hjp Posted July 14, 2012
Looks good this morning in Italy, quick and nimble! Just wait a bit. I am getting Gateway timeouts now. I have not seen a change in 2 and a half weeks.
NewView Posted July 14, 2012
On some web form spam submissions, it's still taking a loooong time to parse and then timing out, necessitating revisiting the SpamCop page, at which point I'm seeing the Report Now option ... which AGAIN takes forever once clicked. *Sometimes* it goes through after clicking that, *sometimes* it takes a loooong time again & times out again, & sometimes it reports the spam is too old ... on a spam I just received THAT day. SpamCop is still broken, apparently.
ArtmakersWorlds Posted July 14, 2012
I sent to early this morning and they went through fine. An hour later, time out time out time out. Oh well. Will try tonight.
efa Posted July 14, 2012
exactly, at first all gone, now got sigalarm, taking too long to process, aborted
ratycaty Posted July 14, 2012
I will say this: it's been almost a week since I've been able to process spam. Today 1/3 of the spams I reported actually worked; the rest are getting the gateway timeout. Not sure what is up but there still appear to be problems.
mrmaxx (Author) Posted July 14, 2012
I have to say I haven't bothered with trying to parse emails while this has been going on. I have simply used the VER interface of the email system to quick-report or just using the "report as spam" button in the webmail interface. THAT seems to be working nearly flawlessly, or maybe it's just submitting it to a quick-report queue. In any case, quick-reporting seems to be working (mostly -- occasionally I'll see a 10-15 second "hiccup" before a spam goes away.)
SpamCopAdmin Posted July 14, 2012
Yes, SpamCop performance is still erratic sometimes. I'm seeing the same things you are. On the bright side, things are running really well much of the time.
Other notes...
Old spam is old news. Please just delete anything over 24 hours old.
The suspended users have all been reinstated. I can't take credit for that. Even when I was still having trouble getting into my admin tools, our lead engineer was able to dig directly into the database and reinstate the suspended users. He gave me a list of the email addresses so that I could notify them. Gotta like that! He really came through for us!
- Don D'Minion - SpamCop Admin -
- Service[at]Admin.SpamCop.net -
dra007 Posted July 14, 2012
I am not going to do any detective work.. but just say that this is really the most persistent spammer and throughout this incident the spam from them has gone up greatly, maybe someone else can find out who they are:
http:// onrpnhfozy.medicpostb. ru/ (Administrator of network hosting website referenced in spam)
To: heibaizhuli[at]yahoo. com. cn (Notes)
Farelf Posted July 14, 2012
medicpostb.ru registrant - protected behind http://www.reg.ru/whois/admin_contact
Hosting 116.255.233.200 - ZhengZhou GIANT Computer Network Technology Co., Ltd
no abuse.net record
Landing page terse ("Server: Apache")
Landing page does not suffer extended analysis (connection times out in process)
Endless list of "alphabet soup" super-domains.
Ownership? Anyone's guess at this stage. Russian Federation, India, China, North America?
WOT Trustworthiness, vendor reliability, privacy and child safety of this site (medicpostb.ru) is very poor.
medicpostb.ru Listed on URIBL black
medicpostb.ru is on SURBL lists: JP WS
efa Posted July 14, 2012
It is important to say that it was not a DOS attack, but a load attack. From the information we have, the spammer used the same protocol and same mimic of normal users, so it was not a DOS, and this makes it complicated for the engineers to distinguish good traffic from bad. Engineers should discover where the bad traffic attack came from; hope for more news in this regard.
SpamCopAdmin Posted July 14, 2012
> a load attack. From the information we have, the spammer used the same protocol and same mimic of normal user
Please explain. I don't know what you mean by "same protocol."
- Don D'Minion - SpamCop Admin -
- Service[at]Admin.SpamCop.net -
csouter Posted July 15, 2012
I managed to report 32 spams through the web parser about an hour ago this morning. The process went quite quickly until the last four or five, when it slowed down appreciably. Those last few were quite slow, but there were no timeouts, and all my spam is cleared. Overall the process took about half an hour, reporting each spam manually, which is about right in my experience.
Also, last night, I was finally able to access my mailhosts page, and re-enable quick reporting. Overall, I'm quite happy with the performance at the moment.
BTW, I have one quick question. I'm sure someone will know the answer to this:
Our individual reporting addresses are in this format: submit.XXXXXXXXXXXXXXXX[at]spam.spamcop.net
IIRC, our quick reporting addresses are in the same format, except that they start with "quick" instead of "submit", which gives this format: quick.XXXXXXXXXXXXXXXX[at]spam.spamcop.net
Am I correct? (I haven't used quick reporting for a few years, and I've forgotten how to set it up, or to find out what my quick reporting address is). Thanks in advance for any help or advice!
