Posts posted by ssybesma
Hi again Steve. As Steve T says, quite simply you cannot dummy a submission to make the parser find something it couldn't do by itself and then send the report as if the parser had done it all. That's the "material changes" rule (http://www.spamcop.net/fom-serve/cache/283.html). You can always use the parser to find reporting addresses with manually altered data, but you can't alter the spam that is reported.
Seems frustrating I know but SC relies on INTEGRITY which is closely guarded to maintain credibility and cooperation within the internet community. That's why those other tools are needed (instead of SC reports) and the SCbl handles only e-mail originating IP addresses, not web sites. Reports to the associated network admins are a courtesy only, in the hope they will take action to shut down the spammers abusing their services. In the case of websites that is the only SC action, no SCbl entry (though the SURBL, mentioned in one of those other topics indicated, does independently use SC spamvertized site data).
The parser is completely unable to follow redirections but I suppose you might be entitled to add an additional report recipient or two (if you are a paying user) reflecting anything you have found out yourself. (You need to be more than a bit cautious about following redirections by the way.) But anyway, you might then have some difficulty explaining in notes to those additional recipients what is going on since the report won't be indicating their networks. Very few of them are highly motivated towards anti-spamming activity, sadly. And the report has no consequences for them, as said - except if they are actually hard-core spammers, then the consequences could be a bit negative.
OK, very good. I'll abide by the rules. I registered with knujon.com, am trying to register with complainterator.com (although their site seems to be timing out when I attempt) and I sent an email to see about having the latter two domains added to Bill Stearn's blacklist. WorkFor375.com I noticed is already on the WS list, but that doesn't stop the problem like squashing the domains will. Think I hit all the bases possible.
-
Hi ssybesma.
Yes, unlike your browser, the parser won't take an implied link like WorkFor375.com and treat it as a link (which is one reason why the spammers/authors don't put in the full link). If it had the http:// bit in front of it, it would be processed. I dummied a submission (and cancelled it) - http://www.spamcop.net/sc?id=z5322915931za...00961daa75b681z
You can see it would work then, but can't pick up the redirection.
SpamCop is all about finding the e-mail source. You need to go to other tools to address the "spamvertized" links with full rigour. There are all sorts of problems and solutions associated with the links both innocent and spammy that can be found in a spam e-mail. See http://forum.spamcop.net/forums/index.php?showtopic=12362 for a recent discussion of another type of link resolution problem and some links to those other tools. See http://forum.spamcop.net/forums/index.php?showtopic=4085 for some background, if you haven't looked there already.
Steve
Very EXCELLENT reply Steve (my name is Steve as well).
How would I go about 'dummying' the submission to add the spamvertised website? I will check out the tools you mentioned, so that may take out the necessity of doing it that way and make my question moot.
The other thing I was thinking about, is that there is probably a better strategy of reporting spamvertised websites in the case of a redirected domain and a link to a domain.
I should probably go after the domain at the end of the line and work my way up, because if the domains farther out get reported last, they may not see the connection to the domain that I had to get to before that one if it was shut down already.
I didn't think about that initially and reported workfor375.com first (yesterday), then the redirected domain trustedssurveys.com right afterward, and then the link from the redirected domain (trustedsurveys.com) was reported today.
Shoulda did it the other way. Oops!
-
The reporting tool is missing the spamvertised website mentioned in the headers and the body of the spam below (my email and others obfuscated for privacy reasons). The name of the domain is workfor375.com.
I had to do the legwork myself and reported that domain, the domain it redirects to (trustedssurveys.com) and the domain that webpage contains a link to (trustedsurveys.com), as well as all three IP addresses to their respective hosting/allocating companies.
When I used spamcop on the spam below, all it reported to was Yahoo.
============================================================
Return-path: <thezeroplan128[at]yahoo.com>
Envelope-to: <OBFUSCATED FOR PRIVACY REASONS>
Delivery-date: Sun, 06 May 2012 03:34:52 -0500
Received: from nm16-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.131])
by server509.webhostingpad.com with smtp (Exim 4.69)
(envelope-from <thezeroplan128[at]yahoo.com>)
id 1SQwvY-0047HO-EC
for <OBFUSCATED FOR PRIVACY REASONS>; Sun, 06 May 2012 03:34:52 -0500
Received: from [98.139.212.151] by nm16.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
Received: from [98.139.212.240] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
Received: from [127.0.0.1] by omp1049.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 248258.25919.bm[at]omp1049.mail.bf1.yahoo.com
Received: (qmail 95838 invoked by uid 60001); 6 May 2012 08:34:47 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1336293287; bh=iLdWCppUyJWwtTtwpaXIbQtCd9bWuEy8P1VLHBZrY58=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type; b=pOe5jE9noygec3LcP2Sjhym3zN39aNMDzO3lttjyLv4ZXtBfhSuAEXTLCSYnAGyeF1rOEPwYPpX/zgufkDjB9I1OX/TmpB7QA9ABKWwbAeC6uT6VgkzBlBY8CAdyhPwc2zxLGSErr9xUIu90fQDJZ0uMpQe9NnWnu+EbxLUYgXQ=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
s=s1024; d=yahoo.com;
h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type;
b=TQtMk7TgXQUstyeoWuy4IpDHpe+J0e5rmgOjP2I/N6nxZwzXquRJTisZbxZmaTYM4d+ilUxpuaavJRvK7IUQLbz2M//u0U2W1uiGGGDX0pvZrnuKM8jX6ih4wwIvhRTCpA0SSpX0QJX5tCW1F7L7IJjnGwADG7SaBQR/2J6nKDk=;
Received: from [178.88.10.39] by web161802.mail.bf1.yahoo.com via HTTP; Sun, 06 May 2012 01:34:47 PDT
X-Mailer: YahooMailWebService/0.8.117.340979
Message-ID: <1336293287.86220.YahooMailRC[at]web161802.mail.bf1.yahoo.com>
Date: Sun, 6 May 2012 01:34:47 -0700 (PDT)
From: Jake Bufton <thezeroplan128[at]yahoo.com>
Reply-To: Jake Bufton <thezeroplan128[at]yahoo.com>
Subject: hey, i have a question about your ad
To: mikaisme at hotmail dot com [NOTE: probably a test address or a mailing list address]
Cc: <OBFUSCATED FOR PRIVACY REASONS>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Status: No, score=1.7
X-Spam-Score: 17
X-Spam-Bar: +
X-Ham-Report: Spam detection software, running on the system "server509.webhostingpad.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.
Content preview: Hey, I like working with people that post ads online, since I already know that you basically know your way around a computer. I need a few people here in town for some part-time help with some online work that I have. The work is very easy, but it's too much for me to by myself, so I thought that I'd email a few people and see if you'd be interested. [...]
Content analysis details: (1.7 points, 4.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no
trust
[98.139.213.131 listed in list.dnswl.org]
1.6 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
[URIs: workfor375.com]
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(thezeroplan128[at]yahoo.com)
0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
(jake bufton <thezeroplan128[at]yahoo.com>
)
-0.0 T_RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
digit (thezeroplan128[at]yahoo.com)
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
1.5 URIBL_RHS_DOB Contains an URI of a new domain (Day Old Bread)
[URIs: workfor375.com]
X-Spam-Flag: NO
Hey,
I like working with people that post ads online,
since I already know that you basically know your
way around a computer. I need a few people here
in town for some part-time help with some online
work that I have. The work is very easy, but it's too
much for me to by myself, so I thought that I'd email
a few people and see if you'd be interested.
Just go to my website for more information
and to apply if you're interested:
WorkFor375.com
Just copy and paste the above link
into your web browser.
****************************************
If you don't want to receive any
more email from us, just go to
WorkFor375.com/remove
****************************************
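An added illustration of the two behaviours discussed in this thread (it is not code from the thread or from SpamCop): a strict link extractor that, like the parser as described above, only accepts links with an explicit scheme misses a bare domain such as WorkFor375.com, while a lenient one picks it up; and taking the first Received line stamped by the recipient's own mail host yields Yahoo's relay IP, which is why the report went only to Yahoo. The sample body and Received lines are constructed from the spam quoted above, and the TLD list in BARE_HOST is a stub rather than a real public-suffix list.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample body modelled on the spam quoted in this thread: two
# bare references (no scheme) plus one explicit link for contrast.
SAMPLE_BODY = """Just go to my website for more information
and to apply if you're interested:
WorkFor375.com
Just copy and paste the above link into your web browser.
If you don't want to receive any more email from us, just go to
WorkFor375.com/remove
Full details: http://www.example.net/info"""

# Constructed Received lines, newest hop first, using the IPs quoted above.
SAMPLE_RECEIVED = [
    "from nm16-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.131]) "
    "by server509.webhostingpad.com with smtp (Exim 4.69)",
    "from [98.139.212.151] by nm16.bullet.mail.bf1.yahoo.com with NNFMP",
    "from [178.88.10.39] by web161802.mail.bf1.yahoo.com via HTTP",
]

# Strict: only links with an explicit scheme (the parser behaviour described).
SCHEME_URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Lenient: a bare host ending in one of a few common TLDs (stub list), not
# preceded by a scheme, path component or mailbox local part.
BARE_HOST = re.compile(
    r"(?<![\w@/.])((?:[a-z0-9-]+\.)+(?:com|net|org|info|biz))(?=[/\s]|$)",
    re.IGNORECASE,
)

def spamvertised_hosts(body: str, require_scheme: bool = True) -> List[str]:
    """Return unique, lower-cased hostnames referenced in a message body."""
    hosts = [urlsplit(m.group(0)).hostname for m in SCHEME_URL.finditer(body)]
    if not require_scheme:
        hosts += [m.group(1).lower() for m in BARE_HOST.finditer(body)]
    return sorted({h for h in hosts if h})

def handoff_ip(received: List[str], own_host: str) -> Optional[str]:
    """IP in the first Received line stamped by our own mail host: the last
    hop we can trust, and therefore the address the report is sent to."""
    for line in received:
        if f"by {own_host}" in line:
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
            return m.group(1) if m else None
    return None

if __name__ == "__main__":
    print(spamvertised_hosts(SAMPLE_BODY))                        # ['www.example.net']
    print(spamvertised_hosts(SAMPLE_BODY, require_scheme=False))  # adds workfor375.com
    print(handoff_ip(SAMPLE_RECEIVED, "server509.webhostingpad.com"))  # 98.139.213.131
```

The hop recorded by Yahoo's own webmail (178.88.10.39 via HTTP) is deliberately not used, since everything past the first trusted handoff can be forged by the sender.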
WOW!!! Quick SUCCESS on squashing one of the three domains. Never realized it was so easy.
This is totally FUN!!!
I am awaiting word on the initial spamvertised domain WorkFor375.com, as well as the end domain where the business is actually done (TrustedSurveys.com). The middle domain that the first one redirects to (TrustedSSurveys.com) is the one I just now got shut down.
Like I said earlier, I should have reported the end domain first. Oh, well.
What I did on this, was go around the WhoisGuard'ed domain names and go to ARIN to find out who had the IP addresses and was able to find out who hosted the sites that way. Works REALLY great!
At the end, I sent a gloating email to the email address mentioned on the end website that actually does the spamvertised business. I couldn't help myself. Why not?
Steve
====================
Hello,
Thank you for notifying us.
I have suspended the website trustedssurveys.com.
Sincerely,
Ted Smith
Security Specialist
Endurance International Group
-----Original Message-----
From: Shimon Bakshi
Sent: Tue 08-May-12 14:40
To: cogentabuse
Subject: FW: spammer using IP address registered to you
From: Steve [mailto:steve[at]vwebr.net]
Sent: Tuesday, May 08, 2012 10:43 AM
To: #CustomerRelations
Subject: spammer using IP address registered to you
Hello,
Please forward this to your abuse dept or the dept that handles webhosting or IP services.
The following is information regarding someone who is spamming a work-at-home scam using the domain workfor375.com, which redirects to trustedssurveys.com
The domain trustedssurveys.com (note there is a doubled 's') has been obfuscated because the person is using Namecheap.com's Whoisguard service.
HOWEVER, the IP address that trustedssurveys.com points to is 65.254.250.110.
According to ARIN, that IP address is in your CIDR block.
Can you please look into de-allocating/de-registering that IP address?
I will forward the spam to you with all headers right after this email, but the domain name referred to is clearly in the spam and it redirects to the domain having the IP address in your CIDR block.
Thank you,
Steve Sybesma
Lafayette, CO
720-934-2484
[Querying whois.arin.net]
[whois.arin.net]
NetRange: 65.254.224.0 - 65.254.255.255
CIDR: 65.254.224.0/19
OriginAS:
NetName: BIZLAND-FC03
NetHandle: NET-65-254-224-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
RegDate: 2004-01-06
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-65-254-224-0-1
OrgName: The Endurance International Group, Inc.
OrgId: EIG-12
Address: 70 Blanchard Road
City: Burlington
StateProv: MA
PostalCode: 01803
Country: US
RegDate: 2005-02-07
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/EIG-12
OrgTechHandle: BBR189-ARIN
OrgTechName: Brock, Brian
OrgTechPhone: +1-781-852-3254
OrgTechEmail: bnbrock[at]maileig.com
OrgTechRef: http://whois.arin.net/rest/poc/BBR189-ARIN
OrgAbuseHandle: BBR189-ARIN
OrgAbuseName: Brock, Brian
OrgAbusePhone: +1-781-852-3254
OrgAbuseEmail: bnbrock[at]maileig.com
OrgAbuseRef: http://whois.arin.net/rest/poc/BBR189-ARIN
OrgNOCHandle: ENO74-ARIN
OrgNOCName: EIG Network Operations
OrgNOCPhone: +1-339-234-9762
OrgNOCEmail: netmon[at]maileig.com
OrgNOCRef: http://whois.arin.net/rest/poc/ENO74-ARIN