SpamCop Staff

Everything posted by kmolloy

  1. Sorry for the late notice, but we need to do a quick database upgrade today, 6/30, at 11 am PDT. This will require placing the website into maintenance mode for one hour. Thanks for your patience!
  2. Yes, I know. I've been out sick, so I'm behind. Working on it.
  3. As Don said, MC shouldn't get reports and we'll fix that. But I also know some people over at Mailchimp and I am confident that they don't want their customers sending nastygrams. If you're willing to send me a copy of the mail you received with full headers, I'll make sure the abuse guy at MC sees it. (you can forward it to deputies[at]spamcop.net).
  4. No, we disabled reports for NetAtlantic because they're a non-COI sending ESP, and therefore our policy says they cannot receive reports.
  5. There are basically only a few reasons we don't send reports: 1) We know the entity listwashes. 2) Reports are bouncing. 3) The responsible party told us they didn't want reports. 4) It's a non-COI ESP. We'll re-enable reports if whatever is causing bounces is fixed, or if the recipient organization has a change of heart and decides they would like reports. We do not send reports to non-COI ESPs because of the risk of listwashing. Rather than make a case-by-case judgment, we decided to just apply a policy.
  6. An ESP is an Email Service Provider. An example that's been in the news lately is Epsilon. ESPs manage marketing mail for companies but send from their own networks.
  7. Hi, everyone. I was hoping that you guys might be able to help me with something. I'm corresponding with someone from an ESP who says that Spamcop reporters contact him and ask why that ESP "refuses" Spamcop reports. They don't refuse them; we decline to send them because our policy is to only send reports to ESPs that send only confirmed opt-in (COI) email. I pointed out that the language on the site says "reports are disabled for abuse[at]example.com", which I think is pretty neutral language. It doesn't say "abuse[at]example.com refuses Spamcop reports." He asserts that there must be some language or messaging somewhere that causes reporters to believe that this ESP actively refuses reports. This is possible, but I don't see it. So, just out of curiosity: Did you know that Spamcop doesn't send reports to ESPs that don't meet our COI policy? Did you know why we don't or that such a policy was in place? Do you think that ESPs in general refuse reports? If you do, why do you think that? When you see "reports are disabled for [address]," what does that make you think about that network? Thanks for answering! I'm definitely interested in your responses.
  8. In general, if you find that an IP belonging to your webhost or ISP is listed, the correct course of action is to contact your ISP. IPs are listed because they send spam, and we can't make the spam stop; only your ISP can do this. We likely won't be able to help you.
  9. Epsilon isn't a remailer, they're an email service provider. ESPs are useful in the sense that the people who run them have a clue about how to send technically correct mail, handle bounces properly and send mail in vast quantities without crashing the recipient servers. Some even do a good job riding herd on their customers and make sure they don't abuse. However, some do not. Epsilon isn't the first company to be breached recently, either; there's been a rash of these since last fall. It appears in at least some of the cases these have been "inside" jobs, where an employee or other person with authorized access to the database has stolen it. Rumor has it Epsilon is one of them.
  10. CAN-SPAM compliance means that the email is not legally actionable. It doesn't mean it's not spam. Report away!
  11. Just so you're aware, the CERT link you provided is no longer maintained, and if you read it, it describes phishing. The Wikipedia link cites no sources. Neither are authoritative documents, IMHO. Occam's razor tells me that the problem is local to you--probably in your MUA. I read mail to deputies[at] daily, and no one else is reporting the same issues you are, and I don't see issues here in the newsgroup. I also don't see malformed mail such as you're reporting in our traps, either. If you describe the path your mail takes to get to you and then the steps you take to report it, we can help you find where things are going pear-shaped.
  12. No, our policy is to not send reports to ESPs unless all their lists are COI. We do this to prevent listwashing and because while there are ESPs that do not do 100% opt in and would handle reports responsibly, we have to be fair and COI is the best bright line we can come up with.
  13. I am pleased to say that I have managed to be annoying enough that IPv6 for Spamcop is a top priority and work should start late Spring/early Summer.
