Jump to content


Forum Admin
  • Content Count

  • Joined

  • Last visited

Everything posted by Farelf

  1. Farelf

    Paste decoded email body in second box:

    I've experimented in using the part of "View Source" representing the HTML rendition of the message from (my) Yahoo mail. The parser didn't mind it but neither did it find and analyse the the links. The trial was with a Facebook nag mail which, according to the headers was "Content-Type: multipart/alternative;" and the "View Source" rendition contains none of the requisite boundary declarations in the body so I suppose that is never going to work. It just might work with other content types, I don't know.
  2. Farelf

    Paste decoded email body in second box:

    "View Source" inhcludes the HTML representation of the message (including links) or it does if your Yahoo works the same as mine - but it seems there are some differences. Just search the source page for some plain text phrase from the message body - something from near the top for preference - and it should highlight the appropriate part of the page. Whether or not you can paste that part of the source (just a fraction of the total) into the submission form and have it accepted by the parser is something I don't know.[at]turetzsr - Steve it was originally FAR more than just "inserting a blank line" - you may recall the parse said something about "correcting bizzaro headers" when the 2-part submission form was used. Maybe it still does, maybe it no longer matters (though Outlook headers remain an issue for e-mail submissions). I don't know. But certainly there is no need to use that special purpose form for Yahoo submissions and there may be some risk of mangling the headers in some instances if it is (mis)used. No real effort involved in inserting the requisite breaks between header and body parts using the single box form, in my view, and safer. Of course I agree the links are not SC's "main game" but understand those who feel that going after the spam message "payload" is worthwhile. While SC may not be effective against complicit hosts in that regard, the SURBL feed taken from SC report data has some actual leverage. And not all hosts are complicit. But I don't think I would bother in the Yahoo case. Unless that selection of the Body part of "View Source" actually works as a paste-in for the parser (and SC staff don't object).
  3. Farelf

    Paste decoded email body in second box:

    Body or headers or both? What is the "second box"? You should just use the single box version of the webform submission form - the 2 box outlook/eudora workaround form shouldn't be used/necessary/applicable. I'm probably misunderstanding the question/intent. Aaagh ... in any event a nightmare with "Basic Mail" webmail (which may not be the same as "Classic" but it is what I'm using anyway). FULL Headers: Need to open the spam (not generally recommended but there seems to be no way around it). Then in the header section, click on "Full Headers". The result looks OK but when copying and pasting, the CR-LFs are lost. Those need to be (manually) restored before the headers are 'parseable'. Easy enough to do but you will probably need to keep referring to the webpage "Full Headers" display because Yahoo headers and fairly verbose. After the headers you need to insert a blank line or two and then some sort of BODY. I suppose you could right-click the (open) message, select "View Source" and pick the message body out of that but that is even worse than sorting out the headers. I would confine myself to copying and pasting the plain text, myself - below the blank line(s) following the headers. Reporting any significant volume this way requires real dedication and considerable stamina. Here's an example (non-spam) of Yahoo full headers as pulled out of a display page using the above method:
  4. Spamcop.net mail now uses IronPort filters. The appliance support page for filtering is: http://www.cisco.com/c/en/us/support/security/email-security-appliance/tsd-products-support-series-home.html - and I note from general observation that some appliance-using clients point their user base to the report address for undetected spam (and there's a report address there for false positives too, if copies can somehow be retrieved by end users). Intended for use by NOC-type people but, as said, in some networks the user base is also encouraged to share in the fun. No doubt some spamcop.net account users will prefer to continue reporting any "leakers" through SC, but others may be enjoying the (relative) absence of spam under the new arrangement and happy to help refine the IronPort filtering. FWIW then, the current addresses per the above link are: Cisco IronPort Anti-spam Report undetected spam to: spam[at]access.ironport.com Report false-positives to: ham[at]access.ironport.com
  5. Farelf

    wrongly parsed header?

