Jump to content


  • Content Count

  • Joined

  • Last visited

Everything posted by amenex

  1. Here are the headers: > Return-Path: <rampartsm9[at]oaline.com> > Delivered-To: spamcop-net-[munged][at]spamcop.net > Received: (qmail 7207 invoked from network); 3 Feb 2009 11:59:12 -0000 > X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on blade4 > X-spam-Level: **** > X-spam-Status: hits=4.5 tests=MIME_QP_LONG_LINE,RDNS_NONE,TW_WT,URIBL_SBL version=3.2.4 > Received: from unknown ( > by blade4.cesmail.net with QMQP; 3 Feb 2009 11:59:12 -0000 > Received: from unknown (HELO PHRRDKTQ) ( > by mx70.cesmail.net with SMTP; 3 Feb 2009 11:59:10 -0000 > Received: by VKQCR.nmroqoauvrd.com (Postfix, from userid 80) > id KK42SRAP3M; Tue, 3 Feb 2009 19:59:09 +0800 > To: shinybluegrasshopper[at]spamcop.net > Subject: Give your couple some heat wtvoxu boeih > Reply-to: rampartsm9[at]oaline.com > From: "Noe Grimes" <31tcmcfq2723[at]oaline.com> > Message-ID: <527032188.70702468046195[at]rampartsm9> > MIME-Version: 1.0 > Content-type: text/plain; charset=windows-1251 > Date: Tue, 3 Feb 2009 19:59:09 +0800 > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: PHP > X-MimeOLE: Produced By phpBB2 > Content-Transfer-Encoding: quoted-printable > X-SpamCop-Checked: > X-SpamCop-Disposition: Blocked cbl.abuseat.org I'm not grumbling about the fact that it's been tagged as blocked by cbl.abuseat.org. It's the addressee: shinybluegrasshopper[at]spamcop.net - my spamcop username appears only in the [munged] second line of the headers: > > Delivered-To: spamcop-net-[munged][at]spamcop.net Why am I receiving this email ? It's not been filtered because I've set the filter trigger at five *'s (*****) and this spam has only four. There seems to be no hint as to why my Inbox is the lucky recipient. The first "received by" is nmroqoauvrd.com, a nonexistent domain ... George Langford amenex
  2. DavidT wrote: > Your question about the addressing is easily explained....a lot of spam gets > sent out using the BCC (blind carbon copy) method, so anyone's address > could appear in the "To" box and yet your address was on a BCC list that > you're not seeing. Arghhh. > However, the message in question should have wound up in the Held mail > folder...not in your Inbox, unless perhaps you haven't got all of the Blacklists > selected in your options? I've got the relocation to Held Mail on hold - I checked the "Tag Only" box so my filters will intercept the stuff that's guaranteed to be spam. > I'd also recommend a SpamAssassin setting of 4, rather than the default of 5. > That should help route more stuff to your Held folder as well.....but do go into > your options and make sure that all of the Blacklists are turned on. They're all on - but just tag the spams. I'm trying to design the filters so they don't mis-identify legitimate emails. I've got mail coming from several domains, and they all receive this BCC junk, so I'm filtering mail to "[at]domain" that has a SpamAssassin rating of ***** and worse. If I relax that, then a playful email might end up in my PsuedoHeldMail box. Is there any other way of catching BCC mail with a filter setting ? Thanks, George Langford amenex
  3. 'Farelf' wrote: > Thanks for advising on the wash-up George, marking this resolved. Followup: Worked like a charm, but I had to mark spamassassin as tag-only, or it would gobble up all the stuff intended for the "HeldMail02" folder and cram it into the standard "HeldMail01" folder. So far today, 100% of the spams in the "HeldMail02" folder are addressed to "myusername" or "almostmyusername" [at]spamcop.net. George Langford amenex
  4. After years of reporting phishes, spam etc. with my name & spamcop.net address in the clear, it looks as though essentially 100% of the spam in my Held Mail folder is addressed directly to my spamcop.net address or to a list of spamcop.net addresses of which my address is a member. As either I alone or auto-replies from anti-phishing groups send mail to my spamcop.net address, it would appear that I could use a Held Mail folder to accumulate the spam stuff, and which I would not need to peruse for accidentally flagged mail (such as legitimate new mail from gmail, yahoo, msn, hotmail, aol, etc.). I would have to whitelist the very few exceptions, of course. I 'spose I could do this myself by turning off all spam filters and then blacklisting mail addressed to spamcop.net, but I don't see any option for doing that. George Langford amenex[at]spamcop.net
