[Resolved] Why must I verify spam reports only on SpamCop?, Mac user thinks everyone could report spam rather than trash it! Options

[agsteele]

Not sure what you might actually mean, as SpamCop.net does nothing to black/grey/white-list web-sites.

Hi Wazoo,

I think this guy is probably referring to the Email service where, of course, various colours of listing are available (although I guess black, white and grey aren't technically colours...) (IMG:style_emoticons/default/wink.gif)

Andrew

[Wazoo]

I think this guy is probably referring to the Email service where, of course, various colours of listing are available (although I guess black, white and grey aren't technically colours...) (IMG:style_emoticons/default/wink.gif)

Yeah, I thought about that ... but that would have taken things back to one of the major points made so many times already .... SpamCop.net doesn't block e-mail either. So I left my comments dealing strictly with what was typed into the post(s) I was replying to. However, things lke the "small busnesses being shut down" comment were simply too excessive to worry about providing a response.

[Rapakiwi]

Yeah, I thought about that ... but that would have taken things back to one of the major points made so many times already .... SpamCop.net doesn't block e-mail either. So I left my comments dealing strictly with what was typed into the post(s) I was replying to. However, things lke the "small busnesses being shut down" comment were simply too excessive to worry about providing a response.

Oh, I thought 'this guy' was you, sorry. :-)

So, I assume from your posts that the SCBL only reports illicit web stores (in English): it does not black-, white-, or greylist them (bit of jargon here). I admire the SCBL, but I don't use it.

I have to get back to bed (for I am here just to quickly send tonight's spam to KnujOn's various addresses). I've recently reported only one spam to SpamCop, just to test whether it accepts Thunderbird's 'forward by attachment' results (for Mac's implementation of some mail RFCs has bugs, leaving .eml about, &c). The 'inline' attachment option was also accepted, but the link in the body wasn't reported. (This paragraph is for Mac users.)

SpamCop seems to accept these Thunderbird forwards just fine without any 'add-ons' (which attach the source without any Apple bugs); so I trust those to KnujOn are acceptable (though I'll double-check). Thank SpamCop for the great reports!

To clarify your puzzlement, one report (a year or two ago) contained a link to opera.com. Because all previous links to, say, Здравствуйте!.ru, had reports prepared, I anticipated one about opera.com, which I should delete, lest (I excessively worried) it might make it to the SCBL. It didn't appear. Thus I concluded you had a list of legitimate sites (common corporations who would not respond well to being reported by you) about which you did not prepare reports.

BTW, thanks for the last link, which I'll check out. However, I've pretty much decided to report all the method that reports only headers. One user kind noted that even reports of phish elsewhere must be examined by hand: this I didn't know. Why, I still don't know; but I'll ask at CastleCops.

I also have my old spam (yes, I archive spam); so I'll run through the SpamCop parser what I had analyzed by hand some days ago and see if SpamCop can find more from its envelopes (English, not networking jargon): in English, a letter has an envelope and a signature. On the envelope, the mailer (the post office) applies a stamp when the letter is posted. (If SpamCop's use is for Knurds only, I'll change my language, for I worked as a computer professional between legitimate jobs.

Don't waste your time puzzling over details sufficient only to illustrate a point. As for your earlier remarks that the 'problem' here is a refusal to fulfill my contractual responsibility, then allowing ignorant people access to the internet, I think you should take the time to get out more.

My best,


Rapakiwi

[agsteele]

Don't waste your time puzzling over details sufficient only to illustrate a point. As for your earlier remarks that the 'problem' here is a refusal to fulfill my contractual responsibility, then allowing ignorant people access to the internet, I think you should take the time to get out more.

Hi Rapakiwi,

I'm sorry you aren't able to get your head around how the SpamCop systems work and confuse this as a place to get help with other services.

I'm sorry you feel you have to take an unhelpful, combative and, frankly, rude approach to folk who try to help.

But I'll simply add you to the appropriate list so I don't have to read your posts henceforth.

Andrew

[DavidT]

Faulty terminology and assumptions will almost always interfere with effective communications, as is the case here.

DT

[rconner]

So, I assume from your posts that the SCBL only reports illicit web stores (in English): it does not black-, white-, or greylist them (bit of jargon here).

