daizzzy Posted October 30, 2008 Share Posted October 30, 2008 how to report this kind of spam? SC sends abuse to yahoo, but it's misleading. p.s. i couldn't use quote or code tag for mail source code (( are they working? Delivered-To: ***** Received: by 10.100.201.17 with SMTP id y17cs68468anf; Thu, 30 Oct 2008 01:44:40 -0700 (PDT) Received: by 10.150.121.3 with SMTP id t3mr8917708ybc.131.1225356280593; Thu, 30 Oct 2008 01:44:40 -0700 (PDT) Return-Path: <corneliusspurrial2554441[at]yahoo.com> Received: from n8.bullet.re3.yahoo.com (n8.bullet.re3.yahoo.com [68.142.237.93]) by mx.google.com with SMTP id 6si1915233gxk.63.2008.10.30.01.44.39; Thu, 30 Oct 2008 01:44:39 -0700 (PDT) Received-SPF: pass (google.com: domain of corneliusspurrial2554441[at]yahoo.com designates 68.142.237.93 as permitted sender) client-ip=68.142.237.93; DomainKey-Status: good (test mode) Authentication-Results: mx.google.com; spf=pass (google.com: domain of corneliusspurrial2554441[at]yahoo.com designates 68.142.237.93 as permitted sender) smtp.mail=corneliusspurrial2554441[at]yahoo.com; domainkeys=pass (test mode) header.From=corneliusspurrial2554441[at]yahoo.com Received: from [68.142.237.87] by n8.bullet.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000 Received: from [216.252.111.168] by t3.bullet.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000 Received: from [127.0.0.1] by omp103.mail.re3.yahoo.com with NNFMP; 30 Oct 2008 08:44:39 -0000 X-Yahoo-Newman-Property: ymail-3 X-Yahoo-Newman-Id: 339748.58950.bm[at]omp103.mail.re3.yahoo.com Received: (qmail 15577 invoked by uid 60001); 30 Oct 2008 08:44:39 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Received:Date:From:Subject:To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=bXgHje4EBUoFzNNABBEB0E/EXc0sC4pBWE4sEdMLqzy8P0/2HC+QJ+mnFiGGKPSMeVe0vruKIRMqC003N31eJ+iXQZtoERMMzhkPHaibu9Lkm8HPpvfnBOH2CPiFc7RWYzdQ4BwLCPS3bqnLWknuhhxXVqimhS9NUmvB+IFQD/o=; Received: from [85.87.241.196] by web57410.mail.re1.yahoo.com via HTTP; Thu, 30 Oct 2008 01:44:39 PDT Date: Thu, 30 Oct 2008 01:44:39 -0700 (PDT) From: Cornelius Spurrial <corneliusspurrial2554441[at]yahoo.com> Subject: seeix up your life her To: daddieskitten1966[at]sbcglobal.ne Cc: pcurrynew[at]aol.com, shineon[at]blueyonder.co.uk, sjdhkj[at]gfhklj.com, acerroo[at]sbcglobal.net, ckroll[at]tmail.com, bryanindelmar[at]yahoo.com, seancnd[at]hotmail.com, electroshy26[at]yahoo.com, memo85_85[at]hotmail.com, tmthyis07[at]yahoo.com, martinezjr.alexander[at]gmail.com, aaghtsbbddf[at]hotmail.com, aschwemmer[at]vjf.inserm.fr, airichiro[at]aol.com, chstrfox[at]yahoo.com, kid-vargas[at]hotmail.com, naughty_alyssa21[at]hotmail.com MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Message-ID: <138732.14265.qm[at]web57410.mail.re1.yahoo.com> mary cake round low rings ma hues mist. google.com/notebook/public/05377497236356013399/BDQqXSgoQrbKf0dIj/?harkwerzrspillpewtyr2elbow Link to comment Share on other sites More sharing options...