  5. StevenUnderwood wrote: > You should be able to setup a client filter for that. If you set it up in webmail, it is only activated when you are logged into webmail. Log into webmail and click the filter button at the top. OK - After considerable effort, which included eliminating all my blocklists and emptying my 2200-entry blacklist file, I managed to set up a simple series of filters which send the spam that is addressed to my primary SpamCop account to a new "HeldMail02" folder. This was an elegant solution that StevenUnderwood suggested. However, getting the filters to function correctly was tricky. Evidently, if I check the box to stop filtering after a rule is satisfied, the S/W stops filtering altogether, even if the rule isn't satisfied. After I unchecked all such boxes in my train of filter steps, I achieved the desired results. Now the bad stuff ends up where I want it to go. > However, since it is spam and ending up in your Held Mail folder anyway, I would just report it. That wasn't the point. I was having to read through the bodies of all 200-spams-per-day, looking for legitimate email that was getting flagged by the blocklists or my blacklist. I then added them to my whitelist. New contacts might have gotten reported as spam if I wasn't extremely careful. Now my primary Held Mail folder will contain only what I choose to add to my blacklist (presently empty), and my "HeldMail02" folder will gather stuff that's guaranteed to be spam, except for stuff from the deputies ... such as my annual bill. I can modify the filter train to account for those. Thanks, George Langford amenex
  6. Wazoo wondered out loud: > I've read and re-read it a half-dozen times, and I don't really understand what you're asking. Everything in my Held Mail folder is addressed to amenex[at]spamcop.net or to [mailing-list-at] spamcop.net. That's probably the result of my persistent reporting of phishes. Perhaps some is the result of my regular spam reporting. I'm not complaining about the cause. If I could filter everything addressed to (not from) an email address at spamcop.net into my Held Mail folder and cancel all the other filters I'm presently using, then a very few spams would stay in my Inbox, and I'd have next to zero legitimate emails in my Held Mail folder. I'd still have to whitelist emails that _I_ sent to amenex [at] spamcop.net, as well as replies from the anti-phishing groups, but those are easy to spot from their Subject lines. Thanks for asking for clarification. George Langford amenex
  7. After weeks of effort listing IP's and domains of spammers in my personal blacklist, I am finding that new spams from these sources continue to appear in my Inbox and are not being transferred to my Held Mail folder. My intent is to dig these spams out of my Inbox, where they hide amongst legitimate emails, and to move them into my Held Mail folder, where I am willing to dig out the few legitimate emails that come from the black hat domains & IP addresses and to whitelist their senders. However, many new spams continue to appear in my Inbox in spite of the listing of their domains and IP addresses in my Personal Blacklist. Is there an activation box for my personal blacklist somewhere ? amenex
  8. Here's a tracking URL for a spam that only appeared in my Held Mail after I had placed its sender in my personal blacklist at least twice: http://www.spamcop.net/sc?id=z1526205850zf...e34fac13e5f640z I started this thread after making a search on the SpamCop forums & FAQ's for the term: "personal blacklist." There was only one hit, irrelevant to my concern. Whattaya mean, "... haven't heard of anyone plugging IP addresses into [the personal blacklist]" ? What's that list for, anyway ? I feel that I can be as draconian as I wish, even to listing partial IP addresses, in the hope of shifting blackhat stuff that somehow escapes my selection of _all_ (one exception) of the blacklists that SpamCop offers. That exception is the Spamhaus PBL which manages only to shift my own emails into Held Mail and no one else's. Greylisting does not work for forwarded emails. We already discussed that. When I find spam in my Inbox, I dig out _all_ the IP addresses and domain names that I can find associated with that spam, whether forged or not. I even dig out the spamvertised domains and _their_ ISP's. No one escapes my wrath. There has been no reduction in false positives and no increase in false negatives as yet. amenex
  9. amenex

    How is this possible?