The SCBL does not "report" anything. The SCBL is merely a list, or a database if you prefer. But you do not have to take the posters' word for it, the operators of the SCBL speak for themselves at http://www.spamcop.net/fom-serve/cache/297.html:

The SCBL is a list of IP addresses which have transmitted reported email to SpamCop users, which in turn is used to block and filter unwanted email.

SpamCop USERS, and not the SCBL, report spam links they find in their mail as a sidebar to the more specific function of identifying spam-source ADDRESSES (not websites) and listing them in the SCBL. Up-to-date and accurate info on sources of spam is what internet providers require in order to block or detail spam being delivered to their hosts. Info about spam websites is useless for this purpose.

Identifying and dealing with website links in spam is an order of magnitude more difficult and ambiguous than simply identifying spam sources, but I t hink you've probably read about this before. Here's another link for your collection: http://forum.spamcop.net/forums/index.php?...amp;#entry65360.

-- rick

[Miss Betsy]

Up-to-date and accurate info on sources of spam is what internet providers require in order to block or detail spam being delivered to their hosts. Info about spam websites is useless for this purpose.

This is not quite accurate. The spam sources (IP addresses) of where spam comes from is very useful to server admins to block or filter spam as it comes into their network. The DNSBLs, including spamcop's, are used to identify spam sources. This is very useful, especially since spammers discovered how to evade filters using botnets. spam from botnets comes from non-email computers and can be blocked without fear of blocking real email. The DNSBLs are, as rconner said, just a database of IP addresses that have been discovered to send spam. Spamcop discovers this through user reports and spam trap hits. Other DNSBLs have other methods of deciding what is a spam source.

The part of the above quote that is not quite accurate is that knowing spam websites is useless for filtering spam. It is useless as far as blocking spam at the server level, but after accepting email, it still can be filtered by various means. One of those is to filter for spam websites. Spamcop does not offer a filtering list because, IMHO, the policy is that the /source/ is more important to identify than the website. There has been no attempt to keep the parser concurrent with spammer tactics to evade filters that identify websites. As has been said several times, there are different methods and different tools to filter spam. OTOH, there are server admins who do filter after accepting email by the websites within the email. One such server admin told me in the ngs that he estimated 25% of his spam was caught in this manner.

I believe that is one of the reasons that spamcop continues to identify spamvertised websites. Imperfect though it is, the spamcop parser does identify enough websites accurately for others to use them as a filter. There are also those, like rconner, who use the parser as a first step in identifying the owners and creating their own reports.

The OP is particularly interested in identifying criminal websites to protect ignorant or careless web users. Spamcop is not the tool he needs to do that. As I said before, web users are protected by the use of the spamcop blocklist indirectly in that, if used to stop email from sources known to be sending spam, web users never see the spam and so are not tempted to visit spamvertised websites.

Again, there are other methods to identify and report spamvertised websites. There are also other methods to avoid them while surfing such as the McAfee SiteAdvisor. Since others have developed more sophisticated tools, spamcop is not going to try to improve what they have. It is still accurate enough to be of some use to those who have other methods to do whatever it is they want to do about spamvertised websites.

IMHO, there is very little chance that criminal websites will be eliminated online any more than criminal activity has been eliminated offline. Netizens will have to learn to be careful just as they are offline. And, if they don't, they will fall victim to various scams - some more serious than others. However, I do think that spam can be reduced considerably by the use of blocklists - especially if the receiving server blocks them at the server level. Eventually, responsible people wanting to use the internet will only use email services that are responsible and don't allow spam to be sent so that they can be assured that their email will be delivered. And they will be using email services that block spam from irresponsible networks so that they will never see any spam.

Miss Betsy

[rconner]

The part of the above quote that is not quite accurate is that knowing spam websites is useless for filtering spam. It is useless as far as blocking spam at the server level, but after accepting email, it still can be filtered by various means.

Thanks for the amplification, but I'm going to stick by what I said -- that info about websites in spam is not useful for hosts that wish to reject mail based on source. The reason is that the decision whether to reject is most often made BEFORE the body of the e-mail message is ever seen (i.e., the host would give a permanent reject code in response to one of the commands preceding the DATA command that offers the body). So, the mail host actually has no idea what websites are mentioned in the spam when it decides whether to reject.

