Everything posted by washmail

  1. Thanks Wazoo, that makes complete sense - my MailHosts could do with a tweak. Sorry, I didn't have time to search for the other, no doubt parallel example. Nor did I think of looking at the tech details for clues - definitely rusty due to lack of spam these days ;-) [Added for anyone interested; This was a MailHosts problem caused by my service provider switching me to an alternative Unix server option which thereby changed some related addresses. The spam concerned was then successfully reported - see http://www.spamcop.net/sc?id=z2587756130za...f471973bdaa411z ] pseudo-sub-topic ended.
  2. I'm having a similar (?) problem with the last 2 submissions I've made (I believe they're from 2 different sources). Both were made manually. I'm certain I've done nothing wrong... http://www.spamcop.net/sc?id=z2587181818zb...6553d0e4857342z Error given: 'No source IP address found, cannot proceed.' Does anyone have a possible explanation? [Edited to correct the URL given - washmail]
  3. I received what I believed to be one of those typical panic-creating 'warnings' that go around, claiming to warn recipients that emails titled "xxx" contain a virus that will destroy your hard drive's contents, and that such has been supposedly confirmed by respected anti-virus companies, Microsoft etc. as very dangerous, and that no current protection is available. As is usual I deleted this 'warning' email without a second thought. However today, a few days later, I received a number of such warned-about(?) emails titled "HallMark Greeting Card". What was most strange about them is that I was unable to view any of the headers on my email control monitor 'MailWasher' - something not previously experienced. I've no idea how this has been achieved... I sent the first one through to SpamCop to examine the headers, and later reported all of them. Sure enough one of them contained an invalid reverse DNS, but the virus scan was clear despite there being a fairly large attachment to each called "postcard.zip". At this stage this is not on my Service Provider's blocklist(s) (which they are using is unknown). My SP appears to use excellent blocklist(s) as I encounter almost no false positives or false negatives. So far the SPs from whom the emails originate are all South African, so this may not (yet) be of international concern. Not surprisingly the SP involved with hallmark[dot]com is refusing any related SC reports. Is it possible that this is a real new threat, and that there is any truth in the warning received? I doubt it, but thought it would be interesting to share this experience and to learn from any feedback. To view: http://www.spamcop.net/sc?id=z2087717778zf...9560e6fa571eb3z
  4. I decided I was probably well enough protected to download a specimen, so did so on one of my less vital pcs. Contrary to previous results, my AV reported the following; Viruses found in the attached files. The file postcard.zip: Trojan horse SpamTool.BZL. The attachment was moved to the virus vault. It's probably the same / similar content as the first example, but of course couldn't be properly examined by the SC AV due to the truncation. This specimen can be examined (without attachment) at: http://www.spamcop.net/sc?id=z2106980622z4...79e8108d8f1de6z
  5. Ok, that seems to be the answer. Although MailWasher doesn't appear to have a Kb limitation, it only allows the first 800 lines to be viewed, and that must also apply to its SC reporting feature (they were mostly short lines). So I will need to find another way to view a new example safely without MailWasher (the Recycle Bin feature also truncates), and hope that it's not larger than 50Kb. But DavidT is probably right - it's unlikely to be anything worth the time...
