
My email address in senders properties


grwsmith


Hello,

I am getting a string of spams from a company called Sao Lois Mining Inc. Somehow they have put my email address in the senders’ properties, well at least that is where it appears in Outlook! How is this? I keep reporting them but they change their address and the contents of the message are just one graphic.

Link to comment
Share on other sites

I am getting a string of spams from a company called Sao Lois Mining Inc. Somehow they have put my email address in the senders’ properties, well at least that is where it appears in Outlook! How is this? I keep reporting them but they change their address and the contents of the message are just one graphic.

Have you reported any of these via SpamCop? If so, can you furnish us with a tracking link so that we can take a closer look? Hard for me to draw many conclusions from the information above.

-- rick

Link to comment
Share on other sites

I do all my reporting by Quick Report, so do not get a link reported. I have just forwarded one of the messages I received yesterday to "submit.<code removed>[at]spam.spamcop.net" and got a reply with subject saying "[spamCop] Errors encountered". I am not sure if I should post the contents as it has a hell of a lot of personal info? Guy.

<Moderator edit> to remove your secret reporting code. If you start to see strange replies from your reporting account, you may want to request a new reporting address.

Link to comment
Share on other sites

If the spam only has your email address in the From, that is a common spammer trick to forge the From address and means nothing.

Since you said they are coming from different sources, it looks as though the spammer is using a bot to send them from various infected computers.

Don't know why the last one had errors. You should be able to look at the report history and find it, I think, and then post the Tracking Url (which is explained in the FAQ) for people to see what happened. It might be that because the spammer is using various sources that that source could not be found quickly by the spamcop parser (the parser can't wait the way a person does).

Spammers generally use a forged From (randomly from their list) for a relatively short period of time and then change to another one so they will probably stop after a while.

Miss Betsy

Link to comment
Share on other sites

I do all my reporting by Quick Report, so do not get a link reported.

OK, well, I'm not an Outlook expert so I don't know exactly what you mean by "sender's properties." That's why it would be helpful to see the SMTP header from one of your spams. However, we know that spammers are able to forge their from-addresses to make it appear as though they came from someone else (even the recipient), and that may be what is going on here.

I Googled "Sao Luis Mining" and found indications that your mailings may be part of a garden-variety stock spam racket. You might want to note this press release in which Sao Luis Mining disclaims the spam.

-- rick

Link to comment
Share on other sites

I have been seeing a lot of this lately as well. Most of it has been stock image spam. The headers will have my email address in several of the lines. I don't have a report link to put here, but let me show you an example of the headers on the spam:

X-Message-Status:

X-SID-Result:

X-Message-Info:

Received:

X-Originating-IP:

X-Originating-Email: [MYEMAIL[at]ADDRESS.com]

Return-Path: MYEMAIL[at]ADDRESS.com

Received:

Message-Id:

To: <MYEMAIL[at]ADDRESS.com>

Subject:

From: admin[at]fakecompany.com <MYEMAIL[at]ADDRESS.com>

The above lines are in the spam (without the actual data in them.) Several of the lines have my email address posted. When this is parsed through spamcop, it is not removed or munged.

Link to comment
Share on other sites

Hi,

I have done a full Spamcop report and here is the link:

http://www.spamcop.net/sc?id=z1316343118z3...27a50c1f11cb59z

Hope it sorts the origin and the reason they are skipping the Spamcop filter.

Guy

SpamCop wouldn't parse it because the headers don't conform to standard e-mail specs (i.e., SMTP). My guess is that somehow you didn't submit the headers in raw form. For example, the critical lines that begin here with "from" are supposed to begin with "Received: from".

To see whether you're doing it right, go to http://www.spamcop.net/fom-serve/cache/19.html and select the appropriate link for your mail client. Mail programs (especially Microsoft) like to do things to the headers that ruin them as far as SpamCop is concerned; you need to be sure you are getting at the actual raw headers as received.

Once you get this sorted out, I suspect that we will find that this is a fairly standard stock spam pitch. The spammers will use a different (stolen) e-mail address in the From: field each time, and will generally send from a different IP address (usually on a botnet) each time. The payload is contained in an image so that it cannot be scanned by text-based spam content filters. Often the images are themselves distorted or oddly colored so that OCR-based spam filters will have a hard time fishing text from the image.

Not much to be done about these other than report, report, report!

-- rick

Link to comment
Share on other sites

I have been seeing a lot of this lately as well. Most of it has been stock image spam. The headers will have my email address in several of the lines. I don't have a report link to put here, but let me show you an example of the headers on the spam:

X-Message-Status:

X-SID-Result:

X-Message-Info:

Received:

X-Originating-IP:

X-Originating-Email: [MYEMAIL[at]ADDRESS.com]

Return-Path: MYEMAIL[at]ADDRESS.com

Received:

Message-Id:

To: <MYEMAIL[at]ADDRESS.com>

Subject:

From: admin[at]fakecompany.com <MYEMAIL[at]ADDRESS.com>

The X-lines are by definition "experimental," probably not worth much investigation. The return-path, to, and from addresses are very easy for spammers to forge, they can usually put in any e-mail address they like.

You omitted the most important parts of the header (at least as far as SpamCop is concerned): the "Received:" lines, of which at least one will be found in each spam (more likely two or more). These lines tell us which machine originated the spam, what provider was serving that machine, and possibly where on the earth the machine is located. These lines usually also include the e-mail address that the spammer intended to send to (in the "for" clause of one of these lines).

Was there something else in your list that you wanted to point out but that I missed?

-- rick

Link to comment
Share on other sites

I have done a full Spamcop report and here is the link:

http://www.spamcop.net/sc?id=z1316343118z3...27a50c1f11cb59z

As rconner states ... what a frigging disaster. I can only surmise that this is 'copied' from some web-mail application, but as noted, there is no way this type of submittal will ever be parsed, due to the bad content and formatting .....

Hope it sorts the origin and the reason they are skipping the Spamcop filter.

Not sure what "skipping the Spamcop filter" might mean as the Disposition: line indicates that it was in fact recognized and treated as (probable) spam ...

X-SpamCop-Disposition: 	Blocked cbl.abuseat.org

I have been seeing a lot of this lately as well. Most of it has been stock image spam. The headers will have my email address in several of the lines. I don't have a report link to put here, but let me show you an example of the headers on the spam:

X-Message-Status:

X-SID-Result:

X-Message-Info:

Received:

X-Originating-IP:

X-Originating-Email: [MYEMAIL[at]ADDRESS.com]

Return-Path: MYEMAIL[at]ADDRESS.com

Received:

Message-Id:

To: <MYEMAIL[at]ADDRESS.com>

Subject:

From: admin[at]fakecompany.com <MYEMAIL[at]ADDRESS.com>

The above lines are in the spam (without the actual data in them.) Several of the lines have my email address posted. When this is parsed through spamcop, it is not removed or munged.

This 'sample/example' is basically useless.

SpamCop FAQ links at the top of this very page

scroll/jump down to the section SpamCop Parsing and Reporting Service

scroll down to find (and follow the link to) How To Get Report History

When you have that data pulled up, then the next FAQ entry of note will be;

Parsing Problems / Issues

How Do I Show Full / Technical Details in a Parse?

"Header incomplete, aborting." and "No source IP address found, cannot proceed."

Causes of "Would send" and "If reported today, reports would be sent to:" messages

SpamCop said "No reports filed." What does it mean?

Steps taken by the parser, general overview

The Link Analysis Process

SpamCop reporting of spamvertized sites - some philosophy

Getting a Tracking URL from a Report ID

^^^^^^^^^^^^^^^^^^^^^^^^^^

Then one of these (hopefully successful) Tracking URLs can be provided to show the missing details.

Link to comment
Share on other sites

This is the full text and header of one of the messages in question:

Content-Type: 	text/html
Date: 	Fri, 1 Jun 2007 01:35:02 +0100 (BST) [01/06/07 01:35:02 BST]
Delivered-To: 	spamcop-net-grwsmith[at]spamcop.net
grwsmith[at]dsl.pipex.com
From: 	admin[at]tdwaterhouse.com
Importance: 	High
MIME-Version: 	1.0
Message-Id: 	<20070531033515.18697.qmail[at]pool-151-203-125-120.bos.east.verizon.net>
Received: 	(qmail 14701 invoked from network); 1 Jun 2007 00:40:04 -0000
from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade5.cesmail.net with SMTP; 1 Jun 2007 00:40:04 -0000
from mx53.cesmail.net ([216.154.195.53]) by c60.cesmail.net with ESMTP; 31 May 2007 20:39:59 -0400
from pop.dsl.pipex.com [62.241.162.110] by mx53.cesmail.net with POP3 (fetchmail-6.2.1) for grwsmith[at]spamcop.net (single-drop); Thu, 31 May 2007 20:39:58 -0400 (EDT)
from national.systems.pipex.net (national.systems.pipex.net [62.241.163.9]) by banzai.systems.pipex.net (Postfix) with ESMTP id AE7D3E00023B for <grwsmith[at]dsl.pipex.com>; Fri, 1 Jun 2007 01:35:03 +0100 (BST)
from pool-151-203-125-120.bos.east.verizon.net (pool-151-203-125-120.bos.east.verizon.net [151.203.125.120]) by national.systems.pipex.net (Postfix) with SMTP id E78C7E00025B for <grwsmith[at]dsl.pipex.com>; Fri, 1 Jun 2007 01:35:02 +0100 (BST)
(qmail 18695 by uid 394); Thu, 31 May 2007 08:35:15 -0500
Return-Path: 	<grxpeering[at]mtt.ru>
Subject: 	RE: Top-Alert
To: 	grwsmith[at]dsl.pipex.com
X-Envelope-To: 	grwsmith[at]dsl.pipex.com
X-IronPort-AV: 	E=Sophos;i="4.16,371,1175486400"; d="scan'208";a="484722258"
X-Original-To: 	grwsmith[at]dsl.pipex.com
X-Originating-Email: 	[grwsmith[at]dsl.pipex.com]
X-Originating-IP: 	[87.84.676.38]
X-Sender: 	grwsmith[at]dsl.pipex.com
X-spam-Checker-Version: 	SpamAssassin 3.1.8 (2007-02-13) on blade5
X-spam-Level: 	
X-spam-Status: 	hits=0.5 tests=HTML_MESSAGE,HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY version=3.1.8
X-SpamCop-Checked: 	192.168.1.105 216.154.195.53 62.241.162.110 62.241.163.9 151.203.125.120
X-SpamCop-Disposition: 	Blocked cbl.abuseat.org 
Part(s): 		 	1 	unnamed 	[text/html] 	5.12 KB 	 	 

Headers: 	Show Limited Headers

I reported it as it appears above on the SpamCop web server by forwarding it to: submit.TSOfxuWMKTDkEREm[at]spam.spamcop.net. So I do not get why it still could not be processed (i.e. as it said in the report: No source IP address found, cannot proceed.)

Wazoo said:

Not sure what "skipping the Spamcop filter" might mean as the Disposition: line indicates that it was in fact recognized and treated as (probable) spam ...

It may have been recognised but SpamCop is still forwarding it to me??!! What is going on there. I have set my SpamAssassin Limit to 4 and selected all the DNS Blacklists. Does it need to go lower than 4?

Guy

Link to comment
Share on other sites

from mx53.cesmail.net ([216.154.195.53]) by c60.cesmail.net with ESMTP; 31 May 2007 20:39:59 -0400
from pop.dsl.pipex.com [62.241.162.110] by mx53.cesmail.net with POP3 (fetchmail-6.2.1) for grwsmith[at]spamcop.net (single-drop); Thu, 31 May 2007 20:39:58 -0400 (EDT)
from national.systems.pipex.net (national.systems.pipex.net [62.241.163.9]) by banzai.systems.pipex.net (Postfix) with ESMTP id AE7D3E00023B for <grwsmith[at]dsl.pipex.com>; Fri, 1 Jun 2007 01:35:03 +0100 (BST)
from pool-151-203-125-120.bos.east.verizon.net (pool-151-203-125-120.bos.east.verizon.net [151.203.125.120]) by national.systems.pipex.net (Postfix) with SMTP id E78C7E00025B for <grwsmith[at]dsl.pipex.com>; Fri, 1 Jun 2007 01:35:02 +0100 (BST)
(qmail 18695 by uid 394); Thu, 31 May 2007 08:35:15 -0500

The lines above from your last post are malformed. Like I said, they need to start with "Received:" or they don't comply with SMTP, and SpamCop won't/can't parse them. Also, I saw in the tracking link you posted, these lines are not properly folded according to SMTP requirements. There's no body to the message (despite what you said), but there's an odd notation where the body would be: "Headers: Show Limited Headers".

It seems rather unlikely that the message could have reached you with the headers in this condition, so somewhere after you have received it they are getting munged, most likely by the program you use to pick up and read the mail.

Sorry, I'd suggest (re)visiting my earlier advice.

-- rick

Link to comment
Share on other sites

The information learned here is always valuable, and is much appreciated when someone with the knowledge such as Rick and Wazoo provides answers.

Here is a tracking URL http://www.spamcop.net/sc?id=z1314073331z8...51abc7ecd55e7cz

for one of the image stock spams I have recently received and reported.

Wazoo, thank you for the instructions on how to obtain the tracking URL.

Link to comment
Share on other sites

I've also begun to receive spams like these. Unlike most recent stock spam, they have gone back to hosting their pitches on graphics that are served from websites (rather than being embedded directly into the message). I expect this is a countermeasure against the deployment of spam filters that attempt to scan embedded images for text, or even to reject mails altogether if they have certain styles of embedding.

The body is basically two big servings of meaningless "text salad" with an URL in the middle pointing to the image link at bewerbung-leicht-gemacht.com. The reader's eye will be drawn to the image (if it loads) and not to the text, but the text may be useful (according to old spammers' tales) to help defeat Bayesian spam filters.

I won't say that the host I named above is spamaceous, but its main page is suspiciously lightweight, and actually is headed with a completely different domain name ("lebenslauf.de").

Since a lot of the shares these guys tout are on the DAX (Frankfurt) exchange, and since they speak German on the image hosting site, I'm going to posit that these guys are German. The hosting provider for the website is located next door in the Czech Republic.

-- rick

Link to comment
Share on other sites

The body is basically two big servings of meaningless "text salad" with an URL in the middle pointing to the image link at bewerbung-leicht-gemacht.com. The reader's eye will be drawn to the image (if it loads) and not to the text, but the text may be useful (according to old spammers' tales) to help defeat Bayesian spam filters.

I won't say that the host I named above is spamaceous, but its main page is suspiciously lightweight, and actually is headed with a completely different domain name ("lebenslauf.de").

(All) good data, thanks Rick. Hmmm... bewerbung-leicht-gemacht, roughly "facilitated application" and lebenslauf "personal record". I'm going to hop wayyy out on a limb here and opine these are not just spamaceous but are, indeed "essence de spam". :D While truth in advertizing might indicate a better name (Unverschämtheit unbegrenzt "impudence unlimited" for instance) we take it on faith, supported by endless anecdotal evidence, that spammers are better at prevarication if not outright mendacity than they are at probity.
Link to comment
Share on other sites

Rick,

Sorry but I am not getting this. I am not a total newbie but, as I said, is the problem, that I am doing quick reports? I do understand the reason why my email address appears in the Senders properties when message is displayed in Outlook.

However, Regarding:

It seems rather unlikely that the message could have reached you with the headers in this condition, so somewhere after you have received it they are getting munged, most likely by the program you use to pick up and read the mail.

The text I included for the spam message was copied direct from Spamcop webmail page. I use Opera instead of MS IE as my browser; could that be a problem? I report my spams direct from spamcop.net. I do download copies to Outlook, leaving a copy on the server for 2 weeks.

This is a copy of the same message I displayed previously, as it appears using MS IE ver7:

Content-Type: text/html

Date: Fri, 1 Jun 2007 01:35:02 +0100 (BST) [01/06/07 01:35:02 BST]

Delivered-To: spamcop-net-grwsmith[at]spamcop.net

grwsmith[at]dsl.pipex.com

From: admin[at]tdwaterhouse.com

Importance: High

MIME-Version: 1.0

Message-Id: <20070531033515.18697.qmail[at]pool-151-203-125-120.bos.east.verizon.net>

Received: (qmail 14701 invoked from network); 1 Jun 2007 00:40:04 -0000

from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade5.cesmail.net with SMTP; 1 Jun 2007 00:40:04 -0000

from mx53.cesmail.net ([216.154.195.53]) by c60.cesmail.net with ESMTP; 31 May 2007 20:39:59 -0400

from pop.dsl.pipex.com [62.241.162.110] by mx53.cesmail.net with POP3 (fetchmail-6.2.1) for grwsmith[at]spamcop.net (single-drop); Thu, 31 May 2007 20:39:58 -0400 (EDT)

from national.systems.pipex.net (national.systems.pipex.net [62.241.163.9]) by banzai.systems.pipex.net (Postfix) with ESMTP id AE7D3E00023B for <grwsmith[at]dsl.pipex.com>; Fri, 1 Jun 2007 01:35:03 +0100 (BST)

from pool-151-203-125-120.bos.east.verizon.net (pool-151-203-125-120.bos.east.verizon.net [151.203.125.120]) by national.systems.pipex.net (Postfix) with SMTP id E78C7E00025B for <grwsmith[at]dsl.pipex.com>; Fri, 1 Jun 2007 01:35:02 +0100 (BST)

(qmail 18695 by uid 394); Thu, 31 May 2007 08:35:15 -0500

Return-Path: <grxpeering[at]mtt.ru>

Subject: RE: Top-Alert

To: grwsmith[at]dsl.pipex.com

X-Envelope-To: grwsmith[at]dsl.pipex.com

X-IronPort-AV: E=Sophos;i="4.16,371,1175486400"; d="scan'208";a="484722258"

X-Original-To: grwsmith[at]dsl.pipex.com

X-Originating-Email: [grwsmith[at]dsl.pipex.com]

X-Originating-IP: [87.84.676.38]

X-Sender: grwsmith[at]dsl.pipex.com

X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade5

X-spam-Level:

X-spam-Status: hits=0.5 tests=HTML_MESSAGE,HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY version=3.1.8

X-SpamCop-Checked: 192.168.1.105 216.154.195.53 62.241.162.110 62.241.163.9 151.203.125.120

X-SpamCop-Disposition: Blocked cbl.abuseat.org

Part(s): 1 unnamed [text/html] 5.12 KB

Headers: Show Limited Headers

As you can see it still has the 'From' instead of 'Received from'.

but there's an odd notation where the body would be: "Headers: Show Limited Headers".

"Show Limited Headers" is a Spamcop button switching the message to and from full/limited headers.

I have just realised where the problem may be. Below is a copy of the message using message source.

Return-Path: <grxpeering[at]mtt.ru>
Delivered-To: spamcop-net-grwsmith[at]spamcop.net
Received: (qmail 14701 invoked from network); 1 Jun 2007 00:40:04 -0000
X-spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on blade5
X-spam-Level: 
X-spam-Status: hits=0.5 tests=HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,
	MIME_HTML_ONLY version=3.1.8
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade5.cesmail.net with SMTP; 1 Jun 2007 00:40:04 -0000
X-IronPort-AV: E=Sophos;i="4.16,371,1175486400"; 
   d="scan'208";a="484722258"
Received: from mx53.cesmail.net ([216.154.195.53])
  by c60.cesmail.net with ESMTP; 31 May 2007 20:39:59 -0400
X-Original-To: grwsmith[at]dsl.pipex.com
X-Envelope-To: grwsmith[at]dsl.pipex.com
Delivered-To: grwsmith[at]dsl.pipex.com
Received: from pop.dsl.pipex.com [62.241.162.110]
	by mx53.cesmail.net with POP3 (fetchmail-6.2.1)
	for grwsmith[at]spamcop.net (single-drop); Thu, 31 May 2007 20:39:58 -0400 (EDT)
Received: from national.systems.pipex.net (national.systems.pipex.net [62.241.163.9])
	by banzai.systems.pipex.net (Postfix) with ESMTP id AE7D3E00023B
	for <grwsmith[at]dsl.pipex.com>; Fri,  1 Jun 2007 01:35:03 +0100 (BST)
Received: from pool-151-203-125-120.bos.east.verizon.net (pool-151-203-125-120.bos.east.verizon.net [151.203.125.120])
	by national.systems.pipex.net (Postfix) with SMTP id E78C7E00025B
	for <grwsmith[at]dsl.pipex.com>; Fri,  1 Jun 2007 01:35:02 +0100 (BST)
X-Originating-IP: [87.84.676.38] 
X-Originating-Email: [grwsmith[at]dsl.pipex.com] 
X-Sender: grwsmith[at]dsl.pipex.com
Received: (qmail 18695 by uid 394); Thu, 31 May 2007 08:35:15 -0500
Message-Id: <20070531033515.18697.qmail[at]pool-151-203-125-120.bos.east.verizon.net>
To: <grwsmith[at]dsl.pipex.com>
Subject: RE: Top-Alert
From: admin[at]tdwaterhouse.com <grwsmith[at]dsl.pipex.com>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
Date: Fri,  1 Jun 2007 01:35:02 +0100 (BST)
X-SpamCop-Checked: 192.168.1.105 216.154.195.53 62.241.162.110 62.241.163.9 151.203.125.120 
X-SpamCop-Disposition: Blocked cbl.abuseat.org

<style>

<!I have been lowcarbing for about 3months (had a week off over xmas) however,
back on induction....

If i do a small amount of cardio e.g 30 - 40 mins Bike; after - the endorphins
seem to flow and i don't feel too bad.  However, if i do resistance training i
seem to feel really drained of energy and i am overcome by a generall feeling
of unwellness.

After resistance training today (feeling drained)i went and ate a low carb
breakfast, which seemed to pick me up but throughout the day i have still felt
pretty sh**ty...

Help anyone?  I know this post is prob a bit vague but im hoping its just a
common hurdle that people know about...........

Wayne

><!HAHAHAHAHA. This cross-dressing loony is turning out to be a godsend
for the liberals.


(snip)

After we bomb North Korea, what's the next country we should invade?

"Iran. Though that's the beauty part of Iraq: It may well not be
necessary. Because precisely what I'm saying with nuking North
Korea-despite that wonderful peace deal Madeline Albright negotiated
with the North Koreans, six seconds before they feverishly began
developing nuclear weapons. They're a major threat. I just think it
would be fun to nuke them and have it be a warning to the rest of the
world."

(snip)
><
I'm gonna say I could take Ray Romano. Just 'cause I really want to. Here 
are my faves from the above page:

The Onion: Who could you take in a fight?

Conan O'Brien: Let's see, who could I take in a fight? Definitely Ruth 
Bader Ginsburg. Have you seen her? Her upper body is very frail. I think I 
could take her if she was sleepy and I had a two-by-four. She'd go down 
quickly.



The Onion: Who could you take in a fight?

Emo Philips: Hawking, Reeve. Not at the same time.

-- 
ironcladlou, keeper of faq, bringer of poop humor

"You are a pitiful excuses for a human beings."  - tzakol
><!Hi,

I was wondering what is the best way to find out the person to whom a coat 
of arms was granted. I have a list from Burke's Armory of Perry/Pery Arms 
that were granted (about 15 in total) but most of them don't say which 
particular person the Arms were granted to, although I know one or two of 
them. I have found one of the families in the Herald's visitations, but it 
doesn't say to whom the arms were granted, is the earliest person in the 
pedigree the original bearer of the arms? I realise I can apply to the 
College of Arms, but I was hoping there would be a slightly more inexpensive 
option!

Thanks

Vicki

_________________________________________________________________
Match.com - Click Here To Find Singles In Your Area Today!  

>

<!For those AFers contemplating a walking program this Spring, you may want to
pick up the April issue of Prevention.  A special issue devoted to Walking
Smart.
Included is a 4 week pull-out plan specified for either the Walking Rookie or
the Walking Whiz.  Lots of great tips.  Also included is their test of Walking
Shoes including an excerpt on whether your foot is neutral, rigid or flexible
which should enter into your choice of shoes.  Shoes tested were Adida, Asics,
New Balance, Nike, Reebox and Saucony.   I have decided I must have the New
Balance 788WB as the testers commented on lots of space in the toe area.  Also
lists the 12 best Walking Cities.
</style><img src="http://www.sourimage.com/img/cf27d97ceb13cd985b9db2171e04a330/ar3453422t34.jpg">
<style>
Remember Friday, April 2 is Prevention's National Walk to Work Day.

Plus a lot of other good articles.
Jo Ann

>

<!There used to be this show on Channel 7 (WXYZ in Detroit)  Friday nights at 
11:30 pm called "In Concert". I was an impressionable 13-yr-old just gettin' 
in to rock music in the summer of 1974 when they showed parts of the 
California Jam in sucessive weeks on TV. I was a Deep Purple freak (still 
am) and sat glued to the set, enthralled with Ritchie Blackmore's stage 
antics (trashing a television camera while it was filming him and 'blowing 
up' his amps).

Well, "Deep Purple - Live In California '74" was released on DVD yesterday, 
and it's just as enthralling (warts and all) as it was 26+ yeard ago. It may 
not have been their best show, but it reminded me of the thrill I got when I 
was a kid. I hope that thrill never goes away.

-- 
Steve >

<!Hi there, when I first turn on my computer for the day, it will run fine for
up to 3 minutes or so until I get a complete blue screen with an error
message which reads:
____________________________________________
*** HARDWARE MALFUNCTION
PLEASE CONTACT YOUR HARDWARE VENDOR		 (something like this)

*** The sv
____________________________________________

I can not do a CRTL-ALT-DEL reboot or anything....no response to anything
except for a complete hard reboot.  After a reboot my computer will run
perfectly fine and won't see this message again.
I only get the error message when my computer is cold it seems.  But after
running a while, it runs perfectly.

Has anyone had this problem, or can anyone shed some light into this issue
please?

Thank you very much for your help people.
Please respond to group.  Thank you.

</style>

I have no idea what that is all about. None of that text appears in the message when I read the message in Outlook! All that appears is a single graphic. Is this the

"text salad" with an URL in the middle
you talk about?

Guy

Link to comment
Share on other sites

Sorry but I am not getting this. I am not a total newbie but, as I said, is the problem, that I am doing quick reports? I do understand the reason why my email address appears in the Senders properties when message is displayed in Outlook.

I don't know exactly what you are talking about either.

The text I included for the spam message was copied direct from Spamcop webmail page.

I have just realised where the problem may be. Below is a copy of the message using message source.

Yes, you have discovered the exact problem. It should be noted that there are several entries in the How to Use .... Forum section that would have helped you understand this a lot quicker .... the various How to ask Questions ... entries would also have had you identifying the tools in use and exactly how you were using them in your first post also ....

Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade5.cesmail.net with SMTP; 1 Jun 2007 00:40:04 -0000
Received: from mx53.cesmail.net ([216.154.195.53])
  by c60.cesmail.net with ESMTP; 31 May 2007 20:39:59 -0400
Received: from pop.dsl.pipex.com [62.241.162.110]
	by mx53.cesmail.net with POP3 (fetchmail-6.2.1)
	for grwsmith[at]spamcop.net (single-drop); Thu, 31 May 2007 20:39:58 -0400 (EDT)
Received: from national.systems.pipex.net (national.systems.pipex.net [62.241.163.9])
	by banzai.systems.pipex.net (Postfix) with ESMTP id AE7D3E00023B
	for <grwsmith[at]dsl.pipex.com>; Fri,  1 Jun 2007 01:35:03 +0100 (BST)

Yes, this is the exact issue that has been discussed since your first post.

I have no idea what that is all about. None of that text appears in the message when I read the message in Outlook! All that appears is a single graphic. Is this the you talk about?

There wasn't really a good reason to post the entire spam, but .. as you did .... take a close look, then read Linear Post #2 in the Topic at http://forum.spamcop.net/forums/index.php?showtopic=8306 .... you will see the exact same 'issue' .. the use of the < s t y l e> HTML tags ... compounded by the fact that you are using Outlook in a totally unsecure mode ..... and although http://forum.spamcop.net/forums/index.php?showtopic=3571 was specifically written for Outlook Express, the same concepts and most of the same settings apply....

Link to comment
Share on other sites
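
The header problem discussed in this thread, as an added example (not part of any post, and not SpamCop's parser): a standard header parser stops at the first unlabelled "from ..." line of the webmail display, so no relay IP is left to analyse, while the folded "Message Source" form yields the whole chain. The sample headers are constructed from those quoted above (trimmed, recipient replaced by a placeholder); the trusted-relay suffixes and all function names are assumptions made for the illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed from the headers quoted in the thread: routing lines only, with
# the recipient replaced by the placeholder user@example.com.
RAW_SOURCE = """\
Received: (qmail 14701 invoked from network); 1 Jun 2007 00:40:04 -0000
Received: from unknown (HELO c60.cesmail.net) (192.168.1.105)
  by blade5.cesmail.net with SMTP; 1 Jun 2007 00:40:04 -0000
Received: from mx53.cesmail.net ([216.154.195.53])
  by c60.cesmail.net with ESMTP; 31 May 2007 20:39:59 -0400
Received: from pop.dsl.pipex.com [62.241.162.110]
\tby mx53.cesmail.net with POP3 (fetchmail-6.2.1)
\tfor user@example.com (single-drop); Thu, 31 May 2007 20:39:58 -0400 (EDT)
Received: from national.systems.pipex.net (national.systems.pipex.net [62.241.163.9])
\tby banzai.systems.pipex.net (Postfix) with ESMTP id AE7D3E00023B
\tfor <user@example.com>; Fri,  1 Jun 2007 01:35:03 +0100 (BST)
Received: from pool-151-203-125-120.bos.east.verizon.net (pool-151-203-125-120.bos.east.verizon.net [151.203.125.120])
\tby national.systems.pipex.net (Postfix) with SMTP id E78C7E00025B
\tfor <user@example.com>; Fri,  1 Jun 2007 01:35:02 +0100 (BST)
Received: (qmail 18695 by uid 394); Thu, 31 May 2007 08:35:15 -0500
Subject: RE: Top-Alert

(body omitted)
"""

# Some of the same hops as the webmail "all headers" display showed them:
# one label, every hop unfolded onto its own unlabelled line.
WEBMAIL_VIEW = """\
Received: (qmail 14701 invoked from network); 1 Jun 2007 00:40:04 -0000
from unknown (HELO c60.cesmail.net) (192.168.1.105) by blade5.cesmail.net with SMTP; 1 Jun 2007 00:40:04 -0000
from mx53.cesmail.net ([216.154.195.53]) by c60.cesmail.net with ESMTP; 31 May 2007 20:39:59 -0400
from pool-151-203-125-120.bos.east.verizon.net (pool-151-203-125-120.bos.east.verizon.net [151.203.125.120]) by national.systems.pipex.net (Postfix) with SMTP id E78C7E00025B for <user@example.com>; Fri, 1 Jun 2007 01:35:02 +0100 (BST)
(qmail 18695 by uid 394); Thu, 31 May 2007 08:35:15 -0500
Subject: RE: Top-Alert
"""

# Assumption: relays the recipient trusts to record hops honestly (here the
# webmail host and the ISP named in the thread's headers).
TRUSTED_SUFFIXES = (".cesmail.net", ".pipex.net")

BY_HOST = re.compile(r"\bby\s+([\w.-]+)")
HOP_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")


def received_hops(raw):
    """Return (Received values newest first, names of parser defects)."""
    msg = message_from_string(raw)
    hops = msg.get_all("Received", [])
    return hops, [type(d).__name__ for d in msg.defects]


def public_ip(text):
    """First syntactically valid, non-private IPv4 literal in text, else None."""
    for candidate in HOP_IP.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. an octet above 255
            continue
        if not ip.is_private:
            return str(ip)
    return None


def source_ip(raw, trusted=TRUSTED_SUFFIXES):
    """Walk hops newest first; keep the last IP a trusted relay recorded."""
    hops, _ = received_hops(raw)
    source = None
    for hop in hops:
        by = BY_HOST.search(hop)
        if by is None:
            continue  # local hand-off note, no relay named
        if not by.group(1).lower().endswith(trusted):
            break  # written by an unknown host: this and older lines are forgeable
        source = public_ip(hop[:by.start()]) or source
    return source


if __name__ == "__main__":
    for name, raw in (("message source", RAW_SOURCE), ("webmail view", WEBMAIL_VIEW)):
        hops, defects = received_hops(raw)
        print(f"{name}: {len(hops)} Received lines, "
              f"source={source_ip(raw)}, defects={defects}")
```

The bottom "(qmail 18695 by uid 394)" line is not attributed to a trusted relay, so the walk stops there instead of treating it as a real hop.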

I reported it as it appears above on the SpamCop web server by forwarding it to: submit.<SECRET CODE REMOVED AGAIN>[at]spam.spamcop.net. So I do not get why it still could not be processed (i.e. as it said in the report: No source IP address found, cannot proceed.)

Wazoo said:

It may have been recognised but SpamCop is still forwarding it to me??!! What is going on there. I have set my SpamAssassin Limit to 4 and selected all the DNS Blacklists. Does it need to go lower than 4?

Guy

As Wazoo mentioned, what you posted above and submitted looks more like you clicked the "Show All Headers" link in webmail and pasted it into the parser page. Clicking the "Message Source" link in the small menu just above the message will show what you want to paste into the form.

Forwarding to your SECRET CODE (which you once again revealed to all the spammers in the world) has not worked in some time as noted in several posts in the EMail forum. I have resorted to making sure whatever I want to full report is in the Held Mail folder, then hitting the "Report spam" icon at the top of the page and reporting from VER (Held Email tab on the resulting page).

The only reason that message, as presented, would have been forwarded to you is that you have your account configured for "Tag only" in which case all spam would be forwarded. Another possibility is that you did not include a line like: X-Spamcop-Whitelisted:xxx which indicates you have an address whitelisted which bypasses the filters.

Link to comment
Share on other sites

Is this the {text salad} you talk about?

Guy

This is a different message than the one I referred to above, but the principle is the same. You will notice that the blocks of text on either side of the payload image link are contained in <style>...</style> tags as if they contained stylesheet definitions; this stuff will not be rendered as part of the page. This is a pretty standard spammer tactic, used to "bloat up" a message with neutral text. It doesn't matter that these data aren't really stylesheet info, since your browser ignores them unless they are used somewhere in the message.

I still don't know what is going on with the quoting and headers, but the copy of the spam you posted "using message source" does not seem to be mangled like the earlier ones. If I read it correctly, it shows that the message (probably) originated from 151.203.125.120, which is a Verizon broadband pool address, hence probably a zombie.

-- rick

Link to comment
Share on other sites
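
A filter-side check for the `<style>` padding described in the post above, as an added example (not part of the thread and not any product's rule): it separates text a mail client renders from text inside `<style>` elements and flags a body that displays only an image while carrying prose, rather than CSS rules, in its stylesheets. Both sample bodies, the placeholder URL, the word threshold and all names are constructed for the illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the body quoted in the thread: prose wrapped
# in <style> elements around a single remote image (placeholder URL).
SPAM_BODY = """\
<style>
<!Constructed filler paragraph one with ordinary sentences about walking
shoes and weekend plans that never render in the mail client.
>
<!Second unrelated filler paragraph about a television concert from many
years ago, again invisible to the reader.
</style><img src="http://images.example.invalid/pitch.jpg">
<style>
More filler prose that is never displayed because it sits in a style element.
</style>
"""

# Constructed benign message: a real stylesheet rule plus visible text.
BENIGN_BODY = (
    "<style>p { color: #333; }</style>"
    '<p>Your May invoice is attached.</p><img src="logo.png">'
)


class _Scanner(HTMLParser):
    """Split rendered text from text held inside <style>/<script> elements."""

    def __init__(self):
        super().__init__()
        self.hidden, self.visible, self.images = [], [], []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
        elif tag == "img":
            src = dict(attrs).get("src")
            if src:
                self.images.append(src)

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        (self.hidden if self._skip else self.visible).append(data)


def analyze(body, min_hidden_words=20):
    """Summarise what renders, what is hidden, and whether the mix is suspicious."""
    scanner = _Scanner()
    scanner.feed(body)
    scanner.close()
    hidden = "".join(scanner.hidden)
    visible = " ".join("".join(scanner.visible).split())
    css_rules = len(re.findall(r"\{[^{}]*\}", hidden))       # selector { ... } blocks
    hidden_words = len(re.findall(r"[A-Za-z]{3,}", hidden))  # prose-like tokens
    return {
        "images": scanner.images,
        "visible_text": visible,
        "hidden_words": hidden_words,
        "css_rules": css_rules,
        # Only an image renders, yet the stylesheets hold prose and no CSS rule.
        "suspicious": bool(scanner.images) and not visible
        and css_rules == 0 and hidden_words >= min_hidden_words,
    }


if __name__ == "__main__":
    for name, body in (("spam", SPAM_BODY), ("benign", BENIGN_BODY)):
        print(name, analyze(body))
```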

Archived

This topic is now archived and is closed to further replies.
