Jump to content

To Report or Not To Report - That Is The Question

Ex_Brit

By Ex_Brit
in SpamCop Reporting Help

Recommended Posts

Ex_Brit Advanced Member

Ex_Brit

Posted
Posted

For years now I have been dutifully reporting every single spam that arrives in my SC Email Account Held Mail. I use the "munged" setting to obscure identifying information by the way.

As an experiment I stopped 2 weeks ago and started simply deleting them all to save time. Since then the number of spam emails has dropped sharply.

It would seem that the very act of reporting spammers encourages even more mail, so I ask others for their opinions. Considering that it seems to be so infrequently that I see the "ISP has stopped the spam" notice I'm wondering if it really is worth my effort to resume reporting.

I'm really just commenting on what I have found but would be interested in hearing what others think on this subject.

By the way my main reason for even thinking about stopping the reporting was because SC's servers seem to be taking so long to do the reporting sometimes.

Link to comment
Share on other sites
Wazoo What Life?

Wazoo

Posted
Posted
It would seem that the very act of reporting spammers encourages even more mail, so I ask others for their opinions. Considering that it seems to be so infrequently that I see the "ISP has stopped the spam" notice I'm wondering if it really is worth my effort to resume reporting.

From the other side of the situation ... a few years back, I went round and round with some received HotMail spam, in the process running into all sorts of bogus/bad WHOIS data, broken 'special' 'reporting' addresses (Microsoft) HotMail themselves provided .... I apprently misakenly added some 'new' content to the recycled (manually generated) spam-report which eventually ended with a bot or an idiot seeing my IP Address in the iniial part of the e-mail, so my original (generated less than a month after HotMail first appeared, much prior to Microsoft's buyout) was cancelled.

However, it wasn't handled competely. The Nessenger IM account still used those credentials, and that set of servers apparently were never touched, so the IM Accont was used over these years .. only contact being with thise friends & family in the Buddy List at the time. Any attempt at searching or recreating the specific HotMail accont either came back as "already taken" or "cancelled" .... Come the transition to the Live crap .... this data inconsistency between the various Microsoft servers and databases allowed me to re-activate that (Microsoft) HotMail account.

The pont being, that account was dead for a number of years, so obviously not much Reporting going on. Yet, spam continues to roll into that account's InBox (just looked a it yesterday, 326 spam e-mails in that Folder in less than a month) ... and that's even after so many other folks talk about what a great job HotMail filterng is doing, them not seeing any spam at all.

I'd say it more depends on just which lists the address in question has made it onto/into and just where those lists end up. There 'simple' spammers, but there are some pretty sophisticated folks out there also. I'm also of the opinion that some addresses end up being a bit of a 'verification' test, to see of the spam run is actually making it through various (ISP/Hosting) filters.

BTW: congrats on the MVP award. I burned out doing (primarily) Internet Mail/OE support way back when, dropping out a few monthe before that program came nto being.

Link to comment
Share on other sites
Lking What Life?

Lking

Posted
Posted
I use the "munged" setting to obscure identifying information by the way.

There has been long threads on the 'to munge' or not to munge question. SpamCop also has thoughts in FAQ about the subject. Myself I don't and I don't see that my personal spam level goes up any faster that the general trend.

As an experiment I stopped 2 weeks ago and started simply deleting them all to save time. Since then the number of spam emails has dropped sharply.

Back in 2006 there was a long thread on this. In fact we ran a similar test over several months. comparing the counted spam with the general trend on the volume of spam no one saw an real difference. That old data is still available at http://www.knob.com/spam/ As you can see after three months, I found other things to do or lost interest due to the lack of new information (I can't remember which).

It would seem that the very act of reporting spammers encourages even more mail, so I ask others for their opinions. Considering that it seems to be so infrequently that I see the "ISP has stopped the spam" notice I'm wondering if it really is worth my effort to resume reporting.

So happens I got 5 "ISP has stopped the spam" yesterday, but I agree they are few and far between.

http://www.spamcop.net/sc?id=z3658537550zb...6ed73f218fd7baz

http://www.spamcop.net/sc?id=z3659452767z7...e7f7bd0f25efc5z

http://www.spamcop.net/sc?id=z3659452755zd...9405d6a6f1f480z

http://www.spamcop.net/sc?id=z3659452753zf...5afafbfbc11be3z

http://www.spamcop.net/sc?id=z3659452750z0...09125a71aaea2fz

OK so it is really just 2. Four are as a result of Dictionary Attack from the same IP

Link to comment
Share on other sites
Wazoo What Life?

Wazoo

Posted
Posted
So happens I got 5 "ISP has stopped the spam" yesterday, but I agree they are few and far between.

Just noting that this "status message" requires action to be taken by the ISP/Host in question. See ISP Abuse Report Center for available options. The point being, the Reports come in, if any action is takem the research and account handling is done. Most would go with 'problem solved' at that point, never going back to the web-page options to select a 'status' message.

Historically, there are some number of Topics/Posts made by folks that did use this option to turn off the incoming Reports "while" they were getting around to actually doing anything about it. These Posts usually go along the lines of I fixed it, why am I stll listed? with the typical results being that the spam-spew is still underway.

Point being, I'm not sure just how much weight this particular status message actually carries.

Link to comment
Share on other sites
Ex_Brit Advanced Member

Ex_Brit

Posted
  • Author
Posted

From the other side of the situation ... a few years back, I went round and round with some received HotMail spam, in the process running into all sorts of bogus/bad WHOIS data, broken 'special' 'reporting' addresses (Microsoft) HotMail themselves provided .... I apprently misakenly added some 'new' content to the recycled (manually generated) spam-report which eventually ended with a bot or an idiot seeing my IP Address in the iniial part of the e-mail, so my original (generated less than a month after HotMail first appeared, much prior to Microsoft's buyout) was cancelled.

However, it wasn't handled competely. The Nessenger IM account still used those credentials, and that set of servers apparently were never touched, so the IM Accont was used over these years .. only contact being with thise friends & family in the Buddy List at the time. Any attempt at searching or recreating the specific HotMail accont either came back as "already taken" or "cancelled" .... Come the transition to the Live crap .... this data inconsistency between the various Microsoft servers and databases allowed me to re-activate that (Microsoft) HotMail account.

The pont being, that account was dead for a number of years, so obviously not much Reporting going on. Yet, spam continues to roll into that account's InBox (just looked a it yesterday, 326 spam e-mails in that Folder in less than a month) ... and that's even after so many other folks talk about what a great job HotMail filterng is doing, them not seeing any spam at all.

I'd say it more depends on just which lists the address in question has made it onto/into and just where those lists end up. There 'simple' spammers, but there are some pretty sophisticated folks out there also. I'm also of the opinion that some addresses end up being a bit of a 'verification' test, to see of the spam run is actually making it through various (ISP/Hosting) filters.

BTW: congrats on the MVP award. I burned out doing (primarily) Internet Mail/OE support way back when, dropping out a few monthe before that program came nto being.

Thanks Wazoo, not sure how I got it but it arrived. I'm mostly posting on McAfee forums but do occasionally help out elsewhere, including the Microsoft NG's. Whether or not it gets renewed in April I will have to wait to see.

Thanks for the input - there's a lot for me to learn on this subject.

There has been long threads on the 'to munge' or not to munge question. SpamCop also has thoughts in FAQ about the subject. Myself I don't and I don't see that my personal spam level goes up any faster that the general trend.

Back in 2006 there was a long thread on this. In fact we ran a similar test over several months. comparing the counted spam with the general trend on the volume of spam no one saw an real difference. That old data is still available at http://www.knob.com/spam/ As you can see after three months, I found other things to do or lost interest due to the lack of new information (I can't remember which).

So happens I got 5 "ISP has stopped the spam" yesterday, but I agree they are few and far between.

http://www.spamcop.net/sc?id=z3658537550zb...6ed73f218fd7baz

http://www.spamcop.net/sc?id=z3659452767z7...e7f7bd0f25efc5z

http://www.spamcop.net/sc?id=z3659452755zd...9405d6a6f1f480z

http://www.spamcop.net/sc?id=z3659452753zf...5afafbfbc11be3z

http://www.spamcop.net/sc?id=z3659452750z0...09125a71aaea2fz

OK so it is really just 2. Four are as a result of Dictionary Attack from the same IP

..and thank you too, as I said, there's a lot to learn.

Link to comment
Share on other sites
Farelf What Life?

Farelf

Posted
Posted
...I'm really just commenting on what I have found but would be interested in hearing what others think on this subject. ...
Hi Peter,

People have occasionally reported a drop in spam levels concurrent with a halt or reduction in their reporting. I suspect there are many more who stop or reduce reporting but see unchanged or increased spam levels (and neglect to post about such unremarkable results). Working through my thoughts ...

The reporting system is run so as to keep reports out of the hands of spammers as much as possible (SC staff have pretty-much made a career out of that), the apparently prevalent spam 'business model' uses botnets for sending so abuse reporting goes nowhere near the bot-herder/controller anyway and the actual spammer may be yet a further step removed from the controller. I supposed spamvertized website reports might be chink in the anonymity shield (those with spam-friendly hosting as opposed to botnet hosting) but even there the tendency seems to be more towards cheap and disposable hosting. In any event, it would be hard to imagine why spammers would go to the bother of 'rewarding' you if you stop or reduce reporting. They are not famous for validating their lists and the rise of botnets pushes the 'economics' of distribution towards very large spam runs with even less concern for list maintenance than hitherto.

Undoubtedly there are exceptions to the standard business model and you may have been on some tightly-controlled lists - but those spammers would be at more risk of exposure, they would really have to be masters of their craft. I suppose the longetivity of some on the Spamhaus ROKSO demonstrates that secrecy isn't necessary for spammer survival but I'm not sure those guys employ such finesse or, if they do, account for the spam volumes involved.

The total volumes of spam are immense and it seems short-term fluctuation is quite enormous as well, but with little or no net change in the short term. IronPort-SenderBase statistics probably represent the best single-source sampling of what is going on and here is the daily data for 82 days (from 28 Oct 09) http://img24.imageshack.us/img24/9859/ironportjan2010.jpg (from senderbase.org/home/detail_spam_volume). You can see that, despite some huge swings day-to-day, the net result is fairly much unaltered, with no significant trend within the period. If there can be such changes within some 200 billion spam per day, I'm sure there can be very substantial but non-significant/coincidental changes for individuals as well - to the extent that spam might almost completely disappear for a time. The test is whether it comes back again. In some of those other cases of reduction, the previous levels of spam have reasserted themselves within a matter of weeks/months for no obvious reason.

We know individual reporting won't reduce your level of spam. It's a community thing, we (mostly) trust it makes things better than they might have been, when we work together. Or at least keep the spammers from totally over-running the internet overnight. Our individual reports can't get an IP address listed. But, even with the botnets, some of the zombies actually get taken down - some SC notifies to some ISPs provide the evidence they use to identify compromised machines. But they won't necessarily advise SC or request a moratorium on reporting while they do it. And some ISPs might seem heedless because the SC 'formula' for spam control is different from their own. My own uses IronPort spam and AV filtering inwards (switchable) and outwards, something magical to stop misdirected inwards bounces, port blocking and rate limiting - and regards SC (and all RBLs) with total disdain because it all works very, very well. Usually. Sometimes they get their fingers burned and learn, all over again, that one ignores RBL notifications at one's peril. :P

So, I think I would advise you to continue your experiment. If the spam picks up again, then resume reporting (but maybe just the more recent spam - or the most annoying - something to make it less of a burden). Let us know in any event.

...By the way my main reason for even thinking about stopping the reporting was because SC's servers seem to be taking so long to do the reporting sometimes.
Hopefully that's not a permanent part of the landscape. It will be worth keeping an eye on this when/if you resume reporting - one or more of the servers could be struggling a little or it could be be just a local/line thing affecting just a few.
Link to comment
Share on other sites
Ex_Brit Advanced Member

Ex_Brit

Posted
  • Author
Posted

My spam is roughly between 100 and 200 daily but it did drop markedly a few days into my experiment with not reporting.

I wonder if I wasn't checking carefully enough and reporting responses too before?

Anyway, I'm back to reporting again now so am doing my duty.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...