Everything posted by kae

  1. Geez, those spammers are really rude. First they sent me tons of email that says that I look stupid and they try to get me to click on a link that says it's an executable file. Now they're sending me email that says I'm a moron and they still want me to click on a link that's an executable file. I guess they'll try anything to get a rise out of me. Ugg!
  2. kae

    SSL Encryption & Bayesian Spam Filters

    You might need to do some more investigation to find out how your spam tool integrates to the mail client and how it connects to the mail server. It could be a deficiency in the spam tool or just a mis-configuration of the tool. It's hard to tell without knowing more about the tool. I wouldn't be too surprised that the spam tool is deficient. As Wazoo says, there's a lot of deficient software sold to the unsuspecting. There are several ways to integrate with purchased software packages (like mail clients). Some add-on tools treat mail clients like black boxes and they interface themselves to that "black box" by sitting either in front of or behind the "black box". It sounds like this is how your tool is written, since you mentioned that it acts like a proxy. The nice thing about this method is that, as a developer, you don't need to have much knowledge about the mail client. This is often the best way and sometimes the only way to interface to a proprietary mail client. The problem with this is that a good spam tool would need to implement all the mail client/server interface types (like SSL, TLS, IMAP, POP3, etc). Another way to interface to a mail client is to use the mail client's API (if it has one)--This would be rare although some mail clients have APIs. In the past, I used a spam filter called spampal. The way it worked was that it ran as a kind of proxy tool. Upon installation it would insert itself between the mail client and the mail server. The mail client would connect to the spampal tool and then spampal would talk to the mail server (pop3 or imap). By doing this, it would allow spampal to process the mail message before the mail client got it. From your description, this sounds like how your spam tool works. A spam tool that operates as a proxy would have to be able to read the text of the mail in order to process the headers and/or the body of the message. 
For encrypted connections, the tool would have to decrypt the data coming in and possibly re-encrypt it on the way out to the mail client (or not depending on security). The only way to process the message data would be to read it while it passed through the spam tool. Any search for a spam tool would require that you make sure the tool handles TLS or SSL connections. It is possible that your tool has the ability and is just mis-configured. It is also possible that you may need to purchase additional software to handle this type of connection. The additional tool might need to be connected as a "black box" to the spam tool. Again it's hard to say without knowing the particulars about the spam tool. I guess this is why it's a good idea to be able to get a demo copy of the software before you purchase it, so that you can make sure it has all the needed requirements for communicating with all your mail servers. Not to sound like an advertisement (especially since I'm not affiliated with spamcop in any way except that I use spamcop as my spam tool), but spamcop seems to handle SSL. Just an added note.... Most spam tools probably operate as POP3 clients probably because they expect to only see each email message once. They probably expect to download and then remove the message from the server, rather than keeping track of what has been seen and processed.
  3. Thanks for the responses. As Wazoo pointed out, I was able to see that my reports were not being munged in the Preview Reports. I didn't know that the stored reports in the Tracking URL database are always munged, so that puzzlement was answered. Now I know that I'm not munging anything, which is good. I had put "retaliation" in quotes as a way of really saying that it didn't seem like much of a retaliation. It does certainly make it less personal to know that it was probably just picked randomly out of a list of email addresses. Thanks again!
  4. I have a general question about munged headers/addresses. I know that this has to have been asked before, but I can't find anything that addresses this in particular. There seem to be two sides to reporting email. The one side is reporting email as spam from webmail, the other side is "Reporting spam" using the mailsc.spamcop.net webform. The only munge option that I've seen is in the preferences tab of the mailsc.spamcop.net webform. I currently have that set to not munge my reports, but most of my reporting is from the webmail form (either reporting held mail or from the inbox) which generally comes from accounts that are different from my spamcop email account. When I first started my spamcop account, I chose to munge headers, then I got the impression from the forum (a while back) that munging wasn't good and that munged headers were not used for reporting but only for statistics. So, I went back and changed my preferences in the mailsc webform to not munge headers. Anyway, I've noticed that the spammers are now putting email addresses in their Subject lines. Here's a tracking URL: Sample Message. When you pull up the tracking URL, the email address is replaced with 'x' (even in the Subject line), but when you select the link "View Entire Message" the email information is put back. At least when I started writing this it was there. I'm assuming that the spammer is putting my email address in the Subject line so that they can tell who is reporting them. I guess my question is this: Am I still munging headers (since the email addresses are x'ed in the tracking URL), or am I no longer munging headers (since viewing the entire message shows the email) or at least it did show my email address? As a side note, the spammer also put my email address as the sender, which seems to always show.
  5. I have three filters for this, but I think the filter #3 is the one that works for all cases. I have three because when I tried one and it missed a message I created another one. They are as follows:

     1) koi8 rule which is Body contains "koi8-r" Deliver to folder INBOX.Held Mail
     2) charset=koi8-r Body contains "charset=koi8-r" Deliver to INBOX.Held Mail
     3) Any koi8 Subject Contains "koi8-r" or To Contains "koi8-r" or From Contains "koi8-r" or Destination Contains "koi8-r" or Source Contains "koi8-r" or Participant Contains "koi8-r" or Body Contains "koi8-r" or Self-Defined Header "Content-Type:" Contains "koi8-r" Deliver to folder INBOX.Held Mail

     The last rule is a catch-all and probably the only one needed. The catch is that these filters work only on the webmail application. They also only seem to be applied when transitioning into the mailbox. What I mean by that is that they don't seem to be applied when the INBOX refreshes. The behaviour that I've seen is that you must either press the INBOX icon and cause the INBOX to reload. The webmail standard refresh does not seem to apply the filters. I have all four choices marked in the Options/filters:

     Apply filter rules upon logging on? checked
     Apply filter rules whenever INBOX is displayed? checked
     Allow filter rules to be applied in any mailbox? checked
     Show the filter icon on the menubar? checked

     I also chose the Additional settings options under the Existing Filter Rules as:

     Display detailed notification when each filter is applied?
     Filter Options: Filter All Messages

     By displaying detailed notification when each filter is applied, you can see when the filter is applied in Webmail. It is my understanding (from the FAQ) that there are no user defined filters that get applied to incoming mail except the blacklist and the greylist option and the whitelist. I hope that helps someone.

     I think the SpamCop AutoResponder usually only contains the From and the Subject headers, the rest is usually just Received headers. Maybe you could just exclude the AutoResponder from the filter? Just a thought. I haven't encountered that problem because I have another app that removes all the SpamCop AutoResponder emails and squirrels them off to a folder that I keep for a while. That action causes the AutoResponder messages to appear as deleted to webmail. The tool runs every 10-15 minutes.
  6. Thanks for your reply Miss Betsy. It did answer the munging question I had. It confirms that my reports still munge (or expunge) my email address out of the headers. At this point, my reason for reporting is to be as helpful as possible in order to get the spam reported. If that means it's better to not munge, then I'd opt for that. I'm assuming at this point that not munging reports adds additional places that will accept my spamcop reports. The only "retaliation" that I've gotten is that once in a while a spammer sends out a bunch of email spoofing the from address with my email address. When that happens, I usually get about 60-100 return messages for email addresses that are either no longer valid or whose inbox is full. It usually only lasts for a day and then it's back to my normal load of unsolicited email. I do have my "spam Munging" preference set to "Leave spam copies intact", which brings up the question, how do I get the reporting engine to stop munging? I looked through the webmail options and didn't see anything that talked about munging, so I'm guessing that the spamcop reporting preference page must drive the reporting engine, but I guess if that's the case, is there a known problem with changing the munge/mole/unmunge preferences? Maybe once you choose, then that's the option you have to stay with. You were right Miss Betsy, it did bring up more questions. ugh. Sorry about that. I'll go back and do some more searching in the forum and FAQ. Maybe there's something there. I know this isn't the first time this has come up and I swear that I've read this in the forum somewhere. Thanks again! I did find this on mole reporting, which is the forum discussion that I wrongly remembered as munged reports. Miss Betsy correctly pointed out that it was "mole reporting" that only updates the statistics and not the block list. My bad. Maybe I should send a Problem report?
  7. Thank you! That was what I wanted. Now I understand how I got switched to Indexed mode when I started out in Standard mode and now I know how to switch back. Thanks!
  8. I haven't been on the forum for a while (six months or so) and I've noticed that I can only see one or two replies in a discussion thread and then a thread list (in a box called "Posts in this topic") of the other messages that are not displayed. The forum interface used to display pages of reply messages to a discussion thread, but now I'm only getting one or two messages and the thread list. I figure I must have done something to change this, but I can't figure out what I did. I did a search for "forum thread", "display threads on forum" and "Posts in this topic" but I can't find anything that talks about this option. I also looked in "My Controls" and I couldn't find any kind of display option to display pages instead of a thread list. I also looked in the Forum FAQ for any kind of option for the thread list, but couldn't find it. I looked for a target on the page that might switch the display to showing pages instead of a thread list, but I don't see anything. Can anyone point me in the right direction to change this option or is it an option that can be changed back?
  9. kae

    Cell phone txt msg spam

    Thanks Farelf. That's good to know. Maybe I will start writing that letter right now.
  10. As Farelf said, the robots.txt file is only used by those robots/spiders that choose to follow it. I've seen sites that use several methods, but all require manual entry of something that allows the message to be valid. What I mean by that is that a person must either type in the correct email address or they must edit the email address in order to correct explicit errors in the email address or they must type in a correct interpretation of text in an image to complete the transaction. Here are some examples: 1) I've seen web pages that have pictures of email addresses instead of text. This requires the person to manually type the email address into their mail program. 2) I've seen people use things like blocks of repeated characters in their host or user name and then specifically request the character block to be removed to form the correct address. Like: bobbyXXXsocks[at]mydomainXXX.com (remove the XXX blocks). 3) There are services that show you a picture of text which is difficult for a machine to parse and then will only do the action (send the email) if you type in the correct translation of the text. Those are my suggestions.
  11. kae

    Cell phone txt msg spam

    So far, I've been unsuccessful in getting anywhere with reporting SMS-based spam messages. My wireless company (AT&T) appears to have nothing in place to help. I think the From numbers are probably nonsensical numbers and just made up for the message or they are from unregistered wireless numbers. The actual text of the messages contains possible targets to complain about. When I was with Verizon, I never received any unsolicited SMS messages, but within the first week of switching to AT&T (before I had ever sent an SMS message), I received four unsolicited SMS messages. I don't know if this means that Verizon has blocking software in place for unsolicited SMS messages or if I was just lucky to get listed somewhere when I switched to AT&T (or some other reason I haven't thought of yet). Anyway... From: "1 (010) 100-001" and "1 (011) 100-002", I got messages that talked about "lists AT quickfind DOT com" and trying to get me to confirm my subscription request to some list called cingulardb_jmhmedia_GAF which I never requested. You would think that AT&T would know more information about it since they bought Cingular Wireless and thus it would probably be a list that they should know about. From: "362-45", I got messages from Herman AT pookiebears.com asking me to chat with them at Jeannine.yeahthecharmingfu.com and a second message from Gagnon AT ragerlaw.com saying they saw my profile and thought I was cute and asking me to chat with them at Lynnette.ijustcantclosemy.com When I've called AT&T they appear to have no suggestions except to tell me to reply with "STOP" or some other form of telling them to not send anymore SMS messages. I tried to respond once, but my "STOP" was only returned back as "NO SUCH USER". I decided from that one experience that it's probably not useful to reply to any of these unsolicited SMS-based messages. 
So far, I've only gotten about six messages, but if it continues, I plan on sending a letter to the FCC and the FTC to at least alert them to the problem (as if they don't already know). I doubt that anything will be done with just one letter from me (I'm not that important), but if they get enough, maybe they'll make an attempt. I've been out of telephony for a while, but it appears that SMS-based messages are a lot like email in that they don't appear to check to see if the sender exists and they seem to accept messages from anyone. I'm guessing that SMS-based messages will become a new frontier for spammers to do their thing. I think it will become just as hard for service providers to filter SMS-based messages as it is for ISP's to filter spam (sorry Hormel). That's just my 2 cents.
  12. kae

    Filter Match not matching

    Correction ... That sentence should have read: The regular expression you gave might evaluate to: one asterisk followed by zero or more numeric 1's followed by zero or more at signs followed by anything (even nothing).
  13. kae

    Filter Match not matching

    I was searching for filtering problems and ran across this question. The regexp that is used by most Unix Shells (ksh, sh, bash, etc) is a little different than the actual regexp syntax defined in most function/method libraries. The function/method libraries are probably what is used in webmail. The expression that you wrote would work in most shells if you were searching for a file with that name, but may not match as a regexp because it differs from the syntax of a regexp as defined in most function/method manuals. One place that has a definition of regexp is the Wiki at (http://en.wikipedia.org/wiki/Regular_expression#Syntax), but the definition of the specific regexp parser used is probably best found in the manuals for the libraries being used. Regexp's have been around for a while so, looking at any regexp definition would probably be helpful in any case. Usually, in a regexp, the asterisk character means any number of the previous character. The asterisk at the beginning of your expression might just match an asterisk, but I'm not sure of that. Since, there is no previous character to the asterisk, the "previous character" method action can't be used, so I'm guessing that the starting asterisk is not used as a wild character, but is used as just an asterisk. In any case the regular expression you gave might evaluate to: one asterisk followed by zero or more numeric 1's followed by zero or more asterisks followed by anything (even nothing). If that is the correct interpretation, then the regular expression would not match your test case because: 1) There is no asterisk before the 1 2) The 1 isn't followed by an [at] sign This is just my interpretation of the regular expression that you gave in your example. In the example that you gave, I would write the regular expression in a different way. 
For your example, I would think you would have to write it this way: .*1.*[at].*\..* The .* matches any character of any length including zero (meaning that it matches nothing) followed by the single digit of "1" followed by again any character of any length including zero followed by the at sign followed by again any character of any length including zero followed by a single period followed by again any character of any length including zero. I would point out that this would even match the three character string: 1 [at] . (I had to add spaces for the forum parser.) I'm not sure what webmail uses, but michaelanglo made the comment that a regexp can contain POSIX compliant regular expressions. If that is true, you might be able to be pretty specific about your regular expressions.
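
The difference between shell wildcards and regular expressions discussed in the post above, as an added Python example that is not part of the original post. The shell-style pattern is a constructed stand-in (the original poster's expression is not shown here), `[at]` is written as `@`, and `TIGHT_REGEX` is a hypothetical stricter variant:

```python
import fnmatch
import re

# Constructed stand-in for a shell-style wildcard pattern; the original
# poster's expression does not appear in this thread.
GLOB_STYLE = "*1*@*.*"
# The regex suggested in the post, with the forum's "[at]" written as "@".
POST_REGEX = r".*1.*@.*\..*"
# Hypothetical tighter variant (an assumption, not from the post): no
# whitespace or second "@", and a non-empty label on each side of the dot.
TIGHT_REGEX = r"[^@\s]*1[^@\s]*@[^@\s]+\.[^@\s]+"

# Constructed sample strings.
SAMPLES = ["user1name@example.com", "user@example.com", "1@.", "*11@@ anything"]


def compiles_as_regex(pattern):
    """True if Python's re engine accepts the pattern at all."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def literal_star_reading(pattern):
    """Escape a leading '*' so it is a literal asterisk: the reading the post
    guesses at, and how POSIX basic regular expressions treat it."""
    return "\\" + pattern if pattern.startswith("*") else pattern


def glob_match(pattern, text):
    """Shell-wildcard semantics: '*' stands for any run of characters."""
    return fnmatch.fnmatchcase(text, pattern)


def regex_contains(pattern, text):
    """Regex semantics, 'contains' style: match anywhere in the text."""
    return re.search(pattern, text) is not None


def regex_full(pattern, text):
    """Regex semantics, whole-string match."""
    return re.fullmatch(pattern, text) is not None


def compare(samples=SAMPLES):
    """Evaluate every sample under each interpretation of the patterns."""
    literal = literal_star_reading(GLOB_STYLE)
    return {
        s: {
            "glob": glob_match(GLOB_STYLE, s),
            "literal_star": regex_contains(literal, s),
            "post_regex": regex_full(POST_REGEX, s),
            "tight_regex": regex_full(TIGHT_REGEX, s),
        }
        for s in samples
    }


if __name__ == "__main__":
    # Python's re rejects the wildcard pattern outright ("nothing to repeat"),
    # one more reason to check the manual of the engine actually in use.
    print("glob pattern compiles as regex:", compiles_as_regex(GLOB_STYLE))
    for sample, row in compare().items():
        print(f"{sample!r}: {row}")
```

The same characters give three different outcomes depending on whether the engine treats them as a wildcard, as a regex with a literal leading asterisk, or rejects them, so a filter rule should be tested against the engine it will run on.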
  14. My webmail connection just refreshed and my entire Inbox is gone! Just wondered if anyone else experienced this or if it's just me.
  15. Hmmmm..... Well, I noticed this error on my Outlook 2003 client: So, I shutdown the outlook client, got interrupted by my daughter and had to help her with her math homework for about 20 minutes, and then when I started my outlook client the email came back. My webmail.spamcop.net client still showed no email in the Inbox (even when Outlook showed email in the Inbox), so I logged out of webmail and back in and the Inbox was back. I started seeing Outlook error messages back when the new mail server code went in, but most of them have been timeout messages. I reported them, but didn't give them too much more thought since they only seemed to be timeout messages. In any case, my Inbox is still intact and no messages appear to be lost. Crisis averted.
  16. I'm interested in the answer to this as well. I've had the same question about the Held Mail folder, but haven't had time to look for it in the FAQ or on the forum. I've often wondered if I need to report spam in the Held Mail folder, but so far I've decided that if it's held then it still might not be spam, so I report it anyway. I also get most of my mail by POP'ing it over from my ISP, but spammers are starting to spam me at my spamcop email address. The greylisting will at least help with that.
  17. I think TrevorB edited post #1 and added the "in-line" image comment after he fixed the problem that I reported that morning. Thanks TrevorB! turetzsr was right, I missed that line that said to use the "Problem" button to report problems. (i.e. don't post here). Thanks turetzsr, I missed that. The link that I gave pointed to a message in my Inbox, so unless you were logged in as me, then it wouldn't mean anything. I guess I gave the URL with the idea in mind that the "administrator" could probably read my email, but forgot that it's probably an internal index that the webmail system (horde?) uses and that decoding it to get to the actual message might be more trouble than it is worth. Sorry 'bout that. I think the initial display of an HTML message is usually raw HTML and as you stated an in-line image would look like "machine code gibberish." I kind of view this as a feature though, because I don't have to wait for images, applets, or other objects to load. If I want to see the html part of the message, most of the time, I can select the link to the html part and webmail/horde will pop open a new browser window and throw the HTML at the window and let the browser interpret it.
  18. I too saw this behavior in the beta phase. The difference in behavior is: In the previous version of webmail/horde if you actually looked at the contents of the email, meaning that you selected the email to display on the screen and were looking at the email and you chose the "Report as spam" link, then you were not prompted to confirm. The mail was reported without a confirmation and the next message was displayed. If you didn't look at the mail, rather you selected one or more check boxes on the index of the messages and chose "Report as spam", you were always asked to confirm. The above two behaviors were the same for the Inbox as well as the Held mail folder in the previous version of webmail/horde. In the new version of webmail/horde, you are asked to confirm any time you report spam. It's a pain if you are looking through individual messages because there's an extra step to confirm. I haven't found any webmail/horde option to change the behavior so it must have either been a compiled option to horde or a change in the code. I'm assuming that the software that drives the webmail pages is some version of horde, making it the "face" of spamcop's webmail.
  19. Are you wanting problems reported here or only by using the "Problem" button? I saw this problem today where I received a message (from my mom) that when selected shows a blank browser page (i.e. the entire page is blank: no horde headers, no links, nothing). I tried this in Firefox as well as IE7. If I select "view page source" the page that comes up has no html code in it. I haven't run any kind of sniffer on it to see what the network interaction is yet. I have to take my kids to school right now, but if the admins want to see the message here is the link that is used to display the message when logged into my spamcop webmail account. https://webmail.spamcop.net/horde/imp/messa...php?index=30428 I want to get on my other machine and see what I can pull down from pop/imap. I did report this using the "Problem" button. I wasn't sure. Okay, I'll put my fire resistant undies on. Flame away.
  20. Here's the Tracking URL: http://www.spamcop.net/sc?id=z1369372060zc...570a71ddcf3e2az The link that was discarded appears to work like this: http://{any old junk here in front}.kiosuoyon.cn/?elbdgjxowwvycizchcmafhkm translates to: http://{any old junk here in front}.kiosuoyon.cn/e/?elbdgjxowwvycizchcmafhkm and points to some Canadian pharmacy. It's like the junk in front of the kiosuoyon.cn makes the parser stop. Is there a way to catch this type of link obfuscation?
  21. Sorry for the bother. Feel free to delete the thread. It might help to reduce the useless information that comes out of the search engine when people search for this type of problem.
  22. You're right, they all look about the same so looking at one is pretty much enough. I've looked at about 20 different legit and spam emails from this ISP and the header munging is all the same. None of the headers (legit or spam) contain any routable IP address. All the headers from hosts external to the ISP seem to be left intact, but the hosts and IP addresses of any internal ISP host is either removed from the Received headers or the entire Received header is removed except for the last non-routable 172 or 10 IP addresses. I did read the post by ellen, but I hate to email the deputies because any problem I usually have isn't unique, but I guess this is "deputy worthy" so I'll send an email to them and see what they say. I wonder if this ISP just removes all their IP addresses so that no one will report them. I guess that's one way to make sure no one reports you for spamming. I wonder if that means that none of the spam that comes through this ISP is reportable (since they are munging the headers.) I guess I'll see what the deputies say. Thanks for looking at it!
  23. Thanks for moving this to the right place. mta2.egix.net and egix.net are in my mailhost configuration and I completed the configuration for both MX records (two emails). The host is in my mailhosts list and it looks complete. I looked at the SpamCop mailhost registration headers and those headers look the same (weird). It appears that this ISP (eGIX.net) removes all headers that are specific to them (i.e. none of the mailhost host names or IP addresses appear in any email from this ISP). All this ISP's hosts/domain addresses and their Relaying IP addresses appear to be removed from all email headers before they get passed on to me. I guess that's one way to not get your IP addresses reported hmm. Will spamcop work with all those headers gone? Is this something that is known or is it something I should send to the deputies for special handling?
  24. I got one of those "[spamCop] Errors encountered" with the explanation of: SpamCop encountered errors while saving spam for processing: SpamCop could not find your spam message in this email: The problem is that I don't think I reported it by forwarding it like the explanations that I found in the Forum. I haven't forwarded email to my submit email address for months and it's rare when I do use it. If I do use it I still use the manual process and I don't use Outlook to do it anymore, I use Thunderbird if I forward it. It's just easier to let it accumulate in the Held Folder and report it all at once. I guess I'm wondering if the private submit address gets changed internally in spamcop to something different because it doesn't look the same as the one on the submit page. The one on the submit page looks like this: submit.{blahblahblahblahblah}[at]spam.spamcop.net The one in the email looks like it was sent to: ver.{me}+spamcop.net-{10 digits}-{32 hex digits}[at]spam.spamcop.net and doesn't look like the email address above. Is it possible that this is the email address that's used by the internal Webmail reporting feature to report items from Webmail (Held or Inbox folders)? I sort of remember the Sender (MarianneHullns at betterhomesrealtygroup.com Marianne must have made some spammer angry huh.), but I am sure I reported it from the Held Mail list in Spamcop's Webmail, which is where I do most all of my reporting. The weird thing is the date on the email is about four hours ahead of me, which would put it somewhere in the Atlantic Ocean. Are there spamcop servers running four hours ahead of Central Standard Time? Oh, disregard that last question. Anyway, it's only one email failure so it's not like it's a big deal, but am I off my rocker or has a spammer figured out a way to post to my submit address? I wish I could send this to someone that could look at it and tell me what happened. 
I guess the question is: should I just drop it and let it go since I've only seen this once, or should I look into it further?
  25. kae

    Spamcop Down?

    Hmmm... Well apparently, all spam that I report is getting this kind of response. My guess is that it's probably a known problem (considering the increase in spam volume) and the administrators are probably trying to put out the fire. Ahh.. Thanks Telarin.