I agree that the website info is VERY useful for MDA-based filtering (where the mail has been accepted for delivery, but can be detained in a separate "spam queue"). This is where SURBL, URIBL, SpamAssassin, Bayesian filters, et. al. come into play.

-- rick

[Miss Betsy]

Exactly!

Miss Betsy

[Rapakiwi]

Exactly!

Miss Betsy

Exactly! Even I can agree with that statement! :-)

This last note is to thank those who attempted to analyze specific spam letters from tiny fragments I posted. I read and always appreciate the links offered me (especially those from Wazoo, which I always read), but my only interest was in knowing why I needed to examine reports to ISPs supporting illicit websites. Clearly that would be the only ip address NOT hidden from me. I just hadn't time to do this. No matter; I've found a happy solution that may help others, even Microsoft users. This letter may offer ideas (and does offer links) for Mac users. My ending post.

Victims

During my absence (a blocking list sending letters was a migraine-aura typo, BTW), I thought of a way of quickly reporting spam to both KnujOn and SpamCop, reporting 'spamvertized' websites. The sites I just couldn't ignore, since the very professional letters selling sex-enhancing drugs and diplomas are purposefully written in an illiterate manner. These appear designed to hook young Americans, who are using their parents' credit cards. Perhaps yours.

'Additional Comments from Recipients'

Rather than type a personal message on each report, as I used to do (and took too much time), I prepared on Mac's 'Tiger' OS a simple text letter with my most common remarks, under headings based upon KnujOn's classification (Phish, Drugs, Counterfeits, Software, &c).

Thunderbird Forwards by Attachment

Now, when I forward spam (by attaching it to an empty file) using the forward toolbar button on Thunderbird, I forward all the day's drug spam to both Drugs <rx[at]coldrain.net> and SpamCop's address given me. Quite soon, SpamCop will ask me to verify my report (which is very good).
Select an Appropriate Paragraph, Drag & Drop

In the corner of my Desktop is my text file. I examine the report, the spam, select an appropriate 'generic' paragraph from my text letter, drag it to the box on SpamCop, and modify the comments specifically for that spam letter. This removes the slowest part of reporting spam to SpamCop, and appears satisfactorily fast. That solved my problem of wanting to quickly report illicit websites as well as spam letters. (spam is not my profession.)

The Haku & KnujOn extensions to add-on

The Add-Ons to Thunderbird that forward my junk folder to various agencies are not for me: forwarding the spam to more specialized addresses and giving it (at SpamCop) my real e-mail address and personal remarks are worth the extra effort, if I could afford the time. Now I believe I can. I do find these useful, though:

Alerts are more Important to me

Growl for Mac's 'Tiger' OS
http://www.versiontracker.com/dyn/moreinfo/macosx/24638

Growl Mail for Apple Mail notifications
http://growl.info/extras.php#GrowlMail

Growl Thunderbird Notifications (now built-in, I think)
https://addons.mozilla.org/en-US/thunderbir...owl&cat=all

Growl used to work well (before Apple crippled my G3 iBook) with ClamXav Sentry and Apple Mail.

One's Speaker has a Use

Mail in my Inbox is scanned automatically for malware, and the 'music video' alert pops up a translucent black screen with sender & subject, so I know whether to stop working. Mail in the Junk folder is announced by voice, and malware is announced by both (with a persistent message window). I either found or recorded spam.aiff, malware.aiff, and error.aiff, which I put in

/Users/Me/Library/Sounds/

So, a simple collection of my favorite paragraphs with audio alerts allows me to now report spam in a timely manner with little effort.

Thank you all very much anyway for all your advice and helpful links.


Rapakiwi

PS. Occasionally I do receive solicited mail with hyperlinks. Never have I opened one without checking whether it is a real link to a friendly domain, or a name or image of that domain that would take me to Baluchistan. (Now on a Mac one can just wave the pointer over it.)

[Rapakiwi]

This letter may offer ideas (and does offer links) for Mac users. My ending post.

