Everything posted by jseymour

  1. jseymour

    MEDIA: Major ISP's declare war on zombies

    The article appears to be a distilled version of the Anti-spam Technical Alliance (ASTA) Recommendations that were released yesterday. Among the many recommendations are rate limits for outbound mail. They suggest limits of 150 per hour or 500 per day. I've got a large family, but it's not that large! All in all, I'd say this is a good thing. If the spammers have to infect more machines and send fewer messages per zombie, then it'll make their job that much harder. And that's the name of the game. We provide the pressure. They are forced to adapt. Eventually, the cost to do business will rise to the point that the spammers will have to get real jobs...
  2. Some of the messages forwarded from my Yahoo address to Spamcop are not getting parsed via Mailhosts properly. They are coming via the 206.190.36.* IP block - which is apparently not part of the Yahoo mailhost. Here are a handful of recent samples (all dutifully quick-reported - sorry, Yahoo):

     http://www.spamcop.net/sc?id=z518666160zfd...c181059f4c4db5z from mta168.mail.re2.yahoo.com (
     http://www.spamcop.net/sc?id=z518666151z7e...746e9d14c7bb38z from mta154.mail.re2.yahoo.com (
     http://www.spamcop.net/sc?id=z518497522zed...75c086a1265dfaz from mta184.mail.re2.yahoo.com (
     http://www.spamcop.net/sc?id=z518497517ze9...35514ccd33dcbcz from mta168.mail.re2.yahoo.com (
     http://www.spamcop.net/sc?id=z518497513z53...edb9c39d788b72z from mta120.mail.re2.yahoo.com (
     http://www.spamcop.net/sc?id=z518497506za7...03fee9e5031352z from mta174.mail.re2.yahoo.com (
  3. Ah, yes. That would be me. I sent a message on Monday at 3:57pm Pacific Time with a Subject of "mailhosts: New IP's being used by Yahoo (?)" It contained essentially the same content as my first post in this thread.
  4. As expected (hoped?), the FTC seems to have come to the correct conclusion regarding a Do-Not-spam list. From Reuters (via Yahoo): 'Do Not spam' List Will Not Work - FTC
  5. I don't know what to tell you, but this comment seems to be coming up a lot recently. The address I have showing is Deputies <at> admin.spamcop.net .... but I see listings that show Deputies <at> spamcop.net ... I'd trust that both of these are mapped to the same InBox, but ...???? Hmmm.... I sent it to deputies <at> spamcop.net - just like Ellen's post said to. They might - but it's hit and miss. The majority of messages forwarded from Yahoo seem to come from a known server. However, some (perhaps about a third) come from the "new" IP's that Spamcop doesn't know about. If I get ambitious, I'll do some experimentation...
  6. Just to bring some quasi-closure to this issue... I never heard back from the deputies, but I switched my setup so that Spamcop POPs my Yahoo account instead of Yahoo doing the forwarding. This seems to have worked around the problem. I prefer forwarding, but this is an adequate solution for me...
  7. jseymour

    reporting sites?

    It's too easy for a spammer to use somebody else's image, so it's not safe to report the image host. As for the acronym question, I'll defer to The Powers That Be to answer that one...
  8. Thanks. I've dropped an email to the deputies... I don't recall seeing the "X-Received" message - but that's probably because it's not bright pink like the other important stuff... However, the X-Yahoo-Forwarded message is normal. When you use Yahoo's forwarding, they add that line to indicate the forwarding. Spamcop ignores it as it's not relevant to the parse. Since I send my reports unmunged, though, I'm not sure if it's merely ignored or actually deleted. Received line #2 is the line Yahoo added. It shows a spoofed HELO and the true source of the spam. However, the problem I'm reporting is on Received line #1. It indicates that Yahoo sent the message to Spamcop - however the IP address in question is not known to Spamcop's Yahoo mailhost.
  9. jseymour

    Open SPAM messages

    I'm pretty sure that turning off OE's preview pane is not required if you're viewing in plain text.
  10. jseymour

    Message Bouncing - Why?

    Any idea what the problem is? I recall a transient problem several days ago that resulted in Spamcop rejecting forwarded emails for a couple hours. The problem (to my knowledge) has not repeated. It's not unusual for mailing lists to drop addresses from their list if one of the messages bounces. You probably just need to resubscribe and hope that whatever bug caused the original outage does not reappear... P.S.: I munged your addresses in my reply - you might want to edit your post to do the same.
  11. jseymour

    Open SPAM messages

    Be careful, though. "Highlighting the spam" will (by default) preview the message in the preview pane - and this is often enough to trigger web bugs. A better solution in OE is to view all messages in plain text. It garbles some HTML messages, but most will remain readable. An even better solution is to switch to a mail client that has better options for such things. I prefer (and use) Mozilla - as you can specifically instruct it not to load remote images, yet keep the HTML formatting intact. As for munging: I'm one of those reporters who sends all reports unmunged. The risks are retribution and increased spam - but I consider those to be small. The benefits are an increased respectability for Spamcop reports in general.
  12. jseymour

    Spamtrap addresses

    This is true. However, the verification can still be done during the SMTP dialog using LDAP lookups or equivalent. I suppose in giant mail systems such as Yahoo's, these remote lookups could be too much of a burden - but for normal (or even large) mail servers, the delay and network traffic should not be too high. I am of the opinion that mail servers should first reject with a 550 (or equivalent) during the SMTP session. Based on the percentage of forged From addresses I see, I would say that if they are unable to do this, dropping the message on the floor is preferred over sending a bounce. This is also true - but it's a very poor excuse for not rejecting. Essentially that argument says, "In order to make dictionary attacks harder, I think it's better to send unsolicited messages to innocent bystanders."
  13. jseymour

