kris

no longer changing my email in headers to x


Several more using the trick that lets the SpamCop userid survive the reporting process


https://www.spamcop.net/sc?id=z6243949949zed0edf63d87569cdf37704de86058fcbz

In the example from the above report, [xyz] replaces my SpamCop userid:

Content-Type: application/x-compressed; name="invitation_[xyz].zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invitation_[xyz].zip"


The spam using the "userid.zip" attachment trick to preserve the reporter userid through Spamcop's report obfuscation is now improved so it's also evading my local ISP's spam filter (which looks things up at Spamcop).

 

I used to be reporting that stuff out of the graymail folder. Now I'm reporting it out of the Inbox at my ISP (the one where Spamcop forwards all my 'user[at]spamcop' email, which is now almost entirely spam).

What puzzles me is why doesn't Spamcop use Spamcop to filter crap into graymail? 

Anyhow, the new 'userid.zip' anti-obfuscation trick is saved for Spamcop's attention at

https://www.spamcop.net/sc?id=z6244386794z19a0257e60911b5702b8b9e4b6c16597z


Three more for the collection, in hopes someone reading this knows if SpamCop has opened a bug report for this spammer workaround.

These are all from spam that got past the usually effective graymail system at my ISP, by the way (which does rely on SpamCop) -- more of them every day.

PROBLEM IS: 

[SpamCop userid].zip is included in the spam and survives in automatically generated SpamCop report:

https://www.spamcop.net/sc?id=z6244979018z74cbd37c9494cc9a1f81dedf5023d628z
https://www.spamcop.net/sc?id=z6244979599z97c9f40baee05ebe3a18a4227d52c9a8z
https://www.spamcop.net/sc?id=z6244979678zff7939c4ac7fa223b1d5f244909c81b4z

______________

EXAMPLE FROM spam

Content-Type: application/octet-stream; name="changes_[SpamCop userid].zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="changes_[SpamCop userid].zip"


Oh, well, from the advanced preferences page:

"It has become painfully obvious that spammers are able to identify your email address by using tracking codes - even after SpamCop's attempts to munge them. It has also become plain that even the largest and most well-respected ISPs forward complaints intact to the accused....."

Anyone know more about these "tracking codes"?


A tracking code could be anything returned to, in this case, the spammer.  I would venture to say every mass emailer uses them, so there is lots of information available. Tracking codes are how websites keep track of which pages you visit so they can customize your experience. Tracking codes can be used so that the emailer knows if you open (and we assume) read an email. Codes can be included in links to know "it was you" that clicked on a link.  Lots of information available, try Google.

By including unique information somewhere in the email, the report which includes the spam, could tell the spammer who received the reported email (spam). For example a hidden 8 digit number could be the sequence # telling them which email address in their file is involved.

This is why I don't bother. It may seem odd to some but until the volume of spam comes close to DOS, sending spam to my domain is fine. All the directory attacks just feed the block lists.  Over the years "Bob" has gotten lots and lots of emails (spam). The stuff that makes it through is easily handled. When I have time I sort the spam (Rx, stock Scam, phishing, fake merchandise, job offers, sw piracy).  When I don't have time, I just report it all.  If I have even less time, the spam just goes on the floor.

And yes I have had 2 (I think) DOS attacks, several thousand emails an hour for several hours. Different strokes for different folks.

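As an added example (not code from the post above and not anything SpamCop publishes), the script below scans an HTML mail body for the two kinds of tracking artifact Lking describes: "invisible" 1x1 beacon images whose URL carries a per-recipient number, and opaque identifiers in link query strings that tell the sender "it was you" who clicked. The sample HTML, the hostnames and the token-length thresholds are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Constructed sample HTML body (not from the thread): a visible logo, a plain
# campaign link, a 1x1 "open" beacon carrying a per-recipient number, and an
# unsubscribe link carrying an opaque hex token. All hosts are fictitious.
SAMPLE_HTML = """\
<html><body>
<img src="http://example.invalid/logo.png" width="120" height="40">
<p>Great offer! <a href="http://example.invalid/buy?ref=summer">Click here</a></p>
<img src="http://example.invalid/open.gif?id=48213977" width="1" height="1">
<p><a href="http://example.invalid/unsub?u=8f3a9c21d7e4b065">unsubscribe</a></p>
</body></html>
"""


class _TagCollector(HTMLParser):
    """Collect <img> sources with their declared size and <a> targets."""

    def __init__(self):
        super().__init__()
        self.images = []   # (src, width, height)
        self.links = []    # href

    def handle_starttag(self, tag, attrs):
        a = {k: v for k, v in attrs if v is not None}
        if tag == "img" and "src" in a:
            self.images.append((a["src"], a.get("width"), a.get("height")))
        elif tag == "a" and "href" in a:
            self.links.append(a["href"])


def _is_beacon_dimension(value):
    """True for a width/height of 0 or 1, with or without a 'px' suffix."""
    return value is not None and value.strip().lower().rstrip("px") in ("0", "1")


def opaque_tokens(url, min_digits=7, min_alnum=16):
    """Query parameters whose value looks like a per-recipient identifier.

    The thresholds are assumptions for this example: a run of at least
    min_digits digits (a sequence number into the sender's list) or at least
    min_alnum URL-safe characters containing a digit (a hash or encrypted id).
    Returns (parameter name, value) pairs.
    """
    found = []
    for key, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        if re.fullmatch(r"\d{%d,}" % min_digits, value):
            found.append((key, value))
        elif re.fullmatch(r"[A-Za-z0-9_-]{%d,}" % min_alnum, value) and re.search(r"\d", value):
            found.append((key, value))
    return found


def find_tracking(html):
    """Return beacon image URLs and (url, key, value) tokens from img/a URLs."""
    collector = _TagCollector()
    collector.feed(html)
    beacons = [src for src, w, h in collector.images
               if _is_beacon_dimension(w) and _is_beacon_dimension(h)]
    tokens = []
    for url in [src for src, _, _ in collector.images] + collector.links:
        for key, value in opaque_tokens(url):
            tokens.append((url, key, value))
    return {"beacons": beacons, "tokens": tokens}


if __name__ == "__main__":
    for kind, items in find_tracking(SAMPLE_HTML).items():
        print(kind)
        for item in items:
            print("  ", item)
```

The heuristics are deliberately loose: a beacon can also be sized with CSS rather than attributes, and a token can be split across path segments instead of the query string, so treat a clean result as "nothing obvious" rather than "no tracking".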
On 05/06/2016 at 8:07 AM, Lking said:

A tracking code could be anything returned to, in this case, the spammer.  I would venture to say every mass emailer uses them, so there is lots of information available. Tracking codes are how websites keep track of which pages you visit so they can customize your experience. Tracking codes can be used so that the emailer knows if you open (and we assume) read an email. Codes can be included in links to know "it was you" that clicked on a link.  Lots of information available, try Google.

By including unique information somewhere in the email, the report which includes the spam, could tell the spammer who received the reported email (spam). For example a hidden 8 digit number could be the sequence # telling them which email address in their file is involved.

This is why I don't bother. It may seem odd to some but until the volume of spam comes close to DOS, sending spam to my domain is fine. All the directory attacks just feed the block lists.  Over the years "Bob" has gotten lots and lots of emails (spam). The stuff that makes it through is easily handled. When I have time I sort the spam (Rx, stock Scam, phishing, fake merchandise, job offers, sw piracy).  When I don't have time, I just report it all.  If I have even less time, the spam just goes on the floor.

And yes I have had 2 (I think) DOS attacks, several thousand emails an hour for several hours. Different strokes for different folks.

On 05/06/2016 at 5:50 AM, hank said:

Oh, well, from the advanced preferences page:

"It has become painfully obvious that spammers are able to identify your email address by using tracking codes - even after SpamCop's attempts to munge them. It has also become plain that even the largest and most well-respected ISPs forward complaints intact to the accused....."

Anyone know more about these "tracking codes"?

There was no tracking code in the message.
Tracking codes are "invisible" images in HTML mail which have unique numbers assigned to your email address.
Sometimes there is a unique code in the spam.
Your email address has been found either by dictionary attack or one of your friends has a compromised computer.
https://www.spamcop.net/sc?id=z6246114078z8e6c38330124db76fbfb0ff051dcf1afz
14.189.154.196 is an open proxy meaning it's a Botnet attack host.
http://www.abuseat.org/lookup.cgi?ip=14.189.154.196

IP Address 14.189.154.196 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2016-06-05 07:00 GMT (+/- 30 minutes), approximately 17 hours, 30 minutes ago.

This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.
TO REMOVE INFECTION
Norton Power Eraser is a Windows free tool and doesn't require installation. It just needs to be downloaded and run.
https://security.symantec.com/nbrt/npe.aspx

VN seems to have a lot of Botnet infections (meaning clients have compromised computers in the control of criminals).
The ISP needs to contact their customer, have them do a Malware scan and change their log-on to a more secure password!


In the copies of the headers of spam received by me, sent to the administrators of the spammer accounts, I see my email address properly munged out (showing the proper <X>'s in place of my address) in the usual places, but I'm also seeing my full email address (with the @ replaced by =) in the "Return-path" linkages and in the "unsubscribe" linkages. This defeats the purpose of munging out my email address at all. That the <X>'s show up says the munging process is going on, but that the full email address with just the @ changed to = says the munge is incomplete. Should really munge the (    )@(    ) both parts separately. I know, and have sort of suspected, the SPAMMERS probably have or could have encoded the address into the MANY OBFUSCATION STRINGS already present in the spam emails, but why make it easy on them to just leave it out there for them to grasp as they please, like just plucking your prize roses.

It certainly gets ME off their lists, but does Nuttin' to stop them from the spamming they are doing to others. Of course, they could also send my address to other spammers on a list of, "Caution, this guy's an active SpamCop member, don't spam him or he'll get ya blocklisted...." Cool For Me, but as the "Soup Nazi" on the Seinfeld comedy says, "No Soup For You!!!" Sorry.

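As an added example, not anything SpamCop publishes, the script below reproduces the gap described in the "userid.zip" posts earlier in the thread and in the post just above: a redactor that replaces only the literal address leaves the same identity behind when it is spelled user=domain in Return-Path or an unsubscribe URL, or appears as a bare userid inside an attachment filename. The sample message, the address reporter42@spamcop.net and the hostnames are constructed; the minimum-userid-length guard in identity_patterns() is an assumption of this example.

```python
import re

# Constructed sample (not a message from the thread): a raw spam in which the
# reporter's address, here the hypothetical "reporter42@spamcop.net", appears
# verbatim in To:, with '@' rewritten as '=' in Return-Path and in an
# unsubscribe URL, and as a bare userid baked into an attachment filename.
SAMPLE_ADDRESS = "reporter42@spamcop.net"
SAMPLE_SPAM = """\
Return-Path: <bounce-reporter42=spamcop.net@example.invalid>
From: "Invoices" <billing@example.invalid>
To: <reporter42@spamcop.net>
Subject: Your invitation
List-Unsubscribe: <http://example.invalid/u?e=reporter42=spamcop.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="changes_reporter42.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="changes_reporter42.zip"

UEsDBAoAAAAAAA==
--b1--
"""


def identity_patterns(address, min_userid_len=6):
    """Regexes for the ways a recipient address can be spelled in a message.

    The bare-userid pattern is only produced for userids of at least
    min_userid_len characters (an assumed threshold): a short or
    dictionary-word local part such as "bob" would also redact unrelated
    text, so a human has to judge those cases.
    """
    local, domain = address.split("@", 1)
    esc_local, esc_domain = re.escape(local), re.escape(domain)
    pats = {
        "literal": re.compile(esc_local + "@" + esc_domain, re.I),
        "equals": re.compile(esc_local + "=" + esc_domain, re.I),
        "urlencoded": re.compile(esc_local + "%40" + esc_domain, re.I),
    }
    if len(local) >= min_userid_len:
        pats["bare_userid"] = re.compile(
            r"(?<![A-Za-z0-9])" + esc_local + r"(?![A-Za-z0-9])", re.I)
    return pats


def find_leaks(raw, address):
    """Sorted names of the spellings of `address` still present in `raw`."""
    return sorted(n for n, p in identity_patterns(address).items() if p.search(raw))


def naive_munge(raw, address):
    """First-cut redaction: replace only the literal user@domain string."""
    return raw.replace(address, "x")


def thorough_munge(raw, address):
    """Redact every spelling from identity_patterns(). The full forms go
    first so the bare-userid pass only sees what the earlier passes left."""
    pats = identity_patterns(address)
    out = raw
    for name in ("literal", "equals", "urlencoded", "bare_userid"):
        pat = pats.get(name)
        if pat is not None:
            out = pat.sub("x", out)
    return out


if __name__ == "__main__":
    print("before:", find_leaks(SAMPLE_SPAM, SAMPLE_ADDRESS))
    print("naive: ", find_leaks(naive_munge(SAMPLE_SPAM, SAMPLE_ADDRESS), SAMPLE_ADDRESS))
    print("full:  ", find_leaks(thorough_munge(SAMPLE_SPAM, SAMPLE_ADDRESS), SAMPLE_ADDRESS))
```

Even the thorough pass only catches spellings it knows about; a sender who encodes the address or a list index inside an opaque token, as the post above suspects, defeats any string replacement, which is why the only safe assumption is that a forwarded report can identify its reporter.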

Yeah, I gather Spamcop has given up on really hiding the identity of people reporting.

And the spammers are happy to spam addresses@spamcop

and Spamcop is, I think, the only mail account I have that doesn't filter identifiable crap into a graymail folder.

I see lines like "ID:" plus the "unsubscribe" links with apparently unique alphanumeric strings in them

Seems like the more spam I report, the more I get.

The people who bought Spamcop seem to have a business model I'm less and less happy with supporting.

What's "gamut spam"?  Someone mentioned earlier that "gamut spam" doesn't get worse if they can ID the reporter, I think.

??


Google is your friend.


Google wasn't finding anything useful when I tried it, that's why I asked here.  Still doesn't.

I get 37 results quoting the string "gamut spam" none particularly helpful.

How do you identify "gamut spam" and how do you tell there's no worry about identifying the reporter of "gamut spam"?

I see it's from a "Gamut BOT infection"
www.bleepingcomputer.com/forums/t/528236/gamut-bot-infection-cbl-blacklisted/
Mar 21, 2014 - Our mail server has been blacklisted for Gamut BOT infection (simple spam bot thats spams on smtp port). The server is running Windows ...

--------end sample--------

On 6/13/2016 at 8:18 AM, hank said:

What's "gamut spam"?  Someone mentioned earlier that "gamut spam" doesn't get worse if they can ID the reporter, I think.

??

Your question was "What is gamut spam?" As your last post would indicate, Google did answer that question.

I was not able to divine your other questions. I have been divorced several times, so it is well documented that I cannot read minds.


It was Richard W (also an admin) on May 4th who told me here

Quote

... this does look to be gamut spam, so the reports are not going back to the spammer/bot operator.  But it is a door we need to get closed again.

Richard

I'm wondering how one can identify "gamut spam" to know the reports aren't going back to the spammer.

Honest, I've tried to find the answer elsewhere.

Don't worry about replying if you can't answer.   I know lots of people who can't answer that, I've tried to ask around.

I'm leaving the question here hoping to attract the attention -- eventually -- of someone who can answer.

To repeat:  how to tell which spam reports are not going to go back to the spammer, so editing out personally identifiable info isn't a problem.

2 hours ago, hank said:

To repeat:  how to tell which spam reports are not going to go back to the spammer, so editing out personally identifiable info isn't a problem.

I don't think there's any way of determining that.


Maybe Richard W will revisit this at some point and be able to explain what he meant.

Patience.