    The parser can show you the logic used in parsing your headers. Go to your reportting account preferences from your member log-in page and check "Show technical data" under "Reporting preferences" (Under the "Preferences" tab). Also check "Show technical details" under the "Report spam" tab (where you past-in/review your spam submission). You wil then see notes for the parse, including things like "Internal handoff" and "ignored" where it has worked down through the headers, within your hosting. When it hits the edge of "your" network it will note something like "Nothing trusted past this point" and will nominate the first IP address past that as the spam source, You don't need to resubmit spam (once the preferences have "taken hold") simply pick up any reuired example from your "Past reports" tab (by clicking on the Report ID from the display - which covers up to 90 days' worth of them). Note you can discuss the detail in these forums by posting the Tracking URL from (near) the head of the parses you can pull up that way (that URL is clearly specified and is not quite the same as the page URL for the display). Tracking URLs are the preferred way to query, discuss and comment on these matters (and give you an extra layer of security when doing so). Might seem a bit complicated/daunting at first but you will get on top of it in no time, just needs a litte "exploration" for familiarity and confidence. Regards, Steve S
  6. Thanks AJR, you've answered your own question then? Marking this "Resolved". Incidentally I've broken those links you posted (copied and pasted) for the www.717777.net/ URI. No doubt it was taken down by the time you posted but, since it is/was a spam "payload", best not to re-publicize it, eh? Especially not here. Using a Tracking URL is the best way to discuss "your" spam - that avoids all sorts of actual and potential problems. Please keep in mind "next time".
  7. We cannot help you with that Peter - SC is nothing to do with APEWS, see our FAQ on that at http://forum.spamcop.net/forums/topic/13802-apews-removal/ and also read some of the earlier entries in this topic (to which this now merged) for our impression of APEWS (that would take some time, maybe just the previous one). (PMs sent to previous 2 posters about the move of their "topics" to this master thread - but it seems the standard mode is "dump and run", until demonstrated otherwise this thread should be regarded more in the way of sanitary engineering than of education.)
  8. Thanks to previous respondents. We resent posters presuming, against all advice, to use our forums as a public noticeboard for the Anonymous Postmasters in the faint hope that one of their Admins might stumble across it and take some action. From our point of view that is very close to any other form of spam, even more so if the author simply drops his post and runs, never to return. However we are anti-spam and happy to help anyone with spam-related problems. If you are having problems sending mail through mail.howyee.com ( it is unlikely the cause will be the APEWS listing (any network using that for mail blocking is too clueless to stay in business) - and you are presently not listed in any major RBL. Have a look at your DNS records. Is your SPF authority actually what you intend? Looks to me like it is authorizing relays from an uncommonly wide range - and perhaps not the range intended by the irregular CIDR notation presently specified in that record. Also the nameservers point several other servers/domains to (SUEBUY.COM and LI398-161.MEMBERS.LINODE.COM). Is that deliberate? Why? If you wish to discuss your problems with mail transit, feel free to return. If you simply want APEWS de-listing THIS IS NOT THE PLACE.
  9. I hit the "refresh/show" link for (after pasting the IP address into submission form on my members' page) and instead of "No valid email addresses found, sorry!" it currently shows - - after referencing abuse.net and then picking up a redirection "order". That would seem to be the network's preferred abuse address for SpamCop reports and replaces the previous devnulled address. In some cases SC might go for the abuse address(es) from the ARIN database instead of the network preferred address, no doubt that network preferred address is monitored (for bounces, evidence of listwashing, etc.). As for the difference between Org(anization) and R(esource) ARIN records, I think we find the answers in ARIN - https://www.arin.net/resources/restful-interfaces.html - go down to the presentation "ARIN's Database Records" and click on the "Abuse POC" (Point of Contact) under Org ID and similarly "Resource Abuse POC" under Resource. In the "About POCs" in that presentation, it is clarified - So, it seems the same Org records populate all instances of that Organization's database entries while the Resource records may be added for a specific instance - and where different could be considered deliberately so. Well, that's how I interpret the materials BICBW.
  10. Farelf


