[Resolved] False report, please remove

[Zxx]

I dont know where to post or send it, so I try to post this message here.

I would like to ask you to remove false report from your database. I dont think you need to store something that was "created" by user. This one.

http://www.spamcop.net/sc?id=z1043703405zc...;action=display

Thank you.

[agsteele]

Hi Zxx!

I'm afraid I don't fully understand your request, but the example Email you provided looks just like spam to me and should, therefore, have been accepted.

The ip address is not currently listed in the SCBL but there are a small number of reports that do appear, on the face of it, to be correct. These are spam Emails.

Perhaps you can give more detail since I'm not following your concern.

Andrew

Originating Ip appears to be 62.143.42.217

[Miss Betsy]

You are going to give us more data. What makes you think that this report is 'false'? It looks like a spam message to me. Who is the user who created this report?

What is your IP address? Have looked to see if it is blocked?

You may be sending emails through the same email server that this spam came from.

What else do you not understand about how spamcop works?

Miss Betsy

[Zxx]

Here is the situation.

I'm the owner of given "doorway" website and I have some idea who may sent you this report, even if I'm not shure.

From what I know, I was never sending spam emails, however, I got a message from my hosting, now I have problems with them, so I would like to solve this with you, then with them.

First, looking on given report, I dont see any text/title among url, is it usual for spam emails?

What else - I believe this is the single report that is closed to the given domain from "spam email body", but isnt typical to receive more than one report if spam accident happens?

About IP/headers - I believe they were just copied from some real spam email, and probably you may prove this, if you check other reports of the user who has sent the report.

[agsteele]

First, looking on given report, I dont see any text/title among url, is it usual for spam emails?

Yes, this is very common.

What else - I believe this is the single report that is closed to the given domain from "spam email body", but isnt typical to receive more than one report if spam accident happens?

As far as I can tell there have been three reports for your mail server in recent days. You do not appear to have been added to the SCBL.

About IP/headers - I believe they were just copied from some real spam email, and probably you may prove this, if you check other reports of the user who has sent the report.

I am not able to determine whether these headers have been copied and the reported falsified. If you believe that these reports are false and have been created maliciously then you should submit the evidence to deputies[at]spamcop.net since they are the ones that can assist you.

However, you will need to provide more evidence than a feeling.

Bear in mind that if you share your mailserver with anyone else then it could be their Emails causing the trouble. Also, if your machine has been infected by a virus or trojan then you can find yourself with a problem. However in these situations I would expect to see a significant quantity of spam which does not exist.

Andrew

[Zxx]

2agsteele: Sorry for my bad English, I feel there is some misunderstanding.

I believe that headers are real, as they were copied from some real spam email [letter], but the "body" of message for shure is false.

Thanks for the given email, I will get in touch with them.

[Wazoo]

http://www.dnsstuff.com/tools/whois.ch?ip=...rxpharmacy.info

Domain ID:D14484081-LRMS

Domain Name:PHENTERMINERXPHARMACY.INFO

Created On:24-Aug-2006 18:41:16 UTC

Last Updated On:24-Aug-2006 18:41:21 UTC

Expiration Date:24-Aug-2007 18:41:16 UTC

08/28/06 12:56:56 Browsing http://phenterminerxpharmacy.info/phentermine189.html

Fetching http://phenterminerxpharmacy.info/phentermine189.html ...

GET /phentermine189.html HTTP/1.1

Host: phenterminerxpharmacy.info

HTTP/1.1 403 Forbidden

08/28/06 12:58:06 Browsing http://phenterminerxpharmacy.info/

Fetching http://phenterminerxpharmacy.info/ ...

GET / HTTP/1.1

Host: phenterminerxpharmacy.info

HTTP/1.1 403 Forbidden

The site wasn't around long enough for Search engines to pick it up, apparently.

[StevenUnderwood]

I believe that headers are real, as they were copied from some real spam email [letter], but the "body" of message for shure is false.

It is not "for shure" false as I have also received spam emails with only a single weblink in it. However, this might be this users atempt at getting a web site reported that was contained within a graphic attached to the email received. If so, the user needs to be reported. That is usually done throught the options the link on the report you (or your webhost) received. You will need to provide the proof of this, likely the message that was in the body of that message.

