Got a Spamcop message last night, haven't had one in a few months guess I'm due.

So I read through it figuring to find out who's account I need to nuke. Imagine my surprise when the only place I see one of my servers mentioned in the email is as the RECEIVING server of the spam.

Received: from unknown (HELO localhost.localdomain) (211.101.236.180) by
an.rsta.org with SMTP; 1 Aug 2002 11:07:01 -0000

That's my server allright, RECEIVING the spam.

Yes folks, my server is now listed on Spamcop for RECEIVING spam.

No I'm not really amused, it pisses me off really and they better fix this little "booboo" soon this is totally unacceptable.

I'm not really a fan of these un-monitored uncontrolled vigilante blacklists, you can't have a trustworthy police force when no one has any control over them who's not a part of them. Just ask my granddad in Germany how it works out when the policing body isn't answerable to anyone and is controlled only by those with the same agenda.

Ok here's the full message so maybe you can tell me what I'm missing:


[SpamCop (http://www.sujee.net) id:97744176]www.x.net



From:
97744176@reports.spamcop.net


To:
grimster@dixiesys.com


Date:
1 Aug 2002 11:07:01 -0000
- SpamCop V1.3.3 -
This message is brief for your comfort. Please follow links for details.


http://spamcop.net/w3m?i=z97744176zec7811f39ef72b3e604a321522a46b61z
Spamvertised website: http://www.sujee.net

> http://www.sujee.net is 12.37.166.66; Fri, 02 Aug 2002 03:51:39 GMT



Offending message:
Return-Path: <bounce@trafficmagnet.com>
Delivered-To: x
Received: (qmail 14119 invoked from network); 1 Aug 2002 11:07:01 -0000
Received: from unknown (HELO localhost.localdomain) (211.101.236.180) by
an.rsta.org with SMTP; 1 Aug 2002 11:07:01 -0000
Received: from emaserver ([211.157.101.50]) by localhost.localdomain
(8.11.6/8.11.6) with ESMTP id g71B1eg12612 for <x>; Thu, 1
Aug 2002 19:01:58 +0800
Message-ID: <392C_______1919@emaserver.trafficmagnet.net>
Date: Thu, 1 Aug 2002 19:02:21 +0800 (CST)
From: Sarah Williams <bounce@trafficmagnet.com>
Reply-To: Sarah Williams <Sarah_Williams@trafficmagnet.com>
To: x
Subject: www.x.net
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=1132609206.1028199741671.JavaMail.SYSTEM.emaserver
X-EMA-CID: 6502058
X-EMA-LID:
X-EMA-PC: 0ef642fae9a00



--1132609206.1028199741671.JavaMail.SYSTEM.emaserver
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


Hi


I visited www.x.net, and noticed that you're not listed on some search engines! I think we can
offer you a service which can help you increase traffic and the number of visitors to your website.


I would like to introduce you to TrafficMagnet.com. We offer a unique technology that will submit your
website to over 300,000 search engines and directories every month.


You'll be surprised by the low cost, and by how effective this website promotion method can be.


To find out more about TrafficMagnet and the cost for submitting your website to over 300,000 search
engines and directories, visit us at:


http://emaserver.trafficmagnet.net/trafficmagnet/www/r?1000001919.392.23.Fcy6+769pcvyEA



I would love to hear from you.



Best Regards,


Sarah Williams
Sales and Marketing
E-mail: Sarah_Williams@trafficmagnet.com
http://www.TrafficMagnet.com


This email was sent to x.
I understand that you may NOT wish to receive information from me by email.
To be removed from this and other offers, simply go to the link below:
http://emaserver.trafficmagnet.net/trafficmagnet/www/optoutredirect?UC=Lead&UI=6502058
--1132609206.1028199741671.JavaMail.SYSTEM.emaserver
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit


<HTML>
<HEAD>
<!-- 1.0 -->
<TITLE></TITLE>
<STYLE TYPE="text/css">
<!--
TD { font-family: verdana, arial, helvetica; font-size: 11px; color: #000000 }
-->
</STYLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF">
<TABLE WIDTH="600" BORDER="0" CELLSPACING="0" CELLPADDING="0">
<TR>
<TD>Hi<BR>
<BR>
I visited <A HREF="http://emaserver.trafficmagnet.net/trafficmagnet/www/r?1000001919.392.5.XLny4HZZ4r3GW5">www.x.net</A>, and
noticed that you're not listed on some search engines! I think we can offer
you a service which can help you increase traffic and the number of visitors
to your website.<BR>
<BR>
I would like to introduce you to <A HREF="http://emaserver.trafficmagnet.net/trafficmagnet/www/r?1000001919.392.2.u4ffJWvt5C$qFI">TrafficMagnet.com</A>. We offer a unique technology
that will submit your website to over 300,000 search engines and directories
every month.<BR>
<BR>
<TABLE WIDTH="398" BORDER="0" CELLSPACING="0" CELLPADDING="0" ALIGN="center">
<TR>
<TD><A HREF="http://emaserver.trafficmagnet.net/trafficmagnet/www/r?1000001919.392.8.ju6J4MIdwERtK9"><IMG SRC="http://www.trafficmagnet.com/img/img_tm.gif" WIDTH="137" HEIGHT="136" BORDER="0"></A>&nbsp;</TD>
<TD><A HREF="http://emaserver.trafficmagnet.net/trafficmagnet/www/r?1000001919.392.11.aqWl3Sa7HVLNps"><IMG SRC="http://www.trafficmagnet.com/img/img_website.gif" WIDTH="197" HEIGHT="141" BORDER="1"></A></TD>
<TD VALIGN="bottom"><A HREF="http://emaserver.trafficmagnet.net/trafficmagnet/www/r?1000001919.392.14.h1irpSHrAnukO4"><IMG SRC="http://www.trafficmagnet.com/img/img_signup.gif" WIDTH="62" HEIGHT="136" BORDER="0"></A></TD>
</TR>
</TABLE>
<BR>
You'll be surprised by the low cost, and by how effective this website promotion
method can be. <BR>
<BR>
To find out more about TrafficMagnet and the cost for submitting your website
to over 300,000 search engines and directories, visit <A HREF="http://emaserver.trafficmagnet.net/trafficmagnet/www/r?1000001919.392.17.mMbBN41CFU6kPZ">www.TrafficMagnet.com</A>.
<BR>
<BR>
I would love to hear from you. <BR>
<BR><BR>
Best Regards,<BR><BR>
Sarah Williams<BR>
Sales and Marketing<BR>
E-mail: Sarah_Williams@trafficmagnet.com<BR>
<A HREF="http://emaserver.trafficmagnet.net/trafficmagnet/www/r?1000001919.392.20.Pt+smp4Iv+3fQe">http://www.TrafficMagnet.com</A>
<P>&nbsp;</P></TD>
</TR>
<TR>
<TD><FONT COLOR="#999999">This email was sent to x.<BR>
I understand that you may NOT wish to receive information from me by email.<BR>
To be removed from this and other offers, simply <A HREF="http://emaserver.trafficmagnet.net/trafficmagnet/www/optoutredirect?UC=Lead&UI=6502058">click here</A>.<BR></FONT>
</TD>
</TR>
</TABLE>
<IMG SRC="http://emaserver.trafficmagnet.net/trafficmagnet/www/picture.jsp?UC=Lead&UI=6502058&CRID=392CR1000001919" ALT="." HEIGHT=1 WIDTH=1>
</BODY>
</HTML>
--1132609206.1028199741671.JavaMail.SYSTEM.emaserver--

I agree with you. These lists are ridiculous.

Spamcop sucks, so does Spews, Orbz, Osirsoft - the whole friggin lot need to be boxed up and launched on the next shuttle. I mean, is a spammer going to use his own server to spam through? Of course not. They scour for a victim.

All IPs listed in these lists are legit hosts. I just had to reroute email through another IP on one of our servers because of these lists. :angry:

I've fed the odd trafficmagnet one throygh SpamCop due to Sarah and her filthy spamming ways. From memory your own domain will show up in the report, but with the check box unchecked. You need to check that box first to get complaints sent to 'yourself'. Maybe someone you host did it?

Just a guess.

Greg Moore

how to ban these SPAMming websites TrafficMagnet.net or trafficMagnet.com

Originally posted by Dixiesys
No I'm not really amused, it pisses me off really and they better fix this little "booboo" soon this is totally unacceptable.

I'm not really a fan of these un-monitored uncontrolled vigilante blacklists, you can't have a trustworthy police force when no one has any control over them who's not a part of them. Just ask my granddad in Germany how it works out when the policing body isn't answerable to anyone and is controlled only by those with the same agenda.

At least SpamCop has warm bodies on the other end that can fix problems like these. You can't say that for some other lists out there (SPEWS).

