Posts posted by RobiBue

  1. 5 hours ago, gnarlymarley said:

    I don't like the forum spam because as soon as it is posted, gmail has all forum emails marked with spam reputation.  At this point, I personally would prefer to thwart the spammers similar to bl.spamcop.net if possible.

    Well, I don’t know about the forum spams being marked as spam in gmail since I only read them in SC. (Anyway, if you receive them as emails, then you should be able — as I do with other email forums — to mark them as never send to spam, and just delete the ones that are “offensive”, as forum emails come from the forum and not from the person sending them...)

    5 hours ago, gnarlymarley said:

    Ah, so maybe something automated.  If this were possible, I am all for automating any part of it so to limit human mistakes.

    Ah, but automated mistakes are also bad. That’s the reason SC uses human decision to ultimately report the processed spam... 

    ... of course this would be “semi-automated”, as the automation process would start as soon as 3 or 4 humans decided to mark the post as “spam” (only possible in SC online forums)

    6 hours ago, gnarlymarley said:

    Seems like maybe some of the admins might be burning the candle at both ends at times.  I have seen more than one person make mistakes when it comes to cleaning up the spam in the forums.  Anything that might help out would be a plus.

    The Latin phrase for that is “errare humanum est” (to err is human), and I have informed the admin “in situ” of a few odd misdirected posts (fat fingering and lack of caffeine are usually the reasons 🤫)

    6 hours ago, gnarlymarley said:

    I am tempted to suggest that something similar to the SpamCop BL, where enough bad reports and a user cannot post or sign up with a new account for 48 hours.

    Well, as Lking already explained:

    On 7/18/2019 at 12:37 PM, Lking said:

    Currently:

    • I review each new post to this forum.
    • Hide the spam
    • Restrict the poster from posting - Indefinitely
    • Send a warning email

    […]

    Currently there are some 4,450 member accounts banned from posting. Banning vs deleting an account prevents spammers from reusing an email address or user name. 

    I figure, since the “spam-poster” needs an email account to sign in, these people have tons of throwaway addresses, since they can only use them once. (I am curious on how many addresses use the same domain, and thus prevent them, depending on the domain they use, to even create a SC account. Of course, if they use throwaway gmail, yahoo, hotmail, et.al. accounts, that wouldn’t be feasible...)

  2. Well, my idea wasn't to thwart the spammers... (ok, in a way it is 😛)
    Instead, it would be meant to keep the forums "readable" after 3 or 4 users have reported the posts.
    They'd still be there if one really desires to read them, but they'd be hidden until they get handled by an admin.

    Personally, they don't bother me (much), but I see the occasional OP who mentions the garbage in the forums (fora, fori, forii, whatever) and /me thinks/ (dangerous thing BTW) that there could be something that could be done besides one or two admins cleaning up garbage left by some 💩jackasses...

    Usually we don't get much. It seems that today, though, is a different matter... some "recruiter" must have promised a lot of 💵 to some poor souls...

    That's actually my idea behind it. Have as few spamposts as possible visible to users, and I think that could accomplish it (I'm sure there are some of us users that report those spams, and if it's just 3 or 4 per post it would do the trick...)

    Just my thought... and then Lking could even enjoy his carb-sugar-caffeine drink in a more leisurely manner ;)

  3. If I query ARIN, I am told it’s a RIPE address...

    and the abuse email address given, ending in “.ru” does not help my confidence in its trustworthiness...

    I apologize to all honest Russians, but living here in the Americas leaves me with little trust in Russian owned web addresses.

    In God I trust, but not in Comrade Vladimir and brother Donald

  4. I just had a brainfart (pardon my French)...

    Sooo, we have these pesky little 💩 that think that the readers of these forums are interested in their spew 🤮

    Well, here is my proposal to alleviate the problem:

    1. Reported posts receive a mark/counter (see below: 1 reported...)
    2. Posts that are less than 24 hours old and reported more than 3 times get hidden (can be unhid[sic] by the user if he/she so desires)
    3. A user with a post reported 4 times would be prevented from posting in the forum (reading is ok, and pm an admin to ask for unblocking)
    4. Eventually a forum admin can do some garbage collection (GC) the way they usually do it ;)

    this would be the forum view with all topics displayed (the two marked "4 reported" would be hidden by default)

    [screenshot, 2019-07-18: topic list of the "How to use / Instructions / Tutorials" forum]

    This would be the "Unread" topics view (hey, no spam ;) but only if 4 reported them beforehand) 
    In Content Types, the user could choose to see the spam (unless the forum admin has already done the GC)

    [screenshot, 2019-07-18: "Unread Content" view of the SpamCop Discussion forum]


    Suggestions or ideas (or the other way around) are always welcome.
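The proposal above (and the "3 or 4 reports" idea in posts 1 and 2), as an added Python sketch that is not part of the forum software or of the posts: a report counter per post, hiding of posts under 24 hours old once they pass 3 reports, a posting block at 4 reports, a per-user "show hidden" preference and the admin's GC. Timestamps are epoch seconds and all names are constructed; one reporter counts only once per post so a single account cannot trigger the hide or the block by itself, and the block is left for an admin to confirm or lift.

```python
from dataclasses import dataclass, field

# Thresholds from the proposal: a fresh post is hidden once it has more than
# 3 reports; the poster is blocked once one of their posts reaches 4 reports.
HIDE_ABOVE = 3
BLOCK_AT = 4
FRESH_WINDOW = 24 * 3600  # seconds: only posts younger than this get auto-hidden


@dataclass
class Post:
    post_id: int
    author: str
    posted_at: int                                 # epoch seconds (constructed values in tests)
    reporters: set = field(default_factory=set)    # one report per user per post
    hidden: bool = False


class Forum:
    def __init__(self):
        self.posts = {}          # post_id -> Post, in posting order
        self.blocked = set()     # authors who may still read (and PM an admin) but not post
        self.show_spam = set()   # viewers who opted, in Content Types, to see hidden posts

    def add_post(self, post_id, author, posted_at):
        """Create a post; returns None when the author is currently blocked."""
        if author in self.blocked:
            return None
        post = Post(post_id, author, posted_at)
        self.posts[post_id] = post
        return post

    def report(self, post_id, reporter, now):
        """Register one report and apply the hide/block rules; returns the report count."""
        post = self.posts[post_id]
        if reporter == post.author:
            return len(post.reporters)      # self-reports carry no signal
        post.reporters.add(reporter)        # a set: re-reporting cannot inflate the counter
        count = len(post.reporters)
        if now - post.posted_at < FRESH_WINDOW and count > HIDE_ABOVE:
            post.hidden = True
        if count >= BLOCK_AT:
            self.blocked.add(post.author)   # admin review (GC or unblock) still follows
        return count

    def visible_posts(self, viewer):
        """Topic list as `viewer` sees it: hidden posts appear only if the viewer opted in."""
        return [p for p in self.posts.values() if not p.hidden or viewer in self.show_spam]

    def admin_gc(self, post_id):
        """The admin's garbage collection: drop the post; the author stays blocked."""
        self.posts.pop(post_id, None)

    def admin_unblock(self, author):
        """Done after the blocked user PMs an admin, as the proposal describes."""
        self.blocked.discard(author)
```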


  5. Now that's a new one to me!

    https://www.spamcop.net/sc?id=z6558965774z4e9bfbe926ede8ccf1c336a6fb42d396z

    I wasn't thinking much about it when I sent the report, but today I received the following reply from NordVPN abuse desk:

    Quote

    Thank you for informing us about possible violation of laws related to activities of one of our services' users. We take serious matter of the illegal actions and/or crimes committed by abusively using our services.
    NordVPN is a VPN service provider and offers shared IP addresses to its users.
    Unfortunately, in this specific case we are not able to assist as it’s impossible for us to locate which user on the server is actually responsible for the violation, since we do not log user's activity or IP address.
    Therefore we can not identify the user on the basis of this inquiry notice.
    More about our Privacy policy (https://nordvpn.com/privacy-policy/).
    Please don't hesitate to let us know should we be able to assist with something else.

    well, internet privacy vs internet privacy.

    ain't that swell...

  6. 16 minutes ago, Lking said:

    The source of an email can be identified by the FROM: line or the IP address found in the list of Received: lines in the header.  The FROM: which looks like a good choice and is valid for all legitimate emails you received, it is easy to forge by the spammer (or anyone) and maybe a valid email for someone totally unrelated to the source of the spam. Although it could be a Joe Job, the forged/spoofed FROM: is just a randomly selected mailbox.

    Around 20 years ago, I used to send my wife occasional emails that would look like she sent them to me, just to make sure that she understood that anybody could send an email with spoofed/fake names. 

    So the From: line in the headers is only valid for “trusted” emails. (And then, only if you trust them ;) )

    23 minutes ago, Lking said:

    The IP address found in the header Received: lines must point back to the true source (well mostly).  If the IP address is not correct the network will not be able to do the required handshaking as the email (packets) move through the network to the destination.

    As Lking states, the Received: line in the headers is the one that gets you closest to the original sender. Many times, though, a computer is hacked and some malware is installed, sending the spam from that computer without the knowledge of the real user. Sending spam reports to the ISP of said user is necessary to alert the ISP that the user is either a spammer or has compromised hardware. It is also possible that a company has their own mail server which is open and can be used as a proxy. For the latter, it is also important to have their ISP inform them that they are running an open proxy allowing spammers to abuse their system.

    HTH

  7. 10 hours ago, Tesseract said:

    I don't think there's really anything more to learn from them at this point, as it's the same behaviour documented earlier in the thread with the same type of invalid hostname in the messages. But here are two from today:

    https://www.spamcop.net/sc?id=z6558374359zf6c6bc297b1bf5ec039668d1d2ea7f81z

    https://www.spamcop.net/sc?id=z6558374020zba4d5b7c0c1112bc566769c280cda976z

    atchooly....

    is there a reason why the first From line doesn't have a colon ":"

    From bounce@menshealth.com  Mon Jul  8 01:35:59 2019
    Return-Path: <bounce@menshealth.com>
    X-Original-To: x
    Delivered-To: x

    in my book, that would be a reason for failure...

  8. 51 minutes ago, gabrielt said:

    @Lking and @MIG

    I found the culprit! Many thanks for your help!

    It was a bug with our qmail installation!

    The header in our received emails were malformed.

    [...]

    Once again, thank you so much for your time. MIG's answer turned on a light bulb in my head that the email header might be malformed and...bingo!

    I hope this topic helps other SpamCop users in the future.

    Cheers,

    Gabriel.

    and so the G🦗H advances further to becoming a master :)🙏

    @gabrielt Glad you found the problem, and with it, also fixed an internal handoff problem with your qmail setup (malformed received line). (wish some big companies: RE1Mu3b?ver=5c31 -- with outlook and hotmail -- would fix theirs.... )

  9. 13 hours ago, HeatherReid43 said:

    Using last resort contacts search-apnic-not-arin#apnic.net@devnull.spamcop.net

    any idea how to solve this issue ?

    Unfortunately, that is not something we "mere mortal users" can solve unless we report manually and not through spamcop.

    This issue has to be resolved through fixing spamcop's whois lookup with the registries, and following the correct protocol, which apparently ARIN changed a while back. RIPE also seems to have made some changes, but it's affecting spamcop only marginally.

    Sadly many ARIN redirections to APNIC end up devnulled because cisco/talos seems to have only a minimal desire to keep spamcop up to date (at least so it seems to me personally)

    What happens now is that someone asks in this forum to fix the reporting address (which may or may not happen), and if this reporting address gets manually changed, it is then prone to end up being the wrong address when the registrant changes the info in the whois DB. :(


  10. On 6/13/2019 at 10:11 AM, showker said:

    Nope, three weeks now and zero spam.

    Is there some spamcop in the sky that blocks addresses from getting spam?

    Did the big spam cartels somehow decide to remove my address because my articles about spam and cybercrime were getting shared so much?   ( https://www.facebook.com/safenetting/ )

    Has my ISP blocked me from spam?   Other email works perfectly, and some small-time, bush-league spammers get through . . . like those annoying BitCoin Blackmailers ! 

    But Chinese spam?  ZERO.   Ever since I started posting translations! 

    Do you suppose the Chinese have the power to block ALL Chinese spam from a specific email address?  I still get it in all my other addresses!

    A huge mystery

    Fred

    I fathom that somehow they were tipped off to remove certain spam-traps from their database, yours included, but not the other addresses.

    Just my thought...

  11. No, it is not an error, as this network entry really didn't provide an abuse address. Heck, they really didn't provide an address at all:

    https://whois.nic.ad.jp/cgi-bin/whois_gw?codecheck-sjis=Japan+Network+Infromation+Center&lang=%2Fe&key=202.238.198.169&submit=query&type=&rule=

    [ JPNIC database provides information regarding IP address and ASN. Its use   ]
    [ is restricted to network administration purposes. For further information,  ]
    [ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
    [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]
    
    Network Information:            
    a. [Network Number]             202.238.198.0/24
    b. [Network Name]               IIJNET
    g. [Organization]               IIJ Internet
    m. [Administrative Contact]     JP00010080
    n. [Technical Contact]          JP00010080
    p. [Nameserver]                 dns0.iij.ad.jp
    p. [Nameserver]                 dns1.iij.ad.jp
    [Assigned Date]                 2018/06/25
    [Return Date]                   
    [Last Update]                   2018/06/25 17:35:04(JST)
                                    
    Less Specific Info.
    ----------
    Internet Initiative Japan Inc.
                         [Allocation]                             202.238.192.0/18
    
    More Specific Info.
    ----------
    No match!!

    looking up the JP00010080 AS number (well, JP number, as it isn't really an AS number) I get:

    [ JPNIC database provides information regarding IP address and ASN. Its use   ]
    [ is restricted to network administration purposes. For further information,  ]
    [ use 'whois -h whois.nic.ad.jp help'. To only display English output,        ]
    [ add '/e' at the end of command, e.g. 'whois -h whois.nic.ad.jp xxx/e'.      ]
    
    Group Contact Information:
    [Group Handle]                  JP00010080
    [Group Name]                    IP Address Contact
    [E-Mail]                        nic-sec@iij.ad.jp
    [Organization]                  Internet Initiative Japan Inc.
    [Division]                      
    [TEL]                           03-5205-6500
    [FAX]                           
    [Last Update]                   2014/07/22 12:02:04(JST)
                                    apply@iij.ad.jp

    So nic-sec[at]iij.ad.jp would be the address to complain to, and I personally would add a comment to hostmaster[at]nic.ad.jp letting them know that the above entry has no abuse address listed and is spamming ;)


  12. 22 hours ago, MIG said:

    https://www.spamcop.net/sc?id=z6553438559z3bce578c31b64b0feee590952682dcb9z

    Can't work this out, have not escalated any spam queries to email-abuse@amazon.com, is it legit or is it spam? 

    🙏G🦗H

    1/2 way agree with Petzl 😉

    1. fake bounce: no, it's a real bounce
    2. spammer has you as return address: yes. That's why you're receiving the bounce 😞

    The address that the spammer sent the spam to, is invalid (either never existed or got removed from usage) and since your address was the return address (From:) ...

    another reason to hate spammers...

    but no point in submitting that one, as the owner is legit... they just replied to you to let you know that "your" mail couldn't be delivered...

    that's another reason why spamcop goes after the Received: headers and not the From: email addresses 😉
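The Received:-chain walk that this post and post 6 above describe (trust the Received: lines, not the From: address), as an added Python example that is not part of the posts or of SpamCop's parser: the constructed message below has a forged From: and a forged bottom Received: line; only hops stamped by the recipient's own mail hosts (assumed names, in TRUSTED) are believed, and the first external IP they recorded is taken as the source. IPv4 only.

```python
import email
import re

# Constructed sample: the top Received: line is the most recent hop (nearest the recipient).
SAMPLE_MESSAGE = """\
Return-Path: <bounce@menshealth.example>
Received: from mx1.my-isp.example (mx1.my-isp.example [192.0.2.10])
        by mail.my-isp.example (Postfix) with ESMTP id 4B2C7
        for <me@my-isp.example>; Mon,  8 Jul 2019 01:35:59 +0000
Received: from mail.spamhost.example (unknown [198.51.100.77])
        by mx1.my-isp.example (Postfix) with ESMTPS id 9F1A0
        for <me@my-isp.example>; Mon,  8 Jul 2019 01:35:58 +0000
Received: from [10.0.0.5] (helo=bigbank.example)
        by mail.spamhost.example with esmtp; Mon,  8 Jul 2019 01:35:50 +0000
From: "A Trusted Friend" <friend@my-isp.example>
To: <me@my-isp.example>
Subject: Open me

body
"""

# Hosts we (or our ISP) operate: only the Received: lines they stamped are believed.
TRUSTED = {"mail.my-isp.example", "mx1.my-isp.example", "192.0.2.10"}

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>[^\s;]+)", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(value):
    """Split one Received: value into the claimed HELO name, connecting IPv4 and stamping host."""
    flat = " ".join(value.split())      # unfold the continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None                     # e.g. "Received: by ... with local": no remote peer
    peer = (m.group("helo") or "") + " " + (m.group("info") or "")
    ip = IPV4_RE.search(peer)
    return {"helo": m.group("helo").strip("[]"),
            "ip": ip.group(1) if ip else None,
            "by": m.group("by")}


def received_hops(raw_message):
    """All Received: lines, top-down, parsed (None for lines without a remote peer)."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def find_origin(raw_message, trusted):
    """Walk the chain top-down and return the first external IP a trusted host saw connect.
    Everything stamped by an untrusted host (the hops below the handoff) is ignored:
    the spammer writes those lines, just as it writes the From: line."""
    for hop in received_hops(raw_message):
        if hop is None:
            continue
        if hop["by"] not in trusted:
            return None                 # chain left our infrastructure without an external IP
        if hop["ip"] and hop["ip"] not in trusted:
            return hop["ip"]
    return None
```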


  13. If I use my "potaroo.net" IPv6 checker on the aforementioned IPv6 address:

    http://www.potaroo.net/cgi-bin/ipv6addr?pfx=2402%3Abc00%3A0%3Aa216%3A%3A19%3A124

    I see the following comment in the APNIC entry:

    remarks:	 	This information has been partially mirrored by APNIC from
    remarks:	 	JPNIC. To obtain more specific information, please use the
    remarks:	 	JPNIC WHOIS Gateway at
    remarks:	 	http://www.nic.ad.jp/en/db/whois/en-gateway.html or
    remarks:	 	whois.nic.ad.jp for WHOIS client. (The WHOIS client
    remarks:	 	defaults to Japanese output, use the /e switch for English
    remarks:	 	output)
    last-modified:	 	2014-03-10T22:41:03Z 

    Not shown above are other "last-modified" entries, the oldest dated 2009-11-04T06:54:54Z (that's a 10-year-old listing). While the shown last-modified is 5 years old, whois.nic.ad.jp should have the current listing.

    Although I do not find the abuse address mentioned by MIG, I find 2 entries, both using the same email address

    https://whois.nic.ad.jp/cgi-bin/whois_gw?key=JP00076967/e

    and

    https://whois.nic.ad.jp/cgi-bin/whois_gw?key=JP00065730/e

    Group Contact Information:
    [Group Handle]                  JP00076967
    [Group Name]                    networkhozen
    [E-Mail]                        SS01629@enecom.co.jp  <---
    [Organization]                  Energia Communications,Inc
    [Division]                      
    [TEL]                           050-8201-2351
    [FAX]                           
    [Last Update]                   2017/04/05 16:53:06(JST)

    one is from 2011 and this one from 2017...

  14. 8 hours ago, gnarlymarley said:

    There are a few options you have left when the administrator is useless if you really want to stop the spam.

    1. Keep reporting for two or three years and the spammer will give up.
    2. Block the whole IP range.  (this could be a problem as the emails from this forum appear to come from amazon, so this could block legitimate email.)
    3. Implement SPF checks on the MTA and hope that blocks it (only works if you have the ability to control the MTA.)
    4. Use greylisting to make sure that only servers can connect and send you email (again, only works if you can change the MTA behavior.)

    The reason most businesses offer the free accounts is it falls under the idea of advertising.  If someone cannot check out the service, then they are less likely to use it.  Kind of a problem as it pulls in the jerks, but also pulls in paid accounts as well......

    I like Idea #2!, especially if everybody is on-board.

    a) it would convince amazon to clean up their act with spammers and hosting them,
    b) especially if they start losing legitimate clientele :)

  15. On 4/12/2019 at 8:44 PM, MIG said:

    ..., (for me) SC parser classifies Amazon (amazon[dot]com) as /dev/null, are you suggesting manually adding amazon[dot]com to https://www.spamcop.net/ [User_Notification] field, irrespective of SC's determination?

    Thanks in advance!

    On 4/12/2019 at 11:37 PM, Lking said:

    NO I am not.  That would result in a spam Report, from SC going to amazon. I am suggesting something like this header from MY email:

    with an amazon related spam attached; in this case

     

    Note when I "Submit" the spam I BCC the email to SC to hide my private 16 char reporting account from Amazon.

    Also note: Yes the FROM: is an obvious fake, but the sender is using the well known retailer's name to get "bigknow" to open the email.. I do the same for other common spam FROM UPS, American Express and others.

    If amazon[dot]com is dev/null'ed, then placing it in the [User_Notification] field wouldn't change anything. It would still dev/null the address.

    @Lking, question about the "Note". Do I understand this correctly, that you send (apart from sending the spam to SC as "bcc") the spam (as attachment) to the three listed entities?

    How do you know where to send the spam before parsing it?

    When I send the spam to SC, it gets parsed and /* then */ I know whom to send it as well... (Color me confused)


  16. 8 hours ago, MIG said:

    Hey RobiBue,

    Have you ever seen a 🦗 begging? Stand by to witness this miracle:

    If your "dirty"  scri_pt  is safe to share may I have a copy please?

    My little 🦗paws are fair worn out from modifying scummy spam urls...

    Cheers!

    Uhmmm... scri_pt is safe, but I do have 2 confessions to make:

    1. Currently I have no access to the pc I wrote the scri_pt on, and
    2. The scri_pt is a vba scri_pt for win word where I just dropped the spam in, ran the scri_pt, and attached the resulting text files to an email addressed to my reporting SC address...

    The scri_pt works roughly as follows:

    search for an https?:// domain name with regex and replace the numerical path (or ?argument) with the —ID...— line

    that’s basically the idea.

    fun to play and test reg(ular) ex(pressions) https://regex101.com/r/wN6cZ7/478 (already set up for domain names)

    and SO has a nice answer for the whole URL: https://stackoverflow.com/questions/27745/getting-parts-of-a-url-regex

    sorry that I can’t be of more help atm... working these answers off a tablet...

  17. 5 hours ago, bobk said:

    Thanks RobiBue. That seems exactly right.  

    When I followed your "here" link, though, your examples of how you munged cloudflare would not load: https://www.spamcop.net/sc?id=z6493410150za18869ba12b686fd60a88c35e34dc44ez . I'm hoping it's easier than putting an x on 30+ instances of the name.

    What do you mean by deselecting the cloudflare report?  The only way I can tell it's from them now is to recognize the scri_pt in the header.

    Yeah, unfortunately the spam examples get removed by SC to conserve space (there are only so many reports a DB can hold without having to add more HDD...) and when I checked my inbox, the spam from back then had already been deleted as well...

    but I found examples in my sent folder:

    Quote

    <img alt="Droid or Apple? Find Your New Cell Phone Today! Fresh Deals!" border="0" height="176" src="http://airlinehop.com/?--ID-number-1-(munged)--" width="23"/></td> <td bgcolor="#FFFFFF" height="175" valign="top" width="276"> <span style="font-family: Bookman Old Style; color: #242424; font-weight: 700"> <font style="font-size: 12pt">Search: <a href="http://airlinehop.com/?--ID-number-8-(munged)--">Cell Phones</a></font></span><p> <span style="font-family: Bookman Old Style; color: #242424"> Ready For A New Phone? <br/> <i>ANDROID</i> or <i>APPLE</i>? <br/> Browse Newest Models NOW!<br/>

    I had written a quick and dirty scri_pt, which would replace the numbers after the host name with the text “?—ID-number-<n>-(munged)—“ where <n> is the last digit of the number... and then sent it off to SC for reporting...

  18. 9 minutes ago, bobk said:

    Thanks all.

    I've had a spamcop account for 17 years and never before encountered well over 50 spams per day in my spam folder, and two dozen more within minutes of my reporting, all from the same source.  I wonder if their intention in sending so many right away would be to get me to get tired reporting those bogus ones and leave the other older ones alone.

    These are all from cloudflare dot com.  All until just recently were also from volia dot net from the Ukraine, I believe.  All of the spams are using the same scripted header, with various creative bodies. Several times I have even tried to eliminate whatever code I could from the emails when I report them; I'm not sure if that helped any.

    I even contacted cloudflare separately using a throwaway email address (hosted by cloudflare!), and got back a form letter response saying something about their notifying the sender if they could. 

    6936557925 and 6936557926 are examples of one such spam reported without any alteration other than spamcop's munging.

    https://www.spamcop.net/sc?id=z6533678221z064eda6e37e20da61d4c35285b02f946z

    Yep, just like I thought, those sigarpi.com links are some of those tracking links. Hitting them triggers a scri_pt on their server that “assumes” that you’re interested in their products and they send a spew of their junk to the address linked to the number.

    At least that’s the way it looks.

    See here...

    unfortunately nothing has been done about it :(

    Deselect the cloudflare report and you should be ok...

    I know, it’s not perfect, but you’d get less spam and eventually they’ll die out. Haven’t had one since last October...

  19. 1. Welcome to the spamcop forum. We're mainly just SC users trying to help others in the fight against spam. Sometimes we can, sometimes we can't...

    That said, some spam messages contain URLs which, if triggered, will cause more spam to be sent to you. Sometimes the ISP is "spammer friendly" and provides the spammer with your email address to "listwash" their DB or provides them with the email headers and they extrapolate your address through tracking codes they inserted in the headers.

    If you have a Tracking URL (see Jeff G's welcoming post) and would provide it, it would be easier to analyze the reasons for your "multiplying spam" problems and find out a way to alleviate it.

    I used to have similar problems with some spammers and by not reporting the links, only the source of the email, it reduced the spam volume drastically.

    I also went in manually to report the links to the hosting companies and removed the tracking extension from the report, to prevent anybody from triggering more spam if they accidentally (or purposely) click on the link.
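The tracking-token removal described here and the "quick and dirty" munging script of posts 16 and 17 above, as an added Python example that is not the original Word VBA script: every http(s) URL in the spam is found with a regex, and any run of six or more digits in its path or query is replaced by the --ID-number-<n>-(munged)-- marker, where <n> is the last digit of the number. The six-digit minimum, the generalization from a purely numeric path/argument to any such digit run, and the sample HTML are my assumptions; the host part is never touched, so the report still names the right server while the token can no longer be triggered.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# URLs inside the spam (HTML attributes or plain text); stop at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Assumption: a tracking token is a run of at least 6 digits in the path or query string.
ID_RE = re.compile(r"\d{6,}")

# Constructed sample modelled on the munged snippet quoted in post 17 (example.net-style hosts).
SAMPLE_SPAM = (
    '<img alt="Droid or Apple? Find Your New Cell Phone Today!" '
    'src="http://airlinehop.example/?4821930571" width="23"/>'
    '<a href="http://airlinehop.example/?7390025118">Cell Phones</a> '
    'Unsubscribe: http://203.0.113.9/u/558201347/open '
    'Privacy: https://airlinehop.example/privacy?v=2'
)


def _munged(match):
    # Keep only the last digit, as the original script did: distinct links stay
    # distinguishable in the report, but no working tracking ID is forwarded.
    return f"--ID-number-{match.group(0)[-1]}-(munged)--"


def munge_url(url):
    """Return `url` with numeric tracking tokens in its path and query replaced."""
    parts = urlsplit(url)
    path = ID_RE.sub(_munged, parts.path)
    query = ID_RE.sub(_munged, parts.query)
    # netloc is left as is: the digits of an IP-address host are not a tracking ID,
    # and the abuse desk needs the real host to find the customer.
    return urlunsplit((parts.scheme, parts.netloc, path, query, parts.fragment))


def munge_spam(text):
    """Munge every URL in a spam body; returns (new_text, number_of_urls_changed)."""
    changed = 0

    def _sub(match):
        nonlocal changed
        original = match.group(0)
        new = munge_url(original)
        if new != original:
            changed += 1
        return new

    return URL_RE.sub(_sub, text), changed
```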

  20. 1 hour ago, petzl said:

    Pretty sure these creeps are opening a new "free" amazon account when one is taken down.
    Seems Amazon are shutting them down when reported from the spammed email address, stating IP address and copy and pasting full headers with report. 
    https://www.virustotal.com/#/url/51cfab3c89b464ef6e07c89d13ae048eb6708dd49233bf740609da33f2834ea2/details
    status: 404 Not Found

    I never report from the spammed email address, and always munge the latter.

    Several providers have asked for full headers and I always tell them that the email address is of no concern to them as I do not wish retaliation or listwashing from their customers.

    They sometimes claim it would be easier with my address, but I insist that they can enforce their AUP solely by the email received headers and the email content. This last scenario happened only twice in my umpteen years of reporting ;)