As stated

Report History of the IP sending the spam:

--------------------------------------------------------------------------------

Submitted: Monday, August 28, 2006 1:05:45 PM -0400:

1895937689 ( 62.143.42.217 ) To: spamcop[at]imaphost.com

--------------------------------------------------------------------------------

Submitted: Sunday, August 27, 2006 1:38:14 AM -0400:

1893811551 ( z_User_Notification ) To: [concealed user-defined recipient]

1893811546 ( http://phenterminerxpharmacy.info/phentermine18... ) To: abuse[at]consultit.ru

1893811540 ( Forwarded spam ) To: [concealed user-defined recipient]

1893811536 ( 62.143.42.217 ) To: spamcop[at]imaphost.com

1893811530 ( 62.143.42.217 ) To: postmaster[at]ish.de

1893811523 ( 62.143.42.217 ) To: webmaster[at]ish.de

1893811517 ( 62.143.42.217 ) To: abuse[at]ish.de

1893811499 ( 62.143.42.217 ) To: abuse[at]eu.level3.net

--------------------------------------------------------------------------------

Submitted: Saturday, August 26, 2006 10:44:55 PM -0400:

[spam]

1893687241 ( Forwarded spam ) To: [concealed user-defined recipient]

1893687240 ( 62.143.42.217 ) To: spamcop[at]imaphost.com

1893687238 ( 62.143.42.217 ) To: postmaster[at]ish.de

1893687237 ( 62.143.42.217 ) To: webmaster[at]ish.de

1893687234 ( 62.143.42.217 ) To: abuse[at]ish.de

1893687230 ( 62.143.42.217 ) To: abuse[at]eu.level3.net

Report History of the web site in question:

--------------------------------------------------------------------------------

Submitted: Sunday, August 27, 2006 2:55:41 AM -0400:

it`s all about SOFT Imogene

1893866693 ( z_User_Notification ) To: [concealed user-defined recipient]

1893866688 ( z_User_Notification ) To: [concealed user-defined recipient]

1893866686 ( http://phenterminerxpharmacy.info/phentermine18... ) To: abuse[at]consultit.ru

1893866684 ( http://g6m9m73n3t438yg101grlgyy.slowriell.st/ ) To: anti-spam[at]ns.chinanet.cn.net

1893866679 ( http://g6m9m73n3t438yg101grlgyy.slowriell.st/ ) To: ct-abuse[at]abuse.sprint.net

1893866674 ( Forwarded spam ) To: [concealed user-defined recipient]

1893866671 ( 218.73.195.103 ) To: spamcop[at]imaphost.com

1893866669 ( 218.73.195.103 ) To: postmaster[at]zj.cn

1893866663 ( 218.73.195.103 ) To: antispam[at]dcb.hz.zj.cn

1893866660 ( 218.73.195.103 ) To: postmaster#dcb.hz.zj.cn[at]devnull.spamcop.net

1893866653 ( 218.73.195.103 ) To: anti_spam[at]mail.nbptt.zj.cn

--------------------------------------------------------------------------------

Submitted: Sunday, August 27, 2006 1:38:14 AM -0400:

1893811551 ( z_User_Notification ) To: [concealed user-defined recipient]

1893811546 ( http://phenterminerxpharmacy.info/phentermine18... ) To: abuse[at]consultit.ru

1893811540 ( Forwarded spam ) To: [concealed user-defined recipient]

1893811536 ( 62.143.42.217 ) To: spamcop[at]imaphost.com

1893811530 ( 62.143.42.217 ) To: postmaster[at]ish.de

1893811523 ( 62.143.42.217 ) To: webmaster[at]ish.de

1893811517 ( 62.143.42.217 ) To: abuse[at]ish.de

1893811499 ( 62.143.42.217 ) To: abuse[at]eu.level3.net

[Zxx]

It is not "for shure" false as I have also received spam emails with only a single weblink in it.

However, this might be this users atempt at getting a web site reported that was contained within a graphic attached to the email received. If so, the user needs to be reported. That is usually done throught the options the link on the report you (or your webhost) received. You will need to provide the proof of this, likely the message that was in the body of that message.

