karlisma Posted April 5, 2006

http://www.spamcop.net/sc?id=z913889139zfb...cee2ef1aa62d0fz
http://www.spamcop.net/sc?id=z913888870z86...d96183dba3d5d2z
http://www.spamcop.net/sc?id=z913889289zab...4ca9d79cc5fb77z
http://www.spamcop.net/sc?id=z913927598zff...d5c3a49d7d3508z
http://www.spamcop.net/sc?id=z913928641z83...ced6e6e1029f68z
http://www.spamcop.net/sc?id=z913890043z30...02e217ecc640cdz
http://www.spamcop.net/sc?id=z913889139zfb...cee2ef1aa62d0fz
http://www.spamcop.net/sc?id=z913931654z86...bc11fa961ca683z

I guess they do it intentionally, starting today.... All spam I got today was basically "the same".

karlisma Posted April 13, 2006

http://www.spamcop.net/sc?id=z919239459za5...72aa2d60e13fc9z
http://www.spamcop.net/sc?id=z919240335zee...23ab2fed141ba3z
http://www.spamcop.net/sc?id=z919241655z0d...e5674bb0cb4233z
http://www.spamcop.net/sc?id=z919237267z87...72f3fd378cc09az
http://www.spamcop.net/sc?id=z919237268ze4...5b7c4901ac2f8cz
http://www.spamcop.net/sc?id=z919237271zea...c885bbdb3d001bz
http://www.spamcop.net/sc?id=z919237275z60...0fb72c1d4e26acz
http://www.spamcop.net/sc?id=z919237276zef...8b0ba797b89741z
http://www.spamcop.net/sc?id=z919257857z73...122ead684ad031z

sanya? Yes same type e-mails with tracking codes to sanya and sender friend, e-mail addresses ending with .biz, contain links to various url, same design viagra/cialis page... and spamvertized site is NEVER, I mean NEVER been tracked, although in browser it opens quite nicely.

And yet again - I know the philosophy, yet do not agree with it. If you have something to promote, the channel can be easily found, if you don't have - no need for channel.

karlisma Posted April 13, 2006

http://www.spamcop.net/sc?id=z919299879z99...16db21b277d1d4z

Wazoo Posted April 13, 2006

Seems like a continuation of the theme ... I've re-read many of your previous posts and the Topics they were in .... most of the issues involved have been covered multiple times, so not sure what you are looking for at this point. I merged your last into the previous Topic you started. Same issues involved for the most part.

For example, the first two items in your second post should never get rendered in an e-mail client (that renders HTML crap) ... Boundary lines missing, mis-identified ... surely you can also notice that there is a distinct lack of cyrillic characters in the text following the charset="koi8-r" designation. Then you can move on to http://www.dnsreport.com/tools/dnsreport.c...in=zealworn.net and note all the failures in the DNS characteristics of this particular domain .... http://www.dnsreport.com/tools/dnsreport.c...in=yarnyell.net shows the same failures .... jumping to the last item in your second post of this Topic, strangely, your spammer seems to be working better at constructing the spam, as the MIME Boundary lines almost come together, but .. still focused on the charset="koi8-r" .. the URL data is same as above.

Once again, the use of Manual Reporting is an option. Philosophies have been discussed in Topics that you've participated in, never mind the others that you probably have not read ... The differences between the SpamCop.net parser, the single-line lookup option, and the personal web-browser have been talked about numerous times before.

This is a user-to-user support Forum for the most part, means and methods to contact "Official" staff are provided.

Wazoo Posted April 13, 2006

> http://www.spamcop.net/sc?id=z919299879z99...16db21b277d1d4z

http://www.dnsreport.com/tools/dnsreport.c...in=viewall.info
Failures Warnings Issues!

04/13/06 05:28:45 Slow traceroute viewall.info
Trace viewall.info (61.180.4.238) ...
202.97.22.26 RTT: 292ms TTL: 64 (No rDNS)
220.177.236.238 RTT: 291ms TTL: 64 (No rDNS)
220.177.236.66 RTT: 289ms TTL: 64 (No rDNS)
61.180.4.238 RTT: 291ms TTL: 43 (viewall.info ok)

04/13/06 05:35:52 dns viewall.info
Canonical name: viewall.info
Addresses: 61.180.4.238

More of the same .... DNS games ... koi8-r lies ...

Farelf Posted April 14, 2006

Seems viewall.info is bad to the bone. Just one of their servers - http://www.spamhaus.org/sbl/sbl.lasso?query=SBL40307 (re 140.128.187.88/32 - cookies may be required to access). Have to conclude there is nothing to be gained by sending them (or authorities) confirmation of what they have already been told in most robust terms. No doubt, in a system of symmetrical justice, the perpetrators would be sitting on short and sharpened stakes but that is not the way it works.

karlisma Posted April 18, 2006

ok. if no need to send, then don't. :0 of course it would be better to see "server is bad to the bone" message than follow with useless discussions about "unpicked links"

charset koi8-r is used mainly because Sanya is russian, and ....and it doesn't say that this charset don't contain latin characters.

and what and why it makes me worry - there are only this particular spam i receive, except for Small Stocks without any links in body. a plus - that spam with yahoo and geocities links is gone now.

Wazoo Posted April 18, 2006

> ok. if no need to send, then don't. :0 of course it would be better to see "server is bad to the bone" message than follow with useless discussions about "unpicked links"

Not sure I follow your "useless" description .. even "your" subject points have ranged from submission problems to spam construct issues ... there has been an attempt to offer some information, education on the specifics ...

> charset koi8-r is used mainly because Sanya is russian, and ....and it doesn't say that this charset don't contain latin characters.

I don't see any need for debate ... my last 'education' phase that involved koi8-r was setting up a "sponsoring Mom's" computer such that her hosted "foreign exchange student" from the Ukraine could talk to her family. My recollection is that switching the system between character sets didn't lend itself to 'rapid typing' on the alternate character set .... one could 'switch' the keyboard layout or use an on-screen type 'select a character' tool, run text through a translator, etc. ... however, I also recall the e-mail structures in my received e-mail that had MIME Boundary lines flipping between character sets, whenever the composer switched the language being typed. I don't claim to be an expert, just basing these results on what experience I do have.

> and what and why it makes me worry - there are only this particular spam i receive, except for Small Stocks without any links in body. a plus - that spam with yahoo and geocities links is gone now.

I'll repeat, most of the samples you've shown shouldn't actually be rendering in an e-mail client, so the work on the spam delivery really should be seen as wasted effort ... unfortunately, there are still too many folks not handling their e-mail securely .... thus back to the educational items mentioned in the first paragraph.

karlisma Posted April 19, 2006

> I don't see any need for debate ... my last 'education' phase that involved koi8-r was setting up a "sponsoring Mom's" computer such that her hosted "foreign exchange student" from the Ukraine could talk to her family. My recollection is that switching the system between character sets didn't lend itself to 'rapid typing' on the alternate character set .... one could 'switch' the keyboard layout or use an on-screen type 'select a character' tool, run text through a translator, etc. ... however, I also recall the e-mail structures in my received e-mail that had MIME Boundary lines flipping between character sets, whenever the composer switched the language being typed. I don't claim to be an expert, just basing these results on what experience I do have.
>
> I'll repeat, most of the samples you've shown shouldn't actually be rendering in an e-mail client, so the work on the spam delivery really should be seen as wasted effort ... unfortunately, there are still too many folks not handling their e-mail securely .... thus back to the educational items mentioned in the first paragraph.

admit it, Sanya is good on stumbling spamcop parser, that's it. And I tried to make Your (spamcop) attention on it. As I noticed - the link parsing problems are occurring much more often, than let's say two weeks ago. If before users were p#%$ed off only by problems with tracing geocities links, now.... it's different, the tool doesn't trace most of the links. These in this post - it traces NEVER.

About rendering these particular e-mails - they shouldn't render but they DO... whether it is Mail.app on MacOsX or Mozilla suite on WinXp. And again - it makes me think that Sanya is good on it, and does it on intent. And he is flooding everything

btech Posted April 19, 2006

Here's a sneaky one that's been dumped into my Hotmail and Comcast accounts lately: "CiTiSMADEU.COM"

http://www.spamcop.net/sc?id=z922995673z9f...953330e1eeb066z

<p align=3D"center"><font face=3D"Verdana, Arial, Helvetica, =
sans-serif" size=3D"4"><b><font color=3D"#FFFFFF">C</font><font =
color=3D"#FFFFFF"><br>
i<br>
T<br>
i<br>
S<br>
M<br>
A<br>
D<br>
E<br>
U<br>
.<br>
C</font></b></font><font color=3D"#FFFFFF"><br>
<font face=3D"Verdana, Arial, Helvetica, sans-serif" =
size=3D"4"><b>O</b></font><br>
<font face=3D"Verdana, Arial, Helvetica, sans-serif" =
size=3D"4"><b>M</b></font></font><br>

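An added example, not part of btech's post and not the SpamCop parser's own logic: one way a filter could recover a hostname that is spelled one character per rendered line, as in the fragment above. The names `LineCollector`, `hidden_domains` and `DOMAIN_RE` are hypothetical, and the sample is constructed from the posted fragment with its soft line breaks restored and some font attributes shortened.

```python
import quopri
import re
from html.parser import HTMLParser

# Constructed sample: the quoted-printable fragment from the post above,
# with its "=" soft line breaks restored and font attributes shortened.
SAMPLE_QP = (
    b'<p align=3D"center"><font face=3D"Verdana, Arial, Helvetica, =\n'
    b'sans-serif" size=3D"4"><b><font color=3D"#FFFFFF">C</font><font =\n'
    b'color=3D"#FFFFFF"><br>\n i<br>\n T<br>\n i<br>\n S<br>\n M<br>\n'
    b' A<br>\n D<br>\n E<br>\n U<br>\n .<br>\n'
    b' C</font></b></font><font color=3D"#FFFFFF"><br>\n'
    b' <font size=3D"4"><b>O</b></font><br>\n'
    b' <font size=3D"4"><b>M</b></font></font><br>\n'
)

# A run only counts if, joined together, it looks like a hostname.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I)

class LineCollector(HTMLParser):
    """Collect visible text, starting a new line at each <br>, <p> or <div>."""
    def __init__(self):
        super().__init__()
        self.lines = [""]

    def handle_starttag(self, tag, attrs):
        if tag in ("br", "p", "div"):
            self.lines.append("")

    def handle_data(self, data):
        self.lines[-1] += data

def hidden_domains(qp_bytes):
    """Return hostnames spelled one character per rendered line."""
    html = quopri.decodestring(qp_bytes).decode("latin-1")
    parser = LineCollector()
    parser.feed(html)
    parser.close()
    found, run = [], ""
    for line in parser.lines + ["--"]:      # sentinel flushes the final run
        text = "".join(line.split())
        if len(text) == 1:
            run += text                     # one visible character: extend
        elif text:                          # longer text ends the run
            if DOMAIN_RE.match(run):
                found.append(run.lower())
            run = ""
    return found
```
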
karlisma Posted April 24, 2006

oh, thanks, SomeOne, up there.... it traces, now.

btech Posted April 27, 2006

http://www.spamcop.net/sc?id=z928628886zf8...eaafff146ff72fz

The parser isn't picking up the link in:

<FONT SIZE="4" COLOR="#0B10E8"><STRONG>LoseTenPoundsInTenDays</FONT></PRE>
<PRE>
<a target="_parent" href="http://healthjunkiered.com">http://healthjunkiered.com</a>

Wazoo Posted April 27, 2006

> http://www.spamcop.net/sc?id=z928628886zf8...eaafff146ff72fz
> The parser isn't picking up the link in:

Did you take a look at http://www.dnsreport.com/tools/dnsreport.c...thjunkiered.com ..????

04/26/06 21:57:04 Slow traceroute healthjunkiered.com
Trace healthjunkiered.com (211.156.120.4) ...

04/26/06 21:57:38 dns healthjunkiered.com
Canonical name: healthjunkiered.com
Addresses: 211.156.120.4

whois -h whois.bulkregister.com healthjunkiered.com ...
Record created date on: 2006-04-25
Domain servers in listed order:
NS1.THISDNSDOMAIN.COM 125.208.3.24
NS2.THISDNSDOMAIN.COM 211.156.120.4

Failure modes:

Mismatched Glue: ERROR: Your nameservers report glue that is different from what the parent servers report. This will cause DNS servers to get confused; some may go to the IP provided by the parent servers, while others may get to the ones provided by your authoritative DNS servers.

Missing (stealth) nameservers: The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests,

Stealth NS record leakage: Your DNS servers leak stealth information in non-NS requests: ..... This can cause some serious problems (especially if there is a TTL discrepancy). If you must have stealth NS records (NS records listed at the authoritative DNS servers, but not the parent DNS servers), you should make sure that your DNS server does not leak the stealth NS records in response to other queries

on and on ....

Yet another spammer playing DNS games .... if you want to get upset about it, do your own Manual Report .....

btech Posted May 1, 2006

http://www.spamcop.net/sc?id=z932362576zeb...06f5473a6c8d08z

Here's one that really annoys me. There are unrelated links in the message, but people are still reporting those links. It's the spammers outsmarting the reporters, by the reporters not using their brains. :angry:

StevenUnderwood Posted May 1, 2006

> It's the spammers outsmarting the reporters, by the reporters not using their brains. :angry:

How are they "outsmarting" the reporters? Both links are found in a spam message and are therefore, by definition, spamvertized links. The search engine link may or may not be sponsoring part of this spam run. I have received spam with only links to similar pages. That is something I would leave up to the ISP's involved to investigate. If they determine the link is innocent, they can respond as such and no further reports will be received.

btech Posted May 2, 2006

That's a valid point, but unless we report the links that are directly involved with the spammer and fraud, we're just sending reports to ISPs and hosts that don't need to be sent. I would think that those types of reports will only trivialize the SpamCop report to these people and they may not want to take action on a report that IS valid.

Honestly, if you see "msnbc.com" spamvertized in a message (I've seen 2 in the past few weeks) are you going to report it? I certainly won't... it's not MSNBC's fault a spammer is sending out messages with their address on it, to try to mask another spam site that commits fraud.

turetzsr Posted May 2, 2006

> <snip> Honestly, if you see "msnbc.com" spamvertized in a message (I've seen 2 in the past few weeks) are you going to report it? I certainly won't... it's not MSNBC's fault a spammer is sending out messages with their address on it, to try to mask another spam site that commits fraud.

...And I'm not blaming them, I (through the SpamCop parser notifications) am following the Golden Rule and letting them know about it so they can take action, if they wish.

btech Posted May 2, 2006

> ...And I'm not blaming them, I (through the SpamCop parser notifications) am following the Golden Rule and letting them know about it so they can take action, if they wish.

But what action can one take if their site is used, but totally unrelated to a spam message? I don't know, but personally, I'd feel weary if my host started to get SpamCop reports from people, because one of my websites was stuck in a message sent out about Hoodia or mortgages. I'm sure my host would understand, but it would probably annoy them, for certain.

Telarin Posted May 2, 2006

I would definitely want to know if my site was being listed in spam messages so that I could put a clear disclaimer on the front page letting people know that we were not sending them spam and were not in any way associated with the messages. At the same time, a larger company with the resources might even want those reports as evidence in the event that they wanted to attempt legal action against the spammers.

Wazoo Posted May 2, 2006

> But what action can one take if their site is used, but totally unrelated to a spam message?

Tag the item as an "Innocent Bystander" to stop future reports. Get excited enough to put up a warning blurb on the site to let folks know that the spam is crap. Get that ISP to ISP thing working .... Feeling froggy and rich ... turn the lawyers loose ....