    Yup; however, see this Spamcop discussion: http://forum.spamcop.net/forums/lofiversio....php/t8650.html My experience with a short (four hour) test of greylisting is that it greylisted one sender six times and six more senders one time each. About thirty spams got through from mail POP'ed from my various IP's. Greylisting works only on idiotic spam sent directly to my "user'[at]spamcop.net address. I have no idea how many folks got turned away at the door. George Langford (amenex)
  10. amenex

    How is this possible?

    Let's carry this a step further. Every day I get more-or-less the same pattern of spam content. I've applied all the blocklists that SpamCop offers, and I still have to scroll through about 250 spams a day in order to find the errors and whitelist the unfortunate few friendly emails that have a listed IP address. Put 2&2 together: 1. SpamCop looks up the true senders' IP addresses and records them. 2. My Smoothwall.org hardware firewall can be set to reject any of a [very long] list of black hat IP addresses. To arrive at this conclusion: SpamCop could keep track of the IP addresses that I personally have labeled as spam; let's say, that after I have reported xxx.xxx.xxx.xx# five times, that SpamCop simply bitbucket anything further from xxx.xxx.xxx.xx#. Once xxx.xxx.xxx.x## have been bitbucketed, henceforth bitbucket everything from the range xxx.xxx.xxx.###. Carry forward until all traffic from xxx.###.###.### gets bitbucketed. RIP. Put this another way: If I have reported a given IP block umpteen times for spamming, why should anything further from that source ever get placed into my Held mail folder ? amenex
  11. While in transition from one ISP host to another, I'll be wanting to POP emails down to my SpamCop.net account in order to cleanse them of spam with your fine service. However, I need several more lines in the table listing my POP3 servers in order to cover all the email accounts that I am passing through the SpamCop.net server. That table is here: https://webmail.spamcop.net/horde/imp/spamcop/popconfig.php Is there a limit on the number of these POP3 servers, or is it a simple matter to add a few lines to that table ? Thanks, George Langford amenex
  12. Not all is at it seems. The spam comes in so frequently now that I have trouble getting it all reported before downloading to my PC's. In order to back up my emails, I have resorted to downloading twice, once to each of two PC's. It's very hard to synchronize, as new messages come in while I'm downloading to the first PC (leaving the emails on the SpamCop server) and I have to check again after downloading the first batch before downloading (and emptying the SpamCop server) to the 2nd PC. Inevitably, a few emails are missed on the 1st PC, whose backup role is thereby somewhat compromised. I also end up with a few spams that sneak by in the interim. All this would be avoided if SpamCop could just devote a few bits of coding for some extra lines in that table. Remember, hard disk storage has gotten dramatically cheaper. My ISP originally let me use 1.5 GB of disk storage ... which got upgraded to 3 GB silently ... and which now stands at 600 GB for the same price per month as I originally paid for 1/400th as much space. On that basis, how much bandwidth is devoted to those bits of coding ? amenex George Langford
  13. Forwarding does the trick - this user resists using new features of S/W because of the often bewildering ambiguity of it all. Indefinite antecedents and all that. My new ISP's CPanel made the process of "adding a forwarder" childishly simple once I bit the bullet and ventured forth. "Forward your email to a destination of your choice" would have been far clearer. All it means is telling CPanel my SpamCop email address. Thanks ! George Langford amenex
  14. Wow, this sounds good. But I pop down 99% of my mail from other accounts. Won't greylisting create hassles with my other ISP's ? The only mail I get to my SpamCop email address is spam from idiots ... or my Held Mail digest, etc. and mail from the deputies after I screw up something ... amenex George Langford
