Wazoo

Forum Admin
  • Posts

    13,222

Everything posted by Wazoo

  1. So much stuff is in the configuration settings, most of which have not been changed/updated. Only now got to a place where I could check in to see why I was getting all the failure messages from Google about all the dead URLs and systems. And .. only now do I find out what the cause was. Do I guess that stuff other than this "new" install of this IPB Board didn't make the move? Based on the message traffic and the unchanged settings seen here, I've got to guess that a lot of stuff is gone or broken. Off to poke around and see what else has happened. A bit later .... ouch. all those years of code manipulation, all gone. Noted that there is yet one more update to the board software that hasn't been applied. Dropped a PM to RW to ask for some guidance.
  2. What types of connections have you tried in the "away" mode? For example, I seem to recall having issues with WEP when trying to use the pass phrase, but worked fine when I used the hex string. What firewall might you be using, thinking of a setting for "trusted" networks being involved??? For example, I've been forced to notice that some of the default settings are different between manufacturers (and even different model numbers from the same vendor) some using 192.168.0.x, others using 192.168.1.x.
  3. Sent a note upstream, asking for something more direct. This would probably fall under the need for an 'engineering request' even further upstream, so even if agreed to, it might take some time to implement.
  4. http://www.spamcop.net/sc?track=223.130.209.13

    Parsing input: 223.130.209.13
    Display data: "whois 223.130.209.13[at]whois.arin.net" (Getting contact from whois.arin.net )
    Redirect to apnic: "whois 223.130.209.13[at]whois.apnic.net" (Getting contact from whois.apnic.net mirror)
    Display data: whois.apnic.net redirects to krnic
    Display data: "whois 223.130.209.13[at]whois.krnic.net" (Getting contact from whois.krnic.net) - not found
    No reporting addresses found for 223.130.209.13, using devnull for tracking.

    http://www.spamcop.net/sc?action=showcmd;c...whois.krnic.net

    [ Network Information ]
    IPv4 Address : 223.130.128.0 - 223.130.255.255 (/17)
    Service Name : JNDINFO
    Organization Name : JND Communication
    Organization ID : ORG828317
    Address : 1056-11 5F JNDINFO.CO, Gyeonggi-do Gwonseon-dong
    Zip Code : 441-390
    Registration Date : 20100729

    [ Admin Contact Information ]
    Name : jang hyun wook
    Phone : +82-31-226-9399
    E-Mail : comnetjw[at]hanmir.com

    [ Tech Contact Information ]
    Name : jung boung woo
    Phone : +82-31-226-9399
    E-Mail : comnetjw[at]hanmir.com

    [ Network Abuse Contact Information ]
    Name : kim young-sook
    Phone : +82-31-221-7722
    E-Mail : young55[at]naver.com
  5. Wazoo

