Everything posted by enigma1

  1. Maybe it wasn't accidental; given the type of spam I got, SC perhaps was trying to avoid listwashing.
  2. I was able to see the mail headers of your URL. I had to log in with my account to see it; I guess the www version can be seen by everyone. I get quite a few emails like this, and for some hosts the references go back to 2003, plus listings can be found in other SBLs like Spamhaus. Now the thing I am not sure about is how often these hosts rotate the IPs, but I would think they need to keep them for some time. Something else I noticed is that the mail lists spammers use must be exchanged with others right after they see the emails are rejected, as I block IP ranges if I see persistent spam coming from a particular host. So there are quite a few of those not listed in SC.
  3. Well, the spam I was referring to is coming from various popular hosts. http://www.spamcop.net/sc?id=z54593705...b2bc2ce7fd09f0z And from the notes it seems pointless to notify them, because they either bounce the reports or there is no recipient.
  4. I am also getting lots of spam mail with no abuse recipient via the SC report. For most of the cases it seems the host doesn't want the SC reports, so what I do is ban the IP range the host has from my server for a month or so. In many cases devnull is a flag for spam-friendly hosts.
  5. FF with some plugins to block cookies, JS, redirections etc. is enough. The thing is, you never know who you're attacking. The spam IP is likely a compromised system. The spam-advertised domain can be a portal pointing to another portal, and in the end it could be some legit business who paid "somebody" for advertising. Or they just try to compromise other systems in the process. Or they hope, by having the victim's browser with JS enabled, to do something malicious towards another site. And many other combinations, and in the attack process you may affect hosts or ISPs who have no idea at the time what's happening (although they should be more vigilant, they aren't).
  6. I see plenty of hack attempts in my server logs from the 173.201 GD range, so surely it's not just a couple of IPs sending spam.
  7. There is no specific country responsible for spam or hacks. I guess it depends on the temporary system acquisitions of the C&Cs at any given time.
  8. There are some ways to get hosts to pay attention. They have representatives in the WHT forum, so you can go there and open a thread about it in the security or hosting sections. They have the capability to discipline their customers at any time, and the last thing they need is a bad reputation for compromised boxes or blacklisted IPs, which will then circulate among their clients. Hosts have fewer resources than ISPs and tend to address issues faster in many cases. Of course there are exceptions, but it's worth a try.
  9. How is the IPv6 support progressing? Any chance to see SC supporting the format this year? I cannot report any spam message since the last update.
  10. Everything is possible, but I said it's the incoming emails that contain the attachments. The weakness is you open up scripting in order to use Gmail. Maybe you don't browse too many sites. Even with the most effective AV you still run the risk of getting malware. If they're so immune, why do you think they make all these security updates every other day for browsers and OSes? Opening an HTML email in the browser with scripting disabled will do nothing. But when you open it in Gmail, scripting has to be on.
  11. Actually this is the other way around. In order to get to Gmail, you need to allow your browser to run all kinds of active scripting. That means an attachment or JScript or other attacking techniques attached to or integrated with emails must be filtered via the browser first, because Gmail won't work without active scripting enabled. I won't use Gmail for anything serious. And downloading malware onto your computer has no effect unless you run it in some way (via the browser or execute it as a program etc.).
  12. Well, the bad news is that all a spammer now has to do to evade the SC form processing is insert a Received header in IPv6 format.
  13. I believe something was changed in the SC form processing in the past day or so, because older mails from my list that were successfully processed now give the same error. Here is one that was successfully submitted on the 23rd of March. It now gives the IPv6 error: http://www.spamcop.net/sc?id=z4951592112za...7d1347ec862128z
  14. Here is the tracking URL: http://www.spamcop.net/sc?id=z4951929098zc...a37d342d18e94bz The Received line has an additional double colon, but that's how I received it: [::ffff:..... It seems the filtering mechanism of the SC form processing assumes it's IPv6.
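Posts 12 to 14 above turn on one detail: a Received line that carries a `[::ffff:a.b.c.d]` literal. That is an IPv4-mapped IPv6 address, which dual-stack MTAs write when an IPv4 client connects to a socket bound to `::`, and it should be reported as the plain IPv4 address rather than rejected as IPv6. The example below is added here by the editor; it is not SpamCop's parser and makes no claim about how the SC form actually works. It unfolds the header block, extracts the address literal from each Received line, collapses mapped addresses with the standard library, and tolerates a bogus or genuinely IPv6 literal further down the chain instead of aborting (the lower Received lines are sender-supplied and can be forged, as post 12 notes; only the topmost line was written by your own MX). The sample headers are constructed for this example and the function names are the editor's own.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not from the original posts): three Received lines as a
# dual-stack MTA might write them. The first uses the [::ffff:a.b.c.d] form
# (an IPv4-mapped IPv6 literal), the second a plain IPv4 literal, the third a
# genuine IPv6 literal with the "IPv6:" prefix some MTAs add. Only the topmost
# line was added by our own MX; everything below it is sender-controlled.
SAMPLE_HEADERS = (
    "Received: from mail.example.net (mail.example.net [::ffff:203.0.113.45])\n"
    "\tby mx.example.org with ESMTP id abc123; Tue, 23 Mar 2010 10:00:00 +0000\n"
    "Received: from [192.0.2.10] (helo=spamhost.invalid)\n"
    "\tby mail.example.net with smtp; Tue, 23 Mar 2010 09:59:00 +0000\n"
    "Received: from forged.invalid (forged.invalid [IPv6:2001:db8::1])\n"
    "\tby nowhere.invalid; Tue, 23 Mar 2010 09:58:00 +0000\n"
    "From: sender@example.com\n"
    "Subject: constructed test message\n"
)

# Bracketed address literal as it appears in Received lines.
_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading whitespace) to their field."""
    fields: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line terminates the header block
        if line[0] in " \t" and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line.rstrip())
    return fields


def normalize_ip(literal: str) -> Tuple[Optional[ipaddress._BaseAddress], bool]:
    """Parse an address literal; collapse ::ffff:a.b.c.d to its IPv4 form.

    Returns (address, was_mapped), or (None, False) when the literal is not a
    valid address, so one malformed hop does not abort the whole parse.
    """
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        return None, False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped, True
    return addr, False


def received_addresses(raw: str) -> List[Dict[str, object]]:
    """One record per Received header that carries a valid literal, top hop first."""
    records: List[Dict[str, object]] = []
    for field in unfold_headers(raw):
        if not field.lower().startswith("received:"):
            continue
        match = _LITERAL.search(field)
        if match is None:
            continue
        addr, mapped = normalize_ip(match.group(1))
        if addr is None:
            continue  # skip unparseable literal rather than reject the message
        records.append({"ip": str(addr), "version": addr.version, "mapped": mapped})
    return records


def first_untrusted_hop(raw: str) -> Optional[str]:
    """The connecting IP recorded by our own MX, i.e. the topmost Received line."""
    records = received_addresses(raw)
    return str(records[0]["ip"]) if records else None


if __name__ == "__main__":
    for rec in received_addresses(SAMPLE_HEADERS):
        print(rec)
    print("report this one:", first_untrusted_hop(SAMPLE_HEADERS))
```

The mapped literal comes out as `203.0.113.45` with `version` 4, the plain IPv6 hop stays IPv6, and `normalize_ip("::ffff:junk")` returns `(None, False)` instead of raising, which is the behaviour you want when a sender pads the chain with garbage.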
  15. There should be a "Received" header and that is missing from your reports, JMark. One other issue that I figured out the hard way, though, is that if the "From" header is empty the SC form won't process the mail. Makes you wonder how an ISP will ever allow the mail to be dispatched with an empty From.
  16. Looking at your last tracking, this is the line which makes the difference: Content-Type: text/html The header entry seems to instruct the parser to expect HTML instead of the actual content of the mail. I just tried it with the original email I have, using the single form (not the two-part one), and I did not get the spurious link message. I inserted the Content-Type just after the last header line. Still, the original email headers did not include a Content-Type header. So is that inserted automatically by the SC processing for the two-part form?
  17. I haven't seen the thousands of seconds, but I also noticed an intermittent behavior: sometimes I post the email and there is no delay at all, not even the few secs, but other times I run up to nearly 100. In one case I submitted the email and the initial screen was saying 6 secs, then it changed to 63 seconds without reloading or anything.
  18. Farelf, the 2 tracking URLs you posted do not show the line break right after the "doctype html". So somehow you removed it during the copy/paste operation? What I posted is exactly the content of the mail as it came through. I did not convert or remove the line breaks.
  19. Actually I did use the single form, not the Outlook one, and it wasn't Outlook the mailer. I think the problem comes when the HTML is perhaps not formatted the standard way from its origin. It's still valid, though, at least with the W3C validator. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> See the line break in the first line? Could be the reason for the problem, but I still think it is the SC form processing that does it. You would expect the SC form to check if it's an <a> tag, since the format is HTML, not plain text. A browser will treat this first section (up to the dtd">) as a single tag for the doctype.
  20. I got another one today with this doctype issue I mentioned; here is the tracking link: http://www.spamcop.net/sc?id=z4897143775zc...304b52577baf8az So basically the email contains the HTML start tags with the doctype, and it could be that the SC form processing code doesn't realize it. I don't think it has anything to do with a specific mail program.
  21. Yes, I also do the same, the whole thing. So say if you have Outlook: you take the headers, you put them in the form, then you click source on the mail, you take the HTML and you post it. With other mailers this may be in one step: headers + mail content is retrieved and posted. The form will discard the submission unless the headers are present and valid. So with some emails, after submitting the form I get the notices I mentioned earlier. And I cannot find the exact report that had the problem now; I posted several yesterday and deleted the original mails. I will update this thread with the tracking URL the next time I see it.
  22. If I manually post HTML code in the reporting form in SC, it seems to translate the HTML, presumably for security, but when it parses the body of the mail it doesn't revert back to process the actual HTML. The end result may involve invalid links because of the translated characters, which may be assumed to be spam links. For example: I tried in different ways, copying it from a textarea directly into the SC form, or copying it to Notepad first and then to the SC form, so it's not the clipboard during the paste operation on my part.
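Posts 19, 20 and 22 describe two related symptoms: a DOCTYPE whose public identifier is folded across a line break, and form input that has been entity-encoded (`<` to `&lt;` and so on) and then scanned for links without being decoded first. A text-only URL scan over such a body picks up the DTD URL and the XHTML namespace as "links", which is the spurious-link report the poster is chasing. The example below is added by the editor and is not SpamCop's code; it contrasts a naive URL scan with a pass that first undoes the entity encoding and then keeps only `href` targets of real `<a>` tags, using only the Python standard library. The message body is constructed for this example, and the entity-encoded form is produced with `html.escape` to simulate what an escaping form field would hold after the paste; the function names are the editor's own.

```python
import html
import re
from html.parser import HTMLParser
from typing import List

# Constructed sample body (not from the original posts): XHTML whose DOCTYPE
# is folded across a line break, the shape the poster describes.
RAW_BODY = (
    '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"\n'
    '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
    '<html xmlns="http://www.w3.org/1999/xhtml">\n'
    '<body><p>Special offer: <a href="http://spam.example/landing">click here</a></p></body>\n'
    '</html>\n'
)

# Simulates what an entity-encoding form field holds after the paste:
# every < > " has become &lt; &gt; &quot; (assumption for this example).
ESCAPED_BODY = html.escape(RAW_BODY)

# Anything URL-shaped, terminated by whitespace, quotes, angle brackets or '&'.
_URL = re.compile(r"https?://[^\s\"'<>&]+")


def naive_links(text: str) -> List[str]:
    """Text-only scan: every URL-looking token, regardless of where it sits."""
    return _URL.findall(text)


class _AnchorCollector(HTMLParser):
    """Collects href values of <a> tags; DOCTYPE declarations spanning lines
    are consumed by the parser's declaration handling and never reach here."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def anchor_links(text: str) -> List[str]:
    """Undo the form's entity encoding, then keep only real anchor targets."""
    parser = _AnchorCollector()
    parser.feed(html.unescape(text))
    parser.close()
    return parser.hrefs


if __name__ == "__main__":
    print("naive scan of escaped body :", naive_links(ESCAPED_BODY))
    print("anchors after unescaping   :", anchor_links(ESCAPED_BODY))
```

On the escaped body the naive scan returns three URLs (the DTD, the XHTML namespace and the landing page), while `anchor_links` returns only the landing page, whether it is fed the escaped or the original body. Unescaping before parsing is the step post 22 says is missing; if the submitted text was never escaped, `html.unescape` is a no-op apart from decoding entities the message itself contained, which the HTML parser would decode anyway.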
  23. in most cases, but by default it is deleted so it is never seen. And spammers are using invalid email addresses to check for mail bounces, which then become spam platforms.
  24. Sorry, I don't follow. You will get hosting and with it comes the email service. So who's your host, Google? So you are already paying for the mail service; it's just that you utilize it by other means, like a third-party app. I don't find that too useful. And if you use it directly, like sending to your customers from example[at]gmail.com, it looks very unprofessional. For B2B relationships I don't even read emails coming from popular hosts like Gmail, because 99% is spam.
  25. Yes, and you can also check domain age along with other parameters (TLDs etc.) before allowing your service. It will minimize the abuse.