voodoo

what the h#*l is that


ok since yesterday i keep getting deutsch mails, like 10 / hours, with no ad inside, only two lines like

Obj : Dresden Bombing Is To Be Regretted Enormously

Full Article:

http: // service.s-----el.de/cache/international/0,1518,341239,00.html

which leads to a real site...

i guess i should not report them? why the hell do i receive that? any advice?

thanks

Edited by voodoo


If you want to talk about a particular spam, best if data is provided via the use of a Tracking URL. (see the SpamCop Glossary, a link in the Forum FAQ)

If you want to talk about filtering an item like this, in addition to the Tracking URL, one would want to provide some listing of the utilities and applications in use.

If you are seriously asking the "why do I receive this" question, I'll simply state that there aren't that many folks in the world that claim to understand the spammer mind-set without getting into some nasty characterizations .... you tell me why one of my pet spammers thinks that sending me 8 to 30 copies of essentially the same spam on a daily basis is somehow going to have me one day decide that I've had enough and actually send the lowlife some money? Some would ask "why are you reading your spam?" .. followed by "why are you following links in your spam?" (That said, der Spiegel is an actual magazine, available internationally.)

If the only reason of posting the "contents of your spam" was to give yet more exposure to the article, one of my edits was to make the link non-clickable, and lessening the impact of a Search Engine finding another link to add to the page-ranking formula.


ok maybe i was not clear enough

spam i usually get is for me to buy viagra, software, whatever.

now those "new" spams i got are : 1 subject, 1 line ("Full article" or something) then a link to a REAL site that does not sell anything, like the one i just copy-pasted there.

since my last post, i received 6 others just like that!

is that clearer? does anyone have the same type of spam?

ps i do not want to give more exposure to whatever, just delete the link if you will

ok maybe i was not clear enough

spam i usually get is for me to buy viagra, software, whatever.

now those "new" spams i got are : 1 subject, 1 line ("Full article" or something) then a link to a REAL site that does not sell anything, like the one i just copy-pasted there.

since my last post, i received 6 others just like that!

is that clearer? does anyone have the same type of spam?

ps i do not want to give more exposure to whatever, just delete the link if you will

28083[/snapback]

Yes they have been sending to me and getting reported and blocked :D

http://www.spamcop.net/sc?id=z763884465ze1...7e333bb9e5902ez

I'm suspecting some spammer grub has found these "forums" and is just putting email addresses in them? (Mine seem to be sent to spamcop domains, possibly a disgruntled spammer :rolleyes: )

Keep reporting them, at least it keeps the trojanised PC in the SCBL


petzl's spamvertised link comes up 404 .... the combo voodoo has provided thus far suggests to me that voodoo is on a 'special' list as both basically deal with "foreign" actions/people/events from the "Germany is a victim" viewpoint. I'd rate it right up there in the same class as your "spam i usually get is for me to buy viagra, software, whatever" description. As the headers presented don't seem to tie in to any sort of mailing list, it is pretty likely that there should be no argument that it looks, smells, and walks just like any other spam e-mail.


Looks like it might even be borderline neo-Nazi stuff (they don't like foreigners getting Visas, which is what the spamvertized URL is about), sent through a French ISP. I see that there are three of these posted/reported in "news.admin.net-abuse.sightings" today. So they're blasting these out to lots of people...keep reporting them.

DT


Agree with the borderline (though it is assumed [note the 'special' qualifier]) .. I just didn't want to use those words based on just the 'evidence' seen in the two samples I looked at ...


I have just reported a few identical spams myself. In German, same subject line and content links. The fact that more than one SC user gets them must be telling. Perhaps a disgruntled spammer?

Edited by dra007


I got one too, BCC'd to my spamcop.net address.

I have just reported a few identical spams myself. In German, same subject line and content links. The fact that more than one SC user gets them must be telling. Perhaps a disgruntled spammer?

28094[/snapback]

This arse is sending masses of them from relatively new trojanised IP's

like

http://www.senderbase.org/?searchBy=ipaddr...g=219.89.113.14

http://www.senderbase.org/?searchBy=ipaddr...=69.166.151.154

Now to wait for the bounces


http://isc.sans.org/diary.php?date=2005-05-15 has some data for background ...

ranges from viral infection to the pretty much all-inclusive 'political' scenario ..

This will probably be the last update I will do on the subject of the German spam. As this is the 60th anniversary of the end of WWII, I had guessed that the propaganda was more in response to the events of many years ago. It may still be related, but several of our German Speakers have noted a couple of details that might point the motivation in another direction. Apparently there is an election coming up in the largest population state in Germany on May 22nd. The Diet election (Landtagswahl) in Nordrhein-Westfalen appears to be the most likely case as Sober.G last June also had an element of spamming associated with it prior to the European Parliament election in 2004. Thanks to Philipp Krenn for some of the information about the current election connection.

*I really hope that people are not so naive to be swayed in their votes for their elected officials on account of spam. And I will never trust the political views of a malware writer. So I hope and pray that if the virus and spam was meant to sway the votes of the people in the way that the Madrid terrorist activity last year did, then the people of Germany would have the courage and wisdom to vote as they truly believe. Not the way others would have them believe.*


Has anyone seen these spam(s)? What do you do about it?

ex of spam received:

Received: from rsuqd.com (itcdsl129219.iro.ptd.net[204.186.129.219](untrusted sender))
    by worldnet.att.net (mtiwmxc15) with SMTP
    id <2005051522502601500k8d2oe>; Sun, 15 May 2005 22:50:47 +0000
X-Originating-IP: [204.186.129.219]
From: KMFreese[at]lycos.com
To: x
Date: Sun, 15 May 2005 22:46:49 UTC
Subject: Schily ueber Deutschland
Importance: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Message-ID: <6a78__________fedf[at]lycos.com>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Lese selbst:
http://www.heise.de/newsticker/meldung/59427

Edited by trpted


I merged trpted's Topic into this one and PM'd the Member.

Has anyone seen these spam(s)? What do you do about it?

It seems reporting the website has many removed which helps deter spammers

The problem is, as always, providers reacting to abuse reports not at all?

http://www.senderbase.org/?searchBy=ipaddr...204.186.129.219

shows your reported IP still spewing spam up 12000% over a day

SpamCop has most if not all of these IP's blocked very early in the piece

Pays to dump your provider if they have not protected the email address they dump on you (these are NOT free). Demand a discount for the crappy "service" they have you pay for as compensation for not using their compulsory email. This link explains why:

"spam zombies make money for the ISP

Think about it. If one residential user's PC is sending 100,000 spams/day, and we assume a typical spam message is 4 Kb, that's a transmission of more than 11 Gb/month! Most ISPs are going to charge an extra fee to a residential, broad-band user for using so much bandwidth.

What's worse is that ignorant users may not realize why their bandwidth is so high (when they see the surcharges on their bill). When they phone up the customer support about their bill, the ISP may encourage them to upgrade to a higher forfeit bandwidth package. Zombies are not the only reason why bandwidth usage could be high. Peer-to-peer applications (BitTorrent, E-mule, etc.) are very popular. A user running one of these applications and also infected with a zombie would have to be fairly sophisticated to be able to know what percentage of bandwidth was due to zombie spams originating from his PC.

I'm not saying that ISPs have a formal policy to not shut down zombies because they generate traffic. But it's clear that if we allow them to keep their zombies, they are profiting from it!"

I'm saying many ISP's have a formal policy not to shut down zombies! Get a SpamCop email account The only email address you will ever need

Get

Edited by petzl

I'm saying many ISP's have a formal policy not to shut down zombies!

28143[/snapback]

What ISP's do you know of that "charge an extra fee to a residential, broad-band user for using so much bandwidth"? The extra traffic may slow down the users experience, but I know of no residential high-speed ISP's (at least in the US, I know you are not) that charge for bandwidth used. Business accounts on the other hand are (at least my connection at work is) but are likely to have more protection and monitoring of that bandwidth.


This spam appears to be the remnants of the Sober P worm

From the 16 May 2005 - Vol. 3 No. 9 issue of Woody's Email Essentials Newsletter

First a German Pope and now our Inboxes are being infested with German language emails?  Is this part of a new Germanic conspiracy?  What's causing all these messages?  Is there anything to worry about?  What can you do about them?

The messages (which are not all in German) are an interesting offshoot of the Sober P worm that spread around the world earlier (the one that had messages about World Cup tickets). 

The new messages do not contain any infectious attachments and are not dangerous in themselves.  You can't be infected by opening or reading these messages.

Mind you the message content is offensive to most people - it is right-wing propaganda and links.  When we say 'right wing' we don't mean Republican/Tory right - we mean Nazi right wing.  One message suggests that the allies should be tried for war crimes.

And no - it's not part of a new Germanic conspiracy.  Just a few twisted people - it's not clear if the makers of the worm are extreme right-wing believers or just using that sickening dogma to gain notoriety.

http://www.sophos.com/virusinfo/analyses/trojsoberq.html

Troj/Sober-Q is a mass mailing spamming Trojan for the Windows platform.

Some of the spam emails sent out by the Trojan can have the following subject lines:

'4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass'

'Auf Streife durch den Berliner Wedding'

'Auslaender bevorzugt'

'Deutsche Buerger trauen sich nicht ...'

'Auslaenderpolitik'

'Blutige Selbstjustiz'

'Dresden 1945'

'Gegen das Vergessen'

'Deutsche werden kuenftig beim Arzt abgezockt'

'Tuerkei in die EU'

'Vorbildliche Aktion'

'60 Jahre Befreiung: Wer feiert mit?'

'Multi-Kulturell = Multi-Kriminell'

'Turkish Tabloid Enrages Germany with Nazi Comparisons'

'The Whore Lived Like a German'

'Armenian Genocide Plagues Ankara 90 Years On'

'Schily ueber Deutschland'

--Navigatr1


Notice that the subject line in the header of the email submitted by trpted is one of the included subject lines of Troj/Sober-Q.

--Navigatr1
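
The subject-line match pointed out above, as an added example that is not part of the original thread: it parses a raw message, compares the Subject against the Troj/Sober-Q list quoted from Sophos, and pulls the connecting IP from the topmost Received header. The `triage` function name and the short-body "link only" heuristic are assumptions made for illustration.

```python
import re
from email import message_from_string

# Subject lines Sophos lists for Troj/Sober-Q, as quoted in this thread.
SOBER_Q_SUBJECTS = [
    "4,8 Mill. Osteuropaeer durch Fischer-Volmer Erlass",
    "Auf Streife durch den Berliner Wedding", "Auslaender bevorzugt",
    "Deutsche Buerger trauen sich nicht ...", "Auslaenderpolitik",
    "Blutige Selbstjustiz", "Dresden 1945", "Gegen das Vergessen",
    "Deutsche werden kuenftig beim Arzt abgezockt", "Tuerkei in die EU",
    "Vorbildliche Aktion", "60 Jahre Befreiung: Wer feiert mit?",
    "Multi-Kulturell = Multi-Kriminell", "Schily ueber Deutschland",
    "Turkish Tabloid Enrages Germany with Nazi Comparisons",
    "The Whore Lived Like a German",
    "Armenian Genocide Plagues Ankara 90 Years On",
]

# Sample rebuilt from the header trpted posted (addresses munged as posted).
SAMPLE = """\
Received: from rsuqd.com (itcdsl129219.iro.ptd.net[204.186.129.219](untrusted sender))
\tby worldnet.att.net (mtiwmxc15) with SMTP
\tid <2005051522502601500k8d2oe>; Sun, 15 May 2005 22:50:47 +0000
X-Originating-IP: [204.186.129.219]
From: KMFreese[at]lycos.com
To: x
Subject: Schily ueber Deutschland

Lese selbst:
http://www.heise.de/newsticker/meldung/59427
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def normalize(subject):
    # Collapse whitespace and case so re-folded subjects still match.
    return " ".join(subject.split()).casefold()

KNOWN = {normalize(s) for s in SOBER_Q_SUBJECTS}

def triage(raw):
    msg = message_from_string(raw)
    # Topmost Received header is the one the receiving server added; the
    # bracketed address in it is the connecting host worth reporting.
    received = msg.get_all("Received") or [""]
    hit = IP_RE.search(received[0])
    body = msg.get_payload()
    urls = re.findall(r"https?://\S+", body)
    return {
        "sober_q_subject": normalize(msg.get("Subject", "")) in KNOWN,
        "source_ip": hit.group(1) if hit else None,
        # Assumed heuristic: a short text line plus exactly one link.
        "link_only_body": len(urls) == 1 and len(body.split()) <= 6,
        "urls": urls,
    }
```

Calling `triage(SAMPLE)` flags the subject as a Sober-Q match and returns 204.186.129.219 as the source to report.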

What ISP's do you know of that "charge an extra fee to a residential, broad-band user for using so much bandwidth"?  The extra traffic may slow down the users experience, but I know of no residential high-speed ISP's (at least in the US, I know you are not) that charge for bandwidth used.  Business accounts on the other hand are (at least my connection at work is) but are likely to have more protection and monitoring of that bandwidth.

28152[/snapback]

Not many in Australia, New Zealand and much of Europe that do not charge for excess bandwidth, particularly with cheaper end monthly accounts (example)

Regional Residential ADSL 512/128k 512K Value/200MB 6 month contract $24.95 CC 200MB Free then 15c/MB (they do have a maximum charge limit of $35 on top of this however)

What's your explanation for Adelphia not stopping this Zombie spew (I have sent them over 20 unmunged reports since Sunday and still sending, all are being caught in my VER folder). Bandwidth is not free and someone will have to cough up.

I'm also told that you are wrong about the USA not charging (particularly) those that have minimal accounts not being charged extra for excess bandwidth (I would also be going over the/your ISP fine print)

I'm also told that you are wrong about the USA not charging (particularly) those that have minimal accounts not being charged extra for excess bandwidth (I would also be going over the/your ISP fine print)

28158[/snapback]

I have checked my agreements and found no mention of the possibility, but did send a request into my ISP (charter.net, high speed 3Mb/256Kb cable). I will update if I get a response.

I have checked my agreements and found no mention of the possibility, but did send a request into my ISP (charter.net, high speed 3Mb/256Kb cable).  I will update if I get a response.

28159[/snapback]

Reply from support desk:

Thank you for contacting Charter Communications.  I appreciate the opportunity to serve you.

The only restrictions placed on the connections is the speed cap, i.e. what the modem is provisioned for.

Reply from support desk:

28168[/snapback]

In the meantime, for four days now Adelphia.net are still spewing spam as fast as the modem can push it out.

This is only one of a great many zombies pouring out spew from different providers. In this case I have sent unmunged reports and even contacted Adelphia by their web form. Still the spew continues with no end in sight.

I most certainly believe that many ISP's do find they conveniently make money by allowing this to happen. In fact ISP's are often the source of the trojan that starts it, as this article I believe correctly infers

Your ISP may be hosting spam zombies!

Edited by petzl

In the meantime, for four days now Adelphia.net are still spewing spam as fast as the modem can push it out.

28190[/snapback]

While you think this is a conspiracy, I think it is simply overworked, under trained support personnel.

Adelphia's agreement from their web site: http://www.adelphia.com/esafety/Adelphia_H...rev11_15_04.pdf

I have also requested information about what these "consumption limits" are for the Adelphia network, though they are written vague enough that they might not be currently in effect but the right is reserved.

ADELPHIA BROADBAND INTERNET ACCESS SERVICE AGREEMENT TERMS AND CONDITIONS

2.(e) Traffic Consumption Allowances. Adelphia has the right to monitor, measure and report bandwidth consumption by You. Adelphia reserves the right, in its sole discretion, to establish, modify and/or enforce consumption allowances at any time now or in the future, with or without notice to You, and to apply a surcharge for excess usage subsequent to notice of changes in bandwidth consumption allowances.

Adelphia Internet Acceptable Use Policy

2.(i) sending excessive data transfers that exceed consumption limits that are now in place or may be established in the future for the package or tier of service to which You subscribe;

(iv) failing to comply with any bandwidth, data storage, IP address or other use limitations imposed on your use of the Adelphia Broadband Service;
