New breed of spam??

[David40]

I noticed lately I've been getting lots of spam for pharmaceuticals and when I submit them to SPAMCOP the report doesn't really seem to be able to discover where it really came from. Is this some new form of spammer that can actually totally hide their identity?

[Wazoo]

Please provide a Tracking URL such that someone can see just what your real question might be. You used the words 'where it came from' which implies the sending e-mail server, but most talk since the last upgrade has been about spamvertised site resolution. That's a major difference.

As this appears t be a Reporting issue/query, I'm moving this to the Reporting Help Forum section with the expectation that you will provide the requested data and make this a Reporting Help Discussion.

[David40]

Wow, that's way over my head, I'm not sure what you are asking for. Maybe if I explained a bit more?

Lately I get these little adds for Viagra or whatever. I go into my message source and copy the entire email with all the headers. Then I go to the Spamcop site and paste the information into the box and hit Process spam. The only thing that comes back is a report to MSN.com Now I'm fairly certain these spam emails are not coming from MSN because they have a tight spam policy and would have stopped them very quickly. So

http://www.spamcop.net/sc?id=z2811517487z4...e98a725601d0bcz

[edit - spam and parse detail replaced by the tracking URL included in that detail]

[turetzsr]

Hi, David40!

...The information you provided came from the page linked to by the Tracking URL (see Glossary entry http://forum.spamcop.net/forums/index.php?...topic=4473#TURL or SpamCop Wiki entry http://forum.spamcop.net/scwik/TrackingURL)! Do you see in your post the text "Here is your TRACKING URL - it may be saved for future reference:"? The line underneath that is a Report ID, which can be converted to the Tracking URL that Wazoo was requesting via these instructions: FAQ Entry: Getting a Tracking URL from a Report ID.

<snip>

The only thing that comes back is a report to MSN.com Now I'm fairly certain these spam emails are not coming from MSN because they have a tight spam policy and would have stopped them very quickly. So to me it appears as though someone has figured out a way to outsmart the Spamcop tracking system. I don't know? unsure:

<snip>

...When I enter the header data you posted, I also get back an offer to report to MSN.com, so I'd say that's correct.

[Wazoo]

Wow, that's way over my head, I'm not sure what you are asking for.

That seems a bit strange. A Dictionary, FAQ, Glossary, Wiki, provided and countless thousands of preceding Posts, Topics, And Discussions but a requested bit of data seen in every successful and most unsuccessful parse results is an unknown entity? One that takes extreme character-set size and font-changing to "make us understand" ...????

Maybe if I explained a bit more?

Not really, simply providing a Tracking URL would have been more than sufficient.

I go into my message source and copy the entire email with all the headers. Then I go to the Spamcop site and paste the information into the box and hit Process spam.

Totally missing are the tools and sources involved in your efforts. Nothing about being web-based stuff, use of a specific e-mail client or not, nothing about Operating System, on and on ...

Another strange thing is that I am subscribed to this thread but I never received notification or your reply. I just happened to think of it and checked on my own.

Yet another situation that is described in a number of places, to include previous traffic, Announcements, Forum FAQ ....

SELECT * FROM <prefix>tracker where member_id='9351'

trid member_id topic_id start_date last_sent topic_track_type

6261 9351 10278 1239734035 0 delayed

The "delayed" selection and the way things work on "this Forum" make that setting usually a bad selection. Your posting into a wrong Forum section, causing the Post/Topic to be moved, in addition to the first Reply being made while you were still online caused the notification not to be sent, as the software made the call that it was un-necessary ... you were still around to see the Reply. The normal suggestion is to change that setting to "immediate"

I'll try to paste the stuff in here and maybe what you need is in there:

Here is one of the emails followed by the Spamcop Report,[/

There really has to be some sort of logic involved here, but I can't come up with it. So many folks have worked to write the code to protect your e-mail address from further scraping and being added to more spammer lists, yet you post it in the clear here (rather than providing the Tracking URL)[and again, why the 'need' for a font and size change?]<<and this isn't even yet complaining about the 'need' to clutter up the database and vertical display space on this server with much un-needed data in this case>>

Let someone know (me or one of the Moderators) how long you want this data to stay available, being gathered up and indexed by how many search engines, etc.

Spoiler Alert !!