    Yes, I think the BB code interprets a later version of HTML that expects CSS to set the column width attributes and is defaulting to "100%". Nothing "we" can do about accessing/altering that stuff that I can see offhand. [edit] Well, we could enable HTML but that doesn't affect the width thing - worse, we lose the borders in HTML tables (another CSS-set attribute, I guess). But easier to create 100% width, no-border tables using that external table generator.
  11. Farelf


    Or (eliminating whitespace by putting all code on the one line): Sample Heading Row 1 Column 1 Row 1 Column 2 Row 2 Column 1 Row 2 Column 2 Horrible, isn't it? If there was a way to enable HTML we could use a table generator like http://www.tablesgenerator.com/html_tables
  12. Thanks for the feedback (and your candour - that will help others looking here for answers) - a good result then Note I have further munged the submission address you posted earlier. The code is "secret" and opinions vary on the risk of revealing it but if you find some joker submitting spam on your account and it becomes a nuisance then ask Don for a new submission address. Only you can complete the report process past the submission stage so it wouldn't be more than a nuisance, hopefully.
  13. Just which sign-in is being accessed may have some bearing in some cases. No doubt there have been changes in terms of error messages etc. but I currently see these options, assuming they all still work (I use 2a. only - simpler if the browser is set to "remember" credentials - on a non-shared PC! - I'm a little uncertain about how the others are processed): 1. https://www.spamcop.net/mcgi?action=loginform;returnurl=%2Fanonsignup.shtml (requires cookies) 2. https://members.spamcop.net//anonsignup.shtml ("HTTP basic auth") 2a. http://members.spamcop.net/ (produces the sign-in/"Authentication Required" pop-up of the above unless already logged in during the same browser session) 3. https://www.spamcop.net/ces/members.shtml (spamcop.net e-mail account users, hit the "Report Ѕpam" link) When the cookie expires subsequent to option 1. sign-in there can be confusion (unless something a little more tidy/automatic has been instituted lately) - but it simply requires accessing the page and re-setting the cookie. I guess the other thing to remember is that the reporting account "username" is the original e-mail address specified when starting the account - NOT the reporting alias/handle and NOT any subsequent contact e-mail address. I suppose, if 2. or 2a. fails, an alternative would be to try 1. (unless cookies are disabled for the browser) and vice-versa. I don't know, just something I would try. Otherwise straight to Don D'Minion.
  14. Farelf

    Spaghetti and beans

    Ah, it's just a touch of whimsy, to be sure. Can't recall the Asimov story but surely we are talking about deuterium oxide 2H2O or D2O. Not all water is the same, that's heavy water (higher SG: 1.107, higher MP: 3.82 °C, higher BP: 101.4 °C, than H20). It was thought for a while it might be the elixir of life, not sure why, perhaps just optimism (anything that rare had to be good). On closer examination it turned out to be toxic, in ways that are still imperfectly understood. Investigation is hampered by the expense of the stuff. Anyone wishing to OD on it would need to have deep pockets (and great patience, it would take a while) - or be an exceptional thief (and patient). But it wouldn't hurt to cook with it, occasionally, for the sort of reasons Napoleon III used aluminium cutlery.
  15. Hi hatters, People have occasionally had problems with MailWasher - settings unaccountably changing or some-such. Double check you settings and if nothing found write to Don D'Minion (SpamCop Admin) at spamcop[at]spro.net - with the full error message and context and your reporting account details (do not post those here). Steve
  16. Sounds like the sort of thing which the Spamhaus "snowshoe" list might eventually catch - http://www.spamhaus.org/css/ - it takes fairly special resources to address snowshoeing efficiently and I think that's well beyond the capability of the SCbl UNLESS heaps of reporters just keep on reporting, or the spammers' lists include SC spamtraps (note What is the SpamCop Blocking List (SCbl)?). If you have a "paid" reporting account you can look at the report histories of those IP addresses to see how many other reporters are making submissions. The spamstats - https://www.spamcop.net/spamstats.shtml - can give you an impression of how much spam traffic is passing through those networks (especially Ѕpam reports vs. email volume which, with a little guesswork, gives some clue as to the liklihood of future SCbl listing. And the links from those stats to the SenderBase analysis of the net range/network gives more detailed analysis. SenderBase can be generally-directly interrogated from http://www.senderbase.org/ as well. If the spammers are illegally hacking the sending serververs, then SC reports to the abused networks will generally - but not always - help, especially if the addresses are also on the CBL (shown in both the parse and the SenderBase analysis) and you mention that in the report notes to the abuse addresses. The CBL links often include specific advice to the network on disinfecting suborned servers. spam payload "spamvertized" domains are a potential weak link for snowshoe operations and SC reports go to the hosts of those (the first re-direction link at least) to invite their attention to the supposed abuse of their terms of use. We know from complaints made from (more or less innocent) domain owners/registrants on this forum that can be effective, sometimes rather too effective. A certain amount of SC spamvertizing "observations" are also picked up by the independent-specialiazied SURBL to list offending domains. "Complainterator" (seach the internet and this forum for that name) is a non-SC approach discussed here frequently, another is "KnujOn", either/both are certainly additional tools that might be used and there are members of this forum who use (or used) one or both. There's a lot that can be done (without becoming too obsessive) but SC reporting still has a part to play IMO - even if the results are not immediately apparent or spectacular.
  17. Farelf