[EDIT]: I just found the answer in the SpamCop FAQ, so just ignore my question. Sorry for any inconvenience!
SpamCopAdmin Posted July 15, 2012
Yes. The "quick" address is the same as the "submit" address, except one starts with "quick" and the other starts with "submit."
- Don D'Minion - SpamCop Admin -
- Service[at]Admin.SpamCop.net -
dra007 Posted July 15, 2012
SC performance is still dismal, I am getting Gateway Timeouts and am unable to analyse or submit spam. The statistics also have not shown a significant improvement in the last 24 h. Are we going to see SC come back from this?
csouter Posted July 15, 2012
> Yes. The "quick" address is the same as the "submit" address, except one starts with "quick" and the other starts with "submit."
> - Don D'Minion - SpamCop Admin -
> - Service[at]Admin.SpamCop.net -
Thanks, Don!
efa Posted July 15, 2012
> Please explain. I don't know what you mean by "same protocol."
I understood that the spammer sent spam mails like normal users, but they send a lot. In this sense it is the same protocol and mimic of normal SC server load. Normally a DOS is different: the attacker "connects" to the server so it has to open a socket for him (allocate memory, resources, and so on), then opens another one, another one, and so on ... sometimes they send pings with garbage, but never close any socket, so it is the server that has to time out or die, see:
$ man 2 connect
efa Posted July 15, 2012
I'm trying to send the 2 day backlog of spams, I can send all with intermittent behavior. Some went through fast, most take a long time (more than the promised 6 sec nag screen, and the browser reload does not change the situation), a few times it ends in a gateway timeout where a reload finally sent. The "Send spam Report Now" button always sent in normal time; it is the parsing phase that took a lot of time, hope this helps diagnosing.
Note: As all the spams in these down days are about the same, with only 3 .ru and .ua spamvertized domains, I have the doubt that are innocent domains.
gnarlymarley Posted July 15, 2012
> I'm trying to send the 2 day backlog of spams, I can send all with intermittent behavior. Some went through fast, most take a long time (more than the promised 6 sec nag screen, and the browser reload does not change the situation), a few times it ends in a gateway timeout where a reload finally sent.
> Note: As all the spams in these down days are about the same, with only 3 .ru and .ua spamvertized domains, I have the doubt that are innocent domains.
Could it be divided out that your slow ones were in the RIPE area?
efa Posted July 15, 2012
> Could it be divided out that your slow ones were in the RIPE area?
RIPE area for the mail source IP or for the host of the spamvertized links?
gnarlymarley Posted July 15, 2012
> RIPE area for the mail source IP or for the host of the spamvertized links?
either/or. I do not have enough spam to tell for sure, but I think my slow ones might be having whois issues with RIPE. This will include both the mail source IP and the link host as the whois portion of the parser works the same on both.
efa Posted July 15, 2012
> might be having whois issues with RIPE. This will include both the mail source IP and the link host as the whois portion of the parser works the same on both.
mail source was: airtel.in, sanchernet.in, bol.net.in, saudi.net.sa, ttnet.net.tr and sjrb.ca so not all by RIPE.
Update: for the last ones, all went through very fast
SpamCopAdmin Posted July 15, 2012
> I understood that the spammer sent spam mails like normal users, but they send a lot.
OK. I see what you mean. That hasn't happened for years. We still defend against it, but spammers haven't tried that trick for a long time.
- Don D'Minion - SpamCop Admin -
- Service[at]Admin.SpamCop.net -
hok Posted July 15, 2012
> Our individual reporting addresses are in this format: submit.XXXXXXXXXXXXXXXX[at]spam.spamcop.net
> IIRC, our quick reporting addresses are in the same format, except that they start with "quick" instead of "submit", which gives this format: quick.XXXXXXXXXXXXXXXX[at]spam.spamcop.net
> Am I correct? (I haven't used quick reporting for a few years, and I've forgotten how to set it up, or to find out what my quick reporting address is). Thanks in advance for any help or advice!
> [EDIT]: I just found the answer in the SpamCop FAQ, so just ignore my question. Sorry for any inconvenience!
May I have the direct URL to quick reporting in SpamCop FAQ?
gnarlymarley Posted July 15, 2012
> May I have the direct URL to quick reporting in SpamCop FAQ?
I believe this is the URL they are talking about: http://forum.spamcop.net/scwik/QuickReporting/
efa Posted July 15, 2012
> That hasn't happened for years. We still defend against it, but spammers haven't tried that trick for a long time.
I hope net engineer identified the account responsible of flooding, and maybe the source of the attack
Archived
This topic is now archived and is closed to further replies.