Posts posted by Farelf

  1. Hi again Steve. As Steve T says, quite simply you cannot dummy a submission to make the parser find something it couldn't do by itself and then send the report as if the parser had done it all. That's the "material changes" rule - http://www.spamcop.net/fom-serve/cache/283.html You can always use the parser to find reporting addresses with manually altered data but you can't alter the spam that is reported.

    Seems frustrating I know but SC relies on INTEGRITY which is closely guarded to maintain credibility and cooperation within the internet community. That's why those other tools are needed (instead of SC reports) and the SCbl handles only e-mail originating IP addresses, not web sites. Reports to the associated network admins are a courtesy only, in the hope they will take action to shut down the spammers abusing their services. In the case of websites that is the only SC action, no SCbl entry (though the SURBL, mentioned in one of those other topics indicated, does independently use SC spamvertized site data).

    The parser is completely unable to follow redirections but I suppose you might be entitled to add an additional report recipient or two (if you are a paying user) reflecting anything you have found out yourself. (You need to be more than a bit cautious about following redirections by the way.) But anyway, you might then have some difficulty explaining in notes to those additional recipients what is going on since the report won't be indicating their networks. Very few of them are highly motivated towards anti-spamming activity, sadly. And the report has no consequences for them, as said - except if they are actually hard-core spammers, then the consequences could be a bit negative.

  2. The reporting tool is missing the spamvertised website mentioned in the headers and the body of the spam below (my email and others obfuscated for privacy reasons). The name of the domain is workfor375.com. ...

    Hi ssybesma.

    Yes, unlike your browser, the parser won't take an implied link like WorkFor375.com and treat it as a link (which is one reason why the spammers/authors don't put in the full link). If it had the http:// bit in front of it, it would be processed. I dummied a submission (and cancelled it) - http://www.spamcop.net/sc?id=z5322915931za...00961daa75b681z

    You can see it would work then, but can't pick up the redirection.

    SpamCop is all about finding the e-mail source. You need to go to other tools to address the "spamvertized" links with full rigour. There are all sorts of problems and solutions associated with the links both innocent and spammy that can be found in a spam e-mail. See http://forum.spamcop.net/forums/index.php?showtopic=12362 for a recent discussion of another type of link resolution problem and some links to those other tools. See http://forum.spamcop.net/forums/index.php?showtopic=4085 for some background, if you haven't looked there already.

    Steve

  3. Spreadsheet with TABL codes - key entry 10/05/2012 9:00:00 AM (DD/MM/YYYY regional setting) in PDT (-0700) zone. HOUR column, DAY and DATE by format (hh:ss, dddd & ddmm'yy). Other zones' HOUR, DAY & DATE by offset from key (1/24 increments). Copy, Paste into Notepad, Copy, Paste into Word, Ctrl-H find space, replace all (nothing) More button, Special button, find tab character, replace all, find paragraph mark, replace all.

    Zone Hour Day Date
    +1200 04:00 Friday 11May'12
    +1100 03:00 Friday 11May'12
    +1000 02:00 Friday 11May'12
    +0900 01:00 Friday 11May'12
    +0800 00:00 Friday 11May'12
    +0700 23:00 Thursday 10May'12
    +0600 22:00 Thursday 10May'12
    +0500 21:00 Thursday 10May'12
    +0400 20:00 Thursday 10May'12
    +0300 19:00 Thursday 10May'12
    +0200 18:00 Thursday 10May'12
    +0100 17:00 Thursday 10May'12
    0000 16:00 Thursday 10May'12
    -0100 15:00 Thursday 10May'12
    -0200 14:00 Thursday 10May'12
    -0300 13:00 Thursday 10May'12
    -0400 12:00 Thursday 10May'12
    -0500 11:00 Thursday 10May'12
    -0600 10:00 Thursday 10May'12
    -0700 09:00 Thursday 10May'12
    -0800 08:00 Thursday 10May'12
    -0900 07:00 Thursday 10May'12
    -1000 06:00 Thursday 10May'12
    -1100 05:00 Thursday 10May'12
    -1200 04:00 Thursday 10May'12
  4. ...I see gremlin said: OMFG... `dig vote.drbl.gremlin.ru soa` will answer your question.

    What does this mean? How can I contact them?...

    Gremlin was referring to the blacklisting checking and removal procedure, outlined at http://gremlin.ru/soft/drbl/en/faq.html#howtogetout (and the bits above that section) - which is all a touch technical for this Windows end-user but presumably within the range of stuff handled routinely by a network administrator (ordinarily the level necessary to confidently resolve these matters). He was pointing the way to the "responsible email address" in the DNS record of domain drbl.gremlin.ru - though that may not be contactable from a location within the blacklist.

    User gremlin might better be contactable via Personal Message - just go to his profile by clicking on his username in his post above then select the PM link - but no guarantee.

    Needless to say, nothing at all to do with SpamCop but of interest to some members here.

  5. Some high-volume spammers use the same list for both their target "To:" address and the forged "From:" and/or "Reply-to:" address. The differences in the use of the forged address and the "To:" addresses from that same list are that there might be tens of thousands (or more) different "To:" addresses, all using the same "Reply-to:" address (for one or more complete spam runs) - and that they seem to rotate the "Reply-to:" addresses fairly regularly. But of course the actual IP addresses (there will be many) of the sender will be totally wrong for the purported sender email address (just the one for this type).

    Yes, it seems uncanny to receive a spam apparently from yourself or with reply to yourself (if doing "long" reporting you never forget the first time, those doing "quick" reporting probably don't even notice) but usually it doesn't happen very often, your address has been picked out of the very big pool when it is your "turn" to be the forged sender.

    The fun starts when they have a bad list (they don't care, they're not paying for the volume of mail), with valid domains but abandoned or otherwise invalid user parts of the address. Then you stand to receive many thousands of misdirected bounces from clueless mail admins returning all that "undelivered mail" to your innocent address. I don't think that (in the usual case) the backscatter is deliberate, much of it consists of simple NDRs without the original spam - depends on the policy of the "bouncer". But it still happens, apparently, although the RFC which gave the practice some justification has been superseded for years.

    There is also some thought that another type of spammer, using a crafted low-volume approach, might specifically use your own address as sender to try to get through your mail filters (any whitelisting you might have of your own address).

    One way or another, just about anyone should certainly anticipate seeing spam from (or reply to) themselves, at least occasionally. Sender validation checks, greylisting, message-ID verification (for bounces), who knows what else, might eventually eliminate much of it - perhaps those are starting to do that already.

  6. Sadly missed.

    The Miss Betsy username was also a family familiar name/nickname and harks back to the old novel The History of Miss Betsy Thoughtless and its protagonist yet nothing could be further from the character of our Miss Betsy than the younger version of the literary character. We chuckled over the unconscious irony of it, she and I - because selfish and insensitive she was not (nor ever had been, it can be guaranteed). I liked to kid her about the IMHO thing, pointing out that self-professed humility is a most unreliable assertion (as any behaviourist would attest) - yet for her it was true. She was certainly about manners - good manners - and if that was her only legacy it would be enough but she gave so much more besides - including the sharing of her relevant technical competence ("fluency" she liked to call it), the possession of which she always denied and surely believed she didn't have though of course she did. And, whatever she did, she did it with kindness.

    Yes, she is missed, is Miss Betsy.

  7. Ah, I see (maybe) - the nslookup query is supposed to say which zone added your IP address but all the txt record for 138.134.89.24.vote.drbl.gremlin.ru says is

    text = "spam source"

    and 138.134.89.24.work.drbl.network-1.ru says

    text = "vote.drbl.gremlin.ru[at]ns.gremlin.ru:spam source"

    Which you construe to mean it was gremlin.ru themselves that added you and presumably need to be contacted - and so would I. That address would be av[at]gremlin.ru (whois.ripn.net).

  8. ...their removal instructions are lame because there is no postmaster[at]gremlin.ru....
    The point is you need to interrogate the data to find out who added you to the bl and write to them, not gremlin, per the FAQ http://gremlin.ru/soft/drbl/en/faq.html#howtogetout. Now just how you go about that interrogation is way out of my experience and knowledge levels, despite the illustration given in that FAQ. And it doesn't help that "the list of known zones and their respective contacts" from the FAQ returns a 404.

    I'm sort of with Rick on the significance of your listing - if there's no evidence of effective blocking it is probably not an issue - but the fact is someone has "voted" you on to the bl, presumably on the basis of mail they didn't want and they (at least) will continue to block you and (maybe) so too some other mail/network admins. It then depends on your type of business just how much of a liability that might become. I can't see you being taken off that list anytime ever without requesting it and maybe not even then - but I haven't looked through the FAQ in detail.

    If you have any concerns that gremlin.ru is not legitimate, you would need to address them to valli.org for explanation or reassurance. I see they nominate several bls as scam operations in their listings but not gremlin.ru.

  9. Hi Brad, your query has drawn no response so far so to get something happening ...

    Merged with this lengthy topic - have you skimmed through it already?

    Have you looked at http://www.greylisting.org/forums/index.php ?

    That comes up 404 not found -- any new pointer?

    Just trying to read up on everything before asking questions here.

    (Mine is -- after I approved a message that appears in the graylist, and an hour goes by and it never shows up anywhere, can I still find it somehow or urge it to appear?)

    I'll keep reading.

    Oops on the link. Not offhand - bit pressed for time at the moment but I would try it on the wayback machine - http://web.archive.org/web/20080615193326/...orums/index.php - look for a distinctive phrase or two and search the internet to see if the content has been moved somewhere else or whether the same topics are covered elsewhere. The latest archive copy is June 2008 which is a bit ancient but maybe enough to indicate some search terms.
  10. Leon Mayne has announced a new version (presently in Beta) of SpamGrabber - for Outlook 10.

    From newsgroups

    From: "Leon Mayne" <not[at]available.com>
    Newsgroups: spamcop
    Subject: Beta testers required
    Date: Tue, 7 Sep 2010 22:27:13 +0100
    Organization: SpamCop

    Sorry for the spammy link to an antispam newsgroup, but I've finally got round to writing a new version of SpamGrabber (formerly OLSpamCop) which works with Outlook 2010 and I was wondering if the good folks here could do a quick test for me to make sure it isn't knackered? Site is http://www.spamgrabber.org

    Brief news: SoftScan was bought out by Symantec, who have their own spam reporting application and have therefore dumped support of SpamGrabber. This was a mixed blessing, because:

    1) It means the project no longer has a licence for Outlook Redemption (but irrelevant as I've written the new version to use built-in objects), but

    2) It means the project can finally be open source (code is available at http://code.google.com/p/spamgrabber/)

    HTH,

    Leon.

    Deputy Richard has amended the SC FAQ at http://www.spamcop.net/fom-serve/cache/122.html

  11. Does Exchange 2007/2010's Quarantine suffer from the same issue, spam is presented to Outlook as an NDR with send-again to access the original message. (It's possible to save the original email to disk as an attachment via VBA and then add that attachment to a new message - is there a definitive test case to see if that messes up the headers?)

    Also, do any of the suggested programs have the ability to process said NDR to get the original spam message (spamsource silently failed).

    Hi CGretski,

    I think you will need to liaise with Don (SC Admin) on this - service[at]admin.spamcop.net

    As you will have noted, Outlook sometimes shuffles the order of the "Received:" lines when there are multiple occurrences. Definitive tests have shown this is an unacceptable risk for the reliable identification of the source. It *sounds* like the handling you talk of might be safe but I just don't know. Other members of the forum will be better able to comment but if your reports ride in on Outlook, Don will need to be happy with the process. We have expert Exchange users and hopefully one of them can contribute something a little more meaningful to assist you.

  12. ...Huh? Why would the source of the spam e-mail receive a report?
    Because they (network administrators) will (hopefully) work out where the (typically) bot-netted machine that is spewing the spam is in their network and cut it off. They're the only ones that can do that if a consumer-level dynamic link address is being used for internet connection by the offending machine.

    Spam sending is prohibited by the 'rules' of the network owners, most spam comes from forged addresses and through zombie machines without the knowledge or agreement of the machine's owner. If they (machine owners) *are* doing it knowingly they will still be shut down - and may face prosecution as well. Some countries are thinking about making the owners of the machines responsible even if they don't know it has been taken over by the powers of evil (phrase used jokingly, most of us aren't quite that fanatical though there may be exceptions).

    If you want some background to how the spammers work you could do a lot worse than have a look at Rick Conner's website - http://www.rickconner.net/spamweb/ - where Rick explains it. There's plenty more information on these pages too.

  13. ...the link provided Farelf:

    http://www.foodplast.com/index.asp?page=31

    I found was quickly exhausted as an authority. ...

    Well yes, written by the makers apparently. They don't want to say too much in this era of product liability.
    ...Regarding your doctor experiencing tractor death, if true, then that is an unfortunate end. Since I have smoked many cigarettes then a smoking related disease is on the cards as a 'natural' end point. ...
    Just because my middle name is "Mendacity" people assume I might lie? Actually I'm not absolutely certain that killed him but it certainly made him very unwell and nothing further was heard from him. He was, no doubt, scheduled to live forever having sedulously applied advanced professional knowledge to the systematic elimination or avoidance of all known causes of chronic distemper.
    ...Regarding the old way of poaching - seems you and your army possibly have no problem with it (whichever one it is) yet, I expressed the method mentioned with perhaps seemingly unwarranted apparent prejudice, however I would have issues with the old way being stated as broadly 'easy' in juxtaposition. Statistically the number of eggs involved in any given poaching session is less than army sized, I think you would agree with that. As to the average, well ...
    I confess I was of the opinion that "the old way" was not exactly rocket science nor was any special skill involved, be it inherent, learned or practiced, but now you give me cause to reconsider. I can only imagine the effect this might have on those grizzled veterans of those long-ago sculleries should they learn of my possible change of heart (picture silent tears of gratitude welling from suddenly shining eyes and proceeding in halts and starts over craggy and stubbled cheeks - and yes, perhaps the occasional muffled sob).

    Ah, there is greatness in you QM, to wring such from those ancient hearts, so savage and morose.

  14. clingfilm is just cellulose?
    Then it wouldn't cling. Many types, many uses - read the recommended uses, trust the manufacturer (not to lie) and the good-intentioned but ultimately arbitrary standards. http://www.foodplast.com/index.asp?page=31 Life's a lottery, there are worse things around than cling film. But I still wouldn't regularly use any of it as a 'cooking vessel' (in contact with the cooking food). I can't see that any of it is tested and certified in that service. That's maybe pushing the envelope.

    Been let down too often by 'emergent technology', old enough to remember DDT, thalidomide, etc. as well as those that are 'good' then 'bad' then 'good' again (for how long?), like gamophen soap. If we didn't evolve with it, there's a risk which somebody has deemed 'acceptable'. That's fair enough, none of us would be here if those risks were not taken all through the ages. Knew an MD once (one of a whole multi-generation family of MDs, not a crank) who earnestly cautioned against the use of aluminium cookware. Just about everyone (including me) ignored him. In the end we make our own calls. A tractor fell on him, still not sure what his 'point' was. Probably similar to my hesitation about cling film. Won't go into the discussion of "temperature", averages, transfer rates, chemical reactions and concentrations - at the end of the day it is, apparently, very low risk - and anyway we don't (most of us) get to choose the risk that ultimately takes us out.

    One simply follows one's 'nose' and hopes for the best. There's no evidence that higher levels of concern materially increase survival - to the contrary stress is a killer. Be alert but not stressed (seem to have heard similar, somewhere ...). Won't go into norms and deviations and herd-species survival and lemmings either, too hard (for me) and too boring for most.

    And this is a long way from egg poaching. I've seen army kitchen staff, some not even trade qualified, some with very ordinary intelligence levels on casual observation, who could poach perfect eggs 'the old way'. All of them could. Consistently. Perhaps we're overthinking this? The herd went -> thataway.

  15. I find poaching an egg in clingfilm is fairly fool proof. (found it on a Rob Manuel webpage)

    For the real deal and comparisons (small language issue) see How to poach an egg
    The key here is microwaveable clingfilm (but I guess one would only make the mistake of trying the 'regular' stuff once), even so I would have some reservations about regular use of it in actual contact with the food. Meeting some regulatory/advisory authority's standards for the "migration of plasticizers from cling-film" is one thing - and direct contact (even if at only 100°C/212°F) is another. The good news is it is certainly safe for regular long-term use by politicians, ministers and directors of public health departments and the CEOs of microwaveable clingfilm manufacturers and their respective immediate families - in fact it should be compulsory.
  16. ...Greylisting just sends a temporary reject message to resend which a compliant mail server ("RFC 821") must do within a set time (30 to 60 minutes?).
    There seems to be a diversity of practice and that is a potential snag. It may be that 5 minutes is now something of a de facto standard. But I've had some of my mail fail because the short retry time of my ISP (considerably less than that 5 minute region - and 100 retries or permanent rejection before giving up) was too short for the receiving site (not SC), which was expecting no less than 10 minutes between tries and was programmed to permanently reject if it got more than 3 retries in that time (an empirical figure that apparently kept actual/presumed spam levels way down). So yeah, both sender and receiver apparently need to be on something like the same 'wavelength' and I can see some conservatism on either side affecting delivery times and I can see that being variable.
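The retry mismatch described in the post above can be modelled in a few lines. This is an added example, not part of the original post and not any real greylisting product's code: the `Greylister` class, the `deliver` function, the sample triplet and the 2-minute sender interval are constructed for illustration, and the 10-minute window is assumed to be measured from the first attempt.

```python
from dataclasses import dataclass, field

TEMPFAIL, REJECT, ACCEPT = 451, 550, 250  # SMTP reply codes used by the model

# Constructed sample triplet (client IP, envelope sender, envelope recipient).
TRIPLET = ("192.0.2.10", "sender@example.org", "rcpt@example.net")


@dataclass
class Greylister:
    """Receiver side: defer unknown triplets, punish senders that retry too eagerly."""
    min_delay: int = 600         # seconds that must pass after the first attempt
    max_early_retries: int = 3   # retries tolerated inside that window
    seen: dict = field(default_factory=dict)  # triplet -> [first_seen, early_retries]

    def check(self, triplet, now):
        if triplet not in self.seen:
            self.seen[triplet] = [now, 0]
            return TEMPFAIL                      # first sighting: ask for a retry
        state = self.seen[triplet]
        if state[1] > self.max_early_retries:
            return REJECT                        # already permanently rejected
        if now - state[0] >= self.min_delay:
            return ACCEPT                        # waited long enough
        state[1] += 1                            # retry arrived inside the window
        return REJECT if state[1] > self.max_early_retries else TEMPFAIL


def deliver(greylister, triplet, retry_interval, max_retries):
    """Sender side: fixed retry interval. Returns (final_code, attempts, elapsed_seconds)."""
    now = 0
    for attempt in range(1, max_retries + 2):    # first try plus max_retries retries
        code = greylister.check(triplet, now)
        if code != TEMPFAIL:
            return code, attempt, now
        now += retry_interval
    # Sender gave up while still being deferred.
    return TEMPFAIL, max_retries + 1, now - retry_interval


if __name__ == "__main__":
    for label, interval in (("2 min", 120), ("5 min", 300), ("15 min", 900)):
        code, attempts, elapsed = deliver(Greylister(), TRIPLET, interval, 100)
        print(f"retry every {label}: final={code} attempts={attempts} elapsed={elapsed}s")
```

With these settings the 2-minute sender is permanently rejected on its fifth attempt, well before the 10-minute window closes, while the 5-minute and 15-minute senders are accepted.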
  17. [mrmaxx] As supposed, more information has emerged on this problem - I've not followed it closely but it now seems instances of the Backdoor.Tidserv (Symantec)/ Backdoor:W32/TDSS (F-Secure)/ BKDR_TDSS (Trend) rootkit infection have been implicated. This (previously) infects a low-level driver, the unrelated kernel module patch in MS10-015 / KB977165 then causes the infected drivers to call invalid addresses and, in turn, that causes blue screens every time Windows boots up. The most commonly affected drivers are said to be atapi.sys, iastor.sys, idechndr.sys, ndis.sys, nvata.sys, vmscsi.sys. That information from http://www.symantec.com/connect/blogs/tidserv-and-ms10-015 with links to http://blogs.technet.com/msrc/archive/2010...g-ms10-015.aspx.

    So, getting back to the bootable state is just the start of the process, the infection has to be dealt with in that scenario, and then the 'guilty' patch applied all over again. This is apparently the same for all affected machines, including Vista, not just XP. Probably Vista machines aren't as much affected because the virus is fairly old (though its authors are obligingly updating it on the run according to some sources) or because Vista's paranoid by default 'Did you ask for this to be run? Do you really, really want to?' querying of code execution actually stops some of the infection malarkey. I would like to think the latter - like airport security etc., hopefully the gross inconveniencing of the majority actually achieves something more than the sly gratification of the ungodly few.

    Are you on top of this now? Was that behind your problem? Hope you get paid for all of this. :D

  18. That doesn't appear to be a particularly general problem but I guess as the days pass there will be more comment appearing on internet searches. That update certainly went through without problem on SWMBO's Vista.

    I guess there is no way you can boot at all and 'revert' the updates? We've never had the blue screen situation so no idea how to access the recovery console in that circumstance. Not that it was the slightest use in the one situation we needed to try it - but that was an incomplete uninstall of an incompatible printer that was causing our problem, presumably a MS update would be a different matter.