  6. No, not in this case. Fortunately MailWasher has a 'Recycle Bin' feature; here's the text from the recovered email: Subject: Fwd: Big Virus on its way Just beware! Freda Send to everyone you know. This has been validated on snopes, = check it out for yourself. It will DESTROY your computer. Tell the kids = and grandkids too!!! Please read the message below. It may save your computer! Subject: FW: SNOPES HAS CONFIRM - BIG VIRUS COMING !!! PLEASE READ = & FORWARD !!! =20 =20 (http://www .snopes.com/computer/virus/postcard.asp) Hi All, I checked with Norton Anti-Virus, and they are gearing up for = this virus! I checked Snopes (URL above:), and it is for real!! Get this E-mail message sent around to your contacts ASAP. PLEASE FORWARD THIS WARNING AMONG FRIENDS, FAMILY AND CONTACTS! You should be alert during the next few days. Do not open any = message with an attachment entitled=20 'POSTCARD FROM HALLMARK,' regardless of who sent it to you. It is = a virus which opens=20 A POSTCARD IMAGE, which 'burns' the whole hard disc C of your = computer. This virus will be=20 received from someone who has your e-mail address in his/her = contact list. This is the reason why you need to send this e-mail to all your contacts. It is better to = receive this message 25 times than to receive=20 the virus and open it. If you receive a mail called' POSTCARD,' even though sent to = you by a friend, do not open it!=20 Shut down your computer immediately. This is the worst virus = announced by CNN. =20 It has been classified by Microsoft as the most destructive virus = ever. This virus was discovered by McAfee yesterday, and there is no repair yet for this kind of = virus. This virus simply destroys the Zero Sector of the Hard Disc, where the vital = information is kept. COPY THIS E-MAIL, AND SEND IT TO YOUR FRIENDS. REMEMBER: IF YOU = SEND IT TO THEM, YOU WILL BENEFIT ALL OF US Snopes lists all the names it could come in. =20
  7. That's what I did originally, but the parser always truncates larger emails - unless there's a way to prevent that, the zip cannot be of use to anyone here. I thought I could try fudging the header myself, but leave the body intact. I presume doing so is considered too long & messy for the forums. So unless there's another way I will post it on a page at one of my domains and supply a (broken) link. That's if I find a way to get it properly.... In the meantime, we've had some feedback from colleagues who are now also concerned by the same situation. As both the 'warning' and the spam are definitely making their rounds locally, I think the spammer may have seen the same 'warning' and decided to play with the idea. We're suggesting that the warning at least is almost certainly false.
  8. I thought of offering a copy of such an email at a temporary box, but some 'fun-loving' idiot visiting these shores would probably delete it or do who knows what. If it's not objected to, I plan to later add the full header concerned to this thread (that's if I receive another example, can find a way to view the header, and if it's not too long for my technical options). Or does someone have another idea for capturing it and passing it on complete? (I won't download it.) In the meantime I've asked the author of MailWasher to investigate the associated view-header problem. Unfortunately in my experience most of these "Chicken Little" type participants never seem to learn anything from feedback, and as they're usually clients, I'd rather not rock the income boat.
  9. As best as I can understand it, spamjadoo[dot]com appears to claim that they can accurately identify resent spam based on the reply's delay duration, but what you explain above makes it (IMO) likely that such ability would be short lived at best. Fortunately senders of any such false positives would at least receive a server response. I am unfortunately unable to participate further. Best wishes for all your anti-spam endeavours.
  10. This thread branches off in new directions from the previous thread "Tackling the world's worst..." (viewing from post #25 would suffice) at http://forum.spamcop.net/forums/index.php?...9152&st=20# spamjadoo[dot]com hasn't responded to my long list of questions, so I've looked beyond for other automated, harmless bouncing options. It appears to me that the main tool of advantage in these type of spam eradicating options on offer is what is referred to as greylisting at server level, a system used to technically identify spam resulting in high eradication success rates. I found a number of articles which discuss this method. I recommend starting with the short article at greylisting[dot]org which also debates its long term effectiveness. There seems to be quite a bit of software available for server level implementation, but not much could be found regarding individual MX outsourcing to services offering this method. I'm awaiting a response from the only other one I've found so far that seems to fit the need - seiretto[dot]com in the UK. But the question is does greylisting deliver what it promises?
  11. washmail

    Preventing Spam or..