Spamnophobic Posted October 30, 2008 Share Posted October 30, 2008 First of all, you are giving a sexually harassing spammer free publicity with the URL below. I hope a moderator will be along very soon to remove it! When posting an example it is always best to provide a tracking url than to paste even the spam header. Certainly the body of a spam should never be pasted. See here for instructions on how to obtain a tracking url. To me as a technically non-fluent SpamCop user it is not clear what your problem is with reporting. I think you will need to explain it more clearly. Then technically fluent people will be along to help you with your problem, probably as dawn breaks on the shores of America (although certain Western Australian specialists may also find the time in their afternoon schedule...) Link to comment Share on other sites More sharing options...
daizzzy Posted October 30, 2008 Author Share Posted October 30, 2008 thx fixed url i don't know how to explain more clearly. SC recognizes only 1 source of spam - yahoo. but it's misleading recognition. Link to comment Share on other sites More sharing options...
Miss Betsy Posted October 30, 2008 Share Posted October 30, 2008 I think your problem is that you are not forwarding as attachment. I haven't read much of this topic, but StevenUnderwood says: My solution above has nothing to do with holding down any button. With Yahoo! Mail Classic, there is a pulldown next to Forward which offers: Forward |-As Inline Text |-As Attachment This works in IE, FireFox and Safari on Windows. I don't see why it would not also work on a MAC. I also think that if you are not using Yahoo!Mail Classic, you don't have that option, but I am not sure on that point. Miss Betsy Link to comment Share on other sites More sharing options...
daizzzy Posted October 30, 2008 Author Share Posted October 30, 2008 I think your problem is that you are not forwarding as attachment. I haven't read much of this topic, but StevenUnderwood says: I also think that if you are not using Yahoo!Mail Classic, you don't have that option, but I am not sure on that point. sorry, didn't get it completely ) let me explain in other words. spaamers are using techniques which SC can't process correctly. and i don't think it's possible to do automatically. i just need some recommendations hot to do it manually. Link to comment Share on other sites More sharing options...
Miss Betsy Posted October 30, 2008 Share Posted October 30, 2008 Usually people who are having trouble submitting spam are not 'forwarding as attachment' However, I see now why you were confused. I think, for better advice, that you should post a Tracking URL (a definition can be found Here in the spamcop glossary) I am not an expert at reading headers, but it looks to me as though the spam did come from yahoo. The parser may not have been able to pick up the IP address that posted to yahoo ( which I think is there). However, if you get the Tracking URL, that would help people decide why the parser stopped when it did. Miss Betsy PS you can cancel the report if you have to submit it again to get a Tracking URL. Link to comment Share on other sites More sharing options...
artmaker Posted October 30, 2008 Share Posted October 30, 2008 I'd be interested to learn how to forward as attachment using yahoo too! So you know, they removed the pull down menu they USED to have. IT's gone. And... using a mac, there is NO WAY to get any option to forward as attachment. NO holding down command, (same as control on pc.) It doesn't work. I've been through this with yahoo's live help. They confirmed that it does not work and "are working on it." If there is any way to manually forward spam to spamcop again, I would love to know. It's been growing since yahoo "improved" their system. Link to comment Share on other sites More sharing options...
agsteele Posted October 30, 2008 Share Posted October 30, 2008 Hi daizzy, You are correct that the parser does identify a Yahoo! server as the source but it also appears that Yahoo! is the first mail server in the headers... However, there does appear to be an IP for the originating PC at 85.87.241.196 which the parser didn't identify. There are better informed users than me around so perhaps someone can say why 85.87.241.196 isn't picked up. Interestingly the SenderBase score for this IP is poor (626%) and it is listed in dnsbl.sorbs.net, cbl.abuseat.org and pbl.spamhaus.org - but not the scbl. For artmaker, there are other threads which I think have been posted previously for you which address the Yahoo! mail issue. It seems the new Yahoo! interface has dropped the inline-attachment option. You would need to switch back to the classic interface if you have that ability to gain the attachment option. Andrew Link to comment Share on other sites More sharing options...
