Jump to content

Tim P

Members
  • Content Count

    50
  • Joined

  • Last visited

Everything posted by Tim P

  1. This phishing link was in one of my spams: http://www.google.com/url?q=http://www.goo...SLR4KqaQhIp9e9y which redirects to: http://mofklqbc4f.da.ru/3fi96g6di13232di79SLR4KqaQhIp9e9y But I'd really like to know how to get this without resorting to following a browser link and looking at the resulting packet data log. SC did not determine this link. It wouldn't go beyond Google.
  2. Tim P

    EMail problem?

    Emails popped between then and now. Hope it stays fixed.
  3. Tim P

    EMail problem?

    Well, now the mail is left on server at Yahoo! again, with all those downloading errors. What gives?
  4. Tim P

    EMail problem?

    Moderator Edit: this post was also split out from where the user posted it .. then merged into "this" discussion about "today's" events ... Problem cleared this end. Just wanted to update the group that my Yahoo! accounts were popped just now.
  5. Tim P

    EMail problem?

    Moderator Edit: This and another post were split out from the 2-year-old Pinned item that it was posted into .. then merged into this Discussion about events happening "today".... PM sent to advise of the move/merge .... Yahoo! is not being popped from my account either. I figured it had something to do with changes at Yahoo! since a reported exploit was being propagated through their webmail server on Wednesday. Anyone know anything more about this and some changes that may have happened at Yahoo! as a result? That could have something to do with this *pop* issue. Actually wanted to add also that there was a message that did get through which was grabbed by my antivirus scanner and the culprit could have been from that same Yahoo! vulnerability exploit. But it's too late to check that as the message was already deleted. Tim P. Thanks
  6. http://www.spamcop.net/sc?id=z754553313z3f...4ec2f8a6241859z spam from this outfit has always parsed correctly, until this one. error (relevant parsing lines shown): . 4: Received: from 216.171.217.252 (EHLO ns1.eprosender.com) (216.171.217.252) by mta168.mail.re2.yahoo.com with SMTP; Wed, 20 Apr 2005 06:00:33 -0700 Hostname verified: ns1.eprosender.com Trusted site mailgate.cesmail.net received mail from 216.171.217.252 5: Received: from ns1.eprosender.com (localhost.eprosender.com [127.0.0.1]) by ns1.eprosender.com (8.12.10/8.12.7) with ESMTP id j3KCurqJ082519 for <x>; Wed, 20 Apr 2005 05:56:53 -0700 (PDT) (envelope-from nate[at]ns1.eprosender.com) Internal handoff or trivial forgery No source IP address found, cannot proceed. Add/edit your mailhost configuration Finding full email headers Submitting spam via email (may work better) Example: What spam headers should look like Nothing to do. Wrong....216.171.217.252 has ALWAYS parsed as the source of this spam. What changed? Upon further review: http://mailsc.spamcop.net/mcgi?action=show...id;val=44082974 shows all successful reports, some of which were mine.
  7. To further clarify, if one has set up a pop from another server, i.e. Yahoo! to spamcop.net, those emails have not been popped from their server, i.e. Yahoo!. Those emails should still be on their servers and get popped into spamcop as the backlog is worked through. One may find their "unpopped" email either way. If you didn't remember your other account, now is the time to take notes or dig out that old password...
  8. In the past, such problems tend to resolve in a little time. It only takes a little patience. The login page still appears blank so I surmise that the mail backlog is being handled at the moment. When the server catches up, it will become available. Usually it's the reporting side servers that are borked. This webmail problem is unusual.
  9. This is a 419 spam, which is being misparsed as "too-old". It is not the first one that I have had. why is the parser accepting garbage lines with old dates?? http://mailsc.spamcop.net/sc?id=z802345019...9624e628007644z particularly see this: . Received: from smtp.mailix.net ([216.148.213.132]) by ibm36aec.bellsouth.net with ESMTP id <20050902200831.GXEJ12677.ibm36aec.bellsouth.net[at]smtp.mailix.net>; Fri, 2 Sep 2005 16:08:31 -0400 . next hop: . Received: from [192.168.8.8] (helo=localhost) by smtp.mailix.net with asmtp (Exim 4.24-H) id 1E3txK-0005MC-C7; Sat, 13 Aug 2005 04:13:38 -0700 . "Sat, 13 Aug 2005 04:13:38 -0700" <- WRONG My hosts file is configured properly and has been since its inception. Pay particular attention to the Bellsouth header. That is my mailhost's server which has the proper time stamp. The next received header is not giving the proper date, time and it should be at least be ignored. It looks like either a forged line or a config problem at that mailserver. The parser accepted the date from that last header above as a valid date. That is wrong, since my mailserver didnt get any email until today, the date should be trusted *only* at my mailserver. But even so, why is that last line being trusted? "Received: from [192.168.8.8] (helo=localhost)" being reported by a supposed trusted server (if "smtp.mailix.net" is trusted, that is). That should automatically throw it out as garbage since there is no valid source ip being recorded. In other words - a mailserver will record the source IP correctly at the SMTP transaction but nobody would expect a "local net ip". Indeed, that connection should have been rejected outright. Since there has been some recent conversation on forged dates, too old to report spam, I am inclined to believe that a spammer has found an exploit. Do the deputies confer? Tim P
  10. Parsed at this time, thanks.
  11. IMAP is so much easier to sort the mail and report via website. I did not have any problems with it and have done this for about two years. That changed today when I noticed that the mail client program would move the items around, but it would not show that they were being moved to a folder. It appeared like the spam was being moved - but "it just disappeared" When I looked in the folder that I directed it to go, the mail was *gone*. But, in light of todays discussion of a sluggish server-something was up. I verified that the mail was actually moved from the webmail side, and that the reporting side was working (held mail report checks). Is this a related symptom of the recent server trouble? Just have to verify that the problem is not on my end, thats all. It does show in the client program - but after a very long delay (something never seen here before). I use the IMAP (secure) connection at imap.cesmail.net. Should I reset that to imap.spamcop.net? as that cesmail domain may be phased out soon., so I've seen in the FAQ. Didn't get a round-tuit.
  12. Tim P

