spamtrap63

  1. I don't think that would be much use - Spamcop cannot process IPv6 addresses. They have been aware of the issue for over 10 years, but trying to blacklist trillions of addresses and modify the databases to cope is a serious amount of work, far above what a shoestring budget could support.
  2. I sympathize, but these confirmations are important to help avoid false positives. This won't help everyone, but I solved this problem using my mail server - incoming mail is piped to a program I wrote to analyze the contents, and if it's a spamcop confirmation, sends the embedded url and code to another program that impersonates a browser, waits a few seconds to give spamcop servers time to catch up (as they aren't always ready), then goes to the url, clicks "Send spam Report(s) Now" and logs the results. This happens many thousands of times every day for all the high scoring, and checked greymail I submit. (Fortunately only ever have a handful of greymail to deal with). I spent years developing my systems to work with Spamcop's, so if they change something, I would either have a lot of work to do, or have to give up! So far, I've submitted over 4 million spams, and also unpacked and analyzed 280,000 messages containing js, jse, wsf, vbs, infected ole attachments to expose 18,000 unique hidden urls of compromised websites so they can also be reported and help to clean up the net. If only all ISPs around the world would actually act on these reports, the net really could be a cleaner place. Those that don't comply could then be marginalized and be forced to comply or remain blocked.
  3. I've managed to completely automate the process and have solved the ipv6 problem, simply by unwrapping the headers and replacing any ipv6 "Received:" fields with "X-Received-ipv6" using Perl's Regexp::IPv6 package:

        use Regexp::IPv6 qw($IPv6_re);

        # replace received fields if ipv6 for spamcop
        sub filteripv6($) {
            my $msg = shift;
            # normalize line endings to LF
            $msg =~ s/\r\n/\n/gs;
            $msg =~ s/\r/\n/gs;
            # split headers from body at the first blank line
            my ($header, $body) = $msg =~ /^(.*?)\n\n(.*)$/s;
            # no header/body separator found: return the message untouched
            return $msg unless defined $header;
            $header =~ s/\n[ \t]+/\t/gs;    # unwrap
            my @aHeader = split(/\n/, $header);
            my $NewHeader = "";
            foreach my $line (@aHeader) {
                if ($line =~ /^Received:/i) {
                    if ($line =~ /$IPv6_re/) {
                        $line =~ s/^Received:/X-Received-ipv6:/i;
                    }
                }
                $line =~ s/\t/\n\t/sg;      # rewrap
                $NewHeader .= $line . "\n";
            }
            $msg = $NewHeader . "\n" . $body;
            return($msg);
        }

     With a bit of work in php it could be added to squirrelmail's spamcop plugin. I can't imagine that it would be too difficult for spamcop to use this to parse and skip ipv6s until the new code is ready.
  4. Hi, I was hoping to be able to report this directly to spamcop, but not easy to contact them. I just submitted a new sample, and the mail analyser did not apparently pick up the url contained in the body, which I reproduce here because it is small:

        -----------------76F973CC666399.6ofq8qrS
        Content-Type: application/octet-stream; name="unduly.rtf"
        Content-Transfer-Encoding: base64

        e1xydGYxXGFuc2lcYW5zaWNwZzEyNTJcZGVmZjBcZGVmbGFuZzEwMzN7XGZvbnR0Ymx7XGYwXGZu
        aWxcZmNoYXJzZXQwIENhbGlicmk7fX0NCntcY29sb3J0YmwgO1xyZWQwXGdyZWVuMFxibHVlMjU1
        O30NCntcKlxnZW5lcmF0b3IgTXNmdGVkaXQgNS40MS4yMS4yNTA5O31cdmlld2tpbmQ0XHVjMVxw
        YXJkXHNhMjAwXHNsMjc2XHNsbXVsdDFcbGFuZzlcZjBcZnMyMntcZmllbGR7XCpcZmxkaW5zdHtI
        WVBFUkxJTksgImh0dHA6Ly81NS0xMS5jbiJ9fXtcZmxkcnNsdHtcdWxcY2YxIGh0dHA6Ly81NS0x
        MS5jbn19fVxmMFxmczIyICAtIGJ1eSB2aWFncmEsIGNpYWxpcywgbGV2aXRyYSBhbmQgb3RoZXIg
        bWVkc1xwYXINCn0=
        -----------------76F973CC666399.6ofq8qrS--

     and this rtf file decodes to simply:

        {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
        {\colortbl ;\red0\green0\blue255;}
        {\*\generator Msftedit 5.41.21.2509;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22{\field{\*\fldinst{HYPERLINK "http://55-11.cn"}}{\fldrslt{\ul\cf1 ht tp://55-11.cn} }}\f0\fs 22 - buy viagra, cialis, levitra and other meds\par

     The url is plain unobfuscated text so should have been noticed! Could someone please forward this on to the developer(s) ? Cheers, Andy.

     [edit 'clickable' link broken]
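
The check the last post asks for, as an added example that is not the poster's code or SpamCop's: decode each RTF attachment in a message and collect the targets of its HYPERLINK fields. The function names and the sample message (which uses the placeholder domain example.test) are constructed for illustration.

```python
import base64
import email
import re
from email import policy

# Instruction part of an RTF hyperlink field:
#   {\field{\*\fldinst{HYPERLINK "http://..."}}{\fldrslt{...}}}
HYPERLINK_RE = re.compile(r'HYPERLINK\s+"([^"]+)"', re.IGNORECASE)


def rtf_urls_in_message(raw_message):
    """Return the unique HYPERLINK targets found in RTF attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    urls = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        # The attachment type may be a generic application/octet-stream, so
        # go by the file name or the "{\rtf" signature, not the MIME type.
        if not (name.endswith(".rtf") or payload.lstrip().startswith(b"{\\rtf")):
            continue
        text = payload.decode("latin-1")  # byte-preserving, never raises
        for url in HYPERLINK_RE.findall(text):
            if url not in urls:
                urls.append(url)
    return urls


def build_sample():
    """Constructed sample message; example.test is a placeholder domain."""
    rtf = (b'{\\rtf1\\ansi{\\field{\\*\\fldinst{HYPERLINK "http://example.test/"}}'
           b'{\\fldrslt{\\ul http://example.test/}}}\\par}')
    b64 = base64.encodebytes(rtf).decode("ascii")
    return (
        'MIME-Version: 1.0\n'
        'Content-Type: multipart/mixed; boundary="BOUNDARY"\n\n'
        '--BOUNDARY\nContent-Type: text/plain\n\nsee attachment\n'
        '--BOUNDARY\n'
        'Content-Type: application/octet-stream; name="sample.rtf"\n'
        'Content-Transfer-Encoding: base64\n\n'
        + b64 +
        '--BOUNDARY--\n'
    ).encode("ascii")


if __name__ == "__main__":
    print(rtf_urls_in_message(build_sample()))
```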