Jump to content

2 days limit


william_

Recommended Posts

tried to report a spam when it was Mon, 23 Apr 2012 09:25 +0100 but got the following message:

Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Sat, 21 Apr 2012 09:14:21 +0100

I guess ideally it should allow from Friday close of business, i.e. 5pm when reporting on Monday morning?

Link to comment
Share on other sites

It is my understanding that:

One of the objectives of reporting is to send reports to the ISP of the offender. Seems that to be effective reports need to be timely and what that is of course is a matter of opinion.

Another objective of reporting is to build a time sensitive list that can be used by others to help sort (block) their incoming spam. Again seems it is a matter of opinion what is timely.

IMHO reporting on Monday at 9am that there was a burst of spam from a source 64 hours ago (

Friday 5pm) would be less than effective. As in many situations, someone has to pick a cut-off and 48hrs is just as arbitrary as 64hrs, why not three days?

I'm sure our situations are different but my solution is to just not report (delete) all spam that I don't get reported as it comes in, more or less. Now if not overpowering, I do report old spam to KnujOn being their process is not as time sensitive. This arbitrary personal choice is in part because I don't want to spend the time to catch-up on several hundred spam a day when I get behind.

All reporting is a personal choice and all reporting supports the cause. Thanks.

Link to comment
Share on other sites

...I guess ideally it should allow from Friday close of business, i.e. 5pm when reporting on Monday morning?
Interesting notion and well worth some further discussion IMO if it implies any "weekend surges". If not, then as Lou says, maybe just report what you are able to report and sincere thanks for that.

Possible weekend surges (tactical or otherwise). Don't know about you William, but the spam I get comes from all over the world, always has, from many different time zones, and although one might sometimes suspect it is cunningly timed to take advantage of weekends in my time zone (or represents part-time spammers from my time zone using the weekend off-time from their day jobs, or represents the "prime time" for zombied machines and their owners being "awake") other evidence - such as other reporters seeing the same stuff in other time zones, also any weekend surges seem not to persist longer-term - suggest it is VERY rarely so targeted (that is, that it is aimed at me, specifically, or even my time zone). Such "suggest" (on the balance of probability) but don't prove it, lacking close analysis.

Accordingly, the question would be, "Friday close of business" for who? But - you could be on to something, perhaps others are seeing an uncanny timing, long term? That would be very interesting.

The next thing needing attention would be the parsing algorithm which (as you know) weights the "spam score" according to "freshness". Apart from that, the mail/network admins receiving and acting on reports need fresh data falling within their current logs. Although their attention or inattention matters as nothing to the SCbl (unless they seek express de-listing), there is and always has been an earnest desire by SC to enlist their active support in the fight - so they can get off the list and keep off the list.

Anyway, will be interesting to see if others have experienced weekend surges or whether it is simply frustration that amplifies the perception. Always learning ...

Link to comment
Share on other sites

<snip>

lacking close analysis.

<snip>

Anyway, will be interesting to see if others have experienced weekend surges or whether it is simply frustration that amplifies the perception. Always learning ...

In the spirit of '1 data point is anecdotal, 2 data points are datum.'

Looking at the weekly graph of spam reported, there does not seem to be much of a dip over the weekend. What little dip I see last Saturday is the sum of several factors which may, or may not, reflect the real world. Who reports on the weekend is a self selecting group, and what they have time to report is also unknown (could be more or less than 'normal'). So that non-scientific sample of spam may not reflect the true world daily 'weekend' volume of spam.

I am fairly anal about reporting. I do not notice much day to day change in my volume. There has been one exception. About 3 years ago I was targeted, or someone's tool got stuck. I received hundreds of the same spam an hour for most of the day. Close to DOS. On the other hand, when traveling I don't bother to report because most reports get blocked by the WiFi links I use or by my SMTP because I'm coming through an open relay.

I would also question timing being targeted. Anecdotally I use a VSAT link for my internet. As a result where I am, where my IP addy is, is not well defined; some pick the ISP corporate office in Kansas, others identify the terminal in Alabama. Using WhoIs also does not always reflect were I am physically. As a result if there were time targeting the peak(s) should shift as I change time zones in relation to where they think I am. Without much analysis my spam load seems to be spread throughout the day, which may reflect where all of the spammers are.

