
Belinn


  1. If this is fixed now, I'm really glad. But tomorrow the spammers will just mangle the html differently. How do I know this? Experience! Here's a message I emailed to spamcop two years ago:

     Hello,

     I have been a big fan of spamcop for a number of years, but there is a problem with your reporting process that is causing us tons of hassle. I really hope you can improve your parsing to deal with this, because it's threatening your credibility when 5 out of 6 reports we get are invalid.

     What I see happening is that some spammers are seeding their html with URLs of innocent third parties. It appears that they are using a dictionary word list as the source for these URLs. It may be possible for your software to parse them out as they do not appear ~significantly~ in the html when rendered, but only in the source to create a distraction to services such as yours.

     Thanks for your attention to this,
     xxxxx xxxxx

     ~~~samples below~~~

     [ SpamCop V1.3.4 ]
     This message is brief for your comfort. Please use links below for details.

     Spamvertised website: http://braziers.com
     http://braziers.com is 66.172.77.203; Tue, 30 Mar 2004 20:21:24 GMT
     http://www.spamcop.net/w3m?i=z838987395z44b23de335bbd217dbaf5e3decc5d60az

     [ Offending message ]
     Return-Path: <hydrothermalmeditative[at]worldnet.att.net>
     Delivered-To: x
     Received: from swdcma.org (adsl-65-66-119-129.dsl.rcsntx.swbell.net [65.66.119.129]) by marathon.simons-rock.edu (Postfix) with ESMTP id 780DD167F7 for <x>; Tue, 30 Mar 2004 14:52:39 -0500 (EST)
     Received: from scribbles ([200.217.144.206]) by swdcma.org with Microsoft SMTPSVC(6.0.3790.0); Tue, 30 Mar 2004 12:40:02 -0600
     From: "Beatriz Monson" <hydrothermalmeditative[at]worldnet.att.net>
     To: x
     Subject: C1A|LIS & LEV|1TRA : D0CTOR & FDA a'pprova1 !
     Mime-Version: 1.0
     Content-Type: text/html; charset=us-ascii
     Content-Transfer-Encoding: 7bit
     Message-ID: <SERV___________________be35[at]swdcma.org>
     X-OriginalArrivalTime: 30 Mar 2004 18:40:04.0187 (UTC) FILETIME=[6A86E2B0:01C41686]
     Date: 30 Mar 2004 12:40:04 -0600

     <html><body ><b><font color=#FF0000> VIA*GRA final1y found a t0ugh cOmpetIt0r -- C1AL|IS & LEV1|TRA! </font></b><br><br>
     <font color=#000033> <1> Overal1 erect1le functi0n <br>
     <2> Partners' s.atisfaction with s|exua1l Intercourse . <br>
     <3> s~atisfaction with the hardness of erect11e. <br>
     <4> DOCT0R & F_D_A a`pproved !</font>
     <p><font color=#FF0000><b>
     <a href=http://tells.destaine.com/at>YOUR S0lUTION 1s h~e~r~e</a><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><a href=http://ices.net>^</a><p><a href=http://braziers.com>*</a></p><a href=http://pocketing.org>-</a></b></font>
     </P>
     </BODY></HTML>
     0

     [ SpamCop V1.3.4 ]
     This message is brief for your comfort. Please use links below for details.

     Spamvertised website: http://scolds.com
     http://scolds.com is 66.172.68.186; Mon, 22 Mar 2004 09:01:47 GMT
     http://www.spamcop.net/w3m?i=z812170323zc47658abc4775df94801d65f703a9a68z

     [ Offending message ]
     Return-Path: <adaptivelyploys[at]ameritech.net>
     Received: from amst-s3.thi.nl (amst-s3.thi.nl [212.67.170.78] (may be forged)) by amst-n3.thi.nl (8.10.2/8.10.2) with ESMTP id i2K4sQm29639 for <x>; Sat, 20 Mar 2004 05:54:26 +0100
     Received: from eforward4.name-services.com (eforward4.name-services.com [64.74.96.246]) by amst-s3.thi.nl (8.12.9/8.12.9) with ESMTP id i2K4sPIi011693 for <x>; Sat, 20 Mar 2004 05:54:26 +0100
     Received: from csproxy.carolstream.org ([64.107.150.2]) by eforward4.name-services.com with Microsoft SMTPSVC(5.0.2195.6747); Fri, 19 Mar 2004 21:02:05 -0800
     Received: from mig (200-207-205-247.dsl.telesp.net.br [200.207.205.247]) by csproxy.carolstream.org with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id H2A1NWPM; Fri, 19 Mar 2004 22:41:33 -0600
     From: "Ivy Rendon"<adaptivelyploys[at]ameritech.net>
     To: x
     Subject: C1A-LIS & LEV-1TRA is knOwn as V'IAGRA because it acts quicker and lasts much 10nger!
     Mime-Version: 1.0
     Content-Type: text/html; charset=us-ascii
     Content-Transfer-Encoding: 7bit
     Message-ID: <EF4B___________________0ee0[at]eforward4.name-services.com>
     X-OriginalArrivalTime: 20 Mar 2004 05:02:05.0250 (UTC) FILETIME=[7D11EA20:01C40E38]
     Date: 19 Mar 2004 21:02:05 -0800

     <html><body ><b><font color=#FF0000> postmaster: <br>
     C1AL-IS & LEV1-TRA is AlMOND pi1l--it acts quIcker and 1asts much l0NGER! </font></b><br><br>
     <font color=#0000FF> - Save MOney -------- upto 70% <br>
     - Save Time ---------O.vernight Shipping <br>
     - No Doctors A|ppointment---------- Needed <br>
     - No P~rescription ----------- Required <br>
     - D0CTOR & FDA ------------ A`pproved </font>
     <p><font color=#FF0000><b>
     <a href=http://excitable.wenaad.com/at>Y0UR SOlUT10N Is h-e-r-e</a><br><br><br><br><br><br><br><br><br><a href=http://plum.net>^</a><a href=http://scolds.com>*</a><br><a href=http://scrapped.org>-</a></b></font>
     </P>
     </BODY></HTML>
     0

     [ SpamCop V1.3.4 ]
     This message is brief for your comfort. Please use links below for details.

     Spamvertised website: http://scored.com
     http://scored.com is 66.172.68.186; Tue, 23 Mar 2004 13:12:51 GMT
     http://www.spamcop.net/w3m?i=z815267887z3266c8d1d1e26b7f1e6183ab4470fecbz

     [ Offending message ]
     Return-Path: <alabamiancosmos[at]pacbell.net>
     Received: from ishara-traders.com ([203.160.130.26]) by sparkie.nagel.lan (8.12.8/8.12.8) with ESMTP id i2M1LgCm024409 for <x>; Sun, 21 Mar 2004 20:22:15 -0500
     Date: Sun, 21 Mar 2004 20:22:12 -0500
     Message-Id: <2004___________________4409[at]sparkie.nagel.lan>
     Received: from hopscotch ([80.130.52.238]) by ishara-traders.com ([203.160.130.26]) with SMTP (MDaemon.PRO.v6.7.9.R) for <x>; Mon, 22 Mar 2004 01:56:38 +0600
     From: "Stacie Moussa"<alabamiancosmos[at]pacbell.net>
     To: x
     Subject: anti-i.mpotence drug to win a|pproval from the u.s. food and drug a~dministration
     Mime-Version: 1.0
     Content-Type: text/html; charset=us-ascii
     Content-Transfer-Encoding: 7bit
     X-Authenticated-Sender: test[at]ishara-traders.com
     X-MDRemoteIP: 80.130.52.238
     X-Return-Path: alabamiancosmos[at]pacbell.net
     X-MDaemon-Deliver-To: x

     <html><body ><b><font color=#FF0000> CIAL1*S & LEVIT*RA works in as 1ittle as 3O minutes and 1asts for up to 36 h0urs. </font></b><br><br>
     <font color=#000099>* Overal1 erect1le functi0n <br>
     * Partners' s`atisfaction with s^exua1l Intercourse . <br>
     * s*atisfaction with the hardness of erect11e. <br>
     * DOCT0R_&_FDA a-pproved !</font>
     <p><font color=#FF0000><b>
     <a href=http://tending.vroeddd.com/as>YOUR S0lUTION 1s h-e-r-e</a><br><br><br><br><br><br><br><br><br><br><br><br><br><a href=http://hurdle.net>_</a><p><a href=http://scored.com>'</a></p><a href=http://boosts.org>.</a></b></font>
     </P>
     </BODY></HTML>
     0

     In the html above the bait urls have a single clickable character. As I said, I think they are choosing them directly out of a dictionary. I think there's a good chance that it's actually the same spammer as the first one I posted - notice no www in the bait URLs?

     I chose this email to show you because these complaints are against the same customer account as the one in my first example. If I dug around in our ticket system I bet I could find 200 complaints against this customer. So far as I have been able to tell, not a single one of them is valid.

     Do you really think this is fair? What would your ISP do after the 200th spam complaint against you? Would they turn you off? Would they block spamcop complaints?

     Thanks for reading
  2. Thanks for responding guys. I realize it's hard to work without examples so here's one:

     [ SpamCop V1.527 ]
     This message is brief for your comfort. Please use links below for details.

     Spamvertised web site: http://snarled.com
     http://www.spamcop.net/w3m?i=z1699372247z662e1306f75f64b36a2fbe385e9172d1z
     http://snarled.com is 66.172.91.198; Fri, 24 Mar 2006 20:19:47 GMT

     [ Offending message ]
     Return-Path: <StivetheJAXsaviors[at]cool.net>
     Received: from aamtain01-winn.ispmail.ntl.com ([81.103.221.35]) by mtain04-winn.ispmail.ntl.com with ESMTP id <20060324201846.UKXJ2851.mtain04-winn.ispmail.ntl.com[at]aamtain01-winn.ispmail.ntl.com>; Fri, 24 Mar 2006 20:18:46 +0000
     Received: from x ([81.151.64.246]) by aamtain01-winn.ispmail.ntl.com with SMTP id <20060324201845.CKGA15361.aamtain01-winn.ispmail.ntl.com[at]ja.stagg>; Fri, 24 Mar 2006 20:18:45 +0000
     Message-ID: <hqgh_______________________rcvs[at]Joecarter13xggbwkf.com>
     From: "Joecarter13" <StivetheJAXsaviors[at]cool.net>
     Date: Fri, 24 Mar 2006 20:18:29 +0000
     To: x, x, x, x, x, x, x, x, x
     Subject: [spam][96.3%] Jack, its my mom and uncle Greg!!!
     MIME-Version: 1.0
     Content-Transfer-Encoding: 8bit
     Content-Type: text/html; charset=iso-8859-1

     <html> <head> <body bgcolor= "#faffed" text="#000000">
     <font color= #edeff6> irritates! sprinters, persisted boxcars argonauts. </font><br>
     <font face="Verdana, Arial" size="2" color= "#003300">This hot oriental mom wanted some cum to go with her sushi! So after a nice dinner of rice and noodles,
     <font color= #eee9f0> tolerant! functors, Chapman aforesaid myrtle. </font><br>
     she's f0kced like a whore and opens her mouth for a huge load of seprm!
     <a hreflopsidedhref=http://snarled.com href= "http://www.koaltree.com/page/">go here</a> for more!</font>
     <font color= #e3f4e4> Stephanie! solely, Libyan spreader Chisholm. </font>
     <font color= #f0f4f3> digestible! ladylike, annoying jesting jailed. </font><br>
     </body> </html>
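
The bait-link patterns in the samples quoted in posts 1 and 2, as an added example (not part of the original posts, and not SpamCop's parser): it compares a naive `href=` pattern match with a tolerant HTML parser on the anchors copied from those samples. The names `AnchorCollector`, `classify` and `naive_urls`, and the rule that anchor text without letters or digits counts as bait, are assumptions made for the illustration.

```python
import re
from html.parser import HTMLParser

# Anchors copied from the spam bodies quoted in posts 1 and 2 (spacer <br> runs trimmed).
SAMPLE_2004 = ('<a href=http://tells.destaine.com/at>YOUR S0lUTION 1s h~e~r~e</a><br><br>'
               '<a href=http://ices.net>^</a><p><a href=http://braziers.com>*</a></p>'
               '<a href=http://pocketing.org>-</a>')
SAMPLE_2006 = ('<a hreflopsidedhref=http://snarled.com '
               'href= "http://www.koaltree.com/page/">go here</a> for more!')

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a>, reading attributes the way a browser does."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # Only an attribute named exactly "href" is a link target; first one wins.
            self._href = next((v for k, v in attrs if k == "href"), None)
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def classify(html):
    """Split link targets into those a reader is meant to click and likely bait."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    result = {"visible": [], "bait": []}
    for href, text in parser.links:
        # Assumed heuristic: anchor text with no letter or digit ("^", "*", "-") is bait.
        key = "visible" if any(c.isalnum() for c in text) else "bait"
        result[key].append(href)
    return result

def naive_urls(html):
    """What a plain pattern match on 'href=' reports, junk attribute names included."""
    return re.findall(r"href\s*=\s*[\"']?([^\s\"'>]+)", html)

if __name__ == "__main__":
    print(classify(SAMPLE_2004))
    print(classify(SAMPLE_2006), naive_urls(SAMPLE_2006))
```

On the 2006 sample the pattern match reports http://snarled.com first, while the parser shows that value belongs to an attribute named `hreflopsidedhref` that no browser treats as a link.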
  3. Hi Folks,

     I guess I should have been more clear about some of the things I am trying to say.

     I work for a hosting company. We have about 8k ip addresses on our network, and many many tens of thousands of domain names point to those addresses. We have _no_ user maintained systems here, only servers that we configure and manage. Customers have access to various resources through user level accounts. We have various systems in place to help us prevent and stop our customers from using our resources for network abuse. We keep track of a lot of system activity in order to be able to confirm complaints and know when we have a black hat on one of our systems. I'm not saying we are perfect, but we consider anti abuse to be a significant priority and it gets ongoing attention.

     I was a paying spamcop member back when it was just julian. Believe me, we want to eliminate spam just as much as anyone here does. And what I am suggesting is that spamcop will be MORE EFFECTIVE in stopping spam if it focuses on spam sources, and stops sending reports of spamvertized websites to hosting companies.

     You need to understand that the vast majority of spamcop's spamvertized site reports are inaccurate. I know that you won't want to believe this but it is true. I've spent days reading html, viewing spam in mail programs and browsers, and watching for patterns. Do you know why I would do that? Because my log scanners, time after time after time, show NO traffic coming to the supposedly spamvertized URLs, or if there is traffic, it is all coming from legitimate sources (website referrers, not including webmail pages).

     Remember, I'm the hosting company. I can see every file that is part of the site, every rewrite rule, every log line. We do dns for most of these sites - and I can see the log of any changes there too. The reports are inaccurate, and this is happening because the parsing system cannot accurately tell the difference between bait URLs and real visible clickable urls.

     The reader who said that the complaint about the reporting system is usually that it does NOT pick up spamvertized URLs is absolutely right. Because the spammers are hiding the real url in combinations of html and java script, or obfuscating it in ways that cannot be easily (computationally easily) discovered.

     Spamcop is honest about the limitations of the parsing system in a technical sort of way, but they aren't honest in a "non technical full disclosure for an end user" sort of way.

     They don't come right out and say: If you complain about the URLs we found in this message you will probably be creating 50 false complaints for every 1 accurate complaint.

     Nor do they say: You shouldn't really expect to hear back on these complaints because most of them will be a pointless waste of time to the administrators who receive them.

     Neither do they say: Please do not abuse the administrator who responds that the referenced site is an innocent third party; We know that almost all of them are.

     And they don't say: The administrator who receives this complaint has no technical means to confirm the guilt or innocence of the accused site. If the site is turned off as a result it will not be based on evidence of responsibility for the spam you received.

     Those statements above are the real truth about reporting spamvertized sites from spamcop's parsed result.

     I want you to think of the boy who cried "Wolf!" Day by day, with each inaccurate or unconfirmable report, spamcop loses credibility. Each day an abuse desk person learns through personal experience that spamcop reports are not helpful, and that reviewing them is not a good use of time.

     Spamcop should do what it is good at, send reports of spam sources. When it is used for this purpose the spam report ends up in the hands of an administrator who has the technical means to confirm the accuracy of the report, to track the size of the problem, and to require that it be fixed.

     I have written to spamcop admins with the specifics of some of the inaccurate reports that sneak by. I don't have permission from my boss to bring our company name into this discussion, and I can't reference tracking urls until I do.

     It's been a fairly good week here; only one frustrated victim of referrer spam has threatened to dos us for not turning off a site.

     Thanks for reading
  4. Hi All,

     I expect there will be disagreement with this proposal, but please read and consider.

     I am an abuse desk. I exist because my company wants to be a good net citizen. My job is to stop our users from using our resources to abuse other people or networks.

     But I keep getting these "reports" telling me that such and such url was referenced in such and such spam. And I have been researching them. I diligently waste time searching through logs, and looking at html. And basically 2/3 of these complaints were mis-parsed and the other 1/3 cannot be substantiated by any evidence that I have access to.

     These reports are hurting spamcop's credibility with abuse desk people. These reports are also MISLEADING spamcop users into thinking that the solution lies with the host.

     Yes, I completely understand why people are mad at the host. They are getting little or no satisfaction from the cable and dsl networks which are filled with zombie spam spewing pcs. Therefore they have to get satisfaction from someone else. Anyone who can plausibly be held responsible for the misery they face each morning when opening the mailbox becomes a target.

     So I get these messages which demand that I turn so and so's site off with no evidence at all that so and so actually sent the spam. Is it likely that he sent it? Yah, I guess it is. And it's also likely that someone who doesn't like him sent it. And it's also possible that it has nothing to do with him but is somebody trying to get the cable company, or the hosting company, or the pc owner in trouble.

     The only people who can confirm the truth of the complaint, and fix the problem, are the people whose networks are emitting the spam!

     Yes, I'm sure some spam would be reduced if hosting companies just turned off anyone about whom they received a complaint. But aren't you guys a little worried that you will be the target of a complaint one day? Have you not seen the websites that tell of years long joe jobs based on unpopular opinions expressed, or over competitive competitors?

     Spamcop should stop supporting the idea of turning people off without proof of wrongdoing. You technical people here know the limits of the evidence the abuse desk at the hosting company has - the end users for the most part don't.

     Spamcop should own up to the fact that they can't accurately parse the crap that spammers put in their messages. They can't reliably work out the interactions between invalid html, invisible links, java script, and just plain bait and distraction.

     I swear to you, nobody hates spam more than I do. I've used the same email address since 1995, so I bet you can guess what my mailbox looks like each morning. But I still have to say attacking the hosting companies that DO care, and giving major rudeness and grief to abuse people who are only trying to do what is right, is not helpful.

     Thanks for reading