to be a 'secret'
> any more.

I'm going to jump in here even though this isn't the question that was forwarded to us, but is important. I'll answer 'our question' as well.

I can't reveal circumstances, but yes, spamtraps are taken out of the equation if we are not comfortable with them remaining as traps. An example is a few users who have recently used traps as reply-to addresses in newsgroup posts. Because the addresses were now in the open and there was a chance they could be innocently used by others sending mail to them, they had to be removed from the trap list. There have been other situations where we've temporarily or permanently taken trap addresses or even entire trap domains out of service.

We pride ourselves in the quality of our traps, in terms of not being over-exposed and not attracting accidental mail from the innocent outsider. Standard role addresses are excluded from traps.

The question: "Can you please confirm or deny that such safeguards are in effect? If they are not in effect, can you please work on putting them into effect?"

There are no standards in place for how a confirmation request is formed or worded, so there is no way to effectively put safeguards in place. If we were to key in on specific wording or a mail-man specific header line, that would be trivial to forge into spam to trick the parser into rejecting outright spam containing those forgeries.

I've never had to deal with a listing caused by traps receiving confirmation requests from a user filling out a form with a trap address. Even if it were to happen, the one time would not cause the IP to be listed. If multiple confirmation requests are received, there is a problem on the subscription end in allowing a person to submit multiple subscription forms. The subscription software should be set up to limit mailing to an address more than once in a set period of time and ignoring multiple requests from the same IP.

What does come into play is subscription confirmation requests generated by mailed in subscription requests, generated by spam/viruses hitting the subscription address with forged return addresses.
The server responds with a confirmation to every email received.

That problem is solved on the subscription end, again with rate limiting and some simple spam filtering.

Richard

From edb2000 at spamcop.net Sat Mar 11 11:02:14 2006
From: edb2000 at spamcop.net (Don Wannit)
Date: Sat Mar 11 14:05:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

RW wrote:
> I can't reveal circumstances, but yes, spamtraps are taken out of the
> equation if we are not comfortable with them remaining as traps. An
> example is a few users who have recently used traps as reply-to
> addresses in newsgroup posts. Because the addresses were now in the
> open and there was a chance they could be innocently used by others
> sending mail to them, they had to be removed from the trap list. There
> have been other situations where we've temporarily or permanently taken
> trap addresses or even entire trap domains out of service.
>
> [...snip...]
>
> I've never had to deal with a listing caused by traps receiving
> confirmation requests from a user filling out a form with a trap
> address. Even if it were to happen, the one time would not cause the IP
> to be listed. If multiple confirmation requests are received, there is
> a problem on the subscription end in allowing a person to submit
> multiple subscription forms. The subscription software should be set up
> to limit mailing to an address more than once in a set period of time
> and ignoring multiple requests from the same IP.
>
> What does come into play is subscription confirmation requests generated
> by mailed in subscription requests, generated by spam/viruses hitting
> the subscription address with forged return addresses. The server
> responds with a confirmation to every email received.
>
> That problem is solved on the subscription end, again with rate limiting
> and some simple spam filtering.
>
> Richard

Thank you, Richard.
Your points address my concerns about the SC spamtraps.

--
Don Wannit
A paid SpamCop user since 1999

From edb2000 at spamcop.net Sat Mar 11 11:35:46 2006
From: edb2000 at spamcop.net (Don Wannit)
Date: Sat Mar 11 14:40:03 2006
Subject: [SpamCop-List] Re: Domainsbyproxy
In-Reply-To:
References:
Message-ID:

Jeff G. wrote:
> Do you consider test.DNSstuff.com [66.36.241.109] to be a spammer's?

Do you consider test.DNSstuff.com's testing so that it can report potential problems with email setup to be a real attempt to send email, either ham or spam?

--
Don Wannit
A paid SpamCop user since 1999

From jeffg at spamcop.net Sat Mar 11 14:52:13 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Sat Mar 11 14:55:02 2006
Subject: [SpamCop-List] Re: Domainsbyproxy
References:
Message-ID:

Don Wannit wrote:
> Jeff G. wrote:
>> Do you consider test.DNSstuff.com [66.36.241.109] to be a spammer's?
> Do you consider test.DNSstuff.com's testing so that it can
> report potential problems with email setup to be a real attempt
> to send email, either ham or spam?

No, but I do think that it is somewhat disingenuous in trying to send from <> to both postmaster and abuse in the same attempt, rather than separately as real DSNs would do.

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From nobody at spamcop.net Sun Mar 12 00:36:46 2006
From: nobody at spamcop.net (me-no-no)
Date: Sat Mar 11 19:40:07 2006
Subject: [SpamCop-List] Phishing - 15 days is OK by us ???
Message-ID:

There are excuses and excuses - I thought I`d heard most !
However.......
In response to a phisher lart regarding: http:
//www.barclays.co.uk.customercare.goto.mabberas.com/r1/b/ - Currently live - hence intentional line break

Whois Server: whois.alantron.com
Referral URL: http://www.alantron.com
Domain Name: MABBERAS.COM
Registrar: ALANTRON BLTD.
Whois Server: whois.alantron.com
Referral URL: http://www.alantron.com
Name Server: NSA34.SERVERBACKUP64.COM
Name Server: GUEST1.ITALPAY.NET
Name Server: GUEST2.ITALPAY.NET
Status: ACTIVE
Updated Date: 09-mar-2006
Creation Date: 27-dec-2005
Expiration Date: 27-dec-2006

Dear Sir,
We are already informed about this. By our registration agreement and ICANN rules we are bound to wait 15 days for the domain owner to respond. We can only take appropriate action after that.
Thanks for taking time to let us know about this scam.
We will take necessary steps to prevent this on our behalf.
Kind Regards
Alantron Legal Team
http://www.alantron.com

Still live 2 days later - Ah well - Only another possible 13 days left for the phishers to carry on :-(

Ciao
Meno

From nobody at devnull.spamcop.net Sat Mar 11 20:11:51 2006
From: nobody at devnull.spamcop.net (POP)
Date: Sat Mar 11 20:15:02 2006
Subject: [SpamCop-List] Re: Ignoring NNFMP line to properly assign blame at border
References:
Message-ID:

No trims because the content deserves to be repeated: Rest is Bottom posted

"Mike Easter" wrote in message news:duuv3e$dfo$1@news.spamcop.net...
> POP wrote:
>>/sc?id=z895033266zd79cdf3a5dce5becbc41693c5e48333bz
>>
>> What does "Ignoring NNFMP line to properly assign blame at
>> border" mean? First I've noticed it.
>
> From looking at the SC verbose and the lines in question, it
> appears
> that yahoo servers have their own style of stamping lines which
> includes
> the term 'with NNFMP' and which chaining just leads back to
> various
> other yahoo servers.
>
> So, SC sez, "I'm not paying any attention to all of that yahoo
> server
> NNFMP junk after/below the top line, but instead I'm going to
> blame the
> yahoo server which handed it over to the recipient."
>
> Typically the 'with' field refers to the software in question
> which is
> being used by the server. I have no idea what yahoo might've
> decided to
> call or use as NNFMP ware.
>
> Yahoo is claiming they have a right to correspond with you with
> that
> item because you are a user of yahoo photos. If you don't want
> to get
> that yahoo photo promotional, you would be better served to
> configure
> against it at yahoo than to SC report it. The 'style' of
> handling
> mainsleaze depends on each individual -- and some mainsleaze
> results
> from the entity such as yahoo believing, rightly or wrongly,
> that they
> have a right to be emailing you.
>
>
> --
> Mike Easter
> kibitzer, not SC admin

Hmm, that makes sense now; good surmisal/explanation, I think. I'd about come to the same conclusions, in fact, but for entirely different reasons.

Much as I dislike Yahoo! and their methodologies, I DO like some of the "special" stuff they give me because I'm such a "great customer", which I am not. I use nothing but their freebie stuff, but a year's worth of it comes with my DSL account, so ... for a year, anyway ...

They're a little like spamcop in that they manage to centralize a bunch of related tools and some of that's semi-useful, actually. It's not really free though; you do pay for it via having to let them snoop on you. Interesting part of that is, they're actually honest about spying on you! If you read far enough down thru the right section of the right FAQ in the right area about the right subject, about the right generality, they do tell you all about how they snoop et al. In fact, they even, in one place, justify their sending you to the Gators et al, and how their anti-spyware, firewalls, cookie managers purposely don't/can't detect what "they" say isn't spyware/malware/logware.

At first blush I was pretty impressed with the "free" firewalls, av, etc. they were giving out, until I found out the GAIN/Gator etc. info. That sent me scurrying right on back to Symantec!

They've probably got me over a greasy barrel holding a container of fresh vaseline with most of their spams; they're careful to only "spam" me about stuff that's available "free" (and LOTS of 3rd party stuff!) that I have NOT used yet. You know, the "only people not in their right minds wouldn't take advantage of THIS fantastic offer instantly! crap so be certain to sign up NOW?

But, I digress in my digressive rant; really, they're just so thorough that I thought I'd take a look at a couple of parsed spams from them and see what they looked like. And found that line I questioned. And that's why I feel that you surmised correctly. I haven't LARTed any of them, and probably won't, but ... I have been tempted to see if I could catch a bald-facedly-spam mail that could fit no mold other than spam, and thus my temporary interest. I'm sure there will be plenty of opportunity to LART at the end of a year when they come looking for money so I don't lose any of those "valuable" and "free" services!!

Thanks Mike; guess I can go back to bed; learned something today.

Sorry for being so wordy; the meds are working for a change. It feels so good when it stops hurting!

Regards,
Pop

From MikeE at ster.invalid Sat Mar 11 17:13:03 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sat Mar 11 20:15:13 2006
Subject: [SpamCop-List] Re: Phishing - 15 days is OK by us ???
References:
Message-ID:

me-no-no wrote:
> There are excuses and excuses - I thought I`d heard most !
> However.......
> In response to a phisher lart regarding: http:
> //www.barclays.co.uk.customercare.goto.mabberas.com/r1/b/ - Currently
> live - hence intentional line break

You are spending time and electrons conversing with a domainname registrar for a spamvertiser which is being website hosted on an unresponsive .cn provider which is spamhaus listed for your spamvertiser IP and 5 others including a ROKSO, .

www.barclays.co.uk.customercare.goto.mabberas.com = 211.97.71.213
211.97.71.213 = Ref: SBL38741
211.97.71.213/32 is listed on the Spamhaus Block List (SBL)
CitiBusiness phish

Current cnuninet.com spam problems
Found 6 SBL listings for IPs under the responsibility of cnuninet.com
CitiBusiness phish (target)
ROKSO Leo Kuvayev / BadCow - Pharmacy Express - einitebore.com and others
220.198.184.0/21 spam sources, no rDNS
yeman.cn
www.goldgrid.com
211.92.45.0/24 loncin.com - Mr. Zhang (The Third Export Department)

> We are already informed about this. By our registration agreement and
> ICANN rules we are bound to wait 15 days for the domain owner to
> respond. We can only take appropriate action after that.
> Thanks for taking time to let us know about this scam.
> We will take necessary steps to prevent this on our behalf.

That is total baloney, but you are reporting to and seeing the response of the domainname registrar for mabberas.com -- domainname registrars are under no compulsion to do anything about their domainname registrant being a spamvertiser and typically there is nothing in their TOS or AUP that sez that the registrant can't spam.

See http://www.alantron.com/eng/info/html/agreement.do DOMAIN NAME REGISTRATION AGREEMENT

That agreement only sez that alantron won't spam mabberas.

--
Mike Easter
kibitzer, not SC admin

From / at /.cn Sun Mar 12 13:24:35 2006
From: / at /.cn (Petzl)
Date: Sat Mar 11 21:25:03 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

"Mike Easter" wrote in message news:du4cef$bhl$1@news.spamcop.net...
> Petzl wrote:
>
>> I know they are bouncing emails but it seems this email server is
>> being reported for spamming
>
> 'it seems'? What does 'it seems' mean in this context? What clues or
> evidence do you have about the server being a 'real' source of spam?
>
> The SC listing sez
>
> 210.50.76.196 listed in bl.spamcop.net
> will be delisted automatically in approximately 10 hours
> has sent mail to SpamCop spam traps
> users have reported system as a source of spam about 20 times
> administrator has already delisted this system once
> past 283.4 days, it has been listed 8 times for a total of 5.7 days
>
> I see a misdirected bounce from it in sightings from Dec. [S]
> If you go to senderbase, you can find hundreds of other IPs with
> sufficient output to be 'noted' by senderbase, and many many of them are
> listed one place or another, including spamcop and CBL.
>
> I would say that iprimus isn't doing a good job of securing its user IPs
> which are generating spam.

Probably this was the cause
http://www.heise.de/english/newsticker/news/print/70330
*****
It had come to the attention of the company that spammers had established thousands of webmail addresses for sending out their advertising trash, iPrimus declared. The accounts in question had been blocked, the company added. In addition, the provider would bar any new accounts from being registered "until a permanent solution has been implemented,"
*****

Petzl

From nobody at spamcop.net Sat Mar 11 19:56:33 2006
From: nobody at spamcop.net (RandallW)
Date: Sat Mar 11 23:00:06 2006
Subject: [SpamCop-List] nac.net
Message-ID:

I received some spam that I sorted through the Spamcop parser; both the e-mail server and spamvertised site are hosted by Nac.net, but they refuse to receive munged reports.....so I went to Nac.net, and what info is on their spam reporting page?
They recommend using Spamcop to find the spam's ISP host.
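
RW's advice earlier in this archive (mail a given address at most once in a set period, and ignore repeated requests from the same IP) can be sketched as a small throttle placed in front of whatever sends the confirmation mail. This is an added example, not part of any post and not Mailman's own code; the class name, the window lengths and the sample requests are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

DAY = 24 * 3600
HOUR = 3600


class ConfirmationThrottle:
    """Gate in front of the code that mails subscription confirmations.

    Hypothetical helper: the name and the default limits are assumptions,
    not settings of Mailman or of any other list manager.
    """

    def __init__(self, address_window=DAY, ip_window=HOUR, ip_limit=3):
        self.address_window = address_window    # min seconds between mails to one address
        self.ip_window = ip_window              # sliding window for per-source counting
        self.ip_limit = ip_limit                # requests honoured per source per window
        self._last_mailed = {}                  # normalised address -> time of last mail
        self._ip_requests = defaultdict(deque)  # source IP -> recent request times

    def decide(self, address, source_ip, now):
        """Return "send" or a "drop: ..." reason for one subscription request."""
        addr = address.strip().lower()  # treat differently-cased spellings as one target

        # Count every request from this source, honoured or not, so a form
        # that is being hammered stays blocked while the hammering goes on.
        recent = self._ip_requests[source_ip]
        while recent and now - recent[0] >= self.ip_window:
            recent.popleft()
        recent.append(now)
        if len(recent) > self.ip_limit:
            return "drop: source over limit"

        # One confirmation per address per window, whoever asked for it.
        last = self._last_mailed.get(addr)
        if last is not None and now - last < self.address_window:
            return "drop: address mailed recently"

        self._last_mailed[addr] = now
        return "send"

    def purge(self, now):
        """Forget state older than the windows so memory stays bounded."""
        self._last_mailed = {a: t for a, t in self._last_mailed.items()
                             if now - t < self.address_window}
        for ip in list(self._ip_requests):
            q = self._ip_requests[ip]
            while q and now - q[0] >= self.ip_window:
                q.popleft()
            if not q:
                del self._ip_requests[ip]


# Constructed sample input: (seconds since start, address submitted, source IP).
# Addresses and IPs use reserved documentation ranges.
SAMPLE_REQUESTS = [
    (0,     "trap1@example.org", "192.0.2.10"),
    (5,     "Trap1@Example.org", "192.0.2.10"),    # same address again
    (10,    "trap2@example.org", "192.0.2.10"),
    (15,    "trap3@example.org", "192.0.2.10"),    # 4th request from one IP in an hour
    (20,    "trap1@example.org", "198.51.100.7"),  # same address via another IP
    (4000,  "trap3@example.org", "192.0.2.10"),    # IP window has expired
    (90000, "trap1@example.org", "198.51.100.7"),  # address window has expired
]


def replay(requests, throttle=None):
    """Run requests through a throttle and return the list of decisions."""
    throttle = throttle or ConfirmationThrottle()
    return [throttle.decide(addr, ip, t) for t, addr, ip in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, replay(SAMPLE_REQUESTS)):
        print(req, "->", verdict)
```

For mailed-in subscription requests, the per-address limit is the part that protects the owner of a forged return address, because only one confirmation goes out however many forged requests arrive.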

From g.hyde at bigpond.net.au Sun Mar 12 17:09:12 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sun Mar 12 02:10:13 2006
Subject: [SpamCop-List] Comerica bank phishing scam
Message-ID:

http://www.spamcop.net/sc?id=z895506345zdf1d2e81d14b2c9530ca303899804fb7z

Can anyone tell me who the bank is that's referenced in this account phishing scam? I've never even heard of them until now.

Cheers ...

Geoffrey Hyde

From jg at coks.net Sat Mar 11 23:26:34 2006
From: jg at coks.net (jg)
Date: Sun Mar 12 02:25:02 2006
Subject: [SpamCop-List] Re: Comerica bank phishing scam
In-Reply-To:
References:
Message-ID:

On 3/11/2006 11:09 PM Geoffrey Hyde scribbled:
> http://www.spamcop.net/sc?id=z895506345zdf1d2e81d14b2c9530ca303899804fb7z
>
> Can anyone tell me who the bank is that's referenced in this account
> phishing scam? I've never even heard of them until now.
>
>
> Cheers ...
>
> Geoffrey Hyde
>
>
>

Comerica is a major institution (U.S.) - insurance and banking. Comerica Park is where......google.....Detroit Tigers play...

From MikeE at ster.invalid Sat Mar 11 23:29:46 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Mar 12 02:30:02 2006
Subject: [SpamCop-List] Re: nac.net
References:
Message-ID:

RandallW wrote:
> I received some spam that I sorted through the Spamcop parser; both
> the e-mail server and spamvertised site are hosted by Nac.net, but
> they refuse to receive munged reports.....so I went to Nac.net, and
> what info is on their spam reporting page?
> They recommend using Spamcop to find the spam's ISP host.

That is not inconsistent, philosophically. An abuse desk could respect the quality of the spamcop parse while disagreeing with the concept or philosophy of mungeing the evidence at spamcop.

nac.net's faq and support pages have a lot of helpful antispam information, including a link to spamcop's site http://www.nac.net/spam/index.asp

Spam Related Links:
NAC SpamStomper filters spam from your email!
SpamStomper FAQ
Preventing Spam
Reporting Spam
Useful Links about spam:
Fight Spam on the Internet!
Death To Spam-a guide to dealing with unwanted email
Coalition Against Unsolicited Commercial Email
Spam Cop-offers a free service for reporting email abuse
Stopping Spam-the O'Reilly book on dealing with email abuse

*BUT* OTOH - a site could have all kinds of palaver about antispam attitudes and platitudes, while still providing listwashing information to their clients - which allegation was made in nanae here

//
From: "Steve Marlow" <@spamcop.net>
Newsgroups: news.admin.net-abuse.email
Subject: Net Access Corporation NAC.NET
Message-ID:
Date: Sat, 30 Jul 2005 02:47:50 GMT

Net Access Corporation aka NAC.NET continues to exhibit a policy of passing abuse reports downstream to their customers for listwashing. See other posts regarding this problem in the abuse groups. This has gone on for years ...
//

and corroborated by another post in that same thread http://snipurl.com/nh71

Currently there are 4 listings in spamhaus for IPs and IP blocks under nac.net SBL38456 SBL38067 SBL34753 SBL28717 -- while none are ROKSOs, one listing is a /25 [128 IPs] and has been spamhaused since '05 Nov - so that suggests unresponsiveness from nac.net

So, overall, I would say that the negative evidence against nac.net far outweighs the positive antispam links appearance.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Sat Mar 11 23:50:37 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Mar 12 02:55:03 2006
Subject: [SpamCop-List] Re: Comerica bank phishing scam
References:
Message-ID:

jg wrote:
> Geoffrey Hyde
>> Can anyone tell me who the bank is that's referenced in this account
>> phishing scam? I've never even heard of them until now.
> Comerica is a major institution (U.S.) - insurance and banking.
> Comerica Park is where......google.....Detroit Tigers play...

Comerica Park replacing the venerable Tiger Stadium, next door to Ford Field for the Lions and near Joe Louis Arena for the Red Wings. Featured in Driven [Sly Stallone] and rap videos. I think Comerica used to have some live tigers pacing around besides all the tiger statues. The bank [headquartered in Detroit in skyscraper Comerica Tower] paid $66 million in '98 for naming rights, that is, agreed to pay over 30 years.

From different places in the wonderful wikipedia, not google.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Sat Mar 11 23:50:33 2006
From: nobody at spamcop.net (RandallW)
Date: Sun Mar 12 02:55:12 2006
Subject: [SpamCop-List] Re: Comerica bank phishing scam
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:dv0hem$8ul$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z895506345zdf1d2e81d14b2c9530ca303899804fb7z
>
> Can anyone tell me who the bank is that's referenced in this account
> phishing scam? I've never even heard of them until now.
>

Comerica is a real company.

From nobody at nowhere.invalid Sun Mar 12 12:50:20 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Mar 12 06:55:14 2006
Subject: [SpamCop-List] Paging SC admins - abuse@wanadoo.nl rejects abuse reports
Message-ID:

This is the Postfix program at host ibi.snt.nl.

I'm sorry to have to inform you that your message could not be be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to

If you do so, please include this problem report. You can delete your own text from the attached returned message.

The Postfix program

: host mxrelay.snt.nl[10.0.200.23]
said: 552 Error: content rejected (in reply to end of DATA
command)

[message/delivery-status (393B)]
Reporting-MTA: dns; ibi.snt.nl
X-Postfix-Queue-ID: D6747A032
X-Postfix-Sender: rfc822; 1687161249@reports.spamcop.net
Arrival-Date: Sun, 12 Mar 2006 11:00:00 +0100 (CET)

Final-Recipient: rfc822; abuse_wanadoo@mailnj.custhelp.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host mxrelay.snt.nl[10.0.200.23] said: 552 Error:
    content rejected (in reply to end of DATA command)

Date: Sun, 12 Mar 2006 10:50:49 +0100
From: xxxxxxxxxx@reports.spamcop.net
To: abuse@wanadoo.nl
Subject: [SpamCop (82.156.134.15) id:xxxxxxxxxx]We SelIs all Medss 0nkv50

[ SpamCop V1.520 ]
This message is brief for your comfort. Please use links below for details.

Email from 82.156.134.15 / Sun, 12 Mar 2006 10:50:49 +0100
http://www.spamcop.net/w3m?i=z1687161249z65e14cace692e4cccdb3b58da33f7d73z

82.156.134.15 is open proxy, see: http://www.spamcop.net/mky-proxies.html

[ Offending message ]
{snip spam}

--
Steve

drug, n: A substance which, when injected into a rat, produces a scientific paper.

From nobody at nowhere.invalid Sun Mar 12 13:08:49 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Mar 12 07:10:03 2006
Subject: [SpamCop-List] Re: nac.net
References:
Message-ID:

On Sat, 11 Mar 2006 19:56:33 -0800, RandallW coughed into spamcop and left this in :

> I received some spam that I sorted through the Spamcop parser; both the
> e-mail server and spamvertised site are hosted by Nac.net, but they refuse
> to receive munged reports.....so I went to Nac.net, and what info is on
> their spam reporting page?
> They recommend using Spamcop to find the spam's ISP host.

Don't bother with nac.net - they make a black hole look positively radiant.

--
Steve

"Our enemies are innovative and resourceful, and so are we. They never stop thinking about new ways to harm our country and our people, and neither do we."
-- President George W. Bush addressing the Pentagon, 05-AUG-2004

From jwjr at poSPAMSUCKSbox.com Sun Mar 12 09:44:04 2006
From: jwjr at poSPAMSUCKSbox.com (J. Weaver Jr.)
Date: Sun Mar 12 09:45:02 2006
Subject: [SpamCop-List] Re: Comerica bank phishing scam
In-Reply-To:
References:
Message-ID:

Geoffrey Hyde wrote:
> http://www.spamcop.net/sc?id=z895506345zdf1d2e81d14b2c9530ca303899804fb7z
>
> Can anyone tell me who the bank is that's referenced in this account
> phishing scam? I've never even heard of them until now.

They're based in Detroit.

-JW

From MikeE at ster.invalid Sun Mar 12 07:38:21 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Mar 12 10:40:05 2006
Subject: [SpamCop-List] Re: Paging SC admins - abuse@wanadoo.nl rejects abuse reports
References:
Message-ID:

Steven Maesslein wrote:
> : host mxrelay.snt.nl[10.0.200.23]
> said: 552 Error: content rejected (in reply to end of DATA
> command)

SC's notify for 82.156.134.15 c529c860f.cable.wanadoo.nl is abuse@wanadoo.nl

When you get a 552 from some other address you didn't mail, it doesn't mean that the address you actually mailed didn't get the mail. OTOH, it also doesn't mean that they did.

wanadoo.nl currently has 7 individual IPs listed at spamhaus, the oldest about 11 months.

I would assume they did. I don't think SC has experience with the abuse@wanadoo.nl bouncing. If I forge a spam to show a wanadoo.nl source, SC doesn't mention bounces.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Sun Mar 12 17:36:19 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Mar 12 11:40:05 2006
Subject: [SpamCop-List] Re: Paging SC admins - abuse@wanadoo.nl rejects abuse reports
References:
Message-ID:

On Sun, 12 Mar 2006 07:38:21 -0800, Mike Easter coughed into spamcop and left this in :

> I would assume they did. I don't think SC has experience with the
> abuse@wanadoo.nl bouncing. If I forge a spam to show a wanadoo.nl
> source, SC doesn't mention bounces.

Precisely my point!
It should, because what I posted was a report sent by spamcop to abuse@wanadoo.nl that bounced.

--
Steve

A conclusion is simply the place where someone got tired of thinking.

From MikeE at ster.invalid Sun Mar 12 09:01:11 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Mar 12 12:05:02 2006
Subject: [SpamCop-List] Re: Paging SC admins - abuse@wanadoo.nl rejects abuse reports
References:
Message-ID:

Steven Maesslein wrote:
> Mike Easter
>> I would assume they did. I don't think SC has experience with the
>> abuse@wanadoo.nl bouncing. If I forge a spam to show a wanadoo.nl
>> source, SC doesn't mention bounces.
>
> Precisely my point! It should, because what I posted was a report sent
> by spamcop to abuse@wanadoo.nl that bounced.

But I'm proposing that abuse@wanadoo.nl got the mail, but it was the 'additional' copy of the mail which was sent on to abuse_wanadoo@mailnj.custhelp.com by the server at wanadoo.nl which was performed 'for' the abuse username to give to the abuse_wanadoo username which bounced.

What do you care if the system makes 9 different copies to go different places and one of them bounces? - to exaggerate the point I'm trying to make..

mailnj.custhelp.com is a completely different place than wanadoo.nl. Its mail is handled by mailgwnj02.rightnowtech.com under CERFnet in San Diego; whereas wanadoo.nl's mail is Amsterdam.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Sun Mar 12 10:19:17 2006
From: nobody at spamcop.net (N. Miller)
Date: Sun Mar 12 13:20:02 2006
Subject: [SpamCop-List] Re: Ignoring NNFMP line to properly assign blame at border
References:
Message-ID: <1enc5ag9prgk7$.dlg@news.spamcop.net>

On Sat, 11 Mar 2006 20:11:51 -0500, POP wrote:

> They've probably got me over a greasy barrel holding a
> container of fresh vaseline with most of their spams; they're
> careful to only "spam" me about stuff that's available "free"
> (and LOTS of 3rd party stuff!) that I have NOT used yet.
> You
> know, the "only people not in their right minds wouldn't take
> advantage of THIS fantastic offer instantly! crap so be
> certain to sign up NOW?
> But, I digress in my digressive rant; really, they're just so
> thorough that I thought I'd take a look at a couple of parsed
> spams from them and see what they looked like. And found that
> line I questioned. And that's why I feel that you surmised
> correctly. I haven't LARTed any of them, and probably won't, but
> ... I have been tempted to see if I could catch a
> bald-facedly-spam mail that could fit no mold other than spam,
> and thus my temporary interest. I'm sure there will be plenty of
> opportunity to LART at the end of a year when they come looking
> for money so I don't lose any of those "valuable" and "free"
> services!!

I have had a free Yahoo! Mail account since 1999. I have been an AT&T
Yahoo! HSI customer since Dec. 18, 2002, when it was the new "SBC Yahoo!
DSL Service", a result of then SBC entering a contract with Yahoo! to
provide a slew of Internet content services to SBC customers. While I
signed up for "Yahoo! Delivers" in order to have free access to the
Yahoo! SMTP/POP3 servers, that ended in the spring of 2002. Except for
"Yahoo! Delivers", I have not received any Yahoo! promotional email.
Not even after creating a Yahoo! Group, and using Yahoo! Messenger.

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From nobody at nowhere.invalid Sun Mar 12 19:23:58 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Sun Mar 12 13:25:02 2006
Subject: [SpamCop-List] False Alarm - was: Paging SC admins - abuse@wanadoo.nl rejects abuse reports
References:
Message-ID:

On Sun, 12 Mar 2006 09:01:11 -0800, Mike Easter coughed into spamcop
and left this in :

> What do you care if the system makes 9 different copies to go different
> places and one of them bounces? - to exaggerate the point I'm trying to
> make..

Aaaaargh!! Good point.
Note to self: engage brain before making recommendations...

-- 
Steve

"Politics is supposed to be the second oldest profession. I have come
to realize that it bears a very close resemblance to the first."

From jamie_usenet at yahoo.ca Sun Mar 12 17:25:09 2006
From: jamie_usenet at yahoo.ca (Jamie)
Date: Sun Mar 12 17:30:13 2006
Subject: [SpamCop-List] Update Contact for caladan.net
Message-ID:

Hi would it be possible for one of the spamcop Deputies to update the
contact email address for this ISP.

When I submitted an abuse complaint via spamcop I got this auto-ack back
again. It appears that they want all abuse complaints to be sent to
abuse-issues@caladan.net

Thanks,
Jamie

Received: (qmail 25752 invoked by uid 1004); 12 Mar 2006 22:19:02 -0000
Received: from unknown (HELO vmx2.spamcop.net) (204.15.82.29)
  by gawab.com with SMTP; 12 Mar 2006 22:19:02 -0000
Received: from sc-app3.ironport.com (HELO spamcop.net) (204.15.82.22)
  by vmx2.spamcop.net with SMTP; 12 Mar 2006 14:18:06 -0800
X-SpamCop-Reply-Ids: 1687735783
X-Spamcop-Return-Path:
Received: from vmx2.spamcop.net (vmx2.spamcop.net [204.15.82.29])
  by sc-app3.soma.ironport.com (Postfix) with ESMTP id 56E661429B
  for <1687735783@reports.spamcop.net>; Sun, 12 Mar 2006 14:17:05 -0800 (PST)
Received: from usul.caladan.net (HELO usul.caladan.net.uk) (80.71.0.10)
  by vmx2.spamcop.net with ESMTP; 12 Mar 2006 14:17:05 -0800
Received: from usul.caladan.net.uk (localhost.localdomain [127.0.0.1])
  by usul.caladan.net.uk (8.13.1/8.13.1) with ESMTP id k2CMH30b012454
  for <1687735783@reports.spamcop.net>; Sun, 12 Mar 2006 22:17:03 GMT
Received: (from mail@localhost)
  by usul.caladan.net.uk (8.13.1/8.13.1/Submit) id k2CMH3GR012453;
  Sun, 12 Mar 2006 22:17:03 GMT
Date: Sun, 12 Mar 2006 22:17:03 GMT
Message-Id: <200603122217.k2CMH3GR012453@usul.caladan.net.uk>
To: "Justmeeee" <1687735783@reports.spamcop.net>
From: abuse-robot@caladan.net
Subject: RE: [SpamCop (84.234.22.5) id:1687735783]Forgotten Password

Thank you for contacting Caladan
to report an abuse issue.

Please take the time to read this email, as it will help you and
us to put a stop to system abuse.

Due to the large volume of SPAM and UCE we receive at this
address, it takes time to sort the genuine complaints out.
To help you to help us, you can re-submit your email to a new
address: abuse-issues at caladan.net

Emails received at the new address will be processed a lot faster
and you will receive a personal reply acknowledging receipt of
your email with follow-ups advising you of what we find and any
action taken. Emails to abuse@caladan.net will be dealt with,
but you may not receive any further reply other than this
automated response.

Regards,
Caladan Abuse Team

From MikeE at ster.invalid Sun Mar 12 15:16:03 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Mar 12 18:20:03 2006
Subject: [SpamCop-List] Re: Update Contact for caladan.net
References:
Message-ID:

Jamie wrote:
> When I submitted an abuse complaint via spamcop
> I got this auto-ack
> back again. It appears that they want all abuse complaints to be sent
> to abuse-issues@caladan.net

Except that the conditions have changed for the IP which this is about.

At the time you reported reportid 1687735783 about the IP 84.234.22.5 -
the notify was abuse@caladan.net

Parsing input: 84.234.22.5
host 84.234.22.5 = server1.etglobalsolution.co.uk (cached)
Routing details for 84.234.22.5
[refresh/show] Cached whois for 84.234.22.5 : abuse@caladan.net
Using abuse net on abuse@caladan.net
No abuse net record for caladan.net
Using best contacts abuse@caladan.net

However, now the IP lives in here:
inetnum: 84.234.16.0 - 84.234.31.255
netname: NETRINO-SOV
e-mail: luke@netrino.co.uk

and refreshing the cache above now gives this result:
Removing old cache entries.
Tracking details
Display data:
"whois 84.234.22.5@whois.arin.net" (Getting contact from
whois.arin.net )
Redirect to ripe
Display data:
"whois 84.234.22.5@whois.ripe.net" (Getting contact from
whois.ripe.net)
lm824-ripe = luke@netrino.co.uk
whois.ripe.net 84.234.22.5 = luke@netrino.co.uk
whois: 84.234.16.0 - 84.234.31.255 = luke@netrino.co.uk
Routing details for 84.234.22.5
Using last resort contacts luke@netrino.co.uk

There is no reg'd abuse.net entry.

The way deputies deal with routing entry changes is by IP block, but you
aren't presenting this as a suggestion or recommendation for an IP block
routing change, you are trying to do it as a change from
abuse@caladan.net to abuse-issues@caladan.net -- but it doesn't work
like that.

The mail you got about this was from 80.71.0.10 rDNS usul.caladan.net
which lives in

inetnum: 80.71.0.0 - 80.71.0.255
netname: CALADAN-TH
descr: Caladan Communication London network
please send abuse reports to: abuse@caladan.net
abuse-mailbox: abuse@caladan.net

which also has no reg'd abuse.net entry

If caladan wants to change their reg'd abuse contact, they should do it
by making the necessary changes at ripe and they should also register an
abuse contact at abuse.net instead of trying to effect changes by
sending people emails like that suggesting they resubmit. Ridiculous..

> Due to the large volume of SPAM and UCE we receive at this
> address, it takes time to sort the genuine complaints out.
> To help you to help us, you can re-submit your email to a new
> address: abuse-issues at caladan.net
>
> Emails received at the new address will be processed a lot faster
> and you will receive a personal reply acknowledging receipt of
> your email with follow-ups advising you of what we find and any
> action taken. Emails to abuse@caladan.net will be dealt with,
> but you may not receive any further reply other than this
> automated response.
The business of how you want to handle your future notifies to caladan
is up to you; you might want to leave the default as abuse@ and make an
additional notified out of abuse-issues if you are interested in some
kind of personal communication besides an autoack.

I doubt if the deputy would be interested in changing the notify address
for the /24 block 80.71.0.0 - 80.71.0.255 to abuse-issues as long as the
ripe contact is taking mail.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Sun Mar 12 20:28:48 2006
From: nobody at devnull.spamcop.net (POP)
Date: Sun Mar 12 20:30:12 2006
Subject: [SpamCop-List] Re: Ignoring NNFMP line to properly assign blame at border
References: <1enc5ag9prgk7$.dlg@news.spamcop.net>
Message-ID:

...
>
> I have had a free Yahoo! Mail account since 1999. I have been
> an AT&T
> Yahoo! HSI customer since Dec. 18, 2002, when it was the new
> "SBC Yahoo!
> DSL Service", a result of then SBC entering a contract with
> Yahoo! to
> provide a slew of Internet content services to SBC customers.
> While I
> signed up for "Yahoo! Delivers" in order to have free access to
> the Yahoo!
> SMTP/POP3 servers, that ended in the spring of 2002. Except for
> "Yahoo!
> Delivers", I have not received any Yahoo! promotional email.
> Not even after
> creating a Yahoo! Group, and using Yahoo! Messenger.

Yeah, actually I've got the same sort of deal only it's a yahoo-verizon
thing. Technically they're not spamming me, but ... since I don't want,
and didn't ask for, emails to tell me what "free" services I haven't
tried yet, they come pretty close. I'm actually "buying" the services
(and so is/has everyone else) by their methods of tracking my usages,
especially when you go near any of the 3rd party stuff. In fact, they
were responsible for the GAIN/Gator infestation I suffered thru, but
that was my own mistake, too.
It pays to be careful what you're clicking because some of those things
can't be stopped without pulling the plug, and even then in this case,
it was too late. Live and learn, as they say - it was an interesting
learning experience about the very bottom of the barrels .

IMO Yahoo is preying on the ignorance of their users; I don't like that.
But, I do like, for awhile, some of the "freebies" they've got. Looks
like the way DSL's going to go for a long time.

Regards,

Pop

From g.hyde at bigpond.net.au Mon Mar 13 13:34:05 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sun Mar 12 22:35:11 2006
Subject: [SpamCop-List] Re: Ignoring NNFMP line to properly assign blame at border
References: <1enc5ag9prgk7$.dlg@news.spamcop.net>
Message-ID:

"POP" wrote in message news:dv2hs9$dnd$1@news.spamcop.net...

> Yeah, actually I've got the same sort of deal only it's a yahoo-verizon
> thing. Technically they're not spamming me, but ... since I don't want,
> and didn't ask for, emails to tell me what "free" services I haven't tried
> yet, they come pretty close. I'm actually "buying" the services (and so
> is/has everyone else) by their methods of tracking my usages, especially
> when you go near any of the 3rd party stuff. In fact, they were
> responsible for the GAIN/Gator infestation I suffered thru, but that was
> my own mistake, too. It pays to be careful what you're clicking because
> some of those things can't be stopped without pulling the plug, and even
> then in this case, it was too late. Live and learn, as they say - it was
> an interesting learning experience about the very bottom of the barrels
> .
> IMO Yahoo is preying on the ignorance of their users; I don't like that.
> But, I do like, for awhile, some of the "freebies" they've got. Looks
> like the way DSL's going to go for a long time.
Personally, I wish the government would legislate or pass laws declaring
that any and all forms of browser hijacking are illegal, this includes
but is not limited to self-installing demo programs that try to use
ActiveX or script controls to install themselves.

Some of the advertising providers have a LOT to answer for, and I really
hope the government brings a ton of bricks worth of legislation or laws
down on them.

The few that know how to circumvent such installation tricks are the
lucky ones, I would say that not everyone on the internet learns quickly
how to secure their browser against such threats. And it is up to the
government to get people talking and drawing up laws that do something
about it. It's a pity they're slow to move on this kind of thing.

Cheers ... Geoffrey Hyde

From caroljean52 at yahoo.com Sun Mar 12 22:56:02 2006
From: caroljean52 at yahoo.com (caroljean52)
Date: Mon Mar 13 01:00:11 2006
Subject: [SpamCop-List] Sigh... New way of sending spam...
Message-ID:

Just got a 419 spam that was sent by using Yahoo's Announce Address.
I've used Yahoo for years and never noticed that particular feature.
(Is that just because it's not something I would ever use--or is it
because it's new? I'm guessing new since I can't believe spammers
wouldn't have exploited it earlier if it had been available.) Looks
like the spammer could just import his address list and then send out
these announcements. It would be a little labor intensive but hey,
Yahoo popped this thing straight into my Inbox so a lot more messages
would actually get through.

At any rate, this is the first time I've ever seen spam sent as an
address change message. Unfortunately, I'm sure it won't be the last...
Carol
Pocatello, Idaho

From nobody at spamcop.net Mon Mar 13 00:42:38 2006
From: nobody at spamcop.net (RW)
Date: Mon Mar 13 01:45:06 2006
Subject: [SpamCop-List] Re: Paging SC admins - abuse@wanadoo.nl rejects abuse reports
In-Reply-To:
References:
Message-ID:

Steven Maesslein wrote:

> This is the Postfix program at host ibi.snt.nl.
>
> I'm sorry to have to inform you that your message could not be
> be delivered to one or more recipients. It's attached below.

As Mike mentioned, the address could alias out to more than one
recipient at their end, so it doesn't mean at least one didn't accept
the mail. I see Don or Ellen reset their bounce counter earlier today
to monitor this. Right now it's at 181 sent, 2 bounces.

Richard

From nobody at spamcop.net Mon Mar 13 00:48:09 2006
From: nobody at spamcop.net (RW)
Date: Mon Mar 13 01:50:03 2006
Subject: [SpamCop-List] Re: Sigh... New way of sending spam...
In-Reply-To:
References:
Message-ID:

caroljean52 wrote:
> Just got a 419 spam that was sent by using Yahoo's Announce Address. I've
> used Yahoo for years and never noticed that particular feature. (Is that
> just because it's not something I would ever use--or is it because it's new?
> I'm guessing new since I can't believe spammers wouldn't have exploited it
> earlier if it had been available.) Looks like the spammer could just import
> his address list and then send out these announcements. It would be a little
> labor intensive but hey, Yahoo popped this thing straight into my Inbox so a
> lot more messages would actually get through.
>
> At any rate, this is the first time I've ever seen spam sent as an address
> change message. Unfortunately, I'm sure it won't be the last...
>
> Carol
> Pocatello, Idaho

This has been going on for about a week now. It's causing Yahoo's
servers all over the world to be bl'd because the mail comes from their
IP with no earlier received lines.
We've had quite the mail load this weekend over these, but we're holding
firm that Yahoo is responsible and will have to solve the matter to get
their servers delisted.

Richard

From nobody at spamcop.net Sun Mar 12 22:55:16 2006
From: nobody at spamcop.net (N. Miller)
Date: Mon Mar 13 02:00:03 2006
Subject: [SpamCop-List] Re: Ignoring NNFMP line to properly assign blame at border
References: <1enc5ag9prgk7$.dlg@news.spamcop.net>
Message-ID: <1uq9gzao018xx$.dlg@news.spamcop.net>

On Sun, 12 Mar 2006 20:28:48 -0500, POP wrote:

> ...
>> I have had a free Yahoo! Mail account since 1999. I have been
>> an AT&T Yahoo! HSI customer since Dec. 18, 2002, when it was
>> the new "SBC Yahoo! DSL Service", a result of then SBC entering
>> a contract with Yahoo! to provide a slew of Internet content
>> services to SBC customers. While I signed up for "Yahoo!
>> Delivers" in order to have free access to the Yahoo! SMTP/POP3
>> servers, that ended in the spring of 2002. Except for "Yahoo!
>> Delivers", I have not received any Yahoo! promotional email.
>> Not even after creating a Yahoo! Group, and using Yahoo!
>> Messenger.

> Yeah, actually I've got the same sort of deal only it's a
> yahoo-verizon thing.

Properly, it is a "Verizon-Yahoo!" thing. Verizon, like AT&T (back when
it was SBC), BT Internet, Rogers Cable, and SoftbankBB, has a contract
with Yahoo! to provide Internet content. AFAIK, in each case, the
TCP/IP transport provider is listed first.

> Technically they're not spamming me, but
> ... since I don't want, and didn't ask for, emails to tell me
> what "free" services I haven't tried yet, they come pretty close.
> I'm actually "buying" the services (and so is/has everyone else)
> by their methods of tracking my usages, especially when you go
> near any of the 3rd party stuff. In fact, they were responsible
> for the GAIN/Gator infestation I suffered thru, but that was my
> own mistake, too.
> It pays to be careful what you're clicking
> because some of those things can't be stopped without pulling the
> plug, and even then in this case, it was too late. Live and
> learn, as they say - it was an interesting learning experience
> about the very bottom of the barrels .
> IMO Yahoo is preying on the ignorance of their users; I don't
> like that. But, I do like, for awhile, some of the "freebies"
> they've got. Looks like the way DSL's going to go for a long
> time.

I don't know about that last. I actually don't recall getting anything
directly from Yahoo! over my migration to SBC Yahoo! DSL Services (which
is now called, "AT&T Yahoo! HSI"), but I had already known, from my
Yahoo! Mail free account about turning off the advertising. It caused a
lot of consternation for other SBC customers who were migrating, and not
aware of the automatic selection of advertising offered by Yahoo!. One
has to go into the account management pages and explicitly opt out of a
wad of advertising; even the Premium account has these pre-selected.

Verizon offers Yahoo! as an option. You can get Verizon-MSN,
Verizon-Yahoo!, or Verizon On-Line, last I checked. Neither Qwest, nor
Spring offer such a deal. And those are the ILECs. I don't know of any
CLECs with such a deal; I doubt that it is the future of DSL. And
Rogers is a Canadian cable HSI provider with a Yahoo! contract, so it is
conceivable that U.S. cable companies could get on that bandwagon.

-- 
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From nobody at spamcop.net Sun Mar 12 23:13:03 2006
From: nobody at spamcop.net (RandallW)
Date: Mon Mar 13 02:15:03 2006
Subject: [SpamCop-List] Re: nac.net
References:
Message-ID:

"Mike Easter" wrote in message news:dv0ikj$9j0$1@news.spamcop.net...
(partial snipping)
>
> Currently there are 4 listings in spamhaus for IPs and IP blocks under
> nac.net SBL38456 SBL38067 SBL34753 SBL28717 -- while none are
> ROKSOs, one listing is a /25 [128 IPs] and has been spamhaused since '05
> Nov - so that suggests unresponsiveness from nac.net
>
> So, overall, I would say that the negative evidence against nac.net far
> outweighs the positive antispam links appearance.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Their FAQ page on spam doesn't even give their e-mail addy for abuse;
they have an abuse@nac.net addy, but they don't make an effort to have
it easily known.

From MikeE at ster.invalid Mon Mar 13 04:24:12 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Mar 13 07:25:17 2006
Subject: [SpamCop-List] Re: nac.net
References:
Message-ID:

RandallW wrote:
> "Mike Easter"
>> So, overall, I would say that the negative evidence against nac.net
>> far outweighs the positive antispam links appearance.

> Their FAQ page on spam doesn't even give their e-mail addy for abuse;
> they have an abuse@nac.net addy, but they don't make an effort to
> have it easily known.

The website is laid out with a site map and a contact section. The
contact section has the abuse addy in 2 places.

http://www.nac.net/contact.asp Contact Us
Abuse Department: abuse@nac.net
Contact Abuse - abuse@nac.net For network and email abuse complaints.

The domainname is also reg'd with abuse.net
whois -h whois.abuse.net nac.net
...
abuse@nac.net (for nac.net)

They also have a strong AUP/TOS
http://www.nac.net/aup.asp Terms of Service

But all of that just makes them look good on paper 'at their place' --
what is more important is their reputation which is seen at spamhaus
and also what the admins who converse in nanae say.
-- 
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Mon Mar 13 11:25:52 2006
From: nobody at spamcop.net (indigo)
Date: Mon Mar 13 11:30:05 2006
Subject: [SpamCop-List] Re: Comerica bank phishing scam
References:
Message-ID:

Mike Easter wrote:
>> Featured in Driven [Sly Stallone]

Ugh...the absolutely worse and insipid car racing movie ever
made.....besides being technically inaccurate.

From MikeE at ster.invalid Mon Mar 13 08:36:10 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Mar 13 11:40:01 2006
Subject: [SpamCop-List] Re: Comerica bank phishing scam
References:
Message-ID:

indigo wrote:
> Mike Easter wrote:
>>> Featured in Driven [Sly Stallone]
>
> Ugh...the absolutely worse and insipid car racing movie ever
> made.....besides being technically inaccurate.

I never saw it. The reviews at imdb are more favorable than yours, and
there are a lot of them.

I only mentioned it because wikipedia said that Comerica Park was in the
movie -- what the ballpark has to do with the racing or the movie I
don't know.

-- 
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Fri Mar 10 16:01:21 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Mon Mar 13 11:40:10 2006
Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@
References:
Message-ID:

"Porpoise" wrote...
>
> "Anonymous" wrote...
>>
>> And again I tell you that if you don't have a mailserver on the
>> Internet,
>> there should be no MX record at all in your DNS record, not a bogus MX
>> record to an unroutable IP address.
>>
>> And again I tell you that your SOA should not say that your primary
>> nameserver is localhost.
>>
>> And again I tell you that you have two open DNS servers and that this
>> is a Bad Thing.
>
> And I tell you, I don't own any MX servers. However, the backbone
> provider, whose system it is, does, and they do not provide a public mail
> service.
> I suggest you take up any issues with them directly:

You would have saved everyone a lot of wasted effort if, five posts
back, you had responded to the comment "...your MX mail.jtfreesurf.co.uk
violates Internet Standard..." by saying "jtfreesurf.co.uk doesn't
belong to me." By defending the bad practices of whoever the owner of
jtfreesurf.co.uk is, you gave the impression that you own
jtfreesurf.co.uk.

G.M.

your MX mail.jtfreesurf.co.uk
>>>>> violates Internet Standard

From nobody at devnull.spamcop.net Mon Mar 13 08:43:11 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Mon Mar 13 11:50:07 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

"Porpoise" wrote in message news:dut54o$bga$1@news.spamcop.net...
>
> "Anonymous" wrote in message
> news:dut3ek$a53$1@news.spamcop.net...
>>
>
>> BTW, I am a long-time reader and occasional participant who is very much
>> aware of how the system works.
>>
>> G.M.
>
> But you still haven't provided the affected IP so that everyone can look
> at the *actual* issue, rather than some hypothetical one.

You are confusing me with someone else. The original post/issue was
from "K. Thog" posted on Wed, 08 Mar 2006 17:03:46 -0800 with
Message-ID: . I am one of the fellows who asked him for that info.

G.M.

From nobody at spamcop.net Mon Mar 13 11:48:16 2006
From: nobody at spamcop.net (indigo)
Date: Mon Mar 13 11:50:17 2006
Subject: [SpamCop-List] Re: Comerica bank phishing scam
References:
Message-ID:

Mike Easter wrote:
> indigo wrote:
> > Mike Easter wrote:
> >>> Featured in Driven [Sly Stallone]
> >
> > Ugh...the absolutely worse and insipid car racing movie ever
> > made.....besides being technically inaccurate.
>
> I never saw it. The reviews at imdb are more favorable than yours,
> and there are a lot of them.

The racing scenes were truly ridiculous, cars can't do what they did in
that movie (unless they had nitrous oxide bottle hidden somewhere ;-).
>
> I only mentioned it because wikipedia said that Comerica Park was in
> the movie -- what the ballpark has to do with the racing or the movie
> I don't know.

The parking lot of the stadium was probably part of the racing circuit,
that's very common for temporary street courses. There was a sports car
race in D.C. last year that used part of the Redskin's old stadium lots.

From jamie_usenet at yahoo.ca Mon Mar 13 11:53:56 2006
From: jamie_usenet at yahoo.ca (Jamie)
Date: Mon Mar 13 12:00:06 2006
Subject: [SpamCop-List] Re: Update Contact for caladan.net
References:
Message-ID:

"Mike Easter" wrote in message news:dv2a2r$9td$1@news.spamcop.net...

> Except that the conditions have changed for the IP which this is about.
>
> At the time you reported reportid 1687735783 about the IP 84.234.22.5 -
> the notify was abuse@caladan.net
>
> Parsing input: 84.234.22.5
> host 84.234.22.5 = server1.etglobalsolution.co.uk (cached)
> Routing details for 84.234.22.5
> [refresh/show] Cached whois for 84.234.22.5 : abuse@caladan.net
> Using abuse net on abuse@caladan.net
> No abuse net record for caladan.net
> Using best contacts abuse@caladan.net
>
>
> However, now the IP lives in here:
> inetnum: 84.234.16.0 - 84.234.31.255
> netname: NETRINO-SOV
> e-mail: luke@netrino.co.uk
>
> and refreshing the cache above now gives this result:
> Removing old cache entries.
>
> Tracking details
> Display data:
> "whois 84.234.22.5@whois.arin.net" (Getting contact from
> whois.arin.net )
> Redirect to ripe
> Display data:
> "whois 84.234.22.5@whois.ripe.net" (Getting contact from
> whois.ripe.net)
> lm824-ripe = luke@netrino.co.uk
> whois.ripe.net 84.234.22.5 = luke@netrino.co.uk
> whois: 84.234.16.0 - 84.234.31.255 = luke@netrino.co.uk
> Routing details for 84.234.22.5
> Using last resort contacts luke@netrino.co.uk
>
> There is no reg'd abuse.net entry.
>
> The way deputies deal with routing entry changes is by IP block, but you
> aren't presenting this as a suggestion or recommendation for an IP block
> routing change, you are trying to do it as a change from
> abuse@caladan.net to abuse-issues@caladan.net -- but it doesn't work
> like that.
>
> The mail you got about this was from 80.71.0.10 rDNS usul.caladan.net
> which lives in
>
> inetnum: 80.71.0.0 - 80.71.0.255
> netname: CALADAN-TH
> descr: Caladan Communication London network
> please send abuse reports to: abuse@caladan.net
> abuse-mailbox: abuse@caladan.net
>
> which also has no reg'd abuse.net entry
>
> If caladan wants to change their reg'd abuse contact, they should do it
> by making the necessary changes at ripe and they should also register an
> abuse contact at abuse.net instead of trying to effect changes by
> sending people emails like that suggesting they resubmit. Ridiculous..
>
>> Due to the large volume of SPAM and UCE we receive at this
>> address, it takes time to sort the genuine complaints out.
>> To help you to help us, you can re-submit your email to a new
>> address: abuse-issues at caladan.net
>>
>> Emails received at the new address will be processed a lot faster
>> and you will receive a personal reply acknowledging receipt of
>> your email with follow-ups advising you of what we find and any
>> action taken. Emails to abuse@caladan.net will be dealt with,
>> but you may not receive any further reply other than this
>> automated response.
>
> The business of how you want to handle your future notifies to caladan
> is up to you; you might want to leave the default as abuse@ and make an
> additional notified out of abuse-issues if you are interested in some
> kind of personal communication besides an autoack.
>
> I doubt if the deputy would be interested in changing the notify address
> for the /24 block 80.71.0.0 - 80.71.0.255 to abuse-issues as long as the
> ripe contact is taking mail.
>
>
> --
> Mike Easter
> kibitzer, not SC admin
>

Well the whole Idea Mike is to make it as easy as possible for the abuse
teams to get the spamcop reports and process them. In this case they
are asking that the reports be sent to abuse-issues@caladan.net for
faster processing. If they need to change it by IP block then they can
do it that way. That's fine. So change the abuse contact for
80.71.0.0 - 80.71.0.255 to abuse-issues@caladan.net

You are right that they can go to ripe.net and have the contact address
updated but for the mean time SC can also update the contact address for
that /24 in order to speed up the removal of a spammer from their
network.

The deputies should be interested in changing the notify address for the
/24 if it means faster termination of a spammer off of their network.

Jamie

From nobody at devnull.spamcop.net Mon Mar 13 09:26:37 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Mon Mar 13 12:30:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Don Wannit wrote...
>
> Mike Easter wrote:
>
>> Don Wannit wrote:
>>
>>>These spamtrap addresses, which are hidden in places
>>>that people normally don't look, might be found in
>>>those local cache files, ready for the virus to find.
>>>And send spam or virm poop to.
>>
>> Which would of course count as a spamtrap hit, which it should.
>
> Yup, precisely. There were some questions about how the
> spamtrap addresses could be encountered, if they are
> not easily guessable, which is why I mentioned that vector.
>
> Virm poop sent to a spamtrap address certainly should
> be counted as spam.
>
> But if a virm, or person, uses the encountered email
> address to maliciously subscribe the address to a
> mailing list, then it is vital that the confirmation
> email sent by the list to that email address, per
> responsible list management and best practice, *not*
> automatically trigger a hit.
Assuming (and I have seen no evidence that this is not true) that
spammers, viruses or net-abusers have no way of identifying spamtraps,
they would either have to be really lucky guessers, or they would have
to maliciously subscribe a huge number of non-spamtrap addresses with
the spamtrap addresses hidden in the crowd.

An email list that accepted such a huge number of subscriptions and then
stupidly sent confirmation requests to a huge number of non-spamtrap
addresses (plus some spamtrap addresses hidden in the crowd) *should* be
on a short-term BL such as Spamcop.

G.M.

From porpoise1954 at yahoo.co.uk Mon Mar 13 18:19:32 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Mon Mar 13 13:25:04 2006
Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@
References:
Message-ID:

"Anonymous" wrote in message news:dv472u$a0j$1@news.spamcop.net...
>
>
> You would have saved everyone a lot of wasted effort if, five posts back,
> you had responded to the comment "...your MX mail.jtfreesurf.co.uk violates
> Internet Standard..." by saying "jtfreesurf.co.uk doesn't belong to me."
> By
> defending the bad practices of whoever the owner of jtfreesurf.co.uk is,
> you
> gave the impression that you own jtfreesurf.co.uk.
>

But if you had done your homework, you'd have already known that I (not
being Jersey Telecom) was not the owner of jtfreesurf.co.uk or
jerseytelecom.co.uk or jerseymail.co.uk or jtibs.co.uk.

I never gave any indication that I was purporting to be the owner of
those domains (and their various IPs and servers). In fact, in my very
first response to your first "go" at the jtfreesurf MX situation, I
stated that it was Jersey Telecom. Jersey Telecom do not provide email
services for their customers - only connection services. I don't see
anywhere in my responses where I ever said I was in any way shape or
form anything to do with Jersey Telecom - other than partaking of their
ADSL service.
It was you who decided to go off on one, I just responded........ :-) EOT From newspost at deletethispart.hypercreations.com Mon Mar 13 21:01:58 2006 From: newspost at deletethispart.hypercreations.com (D. T.) Date: Mon Mar 13 16:05:04 2006 Subject: [SpamCop-List] Re: Domainsbyproxy References: Message-ID: "Jeff G." wrote in news:dusdre$rlu$1@news.spamcop.net: > D. T. wrote: >> They're really GoDaddy. And yes, they do indeed allow spammers to hide >> behind their anonymous domain registrations....I've got proof. I've >> been in touch with the President's Office at GoDaddy over this and >> they've not taken any action against the offenders. > > I'd like to see that proof. > OK...I'll contact you privately, Jeff, and show you the details. DT From not at home.today Mon Mar 13 23:49:37 2006 From: not at home.today (Ant) Date: Mon Mar 13 19:00:16 2006 Subject: [SpamCop-List] Re: Comerica bank phishing scam References: Message-ID: "indigo" wrote: > Mike Easter wrote: >> indigo wrote: >>> Ugh...the absolutely worse and insipid car racing movie ever >>> made.....besides being technically inaccurate. >> >> I never saw it. The reviews at imdb are more favorable than yours, >> and there are a lot of them. > > The racing scenes were truly ridiculous, cars can't do what they did in > that movie (unless they had nitrous oxide bottle hidden somewhere ;-). You could say that about most films. You have to suspend disbelief if you're familiar with a particular field in the real world. Recall the films with computer scenes not so long ago. There would be a full screen requesting a password in an edit box 2 inches high. Then inevitably there'd be the flashing message "access denied" in text that would fill the screen. I've worked on a variety of systems since the mid 1970s, and never seen such silly software! 
From not at home.today Mon Mar 13 23:54:25 2006 From: not at home.today (Ant) Date: Mon Mar 13 19:00:28 2006 Subject: [SpamCop-List] Re: Domainsbyproxy References: Message-ID: "D. T." wrote: > "Jeff G." wrote: >> D. T. wrote: >>> They're really GoDaddy. And yes, they do indeed allow spammers to hide >>> behind their anonymous domain registrations....I've got proof. I've >>> been in touch with the President's Office at GoDaddy over this and >>> they've not taken any action against the offenders. >> >> I'd like to see that proof. > > OK...I'll contact you privately, Jeff, and show you the details. This should be made public. Embarrass them in the trade press or other media into taking action. From Nobody at SpamCop.devnull.diespammerdie.net Mon Mar 13 19:29:33 2006 From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan) Date: Mon Mar 13 20:30:02 2006 Subject: [SpamCop-List] Re: Phishing - 15 days is OK by us ??? References: Message-ID: <44161C7D.48C22239@SpamCop.devnull.diespammerdie.net> Mike Easter wrote: > > You are spending time and electrons conversing with a domainname > CitiBusiness phish (target) > ROKSO Leo Kuvayev / BadCow - Pharmacy Express - einitebore.com and > others > 220.198.184.0/21 spam sources, no rDNS > yeman.cn > www.goldgrid.com > 211.92.45.0/24 loncin.com - Mr. Zhang (The Third Export Department) > > > That agreement only sez that alantron won't spam mabberas. "www.goldgrid.com 211.92.45.0/24 loncin.com - Mr. Zhang (The Third Export Department)" Wonder what Mr. Zhang's colleagues in the other two export departments are exporting...... SOS and MOSOS, maybe. Michael From Nobody at SpamCop.devnull.diespammerdie.net Mon Mar 13 19:38:20 2006 From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan) Date: Mon Mar 13 20:40:02 2006 Subject: [SpamCop-List] Spam Receipts? 
Message-ID: <44161E8C.ACA96836@SpamCop.devnull.diespammerdie.net> With reference to: http://www.spamcop.net/sc?id=z896972080ze55ededcf3e1f8f098e0811696463c02z Is there anything in the source code of this message that would display a receipt either on acceptance of the spam by my ISP's server, or on download, or on preview/view on my box? As I've explained to Mike Easter previously, I presort my spams before sending them off to SpamCop, so that all the spams reported in a single message will be of the same type (pill spammers, phony diploma spams, generic/other, phishes, etc.), which helps me when actually subbing the parsed SpamCop reports later on, when the headers and subject lines offer no clues about content. I usually comment for abuse desks on content when LARTing: "This msg is a "pharmacy"/"wonder-drug" UCE spam," "This msg is a criminal '419' solicitation and has been forwarded to LE," and so on. As a result, I usually prepare spams for forwarding to SpamCop while offline, for this reason. Any comments about ways that a receipt to the spammer could leak out while handling spams of the encaptioned type? Comments received gratefully, Michael From MikeE at ster.invalid Mon Mar 13 18:42:50 2006 From: MikeE at ster.invalid (Mike Easter) Date: Mon Mar 13 21:45:05 2006 Subject: [SpamCop-List] Re: Spam Receipts? References: <44161E8C.ACA96836@SpamCop.devnull.diespammerdie.net> Message-ID: Michael Brennan wrote: sc?id=z896972080ze55ededcf3e1f8f098e0811696463c02z > > > Is there anything in the source code of this message that would > display a receipt either on acceptance of the spam by my ISP's > server, or on download, or on preview/view on my box? No. The way that spam works is that the promotional information is in the b64 encoded .gif which is attached to the html; and the html works by providing you a link to click on to take you to the payload -- but it isn't a webbug configuration. 
The b64 .gif sez the Viagra, Cialis, Valium, Levitra, and Soma prices and asks you to click the graphic for 'no prescription required'. The payload site is at http://fnjovk.tablechair.info/?88050960 which resolves, shows a port 80, but doesn't give me a payload.

However, in terms of spamhandling, you shouldn't be opening a spam in an insecure way online -- so that if the item /did/ contain something to your disadvantage your rendering of the html could cause a problem.

That is, I would handle all of my spam in a way that wouldn't have the potential for causing problems. If I needed to render the html or if I needed to decode the b64 or whatever I needed to do to satisfy my reporting, I would handle securely.

> As I've explained to Mike Easter previously, I presort my spams before
> sending them off to SpamCop, so that all the spams reported in a
> single message will be of the same type (pill spammers, phony diploma
> spams, generic/other, phishes, etc.), which helps me when actually
> subbing the parsed SpamCop reports later on, when the headers and
> subject lines offer no clues about content. I usually comment for
> abuse desks on content when LARTing: "This msg is a
> "pharmacy"/"wonder-drug" UCE spam," "This msg is a criminal '419'
> solicitation and has been forwarded to LE," and so on.

I presume you are explaining why you might want to read a spam.

Mostly I think the disadvantages of reading spam outweigh the advantages, but everyone has to play the game the way that trips their trigger or appeals to them. I think you are wasting your time and energy reading spam that could be spent more constructively - even if you are reading spam for your 'enjoyment' or curiosity. Or allegedly sorting it into report categories and notifying agencies who aren't really doing anything about that particular type of spam.

> As a result, I usually prepare spams for forwarding to SpamCop while
> offline, for this reason.
I interpret that as saying that if you are going to open a spam, you do it offline. > Any comments about ways that a receipt to the spammer could leak out > while handling spams of the encaptioned type? My strategy which dates back to the days when OE's relationship with its IE rendering engine was even more insecure than it is today, was to examine the unrendered message body first, so that I knew what kind of html was inside. What it was going to do. How the spam was 'constructed' in terms of webbugs or whatever. If I were satisfied that I could render the html, either online or offline, without doing something I didn't want to do, then I opened it with OE rendering because that was more 'efficient'. If I didn't want to do that, I might take an item apart piece by piece. I might de-construct the b64 part and separately decode it. There are a lot of different ways of handling the parts of a piece of email or the parts of a multipart attachment besides doing it the way the spammer thinks you are going to do it. -- Mike Easter kibitzer, not SC admin From edb2000 at spamcop.net Mon Mar 13 20:14:09 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Mon Mar 13 23:15:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Anonymous wrote: > Don Wannit wrote... > >>Mike Easter wrote: >> >> >>>Don Wannit wrote: >>> >>> >>>>These spamtrap addresses, which are hidden in places >>>>that people normally don't look, might be found in >>>>those local cache files, ready for the virus to find. >>>>And send spam or virm poop to. >>> >>>Which would of course count as a spamtrap hit, which it should. >> >>Yup, precisely. There were some questions about how the >>spamtrap addresses could be encountered, if they are >>not easily guessable, which is why I mentioned that vector. >> >>Virm poop sent to a spamtrap address certainly should >>be counted as spam. 
>> >>But if a virm, or person, uses the encountered email >>address to maliciously subscribe the address to a >>mailing list, then it is vital that the confirmation >>email sent by the list to that email address, per >>responsible list management and best practice, *not* >>automatically trigger a hit. > > > Assuming (and I have seen no evidence that this is > not true) that spammers, viruses or net-abuser have > no way of identifying spamtraps, they would either > have to be really luck guessers, or they would have > to maliciously subscribe a huge number of non-spam- > trap addresses with the spamtrap addresses hidden > in the crowd. An email list that accepted such a > huge number of subscriptions and then stupidly sent > confirmation requests to a huge number of non- > spamtrap address (plus some spamtrap addresses > hidden in the crowd) *should* be on a short-term > BL such as Spamcop. This is not the point. If a spamtrap automatically adds a source IP to a blocklist, then it would be trivial for someone to forge a subscription request purporting to be from the spamtrap, and thereby get the output IP for the mailing list added to the blocklist when it sends that confirmation request. I never said anything about huge numbers of addresses, or hiding a spamtrap address in a crowd of legitimate addresses. I'm not sure where you got that concept. The concern here is that spamtrap addresses are discoverable -- in fact, that's exactly how they end up on spammers' lists; if they were not discoverable they would not be of much use. It is quite simple to find spamtrap addresses if you know where to look, and know that they are spamtraps. Email address scrapers typically just gather the address, and don't care where it comes from. If someone knows the kinds of places that spamtrap addresses are typically hidden for scrapers to find, then it's trivial to find one and maliciously send it in a subscription request to a mailing list. 
Richard has answered my concern, without revealing too much, by saying that while the SC spamtraps do not (and can not) filter out legitimate confirmation requests, a single spamtrap hit will not trigger a SC listing. Other spamtraps may not be so resilient, and the ones that add an IP to a blocklist on a single hit and make it nearly impossible to get off are the ones that are worrisome, and make an inviting resource for a denial-of-service attack. -- Don Wannit A paid SpamCop user since 1999 From Nobody at SpamCop.devnull.diespammerdie.net Tue Mar 14 05:48:28 2006 From: Nobody at SpamCop.devnull.diespammerdie.net (Michael Brennan) Date: Tue Mar 14 06:50:15 2006 Subject: [SpamCop-List] Re: Spam Receipts? References: <44161E8C.ACA96836@SpamCop.devnull.diespammerdie.net> Message-ID: <4416AD8C.4687AF5F@SpamCop.devnull.diespammerdie.net> Mike Easter wrote: > > Michael Brennan wrote: > > sc?id=z896972080ze55ededcf3e1f8f098e0811696463c02z > > > > > > Is there anything in the source code of this message that would > > display a receipt either on acceptance of the spam by my ISP's > > server, or on download, or on preview/view on my box? > > No. The way that spam works is that the promotional information is in > the b64 encoded .gif which is attached to the html; and the html works > by providing you a link to click on to take you to the payload -- but it > isn't a webbug configuration. > Thanks, I was wondering about that. There was a reference in the sourcefile to a SRC, although it wasn't a typical IMG SRC line. I didn't know enough HTML to be able to tell whether that source reference might be configurable as a beacon. > > That is, I would handle all of my spam in a way that wouldn't have the > potential for causing problems. If I needed to render the html or if I > needed to decode the b64 or whatever I needed to do to satisfy my > reporting, I would handle securely. I do it offline, although sometimes OE surprises me. 
I turn the preview pane off when working with OE online, but occasionally have forgotten to change the window layout before going online, or have made an inadvertent double-click on a message while performing housekeeping while online, moving messages to other folders or retrieving sourcecode or headers from the "Properties" GUI. > I think the disadvantages of reading spam outweigh the advantages, I agree and try not to open a spam or let one open either online or off. But some of them -- the most sophisticated spamitems, which I mentally associate (even if no real evidence) with Leo K. -- assiduously renege any clues about the spam payload even when the source is inspected. All one sees is the padding and the encoded Base 64 .GIF gobbledygook, and the spam is carefully constructed to force the person handling it to open it to see what it is. Many times, a quick look at the subject line or the source code provides the necessary information for my routing decisions. As for whether agencies are doing anything about these spams, I can't help what they are doing or not doing, but try to feed the UCE's forward to someone who *could* do something about them, such as, in the case of stock-scamming "pump & dump" UCE's, the Securities and Exchange Commission, which usually returns at least an autoack. Some other LEO's and NGO's seem more or less inert. Miller-Smiles UK allegedly wants submissions concerning phishes but more often bounces; the only real signs of antiphishing life I've seen have come from Netcraft Toolbar, which is incentivizing the reportage of phishing URL's by passing out occasional door prizes. Microsoft Anti-Piracy snaps to with an autoack when spams offering cheep warez are forwarded, although Rolex's legal department has remained silent and unencouraging on the subject of cheap Chinese "Rolex" watches. 
I add Rolex as an info addee when forwarding those to the FBI, which has an anti-counterfeiting group interested in trademark infringement; they and Customs have occasionally raided companies doing business in those kinds of wares (and FEMA passed a lot of the seized contraband out to needy Orleanians after Hurricane "Katrina" -- China's contribution to hurricane relief!). Thanks for the information and the suggestions. Michael From jeffg at spamcop.net Tue Mar 14 11:05:12 2006 From: jeffg at spamcop.net (Jeff G.) Date: Tue Mar 14 11:10:04 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: Porpoise wrote: > "Jeff G." wrote in message > news:duj14i$4f9$1@news.spamcop.net... >> Anonymous wrote: >>> "Jeff G." wrote in message >>> Good advice, but as written, RFC 2142 doesn't advise. It requires. >>> And, in my opinion, it does so without any justification. >> Please feel free to take that up with D. Crocker, the Internet Mail >> Consortium, and/or the Network Working Group of the Internet >> Engineering Task Force that drafted and approved RFC 2142, and to >> write your own version with fewer addresses or less stringent >> language. But until you get that RFC changed or obsoleted, you will >> be expected to comply with it. > If and when it ever _actually_ becomes a standard - of > course................. By that, do you mean that RFCs that are not adopted as Internet Standards do not need to be followed, or that you or some organization with which you are affiliated have or has a policy of only following Internet Standards? If so, please explain why. -- Thanks and Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From porpoise1954 at yahoo.co.uk Tue Mar 14 16:15:04 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Mar 14 11:20:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? 
References: Message-ID: "Don Wannit" wrote in message news:dv5fuh$2mq$1@news.spamcop.net... > > > The concern here is that spamtrap addresses are > discoverable -- in fact, that's exactly how they > end up on spammers' lists; if they were not discoverable > they would not be of much use. All email addresses are "discoverable" but having "discovered" an address is one thing; knowing that a particular address (assuming that one of the smappers would actually read every single address that they farm ) is a spamtrap address is something else and extremely improbable. > It is quite simple to > find spamtrap addresses if you know where to look, and > know that they are spamtraps. Email address scrapers > typically just gather the address, and don't care where it > comes from. If someone knows the kinds of places that > spamtrap addresses are typically hidden for scrapers to > find, then it's trivial to find one and maliciously > send it in a subscription request to a mailing list. Extremely improbable. > > Other spamtraps may not be so resilient, and the ones that > add an IP to a blocklist on a single hit and make it nearly > impossible to get off are the ones that are worrisome, > and make an inviting resource for a denial-of-service > attack. In what way (by what mechanism) would a BL listing contribute to a DOS attack? On the other hand, spammers sending thousands of emails with forged From: addresses to addresses they know have autoresponders can instigate DOS attacks against the inboxes of those forged From: addresses, by getting the autoresponder to flood their mailboxes with thousands or even millions of emails in very short periods - thereby rendering them unusable; vis-a-vis Denial Of Service. Or another mechanism for DOS is when a ne'erdogood uses an automated script to keep loading a webpage with lots of images on it, thereby overloading the server and making it impossible for other users to access the site. 
There are other mechanisms, but I haven't seen any yet that could be instigated/result from an IP finding itself listed on a BL. If a mailserver admin decides to block the receipt of email from a particular sending IP (based on any number of factors, including, but not limited to, the use of any particular BL), that is his decision. It has nothing to do with whoever "compiles" the list, and it doesn't constitute a DOS. From porpoise1954 at yahoo.co.uk Tue Mar 14 16:58:50 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Mar 14 12:05:03 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Jeff G." wrote in message news:dv6pl6$oe0$1@news.spamcop.net... > Porpoise wrote: >> "Jeff G." wrote in message >> news:duj14i$4f9$1@news.spamcop.net... >>> Anonymous wrote: >>>> "Jeff G." wrote in message >>>> Good advice, but as written, RFC 2142 doesn't advise. It requires. >>>> And, in my opinion, it does so without any justification. >>> Please feel free to take that up with D. Crocker, the Internet Mail >>> Consortium, and/or the Network Working Group of the Internet >>> Engineering Task Force that drafted and approved RFC 2142, and to >>> write your own version with fewer addresses or less stringent >>> language. But until you get that RFC changed or obsoleted, you will >>> be expected to comply with it. >> If and when it ever _actually_ becomes a standard - of >> course................. > > By that, do you mean that RFCs that are not adopted as Internet > Standards do not need to be followed, or that you or some organization > with which you are affiliated have or has a policy of only following > Internet Standards? If so, please explain why. I mean that as the specifications and discussion documents that make up the RFCs actually become standards, then compliance becomes mandatory. Whilst they are still "suggested specifications" and "discussion" documents, they are not standards. 
I suggest you read the first few paragraphs of the document, where it says quite clearly -

"This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited."

From tyler at beloit.edu Tue Mar 14 11:32:07 2006
From: tyler at beloit.edu (Tim Tyler)
Date: Tue Mar 14 12:35:03 2006
Subject: [SpamCop-List] faking domain content?
Message-ID:

Spamcop experts,
We recently received a spamcop notification that one of the offending messages of spam contained a url that linked back to one of our ip addresses on our campus. That link obviously doesn't work. But the spammers evidently registered a domain address and entered in one of our local ip addresses for it to be resolved to. Hence people think we are related when we have nothing to do with it. Is there something that we can do to prevent a local ip address from being mapped to a domain name by an unwanted outsider?
Please cc: tyler@beloit.edu as I don't often read the news group postings. -thanks!
Tim Tyler
Network Engineer - Beloit College

From nobody at devnull.spamcop.net Tue Mar 14 10:30:01 2006
From: nobody at devnull.spamcop.net (Eric)
Date: Tue Mar 14 13:30:04 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Porpoise wrote:
> All email addresses are "discoverable" but having "discovered" an
> address is one thing; knowing that a particular address (assuming that
> one of the smappers would actually read every single address that they
> farm) is a spamtrap address is something else and extremely improbable.
Not to go into too much detail, but some spamtrap addresses are accompanied by a comment warning innocent users not to send email to that address because it is a spamtrap. "Smappers" would ignore that comment. A human might spot that comment and think "Hmmm. That's interesting. I know how I can abuse that."

>
>
>>
>> Other spamtraps may not be so resilient, and the ones that
>> add an IP to a blocklist on a single hit and make it nearly
>> impossible to get off are the ones that are worrisome,
>> and make an inviting resource for a denial-of-service
>> attack.
>
>
> In what way (by what mechanism) would a BL listing contribute to a DOS
> attack?

Overloading a web server and flooding an inbox are not the only types of DOS. In the context of this thread, getting the output IP of a list server added to a DNSbl would be a Denial Of Service, would it not?

From porpoise1954 at yahoo.co.uk Tue Mar 14 18:57:28 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 14 14:00:07 2006
Subject: [SpamCop-List] Re: faking domain content?
References:
Message-ID:

"Tim Tyler" wrote in message news:dv6umr$rmg$1@news.spamcop.net...
> Spamcop experts,
> We recently received a spamcop notification that one of the offending
> messages of spam contained a url that linked back to one of our ip
> addresses on our campus. That link obviously doesn't work. But the
> spammers evidently registered a domain address and entered in one of our
> local ip addresses for it to be resolved to. Hence people think we are
> related when we have nothing to do with it. Is there something that we
> can do to prevent a local ip address from being mapped to a domain name by
> an unwanted outsider?
> Please cc: tyler@beloit.edu as I don't often read the news group
> postings. -thanks!
> Tim Tyler
> Network Engineer - Beloit College

Rather than talking hypothetically, let's have the IP and look at the actual facts.....
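Mike Easter's advice in the "Spam Receipts?" thread above (examine the unrendered message body first, then take the parts apart and decode the b64 separately) can be scripted. The following Python is an added example, not code from any poster or from SpamCop; the sample message, its `.invalid` hostnames and the `AUTOLOAD` attribute list are constructed assumptions.

```python
import base64
import hashlib
from email import message_from_string, policy
from html.parser import HTMLParser

# (tag, attribute) pairs a mail client may fetch on its own while rendering.
# Assumption: an illustrative list, not an exhaustive one.
AUTOLOAD = {
    ("img", "src"), ("input", "src"), ("iframe", "src"), ("script", "src"),
    ("embed", "src"), ("link", "href"), ("body", "background"),
    ("table", "background"), ("td", "background"),
}


class RefCollector(HTMLParser):
    """Collect URL-bearing attributes without rendering or fetching anything."""

    def __init__(self):
        super().__init__()
        self.beacons = []    # remote resources loaded on render (web bugs)
        self.embedded = []   # cid: references to parts inside the message
        self.links = []      # hrefs that only fire if the reader clicks

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        for name, value in attrs:
            if not value:
                continue
            url = value.strip()
            low = url.lower()
            if (tag, name) in AUTOLOAD:
                if low.startswith("cid:"):
                    self.embedded.append(url)
                elif low.startswith(("http://", "https://", "//")):
                    self.beacons.append(url)
            elif tag in ("a", "area") and name == "href":
                self.links.append(url)


def inspect_message(raw):
    """Parse raw message source and report what rendering it would touch."""
    msg = message_from_string(raw, policy=policy.default)
    report = {"beacons": [], "embedded": [], "links": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            collector = RefCollector()
            collector.feed(part.get_content())
            report["beacons"] += collector.beacons
            report["embedded"] += collector.embedded
            report["links"] += collector.links
        elif part.get_content_maintype() == "image":
            data = part.get_payload(decode=True)  # undoes the base64 only
            report["attachments"].append({
                "content_id": str(part.get("Content-ID", "")),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "magic_gif": data[:6] in (b"GIF87a", b"GIF89a"),
            })
    return report


# Constructed sample: a GIF header stub (not a viewable image) and a message
# with an embedded image wrapped in a link plus one remote 1x1 image.
GIF_STUB = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
SAMPLE = "\n".join([
    "From: sender@example.invalid",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/related; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/html; charset=us-ascii",
    "",
    '<html><body><a href="http://shop.example.invalid/?88">'
    '<img src="cid:pic1"></a>'
    '<IMG SRC="http://track.example.invalid/o.gif?u=rcpt42" width=1 height=1>'
    "</body></html>",
    "--b1",
    "Content-Type: image/gif",
    "Content-Transfer-Encoding: base64",
    "Content-ID: <pic1>",
    "",
    base64.b64encode(GIF_STUB).decode(),
    "--b1--",
    "",
])

if __name__ == "__main__":
    for key, value in inspect_message(SAMPLE).items():
        print(key, value)
```

An empty `beacons` list with only `cid:` references and click-only links matches the configuration described in the thread; any remote URL in `beacons` is a reason to keep the message unrendered.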
From MikeE at ster.invalid Tue Mar 14 11:08:57 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 14 14:10:03 2006
Subject: [SpamCop-List] Re: faking domain content?
References:
Message-ID:

Tim Tyler wrote:

> We recently received a spamcop notification that one of the offending
> messages of spam contained a url that linked back to one of our ip
> addresses on our campus.

If you received a notification, it has a link to a tracking url so that we can see what you are talking about instead of a vague description of something or other.

The tracking url looks like this http://www.spamcop.net/sc?id=z897512354z2440bc27bed7e9456f18167563c8bf03z and it can be used to access the original spamitem which was reported.

> That link obviously doesn't work.

What link? Why obviously doesn't work? I have no idea to what you are alluding. Except that it is a spamvertised url or perhaps an innocent bystander as a red herring or who knows what.

Having your IP reported as a spamvertised link does not endanger it as far as being SpamCop blocklisted, but it can cause it to be published on the statistics page and fed into the sc-surbl - a list of spamvertised sites which some people use as an aid to identifying spam.

> But the
> spammers evidently registered a domain address and entered in one of
> our local ip addresses for it to be resolved to. Hence people think
> we are related when we have nothing to do with it.

Somewhere along here it would be really useful to know what you are talking about.

> Is there
> something that we can do to prevent a local ip address from being
> mapped to a domain name by an unwanted outsider?

Huh? What are you talking about, exactly?

> Please cc: tyler@beloit.edu as I don't often read the news group
> postings.

IMO, if you don't want to read here, you shouldn't be posting here. My netiquette links tell me that sort of request is rude.

http://www.uwasa.fi/~ts/http/serveme.html Why "Reply by email, I don't read this newsgroup" gets flamed?
http://www.cs.tut.fi/~jkorpela/usenet/mail-responses.html Why you shouldn't ask for E-mail responses on Usenet

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Tue Mar 14 19:07:32 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 14 14:10:12 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

"Eric" wrote in message news:dv723a$thk$1@news.spamcop.net...

> Overloading a web server and flooding an inbox are not the only
> types of DOS. In the context of this thread, getting the output
> IP of a list server added to a DNSbl would be a Denial Of Service,
> would it not?

No, it wouldn't. In what way does it deny service?

If I, as a mailserver admin decide to use data from a BL (such as SCBL - or any number of other BLs) to block thousands of mails from a certain IP from getting into *my* mailboxes (as opposed to just tagging it into a spam folder), that is entirely my prerogative (and could actually be saving me from a DOS).

How does that constitute a DOS? How am I performing a DOS attack on you by not accepting all the shit being churned out by your servers? I'm not stopping anyone else from accepting them......

Speaking hypothetically of course ;-) I'm not accusing you personally of churning out all this crap! ;-)

From tmcgraw at spamcop.net Tue Mar 14 11:22:27 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Mar 14 14:25:03 2006
Subject: [SpamCop-List] Re: faking domain content?
In-Reply-To:
References:
Message-ID:

Tim Tyler wrote:
> Spamcop experts,
> We recently received a spamcop notification that one of the offending
> messages of spam contained a url that linked back to one of our ip addresses
> on our campus.

You were lucky. http://www.dnsreport.com/tools/dnsreport.ch?domain=beloit.edu sez one or more of your mailservers does not accept mail to abuse (perhaps because you're routing it through your Barracuda spam firewall?).
From wb8tyw at qsl.network Tue Mar 14 13:30:04 2006
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Tue Mar 14 14:35:04 2006
Subject: [SpamCop-List] Re: faking domain content?
References:
Message-ID:

In article , "Tim Tyler" writes:
> Spamcop experts,
> We recently received a spamcop notification that one of the offending
> messages of spam contained a url that linked back to one of our ip addresses
> on our campus. That link obviously doesn't work.

Did you inspect the machine that was assigned that I.P. address?

> But the spammers
> evidently registered a domain address and entered in one of our local ip
> addresses for it to be resolved to. Hence people think we are related when
> we have nothing to do with it. Is there something that we can do to prevent
> a local ip address from being mapped to a domain name by an unwanted
> outsider?

No.

And do not be so sure that you have nothing to do with the spam.

It has been a spammer technique for the past several years to host web servers on compromised computers and point throw-away domains at them. They have been seen to rotate the domain name assignments so that a different I.P address resolves for the same domain.

It has also been a spammer technique to host DNS servers on the compromised systems of other networks.

The above techniques make it very hard to totally shutdown a spammer site. It also makes the spammer invulnerable to DDOS attacks that some will attempt to do on the spammer's alleged web host.

There is at least one virus that is distributed by e-mail where the virus itself is not in the message, but the message contains a link that directs back to another infected computer.

If a spam or a virus linked back to your network, and it is not an obvious joe-job, then it is likely that you have an infected machine.

Now there are defensive measures that a network can take to make it unattractive or somewhat unusable for spammers to use compromised machines.

1. Block port 25 for outgoing connections to all but registered mail servers. If users need to access external mail servers, they should be using port 587 with encryption, or port 465 with encryption.

   If you are not doing that now, phase it in ASAP.

   And then monitor attempts to connect to port 25 for external mail servers, if an I.P. address makes several attempts, either the user has a configuration problem, or they have a malware infection.

   There is at least one type of malware in circulation that monitoring for unauthorized access to port 25 at the firewall is the only reliable way of detecting it. It is not being reliably detected by malware scans on the infected machines, and it will reload itself from other compromised machines if it is not totally eradicated. The only known sure method of eradicating this malware is to totally reload the infected machine from known good uninfected files.

2. Block port 53 for external queries except for your DNS servers.

   You are of course blocking ports 135-139 as a matter of standard practice.

   And you are monitoring to make sure that only your DHCP servers are present on your network of course.

3. Periodically rsync sbl-xbl.spamhaus.org, list.dsbl.org, and multihop.dsbl.org and see if any of your I.P. addresses are present. If you can not get rsync access to the entire sbl-xbl, some of its components are available that way.

4. Make sure that all WAP points are secure.

Unless you block all but registered mail servers and require a proxy server for external network access (which can be a pain), it is virtually impossible to prevent a spammer from hosting a web server on a compromised computer.

> Please cc: tyler@beloit.edu as I don't often read the news group
> postings. -thanks!

I am unable to comply with that at this time. Someone else may relay this to you though.
-John wb8tyw@qsl.network Personal Opinion Only From nobody at devnull.spamcop.net Tue Mar 14 10:20:20 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Tue Mar 14 14:40:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Don Wannit wrote > This is not the point. If a spamtrap automatically > adds a source IP to a blocklist, then it would be > trivial for someone to forge a subscription request > purporting to be from the spamtrap, and thereby get > the output IP for the mailing list added to the > blocklist when it sends that confirmation request. No. It would be far from trivial, because the bad guy doesn't know what addresses are spamtraps, and the mailing list won't accept subscriptions to what he does have, which is hundreds of thousands of harvested email addresses with a few spamtraps hidden among them. (and if the mailing list does send confirmations to hundreds of thousands of subscriptions all coming in at once it deserves to be listed). > I never said anything about huge numbers of addresses, Yes you did. You wrote "I said that the kinds of places the spamtrap addresses are hidden are well known, at least among certain circles. Like the people who gather them into the 'Million Email Addresses' CDs, and the people who put them out there to be gathered." Mentioning the people who put them out there to be gathered is a red herring; the spamtrap creators aren't going to subscribe mailing lists to their own spamtraps. Those who run them would very much like to identify and remove the spamtraps. Such a list would sell for a higher price. > or hiding a spamtrap address in a crowd of legitimate > addresses. I'm not sure where you got that concept. It is an inescapable consequence of the fact that it is easy to gather a crowd of legitimate addresses that include spamtrap address, but it is very, very hard to gather just the spamtrap addresses or to gather just the non-spamtrap addresses. 
> The concern here is that spamtrap addresses are
> discoverable -- in fact, that's exactly how they
> end up on spammers' lists; if they were not discoverable
> they would not be of much use. It is quite simple to
> find spamtrap addresses

So far you are correct; just gather email addresses using a spambot,
virus, etc. and you will find spamtrap addresses -- and a bunch of
non-spamtrap addresses as well, with no way to tell them apart.

>if you know where to look, and know that they are spamtraps.

You have presented no evidence that anyone knows where to look this is
so, or even a speculation as to how to differentiate between the two.

> Email address scrapers typically just gather the address, and don't care
> where it comes from.

If they could identify and remove the spamtraps, the list would command
a higher price.

> If someone knows the kinds of places that spamtrap addresses are
> typically hidden for scrapers to find, then it's trivial to find one

That is a tautology; they are easy to find if you know where they are.
Isn't everything easy to find if you know where it is?

> and maliciously send it in a subscription request to a mailing list.

Assuming that they can find and identify spamtraps. Which they can't,
unless the spamtrap creator is stupid. An intelligent spamtrap creator
will hide spamtraps in places where nobody knows to look, and will not
reveal the locations to anyone.

> Other spamtraps may not be so resilient, and the ones that
> add an IP to a blocklist on a single hit and make it nearly
> impossible to get off are the ones that are worrisome,
> and make an inviting resource for a denial-of-service
> attack.

Assuming that they can find and identify spamtraps. Do you have any
evidence that they can?

If your theory that spamtraps are easy to find were true, I would expect
to see many legitimate confirmed mailing lists listed; that would be an
effective way to damage the reputation of the blocklist in question. Has
anyone seen this?

I would also expect there to be lists-of-spamtraps for sale. Has anyone
seen such a list for sale?

>Richard has answered my concern, without revealing too
>much, by saying that while the SC spamtraps do not (and
>can not) filter out legitimate confirmation requests,
>a single spamtrap hit will not trigger a SC listing.

That should not have been sufficient to answer your concern. If your
theory is correct and spamtraps are easy to find and identify, it would
be a simple matter to subscribe ten or twenty of them to the same
mailing list over several hours and from different places.

We have been discussing how easy it is to hide a spamtrap and how hard
it is to find it. Now let's consider the available countermeasures if
one is found. Just off the top of my head I can think of several;

[1] Grep the incoming spam for addresses that are well-known mailing
    lists. Examine them and stop using the spamtrap if a single
    forge-subscription confirmation comes in. (leave the spamtrap up,
    just ignore what comes in to it; this wastes the time of anyone
    misusing it).

[2] Set up a process that looks for signs that a browser is looking at a
    page where you expect only spambots to be looking. Even if the bad
    guy makes his browser self-identify as being a spambot, real
    spambots will not typically download images or look at external CSS,
    JavaScript, or robots.txt files.

[3] Change the spamtrap from one unguessable email address to another
    unguessable email address as soon as it starts getting incoming
    spam. Now the bad guy looking for spamtraps has to find them before
    any of his spambots or his buddy's spambots find them.

[4] Every so often, close down one unguessable URL with a spamtrap on it
    and put up another unguessable URL elsewhere, changing the
    unguessable email address to another unguessable email address at
    the same time. Now the bad guy has to play whack-a-mole.

[5] Put random time delays before reporting on some spamtraps. This will
    make it a lot harder to identify spamtraps by doing a binary search
    and looking for addresses that result in an instant listing.

...and that's just what I can think of in three minutes.

--
G.M. ( G u y M a c o n )

From jeffg at spamcop.net Tue Mar 14 14:52:33 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Mar 14 14:55:01 2006
Subject: [SpamCop-List] Re: Domainsbyproxy
References:
Message-ID:

D. T. wrote:
> "RandallW" wrote in
> news:duolgu$hnr$1[at]news.spamcop.net:
>
>> Anyone have an opinion on this service? I sense irony that they
>> claim they protect people from spammers, since THEY seem to allow
>> spammers to use them!
>
> They're really GoDaddy. And yes, they do indeed allow spammers to hide
> behind their anonymous domain registrations....I've got proof. I've
> been in touch with the President's Office at GoDaddy over this and
> they've not taken any action against the offenders.

That is interesting in light of the following (munged for the web):

Received: from smtpout13-02.prod.mesa1.secureserver.net ([68.178.232.6])
  (envelope-sender ) by mx.my.domain (qmail-ldap-1.03) with SMTP
  for ; 14 Mar 2006 17:11:38 -0000
Received: (qmail 30077 invoked from network); 14 Mar 2006 17:11:38 -0000
Received: from unknown (HELO 5wldf91) (172.16.44.155)
  by smtpout13-02.prod.mesa1.secureserver.net with SMTP; 14 Mar 2006 17:11:38 -0000
Reply-To:
From: "Godaddy Spam and Abuse Dept "
To: "'Abuse Desk'"
Subject: RE: [spam subject line]
Date: Tue, 14 Mar 2006 10:11:33 -0700
Organization: Go Daddy Spam and Abuse Dept.
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
thread-index: AcZHeroS+eN+lrjaQI64nElb1Hc2qwADzvDw
In-Reply-To: <008d01c6477a$a5877ce0$af10a8c0[at]testarmada>
X-Nonspam: IP whitelist 68.178.232.6
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=us-ascii

Dear Abuse Desk,

When you submitted your spam complaint against the hyipranks.com domain
name you omitted or "munged" the email address that received the
offending message from the email headers that you submitted. I am sure
that this was done intentionally to hide this information from potential
spammers. This is understandable and practiced by many individuals that
submit spam complaint to Go Daddy and post offending messages to the
anti-spam newsgroups.

Occasionally a situation arises where we require the accused party to
provide opt-in information for the individual that they sent the
offending message to. This is the case for hyipranks.com. Can you supply
the email address that received the offending message? This information
will be passed on to the registrant with a warning that if they abuse
the privilege of receiving this information in any way, their domain
name will be immediately cancelled.

If you have questions regarding this request please reply to this
message or call me directly at 480-505-8800 extension 434.

Thank you for your cooperation.

Sincerely,
Spam and Abuse Department
GoDaddy.com
ARID117

-----Original Message-----
[copy of what I sent]

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jeffg at spamcop.net Tue Mar 14 15:00:32 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Mar 14 15:05:02 2006
Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@
References:
Message-ID:

Porpoise wrote:
> "Jeff G." wrote in message
> news:dv6pl6$oe0$1@news.spamcop.net...
>> Porpoise wrote:
>>> "Jeff G." wrote in message
>>> news:duj14i$4f9$1@news.spamcop.net...
>>>> Anonymous wrote:
>>>>> "Jeff G." wrote in message
>>>>> Good advice, but as written, RFC 2142 doesn't advise. It
>>>>> requires. And, in my opinion, it does so without any
>>>>> justification.
>>>> Please feel free to take that up with D. Crocker, the Internet Mail
>>>> Consortium, and/or the Network Working Group of the Internet
>>>> Engineering Task Force that drafted and approved RFC 2142, and to
>>>> write your own version with fewer addresses or less stringent
>>>> language. But until you get that RFC changed or obsoleted, you
>>>> will be expected to comply with it.
>>> If and when it ever _actually_ becomes a standard - of
>>> course.................
>> By that, do you mean that RFCs that are not adopted as Internet
>> Standards do not need to be followed, or that you or some
>> organization with which you are affiliated have or has a policy of
>> only following Internet Standards? If so, please explain why.
> I mean that as the specifications and discussion documents that make
> up the RFCs actually become standards, then compliance becomes
> mandatory. Whilst they are still "suggested specifications" and
> "discussion" documents, they are not standards. I suggest you read
> the first few paragraphs of the document, where it says quite clearly
> -
>
> "This document specifies an Internet standards track protocol for the
> Internet community, and requests discussion and suggestions for
> improvements. Please refer to the current edition of the "Internet
> Official Protocol Standards" (STD 1) for the standardization state
> and status of this protocol. Distribution of this memo is
> unlimited."

Please answer the question I posed. Is that a "yes" or a "no"?

--
Thanks and Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From nobody at devnull.spamcop.net Tue Mar 14 12:12:12 2006
From: nobody at devnull.spamcop.net (Eric)
Date: Tue Mar 14 15:15:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Porpoise wrote:
>
> "Eric" wrote in message
> news:dv723a$thk$1@news.spamcop.net...
>
>> Overloading a web server and flooding an inbox are not the only
>> types of DOS. In the context of this thread, getting the output
>> IP of a list server added to a DNSbl would be a Denial Of Service,
>> would it not?
>
>
> No, it wouldn't. In what way does it deny service? If I, as a
> mailserver admin decide to use data from a BL (such as SCBL - or any
> number of other BLs) to block thousands of mails from a certain IP from
> getting into *my* mailboxes (as opposed to just tagging it into a spam
> folder), that is entirely my prerogative (and could actually be saving
> me from a DOS). How does that constitute a DOS? How am I performing a
> DOS attack on you by not accepting all the shit being churned out by
> your servers? I'm not stopping anyone else from accepting them......

Whoa, stop with the knee-jerk reaction! Why is there this culture of
"any criticism, no matter how constructive, is prima facie evidence of a
spammer"??

True, you are not preventing others from receiving email from the list's
outgoing server, but you are exploiting the fact that many admins do
misuse the SCBL, and many list members are not in control of the
configuration of their email system(s). In the knowledge that some
number of list members are likely to be subject to admins who DO in fact
use BL data to block email, you are constructively performing a DOS on
the list affecting at least part of its readership.

>
> Speaking hypothetically of course ;-) I'm not accusing you personally
> of churning out all this crap! ;-)

What makes you think I am churning out anything?
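The port 25 monitoring that John E. Malmberg's post in the "faking domain content?" thread above recommends (step 1) can be run over firewall logs as sketched here. This is an added example, not part of any poster's message; the campus network, the registered mail server, the threshold for "several attempts", the hint wording and the log lines are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions for illustration only (none of these values come from the post).
CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")
REGISTERED_MAIL_SERVERS = {ipaddress.ip_address("10.20.0.25")}
SEVERAL = 3  # how many attempts count as "several"

# Matches the SRC/DST/DPT fields of an iptables-style LOG line.
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=TCP SPT=\d+ DPT=(\d+)")

# Constructed sample log: outbound TCP SYNs seen at the border firewall.
SAMPLE_LOG = """\
Mar 14 13:30:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.0.25 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41000 DPT=25 SYN
Mar 14 13:30:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.0.25 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=41001 DPT=25 SYN
Mar 14 13:30:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.5.77 DST=198.51.100.1 LEN=60 PROTO=TCP SPT=1050 DPT=25 SYN
Mar 14 13:30:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.5.77 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=1051 DPT=25 SYN
Mar 14 13:30:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.5.77 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=1052 DPT=25 SYN
Mar 14 13:30:06 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.5.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=1053 DPT=25 SYN
Mar 14 13:30:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.8.14 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=2200 DPT=25 SYN
Mar 14 13:30:37 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.8.14 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=2201 DPT=25 SYN
Mar 14 13:31:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.8.14 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=2202 DPT=25 SYN
Mar 14 13:31:08 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.9.3 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=3300 DPT=587 SYN
Mar 14 13:31:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.9.3 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=3301 DPT=587 SYN
Mar 14 13:31:10 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.9.3 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=3302 DPT=587 SYN
Mar 14 13:31:11 fw kernel: IN=eth1 OUT=eth0 SRC=10.20.7.1 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=4400 DPT=25 SYN
Mar 14 13:31:12 fw kernel: truncated line SRC=10.20.5.77
"""


def parse_line(line):
    """Return (src, dst, dport) for a TCP log line, or None if unparsable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        return (ipaddress.ip_address(m.group(1)),
                ipaddress.ip_address(m.group(2)),
                int(m.group(3)))
    except ValueError:
        return None


def find_suspects(log_text, several=SEVERAL):
    """Report campus hosts that made several port 25 attempts to outside hosts.

    Registered mail servers and submission ports (587, 465) are ignored.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport != 25:
            continue  # 587/465 are the permitted submission ports
        if src not in CAMPUS_NET or dst in CAMPUS_NET:
            continue  # only campus-to-external connections matter here
        if src in REGISTERED_MAIL_SERVERS:
            continue
        attempts[src].append(dst)

    report = {}
    for src, dsts in attempts.items():
        if len(dsts) < several:
            continue
        distinct = len(set(dsts))
        # Heuristic hint (an assumption): the post only says the cause is
        # either a configuration problem or a malware infection.
        hint = ("many different mail servers: check for malware"
                if distinct >= several
                else "same server retried: check mail client configuration")
        report[str(src)] = {"attempts": len(dsts),
                            "destinations": distinct,
                            "hint": hint}
    return report


if __name__ == "__main__":
    for host, info in sorted(find_suspects(SAMPLE_LOG).items()):
        print(host, info)
```
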
From redford_stone at INVERSE_OF_COLDmail.com Tue Mar 14 21:32:36 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Tue Mar 14 16:35:04 2006
Subject: [SpamCop-List] [MEDIA] 419er Mugged by Rubbers
Message-ID:

http://www.theregister.co.uk/2006/03/13/419_rubber_tragedy/

Just when you think that 419 scams couldn't become more stupid.

From nobody at devnull.spamcop.net Tue Mar 14 12:08:47 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Tue Mar 14 17:25:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Eric wrote...

> Not to go into too much detail, but some spamtrap addresses
> are accompanied by a comment warning innocent users not to
> send email to that address because it is a spamtrap. "Smappers"
> would ignore that comment. A human might spot that comment and
> think "Hmmm. That's interesting. I know how I can abuse that."

Doing a quick Google search, I see a lot of what appear to be abusable
spamtraps, but of course I have no way of knowing whether any of them
are associated with a BL instead of an individual.

http://www.google.com/search?q=do-not-send-email-to-this+spam-trap

Not knowing the details, in my opinion SC spamtraps should be made easy
to find by spambots and hard to find by humans, using techniques such as
making it not display using the CSS display Property, putting it on a
tiny image, overlaying it with an image, tiny textsize, white-on-white,
locating it 32,000 pixels to the right, etc. One can also hide the links
to the page the spamtrap is on using many of the same techniques.

> Overloading a web server and flooding an inbox are not the only
> types of DOS. In the context of this thread, getting the output
> IP of a list server added to a DNSbl would be a Denial Of Service,
> would it not?

It would indeed deny someone access to a service, but a different term
should be used, because "Denial Of Service" normally refers to denial at
the attacked server, not some other servers deciding to not accept
traffic from the attacked server. Either way, it is a Bad Thing and is
an attack on the reputation of the DNSbl as well as the target. That's
why I don't think the spamtraps should be visible to humans.

G.M.

From nobody at devnull.spamcop.net Tue Mar 14 15:12:54 2006
From: nobody at devnull.spamcop.net (Eric)
Date: Tue Mar 14 18:15:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Anonymous wrote:
> Eric wrote...
>
>>Overloading a web server and flooding an inbox are not the only
>>types of DOS. In the context of this thread, getting the output
>>IP of a list server added to a DNSbl would be a Denial Of Service,
>>would it not?
>
>
> It would indeed deny someone access to a service, but a different
> term should be used, because "Denial Of Service" normally refers
> to denial at the attacked server, not some other servers deciding
> to not accept traffic from the attacked server. Either way, it is
> a Bad Thing and is an attack on the reputation of the DNSbl as well
> as the target. That's why I don't think the spamtraps should be
> visible to humans.

There are many mechanisms to cause the denial of or inability to deliver
services. Bludgeoning the server is only one of them.

There have been times (mostly pre-Akamai) during which SC users were
effectively denied SC services because of DNS issues. Are you saying
that the term "DOS" could only be applied to the DNS servers, and not to
SC?

Would you prefer the term "Partial Denial Of Service To Some Downstream
Consumers Through Indirect Means"?
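Countermeasure [2] from G.M.'s earlier post in this thread (watching for a browser on a page where only spambots are expected) can be checked against a web server access log as sketched here. This is an added example, not part of any poster's message; the trap page path, host name, user-agent strings and log lines are constructed assumptions, and the log is assumed to be in Apache combined format.

```python
import re
from collections import defaultdict

# Hypothetical path of the page that carries the spamtrap address.
TRAP_PATH = "/staff-list-7f3a.html"
# Sub-resources a harvester normally skips but a browser fetches.
ASSET_SUFFIXES = (".css", ".js", ".png", ".gif", ".jpg")

# Apache combined log format: client, request path and Referer are captured.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" \d{3} \S+ '
    r'"([^"]*)" "[^"]*"'
)

# Constructed sample log. Note that 198.51.100.23 claims a harvester
# User-Agent, which is why the User-Agent field is deliberately ignored.
SAMPLE_LOG = '''\
203.0.113.50 - - [14/Mar/2006:12:01:10 -0800] "GET /staff-list-7f3a.html HTTP/1.0" 200 2310 "-" "ExampleHarvester/0.1"
198.51.100.23 - - [14/Mar/2006:12:08:47 -0800] "GET /staff-list-7f3a.html HTTP/1.1" 200 2310 "-" "ExampleHarvester/0.1"
198.51.100.23 - - [14/Mar/2006:12:08:48 -0800] "GET /style/main.css HTTP/1.1" 200 812 "http://www.example.edu/staff-list-7f3a.html" "ExampleHarvester/0.1"
198.51.100.23 - - [14/Mar/2006:12:08:48 -0800] "GET /img/logo.gif HTTP/1.1" 200 4096 "http://www.example.edu/staff-list-7f3a.html" "ExampleHarvester/0.1"
192.0.2.77 - - [14/Mar/2006:12:15:00 -0800] "GET /robots.txt HTTP/1.1" 200 68 "-" "ExampleBrowser/1.0"
192.0.2.77 - - [14/Mar/2006:12:15:02 -0800] "GET /staff-list-7f3a.html HTTP/1.1" 200 2310 "-" "ExampleBrowser/1.0"
192.0.2.90 - - [14/Mar/2006:12:20:00 -0800] "GET /index.html HTTP/1.1" 200 5120 "-" "ExampleBrowser/1.0"
192.0.2.90 - - [14/Mar/2006:12:20:01 -0800] "GET /style/main.css HTTP/1.1" 200 812 "http://www.example.edu/index.html" "ExampleBrowser/1.0"
'''


def parse(line):
    """Return (client, path, referer) or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def browser_like_visitors(log_text):
    """Map each client that viewed the trap page AND behaved unlike a
    harvester to the sorted list of requests that gave it away."""
    trap_clients = set()
    evidence = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        client, path, referer = rec
        if path == TRAP_PATH:
            trap_clients.add(client)
        elif path == "/robots.txt":
            evidence[client].add(path)
        elif (path.lower().endswith(ASSET_SUFFIXES)
              and referer.endswith(TRAP_PATH)):
            # Asset fetched while rendering the trap page itself.
            evidence[client].add(path)
    return {c: sorted(evidence[c]) for c in trap_clients if evidence[c]}


if __name__ == "__main__":
    for client, paths in sorted(browser_like_visitors(SAMPLE_LOG).items()):
        print(client, paths)
```

A client reported here is a candidate for the responses listed in the same post: ignore what arrives at that trap address, or rotate the address and URL.
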
From tmcgraw at spamcop.net Tue Mar 14 15:34:27 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Mar 14 18:35:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Eric wrote: > Anonymous wrote: >> Eric wrote... >> >>> Overloading a web server and flooding an inbox are not the only >>> types of DOS. In the context of this thread, getting the output >>> IP of a list server added to a DNSbl would be a Denial Of Service, >>> would it not? >> >> It would indeed deny someone access to a service, but a different >> term should be used, because "Denial Of Service" normally refers >> to denial at the attacked server, not some other servers deciding >> to not accept traffic from the attacked server. Either way, it is >> a Bad Thing and is an attack on the reputation of the DNSbl as well >> as the target. That's why I don't think the spamtraps should be >> visible to humans. > > There are many mechanisms to cause the denial of or inability > to deliver services. Bludgeoning the server is only one of them. If you could point to a definition that supports this definition of DoS this then this might be worth discussing. However, every definition I see defines a DoS attack as an intentional overload of requests in order to consume the bandwidth of the victim's network or computational resources. BLs don't do that, and you saying it's still a DoS doesn't make it so. From tmcgraw at spamcop.net Tue Mar 14 15:35:53 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Mar 14 18:40:04 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Eric wrote: > Anonymous wrote: > >> Eric wrote... >> >>> Overloading a web server and flooding an inbox are not the only >>> types of DOS. In the context of this thread, getting the output >>> IP of a list server added to a DNSbl would be a Denial Of Service, >>> would it not? 
>> >> >> It would indeed deny someone access to a service, but a different >> term should be used, because "Denial Of Service" normally refers >> to denial at the attacked server, not some other servers deciding >> to not accept traffic from the attacked server. Either way, it is >> a Bad Thing and is an attack on the reputation of the DNSbl as well >> as the target. That's why I don't think the spamtraps should be >> visible to humans. > > There are many mechanisms to cause the denial of or inability > to deliver services. Bludgeoning the server is only one of them. If you could point to reputable Web site that supports this definition of DoS then this might be worth discussing. However, every definition I see defines a DoS attack as an intentional overload of requests in order to consume the bandwidth of a victim's network or computational resources. BLs don't do that, and you saying it's still a DoS doesn't make it so. From nobody at devnull.spamcop.net Tue Mar 14 15:36:07 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Tue Mar 14 18:40:14 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Eric wrote... > There are many mechanisms to cause the denial of or inability > to deliver services. Bludgeoning the server is only one of them. > > There have been times (mostly pre-Akamai) during which SC users > were effectively denied SC services because of DNS issues. Are > you saying that the term "DOS" could only be applied to the > DNS servers, and not to SC? Excellent point. I retract my earlier statement. G.M. From nobody at devnull.spamcop.net Tue Mar 14 15:51:07 2006 From: nobody at devnull.spamcop.net (Eric) Date: Tue Mar 14 18:55:04 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Tim McGraw wrote: > Eric wrote: > >> There are many mechanisms to cause the denial of or inability >> to deliver services. 
Bludgeoning the server is only one of them. > > > If you could point to a definition that supports this definition of DoS > this then this might be worth discussing. However, every definition I > see defines a DoS attack as an intentional overload of requests in order > to consume the bandwidth of the victim's network or computational > resources. How about CERT? http://www.cert.org/tech_tips/denial_of_service.html Description This document provides a general overview of attacks in which the primary goal of the attack is to deny the victim(s) access to a particular resource. Included is information that may help you respond to such an attack. A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include * attempts to "flood" a network, thereby preventing legitimate network traffic * attempts to disrupt connections between two machines, thereby preventing access to a service * attempts to prevent a particular individual from accessing a service * attempts to disrupt service to a specific system or person Please look at the last 3 definitions. All 3 support my use of the term DoS in this context. > BLs don't do that, and you saying it's still a DoS doesn't make it so. Knee-jerk reaction again. Until you did just now, no one claimed that the DNSbl was doing a DoS. The discussion is about how a someone could exploit a revealed spamtrap to effectively deny service to a list ("service" == "IP not listed in blocklist") or to one or more readers ("service" == "incoming email unimpeded by admin misusing DNSbl"). From porpoise1954 at yahoo.co.uk Tue Mar 14 23:50:29 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Mar 14 18:55:14 2006 Subject: [SpamCop-List] Re: RFC 2142 and sales@, support@, webmaster@ References: Message-ID: "Jeff G." wrote in message news:dv77d1$1h0$1@news.spamcop.net... > Porpoise wrote: >> "Jeff G." 
wrote in message >> news:dv6pl6$oe0$1@news.spamcop.net... >>> Porpoise wrote: >>> By that, do you mean that RFCs that are not adopted as Internet >>> Standards do not need to be followed, or that you or some >>> organization with which you are affiliated have or has a policy of >>> only following Internet Standards? If so, please explain why. >> I mean that as the specifications and discussion documents that make >> up the RFCs actually become standards, then compliance becomes >> mandatory. Whilst they are still "suggested specifications" and >> "discussion" documents, they are not standards. I suggest you read >> the first few paragraphs of the document, where it says quite clearly >> - >> >> "This document specifies an Internet standards track protocol for the >> Internet community, and requests discussion and suggestions for >> improvements. Please refer to the current edition of the "Internet >> Official Protocol Standards" (STD 1) for the standardization state >> and status of this protocol. Distribution of this memo is >> unlimited." > > Please answer the question I posed. Is that a "yes" or a "no"? It's not a yes or no question. Which RFCs are followed in practice can depend on what they are related to, whether they have actually become standards in terms of operational issues and what the current state of whatever the particular RFC relates to in terms of the current actual real-world situation is. The current situation regarding rejection/belated bounces being a point in question........ Also, different rules, regulations and privacy laws, etc. prevail in different jurisdictions. From porpoise1954 at yahoo.co.uk Wed Mar 15 00:00:15 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Mar 14 19:05:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: "Anonymous" wrote in message news:dv7k1t$8lb$1@news.spamcop.net... > > Eric wrote... 
> >> There are many mechanisms to cause the denial of or inability >> to deliver services. Bludgeoning the server is only one of them. >> >> There have been times (mostly pre-Akamai) during which SC users >> were effectively denied SC services because of DNS issues. Are >> you saying that the term "DOS" could only be applied to the >> DNS servers, and not to SC? > > Excellent point. I retract my earlier statement. Hmm..... I think you'll find that there's a world of difference between a service being unavailable to to some service/hardware breakdown and a service being unobtainable due to malicious intervention by third parties. The former would be termed a service breakdown, the latter would be a Denial Of Service attack....... From nobody at devnull.spamcop.net Tue Mar 14 16:24:24 2006 From: nobody at devnull.spamcop.net (Eric) Date: Tue Mar 14 19:25:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Porpoise wrote: > Hmm..... I think you'll find that there's a world of difference between > a service being unavailable to to some service/hardware breakdown and a > service being unobtainable due to malicious intervention by third > parties. The former would be termed a service breakdown, the latter > would be a Denial Of Service attack....... Where did a hardware breakdown come into it? We're talking malicious deliberate action, not a bug/glitch/failure. From porpoise1954 at yahoo.co.uk Wed Mar 15 00:50:48 2006 From: porpoise1954 at yahoo.co.uk (Porpoise) Date: Tue Mar 14 19:55:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: "Eric" wrote in message news:dv7mrp$aej$1@news.spamcop.net... > Porpoise wrote: > >> Hmm..... 
I think you'll find that there's a world of difference between a >> service being unavailable to to some service/hardware breakdown and a >> service being unobtainable due to malicious intervention by third >> parties. The former would be termed a service breakdown, the latter would >> be a Denial Of Service attack....... > > Where did a hardware breakdown come into it? We're talking > malicious deliberate action, not a bug/glitch/failure. It came into it here: > Eric wrote... >> There have been times (mostly pre-Akamai) during which SC users >> were effectively denied SC services because of DNS issues. Are you not reading your own posts? From avoozl at spamcop.net Tue Mar 14 16:55:19 2006 From: avoozl at spamcop.net (Chris F. Willoughby) Date: Tue Mar 14 19:55:13 2006 Subject: [SpamCop-List] nomaster again Message-ID: See http://www.spamcop.net/sc?id=z897709474zb1f0d9e028b9a458726921c106b7b233z Is this a lacnic problem or is it somewhere else? Chris From tmcgraw at spamcop.net Tue Mar 14 17:11:06 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Tue Mar 14 20:15:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Eric wrote: > How about CERT? http://www.cert.org/tech_tips/denial_of_service.html > > Description > > This document provides a general overview of attacks in which the primary goal of the attack is to deny the victim(s) access to a particular resource. Included is information that may help you respond to such an attack. > > A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. 
Examples include > > * attempts to "flood" a network, thereby preventing legitimate > network traffic > * attempts to disrupt connections between two machines, thereby > preventing access to a service > * attempts to prevent a particular individual from accessing a > service > * attempts to disrupt service to a specific system or person > > > Please look at the last 3 definitions. All 3 support my use of the > term DoS in this context. Disrupting a list hardly rises to anything discussed on that page. It's more like a denial of convenience; there is no guarantee to any list operator that their mail/posts will reach all recipients. Eric wrote: > Until you did just now, no one claimed that > the DNSbl was doing a DoS. > Don Wannit wrote: >> Other spamtraps may not be so resilient, and the ones that >> add an IP to a blocklist on a single hit and make it nearly >> impossible to get off are the ones that are worrisome, >> and make an inviting resource for a denial-of-service >> attack. The DNSbl is the cause of the so-called denial; the abused spamtrap is just the lever for that action. Eric wrote: > The discussion is about how a someone could > exploit a revealed spamtrap to effectively deny service to a list > ("service" == "IP not listed in blocklist") or to one or more readers > ("service" == "incoming email unimpeded by admin misusing DNSbl"). So, you're saying that the admin misusing a DNSbl filter is conducting a DoS? While the list suffers by not being able to deliver to all of its alleged subscribers, wouldn't the admin basically be "denying" a service to hir own users? From MikeE at ster.invalid Tue Mar 14 17:36:45 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Mar 14 20:40:02 2006 Subject: [SpamCop-List] Re: nomaster again References: Message-ID: Chris F. 
Willoughby wrote: www.spamcop.net/sc?id=z897709474zb1f0d9e028b9a458726921c106b7b233z This is about the spamcop listed .br spamsource 201.41.195.189 no rDNS which SC sez Re: 201.41.195.189 (Administrator of network where email originates) nomaster@devnull.spamcop.net > Is this a lacnic problem or is it somewhere else? Well, it is one of those things a human can do better than an algorithm. SC wants to go from arin to lacnic, then at lacnic SC wants lacnic to give an addy for BTA17 which is the nic-hdl for the abuse contact. abuse-c: BTA17 but lacnic doesn't have that email information on record. A human knows to go to whois.registro.br - a subset of lacnic which pertains to this ,br IP block. But, it turns out that even the IP block information at registro.br doesn't have the BTA17 email address. So, a human can say, 'Hmmm. Let me see what else I can do.' So then the human decides to see if the strategy of using the AS8167 at registro.br will work. Which it does. It shows not only BTA17 but also another one which cropped up, BTC14 which is considered the owner/tech contact for the /15 block, even at lacnic whois -h whois.lacnic.net 201.41.195.189 inetnum: 201.40/15 aut-num: AS8167 abuse-c: BTA17 owner-c: BTC14 tech-c: BTC14 whois -h whois.registro.br as8167 nic-hdl-br: BTA17 person: Brasil Telecom S. A - Abuso e-mail: abuse@noc.brasiltelecom.net.br nic-hdl-br: BTC14 person: Brasil Telecom S. A. - CNRS e-mail: suporte@noc.brasiltelecom.net.br -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Mar 14 17:48:49 2006 From: nobody at devnull.spamcop.net (Eric) Date: Tue Mar 14 20:50:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Tim McGraw wrote: > While the list suffers by not being able to deliver to all of its > alleged subscribers, wouldn't the admin basically be "denying" a service > to hir own users? You know what? This whole side issue is irrelevant. 
Fine, it's not a DoS, let's just call it a "Fred Job". It's not worth arguing about the term to use to describe it. Not when that's a diversion to avoid discussing an issue.

It's just a harmless prank that causes inconvenience to others. No skin off anyone's nose. Boys will be boys, after all. Just part of modern life.

From tmcgraw at spamcop.net Tue Mar 14 17:54:26 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Tue Mar 14 20:55:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Eric wrote:
> Tim McGraw wrote:
>
>> While the list suffers by not being able to deliver to all of its
>> alleged subscribers, wouldn't the admin basically be "denying" a
>> service to hir own users?
>
> You know what? This whole side issue is irrelevant. Fine, it's
> not a DoS, let's just call it a "Fred Job". It's not worth arguing
> about the term to use to describe it. Not when that's a diversion to
> avoid discussing an issue.
>
> It's just a harmless prank that causes inconvenience to others. No
> skin off anyone's nose. Boys will be boys, after all. Just part
> of modern life.

Thank the spammers.

From MikeE at ster.invalid Tue Mar 14 19:08:18 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 14 22:10:03 2006
Subject: [SpamCop-List] Re: nomaster again
References:
Message-ID:

Jeff G. wrote:
> Chris F. Willoughby wrote:
>> Is this a lacnic problem or is it somewhere else?
> It's a combination problem.

I would say that the problem is much more that of lacnic's output being excessive than anything else.

I did this again and this time I used both SamSpade for Win and NetDemon's Win console for the whois, whereas before I had only used SS.
With SS's, the output for both lacnic and registro.br on the IP was 'excessive' so they were both cut off before completion, and SS's console didn't say anything, it was just abruptly ended on both of them before getting down to the addies for the BTA17 or BTC14

With NetDemon's console, the information was more satisfactory and 'proper' for the whois on the IP for both lacnic and registro.br

In the case of lacnic, the cutoff of the long and excessive output was 'announced':

Answer from RIR truncated --- connection closed

... and so the information which would have been found at the 'bottom', namely the addies for the abuse and owner/tech wasn't found.

In the case of registro.br, NetDemon provided sufficient 'room' or buffer for registro's response so that I could find the email addies for both BTA17 and BTC14 'down there', because registro.br's output was shorter or less than lacnic's.

So, it turned out that it actually wasn't necessary to use the 'convenience' of the AS8167 information if you have sufficient buffer in the whois console making the query, and if registro.br were queried instead of lacnic.

But, even tho' the buffer in NetDemon was considerably more than SS's, 'something' shut down or truncated the lacnic RIR answer before it was completed. And whatever that mechanism is for aborting the lacnic output must've been operative for SC as well.

--
Mike Easter
kibitzer, not SC admin

From edb2000 at spamcop.net Tue Mar 14 23:09:46 2006
From: edb2000 at spamcop.net (Don Wannit)
Date: Wed Mar 15 02:10:15 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Anonymous wrote:
> Don Wannit wrote
>
>
>>This is not the point.
If a spamtrap automatically >>adds a source IP to a blocklist, then it would be >>trivial for someone to forge a subscription request >>purporting to be from the spamtrap, and thereby get >>the output IP for the mailing list added to the >>blocklist when it sends that confirmation request. > > No. It would be far from trivial, because the bad guy > doesn't know what addresses are spamtraps, and the > mailing list won't accept subscriptions to what he > does have, which is hundreds of thousands of harvested > email addresses with a few spamtraps hidden among them. > (and if the mailing list does send confirmations to > hundreds of thousands of subscriptions all coming in > at once it deserves to be listed). > The forging of an email sender address *is* trivial. That should be understood by any reader of this newsgroup. > >>I never said anything about huge numbers of addresses, > > > Yes you did. You wrote "I said that the kinds of places > the spamtrap addresses are hidden are well known, at > least among certain circles. Like the people who > gather them into the 'Million Email Addresses' CDs, > and the people who put them out there to be gathered." You are reading the words but not the sentence. The *kinds of places* are known to the people who compile the mass lists of addresses, because they are the kinds of places where email addresses can be harvested. Those people don't know for sure that a specific address is a spamtrap unless they look at its context, and their robots do not look at context. A different kind of person, even some of the readers of this newsgroup, *do* know the kinds of places where spamtrap addresses in particular, not real legitimate email addresses, are strewn. I strongly doubt that I am the only reader of this newsgroup who knows one specific place for certain where SpamCop spamtrap email addresses are placed to be found by harvesters. I never said that a prankster would need to send bogus subscriptions for all the addresses on a CD. 
I said that the people who make those CDs know the *kinds* of places to look for addresses. If they wrote their harvesting robots to be smarter than just looking for a string containing '@', it is certainly plausible to evaluate the context of that string to classify it as a potential spamtrap. Some of those addresses are labeled quite clearly and blatantly as spamtrap addresses. The robots ignore that labeling, which could lead to the address being included in a list of addresses. That's not what I'm talking about. (or writing about) > > Mentioning the people who put them out there to be > gathered is a red herring; the spamtrap creators aren't > going to subscribe mailing lists to their own spamtraps. > Those who run them would very much like to identify and > remove the spamtraps. Such a list would sell for a > higher price. This argument is a non sequitur. Or an even redder herring. > > >>or hiding a spamtrap address in a crowd of legitimate >>addresses. I'm not sure where you got that concept. > > > It is an inescapable consequence of the fact that it > is easy to gather a crowd of legitimate addresses that > include spamtrap address, but it is very, very hard to > gather just the spamtrap addresses or to gather just > the non-spamtrap addresses. I just did a simple Google search for a particular phrase, and got a list of 19 likely spamtrap addresses, just by looking for a phrase which is often nearby a spamtrap address left out for harvesting. No, I will not post here the search phrase I used. That's 19 possible addresses I could use if I wanted to cause grief for some list admin and for some portion of the readership of the list. > > >>The concern here is that spamtrap addresses are >>discoverable -- in fact, that's exactly how they >>end up on spammers' lists; if they were not discoverable >>they would not be of much use. It is quite simple to >>find spamtrap addresses > > > So far you are correct; just gather email addresses using > a spambot, virus, etc. 
and you will find spamtrap addresses > -- and a bunch of non-spamtrap addresses as well, with no > way to tell them apart. That's not the point. Perhaps it's gone over your head. > > >>if you know where to look, and know that they are spamtraps. > > > You have presented no evidence that anyone knows where to look > this is so, or even > a speculation as to how to differentiate between the two. If Ellen, Don, or Richard will give me permission, I would be happy to describe exactly how you yourself can find one of the places where SC sows its spamtrap email address seeds. I don't expect them to do so. There are other readers in this group who know, and not because they were told but because they encountered the spamtrap address themselves. You could do so yourself if you cared to think for a minute or two. > > >>Email address scrapers typically just gather the address, and don't care >>where it comes from. > > > If they could to identify and remove the spamtraps, the list > would command a higher price. Yeah, and if the snail-mail bulk mailers would cull duplicates, they would have marginal savings. For both types of mailing lists, the cost-benefit tradeoff is such that the duplicates and the spamtraps are not removed. > > >>If someone knows the kinds of places that spamtrap addresses are >>typically hidden for scrapers to find, then it's trivial to find one > > > That is a tautology; they are easy to find if you know where > they are. Isn't everything easy to find if you know where > it is? Your logic is flawed. Knowing the *kinds* of places to look is not the same as knowing a *specific place* to look. And in order to find one spamtrap address, I do not need to be able to find *all* spamtrap addresses. > > >>and maliciously send it in a subscription request to a mailing list. > > Assuming that they can find and identify spamtraps. > Which they can't, unless the spamtrap creator is stupid. 
> An intelligent spamtrap creator will hide spamtraps in > places where nobody knows to look, and will not reveal the > locations to anyone. A responsible spamtrap creator might put warning signs around the pitfall, so that innocent people don't accidentally fall in. The harvester robots ignore the warning, but people can find it. > > >>Other spamtraps may not be so resilient, and the ones that >>add an IP to a blocklist on a single hit and make it nearly >>impossible to get off are the ones that are worrisome, >>and make an inviting resource for a denial-of-service >>attack. > > > Assuming that they can find and identify spamtraps. > Do you have any evidence that they can? > If your theory that spamtraps are easy to find were true, I > would expect to see many legitimate confirmed mailing lists > listed; that would be an effective way to damage the reputation > of the blocklist in question. Has anyone seen this? I would > also expect there to be lists-of-spamtraps for sale. Has anyone > seen such a list for sale? Different (but tangentially related) topic, inappropriate argument. > > >>Richard has answered my concern, without revealing too >>much, by saying that while the SC spamtraps do not (and >>can not) filter out legitimate confirmation requests, >>a single spamtrap hit will not trigger a SC listing. > > > That should not have been sufficient to answer your concern. > If your theory is correct and spamtraps are easy to find and > identify, it would be a simple matter to subscribe ten or > twenty of them to the same mailing list over several hours > and from different places. It would. That would then require intervention by a human. As Richard stated. > > We have been discussing how easy it is to hide a spamtrap and > how hard it is to find it. Now let's consider the available > countermeasures if one is found. Just off the top of my head > I can think of several; > > [1] Grep the incoming spam for addresses that are well-known > mailing lists. 
Examine them and stop using the spamtrap if a > single forge-subscription confirmation comes in. (leave the > spamtrap up, just ignore what comes in to it; this wastes the > time of anyone misusing it). Richard explained that this is not realistically feasible. After-the-fact manual investigation can do this, but automating the process is just another arms race. > > [2] Set up a process that looks for signs that a browser is > looking at a page where you expect only spambots to be looking. > Even if the bad guy makes his browser self-identify as being > a spambot, real spambots will not typically download images > or look at external CSS, JavaScript, or robots.txt files. That augments the warning signs for a human surfer. It does not in any way affect someone who wants to find a spamtrap to exploit. > > [3] Change the spamtrap from one unguessable email address > to another unguessable email address as soon as it starts > getting incoming spam. Now the bad guy looking for spamtraps > has to find them before any of his spambots or his buddy's > spambots find them. Not relevant. The goal is not trying to find *all* spamtraps so that they can be removed from a list of spammees. The goal I posit is finding *one* spamtrap address to be exploited for the purpose of getting someone added to a BL. > > [4] Every so often, close down one unguessable URL with a > spamtrap on it and put up another unguessable URL elsewhere, > changing the unguessable email address to another unguessable > email address at the same time. Now the bad guy has to play > whack-a-mole. Wrong bad guy. > > [5] Put random time delays before reporting on some spamtraps. > this will make it a lot harder to identify spamtraps by doing > a binary search and looking for addresses that result in an > instant listing. > > ...and that's just what I can think of in three minutes. Perhaps your haste explains why you spent so long addressing a different problem. 
The topic at hand is not listwashing a list of spamtrap email addresses. The topic is the potential for using a spamtrap for causing mischief if the spamtrap is fully automated on a hair-trigger. -- Don Wannit A paid SpamCop user since 1999 From nobody at spamcop.net Tue Mar 14 23:25:32 2006 From: nobody at spamcop.net (RandallW) Date: Wed Mar 15 02:30:02 2006 Subject: [SpamCop-List] Re: [MEDIA] 419er Mugged by Rubbers References: Message-ID: "Redstone" wrote in message news:Xns978689CACEC49tinlc@216.154.195.61... > http://www.theregister.co.uk/2006/03/13/419_rubber_tragedy/ > > > Just when you think that 419 scams couldn't become more stupid. > The previous spam is impressive; his parents were devoured, but the father managed to survive the devourment only to die in a car accident. From avoozl at spamcop.net Wed Mar 15 02:37:17 2006 From: avoozl at spamcop.net (Chris F. Willoughby) Date: Wed Mar 15 05:40:16 2006 Subject: [SpamCop-List] Re: nomaster again References: Message-ID: "Mike Easter" wrote in message news:dv7r2j$d15$1@news.spamcop.net... > whois -h whois.lacnic.net 201.41.195.189 > > inetnum: 201.40/15 > aut-num: AS8167 > abuse-c: BTA17 > owner-c: BTC14 > tech-c: BTC14 > > whois -h whois.registro.br as8167 > > nic-hdl-br: BTA17 > person: Brasil Telecom S. A - Abuso > e-mail: abuse@noc.brasiltelecom.net.br > > nic-hdl-br: BTC14 > person: Brasil Telecom S. A. - CNRS > e-mail: suporte@noc.brasiltelecom.net.br > > -- > Mike Easter > kibitzer, not SC admin Very Odd I agree. I wonder if redirecting the parser to look at the other site would be helpful longterm? Chris From MikeE at ster.invalid Wed Mar 15 04:04:50 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 15 07:05:11 2006 Subject: [SpamCop-List] Re: nomaster again References: Message-ID: Chris F. Willoughby wrote: > Very Odd I agree. I wonder if redirecting the parser to look at the > other site would be helpful longterm? 
There are a number of times that the standard SC algorithmic approach to the RIRs doesn't quite work the way you would like. Nowadays there are 5; arin, ripe, apnic, afrinic, and lacnic, with afrinic being the newest. Lacnic was recognized in 2002, afrinic in 2005. But, under those 5 are other whois: whois.registro.br in lacnic, and also krnic or whois.nic.or.kr and whois.nic.ad.jp in apnic which are sometimes useful to access. There are actually quite a number of sub-registries with a whois query available. The main terms being, LIR for local internet registries and NIRs for national internet registries. So an ISP might obtain their allocation from an NIR, LIR, or RIR. The SC strategy for finding the correct RIR is based on the notion that if you go to arin with an IP, and it is under another RIR, that arin will make the proper referral -- but that system is flawed. Currently arin doesn't always refer properly to afrinic, which used to be under ripe. IMO, all of the 5 RIRs should function equally well to refer to the others. In one sense arin is just another RIR, it shouldn't have to be the main portal to which all queries go first. Theoretically one wouldn't have to look at some sub-RIR like .kr or .jp or .br to find something, but sometimes the sub-registries are useful. Perhaps the algorithm should be written to query the correct RIR first -- except that I reckon that the IPs under a given RIR are somewhat dynamic or fluid. If you query the IANA about how the spaces are 'distributed' -- such as http://www.iana.org/assignments/ipv4-address-space you find a very confusing lineup. 
And then there's the issue of IPv4 vs IPv6

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Wed Mar 15 13:19:29 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 15 07:20:02 2006
Subject: [SpamCop-List] Re: nomaster again
References:
Message-ID:

On Wed, 15 Mar 2006 04:04:50 -0800, Mike Easter coughed into spamcop and left this in :

> But, under those 5 are other whois: whois.registro.br in lacnic, and
> also krnic or whois.nic.or.kr and whois.nic.ad.jp in apnic which are
> sometimes useful to access.

There are indeed LIR's under some RIR's, but this is not always the case. In fact I think that LACNIC and APNIC are the only 2.

> sub-registries with a whois query available. The main terms being, LIR
> for local internet registries and NIRs for national internet registries.

???

Never heard of a NIR before.

KRNIC, CNNIC, JPNIC and AUNIC are known as *Local* Internet Registries, not National, even though they do happen to service individual countries. Next step up from them is APNIC, the RIR.

> So an ISP might obtain their allocation from an NIR, LIR, or RIR.

Not all networks are run by ISP's. Some are run by corporations such as IBM or GE, or government agencies like the US DoD.

> The SC strategy for finding the correct RIR is based on the notion that
> if you go to arin with an IP, and it is under another RIR, that arin
> will make the proper referral -- but that system is flawed. Currently
> arin doesn't always refer properly to afrinic, which used to be under
> ripe.

RIPE *and* ARIN. Currently, the parts of AfriNIC that were previously managed by ARIN are correctly changed in ARIN whois to include a referral to AfriNIC. Parts that used to be run by RIPE are not.

> IMO, all of the 5 RIRs should function equally well to refer to the
> others. In one sense arin is just another RIR, it shouldn't have to
> be the main portal to which all queries go first.

Agreed. It places an unnecessary burden on ARIN's whois servers.
> Theoretically one wouldn't have to look at some sub-RIR like .kr or .jp > or .br to find something, but sometimes the sub-registries are useful. s/sub-RIR/LIR/ > Perhaps the algorithm should be written to query the correct RIR first That would be a major improvement. -- Steve Let's call it an accidental feature. -- Larry Wall From MikeE at ster.invalid Wed Mar 15 05:24:53 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 15 08:25:04 2006 Subject: [SpamCop-List] Re: nomaster again References: Message-ID: Steven Maesslein wrote: > Mike Easter >> The main terms being, >> LIR for local internet registries and NIRs for national internet >> registries. > > ??? > > Never heard of a NIR before. > > KRNIC, CNNIC, JPNIC and AUNIC are known as *Local* Internet > Registries, not National, even though they do happen to service > individual countries. I was parroting what the IANA sez, but the iana doesn't explain themselves. http://www.iana.org/ipaddress/ip-addresses.htm // ISPs obtain allocations of IP addresses from a local Internet registry (LIR) or national Internet registry (NIR), or from their appropriate Regional Internet Registry (RIR): // -- Mike Easter kibitzer, not SC admin From nobody at spamcop.net Wed Mar 15 08:54:56 2006 From: nobody at spamcop.net (John Anderson) Date: Wed Mar 15 09:55:02 2006 Subject: [SpamCop-List] Error when sending spam for processing Message-ID: An error occurred while processing your request. Reference #97.bc2c7b3f.1142434241.d14a52 >>>>>>>>>>>>>>>>> What does this mean? From nobody at devnull.spamcop.net Wed Mar 15 11:03:14 2006 From: nobody at devnull.spamcop.net (Anti-Spam) Date: Wed Mar 15 11:05:03 2006 Subject: [SpamCop-List] Re: Error when sending spam for processing References: Message-ID: "John Anderson" wrote in message news:dv99rk$8uu$1@news.spamcop.net... > An error occurred while processing your request. > Reference #97.bc2c7b3f.1142434241.d14a52 > > >>>>>>>>>>>>>>>>> > > What does this mean? 
>

From what I've observed, some transient server glitch. Waiting a bit and refreshing (and then resubmitting) seems to work for me.

From nobody at devnull.spamcop.net Wed Mar 15 08:31:19 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Wed Mar 15 11:40:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Porpoise wrote...
>
>Eric wrote...
>>
>> Porpoise wrote:
>>
>>> Hmm..... I think you'll find that there's a world of difference between
>>> a service being unavailable to to some service/hardware breakdown and a
>>> service being unobtainable due to malicious intervention by third
>>> parties. The former would be termed a service breakdown, the latter
>>> would be a Denial Of Service attack.......
>>
>> Where did a hardware breakdown come into it? We're talking
>> malicious deliberate action, not a bug/glitch/failure.
>
> It came into it here:
>
>> Eric wrote...
>>> There have been times (mostly pre-Akamai) during which SC users
>>> were effectively denied SC services because of DNS issues.

It was my understanding that the DNS problems were because of an attack, not a hardware breakdown.

I agree that general usage of the phrase "service breakdown" implies a hardware or software failure, not an attack of some kind, and that "Denial of Service attack" AKA "DOS Attack", "Denial of Service" or "DOS" implies an attack of some kind, not a hardware or software failure. I doubt that anyone here will disagree with those broad definitions.

I read Eric as pointing out that a DOS can target DNS, and thus is a counterexample to any claim that all DOS attacks target the victim's server.

G.M.
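Added example, not part of any list message and not SpamCop's parser: the "nomaster again" thread above describes an abuse-c handle (BTA17) that the LACNIC reply names without an address, resolved by consulting the registro.br reply for AS8167, and a truncated reply that hides the contact records. The Python below does that lookup over sample text constructed from the output quoted in the thread; the function names, the tech-c/owner-c fallback order and the placement of the truncation notice in the sample are assumptions.

```python
import re

# Notice quoted in the thread when the console cut the LACNIC answer short.
TRUNCATION_MARKER = "Answer from RIR truncated"

# Constructed samples, built from the whois output quoted in the thread.
LACNIC_IP_REPLY = """\
inetnum:     201.40/15
aut-num:     AS8167
abuse-c:     BTA17
owner-c:     BTC14
tech-c:      BTC14
Answer from RIR truncated --- connection closed
"""

REGISTRO_AS_REPLY = """\
nic-hdl-br:  BTA17
person:      Brasil Telecom S. A - Abuso
e-mail:      abuse@noc.brasiltelecom.net.br

nic-hdl-br:  BTC14
person:      Brasil Telecom S. A. - CNRS
e-mail:      suporte@noc.brasiltelecom.net.br
"""

FIELD = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")
HANDLE_KEYS = ("nic-hdl", "nic-hdl-br")
ROLE_ORDER = ("abuse-c", "tech-c", "owner-c")   # assumed preference order


def parse_records(text):
    """Split a whois reply into blank-line separated records of (key, value)."""
    records, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = []
            continue
        match = FIELD.match(line)
        if match:                       # notices and comments have no key
            current.append((match.group(1).lower(), match.group(2).strip()))
    if current:
        records.append(current)
    return records


def is_truncated(text):
    """True when the reply carries the truncation notice."""
    return TRUNCATION_MARKER.lower() in text.lower()


def contact_roles(text):
    """Return {role: handle} for the abuse-c/tech-c/owner-c fields."""
    roles = {}
    for record in parse_records(text):
        for key, value in record:
            if key in ROLE_ORDER and key not in roles:
                roles[key] = value.upper()
    return roles


def handle_emails(text):
    """Return {handle: e-mail} for every record holding both fields."""
    found = {}
    for record in parse_records(text):
        fields = dict(record)
        handle = next((fields[k] for k in HANDLE_KEYS if k in fields), None)
        if handle and fields.get("e-mail"):
            found[handle.upper()] = fields["e-mail"]
    return found


def resolve_contact(ip_reply, extra_replies):
    """Find an address for the IP's contact handles.

    extra_replies is a list of (source_name, text) consulted in order when
    the IP reply itself has no contact record for a handle.
    """
    roles = contact_roles(ip_reply)
    sources = [("ip-reply", ip_reply)] + list(extra_replies)
    truncated = [name for name, text in sources if is_truncated(text)]
    for role in ROLE_ORDER:
        handle = roles.get(role)
        if not handle:
            continue
        for name, text in sources:
            email = handle_emails(text).get(handle)
            if email:
                return {"role": role, "handle": handle, "email": email,
                        "source": name, "truncated": truncated}
    # Nothing resolved: report the handle and which replies were cut short,
    # so the caller can retry elsewhere instead of giving up silently.
    return {"role": None, "handle": roles.get("abuse-c"), "email": None,
            "source": None, "truncated": truncated}


if __name__ == "__main__":
    print(resolve_contact(LACNIC_IP_REPLY, []))
    print(resolve_contact(LACNIC_IP_REPLY,
                          [("registro.br as8167", REGISTRO_AS_REPLY)]))
```

The `truncated` list in the result is what separates "the registry has no address on record" from "the reply was cut off before the contact records".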
From johannu at pyrogenesis.co.za Wed Mar 15 18:47:49 2006 From: johannu at pyrogenesis.co.za (Johann Ungerer) Date: Wed Mar 15 11:50:01 2006 Subject: [SpamCop-List] Blocking shared mailservers by IP is hugely disruptive Message-ID: Our hosting company's shared mail server has been blocked by spamcop on numerous occasions, but this is incredibly disruptive. We ourselves host 15 domains on this server and there must be well over 200 domains handled by this server. Blocking by IP is like trying to kill mosquitos with a shotgun. It would be far more useful to block domains, though I suppose the domain could be used and discarded after every blast. So there's no simple answer, but being the 'victim' of other spammers and therefore having all mails in a day bounce, is also unacceptable. regards, Johann From MikeE at ster.invalid Wed Mar 15 09:20:06 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 15 12:25:04 2006 Subject: [SpamCop-List] Re: Blocking shared mailservers by IP is hugely disruptive References: Message-ID: Johann Ungerer wrote: > Our hosting company's shared mail server has been blocked by spamcop > on numerous occasions, but this is incredibly disruptive. It is an important distinction to understand that SC makes a list. Others choose to use that list and/or others as a method of dealing with spam. If your output server is getting itself SCbl listed, you should be finding out why and correcting that, along with any other DNSbl lists it is getting itself onto. What is the IP in question? 
-- Mike Easter kibitzer, not SC admin From Kilgallen at SpamCop.net Wed Mar 15 11:27:41 2006 From: Kilgallen at SpamCop.net (Larry Kilgallen) Date: Wed Mar 15 12:30:02 2006 Subject: [SpamCop-List] Re: Blocking shared mailservers by IP is hugely disruptive References: Message-ID: <8GC2n0UtLMzu@eisner.encompasserve.org> In article , "Johann Ungerer" writes: > Our hosting company's shared mail server has been blocked by spamcop on Of course SpamCop has no ability to block any mail server, but those who receive email from that mail server may choose to do so based on the fact that it has been noted as a spam source. > numerous occasions, but this is incredibly disruptive. We ourselves host 15 > domains on this server and there must be well over 200 domains handled by > this server. Blocking by IP is like trying to kill mosquitos with a shotgun. The IP address is the only reliable basis for blocking, since it is the one item that cannot be falsified by dishonest spammers. But I wax tautological. Please get back to us when you have managed to cure the world of dishonest spammers. > It would be far more useful to block domains, though I suppose the domain > could be used and discarded after every blast. Discarding is not the issue. There is no reason to trust that the domain from which a message is purported to come bears any relation to the actual source. > So there's no simple answer, > but being the 'victim' of other spammers and therefore having all mails in a > day bounce, is also unacceptable. But there _is_ a solution. Do not share an IP address with spammers. Look carefully at the contract you signed for email service. Does it state in no uncertain terms that you will be liable for a $ 1000 fine for every spam message sent from your machine, even if via virus or trojan horse ? If not, then it is unlikely others who share that IP address have been put under such restrictions either, so there is little likelihood the spammers among them will be deterred. 
The other solution is to use a non-shared IP address. From tmcgraw at spamcop.net Wed Mar 15 10:26:38 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Mar 15 13:30:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Anonymous wrote: > > > > I read Eric as pointing out that a DOS can target DNS, and thus is a > counterexample to any claim that all DOS attacks target the victim's > server. I believe Eric had some good points to make about how a spamtrap could result in a false positive listing, but likening it to a DoS was a canard that didn't really help advance his argument. By his last posting I take it he felt the conversation was about semantics... but what conversation isn't? :) My claim was only that DoS attacks by definition target a victim's network *services* (DNS is one of many) and involves *massive* requests at the targeted system in order to consume bandwidth. Back to the subject, as has been noted a legitimate mailman opt-in is not spam, and sc reporters can lose their privileges by reporting such an email as spam. Does it still happen? Probably. Do spammers "work" to do this on a spamtrap? Most spammers in my experience can't and don't even bother to listwash, so I can't see them investing all this time to forge a list subscription even if they knew a spamtrap addy. elsewhere, K. Thog wrote: > A GNU Mailman mailing list is not a legitimate mailing list? :-) That's a > pretty snap judgement on your part. A mailman list - or any other list software - can be improperly configured. Just because the software driving it is one "brand" or another does not make a list "legitimate." From nobody at devnull.spamcop.net Wed Mar 15 10:42:25 2006 From: nobody at devnull.spamcop.net (Eric) Date: Wed Mar 15 13:45:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? 
In-Reply-To: References: Message-ID: Tim McGraw wrote: > My claim was only that DoS attacks by definition target a victim's > network *services* (DNS is one of many) and involves *massive* requests > at the targeted system in order to consume bandwidth. Your claim is incorrect. You describe only one of several different types of Denial of Service attack. See the definitions at CERT, posted previously. > Back to the subject, as has been noted a legitimate mailman opt-in is > not spam, and sc reporters can lose their privileges by reporting such > an email as spam. Does a spamtrap lose its reporting privileges if it automatically reports a legitimate good-faith subscription confirmation? A human reporter would/could/should. > > Does it still happen? Probably. > > Do spammers "work" to do this on a spamtrap? Most spammers in my > experience can't and don't even bother to listwash, so I can't see them > investing all this time to forge a list subscription even if they knew a > spamtrap addy. Not relevant. Doesn't matter if spammers do or do not do this. The discussion is about a prankster, or a competitor, or a jilted gf, or anyone who wants to cause trouble. From nobody at devnull.spamcop.net Wed Mar 15 10:45:24 2006 From: nobody at devnull.spamcop.net (Eric) Date: Wed Mar 15 13:50:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Tim McGraw wrote: > So, you're saying that the admin misusing a DNSbl filter is conducting a > DoS? No, not what I'm saying at all. Please read more carefully. In this case the admin misusing a DNSbl is being manipulated by the real attacker. The attacker is conducting a DoS (all right, a "Fred Job"), using said admin as the mechanism. The admin is not doing the FJ, the attacker is. 
From nobody at devnull.spamcop.net Wed Mar 15 10:46:37 2006 From: nobody at devnull.spamcop.net (Eric) Date: Wed Mar 15 13:50:18 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Porpoise wrote: > > "Eric" wrote in message > news:dv7mrp$aej$1@news.spamcop.net... > >> Porpoise wrote: >> >>> Hmm..... I think you'll find that there's a world of difference >>> between a service being unavailable to to some service/hardware >>> breakdown and a service being unobtainable due to malicious >>> intervention by third parties. The former would be termed a service >>> breakdown, the latter would be a Denial Of Service attack....... >> >> >> Where did a hardware breakdown come into it? We're talking >> malicious deliberate action, not a bug/glitch/failure. > > > It came into it here: > >> Eric wrote... >> >>> There have been times (mostly pre-Akamai) during which SC users >>> were effectively denied SC services because of DNS issues. > > > Are you not reading your own posts? Do you have information that the distributed attacks causing DNS for SpamCop to be unavailable were actually caused by hardware failure? That's news to me. Please substantiate. From caroljean52 at yahoo.com Wed Mar 15 11:49:51 2006 From: caroljean52 at yahoo.com (caroljean52) Date: Wed Mar 15 13:50:24 2006 Subject: [SpamCop-List] Laugh of the day Message-ID: Just received an apology from one of my long-time spammers. (Every Friday, regular as clockwork.) "We, at ConcreteIron.com are extremely sorry for the email incident that occurred March 3rd. An invalid email list and mailing script had been uploaded to our email server by mistake. Please except our utmost apologies for the inconvenience that this unfortunate email problem caused last weekend. Also, please know that this was not intentional and will not happen again." Gee, it only took them about 3 YEARS to notice their "mistake." 
Carol Pocatello, Idaho From tmcgraw at spamcop.net Wed Mar 15 11:01:17 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Wed Mar 15 14:05:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Eric wrote: > Tim McGraw wrote: > >> My claim was only that DoS attacks by definition target a victim's >> network *services* (DNS is one of many) and involves *massive* >> requests at the targeted system in order to consume bandwidth. > > Your claim is incorrect. You describe only one of several different > types of Denial of Service attack. See the definitions at CERT, > posted previously. I stand by my statement. Looks like we've agreed to disagree on something that wasn't even relevant to the op. >> Back to the subject, as has been noted a legitimate mailman opt-in is >> not spam, and sc reporters can lose their privileges by reporting such >> an email as spam. > > Does a spamtrap lose its reporting privileges if it automatically > reports a legitimate good-faith subscription confirmation? I believe RW addressed this concern. Short answer: it's never happened, and even if it did, one report does not = a sc listing. >> Does [reporting legitimate opt-ins] still happen? Probably. >> >> Do spammers "work" to do this on a spamtrap? Most spammers in my >> experience can't and don't even bother to listwash, so I can't see >> them investing all this time to forge a list subscription even if they >> knew a spamtrap addy. > > Not relevant. I'd say my comment is pretty relevant to the discussion of whether a spamtrap addy could be forge-subscribed to a legitimate list, which has been part of this conversation since Porpoise brought it up on 3/9. > Doesn't matter if spammers do or do not do this. > The discussion is about a prankster, or a competitor, or a > jilted gf, or anyone who wants to cause trouble. 
That was just one of many discussions in this thread, but it's hard to tell by the context whether you've changed it to human-entered opt-ins. I guess you did, since a jilted gf wouldn't enter the addy of a spamtrap. Or would they?

Seriously, what is it you want to hear or know other than promoting the idea that a forge-subscribe using a spamtrap is a DoS (which certainly was never relevant to the topic)?

The system isn't perfect. There, I said it.

From nobody at devnull.spamcop.net Wed Mar 15 09:39:49 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Wed Mar 15 14:05:15 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Don Wannit wrote...
> Anonymous wrote:
>
>> Don Wannit wrote
>>
>>>This is not the point. If a spamtrap automatically
>>>adds a source IP to a blocklist, then it would be
>>>trivial for someone to forge a subscription request
>>>purporting to be from the spamtrap, and thereby get
>>>the output IP for the mailing list added to the
>>>blocklist when it sends that confirmation request.
>>
>> No. It would be far from trivial, because the bad guy
>> doesn't know what addresses are spamtraps, and the
>> mailing list won't accept subscriptions to what he
>> does have, which is hundreds of thousands of harvested
>> email addresses with a few spamtraps hidden among them.
>> (and if the mailing list does send confirmations to
>> hundreds of thousands of subscriptions all coming in
>> at once it deserves to be listed).
>
> The forging of an email sender address *is* trivial.

Please demonstrate by forging or explaining how to forge an email sender address when you don't know what it is. Remember, the claim that you are disagreeing with specifies the assumption that the bad guy doesn't know what addresses are spamtraps.

> That should be understood by any reader of this newsgroup.
I advise avoiding references to "understanding" in situations where you appear to not understand the concept "because the bad guy doesn't know what addresses are spamtraps."

> A different kind of person, even some of the readers of
> this newsgroup, *do* know the kinds of places where
> spamtrap addresses in particular, not real legitimate
> email addresses, are strewn. I strongly doubt that I
> am the only reader of this newsgroup who knows one
> specific place for certain where SpamCop spamtrap
> email addresses are placed to be found by harvesters.

If the creators of spamcop spamtrap addresses aren't hiding them well enough, then the answer is to hide them better, not to let them be findable and then to deal with abuse of them after the fact.

> I never said that a prankster would need to send
> bogus subscriptions for all the addresses on a CD.

*I* said that. I believe that I also specified something along the line of "assuming that the attacker can't find and identify spamtraps." Which they can't.

> I said that the people who make those CDs know the
> *kinds* of places to look for addresses. If they
> wrote their harvesting robots to be smarter than just
> looking for a string containing '@', it is certainly
> plausible to evaluate the context of that string to
> classify it as a potential spamtrap.

If the creators of spamcop spamtrap addresses are leaving identifying characteristics, then the answer is to stop doing that. I can do it, why can't they?

>>>or hiding a spamtrap address in a crowd of legitimate
>>>addresses. I'm not sure where you got that concept.
>>
>> It is an inescapable consequence of the fact that it
>> is easy to gather a crowd of legitimate addresses that
>> include spamtrap address, but it is very, very hard to
>> gather just the spamtrap addresses or to gather just
>> the non-spamtrap addresses.
>
> I just did a simple Google search for a particular phrase,
> and got a list of 19 likely spamtrap addresses, just
> by looking for a phrase which is often nearby a spamtrap
> address left out for harvesting.

So you are saying that the spamtrap creators are too dimwitted to use a meta or a robots.txt to keep such phrases out of search engines? Or to use a graphic to display the phrase? Or to hide the spamtrap address with CSS or by putting a graphic over it? If so, they should hide the spamtraps better.

I have no proof, but I think that they are *better* at hiding spamtraps than I am after 2 minutes of thinking about the problem. I have no proof, but I think that any spamtrap that you can find is not associated with Spamcop. (I can't speak for other BLs or for individuals; no doubt at least a few of them are idiots.)

> No, I will not post here the search phrase I used.

No need. I would require some sort of evidence before assuming that you are a liar.

> That's 19 possible addresses I could use if I wanted to
> cause grief for some list admin and for some portion of
> the readership of the list.

The fact that nobody appears to be doing that with the spamcop BL makes me think that none of those 19 addresses are associated with spamcop.

>>>The concern here is that spamtrap addresses are
>>>discoverable -- in fact, that's exactly how they
>>>end up on spammers' lists; if they were not discoverable
>>>they would not be of much use. It is quite simple to
>>>find spamtrap addresses
>>
>> So far you are correct; just gather email addresses using
>> a spambot, virus, etc. and you will find spamtrap addresses
>> -- and a bunch of non-spamtrap addresses as well, with no
>> way to tell them apart.
>
> That's not the point. Perhaps it's gone over your head.

That's twice in one post that you have confused disagreement with lack of understanding.
Please consider the possibility that I disagree because you are wrong instead of assuming that you are right and that anyone who disagrees must be stupid.

>>>if you know where to look, and know that they are spamtraps.
>>
>> You have presented no evidence that anyone knows where to look
>> this is so, or even
>> a speculation as to how to differentiate between the two.
>
> If Ellen, Don, or Richard will give me permission, I would be
> happy to describe exactly how you yourself can find one of the
> places where SC sows its spamtrap email address seeds. I don't
> expect them to do so. There are other readers in this group who
> know, and not because they were told but because they encountered
> the spamtrap address themselves. You could do so yourself if you
> cared to think for a minute or two.

Again, this assumes that they can't hide spamtraps as well as I can, despite my having no experience doing that.

To demonstrate my ability to hide spamtraps, as soon as I finish this post I will hide ten unguessable email addresses on ten different websites that I control. If anyone here sends an email with the subject "foobar barbaz bazqux" to one of them, I will post here and let you know that I am not as good at hiding email addresses as I thought I was.

>> Assuming that they can find and identify spamtraps.
>> Which they can't, unless the spamtrap creator is stupid.
>> An intelligent spamtrap creator will hide spamtraps in
>> places where nobody knows to look, and will not reveal the
>> locations to anyone.
>
> A responsible spamtrap creator might put warning signs around
> the pitfall, so that innocent people don't accidentally fall
> in. The harvester robots ignore the warning, but people can
> find it.

I can test that too. Five of my ten test email addresses will have warning signs around them that a human can read.

>>
>>>Other spamtraps may not be so resilient, and the ones that
>>>add an IP to a blocklist on a single hit and make it nearly
>>>impossible to get off are the ones that are worrisome,
>>>and make an inviting resource for a denial-of-service
>>>attack.
>>
>> Assuming that they can find and identify spamtraps.
>> Do you have any evidence that they can?
>> If your theory that spamtraps are easy to find were true, I
>> would expect to see many legitimate confirmed mailing lists
>> listed; that would be an effective way to damage the reputation
>> of the blocklist in question. Has anyone seen this? I would
>> also expect there to be lists-of-spamtraps for sale. Has anyone
>> seen such a list for sale?
>
> Different (but tangentially related) topic, inappropriate argument.

In other words, a valid argument that you are unable to refute.

How do *you* explain the lack of large numbers of legitimate confirmed mailing lists being listed because of confirmation emails? Are the bad guys a lot worse at finding spamcop spamtraps than you are? Did they suddenly decide not to attack spamcop in every way that they can think of because spamcop is costing them money?

> The topic at hand is [...] the potential for using a spamtrap
> for causing mischief if the spamtrap is fully automated on
> a hair-trigger.

...and whether the spamtraps can be found and identified, a necessary precursor to causing the mischief.

G.M.

From tmcgraw at spamcop.net Wed Mar 15 11:03:21 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Mar 15 14:05:22 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Eric wrote:
> Porpoise wrote:
>
>> Are you not reading your own posts?
>
> Do you have information that the distributed attacks causing DNS for
> SpamCop to be unavailable were actually caused by hardware failure?
> That's news to me. Please substantiate.

It was well-known here.
I'm sure you could Google the archives and find those discussions.

Good luck!

From tmcgraw at spamcop.net Wed Mar 15 11:06:25 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Mar 15 14:10:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Eric wrote:
> Tim McGraw wrote:
>> So, you're saying that the admin misusing a DNSbl filter is conducting
>> a DoS?
>
> No, not what I'm saying at all. Please read more carefully. In this
> case the admin misusing a DNSbl is being manipulated by the real
> attacker. The attacker is conducting a DoS (all right, a "Fred Job"),
> using said admin as the mechanism. The admin is not doing the FJ,
> the attacker is.

You wrote above, as an example, "incoming email unimpeded by admin misusing DNSbl."

I'd say such an admin is a victim of his own ineptitude, and the service being denied (getting legitimate posts to a mail list) is to the admin's own users.

You're welcome to spin that however you wish, but that's how I see it.

From tmcgraw at spamcop.net Wed Mar 15 11:20:24 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Mar 15 14:25:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Tim McGraw wrote:
> Eric wrote:
>> Do you have information that the distributed attacks causing DNS for
>> SpamCop to be unavailable were actually caused by hardware failure?
>> That's news to me. Please substantiate.
>
> It was well-known here.

Correction: Porpoise attributed it to a DoS on sc's DNS (I believe).

And as I recall based on the discussion here, that was the reason sc had DNS failures.

From tmcgraw at spamcop.net Wed Mar 15 11:40:50 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Mar 15 14:45:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Eric wrote:
> Tim McGraw wrote:
>> So, you're saying that the admin misusing a DNSbl filter is conducting
>> a DoS?
>
> No, not what I'm saying at all. Please read more carefully. In this
> case the admin misusing a DNSbl is being manipulated by the real
> attacker. The attacker is conducting a DoS (all right, a "Fred Job"),
> using said admin as the mechanism. The admin is not doing the FJ,
> the attacker is.

You wrote above, as an example of service "denied," the "incoming email unimpeded by admin misusing DNSbl."

I'd say such an admin is a victim of his own ineptitude, and the service being denied (getting legitimate posts to a mail list) is primarily to the admin's own users.

You're welcome to spin that however you wish, but that's how I see it.

From nobody at devnull.spamcop.net Wed Mar 15 11:50:35 2006
From: nobody at devnull.spamcop.net (Eric)
Date: Wed Mar 15 14:55:04 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Tim McGraw wrote:
> Eric wrote:
>
>> Do you have information that the distributed attacks causing DNS for
>> SpamCop to be unavailable were actually caused by hardware failure?
>> That's news to me. Please substantiate.
>
>
> It was well-known here. I'm sure you could Google the archives and find
> those discussions.

I do recall those discussions. It was not hardware failure, it was a concerted distributed attack which caused DNS servers for the SC domains to be unable to respond within the usual timeout period. It was one of the major reasons that SC adopted the Akamai web support.

From tmcgraw at spamcop.net Wed Mar 15 11:52:13 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Mar 15 14:55:18 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Eric wrote:
> Tim McGraw wrote:
>> Eric wrote:
>>
>>> Do you have information that the distributed attacks causing DNS for
>>> SpamCop to be unavailable were actually caused by hardware failure?
>>> That's news to me. Please substantiate.
>>
>> It was well-known here. I'm sure you could Google the archives and
>> find those discussions.
>
> I do recall those discussions. It was not hardware failure, it
> was a concerted distributed attack which caused DNS servers for
> the SC domains to be unable to respond within the usual timeout
> period. It was one of the major reasons that SC adopted the
> Akamai web support.

Corrected... and agreed.

From nobody at devnull.spamcop.net Wed Mar 15 11:54:13 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Wed Mar 15 14:55:28 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Tim McGraw wrote...
> Tim McGraw wrote:
>
>> Eric wrote:
>>
>>> Do you have information that the distributed attacks causing DNS for
>>> SpamCop to be unavailable were actually caused by hardware failure?
>>> That's news to me. Please substantiate.
>>
>> It was well-known here.
>
> Correction: Porpoise attributed it to a DoS on sc's DNS (I believe).
>
> And as I recall based on the discussion here, that was the reason sc had
> DNS failures.

Is this the attack we are talking about?

http://www.theregister.co.uk/2003/11/03/why_spamcop_got_yanked/
http://www.julianhaight.com/jokerstupidity.shtml
http://mail.cesmail.net/jokerproblem.php
http://it.slashdot.org/article.pl?sid=03/11/02/1453253

-G.M.

From jeffg at spamcop.net Wed Mar 15 15:02:45 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 15 15:05:02 2006
Subject: [SpamCop-List] Re: Blocking shared mailservers by IP is hugely disruptive
References:
Message-ID:

Johann Ungerer wrote:
> Our hosting company's shared mail server has been blocked by spamcop
> on numerous occasions, but this is incredibly disruptive. We
> ourselves host 15 domains on this server and there must be well over
> 200 domains handled by this server. Blocking by IP is like trying to
> kill mosquitos with a shotgun. It would be far more useful to block
> domains, though I suppose the domain could be used and discarded
> after every blast. So there's no simple answer, but being the
> 'victim' of other spammers and therefore having all mails in a day
> bounce, is also unacceptable.

I believe you are writing of orange.catalyst2.com (mail.pyrogenesis.co.za [84.18.207.4]). SpamCop's Parser writes "ISP does not wish to receive report regarding 84.18.207.4" and "No abuse net record for catalyst2.com". Report History follows:

Please also see:
http://forum.spamcop.net/forums/index.php?showtopic=509
http://www.spamcop.net/bl.shtml?84.18.207.4
http://www.spamcop.net/w3m?action=blcheck&ip=84.18.207.4 (which includes "If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 4 hours." and "In the past 227.7 days, it has been listed 17 times for a total of 14.2 days").

--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jeffg at spamcop.net Wed Mar 15 15:23:46 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 15 15:25:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Don Wannit wrote:
> Anonymous wrote:
>> Don Wannit wrote
> some of the readers of
> this newsgroup, *do* know the kinds of places where
> spamtrap addresses in particular, not real legitimate
> email addresses, are strewn.

I'm one of them.

> I strongly doubt that I
> am the only reader of this newsgroup who knows one
> specific place for certain where SpamCop spamtrap
> email addresses are placed to be found by harvesters.

No, you are not the only one.

> If Ellen, Don, or Richard will give me permission, I would be
> happy to describe exactly how you yourself can find one of the
> places where SC sows its spamtrap email address seeds. I don't
> expect them to do so. There are other readers in this group who
> know, and not because they were told but because they encountered
> the spamtrap address themselves. You could do so yourself if you
> cared to think for a minute or two.

I'm not so sure I would do it even with permission. This thread has given spammers and others more weapons, I'd rather not give them ammunition and a target on my back as well. :)

--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From tmcgraw at spamcop.net Wed Mar 15 12:44:43 2006
From: tmcgraw at spamcop.net (Tim McGraw)
Date: Wed Mar 15 15:45:02 2006
Subject: [SpamCop-List] Re: Blocking shared mailservers by IP is hugely disruptive
In-Reply-To:
References:
Message-ID:

Jeff G. wrote:
>
> Submitted: Saturday 2006/03/11 07:56:35 -0500:
> IN GOD WE GOD !!!

Can I get an amen?

From nobody at devnull.spamcop.net Wed Mar 15 12:53:18 2006
From: nobody at devnull.spamcop.net (Eric)
Date: Wed Mar 15 15:55:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Anonymous wrote:
> Tim McGraw wrote...
>
>
>>Tim McGraw wrote:
>>
>>
>>>Eric wrote:
>>>
>>>
>>>>Do you have information that the distributed attacks causing DNS for
>>>>SpamCop to be unavailable were actually caused by hardware failure?
>>>>That's news to me. Please substantiate.
>>>
>>>It was well-known here.
>>
>>Correction: Porpoise attributed it to a DoS on sc's DNS (I believe).
>>
>>And as I recall based on the discussion here, that was the reason sc had
>>DNS failures.
>
>
> Is this the attack we are talking about?
>
> http://www.theregister.co.uk/2003/11/03/why_spamcop_got_yanked/
>
> http://www.julianhaight.com/jokerstupidity.shtml
>
> http://mail.cesmail.net/jokerproblem.php
>
> http://it.slashdot.org/article.pl?sid=03/11/02/1453253

No, that's a different incident, different cause.

Here's one thread:
http://groups.google.com/group/alt.spam/browse_thread/thread/71f5f4171095ed08/2574437c7f941a5f?lnk=st&q=spamcop+DNS+akamai&rnum=1&hl=en#2574437c7f941a5f
(snurled: http://snipurl.com/nnfe )

And another:
http://groups.google.com/group/alt.meditation.transcendental/browse_thread/thread/20e23fca52db0488/d1684a9b22d857c2?lnk=st&q=spamcop+DNS+ddos&rnum=4&hl=en#d1684a9b22d857c2
(snurled: http://snipurl.com/nnfm )

From MikeE at ster.invalid Wed Mar 15 13:15:34 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 15 16:20:02 2006
Subject: [SpamCop-List] Re: Blocking shared mailservers by IP is hugely disruptive
References:
Message-ID:

Johann Ungerer wrote:
> Our hosting company's shared mail server has been blocked by spamcop
> on numerous occasions, but this is incredibly disruptive.

Don't share a mailserver with spamsources.

> We
> ourselves host 15 domains on this server and there must be well over
> 200 domains handled by this server.

My information shows about 360 different website domains being hosted at 84.18.207.37 and all of the ones I looked at, which wasn't many, were using the same MX IP and nameservers.

> Blocking by IP is like trying to
> kill mosquitos with a shotgun.

Don't be silly. DNSbl blocklisting by IP address is how it is done. There are hundreds of different blocklists which do it that way.

> It would be far more useful to block
> domains,

Don't be ridiculous. The domainname of the what? The from? The rDNS on the IP sending the mail?

> being the
> 'victim' of other spammers and therefore having all mails in a day
> bounce, is also unacceptable.

Don't use a spammy IP for sending your mailout.
Here is Bill Cole's advice which he calls "Clues for the Blocklisted"

Snips below from a much larger collection of information
http://www.scconsult.com/bill/dnsblhelp.html

Blacklists, Blocklists, DNSBL's, and survival:
-- Help! My IP address is listed on a DNSBL!
-- How can you stop having your mail rejected due to a DNSBL listing?
-- There are 3 basic strategies, listed in order of ease of execution:
-- #1 Send mail from an address which isn't listed.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Mar 15 13:27:44 2006
From: nobody at spamcop.net (N. Miller)
Date: Wed Mar 15 16:30:03 2006
Subject: [SpamCop-List] Re: Blocking shared mailservers by IP is hugely disruptive
References:
Message-ID: <1e064wdgpje45$.dlg@news.spamcop.net>

On Wed, 15 Mar 2006 18:47:49 +0200, Johann Ungerer wrote:
> Our hosting company's shared mail server has been blocked by spamcop on
> numerous occasions, but this is incredibly disruptive. We ourselves host 15
> domains on this server and there must be well over 200 domains handled by
> this server. Blocking by IP is like trying to kill mosquitos with a shotgun.
> It would be far more useful to block domains, though I suppose the domain
> could be used and discarded after every blast. So there's no simple answer,
> but being the 'victim' of other spammers and therefore having all mails in a
> day bounce, is also unacceptable.

I find that blocking by IP address is far more effective than blocking by domain name. But, then, I am on the receiving end, not the sending end. If you can afford an IP address dedicated to your own mail server, you probably need to find other arrangements to send email.

For my part, my mail server runs on a dynamic IP address assigned by my ISP. This is anathema to any of several lists, so I would have trouble sending email to the likes of AOL, and others blocking dynamic hosts. I get around it by using my ISP's mail server as a smart host.
That is probably not the ideal solution for an enterprise. Surely there are affordable mail host services offering clean IP addresses, even with proper rDNS.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From nobody at spamcop.net Wed Mar 15 13:31:03 2006
From: nobody at spamcop.net (N. Miller)
Date: Wed Mar 15 16:35:04 2006
Subject: [SpamCop-List] Re: [MEDIA] 419er Mugged by Rubbers
References:
Message-ID: <9m0cd62vfo8i.dlg@news.spamcop.net>

On Tue, 14 Mar 2006 21:32:36 +0000 (UTC), Redstone wrote:
> http://www.theregister.co.uk/2006/03/13/419_rubber_tragedy/
>
>
> Just when you think that 419 scams couldn't become more stupid.

Trojans infesting the banks! Where is BoClean when you need them?

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From nobody at devnull.spamcop.net Wed Mar 15 14:03:36 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Wed Mar 15 17:10:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Eric wrote...
> Anonymous wrote:
>
>> Is this the attack we are talking about?
>>
>> http://www.theregister.co.uk/2003/11/03/why_spamcop_got_yanked/
>>
>> http://www.julianhaight.com/jokerstupidity.shtml
>>
>> http://mail.cesmail.net/jokerproblem.php
>>
>> http://it.slashdot.org/article.pl?sid=03/11/02/1453253
>
>
> No, that's a different incident, different cause.
> Here's one thread:
> http://groups.google.com/group/alt.spam/browse_thread/thread/71f5f4171095ed08/2574437c7f941a5f?lnk=st&q=spamcop+DNS+akamai&rnum=1&hl=en#2574437c7f941a5f
> (snurled: http://snipurl.com/nnfe )

Shortened: http://groups.google.com/group/alt.spam/browse_frm/thread/71f5f4171095ed08

> And another:
> http://groups.google.com/group/alt.meditation.transcendental/browse_thread/thread/20e23fca52db0488/d1684a9b22d857c2?lnk=st&q=spamcop+DNS+ddos&rnum=4&hl=en#d1684a9b22d857c2
> (snurled: http://snipurl.com/nnfm )

Shortened: http://groups.google.com/group/alt.meditation.transcendental/browse_frm/thread/20e23fca52db0488

Also see:
http://www.geek.com/news/geeknews/2003Sep/gee20030929021977.htm
http://www.wilderssecurity.com/showthread.php?t=10761
http://news.zdnet.com/2100-1009_22-5082728.html

It is a tribute to the engineers who design the system that antispam sites are usually up despite such attacks.

From nobody at spamcop.net Wed Mar 15 17:20:20 2006
From: nobody at spamcop.net (indigo)
Date: Wed Mar 15 17:25:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Tim McGraw wrote:
>
>
> > Does a spamtrap lose its reporting privileges if it automatically
> > reports a legitimate good-faith subscription confirmation?
>
> I believe RW addressed this concern.
>
> Short answer: it's never happened, and even if it did, one report does
> not = a sc listing.
>

It's impossible for it to happen anyway! How can a spamtrap get a "legit" confirm message?

From nobody at devnull.spamcop.net Wed Mar 15 14:32:17 2006
From: nobody at devnull.spamcop.net (Eric)
Date: Wed Mar 15 17:35:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

indigo wrote:
> Tim McGraw wrote:
>
>>>Does a spamtrap lose its reporting privileges if it automatically
>>>reports a legitimate good-faith subscription confirmation?
>>
>>I believe RW addressed this concern.
>>
>>Short answer: it's never happened, and even if it did, one report does
>>not = a sc listing.
>>
>
>
> It's impossible for it to happen anyway! How can a spamtrap get a "legit"
> confirm message?

I thought the question was about a legitimate request to confirm that the subscription request was valid? The supposed subscription request is not legit, but the request to confirm it certainly would be.

From eric at mirador.com Wed Mar 15 14:43:24 2006
From: eric at mirador.com (Eric Black)
Date: Wed Mar 15 17:50:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID: <44189887.161D810F@mirador.com>

Anonymous wrote:
> Don Wannit wrote...
>

[snip]

> Please demonstrate by forging or explaining how to
> forge an email sender address when you don't know what
> it is. Remember, the claim that you are disagreeing with
> specifies the assumption that the bad guy doesn't know
> what addresses are spamtraps.

Again, I don't need to determine that a particular address is or is not a spamtrap. I just need to find one (numerous SC-related addresses are available for harvesters to find, some might be live, some might not be). No doubt there are SC-related addresses which are in no way "nearby" anything connecting them to SC. Maybe the ones closely associated with SC are not real live spamtraps at all. Maybe they are.

If the spamtrap address turns out to be inactive, and just left out there to pollute spammer lists, then it's just noise. If a teenager dials numbers and pulls the old "Do you have Prince Albert in a can?" or other silly stunt, does it matter if some of the numbers don't answer? The ones that do get through are no less an annoyance because some attempts failed.
[snip] > > If the creators of spamcop spamtrap addresses aren't hiding > them well enough, then the answer is to hide them better, > not to let them be findable and then to deal with abuse of > them after the fact. > Indeed. Maybe the visible ones are all dead but still left out to be found, just to pollute email lists (like wpoison). > > >>That's 19 possible addresses I could use if I wanted to >>cause grief for some list admin and for some portion of >>the readership of the list. > > > The fact that nobody appears to be doing that with the > spamcop BL makes me think that none of those 19 addresses > are associated with spamcop. > Doesn't matter if they are or are not. They *might* be, and if my goal is to cause a spamtrap to trip, it doesn't matter in the slightest if most or all of them are dead. If one of them happens to be live, it serves the purpose. >> >>That's not the point. Perhaps it's gone over your head. > > > That's twice in one post that you have confused disagreement > with lack of understanding. Please consider the possibility > that I disagree because you are wrong instead of assuming > that you are right and that anyone who disagrees must be stupid. > I am not saying you are stupid. I am saying that you are disagreeing with the wrong thing, and the difference between what you are disagreeing with, and what I am saying, is what you are missing. I'm trying again to explain the difference. > To demonstrate my ability to hide spamtraps, as soon as I finish > this post I will hide ten unguessable email addresses on ten > different websites that I control. If anyone here sends an > email with the subject "foobar barbaz bazqux" to one of them, > I will post here and let you know that I am not as good at hiding > email addresses as I thought I was. Not a relevant test. It doesn't matter whether I can find *your* specific spamtrap addresses or not. That is not the claim. 
The claim is that if I can find at least one spamtrap address, anywhere, and if it happens to be a hair-trigger live spamtrap, I can exploit it to cause inconvenience for some victim. If what I think might be a spamtrap address turns out not to be, then it's just another random drive-by forged subscription of a dead address. But if it really is a live spamtrap address, it does not matter in the slightest if it is *your* spamtrap address. -- Don Wannit A paid SpamCop user since 1999 From nobody at spamcop.net Wed Mar 15 17:48:08 2006 From: nobody at spamcop.net (indigo) Date: Wed Mar 15 17:50:14 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Eric wrote: > indigo wrote: > > It's impossible for it to happen anyway! How can a spamtrap get a > > "legit" confirm message? > > > I thought the question was about a legitimate request > to confirm that the subscription request was valid? > The supposed subscription request is not legit, but > the request to confirm it certainly would be. After thinking about it more after I posted, I started to wonder whether I had missed something in the thread....perhaps if someone finds a spamtrap addy and _knows_ it's a spamtrap they could forge-subscribe the addy to a legit list. The confirm email would then be reported as spam by the spamtrap. So I guess you could just scrape the SC website and submit every addy you find to a legit list if you were out to get someone. From edb2000 at spamcop.net Wed Mar 15 14:50:38 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Wed Mar 15 17:55:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: <44189A36.12102532@spamcop.net> Jeff G. wrote: > I'm not so sure I would do it even with permission. This thread has > given spammers and others more weapons, I'd rather not give them > ammunition and a target on my back as well. :) > Yes, this is a problem. 
Of course, the good news is that if regular readers of news.spamcop don't see a potential for abuse, then those "others" might not, either. So since all this is impossible, and can never happen, there's no need to worry about it. -- Don Wannit A paid SpamCop user since 1999 From notgiven at nodomain.net Wed Mar 15 21:09:41 2006 From: notgiven at nodomain.net (C. S.) Date: Wed Mar 15 21:10:02 2006 Subject: [SpamCop-List] Re: Laugh of the day References: Message-ID: Sometime around Wed, 15 Mar 2006 11:49:51 -0700, "caroljean52" deemed it necessary to offer: > Just received an apology from one of my long-time spammers. (Every Friday, > regular as clockwork.) > > "We, at ConcreteIron.com are extremely sorry for the email incident that > occurred March 3rd. An invalid email list and mailing script had been > uploaded to our email server by mistake. Please except our utmost apologies > for the inconvenience that this unfortunate email problem caused last > weekend. Also, please know that this was not intentional and will not > happen again." "-except- our utmost apologies"?!? Cripes! > Gee, it only took them about 3 YEARS to notice their "mistake." > > Carol > Pocatello, Idaho > > > Just as goofy as the drivel that started coming back to me a few months ago. Seems 123Greetings.com has started to 'care,' after four to five years of spamming me. But at least they flatly state that they wanna listwash me: From: "Ujjal Kanti Kumar" Subject: Spamcop report id:1678245264 "Hello SpamCop user, Thank you for your message to 123greetings.com. I value the importance of your concern as I realize the inconvenience this may have caused you. We take your complaints seriously. Please let me know the email address to which the offending message was sent from or on behalf of 123greetings.com and I will have it permanently removed from our mailing list. Thanks for your cooperation. 
Regards, Ujjal" From MikeE at ster.invalid Wed Mar 15 18:49:54 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 15 21:50:03 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: Posted to .mail & spamcop; f/ups to spamcop James Caldwell wrote: Newsgroups: spamcop.mail This is the wrong ng for your post. spamcop.mail is a group which was for people to interact about their spamcop mail accounts, which service is described here http://www.spamcop.net/ces/individuals.shtml SpamCop Email System for Individuals You are not posting about a spamcop mail issue, but about a spamcop blocklist effect. Your recipient chose to use the SCbl and as a result your mail's transmission to them was rejected. Rejection of mail during the transaction is a healthier effect than some other effects of spamfilters which result in mail being lost. I'm posting this to a general discussion group spamcop and making f/ups to there. Subject: Why are you screwing with my mail? The SCbl is a blocklist described here. http://www.spamcop.net/bl.shtml SpamCop Blocking List SpamCop doesn't block anything or screw with anyone's mail. It is a parsing and reporting system, the maintainer of the SCbl, and also provides a mail service for filtering and tagging spam. Your recipient rejected your mail as a method of their spam control. Your mail was rejected by your recipient's server because your EL earthlink output server was listed in the SCbl for abusive server behavior. More about that later. > SMTP error from remote mailer after RCPT TO:: > host mx-4.iquest.net [206.246.180.54]: 553 Blocked - see > http://www.spamcop.net/bl.shtml?209.86.89.70 That is a nicely informative information from the iquest server which is telling you that the EL server's IP caused the mail to be rejected because the EL IP was blocklisted in the SCbl spamcop blocklist. > ------ This is a copy of the message, including all the headers. Those headers aren't very helpful. 
They just say that your user IP which is a mindspring one gave the mail to the EL server. The problem is with the EL server which is blocklisted. Here's the current story on that EL IP 209.86.89.70 listed in bl.spamcop.net it will be delisted automatically in approximately 17 hours. users have reported system as a source of spam has been listed for less than 24 hours. Other hosts in this "neighborhood" with spam reports 209.86.89.63 209.86.89.64 209.86.89.65 209.86.89.66 209.86.89.92 <209.86.89.63 209.86.89.64 209.86.89.65 209.86.89.92 not listed> 209.86.89.66 listed in bl.spamcop.net will be delisted automatically in approximately 20 hours. has sent mail to SpamCop spam traps in the past week users have reported system as a source of spam has been listed for less than 24 hours. Both of those, .70 and .66, are EL output servers. Generally the SC parser avoids naming a server as a spamsource if there is a user IP behind it. Generally in the case of servers getting listed it is not for 'spam' per se, but some other abusive server behavior which is spamcop reportable. The most common server behaviors which are spamcop reportable are misdirected bounces and challenges. EL isn't configured for doing misdirected bounces, but it is definitely configured to perform challenges. That challenge behavior has been pointed out to EL as abusive many many many times in the past. I am an EL subscriber, and I have personally told EL about the problem of allowing users to configure to perform challenges to suspect mail -- numerous times in the EL support ng/s. In addition, whenever EL accepts a report about their servers performing abusive actions they find out about it. The problem is that EL's default medium spamblocker identifies known spam. That isn't a problem. However, the user can optionally configure to high spamblocker. When they do, the new default condition is to challenge the items which are not known spam and are not whitelisted. 
EL's known spam filter is 'leaky' -- resulting in spam getting past the known and into the Suspect folder. Spam From is bogus and is likely to be the addy of a spamcop reporter or a spamcop spamtrap. When the EL server sends a challenge to the spamcop reporter or the spamtrap, it is reportable. That reporting results in the EL server becoming spamcop blocklisted. That spamcop blocklisting causes your mail to get rejected. It is as 'simple' as that. Your provider is manufacturing abusive emails. You are trying to use the server which has been reported as abusive. Your recipient is using the SCbl to guard against spam and other abusive mail and your mail has become 'collateral damage' as a result of your recipient's spam strategies and modern day blocklisting of challenging servers. EL subscribers should be complaining to EL about running servers which get themselves blocklisted and which cause problems with their mail delivery. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Mar 16 12:10:30 2006 From: nobody at devnull.spamcop.net (Patto) Date: Wed Mar 15 22:10:04 2006 Subject: [SpamCop-List] Yahoo! Message-ID: http://www.spamcop.net/sc?id=z898529993zcd3ad61032a7429edd9b82417b9e568fz For almost a week I get this phish multiple times a day. The URL has been reported more than a dozen times, yet the site is still up. Are they actively supporting these scammers? From mrmeval at earthlink.net Wed Mar 15 22:12:28 2006 From: mrmeval at earthlink.net (James Caldwell) Date: Wed Mar 15 22:15:04 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: I see. Spamcop is at fault. Wonderful system you have. Mike Easter wrote: > Posted to .mail & spamcop; f/ups to spamcop > > James Caldwell wrote: > Newsgroups: spamcop.mail > > This is the wrong ng for your post. 
spamcop.mail is a group which was > for people to interact about their spamcop mail accounts, which service > is described here http://www.spamcop.net/ces/individuals.shtml SpamCop > Email System for Individuals > > You are not posting about a spamcop mail issue, but about a spamcop > blocklist effect. Your recipient chose to use the SCbl and as a result > your mail's transmission to them was rejected. Rejection of mail during > the transaction is a healthier effect than some other effects of > spamfilters which result in mail being lost. > > I'm posting this to a general discussion group spamcop and making f/ups > to there. > > Subject: Why are you screwing with my mail? > > The SCbl is a blocklist described here. http://www.spamcop.net/bl.shtml > SpamCop Blocking List > > SpamCop doesn't block anything or screw with anyone's mail. It is a > parsing and reporting system, the maintainer of the SCbl, and also > provides a mail service for filtering and tagging spam. Your recipient > rejected your mail as a method of their spam control. Your mail was > rejected by your recipient's server because your EL earthlink output > server was listed in the SCbl for abusive server behavior. More about > that later. > >> SMTP error from remote mailer after RCPT TO:: >> host mx-4.iquest.net [206.246.180.54]: 553 Blocked - see >> http://www.spamcop.net/bl.shtml?209.86.89.70 > > That is a nicely informative information from the iquest server which is > telling you that the EL server's IP caused the mail to be rejected > because the EL IP was blocklisted in the SCbl spamcop blocklist. > >> ------ This is a copy of the message, including all the headers. > > Those headers aren't very helpful. They just say that your user IP > which is a mindspring one gave the mail to the EL server. The problem > is with the EL server which is blocklisted. 
> > Here's the current story on that EL IP > > 209.86.89.70 listed in bl.spamcop.net > it will be delisted automatically in approximately 17 hours. > users have reported system as a source of spam > has been listed for less than 24 hours. > Other hosts in this "neighborhood" with spam reports > 209.86.89.63 209.86.89.64 209.86.89.65 209.86.89.66 209.86.89.92 > > <209.86.89.63 209.86.89.64 209.86.89.65 209.86.89.92 not listed> > > 209.86.89.66 listed in bl.spamcop.net > will be delisted automatically in approximately 20 hours. > has sent mail to SpamCop spam traps in the past week > users have reported system as a source of spam > has been listed for less than 24 hours. > > Both of those, .70 and .66, are EL output servers. Generally the SC > parser avoids naming a server as a spamsource if there is a user IP > behind it. Generally in the case of servers getting listed it is not > for 'spam' per se, but some other abusive server behavior which is > spamcop reportable. The most common server behaviors which are spamcop > reportable are misdirected bounces and challenges. EL isn't configured > for doing misdirected bounces, but it is definitely configured to > perform challenges. > > That challenge behavior has been pointed out to EL as abusive many many > many times in the past. I am an EL subscriber, and I have personally > told EL about the problem of allowing users to configure to perform > challenges to suspect mail -- numerous times in the EL support ng/s. In > addition, whenever EL accepts a report about their servers performing > abusive actions they find out about it. > > The problem is that EL's default medium spamblocker identifies known > spam. That isn't a problem. However, the user can optionally configure > to high spamblocker. When they do, the new default condition is to > challenge the items which are not known spam and are not whitelisted. > EL's known spam filter is 'leaky' -- resulting in spam getting past the > known and into the Suspect folder. 
> > Spam From is bogus and is likely to be the addy of a spamcop reporter or > a spamcop spamtrap. When the EL server sends a challenge to the spamcop > reporter or the spamtrap, it is reportable. That reporting results in > the EL server becoming spamcop blocklisted. > > That spamcop blocklisting causes your mail to get rejected. It is as > 'simple' as that. Your provider is manufacturing abusive emails. You > are trying to use the server which has being reported as abusive. Your > recipient is using the SCbl to guard against spam and other abusive mail > and your mail has become 'collateral damage' as a result of your > recipient's spam strategies and modern day blocklisting of challenging > servers. > > EL subscribers should be complaining to EL about running servers which > get themselves blocklisted and which causes problems with their mail > delivery. > > > -- "I can get you a drink, A reverend or we could call for Air Support." --http://www.schlockmercenary.com From vanguard.news at yahooNIX.com Wed Mar 15 21:21:58 2006 From: vanguard.news at yahooNIX.com (Vanguard) Date: Wed Mar 15 22:25:03 2006 Subject: [SpamCop-List] Re: Blocking shared mailservers by IP is hugely disruptive References: Message-ID: "Johann Ungerer" wrote in message news:dv9gc4$cqt$1@news.spamcop.net... > Our hosting company's shared mail server has been blocked by spamcop on > numerous occasions, but this is incredibly disruptive. We ourselves host > 15 domains on this server and there must be well over 200 domains handled > by this server. Blocking by IP is like trying to kill mosquitos with a > shotgun. It would be far more useful to block domains, though I suppose > the domain could be used and discarded after every blast. So there's no > simple answer, but being the 'victim' of other spammers and therefore > having all mails in a day bounce, is also unacceptable. Why would anyone block by IP name? That is just a convenient string for YOU and other users. 
It has nothing to do with how *computers* get to a site. Computers use IP addresses. From MikeE at ster.invalid Wed Mar 15 19:36:38 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 15 22:40:02 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: James Caldwell wrote: > I see. Spamcop is at fault. Wonderful system you have. No. EL is primarily at fault and abusive. iquest is secondarily 'at fault' for their configuration causing a slight inconvenience as it handles the EL server's abusive behavior result in a /healthy/ fashion, namely by rejecting the mail from an abusive server. If you had sent your mail to me, I would have received it, but my client side spamfilter would have tagged it as spam because of the SCbl listing. If you had been on my whitelist of known senders, it wouldn't even have been so tagged. SpamCop is functioning as intended. Different people use the SCbl differently. I don't think iquest's use of the SCbl is unhealthy. Iquest has a better system than EL's for handling its spam. If EL were to make a mistaken identification of a piece of mail as spam, that item would go into the recipient's known spam folder instead of being rejected. Because most EL subscribers have their spamfilter on the default mode which is medium and also causes the known spam to be deleted sight unseen, that 'misdiagnosed' spam which was in fact goodmail would have been lost. That's an unhealthy EL system as opposed to iquest's healthy one. It is healthier to reject a presumed spam item than it is to accept it, hide it, and delete it. EL accepts hides and deletes unless the EL subscriber configures differently. EL has a lot of bad behaviors if the EL subscriber doesn't know how to configure around them. EL has a lot of bad behaviors which affect nonsubscribers abusively, which they can't configure around. Instead, those bad EL behaviors get reported and those bad EL server behaviors cause trouble for EL's own subscribers. 
-- Mike Easter kibitzer, not SC admin From mrmeval at earthlink.net Wed Mar 15 23:53:14 2006 From: mrmeval at earthlink.net (James Caldwell) Date: Wed Mar 15 23:55:03 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: Spamcop flags a server as blacklisted with no way to unlist it so I have to put up with not being able to send mail. I'd send Iquest a note but gee it's blocked there too. Wonderful system. Mike Easter wrote: > James Caldwell wrote: >> I see. Spamcop is at fault. Wonderful system you have. > > No. EL is primarily at fault and abusive. iquest is secondarily 'at > fault' for their configuration causing a slight inconvenience as it > handles the EL server's abusive behavior result in a /healthy/ fashion, > namely by rejecting the mail from an abusive server. > > If you had sent your mail to me, I would have received it, but my client > side spamfilter would have tagged it as spam because of the SCbl > listing. If you had been on my whitelist of known senders, it wouldn't > even have been so tagged. > > SpamCop is functioning as intended. Different people use the SCbl > differently. I don't think iquest's use of the SCbl is unhealthy. > > Iquest has a better system than EL's for handling its spam. If EL were > to make a mistaken identification of a piece of mail as spam, that item > would go into the recipient's known spam folder instead of being > rejected. Because most EL subscribers have their spamfilter on the > default mode which is medium and also causes the known spam to be > deleted sight unseen, that 'misdiagnosed' spam which was in fact > goodmail would have been lost. That's an unhealthy EL system as opposed > to iquest's healthy one. > > It is healthier to reject a presumed spam item than it is to accept it, > hide it, and delete it. EL accepts hides and deletes unless the EL > subscriber configures differently. 
> > EL has a lot of bad behaviors if the EL subscriber doesn't know how to > configure around them. EL has a lot of bad behaviors which affect > nonsubscribers abusively, which they can't configure around. Instead, > those bad EL behaviors get reported and those bad EL server behaviors > cause trouble for EL's own subscribers. > > -- "I can get you a drink, A reverend or we could call for Air Support." --http://www.schlockmercenary.com From vanguard.news at yahooNIX.com Wed Mar 15 23:01:14 2006 From: vanguard.news at yahooNIX.com (Vanguard) Date: Thu Mar 16 00:05:03 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: "James Caldwell" wrote in message news:dval2t$48l$1@news.spamcop.net... >I see. Spamcop is at fault. Wonderful system you have. No. The problem is that YOU cannot read. The recipient that *uses* the SpamCop blocklist, or ANY blocklist, is "at fault" for deciding to assign spam filtering to another authority. Do you have spam filtering enabled on your Mindspring account? Gee, then any mails that get blocked as spam is Mindspring's fault rather than YOUR fault for enabling the spam filter option. YOU defining *any* rule in your e-mail client that filters any spam means YOU are at fault for using that rule, not the author of the e-mail program that provided the feature of rules that YOU could define. Duh, children just can't figure it out. From MikeE at ster.invalid Wed Mar 15 21:07:22 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Mar 16 00:10:03 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: James Caldwell wrote: > Spamcop flags a server as blacklisted with no way to unlist it so I > have to put up with not being able to send mail. I'd send Iquest a > note but gee it's blocked there too. If SC makes a 'mistake' -- which is possible under some conditions - a deputy can 'uncount' the mistaken reports. 
Mistakes can result from a parse breaking a chain prematurely, causing a server in front of a user IP to be named as source -- that isn't likely to happen with EL server configurations. I don't think it is very likely that a spamcop reporter who is making a mistake in submitting spam with the resultant reporting of their own provider could cause a mistaken listing or report, because the EL servers which are handling one part of EL mail handling are different from those handling output like this. A deputy isn't going to uncount reports which were made as a result of challenges hitting spamtraps or reporters. In any case, my guessing isn't important -- only a deputy can look into the evidence and see it and uncount anything which shouldn't have been counted, which is very unlikely. EL servers have been listed numerous places before including SCbl for their behaviors -- so it is most likely just another instance of an EL server being listed. Again. In the EL support groups where I gripe about this and warn my fellow EL subscribers, I advise all of them to get an alternate email provider, so that if they are having problems with mail completion that they can use their alternate. -- Mike Easter kibitzer, not SC admin From jeffg at spamcop.net Thu Mar 16 00:12:50 2006 From: jeffg at spamcop.net (Jeff G.) Date: Thu Mar 16 00:15:02 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: James Caldwell wrote: > Wonderful system. Yes, it keeps email messages from EL's abusive servers out of my inbox. You can thank EL [mis]management - they are not providing the reliable email service you are paying for. -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From jeffg at spamcop.net Thu Mar 16 00:15:10 2006 From: jeffg at spamcop.net (Jeff G.) Date: Thu Mar 16 00:20:03 2006 Subject: [SpamCop-List] Re: Laugh of the day References: Message-ID: C. S. 
wrote: > From: "Ujjal Kanti Kumar" > Subject: Spamcop report id:1678245264 > > "Hello SpamCop user, > > Thank you for your message to 123greetings.com. I value the > importance of your concern as I realize the inconvenience this may > have caused you. > > We take your complaints seriously. Please let me know the email > address to which the offending message was sent from or on behalf of > 123greetings.com and I will have it permanently removed from our > mailing list. > > Thanks for your cooperation. > > Regards, > Ujjal" *@* :) -- Best Regards, Jeff G. http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From joseph_k at invalid.com Wed Mar 15 21:15:55 2006 From: joseph_k at invalid.com (Joseph K) Date: Thu Mar 16 00:20:13 2006 Subject: [SpamCop-List] Re: Yahoo! References: Message-ID: On Thu, 16 Mar 2006 12:10:30 +0900, Patto wrote: > http://www.spamcop.net/sc?id=z898529993zcd3ad61032a7429edd9b82417b9e568fz > > For almost a week I get this phis multiple times a day. The URL has been > reported more than a dozen time, yet the site is still up. Are they > actively supporting these scammers? Yahoo does host multiple spammers as part of their "Small Business" hosting system. Check out their Spamhaus records. Try sending your complaints to domains-abuse@yahoo-inc.com They tend to kill the discardable domains while keeping the spammer as a customer, but it is better than nothing. -- ---------+---------+---------+---------+---------+---------+---------+ Joseph K Seattle, WA, USA From nobody at spamcop.net Thu Mar 16 18:34:29 2006 From: nobody at spamcop.net (Anony Mouse) Date: Thu Mar 16 00:35:02 2006 Subject: [SpamCop-List] List Message-ID: <4418F8E5.3050605@spamcop.net> What do I do with the list of email/http refs that spammy sent from .kr to my email address? (Well 4.8030604@mydomain I have several that help me to track spammy. Most seeded by me.) Spammy makes mistakes. 4.4mb lots of harvested addies and where they came from... Mine came ICANN forums... 
How much is a 4.4mb list worth... :0 Just joking. It must be useful to someone who knows spam better than I. Ellen??? Spamhaus? From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 16 06:14:09 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Mar 16 01:15:02 2006 Subject: [SpamCop-List] Re: Laugh of the day References: Message-ID: C. S. wrote in news:cohh121073598fr2qftfrb650sarb0ufca@4ax.com: >> >> > > Just as goofy as the drivel that started coming back > to me a few months ago. Seems 123Greetings.com > has started to 'care,' after four to five years > of spamming me. But at least they flatly state that > they wanna listwash me: > They've been listwashing for a long time. Received spam from them several years ago. (Never requested, never signed up to receive any correspondence either.) Seems they have a habit of acquiring tainted email lists on the cheap. From nobody at spamcop.net Thu Mar 16 19:30:42 2006 From: nobody at spamcop.net (Anony Mouse) Date: Thu Mar 16 01:35:04 2006 Subject: [SpamCop-List] Re: List References: <4418F8E5.3050605@spamcop.net> Message-ID: <44190612.2080106@spamcop.net> Anony Mouse wrote: > What do I do with the list of email/http refs that spammy sent from .kr > to my email address? (Well 4.8030604@mydomain I have several that help > me to track spammy. Most seeded by me.) > > Spammy makes mistakes. > > 4.4mb lots of harvested addies and where they came from... > > Mine came ICANN forums... > > How much is a 4.4mb list worth... :0 Just joking. > It must be useful to someone who knows spam better than I. > > Ellen??? > > Spamhaus? > Lots of bounce messages after spammy done the run. Get up to $8000 in guaranteed credit! 
Everyone gets accepted Dial: 1 800 566 8098 Open M-F 9am-6pm EST From pantheus at suespammers.org Wed Mar 15 23:18:29 2006 From: pantheus at suespammers.org (Ken) Date: Thu Mar 16 02:20:02 2006 Subject: [SpamCop-List] Ping: Pete Stephenson Message-ID: Pete, A few months ago you were defending Hurricane Electric ( he.net ) as being white hat and anti-spam, as you even moved your accounts there. Has something changed? I am getting daily spew from their servers, with spamversites hosted on cogentco.com Here's the latest, but it's been going on for longer than I care to see, with no stop despite daily SC reports. http://www.spamcop.net/sc?id=z898646121z1a2f2ca57fb9700fd147547b240dfbe6z Any comment or help available? Ken From PossumTrot at dont.spam.me Thu Mar 16 07:35:23 2006 From: PossumTrot at dont.spam.me (Possum Trot) Date: Thu Mar 16 10:40:02 2006 Subject: [SpamCop-List] Virus encrypts documents, demands ransom Message-ID: The article suggests the virus is being spread in spam. Virus Encrypts Data, Demands Ransom Trojan horse asks you to pay $300 to regain access to your documents. http://www.pcworld.com/news/article/0,aid,125108,00.asp From nobody at devnull.spamcop.net Thu Mar 16 08:05:38 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Thu Mar 16 11:15:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: indigo wrote... > After thinking about it more after I posted, I started to wonder whether I > had missed something in the thread....perhaps if someone finds a spamtrap > addy and _knows_ it's a spamtrap they could forge-subscribe the addy to a > legit list. The confirm email would then be reported as spam by the > spamtrap. That is correct. Abusing the system in that way assumes that someone can find and identify spamcop spamtraps. 
That, in turn, assumes that whoever is in charge of hiding the spamcop spamtraps is less skilled than I am, because I can hide them in such a way that they cannot be found. In like manner, those who claim that they can find and identify spamcop spamtraps are in effect claiming to be more skilled at finding spamcop spamtraps than any of spamcop's many attackers -- attackers who have come up with many clever ways of attacking the spamcop system and yet have not forge-subscribed any spamcop spamtraps to legitimate confirmed mailing lists. I have another theory; my theory is that those in charge of hiding the spamcop spamtraps are better at it than I am, and that those who claim that they can find and identify spamcop spamtraps are mistaken. Perhaps they have found other spamtraps, or perhaps someone at spamcop trusts them enough to tell them where to look, but I don't believe that they can find and identify spamcop spamtraps without some sort of special help. > So I guess you could just scrape the SC website and submit every > addy you find to a legit list if you were out to get someone. That would not work. If you can find spamcop spamtrap addresses by scraping the spamcop website, then the people in charge of hiding the spamcop spamtraps are idiots for hiding them in such an obvious place. Also, if you can find spamcop spamtrap addresses by scraping the spamcop website, so can spamcop's enemies, and yet we have not seen any of them manage to pull off the abuse described above. G.M. From bar_n0ne at hotmail.com Thu Mar 16 10:26:15 2006 From: bar_n0ne at hotmail.com (Berny) Date: Thu Mar 16 11:30:02 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: "James Caldwell" wrote in message news:dval2t$48l$1@news.spamcop.net... > I see. Spamcop is at fault. Wonderful system you have. 
>
>
> Mike Easter wrote:
> snipped

No, Spamcop lists abusive mail sources, that's all, so it is at fault for doing that, You are at fault for your inability to read and understand. I, you or anyone could make a list of all email servers I didn't like available, if someone used that to block emails, how is that the list maker's fault? Got it?

From nobody at spamcop.net Thu Mar 16 08:57:16 2006
From: nobody at spamcop.net (N. Miller)
Date: Thu Mar 16 12:00:04 2006
Subject: [SpamCop-List] Re: Why are you screwing with my mail?
References:
Message-ID:

On Wed, 15 Mar 2006 22:12:28 -0500, James Caldwell wrote:

> I see. Spamcop is at fault. Wonderful system you have.

Can't you read? Mike says that Earthlink is at fault.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From nobody at spamcop.net Thu Mar 16 08:58:25 2006
From: nobody at spamcop.net (N. Miller)
Date: Thu Mar 16 12:00:15 2006
Subject: [SpamCop-List] Re: Why are you screwing with my mail?
References:
Message-ID:

On Wed, 15 Mar 2006 23:53:14 -0500, James Caldwell wrote:

> Spamcop flags a server as blacklisted with no way to unlist it so I have to
> put up with not being able to send mail. I'd send Iquest a note but gee
> it's blocked there too.
>
> Wonderful system.

Yes. It is. Well, from the point of view of recipients, who want some control over what reaches their Inboxes.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From MikeE at ster.invalid Thu Mar 16 09:30:42 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Mar 16 12:35:02 2006
Subject: [SpamCop-List] Re: Why are you screwing with my mail?
References:
Message-ID:

N. Miller wrote:
> James Caldwell wrote:
>
>>Spamcop is at fault.
> Mike says that Earthlink is at fault.

Presumably. EL is known to emit challenges. Challenges are SC reportable.
EL has been SC listed before based on challenges and there is nothing that I know of currently funky with EL headers to open the door for errant reporting. But, an EL server has also been errantly listed long ago and deputy delisted. Only a deputy can see the evidence, not I. I would bet a number of quatloos that EL is at fault with challenges.

--
Mike Easter
kibitzer, not SC admin

From jg at coks.net Thu Mar 16 10:02:43 2006
From: jg at coks.net (jg)
Date: Thu Mar 16 13:00:02 2006
Subject: [SpamCop-List] Re: Yahoo!
In-Reply-To:
References:
Message-ID:

On 3/15/2006 9:15 PM Joseph K scribbled:
> On Thu, 16 Mar 2006 12:10:30 +0900,
> Patto wrote:
>
>> http://www.spamcop.net/sc?id=z898529993zcd3ad61032a7429edd9b82417b9e568fz
>>
>> For almost a week I get this phis multiple times a day. The URL has been
>> reported more than a dozen time, yet the site is still up. Are they
>> actively supporting these scammers?
>
> Yahoo does host multiple spammers as part of their "Small Business"
> hosting system. Check out their Spamhaus records.
> Try sending your complaints to domains-abuse@yahoo-inc.com
> They tend to kill the discardable domains while keeping the spammer as
> a customer, but it is better than nothing.
>

I would /not/ classify that as better than nothing - it's a total waste of effort.

From nobody at devnull.spamcop.net Thu Mar 16 08:46:58 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Thu Mar 16 13:20:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References: <44189887.161D810F@mirador.com>
Message-ID:

Eric Black wrote...
> Anonymous wrote:
>
>> Please demonstrate by forging or explaining how to
>> forge an email sender address when you don't know what
>> it is. Remember, the claim that you are disagreeing with
>> specifies the assumption that the bad guy doesn't know
>> what addresses are spamtraps.
>
> Again, I don't need to determine that a particular address
> is or is not a spamtrap.
I just need to find one That will not work if your goal is to forge-subscribe spamtraps to mailing lists. If you can't determine that a particular address is or is not a spamtrap, then you cannot harvest spamcop spamtrap email addresses without also harvesting many other non- spamtrap email addresses. The spamtrap addresses will be "lost in the crowd." Having that large collection of email addresses (with a few spamtraps in the collection, but you don't know which ones) is not sufficient to forge-subscribe the spamtraps to the lists. You can't forge-subscribe just the spamtraps, because you don't know which ones are spamtraps. You can't forge- subscribe the entire large collection because no legitimate mailing list will let you subscribe that many at once, and any mailing list that allowed that deserves to be listed. >> If the creators of spamcop spamtrap addresses aren't hiding >> them well enough, then the answer is to hide them better, >> not to let them be findable and then to deal with abuse of >> them after the fact. > > Indeed. Maybe the visible ones are all dead but still > left out to be found, just to pollute email lists (like wpoison). That would be a reasonable course of action for an intelligent spamtrap-hider; hide some fake spamtraps in places that are easy to find. That would stop at least some attackers from looking any farther. It would also fool some here into thinking that they can find spamcop spamtraps. > The claim is that if I can find at least one spamtrap address, > anywhere, and if it happens to be a hair-trigger live spamtrap, > I can exploit it to cause inconvenience for some victim. As explained above, finding one spamtrap address *and finding thousands of non-spamtraps at the same time* won't allow you to forge-subscribe it to a mailing list without somehow telling it apart from all the others. The list only allows you to subscribe N email addresses. How do you pick them without getting 100% non-spamtraps almost every time? 
> If what I think might be a spamtrap address turns out not to
> be, then it's just another random drive-by forged subscription
> of a dead address.

Ah, but if you have a large number of those non-spamtrap addresses you can't randomly drive-by forge-subscribe them all; the mailing list won't let you do that.

G.M.

From nobody at devnull.spamcop.net Thu Mar 16 08:51:08 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Thu Mar 16 13:20:19 2006
Subject: [SpamCop-List] Re: Why are you screwing with my mail?
References:
Message-ID:

James Caldwell wrote...

> Spamcop flags a server as blacklisted with no way to unlist it

Unlisting it is trivial. Simply stop sending email from it to people who don't want the email and who report that fact to Spamcop. Do that and the server will fall off the list in a few days.

From bjtexas at hotmale.com Thu Mar 16 12:41:15 2006
From: bjtexas at hotmale.com (BJ)
Date: Thu Mar 16 13:45:03 2006
Subject: [SpamCop-List] Re: Laugh of the day
References:
Message-ID:

caroljean52 wrote:
|| Please except our utmost apologies for the
|| inconvenience that this unfortunate email problem caused last
|| weekend. Also, please know that this was not intentional and
|| will not happen again."
||

I list except their e-mail, it's called a local blocklist, I will not accept it.

BJ

--
--
Read: http://home.swbell.net/bjtexas/SS/
"Although I have unlimited respect for facts, and delight in their discovery and appreciation, I have come to the obvious yet almost blasphemous view that, with respect to teaching, the facts just aren't that important."
-- Jasper Rine, professor, University of California Berkeley From kenbrody at spamcop.net Thu Mar 16 14:05:38 2006 From: kenbrody at spamcop.net (Kenneth Brody) Date: Thu Mar 16 14:35:03 2006 Subject: [SpamCop-List] Re: Blocking shared mailservers by IP is hugely disruptive References: <8GC2n0UtLMzu@eisner.encompasserve.org> Message-ID: <4419B702.EA8A9E71@spamcop.net> Larry Kilgallen wrote: > > In article , "Johann Ungerer" writes: [...] > > numerous occasions, but this is incredibly disruptive. We ourselves host 15 > > domains on this server and there must be well over 200 domains handled by > > this server. Blocking by IP is like trying to kill mosquitos with a shotgun. > > The IP address is the only reliable basis for blocking, > since it is the one item that cannot be falsified by > dishonest spammers. But I wax tautological. Please > get back to us when you have managed to cure the world > of dishonest spammers. Yes, let's get back to the good old days, when all we had to deal with were the honest spammers. [...] -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From abuse at whathostingshould.be Thu Mar 16 14:44:48 2006 From: abuse at whathostingshould.be (Galen) Date: Thu Mar 16 15:15:03 2006 Subject: [SpamCop-List] Well that didn't take long... Message-ID: Client just poof appeared... No pre-support questions. No contact prior. Never moved nameservers but KNEW (and this is when I started thinking it was going to be interesting) to use the nameserver address (in this case kgiii.info/~username/file.ext) to access the site which is information I intentionally didn't include in the welcome letters to any clients. So I have the advantage of seeing stuff in my logs which are checked quite often but this made me check more often. 
I do try to respect privacy and not review files but when I saw that in my logs I then decided I'd look because the name of the file was 005.php. I *almost* disabled the ability to send mail from the account but I decided I'd better wait as no evidence means no crime at that point. So I stayed awake and watched the spike in email and then three spamcop reports rolled in. Needless to say they're disabled. The domain they signed up with is: pontohost.com.br 3 reports in as many hours. No, no they won't be coming back online at this IP block. Any other hosts might be see the address again in the future I suppose so should be aware of it. It didn't take long at all. Pretty sad when one of your first clients (and we're pretty much keen on people providing proof - we consider SC reports proof in any cases I can think of - but spell out the terms pretty clearly on the site) is a spammer. In case you're really curious it was: http://kgiii.info/~pontohos/005.php Their account doesn't work any more. ;) So there's not much to see there anymore but that's the format it was sent through. Galen -- http://www.whathostingshould.be - We are what hosting SHOULD be. From nobody at devnull.spamcop.net Thu Mar 16 15:22:15 2006 From: nobody at devnull.spamcop.net (POP) Date: Thu Mar 16 15:25:03 2006 Subject: [SpamCop-List] Re: Virus encrypts documents, demands ransom References: Message-ID: "Possum Trot" wrote in message news:dvc0l4$rms$1@news.spamcop.net... > The article suggests the virus is being spread in spam. > > Virus Encrypts Data, Demands Ransom > > Trojan horse asks you to pay $300 to regain access to your > documents. > http://www.pcworld.com/news/article/0,aid,125108,00.asp > > Seems like that's just asking to be tracked down & arrested. They're brave spidiots, eh? 
Pop

From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 16 20:49:14 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Thu Mar 16 15:50:03 2006
Subject: [SpamCop-List] Re: Virus encrypts documents, demands ransom
References:
Message-ID:

"Possum Trot" wrote in news:dvc0l4$rms$1@news.spamcop.net:

> The article suggests the virus is being spread in spam.
>
> Virus Encrypts Data, Demands Ransom
>
> Trojan horse asks you to pay $300 to regain access to your documents.
> http://www.pcworld.com/news/article/0,aid,125108,00.asp
>
>

From Russia with love.. Looks like much of the virus writing was outsourced too.

From nobody at spamcop.net Thu Mar 16 16:23:04 2006
From: nobody at spamcop.net (indigo)
Date: Thu Mar 16 16:25:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Anonymous wrote:
>
> That would not work. If you can find spamcop spamtrap addresses by
> scraping the spamcop website, then the people in charge of hiding
> the spamcop spamtraps are idiots for hiding them in such an obvious
> place. Also, if you can find spamcop spamtrap addresses by
> scraping the spamcop website, so can spamcop's enemies, and yet
> we have not seen any of them manage to pull off the abuse described
> above.
>

Sounds like a catch-22 to me....if they're so hard to find (impossible even), how can they manage to get onto a dirty list?

From no.spam.4.me at xs4all.nl Thu Mar 16 22:25:09 2006
From: no.spam.4.me at xs4all.nl (Nico Bartels)
Date: Thu Mar 16 16:25:17 2006
Subject: [SpamCop-List] Is this helping?
Message-ID:

Is this a 'Good Thing' or a 'Bad Thing'?
http://www.bluesecurity.com

--
|\ |
| \|ico
Panic now and avoid the rush!
From nobody at none.inv Thu Mar 16 23:29:25 2006 From: nobody at none.inv (Knny) Date: Thu Mar 16 16:30:03 2006 Subject: [SpamCop-List] Email system Message-ID: Mes siulome: Karstai Prekybiniai stendai Statybine mediena Apdailos ir pirties medziaga Sodo ir laisvalaikio reikmenys Ivairios pakuotes Aliuminio profilio gaminiai http://www.medison.lt/index.php?lang=lt&mID=2 http://www.medison.lt/index.php?lang=lt&mID=3 http://www.medison.lt/index.php?lang=lt&mID=4 http://www.medison.lt/index.php?lang=lt&mID=5 http://www.medison.lt/index.php?lang=lt&mID=7 http://www.medison.lt/index.php?lang=lt&mID=8 http://www.medison.lt/index.php?lang=lt&mID=9 From MikeE at ster.invalid Thu Mar 16 13:47:00 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Mar 16 16:50:02 2006 Subject: [SpamCop-List] Re: Is this helping? References: Message-ID: Nico Bartels wrote: > Is this a 'Good Thing' or a 'Bad Thing'? > http://www.bluesecurity.com As I said in a couple of Blue Frog posts in alt.spam recently: I will continue to recommend against using Blue Frog/ Blue Security because I don't trust its integrity or methodology Blue Security tells lies in its faq^0: - you will be protected from spam - spammers maximize their profits by cleansing their lists Blue Security steals its name from a registered^1 safe and lock company in La Jolla, CA Blue Security steals its Blue Poison Dart Frog (Dendrobates azureus) logo from Azureus^2 the BitTorrent app outfit. BlueFrog users report^3 to the BS forum about their spam increasing misfortunes since participating -- Dino Rubio, spiderdeet, whitehorse Blue Security is simply a profit oriented venture promoted by direct marketers and affiliates with the same shabby business practices as spammers and other direct marketers. 
^2 http://azureus.sourceforge.net/ http://en.wikipedia.org/wiki/Azureus ^1 http://kepler.ss.ca.gov/corpdata/ShowAllList?QueryCorpNumber=C1906836 ^0 http://www.bluesecurity.com/blue-frog/products/faq.asp ^3 http://community.bluesecurity.com/webx?13@433.5hosaPQdhwZ.0@.3c4a0b9a/0 More from the BS faq ^1 What does Blue specifically consider to be spam? Blue Security believes that Blue Frog users should accept unsolicited mail if it is compliant with the US CANSPAM act, so presumably they would ask their direct marketing friends to remove the bluefroggers from the noncompliant lists while moving them to CANSPAM compliant lists. And, the spamvertisers who are inclined to listwash or listswap or listmove can do so, while the spamvertisers who are not inclined to wash will not do so. So, then bluefroggers will be moved from some lists to others. The net effect of being a bluefrogger will be to profit Blue Security and get more spam and get moved around on spamvertiser lists -- since it is spamvertisers that BS commiserates with and cooperates with and bargains with and apparently provides bluefrogger addresses to . ^1 All unsolicited illegal messages under the CANSPAM Act of 2003,including messages Sent to a harvested address Sent via a zombie With false or misleading header information With deceptive subject lines Without an opt-out mechanism -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Thu Mar 16 13:49:31 2006 From: MikeE at ster.invalid (Mike Easter) Date: Thu Mar 16 16:50:14 2006 Subject: [SpamCop-List] Re: Email system References: Message-ID: Knny wrote: > Mes siulome: > Karstai > Prekybiniai stendai > Statybine mediena > Apdailos ir pirties medziaga > Sodo ir laisvalaikio reikmenys > Ivairios pakuotes > Aliuminio profilio gaminiai Sorry, my BabelFish and InterTran don't do Lithuanian to English. Can't help. 
-- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Thu Mar 16 14:42:57 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Thu Mar 16 17:45:03 2006 Subject: [SpamCop-List] Re: Well that didn't take long... References: Message-ID: "Galen" wrote in message news:dvcgua$7vj$1@news.spamcop.net... > Client just poof appeared... No pre-support questions. No contact prior. > Never moved nameservers but KNEW (and this is when I started thinking it > was going to be interesting) to use the nameserver address (in this case > kgiii.info/~username/file.ext) to access the site which is information I > intentionally didn't include in the welcome letters to any clients. > > So I have the advantage of seeing stuff in my logs which are checked quite > often but this made me check more often. I do try to respect privacy and > not review files but when I saw that in my logs I then decided I'd look > because the name of the file was 005.php. I *almost* disabled the ability > to send mail from the account but I decided I'd better wait as no evidence > means no crime at that point. So I stayed awake and watched the spike in > email and then three spamcop reports rolled in. > > Needless to say they're disabled. > > The domain they signed up with is: > > pontohost.com.br > > 3 reports in as many hours. > > No, no they won't be coming back online at this IP block. Any other hosts > might be see the address again in the future I suppose so should be aware > of it. > > It didn't take long at all. Pretty sad when one of your first clients (and > we're pretty much keen on people providing proof - we consider SC reports > proof in any cases I can think of - but spell out the terms pretty clearly > on the site) is a spammer. > > In case you're really curious it was: > > http://kgiii.info/~pontohos/005.php > > Their account doesn't work any more. ;) So there's not much to see there > anymore but that's the format it was sent through. 
> > Galen > -- > http://www.whathostingshould.be - We are what hosting SHOULD be. I love the idea of a hosting company that pays attention to spamcop reports. I am not so much in love with the idea of a hosting company that assumes that everyone has javascript turned on. From nobody at devnull.spamcop.net Thu Mar 16 14:47:09 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Thu Mar 16 17:50:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: indigo wrote... > > Anonymous wrote: >> >> That would not work. If you can find spamcop spamtrap addresses by >> scraping the spamcop website, then the people in charge of hiding >> the spamcop spamtraps are idiots for hiding them in such an obvious >> place. Also, if you can find spamcop spamtrap addresses by >> scraping the spamcop website, so can spamcop's enemies, and yet >> we have not seen any of them manage to pull off the abuse described >> above. > > Sounds like a catch-22 to me....if they're so hard to find (impossible > even), how can they manage to get onto a dirty list? You are confusing spamtraps with spam sources. Spamtraps are hard to find and identify, but spamtraps are not put on any "dirty lists." Spam sources are very easy to find (just check your inbox). Spam sources are put on "dirty lists" of IP addresses that have sent spam. As I have explained, it is very easy to collect a large number of non-spamtrap email addresses with a few spamtrap email addresses hidden among them. Just set a program loose on the web that searches for email addresses on webpages. The key point is that after you have done this you have no way of telling which ones are spamtraps. You also have no way of collecting only spamtrap email addresses -- if you could you could forge-subscribe them to mailing lists. You also have no way of collecting only non- spamtrap email addresses -- if you could you could spam all you want without being listed by spamcop. 
This is the basic method that makes spamcop work; anything you do to those millions of email addresses you collected you also do to the spamtrap email addresses -- because you can't tell them apart. Anything you do to the spamtrap email addresses you also do to those millions of email addresses you collected -- because you can't tell them apart.

Imagine the following conversation between Dilbert and his Pointy-haired-boss (PHB)...

PHB: We just got a contract to find and arrest every terrorist who arrives at the airport.

Dilbert: How are you going to find the terrorists?

PHB: That's easy! they all will be arriving at the airport!

Dilbert: Yes, but they will be hidden in a much larger crowd of non-terrorists.

PHB: You aren't paying attention. We just arrest everyone, thus insuring that we get all the terrorists.

Dilbert: The jails won't hold that many arrestees. You need to be able to tell terrorists from non-terrorists.

PHB: That's easy if you know where to look. You just look in the airport. All of the terrorists will arrive there.

Dilbert: Collecting a huge crowd of non-terrorists with a few terrorists hiding in the crowd is easy. Finding just the terrorists is hard. Telling terrorists from non-terrorists is hard.

PHB: I don't need to tell terrorists from non-terrorists. Besides, I only need to find a few of them to make the customer happy.

Dilbert: How will you find even a few?

PHB: They will be arriving at the airport!

Dilbert: This has "Long Day" written all over it...

From porpoise1954 at yahoo.co.uk Fri Mar 17 00:31:33 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Thu Mar 16 19:35:03 2006
Subject: [SpamCop-List] Re: Well that didn't take long...
References:
Message-ID:

"Anonymous" wrote in message news:dvcpm4$da5$2@news.spamcop.net...
>
> "Galen" wrote in message
> news:dvcgua$7vj$1@news.spamcop.net...

>> --
>> http://www.whathostingshould.be - We are what hosting SHOULD be.
>
> I love the idea of a hosting company that pays attention to spamcop
> reports.
>
> I am not so much in love with the idea of a hosting company that assumes
> that
> everyone has javascript turned on.

Hmm... yeah...... bit difficult to navigate the site when the navigation method doesn't work.........

From pxpearson at spamxcop.net Thu Mar 16 16:50:55 2006
From: pxpearson at spamxcop.net (Peter Pearson)
Date: Thu Mar 16 19:50:03 2006
Subject: [SpamCop-List] Re: Is this helping?
References:
Message-ID:

Nico Bartels wrote:
> Is this a 'Good Thing' or a 'Bad Thing'?
> http://www.bluesecurity.com
>

From http://www.bluesecurity.com/solutions/overview.asp:

>> Opt out requests are anonymous and do not reveal
>> our customers' identifies or email addresses.

How can one opt out without revealing one's email address? Is there any plausibility to this claim?

--
Remove the two x's to get a good email address.

From abuse at whathostingshould.be Thu Mar 16 21:23:24 2006
From: abuse at whathostingshould.be (Galen)
Date: Thu Mar 16 21:25:03 2006
Subject: [SpamCop-List] Re: Well that didn't take long...
References:
Message-ID:

In news:dvd01m$h4t$1@news.spamcop.net, Porpoise had this to say:

My reply is at the bottom of your sent message:

> "Anonymous" wrote in message
> news:dvcpm4$da5$2@news.spamcop.net...
>>
>> "Galen" wrote in message
>> news:dvcgua$7vj$1@news.spamcop.net...
>
>>> --
>>> http://www.whathostingshould.be - We are what hosting SHOULD be.
>>
>> I love the idea of a hosting company that pays attention to spamcop
>> reports.
>>
>> I am not so much in love with the idea of a hosting company that
>> assumes that
>> everyone has javascript turned on.
>
> Hmm... yeah...... bit difficult to navigate the site when the
> navigation method doesn't work.........

Yup, won't be fixed until version 2.0 of the site's update. That's due out, well, HOPEFULLY this weekend assuming I have time. I'm going to include a text based linking method to navigate the site as well.
That way, just in case, there is a way for people who don't use JavaScript to navigate. I might also play around with converting it to straight DHTML but that's a whole other story.

And hosting means, to us at any rate, being responsible members of the internet community and one of the ways of doing this is to ensure that we're never given a title of "spam friendly hosts" or the likes. We lose a few clients because of the policy, I'm sure, but our policy seems to be effective at this point though, by the same token, we do our best to ensure "due process" with abuse reports. In this particular case there is absolutely no doubt that the offending party is/was guilty and there's absolutely no leeway in our TOS. We simply do not, nor will not, accept this. Given the lack of any additional content at their site, well, I'm inclined to think that they had every intention of doing nothing more with the site than what they did. Now if they'd only used one of the more lavish plans we'd have made more money on it. ;)

The worst part is, now that that's been shown to be suspicious we're going to (again our internal policy) need to leave the payment in the payment processor account until we can verify that it's a legit account with a legit credit card. While we're still in our infancy as a company, though we've all been in and out of the industry in various ways for years, we'll even take the time to see what more we can accomplish.

Unfortunately we didn't get a copy of the emails - just our admins telling us "yes it was from your IP address and it was legit" so we can't go much further (unless someone knows how to find the spams that were reported using my IP address for the mail server: 69.16.211.62 in case you want to know it) and we're not the owners of the DNS we now need to wait to be blacklisted... Hmm... I wonder if I can ping the middleman and see if I can get the IP address abuse directly and retain control of it?
That'd make the process speedier and easier for us to take additional actions such as moving it up the ladder because we can pull raw logs and see their actual IP address they connected to (even if a proxy is used I understand) or if maybe I can attempt to prove to SC that we're the owners *lessees really or is that leasers?* who should be held accountable and the IP addresses technically just belong to our bandwidth providers? Any idea how I'd go about that? I know, for instance, that the company I'm through is just going to bit bucket the majority of complaints. They haven't the man-power really so unless someone really makes a stink they're not going to do a great deal. I doubt I'd have even heard a word about this for quite some time if I hadn't signed up with SC to get the reports as a third party that's interested. Grr... Maybe I need to lease a couple from a third party vendor as an owner and map them specifically to the mail... If this process were easier then I can think of a VAST number of hosting companies who are in the same boat I'm in who'd probably be more than willing to take control over such. At any rate, if someone can find the content of the spam (I can't seem to pull it - even out of raw log data) I'll happily take it even further if possible. Additionally, if someone can tell me HOW they found that data I'd not even bug you again about it. *grins* Thanks. If you wanted to see then: IMPORTANT NOTICE: Anyone hosting websites or services on our server that support spammers or cause any of our IP space to be listed in any of the various Spam Databases will have their server immediately removed from our network. The server will not be reconnected until such time that you agree to remove ANY and ALL traces of the offending material immediately upon reconnection and agree to allow us access to the server to confirm that all material has been COMPLETELY removed. 
Severe violations may result in immediate and permanent removal of the server from our network without notice to the customer. Any server guilty of a second violation WILL be immediately and permanently removed from our network without notice. http://www.whathostingshould.be/tos.html The site will be "fixed" soon so that JavaScript needn't be enabled as well as making keyboard navigation of the site easier for the physically impaired. (We actually had a complaint during the review process and take all such things into consideration.) Ah well, enough babble and bugging you all for now. Thanks for the help and we're trying to do our part. We're still small so it's not a very big part but I suppose every bit helps. Galen -- http://www.whathostingshould.be - We are what hosting SHOULD be. From nobody at devnull.spamcop.net Fri Mar 17 11:27:16 2006 From: nobody at devnull.spamcop.net (Patto) Date: Thu Mar 16 21:30:03 2006 Subject: [SpamCop-List] Re: Yahoo! In-Reply-To: References: Message-ID: jg wrote: > On 3/15/2006 9:15 PM Joseph K scribbled: > >> On Thu, 16 Mar 2006 12:10:30 +0900, >> Patto wrote: >> >>> http://www.spamcop.net/sc?id=z898529993zcd3ad61032a7429edd9b82417b9e568fz >>> >>> For almost a week I get this phis multiple times a day. The URL has been >>> reported more than a dozen time, yet the site is still up. Are they >>> actively supporting these scammers? >> Yahoo does host multiple spammers as part of their "Small Business" >> hosting system. Check out their Spamhaus records. >> Try sending your complaints to domains-abuse@yahoo-inc.com >> They tend to kill the discardable domains while keeping the spammer as >> a customer, but it is better than nothing. >> > I would /not/ classify that as better than nothing - its a total waste > of effort. I have finally reported the site via http://add.yahoo.com/fast/help/abuse/cgi_abuse and it is gone today! 
From g.hyde at bigpond.net.au Fri Mar 17 13:02:08 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Mar 16 22:05:03 2006 Subject: [SpamCop-List] Re: Well that didn't take long... References: Message-ID: So far, you've been talking about theoretical blocked spam emails, how about offering up some proof of reports that people can analyze? "Galen" wrote in message news:dvd6hp$kfk$1@news.spamcop.net... > Unfortunately we didn't get a copy of the emails - just our admins telling > us "yes it was from your IP address and it was legit" so we can't go much > further (unless someone knows how to find the spams that were reported > using my IP address for the mail server: 69.16.211.62 in case you want to > know it) and we're not the owners of the DNS we now need to wait to be > blacklisted... Hmm... I wonder if I can ping the middleman and see if I > can get the IP address abuse directly and retain control of it? That'd > make the process speedier and easier for us to take additional actions > such as moving it up the ladder because we can pull raw logs and see their > actual IP address they connected to (even if a proxy is used I understand) > or if maybe I can attempt to prove to SC that we're the owners *lessees > really or is that leasers?* who should be held accountable and the IP > addresses technically just belong to our bandwidth providers? Any idea how > I'd go about that? How do you explain the "yes it was from your IP address and it was legit" - portion of your sentence? I thought you were talking about confirmed spam emails. > I know, for instance, that the company I'm through is just going to bit > bucket the majority of complaints. They haven't the man-power really so > unless someone really makes a stink they're not going to do a great deal. > I doubt I'd have even heard a word about this for quite some time if I > hadn't signed up with SC to get the reports as a third party that's > interested. Grr... 
> Maybe I need to lease a couple from a third party
> vendor as an owner and map them specifically to the mail...

Maybe you need to tell us something you're not telling us, like, you're not really a hosting company. Which is about all I am reading in the sentences from the above paragraph. If you're really a hosting company, you should be having real control of mail that you are responsible for. If you don't have that control you would be very unwise to assume facts which are not in your possession.

> If this process were easier then I can think of a VAST number of hosting
> companies who are in the same boat I'm in who'd probably be more than
> willing to take control over such.

I think if I were looking for a hosting company and saw this newsgroup thread about your site, that I'd be looking elsewhere for hosting.

> At any rate, if someone can find the content of the spam (I can't seem to
> pull it - even out of raw log data) I'll happily take it even further if
> possible. Additionally, if someone can tell me HOW they found that data
> I'd not even bug you again about it. *grins*

Data not in your control can and will be subject to misinterpretation. Be sure of your facts before pointing the finger at someone. If you are really responsible for mail and you can verify that someone is abusing a mailserver set up on your network by misusing it to send spam emails, well and good - however, if you're misinterpreting facts, you need to get them straightened out first.

Something is very fishy here, and I'd be interested to know what is really going on with your supposed hosting company.

Cheers ... Geoffrey Hyde

From MikeE at ster.invalid Thu Mar 16 20:07:31 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Mar 16 23:10:02 2006
Subject: [SpamCop-List] Re: Well that didn't take long...
References:
Message-ID:

Galen wrote:
> (unless someone knows how to find the spams
> that were reported using my IP address for the mail server:
> 69.16.211.62 in case you want to know it)

SC sends the notifies for that IP to liquidweb:

Parsing input: 69.16.211.62
host 69.16.211.62 = creston.dailydns.com (cached)
Reporting addresses:
abuse@liquidweb.com

based on the arin contact information:

It is currently SC blocklisted.

69.16.211.62 rDNS creston.dailydns.com

OrgName: Liquid Web
NetRange: 69.16.192.0 - 69.16.223.255
OrgAbuseEmail: abuse@liquidweb.com
whois -h whois.abuse.net liquidweb.com ...
abuse@liquidweb.com

whois -h rwhois.liquidweb.com 69.16.211.62 ...
network:Network-Name:PROJECTPROJN-69.16.211.62
network:IP-Network:69.16.211.62/31
network:IP-Network-Block:69.16.211.62-69.16.211.63
network:Organization;I:PROJECTPROJN
network:Org-Name:project.projnet.com

69.16.211.62 - IP hosts 92 Total Domains ...

69.16.211.62 listed in bl.spamcop.net
will be delisted automatically in approximately 13 hours.
users have reported system as a source of spam
has been listed for less than 24 hours.

http://www.whathostingshould.be - We are what hosting SHOULD be.
www.whathostingshould.be DNS 69.16.211.62

G³ Solutions or G^3 or G cubed Solutions = http://kgiii.info/
kgiii.info = 69.16.211.62

--
Mike Easter
kibitzer, not SC admin

From jeffg at spamcop.net Fri Mar 17 00:14:40 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Fri Mar 17 00:20:05 2006
Subject: [SpamCop-List] Re: Well that didn't take long...
References:
Message-ID:

Galen wrote:
> Unfortunately we didn't get a copy of the emails - just our admins
> telling us "yes it was from your IP address and it was legit" so we
> can't go much further (unless someone knows how to find the spams
> that were reported using my IP address for the mail server:
> 69.16.211.62 in case you want to know it) and we're not the owners of
> the DNS we now need to wait to be blacklisted...
Report History for 69.16.211.62 follows:

Submitted: Thursday 2006/03/16 20:01:59 -0500:
Pendências 2006 junto a Receita Federal
1691876474 ( http:// wwreceitafazenda.net/atualizao2006/atual... ) To: soporte@arsys.es
1691876473 ( http:// wwreceitafazenda.net/atualizao2006/atual... ) To: postmaster@arsys.es
1691876471 ( 69.16.211.62 ) To: spamcop@imaphost.com
1691876465 ( 69.16.211.62 ) To: abuse@liquidweb.com

------------------------------------------------------------------------
--------

Submitted: Thursday 2006/03/16 18:31:14 -0500:
=?iso-8859-1?q?Pend=EAncias_2006_junto_a_Receita_Federal?=
1691940566 ( http:// wwreceitafazenda.net/atualizao2006/atual... ) To: soporte@arsys.es
1691940565 ( http:// wwreceitafazenda.net/atualizao2006/atual... ) To: postmaster@arsys.es
1691940564 ( http:// lists.freebsd.org/mailman/listinfo/freeb... ) To: network-abuse@cc.yahoo-inc.com
1691940563 ( 69.16.211.62 ) To: spamcop@imaphost.com
1691940561 ( 69.16.211.62 ) To: abuse@liquidweb.com

------------------------------------------------------------------------
--------

Submitted: Thursday 2006/03/16 14:48:33 -0500:
Pendências 2006 junto a Receita Federal
1691674030 ( 69.16.211.62 ) To: abuse@liquidweb.com

------------------------------------------------------------------------
--------

Submitted: Thursday 2006/03/16 07:44:34 -0500:
Pendências 2006 junto a Receita Federal
1691337112 ( 69.16.211.62 ) To: abuse@liquidweb.com

> Hmm... I wonder if I
> can ping the middleman and see if I can get the IP address abuse
> directly and retain control of it? That'd make the process speedier
> and easier for us to take additional actions such as moving it up the
> ladder because we can pull raw logs and see their actual IP address
> they connected to (even if a proxy is used I understand) or if maybe
> I can attempt to prove to SC that we're the owners *lessees really or
> is that leasers?* who should be held accountable and the IP addresses
> technically just belong to our bandwidth providers?
> Any idea how I'd
> go about that?

Please see "How can I get SpamCop reports about my network?" at http://www.spamcop.net/fom-serve/cache/94.html .

--
Thanks and Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From no.spam.4.me at xs4all.nl Fri Mar 17 06:56:38 2006
From: no.spam.4.me at xs4all.nl (Nico Bartels)
Date: Fri Mar 17 01:00:04 2006
Subject: [SpamCop-List] Re: Is this helping?
References:
Message-ID:

On Thu, 16 Mar 2006 13:47:00 -0800, "Mike Easter" wrote:

>I will continue to recommend against using Blue Frog/ Blue Security
>because I don't trust its integrity or methodology

Thank you. You made it very clear to me.

--
|\ |
| \|ico
Panic now and avoid the rush!

From abuse at whathostingshould.be Fri Mar 17 01:04:49 2006
From: abuse at whathostingshould.be (Galen)
Date: Fri Mar 17 01:05:04 2006
Subject: [SpamCop-List] Re: Well that didn't take long...
References:
Message-ID:

In news:dvd8u0$lqf$1@news.spamcop.net, Geoffrey Hyde had this to say:

> So far, you've been talking about theoretical blocked spam emails,
> how about offering up some proof of reports that people can analyze?

I'm not sure I follow (or maybe you're missing something) here... These are quite legit complaints and the IP should have been blocked and put on the blacklist. That was the correct thing to do by SC. I don't think that I need to prove that when you can see the IP address in the block list already? But here's an effort to do so with the evidence that I have. However...
This is an example (addresses munged but fairly obvious) of the emails that I get:

Return-path: <****** (at) admin.spamcop.net>
Envelope-to: ******@whathostingshould.be
Delivery-date: Thu, 16 Mar 2006 22:16:37 -0500
Received: from [204.15.82.126] (port=29769 helo=sc-smtp4-bulkmx.soma.ironport.com)
    by creston.dailydns.com with esmtp (Exim 4.52)
    id 1FK5S9-0001ZK-Io
    for ******@whathostingshould.be; Thu, 16 Mar 2006 22:16:37 -0500
Received: from sc-app3.ironport.com (HELO spamcop.net) ([204.15.82.22])
    by sc-smtp4-bulkmx.soma.ironport.com with SMTP; 16 Mar 2006 19:16:32 -0800
From: SpamCop robot <*****@admin.spamcop.net>
To: ******@whathostingshould.be
Subject: [SpamCop summary report]
Precedence: list
Message-ID:
Content-type: text/plain; format=fixed;
Date: Fri, 17 Mar 2006 03:16:32 GMT
X-Mailer: http://www.spamcop.net/ v1.527
X-ClamAntiVirus-Scanner: This mail is clean

[ SpamCop V1.527 Summary Report ]
-- See footer for key to columns and notes about this report --

IP_Address    Start/Length  Trap  User  Mole  Simp  Comments     RDNS
69.16.211.62  Mar 16 06h/0     0     3     0     0  blocklisted  creston.dailydns.com

-- Key to Columns --
IP Address: The numeric address.
Start: The first date (within the past week) that spam was reported to have originated from the IP address.
Length: The duration of the incident in # of days
Trap: Messages received at traps.
User: Messages reported by registered users.
Mole: Messages reported by registered users who prefer to remain anonymous.
Simp: Simple reports - messages submitted by unregistered users.
Comments: Notes reflect blocking-list status and issue-resolved status.
RDNS: Reverse dns name of ip address (must pass forward and reverse)

-- Summary Report Notes --
o All times are GMT, exact time of incident withheld.
o Time of this report is: Fri Mar 17 03:16:32 2006
o To close an issue, or get more details, log into your account: http://www.spamcop.net/
o Issues are sorted with the newest reports first.
  Resolving new issues first heads off additional spam from in-progress sources.
o This email is intended to be viewed with a fixed-width font.
o This email was requested in your SpamCop preferences page - where it may be disabled.
o This report is sent periodically, but only if there have been changes.

It, the IP address, is clearly blocked and I agree that it SHOULD be (though we've suspended the account already) and isn't really the issue at all. It will fall off the BL soon enough. The issues are...

A) It didn't take that long to get a spammer.
B) His/her information was provided for other people in case they want to simply disallow/refund that person from using their hosting services.
C) A request to get additional information as to methods of making this more seamless so that I can prevent the abusers from getting the head-start in the first place.

The IP address, clearly listed in the email, is in the BL. What's there to prove??? I don't MIND that it's there - that's WHERE it belongs until I can show that it's been dealt with. The IP address theoretically belongs to me and my three partners. It is, then, our duty to ensure that I do what I can to assist in cleaning up the SPAMers in as timely a manner as possible.

This process worked - the account is dealt with and the only "verification" I got was the people who get the actual report who didn't bother to notify me until I contacted them for more information and I'm inclined to believe them - but the process was longer than I would have liked it to be and allowed the offender to spew more trash across the 'net before I felt that I could be legitimate in stopping them.

It's hardly theoretical. It exists - it's very real actually?
http://www.spamcop.net/sc?track=69.16.211.62

For some evidence to show that I lease such:

http://www.dnsreport.com/tools/dnsreport.ch?domain=kgiii.info (My domain)
http://www.dnsreport.com/tools/dnsreport.ch?domain=whathostingshould.be (Our hosting company)

We don't GET the actual SPAM reports and yet we're the first line of defense to be able to disable the offending account. We've best been able to get to the status of, "Third party interested in..." There is NO link to read the report, there is no link to verify that this is actually someone whom we host, there's the entirety of the letter above.

If you read the above you'll see that the offense occurred at 0600 hours and three reports have been filed. That is, frankly, the only proof I have and I fail to see how it's theoretical when it's clearly in the blacklist and I certainly agree that's where it belongs (or at least belonged) and the log files clearly show that at/about that time the outbound mail with a number of packets going out rather quickly and while I do have that for evidence I don't think you're privy to that information as such would be in violation of my client's reasonable expectation of privacy as it contains information about other people as well.

So, and I am not sure if this will come out nice or not, this whole theoretic stuff has taken far too much of my time and if you do have something that's going to assist me in doing the job of preventing abuse from our server please share it. For the love of God, share it!!! I've spent, already, a half dozen hours doing additional research on this whole process including authentication methods for the IP addresses all the way to simply buying an entire class C block.

I am sooooooo going to (And please don't think I'm really trying to take it out on you - in fact I'm trying not to but fail to see what this post is going to do to help unless, of course, you're directly affiliated with SpamCop?) bill this SOB for my time.
I don't think it will get paid but I do think that it will make me feel a bit better to actually author the invoice and send it... However, I'll keep spending time and money to ensure that this is done properly with both respect to the 'net community and to our clients. When, for instance, they finally do send me the copies of the actual reports I'm going to go to their registrar to file an official complaint and see if I can get it yanked (as registrars are able to do) from them.

Do you not understand that I'm on (what I think is) your side? I'm trying to make sure that MY company doesn't offend YOU by allowing people to SPAM you. I want, simply, to be able to justify closing an account nearly instantly without having to go through all of this and I want to do that because I think you - yes YOU even though you're either a skeptic or just plain missing the idea behind this and insist on some sort of proof of my intent or evidence that I clearly don't have beyond what's given here or could have been found by looking in the blacklist on your own - have every right to expect that you can pick who and what emails you receive.

That is, and though the price of bandwidth is inexpensive *coughs - for you guys - coughs* people are still paying for it and for their time in dealing with it and, so, that means that the SPAMer is stealing and I don't really want to be associated nor to have my company associated with a thief. They are stealing from you, they are stealing from me, they're violating the terms they agreed to with us at any rate, and they're violating what should be a reasonable expectation of privacy.

I come here - since before we even opened the company officially - with every intent of making sure that we're one of the good guys and you approach me with this sort of crap? I'd plonk you and ignore you but I really think you're just not understanding so I'm trying to help.

Now, if you want more evidence - scroll down... Find my signature... Click the link...
Scroll down... See whom the company is owned by and where it leads... Go to SC's site and look for the IP address(es) both in my emails and from the WHOIS data you can get freely online. Poke around - they might have removed it by now but a report came in (some slow reporter - time of offense is still 0600 hrs) a while ago but doesn't seem to affect it as they go by the time it was sent and not by the last time it was reported (thank God or someone could report it a couple of days later IIRC).

Want more evidence? Well, I suppose you could try asking people. You'd be amazed at the people who (even in here probably - I can point to one specifically but if he's interested he'll chime in) actually know who I am. I'm DOING all this work (free really as we're still running WAY in debt really though not much more than we'd be if we simply all bought our own separate hosting - interesting that) at what is actually an expense because I like you. Yes you. and I don't even know you!

I'm pretty sure I should delete the last few paragraphs but I am selfish and those paragraphs somehow make me feel better and might actually help you to understand that not all hosting companies are monsters but are proactive and aggressive towards supporting both the rights of our clients and the expectations of the world at large.

I somehow think you misunderstand... Again... Once more to make sure that it makes sense?

1) The IP address should have been blacklisted.
2) The due process was taken to the best of its ability.
3) The effort to streamline this (to get the reports directly) is the concern.
4) The person is guilty and will likely do so again - I've shared this alert with you.
5) I need help to ensure that I can deal with this again in the future as easily as it was this time as this time there was very little evidence without a LOT of digging and a longer pause between offense and action (about 8 hours total which is 7h 50m too long) being taken.
We don't have a lot of clients - chasing this one down was easy. Add a dozen more and it's impossible for anything other than a super computer to pull the actual evidence from the raw logs. There's simply too much data and, even filtered, still not satisfactory evidence without the content of the offending email as well as its headers.
6) Our goals are simplistic - to do what should be done for both you and for our clients thus we ask here because here's a repository of knowledge and one of the most important bodies of action on SPAM/UCE on the internet.

We COULD just say "piss off" and we're covered under the DMCA because we don't GET the reports and haven't any way of knowing. A host can't be held accountable for the actions of their clients unless they're aware of it. Sure, we can be blacklisted but, well, we all see how well that works. If it weren't for disabling the account they'd have the ability to still send SPAM and if no one else reported their last one it'd expire from the BL in 24 hours.

Then again, you could make fraudulent complaints against our clients and we could just suspend them and say that we did that with any/all complaints until they, the client, proved they didn't do so. We, instead, aim to do our best for all of the people involved and there's an awful lot of people online. (Wow, that almost sounds like a tacky sales speech - please don't, I don't think I'd want to host you based on your post above.)

So, well, there you have it. If you're offended by my response then, well, I'm offended that you didn't research before bleating about theoretical reports that I clearly stated we don't get. When I emailed the abuse department to ask if the complaints were legit...

"Unfortunately we didn't get a copy of the emails - just our admins telling us "yes it was from your IP address and it was legit" so we can't go much further (unless someone knows how to find the spams that were reported using my IP address for the mail server: 69.16.211.62 in case you want to know it) and we're not the owners of the DNS we now need to wait to be blacklisted..."

We didn't get a real report other than that of a complaint having been filed until some 7 hours after the blacklisting occurred. The report we get tells us, well, nothing other than at X hour someone filed a complaint about an email that was sent at X hour. We can't do a lot with that information and justify it.

The sad thing is this was supposed to be taken care of and we were supposed to get the reports automatically forwarded to us. Now that we have had a chance to test it live, well, it's not working well enough and we're not going to take a sit-down approach to this. Even if I must pay, out of pocket, the IMMENSE sum to grab an entire C block for 7 years and then go through the hassle of reregistering everything then so be it. I'd really rather not but, well, YOU deserve that. Our clients, so few they are when I start doing the math on this one, deserve their emails to be delivered in a timely fashion. *grins* We'd really LIKE to avoid that expense but no, we will if we have to?

I've ranted enough I suppose... Best of luck with doing whatever it is you do.

Galen
--
http://www.whathostingshould.be - We are what hosting SHOULD be.

From abuse at whathostingshould.be Fri Mar 17 01:39:41 2006
From: abuse at whathostingshould.be (Galen)
Date: Fri Mar 17 01:40:02 2006
Subject: [SpamCop-List] Re: Well that didn't take long...
References:
Message-ID:

In news:dvdglb$prv$1@news.spamcop.net, Jeff G.
had this to say:

> Galen wrote:
>> Unfortunately we didn't get a copy of the emails - just our admins
>> telling us "yes it was from your IP address and it was legit" so we
>> can't go much further (unless someone knows how to find the spams
>> that were reported using my IP address for the mail server:
>> 69.16.211.62 in case you want to know it) and we're not the owners of
>> the DNS we now need to wait to be blacklisted...
>
> Report History for 69.16.211.62 follows:
>
> Submitted: Thursday 2006/03/16 20:01:59 -0500:
> Pendências 2006 junto a Receita Federal
> 1691876474 ( http:// wwreceitafazenda.net/atualizao2006/atual... ) To:
> soporte@arsys.es
> 1691876473 ( http:// wwreceitafazenda.net/atualizao2006/atual... ) To:
> postmaster@arsys.es
> 1691876471 ( 69.16.211.62 ) To: spamcop@imaphost.com
> 1691876465 ( 69.16.211.62 ) To: abuse@liquidweb.com
>
> ------------------------------------------------------------------------
> --------
>
> Submitted: Thursday 2006/03/16 18:31:14 -0500:
> =?iso-8859-1?q?Pend=EAncias_2006_junto_a_Receita_Federal?=
> 1691940566 ( http:// wwreceitafazenda.net/atualizao2006/atual... ) To:
> soporte@arsys.es
> 1691940565 ( http:// wwreceitafazenda.net/atualizao2006/atual... ) To:
> postmaster@arsys.es
> 1691940564 ( http:// lists.freebsd.org/mailman/listinfo/freeb... ) To:
> network-abuse@cc.yahoo-inc.com
> 1691940563 ( 69.16.211.62 ) To: spamcop@imaphost.com
> 1691940561 ( 69.16.211.62 ) To: abuse@liquidweb.com
>
> ------------------------------------------------------------------------
> --------
>
> Submitted: Thursday 2006/03/16 14:48:33 -0500:
> Pendências 2006 junto a Receita Federal
> 1691674030 ( 69.16.211.62 ) To: abuse@liquidweb.com
>
> ------------------------------------------------------------------------
> --------
>
> Submitted: Thursday 2006/03/16 07:44:34 -0500:
> Pendências 2006 junto a Receita Federal
> 1691337112 ( 69.16.211.62 ) To: abuse@liquidweb.com
>
>> Hmm...
>> I wonder if I
>> can ping the middleman and see if I can get the IP address abuse
>> directly and retain control of it? That'd make the process speedier
>> and easier for us to take additional actions such as moving it up the
>> ladder because we can pull raw logs and see their actual IP address
>> they connected to (even if a proxy is used I understand) or if maybe
>> I can attempt to prove to SC that we're the owners *lessees really or
>> is that leasers?* who should be held accountable and the IP addresses
>> technically just belong to our bandwidth providers? Any idea how I'd
>> go about that?
>
> Please see "How can I get SpamCop reports about my network?" at
> http://www.spamcop.net/fom-serve/cache/94.html .

Thank you! I think? Where did you GET that information??? I've pressed EVERY single button and played with EVERY single option!?! I could NOT get that report at all. I created an ISP account when we first did this but, as I'm *JUST* the renter of the IP address I can't get it to say anything OTHER than third party which means I only get a very basic note (as included in another response just a few minutes ago so I'll save some bytes as I KNOW what bandwidth can cost these days) saying that, well, something was submitted....

Here's what I see on my "show routes" page:

[delete] 69.16.211.62 69.16.211.62 Third party interested in daily aggregate summary reports
[delete] 69.16.211.63 69.16.211.63 Third party interested in daily aggregate summary reports

Those are my primary and secondary IP addresses and I don't own them but rather get them from my upstream provider who is, as you guessed it, the dailydns which is a fake (well it exists but it's not really accessible or anything) address meant to be there so resellers can hide that they're reselling someone else's bandwidth. Duh? We're all, in one way or another, reselling SOMETHING and bandwidth is always resold. I don't know one single independent hosting company that's actually a backbone provider.
Now, when I click on the control center and go ahead and input the IP address (just the one in this case as there's been no routing troubles) I get back:

69.16.211.62 Most recent spam reported about 13 hours ago

A review of the abuse.net's settings shows that (and SC's settings by the way) that only the domain can be the abuse address. That IP addresses are discarded which, really, isn't doing me a lot of good. The information you gave above is, really, all I need/want to be able to cancel an account when we get a spammer... Coupled with server logs I can easily pull out a time-frame and verify that the act took place and the account needs to be suspended.

How do I get that information? I don't own the IP addresses and so the abuse address is different. It goes to my upstream provider and data center at LiquidWeb. I've pinged them but, well, they don't seem too keen on fixing it even though it's covered for at least the next year - paid for in full thanks...

When I go ahead and click on the more information links I get, well, nothing and I'm guessing that's because the abuse address for that IP is set to something else. I don't want to be the ONLY one to get the complaints but without the stuff you gave above I can't really DO anything. It doesn't even tell me WHO it was or the referring URL or anything. It's just the report that I gave as "evidence" to the other person...

I think I've clicked every single option on the site now... I'll keep clicking but, well, thanks. It reminds me (we bought PLENTY of bandwidth and space) to ask about setting up traps sometime... That should be interesting.

Anyhow, thanks. I think? It didn't get me any further really but, well, it's interesting to say the least.

Galen

From nospam at nospam.org Fri Mar 17 08:22:11 2006
From: nospam at nospam.org (Ejo)
Date: Fri Mar 17 02:25:05 2006
Subject: [SpamCop-List] My top 5!
Message-ID:

My top 5 of spam-words is:

1 growing 11.4%
2 trading 10.2%
3 top 9.9%
4 company 9.7%
5 trade 8.2%

Ejo

From abuse at whathostingshould.be Fri Mar 17 02:37:04 2006
From: abuse at whathostingshould.be (Galen)
Date: Fri Mar 17 02:40:02 2006
Subject: [SpamCop-List] Re: Well that didn't take long...
References:
Message-ID:

In news:dvdcm1$npa$1@news.spamcop.net, Mike Easter had this to say:

Hey Mike, thanks again. Reply follows the email you sent.

> Galen wrote:
>> (unless someone knows how to find the spams
>> that were reported using my IP address for the mail server:
>> 69.16.211.62 in case you want to know it)
>
> SC sends the notifies for that IP to liquidweb:
>
> Parsing input: 69.16.211.62
> host 69.16.211.62 = creston.dailydns.com (cached)
> Reporting addresses:
> abuse@liquidweb.com
>
> based on the arin contact information:
>
> It is currently SC blocklisted.
>
> 69.16.211.62 rDNS creston.dailydns.com
>
> OrgName: Liquid Web
> NetRange: 69.16.192.0 - 69.16.223.255
> OrgAbuseEmail: abuse@liquidweb.com
> whois -h whois.abuse.net liquidweb.com ...
> abuse@liquidweb.com
>
> whois -h rwhois.liquidweb.com 69.16.211.62 ...
> network:Network-Name:PROJECTPROJN-69.16.211.62
> network:IP-Network:69.16.211.62/31
> network:IP-Network-Block:69.16.211.62-69.16.211.63
> network:Organization;I:PROJECTPROJN
> network:Org-Name:project.projnet.com
>
> 69.16.211.62 - IP hosts 92 Total Domains ...
>
>
> 69.16.211.62 listed in bl.spamcop.net
> will be delisted automatically in approximately 13 hours.
> users have reported system as a source of spam
> has been listed for less than 24 hours.
>
> http://www.whathostingshould.be - We are what hosting SHOULD be.
> www.whathostingshould.be DNS 69.16.211.62
>
> G³ Solutions or G^3 or G cubed Solutions = http://kgiii.info/
> kgiii.info = 69.16.211.62

Yup, both belong (theoretically) to me - or at least I'm the only authorized person to use them at this point in time and for at least the next year though I can't imagine why I'd change it. If you root on whathostingshould.be you'll find, at the bottom of the pages, that the site's owned/operated by G³ Solutions (which is me...) and so I guess that makes me accountable for the trash that hosts with us when we don't catch 'em in time.

I don't disagree with being blocked - in fact I'm GLAD that action was taken... I don't mind one bit - I'd do the same thing. What I would like to do is grab this SOB and wring his neck right about now but, barring that, I'd like to be able to act sooner and have confirmation beyond the vast amount of log reading, guesswork, and hours to go ahead and suspend an account legitimately.

We can not, for instance, just suspend an account because someone complains about SPAM. We will not do it. However, the moment that person complaining shows a single shard of evidence that's valid to support their claim that the client sent them SPAM we will not hesitate for even a minute to disable or even outright ban their account. The content of the report was certainly enough evidence but all we got was:

(Basically)

IP_Address    Start/Length  Trap  User  Mole  Simp  Comments  RDNS
69.16.211.62  new/0            0     1     0     0            creston.dailydns.com

I can't SEE the reason or the reported email and there's no link to it? If we go back in time (I think it was actually the help section of this newsgroup) you'll find me rooting about for more information and so I approached my first line for contact and I was made to understand that I'd automatically get the reports directly even if I'd never bothered signing up as an ISP. I think they lied. I get, well, silly stuff that hasn't a bit of useful information in it.
I want, very much, to deal with these people but can't without some sort of evidence and (in case you can't tell) the upstream providers really don't care too much about acting on abuse reports. I did the whole sign up as an ISP thing and no, that didn't work. We now see, live, what the results are... It turns out they're of no value other than saying "you got a report and no you can't read it" though Jeff pulled out one but I can't figure out how he did that???

I'm going to ping the upstream providers and the middleman - again - with some, I hope, decent words... Hopefully they'll read them and understand them and address the situation because *grins* it's pretty hard to be what hosting should be if you're unable to do a great deal about SPAMers...

Anyhow, someone's watching so thank you whoever you are... They just removed us from the blacklist.

http://www.spamcop.net/w3m?action=checkblock&ip=69.16.211.62

That's nice and all but I can't really see where I'm going to go next... You can bet your bottom dollar (though I suspect you PROBABLY shouldn't at this point - just in case) that there will never be an abuse issue that I don't go all out on. I have said - since day one - that I will deal with those personally and that if any of the support folks get a single complaint (they all can read it via IMAP) they are to call my cell and I will deal with it until we're large enough to have a consistent force with an established policy and hired employees well versed in it.

Right now - we're small enough - I was able to spend a LONG time poring over logs AND had already been cued to expect it given the method the user was using the services. Tomorrow, for example, if 20 folks sign up there's nothing we can do... Nothing... We get a report, just like what you saw above. That report is unable to help us and I can't seem to find a way to "spot check" the reports and get the actual listing of the offensive emails at all! *kicks something*

Me? Personally?
I'm online putting in 20 hour days. I'd check that SOB every hour minimal when something was a little suspicious and rely on the reports otherwise. One of the FIRST people we'll hire out for will be support desk and an abuse admin so that we can assure it's manned 24/7. We have all said that we agree - abuse is just as important to us as customer support.

We value - at least I do - the inclusion of the domain in the blacklist. I haven't a SINGLE objection to that. Not ONE. SC was perfectly justified to blacklist us and the next time they do it you can bet (better use someone else's dollar on this one) bottom dollar that we'll be just as happy. I hope the rest of the 'net follows suit and blacklists us as well when that happens.

Now... Next time I can't be sure - I'm not even able to really respond to the complaints as I'm just the "third party interested..." Without that evidence (and this time I accepted someone at the main office telling me that yes it was a legit complaint and also had some reasons and was able to pull access out from the logs) I can't just remove the offending account - in fact I don't even KNOW WHAT the offending account is.

Now gimme an IP address and a time and I can pull it out of there with exactness and tell you for certain if it originated with us in all of the few minutes it takes to pull their logs and analyze 'em. I'll happily do that AND we'll happily corroborate and act on THEIR upstream provider because, well, you don't always get the true IP address while we do even if it's a proxy as it resolves to the real IP address much the same way as a number of scripts can show true IP address regardless of proxy (don't tell the proxy users the truth though, it will ruin their day) we can get them generally, or at least so far, via raw access logs.

It takes, oh, 2 minutes to download, 30 seconds to run WebLog Expert, and 15 seconds to suspend an account.
It takes, without that information, a wild guess, an approximate time frame, some help desk to say "yup *guffaw* we're pretty sure" (even though there's no evidence of them ever viewing the logs but I suppose they *could* hide that from my access level), and 12 hours. Without the ACTUAL content of the report we can't do ANYTHING normally. We were LUCKY this time and it's good too because it's helping us fix this problem and to have been lucky enough to have this happen pretty much RIGHT after going public online (some local customers but, well, I don't think they're going to SPAM but [chuckles] if they do then they too are subject to the same reactions) with one of our first customers? If there's anyone out there who's interested in hosting let this be something of a lesson that you can learn from watching us try to swim while doing it the right way. It's been quite a while and the abuse address at liquidweb hasn't responded at all. So, well, that tells you how effective it is for both the reporting parties and for me. I suspect, strongly, that they will but they're (just like every other DC with the true lease on the IP addresses) swamped. I don't want to give away trade secrets (well okay, not really) but 1/7 and the second one to sign up online was someone who was doing so with an intent to abuse the system and very well likely used a fraudulent method to pay us. It's not easy, it's not fun, it isn't profitable right away, and you'd better be ready to spend 90+ hours a week working to startup even WITH plenty of funds to support starting. The percentage of humans versus idiots is pretty low, there's a lot of scum out there so unless you're prepared to start off by losing oodles of cash to do it right, don't bother... *Has been authoring this email for a while* It looks like it's going to be better than I expected. Maybe an additional 24 bucks a year should be able to get us the IP address with our name on it from the looks of things. 
That's something I don't mind doing except the propagation period which might hose things for a bit... Grr... Ah well... Thanks again Mike, your answers have always been about 6" higher than my current grasp and make me stretch further which, honestly, is a good thing. Galen -- http://www.whathostingshould.be - We are what hosting SHOULD be. From abuse at whathostingshould.be Fri Mar 17 02:40:43 2006 From: abuse at whathostingshould.be (Galen) Date: Fri Mar 17 02:45:03 2006 Subject: [SpamCop-List] Re: My top 5! References: Message-ID: In news:dvdo2k$tn4$1@news.spamcop.net, Ejo had this to say: > My top 5 of spam-words is: > > 1 growing 11.4% > 2 trading 10.2% > 3 top 9.9% > 4 company 9.7% > 5 trade 8.2% > > Ejo You mean "enlarge" and "manhood" isn't in there? It's kind of funny as my wife sometimes gets them and, even funnier still, is when she's peeking over my shoulder and I get one and I turn to her and say, "What, so you ratted me out huh?" She says nice things to make me feel better but I'm still pretty sure someone ratted me out... :-( I generally sign my brother up for the snail-mail spam for Hair Club for Men type stuff... So, well, I guess I'm evil but it DOES have some entertainment value. Unfortunately I can't block based on those keywords as it'd kill legit mail. Can I ask an additional question? (Besides that one...) Do you have a percentage of your legit email versus your SPAM/UCE? -- http://www.whathostingshould.be - We are what hosting SHOULD be. From abuse at whathostingshould.be Fri Mar 17 02:51:26 2006 From: abuse at whathostingshould.be (Galen) Date: Fri Mar 17 02:55:04 2006 Subject: [SpamCop-List] Re: Is this helping? References: Message-ID: In news:dvcmcj$bfd$1@news.spamcop.net, Mike Easter had this to say: > More from the BS faq I was scrolling and reading and, well... Does anyone else see the entertainment value? (I'm in the mood to be happy - I've had enough of being annoyed for a day.) 
I should take this to the social NG (and if it continues I'll set the respond to address there or what not) but, well, that's just plain beautiful and yet another fantastic answer given by Mike. When we're rich and able to do so and we open our DC - we're gonna steal him away from his current employer if possible. *grins* At current levels and assuming about 50 million to start a decent data center we'll be able to open our own (with gross profits) in about 32000 years. Galen From nospam at nospam.org Fri Mar 17 08:51:38 2006 From: nospam at nospam.org (Ejo) Date: Fri Mar 17 02:55:15 2006 Subject: [SpamCop-List] Re: My top 5! In-Reply-To: References: Message-ID: Galen wrote: > In news:dvdo2k$tn4$1@news.spamcop.net, > Ejo had this to say: > >> My top 5 of spam-words is: >> >> 1 growing 11.4% >> 2 trading 10.2% >> 3 top 9.9% >> 4 company 9.7% >> 5 trade 8.2% >> >> Ejo > > You mean "enlarge" and "manhood" isn't in there? It's kind of funny as my > wife sometimes gets them and, even funnier still, is when she's peeking over > my shoulder and I get one and I turn to her and say, "What, so you ratted me > out huh?" She says nice things to make me feel better but I'm still pretty > sure someone ratted me out... :-( > > I generally sign my brother up for the snail-mail spam for Hair Club for Men > type stuff... So, well, I guess I'm evil but it DOES have some entertainment > value. Unfortunately I can't block based on those keywords as it'd kill > legit mail. > > Can I ask an additional question? (Besides that one...) Do you have a > percentage of your legit email versus your SPAM/UCE? > The table was part of this text "under construction": > Spam! > > Nowadays more than 80% of all incoming e-mail is spam which > causes many of us unwanted work cleaning up our inbox. 
> > Most e-mail software uses Bayesian word filtering to detect spam, > the scores of words within an e-mail are added up and when the > ratio between bad and good exceeds a certain threshold e-mail is > considered to be junk. > > My top 5 of spam-words is: > > 1 growing 11.4% > 2 trading 10.2% > 3 top 9.9% > 4 company 9.7% > 5 trade 8.2% > > while my top 5 of non-spam words is: > > 1 van 52.1% > 2 ernst 38.1% > 3 delft 35.9% > 4 wrote: 34.8% > 5 het 33.4% > > "Van" and "het" are the Dutch equivalents for "From" and "The", > most of my legal e-mail is Dutch and spam is usually Asian or > English. > > The people that send me spam are aware of this technique and > they are getting better at disguising typical words like > "viagra" that only appear at the 2.2% level. Sometimes images > with text are used to transfer the message, or the message is > more sophisticatedly hidden within an e-mail. > > Therefore additional tests are performed to check the validity > of e-mail; one of them is looking at the origin of the sender > and testing whether the originating internet address belongs > to a known spammer. > > The combination of all tests detects more than 99% of my junk. > Still to do the job right you have to manually check your mail > folders since less than 0.1% is legit e-mail that is wrongly > detected as junk mail. > > > Ejo From abuse at whathostingshould.be Fri Mar 17 04:44:17 2006 From: abuse at whathostingshould.be (Galen) Date: Fri Mar 17 04:45:38 2006 Subject: [SpamCop-List] Re: My top 5! References: Message-ID: In news:dvdppr$unn$1@news.spamcop.net, Ejo had this to say: > The table was part of this text "under construction": Sad but according to InformationWeek and NetworkWorld that's about average... I'm not sure why (and I get a VAST amount of email) my figures are likely higher. 
I'd guess - and keep in mind I use a real address for usenet posting so that's surely a part of it but I'm certain that there's companies with far more silly people - it's closer to 94% last month and that was down something like 2.4%... Yet, when taken into an alternate view - and this makes little sense to me - I have domains that are quite popular and yet the above statistic is only true with certain addresses? The emails I get from @commonfreemailtypedomains.tld (made that up but the point is there) are MAYBE 1/600 this month (I'm using calc.exe to figure this out so figure might be off a wee bit) for legit email. For, really just as popular in some regards, TLDs which aren't free-mail accounts I see maybe 1/500 or so that are SPAM. My kgiii.info domain gets a good 200 uniques (not that much but compared to a number of sites that's pretty decent) a day and has thousands of links across it and indexed. That number's down for the past month or two. It was nearing 500 per day with something like 5.6 page views per average. One day it ate 10.6 GB (I think they came from a DIGG type service but each and every last one was on an IP from a country that doesn't speak my language as their main language so it was just odd really as not one of them was a hack attempt and the port was just plain 80 and all the traffic was reading a blog page on WLM invites) in under 20 hours so I simply shut the databases down and sent the blog page to static HTML with it referring to that. It was not, really, all that nice. (No ads, no money for the traffic, just plain and simply expense.) The visits weren't the problem... It was the SPAM inbound making SQL entries... It was, sad but true, a bit under a $1500 dollar day. Education is best paid for it seems - we won't do THAT again. Anyhow, back on track, with the Gmail, Hotmail, and I guess that's all now that I look, I personally have something close to a 6/100 legit/SPAM or UCE email ratio... It's not impressive. 
They DO filter them out but it's not perfect and I doubt it ever will be. I still have to look at some of them... And yet with the domains it's really, fairly close to 100% legit except one and it's spam_here@example.com and what I use for SEO work. The irony is that the vast majority of the spam_here addresses are legit? I'd signed up to use that service and the email is legitimate in a VAST majority. Out of the thousands of emails that account gets daily (about 5k to 7.5k emails normally) maybe a couple each day of what I notice (I scan the address and subject lines as I mass delete 'em) appear to be illegitimate. Heck, having access to the mailserver's the stuff - I could block them but I'd end up blocking an entire range of ARIN names to the server's email so, well, I'll just let those leak through until they're busted and report them over and over again as it makes me feel better. Now, two questions seeing as you're seemingly so helpful. ;) I'd like to add this to some statistical databank. I get requests once in a blue moon but not lately. In fact, now that I think about it, not in ages... Are there any on-going spam research polls? Is there any evidence to support that the free-mail domain type stuff is swamped more often? It makes sense that it would be except I do sort of use them all in very similar manners. In fact if you look at the headers of this message you will see a real address is used. This address is fairly new but not at all unlike any of the other addresses. Galen -- http://www.whathostingshould.be - We are what hosting SHOULD be. From g.hyde at bigpond.net.au Fri Mar 17 20:41:08 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Mar 17 05:45:14 2006 Subject: [SpamCop-List] Another one of those software spams. Message-ID: http://www.spamcop.net/sc?id=z899358375zde5d7d3a1a987acc4d7c16ab004ebfe2z I was wondering why they are using names like "Repetitive B. Spreader" in the name field. 
Are they trying to say they're a bot, or are they running out of names they can actually use? Is this some kind of virus/trojan/worm effect? (IE an infected computer?) If so, is there a decodable source IP I might be able to notify manually about it? I think I'll go look into SpamHaus or other similar blocklists tomorrow, I'm a bit tired now, been doing a lot of things. Cheers ... Geoffrey Hyde From MikeE at ster.invalid Fri Mar 17 06:26:10 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 17 09:30:13 2006 Subject: [SpamCop-List] Re: Another one of those software spams. References: Message-ID: Geoffrey Hyde wrote: /sc?id=z899358375zde5d7d3a1a987acc4d7c16ab004ebfe2z > I was wondering why they are using names like "Repetitive B. > Spreader" in the name field. name field = From There are a great many strategies to cause the recipient who sees the item in hir Inbox and who is reading the Subject and the From to become more interested or curious or amused or bemused or any other 'sensation' that causes them to look inside. I argue to try to get all average spam recipients to not have spam Froms & Subjects in their Inbox and to play a 'game' in which the score is based on getting all of the spam into the Junk folder without having to handle it [which includes reading its From and Subject with human eyes connected to a human brain] and another score is given to the spammer when the human eyebrain is caused to open a spam and read what is inside. Where the opening is based on curiosity or interest or disgust or amazement or puzzlement or considering that the creator is totally daft. I read more of Geoffrey's spam than I do my own. 'Why they are using names like....' is to get you to open and read the spam. That's what the spamgame is all about. > Is this some kind of virus/trojan/worm effect? The source is a known proxytrojan IP listed in quite a lot of proxy db/s - blitzed, CBL, dsbl for socks4 & http over port 1080, 8080, njabl-proxy, moensted proxy, PSBL. 
spamtrap [tons of evidence since '05 Dec], spamcop [reporters and spamtraps 100 of last 180 days], plus a number of other lesser blocklists > (IE an infected > computer?) If so, is there a decodable source IP I might be able to > notify manually about it? I don't know what you mean there. Virms may infect user IPs which become proxytrojan spamsources or other uses for zombies. The spamvertised site is fakzlk31343ayxxs2xxa2xff.ficklymc.com at 61.129.113.162 at Shanghai Global Network which IP is spamhaused as the /32 for warez & pharm spam. So, from a scorecard point of view; I would have scored just fine. My client side spamfilter would've put that into the Junk folder without my human eyebrain falling on it, and the source IP would've been reported to the SCbl to keep it there. I wouldn't have been reading the spambody. Let's say I might've read the Xlines put in the spam's header by SpamPal. That doesn't count for the spammer, nor do other such inspections of the interior such as this one. Nor does it count against me to use a GET console to find out that the link's redirection to a different path /gnqps/?cmpid=524&affid=5827 doesn't mean a different provider -- but most likely is there to credit the spam injector for the hit. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 17 07:54:53 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 17 10:55:11 2006 Subject: [SpamCop-List] Re: Well that didn't take long... References: Message-ID: Galen wrote: > However... This is an example (addresses munged but fairly obvious) > of the emails that I get: > [ SpamCop V1.527 Summary Report ] > -- See footer for key to columns and notes about this report -- > > IP_Address Start/Length Trap User Mole Simp Comments > RDNS > > 69.16.211.62 Mar 16 06h/0 0 3 0 0 blocklisted > creston.dailydns.com Thanks for posting that. I've never seen one of those. Now filing what a summary report looks like. 
> C) A request to get additional information as to methods of > making this more seamless so that I can prevent the abusers from > getting the head-start in the first place. You need to see if you can get the reports which contain a link to the evidence for each report which is made for your IP based on the fact that it is the MX [and output server] for kgiii.info which you say is reg'd to you, but the publicly accessible information at eNom/afilias doesn't say that. It only talks about the registerfly.com information. The domainname whathostingshould.be also has that IP for its MX & presumably outgoing and your name and address do show up at the registrar for the .be domain at dns.be -- but only if you go to the dns.be site, not if you query the whois.afilias.info server. In the case of kgiii it doesn't even help if you go to the registerfly website, you only get registerfly information, ie the registerfly snail addy and telno. > The IP address theoretically belongs to me and my three partners. Not even close to correct. The IP address is under the block of liquidweb and that IP address is being used by perhaps a hundred other domains -- my information about that isn't complete or up-to-date. It is important to note that the rDNS is creston.dailydns.com -- which dailydns is also the nameservice and which dailydns registration is 'concealed' by privacyprotect at eNom registrar. >the only > "verification" I got was the people who get the actual report That would be liquidweb and whoever else they give their information to. > who > didn't bother to notify me until I contacted them for more > information and I'm inclined to believe them - but the process was > longer than I would have liked it to be and allowed the offender to > spew more trash across the 'net before I felt that I could be > legitimate in stopping them. I agree that it would be to your advantage to get information about reports that cause listing of your mail server. 
To get the information in the notify that liquidweb gets. > For some evidence to show that I lease such: This evidence isn't going to work to show that you lease such. > http://www.dnsreport.com/tools/dnsreport.ch?domain=kgiii.info > (My domain) The dns report shows a lot of useful information about the domainname, but nothing about you or your 'ownership' > http://www.dnsreport.com/tools/dnsreport.ch?domain=whathostingshould.be > (Our hosting company) Similar situation. The domainname registration is what should show something, and it is more difficult than usual to get any information for the 2 names we are discussing here -- altho' one of them I can use to find your personal information. > We don't GET the actual SPAM reports and yet we're the first line of > defense to be able to disable the offending account. It is true you don't get the reports -- but there is more to who is in control of the IP than you are understanding. If you can get liquid web to cause the rDNS to become something that resembles you instead of whatever is dailydns.com, things would be a lot better. I can't get anything but privacy protection information about dailydns. There are some elements of this issue that remind me of spammers or other illegal operations which are hiding behind privacy issues more than the average domainname registration. > We've best been > able to get to the status of, "Third party interested in..." There is > NO link to read the report, there is no link to verify that this is > actually someone whom we host, there's the entirety of the letter > above. Ah, so. Then you are /not/ going to be able to get what liquidweb gets. That is interesting. What do you know about dailydns which is the rDNS on the IP you claim is yours? The other IP which is yours, 69.16.211.63 - does rDNS to something useful for you, ns2.kgiii.info Maybe you should put everything you 'control' under that IP instead of .62 -- unless you can get liquidweb to change the rDNS for .62 for you. 
I'm going to snip away what came later, but you need to understand the SC notify process is based on the RIR based contact, in this case arin, and in this case liquidweb actually has its own whois, which SC does /not/ use, and that whois also doesn't say anything about kgiii or WHSB but instead it only mentions I:PROJECTPROJN & project.projnet.com & thecrazedking@aol.com The methodology which SC uses for its notifies doesn't bring up any address for you; and your name and snail address and gmail address don't turn up without some serious digging. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 17 08:07:00 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 17 11:10:03 2006 Subject: [SpamCop-List] Re: Well that didn't take long... References: Message-ID: Galen wrote: > Hey Mike, thanks again. Reply follows the email you sent. I didn't send an email. I only posted to the ng; reply to group, not reply to sender or reply to all > Yup, both belong (theoretically) to me - or at least I'm the only > authorized person to use them at this point in time and for at least > the next year though I can't imagine why I'd change it. If you root on > whathostingshould.be you'll find, at the bottom of the pages, that the > site's owned/operated by G? Solutions (which is me...) and so I guess > that makes me accountable for the trash that host with us when we > don't catch 'em in time. I know what the webpages say. What I described in the other post is what the registration information doesn't say, except at the website for one of the registrars. Because of the way the IP is under liquidweb, they are the provider SC notifies about that IP. And even tho' SC doesn't normally notify based on rDNS, what comes up on rDNS is dailydns. And what comes up on the domainnames for kgiii and WHSB also doesn't show you without going to a lot of trouble for one of them, and doesn't show you at all for the other, even if one goes to a lot of trouble. 
There is a lot of privacy going on in the registration. I don't think you are going to be getting any reports unless you can get liquidweb to give them to you, because liquidweb shows the IPs as belonging to the project.projnet.com entity which doesn't seem to have anything to do with you. Another problem is the offbeat domainnames of .be and .info -- which is full of cutesy and layers of privacy. Realize that when you are trying to run an operation and hide everything at the same time that some other entity is going to be getting the reports. There's no problem figuring out who liquidweb is and they are the arin registered owner of the netblock of your 2 IPs - and the one IP which is in trouble doesn't even rDNS to anything which is yours. And dailydns is some kind of secret privacy protected thing. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 17 08:40:55 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 17 11:45:03 2006 Subject: [SpamCop-List] Re: Well that didn't take long... References: Message-ID: Mike Easter wrote: > The domainname whathostingshould.be also has that IP for its MX & > presumably outgoing and your name and address do show up at the > registrar for the .be domain at dns.be -- but only if you go to the > dns.be site, not if you query the whois.afilias.info server. For that one, I meant to say not if you query the whois.dns.be server. The whois.afilias.info server is queried for kgiii.info and doesn't give anything, nor does the afilias or eNom or even the registerfly sites give anything about kgiii.info. It is shielded with registerfly -- sorta like dailydns is shielded by Whois Privacy Protection Service Only the website for dns.be gives some 'real' information about WHSB. 
-- Mike Easter kibitzer, not SC admin From tmcgraw at spamcop.net Fri Mar 17 09:25:03 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Fri Mar 17 12:25:04 2006 Subject: [SpamCop-List] Listserv behavior Message-ID: I have been talking offline to a list manager who is one of many list managers for psu.edu where there are about 2000 lists. Their list server IP is listed on spamcop: > 128.118.141.59 listed in bl.spamcop.net (127.0.0.2) > > If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 20 hours. > Causes of listing > > * System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop) > > Additional potential problems > (these factors do not directly result in spamcop listing) > > * System administrator has already delisted this system once > > Because of the above problems, express-delisting is not available > Listing History > In the past 402.2 days, it has been listed 22 times for a total of 28.9 days This list manager showed me log entries where outbound posts on his list had been refused because the "sending" system was on spamcop. However, as a spamcop user these posts aren't blocked for me - but the "original" sending system (the poster's IP#) is if that system is blocked. My questions are these: - Are clueless system admins improperly using the scbl? Why is an IP at the end of the chain being blocked rather than the source/poster's IP#? - Could there be some "compromised" spamtraps out there being abused by a third party? From tmcgraw at spamcop.net Fri Mar 17 09:50:44 2006 From: tmcgraw at spamcop.net (Tim McGraw) Date: Fri Mar 17 12:55:03 2006 Subject: [SpamCop-List] Re: Listserv behavior In-Reply-To: References: Message-ID: Tim McGraw wrote: > > Why is an IP at the end of the chain being blocked rather than the source/poster's IP#? 
After thinking about this - that's clearly because that's the server trying to "hand off" the message to the receiving system. Duh. From jeffg at spamcop.net Fri Mar 17 16:11:38 2006 From: jeffg at spamcop.net (Jeff G.) Date: Fri Mar 17 16:15:04 2006 Subject: [SpamCop-List] Re: Well that didn't take long... References: Message-ID: Galen wrote: > In news:dvdglb$prv$1@news.spamcop.net, > Jeff G. had this to say: >> Report History for 69.16.211.62 follows: >> >> Submitted: Thursday 2006/03/16 20:01:59 -0500: > Thank you! I think? Where did you GET that information??? I've > pressed EVERY single button and played with EVERY single option!?! I > could NOT get that report at all. To get that information (Report History), you may do the following: 1. Log out of your SpamCop ISP Account or use a different browser or computer. 2. Sign up for a Free SpamCop Reporting Account at http://www.spamcop.net/anonsignup.shtml using a different email address than the one used by your SpamCop ISP Account. 3. Log in to your Free SpamCop Reporting Account. 4. Invest a minimum of US$2 at http://www.spamcop.net/mcgi?action=paymenu to convert to a Paid SpamCop Reporting Account. 5. Browse directly to http://www.spamcop.net/mcgi?action=showhistory;slice=issueid;val=88724547 (or if you don't like cookies http://members.spamcop.net/mcgi?action=showhistory;slice=issueid;val=88724547 ) . SpamCop Email System Customers who don't like cookies may browse to http://mailsc.spamcop.net/mcgi?action=showhistory;slice=issueid;val=88724547 . 6. Other readers may click on the "[ report history ]" Link on http://www.spamcop.net/sc?track=69.16.211.62 , http://members.spamcop.net/sc?track=69.16.211.62 , or http://mailsc.spamcop.net/sc?track=69.16.211.62 , as appropriate, to get to one of the URLs shown in Step 5 above. I consolidated the above information from my post http://forum.spamcop.net/forums/index.php?showtopic=6038&st=30&p=41049&#entry41049 and some following posts. -- Best Regards, Jeff G. 
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585 From nobody at spamcop.net Fri Mar 17 16:28:49 2006 From: nobody at spamcop.net (indigo) Date: Fri Mar 17 16:30:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: Anonymous wrote: > > You are confusing spamtraps with spam sources. I don't believe I am....... > Spamtraps are hard to > find and identify, but spamtraps are not put on any "dirty lists." If a spamtrap isn't put on a list it will never get any email..... From nobody at devnull.spamcop.net Fri Mar 17 14:40:26 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Fri Mar 17 17:50:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: indigo wrote... > > Anonymous wrote: >> >> You are confusing spamtraps with spam sources. > > I don't believe I am....... Looking back on my post, I realized that it was I who was confused. Sorry about that. From nobody at devnull.spamcop.net Fri Mar 17 14:50:43 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Fri Mar 17 17:55:03 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? References: Message-ID: indigo wrote... > > Anonymous wrote: >> >> That would not work. If you can find spamcop spamtrap addresses by >> scraping the spamcop website, then the people in charge of hiding >> the spamcop spamtraps are idiots for hiding them in such an obvious >> place. Also, if you can find spamcop spamtrap addresses by >> scraping the spamcop website, so can spamcop's enemies, and yet >> we have not seen any of them manage to pull off the abuse described >> above. > > Sounds like a catch-22 to me....if they're so hard to find (impossible > even), how can they manage to get onto a dirty list? As I have explained several times, they are easy to find if you don't mind finding thousands of non-spamtrap addresses along with the few spamtrap addresses. 
Which is what spammers do. Which is why spamtraps get spam. And it is also how spamtraps get on the lists that spammers sell to each other. The key point -- which for some reason is being ignored here -- is that after you have gathered all of those email addresses you have no way of telling which ones are spamtraps. You have no way of collecting only spamtrap email addresses, which means that you cannot forge-subscribe the spamtraps to mailing lists -- because you don't know which ones to use. You have no way of collecting only non-spamtrap email addresses which means that you cannot send spam only to email addresses that won't report you to Spamcop. You could try forge-subscribing all of the email addresses on your list, but no mailing list is going to accept hundreds of thousands of subscriptions all at once and all from the same IP address. From edb2000 at spamcop.net Fri Mar 17 15:05:35 2006 From: edb2000 at spamcop.net (Don Wannit) Date: Fri Mar 17 18:10:02 2006 Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam? In-Reply-To: References: Message-ID: Anonymous wrote: > The key point -- which for some reason is being ignored here -- is that > after you have gathered all of those email addresses you have no way of > telling which ones are spamtraps. No, the key point is that the goal need not be gathering all the email addresses you possibly can. The goal could be trying to use the one address you found that looks a mite suspicious, and using it. If it's live, bingo, you just caused trouble for someone. If it's dead, no big deal. You might have found the single address by looking at places which are readily accessible (else harvesters would not find the addresses) but which are not, by default, displayed in a user's browser window. No doubt there are "billions and billions" of addresses that you missed. Doesn't matter if you are only looking for one, any one, doesn't matter which one you use. 
Meta: This discussion has been dominated by misunderstandings and hasty, careless reading. -- Don Wannit "In theory, theory and practice are the same. In practice, they rarely are." From g.hyde at bigpond.net.au Sat Mar 18 11:04:31 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Mar 17 20:05:03 2006 Subject: [SpamCop-List] Re: Well that didn't take long... References: Message-ID: "Galen" wrote in message news:dvdjgu$rfi$1@news.spamcop.net... > In news:dvd8u0$lqf$1@news.spamcop.net, > Geoffrey Hyde had this to say: > >> So far, you've been talking about theoretical blocked spam emails, >> how about offering up some proof of reports that people can analyze? > > I'm not sure I follow (or maybe you're missing something) here... These > are quite legit complaints and the IP should have been blocked and put on > the blacklist. That was the correct thing to do by SC. I don't think that > I need to prove that when you can see the IP address in the block list > already? But here's an effort to do so with the evidence that I have. After reading Mike Easter's response to your response to me, I can say that's what was worrying me. Was your information properly set up so that it all came back to you, as it should do? If it doesn't and I happened to receive a future spam email purporting to be from your domain, and went off notifying "cluelessly", that incorrect information might cause problems. I don't normally investigate spam emails, unless there is something not right about the information that SC feeds me in its reports. If you are to make sure I understand what your IP getting listed will mean, as far as action taken on a spam email, then you must make sure that the contact info comes back to you. I could, theoretically, accidentally report a spam email that was forged as coming from you - except for the fact that I've currently got a free SC account, which means that reporting will go to whatever SC determines is source IP. 
I do trust SC's information, however, if your domain registration information isn't right, that may cause problems should I not have time to properly investigate the spam emails. That is one reason I drop the weirder suspect reporting links here for further analysis.

Hope you can help a lot further by getting that information straightened out.

Cheers ...

Geoffrey Hyde

From porpoise1954 at yahoo.co.uk Sat Mar 18 13:31:32 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sat Mar 18 08:35:02 2006
Subject: [SpamCop-List] From: "[%from_name%]" <[%from_email%]> To: <[%to%]>
Message-ID:

http://www.spamcop.net/sc?id=z899597303ze7bd4eb0277eea29e1e696f9f5a291d8z

Spammy forgotten to fill the variables??

From nospam at nospam.org Sat Mar 18 14:51:17 2006
From: nospam at nospam.org (Ejo)
Date: Sat Mar 18 08:55:03 2006
Subject: [SpamCop-List] Re: From: "[%from_name%]" <[%from_email%]> To: <[%to%]>
In-Reply-To:
References:
Message-ID:

Porpoise wrote:
> http://www.spamcop.net/sc?id=z899597303ze7bd4eb0277eea29e1e696f9f5a291d8z
>
> Spammy forgotten to fill the variables??

Yep, you see it all the time, buggy s/w to mail spam.

From n4jwyfo02 at sneakemail.com Sat Mar 18 23:40:41 2006
From: n4jwyfo02 at sneakemail.com (Aviatrix)
Date: Sat Mar 18 18:45:04 2006
Subject: [SpamCop-List] Re: From: "[%from_name%]" <[%from_email%]> To: <[%to%]>
In-Reply-To:
References:
Message-ID:

Porpoise wrote:
> http://www.spamcop.net/sc?id=z899597303ze7bd4eb0277eea29e1e696f9f5a291d8z
>
> Spammy forgotten to fill the variables??

You get the same with subject lines some time...

Subject: [message subject]

From nobody at devnull.spamcop.net Sat Mar 18 20:07:57 2006
From: nobody at devnull.spamcop.net (nobody@devnull.spamcop.net)
Date: Sat Mar 18 23:10:03 2006
Subject: [SpamCop-List] what can people tell me about LeadClick?
Message-ID:

I'm researching an article on LeadClick. I'm looking for information, insider gossip, etc.

From gordon at usenet2.hostroute.co.uk Sun Mar 19 13:12:30 2006
From: gordon at usenet2.hostroute.co.uk (Gordon Hudson)
Date: Sun Mar 19 08:15:02 2006
Subject: [SpamCop-List] Re: Domainsbyproxy
References:
Message-ID:

"Anonymous" wrote in message news:duscmj$r0v$1@news.spamcop.net...
>
> "Gordon Hudson" wrote in message
> news:duq1pe$ece$1@news.spamcop.net...
>
>> I refuse point blank to provide a domain "privacy service".
>> Most of the customers who ask for this service are up to something in my
>> experience.
>
> Gotta make sure that abused women with restraining orders against
> stalkers can't have their own web pages...
>
> Better put a stop to unpopular political websites as well!
>

They can get a PO box if they don't want their address listed.
But they MUST have legal ownership by being the legal registrant.

I feel so strongly about this I am personally losing hundreds of thousands of dollars a year in potential revenue (100% profit).

From dws at dealing-with-spam.info Sun Mar 19 17:25:35 2006
From: dws at dealing-with-spam.info (D-W-S)
Date: Sun Mar 19 11:30:17 2006
Subject: [SpamCop-List] Re: Virus encrypts documents, demands ransom
References:
Message-ID:

Technomage Hawke wrote on Sun, 19 Mar 2006 09:23:40 -0700:
> heh.
> had one of those pop up on a room mates box. I had it broken and decrypted
> in 2 minutes (if the author of that bug was smart, he would have used AES,
> not RC-4)

Rule #3 in action? :)

From porpoise1954 at yahoo.co.uk Sun Mar 19 18:19:22 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Mar 19 13:20:13 2006
Subject: [SpamCop-List] Re: Domainsbyproxy
References:
Message-ID:

"Gordon Hudson" wrote in message news:dvjlc1$56o$1@news.spamcop.net...
>
>
> They can get a PO box if they don't want their address listed.
> But they MUST have legal ownership by being the legal registrant.
>
> I feel so strongly about this I am personally losing hundreds of thousands
> of dollars a year in potential revenue (100% profit).

Just as well there are no stalkers or anything where you are. Unlike in Europe, where the privacy laws prohibit displaying people's personal details to the general public. If the legal authorities need to know any personal data about a registree (address and phone number for example), they can just go and get a court order to make the Registrar disclose it to them [still no need for Tom, Dick, Uncle Tom Cobbly and all to know].

From porpoise1954 at yahoo.co.uk Sun Mar 19 18:40:46 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Sun Mar 19 13:45:03 2006
Subject: [SpamCop-List] Anyone want to join the spammers??????
Message-ID:

http://www.spamcop.net/sc?id=z900963980zb0e176df8853fdfd98a49f5608162fddz

From jg at coks.net Sun Mar 19 14:15:58 2006
From: jg at coks.net (jg)
Date: Sun Mar 19 17:15:03 2006
Subject: [SpamCop-List] Re: Anyone want to join the spammers??????
In-Reply-To:
References:
Message-ID:

On 3/19/2006 10:40 AM Porpoise scribbled:
> http://www.spamcop.net/sc?id=z900963980zb0e176df8853fdfd98a49f5608162fddz
>

not now, thanks - maybe later...

From dannyg at dannyg.com Sun Mar 19 14:52:12 2006
From: dannyg at dannyg.com (Danny Goodman)
Date: Sun Mar 19 17:52:17 2006
Subject: [SpamCop-List] Re: From: "[%from_name%]" <[%from_email%]> To: <[%to%]>
In-Reply-To: <200603192215.k2JMFLEl054034@dannyg.com>
Message-ID:

> Spammy forgotten to fill the variables??

They'll do entire sets of headers:

Danny
http://www.dannyg.com
http://www.spamwars.com

From nobody at devnull.spamcop.net Sun Mar 19 18:54:38 2006
From: nobody at devnull.spamcop.net (POP)
Date: Sun Mar 19 18:55:02 2006
Subject: [SpamCop-List] Re: Anyone want to join the spammers??????
References:
Message-ID:

"Porpoise" wrote in message news:dvk8kd$i8h$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z900963980zb0e176df8853fdfd98a49f5608162fddz
>

Hmm, got a deal fer ya:

For a one-up, I'm afraid I have to charge almost double what that one's charging, but ...
IFF you want to get together with a few friends and buy any 5 or more of the same list, I'll sell each one for only HALF of what he's asking! Higher quantity, higher discounts! MO or cashier's checks only, no personal checks. Cash also acceptable and in fact preferred.

Dont' hesitate; act now! You'll have feelings about having done it! Since these are specially customized for quantity, please allow extra time for delievery: approximately twice what it would normally take. I guarantee these lists WILL be indentical to the ones you've seen! Promise!

Don't forget, these are the best prices you'll ever see! If you find them anywhere else cheaper, please notify me, prove it, and I'll give you ANOTHER 5% off on one each of each set of lists! Act now! This is a limitid thyme offur!

Send 50% down payment to:
Deals for Heels,
Sunset City,
Needit, Confusion 26969-0369
ATT: Head

From g.hyde at bigpond.net.au Mon Mar 20 10:13:42 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Sun Mar 19 19:15:02 2006
Subject: [SpamCop-List] Re: Listserv behavior
References: <1ucr12lbuceot1rfggidvk6jd9d0n0dd12@4ax.com>
Message-ID:

"SpamCop Admin" wrote in message news:1ucr12lbuceot1rfggidvk6jd9d0n0dd12@4ax.com...
> Tim McGraw wrote:
> Some of the lists are responding to spam. Since about a zillion of
> our spamtrap addresses are on spammer mailing lists, it's inevitable
> that some of the responses will come to our traps and cause the server
> to be listed.
>
> Once a list's subscription and posting addresses get on spammer
> mailing lists, there is going to be trouble forever if the list
> doesn't change its behaviour.
>
> Maybe only web subscriptions from now on, posting rejections go to the
> list owner instead of the sender, etc.

How clueless do they have to be before you ring up their real-life physically-located server host space and tell them what they need to do in order to get off of SC's lists?

Do you feel that it would be advantageous in any way to gather up all of these listserv admins in a venue or venues and host training seminars that explain how to properly manage mailing lists and remove spam email addresses?

Cheers ...

Geoffrey Hyde

From nobody at devnull.spamcop.net Mon Mar 20 11:04:07 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Sun Mar 19 21:05:12 2006
Subject: [SpamCop-List] At least one User Defined Recipient refuses munged reports.
Message-ID:

http://www.spamcop.net/sc?id=z901245408z6f68d4704d14dadb4a0e79b1317d234dz

Just another scam with an email address; I usually analyze the email address and send a user-copied report to whoever is responsible for that addy. Now this time 'job@miratek-invest.com' [66.246.218.135] the report should be sent to 'abuse@nac.net', but it appears they refuse munged reports. No problem with me, but how do I make SC send an unmunged report? The only option I have is to uncheck abuse#nac.net@devnull.spamcop.net

From scamper at trisk.com Sun Mar 19 19:08:53 2006
From: scamper at trisk.com (Garen Erdoisa)
Date: Sun Mar 19 21:10:07 2006
Subject: [SpamCop-List] Re: At least one User Defined Recipient refuses munged reports.
In-Reply-To:
References:
Message-ID:

Patto wrote:
> http://www.spamcop.net/sc?id=z901245408z6f68d4704d14dadb4a0e79b1317d234dz
>
> Just another scam with an email address; I usually analyze the email
> address and send a user-copied report to whoever is responsible for that
> addy. Now this time 'job@miratek-invest.com' [66.246.218.135] the
> report should be sent to 'abuse@nac.net', but it appears they refuse
> munged reports. No problem with me, but how do I make SC send an
> unmunged report? The only option I have is to uncheck
> abuse#nac.net@devnull.spamcop.net

It's a setting in your preferences.

Go to preferences, report handling options, then scroll down to "spam munging" and change the preference.

From bill_beyer at excite.cXoYmZ Sun Mar 19 18:54:52 2006
From: bill_beyer at excite.cXoYmZ (Bill Beyer)
Date: Sun Mar 19 21:55:03 2006
Subject: [SpamCop-List] Re: Another one of those software spams.
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:dve3o8$4dm$1@news.spamcop.net...
> http://www.spamcop.net/sc?id=z899358375zde5d7d3a1a987acc4d7c16ab004ebfe2z
>
> I was wondering why they are using names like "Repetitive B. Spreader" in
> the name field. Are they trying to say they're a bot, or are they running
> out of names they can actually use?
>
> Is this some kind of virus/trojan/worm effect? (IE an infected computer?)
> If so, is there a decodable source IP I might be able to notify manually
> about it?
>
> I think I'll go look into SpamHaus or other similar blocklists tomorrow, I'm
> a bit tired now, been doing a lot of things.
>
>
> Cheers ...
>
> Geoffrey Hyde

I believe this is just this particular spammer's "signature" or MO for lack of a better term. He/they've been around for a long time doing porn spams morphing regular words into proper names in the From field then they disappeared for awhile and now they're back. I've been getting a few of them lately with names like Sear U. Miss and Possibly K. Secret.

From abuse at whathostingshould.be Sun Mar 19 22:40:43 2006
From: abuse at whathostingshould.be (Galen)
Date: Sun Mar 19 22:45:10 2006
Subject: [SpamCop-List] Re: Well that didn't take long...
References:
Message-ID:

In news:dvf8nc$pup$1@news.spamcop.net,
Jeff G. had this to say:

> I consolidated the above information from my post
> http://forum.spamcop.net/forums/index.php?showtopic=6038&st=30&p=41049&#entry41049
> and some following posts.

Thank you much. I've got to wait next... I'm in the process of getting the abuse addresses changed to me and it seems that needs to wait until Monday at the earliest. I figured that was the best way to go as well as going ahead and updating the account at SpamCop.

I sent the abuser a bill for $1250 USD for clean-up and for the time. I don't think they'll pay me but it sure felt nice to send it.

Galen
--
http://www.whathostingshould.be - We are what hosting SHOULD be.

From nobody at devnull.spamcop.net Mon Mar 20 12:41:04 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Sun Mar 19 22:45:23 2006
Subject: [SpamCop-List] Reporting phishing sites to Yahoo!
Message-ID:

Yahoo! has now an easier way to report phishing sites on their network

http://add.yahoo.com/fast/help/us/domains/cgi_phishing

I know the easiest (for us) would be if they'd just read SC reports, but since they seem incapable of doing that, above website reporting is still better than nothing.

From vxpy7do02 at sneakemail.com Sun Mar 19 19:51:49 2006
From: vxpy7do02 at sneakemail.com (anon)
Date: Sun Mar 19 22:55:10 2006
Subject: [SpamCop-List] Re: At least one User Defined Recipient refuses munged reports.
References:
Message-ID:

"Garen Erdoisa" wrote in message news:dvl2rn$16d$2@news.spamcop.net...
> Patto wrote:
>> http://www.spamcop.net/sc?id=z901245408z6f68d4704d14dadb4a0e79b1317d234dz
>>
>> Just another scam with an email address; I usually analyze the email
>> address and send a user-copied report to whoever is responsible for that
>> addy. Now this time 'job@miratek-invest.com' [66.246.218.135] the report
>> should be sent to 'abuse@nac.net', but it appears they refuse munged
>> reports. No problem with me, but how do I make SC send an unmunged
>> report? The only option I have is to uncheck
>> abuse#nac.net@devnull.spamcop.net
>

*** Actually, the devnull means that no report of any kind is sent to nac. If you leave the devnull checked, your 'report' adds to the SCbl count, even if SC does not send out a report.
-- A SpamCop user and forum reader, Not Admin ***

> It's a setting in your preferences.
>
> Go to preferences, report handling options, then scroll down to "spam
> munging" and change the preference.
>

From nobody at devnull.spamcop.net Mon Mar 20 13:25:23 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Sun Mar 19 23:30:03 2006
Subject: [SpamCop-List] Re: At least one User Defined Recipient refuses munged reports.
In-Reply-To:
References:
Message-ID:

Garen Erdoisa wrote:
> Patto wrote:
>> http://www.spamcop.net/sc?id=z901245408z6f68d4704d14dadb4a0e79b1317d234dz
>>
>> Just another scam with an email address; I usually analyze the email
>> address and send a user-copied report to whoever is responsible for that
>> addy. Now this time 'job@miratek-invest.com' [66.246.218.135] the
>> report should be sent to 'abuse@nac.net', but it appears they refuse
>> munged reports. No problem with me, but how do I make SC send an
>> unmunged report? The only option I have is to uncheck
>> abuse#nac.net@devnull.spamcop.net
>
> It's a setting in your preferences.
>
> Go to preferences, report handling options, then scroll down to "spam
> munging" and change the preference.

Thanks! I've changed my preferences to leave spam messages unchanged, then reported the same message again. Now SC says "abuse@nac.net does not wish to receive user-copied reports."

OK, I give up...

From MikeE at ster.invalid Sun Mar 19 20:50:46 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Sun Mar 19 23:55:02 2006
Subject: [SpamCop-List] Re: At least one User Defined Recipient refuses munged reports.
References:
Message-ID:

Patto wrote:
> /sc?id=z901245408z6f68d4704d14dadb4a0e79b1317d234dz
>
> Just another scam with an email address; I usually analyze the email
> address and send a user-copied report to whoever is responsible for
> that addy. Now this time 'job@miratek-invest.com' [66.246.218.135]
> the report should be sent to 'abuse@nac.net', but it appears they
> refuse munged reports. No problem with me, but how do I make SC send
> an unmunged report?
> The only option I have is to uncheck
> abuse#nac.net@devnull.spamcop.net

The notify for job@miratek-invest.com spamvertised isn't so clearcut or rather simple.

SC currently sez abuse@nac.net based on the MX for miratek-invest.com which is mail.identbox.com which is 66.246.218.135 which is

OrgName: Net Access Corporation
NetRange: 66.246.0.0 - 66.246.255.255
OrgAbuseEmail: abuse@nac.net

and which MX rDNSes 343054.ds.nac.net and I agree that that is about as good as the notify is going to get.

But... miratek-invest.com itself has several A records none of which have anything to do with NAC and/but it gets its nameservice from identbox nameservers, which nameservice IPs also are neither under NAC.

If you look up the domainname registration for miratek-invest.com and the nameservers and MX identbox you find identbox doing its own nameservice, so that is as far back as that goes and the registration for the two is different, but they are by the same registrar. They also look like 'legitimate' registration information, but it looks to me like legitimately bogus, that is bogus looking legitimate -- as opposed to those domainname registrations which /look/ purely bogus.

Now, about those nameservers, which reminds me of something I saw in nanae today re proxified nameservers.

67.185.237.6 rDNS c-67-185-237-6.hsd1.in.comcast.net
72.240.196.214 rDNS cblmdm72-240-196-214.buckeyecom.net

Those look like user IPs - perhaps proxified. Why does that domainname, which doesn't appear to have a website, need multiple addresses and proxified nameservers? Very puzzling.

The first one has an old dsbl listing for testing positive for port 5747 socks4 and is a sorbs dynamic, and is also spamhaused for being a spam associated nameserver, the second one only has the described spamhaus condition.

Funky little situation.

--
Mike Easter
kibitzer, not SC admin

From g.hyde at bigpond.net.au Mon Mar 20 18:16:59 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Mon Mar 20 03:20:03 2006
Subject: [SpamCop-List] Funny account phishing scam.
Message-ID:

http://www.spamcop.net/sc?id=z901466785z5017f3e91c1e767a33fbc9686c86ddd4z

It would appear that they're trying to "phish" for my account details. Unfortunately, it will be quite some time, if not forever, before Telstra operates its customer service handling out of saix.net - I really do wish these scammers would get a life.

Cheers ...

Geoffrey Hyde

From sauron at wizardscorner.com Mon Mar 20 08:45:04 2006
From: sauron at wizardscorner.com (sauron)
Date: Mon Mar 20 09:50:03 2006
Subject: [SpamCop-List] Spoofing
Message-ID:

I believe I am now the victim of spoofing. I am getting email and failure notices apparently from my mail server. And someone(s) are attempting to log into my server using various login names etc. My server supports pop3 and web based email. I enabled the spam filter on the server, created a folder spam. All mail not on whitelist goes into the spam folder, which I check via web mail. I have tried to copy/paste email into spamcop, it appears that spamcop form don't like that - reports missing elements. Any ideas??

From MikeE at ster.invalid Mon Mar 20 07:26:24 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Mar 20 10:30:03 2006
Subject: [SpamCop-List] Re: Spoofing
References:
Message-ID:

sauron wrote:
> I believe I am now the victim of spoofing.

Spoofing means a lot of things. In the world of spam for the typical user, the usual occurrence is simply a condition of having one's own addy appear as the forged From. Then, some server recipients accept the forged From mail for delivery and then fail to deliver. Then those servers create a newmail addressed to the spam's forged From.

> I am getting email and
> failure notices apparently from my mail server.

In the example above, the email failure notices would be coming from another server. The only kind of failure notices with your own 'personal' address in the From which you should see from your own server are those which result from the mail you address and send which fails with a rejection of the attempt of your own server to complete the transaction for your mailed item.

If you are controlling your own server and seeing all of the mail which has any bogus Froms with your domainname, then you are going to see a lot more as a result of a spamrun which has your domainname attached to myriad usernames in the From, not just your personal one.

> And someone(s) are
> attempting to log into my server using various login names etc.

If you have a server and it is facing the internet, people are going to try to breach its security. The business of attempts to breach a server's security are a separate problem from these mail and failure notices you are talking about. In the beginning, we should keep that as a separate subject.

> My
> server supports pop3 and web based email. I enabled the spam filter
> on the server, created a folder spam. All mail not on whitelist goes
> into the spam folder, which I check via web mail. I have tried to
> copy/paste email into spamcop, it appears that spamcop form don't
> like that - reports missing elements.

If you can't make the webparser work to submit a spam so that you can show us a tracker, then the next step is to paste it into a message in the newsgroup spamcop.spam. We are interested in seeing the complete headers of course and whatever body is attached.

I see a website at http://www.slappys.net/ and I see that the primary mx for that domainname isn't blocklisted anywhere, and I tried a simple abuse.net script on the server at 66.210.14.250 which answers

220 mgmail.webcac.com ModusMail ESMTP Receiver Version 4.2.425.16 Ready

and that relay test was negative.

I didn't do any other security related probing or testing of that IP or the webserver for the page.

--
Mike Easter
kibitzer, not SC admin

From joegill at removethis Mon Mar 20 10:55:57 2006
From: joegill at removethis (Joe Gill)
Date: Mon Mar 20 11:00:03 2006
Subject: [SpamCop-List] A first! Spammed me @spamcop and spammed deputies too
Message-ID:

For the first time ever, (been a subscriber for a couple years), I was spammed @ my spamcop address. (Maybe I was before, but this one was blatant, my address was in the 'to;')

It's weird because my spamcop address is only for reporting....I pull my mail from outside addresses to spamcop.

What's really dumb about this one is:
- All 9 addresses were @spamcop.net addresses!
- They also spammed deputies@spamcop.net

http://www.spamcop.net/sc?id=z901779543za796c244e80981389d52c942d9cce79fz

From nobody at devnull.spamcop.net Fri Mar 17 17:45:06 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Mon Mar 20 11:25:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Don Wannit wrote...

> No, the key point is that the goal need not be gathering all the
> email addresses you possibly can. The goal could be trying to use
> the one address you found that looks a mite suspicious, and using
> it. If it's live, bingo, you just caused trouble for someone.
> If it's dead, no big deal.

Assuming that "no big deal" includes "no longer being able to forge-subscribe any email addresses to the mailing list."

Unless the spamtrap-hider isn't an idiot, the chances of any one of those addresses you found "that look a mite suspicious" being spamcop spamtraps is so small that you will have to try to use thousands and thousands of the dead ones before chancing upon a live one.
Long before that happens the mailing list will stop accepting your attempts, and long before *that* happens you will get tired of spending 80 hours per week looking for spamcop spamtrap email addresses and trying them to see if they are "live."

The proof of this is the fact that no spamcop enemy has been able to do what you claim to be able to do with no problem. Do you really think that you are many orders of magnitude better at finding email addresses with a high probability of being spamtraps than they are? Or are you under the impression that they have decided not to try this particular attack because they suddenly became nice people? How do you explain nobody doing the thing that you claim is easy to do?

From MikeE at ster.invalid Mon Mar 20 08:32:23 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Mar 20 11:35:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Anonymous wrote:

Date: Fri, 17 Mar 2006 17:45:06 -0800
NNTP-Posting-Date: Mon, 20 Mar 2006 16:21:18 +0000 (UTC)

Tweet! Tweet! Tweet!

Excuse me, I'm the volunteer courtesy clock policeman and we have a serious violation here.

Either your clock is way outawhack, or there was some severe disturbance in the timing between the writing of your message and its arrival at news.spamcop.net.

63:81 minus 25:45 = 38:36 -- as in hh:mm

--
Mike Easter
kibitzer, not SC admin

From garyong at kimeng.com Tue Mar 21 01:00:42 2006
From: garyong at kimeng.com (garyong@kimeng.com)
Date: Mon Mar 20 11:59:00 2006
Subject: [SpamCop-List] GARY ONG POH CHUAN is out of the office.
Message-ID:

I will be out of the office starting 03/20/2006 and will not return until 04/03/2006.

I will respond to your message when I return, from my National Call-up.

From blacklist-me at davjam.org Mon Mar 20 17:59:16 2006
From: blacklist-me at davjam.org (David Bolt)
Date: Mon Mar 20 13:35:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

On Mon, 20 Mar 2006, Mike Easter wrote:-

>Anonymous wrote:
>
>Date: Fri, 17 Mar 2006 17:45:06 -0800
>NNTP-Posting-Date: Mon, 20 Mar 2006 16:21:18 +0000 (UTC)
>
>
>Tweet! Tweet! Tweet!
>
>Excuse me, I'm the volunteer courtesy clock policeman and we have a
>serious violation here.
>
>Either your clock is way outawhack, or there was some severe disturbance
>in the timing between the writing of your message and its arrival at
>news.spamcop.net.

There's the very distinct possibility, given the times involved, that the message was composed off-line just before leaving work, late Friday afternoon, and it wasn't actually sent until the next time news fetch was performed, which would be early Monday morning.

The thing to note is that not everyone uses an online newsreader. The one I use downloads new articles, I compose replies to those I wish to reply to, and the replies are batch uploaded the next time I check for new articles. In theory, this could be anywhere up to an hour after I finish composing the reply, but is more often considerably less than an hour.

The reason for the up-to one hour delay is that I use fetchnews/leafnode to collect news from multiple news servers and it does a news upload and fetch every 30 minutes. My newsreader is also configured to fetch and upload news every 30 minutes but, as it's running on a separate machine, is not synchronised with fetchnews. This means that if I post an article just after my newsreader had just completed a fetch, the article won't be posted for another 30 minutes. If, when my newsreader uploads my posts, fetchnews has just completed its own fetch and upload, the article would have to wait up to another 30 minutes before being sent to SpamCop.

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 50 Mnodes/s: http://www.distributed.net/
AMD1800 1Gb WinXP/SUSE 9.3 | AMD2400 256Mb SuSE 9.0 | A3010 4Mb RISCOS 3.11
AMD2400(32) 768Mb SUSE 10.0 | RPC600 129Mb RISCOS 3.6 | Falcon 14Mb TOS 4.02
AMD2600(64) 512Mb SUSE 10.0 | A4000 4Mb RISCOS 3.11 | STE 4Mb TOS 1.62

From usenet2 at DE.LETE.THISljvideo.com Mon Mar 20 18:44:19 2006
From: usenet2 at DE.LETE.THISljvideo.com (Larry J.)
Date: Mon Mar 20 13:45:03 2006
Subject: [SpamCop-List] Re: GARY ONG POH CHUAN is out of the office.
References:
Message-ID:

Waiving the right to remain silent, garyong@kimeng.com said:

> I will be out of the office starting 03/20/2006 and will not
> return until 04/03/2006.
>
> I will respond to your message when I return, from my National
> Call-up.

Isn't that special...

--
Larry J. - Remove spamtrap in ALLCAPS to e-mail
"I've come here to enjoy nature. Don't talk to me about the environment!" - 'Denny Crane'

From MikeE at ster.invalid Mon Mar 20 11:06:19 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Mar 20 14:10:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

David Bolt wrote:
> Mike Easter
>> Anonymous wrote:
>>
>> Date: Fri, 17 Mar 2006 17:45:06 -0800
>> NNTP-Posting-Date: Mon, 20 Mar 2006 16:21:18 +0000 (UTC)

>> or there was some severe
>> disturbance in the timing between the writing of your message and
>> its arrival at news.spamcop.net.
>
> There's the very distinct possibility, given the times involved, that
> the message was composed off-line just before leaving work, late
> Friday afternoon, and it wasn't actually sent until the next time
> news fetch was performed, which would be early Monday morning.

That is certainly a very plausible theory, and would count as a severe disturbance between the writing and the nntp arrival.

> The thing to note is that not everyone uses an online newsreader.

I understand the concept.
It is entirely possible that in this case the nntp posting host is a business IP with the scenario you described.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Mon Mar 20 11:31:44 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Mon Mar 20 14:35:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Mike Easter wrote...
> David Bolt wrote:
>
>> There's the very distinct possibility, given the times involved, that
>> the message was composed off-line just before leaving work, late
>> Friday afternoon, and it wasn't actually sent until the next time
>> news fetch was performed, which would be early Monday morning.
>
> That is certainly a very plausible theory, and would count as a severe
> disturbance between the writing and the nntp arrival.
>
>> The thing to note is that not everyone uses an online newsreader.
>
> I understand the concept. It is entirely possible that in this case the
> nntp posting host is a business IP with the scenario you described.

And indeed that is what happened. At home I am a Linux user, but at my current employer I am using Windows, so I thought I would give Outlook express a try. Looking at the options I had "send and receive messages at startup" checked and "send messages immediately" unchecked. Given the fact that I am on a T1 and read spamcop newsgroups while burning EPROMS or waiting for a compile to finish, there is no need to batch my message posting. Thanks for pointing it out.

G.M.

From nobody at devnull.spamcop.net Mon Mar 20 11:37:00 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Mon Mar 20 14:40:02 2006
Subject: [SpamCop-List] Re: GARY ONG POH CHUAN is out of the office.
References:
Message-ID:

wrote in message news:mailman.25.1142873942.16519.spamcop-list@news.spamcop.net...
>I will be out of the office starting 03/20/2006 and will not return until
> > I will respond to your message when I return, from my National Call-up. Drat! As soon as I read the above I broke into Gary's office to steal some things, and all the good stuff - computer, red swingline, even the chair - was gone already! One of you guys beat me to it!! Oh well, at least I snagged a slightly used steelcase cubicle and a nice chair mat... :) From eddie at eddie.web Mon Mar 20 15:35:05 2006 From: eddie at eddie.web (eddie) Date: Mon Mar 20 15:40:03 2006 Subject: [SpamCop-List] What's with SC being unable to resolve geocities spam sites? Message-ID: When submitting spam directly from the SC mail to the reporting site, the geocities sites such as http://es.geocities.com/estebanAioIDyKr4/ show up in the report but take advantage of the well-know SC but that they do not show up with a reportatble ISP, which, in all cases is network-abuse@cc.yahoo-inc.com The typical address of the yahoo.com varies from country to country, but is always of the form http://xx.geocities.com/blah blah blah Is yahoo.com supporting these drug, money laundry sites or just stupid? Yes, if you put the offending website directly into the SC window, you will get the reporting address, but if you, like me, use the SC automatic reporting, transferring the spam from the SC mail site to the reporting site, you never get the yahoo address, which is an old bug, many year old, that has never been fixed. You get the typical SC blather: Finding links in message body Parsing text part Resolving link obfuscation http://es.geocities.com/estebanaioidykr4/ Please make sure this email IS spam: From: "Dale West" (Get that summer body here) either case the prophecy would not have come true. It is however her faulty judgment that made and no reporting address. As I noted, this is an old, well-known SC bug that yahoo is taking advantage of. When will this be fixed? Who knows. I am just noting that it continues to be a bug and is being taken advantage of. 

From MikeE at ster.invalid Mon Mar 20 13:30:29 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Mar 20 16:35:03 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
References:
Message-ID:

Anonymous wrote:
> Thanks for pointing it
> out.

What else is a voluntary courtesy clock policeperson good for? Elth they wouldn't have given me thith whithle tweet tweet. :-)

Next year I'm supposed ta' get a chromeplated one instead of this plastic model.

--
Mike Easter
kibitzer, not SC admin

From robvettes at hotmail.com Mon Mar 20 19:37:59 2006
From: robvettes at hotmail.com (RV in DC)
Date: Mon Mar 20 19:40:05 2006
Subject: [SpamCop-List] No responses from Spamcop
Message-ID:

I don't seem to be receiving any responses from Spamcop to my numerous submissions. This is only about 2 days now, but never had this problem before. Incoming e-mail is not being blocked to my knowledge. Is there a problem or something I need to do? TIA.

From scamper at trisk.com Mon Mar 20 17:50:40 2006
From: scamper at trisk.com (Garen Erdoisa)
Date: Mon Mar 20 19:55:04 2006
Subject: [SpamCop-List] Re: Spoofing
In-Reply-To:
References:
Message-ID:

sauron wrote:
> I believe I am now the victim of spoofing. I am getting email and failure
> notices apparently from my mail server. And someone(s) are attempting to
> log into my server using various login names etc. My server supports pop3
> and web based email. I enabled the spam filter on the server, created a
> folder spam. All mail not on whitelist goes into the spam folder, which I
> check via web mail. I have tried to copy/paste email into spamcop, it
> appears that spamcop form don't like that - reports missing elements. Any
> ideas??
>
>

If you control your own DNS server, I'd recommend that you set up SPF (Sender Policy Framework) records if you haven't done so already. This can cut down on the bounces a lot because servers that honor SPF will often just reject forged messages not from your site but claiming to be from your site directly during the SMTP transaction. If they accept such messages, they will often route the email to a spam folder. Either way you won't receive a bounce message in those cases because the mail was already treated as a forgery. For more info on SPF refer to:

http://www.openspf.org/

This will not completely eliminate the bounces, but if any other admin questions you about it, you can then inform them that the email was using a forged from address and ask them why they didn't just reject the email using SPF?

I have the same problem. I can honestly say that SPF has helped with cutting down the noise that I have to deal with regarding forged senders. It's not a perfect solution but every little bit helps.

I've also never had an admin question me about an email they received that had my domain forged into the headers. Those forgeries are easy to spot, and most competent admin will recognize them as such.

Garen

From MikeE at ster.invalid Mon Mar 20 16:57:16 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Mon Mar 20 20:00:03 2006
Subject: [SpamCop-List] Re: No responses from Spamcop
References:
Message-ID:

RV in DC wrote:
> I don't seem to be receiving any responses from Spamcop to my numerous
> submissions. This is only about 2 days now, but never had this
> problem before. Incoming e-mail is not being blocked to my
> knowledge. Is there a problem or something I need to do?

Recently there have been a few posts about that.
Go to the webparser^1 logged in and see if there is an alert about mail bouncing and account suspended and links to reset

^1 http://www.spamcop.net/

--
Mike Easter
kibitzer, not SC admin

From jg at coks.net Mon Mar 20 18:10:54 2006
From: jg at coks.net (jg)
Date: Mon Mar 20 21:10:03 2006
Subject: [SpamCop-List] Re: No responses from Spamcop
In-Reply-To:
References:
Message-ID:

On 3/20/2006 4:57 PM Mike Easter scribbled:
> RV in DC wrote:
>> I don't seem to be receiving any responses from Spamcop to my numerous
>> submissions. This is only about 2 days now, but never had this
>> problem before. Incoming e-mail is not being blocked to my
>> knowledge. Is there a problem or something I need to do?
>
> Recently there have been a few posts about that. Go to the webparser^1
> logged in and see if there is an alert about mail bouncing and account
> suspended and links to reset
>
> ^1 http://www.spamcop.net/
>

And if that doesn't help, ask your ISP if they are blocking your outgoing reports...

From redford_stone at INVERSE_OF_COLDmail.com Tue Mar 21 03:57:24 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Mon Mar 20 23:00:03 2006
Subject: [SpamCop-List] Re: GARY ONG POH CHUAN is out of the office.
References:
Message-ID:

"Anonymous" wrote in news:dvn096$598$1@news.spamcop.net:
>
> Drat! As soon as I read the above I broke into Gary's office to steal
> some things, and all the good stuff - computer, red swingline, even
> the chair - was gone already! One of you guys beat me to it!!
>
> Oh well, at least I snagged a slightly used steelcase cubicle and a
> nice chair mat...
>
>:)
>
>
>

I grabbed his slightly used fridge filled with cognac. It also had a wallet, but it was stuffed with IOUs. :-)

From redford_stone at INVERSE_OF_COLDmail.com Tue Mar 21 04:00:01 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Mon Mar 20 23:05:02 2006
Subject: [SpamCop-List] Re: A first! Spammed me @spamcop and spammed deputies too
References:
Message-ID:

"Joe Gill" wrote in news:dvmja7$rvq$1@news.spamcop.net:
>
> What's really dumb about this one is:
> - All 9 addressed were @spamcop.net addresses!
> - They also spammed deputies@spamcop.net
>
> http://www.spamcop.net/sc?id=z901779543za796c244e80981389d52c942d9cce79
> fz
>
>
>

Remember Rule #3, Russell's Corollary. Looks like a phishing scam though.

From redford_stone at INVERSE_OF_COLDmail.com Tue Mar 21 04:02:38 2006
From: redford_stone at INVERSE_OF_COLDmail.com (Redstone)
Date: Mon Mar 20 23:05:15 2006
Subject: [SpamCop-List] Re: Funny account phishing scam.
References:
Message-ID:

"Geoffrey Hyde" wrote in news:dvlodt$dct$1@news.spamcop.net:
> http://www.spamcop.net/sc?id=z901466785z5017f3e91c1e767a33fbc9686c86ddd
> 4z
>
> It would appear that they're trying to "phish" for my account details.
> Unfortunately, it will be quite some time, if not forever, before
> Telstra operates its customer service handling out of saix.net - I
> really do wish these scammers would get a life.
>
>
> Cheers ...
>
> Geoffrey Hyde
>
>
>

They just keep trying and trying and trying. I wonder how fast their response is declining now that more and more people are becoming clued in to this type of scam.

From smcgarrett at hawaii.com Mon Mar 20 23:02:03 2006
From: smcgarrett at hawaii.com (Steve McGarrett)
Date: Tue Mar 21 00:05:02 2006
Subject: [SpamCop-List] Re: A mailman opt-in plus confirmation mailing list is spam?
In-Reply-To:
References:
Message-ID:

Anonymous wrote:
> Mike Easter wrote...
>> David Bolt wrote:
>>
>>> There's the very distinct possibility, given the times involved, that
>>> the message was composed off-line just before leaving work, late
>>> Friday afternoon, and it wasn't actually sent until the next time
>>> news fetch was performed, which would be early Monday morning.
>>
>> That is certainly a very plausible theory, and would count as a severe
>> disturbance between the writing and the nntp arrival.
>
> And indeed that is what happened.

Darn. Given the time of the post, my money was on it being The Doctor slipping through from SciFi. (And if he's such a great Time Lord, why did it take him a year to get across The Pond?)

Aloha,
McGarrett
"LART 'em, Danno!"

From bjorn_spam_route at hekneby.org Mon Mar 20 22:50:45 2006
From: bjorn_spam_route at hekneby.org (Bjorn Solberg)
Date: Tue Mar 21 01:55:12 2006
Subject: [SpamCop-List] Spamcop reporting wrong email origin
Message-ID:

See
http://www.spamcop.net/sc?id=z901784807z81a6878f7636594f38600be6bdd70cb2z

The real sender is 85.84.177.132, but SC reports 204.152.186.177 - presumably because it's being sent to a mail list, so the chain gets broken at the 127.0.0.1 entry. Is there any way to add something to some configuration to fix this so it reports the correct sender for these messages?

Thank you,
Bjorn.

From nobody at spamcop.net Mon Mar 20 23:19:26 2006
From: nobody at spamcop.net (N. Miller)
Date: Tue Mar 21 02:20:03 2006
Subject: [SpamCop-List] Re: Spamcop reporting wrong email origin
References:
Message-ID: <1dhjmtzaqb092.dlg@news.spamcop.net>

On Mon, 20 Mar 2006 22:50:45 -0800, Bjorn Solberg wrote:
> See
> http://www.spamcop.net/sc?id=z901784807z81a6878f7636594f38600be6bdd70cb2z
>
> The real sender is 85.84.177.132, but SC reports 204.152.186.177 -
> presumably because it's being sent to a mail list, so the chain gets
> broken at the 127.0.0.1 entry. Is there any way to add something to some
> configuration to fix this so it reports the correct sender for these
> messages?

Are you the list owner? AFAIK, SC does not want list recipients to report to lists.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From dws at dealing-with-spam.info Tue Mar 21 09:20:27 2006
From: dws at dealing-with-spam.info (D-W-S)
Date: Tue Mar 21 03:25:03 2006
Subject: [SpamCop-List] Re: GARY ONG POH CHUAN is out of the office.
References:
Message-ID:

Redstone wrote on Tue, 21 Mar 2006 03:57:24 +0000 (UTC):
> I grabbed his slightly used fridge filled with cognac.

What kind of sicko puts cognac in a fridge anyway? Ah, okay, the type to send out OOO auto-replies to a mailing list.

From dws at dealing-with-spam.info Tue Mar 21 09:21:39 2006
From: dws at dealing-with-spam.info (D-W-S)
Date: Tue Mar 21 03:25:15 2006
Subject: [SpamCop-List] Re: Virus encrypts documents, demands ransom
References:
Message-ID:

Technomage Hawke wrote on Mon, 20 Mar 2006 12:54:30 -0700:
>> Rule #3 in action? :)
> rule #3, never try to fool a professional admin. see rule 1.
>:)

Nah. Rule #3 is "spammers are stupid". Rule #1 is "spammers lie".

From nobody at spamcop.net Tue Mar 21 00:41:41 2006
From: nobody at spamcop.net (RandallW)
Date: Tue Mar 21 03:45:02 2006
Subject: [SpamCop-List] Re: GARY ONG POH CHUAN is out of the office.
References:
Message-ID:

wrote in message news:mailman.25.1142873942.16519.spamcop-list@news.spamcop.net...
>I will be out of the office starting 03/20/2006 and will not return until
> 04/03/2006.
>
> I will respond to your message when I return, from my National Call-up.
>
>

WHO ARE YOU!!!???

Ooops, just watched '24' a few hours ago....just got me in that mood.

From g.hyde at bigpond.net.au Tue Mar 21 19:17:33 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Tue Mar 21 04:20:03 2006
Subject: [SpamCop-List] Ridculously easy to spot account phishing scams.
Message-ID:

http://www.spamcop.net/sc?id=z902425445zcf6cd35def26cc5cc55ba76a9fcdd82fz

Rule #1. My ISP would NEVER ask for my account details/username in an email. They'd call me.
Rule #2. My ISP would NEVER send me a large ZIP file attachment.
Rule #3. My ISP would NEVER be using saix.net as the abuse listing for account email problems.
Rule #4. (Seems to be proving itself atm) Scammers are clueless.

Cheers ...

Geoffrey Hyde

From dws at dealing-with-spam.info Tue Mar 21 10:45:33 2006
From: dws at dealing-with-spam.info (D-W-S)
Date: Tue Mar 21 04:50:37 2006
Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams.
References:
Message-ID:

Geoffrey Hyde wrote on Tue, 21 Mar 2006 19:17:33 +1000:
> Rule #4. (Seems to be proving itself atm) Scammers are clueless.

That wouldn't be a problem if the targets of their scams weren't even more clueless...

From dws at dealing-with-spam.info Tue Mar 21 10:50:00 2006
From: dws at dealing-with-spam.info (D-W-S)
Date: Tue Mar 21 04:51:09 2006
Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams.
References:
Message-ID:

Geoffrey Hyde wrote on Tue, 21 Mar 2006 19:17:33 +1000:
> Rule #1....

Incidentally, which rules are these?

The only ones I know are the "Rules Of Spam" as kept by Patricia, the Rules-keeper: http://bruce.pennypacker.org/spamrules.html

From MikeE at ster.invalid Tue Mar 21 02:04:55 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 21 05:05:43 2006
Subject: [SpamCop-List] Re: Spamcop reporting wrong email origin
References:
Message-ID:

Bjorn Solberg wrote:

www.spamcop.net/sc?id=z901784807z81a6878f7636594f38600be6bdd70cb2z

Abbreviated Received tracelines
*comment
from public.xfree86.org (xf86a.isc.org [204.152.186.177] by maui53.famsolberg.com
*list output
from public.XFree86.org ( [127.0.0.1]) by public.xfree86.org
*list relay
from homeruninn.com (eu85-84-177-132.clientes.euskaltel.es [85.84.177.132]) by xfree86.org
*source

SC names 204.152.186.177 as source because of premature chainbreak.

> The real sender is 85.84.177.132, but SC reports 204.152.186.177 -
> presumably because it's being sent to a mail list, so the chain gets
> broken at the 127.0.0.1 entry.

No. The internal localhost line is ignored.
The chain is broken because SC can't chain down from isc.org calling itself xfree86.org and the IP not being close enough to the MX for xfree86.

The chain breaks because of failing what I call SC's 'MX step'.

204.152.186.177 rDNS xf86a.isc.org -- so SC is looking to chain that down to the 'by' field public.xfree86.org. Since they don't match, SC checks on the MX for xfree86.org which is mailhost.xfree86.org = 204.152.184.77

204.152.186.177 != 204.152.184.77 [does not equal] and also the two are not sufficiently close to the same. SC will tolerate some difference, say within the same C block, but not two C block hops from 186 to 184.

Also, incidentally that IP isn't the mx for isc.org either, altho' that test is not performed.

> Is there any way to add something to
> some configuration to fix this so it reports the correct sender for
> these messages?

If all of your mail were being handled by a server which was configured like that, you would configure your mailhost configuration for it, so that SC could take this chain problem into account on a permanent basis.

However, in this case the 'rule' which applies is that you shouldn't be reporting mailing list spam for this very reason.

http://www.spamcop.net/fom-serve/cache/14.html
-- On what type of email should I (not) use SpamCop?
-- Spam sent to mailing lists
-- List servers often show themselves as the source of the mail sent to it, not the originating user's IP address. Spam sent to mail lists/groups must not be reported using SpamCop except by the list owner. Subscribers may send a note to the list owner who can block the source from sending to the list or take responsibility for reporting the spam themselves.

Also, the tracker you posted above was live, so I cancelled it. A live tracker is one which has been neither reported nor cancelled. To show us a tracker, you should feed the spamitem, copy the tracker, then cancel the report so that someone else can't cause trouble by reporting it.

Report Spam to:
Re: 204.152.186.177 (Administrator of network where email originates)

--
Mike Easter
kibitzer, not SC admin

From g.hyde at bigpond.net.au Tue Mar 21 21:13:21 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Tue Mar 21 06:20:14 2006
Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams.
References:
Message-ID:

Not spammer rules ... Rules of spotting spam. As defined by me. ;)

And in any case we're not talking spammers, we're talking scammers. I don't lump the two together - at least the spammer is smart enough in the odd instance to actually make sure their website is up (IE resolves) before spamming me with its presence. Not that I've ever visited one.

And I'd be a lot more interested to find out if someone can tell me if that attachment .zip actually contains a virus or something equally bad. I NEVER open attachments from total strangers, and spammers/scammers, the whole lot, are all lumped together as far as that goes.

The spam email (and attachment) will soon depart my system forever. Good riddance to bad rubbish.

Cheers ...

Geoffrey Hyde

"D-W-S" wrote in message news:slrne1vj28.1a19.dws@dealing-with-spam.info...
> Geoffrey Hyde wrote on Tue, 21 Mar 2006 19:17:33 +1000:
>
>> Rule #1....
>
> Incidentally, which rules are these?
>
> The only ones I know are the "Rules Of Spam" as kept by Patricia, the
> Rules-keeper: http://bruce.pennypacker.org/spamrules.html

From porpoise1954 at yahoo.co.uk Tue Mar 21 11:20:00 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 21 06:25:03 2006
Subject: [SpamCop-List] Re: Funny account phishing scam.
References:
Message-ID:

"Redstone" wrote in message news:Xns978CCBEB8C48tinlc@216.154.195.61...
>
>
> They just keep trying and trying and trying. I wonder how fast their
> response is declining now that more and more people are becoming clued in
> to this type of scam.
>

Yeah, they'll probably start using more "legitimate" scams like selling you DVDs that have a restrictive mechanism preventing you from watching them on any machine wherever in the world you happen to be............ Forcing you to have a separate machine for each type (of prevention - read: region code).

From MikeE at ster.invalid Tue Mar 21 03:45:03 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 21 06:45:03 2006
Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams.
References:
Message-ID:

Geoffrey Hyde wrote:

> And I'd be a lot more interested to find out if someone can tell me
> if that attachment .zip actually contains a virus or something
> equally bad.

The way I prefer to handle virms for characterization. I prefer to work with my AV agent with current up-to-date .dat templates turned off. I access the virm from the mail's properties and isolate the b64 encoded zip which I save as a .b64. Then I use my b64 decoder on that, I like Iceows for its many features. That is an iteration of the old ArjFolder and it converts the .b64 to the .zip. Then I unzip the executable into a folder. If your AV is working in realtime it will interfere with that step because typically the AV doesn't like for you to be handling a viral template, and whenever you start decoding or unzipping one, it will holler or rather sanitize.

Then I point the AV agent at the folder and ask it to characterize.

I'm sure your b64/d zip file contains a virus/worm, but I didn't decode and unzip it and characterize it. I'm leaving that to you.

You shouldn't really be afraid to handle them; they aren't magic. You just don't want to execute the executable you get after you unzip it.

--
Mike Easter
kibitzer, not SC admin

From porpoise1954 at yahoo.co.uk Tue Mar 21 12:15:29 2006
From: porpoise1954 at yahoo.co.uk (Porpoise)
Date: Tue Mar 21 07:20:03 2006
Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams.
References:
Message-ID:

"Geoffrey Hyde" wrote in message news:dvon8h$8e0$1@news.spamcop.net...
> Not spammer rules ... Rules of spotting spam. As defined by me. ;)
>
> And in any case we're not talking spammers, we're talking scammers. I
> don't lump the two together
> and spammers/scammers, the whole lot, are all lumped together as far as
> that goes.

???? <8-)(

From MikeE at ster.invalid Tue Mar 21 04:28:54 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 21 07:30:03 2006
Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams.
References:
Message-ID:

Mike Easter wrote:
> Geoffrey Hyde wrote:
>
> I'm sure your b64/d zip file contains a virus/worm, but I didn't
> decode and unzip it and characterize it. I'm leaving that to you.
>
> You shouldn't really be afraid to handle them; they aren't magic.

I changed my mind, I decided to mess with it to demonstrate VirusTotal.

The executable was instruction.pif. My AV told me it was I-Worm/MyDoom-O

I submitted it to a gizmo that runs a lot of different AV engines

Antivirus           Version         Update      Result
AntiVir             6.34.0.53       03.21.2006  Worm/Mydoom.M
Avast               4.6.695.0       03.17.2006  Win32:Mydoom-M
AVG                 386             03.20.2006  I-Worm/Mydoom.O
Avira               6.34.0.53       03.21.2006  Worm/Mydoom.M
BitDefender         7.2             03.21.2006  Win32.Mydoom.M@mm
CAT-QuickHeal       8.00            03.20.2006  W32.Mydoom.M
ClamAV              devel-20060126  03.21.2006  Worm.Mydoom.M
DrWeb               4.33            03.21.2006  Win32.HLLM.MyDoom.49
eTrust-InoculateIT  23.71.107       03.20.2006  Win32/MyDoom.O!Worm
eTrust-Vet          12.4.2127       03.21.2006  Win32/Mydoom.O
Ewido               3.5             03.21.2006  Worm.Mydoom.m
Fortinet            2.71.0.0        03.21.2006  W32/Mydoom.M-dam
F-Prot              3.16c           03.20.2006  W32/Mydoom.O@mm
Ikarus              0.2.59.0        03.20.2006  Email-Worm.Win32.Mydoom.M
Kaspersky           4.0.2.24        03.21.2006  Email-Worm.Win32.Mydoom.m
McAfee              4722            03.20.2006  W32/Mydoom.o@MM
NOD32v2             1.1452          03.20.2006  Win32/Mydoom.R
Norman              5.70.10         03.21.2006  MyDoom.L@mm
Panda               9.0.0.4         03.20.2006  W32/Mydoom.N.worm
Sophos              4.03.0          03.21.2006  W32/MyDoom-O
Symantec            8.0             03.21.2006  W32.Mydoom.M@mm
TheHacker           5.9.6.116       03.20.2006  W32/Mydoom.O@MM
UNA                 1.83            03.20.2006  I-Worm.Mydoom.m
VBA32               3.10.5          03.21.2006  Win32.HLLW.Mydoom.m

I wouldn't have been able to handle it and submit it to the VirusTotal gizmo if my AV had been fully operational.

--
Mike Easter
kibitzer, not SC admin

From sauron at wizardscorner.com Tue Mar 21 06:52:21 2006
From: sauron at wizardscorner.com (sauron)
Date: Tue Mar 21 07:55:04 2006
Subject: [SpamCop-List] Re: Spoofing
References:
Message-ID:

This may not be the place to put this. An example that I have found, it looks like a bounce. And there is not a user "Postmaster".

Return-Path:
Delivered-To: virtual-wizardscorner_com-spam@wizardscorner.com
Received: (qmail 24151 invoked by uid 10003); 21 Mar 2006 11:29:34 -0000
Message-ID: <20060321112934.24150.qmail@ns22.webmasters.com>
Received: (qmail 24145 invoked for bounce); 21 Mar 2006 11:29:33 -0000
Date: 21 Mar 2006 11:29:33 -0000
From: MAILER-DAEMON@ns22.webmasters.com
To: MAILER-DAEMON@wizardscorner.com
Subject: failure notice
X-Spam-Filter: F27_Filter_Bounce
X-Sent-To: mailer-daemon@wizardscorner.com

Hi. This is the qmail-send program at ns22.webmasters.com.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

:
207.228.225.128 does not like recipient.
Remote host said: 550 sorry, your envelope recipient is in my badrcptto list (#5.7.1)
Giving up on 207.228.225.128.

--- Below this line is a copy of the message.
Return-Path: Received: (qmail 24140 invoked by uid 10003); 21 Mar 2006 11:29:32 -0000 Date: 21 Mar 2006 11:29:32 -0000 Message-ID: <20060321112932.24137.qmail@ns22.webmasters.com> Reply-To: MAILER-DAEMON@wizardscorner.com To: certification@1-internet-courses.com From: postmaster@wizardscorner.com Subject: FAILURE Content-Type: multipart/alternative; boundary="--=T_BNCE-1505781008" X-Mailer: 4Admin(tm) Spam Filter by WEBMASTERS.COM (webmaster@wizardscorner.com) This is a multi-part message in MIME format. ----=T_BNCE-1505781008 Content-Type: text/plain; charset="ISO-8859-1" Content-Transfer-Encoding: 7bit Sorry, but your last message to webmaster@wizardscorner.com was rejected by our Spam Filter for the following reason: Your message contained an unwanted header. The unwanted header was: F7_Unwanted_Header: The Bat To ensure proper delivery, please use the following link within 24 hours to send your message again without filtering through our web based interface: If the entire URL above does not appear as a link, please copy it in its entirety and paste it into your web browser. If you did not send the original message, please disregard this notice, but know that someone is sending messages appearing to be from certification@1-internet-courses.com. We apologize for any inconvenience this may have caused. Thank you. ----- Original Message ----- PREMIER INFORMATION (PIFR) Climbs 100% plus since its IPO, just signing an agreement with TOP 10 in-surancee company in US (AccuQuote). The company is pleased and proud to be working with a wide range of clients that includes in-surancee industry leaders Transamerica In-surancee and John Hancock In-surancee, as well as leading online in-surancee br0ker AccuQuote. We Do Not See this slowing down, watch out this st0ck go crazy tomorrow. This is a Must Watch.. PREMIER INFORMATION (PIFR) A U.S. based company offers specialized information management serices to both the In surancee and Healthcare Industries. 
The services we provide are specific to each industry and designed for quick response and maximum security. Current Price: .45 Is this an Undiscovered Gem that is Positioned to Go Higher? P|easee R e a d the Following Announcement in its Entirety and Consider the Possibilities... Watch This One Trade Tomorrow! Premier Information Management, Inc. (PIFR), an emerging provider of information management services to the In-surancee and Healthcare industries, announced today that the company is providing information procurement and data migration services to several of the Top Twenty In-surancee Gr0ups, ranked according to the number of individual term life in-surancee policies issued by industry providers in 2004. (NAIC In-surancee Industry Data) "We are pleased and proud to be working with a wide range of clients that includes in-surancee industry leaders Transamerica In-surancee and John Hancock In-surancee, as well as leading online i-nsurancee br0ker AccuQuote," said Tom Miller, CEO of Premier Information. "We want to continue to stay focused on growing our core business, refining our operation model, and introducing new integrating technologies that help move our clients to more efficient, cost effective and secure business processes." Premier Information procures sensitive health information from medical providers as authorized from proposed claimants or their legal representatives, then utilizes Premier's patent-pending, proprietary PiImageX(TM) application to electronically transmit the information to the requesting in-surancee carrier and/or their registered broker/agents. PiImageX(TM) was developed specifically to increasee efficiencies associated with underwriting and claim processing by reducing record retrieval turnaround times by as much as 40%, cutting costs, increasing security and redefining the way mission critical information is being digitally transmitted in the in-surancee and healthcare industries. 
PiImageX(TM) is a proprietary rules-based application containing efficient workflow solutions that create an "assembly line" information management system for customized file conversions, index file scripting, encryption methodologies and simultaneous transmissions across various protocols to multiple en d users. These partnerships specifically allow Premier to obtain personal health information, as governed by the Health In-surancee Portability and Accountability Act of 1996 (HIPAA), and other applicable state laws and regulations. Global HealthCare Market Undergoing Digital Conversion Premier is an emerging provider of information management solutions to the global health care market, an industry that generates in excess of $2 tri||i0n a year. As of year-end 2005, the health care industry consumed an astonishing 17.9% of U.S. Gross Domestic Product making Healthcare and related industries a market of staggering size with tremendous growth potential for all of its participants. The health-care and in-surancee industries are undergoing a digital conversion and fast becoming businesses based on the transfer, storage and management of information. Premier's ability to procure, host and control the flow of sensitive, health information accurately, securely and efficiently through its suite of patent pending software applications is what distinguishes Premier from its competitors in this multi-bi||i0n d0||ar industry. Premier is extremely well positioned to take advantage of growth opportunities within the burgeoning healthcare and in-suranceemarkets. The demand for Premier's services is strong, recent industry data estimates that cost saavings for in-surancee companies and healthcare providers who invest in new technologies and management services range from $45 bi||i0n to $100 bi||i0n on an industry-wide basis. 
----=T_BNCE-1505781008-- "Garen Erdoisa" wrote in message news:dvnil5$hrn$1@news.spamcop.net... > sauron wrote: >> I beleive I am now the victim of spoofing. I am getting email and >> failure notices apparently from my mail server. And someone(s) are >> attempting to log into my server using various login names etc. My >> server supports pop3 and web based email. I enabled the spam filter on >> the server, created a folder spam. All mail not on whitelist goes into >> the spam folder, which I check via web mail. I have tried to copy/paste >> email into spamcop, it appears that spamcop form don't like that - >> reports missing elements. ANy ideas?? > > If you control your own DNS server, I'd recommend that you setup SPF > (Sender Policy Framework) records if you haven't done so already. This can > cut down on the bounces allot because servers that honor SPF will often > just reject forged messages not from your site but claiming to be from > your site directly during the SMTP transaction. If they accept such > messages, they will often route the email to a spam folder. Either way you > won't receive a bounce message in those cases because the mail was already > treated as a forgery.
For more info on SPF refer to: > > http://www.openspf.org/ > > This will not completely eliminate the bounces, but if any other admin > questions you about it, you can then inform them that the email was using > a forged from address and ask them why they didn't just reject the email > using SPF? > > I have the same problem. I can honestly say that SPF has helped with > cutting down the noise that I have to deal with regarding forged senders. > It's not perfect solution but every little bit helps. > > I've also never had an admin question me about an email they received that > had my domain forged into the headers. Those forgeries are easy to spot, > and most competent admin will recognize them as such. > > Garen From MikeE at ster.invalid Tue Mar 21 07:01:10 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Mar 21 10:05:08 2006 Subject: [SpamCop-List] Re: Spoofing References: Message-ID: sauron wrote: > This may not be the place to put this. This is definitely not the place to put a spam with complete headers and body. The best way to demonstrate something is to submit the item to the parser, copy the tracking URL from the top of the parse, cancel or report the item's report, and paste the tracker here. Spam examples are not allowed in the discussion groups. They may be posted into the non-discussion group spamcop.spam and then discussed here -- but the tracker is better. > An example that I have found, > it looks like a bounce. Yes, spam and virms may be designed to look like bounces. -- Mike Easter kibitzer, not SC admin From bjorn_spam_route at hekneby.org Tue Mar 21 07:38:29 2006 From: bjorn_spam_route at hekneby.org (Bjorn Solberg) Date: Tue Mar 21 10:40:03 2006 Subject: [SpamCop-List] Re: Spamcop reporting wrong email origin References: Message-ID: Mike Easter writes: [...] > However, in this case the 'rule' which applies is that you shouldn't be > reporting mailing list spam for this very reason. [...] 
Hm, that will make spam reporting a little more challenging, as my bayesian filter doesn't distinguish between mailing lists or regular email. I'll have to see if I can adjust the order of my mail processing then. Thank you Mike and Norman for the information and enlightenment in the rest of your message. Bjorn. From MikeE at ster.invalid Tue Mar 21 07:39:57 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Mar 21 10:40:17 2006 Subject: [SpamCop-List] Re: Spoofing References: Message-ID: sauron wrote: > An example that I have found, > it looks like a bounce. And there is not a user "Postmaster". What you pasted here and in .spam is a mess of servers trying to talk to each other and doing a bad job of it, so I don't know what is really going on. Your end is and addy and registered domainname is wizardscorner.com.. There's another end or server called webmasters.com. However, and also, the domain registrar for wizardscorner is nettuner DBA webmasters. What a mess. I think you are trying to troubleshoot some kind of insecurity with your server without giving adequate information, and the servers involved are misconfigured. In my first theory, there was a spam whose source is unknown because the recipient server never stamped its line, but it accepted the spam for delivery. That's bad. There's an IP mentioned, 207.228.225.128 rDNS smtp3.superb.net which I don't know what it is, but see below Then, after accepting the spam for delivery, the server decided that it couldn't deliver for reasons that were described or named but not in evidence, such as bad rcpt to and The Bat in the headers -- which header elements are absent from anything here. 
Some other elements are a mentioned addressee certification@1-internet-courses.com which also appeared in a set of headers which were not stamped with a Received traceline, and 1-internet-courses.com MX is the above 207.228.225.128 rDNS smtp3.superb.net

So, if the headers with the missing Received traceline are from the source to the superb.net server for the certification username, they are also claiming to be from the mailerdaemon or pm of wizardscorner.

If that server which was never named in a Received traceline was the superb.net server for 1-internet-courses were to accept the stockspam for delivery and then never deliver it, but instead turn around and create a newmail to the wizardscorner.

But that theory doesn't work, because the wizardscorner server never stamped a Received traceline either. That is, we are looking at a hierarchy of 2 levels of headers, neither of which has a proper Received traceline to help try to figure something out.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Tue Mar 21 07:46:18 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 21 10:50:02 2006
Subject: [SpamCop-List] Re: Spamcop reporting wrong email origin
References:
Message-ID:

Bjorn Solberg wrote:
> Mike Easter writes:

>> However, in this case the 'rule' which applies is that you shouldn't
>> be reporting mailing list spam for this very reason.

> Hm, that will make spam reporting a little more challenging, as my
> bayesian filter doesn't distinguish between mailing lists or regular
> email. I'll have to see if I can adjust the order of my mail
> processing then.

I whitelist my mailing lists and put them into their own folder/s. The whitelisting is in front of, prior to, any spamfilter tagging. The foldering is done after the filter tagging by message ruling. It would not be possible for my mailing list items to be tagged as spam because of the filter's whitelist.

That sounds confusing. I'll try again.

My filter is SpamPal.
My mailing lists along with a lot of others is whitelisted for SP to prevent their being tagged as spam. My mailuser agent is OE. It has message rules for the mailing list mail which puts it into its own folders. The tagged spam is put into the Junk folder. -- Mike Easter kibitzer, not SC admin From nobody at devnull.spamcop.net Tue Mar 21 08:12:01 2006 From: nobody at devnull.spamcop.net (Anonymous) Date: Tue Mar 21 11:20:02 2006 Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams. References: Message-ID: Geoffrey Hyde wrote... > And I'd be a lot more interested to find out if someone can tell me if > that attachment .zip actually contains a virus or something equally bad. > I NEVER open attachments from total strangers, and spammers/scammers, the > whole lot, are all lumped together as far as that goes. Get a Knoppix CD. It boots directly to Linux from a CD and runs on a RAM disk; no access to the hard disk needed. Even if the virus could infect Linux (Trust me -- it can't), the infection would go away when you turned off the power. G.M. From joegill at removethis Tue Mar 21 11:46:17 2006 From: joegill at removethis (Joe Gill) Date: Tue Mar 21 11:50:03 2006 Subject: [SpamCop-List] Google indexes forum.spamcop.net Message-ID: Silly me... I ass-u-me 'd Google was not permitted to crawl forum.spamcop.net However ... It is ... and it does!!! I made an earlier post about a spam I received @ my spamcop.net address. I am very protective of that outside of Spamcop domain... I slipped up... I made postings in the Mailhosts System Configuration Forum and they are all out there for the world to see/search etc on Google.... Is that by intent/design? If not.... A) Can the file be put in place to STOP Google from indexing? B) Can someone contact Google to remove all indexes to the forums? From wb8tyw at qsl.network Tue Mar 21 11:34:22 2006 From: wb8tyw at qsl.network (John E. 
Malmberg) Date: Tue Mar 21 12:35:03 2006 Subject: [SpamCop-List] Re: GARY ONG POH CHUAN is out of the office. References: Message-ID: In article , "Anonymous" writes: > > wrote in message > news:mailman.25.1142873942.16519.spamcop-list@news.spamcop.net... >>I will be out of the office starting 03/20/2006 and will not return until >> 04/03/2006. >> >> I will respond to your message when I return, from my National Call-up. > > Drat! As soon as I read the above I broke into Gary's office to steal > some things, and all the good stuff - computer, red swingline, even the > chair - was gone already! One of you guys beat me to it!! Of course, instead of breaking in, it was easy to convince help-full co-worker to emergency ship it to the hotel where they thought a critical customer presentation was being done. Even got the passwords reset and the dialup phone numbers. You had to wait until lunch or for the office to close. And the guys that were routinely doing this 10 years ago will now charge big bucks to tell companies that did not read the papers on how they did it. The other side business is to send fake invoices claiming the absent employee authorized them. Apparently a lot of small businesses will pay these with out checking. > Oh well, at least I snagged a slightly used steelcase cubicle and a > nice chair mat... Too big to overnight. -John wb8tyw@qsl.network Personal Opinion Only From bill_beyer at excite.cXoYmZ Tue Mar 21 10:07:31 2006 From: bill_beyer at excite.cXoYmZ (Bill Beyer) Date: Tue Mar 21 13:05:03 2006 Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams. References: Message-ID: "D-W-S" wrote in message news:slrne1vipt.1a19.dws@dealing-with-spam.info... > Geoffrey Hyde wrote on Tue, 21 Mar 2006 19:17:33 +1000: > > > Rule #4. (Seems to be proving itself atm) Scammers are clueless. > > That wouldn't be a problem if the targets of their scams weren't even > more clueless... I agree. As example, last Wed I received a Chase phish. 
The site is hosted on what appears to be a trojan compromised Comcast PC. I don't know if it's the trojan or just a stupid phisher but the .txt file where the information is stored is accessible via any browser from the site directory. So far over 35 Chase customers have given up their SSN, account number(s), PINs, answers to secret questions and email addresses. The site also logs their IP but not the userid or password they use to log in. Also interesting, the majority of clueless customers have .edu suffixes on their email addresses including well known institutions such as Penn State University and Virginia Military Institute. So either the phisher is specifically targeting .edu domains or the denizens of our higher learning institutions are exceptionally clueless. If it's the latter it doesn't bode well for our society. From jeffg at spamcop.net Tue Mar 21 13:54:31 2006 From: jeffg at spamcop.net (Jeff G.) Date: Tue Mar 21 14:10:04 2006 Subject: [SpamCop-List] Re: Google indexes forum.spamcop.net References: Message-ID: Joe Gill wrote: > Silly me... I ass-u-me 'd Google was not permitted to crawl > forum.spamcop.net > > However ... It is ... and it does!!! Yes, and usually better than the built-in search (especially for words of three or fewer letters). > I made an earlier post about a spam I received @ my spamcop.net > address. I am very protective of that outside of Spamcop domain... > > I slipped up... I made postings in the > Mailhosts System Configuration Forum > and they are all out there for the world to see/search etc on > Google.... > > Is that by intent/design? Yes, it appears to be. > If not.... > A) Can the file be put in place to STOP Google from indexing? > B) Can someone contact Google to remove all indexes to the forums? I don't think so. I think it would be more appropriate to just remove the confidential material. To that end, please contact me or Wazoo privately specifying that material. -- Thanks and Best Regards, Jeff G. 
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From nobody at spamcop.net Tue Mar 21 11:35:39 2006
From: nobody at spamcop.net (Eric)
Date: Tue Mar 21 14:40:02 2006
Subject: [SpamCop-List] Re: Google indexes forum.spamcop.net
In-Reply-To:
References:
Message-ID:

Joe Gill wrote:
> Silly me... I ass-u-me 'd Google was not permitted to crawl
> forum.spamcop.net
>
> However ... It is ... and it does!!!

This has been reported previously on the forum. See the thread from May 2005 at http://forum.spamcop.net/forums/index.php?showtopic=4086

From legy at BRISINet.hr Tue Mar 21 21:27:56 2006
From: legy at BRISINet.hr (Legy)
Date: Tue Mar 21 15:30:14 2006
Subject: [SpamCop-List] IP blocked
Message-ID:

Hello,

I have some problems with SPAMCOP. Few weeks ago I've register on SPAMCOP to send some spam mails I've received. From that day I have problems with spamcop (my ip is blacklisted). :(

I've stop sending emails free days ago. But today someone probably blacklisted me, so all my customers have troubles. Can you tell me how to contact them to restart my listening.

From jecsby at webtv.net Tue Mar 21 13:31:45 2006
From: jecsby at webtv.net (jean e)
Date: Tue Mar 21 16:50:03 2006
Subject: [SpamCop-List] Re: No responses from Spamcop
References:
Message-ID: <8111-442070C1-1332@storefull-3152.bay.webtv.net>

I had that same problem for a week. I wrote Spamcop & got an answer, from Don, who said that MSNTV l had bounced my mail & I had been suspended, He reinstated me. It's now working.

...................
Jean

From MikeE at ster.invalid Tue Mar 21 14:36:08 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Tue Mar 21 17:40:02 2006
Subject: [SpamCop-List] Re: IP blocked
References:
Message-ID:

Legy wrote:

> I have some problems with SPAMCOP.
> Few weeks ago I've register on SPAMCOP to send some spam mails I've
> received. From that day I have problems with spamcop (my ip is
> blacklisted). :(

The best way to talk about a listed IP is to name it -- so that way any discussion doesn't have to play some kind of sleuth to talk about the issue.

> I've stop sending emails free days ago. But today someone probably
> blacklisted me, so all my customers have troubles. Can you tell me how
> to contact them to restart my listening.

Generally IPs which are SC blocklisted are not mistakes but spamsources. It is possible for a reporter to foolishly report hir own provider and for spamreporting to cause the provider to be SCbl listed.

Here's some information for discussion about Croatian IPs in your range.

You are currently posting from 83.139.75.215 rDNS dh75-215.xnet.hr which isn't listed, but which shows a big increase in senderbase activity. Its MX is mail.xnet.hr DNS 83.139.64.5 which also isn't SCbl listed and also shows an increase in senderbase.

Other IPs in that family which are active in mail output are:

83.139.76.97 dh76-97.xnet.hr
83.139.83.59 dh83-59.xnet.hr CBL
83.139.73.148 dh73-148.xnet.hr
83.139.70.200 dh70-200.xnet.hr CBL
83.139.71.158 dh71-158.xnet.hr SCBL
83.139.73.46 dh73-46.xnet.hr CBL

CBL means that IP is listed in that blocklist for hitting spamtraps and looking like a proxytrojan
SCbl means that IP is SC blocklisted.

So clearly some of your IPs which have significant output also have blocklisting problems.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Mar 22 09:40:04 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Tue Mar 21 19:45:04 2006
Subject: [SpamCop-List] No data / Too much data - how to go on from here?
Message-ID:

Submitted my overnight spam, started processing it, and at one point got the dreaded 'No data / Too much data' message:

"You are most likely submitting a very large email. Please trim some of the unnecessary data (noting where this has been done) from this posting and try again. SpamCop will no longer accept email larger than 50.0K bytes.
"Other possibilities: You may have a firewall which prevents HTTP POST commands, you may have linked to the wrong URL or your browser does not handle binary submissions correctly (try a different browser)." There are no buttons to cancel or do any other action. There is no tracker URL. When I go back to http://mailsc.spamcop.net/ I have only two options: 1) 'Report Now' (the next spam, that will lead again to the 'No data / Too much data' message; 2) 'Remove all unreported spam' to get rid of the 'No data / Too much data' message. Is this really how it is supposed to work? P.S. The largest spam message from the ones submitted is 6KB. From nobody at spamcop.net Tue Mar 21 21:22:10 2006 From: nobody at spamcop.net (Claudio Valderrama C.) Date: Tue Mar 21 20:20:03 2006 Subject: [SpamCop-List] Is SC aware of Afrinic? Message-ID: Hello, all. While my question may seem trivial. I have one example http://members.spamcop.net/sc?id=z903056580z39eca60b4885855fbfc456ea8ff3f939z where SC is querying arin, not afrinic. I went and queried arin manually. No records. Went to lacnic and it got automatically the information from afrinic. SC says "whois 196.218.30.237@whois.arin.net" (Getting contact from whois.arin.net ) nothing found However, if you query lacnic (or afrinic directly) you will get that 196.218.30.237 is a valid address and the provider is in Egypt. I found two contact addresses. C. -- Claudio Valderrama C. SW developer, consultant. http://www.cvalde.net - http://www.firebirdsql.org From mrmeval at earthlink.net Tue Mar 21 20:52:09 2006 From: mrmeval at earthlink.net (James Caldwell) Date: Tue Mar 21 20:55:02 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: I'd hoped to get some positive responses. I get treated with some respect and technobabble and some disrespect and accusations of spamming. I sent mail from my account to a friend daily. Suddenly it's blocked and I'm not sure why. 
So far it's everyone but spamcops fault for this problem. Earthlink, it does help to spell out the name and Iquest are the two systems. I first have been told it's Iquest, then Earthlink, then it's my fault. Spamcop has a reputation you've lived up to. If you don't like these complaints then fix the problem. Otherwise you're as bad as the thing you're trying to stop. Vanguard wrote: > "James Caldwell" wrote in message > news:dval2t$48l$1@news.spamcop.net... >>I see. Spamcop is at fault. Wonderful system you have. > > No. The problem is that YOU cannot read. The recipient that *uses* the > SpamCop blocklist, or ANY blocklist, is "at fault" for deciding to assign > spam filtering to another authority. Do you have spam filtering enabled > on > your Mindspring account? Gee, then any mails that get blocked as spam is > Mindspring's fault rather than YOUR fault for enabling the spam filter > option. YOU defining *any* rule in your e-mail client that filters any > spam means YOU are at fault for using that rule, not the author of the > e-mail program that provided the feature of rules that YOU could define. > > Duh, children just can't figure it out. -- "I can get you a drink, A reverend or we could call for Air Support." --http://www.schlockmercenary.com From MikeE at ster.invalid Tue Mar 21 18:34:38 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Mar 21 21:35:02 2006 Subject: [SpamCop-List] Re: Why are you screwing with my mail? References: Message-ID: James Caldwell wrote: > I'd hoped to get some positive responses. I get treated with some > respect and technobabble and some disrespect and accusations of > spamming. This thread was about an iquest server rejecting a mail from an EL EarthLink server 209.86.89.70 rDNS elasmtp-banded.atl.sa.earthlink.net because the EL server was SC blocklisted. 
The conjecture was that the basis for the server's listing was because EL servers periodically get SCbl listed because of the abusive server behavior of new emailing challenges to innocent bogus spam From addresses. Those challenges get reported by reporters and spamtraps. At the present time 209.86.89.70 is not listed. SCbl listings are temporary in that they automatically delist whenever the abusive behavior ceases -- and SCbl listings are based on mathematical formulas which would weigh favorably a server's reputation of sending non-spam mail against the reports of abuses such as challenges. At the time of my initial reply to your post which was now over 6 days ago, the IP's listing was due to expire in a mere 17 hours. So your little rant is going on some 5+ days after the condition we are discussing resolved -- and it is highly unlikely that your mail needed to be delayed at all, considering how many EL servers there are which were available to handle your mail. > I sent mail from my account to a friend daily. Suddenly it's blocked > and I'm not sure why. Your mail would have experienced a rejection which would have provided you with a bounce message from your own provider. Since EL has many servers, it would be trivial to remail the item which was rejected and expect that it would transmit successfully. > So far it's everyone but spamcops fault for this problem. Earthlink, > it does help to spell out the name and Iquest are the two systems. I > first have been told it's Iquest, then Earthlink, then it's my fault. Since you haven't cited anything contextually to support your statement 'then it's my fault' -- you must be making that part up. Iquest's responsibility is to make choices about how to defend itself against spam. Spamcop's responsibility is to maintain the SCbl on the basis of reports of spam and other abusive behavior. EL's responsibility is to not email abusive challenges. 
The responsibility of EL customers is to not configure their spamblocker to cause the EL abusive challenges, they could manage their suspect folders differently, as I do.

> Spamcop has a reputation you've lived up to.

The power of the SCbl blocklist is based on its popularity and usage, which is based on respect for its features, namely how dynamic it is in terms of quickly listing because of its reporters and spamtraps, and also how dynamic it is in terms of auto delisting. A blocklist is only as powerful as the depth and breadth of its usage by individuals and servers such as iquest.

> If you don't like these
> complaints then fix the problem.

You made your complaints or remarks and you were explained the whys and wherefores of how it came to be that your mail experienced a very minor little bump in the road.

--
Mike Easter
kibitzer, not SC admin

From jeffg at spamcop.net Tue Mar 21 21:57:59 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Tue Mar 21 22:00:03 2006
Subject: [SpamCop-List] Re: Is SC aware of Afrinic?
References:
Message-ID:

Claudio Valderrama C. wrote:
> Is SC aware of Afrinic?

Yes, but ARIN seems to have forgotten about AfriNIC in some cases. I hope the database maintainers at ARIN are working to correct this, and I hope the programmers of the SpamCop Parsing and Reporting System are working to implement "When ARIN returns no records, ask AfriNIC" workaround logic.

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jg at coks.net Tue Mar 21 19:55:53 2006
From: jg at coks.net (jg)
Date: Tue Mar 21 22:55:04 2006
Subject: [SpamCop-List] Paranoid reverse DNS passes
Message-ID:

http://www.spamcop.net/sc?id=z903185694zd4d5119c26d70b30caf16473866d39abz

WTF is this about (I'm no admin)?
From jg at coks.net Tue Mar 21 20:26:49 2006 From: jg at coks.net (jg) Date: Tue Mar 21 23:25:04 2006 Subject: [SpamCop-List] nl.iqarus.com Message-ID: http://www.spamcop.net/sc?id=z903188603zf40f2538d3e271e410d427dd183aaa78z per several spamverts in past few days, Mr. r.e*eden of above domaine is a busy guy. I am not an admin. Is this poor gent a zombie or what? From MikeE at ster.invalid Tue Mar 21 20:24:16 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Mar 21 23:25:18 2006 Subject: [SpamCop-List] Re: Paranoid reverse DNS passes References: Message-ID: jg wrote: sc?id=z903185694zd4d5119c26d70b30caf16473866d39abz Subject: Paranoid reverse DNS passes A good place for describing what the post is about is in the body, so that a contextualized reply can pertain. The body contains a description of what the post is about -- the subject briefly encapsulates that information. A post question doesn't go only in the subject, it must also be found in the body. In fact, a question itself should be in the body, and the subject should be the 'subject' of/about the question. If you put the implied question only in the subject, then I have to copy and paste the subject into the body to give context to any answer about the issue. Not "If you want to know what the body of this message is about, you have to find that out from the subject, since it isn't to be found in the body." > WTF is this about (I'm no admin)? The short answer is to derive the rDNS of an IP, and then to derive the DNS of that name. Enhancing the explanation would get into the broad subject of how it all works, the mapping. The paranoid reverse is also referred to as a 'double reverse' -- which sounds more like a football play. In any case, paranoid reverse lookups are performed by some servers -- and some other people argue that this 'drill' doesn't really prove anything, nor is it required to hold true. 
Here is one such anti-double-reverse type discussion http://homepages.tesco.net/J.deBoynePollard/FGA/dns-avoid-double-reverse.html "double reverse lookup" is not a security measure. Another issue or question which flows from your 'wtf is this about?' - is 'why does SC perform that operation?' To me, it is just 'another piece of information' about an IP. The first piece of information is 'does the IP rDNS or does it not?' To me, the next piece of information is 'where does the IP live?' But, the sequence here is 'does it rDNS?' and the next question is, 'since/if it does rDNS, does that rDNS DNS to the original IP?' The mapping process is different for the two directions, which mapping can result in the same as the original IP.. My own dynamic user IP 'passes' the double reverse test. Your cox posting IP passes the double reverse test. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Tue Mar 21 20:53:09 2006 From: MikeE at ster.invalid (Mike Easter) Date: Tue Mar 21 23:55:04 2006 Subject: [SpamCop-List] Re: Paranoid reverse DNS passes References: Message-ID: Mike Easter wrote: > The short answer is to derive the rDNS of an IP, and then to derive > the DNS of that name. Along those lines, here was a very recent thread in nanae about how one might be misled by the rDNS The target was 208.63.41.11 Newsgroups: news.admin.net-abuse.email Subject: curious reverse DNS Message-ID: Date: Thu, 16 Mar 2006 17:48:30 GMT Depending upon which tool you use and how you do it, you soon discover that IP has 9 different rDNSes. It had 9 at the time of the discussion, now today it has 10. 
11.41.63.208.in-addr.arpa PTR (Pointer) mail.mgsmp.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.cor-events.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.bercusonlaw.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.davidbercuson.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.lasercenterinc.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.sunsetwireless1.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.hugorodriguezlaw.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.dimensionstherapy.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.dimentionstherapy.com
11.41.63.208.in-addr.arpa PTR (Pointer) mail.dimensionstherapy4kids.com

follows from that, do those rDNSes each and every one double reverse or pass the paranoid test?, and the answer is yes.

With the most common tool I would use, I would get one answer, not 10. SC's tool also gets only one answer:

Parsing input: 208.63.41.11
host 208.63.41.11 (getting name) = mail.dimensionstherapy.com.

Since SC uses a cache, if you continue to ask the same question, you will continue to get that answer. In the mode of putting in a single IP into the parser, I don't know how or if one can clear the cache.

--
Mike Easter
kibitzer, not SC admin

From scamper at trisk.com Tue Mar 21 22:01:07 2006
From: scamper at trisk.com (Garen Erdoisa)
Date: Wed Mar 22 00:05:03 2006
Subject: [SpamCop-List] Attn: Deputies - Another example of a spammer trick that partly breaks the spamcop parse
Message-ID:

http://www.spamcop.net/sc?id=z903201435z95a953f27c6fe567f111fde49c290e71z

In this case, the spammer constructed the message such that it has an embedded CR in the real name portion of the From: and Reply-to: headers. When this spam is fed to the spamcop parser, the spamcop parser treats any information after that point as part of the message body, thus throwing away those headers.

In this particular case, I don't think it messed up where the abuse reports were sent. But it seems possible to do.
Garen From MikeE at ster.invalid Tue Mar 21 21:09:24 2006 From: MikeE at ster.invalid (Mike Easter) Date: Wed Mar 22 00:10:02 2006 Subject: [SpamCop-List] Re: nl.iqarus.com References: Message-ID: jg wrote: > http://www.spamcop.net/sc?id=z903188603zf40f2538d3e271e410d427dd183aaa78z > > per several spamverts in past few days, Mr. r.e*eden of above domaine > is a busy guy. > I am not an admin. Is this poor gent a zombie or what? That notify is about the spamvertised site http://043.poboxornoot.com which is a payload for knockoff watches, pens, etc. It is at the .nl /24 inetnum: 83.98.178.0 - 83.98.178.255 netname: NET-IQARUS-DC1 e-mail: r.eeden@nl.iqarus.com and that IP isn't spamhaused or spewed, but it has plenty of SC reports. SC notifies about spamvertisers don't carry much effect -- so I think of it as a courtesy. No SC consequences come from being a spamvertiser, except to go to the stats page and to be submitted to the sc-surbl. I don't know what your 'zombie' question means. That is the ripe reg'd address of the admin tech for the iqarus bloc, namely Reinier van Eeden. His address is also listed in abuse.net, which SC isn't using for this notify, along with the pm for iqarus. whois -h whois.abuse.net nl.iqarus.com ... postmaster@iqarus.com r.eeden@nl.iqarus.com (for iqarus.com) If you mean, is he doing anything about the spamvertised sites? I would say apparently not. It isn't necessarily up to him, per se, he is just the ripe and abuse.net listed contact addy. -- Mike Easter kibitzer, not SC admin From someone at microsoft.com Wed Mar 22 00:42:05 2006 From: someone at microsoft.com (JOhn Smith) Date: Wed Mar 22 00:45:06 2006 Subject: [SpamCop-List] Interesting spam hosting trick Message-ID: Haven't noticed this one before. I have been getting bombarded at several email accounts with a new crop of spam that is using various geocities sites -- when you arrive at the site, a script re-directs you to the actual spam site (usually a server in China). 
The particular geocities site changes daily. Ok, that's nothing new.

But I saw an interesting twist with one of these. If you go to the site itself you see a page that appears legit, what appears to be an information site about arthritis, and nothing commercial:

http://uk.geocities.com/lindseyblakey/

So if geocities investigates this is what they see -- an innocuous non-spamming web site. But the actual link in the spam mail contains some code appended to the end:

http://uk.geocities.com/lindseyblakey/?reporezt2s8=cnkhujrwze&q=eznje5mzgtyw
fyctiwmtq0mju

When you click on this site with the code you end up at a different site (go ahead and click, I don't care if the spammer links it back to my email address).

What appears to be happening is that embedded within the innocent-looking site is a javascript code that recognizes the code at the end of the URL and re-directs you to another web site. To make it more complicated, the source code itself is obscured. I have appended what I think may be the code at the end here. Would I be correct in guessing that this is javascript that parses the code appended to the end of the URL and then re-directs the viewer to the porn site?

I would guess this would be very difficult for something like Spamcop to pick up and rather difficult to even report to geocities, because it is not obvious what is going on.

-Marc

From g.hyde at bigpond.net.au Wed Mar 22 16:03:23 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Wed Mar 22 01:05:02 2006
Subject: [SpamCop-List] Another '419' scam ...
Message-ID:

http://www.spamcop.net/sc?id=z903259218zefaa462454206cc5350ee994f45a9acaz

This one apparently had been tampered with on the headers below which my account's mailserver applied. When I went sniffing around a bit, as I was suspicious, I found that while the server names used in the improperly constructed header lines that SC ignored did indeed exist, that they did NOT match the host that SC picked out for the IP address in question.
I do trust what SpamCop is telling me, I certainly won't be trusting what some scammer is trying to tell me.

Cheers ... Geoffrey Hyde

From g.hyde at bigpond.net.au Wed Mar 22 16:52:48 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Wed Mar 22 01:55:11 2006
Subject: [SpamCop-List] Re: Funny account phishing scam.
References:
Message-ID:

http://www.spamcop.net/sc?id=z903303246z6ba7c525c68195f141611325a333e4e9z

"Redstone" wrote in message news:Xns978CCBEB8C48tinlc@216.154.195.61...
> They just keep trying and trying and trying. I wonder how fast their
> response is declining now that more and more people are becoming clued in
> to this type of scam.

As the fresh tracking URL at the top of this message suggests, they keep on trying regardless. I do wonder, however, what it would take to convince a really big ISP like Telstra to implement SPF (Sender Policy Framework) on their email servers. I talk to their customer service representatives occasionally, but they seem to think they've got far too little processing capacity for such things.

Cheers ... Geoffrey Hyde

From nobody at spamcop.net Tue Mar 21 23:19:21 2006
From: nobody at spamcop.net (RandallW)
Date: Wed Mar 22 02:20:03 2006
Subject: [SpamCop-List] Re: Ridculously easy to spot account phishing scams.
References:
Message-ID:

"D-W-S" wrote in message news:slrne1vj28.1a19.dws@dealing-with-spam.info...
> The only ones I know are the "Rules Of Spam" as kept by Patricia, the
> Rules-keeper: http://bruce.pennypacker.org/spamrules.html

Eh. Less than 10 minutes ago I was reading up on the character George Costanza ( of Seinfeld ); his bio mentioned that one of the other characters used the alias 'Pennypacker' while trying to pose as a businessman. And now you mention a website with the name/phrase 'Pennypacker' in it. Not significant but a strange coincidence.
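
[Added example, not part of any post in this archive: the embedded-CR header trick from Garen Erdoisa's "Attn: Deputies" message above, reproduced on a constructed message. It compares a hypothetical parser that treats a bare CR as a line ending with one that accepts only LF or CRLF; the sample headers, addresses and function names are assumptions, and none of this is SpamCop's own parser.]

```python
import re

# Constructed sample, not the reported spam: a bare CR sits inside the
# display name of From: and Reply-To:, with more headers after them.
RAW = (
    b"Received: from relay.example ([192.0.2.10]) by mx.example\n"
    b'From: "Cheap\rWatches" <a@example.invalid>\n'
    b'Reply-To: "Cheap\rWatches" <b@example.invalid>\n'
    b"Subject: constructed sample\n"
    b"X-Mailer: demo\n"
    b"\n"
    b"body text\n"
)

# RFC 5322 field name (printable ASCII except ':'), then the value.
FIELD = re.compile(rb"([!-9;-~]+):[ \t]*(.*)")

def parse_headers(raw, line_break):
    """Return [(name, value)]; the header block ends at the first line that
    is empty or is neither a field nor a folded continuation."""
    headers = []
    for line in re.split(line_break, raw):
        if line[:1] in (b" ", b"\t") and headers:   # folded continuation
            name, value = headers[-1]
            headers[-1] = (name, value + b" " + line.strip())
            continue
        m = FIELD.fullmatch(line)
        if not m:                                    # blank line or junk
            break
        headers.append((m.group(1).decode(), m.group(2)))
    return headers

def audit(raw):
    """Compare a CR-splitting parse with an LF/CRLF-only parse."""
    loose = parse_headers(raw, rb"\r\n|\r|\n")  # hypothetical: bare CR ends a line
    strict = parse_headers(raw, rb"\r?\n")      # only LF or CRLF ends a line
    seen = {name for name, _ in loose}
    return {
        "loose_count": len(loose),
        "lost": [n for n, _ in strict if n not in seen],
        "bare_cr": [n for n, v in strict if b"\r" in v],
    }

if __name__ == "__main__":
    print(audit(RAW))
```

A header value that still contains a bare CR after the strict parse is worth flagging in its own right, since a CR has no legitimate place inside a display name.
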
From joseph_k at invalid.com Tue Mar 21 23:38:48 2006
From: joseph_k at invalid.com (Joseph K)
Date: Wed Mar 22 02:40:05 2006
Subject: [SpamCop-List] Re: Spamcop reporting wrong email origin
References:
Message-ID:

On Tue, 21 Mar 2006 07:38:29 -080