I usually get problems with SpamCop resolved in a couple of hours.

I don't get it. Are you being blacklisted for receiving spam?

Example of SPEWS Support:

Message to them:

I got listed by accident when we opened a new server with IMAIL that we forgot to turn off open relay during the first 24 hours, someone found it, and got us listed with you. Can you please test the IP that you found that caused you to block 2 whole Class C addresses that we own and unblock us?

Message from them (exact paste):

If you guys were not such dumbas*es you would not of got blacklisted. Maybe in 6 months you can send to people that use us, until then, you will learn not to support spam.


Now how did I support spam, I explained to them what happened, and invited them to see that the problem was fixed. I am lost. How is this even legal to some extent???

check out this one too...

http://www.webhostingtalk.com/showthread.php?threadid=63089

Node, the only reason spews is legal is the fact that the owner/operator runs around and hides in the shadows. Many other spam block lists that tried to do what spews does got sued and shut down (I don't remember the exact names or cases). So spews is probabbly doing a good bit of illegal stuff but by using russian servers and living god knows where spews seems to be hard to track down.

Yet another reason why I abhore SPEWS.

Unlike SPEWS http://abuse.net/ is one of the few reputable ones that will actually work with you. I have gotten a responsive and courteous email back everytime I have contacted them.

Negative section removed as a favor asked of me by a good friend.

Whoa dude, that's just mean. Of course I wouldn't submit with my real internet access (not that I'd condone this) but I'd get some 'free AOL' time to do it from I mean, no need in antagonizing these ... organizations with your real IP ya know. Not that I'd do this or condone anyone else with some free time and a grudge to do it either but I sure would make sure to use "throwaway" access.

shhhh, you didn't really say that. At least I didn't hear it.

btw, AOL isn't just a "throwaway" it is more like a "reformat away"

Spamcop interacts with Abuse.net. Keep all your stuff correct with Abuse.net and you really wont have a prob with Spamcop.

Negative section removed as a favor asked of me by a good friend.

btw wats the website of SPEWS? :)

http://www.spews.org/

These Anti-Spam sites think their out to do the world a favour, but to be quite frank they would do us all more of a favour by shutting down.

When anti-spam sites came around, the ISP's were still not regulating the spam. Now that people are doing it, we do not need lists like this, as most webmail programs have a "block" feature in them.

I am sick of it, as spews has blacklisted 2 full Class C's of mine, told me that it was because we were stupid, and refused to unlist me even though the problems were corrected.

We have customers that now can not send to people that have done nothing wrong, and we have orders to people each day that we have to use hotmail or something because of these people. (Most are free email accounts, but it is still the point)

Anyone have any ideas on how to go about getting rid of unregulated directories like SPEWS?

Ugh... TrafficMagnet just irritates me.

Well... we could always do a coordinated dos attack against their servers... :) I mean they *are* in russia and its not like their gunna break their cloak of secrecy to go after anybody hehe

Who knows... it could be fun! heh

From a brief telephone conversation yesterday with Joe at osirusoft.com:In my attempt to walk on water I've found myself knee-deep in sh*t.Poor guy, accidentally blocked an entire /12 yesterday which I just happened to be a part of. Took care of it immediately, but this just goes to show that mistakes *do* happen with lists like these and innocents suffer from it.

The bottom line is that they are trying to regulate something they hve no business regulating. The only way to really get rid of them is to stop acknowledging them, as hard as that may be.

You can't get rid of things like SPEWS. They are breaking no laws. Whether some ISP or network admin decides to use their listings is entirely up to that ISP or admin. SPEWS simply collects items from the .sightings newsgroup and lists them. It is rumored, but not confirmed, that nominations to SPEWS are accepted via the other email abuse newsgroup - I doubt this, personally. There is nothing illegal or even unethical about those actions. What people decide to do with the information presented in the lists is their choice. If it impacts you, then you should determine why that is: are you not taking care of spam complaints in a timely fashion, and thus landing yourself on the unreformed list? Are you buying connectivity from a company that is known not to deal with their spammers (Verio comes immediately to mind)? Are you being combatative when admins inform you of spammers or file abuse reports (this happens more than you would believe)? These "you"s are, of course, generic, and not directed at anyone in particular. It is simple enough to be removed from SPEWS if the problem has been addressed, and we have helped other people get off the listing by helping them root out spammers or by helping them find a different provider than the one they were using, who would not stop their customers from spamming. If you have major problems with some entity that uses the listings from SPEWS, then you should take those problems up directly with those people - after all, they are the ones blocking you, not SPEWS.

I would imagine that trying any attacks against SPEWS would have some results that would be severely counterproductive to your life online.

Originally posted by RackMy.com
Ugh... TrafficMagnet just irritates me.

I got like 6 of those today!

Post removed as a favor asked of me by a good friend.

I received some very confusing garble from Spam Cop about eight months ago... accusations, threats... etc. And I don't even have a server, and I've never spammed anybody in my seven years on the net. I have nothing to spam. Someone at Cybercon, Inc., a NOC in St. Louis was somehow sending out zillions of emails with one of my domain names involved in the header info. How they did it, I'll never know. I had tried my hand at leasing a server there about three years ago. It was then I learned it's best if I know something about UNIX before spending all that money. Somehow, there was still some reference to my domain name on a server there.

Since I didn't understand the CopTalk, I responded with an Email asking what it all meant. The response I received was (paraphrased): "How do we know you are a real live human being and not a robot trying to probe us? To prove you are real, do this, do that, stick your left foot in, stick your left foot out, stick your left foot in, and turn it all about..., blah blah, ad infinitum."

So I jumped through the hoops, and finally got a response from old Wyatt Earp himself. The response was a technical explanation to a layman's question. I still didn't get it, and still didn't like being on anyone's "most wanted" list.

So I checked to see if the Marshall had a jail I could call. Yep.
WHOIS: Domain Name: SPAMCOP.NET
Registrar: CORE INTERNET COUNCIL OF REGISTRARS

Admin Contact, Technical Contact, Zone Contact:
Julian Haight (COCO-254526) jkdom@mail.julianhaight.com
206-362-5759

I called him. He seemed somewhat surprised that I would call him, but nevertheless did his best to explain to me what was going on. I didn't get most of it, even hearing it from him, but what I did get from the conversation was his satisfaction that he had made a mistake... my address was being "spoofed" or something like that.

Also, I must share my observations with you that the old Cop seemed rather meek "in person". After my third call to him, I believe he was regretting that his number was listed in the whois.

I personally believe that SpamCop and other like minded organizations are indeed breaking the law somehow. I'm just not sure how yet. I would like to know by what authority they can disrupt another person's business. In the "live world", you just don't disrupt a business and cut off profits without due process of law. I think it's called "interfering with commerce, or free trade" or something like that. There are procedures that must be followed to protect the innocent.

Regarding "Traffic Magnet". I've been receiving those for a couple of years. They are breaking copyright laws by duplicating your homepage in the Thumbnail graphic that accompanies their spam. There is no "Sarah". I've tried tracking this idiot down.
WHOIS: Domain Name: TRAFFICMAGNET.COM
Registrar: CORE INTERNET COUNCIL OF REGISTRARS
Admin Contact, Technical Contact, Zone Contact:
admin zhron9 (COCO-856023) contact@trafficmagnet.net
none
======
Strange the registrar is the same as SpamCop's.

If I could find him, and he was in the U.S., I would most likely take a trip to his office, and beat him to a pulp with my bare hands. I find that solution much more rewarding than attacking his computers. I would prefer teaching him a lesson that he can associate with extreme physical pain when he might again consider stealing the bandwidth of so many good people.

When I get spam, I do my best to find a phone number associated with the spam. Even if the spammer has hired a third party 800 line, I call repeatedly, and complain bitterly to the operator, in the hopes that the third party 800 line will realize it's not worth the aggravation.

I tracked down a spammer to an office in Los Angeles several months ago. Got the number AND address from whois. I called the office. A young, haughty girl answered. I told her I wanted to speak to whomever was responsible for the spam. She flippantly told me all I had to do was delete it, or click the "unsubscribe" list. She had a **** you attitude.

I told her I lived about ten miles from her office, and that if I received one more spam email from them, I was going to drive over there, stake out the place for a couple of days, and when the opportunity presented itself, I was going to cut her throat. She asked, "What did you say?" I repeated, in all seriousness, "If I get one more spam from your office, I am coming over there and I am going to cut your throat."

Her reply: "Are you threatening me?"

