Jump to content


  • Content Count

  • Joined

  • Last visited

Everything posted by elind

  1. Then after reporting as many of these as I can, at 100 per time, get connection refused from spamcop, even thought I can access other areas on the menu. Getting too late to play with this, but I would appreciate any insights.
  2. I manually submitted a spam that was not caught and held by spamcop (even though it was clearly spam). However in this case I did not see the website host identified in the first pass, so I pasted the source in again and then did see both email originator and website host and reported those. I then had an "unreported" spam from the first attempt in the system, but when I clicked on that I now saw both the email source (same as the one above), and a website host, but the latter was not the same as the report(s) just submitted. There are two questions here: First, why would an initial report not show the website host, but then if that report is not sent and "unreported" spam is looked at there is suddenly a website host that was not there before, for the same spam? Second, how can two reports of exactly the same spam (from the same copy/paste) result in different website identities? Following are the IDs of these two reports: Submitted: Wednesday, September 24, 2008 8:42:28 AM -0400: a $10,000 watch, we sell at $200+-, 70-85% OFF your needed Watches, Japanese ... * 3509468810 ( ht tp://tw wl.dxsp ell.cn/ ) To: p.sowa[at]multimedia.pl * 3509468803 ( ht tp://tw wl.dxsp ell.cn/ ) To: a.dziedzic[at]multimedia.pl * 3509468800 ( ht tp://tw wl.dxsp ell.cn/ ) To: abuse[at]cdp.pl * 3509468795 ( ht tp://tw wl.dxsp ell.cn/ ) To: abuse.ip[at]multimedia.pl * 3509468794 ( ht tp://tw wl.dxsp ell.cn/ ) To: abuse#multimedia.pl[at]devnull.spamcop.net * 3509468778 ( ht tp://tw wl.dxsp ell.cn/ ) To: p.sadlo[at]multimedia.pl * 3509468777 ( ht tp://tw wl.dxsp ell.cn/ ) To: postmaster#multimedia.pl[at]devnull.spamcop.net * 3509468769 ( ) To: abuse[at]tiscali.it * 3509468764 ( ) To: postmaster[at]tiscali.it * 3509468750 ( ) To: abuse[at]it.tiscali.com Submitted: Wednesday, September 24, 2008 8:42:11 AM -0400: a $10,000 watch, we sell at $200+-, 70-85% OFF your needed Watches, Japanese ... * 3509470972 ( ht tp://tw wl.dxsp ell.cn/ ) To: abuse[at]comcast.net * 3509470970 ( ) To: abuse[at]tiscali.it * 3509470967 ( ) To: postmaster[at]tiscali.it * 3509470965 ( ) To: abuse[at]it.tiscali.com [urls broken]
  3. Point taken. I should have realized that. However I would still be somewhat surprised to find that they profit from that in any real way. They can create the same links themselves via manufactured discussion forums, that would have much more complimentary comments attached. Do we really care if the idiots of the world actually go searching for websites that sell fake watches and all the rest? A;ll they have to do is respond to a few spam and the world will come to them.
  4. OK Boss. Found that. Did that. Thanks. Will do. I suppose you are one of those who will read the entire manual for a coffee maker before plugging it in or buying coffee? Lighten up.
  5. I get the idea, if not the hang, and I won't test your patience, but while this makes sense as a technique I have noticed with considerable regularity that more manual reports than not (I don't analyze the bulk reports much) come up without a report for the hosting website URL, and then if not reported immediately will show a reporting address the second time around. If I understand you correctly that should average out to a 50/50 rate, even though I don't have the hard stats. Honestly, if a jerk is actually reading spamcop hoping to see a new spammer site that they can send money to, I wish they would send their life savings; they would deserve it. I did that above for this example, but I don't see how that gives you enough information to do anything new, without the full source which I would need to edit before publishing I understand. I had thought they might sometimes read these posts. On another thought relating to spam, I wonder how many members here use a spamcop email that starts with their screen name. I do, so perhaps that is why I get so much more spam to this address than elsewhere? Some brilliant spammer maybe decided to try that for valid addresses, just to ensure that they would get reported regularly, but then again, those who buy their lists will never know how many addresses are good or get reported anyway.............. Boggles the mind.
  6. Thanks I was thinking that if there was a real "problem", that the spamcop administration would be the ones to investigate, rather than the forum members. I presume this is what you mean http://www.spamcop.net/sc?id=z2273571886z3...c672f58ebc5b5fz However that does not show me the source for the message, only how it was reported as far as I can tell, which is what I posted earlier via a copy paste. In my experience looking at the original source, it always shows at least my spamcop email, which is where it was forwarded from. I don't see how that can be called munged. I have commented in the past that nearly all of my spam comes to my spamcop address, and the past year or two the rate seems to have at least doubled, even though I haven't been to any naughty websites giving out that address. I sometimes wonder if there could not have been some way that my spamcop address has been visible to some of the 80,000 reports I have made so far (actually, that's 80,000 spam items, with an average of ? reports per spam. I feel guilty already).
  7. To be honest, I was curious more than expecting someone to analyze this case in detail. I thought the reporting numbers would identify the spam to Spamcop if they wanted to look into it further. Also, even though I have been using spamcop for years, I am never quite sure how to provide all the tracking data without inadvertently also publishing my email to all the spammer scum reading this. If you want to give me a quick lesson, I'll try to do so.
  8. I have started, fairly recently, to receive more spam that includes my email address, or my name in the email address within the subject or the body of the spam. Nearly all my spam comes to my spamcop address anyway (go figure), but it occurs to me that if they expect it to be reported then it will be reported with my email clearly identified. What they do from there is beyond me, but I would like to know if this is a recognized spammer method, and if it is possible for Spamcop to parse the message and subject and remove (munge?) the identifying information before reporting. Simply removing any match with the receiving address should be simple, I think. In truth I have started to either not report these or, if I have a few minutes, removing that information myself before reporting. However if the volume increases that will not be practical.
  9. There are lots of things I don't understand, like why waste so much resource on addresses that obviously are reporting and why send the same message repeatedly to the same addresses? Email itself may be cheap, but many sending locations and websites do get shut off due to reporting. Wouldn't it make sense to maximize their use better? In this case I simply notice a new deliberate style and I am wondering if there is an explanation for it.
  10. I'm not expert enough to design such a system, but you alluded to a two tier service, which is what caught my eye. The majority of email users are individuals and even companies can have quite specific rules about who is allowed to email them (most have given up on public email addresses anyway, using web forms instead). Any legitimate users should not have a problem with a system that positively and verifiably identified both the sender and their ISP. I am much more inconvenienced by spam than I would be by any such system I can imagine. Let those who respond to spam continue to receive it. I believe there are solutions, but the question is what are the necessary pressures to actually implement any? It would seem that as long as the capacity exists, and providers have an opportunity to bill by bandwidth used directly or indirectly, then spam is an indirect opportunity to keep revenues above where they would otherwise be. For example Sprint seems to be the primary carrier for much of the spam from China (according to Spamcop reports). I would imagine they bill someone for that traffic.
  11. Have there not been proposals made to this effect? Would it not be possible to add protocols (which clearly identify the sender), which could be optional (opt-in), so that the user would choose to tell all those who communicate with them that they will not receive any communication from anyone not using this protocol? Didn't Microsoft start to suggest something like that?
  12. elind

