> This is a User to User Support Forum

The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
Another try:
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.

 
> only third party reports available?
kbarlow
post Nov 3 2006, 07:10 PM
Post #1


Newbie

Group: Members
Posts: 6
Joined: 3-November 06
Member No.: 7029



Howdy deputies,

I registered with an ISP account, and put our 10 mx hosts' ip addresses in the reporting tool, but the only reports visible, and the only reports delivered, are summary reports. I can't find detailed reports that actually let me see headers of reported spam.

From everything I've read in the forum, FAQ and help pages, I have an expectation of seeing actual headers in the reports, but all I get is this:

IPADDY Nov 3 16h/0 0 1 0 0 FQDN. (with IPADDY and FQDN replaced by the host's information)

If I can see the headers, I can see who is sending the spam and take appropriate action, my hopes are dashed.

In my "request reports" section, and subsequently "show routes" section, all I see is:
[delete] IPADDY IPADDY Third party interested in daily aggregate summary reports

Can someone give me a clue? I do appreciate it.

thanks!
ken
turetzsr
post Nov 3 2006, 08:17 PM
Post #2


T-shirt wearing out

Group: Membersph
Posts: 3575
Joined: 26-January 04
From: Michigan USA
Member No.: 59



Hi, ken!
QUOTE(kbarlow @ Nov 3 2006, 07:10 PM) *
Howdy deputies,
...The SpamCop Deputies don't drop by here often. Note message at top of where you composed your post: "The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)"
QUOTE(kbarlow @ Nov 3 2006, 07:10 PM) *
I registered with an ISP account, and put our 10 mx hosts' ip addresses in the reporting tool, but the only reports visible, and the only reports delivered, are summary reports. I can't find detailed reports that actually let me see headers of reported spam.

From everything I've read in the forum, FAQ and help pages, I have an expectation of seeing actual headers in the reports, but all I get is this:
<snip>
...Does StevenUnderwood's reply in the article "Getting reports" help?
...If you'd care to post one of the IP addresses that you have reason to believe is on the SpamCop blacklist, others (paying members) here may be able to provide you with more information.


--------------------
..Regards,
...Steve T

...A Happy SpamCop.net user (not an employee)
...Please avoid replying via e-mail, as it is not secure
Farelf
post Nov 4 2006, 09:07 PM
Post #3


T-shirt wearing out

Group: Membersph
Posts: 3871
Joined: 23-February 04
From: Western Australia
Member No.: 491



Refreshing my memory concerning Steve's (turetzsr's) "Getting Reports" link above to StevenUnderwood's reply it is evident that this can certainly be a vexed matter if not addressed positively. For a completely different take on How Does A Server Admin Handle An Abuse Issue? see this link. I'm not an admin, have no idea how "good" the advice is (it is certainly detailed) but if it is any use would appreciate your (and any other admin's) comment/response.


--------------------
Plus ça change, plus c’est la même chose
Wazoo
post Nov 4 2006, 09:17 PM
Post #4


What Life?

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



QUOTE(kbarlow @ Nov 3 2006, 06:10 PM) *
I registered with an ISP account, and put our 10 mx hosts' ip addresses in the reporting tool, but the only reports visible, and the only reports delivered, are summary reports. I can't find detailed reports that actually let me see headers of reported spam.

ISP Account pages were just added to the Wiki ... in fact done up to answer the situation you find yourself in ... Other than as an 'alert' the general consensus seems to be that this is a pretty useless tool .. and Ellen just posted into the newsgroups that the 'alert' setting has a bug in it, so she's recommending selecting the hourly report instead ... I was going to add it to the Wiki pages, but ... the server decided to die ....
Miss Betsy
post Nov 4 2006, 09:23 PM
Post #5


T-shirt wearing out

Group: Membersph
Posts: 3332
Joined: 2-February 04
Member No.: 174



Someone is getting detailed reports (unless the only hits are on spam traps and you won't get anything but a subject line from the deputies). If reports are only going to spam traps then the culprits are usually not spammers, but auto responses or misdirected bounces to spam.

If you are not getting reports, perhaps your provider is getting them and you can get the reports from them. If you post an IP address, someone can tell you where the reports are going.

Miss Betsy


--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net
SpamCopAdmin
post Nov 4 2006, 09:52 PM
Post #6


Advanced Member

Group: SpamCop Staff
Posts: 695
Joined: 30-January 04
Member No.: 138



QUOTE(kbarlow @ Nov 3 2006, 06:10 PM) *

I registered with an ISP account, and put our 10 mx hosts' ip addresses in the reporting tool, but the only reports visible, and the only reports delivered, are summary reports. I can't find detailed reports that actually let me see headers of reported spam.

SpamCop uses Whois lookups and the Abuse.net database to get reporting addresses. All our reports go to the address we get from the lookup.

Only in extraordinary circumstances will we send reports to a different address.

Anybody can sign up for summary reports so that they will be notified of spam activity from their network. No details are provided by SpamCop. It's up to the system administrator to find the source of the unusual activity.

- Don D'Minion - SpamCop Admin -
kbarlow
post Nov 5 2006, 10:12 AM
Post #7


Newbie

Group: Members
Posts: 6
Joined: 3-November 06
Member No.: 7029



QUOTE(SpamCopAdmin @ Nov 4 2006, 09:52 PM) *
SpamCop uses Whois lookups and the Abuse.net database to get reporting addresses. All our reports go to the address we get from the lookup.

Only in extraordinary circumstances will we send reports to a different address.

Thanks, everyone, for the replies. I do appreciate it.

I, just now, submitted our two standard reporting addresses to abuse.net and will keep checking for real reports.

Regards,
ken
StevenUnderwood
post Nov 5 2006, 05:48 PM
Post #8


What Life?

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(kbarlow @ Nov 5 2006, 10:12 AM) *
Thanks, everyone, for the replies. I do appreciate it.

I, just now, submitted our two standard reporting addresses to abuse.net and will keep checking for real reports.

I don't see that you provided the IPs involved here or we could tell you where they are currently being reported to.


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
agsteele
post Nov 6 2006, 04:07 AM
Post #9


Been There

Group: Memberp
Posts: 1077
Joined: 31-January 04
From: Keighley UK
Member No.: 148



QUOTE(kbarlow @ Nov 5 2006, 03:12 PM) *
I, just now, submitted our two standard reporting addresses to abuse.net and will keep checking for real reports.

I have to say that I've not found having a reporting address listed in abuse.net to be universally reliable whereas being listed as contact for the specific ip address is always reliable.

You should get the contact for your IP to forward copies of any alerts/reports to you.

Andrew


--------------------
A SpamCop user - all comments I make are mine and not SpamCop's :-)

All comments in these forums are from users offering help to other users unless the user explicitly identifies themselves as SpamCop staff.

To contact SpamCop staff Email service[at]admin.spamcop.net
kbarlow
post Nov 7 2006, 03:44 PM
Post #10


Newbie

Group: Members
Posts: 6
Joined: 3-November 06
Member No.: 7029



QUOTE(StevenUnderwood @ Nov 5 2006, 05:48 PM) *
I don't see that you provided the IPs involved here or we could tell you where they are currently being reported to.

sorry:
206.65.163.7

I'm playing whack-a-spammer with 419ers since a new product launch two weeks ago, seems there's rooms full of scumbags in Nigeria and elsewhere creating multiple accounts, spamming in blocks of 10 or 100 per email message, thus evading outbound threshold alarms. Since it only takes a few hits to block an IP, we're starting to see the outbound IPs blocked.

It certainly doesn't help not getting the full reports, if we got headers the feedback loop would be tighter, and I could close the accounts within a few mail notes (he says optimistically).

I've cancelled at least 30 accounts, deleted thousands of emails waiting to be sent, and in each case, we're blocking the source IP at the firewall, but it's not enough. We've considered blocking the whole subnet as a next step.

What do other service providers do about this stuff?

How the hell do you stop a scammer who basically has all the time in the world on their hands, doesn't mind clicking, copying/pasting lists of addresses in, and sending even if the ratio of targets to emails is 1:1?

Can you really compete with their wages? Hire an intern to work for peanuts whose only job is to scan outbound logs for spam? Do we put an antispam server between our "customers" and the internet, triggering alerts for anything over a certain level? hmm, actually, that's not a bad idea.
Telarin
post Nov 7 2006, 04:28 PM
Post #11


Advanced Member

Group: Memberp
Posts: 803
Joined: 30-November 05
Member No.: 4882



What kind of "product" are you talking about? Is this like a free webmail service? If so, I can think of a few things you could possibly do offhand. How feasible any of these are I don't know, since I've not seen your software, but here are just a few possibilities.

Use a different IP for sending mail from newly created accounts, that way they don't end up poisoning your existing customers.

Check the signup IP address against various BLs (SCBL, Spamhaus, SPEWS, etc) and if they are listed, require that you manually activate the account before they can send mail.

Check outbound mail using a keyword filter on things like "Trunk Box" and other scammer favorites. Anything that matches should raise a flag on the account for review.

Make sure you are stamping a "Received From" line on the email for the originating IP address. That allows spamcop to track back further than your mailserver, so it can list the actual source instead. If you do this, you will probably need to contact the deputies so that they can note that your servers are trusted.

Make sure your abuse contact information for your IP block in the WHOIS data is correct, current and working.

If you can prove to the deputies that you control that block of IP addresses (not sure how to go about doing that but using one of the WHOIS listed email addresses couldn't hurt) you may be able to get them to manually change the routing on those reports to a dedicated address. I've heard of some ISPs that never even look at spamcop reports, they are routed to a separate address where they are automatically parsed and processed and accounts are temporarily blocked and flagged until an admin has time to review them.

Once you get a reputation with the scammers for shutting down accounts, they will mostly go away.

Remember, if you shut down one of their accounts mid-scam, they have basically lost the victim and any time they have spent working on them since they seldom keep any written records.

This post has been edited by Telarin: Nov 7 2006, 04:33 PM


--------------------
Will Russell, MCP
IT Specialist
Galveston Insurance Associates
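
Telarin's suggestion to check the signup IP address against blocklists before letting a new account send mail can be sketched as follows. This is an added example, not part of the original post or any SpamCop code: the function names, the `dnsbl.example.org` placeholder zone and the review policy are assumptions, while `bl.spamcop.net` and the `127.0.0.2` answer are the ones quoted in this thread.

```python
import ipaddress
import socket

# bl.spamcop.net is the zone queried in this thread; the second zone is a
# placeholder standing in for whichever other lists an operator trusts.
DNSBL_ZONES = ("bl.spamcop.net", "dnsbl.example.org")


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example only handles IPv4 signup addresses")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name):
    """Return the A records for name; a failed lookup is treated as not listed."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def check_signup_ip(ip, zones=DNSBL_ZONES, resolver=system_resolver):
    """Return {zone: [answers]} for each zone that lists the address."""
    hits = {}
    for zone in zones:
        answers = resolver(dnsbl_query_name(ip, zone))
        # Only 127.0.0.0/8 answers mean "listed"; anything else (for example
        # a wildcard or captive-portal address) is ignored.
        listed = [a for a in answers if a.startswith("127.")]
        if listed:
            hits[zone] = listed
    return hits


def signup_decision(ip, zones=DNSBL_ZONES, resolver=system_resolver):
    """Hold new accounts from listed addresses for manual activation."""
    hits = check_signup_ip(ip, zones, resolver)
    return ("manual_review" if hits else "auto_activate", hits)


def fake_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    table = {"7.163.65.206.bl.spamcop.net": ["127.0.0.2"]}
    return table.get(name, [])


if __name__ == "__main__":
    print(signup_decision("206.65.163.7", resolver=fake_resolver))
    print(signup_decision("192.0.2.10", resolver=fake_resolver))
```
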
Wazoo
post Nov 7 2006, 06:52 PM
Post #12


What Life?

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



Data point 1743 GMT -6
http://spamcop.net/w3m?action=checkblock&ip=206.65.163.7
206.65.163.7 listed in bl.spamcop.net (127.0.0.2)

If there are no reports of ongoing objectionable email from this system it will be delisted automatically in approximately 10 hours.

Causes of listing
System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)
SpamCop users have reported system as a source of spam less than 10 times in the past week

Listing History
In the past 2.8 days, it has been listed 3 times for a total of 36 hours
Other hosts in this "neighborhood" with spam reports
206.65.163.5

http://www.senderbase.com/?searchBy=ipaddr...ng=206.65.163.7
Report on IP address: 206.65.163.7

Volume Statistics for this IP
Magnitude Vol Change vs. Average
Last day ......... 4.2 .. 2979%
Last 30 days ... 3.3 ... 277%
Average ......... 2.7

Parsing input: 206.65.163.7
host 206.65.163.7 = outbound3.bluetie.com (cached)
host 206.65.163.7 = outbound3.bluetie.com (cached)
Report routing for 206.65.163.7: abuse[at]mci.com, abuse[at]uu.net
abuse[at]mci.com redirects to abuse[at]uu.net

Report History:
------------------------------------------
Submitted: Tuesday, November 07, 2006 11:35:07 AM -0600:

2006295961 ( 206.65.163.7 ) To: abuse[at]uu.net
----------------------------------------------
Submitted: Tuesday, November 07, 2006 1:29:32 AM -0600:
The will
2005393015 ( 206.65.163.7 ) To: mole[at]devnull.spamcop.net
----------------------------------------------
Submitted: Saturday, November 04, 2006 5:43:46 PM -0600:
FROM THE DESK OF PROFESSOR.CHARLES.C.SOLUDO
2001505186 ( 206.65.163.7 ) To: abuse[at]uu.net
--------------------------------------------
Submitted: Friday, November 03, 2006 10:02:55 AM -0600:
[SPAM] From The Desk of: Professor Charles Soludo.
1999901517 ( 206.65.163.7 ) To: spamcop[at]imaphost.com
1999901508 ( 206.65.163.7 ) To: abuse[at]uu.net

You want headers? A ton-load available at another BL .... http://psbl.surriel.com/listing?ip=206.65....PSBL+list+query offers a list (note, this is all after their re-start November 1)

Insert the IP address into the lower box and click to "see the evidence" .....
kbarlow
post Nov 8 2006, 08:49 AM
Post #13


Newbie
*

Group: Members
Posts: 6
Joined: 3-November 06
Member No.: 7029



QUOTE(Wazoo @ Nov 7 2006, 06:52 PM) *
http://spamcop.net/w3m?action=checkblock&ip=206.65.163.7
206.65.163.7 listed in bl.spamcop.net (127.0.0.2)

Submitted: Saturday, November 04, 2006 5:43:46 PM -0600:
FROM THE DESK OF PROFESSOR.CHARLES.C.SOLUDO
2001505186 ( 206.65.163.7 ) To: abuse[at]uu.net

You want headers? A ton-load available at another BL .... http://psbl.surriel.com/listing?ip=206.65....PSBL+list+query offers a list (note, this is all after their re-start November 1)

Insert the IP address into the lower box and click to "see the evidence" .....

snipped a lot of that reply:

That's exactly what I'm interested in seeing, and in that report's case, we closed the account, and blocked the IP from which the spammer was signing up a few days ago. We also checked any other accounts signed up under that IP (many of which were unused) and closed them. Obviously this process has to be rinsed/repeated on a regular basis.

Telarin: To answer, yes, it's a hosted email product.

I'll be creating bookmarks for all our outbound servers for those reports, and perhaps an automatic pull, and figure out a way to integrate our outbound sending with spamtrap addresses, i.e. you send to a spamtrap address, you lose your account.

More readily though, we'll try putting spamassassin on one of the outbound machines and somehow rigging it to report-only mode or something like that, that is, every email passing through the host on its way out of our environment would be scanned, and anything failing certain rules would generate a report to us. I think there are more rules we're interested in than others, like ADVANCE_FEE, since those are the ones getting through.

Thanks again, I do appreciate it.
Miss Betsy
post Nov 8 2006, 09:02 AM
Post #14


T-shirt wearing out

Group: Membersph
Posts: 3332
Joined: 2-February 04
Member No.: 174



QUOTE(kbarlow @ Nov 8 2006, 08:49 AM) *
I'll be creating bookmarks for all our outbound servers for those reports, and perhaps an automatic pull, and figure out a way to integrate our outbound sending with spamtrap addresses, i.e. you send to a spamtrap address, you lose your account.

It should be very difficult to know what a spamtrap address is - that's why they are spamtraps. I think you will have to devise some other method to accomplish what you want to do.

Miss Betsy


--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net
dbiel
post Nov 8 2006, 09:20 AM
Post #15


Been There

Group: Membersph
Posts: 2453
Joined: 20-February 04
From: San Gabriel Valley CA USA (Los Angeles)
Member No.: 447



Just so there is no confusion or misconceptions; there is no relationship between the Passive Spam Block List as seen at psbl.surriel.com and SpamCop. An IP address may appear on the SpamCop list or the PSBL or both. The commonality between the two is that they both address the problem of spam that is caught by independent and unrelated sets of spamtraps. Surriel.com still makes available the complete headers and email content with only the spamtrap address being munged where SpamCop has found it necessary to stop providing that information.


--------------------
This forum is a user support forum. The Moderators and Forum Admin are volunteers (not paid) and have no special direct relationship with SpamCop.net.
If you have been unable to receive the assistance you need here please see How To Contact SpamCop Staff
Thank you for your participation in our peer to peer, user based forums.
kbarlow
post Nov 8 2006, 09:45 AM
Post #16


Newbie
*

Group: Members
Posts: 6
Joined: 3-November 06
Member No.: 7029



QUOTE(Miss Betsy @ Nov 8 2006, 09:02 AM) *
It should be very difficult to know what a spamtrap address is - that's why they are spamtraps. I think you will have to devise some other method to accomplish what you want to do.

Yup, the intention was for me to create my own spamtraps or use "dead" addresses as such. Obviously this is a longer term goal. The other goals are shorter term, like this week. (spamassassin, plumbing the various RBLs for evidence and reporting against it etc)

thanks
ken
kbarlow
post Nov 11 2006, 01:56 PM
Post #17


Newbie
*

Group: Members
Posts: 6
Joined: 3-November 06
Member No.: 7029



to post a resolution to the issue:

I contacted Spamcop directly via the form, and requested reports for our outbound hosts, and now receive them directly. The inclusion of the abuse addresses in abuse.net's database has also generated needed complaints. On top of that, we're also getting the reports from our IP provider giving us three different reporting mechanisms. Sometimes these generate redundant reports, sometimes not, but I would rather have some redundancy than miss reports.

We added functionality for us unix admins that customer service would normally do, that is, the ability to quickly and efficiently delete a user account without having to supply a reason. i.e. killspammer.pl username, where the script reports the user to customer service, deletes the account, wipes out any held mail and logs the IP address of the offending user.

Outbound filtering, for now, is being implemented on the postfix body_checks side of things, holding messages that fail the regexps in the queue for examination by admins later. Since the 419ers are sending thousands at a time, several hundred per email note, they stand out quite clearly in the queue, and I'll start to take action to automatically delete them using the above mentioned script as soon as I can reliably implement it.

Of course, the only thing this can't resolve are complaints generated by people who can't see through forged headers, no idea how to address those issues other than to reply as appropriate to the reporter and claim innocent bystander status.

Thanks again for all your help, and I hope to be able to return the assistance to the spam fighting community in the near future.

ken
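
kbarlow's posts describe senders who batch 10 to several hundred recipients into each message, which slips under alarms that count messages. The added example below (not kbarlow's tooling, and not part of the thread) sums recipients per envelope sender over a sliding window from Postfix `qmgr` log lines; the sample lines, the thresholds and the assumption that the envelope sender identifies the account are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix qmgr "queue active" lines carry the envelope sender and recipient count.
QMGR = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: "
    r"[0-9A-F]+: from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)

# Constructed sample log: hostnames, queue IDs and accounts are made up.
SAMPLE_LOG = """\
Nov  7 10:00:01 out1 postfix/qmgr[812]: 3A1F0C01: from=<alice@hosted.example>, size=2210, nrcpt=1 (queue active)
Nov  7 10:00:02 out1 postfix/smtp[901]: 3A1F0C01: to=<bob@example.net>, relay=mx.example.net[192.0.2.25]:25, status=sent (250 ok)
Nov  7 10:00:02 out1 postfix/qmgr[812]: 3A1F0C01: removed
Nov  7 10:01:10 out1 postfix/qmgr[812]: 3A1F0C02: from=<newacct17@hosted.example>, size=4100, nrcpt=100 (queue active)
Nov  7 10:02:40 out1 postfix/qmgr[812]: 3A1F0C03: from=<newacct17@hosted.example>, size=4100, nrcpt=100 (queue active)
Nov  7 10:03:05 out1 postfix/qmgr[812]: 3A1F0C04: from=<alice@hosted.example>, size=1870, nrcpt=2 (queue active)
Nov  7 10:04:55 out1 postfix/qmgr[812]: 3A1F0C05: from=<newacct17@hosted.example>, size=4100, nrcpt=100 (queue active)
""".splitlines()


def parse(lines, year=2006):
    """Yield (timestamp, sender, nrcpt); syslog omits the year, so one is assumed."""
    for line in lines:
        m = QMGR.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["sender"], int(m["nrcpt"])


def messages_per_sender(lines):
    """What a per-message alarm sees: the number of messages per sender."""
    counts = defaultdict(int)
    for _, sender, _ in parse(lines):
        counts[sender] += 1
    return dict(counts)


def flag_by_recipients(lines, max_rcpts=200, window_minutes=10):
    """Return {sender: peak recipients in any window} for senders above max_rcpts."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # sender -> (timestamp, nrcpt) entries in the window
    totals = defaultdict(int)    # sender -> recipients currently inside the window
    flagged = {}
    for ts, sender, nrcpt in parse(lines):
        recent[sender].append((ts, nrcpt))
        totals[sender] += nrcpt
        # Drop entries that have aged out of the window.
        while ts - recent[sender][0][0] > window:
            totals[sender] -= recent[sender].popleft()[1]
        if totals[sender] > max_rcpts:
            flagged[sender] = max(flagged.get(sender, 0), totals[sender])
    return flagged


if __name__ == "__main__":
    print("messages:", messages_per_sender(SAMPLE_LOG))
    print("flagged:", flag_by_recipients(SAMPLE_LOG))
```
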
dbiel
post Nov 11 2006, 02:21 PM
Post #18


Been There

Group: Membersph
Posts: 2453
Joined: 20-February 04
From: San Gabriel Valley CA USA (Los Angeles)
Member No.: 447



Thanks for posting your resolution. I am not going to change this topic to resolved at this time due to some of your comments near the end of your post indicating that some additional dialog might still be in order.
Not quite sure what you are referring to with
QUOTE
can't resolve are complaints generated by people who can't see through forged headers
Are you talking about forged from / reply to addresses? in which case it would not be an issue with SpamCop as these are simply ignored and never used. Yet such forged addresses can and do cause problems for the owner of the address. Or are you talking about other types of forged headers that might be an issue with SpamCop and its reporters?
Glad to hear that you are finally getting the reports you need to help deal with abuses of your email system indicating that you are definitely trying to do what you can to help manage the ever growing problem of spam. Thank you.


--------------------
This forum is a user support forum. The Moderators and Forum Admin are volunteers (not paid) and have no special direct relationship with SpamCop.net.
If you have been unable to receive the assistance you need here please see How To Contact SpamCop Staff
Thank you for your participation in our peer to peer, user based forums.