
For the First Time: Nearly 48 Hours Not 1 spam.


Lodewijk


Hi!

About 7 weeks ago I suddenly began to get some 50 spam a day, nearly all with malware attachments. After a few days the number had increased to over 100.

Through a tip someone gave me on the Wilders Security forum I found out about SpamCop, and started to post here.

With the friendly help I got here, and a tip to utilize MailWasher, I was able to set up reporting to SP and Knujon-Coldrain. (Even though I was told that the latter only uses links in spam that lead to spamvertized sites, and most of the spam I got did not have those links. But some did.)

Since then I have been reporting all spam, usually 3 or 4 times a day, each time reporting a batch of about 20-30, taking me some 10 minutes or less each time.

A few weeks ago it happened one day that I did not get any spam (or only 1 or 2) in 24 hours. After that it began again, but a bit less intensely than before.

But now it has been nearly 48 hours of 0 spam!

To check, I sent myself an email, and I got it right away. So this is for real.

I almost miss my spam... but note that I say "almost." ;) (The reporting was fun.)

This is great! B)

(In case it would start again, so will I with reporting.)


...We may be experiencing a general respite from spam -- my spam flow has trickled from one to two dozen per day to a handful in the past two to three days and I have taken no special actions. My guess is, though, that this happy condition is temporary and we'll be seeing more normal levels really soon.


...We may be experiencing a general respite from spam -- my spam flow has trickled from one to two dozen per day to a handful in the past two to three days and I have taken no special actions. My guess is, though, that this happy condition is temporary and we'll be seeing more normal levels really soon.

There is no doubt attacking spammers does work to a high degree

(better still if you also report their websites to the registrar).

It is also a fact that once your email address is in the hands of spammers it will be handed/sold to more (different spammers).


I got 5 since I posted here some 20 hours ago.

Me not getting all that spam I like to think has to do with doggedly having reported every single one over the last nearly 2 months. (9.5M bytes total.) And thanks to the efforts of others as well of course.

PS: If I were a spammer, and would find out the address of who was reporting my spam, I would delete him from my addressees list. But I guess it doesn't work that way.


<snip>

PS: If I were a spammer, and would find out the address of who was reporting my spam, I would delete him from my addressees list. But I guess it doesn't work that way.

...It probably does (this is called "listwashing," btw)! But SpamCop takes some care to avoid notifying the spammers and I expect other reporting services, such as Knujon, to do the same. Ditto the admins to whom abuse reports were sent.

Sorry for using up so much space,
...Yeow! So, why did you? :) In the SpamCop Forums, you are welcome (encouraged!) to not post spam headers or content!
but where can I have MW cut off this one

<snip>

...That question is probably best asked in an MW forum rather than a SpamCop Forum (although it is possible that someone here has enough experience with MW to be able to help you). Good luck!

OK. What I meant is until what line is the data useful to SP, so that I can set MW to cut off the rest below it.

<snip>

...Oh, sorry, I see. In that case, I would refer you to SpamCop Wiki article "Material changes to spam." As a fairly non-technical person with respect to e-mail, I would personally interpret that article to mean for me that I must make *no* changes to the spam headers other than removing information I am certain identifies me and "cc" addresses; if that means the parser will not accept the spam for reporting, I would just delete that spam, perhaps report it manually, and go on to the next spam to be reported.

See the foregoing, addressing your question ... but then, going back to the point (quotes deleted text)

Sorry for using up so much space,
I didn't see the post before deletion but for reference, the way to discuss spam samples is to post a Tracking URL then discuss the data within it. Note, these URLs can be obtained even for spam that refuses to parse - in such cases it is not recorded in your "Past Reports" and must be copied from the initial parse page. The spam can be re-submitted and a new Tracking URL obtained if you missed the URL the first time around - usually one would then need to cancel the reports for multiple submissions but not, of course, with those that don't offer to report in the first place.

Tracking URLs "expire" after 90 days. If there is a need to preserve the data longer than that (which would be very rare), there may be a case to post the spam in the forum. In that case, putting it in a [ codebox ] (without leading & trailing spaces) is a way to minimise vertical space. [ codebox ] is like [ code ] but scrollable within the box. Posted spam in these pages will lose some of the original formatting and may compromise some aspects of your security unless you are very careful to munge all personal detail.


It looks like in my case reporting the first 37 lines is enough. I had MW report the first 100 until now. No wonder I spent nearly 2/3 of my 'fuel' in 7 weeks... :o

I emailed the 2 header + body examples I had posted above (and deleted) to our Admin, and at my request he was so kind as to return them to me with all the unnecessary data trimmed off. I had not known where the headers ended, and the bodies began. But now I do.

Both were different kinds of spam -of the sort I usually got- one header ending line 30 with (quotation marks added):

"FILETIME=[D6E732E0:01CC60CD]"

the other ending line 30 with:

"FILETIME=[11EADBB0:01CC607B]"

In both the body after a blank line began with (again, " " added):

"This is a multi-part message in MIME format."

To make sure I asked if that would do as the required minimum first body line, and Don D'Minion answered "Yes."

And also:

"Keep in mind that not all headers contain the same number of lines, but they do generally follow the same format and sequence of header lines.

Any single line of text after the blank line will suffice as "body text."

So now I want to experiment a bit with MW's throttle. I have it set to "Download first 37 lines." But even 33 might be enough.

Problem is, I've been waiting all day to try it out, but no spam... :D


It looks like in my case reporting the first 37 lines is enough. I had MW report the first 100 until now. No wonder I spend nearly 2/3 of my 'fuel' in 7 weeks... :o ...

The big picture is that there is no "my case", in the fullness of time you will receive many different "kinds" of spam (well, hopefully not but on past experience ...) - admittedly much of it with a very short header count when sent by basic spambots but some not so short. Also it depends whether or not MW counts "lines" the standard way, which is to say things like an extensive list of comma-separated and indented "To:" and "CC:" lines are actually just one line (each) although physically there may be many - I suppose it does, but don't know. Anyway, it suits your current purpose but may not always do so.
...

Both were different kinds of spam -of the sort I usually got- one header ending line 30 with (quotation marks added):

"FILETIME=[D6E732E0:01CC60CD]"

the other ending line 30 with:

"FILETIME=[11EADBB0:01CC607B]" ...

If inserted by your provider's server as the last line of received and processed headers that is useful - but any part of the headers can be forged. Again, it suits your current purpose but may not always do so. When you read "Rule No. 1 - spammers lie," that really is a comprehensive statement, they lie about everything.
...In both the body after a blank line began with (again, " " added):

"This is a multi-part message in MIME format."...

Yes, that is "always" part of a multi-part message (for instance, text and HTML, which is very common, or text, HTML and Base64-encoded attachments, with which it seems you were being bombarded). But some are not multi-part ("it suits your current purpose ...").

...To make sure I asked if that would do as the required minimum first body line, and Don D'Minion answered "Yes."

And also:

"Keep in mind that not all headers contain the same number of lines, but they do generally follow the same format and sequence of header lines.

Any single line of text after the blank line will suffice as "body text." ...

I'm not sure that constitutes a licence to truncate submitted spam - to the contrary, the directions on no "Material changes" to spam have been indicated to you several times now I think and indicate otherwise, quite clearly I would have thought: - http://www.spamcop.net/fom-serve/cache/283.html.

But then I'm not using "fuel" (I use a free reporting account) and have no idea off-hand of the exact mechanics of fuel consumption and "Quick reporting" already skips parsing the bodies - not sure it omits them from reports to spam sources though (I thought otherwise, but not being a spam host ...).

In any event I think we must ask Don to advise hereby if your interpretation is exactly what he meant in his advice to you. If it is so, at the very least

  • those authorities that require "unmunged" reports are going to refuse any such
  • the 2-part outlook/eudora workaround form which says "Paste decoded email body in second box:" should be amended to indicate that step is optional
  • the "Material changes" FAQ needs revision

Not wanting in any way to second-guess Don but there is considerable potential for confusion (maybe just me? - all sorts of doubts) if your interpretation/contention goes unchallenged.

...So now I want to experiment a bit with MW's throttle. I have it set to "Download first 37 lines." But even 33 might be enough.

Problem is, I've been waiting all day to try it out, but no spam... :D

Then you probably don't need to experiment until Don has clarified.


Thank you for explaining.

Just before going to bed last night I got 1 spam. It turned out way too long still, with even part of the malware code from the attachment visible. So I set MW's throttle to 20, the minimum option.

I just received 2 spam for breakfast. The 20 lines setting in MW is perfect for these 2: the last lines in both are the links -the addresses- to the respective spamvertized websites. Useful to knujon.

In the emails it looks like there are more than 20 lines, but at least for these 2 'viagra' type spam -again- the throttle setting is perfect.

I'll keep an eye on this to see if with the other kinds of spam -the ones with malware attachments- the first line -or a few more- of the body also appears.

This is what our Admin. had also mailed me:

"The larger the spams are, the more fuel is used up.

You can cut the spam anywhere you want as long as the full headers and at least one line of text are retained."

Anyway, at this rate of receiving such few spam now, and especially with the new MW throttle setting, my fuel reserve might last me years... and even if the spam tsunami would start again for me, my reserve will last me much longer than with the previous setting.


Just now I received one more spam -a 'UPS' one I used to get tons of. These come without a link to a spamvertized site, but with an attachment. With the 20 lines setting it showed the header, the body, and even the first few lines of the malware code from the attachment. Complete enough. B)


Argh! Semantics.

You are welcome to truncate the body text as severely as you want as long as at least some little part is left.

SpamCop won't process spam that has no body text.

When I speak of "alter" or "change," I'm talking about modifying the text so that it says something different from what it said when it arrived.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.
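As an added example (not code from SpamCop, MailWasher, or any poster in this thread), the following Python script illustrates the two technical points raised above: a "download first N lines" throttle counts physical lines, so a long folded "To:" field can push the blank header/body separator past the cut-off and leave the headers incomplete, whereas a body-side trim keeps every header line plus at least one non-blank body line, which is the rule Don states. Every message, address and id in it is constructed for the demonstration.

```python
"""Header-preserving truncation of a raw e-mail before reporting it.

Added example, not SpamCop's or MailWasher's own code. It demonstrates that
a throttle keeping the "first N physical lines" can cut into the headers
when a message carries long folded header fields (one logical "To:" field
spread over many physical lines), and that a safe trim keeps every header
line plus at least one non-blank body line. All sample messages below are
constructed; addresses use reserved example/.invalid names, ids are made up.
"""
from typing import List, Tuple

# Constructed sample 1: short headers, multipart body.
SHORT_SPAM = (
    "Received: from mail.example.invalid (unknown [192.0.2.10])\r\n"
    "\tby mx.example.net with ESMTP id ABC123; Sat, 01 Jan 2011 00:00:00 +0000\r\n"
    "From: \"Shipping\" <noreply@example.invalid>\r\n"
    "To: victim@example.net\r\n"
    "Subject: Your parcel\r\n"
    "Content-Type: multipart/mixed; boundary=\"b1\"\r\n"
    "\r\n"
    "This is a multi-part message in MIME format.\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Your parcel could not be delivered.\r\n"
    "--b1--\r\n"
)

# Constructed sample 2: one folded "To:" field spanning 25 physical lines,
# so the blank header/body separator sits beyond physical line 20.
_FOLDED_TO = (
    "To: a0@example.net,\r\n"
    + "".join(f"\ta{i}@example.net,\r\n" for i in range(1, 24))
    + "\ta24@example.net\r\n"
)
LONG_HEADER_SPAM = (
    "Received: from mail.example.invalid (unknown [192.0.2.10])\r\n"
    "\tby mx.example.net with ESMTP id DEF456; Sat, 01 Jan 2011 00:00:00 +0000\r\n"
    + _FOLDED_TO
    + "From: \"Pharmacy\" <sales@example.invalid>\r\n"
    "Subject: Special offer\r\n"
    "\r\n"
    "This is a multi-part message in MIME format.\r\n"
    "--b2\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<a href=\"http://spamvertized.example.invalid/\">click</a>\r\n"
    "--b2--\r\n"
)


def split_message(raw: str) -> Tuple[List[str], List[str]]:
    """Split a raw RFC 5322 message into physical header lines and body lines.

    The header/body boundary is the first empty line. CRLF and bare LF are
    both accepted. A message with no empty line has headers only.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    for i, line in enumerate(lines):
        if line == "":
            return lines[:i], lines[i + 1:]
    return lines, []


def logical_header_count(header_lines: List[str]) -> int:
    """Count header fields; continuation lines (leading SP/HTAB) belong to
    the preceding field, so a long folded "To:" counts as one field."""
    return sum(1 for line in header_lines if line and line[0] not in " \t")


def physical_truncate(raw: str, n: int) -> str:
    """Keep the first n physical lines, the way a line-count throttle does."""
    return "\r\n".join(raw.replace("\r\n", "\n").split("\n")[:n])


def headers_intact(raw: str) -> bool:
    """True if the text still has the blank separator and at least one
    non-blank body line, i.e. the headers were not cut short."""
    _, body = split_message(raw)
    return any(line.strip() for line in body)


def trim_body(raw: str, keep_body_lines: int = 1) -> str:
    """Trim the body to keep_body_lines while always keeping the complete
    headers and at least one non-blank body line."""
    header, body = split_message(raw)
    if not any(line.strip() for line in body):
        raise ValueError("no body text: nothing to keep below the headers")
    kept: List[str] = []
    for line in body:
        kept.append(line)
        if len(kept) >= keep_body_lines and any(l.strip() for l in kept):
            break
    return "\r\n".join(header + [""] + kept) + "\r\n"


if __name__ == "__main__":
    for name, msg in (("short", SHORT_SPAM), ("folded", LONG_HEADER_SPAM)):
        hdr, _ = split_message(msg)
        print(name, "physical header lines:", len(hdr),
              "logical fields:", logical_header_count(hdr),
              "20-line throttle keeps headers intact:",
              headers_intact(physical_truncate(msg, 20)))
```

Run as a script, it reports that the short sample survives a 20-line throttle while the folded sample does not (its 29 physical header lines are only 4 logical fields), and `trim_body` produces a report-sized copy of either message without touching a single header line.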


Until a few moments ago I was not sure whether Knujon wants only spam with links in the bodies to spamvertized websites, or also spam without those links. So I had asked them about it:

------------------------------------------------------------------------------------------------------------------------------------------

"On my SP reporting page it has the following option to forward the spam to Knujon (unless coldrain.net would not be Knujon):

Re: Forwarded spam (User defined recipient)

[ ] To: nonregistered(at)coldrain.net (Notes)

This I have to check every time I want spam to be forwarded to Knujon. I now understand that I could simply not check the ones I know have no link to spamvertized websites, only checking the ones that do, which are the minority.

Unless Knujon wants all spam. So far I have forwarded all spam to Knujon."

-------------------------------------------------------------------------------------------------------------------------------------------

This was Knujon's response:

--------------------------------------------------------------------

"We want everything! Thanks."

--------------------------------------------------------------------

No shadow of doubt there anymore either... :D
