Hello there!

There are some spam gangs operating via this (so called) " hosting service ", domain [ datacorpore.com.br ]. Some seasoned spammers moved there and I see more and more of this trend. I would already consider it yet another Brazilian safe haven.

They do however offer a "Security Office / Abuse" reporting address [abuse[at]datacorpore.com.br]. SpamCop isn´t using it at the moment. And that´s my point. All reports are being sent to [contato[at]datacorpore.com.br], the whois contacts and that´s simply a waste of time and resources.

I would certainly have added to the SpamCop reports yet, mail-abuse[at]nic.br, plus cert[at]cert.br and possibly the upstream provider to [ datacorpore.com.br ].

What do we do about that?

Thank you.

fgs,

Not to question you research or good intent, but take a look at what you suggest from this side of the screen.

1. If I were a spammer, and didn't want my ISP to receive reports from SpamCop, it would be clever of me to get SC to send the reports somewhere other than the registered abuse address. Now if you have knowledge that the whois Abuse address is incorrect, that is a violation of the registration and should be reported.

2. If SC were to accept your information, the abuse record for datacorpore could be updated manually. The data would revert the next time an automatic check of the whois was made. The record for datacorpore.com.br could be flagged to skip the automatic update, which would almost assure the record would be out of date. You suggested 2 other domains would need manual updates. What is the total number? How many manhours would it take to maintain the abuse lookup db? How would you prioritize the job if you don't rely on whois?

Now a provider that may be making money from the spammers, as you suggest, has it both ways. They didn't receive any reports because they weren't sent to their "whois abuse" address or they admit whois is out of date and reports weren't sent to the correct address.

A white hat provider won't have these issues and will respond to all reports. If the provider is supporting the spammers, it doesn't make any difference where the reports are sent.

I see the abuse.net registered addresses are:
postmaster[at]datacorpore.com.br (for datacorpore.com.br)
abuse[at]datacorpore.com.br (for datacorpore.com.br)
I see datacorpore.com.br website has the address abuse[at]datacorpore.com.br
I see nic.br advice for the whois.lacnic.net record(The last bit presumably the same for all .br registrations).

I am not sure what they might make of it but the procedure would be to e-mail the deputies - deputies[at]admin.spamcop.net - with your evidence and suggest they consider a change of reporting address. Much would depend on their experience with cert.br, in terms of the generic advice.

As Lou says, whether they're whitehat or blackhat, it is hard to see a change of report address making much difference - unless, as you say, the upstream provider is contacted instead/as well - and is more reactive. Just who that 'upstream' might be, I have no idea - the map of that network - http://www.robtex.com/dns/datacorpore.com.br.html - is beyond my comprehension (and there is no whois immediately available for AS28271).

From http://www.senderbase.org/senderbase_queri...a%C3%A7%C3%B5es
I see just a handful (9) actively sending IP addresses that have been registering on RBLs (including SC). There may be others not seen by SenderBase - the deputies would know.

Dear Lou,

Thank you for your reply.

I think we should maybe skip "contato", "abuse" or whatever @ datacorpore.com.br and add mail-abuse[at]nic.br, cert[at]cert.br which are "statistical" addresses for the short term and mainly add some upstream provider abuse desk to it.

Regarding you being a bit cautious about my real intent, take a look at this URL [ http://pabx.datacorpore.com.br/site/Contato ] which is advertised contact info for this operation.

Please consider this:

1) This is serious matter. I wouldn´t be wasting my work time to write it.

2) As I said, more and more spammers are moving to this safe haven. I bet they have good reasons for that.

3) SC users like me are wasting time and SC´s resources.

Looking forward to read from you again,
Fernando.

As above, missed or ignored.

Had two spams reported this morning to abuse[at]datacorpore.com.br instead of contato[at]datacorpore.com.br. SpamCop used "best contacts" this time around.

Thank you.

Still, I do think mail-abuse[at]nic.br and cert[at]cert.br are good addresses to be copied as well. Those addresses are for statistic purposes, I think. If I got it right, domain datacorpore.com.br is very likely to get high on their public lists of most active spam sources and hosts in Brazil.

Take a look at this URL:
http://www.antispam.br/estatisticas/

I´ll keep an eye on it. Last resort is to add their upstream provider.

