vsxo Posted April 23, 2004

The more strict the spamcop system gets, the less useful it is becoming as a unique tool to report spam... Reported the spam below, and have the following remarks:

1) This message does *not* come from 207.126.97.64: a number of recent spams have included a forged X-Originating-IP header, recently.

2) No report was sent to kornet for the website (which incidentally does not offer ladens, but viagra). Why not? The URL is easy enough to detect... If in doubt, the report could always be de-selected by default... And, BTW, this also goes for email addresses mentioned in the message body. Generally, they're real, and ought to be reported.

Return-Path: <izvmowbc[at]yahoo.com>
Received: from 207.126.97.64 ([67.15.24.51]) by plushie.suespammers.org (8.12.9-20030919/8.12.9) with SMTP id i3NIhAql003031; Fri, 23 Apr 2004 11:43:17 -0700
Received: from 72.120.212.158 by ; Fri, 23 Apr 2004 22:37:49 +0300
Message-ID: <KFXRFSCVLGEWGNNEYPZXF[at]msn.com>
From: "Paige Travis" <izvmowbc[at]yahoo.com>
Reply-To: "Paige Travis" <izvmowbc[at]yahoo.com>
To: brad[at]suespammers.org
Subject: Osama Bin Laden Captured
Date: Fri, 23 Apr 2004 18:33:49 -0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--68006688853118330163"
X-Originating-IP: 207.126.97.64
Status:

----68006688853118330163
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable

Just got this from CNN Osama Bin Laden has just been captured! A video and some pictures have been released. Goto the link below for pictures, I will update the page with the video as=
soon as I can: <br>
http://220.95.231.54/pics/
God Bless America!
----68006688853118330163--
PeterJ Posted April 23, 2004

Did the SpamCop parser determine the source to be 207.126.97.64 or 67.15.24.51? 67.15.24.51 is listed and the sample given matches your subject regarding Osama: http://www.spamcop.net/w3m?action=checkblock&ip=67.15.24.51
Merlyn Posted April 23, 2004

Spamcop does not use any of the X-Originating-IP headers. In fact Spamcop does not use any "X-" headers as those can have anything the person who runs the email server wants them to have. The correct IP in the case of

Received: from 207.126.97.64 ([67.15.24.51]) by plushie.suespammers.org (8.12.9-20030919/8.12.9) with SMTP id i3NIhAql003031;

would be 67.15.24.51. Like the above post said this IP is listed. I see no problem.
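As an added illustration of the point made above (this is not SpamCop's code, nor anything posted in the thread): the receiving server records the real TCP peer in square brackets, while the name after "from", the lower Received: line and the X-Originating-IP header are all written by the sender. The parser below walks the chain from the top and believes only lines stamped by a relay we administer; the trusted relay name and the sample headers are taken from the spam quoted in this thread, with one extra rDNS-style header constructed for the test.

```python
import re

# Constructed sample: the headers quoted in this thread, with the spammer's
# forged X-Originating-IP and the bogus second Received: line ("by ;").
SAMPLE_HEADERS = """\
Received: from 207.126.97.64 ([67.15.24.51]) by plushie.suespammers.org (8.12.9-20030919/8.12.9) with SMTP id i3NIhAql003031; Fri, 23 Apr 2004 11:43:17 -0700
Received: from 72.120.212.158 by ; Fri, 23 Apr 2004 22:37:49 +0300
From: "Paige Travis" <izvmowbc@yahoo.com>
X-Originating-IP: 207.126.97.64
"""

# Relays we administer (assumption for this example); only Received: lines
# stamped by one of these are believed. Everything below them is sender-controlled.
TRUSTED_RELAYS = {"plushie.suespammers.org"}

# "Received: from <helo> (<optional rDNS and [peer ip]>) by <host>"
RECEIVED_RE = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)"     # name claimed by the sender in HELO/EHLO
    r"(?:\s*\((?P<info>[^)]*)\))?"           # receiver's annotation, if any
    r"\s+by\s+(?P<by>\S+)",                  # server that added this line
    re.IGNORECASE,
)
PEER_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed TCP peer address


def parse_received(headers):
    """Return (helo, peer_ip_or_None, by_host) for each Received: line, top to bottom."""
    hops = []
    for line in headers.splitlines():
        m = RECEIVED_RE.match(line)
        if not m:
            continue                         # X-* and other headers are never consulted
        peer = PEER_RE.search(m["info"] or "")
        hops.append((m["helo"], peer.group(1) if peer else None, m["by"]))
    return hops


def spam_source(headers):
    """Source IP as a reporter should see it: the bracketed peer on the first
    Received: line stamped by a trusted relay. Lines it did not stamp (here the
    forged 'from 72.120.212.158 by ;') and the X-Originating-IP header are ignored."""
    for helo, peer, by in parse_received(headers):
        if by.lower() in TRUSTED_RELAYS:
            return peer                      # None if our relay recorded no peer
    return None
```

Running spam_source over the sample yields 67.15.24.51, the address SpamCop listed, not the 207.126.97.64 that the forged headers advertise.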
Spambo Posted April 23, 2004

> 1) This message does *not* come from 207.126.97.64: a number of recent spams have included a forged X-Originating-IP header, recently.

Which is precisely why SpamCop, TTBOMK, doesn't pay any attention to non-standard headers. Headers that aren't defined as standard by the relevant RFCs should NEVER be trusted by anyone except the admins responsible for the servers that inserted the headers.
vsxo Posted April 24, 2004 (Author)

> Did the SpamCop parser determine the source to be 207.126.97.64 or 67.15.24.51?

It showed the 207.126.. address as the source, and as the 1st on the list of to-be-reported addresses. The 67.xxx one was given only at the bottom, with its ISP listed as '3rd party interested in a copy' or something to that effect. I posted the full spam, so anybody interested can try this out for themselves.

I agree that care should be taken with non-standard headers, but I am also under a very strong impression that spamcop *does* (or at least, did) use X-Originating-IP headers. 419 scams often contain these (or similar) as they are generally sent out through free, web-based services. And not all of those show the originating IP in a standard Received: header.
Merlyn Posted April 24, 2004

> > Did the SpamCop parser determine the source to be 207.126.97.64 or 67.15.24.51?
>
> It showed the 207.126.. address as the source, and as the 1st on the list of to-be-reported addresses. The 67.xxx one was given only at the bottom, with its ISP listed as '3rd party interested in a copy' or something to that effect. I posted the full spam, so anybody interested can try this out for themselves.
>
> I agree that care should be taken with non-standard headers, but I am also under a very strong impression that spamcop *does* (or at least, did) use X-Originating-IP headers. 419 scams often contain these (or similar) as they are generally sent out through free, web-based services. And not all of those show the originating IP in a standard Received: header.

Spamcop never used any "x-" headers.
Spambo Posted April 24, 2004

> I agree that care should be taken with non-standard headers, but I am also under a very strong impression that spamcop *does* (or at least, did) use X-Originating-IP headers. 419 scams often contain these (or similar) as they are generally sent out through free, web-based services. And not all of those show the originating IP in a standard Received: header.

> Spamcop never used any "x-" headers.

IMO, if SC were to trust any X- headers, without regard to what is stated in the RFC, then any admin who was responsible for a listed IP could use the specified tracing process to prove that the headers didn't support the determination. SpamCop has no more authority to define X- headers as valid than M$, Yahoo, or any other domain.
Wazoo Posted April 24, 2004

> > Did the SpamCop parser determine the source to be 207.126.97.64 or 67.15.24.51?
>
> It showed the 207.126.. address as the source, and as the 1st on the list of to-be-reported addresses. The 67.xxx one was given only at the bottom, with its ISP listed as '3rd party interested in a copy' or something to that effect. I posted the full spam, so anybody interested can try this out for themselves.

No way will I suggest that you're lying, but I just don't see how the parser would have come back with your listed response. I've got the same problem Merlyn showed, the parser rejects the forged lines, doesn't bother with X-Lines, and only offers the 67.15 ..... IP for reporting directly ... I'd really like to see the Tracking URL of the parse you're suggesting you saw the strange results in.
Farelf Posted April 25, 2004

> 1) This message does *not* come from 207.126.97.64: a number of recent spams have included a forged X-Originating-IP header, recently.
>
> 2) No report was sent to kornet for the website (which incidentally does not offer ladens, but viagra). Why not? The URL is easy enough to detect... If in doubt, the report could always be de-selected by default... And, BTW, this also goes for email addresses mentioned in the message body. Generally, they're real, and ought to be reported.

No way have I been able to coax the parser into picking up 207.126.97.64, it always picks 67.15.24.51 whether the spam is submitted by pasting or by email as an attachment, with or without a leading blank line in the header (just to try some obvious variations, I can't email the sample inline which is the other possibility). Report would be sent per: Cached whois for 67.15.24.51 : abuse[at]ev1.net. Conclude something *not* obvious is involved perhaps involving the configuration of the email client - if so it would be particularly worth tracking down.

The "missing link" is trivial - comes down to the incorrect content type. If that were text/plain instead of text/html it would be picked up in the body parse, as is well known (well, the header lines would need to be dragged out of the message body too, in this case). Report would *not* have any effect per "abuse[at]kornet.net refuses SpamCop reports." Precisely why SpamCop permits the wrong content type to elude it is one of the deeper mysteries - the body parser is really quite robust, apart from the "too many links" issue which possibly serves a useful function in some spam by keeping innocent bystanders out of the equation.

The question of email addresses is a different matter. Must admit I don't look beyond the alias, which is often "inventive", not to put too fine a point upon it. Is there any point in bothering the nominal sender, if as stated they are real? Why would spammers *not* forge them too? - and dragging yet more innocents into the fray would simply escalate the whole business IMO. I think ISPs make enough incidental money out of spam as it is.

[what a relief! - thought for a moment I had pressed the wrong button and reported instead of cancelling one of my trial parses].
Miss Betsy Posted April 25, 2004

> The question of email addresses is a different matter. Must admit I don't look beyond the alias, which is often "inventive", not to put too fine a point upon it. Is there any point in bothering the nominal sender, if as stated they are real? Why would spammers *not* forge them too? - and dragging yet more innocents into the fray would simply escalate the whole business IMO

IIRC, the above was the reason that spamcop stopped reporting email addresses. In addition, reporters were checking off email addresses that the spamcop parser did not pick up because of the various ruses the spammer used and thus creating a bunch of nuisance reports. IME, except for Nigerian scams, there are not that many email addresses that can be determined as 'drop boxes' for spam. Most spam now has you go to a website.

Miss Betsy