    You may also want to try placing a link to http://www.spampoison.com/ on your website. (No need to break this link - bots are welcome to digest it. ) To quote from their website (which generates new, random links offered for use to each visitor); "These links will redirect email harvesting bots to trap sites that will feed it with an almost infinite loop of dynamically generated fake email addresses, mostly on known spammer owned domains! This will render their harvested lists practically useless and of no commercial value." I've got one of those websites that offer literally hundreds of legitimate email links, and despite the negative opinions that abound about this method's long term effectiveness, it continues to work in my experience. It also stopped the abused web forms I and many others on our server were receiving. Sometimes we still get spam via web form, but only once per instance... I went as far as generating my own random list of 10000 nonsense email addresses too. My partner then added some known spammers' addresses, as well as naming the links to such webpage "...poison.htm". All this appears to have helped further, either poisoning the lists or causing the bots to abort and 'flee'. But talking of shooting ourselves in the collective foot, we also inadvertently help educate up and coming spammers by offering such solutions publicly. Such is the cycle. [Edited for accuracy and extra info]
  12. washmail

    SpamCop Does More Harm Than Good

    There's also the different types of spammers. When I first started reporting I had a fair number of 'over-zealous businesses' type spammers who were just trying to cash in on the opportunities of mass emailing, often not realizing the consequences. These quickly disappeared, with a few needing an extra push such as phoning or writing to them directly with threats of SC reporting & the consequences. (The only exception for us was the online software dealer ashampoo.com, and I give their domain without concern as they deserve the mention. The end solution was simply to blacklist their domain.) So in this respect, spam WAS conquered via SpamCop. I decided to take the 'brave' route of not munging my reports in order to get past those ISPs refusing to accept such, but it definitely did increase my spam iro the career spammers. It got worse when I gave detailed reports, and eventually even personal. I take my hat off to those that keep reporting year after year. They've made a serious difference for everyone. Perhaps some BL contributions have now become more automated though. I'm thinking of gmail in particular with their 'report spam' feature; just a simple click. Although considering how many unknowing individuals may report their friends if annoyed with them today etc., who knows how much it may be a contaminated process as well. I don't know if gmail (or any other independent public systems) share/combine their BLs. (IMO) What is really needed is a re-design of the whole system. Unfortunately that requires a degree of cooperation seldom seen in the world. And the dynamics of spam activity will continue to challenge regardless.
  13. Please bear with me - there is much info to share here. For those unaware, the world’s worst spammer (occasionally dropping to second worst) for many years according to spamhaus.org has been one Leo Kuvayev (of both Russian and American origin) otherwise known as ‘Bad Cow’. Along with his associates he’s responsible for much of our collective ‘unsolvable’ spam which a number of people have referred to here and elsewhere, including the wares of what’s known as ‘the .pdf spammer’ and ‘the stock exchange spammer’. After much research, ‘signature’ identification (e.g.: ‘Canadian Pharmacy’ – not the real company of course) etc., my colleague and I determined that he was responsible for ALL the cyclic spam we were still receiving (after essentially eliminating all other concerns, mostly through the SpamCop service). His wide ‘trade’ also includes 419 scams, offering sexual aids, phishing, ‘love’ message links delivering zombie bot generating viruses, and replicas, employment, software and fashion offers. My colleague supplies domain and email services, so this has been a fairly extensive problem for us and the clients concerned. We tried everything we could think of to deal with this, some of which led to volatile, denial of service type reactions. (And we believe he’s capable of far worse!) Until recently our best success was when we supplied detailed, undeniable info on every SpamCop report (and where possible IN THE ISP’S GEOGRAPHIC LANGUAGE!) in the hope of forcing those ISPs that willingly or otherwise cooperate with him to face the grim realities. This was exhausting, and later resulted in him only sending us spam from sources involving his ‘most preferred’ ISPs. Then I noticed that my email service’s spam filters were getting much better at the job (the best threshold and aggression settings need to be determined first), no doubt due to cooperative ISP partnerships. 
But still one has to monitor one’s spambucket constantly… Then I got the idea to try the following project (the best ideas are always the simple ones):
* I’ve had my ‘Domains Service Provider’ create a pop access type spambucket (essentially it’s just another mailbox), so offering a wider range of control options.