Oh yeah! I remember those guys now! That "thumbnail" part reminded me :D

Yeah, I blocked them a long time ago from our system. None of our clients get their spam. That's why I didnt remember them, because I dont recieve them anymore :stickout

if you dont support spammers, then you should have nothing to worry about.

and if accidents happen, and you get listed, with alittle bit of reading on the spews.org faq, you will find out just how to get removed. it is pretty easy actually (as long as the problem is fixed) but if you can't read the faq, then dont expect anything to get done.

i dont really agree with ""the powers to be"" and how things actually are being done, but i have learned that if you strive to understand, and do your homework, you'll figure out the how, why, and what you need to know to stay safe and clean.

rava

Originally posted by Webdude
Spews may not technically be doing anything illegal. However, they are doing enough wrong to have lawsuits against them if they were available to file suit against. I myself have gotten blocks of IP's that were "already" blocked by spews. Contacting them yielded no results, not even an email back. I had to exchange those blocks.

Really. What "wrongs" would those be, precisely?

However, technically, bombarding their servers as stated above is actually a decent option. If you cant get to them legally, you can get to them other ways. As stated, they would have to make themselves available to lawsuits in order to come out and cry about what's happening to them.

So, you advocate abuse right back at what you're crying abuse about? A canny person involved at the receiving end of an attack such as the one you advocate would simply blackhole anything related to you, forever and ever, amen.

The hosts here at WHT arent the only ones pissed at spews. Almost every host on the web is very well aware of spews and wants them gone.

I am not pissed at SPEWS. I don't care about them one way or the other, actually. I'd like to see the results of your survey that you can make such a sweeping generalization that the vast majority of the thousands and thousands of hosts "wants them gone". Many hosts have no clue what SPEWS is at all.

Back when spammers started hammering unsuspecting clients on hosts when they were using formmail, spews listed a whole messload of hosts, along with their clients. Even after hosts banned formmail, they are still blacklisted....all because of a poorly written script.

I'm afraid you don't understand SPEWS as well as you think you do if you think a simple formmail script is what lands people in SPEWS.

If spews is doing so much good and nothing wrong, why are they forced to hide out in Russia to avoid the legal action from thousands of upstanding hosts (from small hosts to major ones) that strictly enforce anti-spam rules themselves? Apparently they are doing something wrong if even the good guys dont like them.

Forced? I wouldn't call it that. More like expediency to avoid frivolous lawsuits.

And what does that mean? If they are forcefully shut down by hundreds of hosts, it would have no effect on me.

It would if you participated and someone got pissed enough at you to drop you into their blacklist. You think SPEWS is bad? Try getting out of the blackholes that some admins keep personally.

Spews is nothing but a renegade web cop who doesnt follow the rules of engagement. You try to avoid casualties. For example, you dont bomb a crowded room to get the one bad guy. For lack of a better term, that is exactly what spews does. They take out the bad guy regardless who else it hurts.

I think that's the first time I've ever heard anyone classify SPEWS as a single person. My understanding, based on activity I've seen at SPEWS, is a progressively wider mask on IP blocks that are listed due to inaction on the part of host or connectivity provider. Does SPEWS catch people collaterally? Yes, it does. I've said so on numerous occasions. I can see the point of it, though, if continued inaction is the only result from spam complaints. It isn't pretty, but let's face it: economics is the name of the game.

Before you argue the points here, you better go do some google searching on spews and find out just how bad it really is out there with these guys.

More sweeping generalizations. I already know about SPEWs and participate in the groups. One of the assists we did was for someone locked up not only with their inability to deal with spammers in their block, but with multiple associations with spamhausen. Before you presume to lecture someone about doing their homework, perhaps you should do some of your own - or at least make a cursory attempt.

I have never had a direct problem with Spews that I couldnt resolve. That guy sure thinks he's high and mighty for someone who's hiding from the world. Ask yourself why Spews is in hiding while Spamcop and Abuse.net are not.. Even those guys really dont care much for Spews. Nobody does, except aparrently, You.

Let's see: abuse.net doesn't provide anything other than contact databases and links to reporting forms. Spamcop provides the spamcop bl that no admin in their right mind uses. I can see how you could make a comparison between those two and SPEWS, which is not only more encompassing, but more broadly used and more likely to piss off people. Sure. And I must have missed any posts where Julian says he doesn't care for SPEWS, but if you'd like to point it/them out, that would be interesting reading, I'm sure.

And such a vitriolic post arising from something very simple: you can't get rid of SPEWS unless you'd like to spend the thousands and thousands of dollars to track down the responsible parties. I don't believe tracking SPEWS down to be an impossible task. I'm surprised that you do. Where's your venom for Steve at Spamhaus.org - or, do you not have any, because you personally have never been affected by the listings there? What about Morely's refuse list, which he publishes in public for everyone to see? Going after SPEWS because they publish a list is foolish, just as it would be foolish to go after someone who publishes a list of movies that no one should ever watch when you find you can't rent one of those movies at your local video store.

You don't seem to understand that SPEWS != something blocking you from anything. No one is under any obligation to carry your mail on their systems, just as you are under no obligation to carry anyone else's mail on systems you manage. If you want to change things, then you are going to have to convince the admins who use the SPEWS listings that their actions are causing more harm than good. I believe you'd have a hard time doing that, but more power to you.

edit :rolleyes:

I guess it does save time to completely bypass discussing the issue in favor of jumping to personal attacks, doesn't it? Your comment certainly illuminates one thing, but I doubt it's what you had in mind.

http://www.dotcomeon.com/tel_pacific.html

http://australianit.news.com.au/articles/0,7204,4309672%5e15306%5e%5enbv%5e,00.html

http://www.clickz.com/feedback/reader/print.php/1367091

A search on anti-spam website SPEWS.org reveals that at least 50 Australian organisations - including the National Maritime Museum and the Consulate General of Israel - are named on anti-spam black lists.

Wow, the National Maritime Museum and the Consulate General of Israel are spammers?? Who knew! Perhaps it is another screwup by Spews! Seems they block anyone on a whim. There's more I found in the articles above, but it's 3AM and I am hitting the sack. Perhaps others will read them closely and comment.

There are plenty more. Basically what spews does is instead of blocking just the spammer's IP, the block the whole block of IP's. So if a spammer's one IP is xxx.xxx.xxx.100 you better hope your own ip is not between xxx.xxx.xxx.0 and xxx.xxx.xxx.256 or your screwed. Just to block one spammer, they just blocked over 200 innocent people. Not to mention, one of those newstories explains how Telestra was entirely blocked by Spews because of a disagreement.

As I said, I have never had a problem with Spews, but I know what I see going on. Spews has become as bad, if not worse, than the spammers themselves. In the real world, you would have serious problems with the law if you obstructed business. Currently there is no serious regulations on Spammers or Anti-Spammers. What I see is a big war heating up between the two, and the rest of us are caught in the middle to suffer eventually.

I do disagree that "spammers" should be taking action against anti-spammers. But this is hurting business of nonspammers. For example, our relays are closed. However, if someone signed up and then spammed out, we may be listed on Spews before we even know about the spammer.

As for your comment on Formmail....read up. Once again, you are talking about something you know little about..

Part of a recent email to our clients about us banning formmail::
###################################################################
In case you are unaware of the risk FormMail poses to you, it is suffice to say that if a spammer finds it under your domain and spams through it, it looks like "you" are doing it, and can get your account shut down...and that is at any host. It is "very" insecure.

Summary
The CGI program Formmail.pl lacks adequate security checks and allows spammers to send anonymous e-mail using vulnerable host as mail relays.
This vulnerability has already been exploit by spammers in many installations of Formmail.pl.


Details
Matt Wright's formmail.pl program does a "security check" on the HTTP_REFERER server variable. The security check is usually used to verify that information submitted from a form came from a proper or designated domain. This is usually done to prevent someone from creating a local, malicious form to submit to a script. This can be easily bypassed by passing a raw HTTP request, and faking the HTTP Referrer. This script also allows you to set the recipient's email address in the form. These two factors allow a malicious user to use the formmail.pl program two distribute their email (SPAM).

Exploit:
A URL such as the following:
http://www.example.com/cgi-bin/FormMail.pl? recipient=email@address-to-spam.com&message= Proof%20that%20FormMail.pl%20can%20be%20used%20to%20send%20anonymous%20spam.

Will send an anonymous e-mail if the installed FormMail.pl is vulnerable.

Workaround:
1. Remove your formmail.pl script until the author provides a fix.
or:
2. Hard code the recipient's email address in the formmail.pl program. Do not rely on the address submitted by the user.
###################################################################


I did neglect to mention that since we do both named and static IP hosting, it could cause whatever IP blocks (the entire thing) to be listed on anti-spam lists.

Luckily I do rotate our IP blocks about every 6 months...which has done well in keeping us out of Spews most likely when we had the bout with spammers using our client's accounts to spam thru.

