Everything posted by showker

  1. showker

    PinkSheets Interested in Pump 'n Dump Spam

    EXCELLENT !! I'm glad someone posted that here. EXCELLENT ! I ran a 16-week article series on Pump-n-dump last year when the plague really ramped up. We went so far as to report the actual company, and investigate stock holders with large, recently purchased blocks of stock. We worked with SEC and Pinksheets. Working through Wachovia Securities and the SEC, many of the spamvertised companies were very thankful for our work. Each week a report was published like this: http://www.user-groups.net/safenet/0604-22_stock_scam.html And during that time we got all kinds of mail from irate spammers who thought we were attacking their spam practices unfairly. We also got email from nearly a hundred computer users who had actually fallen prey to the scams and LOST THEIR MONEY. Since this is a user group web site, the articles were mentioned in some 1,500 user group newsletters around the world, and that publicity brought in a large gathering of spam reporters -- hopefully through that publicity we helped innocent users avoid losing their money. Anyway, through that series, by exposing enough of the spammers, we noticed a substantial drop in the number of stock scam spams. But now, they seem to have come back. The information above is EXCELLENT, and we'd like to mention it in a new article at UGNN.com if that's okay. Fred
  2. showker

    Spamming Forums

    I launched the "Design CAFE" and "Photoshop 911" forums around January 5th, and instantly had several spambots hitting the forums every day. We EVEN have a Captcha. However, spambots have become sophisticated enough to decipher captchas. Depending on WHICH forum software you use (we use vBulletin) there are several Open Source plug-ins that have taken a different tack with separating the genuine humans from the low-life, sleaze-ball spammer spambots. The one we got asks a simple question. It requires thought on the part of the applicant. * "What is the last word in the previous paragraph?" * "What color are UPS delivery trucks?" Then in the code, you provide a selection of possible answers; caps, etc. You can also modify it to instruct the user what to type in. The bots can't figure this out -- like their owners, they are too stupid. So far (fingers crossed) it's been 100% effective. Another will show a small, simple picture of an object and ask "What is in the picture?" This has also been 100% effective. Check the support forums for the software you are using and I'm sure you'll find all sorts of possible solutions. Ours was listed in the http://www.vBulletin.com/ forum, and my server guru simply plugged it in and configured it. Presto! Spammers GONE. Of course, if the spammer IS human, then they can get in. But then they are easy to delete and block via IP blocking. Fred http://www.DTG-forums.com/
  3. Does anyone have a CLEAR step-by-step on locating a specific IP owner ??? SamSpade IP Lookup no longer works the way it used to. Most WHOIS is forged, bad phone numbers, etc. www.roundcircumference.com has been pounding me, and I want to contact their higher-ups. [Moderator edit - link broken]
  4. For the past two weeks, SpamCop's reports have not included the Link or Site advertised in the spam. Consequently, the reports have stopped reflecting the actual spammer.
  5. showker

    SpamCop Drops "Spamvertised" sites...

    FIRST: Quote:

    > ...This is exactly the type of thing discussed in the FAQ entry to which I
    > referred and many of the SpamCop Forum threads you'll find by
    > doing the search I suggested in my first reply to you.
    > Please do some reading there and then return here with any specific
    > questions you have about them

    You did not reference the forum thread, and I do not know what to 'search' for... all of the references returned when searching for "finding links" assume that SpamCop looks for and finds links embedded in the spam. Totally different issue, since this thread confirms that SpamCop does NOT find links embedded in spam. (Or, at least stopped finding them about two weeks or so ago.)