  15. When my Inbox opens, there's a number just to the right of the word, Inbox. The number is in parentheses, and its value is almost always less than the count of email messages at the top right. In Held mail, the left hand count matches the right hand count. Might the disparity be due to a number of messages getting transferred to Held mail upon opening the Inbox ? George Langford amenex
  16. Alas, I use linux for tracking phishes. Oh, well. I tried tracking another phish today that was registered as ...mode.kg. Every time I tried WhoIs, I got a different list of five IP addresses. But the .kg registrar is broken - can't get the person's registration data. When I used tcptraceroute, I got different IP addresses every time I tried for the listed IP's. Hopeless. amenex
  17. Here's the link to the spam/phish at issue: http://www.spamcop.net/sc?id=z1329430016zd...dd0e11bf185f87z SpamCop says: > Resolving link obfuscation > http://session-4021028.nationalcity.com.dl...s/TreasuryMgmt/ > Host session-4021028.nationalcity.com.dllet.bz (checking ip) = > host = pD9E4072E.dip0.t-ipconnect.de (cached) WhoIs (http://centralops.net/co/DomainDossier.aspx) says: > canonical name session-4021028.nationalcity.com.dllet.bz. > aliases > addresses > > > > None of these IP's match SpamCop's WhoIs data ( My own 'puter tcptracerte'd the phisher's domain as follows: > Tracing the path to session-4021028.nationalcity.com.dllet.bz ( on TCP port 80 (www), 30 hops max ... > 11 dtag-level3-oc48.NewYork1.Level3.net ( 27.464 ms 28.382 ms 29.721 ms > 12 122.449 ms 121.048 ms 122.439 ms > 13 127.437 ms 123.784 ms 214.967 ms > 14 p508FDA03.dip.t-dialin.net ( [open] 170.089 ms 178.081 ms 179.967 ms This IP address ( doesn't match SpamCop's either. Registrant (http://www.belizenic.bz/): > ... redac ed > ... redacted > ... redacted > United States > Phone:143-50-914 Probably ID theft; phone number isn't a USA number, and I can Google the guy's address to a real estate transaction. > Domain Name: dllet.bz > Created on.............: 2007-06-08 06:33:41 > Expires on.............: 2008-06-08 06:33:41 > Record last updated on..: 2007-06-08 06:33:41 I've reported this domain countless times in the last few days. > Administrative Contact: ... redacted > Email: czubakowski817[at]yahoo.com Yahoo hasn't responded to my reports of this email as the phisher, either. ... > Domain servers in listed order: > ns1.smile-np.com > ns2.smile-np.com Neither of the above IP's matches Spamcop's; Googling reveals that smile-np.com is a known phisher/spammer that won't go away. WhoIs (http://centralops.net/co/DomainDossier.aspx) says: > canonical name ns1.smile-np.com. > aliases > addresses Different from the Belize registration ... WhoIs says: > canonical name ns2.smile-np.com > aliases > addresses Omigosh ! It matches Belizenic ! But not to my trace, nor SpamCop's. My routine with the Regions and National City phishes has been: 1. Use Venkman's java scri_pt Debugger to capture the sourcecode at the phishing site. 2. Perform a tcptraceroute with my debian-based PC. 3. Use Centralops' Domain Dossier to look up the WhoIs data for the original canonical domain name and for tcptraceroute's result. 4. Report and forward the phish to all the abuse addresses found, plus the various groups claiming an interest in stamping out phishers. I now discover that SpamCop is getting completely different data from mine. In the present case, I reported this phish as follows: To: jeff.sumner[at]nationalcity.com Cc: reyner[at]globalcon.net, abuse[at]t-ipnet.de, abuse[at]cox.net, network-abuse[at]cc.yahoo-inc.com, PIRT[at]castlecops.com, scams[at]fraudwatchinternational.com, reportphishing[at]antiphishing.org, spam[at]uce.gov You will note that somehow I managed to include abuse[at]t-ipnet.de with my apparently different IP address. SpamCop's routing details page offers no clues: > Reports routes for > routeid:27952578 - to:ripe.dtip[at]telekom.de > Administrator found from whois records > routeid:27952579 - to:abuse[at]t-ipnet.de > Administrator found