<removed>

Before you presume to lecture someone about doing their homework, perhaps you should do some of your own - or at least make a cursory attempt.

What a cheek and I'm sure the people who have been really affected by Spews and their ridiculous attitude resent your own lecture. Eloquently written, obviously educated but you started taken the snipes. What has been illuminated here is some chip on your shoulder.

If you want to change things, then you are going to have to convince the admins who use the SPEWS listings that their actions are causing more harm than good. I believe you'd have a hard time doing that, but more power to you.

That would be not addressing the root of the problem. Spews is one, the users are many. I mean, c'mon.....
:rolleyes:

I don't know the inside workings as you appear to do. But I know why and how Spews will ban and the attitude with which they do it. Why are you defending them and how could you? I just managed to get an IP removed from Outblaze. It took one email request. Spews just laugh in your face and call you names.

Laurence, if you would like to address any of the points made with anything approaching civility or something to back up what you claim, please feel free. That's not addressing the issue, but come on. Surely you can do something - anything - other than personally attack me just because you don't agree with what I'm saying on this.

Why post in this topic, you ask? Because someone asked what could be done about SPEWS, and I offered my opinion. I believe my initial post was quite clear in its scope. I am not defending SPEWS. They don't need my help, and I have disagreed with some things in their listings from time to time as overly broad - as I mentioned, and as you seem to have skipped right over. I am saying that instead of whining about SPEWS and how bad it is, how about someone stepping up and talking (in a courteous, rational way) to the people who actually use the listings and try to give them some sort of evidence that their use of the list does more damage than it helps? It is, admittedly, not an easy task for someone who wants to do that, but I've always been a fan of people actually doing something about the things they complain about instead of just ranting about it to anyone who will listen.

I am saying that instead of whining about SPEWS and how bad it is, how about someone stepping up and talking (in a courteous, rational way) to the people who actually use the listings and try to give them some sort of evidence that their use of the list does more damage than it helps?

I know where Spews is(which is Australia by the way, not Russia). I dont know where all these others are.

Originally posted by Webdude
[snip links]

Wow, the National Maritime Museum and the Consulate General of Israel are spammers?? Who knew! Perhaps it is another screwup by Spews! Seems they block anyone on a whim. There's more I found in the articles above, but it's 3AM and I am hitting the sack. Perhaps others will read them closely and comment.

Sorry, had to break this into two replies, as otherwise it would be like reading Greer. :)

Now, you know as well as I do that those people are not spammers. You also know as well as I do that SPEWS does have erroneous listings (if you follow the groups, you'll remember one huge slip of the keyboard that wound up listing several million addresses instead of (I believe) a single /24). Basing conclusions just on newspaper articles (in one case, where the reporter doesn't seem to have a grasp on much anyway) is not enough. And again, you're missing something, just as Telstra is: SPEWS does not block anyone. Individual admins do this.

[Snipped basic lesson on SPEWS listing of blocks - yes, I know these things, thanks.]

As I said, I have never had a problem with Spews, but I know what I see going on. Spews has become as bad, if not worse, than the spammers themselves. In the real world, you would have serious problems with the law if you obstructed business.

And here, you have eloquently outlined the problem I see with people who constantly point to SPEWS as the big bad wolf. SPEWS is not obstructing anyone's business. Can you prove that they are?

Example: Say you are trafficmagnet, distasteful as that might be. I, as an admin, reject mail from trafficmagnet, those persistent spammers. Say further I create a list: here are the spammers I know and reject. Nexdog uses that list to filter for his sites/servers (since he says he filters trafficmagnet, and who can blame him?). You, as trafficmagnet, suddenly find yourself unable to send your "I saw your site" mails to Nexdog, because he's used my list and your mail to him is bouncing. If he wanted to whitelist trafficmagnet on that list, he could do that. He chose not to, so your thumbnails of his site never reach their destination. It is not my fault that your mail is bouncing. Nexdog has used tools at his disposal to manage his systems as he sees fit. I am not obstructing your business, and Nexdog has no obligation to take your mail.


I do disagree that "spammers" should be taking action against anti-spammers. But this is hurting business of nonspammers. For example, our relays are closed. However, if someone signed up and then spammed out, we may be listed on Spews before we even know about the spammer.

I agree with your first part, but not the second. SPEWS is not a listing of open relays, and this is indicated directly in their FAQ. It appears to take quite some time to land in SPEWS for regular old folks like you and me unless we manage to get some IP block previously assigned to some spammer. That is also easy enough to fix unless the ultimate upstream has a wide mask listing. It's akin to earthlink bouncing mail from one of our servers because the IP range was previously assigned as a dialup range and was listed in their DULs - a polite note to them with the circumstance and current standing, and the problem is resolved.

As for your comment on Formmail....read up. Once again, you are talking about something you know little about..

Really? Can you show me a SPEWS listing based solely on formmail scripts? I'd like to see it.

[Snip email to clients, as it has nothing to do with SPEWS]

I did neglect to mention that since we do both named and static IP hosting, it could cause whatever IP blocks (the entire thing) to be listed on anti-spam lists.

So do we. Ignoring spammers is not my forte, however.

Luckily I do rotate our IP blocks about every 6 months...which has done well in keeping us out of Spews most likely when we had the bout with spammers using our client's accounts to spam thru.

We've had spammers directly on the network. We've had spammers abuse client formmail scripts until we banned Matt's, while we tracked down the scripts and the users who had them. We've never had any problems with SPEWS because of either situation.

With that, I bid you adieu for the time being (although I'd love to continue this discussion with at least you) as I have to work my you know what off this weekend since I have a jury duty summons for bright and early Monday. Civic duty calls...

Your mail server received the spam and relayed it to the recipient mail server. That's a Bad Thing(tm)

If you had secured your server then you wouldn't have any problems with Spamcop, or any other blacklists.

Dixiesys, you had stated, "Ok here's the full message so maybe you can tell me what I'm missing" so allow me to step up to the plate. :)

First: as mentioned by sinistre, it's always a good thing to "verify" that a Server will not Relay.

Second: when the Spam was reported there are sometimes, boxes left "unchecked" with a message stating, "Do not check unless you know it came from them" or something close to those words. Have you ever used SpamCop yourself? Do you know for sure the person who reported the Spam did not incorrectly check the wrong box themselves?

I know I've seen my own Email address or that of my NOC and the box was not checked. Had I checked it, a notice would have been sent, but that does not mean the Email address or IP would have been blacklisted.

Your "report" to SpamCop shows you did not "take a minute to relax and reflect" on the situation and instead, sent them a knee-jerk, street-style, type notice. Understandable as we all do that sometimes, but hopefully you'll communicate again with SpamCop, in a more business-like manner. In your efforts to straighten this out, make sure you have "all" the facts first.


Third: did you run the Headers through SpamCop yourself? I did, with the ones you first provided, and this is what it showed as origins:
Please make sure this email IS spam:
From: Sarah Williams <bounce@trafficmagnet.com> (www.x.net)
--1132609206.1028199741671.JavaMail.SYSTEM.emaserver
Content-Type: text/plain; charset=utf-8
View full message

Report Spam to:

Re:211.101.236.180 (Administrator of network where email originates)
To: csd@capitalnet.com.cn (Notes)
To: postmaster@capitalnet.com.cn (Notes)
To: abuse@capitalnet.com.cn (Notes)
To: dandan.zhao@capitalnet.com.cn (Notes)

Re:http://emaserver.trafficmagnet.net/trafficmagne... (Administrator of network hosting website referenced in spam)
To: postmaster@chinacomm.com.cn (Notes)
All boxes for the above were checked and I do not see where your Email address or IP is listed?

Having used SpamCop (and recommending the service) for years, I know to look for the "first" Received line, as that is the originating Server. In this case:
Received: from emaserver ([211.157.101.50]) by localhost.localdomain - this is not you.


We cannot stop organizations like SpamCop nor would we want to. They are making great strides in cutting down on Spam. Also note, other sites and programs do the same thing in different areas. Search Engines for example, have been known to ban/block an IP address and heaven help those if it is a Shared IP.

Hundreds of sites could be sharing that IP address, but if only one spammed the Search Engine and it blacklisted the IP, all the rest are SOL. Fair? Of course not, but that's life.

Then there are the "Nanny" programs which seem to block sites willy-nilly. We don't even know about how many sites are blocked from those type programs. But, since what we don't know won't hurt us, most of don't care. Unless we hear back from someone using the program there is no justification in the time & effort to sort them out.

Oh well.

Originally posted by NexDog


All IPs listed in these lists are legit hosts.

That's the funniest thing I've read yet today.


-Bob

Originally posted by NodeHost
Example of SPEWS Support:

Message to them:

Message to who, SPEWS? I don't think so. Spews does not contact anyone, does not have a contact address, nor do they respond to anyone either directly or indirectly - except through their listings.