    Living with the blocklist?

    Hi prusswan, welcome. Usually, it will take more than a minority of errant users to get a particular server listed in the SCbl - see What is the SpamCop Blocking List (SCbl)? In most instances SC offers (by default) very detailed reports to mail administrators long before before any listing, allowing them to pinpoint those errant users. An exception might be when spamtraps (only) are tripped. Those have a higher weighting than human submissions and do not generate reports. In that instance, it is the result of serious spammers abusing the mail service and the IT department should be very much concerned (and already aware) about the typically huge demands on their network resources (also adversely affecting regular mail operations) by illegal user agents and involving who knows what other security issues in the network. In any event, listing in the SCbl is an "early warning" of network abuse, allowing mail administrators the opportunity to find and isolate the source(s) before continued abuse tips the mail service into more serious and unrelenting blocklists. Unlike most, removal from the SCbl is automatic and rapid (<24 hours) once the spam stops. Under the circumstances, bombarding the IT department is a very reasonable response from the inconvenienced genuine user group. They (the IT department) have been asleep at the wheel or are inadequately resourced to do their job (and need the complaints to prove it). P.S. Administrators (and users) can monitor block list status with http://www.senderbase.org/ ("Search IP, domain or a network owner") which will have the advantage of showing other outgoing servers in the network bloc and checks several other blocklists in addition to the SCbl - including the CBL (with a link to any listing detail there), the CBL being excellent for picking up evidence of server compromise (and usually providing helpful hints about the "disinfection" measures needed in that case). SC's own online real-time SCbl checker is at https://www.spamcop.net/bl.shtml which has other useful links.
  18. Farelf

    Spaghetti and beans

    Aaagh! Proteins and starches in excess - you fiend! I love such food, but it no longer loves me.
  19. Farelf

    Server blocked...

    Much later - ( - is still allocated to Glen Group but apparently no e-mail transits that block, sadly it seems they found it necessary to migrate that part of the business elsewhere. If spam ever did come from there, reports would still (probably) go to abuse[at]rackspace.com (for, abuse[at]glengroup.com (for glengroup.com) IS set up in abuse.net but the OrgAbuseEmail for that /27 in ARIN WHOIS data is nobody[at]example.com (for any/all Glen Group contact in that bloc actually) which doesn't currently matter since nothing externally discernible of any sort appears to be happening within the /27. Which might indicate the proper/intended use for nobody[at]example.com addresses in ARIN data which have been seen elsewhere, causing wonderment and consternation - especially when it related to spam sources (but that was not from Glen Group netspace that I can recall - and blessed if I can find the reports by forum search on "example.com" keyword now).
  20. Farelf

    Commercial 'search' spam?

