From: spamblock@no.spam (Harry Mason)
Newsgroups: alt.ascii-art
Subject: Spam
Message-ID:
User-Agent: slrn/0.9.6.3 (Linux)
NNTP-Posting-Host: lover.ecs.soton.ac.uk
Date: 31 Jul 2001 10:33:45 GMT
X-Trace: 31 Jul 2001 10:33:45 GMT, lover.ecs.soton.ac.uk
Lines: 5
Path: chonsp.franklin.ch!pfaff.ethz.ch!news-zh.switch.ch!news-ge.switch.ch!isdnet!skynet.be!peer.news.eu-x.com!server2.netnews.ja.net!news-spool.soton.ac.uk!news.ecs.soton.ac.uk!spamblock
Xref: chonsp.franklin.ch alt.ascii-art:20391

What's this new pile of spam about then? Is it trying to sell something or
just annoy everyone?

-- 
Harry Mason ("hjm200.ecs@soton@ac@uk" =~ tr/@./.@/)

######

Newsgroups: alt.ascii-art
From: Faux_Pseudo@24.177.56.253 (Faux_Pseudo)
Subject: Re: Spam
References:
Reply-To: Faux_Pseudo@yahoo.com
Message-ID:
User-Agent: slrn/0.9.7.0 (Linux)
Lines: 145
Date: Tue, 31 Jul 2001 12:03:45 GMT
NNTP-Posting-Host: 24.177.56.253
X-Complaints-To: abuse@home.net
X-Trace: news1.rdc1.sdca.home.com 996581025 24.177.56.253 (Tue, 31 Jul 2001 05:03:45 PDT)
NNTP-Posting-Date: Tue, 31 Jul 2001 05:03:45 PDT
Organization: Excite@Home - The Leader in Broadband http://home.com/faster
Path: chonsp.franklin.ch!pfaff.ethz.ch!news-zh.switch.ch!news-ge.switch.ch!enews.sgi.com!newshub2.rdc1.sfba.home.com!news.home.com!news1.rdc1.sdca.home.com.POSTED!not-for-mail
Xref: chonsp.franklin.ch alt.ascii-art:20396

--(Once upon a time, in alt.ascii-art,)--
--(Harry Mason said it like only they can.)--
>
> What's this new pile of spam about then? Is it trying to sell something or
> just annoy everyone?
> --
> Harry Mason ("hjm200.ecs@soton@ac@uk" =~ tr/@./.@/)

some free spam filters for you
You will probably have to upgrade to 0.9.7.x from your current 0.9.6.x
because I don't remember if your version does hard scoring with "=" as
is shown below.
Upgrade anyway because there are just some really nice improvements from
6 to 7

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
[*]
Score:: =-9999
Subject: \cre: \C[a-z]

Score: =-9999
~Subject: \c[a-z]
~Subject: FAQ

Score: =-9999
Subject: ^Re: \c[^a-z]*$
Subject: ^Re: \c.*[A-Z]
~Subject: FAQ

Score: =-9999
Newsgroups: ,
Subject: /[0-9])
~Lines: 30
% obviously if it's that small and crossposted
% then it's not a multi-part post worth having

Score:: =-9999
Subject: S.?U.?B.?L.?I.?M.?I.?N.?A.?L
Subject: p.?r.?e.?.?.?.?.?t.?e.?e.?n
Subject: P.?H.?E.?R.?O.?M.?O.?N.?E.?S
Subject: S.?E.?X.?A.?P.?P.?E.?A.?L
Subject: A.?P.?H.?R.?O.?D.?I.?S.?I.?A.?C
Subject: Q.?U.?I.?T S.?M.?O.?K.?I.?N.?G
Subject: A.?T.?T.?R.?A.?C.?T
Subject: \<\cD.?E.?B.?T\C\>
Subject: F.?R.?E.?E.?M.?O.?B.?I.?L.?E
% kill any post that wants to use some variation
% of those words
Subject: \!\!\!
Subject: free.+sex
Subject: guaranteed
Subject: out of the office
Subject: Penis
Subject: pics xxx
Subject: please read
Subject: test.?+ignore
Subject: out of the office
Subject: WAREZ
Subject: xxx pics
Subject: \cDVD
Subject: rough
Subject: divx
Subject: www\.
Subject: XXX
Subject: Earn \$
Subject: Earn cash
Subject: make \$
Subject: make cash
Subject: fast \$
Subject: fast cash
Subject: money fast
Subject: money \$
Subject: http://
Subject: \
Subject: ^Re: FREE\>
Subject: \$\$
Subject: ^!+ +
Subject: you

[alt.binaries.*, *sex*]
Score: =-9999
~Lines: 100

Score:: =-9999
% taking suggestions here for new key words
Subject: ^GAY
Subject: Boys
Subject: \
Subject: pissing
Subject: ^stud
Subject: XXX
Subject: http://
Subject: ^!+ +
Subject: drunk
Subject: repost
Subject: \cRP\C
Subject: Marilyn Chambers
Subject: Britney Spears
Subject: Mariah Carey
Subject: Pamela Anderson
Subject: Jennifer Lopez
Subject: horney
Subject: ORGASM
Subject: Thousands
Subject: Pussy
Subject: free
Subject: Banned
Subject: ^Hot
Subject: ^See
% Subject: Amateur
Subject: virgin
Subject: \cSEX
Subject: deep
Subject: Posting what I Got from here recently
Subject: white.*black
% posts gay porn
From: xposed
From: @not\.for\.news
From: ColumbiaStud
From: Strip-Pics
From: Nakked Master
From: no\.email\.address\.entered
From: respondby
From: sex
From: stud
From: www\.
From: sweet girls
From: @pussy
% an animal poster
From: pictureposter
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

-- 
--(tty1@faux.local|04:45|/home/faux)-- cat .sig
GUI's are for slackers. Get ibpconf.sh 6.1 on freshmeat.net
It's a damn poor mind that can only think of one way to spell a word.
- Andrew Jackson

######

From: spamblock@no.spam (Harry Mason)
Newsgroups: alt.ascii-art
Subject: Re: Spam
References:
Message-ID:
User-Agent: slrn/0.9.6.3 (Linux)
NNTP-Posting-Host: lover.ecs.soton.ac.uk
Date: 31 Jul 2001 18:18:02 GMT
X-Trace: 31 Jul 2001 18:18:02 GMT, lover.ecs.soton.ac.uk
Lines: 24
Path: chonsp.franklin.ch!pfaff.ethz.ch!news-zh.switch.ch!news-ge.switch.ch!newsfeed00.sul.t-online.de!t-online.de!skynet.be!peer.news.eu-x.com!server2.netnews.ja.net!news-spool.soton.ac.uk!news.ecs.soton.ac.uk!spamblock
Xref: chonsp.franklin.ch alt.ascii-art:20389

On Tue, 31 Jul 2001 12:03:45 GMT, Faux_Pseudo wrote:
> --(Once upon a time, in alt.ascii-art,)--
> --(Harry Mason said it like only they can.)--
> > What's this new pile of spam about then? Is it trying to sell something or
> > just annoy everyone?
> some free spam filters for you

I'm already behind a filter for /normal/ spam, but the latest batch is
really weird:

| Hey, Roger never trains until Zephram outwits the tall laptop bimonthly.
| It's very robust today, I'll vend eventually or Chester will take the
| advertisements.
| To be bizarre or overloaded will engulf cold advertisements to finally open.
|
| cheers, L. Jacobs

Is this a carefully coded message, an experimental AI program, just
meaningless bunkum, or what? I'm totally baffled.
-- 
Harry Mason ("hjm200.ecs@soton@ac@uk" =~ tr/@./.@/)

######

Path: chonsp.franklin.ch!not-for-mail
From: Neil Franklin
Newsgroups: alt.ascii-art
Subject: Re: Spam
Date: 31 Jul 2001 20:38:10 +0200
Organization: My own Private Self
Lines: 54
Message-ID: <6usnfd9c6l.fsf@chonsp.franklin.ch>
References:
NNTP-Posting-Host: chonsp.franklin.ch
X-Trace: chonsp.franklin.ch 996604692 301 10.0.3.2 (31 Jul 2001 18:38:12 GMT)
X-Complaints-To: news@chonsp.franklin.ch
NNTP-Posting-Date: 31 Jul 2001 18:38:12 GMT
X-Newsreader: Gnus v5.7/Emacs 20.4
Xref: chonsp.franklin.ch alt.ascii-art:20400

spamblock@no.spam (Harry Mason) writes:

> On Tue, 31 Jul 2001 12:03:45 GMT, Faux_Pseudo wrote:
> > --(Once upon a time, in alt.ascii-art,)--
> > --(Harry Mason said it like only they can.)--
> > > What's this new pile of spam about then? Is it trying to sell something or
> > > just annoy everyone?
> > some free spam filters for you
>
> I'm already behind a filter for /normal/ spam, but the latest batch is
> really weird:
>
> | Hey, Roger never trains until Zephram outwits the tall laptop bimonthly.
> | It's very robust today, I'll vend eventually or Chester will take the
> | advertisements.
> | To be bizarre or overloaded will engulf cold advertisements to finally open.
> |
> | cheers, L. Jacobs
>
> Is this a carefully coded message, an experimental AI program, just
> meaningless bunkum, or what?

It looks to me like a revenge attempt by a spammer.

Looking at:

- the multiple (obviously faked) From: lines, which all look
  like actual users accounts

- The Followup to a newsgroup that discusses fighting email spammers

I suspect this is a spammer who got shafted by some folks in that
group and is trying to get revenge by:

- burrying the group in complaint replys

- getting some of his opponents' accounts killed for "spamming"

To get your back at this guy do this:

- analyse his NNTP-Posting-Host: lines for the sending provider
- report the spams with explanation of the situation to the providers
- ask them to kill his net access AND CHARGE HIM CLEAN UP COSTS

Clean up costs from enough providers will harm him financially so that
he will in the end stop.

Happy spammer trashing.

-- 
Neil Franklin, neil@franklin.ch.remove http://neil.franklin.ch/
Hacker, Unix Guru, El Eng HTL/BSc, Sysadmin, Archer, Roleplayer
- Intellectual Property is Intellectual Robbery

######

From: Bean
Newsgroups: alt.ascii-art
Subject: Re: Spam
Date: Wed, 1 Aug 2001 20:47:03 +0100
Message-ID:
References: <6usnfd9c6l.fsf@chonsp.franklin.ch>
Organization: OWG
X-Newsreader: MicroPlanet Gravity v2.30
Lines: 74
X-Original-NNTP-Posting-Host: 62.60.43.202
NNTP-Posting-Host: 10.250.101.2
X-Trace: 1 Aug 2001 20:47:18 GMT, 10.250.101.2
X-Report: Report abuse to nntpabuse@vip.uk.com
Path: chonsp.franklin.ch!pfaff.ethz.ch!news-zh.switch.ch!news-ge.switch.ch!newsfeed00.sul.t-online.de!t-online.de!news-lei1.dfn.de!news-fra1.dfn.de!news0.de.colt.net!colt.net!newsfeed.icl.net!iclnet!news1.vip.uk.com
Xref: chonsp.franklin.ch alt.ascii-art:20420

In article <6usnfd9c6l.fsf@chonsp.franklin.ch>, neil@franklin.ch.remove
gaily trilled...
> spamblock@no.spam (Harry Mason) writes:
>
> Looking at:
>
> - the multiple (obviously faked) From: lines, which all look
>   like actual users accounts

All of the ones that my newsfeed picked up are yahoo.com addresses. Is
this something that all these messages have in common?

> - The Followup to a newsgroup that discusses fighting email spammers
>

On about half of them. The others do not have a followup header,
although all seem to either be crossposted to nanae or have followup to
there.

> I suspect this is a spammer who got shafted by some folks in that
> group and is trying to get revenge by:
>
> - burrying the group in complaint replys

Simon was looking over my shoulder when I read this, and laughed at this
line. I don't know why.

> - getting some of his opponents' accounts killed for "spamming"
>

One possible motive.

I would also add:
- He is a troll. He merely wants to annoy everyone so much that it's not
  worth the trouble sifting through his garbage posts, and they leave.
  Trolls love to drive people out of interesting groups.

>
> To get your back at this guy do this:
>
> - analyse his NNTP-Posting-Host: lines for the sending provider

They're not all the same. The Path: and X-Complaints-to: lines all seem
to match other posts from the same providers, so I'd guess either he has
a lot of accounts with different people, or he's found some way to screw
up these headers (not easy AFAIK).

Also, he's using a lot of different newsreaders. The first few were all
sent through OE, which made me immediately think of some kind of email
virus firing off random messages to newsgroups. However, this doesn't
seem so likely when there are so many different programs being used.

[edit - since I wrote this, I just saw one that is PGP signed. A bit
odd, for spam.]

> - report the spams with explanation of the situation to the providers
> - ask them to kill his net access AND CHARGE HIM CLEAN UP COSTS
>
> Clean up costs from enough providers will harm him financially so that
> he will in the end stop.
>
> Happy spammer trashing.
>
>
> --
> Neil Franklin, neil@franklin.ch.remove http://neil.franklin.ch/
> Hacker, Unix Guru, El Eng HTL/BSc, Sysadmin, Archer, Roleplayer
> - Intellectual Property is Intellectual Robbery
>

-- 
Isuldir, Demon prince of spam (if you really want to know, ask)
Death is great fun... You haven't lived until you've tried it.
Newsfeed full of holes, please cc me a copy

######

Path: fakehost.somewhere.dom!not-for-mail
From: User
Newsgroups: alt.ascii-art
Subject: Re: Spam, with header faked
Date: 01 Aug 2001 23:09:37 +0200
Organization: This is a fake also
Lines: 82
Message-ID:
References: <6usnfd9c6l.fsf@chonsp.franklin.ch>
NNTP-Posting-Host: fakehost.somewhere.dom
X-Trace: fakehost.somewhere.dom 996700177 1798 10.0.3.2 (1 Aug 2001 21:09:37 GMT)
X-Complaints-To: user@fakehost.somewhere.dom
NNTP-Posting-Date: 1 Aug 2001 21:09:37 GMT
X-Newsreader: Faked-by-hand Software, 1.5beta
Xref: fakehost.somewhere.dom alt.ascii-art:20423

Bean writes:

> In article <6usnfd9c6l.fsf@chonsp.franklin.ch>, neil@franklin.ch.remove
> gaily trilled...
> >
> > - the multiple (obviously faked) From: lines, which all look
> >   like actual users accounts
>
> All of the ones that my newsfeed picked up are yahoo.com addresses. Is
> this something that all these messages have in common?

I have seen at least 5 different providers.

> > - The Followup to a newsgroup that discusses fighting email spammers
>
> On about half of them. The others do not have a followup header,
> although all seem to either be crossposted to nanae or have followup to
> there.

Yes, nanae crossposts also. Also points to flooding it.

> > I suspect this is a spammer who got shafted by some folks in that
> > group and is trying to get revenge by:
> >
> > - burrying the group in complaint replys
>
> Simon was looking over my shoulder when I read this, and laughed at this
> line. I don't know why.

Is he also sysadmin?

> I would also add:
> - He is a troll. He merely wants to annoy everyone so much that it's not
>   worth the trouble sifting through his garbage posts, and they leave.
>   Trolls love to drive people out of interesting groups.

Trolls usually focus on killing one group at a time, as intensity is
crucial to their "success". This one was scattered over many groups.

> > To get your back at this guy do this:
> >
> > - analyse his NNTP-Posting-Host: lines for the sending provider
>
> They're not all the same. The Path: and X-Complaints-to: lines all seem
> to match other posts from the same providers, so I'd guess either he has
> a lot of accounts with different people, or he's found some way to screw
> up these headers (not easy AFAIK).

I expect lots of (throw away) accounts. Spammers are experienced in
getting them fast.

Faking NNTP-Posting-Host: requires finding an old server that does not
strip NNTP-Posting-Host: from NNRP connections and replace it by its
own one. That is not fitting with the providers used.

NNTP-Posting-Host: is the most reliable header entry of all.

> Also, he's using a lot of different newsreaders. The first few were all
> sent through OE, which made me immediately think of some kind of email
> virus firing off random messages to newsgroups. However, this doesn't
> seem so likely when there are so many different programs being used.

That is fakeable. Easy. I think for demo I will do a maximal fake
header on this post. Compare it with the previous one.

> [edit - since I wrote this, I just saw one that is PGP signed. A bit
> odd, for spam.]

Also fakeable. Or did you try to check up the PGP key if it is valid?

-- 
Neil Franklin, neil@franklin.ch.remove http://neil.franklin.ch/
Hacker, Unix Guru, El Eng HTL/BSc, Sysadmin, Archer, Roleplayer
- Intellectual Property is Intellectual Robbery

######

From: User
Newsgroups: alt.ascii-art
Subject: Re: Spam, with header faked
Date: 01 Aug 2001 23:09:37 +0200
Organization: This is a fake also
Lines: 82
Message-ID:
References: <6usnfd9c6l.fsf@chonsp.franklin.ch>
X-Complaints-To: user@fakehost.somewhere.dom
NNTP-Posting-Date: 1 Aug 2001 21:09:37 GMT
X-Newsreader: Faked-by-hand Software, 1.5beta
NNTP-Posting-Host: ascension.ethz.ch
X-Trace: 1 Aug 2001 23:13:15 +0200, ascension.ethz.ch
Path: chonsp.franklin.ch!pfaff.ethz.ch!fakehost.somewhere.dom!not-for-mail
Xref: chonsp.franklin.ch alt.ascii-art:20433

Bean writes:

> In article <6usnfd9c6l.fsf@chonsp.franklin.ch>, neil@franklin.ch.remove
> gaily trilled...
> >
> > - the multiple (obviously faked) From: lines, which all look
> >   like actual users accounts
>
> All of the ones that my newsfeed picked up are yahoo.com addresses. Is
> this something that all these messages have in common?

I have seen at least 5 different providers.

> > - The Followup to a newsgroup that discusses fighting email spammers
>
> On about half of them. The others do not have a followup header,
> although all seem to either be crossposted to nanae or have followup to
> there.

Yes, nanae crossposts also. Also points to flooding it.

> > I suspect this is a spammer who got shafted by some folks in that
> > group and is trying to get revenge by:
> >
> > - burrying the group in complaint replys
>
> Simon was looking over my shoulder when I read this, and laughed at this
> line. I don't know why.

Is he also sysadmin?

> I would also add:
> - He is a troll. He merely wants to annoy everyone so much that it's not
>   worth the trouble sifting through his garbage posts, and they leave.
>   Trolls love to drive people out of interesting groups.

Trolls usually focus on killing one group at a time, as intensity is
crucial to their "success". This one was scattered over many groups.

> > To get your back at this guy do this:
> >
> > - analyse his NNTP-Posting-Host: lines for the sending provider
>
> They're not all the same. The Path: and X-Complaints-to: lines all seem
> to match other posts from the same providers, so I'd guess either he has
> a lot of accounts with different people, or he's found some way to screw
> up these headers (not easy AFAIK).

I expect lots of (throw away) accounts. Spammers are experienced in
getting them fast.

Faking NNTP-Posting-Host: requires finding an old server that does not
strip NNTP-Posting-Host: from NNRP connections and replace it by its
own one. That is not fitting with the providers used.

NNTP-Posting-Host: is the most reliable header entry of all.

> Also, he's using a lot of different newsreaders. The first few were all
> sent through OE, which made me immediately think of some kind of email
> virus firing off random messages to newsgroups. However, this doesn't
> seem so likely when there are so many different programs being used.

That is fakeable. Easy. I think for demo I will do a maximal fake
header on this post. Compare it with the previous one.

> [edit - since I wrote this, I just saw one that is PGP signed. A bit
> odd, for spam.]

Also fakeable. Or did you try to check up the PGP key if it is valid?

-- 
Neil Franklin, neil@franklin.ch.remove http://neil.franklin.ch/
Hacker, Unix Guru, El Eng HTL/BSc, Sysadmin, Archer, Roleplayer
- Intellectual Property is Intellectual Robbery

######

From: Lennert Stock
Newsgroups: alt.ascii-art
Subject: Re: Spam
Message-ID: <7f4hmtcnhqop3th75s3csikufs19390m4k@4ax.com>
References: <6usnfd9c6l.fsf@chonsp.franklin.ch>
X-Newsreader: Forte Agent 1.8/32.548
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Lines: 30
Date: Thu, 02 Aug 2001 01:44:11 +0200
NNTP-Posting-Host: 213.73.134.67
X-Complaints-To: abuse@quicknet.nl
X-Trace: news.quicknet.nl 996709344 213.73.134.67 (Thu, 02 Aug 2001 01:42:24 MET DST)
NNTP-Posting-Date: Thu, 02 Aug 2001 01:42:24 MET DST
Organization: QuickNet
Path: chonsp.franklin.ch!pfaff.ethz.ch!news-zh.switch.ch!news-ge.switch.ch!news-fra1.dfn.de!unlisys!news.snafu.de!news.stealth.net!news-feed.nld.sonera.net!news.quicknet.nl!not-for-mail
Xref: chonsp.franklin.ch alt.ascii-art:20438

On Wed, 1 Aug 2001 20:47:03 +0100, Bean wrote:

>One possible motive.
>
>I would also add:
>- He is a troll. He merely wants to annoy everyone so much that it's not
>  worth the trouble sifting through his garbage posts, and they leave.
>  Trolls love to drive people out of interesting groups.
>
>>
>> To get your back at this guy do this:
>>
>> - analyse his NNTP-Posting-Host: lines for the sending provider
>
>They're not all the same. The Path: and X-Complaints-to: lines all seem
>to match other posts from the same providers, so I'd guess either he has
>a lot of accounts with different people, or he's found some way to screw
>up these headers (not easy AFAIK).

Uhh forget it. It's just a misaimed new generation of spam. Maybe some
funkup or test. Typically, what appears to be the source(s) are real
people whose addresses have been 'hijacked' and faked. These happy
people (they're innocent) get the complaints and the bounces when the
e-mail type is used.
One of the objects is to become non-filterable. Joy joy joy :(
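
Added example, not part of any post in this thread: the two archived copies of the "Spam, with header faked" post, compared in Python to show which headers the servers rewrote and which client-supplied ones passed through untouched. The header values are copied from those two copies above; the function and variable names are this example's own.

```python
# Added example: header values come from the two copies of the
# "Spam, with header faked" post archived in this thread.
AS_POSTED = """\
Path: fakehost.somewhere.dom!not-for-mail
From: User
Organization: This is a fake also
NNTP-Posting-Host: fakehost.somewhere.dom
X-Trace: fakehost.somewhere.dom 996700177 1798 10.0.3.2 (1 Aug 2001 21:09:37 GMT)
X-Complaints-To: user@fakehost.somewhere.dom
X-Newsreader: Faked-by-hand Software, 1.5beta
"""

AS_RECEIVED = """\
From: User
Organization: This is a fake also
X-Complaints-To: user@fakehost.somewhere.dom
X-Newsreader: Faked-by-hand Software, 1.5beta
NNTP-Posting-Host: ascension.ethz.ch
X-Trace: 1 Aug 2001 23:13:15 +0200, ascension.ethz.ch
Path: chonsp.franklin.ch!pfaff.ethz.ch!fakehost.somewhere.dom!not-for-mail
"""


def parse_headers(block):
    """Return {lowercased-name: value} for a block of 'Name: value' lines."""
    headers = {}
    for line in block.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify(posted, received):
    """Split headers into those rewritten in transit and those passed through."""
    rewritten, untouched = {}, []
    for name, sent in posted.items():
        got = received.get(name)
        if got == sent:
            untouched.append(name)       # client-supplied, so not evidence
        else:
            rewritten[name] = (sent, got)
    return rewritten, sorted(untouched)


def relay_hops(posted_path, received_path):
    """Hops prepended by servers; None if the client-supplied tail changed."""
    sent, got = posted_path.split("!"), received_path.split("!")
    if got[-len(sent):] != sent:
        return None
    return got[:-len(sent)]


if __name__ == "__main__":
    posted, received = parse_headers(AS_POSTED), parse_headers(AS_RECEIVED)
    rewritten, untouched = classify(posted, received)
    for name, (sent, got) in rewritten.items():
        print(f"rewritten  {name}: {sent!r} -> {got!r}")
    print("passed through unchanged:", ", ".join(untouched))
    print("hops added by servers:", relay_hops(posted["path"], received["path"]))
```

Only the server-stamped fields (NNTP-Posting-Host, X-Trace and the left-hand Path entries) are worth quoting in an abuse report; X-Complaints-To in this sample passed through exactly as the poster wrote it.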