BTW, I saw in another post you were complaining about being "unfairly blocked" by SPEWS - I assume it's in reference to this:

http://spews.org/html/S1573.html

It looks like spam from "lotsofnakedchicks.com", who you are still hosting, is what landed you there.

I'd be interested to hear your side of this.

-Bob

Originally posted by Annette
I guess it does save time to completely bypass discussing the issue in favor of jumping to personal attacks, doesn't it?

The problem, Annette, is that your post was well-reasoned and dead accurate. Posts like that tend to piss people with no rational counter-argument off to no end.

-Bob

Originally posted by TMX


The problem, Annette, is that your post was well-reasoned and dead accurate. Posts like that tend to piss people with no rational counter-argument off to no end.

-Bob

TMX, exactly. People hate to proven that they are wrong.

This thread only shows the ignorance of admins who are jumping on the "bandwagon" to be a webhost. First all they see is that its a "great" thing, cause they see it as a money making adventure. They forget to do their research and about what really goes on to webhosting, and the internet (you know a bunch of PRIVATELY owned systems that allow traffic from each other to enter and leave), and that all they are is 1 person in a sea of millions.


Webdude is the exact personification of a webhost who does not understand the nature of Blocklists or why they are implemented, and I just love how this "webhost" provider suggest to combat a perfectly LEGAL blocklists with behaviour which are ACTUALLY illegal.

DOS/DDOS attacks are illegal and yet he and bunch of poster in this thread alone speak of doing that.

Forging headers is illegal in many states (20 to be exact) who have implemented new Anti-spam laws. Utah just implemented theirs.

So now, do we trust hosts who resort to childish antics because mommy took away their lollipop?

What they also failed to research is that the IP spaces that SPEWS is on have been BLOCKED by SPEWS already. And taken off because the ISP they are with was able to deal with their spamming problem. What they also faild to research is the fact that that SPEWS has no MAILSERVER. So they can put their ip block on their own blocklist all they want, it doesn't hurt them because they ARE not sending out email. So how does a blocklist used to block mailservers hurt SPEWS? How can "forging" email messages to look like they came from SPEWS hurt SPEWS? Anyone who knows how SPEWS works would know that its impossible for mail to come from SPEWS. They have no way of sending mail, using their domain name; Clue stick for ya, without a mailserver, how would they be able to send mail let alone have people forge them as being sender of email?


Also failed to be realized by everyone is that SPEWS blocks NO ONE.

See that:

SPEWS BLOCKS NO ONE.

Let me type that again:

SPEWS BLOCKS NO ONE!

Okay one more time:

SPEWS BLOCKS NO ONE!

Okay repeat this line over and over again until you realize that:

SPEWS BLOCKS NO ONE.


Now, once you understand this simple and basic of all concepts concerning SPEWS, you now havta understand that:

ISP's who uses SPEWS lists, do, knowing full well what SPEWS is and what they do. SPEWS is just a list of ip's that ISP's/sysadmins can refer to so they can block traffic from known spam sources. They can if they want to, USE THE LIST As a huge whitelist instead (for those who dont know what a whitelist is, that means they'll accept ALL mail from those listed at SPEWS). SPEWS never makes any demands on how to use their list. Nor are they being paid to keep such list.

Webdude, and to show more on your ignorance, SPEWS is not located in Austrailia.

For those "arguing" against SPEWS, you might wanna first read their FAQ before mouthing off.

At least you can get off of SPEWS listing, by taking care of spammers in your domain or hosting or pressuring your WEBHOST to take care of its spamming vermin, or you jump ship to another ISP/webhost.

Privately listed blocklists are more detrimental to you than SPEWS will ever be. Many private block lists are maintained by people who, with only one receipt of spam, will block you till the end of time, and there is no way you can "reason" with these list owners to take you off.

Originally posted by Annette
You can't get rid of things like SPEWS. They are breaking no laws. Whether some ISP or network admin decides to use their listings is entirely up to that ISP or admin. SPEWS simply collects items from the .sightings newsgroup and lists them. It is rumored, but not confirmed, that nominations to SPEWS are accepted via the other email abuse newsgroup - I doubt this, personally. There is nothing illegal or even unethical about those actions. What people decide to do with the information presented in the lists is their choice. If it impacts you, then you should determine why that is: are you not taking care of spam complaints in a timely fashion, and thus landing yourself on the unreformed list? Are you buying connectivity from a company that is known not to deal with their spammers (Verio comes immediately to mind)? Are you being combatative when admins inform you of spammers or file abuse reports (this happens more than you would believe)? These "you"s are, of course, generic, and not directed at anyone in particular. It is simple enough to be removed from SPEWS if the problem has been addressed, and we have helped other people get off the listing by helping them root out spammers or by helping them find a different provider than the one they were using, who would not stop their customers from spamming. If you have major problems with some entity that uses the listings from SPEWS, then you should take those problems up directly with those people - after all, they are the ones blocking you, not SPEWS.

I would imagine that trying any attacks against SPEWS would have some results that would be severely counterproductive to your life online.

Quite correct. SPEWS is only but a list, and is protected under the First Amendment as the clause of free speech. SPEWS only made their list public for ISP's to determine if they do not want spammers on their network. Many people who are indeed listed are either 1) innocent victims (under collateral damage) 2) spammers or 3) spam supporters.

I was collateral damage when I was listed by SPEWS for marketingbonzana.com and I requested delisting (after I _confirmed_ that the said spamvertisments that was on the IP address (I was right next to it) was disconnected), and I've already spoken with Atjeu and they are enforcing their spam policy. SPEWS has done its job in this case.

Now, the mailserver that I run is already SPEWS-protected because *i* chose to. They have been extremely useful to kicking the spammers off my networks. My networks, my rules. Do you understand? The Internet is not public, but rather an agreement between many private networks to connect to each other. One of the main goals is to prevent abuse, which the anti-spam community is *exactly* trying to do. I applaud to these efforts.

If you don't like being blocked, then get out of the business and go cook hamburgers at McDonald's. You will find it easier and get much more customers this way.

All of what I have said is an opinion, and it does not reflect to anyone.

Thank you,
Hawkeye-X

Post removed as a favor asked of me by a good friend.

Originally posted by Webdude


Spews may not technically be doing anything illegal. However, they are doing enough wrong to have lawsuits against them if they were available to file suit against. I myself have gotten blocks of IP's that were "already" blocked by spews. Contacting them yielded no results, not even an email back. I had to exchange those blocks.


SPEWS does not have any MX. It won't accept any e-mails. Only way to get SPEWS' attention is by posting news.admin.net-abuse.email. My advice is to review SPEWS request and the results, and *CORRECTLY* find the approach that would have satisfied SPEWS' requirements. Many people have made such requests, and have been delisted within 24 hours. Myself included.


However, technically, bombarding their servers as stated above is actually a decent option. If you cant get to them legally, you can get to them other ways. As stated, they would have to make themselves available to lawsuits in order to come out and cry about what's
happening to them.


Apparently, noone told you that SPEWS is mirrored heavily, and bombarding one only pisses the owner off. Joe Jared has implemented the mirroring strategy over a few months ago when SPEWS website (not SPEWS directly) was shut down for the first 2 hours. Immediately, mirrors for SPEWS have sprung up. Google for that event. Distributed Denial of Service Attack is a federal crime in the United States, so I do not recommend it.


The hosts here at WHT arent the only ones pissed at spews. Almost every host on the web is very well aware of spews and wants them gone. Back when spammers started hammering unsuspecting clients on hosts when they were using formmail, spews listed a whole messload of hosts, along with their clients. Even after hosts banned formmail, they are still blacklisted....all because of a poorly written script. If spews is doing so much good and nothing wrong, why are they forced to hide out in Russia to avoid the legal action from thousands of upstanding hosts (from small hosts to major ones) that strictly enforce anti-spam rules themselves? Apparently they are doing something wrong if even the good guys dont like them.



Just make sure the spammers stays off your netblock, and stays out. That's what SPEWS' ultimate goal for each ISPs/backbone connection. SPEWS is not the only ultimate blocklist. Spamhaus Block List (SBL) is also a major blocklist and is part of relays.osirusoft.com group along with inputs.relays.osirusoft.com and SPEWS. I use it on my mailserver, and I've succeeded in getting spammers the hell away from my networks.


And what does that mean? If they are forcefully shut down by hundreds of hosts, it would have no effect on me. Spews is nothing but a renegade web cop who doesnt follow the rules of engagement. You try to avoid casualties. For example, you dont bomb a crowded room to get the one bad guy. For lack of a better term, that is exactly what spews does. They take out the bad guy regardless who else it hurts.