from whois records Note that the routing details reported in the paragraph immediately above differ from the routing details that I quote at the top of this page. When I did a tcptraceroute again just this minute, I got another result altogether: > Tracing the path to session-4021028.nationalcity.com.dllet.bz ( on TCP port 80 (www), 30 hops max ... > 12 * ro-ccs-03.ro.intercable.net.ve ( 103.480 ms 103.698 ms > 13 * * * > 14 97.865 ms 98.581 ms 99.774 ms > 15 [open] 117.631 ms 106.192 ms 119.846 ms This phisher appears to have a dynamic method of changing registrations; is there any point in continuing to report these phishes ? amenex
  18. Aha ! Looks as though I should be reporting all five of those addresses. What about the smile-np.com and the dllet.bz domains ? They appear to remain immune to anti-phishing efforts. amenex
  19. My own emails started ending up in my Held Mail folder the other day, and so I started investigating. It turns out that there were three reasons that the dynamic IP address of my DSL server is listed on the dnsbl.sorbs.net blocklist: (1) Sending emails to a spamtrap address; (2) Open socks proxy; and (3) Using dynamic IP addresses without reverse DNS. They charge extra for static IP addresses ... but that's blackmail, as all I need for my server's IP address not to cause my emails to get blocked by users of the dnsbl.sorbs.net blocklist is for the canonical name of that server to be obtainable by WhoIs (if I understand this link: http://www.dnsstuff.com/info/revdns.htm). However, when I look up my current IP address in Domain Dossier I get this result: > canonical name h-74-0-115-202.phlapafg.dynamic.covad.net But when I do a TraceRoute, here is what results: > traceroute to (, 64 hops max, 44 byte packets ... snippage ... > 11 phlapa4lrs1-covad-2-1.wcg.net ( 10.216 ms 10.241 ms 10.888 ms > 12 * * * Looking in Domain Dossier for phlapa4lrs1-covad-2-1.wcg.net results in: > lookup failed phlapa4lrs1-covad-2-1.wcg.net Could not find an IP address for this domain name. But doing the reverse on works just fine. Is the point of the third reason for my ISP's listing in dnsbl.sorbs.net that TraceRoute doesn't complete ? How is it that Domain Dossier can find the canonical name from the IP address but not the IP address from the canonical name ... isn't that the opposite problem ? Is it a great deal of trouble for an ISP to set up reverse DNS service ? amenex
  20. DT has hit it on the nose - I sent myself a test email from my ISP's webmail service (Earthlink) and that sailed through without getting flagged. Here are the pertinent header lines: > X-Originating-IP: > X-SpamCop-Checked: is my DSL server's address - what my PC's connected to. is Earthlink's email server (elwamui-polski.atl.sa.earthlink.net). Quoting SORBS (regarding The first time I tried sending a test email through the Earthlink webmail interface, it got flagged by the dnsbl.sorbs.net blocklist, not for being dynamic, but for another reason (open SOCKS proxy) while my DSL modem was connected to a different netrange ( That sort of problem can be fixed by reconnecting the DSL modem; when I tried looking up instead of the open SOCKS proxy flag did not come up. Therefore, even though I had used Earthlink's webmail interface ( the email got flagged anyway because the routing went through that tainted DSL server ( I can live with an occasional bad day at Earthlink (such as that open SOCKS proxy) as it can be fixed by reconnecting the DSL modem. I was just reluctant to use the earthlink webmail interface as it had some quirky behavior early on. I'll give it another try now. Thanks for your help. amenex
