
how to fight this kind of spam


daizzzy


how to report this kind of spam? SC sends abuse to yahoo, but it's misleading.

p.s. i couldn't use quote or code tag for mail source code (( are they working?

Delivered-To: *****

Received: by 10.100.201.17 with SMTP id y17cs68468anf;

Thu, 30 Oct 2008 01:44:40 -0700 (PDT)

Received: by 10.150.121.3 with SMTP id t3mr8917708ybc.131.1225356280593;

Thu, 30 Oct 2008 01:44:40 -0700 (PDT)

Return-Path: <corneliusspurrial2554441[at]yahoo.com>

Received: from n8.bullet.re3.yahoo.com (n8.bullet.re3.yahoo.com [68.142.237.93])

by mx.google.com with SMTP id 6si1915233gxk.63.2008.10.30.01.44.39;

Thu, 30 Oct 2008 01:44:39 -0700 (PDT)

Received-SPF: pass (google.com: domain of corneliusspurrial2554441[at]yahoo.com designates 68.142.237.93 as permitted sender) client-ip=68.142.237.93;

DomainKey-Status: good (test mode)

Authentication-Results: mx.google.com; spf=pass (google.com: domain of corneliusspurrial2554441[at]yahoo.com designates 68.142.237.93 as permitted sender) smtp.mail=corneliusspurrial2554441[at]yahoo.com; domainkeys=pass (test mode) header.From=corneliusspurrial2554441[at]yahoo.com

Received: from [68.142.237.87] by n8.bullet.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000

Received: from [216.252.111.168] by t3.bullet.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000

Received: from [127.0.0.1] by omp103.mail.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000

X-Yahoo-Newman-Property: ymail-3

X-Yahoo-Newman-Id: 339748.58950.bm[at]omp103.mail.re3.yahoo.com

Received: (qmail 15577 invoked by uid 60001); 30 Oct 2008 08:44:39 -0000

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;

s=s1024; d=yahoo.com;

h=Received:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID;

b=bXgHje4EBUoFzNNABBEB0E/EXc0sC4pBWE4sEdMLqzy8P0/2HC+QJ+mnFiGGKPSMeVe0vruKIRMqC003N31eJ+iXQZtoERMMzhkPHaibu9Lkm8HPpvfnBOH2CPiFc7RWYzdQ4BwLCPS3bqnLWknuhhxXVqimhS9NUmvB+IFQD/o=;

Received: from [85.87.241.196] by web57410.mail.re1.yahoo.com via HTTP; Thu, 30 Oct 2008 01:44:39 PDT

Date: Thu, 30 Oct 2008 01:44:39 -0700 (PDT)

From: Cornelius Spurrial <corneliusspurrial2554441[at]yahoo.com>

Subject: seeix up your life her

To: daddieskitten1966[at]sbcglobal.ne

Cc: pcurrynew[at]aol.com, shineon[at]blueyonder.co.uk,

sjdhkj[at]gfhklj.com, acerroo[at]sbcglobal.net, ckroll[at]tmail.com,

bryanindelmar[at]yahoo.com, seancnd[at]hotmail.com, electroshy26[at]yahoo.com,

memo85_85[at]hotmail.com, tmthyis07[at]yahoo.com, martinezjr.alexander[at]gmail.com,

aaghtsbbddf[at]hotmail.com, aschwemmer[at]vjf.inserm.fr, airichiro[at]aol.com,

chstrfox[at]yahoo.com, kid-vargas[at]hotmail.com, naughty_alyssa21[at]hotmail.com

MIME-Version: 1.0

Content-Type: text/plain; charset=iso-8859-1

Content-Transfer-Encoding: 8bit

Message-ID: <138732.14265.qm[at]web57410.mail.re1.yahoo.com>

mary cake round low rings ma hues mist.

google.com/notebook/public/05377497236356013399/BDQqXSgoQrbKf0dIj/?harkwerzrspillpewtyr2elbow


First of all, you are giving a sexually harassing spammer free publicity with the URL below. I hope a moderator will be along very soon to remove it! When posting an example it is always best to provide a tracking URL rather than to paste even the spam header. Certainly the body of a spam should never be pasted. See here for instructions on how to obtain a tracking URL.

To me as a technically non-fluent SpamCop user it is not clear what your problem is with reporting. I think you will need to explain it more clearly. Then technically fluent people will be along to help you with your problem, probably as dawn breaks on the shores of America (although certain Western Australian specialists may also find the time in their afternoon schedule...)


I think your problem is that you are not forwarding as attachment. I haven't read much of this topic, but StevenUnderwood says:

My solution above has nothing to do with holding down any button. With Yahoo! Mail Classic, there is a pulldown next to Forward which offers:

Forward

|-As Inline Text

|-As Attachment

This works in IE, FireFox and Safari on Windows. I don't see why it would not also work on a MAC.

I also think that if you are not using Yahoo! Mail Classic, you don't have that option, but I am not sure on that point.

Miss Betsy


I think your problem is that you are not forwarding as attachment. I haven't read much of this topic, but StevenUnderwood says:

I also think that if you are not using Yahoo! Mail Classic, you don't have that option, but I am not sure on that point.

sorry, didn't get it completely )

let me explain in other words. spammers are using techniques which SC can't process correctly. and i don't think it's possible to do automatically. i just need some recommendations how to do it manually.


Usually people who are having trouble submitting spam are not 'forwarding as attachment'. However, I see now why you were confused.

I think, for better advice, that you should post a Tracking URL (a definition can be found Here in the spamcop glossary)

I am not an expert at reading headers, but it looks to me as though the spam did come from yahoo. The parser may not have been able to pick up the IP address that posted to yahoo (which I think is there).

However, if you get the Tracking URL, that would help people decide why the parser stopped when it did.

Miss Betsy

PS you can cancel the report if you have to submit it again to get a Tracking URL.


I'd be interested to learn how to forward as attachment using yahoo too!

So you know, they removed the pull down menu they USED to have. It's gone.

And... using a mac, there is NO WAY to get any option to forward as attachment.

NO holding down command, (same as control on pc.) It doesn't work.

I've been through this with yahoo's live help. They confirmed that it does not work and "are working on it."

If there is any way to manually forward spam to spamcop again, I would love to know. It's been growing since yahoo "improved" their system.


Hi daizzzy,

You are correct that the parser does identify a Yahoo! server as the source but it also appears that Yahoo! is the first mail server in the headers...

However, there does appear to be an IP for the originating PC at 85.87.241.196 which the parser didn't identify. There are better informed users than me around so perhaps someone can say why 85.87.241.196 isn't picked up. Interestingly the SenderBase score for this IP is poor (626%) and it is listed in dnsbl.sorbs.net, cbl.abuseat.org and pbl.spamhaus.org - but not the scbl.

For artmaker, there are other threads which I think have been posted previously for you which address the Yahoo! mail issue. It seems the new Yahoo! interface has dropped the inline-attachment option. You would need to switch back to the classic interface if you have that ability to gain the attachment option.

Andrew


Here is a parse of that data:

http://www.spamcop.net/sc?id=z2376517940ze...009998950373fcz

It seems to pick up host 85.87.241.196 = 196.85-87-241.dynamic.clientes.euskaltel.es which Andrew mentions.

We would need to see the O/P's tracking URL to see why that didn't go the same way.

[On edit] Ah, I see, variable results! View the parse one time it says

If reported today, reports would be sent to:

Re: 85.87.241.196 (Administrator of network where email originates)

postmaster[at]euskaltel.es

abuse[at]t-ipnet.de

abuse[at]euskaltel.com

Processed by <!-- 05look $Revision: #1 $ produced by sc-app12 -->

View it another time, it says "No master" (Ah, how many times have I heard that? But I digress)

If reported today, reports would be sent to:

Re: 85.87.241.196 (Administrator of network where email originates)

nomaster[at]devnull.spamcop.net

<!-- 05look $Revision: #1 $ produced by sc-app10 -->

Thanks!

What I'm going to guess at ..... Yahoo has added more e-mail servers to their server farm that have not been identified in the 'shared' MailHost Configuration database.

Possible actions: try to add this new data yourself by 'adjusting' your MailHost Configuration of your Reporting Account .... or contact Don/Deputies to get them to do a bit of manual updating to the same database.

Why I come to this probable conclusion: your Tracking URL lines;

1: Received: from [85.87.241.196] by web57410.mail.re1.yahoo.com via HTTP; Thu, 30 Oct 2008 01:44:39 PDT

Hostname verified: 196.85-87-241.dynamic.clientes.euskaltel.es

Possible forgery. Supposed receiving system not associated with any of your mailhosts

Will not trust anything beyond this header

The "receiving" system is in fact a Yahoo asset, but not found within the MailHost Configuration database.

Dig web57410.mail.re1.yahoo.com[at]208.67.220.220 ...

Non-authoritative answer

Recursive queries supported by this server

Query for web57410.mail.re1.yahoo.com type=255 class=1

web57410.mail.re1.yahoo.com MX (Mail Exchanger) Priority: 0 Malformed name

BTW: Quote is seen working at the top of this post.

testing
testing
testing

no problem seen with the 'code' tags either. How are you trying to use them?


The difference between the parses (the genuine one above and my re-creation in linear post 9 further above) apparently comes about because of mailhosting, my test (and subsequent re-test) being with a non-mailhosted account. In this instance, I would prefer the non-mailhosted rendition (mine) which seems to indicate an entirely probable source (as Andrew points out) but, alas, nothing can be done about that (other than manual reporting). The purpose of the mailhosting is to make it harder for cunning header forgeries to slip through the reporting and we can only bring it to the attention of the SC staff if we think it might have goofed in some specific instance in case there is some systemic problem with the parser logic/process. I am not really confident that it has goofed in this case but it does look so to me.

[on edit - ah, Wazoo suggests another possibility and some things the O/P can try]


I'd be interested to learn how to forward as attachment using yahoo too!

So you know, they removed the pull down menu they USED to have. It's gone.

And... using a mac, there is NO WAY to get any option to forward as attachment.

NO holding down command, (same as control on pc.) It doesn't work.

Are you using Yahoo! Mail Classic (does it say that just above the 4 tabs)? I most certainly have the option as I used copy/paste to make my post earlier. I do use the free option... things may be different if you are using one of the paid versions either directly through Yahoo or from one of the other providers using Yahoo.


guys, i'm using only gmail, i don't know why u all are talking about yahoo ))
Relax daizzzy - we've diverged into two conversations (because Yahoo was in the headers) but thanks for confirming you're only involved in the original topic. Have you looked at Wazoo's response (further above) on the matter of mailhosting? Seems like it's time for you to contact Don - service[at]admin.spamcop.net - to see if there's something with the mailhosts setup that needs fixing. The rest of 'us' can't really see any other reason for your parse not drilling down to what we think is the actual spam injection. But Don knows all that stuff inside out.

guys, i'm using only gmail, i don't know why u all are talking about yahoo ))

The issue is that there is another Forum user that hasn't quite got things sorted out on how to use this thing. So she unfortunately keeps jumping into other people's Topics/Discussion to toss in her issues with her use of Yahoo on a Mac. Then she seems not to ever follow-up, the appearance is that she can't find or simply doesn't look for her previous posts ... there are loads of questions that she's never gotten around to answering.

Yet another PM sent to her about her actions.


...

The problem is that the Yahoo servers in his spam aren't included in our "Trusted Relays" database.

I added them to the list, and the parse is working correctly now. ...

Thanks Don! daizzzy, if you pull up your (old) parse you will see that it automagically goes right down to the actual spammer now. Too late for that particular instance but any future handling by those Yahoo relays will be properly tracked through. Properly handled for everyone - including for those users who didn't even realise there was anything wrong. So your query has helped lots of people. Including the beleaguered network-abuse[at]cc.yahoo-inc.com. They ought to give you a medal!

Ah, synergy!

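The trust walk that explains both parses in this thread, as an added example that is not part of the original posts and is not SpamCop's parser code: a Received header is believed only while the receiving ("by") host is a trusted relay, because everything below that point can be written by the sender. The trust lists and the names `find_source`, `is_trusted`, `BEFORE` and `AFTER` are constructed assumptions; the thread does not say which hosts were in the database before the fix.

```python
import email
import ipaddress
import re

# Received headers from the message posted in this thread, newest first.
RAW = """\
Received: by 10.100.201.17 with SMTP id y17cs68468anf;
 Thu, 30 Oct 2008 01:44:40 -0700 (PDT)
Received: by 10.150.121.3 with SMTP id t3mr8917708ybc.131.1225356280593;
 Thu, 30 Oct 2008 01:44:40 -0700 (PDT)
Received: from n8.bullet.re3.yahoo.com (n8.bullet.re3.yahoo.com [68.142.237.93])
 by mx.google.com with SMTP id 6si1915233gxk.63.2008.10.30.01.44.39;
 Thu, 30 Oct 2008 01:44:39 -0700 (PDT)
Received: from [68.142.237.87] by n8.bullet.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000
Received: from [216.252.111.168] by t3.bullet.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000
Received: from [127.0.0.1] by omp103.mail.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000
Received: (qmail 15577 invoked by uid 60001); 30 Oct 2008 08:44:39 -0000
Received: from [85.87.241.196] by web57410.mail.re1.yahoo.com via HTTP; Thu, 30 Oct 2008 01:44:39 PDT
"""

# Constructed trust lists (domain suffixes). AFTER models the fix described
# in the thread: the missing Yahoo web front ends are added as trusted relays.
BEFORE = {"mx.google.com", "bullet.re3.yahoo.com", "mail.re3.yahoo.com"}
AFTER = BEFORE | {"mail.re1.yahoo.com"}

# Matches the "from ... [ip] ... by host" pair of one Received header.
HOP = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\sby\s+(\S+)", re.S)

def is_trusted(host, trusted):
    host = host.lower().rstrip(".;")
    return any(host == t or host.endswith("." + t) for t in trusted)

def find_source(raw_headers, trusted):
    """Walk the chain newest-first; return (source_ip, note)."""
    source, note = None, "chain fully trusted"
    msg = email.message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue  # internal hand-off without a from/by pair
        ip, by_host = m.group(1), m.group(2)
        if not is_trusted(by_host, trusted):
            # The header may be forged: ignore it and everything below it.
            note = f"stopped: {by_host} is not a trusted relay"
            break
        if ipaddress.ip_address(ip).is_global:
            source = ip  # loopback/private hops never become the source
    return source, note
```

With `BEFORE` the walk stops at web57410.mail.re1.yahoo.com and the report goes to a Yahoo relay; with `AFTER` it reaches 85.87.241.196.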

It is interesting that the topic starter of this topic titled "how to fight this kind of spam" insists on generating their own spam using the forum signature as the medium. The signature has been removed twice so far. We realize that there are not clear cut rules on what can be included in a signature, but there are limits and they will be enforced.


Archived

This topic is now archived and is closed to further replies.