I also sometimes receive picture spam , however, I cant remember any spam letters without title and text, but just with a link in a body.

But in general, what does last words about "proof" means? Now you are suggesting me to give the "original spam message" or what??? Understand, you have all the facts, not I am, I just can tell you - its in your interests (and in my also) to check good this report, because it is false. Why it is false? Just because it is my site and I never sent spam letters.

I believe any services who respect themselves should put the facts together and check and recheck everything (is it multiple report or single, is it looks like typical spam, is there are equal headers in other reports, what kind of history the user who do false report has, and so on) in cases if occurs the doupts in the work.

Why do you think many people like I am dont use spam filters at all? Not because they dont like that filters caught only 95% of spam, but because those filters can filter like 0.5-1% (or even less) of the non-spam messages, and these looses for shure will be much more harmful than 95% of "good work". Here situation is the same. What will you do if tomorrow I (or someone) will register a lot of accounts at you, and I will start to send similar false reports about the sites of the all people with whom I have bad relationship? Or if someone will write very simple scri_pt that do this?

Well, I'm sorry for your service, I was thinking you have much bigger experience and also abilities to recognise if it is false report or no. Continue to keep users who send false reports and gather such kind of reports and look for your reputation.

Good bye.

[Miss Betsy]

Why do you think many people like I am dont use spam filters at all? Not because they dont like that filters caught only 95% of spam, but because those filters can filter like 0.5-1% (or even less) of the non-spam messages, and these looses for shure will be much more harmful than 95% of "good work".

Many people do use spamcop in just this way - to tag what may be spam. In conjunction with other filtering techniques, they get very few 'false positives.'

Continue to keep users who send false reports and gather such kind of reports and look for your reputation.

Spamcop does not keep users who send false reports. The reports, in fact, are just that: reports. It is up to the receiver of the report to decide whether it is false or not.

But in general, what does last words about "proof" means? Now you are suggesting me to give the "original spam message" or what??? Understand, you have all the facts, not I am, I just can tell you - its in your interests (and in my also) to check good this report, because it is false. Why it is false? Just because it is my site and I never sent spam letters.

We don't have any more facts that what you have given us. If that is spamcop report that you received, what site is yours? Do you mean the site in the body (message) of the email? That does look like a spam site.

Miss Betsy

[Merlyn]

I don't think it was a false report.

Looks like you have a problem being blocked in the following lists also:

-----------------------------------------------------------------------------------------

NJABLDYNA NJABL list of dynamic ip spaces: dynablock.njabl.org -> 127.0.0.3

Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html

--------------------------------------------------------------------------------

NJABLCOMBINED NJABL & NJABLDYNA combined: combined.njabl.org -> 127.0.0.3

Dynamic/Residential IP range listed by NJABL dynablock - http://njabl.org/dynablock.html

--------------------------------------------------------------------------------

CBL The CBL - Composite Blocking List: cbl.abuseat.org -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=62.143.42.217

--------------------------------------------------------------------------------

XBL Exploits Block List (includes CBL): xbl.spamhaus.org -> 127.0.0.4

http://www.spamhaus.org/query/bl?ip=62.143.42.217

--------------------------------------------------------------------------------

SBLXBL Combined zone to reduce queries. Includes both SBL and XBL zones: sbl-xbl.spamhaus.org -> 127.0.0.4

http://www.spamhaus.org/query/bl?ip=62.143.42.217

--------------------------------------------------------------------------------

BLARSBL Blars Block List: block.blars.org -> 127.1.0.17

--------------------------------------------------------------------------------

FIVETEN local bl at 510 Software Group: blackholes.five-ten-sg.com -> 62.143.176.169.ish.de.misc.spam.blackholes.five-ten-sg.com. -> 127.0.0.2

62.143.176.169.ish.de.misc.spam.blackholes.five-ten-sg.com.

miscellaneous address blocks that have sent spam here

--------------------------------------------------------------------------------

TRANSIPPROXY open proxies: proxy.block.transip.nl -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=62.143.42.217

--------------------------------------------------------------------------------

TRANSIPRES dynamic ip: residential.block.transip.nl -> 127.0.0.10

Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?62.143.42.217

--------------------------------------------------------------------------------

UCEPROTECTL2 UCEPROTECT®-Network Project - Level 2: dnsbl-2.uceprotect.net -> 127.0.0.2