SpamCop v 4.5.0.102 © 1992-2009 Cisco Systems, Inc. All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z2811517487z4...e98a725601d0bcz

The exact data originally requested that "was over your head" as seen in your provided copy/paste action.

Received: from hrndva-mxlb.mail.rr.com ([10.128.255.85]) by hrndva-imta05.mail.rr.com with ESMTP

Internal rr.com handoff, use of a non-routable IP Address

Received: from [65.55.116.28] ([65.55.116.28:21074] helo=blu0-omc1-s17.blu0.hotmail.com) by hrndva-iedge05.mail.rr.com (envelope-from <korifrancynehpqi[at]live.com>)

RR.com received this from a HotMail server

Received: from BLU133-W49 ([65.55.116.9]) by blu0-omc1-s17.blu0.hotmail.com with Microsoft SMTPSVC

the Live.Mail connection to the HotMail system

X-Originating-IP: [87.64.34.37]

One might believe that this could be the connection to the Live.Mail system, but .... as an X-Line:, not trustworthy on its own.

[StevenUnderwood]

....When I enter the header data you posted, I also get back an offer to report to MSN.com, so I'd say that's correct.

And since those are the only headers other than your final rr one, it is the source.

[David40]

Oh crap, I didn't even consider that. By all means get rid of my email address from the thread.

Thanks for the information.

[Farelf]

...By all means get rid of my email address from the thread. ...

I substituted the tracking URL for all of that part of the post 70878[/snapback]

[David40]

And since those are the only headers other than your final rr one, it is the source.

I can't understand how that's possible. This has been going on for over a month and you would think MSN could get a handle on that and block whomever it is that keeps repeatedly abusing their system. I've sent so many of those reports that I got to thinking it was not doing any good. Other reports have resulted in the spam stopping almost immediately. I'll continue to report those if you think it does any good.

I substituted the tracking URL for all of that part of the post 70878[/snapback]

Thanks I really appreciate that. I

[Farelf]

...I've sent so many of those reports that I got to thinking it was not doing any good. Other reports have resulted in the spam stopping almost immediately. I'll continue to report those if you think it does any good.

That is a high volume server - http://www.senderbase.org/senderbase_queri...ing=65.55.116.9 (the 'Magnitude 5.0 indicates about 200,000 messages per day). I guess it would take a lot of reports by different reporters (or spamtrap hits) to see it listed. Continued reporting will help build up the evidence which is all an individual reporter can ever do within the SC reporting system. Yes, it is worthwhile but it may be thankless, even fruitless, on any individual spam source.

[Miss Betsy]

You could also try manually reporting to msn. That means pasting the message source in an email and addressing it to the msn abuse address with the subject 'Repeated spam'. You don't need to say very much in the email. Just something like: FYI I have gotten this ad repeatedly over the last few weeks. I thought you had very strict spam policies, but it looks like this one is escaping you. followed by the message source.

Sometimes manual reports work better than spamcop reports if the ISP is interested in preventing spam leaving their servers.

Miss Betsy

[David40]

Thanks very much for the information and the tip. Since I started visiting this forum it's nice to finally get an answer without being humiliated and treated like an idiot.

[Miss Betsy]

Thank you for the compliment! Too often, us users are accused of being too blunt in our answers and giving too much information which those who expect 'customer service' see as 'rude'. We are always glad to help.

Miss Betsy

[Crocuta]

I don't know if it's the same spam or not, but I've been having trouble with them myself for the last month or so at the rate of 10-12 per day. It's about the only thing that gets through my filters at this point. Here are the last five that I parsed out (I got two more while I was putting these links together):

http://www.spamcop.net/sc?id=z2834667145zf...fcbd6ca01c583dz

http://www.spamcop.net/sc?id=z2834672387z4...90a405f73f321cz

http://www.spamcop.net/sc?id=z2834675776z3...2f08eccf3817acz

http://www.spamcop.net/sc?id=z2834679413zd...6a67e604a4c3f0z

http://www.spamcop.net/sc?id=z2834680839z8...e22edffee0ce10z

The spam consists of an inline image with the advertisement for a canadian pharmacy and the rest of the email is nonsense text. These don't seem to trigger spamassassin, giving results anywhere from 0 - 5, mostly toward the lower end.

I could try to tighten up my filter thresholds, but I've found a nice balance where I wasn't false catching legitimate emails. Anyone have any thoughts on why these are blasting through the filters?

