MsLil
Feb 28 2008, 03:11 PM
Hi there, I hope I'm posting in the right place (I did read the FAQs etc) first. I'm not a computer tech or anything, just an ordinary person with a loathing for spam.
I recently started using SpamCop again after an absence - the sheer volume of spam got me down. But I started again recently and as soon as I did, I immediately noticed a huge increase in the amount of phishing scams I received - the Nigerian crap, the lotteries, the dying people who want to leave me their bazillions - on and on.
Is it possible that this huge increase is somehow linked to my recent reporting spree? I'm sorry if this is a naive question but I'm generally curious.
Thanks and keep up the good work. I hope it's actually having some impact.
Cheers.
Lking
Feb 28 2008, 04:14 PM
QUOTE(MsLil @ Feb 28 2008, 03:11 PM)

Is it possible that this huge increase is somehow linked to my recent reporting spree? I'm sorry if this is a naive question but I'm generally curious.
You just didn't look in the right place, this is an old thread. I would direct your attention to this thread. More Phishing spam? You're just lucky I guess.
rconner
Feb 28 2008, 05:29 PM
Let's do some deduction: In order for you to get more scam mail due to your SpamCop activities, it would be necessary for SpamCop to have given your e-mail address (or allowed it to be given) to the crooks. As far as I can tell, this isn't going to happen. SpamCop generally munges your address out of reports so that no one seeing the reports would find it. Even if it did not, these reports generally go to ISP abuse desks, who (we hope) are not in the regular practice of handing these reports off to scammers. Even if they were, it doesn't seem logical for scammers to target addresses given in abuse reports, since these people are the most likely to complain and get the scammer cut off from his mail.
Most scammers (vs. spammers) are using freemail services, so it seems unlikely (to me, at any rate) that they would have the "juice" necessary to get information from their providers about those who rat on them.
I hope this provides some assurance to you. As Lking says, you are likely just "lucky" to be getting more of this stuff right now. Correlating it to SpamCop may just be post-hoc thinking.
By the way, just to be pedantic, the term "phishing" is usually used to describe folks who try to impersonate banks, etc. to get your personal info. The 419s, advance fee artists, etc. also try to trick you but their M.O. is a bit different so I for one do not use the term "phishing" for them. See the Wiki for articles on advance-fee frauds, phishing, and job scams for more info about e-mail frauds.
-- rick
MsLil
Feb 28 2008, 06:39 PM
Cool. Thanks for that. I agree the link was a tenuous one and yep, I suppose I'm just lucky. After I made the post, I actually had 7 identical emails from the one scam artist. What joy.
My apologies for using the term "phishing" as an umbrella term and also for not looking around the site enough to find a similar topic. As I said, I'm just an average person who hates spam and I posted in haste this morning.
I may not know all my terminology, but I am very savvy when it comes to scams, frauds, etc. It's people like the women I work with and my mum that I worry about!
Cheers.
rconner
Feb 28 2008, 08:22 PM
QUOTE(MsLil @ Feb 28 2008, 06:39 PM)

My apologies for using the term "phishing" as an umbrella term and also for not looking around the site enough to find a similar topic.
Not at all, no apologies needed. Thanks for posting and for looking around first.
-- rick
Spamnophobic
Feb 29 2008, 11:14 AM
MsLil, I think you should check that you don't have the option "Leave spam copies intact" selected under "Spam Munging" on your "Reporting Preferences" page.
QUOTE(MsLil @ Feb 29 2008, 12:39 AM)

It's people like the women I work with and my mum that I worry about!
You'd be surprised how many women are spam/scam-savvy. Getting assaulted with large volumes of male-orientated filth focuses the mind wonderfully!
QUOTE(rconner @ Feb 28 2008, 11:29 PM)

it doesn't seem logical for scammers to target addresses given in abuse reports, since these people are the most likely to complain and get the scammer cut off from his mail.
I suspect that what often happens is that accomplished criminals deliberately sell lists containing e-mail addresses of known anti-spammers to their less accomplished brethren in order to damage them (and annoy the anti-spammers of course).
Penny
spamcop999
Mar 11 2008, 04:23 PM
I was wondering the same thing when I began using SpamCop a few weeks ago. My spam has been increasing. But maybe that is just part of overall spam increase. OTOH, I have an idea that spammers have been getting smarter about what they include in their spam, and it seems to me that there are parts of the message that have no other reason than to provide hidden feedback. I can well imagine an ISP involved with spammers.
I have written my own Eudora filter that I invoke before sending data to SpamCop. It filters each email and creates an individual email to send to SpamCop. Here is a list of the filter types that I address because they have contained either data that I suspected was my email address encrypted, or actual fields that contained personal data that SpamCop was not filtering.
To:
Bcc: - Yup, believe it or not, there I was in the BCC.
X-Persona
Message-ID:
Envelope-To:
In-Reply-To:
by fred.org - actual domain is not fred
by fred.com
The by field, for example, would contain the real name of my domain. Doesn't take much to figure out which address is a good one. Ditto with the others. I didn't realize it at first; I just sent off the reports. Now the damage might be done, but at least I know to look for stuff that SpamCop leaves in the report in the future.
There are other places. In many instances, the subject now contains my email address, but SpamCop doesn't see it. So I check each line and change personal info before sending to SpamCop.
I sent a message off to SpamCop weeks ago, but haven't heard back from anyone. Then I learned about this forum and thought I'd see what might be here...
~Rich~
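The header check described in the post above, sketched in Python as an added example; it is not part of the original post and is not spamcop999's Eudora filter. The address `rich@fred.example`, the placeholder strings, the `X-Track` header and the sample message are all constructed for illustration. The bare local part is redacted only in the header fields the post lists, and base64 or hex copies of the address are flagged for review rather than changed.

```python
import base64
import re

# Header fields the post above lists as carrying recipient-identifying data.
LISTED_HEADERS = {"to", "bcc", "x-persona", "message-id", "envelope-to", "in-reply-to"}
ADDR_MARK = "x"                 # placeholder strings are this example's own choice
HOST_MARK = "munged.invalid"


def encoded_forms(address):
    """Plain reversible encodings of the address that are worth searching for."""
    raw = address.lower().encode("ascii")
    return {"base64": base64.b64encode(raw).decode().rstrip("="), "hex": raw.hex()}


def _redact(regex, mark, kind, text, location, findings):
    """Substitute every match and record one finding per substitution."""
    new_text, count = regex.subn(mark, text)
    findings.extend([(location, kind)] * count)
    return new_text


def munge(raw_message, address):
    """Return (munged_text, findings) for one raw message.

    findings is a list of (location, kind) tuples; location is a lower-cased
    header name or "body".
    """
    local, domain = address.lower().split("@", 1)
    addr_re = re.compile(re.escape(address), re.I)
    # Any host name ending in the reporter's domain, e.g. in "by mail.<domain>".
    host_re = re.compile(
        r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(domain) + r"(?!\.?[\w-])", re.I
    )
    # The bare local part, matched as a whole token only.
    local_re = re.compile(r"(?<![\w.-])" + re.escape(local) + r"(?![\w-])", re.I)
    encoded = encoded_forms(address)

    findings, out = [], []
    location, in_body = None, False
    for line in raw_message.splitlines():
        if not in_body:
            if line == "":
                in_body, location = True, "body"
            elif not line[0].isspace():      # folded lines keep the header name
                location = line.split(":", 1)[0].strip().lower()
        line = _redact(addr_re, ADDR_MARK, "address", line, location, findings)
        line = _redact(host_re, HOST_MARK, "domain", line, location, findings)
        if location in LISTED_HEADERS:
            line = _redact(local_re, ADDR_MARK, "local-part", line, location, findings)
        # Encoded copies are reported only; the line is left as received.
        for name, token in encoded.items():
            haystack = line.lower() if name == "hex" else line
            if token in haystack:
                findings.append((location, "encoded:" + name))
        out.append(line)
    return "\n".join(out), findings


# Constructed sample message; every host, id and address here is made up.
SAMPLE = (
    "Received: from mx.sender.example (unknown [192.0.2.7])\n"
    "\tby mail.fred.example with ESMTP id 1JZ9x2 for <rich@fred.example>;\n"
    "\tTue, 11 Mar 2008 16:01:02 -0500\n"
    "Envelope-To: rich@fred.example\n"
    "Message-ID: <rich.4471@mx.sender.example>\n"
    'To: "Rich" <rich@fred.example>\n'
    "Subject: rich@fred.example, your account notice\n"
    "X-Track: " + encoded_forms("rich@fred.example")["base64"] + "\n"
    "\n"
    "Dear rich@fred.example, click here.\n"
)

if __name__ == "__main__":
    text, findings = munge(SAMPLE, "rich@fred.example")
    print(text)
    for location, kind in findings:
        print(f"{location}: {kind}")
```
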
Miss Betsy
Mar 11 2008, 04:50 PM
Undoubtedly, there are spammers who harvest 'live' email addresses from spamcop reports. Probably, just as many spammers 'listwash' or remove email addresses found in spamcop reports.
In several, more or less controlled, but not scientific experiments, the amount of spam received from munged reports vs unmunged reports (or from non reported email addresses vs reported email addresses) is not significant. Once an email address has been harvested, it is sold and resold, and is on many lists.
If you are getting more of a certain kind of spam, then it just means your address was on a list that was sold to that kind of spammer.
Miss Betsy
Rapakiwi
May 14 2008, 07:43 PM
My e-mail address was stolen from a large bulletin board (Delphi, I believe) about 15 years ago and was even blacklisted after it was used on the 'From' line by a virus. Consequently, I don't bother to mung my address, and use it to collect SPAM. Junk mail containing the word 'bank' sets off alerts on my computer, and I've recently been reporting bank phish as quickly as I can.
SpamCop should know this has proved successful. After only a month of rapid reporting, the 'Russian Business Network', I'm assuming, sent spam using me on the 'From' line for a week or so, to irritate me; but then, unfortunately, I find I'm no longer receiving bank pfish. (Rats!)
I hadn't thought that leaving my address visible would cause it to be removed from an East European pfishing list. Nevertheless, it's also my understanding that sophisticated statistical methods allow most any letter sent within my ISP's range of addresses to be associated with me. (My punctuation gives me away.)
Nevertheless, my experience proves that even one individual can pose a threat to criminal pfishers.
Geek
Jun 3 2008, 01:45 PM
QUOTE(rconner @ Feb 28 2008, 03:29 PM)

Let's do some deduction: In order for you to get more scam mail due to your SpamCop activities, it would be necessary for SpamCop to have given your e-mail address (or allowed it to be given) to the crooks.
Many spams have a string or two or three of 'gibberish' in them.
I have proven those (especially those sent to olcab.ro) to be an encrypted form of your email.
Mung those strings and you're OK.
Rapakiwi
Jun 3 2008, 05:53 PM
QUOTE(MsLil @ Feb 28 2008, 06:39 PM)

My apologies for using the term "phishing" as an umbrella term and also for not looking around the site enough to find a similar topic. As I said, I'm just an average person who hates spam and I posted in haste this morning.
Only now did I read your original post -- and its initial reply. Buck up man (or woman)! Never apologize to people who use words like 'post-hoc': it only encourages them.
IMO, it's wise to never underestimate your opponents. Those who are selling innocent spam, at least, would be the various advertising agencies who have the computer power and statistical algorithms it takes to finally connect your internet shopping and browsing habits with, finally, an email address (and it takes only one person, or 'mole', in an online store, let's say, to do this).
While I never attempt to disguise my identity on reports, my reporting only bank 'pfishing' (sensu lato) quickly resulted in my no longer receiving any. Another, who used his address only for 'munged' reports, has been intimidated with a denial-of-service email attack. Clearly, people with great resources are attempting to intimidate SpamCop users. You should consider it a compliment. You have my thanks, and congratulations.
My thanks to those whose suggestions make SpamCop reports less traceable.
Rapakiwi
(programming daily since a byte was only six bits)
rconner
Jun 3 2008, 10:07 PM
QUOTE(Geek @ Jun 3 2008, 02:45 PM)

Many spams have a string or two or three of 'gibberish' in them.
I have proven those (especially those sent to olcab.ro) to be an encrypted form of your email.
Mung those strings and you're OK.
But beware that you do not run foul of SpamCop's "material changes" policy. Of course, if you are reporting outside SpamCop, this is less of an issue.
If the spammer has encrypted your e-mail address into the spam, then he will be able to tell who is complaining, but ONLY IF HE GETS A COPY OF THE REPORT. I can't see this being the case with reports filed only on the spam source (not on URLs), since the ISP would probably be unable to locate the botherder behind a spewing address even if it wanted to share the report (which it has no reason to do). I grant that it might be more likely for the crook to see a SpamCop report if it has been filed with a hosting provider he uses (particularly one as patently crooked as olcab.ro). The better part of wisdom in this case might be to avoid reporting the URLs (since these providers aren't listening anyway).
QUOTE(Rapakiwi @ Jun 3 2008, 06:53 PM)

Only now did I read your original post -- and its initial reply. Buck up man (or woman)! Never apologize to people who use words like 'post-hoc': it only encourages them.
Or 'sensu lato'?
-- rick
Geek
Jun 3 2008, 10:20 PM
QUOTE(rconner @ Jun 3 2008, 08:07 PM)

But beware that you do not run foul of SpamCop's "material changes" policy. Of course, if you are reporting outside SpamCop, this is less of an issue.
Spamcop rules allow you to mung your email address - since it is just that in a different form, no rules are broken

QUOTE
If the spammer has encrypted your e-mail address into the spam, then he will be able to tell who is complaining, but ONLY IF HE GETS A COPY OF THE REPORT.
Do you know how many mail providers are set up by spammers and Spamcop inadvertently reports to them? Plenty. A quick search here shows there's been a few mail providers we've busted... mostly Chinese or Russian in origin.
Cheers!
Farelf
Jun 4 2008, 01:14 AM
QUOTE(Geek @ Jun 4 2008, 11:20 AM)

Spamcop rules allow you to mung your email address - since it is just that in a different form, no rules are broken

...
Yes, you do say (earlier) "I have proven those (especially those sent to olcab.ro) to be an encrypted form of your email." Well "proof" is a pretty unequivocal concept and if you have actually tested/demonstrated/replicated the results of your hypothesis to some degree of rigor and if SC deputies/admin accept that proof and if anyone else who might mung their 'encoded address' is similarly cluesome then I guess it is all okay. Otherwise it sounds to me like a quick way to lose reporting privileges. So, if you're advocating that approach, then you had better offer something much more substantial than a simple assertion.
None of my available olcab.ro cases are constructed the way you say - but tolcab.ro do seem to host a great number of spamsites and perhaps a great range of different approaches to the 'business' of spamming.
Geek
Jun 4 2008, 01:53 AM
Hi,
Yes I have.
Send spam reports with three letters of gibberish removed, wait 24 hours, no returns. Send same spams gibberish unmunged and within 20-40 minutes, my mailbox was bombed with same spamvertized URL as before.
If this is insufficient proof, then that's OK, I'll just file-13 those and not report them.
Seems pretty solid to me

Cheers!
** edit **
It could have been tolcab.ro... I just remember the ...cab.ro and olcab was first to mind.
Farelf
Jun 4 2008, 03:11 AM
QUOTE(Geek @ Jun 4 2008, 02:53 PM)

...If this is insufficient proof, then that's OK, I'll just file-13 those and not report them.
Seems pretty solid to me

...
Always ask the deputies before you do anything adventurous - just in case (we need all the reporters we can get). If you have obtained those results repeatedly (for some value of 'repeated') then maybe you should ask them. Whatever we individual reporters see, they see a thousand times over, they will use that experience and any submission you make to determine the merits - offset against any risks (to SC) that might be involved (accusations of forgery, whatever).
Sure, you, anyone, is within their rights in removing identifying information from the spam to be reported - but that is talking about recognized/recognizable data. But in the absence of specific authorization relative to some supposed coded/registered information, the general advice would have to be - just drop those spam if you're not confident about the security of reporting them intact (and you're certainly not).
Miss Betsy
Jun 4 2008, 05:26 AM
Whether you report a spam all depends on whether you think it is a good idea to list the source IP address on the spamcop blocklist or not. Many spamvertized site reports are going directly to the spammers so unchecking all reports except the source, or quick reporting, still keeps the source on the bl without sending a report to the spammer.
If you are also suspicious of the source IP (that they pass the reports to the spammer or that the spammer owns that IP address), then perhaps jhd is a good idea for you if you don't want more spam to report. However, if it is a spamcop email account, it just goes to your Held mail folder so it can be easily reported and doesn't really interfere with your email, right? In addition, sometimes an email to the deputies containing easily confirmed information can result in reports going to devnull which keeps the source IP on the list without sending a report.
OTOH, if you think that the source IP is just clueless, an alternative is to mung the 'gibberish', but send the report manually from a special email address created just for that purpose. You can still obtain the correct abuse address from spamcop, but cancel the spamcop report.
People forget that spamcop is just a tool created to inform the proper server admins of abuse on their network. The other part of spamcop is the blocklist, a tool for server admins and the spamcop email system to block or tag spam so that it does not get into one's inbox.
Reports can get the source of the spam stopped by the receiving server admin. (I believe it is in the lounge where a server admin responded to a report of a phish not too long ago. It wasn't very encouraging because he was only going to warn the customer, but in that case, a manual dialogue might convince him that he should be more diligent.) However, reports going to those who might respond favorably are getting to be few and far between since most server admins know what to do to avoid having spammers abuse their networks in the first place and many don't care about bots because their mail servers are clean.
Unless you can gain benefit by using the scbl, you are only being altruistic to report spam so that it is on the scbl. There are reporters who do like to support the scbl even though they don't gain any direct benefit.
So, deciding whether or not to submit spam to spamcop to send reports, contribute to the scbl, or obtain an abuse address to send a manual report, depends a great deal on what your purpose is in using the two spamcop tools.
Miss Betsy
Rapakiwi
Jun 4 2008, 01:40 PM
QUOTE(Miss Betsy @ Jun 4 2008, 05:26 AM)

Whether you report a spam all depends on whether you think it is a good idea to list the source IP address on the spamcop blocklist or not.
<SNIP, SNIP>
So, deciding whether or not to submit spam to spamcop to send reports, contribute to the scbl, or obtain an abuse address to send a manual report, depends a great deal on what your purpose is in using the two spamcop tools.
This seems a great letter from someone who certainly does one's homework.
My purpose in reporting bank pfish as soon as they appeared was in the hope that the logical address of the fake bank would be nullified by the ISP before anyone mistakenly used it. There seemed to me no hope in finding the criminals (without prior preparation by law enforcement or extreme stupidity on the spoofers' part): but there was hope in preventing a tragedy, even to one person. Before SpamCop, I had stopped everything, attempted to find the ISP using internet tools, and wrote my own warnings to the administrator. This would often take an hour. SpamCop has saved me (and administrators) untold time.
However, I always assumed these scams were sent from dynamically allocated ip addresses, billed to a post office box, and collected from a crowded internet café in a different country. Every time I reported one, it would pop-up the next day in a different East European country. I certainly wouldn't want to blacklist an ip address: a dynamic one that moments later might belong to an innocent user; or a static one that, the next day, would be sold to an innocent business.
When you say 'blacklisting', I hope you mean a personal blacklist. I can imagine blacklisting every letter from some East European countries would be a convenience for me (for I no longer correspond with colleagues there), hence my question: are global blacklists reported by SpamCop gleaned from those sites common to all our personal blacklists, or from those statistical reports of persistent spamming sites? It's the latter, I hope.
Because of the hierarchical organization of the internet, that blacklisting is needed still amazes me but I've seen some German lists, and they're huge.
This query just requires a quick reply: I don't want to distract anyone from this important thread: whether reporting spam increases it, and how to prevent this.
Rapakiwi
PS. Once blacklisted myself by an organization that brilliantly harvested 'from' lines in spam
Geek
Jun 4 2008, 03:28 PM
Thanks for the info everyone!
Rapakiwi
Jun 4 2008, 04:34 PM
QUOTE(Miss Betsy @ Jun 4 2008, 05:26 AM)

The other part of spamcop is the blocklist, a tool for server admins and the spamcop email system to block or tag spam so that it does not get into one's inbox.
<SNIP>
Unless you can gain benefit by using the scbl, you are only being altruistic to report spam so that it is on the scbl. There are reporters who do like to support the scbl even though they don't gain any direct benefit.
So, deciding whether or not to submit spam to spamcop to send reports, contribute to the scbl, or obtain an abuse address to send a manual report, depends a great deal on what your purpose is in using the two spamcop tools.
Ah, I missed that part of the letter that I marked in bold. Thank you. It wasn't clear before that the blocklist is dynamic, and it is of use both to system administrators who want to protect users from scams and to individual users who are experiencing 'denial-of-service' attacks. That's great.
My assumption here was that both users & system administrators are indeed altruistic; so they would want dangerous spoofs to be blocked at their source, and thus they would continue to send the most effective reports to the appropriate administrators. Mine contained a note starting with 'Bank Phish', which is likely recognizable, whatever the administrator's native language.
My apology for being confused about, well, why SpamCop users would need protection from scams. I hadn't realized that the documentation is written for both audiences: users & administrators.
Thanks for the letter, which I now understand better. Should have done my homework.
Rapakiwi
Wazoo
Jun 4 2008, 09:55 PM
QUOTE(Rapakiwi @ Jun 4 2008, 01:40 PM)

When you say 'blacklisting', I hope you mean a personal blacklist. I can imagine blacklisting every letter from some East European countries would be a convenience for me (for I no longer correspond with colleagues there), hence my question: are global blacklists reported by SpamCop gleaned from those sites common to all our personal blacklists, or from those statistical reports of persistent spamming sites? It's the latter, I hope.
What is SpamCop.net?
What is the SpamCop Blocking List (SCBL)?
QUOTE
My apology for being confused about, well, why SpamCop users would need protection from scams.
Some SpamCop.net e-mail account holders have recently proven to be just as ignorant as users of any other ISP/Host/System. Some of them fell for the phish e-mails asking for their account details. Hard to believe.
QUOTE
I hadn't realized that the documentation is written for both audiences: users & administrators.
Documentation is for anyone / everyone, to include those folks impacted by the various parts of the SpamCop.net tool-set. Note the numerous Topics in the Blocking List Help Forum section from folks that had never heard about SpamCop.net until their IP Address made it into the SpamCopDNSBL, typically due to a compromised computer on their network or a hijacked wireless network connection.
btech
Jun 5 2008, 01:02 PM
To the original poster/question: NO.
FWIW, I've seen a huge increase in the number of 419 messages I've received lately... I have received over 100 this week alone, when I usually get 10 a week.
Rapakiwi
Jun 5 2008, 02:27 PM
QUOTE(btech @ Jun 5 2008, 01:02 PM)

To the original poster/question: NO.
FWIW, I've seen a huge increase in the number of 419 messages I've received lately... I have received over 100 this week alone, when I usually get 10 a week.
I've found it varies a lot with season. :-) This year has shown a remarkable increase this spring:
http://www.spamcop.net/spamgraph.shtml?spamyear
Someone created an account solely for reporting spam with munged reports, but the quantity of spam sent to his account appeared an attempt to prevent its being used. My reports have me thoroughly identified, so I'll start reporting regular spam (rather than just dangerous spam) and see what happens. Besides, it will force me to learn AppleScript. :-)
An increase, it seems to me, could only be to prevent or punish your reporting; however, I try and know as little of crime as necessary.
As mentioned elsewhere, each election year after 2000, all my accounts received 100 to 500 spam a day. (Interestingly, the pornographic spam was kept off the mailers at American Ivy League universities -- their supervisors' alma maters?) This has dropped to 10 a day, though this is an election year. I'm not sure 100 a week is a denial-of-service attempt, so the reason for your increase is puzzling to me. (No list buyers would want to pay for a problem, I should think.)
If my spam show a marked change in rate, I'll report this on the forum.
Rapakiwi
Moderator Edit: excessive vertical whitespace removed. Referenced link URL changed to the 'public' version - was members .. noting that this is already provided as a graphic / link at the top right of this and every Forum page
Rapakiwi
Jun 5 2008, 03:18 PM
QUOTE(Wazoo @ Jun 4 2008, 09:55 PM)

What is SpamCop.net?
What is the SpamCop Blocking List (SCBL)?
Some SpamCop.net e-mail account holders have recently proven to be just as ignorant as users of any other ISP/Host/System. Some of them fell for the phish e-mails asking for their account details. Hard to believe.
Documentation is for anyone / everyone, to include those folks impacted by the various parts of the SpamCop.net tool-set. Note the numerous Topics in the Blocking List Help Forum section from folks that had never heard about SpamCop.net until their IP Address made it into the SpamCopDNSBL, typically due to a compromised computer on their network or a hijacked wireless network connection.
This site is a godsend to all users of e-mail. I can't commend it enough. It is, however, just a bit 'techie'. The forums are, presumably, to remedy this. A lack of knowledge by me makes some choices difficult.
For example, I leave spam reports to 'abuse[at]bigtelephonecompany.com' checked, because I'm assuming they have an automated method of checking on smaller ISPs if they continue to receive 'carbons' of complaints. But I don't know that this is correct; and I wouldn't want to put all of AT&T on a blacklist. :-)
Learning that my spam reports are used, though as reasonably as possible, for a dynamic blacklist makes it all the more important that I understand the implication of checking a little box on my report. SPAM is a whole world of organized crime I know nothing about. Some links to sites that discuss how this organization works might help me, at least, in making the human decisions needed in reporting spam. Yes, I know such information is somewhere on the internet; but the internet only works if users get from it far more than they put into it.
Again, tremendous thanks to SpamCop for providing this invaluable service.
(Back in the '80s, I was among those consulted by the Gore Commission about releasing the internet to the public. Censorship & restricting knowledge to those who could pay were the principal worries: {permitting} its use for other forms of crime never crossed my mind. Big surprise!)
Rapakiwi
btech
Jun 5 2008, 05:04 PM
Oddly coincidental, but since making that post, I've received 10 of the SAME email from the same IP. Dumb spammers.
[69317] busewenonpaya[at]avasmail.com.mv ((Used This Funds for the needy) Preview )
Thu, 5 Jun 2008 22:18:24 +0100 (Blocked SpamAssassin=4)
[69319] busewenonpaya[at]avasmail.com.mv ((Used This Funds for the needy) Preview )
Thu, 05 Jun 2008 20:07:13 +0000 (Blocked SpamAssassin=18)
[69321] busewenonpaya[at]avasmail.com.mv ((Used This Funds for the needy) Preview )
Thu, 05 Jun 2008 14:47:35 -0700 (Blocked SpamAssassin=4)
[69322] busewenonpaya[at]avasmail.com.mv ((Used This Funds for the needy) Preview )
Farelf
Jun 5 2008, 10:31 PM
QUOTE(btech @ Jun 6 2008, 06:04 AM)

Oddly coincidental, but since making that post, I've received 10 of the SAME email from the same IP. ...
That does seem unusual - but then I guess you are comparatively 'visible'.
QUOTE(btech @ Jun 6 2008, 06:04 AM)

... Dumb spammers. ...
Yes, these spam are often/sometimes much more 'individually' distributed (being from places without a whole lot of internet presence I guess). I hope this is not an indication that 419s are going 'mainstream' (or, worse yet, onto the 'new mainstream' - the botnets). - but the signs and sightings, taken together, do seem to be pointing that way.
Miss Betsy
Jun 6 2008, 06:22 AM
QUOTE(Rapakiwi @ Jun 5 2008, 04:18 PM)

This site is a godsend to all users of e-mail. I can't commend it enough. It is, however, just a bit 'techie'. The forums are, presumably, to remedy this. A lack of knowledge by me makes some choices difficult.
At one time, I tried to write (or edit) FAQ for the 'technically non-fluent' since that's what I am. For a long time now, I haven't had time to contribute. And it is difficult - techies want lots of details. You can see how the 'server admin' section of the 'Why Am I Blocked' FAQ kept growing and growing.
My contention is that the 'technically non-fluent' can understand the concept of how email works without knowing the details - just as non-mechanics can understand the concept of how piston engines work and how to maintain an automobile in good running order without being able to actually 'fix' it.
QUOTE
For example, I leave spam reports to 'abuse[at]bigtelephonecompany.com' checked, because I'm assuming they have an automated method of checking on smaller ISPs if they continue to receive 'carbons' of complaints. But I don't know that this is correct; and I wouldn't want to put all of AT&T on a blacklist. :-)
If it is the source IP abuse address, you are probably correct. If it is a spamvertized site, perhaps not. However, since spamvertized sites are not added to the blocklist, it wouldn't be a major problem.
QUOTE
Learning that my spam reports are used, though as reasonably as possible, for a dynamic blacklist makes it all the more important that I understand the implication of checking a little box on my report. SPAM is a whole world of organized crime I know nothing about. Some links to sites that discuss how this organization works might help me, at least, in making the human decisions needed in reporting spam. Yes, I know such information is somewhere on the internet; but the internet only works if users get from it far more than they put into it.
SPAM is the name of a meat product produced by Hormel. spam is the word for unsolicited email. one of our regular posters has a link to the Hormel page that asks people to not use all caps to designate unsolicited email. Although I can rarely find what I am looking for, you might be able to find it. Sorry I just don't have time this morning. Spamcop is the only public blocklist that allows non-technically fluent people to contribute. The source IP abuse address is rarely 'wrong' though sometimes the techies think that there is a better address (better meaning one where there is a likelihood that they will do something to stop the spam). Learning about headers and how blocks of IP addresses are allocated would be a start on how an abuse address is chosen.
QUOTE
<snip>
(Back in the '80s, I was among those consulted by the Gore Commission about releasing the internet to the public. Censorship & restricting knowledge to those who could pay were the principal worries: {permitting} its use for other forms of crime never crossed my mind. Big surprise!)
Rapakiwi
There are many people who want to close spamvertized sites using the rationale that if the site isn't there, the spam is useless to send. However, the aversion to censorship is one of the reasons that approach is not as successful as blocklists. Blocklists are the internet polite way of dealing with inconsiderate use of the internet - in the same way that the 'cut direct' is the mannerly way of dealing with rudeness offline. And it works online because there is no 'force' that can change what a server admin decides to do with his server. There is no 'force' that can be applied that can make an end user read an email or reply to it after reading it.
Miss Betsy
turetzsr
Jun 6 2008, 02:39 PM
QUOTE(Miss Betsy @ Jun 6 2008, 07:22 AM)

<snip>
SPAM is the name of a meat product produced by Hormel. spam is the word for unsolicited email. one of our regular posters has a link to the Hormel page that asks people to not use all caps to designate unsolicited email. Although I can rarely find what I am looking for, you might be able to find it. Sorry I just don't have time this morning.
<snip>
...Please see the first part of my post in Forum thread "Seeking suggestions for handling bounces/misdirects".
Rapakiwi
Jun 9 2008, 09:28 PM
QUOTE(Miss Betsy @ Jun 6 2008, 06:22 AM)

<SNIP, SNIP>
S P A M is the name of a meat product produced by Hormel. spam is the word for unsolicited email.
<SNIP, SNIP>
Miss Betsy
Miss Betsy, I'm very impressed by your posts; and I benefit greatly from them. However, I should use your above request to argue that you may actually qualify as a 'technie' (at Dartmouth, 'knurd': 'drunk' spelled backward). However, I shall respect Hormel's request (lest one confuse the two!); but I shall compromise and begin my sentences with a capital letter. :-)
Most respectfully,
Rapakiwi
Farelf
Jun 9 2008, 09:41 PM
QUOTE(Rapakiwi @ Jun 10 2008, 10:28 AM)

...you may actually qualify as a 'technie' (at Dartmouth, 'knurd': 'drunk' spelled backward). ...
HM Prison Service, Dartmouth? You old silver-tongued devil you, Rapakiwi. Though I thought their language was a little more pithy there - and that's just the staff.
And you can do with "spam" as you will. Wazoo has fixed it, following David's brilliant suggestion.
Miss Betsy
Jun 9 2008, 09:45 PM
No, NO, I am technically non-fluent. There is nothing that I know about spam and email that anyone who wants to know basic information about the world about them cannot understand. I know how to change a tire (from the textbook and observation), but I never have had to actually do it - gender characterization is sometimes ok! I also know a few other useful things about the automobiles I drive. And I know a little bit about how email works. But only with extreme effort and lots of books, could I ever build (or repair) an engine or run a server - that is what mechanics and techies do.
Miss Betsy
Rapakiwi
Jun 9 2008, 09:49 PM
QUOTE(btech @ Jun 5 2008, 01:02 PM)

To the original poster/question: NO.
FWIW, I've seen a huge increase in the number of 419 messages I've received lately... I have received over 100 this week alone, when I usually get 10 a week.
OK, Was it here I promised to test whether reporting spam increases it? Earlier I reported only phish. After a week or so of rapid reporting, some spam was sent 'from' me (for I identify myself openly), then I never received any more phish. I assume I was taken off the phishing list. (Not what I wanted.)
Last week I started, for the first time, reporting 'innocent' spam (well, I consider those with hyperlinks not so innocent). My spam, which was a constant 12 or so a day for at least a year, has dropped continuously to one today. In every report I send, I add a personal comment, and I offer my full name and email address. Thus far I have received no email with nasty attachments or anything but silence. Most of the s-p-a-ms, by the way, were selling fake diplomas to Dartmouth alumni. :-)
This is clearly too early to tell, but I don't remember a decrease like this before. I was prepared to (and still am, I suppose) expect a decrease only after months of rapid reporting, when my address was blacklisted by those ... well, blacklisted.
If this decrease is genuine, it suggests spam is sent by very few, very active organizations.
Rapakiwi
Rapakiwi
Jun 9 2008, 10:51 PM
QUOTE(Farelf @ Jun 9 2008, 09:41 PM)

HM Prison Service, Dartmouth? You old silver-tongued devil you, Rapakiwi. Though I thought their language was a little more pithy there - and that's just the staff.
<SNIP>
Ahem ... I deplore this attempt to impugn by 'record', for it's not the prison, but the jail I spent some quality time at, as you can clearly see by comparing the images.
HM Prison Service, Dartmouth
HM Gaol, Dartmouth
Proudly yours,
Rapakiwi
Farelf
Jun 9 2008, 11:29 PM
QUOTE(Rapakiwi @ Jun 10 2008, 11:51 AM)

...it's not the prison, but the jail I spent some quality time at, as you can clearly see by comparing the images.
HM Prison Service, Dartmouth
HM Gaol, Dartmouth
Ah yes, I see the similarity - not to be confused with Dartmoor University (formerly Dartmoor College of Advanced Education).
Rapakiwi
Jun 10 2008, 07:57 PM
QUOTE(Farelf @ Jun 9 2008, 09:41 PM)

<SNIP>
And you can do with "spam" as you will. Wazoo has fixed it, following David's brilliant suggestion.
Once, when I wrote a paper on mathematical software in a newsletter for a supercomputer center, the editor marked every other word with a trademark or registered trademark. I had to comment then that I believe the purpose of such trademarks is to legitimately prevent others from selling a product with the same name. The capitalized word is, to my knowledge, not an acronym involving e-mail, so I have no objection to anyone correcting my spelling.
In other words, I thank SpamCop for preventing me from discussing food products. If any should not, remember Hormel's reasoning: 'We coined this term in 1937 and it has become a famous trademark. Thus, we don't appreciate it when someone else tries to make money on the goodwill that we created in our trademark or product image, or takes away from the unique and distinctive nature of our famous trademark spam.' -Hormel Food Corporation
From this, I conclude that their objection to our writing a capitalized word appears to be for our benefit: they would never want the resemblance of the two products to lure us into opening some.
Rapakiwi
PS. Once, after being lured into a life of geology, I had to break some rocks at Dartmoor. But I was very young then.
Farelf
Jun 10 2008, 08:04 PM
QUOTE(Rapakiwi @ Jun 11 2008, 08:57 AM)

...PS. Once, after being lured into a life of geology, I had to break some rocks at Dartmoor. But I was very young then.
We're well O/T but yes, I believe you've "nailed" the Hormel trademark thing. And, to stray even further, I once knew a yachtsman - he used to break wind.
cdavis999
Jun 21 2008, 11:16 AM
QUOTE(rconner @ Feb 28 2008, 11:29 PM)

In order for you to get more scam mail due to your SpamCop activities, it would be necessary for SpamCop to have given your e-mail address (or allowed it to be given) to the crooks.
...which would seem inconceivable, in this of all places.
And yet I, who signed on to Spamcop using a specific mailbox I created specifically for the purpose - a mailbox that has never been used for anything except mail from SpamCop to me - have consistently been receiving spams sent to that mailbox! How could this happen?
No mail has ever been sent from the address cdspamcop[at]smouse.demon.co.uk. No mail should ever have been sent to it by anyone other than Spamcop.net themselves - who should be the only people who know the address.
And yet this morning I received a distinctly nasty piece of spam, advertising an honest-to-god child porn site, illustrated with a pair of barely pubescent kids doing something their mums wouldn't approve of -
addressed to this very mailbox.
It isn't the first spam sent to this address - though it is the nastiest. In the current climate, just having this picture is bad enough.
In previous correspondence, Spamcop admin have told me that the spammers probably got the address by guesswork. Pardon me, but - bollocks.
So - what is the explanation, I wonder? I hesitate to suspect malice, or malicious passing on of mailing lists by Spamcop admin, but how did it happen? I know that unique addresses I've used on other public forums have been passed to spammers before - which is why I use unique ones every time. Although I would expect Spamcop to be especially diligent about such things, I can't help thinking what a coup it would be for any spammers to get hold of this list, and how much they might pay for it.
And as it has happened, how vulnerable are any of us?
Any information gratefully received.
CD
rconner
Jun 21 2008, 11:28 AM
QUOTE(cdavis999 @ Jun 21 2008, 12:16 PM)

In previous correspondence, Spamcop admin have told me that the spammers probably got the address by guesswork. Pardon me, but - bollocks.
I beg to contradict (tho I will not use the B-word): this sort of thing is quite common, it happens millions of times per day. If your e-mail address was composed of common names or words, it is subject to be harvested during a directory harvest attack. See this SpamCop Wiki page or http://www.rickconner.net/spamweb/analysis11.html.
-- rick
Wazoo
Jun 21 2008, 11:46 AM
QUOTE(cdavis999 @ Jun 21 2008, 11:16 AM)

In previous correspondence, Spamcop admin have told me that the spammers probably got the address by guesswork. Pardon me, but - bollocks.
It would be so much easier to take your viewpoint if the address you specified wasn't so 'simple' ...
Miss Betsy
Jun 21 2008, 06:36 PM
I created a hotmail account that I thought would be very unlikely to be 'guessable' (an acronym of six letters) - never reported spam from it or sent any mail from it (it was just used to receive email forwarded from another address which I then could read in OE instead of online because I still had a dial up). Within two weeks, it received its first spam. I think I read somewhere that it is really easy to generate a lot of variations - we know that they deliberately send spam to spamcop.net addresses. How easy it would be to add initials in front? And we also know that they combine every possible email address with different domains. If you ever had any spam to any address at that domain, then you are doubly likely to get attempts, I would think.
Miss Betsy
rconner
Jun 21 2008, 09:37 PM
I just abandoned my 10-year-old SpamCop account because it was beginning to get a significant amount of spam directly sent to it (something I hadn't noticed until about a couple of months ago). This time, I picked a long and weirdly random string of numbers and letters, we will see how long this one lasts.
-- rick
cdavis999
Jun 22 2008, 08:00 AM
QUOTE(rconner @ Jun 21 2008, 05:28 PM)

I beg to contradict (tho I will not use the B-word): this sort of thing is quite common, it happens millions of times per day. If your e-mail address was composed of common names or words, it is subject to be harvested during a directory harvest attack. See this SpamCop Wiki page or http://www.rickconner.net/spamweb/analysis11.html.
I'm most grateful for the information you supply, but I have to say that I still have doubts - which I'd be delighted to discover were merely misunderstandings. Let me give you a little context:
I have a couple of domains, one of which is the ancient smouse.demon.co.uk that I used, years ago, for signup to Spamcop and the like. The email account will accept mail sent to [anything][at]smouse.d.c.u
So early on I started creating unique mailboxes for any forums etc. I signed up to. These boxes would all be in the form cd[?*][at]s.d.c.u . This has allowed me to catch practically all dictionary and guesswork spam by validating the opening 'cdxxx'.
As anticipated, some sites I've signed up to in this way have indeed resulted in a spamvalanche - and I can just add exception processing to my Regex filters to ignore them. My signup for Koko the Gorilla's site produces tons of such crap, for instance.
If I understand you, you consider 'cdspamcop' an easy one for the spammers to have guessed. OK, so why no 'caspamcop', 'cbspamcop', 'ccspamcop' et seq.? As these, too, would have been accepted without objection by the server, how likely is it that spammers would [a] have hit on the right combination, and [b] not tried any others?
(I do monitor the addresses to which spam is sent, and if one turns up repeatedly I save my filters some work by catching them. Nothing has ever to my knowledge been sent to [*]spamcop apart from the magic 'cd' combination.)
Perhaps I've missed a vital point in your references, but I can't see how spammers would have tried 'cdspamcop' unless they somehow knew it would work. Could the handful of legitimate mails sent, by spamcop.net themselves, somehow have been intercepted?
I'm all ears. Please forgive me if I'm being thick, but this nasty child porn mail has decidedly micturated me off. It's quite the most unpleasant spam I've received (out of about 100/day all told), and the fact that it has apparently tapped into a communication line to an anti-spam organisation is bloody irritating.
CD
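The comparison described in the post above (mail to an issued address versus guesses at its neighbours on a catch-all domain) can be run over a delivery log. This is an added example, not code from any poster; only "cdspamcop" comes from the thread, and the "cdforum" tag, the sending domains and the log rows are constructed. An "isolated" result says only that the log shows no sibling guesses, not how the address became known.

```python
import re
from collections import defaultdict

# Local-parts the owner handed out, and the only sender each was given to.
# "cdspamcop" is the address from the post; everything else here is constructed.
ISSUED = {"cdspamcop": "spamcop.net", "cdforum": "forum.example"}
PREFIX = re.compile(r"^cd[a-z0-9]+$")  # the post's "validate the opening cd" rule

# Constructed catch-all log: (sending domain, recipient local-part).
LOG = [
    ("spamcop.net", "cdspamcop"),
    ("bulk-a.example", "cdspamcop"),
    ("forum.example", "cdforum"),
    ("bulk-b.example", "cdforum"),
    ("bulk-b.example", "caforum"),
    ("bulk-b.example", "cbforum"),
    ("bulk-b.example", "info"),
    ("bulk-b.example", "cdsales"),
]


def classify(sender, local):
    """Label one delivery attempt against the issued-address table."""
    if local in ISSUED:
        return "expected" if sender == ISSUED[local] else "third-party"
    return "guess-passes-prefix" if PREFIX.match(local) else "guess-rejected"


def siblings(tag, log):
    """Never-issued recipients that differ from `tag` only in its two-letter prefix."""
    return {rcpt for _, rcpt in log
            if rcpt not in ISSUED and len(rcpt) == len(tag) and rcpt[2:] == tag[2:]}


def triage(log):
    """For each issued address used by a third party, report whether the log also
    shows sibling guesses ('swept') or only the exact address ('isolated')."""
    hits = defaultdict(set)
    for sender, local in log:
        if classify(sender, local) == "third-party":
            hits[local].add(sender)
    return {tag: {"senders": sorted(senders),
                  "pattern": "swept" if siblings(tag, log) else "isolated"}
            for tag, senders in hits.items()}


if __name__ == "__main__":
    for tag, info in triage(LOG).items():
        print(tag, info)
```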
rconner
Jun 22 2008, 10:27 AM
QUOTE(cdavis999 @ Jun 22 2008, 09:00 AM)

Perhaps I've missed a vital point in your references, but I can't see how spammers would have tried 'cdspamcop' unless they somehow knew it would work.
I think the answer to this question would have been found in the links I posted above. Spammers find (or guess) addresses and then test them for deliverability using DHA probes. If an address is more "guessable" it is more likely to be tested in a probe. No, I can't tell you exactly what makes an address "guessable," nor can I tell you why one address might be harvested and spammed, while another similar one might not be; these are questions best directed to the spammers.
-- rick
StevenUnderwood
Jun 22 2008, 11:57 AM
What is your "Full Name" setting on your reporting account under Preferences, Change Email address or name?
http://mailsc.spamcop.net/mcgi?action=wizard&stage=1
That moniker goes on every report that goes out.
Farelf
Jun 22 2008, 05:06 PM
You're not saying how you were aware of the specific content of that child porn spam (nor of the 'credentials' of the porn site it was pushing) - the possibility being that anything from 'trackers' to installed spyware of some kind might come into the equation depending on your past 'safe hex' practices.
cdavis999
Jun 23 2008, 05:34 AM
QUOTE(rconner @ Jun 22 2008, 04:27 PM)

I think the answer to this question would have been found in the links I posted above. Spammers find (or guess) addresses and then test them for deliverability using DHA probes. If an address is more "guessable" it is more likely to be tested in a probe. No, I can't tell you exactly what makes an address "guessable," nor can I tell you why one address might be harvested and spammed, while another similar one might not be; these are questions best directed to the spammers.
Rick, I did read your references, and although they are informative and comprehensive, I didn't find anything that addressed my specific concerns:
- I don't believe there exists a cdspamcop MX record to be harvested
- I have never, to my knowledge, received either a spam or a probe aimed at [xxx]spamcop, which I would expect if the spammers had just guessed the address
- While in the context of this forum 'cdspamcop' may not look very random, it's not a string that would be found in any dictionary. Remember that choosing 123456 as your lottery numbers is no less likely to win than 942738.
- The string 'cdspamcop' finds no hits on Google (I checked when it first happened). If the spammers found that string somewhere legitimate, then where?
Again, I'd be delighted to be told that I missed something, but what is it?
But let me not seem to be nagging you - that's the last thing I want.
CD
cdavis999
Jun 23 2008, 05:46 AM
QUOTE(StevenUnderwood @ Jun 22 2008, 05:57 PM)

What is your "Full Name" setting on your reporting account under Preferences, Change Email address or name?
http://mailsc.spamcop.net/mcgi?action=wizard&stage=1
That moniker goes on every report that goes out.
Hmm, that's interesting: the URL to which I'm referred to change my Spamcop setting is http://www.spamcop.net/mcgi?action=wizard&stage=1 . When I try the one you refer to, I get a popup dialog instead of a Web form, and entering my name and PW denies me and spits me to the 'Forget your password?' page - even if I'm already logged in.
I assume/hope that your URL is for another account type. I believe I have a pretty basic one, and it's very old. Do you have any info on this?
My name for emails is set to 'Chris' - very good call, though. Thanks!
CD
rconner
Jun 23 2008, 06:28 AM
"cdspamcop" would not have an MX record. Your domain would -- e.g., "cdspamcop @ domain.foo" is in domain "domain.foo," you look up the MX record for "domain.foo" in order to deliver mail to cdspamcop. While you are at that MX, you can also try delivering to a few thousand other possible random addresses to see whether any might work.
"cdspamcop" is made up of dictionary words: "cd", "spam", and "cop." "sb2zn33f" (for instance) is not made up of dictionary words.
-- rick
cdavis999
Jun 23 2008, 06:34 AM
QUOTE(Farelf @ Jun 22 2008, 11:06 PM)

You're not saying how you were aware of the specific content of that child porn spam (nor of the 'credentials' of the porn site it was pushing) - the possibility being that anything from 'trackers' to installed spyware of some kind might come into the equation depending on your past 'safe hex' practices.
Not sure quite how to answer that. The machine on which I received the spam was a laptop not equipped with spam filters (I host my own heavily-protected mailserver for my main account. Smouse is mostly for emergencies now.)
All the machines in my domain run AVG antivirus and -spyware. They all autoscan daily. The domain is Sygate firewalled, as are the individual machines in it. Tracking cookies are zapped. Sadly this doesn't remove the possibility that the machines have been hacked at some point. Nothing does, alas.
The header of the nasty mail is as follows:
CODE
From - Sat Jun 21 12:34:32 2008
X-Account-Key: account3
X-UIDL: 1K9vsk-0miknw-02-FeL
X-Mozilla-Status: 0001
X-Mozilla-Status2: 10000000
X-Mozilla-Keys:
Return-Path: <problem[at]mail.nugransid.com>
Received: from punt3.mail.demon.net by mailstore
for cdspamcop[at]smouse.demon.co.uk id 1K9vsk-0miknw-02-FeL;
Sat, 21 Jun 2008 05:43:26 +0000
Received: from [194.217.242.95] (lhlo=anchor-hub.mail.demon.net)
by punt3.mail.demon.net with lmtp id 1K9vsk-0miknw-02
for cdspamcop[at]smouse.demon.co.uk; Sat, 21 Jun 2008 05:43:26 +0000
Received: from [202.191.61.82] (helo=orion.websiteactive.com)
by anchor-hub.mail.demon.net with smtp id 1K9vsg-00039p-OH
for cdspamcop[at]smouse.demon.co.uk; Sat, 21 Jun 2008 05:43:26 +0000
To: cdspamcop[at]smouse.demon.co.uk
Subject: Instant Access to C.P. Video
Date: Sat, 21 Jun 2008 15:43:19 +1000
MIME-Version: 1.0
From: Sonia Lanier <problem[at]mail.nugransid.com>
X-Mailer: LOI Webmail 747-STD
Received: from 224.250.226.254 by mail.nugransid.com (69.25.142.5) with HTTP (WebMailUI); Sat, 21 Jun 2008 15:43:19 +1000
Message-ID: <019253717.20070829090343[at]mail.nugransid.com>
Content-Type: multipart/mixed;
boundary="----------EAA0537D2D"
X-CNFS-Analysis: v=1.0 c=1 a=zbfNaPuGxtBw7HMn7Ikoyw==:17 a=Aa0CmRER98ApXqSXMD4A:9 a=FM1epHXxEhw9TEjD3z0A:7 a=6pSPgIjrDq93WPdrWogqGrKwPwUA:4 a=Sz-0p1zU2dQA:10 a=mSGVt1QvotDfUeFsNjIA:9 a=e5Bm7nuXIO4K_tB2wHkKzfu01A0A:4 a=bC4pTEGzVWIA:10 a=KQqxNPgzF0kA:10 a=M0kiJebNe1CeGr_d:18
X-Antivirus: AVG for E-mail 8.0.130 [270.4.1/1511]
The punt addresses are part of Demon's store&forward system, and are legitimate. The mail seems to have been sent to Demon from 202.191.61.82, which Whoises as MD Web Hosting in Australia. I assume that the sender is just a slave in someone's botnet.
The body of the mail consists of a few lines of anti-bayesian rubbish text and a single large JPEG. This picture has text, surmounted by a pair of kids. The text reads:
QUOTE
Hard CPHOW TO GET INSTANT ACCESS TO CHILDREN PORNO
You must buy our Antivirus 2008© (Online security Scanner)
1. Use any site line to join (below)
http://XXXXXXXXXXXXXXX http://XXXXXXXXXXXXXXX http://XXXXXXXXXXXXXXX http://XXXXXXXXXXXXXXX2. pay for Antivirus 2008®
3. Get email with access info to children porno
4. plus you'll get Antivirus 2008® too!
5. Be careful, FI works against yourself.
I bet that's more information than you wanted! Apologies for all the screed, but I thought I should supply this stuff for completeness' sake.
CD
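The reading of the Received chain given in the post above can be checked mechanically: walk down from the newest header while each one was written by the recipient's own provider, and stop where the connecting client is an outside host. This is an added example, not code from any poster; treating `*.mail.demon.net` and the bare name `mailstore` as the trusted relays is an assumption based on the post's statement that the punt hosts are legitimate.

```python
import ipaddress
import re

# Assumption: hosts under this suffix, plus the bare name "mailstore", belong to
# the recipient's own provider (the post calls the punt hosts legitimate).
TRUSTED_SUFFIX = ".mail.demon.net"
TRUSTED_NAMES = {"mailstore"}

# Received headers from the post above, newest first, trimmed to the parts used here.
RECEIVED = [
    "from punt3.mail.demon.net by mailstore for cdspamcop[at]smouse.demon.co.uk",
    "from [194.217.242.95] (lhlo=anchor-hub.mail.demon.net) by punt3.mail.demon.net with lmtp",
    "from [202.191.61.82] (helo=orion.websiteactive.com) by anchor-hub.mail.demon.net with smtp",
    "from 224.250.226.254 by mail.nugransid.com (69.25.142.5) with HTTP (WebMailUI)",
]
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse(header):
    """Split a Received header into the client side ('from') and the server ('by')."""
    m = re.match(r"from\s+(.*?)\s+by\s+(\S+)", header, re.S)
    if m is None:
        return None
    client, server = m.groups()
    greeting = re.search(r"\b(?:helo|lhlo)=([^\s)]+)", client)
    ip = IP_RE.search(client)
    first = client.split()[0].strip("[]")
    name = greeting.group(1) if greeting else (None if IP_RE.fullmatch(first) else first)
    return {"ip": ip.group(0) if ip else None, "name": name, "by": server}


def trusted(host):
    return host is not None and (host in TRUSTED_NAMES or host.endswith(TRUSTED_SUFFIX))


def find_handoff(headers):
    """Index and parsed hop of the header where mail entered the trusted relays."""
    hops = [parse(h) for h in headers]
    boundary = None
    for i, hop in enumerate(hops):
        if hop is None or not trusted(hop["by"]):
            break  # written by a server outside the provider: stop trusting here
        if boundary is not None and hops[boundary]["name"] != hop["by"]:
            break  # not continuous with the hop above it
        boundary = i
        if not trusted(hop["name"]):
            break  # client is outside the provider: this is the handoff
    return boundary, (hops[boundary] if boundary is not None else None)


def audit_below(headers, boundary):
    """Label source IPs in headers below the handoff, which no trusted server wrote."""
    notes = []
    for hop in filter(None, map(parse, headers[boundary + 1:])):
        if hop["ip"] is None:
            continue
        try:
            addr = ipaddress.ip_address(hop["ip"])
        except ValueError:
            notes.append((hop["ip"], "not a valid IPv4 address"))
            continue
        routable = addr.is_global and not addr.is_multicast
        notes.append((hop["ip"], "unverified" if routable else "not a routable unicast source"))
    return notes


if __name__ == "__main__":
    idx, hop = find_handoff(RECEIVED)
    print("handoff header:", idx, "source:", hop["ip"], "claimed name:", hop["name"])
    print("below handoff:", audit_below(RECEIVED, idx))
```

The HELO name is supplied by the connecting client, so matching relays by known IP ranges would be a stronger test than the name suffix used here. The bottom header's source address falls in 224.0.0.0/4, which is multicast space and cannot be a real sending host.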
cdavis999
Jun 23 2008, 07:30 AM
QUOTE(rconner @ Jun 23 2008, 12:28 PM)

"cdspamcop" would not have an MX record. Your domain would -- e.g., "cdspamcop @ domain.foo" is in domain "domain.foo," you look up the MX record for "domain.foo" in order to deliver mail to cdspamcop.
Correct. Which was sort-of my point.
QUOTE
"cdspamcop" is made up of dictionary words: "cd", "spam", and "cop."
True, but stringing together any three words from even a small dictionary of, say, 50,000 words would give - what? - 2P^n permutations? Seems pretty steep to me.
QUOTE
"sb2zn33f" (for instance) is not made up of dictionary words.
Also true, but generating all the radix36 numbers between 00000000 and zzzzzzzz is no more of a chore than the dictionary trick.
But I won't argue the point, except to say that I receive plenty of dictionary-attack spam - some of which (predictably) even hits the magic cdxxx combination - and I still think it statistically unlikely that 'cdspamcop' was a lucky guess.
They got that string from somewhere.
CD