Net 62.143.42.0/24 is Level 2 listed at UCEPROTECT-Network. See http://www.uceprotect.net/en/rblcheck.php?ipr=62.143.42.0

--------------------------------------------------------------------------------

SORBS spam and Open Relay Blocking System: Aggregate zone: dnsbl.sorbs.net -> 127.0.0.10

Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?62.143.42.217

--------------------------------------------------------------------------------

SORBSDUL Dynamic IP Address ranges (NOT a Dial Up list!): dul.dnsbl.sorbs.net -> 127.0.0.10

Dynamic IP Addresses See: http://www.sorbs.net/lookup.shtml?62.143.42.217

--------------------------------------------------------------------------------

DNSBLAUT1 Reynolds Technology Type 1: t1.dnsbl.net.au -> 127.0.0.2

Blocked - see http://cbl.abuseat.org/lookup.cgi?ip=62.143.42.217

62.143.42.217 See http://www.dnsbl.sorbs.net/cgi-bin/lookup?NAME=62.143.42.217

--------------------------------------------------------------------------------

DNSBLAUSORBS External Block List - SORBS: sorbs.dnsbl.net.au -> 127.0.0.2

62.143.42.217 See http://www.dnsbl.sorbs.net/cgi-bin/lookup?NAME=62.143.42.217

--------------------------------------------------------------------------------

HTH HAND

[Wazoo]

I don't think it was a false report.

Looks like you have a problem being blocked in the following lists also:

Ummmm .. minor detail (I think) but .. my initial research was done based on a spamvertised site being closed down by the hosting ISP. I'm not sure how that situation would feed into the BL info provided (which would more relate to "the spam" not being received in the first place <g>

I'm just having a hard time working up all the sympathy that this "might" deserve ....

Domain registered just a matter of days ago.

Domainname included the word "pharmacy"

Top-Level Domain includes ".info" .. used a ".biz" domain for DNS service.

Web-site described as a "doorway" .. sub-page titled "phentermine189" ..???? (can't help but wonder about the possible other pages that may have been there .... vailum97, viagra101, etc. ...)

ISP is apparently responsible for pulling the plug, one shouild assume "after some research"

Again, no one here "has the evidence" .... and no sign that any request for information has gone to those that can access the data.

[DavidT]

The site wasn't around long enough for Search engines to pick it up, apparently.

Look the domain up in Google again, and I think you'll find hundreds of hits to web-based forums where someone spammed the domain. It also shows up in "alt.lawyers" and "alt.flame" -- hmmm...interesting selection of newsgroups....wonder if someone is indeed trying to get this site in trouble?

DT

[DavidT]

I'm the owner of given "doorway" website ...

From what I know, I was never sending spam emails

I found over 600 hits in Google, which were all web forum posts linking to both "phenterminerxpharmacy.info" and to "7phentermine.com" both of which were registered on the 24th (using different registrars). I am the moderator of some web forums elsewhere that get hit with this kind of crap all the time, but they never see the light of day because I've changed the settings so that I have to approve each post before anyone can see it. That's a big pain in the ass, and it's due entirely to pharmacy website posts. So, "Zxx" if you're operating pharmacy-style websites, you're not likely to get any help here.

About IP/headers - I believe they were just copied from some real spam email, and probably you may prove this, if you check other reports of the user who has sent the report.

You might even be right about that, but if you're running pharmacy sites....

DT

[Jank1887]

I would suggest we mark this as: Resolved. As in, no more to see here. Just someone trying to get out of trouble with their ISP because they didn't think what they sent out was spam...

[dra007]

I would suggest we mark this as: Resolved. As in, no more to see here. Just someone trying to get out of trouble with their ISP because they didn't think what they sent out was spam...

That depends what you define spam spam is! To most of us here spam is spam.

[Farelf]

I would suggest we mark this as: Resolved. As in, no more to see here. ...

Agreed and done. The OP stalked off in high dugeon after his 29 Aug "goodbye" [well, it was 29 Aug in "my" TZ)] - thanks all those who contributed thereafter but as it happens he meant it.