    CONFIRMED

    I just spent over an hour very carefully tracing and validating 8 new spams sent in by a spammer based at : http://hypotenuse.roundcircumference.com/ Each one spamvertised a 3rd party "affiliate" link, at a totally different domain. Each had an embedded graphic from that domain. Each had more than one additional link in the html of the spam. Every SpamCop.net report gave the SAME :

    > Finding links in message body
    > no links found

    See this for yourself at: http://www.spamcop.net/sc?id=z1167831047z6...df088347ceef85z

    All of the spam coming from this guy at hypotenuse.roundcircumference.com "say" they're being reported to :: abuse[at]ca.mci.com Obviously, "abuse[at]ca.mci.com" is not interested in stopping this guy. So, this thread is useless. Another spammer gone free.
  6. showker

    SpamCop Drops "Spamvertised" sites...

    Okay... I was just hit with another of "those" spams, and this time decided to actually document the problem. As you see in THIS screen capture... http://www.ugnn.com/pictures/spam_report.gif the actual SpamCop reporting says

    > Finding links in message body
    > no links found

    Yet looking at the actual text of the spam, you see there are AT LEAST THREE unique links, NONE OF WHICH are related in any way to the admin recipient of the report. I'll grab another one in the morning. Now it's getting dark, and I'm going home. :-) Good night. Fred
  7. showker

    SpamCop Drops "Spamvertised" sites...

    Okay... here's an example:

    In the SpamCop report results I see this:

    Please make sure this email IS spam:
    From: "Rosetta Kirk" <gazwisconsinliftvot[at]wisconsinlift.com> (Don't be the "little guy" in the club)
    ------------F21CED3BBB48D3B
    Content-Type: text/plain; charset=Windows-1252
    View full message

    Here is the TRACKING URL noted by SpamCop for "future reference"

    From: "Rosetta Kirk" <gazwisconsinliftvot[at]wisconsinlift.com> (Don't be the "little guy" in the club)
    View full message
    http://www.spamcop.net/sc?id=z1167110244z7...0432aa483eb663z

    Report spam to:
    Re: (Administrator of network where email originates)
    To: abuse[at]tpnet.pl (Notes)
    Re: (Third party interested in email source)
    To: Cyveillance spam collection (Notes)
    Re: User Notification (Notes)

    ###

    ...and, there's a button to click to "Send Report"

    That's it. So, I've sent the report to the "abuse" guy at tpnet.jpl, and the "third party" who is at the SAME IP ADDRESS. Yet, buried down in the spam is the link to the actual spammer

    <a href="http://www.olelukoe.net/?90&GJj7GJG5DFG0HKgf"> Read more testimonals about this marveouls product here! </a>

    olelukoe.net = (Zhejiang China) ... the spammer is in China, NOT -- a server in Poland

    So, SpamCop has reported this incident to an admin in Poland, when the actual spammer SHOULD have been reported to an admin in China. I've only seen this start in the past two weeks or so. I'm just wondering why the change in reporting. It's sort of like when you report a murder, you identify the street where the murder occurred, rather than the murderer who committed the crime. Does that make sense?
  8. showker

    SpamCop Drops "Spamvertised" sites...

    No, no, no... that's not at all what I refer to. Over the entire history of SpamCop reporting, the report would always return with included links... they would include "admin of websites referenced in spam" along with the offending links. (These 'offending' links would be the actual spammer's site that the spam wants you to click to -- as opposed to *who* sent the spam -- as we know, *who* sent the spam is usually a forged address that leads nowhere.) However, in the past two weeks or so, these sites "referenced in the spam" have been OMITTED from the reports. So the admins of those sites have NOT received SpamCop complaints. In the case of Phishing -- this defeats the entire purpose of SpamCop reports, because the 'spoofed' victim -- be it eBay or Paypal, or whoever -- has not been alerted. Worse yet, the admins of the servers and networks hosting the phisher have not been alerted either. Only the admin of the network where the spam originated. So, that's the question -- How come SpamCop no longer references links within the message of the spam?
  9. Site is down. Now merely says "Bad Gateway". So, someone must not have been happy with the project.
  10. showker

    so-called "Online Pharmacy"

