rooster Posted January 25, 2005

Hello & greetings;

This is my first post and I am a newbie to the net and to this forum. Over the last few weeks I have read what I could find on: SMTP, TCP, UDP, IGMP, POP3, INet Protocols, HTML, "How to Read EMail Headers", URLs, IPs, ISPs, Domain Names, and all the literature about O/D-ing on Ibuprofen. Oh, and I've read all I could find by way of FAQs and posts on this forum. But now I have a blizzard of Qs. If I understand the practice of this forum, the idea is to ask just one or two at a time. I just hope members can be a little patient with me until I get up to speed.

I use OE 6. My problem began when a friend of mine who doesn't believe he needs to update his AV ware (or even try to understand what being infected actually means) or take other precautions got a trojan and my addie got harvested. He still doesn't believe he is causing any problems and simply refuses to assume responsibility. Before this occurred, I only got a couple of spams a week, on average. I learned just enough about "WhoIs-ing" the 3 major networks, and how to use Traceroute and Netcraft, before discovering this site, to forestall all but one spammer. He is really proving to be a challenge.

My first Q has to do with "Forwarding as an Attachment", as recommended by your FAQs, Miss Betsy (Jan 20 2005, 01:24 PM Post #5) and Flagginator (same thread). My concerns are: not opening the preview pane so as not to activate the "bug" response back to the spammer, and not opening email or attachments which I don't trust. I read that working offline affords some degree of protection and I do have AVG email scanning in situ, but I am paranoid that some clever professional spammer (porcosapiens) will bomb me with something anyway. If they can 'bug' my preview pane, then what *can't* they do? Until my last submission, I used the web reporting page and just hi-lited the preview page. But I have just realized (by accident) that much of my spam has attachments in addition to masked links in the actual message itself. I discovered this when I tried to forward a report using OE and the darned page opened. I had not realized that was how it worked. I assumed I could forward the whole shebang unopened. So; how do I hi-lite a message safely?

My second Q concerns the "DO NOT CHANGE ANYTHING" in the header or message imperative. Some of my spam has 20-50 lines of 'white space' in between sections of the message. I don't understand enough about MIME limitations to know whether this feature compromises SC's tracking abilities or not, but I ask whether manually compressing some of these 'blank verse' epistles would help or hinder the process?

I hope members can be a little patient with me for a while. Bear in mind that until just a few months ago I thought 'download' meant what you do to your teenager when they blow curfew and "Megahertz" was just some campy expression about what to expect if you 'dissed' a biker's ride.

rooster
Miss Betsy Posted January 25, 2005

You are absolutely right to be wary of the 'preview' pane. It can be turned off by going to View->Layout in OE. Then you can put your mouse on the subject of the spam and it will be highlighted without opening anything.

The best way to submit spam is to Forward as Attachment (right click on spam and choose from pop up menu); send to your secret address. That way all is preserved just as it was sent, and that's the way the parser likes it. It doesn't care about blank spaces in the spam itself (it only balks if it can't find anything; you can search the FAQ for 'No Message Found', though someone else will have to confirm that will find it).

Miss Betsy
rooster (Author) Posted January 25, 2005

Miss Betsy; Got it; thanks very much. I think I hadn't grasped what you meant by hi-lite. I took it to mean I had to open the message and hi-lite it the way I had been doing with the Header in Properties when I first started posting on the web site. And I'll leave my messages stet. I had read the FAQs and posts on this; I just needed clarification.

I'm still learning how to interpret headers. One thing I would like to have confirmed is: does OE's "Return Path" mean the same as reverse DNS? The examples I have seen use several different references to this feature; e.g. "Reading Email Headers" by Ken Lucke calls them "Mail From". If I know this for sure, it will save me time if I want to use Netcraft or another service, since I can begin knowing I have the correct info. If I understand correctly, the first "Received: from" is *relatively* more reliable than any that might follow; I just want to be sure I am not confusing one "Command" with another. There is a "Message Source" component available in OE Properties about which I'm sure SC is fully apprised. Does/would this info play any useful role in tracking?

One last thing; I've uncovered a few specific characteristics viz. attempts to forge/deceive on the part of one persistent spammer which link a number of spams to the same source even though all other header info appears different. How can 'we' put such info to use? I have scant understanding about what actually goes on at SC's end, so I can't tell if add'l info would be useful or redundant.

Regards, rod
Wazoo Posted January 25, 2005

> If they can 'bug' my preview pane, then what *can't* they do?

It's not the "preview pane" that's the issue. It's the rendering of HTML that allows things to happen. That can happen within the preview pane if allowed; it can also happen if you double-click (or right-click / open) on the e-mail Subject Line and open that e-mail "full-screen" .... (again OE6 / Windows being talked about here)

> Until my last submission, I used the web reporting page and just hi-lited the preview page. But I have just realized (by accident) much of my spam has attachments in addition to masked links in the actual message itself.

This is a bit confusing, as any submittal performed as you just described would have resulted in an error message, at least a "no headers found" ...

> I discovered this when I tried to forward a report using OE and the darned page opened. I had not realized that was how it worked. I assumed I could forward the whole shebang unopened. So; how do I hi-lite a message safely?

This I know is discussed in the new "How to ..." Forum .. (noting that Miss Betsy has also provided some changed data that needs to be handled <g>)

> My second Q concerns the "DO NOT CHANGE ANYTHING" in the header or message imperative. Some of my spam has 20-50 lines of 'white space' in between sections of the message. I don't understand enough about MIME limitations to know if this feature compromises SC tracking abilities or not, but I ask whether manually compressing some of these 'blank verse' epistles would help or hinder the process?

This actually goes back to a position offered ... if you have to ask if it's OK, you'd probably better not do it <g>
Wazoo Posted January 25, 2005

> I'm still learning how to interpret headers. One thing I would like to have confirmed is; does OE, "Return Path", mean the same as reverse DNS?

No. Some of this info is found in the SpamCop Glossary, also linked to from the Forum FAQ.

> The examples I have seen use several different references to this feature; e.g. "Reading Email Headers" by Ken Lucke calls them, "Mail From". If I know this for sure, it will save me time if I want to use Netcraft or another service since I can begin knowing I have the correct info. If I understand correctly, the first "Received: from", is *relatively* more reliable than any that might follow; I just want to be sure I am not confusing one "Command" with another.

The "only" thing reliable is the line "assumed" to be the handoff line, the one that shows where your ISP's e-mail server received the e-mail from (and that can only be true if your ISP folks have set things up correctly, the servers involved pass on the correct data, your e-mail application receives, handles, and displays this data correctly, and you're reading the data correctly). Data beyond that line can be seen as increasingly nebulous, as it can be forged. The "addresses" you are talking about are the easiest lines to forge.

> There is "Message Source" component available in OE Properties about which I'm sure SC is fully apprised. Does/ would this info play any useful role in tracking?

Also talked about in the "How to ..." Forum

> One last thing; I've uncovered a few specific characteristics viz. attempts to forge/deceive on the part of one persistent spammer which link a number of spams to the same source even though all other header info appears different. How can 'we' put such info to use? I have scant understanding about what actually goes on at SC's end, so I can't tell if add'l info would be useful or redundant.

I'm not sure I understand the question, after having been couched in the "I've read as much as I can" mode ... "we" can't tell for sure what you might mean by "the same source" here ... that reporting your spam feeds the DNSBL is mentioned in a number of places, use of the DNSBL is talked about in many other places, so I for one am not sure where this question is actually headed. Sorry.
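As an added illustration of Wazoo's point that it is the rendering of HTML, not the preview pane as such, that lets the spammer know a message was opened, here is a small Python script that is not from this thread or from SpamCop. It parses a constructed multipart/alternative spam (the host names, the tracker URL and the per-recipient id are invented) and lists every remote URL a mail client would fetch automatically while displaying each part. The text/plain part yields nothing, which is why reading in plain text defeats the "bug"; the text/html part yields the 1x1 image whose query string identifies the recipient.

```python
# Added example, not code from the thread or from SpamCop. The message below
# is constructed; track.example.com and the id value are invented.
import email
import re
from email import policy
from html.parser import HTMLParser

SPAM = """From: "Special Offer" <promo@example.com>
To: victim@example.org
Subject: your account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=us-ascii

Visit http://deal.example.com/ for the offer.

--XYZ
Content-Type: text/html; charset=us-ascii

<html><body background="http://cdn.example.com/bg.jpg">
<p>Visit <a href="http://deal.example.com/?r=f00d">our site</a></p>
<img src="http://track.example.com/open.gif?id=f00d-1a2b" width="1" height="1">
<div style="background:url(http://cdn.example.com/hero.png)"></div>
</body></html>

--XYZ--
"""

# url(...) inside a style attribute is also fetched at render time.
URL_IN_STYLE = re.compile(r"url\(\s*['\"]?(https?://[^'\")\s]+)", re.I)

# Tag/attribute pairs a renderer loads without any click by the reader.
AUTO_FETCH = {"img": "src", "body": "background", "iframe": "src", "link": "href"}


class FetchCollector(HTMLParser):
    """Collect every remote URL that displaying the HTML would request.
    <a href> is left out on purpose: it only fires if the reader clicks."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in AUTO_FETCH:
            value = attrs.get(AUTO_FETCH[tag]) or ""
            if value.lower().startswith("http"):
                self.urls.append(value)
        if attrs.get("style"):
            self.urls.extend(URL_IN_STYLE.findall(attrs["style"]))


def auto_fetched(raw):
    """Map each displayable part's content type to the URLs shown when it is rendered."""
    msg = email.message_from_string(raw, policy=policy.default)
    out = {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            out[ctype] = []          # plain text is only displayed, never fetched from
        elif ctype == "text/html":
            collector = FetchCollector()
            collector.feed(part.get_content())
            out[ctype] = collector.urls
    return out


def tracking_candidates(urls):
    """URLs carrying a query string are the likely web bugs: the id is per recipient."""
    return [u for u in urls if "?" in u]


if __name__ == "__main__":
    for ctype, urls in auto_fetched(SPAM).items():
        print(ctype, "->", urls or "nothing fetched")
    print("web bugs:", tracking_candidates(auto_fetched(SPAM)["text/html"]))
```

Denying cookies, as suggested later in the thread, does not stop this kind of confirmation: the unique id travels in the image URL itself, so the only reliable defence is not to render the HTML part at all.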
Miss Betsy Posted January 25, 2005

> One last thing; I've uncovered a few specific characteristics viz. attempts to forge/deceive on the part of one persistent spammer which link a number of spams to the same source even though all other header info appears different. How can 'we' put such info to use? I have scant understanding about what actually goes on at SC's end, so I can't tell if add'l info would be useful or redundant.

My interpretation of what he is saying is that he is getting the same spamvertised site in emails that come from different IP addresses. My answer is that when the IP addresses are different, the spammer is using trojaned computers to send them (a spamcop report will alert the appropriate admin that there is a compromised machine, which is good because many will then fix the machine) or is rotating IP addresses to avoid being picked up as sending spam (difficult to do anything about, and reports are probably ignored).

Bottom line: submit spam by forward as attachment and let spamcop decide what to do with it. Knowing how to shut down spam web sites is not as easy as reading headers and, unless you have time to really study the subject, is not worth one's time. In fact, I uncheck all boxes except the source most of the time because I don't have time to decide whether or not I want to send them to that abuse address.

In reading headers, it depends on whether your ISP relays from machine to machine or not, whether the first received line is the one from which the spam came. It is the received line where your ISP received it from the internet that can't be forged. Anything after that is suspect (but may be legitimate relays).

Miss Betsy
rooster (Author) Posted January 27, 2005

Hi Wazoo;

Re: "the rendering of HTML...". I use plain text only in OE preview. I had assumed, based on research at the W98 Discussions Forum, that "Open in Plain Text Only" addressed this potential problem *until* I read in this forum about the "bugging". Now I'm confused again.

Re: "...performed as you described...": I was referring to just the message portion of the web post, already having copied the Header portion.

Re: "the new 'How to...' Forum": check para 4; my opening post, this thread.

Re: "...position offered... if you have to ask...": I have no idea what "position offered" refers to, but I think Miss Betsy answered my Q in her response above.

Re: "No. Some of this info is found in the SpamCop Glossary, also linked to from the Forum FAQ." I spent 2 hours last night trying to re-access the "Forum FAQ" from this page. Then I asked a neighbour with a few years' experience on the net and he gave up too after seeing "Search/Search Help" for FAQ, FAQ's or Forum FAQ etc., and every intuitive combination we could conjure, return the message: "Sorry, we could not find any help topics that matched your search criteria, please try again", and several variations thereof... for the umpteenth time. He eventually went home to his computer (which is much faster than this 16MB/133MHz wheezer) and eventually found it by Googling. It turns out to be a "You can't get there from here" paradox. Maybe you could include something about this in the "Discussions" Search Menus under "Tips for Idiots". I finally did re-locate the FAQ entry I had previously read, assuming from your RTFM enjoinder that I had missed something, but I find myself back at my original Q in this post. The text copied below does indeed omit a reference to the line I am inquiring about. To wit: does OE's "Return-Path" mean the same as reverse DNS? Likewise "The SpamCop Glossary". The Forum FAQ at Spamcop.net doesn't seem to mention the item. If I missed it, it wasn't for lack of trying. Where is it?

<COPIED FROM FORUM FAQ>
"Here's an example of the headers of an email:

Return-Path: <nospam[at]julianhaight.com>
Received: from julianhaight.com (usr25-dialup4.mix1.Sacramento.mci.net [166.55.9.4]) by sam.julianhaight.com (8.8.7/8.8.7) with ESMTP id MAA14120; Sat, 7 Mar 1998 12:08:52 -0800
Message-ID: <3501A7D6.9C842904[at]julianhaight.com>
Date: Sat, 07 Mar 1998 12:02:30 -0800
From: Julian Haight <nospam[at]julianhaight.com>
X-Mailer: Mozilla 4.04 [en] (WinNT; I)
MIME-Version: 1.0
To: feedback[at]pfmicro.com
Subject: TWINSTOR TS210 Disk Mirroring Controller
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Notice the line marked in red. This is the most important part of the header that SpamCop cares about. This is called a received line. Some email messages have only one received line, some have more than one. Every time the email makes a "hop" from one server on the internet to another, one more received line is added. They can be used to track the email back along its path to the origin. Without this information, SpamCop can do nothing. All the other information in the header is suspect (it can be faked). The received line portion of the header always contains SOME kernel of truth. SpamCop separates the kernel from the chaff in order to find the true source of the spam."
<END COPY>

QUOTE "The "only" thing reliable is the "assumed" to be the handoff line..." I'm just not sure what you want me to understand here. Do you mean the only thing reliable is the line which is "assumed" to be the handoff line; or perhaps the only thing reliable is assumed to be [the contents of] the handoff line? The rest of the paragraph deepens the confusion for this ingenubie. I just want to know which "Command" applies to the "Return-Path:" line and what the script in that line signifies. You say it is not a reverse DNS, but what *is* it?

Re: "Also talked about in the 'How to...' Forum": OK; another RTFM. I'll get to it by'n bye.

Re: "so I for one am not sure where this question is actually headed. Sorry." The key phrase was "all other header info...". I was referring to observed errata in headers which might be apparent to the human (my) eye, but which might not trip a computer tracking scan. (Like I would know.) And I didn't want to provide the precise info here in case, as the Forum bumph warns, spammers do read your forum. To be slightly more clear, I should have said: what is the protocol for learning/checking the value of characteristics peculiar to individual spammers which might aid in identifying them, and which might or might not already be part of your programs' tasks? Longitudinal and subjective studies sometimes reveal things a 'flash' track might not. Experts in the field probably have a term for what I am struggling to describe; I just haven't learned it yet.

I appreciate the time constraints under which you and Miss Betsy must work and I want to thank you for taking the time with me. The more I learn about pernicious spammers (porcinosapiens) the more intent I am on assuming an active role in frustrating them. "Attaboy" to SpamCop and all who sail in her.

Regards, rod

p.s. I haven't figured out how to use the Quote command yet, but I'll work on it.
Wazoo Posted January 27, 2005

I don't know how you "got in here" .. this might be part of the problem ..??? You should have arrived via a link to http://forum.spamcop.net/forums/ .... Here you would have seen a list of "Subject" sections that this Forum thing is broken into. If you are reading this, you are within the "SpamCop Reporting Help" section of the Forum structure. .. This would normally mean that your eyes, mouse, perhaps a few other items had scrolled down that first page and made something happen that got you 'in here' ... So, having to imagine that you got "in here" following some other path ... look towards the top of the screen ... click on the leftmost set of words "SpamCop Discussion" which should take you back to where I said in the above that you should have arrived at. You will see a list of the different areas of discussion Subjects, including the above mentioned "How To ..." .. this "Reporting Help" section .... Clicking on the SpamCop Reporting Help "bold" text will bring you right back "in here" .. at that point, you have somehow managed to skip over a Pinned item Titled;

Pinned: Original SpamCop FAQ Plus - Read before Posting

FAQ = Frequently Asked Questions

Just checked and it's the first entry on that page ... due to details of this application, this will offer you yet another link, which will take you to the Forum FAQ .... which includes data within the www.spamcop.net FAQ and a whole bunch more .. such as the link to the Forum Glossary ...

Up until about a half-hour ago, I was bouncing between 5 keyboards and two laptops, troubleshooting client systems, writing a web-page, some dialog with Miss Betsy about incorporating some commentary provided over in the SpamCop newsgroups into an existing FAQ entry "here" .. and the really sucky part .. researching the alleged support Forums for this application ... after having read through all the Bug reports, the Suggestions Forum, the pre-sales Forum, the Company news Forum, the 20+ pages of the "support" Forum, the 41 pages of Archived Support Forum discussions, on and on ... I've picked up enough knowledge that I'm answering questions "over there" .. but still waiting for someone to answer my queries .... let's not talk about the telephone calls ... had to edit some profanity in another posting here and PM that user about that action, moved some posts around here, posted some stuff over in the newsgroups, posted some stuff here answering other queries .... Now looking at your last monster of a series of questions, but bowled over a bit about how you've missed the links that "we" tried to place so one couldn't help but trip over them on their way to ask a question. The folks just dropped off their tax information and would like their taxes done by the week-end. I've got a plea for help from someone in the newsgroups to try to track down who is spoofing her over there. I've got some e-mail from a couple of the Deputies, I know I've got some unanswered PMs in here .... I don't think I'm going to touch your questions for a while, rather willing to wait until you find the "real Forum FAQ" and wade through some of that first. This is not meant to give you a rough time, I'm just more than a bit baffled by your experience here thus far, my eyes are killing me, and I'm using a keyboard that has most of the letters worn off the keys (and I don't touch type) ... time for a bit of a break here <g>
Miss Betsy Posted January 27, 2005

> "The "only" thing reliable is the "assumed" to be the handoff line..." I'm just not sure what you want me to understand here. Do you mean, the only thing reliable is the line which is "assumed" to be the handoff line; or perhaps, the only thing reliable is assumed to be [the contents of] the handoff line. The rest of the paragraph deepens the confusion for this ingenubie. I just want to know which "Command" applies to the "Return-Path:" line and what does the script in that line signify. You say it is not a reverse DNS, but what *is* it?

The 'return-path' line is the line that OE and other email applications use to address a 'reply'. It can be easily changed to any address you want to put there. At one time this made it easy for people who used one computer at work and one at home to put the work address when they were emailing about work issues from home. However, the spammers discovered that they would not get bounces, and that people could not 'reply' to them with angry words or block that email address from entering their email inbox, if they used a different address in the return path. Therefore, the return-path cannot be trusted as the place from which the spam came.

I don't know if you were the one I said this to recently, but unless you want to really study the subject (and there are plenty of links plus courses at your local community college), you really don't have to know 'how' spamcop works in detail. The spammer forges things; the only reliable, non-forgeable way to tell where a spam comes from (not who the spammer is or what his email address is or how to reach him) is the IP address from which your ISP got the email. There are various technical details about how one can determine legitimate IP addresses, but one really has to know all the technical details of email in order to use them.

What spamcop does is, automatically, determine the IP address (using those technical details) and then, automatically, look up the abuse email address for that IP address (again, a routine that involves several different criteria) and tell you what it is so you can send a report to them that you have received unsolicited email that you want them to investigate. Unless you are technically fluent, you are not going to be able to help spamcop do its job any better. If you are technically fluent and receive hundreds of spam per day, you could look up each one yourself, but spamcop, being automatic, does it quicker. You can tell at a glance whether spamcop has done it the best way or not.

So, bottom line is, people are very good about explaining technical aspects if it is relevant to the understanding of a particular reporting issue (and this is where I have learned most of my 'technical' knowledge). But most of the regulars here make their living by helping people understand their computers. They don't have time to give you a course free of charge.

Miss Betsy
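The "handoff line" idea that Wazoo and Miss Betsy describe, worked through in code: an added Python example that is not SpamCop's parser and not from this thread. It walks the Received: lines from the top (newest hop first), skips hops between the reader's own mail hosts, and stops at the first hop one of those hosts received from an outside machine; the bracketed IP on that line is reported as the source. Return-Path:, From:, and every Received: line below the handoff are ignored, because the sender can write whatever it likes there. The first sample is the FAQ header rooster quoted with a forged extra Received: line added underneath; the second sample, with mx1.example.org relaying to mx2.example.org and a forged "localhost" hop, is constructed. The mailhost names passed in stand in for what SpamCop's MAILHOSTS configuration records.

```python
# Added example, not SpamCop's code. Host names other than the FAQ's, all IPs
# in the second sample, and both forged trailing Received: lines are constructed.
import re

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"            # name the sender announced in HELO/EHLO
    r"(?:\s+\((?P<paren>[^)]*)\))?"    # receiving server's own view: rDNS [ip]
    r".*?\bby\s+(?P<by>\S+)",          # the server that wrote this line
    re.S,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# FAQ header from the thread, plus one forged Received: line the spammer
# inserted below the real handoff to look like an innocent relay.
SAMPLE_FAQ = """Return-Path: <nospam@julianhaight.com>
Received: from julianhaight.com (usr25-dialup4.mix1.Sacramento.mci.net [166.55.9.4])
    by sam.julianhaight.com (8.8.7/8.8.7) with ESMTP id MAA14120;
    Sat, 7 Mar 1998 12:08:52 -0800
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by julianhaight.com with SMTP id 12345; Sat, 7 Mar 1998 11:59:00 -0800
Message-ID: <3501A7D6.9C842904@julianhaight.com>
From: Julian Haight <nospam@julianhaight.com>
To: feedback@pfmicro.com
Subject: TWINSTOR TS210 Disk Mirroring Controller

(body)
"""

# Constructed: an ISP that relays mx1 -> mx2 internally, so the first line is
# NOT the handoff; the spammer also appended a fake "localhost" hop.
SAMPLE_RELAY = """Return-Path: <bounce@forged.example>
Received: from mx1.example.org (mx1.example.org [10.0.0.5])
    by mx2.example.org with ESMTP id 2; Tue, 25 Jan 2005 10:00:02 -0500
Received: from friendlymail.example.com (unknown [198.51.100.7])
    by mx1.example.org with ESMTP id 1; Tue, 25 Jan 2005 10:00:01 -0500
Received: from localhost (localhost [127.0.0.1])
    by friendlymail.example.com with SMTP id 0; Tue, 25 Jan 2005 09:59:00 -0500
From: "A Friend" <bounce@forged.example>
Subject: hi

(body)
"""


def unfold_headers(raw):
    """Return [(name, value)] for the header block, joining folded continuation lines."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()     # continuation of the previous header
        else:
            lines.append(line)
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def parse_received(value):
    """Pull the HELO name, the receiver's rDNS name, the bracketed IP and the 'by' host."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    paren = m.group("paren") or ""
    ip = IP_RE.search(paren)
    rdns = paren.split()[0].lower() if paren and not paren.startswith("[") else ""
    return {"helo": m.group("helo").lower(), "rdns": rdns,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by").lower().rstrip(";")}


def find_source_ip(raw, mailhosts):
    """Newest hop first: the first line one of OUR hosts wrote about a hop from a
    host that is not ours is the handoff line; its bracketed IP is the source."""
    mailhosts = {h.lower() for h in mailhosts}
    for name, value in unfold_headers(raw):
        if name != "received":
            continue
        hop = parse_received(value)
        if hop is None or hop["by"] not in mailhosts:
            # Something above the handoff that we did not write: chain not understood.
            raise ValueError("untrusted Received: line before handoff: " + value)
        if hop["rdns"] in mailhosts:
            continue                    # internal relay between our own servers
        if hop["ip"] is None:
            raise ValueError("handoff line carries no IP: " + value)
        return hop["ip"]
    raise ValueError("no handoff line found; are the mailhosts configured?")


if __name__ == "__main__":
    print("FAQ sample   ->", find_source_ip(SAMPLE_FAQ, {"sam.julianhaight.com"}))
    print("relay sample ->", find_source_ip(SAMPLE_RELAY, {"mx1.example.org", "mx2.example.org"}))
```

Two things in the thread show up directly. Return-Path is never consulted, which is the answer to rooster's question: it is just another header the sender fills in, not the result of a reverse DNS lookup. And if the mailhost list is wrong (try `find_source_ip(SAMPLE_FAQ, {"julianhaight.com"})`), the first line is not recognised as ours and the walk refuses rather than guessing, which is the "your ISP folks have set things up correctly" caveat in code form; a real implementation compares the receiving server's IP ranges rather than trusting names, since names in the rDNS position are only as honest as the server that wrote them.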
rooster (Author) Posted January 27, 2005

Miss Betsy; Thank you again. I'm sorry I didn't respond yesterday; I had Wazoo's response on my screen and didn't see yours until a minute ago. I deduced from reading a number of your posts before I started this thread that your (and all moderators') time is a precious commodity. You don't have the luxury of making a specific spammer a 'project'. I do, on the other hand. My limitations are my 'wetware' and my very slow computer (16MB/133MHz). You can execute more commands in 30 seconds than I can in an hour. Deciding what to get is my next step. To a newbie, this is a big job.

Putting aside for the moment all the "command function" analyses applied to headers, which are covered quite well in SC FAQs and other materials suggested therein, and putting aside trojaned computers, misconfigured computers, forgeries, rotating addies and relays.... in the case of my specific nemesis, he has made one assumption in all his spam headers which links them (in my case) to a common computer. Likewise the "subject lines" in his spam, coupled to his spam plain text language, also point to one specific individual. (I deduced this before I read SC warnings about the *bug* phenomenon in the preview pane.) I have found what I think is a good candidate: his web site, his computer, his primary ISP and his email software. But I recognize the chances of so serendipitous an occurrence, based on my feeble savvy set, are so slim that I am embarrassed to even suggest it. Nevertheless, I would just like the chance to check with someone without alerting the jerk in the process. I just don't know the appropriate way to do this. And your time is far too valuable to be playing guessing games with newbies like me, I'm sure. Even if I have beaten the odds and actually found him, I appreciate there might be little that can be done to yank his chain. But for me, at least, it would feel as though I had accomplished something.

Happy trails, rod
Wazoo Posted January 27, 2005

> Thank you again. I'm sorry I didn't respond yesterday; I had Wazoo's response on my screen and didn't see yours until a minute ago.

And the lack of a response there suggests I wasted my time trying to walk you through how to use this Forum?
Miss Betsy Posted January 27, 2005

> Even if I have beaten the odds and actually found him, I appreciate there might be little that can be done to yank his chain. But for me, at least, it would feel as though I had accomplished something.

There is little that you can do that is not stooping to his level, except to go one step further than spamcop reports and call his service provider, and notify everybody that has anything to do with making policy for his service provider or web host that you are unhappy. Write a letter to the editor of his hometown newspaper.

Since I am not technically fluent, I couldn't confirm that you had 'found' the spammer, but it is very possible that you have. Perhaps someone else will volunteer to check out your data in a PM or via email.

Miss Betsy
flagginator Posted January 28, 2005

Rod:

1. Take a chill pill and edit your posts. They're too long.
2. Set up your OE to send reply to all emails by attachment. You don't need to look at any headers. Just forward by attachment to your super secret spamcop.net submission email address and you're almost done.
3. Ignore the replies from Spamcop.net.
4. Go to http://www.spamcop.net and click on the "Report Now" link, then on the Submit link. Rinse and repeat until there is no longer a "Report Now" link.
5. Open IE (Internet Explorer). Click on Tools --> Internet Options --> Privacy --> Advanced --> Tick Override Automatic Cookie Handling --> Tick Prompt in both places --> OK --> Close --> Apply --> OK --> Close --> Close IE. Now, every time you preview an email with a cookie you will be prompted to accept the cookie. Of course, you will deny the cookie. That way the spammer won't have confirmation that you opened the email.

Somehow you are making a mountain out of a molehill. Follow steps one to five and you are set. Don't sweat the rest of it. Also, this assumes you have set up your MAILHOSTS. If not, you are going to bust and annoy your ISP (your mail provider).

Now, if you reply to this, please edit for brevity.
rooster (Author) Posted January 29, 2005

Wazoo; Hang in there. You didn't get your skills in 2 weeks. I'm just learning basic computer skills in addition to learning how to close info gaps in this very technical venue. I got the answers I needed on Headers from my ISP dude. He gave me some really nifty insights & tips, too, that I can't wait to try out. Maybe (don't choke) I'll be able to contribute to this forum one day. My site navigation problems stemmed from my not understanding about pages 'timing out', and not understanding how to use the "View" => "Go To" whachamacallit.

Miss Betsy; Thanks again. Good advice; but I feel the need of forensic certainty before I make potentially damaging accusations.

Flagginator; Thanks, I had things set up like that already. Preview Pane is off: I pick up on contents from "Message" <= Details <= Properties. I'm not content to adopt a purely defensive posture vs. spammers. I want to learn all I can, so examining Headers, accessing the Big 3 "WhoIs's", Spamhaus, Netcraft, Sourcefor and any source I can find is the best way I know to do this. Oh yes; and asking questions.

rod