Regards,
Fernando.

+1
Ellen added them as 'interested third parties' on a few blocks for me but she didn't know why SpamCop had stopped autoadding them. There are now many BR blocks that do not include a report to cert.br. It would be nice if that could be fixed.

It was interesting (but no surprise at all) to see Oi/Telemar (sources) and hospedagemdesites/locaweb.com.br (hosts) at number 1. The former probably is in line with the size of their customer base but the latter really deserves to be 'Intercaged'. They were very slow pulling some trojan distribution sites I reported to them (some were still up last time I checked). They are happy to hit 'spam will cease' on reports of smartfarma's weekly spam runs and do squat about it.


I have a pet spammer on datacorpore so I'll keep an eye on it too. Datacorpore's upstream is Brasiltelecom so I don't think that would help much. Some of Brasiltelecom's upstreams, on the other hand, have very large cluesticks!

I have a few (very important) comments to make on all of this.

On SnowBat´s comment about hospedagemdesites/locaweb.com.br specifically, they suffer from a huge client base too and seems they have lost hand dealing with a growing abusive base. Must be pretty tough to act against wide spread abuse from inside countries like Brazil deprived of legal grounds to deal with.

Back to [datacorpore.com.br], their real name or at least main domain is [hostgold.com.br]. They seem to have partnered with cjbhost.(com, net).br, running things like "watch replicas", "your new shampoo miracle" and "mailing lists services". "cjbhost" I know for a fact is a convicted spammer as I was contacted a few (years!) ago by a representative of yet another network operator "cjbhost" was operating from at that time asking if I could help them in their legal actions against "cjbhost" by means of providing spam evidences. "cjbhost" moved on, as we see now, to "Brasiltelecom" in hopes (they) won´t do much effort to stop them.

Furthermore, local registration for the company behind domains [datacorpore.com.br / hostgold.com.br] looks very suspicious, being nowhere near a big city centre. They certainly can´t run anything from that address.

As I said above, I take this situation very seriously as more and more networks in Brazil are being built "spam-ready"; take as yet another example, abuse[at]embratel.net.br which stopped receiving complaints. Not to mention Brasiltelecom operations merged with Oi/Telemar creating a giant spam backbone.

Bottom line is that´s pretty much done deal for spammers (on their favor). Ain´t much we can do about it unless sit and watch.

Regards,
Fernando.

The problem of spammers infiltrating Brazil networks is, as you say, a serious problem. The only thing, however,that spamcop does is to put IP addresses on a blocklist which most server admins use to filter spam, although a few do block email from IP addresses on the spamcop blocklist.

It is the people in Brazil who need to be educated. I don't know how you are going to accomplish that. Someone did finally get to the McColo upstream, but I don't think it was spamcop reporting that convinced them.

My solution is to block them. My son said years ago, "Hey, I actually got a legitimate email from Brazil." It is not a new problem, I don't believe. When Brazilian entrepreneurs have difficulty reaching their clients,then possibly they will insist on better control.

Miss Betsy

The whole point of this thread of mine is to convince SC´s admins to broaden the scope of some of their reports. In the case of [datacorpore.com.br] and their partners in crime, we should at least get mail-abuse[at]nic.br + cert[at]cert.br informed plus their datacenter operator, meaning, BrasilTelecom. Companies like BrasilTelecom, Oi/Telemar and the likes must feel the heat as their traffic get aggressively blocked.

And SpamCop isn´t doing nearly enough to help us in that sense. We´re simply wasting our time reporting to abuse[at]datacorpore.com.br or whatever[at]datacorpore.com.br solely.

No matter who the report goes to, the IP address is added to the spamcop blocklist. Those IP addresses are probably also on other blocklists. APEWS is the only list, I believe, that lists blocks of IP addresses where spam comes from. So it won't change what is happening as far as blocking goes to change the reporting address.

Sending reports only is effective if the person getting the report wants to listen. The farther upstream you go, the less interested they are. As long as people are willing to pay them for the bandwidth, they don't care what use it is put to. People don't want to pay for services if they can't rely on their email being delivered. So the trick is to get people demanding good service.

McColo operated for a long time before the upstream finally was convinced that they should do something. If I remember correctly, it was as though they had never heard complaints before, but all at once, they saw the light. I am sure that they were getting all kinds of reports all along, from spamcop as well as others.

