Everything posted by elind

  1. Yes, they are sent to spamcop address, (mine is not the one shown, but I presume the list is all spamcop) as is 99% of all the spam I get. I don't have blacklists turned off, but I'm not sure what you mean. I don't know what Cloudmark means and I haven't fiddled with my configuration for years. I have the spamcop address, another main address which is forwarded to spamcop for filtering and Held Mail. Real mail that is not held then gets forwarded to another email which is the one I read from, but normally never publish or use otherwise. Maybe there are simpler ways, but if it ain't broke.... I'm still wondering however if anyone has an opinion on why this happens. I would consider a programming error by the spammer, except that it is the same spam from a similar incident not long ago. And, another question, is there no legal liability for the hosting ISP in these cases (when they appear to be US based)? It really is vandalism. I'm still getting them. When I first looked a couple of hours ago it was 7000 odd, now it's nearly 9000 and that's after reporting a bunch. Of course hostway doesn't work on weekends (I tried calling) and their contact form is non-functional.
  2. I regularly receive one or two spam per day that get through the spamcop filter. However they are addressed to a .[dot]spamcop address (not simply mine) and by all accounts should be seen as spam, and they all have a varying but similarly random letter web link ending in .[dot]CN. I submit these manually and sometimes get a hit on the "hosting" domain of the website, sometimes not. I have noticed that if I resubmit the same spam, to spamcop, I will now get a different host domain. So I repeatedly resubmitted about 10 times, and every time got a different host for the website (although email source remained constant). Sometimes I got no website host, and sometimes there was a repeat of one of them, everywhere from .jp, to .RU to our friends at kornet and .MX and .TW and of course, Comcast. All this was within 5 minutes, on the same spam source. I don't ask for an analysis of this specific email, although I'm sure there will be more in the future; but I would appreciate an explanation of how this works. Seems like they can randomly rotate the links to their websites every few seconds (assuming the problem is not with spamcop), and given that I routinely get this spam without it being picked up by spamcop, there is something different being done here. On the other hand, if they are so damn smart, why do they bother spamming spamcop addresses??
  3. Here's the latest 4 link one, in case anyone can work the links to the end. http://www.spamcop.net/sc?id=z2468210465z4...a2004ad9582605z
  4. Well, I've learned some more again. I haven't researched other anti-spam efforts as described, just doing my bit with spamcop seemed enough, but I'll see how easily I can contribute to these others as well. As to the BOINC approach, granted if spamcop is only peripherally interested in getting to spam websites they may not be the ones to do this, and someone else may be able to manage the same with their dedicated systems. I don't think it is terribly complicated, there are plenty of users of that on the web (I run Seti only) and I suspect one can get a "package" where one just writes one's own code inside it. In the case I described all it is a matter of building a table of unique hits from the URLs in question over a period of time, then treating it exactly like a spamcop report, except to all the multiple hosts identified. However, it seems to me that the very fact that spammers have no interest in removing spamcop addresses from their lists means that they don't much care about spam message reduction efforts. That is just a cost of doing business. However simple economics says that if they lose their sales points, of which there will be fewer than their mailing points, then they will be hit harder than by spamcop reports to the sender's ISPs who mostly don't seem to care. What is also missing, IMHO, is a concerted effort by the people who can have influence and pressure in the market as a whole. That means the main telecommunication companies and ISPs etc., including those like Microsoft. A few years ago even Bill Gates was talking of stopping spam, now one hears almost nothing except from the technical press. What happened?
  5. Hello again. HD started to crash. Installed a new one. Reinstalled everything. Backups went to the wrong directories, and I could go on.... I haven't read everything above, but I have been getting the same spam with the cryptic 2 words ending in CN. Usually it's watches. However when they first started it was one web link. Then they came with two and now it is 4 separate links in groups of two, usually only the first word varies in each spam. I think (i.e. guess) they are deliberately doing this to spoof the likes of spamcop because I've been resubmitting them manually to see what comes up. The sender is always the same of course, but 9 out of 10 spamcop processes come up with nothing on the URLs and then there will be a series of hits, but usually only one or two of the addresses, then no hits for several minutes (resubmitting as fast as spamcop responds, and canceling if nothing new appears). Some hits reappear more often than others (e.g. Chello.hu) but good old Comcast, Earthlink and even RR pop up now and then. I understand that for reasons I don't understand, Spamcop doesn't focus on spamsites as much as senders, and I'm sure there are good technical reasons to not persist (wait?) to resolve these changing URLs; but it seems to me that spammers are a lot more vulnerable at the point of sale than the mailboxes they send from. If the reasoning for not addressing this ploy is technical, bandwidth/hardware/whatever, then it occurred to me that Spamcop should consider putting an application on BOINC to spread the load. These kinds of delayed URL resolutions could be farmed out to participating PCs which would repeatedly, on their dime, try to resolve all the varying URLs in a particular piece of spam then, within a certain time limit, send back the list of resolved hosts to spamcop for reporting.
