[Dshield] A new tactic for fighting spam?

Roger RShady at stny.rr.com
Thu Sep 12 13:24:03 GMT 2002

Jon R. Kibler wrote:

>John Draper wrote:
>>One thing I noticed (and sucessfully reported) is the Stock Pumpup scam.   New companies just recently gone IPO are victums...  it works
>>like this...   they (spammers) will send spam out to promote a new company's product (without knowledge of the company),   to increase
>>their sales (and eventually increase the value of their stock)..  before they do that,   they send out spams to millions of people "A Stock
>>deal you just can't refuse to pass up.....".  They buy stock in the new company (usually at the low initial offering price),  but knowing
>>the stock is going to increase.   Once it does,  they go on a mad selling spree (EVEN MORE SPAM),  and people fall for this shit.
>In case you are unaware, this type of spam should be reported to: enforcement at sec.gov
>with the subject: UCE Regarding Stocks/Investment
>And the SEC does respond. I have call backs on about 10% of my reports. Again, be sure you send full headers...
>Jon R. Kibler
>ASET, Inc.
>Charleston, SC  USA
>Dshield mailing list
>Dshield at dshield.org
>To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
Regarding SpamCop-the following was taken from Fred Langa's newsletter ( 
Http://www.langa.com/  ):

Relatedly, SpamCop has again "blacklisted" me as a spammer (see "The
Crude Hand Of SpamCop" in http://www.langa.com/newsletters/2002/2002-08-
22.htm#7 ), so a number of readers haven't been getting their issues
again. (Sigh.)

Amazingly, some of my supposed "spam" was nothing more nefarious than
administrative messages from the Lyris server that mails out this
newsletter: In one case, a reader sent a malformed request to the Lyris
server, which wouldn't figure out what the reader was trying to do---
subscribe, unsubscribe, whatever. The server then sent out a polite
admin message to help the reader accomplish whatever it was he or she
was attempting. But--- who knows why?--- the reader then notified
SpamCop that that innocent (and utterly noncommercial) message was spam.

It wasn't spam, of course; in fact  the reader's own error had triggered
the server's reply! But SpamCop blindly tallied it as spam, and used it
as part of the justification for blacklisting me; evil spammer that I

Around the same time, I heard from an ISP owner whose list-mailing
services also had been steamrollered by SpamCop;  I'll protect her
identity so the folks at SpamCop won't take revenge on her, but she said

     Hi Fred, We identified two (or perhaps three) lists on which
     the Klez virus [on a subscriber's PC] subscribed a spamcop
     spamtrap address. Spamcop refuses to confirm which list(s) the
     spamtraps are on or tell us the spamtrap address so we can
     remove them, leaving us with little choice other than to tell
     the list owners involved to re-confirm their entire lists.....
     I have already disabled their lists to prevent any future
     mailings until this is done. To put this into perspective,
     those two lists comprise 2.2 million subscribers and we are
     looking for about 2 or 3 spamtrap addresses....

     FWIW, I agree with block listing and use several block lists
     for my ISP customers here.... We don't use the spamcop block
     list because they play fast and loose with reports (as you
     have noted in your newsletter) and as a result have way too
     much collateral damage. Few ISPs actually use the spamcop list
     and many drop it as soon as they realize that it is very
     flawed. Spamcop does have a lot of individual users that pay
     for the service and these users have the option to whitelist
     mailers that are blocked by their own block list. (I have an
     account there so I can keep an eye on what they are doing).
     Sincerely, [Name withheld]

This shows why I've come to regard SpamCop as worse than useless:
Imagine treating utterly benign and reader-triggered administrative help
messages as spam; imagine having to make 2.2 million valid subscribers
jump through reconfirmation hoops because SpamCop thinks it found
problem emails at two or three mystery addresses... "collateral damage"

My own list is far smaller than the ones mentioned above, but the
effects of being on SpamCop's broad-brush blacklist are the same. So: If
you've missed issues recently due to SpamCop's cure-the-mosquito-bite-by-
chopping-off-the-leg approach to stopping spam, I apologize, but there's
not a thing I can do about it. I suggest you talk to your ISP or IT
department to let them know that the SpamCop blacklist is an unfinished
beta product; that it's deeply flawed; and that is wide open to both
accidental and deliberate misuse.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/list/attachments/20020912/a3882951/attachment.htm

More information about the list mailing list