Farelf Posted October 30, 2008 Share Posted October 30, 2008 Here is a parse of that data: http://www.spamcop.net/sc?id=z2376517940ze...009998950373fcz It seems to pick up host 85.87.241.196 = 196.85-87-241.dynamic.clientes.euskaltel.es which Andrew mentions. We would need to see the O/Ps tracking URL to see why that didn't go the same way. [On edit] Ah, I see, variable results! View the parse one time it says If reported today, reports would be sent to: Re: 85.87.241.196 (Administrator of network where email originates) postmaster[at]euskaltel.es abuse[at]t-ipnet.de abuse[at]euskaltel.com Processed by <!-- 05look $Revision: #1 $ produced by sc-app12 --> View it another time, it says "No master" (Ah, how many times have I heard that? But I digress) If reported today, reports would be sent to: Re: 85.87.241.196 (Administrator of network where email originates) nomaster[at]devnull.spamcop.net <!-- 05look $Revision: #1 $ produced by sc-app10 --> Link to comment Share on other sites More sharing options...
daizzzy Posted October 30, 2008 Author Share Posted October 30, 2008 http://www.spamcop.net/mcgi?action=gettrac...rtid=3629351960 is it this one? Link to comment Share on other sites More sharing options...
Farelf Posted October 30, 2008 Share Posted October 30, 2008 http://www.spamcop.net/mcgi?action=gettrac...rtid=3629351960 is it this one? Ah no, you need to go one step further to get the tracking URL from the report ID (because only you and the paid SC staff can see the detail from the report ID) - see http://forum.spamcop.net/forums/index.php?showtopic=4498 for how to do it. Link to comment Share on other sites More sharing options...
daizzzy Posted October 30, 2008 Author Share Posted October 30, 2008 sorry got it http://www.spamcop.net/sc?id=z2375972949z6...f43617afbcda98z Link to comment Share on other sites More sharing options...
Wazoo Posted October 30, 2008 Share Posted October 30, 2008 got it http://www.spamcop.net/sc?id=z2375972949z6...f43617afbcda98z Thanks! What I'm going to guess at ..... Yahoo has added more e-mail servers to their server farm that have not been identified in the 'shared' MailHost Configuration database. Possible actions: try to add this new data yourself by 'adjusting' your MailHost Configuration of your Reporting Account .... or contact Don/Deputies to get them to do a bit of manual updating to the same database. Why I come to this probable conclusion: your Tracking URL lines; 1: Received: from [85.87.241.196] by web57410.mail.re1.yahoo.com via HTTP; Thu, 30 Oct 2008 01:44:39 PDT Hostname verified: 196.85-87-241.dynamic.clientes.euskaltel.es Possible forgery. Supposed receiving system not associated with any of your mailhosts Will not trust anything beyond this header The "receiving" system is in fact a Yahoo asset, but not found within the MailHost Configuration database. Dig web57410.mail.re1.yahoo.com[at]208.67.220.220 ... Non-authoritative answer Recursive queries supported by this server Query for web57410.mail.re1.yahoo.com type=255 class=1 web57410.mail.re1.yahoo.com MX (Mail Exchanger) Priority: 0 Malformed name BTW: Quote is seen working at the top of this post. testing testing testing no problem seen with the 'code' tags either. How are you trying to use them? Link to comment Share on other sites More sharing options...
Farelf Posted October 30, 2008 Share Posted October 30, 2008 The difference between the parses (the genuine one above and my re-creation in linear post 9 further above) apparently comes about because of mailhosting, my test (and subsequent re-test) being with a non-mailhosted account. In this instance, I would prefer the non-mailhosted rendition (mine) which seems to indicate an entirely probable source (as Andrew points out) a but, alas, nothing can be done about that (other than manual reporting). The purpose of the mailhosting is to make it harder for cunning header forgeries to slip through the reporting and we can only bring it to the attention of the SC staff if we think it might have goofed in some specific instance in case there is some systemic problem with the parser logic/process. I am not really confident that it has goofed in this case but it does look so to me. [on edit - ah, Wazoo suggests another possibility and some things the O/P can try] Link to comment Share on other sites More sharing options...
