Full Version: Address harvesting from reports?
btech
I'd like to bring this back into discussion.... I've found that 90% of my spam is going to my cesmail account and since I don't ever send from that account, I can only assume that it's being harvested off reports that I queue and report from the reporting site (rather than 'report as spam' from email). I believe it has something to do with the reports of spamvertized domains that go to blackhats in China... like Week5 (that reports to happie498cn[at]yahoo.com.cn) and others.

Anyone else have thoughts on this? And how can I go about changing my CESMAIL account address?

(btw, I'm not a new user, I just chose a new SN, because I didn't want to keep posting with my full name ;) )

[edit - clipped from http://forum.spamcop.net/forums/index.php?showtopic=8000]
Wazoo
QUOTE(btech @ Apr 8 2008, 04:56 AM) *
since I don't ever send from that account, I can only assume that it's being harvested off reports that I queue and report from the reporting site (rather than 'report as spam' from email).

Not sure you've actually described your Reporting method. Also not stated is whether you have ever looked at the Preview of any of your outgoing Reports to see if you have a valid concern/issue or not.
QUOTE
Anyone else have thoughts on this? And how can I go about changing my CESMAIL account address?

There is only one way ... contact the folks that own, manage, and maintain the SpamCop.net e-mail system with a really, really good reason. Contact points are provided in numerous FAQ entries, even the Wiki ... for instance, Where to get Help
QUOTE
(btw, I'm not a new user, I just chose a new SN, because I didn't want to keep posting with my full name ;) )

Not sure what you mean by SN ... however, the way I read this, you chose to ignore a Forum FAQ entry, please see SECTION 7 - Change of Username. When you make contact and verify that you are who I believe you are, this account will be terminated. Actually, based on a little research, this account will be terminated even if you don't contact me.

Moderator Edit; Accounts all taken care of, some posts may still need some hand massaging ???? ... Thanks!!
btech
typically, I report my messages from my 'held' folder, by clicking 'Report as Spam'. But in the past, I went into the mailsc.spamcop.net site, queued up messages for reporting and reported through that portal.

Since I don't ever advertise or use my cesmail account, I can only assume that the receiving email address for the spamvertized domains is scraping email addresses from the SpamCop reports. I just tested and saw that my full cesmail address is listed in the report that goes to the recipient of a spamvertized domain. In this case, it was happie498cn[at]yahoo.com.cn. Reports are disabled for this email address, but there are many others that I fear might be working with spammers and utilizing these reports for the wrong reasons.

(report in question is: http://www.spamcop.net/sc?id=z1778554839zb...7f39d24daf1505z )
StevenUnderwood
QUOTE(btech @ Apr 7 2008, 06:19 PM) *
typically, I report my messages from my 'held' folder, by clicking 'Report as Spam'. But in the past, I went into the mailsc.spamcop.net site, queued up messages for reporting and reported through that portal.

Since I don't ever advertise or use my cesmail account, I can only assume that the receiving email address for the spamvertized domains is scraping email addresses from the SpamCop reports. I just tested and saw that my full cesmail address is listed in the report that goes to the recipient of a spamvertized domain. In this case, it was happie498cn[at]yahoo.com.cn. Reports are disabled for this email address, but there are many others that I fear might be working with spammers and utilizing these reports for the wrong reasons.

If you do not munge your address data (I don't) then your address is available in EVERY report regardless of how you send the message to SpamCop. Using the "Report as Spam" link is just another way to send your reports via email to your quick.* address.

The option is available on the SpamCop reporting page, Preferences tab, Report Handling Options, Spam Munging section.

And unless your address is a highly complex one, it is even more possible that the address was simply found via a dictionary attack.
Farelf
This topic split out from http://forum.spamcop.net/forums/index.php?showtopic=8000 on suggestion of the original poster.
Miss Betsy
Yes, I think that spammers do harvest email addresses from spamcop reports. Also, I believe that many of the spamvertized website reports go to spammers. I started only using quick reporting or unchecking all but the source reports because of that reason.

OTOH, I see no point in trying to mung an address. For one thing, there are so many places that spamcop does not see the address that every spam has to be looked at. For another, there are so many ways that spammers can identify a reporter without actually using an address. And, from anecdotal experience, it doesn't make a lot of difference in the amount of spam - some spammers listwashing reporters, but others harvesting addresses.

Miss Betsy
btech
QUOTE(Miss Betsy @ Apr 11 2008, 04:16 AM) *
And, from anecdotal experience, it doesn't make a lot of difference in the amount of spam - some spammers listwashing reporters, but others harvesting addresses

Well... I certainly wasn't listwashed. I started munging my address again, but it's painfully clear to me that my CESMAIL address was plucked from a SpamCop report sent and received by a blackhat. Either that, or some completely airheaded host/ISP that is oblivious to their business-goings-on with a spammer and they forwarded my SC report to them.

I tend to think it's the former of the two.
mr_zeno
One thing I suspect is that some spam has a unique code embedded in the subject or the email body or even the return address. When this is reported as spam they just process the code and know it's a valid email address.
SpamCopAdmin
QUOTE(mr_zeno @ Apr 17 2008, 05:57 AM) *

One thing I suspect is that some spam has a unique code embedded in the subject or the email body or even the return address.
Keep in mind that in order to tag a spam message with a secret code that would identify the recipient, the spammer has to limit himself to only sending one message at a time so that his software can create a unique message for each recipient.

That process is *extremely* slow. For every unique message he sends so he can identify the recipient later, he could be sending that same message to thousands of Bcc recipients and increase the number of people he reaches by a factor of a thousand or more.

Spammers rely on a tiny response rate from a very few gullible people out of the millions they send mail to. All they want to do is send, send, send, to as many people as possible every day. Slow is not part of their business plan.

I know that there are occasional examples of encoded spam, but it seems to me that it comes mostly from what I call "main sleaze" spammers, which are established and known businesses who have stepped over the line in their address collection practices, as opposed to criminal spammers defrauding the public.

- Don -

It looks to me like SpamCop does a good job of deleting our addresses from the reports we send.

Anybody see my address in this?

- Don -

User-targeted report, see notes, if any.
http://www.spamcop.net/w3m?i=z3031007786z8...37f9104d705a60z

[ Offending message ]
Return-Path: <skvcgp[at]bmw.com.ph>
Delivered-To: x
Received: (qmail 29312 invoked from network); 17 Apr 2008 15:09:19 -0000
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7
X-Spam-Level: ******
X-Spam-Status: hits=6.6 tests=URIBL_AB_SURBL,URIBL_BLACK,URIBL_SBL
version=3.2.4
Received: from unknown (192.168.1.108)
by filter7.cesmail.net with QMQP; 17 Apr 2008 15:09:19 -0000
Received: from sc-smtp1-bulkmx.soma.ironport.com (204.15.82.123)
by mx71.cesmail.net with SMTP; 17 Apr 2008 15:09:19 -0000
Received: from sc-app10.spamcop.net (HELO sc-app10.soma.ironport.com) ([204.15.82.89])
by sc-smtp1.soma.ironport.com with ESMTP; 17 Apr 2008 08:09:18 -0700
Received: by sc-app10.soma.ironport.com (Postfix)
id A75D1FDF4; Thu, 17 Apr 2008 08:09:18 -0700 (PDT)
Delivered-To: x
Received: from sc-smtp2-bulkmx.soma.ironport.com (sc-smtp2-bulkmx.soma.ironport.com [204.15.82.125])
by sc-app10.soma.ironport.com (Postfix) with ESMTP id A22D6FDF3;
Thu, 17 Apr 2008 08:09:18 -0700 (PDT)
Received: from unknown (HELO [78.172.66.129]) ([78.172.66.129])
by vmx2.spamcop.net with ESMTP; 17 Apr 2008 08:09:07 -0700
Received: from [78.172.66.129] by mxa.expurgate.net; Thu, 17 Apr 2008 17:09:17 +0200
Date: Thu, 17 Apr 2008 17:09:17 +0200
From: "Annette Foreman" <skvcgp[at]bmw.com.ph>
X-Mailer: The Bat! (v2.00.0) Educational
Reply-To: skvcgp[at]bmw.com.ph
X-Priority: 3 (Normal)
Message-ID: <8754________________4439[at]bmw.com.ph>
To: x
Subject: Re: get thin easy
MIME-Version: 1.0
Content-Type: text/plain;
charset=Windows-1252
Content-Transfer-Encoding: 7bit
X-SpamCop-Checked: 204.15.82.123 204.15.82.89 204.15.82.125 78.172.66.129
michaelanglo
QUOTE(SpamCopAdmin @ Apr 17 2008, 04:00 PM) *
Keep in mind that in order to tag a spam message with a secret code that would identify the recipient, the spammer has to limit himself to only sending one message at a time so that his software can create a unique message for each recipient.

That process is *extremely* slow. For every unique message he sends so he can identify the recipient later, he could be sending that same message to thousands of Bcc recipients and increase the number of people he reaches by a factor of a thousand or more.

This idea is out of date. On a check 50% of the Spam I receive has my address in the "To:" field and 70+% in one of the To: or CC: fields so they are individual or semi-individual.

The spammers switched to doing this at least 4 years back when the anti-spammers tried to filter on "not in To: or CC:", eg bulk mail using bcc:

Why should someone who is stealing all the resources and/or using a Zombie aka botnet care about such ?
SpamCopAdmin
QUOTE(michaelanglo @ Apr 17 2008, 01:35 PM) *
Why should someone who is stealing all the resources and/or using a Zombie aka botnet care about such ?
How would a spammer get his hands on reports about spam coming from a zombied machine?

- Don -
Telarin
QUOTE(SpamCopAdmin @ Apr 17 2008, 02:47 PM) *
How would a spammer get his hands on reports about spam coming from a zombied machine?

Not to mention, even if the spammer managed to somehow get into the feedback loop and get these reports from one or more ISPs, their zombies would have to "phone home" to update a database with which codes match to which email addresses. They would then have to analyze the reports they got hold of to match them to those email addresses. Sounds like a lot of work to me, and to what ends? Harassing anti-spammers doesn't make them any more money. Listwashing might help cut down the number of reports against them, but considering the way they operate, this would not be a productive use of their time.

No, I suspect that any increase in spam to your spamcop email address or to other reporting addresses is, at best, coincidental. At worst, it may indicate that you have inadvertently compromised that address, either by using it to send email to someone with a compromised computer, or having one of your own computers compromised. Remember, once an address gets on a single spammer list, it is sold and resold until they all have it.
ka112
In about 20-30% of the spam I receive, the unique part of my e-mail address is in the subject field. Therefore I think harvesting is more common than is said here.

/Anders
Wazoo
QUOTE(ka112 @ Apr 20 2008, 08:07 PM) *
In about 20-30% of the spam I receive, the unique part of my e-mail address is in the subject field. Therefore I think harvesting is more common than is said here.

If the spammer already has your address, noted by the fact that the spam was sent 'to you' .... how does that then backwards translate into harvesting your address ??????

At best, we may be dealing with some different definitions of the word 'harvest' ...????
Farelf
QUOTE(Wazoo @ Apr 21 2008, 11:55 AM) *
...At best, we may be dealing with some different definitions of the word 'harvest' ...????
'Tracking' is probably closer to the concept that is frequently thrown up in relation to these 'personalized' spam and certainly there seems to be quite a bit of it from time to time. No idea what "they" are up to but modest manual munging is permissible. Of course there is no way of knowing whether other ('coded') content also exists in these or other spam. At the end of the day, it doesn't seem to make a lot of difference though it is increasingly difficult to assess the impact of any ISP filtering which could potentially be junking huge amounts of the stuff on our behalf (together with the hypothetical volumes stopped within the source networks).

It would be fair to say that the blind scatter-gun approach is not the only 'business plan' in currency amongst the myrmidons of spamdom (may fluorescing carbuncles invest their rectal regions) though it certainly seems needlessly elaborate, effortful and self-limiting. Or, as has been suggested/implied, they just like to play with our minds, a further small unkindness within the greater torment.
Miss Betsy
As Wazoo says, if your email address is in the FROM, then that email address is already on a spammer list. If it is already on a spammer list, then it cannot be 'harvested.' However, perhaps it could be 're-harvested'? I doubt very much if spammers check their lists for duplicates. (that may account for the multiple copies of the same spam)

A mailing list's value lies in how many addresses are on it. Secondarily, its value is determined by the % of those responding. Since spammers are essentially con artists, the number of addresses is important to them. So what if a person is annoyed by multiple copies of the same spam? That person probably wouldn't respond anyway. The number of responses is not determined by the target audience or the quality of the ad, but by getting past as many filters as possible to reach the clueless buyer. That also accounts for the harvesting of known spamcop email addresses. The number of addresses is the selling point, not whether the addresses will provide a response.

I still think that a lot of spammer money comes from the selling of lists to clueless people. The list may be used only once (until the ISP stops it), but that results in people getting spam from lots of clueless people. The criminals who use spam, such as the 419 spammers, are more discriminating in sending their spam because it is worth it to them to get past the filters.

The bottom line is that once an address gets on the spammer lists, it is going to get spam - more when a spammer is successful in selling his list to more people. And even more when it is added to other lists. Many large ISPs are now dumping quantities of email from known spammer IP addresses and from zombies so that most email addresses get much less spam. If you are administering your own server and accepting all email and then sorting it, you will be getting increasing amounts of spam. There is no way around it. If you report that spam via spamcop, you may get on more lists (or get duplicated) faster, but does it matter if the spam is filtered out?

Miss Betsy
michaelanglo
QUOTE(SpamCopAdmin @ Apr 17 2008, 07:47 PM) *
How would a spammer get his hands on reports about spam coming from a zombied machine?

Perfectly possible even if the bot net ISP is white hat since (unless Quick Reporting) a 'bullet proof host' or even a white hat host "show that you are not spamvertising a site I host" could pass reports along.

My point however is that most spam is individual or semi-individual (cc to other addresses in same domain).

If you disagree let's see some numbers.
Merlyn
QUOTE(SpamCopAdmin @ Apr 17 2008, 12:00 PM) *
It looks to me like SpamCop does a good job of deleting our addresses from the reports we send.

Anybody see my address in this?

Just a note/question

The reporting IP address is posted in all reports so like me I have had the same block of static IP addresses for 10 years and the reporting IP could definitely be tracked to me on a whois. Not that I care because I report a bunch and I try as hard as I can to get a copy of the report to the spammer too but just curious. This is certainly a way for the spammers to find some people. The reporting IP should not go in the reports.
Wazoo
QUOTE(michaelanglo @ Apr 21 2008, 06:23 PM) *
My point however is that most spam is individual or semi-individual (cc to other addresses in same domain).

And you know exactly how the spammer is generating, obtaining, whatever all the names chosen for spew recipients?
QUOTE
If you disagree let's see some numbers.

Please .. not here. There is already a ton-load of traffic on this and other similar Topics in the Lounge area. Join one of those existing discussions.
btech
QUOTE(SpamCopAdmin @ Apr 17 2008, 12:47 PM) *
How would a spammer get his hands on reports about spam coming from a zombied machine?

That was actually my previous point... I see many 'report to' addresses of throwaway email addresses (which seems suspect to me) and some ISP/hosts that keep receiving email and never bounce (which are non-'abuse' addresses).

It seems to me that a spammer could pay that person an amount to have all of the SC reports forwarded to them. How else can anyone explain how my CESMAIL address is now the #1 target of the 500+ spam messages I get a day? I have NEVER emailed from that address (except to SC admins) and never reference it anywhere.

ZBYD Technology Co.,Ltd
Medical library of People's liberation Army
HARBIN-JAZZINESS-NETBAR

.. and I'm sure others are 'in bed' with spammers and being paid off to forward reports. Their email addresses don't bounce like many, so they obviously read or do something with the abuse reports.
StevenUnderwood
QUOTE(btech @ Apr 24 2008, 05:34 PM) *
That was actually my previous point... I see many 'report to' addresses of throwaway email addresses (which seems suspect to me) and some ISP/hosts that keep receiving email and never bounce (which are non-'abuse' addresses).

But that would not be describing a zombie machine but rather an IP address that is complicit in the act of spamming. A zombie machine would be found on any network without the owner's knowledge or consent (think ISP X). ISP X would then need to be willing to "sell" their abuse desk address out to the spammers for the spammers to get the spam reports.

Your "bogus" reporting addresses are generally going to be for large blocks of IP's. Anybody can request a block of IP's, though you will usually need to have a valid reason for a relatively large block now (used to be much easier). As I stated earlier, at my previous place of employment, our one domain was configured with the abuse address to that domain, but used a Yahoo account for Technical contact in case that domain was inoperable due to the technical issue being worked on. My current place of employment has no shortage of domains (130+ at last count) so that is not an issue.
Farelf
QUOTE(btech @ Apr 25 2008, 05:34 AM) *
...That was actually my previous point... I see many 'report to' addresses of throwaway email addresses (which seems suspect to me) and some ISP/hosts that keep receiving email and never bounce (which are non-'abuse' addresses).
Clarifying (I think) where 'report to' refers to the abuse address, not to the header line item which is useless or worse in all spam.
QUOTE(btech @ Apr 25 2008, 05:34 AM) *
... It seems to me that a spammer could pay that person an amount to have all of the SC reports forwarded to them. How else can anyone explain how my CESMAIL address is now the #1 target of the 500+ spam messages I get a day? I have NEVER emailed from that address (except to SC admins) and never reference it anywhere.
Ask a question ... if you Google your address you will find the helpful folk at tcrc.edu.tw have it shown in clear (since June 2006) within a SC report on one of their pages. Just guessing but this seems to be .edu.tw telling the world what a good/useable abuse report should look like and as such would be prime viewing for any and all of the world's 1.5 billion Chinese-readers having an interest/concern in or with spam.
QUOTE(btech @ Apr 25 2008, 05:34 AM) *
... and I'm sure others are 'in bed' with spammers and being paid off to forward reports. Their email addresses don't bounce like many, so they obviously read or do something with the abuse reports.
The most 'economic' solution for the hardcore spammers or those cluelessly and comprehensively compromised would just be a straight-line chute to the bitbucket but anything is possible. However, having an address 'en clair' on the internet is another explanation. Can you see that page at tcrc.edu.tw? Maybe they will pull it or munge it for you but I can assure you, having an address of mine on the internet for a time, the spam will not go away when the address is finally taken off. But the volumes might 'normalize' in time. I would be talking to JT about a new address (tedious though it would be to make all the consequent changes in various places).
btech
oh wow... they DO have my address up there. I wonder if there's any way to get them to remove that report from their site? I munge my reports again (I did for a while, but turned that off, like an idiot), so I hope this won't be an issue in the future... damage is done it seems.

I suppose the positive in this is that I get so much spam to this address, that my reporting is doing some good to point out the exploited IPs. They should have just listwashed me... <eg>
btech
OK, I just reported a message that claimed to be from me, to me (hooray!), but I found an error in the munging. I have munging set 'on' for all reports, yet I found the 'Delivered-To' address was intact.

http://www.spamcop.net/sc?id=z1886568202z0...e406bdee7f4181z

QUOTE

X-RCPT-TO: x
Received: (qmail 20780 invoked by uid 399); 14 May 2008 15:05:44 -0000
Delivered-To: x
X-RCPT-TO: x



I munged the bolded part for this forum, but check the SC report and you'll see the address is there.
Wazoo
QUOTE(btech @ May 14 2008, 01:59 PM) *
OK, I just reported a message that claimed to be from me, to me (hooray!), but I found an error in the munging. I have munging set 'on' for all reports, yet I found the 'Delivered-To' address was intact.

I munged the bolded part for this forum, but check the SC report and you'll see the address is there.

Specifics actually needed, though not necessarily posted. At issue, does the line not munged actually equate to the data used in the To: line? I suspect not.

Of course, the other question would be .. why are these lines (possibly) repeated? (CC: type of addressing used or just multiple addresses on one line?) (Still of the thought that the To: line contained a different address and this was the one used for munging.)
Rapakiwi
btech,

If your address were sold to others, it would be quite a joke on them. In a separate post, I mentioned how my un-munged reports caused me to apparently be removed from an East European phishing list. The more I report to SpamCop, the less spam I get.

However, 500 letters a day would be considered a denial-of-service attack. You must be dealing with different people than I, people you've really ticked off. Though I have a dynamic ip address, I've no doubt there are organizations that can pick me out from my ISP and my punctuation. :-)

Only once did my account receive that many letters. Eight years ago I reported some voting irregularities in Florida, here in the US, to the appropriate politicians and officials of two political parties. A week later, and every election year since, that address is flooded daily with invitations to pornographic web sites in the Far East. When you receive that many letters, it's personal. (Makes you wonder who would knock on my door, if I clicked one.)

QUOTE(btech @ Apr 24 2008, 04:34 PM) *

That was actually my previous point... I see many 'report to' addresses of throwaway email addresses (which seems suspect to me) and some ISP/hosts that keep receiving email and never bounce (which are non-'abuse' addresses).

It seems to me that a spammer could pay that person an amount to have all of the SC reports forwarded to them. How else can anyone explain how my CESMAIL address is now the #1 target of the 500+ spam messages I get a day? I have NEVER emailed from that address (except to SC admins) and never reference it anywhere.

<SNIP>

.. and I'm sure others are 'in bed' with spammers and being paid off to forward reports. Their email addresses don't bounce like many, so they obviously read or do something with the abuse reports.

Farelf
QUOTE(btech @ May 15 2008, 02:59 AM) *
...OK, I just reported a message that claimed to be from me, to me (hooray!), but I found an error in the munging. I have munging set 'on' for all reports, yet I found the 'Delivered-To' address was intact. ...
Non-munging when your address is in the forged 'From:'/'Return-Path:' addresses is/was a known issue. I thought I saw an example where this might have changed recently, but I guess not. Trouble is those lines are important evidence of forgery and may be required to demonstrate such. I think. Not sure why that would affect other lines but at a guess, when that agent of the parser hits an unmungeable line (process order unknown) it stops trying.
btech
Here's an interesting change in reporting.... it seems the system is not only munging my address, but it's also picking out my address in the subject line and munging it. For example "We caught you in the act x!"

Odd thing is, it seems to be sporadic and not all reports are munged in this fashion.

Example: http://www.spamcop.net/sc?id=z1932681373z0...1f60890cc19357z

Notice:

CODE
Subject: video Kick-up for x
SpamCopAdmin
QUOTE(btech @ May 28 2008, 03:45 PM) *
Here's an interesting change in reporting.... it seems the system is not only munging my address, but it's also picking out my address in the subject line and munging it.
The parse is supposed to look for the "To" address and munge it wherever it finds it. The parse also automatically munges other addresses in the headers, such as the "For" address and the "Delivered-To" address regardless of what they are.

Sometimes munging the username when it appears alone in the subject line is a plus. To my knowledge, the parse has not been trained to do that. I couldn't duplicate it.

Example:
To: address: tail[at]furpants.com
Subject: video Kick-up for tail
Munged subject: video Kick-up for x

- Don D'Minion - SpamCop Admin -
.
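A sketch of the munging rules described in the post above, followed by a pre-send leak check; this is an added example, not SpamCop's parser code. The sample headers, the address tail@example.net and all function names are constructed for illustration, and the always-munge handling of Delivered-To and of the "for" clause in Received lines is an assumption based on that description.

```python
import re

PLACEHOLDER = "x"
# Loose pattern for anything shaped like an address inside a header value.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}")
# The "for <address>" clause a receiving server adds to a Received header.
FOR_RE = re.compile(r"\bfor\s+<?[^\s<>;]+@[^\s<>;]+>?", re.IGNORECASE)
# Headers whose whole value is replaced, whatever it holds (assumption).
ALWAYS_MUNGE = ("delivered-to",)

# Constructed sample: reporter address and raw headers of a reported spam.
REPORTER = "tail@example.net"
SAMPLE = """\
Return-Path: <sender@spam.example>
Delivered-To: example-net-tail@example.net
Received: from unknown (HELO mail.spam.example) (192.0.2.10)
  by mx.example.net with SMTP; 14 May 2008 15:05:44 -0000
Received: from relay.spam.example by mx2.example.net
  for <tail@example.net>; Wed, 14 May 2008 15:05:40 +0000
X-RCPT-TO: <tail@example.net>
To: tail@example.net
Subject: video Kick-up for tail
"""


def unfold(raw):
    """Join folded continuation lines so each header is one string."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line)
    return headers


def token_re(local):
    """Match the local part as a standalone token (also after '-' or before '@')."""
    return re.compile(
        r"(?<![A-Za-z0-9])" + re.escape(local) + r"(?![A-Za-z0-9])",
        re.IGNORECASE,
    )


def munge(raw, reporter, always=True, subject_local=True):
    """Return munged header lines.

    always=True        replace Delivered-To values and Received 'for'
                       clauses regardless of the address they hold.
    always=False       replace only addresses equal to the reporter's.
    subject_local=True also replace the bare local part in the Subject.
    """
    local = reporter.split("@", 1)[0]

    def swap(match):
        same = match.group(0).lower() == reporter.lower()
        return PLACEHOLDER if same else match.group(0)

    out = []
    for header in unfold(raw):
        name, _, value = header.partition(":")
        key = name.strip().lower()
        if always and key in ALWAYS_MUNGE:
            value = " " + PLACEHOLDER
        if always and key == "received":
            value = FOR_RE.sub("for <" + PLACEHOLDER + ">", value)
        value = ADDR_RE.sub(swap, value)      # the "To" address, wherever found
        if subject_local and key == "subject":
            value = token_re(local).sub(PLACEHOLDER, value)
        out.append(name + ":" + value)
    return out


def find_leaks(lines, reporter):
    """Names of headers that still reveal the reporter's local part."""
    pattern = token_re(reporter.split("@", 1)[0])
    leaks = []
    for line in lines:
        name, _, value = line.partition(":")
        if pattern.search(value):
            leaks.append(name)
    return leaks


if __name__ == "__main__":
    for label, opts in (("always-munge", {}),
                        ("match-only", {"always": False, "subject_local": False})):
        lines = munge(SAMPLE, REPORTER, **opts)
        print(label, "leaks:", find_leaks(lines, REPORTER))
```

With match-only rules, the Delivered-To line survives because the server-prefixed address is not equal to the To address, and the Subject keeps the bare username; the always-munge rules leave nothing for the check to flag.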
Wazoo
QUOTE(SpamCopAdmin @ May 28 2008, 05:53 PM) *
The parse is supposed to look for the "To" address and munge it wherever it finds it. The parse also automatically munges other addresses in the headers, such as the "For" address and the "Delivered-To" address regardless of what they are.

This does not match the data discussed/seen in Linear Posts #24 and 25 .... the Tracking URL provided in Linear Post #24. Again noting the 'duplicate' lines involved in that set of headers. One could assume that the parser handled the 'first set' and somehow ignored the 'second set' ..????
SpamCopAdmin
QUOTE(Wazoo @ May 30 2008, 12:56 PM) *
This does not match the data discussed/seen in Linear Posts #24 and 25 .... the Tracking URL provided in Linear Post #24. Again noting the 'duplicate' lines involved in that set of headers. One could assume that the parser handled the 'first set' and somehow ignored the 'second set' ..????
It might not match the discussion, but I think it matches the facts.

- Don -
Wazoo
QUOTE(SpamCopAdmin @ May 30 2008, 03:26 PM) *
It might not match the discussion, but I think it matches the facts.

???? I just checked the example Tracking URL once again .... the discrepancy again is seen in the 'duplicate' (?) Delivered-To: and X-RCPT-TO; lines seen in that header .... noting that this was the actual question asked in Linear Post #24. Why only one 'set' of these is munged, the other left intact?

Actually, I'll note that there are three Delivered-To: liones in that header, so should be stating that two are munged, one is not. The first is probably from JT's server, the second might also be JT's server .... so perhaps, it is as I conjectured in my Linear Post #25, perhaps what you are implying here, .. the Delivered-To: addresses and the To: address do not match the un-munged address in question.

Guess it's up to btech to reply with whether his question has yet been answered or not.
SpamCopAdmin
QUOTE(Wazoo @ May 30 2008, 04:07 PM) *
???? I just checked the example Tracking URL once again .... the discrepancy again is seen in the 'duplicate' (?) Delivered-To: and X-RCPT-TO; lines seen in that header
I didn't say anything about the X-RCPT-TO lines.

QUOTE
noting that this was the actual question asked in Linear Post #24. Why only one 'set' of these is munged, the other left intact?
I don't know. Maybe because one of them contained the user's email address and the other didn't.

QUOTE
Actually, I'll note that there are three Delivered-To: liones in that header
The third Delivered-To: lion has a very oddly constructed email address. It could be that the system didn't recognize it as an email address.

QUOTE
perhaps what you are implying here, .. the Delivered-To: addresses and the To: address do not match the un-munged address in question.
I'm implying that the Delivered-To: addresses are supposed to be always munged regardless of what address is in the line. I don't know what the actual code says. I thought it was looking for email addresses in the Delivered-To: lions, as opposed to always munging the contents of the Delivered-To: lion.

- Don -
.
Wazoo
QUOTE(SpamCopAdmin @ May 30 2008, 05:35 PM) *
I didn't say anything about the X-RCPT-TO lines.

I only mentioned it because it was one of the lines 'duplicated' within the headers ... and it was munged in one instance, not in the other. I agree, that as an X-line item, it would normally tend to be ignored. But again, guessing that the contents of those two lines differed.
QUOTE
I don't know. Maybe because one of them contained the user's email address and the other didn't.

That's what I've been conjecturing, but only btech would know for sure (assuming that even your access to the actual submittal would also have the munged data at this point)
QUOTE
The third Delivered-To: lion has a very oddly constructed email address. It could be that the system didn't recognize it as an email address.

I won't conjecture about the parsing code, but .... the construct isn't any different than what JT's e-mail servers do for e-mail delivered via his system .... basically pre-pending a version of the Domain name to the user account data.
QUOTE
I'm implying that the Delivered-To: addresses are supposed to be always munged regardless of what address is in the line. I don't know what the actual code says. I thought it was looking for email addresses in the Delivered-To: lions, as opposed to always munging the contents of the Delivered-To: lion.

Again, I believe we are in agreement here, missing is the actual content of those involved fields in the header lines. If all you see is the same thing 'we' see, then the answer has to come from btech.

PM sent to ask again about those little details.
SpamCopAdmin
QUOTE(Wazoo @ May 30 2008, 05:39 PM) *
That's what I've been conjecturing, but only btech would know for sure (assuming that even your access to the actual submittal would also have the munged data at this point)
I can use the code in a Tracking URL to see the unmunged raw headers of a spam.

- Don -
.
Wazoo
QUOTE(SpamCopAdmin @ May 30 2008, 07:30 PM) *
I can use the code in a Tracking URL to see the unmunged raw headers of a spam.

Not to continue to harp about it, but wouldn't that seem to state that you could see whether the content of the un-munged lines do in fact differ from the To: line data? Your answer could bring that part of the query to a close.
btech
I have to be honest, I don't know much of this stuff, but the 'delivered to' is the same as the name that was made into 'x' in the subject line and is the same address as the rest that were munged in the report.

But, here's one that did NOT munge the subject line. http://www.spamcop.net/sc?id=z1941861991zc...e04e894aa6ce7dz

I'll leave it to you experts to see the differences in the two reports that could cause this discrepancy.
SpamCopAdmin
QUOTE(btech @ May 30 2008, 07:22 PM) *
But, here's one that did NOT munge the subject line. http://www.spamcop.net/sc?id=z1941861991zc...e04e894aa6ce7dz
There is no email address in the subject line for the parse to find. SpamCop is a script. It can't read.

- Don -
.
SpamCopAdmin
QUOTE(Wazoo @ May 30 2008, 06:46 PM) *
state that you could see whether the content of the un-munged lines do in fact differ from the To: line data?
That's correct. The addresses are different. Hence the wording of my earlier statement.

- Don -
.
btech
OK, see in the second report how it says my name in the subject? That was munged with an 'x' in the first report I posted and is the address before the '@' symbol in my email address. That's the discrepancy I noted... it munges that subject line sometimes, but not others.
Wazoo
QUOTE(SpamCopAdmin @ May 30 2008, 09:44 PM) *
QUOTE(Wazoo @ May 30 2008, 06:46 PM) *
state that you could see whether the content of the un-munged lines do in fact differ from the To: line data?
That's correct. The addresses are different. Hence the wording of my earlier statement.

However, it was that previous statement that had me asking all the follow-on questions.
QUOTE(SpamCopAdmin @ May 28 2008, 05:53 PM) *
The parse also automatically munges other addresses in the headers, such as the "For" address and the "Delivered-To" address regardless of what they are.

Again, three Delivered-To: lines, only two are munged.

I can go with the replacement of only those which match the contents of the To: line, but that's not the way I read your 'previous statement' ....???? Your word "regardless" is the catch.

I had made the assumption (though thinking it was wrong) that you only saw the munged copy because I didn't see your specific remarks that stated that the contents of the lines in question were in fact different.
Wazoo
QUOTE(btech @ May 30 2008, 10:06 PM) *
OK, see in the second report how it says my name in the subject? That was munged with an 'x' in the first report I posted and is the address before the '@' symbol in my email address. That's the discrepancy I noted... it munges that subject line sometimes, but not others.

I'm going to say that I have a suspicion that I know the answer, but I need to ask for some help off-line first. The largest problem for me (and the other Forum folks/users) is that we don't have the unrestricted access to the background data needed.