SPEWS maintains a list. Period. Nothing else. It's not even a web cop like Spamcop. Spamcop has its flaws, and I was a member for a long time, then decided to read my own headers and get out of it altogether. Worked beautifully. I can LART, and some ISPs do respond to my individual LARTs instead of prepended LARTs.


Before you argue the points here, you better go do some google searching on spews and find out just how bad it really is out there with these guys. I have never had a direct problem with Spews that I couldnt resolve. That guy sure thinks he's high and mighty for someone who's hiding from the world. Ask yourself why Spews is in hiding while Spamcop and Abuse.net are not.. Even those guys really dont care much for Spews. Nobody does, except aparrently, You.

Exactly! Google on the RIGHT approaches. Not the wrong approaches!

Hope you people can read through the bullsh1t about SPEWS and see how useful it is.

:cartman:
Hawkeye-X

Originally posted by Webdude
http://www.dotcomeon.com/tel_pacific.html

http://australianit.news.com.au/articles/0,7204,4309672%5e15306%5e%5enbv%5e,00.html

http://www.clickz.com/feedback/reader/print.php/1367091



Wow, the National Maritime Museum and the Consulate General of Israel are spammers?? Who knew! Perhaps it is another screwup by Spews! Seems they block anyone on a whim. There's more I found in the articles above, but it's 3AM and I am hitting the sack. Perhaps others will read them closely and comment.

There are plenty more. Basically what spews does is instead of blocking just the spammer's IP, the block the whole block of IP's. So if a spammer's one IP is xxx.xxx.xxx.100 you better hope your own ip is not between xxx.xxx.xxx.0 and xxx.xxx.xxx.256 or your screwed. Just to block one spammer, they just blocked over 200 innocent people. Not to mention, one of those newstories explains how Telestra was entirely blocked by Spews because of a disagreement.

As I said, I have never had a problem with Spews, but I know what I see going on. Spews has become as bad, if not worse, than the spammers themselves. In the real world, you would have serious problems with the law if you obstructed business. Currently there is no serious regulations on Spammers or Anti-Spammers. What I see is a big war heating up between the two, and the rest of us are caught in the middle to suffer eventually.

I do disagree that "spammers" should be taking action against anti-spammers. But this is hurting business of nonspammers. For example, our relays are closed. However, if someone signed up and then spammed out, we may be listed on Spews before we even know about the spammer.

As for your comment on Formmail....read up. Once again, you are talking about something you know little about..

Part of a recent email to our clients about us banning formmail::


I did neglect to mention that since we do both named and static IP hosting, it could cause whatever IP blocks (the entire thing) to be listed on anti-spam lists.

Luckily I do rotate our IP blocks about every 6 months...which has done well in keeping us out of Spews most likely when we had the bout with spammers using our client's accounts to spam thru.

You don't need to bother rotating your IP addresses. In fact, you don't need to be rotating it anyway. You're not listed anywhere whatsoever. If you keep the spammers out, then you're doing a good job.

Take a look for yourself:

http://openrbl.org/ip/216/187/101/25.htm

Is just one example.

Plus, Peer1, your upstream provider is strict in terms of enforcing their AUP. I know the administrator there, and he does enforce.

Hawkeye-X

Hawkeye-X,

Now you have made a post in the right sense. No attacking like the rest of us are doing, no getting pissed off....just pure polite info.

I will reconsider my opinion of spews. Due to the amount of spam I myself am now getting, I am almost ready to say "screw what I think, I will implement their lists anyway". Just because of your two last posts. See? I'm not beyond reason..LOL

I remember I used to win over pissed off clients to becoming extremely loyal by being polite to them regardless what they thru at me.....surprising to see myself on the other end of that deal, and how well it works.

Thankyou Hawk for your posts.

++++++++++Forging headers is illegal in many states (20 to be exact) who have implemented new Anti-spam laws. Utah just implemented theirs.+++++++++++

Spews is not in the states.


That's correct. But we're not talking about SPEWS in this case. We're talking about spammers forging their ****ing headers. That's illegal. ANd they know it.

<snip>

+++++++++++++Also failed to be realized by everyone is that SPEWS blocks NO ONE. +++++++++++

Ok, listen one more time since evidently you didnt pay attention the first time. SPEWS releases listed that other admins use. They have put some ISP's on their lists over mere disagreements that had nothing to do with spam. They put on those lists entire blocks of IP resulting in hundreds of innocent people finding themselves blocked, along with the one spammer.


What part of SPEWS blocks NOONE don't you understand? SPEWS merely publishes a list. And SPEWS does not list out of spite. That's actually against their charter (they're not doing what made MAPS fall apart or ORBS either)


++++++++Webdude, and to show more on your ignorance, SPEWS is not located in Austrailia. ++++++

<snip traceroute info>

spews.org resolves to multiple addresses: 216.65.63.103 203.52.209.22 (this one is from Telestra in AU)

Using 216.65.63.103

Do not contact either Los Nettos (ln.net) or Centergate Research Group (centergate.com) based on the results of this traceroute.

3 130.152.80.30 4.669 ms isi-1-lngw2-pos.ln.net [AS226] Los Nettos origin AS
4 198.32.146.21 11.525 ms mae-la.above.net [AS226] Los Nettos origin AS
5 208.185.156.10 11.275 ms pos3-3.mpr2.lax2.us.mfnx.net [AS6461] Primary AS for Abovenet
6 208.185.156.125 11.470 ms pos2-0.mpr1.sjc2.us.mfnx.net [AS6461] Primary AS for Abovenet
7 208.184.102.202 11.762 ms so-1-1-0.mpr4.sjc2.us.mfnx.net [AS6461] Primary AS for Abovenet
8 208.185.175.162 11.261 ms pos6-0.mpr2.pao1.us.mfnx.net [AS6461] Primary AS for Abovenet
9 64.124.50.164 13.801 ms giga-abovenet.hostcentric.com (DNS error) [AS6461] Primary AS for Abovenet
10 66.40.24.109 14.451 ms GE6-0.FMT-2.hostcentric.com (DNS error) [AS11388] Maxim Computer Systems Corporation
11 66.40.24.106 14.507 ms VLAN3.FMT6509-1.hostcentric.com (DNS error) [AS11388] Maxim Computer Systems Corporation
12 216.65.63.103 14.663 ms hosting.wewak.net [AS701/AS11388] Alternet / Maxim Computer Systems Corporation


And according to this, wewak.net is in Papua, New Gunea. Gee. It's not far from Australia, but not in Australia!

Registrant:
Bigpela Warra Intanet
PO Box 484
Wewak, East Sepik Prov. PNG 11
PG

Registrar: Dotster (http://www.dotster.com)
Domain Name: WEWAK.NET
Created on: 15-APR-02
Expires on: 16-APR-04
Last Updated on: 15-APR-02

Administrative Contact:
menaga, posopis posopismenaga@wewak.net
Wewaklonghasebelongimkomputa
PO Box 484
Wewak, Sepik 11
PG
6126262626
616262626

Technical Contact:
man, liap liapman@wewak.net
Wewaklonghasebelongimkomputa
PO Box 484
Wewak, Sepik 11
PG
6126262626
616262626

[quote]
++++++++++For those "arguing" against SPEWS, you might wanna first read their FAQ before mouthing off.

At least you can get off of SPEWS listing, by taking care of spammers in your domain or hosting or pressuring your WEBHOST to take care of its spamming vermin, or you jump ship to another ISP/webhost. +++++++++

Now see, that's the problem. That's a lie for the most part. One client of ours I found still on SPEWS.

1, 207.202.0.68, Mostafa Mansour / productsyes.net / webwebyes.com / onestarnow.com / www.xbizresources.com / www.xmxmxm.com / havanasee.com / www.wkwkwk.com / ebuyebuy.com / webwebyes.com (interkey.net spam house)
1, 207.202.0.91, Mostafa Mansour / productsyes.net / webwebyes.com (interkey.net spam house)
1, 216.65.112.205, Mostafa Mansour / http://216.65.112.205/cgi-bin/ (digitalinet.com spam house)
1, 216.187.101.28, Mostafa Mansour / productsyes.net / www.firsttobuy.net / WORLDZONE.ORG (dead?)
2, 216.187.101.0/24, Mostafa Mansour / productsyes.net (Virtual Applications Corp / Peer1)

As I recall correctly, your webhost is on Peer1 upstream, and the last one is probably yours, which has a Listing of 2, which means that noone is currently blocking your netblock at this time via SPEWS. *because* Peer1 did its job and broke its foot kicking Mansour out (he's among one of the WORST spammers around) see: http://www.spamhaus.org/rokso/search.lasso?evidencefile=1839

I remember trying to get this one removed. This client was one who had a formmail in his account and fell victim to a spammer....which then got him blacklisted by spews. Productsys. Not that I am concerned too much about that one, but since I tried everything a while back to get that removed and nothing happened....well..That's the only prob I have ever personally had with SPEWS.

