DavidT Posted October 21, 2006 Posted October 21, 2006 For the benefit of those who read this forum, a definitive and comprehensible submission that can categorically demonstrate one’s email address can’t be confirmed by opening/previewing spam would benefit a lot of us who have had the opposing view drilled into them by MS MVP’s for a good portion of the last decade. Did I come across as saying that "one’s email address can’t be confirmed by opening/previewing spam"? That wouldn't necessarily be a true statement in all situations, so nobody can provide that for you. What I've been trying to get across is that good email software need not automatically transmit anything back to the spammers provided that reasonable precautions are taken, such as setting your Options/Preferences so that your program doesn't automatically respond to any "DNRs" and that remote images are *not* loaded by default unless you specifically allow that to happen. One additional precaution would be to have a good quality anti-virus program and firewall, the combination of which should take care of malicious scripting/code other than the images themselves. When I'm searching through my SC email account's Held Mail folder (I view it in an IMAP session), my antivirus software sometimes pops up with a warning about something like that. When a message comes in with a DNR, and your software responds to it (because of your settings), then of course there's a possibility that a signal could get back to a spammer. None of the spams that I receive contain DNRs, but you've already shown us one of yours that did. As for the remotely-hosted images in HTML email messages, if your email software isn't configured properly, then opening a message containing a "web bug" style image link can send a signal to a spammer. I'm pretty sure that the primary use of those "web bugs" today is by commercial entities whose email newsletters, offers, etc. you've agreed to receive. 
They like to know how many recipients are actually opening their messages, and they sometimes even want to know exactly who had opened their messages. DT
rooster Posted October 22, 2006 Posted October 22, 2006 Tonite in Australia This Afternoon in England Right now here in BC Still under discussion by Quantum Gravity Physicists Wazoo: missed was the line I offered: This is an e-mail address ... user name of "stafordcad" at the Domain of "micnik.com" I didn’t miss it (I don’t think) … as your “who-is” suggests to me any way … I had pulled that domain info up long before I showed up here. Before I did the “Completewhois” search on the username+domain name, I naturally looked up to see who the domain “micnik.com” was registered to, collecting Registrar, registration dates, contact &/or complaint info, record of abuse info, IP Block and ns info, … and from there to Spamhaus to look up ns. IP#s …. and on, and on. Is it possible that something I had written made it appear to you that I was “going for” a web site with that info? If so; my bad. All I was “going for” was background and support info on “micnic.com”. After this “before”, the next thing I did was apply to micnic for an email account, name of "stafordcad.micnic.com”. Reason being: pings and traceroutes seldom accomplish what I want, so I use this ploy to find out if the un+dn exists on specific ISPs, or whatever agent I happen to be probing. In this case, the name was available; therefore a) no doubt all mention of that address is forged, and no need to probe the registered owner of that email address to see if they know it is being used to spam, if they are aware their PC could be compromised/hijacked, & etc., & etc. I didn’t get into all this initially because I assume this and similar regimes are routine for many/most of y’all, esp. in instances when the same OpenRelay/Proxy shows up over a long period of time. In this specific instance, I went the extra mile just because the address showed up in a very unusual location, in a very unusual email. 
In some instances there are also issues associated with rotating IP’s, dial-up accounts, shared servers… point being: I think you can understand why I wouldn’t go into that level of detail just to footnote a simple spreadsheet showing my spam numbers. Now that I’ve suffered y’all to go over all this extra detail, perhaps you can understand why I suffer to know just how the dickens DT managed to scope out a web site out of that email address. HUH? the domain is most certainly registered, and it's got a website...that of an "Author, educator, and professional musician" who writes books and does workshops, assemblies, etc. for schools and teachers. That’s one too many for me; for sure. The time stamp issue; well Wazoo, this is a can of worms, and I am a fly fisherman. If you find yourself clinically deprived of stimulation and need a challenge in the next while, I’ve got a brain teaser for that great throbbing brain of yours. It’s not a SC issue, so I don’t want to poke it in here lest I trigger a cascade of WOTopic responses from well meaning puzzle fanatics. I burned myself out providing support on the Microsoft newsgroups years back God Bless you Old Timer. If you think I’m a PITA here, you can imagine what a nuisance I was over there when I first laid hands on a PC 2 years ago, running a 2nd hand W-98 OEM with no docs or discs, on Touch Systems 16 MB [sic] [at] 133 MHz [sic, sic]. If it hadn’t been for the friendly folk like Gary Terhune, Jeff Richards, Haggis, PCR, Brian A., Almost Bob and PaBear(?), I would have taken the thing out into the bay and left it there for the crabs; … chained to the person who gave the thing to me in the first place. Indeed, I learned betimes many/most of the MVPs had their peccadilloes. Unlike many subscribers (supplicants) I stayed at it for months, not just dropping in when I had a problem. So, I learned how to search, tried to learn the ‘lingo’ (huge learning curve for me) and made enough headway to move on; i.e. upgrade. 
I was so far behind the curve at start that it took me almost 6 months just to realize my 16/133 PC was slow! I couldn’t understand why it took 45 minutes to d/load some web pages! I got to see a lot of those “day trippers” you allude to; the ones who showed up at “Emerg” screaming "I’ve just been poisoned, somebody do something”. I learned to empathize with both sides; easy for me because I was blanker than 99% of the people who were posting, … didn’t even know the terminology, much less how to ask a sensible question. Bear in mind too, searching on a machine that took 15 minutes to an hour to d/load a single page, and sometimes as long just to access a link on the page … often meant I didn’t get very far before I had to resort to the ng where it only took a couple of minutes to get on. I think the folks I mentioned above, and a few others whose screen names I forget, took mercy on me. However; if you thought the Windows 95 & 98 ngs were a pain, Lawsey, Lawsey, Lawsey, what a ‘disastrophe’ the XP-Home discussions groups are!!! I ‘pines there be woe out yonder when Vista comes out. If you suffered burn out trying to cope with the 9x ngs then it’s good for us SC ‘homies’ y’all made the move. Youd’a been incinerated trying to cope responsibly with such a vastly oversubscribed screed of ngs; peccadilloes notwithstanding. You made the right move at the right time; methinks. Pity the SC organizational chart doesn’t have a solid line between y’all and SCHQ. If BG has set up MS that way, he would probably still be working out of a garage and living in his parents spare bedroom; …and single. Oh well; I guess he can still dream.
rooster Posted October 23, 2006 Posted October 23, 2006 David; What I've been trying to get across is that good email software need not automatically transmit anything back to the spammers provided that reasonable precautions are taken, such as setting your Options/Preferences so that your program doesn't automatically respond to any "DNRs" When a message comes in with a DNR, and your software responds to it (because of your settings), then of course there's a possibility that a signal could get back to a spammer. In my OP, I simply wanted to ‘footnote’ the spreadsheets to indicate this assumption – that T-Bird software is “good” or that all my (other) precautions were definitively “reasonable”-- required a certain amount of trust; trust that, within my skill envelope, I couldn’t substantiate. WRT the “dippity doos” and trolling spammers who want to dissuade the afflicted from reporting to SC on the basis it would/does/has led to an increase in their spam, this “caveat” is one of several I could have selected to preclude applying such a misinterpretation to the increase in my spam load as it appeared on my spreadsheets. As Farelf pointed out, there are many possible variables and very little of a generalized nature can be concluded from a sampling of one person; just speculations. If you graph my numbers, the increase does not conform to the graphs of SC submissions and reports. Taken by themselves, my numbers would qualify as an “Amazing increase”. Unless I misinterpreted your first couple of responses, you were emphasizing the dangers associated with the message portions of spam, and (almost?) dismissing potential dangers that I was referencing; to wit: the possible effects on spam numbers, both increases and reductions, (“Amazing” or otherwise) WRT careless operator bh. ( “bh”…never taken any psych courses; eh? 
You got away lucky) My feeling still is that considering the number of possible insertion points, and the ease with which header lines can be manipulated such that PC’s can be instructed to take certain actions (e.g. return hits to GOKWho, the lightning speed with which web sites (domains) can be made to appear, able to collect return hits, and then disappear posing little or no threat of discovery to the offending harvester, … well … you see, within my skill envelope (barely large enough to put a stamp on), I am not prepared to accept the contention that this risk of opening a ‘loaded’ spam poses no appreciable “hit” risk to the DT operator ; generally. ‘Coevally’; consider the viscidities, variables and general bad effects, the “Amazing” increase in defacto internet spam, associated with the “Auto Reply” configuration. Who knew a few years ago how spammers would exploit this otherwise valuable feature and turn many a business into mules for spam, … to such an extent that it is tantamount to “poisoning the well” of existing and potential customers and clients. I appreciate this is only a fraction of the insult to the internet attributable to this feature. Bringing this all together the best I can at this point, I submit that if there should be an “Amazing” increase in an operators spam load over a couple of weeks, the DNT issue would be something to look into, and eliminate as a possible cause. Does that look reasonable to you? Or am I straining gnats?
Lking Posted October 23, 2006 Posted October 23, 2006 <snip> Bringing this all together the best I can at this point, I submit that if there should be an “Amazing” increase in an operators spam load over a couple of weeks, the DNT issue would be something to look into, and eliminate as a possible cause. Does that look reasonable to you? Or am I straining gnats? It is better to analyze a known variable and look for others than to just throw up our hands and say "There is so much we don't know this can't be understood." The 'You can't know the unknowable' approach taken by others does not add to the discussion, it just blows off the question. As for DNR and other "call home" approaches, being behind Norton Firewall I get asked every time any "personal" information is set to be sent. Any response I suppose differentiates between those email read and those just put in the bit bin. "When I was reporting" I was looking for spammers so the doors are open wide. Anything addressed to [at]mydomain.xxx gets in but I don't let the spam call home. My thinking was that if they are on the scbl my reports would keep them there longer. Haven't had the time to do any distribution analysis on the data I've collected but, although not "amazing" I see a slight increase during this month of not reporting. Significant? In light of all we don't know I don't think so. On the other hand looking at the net wide level of spam, it would have been "interesting" IF my level had not increased. With some understanding of one variable we can move on to another.
DavidT Posted October 23, 2006 Posted October 23, 2006 I submit that if there should be an “Amazing” increase in an operators spam load over a couple of weeks, the DNT issue would be something to look into, and eliminate as a possible cause. Does that look reasonable to you? Yes, it does....and it can be done fairly easily by searching the headers of one's own spam collection before reporting and/or deleting it. For example, I just searched for "receipt" then "disposition-" then "confirm" in the 85 messages in my SC Held Mail folder this morning and there were no hits on any of those terms found in DNRs, so I could safely open up ALL of those messages, even with unsafe mailer settings, were it not for the additional danger of remote image links. However, my mailer also protects me from those, so I can open them all up without fear. Haven't had the time to do any distribution analysis on the data I've collected but, although not "amazing" I see a slight increase during this month of not reporting. As seen on the SpamCop Email System News page: Oct 19, 2006 [10:45 EDT] SpamCop and others are monitoring a huge global increase in spam volumes that started late last week. Networks are reporting anywhere from 30-50% increases in spam volume. This is very typical...spam levels, sources, and techniques are quite variable -- much too much so for any one user to declare that a sudden reduction (or increase) in their personal receipt of spam is due to any specific change in "bh" on their part. ;-) DT
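Added example, not part of the original thread or any poster's own tooling: the header search described in the post above, done over raw message source in Python, extended to also list the remote image links the post mentions. The function names, file names and sample messages are constructed for illustration; `Return-Receipt-To` and `X-Confirm-Reading-To` are assumed here as the other receipt-request headers that the search terms "receipt" and "confirm" would hit.

```python
import email
import re
from email import policy

# Headers that ask the recipient's mail client to send a notice back.
# Disposition-Notification-To is the one in the spam quoted in this thread;
# the other two are older equivalents (assumed here). Each contains one of
# the search terms from the post: "receipt", "disposition-", "confirm".
RECEIPT_HEADERS = (
    "Disposition-Notification-To",
    "Return-Receipt-To",
    "X-Confirm-Reading-To",
)

# <img> tags whose src is fetched over HTTP(S) when the message is rendered.
# Embedded images (src="cid:...") and ordinary <a href> links do not match.
REMOTE_IMG = re.compile(
    r'<img\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE
)


def scan_message(raw: bytes) -> dict:
    """Report receipt-request headers and remote image URLs in one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)

    receipts = {}
    for name in RECEIPT_HEADERS:
        values = msg.get_all(name)  # header names match case-insensitively
        if values:
            receipts[name] = [str(v) for v in values]

    remote_images = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        try:
            html = part.get_content()
        except (LookupError, UnicodeError):
            # Unknown or broken charset label: fall back to a byte-for-byte decode.
            html = (part.get_payload(decode=True) or b"").decode("latin-1")
        remote_images.extend(REMOTE_IMG.findall(html))

    return {"receipt_requests": receipts, "remote_images": remote_images}


def flag_folder(messages: dict) -> dict:
    """Map message name -> findings, keeping only messages with any signal."""
    flagged = {}
    for name, raw in messages.items():
        result = scan_message(raw)
        if result["receipt_requests"] or result["remote_images"]:
            flagged[name] = result
    return flagged


# Constructed sample messages (not taken from the thread).
SAMPLE_FOLDER = {
    "spam-001.eml": (
        b"From: Sample Sender <sender@example.invalid>\r\n"
        b"Disposition-Notification-To: Sample Sender <sender@example.invalid>\r\n"
        b"Subject: constructed sample 1\r\n"
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
        b'<html><body>Hi<img src="http://tracker.example.invalid/o.gif?id=constructed"'
        b" width=1 height=1></body></html>\r\n"
    ),
    "spam-002.eml": (
        b"From: other@example.invalid\r\n"
        b"x-confirm-reading-to: other@example.invalid\r\n"
        b"Subject: constructed sample 2\r\n\r\n"
        b"Plain text body.\r\n"
    ),
    "news-003.eml": (
        b"From: list@example.invalid\r\n"
        b"Subject: constructed sample 3\r\n"
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
        b'<html><body><img src="cid:logo@example.invalid">'
        b'<a href="http://www.example.invalid/">site</a></body></html>\r\n'
    ),
    "plain-004.eml": (
        b"From: friend@example.invalid\r\n"
        b"Subject: constructed sample 4\r\n\r\n"
        b"Please send a receipt and confirm the disposition of the parcel.\r\n"
    ),
}

if __name__ == "__main__":
    for name, findings in flag_folder(SAMPLE_FOLDER).items():
        print(name, findings)
```

Only headers are checked for receipt requests, so the fourth sample, whose body contains all three search words, is not flagged the way a plain text search of the whole message would flag it.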
Lking Posted October 23, 2006 Posted October 23, 2006 DT You could have quoted the other half of that thought: "Significant? ... I don't think so. On the other hand looking at the net wide level of spam, it would have been 'interesting' IF my level had not increased." So we agree. Oh well. trudge, trudge, trudge.
rooster Posted October 24, 2006 Posted October 24, 2006 Lou; It is better to analyze a known variable and look for others than to just throw up our hands and say "There is so much we don't know this can't be understood." The 'You can't know the unknowable' approach taken by others does not add to the discussion, it just blows off the question. I have no idea what that means; too many variables, … maybe. Should I "differentiate", "integrate" or apply the "Chi Squared Rule"? David; For example, I just searched for "receipt" then "disposition-" then "confirm" in the 85 messages in my SC Held Mail folder this morning… I gather from this that you have some tools that I don’t. I’m getting around 200 spams a day now. I “eyeball” things that have remarkable subject lines as I drift down through the SC Parse on my way to click “Report”, but that is about as far as my time constraints permit; … at least at the present time. I’m gradually migrating over to a Debian distro (with great fear and trepidation) in hope of installing some tools specific to spamjamming (d/b’s, search & sort, reporting boilerplate etc., etc.) but I’m going about it slowly and carefully. With some better tools, hopefully, I won’t be as susceptible to latching on to an “erratic” as I probably have done with the T-Bird/DNT issue. Although; begging forgiveness, I didn’t really “latch on to it”, … I just thought it might bear mentioning. I do appreciate all your guidance and for helping get a better (more current) understanding of the issue. Now; if you could just tell me how you found that website …. I could finish my cocoa, put the fire out, and crawl into my tent a happy camper.
Farelf Posted October 24, 2006 Posted October 24, 2006 ...I have no idea what that means; too many variables, … maybe. Should I "differentiate", "integrate" or apply the "Chi Squared Rule"? Gather the data, make observations, form hypotheses, test them and have others replicate, look for exceptions and failures and stuff happening at the periphery of the known/explicable, work through *them* in turn, repeat until enlightenment or senility strikes (seek a second opinion in either case), but ignore the unknown unless and only when it reveals itself in the course of your toils (thus becomes sorta "known"). And try not to "overeducate" yourself in the process - remembering always the words of Bokonon - words to the effect of "Beware the educated man. At the start he knows nothing and, knowing he knows nothing, studies long and hard to learn more and more about less and less until, at the end, he realizes he *still* knows nothing. He *despises* those who came by their ignorance the *easy* way." Now you won't find *that* in the FAQs.
DavidT Posted October 24, 2006 Posted October 24, 2006 Now; if you could just tell me how you found that website …. Here you go... From the headers of the sample spam you posted here:

Received-SPF: none (No spf1 record for (micnik.com) ) client-ip=60.2.77.102; envelope-from=<stafordcad[at]micnik.com>;
X-Default-Received-SPF: fail (Last token {-all} (res=FAIL)) client-ip=60.2.77.102; envelope-from=<stafordcad[at]micnik.com>;
Return-Path: <stafordcad[at]micnik.com>
Disposition-Notification-To: phelia gennifer <stafordcad[at]micnik.com>
From: phelia gennifer <stafordcad[at]micnik.com>

Each one of those lines contains a reference to "micnik.com" so I simply used my browser to go to: http://micnik.com and voila!, you see the website of the innocent victim whose domain was randomly chosen by the spammer when building the forged return address on the outgoing spew. That's all there was to it. If I suspected anything evil about the domain, I wouldn't have visited it with a browser on my PC, but would instead have used the text-only browser Lynx on a 'nix box to safely visit the site. I wasn't worried about this one, however, especially after I looked at the "whois" data. BTW, I find the following domain lookup site to be superior to Dotster: http://www.domaintools.com If you go back to look at the message source on your computer, I think you'll find that where you see "[at]" in the lines above, there was actually an "@" symbol. So the "stafordcad" portion is a forged/bogus "username" that supposedly is "@" the domain randomly chosen by the spammer (or their software). The username portion in forged spam is even more meaningless than the domain that is chosen for the return address. You used the Dotster site to search for the *entire* (bogus) email address. Yes, I know you qualified it by stating that: Poking around often leads me to things that probably don’t mean anything but this particular "poking around" had no possibility to ever be meaningful. 
Any return receipts generated by this particular spam would go to that "stafordcad" address and disappear (I tested, and they either have a "catch all" that's eating messages or they're dumping them silently in a bitbucket...at least they're not sending after-the-fact NDRs). The owner/operator of "micnik.com" surely had nothing whatsoever to do with the spam. The spamvertised website in your original post (before Wazoo redacted it) is long since dead...it was registered/created the day before you received your spam, had a brief run of spamming (3 days) from diverse IP sources, and then was probably shut down. As for spammers using Thunderbird to spam....I'm not sure how the whole process works in which innocent computers are infected/hijacked and then spew spam, so I have no idea if Thunderbird can be used by such exploits or not. It used to be that these things had their own SMTP engines, but maybe they can actually now use the existing email software on the computer to automatically crank out spam....I just don't know. DT
Wazoo Posted October 24, 2006 Posted October 24, 2006 If you go back to look at the message source on your computer, I think you'll find that where you see "[at]" in the lines above, there was actually an "@" symbol. So the "stafordcad" portion is a forged/bogus "username" that supposedly is "@" the domain randomly chosen by the spammer (or their software). The username portion in forged spam is even more meaningless than the domain that is chosen for the return address. You used the Dotster site to search for the *entire* (bogus) email address. Just noting that I even used color to try to point out the same thing back in Linear post #75 ....
rooster Posted October 24, 2006 Posted October 24, 2006 Steve; Gather the data, make observations, form hypotheses, test them and have others replicate, look for exceptions and failures and stuff happening at the periphery... Oh, you are "on" today mite. Someday you might really enjoy reading: "The Retroactive Existence of Mr. Juggins" from: "Behind the Beyond and Other Contributions to Human Knowledge", by Stephen Leacock. John Lane Company, New York, NY Date Published: (c1913)
Farelf Posted October 25, 2006 Posted October 25, 2006 Rod, "Behind the Beyond and Other Contributions to Human Knowledge", by Stephen Leacock. John Lane Company, New York, NY Date Published: (c1913) If I have a chance - some things Canadians seem to keep to themselves, like Stephen Leacock and those funny screwdrivers (which one finds by Googling screw canada - and I mean that in the nicest possible way). Now what was the topic? Steve
rooster Posted October 25, 2006 Posted October 25, 2006 David; micnic.com …and voila!, you see the website of the innocent victim whose domain was randomly chosen by the spammer… I tried that 3 times back when and got a ‘404’ or “Server Not Found” message. Just to indulge you, I did it again now (in OE instead of Ffx) and lo’, there it was. Because I couldn’t get it before, I went “after” the other domain info (micnic.com) from “Completewhois” & etc. I just tried it in Ffx now too, and it is showing up, ♫ and all. I wonder if the webmaster was working on the site when I was trying to access it; eh? http://www.domaintools.com I have them in my toolbox. Somewhere along the line I gravitated toward “Completewhois” and “DNS Stuff”. As a fledgling in this field, I found “Complete” the easiest to learn from since it presented the most info on one page of the tools I was using to “explore”. If I already know where I’m headed, I go straight to interNic. I’ll take your suggestion and give ‘dt’ (no pun intended) another go for a while. I discovered early on that “going after” email addresses was, to a large extent, a ‘fools errand’ for a desktopper like me; but a necessary part of the learning process. Remember; I got my first PC just 2 ½ years ago and for the first year I could barely open a web site. I got this unit a little over a year ago… so I am really starting from scratch. …but this particular "poking around" had no possibility to ever be meaningful. Any return receipts generated by this particular spam would go to that "stafordcad" address and disappear (I tested, and they either have a "catch all" that's eating messages or they're dumping them silently in a bitbucket...at least they're not sending after-the-fact NDRs). The owner/operator of "micnik.com" surely had nothing whatsoever to do with the spam. Sage words, but I ‘spect I’ll be doing lots more “poking around”. 
Y’all know the labyrinth far better than me; …laid down lots of breadcrumbs and string leads and marked off the dead ends and pitfalls. Me; I’m still “spelunking” solo for most of the time and trying to learn to read the hieroglyphics along the way. No Rosetta Stone so far; just a lot of digging and ‘sploring. As for spammers using Thunderbird to spam....I'm not sure how the whole process works in which innocent computers are infected/hijacked and then spew spam, so I have no idea if Thunderbird can be used by such exploits or not. It used to be that these things had their own SMTP engines, but maybe they can actually now use the existing email software on the computer to automatically crank out spam....I just don't know. If I’m following along in the right path, it seems the most important thing in this instance, and what y'all appreciated from the outset, is that the portions of the headers that mention the T-Bird mailer are forged. Having gone through all the hoops examining this “erratic” really hasn’t provided anything significant to explain why the spammer chose to format the forgery in this way; neither have we been able to determine if this could ever appear as the result of a T-Bird user’s PC being compromised, since the un+dn is still “Available” from micnic. I’m still winding my mind around all this, but I think I would still have to establish the status of the address before the other considerations could be eliminated. I am very much aware that this example might be nothing more than an erratic produced by some “ubergoöf” after scoring a baggie of “BC Bud”; … eh? Thanks a bunch for all your help and patience. Wazoo can put the nitro tabs back in the drawer and look forward to spicy foods again once they remove the stitches securing the end of his nearly amputated tongue.
Wazoo Posted October 25, 2006 Posted October 25, 2006 Thanks a bunch for all your help and patience. Wazoo can put the nitro tabs back in the drawer and look forward to spicy foods again once they remove the stitches securing the end of his nearly amputated tongue. He's just been really, really busy getting his behind kicked by software elsewhere. Basically in the same mode you say you're in, learning my way around yet another version of Linux, trying to learn enough Python to be able to read and follow the code, trying to understand data found written for an entirely different environment and trying to translate it to the workspace I'm attempting to build the new landscape in .... and needing to get it all sorted out before JT hits me with "OK, change servers now" ....
rooster Posted October 25, 2006 Posted October 25, 2006 Wazoo; …learning my way around yet another version of Linux, trying to learn enough Python to be able to read and follow the code… Je savais bien. I jumped in to the *nix realm with Debian 3.1 r3 Official last week; reasoning that I might as well force myself to learn the ropes… running from a command line, and basic Python… instead of taking the easy route with more user friendly Linux versions like Lindows, Ubuntu or Mepis. I went a little way with Perl on XP, but I am too nervous to actually run anything significant. XP doesn’t cotton to stranger in its parts… and part of me still quivers with the apprehension that I am going to push the wrong button on this thing one day and some Virginia Class Sub moseying about the Barents Sea (studying Atlantic Salmon migration patterns of course) will start raining nukes down on sleeping Norwegians; or even worse, the Swedes! I’d never be able to get parts for my wife’s Volvo. ‘Speakig ob tung bitig’; having to deal with some of the Qs here on the forum, on some days you must feel like a tenured professor waking up and finding himself in a disassociative fugue, teaching a grade 3 class of recent immigrants, with a smattering of constitutionally disagreeable ones in the mix; eh?
Wazoo Posted October 25, 2006 Posted October 25, 2006 instead of taking the easy route with more user friendly Linux versions like Lindows, Ubuntu or Mepis. Not sure about the 'user-friendly' aspects ... yes, I've got the live-cd versions of several distros, but .... I've yet to find one that wanted to allow me to actually install where I wanted it ... the third or fourth hard drive (already having 14 partitions between them, add in three CD/DVD units .... where I can't (re)install Windows or run some DOS programs without disconnecting two of the hard drives to remove all those partitions) .... and of course, reaching out long distance only via a command-line isn't anywhere near the 'user-friendly' GUI mode, no matter which desktop manager you choose to go with .... ... and some Virginia Class Sub first thought .. man, am I out of touch .. Virginia class doesn't ring a bell .. a few minutes of reflection .. recalling that 'our' subs were never the targets of my 'work' .... yet ... oddly enough, I just re-read Blind Man's Bluff a few months back .... have to pull it back out again or do some other look-ups ... ‘Speakig ob tung bitig’; having to deal with some of the Qs here on the forum, on some days you must feel like a tenured professor waking up and finding himself in a disassociative fugue, teaching a grade 3 class of recent immigrants, with a smattering of constitutionally disagreeable ones in the mix; eh? How I spent most of last nite/this morning; Customer request .. install Office 97 on a Win-95 machine .. (new hard drive) .. ran into an issue or two .... folks bitching about not being able to find stuff in the FAQ here .. geeze .. try to dig up ancient data on these out-of-date products .... it's out there, but you have to work like heck to weed out all the XP/2003/etc. stuff .... User had a Palm VII ... picked up a Palm M130 ... updated the Palm software .. noted that some software / functions were lost ... 
Palm admits that they 'removed' stuff from their desktop application .... sitting here trying to compare the different versions of their software package, trying to sort out if just moving a few files around would bring some of the functions back ..... been all around the world a couple of times looking for answers on this .... Have an Assante hub that has decided to partition off the thin-net side of my network .. of course, only deciding to do that when I'm wanting to reach out from one of those systems ... naturally while I'm typing on this system (connected to another router, more or less directly connected to the cable modem) it's not showing any alarm lights ..... just a few of the things to fill in the gaps between getting bashed in here <g> That said .. trying to decide now on whether to grab a blanket and try to get some sleep or go snag a cup of coffee that I made four or five hours ago and haven't touched yet .... that I'm having trouble reading the screen is suggesting the obvious 'good' decision ..... man, talk about off-topic ....
MikeJT Posted October 27, 2006 Author Posted October 27, 2006 man, talk about off-topic .... Mmm, yes, part of the problem here. I suggest that spammers are probably a bit more focussed on their task at hand... a great strength of theirs I'm afraid!!!
Miss Betsy Posted October 27, 2006 Posted October 27, 2006 Perhaps spammers only have room for one thought at time? Miss Betsy
Farelf Posted October 27, 2006 Posted October 27, 2006 Or put it another way. Reward (spammers have at least the prospect of financial reward) appears to be more effective than reduced punishment (we, the spammed, are trying to minimize the punishment inflicted upon us by those bottom-feeders who would make Harry Butler's louse look like a prince - cf: Lower than a snake's belly is ...). Well, who'd a thunk it? Back to the topic...
Lking Posted November 3, 2006 Posted November 3, 2006 Looking at the results for October, with no reporting, a 40% increase in spam is amazing. The number of "drug" spam seems fairly flat, while "stock" spam increased during the month. With only 33 phishing spam, hard to see any trend. I don't see a correlation between the spam and the day of the week. There does seem to be an increase in daily spam during the first half of the month and then a leveling off at the higher level during the end of the month. (the last 3 days of the month are averages for the 3 days - no internet). Is there a correlation between spam received and reporting? that is a different question. Will have to see what happens this month with reporting. Even then will the results be more than interesting? We'll see. Graphs and data still at www.knob.com/spam
rooster Posted November 7, 2006 Posted November 7, 2006 Wazoo; I didn’t have the email alert thing turned on for this thread… I figured it had fizzled out; else I would have replied sooner. first thought .. man, am I out of touch .. Virginia class doesn't ring a bell .. You must have been secunded [sic] to US Military Intelligence. Not sure about the 'user-friendly' aspects ... yes, I've got the live-cd versions of several distros, but .... I've yet to find one that wanted to allow me to actually install where I wanted it .. I’m still very much in the literature review phase of the (possible) migration. The local Linux User Group Newsgroup has had a number of threads lamenting “Live CD” distros for the same reason you cite. This inflexibility seems to have the most frustrating effects on Admins thinking about migrating and wanting to run tests (presumably involving networks) and to a lesser extent for the home Desk Top Commando not running much in the way of peripherals. I’m guessing of course, but I surmise most DTCs are also running Windows; meaning they are not running a dedicated system and can ‘work around’ some installation issues. So far I’ve been able to log-roll my way into installing an X Windows System in Gnome and using the APT (Advanced Package Tool) to get a few things where I can find/run them (with a ream of crib sheets by my side). It’s not that I really care about cobbling together an ensemble of spam analysis & reporting tools as an adjunct to what I’m running in XP; it’s that I am perfecting the dialectics in a subject upon which I can express great interest and enthusiasm, … and clear out a table full of dinner guests before they start tucking into my post-prandial liqueurs. I’ve only been at it a month or so and I reckon I’ve already saved about half what I need to get a Mac G5 for my music. The only downside is the wife invariably falls asleep before she cleans up the dishes; … on purpose, I think.
trying to decide now on whether to grab a blanket and try to get some sleep I surmised as much. If you weren’t bagged when you replied, you would never have left yourself open to not knowing about the ‘Virginians’ in your “work”. If you only knew what a smarta** Canuck like me could have done with that, considering the prevailing “situation” Stateside… talk about your “tongue biting”. Lking; Interesting graphics. My spam load just took a dramatic drop in the last 7 days. I haven’t heard anyone else mention anything particularly unusual, so maybe it’s another IIJM? (is it just me?) observation. In keeping with the actual topic, which is probably even more ‘unusual’ a phenomenon, I have been reporting like mad (or, while mad) so that would run counter to the proposition that reporting begets spam; eh? In any case, it is a very pleasant hiatus at least. WARNING: Be sure to turn the sound down if you have it on. When I checked to see if the links worked the "Ka-Lunk" alert nearly gave me a coronary. It sounded like someone slamming the door as they headed off before the after-dinner talk got launched. http://img53.imageshack.us/my.php?image=sp...lsnov506ay7.png http://img292.imageshack.us/my.php?image=s...menov506cr6.png Moderator Edit: removed the 'image' tags .... not sure which links are actually 'valid' while doing this edit. Bandwidth is the issue .... second edit - removed the links to the thumbnails that were too small to see anything ...
jrssystemsnet Posted November 10, 2006 Posted November 10, 2006 Thunderbird’s “Global Setting” is a bad idea for my needs; and most peoples’ I think. Sheesh, guys, talk about a lot of ado over nothing. Rooster (and everybody), WRT Tbird and return receipts, the DEFAULT behavior is to pop up a dialog ASKING you if you wish to return a receipt to sender if the message is flagged for return receipt. If you click "OK", T-bird sends it. If you click "Cancel", T-bird does NOT send it. Unless you very specifically drilled down into Thunderbird's configs to tell it to always send return receipts when requested, it is absolutely impossible for you to have sent a return receipt to anyone, ever, without specifically authorizing it. This behavior has been consistent ever since the first time I installed Thunderbird, which was IIRC build 0.47. The way that spammers generally attempt to track viewings of their messages is MUCH simpler and lower bandwidth and more useful to them: they simply embed images with tracking codes in them. If you view that image, their webserver logs the fact that you did, and since nobody but you has that tracking code, they know that your mail address specifically is being monitored. No "exploits" required, that's just the way the internet works. OTOH, if you have image viewing disabled in Tbird - which I STRONGLY recommend - this is not an issue unless you specifically click the "show images" button. Images embedded IN the message are a different story entirely. They do display by default, because there is no way to "report home" by viewing an image stored in your own machine. More in a moment on the topic of whether spammers actually inject deliberate Return Receipt requests or not.
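The distinction drawn in the post above, between remotely hosted images and images embedded in the message, shown as an added example (not part of the original post, and not Thunderbird's code). The function names, the sample message and the example.invalid host are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class ImgCollector(HTMLParser):
    """Collect the src of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "img" and src:
            self.sources.append(src.strip())

def classify_images(raw_message):
    """Return (remote, embedded) image references found in HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    remote, embedded = [], []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for src in collector.sources:
            url = urlsplit(src)
            if url.scheme in ("http", "https") or src.startswith("//"):
                # Loading this contacts the sender's server; the query
                # values may be a per-recipient code.
                remote.append({"host": url.hostname, "path": url.path,
                               "params": dict(parse_qsl(url.query))})
            elif url.scheme in ("cid", "data"):
                # Content carried inside the message: no network request.
                embedded.append(src)
    return remote, embedded

# Constructed sample message; example.invalid is a placeholder host.
SAMPLE = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@local" alt="logo">
<img src="http://img.example.invalid/o.gif?id=a1b2c3" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(classify_images(SAMPLE))
```

Run over a quarantine folder, the `remote` list shows which hosts a client would contact if remote images were enabled, and which query values differ per recipient.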
jrssystemsnet Posted November 10, 2006 Posted November 10, 2006 Okay, now, on the topic of spammers using return requests, I just happen to manage mailservers for a couple of reasonable size hosting companies. One of them filters roughly 50,000 spams per 12 hour period, quarantining the ones that make it through the RBLs but get caught by internal filters for a certain amount of time before deleting them. So I always have a nice big spam pit to play in when I want to analyze trends, or see how rule tweaks are working / not working.

mx# cd [redacted]/.INBOX.spam/new && ls -l | wc -l
39007

There are currently 39,007 messages in the pit.

mx# find . | xargs grep Disposition-Notification-To
./1162854531.M728233P20166.mx.[redacted].com:2,:Disposition-Notification-To: "[redacted] " <[redacted][at][redacted].com>
mx#

... and only one of them contains a Return Receipt request. Examining that message reveals that it's the result of one of the users' friends attempting to forward that user a spam that they found funny, and Vipul's Razor recognizing the signature of the enclosed spam and killing the message. In other words: the message might have been a spam, but its origin AND the identity of the Return Receipt Request-er is, legitimately, somebody who uses Outlook in a business environment and simply has it configured to always ask for receipts. Honestly, guys, there's just ZERO percentage in a spammer deliberately inserting a Disposition-Notification-To targeted to an email account under his own control. Stop and think about this - a typical spam run will hit anywhere from 100,000 to 7,000,000 or more addresses FAST. In the present era of really big-time spam runs being run from botnets of thousands of trojan-infected computers, that can mean hundreds or even thousands of messages PER SECOND going out across the globe. Guess what happens if all of the resources of 5,000 or more PCs all generate a Return Receipt email simultaneously?
You guessed it - the mailserver handling the address that gets the receipt gets insta-nuked. The bounce flood generated by the bad addresses in a spam run ALONE is enough to bring most servers to their knees. If you've never seen 30 AOL and Yahoo Groups bad-address or mailbox-full notifications come in per second for a half an hour straight, you aren't a big mailserver admin.
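A header-aware version of the quarantine survey in the post above, as an added example (not the poster's tooling): a plain grep matches the string anywhere in a file, while parsing separates a message's own Disposition-Notification-To header from one inside an attached message or a mention in body text. The function names and the four sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.utils import getaddresses

HEADER = "Disposition-Notification-To"

def receipt_requests(raw):
    """Return (location, address) for each real receipt-request header."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        values = part.get_all(HEADER, [])
        location = "top" if part is msg else "attached"
        for _name, addr in getaddresses([str(v) for v in values]):
            found.append((location, addr))
    return found

def survey(messages):
    """Compare a raw substring match with header-aware parsing."""
    report = {"grep_hits": 0, "top": 0, "attached": 0}
    for raw in messages:
        if HEADER.encode() in raw:  # what a plain grep would count
            report["grep_hits"] += 1
        for location, _addr in receipt_requests(raw):
            report[location] += 1
    return report

# Constructed samples; example.invalid addresses are placeholders.
SAMPLES = [
    # 1. The sender's own client asks for a receipt.
    b"From: a@example.invalid\nSubject: s1\n"
    b"Disposition-Notification-To: \"A\" <a@example.invalid>\n\nhello\n",
    # 2. The header name only appears in the body text.
    b"From: b@example.invalid\nSubject: s2\n\n"
    b"Disposition-Notification-To: is just mentioned here\n",
    # 3. An attached message carries the header; the outer one does not.
    b"From: c@example.invalid\nSubject: s3\n"
    b"Content-Type: message/rfc822\n\n"
    b"From: d@example.invalid\n"
    b"Disposition-Notification-To: d@example.invalid\n\ninner\n",
    # 4. No mention at all.
    b"From: e@example.invalid\nSubject: s4\n\nplain\n",
]

if __name__ == "__main__":
    print(survey(SAMPLES))
```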
jrssystemsnet Posted November 10, 2006 Posted November 10, 2006 One final thought on the topic of whether you can discern meaningful trends in spam flow if you aren't the admin on your mailserver: the numbers you just looked at for one of my servers were actually just the spam that made it THROUGH the initial RBL-level filtering, in which recognized spam emitters are dropped before they can ever even try to send a message. Here are the complete numbers for that box since midnight last night:

mx# grep rblsmtpd\: /var/log/maillog | wc -l
44026
mx# grep Quarantined /var/log/maillog | wc -l
6544
mx# grep delivery /var/log/maillog | grep local | wc -l
2732

In the last 16 hours, that particular server has, one way or another, deflected 50,566 individual spams while delivering 2,732 emails to user mailboxes. My (relatively unscientific) attempts to discover how much spam actually makes it through to the mailboxes seem to reflect about 300 undetected spams a day on that box, for a filter effectiveness of about 99.4%. Point being, believe me, the admin on your mailserver and his actions can have a GIGANTIC impact on the amount of spam you do and don't receive, all without any change of behavior from the actual spammers themselves. Just as importantly, the spammers adjusting their techniques effectively to try to fight through the filters put in place by people like me tends to have a much bigger impact on the volume of spam in actual user inboxes than simple increases/decreases in raw spam volume.
Telarin Posted November 10, 2006 Posted November 10, 2006 Agreed. The recent approximate 50% global increase in spam volume has no appreciable impact on the amount of spam hitting my users' inboxes. I did however notice a very substantial increase in the amount of mail that was being rejected during the SMTP session by the various BLs I utilize as part of my filtering scheme.
This topic is now archived and is closed to further replies.