    Forum spam

    and yet again, still, on and on .... 'spam king' Wallace indicted for Facebook spam Wallace, 43, was indicted in July by a San Jose, Calif., grand jury on three counts of intentional damage to a protected computer and two counts of criminal contempt, according to the U.S. Attorney's Office in the Northern District of California. Wallace allegedly compromised approximately 500,000 Facebook accounts during three separate attacks on the social-networking giant between November 2008 and March 2009. .... Wallace, who was ordered by U.S. District Court Judge Jeremy Fogel in 2009 not to access Facebook, was also charged with violating that order by accessing the social network on an airline flight from Las Vegas to New York in April 2009 and by maintaining an account under the name David Sinful-Saturdays Fredericks for a few weeks earlier this year. ....
  6. Coming in a bit late, maybe you've already got it sorted ... but, the first jump to me (making the assumption that Windows is involved) would be the 'computer/hardware profile' .... the 'undocked' mode disabling the hardware ethernet interface, or possibly simply not recognizing it at all in that mode. Moved the Topic, as per your request.
  7. Is this customer doing DNS-lookups for something other than handling incoming e-mail? The SpamCopDNSBL is "very" dynamic .. nothing like other BLs.
  8. I know you said that the server was hacked, but .... the 'adding a few lines to all the .js files' seems extremely out of the ordinary. More typical is the action of adding in something like an iframe bit to effect this sort of cross-site-scripting. The quick-check would be something simple like the file-dates of the web-page creation files .... the typical hack of this sort would leave an .html or .php file with the most recent date showing. But, yes, it would depend on the craftiness of the hacker. Although my immediate reaction would be to get the bad code off-line and replaced with a copy of the 'backed-up good' version, the question of analysis is still valid, I suppose. Again, my first reaction .... hit it with the FireFox add-on tool "firebug" which would allow one to pretty much see the page make-up. You didn't say whether you had anything above user-level access to this server, but even then, the majority of the codebase structure should be available. Of course, the killer question is whether the hack vector has been discovered and closed. The entrance may not have actually been a server-hack, it may boil down to an exploitable application running on the web-server, the more typical problem of something allowed to get into the SQL database that then gets included on the displayed pages that is allowed to progress on exploitable (or trusting) web-browsers.
  9. At the top of this page, check the dropdown menu offered under the link FAQs & Words .... The Glossary hasn't been touched in quite a while as we've tried to move it all over into the Wiki. Please see Why are there so many different account names/passwords needed? SpamCop Reporting Accounts OK, you had a SpamCop e-mail account. It would follow that you have things set-up to log into either webmail.spamcop.net or mailsc.spamcp.net ..... both would be trying to use the credentials of this "paid" account, and trying to connect to the CESMail servers. Pointing your web-browser to www.spamcop.net should allow you to then login using your non-SpamCop.net e-mail account data (or Register using that address??) as this would use the Cisco/IronPort/SpamCop servers for the Parsing & Reporting System. Can't think of that many instances where the MailWasher "Bounce" feature has been mentioned without the pretty much automatic answer being provided. Do NOT use it!! It is a wonder that they still include that function, as it will only serve to get "you" into trouble.
  10. Not sure. The "added headers" needs some kind of definition. At this time, I'm of the thought that OE6 Secure handling of e-mail, Why Forward won't work might be worth a look, even with the assumption that OE6 isn't the e-mail client in question. There is a whole section on "how to ..." stuff in the single-page-access-expanded version of the SpamCop FAQ and the SpamCop Wiki both found via links at the top of this page.
  11. Moved out of the E-mail System & Accounts Forum section and placed into the Announcements Forum section with this Post, Yeah, I know .. I'm not supposed to do this, but ...???? A Parsing & Reporting System outage tossed into the E-mail System section doesn't seem right.
  12. Please re-read the 'error' message. There is quite a pile of servers involved in the handling of your incoming. Sending e-mails this huge is simply problematic, as stated in so many places. For example, a general default of a PHP install these days is a file-size limit of 4-Meg (up from 1-Meg just a few years back) .... It is possible that the actual issue was that a huge (e-mail with an attached) file was received, and during the processing/handling, it hit a server that hasn't had a manual configuration change to bump up some of the default limits. So there would have been a "file write" error when trying to save the incoming.
  13. Figure out who/where the alleged "spam filters" are, who set the configuration ... get it changed to tell the truth .... As Derek stated, the SpamCopDNSBL only does IP Addresses.
  14. ???? And the "straight question" was based on what assumptions caused by the lack of detail on what tools were in use and how they were/are manipulated? Why did you jump the track and start talking about "forwarding an e-mail" in your first response .. especially when related to "a web interface?"
  15. Exactly my point with all the "How to ask a good question" links, hints, descriptions.
  16. Suggested reading; SpamCop said ''reports are disabled.'' What does it mean?
  17. I, like others, would like to see just what your spam actually looks like. I have never received anything that quite compares to your description (and 'sources'). I recall having a discussion with an alleged legal representative for DirectTV years ago. Not sure if it's documented 'here' but I'm guessing that a Reply or two made it into a Public Post. As far as notifying others, once again repeating the years ago description, there was a time when some folks went nuts with coming up with lists of "folks that would be concerned" with the spam spew. Unfortunately, this was also seen as a bit of spamming, Reports going to non-directly-associated folks like secretaries, so Julian placed limits on the "other target addresses" line to prevent this kind of abuse of the SpamCop.net Parsing & Reporting system. Yes, it's possible that you might find a sympathetic ear, but it's also likely that you'll be hassling someone that either knows exactly what's going on or the exact opposite, someone that doesn't have a clue or any power over the situation.
  18. Once again, a little thing like following a few of the hints on How to ask a good question would answer this and probably a slew of other questions. ??? Hmmm, even the venerable and much maligned Outlook Express has the mechanism to "show the full source" of an e-mail, which will in fact include any attachments. "Seeing" is not the same as "collecting the data" for a Report Submittal. Not sure what "forwarding" has to do with "the web interface" ... but then again, without specific details, "my" assumption is that the www.spamcop.net page is being discussed. Lack of user's actual tools, steps, etc. leaves me thinking that multiple things are being described here. I previously suggested alternative ways to Report, based on the appearance that cwg sure made it sound like the FAQs and Wiki had already been read, researched, etc. .... and as "deletion of body content" had just been added (deletion of header data already addressed) ... other ways to "save fuel" seemed to be the real question (at the time.)
  19. Using the 'search' function found at the top right of this very page, using "nlayer.net" as the search term, shows that this fine place has an ancient history.
  20. A couple of possible suggestions; SpamCop Reporting Accounts Quick Reporting
  21. SpamCop Wiki page Material changes to spam updated
  22. Looking at http://www.senderbase.org/senderbase_queri...orationhost.net currently shows 8 out of 30 servers listed. Only Don/Deputies can talk to the spamtrap hits, but it seems that there is the real issue. User Reports Subject lines include;