[Farelf]

I don't know if it's the same spam or not, but I've been having trouble with them myself for the last month or so at the rate of 10-12 per day.

No, I think your case is more along the lines of "SpamAssassin filter"(I may be wrong but try searching the forums here for any inspiration along those lines).

....The spam consists of an inline image with the advertisement for a canadian pharmacy and the rest of the email is nonsense text. These don't seem to trigger spamassassin, giving results anywhere from 0 - 5, mostly toward the lower end.

I could try to tighten up my filter thresholds, but I've found a nice balance where I wasn't false catching legitimate emails. Anyone have any thoughts on why these are blasting through the filters?

I guess the easy answer is, it has to be the SA rules you are using. The couple of tracking urls I looked at (thanks for those) make it seem those sources are known sources in various blocklists, including the SCBL (at least now they are). Can you add RBLs to the header area tests in your filter rules?

As to why it might suddenly have changed? All sorts of possibilities there - greater spam volumes (though I would expect you would mention that), you might have graduated up the lists and are getting hit early in the spam cycles (before some of the tests react), ISP inwards 'pre-filtering' (if any) might have momentarily failed, outwards filtering (which some providers do) might have momentarily failed ... at this point my imagination fails but lots of other possibilities, I'm sure.

[David40]

I don't know if it's the same spam or not, but I've been having trouble with them myself for the last month or so at the rate of 10-12 per day. It's about the only thing that gets through my filters at this point. Here are the last five that I parsed out (I got two more while I was putting these links together):

The spam consists of an inline image with the advertisement for a canadian pharmacy and the rest of the email is nonsense text. These don't seem to trigger spamassassin, giving results anywhere from 0 - 5, mostly toward the lower end.

I could try to tighten up my filter thresholds, but I've found a nice balance where I wasn't false catching legitimate emails. Anyone have any thoughts on why these are blasting through the filters?

BINGO! These are exactly the one's that triggered my original inquiry. 99% percent of them point to Canadian Pharmacy. I can't seem to stop them either no matter what I do. I keep reporting them and they keep coming. Seems like there should be some way to file a complaint against the Canadian Pharmacy or their ISP but I have not learned how to go about that. Also, If you go to the Canadian Pharmacy web site Contact Page there is a "Report spam" check box. I don't know if it's legit or not. Some of those just use it as a way to verify your address and I don't want to take a chance on increasing the frequency of these things.

Another thing I noticed is that Spamcop does not identify the link the email points to (Canadia Pharmacies ISP). It says the link is obfuscated, but if you click on the link in the email you end up at the Canadian Pharmacy. With other spam I have received Spamcop identifies the link referenced in the spam and sends a report to it's host as well a the sender. I don't know why that fails with these and that is why I call it a new breed of spam because they seem to be able to hide this stuff from spam detection systems.

Let me know if you figure it out.

Thanks

[Miss Betsy]

You aren't the only one who would like to stop the Canadian Pharmacy from spamming! They work really hard at evading filters - probably changing constantly so that if a filter catches their spam, the next spam run won't be able to be caught by the same criteria.

There are long discussions (some even recent) about why spamcop does not always find the link in the body of the email. If you are curious, you could look for them. Bottom line: spamcop doesn't attempt to upgrade the parser to find links in the body of the spam, but concentrates on finding the sender. It is not a 'new breed of spam' spamcop leaves the reporting of spamvertised sites to other blocklists who do it much more efficiently.

The purpose of reporting, particularly prolific spammers like Canadian Pharmacy, is to put them on blocklists. Reports to the sender ISP generally go only to those who are not interested in stopping spam. Occasionally, they do go to a server admin who is interested and immediately stops the source, but not often enough to 'stop' the spam.

You can tweak your filters to possibly exclude them or you can learn to live with them if tweaking causes too much legitimate email to be caught. Also, some people swear by greylisting. If you have a spamcop email account, there are lots of discussions in that forum on how to use the spamcop email filters to the best advantage. If you don't have a spamcop email account, you may have to do something else - switch ISPs to one that has a more aggressive filter policy or buy an application that has decent filters that you can tweak or forward your email to a hotmail or yahoo account - both of whom have aggressive spam filters - even with junk filtering turned off, almost no spam gets through and only very occasionally does a legitimate email not make it.

Miss Betsy