Discussion:
UMSY
CO-DBA-SC-EL
2006-03-03 20:16:01 UTC
Why can't SpamCop email filter these annoying UMSY spams? See for example
report ID 1677920143.
I am bombarded with those, obviously sent through botnets. This has been
going on for over one week. The spammer has obviously found the right
formula to get around spamcop and spamAssassin. They don't even bother to
try to obfuscate "UMSY".

C_O
Mike Easter
2006-03-03 21:13:47 UTC
Post by CO-DBA-SC-EL
Why can't SpamCop email filter these annoying UMSY spams? See for
example report ID 1677920143.
When you call up your own reportid, you can access everything about it
via its tracker. When anyone else calls up your reportid, they can only
see the subject Promo Movers: Weekly Member Newsletter

Then, in order to know whatever it is you are trying to talk about, I
have to go to sightings to find a spam and determine that it is a
stockspam, and then I have to further derive that UMSY is a stock
abbreviation by determining that US MedSys Corp is a known stockspam
'marketer'.

So, then further, I have to search a little harder in sightings to find
an actual UMSY stock promo in a promo movers newsletter.
http://snipurl.com/n5gu

Then, since you didn't provide a tracker to an example of the spam, I
guess I'll make one myself

http://www.spamcop.net/sc?id=z889921579z6324ae41d86ed5577815eb2cb0b372ffz

That particular item was sourced from a CBL listed proxy
222.40.149.15 -- and it is entirely possible that yours was too.
Post by CO-DBA-SC-EL
I am bombarded with those, obviously sent through botnets. This has
been going on for over one week. The spammer has obviously found the
right formula to get around spamcop and spamAssassin. They don't even
bother to try to obfuscate "UMSY".
From your reportid, it appears that you are not spamcop reporting your
spam, but instead you are mole reporting, which means that your spam
isn't contributing to the SCbl.

If you want to discuss why a particular spam wasn't blocked, you should
be looking at its headers and you should be thinking about what
blocklists you have enabled, and you should be thinking about how you
have your SpamAssassin SA score set, because the item which I provided a
tracker for was caught by a SA type filter, and that item would have
also been caught by my filter on the basis of its CBL listing.

So, if your choice of configuration for spamcop's filter isn't doing the
job, maybe you should consider fixing your configuration.

So, my gripes about this communication so far are:

- if you are going to talk about a spam which wasn't filtered, you
should post a tracker for it, not a reportid
- if you are going to talk about /anything/ don't abbreviate more than
what someone who isn't looking at the same thing you are looking at will
be able to figure out. This isn't a guessing game, altho' sometimes we
play it
- if you are 'just' a mole reporter, your reports don't really count,
so you aren't helping the SCbl and therefore your reports aren't helping
other people filter their spam
--
Mike Easter
kibitzer, not SC admin
Mike Easter
2006-03-03 21:16:08 UTC
Post by Mike Easter
That particular item was sourced from a CBL listed proxy
222.40.149.15 -- and it is entirely possible that yours was too.
I meant, if a particular spam modus operandi is utilizing something like
abused proxy smtp injection, then it is likely that other items of the
same modus also use abused proxies, but not likely the same exact one,
but a different one.
--
Mike Easter
kibitzer, not SC admin
CO-DBA-SC-EL
2006-03-04 05:20:08 UTC
Mike, thank you for your reply.

Why bother with mole reporting if it does not contribute to the SCbl?
Hmm....

As to why I did not post the full tracker: The tracker contains information
that identifies me, my antispam measures and my mail server. Much too
much information to put on a public newsgroup monitored by spammers.

As to why I went "mole". Same thing. What prompted me to go "mole" a couple
of years ago was regular upsurges of spam after I reported some spam.
Watching the detailed spam parses these days for the stuff I drop into the
"Report" form, much too often I see that the report would not be anywhere
near sanitized well enough, or would be going to someone who has a
connection with the spammer. For example, I don't for a second believe that
spamcop reports to chinanet are just ignored. There is just too much good
stuff to mine from them.

My posting to mail was because as a spamcop mail customer I think the
problem with this particular spammer getting through so easily is a
SpamAssassin rule problem, rather than a reporting problem. Every single
address that particular spammer has been using that I bothered to track down
looked like a zombie. A different one every time, of course.

C_O
Post by Mike Easter
Post by CO-DBA-SC-EL
Why can't SpamCop email filter these annoying UMSY spams? See for
example report ID 1677920143.
When you call up your own reportid, you can access everything about it
via its tracker. When anyone else calls up your reportid, they can only
see the subject Promo Movers: Weekly Member Newsletter
Then, in order to know whatever it is you are trying to talk about, I
have to go to sightings to find a spam and determine that it is a
stockspam, and then I have to further derive that UMSY is a stock
abbreviation by determining that US MedSys Corp is a known stockspam
'marketer'.
So, then further, I have to search a little harder in sightings to find
an actual UMSY stock promo in a promo movers newsletter.
http://snipurl.com/n5gu
Then, since you didn't provide a tracker to an example of the spam, I
guess I'll make one myself
http://www.spamcop.net/sc?id=z889921579z6324ae41d86ed5577815eb2cb0b372ffz
That particular item was sourced from a CBL listed proxy
222.40.149.15 -- and it is entirely possible that yours was too.
Post by CO-DBA-SC-EL
I am bombarded with those, obviously sent through botnets. This has
been going on for over one week. The spammer has obviously found the
right formula to get around spamcop and spamAssassin. They don't even
bother to try to obfuscate "UMSY".
From your reportid, it appears that you are not spamcop reporting your
spam, but instead you are mole reporting, which means that your spam
isn't contributing to the SCbl.
If you want to discuss why a particular spam wasn't blocked, you should
be looking at its headers and you should be thinking about what
blocklists you have enabled, and you should be thinking about how you
have your SpamAssassin SA score set, because the item which I provided a
tracker for was caught by a SA type filter, and that item would have
also been caught by my filter on the basis of its CBL listing.
So, if your choice of configuration for spamcop's filter isn't doing the
job, maybe you should consider fixing your configuration.
- if you are going to talk about a spam which wasn't filtered, you
should post a tracker for it, not a reportid
- if you are going to talk about /anything/ don't abbreviate more than
what someone who isn't looking at the same thing you are looking at will
be able to figure out. This isn't a guessing game, altho' sometimes we
play it
- if you are 'just' a mole reporter, your reports don't really count,
so you aren't helping the SCbl and therefore your reports aren't helping
other people filter their spam
--
Mike Easter
kibitzer, not SC admin
Mike Easter
2006-03-04 06:00:40 UTC
Post by Mike Easter
that item would have also been caught by my filter on the basis of its
CBL listing.
Post by CO-DBA-SC-EL
Every single address that particular spammer has been using that I bothered
to track down looked like a zombie. A different one every time, of
course.
SC's dnsbl options include using the CBL. It is excellent for listing
proxified trojans.
--
Mike Easter
kibitzer, not SC admin
D. T.
2006-03-09 18:19:05 UTC
Post by Mike Easter
SC's dnsbl options include using the CBL. It is excellent for listing
proxified trojans.
I think the CBL blocking might be broken at the moment for those of us
with SC email accounts. A few days ago, I too started seeing a flood of
obvious stock pumps that my SC settings were no longer catching. Here are
two tracking URLs:

http://www.spamcop.net/sc?id=z893629776zd3d88b5dc4ce361f2ddffd2c9ddbfb0cz
http://www.spamcop.net/sc?id=z893630493zb1c0b16af8742f09607ff4182a53754bz

According to what I see, both of those should have been caught due to their
listings on the CBL, or am I missing something?

Those are just two out of dozens and dozens that suddenly started getting
through to my inbox a few days ago. I strongly suspect problems with the SC
system (this kind of thing has happened to the SC filtering system before,
and it did indeed turn out to be something that needed fixing).

DT
D. T.
2006-03-09 18:58:49 UTC
I've done a little more research on the flood of false negatives making it
into my SC inbox, and although all of the IPs I've checked so far are
listed on the CBL, the listing times were less than half an hour before
their arrivals at the SC mail servers, so maybe the SC servers aren't doing
"realtime" queries of the CBL when processing incoming email? Here's an
example:

CBL lookup:
IP Address 221.199.146.98 was found in the CBL.
It was detected at 2006-03-09 12:00 GMT (+/- 30 minutes).

Spam received:
by mx53.cesmail.net with SMTP; 9 Mar 2006 12:32:40 -0000

So, although if things were functioning ideally, that spam should have been
blocked, we might be looking at stuff that's getting by just under the
wire, before the SC system can tell that the CBL is listing them.

DT
Mike Easter
2006-03-31 14:48:18 UTC
Post by D. T.
I think the CBL blocking might be broken at the moment for those of
us with SC email accounts. A few days ago, I too started seeing a
flood of obvious stock pumps that my SC settings were no longer
www.spamcop.net/sc?id=z893629776zd3d88b5dc4ce361f2ddffd2c9ddbfb0cz

That tracker doesn't show me evidence of passing thru' SC's mail
filter -- there are no SC Xlines in the header. Yes, the source is
currently CBL listed.

www.spamcop.net/sc?id=z893630493zb1c0b16af8742f09607ff4182a53754bz

Same thing, no SC Xlines. When people with SC mail accounts look at
something which was caught or missed by the SC filter, they use the
Xlines to help figure out why.
--
Mike Easter
kibitzer, not SC admin
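The two checks discussed above, D. T.'s comparison of the CBL detection time against the arrival time at the SC mail server, and Mike's point that the SC Xlines must still be in the header before anything can be said about the filter, as an added example that is not from the thread or from SpamCop. The sample input is constructed from the values quoted in the thread, and the `X-SpamCop-*` header name is an assumption about what the "SC Xlines" look like.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime
# Constructed sample modelled on the thread (the CBL lookup text D. T. quoted and a
# minimal header set); the X-SpamCop-* header name is an assumed "SC Xline".
CBL_TEXT = """IP Address 221.199.146.98 was found in the CBL.
It was detected at 2006-03-09 12:00 GMT (+/- 30 minutes)."""
HEADERS = """Received: from unknown (HELO mail) (221.199.146.98)
  by mx53.cesmail.net with SMTP; 9 Mar 2006 12:32:40 -0000
X-SpamCop-Checked: 221.199.146.98
Subject: Promo Movers: Weekly Member Newsletter

"""
def parse_cbl_lookup(text):
    """Return (ip, detection time as an aware UTC datetime, +/- margin)."""
    ip = re.search(r"IP Address (\d+(?:\.\d+){3}) was found in the CBL", text).group(1)
    m = re.search(r"detected at (\d{4}-\d\d-\d\d \d\d:\d\d) GMT \(\+/- (\d+) minutes\)", text)
    detected = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return ip, detected, timedelta(minutes=int(m.group(2)))

def arrival_at(headers, mx_suffix):
    """Timestamp from the Received line written by the filtering MX, or None."""
    for rcvd in message_from_string(headers).get_all("Received", []):
        line = " ".join(rcvd.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", line)
        if by and by.group(1).endswith(mx_suffix):
            when = parsedate_to_datetime(line.rsplit(";", 1)[1].strip())
            # a "-0000" zone parses as a naive datetime; it means UTC here
            return when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return None

def sc_xlines(headers):
    """Names of the SpamCop filter headers present; empty if they were stripped."""
    return [k for k in message_from_string(headers).keys() if k.lower().startswith("x-spamcop-")]

def listing_vs_arrival(detected, margin, arrival):
    """Did the listing precede delivery, allowing for the +/- detection margin?"""
    if arrival is None:
        return "no MX Received line", 0
    earliest, latest = detected - margin, detected + margin
    if arrival < earliest:
        return "arrived before listing", 0
    if arrival <= latest:
        return "arrived inside the detection window", 0
    return "listed before arrival", int((arrival - latest).total_seconds())

def analyze(headers, cbl_text, mx_suffix="cesmail.net"):
    ip, detected, margin = parse_cbl_lookup(cbl_text)
    verdict, lead = listing_vs_arrival(detected, margin, arrival_at(headers, mx_suffix))
    return {"ip": ip, "verdict": verdict, "lead_seconds": lead, "sc_xlines": sc_xlines(headers)}
```

For the sample, the listing is certain to predate delivery by only 160 seconds once the +/- 30 minute margin is allowed for, which is the "just under the wire" case D. T. describes; a result with no `sc_xlines` means the header was stripped and says nothing about the filter.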
D. T.
2006-04-18 17:41:17 UTC
Post by D. T.
Post by D. T.
I think the CBL blocking might be broken at the moment for those of
us with SC email accounts. A few days ago, I too started seeing a
flood of obvious stock pumps that my SC settings were no longer
www.spamcop.net/sc?id=z893629776zd3d88b5dc4ce361f2ddffd2c9ddbfb0cz
That tracker doesn't show me evidence of passing thru' SC's mail
filter -- there are no SC Xlines in the header. Yes, the source is
currently CBL listed.
Oops....I have this paranoid habit of stripping all the SC stuff, as well
as the Barracuda firewall stuff, out of messages before I parse/report
them. When actually sending spam reports, that's too much information
possibly delivered into the hands of spam-friendly hosts, IMO.

But when I post a Tracking URL here, I'll be sure to leave all the SC stuff
in the headers before parsing.

DT