Jump to content


  • Posts

  • Joined

  • Last visited

jongrose's Achievements

Advanced Member

Advanced Member (3/6)



  1. There is some discussion of this on Wilders and some members have successfully gotten archived stuff from CC off Google cache. It's definitely very sad and too bad the owners didn't provide a copy of the wiki and forum database for others to recreate. http://www.theregister.co.uk/2008/12/29/castlecops_closes/
  2. It appears that report_spam[at]hotmail.com is now bouncing my reports of 419/lotto email reports. They are now filtering that address to prevent spam (?![at]). Here is the report URL http://www.spamcop.net/sc?id=z2402230779ze...aaccde7bb89198z This is the 2nd bounce I have gotten from this address w/in a couple weeks, so I know it is not an error/coincidence. I'm not sure if they have any alternative reporting addresses.
  3. Steve Gibson said in Security Now episode #167 that the reports of WPA and WPA2 were "totally bogus". Transcript (search for "WPA").
  4. Yeah, that's pretty much the same problem I've been having. Some days it's extremely slow to the point of being totally inaccessible, but other days it seems to work okay. I assumed it was DoS attacks against them, but I know they are using Prolexic which is supposed to be DoS proof, so I couldn't understand what the problem was. Anyway, thanks for the insight.
  5. I know they were hit with a DDoS last month, but since then, it seems like they are super slow and it is nearly impossible to connect to their site everyday now. Does anyone know if they are still under attack or are they having some other problems? Thanks, Jon
  6. First off, I want to state that I realize that the main objective of SpamCop is to report the source of spam, and that identifying and reporting the spamvertized URLs contained within email is secondary. Nonetheless, because this feature is included in SpamCop, I believe that all attempts should be made to keep up with the methods employed by spammers to stop their criminal activities. SpamCop is an automated tool used to fight spam not only for its members but for the good of the worldwide internet community. In keeping with this goal, a simple modification to the SpamCop parsing engine should be made in order to allow it to detect URLs that are currently being missed. So, for the sake of this discussion, I would appreciate it if the argument of SpamCop's URL detection philosophy be left out of this topic. The Problem For quite some time, spammers have been abusing the use of MIME (Multipurpose Internet Mail Extensions) email headers in an attempt to bypass detection and avoid anti-spam techniques. By adding a malformed MIME header line in an email, the spammer causes what essentially amounts to a broken encoding method for the email. The MIME type used by spammers for this purpose is known as the "Alternative Subtype". In the headers of the email, the spammer will add an incomplete Content-Type and boundary line that is commonly used for sending messages in both plain text and HTML format in a situation when it is unknown which format the email client supports. It is my understanding, based on this thread, that SpamCop cannot properly parse URLs contained in emails that include malformed and incomplete MIME headers. In this thread I will attempt to explain MIME to the best of my knowledge and put forth the argument that SpamCop should modify the parsing engine to allow it to detect and report URLs currently bypassed by exploiting this technique. What is MIME? Below is an example of the correct implementation of the MIME alternative subtype. I have included numbers prefixing the code to explain it's usage below. 1 MIME-Version: 1.0 2 Content-Type: multipart/alternative; 3 boundary="=_ba87f495fb100f8dc950f0cef0ffa800" 4 5 --=_ba87f495fb100f8dc950f0cef0ffa800 6 Content-Type: text/plain; charset="ISO-8859-1" 7 Content-Transfer-Encoding: 7bit 8 9 --=_ba87f495fb100f8dc950f0cef0ffa800 10 Content-Type: text/html; charset="ISO-8859-1" 11 Content-Transfer-Encoding: quoted-printable 12 In lines 1-3 are what is included in the headers of the email. Line 1 defines that the email includes a MIME section. Line 2 and 3 then set that the content is multipart and will include more than one encoding type. The boundary is a set of random characters and may include a timestamp or other information, it will tell the email client where to find and identify the MIME content type. In line 5 we see the boundary code again, prefixed by two hyphens. Lines 6-7 inform the email client that this section is made up of plain text, along with the character set and the encoding. After this is displayed in the body of the email, the message will be shown to the end user in plain text format. In line 9 we again see the boundary code and in 10-11 the content is now HTML. This would normally follow with the same message shown after the previous plain text version for HTML compliant email clients. As you can see, the purpose of the usage of this MIME encoding was to send the email to a client which the sender did not know if it would view (or prefer) the message in HTML or plain text. How is MIME abused? When a spammer incorrectly uses MIME, it is similar to using a broken or incomplete syntax. For example, when writing the code to create a link in HTML, the correct syntax would be to use <a href="http://www.website.xyz/">Click here</a>. However, when using a malformed MIME Content-type, it would be like leaving the trailing "</a>" off the end of the HTML a href code. When the email client first sees that the message is MIME encoded and then looks for its follow up boundary code to display the email message in it's preferred format for the reader. If it does not find this, it will do certain things depending upon how it's configured or setup. In most instances, it will simply display