From nobody at spamcop.net Wed Mar 1 02:24:34 2006
From: nobody at spamcop.net (N. Miller)
Date: Wed Mar 1 05:30:15 2006
Subject: [SpamCop-List] Re: New spam-hosts are blocking spamcop DNS queries
References:
Message-ID:

On Tue, 28 Feb 2006 20:54:10 -0500, Galen wrote:

> I did notice a familiar face around here by the name of N. Miller. If you've
> never visited their newsgroups then, well, he can probably attest to the
> (trying to be nice to them here) familiarity with Usenet found in the
> average poster. You can take a gander yourself if you'd like. If you've
> never been there and are 'old school' newsgroup then, well, I'd suggest
> windowsxp.general for a good indication. Hah! Wait until you intersperse or
> snip! That's a great load of fun.

Heh. About half the posters use the Web access, and can't find their way
back to their posts. And the MSFT lovers who bash the old school Usenet
posters can be downright snotty when the "religious" wars over top/bottom
posting flare up!

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

From / at /.cn Thu Mar 2 00:30:21 2006
From: / at /.cn (Petzl)
Date: Wed Mar 1 08:35:04 2006
Subject: [SpamCop-List] Mail server listed when Port 25 is blocked?
Message-ID:

210.50.76.196

I know they are bouncing emails but it seems this email server is being
reported for spamming
Wondering if someone has not set mail hosts or is the server compromised

***ounce****
- These recipients of your message have been processed by the mail server:
(X); Failed; 5.1.2 (bad destination system address)
Remote MTA mail.(X): network error
- SMTP protocol diagnostic: 550 Limit exceeded Found 210.50.76.196 in orbs recent cache, action (deny) (bl.spamcop.net)
********

Petzl

From nobody at nowhere.invalid Wed Mar 1 14:51:26 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 1 08:55:03 2006
Subject: [SpamCop-List] Re: New spam-hosts are blocking spamcop DNS queries
References:
Message-ID:

On Tue, 28 Feb 2006 20:54:10 -0500, Galen coughed into spamcop and left
this in :

> My reply hidden, you'll have to hunt for it...

Well, no, not really: LOL :)

> [...] if that bit telling them where the response was located was NOT
> there then every other day I'd get people telling me that top-posting
> is the right place (umm, I'm not sure where they came up with that)

That's default Outleak Suxpress behaviour for you... That particular
virus dissemination engine^W^W^W mailer and newsreader has probably done
more to destroy e-mail and USENET than any other piece of software in
existence.

> I'd get people posting back saying that they can't find my answer. You
> probably think I'm kidding or exaggerating...

Oh no, not at all. I've seen too many kl00bies in action who think that
Internet Explorer or AOL *is* the Internet to think that you're kidding.

> If you've never been there and are 'old school' newsgroup then, well,
> I'd suggest windowsxp.general for a good indication. Hah! Wait until
> you intersperse or snip! That's a great load of fun.

Pass. Thanks anyway :) I have no reason whatsoever to saunter into a
Microsoft newsgroup. I think the clue-vacuum might be hard to withstand.
None of my PCs are infected with Windows, and Microsoft's licensing
scheme is a huge swindle anyway.

> So yeah, I suck... Sorry for treating you all like a bunch of newbies
> but, well, that's generally what I seem to find the vast majority of
> times I answer.

I can understand that. However, while there's nothing wrong in being a
newbie, that status is supposed to wear off after a certain amount of
time, and yet you still get so-called IT professionals behaving like
newbies for years on end. *sigh*

> Can I blame it on having been dumbed down by years of end-user
> support? Please?

Ouch! That is one hell of an unenviable job. Buy yourself a waterproof
cover for your keyboard. You'll need one to protect it from the drool
soon :)

--
Steve
Profanity is the one language all programmers know best.

From MikeE at ster.invalid Wed Mar 1 06:52:11 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 09:55:02 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

Petzl wrote:

> I know they are bouncing emails but it seems this email server is
> being reported for spamming

'it seems'? What does 'it seems' mean in this context? What clues or
evidence do you have about the server being a 'real' source of spam?

The SC listing sez

210.50.76.196 listed in bl.spamcop.net
will be delisted automatically in approximately 10 hours
has sent mail to SpamCop spam traps
users have reported system as a source of spam about 20 times
administrator has already delisted this system once
past 283.4 days, it has been listed 8 times for a total of 5.7 days

I see a misdirected bounce from it in sightings from Dec. If it is
hitting spamtraps with misdirected bounces, why couldn't it also be
hitting reporters with misdirected bounces?

> Wondering if someone has not set mail hosts or is the server
> compromised ***ounce****

But you haven't expressed /why/ you are wondering that, on what basis.

> - SMTP protocol diagnostic: 550 Limit exceeded Found 210.50.76.196
> in orbs recent cache, action (deny) (bl.spamcop.net)

The principal output servers from iprimus

210.50.30.196 smtp01.syd.iprimus.net.au Y 5.5 5.1
210.50.76.196 smtp02.syd.iprimus.net.au Y 5.4 5.1
210.50.30.76 mx01.syd.iprimus.net.au Y 5.5 5.0
210.50.76.76 mx02.syd.iprimus.net.au Y 5.5 5.0

If you go to senderbase, you can find hundreds of other IPs with
sufficient output to be 'noted' by senderbase, and many many of them are
listed one place or another, including spamcop and CBL.

I would say that iprimus isn't doing a good job of securing its user IPs
which are generating spam.

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Wed Mar 1 07:03:10 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 10:05:02 2006
Subject: [SpamCop-List] Re: New spam-hosts are blocking spamcop DNS queries
References:
Message-ID:

Galen wrote:

> I'm Galen - one of the Microsoft MVPs in the Shell/User category - and
> frequently post many answers in the Microsoft Newsgroups.

I specifically blame the MS MVPs for the sad state of affairs in the MS
groups. There are plenty of other newsgroups full of clueless newbies
posting questions and replies, and none are in the sad condition which
the 'brilliant' MVP leadership has caused the MS groups to be in.

When there are groups with newbies asking questions and gurus answering
them, it is the gurus which ride herd on the group and teach them how to
behave and how to participate in newsgroups.

I don't know the basis for the MVPs either stupidly topposting
themselves and setting a bad example for the newbies or not helping by
giving good advice about posting properly. They *should be* striking a
proper balance between helping/encouraging the groups reform to proper
trimmed and contextualized posts but sometimes just letting some
topposts go instead of continuously harping on the matter.
Instead, newbies go to the MS groups to learn about something, and they
come out believing that top posting is the way to communicate in groups.

Very bad MVPs and those MVPs have had an adverse effect on newsgroups as
a whole.

--
Mike Easter
kibitzer, not SC admin

From nobody at spamcop.net Wed Mar 1 10:05:51 2006
From: nobody at spamcop.net (Ellen)
Date: Wed Mar 1 11:40:04 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

"Petzl" wrote in message news:du47lq$7nj$1@news.spamcop.net...
> 210.50.76.196
>
> I know they are bouncing emails but it seems this email server is being
> reported for spamming
> Wondering if someone has not set mail hosts or is the server compromised
> ***ounce****

It was legit spam not a reporting error. Iprimus is aware of the problem
and has taken actions to stop the problem. We have been talking to them.

Ellen

From wb8tyw at qsl.network Wed Mar 1 11:21:47 2006
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Wed Mar 1 12:25:03 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

In article , "Eduard" writes:

> What I was trying to say is that most of our lists exists for over 7 years
> already, and when these lists were created, double-opt-in was the norm. We
> did change these lists afterwards, but we also have on some of our lists 20
> 000 members, who have subscribed to it. From a technical point of view I
> agree that the best way forward would be to start a new clean list, but
> unfortunately are we in a News environment, and people are already unwilling
> to re-confirm their subscription. They are already mailing the editor of the
> site to ask why they should reconfirm.

Many of the mailing lists that I am on require a periodic positive
confirmation that I still want to receive their mailings.
A google search on the domains associated with this thread shows that
there is a news organization associated with the domains under
discussion.

You need to figure out how the spamtrap e-mail addresses got into the
list.

You should be able to isolate what e-mail addresses were subscribed to
your lists from the period of time just before the spamcop.net listing
appeared. That is assuming that it was a mailing list that triggered the
listing.

During that time period it should not have been a large number of new
subscriptions unless you have a very high turnover rate.

It is possible that a spammer was using your subscription process to try
to identify a spamtrap, but it is more likely that the spamtrap got into
your mailing list from an automated program, or from a purchased list.

Viruses spoof spamtrap e-mail addresses all the time, and if you have an
e-mail address that automatically adds the alleged from: address to a
mailing list, without requesting a confirmation with a unique code, then
over time that mailing list will become loaded with spamtraps and spam
victim's e-mail addresses.

The other method that spammers will abuse a legitimate service is if it
has a "refer a friend" form. There are apparently spammer tools that can
use some of those web forms as if they are an open relay, especially if
they allow a personalized message to be added to the referral. The
spammer trick is to enter HTML into the message that makes the spam the
most visible.

The titles shown in the samples posted by the deputies look like ones
most commonly found in get rich quick scams. This indicates that you may
be mailing stuff that you are not aware of, even though I can not find
any other reports of this.

But be aware that many of the people who would post such public spam
reports may not be accepting e-mail from I.P. addresses in your country
or continent unless they white list the source.
And also be aware that a large number of commercial spam filtering
products just silently delete e-mail suspected to be spam.

Usually when a real mail server is blocked for something other than
backscatter, I can find such evidence. In this case, I have not been
able to.

And to add to the chorus, double-opt-in is spammer speak for being able
to either get two spam runs to an e-mail address without getting their
e-mail rejected or that the recipient had an insecure mail reader that
tripped a web-bug to confirm delivery.

Spammers routinely use that term to advertise lists that they sell to
other spammers to try to claim that what they do is not spamming.

-John
wb8tyw@qsl.network
Personal Opinion Only

From PossumTrot at dont.spam.me Wed Mar 1 09:41:23 2006
From: PossumTrot at dont.spam.me (Possum Trot)
Date: Wed Mar 1 12:45:02 2006
Subject: [SpamCop-List] Re: [ot] Busted a telemarketer!
References:
Message-ID:

"Ben" wrote in message news:dtr7m1$1qf$1@news.spamcop.net...
>I busted me a telemarketer double-big-time and the State Attorney General
>is going to speak with them.
>
>>
> Two days after I placed the complaint with the AGO, I got a friendly
> letter back thanking me for the report. It was a "we are moving forward on
> your complaint" letter. They reminded me of some of the statutes and
> regulations that were broken from my description and reminded me that I
> have the right to sue for $500.00.
>
> The state I believe gets up to $10,000.00 per violation, kind of like the
> FTC getting $11.000.00 per violation of Do-Not-Call. Unfortunately that
> means I must get in line. But knowing that the AGO is interested may be
> sufficient.
>
> I was a little surprised at their reply but encouraged nonetheless.
>
> Now, if we can only get that kind of traction against spammers.

Ben, there are similar laws regarding spam sent to residents or through
ISPs in the state of Washington, and the state Supreme Court has upheld
the suits.
At least one person in the Seattle area has collected on a judgment
against spammers. The law is RCW 19.190.

From nobody at spamcop.net Wed Mar 1 12:47:19 2006
From: nobody at spamcop.net (indigo)
Date: Wed Mar 1 12:50:03 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

Ellen wrote:
>
> It was legit spam not a reporting error.

"Legit spam"?! Both words in the same sentence? The horrors, the
horrors......

From nobody at spamcop.net Wed Mar 1 12:56:52 2006
From: nobody at spamcop.net (Ellen)
Date: Wed Mar 1 13:10:02 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

"indigo" wrote in message news:du4mne$iam$1@news.spamcop.net...
>
>
> Ellen wrote:
> >
> > It was legit spam not a reporting error.
>
> "Legit spam"?! Both words in the same sentence? The horrors, the
> horrors......
>
>

real? bona fide? downright dirty nasty scummy scammy spam?

:-)

Ellen

From nobody at spamcop.net Wed Mar 1 13:13:11 2006
From: nobody at spamcop.net (indigo)
Date: Wed Mar 1 13:15:03 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

Ellen wrote:
> "indigo" wrote in message
> news:du4mne$iam$1@news.spamcop.net...
> >
> >
> > Ellen wrote:
> > >
> > > It was legit spam not a reporting error.
> >
> > "Legit spam"?! Both words in the same sentence? The horrors, the
> > horrors......
> >
> >
>
> real? bona fide? downright dirty nasty scummy scammy spam?
>
> :-)
>

Ah, much better. Thanks, I was worried there for a second that the bad
guys had finally gotten to you ;-)

From remaker at cisco.com Wed Mar 1 10:51:18 2006
From: remaker at cisco.com (Phillip Remaker)
Date: Wed Mar 1 13:55:03 2006
Subject: [SpamCop-List] 209.86.89.69 (earthlink)
Message-ID:

DNS lookups for 209.86.89.69 at bl.spamcop.net say it is a spammer.

"Blocked - see http://www.spamcop.net/bl.shtml?209.86.89.69"

But going to the URL

http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69

I see

209.86.89.69 not listed in bl.spamcop.net

I had to poke a hole for that IP. But what happened? I ended up blocking
earthlink users.

I see a note on net abuse-sightings for 2/22... How did it not cycle out
of the DNS lookup?

From nobody at devnull.spamcop.net Wed Mar 1 11:21:14 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Wed Mar 1 14:25:03 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

"John E. Malmberg" wrote...

> It is possible that a spammer was using your subscription process to try
> to
> identify a spamtrap, but it is more likely that the spamtrap got into your
> mailing list from an automated program, or from a purchased list.
>
> Viruses spoof spamtrap e-mail addresses all the time, and if you have an
> e-mail address that automatically adds the alleged from: address to a
> mailing
> list, without requesting a confirmation with a unique code, then over
> time
> that mailing list will become loaded with spamtraps and spam victim's
> e-mail
> addresses.

I am having a hard time figuring out how the spammer or the virus above
knows what the email address of the spamtrap is. When SpamCop chooses an
email address for a spamtrap, don't they pick something difficult to
guess?

Then again, I get a fair number of webmaster@, sales@, and support@
spams on domains that have never had such email addresses, so perhaps
some spamcop spamtraps use those easy-to-guess prefixes?

G.M.

From jeffg at spamcop.net Wed Mar 1 14:39:33 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 14:45:03 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Phillip Remaker wrote:

> DNS lookups for 209.86.89.69 at bl.spamcop.net say it is a spammer.

At what nameserver(s), and when?
> "Blocked - see http://www.spamcop.net/bl.shtml?209.86.89.69"
>
> But going to the URL
>
> http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69
>
> I see
>
> 209.86.89.69 not listed in bl.spamcop.net
>
> I had to poke a hole for that IP. But what happened? I ended up
> blocking earthlink users.
>
> I see a note on net abuse-sightings for 2/22... How did it not cycle
> out of the DNS lookup?

"ISP does not wish to receive report regarding 209.86.89.69
ISP does not wish to receive reports regarding 209.86.89.69 - no date
available"

Report History for 209.86.89.69 shows:

--
Thanks and Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From bar_n0ne at hotmail.com Wed Mar 1 13:44:18 2006
From: bar_n0ne at hotmail.com (Berny)
Date: Wed Mar 1 14:45:07 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

"Anonymous" wrote in message news:du4s8h$lpp$1@news.spamcop.net...
>
> I am having a hard time figuring out how the spammer or the virus above
> knows
> what the email address of the spamtrap is.
> When SpamCop chooses an email
> address for a spamtrap, don't they pick something difficult to guess?
>
> Then again, I get a fair number of webmaster@, sales@, and support@ spams
> on domains that have never had such email addresses, so perhaps some spamcop
> spamtraps use those easy-to-guess prefixes?

Some, including spammers, claim that it is very easy nowadays to map
spamtrap addresses, with a relatively small number of spam runs.
Probably, the short time between hitting traps and getting listed is
used in such a process. Nevertheless, if the OP's newsletters used a
proper closed loop opt in process, then the only mails a spamtrap should
receive are subscription confirmations, which is apparently inconsistent
with reports of the type of spam (legit? spam) received according to
Ellen.

Further, so what, if a spamtrap is the webmaster. etc [at]
my.little.vanity.domain, why should that account get spam? If the domain
does no business and communicates with no one and is not advertized,
then the only mail it should receive is from the hoster, registrar and
maybe Internic. It's certainly a great way to get host/webmaster spams
id'd fast.

From jeffg at spamcop.net Wed Mar 1 14:52:18 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 14:55:02 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

Anonymous wrote:

> I am having a hard time figuring out how the spammer or the virus
> above knows
> what the email address of the spamtrap is. When SpamCop chooses an
> email address for a spamtrap, don't they pick something difficult to
> guess?

Yes, but then they seed the addresses in places that include hidden
areas on web pages, where humans aren't supposed to look.

> Then again, I get a fair number of webmaster@, sales@, and support@
> spams on domains that have never had such email addresses, so perhaps
> some spamcop spamtraps use those easy-to-guess prefixes?
Those mailbox names are mandated (if the functions exist) by the RFC
#2142 Mailbox Names for Common Services, not an Internet Standard yet,
at http://www.rfc-editor.org/rfc/rfc2142.txt .

--
Best Regards,
Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From MikeE at ster.invalid Wed Mar 1 12:09:30 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 15:10:03 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Phillip Remaker wrote:

> DNS lookups for 209.86.89.69 at bl.spamcop.net say it is a spammer.
>
> "Blocked - see http://www.spamcop.net/bl.shtml?209.86.89.69"

Currently at senderbase the lookup sez it is listed

http://www.senderbase.org/search?searchString=209.86.89.69
Real-time blacklists [ Click to view all ]
bl.spamcop.net
http://spamcop.net/w3m?action=checkblock&ip=209.86.89.69

But it is not unusual for some lookup to be incorrect compared to the
spamcop.net web gizmo.

> But going to the URL
>
> http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69
>
> I see
>
> 209.86.89.69 not listed in bl.spamcop.net

That is also what I see at the spamcop web gizmo.

> I had to poke a hole for that IP. But what happened? I ended up
> blocking earthlink users.

EL servers can easily get themselves blocklisted, since EL has a
spamblocker which has an abusive configuration of performing challenges.

The default configuration of the EL spamblocker is medium. EL's medium
spamblocker is quite leaky. EL admin advises people who are unhappy with
EL's leaky medium spamblocker setting to reconfigure to spamblocker
high.

EL's default configuration for spamblocker high is to send spamblocker
medium spam to the known spam folder, to send whitelisteds to the Inbox,
and to send everything else to the Suspect folder. Everything which
lands in the suspect folder is challenged, which includes all of the
spam which leaked past spamblocker medium.
Those challenges are all going to bogus Froms and the bogus Froms
include spamtraps and spamcop reporters.

As a result, EL servers get blocklisted and EL customers have trouble
with their mail delivery.

I have not been able to convince the EL mail admins to use a default
configuration on the spamblocker high setting to turn challenges off.
Challenging spam is an abusive activity for a server, even if some of
the spam has already been filtered.

> I see a note on net abuse-sightings for 2/22... How did it not cycle
> out of the DNS lookup?

I'm sure the EL server gets itself listed and unlisted all the time.
This recent discrepancy is most likely from being listed and unlisted
again.

--
Mike Easter
kibitzer, not SC admin

From nobody at devnull.spamcop.net Wed Mar 1 17:17:14 2006
From: nobody at devnull.spamcop.net (Brian Stevens)
Date: Wed Mar 1 17:20:03 2006
Subject: [SpamCop-List] DBSBL (ip4r) blocks all incoming messages
Message-ID:

I run MS Windows 2000 Server/Exchange 2000 Server on a dynamic address
and as long as I route outgoing mail through my ISP everything has been
working fine. Incoming messages also reach me directly courtesy of
DNS2Go.com's dynamic DNS service without problem.

Recently I upgraded to Symantec Mail Security for MS Exchange version
5.0. This version allows me to block spammers using ip4r (DNSBL)
lookups. I have the same software configuration running at several
customer sites with static IPs and it has very successfully reduced
spam. I always use the following black lists:

bl.spamcop.net (see http://www.spamcop.net).
sbl-xbl.spamhaus.org (see http://www.spamhaus.org)

On my site when I try using these same black lists ALL incoming messages
are rejected with "550 5.2.1 refused: spam site" no matter who sends the
message. My IP is not listed on any BL sites and I do not have an open
proxy. I use the MS ISA 2000 firewall and keep up to date on patch
levels for all software.
I know that starting a couple of years ago many black lists will refuse messages sent from dynamic IPs which is why I send through my ISP's servers now. So does using a DNSBL also block incoming mail from reaching a dynamic ip as well? So far I haven't found any evidence of this.

From jeffg at spamcop.net Wed Mar 1 17:24:07 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 17:25:03 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
References:
Message-ID:

Brian Stevens wrote:
> So does using a DNSBL also block incoming mail
> from reaching a dynamic ip as well?

It shouldn't. I suggest interrogating that list's DNS servers and your ISP's DNS servers for that list's records manually from your server and from elsewhere, to see if you can determine why it appears to block all incoming mail.

--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From nobody at nowhere.invalid Wed Mar 1 23:45:44 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Wed Mar 1 17:50:03 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
References:
Message-ID:

On Wed, 1 Mar 2006 17:17:14 -0500, Brian Stevens coughed into spamcop and left this in :

> I know that starting a couple of years ago many black lists will
> refuse messages sent from dynamic IPs which is why I send through my
> ISP's servers now. So does using a DNSBL also block incoming mail from
> reaching a dynamic ip as well? So far I haven't found any evidence of
> this.

You're not going to like what I have to say but it has to be said.

If you're not aware that the use of DNSBLs on an MX has nothing to do with and is in no way influenced by the IP address of that MX, you shouldn't be running an MX.

Secondly, if the MX software you're using doesn't have the ability to use DNSBLs built-in and requires the use of a third-party extension, maybe you should be looking at something slightly more modern, like post-1980s.
Thirdly, many here, myself included, are of the opinion that M$-sExchange shouldn't be exposed directly to a public network and that it should be front-ended by a real MTA such as Postfix, Exim or sendmail running on a Unix machine.

In short, you're using an unsecure and feature-poor product on an unsecure O/S, while not knowing the mechanics of mail delivery. Believe me, you have bigger problems than trying to get your DNSBL extension not to reject all inbound mail.

--
Steve

Television -- a medium. So called because it is neither rare nor well done.
-- Ernie Kovacs

From nobody at devnull.spamcop.net Wed Mar 1 14:25:40 2006
From: nobody at devnull.spamcop.net (Anonymous)
Date: Wed Mar 1 17:55:02 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

"Jeff G." wrote in message news:du4u1j$n0d$1@news.spamcop.net...
> Anonymous wrote:
>
>> I am having a hard time figuring out how the spammer or the virus
>> above knows what the email address of the spamtrap is. When
>> SpamCop chooses an email address for a spamtrap, don't they
>> pick something difficult to guess?
>
> Yes, but then they seed the addresses in places that include hidden
> areas on web pages, where humans aren't supposed to look.

Correct me if my thinking has gone awry here...

The above seems to imply that anyone who comes here complaining about how "somehow" he ended up with such spamtraps on his mailing list either ran a spambot that searches webpages for email addresses, or he bought a list from somebody who ran a spambot that searches webpages for email addresses. Such a spambot will find spamtraps, but they will be hidden in a crowd among a much larger number of non-spamtrap addresses.
Thus I find it hard to believe that someone sneaky subscribed a spamtrap address (leaving aside the fact that such an address wouldn't respond to a confirmation email and thus would take itself off a well-managed list) or hard-coded the spamtrap address into a virus -- how would they know which address in their collection is the spamtrap? I also find it hard to believe that a virus got the spamtrap address from an outlook contacts list - how could it have gotten there?

Am I thinking correctly here or am I missing something?

G.M.

From g.hyde at bigpond.net.au Thu Mar 2 09:34:50 2006
From: g.hyde at bigpond.net.au (Geoffrey Hyde)
Date: Wed Mar 1 18:35:02 2006
Subject: [SpamCop-List] Another paypal phish - get it while it's still in existence!
Message-ID:

http://www.spamcop.net/sc?id=z888543457z03559936fd467438961242d0108db6d9z

These guys are so dumb they should line themselves up for the mugshot camera.

It's being sent to the spoof@ address as I speak, so it won't be active for long!

Cheers ... Geoffrey Hyde

From MikeE at ster.invalid Wed Mar 1 16:43:09 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 19:45:03 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

Anonymous wrote:
> Correct me if my thinking has gone awry here...

I'm going to disregard everything you and Jeff or anyone else has said before here, because I don't understand what you and Jeff were talking about, so I'm going to respond more or less 'cold' -- except that I am assuming that the general context of what you are saying below is based on the fact that this thread is about a person who has servers which are putting out over a hundred mailing lists and which servers are getting themselves spamcop blocklisted because they hit spamcop spamtraps and nothing else, no other spamtraps, no reporters, no sightings, no other blocklists. As if 'some' mailing lists have a problem 'only' with spamcop spamtraps.
Further, altho' it has been alleged that [some of] those mailing lists have some kind of acceptable 'process' for their creation and management, perhaps that only means that one or more out of over a hundred have proper creation and management processes while one or more of over a hundred is decidedly a dirty list. Maybe all but one is totally dirty. Maybe only one is dirty. Who knows? We only know that in the collection of lists there are dirty lists and we don't know how dirty they are or how wonderful some of the other lists are.

> The above seems to imply that anyone who comes here complaining
> about how "somehow" he ended up with such spamtraps on his
> mailing list either ran a spambot that searches webpages for email
> addresses, or he bought a list from somebody who ran a spambot
> that searches webpages for email addresses.

I wouldn't imply anything. The business of how spamtraps get onto a mailing list is anyone's guess. Maybe someone has some spamtrap addresses and forge subscribed them and there was no process for confirmation. Maybe the guardian of the mailing list bought some names to add to the mailing list. Maybe the guardian of the list is personally running a webspider spambot to put things onto the list. The business of how the list came to be dirty is that there was not a proper confirmation process prior to adding an address to a list. That part is actually very simple.

> Such a spambot will
> find spamtraps, but they will be hidden in a crowd among a much
> larger number of non-spamtrap addresses.

Correct, but I can't see where this is going. A spider harvests addresses. Some of them are spamtraps, some are not. So what? Or, so where does that take us?
> Thus I find it hard to
> believe that someone sneaky subscribed a spamtrap address
> (leaving aside the fact that such an address wouldn't respond to
> a confirmation email and thus would take itself off a well-managed
> list) or hard-coded the spamtrap address into a virus -- how would
> they know which address in their collection is the spamtrap? I also
> find it hard to believe that a virus got the spamtrap address from
> an outlook contacts list - how could it have gotten there?

I have no idea what is going on in the sentences between 'Thus' and 'there?'

> Am I thinking correctly here or am I missing something?

Somehow I sense that you are trying to make something more complicated of something that is probably like what I described in 'I wouldn't imply anything.' par.

--
Mike Easter
kibitzer, not SC admin

From nospam at nospam.org Thu Mar 2 03:08:39 2006
From: nospam at nospam.org (Ejo)
Date: Wed Mar 1 21:10:02 2006
Subject: [SpamCop-List] Sluggish response
Message-ID:

Submitting spam via the web-form is very slow at the moment.

From nospam at nospam.org Thu Mar 2 03:18:47 2006
From: nospam at nospam.org (Ejo)
Date: Wed Mar 1 21:20:03 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
In-Reply-To:
References:
Message-ID:

Phillip Remaker wrote:
> DNS lookups for 209.86.89.69 at bl.spamcop.net say it is a spammer.
>
> "Blocked - see http://www.spamcop.net/bl.shtml?209.86.89.69"
>
> But going to the URL
>
> http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69
>
> I see
>
> 209.86.89.69 not listed in bl.spamcop.net

It is listed now. Another useful check is:
http://openrbl.org/client/#209.86.89.69
and also here you'll see that the IP is listed in spamcop.

Actually, the latter would be a useful check during the review of recent reports. I always want to see whether my submitted reports are picked up by the system and whether the list status in spamcop is unique compared to other lists.

>
> I had to poke a hole for that IP. But what happened?
I ended up blocking
> earthlink users.
>
> I see a note on net abuse-sightings for 2/22... How did it not cycle out of
> the DNS lookup?
>
>

From nobody at devnull.spamcop.net Thu Mar 2 11:56:44 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Wed Mar 1 22:00:03 2006
Subject: [SpamCop-List] Re: Sluggish response
In-Reply-To:
References:
Message-ID:

Ejo wrote:
> Submitting spam via the web-form is very slow at the moment.

Well, at least I get a response...

An error occurred while processing your request.
Reference #97.8c8f3554.1141267992.a87c193

From eddie at eddie.web Wed Mar 1 21:57:31 2006
From: eddie at eddie.web (eddie)
Date: Wed Mar 1 22:00:06 2006
Subject: [SpamCop-List] Re: Sluggish response
In-Reply-To:
References:
Message-ID:

Ejo wrote:
> Submitting spam via the web-form is very slow at the moment.

I have worse than sluggish. I get an error.

"An error occurred while processing your request. Reference #97.xxxxxxxxx..." (xed out for security reasons)

From nobody at devnull.spamcop.net Wed Mar 1 22:11:23 2006
From: nobody at devnull.spamcop.net (Brian Stevens)
Date: Wed Mar 1 22:15:03 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
References:
Message-ID:

> If you're not aware that the use of DNSBLs on an MX has nothing to do
> with and is in no way influenced by the IP address of that MX, you
> shouldn't be running an MX.

My understanding was that it does a lookup of the sending server only but would it not be technically possible for a DNSBL to see who is asking and make the decision to reply that the message should be refused if the requestor was using a dynamic IP? There are bigots who believe that you can't be a responsible net citizen if you are on a dynamic IP. I will disagree until major ISP's like Rogers stop their highway robbery for static IPs. And yes I know why spammers like dynamic and proxies, etc. At one time Rogers provided me a static IP for $60/mth then they dropped support all together.
Two years later they offer it again at $100 for a slower speed link!!!

> Secondly, if the MX software you're using doesn't have the ability to
> use DNSBLs built-in and requires the use of a third-party extension,
> maybe you should be looking at something slightly more modern, like
> post-1980s.

Many small businesses still use Microsoft Small Business Server 2000 which includes Exchange 2000. Upgrading to SBS 2003 with Exchange 2003 would be nice but would require +$$$ for new hardware and software. I needed to upgrade my Symantec AntiVirus anyway so this kills two birds with one stone.

> Thirdly, many here, myself included, are of the opinion that
> M$-sExchange shouldn't be exposed directly to a public network and that
> it should be front-ended by a real MTA such as Postfix, Exim or sendmail
> running on a Unix machine.

A front-end/back-end MX is slight overkill for a 5 user network. Why SBS 2000? Because I support it for a number of customers. Why Microsoft? Because many small and large businesses including the likes of Accenture find that using Microsoft products reduces their TCO. The installed base of MS SBS software which supports networks of up to 75 computers is a fast growing segment of the market. By using the included ISA firewall software on a dual NIC server, these networks can be adequately protected from Internet hackers and all violations can be logged to a SQL server for further evaluation. I have been supporting MS Exchange for 10 years and it gets the job done thank you.

> In short, you're using an unsecure and feature-poor product on an
> unsecure O/S, while not knowing the mechanics of mail delivery.
> Believe me, you have bigger problems than trying to get your DNSBL
> extension not to reject all inbound mail.

Dozens of hackers from all over the world knock on my gateways every day but so far Microsoft with some help from Symantec is keeping them out.
If you don't know some of the advantages of running Outlook on Exchange server then maybe you shouldn't be taking such a snobbish position. You won't find me trashing UNIX just because I support Microsoft. It has its place and I think many would agree that Microsoft does too. I certainly wouldn't want to go back to the monopolistic days when "IBM" and "computer" were synonymous terms.

I also learned early in my career that the best technical product doesn't always win the market. That's why I decided in 1995 to join the Microsoft camp. I could see that the future was in small businesses just as in 1974 I decided the future was in personal computers when I started working for Datapoint. Datapoint's computers resembled the PC with an OS much like MS-DOS. Later they invented ARCNET and their next OS (around 1980), RMS was a cross between UNIX and Multics - very secure. Great stuff but dead today!

From MikeE at ster.invalid Wed Mar 1 19:26:05 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Wed Mar 1 22:30:04 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Ejo wrote:
>> 209.86.89.69 not listed in bl.spamcop.net
>
> It is listed now. Another useful check is:

At this moment, I can't access anything web spamcop.net, but it is listed in the DNS

dns 69.89.86.209.bl.spamcop.net
Canonical name: 69.89.86.209.bl.spamcop.net
Addresses: 127.0.0.2

... but I would like to see what the webgizmo sez. It's just that nothing is accessible

http://www.spamcop.net/w3m?action=blcheck&ip=209.86.89.69
An error occurred while processing your request.
Reference #97.c32f648.1141269862.c416396

--
Mike Easter
kibitzer, not SC admin

From Kilgallen at SpamCop.net Wed Mar 1 21:27:49 2006
From: Kilgallen at SpamCop.net (Larry Kilgallen)
Date: Wed Mar 1 22:30:09 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

In article , "Jeff G."
writes:
> Anonymous wrote:
>> Then again, I get a fair number of webmaster@, sales@, and support@
>> spams on domains that have never had such email addresses, so perhaps
>> some spamcop spamtraps use those easy-to-guess prefixes?
>
> Those mailbox names are mandated (if the functions exist) by the RFC
> #2142 Mailbox Names for Common Services, not an Internet Standard yet,
> at http://www.rfc-editor.org/rfc/rfc2142.txt .

Gee, I read:

    organizations which support email exchanges with the
    Internet are encouraged to support AT LEAST each mailbox name for
    which the associated function exists within the organization.

and to me "are encouraged" is quite different from "mandated".

From jeffg at spamcop.net Wed Mar 1 22:36:48 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 22:40:03 2006
Subject: [SpamCop-List] Re: Sluggish response
References:
Message-ID:

Ejo wrote:
> Submitting spam via the web-form is very slow at the moment.

http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats appears to show that the performance of the SpamCop Parsing and Reporting Service went to hell in a handbasket around 21:40 EST -0500 (02:40 UTC -0000), 54 minutes ago. Its administrators are probably already aware of the issue.

--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jeffg at spamcop.net Wed Mar 1 23:09:01 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 23:10:03 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

Larry Kilgallen wrote:
> In article , "Jeff G."
> writes:
>> Anonymous wrote:
>
>>> Then again, I get a fair number of webmaster@, sales@, and support@
>>> spams on domains that have never had such email addresses, so
>>> perhaps some spamcop spamtraps use those easy-to-guess prefixes?
>>
>> Those mailbox names are mandated (if the functions exist) by the RFC
>> #2142 Mailbox Names for Common Services, not an Internet Standard
>> yet, at http://www.rfc-editor.org/rfc/rfc2142.txt .
>
> Gee, I read:
>
> organizations which support email exchanges with the
> Internet are encouraged to support AT LEAST each mailbox name for
> which the associated function exists within the organization.
>
> and to me "are encouraged" is quite different from "mandated".

Sorry, I was not quite precise enough, and RFC2142 is not quite internally consistent enough and was not quite spellchecked enough. RFC2142 Section 1 specifically states that "if a given service is offerred[sic], then the associated mailbox name(es)[sic] must be supported, resulting in delivery to a recipient appropriate for the referenced service or role." So, if an organization offers web service, it must have a working webmaster@, if it offers to sell, it must have a working sales@, and if it offers support, it must have a working support@.

--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From jg at coks.net Wed Mar 1 20:40:39 2006
From: jg at coks.net (jg)
Date: Wed Mar 1 23:40:03 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
In-Reply-To:
References:
Message-ID:

On 3/1/2006 7:11 PM Brian Stevens scribbled:

> Dozens of hackers from all over the world knock on my gateways every day but
> so far Microsoft with some help from Symantec is keeping them out. If you
> don't know some of the advantages of running Outlook on Exchange server then
> maybe you shouldn't be taking such a snobbish position. You won't find me
> trashing UNIX just because I support Microsoft. It has its place and I think
> many would agree that Microsoft does too.
>

whooo haaaa - the scent of a train wreck approaching....

From jeffg at spamcop.net Wed Mar 1 23:38:34 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 23:40:08 2006
Subject: [SpamCop-List] Re: Need help To get our system setup correctly
References:
Message-ID:

Anonymous wrote:
> "Jeff G." wrote in message
> news:du4u1j$n0d$1@news.spamcop.net...
>
>> Anonymous wrote:
>>
>>> I am having a hard time figuring out how the spammer or the virus
>>> above knows what the email address of the spamtrap is. When
>>> SpamCop chooses an email address for a spamtrap, don't they
>>> pick something difficult to guess?
>>
>> Yes, but then they seed the addresses in places that include hidden
>> areas on web pages, where humans aren't supposed to look.
>
> Correct me if my thinking has gone awry here...
>
> The above seems to imply that anyone who comes here complaining
> about how "somehow" he ended up with such spamtraps on his
> mailing list either ran a spambot that searches webpages for email
> addresses, or he bought a list from somebody who ran a spambot
> that searches webpages for email addresses. Such a spambot will
> find spamtraps, but they will be hidden in a crowd among a much
> larger number of non-spamtrap addresses. Thus I find it hard to
> believe that someone sneaky subscribed a spamtrap address
> (leaving aside the fact that such an address wouldn't respond to
> a confirmation email and thus would take itself off a well-managed
> list) or hard-coded the spamtrap address into a virus -- how would
> they know which address in their collection is the spamtrap? I also
> find it hard to believe that a virus got the spamtrap address from
> an outlook contacts list - how could it have gotten there?
>
> Am I thinking correctly here or am I missing something?

Please consider the following scenario:

Reporter A visits a particular page on a SpamCop website which contains a particular Spamtrap Email Address A.
The page is cached on Reporter A's hard disk.
Thief A develops or modifies Worm A that can send Thief A personal information from the hard disks of infected people.
Reporter A gets infected with Worm A.
Worm A sends Spamtrap Email Address A (among other data) to Thief A.
Thief A sells Spamtrap Email Address A (among the email addresses collected) to Listdealer A.
Listdealer A adds Spamtrap Email Address A to List A and then "cleans" List A by verifying that email messages to the list members would not immediately produce 500-series errors.
An overaggressive sales weenie at Listdealer A sells List A to an overaggressive marketing weenie at Customer A of Anonymous as confirmed opt-in email addresses, using some mixture of lies, winks, and nudges.
Both weenies get rewarded for their aggressiveness.
Customer A sends an email campaign to List A sourced at IP Address A, including Spamtrap Email Address A.
Spamtrap Email Address A receives one of the messages and causes IP Address A to be listed by the SCBL (or causes the existing listing to be extended to 24 hours from receipt).
Ideally, Customer A gets terminated or at least fined, ISP A gets cleanup fees, both weenies get fired and/or taught lessons, and Thief A and Listdealer A get investigated.

Alternatively:

Customer A runs Insecure Mailing List A, allowing web-based signups without confirmation.
Ruthless Competitor A learns of Customer A's practices, and forge-subscribes Spamtrap Email Address A to Insecure Mailing List A.
Customer A sends an email campaign to Insecure Mailing List A sourced at IP Address A, including Spamtrap Email Address A.
Spamtrap Email Address A receives one of the messages and causes IP Address A to be listed by the SCBL (or causes the existing listing to be extended to 24 hours from receipt).
Ideally, Customer A gets terminated or at least fined, ISP A gets cleanup fees, and Ruthless Competitor A gets investigated.

--
Thanks and Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From nobody at nowhere.not Thu Mar 2 04:48:02 2006
From: nobody at nowhere.not (Robert Blair)
Date: Wed Mar 1 23:50:06 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
References:
Message-ID:

On Thu, 2 Mar 2006 03:11:23 UTC, "Brian Stevens" wrote:

> Dozens of hackers from all over the world
> knock on my gateways every day but so far
> Microsoft with some help from Symantec is
> keeping them out.

Good. When I help my friends and neighbors I always install a router with a firewall between windows and the internet. While those routers are not always the best firewalls they are much better than using nothing and/or MS security software (sometimes I think MS and security is an oxymoron).

> If you don't know some of the advantages of
> running Outlook on Exchange server then maybe
> you shouldn't be taking such a snobbish position.

This is something else I do for my friends and neighbors. I always install a different email client and web browser, I do not let them use MS email or browser programs, too risky.

> You won't find me trashing UNIX just because I
> support Microsoft. It has its place and I
> think many would agree that Microsoft does too.

I don't trash MS I just don't use their trash when it is not necessary. And MS puts out a lot of trash on the market.

> I certainly wouldn't
> want to go back to the monopolistic days when
> "IBM" and "computer" were synonymous terms.

The only thing that has changed is the name. At one time it was IBM and computers now it is MS and computers. The difference I see is IBM tried to make a lot of money legally while MS does not care if it is legal or illegal as long as they make money.

> I also learned early in my career that the best
> technical product doesn't always win the market.

That has been true forever. A lot of superior products have gone down to defeat by inferior products.
What we as consumers get out of that deal is we pay a lot of money for junk.

--
Robert Blair

From jeffg at spamcop.net Wed Mar 1 23:48:44 2006
From: jeffg at spamcop.net (Jeff G.)
Date: Wed Mar 1 23:50:09 2006
Subject: [SpamCop-List] Re: Sluggish response
References:
Message-ID:

Jeff G. wrote:
> Ejo wrote:
>> Submitting spam via the web-form is very slow at the moment.
>
> http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats
> appears to show that the performance of the SpamCop Parsing and
> Reporting Service went to hell in a handbasket around 21:40 EST -0500
> (02:40 UTC -0000), 54 minutes ago. Its administrators are probably
> already aware of the issue.

It's been over two hours now. This appears to be a bigger problem than normal. :(

--
Best Regards, Jeff G.
http://forum.spamcop.net/forums/index.php?act=findpost&pid=37585

From scamper at trisk.com Wed Mar 1 22:48:06 2006
From: scamper at trisk.com (Garen Erdoisa)
Date: Thu Mar 2 00:50:03 2006
Subject: [SpamCop-List] Re: Sluggish response
In-Reply-To:
References:
Message-ID:

Jeff G. wrote:
> Jeff G. wrote:
>> Ejo wrote:
>>> Submitting spam via the web-form is very slow at the moment.
>>
> http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats
>> appears to show that the performance of the SpamCop Parsing and
>> Reporting Service went to hell in a handbasket around 21:40 EST -0500
>> (02:40 UTC -0000), 54 minutes ago. Its administrators are probably
>> already aware of the issue.
>
> It's been over two hours now. This appears to be a bigger problem than
> normal. :(
>

It would seem so, looking at my mail logs, I'm seeing a bunch of outgoing messages to spamcop that show a deferred status due to connection timeouts with their mail servers. Looks like the outage started about Mar 2, 2006 02:47 GMT

Definitely not typical of spamcop.
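
The manual DNSBL cross-check discussed in the 209.86.89.69 and "DBSBL (ip4r)" threads above, as an added Python example that is not from any poster or from SpamCop: it builds the reversed-octet query name, accepts only 127.0.0.0/8 answers as a listing, probes the RFC 5782 test entries, and compares what different resolver paths say. Assumptions: all function names are hypothetical, the 127.0.0.2 / 127.0.0.1 test entries come from RFC 5782 (not cited in the thread), and the zone `dnsbl.example` and the resolver tables are constructed stand-ins so the block runs offline.

```python
import ipaddress
import socket

# DNSBL answers are conventionally A records inside 127.0.0.0/8
# (the lookup quoted in the thread returned 127.0.0.2).
DNSBL_ANSWER_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reverse the octets and append the zone:
    209.86.89.69 + bl.spamcop.net -> 69.89.86.209.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")


def system_resolve(name):
    """A-record lookup through the host's configured resolver; [] if no answer."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def classify(answers):
    """'not listed' for no answer, 'listed' only when every answer is in
    127.0.0.0/8, otherwise 'bogus' (for example a resolver that rewrites
    NXDOMAIN). A filter that treats any answer as a listing rejects all mail
    in the 'bogus' case."""
    if not answers:
        return "not listed"
    if all(ipaddress.ip_address(a) in DNSBL_ANSWER_NET for a in answers):
        return "listed"
    return "bogus"


def check(ip, zone, resolve=system_resolve):
    return classify(resolve(dnsbl_query_name(ip, zone)))


def sanity_check(zone, resolve=system_resolve):
    """Probe the RFC 5782 test entries through one resolver path:
    127.0.0.2 must be listed and 127.0.0.1 must not be.
    Returns a list of problems; an empty list means the path looks sane."""
    problems = []
    listed_probe = check("127.0.0.2", zone, resolve)
    clean_probe = check("127.0.0.1", zone, resolve)
    if listed_probe != "listed":
        problems.append(f"test entry 127.0.0.2 came back {listed_probe!r}")
    if clean_probe != "not listed":
        problems.append(f"127.0.0.1 came back {clean_probe!r}: every sender would match")
    return problems


def compare(ip, zone, resolvers):
    """Ask several resolver paths about one IP; report whether they agree."""
    results = {label: check(ip, zone, fn) for label, fn in resolvers.items()}
    return results, len(set(results.values())) == 1


# --- constructed stand-ins for real resolver paths (no network needed) ---
def table_resolver(table):
    return lambda name: table.get(name, [])


def wildcard_resolver(address):
    """Models a DNS path that answers every name with the same address."""
    return lambda name: [address]


ZONE = "dnsbl.example"  # placeholder zone, not a real list
HEALTHY = table_resolver({
    "2.0.0.127." + ZONE: ["127.0.0.2"],
    "69.89.86.209." + ZONE: ["127.0.0.2"],
})
# Lagging copy of the zone: test entry present, the listing not there yet.
STALE = table_resolver({"2.0.0.127." + ZONE: ["127.0.0.2"]})
REWRITING = wildcard_resolver("192.0.2.1")      # NXDOMAIN replaced by a host
LISTS_EVERYTHING = wildcard_resolver("127.0.0.2")

if __name__ == "__main__":
    print(dnsbl_query_name("209.86.89.69", "bl.spamcop.net"))
    print(compare("209.86.89.69", ZONE, {"from server": HEALTHY, "from elsewhere": STALE}))
    for label, fn in [("healthy", HEALTHY), ("rewriting", REWRITING),
                      ("lists everything", LISTS_EVERYTHING)]:
        print(label, sanity_check(ZONE, fn))
```

To run it against live DNS, call `check()` and `sanity_check()` with the default `system_resolve` on each machine being compared.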
From nobody at devnull.spamcop.net Thu Mar 2 01:12:36 2006
From: nobody at devnull.spamcop.net (Sofa King Tyred of Lar Ting)
Date: Thu Mar 2 01:15:02 2006
Subject: [SpamCop-List] Re: Lighter side of spam
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Not everyone uses the same kind of scorecard I use for playing the
> spamhandling game.

Few newsgroups have assets comparable to you, Mike.

--
Help fight spam by "educating" the lax, zombie-hosting ISPs:
http://pages.infinit.net/filmore/educateYourISP.htm

From remaker at suespammers.org Wed Mar 1 23:25:12 2006
From: remaker at suespammers.org (Phillip Remaker)
Date: Thu Mar 2 02:30:02 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Thanks for the explanation. My problem was that the DNS gizmo was out of sync with the web gizmo.

DNSSTUFF reports it blacklisted

http://www.dnsstuff.com:8080/tools/ip4r.ch?ip=209.86.89.69

Webgizmo is not listed.

http://www.spamcop.net/w3m?action=checkblock&ip=209.86.89.69

From nobody at devnull.spamcop.net Thu Mar 2 17:01:07 2006
From: nobody at devnull.spamcop.net (Patto)
Date: Thu Mar 2 03:05:03 2006
Subject: [SpamCop-List] Re: Sluggish response
In-Reply-To:
References:
Message-ID:

Jeff G. wrote:
> Jeff G. wrote:
>> Ejo wrote:
>>> Submitting spam via the web-form is very slow at the moment.
>>
> http://forum.spamcop.net/forums/index.php?act=module&automodule=custom&page=stats
>> appears to show that the performance of the SpamCop Parsing and
>> Reporting Service went to hell in a handbasket around 21:40 EST -0500
>> (02:40 UTC -0000), 54 minutes ago. Its administrators are probably
>> already aware of the issue.
>
> It's been over two hours now. This appears to be a bigger problem than
> normal. :(

Seems to be back to normal now.

From / at /.cn Thu Mar 2 19:24:01 2006
From: / at /.cn (Petzl)
Date: Thu Mar 2 03:25:03 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

"Mike Easter" wrote in message news:du4cef$bhl$1@news.spamcop.net...
> Petzl wrote:
> I would say that iprimus isn't doing a good job of securing its user IPs
> which are generating spam.

This seems to me to be the worst of scenarios as the IP mentioned is an *email* server which has been compromised!!!!

Iprimus blocks port 25 and all SpamCop reports accurately the source of spam so all IP's are secured (as long as the reporter has set up SpamCop properly, which Ellen tells me they have)

This means all email addresses and names going through this server are collected and very possible "read" electronically. As you also know this has been happening from at least December 3rd last year. Iprimus have only just now worried about this after ignoring 1000's of individual reports telling them their server has been compromised

Just another reason not to accept a compulsory email account from a "provider"

Get the only Email address you will ever need
http://www.spamcop.net/ces/individuals.shtml

Petzl

From / at /.cn Thu Mar 2 19:24:43 2006
From: / at /.cn (Petzl)
Date: Thu Mar 2 03:25:08 2006
Subject: [SpamCop-List] Re: Mail server listed when Port 25 is blocked?
References:
Message-ID:

"Ellen" wrote in message news:du4im4$fs4$1@news.spamcop.net...
>
>
> "Petzl" wrote in message news:du47lq$7nj$1@news.spamcop.net...
>> 210.50.76.196
>>
>> I know they are bouncing emails but it seems this email server is being
>> reported for spamming
>> Wondering if someone has not set mail hosts or is the server compromised
>> ***ounce****
>
> It was legit spam not a reporting error. Iprimus is aware of the problem
> and
> has taken actions to stop the problem. We have been talking to them.
>
> Ellen
>

Thanks
I already blamed them for not responding to abuse reports since December the 3rd 2005 (maybe before)

Petzl

From MikeE at ster.invalid Thu Mar 2 01:11:19 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Thu Mar 2 04:15:04 2006
Subject: [SpamCop-List] Re: 209.86.89.69 (earthlink)
References:
Message-ID:

Phillip Remaker wrote:
> Thanks for the explanation. My problem was that the DNS gizmo was
> out of sync with the web gizmo.
>
> DNSSTUFF reports it blacklisted
>
> http://www.dnsstuff.com:8080/tools/ip4r.ch?ip=209.86.89.69
>
> Webgizmo is not listed.
>
> http://www.spamcop.net/w3m?action=checkblock&ip=209.86.89.69

I'm sure the problem is due to it going on and off and on and off again and various databases lag behind.

Currently both the webgizmo and my resolver's access are negative.

dns 69.89.86.209.bl.spamcop.net
No DNS for this address

209.86.89.69 not listed in bl.spamcop.net

The most correct information is the webgizmo, even more correct than x.x.x.x.bl.spamcop.net -- and other db/s get their information from bl.spamcop.net.

--
Mike Easter
kibitzer, not SC admin

From nobody at nowhere.invalid Thu Mar 2 11:33:31 2006
From: nobody at nowhere.invalid (Steven Maesslein)
Date: Thu Mar 2 05:35:15 2006
Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages
References:
Message-ID:

On Wed, 1 Mar 2006 22:11:23 -0500, Brian Stevens coughed into spamcop and left this in :

> Dozens of hackers from all over the world knock on my gateways every
> day but so far Microsoft with some help from Symantec is keeping them
> out.

Thousands knock on mine every day but so far iptables and sendmail are keeping them out with nobody's help. 76,440 attempts locked out in January. 75,658 in February. 5,382 this month at 8am local time. That's just port 25. I stopped logging attacks on ports 135 & co. ages ago because of the sheer size of the log files generated.
> If you don't know some of the advantages of running Outlook on > Exchange server then maybe you shouldn't be taking such a snobbish > position. I do recognise some of the advantages of running the Outlook/Exchange combo. In fact, in an int_RA_net environment it's quite good. However, as soon as you start talking Int_ER_net, it all falls to pieces because that's not what it was designed for - or at least if it was, they got many things horribly wrong - and the advantages are not just outweighed, but completely dwarfed by the massive drawbacks of connecting up to the 'Net something which thumbs its nose at RFCs. So, my attitude isn't snobbish, it's the result of (too many) years of dealing with problems that Outlook and Exchange generate for standards-compliant software. > You won't find me trashing UNIX just because I support Microsoft. And I'm not trashing Microsoft just because I use Unix (Linux, FreeBSD and Solaris flavours if you want to know). I think Microsoft does great products for people who don't want to learn about computing, but only as long as the computers they use aren't connected to a network of any kind. Once that happens, it's game over. > It has its place and I think many would agree that Microsoft does too. I do too. It just happens that Microsoft's place is nowhere near an Internet connection. > I certainly wouldn't want to go back to the monopolistic days when > "IBM" and "computer" were synonymous terms. Because "Microsoft" and "computer" aren't synonymous in most people's minds today? > I also learned early in my career that the best technical product > doesn't always win the market. It rarely does when trying to share the market with an 800lb gorilla that has a competing product for sale (regardless of the fact that that competing product doesn't actually do what's written on the box). > That's why I decided in 1995 to join the Microsoft camp. I joined the Microsoft camp around 1989 because there were no real alternatives.
The Atari ST and Amiga were fairly good machines technically (I should know, I used to repair them for a living) but they were basically no more than glorified game consoles. There wasn't much serious software available for them and I didn't have time to write it all myself. Macintosh computers were still way out of my range price-wise, so that left the PC. Aside from the problems in MS-DOS 4 leading to the swift release of version 4.01 with fixed memory management, I thought that MS-DOS was an all-round good product. I rarely ever had any problems with it. By 1996 Windows 95 had landed on computers, and the first version was complete and utter trash. OSR 2.1 was the first really usable system, and we had to wait until, what, late 1997 / early 1998 for that? Then came Windows 98 and IE5, and that's when the problems started for real. I wanted something on which I could actually get work done instead of having to spend vast amounts of money on add-on software to protect my PC and having to worry about getting infected anyway. That's why I chose to switch *AWAY* from Windows in 1999. I'm glad I did. Things have only gone downhill since then. > RMS was a cross between UNIX and Multics - very secure. Great stuff > but dead today! You want secure? You should consider one of the BSDs. They'll run on lower-end hardware than Windows and Exchange, they provide far more network- and security-related features and they don't cost a penny. -- Steve From g.hyde at bigpond.net.au Thu Mar 2 22:41:12 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Mar 2 07:45:03 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: "Steven Maesslein" wrote in message news:slrne0difr.4jn.nobody@127.0.0.1... > I joined the Microsoft camp around 1989 because there were no real > alternatives. 
The Atari ST and Amiga were fairly good machines > technically (I should know, I used to repair them for a living) but they > were basically no more than glorified game consoles. There wasn't much > serious software available for them and I didn't have time to write it > all myself. Macintosh computers were still way out of my range > price-wise, so that left the PC. If you happen to be interested in what the Amiga crowd is doing, they're still going along over at www.amiga.de - pretty strongly by the looks of it. I'm just an Amiga fan, if you want serious technical help with anything Amiga, see if they've got any english version forums over there. Cheers ... Geoffrey Hyde From nobody at nowhere.invalid Thu Mar 2 15:47:27 2006 From: nobody at nowhere.invalid (Steven Maesslein) Date: Thu Mar 2 09:50:03 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: On Thu, 2 Mar 2006 22:41:12 +1000, Geoffrey Hyde coughed into spamcop and left this in : > If you happen to be interested in what the Amiga crowd is doing, they're > still going along over at www.amiga.de - pretty strongly by the looks of it. I remember them from the days when I still had to ensure maintenance of Amigas *after* Commodore had been buried. > I'm just an Amiga fan, if you want serious technical help with anything > Amiga, see if they've got any english version forums over there. Kein Problem - ich spreche auch Deutsch :) -- Steve If money doesn't grow on trees then why do banks have branches? From pxpearson at spamxcop.net Thu Mar 2 08:33:45 2006 From: pxpearson at spamxcop.net (Peter Pearson) Date: Thu Mar 2 11:35:17 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: Getting back on-topic: You seem to be saying 1. that your mail-receiving configuration works fine at other sites you maintain that happen to have static IP addresses, even with block lists enabled; 2. 
that this same configuration works fine at your dynamic-IP site as long as you don't turn on the block lists; 3. that when you turn on block lists at your dynamic-IP site, all incoming messages get rejected with "550 5.2.1 refused: spam site". Like you, I find it hard to imagine that blocklists purposely corrupt their answers based on the requester's IP address. Not being a mail-configuring guru (nor a Microsoft guru, but let's not start that again :-), I can only suggest (1) sending manual queries to the blocklists, to confirm that they give honest answers; (2) enabling a single blocklist, so there's no uncertainty about which blocklist might be giving a funny answer; or (3) inserting code to log diagnostic information. You probably thought of all that. I'm just trying to re-establish a little momentum in a non-flamewar direction. -- Remove the two x's to get a good email address. From eddie at eddie.web Thu Mar 2 14:54:48 2006 From: eddie at eddie.web (eddie) Date: Thu Mar 2 14:55:03 2006 Subject: [SpamCop-List] Funny - Chinese spam about Asian Flu Message-ID: I think it's hilarious that spam coming from China and with websites hosted by the Chinese are spamming for Asian (Chinese) flu drugs. This is almost as funny as Chinese spam advertising the best Narcotics. PT Barnum was way low in his estimate about the birth rate of suckers and, had he known, spammers. From anthony.edwards at uk.easynet.net Thu Mar 2 20:25:18 2006 From: anthony.edwards at uk.easynet.net (Anthony Edwards) Date: Thu Mar 2 15:30:02 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: On Wed, 1 Mar 2006 22:11:23 -0500, Brian Stevens wrote: > Dozens of hackers from all over the world knock on my gateways every day but > so far Microsoft with some help from Symantec is keeping them out. If you > don't know some of the advantages of running Outlook on Exchange server then > maybe you shouldn't be taking such a snobbish position. 
The Outlook/Exchange groupware functionality (shared calendaring, etc) is indeed excellent, and some organisations find it indispensable. However, as others have also noted, I wouldn't personally connect a Microsoft Exchange Server directly to the public Internet, even (especially) in a corporate environment. Not particularly due to the security considerations, as I believe myself capable of absorbing sufficient clue to keep such an installation secure since I am paranoid about such things, but because a UNIX based MTA such as Exim or Postfix, together with a properly configured and maintained SpamAssassin installation, can do a much better job at little or no financial cost of performing inbound spam filtering. I would front end such an installation, and run Exchange (if such were needed in the corporate environment in question) behind it. -- Anthony Edwards * anthony.edwards@uk.easynet.net Abuse Team Manager * Tel: 0800 053 0588 Easynet Ltd * DDI: 0161 227 0707 http://www.uk.easynet.net * Fax: 0845 333 4503 From kenbrody at spamcop.net Thu Mar 2 15:16:36 2006 From: kenbrody at spamcop.net (Kenneth Brody) Date: Thu Mar 2 15:40:03 2006 Subject: [SpamCop-List] Re: The issue of bounce versus reject References: <44036C3A.50B789E5@spamcop.net> <4403966F.CD32ACEF@spamcop.net> Message-ID: <440752A4.91E36B41@spamcop.net> "John E. Malmberg" wrote: > > Kenneth Brody wrote: [...] > > > In short, the only thing their SMTP server knows about you is the IP > > address that their DHCP has assigned to you, and (I suppose) the MAC > > address of your cablemodem. Their setup means that they have no way > > of knowing your true "from" address, and it also requires that they > > cannot reject e-mail from you at the SMTP level. > > That is correct, but mail from you in their I.P. space is outgoing from > what should be a trusted source to their SMTP server, so they should > trust you to provide a valid return e-mail address to send the bounce or > DSN to. _I_ do.
However, what's to stop a spammer from doing differently? [...] > So there is no problem with outbound relaying and SMTP rejects as long > as you have valid information in your header. Again, I'm talking in terms of backscatter from spam, not legitimate e-mail. [...] > To prevent backscatter or silent deletion of messages, that mail server > must do all the spam rejection, and also have a list of valid e-mail > addresses that it should accept e-mail for. It also needs to be able to > handle the case of your mail server having a problem. Why should I have to send a list of all of my e-mail addresses to my ISP? [...] -- +-------------------------+--------------------+-----------------------------+ | Kenneth J. Brody | www.hvcomputer.com | | | kenbrody/at\spamcop.net | www.fptech.com | #include | +-------------------------+--------------------+-----------------------------+ Don't e-mail me at: From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 2 21:16:52 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Mar 2 16:20:02 2006 Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu References: Message-ID: eddie wrote in news:du7iif$bvh$1@news.spamcop.net: > I think it's hilarious that spam coming from China and with websites > hosted by the Chinese are spamming for Asian (Chinese) flu drugs. > > This is almost as funny as Chinese spam advertising the best Narcotics. > > PT Barnum was way low in his estimate about the birth rate of suckers > and, had he known, spammers. > PT Barnum may be accurate. Think about the number of suckers dropping dead due to the poisons that spammer drug products contain. Buy a spamvertised product and you play with fire. From bar_n0ne at hotmail.com Thu Mar 2 16:17:25 2006 From: bar_n0ne at hotmail.com (Berny) Date: Thu Mar 2 17:20:04 2006 Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu References: Message-ID: "Redstone" wrote in message > > PT Barnum may be accurate. 
Think about the number of suckers dropping dead > due to the poisons that spammer drug products contain. > > > Buy a spamvertised product and you play with fire. > You mean they actually deliver something? From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 2 22:57:46 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Mar 2 18:00:03 2006 Subject: [SpamCop-List] [NANAE] Plug-in Warns of Evil Web Sites Message-ID: Found this on NANAE: =================================== Subject: Plug-in Warns of Evil Web Sites From: "HeyBub" Newsgroups: news.admin.net-abuse.email "A company founded by several MIT engineers launched free Internet Explorer and Firefox plug-ins Wednesday that reveal dangerous Web sites listed by popular search engines. "With the plug-ins installed, users see green, yellow, or red tags beside hits in search results on Google, MSN, and Yahoo, said Boston-based SiteAdvisor. The tags -- red represents sites that heavily spam visitors, host spyware and adware, or hijack browser home pages -- give users a heads-up before they click on a link." http://www.informationweek.com/internet/showArticle.jhtml?articleID= 181401865 [http://tinyurl.com/k3thb] Available here: http://www.siteadvisor.com/preview/index.html Seems to work as advertised and, boy, is it informative! They even tabulate how much spam they received just by signing up at the site. ===== Installed it on my browser. Pretty nifty. You can even sign up to be a reviewer for the sites you visit. From redford_stone at INVERSE_OF_COLDmail.com Thu Mar 2 22:59:31 2006 From: redford_stone at INVERSE_OF_COLDmail.com (Redstone) Date: Thu Mar 2 18:00:06 2006 Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu References: Message-ID: "Berny" wrote in news:du7qtm$gso$1@news.spamcop.net: > > You mean they actually deliver something? > > Easy enough for them to throw some toadstool into a gel-capsule. 
From bar_n0ne at hotmail.com Thu Mar 2 17:05:18 2006 From: bar_n0ne at hotmail.com (Berny) Date: Thu Mar 2 18:10:03 2006 Subject: [SpamCop-List] Re: Funny - Chinese spam about Asian Flu References: Message-ID: "Redstone" wrote in message news:Xns977A9885A70FEtinlc@216.154.195.61... > "Berny" wrote in > news:du7qtm$gso$1@news.spamcop.net: > > > > > You mean they actually deliver something? > > > > > > > Easy enough for them to throw some toadstool into a gel-capsule. > Yabbut someone's got to pay for and put a stamp on the capsule, Oh, I forgot, they've hacked the Pitney Bowes stamping machine also. From g.hyde at bigpond.net.au Fri Mar 3 09:52:33 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Thu Mar 2 19:00:02 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: "Steven Maesslein" wrote in message news:slrne0e1bv.9fr.nobody@127.0.0.1... > On Thu, 2 Mar 2006 22:41:12 +1000, Geoffrey Hyde coughed into spamcop > and left this in : >> I'm just an Amiga fan, if you want serious technical help with anything >> Amiga, see if they've got any english version forums over there. > > Kein Problem - ich spreche auch Deutsch :) Translation? I only speak English myself. :D Cheers ... Geoffrey Hyde From nobody at spamcop.net Thu Mar 2 18:18:25 2006 From: nobody at spamcop.net (N. Miller) Date: Thu Mar 2 21:20:02 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: <13aueahyv89mk.dlg@news.spamcop.net> On Wed, 1 Mar 2006 22:11:23 -0500, Brian Stevens wrote: > There are bigots who believe that you > can't be a responsible net citizen if you are on a dynamic IP. That is a flawed statement. It isn't that I am a bigot who doesn't believe that you can't be a responsible net citizen on a dynamic IP address.
It is that I am a pragmatist, for whom >99% of the email delivery attempts from Comcast (and other) dynamically hosted SMTP clients to my domain MX are _not_ from responsible net citizens; therefore, blocking such IP addresses is extremely effective at blocking spam delivery attempts. OTOH, _knowing_ that others will treat my SMTP relay client in the same fashion, I don't even attempt "end-to-end" SMTP relaying; I use my ISP's SMTP server to handle my outbound email. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at spamcop.net Thu Mar 2 18:23:00 2006 From: nobody at spamcop.net (N. Miller) Date: Thu Mar 2 21:25:02 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: <10faq96wrt3se$.dlg@news.spamcop.net> On Wed, 1 Mar 2006 22:11:23 -0500, Brian Stevens wrote: > If you > don't know some of the advantages of running Outlook on Exchange server then > maybe you shouldn't be taking such a snobbish position. The only advantage of using Outlook on an Exchange server is product integration. I get that by running Pegasus Mail with Mercury/32. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at spamcop.net Thu Mar 2 18:31:29 2006 From: nobody at spamcop.net (N. Miller) Date: Thu Mar 2 21:35:04 2006 Subject: [SpamCop-List] Re: DBSBL (ip4r) blocks all incoming messages References: Message-ID: On Fri, 3 Mar 2006 09:52:33 +1000, Geoffrey Hyde wrote: > "Steven Maesslein" wrote in message > news:slrne0e1bv.9fr.nobody@127.0.0.1... >> On Thu, 2 Mar 2006 22:41:12 +1000, Geoffrey Hyde coughed into spamcop >> and left this in : >>> I'm just an Amiga fan, if you want serious technical help with anything >>> Amiga, see if they've got any English version forums over there. >> Kein Problem - ich spreche auch Deutsch :) > Translation? I only speak English myself. :D His comprehension of German seems better than the disclaimer.
Although I did, once, receive a correction over writing, "I can speak a little ***" for the native "***" speaker; he suggested that 'hanasemasu' was more appropriate than the 'hanashimasu' I had written. 'hanashimasu' = "I speak..." 'hanasemasu' = "I can speak..." When one is writing, one isn't speaking; technically. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at spamcop.net Thu Mar 2 19:38:53 2006 From: nobody at spamcop.net (N. Miller) Date: Thu Mar 2 22:40:04 2006 Subject: [SpamCop-List] Re: The issue of bounce versus reject References: <44036C3A.50B789E5@spamcop.net> Message-ID: <16rk0suhrntz.dlg@news.spamcop.net> On Mon, 27 Feb 2006 16:16:42 -0500, Kenneth Brody wrote: > Having read the recent "why not allow bounces" thread, the following > occurred to me... You seem to be confusing message submission servers with MX servers. Message submission servers generally accept email from MUAs ("Mail User Agents"), mostly; using some means of authenticating the connection. MX servers accept email from _any_ MTA ("Mail Transfer Agent"), regardless of the source, and without authenticating the connection. Because of the trust involved in a message submission connection, message submission server bounces are, mostly, legitimately sent to user accounts which are the actual source of the message. OTOH, MX servers can't use the same criteria for authenticating email sources as message submission servers can use; by design, MX servers have to accept incoming connections that message submission servers can refuse. So there is a much higher probability that the "Return-Path" email address will be forged in email from a "Mail Transfer Agent" than from a "Mail User Agent". Therefore, MX servers can't afford to accept all plausible email addresses, then turn around and bounce the undeliverables; those will, usually, go to the wrong places. The best method for an MX server to use is to check two lists: A. 
Valid local email addresses; reject email if the RCPT TO isn't valid. B. DNSBLs; reject all email from listed IP addresses. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum From nobody at devnull.spamcop.net Fri Mar 3 15:40:33 2006 From: nobody at devnull.spamcop.net (Patto) Date: Fri Mar 3 01:45:13 2006 Subject: [SpamCop-List] An error occurred while processing your request. Message-ID: Same error as yesterday when trying to access spamcop.net From g.hyde at bigpond.net.au Fri Mar 3 19:40:11 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Mar 3 04:45:45 2006 Subject: [SpamCop-List] Fedora list spam with large attachment. Message-ID: http://www.spamcop.net/sc?id=z889520818zc21f147cfe3ed355899c5b92688b3f6az Okay, what the heck is this attachment in the spam - some application-octet or whatever SpamCop identified it as? And why are they sending it to me? It's obviously spam, and has been treated as such, SpamCop couldn't even say that the IP address was actually belonging to the server it purported to be from (got no name when trying the IP) so named it as source. Anyone else getting this kind of unwanted junk email? Cheers ... Geoffrey Hyde From MikeE at ster.invalid Fri Mar 3 01:58:31 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 05:00:34 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Geoffrey Hyde wrote: www.spamcop.net/sc?id=z889520818zc21f147cfe3ed355899c5b92688b3f6az > > Okay, what the heck is this attachment in the spam - some > application-octet or whatever SpamCop identified it as? It is a viral propagation, virm/virmail, designed to look like a bounce which has a message.zip attachment which is b64 encoded. The source machine is 196.25.32.50 no rDNS of the .za Infodoor Networking which has problems with its contact information and SC wants to notify abuse@saix.net -- which is the way I would notify it. > And why are they sending it to me? 
It's obviously spam, and has been > treated as such, SpamCop couldn't even say that the IP address was > actually belonging to the server it purported to be from (got no name > when trying the IP) so named it as source. > > Anyone else getting this kind of unwanted junk email? You get viral propagations because your address is accessible at/by the infected propagator. Your AV agent may not be able to identify it because it is 'inside' a b64 encoded zip file. If you were handling it by opening it, the b64 would become decoded by your mail agent, then you would have to unzip the archive to find the executable. I haven't taken it down to the executable and characterized it yet. -- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 3 02:08:37 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 05:10:26 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Mike Easter wrote: > I haven't taken it down to the executable and characterized it yet. The decoded b64 message.zip is a corrupt zip file which I can't unzip with Iceows. I can look at the hex of the front of it and tell that its executable would be message.scr, but I can't characterize the virus in its zipped form with my AV. -- Mike Easter kibitzer, not SC admin From g.hyde at bigpond.net.au Fri Mar 3 20:30:49 2006 From: g.hyde at bigpond.net.au (Geoffrey Hyde) Date: Fri Mar 3 05:35:09 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: I dunno if it's worth doing anything with. Apparently the ISP I'm with believes I should get sent any and all email addressed to me unless I want to sign up for their spam filter. Attachments included apparently. 
What I find really weird is that they won't even devote any of the vast amount of computing power they have available on their network to finding and removing viral attachments from spam - "because, it might be a legitimate attachment" - what I'm thinking of that is, if someone has to send you something that's executable, they surely have another means than email by now. Cheers ... Geoffrey Hyde "Mike Easter" wrote in message news:du94io$7ep$1@news.spamcop.net... > Mike Easter wrote: > >> I haven't taken it down to the executable and characterized it yet. > > The decoded b64 message.zip is a corrupt zip file which I can't unzip > with Iceows. I can look at the hex of the front of it and tell that its > executable would be message.scr, but I can't characterize the virus in > its zipped form with my AV. > > -- > Mike Easter > kibitzer, not SC admin > From aviatrix at lists.org.gg Fri Mar 3 10:42:11 2006 From: aviatrix at lists.org.gg (Aviatrix) Date: Fri Mar 3 05:45:04 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. In-Reply-To: References: Message-ID: Geoffrey Hyde wrote: > What I find really weird is that they won't even devote any of the vast > amount of computing power they have available on their network to finding > and removing viral attachments from spam - "because, it might be a > legitimate attachment" - what I'm thinking of that is, if someone has to > send you something that's executable, they surely have another means than > email by now. Some ISPs enforce spam/virus filtering on their customers, whether the customers like it or not (causing some genuine mail to be lost). Some ISPs offer spam/virus filtering as an optional add-on service, either paid-for or free of charge (mine offers it free of charge). Some ISPs take the view that if customers want spam/virus filtering they should make their own arrangements. Yours obviously belongs in the third group. 
Personally I have no problem with that - I DO have a problem with the first group (especially if, like some ISPs I know, they just discard suspected spam/viruses without letting anyone know) From MikeE at ster.invalid Fri Mar 3 02:52:31 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 05:55:02 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Mike Easter wrote: > The decoded b64 message.zip is a corrupt zip file which I can't unzip > with Iceows. I can look at the hex of the front of it and tell that > its executable would be message.scr, but I can't characterize the > virus in its zipped form with my AV. I sent the corrupt zip to VirusTotal for their multiple AV agent analysis. NOD32 found the archive damaged, and 4 of them could see the MyDoom.M worm inside the damaged .zip. One said suspicious, 17 said negative. Results of a file scan This is a report processed by VirusTotal on 03/03/2006 at 11:28:08 (CET) after scanning the file "message.zip" file. 
Antivirus           Version         Update      Result
AntiVir             6.33.1.53       03.03.2006  Worm/Mydoom.M
Avast               4.6.695.0       03.02.2006  Win32:Mydoom-M
AVG                 718             03.02.2006  no virus found
Avira               6.33.1.53       03.03.2006  Worm/Mydoom.M
BitDefender         7.2             03.03.2006  no virus found
CAT-QuickHeal       8.00            03.02.2006  (Suspicious) - DNAScan
ClamAV              devel-20060126  03.02.2006  Worm.Mydoom.M
DrWeb               4.33            03.03.2006  no virus found
eTrust-InoculateIT  23.71.92        03.03.2006  no virus found
eTrust-Vet          12.4.2104       03.03.2006  no virus found
Ewido               3.5             03.02.2006  no virus found
Fortinet            2.71.0.0        03.02.2006  no virus found
F-Prot              3.16c           03.03.2006  no virus found
Kaspersky           4.0.2.24        03.03.2006  no virus found
McAfee              4709            03.02.2006  no virus found
NOD32v2             1.1426          03.03.2006  archive damaged
Norman              5.70.10         03.02.2006  no virus found
Panda               9.0.0.4         03.03.2006  no virus found
Sophos              4.03.0          03.03.2006  no virus found
Symantec            8.0             03.03.2006  no virus found
TheHacker           5.9.5.105       03.03.2006  no virus found
UNA                 1.83            03.02.2006  no virus found
VBA32               3.10.5          03.02.2006  no virus found

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Mar 3 03:11:51 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 3 06:15:03 2006
Subject: [SpamCop-List] Re: Fedora list spam with large attachment.
References:
Message-ID:

Aviatrix wrote:
> Some ISPs offer spam/virus filtering as an optional add-on service,
> either paid-for or free of charge (mine offers it free of charge).

EL's options for the spamfiltering and virus filtering are included or free. The spamfiltering can be off, medium, or high -- the virus filtering off or on. The 'standard' spamfilter is leaky, the virus filter has a rare false positive. I can't recall the last time I saw a false negative virm slip thru'.. If EL's proprietary frontend TotalAccess is installed, which I would never do, there is a plethora of other 'filtering' options, ranging from parental controls to antiphish to antispyware to antipopups.
-- Mike Easter kibitzer, not SC admin From MikeE at ster.invalid Fri Mar 3 03:20:33 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 06:25:02 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Mike Easter wrote: > The source machine is 196.25.32.50 no rDNS of the .za Infodoor > Networking Back in 2005 June 7, someone using that IP accessed a guest book and signed their name and email address. Zakithi Sinethemba Ngongoma zakithingongoma@hotmail.com Since the IP is most likely dynamic and the information is so stale, that data is most likely completely worthless. I don't advise signing guestbooks like that, unless you are /really/ looking for penpals. -- Mike Easter kibitzer, not SC admin From / at /.cn Fri Mar 3 22:49:17 2006 From: / at /.cn (Petzl) Date: Fri Mar 3 06:50:02 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: "Geoffrey Hyde" wrote in message news:du95sv$817$1@news.spamcop.net... >I dunno if it's worth doing anything with. Apparently the ISP I'm with >believes I should get sent any and all email addressed to me unless I want >to sign up for their spam filter. Another good reason to NOT accept the email address your ISP forces on one. You do need to consider a SpamCop email address, the only one you will ever need. Ask your provider for a refund for a supposed "service" you no longer need and should not pay for Get the only Email address you will ever need http://www.spamcop.net/ces/individuals.shtml Petzl From MikeE at ster.invalid Fri Mar 3 04:04:44 2006 From: MikeE at ster.invalid (Mike Easter) Date: Fri Mar 3 07:05:04 2006 Subject: [SpamCop-List] Re: Fedora list spam with large attachment. References: Message-ID: Mike Easter wrote: > Geoffrey Hyde wrote: >> Okay, what the heck is this attachment in the spam - some >> application-octet or whatever SpamCop identified it as? 
> > It is a viral propagation, virm/virmail, designed to look like a > bounce which has a message.zip attachment which is b64 encoded. Continuing my string of replies in this thread. This item also demonstrates a precautionary suggestion -- that you should not 'count on' your provider's or your own AV agents to protect you from virms. I have an additional 'crude' security measure called a BigFile rule. The bigfile is any email over a certain size gets message ruled into its own BigFile folder so that it can be handled with caution. Naturally you could handle this item without a bigfile rule -- because there are so many ways that you would be able to tell that this mail isn't something you want to handle carelessly, but having multiple layers to warn you of a problem is of some value since the majority of agents didn't identify this propagation even after the b64 decoding. MyDoom.M is also associated with installing a backdoor Zincite.A trojan which // Attempts to contact other infected systems by probing random IP addresses on port 1034. If an infected system is found, its IP address will be stored for possible future use. // When running the backdoor, the backdoor listens on TCP port 1034 for incoming connections. When remote attackers connect, they can: Download and execute files. Get the Trojan's saved list of other infected IP addresses. Stop the backdoor process. . -- Mike Easter kibitzer, not SC admin From nospam at nospam.nl Fri Mar 3 13:32:53 2006 From: nospam at nospam.nl (geo_splash_12) Date: Fri Mar 3 07:35:03 2006 Subject: [SpamCop-List] telefonica.es Message-ID: Which IP blocks are associated with telefonica.es and auna.es? These guys are slowly becoming a nuisance, and in senderbase I can't even find the proper whois information because they probably (like kornet) scattered over the entire IP4 spectrum. 
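Added example, not part of any list member's post: Mike Easter's replies in the "Fedora list spam with large attachment" thread above describe decoding a base64 message.zip that will not unzip, reading the front of it to find message.scr, and a size-based "BigFile" rule. The Python sketch below does that triage on a constructed, harmless sample; the 20 KiB threshold, the extension list and every function name are assumptions.

```python
import io
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed values: the thread names neither a size threshold nor an extension list.
BIGFILE_BYTES = 20 * 1024
RISKY_EXT = (".scr", ".exe", ".pif", ".com", ".bat", ".cmd")

LOCAL_SIG = b"PK\x03\x04"
# ZIP local file header: signature, version, flags, method, time, date,
# crc32, compressed size, uncompressed size, name length, extra length.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")


def zip_member_names(data):
    """Read member names from local file headers only.

    This works on archives whose central directory is missing or damaged,
    which is why a name can be read even when the archive will not unzip.
    Scanning for the signature is a heuristic, good enough for triage.
    """
    names = []
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + LOCAL_HEADER.size <= len(data):
        name_len = LOCAL_HEADER.unpack_from(data, pos)[9]
        start = pos + LOCAL_HEADER.size
        raw_name = data[start:start + name_len]
        if 0 < name_len == len(raw_name):
            names.append(raw_name.decode("cp437"))
        pos = data.find(LOCAL_SIG, start)
    return names


def triage(raw, bigfile_bytes=BIGFILE_BYTES):
    """Summarise a raw message without extracting or executing anything."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = []
    for part in msg.iter_attachments():
        # decode=True undoes the base64 transfer encoding.
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                intact = zf.testzip() is None
        except zipfile.BadZipFile:
            intact = False
        names = zip_member_names(data)
        attachments.append({
            "attachment": part.get_filename(),
            "decoded_bytes": len(data),
            "zip_intact": intact,
            "members": names,
            "risky": [n for n in names if n.lower().endswith(RISKY_EXT)],
        })
    # "BigFile" rule: oversized mail is set aside for cautious handling.
    return {"bigfile": len(raw) > bigfile_bytes, "attachments": attachments}


def build_sample():
    """Constructed sample: a bounce-like mail with a truncated, harmless zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("message.scr", b"harmless placeholder bytes\n" * 40)
    damaged = buf.getvalue()[:600]  # cuts off the central directory
    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Delivery failure (constructed sample)"
    msg.set_content("The message could not be delivered.")
    msg.add_attachment(damaged, maintype="application",
                       subtype="octet-stream", filename="message.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample(), bigfile_bytes=1024))
```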
From MikeE at ster.invalid Fri Mar 3 04:55:05 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 3 07:55:04 2006
Subject: [SpamCop-List] Re: telefonica.es
References:
Message-ID:

geo_splash_12 wrote:
> Which IP blocks are associated with telefonica.es and auna.es? These
> guys are slowly becoming a nuisance, and in senderbase I can't even
> find the proper whois information because they probably (like kornet)
> scattered over the entire IP4 spectrum.

The output IPs listed at senderbase are

194.224.58.62 mail2.telefonica.es Y 4.9 4.3
212.170.236.199 sceest04.correodeempresas.telefonica.es Y 3.8 3.6
212.170.236.196 sceest03.correodeempresas.telefonica.es Y 3.7 3.5
212.170.236.86 sceent03.correodeempresas.telefonica.es Y 2.1 2.2
212.170.236.84 sceent01.correodeempresas.telefonica.es Y 3.0 2.2
212.170.236.85 sceent02.correodeempresas.telefonica.es Y 2.6 2.1

62.81.52.14 dulcesa.red.retevision.es Y 0.0 3.9
62.81.27.241 bcnfwl02.retevision.es Y 3.9 3.6
62.81.119.50 junta-icatm51456-meri.red.retevision.es Y 2.7 3.5
62.81.72.58 mtorres-ic60731-pamp.red.retevision.es Y 3.7 3.3
62.81.52.178 copiti-ic12891-vale.red.retevision.es Y 3.4 2.9
62.81.80.10 giahsa-ic-huel.red.retevision.es Y 2.6 2.8
62.81.26.74 nadal-ic11446-barc.red.retevision.es Y 3.4 2.8
62.81.92.66 momework-ic27411-alic.red.retevision.es Y 0.0 2.7
62.81.102.6 endesa-ic72593-sevi.red.retevision.es Y 2.7 2.6
62.81.119.10 junta-icatm6415-meri.red.retevision.es Y 3.0 2.4
62.81.55.94 calderinox-ic64373-sevi.red.retevision.es Y 0.0 2.3
62.81.55.50 emasesa-ic.red.retevision.es Y 0.0 2.3
62.81.84.98 lomonaco-ic38847-gran.red.retevision.es Y 0.0 2.3
62.81.90.26 schglo-ic104929-bar2.red.retevision.es Y 2.9 2.3
62.81.70.10 hpenisc-ic13727-cast.red.retevision.es Y 2.7 2.2
62.81.84.26 romysim-ic-gran.red.retevision.es Y 2.8 2.2

inetnum: 62.81.0.0 - 62.81.127.255
netname: RETENET
descr: AUNA S.A.U,
route: 62.81.0.0/16
descr: Retevision SA
origin: AS16338

route: 212.170.0.0/16
descr: Telefonica Data Espan~a
origin: AS3352

route: 194.224.0.0/16
descr: IBERNET
descr: Telefonica transmision de datos, Internet Network
origin: AS3352

You can take those AS#s to someplace like potaroo and determine the IPs
associated.

--
Mike Easter
kibitzer, not SC admin

From nospam at nospam.nl Fri Mar 3 16:30:43 2006
From: nospam at nospam.nl (geo_splash_12)
Date: Fri Mar 3 10:35:04 2006
Subject: [SpamCop-List] Re: telefonica.es
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> geo_splash_12 wrote:
>
>>Which IP blocks are associated with telefonica.es and auna.es? These
>>guys are slowly becoming a nuisance, and in senderbase I can't even
>>find the proper whois information because they probably (like kornet)
>>scattered over the entire IP4 spectrum.
>
>
> The output IPs listed at senderbase are
>
> 194.224.58.62 mail2.telefonica.es Y 4.9 4.3
> 212.170.236.199 sceest04.correodeempresas.telefonica.es Y 3.8 3.6
> 212.170.236.196 sceest03.correodeempresas.telefonica.es Y 3.7 3.5
> 212.170.236.86 sceent03.correodeempresas.telefonica.es Y 2.1 2.2
> 212.170.236.84 sceent01.correodeempresas.telefonica.es Y 3.0 2.2
> 212.170.236.85 sceent02.correodeempresas.telefonica.es Y 2.6 2.1
>
>
> 62.81.52.14 dulcesa.red.retevision.es Y 0.0 3.9
> 62.81.27.241 bcnfwl02.retevision.es Y 3.9 3.6
> 62.81.119.50 junta-icatm51456-meri.red.retevision.es Y 2.7 3.5
> 62.81.72.58 mtorres-ic60731-pamp.red.retevision.es Y 3.7 3.3
> 62.81.52.178 copiti-ic12891-vale.red.retevision.es Y 3.4 2.9
> 62.81.80.10 giahsa-ic-huel.red.retevision.es Y 2.6 2.8
> 62.81.26.74 nadal-ic11446-barc.red.retevision.es Y 3.4 2.8
> 62.81.92.66 momework-ic27411-alic.red.retevision.es Y 0.0 2.7
> 62.81.102.6 endesa-ic72593-sevi.red.retevision.es Y 2.7 2.6
> 62.81.119.10 junta-icatm6415-meri.red.retevision.es Y 3.0 2.4
> 62.81.55.94 calderinox-ic64373-sevi.red.retevision.es Y 0.0 2.3
> 62.81.55.50 emasesa-ic.red.retevision.es Y 0.0 2.3
> 62.81.84.98 lomonaco-ic38847-gran.red.retevision.es Y 0.0 2.3
> 62.81.90.26 schglo-ic104929-bar2.red.retevision.es Y 2.9 2.3
> 62.81.70.10 hpenisc-ic13727-cast.red.retevision.es Y 2.7 2.2
> 62.81.84.26 romysim-ic-gran.red.retevision.es Y 2.8 2.2
>
>
> inetnum: 62.81.0.0 - 62.81.127.255
> netname: RETENET
> descr: AUNA S.A.U,
> route: 62.81.0.0/16
> descr: Retevision SA
> origin: AS16338
>
> route: 212.170.0.0/16
> descr: Telefonica Data Espan~a
> origin: AS3352
>
> route: 194.224.0.0/16
> descr: IBERNET
> descr: Telefonica transmision de datos, Internet Network
> origin: AS3352
>
>
> You can take those AS#s to someplace like potaroo and determine the IPs
> associated.
>
>

This is not what I see, the spams from telefonica.es do come from for
instance:

80.34.54.48
80.58.210.67
83.43.185.178
83.44.1.204
83.53.229.176
83.58.202.60

auna.es IPs are for instance:

82.159.80.85
82.159.17.168

Ejo

From MikeE at ster.invalid Fri Mar 3 08:47:48 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 3 11:50:04 2006
Subject: [SpamCop-List] Re: telefonica.es
References:
Message-ID:

geo_splash_12 wrote:
> Mike Easter wrote:
>> The output IPs listed at senderbase are
>>
>> 194.224.58.62 mail2.telefonica.es Y 4.9 4.3
>> 62.81.52.14 dulcesa.red.retevision.es Y 0.0 3.9

> This is not what I see, the spams from telefonica.es do come from for
> instance:
>
> 80.34.54.48
> 80.58.210.67
> 83.43.185.178
> 83.44.1.204
> 83.53.229.176
> 83.58.202.60

user IPs - RIMA -- it has many more besides those 80. & 83.
> auna.es IPs are for instance:
>
> 82.159.80.85
> 82.159.17.168

User IPs in this family

inetnum: 82.158.138.0 - 82.159.127.255
netname: MADRITEL
descr: PROVIDER
descr: Madritel

MADRITEL has many more blocks besides those 82.158 & .159

--
Mike Easter
kibitzer, not SC admin

From nospam at nospam.nl Fri Mar 3 18:08:26 2006
From: nospam at nospam.nl (geo_splash_12)
Date: Fri Mar 3 12:10:03 2006
Subject: [SpamCop-List] Re: telefonica.es
In-Reply-To:
References:
Message-ID:

Mike: dshield is a nice tool to do this, thus

http://www.dshield.org/ipinfo.php?ip=83.43.185.178&Submit=Submit

tells me where 83.43.185.178 is located and the fine line of horse
manure around that IP.

Ejo

Mike Easter wrote:
> geo_splash_12 wrote:
>
>>Mike Easter wrote:
>
>
>>>The output IPs listed at senderbase are
>>>
>>>194.224.58.62 mail2.telefonica.es Y 4.9 4.3
>
>
>>>62.81.52.14 dulcesa.red.retevision.es Y 0.0 3.9
>
>
>>This is not what I see, the spams from telefonica.es do come from for
>>instance:
>>
>>80.34.54.48
>>80.58.210.67
>>83.43.185.178
>>83.44.1.204
>>83.53.229.176
>>83.58.202.60
>
>
> user IPs - RIMA -- it has many more besides those 80. & 83.
>
>
>>auna.es IPs are for instance:
>>
>>82.159.80.85
>>82.159.17.168
>
>
> User IPs in this family
>
> inetnum: 82.158.138.0 - 82.159.127.255
> netname: MADRITEL
> descr: PROVIDER
> descr: Madritel
>
> MADRITEL has many more blocks besides those 82.158 & .159
>

From MikeE at ster.invalid Fri Mar 3 09:32:37 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 3 12:35:02 2006
Subject: [SpamCop-List] Re: telefonica.es
References:
Message-ID:

geo_splash_12 wrote:
> Mike: dshield is a nice tool to do this, thus
>
> http://www.dshield.org/ipinfo.php?ip=83.43.185.178&Submit=Submit
>
> tells me where 83.43.185.178 is located and the fine line of horse
> manure around that IP.

Yes, but that is just one little block

inetnum: 83.40.201.0 - 83.45.92.255
netname: RIMA

There are many scores of such blocks of various sizes.

If you do

whois -h whois.ripe.net rima

you will see a huge output of tons of such blocks. I was going to
extract a list of just the 'inetnum' lines for RIMA and MADRITEL.
Madritel's is much shorter, I'll use it as an example.

inetnum: 213.37.0.0 - 213.37.65.255
inetnum: 213.37.110.0 - 213.37.131.245
inetnum: 213.37.108.88 - 213.37.108.119
inetnum: 213.37.66.0 - 213.37.107.255
inetnum: 213.37.150.0 - 213.37.251.255
inetnum: 213.37.253.0 - 213.37.255.255
inetnum: 213.37.132.0 - 213.37.149.255
inetnum: 82.158.0.0 - 82.158.95.255
inetnum: 82.158.96.0 - 82.158.135.255
inetnum: 82.158.138.0 - 82.159.127.255

--
Mike Easter
kibitzer, not SC admin

From MikeE at ster.invalid Fri Mar 3 09:47:41 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 3 12:50:03 2006
Subject: [SpamCop-List] Re: telefonica.es
References:
Message-ID:

Mike Easter wrote:
>
> whois -h whois.ripe.net rima
>
> you will see a huge output of tons of such blocks. I was going to
> extract a list of just the 'inetnum' lines for RIMA and MADRITEL.
> Madritel's is much shorter, I'll use it as an example.
This is less than half of RIMA's

--
Mike Easter
kibitzer, not SC admin

From nospam at nospam.nl Fri Mar 3 19:02:00 2006
From: nospam at nospam.nl (geo_splash_12)
Date: Fri Mar 3 13:05:02 2006
Subject: [SpamCop-List] Re: telefonica.es
In-Reply-To:
References:
Message-ID:

Mike Easter wrote:
> Mike Easter wrote:
>
>>whois -h whois.ripe.net rima
>>
>>you will see a huge output of tons of such blocks. I was going to
>>extract a list of just the 'inetnum' lines for RIMA and MADRITEL.
>>Madritel's is much shorter, I'll use it as an example.
>
>
> This is less than half of RIMA's
>
>

Mike -- this will do the trick (and I haven't yet installed a whois to
verify this all).

Mucho Gracias -- Ejo

From MikeE at ster.invalid Fri Mar 3 10:07:23 2006
From: MikeE at ster.invalid (Mike Easter)
Date: Fri Mar 3 13:10:03 2006
Subject: [SpamCop-List] Re: telefonica.es
References:
Message-ID:

geo_splash_12 wrote:
> Which IP blocks are associated with telefonica.es and auna.es?
Because there are so many little pieces and parts to the rima and
madritel user IP blocks, it would be easier to just use something like
blackholes.us or nerd-zz and just block all of Spain. If you have
correspondents in .es you could whitelist domains, IP blocks, or addies.

The examples of IPs you listed earlier would not have been filtered well
by my filters, as only one appeared in CBL and one in SCbl -- but I
haven't been getting .es spam leakage, so your spam must be different
from mine.

Whether or not a country filter would work for you - since you are .nl
and maybe you get more Euro spam - I don't know. It depends on how much
.es unknown goodmail you get.

--
Mike Easter
kibitzer, not SC admin

From wb8tyw at qsl.network Fri Mar 3 12:40:34 2006
From: wb8tyw at qsl.network (John E. Malmberg)
Date: Fri Mar 3 13:45:04 2006
Subject: [SpamCop-List] Re: The issue of bounce versus reject
References: <44036C3A.50B789E5@spamcop.net> <4403966F.CD32ACEF@spamcop.net> <440752A4.91E36B41@spamcop.net>
Message-ID: <1ncKK$MUemdg@eisner.encompasserve.org>

In article <440752A4.91E36B41@spamcop.net>, Kenneth Brody writes:
> "John E. Malmberg" wrote:
>>
>> Kenneth Brody wrote:
> [...]
>>
>> > In short, the only thing their SMTP server knows about you is the IP
>> > address that their DHCP has assigned to you, and (I suppose) the MAC
>> > address of your cablemodem. Their setup means that they have no way
>> > of knowing your true "from" address, and it also requires that they
>> > cannot reject e-mail from you at the SMTP level.
>>
>> That is correct, but mail from you in their I.P. space is outgoing from
>> what should be a trusted source to their SMTP server, so they should
>> trust you to provide a valid return e-mail address to send the bounce or
>> DSN to.
>
> _I_ do. However, what's to stop a spammer from doing differently? With some ISP's, n