Wazoo
Posted November 30, 2005

> Good morning campers
> Does this help?

[How-to] Post a Question
The Details
If it's a spam in question, do not post the spam here. Use a Tracking URL to offer a link to both the spam and the parse results. That way we're all talking about the same data.
If it's a bounce/rejection notification, provide the critical lines of data. The IP address being rejected will be at the root of any research.

One created with just the snippet provided (thus having no idea what the actual e-mail body looked like) is seen at http://www.spamcop.net/sc?id=z834385364z25...6b00b6572bf381z reported via a non-MailHosted account .. not showing any resemblance to a "self-reported" parse result in this sample. But yes, this would have been much more helpful at the start of this Topic.

maz (Author)
Posted November 30, 2005

I post this too?

Your message
To: herbertn[at]ulm.de
Subject: [*spam-TAG*] 3: ALL MAJOR DESIGNER REPLICA //ATCHES! Save $38
Sent: Wed, 30 Nov 2005 15:27:33 +0100
did not reach the following recipient(s):
herbertn[at]ulm.de on Wed, 30 Nov 2005 15:28:20 +0100
Der Name des Empfängers wurde nicht erkannt.
Die MTS-ID der ursprünglichen Nachricht ist: c=de;a=dbp;p=bwl;l=SUS000180511301428X7RB9QLW
MSEXCH:IMS:Stadt Ulm:STADTULM:SUS00018 0 (000C05A6) Unbekannter Empfänger

From: jpocas[at]mercuryexposure.org
Date: November 30, 2005 6:27:33 AM PST
To: herbertn[at]ulm.de
Subject: [*spam-TAG*] 3: ALL MAJOR DESIGNER REPLICA //ATCHES! Save $38

Get the <http://ctqvim.opcxcfbybwc1hoo4toomt666.slipbandbf.com/?owyu> Finest Rolex Watch Replica!
We only sell premium watches. There's no battery in these replicas just like the real ones since they get recharged as you move. The second hand moves JUST like the real ones, too. These original watches are sold in stores for thousands of dollars. We sell them for a fraction of a price.
- Replicated to the Smallest Detail
- 98% Perfectly Accurate Markings
- Signature Green Sticker with Serial Number on Watch Back
- Magnified Quickset Date
- Includes all Proper Markings
Make your <http://qqnw.m5avav9w9cshx4m2rmm2944m.sawdernb.com/?yrsi> order before the prices go up.
Order Rolex <http://ctqvim.opcxcfbybwc1hoo4toomt666.slipbandbf.com/?owyu> or other Swiss watches online
To unsubscribe click here! <http://ctqvim.opcxcfbybwc1hoo4toomt666.slipbandbf.com/Qot?ucs>

StevenUnderwood
Posted November 30, 2005

> Good morning campers
> Thank you for understanding.
> Does this help?

I will give it a shot. A tracking URL would help, though.

My lookup of the word Unzustellbar: roughly translates to undelivered, i.e. the host 195.243.22.149 bounced this message to the forged email address jpocas.

1) You can report this bounce using spamcop.
2) As stated elsewhere, there is nothing you can do to stop the original machine from using your email address forged in the headers.
3) Spamcop will not see you as a spammer because of the forged name.
4) If you were listed, it was for another reason.

Please continue to ask questions about spam related things you are still uncertain about. Your issues with Mercury dumping, while I am sympathetic, nothing can be done here.

justauser
Posted November 30, 2005

So a misconfigured Microsoft Exchange Internet Mail Service Version 5.5.2657.72 configured to use the German Language, three levels deep in a German network, and calling itself postmaster[at]ulm.de bounced the spam without revealing any of the Received Header Lines, so we can't track the source of that particular message without asking postmaster[at]ulm.de, who probably does not prefer English.

However, we do have the payload URLs, all of which point to IP Address 218.65.209.27, listed twice by the SBL as SBL34434 (218.65.209.27/32) and SBL34688 218.65.209.0/24; see also the ROKSO records for Ukrainians Alex Blood / Alexander Mosh / AlekseyB / Alex Polyakov (compsoagg.com ; syzygialjc.info ; sa.akekicb.com). SpamCop's parser recommends reporting abuse by that IP Address to hostmaster[at]gx163.net, anti-spam[at]chinanet.cn.net, ct-abuse[at]abuse.sprint.net, and postmaster[at]gx163.net. I'd suggest adding abuse[at]gx163.net (because it should work) and abuse[at]savvis.net (which provides connectivity from chinanet directly to the US (LA, Dallas, Atlanta, Washington, and New York) per my traceroute).

Would you care to post another bounce message, this time with the Received Header Lines in the bounced message it contains? Thanks!

maz (Author)
Posted November 30, 2005

http://www.spamcop.net/sc?id=z834560796z76...fe00dd4be07f5cz

From postmaster[at]planalfa.es Wed Nov 30 15:29:46 2005
Received: from me3 by server012.kionic.com with local-bsmtp (Exim 4.54 (FreeBSD)) id 1Ehafa-0000l3-2D for help[at]mercuryexposure.org; Wed, 30 Nov 2005 16:43:22 -0600
X-spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on server012.kionic.com
X-spam-Level:
X-spam-Status: No, score=1.0 required=3.0 tests=FUZZY_ROLEX autolearn=no version=3.1.0
Received: from [217.75.236.253] (helo=onesmtp.planalfa.es) by server012.kionic.com with esmtp (Exim 4.54 (FreeBSD)) id 1EhafZ-0000kf-OI for otakut[at]mercuryexposure.org; Wed, 30 Nov 2005 16:43:21 -0600
Received: from correo.planalfa.es ([172.16.0.10]) by onesmtp.planalfa.es with Microsoft SMTPSVC(6.0.3790.1830); Wed, 30 Nov 2005 23:43:14 +0100
Received: by CORREO with Internet Mail Service (5.5.2656.59) id <W75G3LYQ>; Wed, 30 Nov 2005 23:44:46 +0100
Message-ID: <B39D3314D88D524B95F545ECC797AD140763B4E5[at]CORREO>
From: System Administrator <postmaster[at]planalfa.es>
To: otakut[at]mercuryexposure.org
Subject: Undeliverable: [Probable spam] - 2: What to look for when purchas ing a replica watch! Save $33
Date: Wed, 30 Nov 2005 23:44:46 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2656.59)
X-MS-Embedded-Report:
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01C5F5FF.A99F07E0"
X-OriginalArrivalTime: 30 Nov 2005 22:43:14.0978 (UTC) FILETIME=[734C6820:01C5F5FF]

This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible.

------_=_NextPart_000_01C5F5FF.A99F07E0
Content-Type: text/plain; charset="iso-8859-1"

Your message
To: ocdav[at]planalfa.es
Subject: [Probable spam] - 2: What to look for when purchasing a replica watch! Save $33
Sent: Wed, 30 Nov 2005 22:48:22 +0100
did not reach the following recipient(s):
OCDAV[at]PLANALFA.ES on Wed, 30 Nov 2005 23:44:33 +0100
The recipient name is not recognized
The MTS-ID of the original message is: c=es;a= ;p=plan alfa s.l.;l=CORREO0511302244W75G3LYJ
MSEXCH:IMS:Plan Alfa S.L.:DOM_CORREOPA:CORREO 0 (000C05A6) Unknown Recipient

------_=_NextPart_000_01C5F5FF.A99F07E0
Content-Type: message/rfc822

Message-ID: <001f01c5f600$2a87d9ca$0100a8c0[at]your-3hcef8q6j0>
From: otakut[at]mercuryexposure.org
To: ocdav[at]planalfa.es
Subject: [Probable spam] - 2: What to look for when purchasing a replica w atch! Save $33
Date: Wed, 30 Nov 2005 22:48:22 +0100
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2656.59)
X-MS-Embedded-Report:
Content-Type: text/plain; charset="iso-8859-1"

<http://rmev.stgjy1f2xign3as8xsa8fsaa.basebredcl.com/?srue> VIP REPLICA //ATCHES!
We offer a free gift box with every VIP watch ordered. You can use it as a lovely gift for your friends or relatives or keep your gorgeous watch there. No matter what you do with your watch, you will enjoy it.
-All Time Classics
-Exquisite R0lex Replica
-Superb Quality //atch
and others!#
<http://rmev.stgjy1f2xign3as8xsa8fsaa.basebredcl.com/?srue> Check out our gift boxes that will make the present even more glamorous.
To unsubscribe click here! <http://uyvg.wfknkn16jmk97wecjeecjeew.lowlandmf.com/Frc?hJz>

------_=_NextPart_000_01C5F5FF.A99F07E0--

Like this? Raw source instead of headers. This one is the latest and collects in a different folder.

This said yum this is fresh spam, nothing to do.

http://www.spamcop.net/sc?id=z834561519z60...32317adae675f6z

From MAILER-DAEMON[at]me.freeserve.com Wed Nov 30 15:38:51 2005
Received: from me3 by server012.kionic.com with local-bsmtp (Exim 4.54 (FreeBSD)) id 1EhbV5-0006lK-N2 for help[at]mercuryexposure.org; Wed, 30 Nov 2005 17:36:35 -0600
X-spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on server012.kionic.com
X-spam-Level: **
X-spam-Status: No, score=2.1 required=3.0 tests=FUZZY_ROLEX,HTML_FONT_BIG, HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF autolearn=no version=3.1.0
Received: from [193.252.22.158] (helo=smtp1.freeserve.com) by server012.kionic.com with esmtp (Exim 4.54 (FreeBSD)) id 1EhbV4-0006l6-R0 for ekyfw[at]mercuryexposure.org; Wed, 30 Nov 2005 17:36:35 -0600
Received: by mwinf3010.me.freeserve.com (SMTP Server) id 6F9485C21ED1; Thu, 1 Dec 2005 00:17:21 +0100 (CET)
Date: Thu, 1 Dec 2005 00:17:21 +0100 (CET)
X-ME-UUID: 20051130224332358.577B688004DD[at]mwinf3014.me.freeserve.com
From: MAILER-DAEMON[at]me.freeserve.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: ekyfw[at]mercuryexposure.org
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="3D0075C883EB.1133392641/me.freeserve.com"
Message-Id: <20051130231721.6F9485C21ED1[at]mwinf3010.me.freeserve.com>

This is a MIME-encapsulated message.

--3D0075C883EB.1133392641/me.freeserve.com
Content-Description: Notification
Content-Type: text/plain

This is the SMTP Server program at host me.freeserve.com.
I'm sorry to have to inform you that your message could not be be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to <postmaster>
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The SMTP Server program
<gabinetto.presidenza[at]consiglioregionale.piemonte>: Host or domain name not found. Name service error for name=consiglioregionale.piemonte type=A: Host not found

--3D0075C883EB.1133392641/me.freeserve.com
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; me.freeserve.com
X-SMTP-Server-Queue-ID: 3D0075C883EB
X-SMTP-Server-Sender: rfc822; ekyfw[at]mercuryexposure.org
Arrival-Date: Wed, 30 Nov 2005 23:43:33 +0100 (CET)

Final-Recipient: rfc822; gabinetto.presidenza[at]consiglioregionale.piemonte
Action: failed
Status: 5.0.0
Diagnostic-Code: X-SMTP-Server; Host or domain name not found. Name service error for name=consiglioregionale.piemonte type=A: Host not found

--3D0075C883EB.1133392641/me.freeserve.com
Content-Description: Undelivered Message
Content-Type: message/rfc822

Received: from smtp1.freeserve.com (mwinf3014 [172.22.159.42]) by mwinf3010.me.freeserve.com (SMTP Server) with ESMTP id 3D0075C883EB for <gabinetto.presidenza[at]consiglioregionale.piemonte>; Wed, 30 Nov 2005 23:43:33 +0100 (CET)
Received: from me-wanadoo.net (localhost [127.0.0.1]) by mwinf3014.me.freeserve.com (SMTP Server) with ESMTP id 2D85388004EA for <gabinetto.presidenza[at]consiglioregionale.piemonte>; Wed, 30 Nov 2005 23:43:33 +0100 (CET)
Received: from your-3hcef8q6j0 (user-1938.l1.c1.dsl.pol.co.uk [81.77.71.146]) by mwinf3014.me.freeserve.com (SMTP Server) with SMTP id 577B688004DD for <gabinetto.presidenza[at]consiglioregionale.piemonte.>; Wed, 30 Nov 2005 23:43:32 +0100 (CET)
X-ME-UUID: 20051130224332358.577B688004DD[at]mwinf3014.me.freeserve.com
Message-ID: <002101c5f600$4421fa3c$0100a8c0[at]your-3hcef8q6j0>
From: <ekyfw[at]mercuryexposure.org>
To: <gabinetto.presidenza[at]consiglioregionale.piemonte>
Subject: 9: replica //atches! rolex, patek philippe, vacheron constantin and others! Ref:333
Date: Wed, 30 Nov 2005 22:49:05 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_001E_01C5F600.441F9300"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

This is a multi-part message in MIME format.

------=_NextPart_000_001E_01C5F600.441F9300
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_000_001E_01C5F600.441F9300
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2722" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgcolor=3D"#FFFFFF">
<div align=3D"center">
<p align=3D"left"><font size=3D"+1"><b><a href=3D"http://rmev.stgjy1f2xign3as8xsa8fsaa.basebredcl.com/?srue"><i><font color=3D"#FF0000">VIP</font> REPLICA //ATCHES!</i></a></b></font></p>
<p align=3D"left"><font size=3D"+1">We offer a free gift box with every VIP watch ordered. You can use it as a lovely gift for your friends or<br>
relatives or keep your gorgeous watch there. No matter what you do with your watch, you will enjoy it.
</font></p>
<p align=3D"left">-All Time Classics<br>
-Exquisite R0lex Replica<br>
-Superb Quality //atch </p>
<p align=3D"left">and others!#</p>
<p align=3D"left"><a href=3D"http://rmev.stgjy1f2xign3as8xsa8fsaa.basebredcl.com/?srue"><font size=3D"+1"><i><b>Check out our gift boxes that will make the present even more glamorous.</b></i></font></a><br>
</p>
</div>
<DIV align=3D"center"><FONT face=3DArial size=3D2>To unsubscribe <A href=3D"http://uyvg.wfknkn16jmk97wecjeecjeew.lowlandmf.com/Frc?hJz">click here!</FONT></DIV>
</BODY>
</HTML>
------=_NextPart_000_001E_01C5F600.441F9300--

--3D0075C883EB.1133392641/me.freeserve.com--

http://www.spamcop.net/sc?id=z834564085zee...dda60a8880c7cfz

dbiel
Posted December 1, 2005

Yes, those are tracking URLs, pasting of all the data simply duplicates the tracking URL and is not necessary BUT!!!!!!

What is your question? This topic has gone in too many circles to guess at what your current question is. The tracking URL will help to answer the question (if the question relates to it)

turetzsr
Posted December 1, 2005

> <snip examples>

...The ones I looked at definitely look like bounce messages to the forged "From" address (various[at]mercuryexposure.org). As mentioned earlier, these tend to go on for a few days and then the spammer starts forging someone else's e-mail address in the "From" line. In the meantime, the clueless admins who are bouncing the spam over to you need to be smacked on the head by being reported, so I hope you'll continue to do that as time permits. Thanks!

> This said yum this is fresh spam, nothing to do.
> http://www.spamcop.net/sc?id=z834561519z60...32317adae675f6z

...That's just saying that none of the abuse addresses SpamCop knows of will work, so it can not report. However, it will include your submission in its decision as to whether to include in the SpamCop blocklist the IP address from which the bounce came so, again, I hope you'll report as many of these as you have time to do. Thanks!

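Added example, not part of the original thread and not SpamCop's parser: for a bounce that embeds the original message with its Received lines, as the freeserve bounce posted above does, this Python code reads the delivery-status fields and walks the embedded Received lines newest first to find the first hop outside private or loopback address space, which is the address the bouncing provider's own server recorded for the real sender. The sample message, its example domains and the address 198.51.100.23 are constructed, and the function and key names are this example's own.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample bounce: reserved example domains and a documentation IP.
SAMPLE_BOUNCE = """\
To: forged@victim.example
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@nonexistent.example
Status: 5.0.0

--BOUND
Content-Type: message/rfc822

Received: from edge (edge.example.net [172.22.0.42])
 by mx.example.net with ESMTP id AAA; Wed, 30 Nov 2005 23:43:33 +0100
Received: from edge (localhost [127.0.0.1])
 by edge.example.net with ESMTP id BBB; Wed, 30 Nov 2005 23:43:33 +0100
Received: from some-pc (dsl-host.example.com [198.51.100.23])
 by edge.example.net with SMTP id CCC; Wed, 30 Nov 2005 23:43:32 +0100
From: <forged@victim.example>
To: <nobody@nonexistent.example>

constructed body
--BOUND--
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in  # RFC 1918 private + loopback
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
DSN_FIELDS = ("reporting-mta", "final-recipient", "status")


def injection_ip(original):
    """Read Received lines newest first; return the first hop outside INTERNAL_NETS."""
    for header in original.get_all("Received", []):
        match = BRACKETED_IP.search(" ".join(header.split()))  # unfold first
        try:
            ip = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:  # bracketed text that is not a valid address
            continue
        if ip and not any(ip in net for net in INTERNAL_NETS):
            return str(ip)
    return None  # the bounce did not include usable Received lines


def analyze_bounce(raw):
    """Summarise who bounced the message, for which recipient, and where it entered."""
    bounce = email.message_from_string(raw)
    report = dict.fromkeys(DSN_FIELDS + ("original-from", "injection-ip"))
    report["bounced-to"] = parseaddr(bounce.get("To", ""))[1]
    for part in bounce.walk():
        ctype = part.get_content_type() if part.is_multipart() else ""
        if ctype == "message/delivery-status":
            for block in part.get_payload():  # one Message per header block
                for field in DSN_FIELDS:
                    if block[field]:
                        report[field] = block[field].split(";")[-1].strip()
        elif ctype == "message/rfc822":
            original = part.get_payload(0)
            report["original-from"] = parseaddr(original.get("From", ""))[1]
            report["injection-ip"] = injection_ip(original)
    return report
```

A bounce that embeds the message without any Received lines, like the Exchange ones earlier in the thread, gives an `injection-ip` of `None`, and hops below the returned one were not written by the bouncing provider and cannot be trusted.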
maz (Author)
Posted December 1, 2005

I have tried to get through to outblaze because they are rejecting good emails from forum. I don't know if they can add an option to allow one to pass through that does not spam.

If I have a number of returns with the same relevant info only different to and from usernames, are they considered duplicates? Or do they add to the validity of the spamming?

Thank you

dbiel
Posted December 1, 2005

They are all separate individual bounces which can be reported as separate "spam" messages under the new rules. If they were true duplicates, same message ID, that your system happened to forward duplicate copies of, then only one should be reported, but in that case all information would be identical.

Jeff G.
Posted December 1, 2005

> I have tried to get through to outblaze because they are rejecting good emails from forum. I don't know if they can add an option to allow one to pass through that does not spam.

Please try using a different email address to contact postmaster[at]outblaze.com, explain the situation (referencing this Topic as appropriate), and tell Suresh Ramasubramanian you admire his work. Suresh is a long-time anti-spammer. If you still can't reach him, try him at ops.lists[at]gmail.com.

> If I have a number of returns with the same relevant info only different to and from usernames, are they considered duplicates? Or do they add to the validity of the spamming?

They add to the volume of Reports. Please feel free to save them for last in your Reporting, as Reporting of them provides the lowest marginal value.

maz (Author)
Posted December 1, 2005

Thank you.

Gateway Timeout
The proxy server did not receive a timely response from the upstream server.
Reference #1.44f1840.1133422808.27e4e3d

It could be me running slow.

Jeff G.
Posted December 1, 2005

> Gateway Timeout

Sorry, you were unlucky enough to hit the Parsing and Reporting System during a performance dip. I hate it when that happens! Please try again.

maz (Author)
Posted December 1, 2005

spamcop to google goes into the spam folder

turetzsr
Posted December 1, 2005

> spamcop to google goes into the spam folder

...Sorry, I don't understand -- exactly what is it that is going into a spam folder? And where is this spam folder -- in your SpamCop e-mail account?

Wazoo
Posted December 1, 2005

> spamcop to google goes into the spam folder

until you mark it as "not spam"

Merlyn
Posted December 1, 2005

> spamcop to google goes into the spam folder

Not for me

Jeff G.
Posted December 1, 2005

> spamcop to google goes into the spam folder

When I send a SpamCop Report to an address that is forwarded to my Gmail account (because its address is shorter than my Gmail address and I need the real estate in "Public standard report recipients"), the Report generally ends up in my Gmail spam Folder. I think this is what is also happening to maz. I have already suggested to Gmail that they allow whitelisting and that they allow whitelisting of everything (bypassing their anti-spam feature), but they have not acted on those suggestions. The more of you fellow Gmail users that make similar suggestions, the more weight they should give those suggestions.

maz (Author)
Posted December 1, 2005

Maybe they will read the thread, I wrote because they are named in the title of the spam I am receiving.

maz (Author)
Posted December 5, 2005

Now I'm getting this as returned spam, and a zip file.

Transaction Denied by Bank.
Order details:
Date: 11/21/05
Order number is: 003725
You have ordered the following:
Price
RING 1 147.20
RING 2 125.80
Setup fee 3.00
+VAT 93.50
_____________________________
Total in USD: 276.90
Please see attached file.
GOLDNOW SHOP Billing Team.
Thank you for choosing CCBill as the eMerchant for your subscription!

Also getting returned mime files. Is it possible that with so much spam rerouting that it's picking up viruses along the way before being returned under the fraudulent reply header? More blacklisting

Jeff G.
Posted December 5, 2005

> Is it possible that with so much spam rerouting that it's picking up viruses along the way before being returned under the fraudulent reply header?

What is more likely is the following scenario:

Person A had some interest in maz and/or her cause, domain, or website/forum.
maz's domain name ended up on Person A's computer because Person A browsed to her website/forum, sent her email, or got email from her.
Person A's computer (Computer A) was infected with a worm that sent email with maz's domain as the from or envelope from. This was the primary source.
maz started getting bounces from misconfigured servers that received the primary source's messages. There may not have been many of these.
Spammer A got one of those infected email messages (or possibly scraped maz's domain name or email address from somewhere), and started sending spam with maz's domain as the from or envelope from. This was the secondary source.
maz started getting bounces from misconfigured servers that received the secondary source's messages.
Person B opened one of the infected email messages, infected Person B's computer (Computer B), and Computer B started spewing infected email messages with maz's domain in the from or envelope from. This was the tertiary source.
maz started getting bounces from misconfigured servers that received the tertiary source's messages.
More people opened more infected messages, causing more computers to become infected and spew infected messages, causing maz to get more bounces.
Eventually, the people responsible for those computers or their connectivity to the net will stop the madness. We hope.

maz (Author)
Posted December 5, 2005

Oh what do we have now?

http://www.spamcop.net/sc?id=z836737427zab...ef02747f21b59fz

So I called the number to call the CIA and it's someone's home phone number. Of course I did not open the attachment.

maz (Author)
Posted December 5, 2005

> Eventually, the people responsible for those computers or their connectivity to the net will stop the madness. We hope.

Glad to be of assistance - clean sweeping the internet.

http://www.spamcop.net/sc?id=z836747331z25...1fae2d13fdb32bz

X-Virus-Scan-Result: Repaired 5617 Trojan.Danmec

Archived
This topic is now archived and is closed to further replies.