
Yambo shifts into high gear


rconner


My daily spam load has more than tripled over the past week, and the rate is accelerating. Nearly all of the increase seems to be due to the Yambo crew with messages like this one (tracking link).

They're using a lot of bare .hk domains hosted mainly at something called "cvtelcorp.com", with a contact by the risible name of Andrew Poon. The addresses rotate elsewhere every day or so, however.

Right now, I've gone back to quick-reporting most of these, lest I spend my entire day tracking down these goofy websites.

By the way, one interesting characteristic that I've observed of the Yambo website kit (MyCanadianPharmacy, International Legal Rx, et. many al.) is that it keeps a sharp eye on who's visiting and for what purposes:

  • I generally use a Perl LWP script that I wrote that actually fetches the website URL to look for redirects (it also does DNS and IP-whois info to give me reporting contacts). I find that when I refetch the same website for a subsequent spam (which may be going by another domain name) that the web server will refuse service, often by simply failing to answer my query at all (causing an LWP timeout and a 500 HTTP code). This can go on for an hour or more until I am again served.
  • It isn't that the site goes offline -- when I try it from another IP, I can see that it is still working. I also have no trouble getting DNS or Whois data for these sites even when they go silent on me.
  • I am mildly deceptive in that I have told LWP to use a standard HTTP user-agent string (for Apple Safari) in its query, rather than the default LWP string (which would be a dead giveaway of snooping), so I'm reasonably sure that I look like a normal web browser.
  • I do not query for any of the images or other linked files.

The latter item seems to be the key. The only thing I can figure is that the web server keeps track of who's downloaded the main URL without getting any of the associated linked files, and then puts these IPs in a "penalty box."

Anyone else noticed this behavior? I hear tell that these sites can lock you out if you are abusive (i.e., flooding with queries), but my queries are usually at least a minute apart.

-- rick
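
The "penalty box" heuristic guessed at in the post above, sketched as log analysis: flag clients that requested pages but never any linked images, stylesheets or scripts. This is an added example, not part of the original post and not code from the spam kit; the log format (Apache combined), paths, addresses, timestamps and the function name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (Apache combined format, documentation IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2000:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari"
203.0.113.20 - - [01/Jan/2000:10:00:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows) Firefox"
203.0.113.20 - - [01/Jan/2000:10:00:31 +0000] "GET /img/logo.gif HTTP/1.1" 200 2048 "http://example.test/" "Mozilla/5.0 (Windows) Firefox"
203.0.113.20 - - [01/Jan/2000:10:00:31 +0000] "GET /style.css HTTP/1.1" 200 900 "http://example.test/" "Mozilla/5.0 (Windows) Firefox"
198.51.100.7 - - [01/Jan/2000:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Macintosh) Safari"
this line is malformed and must be skipped
"""

# client IP, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# Paths treated as linked resources rather than pages (assumed extension list).
ASSET_RE = re.compile(r'\.(?:gif|jpe?g|png|css|js|ico)(?:\?|$)', re.IGNORECASE)


def page_only_clients(log_text, min_pages=1):
    """Return sorted client IPs that fetched >= min_pages pages and zero assets."""
    pages = defaultdict(int)
    assets = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than guess
        ip, path, _status = m.groups()
        if ASSET_RE.search(path):
            assets[ip] += 1
        else:
            pages[ip] += 1
    # The browser-like user-agent does not matter here: only the request
    # pattern (pages without any linked files) is examined.
    return sorted(ip for ip, n in pages.items()
                  if n >= min_pages and assets.get(ip, 0) == 0)


if __name__ == "__main__":
    for ip in page_only_clients(SAMPLE_LOG):
        print("page-only client:", ip)
```

The Safari user-agent on the flagged client changes nothing in the result, which matches the observation that the missing image fetches, not the agent string, are the likely tell.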


Just a quick note to let you know that tracking link is still active, reports have not been sent yet. Would hate for you to lose your account if that is not reportable for some reason and someone "does you a favor".

Quick reporting or simply do the full reporting and accept what SpamCop can do. My spam shows it catches links in about 50% of the spam I processed in the last week and was able to report on probably about 50% of that. If I quick reported, that would be 25% I missed by doing what I was going to do anyway.

From time to time, I pass the ones spamcop detects and does not process into the Complainerator application available through another spamcop member in the Suggested Tools forum here and determine if I should send those reports.


Just a quick note to let you know that tracking link is still active, reports have not been sent yet. Would hate for you to lose your account if that is not reportable for some reason and someone "does you a favor".

Oops! Thank you. I have reported the message.

-- rick


Archived

This topic is now archived and is closed to further replies.