  6. No time to read everything this morning, but this is my point, or what I imagine, exactly. That in turn means that the service specialists control the lists (only a fool would sell a list that someone else could then do with as they please), which means they are harming their own assets (zombies etc.) by knowingly sending out spam to recipients who are guaranteed to report them and who will not buy from the spam sites and who will actually compromise the spam websites as well. This is the part that I don't understand and why, with all due respect, I have trouble accepting the explanations I have seen so far.
  7. OK, but can you really buy a kit to first find and catch zombie PCs and then construct a network of them and then manage things like the changing DNS scenarios we have been talking about and simultaneously manage a counterfeit watch business? I'm no fool, but that seems way past what used to be simple scams like the random mailings from Nigeria. I just checked out a bank phishing spam (which was trapped by spamcop) and this one too has the DNS ploy. So far only Comcast, Charter, Theplanet and Earthlink. Note no RU, CN or BR. None of this, coupled with what they do with idiots' bank accounts, seems like a kit operation to me; but I'm just going by gut feel. No thanks. Of course my other email accounts that are filtered are not spamcop accounts, but the majority of what I get is still to the spamcop account. That is probably because I don't much care where I give it out. That gives me a fuzzy feeling.
  8. Glad you are enjoying yourself too. To answer Farelf on splitting out, I appreciate that a forum that also functions as a reference source needs to be managed logically and no doubt most if not all of this ground has been touched on elsewhere already, but for an occasional visitor like me it is more enjoyable to have an open-ended discussion that can be more easily followed and back-referenced. However that's not my call, so please do what you think is best for the forum. I do however have some thoughts on why I feel the reasons given for spamming spamcop accounts are unsatisfactory, without knowing how spammers think. No doubt some Nigerian scammers get shafted with bad lists, but I strongly suspect that the spammers are closely connected with the sellers of watches, Viagra and all the rest (come to think though, I do believe there is less porn spam than there used to be). After all, in any business it is best to have a piece of the whole chain, rather than just a part of it. Also, it is trivially simple to filter out spamcop addresses, and probably not much harder to do the same with those who report spam (put a unique key in the message that comes back). A sucker buyer probably has no access to the actual list and cannot verify even how many addresses are on the list (if they did have access they could copy and resell the list) and they will not just buy the list in most cases; they also buy the mailing, meaning use of a botnet controlled by the seller. In that situation it seems that all they do is shoot themselves in the foot because their network will be degraded by those reports that are acted on and I doubt a single spamcop addressee will be a customer. We know the spammers are technically savvy, so the question remains; what is the point? I think we are missing something here. PS. Two days and I haven't received any more of the common ***.cn lists that started this. Maybe taking the time to report as many of the hosts as I could has had an effect, but I'm not holding my breath yet.
  9. No offense taken. Just tooting my own horn a little, and your input is appreciated. Since we are covering a fair amount of ground here, which I hope nobody minds, may I take the opportunity to ask a couple of questions, somewhat related. I have been told that if connected to the internet via a router, then a firewall on the PC is redundant (and can sometimes cause network problems). Is that true? If one is fairly good at recognizing spam and knows better than to open unrecognized attachments or strange website links, and runs something like Adaware regularly, is it really necessary to run a virus protection system all the time? Are there any risks other than stupidity? I appreciate the rest of what you say, but I think this is an unrealistic fear, or at least one that you don't offer a solution for. Tyrants don't much care what stays on your computer, and if they did they can get at it one way or another. What they care about is what comes out of your computer to someone else, and that can be seen without touching your PC. I've bookmarked that for future education. Thanks.
  10. Just for the record, I'm He, and I don't think I'm technically challenged just because I haven't studied all of this the past few years. Back in the good old days of Windows 98, primitive viruses and negligible spam I did create some online databases with MS SQL and other tools, as well as .... but I digress. From my education here I think that there are two fundamental approaches to dealing with spam. One is essentially to fight the war, but don't touch the fundamentals of the internet, and the other is to change the rules of what one can do, unrestricted, with the internet (which presumably would also include changing parts of the internet). I think the wild west days are numbered and eventually (maybe not in my lifetime however) the business world will decide that it is in their interests too, to control the criminals. Imagine, for example, if telephone companies could be bothered to disconnect 800 numbers selling fake graduate degrees via spam, or that credit card companies would cancel the accounts of Canadian. Pharmacy.Com. Merchant credit card accounts are not simple to get, and they are easy to identify by making one small purchase. Cut them off, including those who purchase from spammers. The phishers for bank info..... Logon controls for this are still fairly primitive although my bank has a third level visual confirmation that it is a secure site. I don't know how good that is, but I can well imagine that if the banks are made legally responsible for any such misuse of online transactions, then they have to guarantee the funds unless they can prove it was the account holder committing fraud. Call it a kind of deposit insurance. I'm pretty sure they will spend a bit more money on security if that were the case, and credit card companies already do that to a large extent. Also, if pigs could be made to fly we could solve a lot of things.
