Jump to content


  • Posts

  • Joined

  • Last visited

About ahoier

  • Birthday 09/07/1984

Contact Methods

  • AIM
  • MSN
  • Website URL
  • Yahoo

Profile Information

  • Location

ahoier's Achievements


Member (2/6)



  1. Props to the engineers! It all seems to be working fine now.....all last night I kept getting the Gateway Timeouts....now it's golden Reporting all my spam just fine via the web interface..... EDIT: Seems to be back Gateway Timeout The proxy server did not receive a timely response from the upstream server. Reference #1.14354317.1341331619.498e6fa7
  2. Yes, I'm sure they could battle it. But all through SpamCop history, primary emphasis seems to be on reporting/mailing/blocking the machines/addresses that are doing the actual mailing of the spam, rather than the domains appearing IN the spam e-mail. As far as I don't know about "replaced by" - lol. These domains are fly by night, and seems that the sponsoring registrar has taken action and decided to suspend the domain
  3. Spammers have been evading SpamCop reporting for a while (years?) now...hence the reason why they will split up their domain name.....adding spaces, using ASCII "art", even "images" depicting a browser address bar, showing the user where to "enter" the domain name. I have a feeling there ARE some "hosts" that DO in fact take SpamCop reports seriously, which is why the spammers go so far as to evade spam filtering by splitting up their domain names (rx pills dot com, rxpills . com, etc other methods...to evade URL filtering, automated NSLOOKUPS, etc) even though we may not receive a reply from the host. The most probable cause regarding this issue is the spammer nameserver is blocking Ironport/SpamCop DNS queries....so then Spamcop's parser sees the domain as "dead"... Here's an example: http://www.spamcop.net/sc?id=z3625825284z4...4eff9dc93c3b03z Tracking link: http://delivokay.com/ No recent reports, no history available Cannot resolve http://delivokay.com/ I know sometimes, if you "Refresh" the page, to let SC parse it again, it may "take" (resolve) and give you the contact addresses.....but then there are some domains which SpamCop will not/ever resolve(see my tracking URL, this is one of them); because the criminal entities that control the nameserver(s) behind that domain have blocked IronPort's DNS queries.... delivokay.com is a "Dr. MaxMan" spambrand; previously known as "Herbal King" (these guys change their alias every 6 months.....my take is their marketing team must suck, can't find any customers, so they keep renaming in hopes of picking some customers up.), and you can find a whole bunch of details regarding the scam at the spamtrackers wiki: http://www.spamtrackers.eu/wiki/index.php/Dr.MaXman In my domain case, delivokay currently points to a server at, and well, it's blocklisted at Spamhaus too even: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL83594 So, in the future, if you wanted to take a pro-active measure to domains that don't resolve with spamcop, you could. nslookup the domain. input the returned address into spamcop's form (http://www.spamcop.net/sc?track= And mail the abuse contacts listed. You can find decent templates for contacting these addresses at the spamtrackers wiki too: http://spamtrackers.eu/wiki/index.php?title=Hijacked_host towards the bottom of the page
  4. This topic brings up a good question. Would it be possible for me to, say, on my parents computer, use SpamCop's DNS server? Since spammers like blocking spamcop's DNS so much, it would, in the end, stop these spammer sites from loading on my parents computer If so, how would I go about doing this? Or, does it not "work" this way? Now, if only they would "block" OpenDNS servers (, if any of you miscreants are reading!).
  5. something I did notice, that shuttorperte domain is now offline/NXDOMAIN So someone's reporting got in, likely to the domain name registrar, who in turn, suspended the domain due to abuse of terms of service, or acceptable use policies. I think to an extent, SC reports to the embedded links/hosts hurts the spammers (likely the bells, roadrunners, etc....that will look into the issue, and clean up their network of the infected user) and so I think thats why some spammers insist on munging links. Why anyone would want to piece together a spam e-mail/URL like "type spam ver site d ot . c0m into your address to see the grand prize!" is beyond me..... But it must work, otherwise they probably wouldnt do it. For reporting domain name abuse to the proper registrars, try out the complaint generator tool from complainterator.com. I know you mentioned KnujOn - they have been good at opening ICANN/InterNICs blind eyes to the problems of problematic domain registrars, but end-users have power of sending complaints too, with Complainterator
  6. wooooops. I replied to the "other" thread on page 4: http://forum.spamcop.net/forums/index.php?...3842&st=120 my take on the situation situation, from reading _this_ thread seems to have come out about right.... I haven't been hit by this unwanted mail, but perhaps something that fanbridge should look into, so their service isn't abused like this in the future.