    Is SpamCop Worth It?

    I am back just to browse and see what's new, but partly because I always have the same thought about effectiveness, while getting some pleasure in reporting. However I've been reporting with Spamcop for several years now, and kept the same email addresses, and most of my spam is sent to my spamcop address (who knows, maybe I was bad a long time ago?) and I only get 2 to 4 coming through to my inbox every day; BUT the amount reported has been increasing steadily, particularly the past year it seems and I wonder if that is just me or everywhere? I seem to recall that a couple of years ago there was actually a drop in spam, but it sure doesn't look that way to me today, and I'm pushing 76000 today. I do wish Spamcop would do some more fun analysis with it's reporting data though. It would be interesting to see how the patterns and sources change over time, in total and by reporter for example. However too much detail might also be useful for the spammers, so maybe that is not a good idea.
  13. elind

    URL not parsing

    Moderator Edit: extracted from http://forum.spamcop.net/forums/index.php?showtopic=9481 and made into its own Topic, moved to a different Forum section, as the subject matter of this post has no bearing on the Topic it was posted into. Thanks to the replies above, and perhaps someone can explain what it means when spamcop analysis says "resolving link obfuscation" followed by the website in question, but the only reporting done is to the source of the email, not the website host? This applies when the sole message is a website link (with an exe file) and without the forwarding disguise in this original thread post. I'm still getting these same spam, with a file called video.exe or video1.exe, but they seem to have dropped the doubleclick disguise now and just send a web link, but one that never gets reported by spamcop. All I can imagine is that they hope I (this spam is addressed to me by spamcop name) will click on it by mistake if they send enough of them; but even that sounds really stupid, so I really don't get it. What is the point? Moderator Edit: PM sent to advise of all the handling and movement of this post.
  14. <a = href=3D"http://ad.doubleclick.net/click;h=3DDwXgyklaAFflZyiLhMnAiifOjiqGD= wXgykla;~sscs=3D%3fhttp://teknoatilim.com/video.exe">Watch. = <br><a> I am receiving spam with the above link. I am curious about what it does. It appears to be using doubleclick.net, but Spamcop parsing doesn't pick it up, yet it is the only link in the spam. Can anyone explain how this works?
  15. elind

    A question about disguised links

    OK, I too know the legal meanings of guarantee, but that is not the same thing as deliberate erasing. As to RR, all I know is that when I found the secret passage to the "voluntary" filter and turned it off, I haven't noticed any problems, and that goes for the most obvious spam that I occasionally forward from my held mail rather than report directly, just because I am curious about it.
  16. elind