  21. I'm using the DSL service provided by Earthlink. Earthlink webmail came along as part of the deal. My actual connection is served by Covad (owned in turn by Earthlink). When I send an email through the Earthlink webmail, that server gets flagged as already described. When I send an email through my Voicenet webmail account, the Covad server is part of the chain and so that email gets flagged because of the tainted Covad server. If I switch off my DSL modem, wait a while, and switch back on, I get another server in a different netblock, and that server causes the email to get flagged. All because I use the dnsbl.sorbs.net blocklist to block spam in my SpamCop.net webmail. That's not what's bothering me. It's that my emails are getting flagged (and possibly blocked) by my customers' spam filters, at least the ones also using the dnsbl.sorbs.net blocklist. For my cc's to myself to end up in my Inbox, I have to whitelist all my email addresses' otherwise, they end up in SpamCop's Held Mail. I agree that Earthlink/Covad aren't running their email servers responsibly. Cluelessly seems to be more to the point. I am not running these webmail servers - I am just a customer sending emails one at a time, with as many as three cc's to other parties, and I'm trying to find a knowledgable person at my ISP. The reason for my questions to SpamCop is that I want to know what is possible (reverse DNS ?). If reverse DNS is a no sweat process for Domain Dossier, then why can't Earthlink/Covad do the same ? As far as I can tell, they only have 1000 of these dynamic servers between them (Covad:; Earthlink: Those are the netblocks to which I find my DSL connection made most of the time. If I do not shut off my DSL modem, then the IP address stays the same for the entire time I'm connected.
  22. There seems to be a diode in the lookup process. Domain Dossier has no trouble associating a canonical name with the IP address of one of Covad's servers ... but TraceRoute can't find that name, because Covad hasn't set up reverse DNS. There seems to be a step missing ... and Domain Dossier uses that step. If Domain Dossier has access to that key step, can't Earthlink/Covad access it, too ? Here's what happens when I use the canonical name of that server: So TraceRoute gets just as far whether I ask for the route to the server by its IP address or by the canonical name. And if I try to acces that server myself, using venkman's java scri_pt Debugger, I get nothing. If I do the same thing with my website server's canonical name, I get an index file saying that there's no website configured at that address (because mine is one of about a thousand on that server). You might guess that my website's server isn't on the dnsbl.sorbs.net blocklist !
  23. Here are three sets of recent pertinent header lines: X-SpamCop-Checked: X-SpamCop-Disposition: Blocked dnsbl.sorbs.net ( is an "Open SOCKS Proxy Server" as well as "Dynamic IP Space") X-SpamCop-Checked: X-SpamCop-Disposition: Blocked dnsbl.sorbs.net ( is in a database of "servers sending to spamtrap addresses") X-SpamCop-Checked: X-SpamCop-Whitelisted: amenex ( is "Dynamic IP Space") As Earthlink/Covad have about 1000 servers between them, if I persuade them to install (is that the right term ?) reverse DNS service, I'll go from have zero chance of getting an untainted server to a finite chance, given that "Open SOCKS Proxy Server" and "server sending to spamtrap addresses" probably don't apply to 100% of the IP addresses in their net ranges.
  24. I'm just a DSL customer trying to run a small business ... and it's not cool to be showing up on a blocklist. No, I am not running a server. I'm using a SmoothWall.org hardware firewall, so it's unlikely that there's a server chugging away secretly in the background. And my LinkSYS router (also a firewall) isn't blinking unless I ask for stuff to come in or choose to upload stuff. Yes, it's the outgoing mail that's getting flagged, whether I send it through Webmail Service A ... or another webmail service B ... or SpamCop.net's webmail service C. However I send the email, it still all goes through the DSL server.
  25. Hello SpamCop ! It's back - the "enter your full email address" failure message. I entered my full, correct email address _and_ my full and correct password w/o Caps Lock on and _still_ SpamCop won't let me login to my email account. In the past, I was told that this was 'cuz of slowness at the SpamCop end, but it's 11:30 AM, past "break" time and before lunch. Why so busy ? amenex