    Nothing to benefit the forces of the malign (though they should feel free to experiment in a confined, unventilated space, locked from the outside) - just, in these later stages, cautions, hard-learned lessons from the School of Life offered in the hope that others need not recapitulate the actual experiences to know the risks. But yes it has spiralled, in natural progression, way beyond the bounds. But certainly it remains a little geeky.
  21. Farelf

    Commercial 'search' spam?

    Don't know about mustard gas but you would certainly notice the hydrochloric acid vapour as it starts eating your lungs. My wife actually, deliberately, once mixed chlorine bleach and cloudy ammonia on the very reasonable assumption a more potent cleaning mixture would result for the be-grimed bathroom tiles. Chemistry can be SO unreasonable. Nasty, nasty stuff. She only did it the once but she coughs to this day, nearly 40 years later (she persisted though choking, apparently it worked fairly well as a cleanser, frantic husband probably being the only reason she didn't ever use it again). Around that time I also tried to convince a (diesel) power station maintenance foreman to use the breathing protection I provided when he poured conc. HCl for the coolant de-ionizer, a daily task. He preferred to cough blood but was very touched that someone actually cared. He was ex Kriegsmarine and possibly had some issues with survival. His boss was ex Kaiserliche Marine and had marginally better results in convincing "young" Kurt (he wore a mask thereafter, even with filters fitted, sometimes ... if he knew someone was watching). But whenever he delegated the job, he made very sure his man wore a mask - with the correct filters. People are funny. But mixing chlorine bleach and ammonia is not.
  22. Ah, good. Can't rely on SC reports adding to the SURBL (difficulty parsing URIs in the body sometimes, as we know, also "Quick" reports don't contribute) but it obviously does sort of work. More leverage, FWIW, on the lackadaisical/complicit shortening services and a tool to help divert/drop the mailbox spam load. CleanTalk (https://cleantalk.org/blacklists) currently lists mow.so too - CleanTalk lists are mostly for comment spam IIUC.
  23. Farelf


    Some later discussion - http://forum.spamcop.net/forums/topic/10304-reputation-check-please/ The code strings in the constant contact URIs could be anything but probably (mostly) track the referrer to your response. E-mail marketing is always going to be more than a little contentious within the demographic of this forum. A little de-mystification is going to be useful. Here is one supportive review - http://au.pcmag.com/e-mail-products/27210/review/constant-contact-email-marketing (negative reviews aren't hard to find either but probably don't go as far in explaining the process and supposed checks and balances). World Of Trust reviews are mixed but not generally supportive - https://www.mywot.com/en/scorecard/visitor.constantcontact.com The general quality of internet product/service review is low and notoriously prone to competitor "white-anting" - I would prefer the views of the forum members in the "later discussion" linked above, especially those who have used the service, and hopefully some of those might respond here - if not, I'm sure they wouldn't mind you PMing them for their informed opinions (and, with their consent, adding such comment to the dialogue "here" for broader dissemination).
  24. Farelf

    Commercial 'search' spam?

    Very droll. Can we get further off-topic? Of course we can! I just feel bound to mention, seriously, that (suspected) peptic/stomach ulcer sufferers tend to find all sorts of ways to "live with" their condition in preference to obtaining diagnosis and (these days) simple, no-fuss and effective treatment. Contrary to this very natural and entirely "human" tendency to avoid actually confronting the condition, they really, truly owe it to themselves and their loved ones to seek professional assistance, the earlier the better. Otherwise there are risks of progression to worse things. Very much worse. Trust me. Sorry to be a "wet blanket" but this touches (well, slams) close to home - when the wrong decision, delayed decision (or, more likely, the absence of decision) can, in the worst case, be disastrous - quite literally. So simple not to let it go so far. And, after that caveat, the Fuzzy White Russian sounds like fun Gin and tonic (once the certain sign of a "ruined digestion") gets a bit monotonous after a while.