    216.166.12.31
    Submitted: Saturday, June 11, 2011 1:20:15 AM -0500: Employment Opportunity Available
    Submitted: Friday, June 10, 2011 11:59:29 AM -0500: Greetings
    Submitted: Friday, June 10, 2011 1:51:35 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

    216.166.12.32
    Submitted: Friday, June 10, 2011 3:16:24 PM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..
    Submitted: Friday, June 10, 2011 5:07:10 AM -0500: Greetings
    Submitted: Friday, June 10, 2011 5:01:58 AM -0500: Greetings
    Submitted: Friday, June 10, 2011 2:13:42 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

    216.166.12.69
    Submitted: Saturday, June 11, 2011 2:45:30 AM -0500: Employment Project
    Submitted: Friday, June 10, 2011 8:53:03 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

    216.166.12.72
    Submitted: Friday, June 10, 2011 9:19:48 AM -0500: Job Offer
    Submitted: Friday, June 10, 2011 4:52:15 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..
    Submitted: Thursday, June 09, 2011 11:53:35 PM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

    216.166.12.98
    Submitted: Friday, June 10, 2011 9:52:46 AM -0500: IMF PENDING PAYMENT APPROVED NOTIFICATION..

    More of the same ..... Based on the complaints, it seems that it should be pretty easy for the staff involved to track down the source of these specific e-mails and take the appropriate action. Not sure that another output filter is the solution, but will note that some of the recent User Reports included the following targets exampled by;

    Submitted: Friday, June 10, 2011 1:58:27 AM -0500: Job Offer
    •5530473760 ( 216.82.255.3 ) To: abuse[at]messagelabs.com
    •5530473759 ( 216.166.12.98 ) To: abuse[at]datafoundry.com

    Also noting that most of these look-ups indicated a reduction in magnitude .... although another portion of the 30 listed servers seems to be showing "all new" traffic, which suggests another approach being taken, not always for the best. To apply your "last 4 weeks" .. it would appear that they have allowed someone to start using their services that doesn't play according to the rules. Why they can't seem to find that user (or multiple accounts?) based on the apparent spew of similar Subject: line content isn't readily apparent. Later edit: refreshed the SenderBase page, and it's now showing 9 of 30 listed in a BL.