  11. The technical significance of what you say is above my level, but if it is that simple, it sure sounds like the simplest approach. So how does one get the good guys to work together so as to make the bad guys stick out like a sucked thumb on a dirty baby?
  12. I appreciate some of what you say, but the above is not the bugaboo you describe, IMHO, unless it is sold that way. Norton does check your machine and reports to them, every time it sees that you need an update and downloads it and changes your files and registry. So does Microsoft and a host of others and we trust that they aren't also copying our secret pictures. My reference to bogging down was just a joke dig at Norton, but more specifically there are many solutions to your concerns. You could simply be required to have installed and updated virus software from any one of participating companies, free or not, and all those systems have to do is tell your ISP OK or NOK whenever you log on, meaning scan up to date and run last night, or not.
  13. Scan for malware that could be controlling your PC of course. Are you saying that can't be done? I don't think the majority would object. That is no different from allowing Norton to do it, while slowing your PC to a crawl.
  14. My bad. I did not mean detecting a "network", just an infected computer, and I believe virus detection will detect what it takes to infect a PC for a botnet. I'm not sure, but won't a firewall also prevent that misuse? Yes, but a concerted effort to identify and show who cares and who doesn't would have an effect, at least in the West; if ISPs could be shown to be able to make a significant difference by being proactive rather than simply reactive. I, for example, will be looking to see if Comcast pays any attention at all to the reports I have sent them about this ****.cn botnet.
  15. That was interesting and informative. So what are the chances of something like that being implemented? On the subject of responsible behavior, are not botnets readily identifiable by virus detection software? Would it not be simple for reputable ISPs to require that all subscribers have such software, and indeed provide it for free if not from another source? A service provider could simply automatically trigger a scan at regular intervals, and advise how to prevent reinfection, or discontinue service if not complied with. This would not stop abuse, but it would push it to sloppy or criminal providers who would stand out more easily. As an example, the spam I get that started this thread has Comcast in all of the lists that I have investigated, and road runner in at least one. Comcast can be shamed more easily than somebody in Russia.
  16. I can understand that part, but not really how they can switch the target, often many times per minute, and how do they switch them off entirely so that spamcop can't see them at all for a period of time? Typically repeated submissions to spamcop will always show the same email source, but sometimes no web site host (discarded by spamcop as fake), then less than a minute later there appears a valid web host. Then next time a different one. Then none. It seems to me that even someone who wanted to buy from them would often find it was an invalid web site and move on?? I'm guessing that in the case of a redirect which is made to a non-existent IP, then spamcop will not even see the redirecting PC, or that if the redirecting PC server is switched off momentarily (from the remote CC) either deliberately or while it is reconfiguring for a new redirect, then it will also not be seen by spamcop. But that would mean a master PC and IP somewhere, which would be vulnerable.... Alternatively, perhaps there is a way to change IPs in the DNS servers on the fly, and there can be a delay while that is happening. However if that is the case, are not DNS servers controlled/regulated by civil people and would that not make it relatively easy to stop? Obviously I'm making guesses here since I don't know the details of how it all works, but I'll finish by asking if anyone can tell me how this tracking number can get through to me, when 99% of all other spam is stopped in spamcop held mail. This is one of those redirecting spammers and has the same MO and type of .cn URL. It is obviously spam, so why do I still get a few per day, and essentially only of this type? http://www.spamcop.net/sc?id=z2443567788zd...ecd5fc43d76cc0z
  17. This prompts me to ask where the redirect is executed, and indeed where the spammer website is hosted? Can it be on a hijacked PC, as opposed to a dedicated web server? I was trying to imagine a website that randomly or in time sequence redirects all connections to some URL on a list, and that URL will in turn do the same thing. However that suggests that each one needs to have information identifying all the others, which would mean that many are vulnerable if one is identified. I'm just guessing here, but the above explanations have made me realize how much more I don't understand. Any clarifications or links to the same would be interesting.
  18. I'm just wondering that if this is becoming a common method, why would not spamcop reconfigure to reanalyze several times to see if the host domain changes? If it comes up the same on the second attempt, carry on as normal. If it comes up different add that domain to the report and so on until a repeat is found, or perhaps just for a fixed number of attempts (say 8). Of course that adds overhead, but is the suggestion that spamcop has serious capacity limitations that cannot be addressed?
  19. Thanks. I agree I should have titled this "host" instead of "source". My bad, and I didn't provide the tracking URL because I didn't want to create unnecessary work for anyone. Seems to me that the internet is designed for spammers if it is this easy for them to arrange. I wonder what legitimate uses there are for doing the same redirect methods or automated domain registration? I'll be happy to provide a tracking URL for the next one if wanted, and I will check my whitelist again. Thanks for the comprehensive education.
  20. elind

