chello doesn't take action..
john1000
Hi, can someone tell me what else I can do against a spammer (and my ISP), because nothing works.
The story.....

For a few weeks now I'm getting mail from a spammer located at 80.57.52.231.
I'm reporting my ass off here, and at some point an employee of chello indicated I could better send the full email copy to abuse[at]chello so it's reported twice.... that was his idea, because it's not always certain emails arrive...

After about 15 mails (4 of them were infected), a whole bunch of phone calls, promises that they will warn him, and a day ago they called me to say it wasn't a spammer but he was infected, and they gave him a few hours to clean up and get some kind of protection on his computer...
But now I'm getting a mail again.... and again it's infected...

Now tell me.... what to do about this "spam" if a lowlife ISP like chello doesn't do its work properly?
Miss Betsy
See "Need help with upstream" in this forum - that may help you.

Miss Betsy
StevenUnderwood
Well, if you were using the SpamCop blocking list you would not be getting that junk:
QUOTE
80.57.52.231 listed in bl.spamcop.net (127.0.0.2)
In the past 59.9 days, it has been listed 22 times for a total of 44.0 days


Thank you for your reporting, it is keeping the junk from reaching me ;)
john1000
I've sent you a message, Miss Betsy..
StevenUnderwood
In reply to john1000's PM, the primary function of the SpamCop reporting service is to feed the SpamCop blocking list. For more information, start at the FAQ. SpamCop goes one step further, however, and alerts the ISP that spam has been received from one of their IP addresses.

Typically, your mail server (ISP or company) would be configured to query this list every time a server tried to send an email message to it. The SpamCop email service also uses the SpamCop BL (and others) to hold suspected spam in a held mail folder. I believe you can also get third-party software to install on your local machine which does something similar.
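Steven's point is that the blocklist check runs on the receiving mail server at the moment a remote machine connects, not on the recipient's PC. The script below is an added example (not SpamCop's code and not from anyone in this thread) of what that server-side check amounts to: reverse the client's octets, look the name up under bl.spamcop.net, and only treat an answer inside 127.0.0.0/8 as a listing. The answer table, the hostnames and the reply texts are constructed; `live_resolver` shows the real query but is not needed to run the script.

```python
"""Check a connecting client's address against a DNS blocklist (DNSBL).

Added example, not SpamCop's code. It does what a receiving mail server does when
it is configured to use bl.spamcop.net: reverse the octets, look the name up, and
read the answer. The resolver is pluggable so the script runs offline against a
constructed answer table; live_resolver performs the same query over real DNS.
"""
import ipaddress
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]  # name -> A record, or None for NXDOMAIN

# Every legitimate DNSBL listing code lives in this range (SpamCop answers 127.0.0.2).
DNSBL_ANSWERS = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = "bl.spamcop.net") -> str:
    """80.57.52.231 -> 231.52.57.80.bl.spamcop.net (IPv4 only; raises on bad input)."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup. NXDOMAIN (not listed) surfaces as socket.gaierror."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Offline resolver backed by a dict of name -> answer (constructed data)."""
    return lambda name: table.get(name)


def check_dnsbl(ip: str, resolve: Resolver, zone: str = "bl.spamcop.net") -> str:
    """Return 'listed', 'not-listed' or 'unexpected-answer'.

    A dead or wildcarded list answers with some other address for *every* query;
    treating that as a listing would block all mail, so it is reported separately
    and never acted on as a rejection.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return "not-listed"
    try:
        if ipaddress.IPv4Address(answer) in DNSBL_ANSWERS:
            return "listed"
    except ValueError:
        pass  # not even an IPv4 address: treat as a broken list, not a listing
    return "unexpected-answer"


def smtp_reply(ip: str, verdict: str, zone: str = "bl.spamcop.net") -> str:
    """Reply given at connection time; only a real listing rejects (hypothetical text)."""
    if verdict == "listed":
        return f"554 5.7.1 Service unavailable; client [{ip}] is listed in {zone}"
    return "220 mx.example.net ESMTP"


# Constructed answer table reproducing the lookup result quoted in the thread.
SAMPLE_ANSWERS = {"231.52.57.80.bl.spamcop.net": "127.0.0.2"}

if __name__ == "__main__":
    resolve = table_resolver(SAMPLE_ANSWERS)
    for client in ("80.57.52.231", "192.0.2.1"):
        verdict = check_dnsbl(client, resolve)
        print(client, verdict, "->", smtp_reply(client, verdict))
```

Swap `table_resolver(SAMPLE_ANSWERS)` for `live_resolver` to query the real list; the three-way verdict matters because a list that has been shut down and wildcarded looks, to naive code, as if every sender were listed.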
john1000
Well Steven, that's all great, but that doesn't work..... because if the mentioned IP turns up on the blocked list, how can I receive mails?

No offence, but we are not all as smart as you!
So sending me to the FAQ page is great reading stuff, reading about programs and server stuff, but what if it's all abracadabra...
Explaining something isn't the same as telling me how to... :(
turetzsr
QUOTE(john1000 @ Jul 16 2004, 02:57 PM)
<snip>
sending me to the FAQ page is great reading stuff, reading about programs and server stuff, but what if it's all abracadabra...
Explaining something isn't the same as telling me how to... :(

Hi, john1000,
...Steven probably did not mean to imply that you could do anything about this problem by yourself. It is the responsibility of your e-mail provider to determine how to keep the spam from reaching you. However, some e-mail providers prefer to not get involved in that activity. If that is the case for you, you may wish to consider finding a different e-mail provider who can do it.
john1000
Well, I'm using SpamBully and as far as I can tell I can configure it in such a way that people must be approved to mail... or something like that....
Still figuring out how it works...
StevenUnderwood
Thanks Steve T for the clarification.

john1000...

Your choices for using the SpamCop DNSBL (and/or others) are:
  • to request that your ISP start using them
  • change email providers (spamcop is only one)
  • use an email application that processes your mail before your email client sees it to either delete or move it to an alternate location
I do not have a need for the third one, so have no recommendation there.

The system you are contemplating is also known as challenge/response. It may help to keep your inbox clean, but because most spam and viruses use forged From: addresses, you will be sending your spam and viruses to other innocent users. This could possibly also get your machine on the same spammer blocklists so people could not receive your messages, or get your account shut down for sending (actually redirecting) viruses.
john1000
Well, this is the only way for me to do something. BTW.... as the SpamCop system always indicates.... no reporting of bounced mails... so why should I make it harder on myself using this type...
And my spammer is listed but still sends mails....
john1000
And I'm still receiving spam from 80.57.52.231 and my ISP chello.nl isn't doing anything..... >:(
keythumper
Try SpamAssassin, or find a better ISP.
You get what you pay for.
I like what companies like Telus have started doing. They no longer let their users access port 25 unless they route via the Telus mail servers. Wish our company did this.

--
Gary
john1000
I wasn't sure what to call it all, but most of you remember my previous post about a spammer at 80.57.52.231.
Well, after getting at least 25 mails, of which about 7 were infected with dirty scripting, we're now at the point that even my ISP doesn't believe that the spam mail originally comes from 80.57.52.231.

So where does this leave me?
All the mails I got from 80.57.52.231 were submitted to SpamCop and the system was clear on where it came from...

But it becomes a problem if I cannot convince my ISP..
So can SpamCop be fooled in this way? Because the employee of the helpdesk said that if the spammer (infected or not) comes from another network other than chello, he can create false IP addresses like 80.57.52.231, and what a coincidence, huh...

The person at that IP knew he was infected and admitted it too, and was even shut off for a few days.
But after that it all started again....
I knew it was him because of the names used, and they were the same, and that's not a coincidence................. it was him, I'm sure of it.

So can someone, or even anyone from SpamCop, explain this in a not too technical way so I can discuss this with my ISP the next time the mails start to come...

John
dbiel
Have you gone through the MailHost configuration? If not, you should.
Yes, IP addresses can be easily forged. The mailhost identification procedure helps to clearly identify the valid IP addresses that the mail has passed through, discards any that are associated with your mail service, and ignores any except the one from which your mail service first received the message.
Another potential problem area is web sites that are advertised within the body of the message. Many times these are valid sites that have nothing to do with the spam itself and in fact are victims of that very same spam. These sites are sometimes reported in error, as the parser can't tell the difference between the victim and the guilty and the individual reporting does not take the time to carefully review the reports before sending them. I hope that this helps some.
The following is the current information on the IP address you posted.
QUOTE
80.57.52.231 listed in bl.spamcop.net (127.0.0.2)


Causes of listing
SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems
(these factors do not directly result in spamcop listing)

Listing History
In the past 73.6 days, it has been listed 27 times for a total of 53.4 days
Miss Betsy
If the spam is the same spam, then it is possible the spammer found another infected machine. The only way it would be the same infected machine is if the IP address is the same. Even then, it could be another infected machine using the same IP address.

So, it probably is the same spammer, but he may not be using the same machine to deliver.

Miss Betsy
john1000
Well, my main question really was... can SpamCop be fooled..
Because if that's the case, it would be the perfect way to spam for the rest of your life....
So even I can do it, dbiel?
Sending thousands of mails?
Find that hard to believe ....... :(
Wazoo
You're asking questions in the abstract. Please provide a Tracking URL of one of these that you've parsed or show some headers to show what you've got.
turetzsr
QUOTE(john1000 @ Jul 30 2004, 04:25 PM)
Well, my main question really was... can SpamCop be fooled..
Because if that's the case, it would be the perfect way to spam for the rest of your life....
So even I can do it, dbiel?
Sending thousands of mails?
Find that hard to believe ....... :(
...IIUC, one of Julian's great missions is to stay ahead of the spammers. Thus, little projects such as the SpamCop Mailhosts process are born.
...You're probably familiar with PC viruses and the various products available to avoid and/ or clean them. Virus makers are forever trying to beat, and sometimes succeed in fooling, the anti-virus products. Anti-virus toolmakers are forever reacting to these new virus strategies. Something similar goes on in the spammer / anti-spammer world.
...Those of us who use the internet are far more indebted to people like Julian (and those who help him) than is generally appreciated. :D <big g, that they are around!>
john1000
Well, unfortunately I've deleted the last received spam mails, otherwise I'd have posted them here.
But that is what I'm trying to say... reported at SpamCop, and it simply shows that it originates from 80.57.52.231, no doubt about that.... that is what the report says.
So the question is, is that accurate?

Because my ISP is saying...... yes customer, I know you reported it, and yes it says 80.57.52.231.... but sir, believe me.... it's not coming from him...

Well, to make it clearer... it's the same as that Iraqi idiot who's famous by now with... "believe me.... there are no Americans nearby and we are winning...."

How true is it when the SpamCop report says IP... 80.57.52.231?
So?
Wazoo
Again, you're asking abstract ... without seeing the data, the parse, all the details, there is no way to offer an answer to your question.
dbiel
QUOTE
How true is it when the SpamCop report says IP... 80.57.52.231?


Please note Wazoo's reply
QUOTE
You're asking questions in the abstract. Please provide a Tracking URL of one of these that you've parsed or show some headers to show what you've got.


Without that information your question is impossible to answer.
Too bad that you deleted the mail, so that you are unable to post it.

Remember that the parser is a tool. It is not perfect and it DOES make mistakes; that's the whole reason why we are told to review the results of the parse before actually sending out the reports. Despite what I have just said, I should also say that the parser does an extremely good job and I do not know of anything that works better.
john1000
Okay, here it is....
Spammer is busy again...

URL...
http://www.spamcop.net/sc?id=z578840707z09...7c25718e18f777z

And who can tell...?
Is it really sent by IP 80.57.52.231?
Wazoo
With only one IP / link in the header, there's no way one could argue where this one came from. On the other hand, there's no way anyone could be confused by where it came from, so one has to ask, how close are these headers to what's really being sent to chello abuse folks? Not going to accuse you of manufacturing a set of headers, but if this is the real thing, there's not much to discuss, debate, or analyze .. which is also why something doesn't smell quite right here .... how often does anyone see a set of headers that contains only a single Received: line??
john1000
Okay, call me an idiot for not understanding this tut.....
But the other previous ones are the same .... simple and not that long.
So please, Wazoo..... sent by that IP or not?
Yes or no...?
Wazoo
Again, based on your sample, the only way it did not come from that IP is if the chello servers are really screwed up and are inserting that IP as the Received From: address onto anything they touch ... or you've got a spammer that has direct control over either chello's e-mail server (or your e-mail application on your system) and can sweet-talk the app into accepting some direct text input and add the resulting output file directly into the Incoming E-Mail spool .... and if the spammer has this kind of access, control, and capability, one would think he/she would be really, really busy doing something a bit higher order than pushing some spam.

Now, on a completely different tack .... the included Base-64 content in your sample decodes to the following:

QUOTE
Norton AntiVirus heeft de bijlage verwijderd: Part-2.zip.
De dreiging W32.Netsky.Z[at]mm is gedetecteerd in de bijlage.
[Translation: Norton AntiVirus has removed the attachment: Part-2.zip. The threat W32.Netsky.Z[at]mm was detected in the attachment.]


Can you say .. yet another mis-configured anti-virus product that's sending out bad data to the (assumedly) "Forged" addresses in the header?

But even this seems odd based on the "From:" address used in what you offered as your sample, as one would think that this type of message would have come from a chello server, vice Microsoft .... again, something is not quite right ....
DavidT
I've got an explanation... IMO, the headers represent a message that was infected with the Netsky worm, but that has had its infection stripped by Norton AntiVirus.

The headers also tell us that the infected message was sent from a dynamic IP address, either dialup, DSL, or cable connected. This IP has been reported many times by SpamCop users over the last few months:

"In the past 75.8 days, it has been listed 28 times for a total of 53.8 days"

But as I look at the History, I'm pretty sure that those are all worm-related Subjects, so none of these reports should have been filed in the first place, because the system is NOT supposed to be used to report infected email, which isn't really spam!

So no, I don't think that the system is being fooled. Some SpamCop user who receives their mail at the Chello system is reporting another Chello user's IP because it's sending them infected messages.

BTW, I Googled, and came up with a blog entry (in Dutch) that deals with this situation...perhaps "john1000" can help us by translating? Here's the link:

http://www.euroblog.nl/wp-trackback.php/27

dt
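dbiel's MailHost description (discard the hops written by your own mail service, trust only the hop at which your service first received the message) and DavidT's explanation of the sparse headers (a worm's own SMTP engine connects straight to the recipient's MX, so there is exactly one Received: line and no outbound server in between) describe the same header walk. The script below is an added example of that walk, not SpamCop's parser and not code from anyone in this thread. The three messages are constructed (RFC 5737 documentation addresses, with the thread's 80.57.52.231 as the connecting client in the first one) and the recipient's "trusted" server names are assumed.

```python
"""Walk a message's Received: chain the way a mailhost-aware parser does.

Added example, not SpamCop's parser. Hops are read top-down (most recent first);
every hop must be stamped "by" one of the recipient's own servers until the first
hop that arrived from an outside address. That outside address is the source.
Anything beneath it was written by the sender and cannot be trusted, which is also
why a single Received: line is not suspicious by itself: a worm with its own SMTP
engine connects straight to the recipient's MX and leaves exactly one hop.
"""
import email
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The first bracketed dotted quad in a hop is the connecting client's address.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.\-\[\]]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


@dataclass
class Source:
    ip: str            # address that handed the message to the recipient's servers
    received_by: str   # the recipient-side server that accepted it
    hops_below: int    # Received: lines beneath that hop (sender-supplied, untrusted)

    def kind(self) -> str:
        return "direct-to-MX" if self.hops_below == 0 else "relayed"


def received_lines(raw_message: str) -> List[str]:
    """Return the Received: headers top-down, with folding whitespace collapsed."""
    msg = email.message_from_string(raw_message)
    return [" ".join(str(v).split()) for v in msg.get_all("Received", [])]


def find_source(raw_message: str, trusted_hosts: Iterable[str]) -> Optional[Source]:
    trusted = {h.lower() for h in trusted_hosts}
    hops = received_lines(raw_message)
    for index, hop in enumerate(hops):
        by = BY_RE.search(hop)
        if by is None or by.group(1).lower() not in trusted:
            return None  # a hop our own servers did not write: the trail cannot be trusted
        frm = FROM_RE.search(hop)
        if frm is not None and frm.group(1).lower().strip("[]") in trusted:
            continue  # internal hand-off between two of our own servers, keep walking
        ip = IP_RE.search(hop)
        if ip is None:
            return None  # our server did not record the client address; give up
        return Source(ip.group(1), by.group(1), len(hops) - index - 1)
    return None


# Constructed samples. TRUSTED lists the (assumed) recipient-side mail servers.
TRUSTED = ["mx.example.net", "mail-in.example.net"]

DIRECT = """\
Received: from pc (unknown [80.57.52.231])
\tby mx.example.net (Postfix) with SMTP id 7F3A1
\tfor <user@example.net>; Sat, 31 Jul 2004 22:10:00 +0200
From: forged@example.com
Subject: Part-2

body
"""

RELAYED = """\
Received: from mail-in.example.net (mail-in.example.net [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP id 1A2B3
Received: from smtp-out.example.org (smtp-out.example.org [203.0.113.9])
\tby mail-in.example.net (Postfix) with ESMTP id 4C5D6
Received: from [198.51.100.23] by smtp-out.example.org with SMTP
From: someone@example.org
Subject: hello

body
"""

# Top hop stamped by a host that is not ours: nothing in this chain is verifiable.
UNTRUSTED_TOP = """\
Received: from [198.51.100.23] by relay.example.com with SMTP
Subject: hello

body
"""

if __name__ == "__main__":
    for name, sample in (("direct", DIRECT), ("relayed", RELAYED), ("untrusted", UNTRUSTED_TOP)):
        src = find_source(sample, TRUSTED)
        print(name, "->", "unknown" if src is None else f"{src.ip} via {src.received_by} ({src.kind()})")
```

In the relayed sample the bottom hop claims a third address, 198.51.100.23, but it sits beneath the hand-off and was written by the sender's side, so it is ignored exactly as the MailHost procedure ignores it; the reportable source is 203.0.113.9. In the direct sample the only hop is the one our MX wrote, which is the worm-with-SMTP-engine shape DavidT describes and is no less reliable for being short.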
DavidT
QUOTE(Wazoo @ Aug 1 2004, 08:14 AM)
Can you say .. yet another mis-configured anti-virus product that's sending out bad data to the (assumedly) "Forged" addresses in the header?


No...in this case, it appears that an individual user's installation of Norton AV is doing exactly what it's supposed to do, which is to strip out infections as the messages arrive. The ".txt" artifact is a Dutch version of what Norton AV handled messages look like on my machine, so I'm sure that my analysis (see my previous reply) is correct.

dt
john1000
Well, naturally my Norton trashes the affected parts, but should that be of any influence?

And what's a "mis-configured anti-virus product"?

As for the "all worm-related Subjects, so none of these reports should have been filed in the first place, because the system is NOT supposed to be used to report infected email, which isn't really spam":

I've submitted all his mails... I got at least 25, and 6 or 7 were with attachments.
So that means, DavidT, that they were not all infected mails and, as you suggest, should not be reported...

But if it was so .... wherever a mail comes from, a lot of spammers are spamming using some kind of server to send it all.
So whose server?
Probably one with zero security.
If you're still following this......... with all this in mind..... reporting every spam mail should also help finding hacked servers.

But as I understand.... to be sure I have to wait until a normal spam mail comes without attachments; I will post it when it comes...
DavidT
QUOTE(john1000 @ Aug 1 2004, 09:27 AM)
Well, naturally my Norton trashes the affected parts, but should that be of any influence?

I don't understand your question. I explained that the example you gave us was an infected email message that your Norton had rendered harmless. SpamCop properly parsed the headers, but this kind of message should NOT be reported (see below).
QUOTE
And whats a "mis-configured anti-virus product "
I didn't say that....Wazoo did, but I think he was confused.
QUOTE
I've submitted all his mails... I got at least 25, and 6 or 7 were with attachments.
So that means, DavidT, that they were not all infected mails and, as you suggest, should not be reported...

I don't just suggest it...it is in the official SpamCop FAQ here:

On what type of email should I (not) use SpamCop?

where you'll see:

"virus infected emails are not spam regardless of whether you know the originating party or not"

QUOTE
But if it was so ....where ever a mail comes from,a lot of spammers are spamming using some kind of server to send it all.
so who's server ?

Wait.... in the example you've given us, there are lots of worm-infected messages coming from that IP address... but that's not "a server" -- in the case of "worms" like this, the worm has its own "SMTP engine" built into it, and so it makes direct connections with the MX of the recipient's system. So, that's why the headers were so sparse, because the infected computer didn't go through any normal outbound mail servers.
QUOTE
But as I understand.... to be sure I have to wait until a normal spam mail comes without attachments; I will post it when it comes...

OK...post the tracking link when you have one and we will try to answer any questions you have about it.

dt
Wazoo
QUOTE
I didn't say that....Wazoo did, but I think he was confused.

What!?!?! Me without a clue!?!?! hehehehe ... yep, I should turn this thing off today .. dropped off a computer last night, found my Mom in pain, apparently tripped over something while mowing the yard .. spent about 3 hours last night in the emergency room with her ... turns out that she's allergic to the pain meds they gave her to get her through the night ... woke up this morning with her hollering through the window to wake me up (dog had gotten excited during a thunderstorm, knocked over a stack of computers, which knocked a phone off its base ...) turns out Dad was headed off to get her new prescription and had been involved in a car accident .... I haven't been all that focused here with all the phone calls here to find out their status (they've unplugged their phone <g>) .... apologies for the mistakes ...
john1000
Well, never mind it all, I understand...
I'll post again when I get a clean mail....