If you want to make an impression on BrasilTelecom, Oi/Telemar and the likes, I suspect that more than spamcop reports will be needed.

You are not wasting your time reporting the IP addresses because they are added to the spamcop blocklist and those who use the spamcop blocklist will not receive spam from those IP addresses.

Miss Betsy

Miss Betsy,

If we could get all [datacorpore.com.br] reports copied to mail-abuse[at]nic and cert[at]cert.br, as they should, that would be great. That´s one point.

I insist that a broader scope is needed. That already happened to abuse[at]gvt.net.br, I think. All reports hitting abuse[at]gvt.net.br get some Telefonica backbone copies. [datacorpore.com.br] is at least 2 layers down the road to a major overseas backbone provider.

Those datacenters, backbone operators are publicly traded companies. Brasiltelecom/Oi Telemar is. They certainly have some sort of corporate policy in place but can´t do much of a battle against abusive behaviour lacking the legal ground tools to make it.

And I always remember all those companies making money out of anti-spam products, just like the whole virus industry does. What´s the point of doing an effective anti-spam effort?

Anyway,

Fernando,
There seems to be two points that don't make it from one post to the next as I see things.

1. The primary objective if SpamCop is to build a list of IPs that are currently sending spam so that users of SpamCop's list can sort out spam by known sources. This includes adding IP addresses to the list as new spews of spam start and removing addresses as the they stop spamming. All other activities are secondary including sending reports, a teasing out spamvertised addresses or any thing else from the body of the spam.

As an adjunct reports of spam are send to the best known abuse address to inform responsible ISPs that spam is coming from one of their IP addresses. Giving everyone the benefit it is assumed every ISP is a whitehat. Some are not and the effort to send reports where they are not wanted is saved. You will see in your spam report evidence of this: Comments like 'I know this abuse office and will send a special message', 'ISP requested not to receive reports', or messages going to nil. Keep in mind that all of this is secondary to effectively, accurately building the list of IPs that are generating spam.

2. If what you say is true and the companies you identified are supporting spamming operations (I have no reason to dough you), what good does sending a spam report to them do? Send the report to the listed Abuse address, the abuse address on their web page, send it to their grandmother. If the growth market in their business is supporting spammers why would they take any action to stop, reduce their growing source of income? Who upstream is motivated to take action? No one. As long as none of their other clients are being effected, 'pay me by the Mb to send your stuff on.'

You are correct as a publicly traded company they do "have some sort of corporate policy in place." That policy is to make a profit. The data centers, backbone operators make profit based on the amount of data (emails) clients send to them to send on to the world. It makes no difference directly to their bottom line if no one read (or receives) what their client wants sent.

Again what motivation does the backbone operation have to reduce the volume of data they pump onto the internet and there by reduce their income?

What advantage does spamcop have to change their ways? All of these spammers are on the SCBL. It has not been demonstrated that additional expenditure of resources will make a difference.

Sounds cold but $$ is where its at.

Public Opinion can change corporate policy and so can stockholder opinion.

It seems to me that what you are saying is that if the upstreams got reports, then action would be taken. I seriously doubt that. However, something convinced the McColo upstreams after years of reporting. I don't know what it was. Whatever it was, or a serious consumer education campaign (like Ralph Nader did), might also work in Brazil. Also, Comcast apparently finally cleaned up its act. I don't know why, but I suspect it was some kind of pressure. Probably not my comment on this forum that if some Comcast customers knew that Comcast was deliberately allowing zombies to spew porn spam, the Comcast customers would be appalled. However, if I had the same mindset as spammers, I could have started an e-rumor to that effect to those correspondents I know like to FW FW and that might have made a difference in their policies when they started to get complaints.

It is not a waste of time to report spam even if the reports go to non-responsive server admins because the IP address is listed.

Miss Betsy

...IMHO, Miss Betsy got it: "... if some Comcast customers knew that Comcast was deliberately allowing zombies to spew porn spam, the Comcast customers would be appalled." Do Comcast customers know that Comcast was allowing [deliberately or not] zombies to spew ... spam..."? Already-educated (about spam) customers did; others may have discovered this in searching to try to figure out why their e-mail was not being delivered, as Comcast servers started showing up on IP blacklists. With increasing customer information, the profit motive can work to reduce spam! The remaining hole is represented by the intentional spam-friendly providers -- those can be addressed by Miss Betsy's oft-mentioned suggestion that in continuing to identify spam sources we reduce their ability to effectively spam as other providers block or label their spew as spam and we migrate towards a two-tier provider environment.