    But wait! How can that be? If the spammer sends 25 million spams which say "Click Here" A million people click the link when they check their email at 8 am EST... Does not fit the definition of DoS? Not prosecutable in court. The million people are simply doing what the email requested. AND... who might become 'victims' ? They're certainly not victims if they rely on a spam-friendly ISP... everyone has a choice. This would be a strong 'learning experience' telling them to move to a more reputable ISP. I dare say that if such an (implausible) event should take place, you would not get a single complaint. Who would they complain to ? And what would they say? "Hello, Police: someone just knocked out my illegal phishing site." or "Judge, these people are preventing me from selling illegal drugs into the U.S. from my non tax-paying business off shore -- after I sent 25-million unsolicited emails in bulk -- to addresses I harvested off the internet." I would like to see that one in court.
  11. showker

    Amazing reduction in Spam

    How do you do that??? ( http://www.knob.com/spam/ ) I'd like to start one of my own! I'm seeing the same kinds of rise and fall in my spam as well.
  12. showker

    so-called "Online Pharmacy"

    Hear, hear! I second that motion. Or.... a million people do exactly what the spam requests... click the link ... all at the SAME time. Bingo. spam site gone... probably taking a bunch of the others down the tubes with it... along with one angry ISP, who just might be more careful who they host. Well, maybe not.
  13. showker

    BotNet scenario

    All the more reason to deploy an "FFB" than one single entity. No matter how good the criminals are, they couldn't go after hundreds of thousands of individual users for retaliation -- even if they could find out who they are. :-) See: http://www.paulgraham.com/ffb.html
  14. showker

    I want to block all of Joker.com

    Actually, not an 'individual' but one with a dedicated server hosting a number of client web sites. So, thank you -- I stand corrected that the IP blocking thing does me no good, and I'm wasting my time looking them up and adding them to the server's block list. :-( other suggestions?
  15. showker

    Spamvertised Web Sites

    With the "title" of this topic being "Spamvertised Web Sites" I had no way of knowing the "BotNet Scenario" would be a more appropriate thread for discussions about spamvertised web sites. (I used search word : "spamvertised") Since the Spamvertised site is the focus of the spam, (understanding that not all spam advertises a web site; a.k.a. 'stocks pump & dump') why is it that no one is really inventing a way to use the spamvertised URL as a target for filtering. Someone earlier in the thread commented that the IP changes frequently or is unreliable. However, that shouldn't be an issue when talking DOMAIN blocking. The 'name' of the domain is blockable no matter where the DNS is. AOL blocks 'spammers' based on the domain name in conjunction to the domain's IP. One of my client's "domain" was blocked by AOL because of a zombie someone within the organization was inflicted with. Exhaustive means to get them white-listed with AOL proved fruitless. So, I moved the domain to a totally different IP block, on a totally different ISP. Guess what? The domain still blocked. So, it stands to reason that if spamvertised www.My-PhArMa.com is a) blackholed, or blocked in the entire DNS system then that spamvertised domain is no longer usable. Several years back there was some interest in "FFB" or, "Filters that fight back" ... This was an excellent concept, and if it were implemented, we probably wouldn't be seeing ANY spam advertising a domain any more. See: http://www.paulgraham.com/ffb.html Note that was in 2003. At the time, I approached the 'inventor' with an offer to finance the full programming and testing of that "filter" as a "proof of concept". It was my intention to release the filter as "freeware" and encourage people to download and install it. I was turned down due to the fears of reprisals from the underworld. Five other programmers also turned down the assignment due to the same fears. 
The "Anti-spam" community slammed the idea, calling it an "organized denial of service attack" (CAUCE and others) -- yet legal counsel advised it couldn't be prosecuted as a DOS because thousands of pings would all be coming from all different senders -- not trackable, much less prosecutable. I gave up. But when that person posted to this thread ... That was a clear vote of approval for such a filter program. How to deliver it to hundreds of thousands of computers is yet another challenge. But, as of today, I still believe the concept has real merit, and deserves to be tested. If it knocks out spam that advertises a web site -- porno, etc., then I'm all for it. Good day Fred
  16. showker

