It's not a huge splurge, and they're easy to delete, but I was just
curious, as recently spam levels have been pretty low here.
--
Peter
Yeah, I got a pile of this stuff starting sometime yesterday I think.
The nerfed thunderbird junkmail detection and filtering doesn't help, I
have no idea why but junkmail and filters that thunderbird used to run
automatically on received pop3 mails don't seem to work any more, and
the only "explanation" I could find is that they don't work because they
can't work ... well they can, because they used to in earlier versions.
Rgds
Denis McMahon
I thought it was just my turn for the barrel having been virtually spam
free for a while. Received about six yesterday and another six this
morning using old message IDs as the address, K9 filtered them out
for deletion unread.
--
Les
I had four emails (all to spammer only addresses) rejected by my
filtering this morning. Certainly a deluge by recent standards.
Adrian
--
To Reply :
replace "news" with "adrian" and "nospam" with "ffoil"
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.
Guessing that some Chinese spammer has resurrected / bought an old list
of "uk email domains" that contains a few [hundred] demon hosts ....
wonder how much spam is bouncing because the hosts don't exist any more.
Rgds
Denis McMahon
Over the last three days I have noticed a few in my inbox and some in
the junk folder. I'm sure the junk detection will soon catch up.
Steve
--
Neural Planner Software Ltd www.NPSL1.com
Probably yes - they are self-evident spam so I forward them to 'missed'
unopened. About 10 today, which is 9 more than usual.
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>
Yes, I'm surprised they're not caught (by the filters at Demon)
(posting from somewhere else)
--
Vista: the hd dvd player that thinks it's an operating system ©JC 2009
Windows 7: a faster dvd player
All men are islands
>
>"Andy" <an...@kitzbuhel.demon.co.uk> wrote in message
>news:mkq4WlDy...@kitzbuhel.demon.co.uk...
>> In message <1jaaq78.1c1t6ac38ek28N%pe...@cara.demon.co.uk>, Peter Ceresole
>> <pe...@cara.demon.co.uk> wrote
>>>Anybody else seeing a sudden burst of Chinese spam making it through the
>>>filters? Cialis and stuff... A picture attached for the address to go
>>>and buy the stuff, with word wooze to reduce the repetition score.
>
>Yes, I'm surprised they're not caught (by the filters at Demon)
>(posting from somewhere else)
Perhaps most of them are caught by Demon. I'm not going to switch the
filters off just to find out. About ten a day get through to me. Agent
has adapted to catch them all. It's interesting to see that all of the
ones that get through to Agent are sent by Thunderbird users.
> It's interesting to see that all of the
> ones that get through to Agent are sent by Thunderbird users.
You mean:
It's interesting to see that all of the ones that get through to Agent
have a Thunderbird user agent header.
I can set that in emails sent from php, it's meaningless. I doubt that
thunderbird is being used to send these, much more likely to be a botnet.
Rgds
Denis McMahon
> >Yes, I'm surprised they're not caught (by the filters at Demon)
> >(posting from somewhere else)
>
> Perhaps most of them are caught by Demon. I'm not going to switch the
> filters off just to find out.
Jeez... Neither am I.
> About ten a day get through to me.
Here it's more like 20, trickling in throughout the day. But hardly
enough even to be a nuisance and they are all caught by my Eudora
filters and sent to trash. Effectively no other spam at all is getting
through.
I expect that the filters will catch up with this new series soon.
I've forgotten who are providing the spamblocking service now. Is it
still Cloudmark? Or did Demon switch to somebody else? Why does the name
'Highwinds' come to my mind? Probably because I'm getting so ancient...
Either way, it seems to work pretty well.
--
Peter
It is probably a fake header but it is unusual for botnets to use the
same headers for so many messages as that makes filtering so easy. The
only message I have tracked back to source was from a user of a
compromised machine who was using Thunderbird.
> It is probably a fake header but it is unusual for botnets to use the
> same headers for so many messages as that makes filtering so easy. The
> only message I have tracked back to source was from a user of a
> compromised machine who was using Thunderbird.
Hmm, wonder if thunderbird exposes an api that allows sending of mail,
or querying of version info.
Maybe the spam malware is using the send-to api? Botnet the machine and
use the system send to api to spam. I guess that's more economical than
coding your own smtp sender.
Rgds
Denis McMahon
patic...@ouwestomp.nl rqzu8obm...@kitzbuhel.demo
cli...@thebitterend.nl 7644an...@kitzbuhel.demon.co
produ...@gk.net.mx lup...@kitzbuhel.demon.co.uk
tail...@feijngezicht.nl rspxn...@kitzbuhel.demon.co.
ferti...@musicgallery.ca 7690an...@kitzbuhel.demon.co
dedu...@mail-bericht.nl 3txhj5pz...@kitzbuhel.demo
silve...@royalsmilde.nl tzbhbvog...@kitzbuhel.demo
Looks like someone's got their Xmas pressy early :(
In the same vein, how would you describe Windows XP, Windows ME and
Windows 98?
:-)
--
Nicholas David Richards -
"Où sont les neiges d'antan?"
>> Vista: the hd dvd player that thinks it's an operating system ©JC
>> 2009 Windows 7: a faster dvd player
>
> In the same vein, how would you describe Windows XP, Windows ME and
> Windows 98?
I can't, they're not in the same vein anyway, vista was such a very radical
departure from the nt line from nt3.5, nt4, windows 2000, xp, vista, windows
7 (I've omitted a few servers) whereas windows me and windows 98 are
directly descended from dos.
>Interesting thread. I've had TP set to reject unrecognised addresses
>for some time and the spam rate has dropped virtually to zero. Friday I
>unticked the box and spam began to increase slowly at first but
>yesterday and today is about 40+. Is this just coincidence?
No coincidence at all: most spam is sent to "unknown" addresses, so by
unticking this option you should expect to receive some spam (a bit more
than usual at the moment, for reasons mentioned in this thread).
The option to reject email to unrecognised addresses has a downside -
any genuine email from a contact who mistypes your address will be
rejected. Only you can be the arbiter of that risk. Most people select
addresses from their address book or click on a link, neither of which
ought to cause a problem. But some people manually type addresses, and
that's where the risk lies.
For that reason, I prefer to limit my email rejection to a few addresses
that I know are only used by spammers. K9 classifies the rest, so I can
browse through the spam list at intervals in order to check that nothing
important has been overlooked.
--
Paul Terry
> In message <E0qYrqAR2UHLFAc$@musonix.demon.co.uk>, Paul Terry
> <ne...@nospam.demon.co.uk> writes
> If it is not a coincidence that the
> spam increased when I stop rejecting that would imply some monitoring of
> rejects by the spammer would it not?
It's most likely to be a coincidence. Virtually all spam is sent using
forged sender addresses, which means that any bounces end up in an
innocent user's mailbox because the spammer forged their address. And,
if the supposed sender's address is completely made up, a bounce gets
rejected and the double-bounce ends up going to the postmaster.
This is what happens when you receive mail by SMTP, accept the mail and
then your server decides it can't actually deliver it[0]. With POP3,
rejecting the mail doesn't send back a bounce and the rejected mail is
just deleted.
> So I suppose I was really asking if
> they actually would do that
I don't think the majority of spammers have done that for over a
decade.
>>The option to reject email to unrecognised addresses has a downside -
>>any genuine email from a contact who mistypes your address will be
>>rejected. Only you can be the arbiter of that risk. Most people select
>>addresses from their address book or click on a link, neither of which
>>ought to cause a problem. But some people manually type addresses, and
>>that's where the risk lies.
>>
> Yes I am aware of that but on the other hand if their e-mail is rejected
> hopefully they would examine their typing very carefully.
Only if they know that their mail wasn't received. Receiving mail using
POP3 won't let them know their mail wasn't received.
>>For that reason, I prefer to limit my email rejection to a few
>>addresses that I know are only used by spammers. K9 classifies the
>>rest, so I can browse through the spam list at intervals in order to
>>check that nothing important has been overlooked.
> When not rejecting I dump mine into a spam folder and have a quick scan
> through but it would be easy to overlook a mis-typed valid one amongst
> all the junk - and then the sender thinks you have received their
> e-mail, which is probably a worse scenario than having it positively
> rejected.
Unless you're receiving the mail using POP3, or using Turnpike's
"Reject mail"[1] after it's been received, they won't know if it's
arrived or not. Once it's placed into the POP3 mailbox, it's been
delivered whether you received it, rejected it, or dumped it into
a spam folder and then erroneously deleted it.
[0] This also happens with Demon's servers. If mail collection is only
for specific users, those that aren't collected after 30 days result
in a bounce being sent back to the purported sender. Three guesses who
those are most likely to be.
[1] Not sure on the exact name of it, but the effect is to fake a
bounce and send it back to the purported sender.
Regards,
David Bolt
--
Team Acorn: www.distributed.net OGR-NG @ ~100Mnodes RC5-72 @ ~1Mkeys/s
openSUSE 11.0 32b | | openSUSE 11.2 32b |
openSUSE 11.0 64b | openSUSE 11.1 64b | openSUSE 11.2 64b |
TOS 4.02 | openSUSE 11.1 PPC | RISC OS 4.02 | RISC OS 3.11
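The three cases David Bolt distinguishes (refusal during the SMTP session, accept-then-bounce, and silent deletion after POP3 collection) differ in whether a non-delivery report is created and who ends up holding it. The following model is an added example written for this thread; it is not Demon's, Turnpike's or any MTA's code, the policy names and the addresses in it are constructed for illustration, and the only protocol fact it relies on is that a bounce is never sent to the null reverse-path.

```python
from dataclasses import dataclass, field

# Three ways a recipient-side system can treat mail for an address it does not
# know.  The labels are this example's own, not Demon's or Turnpike's.
REJECT_AT_RCPT = "reject_at_rcpt"          # refuse with 5xx during the SMTP session
ACCEPT_THEN_BOUNCE = "accept_then_bounce"  # accept, fail later, send a DSN
POP3_DELETE = "pop3_delete"                # accept into mailbox, client deletes quietly


@dataclass
class Envelope:
    mail_from: str   # SMTP MAIL FROM; spam almost always forges this
    rcpt_to: str     # SMTP RCPT TO


@dataclass
class Result:
    delivered_to: list = field(default_factory=list)
    dsn_to: list = field(default_factory=list)   # bounces generated (backscatter)
    refused_in_session: bool = False


def handle(env: Envelope, local_addresses: set, policy: str) -> Result:
    """Apply one policy to one envelope and record what leaves the system."""
    r = Result()
    if env.rcpt_to in local_addresses:
        r.delivered_to.append(env.rcpt_to)
        return r
    if policy == REJECT_AT_RCPT:
        # The sending MTA sees the refusal itself; no message is ever created,
        # so there is nothing to bounce and no third party is involved.
        r.refused_in_session = True
    elif policy == ACCEPT_THEN_BOUNCE:
        # The message was accepted, so the only way to report failure is a DSN
        # to the reverse-path, i.e. whoever the spammer forged.  The null
        # reverse-path (MAIL FROM:<>) must never be bounced to (RFC 5321, 4.5.5).
        if env.mail_from:
            r.dsn_to.append(env.mail_from)
    elif policy == POP3_DELETE:
        # Delivery already succeeded when the mail reached the POP3 mailbox;
        # a client-side delete tells nobody anything.
        pass
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return r


def route_dsn(dsn_to: str, existing_mailboxes: set,
              postmaster: str = "postmaster@relay.example") -> str:
    """Where a generated bounce ends up: the innocent user whose address was
    forged if that mailbox exists, otherwise the DSN itself is undeliverable
    and the double-bounce lands on the postmaster of the generating system."""
    return dsn_to if dsn_to in existing_mailboxes else postmaster


def backscatter(envelopes, local_addresses, policy) -> int:
    """Count the bounces a batch of envelopes would generate under a policy."""
    return sum(len(handle(e, local_addresses, policy).dsn_to) for e in envelopes)


# Constructed sample: one real address at the host and three spam envelopes to
# made-up local parts, each with a different forged sender.
LOCAL = {"me@host.example"}
SPAM_RUN = [
    Envelope("victim@innocent.example", "7644an@host.example"),
    Envelope("nobody@made-up.example", "lup42@host.example"),
    Envelope("", "3txhj5pz@host.example"),   # null sender: no DSN allowed
]

if __name__ == "__main__":
    for policy in (REJECT_AT_RCPT, ACCEPT_THEN_BOUNCE, POP3_DELETE):
        print(policy, "bounces:", backscatter(SPAM_RUN, LOCAL, policy))
    for e in SPAM_RUN:
        for target in handle(e, LOCAL, ACCEPT_THEN_BOUNCE).dsn_to:
            print(target, "->", route_dsn(target, {"victim@innocent.example"}))
```

Running it shows that only the accept-then-bounce policy produces any DSNs, and that each of them goes either to an innocent third party or, when the forged sender does not exist, to a postmaster.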
>
> [0] This also happens with Demons servers. If mail collection is only
> for specific users, those that aren't collected after 30 days results
> in a bounce being sent back to the purported sender. Three guesses who
> those are most likely to be.
>
> [1] Not sure on the exact name of it, but the effect is to fake a
> bounce and send it back to the purported sender.
Surely this is extremely unwise of Demon, do they really do this? It's
likely to be some innocent person or go nowhere generating another bounce,
just going to increase the enormous quantity of spam. I can't believe they
do this. If it does actually get to the person responsible, they'll figure
out that there is someone at home, rather than a black hole.
> David Bolt wrote:
>
>>
>> [0] This also happens with Demons servers. If mail collection is only
>> for specific users, those that aren't collected after 30 days results
>> in a bounce being sent back to the purported sender. Three guesses who
>> those are most likely to be.
>>
>> [1] Not sure on the exact name of it, but the effect is to fake a
>> bounce and send it back to the purported sender.
>
> Surely this is extremely unwise of Demon, do they really do this?
As far as I know, they still do. It's still mentioned in their help
documents:
http://www.demon.net/helpdesk/technicallibrary/misc/general/pop3smtp.html
<quote>
Demon's mail servers hold your mail for 30 days, after which it will be
returned to the sender as non deliverable and deleted from the Demon server.
</quote>
> it's
> likely to be some innocent person or go no-where generating another bounce,
> just going to increase the enormous quantity of spam.
I couldn't say which is the more likely to happen but it's still a bad
idea as there are many people out there that consider backscatter as
spam and they may blacklist the IP address sending them the bounce. By
definition a bounce received for a mail that the user didn't send
themselves, or authorise someone to send on their behalf, is spam. It's
unsolicited, most likely to be bulk, and definitely email.
> I can't believe they
> do this.
It's easy to confirm if you don't collect mail for every address at
$host.demon.co.uk. You just need to send a mail to an address at your
host, one that you don't usually collect, but using a different one as
the sender. As long as the sender address is one that you would
normally collect mail for, after 30 days you should end up with a
bounce for the "undelivered" email.
I must say I had thought they did this only for legitimate mail not for mail
which they classed as spam
> Mail which Demon's system detects as spam doesn't arrive in the first
> place, so it's not sitting in your email box for anything between 0
> seconds-30 days and therefore the issue doesn't arise. It's rejected
> before the sender has a chance to send any of the message body.
So Demon's spam filtering is based solely on the delivering MTA and RCPT TO?
Rgds
Denis McMahon
> David Bolt wrote:
The spam filters aren't perfect, and never will be, and so some spam
manages to get past them. Just looking at the comments here shows some
users receive several spams per day that manage to get through the
defences, although considerably less than they would receive if the
filtering wasn't in place[0]. It's these that are going to result in
a bounce if they aren't deleted using POP3, or some other method of
deleting spams[2].
[0] Before my change of service[1], and the subsequent change of host
name, I was receiving upwards of 12,000 spams per day to my unfiltered
host with a fair number of days where this exceeded 15,000. With
the filtering in place, it was often less than 140 per day. At the time, I
was receiving significantly more than the more normal users, similar
amounts to others who were/are still active Usenet users, but still
only around a quarter of RC's spam load.
[1] I ran an old dial-up account in parallel with an ADSL account, both
of which were closed almost two years ago when I moved on to the
present business account.
[2] Soruk, or Michael McConnell, wrote a very useful application called
pop3clean. If it's run and provided with a list of known addresses, it
goes through of a Demon POP3 mailbox and deletes those mails sent to
addresses not specified. If it's run without the list of valid
addresses, it provides a list of all the destination addresses. It's
fast at what it does. When I was using it, up to roughly a year and a
half ago, I clocked it at about 18.5 deletions per second. If the
POP3 servers have since been updated for faster machines, this could
even be higher as, at the time, the main rate limiter was waiting for
the server to process the DELE commands upon exiting. You can find a
copy of it here:
<URL:http://www.eridani.co.uk/pop3clean/>
As far as I know, Cloudmark uses content filtering as (a part of?) its
method of spam determination. I don't know if there's an element of
DNSBL use to it, but it'd be surprising if there wasn't some notice
taken about where the spam originates. Unfortunately, or fortunately,
the methodology behind it is kept secret so there's no way for end users
to know for certain. Or, at least not without someone in the
know actually giving some of the broader details. I'd very much expect
specifics to stay secret so as to prevent spammers working around them
and quicker than they are already trying to do.
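A whitelist-driven cleaner of the kind described for pop3clean above needs only four POP3 commands: LIST to enumerate, TOP with zero body lines to read headers without transferring the message, DELE to mark, and QUIT to commit. The code below is an added example in that spirit; it is not Michael McConnell's pop3clean and not Demon's code. It assumes the destination address can be read from Delivered-To, X-Original-To, To or Cc (a real deployment must check which of these its provider actually sets), the fake server and sample mailbox are constructed, and `host.example` stands in for a real POP3 host.

```python
import email
from email.utils import getaddresses
import poplib

# Headers consulted, in order, to learn which local address a message was
# actually sent to.  Assumption: the provider adds Delivered-To or
# X-Original-To; if it does not, To/Cc are the only evidence available.
DEST_HEADERS = ("Delivered-To", "X-Original-To", "To", "Cc")


def destination_addresses(raw_headers: bytes) -> list:
    """Return the lower-cased addresses found in the destination headers."""
    msg = email.message_from_bytes(raw_headers)  # compat32: plain str headers
    found = []
    for name in DEST_HEADERS:
        for _display, addr in getaddresses(msg.get_all(name, [])):
            if addr:
                found.append(addr.lower())
    return found


def clean_mailbox(pop, allowed=None):
    """Walk a POP3 mailbox using only LIST, TOP, DELE and QUIT.

    `pop` is anything with the poplib.POP3 method shapes (the real client or
    the FakePOP3 below).  With allowed=None this is "list mode": nothing is
    deleted and a count per destination address is returned.  With a
    whitelist, a message is marked for deletion only when it carries at
    least one destination address and none of them is whitelisted; messages
    with no parsable destination are kept rather than guessed at.
    Returns (address_counts, deleted_message_numbers)."""
    allowed = None if allowed is None else {a.lower() for a in allowed}
    _resp, listing, _octets = pop.list()
    counts, deleted = {}, []
    for entry in listing:                        # entries look like b"1 2345"
        num = int(entry.split()[0])
        _resp, lines, _octets = pop.top(num, 0)  # headers only, no body transfer
        dests = destination_addresses(b"\r\n".join(lines))
        for d in dests:
            counts[d] = counts.get(d, 0) + 1
        if allowed is not None and dests and not any(d in allowed for d in dests):
            pop.dele(num)                        # marked; takes effect at QUIT
            deleted.append(num)
    pop.quit()
    return counts, deleted


def connect(host, user, password):
    """Real connection helper for use against a live server (not run here)."""
    pop = poplib.POP3_SSL(host)
    pop.user(user)
    pop.pass_(password)
    return pop


class FakePOP3:
    """In-memory stand-in for poplib.POP3, constructed for this example."""
    def __init__(self, messages):
        self.messages = list(messages)
        self.marked = set()
        self.remaining = None

    def list(self):
        return (b"+OK", [f"{i} {len(m)}".encode()
                         for i, m in enumerate(self.messages, 1)], 0)

    def top(self, num, howmuch):
        raw = self.messages[num - 1]
        head, _sep, body = raw.partition(b"\r\n\r\n")
        lines = head.split(b"\r\n")
        if howmuch:
            lines += [b""] + body.split(b"\r\n")[:howmuch]
        return (b"+OK", lines, len(raw))

    def dele(self, num):
        self.marked.add(num)

    def quit(self):
        self.remaining = [m for i, m in enumerate(self.messages, 1)
                          if i not in self.marked]
        return b"+OK"


# Constructed sample mailbox: one wanted message, one to a made-up local part,
# one addressed via Delivered-To only, and one with no destination header.
SAMPLE = [
    b"From: friend@elsewhere.example\r\nTo: Me <me@host.example>\r\n"
    b"Subject: lunch\r\n\r\nStill on for Friday?\r\n",
    b"From: spammer@forged.example\r\nTo: 7644an@host.example\r\n"
    b"Subject: cheap pills\r\n\r\n<img src=\"http://x.example/a.php?id=1\">\r\n",
    b"Delivered-To: me@host.example\r\nTo: undisclosed-recipients:;\r\n"
    b"Subject: newsletter\r\n\r\nhello\r\n",
    b"From: odd@elsewhere.example\r\nSubject: no destination header\r\n\r\n?\r\n",
]

if __name__ == "__main__":
    print(clean_mailbox(FakePOP3(SAMPLE)))                           # list mode
    print(clean_mailbox(FakePOP3(SAMPLE), allowed=["me@host.example"]))
```

Running list mode first, as the post recommends, is the safe way to build the whitelist: it reveals every destination address in the mailbox before anything is deleted. The rate limit the post describes (waiting for the server to process DELE on QUIT) is visible in the structure too, since all deletions are committed in the single `quit()` call.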
Yeah, I'd have thought that spam detection at the isp level would use a
combination of:
1) The overall pattern of emails being received
2) Where they're coming from
3) What they contain
(3) would require accepting the emails to analyse content. If (3) was
working I'd expect these mass mailings from multiple addresses to
multiple users all containing similar items (especially the image files)
to detect it.
I guess Cloudmark has dropped the ball on this one.
Rgds
Denis McMahon
I think it was Brightmail (the people before Cloudmark) who also ran a
number of honey-pots that were never used for anything legitimate at
all. Mail going to those was always spam, so they could use that to
tweak their spam detection too.
--
James Coupe
PGP Key: 0x5D623D5D YOU ARE IN ERROR.
EBD690ECD7A1FB457CA2 NO-ONE IS SCREAMING.
13D7E668C3695D623D5D THANK YOU FOR YOUR COOPERATION.
Yeah, just a bit concerned that after 4 days (I think) this latest pile
of spams is still making it through.
Having looked at a couple of the images, it seems that there's a limited
number of urls being used but that the image files are being generated
dynamically using some random params.
I guess it's a case of hunting down the websites.
Heh, surprise surprise, no contact information apart from a phone number
that I bet goes to a prepay mobile. From the website:
"Why is your product so cheap?
There is a number of reasons for that. We do not spend anything on
marketing, there are no taxes to be paid as the product comes into the
country unregistered, the manufacturer is located in an offshore zone
and the production costs are way lower. No child labor is used."
They forgot to add "the product is made from sugar, flour, water and
food colouring, with a random selection of waste industrial chemicals."
I see that the registrar and registrant are in China, as is the hosting,
although the website I looked at is "Canadian Pharmacy".
It's a pity the Great Firewall of China doesn't keep all their rubbish in.
Rgds
Denis McMahon
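The observation above, that a small set of URLs is reused while the image files are generated with random parameters, is exactly the invariant a filter can key on: strip the query string and fragment and the messages collapse onto a handful of host/path pairs. The following is an added example of that clustering, not code from the thread or from any filtering product; the message bodies and the `*-placeholder.example` hosts are constructed, not URLs seen in the spam.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def normalise(url: str):
    """Collapse a URL to scheme://host/path, discarding the query string and
    fragment so that per-message random parameters do not split a cluster."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return f"{parts.scheme.lower()}://{parts.hostname.lower()}{parts.path or '/'}"


def url_keys(body: str) -> set:
    """All normalised URLs found in one message body."""
    return {k for k in map(normalise, URL_RE.findall(body)) if k}


def cluster_by_url(messages):
    """Map each normalised URL to the indices of the messages carrying it."""
    groups = defaultdict(set)
    for idx, body in enumerate(messages):
        for key in url_keys(body):
            groups[key].add(idx)
    return groups


def shared_resources(messages, min_messages=2):
    """Normalised URLs that recur across at least min_messages messages,
    most widely shared first.  A resource fetched by many otherwise
    different messages is the kind of invariant a filter can key on."""
    groups = cluster_by_url(messages)
    return sorted(((key, len(idxs)) for key, idxs in groups.items()
                   if len(idxs) >= min_messages),
                  key=lambda kv: (-kv[1], kv[0]))


def matches(body: str, known_keys: set) -> bool:
    """True when a body references any previously identified shared resource."""
    return bool(url_keys(body) & known_keys)


# Constructed samples with placeholder hosts: four spam bodies that differ in
# wording and in the random query parameters, and one legitimate newsletter.
SAMPLES = [
    'Hurry! <img src="http://IMG.pharm-placeholder.example/gen.php?id=4f9a2&s=17">',
    'Dear Sir <img src="http://img.pharm-placeholder.example/gen.php?id=b771c&s=92"> low prices',
    'see picture http://img.pharm-placeholder.example/gen.php?id=0e33d#x',
    'xyzzy <img src="http://img.pharm-placeholder.example/gen.php?id=ffa10&r=3">',
    'Monthly update: http://news.legit-placeholder.example/issue/42?utm=mail',
]

if __name__ == "__main__":
    for key, n in shared_resources(SAMPLES):
        print(n, key)
```

The four spam bodies share no wording and no two URLs are byte-identical, yet they all land on one key, while the newsletter's link stays in a cluster of its own. Keys found this way can then be fed back through `matches` to classify the next message that arrives with yet another random id.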
[snip]
> I see that the registrar and registrant are in china, as is the hosting,
> although the website I looked at is "Canadian Pharmacy".
I recall a case, a month or two ago, in which a site was hacked such that if
you visited it normally, you'd see the normal content, but if you arrived
there from Google, you'd be redirected to a certain pharm-acy...
> It's a pity the great firewall of china doesn't keep all their rubbish in.
Agreed.
--
| Darren Salt | linux at youmustbejoking | nr. Ashington, | Doon
| using Debian GNU/Linux | or ds ,demon,co,uk | Northumberland | Army
| + http://www.youmustbejoking.demon.co.uk/ & http://tlasd.wordpress.com/
And don't start a sentence with a conjunction.
>Yeah, just a bit concerned that after 4 days (I think) this latest pile
>of spams is still making it through.
the senders are competent...
... most pharmacies are run as affiliate schemes, so that any spammer
who wants can advertise the products, and if people buy then they get a
cut. Usually the website names you see are specific to a particular
spammer, whereas the backend site where the purchase is actually done is
rather more generic.
So if you have a good spam sending technology, this is the place to make
money with it whilst the filtering companies are still struggling and
you can crowd out competitors by being more in-your-face when people
decide they are going to purchase.
>Having looked at a couple of the images, it seems that there's a limited
>number of urls being used but that the image files are being generated
>dynamically using some random params.
as I said, competent. This type of email is very difficult for filters
to deal with...
>I guess it's a case of hunting down the websites.
... the websites are quite easy to find, but many are botnet hosted, so
that's not a very useful thing to do. The actual problem is persuading
the registrar to pull the domain name, and in general there's no-one
with significant resources trying to do that
>Heh, surprise surprise, no contact information apart from a phone number
>that I bet goes to a prepay mobile. From the website:
>
>"Why is your product so cheap?
>There is a number of reasons for that. We do not spend anything on
>marketing, there are no taxes to be paid as the product comes into the
>country unregistered, the manufacturer is located in an offshore zone
>and the production costs are way lower. No child labor is used."
>
>They forgot to add "the product is made from sugar, flour, water and
>food colouring, with a random selection of waste industrial chemicals."
not always -- it may be sourced from the third world, or time expired,
or home made from raw ingredients. For products like sleeping pills
there is no money in shipping placebo; since if you ship product with an
active ingredient you will get repeat orders -- and thereby continue to
make money. The journalists always seem to purchase and test the blue
pills (makes for a racier story I expect) and they generally find more
fakes... possibly because placebo is more likely to work :)
--
richard @ highwayman . com "Nothing seems the same
Still you never see the change from day to day
And no-one notices the customs slip away"