Actually I don't believe the Comcast mail servers ever did show up on any blocklists, . Server admins blocked all of Comcast's IP addresses, but 'punched holes' for the mail servers so that the server admin's customers didn't complain that they couldn't get email from Aunt Minnie or clients who were using Comcast. Comcast didn't allow any spam from their mail servers. It was all the zombies. So, unless you did become interested in anti-spam efforts, you wouldn't know.

Comcast is not the only one. I remember reading a comment from a server admin who kept his mail servers clean, but let all the zombie traffic go out through the computer that screened incoming mail for viruses and spam. He didn't care if its IP address got blocked because it never sent legitimate mail.

So it was some other 'pressure' that was brought to bear on Comcast than public opinion. I am not enough of an insider to even make a guess what that was. It could have just been a really persistent employee who managed to get himself heard. A long time ago in the ngs, there was a Chinese server admin who was trying to tell his bosses that spamming was a really bad idea. And, I believe, that there are actually Chinese server admins who do try to stop spammers. There was one who came to the forum, IIRC, and asked advice. And, didn't rconner say that he had actually gotten a positive reply from Russia? There are decent, responsible Chinese and Russians who understand the spam problem, but they face the same problems as some server admins do here - from marketing departments and bosses who just don't understand what needs to be done.

I haven't heard any speculation on why the upstreams who killed McColo, 'all of a sudden' realized how big a spammer he was. I am sure they had gotten many, many reports from Spamcop and others over the years. So, why did they suddenly 'hear' them? Maybe some people have guessed, but since I don't frequent any forum except this one, I don't know what the guesses might be.

And, there is a guy in California who has been around since the very beginning of the internet before www. He is a genius and a little bit nuts. He deliberately still has an open relay, not because he is a spammer, but for some other reason (perhaps as a good neighbor? Which is what open relays originally were used for - like those stocked cabins in the mountains that anyone can use.

Miss Betsy

...Hmm, I thought we used to have Comcast servers implicated in spam, for example 76.96.62.61.

There might have some - just like hotmail has some still - in spite of best efforts to stop spammers. But even so, many server admins poked holes for the servers, I bet, and depended on content filters to stop spam from Comcast.

And there might have been a lot, but they cleaned up their servers a lot faster than the zombies. I don't remember exactly, but the point was that there is no pressure involved in blocking zombies who are not using servers. It stops spam from entering your network, but it doesn't put any pressure on the owners of those IP addresses to address the problem. Something else persuaded Comcast to do that. For all I know the owner who let zombies use one of his computers is still allowing spam to spew since his mail servers are clean.

Miss Betsy

Maybe, I'm not sure/convinced. The evidence, either way, is out there somewhere (botnet 'scoping' and other esoterica, though certainly indicative rather than absolute), all I have at this point is inference but pressing on with that ...

I had occasion (elsewhere) recently to look at a /16 CIDR range in SenderBase, owned by another provider. Now, using the same approach, Comcast is allocated the entire 76.96.0.0/11 - addresses in the 'block' 76.96.0.0 - 76.127.255.255 or 2,097,150 possible IP addresses. But SenderBase can only deal with /16 lookups - 65,536 addresses - at a time. Looking at a few /16 blocks within their allocation 'at random' - like 76.96.0.0/16 (76.96.0.1 - 76.96.255.255) shows IP addresses 'seen by SB' as 646 for that first /16 (~ 1%). Many addresses shown are mail servers on static assignment with neutral or (mostly) good SBRS (reputation scores). Just a few have no rDNS and/or the mysterious statistics of 0.0 daily magnitude and 0.41 (or 0.71 or 0.88) monthly magnitude. Subsequently, with some higher-number /16s, there are more IP address sightings (up to 3% of the range or ~ 2,000), dynamic assignments, more of the above 'mysterious' magnitude stats, more "Poor" SBRS ratings.

