Clydesdale

  1. Ahh... Now I get it. Thanks! Interesting that they make it spamcop. I guess they don't like spamcop much - a good thing.
  2. petzl, Thank you for the response. I'm not as up as I should be on these things. I understand your botnet attack explanation and the link showing it. I still don't understand why, or how, the word "spamcop" is in the spammer's spam email header. This seems to be recent and only in this set of spam emails that are arriving.
  3. Just received another, similar, spam with spamcop in the header. The header is below. Bold text mine.
     From YadaYadaYada[at]copitima.com Sat Dec 21 17:09:18 2013
     X-Apparently-To: blahblahblah[at]yahoo.com via 98.138.85.24; Sat, 21 Dec 2013 17:09:18 -0800
     Return-Path: <YadaYadaYada[at]copitima.com>
     X-YahooFilteredBulk: 218.210.2.92
     Received-SPF: softfail (transitioning domain of copitima.com does not designate 218.210.2.92 as permitted sender)
     X-YMailISG: MRlFIiwWLDsK9gESvtAgxgPb9S_pBXmeWrNykLenQGbalAKK Mf3bhnZYPEm6ibtY6gm.ZyNOhGmohENj_xAS6QnbTMZG9DP4mqrWWgeLYh0P UKRlqp2zNPwjF0ZAw1S8DjXHSqqkJzcpr15QBP8rSWOcFwPKK3z0zpGcjKu0 rEbFJDduHQFGI8fKsTUJBmnale0tlfieBEbi1v8LWM5RjOvy1GKV.j9tyqnA gjzPCqnVM2aS979ar8WTd_kFQxQxcqVdmG84wH54q4xmOJBMRxaEXihD_feA WqKjOMYlS4Kp0UQ_lcfMZQuILYclIn6WMc87Hqt7HrUUOxFQExqj7hPXVaC8 VdGMymkE2JgT1t1Oyl8HYTW.ouKqPEcG8MelfStWOfaP6cK6AAyMQP9lkt.9 wUYLDUhBOzZ1KY1.7fOHQvIFixL9y3lRAycwR3srJXOXzqKbJg5av9xoD2Gb 3PCChhW2J2AXe8be8ZKQaUcMcGEB9OCYnQUdfjvpGrWsiLF8wluWmFlR27ql N4sZZ6AqOMDtdttpH2lJLJT1RRJpE7D2nMMAeGPfs_aB4VPIygs_JdyVNdCC vRke6HTQ7yWenPvZVTlI2NfpZsGdYD9y2TWLstY21ghp95hmdtjWhNBwMhcw fSveKcenw1hcmqCq8e8UEW3oa3HZJAI2o8r4KCFm81ZO314jYWavEqKT.kcf Jy.do_Kv8Pe8H3auo5d34.nNjD3qXaiyWZJ1UlxeOXHSWsCHqeztwE28bnou AQnbaiZvjTxBG512LLkUE.8cWzTeLOT6.9yGpwvfSFNLi_P7LlifVC5Wpkhl g.gDZi2nUhId9KtbWSpbCoHQyOEV5fULPWcIPpV3c05ckhnvyiaaCWzGIoNF lbGhyTGm9uxR3C53bEBDi32lBcPZTNgieZTleY._aq05SmE_mjA8NdkD0u_C T2WCEKhSx8a42Wc61TENRC4ksnziRtPK1bXKhBoZ8_z3idLZ59h95cEVNSr2 .2KoU8cwPWklT5.40aNXIpaQ1HGMHnMTWbVcN4BTq2Iqga6TLpNGjxK_TRBl hI35C9ptSClUA03NEK8wR1FYIDPfzwi3npa0QyU5Q282MNY7m5eMr8XmPS4z S6JOkfgoX3wOr34yv38nmHmNEvcHYtXJ3l5BSYs4N8n8esE6pmw80qqt7YUw lAlxDiFjTpS6xE259ljZrVl7sNplDdvgtXcfVHpd2b3ekWMVNJ.woF1EKpH8 oJ5JLwg72E0MEaZ5BAG6RUMd6fW6tSkiojsh3nI-
     X-Originating-IP: [218.210.2.92]
     Authentication-Results: mta1349.mail.gq1.yahoo.com from=copitima.com; domainkeys=neutral (no sig); from=copitima.com; dkim=neutral (no sig)
     Received: from 127.0.0.1 (EHLO spamcop.net) (218.210.2.92) by mta1349.mail.gq1.yahoo.com with SMTP; Sat, 21 Dec 2013 17:09:15 -0800
     Received: by mail.hosting.com (Postfix, from uid 1) id 50A4A1989AE; Sun, Dec 22 2013 01:04:56 +0000 (UTC)
     To: blahblahblah[at]yahoo.com
     From: YadaYadaYada[at]copitima.com
     Subject: Very cheat phentermine for you
     MIME-Version: 1.0
     Message-Id: <1387674296.50A4A1989AE[at]mail.hosting.com>
     Content-Type: multipart/alternative; boundary="4B1F63CFBB4-176502668"
     Date: Sun, Dec 22 2013 01:04:56 +0000 (UTC)
     Content-Length: 654
  4. Hello, when cutting and pasting headers from the most recent versions of daily spam emails I've noticed that spamcop is mentioned in the headers of all of these emails. Why would the line "Received: from 127.0.0.1 (EHLO spamcop.net) (81.3.142.201) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000" be in the header? Why is the spamcop name in the header? The full header of my latest spam email with my email address munged is below. The bold font is mine.
     From yadayadayada[at]nortom.com Sat Dec 21 15:33:04 2013
     X-Apparently-To: blahblahblah[at]yahoo.com via 98.138.85.21; Sat, 21 Dec 2013 23:33:04 +0000
     Return-Path: <yadayadayada[at]nortom.com>
     X-YahooFilteredBulk: 81.3.142.201
     Received-SPF: permerror (encountered permanent error during SPF processing of domain of nortom.com)
     X-YMailISG: wd9iGmYWLDtSt_u0glv6ASZDbf04DgWGG7F_Gs.p8Vnnk0ar EOAP5e5GG8zq5G298QyI0ahKKipYR1T3ERzvGdQb8nKUIQJpszqR5zmA.Udp 2rkwZNk01xqO9H7PBb4aC3g3CvkF3uwAkzvmvSz4dRFIu4vfemgISIGiMCs_ x7INKH.6Jz1iNPECxTIwh6BHOi72Qn3v0u3oznd980EC2cgTvQl5AJnCYz57 keX5d3pNV1lG9ceKo8z3ZNdw4Qv6yu5bszKwfpA_FyX6x5IHXx9Hx2COgos2 LCD2WECMGItqu2GRhj.cWfhoys_n6seIdfC2oXUljch5tfBCFlDLcAkhM6UB 2wNU6za9RZ4ODOCYOMsHeEThvt6kb_Wq.3u53ItO9HQ7d.FdVn3dtlSo4rkR I1NBCaeVkz0SJUeG5ej.Ltuus390HTa.V0ztXnmnt21iVVcenpSf1HyzUvGk E.q2xlGrv0n0JPSHL3.DHAwcPJ_ZfdWaADsa93o3pGs4iLnUul_tRZXGf_sv dE7_OlBj4MVTYnK6_jOQJJgo4E6WxC33gCrhghbaW9v_7PAhL3TsBkwW_H94 ZOfgo1wQ5rzb2lozO6vI4.asldVGU3fRImIMq.JKkkrsjkAKbEoSAvb2txzw UPM1TnqrAmC8GjD3z_ogpSDoZZG41pO4lCHt8OQxrc8B2._j.5P7krCT_5iW mmPAZG0h.HV.KBXd6nFrpKYYTzYlO_vZOPMNwHWYt2OyHGE5FIBBkYLSBg92 8YRV3vz0IWY4mQio4hJLJF1eha31o9tdnh9RNvZU71GvAzYpAraa51jsKlIQ PAuaOg3bhCnSz4vLy7y8Ze.NkJQ3SrJ9KAjXxJuym9peWQapV_mECHyCxS_i BFHRPXzEM_T8gsUdfZRGZUlE_GpHYGJ5sjRDY6hGm6Kk16ekZZYdQKWMEvpB IC1dKYtWig2rf_kOjaYu.zJKEhEtAY.VZ9AQTtjSiPLjYqrS5Ks5CCDRZLwW 4_HLuPMVj1gVyQFS5X0xu_s2ZF3rweTPbqN4bTLC153O5JfU5VzcOjXC3zKg 5MwkpyKvr332NqUsh8mQVDa20lcMiCRjJM4Pnl0STdYgB06nfBi_jmkicLkm 6EJmFIRxDSN4HbSlQxVbL6yCISPjyh_EHixeKgtV35adRuB_a6h8_PThLgWa .snRsKL7Tmsywd2sY9xd2IvGwJXPdMQAkhAe7AIcEbm542JiqrXbs4r5nuyQ uEuNTKWgmrL_cmcGxhqwDD9NbkACOE.zJ7doDb7HxdIriXpRMYz0oPqlcQ_o 5HT.cdv9yKtMrLW08QyGla3tlKIJzgRS8mOpL0fRZXAfi52B7C3dYDa0Xg--
     X-Originating-IP: [81.3.142.201]
     Authentication-Results: mta1445.mail.ne1.yahoo.com from=nortom.com; domainkeys=neutral (no sig); from=nortom.com; dkim=neutral (no sig)
     Received: from 127.0.0.1 (EHLO spamcop.net) (81.3.142.201) by mta1445.mail.ne1.yahoo.com with SMTP; Sat, 21 Dec 2013 23:33:04 +0000
     Received: by mail.hosting.com (Postfix, from uid 1) id 653DB664470; Sat, Dec 21 2013 23:32:41 +0000 (UTC)
     To: blahblahblah[at]yahoo.com
     From: yadayadayada[at]nortom.com
     Subject: SilkRoad products by credit card
     MIME-Version: 1.0
     Message-Id: <1387668761.653DB664470[at]mail.hosting.com>
     Content-Type: multipart/alternative; boundary="197365567D6-302315864"
     Date: Sat, Dec 21 2013 23:32:41 +0000 (UTC)
     Content-Length: 601
     The email content contains three links with what seems like version decoding in the URL text, but not in the link. Below is the text only. The link doesn't have the www241 value in it. The wwwXXX number is different in each spam email.
     Main: www241.approved-pharmacy-cop.net
     Mirror: www241.atlantic-drugs.com
     Affiliates your spam traffic accepted: www241.rxtitans.com
     Would this be a joe-job? They arrive about five times per day and are pretty nonsensical - as if they are begging to have them reported to spamcop. Thanks in advance.
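The two posts above ask why "spamcop.net" shows up in the Received line. As an added example (not code from this forum or from SpamCop), the Python below parses the Yahoo-style hop quoted in those posts and separates the fields the receiving MTA observed (peer IP, receiving host) from the fields the connecting client merely asserted (the EHLO argument and the "from 127.0.0.1" claim). The header excerpt, the hop regex and the function names are constructed for this example.

```python
import re
from ipaddress import ip_address

# Constructed header excerpt, modelled on the Yahoo headers quoted in the posts above.
SAMPLE_HEADERS = """\
Return-Path: <YadaYadaYada@copitima.com>
X-Originating-IP: [218.210.2.92]
Received: from 127.0.0.1 (EHLO spamcop.net) (218.210.2.92) by mta1349.mail.gq1.yahoo.com with SMTP; Sat, 21 Dec 2013 17:09:15 -0800
Received: by mail.hosting.com (Postfix, from uid 1) id 50A4A1989AE; Sun, Dec 22 2013 01:04:56 +0000 (UTC)
"""

# Yahoo's hop layout: "from <claimed> (EHLO <helo-arg>) (<peer-ip>) by <mta>".
# <peer-ip> and <mta> are written by the receiving server; <claimed> and <helo-arg>
# are whatever the client said about itself (the SMTP HELO/EHLO argument is untrusted).
HOP = re.compile(
    r"^Received: from (?P<claimed>\S+) \(EHLO (?P<ehlo>[^)]+)\) "
    r"\((?P<peer_ip>\d{1,3}(?:\.\d{1,3}){3})\) by (?P<by>\S+)",
    re.MULTILINE,
)

def first_trusted_hop(headers):
    """The topmost 'Received: from ... by <your provider>' line: the last hop you can rely on."""
    m = HOP.search(headers)
    return m.groupdict() if m else None

def assess_hop(hop):
    """Split the hop into what was observed versus what was merely asserted by the sender."""
    peer = ip_address(hop["peer_ip"])
    verdict = {
        "report_this_ip": str(peer) if peer.is_global else None,  # the address to report/block
        "ehlo_name": hop["ehlo"],   # self-asserted; proves nothing about that domain
        "ehlo_is_verified": False,
        "claimed_source_forged": False,
    }
    try:
        # A remote peer announcing itself as loopback cannot be telling the truth.
        verdict["claimed_source_forged"] = ip_address(hop["claimed"]).is_loopback and not peer.is_loopback
    except ValueError:
        pass  # 'claimed' was a hostname; it cannot be checked offline, so it stays unflagged
    return verdict

def untrusted_hops_below(headers):
    """Received lines after the trusted hop were added on the sender's side and may be fabricated."""
    received = [line for line in headers.splitlines() if line.startswith("Received:")]
    return max(len(received) - 1, 0)

if __name__ == "__main__":
    hop = first_trusted_hop(SAMPLE_HEADERS)
    print(assess_hop(hop), "unverifiable lower hops:", untrusted_hops_below(SAMPLE_HEADERS))
```

The EHLO string is copied verbatim into the header by the receiving server, so a bot can put any name there; only the peer IP in parentheses identifies the machine that actually connected.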
  5. Great discussion, all. Thanks for all of the info. And thanks for the patience with putting up with me being relatively clueless when it comes to this stuff. I was getting frustrated, having heard that some spammers rotate their IP numbers, then thinking that I was seeing that confirmed when I did SenderBase lookups on spam that I report. Now for me to side-track (hopefully not already thoroughly discussed). What is it that I need to be sure that I am not one of the people with a 'bot' on his computer sending spam? If discussed already a link will be great. I use ZoneAlarm firewall and AntiVir virus protection as well as Microsoft's Defender. I have a tenant in my garage apartment who leaves his computer on 24/7, is connected to my FIOS via secure wireless, and I have no idea what virus protection, etc., he has. Any preferred programs for detecting the problems? Any free?
  6. I obviously made a mistake by only posting SenderBase results from one IP address that I reported. I should have posted ten or twenty so that some were not dynamic and the discussion wouldn't be focused on that. So you think that all spam (little letters to once again try to not side track the discussion) houses are simply clueless? About a year ago, when the Blue Frog stuff was going on, a link to a spammer bulletin board was posted in a Blue Frog discussion (not on this site, I believe on some kind of security site). The posts were kind of fascinating, people trying to sell their e-mail lists, etc. Then there were the ones who stated that they rotated through IP addresses to avoid being blocked by sites like SpamCop. So the spammers claim that this is what they do but we actually know that the sites are all just clueless and the spammers are lying?
  7. Thanks for the quick response. And, yes, I am a novice at spam, not knowing all of the terms, etc. This is why I still didn't have an answer after looking through the FAQs, and really didn't know where to look. I'll read them again. Hopefully I'll be able to get out of them how one particular URL (many, actually, it seems) can have so many spam servers yet rarely, if ever, be listed in the BlockList. I'll see what I can find. Thanks again, Steve
  8. Hello, I apologize if this has been discussed already. I did a **quick** search and couldn't find anything. I send pretty much every spam that I get to SpamCop and have been looking at the SpamCop Blocking List, then SenderBase report, for most of the spam that I report. I may be completely wrong here but it seems to me that there are quite a few spam houses that have figured out how to completely bypass SpamCop. They simply rotate through a block of spam server IP addresses, changing to the new address when the old one is being blocked. This may not be proof but here's an example. I reported/looked up IP 58.49.133.30 (reporting addresses = anti-spam[at]ns.chinanet.cn.net, postmaster[at]wh.hb.cn, spam_hb[at]public.wh.hb.cn, and abuse_hb[at]public.wh.hb.cn). Then I check the BlockList. The BlockList result is: "58.49.133.30 not listed in bl.spamcop.net" So I do a SenderBase lookup and get the below:
     address | hostname | DNS Verified | Daily Magnitude | Monthly Magnitude
     125.113.143.216 | 216.143.113.125.broad.jh.zj.dynamic.163data.com.cn | Y | 0.0 | 4.1
     218.85.57.97 | 97.57.85.218.broad.fz.fj.dynamic.163data.com.cn | | 0.0 | 3.9
     61.177.186.61 | 61.186.177.61.broad.yz.js.dynamic.163data.com.cn | | 0.0 | 3.8
     218.85.28.202 | 202.28.85.218.broad.fz.fj.dynamic.163data.com.cn | Y | 0.0 | 3.8
     61.177.183.146 | 146.183.177.61.broad.yz.js.dynamic.163data.com.cn | | 4.5 | 3.7
     59.61.128.119 | 119.128.61.59.broad.fz.fj.dynamic.163data.com.cn | | 0.0 | 3.7
     222.64.94.36 | 36.94.64.222.broad.xw.sh.dynamic.163data.com.cn | | 0.0 | 3.7
     59.56.195.122 | 122.195.56.59.broad.qz.fj.dynamic.163data.com.cn | Y | 0.0 | 3.6
     59.61.215.242 | 242.215.61.59.broad.qz.fj.dynamic.163data.com.cn | Y | 0.0 | 3.6
     221.225.151.2 | 2.151.225.221.broad.sz.js.dynamic.163data.com.cn | | 0.0 | 3.6
     221.225.148.105 | 105.148.225.221.broad.sz.js.dynamic.163data.com.cn | | 0.0 | 3.6
     222.64.32.159 | 159.32.64.222.broad.xw.sh.dynamic.163data.com.cn | | 3.1 | 3.6
     221.224.200.201 | 201.200.224.221.broad.sz.js.dynamic.163data.com.cn | | 0.0 | 3.6
     221.234.208.39 | 39.208.234.221.broad.wh.hb.dynamic.163data.com.cn | | 0.0 | 3.6
     218.80.172.20 | 20.172.80.218.broad.xw.sh.dynamic.163data.com.cn | | 0.0 | 3.5
     222.184.102.18 | 18.102.184.222.broad.ha.js.dynamic.163data.com.cn | | 4.2 | 3.5
     222.187.181.128 | 128.181.187.222.broad.xz.js.dynamic.163data.com.cn | | 0.0 | 3.5
     125.78.74.234 | 234.74.78.125.broad.qz.fj.dynamic.163data.com.cn | Y | 4.4 | 3.5
     218.85.56.11 | 11.56.85.218.broad.fz.fj.dynamic.163data.com.cn | | 0.0 | 3.5
     59.61.215.186 | 186.215.61.59.broad.qz.fj.dynamic.163data.com.cn | Y | 3.3 | 3.5
     . . . (It goes on and on)
     Since the average Monthly Magnitude of all of these servers is between 3.5 and 3.6 yet many have a Daily Magnitude of 0.0 or 4.X, it looks like they are simply bypassing SpamCop's algorithm. Is this the case? I want to keep reporting spam but am starting to feel like the professional spam houses have defeated SpamCop's methods. Please tell me that this isn't true, or that SpamCop will lengthen the time for automatic removal so that spam houses can't so easily bypass SpamCop's removal algorithm. Sincerely, Steve