john1000
Posted July 16, 2004

Hi, can someone tell me what else I can do against a spammer and my ISP, because nothing works.

The story...

For a few weeks now I'm getting mail from a spammer located at 80.57.52.231. I'm reporting my ass off here, and at some point an employee of chello indicated I could better send the full email copy to abuse[at]chello so it's reported twice... that was his idea because it's not always certain emails arrive...

After about 15 mails (4 of them were infected), a whole bunch of phone calls, promises that they will warn him, and a day ago they called me to say it wasn't a spammer but he was infected and they gave him a few hours to clean up and get some kind of protection on his computer... but now I'm getting a mail again... and again it's infected...

Now tell me... what to do about this "spam" if a lowlife ISP like chello doesn't do its work properly?

Miss Betsy
Posted July 16, 2004

See "Need help with upstream" in this forum - that may help you.

Miss Betsy

StevenUnderwood
Posted July 16, 2004

Well, if you were using the spamcop blocking list you would not be getting that junk:

80.57.52.231 listed in bl.spamcop.net (127.0.0.2)
In the past 59.9 days, it has been listed 22 times for a total of 44.0 days

Thank you for your reporting, it is keeping the junk from reaching me.

StevenUnderwood
Posted July 16, 2004

In reply to john1000's PM, the primary function of the spamcop reporting service is to feed the spamcop blocking list. For more information, start at the FAQ. Spamcop goes one step further, however, and alerts the ISP that spam has been received from one of their IP addresses.

Typically, your mail server (ISP or company) would be configured to query this list every time a server tried to send an email message to it. The spamcop email service also uses the spamcop bl (and others) to hold suspected spam in a held mail folder. I believe you can also get third party software to install on your local machine which does something similar.

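
The list query described in the post above, as an added Python example that is not part of the thread: the connecting IP's octets are reversed, the zone is appended, and an A record such as 127.0.0.2 means "listed". The SMTP reply text, the address 192.0.2.10 and the offline stand-in resolver are constructed for illustration.

```python
import ipaddress
import socket

SPAMCOP_ZONE = "bl.spamcop.net"   # zone named in the thread

def dnsbl_query_name(ip, zone=SPAMCOP_ZONE):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check_dnsbl(ip, zone=SPAMCOP_ZONE, resolve=socket.gethostbyname):
    """Return (listed, answer).

    An A record inside 127.0.0.0/8 means the address is listed. A failed
    lookup (no such name, or resolver trouble) counts as not listed, and so
    does any answer outside 127.0.0.0/8, so that a broken or wildcarded
    zone cannot make the server refuse all mail.
    """
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False, None
    listed = ipaddress.IPv4Address(answer) in ipaddress.ip_network("127.0.0.0/8")
    return listed, answer

def smtp_decision(client_ip, resolve=socket.gethostbyname):
    """What a mail server using the list could answer at connect time."""
    listed, answer = check_dnsbl(client_ip, resolve=resolve)
    if listed:
        # Reply wording is constructed for this example.
        return "554 5.7.1 %s listed in %s (%s)" % (client_ip, SPAMCOP_ZONE, answer)
    return "250 OK"

# Constructed stand-in for DNS so the example runs offline.
FAKE_ZONE = {"231.52.57.80.bl.spamcop.net": "127.0.0.2"}

def fake_resolve(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror("no such name (constructed)")

if __name__ == "__main__":
    for ip in ("80.57.52.231", "192.0.2.10"):
        print(ip, "->", smtp_decision(ip, resolve=fake_resolve))
```

Because the check runs on the receiving mail server at connect time, it only protects a mailbox whose provider has switched it on, which is the point made in the replies that follow.
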
john1000 (Author)
Posted July 16, 2004

Well Steven, that's all great but that doesn't work... because as the mentioned IP turns up at the blocked list, how can I receive mails?

No offence, but we are not all as smart as you! So sending me to the FAQ page is great reading stuff, reading about programs and server stuff, but what if it's all abracadabra... Explaining something isn't the same as telling me how to...

turetzsr
Posted July 16, 2004

> <snip> sending me to the FAQ page is great reading stuff, reading about programs and server stuff, but what if it's all abracadabra... Explaining something isn't the same as telling me how to...

Hi, john1000,

...Steven probably did not mean to imply that you could do anything about this problem by yourself. It is the responsibility of your e-mail provider to determine how to keep the spam from reaching you. However, some e-mail providers prefer to not get involved in that activity. If that is the case for you, you may wish to consider finding a different e-mail provider who can do it.

john1000 (Author)
Posted July 16, 2004

Well, I'm using Spambully and as far as I can tell I can configure it in such a way that people must be approved to mail... or something like that... still figuring out how it works...

StevenUnderwood
Posted July 16, 2004

Thanks Steve T for the clarification.

john1000... Your choices for using the spamcop dnsbl (and/or others) are:

- to request that your ISP start using them
- change email providers (spamcop is only one)
- use an email application that processes your mail before your email client sees it to either delete or move it to an alternate location

I do not have a need for the third one, so have no recommendation there.

The system you are contemplating is also known as challenge/response. It may help to keep your inbox clean, but because most spam and viruses use forged from addresses, you will be sending your spam and viruses to other innocent users. This could possibly also get your machine on the same spammer blocklists so people could not receive your messages, or get your account shut down for sending (actually redirecting) viruses.

john1000 (Author)
Posted July 16, 2004

Well, this is the only way for me to do something. BTW... as the system of spamcop always indicates... no reporting of bounced mails... so why should I make it harder on myself using this type...

And my spammer is listed but still sends mails...

john1000 (Author)
Posted July 18, 2004

And I'm still receiving spam from 80.57.52.231 and my ISP chello.nl isn't doing anything... :angry:

keythumper
Posted July 18, 2004

Try SpamAssassin, OR find a better ISP. You get what you pay for. I like what companies like Telus have started doing. They no longer let their users access port 25, unless they route via the Telus mail servers. Wish our company did this.

-- Gary

john1000 (Author)
Posted July 30, 2004

I wasn't sure what to call it all, but most of you remember my previous post about a spammer at 80.57.52.231. Well, after getting at least 25 mails, of which about 7 were infected with dirty scripting, we're now at the point that even my ISP doesn't believe that the spam mail originally comes from 80.57.52.231.

So where does this leave me?

All the mails I got from 80.57.52.231 were submitted to spamcop and the system was clear on where it came from... But it becomes a problem if I cannot convince my ISP.

So can spamcop be fooled in this way? Because the employee of the helpdesk said that if the spammer (infected or not) comes from another network other than chello, he can create false IP addresses like 80.57.52.231, and what a coincidence, huh...

The person of the IP knew he was infected and admitted it also, and was even shut off for a few days. But after that it all started again...

I knew it was him because of the names used and they were the same, and that's not a coincidence... it was him, I'm sure of it.

So can someone, or even anyone from spamcop, explain this in a not too technical way so I can discuss this with my ISP the next time the mails start to come...

John

dbiel
Posted July 30, 2004

Have you gone through the MailHost configuration? If not, you should.

Yes, IP addresses can be easily forged. The mailhost identification procedure helps to clearly identify the valid IP addresses that the mail has passed through and discards any that are associated with your mail service and ignores any except the one from which your mail service first received the message.

Another potential problem area is web sites that are advertised within the body of the message. Many times these are valid sites that have nothing to do with the spam itself and in fact are victims of that very same spam. These sites are sometimes reported in error, as the parser can't tell the difference between the victim and the guilty, and the individual reporting does not take the time to carefully review the reports before sending them.

I hope that this helps some. The following is the current information on the IP address you posted.

80.57.52.231 listed in bl.spamcop.net (127.0.0.2)

Causes of listing
SpamCop users have reported system as a source of spam less than 10 times in the past week

Additional potential problems
(these factors do not directly result in spamcop listing)

Listing History
In the past 73.6 days, it has been listed 27 times for a total of 53.4 days

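
The idea in the post above, as an added Python sketch that is not part of the thread and is not SpamCop's parser: only Received lines written by your own mail service are believed, and the source is the IP that service recorded at the hand-off. The domain mailhost.example, the addresses and the sample message are constructed; `OWN_DOMAINS` and `own_ips` are hypothetical settings.

```python
import re
from email import message_from_string

# Constructed message: the top Received line was written by the recipient's
# own provider; the one below it arrived with the mail and proves nothing.
SAMPLE = """\
Received: from [203.0.113.45] (helo=pc.example)
\tby mx1.mailhost.example with smtp; Sun, 1 Aug 2004 10:00:02 +0200
Received: from mail.victim.example ([198.51.100.7])
\tby relay.victim.example; Sun, 1 Aug 2004 09:58:00 +0200
From: someone@victim.example
Subject: constructed test message

body
"""

OWN_DOMAINS = ("mailhost.example",)   # hypothetical: your provider's mail servers
HOP = re.compile(r"from\s.*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+([\w.-]+)", re.S)

def is_own(host, own_domains=OWN_DOMAINS):
    """Exact or sub-domain match, so 'evilmailhost.example' does not pass."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in own_domains)

def handoff_ip(raw, own_domains=OWN_DOMAINS, own_ips=()):
    """Return (source_ip, untrusted_lines).

    Walk the Received lines newest first. A line counts only if one of our
    own servers wrote it; the connecting IP it records is the source unless
    that IP is one of our own relays, in which case look one line further.
    """
    hops = message_from_string(raw).get_all("Received") or []
    source = None
    for i, hop in enumerate(hops):
        m = HOP.search(hop)
        if not m or not is_own(m.group(2), own_domains):
            return source, len(hops) - i        # this line and all below it
        source = m.group(1)
        if source not in own_ips:
            return source, len(hops) - i - 1    # everything below is unverified
    return source, 0

if __name__ == "__main__":
    print(handoff_ip(SAMPLE))
```

A message with a single Received line written by your own provider returns that line's IP with nothing left to distrust.
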
Miss Betsy
Posted July 30, 2004

If the spam is the same spam, then it is possible the spammer found another infected machine. The only way it would be the same infected machine is if the IP address is the same. Even then, it could be another infected machine using the same IP address. So, it probably is the same spammer, but he may not be using the same machine to deliver.

Miss Betsy

john1000 (Author)
Posted July 30, 2004

Well, my main question really was... can spamcop be fooled? Because if that's the case it would be the perfect way to spam for the rest of your life... So even I can do it, dbiel? Sending thousands of mails? Find that hard to believe...

Wazoo
Posted July 30, 2004

You're asking questions in the abstract. Please provide a Tracking URL of one of these that you've parsed or show some headers to show what you've got.

turetzsr
Posted July 30, 2004

> Well, my main question really was... can spamcop be fooled? Because if that's the case it would be the perfect way to spam for the rest of your life... So even I can do it, dbiel? Sending thousands of mails? Find that hard to believe...

...IIUC, one of Julian's great missions is to stay ahead of the spammers. Thus, little projects such as the SpamCop Mailhosts process are born.

...You're probably familiar with PC viruses and the various products available to avoid and/or clean them. Virus makers are forever trying to beat, and sometimes succeed in fooling, the anti-virus products. Anti-virus toolmakers are forever reacting to these new virus strategies. Something similar goes on in the spammer / anti-spammer world.

...Those of us who use the internet are far more indebted to people like Julian (and those who help him) than is generally appreciated. <big g, that they are around!>

john1000 (Author)
Posted July 31, 2004

Well, unfortunately I've deleted the last received spam mails, otherwise I would have posted it here. But that is what I'm trying to say... reported at spamcop and it simply shows that it originates from 80.57.52.231, no doubt about that... that is what the report says. So the question is, is that accurate?

Because my ISP is saying... yes customer, I know you reported it, and yes it says 80.57.52.231... but sir, believe me, it... it's not coming from him...

Well, to make it clearer... it's the same as that Iraqi idiot who's famous by now with... "believe me... there are no Americans nearby and we are winning..."

How true is it when the spamcop report says IP... 80.57.52.231

So?

Wazoo
Posted July 31, 2004

Again, you're asking abstract ... without seeing the data, the parse, all the details, there is no way to offer an answer to your question.

dbiel
Posted July 31, 2004

> How true is it when the spamcop report says IP... 80.57.52.231

Please note Wazoo's reply:

> You're asking questions in the abstract. Please provide a Tracking URL of one of these that you've parsed or show some headers to show what you've got.

Without that information your question is impossible to answer. Too bad that you deleted the mail so that you are unable to post it.

Remember that the parser is a tool. It is not perfect and it DOES make mistakes; that's the whole reason why we are told to review the results of the parse before actually sending out the reports.

Despite what I have just said, I should also say that the parser does an extremely good job and I do not know of anything that works better.

john1000 (Author)
Posted August 1, 2004

Okay, here it is... spammer is busy again...

URL: http://www.spamcop.net/sc?id=z578840707z09...7c25718e18f777z

And who can tell...? Is it really sent by IP 80.57.52.231?

Wazoo
Posted August 1, 2004

With only one IP / link in the header, there's no way one could argue where this one came from. On the other hand, there's no way anyone could be confused by where it came from, so one has to ask, how close are these headers to what's really being sent to chello abuse folks?

Not going to accuse you of manufacturing a set of headers, but if this is the real thing, there's not much to discuss, debate, or analyze .. which is also why something doesn't smell quite right here .... how often does anyone see a set of headers that contains only a single Received: line??

john1000 (Author)
Posted August 1, 2004

Okay, call me an idiot for not understanding this tut... but the other previous ones are the same... simple and not that long.

So please, Wazoo... sent by that IP or not? Yes or no...?

Wazoo
Posted August 1, 2004

Again, based on your sample, the only way it did not come from that IP is if the chello servers are really screwed up and are inserting that IP as the Received From: address onto anything it touches ... or you've got a spammer that has direct control over either chello's e-mail server (or your e-mail application on your system) and can sweet talk the app into accepting some direct text input and add the resulting output file directly into the Incoming E-Mail spool .... and if spammer has this kind of access, control, and capability, one would think he/she would be really, really busy doing something a bit higher order than pushing some spam.

Now, on a completely different tack .... the included Base-64 content in your sample decodes to the following:

Norton AntiVirus heeft de bijlage verwijderd: Part-2.zip.
De dreiging W32.Netsky.Z[at]mm is gedetecteerd in de bijlage.

Can you say .. yet another mis-configured anti-virus product that's sending out bad data to the (assumedly) "Forged" addresses in the header? But even this seems odd based on the "From:" address used in what you offered as your sample, as one would think that this type of message would have come from a chello server, vice Microsoft .... again, something is not quite right ....