* This will shortly have its auto-reply feature working, allowing one to feedback to all ‘false positive’ sources (normal mail misidentified as spam) which are potential new clients, and among other options the opportunity to communicate politely with innocents whose email addresses have been hijacked and who must now unfortunately also receive such auto-replies.
* A period-adjustable auto-delete option will then also be added to such spambucket.
* An elaborate setup and regular updating of one’s Whitelist is essential to keep the false positives to a minimum.
And even in this experimental stage it can be seen quite clearly that THIS WORKS!!! No doubt there will be good days and bad ones, but a few weeks of work have resulted in a mere one or two false negatives (spam getting through) a day maximum, with only a couple of false positives who will in time be so advised automatically! This is on an account which until recently suffered up to 100 spams a day. And shortly I won’t have to look at any of it!! Of course this solution won’t work for every individual need, but is highly flexible and has much potential. As we know, most knowledgeable reporters discourage the use of auto-responders altogether, but perhaps it’s got new potential values here. One thing I’ve noticed – this won’t work well for those who are overly aggressive in the marketplace – good! One last discovery; There’s nothing new under the sun – I’ve just discovered a commercial version of ‘my’ idea at http:// www.mailporter.com/about.asp I can assure everyone that I am in no way connected with them. 
I don’t even know if they’re reliable or not… Hoping this can help many of you (Due to commitments I will not be monitoring this post for some time, so no replies can be offered. Also, please don’t write to my forum mailbox – it’s not monitored.) <Moderator Edit> Since you are not affiliated with them, you will not mind me breaking the link so that the searchbots do not get a hold of it. Also, I am going to merge your 2 topics into one to keep all discussion about the merits (or not) of your "plan" in one location.
  14. In all fairness I must just add that I did hear from them shortly after, and the test-server response of concern was due to them having not set me up yet. I got a very pleasant & professional response, & have sent back a long list of questions & concerns. We will see... But it's up to anyone interested to find out for themselves. I will only post again if there's serious concern (and do so in the correct forum for software issues).
  15. My Spamjadoo summary; Pros: * I consulted some professionals who thought the product's combined offers were impressive and unique, potentially a best solution. * I googled it briefly and found only positive comment, including some professional opinion (from a user) which offered deeper insight, especially on their "greylisting" concept. * My sign up for free trial was responded to immediately. Cons: * The initial instructions seem to be in the wrong order (first importance placed last?); quite a concern for someone who's never adjusted his MX settings before... (still hasn't) * A suggestion to try their SMTP server first as a precaution made sense, but no SMTP address was given, and nothing obvious worked. The closest to connectivity I got was "550 Sender is Spammer" * An initial webform enquiry hasn't been answered 2 days later. * There's a lack of clear definition and needed basic info on the site. So not for me at this stage. But it's a glimmer of light... I'm done, topic, thread and all.
  16. Can't go into details, but there's been personal communication from the spammer for some time. I think he thinks I'm his toy or pet. Filtering is not the concern, but rather finding a maintenance free option without losing too much (or anything - obviously preferred) on the false positive side.
  17. I've actually been using MailWasher for about 5 years (my spam problem is only a year old), and mostly report to SC that way - still the best tool I've had to date. But yes, it's a server level solution we're looking for. As resellers we're in the middle, so spamassassin is not directly useful to us in this instance - we have little true server access or knowledge. (However spamjadoo offers a direct intervention option, and solves(?) the bounce need, but of course it's too early to discuss this freshly discovered option(?) in any detail.) Incidentally my ISP and SP both use spamassassin, but this hasn't led to any of the 'permanent' type of solutions I've been trying to determine/obtain here, and the way my ISP has previously misused or very poorly configured spamassassin has left a bad taste in that respect. N.B.: I've recently been threatened, so am ending any further input on this thread at this stage. (EDITED for accuracy.)