    Reporting Errors

    "Failed to load spam header:735795885 / 0xxxxxxxxxxxxxxxxxxxxxxxxxxxx putRow Table 'thrash.unreported' doesn't exist (1146)/sc?id=zxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxz" Reload from last tab....back in again. Whats going on?
  13. Tim P

    Slow Reporting

    No rashes, per se. But the reporting side just got slammed from my perspective. Worked fine throughout the day and then..... Gateway timeout.... Site not responding from other parts of the net. Something choking the system? The graphics of todays volumes shows a hole for a brief period. Oh, one more thing I wasn't expecting. I've had to re'log in to submit a report on several occasions. That is unusual.
  14. Tim P

    Blacklist redundancy

    Although it is rare, there have been times that a new listing hasn't propagated through all the lists yet. I had a spam that was blocked by cbl, but not by xbl.
  15. A workaround would be to change your filtering blacklists by checking on the Spamassassin and increase it's threshold to the highest setting (whatever that may be). That should pass all but the highest scoring stuff, but it will also include the URIBL lists in the header added by spamassassin. An example of a header line added by spamassassin: X-spam-Status: hits=6.1 tests=FORGED_RCVD_HELO,RCVD_ILLEGAL_IP, RCVD_NUMERIC_HELO,URIBL_OB_SURBL,URIBL_SBL,URIBL_WS_SURBL version=3.0.0 -------------------------------------------------------------------------- "URIBL_OB_SURBL" "URIBL_SBL" "URIBL_WS_SURBL" There are some other URIBL's too. ".... _SURBL"
  16. Tim P

    Does it ever end ?

    Yes, quite right. I meant Bcc: Just didn't re-edit the post.
  17. Tim P

    Personal Whitelist Problem

    From my own experience with Yahoo!...sometimes they do changes, or alterations, to the headers that affect the way my email client handles them. It seems that, yet another change at Yahoo! has been implemented and your current whitelist filter is no longer valid. Just a guess, but that seems to be what this situation is. I dont know what all the fuss here is really about though...
  18. Tim P

    Too Many Links??

