Is there anything I can do?
--
Kate B
PS 'elvira' is spamtrapped - please reply to 'elviraspam' at cockaigne if you want
to reply personally
>
>Is there anything I can do?
Set up a filter to delete anything that is not sent to your real
address.
--
Steve Wolstenholme Neural Planner Software
EasyNN-plus. The easy way to build neural networks.
http://www.easynn.com
>Is anyone else seeing these? In the last three days my trusty Turnpike
>has sent into oblivion nearly 25,000 bounce messages, all to
>non-existent names@cockaigne (many to the same two names), mostly from
>the mail delivery service at Wanadoo.fr. I rang the helpdesk to see if
>there was any way of stopping it getting to my mailbox and effectively
>blocking it. It's bearable on ADSL, but I'm not always at home and need
>to use the dial-up every so often, and this quantity of rubbish means
>you can't even look at your entire mailbox on webmail, but have to go
>through each valid email alias. Helpdesk muttered something sympathetic
>about lots of people having this problem at the moment and getting it
>fixed via the spamfilter in a few days. I'm actually going away for a
>few days now, thankfully I don't need to take the laptop, but am not
>looking forward to coming back to another 25,000 messages in the
>mailbox.
>
>Is there anything I can do?
>
Don't download them. Use MailWasher with rules based on
1) blacklisting everything then
2) classifying senders of wanted messages as "Friend"
then tweaking it further to cope for such things as genuine mail which
doesn't show as "To:" you or which gets sorted by the first name on a
Cc: list.
--
Charles Ellson: cha...@e11son.demon.co.uk
Alba gu brath
>Is there anything I can do?
If a substantial proportion are to a few names, see if Clive's Spam
Deleter works for you (it stopped working for this PC a while ago, but
still worked from the Library ones).
It deletes for one name at a time, but pretty quickly, seems runnable in
parallel with receiving mail by SMTP, and you could have a Notepad page
open with the list of names for rapid entry. Unlike WebMail's
inefficient windbaggery, it uses little of your connection's bandwidth.
<URL: http://www.davros.org/misc/killspam.html>
--
© John Stockton, Surrey, UK. ?@merlyn.demon.co.uk DOS 3.3, 6.20; Win98. ©
Web <URL:http://www.merlyn.demon.co.uk/> - FAQqish topics, acronyms & links.
PAS EXE TXT ZIP via <URL:http://www.merlyn.demon.co.uk/programs/00index.htm>
My DOS <URL:http://www.merlyn.demon.co.uk/batfiles.htm> - also batprogs.htm.
How about this option:
http://www.demon.net/helpdesk/networkstatus/serviceannouncements/announce9sept.html
I have been getting between 500-1000 spam emails a day for over three
weeks. Almost all of the form xy...@hostname.demon.co.uk
Helpline were saying their engineers were working on it three weeks
ago. Nothing has happened. RH
--
Robert Henderson
Blair Scandal website: http://www.geocities.com/ blairscandal/
Personal website: http://www.anywhere.demon.co.uk
If these are 'bounces' that you are seeing then you can make use of the
Discard DSN option that has been available for a while, via Web
Password:
https://www.password.uk.demon.net/webpassword.cgi
As ever, we only recommend that you have this option enabled for a short
period of time, whilst the issue is ongoing since it will also discard
DSNs for mail you have sent.
--
James Hoddinott email: ab...@demon.net
Network Abuse Team fax: 0870 051 9970
Demon Internet <URL:http://www.demon.net/helpdesk/aup/>
>I didn't know about that.
>I have enabled it, and will see how it affects traffic.
>thanks
Best of luck to you. I've had that option enabled for months, and I
still get these annoying mails. Of course, I've no idea as to how many
more I'd be getting without it enabled ;)
I've also had a flood of "out of office reply" type SPAMS recently...
Can we start a movement to insist that mailservers bother to verify
"reply to" addresses against observed message-origination IP? If a
mismatch is detected, they can either silently discard the non-delivery
advice message, or better, bounce it back to the true compromised IP
address.
I'm sure a whole host of experts will be along now to explain why this
can't be done.... :-(
It's bad enough that all this SPAM is out there. It is indefensible
that the ISPs simply DOUBLE the volume and number of people affected,
by "returning" it.
-- The PG --
> Can we start a movement to insist that mailservers bother to verify
> "reply to" addresses against observed message-origination IP? If a
I think you mean "envelope sender", not "reply to".
Take an example of an email received via Demon's smart hosts, the
IP address could be a demon.net address, and, even if it is a demon.co.uk
one, it will not be a host.demon.co.uk (or if Demon allow it, a
businessuserofdemon.co.uk). Consequently, the IP address will not match
the host.demon.co.uk (businessuserofdemon.co.uk) address in the envelope
sender.
Moreover, resolving the MX DNS records for the envelope sender address
will not give you any of the IP addresses that are associated with the
outbound mail item, but rather will give you Demon's inbound mail routers.
This ignores the case where I'm emailing personal mail from the office
(in practice the IT department no longer allows me to use the home
email address, but the example is still good). Strictly speaking,
I ought to set the envelope address to match the true sender, i.e.
my office account, but, if I'm forced to use Outlook or Outlook Express,
I will not be able to do that, so the envelope sender address will
not look like my employer's. (If I were allowed to send, my employer
might also prefer that none of the email addresses be theirs.)
> mismatch is detected, they can either silently discard the non-delivery
> advice message, or better, bounce it back to the true compromised IP
> address.
In general, for a good MTA (Exchange seems not to be), they will not
have accepted the email at that stage, so the only sensible option will
be to reject it. That will cause any upstream relay to bounce to the
envelope sender, so will only be effective if implemented at the
immediate downstream relay from the initial sender, and assuming that
the initial sender is submitting in submission mode or interactive
mode (Outlook Express is an example of submission mode and sendmail
forwarding before locally queuing is an example of interactive mode).
>Can we start a movement to insist that mailservers bother to verify
>"reply to" addresses against observed message-origination IP?
I think you must mean the envelope return path - which is nothing
whatsoever to do with "reply-to".
>If a mismatch is detected, they can either silently discard the
>non-delivery advice message, or better, bounce it back to the true
>compromised IP address.
In the case of spam, the originating ISP is often unclear (because of
forged paths) so I cannot see this working; the return path may be
genuine but unrelated to the source - or it may not.
>I'm sure a whole host of experts will be along now to explain why this
>can't be done.... :-(
'fraid so (not that I would claim to be an "expert").
>It's bad enough that all this SPAM is out there. It is indefensible
>that the ISPs simply DOUBLE the volume and number of people affected,
>by "returning" it.
Whether it is "returned" or not depends on how you deal with it.
--
Paul Terry
Do you have any examples of these mails still? If so, I'd be interested
to see copies of them (full headers and message body). They can be sent
to the abuse@ address, marked for my attention.
>I've also had a flood of "out of office reply" type SPAMS recently...
I'm not sure such mails are valid DSNs so hence wouldn't get trapped by
the Discard DSN option.
>
>Do you have any examples of these mails still? If so, I'd be interested
>to see copies of them (full headers and message body). They can be sent
>to the abuse@ address, marked for my attention.
Done, hope it helps.
>>I've also had a flood of "out of office reply" type SPAMS recently...
>
>I'm not sure such mails are valid DSNs so hence wouldn't get trapped by
>the Discard DSN option.
Agreed - they seem to be a mixture of straightforward spam and auto
replies in respect of spam containing my address in the "reply to"
field.
John
If you need more I am getting 20 plus a day!
--
Gregory
:-( I thought the experts would tell me why it couldn't be done....
However, if I receive a misdirected non-delivery message, which
includes the full original email with headers, I can cut and paste that
original message into SpamCop. SpamCop then almost instantly tells me
whether the real originating address was on a Spammer list, or had come
from an open relay. I am then able to either advise the open relay of
their problem or report a spammer. Either way I am able to advise the
non-delivery-message sender that they had contacted me in error.
Just about all the "bounces" or direct spam I'm receiving atm consists
of a .gif of just under 50k. Anyone know which particular virus is
sending them?
-- The PG --
> Just about all the "bounces" or direct spam I'm receiving atm consists
> of a .gif of just under 50k. Anyone know which particular virus is
> sending them?
I've seen a couple of these gifs and they are images of text. The text
is either asking you to log into bank, with a hyperlink around the image
and some white on white text to try and fool word analysis. Or the text
is bogus stock info, not sure what they are angling at. Not sure if it
is a virus at all since I've seen the hosting change regularly for the
banking one, with the same paths and everything.
--
Chris
>I've seen a couple of these gifs and they are images of text. The text
>is either asking you to log into bank, with a hyperlink around the image
>and some white on white text to try and fool word analysis. Or the text
>is bogus stock info, not sure what they are angling at. Not sure if it
>is a virus at all since I've seen the hosting change regularly for the
>banking one, with the same paths and everything.
Yep, vast majority of the ones I've had fall into that category.
However, got one about 30 mins ago which NOD32 identifies as
containing Win32/VB.NEI worm. No idea what this worm does, will Google
it when I've got the time.
John
Sure, although it should be noted that the example that John sent me
showed that the DSN was not correctly constructed, i.e. it was lacking
in a null sender path, which is why they don't get picked up by the
Discard DSN tool.
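The distinction drawn above, between a correctly constructed DSN with a null sender path and the bounce-like mail that is not picked up, shown as an added example that is not part of the original thread and not Demon's implementation. It assumes the mailbox records the envelope sender in a Return-Path header; the sample messages and the `classify` function are constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not taken from the thread).
DSN = """\
Return-Path: <>
From: MAILER-DAEMON@mx.example.net
Subject: Undelivered mail
Content-Type: multipart/report; report-type=delivery-status; boundary="b"

--b
Content-Type: message/delivery-status

Action: failed
Status: 5.1.1
--b--
"""
BAD_BOUNCE = """\
Return-Path: <postmaster@mx.example.net>
From: postmaster@mx.example.net
Subject: Mail delivery failed

Recipient unknown.
"""
OOO = """\
Return-Path: <someone@example.com>
From: someone@example.com
Auto-Submitted: auto-replied
Subject: Out of office

Back on Monday.
"""

def classify(raw):
    """Label one stored message by how a null-sender DSN filter would see it."""
    msg = email.message_from_string(raw)
    # Assumption: the delivery agent wrote the envelope sender to Return-Path.
    null_path = msg.get("Return-Path", "").strip() == "<>"
    report = (msg.get_content_type() == "multipart/report" and
              str(msg.get_param("report-type", "")).lower() == "delivery-status")
    if null_path:
        # Null envelope sender: the only case a null-sender filter can match.
        return "dsn" if report else "null-sender"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return "auto-reply"        # RFC 3834 marker used by vacation responders
    local = parseaddr(msg.get("From", ""))[1].partition("@")[0].lower()
    if report or local in {"mailer-daemon", "postmaster"}:
        return "malformed-bounce"  # looks like a bounce, but has a real sender path
    return "other"
```

Only the first sample would match a filter keyed on the null sender path; the other two are the kinds of message the thread reports still arriving.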
<Discard DSN option>
Came back from my weekend in Greece (v hot and sunny, since you ask...
:() to find freezing cold weather and another 3000 Mail Delivery bounces
on the log. Then found your message and have now enabled the Discard
DSN option, will hope that works and will disable it in a week to see
how things are going. Thank you very much for this.
John G. Evans.
In message <JdkLg1dj...@cockaigne.demon.co.uk>, Kate Brown
<elv...@cockaigne.demon.co.uk> writes
It's often a way of delivering a spam masquerading as the original
message attached to the fake DSN. I really can't imagine why anyone
would bother reading it, never mind responding to the spam, but there
you are - I guess some fool must somewhere or they wouldn't bother.
I have seen two recent reports about spam,
1/ Criminals are using stolen/forged credit card details to purchase
products advertised, bringing the suppliers to the notice of their banks and
increasing their bank charges.
2/ Another new loose alliance has been proposed to swamp the spammers with
rejection replies (apparently the organisers of the first suffered a huge
DoS attack, so this time many of the arrangements are to be secret).
--
Chris Bell
Since the spammers are rarely using their own addresses, how will that
work (and is it legal) ?
There have been several threads hereabouts about the flood of bounces.
In the past, these have lasted about 10-14 days. The current one seems
to have been going on since the 14th of April and the novelty is starting
to wear off.
Adrian
--
To Reply :
replace "news" with "adrian" and "nospam" with "ffoil"
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.
I've subscribed for the moment to the Discard DSN service offered
up-thread. It's reduced the flood from 3000 or more a day to about 60.
Next week or so I'll unsubscribe, and hope for the best.
Spammers offering goods or services can only obtain payments if there is
a reference leading to either a genuine contact address or website. If
everyone who receives spam via any route, usually a compromised system,
sends a reply of any description, that contact address is likely to be
swamped. A previous software facility, downloaded by several thousand users,
was designed to identify the contact address and send a rejection email
automatically, but the organiser received a massive DoS attack. The new
system is planned to work from a distributed system so that it is less
susceptible to attack.
Spammers needing to process payments must use the normal banking system,
and excessive transactions involving forged or stolen banking details will
at least attract attention and increased charges.
>
>
> Adrian
--
Chris Bell
Just as a matter of interest, are the floods of bounces that all of you
are seeing the same US stocks and shares tips that I am seeing my
address used for ? It is bad enough them using fake names at my demon
account to send them but I'm now on the receiving end of them on my work
account ! Sometimes it feels like you just can't win...
Chris P
Railway pictures website http://chrispackman.fotopic.net
Mine were all to rubbish addresses - spammers spamming spammers, I
think!
That only works for those who are selling a service, if the spammers are
actually scammers, then it won't work. As mentioned further down the
thread, I'm getting "share tips", for the scam to work, I need to buy
these shares, so that the originator can dump their (presumably)
worthless stock, more difficult to trace them that way.
Most (may be all) of the bounces I get have a gif embedded in them.
Since I have turnpike set up to not display images, I don't see what is
in them, however occasionally (once or twice a week) I will open one,
and mostly there are the "share tips". The one surprising feature is
that I haven't had a spam from either of my domains yet.