Full Version: SpamCop Glossary Archive
Wazoo

Link to SpamCop Glossary (consolidated) Alphabetical listing of the glossary

Edit note: when the forum software was upgraded, HTML font sizes were displayed differently. The oversized headings found in the earlier entries are a result of that change. Since this is an archive of the original entries, no attempt was made to correct the display size. The font size was corrected in the active (consolidated) glossary.

The following begins the first post which was the starting point of the SpamCop Glossary:


last edit 21 June 2005

Backscatter, Blowback, Misdirected Bounces
Delayed bounces, virus notices, out-of-office messages and other forms of auto-responses that are frequently mis-directed, basing their targets on data found within forged header lines. In the past, these types of notifications were a nicety. However, as the spammers have once again used a "feature" of something developed under the "trusted users" model to aid in delivering their spew, this activity of e-mail servers has moved into the "bad" zone. More desirable these days is that the non-deliverable e-mail will be handled at the time of attempted delivery, such that any rejection notice required is supplied to the sending server, rather than a possibly innocent third party.
See also: http://www.spamcop.net/fom-serve/cache/329.html http://spamlinks.net/prevent-secure-backscatter.htm

Content-ID: / cid:
The Uniform Resource Locator (URL) schemes, "cid:" and "mid:" allow references to messages and the body parts of messages. For example, within a single multipart message, one HTML body part might include embedded references to other parts of the same message. (extracted from http://www.ietf.org/rfc/rfc2111.txt )

Domain Name
Domain names have an important role in Internet traffic. They provide a straightforward basis for contact with computers, websites and electronic mailboxes belonging to companies, other organisations and private individuals. Using a domain name, an Internet user can, for example, find the site belonging to a company and thus obtain information, view the company’s catalogue, place an advertisement, perform a financial transaction, place an order or whatever. In short, domain names make the Internet usable.

Domain names are derived from the unique numbers that all computers on the Internet have. These numbers are known as IP (Internet Protocol) addresses and consist of figures only. Unfortunately, long numbers aren’t very easy to remember, so it was decided to use a system whereby you can have a name that corresponds to an IP address. The Internet uses what are known as ‘domain name servers’ to look up the numbers (IP addresses) that these names correspond to. Every domain name is made up of at least two elements. The last element of the name is called the top-level domain. Country code top-level domain names refer to countries; so, for example, there is ‘.nl’ for the Netherlands, ‘.be’ for Belgium and ‘.de’ for Germany (Deutschland).

Not all top-level domain names relate to countries, however. The most commonly seen top-level domains were agreed upon as an aid to identify the type of site you were going to visit. These include ‘.com’ for commercial, ‘.org’ for organization, '.edu' for educational, ‘.net’ for network, '.gov' for government. Recent additions include '.info' for informational and '.biz' for business. However, it must be noted that spammers and hucksters have managed to further muddy the waters that these 'identifying' names were supposed to represent.

The item in front of the top-level domain name is usually the company/personal/entity name of the folks behind the web-site.

The "www:" in front of all of this is also (mostly) a convenience, letting the user know that this is a web site normally accessed via a web-browser using HTTP (HyperText Transfer Protocol) .. You may also see "ftp:" (File Transfer Protocol) or "news:" (Network News Transfer Protocol)

Items seen between the first "protocol" bit and the company/personal/entity name are basically there to guide you to a certain/specific area that is hosted by the folks behind the name. Items seen after the Top-level Domain name (separated by a "/") will take you to a specific web-page on that hosted web-site.

HTTP
HyperText Transfer Protocol - The protocol for moving hypertext files across the Internet. Requires an HTTP client program on one end, and an HTTP server program on the other end. HTTP is the most important protocol used in the World Wide Web.

IP Address
Each device connected to a network, be it a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet has an assigned unique IP (Internet Protocol) Address which identifies that specific device to the rest of the network. For example, Show me my IP Address will take a look at "your" computer and list the address of "your" system. (if you are using a modem to dial into your ISP, this number will likely change at every connection ... cable and DSL modems may have the same address for quite a while) Your ISP has a pool of IP Addresses, some are used to provide their customers with a unique address when on-line, others the ISP use themselves for things like running an e-mail server to handle all the incoming/outgoing e-mail for their customers. (NOTE: the above is very simplified. If/when all the other techy stuff gets added, this block will be revisited and a bunch of items will be added, like "See TCP/IP, Network Protocols, Proxy, etc.)

For more info;
http://computer.howstuffworks.com/question549.htm
http://www.webopedia.com/TERM/I/IP_address.html

ISP
Internet Service Provider .... the company you are giving your money to that lets you then connect to the Internet, send and receive e-mail, interact with some strange people, check the weather without having to get out of bed .. all those important things

Joe Job
1. A "joe job" is a spam run forged to appear to come from another innocent party, with the intention of generating complaints about the victim and damaging their reputation.
2. A Joe job is an e-mail spam designed to tarnish the reputation of an innocent third party. Despite having existed since at least 1996, Joe jobs are uncommon compared to other types of spam because they provide no commercial benefit to the Joe jobber.
3. A "joe job" is something far above and distinct from the all too typical spammer construct of a "From" Address Forgery

For more info:
Why am I getting all these bounces?
http://spamlinks.net/faqs-joejob.htm
http://en.wikipedia.org/wiki/Joe_jobs

Mail-Host Configuration
Procedure of "training" the SpamCop parser to identify the mail-hosts / e-mail servers that "your" e-mail travels through on its way to your InBox. The primary purposes of configuring your account are to help identify some spammer forgery and manipulation of the spam headers to point to innocent ISPs and to help prevent folks from reporting themselves or their own ISPs. Nothing is foolproof, blindly trusting any tool is silly, so the requirement that you verify the parser analysis and report targets is still a mandatory part of the agreement between you and SpamCop. It has been stated that performing this configuration on your account will be mandatory at some time in the future.

Mung / Munge / Obfuscate
Mung (or munge) is computer jargon for "to make repeated changes which individually may be reversible, yet which ultimately result in an unintentional irreversible destruction of large portions of the original item." It was created in 1958 at the Tech Model Railroad Club, at the Massachusetts Institute of Technology. In 1960, the backronym "Mash Until No Good" was created to describe Mung, and a while after that it was revised to "Mung Until No Good"—making it one of the few recursive acronyms.

Mung originally had two main meanings: to make large-scale and irrevocable changes to a file and to destroy something. A person who vandalizes a Wiki page would not be munging that page because the changes could be reversed. In the early text-adventure game Zork, also known as Dungeon, the user could mung an object and thereby destroy it, making it impossible to finish the game if the object was an important item.

The spam epidemics of the 1990s have created a new meaning for mung: to modify an e-mail address so that humans can readily reverse it but robots and address harvesters cannot.

Mung also sometimes stands for Multipurpose Unilateral Nonsense Generator, which is a program that will take web pages and run algorithms on them to make them read as if said in a dialectical manner.
(extracted from http://en.wikipedia.org/wiki/Mung)

Phish / Phishing
The practice of sending bogus e-mails that try to trick people into revealing private and / or financial information for purposes of identity theft. AOL needs your password, e-bay is going to close your account if you don't verify your data in the next 12 hours, CitiBank needs your data to verify their records, fantastic opportunities to get a mortgage at a discount with no credit check involved, you are the 1,000th visitor to this web page, on and on, obviously idiotic ploys to get "you" to fill in the blanks.

Proxy
  • A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
    http://www.atharmahboob.com/courses/securi...ry-firewall.htm
  • An intermediary program which acts as both a server and a client for the purpose of making requests on behalf of other clients. Requests are serviced internally or by passing them, with possible translation, on to other servers. A proxy must interpret and, if necessary, rewrite a request message before forwarding it. Proxies are often used as client-side portals through network firewalls and as helper applications for handling requests via protocols not implemented by the user agent.
    http://www.freesoft.org/CIE/RFC/1945/3.htm
As defined above, a proxy can be a good thing. As such, open and abusable proxies fell into the list of things 'good' about the 'net' that spammers learned to abuse. These days, with spammers and virus writers teaming up, open/abusable proxies are no longer only something set up by an ISP/Hosting service, unfortunately cropping up around the world on home/end user computers. Folks, install and update anti-virus and anti-spyware tools, get that firewall installed. Learn to use them all.

Quick Reporting
Mode of reporting in that ONLY the source of the spam is tracked and reported. Items within the spam body are ignored. When it works, it's great within this limited scale of reporting. However, if anything goes wrong, the lack of oversight has caused problems for some users. These problems led to the creation of the MailHost configuration to minimize these errors. However, just as a hammer has the capability of hitting one's thumb rather than the nail on occasion, the decision to use Quick-Reporting should only come after verifying that the spam submittals are parsed correctly .. specifically, that one is not trying to report themselves.

Tracking URL
When looking at the Report Page of the Parser Results, the top of the page contains these words (your reference number will be different);

Spam Header
This page may be saved for future reference:
http://www.spamcop.net/sc?id=z641303267z045b750a0c3cf8aa3bfef3b3d92488bfz
Skip to Reports


This "future reference" URL is the "Tracking URL" .... As one of the IronPort "purchase" benefits has turned out to be the addition of some serious storage capabilities, the entire spam submittal is now stored (for some time). These days, things are made much easier when asking for some review, analysis, or assistance, simply copy this provided link and use it to point to the spam submittal in your query. This way, anyone looking to try to answer the query is looking at the spam submittal as the SpamCop parsing engine saw it, thus everyone is talking about the same data.

Update: those lines in the parser output now read as;
Spam Header
Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z641303267z045b750a0c3cf8aa3bfef3b3d92488bfz
Skip to Reports


VER - Very Easy Reporting
Web-based Quick Reporting, which is an exclusive feature of the SpamCop Parsing and Reporting System which only SpamCop Email System Customers may access at: http://mailsc.spamcop.net/reportheld?action=heldlog



Contributors;
dbiel
WB8TYW
WORM POOP
Viruses, worms, and anything that generates a mail message to the forged address in a worm or a virus.

This included misconfigured virus scanners, vacation/out of office autoresponders, and mail servers that bounce undelivered mail instead of using SMTP rejects.

VACATION responders
A service that you can set on many mail servers to automatically let criminals know that they can steal your identity for a specific period of time without fear of getting caught. It allows them to steal anything from your company that someone else thinks you are authorized to mail without your signature.

These criminals are also known to use voicemail vacation messages for this purpose.

VOICEMAIL
A service that you can get as an answering machine from the phone company instead of a standalone box. Criminals are known to use vacation/out-of-office notices from these to successfully steal from companies.

C/R or CHALLENGE RESPONSE
A service that issues a challenge to make sure that a human is sending a mail.

When they challenge spam and viruses, they bother innocent people.

If they use SMTP rejects, then only real senders will get the challenges.

Generally an expensive method of spam control, and spammers can easily get around the challenge if they care to by redirecting the challenge to a porn site and promising free porn to the humans that visit the site and answer the challenge.

A challenge response system that does not use SMTP rejects is prone to sending e-mail to spamtraps which will cause other mail servers to refuse the challenges.

The only way that a challenge response system that does not use SMTP rejects to avoid hitting spam traps is if it makes sure that it never issues a challenge to a forged address in a spam or a virus. And of course if it knew how to do that, it would not need to issue a challenge.

DNSbl
DNS based blocking system. A DNS server keeps track of I.P.s that meet the listing service's criteria. Also known as BLOCKING LISTS and BLACKHOLE lists.

Mail servers and other network servers can reference them to reject mail or connections, or to decide if they need to examine them further. They also can be used to indicate trusted I.P. addresses to accept mail or connections.

There are many DNSbls with different criteria.

The spamcop.net DNSbl lists I.P. addresses that spam has been reported to originate from. It is aggressive, and may list real mail servers.

Some list only I.P. addresses that have been shown to be compromised and abused by spammers. Others list I.P. addresses that are known to be controlled by spammers.
These are known as conservative DNSbls.

And some list I.P. addresses that are DHCP assigned. These are known as Dynamic lists and sometimes DIALUP lists. Many mail servers will not accept e-mail from these addresses.

There are also DNSbls that list all I.P. addresses for specific ISP's and countries.

Use of conservative DNSbls can block over 80% of the incoming spam usually without any real e-mail being rejected unless the sender's mail server has a severe security problem. Adding a good DHCP blocking list to that can eliminate most of the remaining spam with a very small chance of rejecting a real e-mail.

An aggressive DNSbl can be used to indicate if additional tests should be done on an incoming e-mail to see if it is spam or real e-mail.

rDNS
Reverse DNS. The reverse DNS is a service that returns a name assigned to an I.P. address.

An I.P. address can be used by many domain names. The rDNS name is the true name, the rest are aliases, or "nicknames".

Apparently there is a requirement that a mail server identify itself with its rDNS assigned name when it attempts to deliver e-mail.

The receiving mail server can verify this name against the I.P. address to see if it can trust the sending mail server. It is estimated by some internet posters that 80 percent of the incoming spam has bad rDNS data.

Unfortunately there are still too many real mail servers with misconfigured rDNS for many mail servers to use this easy method of sorting out spam.

Content Filter
A content filter is one that looks at the contents of a message and tries to guess if it is spam or a real e-mail.

Generally content filters are not very accurate, and as they require that the mail server allow the transfer of the body of the message, they are more expensive to operate than using DNSbls.

Generally to make up for the inaccuracies in content filters, they are accompanied by a quarantine area to check for errors.

The accuracy of content filters can be greatly enhanced by using conservative DNSbls to keep the bulk of the spam out of the mail server, and then using aggressive DNSbls or failed strict rDNS checks to determine if the content filter should examine the message.

Of the content filter checks, the one that shows the most accuracy is to look up the I.P. address that any web link in the e-mail references, and check it against a DNSbl. But you only want to do that check on e-mail that fails one of the aggressive tests, or you may miss legitimate mail discussing spam and how to fight it.

WEB-BUG
Web-bugs are used by spammers to track if a human read the message. If you have your e-mail system set to plain text, they do not work.

RFC
RFC stands for Request For Comments, but are usually what results from after the comments are done about a subject. RFCs are the rules of the internet, and e-mail.

Systems and users that do not comply with the RFCs can expect to have problems communicating on the internet.

SMTP
Simple Mail Transport Protocol. This is how E-MAIL is transferred on the Internet.

BOUNCE
Used by some as a description of undelivered e-mail.

More accurately it refers to a mail message that a mail server generates to indicate a mail message is not delivered.

RFCs allow a receiving mail server to generate a bounce, but that is no longer a good practice as for spam or viruses which are now between 50 to 70 percent of incoming e-mail, that bounce will go to some innocent victim, like you.

The preferred practice is for the receiving mail server to issue an SMTP reject code if it can not deliver the e-mail, and then the sending mail server will generate a bounce.

Since spam and most recent viruses are not sent through real mail servers, no bounce message will be generated for them.

SMTP REJECT
This is where the receiving mail server refuses delivery with a code and a brief message to describe why.

This is now the only non-abusive way for a receiving network to indicate that a message will not be delivered.

A mail server that is the front end for other mail servers on a network now should have the ability to verify that the destination mail servers will accept the message, and this is possible with current technology for such complex systems.

QUARANTINE
A place that a mail server or mail program will put suspected spam. Generally if there is a high amount of spam in the quarantine area, real messages will get lost, or be delayed.

Note that if the mail was rejected instead of quarantined, the sender would have received a bounce generated by their mail server, so would know that the mail was not delivered, so would have been able to make arrangements to get a time critical message.

Ironically, the tagging / quarantine systems are put in because of fear of rejecting a real mail message, but by not issuing an SMTP reject, they introduce human error, and are probably more likely to cause a time critical message to be lost or delayed.

BLACKHOLE
This is a system where suspected spam is accepted by the mail server or user and silently deleted. Neither the sender nor the receiver is notified.

This seems to be preferred by many companies as it means that none of their potential customers will see a rejection message, and by many users as they can not tell if a spam filter deleted the message or some other computer glitch deleted it before it got to their server. When coupled with a whitelisting system where any outgoing e-mail address is whitelisted for a response, the error rate can be almost invisible to the senders and the receivers.

As with the quarantine method, it is a more expensive method than using DNSbls.


-John
Personal Opinion Only
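
The layered policy this post describes, as an added example that is not part of the original post: conservative and dynamic lists refuse at SMTP time, while an aggressive listing or a failed strict rDNS check only selects a message for the web-link check. The zone names, hosts and DNS data are constructed, checking link hosts against the conservative zone is an assumption, and the reversed-octet query answered from 127.0.0.0/8 is the usual DNSbl lookup convention rather than something stated in the post (IPv4 only).

```python
import ipaddress

# Hypothetical DNSbl zones, one per category named in the post.
CONSERVATIVE = "conservative.dnsbl.example"
DYNAMIC = "dynamic.dnsbl.example"
AGGRESSIVE = "aggressive.dnsbl.example"

# Constructed DNS data standing in for a live resolver (documentation ranges).
A_RECORDS = {
    "2.2.0.192.conservative.dnsbl.example": ["127.0.0.2"],    # compromised host
    "66.2.0.192.conservative.dnsbl.example": ["127.0.0.2"],   # spamvertised web host
    "77.100.51.198.dynamic.dnsbl.example": ["127.0.0.3"],     # DHCP-assigned address
    "10.113.0.203.aggressive.dnsbl.example": ["127.0.0.2"],   # real server, recently reported
    "mail.good.example": ["203.0.113.9"],
    "mx.list.example": ["203.0.113.10"],
    "shop.bad.example": ["192.0.2.66"],
    "forum.good.example": ["203.0.113.80"],
}
PTR_RECORDS = {
    "203.0.113.9": "mail.good.example",
    "203.0.113.10": "mx.list.example",
}


def dnsbl_name(ip, zone):
    """Build the DNSbl query name: IPv4 octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def listed(ip, zone, a_records):
    """An address is listed when its query name resolves into 127.0.0.0/8."""
    answers = a_records.get(dnsbl_name(ip, zone), [])
    return any(answer.startswith("127.") for answer in answers)


def rdns_ok(ip, helo, ptr_records, a_records):
    """Strict check: the PTR name matches the HELO name and maps back to the IP."""
    name = ptr_records.get(ip)
    if name is None or name.lower() != helo.lower():
        return False
    return ip in a_records.get(name, [])


def smtp_decision(client_ip, helo, link_hosts,
                  a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Return (SMTP code, reason), decided while the sender is still connected.

    A 550 here makes the *sending* server responsible for any bounce, so a
    forged return address never receives one from this server.
    """
    if listed(client_ip, CONSERVATIVE, a_records):
        return 550, "client listed on conservative DNSbl"
    if listed(client_ip, DYNAMIC, a_records):
        return 550, "client in dynamically assigned range"

    # Aggressive listing or bad rDNS does not reject; it only selects the
    # message for the more expensive link check.
    suspicious = (listed(client_ip, AGGRESSIVE, a_records)
                  or not rdns_ok(client_ip, helo, ptr_records, a_records))
    if not suspicious:
        return 250, "accepted without content checks"

    for host in link_hosts:
        for link_ip in a_records.get(host, []):
            if listed(link_ip, CONSERVATIVE, a_records):
                return 550, "link host %s listed on DNSbl" % host
    return 250, "accepted after link check"


if __name__ == "__main__":
    samples = [  # constructed messages: (client IP, HELO name, hosts linked in body)
        ("192.0.2.2", "anything.example", []),
        ("198.51.100.77", "home.example", []),
        ("203.0.113.9", "mail.good.example", ["shop.bad.example"]),
        ("203.0.113.10", "mx.list.example", ["shop.bad.example"]),
        ("203.0.113.10", "mx.list.example", ["forum.good.example"]),
        ("203.0.113.11", "made-up.example", ["shop.bad.example"]),
    ]
    for sample in samples:
        print(sample, "->", smtp_decision(*sample))
```

The third sample is the case the post warns about: mail from a clean, correctly named server that merely mentions a spamvertised site is accepted, because the link check is never run on it.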
Jeff G.
Manual Report
A Manual Report is a Report that you construct and send by hand. Manual Reports should be sent for cases where you can't or shouldn't send a SpamCop Report. These cases include, but are not limited to:
  • Network Abuse that is not Spam
  • Viruses
  • Worms
  • Worm Poop
  • Bounces
  • Double Bounces
  • Attempts to Relay, Hack, and Crack
  • Newsgroup Posts that violate a Newsgroup Charter but have BI<20
  • URLs that the Parser refuses to find because of its strict adherence to standards
  • URLs that the Parser refuses to deal with because there are too many (please don't report unclickable URLs)
  • URLs that the Parser refuses to deal with because they are in JavaScript
  • Extra reporting addresses that the Parser refuses to let you add (it's limited to four), such as those found on Marjolein's Spam Reporting Addresses page, the Network Abuse Clearinghouse, NANAE, SPAM-L, and elsewhere
  • Email Addresses that you know derive benefit from spam (such as those used in 419 Advance Fee Fraud spam emails and in spam emails that do not contain even one URL)
  • Phone Numbers that you know derive benefit from spam (such as those used in diploma mill spam emails and in spam emails that do not contain even one URL), if you can figure out where to send the Report
  • Violations of any TOS (Terms Of Service or local equivalent), AUP (Authorized or Acceptable Use or Usage Policy or local equivalent), Rule, Law, Internet Standard, RFC (Request For Comments), and/or BCP (Best Common Practice)
  • Anything else that a SpamCop Admin or Deputy states shouldn't be reported through SpamCop
Although you may use the SpamCop Parser to identify where to send your Manual Report, "SpamCop" should not appear in that Report, except possibly in the Headers because you received the email through your SpamCop Email System account. Manual Reports should include a minimum of facts and explanation of facts, unless you know the recipients need more, and should be polite. If you have the time to do the research, it helps to quote the chapter and verse (specific Section or Subsection) of the TOS/AUP, Internet Standard(s), and/or RFC(s) that you think is/are being violated. When complaining about commercial use of an MSN Hotmail or Yahoo! account, for instance, I have found the phrases 'in violation of the Term "Unless otherwise specified, the MSN Sites/Services are for your personal and non-commercial use" of your "MSN Terms of Use" per your page http://privacy.msn.com/tou/' and 'exploiting that customer's Yahoo! I.D. and Email portions of your Service for commercial purposes in violation of Term 10 of your Yahoo! Terms of Service at http://docs.yahoo.com/info/terms/' and quoting of whois results to be helpful in expediting the desired results.
Jeff G.
Cache
A cache (pronounced cash) or buffer is basically a local copy or storage area that provides speedy access to stuff that is normally stored elsewhere. Computers cache and buffer information inside and outside their CPUs, in RAM, and on Hard Disks. In the interest of speed and reduced redundant network traffic and load, the Parser caches DNS, WHOIS and abuse.net lookup results (more info on them below). Information about how long the Parser caches those lookup results is confidential, as exact numbers might give the spammers ideas.

MX Record
MX stands for "mail exchange" or Mail Server. MX is a type of DNS Resource Record, which tells SMTP Senders where to send email for a particular domain (specifically identifying a hostname, which must then have at least one A Record pointing to the IP Address(s) of the Mail Server(s)). "is not an MX for domainname" means that the Mail Server IP Address currently under review by the Parser is not listed in any A Record for any hostname in any MX Record for domainname, and that it therefore is not a registered Mail Server for domainname. Please see RFC 974 MAIL ROUTING AND THE DOMAIN SYSTEM for more information on the use of MX Records.

Using last resort contacts
When the Parser can't find any information about an IP Address's WHOIS listed contacts' domains in the abuse.net master database of reporting addresses, cached or via direct lookup, it uses those contacts' email addresses as contacts of last resort. All responsible domain administrators should register with abuse.net.

WHOIS
WHOIS is a service and protocol defined by RFC 1032 DOMAIN ADMINISTRATORS GUIDE, RFC 954 NICNAME/WHOIS, and their predecessors for providing information about allocated Domain Names and IP Addresses. When the Parser does lookup and finds a hit in the cache, it reports "Cached whois".


Edit: 2005/05/17 10:26 Jeff G. added "Cache".
dbiel
Combined Glossary in Alphabetical Order
last edit 21 June 2005

This post has been moved to a new thread SpamCop Glossary (consolidated), Alphabetical listing of glossary for ease of use. The contents have been deleted from this thread as it is simply a duplication of all the other posts that still remain.

Edit note: this post remains solely to archive the date of the creation / split of the separate Glossary and Glossary Archive threads
dbiel
Suggested additions to the glossary

/dev/null'ing
The act of vaporizing a file (sending it to the Unix directory /dev/null)
SpamCop uses email addresses addressed to xxxx[at]devnull.spamcop.net to discard messages that have been generated after they have been statically recorded where the intended recipient has historically bounced similar messages or has requested that they no longer be sent.
for more information see http://forum.spamcop.net/forums/index.php?showtopic=4430

quote from the newsgroup - one of Wazoo's many postings
QUOTE
Again, still waiting for JT to do something, but the next
step was going to be converting the Glossary page to an
HTML linked set-up .. once again, it's gotten too big in
the format that it's in now .... once that action was
accomplished, I was then looking forward to trying to do
the same with the Forum FAQ.
I like the sound of that, But when/how are you ever going to find/make the time to do all of that? Sounds like a major undertaking to me.
StevenUnderwood
QUOTE(dbiel @ Jun 24 2005, 01:00 PM)
I like the sound of that,  But when/how are you ever going to find/make the time to do all of that?  Sounds like a major undertaking to me.
*


Didn't you know Wazoo is made of time (not money) ;)
turetzsr
...Please consider adding this to the FAQ (rewording encouraged):

Spam Trap or Spamtrap
"Secret" e-mail addresses (they have never been used to send e-mail). Any e-mail sent to a spam trap is presumed to be either:
  • a confirmation e-mail, if it appears to be a one-time confirmation e-mail
or
  • spam
The spam traps are set to recognize one-time confirmation e-mails and ignore them. If it is judged to be spam, then SpamCop weighs it more heavily than it would a report by a user in deciding whether the source IP address should be placed on the SpamCop DNSBL.
Jeff G.
Suggested addition to the glossary

Report
A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service. Please see SpamCop Report Types for details on the types of SpamCop Reports that Reporters have the option of sending.

Report Email Address
A Report Email Address is an email address that can be used by the Report's recipient to indirectly email the Reporter for some time after the submission of the Report, incorporates a Report ID, is used as the From Address on the actual Report, and looks kind of like 1466329110[at]reports.spamcop.net but with an @-sign in the middle (spam emailed to this address will be treated as such). A report email address could be used to spam you, so you should avoid revealing it.

Report ID
A SpamCop Report ID number is a unique number, as of this writing ten digits long like 1466329110, assigned by the SpamCop Parsing and Reporting System to a particular Report sent to a particular Administrator regarding a particular piece of a particular spam by a particular Reporter.

Please note that the Report ID numbers are keyed to your reporting account, such that someone else's Report ID numbers are pretty much useless to you for discussing the actions of the SpamCop Parsing and Reporting Service and they could be used to spam you, so you should avoid revealing them. The Moderation Team suggests that you discuss a Tracking URL instead - for instructions on how to get one, please see FAQ Entry: Getting a Tracking URL from a Report ID.

Report URL
A Report URL shows the headers for the spam reported using the associated Report ID and a "Parse" Link to a Tracking URL for that spam, and incorporates a Report ID, which can only be used by the associated Reporter or a SpamCop Admin. The Report URL is therefore useless for discussion in public fora, looks like http://www.spamcop.net/mcgi?action=gettrack&reportid=1466329110 or http://members.spamcop.net/mcgi?action=gettrack&reportid=1466329110 or http://mailsc.spamcop.net/mcgi?action=gettrack&reportid=1466329110 (depending on which reporting website you use), and could be used to spam you, so you should avoid revealing any Report URL.



Edit by Jeff G. 2005/07/12 17:25 EDT Separated three items into separate entries, edited the entries, and added a fourth.
Edit by Jeff G. 2005/07/17 11:22 EDT Replaced "I suggest" with "The Moderation Team suggests", and incorporated dbiel's syntax change to "Report URL".
Edit by Jeff G. 2005/07/17 12:08 EDT Addressed a security concern with "Report ID", "Report URL", and "Report Email Address".
Edit by Jeff G. 2005/07/17 17:13 EDT Addressed dbiel's suggestions for "Report" and added timezones to the Edit timestamps.
Edit by dbiel 2005/07/17 14:30 PDT added html tags to prepare for insertion into glossary (no content edits).
Edit by dbiel 2005/07/17 15:40 PDT altered hyper links to point directly to glossary entries.
Edit by Jeff G. 2005/07/17 20:03 EDT Addressed Wazoo's suggestions re not-exactly-usable hyperlinks in "Report URL" and confusion re the word "Report".
Edit by Jeff G. 2005/07/17 20:11 EDT Addressed Miss Betsy's suggestion re the SCBL mention in "Report".
Edit by Jeff G. 2005/07/17 20:17 EDT Fixed the @-escaping problem introduced by dbiel turning on HTML.
Edit by Jeff G. 2005/07/17 20:20 EDT Added 'If the Administrator replies to the Report, the reply will go to the "Report Email Address", and on to the Reporter's secret email address. If Reports to particular Administrators bounce enough times, those Administrators' email addresses will be flagged as bouncing, and will no longer receive Reports.' to and removed other info about "Report Email Address" from "Report".
Edit by Jeff G. 2005/07/17 20:33 EDT Reworked the first sentence of "Report" to remove "reporting".
Edit by Jeff G. 2005/07/18 14:18 EDT Reworked "Report" per Miss Betsy's suggestion, moving details to a new Topic.
Edit by Jeff G. 2005/07/18 20:58 EDT Added " that Reporters have the option of sending" near the end of "Report".
Jeff G.
QUOTE(dbiel @ Jul 16 2005, 03:49 PM)
What do you think about the following change, it seems to make it clearer (at least to me) - change indicated in red
Report
A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" to a System Administrator, reporting a particular piece of a particular spam associated with that System Administrator's Network.
*
How about the following?
Report
A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" in the "From" Header Line to a System or Network Administrator, reporting a particular piece of a particular spam associated with that System or Network Administrator's System or Network.

Comment (not part of the Entry): The reported item is generally an IP Address (source of spam) or spamvertized URL which resolves to an IP Address, either of which may be on a system which has its own administrator and nothing to do with the network it's on and the administrator of that network.
dbiel
I especially like the changes you made to the first part.
What do you think if we simply delete that last part indicated with the strike through font?
Report
A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" in the "From" Header Line to a System or Network Administrator, reporting a particular piece of a particular spam associated with that System or Network Administrator's System or Network.
Jeff G.
QUOTE(dbiel @ Jul 17 2005, 04:42 PM)
I especially like the changes you made to the first part.
*
Thanks.
QUOTE(dbiel @ Jul 17 2005, 04:42 PM)
What do you think if we simply delete that last part indicated with the strike through font?
Report
A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" in the "From" Header Line to a System or Network Administrator, reporting a particular piece of a particular spam associated with that System or Network Administrator's System or Network.
*
Sure, I guess it was a little repetitive.
Miss Betsy
QUOTE
A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" in the "From" Header Line to a System or Network Administrator, reporting a particular piece of a particular spam associated with that System or Network

Sorry to chime in so late. I don't like the use of "From" - people are sure to get that confused with the other "From" - the one that is forged.

My version:
A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service. The parser suggests a "Report email address" which is to the System or Network Administrator who is responsible for the IP address from which the spam has come. Reports may also go to special addresses arranged between SpamCop and Administrators or to 'devnull' which means that the email address for the Administrator is either bouncing or refusing SpamCop reports. Reports also are counted on the SpamCop Blocklist no matter where they go.

Miss Betsy
dbiel
QUOTE(Miss Betsy @ Jul 17 2005, 03:57 PM)
<snip>Reports also are counted on the SpamCop Blocklist no matter where they go.

Miss Betsy
*

I do not believe that is a correct statement as reports are also sent to interested third parties. The BL is fed by the source IP address, not the email address that reports are sent to.

It may be that we are using the term "Report" two different ways
1) the individual reports (one or more) that are sent to various parties a
2) Report - the act of submitting a spam message for reporting
Jeff G.
QUOTE(Miss Betsy @ Jul 17 2005, 06:57 PM)
Sorry to chime in so late.
*
The more, the merrier! :)
QUOTE(Miss Betsy @ Jul 17 2005, 06:57 PM)
I don't like the use of "From" - people are sure to get that confused with the other "From" - the one that is forged.
*
A From Header Line is a From Header Line - the difference is in how they are used. I'll work on refining it.
Miss Betsy
QUOTE(Jeff G. @ Jul 17 2005, 07:22 PM)
The more, the merrier! :) A From Header Line is a From Header Line - the difference is in how they are used.  I'll work on refining it.
*



I know what you meant. I just don't think it is necessary to tell whoever needs to use a glossary item. 'IP address in the headers from which the spam comes' is all they need to know. There must be an explanation of headers and how spamcop finds the correct one somewhere.

A newbie knows the forged "From" and may not have read the header explanation yet. And you don't want to put 'how to read headers' in this glossary item.

There could be a cross reference to 'how to read headers' at the bottom.

Miss Betsy
Miss Betsy
QUOTE(dbiel @ Jul 17 2005, 06:38 PM)
I do not believe that is a correct statement as reports are also sent to interested third parties.  The BL is fed by the source IP address, not the email address that reports are sent to.

It may be that we are using the term "Report" two different ways
1) the individual reports (one or more) that are sent to various parties a
2) Report - the act of submitting a spam message for reporting
*


Since I only read the last post (which is probably a good thing for editing purposes!), I assumed that it was talking about the 'primary' report to the source administrator since the 'report email' was singular and it mentioned the 'From' line.

If the purpose is to include /all/ reports, then it should read:

'A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service. The parser suggests a "Report email address" which is to the System or Network Administrator who is responsible for the IP address from which the spam has come. Reports may also go to special addresses arranged between SpamCop and Administrators or to 'devnull' which means that the email address for the Administrator is either bouncing or refusing SpamCop reports. Reports of this type also are counted on the SpamCop Blocklist no matter where they go. Additionally report email addresses to the people responsible for the websites that are advertising in the spam and to third parties interested in receiving reports for other reasons are also chosen by the parser and may be sent by the reporter. These emails are not added to the SpamCop blocklist.'

Again, because I haven't read the beginning of the thread, I don't know whether you all had started out to define
what an email report is (a - individual reports - in which case the different kinds of reports should be outlined as well as where they go including the blocklist)
the act of reporting (b - in which case, IMHO, 'A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service.' is all that is necessary in a glossary. Additional information should be in the 'How to use' instructions.)

Miss Betsy
Jeff G.
QUOTE(Miss Betsy @ Jul 18 2005, 07:50 AM)
Again, because I haven't read the beginning of the thread, I don't know whether you all had started out to define
what an email report is (a - individual reports - in which case the different kinds of reports should be outlined as well as where they go including the blocklist)
the act of reporting (b - in which case, IMHO, 'A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service.' is all that is necessary in a glossary.  Additional information should be in the 'How to use' instructions.)
*
I believe I have addressed all of that, but 'How to use' seems like the wrong place for the additional information.
Miss Betsy
QUOTE(Jeff G. @ Jul 18 2005, 01:23 PM)
I believe I have addressed all of that, but 'How to use' seems like the wrong place for the additional information.
*


I just saw the FAQ entry on 'Reports' which does cover all the different kinds of reports.

IMHO, the glossary entry should be 'A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service.' see FAQ entry URL for description of the different kinds of reports that can be sent at the reporter's discretion.

When I suggested 'How to use' I was thinking of people who don't want to send reports to admins that look like the spamvertiser and people who don't want to report to Cyveillance and why people use the User defined reports.

Miss Betsy
dbiel
Added "Report Types" to Glossary Index with hyper link to Separate topic.
Currently no plans to include Report Types definitions in the glossary thread itself.
The index link should suffice.

A special thanks to Jeff G. for all his work creating and editing the various "Report" entries.
Note: all entries have been added to the index.
Definitions will be merged into Glossary after editing activity comes to a close. In the meantime the index does actively point to the correct entries.

Edited to correct name "Jeff G."
Miss Betsy
QUOTE(turetzsr @ Jun 24 2005, 06:00 PM)
...Please consider adding this to the FAQ (rewording encouraged):

Spam Trap or Spamtrap
"Secret" e-mail addresses (they have never been used to send e-mail).  Any e-mail sent to a spam trap is presumed to be either:
  • a confirmation e-mail, if it appears to be a one-time confirmation e-mail
or
  • spam
The spam traps are set to recognize one-time confirmation e-mails and ignore them.  If it is judged to be spam, then SpamCop weighs it more heavily than it would a report by a user in deciding whether the source IP address should be placed on the SpamCop DNSBL.
*



Email addresses embedded in websites that can only be seen by spammer 'spider' software that collects addresses. [actually I am not positive if this is correct - they could also include addresses at a domain that are easy to obtain using the dictionary technique]

These email addresses have never been used to send email nor have received legitimate email. Therefore, any email that comes to one of these email addresses is to an email address that has been collected illegitimately by a spammer. One exception is a confirmation email to a mistyped address. Confirmation emails can be identified and are ignored.

SpamCop spamtraps collect spam, misdirected bounces, out of office replies, viruses, and worms directed to the spamtrap email address. There is no report sent to an administrator, but a report is sent to the blocklist. A report from a spamtrap is weighted more in the blocklist algorithm for listing than reports from reporters.

Other people have spamtraps that they use for reporting spam or building personal blocklists. Some people refer to old email addresses that no longer receive any legitimate email as spamtraps; however, SpamCop, and other widely used blocklists, only employ never-been-used email addresses as spamtraps.


That's my understanding of spamtraps. Now let someone who knows, edit!

Miss Betsy
Jeff G.
dbiel, you're welcome. FYI, I actually prefer "Jeff G." to "JeffG", but I didn't realize that the space was allowed when I created my original account here.

Miss Betsy,
QUOTE(Miss Betsy @ Jul 19 2005, 06:15 AM)
Email addresses embedded in websites that can only be seen by spammer 'spider' software that collects addresses.  [actually I am not positive if this is correct - they could also include  addresses at a domain that are easy to obtain using the dictionary technique]
*
Please don't be surprised if you don't get an official comment on the first sentence of that. :)
Jeff G.
Suggested addition to the glossary

Report History
SpamCop Report History is an exclusive feature of the SpamCop Parsing and Reporting Service for Paid Reporters (both fuel-based and SpamCop Email System Customers). It shows the history of SpamCop Reports for a particular IP Address or URL. If it is applicable (the Reporter is authorized to view Report History and there is a History of Reports), a "[Report History]" Link will appear in the Parser's output under either "host IP Address = RDNS of IP Address" or "Tracking link: URL", as appropriate. The Report History shows the following for each Report of a spam that implicated that particular IP Address or URL: Date/Time Submitted (grouped by spam); the Subject of the spam (in italics, grouped by spam); Report ID; "( IP Address )" or "( URL )" or "( )" or "( Forwarded Spam )"; "To:", and the Email Address of the Report's Recipient (which may include devnull if the intended Recipient's Email Address bounces or refuses Reports, or may be "mole[at]devnull.spamcop.net" for a Mole Report (which is not actually sent)). A typical Report History can be found here. "No recent reports, no history available" will be displayed as appropriate, meaning that no issueid has been assigned to that IP Address or URL. "Cannot find spam reports for issueid = issueid" indicates a database error, in that the IP Address or URL has been assigned an issueid, but there are no Reports matching that issueid.


Edit: 2005/07/20 14:30 Jeff G. Added some errors.
Edit: 2005/07/21 18:07 Jeff G. Modified the applicability restriction language per Jank1887's experience.
Jank1887
QUOTE(Jeff G. @ Jul 20 2005, 02:02 PM)
(or is it only for SpamCop Email System Customers?)
*
Nope. I'm just a paid reporting Customer (i.e., added fuel) and now that I know where to look for the Report History link, I can see them.
Jeff G.
Thanks, Jank1887. I updated it.
dbiel
Merged the following entries into master Glossary
Report
Report Email Address
Report ID
Report URL
Miss Betsy
QUOTE(Jeff G. @ Jul 19 2005, 09:46 AM)
Miss Betsy, Please don't be surprised if you don't get an official comment on the first sentence of that.  :)
*


I have been waiting to get any comment (official or otherwise)!!

IMHO, Spam Trap would be a good addition to the glossary.

I, myself, am not exactly sure of the criteria for a blocklist-grade spam trap except that it has to be 'never been used for legitimate email'
and although individuals refer to abandoned email addresses as 'spamtraps' they are not the same as what spamcop and other blocklists use. I have seen numerous offers of donating an email address to spamcop as a spamtrap (and from the replies to those posts is where I have picked up most of my conception of a spam trap).

Miss Betsy
Jeff G.
Suggested addition to the Glossary

SpamCop
SpamCop is a comprehensive service offering something for everyone in the fight against spam. In this case, COP stands for Citizen On Patrol. SpamCop Reporters patrol their mailboxes and report the spam inside. SpamCop has the following component Services and Systems:
Jeff G.
OK, let me spell it out for you. I don't think it's a good idea to tell the spammers that lurk in these parts exactly what or where SpamCop's spamtraps are. If they know exactly what the spamtraps are (by user id, domain name, and possibly subdomain name), they can programmatically listwash the spamtraps. If they know exactly where the spamtraps are (by page, domain, subdomain, or hiding technique), they can scrape those locations and then listwash the spamtraps.
turetzsr
QUOTE(Miss Betsy @ Jul 27 2005, 07:26 AM)
QUOTE(Jeff G. @ Jul 19 2005 @ 09:46 AM)
QUOTE(Miss Betsy @ Jul 19 2005 @ 06:15 AM)
Email addresses embedded in websites that can only be seen by spammer 'spider' software that collects addresses.  [actually I am not positive if this is correct - they could also include  addresses at a domain that are easy to obtain using the dictionary technique]
Miss Betsy, Please don't be surprised if you don't get an official comment on the first sentence of that. :)
I have been waiting to get any comment (official or otherwise)!!

IMHO, Spam Trap would be a good addition to the glossary.

I, myself, am not exactly sure of the criteria for a blocklist-grade spam trap except that it has to be 'never been used for legitimate email'
and although individuals refer to abandoned email addresses as 'spamtraps' they are not the same as what spamcop and other blocklists use. I have seen numerous offers of donating an email address to spamcop as a spamtrap (and from the replies to those posts is where I have picked up most of my conception of a spam trap).

Miss Betsy
*
QUOTE(Jeff G. @ Jul 27 2005, 11:32 AM)
OK, let me spell it out for you.  I don't think it's a good idea to tell the spammers that lurk in these parts exactly what or where SpamCop's spamtraps are.  If they know exactly what the spamtraps are (by user id, domain name, and possibly subdomain name), they can programmatically listwash the spamtraps.  If they know exactly where the spamtraps are (by page, domain, subdomain, or hiding technique), they can scrape those locations and then listwash the spamtraps.
*
...Whoa, what prompted that? I don't see anything in Miss Betsy's inquiry suggesting that we expose "exactly what or where SpamCop's spamtraps are." Did I miss something?
StevenUnderwood
QUOTE(turetzsr @ Jul 27 2005, 05:27 PM)
Whoa, what prompted that? I don't see anything in Miss Betsy's inquiry suggesting that we expose "exactly what or where SpamCop's spamtraps are." Did I miss something?
*


I have the same question
Jeff G.
I was just trying to get Miss Betsy enough info that she would stop asking.
dbiel
Note: the following post was moved to the main glossary.
Please add any edits and/or reply to that thread.
Click on the following link Original Message or the quote link (arrow in lower right corner of quote) to jump to the current location
QUOTE(Jeff G. @ Jul 27 2005, 07:51 AM)
Suggested addition to the Glossary

SpamCop
SpamCop is a comprehensive service offering something for everyone in the fight against spam.  In this case, COP stands for Citizen On Patrol.  SpamCop Reporters patrol their mailboxes and report the spam inside.  SpamCop has the following component Services and Systems:
*
Jeff G.
dbiel, thanks, but the link you posted doesn't work. It would be best to point to the Post's new URL, namely http://forum.spamcop.net/forums/index.php?...indpost&p=30782. Also, where did all the whitespace come from? When quoting me, I'd appreciate the courtesy of quoting what I actually wrote, especially in terms of whitespace. This application provides quite enough extraneous whitespace - please don't exacerbate the problem. Thanks!
dbiel
QUOTE(Jeff G. @ Jul 28 2005, 06:51 AM)
dbiel, thanks, but the link you posted doesn't work.  It would be best to point to the Post's new URL, namely http://forum.spamcop.net/forums/index.php?...indpost&p=30782.  Also, where did all the whitespace come from?  When quoting me, I'd appreciate the courtesy of quoting what I actually wrote, especially in terms of whitespace.  This application provides quite enough extraneous whitespace - please don't exacerbate the problem.  Thanks!
*

I am a bit confused by your statement that the link does not work.
I have tested it both on the system I created it with (an old version of IE running on NT4.0) and on a public computer at the court house running Mozilla Firefox. And both work.
As far as the white space goes, I have no idea what happened, it was an automatic reply quote with a comment added before the quote.
I will take a closer look at it to see if I can determine what happened.

Is anybody else having any problem using the link?
PS, there was a short period when the link would not have worked which was the time between the post was first written, the original message split off into a separate topic and then merged back into the glossary topic which changed the address which required updating the original link, but that was all done within a 20 min window which seems to be before your post. So I remain confused.
StevenUnderwood
The link for the Glossary thread ( http://forum.spamcop.net/forums/index.php?...indpost&p=30782 ) works fine from here.
dbiel
I am becoming more confused than ever.
One minute the links work and the next they don't.

Additional line breaks are being added automatically and I have to keep removing them.
It appears if you are in preview mode and test the links, when you jump back additional line breaks are added between list entries which need to be removed again. I have never experienced that before.
Jeff G.
dbiel, the original URL you posted in http://forum.spamcop.net/forums/index.php?...indpost&p=30846, while it may have been a functional URL, was not clickable because it was in quotes, parentheses, or brackets (I forget which). That's what I meant when I wrote that it didn't "work". After your edit, it now does "work". Sorry for any confusion.
StevenUnderwood
QUOTE(Jeff G. @ Jul 28 2005, 04:21 PM)
dbiel, the original URL you posted in http://forum.spamcop.net/forums/index.php?...indpost&p=30846, while it may have been a functional URL, was not clickable because it was in quotes, parentheses, or brackets (I forget which).  That's what I meant when I wrote that it didn't "work".  After your edit, it now does "work".  Sorry for any confusion.
*
OK, I did see it in that state as well...did not try it at that time, however.
Miss Betsy
QUOTE(turetzsr @ Jun 24 2005, 04:00 PM)
...Please consider adding this to the FAQ (rewording encouraged):

Spam Trap or Spamtrap
"Secret" e-mail addresses (they have never been used to send e-mail).  Any e-mail sent to a spam trap is presumed to be either:
  • a confirmation e-mail, if it appears to be a one-time confirmation e-mail
or
  • spam
The spam traps are set to recognize one-time confirmation e-mails and ignore them.  If it is judged to be spam, then SpamCop weighs it more heavily than it would a report by a user in deciding whether the source IP address should be placed on the SpamCop DNSBL.
*

I don't know whether I made it clear or not, but I don't like this definition of spam trap.

And I do think that a glossary item for spam trap would be a good idea.

Spam Trap - an email address that is never used to send or receive email that, however, spammers can discover through various means. Spamcop, as well as other blocklists, use spam traps to identify IP addresses from which unsolicited email comes. Spam traps are programmed to recognize confirmation emails to a mistyped address and discard those emails.

Some people refer to email addresses that have been abandoned because of the amount of spam received as spam traps and report the spam received on those email addresses. Blocklists, however, only use 'never-used' email addresses.

Miss Betsy

Note: quote replaced with original quote due to referenced quote having been deleted when merged into this topic - dbiel
Wazoo
QUOTE(dbiel @ Jul 28 2005, 03:02 PM)
Additional line breaks are being added automatically and I have to keep removing them.
*

Primarily caused by the BBCode/HTML/BBCode conversion processes. Looks at the BBCode, converts it to HTML for display in your browser ... but each "instance" includes a <br /> character in the process .. this translates to an HTML <br> (basically a short-hand for "line break") ... I am constantly editing posts as I read through them, removing all those extra "blank lines" that folks add, not realizing that there's already one inserted after each 'action' .. quote, list, etc. There are a few folks that seem to get carried away at the end of their posts at times, apparently thinking that a bunch of blank space adds something to the post ..???

In the upcoming new version, WYSIWYG and Rich-Text Editing ... some of these same issues exist, but adding in even more "fun" things, some of them based on which browser (even versions of) is in use, what options have been selected, etc. I suppose that on a "fun" forum, this stuff has its place, but in this support environment, when just getting a few details seems to be so much work at times, having to deal with off the wall fonts (sizes) and extreme gonzo mode in color selections of background colors, etc ... again, my thoughts are that most of that crap has to be turned off 'here' <g>
turetzsr
QUOTE(Miss Betsy @ Jul 28 2005, 07:11 PM)
I don't know whether I made it clear or not, but I don't like this definition of spam trap.

And I do think that a glossary item for spam trap would be a good idea.

Spam Trap - an email address that is never used to send or receive email that, however, spammers can discover through various means.  Spamcop, as well as other blocklists, use spam traps to identify IP addresses from which unsolicited email comes.  Spam traps are programmed to recognize confirmation emails to a mistyped address and discard those emails.
<snip>
*
...Well, I think my offering wasn't too bad but I have to admit that yours is far clearer. The only things I'd like to see added to yours are:
  • some hint that sending spam to spam traps is in some sense "more serious" than sending it to a real user in terms of SpamCop's weighting in deciding what goes on the BL.
  • a note that spam sent to spam traps generates no notification to the abuse address of the source IP address.
If you agree, perhaps you can work your wordsmithing magic on them? :) <g>
Jeff G.
QUOTE(Wazoo @ Jul 28 2005, 07:18 PM)
I am constantly editing posts as I read through them, removing all those extra "blank lines" that folks add, not realizing that there's already one inserted after each 'action' .. quote, list, etc.
*
... and here I was thinking that they were getting so much better at extraneous whitespace reduction. :)
Wazoo
QUOTE(Jeff G. @ Jul 28 2005, 08:22 PM)
... and here I was thinking that they were getting so much better at extraneous whitespace reduction. :)
*
actually not sure how some of it works ... for instance, those posts that get a dozen hits of the "Enter" key after the last typed word (resulting in having to scroll down a screen to then see a signature) ... all I do is hit Edit, then submit .. all that extra crud is gone .... now after a Quote stuff, I have to physically delete that extra line ...???
Jeff G.
Actually, two extra lines around the [/quote] tag are superfluous, one before and one after.
Miss Betsy
QUOTE(turetzsr @ Jul 28 2005, 06:28 PM)
...Well, I think my offering wasn't too bad but I have to admit that yours is far clearer.  <snip>
*


Actually all I objected to in your version was that it didn't include spam traps other than spamcop's.

Spam Trap - an email address that is never used to send or receive email. These addresses, however, spammers can discover through various means - the same ways that they get your email address. Blocklists, including SpamCop, use spam traps to identify IP addresses from which unsolicited email comes. Spam traps are programmed to recognize confirmation emails to a mistyped address and discard those emails.

Some people refer to email addresses that have been abandoned because of the amount of spam received as spam traps and report the spam received on those email addresses.

Blocklists, however, only employ 'never-used' email addresses as spam traps. Reports are not made to the source IP address and addresses are automatically added to the blocklist. In SpamCop's algorithym for listing, spam trap hits 'weigh' more and can list an address more quickly than reports from reporters.

How's that?

Miss Betsy
Jeff G.
That's fine with me, except that "algorithym" should be "algorithm".
Wazoo
QUOTE(Miss Betsy @ Jul 29 2005, 04:02 AM)
Spam Trap - an email address that is never used to send or receive email.  These addresses, however, spammers can discover through various means - the same ways that they get your email address. Blocklists, including SpamCop, use spam traps to identify IP addresses from which unsolicited email comes.  Spam traps are programmed to recognize confirmation emails to a mistyped address and discard those emails. 

SpamCop spamtraps are .....

QUOTE
Some people refer to email addresses that have been abandoned because of the amount of spam received as spam traps and report the spam received on those email addresses.

..... but that is their misuse of the terminology.

QUOTE
Blocklists, however, only employ 'never-used' email addresses as spam traps.  Reports are not made to the source IP address and addresses are automatically added to the blocklist.  In SpamCop's algorithym for listing, spam trap hits 'weigh' more and can list an address more quickly than reports from reporters.
*


.... not made to the source ISP/Host and IP addresses are automatically added to the SCBL scoring database. In SpamCop's algorithm for listing .......
Miss Betsy
Spam Trap - an email address that is never used to send or receive email. These addresses, however, spammers can discover through various means - the same ways that they get your email address. Blocklists, including SpamCop, use spam traps to identify IP addresses from which unsolicited email comes. SpamCop spam traps are programmed to recognize confirmation emails to a mistyped address and discard those emails.

Some people refer to email addresses that have been abandoned because of the amount of spam received as spam traps and report the spam received on those email addresses. This is not a correct use of the term 'spam trap'.

Blocklists, however, only employ 'never-used' email addresses as spam traps. In general reports are not made to the source ISP and IP addresses are automatically added to the blocklist. In SpamCop's algorithm for listing, spam trap hits 'weigh' more and can list an address more quickly than reports from reporters.
dbiel
New working copy reformatted for insertion into glossary with an attempt to include edits from previous postings
Note: this post will be used as the master for editing until approved for final insertion into glossary

Spam Trap or Spamtrap
An email address that is never used to send or receive email, created for the specific purpose of "trapping" spam. Spam Traps are used by those who maintain blocklists to identify spamming sources.

Spammers can discover Spam Trap addresses through various means - the same ways that they use to get your email address. An email address that has been abandoned because of the amount of spam it receives is not considered a true Spam Trap and should not be used for that purpose.

The SCBL (SpamCop Blocking List) uses Spam Traps to identify the IP addresses from which unsolicited email comes, and is programmed to recognize and discard confirmation emails sent to mistyped addresses. The SCBL's algorithm for listing IP addresses applies a heavier weight to Spam Trap hits than to Reports and as a result, Spam Traps can cause IP addresses to be listed much faster and for longer time periods than Reports. Spam Trap hits do not generate Reports, and therefore do not show up in the Report History.

Based on original entry by turetzsr aka Steve T
Rewrite by Miss Betsy
Comments by Wazoo and Jeff G.
Edit by dbiel 2005/07/29 18:00 PDT 1st major rewrite also written from the view point of SpamCop (This Glossary is a SpamCop specific glossary, not a general usage glossary)
Edit by dbiel 2005/07/30 00:50 PDT replaced last paragraph with Jeff G.'s rewrite.
Edit by dbiel 2005/07/30 01:00 PDT added comma after "as a result"
Edit by dbiel 2005/07/30 07:48 PDT changed "these" to Spam Trap as suggested by Miss Betsy
Edit by dbiel 2005/07/30 10:15 PDT incorporated additional suggestions by Miss Betsy and Jeff G.