Farelf

Forum Admin
  • Content Count

    7,012
Everything posted by Farelf

  1. Yes, a tracking URL - http://forum.spamcop.net/forums/topic/4473-spamcop-glossary/#TURL You don't have to wait for a new problem instance, you can retrieve an old one through your "Past Reports". Just don't quote the link with the Report ID (useless to others) you have to go to the report, follow the link to the parse, and pick it up from there. The most common cause of "no date" recently has been goofy headers from goofy servers en-route. The "Received:" headers have to have both the IP address of the releasing server and a date-stamp from the receiving server (on the same line or continuation of the same line). The goofy headers split the information into two consecutive but separate headers. The parser can't work that out and will not offer to report if it can't determine that the age of the spam is within the allowable 48 hour window. There's no "fix" for that but lambasting the responsible parties and all their descendants in perpetuity is good catharsis. [edit] Ah, belay that about getting the Tracking URL from "Past Reports". "Past Reports" detail is only kept for sent and cancelled reports, the links to "no date" cases won't be saved in your history, just a note "No reports filed" with date and time. Sorry about that - you will need to wait for a new instance after all and to be sure to copy and save the Tracking URL link before quitting the parser page.
  2. whois.ripe.net 217.149.177.35 (nothing found)
     No reporting addresses found for 217.149.177.35, using devnull for tracking.

     % This is the RIPE Database query service.
     % The objects are in RPSL format.
     %
     % The RIPE Database is subject to Terms and Conditions.
     % See http://www.ripe.net/db/support/db-terms-conditions.pdf

     % Information related to '217.149.176.0 - 217.149.179.255'
     % Abuse contact for '217.149.176.0 - 217.149.179.255' is 'noc[at]unico.com.ru'

     inetnum: 217.149.176.0 - 217.149.179.255
     netname: VGSU-NET
     descr: Volgograd State University
     country: RU
     admin-c: SIS19-RIPE
     tech-c: MVP44-RIPE
     status: ASSIGNED PA
  3. Farelf

    [Resolved] yahoo problems cant find headers

    Thanks - the key to success must be in the "compliant browser" then. I can confirm IE8 is NOT compliant. Perhaps subtle differences between PC and Mac text processing helps as well, unknown. The parser is shown in action in that Tracking URL I provided - https://www.spamcop.net/sc?id=z6064318009zcf76a76477789fb5d783375a67cbc9b7z You will see something similar every time you make a spam submission except there is a bit at the bottom where you can optionally add comments to the reports, optionally review the reports and (necessarily) either send the reports or cancel. After you have sent or cancelled reports they are stored for 90 days under your "Past Reports" tab on the member reporting page. You can access them from there through the listed ID numbers which gives you the (hopefully) anonymized spam with a link to the parse. When you pull up the parse from the link, you see something like the presentation above, with your Tracking URL (link) highlighted near the top. Let's know if you have any trouble unravelling any of that and we will help you sort it out - it is often useful, especially if you have "Show technical details" checked (on the reporting page) and especially if you want to safely discuss reporting problems and solutions/explanations referencing the specific spam.
  4. Just to mention a useful tool for fairly complete information on just about all aspects of domains of interest, to blow away any uncertainty, doubt and supposition, robtex.com. A particularly useful feature is the discovery and presentation of shared resources. Like: https://www.robtex.com/en/advisory/dns/net/spamcop/ and https://www.robtex.com/en/advisory/dns/com/inchlovers/ (latter same as 18asianz.com, etc., etc.). ISPs are not obliged to receive SC reports and those in the spam/exploit business seem to prefer not to.
  5. Farelf

    [Resolved] yahoo problems cant find headers

    Great news ArtmakersWorlds, thanks for passing it on! Will mark this as resolved. But, it won't work for everyone (well, it doesn't work for me, neither pasting in a copy of the "Full Header" view, nor pasting a copy of the "Printable View"). I guess it depends on the version of Yahoo mail and the browser. I get the "undifferentiated mess" for "Full Header" (as discussed) and only the abbreviated headers and no proper message body in the "Printable View". You can illustrate the data (text pasted in) by posting a Tracking URL from the top of the parser page when you make a submission - or retrieve it from your "Past Reports" (not the report ID, need to open the report, go to the "Parse" view and copy the link from the top of the page). We don't do external images here - refer to the "Help" file, bottom of any Forum page. You must be using the current version of Yahoo mail and a "supported browser"? PC/Laptop or mobile device? Anyway, if you're up-to-date, sounds like a potent argument for those of us hanging on to legacy versions to "go with the flow". Certainly no fun trying to report with whatever they've done to the elder version(s)/"unsupported browser".
  6. Sounds like it could be a spambot (or two) and your address(es) are on one or two "lists" - or not, spambot operations don't necessarily depend on a high proportion of functional target addresses which is part of their menace to the internet, the sheer waste of resource. Just guessing, based on behaviour and probability in the absence of any disclosure of IP addresses involved. If, when you report, you notice in the parser results that the source IP address is flagged as being on the CBL, that is a good thing - it means the network has access to detailed information about the hacking of their resources (in addition to the very detailed information about specific breakout instances provided through SC reports to them). A potent combination. It might not seem so at the time but it HAS to be doing some good - if the network is actually trying to (re)assert control. If the network is (largely) successful in getting them out, they will move to other hosts. Depressing but it seems to be a cycle we have to endure. Or, it could be part of some out of control "campaign". That would be theoretically easier to address (since the perpetrators are not hidden criminals, merely obscure). An account (free) with SenderScore.org and the lookup tool and information available there might help put a spotlight on them.
  7. There was no insincerity in anything I posted Lancer and if you have managed to construe otherwise then I am sorry but must decline blame, praise is not belittlement and common difficulty is no cause for division. You are correct that the "Content-Type:" header must not be altered under the provisions of the "Material changes to spam" reference already provided however if you receive spam without that header or with the other content types noted within that header then you should not have difficulty with any (plain text) links in the body. SpamCop long ago decided not to try closely matching the great profusion of non-standard approaches to non-text messaging foisted upon the users of the great mail service providers (a disparity in budgets for one thing), consequently there are many instances where the parser cannot resolve all material presented in the changeable environment. SC staff do request development resources for the parser and I am sure would be open to suggestions for their future bids - especially in relation to the Yahoo matter which has become chronic. I shall move this topic to the "Reporting Help" section where they are more likely to see it and where, incidentally, there are many other topics touching on the reporting of spam received from/through Yahoo. You could see from at least one of those that I no longer consider Yahoo spam worth the effort of SC reporting as things stand - an alternative (though not mutually exclusive) is using the Yahoo internal spam reporting system, while we lack the ease with which we formerly reported it to SC (just my opinion and admittedly doesn't address those "payload" links). Yes, spammers know full well that their efforts are resented which is why they have ramped up their efforts, using robots and (largely) hijacked resources so that with minimal effort and outlay they can multiply negligible rates of return into some sort of subsistence-level aggregate. 
Here is CISCO's "Overview" of global spam, note that the volume thoroughly dwarfs that of legitimate messaging: http://www.senderbase.org/static/spam/
  8. Ah, Lancer, you are another victim of Yahoo's relentless pursuit of "improvement" by way of kaizen. Trust me, you have done very well to extract the full headers in "parseable" form - don't sell yourself short, many will have read that in your second post and be full of admiration. Including me. If you refer to http://forum.spamcop.net/forums/topic/12713-forwarding-as-attachment-from-new-yahoo/ you will see that a way was found to make e-mail submissions (forward as attachment), only for it to be mercilessly snatched away by the next round of improvements. Possibly. It may still work for some, the version of Yahoo mail comes into it, also the browser and browser settings and (if I recall correctly) some details such as JavaScript being enabled - I lost track long ago. Successful e-mail submission overcomes your problem by passing on the whole message format (headers and body) to the SpamCop parser. If you can't do that, you can only get the plain text links in the body of the paste-in spam accepted by the parser if the header item "Content-Type:" is missing or has the values "text/plain" or "text/html". I think. But certainly NOT "multipart/alternative", as is in your example. I too operate mainly in a state of numinous incomprehension. Steve
  9. The body is incomplete, not in the required message format. The headers include: Content-Type: multipart/alternative; boundary="----=MailPart0000_0010_C46147BD" The parser is looking for that boundary (and some subsidiary content statements) and the closing boundary (----=MailPart0000_0010_C46147BD--) in the body. It can't interpret your plain text substitution without those for that content type. This is a slightly complicated area of arcane lore and I'm a bit stupid with it too - can't say that I understand it in the necessary detail myself. You need to be able to view (and copy) the "Message Source" (or equivalent terminology) within your mail client to retrieve the full format of the message body. There's no real point IMO in learning enough about it to 1) "re-engineer" the format or 2) alter the Content-Type: header since that - potentially in the first case or actually in the second - steps onto the forbidden ground of "helping the parser" ("Material changes to spam"). It should be no problem if you could make your submissions by e-mail. But more and more networks are happy to let a little spam in but none out (not even to SpamCop). Hysteresis in the filter heuristics or simple self-interest, I'm not sure. I suppose intermediaries in the routing come into it as well - it's amazing anything goes anywhere, "thanks" to spammers. But you could try? JMO This topic might be more appropriately placed in the "Reporting Problems" forum section - might move it there yet, depending how the discussion develops.
  10. Farelf

    [Resolved] yahoo problems cant find headers

    ArtmakersWorlds, What you post is the "undifferentiated mess" I mentioned in my previous post in this topic (and some extra bits which are not part of the headers). I detailed there the work necessary to break-out the headers (only) into a "parsable" submission - and the mandatory body or substitute for the actual body. That would result in (pasting the product into the SC members' webpage submission form): https://www.spamcop.net/sc?id=z6064318009zcf76a76477789fb5d783375a67cbc9b7z (Your results, should you have replicated the work, might have been different since the above is not mailhosted, I haven't the stamina to look into that, but it would certainly have worked for you.) The break-out process is straight-forward but I still don't think it is worth the effort. I don't believe the copy/paste from the raw "Full Headers" view in Yahoo webmail as it is currently provided would ever have been parsable without that extra work. It is Yahoo that has changed from a compliant presentation to that we now see. Some points: I used WordPad, pasting your data in as plain text. That allows you to search for the headers by looking for the colon character - : - which follows each header declaration and allows the discovery of all the headers (the colon also occurs in date:time formats which you simply skip over). WordPad plain text format means you don't have to concern yourself with indented continuation lines - lines are continuous in that format anyway. The "Content-Type: text/html;" means you can simply copy or replace the body with plain text (as can be seen through the Tracking URL above) - it is not so simple with other Content-Types, as covered in my earlier post. It seems Yahoo will stop at little/nothing to force users into the technically non-compliant "upgrade" of their mail service, we have both experienced that. Does any of this make sense to you?
  11. Good news, thanks for the feedback. Maybe someone at the sending end wised up, maybe that run just finished. Marking resolved.
  12. Looking at limestonenetworks.com's AUP - https://www.limestonenetworks.com/about/acceptable-use-policy.html - it seems unusually blunt and robust. They are specifically adverse to having their IP addresses on RBLs, such as the SCbl. I'm guessing they're no strangers to having their facilities abused. Started life providing gaming servers, so I suppose that's so. More lately they moved to cloud hosting which has its challenges too. You might find the network is prepared to work with you to overcome this? They may be even more a victim in all of this than yourself. It could hardly make things worse to try them, if SC can't help - but the routing of SC reports is certainly a factor to be considered, given the behaviours you suspect, also any subsequent dispersal of the reports by the network - though only they would know that part. Or, given they have their own abuse reporting process (online form) they may ignore other sources, particularly if AUP enforcement is potentially involved - but any increases in abuse following SC reports would be a contrary indication for that. Don't give up. Maybe a source IP address or two from that abuse would assist any "here" with an interest in progressing further investigation.
  13. There are all sorts of ways they could track individual report submissions (such as an identifying code in the message body or even the headers), if the spammer got a copy of the report, but why would they bother? "Retribution" is a bit old hat these days (it's mostly about high volumes and/or pyramids of "affiliates", no need/time for finesse). Still, "targeted" spam exists. SC staff keep an eye open for SC reports being used to "game" the system - mostly for the opposite reason, that is for spammers tracking complainers so they can remove them from their lists - AKA "listwashing". This is a reporting question, moving this (and your other post on the same topic, which I will merge and "hide") to the reporting section for further consideration.
  14. Farelf

    [Resolved] yahoo problems cant find headers

    Probably not helpful but my Yahoo webmail account cornered me into "upgrading" to Yahoo7 and now badgers me - 'You're seeing Basic Mail because you're using an unsupported Internet browser.' (IE8). Well, as mentioned elsewhere, using the "Full Headers" option on that "Basic Mail" rendition of the opened message then copying and pasting that into an editor as plain text, breaking out the header lines in the undifferentiated mess that results (by inserting a CR-LF at the beginning of each subsequent header line) I end up with a parsable result to paste into the webform submission box. Not that I actually recommend such a rigmarole, but to continue ... Also, as mentioned elsewhere, the body can be recovered from the "View Source" display (a right-click option), being a small part in HTML rendition of the full page but it is not the same as message format and although the parser doesn't totally choke on it, there is no way it is going to find links without "re-engineering" the body, (but it may insert warning messages - after it has successfully parsed the headers, 'Finding links in message body' ... 'Parsing text part' ... 'error: couldn't parse head' ... 'Message body parser requires full, accurate copy of message' - that can all be ignored if exactly as shown). Some message body is required, if the message body is "multipart/alternative" you can't just substitute a note. Here's a cancelled (non-spam) message which shows the way to truncate those body types - simply open a boundary as defined by the boundary declaration in the headers then immediately close it (by repeating it with the addition of two dashes at the end). That avoids those warnings and gives reassurance you haven't maybe butchered the headers somewhere in the copy-paste-breakout-copy process. 
https://www.spamcop.net/sc?id=z6061510521z5b500437ce335de0e14f1f087d2503b2z If things have changed for you so that you are only able to replicate the above process then you can still report (on message sources at least). But that would be getting a bit insane IMO - simply not worth the effort, as noted Yahoo have their own spam control you should feed instead. Which is another reason for them to be so bloody difficult (inventing their own non-compliant messaging standards on the fly) I suppose. JMO - Steve
  15. Farelf

    My "joke" for today

    Some spambot activity seen from AS15756 (CJSC Caravan-Telecom) through 217.23.143.0/24 (CleanTalk search on 217.23.143, nothing on SFS or BotScout) - obviously they're trying relatively hard to keep that node at 217.23.143.156 clean. Nothing much on SenderBase, could be a bit to be learned through an account-enabled search on SenderScore - but as you say, "Life is too short ...". Any more from them (and they're not resiling from further, quite to the contrary) I would simply add an appropriate note to your "user" comments to go to their abuse desks (something like "e-mail address NEVER used or supplied by domain users, no validation of it obtained by your sender, address not obtained by any legitimate means.")
  16. Farelf

    Head line at Spamcop

    That one parses fine for me - here is parse (not mailhosted, mailhosted should look a little different but same result). BUT you should use ONE-PART form, the two windows form may give wrong results. https://www.spamcop.net/sc?id=z6059966310z56b3102541bc79cd780bfbc6ce8b4b84z Carefully compare this one with what you get - post your tracking URL if you can't see the difference - but note you need to include the spam BODY. You must have spam BODY in submission. Even if it is only blank line(s) after headers and "[no body]" like I have done. Parser message can be confusing, it will say headers incomplete when all is wrong is it cannot find body of spam. That is because without the body it cannot be sure it has seen all the headers. DO NOT use 2 windows form, use 1 window form (and include spam BODY after blank line or lines below headers as discussed). This has found the spammer but it may not be reliable all the time when you use the wrong form. I think both cases are the fault of o2.pl when "softfail" is used - something to do with "transitioning jhaxlzs[at]przetakiewicz.pl" or maybe it is a bug in the parser. Maybe SC staff can tell why what look like valid "Received: from" headers are not accepted. Here are non-mailhosted parses for each: https://www.spamcop.net/sc?id=z6059976141zbea828f112361baddcf0677e56811dfbz https://www.spamcop.net/sc?id=z6059986460z03a41055b4fc00bd71a64a8ad5e6d269z
  17. Farelf

    Head line at Spamcop

    Agree with all comments to date. Here is a tracking URL for those headers for a non-mailhosted account (and if the continuation lines were not mangled) - the parser works fine with that data: https://www.spamcop.net/sc?id=z6058242317zc5a43a24f4ec8407be7c425ffe80dc02z (reports cancelled by me but routing shown) I'm guessing you tried an e-mail submission to your SECRET submission address (don't show that address here!!). Did you "forward as attachment"? That is the only way it will work. What are the results if you paste the headers (and body) into the submission form (via https://members.spamcop.net/)?
  18. Welcome Mike - it's taken a long time for your first post, I acknowledge the concern reflected by that. Further nag sent ... also about the broken link in the forum home page - that is "What is SpamCop.net?" which was, essentially, the content recaptured now in http://forum.spamcop.net/forums/topic/14783-what-is-spamcop/ The earlier "goes nowhere" link on the homepage "Where to get Help" was to dbiel's entry in the SCWiki which was an expanded version of the same material. Some of the additional Wiki material was the links to the SC Facebook and Twitter pages which have not been updated in ages (so have been left out of the new link). Also included were more straight-forward links to the e-mail addresses of SC Deputies and SC Admin. We have always been a little coy about shouting those, possibly imagining attacks that might result, mostly to encourage initial contact (and sometimes resolution) through the forum without overloading the staff. But those addresses have been promulgated many times in many topics over time so, subject to Richard's and Don's approval, I propose to add them to the "new" topic above. Steve [update] approval given, additions to "What is ..." topic incorporated, that topic now includes relevant detail from the "Where to get help" SCWiki article.
  19. Farelf

    R.I.P. Ellen

    Ah, that is so sad, thanks for the heads up, Tony ... for those that have not seen the tribute: Rest in peace Ellen ... and thanks.
  20. An amended version of the Custom Pages redirected original, lost in the October 2014 changes, incorporating the relevant "Where to get Help" detail from the SCWiki. Do not overlook the Forum general help file - http://forum.spamcop.net/forums/index.php?app=core&module=help SpamCop is a comprehensive service offering something for everyone in the fight against spam. In this case, COP stands for Citizen On Patrol. SpamCop Reporters patrol their mailboxes and report the spam inside. SpamCop has the following component Services and Systems: Parsing & Reporting Service Blocking List Service (SCBL) Frequently Asked Questions (FAQ) www.spamcop.net hyperlinked (Original) Frequently Asked Questions (FAQ) single-page access (much expanded) Forum Portal Page Glossary Index Page entrance to the whole thing! An alternative view suggests the following analogy; SpamCop works exactly like the credit reporting agencies, and since most people understand how that works; SpamCop == Credit Reporting Agency SpamCop Users == Various Financial Entities that report credit info ISP using SpamCop to handle incoming email == Dealership using credit report information to decide whether or not to give you the car loan Read at least one of these following entries prior to posting your query, complaint, rant, whatever. Failure to note the basic concepts may result in getting an answer that you'd probably rather not see/read! How-to Post a Question - Short Forum Use, General Intro - not so short How To Ask Questions The Smart Way - long/off-site(not SpamCop.net affiliated - just a heck of an explanation of the obvious) Note their Disclaimer!!! How to use the SpamCop.net support Forum If any/all of this existing pile of resources doesn't resolve the issue, answer the question, make you happy, then there is the option to directly contact the extremely small handful of overworked SpamCop Staff. 
Two currently (and historically) handling queries are: SpamCopAdmin -- Don D'Minion/Argyle - SpamCop Administrative affairs, also serves as a Deputy * email address: service[at]admin.spamcop.net Richard W -- Richard/R.W. - Deputy (SpamCop Reporting and legacy email) * email address: deputies[at]admin.spamcop.net For an issue with the Parsing & Reporting / Blocking List systems; How do I contact a SpamCop Representative?
  21. Farelf

    Craiglist joined spam

    Pointless - several possible scenarios and those involving Craigslist or a third party getting hold of your address might be of some small concern.
  22. Have you tried the "Person" address from whois.apnic.net for 116.128.0.0/10 - zhouxm[at]chinaunicom.cn ? The address is valid but the domain uses a catch-all and there's no way to guess in advance whether or not it is either active or responsive (but it's all I can come up with).
  23. Farelf

    wrongly parsed header?

    My earlier post didn't pick up that your account is currently "non-mailhosted", sorry for that, my comments there were a little "off-beam" as a result. I don't know that the timestamps play a part in the non-mailhosted parse logic - it is all/mostly about the validity of the relays used IIUC and, as such, may be fooled by "clever forgeries". The whole idea of mailhosting was to cut away that avenue of deception. It might be a good idea to review the pinned topics in the mailhosting forum, particularly http://forum.spamcop.net/forums/topic/4068-mailhost-system-configuration-explanation/. In your case then, mailhosting would always stop the analysis at the border of your own servers and I can see how that may be a problem. Your reports would then be effectively saying "why are you relaying spam to me?" rather than "why are you hosting this spammer?". I think most (large) networks simply silently drop the stuff instead of assisting with the identification and elimination of the perpetrator - which is surely a large part of the reason for the progressive decline in reliability of e-mail communication (as a result, 85-90% of messages are supposed spam and are unseen by humans but it still gobbles up resources and such filtering is prone to some degree to false positives with real mail precariously carried in a minority sub-set). Part of the rationale for "bothering relays" (when reports are sent) is covered in SC FAQ (for network administrators and postmasters) https://www.spamcop.net/fom-serve/cache/99.html. The growth of botnets since the design of the original non-mailhosted parsing system no doubt contributes to the benefits of the mailhosted alternative. In any event, restricting reports to the entry point of your network (should you adopt mailhosting) has ramifications about which most of us know nothing. 
Perhaps you should talk direct to the SC staff - they may be able to advise - rather than you having to run the gauntlet of the "clever forgeries" which presumably are still out there (or, worse, give up on reporting).
  24. SC staff may be able to answer your query, meantime note my edit action applied to your post. When you post the "payload" of a spam message you are doing the spammer's work for him in spades. Furthermore you are jeopardizing the reputation of this website since external threat analyses will show any suspicious/malicious links and downgrade our safety assessment. Once more - if you want to discuss matters arising from reporting, do so through reference to the tracking URL found near the head of the parse results. That keeps any potential nasties at arm's length, without exposing/broadcasting them directly in these pages. It is very disappointing when senior forum members neglect the basics of web safety in our own forum. Sorry, don't mean to pick on you Snowbat but others have done the same/similar before you and it is a continuing worry when it shouldn't be.
  25. Farelf

    ADMIN please help!!!!

    Hi Craig, In the event he doesn't see your post, try e-mailing Richard W at spamcop[at]richardw.ca or deputies[at]admin.spamcop.net.
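
Added example, not part of any forum post above and not SpamCop's parser: a pre-submission check for the three paste-in conditions the posts describe (a body after the blank line, a "Received:" header carrying both an IP address and a date-stamp, and opening and closing boundary lines in the body when the Content-Type is multipart). The sample messages, hostnames, the `X-Constructed-Date` header and all function names are constructed for illustration; boundary lines follow the usual MIME convention of two dashes in front of the declared boundary.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

NO_BODY = "no body after the blank line that ends the headers"
NO_DATED_RECEIVED = "no Received header carries both an IP address and a date-stamp"
NO_BOUNDARY_PARAM = "multipart Content-Type has no boundary parameter"
NO_OPEN = "opening boundary line not found in the body"
NO_CLOSE = "closing boundary line not found in the body"


def received_has_ip_and_date(value):
    """True if one Received value (continuation lines included) has an IP and a date."""
    unfolded = " ".join(value.split())            # join folded continuation lines
    info, sep, stamp = unfolded.rpartition(";")   # the date-stamp follows the last ';'
    if not sep or not IPV4.search(info):
        return False
    try:
        parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):               # exception type varies by Python version
        return False
    return True


def check_submission(raw):
    """Return the list of problems found in a pasted message (empty list = none)."""
    problems = []
    text = raw.replace("\r\n", "\n")
    _, sep, body = text.partition("\n\n")         # first blank line ends the headers
    if not sep or not body.strip():
        problems.append(NO_BODY)
    msg = message_from_string(text)
    if not any(received_has_ip_and_date(v) for v in msg.get_all("Received", [])):
        problems.append(NO_DATED_RECEIVED)
    if msg.get_content_maintype() == "multipart":
        boundary = msg.get_boundary()
        lines = [ln.rstrip() for ln in body.split("\n")]
        if boundary is None:
            problems.append(NO_BOUNDARY_PARAM)
        else:
            if "--" + boundary not in lines:
                problems.append(NO_OPEN)
            if "--" + boundary + "--" not in lines:
                problems.append(NO_CLOSE)
    return problems


# Constructed samples (documentation addresses, boundary string taken from the page).
BOUNDARY = "----=MailPart0000_0010_C46147BD"
HEADERS = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id abc123;\n"
    "\tMon, 02 Feb 2015 10:00:00 +0000\n"
    "From: sender@example.net\n"
    "Subject: constructed sample\n"
    "Content-Type: multipart/alternative;\n"
    '\tboundary="' + BOUNDARY + '"\n'
)
# Complete multipart body: boundary opened, one part, boundary closed.
GOOD = (HEADERS + "\n--" + BOUNDARY + "\nContent-Type: text/plain\n\nhello\n--"
        + BOUNDARY + "--\n")
# Multipart headers with a plain-text note pasted where the body should be.
BAD = HEADERS + "\n[plain text note pasted in place of the body]\n"
# IP address and date-stamp split across two separate headers.
SPLIT = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id abc123\n"
    "X-Constructed-Date: Mon, 02 Feb 2015 10:00:00 +0000\n"
    "Content-Type: text/plain\n"
    "\n"
    "body text\n"
)

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD), ("SPLIT", SPLIT)):
        print(name, check_submission(sample))
```

The check only reads the pasted text and reports what is missing; it does not rewrite headers or body.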