Everything posted by kae

  1. kae

    Spamcop Down?

    I reported a lot of spam messages in my Held folder and I just got a lot of failures (35 failures) with this message: SpamCop encountered errors while saving spam for processing: SpamCop could not find your spam message in this email: The problem is that these messages had bodies. I haven't seen a spam report yet. I'm not sure what to put in this message that would be helpful as there isn't any report link. There was one message that was written in Chinese. I wonder if that caused the problem. I'm not sure if the problem is because of the heavy load or that something that I reported caused the failures of all of the succeeding messages. It seems like all the messages that were reported had bodies. Here is one of the messages: Moderator Edit: Entire spam sample deleted, post (and several replies) were merged into this existing Topic, as subject matter was a result of the Reporting system being hosed / off-line ...
  2. Well, I went back and looked and saw that I still had the entry in my Public Keyring. When I tried to View or Delete, I get the error that there is more than one entry. When I try to select Details, it says invalid key. It is behaving the same as before. Like nothing changed. I guess I was totally wrong about how PGP integrates with Horde. It seemed to make so much sense that it worked that way too. That's what I get for trying to guess the workings inside the black box.
  3. The way to get to the Horde PGP options on Spamcop is to choose Options from the top INBOX view and then under the "Other Options" header column choose the "PGP Options". Under PGP Options there are three sections: check box options called "PGP Options", PGP Public Keyring, and the user's "PGP Public/Private Keys". Just to explain a little on my particular problem and I think this matches the other problem too. The PGP Public Keyring is per User data (i.e. each spamcop Horde/IMP user that uses PGP has one). This Keyring is like a cache for any public keys that the user requires for decoding any email sent to that spamcop user. The keyring is not a PGP key server, it's just a little file/database of collected public keys that have been downloaded from the public pgp.net key servers. What happened in my situation is that when I tried to import my public keys, I only got one of them. I then imported all of them. Ooops! Now my per-user PGP Public Keyring file/database has two entries for one of the keys. Each key has an email address and an eight digit Hex Public Key ID. It's not that I have two keys with my email address: it's that I have two public keys that have the same eight digit Hex Public Key ID. IMHO, that's a bug in how keys are placed into the keyring file/database. I don't know, but my guess is that the bug is not in Horde, but in the GNUPG version on the spamcop webserver. Another wild guess on my part is that there is probably an area on the webservers where the per user data resides and the per user PGP Public Keyring file is somewhere in that per user directory structure. I'm assuming that the admins at spamcop installed gnupg just like normal and didn't do much if any re-write of the code.
    So, my guess is that the GnuPG data area is in a subdirectory called ".gnupg" in the per user area and the file in question is either the trustdb.gpg file or the pubring.gpg file, but I would guess that the problem is in the trustdb.gpg file and not the pubring.gpg file as the pubring.gpg file holds the generated public keys. Anyway, when I looked at the Horde CVS tree, I think the PGP stuff is in framework/Crypt/Crypt and I think the source code is in a file called pgp.php while the S/MIME stuff is in the smime.php file. I don't think this duplicate KeyID is a Horde/IMP problem (just my guess), but probably the bug is in GnuPG allowing two KeyID's to be imported. The problem with Horde is that the web interface doesn't allow for manipulation of the underlying file data which supports GnuPG. Did any of that make sense? It's probably easier to use the new SMTP-auth mode and then the PGP data will sit in the user's domain of responsibility. Unless someone at spamcop wants to field PGP Public Keyring corruption issues and do the file removal by hand. It wouldn't be a hard request. A shell script could do:

        cd /PerUserDataArea/User/.gnupg
        rm trustdb.gpg

    would probably do it, but unless an option is added to Horde's PGP Options page, it's a manual operation.
  4. I set up my PGP (Pretty Good Privacy) (that's for the search engine that can't do three letter searches) Public Keyring and ended up loading two public keys for one of my email addresses. This apparently causes a problem with Pretty Good Privacy (PGP) in the area of looking up a public key. Why it allows two identical keys to be loaded would seem to be a bug in the data integrity area....anyway.... Okay, stop laughing, yes, I'm an idiot. I didn't know what I was doing when I was loading the public keys. I've tried to remove the Public key from the Public Keyring, but I can't remove the public key because it says that it doesn't expect two entries to be returned for the email address key. It's expecting a 1-1 relationship and it gets a 1-N (where N is 2). I know that somewhere in the bowels of the webmail system there is a file that has the Public Keyring. From my futile attempts to fix it myself, I'm guessing that there isn't a way to fix this using the webmail interface (which is all I have) and that it will take some kind administrator's very valuable time to go and remove the Public Keyring file. Is there a way that I can fix this myself? Is there a way to request this from a webmail administrator and how would I do that? Is this the right place in the forum to post this request? Thanks for listening. Moderator Edit: merged this new post into an existing Topic that covers the same ground. PM sent to advise of the Move/Merge.
  5. Just saw this thread. Cool! I tried it and it works great! Thanks!
  6. I got your email and sent you a reply. It didn't say anything about a resource file. When I clicked on the PDF file in the test message it came up and the Preview program was able to see it. I'm the one that sent the original email. It was a CC that I sent myself and it ended up on spamcop from one of my POP3 machines. I sent it using Apple's email program. I put in some of the information in a reply above, but it may not be enough. The PDF was created with Adobe Illustrator. I don't see a specific file that was sent as a "resource file". It looks fine on the Mac, but shows some extra boxes on the Spamcop webmail app. I also tried to see if Safari (Apple's web browser) worked better, but I get the same behavior on Safari (same resource fork stuff and Preview comes back with no file error). BTW. The webmail interface doesn't look so good on Safari. In Safari, after I login, I see icons but no buttons at the top of the screen. If I select a few icons, the bottom part of the buttons get redrawn and I can see them, but it doesn't look like the old interface. Ahhh, I just figured out that if you widen the window, it looks correct. There is something different about how the buttons get moved around on the page when the window is narrower than it needs to be. All the browsers have the same behavior when the window is too narrow, but Safari just messes up the buttons and icons in a different way than the other browsers. Tell me if I can help by sending you anything. This is not a show stopper for me, I just thought I'd let you know. I think I need to go to bed now, I don't think I'm making sense anymore.
  7. I'm running a PowerPC Power Mac G5 with OS X 10.4.7. The email has a group of files attached (PDF, and several JPG files). The webmail app makes it look like there is a zip file that surrounds the entire file bunch. I can see the actual source of the file. It looks like this:

        --Apple-Mail-33--766178402
        Content-Transfer-Encoding: 7bit
        Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

        A bunch of text is here

        --Apple-Mail-33--766178402
        Content-Type: multipart/appledouble; boundary=Apple-Mail-34--766178401
        Content-Disposition: inline

        --Apple-Mail-34--766178401
        Content-Transfer-Encoding: base64
        Content-Type: application/applefile; name=UtilityClosetArea.pdf
        Content-Disposition: inline; filename=UtilityClosetArea.pdf

        Lots of base 64 code is here. Presumably the PDF file.

        --Apple-Mail-34--766178401
        Content-Transfer-Encoding: base64
        Content-Type: application/pdf; x-mac-type=50444620; x-unix-mode=0644; x-mac-creator=4341524F; name=UtilityClosetArea.pdf
        Content-Disposition: inline; filename=UtilityClosetArea.pdf

        base 64

        --Apple-Mail-34--766178401--

        --Apple-Mail-33--766178402
        Content-Transfer-Encoding: 7bit
        Content-Type: text/plain; charset=US-ASCII; format=flowed

        --Apple-Mail-33--766178402
        Content-Transfer-Encoding: base64
        Content-Type: image/jpeg; x-mac-type=4A504547; x-unix-mode=0644; name=DSC_0125.jpg
        Content-Disposition: inline; filename=DSC_0125.jpg

        several more base 64 jpg pictures ending with

        --Apple-Mail-33--766178402
        Content-Transfer-Encoding: 7bit
        Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

        some text here.

        --Apple-Mail-33--766178402--

    I'm not sure where the resource file is in there.
  8. I'm not sure this is a new or an old problem (or a problem with the browser), but I received an email from a Mac and I'm reading it on my Mac and there is a PDF file that is in the email as an attachment. There is a box that says This message contains a Macintosh file. The Macintosh resource fork can be downloaded <link removed> HERE. The contents of the Macintosh file are below. When I select the <link removed> HERE link, a new window comes up and asks me if I want to open the file with Preview (the Mac's PDF viewer program), when I say "Okay" I get a message that says "File error. Couldn't open the file." I'm not sure if that's new or it's always worked that way. I think what's happening is that the file isn't getting downloaded to the mac so the Preview program can look at the file. I've tried it using the standard Safari browser and the Firefox browser and the behaviour is the same on both browsers. Again I'm not sure if this is a new or an old problem as I just noticed it. It's not a big deal since I usually retrieve email from spamcop to my local machine and then look at it. Moderator Edit: Links removed as it appeared to possibly be private (?) No actual idea, as I only got to a login screen, but ... rather than tempt fate ....
  9. This email was received by my ISP email address that I don't give out or use on the internet. I don't opt-in, I don't subscribe to anything with it. I use another account on another ISP for all that trash. Anyway, I've started to receive some spam messages on this email account (very few and very far between, but I've received a few and I've reported them). In the past few months, I've received more, not tons, but more. Where I used to get one a year, it seems that in the past month or two I've gotten two or three spam emails. Yeah, I know I'm whining about this, but I figure that someone has finally scooped my "unadvertised" email from somewhere and added it to a spam list and now my ISP has my email address on their spam list. Anyway, I digress.... You can check out the spam yourself at: Spamcop report I added comments to my spam report which went like this: I'm not sure why I've removed personal information since there appears to be personal information all over the spam headers, but I figured that it was the "right" thing to do, however futile. I received an email at my unadvertised ISP email address that was advertising my ISP's services. At first I wasn't going to report it because I thought that it might be just a service announcement from my ISP, but it wasn't sent to my ISP assigned email address, which is where I receive all email from my ISP. Instead, it was sent to an email address that I created when I joined. I've never given the email address out and only occasionally (like maybe once a year) I get something that's like spam. I did some nslookups and some whois lookups to see if the IP address was associated with my ISP. I had a hard time linking the IP address to my ISP, so I started thinking that this may be from some advertiser that they hired to spam for them. The funny thing was the email came from a domain that was like <my ISP>info.com or something. 
Anyway, I tossed the thought around in my head (yeah, it's pretty empty up there) and I decided to report it and lo and behold my ISP responded with some email asking me for more information saying that they were going to get to the bottom of this and investigate. Here is the email asking for my participation. The names have been changed to protect the guilty. So, I'm an idiot and I responded to them using my real email address at my ISP and thinking that he is really interested in figuring this out. I'm an idiot on three counts. I'm thinking that they are going to do something. I sent email using my unadvertised ISP email account. My email address is all over the headers because the marketing department tears it apart and uses it in the header for bounces. Why did he ask me for my email in the first place? If spamcop sends him a link to the message, then he already had all the information he needed. It doesn't take a rocket scientist to figure this out. Even an empty headed idiot like me can figure this out albeit, after the fact. This is his response: Now his first email asking for my cooperation in his investigation told me in no uncertain terms that the marketing department doesn't spam anyone that hasn't opt'd in. I know he read my response because he says that the marketing department doesn't send spam to "alternate" email accounts. He obviously knows that the email account that I'm reporting is an "alternate" account and not my "main", "ISP assigned" email address. His response tells me that they spam their own customers until they opt out, which is a violation of their own terms of use. Sounds like a We just make the rules, we don't have to follow them kind of operation to me. Anyway, I sent him this response. I guess I'm wondering if I did the right thing to report it or if I should have just deleted it. I think I'm a little too miffed about this to be objective.
If they aren't spamming, then why did they set up a different domain that isn't linked (or at least I couldn't see that it was linked) to their own domain? Why don't they send the "opt-in" and "valid" emails from their own domain? Seems fishy to me. What is your opinion?
  10. You are right. A few years ago, I was getting a lot of spam advertising DirecTV and I sent some of it to DirecTV asking if they were sending it to me. They said no, they don't advertise that way, so I started reporting the spam figuring that it wasn't DirecTV. I should extend the same courtesy to any entity that I've had prior dealings. They may not know that their service is being advertised by spamming and it lets them investigate their own marketing and advertising. From the last correspondence I'm not sure I'll hear from them again, but if I do I'll also take Andrew's advice and assist them in any way they need. Thanks Miss. Betsy and Andrew Actually, thanks to everyone that responded.
  11. I got this email from the head of security. I had to wonder if this guy was really working for my ISP or not, so I called my ISP and verified that yes indeed he was the head of security. It surprised me that he needed to ask me for my email addresses and couldn't get them on his own. Hmmm.... Strange. It worries me when he says "we appreciate you bringing this to our attention so we can research what happened" and "we appreciate you bringing to our attention an issue that needs addressed." It makes me wonder if they'll just make sure that every possible customer email address gets the email. It would help if they made it clear that they have this other company that does their marketing. My reply was this.
  12. I didn't see interland when I searched. Maybe I'm doing the wrong thing to look up information; however, it seemed to match the spamcop parse pretty close though. This is the command I ran:

        $ whois -h whois.arin.net
        Level 3 Communications, Inc. LVLT-ORG-69-44 (NET-69-44-0-0-1) -
        Endai Corporation WLCO-TWC02085640-ENDAI-NETWORKS (NET-69-45-16-0-1) -

    I followed that with these two commands to see information on both networks:

        $ whois -h whois.arin.net !NET-69-44-0-0-1
        $ whois -h whois.arin.net !NET-69-45-16-0-1

    That's where I saw the abuse addresses for level3.com. All the email for Endai seemed to go to the same email address. I should probably stop using whois.
  13. That's why I debated on what to do. I get spam advertising DirecTV all the time. I have a relationship with DirecTV too, but those advertisements don't come from DirecTV they come from some unknown IP addresses, so I report them. I decided that if I could see that the IP address was owned by my ISP, then I wouldn't report it. I started doing nslookups and whois lookups to figure out who owned the IP that it came from. The thing that made my decision was that the IP address that it came from didn't look like it was owned by my ISP but by some other organization named level3.com. The links to unsubscribe pointed to this other organization even though the advertising links pointed to my ISP, so I decided that I would report it. I wasn't too surprised when the spamcop parse came up with the abuse address of my ISP because there were html links in the email pointing to my ISP's web data. I'm interested to hear what the deputies have to say too. As of now, I still think that I should have reported it, but only because I couldn't link the info domain name with my ISP (nslookup and whois are probably not the best tools to use to find domain ownership). If I could have linked it to my ISP, then I would have just unsubscribed and not reported it. I'm just interested in what the "right" course of action should have been. I got this email from my ISP's Security Engineer so I guess I'll see what they say. I'm thinking that my ISP hired a firm to do email advertisement for them, but that is total speculation on my part. It still could be an organization in the ISP. I think they have concentric do their billing and online account status.
  14. No Prob. I just had noticed it and searched and found that you knew about it and had fixed it at one point. Things are lookin' up. I did a search and actually found what I was looking for. Yahooooooooooo!
  15. Did the date thing get fixed? If so, I think it's broken again. I got this email with the missing date when someone has "posted a reply to a topic that you have subscribed" in the forum. The spamcop webmail page shows the date as "Unknown Date". My version of Thunderbird installs a value of 0 for the date making it the Epoch (which is Dec 31, 1969 18:00:00 CST at my location). Here are the headers (I took my spamcop account out, at least I think I got all the references):

        Content-type: text/plain; charset="iso-8859-1"
        Delivered-To: <x>
        From: SpamCop Discussion <news[at]news.spamcop.net>
        MIME-Version: 1.0
        Message-Id: <57d75a$b3nis1[at]c60.cesmail.net>
        Received:
          * (qmail 9267 invoked from network); 4 Aug 2006 05:31:32 -0000
          * from unknown (HELO c60.cesmail.net) ( by blade5.cesmail.net with SMTP; 4 Aug 2006 05:31:32 -0000
          * from unknown (HELO c60.cesmail.net) ([]) by c60.cesmail.net with SMTP; 04 Aug 2006 01:31:30 -0400
        Return-Path:
          * <news[at]news.spamcop.net>
          * news[at]news.spamcop.net
        Subject: Topic Subscription Reply Notification ( SpamCop Discussion )
        To: <x>
        X-IronPort-AV: i="4.07,209,1151899200"; d="scan'208"; a="373017473:sNHT107673932"
        X-Mailer: IPB PHP Mailer
        X-Priority: 3
        X-spam-Checker-Version: SpamAssassin 3.1.1 (2006-03-10) on blade5
        X-spam-Level:
        X-spam-Status: hits=-1.8 tests=ALL_TRUSTED,AWL version=3.1.1
        X-SpamCop-Checked:
        Headers: Show Limited Headers

    I don't think it puts the "Date: " field in the headers.
  16. I was looking around the forums using Search and was really having trouble finding what I was looking for, which was if spamcop supports incoming SMTP from a spamcop user's email app using TLS or SSL. After much searching without finding anything, I started just poking around looking through forums for any hint of smtp setup information. I finally found one mention of what I was looking for and then I lost it and couldn't find it again. I think it was Jeff's setup page, but I swear I can't find that again. Anyway, I found another one from wazoo and copied the text string I was looking for and it is below:

        The SpamCop E-Mail system does not presently offer SMTP (outgoing) service.

    I tried these strings with search (all forums):

        spamcop SMTP setup
        spamcop SMTP support
        spamcop SMTP configure
        spamcop SMTP service

    and didn't get anything. If I type a part of the phrase above:

        system does not presently offer SMTP

    I finally get wazoo's post on the matter. I'm now wondering if all search strings get interpreted as "these words in this order exactly". Is this how the search works? Is there something wrong with the search engine? Is there something wrong with me? (Now be nice, I have this trouble with most search engines, so it's certainly possible that I'm just search inept, but at least be nice about it). Okay, I just confirmed that it's me that made the mistake. I did just try putting the word "AND" between those words and did find some things. So, this search wants the and/or/not phrases apparently. I guess I should read the search FAQ. Anyway, what I was wondering is if there should be a pinned item about there not being any SMTP support for users to send mail from their email applications external to spamcop. Maybe I'll go look again and see if there's support now.
  17. I just saw Wazoo's post. I did notice that the search I was using wasn't like a google search. I'm glad I'm not the only one with Search'abilititus (that's trouble with the ability to find anything when searching). I worked on a project a while back that used lucene for searching. It was really fast. Has the forum dev team thought about trying it? It's 100% Java. Not sure if that would work for the spamcop web services side though. I'm not making a request to have spamcop provide a secure SMTP server that accepts email anywhere on the network. I know my ISP that I've had for 16 years (which all funnels through spamcop) didn't provide SMTP services for passing email unless the machine was hosted on their network. Now they provide TLS with a login and password. I'm sure that's probably breakable too. Anyway, I just thought it might be a good bullet point for either a pinned topic or a top level FAQ topic that spamcop does not provide for an outgoing SMTP server to put in client mail apps. Sounds like dbiel already added it. Thanks!
  18. I haven't talked to them, but I do have virus checking turned on and the "Remove attachments and continue delivery" selected; however according to their side note about virus scanning they say "Infected email is automatically tagged with an "X-Antivirus: Infected by" line in the message headers, indicating which virus/worm was found." I have seen messages that have viruses and they have (or at least had) been good about tagging the message. I'll ask them about it and see what they say. Thanks!
  19. I've been scanning the forums and FAQ for an answer to the "No body provided, check format of submission" and I'm coming to the conclusion that if I get a "No Body" spam that I should just manually report it and add the "No Body" line in the body. I submitted these by forwarding them using Thunderbird. When I viewed the message source in TB, the message appeared to be only header that had a From line, but no subject and no message. I always thought these were "test" messages to see if they were valid email addresses. Anyway, I tried to report them and these are the results:

        1) http://www.spamcop.net/sc?id=z976501007z24...3d4749cbd0e051z
        2) http://www.spamcop.net/sc?id=z976500749za3...b8e1cb12c34511z
        3) http://www.spamcop.net/sc?id=z976499779zf8...f73c43a3fba824z
        4) http://www.spamcop.net/sc?id=z976498314z04...d2441968a6c290z

    No Body came with them that I can tell.
  20. I've been looking around the faq and searching for a way to do this, but haven't found anything yet. It seems like there are ways to block whatever is in the SCBL, but I want to be able to block entire netblocks, not just what's been reported. I would like to have a personal IP block list that allows me to have a list of netblocks that I want blocked. (gosh, that reminds me of "if a woodchuck could chuck wood.) The current personal blacklist only seems to allow email type addresses or domain names of the form (user[at]domain or [at]domain, or domain) which seems to only be checked on one of the From lines. This means that if I want all amazon.com mail, that I will also get spam emails that say they're from someone[at]amazon.com, but whose Received line IP address shows that it originates in Korea. What I want is a personal netblock list that looks like this: - It takes a subnet in either a netblock format with a slash or a range between IP addresses. Of course the line above is redundant, but the idea is to let the user specify either format for their IP range. This would allow me to block off entire netblocks that I should never be getting email from anyway. It's not constrained to a country or a pre-programmed range. If an IP address (in the specified range) appears in a Received line, it's moved to "Held Mail". I suppose you could have an option to have not only IPs from the email header flag the message as spam, but also weblinks in the body of the message that match the netblock range would be flagged as spam also. To be useful, this would have to be in the initial mail scan. It probably wouldn't be useful to make the user login to webmail and run something new (ie. like the filters work right now). As I said, I haven't found anything on spamcop that allows me to do this. I know that spampal will allow this, but I haven't found it here. Anyway, that's my wish for a feature.
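
A sketch of the personal netblock list requested in the post above, as an added example (not part of the original post and not SpamCop's code): entries may be CIDR blocks or "first - last" ranges, and any Received-line IP inside one sends the message to "Held Mail". The list entries, the sample message and all function names are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Bracketed IPv4 literals, the form MTAs write into Received lines.
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed personal list (documentation address space), one entry per format.
PERSONAL_NETBLOCKS = ["203.0.113.0/24", "198.51.100.16 - 198.51.100.31"]

# Constructed message: the second hop falls inside the listed range.
SAMPLE_SPAM = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby inbox.example.org with ESMTP; Fri, 4 Aug 2006 05:31:32 -0000\n"
    "Received: from unknown (HELO relay) ([198.51.100.20])\n"
    "\tby mx.example.net with SMTP; Fri, 4 Aug 2006 05:31:30 -0000\n"
    "From: someone@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)


def parse_netblock(entry):
    """Turn one list entry (CIDR or 'first - last' range) into networks."""
    entry = entry.strip()
    if "-" in entry and "/" not in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {entry!r}")
        # A range need not align to one prefix; this yields the minimal CIDR cover.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]


def received_ips(raw_message):
    """Collect every bracketed IPv4 address from all Received headers, top down."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for header in msg.get_all("Received", []):
        for text in IPV4_IN_BRACKETS.findall(str(header)):
            try:
                found.append(ipaddress.ip_address(text))
            except ValueError:
                continue  # e.g. [999.1.1.1]: not an address, ignore it
    return found


def classify(raw_message, blocklist):
    """Return (folder, matching_ip, matching_network) for one message.

    Every Received line is checked, as the post asks. Only the hops written
    by your own servers are trustworthy; lower lines come from the sending
    side and can be forged, so a match there is a hint, not proof of origin.
    """
    networks = [net for entry in blocklist for net in parse_netblock(entry)]
    for ip in received_ips(raw_message):
        for net in networks:
            if ip in net:
                return ("Held Mail", str(ip), str(net))
    return ("Inbox", None, None)


if __name__ == "__main__":
    print(classify(SAMPLE_SPAM, PERSONAL_NETBLOCKS))
```
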
  21. Cool. I knew I couldn't have been the only one asking for this. I hope it gets implemented.
  22. Is this just the weblink double dot problem or something else? I thought I read that the double dot problem was fixed. Tracking URL: http://www.spamcop.net/sc?id=z785822137z15...a0e79577367543z This link: http://dhxkxdkxjji.net%2e%20%2eucrnspvlwta...fo#zldcdxdk.com Appears to have parsed to: http://dhxkxdkxjji.net. which doesn't exist. The real link location should parse to: http://dhxkxdkxjji.net.ucrnspvlwtaqf3sr6kv.lactonichi.info which I got from using the above on IE 6.0.(ten thousand bugs fixed here only 10 billion to go).1323.yada.yada.yada.version. I saw this discussion somewhere on here, but couldn't find it. I just wondered if this is a new twist to link obfuscation or if it's the same old puzzle.
  23. kae

    link didn't parse

    Sorry about that. I totally spaced on the space (%20). I could have sworn that I saw http://...net.%2e, but it isn't there. I must have been dreaming. My apologies. Yes, I know I'm an idiot for looking at the link, but someone was going to do it. I guess it might as well have been me.
  24. kae

    A new style of link obfuscation?

    Thanks for the pointer; that's the one I read. I think I got the hint. (Wink)
  25. kae

    A new style of link obfuscation?

    I went looking for the mole information, but wasn't sure I found the right place. The place I found said that mole reports aren't counted toward blocklisting, but are shown in aggregate counts to ISPs that request them. Is that the right place? Does that mean that all my mole reporting doesn't do a thing to get a spammer listed in the blocklist? (edited to change blacklist to blocklist)