Everything posted by jongrose

  1. There is some discussion of this on Wilders and some members have successfully gotten archived stuff from CC off Google cache. It's definitely very sad and too bad the owners didn't provide a copy of the wiki and forum database for others to recreate. http://www.theregister.co.uk/2008/12/29/castlecops_closes/
  2. It appears that report_spam[at]hotmail.com is now bouncing my reports of 419/lotto emails. They are now filtering that address to prevent spam (?![at]). Here is the report URL http://www.spamcop.net/sc?id=z2402230779ze...aaccde7bb89198z This is the 2nd bounce I have gotten from this address w/in a couple weeks, so I know it is not an error/coincidence. I'm not sure if they have any alternative reporting addresses.
  3. Steve Gibson said in Security Now episode #167 that the reports of WPA and WPA2 were "totally bogus". Transcript (search for "WPA").
  4. Yeah, that's pretty much the same problem I've been having. Some days it's extremely slow to the point of being totally inaccessible, but other days it seems to work okay. I assumed it was DoS attacks against them, but I know they are using Prolexic which is supposed to be DoS proof, so I couldn't understand what the problem was. Anyway, thanks for the insight.
  5. I know they were hit with a DDoS last month, but since then, it seems like they are super slow and it is nearly impossible to connect to their site everyday now. Does anyone know if they are still under attack or are they having some other problems? Thanks, Jon
  6. First off, I want to state that I realize that the main objective of SpamCop is to report the source of spam, and that identifying and reporting the spamvertized URLs contained within email is secondary. Nonetheless, because this feature is included in SpamCop, I believe that all attempts should be made to keep up with the methods employed by spammers to stop their criminal activities. SpamCop is an automated tool used to fight spam not only for its members but for the good of the worldwide internet community. In keeping with this goal, a simple modification to the SpamCop parsing engine should be made in order to allow it to detect URLs that are currently being missed. So, for the sake of this discussion, I would appreciate it if the argument of SpamCop's URL detection philosophy be left out of this topic.

     The Problem

     For quite some time, spammers have been abusing the use of MIME (Multipurpose Internet Mail Extensions) email headers in an attempt to bypass detection and avoid anti-spam techniques. By adding a malformed MIME header line in an email, the spammer causes what essentially amounts to a broken encoding method for the email. The MIME type used by spammers for this purpose is known as the "Alternative Subtype". In the headers of the email, the spammer will add an incomplete Content-Type and boundary line that is commonly used for sending messages in both plain text and HTML format in a situation when it is unknown which format the email client supports. It is my understanding, based on this thread, that SpamCop cannot properly parse URLs contained in emails that include malformed and incomplete MIME headers. In this thread I will attempt to explain MIME to the best of my knowledge and put forth the argument that SpamCop should modify the parsing engine to allow it to detect and report URLs currently bypassed by exploiting this technique.

     What is MIME?

     Below is an example of the correct implementation of the MIME alternative subtype. I have included numbers prefixing the code to explain its usage below.

     1  MIME-Version: 1.0
     2  Content-Type: multipart/alternative;
     3          boundary="=_ba87f495fb100f8dc950f0cef0ffa800"
     4
     5  --=_ba87f495fb100f8dc950f0cef0ffa800
     6  Content-Type: text/plain; charset="ISO-8859-1"
     7  Content-Transfer-Encoding: 7bit
     8
     9  --=_ba87f495fb100f8dc950f0cef0ffa800
     10 Content-Type: text/html; charset="ISO-8859-1"
     11 Content-Transfer-Encoding: quoted-printable
     12

     Lines 1-3 are what is included in the headers of the email. Line 1 defines that the email includes a MIME section. Lines 2 and 3 then set that the content is multipart and will include more than one encoding type. The boundary is a set of random characters and may include a timestamp or other information; it will tell the email client where to find and identify the MIME content type. In line 5 we see the boundary code again, prefixed by two hyphens. Lines 6-7 inform the email client that this section is made up of plain text, along with the character set and the encoding. After this is displayed in the body of the email, the message will be shown to the end user in plain text format. In line 9 we again see the boundary code and in 10-11 the content is now HTML. This would normally be followed by the same message shown after the previous plain text version for HTML compliant email clients. As you can see, the purpose of using this MIME encoding was to send the email to a client when the sender did not know whether it would view (or prefer) the message in HTML or plain text.

     How is MIME abused?

     When a spammer incorrectly uses MIME, it is similar to using a broken or incomplete syntax. For example, when writing the code to create a link in HTML, the correct syntax would be to use <a href="http://www.website.xyz/">Click here</a>. However, when using a malformed MIME Content-Type, it would be like leaving the trailing "</a>" off the end of the HTML a href code.

     When the email client first sees that the message is MIME encoded, it then looks for its follow-up boundary code to display the email message in its preferred format for the reader. If it does not find this, it will do certain things depending upon how it's configured or set up. In most instances, it will simply display the email message without difficulties. An example of an invalid MIME alternative subtype simply looks like the following:

     1  MIME-Version: 1.0
     2  Content-Type: multipart/alternative; boundary="0-1466100096-1197442086=:47221"
     3  Content-Transfer-Encoding: 8bit

     Lines 1-3 are included in the headers of the spam email. As you can see, the implementation is correct. However, nowhere in the body of the email is there a boundary follow-up code to let the email client know where to look for any content type that's included, whether plain text, HTML, or any other format. This could be caused by a poorly written email program or some other type of error, but in this case it is simply used in a malicious attempt to trick the email client out of employing its spam filters to check the body of the email or any URLs that may be included.

     Where does SpamCop come in?

     SpamCop trusts the MIME Content-Type/boundary, and when the bogus lines are added in the headers it fouls up the parsing engine, causing it to bypass or ignore any URLs, no matter how obvious they are to the reader. Why or how this happens, I do not know, as I am not familiar with the specific workings of the SpamCop parsing engine. When an email with a bogus MIME Content-Type is passed through the parsing engine, the message will show up, indicating that SpamCop has missed the URL(s) in the email.

     Here are some examples:

     http://www.spamcop.net/sc?id=z1570835087z5...49feaba719fe77z
     http://www.spamcop.net/sc?id=z1561617737z1...814be496d226adz
     http://www.spamcop.net/sc?id=z1570175158z8...843f2459f4a92dz
     http://www.spamcop.net/sc?id=z1561673499zb...de9f8cca4bc21dz

     The third and fourth links are both phishing emails, which is all the more reason that these URLs need to be reported.

     Here is a previous discussion on this topic: Parsing: Spamcop not finding links in email when there are links

     Resources & References

     MIME - Wikipedia
     RFC 2387: The MIME Multipart/Related Content-type
     RFC 2046: MIME Part Two: Media Types - 5.1.4. Alternative Subtype
     Content boundary - Wikipedia
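The failure mode described in the post above (a multipart/alternative Content-Type whose boundary never appears in the body) can be reproduced with Python's standard library parser. The following is an added example, not code from the post or from SpamCop: it builds two constructed messages, one well-formed (reusing the boundary string shown in the post) and one malformed (reusing the boundary from the invalid example), then compares a URL extractor that trusts the MIME structure against one that notices the parser's recorded defects and falls back to scanning the raw body. The message bodies, URLs and hostnames are made up.

```python
import email
import re
from email import policy

# Deliberately simple URL pattern shared by both extractors below.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample 1: well-formed multipart/alternative, boundary taken from
# the post's valid example; body text and URLs are made up.
GOOD_MESSAGE = """\
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="=_ba87f495fb100f8dc950f0cef0ffa800"

--=_ba87f495fb100f8dc950f0cef0ffa800
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit

Visit http://plain.example.test/offer now.

--=_ba87f495fb100f8dc950f0cef0ffa800
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

<a href=3D"http://html.example.test/offer">Click here</a>

--=_ba87f495fb100f8dc950f0cef0ffa800--
"""

# Constructed sample 2: the malformed case from the post, a multipart
# Content-Type whose declared boundary never appears in the body.
BAD_MESSAGE = """\
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-1466100096-1197442086=:47221"
Content-Transfer-Encoding: 8bit

You have won! Claim your prize at http://phish.example.test/claim today.
"""


def parse(raw):
    """Parse with the stdlib parser; structural defects are recorded, not raised."""
    return email.message_from_string(raw, policy=policy.default)


def boundary_defects(msg):
    """Names of the defects the parser recorded (empty for a clean message)."""
    return sorted({type(d).__name__ for d in msg.defects})


def trusting_urls(msg):
    """Extractor that trusts the MIME structure: it only looks inside text
    parts that were actually delimited by the declared boundary."""
    urls = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        urls.extend(URL_RE.findall(part.get_content()))
    return urls


def robust_urls(msg):
    """Same walk, but when the message claims to be multipart and the parser
    could not split it (boundary never found), scan the raw body it kept."""
    if msg.get_content_maintype() == "multipart" and not msg.is_multipart():
        body = msg.get_payload(decode=True) or b""
        return URL_RE.findall(body.decode("latin-1", "replace"))
    return trusting_urls(msg)


if __name__ == "__main__":
    for name, raw in (("well-formed", GOOD_MESSAGE), ("malformed", BAD_MESSAGE)):
        msg = parse(raw)
        print(name, "defects:", boundary_defects(msg))
        print("  trusting extractor:", trusting_urls(msg))
        print("  robust extractor:  ", robust_urls(msg))
```

On the malformed sample the parser records StartBoundaryNotFoundDefect and MultipartInvariantViolationDefect and leaves the body as an opaque string; the trusting extractor returns nothing, while the robust one still finds the URL. Checking `msg.defects` (or the multipart-but-not-split condition) is the cheap signal a reporting tool can use to decide when the declared structure should not be trusted.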
  7. ISPs could probably cut spam rates in half on their networks if they just gave end users a CD with a copy of AVG Anti-Virus Free and a few other freeware security tools (granted that the user installed this). If you look at AOL and their inclusion of more secure software for their users, the amount of spam coming from them is practically non-existent.
  8. I've always just used the abuse[at]yahoo.com address for anything from Yahoo, and have never gotten a response ever, not even an automated one. Yahoo's FAQ says that their regular abuse addy is fine for this too [Google search "geocities abuse"]. Abuse.net also gives the address abuse[at]geocities.com.
  9. I thought I might also mention CastleCops SIRT, which takes spam URLs and manually reports them, as does KnujOn. Are you using the software version? Because the Sam Spade website seems to be down.
  10. I wouldn't say that is necessarily true. It all depends on what kind of infection it is and how deeply the infection has gotten into the system (and how much time the user wants to spend trying to disinfect themselves).

     Malware Removal Guide - Optimize Guides
     Recover from a Virus or Trojan Attack (PDF) - US CERT
     Unexplained computer behavior may be caused by deceptive software - Microsoft
     Malware Removal and Prevention - CastleCops
     Step by Step Malware Removal Guides - Google

     Try and run one of the many online virus scanners to identify (if not remove) the threat you have. Once you have it identified, it becomes much easier to discover a guide or even a tool that will help you remove it. HiJackThis and the many forums that help analyze the logs and guide users through removal and repair can also be of great help. Make sure and secure yourself once you've gotten rid of the problem, however you choose to do so. Make sure and always apply the latest patches for your OS and any other software you run, and use both a software and hardware firewall. Download or purchase an anti-virus and keep it up to date and scan your system at least once a week, as well as one or more of the spy/ad/malware and rootkit solutions. Finally, take great precaution in what you download off the internet and through email. Here are a few more helpful links for that:

     Secure XP
     Basic Home Computer Security
     Home Network Security

     Good luck!
  11. You may want to try the Google Webmaster Center and tools section, if you haven't already.
  12. I notice this a lot as well. It's clearly a way to get around automated spam reporting tools such as SpamCop. I have also read that one well known spammer, Alex Polyakov, blocks Ironport's servers to prevent them from looking up domain names, thus blocking reporting of his spam sites. I have also heard that When that occurs I will report the message to CastleCop's SIRT tool.
  13. You might go ask this question at TheCarPCStore - Kill Spammers Forum that has a lot of members that are keen on this type of thing and can probably help you better find what you're looking for.
  14. I don't remember SORBS being a BL option, but I did have some back and forth with a few of you (I can pull up the thread if necessary) about it, and as I recall, SORBS is pretty slow just when trying to look up something through its web-based lookup tool, so I believe one of the assumptions was that it, along with some of the other DNS/RBLs, might be too slow and that's the reason that emails (which, in some cases, have IPs that are listed in one or more of the BLs enabled) get skipped by them. That's one of the reasons I have both the CBL and SpamHaus's XBL enabled, even though that is technically redundant.
  15. www.mailtester.com Does a test similar to the one Farelf performed. Some mail hosts won't return any answer (such as Yahoo), but when others reply I have found it to be quite accurate.
  16. Seems slightly odd that the website would still be up if no one is maintaining it. I did look at the WHOIS data from www.whois.us. I checked the email address listed there, and it is still valid. No mention of it on dnsbl.com.
  17. Alright, I've been using the greylisting feature for about a week now and it's working very well. However, I would like to make a couple suggestions:

     1) Change the Manage Greylist pages, for both pending and rejected, to have the list sorted by date - preferably received, but at least one or the other because it's hard to manage, especially the rejected page, since the messages don't seem to be in any discernible order from what I can tell. This would make it much easier to organize the list by pages and tell what day you're on and see if you need to approve any emails that were rejected.

     2) One other thing I would like to see for either of the greylist management pages is the subject line of the email if that is possible. I realize that the object is not to download the entire mail to prevent the mail system from consuming resources, but the subject line would be very helpful in determining if the email may or may not be legit in case we don't know the sender, and since the IP address doesn't help very much in this instance either.

     3) I think it would also be very helpful to incorporate a whitelist button within the Horde Inbox console, like there is for the Held Mail console. This way a user can whitelist email addresses permanently that might have gotten stuck in the graylist, and not have to go to the options, SpamCop tools, etc. every time a user needs to add to the list.

     That's all for now. Keep up the great work!
  18. Despite all the forum policies and politics about where this topic should be placed (which is really irrelevant, IMO), I completely agree w/ David that adding SH Zen would be a great benefit to the SpamCop email. There are a few other BLs I can think of I would like to add, but I would definitely put Zen at #1. That would also allow the removal of the SpamCop SBL, XBL and technically the CBL since it pulls its info from the XBL. In fact, SpamHaus themselves, at the website linked above, say:
  19. Yeah, I highly recommend the greylisting feature. I've had it on for about 3 days now and it's working great. I went from having 20+ spams an hour to having maybe 1-2. Read through the thread David linked to, and the Wikipedia article which gives a very good simple overview of how it works.
  20. The broadcast was fairly good and touched on a couple applications he mentioned that can be used to monitor network traffic. I haven't used the ones he mentioned (except Cain and Abel, available at www.oxid.it, which he didn't mention). There is a freeware packet sniffer called Wireshark that has the same features as the ones he referred to, although it is more complex and takes some time to set up and learn. However, a novice admin can have some trouble figuring out the different protocols and what should and shouldn't be going on on a network for that matter.

     I also wanted to mention insecure.org's Top 100 security tools, most of which are freeware. insecure is the group that makes the nmap port scanning tool, which works very well for network vulnerability testing as well, although it uses a command line interface. Some of the software they have listed are intrusion detection systems, network vulnerability testers, and things along those lines. This whole category might make for a good section to add to the wiki for admins who don't know how to determine what's wrong with their network if they're ending up on blacklists and what-not, but it all depends on the skill and education level of that admin to know where to start with the subject matter.

     Another set of security tools I thought I would bring up (some of which contain the tools listed in the top 100 above) are some very simple firewall systems that can be loaded on low end PCs and used to protect a network, at varying degrees of success depending upon the size of it. Basically, these are prepackaged firewalls loaded into *nix OS builds that can be dropped into a machine and configured to filter out certain protocols, scan for viruses, encrypt traffic, etc.

     Astaro Security Gateway - free for home & non-corporate users
     IPCop - Info
     Smooth Wall Express - Info
     m0n0wall - Info
     pfSense - Info
     Firestarter

     More info about these can be found on other sites around the net.
  21. Is the triplet combination saved permanently once it has been resent and bypasses the graylist, or is there a time frame when this information expires and has to be passed through the graylist again? Or to put it another way, does the graylist have its own internal whitelist (separate from a user's personal whitelist) for the triplet information and, if so, does the information in that whitelist ever come off it for whatever reason?

     My second question may have already been answered. In the Graylist pending entries under Options->SpamCop Tools, I see there is a button where you can "Allow Checked Entries". If you select a pending email and hit this button, will the email come directly into your Inbox (or other folder) or will this only allow it to be received once it is resent by the other mail server? I see under Rejected Entries it mentions that the emails listed there are "Unrecoverable".

     To be completely clear on how the graylisting feature works, does SC's SMTP server just check the triplet and send a bounce, or does it fully receive the message, then check the triplet and bounce if it isn't recognized? I presume the latter option would be better suited for the users in a case where a legitimate email message were fully rejected, then the user could still view the message. For users of this type, the rejected email(s) could be set to automatically be deleted after a set time period in the scenario I mentioned above. If that kind of implementation is possible, I think it would be helpful in making graylisting more suitable for everyone - emails wouldn't be lost (unless they are not checked) and they still wouldn't show up in the mail folders.

     Finally, since graylisting bounces spam messages, would it work in the same vein as MailWasher in that since the email bounced, *some* spammers would automatically purge the address from their list? Or is the bounce message not of the same ilk that would be used to remove an address from a list?

     Graylisting kind of strikes me as similar to the Telezapper or anonymous call blocker for defeating telemarketing calls - it will block out many telemarketers but also stop some legitimate calls from coming through.
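The questions in the post above (whether a triplet stays whitelisted, whether that entry ever expires, and whether the server receives the message before rejecting it) are easiest to answer against a concrete model of the technique. The following is an added example of a textbook greylisting policy in Python; it is not SpamCop's code and says nothing about SpamCop's actual settings. It tracks the triplet (client IP, envelope sender, recipient), issues a temporary SMTP rejection (451) at envelope time, so no message body is ever received or bounced, and keeps a separate auto-whitelist for triplets that retried correctly. The delay and expiry constants, the IP addresses (from the documentation ranges) and the delivery sequence in `demo()` are constructed assumptions.

```python
# Constructed policy values (assumptions for this example, not SpamCop's):
MIN_DELAY = 300                  # seconds a sender must wait before a retry is accepted
PENDING_TTL = 4 * 3600           # forget a pending triplet that is never retried
WHITELIST_TTL = 36 * 24 * 3600   # drop an auto-whitelisted triplet after 36 idle days


class Greylist:
    """Toy greylisting policy. The caller supplies the current time as an integer
    number of seconds so runs are deterministic; a real MTA would use the clock."""

    def __init__(self):
        self.pending = {}    # triplet -> time first seen
        self.whitelist = {}  # triplet -> time last accepted

    @staticmethod
    def triplet(client_ip, sender, recipient):
        # Addresses are compared case-insensitively; the IP is used as given.
        return (client_ip, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Decide at RCPT TO time. Returns (smtp_code, reason).
        451 is a temporary rejection: the DATA phase never happens, so there is
        no stored message and no bounce; a real MTA retries, most spamware does not."""
        key = self.triplet(client_ip, sender, recipient)

        last = self.whitelist.get(key)
        if last is not None:
            if now - last <= WHITELIST_TTL:
                self.whitelist[key] = now        # activity keeps the entry alive
                return 250, "accepted: triplet on auto-whitelist"
            del self.whitelist[key]              # idle too long: entry expires

        first = self.pending.get(key)
        if first is None or now - first > PENDING_TTL:
            self.pending[key] = now              # new (or stale) triplet: start the clock
            return 451, "greylisted: try again later"
        if now - first < MIN_DELAY:
            return 451, "greylisted: retried too soon"

        del self.pending[key]                    # retried after the delay: promote it
        self.whitelist[key] = now
        return 250, "accepted: retry after delay, triplet auto-whitelisted"


def demo():
    """Constructed sequence of delivery attempts; returns the SMTP codes issued."""
    gl = Greylist()
    legit = ("192.0.2.10", "alice@example.test", "bob@example.test")
    spam = ("198.51.100.7", "win@example.test", "bob@example.test")
    events = [
        (legit, 0),                        # 451: first contact
        (legit, 60),                       # 451: retried before MIN_DELAY
        (legit, 600),                      # 250: proper retry, triplet whitelisted
        (legit, 700),                      # 250: next message passes immediately
        (spam, 0),                         # 451: one-shot spamware never retries
        (spam, 5 * 3600),                  # 451: back after PENDING_TTL, starts over
        (legit, 700 + WHITELIST_TTL + 1),  # 451: whitelist entry expired, greylisted again
    ]
    return [gl.check(*who, now)[0] for who, now in events]


if __name__ == "__main__":
    print(demo())
```

Whether the auto-whitelist expires at all, and after how long, is an implementation choice; the model above expires idle entries and refreshes them on every accepted message, which is the usual compromise between not re-delaying regular correspondents and not whitelisting a triplet forever.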
  22. Are you getting the "internal error" when you are trying to install XP or just during normal computer usage? Are you trying to reinstall Windows XP over top of your old copy? If so, I'd say don't bother. This used to be a technique for older versions of Windows, but with XP or newer it's not really necessary. One alternative you can try to reload some of the system's original files is the system file checker, which will (normally) ask for the XP CD and recreate somewhat of an original state. There are other things you can try, but I'd have to ask why you are doing it and what is your intended end result? If you would like to try kamaraju's suggestion, I would recommend downloading a copy of PCLinuxOS, which is an extremely simple Linux distribution that you can download as an ISO file and burn to a CD. Then, you can boot directly from it and it is completely functional w/o having to install anything on your HDD. It comes with all the software you would need to do just about anything and doesn't require any (or very little) experience with Linux. If you decide you want to install it, it has a function to create a dual boot so you can use XP and Linux. It also makes for a good emergency CD if you have a crash and have to get some work done.
  23. I received a signed PGP email yesterday from Microsoft (security bulletin) and I noticed that when I opened it in Webmail, I got the following messages:

     The message below has been digitally signed via PGP.
     Public PGP keyserver support has been disabled.

     So, I checked my PGP Options and have enabled:

     Enable PGP functionality? Yes
     Should the body of text/plain messages be scanned for PGP data? Yes

     I have it disabled to send my key out with all messages, but that's probably not relevant to this discussion anyway. I also have my 1024bit keyring uploaded to the server with the proper fields filled in (as far as I can tell). When I first checked these options, it said I needed to be on a secure connection, so I logged out and logged back in to the Webmail using SSL and now that warning is gone. I also see the following message: So, I also set to allow all popups from spamcop.net in my browser. However, I still see that error message. Here are the message headers and footers (body truncated for reading and space sake, and my email username changed to ROT13):

     Return-Path: <microsoft[at]newsletters.microsoft.com>
     Delivered-To: spamcop-net-wbatebfr[at]spamcop.net
     Received: (qmail 14564 invoked from network); 11 Oct 2007 03:32:25 -0000
     X-spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on blade6
     X-spam-Level:
     X-spam-Status: hits=-100.0 tests=USER_IN_WHITELIST version=3.2.3
     Received: from unknown ( by blade6.cesmail.net with QMQP; 11 Oct 2007 03:32:25 -0000
     Received: from delivery.pens.microsoft.com ( by mx70.cesmail.net with SMTP; 11 Oct 2007 03:32:25 -0000
     Received: from TK2MSFTDDSQ16 ([]) by delivery.pens.microsoft.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 10 Oct 2007 20:32:25 -0700
     Thread-Topic: Microsoft Security Bulletin Re-Release
     thread-index: AcgLt1dE7wxtspNHRLmbQElvda1fPA==
     Reply-To: "Microsoft" <10_88023_D2SYrRQglO43O8S+yVtQcQ[at]newsletters.microsoft.com>
     From: "Microsoft" <Microsoft[at]newsletters.microsoft.com>
     To: <wbatebfr[at]spamcop.net>
     Subject: Microsoft Security Bulletin Re-Release
     Date: Wed, 10 Oct 2007 20:32:25 -0700
     Message-ID: <2510101c80bb7$57448c50$17f9280a[at]phx.gbl>
     MIME-Version: 1.0
     Content-Type: text/plain; charset="iso-8859-1"
     Content-Transfer-Encoding: 7bit
     X-Mailer: Microsoft CDO for Windows 2000
     Content-Class: urn:content-classes:message
     Importance: normal
     Priority: normal
     X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
     Return-Path: Microsoft[at]newsletters.microsoft.com
     X-OriginalArrivalTime: 11 Oct 2007 03:32:25.0339 (UTC) FILETIME=[5767A4B0:01C80BB7]
     X-SpamCop-Checked:

     -----BEGIN PGP SIGNED MESSAGE-----
     Hash: SHA1

     ********************************************************************
     Title: Microsoft Security Bulletin Re-Release
     Issued: October 10, 2007
     ********************************************************************
     ......
     -----BEGIN PGP SIGNATURE-----
     Version: PGP 8.1

     iQIVAwUBRw1rnolDklrxMhdPAQIRQRAArfla72YN7T6vbq5ywUJsjhlA3v7g6gMn
     BbZNS0npqxXT1ypwpBqh5zYN2pkfhudF1upTDtyHvh2UcHME+yCTc+FEfPg53K7d
     ljy6hZ0khTjH2Lx1gTZPUGd9YkkOOvOgan0Cm+P4aDMMS1t+aVxuveSEGl2m8OG6
     UH4Dg8HRt2Ot+UxqGGksahV4+x8QSuQ7h9XpZwZuJ3kVCM2mFnmq/+TLIrZj4rV7
     Z0WoO0NYrCi678piJeqVtKlqYyugSwFUps7j94yLCtz1DTb8GekFa/Eb7XwB+VVb
     WlK3DWt9p/Zi63ljkQSN/oQlvyI9lmnRZjABH9jmB44NVL4YUajVDA2Wc3JoCirq
     8zdkrp0rmoNGlrWrtygoZH8t8vaR1fEmWWTOSHQFm8VG2n6SvBqW3bYAe19uEZ1w
     gukNy03HOJMe704nKI/UgmtHKg8Y3LsjyDv0fF0eRQ6U11D0McAcc+O0rkGGxNLS
     ymWrugQZ6WyE0qCBuCdTyQZw3ysRKCSo/kbHRuPv2mjm2NNaQH4N47gq4TS/nHh6
     XraVb1lK+cLBOwB/H+PF2sw+iZMDUeVIG7dZGgq+ryckgiK+sNf3zWuCgRsIvt3+
     4evk4lYahfYl0vMUgQoH/rTUWlTGezSjs3kGEOOFVv5Ai/n5bVSd2Bkf2Fs7XfF1
     f+Xu0UcRobs=
     =GbiE
     -----END PGP SIGNATURE-----

     To cancel your subscription to this newsletter, reply to this message with the word UNSUBSCRIBE in the Subject line. You can also unsubscribe at the Microsoft.com web site <http://www.microsoft.com/misc/unsubscribe.htm>. You can manage all your Microsoft.com communication preferences at this site.
     Legal Information <http://www.microsoft.com/info/legalinfo/default.mspx>. This newsletter was sent by the Microsoft Corporation 1 Microsoft Way Redmond, Washington, USA 98052

     Since there is no option to choose a keyring server under options, I presume this is something that must be defined in the server's configuration? If this is the case I'll shoot an email to support; otherwise, am I doing anything wrong on my end? Thanks in advance, Jon
  24. I've seen these types of spams before, but when reporting them to SC, I always see that it refuses to send a report to Google's abuse dept. Is this because Google doesn't want reports from spams that included Google pages where they turned out to be an innocent bystander? Google does have their own search result spam reporting page and a warning about rogue SEO companies, but I've never known exactly what to do when I see a UCE using IFL like the one mentioned.
  25. Maybe a bit slightly O/T from your post, but I thought I might mention it anyway. One addon I have found incredibly handy for IE7 is IE7Pro. It adds quite a bit of functionality to the browser and is freeware. The addition of customizable user scripts allows for endless customizations, which Opera has built in and Firefox has with the GreaseMonkey extension. Another program of a similar vein is Maxthon (previously MyIE2), which is sort of a browser built on top of IE (if that makes any sense) with a lot of additional features - including scripts & plugins as well, but stays true to the IE "feel". Although it's not technically an addon, it's a very nice platform, IMO. Finally, I wanted to mention MultipleIEs, an installer that allows an end-user to install multiple versions of IE on their system, meant to be used w/ IE7 installed as the main version, and then all prior versions, as early as IE3, can be installed and run without interfering with the others (although there still remains a single Control Panel module). It's especially helpful for webmasters to check and make sure your site is compatible in older versions of the browser - and if you're looking to install the old IE5 powertools, you should be able to do that also (although admittedly I haven't tried it).