Something *did* happen - your netspace is level 2. That shows SPEWS recognizes that the spammer is off.


+++++++++++Privately listed blocklists are more detrimental to you than SPEWS will ever be. Many private block lists are maintained by people who, with only one receipt of spam, will block you till the end of time, and there is no way you can "reason" with these list owners to take you off. ++++++++++++

As does spews. I am not saying SPEWS is bad, just they need to try a little harder to remove from the lists those who have secured themselves and were not spammers, and try to avoid the massive casualties they currently inflict. [/B]

And SPEWS does take people off the list *if* they show beyond all reasonable doubt that the spammer won't be coming back. Too many ISPs move their spammers around their netblocks just to avoid the listings, but little do they realize that it's futile because SPEWS can increase the blocklist if evidence shows otherwise.

Hawkeye-X

Originally posted by Webdude
Hawkeye-X,

Now you have made a post in the right sense. No attacking like the rest of us are doing, no getting pissed off....just pure polite info.

I will reconsider my opinion of spews. Due to the amount of spam I myself am now getting, I am almost ready to say "screw what I think, I will implement their lists anyway". Just because of your two last posts. See? I'm not beyond reason..LOL

I remember I used to win over pissed off clients to becoming extremely loyal by being polite to them regardless what they thru at me.....surprising to see myself on the other end of that deal, and how well it works.

Thankyou Hawk for your posts.

No problem. I've been a victim and advocate on both sides, so I know exactly how you feel. I used to work for a spammer (3 years ago) and I've learned that spammers gain nothing but problems. That's why I left the business and worked for someone else.

I've been a very strong advocate on getting people to realize that SPEWS helps, not hinder people. In fact, I'm encouraging everyone to review many SPEWS removal requests and see how it works, because after close to one year since SPEWS has existed, there has been successes and failures in delisting.

More and more people are now advocating SPEWS victims review *OTHER* blocklists such as Spamhaus Blocklist (SBL), inputs.relays.osiurusoft.com and making it clear that this is the ultimate solution. Sure, SPEWS is flawed at times (people do make mistakes, like leaving a huge block that affected almost everyone before it was quickly fixed six hours later), but more importantly, it does the job because there are more and more evidence that spam abuse is getting to a point where it's intolerable. Here's an example: New York vs. Monsterhut, which is a well-known spamhaus recently booted off PaeTec after Monsterhut sued PaeTec to keep their connectivity active (and spamming from there too). Now, evidence has uncovered that Monsterhut is still around, spamming from an Idyia.com netblock which most of us felt are a front for Monsterhut. They, too, were booted off from GT.ca (they are originally canadians in the first place). Spammers suing ISPs and backbone providers (such as Ronnie Scelson suing Qwest and Covista) increases blocklist for Ronnie Scelson. One wonders if he would be able to make his next payment on his yellow 'Vette. All in all, spammers lose a lot, and ISPs lose next to nothing by using SPEWS.

Hawkeye-X

Hey Webdude. Do a post at news.admin.net-abuse.email and say POLITELY that you have booted off Mansour at %date%, and have waited some time and made sure you didn't welcome any spammers in, and you are requesting a delisting of 216.187.101.28 which indicates that the website or NS or anything related to you and Mansour is officially dead and politely ask to be removed from the list. They will often respond.

But...

Be prepared to wear Nomex pants because of flames against Mansour, but hopefully no flames against you, except questions as to why you kept the spammer for so long (even if you didn't.. just answer them honestly)

They will quiet down pretty quickly.

Trust me.

Hawkeye-X

Hawk are you tyring to get my ass kicked? If I even mentioned Mansour in there I had best be wearing more than just nomex pants....I'd best be wearing titanium plated armour with force shield technology...LOL

Originally posted by Dixiesys
Got a Spamcop message last night, haven't had one in a few months guess I'm due.

So I read through it figuring to find out who's account I need to nuke. Imagine my surprise when the only place I see one of my servers mentioned in the email is as the RECEIVING server of the spam.


That's my server allright, RECEIVING the spam.

Yes folks, my server is now listed on Spamcop for RECEIVING spam.


I've been seeing more and more of this type of thing lately. Here is an analysis I posted on our Community Forums:
http://www.aota.net/forums/showthread.php?s=&threadid=11759

Just in case you were interested in the "why" of it, as near as I can determine.

I to am considering using it, it still pisses me off how easy it is to wrongly get listed, granted with Spamcop it ain't usually but a simple email later to get off if it truly was a mistake. With spews from what I can tell it takes more than one complaint at least supposedly it does. But yes the amount of spam is beginning to override my fear of good guys getting blocked :( and yes that disturbs me frankly.

I hate all these types of listing. Even spamcop has some host advertising. It's all a scam, and should be shutdown.

Originally posted by WiseOnline
I hate all these types of listing. Even spamcop has some host advertising. It's all a scam, and should be shutdown.


Shows alot you know (which is nothing).
Nothing is a scam. Spamcop is free.
Spews is free.

A scam is like this;

Spammer puts you on their 100000 maling lists.
In order for you to unsubscribe, you have to pay them $1 for every list you're on to get off them.

That's a scam.

Please actually go to these sites and read what they are all about before saying they are "scams". A scam is where they take money from you. Spews and Spamcop dont.

Didn't know they hired a defender on WHT :) - Thanks for the followup though.

Perhaps you should read the whole message before jumping to conclusions. Note the part that says:

http://spamcop.net/w3m?i=z9774(munge)22a46b61z
Spamvertised website: http://www.sujee.net

Nowhere does it say the report is because the email came from your server. Nowhere in the report does it say it is about an.rsta.org.

SpamCop does not list IP addresses for hosted sites, only spam origination.

My analysis of what happened:

You or someone who's address appears on the website sujee.net received this spam from Trafficmagnet. They reported it through SpamCop.

Because the url http://www.sujee.net was in the body of the spam, SpamCop picked it up and offered to send a report regarding it. The user didn't pay attention and just hit send, thereby reporting their own website.

My look at the database shows reports were sent to:

capitalnet.com.cn re spam origination from 211.101.236.180

chinacomm.com.cn re url trafficmagent.com

dixiesys.com re url sujee.net

SpamCop didn't make any mistakes on this one, only the user.

Richard
SpamCop Deputy

Ahh nice. Spamcop Deputy :)

By golly, the Deputy pretty much said what I did. Where do I pickup my badge. :D

This has to be the hardest to follow thread in WHT history.

Wow I feel honored an honest to god alleged representative of Spamcop replied to my post.

Cool :D

Originally posted by TMX


That's the funniest thing I've read yet today.


-Bob

most of them probably are atleast.

Yee-ha, no jury duty required for me tomorrow, so here I am.

Originally posted by Webdude
Ok, listen one more time since evidently you didnt pay attention the first time. SPEWS releases listed that other admins use. They have put some ISP's on their lists over mere disagreements that had nothing to do with spam. They put on those lists entire blocks of IP resulting in hundreds of innocent people finding themselves blocked, along with the one spammer.

Where are these listings that are personal instead of professional? The listings I tend to see that are personal are done by individual admins for their systems. Go look at Morely's list and you'll see some examples (admin is a putz, etc.). SPEWS creates a list, nothing more. Individual admins use it, with or without modifications to whitelist ranges, as they see fit.

[Snip trace. Do you know how heavily mirrored SPEWS is?]


Now see, that's the problem. That's a lie for the most part. One client of ours I found still on SPEWS.

1, 216.187.101.28, Mostafa Mansour / productsyes.net / www.firsttobuy.net / WORLDZONE.ORG (dead?)
2, 216.187.101.0/24, Mostafa Mansour / productsyes.net (Virtual Applications Corp / Peer1)

I remember trying to get this one removed. This client was one who had a formmail in his account and fell victim to a spammer....which then got him blacklisted by spews. Productsys. Not that I am concerned too much about that one, but since I tried everything a while back to get that removed and nothing happened....well..That's the only prob I have ever personally had with SPEWS.

There is no way that this was listed for something like a form to mail script. Mansour is a well known spammer (http://spamhaus.org/rokso/spammers.lasso?-database=spammers.db&-layout=list&-maxrecords=100&-response=roksolist.lasso&-noresultserror=rocksonorecords.html&-operator=eq&spammer=Mostafa%20Mansour%20&status=live&-clientusername=guest&-clientpassword=guest&-sortfield=priority&-sortorder=descending&-sortfield=subject&-search), and any one of his domains in a lookup in Google would show that he is persistent and unrepentent. We don't even set up accounts where the domain has been registered at Parava, ever. The fact that the notation is a level 2 indicates that SPEWS saw something happening.