    I want to block all of Joker.com

    Okay... Sorry for the ambiguous 'question' ... Many spams, particularly blog spams, I track using SamSpade.org and various other tools, lead me to the spamvertised site being hosted on an IP number which is owned by Joker.com. I follow the domain TO its IP address, then using the IP Whois, find the address is registered to Joker. My question is actually simple: If I block THAT IP address -- I will be blocking that specific IP address... whether a dedicated IP, or a shared one. (Right?) Now, my ISP says I can put a 'star' to substitute the last THREE or SIX numbers of that IP, and it will ALSO block all the IPs under that block. Doing so, I would block the spammer's IP, along with anyone else sharing those blocks. (Right?) Is this a logical means of blocking anyone hosting on Joker? (For instance, if Joker is Domain Kiting, in order to deploy them, they would have to come under one of Joker's IP blocks. Right?) Guess I need a little help understanding IP addresses, IP blocks, and how the numbers relate to the entity owning the block. Thanks for any help on this. Fred
  17. I know it's off topic... I just wanted to say I applaud the moderators, staff and others who answer questions and bring this forum to this level of excellence. BRAVO! You can delete it now. Fred
  18. showker

    Noticeable increase in spam

    FOLLOW UP I tracked five of the SAME emails this morning... to three different "honey pot" addresses, and found they ALL came from the SAME IP ... However, when tracking that IP I came up empty handed... Response said: > Server Used: [ none ] > ERROR: IP Range Reserved by IANA.org So, the big question is: ? How does the spammer use a "none" server to send spam, and ? What is a "reserved" IP by IANA, and ? Why would IANA allow this use of a "reserved" IP doesn't make sense. I think I should post this as a new topic. Fred
  19. showker

    Spamvertised Web Sites

    And that's a real shame -- the worst news you'll hear all day. The "Spamvertised" URL is the REASON for sending spam. If the Spamvertised site got blocked soon after the spam barrage begins, then they lose that revenue stream -- the reason for sending the spam in the first place. Most spam comes from a handful of professional spammers. Clients hire those spammers to generate traffic to their web sites so they, themselves won't get caught. If the advertised site is blocked from some pretty big ISPs (AOL, Earthlink, Verizon, Comcast, etc.,) -- guess what -- they would stop hiring the spammers. Some might even demand their money back. That's why reporting email is ineffective and will NEVER stop the spam. (sheesh, why can't people understand that ??? ) Follow the money trail of online crime, and you'll find the criminal. Follow the messenger and you'll find a dead end. (sheesh, why can't people understand that ??? )
  20. showker

    Analyzing header

    So -- can you illustrate WHAT the "IP of injection" is ??? And, is that the IP one would BLOCK at server level?
  21. showker

    Noticeable increase in spam

    Another frequent one... several dozen since yesterday. But I doubt you'll find the actual spammer -- I believe it's a zombie propagated to user PCs. I've done a bit of hand tracking on that one and it does bounce around quite a bit all over the world. This is another of those cases where the SPAMVERTISER should be the trail, and NOT the sender. If you follow the money trail up the chain, it comes back to a Canadian attempting to get associate fees from one of the bigger online pharmacies. The host of which will not respond, and denies that they're hosting the spamvertised site. /-(
  22. showker

    My Emails blocked by "Spam Cop"

    Richard, you are an "innocent victim" ... and should find a better host. Freeserve.co.uk has shown up in dozens and dozens of spams and blog spam postings over the past two months. Unfortunately, Freeserve allows users to set up a "free" hosting account -- and therefore is open for botspammers. I was getting no satisfaction from SpamCop, after several HUNDRED spams to "Freeserve" sites -- so, I began reporting them manually directly to the abuse admins of Freeserve. I was able to get many of them shut down -- however, Freeserve obviously didn't change their policy, so for every one I shut down, there are six more to take their place. I gave up and blocked the ENTIRE Freeserve nation from our servers. Plunk! Gone. So, you got blocked in the process. Sorry. Get a host with some principles. :-)
  23. Okay... now I think we're getting someplace. Here are the results of that check: I submitted : SpamCop Said:

      > Statistics:
      > listed in bl.spamcop.net (
      >
      > More Information..
      > not listed in dnsbl.njabl.org
      > not listed in dnsbl.njabl.org
      > not listed in cbl.abuseat.org
      > not listed in dnsbl.sorbs.net
      > not listed in relays.ordb.org.

