ViRGE Posted July 18, 2007
I'm sure by now a lot of people here have seen it, and I'm at my wit's end now that the volume is so high and the Spamcop filters catch so little (24 made it through in the last 8 hours). Does anyone have some suggestions for stopping this, other than blocking PDFs entirely?
Telarin Posted July 18, 2007
Nothing useful yet, we've been seeing tons of this in the last few weeks as well. Hopefully as we keep reporting them, they'll get listed and slow down some.
StevenUnderwood Posted July 19, 2007
Both of mine received since 16-jul-2007 ended up in SpamCop's Held Mail folder with
X-SpamCop-Disposition: Blocked cbl.abuseat.org
http://www.spamcop.net/sc?id=z1363367697za...d5d995005282dbz
http://www.spamcop.net/sc?id=z1363367703z1...ee8999e8c1db2ez
jongrose Posted July 22, 2007
> Both of mine received since 16-jul-2007 ended up in SpamCop's Held Mail folder with X-SpamCop-Disposition: Blocked cbl.abuseat.org

I don't know how it is that your account is able to filter emails whose sending IP is blacklisted in cbl.abuseat.org and mine is not. I am still frequently getting email coming into my inbox that is identified as being on one of the blacklists I have enabled when I manually report it. None of the emails are whitelisted, and SA usually assigns a score of 0.0 to these spams w/ PDF attachments.
DavidT Posted July 22, 2007
> I don't know how it is that your account is able to filter emails whose sending IP is blacklisted in cbl.abuseat.org and mine is not.

I doubt that's the case, unless you don't have the CBL selected in your filtering blacklist options. It's more likely that Steven's "spam exposure profile" is different (lower) than yours, which has been the case when Steven and I have made comparisons in the past.

> I am still frequently getting email coming into my inbox that is identified as being on one of the blacklists I have enabled when I manually report it.

That's usually a case of lag time between the listings on those BLs and SpamCop's cache of the BL info. A while back, I removed the CBL and DSBL from my options due to excessive false positives. I think I'll try turning them back on and see what happens.

DT
jongrose Posted July 22, 2007
> I doubt that's the case, unless you don't have the CBL selected in your filtering blacklist options. It's more likely that Steven's "spam exposure profile" is different (lower) than yours, which has been the case when Steven and I have made comparisons in the past.

See my post here for examples of this happening in my account. Even IPs listed on SpamCop's BL got through. Although the majority of UCEs are caught and moved to my Held mail folder, they are 99% of the time caught by SA.
http://img59.imageshack.us/my.php?image=sp...ocklistsdu4.jpg
Notice that I have both CBL and XBL enabled, even though XBL is supposed to pull results from the CBL.

> A while back, I removed the CBL and DSBL from my options due to excessive false positives. I think I'll try turning them back on and see what happens.

Unfortunately for me, the opposite is true.

Moderator Edit: image tags removed .... pop-ups, attempted Flash installation, etc. .. absolutely no need to 'force' this on anyone/everyone that looks at this Topic ..... only folks that 'want' to go take a look can now click on the link to take a peek at the configuration settings depicted. Excess vertical whitespace removed.
Wazoo Posted July 22, 2007
Nothing said about Disposition line data. Nothing said about any whitelisting. No specific Tracking URLs in this Topic. Asked elsewhere .... was there any 'experimentation' done with the Beta WebMail application? Settings under that interface/account and the 'regular' interface/account may not match, also putting things into a mish-mash as far as actual operation ....
jongrose Posted July 23, 2007
> Moderator Edit: image tags removed .... pop-ups, attempted Flash installation, etc. .. absolutely no need to 'force' this on anyone/everyone that looks at this Topic ..... only folks that 'want' to go take a look can now click on the link to take a peek at the configuration settings depicted. Excess vertical whitespace removed.

I apologize if the link to the thumbnail attempted to do anything malicious. I, like users of most modern browsers, do not see any of that thanks to the default settings that block it. The reason I linked to the thumbnail is simply to allow users to choose whether they want to see the full-sized image or not w/o having it load the ~100kb image when viewing this topic. But, again, I apologize if this inconvenienced anyone. I would recommend that everyone run Firefox with the NoScript (which blocks JavaScript, Flash, XSS and other potentially malicious code) and AdBlock Plus extensions (just to name a few) or Opera.

... Are you asking me to post this info or the thread starter? For the sake of hopefully helping resolve my situation, I will answer the questions you've posted. I will refer back to the post I linked to above and the reports I filed for the spams that made it into my inbox but were listed on one of the blacklists I have selected. These are not the PDF spams the OP was referring to, however, but I have gotten those and I have seen many instances where the sender IP was in a blacklist. If necessary, I can post other data on past spams that made it into my inbox and were listed in one of the blacklists (or even future ones).

> Nothing said about Disposition line data.

Email 1
No disposition line. Sending IP listed in XBL and SORBS.
Email 2
No disposition line. Sending IP listed in SpamCop BL and SORBS.

> Nothing said about any whitelisting.

None of the emails are whitelisted.

> No specific Tracking URLs in this Topic.

I can post tracking URLs for spam attached w/ PDF where the sender IP is listed in one of the blacklists if required.

> Asked elsewhere .... was there any 'experimentation' done with the Beta WebMail application? Settings under that interface/account and the 'regular' interface/account may not match, also putting things into a mish-mash as far as actual operation ....

I am currently using Webmail Beta, although what type of experimentation or settings change would have this type of effect I am not aware of. All blacklists are enabled, SA is set to 5. Blocklists and whitelists are configured, but as there are no disposition lines indicating that the sending email addresses are listed on either, that would not be the case. No filters are set to move any mail out of Held Mail for any reason and no other settings I am familiar with would cause this behavior.
DavidT Posted July 23, 2007
> Asked elsewhere .... was there any 'experimentation' done with the Beta WebMail application? Settings under that interface/account and the 'regular' interface/account may not match, also putting things into a mish-mash as far as actual operation ....

I'm pretty sure that the Spamcop-specific settings are in a database shared by both the production and the beta versions, so this shouldn't be an issue.

BTW, in order to reduce the amount of spam slipping through to my inbox, I lowered my SA threshold from 5 to 4 a long time ago. Having it set at 5 will generally allow more spam to hit your inbox.

DT
StevenUnderwood Posted July 23, 2007
> Email 1
> No disposition line. Sending IP listed in XBL and SORBS.

IP Address Lookup
    85.108.206.134 is not listed in the SBL
    85.108.206.134 is listed in the PBL, in the following records: PBL043354
    85.108.206.134 is not listed in the XBL

PBL is not on my list of options for inclusion; SBL and XBL are both included. SORBS is not on the list as I see it either.

    DNS Blacklist              DNS Zone                  Website
    SpamCop Blacklist          bl.spamcop.net            www.spamcop.net/bl.shtml
    DSBL open relays           list.dsbl.org             dsbl.org
    Spamhaus Blacklist         sbl.spamhaus.org          www.spamhaus.org/sbl/
    South Korea (the country)  korea.services.net        korea.services.net
    China (the country)        cn.countries.nerd.dk      countries.nerd.dk/more.html
    Nigeria                    nigeria.blackholes.us     www.blackholes.us
    Argentina                  argentina.blackholes.us   www.blackholes.us
    Brazil                     brazil.blackholes.us      www.blackholes.us
    Composite Blocking List    cbl.abuseat.org           cbl.abuseat.org
    Spamhaus XBL               xbl.spamhaus.org          www.spamhaus.org/xbl/

> Email 2
> No disposition line. Sending IP listed in SpamCop BL and SORBS.

83.5.240.245 is not (currently) listed in bl.spamcop.net and probably was not when it passed through the system. Already discussed SORBS above.

I just had a thought. Are you referring to the lists in the parse?

    Message is 44.2 days old
    83.5.240.245 not listed in dnsbl.njabl.org
    83.5.240.245 not listed in dnsbl.njabl.org
    83.5.240.245 not listed in cbl.abuseat.org
    83.5.240.245 listed in dnsbl.sorbs.net ( 127.0.0.10 )
    83.5.240.245 not listed in accredit.habeas.com
    83.5.240.245 not listed in plus.bondedsender.org
    83.5.240.245 not listed in iadb.isipp.com

FYI, the parsing system and the Email system are separate entities. The list generated by the parser is there to help you determine if it really is spam (and how widespread the particular IP is listed). The ONLY DNSBL from this list that is also used by spamcop's email system is cbl.abuseat.org.
jongrose Posted July 24, 2007
@StevenUnderwood: The two emails you queried were several months old, so I suspect they would have dropped off the blocklists I mentioned some time ago. So, I did a very long bit of research this morning looking at all the spams that slipped through into my inbox and checked each IP against the blacklists that allow you to query them. I have included below a partial list of those emails, including links to the parsable email, the plain text email, the URL to the blacklisted IP inclusion (and a screen shot taken with a time & date stamp added) along with a screen shot of the spam being parsed through the manual reporting system. The links to the screen shots are direct links to the JPGs, so there will be no concern by viewing them.

All emails listed below are ones that came into my inbox and whose sending IP was on one of my selected blacklists at the time I queried and reported it. The ones at the very bottom (the last two I believe) were the most recent - they came into my inbox while I was doing this process; the ones at the top are sometimes several hours old or more. Although most are PDF spam, there are several that are not and are noted as such in the first line.

SC Report id# 240159253 (might also be id# 2401592531): Failed to identify sending IP as being listed in SORBS prior to this report being filed
Email shows to be received on SC server at 24 Jul 2007 01:24:46 (1:24:46 AM CST GMT -6)
Plain text: http://www.spamcop.net/sc?id=z136861620...;action=display
Parsable: http://www.spamcop.net/sc?id=z1368616203za...cedaf24c64fd53z
62.224.95.229 listed in SORBS
http://img441.imageshack.us/img441/165/sor...24015925ui0.jpg
SpamCop reporting tool did not identify 62.224.95.229 as being blacklisted by SORBS at Tuesday, July 24, 2007 4:44:34 AM -0500
http://img526.imageshack.us/img526/1395/sp...29240159ca3.jpg

SC Report id# 2401654486: Failed to identify sending IP as being listed in SpamCop BL, SpamHaus XBL, and CBL prior to this report being filed
Email shows to be received on SC server at 23 Jul 2007 19:16:57 (7:16:57 PM CST GMT -6)
Plain text: http://www.spamcop.net/sc?id=z136863903...;action=display
Parsable: http://www.spamcop.net/sc?id=z136863903...7aec2df8da69cez
72.54.148.2 listed in SpamCop BL: http://www.spamcop.net/w3m?action=checkblo...;ip=72.54.148.2
http://img295.imageshack.us/img295/5042/sp...82240165zb0.jpg
72.54.148.2 listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=72.54.148.2
http://img512.imageshack.us/img512/7380/sh...01654486tz4.jpg
72.54.148.2 listed in CBL: http://cbl.abuseat.org/lookup.cgi?ip=72.54...;.submit=Lookup
http://img410.imageshack.us/img410/4908/cb...01654486tj0.jpg
SpamCop reporting tool identified 72.54.148.2 as being blacklisted by CBL and as an open proxy at Tuesday, July 24, 2007 5:21:19 AM -0500
http://img178.imageshack.us/img178/4657/sp...24016544nf1.jpg

SC Report id# 2401683236: Failed to identify sending IP as being listed in SpamCop BL prior to this report being filed
Email shows to be received on SC server at 23 Jul 2007 19:28:50 (7:28:50 PM CST GMT -6)
Plain text: http://www.spamcop.net/sc?id=z136866844...;action=display
Parsable: http://www.spamcop.net/sc?id=z1368668440zd...8e7ed44527a47fz
216.144.215.142 listed in SpamCop BL: http://www.spamcop.net/w3m?action=checkblo...216.144.215.142
http://img259.imageshack.us/img259/4411/sp...21514224du4.jpg
SpamCop reporting tool did not identify 216.144.215.142 as being blacklisted at Tuesday, July 24, 2007 5:59:57 AM -0500
http://img339.imageshack.us/img339/20/spam...51422401pj6.jpg

SC Report id# 2401736835: Failed to identify sending IP as being listed in SpamHaus XBL and CBL prior to this report being filed
Email shows to be received on SC server at 23 Jul 2007 15:09:21 (3:09:21 PM CST GMT -6)
Parsable: http://www.spamcop.net/sc?id=z1368702704zb...7b2ce86c5ec090z
Plain text: http://www.spamcop.net/sc?id=z136870270...;action=display
196.28.255.109 listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=196.28.255.109
http://img174.imageshack.us/img174/6734/sh...92401736mc9.jpg
196.28.255.109 listed in CBL: http://cbl.abuseat.org/lookup.cgi?ip=196.2...;.submit=Lookup
http://img252.imageshack.us/img252/1717/cb...40173683vf2.jpg
SpamCop reporting tool identified 196.28.255.109 as being blacklisted by CBL and as an open proxy at Tuesday, July 24, 2007 6:45:06 AM -0500
http://img252.imageshack.us/img252/6392/sp...10924017ev6.jpg

SC Report id# 2401787317: Failed to identify sending IP as being listed in SpamHaus XBL and CBL prior to this report being filed (not PDF spam)
Email shows to be received on SC server at 23 Jul 2007 12:11:12 (12:11:12 PM CST GMT -6)
Parsable: http://www.spamcop.net/sc?id=z1368727548zb...30739c42c1463ez
Plain text: http://www.spamcop.net/sc?id=z136872754...;action=display
89.54.162.218 listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=89.54.162.218
http://img502.imageshack.us/img502/2876/sh...24017873mx3.jpg
89.54.162.218 listed in CBL: http://cbl.abuseat.org/lookup.cgi?ip=89.54...;.submit=Lookup
http://img401.imageshack.us/img401/5703/cb...01787317vb4.jpg
SpamCop reporting tool identified 89.54.162.218 as being blacklisted by CBL and as an open proxy at Tuesday, July 24, 2007 7:13:33 AM -0500
http://img442.imageshack.us/img442/2218/sp...18240178im9.jpg

SC Report id# 2401868931: Failed to identify sending IP as being listed in SpamCop BL, SpamHaus XBL, and CBL prior to this report being filed
Email shows to be received on SC server at 23 Jul 2007 10:35:37 (10:35:37 AM CST GMT -6)
Plain text: http://www.spamcop.net/sc?id=z136877565...;action=display
Parsable: http://www.spamcop.net/sc?id=z1368775658zc...9d079d85f8e475z
89.127.165.219 listed in SpamCop BL: http://www.spamcop.net/w3m?action=checkblo...=89.127.165.219
http://img338.imageshack.us/img338/7224/sp...65219240vj5.jpg
89.127.165.219 listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=89.127.165.219
http://img259.imageshack.us/img259/609/shx...92401868nr0.jpg
89.127.165.219 listed in CBL: http://cbl.abuseat.org/lookup.cgi?ip=89.12...;.submit=Lookup
http://img504.imageshack.us/img504/9805/cb...40186893fy6.jpg
SpamCop reporting tool identified 89.127.165.219 as being blacklisted by CBL and as an open proxy at Tuesday, July 24, 2007 8:15:50 AM -0500
http://img338.imageshack.us/img338/4589/sp...21924018oe7.jpg

SC Report id# 2401902474: Failed to identify sending IP as being listed in SORBS prior to this report being filed (not PDF spam)
Email shows to be received on SC server at 24 Jul 2007 12:56:44 (12:56:44 PM CST GMT -6)
Plain text: http://www.spamcop.net/sc?id=z136879219...;action=display
Parsable: http://www.spamcop.net/sc?id=z1368792191zc...fd1edb01dfc253z
193.250.30.110 listed in SORBS
http://img503.imageshack.us/img503/1696/so...02401902qd7.jpg
SpamCop reporting tool identified 193.250.30.110 as being blacklisted by SORBS at Tuesday, July 24, 2007 8:36:27 AM -0500
http://img103.imageshack.us/img103/4299/sp...11024019lm2.jpg

Moderator edit to replace mailsc with www so people can access the links provided.
StevenUnderwood Posted July 24, 2007
I will look at this when the SpamCop reporting page returns. Seems to have dropped off the face of the internet about 16:30 EDT.

As previously stated, SORBS is not an option you can check within SpamCop's webmail system, so I will not look at those.

Unfortunately, it appears the system being down wiped all your spamcop data. I am only interested in seeing what you are calling "Parsable", which is actually the TrackingURL (after I replaced all of the mailsc's with www so anyone other than yourself can get the link to work). The "Plain Text" link is available from that TrackingURL link.

I would like to see a screen shot of your spamcop webmail BL selections. However, it is likely the only person who can fully address your concerns is JT, the SpamCop email administrator. He will be able to check the logs and see if the lookups were skipped, the lookups timed out (which has been an issue in the past), or if the lookups were actually done and showed not listed (indicating caching issues).

From your 6th (of 7) sample (89.127.165.219), if the email came through right now, it should be caught by all the following lookups:

    > 219.165.127.89.bl.spamcop.net
    Server:  resolver2.opendns.com
    Address:  208.67.220.220:53

    Non-authoritative answer:
    Name:    219.165.127.89.bl.spamcop.net
    Address:  127.0.0.2

    > 219.165.127.89.cbl.abuseat.org
    Server:  resolver2.opendns.com
    Address:  208.67.220.220:53

    Non-authoritative answer:
    Name:    219.165.127.89.cbl.abuseat.org
    Address:  127.0.0.2

    > 219.165.127.89.xbl.spamhaus.org
    Server:  resolver2.opendns.com
    Address:  208.67.220.220:53

    Non-authoritative answer:
    Name:    219.165.127.89.xbl.spamhaus.org
    Address:  127.0.0.4
    >
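The lookups Steven ran by hand above, written out as an added example (my code, not SpamCop's or any poster's): reverse the octets to form the query name, count only a 127.0.0.x answer as a listing, derive the "Blocked <zone>" disposition the thread quotes from the first configured zone that hits, and put a fixed-TTL cache in front of the resolver to show the lag DavidT suspects. The ZONES tuple, CachedResolver, the answer table and the 72.54.148.2 walkthrough are all constructed for this example; the resolver is injected so it runs offline.

```python
import ipaddress
import time
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]  # query name -> A record text, or None (NXDOMAIN)

# The three zones Steven queried by hand for 89.127.165.219 (assumed list for this example).
ZONES = ("bl.spamcop.net", "cbl.abuseat.org", "xbl.spamhaus.org")


def dnsbl_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone:
    89.127.165.219 + bl.spamcop.net -> 219.165.127.89.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # ValueError on a malformed address
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip: str, zone: str, resolve: Resolver) -> Optional[str]:
    """Return the 127.0.0.x answer when the zone lists the IP, else None.
    Only 127.0.0.0/8 counts as a listing; any other answer (a zone signalling an
    error, or a dead zone's domain wildcarded by a squatter) is treated as unlisted."""
    answer = resolve(dnsbl_name(ip, zone))
    if answer is None:
        return None
    return answer if ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8") else None


def disposition(ip: str, zones, resolve: Resolver) -> Optional[str]:
    """Produce the header the thread quotes ('X-SpamCop-Disposition: Blocked cbl.abuseat.org'):
    the first configured zone that lists the sender decides. Zones that are not
    configured (SORBS, PBL) are simply never consulted, which is Steven's point."""
    for zone in zones:
        if is_listed(ip, zone, resolve):
            return "Blocked " + zone
    return None


class CachedResolver:
    """Fixed-TTL cache in front of a resolver (constructed for the example).
    Negative answers are cached too, so a 'not listed' fetched just before the IP
    is listed keeps admitting that sender until the entry expires: DavidT's lag."""

    def __init__(self, upstream: Resolver, ttl: float, clock=time.monotonic):
        self.upstream, self.ttl, self.clock = upstream, ttl, clock
        self._cache: Dict[str, tuple] = {}  # name -> (answer, expiry time)

    def __call__(self, name: str) -> Optional[str]:
        hit = self._cache.get(name)
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        answer = self.upstream(name)
        self._cache[name] = (answer, self.clock() + self.ttl)
        return answer


# Constructed offline answer table mirroring Steven's three nslookup results.
CONSTRUCTED_ANSWERS: Dict[str, str] = {
    "219.165.127.89.bl.spamcop.net": "127.0.0.2",
    "219.165.127.89.cbl.abuseat.org": "127.0.0.2",
    "219.165.127.89.xbl.spamhaus.org": "127.0.0.4",
}


def fake_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_ANSWERS.get(name)


def stale_cache_demo() -> tuple:
    """Resolve while unlisted, then list the IP upstream, then resolve again."""
    upstream: Dict[str, str] = {}                  # constructed: nothing listed yet
    now = [0.0]                                    # fake clock so the run is deterministic
    cached = CachedResolver(upstream.get, ttl=600, clock=lambda: now[0])
    before = disposition("72.54.148.2", ZONES, cached)     # None: genuinely unlisted
    upstream["2.148.54.72.cbl.abuseat.org"] = "127.0.0.2"  # CBL lists it (as jongrose saw)
    during = disposition("72.54.148.2", ZONES, cached)     # still None: cached miss
    now[0] = 601.0                                         # cache entries expire
    after = disposition("72.54.148.2", ZONES, cached)      # "Blocked cbl.abuseat.org"
    return before, during, after
```

Swapping `fake_resolve` for a real DNS lookup gives a live check; the stale-cache walkthrough is the case where the mail server's logs would show "not listed" even though a manual parse minutes later shows the IP listed.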
DavidT Posted July 24, 2007
Jongrose! Did you read the following before doing all your detailed research?

> I just had a thought. Are you referring to the lists in the parse?
> FYI, the parsing system and the Email system are separate entities. The list generated by the parser is there to help you determine if it really is spam (and how widespread the particular IP is listed). The ONLY DNSBL from this list that is also used by spamcop's email system is cbl.abuseat.org.

You mention SORBS in your research, and yet SORBS is *not* one of the BLs that's available in the SC Email account Blacklists. I'm guessing that Steven was correct, and that you are being confused by what you are seeing during manual parsing/reporting. Those details are almost *meaningless* when it comes to what will or will not be blocked/held by the BLs available to us.

DT
jongrose Posted July 25, 2007
> I will look at this when the SpamCop reporting page returns. Seems to have dropped off the face of the internet about 16:30 EDT. As previously stated, SORBS is not an option you can check within SpamCop's webmail system, so I will not look at those.

You're right, I'm not sure why I was querying that BL. Here is a JPG screenshot of my blacklist options:
http://img59.imageshack.us/img59/4297/spam...ocklistsdu4.jpg

> Unfortunately, it appears the system being down wiped all your spamcop data. I am only interested in seeing what you are calling "Parsable", which is actually the TrackingURL (after I replaced all of the mailsc's with www so anyone other than yourself can get the link to work). The "Plain Text" link is available from that TrackingURL link. I would like to see a screen shot of your spamcop webmail BL selections. However, it is likely the only person who can fully address your concerns is JT, the SpamCop email administrator. He will be able to check the logs and see if the lookups were skipped, the lookups timed out (which has been an issue in the past), or if the lookups were actually done and showed not listed (indicating caching issues).

I apologize for the mailsc links, thanks for fixing them. If I post this type of data in the future, I'll make sure the links are viewable by all. I just checked and you should be able to view the parsable URLs (is there a better name for them?). If the reporting server was down earlier, it appears to be up now.

> Jongrose! Did you read the following before doing all your detailed research? You mention SORBS in your research, and yet SORBS is *not* one of the BLs that's available in the SC Email account Blacklists. I'm guessing that Steven was correct, and that you are being confused by what you are seeing during manual parsing/reporting. Those details are almost *meaningless* when it comes to what will or will not be blocked/held by the BLs available to us.

David, you're right, I'm not sure why I was trying to look up the IPs in that database. Either way, emails 2-6 should have been caught by the filters, as they had nothing to do with SORBS, so I wouldn't say it's "meaningless". I can post more data like this if anyone would like to review it, just let me know what you want to see. It's just an extremely long project to do. I manually reported all the above listed spams, linked to the blocklists they were in, took screen shots of them being in the BL, cropped and time/date stamped them, then uploaded them and created a legible list.
DavidT Posted July 25, 2007
Just don't spend more time on it than it's worth. I checked the status line on all of the items that accumulated in my Held Mail folder for the last 24 hours, and while most of them were there due to SA scores over 4.0 (I strongly suggest not using the default setting of 5), there were items put there due to hits on the DSBL, the CBL, the SCBL, and the China BL (cn.countries.nerd.dk).

I think the most common reason for items to bypass getting put into Held Mail is a lag between the time the email hit your mailbox and the actual listing of the IP in a particular BL, and/or a lag between SpamCop's cache of that BL (I'm assuming that all the BL lookups aren't done live and in real time).

DT
mrmaxx Posted August 8, 2007
I would like to see some options for filtering on the body and/or attachments... I don't see any way (currently) to search for "attachment contains pdf" or anything like that, or maybe I'm missing something?

Also, can we do something about that greeting card crap? I've tried making filters for it, but I'm still getting a butt-load of that in my inbox.
DavidT Posted August 9, 2007
> I would like to see some options for filtering on the body and/or attachments... I don't see any way (currently) to search for "attachment contains pdf" or anything like that, or maybe I'm missing something?

That sounds like a "Feature Request," and unfortunately, those don't seem to get much attention around here...other than from fellow users.

> Also, can we do something about that greeting card crap? I've tried making filters for it, but I'm still getting a butt-load of that in my inbox.

Hmmm....I get lots of spam, but something is keeping me from seeing the greeting card items....I thought SpamCop was doing that, but it might be the Barracuda SF through which much of my mail passes on its way to SpamCop. IIUC, the antivirus systems have determined some of the greeting card stuff to be dangerous and are treating those incoming items as being infected.

DT
mrmaxx Posted August 16, 2007
> That sounds like a "Feature Request," and unfortunately, those don't seem to get much attention around here...other than from fellow users.
> Hmmm....I get lots of spam, but something is keeping me from seeing the greeting card items....I thought SpamCop was doing that, but it might be the Barracuda SF through which much of my mail passes on its way to SpamCop. IIUC, the antivirus systems have determined some of the greeting card stuff to be dangerous and are treating those incoming items as being infected.

Yeah... I saw something on Snopes about that... still would like to be able to skip the rest, though.. As you mentioned, the Barracuda seems to be doing a good job of filtering that crap. I'm filtered through a Barracuda here at work, and I get at most one or two spam messages per day that make it through the Barracuda. Most days, I don't even get that many.