

Spam


21 replies to this topic

#1 OFFLINE   Mike Rochip

    Power Member

  • Members
  • 844 posts

Posted 06 December 2005 - 04:22 AM

Hello all-

I've been trying to diagnose some issues with my computer for a while now concerning network slowdowns (pages loading very slowly or stopping). I've been looking at ZoneAlarm logs along with info from a program called Who's Connected that lists the programs on your computer that are trying to establish Internet connections and the status of those that are connected. I've looked up dozens of IP Addresses using the website all-nettools.com using their SmartWhois feature. To make a long story short, I've tracked down most of the issues and eliminated them except for one. According to the ZoneAlarm log there is an ISP which is constantly trying to connect far more often than any other. This ISP is UUNet which is a very large provider owned and operated by MCI.com.

Here's the wonderful part of all this:

MCI for years now has been by far the largest ISP that WILLINGLY hosts ILLEGAL spamhouses as they are called. They are making an estimated $5 Million a year by protecting these outfits by claiming they are protecting our First Amendment rights to send and receive illegal, unwanted, computer slowing spam which the UN estimates is costing $25 Billion dollars a year. Spamhaus estimates by mid 2006 this will amount to 95% of all e-mail traffic on the web. MCI.com is also hosting web sites who sell and distribute the malware that makes this problem possible. These sites also sell lists of individual computers that they have infected.

Sorry for the long post but it is really amazing (depressing) that this type of bs is still happening despite the efforts of a lot of people and organizations to stop it. MCI.com is by far the largest ISP allowing this and about the only one that is unwilling to do anything about it and in fact is encouraging the use of their network to facilitate spamming.

Thanks

Spamhaus.org

PS: Thanks rridgely for finding the Who's Connected app, it's a great program!

#2 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,328 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 06 December 2005 - 08:16 AM

uunet is an annoyance that I block in the HOSTS file and in my web browsers. uunet constantly showed up in Sygate Personal Firewall logs back when I used it.


To block them in the HOSTS file input these:
127.0.0.1 uu.com
127.0.0.1 uu.net
127.0.0.1 uunet.com
127.0.0.1 uunet.net
127.0.0.1 www.uu.com
127.0.0.1 www.uu.net
127.0.0.1 www.uunet.com
127.0.0.1 www.uunet.net


To block them in Mozilla Suite, & Mozilla Firefox:
uu.com
uu.net
uunet.com
uunet.net


To block them in Internet Explorer:
*.uu.com
*.uu.net
*.uunet.com
*.uunet.net
Complexity of incoherent design.

#3 OFFLINE   Eldmannen

    Annoyance

  • Banned
  • 2,198 posts
  • Location:Internet
  • Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.

Posted 06 December 2005 - 11:41 AM

In one way I think it is good that they don't bow down, and censor things and host pretty much anything.

Even though I do strongly despise spam and UBE.

Use a mail client or mail service that provides spam protection. Use more than one email address, and be careful on how, where and to whom you reveal it to. And in what format you reveal it.

If you host a website and display your email, a good idea is to put the address in a picture, so it can't be automatically read by software.



#4 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,328 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 06 December 2005 - 06:11 PM

Eldmannen, on Dec 6 2005, 05:41 AM, said:

a good idea is to put the address in a picture, so it can't be automatically read by software.

Just wait until someone figures out how to reverse engineer some scanner software that can read text from a scanned image, then even a picture won't add any email address security from spammers.

#5 OFFLINE   Glenn

    Power Member

  • Members
  • 793 posts
  • Location:Canada

Posted 06 December 2005 - 06:38 PM

Simple solution:

Use a string of at least 5 numeric (I use more) in your address. After more than five years with spam filters turned off completely ... not one unsolicited e-mail.

#6 OFFLINE   Eldmannen

    Annoyance

  • Banned
  • 2,198 posts
  • Location:Internet
  • Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.

Posted 06 December 2005 - 06:56 PM

Andavari, on Dec 6 2005, 06:11 PM, said:

Just wait until someone figures out how to reverse engineer some scanner software that can read text from a scanned image, then even a picture won't add any email address security from spammers.

Good point, however then the crawler would need to download the pictures too, not only plain/text which would consume a lot of bandwidth. Only a minority of pictures contain email addresses. And even if the guy could efficiently get email addresses that way, the people who use the picture method are users who are aware of spam and probably don't open those spam or click the links on those spam. So he wouldn't really get anything from them, they are not a good target user-base.

--

Spammers often sell CDs full of lists of email addresses, usually sorted in alphabetic order. So the mailer starts sending to email where first letter is A and sometimes never finishes. Using an email address where the first letter in the username is Z might actually help some.

There are also filters such as Bayesian filters and such which can filter spam by like 99% accuracy.

Gmail has a feature to flag/mark spam as spam when arrived in your inbox.



#7 OFFLINE   Eldmannen

    Annoyance

  • Banned
  • 2,198 posts
  • Location:Internet
  • Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.

Posted 06 December 2005 - 07:00 PM

Glenn, on Dec 6 2005, 06:38 PM, said:

Simple solution:

Use a string of at least 5 numeric (I use more) in your address.  After more than five years with spam filters turned off completely ... not one unsolicited e-mail.

I doubt that helps anything at all. The crawler/mail-sender doesn't care how many numbers you have in your letter; it is an automated process. The crawler matches a certain pattern such as *@*.* or [A-Za-z0-9.-_]{1,32}@[A-Za-z0-9.-]{1,128}.[A-Za-z]{2,4} or something similar. And the sender just reads whatever is on the line in the file or in the row in the database and sends a letter to it.



#8 OFFLINE   Glenn

    Power Member

  • Members
  • 793 posts
  • Location:Canada

Posted 06 December 2005 - 08:03 PM

Quote

... the crawler match a certain pattern ...
Precisely. A few years ago, I happened to notice one of my addresses was spam free and checked with an ISP support guy I knew at the time. He said he knew about it and that at one time 4 digits was enough to cause most crawlers to pass over the string but that it seemed 5 or more was becoming necessary.

#9 OFFLINE   Eldmannen

    Annoyance

  • Banned
  • 2,198 posts
  • Location:Internet
  • Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.

Posted 06 December 2005 - 08:10 PM

I doubt it. The pattern is probably usually a simple regex (Regular Expression) pattern that matches all alphabetical characters.



#10 OFFLINE   Mike Rochip

    Power Member

  • Members
  • 844 posts

Posted 06 December 2005 - 10:45 PM

Hello again-

Thanks everyone for all the advice, as always I really appreciate it. None of the spam is getting through, it just annoys me that my computer is always being asked to initiate connections with this cr*p. I could very well be wrong but I assume it is tying up resources in some way.

I've also been trying to figure out why the System Idle Service is trying to initiate an internet connection. I thought it only is there to indicate CPU capability that is not being used, so why is it actively seeking a connection? There's quite a bit of info on the Web, but it's too technical for me to understand.

Unfortunately, 1 email got through purporting to be from PayPal, claiming to need to verify my account info. I STUPIDLY responded to it, even though I noticed the URL was for hometown.aol.com. I realized when it asked for my credit card number that it was bogus, but I had already given my name, address, Mother's maiden name, and phone number. I notified the credit bureaus, Netzero, and PayPal. Netzero and PayPal responded very quickly with helpful advice and precautions, etc. However, all communication with AOL immediately was terminated by them when they realized I was not a subscriber (surprise, surprise). For some naive reason I thought maybe they would be concerned a subscriber was using their service to run a phishing scam. Wrong. Netzero certainly was, and said that although they weren't involved, they would forward the info to the appropriate people (Netzero is my ISP).

I can't believe I fell for it, but all the screens looked exactly like PayPal. Obviously, the wrong URL was a huge red flag, and the phisher wasn't even very sophisticated in that he didn't spoof the URL. Still I fell for it, my fault.

Thanks again for all the help and letting me vent my frustrations. Don't let your guard down for a second, that's all it takes!

#11 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 07 December 2005 - 12:18 AM

What email program do you use/service (gmail, yahoo, etc.)?

#12 OFFLINE   Mike Rochip

    Power Member

  • Members
  • 844 posts

Posted 07 December 2005 - 03:33 AM

rridgely, on Dec 6 2005, 06:18 PM, said:

What email program do you use/service (gmail, yahoo, etc.)?


I've been using Thunderbird. One reason I guess I was fooled (other than being STUPID <_< ) was I've had zero spam since I switched. The only email I've gotten since I switched was from Netzero, Rhapsody and other entities I've done business with. I use Yahoo for the folks I know will be sending junk I don't have any interest in.

EDIT: I did get another one from Avast supposedly warning my computer was infected that was so unbelievably lame I didn't fall for it.

#13 OFFLINE   Eldmannen

    Annoyance

  • Banned
  • 2,198 posts
  • Location:Internet
  • Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.

Posted 07 December 2005 - 01:35 PM

Andavari, on Dec 6 2005, 08:16 AM, said:

To block them in the HOSTS file input these:
127.0.0.1      uu.com
127.0.0.1      uu.net
127.0.0.1      uunet.com
127.0.0.1      uunet.net
127.0.0.1      www.uu.com
127.0.0.1      www.uu.net
127.0.0.1      www.uunet.com
127.0.0.1      www.uunet.net

I think that it is better to use 0.0.0.0 instead of 127.0.0.1
When you use 127.0.0.1 it can try to establish a loopback connection to your computer which takes some time and resources.

Mike Rochip, on Dec 7 2005, 03:33 AM, said:

I use Yahoo for the folks I know will be sending junk I don't have any interest in.


You should give Gmail a try. :)



#14 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,328 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 07 December 2005 - 05:27 PM

Eldmannen, on Dec 7 2005, 07:35 AM, said:

I think that it is better to use 0.0.0.0 instead of 127.0.0.1
When you use 127.0.0.1 it can try to establish a loopback connection to your computer which takes some time and resources.

That's why I have this in my HOSTS file:
127.0.0.1      localhost
   0.0.0.0      localhost


#15 OFFLINE   Eldmannen

    Annoyance

  • Banned
  • 2,198 posts
  • Location:Internet
  • Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.

Posted 08 December 2005 - 06:04 PM

I think that it is a bad idea to have double entries. It can only resolve to one anyways.



#16 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,328 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 09 December 2005 - 08:26 AM

Eldmannen, on Dec 8 2005, 12:04 PM, said:

I think that it is a bad idea to have double entries. It can only resolve to one anyways.

Whatever, these two entries are required for CookieCop to work; without them it won't function properly:
127.0.0.1 localhost
0.0.0.0 localhost

Edit: Forgot these:
127.0.0.1 CookieCop
0.0.0.0 CookieCop

#17 OFFLINE   Eldmannen

    Annoyance

  • Banned
  • 2,198 posts
  • Location:Internet
  • Interests:Free software, open-source, GNU GPL, Linux, security, encryption, privacy, anonymity.

Posted 09 December 2005 - 02:56 PM

Oh, that sounds really strange. The hosts file is for the computer to avoid doing a DNS lookup, so it looks in the hosts file for a hostname and which IP it should resolve to. A hostname does point to one IP address.
Then it tries to connect to that IP.
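
The duplicate-entry question from the posts above, as an added example that is not part of any post in this thread: a Python check that parses a HOSTS file, reports which mapping takes effect for each name and which later lines are shadowed, and classifies the blocking target as loopback (127.0.0.1) or unspecified (0.0.0.0). It assumes the resolver stops at the first matching line; the sample file and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample built from the entries quoted in this thread.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
0.0.0.0        localhost
127.0.0.1      uu.net www.uu.net
0.0.0.0        uunet.net    # trailing comments are ignored
0.0.0.0        WWW.UU.NET
not-an-ip      example.invalid
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for each valid mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a hostname
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip the whole line
        for name in fields[1:]:
            yield line_no, addr, name.lower()  # hostnames are case-insensitive

def audit_hosts(text):
    """Return (effective, shadowed).

    effective maps hostname -> (line_no, address) of the first entry seen
    (assumption: first match wins); shadowed lists later duplicates.
    """
    effective, shadowed = {}, []
    for line_no, addr, name in parse_hosts(text):
        if name in effective:
            shadowed.append((name, line_no, addr))
        else:
            effective[name] = (line_no, addr)
    return effective, shadowed

def sink_type(addr):
    """Classify a blocking target: 'loopback', 'unspecified' or 'other'."""
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "unspecified"
    return "other"
```

On the sample, `localhost` on line 2 and `WWW.UU.NET` on line 5 come back as shadowed, so under the first-match assumption the 0.0.0.0 mappings on those lines never take effect.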



#18 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,328 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 09 December 2005 - 05:14 PM

Eldmannen, on Dec 9 2005, 08:56 AM, said:

Oh, that sounds really strange.


Probably is!
I remember using Norton Antivirus 2000 and its email protection if I remember correctly added an entry in the HOSTS file as well.

#19 OFFLINE   burtman

    Advanced Member

  • Members
  • 155 posts

Posted 26 December 2005 - 03:25 AM

Eldmannen, on Dec 6 2005, 06:56 PM, said:

Good point, however then the crawler would need to download the pictures too, not only plain/text which would consume a lot of bandwidth. Only a minority of pictures contain email addresses. And even if the guy could efficiently get email addresses that way, the people who use the picture method are users who are aware of spam and probably don't open those spam or click the links on those spam. So he wouldn't really get anything from them, they are not a good target user-base.

--

Spammers often sell CDs full of lists of email addresses, usually sorted in alphabetic order. So the mailer starts sending to email where first letter is A and sometimes never finishes. Using an email address where the first letter in the username is Z might actually help some.

There are also filters such as Bayesian filters and such which can filter spam by like 99% accuracy.

Gmail has a feature to flag/mark spam as spam when arrived in your inbox.



Hate to tell u this (u prob already know this) the 911 geezers communicated this way (sorry)

#20 OFFLINE   YoKenny

    Super Power User

  • Members
  • 2,874 posts
  • Gender:Male
  • Location:Oshawa, Ont. Canada
  • Interests:Helping people get rid of malware on their systems then showing them how not to get re-infected again

Posted 27 December 2005 - 06:10 AM

Quote

I think that it is better to use 0.0.0.0 instead of 127.0.0.1
When you use 127.0.0.1 it can try to establish a loopback connection to your computer which takes some time and resources.

It's best to use 127.0.0.1 and eDexter.
eDexter is a local proxy that looks at 127.0.0.1 requests and responds immediately.
It also preserves the format of the site and reduces the number of "Page not found" messages.
http://www.pyrenean.com/?page_value=-2
"Education is what remains after one has forgotten everything he learned in school." - Albert Einstein
IE7Pro user