      Which obviously means that I accidentally let one of my OWN emails get "Reported" to SpamCop via the "REPORT AS spam" button in the "HELD MAIL" section !!!! And, I knew that would happen because there are so many it's difficult to check each one several times a day.

      SO -- the BIG question is: HOW do I get REMOVED from the bl.spamcop.net ???? AND... WHICH if any, of the OTHER black lists should I subscribe to??? (Since I removed the bl.spamcop.net in the "SpamCop Tools" won't it cease filtering and trapping the spam from my mail?)

      Thanks for the above-and-beyond-the-call-of-duty help. Fred
  24. The problem went away, now it's back. I inquired:

      >> How do I get it to STOP filtering --
      >> that's MY server, and I assure you we are NOT spammers.

      Then Mr. Underwood said:

      > Unless you turn off the bl.spamcop.net check, you can
      > not get it to stop filtering on an IP address.

      I do not understand. HOW do I turn "OFF" the "bl.spamcop.net check" ??? I believe some low-life spammer has been spoofing my domain, making it appear that spam has come from our server.

      Then Mr. Underwood said:

      > Also, either spam is coming from your server (possible virus
      > or trojan) or you are reporting yourself using quick reporting.

      My admin looked and said there are no holes in the system. He ALSO has not gotten any SpamCop reports. So he says.

      Mr. Underwood also said:

      > If you are reporting, I would configure mailhosts and
      > make sure that ALL servers your email travel through
      > are included within the mailhost configuration.

      Sorry... to seem so stupid... but again I don't understand. How do I "configure mailhosts" to accomplish what you suggest???

      and then. . .

      > you have the same tools I do if you have a spamcop email
      > account with the associated reporting account.
      > Place the IP address (only) into the paste-it-in parser and
      > look at the report history link.

      Where would I find the "paste-it-in parser" ? I looked at the SpamCop "Reports" and none of them contained our IP numbers. Should they if we got reported?

      In essence: I need to WHITELIST my IP addresses, right? I also need to somehow get my server removed from the black-list, and somehow white-listed... is this correct?
  25. Okay... thanks for your speedy reply. I was not disagreeing to disagree.

      ... > You can agree or not.
      ... > If all of the messages that were held looked like the above
      ... > (had in the headers), that is why they were held.

      No. It's just that it was the only example I had saved. How do I get it to STOP filtering -- that's MY server, and I assure you we are NOT spammers. There were many others from all kinds of other ISPs (IP blocks) that are known safe and not usually over in the spam folder. Like DOZENS of them, not just this one.

      For instance SpamCop was putting mail into the "Held" folder from all kinds of sources that I've been getting "safely" for ages -- from major known "good" sources, like www.Apple.com, to small ISPs with personal email accounts that would not be filtered. The Adobe Acrobat PDF list was one as well. Unless SpamCop has started blocking Apple.com and Adobe.com (Which sometimes I think it SHOULD!)

      That's why I was so alarmed -- and resolved it must be some sort of software change on the SpamCop side. Otherwise I never log into this forum. (In fact I had to dig and dig to find my password.) SpamCop has always worked flawlessly until now. (With the exception of the POP mail back to me not working.) I'll watch carefully over the next few days and see if it clears up.

      By the way... how did you get this forum to put the QUOTES into those fancy boxes? Thanks again for responding. Fred See: http://www.aacug.org/UCE/FTC_1.html (Meet spam Cop)