Comcast is also allocated 68.80.0.0/13 - 68.80.0.0 - 68.87.255.255. The story there is much the same - for the first half of the range. Apparently dynamic assignment, 2-4% of the range 'seen' by SB, raddled with the mysterious magnitude figures (0.0 & 0.41, etc.), poor SBRS, a scattering of DNSBL listings. There is the occasional daily magnitude, seldom above 2.3 (~ 4,000 messages). The second half of the /13 has very few records (not in use yet?)

Now, if there were a smart botnet or two, sending out up to 4,000 messages from a single machine/IP within a daily period then going dormant for a month or two (staggered with thousands of others doing the same, spread by design over the whole period of the cycle) that would be a 'snowshoe' operation which would be difficult to counteract (except by blocking dynamic sources), detect or eliminate. And that would be one interpretation of the figures. I don't really know enough about the SB operation/methods/results to know with any degree of assurance (for instance what, exactly, is the 'monthly' magnitude figure? - I've assumed it is the average daily magnitude for the previous month but it could be any of a number of quite different things). There's a limit to the amount of unremunerated research to which I am prepared/allowed to apply my haphazard and largely inadequate skills .

By the way, that 'other' case. A user with another provider was investigating the reasons for being threatened with account closure by that provider. He had the equivalent of about a /21 (+2,000 IP addresses) though address ranges unknown - or even whether all within the one /16 not quite disclosed. There are a number of interesting aspects to this, one of which being the 'mysterious' daily magnitudes for the /16 investigated was very much in evidence, with about 4% of available addresses showing up on the SB lookup (though by no means all of them with the same magnitudes discussed here). But anyway, maybe it really is the 'background hum' of something like a snowshoe botnet. Or maybe a totally different phenomenon. Some peer-to-peer backwash? I don't know enough. Another point being neither the user nor the ISP appears the least bit concerned about any botnet possibility that it might indicate (though maybe it's just none/few of the implicated addresses was/were involved).

A completely different matter of interest is that the closure is not threatened for actual spamming as such but due to (possible) 'scanner-like' activity when incoming responses to probes (made to TCP port 37153) were detected by ACMA (Fed authority), apparently initiated from within the implicated address space. OK, participation in The Australian Internet Security Initiative (AISI) is 'voluntary' (without knowing cost-benefit detail, inducements etc., associated with it) but hard to see anything similar gaining much traction in the land of the free. Or Brazil. Still, one must admit it is, indeed, an initiative. That other discussion at http://forums.whirlpool.net.au/forum-replies.cfm?t=1208490 if of interest. Not well handled, not yet resolved, but early days still, I guess. The sun-bronzed ANZACs as ever forging ahead in the race to create the all-enveloping 'nanny state'. Canadians are about to lose their lead .

Well, if you want to deal with facts....<g> Seriously, my information is solely anecdotal. People were, in the past, always complaining about Comcast, 'poking holes' came from another comment by a server admin, and the idea that Comcast had cleaned up its act also came from a recent comment. I don't have the technical expertise or the time to back those statements up.

When a single end user, like the OP Fernado (and he is not the first), finds out about spam activity and wants to stop it, it seems so simple. There they are; tell someone responsible. But it is very complex. There are all kinds of technical difficulties and economic considerations and layers of people with different ends to pursue and each layer has both competent and incompetent, ethical and unethical components.

End users have almost no control. They might, if they were stirred to action by a consumer advocate like Ralph Nader. Large corporations like Comcast don't seem to respond to anything but pressure against their bottom line.

Blocklists are basically defensive, rather than an offensive move to control spam. Reporting, whether on spamcop or hitting the 'junk' button on hotmail, is primarily a way to collect statistical evidence to forge a better defense. Contacting the source of spam could result in action against the spammer, but for a number of reasons, does not, at this time, usually result in stopping the spew.

Blocklists effectively stopped spammers from getting service directly so they resorted to indirect methods that are not so easy to stop.

And, that gets back to my original point: What influence finally woke up the McColo upstreams and, if Comcast has cleaned up its act, who, or what, persuaded them? Not spamcop reports. Spamcop reports can alert people who are already inclined to be proactive against spam to a spam problem, but they don't persuade anyone to be proactive. The blocklist is what wakes up those who aren't already anti-spam. If they are a big enough player, even the blocklist isn't a persuader. So what is?