    That is not unusual for me to get hundreds of such disposable urls going back to 202.102.230.36 or 37. There are several others of recent, but not the several thousands that would be imposing to try to follow up with each one. It appears to me as a trend that is becoming more popular. As the url gets identified and listed, the spamgang moves on to another url which wasn't used but has been predetermined way in advance. I get the Brazilian ROKSO spammer crap that has a pattern of RANDOMWORD-numeric digit- RANDOMWORD. info It used to resolve to an address ip in Brazil. The url's keep changing. Now it has started appearing at another particular IP address, in Korea. It just shows you how hard these scum are trying to evade spamsite url filtering and being identified by hiding/cloning behind the name of some other notorious spammer. Unless there is a combined pool of spammers doing this, it may become impossible to identify the culprit(s). I am glad to see that the spamcop continues to progress with these tactics and continues to "dent" the spammer crap but it is frustrating to keep seeing the "too many links" message or the "no links found" when all the spammers' are doing is changing the coding by a "base 64" header line or other encoding header to fool the parser to not detect such links. That was new to me also: The plain message was gibberish when viewed at the webserver online, but if the message was treated as unencoded, the url link was in plain sight. There should have been no confusion on this. Oftentimes, the Yahoo server I route through correctly IDs this as BADURLLIST=spamcrap.com and spamcop doesn't detect any spamvertized links, or cannot resolve the links that were found. Yahoo is not perfect either in this regards as one of the bogus/innocent links sometimes matches a BADURLLIST=innocentsite.com, but it appears to have the resources to find the correct target link much more consistently. That is the critical problem IMHO that spamcop is having but there is progress. This is not new to the spammers who browse this forum so it is probably not giving anything away. I have other methods.
  19. Tim P

    Does it ever end ?

    For a consumer oriented viewpoint, it would also be good practice to give a "uniquely identifiable" email address for each business contact..... Not to promote any email service in particular, I have used a service that generates such email addresses and provides a very efficient way of whitelisting by tagging the header with that info. It is much easier and it has worked for me for over three years now. I have literally hundreds of such addresses given out and have not received "one" spam email with the exception of spam to the one posted in public and you can guess which one that is! These are "semi-disposable" depending upon how careful one is about informing the business contact to avoid sharing that email address with any one else. Since my dealings online have been to legitimate businesses, I have not had one single problem with spammers whatsoever . Businesses are very careful about divulging email addresses these days anyway - but that responsibility I share. I have ensured that the email I do receive is coming to me because I asked for it - mailing lists, etc. I document each email address with the expected folder path of it's origins. My personal spammed box (1 email, 1 ISP) is solely for family and friends so it is real easy to guess who the spammers are. Iwill not bow to them by giving up my personal email, but instead will continue to report their abuse. Just my input, and a question about what qualifies as UBE sent to many people. It is not easy to tell to whom that spam was sent to. In particular, how would one tell that a spam was sent to multiple recipients when it is clearly a spam message? I get some with an email address that is not mine but nevertheless I received it. Is this a message sent to me by Bb copy? Messages sent by Bb are hidden from others in the headers (from what I understand). I will report these and continue to do so unless someone can show that the hundreds of messages I receive daily (Literally) are NOT UBE messages sent to multiple parties. Clarification please....
  20. It should prove an interesting exorcize to newbies to review what the headers of such looped messages look like... Snail-mail can do the same (from my own experience). Only there are yellow forwarding addresses pasted one on top of another. When someone noticed that " this mail is looping" and fixed the problem, I got a letter with 10 of them.
  21. Why are there duplicate entries for the same party? Clearly they are one and the same. Re: 216.29.43.31 (Administrator of network where email originates) To: abuse[at]cogentco.com (Notes) Re: 216.29.43.31 (Third party interested in email source) To: abuse[at]cogentco.com (Notes)
  22. http://www.spamcop.net/sc?id=z695881370z45...6a14a38261b625z I'm getting these "bounce" messages from spammer(/s) who do nothing but taunt SC reporters. They believe that by forging these...(who knows why?) they can hopscotch their bogus crap to the rest of us without impunity. No... it is not spam sent to someone else. It was deliberately sent to me. Has anyone run into this stupid spammer trick? Hard to imagine that this is unique at all. I can, and do, report these to the abuse desks on my own.....but I want to have reports sent directly from SC to these scumbags so they cant hide from their internet access providers (and thus avoid getting kicked offline). Isn't that part of what SC is designed for? Some of these same 'bouncers' are involved with the criminal fraud on the net. (I will not reveal any proof of that info here) I'm tired of obtaining : "message looks like a bounce, will not report. Do not report bounces as spam" :angry: Please fix this. http://dnsstuff.com/tools/mail.ch?domain=M...0ns.everzen.com Getting MX record for ns.everzen.com... Received an NXDOMAIN response. This means that the ns.everzen.com domain does not exist! No mail can be sent to it. Please fix the parser to detect these forgeries and generate reports as usual. It would add to the statistics and chase the spammer from hiding from his/her provider. Unless someone has a better idea?......
  23. Tim P

