Amazing reduction in Spam


MikeJT

It's always possible to search using inurl:googlepages.com and parse the resulting pages for addresses - does your site come up through that?

Edit - You can also try site:googlepages.com and search through the 'about 144,000' results for your site.

No, it's not in either of those searches. You can actually modify those searches like this:

inurl:googlepages.com nazanin

inurl:nazanin.googlepages.com

site:googlepages.com nazanin

site:nazanin.googlepages.com

all of which pull up the various "nazanin" stuff on googlepages, but using my userid, none of those pulled up my little site. I don't think it was harvested that way....might have to take your prize back. :-)

DT

<snip>

The scientific approach is all about the identification and control of the variables.

<snip>

...And please bear in mind that there are a class of variables none (well, almost none) of us will be able to control: what our e-mail providers and ISPs do to reject spam and other actions to which we are not privy.

Miss Betsy;

It is not so much that masses of people reporting that will do the good. It is the masses of people who understand that blocklists are the best weapon against spam that will change the tide.
[Miss Betsy]

Persuading (one’s) local media to campaign on spam issues might be as effective a weapon; eh?

Informing Joe Q. Public in a way that doesn’t require he register in a graduate degree in arcane technology just as a prerequisite to fighting spam, in addition to tasking (threatening?) him with actually having to report a couple of dozen/hundreds of spam every time he boots up, would go a ways to mitigate the evil. Every technical solution I’ve seen is just 24 hours (times may vary in your area) away from some spammer finding a work-around. For every “Zero” there is a countervailing “One”; and so on up the chain.

Advertising gets people to buy; unless I've been misinformed. Enlisting the media to help persuade people to NOT buy anything spammed to them would be a challenge that has a reasonable chance of having a significant effect. And that is only one ‘hook’ that could/should be included in such a campaign. Lawsey, there are dozens more. Similar to some “fails to boot” problems with Windows, sometimes it makes sense to step outside “the program” to get things started again. Trying to staunch spam by working almost exclusively in/on/by the internet is subject to the cliché about lifting oneself up by one’s own bootstraps in addition to the bigger problem of getting enough people to follow procedures they don’t understand and don’t want to spend the time doing.

When it comes to technical matters, even the simplest and most mundane procedures are bound to fail on a large scale. For instance; we have had microwaves in the house for more than 20 years; roughly a generation. Truth be known, my wife is probably smarter than me, but during the entire microwave era, she still always asks me, “What temperature should I set it at for ...?” despite the optical fact that the buttons she pushes are inscribed, and all the LEDs display, “Time”. We love to laugh together about this; except me. Those of you who have had a Chicken Cordon Bleu cooked at “350” in a nuker routinely plopped on your dinner plate by your beaming spouse will understand my mirth.

David;

I could use a little clarification regarding your spreadsheet...I'm not entirely sure what all the columns represent. You wrote that prior to the start date of 18 June, that you were "getting about 10-35 a week spread over 3 email accounts" and yet in the tables, I see a "Total" of 351 for the first week...is that the total emails received (both good and bad) across the three accounts? What is meant by the "X-PLICIT" column? Sorry if I'm being a bit dense.

The “Total of 351” is spam only for those 3 accounts.

“X-PLICIT” refers to spam my ISP receives from “geocities”. They always have the subject line beginning, “SEXUALLY EXPLICIT”. The spam originates on a server in Ukraine that used to be owned by Leo Kuvayev before he sold it, and a few hundred more, to a different group working out of Toronto. They, fortunately, have less ambitious aspirations and have toned down the subject line text.

LK was mailbombing me with (ball park total) 5500 of these in 8-9 months until Jan. And the subject line suffixes that appeared in his spam were always gruesome; so much so that I made him my project. A few articulated “Child Porn” references, a somewhat larger %age spoke of “Bestiality” and all of them used terms and descriptive phrases I found offensive; way beyond my threshold of tolerance. And I don’t mean just “four-letter” words and naughty stuff; I’m talking “grim”. The thought that many of these subject lines from his indiscriminate spewing were appearing before the eyes of children all over the world upset me a lot. The numbers you see are included in those under the “Home” column. I just want to keep an eye on them.

I don't think that the immediacy of a reporting action should have any effect on the issue at hand

I know. There isn’t much I can think of that is objective/measurable about my reporting bh and changes in it. I mentioned it with the erroneous supposition in mind that reporting bh might somehow be associated with an increase in spam … from the more realistic perspective that an increase in spam is apt to change our perceptions of, and sensitivity to, the variations and how aggressively some of us might report it. Not to make an ‘oer’ subtle point; but, I don’t mind getting spam; I do mind having to deal with it.

But, to a large extent, dealing with it is my (our) choice. With the right programs & applications, and a properly configured O/S, all it would take is a couple of clicks a day and ‘poof’ no problem; … the oft proffered solution touted by your friendly neighbourhood spammer.

I don’t believe there is any more cause & effect relationship between reporting spam and getting spam than there is between washing the car and rain. If it rains, you might resent having to wash the car; but if you wash the car just to make it look nice, it isn’t going to make it rain … although you might be advised to put the top up, just in case.

Are you saying that you're "living dangerously" by allowing Thunderbird to load remote images when opening email messages? I strongly suggest that you consider activating the following useful option:

No; I’m not suggesting that at all. Many email harvesters and spammers include in the header:

“Return-Receipt-To: <email-address>”, or:

“X-Confirm-Reading-To: <email-address>”

Just by “previewing” such a spam, or by opening it (as I did accidentally), can cause a “delivery confirmation” or a “reading confirmation” to be returned to the sender. T-Bird has a check box and variable “offset” time option that, supposedly, gives the operator a short time to interdict this response if such a SOTF is committed. I just don’t know for certain if this actually succeeds.

…because your address would probably be sitting on the computers of third parties (friends, strangers, etc.) whose computers could be compromised at any moment…

Don’t I know it!!! THAT was how LK got my addie in the first place. I had just got my first PC (Feb 2004) and it took me 6 months to figure out how/why the heck I was getting slimed by his filth. When I found out who had got infected …. well, let’s just say he had a lot of “‘splainin’ to do”.

Again, I was just trying to be objective. As y’all well realize, the account in question was active prior to me rendering it mordent. So, that is the context in which it should be viewed by anyone making comparisons.

Wazoo;

Ta for the bumph on the “Forum” versus “Reporting” accounts. Just based on the way my setup fell together, I assumed all reporting was supposed to be vetted through one (default) account. I happen to have remote accounts such as gmail auto-routed to my ISP accounts, so I report everything from there. Incidentally, I do use my gmail account sparingly, but in the 10 months I’ve had it, nary a spam!

Nuts; I just looked out and it’s starting to look like rain.


...And please bear in mind that there are a class of variables none (well, almost none) of us will be able to control: what our e-mail providers and ISPs do to reject spam and other actions to which we are not privy.

Truer words were never spoken ... er written. Not only uncontrollable at the account level (by definition) but ISP action appears to be the great unknown, generally unheralded in its introduction and modification these days (which is a worry on several counts) and very likely the cause of much of the relative freedom from spam on some accounts. And for a "variable" mail experience all around (thinking of spam coming in but apparently evaporating when trying to forward the stuff to another account and so on).

The “Total of 351” is spam only for those 3 accounts.

During the one week of June 18-25? You wrote earlier that "Prior to then [the week just named], I was getting about 10-35 a week spread over 3 email accounts." And then it jumps around 1,500% the week you start reporting? I'm sorry, but that's ridiculous. What was your method of reporting? Was it done by pasting the source of the spams into the SpamCop parser? SpamCop munges the outgoing reports, hiding any obvious references to your address. How would your addresses suddenly be attacked so viciously and suddenly? You also wrote about some rather specific spamming earlier on....the "mailbombing"....there seems to be more to this story...maybe your mailbombers sold their address list to spammers who coincidentally started using it during your reporting activity....that would explain the extreme jump.

There isn’t much I can think of that is objective/measurable about my reporting bh and changes in it.

"bh"? Is that "by hand," as in manually, outside of the SpamCop system? If so, your manual reports probably were falling into the wrong hands....you pissed someone off, or proved your addresses to be "good." Once you go outside the conventional SC reporting system, all bets are off, unless you're *extremely* well versed in the art of munging and also knowing who *not* to contact.

Many email harvesters and spammers include in the header:

“Return-Receipt-To: <email-address>”, or:

“X-Confirm-Reading-To: <email-address>”

Um...no, they don't. Not sure where in the world you got that idea, but spammers don't want to reveal an actual return address at all, or they'll likely suffer negative consequences. I just searched my current inbox of almost 1200 messages....not a single hit on "X-Confirm" and only four on "Return-Receipt" and they were all from the same idiot in Israel who thinks it's the end of the world monetary system (very tinfoil hattish). I then turned to my special archive folder of spam and spam-related messages that go back to 1999....no hits on either. Usually the only people who use those tags are indeed legitimate correspondents.

WRT Thunderbird and return receipts, however, I'll point you to *another* setting that will protect you...the global setting for what to do with receipt requests:

Options: Composition: Return Receipts: "When I receive a request for a return receipt:"

Yes, they hid this option in the "Composition" section, which is a bit stupid, but there it is, and you can tell Thunderbird how you want to deal with *incoming* messages containing them.

DT


Not only uncontrollable at the account level (by definition) but ISP action appears to be the great unknown,

As reflected in my spam count (Dec 05-Jan 06, Mar 06, Jul 06). I would spot missing email, spamcop reports being blocked, etc. When I called my ISP they would find a new email filter or one the tech didn't know about. It was a revelation that no one knew about all the filters on the system.

The more I know the more I am aware that NO one paid attention in those configuration management classes.

Miss Betsy I don't see any weekend-spammer effect like you suggested, do you?

The number of Pump & Dumps does seem to be trending up this month, but this could only be a long cycle.

As a group the "OEM software" folks don't seem to respond to click-throughs. Don't bother to flame me on this, but I go to all software offer sites. After reporting several software sites, MS asked me if I had any info on the site so I started going to the link to get names, addresses etc. in case the link was broken by the time MS checked.

Anyway, as you can see there are only a few SW spam with fairly random daily levels. It may be possible that as a group they are scrubbing their list (I look but never buy). Anecdotally the level of SW offers has been much higher in the past, e.g. 10-15 a month as I remember.

So before we get to the end of the month, how long do you think we should continue this non-reporting bit? Of course it would have been nice if we had two domains with similar histories for a compare and contrast but we got what we got. But it occurs to me if there is something to be learned by a longer break in reporting now would be the time to check it. If we start reporting it will take a month to get to back to where we are now. My original plan was to not report and count this month then report and count during Nov.

Going to be on the road the end of the month and don't know what my access will be. Data may get a little rough and late.

Lou


Farelf;

...And please bear in mind that there are a class of variables none (well, almost none) of us will be able to control: what our e-mail providers and ISPs do to reject spam and other actions to which we are not privy.

There are many more variables than that, don’tyathink?; too many to deal with even if we were writing a book; well, one we could sell for money. Software, d/l’d applications, operator’s habits (including flubs) up and down the chains, spammers’ techniques, Registrar AUPs and how they are applied, regional legislation….

Even trying to summarize or generalize in this wise leaves a body open to appearing underinformed or narrow-minded. If one or two things are cited just for illustration, there are dozens of equally pertinent qualifiers and corollary issues that instantly come to mind.

I’m thinking that many of the “variables” eventually will involve “internet neutrality” issues when it comes to trying to control activities that involve internet marketing, freedom of access, freedom of speech ….. and spam.

I’m also thinking that one of the most impressive variables, by virtue of its impact, are Windows O/Ss and other software. On one hand, Windows is arguably the biggest single factor because it is so vulnerable to spammers/hackers, worms, viruses; and like that. On the other hand, MS maintains ‘ginormous’ legal and technical staff deployed in the fight against many forms of internet abuse, including UBE. I submit: that observable fact alone makes a pretty good argument when trying to make the case that the attempt to seriously mitigate spam from just within the technical community has not been succeeding; unless you have an abnormally low threshold of satisfaction.

If crime rates increased like spam rates over the last 2 years alone; there’d be a revolt. The whole world would be in a state of anarchy. (And no my erudite little buddy; don't let's go there right now ;-))

As I think over all the things I have been able to find and try to identify something that suggests an approach that just might have more success than what I’ve been seeing, and a strategy that uses existing resources with a proven track record, getting the media to dissuade John Q from buying anything spammed at them has a lot of instinctive appeal to me. If JQP doesn’t buy; many spammers and internet gangsters and fraudsters can’t do business. It doesn’t take an Adam Smith or John Maynard Keynes to understand that. The leverage available from reducing the consumer base for spammed items is substantial. There really isn’t much leverage in trying to reduce spam traffic; even if a body does manage to take down an entire IP Block every once in a while. It’s like throwing spears at someone squatting behind a “Phalanx” machine gun battery.

David;

"bh"? Is that "by hand,"
BeHavior.

And then it jumps around 1,500% the week you start reporting? I'm sorry, but that's ridiculous.

I didn’t make that at all clear; I apologize. The 10-15 a week I cited refers to the “Daily” column. I should have said something like, “10-15 a day based on weekly averages”.

…and they were all from the same idiot in Israel..

Well; what does that tell you about random sampling techniques? Be cool; I am blissfully underinformed on many aspects of the SMTP world, but I’m not an idiot …. although I sometimes wonder if I don’t have the occasional “Alzheimer’s Moment” from time to time. ……. now what was I saying ??? Oh yes:

Um...no, they don't. Not sure where in the world you got that idea…”

There are many sources; some of them even credible. Here’s one.

http://www.private.org.il/harvest.html

In addition, 5 minutes on any Windows ng since Windows 95 will give you ample posts substantiating the need to make certain the preview pane is deactivated for just this reason.

WRT Thunderbird and return receipts, however, I'll point you to *another* setting that will protect you...the global setting for what to do with receipt requests:

Thunderbird’s “Global Setting” is a bad idea for my needs; and most peoples’ I think. There are several reasons, not the least of which is "The Bird's" blamed twitchiness, but the main one for me is that when/if T-Bird crashes, the prefs.js and .sbd folders in the Profile can get irretrievably befouled/lost. For folks with a lot of “remote” email client accounts, this feature is very useful. I only have 3 of that article. Two of the moderators on the Moz T-Bird forum I know usually dissuade people from using it unless they have a real need for it and who have a tight schedule for doing backups; like daily.

Yes, they hid this option[response offset] in the "Composition" section..

Yes; but: can we rely on it? Since I can’t state conclusively that I didn’t accidentally provide “hits” to some spammers, I feel it needs be a noted qualifier for anyone contemplating the possible whys and wherefores of the increases in spam my spreadsheet shows. Especially; for those very “special” people who have arrived at that exquisite state of dead certainty that the numbers can only mean reporting to SC causes more spam; eh?


... There are many more variables than that, don’tyathink...
Yes (assuming the subject/object is the number of variables and not my cogitative state though an unkind critic might note the affirmative case could be convincingly argued for either).

Yes (assuming the subject/object is the number of variables and not my cogitative state though an unkind critic might note the affirmative case could be convincingly argued for either).

Nottage Hill does make a delightful Shiraz; eh? Pre-prandial, that is. I like to go with the Wolf Blass 'après goût'.


Persuading (one’s) local media to campaign on spam issues might be as effective a weapon; eh?

Informing Joe Q. Public in a way that doesn’t require he register in a graduate degree in arcane technology just as a prerequisite to fighting spam, in addition to tasking (threatening?) him with actually having to report a couple of dozen/hundreds of spam every time he boots up, would go a ways to mitigate the evil. Every technical solution I’ve seen is just 24 hours (times may vary in your area) away from some spammer finding a work-around. For every “Zero” there is a countervailing “One”; and so on up the chain.

Advertising gets people to buy; unless I've been misinformed. Enlisting the media to help persuade people to NOT buy anything spammed to them would be a challenge that has a reasonable chance of having a significant effect. And that is only one ‘hook’ that could/should be included in such a campaign. Lawsey, there are dozens more. Similar to some “fails to boot” problems with Windows, sometimes it makes sense to step outside “the program” to get things started again. Trying to staunch spam by working almost exclusively in/on/by the internet is subject to the cliché about lifting oneself up by one’s own bootstraps in addition to the bigger problem of getting enough people to follow procedures they don’t understand and don’t want to spend the time doing.

I submit: that observable fact alone makes a pretty good argument when trying make the case that the attempt to seriously mitigate spam from just within the technical community has not been succeeding; unless you have an abnormally low threshold of satisfaction.

I’m thinking that many of the “variables” eventually will involve “internet neutrality” issues when it comes to trying to control activities that involve internet marketing, freedom of access, freedom of speech ….. and spam.

I watched a show last night about 'internet neutrality' issues. The problem, IMHO, seems to be that, like the railroads in the old west, the ones who are 'building' the internet want complete control of everything. Also, IMHO, the solution of internet neutrality lies in getting John Q. Public to understand the issues - which include spam. The fact that the technical community has not been able to control spam is because the marketing community has seriously hampered their ability to use blocklists because the clients and customers get upset at having their precious email rejected. If the thousands of Comcast customers understood that the company they use to access the internet also allowed numerous zombies to spew porn spam, they might just get indignant and be willing to listen to simple instructions on how to be a good netizen.

It isn't really that difficult to understand the concepts - except that the techies want to tell you lots more than you need to know so it all seems hopelessly confusing. A good PR person could promote both good internet practice and the 'good' side of the freedom of the internet. However, PR people want to get paid and internet access companies would rather spend their money on PR to promote their products.

An ISP trade association that promoted 'internet neutrality' and also blocklist support could go a long way in educating the public. The only ISP trade associations that I found (several years ago) were dominated by the 'big guys' or too much concerned with more mundane issues, like bandwidth prices, to be interested.

spamcop had the opportunity to be a non-profit and to enlist the support of those interested in 'internet neutrality' and spam control to educate the public, but Julian decided to take the for-profit corporate route.

It is all very interesting to see how the 'internet society' is shaping up. There are both freedom and economic factors at work.

And, to change the subject, I have not been scientific about it, but it seems to me that there is more weekend spam - and particularly the kind that comes in a spammer package. Also the ones that still have the 'random words' line in the subject where the newbie hasn't figured it out yet seem to come in the evenings and weekends. There is a guy named Sheets who has touted a sure-fire money making scheme offline (but also with half hour infomercials on TV) for years. Basically what it is, is that you buy a house in the need of repair as cheaply as possible, fix it up, and sell at a profit. Like anything else, it requires knowledge of construction, real estate, and financing - and most importantly, lots of sweat, to make it work. He makes his money selling the 'course' which most people never read past the 'work' involved. Some, however, read far enough that they bother legitimate real estate with stupid questions and demands. Although it is just a hunch, I expect that the same people who buy the course from Sheets also buy spammer packages and last about as long as most of his students at working at it.

I am not at all convinced that anyone still makes money from selling spamvertized products - I think most of the money is in the 'how to spam and be rich' kits and in really criminal activities (or borderline as in the 'genuine' Rolex watches and the stock spam and porn) as well as selling lists. These kinds of spam are going to continue (some have been around for years and are just adapted to the internet), but decent people need to know that they don't have to receive most of it by demanding that their ISPs reject at the server level. Or they can pay a premium and receive everything.

Miss Betsy


There are many sources; some of them even credible. Here’s one.

http://www.private.org.il/harvest.html

Oh my, no. Much of his information is extremely out of date. I see that he's been maintaining this as a "FAQ" which is posted to various newsgroups, including NANAE, but after reading through it, I had to laugh...nobody "fingers" systems for information on users any more. That's of the same vintage as "gopher" and other pre-web stuff. I'm not impressed by Mr. Raz's information, having myself been active in this "scene" since the very first spam runs. In fact, in my experience, Israel (where Mr. Raz lives) is *way* behind the curve when it comes to "things Internet." I once had my web hosting at a company that, when they lost the license to the control panels they were using, bought into a hosting system programmed in Israel, and what a MESS that was! But I digress...

No, the overwhelming majority of spammers are no longer putting "return receipt" requests into the email headers. I can state that with a very high level of confidence. They simply can't get away with that any more.

In addition, 5 minutes on any Windows ng since Windows 95 will give you ample posts substantiating the need to make certain the preview pane is deactivated for just this reason.

No...IIUC, the two primary reasons for not using a preview pane are:

1. "Web bugs" -- links to transparent gifs on a remote server in the HTML portion of a message that "phone home" to that server and that are coded in such a fashion as to act in a similar fashion to the old "return receipts" that you're talking about. However, as I've mentioned, most of the current versions of PC-based email programs have given users the option *not* to load remote images from untrusted senders. Even in the AOL interface, a warning window pops up when such things are present in an email, and suggests that the user NOT allow the message to load with the remote images.

2. Nasty scripts, executable attachments, and the like, such as the messages spread by worms. However, those have become FAR less numerous, now that many ISPs are using port 25 blocking, outbound virus filtering, and other techniques, as well as the inbound virus filtering that occurs on many systems. They're not extinct by any means, but after years of dealing with that kind of crap, I rarely see one any more.

Those, and related issues, are the historical problems with preview panes....not actual return receipts....and this isn't a YMMV issue....it's the current situation...Mr. Raz and others are living way in the past.

DT


No, it's not in either of those searches. You can actually modify those searches like this:

inurl:googlepages.com nazanin

inurl:nazanin.googlepages.com

site:googlepages.com nazanin

site:nazanin.googlepages.com

all of which pull up the various "nazanin" stuff on googlepages, but using my userid, none of those pulled up my little site. I don't think it was harvested that way....might have to take your prize back. :-)

DT

Oh well - easy come easy go. :lol:;)


Hi DT;

I always appreciate learning from someone who knows a lot more about this venue than me. So, thanks for pointing me in the (your) more current direction and sharing your perspective.

If I understand your basic premise, it is: “hits” back to spammers can’t be effected by opening spam email; either on purpose or by accident; web bugs and other nasties notwithstanding.

In order for me to completely surrender my quaint notion that such is the case, I would like to hear you develop a theme that ties together three things; two of which are contained in your last post.

No, the overwhelming majority of spammers are no longer putting "return receipt" requests into the email headers. I can state that with a very high level of confidence. They simply can't get away with that any more.

<SNIP>

That's of the same vintage as "gopher" and other pre-web stuff. I'm not impressed by Mr. Raz's information, having myself been active in this "scene" since the very first spam runs. In fact, in my experience, Israel (where Mr. Raz lives) is *way* behind the curve when it comes to "things Internet."

I underlined the parts that especially interest me.

The third thing is “Spammer Rule # 3”.

That should about do it for me; if you’re inclined to oblige.


Dave;

I don’t want to unfairly influence your treatise; the which shall no doubt bring us all (including the periwigged Mr. Raz) up to date as per your earlier comments:

Oh my, no. Much of his [Mr. Raz] information is extremely out of date. I see that he's been maintaining this as a "FAQ" which is posted to various newsgroups, including NANAE, but after reading through it, I had to laugh...

<SNIP>

I'm not impressed by Mr. Raz's information, having myself been active in this "scene" since the very first spam runs.

… but, here’s a snippet from a spam I received Oct 5 that you might like to reference during the production. I have 11 more that feature the DNT or DNR and all are professed to be sent from T-Bird mailers. The use of T-Bird is unusual; although I have those 11 that I happened to notice and collect for curiosity’s sake since June 1.06. I can’t decide if the spammers are deliberately forging this, or whether the mailers just happen to be on the infected(?) computers. I'm counting on you to have an answer.

From - Thu Oct 05 22:36:23 2006
X-Account-Key: account4
X-UIDL: 1160100644.6132_2477836.mx4
X-Mozilla-Status: 0004
X-Mozilla-Status2: 08010000
Received-SPF: none (No spf1 record for (micnik.com) ) client-ip=60.2.77.102; envelope-from=<stafordcad[at]micnik.com>;
X-Default-Received-SPF: fail (Last token {-all} (res=FAIL)) client-ip=60.2.77.102; envelope-from=<stafordcad[at]micnik.com>;
Received: from cengh (unverified [60.2.77.102])
    by mx.dccnet.com (DCCNet Email Cluster4) with ESMTP id 29407369
    for <x>; Thu, 05 Oct 2006 19:10:42 -0700
Return-Path: <stafordcad[at]micnik.com>
Message-ID: 005701c6e8e5.57831100.c45fc0a8[at]rey
Disposition-Notification-To: phelia gennifer <stafordcad[at]micnik.com>
Date: Fri, 06 Oct 2006 01:18:34 +0000
From: phelia gennifer <stafordcad[at]micnik.com>
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: leoline garnet <x>
Subject: Sweeter tasting sperm
Content-Type: multipart/alternative;
    boundary="---------00000042.01C6E8E5"
X-ORBS-Stamp: Spamcop, http://spamcop.net/w3m?action=checkblock&ip=60.2.77.102
X-Rcpt-To: <x>
X-SpamDetect: *****: 5.000000 Poly=1.0,SPF Default Fail=1.0,Sender's IP was on Spamcop RBL=3.0
X-NotAscii: charset=us-ascii
X-IP-stats: Incoming Last 0, First 0, in=2, out=0, spam=0
X-External-IP: 60.2.77.102
Status: U
X-UIDL: 1160100644.6132_2477836.mx4

This is a multi-part message in MIME format.

-----------00000042.01C6E8E5
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

<actual spamload deleted by Wazoo>

<SNIP>

Poking around often leads me to things that probably don’t mean anything, and this DNT fits the bill.

https://secure.registerapi.com/dds2/index.p...y=5&=submit

stafordcadmicnik.com AVAILABLE

The return receipt address is not registered to anyone as you can see. I have to ask myself; “What was the point?”. Until I get a grasp of some questions like this, I remain very paranoid and very constrained about how I handle spam.


I don’t want to unfairly influence your treatise; the which shall no doubt bring us all (including the periwigged Mr. Raz) up to date as per your earlier comments

Do I perhaps detect a slight edge of sarcasm in your tone? :-)

I have 11 more that feature the DNT or DNR

I understand "DNT" (Disposition-Notification-To) but what is "DNR"? Earlier, you specifically cited:

“Return-Receipt-To: <email-address>”, or:

“X-Confirm-Reading-To: <email-address>”

but now you're expanding that list. Interestingly enough, Mr. Raz doesn't seem to know about "Disposition-Notification-To:" -- it's not on that FAQ page you cited, which is further evidence that he's not up to date....if return receipts were even an issue in spam, which I contend that they no longer are. I scanned my current SC Held Mail folder and archived spam on my PC and didn't find any containing "Disposition-Notification-To" -- you seem to get some different flavors of spam than I do.

I can’t decide if the spammers are deliberately forging this, or whether the mailers just happen to be on the infected(?) computers. I'm counting on you to have an answer.

This one is easy....it's forged. The spam seems to have originated from an IP in China (big surprise!) and all those references to a return address at "micnik.com" are simply forged. Unfortunately, I suspect that the innocent domain in question is using a "catch all" email system (I sent to several test addresses and they didn't bounce back), so they might be getting randomly victimized by spammers, which is all too common.

stafordcadmicnik.com AVAILABLE

The return receipt address is not registered to anyone as you can see.

HUH? the domain is most certainly registered, and it's got a website...that of an "Author, educator, and professional musician" who writes books and does workshops, assemblies, etc. for schools and teachers. It looks like you combined the forged username with the victimized domain name and came up with a whole new, but irrelevant, domain.

Not sure how I'm going to come up with time to respond to your earlier questions if you keep me busy with silly stuff like this. :-)

DT

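The header triage DT has just done by eye, as an added example in Python; it is not code from any post in this thread. It assumes the header sample quoted earlier, re-typed here with the forum's "[at]" reversed to "@" and the body and subject omitted, and it treats mx.dccnet.com (the receiving MX in that sample) as the only hop whose Received: line can be believed. The trusted-suffix parameter, the finding texts and all function names are the example's own choices, not anything the thread or SpamCop provides.

```python
import email
import email.utils
import ipaddress
import re

# Constructed sample, re-typed from the header block quoted earlier in the
# thread with the forum's "[at]" obfuscation reversed; body and subject omitted.
SAMPLE = (
    "Received-SPF: none (No spf1 record for (micnik.com) ) client-ip=60.2.77.102;"
    " envelope-from=<stafordcad@micnik.com>;\n"
    "X-Default-Received-SPF: fail (Last token {-all} (res=FAIL)) client-ip=60.2.77.102;"
    " envelope-from=<stafordcad@micnik.com>;\n"
    "Received: from cengh (unverified [60.2.77.102])\n"
    "\tby mx.dccnet.com (DCCNet Email Cluster4) with ESMTP id 29407369\n"
    "\tfor <x>; Thu, 05 Oct 2006 19:10:42 -0700\n"
    "Return-Path: <stafordcad@micnik.com>\n"
    "Message-ID: <005701c6e8e5.57831100.c45fc0a8@rey>\n"
    "Disposition-Notification-To: phelia gennifer <stafordcad@micnik.com>\n"
    "Date: Fri, 06 Oct 2006 01:18:34 +0000\n"
    "From: phelia gennifer <stafordcad@micnik.com>\n"
    "User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)\n"
    "MIME-Version: 1.0\n"
    "To: leoline garnet <x>\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "(body omitted)\n"
)

# Headers that ask the recipient's mail client to send something back to the sender.
RECEIPT_HEADERS = ("Disposition-Notification-To", "Return-Receipt-To", "X-Confirm-Reading-To")


def unfold(value):
    """Join RFC 5322 folded continuation lines into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def receipt_requests(msg):
    """Map each receipt-request header present to the bare address it names."""
    found = {}
    for name in RECEIPT_HEADERS:
        value = msg.get(name)
        if value:
            found[name] = email.utils.parseaddr(unfold(value))[1].lower()
    return found


def origin_ip(msg, trusted_suffix):
    """Walk Received: headers newest-first and return the client IP recorded by
    the first hop run by our own infrastructure (matched on the 'by' host).
    Every Received: line below that hop was written by the sender and can say
    anything at all."""
    for value in msg.get_all("Received", []):
        line = unfold(value)
        by = re.search(r"\bby\s+([A-Za-z0-9.-]+)", line)
        if not by or not by.group(1).lower().endswith(trusted_suffix):
            continue
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
        if ip:
            return ipaddress.ip_address(ip.group(1))
    return None


def spf_result(msg):
    """First token of Received-SPF: pass, fail, softfail, neutral, none, ..."""
    value = msg.get("Received-SPF")
    return unfold(value).split(None, 1)[0].lower() if value else None


def header_domain(msg, name):
    """Domain part of the address in the named header, or None."""
    addr = email.utils.parseaddr(unfold(msg.get(name, "")))[1]
    return addr.rpartition("@")[2].lower() or None


def triage(raw, trusted_suffix="dccnet.com"):
    """Summarise what the headers verify and what they merely claim."""
    msg = email.message_from_string(raw)
    ip = origin_ip(msg, trusted_suffix)
    spf = spf_result(msg)
    from_domain = header_domain(msg, "From")
    receipts = receipt_requests(msg)
    findings = []
    if spf in ("none", "fail", "softfail") and from_domain:
        findings.append(f"{ip} is not authorised to send for {from_domain} (SPF {spf}); "
                        f"treat every {from_domain} address in the message as unverified")
    for name, addr in receipts.items():
        findings.append(f"{name} asks for a receipt to {addr}; sending one would "
                        "confirm this mailbox to whoever reads that address")
    return {"origin_ip": ip, "spf": spf, "from_domain": from_domain,
            "receipt_requests": receipts, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print(line)
```

Run it as a script to print the findings. The trusted-hop walk is the point the thread keeps circling: anything below the first Received: line written by your own MX, including Return-Path, Disposition-Notification-To and the Thunderbird User-Agent, is sender-supplied text, and an SPF result of none or fail means nothing vouches for the micnik.com addresses.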

David;

Do I perhaps detect a slight edge of sarcasm in your tone? :-)

I hope not. Perhaps a feeble (failed?) attempt at self deprecation. I spend most of my time fumbling about in this field feeling very much like I do when I’m having that recurring dream about trying to find the examination hall in university to write a final I didn’t study for, or attend the lectures; … seriously.

I understand "DNT" (Disposition-Notification-To) but what is "DNR"? Earlier, you specifically cited:

Perhaps I should have bracketed “DNR” (Disposition-Notification-Request). I was alluding to the fact that some sources still use this acronym, and some ISPs still recognize it, even though it is now non-conforming. I came across MDN (Message Disposition Notification) in some of my readings; too. This is your ‘metier’, not mine. I assumed you would apply the appropriate interpretation. When one knows as little as me, it’s easy to make such an assumption.

you seem to get some different flavors of spam than I do.
There you go. Generalizing about anything in this field is like generalizing about women; … out loud.

In the context of this discussion, and being an unabashed neophyte in this field, you can understand why I am cautious about making assumptions about what some spammer might put in his headers; either on purpose, or in keeping with Spammer Rule # 3. Cutting-edge programmers (e.g. Barnu Rapatska), spammers and email addy harvesters are always ahead of the curve, unless I am mistaken. Some ISPs and some mail hosting services practice extraordinary things when handing off email, and some zombie machines are not only controlled by spammers, but many are owned by them; which means they can configure them any way they wish.

Remembering a thread I saw (circa 2004) between some procmail users, … they had discovered a ‘wow’ when watching mail downloading to their PC’s client that puzzled them. The “Sent” folders were briefly flashing [1] during d/loads but when the folders were checked, they were empty. The upshot was: at some point, their client mail programs had acquired a “Rule” i.e. “Generate Return Receipt v1.1”. Same time; somewhere in the chain of handoffs, the Return Receipt header was being scrubbed off. If this be a matter of poor configurations at procmail, client server account settings, or the ISP, so be it. But (to me) that is just another way of saying “by accident”.

I appreciate the fact that this instance occurred during the d/load from their servers and not a result of opening email, but to me it points to the issue that the protocols affecting ‘return/receipt notifications’ , by whatever term may be in fashion for the day, are subject to manipulation as well as mishandling. Since this header can be inserted in the forgeable (forgettable?) part of the header, where RFC 3798 and RFC 3464 are observed only gratuitously, and since I have no control over what my ISP or remote email clients are doing/undoing/misdoing, just where would y’all suggest I put my trust that it is not possible to send a “hit” back to someone I would probably want to hit, if I had the chance? I can be convinced otherwise, and be grateful for the education; it’s just for the nonce I’m opting to leave my spam in the can and just read the labels.

HUH? the domain is most certainly registered, and it's got a website...

Well, there we go again; I guess my previous reference must have been a bad generalization based on poor assumptions. So I won’t embarrass myself any further by drawing a conclusion from the following, and risk being deprecated as “silly”. I remember getting a lot of "flames" with similar language in them in response to what I was writing back in '04 & '05 about the reasons why Canada did not accept the rationale(s) for invading Iraq. I did check "the website" before. It’s just that my previous reference took up less page. I think I also made my estimation of the value I ascribed to the observation “…things that probably don’t mean anything…” rather clear; but maybe not. But maybe I was being subtle and not realizing it.

Web

Your search - STAFORDCADMICNIK.COM - did not match any documents.

Suggestions:
• Make sure all words are spelled correctly.
• Try different keywords.
• Try more general keywords.

Getting Whois Data for stafordcadmicnik.com . Please wait ...

Completewhois.Com Whois Server, Version 0.91a33, compiled on May 28, 2006
Please see http://www.completewhois.com/help.htm for command-line options
Use of this server and any information obtained here is allowed only
if you follow our policies at http://www.completewhois.com/policies.htm

Unknown domain: STAFORDCADMICNIK.COM

[DOMAIN whois information for STAFORDCADMICNIK.COM ]
NOT FOUND
Domain STAFORDCADMICNIK.COM not found in registry whois server and in dns

Please note that this does not necessarily mean domain does not exist as
its possible that domain has been registered recently and has not been
added to whois yet or it maybe that there was an error in communication
between our server and registrar whois server or its possible there is
a problem with registrar whois database itself.

If you need more information on .COM domains or would like to make certain
domain is not registered, please see registry information below:
Namespace: ICANN Unsponsored Generic TLD - http://www.icann.org
TLD Info: See IANA Whois - http://www.iana.org/root-whois/com.htm
Registry: VeriSign, Inc. - http://www.verisign-grs.com

[DNS (DNSINFO) information for STAFORDCADMICNIK.COM ]
Trying "STAFORDCADMICNIK.COM"
Host STAFORDCADMICNIK.COM not found: 3(NXDOMAIN)
Received 111 bytes from 216.151.192.222#53 in 2 ms
216.151.192.222
216.151.192.222#53
** server can't find STAFORDCADMICNIK.COM:NXDOMAIN


Why are you looking for this domain:

STAFORDCADMICNIK.COM

?????? I didn't mean to call *you* silly when I used the phrase "silly stuff." I was referring to the nonsensical domain name....so please explain...why did you take the userid and domain name from an obvious forgery (IOW, the "stafordcad" is presumably made up and doesn't exist anywhere in any context...Google will verify that) and concatenate them into a different domain name? It was that action and the related "noise" that confused me.

DT


Friday, October 20, 2006

21:17

DT;

Why are you looking for this domain:

Because it was there, …it was associated with a purported DNT header that I wanted to learn as much as I could about (since I was pretty much starting from scratch)…I wanted to see if the domain was listed or associated with an ISP, netblock, Name Server, mail hosting service, or just what, if anything, … I wanted to see if I could discover if the address was possibly hijacked or if there might be a history of abuse from it or ‘neighbouring’ IP numbers … and lastly, since “micnik.com” is kosher, I wondered why the spammer would pick a prefix like “stafordcad” when he could have used any gibberish for the entire forged address.

As I said initially, and re-emphasized, it was one of those“…things that probably don’t mean anything…”.

However, when you challenged me on it,

HUH? the domain is most certainly registered, and it's got a website...that of an "Author, educator, and professional musician"

… I went back to see just where and how I goofed, even though I had intended to blow it off as a mere curiosity and nothing more. I’m still feeling goofy because you not only found that precise website, but you provided particulars about it, verily:

…an "Author, educator, and professional musician"

But I apparently have suboptimal skills in this wise, because I did not find it as you can see from both my subpoenas to Google search and the Completewhois Search that follows it immediately in my last post. I also took a ‘boo’ at www.DNSstuff.com, APNIC, RIPE and InterNic…. same thing. So, you can imagine my chagrin at NOT finding what you found so easily?

I feel not unlike a fool


Your spam sample includes data as exampled by this line;

Return-Path: <stafordcad[at]micnik.com>

The '@' sign has been changed here to read [at]

This is an e-mail address ... user name of "stafordcad" at the Domain of "micnik.com"

The question has been how you managed to read that as a Domain name of STAFORDCADMICNIK.COM (even the case change is in question)

I'm still trying to come up with why you need to add in the extra dates on your posts .. this application time-stamps them in the top line of the post .... have you checked out "your" settings here perhaps .. noting that you've got an 8 hour offset selected at present, if that feeds into anything ....

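Two things the posts above argue about, handled in one added Python example that is not from any participant: the RFC 3798 section 2.1 comparison between Return-Path and Disposition-Notification-To that a mail client is meant to make before sending a receipt automatically (the concern raised about return/receipt notifications being subject to manipulation), and the reading of "stafordcad[at]micnik.com" as user name "stafordcad" at domain "micnik.com", so that whois or DNS is asked about micnik.com rather than about a concatenated string. The address values come from the header sample quoted earlier; the obfuscation patterns and the function names are the example's own assumptions.

```python
import re

# Common ways '@' gets written out on web pages and in forum posts (assumed list).
AT_OBFUSCATIONS = re.compile(r"\s*(?:\[at\]|\(at\)|\{at\}|\sat\s)\s*", re.IGNORECASE)


def normalise_address(text):
    """Reduce a header value such as 'phelia gennifer <stafordcad[at]micnik.com>'
    to (local_part, domain). An angle-bracketed address wins over the display
    name; the domain is lower-cased because DNS names are case-insensitive,
    the local part is left alone because RFC 5321 says it may not be."""
    m = re.search(r"<([^>]*)>", text)
    addr = (m.group(1) if m else text).strip()
    addr = AT_OBFUSCATIONS.sub("@", addr)
    if addr.count("@") != 1:
        raise ValueError(f"not a single mailbox: {text!r}")
    local, domain = addr.split("@")
    return local, domain.lower()


def lookup_target(text):
    """The only part of a mailbox that whois or DNS can answer for."""
    return normalise_address(text)[1]


def auto_mdn_permitted(return_path, dnt):
    """RFC 3798 section 2.1: a mail client SHOULD NOT send a disposition
    notification automatically when Return-Path is absent or names a
    different address from Disposition-Notification-To. Returns
    (permitted, reason)."""
    if not return_path or not return_path.strip():
        return False, "Return-Path absent"
    rp = normalise_address(return_path)
    dn = normalise_address(dnt)
    if rp != dn:
        return False, f"Return-Path {rp[0]}@{rp[1]} differs from DNT {dn[0]}@{dn[1]}"
    return True, "Return-Path matches Disposition-Notification-To"


if __name__ == "__main__":
    # Values as they appear in the sample spam quoted earlier in the thread.
    return_path = "<stafordcad[at]micnik.com>"
    dnt = "phelia gennifer <stafordcad[at]micnik.com>"
    print("ask whois/DNS about:", lookup_target(dnt))
    print(auto_mdn_permitted(return_path, dnt))
```

Note what the sample gives: Return-Path and Disposition-Notification-To carry the same forged address, so the RFC check is satisfied and a client configured to send receipts without asking would send one to micnik.com. The comparison only guards against a receipt going somewhere other than where bounces go; it cannot tell that both headers were forged together, which is why a client should still prompt, or never auto-send, for mail it has already classed as spam.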

I would like to hear you develop a theme that ties together three things; two of which are contained in your last post.

No, the overwhelming majority of spammers are no longer putting "return receipt" requests into the email headers. I can state that with a very high level of confidence. They simply can't get away with that any more.

That's of the same vintage as "gopher" and other pre-web stuff. I'm not impressed by Mr. Raz's information, having myself been active in this "scene" since the very first spam runs. In fact, in my experience, Israel (where Mr. Raz lives) is *way* behind the curve when it comes to "things Internet."

The third thing is “Spammer Rule # 3”.

Here are some responses as promised...not exhaustive by any means, but I don't have time to do all the research necessary for that kind of response.

WRT delivery receipts...I don't think anyone has really kept track of this phenomenon, but I'm sure that anyone who has been concerned with spam for at least 8 years or so has seen gradual changes, and yes, that would be "anecdotal/observational" evidence ("qualitative" vs. "quantitative"), and I think it's safe to generalize that current spammers rarely put a valid email address pointing back to themselves *anywhere* in a message. Once upon a time they used Hotmail and Yahoo accounts for spam runs and actually would collect responses at those addresses, but IIUC, that's too unreliable for them, so they're primarily sending people to websites, or providing phone numbers, or sometimes PO boxes.

As for the return receipts, I scanned through hundreds and hundreds of spams and didn't find a single one. You provided at least one example, so the phenomenon must exist, but I'd speculate that it's pretty rare.

As far as Israel being "way behind" on "things Internet," that was an over-generalization based on several different personal observations. One is the "Sphera" virtualization/hosting software ("Virtual Dedicated Servers") used by my former web host, Jumpline.com, which was developed in Israel. It leaves a LOT to be desired, and I tried staying with it, but eventually had to "jump ship" and find a new host. I went back and forth with Jumpline about the deficiencies of the platform, and they referred to the Israeli programmers "working on it," but things didn't get solved.

However, a little poking around shows me that it was Israeli programmers who developed the "Deep Junior" chess program, who took PHP to the point where it became useful for almost ubiquitous use on the web, and who also developed ICQ. They apparently tend to be skilled and hard working, according to what I've just read this morning. Many of the individual websites I've visited from Israel are similar to those found in Italy, but that's a narrow sampling. Although I do find some of the information provided by Mr. Raz to be dated, my comment wasn't really accurate.

As for "Spammer Rule #3" -- I find rules number 1 and 2 to be more solid....I don't think that all spammers are necessarily stupid...that's not particularly logical. As for actual communication from spammers, these are my two favorites:

Pickett's Commentary: Spammer lies are boring.

Spammer's Standard of Discourse: Threats and intimidation trump facts and logic.

DT


Wazoo;

Praefectus Alae,

Spammus Copia

The question has been how you managed to read that as a Domain name of STAFORDCADMICNIK.COM (even the case change is in question)
I read it as the domain name supplied by a spammer probably forging his way along and purportedly representing an ISP or some hosting service that handed the spam off to the internet. If I do a search for domain info on my email address domain, I find my ISP general information. I could, and probably did, do a “dig”, a “whois” and an “in-addr-arpa” just for the heck of it to see what I might see. I was exploring; nothing more. I tend to do that when I don't understand why certain things happen.

(even the case change is in question)
The “case change” has nothing to do with me !? That’s the way it appears on the copy/pasted reports…!??

And for the fourth time:

As I said initially, and re-emphasized, it was one of those “…things that probably don’t mean anything…”.
Perhaps I underestimated its fascination value because y’all keep bringing it back up. Perhaps too, you might just indulge me by showing me how DT did find a web site with that domain information and pull off the site owner’s info. I’m only asking because he brought it up and it's got me to wondering. The matter was already settled as far as I was concerned.

The “extra dates” occur because I usually write in Office Word and, as formatted headers, they are useful to me for business correspondence and publishing (deadlines) purposes. They are also handy to me when posting to forums, newsgroups and blogs that Date/Time Stamp posts using the full spectrum of offsets from GMT. If you haven’t noticed already, I get confused easily… and this feature helps me keep some order. You undoubtedly have a better brain than me; I get fuzzy responding to something that is Date/Time Stamped 16 hours in the future (tomorrow), or reviewing something I just sent that appears on my screen stamped yesterday. If it annoys the members, I can make a point of editing it out of my subs… although of the thousands of times I’ve used this convention in other areas, and since even more info is usually contained in the hard copy equivalent “header” of business correspondence, this is the first time I’ve seen anyone take exception to it.

In my circles, this information is considered polite, and not providing it impolite and unprofessional. Mais, “chacun à son goût”; or perhaps “When in Rome, do as the Centurions tell you”. Then again; "If a foolish consistency be the ....."; but no, that might sound sarcastic (not to mention cut both ways; eh?)

Backing up to where I intruded into this thread:

Bear in mind, I’m contributing this [spreadsheets of spam received] just for it’s anecdotal value; not to make a point. Mayhap some others keep similar notes and might have an interest in comparing.
I addressed the issue some have taken up, some of which precede my post in this thread, that reporting has a connection to the volume of spam that ensued by suggesting that the increase in my spam was more probably, if not certainly, the result of my carelessness. I felt that accidentally opening/previewing spam deserved at least a cautionary note based on what I understood the record of such practices to indicate.

For the benefit of those who read this forum, a definitive and comprehensible submission that can categorically demonstrate one’s email address can’t be confirmed by opening/previewing spam would benefit a lot of us who have had the opposing view drilled into them by MS MVP’s for a good portion of the last decade. This is not a triviality; to be blithely 'pooh-poohed' without substantiation. It denotes a major change in operators’ generally accepted practices and procedures. As such, it needs be broadcast.


I read it as the domain name supplied by a spammer probably forging his way along and purportedly representing an ISP or some hosting service that handed the spam off to the internet. If I do a search for domain info on my email address domain, I find my ISP general information. I could, and probably did, do a “dig”, a “whois” and an “in-addr-arpa” just for the heck of it to see what I might see. I was exploring; nothing more. I tend to do that when I don't understand why certain things happen.

The “case change” has nothing to do with me !? That’s the way it appears on the copy/pasted reports…!??

missed was the line I offered:

This is an e-mail address ... user name of "stafordcad" at the Domain of "micnik.com"

And for the fourth time: Perhaps I underestimated its fascination value because y’all keep bringing it back up. Perhaps too, you might just indulge me by showing me how DT did find a web site with that domain information and pull off the site owner’s info. I’m only asking because he brought it up and it's got me to wondering. The matter was already settled as far as I was concerned.

whois -h whois.dotster.com micnik.com ...
Registrar: DOTSTER
Domain Name: MICNIK.COM
Created on: 14-JUN-00
Expires on: 14-JUN-07
Last Updated on: 25-MAY-06

10/21/06 16:16:17 Browsing http://micnik.com/
Fetching http://micnik.com/ ...
GET / HTTP/1.1
Host: micnik.com

HTTP/1.1 200 OK
Date: Sat, 21 Oct 2006 21:16:22 GMT
Server: Apache/1.3.37
Last-Modified: Tue, 23 May 2006 10:21:03 GMT

The “extra dates” occur because I usually write in Office Word and, as formatted headers, they are useful to me for business correspondence and publishing (deadlines) purposed. They are also handy to me when posting to forums, newsgroups and blogs that Date/Time Stamp posts using the full spectrum of offsets from GMT.

My 'concern' about those extra dates was attempting to resolve a possible issue with this Forum application. It caught my eye when one of your 'posted dates' had no apparent correlation to the time-stamp of the post itself .. trying to come up with the possible problems involved there is where I picked up that you had the 8 hour offset configured on your account ....

If you haven’t noticed already, I get confused easily… and this feature helps me keep some order. You undoubtedly have a better brain than me; I get fuzzy responding to something that is Date/Time Stamped 16 hours in the future (tomorrow), or reviewing something I just sent that appears on my screen stamped yesterday.

and this was a feature I changed 'here' a very long time ago .... the actual argument at that time started with PM traffic, then expanded to 'quoted posts' within the Forum itself .... actual time is used 'here' (which can be modified to show as 'local' time) ....

If it annoys the members, I can make a point of editing it out of my subs… although of the thousands of times I’ve used this convention in other areas, and since even more info is usually contained in the hard copy equivalent “header” of business correspondence, this is the first time I’ve seen anyone take exception to it.

No 'exception' made here ... I was just trying to 'solve a possible problem' ....

Backing up to where I intruded into this thread:

I addressed the issue some have taken up, some of which precede my post in this thread, that reporting has a connection to the volume of spam that ensued by suggesting that the increase in my spam was more probably, if not certainly, the result of my carelessness. I felt that accidentally opening/previewing spam deserved at least a cautionary note based on what I understood the record of such practices to indicate.

For the benefit of those who read this forum, a definitive and comprehensible submission that can categorically demonstrate one’s email address can’t be confirmed by opening/previewing spam would benefit a lot of us who have had the opposing view drilled into them by MS MVP’s for a good portion of the last decade. This is not a triviality; to be blithely 'pooh-poohed' without substantiation. It denotes a major change in operators’ generally accepted practices and procedures. As such, it needs be broadcast.

I burned myself out providing support on the Microsoft newsgroups years back .... I quit a few months prior to the MVP 'program' showing up. I have no problem that not all MVPs are what you seem to make them out to be ... they are also just other users having the time and inclination to post answers to questions asked. And if you look closely, follow along long enough, you'll see that an overwhelming majority of them have their own little FAQ sheet pulled up, such that when they see the same question asked for the hundredth time that day, they can copy/paste in the same answer for the hundredth time that day, thus making it look like they really worked hard at doing the research and coming up with the solution to each and every one of those hundred-plus users that chose to post before reading anyone else's previous posting of exactly the same question .... some of those folks even went on to make a web-site of their own compiled FAQ sheets, most with the same thoughts as I express here ... if I put this stuff in a FAQ, place pointers to that FAQ, I won't have to retype the same answers over and over and over and over and over .... yet, looking at the Microsoft newsgroups and this Forum, that plan still falls victim to those that choose to post before doing any research ....

Now that the Topic shift is so utterly complete ....

