elind

Everything posted by elind

  1. I didn't want to post the reference number because this spam has my non spamcop email embedded in too much of the text, but can anyone advise what this technique is and why spamcop can't trace the source or the spam host? Spamcop did not flag this as held mail. These spam are for somewhat legitimate products, like Frontline Flea Killer. The ad actually says it comes from Romania. These are the host links: (The questweather URL doesn't work if tried separately, so I figured it doesn't matter if it is printed here) <a href="http://t. questweather . com/JfshFLTWt32663/GooglePayda y.php?uID=3521282&uMAIL=************&cID=2663"><img border=0 src="http://t.qu estweather. com/JfshFLTW t32663/Google Payday-r.jp eg" /></a><br> <a href="http://t.quest weather. com/JfshFLTWt32663/GooglePayday.php?uSUB=3521282&cID=2663&uMAIL=************"><img border=0 src="http://t.quest weather .com/Jfs hFLTWt32663/GooglePayday-u.gif" /></a><br> <a href="http://quest weather.com/Jfsh FLTWt 32663 /GooglePayd ay.ph p?uMAIL=****************&cID=2663&sTR=3521282"><!-- Removed by HIPS FW ******************************************************************************************************************************* --></a> <STYLE> Moderator edit: added spaces per rconner post although OP says they don't work anyway
  2. I did this and received a reply. I reported that there was no reporting name or address: Thank you for submitting and confirming your Whois Data report re: questweather.com. Your report has been entered into ICANN's database. For reference your report ID is: ********************** Any future correspondence sent to ICANN must contain your report ID number. Please allow 45 days for ICANN's WDPRS processing of your Whois inaccuracy claim. This 45 day WDPRS processing cycle includes forwarding the complaint to the registrar for handling, time for registrar action and follow-up by ICANN if necessary. A copy of your report will be forwarded directly to the sponsoring registrar for investigation. The sponsoring registrar is responsible for investigating and correcting the data in response to your report as described in ICANN's "Registrar Advisory Concerning Whois Data Accuracy" <http://www.icann.org/announcements/advisory-10may02.htm>. For additional background information regarding registrars' Whois data accuracy obligations, see also the Registrar Advisory Concerning the '15-day Period' in Whois Accuracy Requirements <http://www.icann.org/announcements/advisory-03apr03.htm>. As discussed in detail in these advisories, it might legitimately take up to several weeks for the registrar to take action in response to your report. Please save this email as a record of your report. After the 45 day WDPRS cycle, if you have reason to believe that the sponsoring registrar may not be fulfilling its obligations, please forward your copy of this e-mail, along with any other relevant information, to ICANN's Contractual Compliance department at compliance[at]icann.org. ICANN will review your submission and work with the registrar to ensure compliance. Also, in order to assist our efforts to improve Whois data accuracy, after the conclusion of the 45 day WDPRS cycle we may contact you later via e-mail to follow-up concerning the registrar's handling of your report. 
Thank you again for taking the time to help improve Whois accuracy by submitting your report. Best regards, ICANN's Contractual Compliance Department
  3. Gonna be one of those days it seems. The sender was 95.64.60.81 and the host (website) was 95.64.0.98. Both had the same name. As I said I GUESSED that they were probably the same, in this case, but who cares. That's it above, according to spamcop. So I ask the silly question why it has "nomaster". I gave the whole strings with only my email address munged. I thought I explained that. My question was largely due to the fact that I have looked at thousands of spam analyzed by spamcop. I don't remember any, that I saw, with my email as a part of a login ID to the spammer. I would have thought that obvious. I tried to access their site based on the URL alone and I tried it with a corrupted version of my email, in the URL. Neither gained access. I'm assuming that a valid email would have connected me, but I didn't wish to go that far. Sorry I didn't explain myself more clearly, I somehow thought people here would know a lot more than I did. You can be as pedantic as you want about the way I asked the question, which I thought was self explanatory. This spam seemed like it had an unusual combination of issues that I hadn't seen before, and I was curious if anyone had any insights. Instead I get mostly critiques of how I phrased the question. Sheesh
  4. Thanks, but a quick search on ICANN says that they do not accept reports of this sort.
  5. I am aware regarding spam URLs. I explained why I didn't completely munge them, however the spam source was shown in the email as the same as the website, so that is probably where it came from, and since there is no reporting address what do they care? Why would not all spammers just set up without reporting addresses and make their life even easier? As to the URL (partly munged) that I did post, I was curious if anyone knows the point of doing it as they did. I understand that this "Google Payday" is a scam in itself, so maybe this is a jerk getting ripped off, but smart enough to avoid getting identified? As to the website not working, what it says (questweather) is "Forbidden - you don't have access", however the full URL, which includes my email, I presume is a logon and my email is registered with them, so in that regard I have adequately munged the URL. So, how do we get the bastards?
  6. It would be easier to scan held mail for possible valid mail if it was presented according to some held criteria, instead of by time received. A high spamassassin rating, for example, is unlikely to be a valid email that got past a low filter setting. If it were at the top of the list it would be less likely to be missed among a hundred spam. Perhaps I can already do that, in which case I apologize in advance.
  7. elind

    Suggestion for Spamcop

    Yes, but not practical if one submits multiple times daily with just a few mouse clicks. Presumably a script could be written by the user to do this automatically, but I don't know how. The easiest would be if spamcop would do it as a user service.
  8. elind

    Suggestion for Spamcop

    No. I haven't got a problem. I did lower my threshold and that eliminated all of the spamcop addressed email that prompted some of my earlier posts here (and the fun I had in repeatedly sourcing their varying host URLs). The only ones I now get are a very few of the more sophisticatedly disguised "ads" for legitimate products to one of my other email addresses. It is simply that I think it would be a lot easier to scan the list if it was presorted as I suggested, as I doubt I would ever get a legitimate email with a spamassassin rating above 4 or 5 or even 3. I do still get a hundred or more (other than the occasional f*ups with thousands) to my spamcop email address every day. I think I'm at about 130k now. I could of course just change my email address and have them go to a black hole somewhere, but I feel I'm doing some kind of service to society, if only adding to the statistics of the assholes who don't.
  9. Always something new to learn and something not to make assumptions about. Thanks.
  10. Does anyone know if there is a point to these ridiculously long random character string subject names in many spam messages? It can't be a reporting tracking ID because 80+ random characters can probably ID every grain of sand on the planet, if not the universe, and they haven't reached that volume yet.
  11. R. Conner: I can see that, but it doesn't take a line long enough to give the NSA headaches to differentiate even millions of spam. Barring any other thoughts, I will guess just a sloppy program generating them that nobody bothers to correct, since only idiots read this stuff anyway and these details don't matter. Farelf: You are not wasting my time and hopefully not yours, or I wouldn't be here. I'll be happy to provide tracking on some soon, I just thought everybody got these and there wasn't much point. I suppose I could imagine that some filters might have been turned off by a sentence-long subject field, but obviously not now. On the other hand, while I don't have statistics at hand, I don't think I saw many of those a year or so ago. I could be wrong. Here's a recent one, although not the longest seen by any means: subject: Subject: =?windows-1251?B?Q2hlY2sgbmV3IGRpc2NvdW50IHByaWNlcy4=?= Tracking: http://www.spamcop.net/sc?id=z2599193261z1...652cb376aba080z Of course we immediately notice that the spamcop tracking is even longer, which suggests that it is composed of several groupings of multiple-byte data categories. Perhaps that is all the spammers do too, although I wonder about the "=", "?" and the "windows" meanings?
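The subject string quoted in the post above is not random: it is an RFC 2047 encoded-word, where the =? and ?= delimiters wrap a charset (windows-1251), an encoding letter (B for base64, Q for a quoted-printable variant) and the payload, which decodes to an ordinary subject. The following Python is an added example, not code from the post or from SpamCop; it decodes that sample by hand and with the standard library, and the Q-encoded sample it also handles is constructed.

```python
import base64
import re
from email.header import decode_header, make_header

# RFC 2047 encoded-word layout: =?<charset>?<B|Q>?<encoded-text>?=
# '=' and '?' are fixed delimiters; B means base64, Q means a quoted-printable variant.
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?([^?\s]*)\?=")

# The subject line quoted in the post above.
SAMPLE_SUBJECT = "=?windows-1251?B?Q2hlY2sgbmV3IGRpc2NvdW50IHByaWNlcy4=?="

def split_encoded_word(word: str):
    """Return (charset, encoding, payload) for one encoded-word, or None."""
    m = ENCODED_WORD.fullmatch(word.strip())
    if m is None:
        return None
    charset, encoding, payload = m.groups()
    return charset, encoding.upper(), payload

def decode_q(payload: str) -> bytes:
    """Q encoding: '_' stands for a space and =XX is a hex-escaped byte."""
    out = bytearray()
    i = 0
    while i < len(payload):
        ch = payload[i]
        if ch == "_":
            out.append(0x20)
            i += 1
        elif ch == "=" and i + 2 < len(payload):
            out.append(int(payload[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(ch.encode("ascii", "replace"))
            i += 1
    return bytes(out)

def decode_encoded_word(word: str) -> str:
    """Decode one encoded-word by hand; returns the input unchanged if it is not one."""
    parts = split_encoded_word(word)
    if parts is None:
        return word
    charset, encoding, payload = parts
    raw = base64.b64decode(payload) if encoding == "B" else decode_q(payload)
    # Spam often declares a charset the bytes do not really use: never let that raise.
    try:
        return raw.decode(charset, errors="replace")
    except LookupError:  # unknown charset name: fall back to a byte-transparent decode
        return raw.decode("latin-1")

def decode_subject(raw_header: str) -> str:
    """Decode a whole Subject value (several encoded-words mixed with plain text)
    with the standard library, which applies the same RFC 2047 rules."""
    return str(make_header(decode_header(raw_header)))
```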
  12. elind

    Why does this spam get past spamcop

    OK. Thanks. That gives me plenty to play with.
  13. I'm not sure if I have asked this before, but can anyone explain how this spam got past spamcop? http://www.spamcop.net/sc?id=z2583318867za...9d3f82ba6186eaz I regularly receive a handful of spam that are not held by spamcop, but I also see the same basic spam in my held mail which may be in the hundreds per day (always to my spamcop address). There must be something in this one and others like it (addressed in this case to "asl" at spamcop, but many say "my name" at spamcop) that prevents it from being recognized as spam, even though everything in the mail is obviously spam. I do have one email address that my cleared mail is forwarded to and which is not filtered, but would that not be shown in the TO field if it was the one being used?
  14. elind

    Why does this spam get past spamcop

    Well, on context analysis I agree that a completely new piece of spam, originally written, would need to be verified by other methods before being branded, but given that so much of it is duplicated, either identically or very very similarly, much of the subsequent ones could be recognized easily. As to the yahoo emails, no, it was a contact address in the body. The only contact address. Either fishing for emails or an invitation to a sex site, and as usual many identical ones except the sending source and a few number variations in the email name. I didn't think there was any point in providing the tracking number. On reading your above comments about building up a score on a particular spam; how is a piece of spam tagged in that system? It can't be by the sending source since that is not unique and it can't be by subject alone. What is left except by analyzing the body text?
  15. elind

    Why does this spam get past spamcop

    When I said I could, I believed it but wasn't really intending to take the time to do so, although I might. I've actually never looked into spamassassin as a customizable tool. Can anyone direct me to sources for that? However, conceptually I think a good syntax analysis system could easily catch virtually all spam, except perhaps those that are clones of legitimate businesses. At least of the stuff I get, 75% or more are identical or minor variations of prior spam, same spelling and grammar mistakes included. However since most of it is caught by the methods mentioned above this is probably redundant anyway, but I would be surprised if some of the filters out there don't already do it. I seem to recall that when sending x rated pictures in the spam was more common, that filters looked for unusually large expanses of pink in a message...... It wouldn't surprise me if someone called that a racist ploy Anyway, on the plus side spam has some amusing and entertaining aspects to it, if only to verify that there are many people out there more stupid than oneself. BTW, without counting I am under the impression that volume is increasing significantly in the past month or two. Also, since lowering the score to 3, I haven't had any of the spam mentioned above get through, but I have started to get a few Julia ones with yahoo email addresses. Since the email addresses are all similar but with number variations, I suspect they have hundreds or more of yahoo email addresses for contact. I've informed abuse at yahoo, but I wonder if they act on something if it is not hosted or sent from them. I wonder if they read spamcop reports, being busy and all that?
  16. elind

    Why does this spam get past spamcop

    Sorry for speedreading your first answer above. I'll try to figure out the detailed source in more detail next time, before spamcop munges it. I found I had spamassassin set to 4, I've lowered it to 3 and maybe that will reduce these that get through, although the few that do get through are kind of educational since they are the only ones I typically look at. Nevertheless, I don't know how spamassassin works, but I thought that part of it was algorithms for parsing messages for spam characteristics. I'm pretty sure I could write one that would catch 99.99% of these common spam, which is why I find it puzzling; after all many of them are identical in every way, except the URLs, not to mention misspellings of viagra or rolex. Anyway, thanks for the replies. BTW, geocities is becoming common in some of these again. Doesn't Yahoo know how to recognise these things by now?
  17. elind

    Why does this spam get past spamcop

    Thanks. Regarding the last point above, I was not sure about the TO address, but where in the source is the actual TO address? Doesn't it have to be there? In this case a few lines say: Received: (qmail 19448 invoked from network); 3 Feb 2009 18:50:13 -0000 X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7 X-spam-Level: ** X-spam-Status: hits=2.5 tests=URIBL_BLACK version=3.2.4 Which is what you pointed out about spamassassin and I presume this means it had to go through spamcop. But what I don't understand is the 2.5 by spamassassin. Surely just the subject "Best Quality Swiss & Japanese Rep1icaWatches" flags spam to a newborn? On top of that it has the trademark host sites (several) as in http://code.client.cn How can spamassassin miss that? Another standard one that gets through to me is the fake diploma ploy, and they are always identical. I don't get it.
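The three SpamAssassin headers quoted in this post carry the score (hits=2.5), the rule names that fired and a one-star-per-point level; whether a message is held depends only on that score reaching the user's threshold, so a threshold of 4 or 3 lets a 2.5 through while a threshold of 2 would hold it. The following Python is an added example, not code from the post, from SpamAssassin or from SpamCop; its header sample is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the header lines quoted in the post above.
SAMPLE_HEADERS = """\
X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-spam-Level: **
X-spam-Status: hits=2.5 tests=URIBL_BLACK version=3.2.4
"""

# key=value pairs inside the X-Spam-Status value
STATUS_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_spam_status(headers: str) -> dict:
    """Pull score, fired tests and star level out of SpamAssassin's X-Spam-* headers."""
    result = {"score": None, "tests": [], "level": 0}
    for line in headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()   # header names are case-insensitive
        value = value.strip()
        if name == "x-spam-status":
            fields = dict(STATUS_FIELD.findall(value))
            # older SpamAssassin versions write hits=, newer ones write score=
            raw = fields.get("score", fields.get("hits"))
            if raw is not None:
                result["score"] = float(raw)
            result["tests"] = [t for t in fields.get("tests", "").split(",") if t]
        elif name == "x-spam-level":
            result["level"] = value.count("*")
    return result

def should_hold(headers: str, threshold: float) -> bool:
    """Hold the message when its SpamAssassin score reaches the user's threshold."""
    score = parse_spam_status(headers)["score"]
    return score is not None and score >= threshold
```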
  18. I sometimes notice on spamcop reports that the contact email for a report is something like a yahoo or gmail address, but the spam has no connection with yahoo or similar. Also the name is typically a person, rather than "abuse" or something like that. Of course I also see many individual names on reports to Hungary and Russia and other black holes. The question is simply, are there any firm rules about such matters? Are registrars (not that I know how the system works) not required to uphold any particular standards and could one not do a whois lookup and inform the registrar if there was a violation, if one had the time to do so?
  19. http://www.spamcop.net/sc?id=z2553887995z5...2a1142c8812d2cz coming from hostway and southwebventures So far I've got 8000+ and they are still coming in fast. The spam is the same as one that was sent a month ago. That lot was about 5000 pieces and came courtesy of aplus, who had had a similar incident last year sometime. Can anyone explain this? Is it an attack on the sending ISP (idiots) or on spamcop?
  20. I sent a message to support[at]hostway.com demanding an explanation. I actually received the following reply some days later, but I know that I was still getting new ones in my held mail until sometime on Saturday afternoon. Is that possible if the server was taken down EARLY on Saturday? (I had the same type of response last time this happened, from Aplus.com) Hello, Shortly after our last e-mail, we were informed of the spam issue regarding 207.150.194.88, one of our dedicated servers, by the team that manages the southwebventures.com servers. We also received your notifications through abuse[at]hostway.com. They disconnected the server shortly after the attack was discovered early on Saturday. We do apologize for the inconvenience we know this caused for many people, including those of you at spamcop.net. Feel free to let us know if you require any further assistance. Thank you, Abuse Department Hostway Corporation
  21. I followed michaelanglo's instructions, the first part, and it zapped 16000 in a couple of minutes, as much as I wanted to report every last one.
  22. DavidT Sorry if I'm not clear. By mine is not the one shown, all I mean is that in looking at the actual message (not analyzing deeper) I see a spamcop address, but not mine, which is the way any multiple addressee email would show. Almost all spam I receive is to my spamcop address. Again, sorry if I'm not clear. All my spam is in my held mail, but I now have 15000+ messages there. How can I unload them faster than 100 at a time, which is all spamcop will let me do? You got me on the cloudmark. I haven't a clue. I do use spamassassin. The sample email I sent was one I forwarded to myself from held mail so I could have a look at it. I then reported it manually and that was the tracking URL. In this case that spam did go through RoadRunner, (from held mail to my RR account) so perhaps they added it, and perhaps they didn't know then if it was spam or not, so no score? Also, they seem to have stopped coming a few hours ago.
  23. 16000 now. Do I get any kind of medal? I'm going to sue the jackasses at hostway
  24. Now it's 10,000. What's the quickest way to delete more than 100 at a time? I don't have time to report all of them, and I guess it's not fair to spamcop.