  7. spam aside, have you attempted to contact www.fanbridge.com? I know some of these "social networks" have "Let us have your e-mail address and password and we'll tell all your FRIENDS that you're here!" features... Perhaps this is the case, one of your "friends" has/had your address within their "address book" - and when they signed up for fanbridge, perhaps they have a similar "feature" - decided to give this site their e-mail address and password, and you are receiving this unwanted mail from "FanBridge" on-behalf of your "friends". I got hit by this from some "yearbook" site a while back, I clicked the unsubscribe/opt out link (yes, I know many anti-spam resources say NOT to.....but in some cases, the opt-out/unsubscribe link does actually work) and haven't heard anything since from this yearbook/social networking site.... I wish sites that had features like this would actually tell me what "friend" is "inviting" me to their service. But this is just one consideration to take. Based on the domain registration of fanbridge.com, siteadvisor reviews, alexa, aboutus ratings, etc. it does seem like a "legit" site...but they just need some lessons in unsolicited e-mailing And well, seeing as how the parsed report does show the mail being sent from an IP traced back to the site, atleast we know it's not some infected or otherwise "bulletproof hosting" provider in russia/india....
  8. very interesting. You think there are some ISPs who simply "dumping" these SpamCop reports to dev/null/ ? I know I've seen some very pleasant auto-responses, but yea, makes me wonder if these hosts/ISPs actually go in and disinfect these likely malware infected systems that are being used to send the large amounts of spam e-mail...?
  9. Alrighty, thanks for the prompt response Actually, upon doing my own research, https://gmail.google.com/support/bin/answer...amp;topic=12852 may work a lot better, since it files a complaint against the user as a separate process. It wouldn't be possible for the parser to include a note of this, would it....? hehe.
  10. The following tracking URL gave me a error, no source IP headers found: http://www.spamcop.net/sc?id=z1654814214za...c369eb855ae098z But, to me, it looks like it is/was sent from a gmail account, to my gmail account. I retrieved the full headers from Gmail's "Show Original" - unless this is another case of the spammers mangling the headers...?
  11. Interesting. Straight away my guess was it had to be a missing variable in their bulker-scri_pt/app thing. But yea, I'm using gspamcop, which, as far as I know, uses IMAP to download and submit the message, but your messages look very different than mine. (the %XMIMEOE being in the body instead of the header). But yea, probably not worth "fixing" since they will just create a new %VARIABLE next week that will throw-off the parser anyhow.
  12. I've received some spam lately, that use a %XMIMEOE in the header/body (in Gmail's "Show Original" it's in the header, but in the email view it's in the body, likely because it's not supposed to be IN the header). http://www.spamcop.net/sc?id=z1637898685za...9d3b4532dbda9dz is the relevant tracking URL. http://www.spamcop.net/sc?id=z1637898687zd...a3333f9b8235f9z is another occurrence. http://www.spamcop.net/sc?id=z1637898688z5...8f12c222494242z is another occurrence. http://www.spamcop.net/sc?id=z1638020829z9...9196238fed8c68z is another one. http://www.spamcop.net/sc?id=z1638033515z7...17c51cd7feb501z is another. Just figured I'd report it, since this is probably the 3rd time I've seen it pop up. There's also other instances of similar occurrences from a Google search for that strange variable (likely a bug in the spammers "kit" they are using?) http://www.google.com/search?q=%25XMIMEOE&...58&filter=0 - one of which points to NANAS USENET group. To expand: I'm experiencing this with Gmail as noted above. I use Gspamcop mentioned in this thread to forward the spam. I guess it's not really a question per se...I just figured I should report this happening so the developers/admins/etc are aware. I did try searching the forums/faq but didn't find any results with %XMIMEOE.
  13. Indeed they are And from the webpage that referenced at http://forum.spamcop.net/forums/index.php?...amp;#entry58407 The Submanifold scri_pt(s) now use Gmail's IMAP feature to grab only "spam" messages, and batch send them to SpamCop (and Knujon, optionally). Thus far, it's working great, been using it about a month or two now without any errors. The only restriction I think may be that IMAP is currently only rolled out for English (US) gmail.com users...
  14. alright, I'll let it fly then I report everything anyways, we'll see what happens Thanks for the prompt response Miss Betsy
  15. Is this a joke? I just received this 419/deposit scam, pasted it into the web interface, and it's saying the problem was resolved already? But I just received the e-mail 1 minute ago (give or take now...but close...)? http://www.spamcop.net/sc?id=z1530719099z0...167210abb8a701z is the tracking URL... Just curious really
  • Create New...