
This particular spam won't stop


Carl-L


For weeks now I've been receiving one particular piece of spam advertising "Save up to 80% on ED drugs" at the top, and "Any item priced less than $2.18 a pop" at the bottom, with the usual camouflage-spelled Cialis, Viagra, Levitra in the middle.

Always the same format... a tri-colored box (colors differ). Curiously, only once or twice have they had a validly formatted contact website! I must have reported 3 or 4 dozen of these. Once they reportedly came from India, sometimes I see a chinanet address in there somewhere.

Any way to stop these? They're getting past the SpamCop filters and X-spam (which is, I believe, a Bellsouth filter).


No Tracking URL provided, so not much that can be offered for specifics.

"The SpamCop filters" is kind of nebulous, considering there are a number of configuration settings available.

Best guess, you're like everyone else, and that spam is coming in via compromised end-user systems, usually connected to high-speed Cable/DSL connections ... extend this to encompass the SpamCopDNSBL, blocking there won't occur until enough reports on that specific IP address are accumulated .. and perhaps your 'address' is towards the top of the spew recipient list that your pet spammer is using, such that your complaints only serve to possibly stop the flow for the 80,000 other users that are further down that address list ...??? Again, just pulling stuff out of the air here ....


If the source(s) of the spam are, indeed, overseas (I am assuming you are in North America), you might consider trying a solution that works well for me: block all email that sources outside North America (based on IP address). I have been doing this for several years now, and it traps/eliminates 70-80 percent of spam.

Obviously, this solution will not work for everyone. In my case, I do not have any legitimate communication with anyone overseas, therefore any email sourced from an overseas server is spam. I therefore only receive/filter/report spam from North American servers (about 70 percent of it from Comcast). Since reporting spam to (most) overseas server operators is pointless (few will do anything about it), there is no net loss and such spam as I do report is more likely to be acted on.

I actually block IP ranges rather than individual addresses. Basically, anything registered under APNIC, LACNIC, or RIPE goes into the bit bucket.

Just a thought.


Quoting bellsouth.net, Apr 29 2005, 06:26 PM:

For weeks now I've been receiving one particular piece of spam advertising "Save up to 80% on ED drugs" at the top, and "Any item priced less than $2.18 a pop" at the bottom, with the usual camouflage-spelled Cialis, Viagra, Levitra in the middle.

Always the same format... a tri-colored box (colors differ). Curiously, only once or twice have they had a validly formatted contact website! I must have reported 3 or 4 dozen of these. Once they reportedly came from India, sometimes I see a chinanet address in there somewhere.

[quoted from post 27412]

...Please forgive me if I'm telling you something you already know (but I think at least it might clarify things for casual visitors) but although these multiple copies of spam all look pretty much the same, to SpamCop they are different because they came from different IP addresses and/or at different times.

If the source(s) of the spam are, indeed, overseas (I am assuming you are in North America), you might consider trying a solution that works well for me: block all email that sources outside North America (based on IP address). I have been doing this for several years now, and it traps/eliminates 70-80 percent of spam.

<snip>

I actually block IP ranges rather than individual addresses. Basically, anything registered under APNIC, LACNIC, or RIPE goes into the bit bucket.

[quoted from post 27416]

...Sounds a lot like the "blackholes" block lists. :) <g>

... Since reporting spam to (most) overseas server operators is pointless (few will do anything about it), there is no net loss and such spam as I do report is more likely to be acted on. ...

[quoted from post 27416]

I receive spam more rarely from the same ip address across the pond than here in the US.

Comcast customers are the most frequent repeat offenders.

Maybe Asian ISPs have more "dynamic" ip addresses???

Websites hosted in china seem to be the least likely to be terminated tho. :(


I do not block individual IP addresses, I block entire IP *ranges* for overseas servers. For example, I block the entire range (i.e. all IP addresses) 193.0.0.0 - 193.255.255.255, which is registered under RIPE. Since I receive no legitimate email from anyone on a server registered under RIPE (or APNIC or LACNIC), all email from those IP ranges is spam.

Typically, the ratio of spam I receive vs. those trapped by the preceding is around 30:70--for every 100 spam received, 30 are from domestic (North American) servers, 70 from overseas, so, I only see/report the 30. Of the thirty, sometimes up to 3/4 come from Comcast servers. I am toying with blocking all Comcast-sourced mail and auto-replying with a bounce message that tells legitimate senders the reason their mail will not be accepted. I know, bad idea, but I still like to think about it.


It seems as though you can't reject email at the server level so it would be a bad idea to send an automatic email to Comcast customers.

It would be a little more work, but couldn't you direct all Comcast email to one place and then send a canned reply to each legitimate email you find? I once did send an email to all Comcast acquaintances telling them that all the porn spam I received came from Comcast servers. Don't think it did any good. However, if it is email that you would respond to, you could always include a paragraph about how email from Comcast is usually not legitimate and that if they don't receive an answer from you, that it is because their email was overlooked in all the spam from Comcast. Maybe they will get the hint.

Miss Betsy


Actually, that would be quite easy (at least the redirect part) since legitimate Comcast mail would have Comcast.net in the FROM field. Spam sent through Comcast servers always has a forged FROM field.


Actually, that would be quite easy (at least the redirect part) since legitimate Comcast mail would have Comcast.net in the FROM field. Spam sent through Comcast servers always has a forged FROM field.

[quoted from post 27473]

This sounds a bit like using SPF (Sender Policy Framework).

Andrew

p.s. I'm not an advocate for SPF :-)


This discussion is getting too technical for me possibly.

My impression from the first post was that the poster did not have access to a server because he knew that sending an automatic 'bounce' message was not a good idea which means he would be sending a 'bounce' email not rejecting.

I thought that 'redirect' had to do with computers sending email to other computers not to do filtering after receiving the email in some kind of email reader (which is what I was suggesting).

It would be quite easy to filter out the legitimate comcast emails (if your email reader can do that & I think that Mailwasher can filter on domain name). And to have a canned paragraph condemning comcast for sending so much spam that you added to every comcast email reply.

If he has a server, then there is no problem at all since the message goes back to the computer that sent it, not the forged address. If it is a legitimate email, the person gets a message. If it is not, then I am not sure what happens. It probably disappears since the receiving computer is not set up to receive email. Anyway, it seems from previous discussions that it isn't a bad practice to reject email from open proxies.

Miss Betsy


Most of the other broadband ISPs in the US seem to have gotten more control of their outgoing spew...except for Comcast. They've done that by restricting outgoing SMTP traffic from their customers, only allowing them to connect to the official SMTP servers of the ISP. I wonder when Comcast is going to get a clue?

Edit:

I see that Comcast made a big deal about it over a year ago. Here's a link to an InfoWorld article:

http://www.infoworld.com/article/04/03/09/...castspam_1.html

Also, when looking at SenderBase results on my own provider, Cox, I see that they're far from 100% successful in blocking outbound spam from their broadband users. Here's a link:

http://www.senderbase.org/?searchString=co...searchBy=domain

The alphanumeric hostnames of home users start with "ip" -- I'm not sure what all those machines are that start with "wsip."

DT


Most of the other broadband ISPs in the US seem to have gotten more control of their outgoing spew...except for Comcast. They've done that by restricting outgoing SMTP traffic from their customers, only allowing them to connect to the official SMTP servers of the ISP. I wonder when Comcast is going to get a clue?

[quoted from post 27481]

That does, sadly, seem to be one of the only effective approaches offered for infected ADSL users whose machines start spewing.

It isn't always helpful for those who travel a lot. I have my own SMTP server which I use with my laptop configured to let just me in, which means I can use it from wherever I am in the world without the inconvenience of reconfiguring for each and every connection I make.

Using webmail isn't a very attractive option for my own needs, so blocking access to other SMTP servers provides a distinct inconvenience, but I fear it may be one I'll gradually be forced to accept. :unsure:

Andrew


[...]

Using webmail isn't a very attractive option for my own needs, so blocking access to other SMTP servers provides a distinct inconvenience, but I fear it may be one I'll gradually be forced to accept.

Andrew

[quoted from post 27487]

Gmail (Google mail) now offers an SMTP passworded server accessible from anywhere on the net, so anyone with a reasonably up-to-date mail client can do what you do - no need to use webmail, and also handy when your ISP's standard server is on a blocklist.


also handy when your ISP's standard server is on a blocklist.

Yes, but unfortunately, the GMail servers are making frequent appearances on SpamCop's Blocking List due to nonstandard headers. When a GMail user sends mail using the web interface, the originating IP isn't in the headers, so the GMail server is seen as the source of the mail and winds up getting blocked. This is only tangential to the subject, but I thought I'd mention it.

DT


Too bad for some of us, it's not so simple to block entire countries or all foreign e-mail. As an ISP or international business, that isn't an option.

I am wondering if the spam is sent from zombies perhaps? Or could be dynamic IPs as well? That would make it harder to block, especially if they are sending from a large number of IP addresses.

In these situations, a blacklist alone is not the answer. You will need additional filtering on your e-mail account to snag the ones who make it past the blacklist.


Too bad for some of us, it's not so simple to block entire countries or all foreign e-mail. As an ISP or international business, that isn't an option.

[quoted from post 27625]

...Sure would be nice to have the capability to block entire countries "except for <whitelist>," wouldn't it?

I am wondering if the spam is sent from zombies perhaps? Or could be dynamic IPs as well? That would make it harder to block, especially if they are sending from a large number of IP addresses.

[quoted from post 27625]

...Now I may be wrong, but I could have sworn I've seen references to people using lists of dynamic IPs for blocking....

In these situations, a blacklist alone is not the answer. You will need additional filtering on your e-mail account to snag the ones who make it past the blacklist.

[quoted from post 27625]

...If you use a good blocking list (or combination of lists), they should do a good enough job that the spam making it past them would be sufficiently small as to require little effort to handle (store, optionally report, and delete).


Now I may be wrong, but I could have sworn I've seen references to people using lists of dynamic IPs for blocking

[quoted from post 27626]

ISPs probably do that more than people do, but that's the whole reason that the DUL and other lists of dynamic addresses are used - to block unwanted email from dynamic addresses of systems that should be sending through their ISPs.

...Sure would be nice to have the capability to block entire countries "except for <whitelist>," wouldn't it?...Now I may be wrong, but I could have sworn I've seen references to people using lists of dynamic IPs for blocking.......If you use a good blocking list (or combination of lists), they should do a good enough job that the spam making it past them would be sufficiently small as to require little effort to handle (store, optionally report, and delete).

[quoted from post 27626]

Rather than use published lists, I maintain my own. Here's how I do it:

1. Block all email from non-North American IP addresses.

2. Allow through emails with comcast.net and rr.com in the FROM field.

3. Block all email from comcast.net and rr.com IP addresses that does NOT have comcast.net or rr.com in the FROM field.

This reduces my spam volume by about 90 percent. Whatever gets through, I report. I long ago concluded that reporting to Comcast and RoadRunner is futile.
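The three rules above as a small policy function, written as an added example and not the poster's own setup. All ranges other than the 193.0.0.0/8 block named earlier in the thread are constructed documentation-space placeholders; a real deployment would fill them from the registry allocations the poster refers to.

```python
import ipaddress

# Added example of the three-rule policy described in the post above; not the
# poster's configuration. Ranges marked "constructed" are placeholders.

# Rule 1: address space treated as outside North America. 193.0.0.0/8 is the
# RIPE-registered block the poster names; 203.0.113.0/24 is constructed filler.
FOREIGN_RANGES = [ipaddress.ip_network("193.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]

# Rules 2 and 3: mail from these ISPs' address space is accepted only when
# the From: domain matches the ISP. Both ranges are constructed placeholders.
ISP_RANGES = {
    "comcast.net": [ipaddress.ip_network("198.51.100.0/24")],
    "rr.com": [ipaddress.ip_network("192.0.2.0/24")],
}

def from_domain(from_header):
    """Lower-cased domain of the address in a From: header value."""
    addr = from_header
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    return addr.rpartition("@")[2].strip().lower()

def in_any(ip, networks):
    return any(ip in net for net in networks)

def classify(sender_ip, from_header):
    """Decide what to do with a message, given the IP that delivered it
    (taken from the last trustworthy Received: header) and its From: value.

    Returns "block", "hold" or "allow". "hold" stands for the holding area
    the poster later mentions using instead of discarding outright."""
    ip = ipaddress.ip_address(sender_ip)
    if in_any(ip, FOREIGN_RANGES):
        return "block"                                   # rule 1
    domain = from_domain(from_header)
    for isp, nets in ISP_RANGES.items():
        if in_any(ip, nets):
            # Rule 2: a matching From: domain passes. Rule 3: anything else
            # from the ISP's space is held. As the thread notes, From: is
            # forgeable, so this only separates out mail that does not even
            # claim the ISP's own domain.
            if domain == isp or domain.endswith("." + isp):
                return "allow"
            return "hold"
    return "allow"
```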


dzaidle, I guess you won't be getting any email from me, then, unless you add the following:

2.5. Allow through emails with spamcop.net in the FROM field. (or a specific address I can PM you)


dzaidle, I guess you won't be getting any email from me, then, unless you add the following:

2.5. Allow through emails with spamcop.net in the FROM field. (or a specific address I can PM you)

[quoted from post 27630]

Well, actually, for the time being mail from comcast IPs without comcast.net in the FROM field goes to a "holding area" rather than directly to the bit bucket. I'd get the email, but maybe delayed a few hours, depending on how often I check the server spam folder.

DZ


2 weeks later...

Quoting bellsouth.net, Apr 29 2005, 03:26 PM:

For weeks now I've been receiving one particular piece of spam advertising "Save up to 80% on ED drugs" at the top, and "Any item priced less than $2.18 a pop" at the bottom, with the usual camouflage-spelled Cialis, Viagra, Levitra in the middle.

Always the same format... a tri-colored box (colors differ). Curiously, only once or twice have they had a validly formatted contact website! I must have reported 3 or 4 dozen of these. Once they reportedly came from India, sometimes I see a chinanet address in there somewhere.

Any way to stop these? They're getting past the SpamCop filters and X-spam (which is, I believe, a Bellsouth filter).

[quoted from post 27412]

I stopped them completely. Here's the trick I used:

View the message source (I use Mozilla Thunderbird, so I did it from there). The embedded graphics code begins (or at least it did in my case) EVERY TIME - with the characters: R0lGOD

I created a filter, saying if the body of the message contains R0lGOD, delete the message, and then delete it from the server. It had the effect of not even downloading it from the server after that. I kept copies of the offending emails, and after putting the filter/rule into effect, I forwarded copies of the offending spam to myself. None of them made it past the filter. Several sent out to myself - none returned.

It doesn't matter what graphic they use - there is a beginning code to it. Once filtered, they're gone.

My only regret in posting this is that those bastards will eventually read this and find a workaround like the slimy, puss-infected, subhuman cockroach pieces of dung they are.

Anyway, hope that helps.


OK, maybe I'm not so bright - it filters out ALL email that have any kind of .gif file embedded. Not so sure that's a good idea. Ideas anyone?

OK - first off, it applies to all embedded graphics - .gif or .jpg. I went a little deeper into the code. The "ED-DRUGS" emails have a signature that looks like this:

R0lGODlhX

That was enough to catch only the "ED-DRUGS" embedded emails. The ones that look like this:

http://www.examples.com/Mimubo.GIF

I'm creating more specific filters for any others that make it through, as they come in. The fact that they repeat the use of the same tired graphics is handy. The stupid little pills graphic is commonly used by a lot of different spammers. Somewhere in the center of that code is a string of characters common to all of them. I'll find that and create a new filter using that string.

Here's a screenshot of my SINGLE filter that I now use to accumulate offending graphics signatures:

http://www.examples.com/filters.gif


2 weeks later...

Since implementing this filter, I have yet to see any of the ED-DRUGS or Buy Windows XP Professional, or Viagra, or any of the other spams that included those annoying little graphics. Each time a graphic embedded spam email came in, I viewed the source, captured a small part of its code, and added it to my filter. Now NONE OF THEM SHOW UP ANY MORE! SILENCE, SWEET SILENCE!

Here is what my message rules filter for Thunderbird looks like:

(located in C:\Documents and Settings\MyName\Application Data\Thunderbird\Profiles\woms0cl9.default\Mail\pop.mydomain.net\msgFilterRules.dat)

version="8"
logging="no"
name="R0lGOD codes"
enabled="yes"
type="1"
action="Delete"
action="Delete from Pop3 server"
condition="OR (body,contains,R0lGODlhTAEdAJ) OR (body,contains,R0lGODlhMQE9AJE) OR (body,contains,R0lGODlhX) OR (body,contains,R0lGODlhTAEd) OR (body,contains,R0lGODlhWw) OR (body,contains,R0lGODlhCg) OR (body,contains,R0lGODlhBQHH)"

This only filters spam with the offending embedded graphics, nothing else. Deletes them from my system AND my pop3 server upon detection, and I never see them! If you just want to test it, change the rule so that it moves them to another folder - until you get comfortable with them - then you can just have the filter delete them.

For those of you who don't use Thunderbird, you can use the following list as words to filter on (i.e., If Message Contains....blah blah...)

R0lGODlhTAEdAJ

R0lGODlhMQE9AJE

R0lGODlhX

R0lGODlhTAEd

R0lGODlhWw

R0lGODlhCg

R0lGODlhBQHH

Believe it or not, I have yet to see any new ones. That small list above ZAPS all the embedded graphics spams I ever receive (and it used to be at least a dozen different ones from different addresses a day - now it's down to ZERO).
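What these strings actually match, as an added example that is not the poster's code: a MIME body part encodes an attached image from its first byte, so the start of the base64 text is a fixed encoding of the GIF header ("GIF8", the version byte, then little-endian screen width and height). Decoding the prefixes shows why "R0lGOD" alone caught every GIF, and that the longer signatures are really the image dimensions of a reused graphic. The sample header is constructed.

```python
import base64

# Added example (not the poster's code): decode the base64 "signatures" used
# in the Thunderbird filter above to show what each one actually pins down.

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def b64_prefix_to_bytes(prefix):
    """Decode an unpadded, possibly byte-unaligned base64 prefix.

    Returns (decoded_bytes, partial_bits): the fully specified bytes and how
    many leading bits of the following byte the prefix also fixes."""
    bits = "".join(format(B64.index(c), "06b") for c in prefix)
    full = len(bits) // 8
    data = bytes(int(bits[i * 8:(i + 1) * 8], 2) for i in range(full))
    return data, len(bits) - full * 8

def describe_gif_signature(prefix):
    """Report what a filter string such as "R0lGODlhMQE9AJE" matches."""
    data, partial = b64_prefix_to_bytes(prefix)
    info = {"bytes": data, "partial_bits": partial}
    if not data.startswith(b"GIF8"):
        info["kind"] = "not (or not enough of) a GIF header"
        return info
    # Six characters ("R0lGOD") decode to "GIF8" plus the high nibble of the
    # version byte, identical for "7" and "9": that prefix matches every GIF,
    # which is the over-broad filter the poster first ran into.
    if len(data) >= 6:
        info["kind"] = data[:6].decode("ascii")      # "GIF87a" or "GIF89a"
    else:
        info["kind"] = "GIF (version unknown)"
    if len(data) >= 8:
        info["width"] = int.from_bytes(data[6:8], "little")
    if len(data) >= 10:
        info["height"] = int.from_bytes(data[8:10], "little")
    return info

def signature_from_sample(gif_bytes, nchars):
    """Build a filter string from the first bytes of a captured image, the
    way the poster captured "a small part of its code" from message source.
    A signature this short is tied to the image dimensions, so a re-encoded
    graphic with other dimensions is not matched."""
    return base64.b64encode(gif_bytes[:12]).decode("ascii")[:nchars]

# Constructed sample: a GIF89a header for a 332 x 29 image with a global
# colour table (packed byte 0x91). Not taken from any real message.
SAMPLE_GIF_HEADER = (b"GIF89a" + (332).to_bytes(2, "little")
                     + (29).to_bytes(2, "little") + bytes([0x91, 0, 0]))

if __name__ == "__main__":
    for sig in ["R0lGOD", "R0lGODlhX", "R0lGODlhTAEdAJ",
                "R0lGODlhMQE9AJE", "R0lGODlhBQHH"]:
        print(sig, describe_gif_signature(sig))
    print(signature_from_sample(SAMPLE_GIF_HEADER, 14))
```

The constructed 332 x 29 header yields exactly the first string in the poster's list, which is what a signature of that length encodes.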