Sorry, but here's an addendum to it for Thunderbird users. While adjusting Thunderbird, I asked it to warn me of 'e-mail scams' and 'spam'. Though I received hundreds of spam letters with frightening web links, no warning ever appeared. (Phish I'm no longer sent, after I started reporting it: almost all my spam comes from one organization, in Asia.)

Finally, today, a dire warning of an e-mail scam appeared. It was my monthly book catalog from Dover Publications. I don't know about others, but I consider most of their books outstanding bargains. The message is, at the moment, use more security than that offered by Thunderbird. :-)


Rapakiwi

[Axxxim]

Dear US and Canada Capitalist Pigs,

If you'll notice, each XIN NET spam email will contain a simple http graphics file call to display a picture in your email. This simple code allows our Chinese government to grab and log your personal IP on our servers for our planned cyber attack support on your spoiled and selfish country! Think of what a country could do with a complete list of active and sniffed out list of IPs of its enemy. Your internet will be of no use. You're country is too Open. Long live the People's Republic!

Please wake up, spread the word and do everything to stop XIN NET now!

[Lking]

If you'll notice, each XIN NET spam email will contain a simple http graphics file call to display a picture in your email.

Axxxim, you may notice that I have setup my email app so that if an email source is not on my white list the "simple http graphics file call" will not be made. So you and your sarcastic Chinese government will only know that the email was accepted by the server. You will not know whether it was read, reported to SC or just sent directly to a digital black hole.

Oh I'm sorry, you can't tell can you. Sense you are not on my white list you can't see past the mail server. All you know is your spam didn't bounce.

Nicely played though. (IMG:style_emoticons/default/dry.gif)

[Rapakiwi]

Axxxim,

<SNIP, SNIP>

Nicely played though. (IMG:style_emoticons/default/dry.gif)

Lking,

China is likely too busy negotiating baby formulas with Taiwan to consider aggression. However, Axxxim's point (I think) is a good one, once raised by Miss Betsy. How do you verify that a letter is spam without opening it? Even after running it through your ISP's filters and your own malware filters, opening it can open many little 1x1-pixel GIF images back in ... 'China': web bugs.

SpamCop's 'filter' (please substitute the correct acronym) I can't speak of. However, the classic web bug, I've noticed, has recently been replaced with innocent-looking little company logos or signatures small enough to preferably be sent as a real image rather than a hyperlink. I should guess it hard to automatically filter these out: they could be colorful buttons, for example.

You know this, so this is written for others. Your method of 'white listing' all but your reliable correspondents is an excellent strategy, advocated by Apple. However, it doesn't solve the problem of what to do with the letter titled 'Deliver Status Notification (Failure)' currently in my Junk Folder. I received a genuine one yesterday. This one I know is spam, likely with web bugs, because it was not sent from an automated mailer or Postmaster, but from me. :-)

In the 90's, I used to just unplug the ethernet cable before reading all mail. This would work when reading suspect mail (and manually removing suspect files). Apple's Junk folder (junk status) prevents opening any images on the sender's site; but I don't know whether others' do.

This subject is in apropos for this thread. Perhaps someone could re-post Axxxim's amusing little post to a new thread, if the administrators feel this subject is one that spam reporters (average folk) should be more aware of. I have no doubt it is discussed in a help file I should have read.


Rapakiwi
Persona non Grata

[Lking]

<snip>
How do you verify that a letter is spam without opening it? Even after running it through your ISP's filters and your own malware filters, opening it can open many little 1x1-pixel GIF images back in ... 'China': web bugs.

Not true. I use the features of Thunderbird. Unless I have approved a email source, remote gif's of any size, are not loaded and Thunderbird displays this message "To protect your privacy, Thunderbird has blocked remote images in this message." There is a button if you want the images fetched and displayed. There is also an option in red "Click here if you always want to load images from Your_mothers[at]email.com"

<snip>However, it {white listing} doesn't solve the problem of what to do with the letter titled 'Deliver Status Notification (Failure)' currently in my Junk Folder.

Yes it does. A true 'Deliver Status...' contains more than remote images, for example the header of the rejected message. So there most likely is enough information to judge the true status of the 'Deliver Status Notification'. Based on the ones I have been receiving my first clue is that one of my addresses have been forged as the sender.