StevenUnderwood Posted October 31, 2008 Share Posted October 31, 2008 I'd be interested to learn how to forward as attachment using yahoo too! So you know, they removed the pull down menu they USED to have. IT's gone. And... using a mac, there is NO WAY to get any option to forward as attachment. NO holding down command, (same as control on pc.) It doesn't work. Are you using Yahoo! Mail Classic (does it say that just above the 4 tabs)? I most certainly have the option as I used copy/paste to make my post earlier. I do use the free option... things may be different if you are using one of the paid versions either directly through Yahoo or from one of the other providers using Yahoo. Link to comment Share on other sites More sharing options...
daizzzy Posted October 31, 2008 Author Share Posted October 31, 2008 guys, i'm using only gmail, i don't know why u all are talking about yahoo )) Link to comment Share on other sites More sharing options...
Farelf Posted October 31, 2008 Share Posted October 31, 2008 guys, i'm using only gmail, i don't know why u all are talking about yahoo ))Relax daizzzy - we've diverged into two conversations (because Yahoo was in the headers) but thanks for confirming you're only involved in the original topic. Have you looked at Wazoo's response (further above) on the matter of mailhosting? Seems like it's time for you to contact Don - service[at]admin.spamcop.net - to see if there's something with the mailhosts setup that needs fixing. The rest of 'us' can't really see any other reason for your parse not drilling down to what we think is the actual spam injection. But Don knows all that stuff inside out. Link to comment Share on other sites More sharing options...
daizzzy Posted October 31, 2008 Author Share Posted October 31, 2008 Thx Farelf ) Link to comment Share on other sites More sharing options...
SpamCopAdmin Posted October 31, 2008 Share Posted October 31, 2008 Daizzzy isn't a Yahoo user, so the Yahoo Mailhost isn't part of the problem. The problem is that the Yahoo servers in his spam aren't included in our "Trusted Relays" database. I added them to the list, and the parse is working correctly now. - Don D'Minion - SpamCop Admin - . Link to comment Share on other sites More sharing options...
Wazoo Posted October 31, 2008 Share Posted October 31, 2008 guys, i'm using only gmail, i don't know why u all are talking about yahoo )) The issue is that there is another Forum user that hasn't quite got things sorted out on how to use this thing. So she unfortunately keeps jumping into other people's Topics/Discussion to toss in her issues with her use of Yahoo on a Mac. Then she seems not to ever follow-up, the appearance is that she can't find or simply doesn't look for her previous posts ... there are loads of questions that she's never gotten around to answering. Yet another PM sent to her about her actions. Link to comment Share on other sites More sharing options...
Farelf Posted October 31, 2008 Share Posted October 31, 2008 ... The problem is that the Yahoo servers in his spam aren't included in our "Trusted Relays" database. I added them to the list, and the parse is working correctly now. ... Thanks Don! daizzzy, if you pull up your (old) parse you will see that it automagically goes right down to the actual spammer now. Too late for that particular instance but any future handing by those Yahoo relays will be properly tracked through. Properly handled for everyone - including for those users who didn't even realise there was anything wrong. So your query has helped lots of people. Including the beleaguered network-abuse[at]cc.yahoo-inc.com. They ought to give you a medal! Ah, synergy! Link to comment Share on other sites More sharing options...
daizzzy Posted November 1, 2008 Author Share Posted November 1, 2008 thx guys SC works really great! u know, at the beginning i started to use SC i thought that i'll need to redeem balance each 2-3 months. but now it seems like there still will be some money after a year )) Link to comment Share on other sites More sharing options...
dbiel Posted November 1, 2008 Share Posted November 1, 2008 It is interesting that the topic starter of this topic titled: how to fight this kind of spam , insists on generating their own spam using the forum signature as the medium. The signature has been removed twice so far. We realize that there are not clear cut rules on what can be included in a signature, but there are limits and they will be inforced. Link to comment Share on other sites More sharing options...
daizzzy Posted November 1, 2008 Author Share Posted November 1, 2008 ok, no more signatures but your policy is really strange for me. my sig had nothing about spam, it was what was actual for me. i think it's about paranoia. Link to comment Share on other sites More sharing options...
Wazoo Posted November 1, 2008 Share Posted November 1, 2008 but your policy is really strange for me. my sig had nothing about spam, it was what was actual for me. i think it's about paranoia. Inappropriate content is the issue involved. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.