snaller

What about 'picture' spam?

How does one report the companies that are the repeated sources of spam? Such as GDKI (Goldmark Industries, www.rxmarte.org, www.fastrx.org, www.rxcart.org - the last three of which are obviously the same source with rotating URLs. They happen to hide these sources as image spam.

Two points:

1) I think you are confusing the "sources of spam" with the companies that are advertised in the spam. As you note GDKI has "rotating URLs" and they most likely did not actually send the email (spam). Going after them is similar to the bomker game, they just pop up somewhere else. On the other hand, by going after the sender of the spam (most likely a zombie) and their ISP and educating them, we (hopefully) add one more user of the web to the fight against spam.

2) As a spam reporting tool, the objective of SpamCop is to develop a list of URLs that send spam to be used as a filter for incoming email. Having identified the source of the spam, as an aside, a report is also sent to the ISP of the sender. In your example, the rotating URLs of GDKI do not actually send the spam so there is no need to add those URLs to the black list.

On the other hand, other reporting groups do go after the companies advertised in the spam. And you are free to report your spam to them in addition to SC. There are several threads here about reporting to these "special interest groups" such as FTC, FDA, phishing etc.

I'm getting tired of the same companies spamming me -
Aren't we all.

...or at least allow some underground group to hack into their servers and bring them down.

We would not want to advocate any illegal activity. Part of the beauty, and bane, of the web is that anyone can put whatever they want on the web for others to see (or not). If "we" start establishing rules about what can be on the web, it then would be ok for another "we" to decide to hack or bring down what you or I put on the web.

The admin lumped my last post into the image spam thread, and 20 messages into it I could find nothing helpful except a lot of bickering.

No, "the Admin" didn't touch your prior post. However, "the Admin" did exactly the same thing with this "new" Topic as was done by one of the Moderators with your last one.

So let me rephrase:

How does one report the companies that are the repeated sources of spam? Such as GDKI (Goldmark Industries, www.rxmarte.org, www.fastrx.org, www.rxcart.org - the last three of which are obviously the same source with rotating URLs. They happen to hide these sources as image spam. I'm getting tired of the same companies spamming me - one would think that knowing the URL of the source would help, or at least allow some underground group to hack into their servers and bring them down.

As previously described, your use of the word "source" is technically invalid (unless you can actually 'prove' all the connections involved) ....

And as your query/complaint/subject-matter is in fact dealing with "picture spam" ... it has been merged into just the latest of these discussions on that subject. There are others.


I have a simple question - the same companies are spamming me with the same companies and websites that they want me to support, though putting their names in image spam. It's like watching someone burglarize your house behind a glass wall.

Worse thing is that I've asked this question twice, and I get either put into a useless image spam discussion with 90% of it personal bickering, or it gets deleted.

How in the world are we supposed to work together to solve these repetitive spam cases if there's no means of being led to concise answers?


In spite of all the chaff in the fodder your original question was answered by me and others. IMHO the problem is you don't like the answer.

Yes, your repeated posting keeps getting grouped with others about image spam, because your question seems to be about spam which 'contains an image to hide the content from parsers.' If this is not what your question is about, an example may help explain the difference. Without being redundant, you were provided guidance as to how to reference an example in addition to the FAQ entries.

If you take spam personally, it is frustrating. No one claims spammers are smart. In Oct I received 158 copies of the same virus in identical spam from the same source. On the 9th of Dec. I received 226 copies of the same spam from the same source all with forged earthlink.com FROM: addresses. That string continued for several days and I still haven't bought a watch from them, or stocks, drugs or software for that matter. But the spam keeps coming.

To paraphrase the old line, 'I know you think you know what you ask, but I don't think you know what I (we) heard.' Perhaps if you stated your question in another way, with an example, what you meant to ask would be understood.


Worse thing is that I've asked this question twice, and I get either put into a useless image spam discussion with 90% of it personal bickering, or it gets deleted.

No message has been deleted (even the spam that comes here is moved out of sight but not deleted). Your messages were moved to the thread that was most appropriate for them as the question was asked.

If every person asked their question in a new thread, there would be no way to ever reference them in the future or to find the specific thread wanted.

The answer given in that thread is that spamcop can not do anything about picture spam because spamcop is a computer program that does not SEE the contents of the picture. YOU can use spamcop to get the information (reporting address) where you can send your manual reports.

Worse thing is that I've asked this question twice, and I get either put into a useless image spam discussion with 90% of it personal bickering, or it gets deleted.

Not deleted .. as with your last, this 'new' Topic was 'merged' into an existing Topic/Discussion that covers the same ground. This is called "moderation" ... sometimes actioned by Moderators, these last two by the Admin ...

Usually, folks get a PM about the movement of their posts, but then again, this is usually a one-time thing ....


It is time consuming, and I do not know if it works, but I look up the URL (using GEEKTOOLS), and when the admin lists a USA person, I forward the spam and that lookup to the Attorney General of that state, with a request for the website to be shut down. On second request, I ask the AG to be sure the guy is paying income tax on his spam earnings.

Natch, I don't expect to hear back, but if simpleRX.org goes away; =;+)


I note the evolution from 'picture' to 'PDF of picture' - journal_hsirrsnn.pdf attached (and, incidentally, the first time I pulled up that link the munging was totally absent). I checked the payload, as text then in .pdf, against SpamTotal's assemblage of 30 AV engines before opening to verify it is indeed merely a lossy picture of some wobbly varicolored text eliciting investment in someone's favorite project. There is much commentary on the 'phenomenon' for the Googling, including PDF spam Pumps Stock Scam with a quote

The stock spam is believed to be sent from Stration infected computers, as this spam campaign closely followed a new W32/Stration worm mass-mailing which contained a number of .PDF files, and Stration has been associated with pump and dump spam in the past.
So, no change except the handy TOASTEDspam cannot be used to glimpse the content (but does confirm the file type) and there are (supposedly) PDF exploits which make opening of the attachment 'unwise', as ever.

So, I would say the reporting activity of 'the few' has been sufficient to cause the scammers some discomfort. I don't buy the contention (in the linked commentary) that the reason might be "easier automation" of the PDF payload file. Seems to me there is a further step in turning these into PDFs - okay, that can be scripted but making things a little harder/riskier for reporters who want to 'get' the beneficiaries of the scam would be more likely IMO.

FWIW (not much as contents will undoubtedly change frequently in subsequent mailings) hash values of the attachment as a text file are:

MD5: 3ada782ac2a5defa6a87dea9a3f9e9f8

SHA1: e2c6e1381252b65175f3be4654ece2e7edc98bc9


Has anyone else seen an increase in spam which is merely a single PDF attachment?

Our spam trackers have opened a number of these and found them to be the typical "pump and dump" stock scam graphic of mangled text in a graphic.

This ploy will NEVER be parsed in SpamCop's spam filters.

Comments?

Moderator edit: merged this 'new' Topic into this existing Discussion, seeing it as just a variation on the 'picture spam' issue.

Comments?

The timing is coincidental, I'm sure, but having just read Farelf's post last evening, it was something to see your post this morning asking about the same subject. So yes, I in fact merged your 'new' Topic into the existing discussion .... PM sent to advise of the move.

<snip>

This ploy will NEVER be parsed in SpamCop's spam filters.

<snip>

...That's all right with me, as long as the SpamCop parser can find the source of the spam, its primary mission. Everything else can be manually submitted by those who care about what's in the "body" of the spam.

Has anyone else seen an increase in spam which is merely a single PDF attachment?

<snip>

Yes, apparently there show up more and more of them.

Using Outlook 2007 under Vista, I report in the two pane report option the header, as normal, and (this might be wrong): the text Attachment: <NameOfTheFile>.pdf in the second pane. After the parsing I send the report with exactly the same text Attachment: <NameOfTheFile>.pdf in the Note pane. I hope I'm doing well, and that I won't lose my ability to report...

I've been looking around in the forum how one should handle in the cases where there is seemingly no body: right-clicking in the message pane of the e-mail does not offer the opportunity to get the source of the body (in this case apparently only an attachment?).

In other words:

In Outlook (2007) there is no opportunity, as far as I know, to offer the code of the pdf-file: You only can extract the header from the e-mail, but not the attachment as some coded piece of text like html.

Am I right?

In Outlook (2007) there is no opportunity, as far as I know, to offer the code of the pdf-file: You only can extract the header from the e-mail, but not the attachment as some coded piece of text like html.

Am I right?

Probably, certainly that's the case with 2003 and XP, some email settings/configuration not even giving the option to pick up the HTML part. I don't think you are doing anything wrong and I've not heard of any applicable work-around (web form submission). I refer to Outlook 2000, XP and 2003. If anyone knows of any Vista/Outlook 2007 solutions ...?

The capturing of included code may do nothing directly for the 'elimination' of spam but it would improve the forensic integrity/'intactness' of the evidence. And reduce the anxiety level of reporters worried about interfering with message content (which is, in truth, already thoroughly mangled by Outlook).

Edited by Farelf


Have had the 'fun' of working on three Vista-based laptops thus far .... However, none of them had Outlook installed ....


Perhaps I'm not as fast as I once was but I still get confused by the debate about reporting with attachments (gif/jpeg/PDF etc). The answer surely is: If the message is spam then report it in the normal way. Since the SCBL is primarily concerned with identifying sources of spam by IP address then that process should work just fine.

Of course, the content of the picture/PDF may not be parsed but since alerting hosts to the presence of a spammed website isn't the primary purpose that is a secondary issue. But we've debated that point elsewhere before :-)

Andrew


Guys,

How do you report the PDF attachment email spam?

Every day I've got a lot of emails with small pdf attachment :(

If I do forward to submit.324244[at]spam.spamcop.net

they send me back a note with no spam found :(

Guys,

How do you report the PDF attachment email spam? Every day I've got a lot of emails with small pdf attachment :(

If I do forward to submit.324244[at]spam.spamcop.net

they send me back a note with no spam found :(

If there is no message, then the parser can't find spam. The way around that is to add to the message body, "There is a pdf file attached." If you don't understand how to do that, then there are others who are submitting the pdf spam to spamcop, so you can just delete them.

You may want to understand how to do that. If so, ask. Someone may be able to teach you.

Miss Betsy

Guys,

Equal opportunity here .... all sexes are involved ....

How do you report the PDF attachment email spam?

SpamCop FAQ entries .... How to use .. Reporting entries etc. have instructions, tutorials, guidance on "how to report" spam from various clients, be it e-mail or web-mail ... you chose not to identify what tools you are using ...

Every day I've got a lot of emails with small pdf attachment :(

If I do forward to submit.324244[at]spam.spamcop.net

they send me back a note with no spam found :(

Not sure I can come up with why "only a small PDF attachment" would be the only reason for a submittal that can't be parsed. But again, you used the word "Forward" which has caused many folks much grief, as not all clients actually handle "Forward" in the same way ...

Once again, 'help' not really possible due to the lack of data provided by the poster. No description of tools in use, no Tracking URLS, no samples .....
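
The reporting approach discussed in this thread (take the sending IPs from the headers and, where the body is nothing but an attachment, describe it with an "Attachment: <name>" note and its hashes rather than opening it) can be scripted against the raw message. This is an added example, not code from any poster or from SpamCop; the sample message, its documentation-range addresses and the function names are constructed for illustration.

```python
import hashlib
import ipaddress
import re
from email import message_from_bytes, policy

# Constructed, abbreviated sample (not real spam): no text body, one PDF part.
SAMPLE = (
    b"Received: from mail.example.net ([192.0.2.25]) by mx.recipient.example\r\n"
    b"Received: from user-pc ([198.51.100.7]) by mail.example.net\r\n"
    b"From: forged@example.com\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n--b1\r\n'
    b"Content-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="journal_sample.pdf"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"JVBERi0xLjQKJSBjb25zdHJ1Y3RlZCBzYW1wbGUK\r\n--b1--\r\n"
)

def load(raw):
    return message_from_bytes(raw, policy=policy.default)

def received_ips(msg):
    """Bracketed IPv4s per Received header, newest hop first (lower hops can be forged)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for cand in re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr)):
            try:
                ips.append(str(ipaddress.ip_address(cand)))
            except ValueError:
                continue  # bracketed digits that are not a valid address
    return ips

def attachments(msg):
    """Name, type, size and hashes of each attachment; the file is never opened."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append({"name": part.get_filename() or "(unnamed)",
                    "type": part.get_content_type(), "size": len(data),
                    "md5": hashlib.md5(data).hexdigest(),
                    "sha1": hashlib.sha1(data).hexdigest()})
    return out

def report_note(msg):
    """Body text if there is one, else 'Attachment: <name>' lines for the report."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    return text or "\n".join(f"Attachment: {a['name']}" for a in attachments(msg))

if __name__ == "__main__":
    print(received_ips(load(SAMPLE)), report_note(load(SAMPLE)), sep="\n")
```

It needs the message saved in raw form (full headers plus MIME body), which is the part some mail clients do not expose.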
