Vanguard's Achievements


  1. I'm starting to suspect we got ourselves a troll here.
  2. I use SpamPal. It has a Bayesian plug-in so it will "learn" like you mention. It helps if you have a set of good e-mails and a set of spam mails to feed it as good and bad to preload your Bayes database; otherwise, you'll spend some time with it in learn mode weighting keywords in the e-mails you receive after installing and enabling it. Unlike other Bayesian filters which work alone and so can only base their judgement regarding spamminess on just the content of the e-mails, the SpamPal Bayesian plug-in can learn from SpamPal's blacklists and from the other plug-ins. This helps the Bayesian filter keep in sync as to what is spam because it has been identified as such using other methods than just a weighted database of words. It also has a Reclassify window that you can use to change the status of an e-mail from spam to good (false positive) or from good to spam (false negative) in case the spam got missed by everything else, including the Bayesian filter, or you consider it a false positive. Don't expect Bayesian filters to be some omnipotent spam catching mechanism. The technique is fallible. Some spam actually tries to poison the Bayesian filter (they look to be targeting the one in Outlook 2003 because the one in SpamPal has a configurable word expiry to eliminate the "noise" floor of its database). SpamPal also uses DNSBLs. Blacklists are its primary means of detecting spam. However, it is up to YOU to investigate how each blacklist works and what they list. SPEWS, for example, is not interested in providing a list of actual spammers. They are interested in penalizing ISPs by cutting a wide swath of their IP addresses; i.e., they rate the trustworthiness or spamminess of an ISP or e-mail provider rather than identify the spammers there. They rely on the victims at the spam-lazy or spam-friendly ISP that are getting notified that their e-mails are getting blocked by their recipients to complain to their ISP.
SPEWS wants to coerce the victims at the penalized domain to complain to that domain. Other blacklists are more focused at actually identifying the spammers, a task that is difficult because they keep moving. SPEWS and SORBS don't update their lists very frequently. When my IP lease expired and I got a new IP address from my ISP's IP pool, it was in SORBS' blacklist but the last update on whomever they thought was spamming from it was over 3 months old. SORBS was responsive and manually updated their records the next day, but obviously the 3-month old record (and other remarks about them) show that they are slow to update, so to a degree they are like SPEWS which is quick to add, cut a wide swath, and slow to update (but their intent is not to be current to identify spammers but to rate a domain regarding trust or spamminess). Investigate the blacklists you use. Another example is blacklisting by country. SpamPal lets me do that. I can blacklist e-mails that originate from certain countries. That doesn't mean all e-mails from those countries are spam. However, I do not correspond with any entity in those countries so any e-mails originating from there were unsolicited. SpamPal does have a Logfile plug-in that retains a text-only version of all spam-tagged e-mails. This lets you recover from a false positive. That way I can have my e-mail monitor (Magic Mail Monitor) where I can define rules that delete spam-tagged e-mails off my mail server without ever having to download them (make sure to test only on headers) but still have enough info in the logs to identify the sender should a false positive occur. Unfortunately the Logfile plug-in does not automatically expire the logfiles so I wrote a batch file that kills logfiles over a specified number of days old and then added it to Task Scheduler (and I gave a copy of the batch file to the plug-in author who has a link to download it from his site).
Another means of avoiding spam is to block any e-mails that originate from a mail server that has a dynamically assigned IP address. Dial-up and cable/DSL users have dynamic IP addresses. Their zombied hosts running a mailer trojan will spew out its spam but SpamPal's MXblock plug-in will see it came from a dynamic IP address and tag it as spam. I did edit the MXblock plug-in's config.dat file to specify the SpamHaus DUL (dynamic IP list) rather than use the outdated MXEasy list. It has worked many times to identify spam that came from zombied users. SpamPal has a RegEx plug-in if you want to define regular expressions which go far beyond what you can define using the rules in your e-mail client. SpamPal and its other plug-ins have been so successful at identifying spam that I have never needed to use the RegEx plug-in. The HTMLmodify plug-in not only makes HTML-formatted e-mails more safe (although your first defense should be using the Restricted Sites security zone set to its High level) but also detects spammy mails based on their HTML characteristics, like too many bogus HTML tags (spammers will hide their message inside an illegal tag because it won't get rendered and will show as e-mail but many filters will strip out any strings that look like HTML tags) and URL obfuscation (which it will de-obfuscate). The URLbody plug-in will identify spam based on a URL link within the body of the message that goes to a known (i.e., blacklisted) spam site. However, while it sounds nice, it can be somewhat aggressive. Like the Bayesian plug-in, the URLbody plug-in must download the entire message so it can look inside the body. If you want to eliminate spam then YOU will have to take action to do so. Stop relying on reporting the spam to the ISPs in some altruistic hope that those ISPs will be oh so ever responsive to those reports. The reports do help but my guess is that they put all of maybe a 10% dent in the volume of spam.
You'll need to be aggressive and use something more than complaints to avoid getting spam. With SpamPal, you get an entire suite of different methods to detect spam, and SpamPal is free. If you are looking only for one method to identify spam, say, Bayesian, then you could try SpamBayes. It runs as an Outlook plug-in but, I believe, it will also run as a proxy, like SpamPal, so any POP3/SMTP compliant e-mail client can use it. SpamPal has its own forums for support. Buy a commercial product if you have the need to call someone for support. But do something more than just report the spam. Whining about spam and bitching to ISPs and e-mail providers is not going to eliminate the spam in your Inbox. It will eliminate some. I report spam through SpamCop not only to bitch to the e-mail providers but also to update SpamCop's blacklist which gets used in SpamPal. Whether the e-mail providers use the SpamCop report or not, SpamCop's blacklist gets updated and I get the benefit of not getting more spam from that source (if there are enough reports about the spam source). Whining only works to a small degree, so choose to control what gets delivered in the first place.
  3. Reporting the spams to the ISPs (actually the e-mail providers) only gives them the opportunity, if they have the desire, to clean up their service to keep them from eventually getting blacklisted. Whether or not they clean up their e-mail service doesn't prevent you from using the DNSBLs (DNS blacklists) to block spam, so you and others reporting spam will update the blacklists of known spam sources and using those blacklists will eliminate getting more spam from those identified spam sources. You can report all you want but don't rely on e-mail providers being nice. If you don't report bad food or service to the restaurant manager, they won't know there is a problem or its severity. Even when you do report the problem, it's still their choice whether or not they do anything about it. If you use SpamCop then you should also be implementing DNSBLs to avoid getting the spam. If you don't want to pay SpamCop for their spam-free e-mail service, you could use SpamPal or Mailwasher to use the DNSBLs to avoid the spam. What's the point of reporting spam when you already know the e-mail providers are likely to ignore the problem or won't address the problem immediately? To reflect their spamminess in a blacklist that you actually USE. Many blacklists don't even bother notifying the e-mail providers of the spam but just update their blacklist with every spam report or with their automated spam detection methods. Some e-mail providers do use the spam reports whether they come from SpamCop or directly from you. Some don't. Are you going to rely on the niceness of e-mail providers to eliminate spam from your mailbox? Get real. Will a burglar stop taking your stuff while you simply nag at them to stop it? You lock your doors and maybe even bar your windows, and that is what USING the blacklist(s) provides to you.
  4. Turns out the e-mail address in the submitted message was invalid but I had changed it, or so I thought. I had decided not to bother specifying an e-mail address for newsgroup posts. I wanted to keep all replies in the newsgroup and prevent anyone from disconnecting it via e-mail (i.e., share with others or don't bother to post). I would no longer bother to maintain an e-mail account for newsgroup replies since I don't want and will no longer accept e-mails for newsgroup discussions. An e-mail account is not mandatory to actually use NNTP. The e-mail address will be fake or munged. Since I wasn't going to maintain an e-mail account that might allow for disconnecting the discussion via e-mail, there would be no point in munging an e-mail address. Instead the e-mail address would be fake. What is the difference between a fake e-mail address (to which you cannot send e-mail) and no e-mail address (so, again, you cannot send e-mail)? One difference is that the potential respondent might send off the e-mail to the fake e-mail address, if permitted, and not realize why there was no response. However, trying to send to an invalid e-mail address would immediately alert the user that was impossible, so it would prod the user to put their reply back in the thread in the newsgroup. Another difference is RFC compliance, but NNTP doesn't actually go through an e-mail account so an e-mail account was and is never actually required, and we already know that many of the RFCs are outdated and don't reflect current real-world conditions. As a result, and after deleting the e-mail account previously assigned for any newsgroup replies sent via e-mail (which I didn't want and rarely received), I configured my news accounts to *not* specify an e-mail address. I've done that before with other NNTP servers, like my old ATT/Comcast NNTP server (now defunct) and with Giganews and Microsoft that I use now.
It was several days later that I then attempted to post to the SpamCop NNTP when it complained about the From header. When trying to figure out what it got that it was complaining about, and because I was used to other NNTP servers accepting my values, I just didn't hit on what to look at last night (I was exhausted and got stuck focusing on why *that* message generated the "441 invalid From syntax" error). After some sleep and some coffee, I did what I should've done last night: look in raw mode to see what it was that I was sending since the troubleshooting logfile didn't tell me and the error message sent back from the SpamCop NNTP server didn't mention what value it got that it was complaining about. The problem was ... (drumroll) ... the copy of the message in the Outbox is static. That is, once composed and moved into the Outbox, any changes to your accounts are not reflected in your pending outbound messages. I had sent the message so it was in my Outbox, the send got rejected, and it sat in my Outbox. I changed my settings according to SpamCop's complaint but that didn't resolve the problem because messages in the Outbox don't get updated. Messages in your Drafts folder will get updated if you change your account settings before sending those messages. However, messages in the Outbox are static: their headers remain fixed to whatever were the settings in your account at the time you composed the message (rather than add or update those headers to match your account settings during the SMTP or NNTP session). So, yeah, I was changing to a validly syntaxed e-mail address in my account settings but that did nothing to update the message sitting in my Outbox. Argh! Time to add something stronger to my coffee. A test this morning clued me in. I sent a new post and it worked because there was a validly syntaxed From header used in the message. 
Then it dawned on me to use raw mode to look inside the message rather than rely on looking at what the UI presented to me. Seeing "Vanguard" in the From header shown in the UI version of the message doesn't help because that is what I always see (it doesn't show the e-mail address, only the name that I use to identify myself). Silly me for thinking the application would use whatever values were currently configured for an account when I send a message. The way to get around the problem is to reopen the message in the Outbox and then send it. Opening it makes it sync up with the new settings because there is an implicit Save operation which causes an update to the message to reflect the current account settings; i.e., an implicit Save after opening and resending (or a manual Save followed by a resend) gets the current account settings used in that message's headers.
Server: Your From header isn't a valid e-mail address.
Me: Okay, so I'll change it just for special little you. Here it is again.
Server: Your From header isn't a valid e-mail address.
Me: Yes, it is.
Server: No, it isn't.
Me: Okay, then try this one which is valid.
Server: Nope, won't take that one, either.
Me: What?! Well, how about this one? Others say they can use it.
Server: Nope, don't care, yours is invalid.
Me: But it works for others.
Server: Don't care. Not valid.
Me: What the fu..?!
Server: I don't do requests, and you're not my type, anyway.
Me: (Get some sleep.)
Me: (Next morning, send a *new* message.)
Server: That one has a valid From header.
Me: But it's the same one for the other message.
Server: Nope, but I'm still not going to tell you what *is* the value that I don't like.
Me: But the From header does have a ... hmm, wait a minute ... what if ... (looks in raw mode)
Me: Hey, that still has the original invalid e-mail address that I changed. What gives?
Me: (Opens old message and resends it okay.)
Me: Huh, now that From header that was invalid before is okay now?
Server: Well, what you sent now is okay.
Me: (Do a couple more tests.)
Me: Okay, looks like the old message still had the old bad value. It updated when I *opened* it again instead of just resending it.
Server: See, I was right. User error.
Me: Oh, shut up! You're the only one that bitched in the first place. No one else complains.
Now you know why I felt like I was on the wrong end of a comedy skit.
  5. Okay, now it gets strange. When trying to submit my prior reply post, SpamCop's NNTP server would spew back its 441 error saying it didn't like my From header. So I tried replying to another post and that one got accepted. Huh? It didn't like my From header before (or now) for replying to that other message, but my From header is okay when replying to a different message?
  6. I just tried "vanguard[at]nixnntp.com" (after first checking that nixnntp.com was not a registered domain so it couldn't be in use somewhere) and it still didn't like that one. I don't want to use a registered domain because I'm not interested in energizing spam at some innocent. The line from the troubleshooting log that says:
NNTP: 20:17:31 [rx] 441 From: address not in Internet syntax
The "[rx]" means that status line was *received* from the news.spamcop.net server. So it was the NNTP server that rejected the From header's value. Right now it is rejecting whatever I put in that header. Since the value of the From header can be seen whenever I post to other NNTP servers, I know that what I am specifying in OE for the From header (for the Name and E-mail address fields in the account definition) is getting sent to the NNTP server. By seeing my posts sent to the other NNTP servers, I can see what the value was in the From header that it got from my NNTP client. Since Spamcop's message doesn't specify what it got for the From header that it is complaining about, I cannot guarantee what value it received. However, since it works for all the other NNTP servers then the finger pointing is directed at the SpamCop server. I don't know why you could get it to work, especially since you did not use the "recommended" fake e-mail address (I was thinking that maybe someone screwed up and was forcing everyone to use the same fake one, but not even a legit one got accepted). However, you did post to a different group than I am trying to use. It would seem weird and silly that the NNTP server would have one set of rules regarding the From header depending on which group the message got posted into. -- UPDATE -- Oops. See that you simply *found* a post from earlier today that was from someone using nobody[at]nowhere.invalid.
My last post was back on the 20th so all I could claim is that something changed since then and when I tried posting about an hour ago (and ever since then). So maybe the "change" occurred sometime after 5PM today (which was for the post that you noted).
  7. That should be considered ONLY a suggestion. It would be utterly stupid for every poster to use the same e-mail address in the From header. Why? Well, say you have a puerile malcontent that wants to troll or flame in the groups provided by the SpamCop NNTP poster. How can you killfile (plonk) that poster if he/she uses the same e-mail as everyone else? What a wonderful concept. Have everyone use the same e-mail address to render completely unusable the ability to killfile any undesirable posters, or killfile the one troll and end up killfiling everyone (so why bother visiting the group if you're not going to see anyone's posts?). Why do posters [hopefully] use different monikers to identify themselves when they post? So you get used to who is posting and can differentiate who is submitting the post and who is replying to it. The e-mail address should also be unique (but munged) *if* it is supplied at all. If you have absolutely no desire to disconnect the conversation by taking it offline via e-mail then why even bother providing a munged e-mail address? Yeah, some NNTP servers still require something in the From header but then you end up just putting in a completely bogus e-mail address or one that directs to a null service (so obviously there was no point in providing an e-mail address in the first place). If you do want to provide an e-mail address as an additional part of your identity then you should be able to munge your e-mail address, and using the .invalid TLD is perfectly legitimate not only for munging but as the e-mail value in the From header. Telling every poster to use the same e-mail address is stupid. It is more likely that posters (that use e-mail values) will have different e-mail addresses than they are to have different monikers. In fact, the ploy of a malcontent is to impersonate someone else by using their moniker AND their e-mail address, so when someone plonks them then they also plonk the impersonated user.
Also, the fact remains that something has changed. If you look at my prior posts to the spamcop group on the news.spamcop.net server, I used "vanguard[at]domain.invalid". Obviously that was accepted because my posts are there. Something has recently changed that won't accept that or any other validly syntaxed e-mail address. I even tried vanguard[at]example.com and it won't accept that one, either! And to add, using a valid domain that then sinks e-mails sent to that hostname still wastes resources at the receiving mail server. I munge the domain to deliberately specify a domain that doesn't exist. That way, the sending mail server can't even connect to a receiving mail server. It dies immediately when trying to send, not sometime later after sending and the receiving mail server has to waste CPU cycles and resources to auto-delete or reject it on delivery.
  8. I've been using the news.spamcop.net NNTP server for awhile. I didn't need to specify an e-mail address, especially since I never take any discussions offline to disconnect them from other group participants. There's no point to specify an e-mail address or even require one since everyone knows that it will be bogus to avoid the spambots from harvesting them. Even SpamCop's own help pages regarding the forum says to use a bogus e-mail address. When I attempt to submit a post, the news server now looks for a validly syntaxed e-mail address in the From header. Okay, so why won't it accept one? Currently I am using "reply2group[at]email.invalid" but only for those NNTP servers that demand that there be something in the From header. That *is* a validly syntaxed e-mail address. If SpamCop's news server won't accept .invalid as a top-level domain then it is screwed up. One of the easiest ways to munge an e-mail address is to use .invalid or example.com. So why the recent change in the server's handling of the From header and why won't it take validly syntaxed e-mail addresses? I get the following error message from OE:
Outlook Express could not post your message. Subject '<subjectheader>', Account: 'Newsgroups - Spamcop', Server: 'news.spamcop.net', Protocol: NNTP, Server Response: '441 From: address not in Internet syntax', Port: 119, Secure(SSL): No, Server Error: 441, Error Number: 0x800CCCA9
I enabled the OE troubleshooting log (shown below) but it didn't provide any more details regarding why the Spamcop NNTP server is bitching about the From header's value.
Microsoft Internet Messaging API 6.00.2900.2527 (xpsp_sp2_gdr.040919-1056)
NNTP Log started at 05/25/2005 20:17:30
NNTP: 20:17:30 [db] Connecting to 'news.spamcop.net' on port 119.
NNTP: 20:17:30 [rx] 200 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (posting ok).
NNTP: 20:17:30 [tx] MODE READER
NNTP: 20:17:30 [rx] 200 news.spamcop.net InterNetNews NNRP server INN 2.3.2 ready (posting ok).
NNTP: 20:17:30 [tx] POST
NNTP: 20:17:30 [rx] 340 Ok, recommended ID <d7383a$u1m$1[at]news.spamcop.net>
NNTP: 20:17:30 [tx] .
NNTP: 20:17:31 [rx] 441 From: address not in Internet syntax
NNTP: 20:17:31 [db] Connection to 'news.spamcop.net' closed.
Something changed (and the change was wrong). I've tried several e-mail addresses (none of which are my own but all of which use valid e-mail syntax) and I get the same error. I don't have the problem with any of the other NNTP servers that I use (Giganews' and Microsoft's), and this just was noticed today. Well, the last time that I tried to post was back on the 20th so it could've happened anytime in the last 5 days for this particular NNTP server. I can read but I just cannot post, and the error is bogus since the syntax is valid for the e-mail address in the From header.
  9. I got a reply from Ellen (via e-mail) and from SpamCop Admin (also via e-mail). The problem was from several contributing factors:
- The cookie login takes me into whichever account was last used. I typically login under account #1 and the cookie relogs me back into that account when I click on the link in the "accept" SpamPal reply after sending the spam report to SpamCop.
- The spam reported from Outlook Express used the submit.<id>[at]spamcop.net e-mail address for my account #2. The Past Reports list records spam based on which SpamCop account the report got sent to (by the submit.<id>[at]spamcop.net e-mail address), not according to the account you log in under to complete the submission. So I sent to my submit e-mail address for account #2 but was logging on under account #1 to complete the submission. If I had logged out and back in under account #2 then I would've seen my recent reports submitted to account #2.
- To further exacerbate the problem, I had an old and defunct SpamCop account #1 registered for my personal e-mail address. However, the account under which I was logging in and the one for the submit.<id>[at]spamcop.net e-mail address to which I was sending spam reports was for a newer account. At some point, I must've abandoned my old account and had to create a new one. The help tells users to create a new SpamCop account rather than try to get the admins to reset the password, so maybe that is what happened. Both the old and new accounts had the same e-mail address listed but had different submit.<id>[at]spamcop.net e-mail addresses for reporting spam. Luckily I was using the submit e-mail address for my newest SpamCop account with that same registered e-mail address. I thought I would need a separate SpamCop account for each e-mail address but that is not correct. My mistake was thinking the "accept" replies from SpamCop after sending them a spam report would get sent to the e-mail address specified in my Preferences setting.
Nope, those "accept" e-mails get sent back to whatever e-mail address sent the spam report in the first place. I was thinking that I would need multiple SpamCop accounts to ensure those "accept" messages got sent back to the proper e-mail account that was managed by the same e-mail client that handles the account from which the spam got reported. I use Outlook for one group of my e-mail accounts (personal and work) and I use Outlook Express for another group of my e-mail accounts (forums and newsgroups). Because the "accept" reply goes back to whatever e-mail address was used to send that report, it will show up in the appropriate e-mail client. I also wasn't used to performing tasks which should be going through an account without actually being logged in under that account. That is, when you send a spam report to SpamCop to your account #2, you can be logged in under your account #1, or anyone's account, or not even logged in to complete the submission. I wasn't used to this lack of security. Apparently this has not yet been a security issue. As an aside to this discussion, I remember reading in the registration e-mail or in the help that I should keep private my submit.<id>[at]spamcop.net e-mail address to which I send spam reports. Presumably anyone could send messages to that e-mail address and potentially cause problems or deliberate abuse. Although I can use one SpamCop account to send spam reports from multiple e-mail accounts of mine, so can anyone else. I would think for security that users would be required to list from which e-mail addresses their account will accept spam reports. When the user adds an e-mail address to their Preferences (which requires logging in), a confirmation e-mail gets sent back to complete the addition of that e-mail address.
That way, anyone getting your submit.<id>[at]spamcop.net e-mail address cannot abuse or usurp it because the "accept" replies from SpamCop would still be getting sent back to the real user's authenticated account(s). To summarize: Issue with Past Reports has been resolved and found to be the typical source of problems: user error (more colorful expressions also apply).
  10. Yeah, I wasn't sure if posting here (on *how* to report) was an appropriate place to report problems with the service. So I'll go hunting for an "upstream" contact to report the issue. Thanks anyway.
  11. When I send the attached spam via e-mail, I'm "requesting to submit" the report (as obviously I cannot force SpamCop to do anything regarding my e-mail sent to them). When I get the reply e-mail with the link, click on it, and okay that report, I'm "completing the submit". "Sent" could simply be that I sent them the attached spam in an e-mail which was the first step for "requesting to submit", so "sent" isn't a complete and accurate term, either. I really didn't want to bother saying that I "requested a submit and then completed the submission", and instead used "submit" to refer to the entire process. I have sent spam as attachments to SpamCop. SpamCop then sent me a reply e-mail with the link to their parser web form. I then completed that submission so the report would get filed and SpamCop's version of the spam reports get sent to the selected recipients. So what do YOU call that entire process without having to use a long descriptive paragraph? And why would "sent" be any better than "submit"? Sent just means I sent the spam to SpamCop. "Submit" sounds like something further in the process than just "sent". "Send" doesn't differentiate between me first sending the spam to SpamCop or when I click the "Send" button in their web form. If you look at the web form after clicking on the reply e-mail from SpamCop (with a Subject of "SpamCop has accepted 1 email for processing") which shows the parsing, look at the HTML on that page. You will see the button titled "Send spam Report(s) Now" is: <input type="submit" value="Send spam Report(s) Now"> So saying that I submitted the spam report is accurate since that is what I did by using that control in that web form. The text for the input control can be anything, even "File this report and send copies of it to the selected recipients" but that doesn't change that the action taken was a submit.
So now that we've wasted time arguing over terminology, why isn't my Past Reports list getting updated for spam reports from the last week that have been submitted, sent, filed, recorded, or whatever you want to call it? Rather than this forum, is there a more appropriate contact that I should notify regarding this problem?
  12. Yep. I didn't remember the report ID and so I just clicked on the link to view recent reports. The most "recent" report listed is over 8 days ago.
  13. When looking under the Past Reports tab, the last report shown as submitted is dated back on May 12. Yet I've submitted reports once, or more, per day since then. Why isn't this list getting updated? I went there because I wanted to check on an IP address for a just submitted report but that list is too old.
  14. I didn't see Ellen's or your posts in the newsgroup because I had plonked a couple of other posters that used "nobody[at]" as their e-mail address (with the same domains as you and Ellen). It was because I saw Mike Easter quote your post but I couldn't see your post that I figured my rules were deleting some posts that I did want to see. So I reset the group to re-retrieve the message headers and, voila, there were Ellen's and your posts. I tried ping and it tried pinging on the domain portion *before* the ampersand. I used dnsstuff.com's deobfuscator and it parsed up to the ampersand to return the first part of the URL before the ampersand. Then I tried SamSpade for Windows with the full URL and it came back with a location of the full domain portion with just the ampersand stripped out. So I wasn't sure what to believe at that point as to what was the correct domain to be reported for the spamvertiser link. I wanted to make sure not to irritate someone that wasn't involved in delivering the spam. Guess I need to find better deobfuscator tools that take into account deliberately bad syntax. Several of them that I tried would just bitch back to me that the syntax was invalid. Well, yeah, I knew that but I wanted to find out what would get used anyway, if it got used at all. Thanks for the help all, especially Ellen.
  15. See http://www.spamcop.net/sc?id=z763127086z16...4f27973158fac1z for my spam report. Notice it says no links were found in the body of the e-mail. Yet there is a link: <A href="http://ntoslal.net&sxwgzihurfngdush5utq4x.bramiadcjlj.com/"> Does SpamCop's parser have a problem of knowing to terminate the parsing at the first illegal character used in the domain portion of the URL? Isn't the URL pointing to ntoslal.net (which is what the deobfuscators say it is), or is it bramiadcjlj.com? I know that I can specify either http://support.microsoft.com/?id=300698 as a URL to a Microsoft KB article but http://support.microsoft.com?id=300698 also works, so I figure the domain URL parsing stops at the first character that isn't allowed in a domain, and that would be the ampersand ("&") character. Even if the domain is no longer registered, shouldn't the parser note the domain from the URL (so you are reminded that there is a URL to a site within the body without having to view the entire message) and also note that there was no lookup on it at that time? I would've thought the first part of the domain portion of the URL would've been truncated at the "&" character and the first part used. But according to another SpamCop parse shown at http://www.spamcop.net/sc?id=z763048974zd6...1ea2ea24dbe1f9z, it trashes the first part before the "&" and uses the second half. The deobfuscators that I've used return the first part before the ampersand. In fact, a real easy deobfuscator is to simply use the ping.exe program. When I run: ping kwmsbgk.net&trjqauq2hnd6l2ipv2jgc5.bokarknjkjl.com it is trying to ping kwmsbgk.net. It seems SpamCop's parser is using the wrong portion of the obfuscated URL. As a result, SpamCop will be sending its spam reports to wrong recipients, something that I've heard accused of SpamCop.
For this particular spam report, I decided to deselect the Chinese contacts because they were based on the domain extracted from the URL but SpamCop used the wrong portion of that URL.
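The parsing disagreement described in the post above, as an added example (not SpamCop's parser or any of the tools the poster tried): a URL splitter keeps everything up to the first "/" as the host, so the "&" lands inside an illegal hostname, and the three guessing strategies the thread describes (truncate at the first illegal character, keep the last segment, strip the illegal characters) each yield a different domain. The hostnames are the ones quoted in the post; no DNS or network lookups are performed, and an abuse-report pipeline built this way withholds automatic attribution whenever the candidates disagree.

```python
import re
from urllib.parse import urlsplit

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
# at least two labels (a bare single-label name is not a reportable domain).
HOSTNAME_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z][A-Za-z0-9-]{1,62}$"
)
ILLEGAL_HOST_CHAR_RE = re.compile(r"[^A-Za-z0-9.\-]")


def raw_host(url):
    """The host exactly as a URL splitter sees it.  Per RFC 3986 the authority
    runs up to the first '/', '?' or '#', so an '&' and everything after it
    stay inside the host instead of terminating it."""
    return urlsplit(url).hostname or ""


def is_valid_hostname(host):
    return bool(HOSTNAME_RE.match(host))


def candidate_hosts(host):
    """The guesses the thread describes tools making when the host contains a
    character a hostname cannot hold, keyed by strategy.  Only syntactically
    valid guesses are kept; a host with no illegal character is returned as-is."""
    m = ILLEGAL_HOST_CHAR_RE.search(host)
    if not m:
        return {"exact": host}
    guesses = {
        # ping / the dnsstuff deobfuscator: stop at the first illegal character
        "truncate_at_first_illegal": host[: m.start()],
        # the parse the post attributes to SpamCop: keep the piece after the junk
        "keep_last_segment": ILLEGAL_HOST_CHAR_RE.split(host)[-1],
        # SamSpade: delete the illegal characters and glue the rest together
        "strip_illegal": ILLEGAL_HOST_CHAR_RE.sub("", host),
    }
    return {k: v for k, v in guesses.items() if is_valid_hostname(v)}


def analyze_spamvertised_url(url):
    """What an abuse-report pipeline should record for a URL found in a message
    body: the host as parsed, whether it is legal, every plausible host, and
    whether attribution is ambiguous (more than one distinct valid candidate).
    With several plausible owners the report goes to none of them automatically."""
    host = raw_host(url)
    cands = candidate_hosts(host)
    distinct = set(cands.values())
    return {
        "url": url,
        "parsed_host": host,
        "host_is_valid": is_valid_hostname(host),
        "candidates": cands,
        "ambiguous": len(distinct) > 1,
        "report_to": next(iter(distinct)) if len(distinct) == 1 else None,
    }


if __name__ == "__main__":
    # The obfuscated link from the spam and the KB URL used as the "normal" case.
    for u in (
        "http://ntoslal.net&sxwgzihurfngdush5utq4x.bramiadcjlj.com/",
        "http://support.microsoft.com?id=300698",
    ):
        print(analyze_spamvertised_url(u))
```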