  14. I've been a professional antispammer for 12 years now, and Sean is full of it. The only way you're not going to have Received: headers for at least the final hop is if: 1) your MUA is broken and either cannot show them to you or is refusing to show them to you; 2) there's a huge bug in your MTA code, or 3) the message isn't transmitted via SMTP. It is possible to forge the content of a Received: header, but you cannot eliminate it entirely so long as the mail is transmitted using RFC822 SMTP. Also, "spoofing" technically refers to a very difficult kind of man-in-the-middle attack. I would not trust the technical expertise of someone who refers to forging as spoofing.
  15. If you find that you must receive mail from any network, I would suggest whitelisting them first in your config and *then* checking whatever BLs you wish to use.
  16. FWIW, "LHS[at][]" is called a "domain literal". We used to use it as a cc: way back when I worked on another fine BL, and I don't think we ever got a reply as a result.
  17. That IP sent a lot of Viagra spam in a short burst about 24 hours ago. My guess is Cutwail but I could be wrong. Definitely bot spam, though.
  18. Hi, can you please forward the response you received (with headers) to deputies[at]spamcop.net? You can put my name (I'm deputy kelly) in the subject line so I can find it. Thank you!
  19. I actually find that very credible; I can believe that RBN (who is likely behind Heihachi) would "frame" AnonOps for a DDoS. Thanks, all who spread the word.
  20. I'm boosting signal for the Spamhaus folks, with permission from Mr. Linford. They did post this at spamhaus.org, but it's no longer visible due to DDoS. For speaking out about the crime gangs located at the wikileaks.info mirror IP, Spamhaus is now under ddos by AnonOps. As our site can't be reached now, we can not continue to warn Wikileaks users not to load things from the Heihachi IP. If you know journalists who would get this message out, please forward this message (entire) to them. AnonOps did not like our article update, here's what we said and what brought the ddos on us: ---- In a statement released today on wikileaks.info entitled "Spamhaus' False Allegations Against wikileaks.info", the person running the wikileaks.info site (which is not connected with Julian Assange or the real Wikileaks organization) called Spamhaus's information on his infamous cybercrime host "false" and "none of our business" and called on people to contact Spamhaus and "voice your opinion". Consequently Spamhaus has now received a number of emails some asking if we "want to be next", some telling us to stop blacklisting Wikileaks (obviously they don't understand that we never did) and others claiming we are "a pawn of US Government Agencies". None of the people who contacted us realised that the "Wikileaks press release" published on wikileaks.info was not written by Wikileaks and not issued by Wikileaks - but by the person running the wikileaks.info site only - the very site we are warning about. The site data, disks, connections and visitor traffic, are all under the control of the Heihachi cybercrime gang. There are more than 40 criminal-run sites operating on the same IP address as wikileaks.info, including carder-elite.biz, h4ck3rz.biz, elite-crew.net, and bank phishes paypal-securitycenter.com and postbank-kontodirekt.com. Because they are using a Wikileaks logo, many people thought that the "press release" was issued "by Wikileaks". 
In fact there has been no press release about this by Wikileaks and none of the official Wikileaks mirrors sites even recognise the wikileaks.info mirror. We wonder how long it will be before Wikileaks supporters wake up and start to question why wikileaks.info is not on the list of real Wikileaks mirrors at wikileaks.ch (http://wikileaks.ch/mirrors.html). Currently wikileaks.info is serving highly sensitive leaked documents to the world, from a server fully controlled by Russian malware cybercriminals, to an audience that faithfully believes anything with a 'Wikileaks' logo on it. Spamhaus continues to warn Wikileaks readers to make sure they are viewing and downloading documents only from an official Wikileaks mirror site. We're not saying "don't go to Wikileaks" we're saying "Use the wikileaks.ch server instead". ---- Steve Linford The Spamhaus Project http://www.spamhaus.org
  21. ARF has been around for a long time, and most places use it (esp as part of feedback loops). In fact, Julian was one of the original proponents back in the day. However, so far as I'm aware, no one is turning down SC reports because they're not ARF.
  22. Twitter's mail admin has contacted us a few times to demand whitelisting. When I respond and explain that we're receiving spam from those IPs, he does not respond and then comes back a few weeks later to again demand whitelisting.