Link to comment
Share on other sites

  • 1 month later...

I wonder if a simple forum poll would gauge Spamcop user's opinions on the 48hour limit if it was appropriately constructed.

Those of you who associate the request with 'surges over the weekend' or 'time zones' or similar are off the mark and have unfortunately not found extra reasoning for the proposed change.

I simply want to report spam that I receive(at work), and to that end the (arbitrary) 48hours limit is simply inadequate (as detailed with the weekend example in the first post).

Currently the Spamcop reporter cannot/will not wait mere seconds to resolve found domains in the body properly or process the email to properly extract links etc in a madcap rush to report to the ISP the existence of each spam item. (http://forum.spamcop.net/forums/index.php?showtopic=12209). In the last 365days the average was 10 emails per second.

Link to comment
Share on other sites

Hi, william_,

...It's unlikely that a poll will be of any practical use. SpamCop seems determined to set and keep the limit at 48 hours and even an overwhelming vote of its users to extend that is not likely to change that mindset. On the other hand, you are welcome to use the information returned by the SpamCop parser to send your own complaint(s) to the abuse desks of the spam sources, as long as you do not mention SpamCop and remove all references to SpamCop in the content you copy from the SpamCop parse. For more information, please see SCWiki entry "ManualReport."

Link to comment
Share on other sites

that is a rather pessimistic view.
I don't think so - more a realistic assessment based on long observation of how things seem to work in SC and how they change.

The limit used to be 3 days, probably with the weekend situation in mind. But that wasn't working out optimally so it was changed, back at the end of October 2004 (see http://forum.spamcop.net/forums/index.php?showtopic=2948). There was no poll conducted at the time - the SC deputies apparently made the call, based on them collectively seeing the full picture. Not to say they wouldn't reconsider given sufficient reporter feedback but the other part of the picture is they seem to have the Devil's own job in getting (some) changes made themselves. The final part of the picture is that the very potent spamtraps (by comparison with the weighting given to reporters' submissions) never sleep.

Steve T can answer for himself but I think those are all or most of the factors that would be running through his mind when he replied.

The other thing you could consider is having a VPN or other remote connection to your work so you can report from home. Not that I would recommend it - to my mind the home-work VPN is right up there with the mobile/cell 'phone, an invention of the aforesaid Devil to deprive us of our rest. Heck, even units of the 'Borg collective are allowed their downtime when they're not relentlessly intoning "Resistance is futile," and enslaving new species in their entirety.

Steve S

Link to comment
Share on other sites

<snip>

a realistic assessment based on long observation of how things seem to work in SC and how they change.

The limit used to be 3 days, probably with the weekend situation in mind. But that wasn't working out optimally so it was changed, back at the end of October 2004 (see http://forum.spamcop.net/forums/index.php?showtopic=2948). There was no poll conducted at the time - the SC deputies apparently made the call, based on them collectively seeing the full picture. Not to say they wouldn't reconsider given sufficient reporter feedback but the other part of the picture is they seem to have the Devil's own job in getting (some) changes made themselves. The final part of the picture is that the very potent spamtraps (by comparison with the weighting given to reporters' submissions) never sleep.

Steve T can answer for himself but I think those are all or most of the factors that would be running through his mind when he replied.

<snip>

...Mostly the first plus the fact that the SpamCop blacklist is designed to be very reactive, adding IP addresses of spam sources as the number of spam reports meets the criteria for listing and removing them as the good e-mail vs spam statistics fall below the listing threshold (see SpamCop FAQ, links to which can be found near the top left of each SpamCop Forum page, article labeled "What is on the list?" for more information), which require very timely reporting.

...For those of us for whom LARTing admins is the important thing, Manual Reporting can be used.

Link to comment
Share on other sites

  • 6 months later...

again it was 9:26am GMT on a Monday and I get the following message:

Sorry, this email is too old to file a spam report. You must report spam within 2 days of receipt. This mail was received on Fri, 30 Nov 2012 22:30:39 GMT

Message is 2.5 days old

spam originated from 31.169.70.246, I see that IP is not currently in the Spamcop DNSBL. Has it ever been and did it leave the DNSBL over the weekend...

