> This is a User to User Support Forum

The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)
Another try:
This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.

> More phishing scams since I started reporting
Farelf
post Jun 26 2008, 10:18 PM
Post #61


T-shirt wearing out

Group: Membersph
Posts: 3870
Joined: 23-February 04
From: Western Australia
Member No.: 491



Good for you Rapakiwi, just keep an open mind. Many people get fascinated by "the mind of the spammer", but few are the resulting insights and fewer yet are any accruing benefits AFAICT. Rule #1 ("Spammers lie") may be more rigorously applicable than most of us can understand. And spammers act "stupidly". Evidently the unit cost of most of the junk is so low that no "business plan" as such (or any sort of attention to detail) is necessary, maybe it is actually counter-productive in the mainstream botnetted environment. Which is fortunate for them (not being the sharpest tools in the shed) though very few of them seem to make even the undemanding grade for this "trade". Unfortunately for us there are more than enough replacements coming on stream to replenish these "lusers".

But yes, there is some evidence of exceptions, the "targeted spam" operators and some few of the phishers/other phishers, etc.


--------------------
Plus ça change, plus c’est la même chose
Rapakiwi
post Jun 27 2008, 12:20 AM
Post #62


Member

Group: Members
Posts: 65
Joined: 14-May 08
Member No.: 8734



QUOTE(Farelf @ Jun 26 2008, 10:18 PM) *
But yes, there is some evidence of exceptions, the "targeted spam" operators and some few of the phishers/other phishers, etc.

Perhaps, but when dealing with confidence artists, my interest is more in the purposes of each act rather than in the mind of a sociopath. For example, I assume having to replace [DOT] with a period is to hide the web site from, say, SpamCop, rather than worry about a transient web site being hacked. Consequently, I do insert a period before having it processed.

Examining this month's spam is an experiment that might help resolve the effect of a spammer's knowing the name and email of someone reporting everything to SpamCop. The month isn't over yet. However, the conclusions may be of little benefit if only two or three organized groups are targeting Dartmouth alumni; and the statistics do suggest that.

Assuming this, I have to answer the question of why a very organized group (and when I see that a spamming corporation owns 100 websites under that name alone, I think organized) would send very professional spoofs for bank account information, home-written looking ads for 'prescription drugs' in exchange for a credit card, and illiterate ads for university diplomas in exchange for one's name, address, & phone number?

Is this stupidity or is it specific marketing to those with bank accounts, those with access to credit cards, and those who skipped four years of school looking for a peer who is selling diplomas? Could the same people, for example, have written all the (few) original letters I see? If stupidity, no; if cleverness, yes.

It's true I tend to see obscure relations among things, but that was my job. The only way I know of to conclude whether this is cleverness or stupidity is to know how successful it is. That I do not know. I do read, however, that identity theft is very profitable.

When a spammer has a server in Puerto Rico, connected to an ISP in China, and SpamCop complains to Russia, I can't really think 'stupid'. I do think 'rich'.


Rapakiwi

Your Rule #1 did catch me off guard: every single unsolicited advertisement was spam with undoubted criminal intent. Wow!
Wazoo
post Jun 27 2008, 02:09 AM
Post #63


What Life?

Group: Forum Admin
Posts: 12536
Joined: 22-January 04
From: Iowa
Member No.: 18



QUOTE(Rapakiwi @ Jun 27 2008, 12:20 AM) *
For example, I assume having to replace [DOT] with a period is to hide the web site from, say, SpamCop, rather than worry about a transient web site being hacked. Consequently, I do insert a period before having it processed.

Can't let that one go by without comment. Even with the expanded data inserted into the Wiki version of the SpamCop FAQ entry Material changes to spam, this action can result in damage to your Reporting Account.
Rapakiwi
post Jun 27 2008, 03:38 AM
Post #64


Member

Group: Members
Posts: 65
Joined: 14-May 08
Member No.: 8734



QUOTE(Wazoo @ Jun 27 2008, 02:09 AM) *
Can't let that one go by without comment. Even with the expanded data inserted into the Wiki version of the SpamCop FAQ entry Material changes to spam, this action can result in damage to your Reporting Account.

AH ... good trick on their part. I read carefully the page you reference, but the few bad examples did materially change the content of the letter. If someone can manually interpret JavaScript, it wasn't clear to me then that I couldn't manually interpret the parsing rule 'replace [DOT] in the following web site address with a period' from SpamScript, and the site 'www.scam[DOT]com' was manually interpreted by me as 'www.scam.com'. While it's true this is not JavaScript, I'm not sure my interpretation is any less accurate.

Can you promise it will cause damage to my Reporting Account? I've not had success in forwarding spam, so I've copied & pasted each from source. This month has been a lot of work, I could use a forced vacation. :-)

What is the appropriate procedure for handling [DOT], for example? SpamCop didn't recognize these as web sites; and I've considered the web sites much more important to close than mailing addresses. (My interest is not so much in eliminating spam from my box as in doing my bit to reduce identity theft.)

Thanks very much!


Rapakiwi
SpamCopAdmin
post Jun 27 2008, 05:01 AM
Post #65


Advanced Member

Group: SpamCop Staff
Posts: 695
Joined: 30-January 04
Member No.: 138



QUOTE(Rapakiwi @ Jun 27 2008, 02:38 AM) *
Can you promise it will cause damage to my Reporting Account?

Yep, I can promise that. :-)

When I catch people altering spam to make SpamCop "find" something it ordinarily couldn't, I routinely suspend their reporting privileges.

The way to handle the "DOT" problem is to convert the URL to the proper syntax, and then open another window to SpamCop and enter the URL in our web form. When you hit the "Process" button, SpamCop will find a reporting address that you can use to send a personal report, or if you have a Paid Subscription, you can go back to the window where you're processing the spam, and use the address to have SpamCop send a "User Notify" report to it.

- Don D'Minion - SpamCop Admin -
Miss Betsy
post Jun 27 2008, 05:34 AM
Post #66


T-shirt wearing out

Group: Membersph
Posts: 3332
Joined: 2-February 04
Member No.: 174



QUOTE
....I've considered the web sites much more important to close than mailing addresses. (My interest is not so much in eliminating spam from my box as in doing my bit to reduce identity theft.)

Closing the source address or alerting other server admins to a source to block is effective in reducing identity theft because end users don't see the spam and so can't get sucked in.

However, if you are interested in closing spamvertized websites, it is much more effective, IMHO, to use Complainerator (found in the software form here) though some people swear by Knujon. I have my doubts about the latter. Another way to help the gullible is to look for email addresses in 419 spam and do manual reports to shut them down.

IMHO, however, it will be impossible to eliminate the criminals. It is a very lucrative business. Therefore, the best defense is to stop them from reaching their target which is to block them at the server level.

Miss Betsy


--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net
Rapakiwi
post Jun 27 2008, 01:32 PM
Post #67


Member

Group: Members
Posts: 65
Joined: 14-May 08
Member No.: 8734



QUOTE(Miss Betsy @ Jun 27 2008, 05:34 AM) *
Closing the source address or alerting other server admins to a source to block is effective in reducing identity theft because end users don't see the spam and so can't get sucked in.

However, if you are interested in closing spamvertized websites, it is much more effective, IMHO, to use Complainerator (found in the software form here) though some people swear by Knujon. I have my doubts about the latter. Another way to help the gullible is to look for email addresses in 419 spam and do manual reports to shut them down.

IMHO, however, it will be impossible to eliminate the criminals. It is a very lucrative business. Therefore, the best defense is to stop them from reaching their target which is to block them at the server level.

Perhaps. If possible, it would solve your problem: an overabundance of spam.

My Mac's several mail accounts all use different spam blocking procedures, courtesy of the ISPs. One I ask to be sent through to me, though marked. This is the account I use to collect spam for SpamCop.

Still, when I receive mail from someone I haven't written, it goes into one of two folders: unsolicited mail marked clean (likely from old colleagues - for I never had friends) or mail marked spam in another folder. My Mac lets me browse these without graphics being shown, automatic downloads being activated, or other code being executed. The few that I want, I can just click 'not spam', and they will be added to my 'safe' list of senders.

Still, an overabundance of spam takes from all our pockets, because the cost of sending an individual letter isn't paid for by the spammer (as paper junk mail is): it's paid for by everyone. This is a good reason to eliminate spam: its nuisance properties and mailing costs. I shall check out the software you mention first, thank you!

However:- :-)

1. Previous to this month's test, I had reported only phish, malicious spam. I did this for years by myself, before I discovered SpamCop. However, every innocuous looking spam letter I examined this month has been malicious. Every one! Now I'm thinking of joining (though I have no income) and forwarding or otherwise automating the reporting.

2. Spam wouldn't be mailed if it wasn't successful. That is, if it didn't steal bank account information, credit card information, and name, phone number, and address (to augment the previous). The results of this can destroy a person or family utterly. When Scotland experienced the crime of mass murder, they found the perpetrators by having their detectives coordinate efforts with detectives in other countries. Why can't this be done to find perpetrators of mass destruction, without violating privacy rights?

3. When I have received a spam letter, thousands (millions?) of others have already received it. When it was phish, I stopped my work to spend an hour tracking down the web site and informing the administrators immediately, to shut it down before people lost their savings. I didn't go after the sender. I assumed the same site was sent to many other people.

4. Though I've not clicked any of the hyperlinks, every one will likely do more than ask for personal information: they will, I assume, attempt to install malware on my computer. If successful, this will allow the spammer to send mail from my computer.

5. Instead of having a dedicated mail server, which could easily be shut down, a 'botnet' of a million computers (and this is a reasonable number) will send malicious spam whose intent is to steal identities and create more spam mailers. The only site they all have in common (relatively common) is the web site that does the real harm.

6. You see my reasoning. If I report you, or a proxy server at the Red Cross, as a spammer, I will at least alert both of you to check your computers; or, at most, shut down a spammer's misuse of a proxy server. All those who have already received the letter, however, will not be helped; and many more little spamming sites may grow from this web site.

7. Now, I can twist my mind into understanding why SpamCop might not want to consider the target of a hyperlink an abuser if the hyperlink 'isn't there', made extant only by my editing. Spammers could place honest, 'munged' hyperlinks in a tenth of their mail, and the one who made it genuine might (with an amazingly twisted, narrow view of law) be guilty of a crime.

However, this seems a hollow argument: spammers could just as easily include actual, honest, hyperlinks and even falsify the actual sender to be a local politician before an election, for example. I shall ask the administrator to clarify why spammers can be allowed to succeed in all this and remain anonymous just by adding [DOT] to their web sites.

So, all the above was to answer your question of why I had preferred to go after the web site rather than the mailer. My reasoning could be flawed, for I'm new to cyber-crime (except for software vulnerability).


Rapakiwi

PS. You get that much spam? Have you coughed up $30 to have it filtered by the SpamCop Blocking List?
Rapakiwi
post Jun 27 2008, 02:10 PM
Post #68


Member

Group: Members
Posts: 65
Joined: 14-May 08
Member No.: 8734



QUOTE(SpamCopAdmin @ Jun 27 2008, 05:01 AM) *
Yep, I can promise that. :-)

When I catch people altering spam to make SpamCop "find" something it ordinarily couldn't, I routinely suspend their reporting privileges.

The way to handle the "DOT" problem is to convert the URL to the proper syntax, and then open another window to SpamCop and enter the URL in our web form. When you hit the "Process" button, SpamCop will find a reporting address that you can use to send a personal report, or if you have a Paid Subscription, you can go back to the window where you're processing the spam, and use the address to have SpamCop send a "User Notify" report to it.

Sorry to bother you, but - if you read my letter to Miss Betsy - you'll understand my confusion. First, it might be nice to clarify this to all contributors as unacceptable: a 'material change' in the letter.

It has been a strain reporting all my spam by copy & paste. Though I used to resolve spoofs & phish myself, and send personal warnings to the banks (which are still difficult to contact). Clearly I can't do this for other kinds of spam, though innocuous-looking spam letters may cause lesser monetary losses, but affect more people, because of its quantity. Miss Betsy, however, pointed me to some software.

A hyperlink to a web site in spam is, essentially, malware delivered by email. If not, botnets would not have over a million zombie computers in them. Clearly SpamCop would like to remove malware, as my ISP does, so it would be nice to know why you choose only to 'kill the messenger', as Shakespeare wrote.

If spam were sent from botnets, created by web sites with [DOT] or a similar spelling variant, how effective would SpamCop be?

Perhaps only I am confused. More and more I've found law and common sense conflicting. If this is a fine reading of the law, as parsed by spammers' litigation attorneys, is there any reason the law(s) should not be changed? If the law prevents SpamCop from reporting spam after computers at SpamCop 'convert the URL to the proper syntax', shouldn't it prevent me from doing just that?

Admittedly, it takes human intervention to replace the [DOT] with a period; but it also takes human intervention to click a hyperlink.

Thank you very much for clarifying this to all contributors!


Rapakiwi
Miss Betsy
post Jun 27 2008, 06:02 PM
Post #69


T-shirt wearing out

Group: Membersph
Posts: 3332
Joined: 2-February 04
Member No.: 174



There are probably a lot of different reasons why no 'material changes' to spam are allowed.

There is no law on the internet. There is only etiquette. And there is no 'force' - one can do what one wants to and can't be prevented except by denial of internet access. When there is only etiquette, and no way to 'force' someone by law, then you either go along with the accepted 'rules of the road' (MX and DNS and all that technical stuff that permits computers to talk to one another) or you can't connect. If someone doesn't like your website or your email, then he doesn't have to go to it or he can refuse to let it appear in his inbox.

My server, my rules (spamcop says no material changes, that's the way it is) and if you have a problem with that, it is your problem, not mine. If I have a problem because of my rules keeping me from communicating with the rest of the internet, then it's my problem, not anyone else's. Only the *sending* computer can stop spam from being sent. If the sending computer owner is irresponsible or ignorant, then it's not my problem. I can't force them to change. However, if they want to communicate with me, then they will have to change their modus operandi.

Miss Betsy


--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net
Farelf
post Jun 28 2008, 12:42 AM
Post #70


T-shirt wearing out

Group: Membersph
Posts: 3870
Joined: 23-February 04
From: Western Australia
Member No.: 491



As Miss Betsy says - probably a number of reasons. But as Don (SC staff) said, and the one thing that has been said by all the SC staff consistently, the first commandment, "Thou shall not alter thy spam to 'help' the parser". That should be very clearly understood.

Then, considering that spam reports are evidence-based - if you start altering the evidence, where does it end? SC's reputation relies on users sticking to the rules. Undermine that and there is nothing, SC would be better off without reporters at all (just spam traps). OK, the spam may be 'altered' in the course of its travels and during the parser processing but that is 'programic', (more or less) predictable and replicatable.

The two things you are allowed to do are mask/mung(e) your email address - including the LH part of it if appearing in isolation - in headers or spam body if the parser doesn't pick it up (IF you know what you are doing, I think is the standard admonition) and you can add a comment - like [no body] to manufacture a body in real 'no body' spam (documentation on that point controversial in past times but now authoritative).

Is there any confusion now? Those are the relevant 'rules' by which you agree to abide if you use the SC reporting service. Very important.


--------------------
Plus ça change, plus c’est la même chose
Rapakiwi
post Jun 28 2008, 02:16 AM
Post #71


Member

Group: Members
Posts: 65
Joined: 14-May 08
Member No.: 8734



QUOTE(Farelf @ Jun 28 2008, 12:42 AM) *
Is there any confusion now? Those are the relevant 'rules' by which you agree to abide if you use the SC reporting service. Very important.

I'll be returning to Dartmoor after I file my report at the end of the month (whose content will surprise you). However, where did you read the rule above other than the post you refer to?

The actual document, posted in preparation for a pan-galactic bypass, gave as an example of a 'material change' the addition of a From line where it was not in the real header. That could screw things up, I agree. It also stated that, because SpamCop doesn't have a JavaScript parser, I could interpret the JavaScript manually.

Well, munged URLs were designed so computers could not parse & interpret them, only humans can. So, I did. Now I just watch SpamCop fail, but I suggest it's failing because they already know the site in Argentina hosting all sites munged with a [DOT]. That would have been a clarification.

Here's the original, which SpamCop parses as www.hitoferaf and fails:

- Visit our site: www.hitoferaf[DOT]com
(copy this link then replace "[DOT]" to ".")

Here's my change after it fails:

- Visit our site: www.hitoferaf.com
(copy this link then replace "[DOT]" to ".")

Where are we now? We clearly followed the second line to the letter, so SpamCop could also help close the web site down. Do you honestly think someone who does this should be returned to Dartmoor?

I'll offer an imaginary clarification: 'You need not clarify obfuscated lines that SpamCop appears unable to interpret. We examine each and modify our parser daily; or, we recognize the obfuscated line and choose to not report it, for reasons that are good ones.'

Watch it fail and do nothing to help. Watch crimes occur and do nothing to help. Watch people be hurt and do nothing to help. Twenty years ago I gave up a teaching career at a university because essentially all the students wanted only a diploma and to be told what they needed to do to get one: no one came to learn how to think for themselves and question the reasoning behind statements of 'fact'.

Miss Betsy's letter didn't really need a commentary for me to understand: shut up or get out. I'm getting out and writing my own Unix scripts to send off letters. Oh, and I won't be leasing a large, dynamic blacklist that doesn't profit from shutting down spammer's web sites.


Rapakiwi
Miss Betsy
post Jun 28 2008, 06:20 AM
Post #72


T-shirt wearing out

Group: Membersph
Posts: 3332
Joined: 2-February 04
Member No.: 174



I didn't say anything about 'shutting up and getting out'. What I said was that 'shutting down' websites is not the 'internet' way of operation. Web site owners can include in their Terms of Service that spammers cannot use their block of IP addresses. However, there are irresponsible and ignorant web site owners who do not want to stop spammers from operating. There is nothing that can be done about that because there are web sites that some people do not want to see published and to make 'laws' about what can be published and what cannot be published is censorship.

The way the internet works is that one can refuse to accept email from irresponsible and ignorant people who allow spamming. One can not force them to stop spamming, but one cannot be forced to accept their spam also.

The main focus of spamcop, which I thought you probably knew, since you are researching, is to stop the source of spam, not those websites that are advertising via spam. In the beginning, reports were sent to 'educate' and 'warn' those email servers that were sending spam that spam was coming from those email servers and would be blocked by other email servers until the spam stopped. It was worthwhile to report also to spamvertized sites because many did not know that unsolicited email was not a good idea or how to build a mailing list that did not have addresses on it who did not want to be on the list. In those days, there were many 'innocent' people who were using mailing lists that bothered many people with unsolicited email.

Today, however, there are only ignorant people who spam 'innocently' - the part of the parser that deals with spamvertized sites is low priority for spamcop program coders because almost all spamvertized websites are operated by those who intend to spam. They create hundreds of sites to keep ahead of filters and of being shut down. They use bots and other means to deliver the spam. They use stolen credit cards to pay for the sites and they use false information when they register them. To shut them down is called playing 'Whack a mole' because one gets shut down and they register another. That's why some people think that it is more effective to attack them through the registrar who is supposed to maintain accurate information.

There can be porn sites and sites on how to make bombs and sites preaching weird religious practices as long as they don't advertise via spam. Nobody can force a person to go to them.

Stopping spam from being sent can only be done by the person in control of the computer it is being sent from or by the internet service provider who refuses to connect that computer. Spammers have taken control of many computers without the owner's knowledge and criminals can always find an internet service provider that is greedy enough to take their dollars to connect and turn a blind eye to their activities.

Therefore, the way to stop spam is to prevent it from entering one's inbox. There may be 'trusted' senders and eventually a 'safe' neighborhood maintained by those who are polite to one another for email. But there will always be the 'other side of town' where it is not safe. That's why the source IP address is so much more important than the website IP address.

You cannot stop people from being ignorant or greedy. The 419 scams wouldn't be so lucrative if they didn't find people who are greedy - people who are educated and should be able to understand that it is not wise to take part in something shady. You can't stop people from being naive and gullible in spite of the fact that it is common knowledge about how criminals send email phishing for your credit card numbers.

You can offer ways to protect them - such as spam filtering and free anti viral programs. But it is their problem if they don't listen or avail themselves of the filtering or the warnings about criminal spam. You can't stop website owners from buying 'guaranteed 100% optin' lists. But it is their problem if they use them and get their web access denied and the email from their email servers blocked by receivers.

Recently, there was an article in the local newspaper about a woman who smelled something fishy about an email. She eventually decided to send a Western Union money order for $1 just to let the guy know she was wise to him. The clerk said that there had been several people who had sent the requested amount that day. Now, wouldn't it be more effective to 'protect' people to have information on typical scams and maybe even 'scam of the day' posted at the Western Union office - the way anti-viral people post information about current viruses? It would also have been effective to report the IP address so that no more people received the scam. In this case there was no spamvertized site.

All I am saying is what has been discussed at length in many topics on this forum. I didn't mince words because I assumed (always a bad thing) that since you were a researcher, you had read those topics.

It is a different opinion than yours. But you can take it or leave it or argue the opposite viewpoint. It won't change how official spamcop interprets the 'no material changes' rule. Neither you nor I can do anything about how spamcop decides to interpret that rule, but argue against it. spamcop can, and will, revoke your reporting status if their rules are not followed (my server, my rules). But my post, in no way, suggests that you should shut up or leave this forum. No one can 'force' you to change your mind and that's the beauty of the internet.

Miss Betsy


--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net
StevenUnderwood
post Jun 28 2008, 07:20 AM
Post #73


What Life?

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(Rapakiwi @ Jun 28 2008, 03:16 AM) *
However, where did you read the rule above other than the post you refer to?

The rules are in the FAQ linked at the top of the page,
SpamCop Parsing and Reporting Service,
Rules - everybody read! (recent changes made ... you may need to re-look)
-----> Material changes to spam
-------> Material changes to spam - Updated!

The first Material changes section has your exact issue, and I quote (color is mine):
SpamCop does not decode JavaScript because it does not have its own JavaScript interpreter. Unless you can properly decode the JavaScript, even what you see may not be correct. Do not make any changes to the spam to cause SpamCop to report addresses, links or URLs that are contained within the JavaScript, decoded or not.

This is in the "Original FAQ" located on the SpamCop servers. The FAQ in the Wiki, which can be modified and kept up to date, also has that information as well as updates from discussions with SpamCop staff.

Final test: Did your change find a link that was not found before the change... if so, then it is against the rules.

QUOTE(Rapakiwi @ Jun 28 2008, 03:16 AM) *
I'll offer an imaginary clarification: 'You need not clarify obfuscated lines that SpamCop appears unable to interpret. We examine each and modify our parser daily; or, we recognize the obfuscated line and choose to not report it, for reasons that are good ones.'

Watch it fail and do nothing to help. Watch crimes occur and do nothing to help. Watch people be hurt and do nothing to help. Twenty years ago I gave up a teaching career at a university because essentially all the students wanted only a diploma and to be told what they needed to do to get one: no one came to learn how to think for themselves and question the reasoning behind statements of 'fact'.

This is completely covered in the opening statement of both pages linked above:
SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

QUOTE(Rapakiwi @ Jun 28 2008, 03:16 AM) *
Oh, and I won't be leasing a large, dynamic blacklist that doesn't profit from shutting down spammer's web sites.

Use of the SpamCop blocklist is free... no lease is needed.

And SpamCop's primary purpose is NOT to shut down websites, but to shut down the SOURCE of the spam so the links to those websites are never seen, rendering them useless.


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
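The workflow Don D'Minion describes in post #65 and the "final test" Steven Underwood states in post #73, sketched as an added example (it is not part of any post and is not SpamCop code): the spam is kept exactly as received, de-munged URLs are produced as a separate list for the separate lookup form, and an edit is flagged when it makes a link appear that was not found before. `plain_links` is a simplified stand-in for a mechanical parser, the `(dot)`, `{dot}`, `[.]` and `hxxp` variants go beyond the `[DOT]` case in the thread, and the sample message is constructed.

```python
import hashlib
import re

# Constructed sample body, not a real message.
SAMPLE_SPAM = (
    "Subject: Diploma in 2 weeks\n"
    "\n"
    "- Visit our site: www.example[DOT]com\n"
    '(copy this link then replace "[DOT]" to ".")\n'
    "Mirror: hxxp://shop(dot)example(dot)net/order\n"
)

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_START = r"(?<![a-z0-9@.-])"  # not mid-word and not inside an e-mail address
_DOT = r"(?:\[\s*dot\s*\]|\(\s*dot\s*\)|\{\s*dot\s*\}|\[\.\])"

# Hostnames written with real dots: what a mechanical parser can see.
_PLAIN = re.compile(rf"{_START}(?:https?://)?({_LABEL}(?:\.{_LABEL})+)", re.I)
# Hostnames whose dots may be munged, with an optional http/hxxp scheme and path.
_MUNGED = re.compile(
    rf"{_START}(?:h(?:tt|xx)ps?://)?{_LABEL}(?:(?:\.|{_DOT}){_LABEL})+(?:/[^\s<>]*)?",
    re.I,
)


def plain_links(text):
    """Hosts visible without human interpretation (assumed parser behaviour)."""
    hosts = set()
    for match in _PLAIN.finditer(text):
        host = match.group(1).lower()
        if host.rsplit(".", 1)[-1].isalpha():  # skip things like "2.5"
            hosts.add(host)
    return hosts


def munged_links(text):
    """De-munged URLs, returned separately; the input text is never modified."""
    found = []
    for match in _MUNGED.finditer(text):
        raw = match.group(0)
        if re.search(_DOT, raw, re.I) or raw.lower().startswith("hxxp"):
            fixed = re.sub(_DOT, ".", raw, flags=re.I)
            fixed = re.sub(r"^hxxp", "http", fixed, flags=re.I)
            if fixed not in found:
                found.append(fixed)
    return found


def is_material_change(original, edited):
    """Final test from the thread: did the edit expose a link not found before?"""
    return bool(plain_links(edited) - plain_links(original))


def prepare_report(raw_spam):
    """Keep the evidence untouched and list URLs for the separate lookup form."""
    return {
        "submit_unaltered": raw_spam,
        "sha256": hashlib.sha256(raw_spam.encode("utf-8")).hexdigest(),
        "lookup_separately": munged_links(raw_spam),
    }


if __name__ == "__main__":
    report = prepare_report(SAMPLE_SPAM)
    print("evidence sha256:", report["sha256"])
    for url in report["lookup_separately"]:
        print("look up separately:", url)
    edited = SAMPLE_SPAM.replace("www.example[DOT]com", "www.example.com")
    print("edit is a material change:", is_material_change(SAMPLE_SPAM, edited))
```

Comparing the SHA-256 of what was received with what is about to be submitted is a quick check that no hand edit slipped into the evidence.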
Rapakiwi
post Jun 29 2008, 09:33 AM
Post #74


Member

Group: Members
Posts: 65
Joined: 14-May 08
Member No.: 8734



QUOTE(StevenUnderwood @ Jun 28 2008, 07:20 AM) *
The rules are in the FAQ linked at the top of the page,
SpamCop Parsing and Reporting Service,
Rules - everybody read! (recent changes made ... you may need to re-look)
-----> Material changes to spam
-------> Material changes to spam - Updated!
<SNIP, SNIP>
Final test: Did your change find a link that was not found before the change... if so, then it is against the rules.

This is completely covered in the opening statement of both pages linked above:
SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

Use of the SpamCop blocklist is free... no lease is needed.

And SpamCop's primary purpose is NOT to shutdown websites, but to shutdown the SOURCE of the spam so the links to those websites are never seen, rendering them useless.

There was an experiment once done with cats, I believe. They were raised in an environment with all vertical stripes. When then placed in one with horizontal stripes, they didn't see them: they didn't see what didn't make sense. I'm guessing some other people, too, are like cats. I could easily read all the carefully written instructions and fail to recognize those that go against common sense.

It's true that 99% of people have been trained to follow instructions without thought. Some people, those whose brains constantly judge and question, color what they read by what they anticipate will be the 'right thing' to do.

Submitting spam only before following what the letter instructs us to do, before clarifying a URL that was designed to defeat SpamCop's mechanical parser, before being able to report the only URL in the letter known to be genuine, may not make sense to that select 1% of the population; and they may miss it, though it is written as clearly as it is. All that will help these miscreants is, I suspect, to clarify why this is bad. Repeating is not clarifying. Speaking more loudly, with harsher punishments, is not clarifying. 'SpamCop does what it does and doesn't do for a reason.' Perhaps they should know exactly what this reason is. If it's a matter of National Security (as many things are these days), perhaps one can just mention in the brief introduction (for some do have lives) that 'You may see our parser fail to resolve certain addresses, and the natural tendency of some might be to ... ; but ... .'

The web site address is the only one in any spam that is known to be genuine. Some people who are afflicted with self thought might not understand that 'throwing out the baby with the bath water' is good, common sense. Explaining that SpamCop's purview is not web sites doesn't address the above problem, it just adds a second.

Your parser finds clear web sites and sends reports to their supervisors. When it attempts to remove the 'obfuscation' of these site and fails, it may not seem reasonable to some to not help because SpamCop does not want to report web sites, when it clearly does not exclude them from being parsed, interpreted, and reported. (We're confusing two separate things, as you know.)

Strange as it seems, it may seem to some that (since the obfuscation was designed for humans to remove), they should actually help SpamCop by manually correcting the URL. Increasing the severity of the punishment won't help these 'normally challenged' people.

Thank you for your careful reply; and sorry for thinking the SCBL cost a fee.

Rapakiwi

When taking out your appendix, would you rather have your neighbor do it, following written instructions by the foremost experts; or would you trust it to be done better by an everyday physician, one who understands the reasons the human body works as it does?
Rapakiwi
post Jun 29 2008, 10:03 AM
Post #75


Member
**

Group: Members
Posts: 65
Joined: 14-May 08
Member No.: 8734



QUOTE(Miss Betsy @ Jun 28 2008, 06:20 AM) *
I didn't say anything about 'shutting up and getting out' What I said was that 'shutting down' websites is not the 'internet' way of operation.

Thank you for your kind explanation of how the internet works. The main focus of spamcop, which I thought you probably knew, since you are researching, is to stop the source of spam, not those websites that are advertising via spam. Are they really different?

Though I may be a researcher, I have a life; and it's not researching spamcop. However, I took a day off to explore how much of my spam is from 'zombies', and whether it may come from the same servers that host the web sites in the spam. This is hardly definitive, but it's mildly interesting.

Thought I would take a glance at some spam I just picked at random. What is interesting about these is that, I can understand a zombie computer stripping the mailing agent's identification (Microsoft loves little Xes), or just not having any. But, after the letter is sent, other computers often scribble on the bottom of the envelopes. Yet, every envelope, from Seoul to Delhi, had only and exactly the following marks on it:

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-Msmail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.3198

Doesn't it seem strange that people in Thailand and Turkey all use the ISO-8859-1 character set? Especially when the mail appears to be sent from the World's largest cities, using dynamically allocated ip addresses or internet cafés, in countries that use a different character set? If the spammer added the above, why? It's not visible in the header.

If various spammers added the lines above, for some reason (for they can be stripped), why didn't at least one computer scribble something of its own on the bottom of the envelope. I sent many letters to myself (not that this is my life) and every mailer added its own little Xed comments.

The source of the letters couldn't be the same servers that house the web sites? Well, we know the web sites' ip addresses with complete certainty. No, that would make their mailers (ip domains) easy targets for blacklists. Still, why not look at most of this week's spam: that which I ignorantly allowed SpamCop to report for a couple of days.

Subject lines and arrival dates
0. Subject: Best of Adidas, Coach, UGG today
1. Subject: Best of Hermes, Dsquared, Versace today
2. Subject: to bathurst today
3. Subject: Best of Chanel, Burberry, UGG today
4. Subject: Best of Hermes, Paul Smith, Versace 1 day ago
5. Subject: Best of Chanel, D&G, UGG 1 day ago
6. Subject: Best of Prada, D&G, Versace 2 days ago
7. Subject: Best of Bally, Dior, UGG 2 days ago
8. Subject: Best of Hermes, D&G, UGG 5 days ago

Sender's possible ip, ISP, and number of users that ISP has
0. Received: from 125.031.137.100 Seoul Cable TV network: 16,128
1. Received: from 059.095.036.149 New Delhi Backbone 6,553,600
2. Received: from 124.121.010.212 Bangkok ISP 16,128
3. Received: from 190.174.197.079? Buenos Aires Telefonica de Argentina
4. Received: from 124.121.126.088? Bangkok ISP 16,128
5. Received: from 122.163.204.142? Delhi AirTel Broadband 655,360
6. Received: from 059.092.198.020? Chennai India's Backbone 6,553,600
7. Received: from 088.241.190.119? Balikesir Turktelecom's DHCP DSL
8. Received: from 088.227.85.213 Samsun Turktelecom's DHCP DSL
Question mark means ip was labeled 'possibly forged' by the mailer.

Populations of cities mail may have been sent from
0. Seoul, South Korea 23 Million
1. New Delhi, India 320,000 (14 Million)
2. Bangkok, Thailand Over 8 Million
3. Buenos Aires, Argentina 13 Million
4. Bangkok, Thailand Over 8 Million
5. Delhi, India 14 Million
6. Chennai (Madras), India 7.5 Million
7. Balikesir, Turkey 650,000 (near Istanbul, & Greece)
8. Samsun, Turkey 725,000 (on Black Sea, shared by 8 countries)

Result of reports of the above senders to SpamCop
0. Blacklist Status: Clear
1. Blacklist Status: Clear
2. Blacklist Status: Clear
3. Blacklist Status: Clear
4. Blacklist Status: Clear
5. Blacklist Status: Clear
6. Blacklist Status: Clear
7. Blacklist Status: Clear
8. Blacklist Status: Clear

Web sites SpamCop didn't report
0. - Visit our site: www.fanleost[DOT]com 'Fan Leos t'
1. - Visit our site: www.fanleost[DOT]com 'Fan Leos t'
2. - Visit our site: www.vawwosoft[DOT]com 'Va w Wo Soft'
3. - Visit our site: www.fanleost[DOT]com 'Fan Leos t'
4. - Visit our site: www.anwaspe[DOT]com 'An Wasp E'
5. - Visit our site: www.norokuse[DOT]com 'No Rukus E'
6. - Visit our site: www.dimaeine[DOT]com 'Di Ma Eine'
7. - Visit our site: www.dimaeine[DOT]com 'Di Ma Eine'
8. - Visit our site: www.hitoferaf[DOT]com 'Hito Fe Raf'

Store names and years they've been doing business
0. Website Title: Exquisite Footwear & Bags CLOSED
1. Website Title: Exquisite Footwear & Bags 03 days
2. Website Title: All popular OEM software for PC and MAC 04 days
3. Website Title: Exquisite Footwear & Bags 03 days
4. Website Title: Exquisite Footwear & Bags 03 days
5. Website Title: None 29 days
6. Website Title: None 15 days
7. Website Title: None 03 days
8. Website Title: Not known 02 days

Store's locations
0. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)
1. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)
2. IP Location: Thrunet Co. Ltd, Kyonggi-do (Seoul), South Korea
3. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)
4. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)
5. IP Location: New Generation Technology, Ltd., Hong Kong
6. IP Location: New Generation Technology, Ltd., Hong Kong
7. IP Location: New Generation Technology, Ltd., Hong Kong
8. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)

None are blacklisted, so how is business?
0. Domain Status: On Hold (generic)
1. Domain Status: On Hold (generic)
2. Domain Status: Registered and Active Website
3. Domain Status: On Hold (generic)
4. Domain Status: Registered And Active Website
5. Domain Status: Registered and Active Website
6. Domain Status: On Hold (generic)
7. Domain Status: On Hold (generic)
8. Domain Status: On Hold (generic)

Those who registered the clever names above
0. Registrant: Forex Hosting, Taubaté, Brazil (Sao Paulo)
1. Registrant: Forex Hosting, Taubaté, Brazil (Sao Paulo)
2. Registrant: "PrivacyProtect.org" PO Box 97, Moergesstel, NL (821,591)
3. Registrant: Forex Hosting, Taubaté, Brazil (Sao Paulo)
4. Registrant: Forex Hosting, Taubaté, Brazil (Sao Paulo)
5. Registrant: Shichun Wang, kunming Yunnan 346892 (420)
6. Registrant: He Yong, haidingqu Beijing 100086 (1,716)
7. Registrant: He Yong, haidingqu Beijing 100086 (1,716)
8. Registrant: He Yong, haidingqu Beijing 100086 (1,716)
Note that registrant 2 refuses to be contacted by mail. :-)

* Was Dynamic Dolphin, Inc. 5023 W 120th Ave, Broomfield, CO, USA
until suspended a few minutes ago. Now owned by He Yong.

Now, let's go shopping! [CHILDREN UNDER THE AGE OF 100 SHOULD NOT PERFORM THE FOLLOWING STUNTS EVEN UNDER AN ADULT'S SUPERVISION!] (My computer is as secure as most servers, for that was once my job.)

My running shoes were looking a bit shabby, so I thought I'd shop at 'Fan Leos t'. To my surprise they sold luxury shoes, so I settled for a $165 pair of Prada loafers. Indeed, when paying, the web page changed to 'Infinity Secure', making me feel better, though it was still the same site. It was a very professional, beautiful and elegantly written site; but a bit slow, though it was hand written in 1999 HTML. I was surprised that I was now shopping at Infinity Secure, 17 Bank Street, Ottawa, CA.

When I attempted to pay for my new Pradas, and the 'Insured Express Courier Delivery'. The $10 extra for shipping outside the USA, Canada, or the UK wasn't charged me, since the shoes were coming from Canada. But, funny thing: an examination of the website with a spam tool showed no outgoing links. They must encrypt email to Canada; but wait, I thought the Chinese government prohibited that.

The consumer links made me feel safe: ScanAlert's Hacker Safe, GeoTrust, Verified by Visa; but the links didn't work. Oh, that's because of the absence of outgoing links. However, nothing bad came to my computer, except a cookie...or several. (Lucky I had archived them before going there with my browser, which I set to identify itself wrongly.) I attempted to trace the site, to verify that it was Chinese: it was, and it kept the browser connection open indefinitely, as it scanned all of my computer's ports.

Because I was a bit uncomfortable knowing that my life's history, and especially that of my credit card, was needed for a discount purchase, I thought I should email the 'contact us' link. However, 'luxuryshoes.com', in Canada, was apparently owned by Liu Bing of Changsha, Hunan (who owned 2633 other internet stores), yet chose to have his email account in Istanbul, where his ISP provider is Istanbul Telekom. Strange, those in the US, Canada, the UK, and even China are closer. Well, the 'Great Firewall' is an inconvenience.

Istanbul. Isn't that near Balikesir, where my spam advertising 'The Best of Bally, ..,' came from? Coincidence, perhaps, though I was fortunate that this Adidas store sold Bally and Prada shoes! Lucky me! However, I decided to only 'window' shop today.


Rapakiwi
StevenUnderwood
post Jun 29 2008, 11:22 AM
Post #76


What Life?
Group Icon

Group: Membersph
Posts: 5141
Joined: 20-January 04
From: Whitinsville, MA USA
Member No.: 12



QUOTE(Rapakiwi @ Jun 29 2008, 10:33 AM) *
Your parser finds clear web sites and sends reports to their supervisors.
Sometimes it does, other times it does not. See the many threads about that here in these forums.
QUOTE(Rapakiwi @ Jun 29 2008, 10:33 AM) *
When taking out your appendix, would you rather have your neighbor do it, following written instructions by the foremost experts; or would you trust it to be done better by an everyday physician, one who understands the reasons the human body works as it does?
Every doctor I have met has already "read the instructions" before performing the operation, even for the first time. I'll stop there because your analogy breaks down even further beyond that. But keep in mind, most "doctors of spam reporting" do their own parsing and send their own reports (which tend to be more effective than SpamCop reports in my experience), not rely on a tool written by someone else to do it for them.


--------------------
Steven P. Underwood, DNRC
Whitinsville, MA
underwood+forum[at]spamcop.net

-No trees were killed in the sending of this message. However, a large number of electrons were terribly inconvenienced.-
Rapakiwi
post Jun 29 2008, 02:58 PM
Post #77


Member
**

Group: Members
Posts: 65
Joined: 14-May 08
Member No.: 8734



QUOTE(StevenUnderwood @ Jun 29 2008, 11:22 AM) *
Sometimes it does, other times it does not. See the many threads about that here in these forums.
Every doctor I have met has already "read the instructions" before performing the operation, even for the first time. I'll stop there because your analogy breaks down even further beyond that. But keep in mind, most "doctors of spam reporting" do their own parsing and send their own reports (which tend to be more effective than SpamCop reports in my experience), not rely on a tool written by someone else to do it for them.

Do you have pointy ears?

No, that analogy was much more vague: In my experience, the most detailed instructions fail among 1% of people when something unexpected turns up (which it always does), and they have to judge for themselves the best course of action.

I'm a doctor of a natural science, not spam reporting. To practice my profession or even have a life, I could never automate my own spam complaints. Yes, I've watched your parser peel the envelope from the outside in, checking each layer. Only a very large & dedicated organization could attempt what SpamCop does. However, I have always filed individual reports of spoofs and phish, which are no longer sent me. I just redirected phish to the banks, who took it from there.

Miss Betsy was kind enough to point me to a 'Confabulator', or something similar, written for Windows (which I have never owned). The information in it, however, would permit me to throw together an 'awk' script or something similar. I was hoping instead to have KnujOn added to the recipients of my SpamCop reports; they, in turn, forward theirs to uce.gov. When I can afford a proper account, I may follow your earlier suggestion. Today, as you know, even token fees have to be budgeted by (sadly) many, many people.

There is another possibility, for which there may be a very good reason not to suggest: Send one unadulterated copy, which goes to those responsible for the mailers; then a second, adulterated one, describing the adulteration in the large comment box, and un-clicking all the little boxes to the mailers, leaving these to be sent to the web site administrators.

Ideally, reports referencing reports would go up the business ladder as far as needed, some possibly to ICAMM itself: these, in turn, would be within the purview of the Federal Trade Commission (and drawn to the attention of the Department of State). It could be done tastefully. Of course, users' reports likely go right to spammers, as one subject line in a previous letter to Miss Betsy suggests.

I'm sure it's coincidence, but since that personal spam to me, all spam of every kind has stopped. Strangely, I'm not sure how I should feel being blacklisted by the blacklisted.


Rapakiwi
Miss Betsy
post Jun 29 2008, 04:52 PM
Post #78


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3332
Joined: 2-February 04
Member No.: 174



Actually, those who deal with spam daily, (the experienced doctor) in your analogy, seem to prefer to use a combination of blocklists and content filters (of which the scbl is only one) to prevent spam from entering their network. They may, or may not, report spam to the source, but I expect the ones who do, are discriminatory, only reporting what appears to be a leak to a known, responsible server admin, or in support of their favorite blocklists. The content filter is primarily for those spam that have not been identified yet by the blocklists and probably some of those are reported (or simply added manually to their own blocklist).

The other daily users just leave it to the IT department to keep spam out.

Spamvertized site blocklists (some of which come from those identified by spamcop reporters), a server admin estimated, caught about 25% of incoming spam.

Researchers into spam statistics and patterns are necessary as in any field, but unless they produce a better spam trap, the 'experienced' are not much interested in the details.

One point that you might consider in your theory of reporting is that the FTC, the major blocklists, and the major spoofed domains (such as ebay) can collect all the spam they want to analyze without relying on inexperienced people who don't read the instructions before sending reports.

Spam goes in waves, for no discernible, repeatable reasons.

Miss Betsy
[PS Official spamcop pages have not been changed for years in spite of suggestions. Spamcop was written for techies and there is no accommodation for anyone who isn't a techie. The forum, and some posters (particularly me since I am technically non-fluent) try to translate for people who are not techies. My quixotic hope is that consumers will become savvy enough to force ISPs to use blocklists rather than content filters and not dump email before the consumer sees it.]


--------------------
an almost new internet user
if you don't think your post has been answered sufficiently, please email service[at]admin.spamcop.net
Farelf
post Jun 29 2008, 08:25 PM
Post #79


T-shirt wearing out
Group Icon

Group: Membersph
Posts: 3870
Joined: 23-February 04
From: Western Australia
Member No.: 491



QUOTE(Rapakiwi @ Jun 29 2008, 11:03 PM) *
...Thank you for your kind explanation of how the internet works. The main focus of spamcop, which I thought you probably knew, since you are researching, is to stop the source of spam, not those websites that are advertising via spam. Are they really different?

Though I may be a researcher, I have a life; and it's not researching spamcop. However, I took a day off to explore how much of my spam is from 'zombies', and whether it may come from the same servers that host the web sites in the spam. This is hardly definitive, but it's mildly interesting.
<snip>
In answer to your question - though you doubtless meant it to be rhetorical- yes, they really are different in terms of the way they are approached. You were quick to dismiss Complainterator yet the base methodology is the exact way to do something about spamvertized websites, in particular the pesky ones hosted on botnets - "attacking" those through SC is like hunting vampires without your trusty silver bullets. As an aside - that's the paradox of pattern recognition - it's the way perception works but if you fix on an incomplete pattern you are blind to much that may be 'real'. Like your cats - or, to reverse things, my daughter's dog which hunts the shadows of smoke. (Other dogs have no idea what she's on about.) For the approach template to initiate effective action against the most intractable spamvertizers see http://forum.spamcop.net/forums/index.php?...ost&p=48929 (IIUC DNSStuff no longer provides free the tools it did then but there are others) - and you could do worse than to read the whole topic. It just takes through, to a useful point, the sort of research you detail in the above post.

SC is a tool with a particular application (identifying and listing the actively-sending IP addresses of significant spam sources). As a sideline (and, no doubt, retained only as a result of much nagging) it makes occasional attempts to resolve spamvertized websites. Many (including me) have railed against the 'wasted opportunity' of such diffidence, pointing out that the spamvertized websites are the whole point of (much of) the spam and we should be attacking them there, at the seat of corruption and where they might be 'hurt'. Yet SC resolutely holds to its self-appointed task. And, in the process, provides a tool which is the mere starting point for serious up-close and personal spam fighting. Despite the name it is not about law enforcement. State and national jurisdictional issues alone make that impracticable. And you are not going to reform SC single-handedly nor overnight. You are clearly exceptional. But not that exceptional. I think challenges to the orthodoxy might be essential to keep SC relevant and viable - thanks for trying (and I don't think you'll stop). But I don't think SC sees it quite the same way.


--------------------
Plus ça change, plus c’est la même chose
rconner
post Jun 29 2008, 09:11 PM
Post #80


Advanced Member
Group Icon

Group: Memberp
Posts: 872
Joined: 23-January 07
From: Maryland, USA
Member No.: 7388



I confess that I am having a bit of trouble following the new direction of this thread, but I take it that we are now discussing why SpamCop won't consistently report website URLs found in spam, and why we aren't allowed to "help" the parser by massaging the spam mail before we submit it for parsing. While I'm not plugged into SpamCop management at all, I have been a paid user for nearly a decade and so perhaps I'm in a position to share some observations. Sorry for the length of this post, but perhaps it will be on-point nevertheless.

TRACING AND REPORTING WEBSITES

Tracing and reporting spam websites is far more difficult, and far more prone to ambiguity, than simply tracing the sources of spam mail (which can be done largely mechanically, the way SpamCop does it). I've been studying this area in particular for several years now, but even all this experience doesn't always enable me to keep up with all the ruses. I suspect that this difficulty and ambiguity are two of the principal reasons why SpamCop does not make exhaustive efforts on this front.
  • For example, if you run a local nslookup on a URL given in spam, you cannot be sure that the IP address returned to you is the correct and only address of the site.
  • Even if you do a top-down authoritative nslookup, however, you still can't rely completely on the results because some spammers can change their DNS records as frequently as every couple of minutes, meaning that the report you just worked so hard to document becomes invalid before you even manage to send it (check out the website URL in this very fresh tracking link, for instance -- it is currently showing four addresses and a three-minute TTL).
  • Many websites are effectively protected by reverse-proxying zombies (NOT the same as the common Googlepages/Geocities redirectors), so your report will involve only a zombie and not the actual web server itself.
  • You can't even go after the DNS support for these rotating websites and botnets, because the auth-DNS service itself is on the botnet and you (as a plain ol' user) can't always find the "brains" of the operation without concerted effort that can take literally DAYS.
  • You can send notes to the domain registrars for the domains in question, but these domains are usually sold by the very same outfits that regularly appear on the various "Worst Registrars" lists, and you can automatically assume that any domain-WHOIS info you find is bogus. Your complaints will likely go straight to /dev/null.
  • On the spam website itself, you may find a redirection to some other website where the stuff is sold. The spammer might be kind enough to include this in a META REFRESH tag for you to view, but more likely it will be encrypted into a java script that you cannot easily inspect. Yes you can report the site that is doing the redirecting, but this does not help you deal with the hand inside the sock puppet.
  • Many spam links I get now are simply search-engine queries that are contrived to point directly to (and redirect to) the spammer's site. Often, the spammer includes enough alphabet soup and fake search info in these links to make them even more difficult to parse than they already would be in the first place.
  • Many spam URLs are munged with errors that make them non-compliant with respect to strict URL syntax (e.g., backslashes in place of forward slashes, whitespace inserted, and the like), but the spammers have learned that many browsers (oh, say, IE) will tolerate these errors. So, a strict URL parser won't see them, but the user's mail program or browser certainly will.
  • And then, it might even be that the website named in the spam doesn't have anything at all to do with the spam (e.g., it was a link placed after-the-fact by some free e-mail service or anti-virus software, or it may have been planted on purpose by the spammer with the intention of diverting investigators, providing fake "documentation" for a claim (e.g., in 419 mail or stock spam), or "joe-jobbing" an enemy). No machine could figure out that such links aren't reportable.

Not every spam website link presents such problems, but in my experience enough of them do to make it tricky to program a machine to deal with them; human judgment is invariably required. There are so many chuckholes down this road that it hardly seems surprising (to me at any rate) that SpamCop would not want to deal with this problem. Although I do try to LART such sites myself (usually outside of SpamCop) if I have the time, it is not always very easy or fast to do (particularly where rotating IP addresses are involved).

THE NO-ALTERATION RULE

As for altering spam before parsing it: if there were no rule to prohibit people from altering spam they receive before they submit it, this would invariably lead to people clobbering RFC2822 structure, MIME layout and encoding, URL syntax, etc. They might cut off parts of a URL they have "decoded" (a critical error if you are dealing with a Geocities or Blogger redirect, for example). Not to mention that they could put info into their messages that could be just flat WRONG. This would allow the spammers targeted by SpamCop to justifiably claim "see, these SpamCop guys will forge evidence if they can't find it legitimately." This is precisely the kind of thing that SpamCop seeks to avoid. Again, speaking as user of SpamCop, I believe it to be better all around just to have The Rule.

If you are interested in having someone look at the websites in spam you get (or, at least, the ones that SpamCop doesn't deal with), you should be able to forward your SpamCop reports to Knujon (I don't think that this requires a paid Knujon membership). Best to check the Knujon website (http://www.knujon.com/) for this info. To me, forwarding to Knujon has been a bit like throwing stuff over a high wall -- I can't tell very easily what gets done with my spam after I forward it (and I actually paid for a membership). Still, they have been making some positive headlines recently, particularly with regard to crooked domain registrars.

-- rick



--------------------
Richard C. Conner, P.E.
http://www.rickconner.net/spamweb/
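
The point in the post above about munged URLs that a strict parser misses but a browser accepts, as an added example that is not part of the original post and is not SpamCop's code. It assumes a simplified model of browser tolerance (padding stripped, tab and line-break characters dropped, backslashes read as slashes, any number of slashes after the scheme); the sample message body and the `.example` hosts are constructed.

```python
import re

# href="..." attribute values; [^"]* also spans line breaks inside the value.
HREF = re.compile(r'href\s*=\s*"([^"]*)"', re.I)

# Strict form: http(s)://dotted-hostname[:port][/path], forward slashes only.
STRICT = re.compile(
    r"(https?)://((?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})"
    r"(?::\d+)?(?:/[^\s\\]*)?",
    re.I,
)

# Constructed spam body: one clean link, three munged ones, one non-web link.
SAMPLE_BODY = r"""
<a href="http://shop.example/offers">clean link</a>
<a href="http:\\luxury.example\deal">backslashes for slashes</a>
<a href="http://wat
ches.example/x">line break inside the host</a>
<a href="  HTTP:/pills.example/buy ">padding, one slash, upper case</a>
<a href="mailto:someone@mail.example">not a web link</a>
"""


def strict_host(url):
    """Host name if the URL is already in strict form, else None."""
    m = STRICT.fullmatch(url)
    return m.group(2).lower() if m else None


def lenient_host(url):
    """Host name after applying the assumed browser-style repairs, else None."""
    s = url.strip()                       # leading/trailing padding
    s = re.sub(r"[\t\r\n]", "", s)        # tabs and line breaks anywhere
    s = s.replace("\\", "/")              # backslashes read as slashes
    m = re.match(r"(https?):/*(.*)", s, re.I | re.S)
    if not m:
        return None
    # Rebuild with exactly two slashes, then hold it to the strict form.
    return strict_host(f"{m.group(1).lower()}://{m.group(2)}")


def audit(body):
    """(raw href, host seen by strict parser, host seen by lenient parser)."""
    return [(raw, strict_host(raw), lenient_host(raw))
            for raw in HREF.findall(body)]


def missed_by_strict(body):
    """Hosts a tolerant client would reach that the strict parser never saw."""
    return sorted({len_h for _, str_h, len_h in audit(body)
                   if len_h and not str_h})


if __name__ == "__main__":
    for raw, s, l in audit(SAMPLE_BODY):
        print(f"{raw!r:45} strict={s} lenient={l}")
    print("missed by strict parser:", missed_by_strict(SAMPLE_BODY))
```

A filter that logs the raw attribute next to the repaired host keeps the evidence unaltered while still recording where the link leads.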
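
The rotating-DNS problem described in the post above (several addresses, a TTL of a few minutes, a report that is out of date before it is sent), as an added example that is not part of the original post. The lookup snapshots are constructed from documentation address ranges, and the thresholds in `looks_fast_flux` are assumptions chosen for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

T0 = datetime(2008, 6, 29, 21, 0, 0)

# Constructed snapshots of authoritative answers for one spamvertized host:
# (time of lookup, TTL in seconds, A records returned).
ROTATING = [
    (T0, 180,
     ["192.0.2.10", "198.51.100.7", "203.0.113.20", "192.0.2.77"]),
    (T0 + timedelta(minutes=4), 180,
     ["198.51.100.9", "203.0.113.41", "192.0.2.130", "198.51.100.200"]),
    (T0 + timedelta(minutes=8), 180,
     ["203.0.113.5", "192.0.2.10", "198.51.100.61", "203.0.113.99"]),
]
# Constructed snapshots for an ordinary, stable host.
STABLE = [
    (T0, 86400, ["192.0.2.80"]),
    (T0 + timedelta(minutes=8), 86400, ["192.0.2.80"]),
]


def flux_profile(observations):
    """Summarise how much the answer set moves between lookups."""
    seen, churn, prev = set(), [], None
    for _, _, ips in observations:
        cur = {ipaddress.ip_address(ip) for ip in ips}
        if prev is not None:
            # Jaccard distance: 0.0 = same answers, 1.0 = nothing in common.
            churn.append(1 - len(cur & prev) / len(cur | prev))
        seen |= cur
        prev = cur
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in seen}
    return {
        "min_ttl": min(ttl for _, ttl, _ in observations),
        "distinct_ips": len(seen),
        "distinct_networks": len(nets),
        "mean_churn": round(sum(churn) / len(churn), 2) if churn else 0.0,
    }


def looks_fast_flux(profile, max_ttl=300, min_ips=5, min_churn=0.5):
    """Assumed thresholds: short TTL, many addresses, answers mostly replaced."""
    return (profile["min_ttl"] <= max_ttl
            and profile["distinct_ips"] >= min_ips
            and profile["mean_churn"] >= min_churn)


def stale_report_ips(observations, reported_at):
    """Addresses documented at the first lookup that the host no longer
    resolves to in the latest snapshot taken at or before reported_at."""
    first = {ipaddress.ip_address(ip) for ip in observations[0][2]}
    current = first
    for when, _, ips in observations:
        if when <= reported_at:
            current = {ipaddress.ip_address(ip) for ip in ips}
    return [str(ip) for ip in sorted(first - current)]


if __name__ == "__main__":
    for name, obs in (("rotating", ROTATING), ("stable", STABLE)):
        prof = flux_profile(obs)
        print(name, prof, "fast-flux:", looks_fast_flux(prof))
    print("stale after 10 min:",
          stale_report_ips(ROTATING, T0 + timedelta(minutes=10)))
```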