Miss Betsy

I just would express that I'm totally disappointed with SC not getting mail-abuse[at]nic and cert[at]cert.br copied for the crap coming from [datacorpore.com.br] or whatever at the BR networks. My daily count on sh*t coming from this particular network is around 6.

No IP seems to be blocked anywhere.

They just laugh at us! Sometimes I'm forced to face the reality of SC being just a waste of time.

Seriously, let's face it!

Did you contact the deputies with specifics Fernando? I tried to indicate some supporting research, but we are just other users, the deputies are the ones to make any changes and they have a broader view, past experience with many of the networks on the effectiveness of reporting (but would welcome help in pinning down specifics). You may have noticed the request for a reporting change in a concurrent topic, http://forum.spamcop.net/forums/index.php?showtopic=10402 - that was quite fully documented, relatively straight-forward, there was a previous 'history' concerning reporting in that area and the deputies appear to have made the change.Exactly, there is no 'magic bullet'.That (McColo) has been the subject of much discussion and my impression of it all was it was a concerted effort from a number of people, using Complainterator-type evidence, in depth and and in overwhelming quantity but that still doesn't really explain it.

Look, well, maybe this discussion is a bit broader ("living and learning" so to speak) when it comes to SC´s admins behavior towards Brazil specifically.

For them, I would suggest a look at this URL:
http://www.cgi.br/internacional/index.htm

I don´t get why is being so hard to convince people around here to copy mail-abuse[at]nic.br or cert[at]cert.br.

You don't have to convince other users, you have to convince SC staff, most of whom don't look in these forums, those that might do have other things to do most of the time. As it says at the top of the page "This is a User to User Support Forum".

... Were you saying that SC´s admins have broader view and past experience, etc?

I think it´s time for them to step in to light and clarify ordinary users like me about that.

Yes, we would all welcome more involvement and feedback, something expressed many times. There are obviously limits to what can be prudently said in public but there is much opportunity for our 'education and enlightenment'. But maybe the same can be said about any product or service provider, I think. We must do what we can to help one another - and be thankful we at least have venues for that ('here' and the newsgroups).

Are you saying that, in spite of your reporting, that these IP addresses have not been added to the spamcop blocklist? Nor, have they appeared on other blocklists that rely on other criteria? If that is what you mean, then, perhaps other people are not receiving spam from these people. I can't remember - have you posted some IP addresses that you think should be on blocklists, but are not?

SC's purpose is not to force spammers out. The reports function of SC is to alert those server admins who are interested that there is a problem on their network. Since there are few mistakes on the part of responsible server admins and apparently fewer server admins who have not had adequate training to detect spamming activity on their servers, most reports go to unresponsive abuse addresses. Spamcop seems to handle these in two ways: one is to send reports to devnull (in other words, the reports are not sent) or to send reports to those upstream who may be interested. Since I am not very good at doing the kind of research that is necessary to show the deputies that the reports need to go somewhere else, I can't advise you on what the deputies require in order to change the abuse address.

Whether spamcop does, or does not, send reports, the IP address is added to the scbl. There is a complicated algorithm that determines when an IP address is listed. Reports, no matter how many, from one reporter will not list an IP address.

If you are not, in some way, using the spamcop blocklist to filter out spam, then you are wasting your time if you expect reporting to spamcop will reduce the amount of spam you receive.

It is not that people are not listening to your arguments. You need to provide technical evidence that reports need to go somewhere else.

What I have been trying to tell you is that where you send the reports is probably not important. The important thing is to add the IP addresses to the scbl. If these are as terrible spammers as you say they are, then the IP addresses they use to send the spam should be on several blocklists. If you are talking about a website that is found within a spam sent to you, then we are talking about something different. Spamcop is not the tool to report websites that advertise via spam.

If you have not emailed the deputies with your suggestions, then you should do so if you want something changed. I am a user like you and I cannot change anything that you can't change. If you don't get a satisfactory answer from the deputies, then you can tell us what they said. Depending on the user, some will be sympathetic with you; others may try to point out why the deputies answered as they did. If you do contact the deputies and you get a satisfactory answer, please let us know. Then, we can tell the next person who has an idea like yours, what will satisfy him or her.

Miss Betsy