Link to comment
Share on other sites

again it was 9:26am GMT on a Monday and I get the following message:

spam originated from 31.169.70.246, I see that IP is not currently in the Spamcop DNSBL. Has it ever been and did it leave the DNSBL over the weekend...

Would help if you provided evidence like a SpamCop tracking URL

eg one from a week ago

http://www.spamcop.net/sc?id=z5436560247z4...083cc92c494c8cz

Your computer or your email providers clock right?

Link to comment
Share on other sites

again it was 9:26am GMT on a Monday and I get the following message:

spam originated from 31.169.70.246, I see that IP is not currently in the Spamcop DNSBL. Has it ever been and did it leave the DNSBL over the weekend...

I'm guessing, if all the headers are correct and if all the clocks of all the servers are correct, that this is another one coming in to your place of work late Friday after COB and that by the start of work Monday it is already too old to report. Just a single case? If you're seeing so few it is not stacking up to a persuasive case for SC to reconsider the time limit, I would have thought ...

Anyway, there was a report concerning 31.169.70.246 over that weekend and a report went off to the abuse handler abuse[at]netfactor.com.tr There was another sighting from a mole account "report" too (no report to abuse handler but a reduced-weight score, counting towards possible SCbl listing). Certainly those would be insufficient to cause SCbl triggering, unless there were also spamtrap hits (only the SC staff could say for sure). But there's been no sighting since, there were no others in the previous 90 day limit of the reporting history and that IP address is listed on very few public blocklists around the internet generally.

I would tentatively conclude that slin.superim.net [31.169.70.246] is not a great problem in the spam world and that maybe NETFACTOR in Turkey has it under control. But (contrary-wise) I have to say SenderBase is currently seeing something of an upsurge in the activity of that server.

The subject lines for the two sightings were:

Number (754)19-754-754-7768-7768 and

[spam] Tracking ID (805)88-805-805-9238-9238

... which is possibly some auto-generated stuff from a spambot, the message was certainly easily recognised as spam by one reporter's system. Any responsible network should be able to track down any such leak in their system if they want to and this one was sent good and timely data from SC if that is part of their plan.

I used to suffer similar frustrations to yours but then my (then) employer decided to open a secure local network so we could all work from home on weekends too. Well, that's just not possible in some lines of business and anyway life's too short to "get" them all.

The key is timeliness of the reports to suit those (few) e-mail service providers who actually want to ferret out their spam sources so reporting over the weekend may be of limited use anyway (reduced staffing over weekends) and reporting after the weekend probably even less so (progressive volumes of records involved).

Sure, the SCbl should help by adding a little incentive (probably limited though, if it is confined to the weekends and the following Monday) and maybe this spammer is cunningly targeting enterprises and sending over the weekends to get around that - but really that is unlikely, unless the content (which we've not seen, as petzl points out) indicates otherwise.

All a bit inconclusive so far, AFAICT.

Link to comment
Share on other sites

  • 1 year later...

Just had several messages today that have two dates and apparently SpamCop thinks it is past the two day constraint. Here is an excerpt from the raw headers:

X-Apparently-To: <***ME***> via <***IP Address A***>; Wed, 12 Feb 2014 08:52:50 +0000

X-Apparently-To: <***ME***> via <***IP Address B***>; Mon, 10 Feb 2014 21:16:22 +0000

Today is 12 Feb 2014 but SpamCop is only acknowledging the second date stamp in which it says it is too old.

Here is another one:

X-Apparently-To: <***ME***> via <***IP Address A***>; Wed, 12 Feb 2014 11:24:42 +0000

X-Apparently-To: <***ME***> via <***IP Address B***>; Mon, 10 Feb 2014 18:45:53 +0000

Any recommendations?

Link to comment
Share on other sites

<snip>

Any recommendations?

...Oh, yes, absolutely: please provide us with a Tracking URL so we can get a better idea of what the parser did! :) <g>

...If I remember other conversations correctly, the parser ignores "X-" internet header lines. Also, if IP Address A and IP Address B are both within the same provider's server farm, the SpamCop parser would likely consider that an "internal handoff" and ignore it and therefore use only the oldest date as the date the spam arrived at that provider's "doorstep."

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...