    Please call 206 309 0336

    Start improving your life! Bachelors, Masters, MBA and/or Doctorate (PhD) NO ONE is turned down. 7 days a week. Give us a ring.. +12063090336

    I've been getting a lot of this one lately. They think one will buy if they try often enough. The phone number is a mailbox that works for now. I thought I would ask if others would like to call and leave a nice long message to mess them up. Small stuff perhaps, but what the hell..... :angry:
  21. elind

    100,000 th anniversary

    I thought I would tell anyone who is interested that I submitted my 100,000th spam today. Wooppie
  22. elind

    100,000 th anniversary

    Yeah, That's what I meant by Woopie
  23. Every one was identical and every one that I checked came from aplus.net, who I called while they were coming in at 1 per second, and who had an idiot night time tech support who said to email their abuse address, which spamcop had already done 500 times by then. I think I've had a similar occurrence from aplus.net some time ago, though not quite as bad. Does anyone know what is going on with this? Is it a spammer programming error or an attack against aplus.net, or me? Also, how do I set reporting to be for more than 100 at a time? I still have 3300 emails to report and spamcop is getting ridiculously slow processing 100 reports at a time.
  24. Well it seems to be over for now. The tracking is http://www.spamcop.net/sc?id=z2300703753zf...c65e1bf295e55az for those interested. Every one I checked at random was identical and had the same email source (aplus.net) and the same godaddy hosted website. I think I received about 4500 of these, all held by spamcop, but they all came in over 12-24 hours, perhaps less. I contacted aplus.net (their legal department and a few others) and received the following reply (as well as a few inane ones from other departments):

    This server has been shut down for the past 2 days. However the spammer sent thousands of emails that were already in the outbound queue so suspending the server did not stop that traffic until the queue was emptied. We took action against this spammer within minutes of receiving spam complaints. The spam should be stopped by now.

    Somehow this explanation doesn't ring very true, and I had a similar but less severe incident with aplus.net in the past year. Perhaps simple incompetence is the reason. However, the logic behind this is still puzzling and the only one that really makes sense to me is a programming error by the spammer. Also, while it may make no difference to report 4500 identical spam, I like to think it makes a difference to the likes of aplus.net, who presumably will have that many more reports against them in a spam database somewhere, and some jerk somewhere in aplus.net will know how many reports he/she had to delete, and it gives me something to do while I'm waiting for some other page on something else to load. In the past I have usually seen a notice that the issue has been taken care of and spamcop will not send more reports. That never happened here, from aplus.net, or godaddy.com. Also, I noticed that spamcop can take up to 5 minutes to deal with 100 reports, before one can continue with the next 100. Is capacity really that limited? Until the next time...