Michael
Done anything to speed up that process?
--like make a complaint?
NNTP-Posting-Host: 72.229.239.187
X-Complaints-To: abuse@ rr.com
Until recently, I had THOUGHT this was a moderated newsgroup, but
obviously it is not. I read with Agent and I would love to use a
filter, but I cannot think of how to set up such a filter for that
stuff.
Lou
It's not actually spam, which makes it difficult to filter. With spam,
filters can look for things like adverts for small blue pills or known
spam website urls. But these posts seem to be random noise - they are
not advertising anything, have no links, have no embedded malware, and
have no purpose I can think of except to annoy c.a.e. readers.
We could certainly send complaints to roadrunner.com's abuse address,
but I would expect that the person behind these posts is using a cracked
account, or another temporary account, and it would take a lot of
detective work to identify the true culprit - something that the ISPs
and newserver staff are unlikely to do.
Perhaps if we send the RIAA a "tipoff" that the posts are song snippets
using a stenographic-style encoding, they will track down the irritating
poster?
Cheers
TW
My usenet provider is news.individual.net (http://www.individual.net/)
They do an excellent job on spam filtering. I realized the amount of
junk messages must be increasing because on the groups I monitor
through them, the number has gone from practically zero to a few
annoyances here and there.
Roberto Waltman
[ Please reply to the group,
return address is invalid ]
I'm using Thunderbird, and I'm also stuck. I can't filter based on
Path. Last time I looked at this junk, Path seemed to be the thing
that would work.
Mel.
I am the publisher of EmbeddedRelated.com and I provide a web access to
this newsgroup on the site.
I would certainly be interested in hearing any idea that would help me
filter these waves of junk mail. So far, I haven't been able to find
anything in particular in the header (path included) or in the message
itself that would allow me to recognize them with my script. So I have to
manually delete them and it's a pain.
Thanks
Stephane
Examining several of the junk posts
http://groups.google.com/group/comp.arch.embedded/msg/c988977aa07e6d94?dmode=source
http://groups.google.com/group/comp.arch.embedded/msg/828f7e3149a0f49d?dmode=source
http://groups.google.com/group/comp.arch.embedded/msg/792fbd1b9a3859ab?dmode=source
shows there are 2 IP addresses doing all the spewing.
Here is the 2nd:
NNTP-Posting-Host: 82.35.108.103
X-Complaints-To: http://netreport.virginmedia.com
Are your headers pre-truncated?
Message-ID: <fhu95g$5lf$1...@news.httrack.net> has some pointers.
Comp.robotics.misc has been being hit for several months and this is
from a thread over there.
[Bah, Google Groups doesn't see that message ID. Search on
groups.google.com in comp.robotics.misc for subjects containing "sporge"
for the post from Xavier Roche.]
Some upstream servers do a better job of filtering. Verizon (my home
account) doesn't seem to do anything, while my roaming account via Forte
of Agent newsreader fame mostly does a pretty good job. I haven't seen
any of the current sporge flood on the sci.electronics.* groups lately,
as I'm coming in via that path now.
Note that following some discussions on c.r.m last summer about
filtering, the filterable pattern (which was nearly 100% effective just
using the headers) was changed so it's possible that the sociopath
adjusts his tactics to maximize harm.
--
Rich Webb Norfolk, VA
I am using a free news server nntp.aioe.org and it gets almost
none of the sporge that others are seeing. Unfortunately their
web page www.aioe.org does not give a contact email.
However their pages do mention they use something called Cleanfeed
http://linux.die.net/man/8/cleanfeed
http://www.exit109.com/~jeremy/news/cleanfeed/
but I know nothing more about this.
Hope that helps.
Eric
Somewhat pointless. Where the crap comes from changes fairly often.
So, you would have to change the filters every day or so. Somebody
using the same crap generator program has pretty much destroyed
sci.crypt. In that group, I would see the garbage coming from up to 5
different sources in a single day. After deleting 40 or 60 thousand
trash posts in a 30 day period, I gave up. You're lucky here, only a
few hundred, so far.
--
ArarghMail712 at [drop the 'http://www.' from ->] http://www.arargh.com
BCET Basic Compiler Page: http://www.arargh.com/basic/index.html
To reply by email, remove the extra stuff from the reply address.
There was a time when Google was useless on these,
but they fixed it a long time ago.
You have to do it this way for Google to auto-convert:
news:fhu95g$5lf$1...@news.httrack.net
gives you
http://groups.google.com/group/comp.robotics.misc/msg/251a2f0281431d00
[yada,yada]
Thanks! Of course, it would be nice if the Do No Evil crowd would allow
standard header formats ...
I think they gave up on the "Don't Be Evil" thing several years back.
Concurrent with "going public", I'd say.
http://www.google.com/search?q=google+ipo+2004
8-(
Using Netscape, I periodically access the group and download the
headers. Most normal spams are picked up by my filters. These
bursts are basically single messages, no answers, and are all
roughly the same physical size. (I sort messages by thread.) I
mark these all as deleted, and then download the remaining (if any)
messages.
The fact that I operate offline, and thus load headers and messages
separately, helps. I am sure I lose a fair number of messages.
--
Chuck F (cbfalconer at maineline dot net)
<http://cbfalconer.home.att.net>
Try the download section.
--
Posted via a free Usenet account from http://www.teranews.com
Sporge floods like this, as I understand it, come from a pool of zombie
machines. There are usually only a few sources at a time. (Three for
the floods here recently, under a dozen or so for a really big one like
sci.electronics.design got this last year).
The sporgers don't seem to prevent the NNTP-Posting-Host header being
included by the initial news server that processes them. (If they
get lucky and use a NSP that anonymizes the posts, the tail end of
the Path header, or the content of an X-Trace: header may still be
a reliable test).
So, if you can take the recent traffic, sort by the Posting Host
(or equivalent) and delete those posts coming from any one site that
post more than a threshold count.
Another test is a Subject that starts with "Re:" but without a
References: header. Long Subjects, and Subjects with first
names are good but less reliable tests.
Perhaps just get your feed from a site with better filters,
or if their terms of service won't allow your forwarding, get
your feed and then compare that with a NSP with good filters and
drop the stuff that didn't show up on the second site.
Mark Zenier mze...@eskimo.com
Googleproofaddress(account:mzenier provider:eskimo domain:com)
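The header tests described in the post above (per-origin volume over a threshold, and a "Re:" Subject with no References header), as an added Python example that is not part of the original thread. The function names, the threshold of 3, the choice of the last two Path hops as the fallback origin, and the sample articles (constructed, using documentation IP ranges) are all assumptions made for illustration.

```python
from collections import Counter
from email import message_from_string

def make_article(msg_id, subject, host=None, path="news.example!not-for-mail", refs=None):
    """Build a constructed header block for the sample set."""
    lines = [f"Message-ID: <{msg_id}>", f"Subject: {subject}", f"Path: {path}"]
    if host:
        lines.append(f"NNTP-Posting-Host: {host}")
    if refs:
        lines.append(f"References: {refs}")
    return "\n".join(lines) + "\n\nbody\n"

# Constructed sample: four flood posts from one host, one flood post through an
# anonymizing server, and two ordinary posts. IPs are documentation ranges.
SAMPLE = (
    [make_article(f"flood{i}@x.example", f"Re: Lou noise {i}", host="192.0.2.10") for i in range(4)]
    + [make_article("anon1@x.example", "Re: Mel noise", path="news.example!anon.example!not-for-mail")]
    + [make_article("ok1@y.example", "Re: UART framing", host="198.51.100.7", refs="<ok0@y.example>"),
       make_article("ok0@y.example", "UART framing", host="198.51.100.7")]
)

def origin(msg):
    """NNTP-Posting-Host if present, otherwise the tail end of Path (assumed: last two hops)."""
    host = msg.get("NNTP-Posting-Host")
    if host:
        return host.strip()
    hops = [h.strip() for h in msg.get("Path", "").split("!") if h.strip()]
    return "path:" + "!".join(hops[-2:])

def is_orphan_reply(msg):
    """Subject starts with 'Re:' but the article carries no References header."""
    subject = (msg.get("Subject") or "").strip().lower()
    return subject.startswith("re:") and not (msg.get("References") or "").strip()

def flag_flood(articles, threshold=3):
    """Return {message-id: [reasons]} for articles matching either test."""
    msgs = [message_from_string(a) for a in articles]
    per_origin = Counter(origin(m) for m in msgs)
    flagged = {}
    for m in msgs:
        reasons = []
        if per_origin[origin(m)] > threshold:
            reasons.append("origin-volume")
        if is_orphan_reply(m):
            reasons.append("re-without-references")
        if reasons:
            flagged[m["Message-ID"]] = reasons
    return flagged

if __name__ == "__main__":
    for mid, why in flag_flood(SAMPLE).items():
        print(mid, why)
```

Keeping the reasons per article lets a script act only when both tests agree, since a genuine reply can also arrive without its References header.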
It is not just hard to do, it is actually counterproductive.
The IP addresses get listed constantly, and being dynamic one
zombie PC can take care of having several addresses listed.
Then the ISP uses this as a justification for initiating content
filtering (e.g. recently my ISP began to block my outgoing connections
to port 25). Since most people are technically illiterate, they accept
that this is just a fight against spam or some other evil and we have
to take yet another cut in our rights.
Worse, we actually do not know who floods the net with that spam,
it is so stupid I find it difficult to believe most of it is done by
any other purpose than the flood itself. Once everyone is tired enough
of the flood the rescue will come with new restrictions, of course,
which will have been the sole purpose of the flood all along...
Dimiter
------------------------------------------------------
Dimiter Popoff Transgalactic Instruments
http://www.tgi-sci.com
------------------------------------------------------
http://www.flickr.com/photos/didi_tgi/sets/72157600228621276/
On Dec 5, 5:24 pm, David Brown <da...@westcontrol.removethisbit.com>
wrote:
Actually, I would prefer if ISPs blocked port 25 for their customers
(except of course when the destination was their own MTA server) - if
they also have a good enough technical support system that they can
distinguish between competent and knowledgeable users, and the unwashed
masses, and open port 25 for those that know how to use it properly.
Perhaps some sort of internet drivers' license is what's needed here -
users should only be allowed access to more risky network services (such
as incoming traffic, and general outgoing port 25) if they can show that
they know what these services do.
> Worse, we actually do not know who floods the net with that spam,
> it is so stupid I find it difficult to believe most of it is done by
> any other purpose than the flood itself. Once everyone is tired enough
> of the flood the rescue will come with new restrictions, of course,
> which will have been the sole purpose of the flood all along...
>
If you are suggesting that these post floods are generated by ISPs, or
someone else trying to get more restrictions on the net (motivated by
money, power, or politics), then I think that's a little paranoid. Mind
you, it's the only rational explanation I've heard so far.
mvh.,
David
It may be quite easy to do something like that. Just counting the outgoing
SYN segments of each subscriber/week (or so) will quickly reveal
spam sources. The few other high mail output customers (non-spam,
that is) can be checked manually.
> If you are suggesting that these post floods are generated by ISPs, or
> someone else trying to get more restrictions on the net (motivated by
> money, power, or politics), then I think that's a little paranoid. Mind
> you, it's the only rational explanation I've heard so far.
Of course it is paranoid. Which does not mean reality is not even
worse, of course... :-).
Dimiter
------------------------------------------------------
Dimiter Popoff Transgalactic Instruments
http://www.tgi-sci.com
------------------------------------------------------
http://www.flickr.com/photos/didi_tgi/sets/72157600228621276/
On Dec 9, 4:19 pm, David Brown
The only way of stopping spam is to have an exam to get a license to use
the Internet.
Spam only works because there are enough idiots on line who want viagra,
penis extensions, boob jobs, share and land deals that are too good to
be true. Get rid of these idiots and spam will largely disappear.
Happy Christmas... :-)
--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ ch...@phaedsys.org www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
>In message <13lbs50...@corp.supernews.com>, msg
><msg@_cybertheque.org_> writes
>>In a recent thread, a poster stated he saw perhaps 500 spam posts
>>per day on c.a.e.; I couldn't imagine until about 2300 UTC when
>>my Supernews feed failed to filter about 100 spams per minute.
>>I have not had a need for filtering before this and I hope this
>>is only a transient.
>>
>>Michael
>
>The only way of stopping spam is to have an exam to get a license to use
>the Internet.
>
>Spam only works because there are enough idiots on line who want viagra,
>penis extensions, boob jobs, share and land deals that are too good to
>be true. Get rid of these idiots and spam will largely disappear.
No, I don't think that would do it. IMO, 2 things need to happen:
1) Need to have providers (ISPs, news services) who actually give a
damn, who are willing to act in these cases, instead of just
wanting the money.
2) Need to have EVERY post be identifiable as to who sent it. Too
many posts/complaints, cancel the account & blacklist them.
(It follows that non-identifiable posts are simply dropped)
Of course, neither will happen. :-)
Which could be as simple as blocking port 25 by default and unblock it
by user request. If a user explicitly requests port 25 to be unblocked,
chances are that the user knows what he/she is doing.
> The only way of stopping spam is to have an exam to get a license to use
> the Internet.
The same way drivers' licensing stops traffic jams. Right. :-) Nice
idea, really, but it just won't work.
> Spam only works because there are enough idiots on line who want viagra,
> penis extensions, boob jobs, share and land deals that are too good to
> be true. Get rid of these idiots and spam will largely disappear.
Unfortunately, it's a given fact that mother nature's supply of idiots
is quite inexhaustible.
Drivers' licenses (or rather, the training and then tests - and the loss
of license for driving offences) don't stop all problems on the roads,
but I'm confident there would be far more problems without them.
>> Spam only works because there are enough idiots on line who want
>> viagra, penis extensions, boob jobs, share and land deals that are
>> too good to be true. Get rid of these idiots and spam will largely
>> disappear.
>
> Unfortunately, it's a given fact that mother nature's supply of idiots
> is quite inexhaustible.
As a really smart bloke once said, "Two things are infinite: the
universe, and human stupidity; and I'm not sure about the universe."
What surprises me is not the number of idiots out there, but the number
of idiots with enough money to pay for all that junk. I can well
understand people clicking on "free pictures here" links, but I'm amazed
that people can make money from spams advertising small blue pills and
the like. After all, spam is not entirely free - even at a few
millicents per message, you need to send out such a vast number that it
adds up to real money in the end, and you're competing with thousands of
others for the same tiny market.
After which you are left with those who are smart enough to pass
the exam, and want p0rn, amusement, power thrills, etc. There is
never any lack of idiots. Also, 'etc.' is open ended.
--
Merry Christmas, Happy Hanukah, Happy New Year
Joyeux Noel, Bonne Annee.
Chuck F (cbfalconer at maineline dot net)
<http://cbfalconer.home.att.net>
--
Either those users who ask have to be assigned to a narrow range of IP
numbers, or the router(s) in question each have to have 1 or 2 lines
added to their scripts. That will eventually slow the routers down to
the point where everybody has poor response.
Blocking port 25 takes 1 or 2 lines of script, and gets everybody.
Are you saying all the ISP personnel are that stupid? [I must confess
this is what I think they are, of course.]
They do maintain a list of MAC addresses per customer (e.g. I do have
two DDNS records here which they do for free); so they do have
an up to date table MAC <-> IP. Then they can run through this table
only the outgoing packets which contain a SYN segment with port 25
as a destination port; this will be negligible on any working system.
Of course, they do expect to find a script written 20 years ago or so
which will do the job... Anything other than that they consider
"too complex", I suppose.
Dimiter
------------------------------------------------------
Dimiter Popoff Transgalactic Instruments
http://www.tgi-sci.com
------------------------------------------------------
http://www.flickr.com/photos/didi_tgi/sets/72157600228621276/
What is needed is for the ISPs to take a zero-tolerance approach.
It needn't be all of them, just enough of the big ones to make a
difference. E.g. the single biggest source of news spam is Google.
So block it as a spam site. All of it, not just Google groups.
Then they might start paying attention to abuse complaints.
Similarly, all those posts advertising blogspot sites - take down
the site. Until they do, block blogspot. This is the kind of
thing individual customers can't do and have any effect, but if the
big ISPs started doing it we'd begin to see some results.
Of course, it cuts both ways. Just lost your net connection?
That's because your PC is on a botnet and has been sending out
spam. However, I think most people would actually appreciate that
if it alerted them to the fact that their system was compromised
and prevented any further vulnerability until it had been fixed.
--
Andrew Smallshaw
and...@sdf.lonestar.org
Places like the biggy national ISPs, yes. They may have 1 or 2 people
who actually know which way is up, but those probably aren't the
people who are maintaining the dozens/hundreds/thousands of routers/
port aggregators/...
> They do maintain a list of MAC addresses per customer (e.g. I do have
>two DDNS records here which they do for free); so they do have
>an up to date table MAC <-> IP. Then they can run through this table
>only the outgoing packets which contain a SYN segment with port 25
>as a destination port; this will be negligible on any working system.
Assuming that are writing the code for the routers/port interface/...,
then yes that might work. Except, of course, for V9x or V120 or any
other PPP connection which doesn't have a MAC address.
Otherwise, you are trying to get Cisco or 3Com or whatever hardware
vendor to modify their software to do what you want.
> Of course, they do expect to find a script written 20 years ago or so
>which will do the job... Anything other than that they consider
>"too complex", I suppose.
More likely, too costly.
<snip>
>
>Of course, it cuts both ways. Just lost your net connection?
>That's because your PC is on a botnet and has been sending out
>spam. However, I think most people would actually appreciate that
>if it alerted them to the fact that their system was compromised
>and prevented any further vulnerability until it had been fixed.
I doubt it. I think that most lusers would blame the ISP for letting
their (the lusers) machine become infected in the first place.
"Zero tolerance" is just a general term for "zero thought", "zero
knowledge" and "zero understanding".
When I was young and foolish (long ago, :-) ), our old mail server
program was passing on certain types of spam. Our ISP noticed the
problem and informed us - that way I managed to fix the problem and
learned a bit more during the process. With a "zero tolerance"
attitude, they would have closed our line (or at least, all outgoing email).
*Low* tolerance is good, but not *zero* tolerance.
Absolutely true, of course.
And with "zero tolerance" and many of the kind being so trendy
one wonders which planet we landed on... :-)
Dimiter
On Dec 10, 7:45 pm, David Brown
<david.br...@hesbynett.removethisbit.no> wrote:
> Andrew Smallshaw wrote: