
How come a gmail, hotmail or similar administrator address is accepted?


ka112


How come a gmail, hotmail or similar address as "Administrator of network where email originates" is accepted?

Isn't that a bit too obvious? What ISP would use such an address???

My apologies... It is probably too early in the day but I'm not sure I understand your question.

'..is accepted' for what? Could you give a bit more detail to the background to your question. It would help me at least <_<

Andrew


...What ISP would use such an address???
Only shonky ones, I would venture to guess, however it is not SC's mission to LART the buggers but just to give a polite "heads up" that they may be about to tip themselves into the SCbl - and only then if they haven't "opted out" (yes, there is a spam-type irony in that since they never opted in).

Anyway, the abuse/admin address is that registered (typically) in whois.ripe.net though other sources may be considered by the deputies on observation or evidence through the "routing" newsgroup. What you see in the parse for any lookup is like (taking an address at random) ;)

Parsing input: 91.95.207.151

Routing details for 91.95.207.151

[refresh/show] Cached whois for 91.95.207.151 : abuse[at]siwnet.net

Using abuse net on abuse[at]siwnet.net

abuse net siwnet.net = postmaster[at]siwnet.net, abuse[at]siwnet.net

Using best contacts postmaster[at]siwnet.net abuse[at]siwnet.net

Note this is cached. A reporter hitting the [refresh/show] link will force a database look-up like
Removing old cache entries.

Tracking details

Display data:

"whois 91.95.207.151[at]whois.ripe.net" (Getting contact from whois.ripe.net)

whois.ripe.net found abuse contacts for 91.95.207.151 = abuse[at]siwnet.net

whois: 91.95.200.0 - 91.95.207.255 = abuse[at]siwnet.net

Routing details for 91.95.207.151

Using abuse net on abuse[at]siwnet.net

abuse net siwnet.net = postmaster[at]siwnet.net, abuse[at]siwnet.net

Using best contacts postmaster[at]siwnet.net abuse[at]siwnet.net

Needless to say, anyone finding a better address is encouraged to alert the deputies (but do ALL the homework first).

[on edit - some turgid prose clarified, if not enlivened]

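Added example, not part of the thread and not SpamCop's code: a small Python parser for the trace format quoted in the post above, which follows the whois contact through the abuse.net mapping to the "best contacts" line and flags final report targets at free webmail providers. The function names, the `FREEMAIL` list and the second trace are assumptions made for illustration; the second trace is constructed.

```python
import re

# Assumption: free-webmail list built from the providers named in this thread.
FREEMAIL = {"gmail.com", "hotmail.com", "yahoo.com"}

WHOIS_RE = re.compile(r"^whois: (\S+) - (\S+) = (.+)$")
ABUSENET_RE = re.compile(r"^abuse net (\S+) = (.+)$")
BEST_RE = re.compile(r"^Using best contacts (.+)$")

# Lines copied from the refreshed parse quoted in the post above.
PAGE_TRACE = """\
whois.ripe.net found abuse contacts for 91.95.207.151 = abuse[at]siwnet.net
whois: 91.95.200.0 - 91.95.207.255 = abuse[at]siwnet.net
Using abuse net on abuse[at]siwnet.net
abuse net siwnet.net = postmaster[at]siwnet.net, abuse[at]siwnet.net
Using best contacts postmaster[at]siwnet.net abuse[at]siwnet.net
"""

# Constructed sample (documentation range, made-up mailbox), not real parser output.
CONSTRUCTED_TRACE = """\
whois: 192.0.2.0 - 192.0.2.255 = netadmin.example[at]gmail.com
Using best contacts netadmin.example[at]gmail.com
"""

def _addrs(text):
    """Split a contact list on commas/whitespace and undo the [at] masking."""
    return [a.replace("[at]", "@").lower() for a in re.split(r"[,\s]+", text.strip()) if a]

def parse_trace(trace):
    """Collect the whois range/contacts, abuse.net mapping and final targets."""
    out = {"range": None, "whois": [], "abuse_net": {}, "best": []}
    for line in map(str.strip, trace.splitlines()):
        if m := WHOIS_RE.match(line):
            out["range"] = (m.group(1), m.group(2))
            out["whois"] = _addrs(m.group(3))
        elif m := ABUSENET_RE.match(line):
            out["abuse_net"][m.group(1).lower()] = _addrs(m.group(2))
        elif m := BEST_RE.match(line):
            out["best"] = _addrs(m.group(1))
    return out

def freemail_targets(parsed):
    """Final report targets whose mailbox is at a free webmail provider."""
    return [a for a in parsed["best"] if a.rsplit("@", 1)[-1] in FREEMAIL]

if __name__ == "__main__":
    for name, trace in (("page", PAGE_TRACE), ("constructed", CONSTRUCTED_TRACE)):
        parsed = parse_trace(trace)
        print(name, parsed["range"], parsed["best"], "freemail:", freemail_targets(parsed))
```
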

My apologies... It is probably too early in the day but I'm not sure I understand your question.

'..is accepted' for what? Could you give a bit more detail to the background to your question. It would help me at least

Accepted as an "Administrator of network where email originates" address by SpamCop when reporting spam. See http://www.spamcop.net/


Spamcop and ISPs do not look at the email address, but at the IP address of where a spam came from. If it comes from yahoo or hotmail, the parser looks at the IP address of the computer which is using yahoo or hotmail. If it comes from gmail, gmail won't show the IP address of the computer who is using their service so the gmail servers are listed. If the spammer has forged the FROM to look as though it comes from yahoo or hotmail, then the parser can tell and sends the report to the abuse address of the IP address of the sending computer. The sending computer is often not a mail server since spammers use infected computers to send a lot of spam.

I suspect that you don't have technical details turned on because that shows to some extent how the parser figures out who to send a report to. To a non-technically fluent person, it is a little intimidating, but, with patience, one can get a general idea of what is going on.

Miss Betsy


- and only then if they haven't "opted out"
Administrators of spam-sending networks can opt out? Like "My network sends a lot of spam but I would rather not be on the SpamCop blocklist"? Surely not?

Sometimes you have to de-lurk to learn a little more (though Encarta already helped me with the Australian).


No, more like "My network sends a lot of spam, but I don't want to hear about it". They stop getting reports, but they still get listed in the SCBL. The only way to "opt-out" of being listed in the SCBL is to not send spam.


...Administrators of spam-sending networks can opt out? ...
Nah, sorry for being unclear - like Will says, they can elect not to receive reports, that's all. The SCbl listing process is totally unaffected by any such withdrawal from notifications.

I thought the original poster was asking why SpamCop would believe that a domain that wasn't gmail, hotmail, et al would have an administrative reporting address from gmail, hotmail, et al - I could be wrong.


How come a gmail, hotmail or similar address as "Administrator of network where email originates" is accepted?
That's SpamCop telling you that we have set up reports about that IP to go to that address for some reason. It may or may not be the only address getting reports about that IP.

- Don D'Minion - SpamCop Admin -


I thought the original poster was asking why SpamCop would believe that a domain that wasn't gmail, hotmail, et al would have an administrative reporting address from gmail, hotmail, et al - I could be wrong.
Indeed, and I sought to explain that the parser (first blush) uses the whois record which contains that information (which would certainly be suspect) and if those people don't actually want to be notified (and, reading between the lines, a false registration would tend to indicate that and other things) then SC is not dedicated to notifying them. Seems I over-elaborated?

Seems I over-elaborated?

In my opinion, no. I certainly can't argue against Don's note that there might be some manually adjusted targets made to the database, but the overwhelming Parser results that I've seen with HotMail/Yahoo 'admin' addresses as Report targets are in fact due to results found in the WHOIS look-up sequence in the parser code .... sometimes a Cache Refresh will find a 'better' target, sometimes it will 'adjust' over time, sometimes it gets posted into the newsgroups and 'something happens' .... I can honestly say that I have never looked up a result from the Parser Result page and saw a Note about an added override to a HotMail, Yahoo, or GMail address. But if Don says they do it, it must be true.


"Administrator of network where email originates"
I don't have an IP to work with so I can research the different responses, but that statement generally means that one of the staff established the reporting for that IP. It's not the same as the "Using best contacts..." statement, which is the result of a Whois lookup and a check with the Abuse.net database. And it doesn't mean that SpamCop will not use reporting addresses it gets from whois lookup.

All it means is that particular reporting address for that specific IP was established by manual intervention.

- Don -


I don't have an IP to work with

Nor do 'we' .. back to all those hints and links about How to ask a Good Question yet again

so I can research the different responses, but that statement generally means that one of the staff established the reporting for that IP. It's not the same as the "Using best contacts..." statement, which is the result of a Whois lookup and a check with the Abuse.net database. And it doesn't mean that SpamCop will not use reporting addresses it gets from whois lookup.

All it means is that particular reporting address for that specific IP was established by manual intervention.

Thanks for the follow-up and additional information/clarification. More fodder for the 'live' FAQ and Wiki. Much appreciated.


I thought the original poster was asking why SpamCop would believe that a domain that wasn't gmail, hotmail, et al would have an administrative reporting address from gmail, hotmail, et al - I could be wrong.

No, you are 100% right! More right than anyone so far!

Thanks!

/Anders


No, you are 100% right! More right than anyone so far!

Totally not understanding that remark. You have the Administrator of the Parsing & Reporting system stating exactly how it can and does happen. I don't believe you can get much 'more right' than that ....?????


No, you are 100% right! More right than anyone so far!

No, he (or she) is only saying that I have understood the question.

If I understand the answer(s) correctly, SpamCop has set up some of these administrative reporting addresses (for whatever reason), but they could also come from looking at online resources (like whois lookups and abuse.net).

(Edited to fix quote.)


Let's see. The OP seems to be saying that the spam was NOT from gmail, hotmail, or yahoo, but that the spamcop report went to abuse at one of those. It could mean that the whois address was a gmail, hotmail, or yahoo address. IOW, the spam, as the parser has seen it, comes from domainx, but instead of sending a spamcop report to abuse at domainx, the parser sends it to somebody at a gmail or hotmail or yahoo address which it has gotten from the whois reports. But Don says that the wording means that it is manually added, in which case possibly someone at a gmail, hotmail, or yahoo address does want to get the reports and, for whatever reason, the deputies think it is a better place to send them than the whois or abuse address.

It would help to see the Tracking URL of one of these reports that are perplexing the OP.

Tracking URL

When looking at the Report Page of the Parser Results, the top of the page contains these words (your reference number will be different);

spam Header

This page may be saved for future reference:

http://www.spamcop.net/sc?id=z641303267z04...fef3b3d92488bfz

Skip to Reports

This "future reference" URL is the "Tracking URL" .... As one of the IronPort "purchase" benefits has turned out to be the addition of some serious storage capabilities, the entire spam submittal is now stored (for some time). These days, things are made much easier when asking for some review, analysis, or assistance; simply copy this provided link and use it to point to the spam submittal in your query. This way, anyone looking to try to answer the query is looking at the spam submittal as the SpamCop parsing engine saw it, thus everyone is talking about the same data.

Miss Betsy


...It would help to see the Tracking URL of one of these reports that are perplexing the OP.
It would indeed, some interesting stuff has been discussed but nothing specific which is now needed, going by Anders' response.

What colored my replies - the number of yahoo addresses I have seen in whois and abuse records are many - though not so many gmail and I can't recall any hotmail offhand (maybe because both those reject attempts to send to non-existent accounts right up front). But all of that now seems to be irrelevant. Come on Anders.


It would indeed, some interesting stuff has been discussed but nothing specific which is now needed, going by Anders' response.

What colored my replies - the number of yahoo addresses I have seen in whois and abuse records are many - though not so many gmail and I can't recall any hotmail offhand (maybe because both those reject attempts to send to non-existent accounts right up front). But all of that now seems to be irrelevant. Come on Anders.

I do not have the spam left. I will get back to you when I find a spam not sent from gmail but with an email address to gmail.

/Anders


I do not have the spam left. I will get back to you when I find a spam not sent from gmail but with an email address to gmail.

Actually many small domains use free email accounts for their registrations (even though that may be against their TOS). It makes sense in that if your domain is taken down, how can they email you about the issue?


I do not have the spam left. I will get back to you when I find a spam not sent from gmail but with an email address to gmail.

Your Report History should have the Report-IDs of the spam submittal that started all this, the SpamCop FAQ as found here contains a link to explain how to derive a Tracking URL from a Report-ID. Point being that there isn't much of an excuse for not providing a Tracking URL in all this time.


"Administrator of network where email originates" - All it means is that particular reporting address for that specific IP was established by manual intervention.
I retract my statements.

When SpamCop says, "Administrator of network where email originates" all it is telling us is what address it found to send reports to.

I was mistaken when I thought that statement reflected the source of the reporting address. It does not.

My apologies for all the trouble.

- Don D'Minion - SpamCop Admin -


  • 2 weeks later...
Your Report History should have the Report-IDs of the spam submittal that started all this, the SpamCop FAQ as found here contains a link to explain how to derive a Tracking URL from a Report-ID. Point being that there isn't much of an excuse for not providing a Tracking URL in all this time.

You are probably right but I always seem to sooner or later get lost in the FAQ /FAQ's.

Sorry.

/Anders


Your Report History should have the Report-IDs of the spam submittal that started all this, the SpamCop FAQ as found here contains a link to explain how to derive a Tracking URL from a Report-ID. Point being that there isn't much of an excuse for not providing a Tracking URL in all this time.

You are probably right but I always seem to sooner or later get lost in the FAQ /FAQ's.

In this case, the specific FAQ entries found in the single-page-access-expanded version of the SpamCop FAQ here use the same specific words I used in my references. Thus my confusion on why things are so hard to find in this case.

Getting a Tracking URL from a Report ID

How To Get Report History

Yes, I understand the problem in that data thus far is primarily provided in English (and yes, I also know that some folks even challenge this statement <g>) On the other hand, nothing can get 'fixed' based on such generalized statements. For example, I can't tell just what/which FAQs are included in your statement. The Wiki found here is something like the dozenth tool/attempt I have tossed up to provide an alternative to the Official FAQ, which has been complained about for years. The single-page-access version found here started as a Saturday morning hack - which then got expanded through work by the volunteers here. The Dictionary and Glossary worked the same way, I started them, other folks got involved with expanding them.


Archived

This topic is now archived and is closed to further replies.