Regarding the Spamcop stuff that started off this thread: Gary, your own user reported that. They checked every single box on the spamcop form, and so you got a notice. We've received them as well, when our users receive spam and tick off every box they can find. We had one guy reporting every piece of spam he received to us via spamcop, for two weeks, because of course the parsing picked up his domain and us as the contact. We finally got him to understand that unless he sees something compelling, he needs to leave the unchecked boxes unchecked. You might want to have a similar chat with your user, because it certainly isn't spamcop's fault that your user doesn't know how to use it. It's not any sort of automatic blacklisting anywhere just because one user reports one piece of spam improperly.

:uzi: SPAMMERS
ISPS :nuke: SPAMMERS
WE MUST :flamethr: SPAMMERS
:pimp: it up! :argue: away!
:uhh:

Sorry.. got carried away

Hawkeye-X

Uhmmm. Dixie? If your IP is listed in the receiving section, that means *your* user reported you to spamcop.

Have you considered bitch-slapping your stupid luser?

:D

Haha ok guess I need to discuss the finer points of spam reporting with them.

Still quite a lively discussion :D

Yes, yes, it is... to even further participate and have fun, join news.admin.net-abuse.email at your local newsserver..

Hawkeye-X

do you notify your clients that their mail is being filtered?

I think many hosts that use spews and other lists fail to inform their clients...personally if i was signing up for webhosting/email I would want to know about this.

infact i would be surprised to see hosts openly saying "we use spews" as maybe it would cost them some business?

I have been following this thread closely. Except for the insult, this has been very enlightening. It gave an inside look at the methods of anti-spam organizations and their users.

Gary, your clients should report you more often.:D Thanks for the good thread.

-Lamar

Originally posted by Webdude


For example, you dont bomb a crowded room to get the one bad guy. For lack of a better term, that is exactly what spews does. They take out the bad guy regardless who else it hurts.



Guess the Israel's haven't heard of that one yet. :)

Sorry..Off Topic..

Back on topic...

My opinion is that what you need to do is organize a campaign against the customers of SPEW and simular scum. I hate spam as much as the next, and wouldn't hesitate to nuke a client guilty of it, but it should be MY job to monitor that and decide to take action. I've see way too many legitimate publications get tagged as spam, many with double opt-in methods of subscribing, etc.

Spam, schmam. My keyboard has a delete key. I don't need all these self-annointed SPAM watchdogs.

from hostpathSpam, schmam. My keyboard has a delete key. I don't need all these self-annointed SPAM watchdogs. Maybe not, but something more than a keyboard delete key is needed. For the past three days, I have been receiving several "bounced" SPAM messages, all originally sent to only AOL members from faked addresses on one of my re-sold accounts. I sent in a support ticket to my hosting provider, which included traceroutes, whois info and full Email and message headers. Here is the response I received:

Hello,
You are using an antiquated version of formmail in the cgi-bin and a spammer is exploiting the script. You will need to upgrade to current version which will prevent this:

Any users who have versions of FormMail prior to v1.91, including the popular version 1.6, should upgrade immediately. v1.91 plugs several more spam-related security holes. The following fixes have also been implemented since v1.6: prevents unwanted access to environment
variables and problem of receiving e-mail while using the redirect
option. The script has two extra arrays (new in v1.7) you must define, but will not affect current forms or the way they appear after having been submitted.

http://www.scriptarchive.com/formmail.html
==================================
Now here's the crazy part. I designed my client's site, and the form in question didn't even point to the formmail script in the cgi-bin, which had been sitting there dormant for a few years. It pointed to the default "clone" formmail supplied by CPanel, which is located at "cgi-sys", within an area of the server over which I have no control.

I removed the formmail.cgi from the server, and removed the form as well, since it also wasn't being used at that location.

So... if there was a keyboard delete key that would eradicate, eliminate, disintegrate, decapitate, pulverize, dematerialize, melt, explode, fry, bake, boil and/or spank the spammer, I'd be a reseller for that keyboard company. :dunce:

They dont need your formmail.html to point to your formmail.pl. They can have a form.html on THEIR server which submits to the formmail.pl on YOUR server. All they have to know is that there is a formmail.pl in your account.

People ask how in the world a formmail script can get your IP banned.....his description above is exactly how. Thos spams sent through your account look like they were done by YOU from YOUR domain ip. Hence, YOU get listed as a spammer.

Originally posted by Webdude
People ask how in the world a formmail script can get your IP banned.....his description above is exactly how. Thos spams sent through your account look like they were done by YOU from YOUR domain ip. Hence, YOU get listed as a spammer.


Not necessarily as the spammer, but as someone who has an unsecure version of formmail on their server.

-Bob

No, not true Bob.

The Originating Server is designated as a "Spammer" and it doesn't matter how it was done. After all, how is anyone to know if a script was hijacked or not -- except for the SysAdmin looking after the Server of course -- or if the offending Spam was sent intentionally?

Just wanted to post to say I have changed some of my previous posts. On looking back at them I recommended some things I usually would not have. Due to other projects, I have been working on about 2 hours of sleep a night. Most of you have worked such hours and know you dont always think clearly enough to be involved in controverial threads and be able to post responsibly.

I'm not saying I agree with how SPEWS does everything, and their mistakes can cause huge problems. However, I am saying that I recommended some bad advice on how to deal with it. Sometimes you read back over something you wrote and realize it was nothing like you would ever have said under normal conditions. A friend of mine asked me to re-read my own posts and see what I thought. This is one of those rare times where I would have almost flamed myself :eek:. My apologies to anyone I may have offended in posting those previous posts.

I am also well rested now :D

Originally posted by Website Rob
No, not true Bob.

The Originating Server is designated as a "Spammer" and it doesn't matter how it was done. After all, how is anyone to know if a script was hijacked or not -- except for the SysAdmin looking after the Server of course -- or if the offending Spam was sent intentionally?

Formmail abuse is usually fairly easy to spot since they tend to start off "Here are the results of your feedback form..."

Bob is pretty well on target. Since we've been the unwilling recipients of insecure formmail runs, I can say with certainty that dealing with the spam complaints when they roll in (and they do roll in) and addressing the issue - whether by banning it, like we have, or just removing the script and telling the customer to find something else - means that you are not automatically tagged as a spammer. Not dealing with it, though, is a surefire way to land in hot water as someone who does not properly maintain their machines and practice good neighbor policies.

And hey, Webdude - we've all had those x hours without sleep kind of stretches. At least you had something to add to the conversation. :)

Ok, put me in the same "lack of sleep" class as I can see I should have clairified a bit better.

If I get Spam and copy the Headers to submit to, say SpamCop, it does not matter what method was used to send the Spam. Only the originating Server and any other Servers involved, is what SpamCop would be looking for.

I presume the same Header method is used with other "Spam" type organizations. SpamCop works for me so I don't get out much in checking others. ;)

Originally posted by Website Rob
No, not true Bob.

The Originating Server is designated as a "Spammer" and it doesn't matter how it was done. After all, how is anyone to know if a script was hijacked or not

It's a fairly trivial task to differentiate spam from a hijacked copy of FormMail from other types of spam, and the admins of the better-run lists do just that. All the clues one needs are right there in the headers.

<edit>

Looks like I should have read to the end of the thread first..

I'm afraid I'll have to claim ignorance as to how spamcop handles things, as I generally dissect headers myself and submit complaints manually. I know that many people trust automated systems such as spamcop, but I trust me. :)

</edit>

-Bob

I think there are actually two different issues we're talking about: reporting of spam through something like spamcop and how it notates report destinations and actually getting labeled a spammer and tossed into a blacklist. Yes, spamcop will pick up the originating server information and offer to file the report. This is a Good Thing (tm). If no one reports the spam to you, it's hard to find and kill a rogue formmailer. However, just the fact that spamcop does pick up the originating server as yours and you get reports - even a lot of them - does not equate to you being thrown in any RBLs except maybe bl.spamcop. That list, which even Julian cautions against using, appears just to use a simple metric on total number of reports. IPs go on and off that list constantly, since a lack of reports = automatic removal from the list. It is the responsiveness of the provider that determines a broader application of an RBL, not spamcop parsing (say) a dozen spams sent through an abused script.

Let's turn our differences against each other, to an anger against these two. Two people that Hosts, ISP's, Email Owners, and antispam agencies hate.

http://newpaper.asia1.com.sg/news/npwo116.html

Originally posted by Webdude
http://newpaper.asia1.com.sg/news/npwo116.html


Here's a better picture of Cowles:

http://www.toledocybercafe.com/ivtg/arrested.htm

-Bob