PeterJ

Everything posted by PeterJ

  1. PeterJ

    Messages not Filtered - Why?

    Wazoo, SteveUnderwood, and others: I updated this possible FAQ today (6/25). I know everyone is distracted with the SpamCop website layout changes, no biggie. If any other SpamCop mail users have input please comment. PeterJ
  2. PeterJ

    Messages not Filtered - Why?

    yeah, keep an eye out for this, I do not know if a message can have both or not. Maybe this has been mentioned elsewhere but what we really need for the FAQs is a SpamCop Wiki! Anyone agree? PeterJ
  3. PeterJ

    Messages not Filtered - Why?

    Ok, here is what I have for starters. I need Email users to help me correct it now. SteveUnderwood you have a mail account I know for sure. Anyone who can help revise what I have here, that would be great. PeterJ

    Edited 6/25/04 to include info from SteveUnderwood

    =============================================

    There are 4 primary reasons why email received by your SpamCop email account may be 'slipping past' the provided filters:

    1) The available filters may not be selected or may be misconfigured for your account.

    Resolution: To double check your filtering settings please log into SpamCop's web mail, then click: Options>>SpamCop Tools>>Select your email filtering blacklists. The resulting screen provides you with the means to turn on and off SpamAssassin filtering, set a "SpamAssassin Limit", and select the blacklists you would like to use. Bear in mind that even with SpamAssassin and all blacklists turned off, the SpamCop mail service still adds at least the following headers to your email:

    X-spam-Checker-Version:
    X-spam-Level:
    X-spam-Status:
    X-SpamCop-Checked:

    2) The whitelist for your SpamCop email account contains the domain or email address indicated in the "From:" header of the received message and therefore it was routed to your inbox.

    Resolution: When SpamCop does get a match contained within your whitelist it adds the header "X-SpamCop-Whitelisted:" to the message displaying the specific whitelist entry. The following example shows how a whitelisted email address is displayed in the headers:

    X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6
    X-spam-Level:
    X-spam-Status: hits=0.0 tests=none version=2.63
    X-SpamCop-Checked: 192.168.1.101 66.163.170.83 192.168.33.48 69.208.67.198
    X-SpamCop-Whitelisted: yourname[at]spamcop.invalid

    Check the headers of the message you received in your inbox to see if they contain the "X-SpamCop-Whitelisted:" header and then determine if you want or need to modify your whitelist.

    To modify your SpamCop whitelist settings please log into SpamCop's web mail, then click Options>>SpamCop Tools>>Manage your personal whitelist. The resulting screen provides you with the means to add and delete entries from your whitelist. (Note that it is possible to have both the "X-SpamCop-Whitelisted:" and "X-SpamCop-Disposition:" headers in the same message. When this occurs, since there was a match with a white list entry the message is routed to your inbox.)

    3) None of the IP addresses that SpamCop examined in the headers of the message you received were represented in any of the blacklists that you currently have turned on for your account.

    Resolution and Explanation: When SpamCop holds a message because it matches one of your selected blacklists it adds "X-SpamCop-Disposition:" to the headers of the message. This indicates which blacklist (or if it was SpamAssassin) caused the message to be held. The following is an example where 200.165.15.10 tripped the Brazil blacklist and caused the message to be held.

    X-SpamCop-Checked: 192.168.1.213 200.165.15.10
    X-SpamCop-Disposition: Blocked brazil.blackholes.us

    (Note that when there is a blacklist specified in the "X-SpamCop-Disposition:" line, the last IP listed on the "X-SpamCop-Checked:" line is the IP that was found in the blacklist.)

    If a message arrived in your inbox it should not contain the "X-SpamCop-Disposition:" header (unless it also contains the "X-SpamCop-Whitelisted:" header. See section 2 of this FAQ.) The message will have the header "X-SpamCop-Checked:" that indicates all the IP addresses SpamCop checked against your selected blacklists. Possible resolutions include reporting the spam message that slipped through in an effort to get the IP address listed in SpamCop's blacklist, reviewing the blacklists you have enabled for your account, or double-checking the headers to see if SpamCop missed the responsible IP address.

    It is possible that the IP address responsible for sending the message was added to the SpamCop's blacklist after you received it. In this case as long as the IP address remains on the SpamCop's blacklist and you have elected to use the SpamCop blacklist, then future mails from this IP address will be routed to your "Held Mail" folder.

    4) The SpamAssassin score computed for the message is lower than the "SpamAssassin Limit" you have set in your SpamCop Email account settings.

    Resolution and Explanation: Description of SpamAssassin as taken from SpamCop's web mail interface:

    --Headers related to SpamCop's SpamAssassin implementation--

    X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade2.cesmail.net
    X-spam-Level: **
    X-spam-Status: hits=2.6 tests=FORGED_YAHOO_RCVD,FROM_NO_USER,
        HTML_FONTCOLOR_UNKNOWN,HTML_FONT_INVISIBLE,HTML_MESSAGE,NO_REAL_NAME version=2.63
    X-SpamCop-Checked: 192.168.1.213 200.165.15.10
    X-SpamCop-Disposition: SpamAssassin

    X-spam-Checker-Version: Indicates the SpamAssassin version in use, blade server that mail passed through (and date installed/upgraded?)

    X-spam-Level: Number of asterisks match the "hits" number from "X-spam-Status:" (rounded down)

    X-spam-Status: Indicates the score that was computed as the "hits" number for this particular message and the tests that were positive and contributing towards the overall score. Note that it is possible for a "hits" number to be negative and also that the individual scores of each test are not displayed but are configurable by administration if needed. In the above example the numbers assigned to the individual tests listed add up to 2.6.

    X-SpamCop-Checked: The IP addresses that SpamCop checked against your selected blacklists (if any), not relevant to SpamAssassin.

    X-SpamCop-Disposition: Indicates the reason why SpamCop held your mail. If this line indicates SpamAssassin then the "SpamAssassin Limit" setting for your account is less than or equal to the "hits" number indicated on the "X-spam-Status:" header line.

    An example of a possible message arriving in your inbox:

    X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade2.cesmail.net
    X-spam-Level: **
    X-spam-Status: hits=2.6 tests=FORGED_YAHOO_RCVD,FROM_NO_USER,
        HTML_FONTCOLOR_UNKNOWN,HTML_FONT_INVISIBLE,HTML_MESSAGE,NO_REAL_NAME version=2.63
    X-SpamCop-Checked: 192.168.1.213 200.165.15.10

    Using the above example, let's assume that your "SpamAssassin Limit" is set to "3." After checking the headers of the message you can see that SpamAssassin only gave the message a score of "2.6" and since your limit is set at "3", the message was not routed to your "held mail" folder. Possible resolutions include lowering the "SpamAssassin Limit" setting for your account or suggesting improvements to SpamCop's SpamAssassin rules/tests. Neither one of these resolutions by themselves is perfect. A balance between the number you choose as your "SpamAssassin Limit" and changes made to SpamAssassin by SpamCop administrators will always be the case. Beware that setting your "SpamAssassin Limit" too low, perhaps at "1", can result in increased false positives. Providing feedback and building consensus in SpamCop's Email forum is likely the best way to encourage SpamCop administrators to implement a custom rule or other desired change to SpamCop's SpamAssassin implementation.
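    Worked example, added here and not part of PeterJ's FAQ or any SpamCop code: a small Python script that applies the four checks above to a message's raw headers and reports which reason applies. The account's "SpamAssassin Limit" is passed in as a parameter because it is not visible in the headers; the sample headers are constructed from the ones quoted in the FAQ.

```python
# Added example, not from the forum post: apply the FAQ's four checks to raw headers.
import re

HITS_RE = re.compile(r"hits=(-?\d+(?:\.\d+)?)")


def parse_headers(raw: str) -> dict:
    """Fold continuation lines and map lower-cased header names to values."""
    headers, current = {}, None
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and current is not None:
            headers[current] += " " + line.strip()  # folded continuation line
            continue
        name, _, value = line.partition(":")
        current = name.strip().lower()
        headers[current] = value.strip()
    return headers


def explain(raw: str, sa_limit: float) -> dict:
    """Return {'held': bool, 'reasons': [...]}; sa_limit is the account's SpamAssassin Limit."""
    h = parse_headers(raw)
    reasons = []
    if "x-spamcop-checked" not in h:
        # Reason 1: SpamCop's filtering never touched this message.
        reasons.append("filters: no X-SpamCop-Checked header, check the filter settings")
        return {"held": False, "reasons": reasons}
    checked = h["x-spamcop-checked"].split()
    disposition = h.get("x-spamcop-disposition")
    whitelisted = h.get("x-spamcop-whitelisted")
    if whitelisted:
        # Reason 2: a whitelist match wins even when a disposition header is also present.
        reasons.append(f"whitelist: matched entry {whitelisted}")
        if disposition:
            reasons.append(f"whitelist overrode disposition '{disposition}'")
        return {"held": False, "reasons": reasons}
    if disposition:
        if disposition.lower() == "spamassassin":
            reasons.append(f"held by SpamAssassin: {h.get('x-spam-status', '')}")
        elif disposition.lower().startswith("blocked "):
            # The last IP on X-SpamCop-Checked is the one found on the blacklist.
            reasons.append(f"held: {checked[-1]} listed on {disposition.split(None, 1)[1]}")
        else:
            reasons.append(f"held: {disposition}")
        return {"held": True, "reasons": reasons}
    # Inbox, filters on, not whitelisted: reasons 3 and 4 apply together.
    reasons.append(f"blacklists: none of {', '.join(checked)} on an enabled blacklist")
    m = HITS_RE.search(h.get("x-spam-status", ""))
    if m:
        hits = float(m.group(1))
        if hits < sa_limit:
            reasons.append(f"spamassassin: hits={hits} is below limit {sa_limit}")
        else:  # inferred: a score at or above the limit should have been held
            reasons.append(f"spamassassin: hits={hits} >= limit {sa_limit} yet not held, "
                           "check that SpamAssassin filtering is enabled")
    return {"held": False, "reasons": reasons}


# Constructed samples built from the headers quoted in the FAQ.
INBOX_SAMPLE = """\
X-spam-Level: **
X-spam-Status: hits=2.6 tests=FORGED_YAHOO_RCVD,FROM_NO_USER,
\tHTML_FONTCOLOR_UNKNOWN,HTML_FONT_INVISIBLE,HTML_MESSAGE,NO_REAL_NAME version=2.63
X-SpamCop-Checked: 192.168.1.213 200.165.15.10
"""
HELD_SAMPLE = """\
X-SpamCop-Checked: 192.168.1.213 200.165.15.10
X-SpamCop-Disposition: Blocked brazil.blackholes.us
"""

if __name__ == "__main__":
    print(explain(INBOX_SAMPLE, 3.0), explain(HELD_SAMPLE, 3.0), sep="\n")
```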
  4. PeterJ

    Messages not Filtered - Why?

    sure, I will post some writing here for critique.
  5. You mean SpamAssassin 3.0 (pre-release notes are posted in the Lounge.) I think that the improvement to SA that will benefit SC mail users the most is the URIDNSBL code that has been added. JT could try SA's SPF with a very low contributing score and solicit feedback if and when he implements SA v3.0 - URIDNSBL rules. These do DNSBL lookups on URLs, allowing URLs found in the message body to be used in spam determination. Added the SURBL blocklist (http://www.surbl.org/).
  6. I think this topic is complicated and want to take some time to outline why. First we need to remember that people get mail accounts with SpamCop for a variety of reasons. The three reasons off the top of my head are:

    a) To have an IMAP mail account
    b) For ease of reporting spam
    c) To utilize the spam filtering options provided with the account

    SpamCop mail users likely weigh these three benefits (and others) of SpamCop mail differently. This means that some individuals may not care as much about filtering that SpamCop mail provides as others. Most of the spam slipping through filters has been attributed to SpamCop's SpamAssassin implementation. Here are some points regarding SpamAssassin and SpamCop:

    1) We are currently using SpamAssassin version 2.63 with no bayesian filtering (there was some talk about bayesian filtering in some of the posts in this thread that maybe implied its use. It is not currently turned on.)

    2) SpamAssassin requires tweaking over time to maintain its effectiveness by the incorporation of updated or additional rules. (One can argue that this is less important or even perhaps not necessary if you are also using SpamAssassin's bayesian filtering.)

    3) JT has to ensure that any changes he makes to SpamCop's SpamAssassin implementation do not adversely affect the stability of the mail service. He also has to balance "false positives" and "false negatives." (That being said it is my opinion that on average he is conservative with regards to tweaking SpamCop's production install of SpamAssassin.)

    4) When a new version of SpamAssassin is released it will obviously include many of the tried and true tweaks that SA administrators have been using with the previous version. SpamAssassin 3.0 is near to being released, right now they have a 3.0 pre-release available, see my post in the lounge here: http://forum.spamcop.net/forums/index.php?showtopic=1892

    5) Assuming that JT will continue to use SpamAssassin then he will no doubt move to version 3.0 when it is officially released. SpamCop users of SA will no doubt find that version 3.0 will score spam more effectively than version 2.63 and might need to adjust their SA # in their settings. Remember that over time even version 3.0 of SpamAssassin will begin to lose its effectiveness if not tweaked.

    I am an optimist, however. I think SpamAssassin 3.0 will make a lot of SpamCop mail users happy if JT implements it. I think JT does a great job managing the mail system and have no doubts that it is hard to balance the concerns that I have written about above. Everyone is going to have a different opinion as to whether they are getting what they paid for, as for me I have no doubt that I am getting a good deal. The best thing we can do as mail users is provide feedback like this thread where multiple people are expressing similar concerns. Should JT add a custom rule to SC's SA so that the German spam is caught? I do not know, but he could.

    One last thought: Maybe we need a FAQ entry for SpamCop Mail users, titled - "Why are these messages slipping past SpamCop's filters?" Granted the answer is complicated, but it could cover the basics regarding how to look at the headers to see what IPs were examined by SpamCop, what score SA gave it, and whether or not the user had it whitelisted. PeterJ
  7. I am posting information regarding SpamAssassin 3.0 here in the lounge so if people need or want to refer to the specifics, it is available. The quote below is from Daniel Quinlan's post to SpamAssassin's general mailing list on 6/19/2004. It can be viewed in context here: http://thread.gmane.org/gmane.mail.spam.sp...n.general/51560
  8. PeterJ

    Exact duplicate spam

    Care to mention what was unique about them? Just the routing I assume. I DO receive exact duplicate and triplicate spam and I also receive near duplicate and near triplicate spam. Right now I am reporting all spam I receive as I am not about to examine the message source every time I receive two or three messages that appear similar to determine whether they are in fact unique. Unless someone from SpamCop asks me not to, this is how I am going to continue to handle them. It is possible that some abuse desks may believe I am an idiot for reporting a particular piece of spam three times--caused by address being listed three times in the "Bcc:" field, but no one will ever know how many copies I actually received except the spammer and I (maybe not even the spammer perhaps.) This is of course assuming that the particular abuse desk notices first and then actually cares that I sent them three reports.
  9. PeterJ

    Fora or newsgroups?

    Although it was certainly mentioned that the spamcop .mail newsgroups would be discontinued, it is still alive today, however it receives very little traffic. Someone posted today with an IMAP question.
  10. I do not know. Maybe you are not reporting yourself and there is simply a problem with the milwaukee mx such that when you report spam that involves the milwaukee mx those and only those spams get reported to ameritech while ones that traverse the kalamazoo mx do not? OR Maybe this particular spammer has forged the headers well enough to foul up your reporting and you are reporting yourself. (If this is the case then it is a good example as to why the SpamCop "mailhosts" concept was started.) This is just my speculation, perhaps someone with more experience than myself can figure it out from here. It helps that you have posted the headers.
  11. Thanks for sending those. I ran both of the emails you sent (and also posted the headers for) through my SpamCop account with my SBC/Yahoo mailhosts setup and I get reports that want to go to China at 218.97.236.66 and 219.150.117.138. I am not much of an expert on headers at all, but from what I see, you have reported yourself. If I am wrong, please someone correct me. Remember that if you have SBC/Ameritech/Yahoo it is normal to see stuff like this: This is a legitimate handoff of YOUR mail servers. I do not know why the Milwaukee MX is listed as an open relay however.
  12. One other thing I thought of that you might be interested in. Marjolein (who frequents the SpamCop newsgroups) has some nice information regarding what steps one could take when starting with a "fresh" email address to try and prevent/limit spam. You might find some of this useful: http://banspam.javawoman.com/index.html If you happen to have one of the spams around in your trash that triggered a report to 65.43.19.28 I would like to see the headers. Just trying to keep abreast of what my ISP is or is NOT doing correctly...it cannot hurt to be informed. Can you please post the spam to the SpamCop .spam newsgroup or email it to me at sx6000 AT ameritech.net? Thanks.
  13. That is a shame. HillsCap (a participant here and in the newsgroups) just posted similar sentiments in the SpamCop NewsGroup under the conversation "Nag Page." I have never used my "primary account email addy" from SBC for anything, what I try to do is keep my primary email address and ISP separate for the most part. I have started to use some of the sub accounts they allow for more or less throw away purposes. Having a SpamCop email address has certainly helped me move from ISP to ISP over the last several years. You can always get a SpamCop mail account ($30/year still I think) if SBC's mail services do not work out for you and only use SBC for providing your internet access.
  14. PeterJ

    Spammers using my email address

    Here is someone who used bayesian based filtering to sort incoming bounces and remove requests related to a joe job: http://sourceforge.net/forum/message.php?msg_id=1832024
  15. My ISP is SBC as well. Have you configured mailhosts for your reporting? If you are trying mailhosts then you should probably have at least two entries like mine called "SBC" and "Yahoo." Here is some stuff that I know (perhaps some of it is relevant):

    1) 65.43.19.28 is Ameritech's Milwaukee, WI MX http://www.spamcop.net/w3m?action=checkblock&ip=65.43.19.28
    2) Also currently listed is Ameritech's Kalamazoo, MI MX at 67.36.55.28 http://www.spamcop.net/w3m?action=checkblock&ip=67.36.55.28
    3) 3 other Ameritech MX IP addresses are NOT listed on the SCBL right now.
    4) About a month ago I noticed that almost all the Ameritech MXs were listed and contacted a deputy to see if it was accurate. It turned out that an SBC (Ameritech) residential customer was running a misconfigured mail server from their home. The deputies removed the IPs in question from the SCBL and I assume either warned the user or cancelled his/her account.
    5) Sometime during the last week the mailhost entries for Ameritech were reorganized so that they are lumped under the name "SBC", however two relevant mailhosts for Ameritech still exist under the name "Yahoo."

    If you are trying to use mailhosts, your configuration may not be correct. You may in fact be reporting yourself. Can you post either some headers of a message in question or a tracking link to one of your reported messages please?
  16. PeterJ

    Exact duplicate spam

    Ok, I understand now. This is not what I am seeing as I do not forward any email *from* my SpamCop mail account. It appears that most exact duplicate and exact triplicate spam I receive is as a result of my email address being listed twice or three times in the Bcc field of a particular piece of spam. If someone has any ideas on the following as further discussion I am interested:

    1) My concern with whether or not abuse desks might get frustrated with receiving what seems like duplicate reports for the same spam. If the bcc method was used to send me duplicate or triplicate spam then how does anyone else know I received multiple copies versus simply reporting the same spam 3 times by accident.
    2) If I receive exact triplicates and report each copy, does this help the IP stay on the BL any longer than reporting a single copy?
    3) Does the SpamCop TOS ask that I not report the same spam three times if I received three identical copies? Or is the parser smart enough to discard the additional reports?

    Thanks.
  17. PeterJ

    Exact duplicate spam

    dra007-- I am not sure where you are going with this, maybe you could elaborate. Are you referring to my side attempts to send myself exact duplicate mail or are you referring to spam that I reference in my original post? I do not know how I could accidentally duplicate the spam messages I receive by accessing my mail using IMAP at imap.spamcop.net
  18. PeterJ

    Exact duplicate spam

    I was wrong about my tests with Horde Imp under SpamCop with regards to sending myself exact duplicate mail. I came *very* close and with some more tries and some luck I probably could get exact dups. Instead my brief tests showed that my most recent received line usually differed by one second with each message and in another case the received lines differed only by the qmail # as follows:

    Received: (qmail 27029 invoked from network); 10 Jun 2004 15:13:14 -0000
    Received: (qmail 27022 invoked from network); 10 Jun 2004 15:13:14 -0000

    Maybe with some luck I could get "exact dups" from SpamCop's Horde Imp when sending to myself, but hopefully this shows instead that JT has got SpamCop's mail configured well in this regard. Sorry for the digression here in "help"
  19. PeterJ

    Exact duplicate spam

    Cool. I just checked some of mine and I could only find one where my email address was listed twice under the "To:" header. I presume that on the others it was duplicated using Bcc. Interesting to note the differences between mail servers or clients on this... I just logged into Horde Imp with my SpamCop account and confirmed that I can send myself duplicate or triplicate messages by either using To:, Cc:, and Bcc: OR by simply typing my email address twice in the To: field. Apparently, Horde Imp is not as discriminatory as what you just tested with Yahoo. Using the Thunderbird mail client I cannot send myself duplicate or triplicate messages by any method that I tried similarly in Horde Imp. I am not sure if this is because of the client or because of my ISP's SMTP server. I was more concerned with whether or not abuse desk might get frustrated with receiving what seems like duplicate reports for the same spam. If the bcc method was used to send me duplicate or triplicate spam then how does anyone else know I received multiple copies versus simply reporting the same spam 3 times by accident. If I receive exact triplicates and report it three times, does this help the IP stay on the BL any longer than reporting it once?
  20. PeterJ

    Exact duplicate spam

    Let's define some terms for ease of use:

    Exact duplicate (or triplicate, I have not seen more yet): The message source for each is *exactly* the same, every single character is identical.

    Near duplicate (or triplicate, etc.): The message source for each are not *exactly* the same. For example the received lines may be the only difference.

    Is no one else receiving exact duplicate spam but me? Note that I only use IMAP mail, not POP, might be relevant... Yeah, the problem is spam spewing
  21. PeterJ

    Mozilla plugin?

    This has been posted and answered several times at Mozillazine from the looks of a quick search. This thread sums it up pretty good: http://forums.mozillazine.org/viewtopic.ph...ghlight=spamcop I think it would be a useful extension to Thunderbird for many users (although I would not likely use it), however no one has taken the time to create it. Also checked the extensions here and did not see anything like this.
  22. Two possible ways of catching this spam include bayesian filtering methods or the detection of known bad URIs (see my post here.) Since bayesian filtering has already been hashed out with JT and we cannot expect a repeat soon, then we are left with a few alternatives. One is to implement bayesian filtering of your own to complement SpamCop's filtering (or replace it.) Another is to encourage JT to increase SpamCop's SA filtering ability by improving it in all ways possible except bayesian filtering. The most effective addition I can think of at this time to SpamCop's SA would be URI RBL checking. In my other post if you follow the link, one individual states that with 3 URI RBLS running it hits 50% of spam received. Extremely low FP rates are being seen with these RBLs as well. Several products are available for free that will run bayesian filtering on IMAP folders for free. Two that come to mind are Spambayes and PopFile (IMAP support is young with the latter.) On the possibility of a switch to Dspam... If I understand this product correctly it is a bayesian based filtering system, so my guess is that JT would be wary. I am currently exploring the possibility of not relying on SpamCop's filtering and simply running my own bayesian IMAP filter on a server that will be running 24x7. Then training simply occurs when I move incorrectly classified messages with either my client or SpamCop webmail.
  23. In the hopes that this topic will not die it is worthwhile to note that Jeff Chan's SURBL has become a popular and accepted rule/test for use with SpamAssassin. Since SpamCop users are the ones taking the time to report links in spam, it only seems appropriate to allow them to reap the benefits of this by implementing URI checking in SpamCop's current SA setup. Granted this will not benefit all SpamCop users, only the ones who have mail accounts with SpamCop. Brief and recent replies from two knowledgeable SA people regarding the effectiveness of the SURBL and other URI checking is here: http://thread.gmane.org/gmane.mail.spam.sp...n.general/49921
  24. The OP's issue sounds the same as the known intermittent issue discussed here: http://forum.spamcop.net/forums/index.php?showtopic=999 With the exception that when the OP tried to report the 3 spam messages again they still received the errors (which previously no one has experienced...I believe.) Note that JT is aware of this intermittent issue.
  25. PeterJ

    Paypal Phish

    Perhaps some people are indeed receiving spam from Paypal these days, but currently they are updating account info and therefore have sent out a message as follows: This was sent from "support[at]paypal.com" and is real. Perhaps with all the phishing these days some SC users are reporting this message by mistake. Checking the IP here: http://www.spamcop.net/w3m?action=checkblock&ip=61.40.6.131 reveals that at least one person reported the same message I quoted above: Looking a little further, why is PayPal sending from a Korea server? Perhaps 61.40.6.131 deserves to be listed for other reasons, but as far as I can tell the PayPal mail coming from there is legitimate.