    A question about disguised links

    I'm in Florida and use Road Runner (Bright House), and it did happen to me, but as I said because a filter setting got set somehow, not because it was a blanket policy. However I do recall that it was hard to get that information out of them, as I had never looked into those options before. Seems to me there would be a lot of legal liability there as much business is conducted by email. It's not just forum chat and family pleasantries, but I guess one has to pick one's service providers carefully, as in anything.
  17. elind

    A question about disguised links

    Uhh. I don't think so, I was just curious as to where it was and why spamcop couldn't recognize it; but now that you mention this wouldn't godaddy want to know, assuming they don't like spam either? Are you sure about that? I don't think any provider can delete any mail without the user asking for it, since no filter can be 100% accurate. I had that problem a while back when my provider's settings had somehow been set to filter spam without my knowledge. I was not receiving any "forward - do not whitelist sender" type of held mail, for example, and I was losing some legitimate mail. I eventually reset that to do not filter, since I rely on spamcop to do all my filtering, including my non spamcop address. The latter still receives much less spam since I am not as open with it. If providers really wanted to stop spam they could filter it outgoing instead of incoming and request individual client confirmation of suspect messages, or at least identify them statistically, could they not? I suspect that is only partly true, because spammers could still sell suckers lists or services, whether or not they make money for the suckers. There's one born every day, I hear.
  18. elind

    A question about disguised links

    That makes some sense in terms of improving the statistical return on spam. A little bit better can be a lot better, although I would then question why they send multiple spams to the same address at the same time and in particular why they send to spamcop addresses (which is where I get almost all spam), since that would seem to invalidate the former supposed sophistication. However perhaps they are just different spammers. I also have another suggestion for this method, in that it seems to confuse the spamcop parser. I received one with this link today. <a = href=3D"http://ad.doubleclick.net/click;h=3DprVJZxdCqxESRHIKqakxVhjqUyZRp= rVJZxdC;~sscs=3D%3fhttp://trieu-exotics.com/video.exe">Watch. = <br><a> The first report via spamcop did not recognize the the spam website. Editing out the doubleclick part and resubmitting with only trieu-exotics gives the host as godaddy.com Looking at trieu-exotics suggests that it is a legitimate aquarium products (live coral) site, so I'm still confused. Either it is a front or the site has been hacked and "video.exe" has been stored there. Can anyone run video.exe on a secure machine to see what it does? I don't want to on mine.
  19. elind

    A question about disguised links

    OK. Sorry to get off track. I misunderstood to mean source. Yes I could get the tracking URL by going back through logs, but I wasn't concerned about details; just the principles out of curiosity. I'm still receiving these. Some are reported to a website host. Some just say reporting suspended for doubleclick. I'll read up on the link provided without asking more silly questions. Thanks
  20. elind

    A question about disguised links

    That's simple to you. Obviously I wouldn't ask these questions if I thought nobody could answer them. I don't know what information you want that is relevant to how the link in question works. I don't provide the original source for obvious reasons; it contains my email addresses in addition to my spamcop one. I don't know how to edit it to be relevant and I am not a fool, but I don't understand how doubleclick can be hijacked to redirect as you say, nor do I understand the point of doing it that way in the first place, nor why such a "simple" method cannot be parsed by spamcop. If you want to be helpful ask intelligent questions, otherwise ignore mine. Thank you. Thank you
  21. elind

    A question about disguised links

    I'm not sure what you mean by protecting the searchbots? Are you saying they need to be protected against picking up spam? I copied/pasted the link as received without changing it. If it's broken it was likely a spammer mistake and, needless to say, I didn't try it. The source of the email was Charter according to spamcop. However I still don't understand how this is supposed to work, broken or not. What is the point?
  22. I sometimes see reporting addresses on my reported spam list that look suspicious to me. For example (I have seen other similar ones in the past), I recently noticed a spam report going to an address in the Bahamas (Bahamas Telecom) as follows: hussain[at]batelco.com.bh I don't know of any Arabs in government positions (or anywhere else) in the Bahamas, having lived there, and while it is of course possible I find it strange that the spam/abuse contact on record for Bahamas Telecom would be a Hussain. Could this be faked somehow?
  23. I would appreciate an explanation regarding link obfuscation. What does spamcop do with that? I often see spam which links through one website to another. Googlepages and geocities are common. That site then immediately redirects to another, typically chinese or korean sites in my case. In the spamcop analysis there is a link obfuscation section, but it often misses the real spammer site. However if I paste that site address into the source and process again, then it comes up in the reporting list, but the spamcop analysis doesn't seem to find it otherwise. Why? My questions are, why do the spammers bother to go to all the trouble since they are typically the usual foreign spammers anyway? Also, why does Google not accept spamcop reports? Are they mad at spamcop or don't they bother to pursue spammers?
  24. I haven't used their service but I don't see the difference between hosting a spammer site and a page that does nothing but automatically redirect to a spammer site. That's what some spammers do with Googlepages or Geocities. How is there no way to stop that from happening unless you are describing something different from what I am? They can easily automate checking, or simply not allow redirects, can't they? They can also accept spam reports like most others.