Jump to content

spam from Turkey and spammer's tricks to screw with the Spamcop parser...


goldeneye

Recommended Posts

Has anyone dealt with ISPs in Turkey recently - as I've gotten a pair of spams which point to a Turkish provider - and apparently the homepage of that provider is in Turkish only...

http://www.spamcop.net/sc?id=z4967246657ze...c99a2f652a2031z

http://www.spamcop.net/sc?id=z4966067162z9...a221fa2608ffd9z

Also the abuse address for the server being misused to send the spam isn't pointing to an abuse mailbox - is this common?

These types of spams were apparently started when Romanian servers were involved, but now it appears that Romania clamped down on them and they now have moved operations to Turkey apparently.

Now, those damn spammers added at least one "Content-type: #" to screw up the damn parser, so I had to remove those lines so that Spamcop can properly parse it... Secondly, the damn spammers also fudged the URLs with apparent "blank" characters or things like "j" to screw with the parser - and in the first case, spamcop read the "blank" character as an extra forward slash in the URL which forced me to resubmit by editing and removing the "invisible character" or converting the "escaped" character.

Anyone else dealt with those types of spams recently that forced them to resubmit?

Link to comment
Share on other sites

Has anyone dealt with ISPs in Turkey recently - as I've gotten a pair of spams which point to a Turkish provider

...Not I, sorry, won't be able to help you there.
- and apparently the homepage of that provider is in Turkish only...
...Since I haven't used this I can't personally recommend it but you could try http://www.worldlingo.com/en/microsoft/web...translator.html.
Also the abuse address for the server being misused to send the spam isn't pointing to an abuse mailbox - is this common?
...Well, I have seen that on occasion. Gives me pause -- certainly a spammer would do that!
Now, those damn spammers added at least one "Content-type: #" to screw up the damn parser, so I had to remove those lines so that Spamcop can properly parse it... Secondly, the damn spammers also fudged the URLs with apparent "blank" characters or things like "j" to screw with the parser - and in the first case, spamcop read the "blank" character as an extra forward slash in the URL which forced me to resubmit by editing and removing the "invisible character" or converting the "escaped" character.

<snip>

...Please cancel the results of those parses!!! See SpamCop FAQ (link near top left of every SpamCop Forum page) entry labeled "Material changes to spam."
Link to comment
Share on other sites

Looks like SC is continuing to explore and modify reporting addresses for the email source, as can be seen from http://www.spamcop.net/sc?action=rcache;ip=205.204.86.113 and http://www.spamcop.net/sc?action=rcache;ip=205.204.86.105 - looks like only upstream reporting would be sent out currently/in future.

As Steve T says, that's the only area you can legitimately report through SC for the examples shown - modifying spam to "help the parser" is the biggest, baddest no-no in the rules for reporting. But you can use SC to discover the detail for independent or personal reports (just be sure to cancel sending of SC reports).

The TOS for Sayfa.NET (in English) are at: http://hosting.sayfa.net/tos.php

The Turkish hosting.sayfa.net index page may be translated to English using

http://translate.google.com.au/translate?h...ting.sayfa.net/

The address of that link without the shortening of the display is

http://translate.google.com.au/translate?hl=en&sl=tr&u=http://hosting.sayfa.net/

Any other page can be translated by changing the URI address at the end.

A little off-topic here but (many) other languages can be accommodated by changing the tr term in the sl=tr expression in the link to whatever 2 character ISO 639-1 language designator is required.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...