    Forged bounce messages

    Do you mean in this part in the other forged bounce?: ------------------------------------------------------------- . From: "Postmaster" <postmaster[at]yahoo.com> Reply-To: "Postmaster" <postmaster[at]yahoo.com> To: x, x, x, x, x, x, x, x, x, x, x . ------------------------------------------------------------- Let me dig up the original and see.... Yep....all are to separate recipients. Also, the *bounce* message doesn't have a copy of the original message containing any headers at all. Or in the bounced email sent back by MAILER-DAEMON[at]ns.everzen.com?: --------------------------------------------------------------------------------- . Return-Path: <x> Received: (qmail 20737 invoked from network); 24 Nov 2004 02:21:13 -0000 Received: from c-24-131-59-34.mw.client2.attbi.com (HELO compuserve.com) (24.131.59.34) by aote.net with SMTP; 24 Nov 2004 02:21:12 -0000 Date: Tue, 23 Nov 2004 08:21:55 +0000 From: 1pepper <x> . ---------------------------------------------------------------------------------- Checking the original now....It does indeed have both fields with my email address. The From fileld also does not have my real name (the name I use as a From name). I got a bit hasty to report this one. My mind must've been somewhere else at the time. BTW Happy Thanksgiving everyone!
  24. Tim P

    Forged bounce messages

    Apparently this link is misleading then: http://dnsstuff.com/tools/mail.ch?domain=M...0ns.everzen.com I've seen forged bounces enough to know who and why... missed the ip (209.97.207.114) and didn't follow through when the "looks like a bounce" message came up. I made a mistake. However, there are others I have pursued, and they are forged bounces: http://forum.spamcop.net/forums/index.php?showtopic=2976 A response from Richard about another bounce message: http://www.spamcop.net/sc?id=z690869826z56...000f8264f51b2ez " It is a fake bounce, but not because of the reasons you cite. Bounces can go to two addresses if the envelope and from are different on the original mail.. However, I would expect a Yahoo bounce to come from a Yahoo server; and, I wouldn't expect to see an obviously forged received line in a bounce (from Yahoo):..." < snip > I had reasoned that bounces cannot go back to multiple recipients unless the same message was interpreted to come from multiple senders... This reads that two email addresses, one in the " from:" and one in the "reply to:" address, are notified. But this doesnt explain more than two recipients getting the bounce message. These forged bounce exploits should parse as spam and that has nothing to do with bounces and viruses. I was simply requesting a tweak to the parser to foil this exploit. Guess more forged bounces will get sent to deputies
  25. Tim P

    Do you need a used Rolex watch?

    Oh nooo, not during the Christma$ $eas$on..... That would be sacreligious. You should wrap him up in neat christmas present packaging first...
×