Naive Question


dra007

I have a rather naive question, I receive the same spam (same content and apparently same routing) on two different servers...

On one of them the spam is filtered and reported as spam to both me and the abuse[at]ISP. In the filtered server, the spam attack has abated somewhat even though I reported less of it to spamcop. Is it possible that the spammer has access to the Spamcop database or some means of confirming how the spam reaches me?


I've got no idea why you may think you're special ... seeing the "same" spam across several accounts/ISPs/hosts is nothing new, and even the 15 that just showed up in one of my HotMail accounts ... all the "same" spam, all to the "same" address, all via different routes .... some "To:" me, some BCC:'d me, and 2 of those "From:" me ... my point is, when you've got these lowlife suckers charging other idiots to "deliver 5 million spams" .. I'm just not sure how you can factor in that "you're the lone target" ...

Just because you're paranoid doesn't mean that they're not out to get you, but take a step back and look at the whole picture before getting too worked up. Take a look at those "addresses" .... it seems so silly these days, but I do find it funny when researching an issue like this for someone else, that person came back with his e-mail account "name" was "Ron" .... and he just couldn't believe that no one else had taken it before he signed up with his ISP .... I'm not suggesting that your IDs are that simple, but ... are they that difficult to come up with for a "dictionary" type spammer, and that includes things like your name here, just a few letters followed by numbers ... way too easy for the spammer to script out.


I'm not suggesting that your IDs are that simple, but ... are they that difficult to come up with for a "dictionary" type spammer, and that includes things like your name here, just a few letters followed by numbers ... way too easy for the spammer to script out.

True enough...but if your argument is true, the likelihood that it would have ended up on a spammer list would have been as great 8 years ago as 4 weeks ago, right?

Also it would be as likely to have ended up on several spammer lists rather than just one? Right?

Since none of the above happened the likelihood that your argument is true becomes quite small, there are other factors that enter the equation such as name being used not being the same and the attack coinciding for 5 different names, I am only looking at this as a scientist trying to develop a rational hypothesis. Maybe begging for a rational answer is a wrong approach!


I believe the guy started out saying it may be a naive question. So why be a jerk about it? Are you special? I think not. Not everyone knows "all" about this stuff.

Are you not here to help people who don't know better? Get over yourself, jerk.


I believe the guy started out saying it may be a naive question. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Not everyone knows "all" about this stuff.

Are you not here to help people who don't know better? xxxxxxxxxxxx

All of the post that is worth quoting.

Yes, no one knows all about what happens - especially about spammers.

And dra007 has been told numerous times that spammers do not target one person for maliciousness. If those email addresses suddenly started getting spam, then they were either published somewhere where the spammer picked them up or that someone (not a spammer) deliberately signed hir up on a spammer's list.

I suppose there is a faint possibility that dra007 had dealings offline with a spammer in which the spammer got annoyed and started spamming hir. If someone who knows about email were really retaliating, there are other ways s/he would use instead of spam. And a spammer, if he set out to be annoying, could probably deliver hundreds of spam per hour, not the ordinary load that dra007 is describing.

Is it possible that the spammer has access to Spamcop data base or some means of confirming how the spam reaches me?

If it were not for dra007's other posts that suggest that s/he is really naive and paranoid, I would suspect a deliberate attempt to discredit spamcop by trolling here. And Wazoo did not answer this part. No, there is no chance that the spammer has access to the spamcop database. Yes, there are methods that the spammer can determine by spamcop reports which address the spam was sent to. Not that anyone has ever proven that the spammers use those methods or that if they do use them, what they do with the data except to listwash that address. People who are more knowledgeable, report with greater accuracy, and are more open with their addresses, than dra007 are no longer retaliated against by the spammers. They were in the beginning and it wasn't by more spam.

In addition, scientifically, there is no evidence that s/he is a spammer's specific target any more than anyone else who receives spam is. S/he has not researched (at least presented the results of research) of whether these emails can be googled or what mailing lists or purchases were made 4 months ago or other methods of determining how the spammer could possibly get those addresses. For instance, it could be that a dictionary spammer just picked them up. He probably hasn't sold them yet because the spam is all similar.

So the answer was helpful. Your post was neither helpful nor added anything to the discussion.

Miss Betsy


I have a rather naive question, I receive the same spam (same content and apparently same routing) on two different servers...

On one of them the spam is filtered and reported as spam to both me and the abuse[at]ISP.

The spammers are targeting every server that will accept e-mail from them.

Now what do you mean by spam filtered?

The mail servers that I have to use that use "content" filtering get a continuous stream of spam. And until they stop accepting e-mail from known spam sources, I expect that there will still be continuous spam from that source. That mail server is averaging 10 spams per day that get through the content filters. Other users of the mail server are complaining that the content filtering is dropping real e-mails.

The mail server that I use that does not have any content filtering except for virus removal, gets little spam, but is now up to about 1 to 2 per day. That spam is submitted to spamcop.net to determine its source.

And then it is submitted to MAPS-DUL if it looks like a dynamic address, and to MAPS-OPS if it looks like an open proxy. If it looks like a DHCP address and is missing from SORBS, it is submitted there.

Certain networks are no longer accepted by that postmaster, and if spam comes from a new netblock by that network, then that postmaster is notified and that network is no longer reachable by them.

A future version of the mail server software by that postmaster should allow the setting up of the system to check the I.P. addresses that URLs resolve to, if the e-mail is on a more aggressive DNSbl, or has a bad rDNS, and then issue an SMTP reject.

In the filtered server, the spam attack has abated somewhat even though I reported less of it to spamcop. Is it possible that the spammer has access to the Spamcop database or some means of confirming how the spam reaches me?

Spammers seem to attack any address they find. There are reports on N.A.N-A.* that some of the spammers are spamming usenet message IDs. These are strings like a8f0uf2sif0sf9s9sppal3280[at]example.com.

A reduction of spam mainly comes from the mail server operator deciding enough is enough, and stopping accepting any e-mail from spam-infested address ranges.

When done using conservative DNSbls, and local blocking lists, the only thing that the users will notice is that most of the spam is gone.

If you have not disabled return receipts without prompting on your e-mail client, there is one pump and dump stock spammer that is using them to confirm that you received their spew.

Also if anyone on your network uses a mail program that displays the pictures in the spam, those pictures are typically on the spammer's server, and the access of them tells the spammer that they got through your network's spam filtering. It can also give out more details such as the e-mail address that read the spam.

I have seen some of my imaginary domains show up in the CC: lists of spam.

As far as retaliation, I have only seen one spammer respond to a LART with either more spam or what appeared to be a virus. Most do not bother. There are now too many spam reporters for them to take the time for a personal attack. It apparently used to be different.

The amount of spam that you get is going to vary based on the competence of your postmaster at keeping spam out of the mail server, how widely exposed your e-mail address is on the internet, and how easily guessable it is on a dictionary attack.

I would refer you again to the pinned topic on the "Cost of spam" that is now apparently pinned in the lounge.

-John

Personal Opinion Only


Thank you John, that was very enlightening. What baffles me is that the spam is coming from reputable ISPs like comcast and road runner. I am beginning to suspect that some of these may be whitelisted because reporting them does not stop the spam... But I am beginning to understand, and I am not paranoid or haven't reached the point of hopelessness, otherwise I would stop showing up here.

As for newsgroups, I do go to one where there are very threatening people and some sound like knowledgeable hackers. Even though I tried to hide my true identity, I suspected all along that that may be a source of my recent attacks...


I'm not suggesting that your IDs are that simple, but ... are they that difficult to come up with for a "dictionary" type spammer, and that includes things like your name here, just a few letters followed by numbers ... way too easy for the spammer to script out.

True enough...but if your argument is true, the likelihood that it would have ended up on a spammer list would have been as great 8 years ago as 4 weeks ago, right?

Also it would be as likely to have ended up on several spammer lists rather than just one? Right?

You're asking me to explain the spammer mind, which of course I just don't have a clue about. With the work involved in trying to keep ahead of all the filters, blocks, etc., knowing that there are people out there with nothing better to do than spend the time in attempting to track you down, even identify you personally, if possible, I can't even figure out where the "easy money" thing comes into play for the majority of the spam I receive. Based on data provided in alleged interviews elsewhere, the only "easy thing" to it seems to be from the top spammers such as Ralsky, who stated that he would send "your" spam to "his" 250 million plus "opt-in" e-mail addresses for a mere $25,000 USD .. he takes "your" money, gives you some kind of a list that shows the alleged 250 million plus e-mail sent ... and "you" sit back and wait for the riches to roll in ... I found it so hard to believe that there's enough idiots out there that would buy enough of the spammed crap to ever get "you" your $25,000 USD back .. and yet, the spam continues ...???

As far as getting on one or more of these lists, there are just way too many variables to point a stick into the ground and say "this is how it happened to you this time" ... I have no idea what your address is, what it looks like, how you use it, where it might be directly found, or if there are 400 other people using the same "name"[at]someotherISP....

Since none of the above happened the likelihood that your argument is true becomes quite small, there are other factors that enter the equation such as name being used not being the same and the attack coinciding for 5 different names, I am only looking at this as a scientist trying to develop a rational hypothesis. Maybe begging for a rational answer is a wrong approach!

As stated above, I'm not a spammer, I don't understand spammers, "rational" went out the window years ago for me. So if you're convinced that "none of the above applies" to you, then you can concoct any scenario you wish. Asking for "analysis" here on "your" scenario really can't be done, as no one else but "you" can define the conditions and ground rules to define the analysis playing field.


spam is coming from reputable ISPs like comcast and road runner,

Yes and no ... look a bit closer and you'll see that most of the garbage isn't coming from the e-mail servers of these "fine" networks ... most of the crap these days is coming via customers of these reputable (your words, not mine) ISPs. Folks running without firewalls, folks that have not updated and applied known and advertised security patches, folks that blindly click on the "naked Anna Korna whoever" pictures and get upset when there isn't a naked female picture that shows up .... these are the computers that are being hijacked by the spammers of late to get their traffic out. The reason you "see" comcast and RR is because they are very large high speed cable network providers ....

even though I tried to hide my true identity, I suspected all along that that may be a source of my recent attacks...

Here again, you're asking the other posters to hazard a guess as to just what you might mean, especially when you toss the word "tried" in there, suggesting that you didn't. At a minimum, posting in a newsgroup "may" offer up the IP of your computer/connection; how much more is offered up can only be defined by you defining your "tried" scenario .... and if "tried" means you failed even once, then all bets are off.


I believe the guy started out saying it may be a naive question.

Possibly true, but on the other hand, this poster has made numerous posts about this same scenario, that he is being targeted. This was seen to be another one of these posts.

So why be a jerk about it?

Apparently, your interpretation of an answer. You're certainly entitled to your opinion.

Are you special? I think not. Not everyone knows "all" about this stuff.

No I'm not special, just trying to answer a question. I made no attempt to go into "all" of this stuff, only made a couple of scenario examples. And from your remark, I take it you gained no new knowledge from these examples?

Are you not here to help people who don't know better? Get over yourself, jerk.

I'm volunteering time to try to help, yes. But I can only work with data known to me, and there is just too much unknown in the original poster's description of the issue ... are the addresses mentioned something like dra007 and dra008 or something as wildly different as x9rt7563mko12 and Joe? I don't know and it's not my place to guess. Does dra007 use OE6SP1 configured to "read as plain text" or is he running wide open and passing back any embedded data by opening any and all of the pretty HTML encrusted crap sent to his InBoxes? I don't know and it's not my place to guess. Is dra007 making spam complaints/reports to those scum of the earth ISPs that are known (or at least definitely suspected of) to pass these complaints directly to the spammer involved? I don't know and it's not my place to guess. I could go on of course, but would it matter to you at this point?


Since you are curious, here is a spam I just reported; it's typical of what I get every day:

Return-Path: <0gzryy[at]bellsouth.net>

Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])

          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)

          ID <GAA09152[at]imap.srv.cis.pitt.edu> for <*me*[at]myISP>;

          Mon, 12 Apr 2004 06:05:13 -0400 (EDT)

Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)

id <01L8TZ4NFYN4009L63[at]mb2i1.ns.pitt.edu> for *me*[at]myISP :) ; Mon,

12 Apr 2004 06:05:11 EDT

Received: from c-67-173-138-123.client.comcast.net ([67.173.138.123])

by pitt.edu (PMDF V5.2-32 #41462)

with SMTP id <01L8TZ4LDRKE0025F7[at]mb2i1.ns.pitt.edu> for  *me*[at]myISP :) ;

Mon, 12 Apr 2004 06:05:10 -0400 (EDT)

Received: from [229.18.153.121] by c-67-173-138-123.client.comcast.net with

SMTP; Tue, 13 Apr 2004 17:04:43 +0600

Date: Tue, 13 Apr 2004 17:04:43 +0000 (GMT)

From: Geoffrey Hankins <0gzryy[at]bellsouth.net>

Subject: the scientifically formulated product for your love tool! i

To:  *me*[at]myISP :)

Reply-to: Geoffrey Hankins <0gzryy[at]bellsouth.net>

Message-id: <p2$6--z-v3u021-b1z[at]o591dc>

MIME-version: 1.0

X-Mailer: Microsoft Outlook Express 5.00.2615.200

Content-type: multipart/alternative;

boundary="Boundary_(ID_9OC342t59f0giOgEq3trBw)"

X-Priority: 3

X-MSMail-priority: Normal

--Boundary_(ID_9OC342t59f0giOgEq3trBw)

Content-type: text/html;

Content-transfer-encoding: quoted-printable

<p align=3D"center">

<img src=3D"http://1st-herbal.biz/d/images/redbullet.gif">

<br><br>

<font face=3D"Arial, Helvetica, sans-serif" size=3D"3" style=3D"line-heigh=

t: 1.35em" color=3D"red">

  <b>Our DeerAntler+ Penis Enlargement Pills Will Expand, <br>

  Lengthen And Enlarge Your Penis 3+ Inches.<br>

  100% Satisfaction Guaranteed! Or Your Money Back!</b>

</font>

<br>

<br>

<font face=3D"Helvetica, Arial, sans-serif" style=3D"line-height: 1.35em">=

<b>

<font color=3D"#800000">

* Increase testosterone levels up to 500%<br>

* Prevent premature ejaculation<br>

* Enhance penis size up to 3 inches<br>

* Maintain harder, stronger erections for hours<br>

* Have amazing sex up to 20 times per day<br>

* Improve sexual stamina dramatically<br>

* Increase sexual self-confidence<br>

* Satisfy yourself and your lover like never before<br>

* 100% Safe To Take, With NO Side Effects<br>

* Fast Priority USPS Shipping WorldWide<br>

* Doctor Approved And Recommended<br>

* 100% Money Back Guarantee<br>

* FREE Bottle Of DeerAntler+ Worth Over $50<br>

</font></b><br>

<font size=3D"+2" style=3D"line-height: 1.35em" face=3D"Helvetica, Arial, =

sans-serif"><b>

<a href=3D"http://www.great-offerz.biz/d/?inkk" target=3D"_blank">

<font color=3D"#008000">CLICK HERE TO ENLARGE YOUR PENIS</font></a></b><fo=

nt color=3D"#008000">

</font><br>

<br>

<br>

<p align=3D"center">

<font size=3D"+2" style=3D"line-height: 1.35em" face=3D"Helvetica, Arial, =

sans-serif">

<a href=3D"http://cleveland.great-herb.us/1v3.html" target=3D"_blank">O=

pt me out</a>

</font></p>e tehf safbpdfvvovig fypxvoey e mctqzl xaeuvv

key miwwchhafcrkdy deidcfsp w

--Boundary_(ID_9OC342t59f0giOgEq3trBw)--

Notice the <<Tue, 13 Apr 2004>> time stamp by comcast (not my ISP) in the header; for all I know it's still early Monday morning... can you explain this inconsistency?


And this is the report for the above spam, the 'reputable' comcast:

Tracking message source: 67.173.138.123:

Routing details for 67.173.138.123

[refresh/show] Cached whois for 67.173.138.123 : abuse[at]comcast.net

Using abuse net on abuse[at]comcast.net

abuse net comcast.net = abuse[at]comcast.net

Using best contacts abuse[at]comcast.net

Yum, this spam is fresh!

67.173.138.123 not listed in dnsbl.njabl.org

67.173.138.123 not listed in dnsbl.njabl.org

67.173.138.123 listed in cbl.abuseat.org ( 127.0.0.2 )

67.173.138.123 is an open proxy

67.173.138.123 not listed in plus.bondedsender.org

67.173.138.123 not listed in query.bondedsender.org

67.173.138.123 not listed in iadb.isipp.com

:P

Somehow I have reported IPs in that neighbourhood every day for .. oh, a few weeks now..


And this is a report for an identical spam that followed:

Tracking message source: 62.211.203.111:

Routing details for 62.211.203.111

[refresh/show] Cached whois for 62.211.203.111 : abuse-bbb[at]telecomitalia.it

Using abuse net on abuse-bbb[at]telecomitalia.it

abuse net telecomitalia.it = postmaster[at]telecomitalia.it, abuse[at]nic.it, abuse[at]telecomitalia.it

Using best contacts postmaster[at]telecomitalia.it abuse[at]nic.it abuse[at]telecomitalia.it

Yum, this spam is fresh!

62.211.203.111 listed in dnsbl.njabl.org ( 127.0.0.3 )

62.211.203.111 listed in dnsbl.njabl.org ( 127.0.0.3 )

62.211.203.111 listed in cbl.abuseat.org ( 127.0.0.2 )

62.211.203.111 is an open proxy

62.211.203.111 not listed in plus.bondedsender.org

62.211.203.111 not listed in query.bondedsender.org

62.211.203.111 not listed in iadb.isipp.com

Finding links in message body

Header data found in body, aborting link detection

By the way, what does this mean? <<Header data found in body, aborting link detection>> :(


By the way, what does this mean? <<Header data found in body, aborting link detection>> :(

I've had that message when there is a boundary declared but not opened, e.g. your earlier example had

boundary="Boundary_(ID_9OC342t59f0giOgEq3trBw)" [declaration]

...

--Boundary_(ID_9OC342t59f0giOgEq3trBw) [boundary open]

...

--Boundary_(ID_9OC342t59f0giOgEq3trBw)-- [boundary close]

Having the first without both of the others causes the parser some difficulty.

[Added] Nope, I misspoke, the parser handled both of these when I checked to replicate the error. Removing the blank line above the boundary opening (still) produces the "couldn't parse head" error:

Finding links in message body

error: couldn't parse head

Message body parser requires full, accurate copy of message

The meaning of your error seems to indicate some critical header line(s) are duplicated or misplaced (similar to JeffG's pinned FAQ "Header Incomplete, Aborting"), but I don't know, can't replicate. The parser is quite robust, tries to handle all sorts of mangling before resorting to any error messages.

Guess you will need to provide an example ...


Since you are curious, here is a spam I just reported; it's typical of what I get every day:

As do I and most people here. I receive about 100 between 11:00 PM and 8:00 AM every day and currently another 100 or so throughout the day. In the last 2 days (all the trash I keep) I have 8 messages that include "DeerAntler" alone.

Notice the <<Tue, 13 Apr 2004>> time stamp by comcast (not my ISP) in the header; for all I know it's still early Monday morning... can you explain this inconsistency?

Received: from [229.18.153.121] by c-67-173-138-123.client.comcast.net with

SMTP; Tue, 13 Apr 2004 17:04:43 +0600

That is a forged header. Spamcop does not believe it and reports the IP previous to it as seen here:

Tracking message source: 67.173.138.123:

Also, as stated elsewhere in this discussion, this is a client machine, probably infected and being used to relay the spam. No surprise there.


First spam:

Received: from c-67-173-138-123.client.comcast.net ([67.173.138.123])

by pitt.edu (PMDF V5.2-32 #41462)

with SMTP id <01L8TZ4LDRKE0025F7[at]mb2i1.ns.pitt.edu> for  *me*[at]myISP  ;

Mon, 12 Apr 2004 06:05:10 -0400 (EDT)

Received: from [229.18.153.121] by c-67-173-138-123.client.comcast.net with

SMTP; Tue, 13 Apr 2004 17:04:43 +0600

Date: Tue, 13 Apr 2004 17:04:43 +0000 (GMT)

67.173.138.123 listed in cbl.abuseat.org ( 127.0.0.2 )

67.173.138.123 is an open proxy

Your spam was injected via this open proxy on a comcast "client" computer. Your issues with the dates showing in the lines below that are input by the spammer's sourcing system, be it the spammer's computer, or yet another hijacked computer in the mix, perhaps on the other side of the date-line. You are more than welcome to join in the ever-growing tirade against companies like Comcast that aren't taking control of their many "fine and reputable" clients and jerking their access until they fix their computers. Again, this is not a spam from "Comcast" directly, it's a compromised loose computer that's getting its high-speed connection via the monthly check sent to Comcast by the computer's owner.

And this is a report for an identical spam that followed:

62.211.203.111 listed in cbl.abuseat.org ( 127.0.0.2 )

62.211.203.111 is an open proxy

And again, a compromised machine involved.

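The trust-boundary reasoning the replies above apply to dra007's headers (walk the Received: chain from the top, stop at the first hop that a relay you trust recorded from an outside address, and treat every Received: line below it as spammer-supplied and possibly forged) as an added Python example; this is not SpamCop's parser and not code from anyone in the thread. The sample headers are adapted from the spam quoted above with the recipient replaced by a placeholder, and the trusted-relay list is an assumption about that site's mail setup.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample, adapted from the headers quoted earlier in this thread;
# the recipient address is a placeholder, the rest is as posted.
RAW_HEADERS = """\
Received: from mb2i1.ns.pitt.edu (mb2i1.ns.pitt.edu [136.142.185.162])
          by imap.srv.cis.pitt.edu with ESMTP (8.8.8/8.8.8/cisimap-7.2.2.4)
          ID <GAA09152@imap.srv.cis.pitt.edu> for <me@example.invalid>;
          Mon, 12 Apr 2004 06:05:13 -0400 (EDT)
Received: from CONVERSION-DAEMON by pitt.edu (PMDF V5.2-32 #41462)
 id <01L8TZ4NFYN4009L63@mb2i1.ns.pitt.edu> for me@example.invalid; Mon,
 12 Apr 2004 06:05:11 EDT
Received: from c-67-173-138-123.client.comcast.net ([67.173.138.123])
 by pitt.edu (PMDF V5.2-32 #41462)
 with SMTP id <01L8TZ4LDRKE0025F7@mb2i1.ns.pitt.edu> for me@example.invalid;
 Mon, 12 Apr 2004 06:05:10 -0400 (EDT)
Received: from [229.18.153.121] by c-67-173-138-123.client.comcast.net with
 SMTP; Tue, 13 Apr 2004 17:04:43 +0600
Date: Tue, 13 Apr 2004 17:04:43 +0000 (GMT)
From: Geoffrey Hankins <0gzryy@bellsouth.net>
"""

# Assumed trust configuration for the receiving site: hostnames that appear in
# the "by" clause of hops we wrote ourselves, and the addresses of our own relays.
TRUSTED_RELAYS = {"imap.srv.cis.pitt.edu", "pitt.edu", "mb2i1.ns.pitt.edu"}
OWN_ADDRESSES = {"136.142.185.162"}

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Reduce one (possibly folded) Received: value to from-IP, by-host, UTC time."""
    text = " ".join(value.split())  # unfold continuation lines
    m = re.search(r"\bfrom\s+(.*?)\s+by\s+(\S+)", text)
    from_clause, by_host = (m.group(1), m.group(2)) if m else ("", None)
    ip = IPV4.search(from_clause)  # internal hops (e.g. CONVERSION-DAEMON) have none
    when = None
    if ";" in text:  # the timestamp follows the last ';' per RFC 2822
        try:
            when = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            when = when.astimezone(timezone.utc)
        except (TypeError, ValueError):
            when = None
    return {"ip": ip.group(1) if ip else None, "by": by_host, "when": when}


def find_source(hops):
    """Index of the injection point: first hop (newest first) that a trusted relay
    recorded from an address that is not one of our own relays."""
    for i, hop in enumerate(hops):
        if hop["by"] in TRUSTED_RELAYS and hop["ip"] and hop["ip"] not in OWN_ADDRESSES:
            return i
    return None


def analyze(raw):
    """Return the reportable source IP and any lower hops whose claimed time is
    later than the moment our relay actually took delivery (a forgery tell)."""
    hops = [parse_received(v) for v in message_from_string(raw).get_all("Received", [])]
    idx = find_source(hops)
    if idx is None:
        return {"source": None, "source_received_utc": None, "suspect_hops": []}
    src = hops[idx]
    suspect = []
    for hop in hops[idx + 1:]:  # everything below the source is spammer-supplied
        if hop["when"] is not None and src["when"] is not None and hop["when"] > src["when"]:
            ahead = int((hop["when"] - src["when"]).total_seconds())
            suspect.append({"ip": hop["ip"], "by": hop["by"], "seconds_ahead": ahead})
    return {"source": src["ip"], "source_received_utc": src["when"].isoformat(),
            "suspect_hops": suspect}


if __name__ == "__main__":
    print(analyze(RAW_HEADERS))
```

On the sample this reports 67.173.138.123 as the source (the same answer SpamCop gave) and flags the comcast-client hop below it, whose +0600 stamp claims delivery about 25 hours after pitt.edu actually accepted the message.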