the email message without difficulties. An example of an invalid MIME alternative subtype simply looks like the following: 1 MIME-Version: 1.0 2 Content-Type: multipart/alternative; boundary="0-1466100096-1197442086=:47221" 3 Content-Transfer-Encoding: 8bit Lines 1-3 are included in the headers of the spam email. As you can see, the implementation is correct. However, nowhere in the body of the email is there a boundary follow up code to let the email client know where to look for any content type that what's including in either plain text, HTML, or any other format. This could be caused by a poorly written email program or some other type of error, but in this case it is simply used in a malicious attempt to trick the email client from employing it's spam filters to check the body of the email or any URLs that may be included. Where does SpamCop come in? SpamCop trusts the MIME Content-Type/boundary and when the bogus lines are added in the headers it fouls up the parsing engine causing it to bypass or ignore any URLs, no matter how obvious they are to the reader. Why or how this happens, I do not know, as I am not familiar with the specific workings of the SpamCop parsing engine. When an email with bogus MIME Content-Type is passed through the parsing engine, the message will show up, indicating that SpamCop has missed the URL(s) in the email. Here are some examples: http://www.spamcop.net/sc?id=z1570835087z5...49feaba719fe77z http://www.spamcop.net/sc?id=z1561617737z1...814be496d226adz http://www.spamcop.net/sc?id=z1570175158z8...843f2459f4a92dz http://www.spamcop.net/sc?id=z1561673499zb...de9f8cca4bc21dz The third and fourth links are both phishing emails, which is all the more reason that these URLs need to be reported. Here is a previous discussion on this topic: Parsing: Spamcop not finding links in email when there are links Resources & References MIME - Wikipedia RFC 2387: The MIME Multipart/Related Content-type RFC 2046: MIME Part Two: Media Types - 5.1.4. Alternative Subtype Content boundary - Wikipedia
  7. ISPs could probably cut spam rates in half on their networks if they just gave end users out a CD with a copy of AVG Anti-Virus Free and a few other freeware security tools (granted that the user installed this). If you look at AOL and their inclusion of more secure software for their users and the amount of spam coming from them is practically non-existent.
  8. I've always just used the abuse[at]yahoo.com address for anything from Yahoo, and have never gotten a response ever, not even an automated one. Yahoo's FAQ says that their regular abuse addy is fine for this too [Google search "geocities abuse"]. Abuse.net also gives the address abuse[at]geocities.com.
  9. I thought I might also mention CastleCops SIRT which takes spam URLs and manually report them, as does KnujOn. Are you using the software version? Because the Sam Spade website seems to be down.
  10. I wouldn't say that is necessarily true. It all depends on what kind of infection it it and how deeply the infection has gotten into the system (and how much time the user wants to spend trying to disinfect themselves). Malware Removal Guide - Optimize Guides Recover from a Virus or Trojan Attack (PDF) - US CERT Unexplained computer behavior may be caused by deceptive software - Microsoft Malware Removal and Prevention - CastleCops Step by Step Malware Removal Guides - Google Try and run one of the many online virus scanners to identify (if not remove) the threat you have. Once you have it identified, it becomes much easier to discover a guide or even a tool that will help you remove it. HiJackThis and the many forums that help analyze the logs and guide users through removal and repair can also be of great help. Make sure and secure yourself once you've gotten rid of the problem, however you choose to do so. Make sure and always apply the latest patches for your OS and any other software you run, use both a software and hardware firewall. Download or purchase an anti-virus and keep it up to date and scan your system at least once a week, as well as one or more of the spy/ad/malware and rootkit solutions. Finally, take great precaution in what you download off the internet and through email. Here's a few more helpful links for that: Secure XP Basic Home Computer Security Home Network Security Good luck!
  11. You may want to try the Google Webmaster Center and tools section, if you haven't already.
  12. I notice this a lot as well. It's clearly a way to get around automated spam reporting tools such as SpamCop. I have also read that one well known spammer, Alex Polyakov, blocks Ironport's servers to prevent them from looking up domain names, thus blocking reporting of his spam sites. I have also heard that When that occurs I will report the message to CastleCop's SIRT tool.
  13. You might go ask this question at TheCarPCStore - Kill Spammers Forum that has a lot of members that are keen on this type of thing and can probably help you better find what you're looking for.
  14. I don't remember SORBS being a BL option, but I did have some back and forth with a few of you (I can pull up the thread if necessary) about it, and as I recall, SORBS is pretty slow just when trying to look up something through it's web based lookup tool, so I believe one of the assumptions was that it, along with some of the other DNS/RBLs, might be too slow and that's the reason that emails (which, in some cases, have IPs that are listed in one ore more of the BLs enabled) get skipped by them. That's one of the reasons I have both the CBL and SpamHaus's XBL enabled, even though that is technically redundant.
  15. www.mailtester.com Does a test similar to the one Farelf performed. Some mail hosts won't return any answer (such as Yahoo), but when others reply I have found it to be quite accurate.
  • Create New...