    Spamtrap addresses

    This is partly a terminology problem. I define bounce to be a message sent to the From address. Meanwhile, a reject occurs during the SMTP session and is the only proper way to inform the sender that his message wasn't delivered. The justification I always hear is that bounces represent somebody else's spam - and thus you are not allowed to report it. If the reporter is reporting real bounces (to be real, they must be in response to his own sent messages), then he's probably reporting real email - and his reporting privileges will soon be suspended. I guess the point I'm trying to make is: Spamtraps are a great tool for detecting spam runs, but seem to be easy to abuse, so should be treated with kid gloves...
  14. jseymour

    How can I prevent our server from being listed

    I wouldn't dream of using the Spamcop list as an all-out blocklist. I think it works well when used as input to a content filter such as SpamAssassin, but I think it's got an unacceptable number of false positives to be used without a whitelist. I use these blocklists - which I consider safe:

      relays.ordb.org
      list.dsbl.org
      dul.dnsbl.sorbs.net
      cbl.abuseat.org
  15. jseymour

    Spamtrap addresses

    You are right. That is the point of spamtraps and it works like a charm. However, I was addressing its capacity for abuse. Imagine a scenario where a malicious person gathers up a series of spamtraps (which is quite easy). He can then send out a spam run - or perhaps even a run targeted to addresses known to bounce - forging those spamtraps as the "From" address. The end result is a flood of bounces to the spamtraps. If sent through an open proxy, these bounces will not inconvenience the spammer at all - however they'll get lots of "innocent" bystanders added to the SCBL. (I put "innocent" in quotes because some would say they're guilty of bouncing and that's good enough to get them listed). Now the question becomes: If Spamcop users can't report bounces, does Spamcop ignore bounces sent to spamtraps? If so, then the scenario I addressed above becomes a non-issue. If not, then Spamcop has a disturbing double-standard...
  16. jseymour

    Spamtrap addresses

    I, too, have been wondering if this is the case... Spamtraps are fine on the surface - but like everything else in the world, you have to ask "How easily can this be abused?" Unfortunately, I think the answer is "very easily!" I put a spamtrap address on one of my web sites a while back - but I would never consider automating its use. I receive spam directed to it once in a while, but if that volume ever went up, I'd dump it and create a new one - just because of the possibility it had been compromised...
  17. There are a few possibilities. One likely cause is that your mail server's IP address got listed in the Spamcop blocklist. As a result, everything that Spamcop looks at for you is held. Since you've already verified that it's because of the SCBL, you should next check the "X-Spamcop-Checked" header line. The last IP is the one found on the blocklist. If it's yours, then this is the problem.
  18. jseymour

    Mozilla plugin?

    Not quite what you're looking for, but I use Mozilla's IMAP support to drag messages directly to my Spamcop Held Mail folder. From there, I use the VER page to quick-report them. Not quite the instant-gratification of a "report this" button, but it's pretty swift and painless once you get used to it. I believe this requires a paid account, though...
  19. jseymour

    SpamCop Problems

    ...You appear to have misunderstood -- spam traps are "secret" in that they are never used to send real e-mail, they are only posted on web sites (and perhaps other places?) so that worms can harvest them and place them on "lists of e-mail addresses one can spam." I think you missed his point (which I consider valid)... While spamtraps are "secret", they also must be made public so that spammers can harvest them. If a malicious person gets hold of one, he could send messages out with that address in the From: address and trick someone into responding to it. I assume that the trap addresses are rotated periodically so that this is not a problem - however I have no assurance of that. Additionally, a spammer could send out a spam run with spamtraps in the From address. Messages sent to invalid addresses on "broken" mail servers would then cause non-delivery reports to be sent to the spamtraps. ("broken" in this context includes at least Microsoft Exchange 5.5 and 2000 - which cannot reject messages to invalid recipients during the SMTP session. But that is a rant for another time)
  20. jseymour

    Piracy reporting

    A *person* is smart. People are dumb, panicky, dangerous animals and you know it.
  21. This is not the right metric to worry about. The question is: What percent of non-spam messages would get blocked by such a filter? In general, though, I support your idea. I'm starting to warm up to the idea of SPF. Until it proves itself, though, the filter would have to be implemented as just a SpamAssassin rule with a relatively low value.
  22. jseymour

    1 Billion SPAMs reported?

    Actually, the system has sent a billion reports (assuming they started counting with report #1). Based on my experience, that probably represents "only" around 200 million spams.
  23. jseymour

    Reporting preferences; Technical Details

    I get technical output about half the time. I assume it's either a bug or one (or more?) of the servers running some debug code. I've been assuming it will go away someday - but it's never been enough of an issue for me to complain about it. Looks like I picked the wrong week to stop sniffing glue.
  24. One of the "problems" with this forum (and Spamcop in general) is that the people who make the effort to hang out here and answer questions are rabid anti-spammers. As a result, they (in general) do not tolerate people speaking ill of their precious Spamcop. You were right to fear asking your question - but you asked it in the right "tone of voice", so I doubt you'll get harassed... Now. Having said all that... I don't have personal experience with Bigpond, but the SPEWS listing is damning! Your only recourse may be to switch to a different ISP. Sorry...
  25. OK. How about they are required (requested?) by the current RFC's and should not be reported for following the rules currently in place. Yup. Much better. And if somebody's going to actually change the wording on that page, could you fix the "your's" to "yours".