This is not true for the drug spam that used to be common which only contained a GIF. Of course that was a clue in its self. No one I know sends email which contains only a GIF. So when I open this type of spam with Thunderbird I see nothing, except the message "To protect your privacy, Thunderbird has blocked remote images in this message." That gives me the first clue. If I need more a CTRL-U gives me more than enough info.

IMO there is no need to move Axxxim's post. He joined, double posted his little joke and I bet he is gone. As Farelf noted he has double posted the same message in an other forum after joining. I don't think he will be back. So why bother? {edited to add a word}

This post has been edited by Lking: Dec 11 2008, 05:20 PM

[Rapakiwi]

Not true. I use the features of Thunderbird. <SNIP, SNIP>

Yes, you are right. My apology. I had forgotten that this thread was on Thunderbird.

In earlier discussions, I found that many people (using many mailing agents on many operating systems) report their spam without opening it (Miss Betsy being one), likely in wise fear of web bugs and malware; and others (including me) were unaware of the safety features (if any) that various mailing agents imposed upon their 'Junk folders'. There are dozens of mailing agents.

Most people used subject lines to easily recognize spam, and 'Delivery Status Notification' (sorry about the typo) was just an example of a subject line designed to fool the non-paranoid person into quickly opening it. (You recognized this one as spam by opening the letter yourself and finding a hyperlink inside.) Normal people shouldn't have to open mail unsafely or read full headers and check the ip addresses using, for example,

http://www.domaintools.com/

Apple's approach opens these safely in the junk folder (as does many others, I'm sure), but what should the normal person do; especially if such deceptive spam appears in their inbox? (Using a PC should be like driving a car.)

IMO there is no need to move Axxxim's post. He joined, double posted his little joke and I bet he is gone. As Farelf noted he has double posted the same message in an other forum after joining. I don't think he will be back. So why bother? {edited to add a word}

Yes, you are correct: this is the help section. I didn't mean to address this subject to help Axxxim, who has no need of help.

My posts everywhere are addressed to normal people (hence my language), just to help 'clean the sidewalk I walk on'. Individual help I offer by e-mail; but posts are for everyone. Axxxim did raise an important point the normal person should be aware of, and the normal spam reporter needs to solve. (Yes, you have already, I know.) The 'you' that follows refers to a normal person.

Apple's solution is to treat all new mail as suspicious, and open it in the Junk folder. Apple Mail's Junk folder is a 'sandbox', in which one can open any letter safely. Only if the letter is from someone in your Address Book, a previous recipient, or mail you manually marked 'Not Junk', will the new letter appear in your Inbox rather than the Junk folder. After a while, the normal user finds all Junk becomes spam.

Problems occur when you have sent carbons to your own address, and spam sent from 'your account name' appear in your Inbox with an innocuous subject line, such as 'Re: Yesterday. Habit may cause many (such as me) to open it (which is why I have it automatically checked for at least malware first, using a method which will not protect one from malware installed by a computer to which I was automatically redirected when the letter was opened. (When this happens, I pull the ethernet and run two malware checkers (whose databases were updated when the machine booted in the morning).


Rapakiwi

[Miss Betsy]

Since most end users are technically non-fluent, many email applications now do not display images by default for senders not on the contact list. For most end users JDH (Just Hit Delete) is how they deal with spam and they rely on their providers to filter the spam to the junk folder.

Since I have become interested in spam and how it is dealt with, if I think I need to open an email that might not be spam, but that I don't recognize, I use the message source (I used Outlook Express and now Windows Live for my email application). I learned how to do that from people in the spamcop community of users.

Interestingly, I used to receive the Dover Books newsletter at a hotmail account and no longer do so. Dover must have had some problems with their mailing list or how they sent it to be tagged suddenly as spam. Perhaps, as spam filters get more aggressive some methods that used to work no longer do. Although companies tell you to add their newsletter addresses to your contact list, I usually don't want to bother so many newsletters that I used to receive I no longer do. As I rarely read them until I want to order again, it is no loss. Many people don't even use their email very much any more because they don't want to take the time to adjust filters, add contacts, etc. to make their inboxes useful.

Miss Betsy