  18. I'm currently looking at a service from spamjadoo[dot]com Their product appears to meet all related requirements and far, far more! Looks great... I'm waiting for costing info which doesn't appear on their site, but they do offer a free 30 day trial period. Does anyone want to offer an evaluation, advice etc.?
  19. Great. So it would seem that in order to make bouncing a potentially fair and legitimate practice, the receiving (I)SP concerned needs to be able to supply a more (modern) appropriate method of handling secondary-stage type bounce options.
  20. Excuse my ignorance, but surely it wouldn't be too difficult for servers to temporarily store the true sending server's identity (and email's reference?) while working post the DATA stage, and to use such info to then accurately bounce when necessary at such later stages? That design still works, or at least it does on my mailservers. I found it very useful for ensuring that replies from emails I sent to my clients would bypass my ISP's filters. (I eventually found it better to stop using my ISP's email services altogether. ) [Edited for neatness]
  21. Thanks, and the Wiki on NDR helped clarify your explanation. What I can't understand is why there would be different SMTP rules for the two different modes of the triggering and working of NDR; surely if the IP address path in the header could be used for the sending of a user configured bounce as well, this would result in a tremendous drop in disturbance for all concerned? No doubt there are good reasons for this differentiation. Can anyone offer further insight?
  22. I was considering the closing of a mailbox. It occurred to me that by so doing I would effectively be creating the same traffic, albeit in a different form.
  23. Fair enough, the arguments are solid - I see now it's not a solution. From what I could determine a few posts down in the related topic referred to by Steve, one could get away with this method without being (successfully) reported, but what would that achieve; to use this method would indeed be selfish and merely be adding to the whole spam problem... At least having converted my spambucket into a pop mailbox, I'm now better able to 'manage' the spam. For those who don't know; this would allow one to use pop mailbox monitoring software which only views the text content of emails, thus making for fast, safe pre-editing of one's mailbox. I hope all will accept me offering a link for a very respected choice of such software; firetrust[dot]com (product is called MailWasher) N.B.: There are plans afoot to make MailWasher capable of accessing many spambuckets directly via IMAP access in future. (I'm not involved with their business - only hoping to help those who could use the app.) I would think there are a number of other worthy software options too. So ends my 'contribution' to this topic. At least I've learnt to do better research in future...
  24. This effectively makes all of the very large quantity of innocent parties worldwide who use verification-reply systems effectively spammers. As such, the word 'spammer' is certainly poorly defined. I will shortly be consulting with both my service provider and the SC deputies in this regard, and (if allowed) will post my findings etc. when concluded. Flexibility is a necessary advancement tool. An immediate possible option here that comes to mind is to include a suggestion to potential innocents in the auto-reply to blacklist the sending address if necessary. (As a smaller business, chances are that none of those receiving my auto-reply due to their address having been hijacked would ever have considered using my services anyway.) Also, in the case of the spammer 'Bad Cow' who (only) is affecting us so badly, he never uses the same address again as far as we can see, nor does he seem to ever use legitimate addresses (although the actual domains used in the addresses sometimes look like they may be real). I welcome such debate - it's essential to try to find middle-ground wherever possible.
  25. Yep, you caught me out - we're huge fans of Mailwasher, don't know what we would do without it - hence my SC name. Never really looked at their filters. Haven't been much into that - we've usually just identified manually, and now found our SP filters to be very efficient. But bounce bombs are a different matter... Off subject a bit, I've been communicating with Mailwasher's creator with a number of suggestions. One he plans to implement (hopefully shortly) is IMAP access for other-than-inbox folders, I.E. access to one's spambucket!! I caught our ISP out doing all these things, and collected undeniable evidence! They're responsible directly or otherwise for the vast majority of our country's email traffic. Only when I threatened them with the press did they make efforts to correct some of it, but we're still waiting to see user-accessible spambuckets. Thanks for the info!