
Spamcop Compromised


photoshop911


For about 8 hours yesterday, Wednesday, September 5th, my Spamcop was totally unreliable, very sluggish -- taking 2 to 3 minutes to act on a command, not sending mail, etc.

This morning I find I'm BLOCKED by several networks because of "Spamming"

I couldn't even get into THIS FORUM

It let me sign in, but then said "You do not have permission to view this content"

(When using my spamcop account and address)

Now I cannot reach anyone -- I've posted false positives, etc., to no avail.

The admin of THIS FORUM will not even answer my email.

What gives.

IF YOU WONDER if I'm a spammer, Search http://www.ugnn.com/ for the word "Spamcop"

:-(

Signed : NOT HAPPY CAMPER


For about 8 hours yesterday, Wednesday, September 5th, my Spamcop was totally unreliable ... not sending mail, etc.
...Assuming you are referring to SpamCop e-mail: as reported in SpamCop Forum article Trouble with webmail.
This morning I find I'm BLOCKED by several networks because of "Spamming"
...Assuming that you wrote "I'm BLOCKED" as shorthand for SpamCop e-mail is blocked: could you please post the "blocked" message you are receiving and tell us from whom you are getting it? There is a known problem with Hotmail -- see pinned SpamCop Forum article "Hotmail blocking CESmail outbound mailserver".
I couldn't even get into THIS FORUM

It let me sign in, but then said "You do not have permission to view this content"

(When using my spamcop account and address)

...You were using your SpamCop Forum account (not your SpamCop e-mail account), correct? If so, I fail to understand what could have caused that. I'm glad it cleared up and you are now able to post here.
Now I cannot reach anyone -- I've posted false positives, etc., to no avail.
...Sorry, can you explain more what you mean by this? Whom are you trying to reach and by what medium? What false positives did you post, where and for what purpose?
The admin of THIS FORUM will not even answer my email.

<snip>

...Whom are you trying to reach? Wazoo, the Forum Admin, has been offline for many months, now. Farelf (aka Steve) seems to have taken over much of his work, at least whatever he has powers to do. FYI, PM (Personal Message) is the preferred means of communicating privately with each other here.

For about 8 hours yesterday, Wednesday, September 5th, my Spamcop was totally unreliable, very

What gives.

IF YOU WONDER if I'm a spammer, Search http://www.ugnn.com/ for the word "Spamcop"

:-(

Signed : NOT HAPPY CAMPER

Not had any troubles here (?) I'm a SpamCop email user

Just in case, you should reset your firewall. Watch what tries to access the internet; if you don't know, google it to find out

Then security scan your computer

It may just be your provider had a hiccup

If you have a Windows computer, try to clean up your registry; CCleaner does this (in Tools).

WinOptimizer is available for free - WATCH what they try to install, they try to insert a lot of malware in the form of tool bars, replace search and so on. The program is very good at cleaning the junk from your computer registry though.


...This morning I find I'm BLOCKED by several networks because of "Spamming"

I couldn't even get into THIS FORUM

It let me sign in, but then said "You do not have permission to view this content"

(When using my spamcop account and address). ...

Hi Fred,

First and clearly the most significant: sounds like your own SC e-mail account could be compromised. Have you contacted the e-mail side with such a suspicion? And/or re-set your SC e-mail password? You had (possible/suspected) problems along those lines at least once before. Or, as Steve T has said, it could be symptomatic of one or either of the several concurrent mail problems to which he provided links.

Next (with emphasis because we are dealing with different accounts from this point), denied forum permissions is usually (I would have said certainly) a sign that your FORUM (only) account is banned, OR (under some circumstances) your posting IP-address is abuse-filtered or, ditto, your forum e-mail registration address. None of which is the case with either of your current forum accounts. Your previous "duplicate" forum account, ugnn, was banned back in 2008 by the looks.

Yes, I see now that you have created a newer duplicate forum account (the one you are now posting from - back in January). That's a no-no, always has been, always will be, as Wazoo told you when the ugnn account was banned (refer SECTION 3 - Maintaining & Updating Your Account, in the Forum Account section).

You can PM me as to your reasons and to nominate which one of your two currently active accounts you want to remain - but one of them has to go (to be "banned", meaning all posts will remain, just the second account, one or the other, will become inactive). Apologies for making this "public" but it has all been done privately before, evidently to no avail, and perhaps others need to be reminded/know as well - AND it might be relevant to your problem with the use of this forum which will be of general concern to forum members.

So, which account did you try? Looks to me like you logged into both photoshop911 and ugnn. The other one (presently active) has not been accessed since January (a week after you created this photoshop911 account). The banned one would give the "You do not have permission to view this content" response you have noted. And one of the others will do the same shortly. Banned accounts have minimal privileges; a guest can see more of the forum posts (which is to say the same as almost all active members).


First and clearly the most significant: sounds like your own SC e-mail account could be compromised. Have you contacted the e-mail side with such a suspicion? And/or re-set your SC e-mail password? You had (possible/suspected) problems along those lines at least once before. Or, as Steve T has said, it could be symptomatic of one or either of the several concurrent mail problems to which he provided links.

I do not think it was compromised, at least in any way that I have control over. I log directly into the site email. IT IS NOT popping. I use a Mac, no zombies or Trojans that could be sending the mail.

Changing the password after the fact doesn't help this misery.

I am frequently the victim of "Joe jobs" ... where the spammer sends a ton of spam supposedly 'from' my spamcop account. Yes, it's happened before. I'm such a visible spam fighter, and now with Knujon going after ICANN -- I've got a big red TARGET painted on my back.

Apple's Mac.com mail system sent back the SPAMCOP IP address, NOT my IP address.

That issue is DIFFERENT from this forum issue. I only came to the forum for help... except :

Next (with emphasis because we are dealing with different accounts from this point), denied forum permissions is usually (I would have said certainly) a sign that your FORUM (only) account is banned,

When I logged into the FORUMS in order to ask questions and get help, my ID and Password were accepted as always. Except then once in, there was an ERROR passed "You do not have permission" ... I thought "What's with this???" and figured it was due to this situation.

I searched on down through my accounts file and saw the Photoshop911 forum account. Since UGN was dead, this must be the one I was using. I operate forums too ... www.DTG-Forums.com ... and it's misery removing the black-hat SEO operators who register in dozens and dozens of accounts. However ...

On YOUR forum ERROR REPLY there are FOUR "remedy" links ... one of them is : "...START ANOTHER ACCOUNT" ... if that's a no-no, then you shouldn't be telling users to do that as a remedy to getting blocked.

OR (under some circumstances) your posting IP-address is abuse-filtered or, ditto, your forum e-mail registration address.

I don't understand that. The IP address being blocked by two entities is not MY machine/provider address... but one somewhere else.

None of which is the case with either of your current forum accounts. Your previous "duplicate" forum account, ugnn, was banned back in 2008 by the looks.

I don't understand this. I've used the UGN many times here since 2008. I don't even remember any problems in 2008 -- what they were about or what -- to my recollection I've never done anything to get banned here.

Since nearly the beginning of spamcop I've been an avid supporter and evangelist. Want proof? Go to http://www.UGNN.com/ and search for "spamcop.com" (something like 700 files) ... with my articles in 60-seconds.com and DTG Magazine supporting and promoting SpamCop there's no way of telling how many subscribers I've sent.

This is not evidence of someone "bad" or who should be banned, or who should not get a little help when the spam cartels fight back.

I think Julian would agree -- he as much as said so in our discussions together at the 2000 FTC spam CON in Washington D.C.

You can PM me as to your reasons and to nominate

What is this and how do I do it ?

How can I see what "Wazoo" told me when the UGNN account was banned, and why it was banned. How do I find that? I really don't remember that episode, although you're right -- I've been slammed by spammers many times.

Thanks again for the help so far.

:-)

SAMPLE OF ALLEGED spam THEY ACCUSED ME OF SENDING

>----------------------------

> Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])

> by DELETED with ESMTP id DELETED

> (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT)

> for <DELETED>; Wed, 05 Sep 2012 03:28:01 -0400

> Received: from unknown (HELO smtprelay1.cesmail.net) ([192.168.1.111])

> by c60.cesmail.net with ESMTP; 05 Sep 2012 03:27:26 -0400

> Received: from User (198-101-205-111.static.cloud-ips.com [198.101.205.111])

> by smtprelay1.cesmail.net (Postfix) with ESMTPA id DELETED;

> Wed, 5 Sep 2012 03:10:18 -0400 (EDT)

> Reply-To: <barr_evansthomas4[at]yahoo.co.jp>

> From: "Barrister Evans Thomas"<barr_evansthomas[at]yahoo.co.jp>

> Subject: With Due Respect

> Date: Wed, 5 Sep 2012 07:10:22 -0000

> X-Mailer: Microsoft Outlook Express 6.00.2600.0000

> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

> Message-Id: DELETED

> To: DELETED

>


> Received: from User (198-101-205-111.static.cloud-ips.com [198.101.205.111])

> by smtprelay1.cesmail.net (Postfix) with ESMTPA id DELETED;

> Wed, 5 Sep 2012 03:10:18 -0400 (EDT)

> Reply-To: <barr_evansthomas4[at]yahoo.co.jp>

> From: "Barrister Evans Thomas"<barr_evansthomas[at]yahoo.co.jp>

> Subject: With Due Respect

> Date: Wed, 5 Sep 2012 07:10:22 -0000

> X-Mailer: Microsoft Outlook Express 6.00.2600.0000

> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

> Message-Id: DELETED

> To: DELETED

>

log in required to see spam reports for IP 198.101.205.111

http://mailsc.spamcop.net/mcgi?action=show...mp;query_type=4

Check your sent email box log in again

http://webmail.spamcop.net/horde/imp/mailb...INBOX.sent-mail


....Assuming that you wrote "I'm BLOCKED" as shorthand for SpamCop e-mail is blocked: could you please post the "blocked" message you are receiving and tell us from whom you are getting it?

YES... my SpamCop email address is BLOCKED, but by IP address, not "Showker"

You can clearly see that my IP address is NOT the IP address that's been blocked. (You got admin tools, you can see it in my profile!)

Here's one --

> Thank you for contacting Proofpoint's IP Reputation department

> via our website.

> We have received a number of spam messages from

> 216.154.195.49,

> and this is why your IP address has been added to our block list.

I wrote back saying that the spam was not from my address, they responded:

> In short, we shall not be removing this IP address from

> our list(s) at the present moment in time, as your

> current issue is still in need of a definitive resolution

So I turned that one over to legal.

THEN :

> Please note that this IP address is currently listed on

> (at least) 1 other blacklist (please see either

> http://www.mxtoolbox.com/SuperTool.aspx?ac...a216.154.195.49

> or

> http://www.robtex.com/ip/216.154.195.49.html#blacklists

> for further details).

>

I also think AOL is blocking -- AOL users don't get the mail,

and GoDaddy users.

So now I'm really depressed and frustrated ... I've relied on this address for a dozen years, and, according to Knujon, have reported over 15,000 unique spammer's addresses in the last year alone.

NOW here's what I cannot figure out . . .

here's what they said was the reason I'm blocked :

>----------------------------

> Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])

> by DELETED with ESMTP id DELETED

> (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT)

> for <DELETED>; Wed, 05 Sep 2012 03:28:01 -0400

> Received: from unknown (HELO smtprelay1.cesmail.net) ([192.168.1.111])

> by c60.cesmail.net with ESMTP; 05 Sep 2012 03:27:26 -0400

> Received: from User (198-101-205-111.static.cloud-ips.com [198.101.205.111])

> by smtprelay1.cesmail.net (Postfix) with ESMTPA id DELETED;

> Wed, 5 Sep 2012 03:10:18 -0400 (EDT)

> Reply-To: <barr_evansthomas4[at]yahoo.co.jp>

> From: "Barrister Evans Thomas"<barr_evansthomas[at]yahoo.co.jp>

> Subject: With Due Respect

> Date: Wed, 5 Sep 2012 07:10:22 -0000

> X-Mailer: Microsoft Outlook Express 6.00.2600.0000

> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000

> Message-Id: DELETED

> To: DELETED

>

Yet here's a sample of the mail I'm testing with friends

to try and sniff out the problems ...

> Received: from unknown (HELO epsilon2) ([192.168.1.60])

> by c60.cesmail.net with ESMTP; 06 Sep 2012 08:39:35 -0400

> Received: from unknown (HELO epsilon2) ([192.168.1.60])

> by c60.cesmail.net with ESMTP; 06 Sep 2012 08:39:35 -0400

> Received: from pool-72-66-230-57.ronkva.east.verizon.net

> (pool-72-66-230-57.ronkva.east.verizon.net [72.66.230.57]) by

> webmail.spamcop.net (Horde MIME library) with HTTP;

> hu, 06 Sep 2012 08:39:35 -0400

> Date: Thu, 06 Sep 2012 08:39:35 -0400

> From: showker[at]spamcop.net

> To: Z Han <zbea[at]mac.com>

> Subject: RE: Mystery

> MIME-Version: 1.0

> Content-Disposition: inline

> Content-Transfer-Encoding: 7bit

> User-Agent: Internet Messaging Program (IMP) H3 (4.1.4)

NOTE: the '216' blocked IP is NOT in the header. What's that mean???

AOL is not sending bounce messages.

But the recipient didn't get the email.

GoDaddy hosted web site addresses didn't send bounces either,

But the recipient didn't get the email.

I've contacted the other two lists mentioned by Proofpoint,

but no response.

NOTE : the "robtex.com" one is using a WhoIS masking service,

and that raises a few flags too!

:-(
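An added example (not part of the original posts): a Python sketch that walks the Received chains of the two header samples quoted above, oldest hop first, to show where each message entered the cesmail.net system. The header text is copied from the thread with its DELETED placeholders; the function names are illustrative, and the `with` keywords treated as authenticated are the ones registered in RFC 3848.

```python
import ipaddress
import re
from email import message_from_string

# Header excerpts copied from the two samples quoted in the thread
# (DELETED placeholders kept as posted).
SPAM_SAMPLE = """\
Received: from c60.cesmail.net (c60.cesmail.net [216.154.195.49])
 by DELETED with ESMTP id DELETED
 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT)
 for <DELETED>; Wed, 05 Sep 2012 03:28:01 -0400
Received: from unknown (HELO smtprelay1.cesmail.net) ([192.168.1.111])
 by c60.cesmail.net with ESMTP; 05 Sep 2012 03:27:26 -0400
Received: from User (198-101-205-111.static.cloud-ips.com [198.101.205.111])
 by smtprelay1.cesmail.net (Postfix) with ESMTPA id DELETED;
 Wed, 5 Sep 2012 03:10:18 -0400 (EDT)
Subject: With Due Respect

"""
TEST_SAMPLE = """\
Received: from unknown (HELO epsilon2) ([192.168.1.60])
 by c60.cesmail.net with ESMTP; 06 Sep 2012 08:39:35 -0400
Received: from pool-72-66-230-57.ronkva.east.verizon.net
 (pool-72-66-230-57.ronkva.east.verizon.net [72.66.230.57]) by
 webmail.spamcop.net (Horde MIME library) with HTTP;
 Thu, 06 Sep 2012 08:39:35 -0400
Subject: RE: Mystery

"""

# "with" keywords that mean the client authenticated (RFC 3848).
AUTHENTICATED = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def hops(raw):
    """Return the Received chain oldest-first as a list of dicts."""
    out = []
    for value in message_from_string(raw).get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        from_part, _, rest = text.partition(" by ")
        ip = IP_RE.search(from_part)            # address the receiver recorded
        proto = re.search(r"\bwith\s+([A-Za-z]+)", rest)
        out.append({
            "client_ip": ip.group(1) if ip else None,
            "by": rest.split()[0] if rest else None,
            "with": proto.group(1).upper() if proto else None,
        })
    return out[::-1]                            # headers are stored newest-first


def submission(raw):
    """Describe the oldest hop: how the message first entered the system."""
    first = hops(raw)[0]
    return {**first, "authenticated": first["with"] in AUTHENTICATED}


def public_ips(raw):
    """Public client addresses recorded anywhere in the chain."""
    ips = (h["client_ip"] for h in hops(raw) if h["client_ip"])
    return {ip for ip in ips if not ipaddress.ip_address(ip).is_private}


if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("test", TEST_SAMPLE)):
        print(name, submission(raw), sorted(public_ips(raw)))
```

In the spam sample the oldest hop is an authenticated SMTP submission from 198.101.205.111, while the test message entered over HTTP through webmail. 216.154.195.49 is recorded only in the line stamped by the receiving server, and the test excerpt stops at c60.cesmail.net, before any such line.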


Now it's getting really crazy . . .

I went in to change my password ... not finding that in the HORDE interface, I went to www.spamcop.net to read the docs to find out how to change the password.

So I did a SEARCH in the HELP section ...

here's the response GOOGLE SENT :

> GOOGLE : We're sorry...

>

> ... but your computer or network may be sending automated queries.

> To protect our users, we can't process your request right now.

> See Google Help for more information.

Someone else go there and try the SEARCH mechanism and

see if Google sends YOU the same response.


...

On YOUR forum ERROR REPLY there are FOUR "remedy" links ... one of them is : "...START ANOTHER ACCOUNT" ... if that's a no-no, then you shouldn't be telling users to do that as a remedy to getting blocked. ...

Fred, in all the long history of this forum you are undoubtedly unique in having (presently) two current and one banned accounts. That advice is for those with banned accounts only. It used to be that the majority of banned accounts were started by those who had not completed registration (hadn't responded to their confirmation e-mails). If registration is not completed within a certain period, the account is banned. If they try to access the account after that time, the advice is valid - get another account (and complete all the steps) if you want to participate. One part left out - they would need another registration e-mail address. The same address cannot be used for two accounts, even if one is banned.

...

OR (under some circumstances) your posting IP-address is abuse-filtered or, ditto, your forum e-mail registration address.

I don't understand that. The IP address being blocked by two entities is not MY machine/provider address... but one somewhere else. ...

In addition to banning (=minimal privileges) FORUM membership can be blocked by IP address/range and/or e-mail address or domain. None of that blocking (IP/domain) applies to any of your FORUM accounts. What is happening to your access elsewhere on the internet is a different thing, from what you say.

...
None of which is the case with either of your current forum accounts. Your previous "duplicate" forum account, ugnn, was banned back in 2008 by the looks.

I don't understand this. I've used the UGN many times here since 2008. I don't even remember any problems in 2008 -- what they were about or what -- to my recollection I've never done anything to get banned here. ...

Trust me, that account has not been used to post here since it was banned and having two current accounts is reason enough for one of them to be banned. It must be getting confusing - I haven't named your other current account (the third one which was your first forum account), the one that you must choose between and the one you are using now. Covered in PM to you. When you log in to read that, you will note I have provided link profiles for all three which might help you. You have to be logged in to see those.

...How can I see what "Wazoo" told me when the UGNN account was banned, and why it was banned. How do I find that? I really don't remember that episode, although you're right -- I've been slammed by spammers many times. ...
That confirmation was sent to the registered e-mail address for that account. Water under the bridge now (e-mail addresses are protected) but I can publicly confirm it was to the same domain as that used for this current (photoshop911) registration.

Now it's getting really crazy . . .

I went in to change my password ... not finding that in the HORDE interface, I went to www.spamcop.net to read the docs to find out how to change the password.

So I did a SEARCH in the HELP section ...

here's the response GOOGLE SENT :

> GOOGLE : We're sorry...

>

> ... but your computer or network may be sending automated queries.

> To protect our users, we can't process your request right now.

> See Google Help for more information.

Someone else go there and try the SEARCH mechanism and

see if Google sends YOU the same response.

Fred, on all pages there are TWO search links/boxes, on some there are THREE. Only one of them is Google-driven. Try another, if you will. But surely, once you log in through http://webmail.spamcop.net/horde/imp/login.php you can get to your account maintenance area? Maybe enter through http://www.cesmail.net/? Some-one, another SC mail user, help! Any detailed instruction on e-mail account maintenance will probably be on-line in the e-mail pages, rather than the FAQs which are heavily slanted towards the parsing and reporting system.

The Google thing - yes I've seen that before (very occasionally) but not right now. If it persists for you it will be cause for concern, perhaps indicating more might be happening on "your" network than meets the eye. You are, after all, using a dynamically-allocated IP address here, goodness alone knows what its "history" might be. I see a few hits for it on http://multirbl.valli.org/dnsbl-lookup but nothing very alarming.


No bother Fred. Your e-mail account is quite separate from your forum accounts except to the extent it is used as a registered address for a forum account - and for your reporting account since I gather you have the "integrated" e-mail and reporting subscription. That is, it is linked to three accounts: e-mail, forum and reporting. Passwords for all/any of the three can be changed (by you) independently.

This photoshop911 forum account will shortly be banned but you can continue posting with your remaining one (in accordance with your preference), which we should now confirm, so everyone can keep track, is showker. You don't have to change any of the passwords of any of the accounts as a consequence of this. Only change any password when you want to, when you're ready, for security assurance or if you have evidence that an account has been "hacked".

Of course there will be no point in logging in to your photoshop911 or ugnn banned accounts in future since they have even fewer permissions than an un-logged guest/visitor. By policy, banned accounts don't get deleted, they remain in the system.

Okay, off to emasculate photoshop911 now, continue as showker, once I figure out how to send e-mails to both registered addresses - as said I'm not the administrator here, just the pale shadow of one.


No need... I got the emails and everything's cool . . . why not just DELETE those accounts, rather than banning?

Now, back to the battle of getting my name whitelisted in the various lists. Had email this morning from Proofpoint saying they removed me from their blacklist.

thanks for all the help.

Fred

Fred Showker, Editor/Publisher

DT&G Magazine --

TWENTY YEARS ONLINE : published digitally since 1988

---------------------------------------------------------------------------

* The Design & Publishing Center <http://www.graphic-design.com/>

* User Group Info Manager ...... <http://www.uugnn.com>

Co-Editor of Weekly online column since 1994

* Photoshop 911 ................ <http://www.photoshop911.com/>

---------------------------------------------------------------------------


Archived

This topic is now archived and is closed to further replies.
