
lots of geocities spam getting through


Lydia


For the past couple of weeks or so, I have noticed that there is much more spam making it into my spamcop email account than there used to be. Almost all of it is advertising GeoCities URLs. When I report this spam, the URLs don't seem to get parsed for some reason, since there is almost never an email generated to Yahoo/GeoCities abuse. There is only mail sent to the admins of the network where the spam originated.

I don't understand why so much of this is getting through. There doesn't appear to be anything particularly unusual or complicated about the emails. They're for commonly-spamvertised products like pharmaceuticals and penis-enlargement crap, and contain spammy keywords.

Here's an example: Tracking URL for recent spam

Is there any way to cut down on this? I use IMAP, and not the webmail interface, so it's my understanding that using the filter mechanism in Horde won't help.

Link to comment
Share on other sites


You are correct, the Horde webmail filters will not help. The IP address for the message shown is currently listed, but possibly was not when you received the message. There are currently lots of reports against it right now, however. It is also listed at several large bl's:

dnsbl.sorbs.net

bl.spamcop.net

cbl.abuseat.org

pbl.spamhaus.org

What bl's do you have spamcop checking?

Link to comment
Share on other sites

I'm wondering if you have all the available blacklists turned "on" in your SC email config? The reason I'm wondering is that the source IP of your sample message is listed in all of the following BLs right now:

cbl.abuseat.org

dnsbl-2.uceprotect.net

dnsbl-3.uceprotect.net

dnsbl.sorbs.net

dul.dnsbl.sorbs.net

no-more-funn.moensted.dk

sbl-xbl.spamhaus.org

spamcop

xbl.spamhaus.org

The SCBL listing happened about 3 hours ago, but apparently after you received the message. The CBL listing happened at:

2008-02-18 15:00 GMT (+/- 30 minutes)

which is only 10 minutes before the SC email system accepted the message on your behalf. The IP is also listed in the SpamHaus PBL, but IIRC, the SC implementation of PBL blocking is a bit lacking, in that it *should* have caught this one for you, but I've previously reported in this forum about the problems with the PBL implementation.

The parser probably should have offered to send a report on the URL, however, unless there's something specific about that host that I'm not aware of.

(on edit) Looks like Steven beat me to the punch on this one (we were both composing our messages simultaneously). Steven, there are problems with the SC email implementation of several of those BLs...you and I have discussed this, and this poster's problem is further proof that I'm probably correct...hope you come around eventually. :-) And if we had SORBS back....another thing I've asked for....it probably would have been caught.

DT

Link to comment
Share on other sites

In a recent discussion in the newsgroups a couple of senior commentators between them proposed a DNSbl set of:

bl.spamcop.net

cbl.abuseat.org

zen.spamhaus.org (alternatively just pbl.spamhaus.org)

dul.dnsbl.sorbs.net

list.dsbl.org

Link to comment
Share on other sites
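
An added example, not part of any post in this thread: how a mail filter checks a sending IP against a DNSBL set like the one proposed above. The query name is the IPv4 octets reversed and prepended to the zone, and an answer counts as a listing only if it falls in 127.0.0.0/8. The resolver data, the 192.0.2.25 address and the return codes are constructed so the example runs offline.

```python
import ipaddress
import socket

# Zone set quoted in the post above.
ZONES = [
    "bl.spamcop.net",
    "cbl.abuseat.org",
    "zen.spamhaus.org",
    "dul.dnsbl.sorbs.net",
    "list.dsbl.org",
]
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets prepended to the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A record for name, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=ZONES, resolve=system_resolver):
    """Return {zone: return_code} for every zone that lists ip."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        # By convention a listing is an A record inside 127.0.0.0/8. Any other
        # answer (for example a wildcard on a lapsed zone) is not a hit.
        if answer and ipaddress.IPv4Address(answer) in LISTED_RANGE:
            hits[zone] = answer
    return hits


# Constructed resolver data (assumption): a documentation address with
# made-up return codes, standing in for live DNS answers.
FAKE_DNS = {
    "25.2.0.192.bl.spamcop.net": "127.0.0.2",
    "25.2.0.192.cbl.abuseat.org": "127.0.0.2",
    "25.2.0.192.list.dsbl.org": "203.0.113.7",  # outside 127/8: ignored
}

if __name__ == "__main__":
    print(check_ip("192.0.2.25", resolve=FAKE_DNS.get))
```
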

  • 1 month later...
...proposed ... DNSbl set:

bl.spamcop.net

cbl.abuseat.org

zen.spamhaus.org (alternatively just pbl.spamhaus.org)

dul.dnsbl.sorbs.net

list.dsbl.org

And recently, in grc.spam, poster ObiWan reported good results with:

ix.dnsbl.manitu.net (from heise.de)

The point of that one being, like SC, it is what is lightly called "zero maintenance" meaning delisting is automatic - after 72 hours spam-free (and yes, the "zero maintenance" description would give both Heise and SC staff a wry chuckle). A quick sampling of listings in SC's HoS shows surprisingly little overlap between the two bls. I was sorta expecting the same "usual suspects" but with greater persistence in the manitu.net one but the fairly low initial coincidence means a lot more data (IP addresses) would need to be sampled over a longer time interval to test that (not having access to report history myself).

Anyway, could be worth a try, another array of spamtraps in play and "faultless" delisting.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
