Full Version: [Resolved] Why must I verify spam reports only on SpamCop?
Rapakiwi
Dear spam Cops,

Can I forward my spam to SpamCop and not have to log-on to review it?

If I must log on, I might as well just copy the source to the (CastleCops-like) windows it provides, as I always did. Such added effort only makes sense to me if I report all spam only once daily, after the computer boots in the morning. Only then would it be reasonable to take the time to log into SpamCop by browser, verify all my reports, & mail them. This is not good for SpamCop.

Why SpamCop needs Rapid Reporting

Mozilla's (platform-independent) Thunderbird lets me instantly classify spam & forward various kinds (phish, for example) to various organizations ('Phish' can be a group of collected addresses). Or, I can mail everything in my junk folder to various agencies, then delete it (with the press of a toolbar button from 'Habu'). At the moment, my computer's voice tells me that spam has arrived, and within a minute I can examine it safely (blocking MIME), classify it, & forward it to an appropriate agency.

But I don't believe I can do this with SpamCop because of my having to start my browser (which must swap out Thunderbird) and examine SpamCop's report. However, I want to use SpamCop to get phish and illicit sites off the internet as fast as possible!

I'm only a scientist with little time to report my research, not a full-time cop. If I must decide between reporting my research or spam reports, I'll naturally choose the thing only I can do. However, using free services on the internet means, to the internet citizen, one helps as much as one benefits. There are many spam reporting organizations that I can easily zip a letter to; but they likely only rapidly take down phishing sites. (KnujOn, however, wants to kill lethal medicinal sites, which prey upon us poor.)

SpamCop & KnujOn Complement One Another

The aged may remember that in posts long ago I had mistakenly been attempting to use SpamCop to perform the services of KnujOn. KnujOn appears interested in illicit spam, preventing the stealing of identities (and USD 600 million per annum, and lives taken by counterfeit medicines). However, the wheels of justice grind slowly (if at all). Reports of KnujOn's becoming personae non grata at ICANN are most encouraging, however. (Jon Postel is likely rolling in his grave at ICANN's choice to ignore crime.)

SpamCop blocks spam, quickly: as a side-effect, it reports the site's activities (to everyone up to ICANN, I wish) in a letter. I don't know whether it places the illicit store's site on the SCBL before it can claim more victims; but I hope it does. Both KnujOn's and SpamCop's services are important for me to use.

Using Apple Mail & Thunderbird

To report spam quickly & easily on my little Mac (running 10.4.11), I've installed two mailing agents: Apple Mail (for my spam-free accounts) and Thunderbird (for my unhappy spam-trap). Apple mail is unique in that its Junk folder allows the viewing of mail, yet avoids web bugs and malware. However, unless one is running MacOSX 10.5, it won't forward dangerous HTML mail, even as an attachment. This is an Apple Mail problem.

Thunderbird announces when spam arrives (using GrowlMail, though it can do this itself), and the combination ClamXav Sentry & Growl throws up a persistent warning screen that prevents my opening a letter (RFC822.eml) tainted by malware, or has even a phishy smell.

Thunderbird for MacOSX
http://www.versiontracker.com/dyn/moreinfo/macosx/20359

Thunderbird for Portable Drives
http://www.versiontracker.com/dyn/moreinfo/macosx/29719

The Ease of Selectively Reporting to Knujon, FTC, SEC, FDA, ACMA, DSLReports, Millersmile, &c: Knujon.net has, well, nine mailing addresses, which I symbolize by a one-word 'Tag': Phish, Drugs, Counterfeits, &c, and Unknown. Because Thunderbird's Junk folder doesn't protect one, I turned off all associations of MIME objects (photos, movies, hyperlinks) but plain text.

1. Knujon on Thunderbird

I rapidly view the text in each spam and tag it according to Knujon's classification. Then I view letters of one tag, such as 'Phish', select them all, and forward them as attachments to, for example,

Phish <phishing[at]coldrain.net>

which Thunderbird fills in itself from my 'Collected Addresses'. The 'Sent' folder records what I have reported. This takes less than a minute for three or four spams. Note that I have already carefully examined the spam. Anything not spam I have moved to the Inbox, anything questionable I just deleted. On the toolbar, just above the list of letters, I've placed 'Tag', 'Forward', & 'Report' (by Habu).

The Habu Thunderbird Add-On
https://addons.mozilla.org/en-US/thunderbir...abu&cat=all

2. SpamCop on Thunderbird

After reporting this, I was hoping to select all letters in my Junk mailbox, forward them to my special e-mail address at SpamCop, then move them to the Trash. (An add-on by Habu will mail all letters in the Junk folder to any combination of these: address of your choice, SpamCop, KnujOn, various US governmental organizations, and the Australian government. Then Habu will discard all the spam.) No reporting organization requires further action on our part ...but SpamCop.

This is a Problem

SpamCop's requiring further action is a problem because some of us haven't much of a life left. I should be willing to contribute a book (USD 15) for the ability to check 'Don't send report to From address', 'Don't send report if address may be forged', 'Don't send report to hyperlinks', 'Don't report sites in one's host country' &c. In other words, I should like to make 'safe' choices in advance, assuring that only proper reports are sent, any questionable ones not.

Is there some reason why SpamCop can't do this (forcing its own choices if necessary)? Those with time will likely customize their reports, as is now required. Other organizations seem to post-process what they receive, taking on this burden themselves. (Many, of course, are financed by taxes.)

Is this available Now? Suggestion.

At the moment, security sites and computer companies recommend users trash their spam. Were SpamCop to make such an option available, everyone could click (for example) Habu's green dot on the toolbar to automatically report spam before trashing it. (Wow!) The default choices of 'Rapid SpamCop' could include 'Don't send any reports', until the user logs in and reads the instructions about releasing each default restriction imposed by SpamCop on 'safe' reporting.

It would also be nice, after an illness, to ship everything to SpamCop and have them choose among the twenty reports, ignoring old ones while sending the new ones. (I've noticed that spammers are dating letters in advance, so your mailer will open them first; and dating some '1976', so SpamCop will ignore them. I should have to take the time to examine the complete envelope before knowing whether to send this to SpamCop or not. Other organizations deal with them.)

Because my little iBook must swap a mailing agent and browser, I should like to set up an account on SpamCop described above, so I can report spam as I do to other reporting agencies. Is this possible? As mailing agents add features, such as safe viewing in the Junk folder, they could add a button like Habu's. It might be a good idea to prepare for this.

Thanks
dbiel
Topic moved from SpamCop Email System & Accounts forum to the SpamCop Reporting Help Forum as this is a reporting issue and not an email issue.

For a better understanding of how SpamCop works I would suggest starting at the following wiki page: The SpamCop.net Reporting process and following the links for additional information as desired.
Wazoo
Quick Reporting
Farelf
QUOTE(Rapakiwi @ Dec 2 2008, 05:52 AM) *
...(I've noticed that spammers are dating letters in advance, so your mailer will open them first; and dating some '1976', so SpamCop will ignore them. I should have to take the time to examine the complete envelope before knowing whether to send this to SpamCop or not. Other organizations deal with them....
Earlier responses deal with the substance of your posting, I'm just cherry-picking this one point - the SC parser will never be fooled by a forged date (even if your email client is). The header segment used by SC to determine age will depend on whether or not you have mailhosting established for your reporting account (mailhosting is mandatory for quick reporting) but essentially the spammers would have to have control of the server SC trusts for that purpose and that would be an actual time stamp, not something inserted by the spammer's mass-mailer application.

The proof of the pudding being in the eating - just (promptly) submit them, they should be handled just fine. Mine were but I doubt I got more than one a month or about 0.3%, back in the days when my ISP would actually allow me to receive spam. And I don't think it is a spammer ploy - but I may be wrong.
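The point above about forged dates, as an added example (not part of the thread and not SpamCop's parser): the message is aged from the Received stamp written by a server the recipient trusts, and the sender-controlled Date header is only recorded. The host name `mx.example.net`, the two-day window and both messages are constructed assumptions.

```python
import email
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumption: servers the reporter has declared as their own (hypothetical name).
TRUSTED_MAILHOSTS = {"mx.example.net"}
# Assumption: illustrative freshness window, not a figure taken from SpamCop.
MAX_AGE = timedelta(days=2)
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed sample: back-dated Date header, honest stamp from the trusted server.
BACKDATED = """\
Return-Path: <bogus@sender.example>
Received: from mail.sender.example ([192.0.2.55])
    by mx.example.net with ESMTP id abc123;
    Mon, 01 Dec 2008 15:58:02 -0800
Received: from pc.sender.example ([203.0.113.9])
    by mail.sender.example; Thu, 01 Jan 1976 00:00:00 +0000
From: "me" <me@example.net>
Date: Thu, 01 Jan 1976 00:00:00 +0000
Subject: constructed sample

body
"""

# Constructed sample: the top hop is not a trusted server, and a forged line
# further down merely claims to have been written by mx.example.net.
SPOOFED_HOP = """\
Received: from relay.unknown.example ([198.51.100.7])
    by inbox.other.example; Tue, 02 Dec 2008 01:00:00 +0000
Received: from pc.sender.example ([203.0.113.9])
    by mx.example.net; Sat, 01 Jan 2011 00:00:00 +0000
Date: Sat, 01 Jan 2011 00:00:00 +0000
Subject: constructed sample

body
"""


def parse_when(text):
    """Parse an RFC 5322 date; return an aware datetime or None if unusable."""
    if not text:
        return None
    try:
        when = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def trusted_entry(msg, trusted=TRUSTED_MAILHOSTS):
    """Walk Received lines from the top while they were written by trusted hosts.

    Servers prepend their own line, so only the unbroken run at the top can be
    believed. Returns (host, time) of the deepest trusted hop, or None.
    """
    entry = None
    for raw in msg.get_all("Received", []):
        value = " ".join(raw.split())          # unfold continuation lines
        match = BY_HOST.search(value)
        host = match.group(1).lower().rstrip(".") if match else None
        if host not in trusted:
            break                              # everything below is unverified
        _, sep, tail = value.rpartition(";")   # the stamp follows the last ';'
        when = parse_when(tail) if sep else None
        if when is None:
            break
        entry = (host, when)
    return entry


def assess(raw_text, now, max_age=MAX_AGE):
    """Return the claimed date, the trusted stamp, the age and a verdict."""
    msg = email.message_from_string(raw_text)
    result = {"claimed": parse_when(msg.get("Date")), "trusted_host": None,
              "received": None, "age": None, "verdict": "unverifiable"}
    entry = trusted_entry(msg)
    if entry is None:
        return result
    host, received = entry
    age = now - received
    result.update(trusted_host=host, received=received, age=age,
                  verdict="fresh" if age <= max_age else "stale")
    return result


if __name__ == "__main__":
    now = datetime(2008, 12, 2, 6, 0, 0, tzinfo=timezone.utc)
    for name, text in (("BACKDATED", BACKDATED), ("SPOOFED_HOP", SPOOFED_HOP)):
        r = assess(text, now)
        print(name, r["verdict"], "claimed:", r["claimed"], "age:", r["age"])
```
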
Rapakiwi
QUOTE(Wazoo @ Dec 1 2008, 04:26 PM) *

Gotcha!


Rapakiwi
Rapakiwi
QUOTE(dbiel @ Dec 1 2008, 04:23 PM) *
Topic moved from SpamCop Email System & Accounts forum to the SpamCop Reporting Help Forum as this is a reporting issue and not an email issue.

For a better understanding of how SpamCop works I would suggest starting at the following wiki page: <SNIP, SNIP>.

Thanks for finding the right spot. My post was long because I combined my query about whether SpamCop is going to change its procedures (hint, hint) with a contribution to (at least) Mac users.

Though I do indeed find SpamCop's organization and documentation too sophisticated and often too technical to follow, I knew the answer: 'of course not'. I appreciated and read the hyperlinks you recommended.

The spam that comes to me is extremely professional, designed to look amateurish - to appeal, I suspect, to a specific kind of person. Last night I personally examined the envelopes from yesterday's spam, all illicit.

All the letters appeared to be from illicit ISPs (or mail servers, at least), and most all the originating ip addresses appeared forged. Every 'From', 'Reply-To', and 'Return-Path' were bogus. Two were from 'me'. The letter titled 'High-quality service is guaranteed' was labeled as comaror.kr by the mailer, but the ip address reported it from kornet.kr. Consequently, I don't think 'Quick SpamCop' is for me.

In contrast, the enclosed hyperlinks were genuine. Reading the letter immediately opened a web page on a Hong Kong server (owned by Typhoon Games, Ltd), which bounced me to a web store on an ISP in San Mateo, California (owned by Xo Communications, in Herndon, Virginia) that sells 'sex-enhancing' drugs. Because the recipient (I) live in Northern California, this fact is useful. (In contrast, the 'Canadian Pharmacy' store in rural Romania, bounced to by a computer in China (with no websites itself), mailed to me from an American insurance company apparently situated in Vietnam is of less use.)

As Miss Betsy knows, my silly idea was to use my illicit spam to report & expose these websites until the cost of moving them exceeds profits gained from emptying American bank accounts and credit companies. For, to quote ICANN,

'APNIC does not operate networks using this IP address range and is not able to investigate spam or abuse reports relating to these addresses. For more help, refer to http://www.apnic.net/info/faq/abuse.'

Because 'Quick SpamCop' would, in my case, serve no purpose but to blacklist myself, this query is resolved only in the sense that I can't help anyone by using its services, so I cannot use it nor expect to in the near future.

Thank you for the useful information, however.

Most sincerely,


Rapakiwi, PhD
Rapakiwi
QUOTE(Farelf @ Dec 1 2008, 08:09 PM) *
<SNIP> The header segment used by SC to determine age will depend on whether or not you have mailhosting established for your reporting account (mailhosting is mandatory for quick reporting) but essentially the spammers would have to have control of the server SC trusts for that purpose and that would be an actual time stamp, not something inserted by the spammer's mass-mailer application.

That's good to read. All my 'Received' lines end in dates (which helps me find forged ip addresses). The warnings in the 'Quick SpamCop' documentation suggested the 'Return-Path' and even 'From' might be used to determine the mailer. So, I expected the worst.
QUOTE(Farelf @ Dec 1 2008, 08:09 PM) *
<SNIP, SNIP> The proof of the pudding being in the eating - just (promptly) submit them, they should be handled just fine. Mine were but I doubt I got more than one a month or about 0.3%, back in the days when my ISP would actually allow me to receive spam. And I don't think it is a spammer ploy - but I may be wrong.

It occurred to me that it could be just a dead watch battery :-) , but all my spam comes, I suspect, from illegal ISPs.

Found something possibly great since I posted. If I ctrl-click on an illicit website, a contextual menu pops up with the option 'Report E-mail Scam'. This takes one to this site, which includes reporting sites deleterious to the user's experience:

http://www.google.com/safebrowsing/report_phish/

Of course, clicking an illicit gmail site will not bring it up. :-) (Before SpamCop came, I had dreadful times working with Google's 'security'.) I've not checked whether this will help people who are tempted to click on an illicit site, whether it will prevent JavaScript from opening one, and whether the sites are reported to any profit-free internet crime organizations; but the sudden interest in removing these sites from search engines (though not domain servers), I find very encouraging.

In the year 2000, the United States had the opportunity to create a cooperation among law enforcement agencies in all countries, and to harass international crime syndicates of all kinds. If these were preoccupied with rapidly moving from country to country, they might have less time to organize & execute criminal activities. Perhaps later.

My best,


Rapakiwi
Paroled from Dartmoor
Wazoo
QUOTE(Rapakiwi @ Dec 2 2008, 07:15 PM) *
Though I do indeed find SpamCop's organization and documentation too sophisticated and often too technical to follow,

Not much help with no specifics offered. The majority of the FAQs and Wiki entries were developed by other users. A Dictionary and Glossary were populated, now incorporated into the Wiki. If there still remains specific items that are not yet resolved, bring them up (in the appropriate Forum section and Topic.)
QUOTE
All the letters appeared to be from illicit ISPs (or mail servers, at least), and most all the originating ip addresses appeared forged. Every 'From', 'Reply-To', and 'Return-Path' were bogus. Two were from 'me'. The letter titled 'High-quality service is guaranteed' was labeled as comaror.kr by the mailer, but the ip address reported it from kornet.kr. Consequently, I don't think 'Quick SpamCop' is for me.

I do not believe that there is anyone here that would know just what your knowledge and skill set might be for reading and parsing a set of e-mail headers. Without a Tracking URL being provided, there's no way that anyone can analyze your suggested "error" ....
QUOTE
In contrast, the enclosed hyperlinks were genuine. Reading the letter immediately opened a web page on a Hong Kong server (owned by Typhoon Games, Ltd), which bounced me to a web store on an ISP in San Mateo, California (owned by Xo Communications, in Herndon, Virginia) that sells 'sex-enhancing' drugs. Because the recipient (I) live in Northern California, this fact is useful. (In contrast, the 'Canadian Pharmacy' store in rural Romania, bounced to by a computer in China (with no websites itself), mailed to me from an American insurance company apparently situated in Vietnam is of less use.)

Terminology is yet another issue. A web-site doesn't "bounce" anything. Assumedly you are talking about some kind of redirection, a function that can be 'supplied' to your browser in several different ways.
QUOTE
my silly idea was to use my illicit spam to report & expose these websites until the cost of moving them exceeds profits gained from emptying American bank accounts and credit companies.

Reporting is one thing, actually only useful (in stopping the spam) if the hosting ISP actually gets involved.
"Exposing them" requires some kind of definition. I really can't think of any user I've dealt with that would look up a URL on some kind of "don't go there" before clicking or typing something into the address line on their browser. Yes, some browsers (and add-in toolbars, plug-ins, etc.) offer up some phishing, porn, etc. type checks, but this doesn't directly relate to your "exposing them" phrase.
QUOTE
For, to quote ICANN,

'APNIC does not operate networks using this IP address range and is not able to investigate spam or abuse reports relating to these addresses. For more help, refer to http://www.apnic.net/info/faq/abuse.'

This looks more like some kind of reporting error on your part. APNIC does not run "the world" ...???
QUOTE
Because 'Quick SpamCop' would, in my case, serve no purpose but to blacklist myself,

There most definitely needs some kind of explanation. "Blacklisting myself" sounds exactly like yet another user Reporting error, perhaps a MailHost Configuration of your Reporting Account screw-up ...????
QUOTE
this query is resolved only in the sense that I can't help anyone by using its services, so I cannot use it nor expect to in the near future.

So much data that you suggest you looked at and yet you make this statement ...??? Apparently you missed the details on the SpamCopDNSBL, which many folks (to include ISPs) use to help manage their incoming.
rconner
QUOTE(Rapakiwi @ Dec 2 2008, 08:15 PM) *
In contrast, the enclosed hyperlinks were genuine. Reading the letter immediately opened a web page on a Hong Kong server (owned by Typhoon Games, Ltd), which bounced me to a web store on an ISP in San Mateo, California (owned by Xo Communications, in Herndon, Virginia) that sells 'sex-enhancing' drugs. Because the recipient (I) live in Northern California, this fact is useful. (In contrast, the 'Canadian Pharmacy' store in rural Romania, bounced to by a computer in China (with no websites itself), mailed to me from an American insurance company apparently situated in Vietnam is of less use.)

As Miss Betsy knows, my silly idea was to use my illicit spam to report & expose these websites until the cost of moving them exceeds profits gained from emptying American bank accounts and credit companies. For, to quote ICANN,

'APNIC does not operate networks using this IP address range and is not able to investigate spam or abuse reports relating to these addresses. For more help, refer to http://www.apnic.net/info/faq/abuse.'
XO is a huge wholesale network provider. Perhaps they do "own" the ISP that hosted the store, but it might also be that the ISP simply contracted with XO for its connectivity. That ISP may itself not be directly connected with the spammers, other than having them as users (paid and above-board, or unpaid and undetected) of its services. Certainly, you are entitled to report the abuse of the address to XO (and to its "downstream" ISP), but it may be a bit of a stretch to say that they "own" the web store. I'm not sure what you mean by "illicit ISP," either -- a provider that supports an infected bot is certainly less than 100% free from negligence, but I wonder whether we can paint them as criminally culpable. Let's have an analogy: Avis rents a lot of cars every day. No doubt some of these cars are used to break traffic laws, or even for worse purposes (e.g., getaway cars for bank robberies). Does this mean that Avis is responsible for these acts? I think this would be stretching the point. Certainly we can report this abuse to Avis, and even sternly counsel them to be more careful to whom they rent cars, but I'm not sure we can say that Avis is an "illicit" car-rental firm, or that they "own" the criminal activity carried out in their cars.

APNIC is the regional internet registry for the Asia-Pacific region. Their job is to hand out IP addresses to top-tier providers in this region, who then resell them to downstream customers. It sounds like a cop-out to say that they have no responsibility for abuse, but that's the way the public net works (for good or ill). Another analogy: here in the U.S., the Federal Reserve controls the supply of U.S. dollars available to banks etc, and the Bureau of Engraving and Printing is responsible for actually producing the coins and bills that we use. If I decide to use some of their fine products in criminal activities (e.g., by paying someone to break into my neighbor's house), does this mean that they are responsible for my acts? If you wanted to nail me, you would get far better results reporting me to the police or the FBI rather than to the Federal Reserve or the Mint.

-- rick

Rapakiwi
QUOTE(Wazoo @ Dec 2 2008, 10:03 PM) *

Not much help with no specifics offered. <SNIP, SNIP, SNIP>


Yes, thank you, but I didn't post in the help section; so my message was in English.

I'm 'afraid' the stores of yesterday are gone today, so not much data is to be had. By 'expose', I suggest that reports to responsible ISPs unknowingly housing illicit stores (in the report to the store's contact) is 'exposure', for the store in San Mateo is gone today. 'Illicit' stores might be recognized, for example, by many consumer seals, all GIF images. I'm hoping, as you read earlier, to use 'Quick SpamCop' to send reports to web stores and their ISPs (and registrars, I wish). People doing this, I assume, is why these stores are so ephemeral.

I may answer some of your questions in my post below. However, I obtained my information by combining pieces of various SpamCop documents.

I'd like to emphasize to people that I never entered a store, but used ICANN's regional internet registry's servers to anonymously obtain information about other servers on the internet.

I shall give 'Quick SpamCop' another examination. Thank you!


Rapakiwi

Rapakiwi
QUOTE(rconner @ Dec 2 2008, 10:39 PM) *
XO is a huge wholesale network provider. Perhaps they do "own" the ISP that hosted the store, but it might also be that the ISP simply contracted with XO for its connectivity. That ISP may itself not be directly connected with the spammers, other than having them as users (paid and above-board, or unpaid and undetected) of its services. <SNIP, SNIP>

Well, that store closed its shutters; so I can't state who owned the ISP. I can say that I caught it while still alive, and I used the 'whois' internet service at APNIC and ARIN regional internet registries to find its physical location as best as possible. I certainly hope that ISP was not connected with the illicit store, using spamming as a delivery device. Otherwise, reports of the store's activities to its ISP would not help remove it. I wish to again emphasize to people that I never opened the door of any store.

By an 'illicit ISP', I refer to those who are connected with spammers. I didn't know these existed until I studied my spam before my absence. These might include ... well, all of mine: those who allow initial forged 'Received' lines, allow me to send a million letters a day, using 'TheBat!' ... you get the idea. My principal way of discovering these was not hard: one letter, posted from A, had a store on B; and another letter, posted from B had a store on A. Both mailing address & store changed their ips daily, but stayed on the same servers. Not quite that easy, but almost.
QUOTE(rconner @ Dec 2 2008, 10:39 PM) *
APNIC is the regional internet registry for the Asia-Pacific region. Their job is to hand out IP addresses to top-tier providers in this region, who then resell them to downstream customers. It sounds like a cop-out to say that they have no responsibility for abuse, but that's the way the public net works (for good or ill).

Why must it work that way? If its rules have failed us, isn't it our responsibility to fix them? I am attempting to work within the current rules of this broken system, just to reduce a bit of personal tragedy. But, of course, there could be many 'me's. Aren't you a Mac user? :-)
QUOTE(rconner @ Dec 2 2008, 10:39 PM) *
Another analogy: here in the U.S., the Federal Reserve controls the supply of U.S. dollars available to banks etc, and the Bureau of Engraving and Printing is responsible for actually producing the coins and bills that we use. If I decide to use some of their fine products in criminal activities (e.g., by paying someone to break into my neighbor's house), does this mean that they are responsible for my acts? If you wanted to nail me, you would get far better results reporting me to the police or the FBI rather than to the Federal Reserve or the Mint.

Yes, but my neighbor doesn't live in China or Turkey. Consider the current locations of these domain servers, owned by XIN NET in Beijing:-

ns3.njdbidew.com. 170605 IN A 59.4.132.222 APNIC Korea's Korea Telecom
ns2.njdbidew.com. 170605 IN A 203.93.212.111 APNIC China's Nokia China Investment Company
ns1.njdbidew.com. 170605 IN A 190.17.129.108 LACNIC Argentina's Buenos Aires Cablevision S.a
ns4.njdbidew.com. 170605 IN A 85.196.248.75 RIPE Estonia's Parnu

One of the latest of the illicit web stores (selling just counterfeit items, for a credit card) immediately wanted to direct me to 'http://rhmj.tathem.cn' (though I didn't let it). The domain 'tathem.cn' (indeed owned by a company in Beijing), is today given by the above servers a block of ip addresses in Tennessee, owned by Charter Communications. I have no doubt you will tell me how responsible Charter Communications is. That's fine; but who just stole my bank account?

So, should one tell Charter they own a little bit of China, or should we send the FBI to Beijing?

I won't even get into IAP servers that intercept http requests and forward them to others, encircling the World and ending in a store in rural Paraguay. :-)

My quote from APNIC was just to remind us that there is no current way of eliminating international internet crime but the dissemination of information (in the way of reports) to the responsible (thank you, ICANN). KnujOn and others are apparently working with legal authorities. Some organizations need to inform abuse personnel as soon as possible. SpamCop does this if I use the copy & paste method, but not if I forward the spam to them. That was my original query: will this soon change?

Rapakiwi
Wazoo
QUOTE(Rapakiwi @ Dec 3 2008, 03:28 AM) *
Yes, but my neighbor doesn't live in China or Turkey. Consider the current locations of these domain servers, owned by XIN NET in Beijing:-

ns3.njdbidew.com. 170605 IN A 59.4.132.222 APNIC Korea's Korea Telecom
ns2.njdbidew.com. 170605 IN A 203.93.212.111 APNIC China's Nokia China Investment Company
ns1.njdbidew.com. 170605 IN A 190.17.129.108 LACNIC Argentina's Buenos Aires Cablevision S.a
ns4.njdbidew.com. 170605 IN A 85.196.248.75 RIPE Estonia's Parnu

One of the latest of the illicit web stores (selling just counterfeit items, for a credit card) immediately wanted to direct me to 'http://rhmj.tathem.cn' (though I didn't let it). The domain 'tathem.cn' (indeed owned by a company in Beijing), is today given by the above servers a block of ip addresses in Tennessee, owned by Charter Communications. I have no doubt you will tell me how responsible Charter Communications is.

Yet again, not enough actual data provided .. however, the most likely issue you are actually trying to describe actually sounds like what has been described/defined as a FastFlux botnet situation. The bottom line there is that there are simply too many ignorant users that have easy access to the Internet.
QUOTE
SpamCop does this if I use the copy & paste method, but not if I forward the spam to them. That was my original query: will this soon change?

This was not the subject matter of your initial post. As a matter of fact, I don't see this "failure" anywhere in your previous posts. Your "problem" seems to be that you agreed to review the parser results before actually sending out a Report on your spam submittal but you did not wish to honor that part of the agreement. The only difference between the cut/paste mode and the e-mail submittal mode (excluding Quick-Reporting) is that one is done real-time, the other is handled as a background process by the Parsing & Reporting system (though most folks seem to think that this is also done in real-time, getting excited if they don't receive a response in a matter of seconds.)
Lking
QUOTE(Rapakiwi @ Dec 3 2008, 02:58 AM) *
I shall give 'Quick SpamCop' another examination.

I don't think 'Quick' reporting will do what you want. Quick reporting only looks at the header of the reported spam, sending reports to the source of the spam, when it can be identified. It does not look at the body of the spam.

You seem to be more interested in the spamvertised sites in the body of the spam. Reporting these sites must include human intervention to assure that legitimate sites are not reported. I'm sure you have seen spam that includes references to, for example, "as seen in New York Times", with a link to the Times. If parsed automatically the link to Times would be included with other sites being reported. - That is of course why 'Submit' and cut & paste processing require your verification of the reports before they are sent. This gives you the opportunity to 'un-check' reports for the Times.

As for reporting yourself, I think you need to re-read the references to configuring Mailhost in SC and re-read the references to forged FROM:, Reply-To: and Return-Path: and how they are not used by SC. If you properly configure Mailhost, SC can use that information so that your ISP (you) will not be included in reports generated for your review or sent by 'Quick' reporting.
Miss Betsy
I agree with Lou - spamcop reporting does not stop criminal activity. All it does is to provide IP addresses for server admins to use to prevent spam (criminal and otherwise) from being delivered to their inboxes.

In an indirect way, this helps the gullible and ignorant since they do not receive the spam if they are using an email service that filters effectively.

Using Quick Reporting would indirectly accomplish part of your mission. You would have to utilize other services to find and report spamvertised sites. As you point out, since spammers utilize websites and servers in different countries, it is very difficult to use law enforcement to shut them down. Usually, law enforcement requires a loss before they attempt to act. Some ISPs, such as Charter, might shut down websites engaged in illegal activity because it violates their terms of Service. However, their legal departments require certain proofs before they can act.

ICANN is considering new rules that would prevent registrars from doing some of the things that make spammers hard to track. This post by showker explains it: New Rules

Miss Betsy
Rapakiwi
QUOTE(Lking @ Dec 3 2008, 10:13 AM) *

I don't think 'Quick' reporting will do what you want. Quick reporting only looks at the header of the reported spam, sending reports to the source of the spam, when it can be identified. It does not look at the body of the spam.

Yes, that's exactly what I read when I followed Wazoo's initial link to 'Quick SpamCop'.

QUOTE(Lking @ Dec 3 2008, 10:13 AM) *
must include human intervention to assure that legitimate sites are not reported. I'm sure you have seen spam that includes references to, for example, "as seen in New York Times", with a link to the Times. If parsed automatically the link to Times would be included with other sites being reported. - That is of course why 'Submit' and cut & paste processing require your verification of the reports before they are sent. This gives you the opportunity to 'un-check' reports for the Times.

Exactly. That's the problem. My unhappiness, I suspect, is simply because I'm not thinking of other users. My situation is a good one.

First, I safely & carefully pre-examine everything I send to SpamCop. Most people can't safely open the letter. Next, being a member of the poor as well as ignorant, I no longer travel. Never have I received an e-mail with a hyperlink to a store outside the United States. However, were SpamCop to report hyperlinks in the body of the message, I should still check the (imaginary) option 'Don't report links to sites in my host country' (didn't I write that once before?).

What I was expecting from SpamCop was a way to easily report Canadian pharmacies in Russia to supervising officials. Though ICANN doesn't police, it does prohibit (by contractual agreement) 'FDA-Recommended Canadian Pharmacy' from moving its website if the owner has committed fraud. By initially clicking all the 'don't report if ..' safety options, SpamCop (would, in my imagination) initially send no reports to store's ISPs (as now).

This really isn't the problem, I suspect. The real problem may also be more than allowing ignorant people to use the internet. The real problem may be SpamCop's blacklist (someone will no doubt offer me the cognoscenti's acronym). Mailers always go down, and the mail is just stored (if possible) until it's up; but if a tiny home business is shutdown for more than a day, it could be devastating. This is why I, too, am not enthusiastic about blacklisting (greylisting) 'Mom & Pop' websites, while whitelisting corporate ones, as SpamCop appears to do (in a very reasonable manner).

Yet, I'm requesting the ability to shutdown a store be made even easier! Well, not really. I'm not interested (though I admire!) SpamCop's blacklist: I want only supervisors to know what they are, perhaps inadvertently, helping sell. It needn't even be reported as 'spam': it could be reported separately, to those supervisors who want to be informed: they could choose the urgency of the message. In this case, knowing that 'bookfinder.com' sells books is likely to cause no one harm.

This isn't SpamCop's mandate. SpamCop does one thing, and it does it extremely well. However, if you know where I can find another organization that can report illicit stores as fast as it does phish (or even general spam here), I should use it.

QUOTE(Lking @ Dec 3 2008, 10:13 AM) *
not used by SC. If you properly configure Mailhost, SC can use that information so that your ISP (you) will not be included in reports generated for your review or sent by 'Quick' reporting.

I shall. The documents were very vague. I've never examined Mailhost simply because the first document said, as you do here, 'Quick Spamcop' uses only the envelope (header, for Wazoo), whereas, as you've noted, I want parts of the letter (body, for Wazoo) reported.

The specific question in my initial post you express very well. Thank you. The extended question is: Is SpamCop capable of changing, as the needs of us (ignorant masses) change?


Rapakiwi

dbiel
QUOTE(Rapakiwi @ Dec 3 2008, 11:29 AM) *
First, I safely & carefully pre-examine everything I send to SpamCop. Most people can't safely open the letter. Next, being a member of the poor as well as ignorant, I no longer travel. Never have I received an e-mail with a hyperlink to a store outside the United States. However, were SpamCop to report hyperlinks in the body of the message, I should still check the (imaginary) option 'Don't report links to sites in my host country' (didn't I write that once before?).
I am sorry, but your logic is only half right. I am sure you are checking what you send to SpamCop is valid spam; what also needs to be checked is to be sure that the parser is not sending reports to locations you do not want them to go to; that it is correctly identifying the source of the spam. IP addresses sometimes change, mailhosts can change, and they are not always picked up by SpamCop when that happens which can result in you reporting yourself. Not a good thing to do.
Rapakiwi
QUOTE(Miss Betsy @ Dec 3 2008, 01:18 PM) *
I agree with Lou - spamcop reporting does not stop criminal activity. All it does is to provide IP addresses for server admins to use to prevent spam (criminal and otherwise) from being delivered to their inboxes.

Ms Betsy,

Always a pleasure to hear from you. Thank you for clarifying Lou's opinion, which I somehow missed. I examined only about five spam addresses to conclude they were of little value. A while ago, if you remember, I examined dozens and found a strong correlation between web store ISP and spam sending ISP, which would make address reporting useful. Unfortunately, these were the ISPs likely owned by World-wide organized crime syndicates, so reporting would be of little value.

If everyone used the SCBL (or whatever it's now called), I should be pleased to report. I'm getting migraine again, so I can't remember whether I can report by forwarding attachments without reviewing & confirming or not now. (At the moment I can't.) If so, I shall reconsider the value of SpamCop to me (for I don't mind spam). I may be gone for a few days, but then I'll check.

The link is great! Thank you!

You realize that helping police the worst on the net is just a social obligation. My research must take the bulk of my time. This morning I zipped away 6 spam from the night, each to a different address at KnujOn. It took less than one minute.

Bruce
The Irritating

PS Long ago some of us at supercomputer centers were consulted by the Gore Commission about how to release NSFnet to the public. Corporations such as IBM wanted to control it, but we urged it be controlled directly by Congress, the way the five NSF supercomputers were. ICANN is a private company, though non-profit; however, I shall find out whether Congress (whether you and I) have any real influence over it. In any case, I have many suggestions. :-)

Microsoft imposed outrageous contracts upon others for decades; why can't ICANN's contract address the recommendations of international law enforcement agencies, and just propagate itself when registrars sell blocks of ip addresses, all the way to the individual user? Perhaps our new Administration, State Department, and Congress would be interested in helping formulate ICANN's new contract in coordination with concomitant new treaties. :-)

Thank you very much for giving me the best link yet!
Lking
QUOTE(Rapakiwi @ Dec 3 2008, 02:29 PM) *
This isn't SpamCop's mandate. SpamCop does one thing, and it does it extremely well. However, if you know where I can find another organization that can report illicit stores as fast as it does phish (or even general spam here), I should use it.

That, I think is the correct answer. You can't expect everyone to do everything well.

As has been mentioned somewhere in this thread there are others that do other parts of this, and they do those parts well.

KnujOn identified a Thunderbird add-on that will email all identified spam in a TB folder to your KnujOn account and to anyone else you added to the list (for example, SpamCop). KnujOn looks at the body of the spam.

I also sort out the phishing spam for extra "TLC" sending it to PhishTank and CastleCops for processing by their PIRT squad.

Going back to your original "can SpamCop..." you will notice that in each case, KnujOn, PhishTank and CastleCops, people are involved in the process of parsing the body of the spam to correctly identify "bad" ISP/domains. In fact CastleCops ask for users to join the PIRT Squad to process submissions to Fried Phish. So as you suggested, getting the reporter out of the loop of parsing the body of the spam by SpamCop, "ain't going to happen."
Wazoo
QUOTE(Rapakiwi @ Dec 3 2008, 01:29 PM) *
The real problem may be SpamCop's blacklist (someone will no doubt offer me the cognoscenti's acronym).

http://www.forum.spamcop.net/
http://forum.spamcop.net/scwik/SpamCopWhereToGetHelp
http://forum.spamcop.net/scwik/SpamCopBlockingList
QUOTE
This is why I, too, am not enthusiastic about blacklisting (greylisting) 'Mom & Pop' websites, while whitelisting corporate ones, as SpamCop appears to do (in a very reasonable manner).

Not sure what you might actually mean, as SpamCop.net does nothing to black/grey/white-list web-sites.
QUOTE
The documents were very vague.

?? There are walk-throughs provided, much discussion within the appropriate Forum. Once again your ".. documents were very vague" statement with no specific details offered doesn't help much with solving your perceived issue.
QUOTE
I've never examined Mailhost simply because the first document said, as you do here, 'Quick Spamcop' uses only the envelope (header, for Wazoo), whereas, as you've noted, I want parts of the letter (body, for Wazoo) reported.

Sorry, but .... Quick Reporting is the term in question.
envelope (header, for Wazoo) ... the 'header' is not the 'envelope' .... unless one runs his/her own e-mail server, one doesn't actually have access to the 'envelope' of an e-mail.
QUOTE(Rapakiwi @ Dec 3 2008, 04:00 PM) *
If everyone used the SCBL (or whatever it's now called), I should be pleased to report. I'm getting migraine again, so I can't remember whether I can report by forwarding attachments without reviewing & confirming or not now. (At the moment I can't.)

You are essentially talking about the difference between 'full' reporting and Quick Reporting.
QUOTE
This morning I zipped away 6 spam from the night, each to a different address at KnujOn. It took less than one minute.

I can only vaguely remember when I only had to deal with 6 spam e-mails a day.
Wazoo
Wondering if an older press release from IronPort might add some definition to your suggested problems in relating the various IP Addresses involved in the delivery and content of your spam ..??? The magic words are 'botnet' and 'fastflux' ... as previously pointed out.
IronPort Research Discovers Links Between Malware Originators and Illegal Online Pharmaceutical Supply Chain
agsteele
QUOTE(Wazoo @ Dec 5 2008, 03:34 AM) *
Not sure what you might actually mean, as SpamCop.net does nothing to black/grey/white-list web-sites.

Hi Wazoo,

I think this guy is probably referring to the Email service where, of course, various colours of listing are available (although I guess black, white and grey aren't technically colours...) ;-)

Andrew

Wazoo
QUOTE(agsteele @ Dec 5 2008, 03:47 AM) *
I think this guy is probably referring to the Email service where, of course, various colours of listing are available (although I guess black, white and grey aren't technically colours...) ;-)

Yeah, I thought about that ... but that would have taken things back to one of the major points made so many times already .... SpamCop.net doesn't block e-mail either. So I left my comments dealing strictly with what was typed into the post(s) I was replying to. However, things like the "small businesses being shut down" comment were simply too excessive to worry about providing a response.
Rapakiwi
QUOTE(Wazoo @ Dec 5 2008, 08:25 AM) *

Yeah, I thought about that ... but that would have taken things back to one of the major points made so many times already .... SpamCop.net doesn't block e-mail either. So I left my comments dealing strictly with what was typed into the post(s) I was replying to. However, things like the "small businesses being shut down" comment were simply too excessive to worry about providing a response.


Oh, I thought 'this guy' was you, sorry. :-)

So, I assume from your posts that the SCBL only reports illicit web stores (in English): it does not black-, white-, or greylist them (bit of jargon here). I admire the SCBL, but I don't use it.

I have to get back to bed (for I am here just to quickly send tonight's spam to KnujOn's various addresses). I've recently reported only one spam to SpamCop, just to test whether it accepts Thunderbird's 'forward by attachment' results (for Mac's implementation of some mail RFCs has bugs, leaving .eml about, &c). The 'inline' attachment option was also accepted, but the link in the body wasn't reported. (This paragraph is for Mac users.)

SpamCop seems to accept these Thunderbird forwards just fine without any 'add-ons' (which attach the source without any Apple bugs); so I trust those to KnujOn are acceptable (though I'll double-check). Thank SpamCop for the great reports!

To clarify your puzzlement, one report (a year or two ago) contained a link to opera.com. Because all previous links to, say, Здравствуйте!.ru, had reports prepared, I anticipated one about opera.com, which I should delete, lest (I excessively worried) it might make it to the SCBL. It didn't appear. Thus I concluded you had a list of legitimate sites (common corporations who would not respond well to being reported by you) about which you did not prepare reports.

BTW, thanks for the last link, which I'll check out. However, I've pretty much decided to report all the method that reports only headers. One user kindly noted that even reports of phish elsewhere must be examined by hand: this I didn't know. Why, I still don't know; but I'll ask at CastleCops.

I also have my old spam (yes, I archive spam); so I'll run through the SpamCop parser what I had analyzed by hand some days ago and see if SpamCop can find more from its envelopes (English, not networking jargon): in English, a letter has an envelope and a signature. On the envelope, the mailer (the post office) applies a stamp when the letter is posted. (If SpamCop's use is for Knurds only, I'll change my language, for I worked as a computer professional between legitimate jobs.)

Don't waste your time puzzling over details sufficient only to illustrate a point. As for your earlier remarks that the 'problem' here is a refusal to fulfill my contractual responsibility, then allowing ignorant people access to the internet, I think you should take the time to get out more.

My best,


Rapakiwi


agsteele
QUOTE(Rapakiwi @ Dec 5 2008, 03:31 PM) *
Don't waste your time puzzling over details sufficient only to illustrate a point. As for your earlier remarks that the 'problem' here is a refusal to fulfill my contractual responsibility, then allowing ignorant people access to the internet, I think you should take the time to get out more.

Hi Rapakiwi,

I'm sorry you aren't able to get your head around how the SpamCop systems work and confuse this as a place to get help with other services.

I'm sorry you feel you have to take an unhelpful, combative and, frankly, rude approach to folk who try to help.

But I'll simply add you to the appropriate list so I don't have to read your posts henceforth.

Andrew

DavidT
Faulty terminology and assumptions will almost always interfere with effective communications, as is the case here.

DT
rconner
QUOTE(Rapakiwi @ Dec 5 2008, 10:31 AM) *
So, I assume from your posts that the SCBL only reports illicit web stores (in English): it does not black-, white-, or greylist them (bit of jargon here).
The SCBL does not "report" anything. The SCBL is merely a list, or a database if you prefer. But you do not have to take the posters' word for it, the operators of the SCBL speak for themselves at http://www.spamcop.net/fom-serve/cache/297.html:
QUOTE
The SCBL is a list of IP addresses which have transmitted reported email to SpamCop users, which in turn is used to block and filter unwanted email.
SpamCop USERS, and not the SCBL, report spam links they find in their mail as a sidebar to the more specific function of identifying spam-source ADDRESSES (not websites) and listing them in the SCBL. Up-to-date and accurate info on sources of spam is what internet providers require in order to block or detail spam being delivered to their hosts. Info about spam websites is useless for this purpose.

Identifying and dealing with website links in spam is an order of magnitude more difficult and ambiguous than simply identifying spam sources, but I think you've probably read about this before. Here's another link for your collection: http://forum.spamcop.net/forums/index.php?...amp;#entry65360.

-- rick
Miss Betsy
QUOTE
Up-to-date and accurate info on sources of spam is what internet providers require in order to block or detail spam being delivered to their hosts. Info about spam websites is useless for this purpose.
This is not quite accurate. The spam sources (IP addresses) of where spam comes from is very useful to server admins to block or filter spam as it comes into their network. The DNSBLs, including spamcop's, are used to identify spam sources. This is very useful, especially since spammers discovered how to evade filters using botnets. Spam from botnets comes from non-email computers and can be blocked without fear of blocking real email. The DNSBLs are, as rconner said, just a database of IP addresses that have been discovered to send spam. Spamcop discovers this through user reports and spam trap hits. Other DNSBLs have other methods of deciding what is a spam source.

The part of the above quote that is not quite accurate is that knowing spam websites is useless for filtering spam. It is useless as far as blocking spam at the server level, but after accepting email, it still can be filtered by various means. One of those is to filter for spam websites. Spamcop does not offer a filtering list because, IMHO, the policy is that the /source/ is more important to identify than the website. There has been no attempt to keep the parser concurrent with spammer tactics to evade filters that identify websites. As has been said several times, there are different methods and different tools to filter spam. OTOH, there are server admins who do filter after accepting email by the websites within the email. One such server admin told me in the ngs that he estimated 25% of his spam was caught in this manner.

I believe that is one of the reasons that spamcop continues to identify spamvertised websites. Imperfect though it is, the spamcop parser does identify enough websites accurately for others to use them as a filter. There are also those, like rconner, who use the parser as a first step in identifying the owners and creating their own reports.

The OP is particularly interested in identifying criminal websites to protect ignorant or careless web users. Spamcop is not the tool he needs to do that. As I said before, web users are protected by the use of the spamcop blocklist indirectly in that, if used to stop email from sources known to be sending spam, web users never see the spam and so are not tempted to visit spamvertised websites.

Again, there are other methods to identify and report spamvertised websites. There are also other methods to avoid them while surfing such as the McAfee SiteAdvisor. Since others have developed more sophisticated tools, spamcop is not going to try to improve what they have. It is still accurate enough to be of some use to those who have other methods to do whatever it is they want to do about spamvertised websites.

IMHO, there is very little chance that criminal websites will be eliminated online any more than criminal activity has been eliminated offline. Netizens will have to learn to be careful just as they are offline. And, if they don't, they will fall victim to various scams - some more serious than others. However, I do think that spam can be reduced considerably by the use of blocklists - especially if the receiving server blocks them at the server level. Eventually, responsible people wanting to use the internet will only use email services that are responsible and don't allow spam to be sent so that they can be assured that their email will be delivered. And they will be using email services that block spam from irresponsible networks so that they will never see any spam.

Miss Betsy
rconner
QUOTE(Miss Betsy @ Dec 5 2008, 04:09 PM) *
The part of the above quote that is not quite accurate is that knowing spam websites is useless for filtering spam. It is useless as far as blocking spam at the server level, but after accepting email, it still can be filtered by various means.
Thanks for the amplification, but I'm going to stick by what I said -- that info about websites in spam is not useful for hosts that wish to reject mail based on source. The reason is that the decision whether to reject is most often made BEFORE the body of the e-mail message is ever seen (i.e., the host would give a permanent reject code in response to one of the commands preceding the DATA command that offers the body). So, the mail host actually has no idea what websites are mentioned in the spam when it decides whether to reject.

I agree that the website info is VERY useful for MDA-based filtering (where the mail has been accepted for delivery, but can be detained in a separate "spam queue"). This is where SURBL, URIBL, SpamAssassin, Bayesian filters, et al. come into play.

-- rick
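The two decision points described in the post above, as an added example that is not part of the original thread: an IP-based list can be checked before DATA, while a domain-based list can only be checked once the body has been accepted. The zone names `bl.spamcop.net` and `multi.surbl.org` are not given in the thread, the addresses, domains and listings are constructed, and reducing a host to its last two labels is a simplification.

```python
import ipaddress
import re
import socket

IP_ZONE = "bl.spamcop.net"    # SCBL zone name (assumption: not stated in the thread)
URI_ZONE = "multi.surbl.org"  # SURBL zone name (assumption: not stated in the thread)
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def dns_resolve(name):
    """Live lookup: an A record means 'listed'; any lookup failure is
    treated as 'not listed', so a DNS outage never rejects mail."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def ip_query_name(client_ip, zone=IP_ZONE):
    """192.0.2.99 is looked up as 99.2.0.192.<zone> (IPv6 uses reversed nibbles)."""
    reversed_ip = ipaddress.ip_address(client_ip).reverse_pointer.rsplit(".", 2)[0]
    return f"{reversed_ip}.{zone}"


def listed(name, resolve):
    """Blocklists answer with an address in 127.0.0.0/8 when the name is listed."""
    answer = resolve(name)
    return answer is not None and answer.startswith("127.")


def body_domains(body):
    """Domains of http(s) links in the body, cut to the last two labels.
    Real URI filters use the public suffix list; this is a simplification."""
    domains = set()
    for host in URL_HOST.findall(body):
        labels = host.lower().strip(".").split(".")
        if len(labels) >= 2 and not labels[-1].isdigit():  # skip IP literals
            domains.add(".".join(labels[-2:]))
    return sorted(domains)


def process(client_ip, body, resolve=dns_resolve):
    """Return (disposition, listed_domains) for one delivery attempt."""
    # Stage 1: at connect/RCPT time only the client IP is known, so the
    # body (and every link in it) has not been seen when this decision is made.
    if listed(ip_query_name(client_ip), resolve):
        return ("rejected before DATA", [])
    # Stage 2: the message was accepted, so its links can now be checked
    # and the mail detained in a spam queue instead of being rejected.
    hits = [d for d in body_domains(body) if listed(f"{d}.{URI_ZONE}", resolve)]
    if hits:
        return ("accepted, held in spam queue", hits)
    return ("accepted, delivered", [])


# Constructed listings and message body, so the example runs offline.
FAKE_ZONE = {
    "99.2.0.192.bl.spamcop.net": "127.0.0.2",
    "pills.example.multi.surbl.org": "127.0.0.2",
}


def fake_resolve(name):
    return FAKE_ZONE.get(name)


SPAM_BODY = ("Cheap meds at http://www.pills.example/buy?id=1 "
             "as seen in http://www.nytimes.example/health")

if __name__ == "__main__":
    for ip in ("192.0.2.99", "198.51.100.7"):
        print(ip, process(ip, SPAM_BODY, fake_resolve))
```
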
Miss Betsy
Exactly!

Miss Betsy
Rapakiwi
QUOTE(Miss Betsy @ Dec 5 2008, 02:43 PM) *

Exactly!

Miss Betsy

Exactly! Even I can agree with that statement! :-)

This last note is to thank those who attempted to analyze specific spam letters from tiny fragments I posted. I read and always appreciate the links offered me (especially those from Wazoo, which I always read), but my only interest was in knowing why I needed to examine reports to ISPs supporting illicit websites. Clearly that would be the only ip address NOT hidden from me. I just hadn't time to do this. No matter; I've found a happy solution that may help others, even Microsoft users. This letter may offer ideas (and does offer links) for Mac users. My ending post.

Victims

During my absence (a blocking list sending letters was a migraine-aura typo, BTW), I thought of a way of quickly reporting spam to both KnujOn and SpamCop, reporting 'spamvertized' websites. The sites I just couldn't ignore, since the very professional letters selling sex-enhancing drugs and diplomas are purposefully written in an illiterate manner. These appear designed to hook young Americans, who are using their parents' credit cards. Perhaps yours.

'Additional Comments from Recipients'

Rather than type a personal message on each report, as I used to do (and took too much time), I prepared on Mac's 'Tiger' OS a simple text letter with my most common remarks, under headings based upon KnujOn's classification (Phish, Drugs, Counterfeits, Software, &c).

Thunderbird Forwards by Attachment

Now, when I forward spam (by attaching it to an empty file) using the forward toolbar button on Thunderbird, I forward all the day's drug spam to both Drugs <rx[at]coldrain.net> and SpamCop's address given me. Quite soon, SpamCop will ask me to verify my report (which is very good).

Select an Appropriate Paragraph, Drag & Drop

In the corner of my Desktop is my text file. I examine the report, the spam, select an appropriate 'generic' paragraph from my text letter, drag it to the box on SpamCop, and modify the comments specifically for that spam letter. This removes the slowest part of reporting spam to SpamCop, and appears satisfactorily fast. That solved my problem of wanting to quickly report illicit websites as well as spam letters. (spam is not my profession.)

The Haku & KnujOn extensions to add-on

The Add-Ons to Thunderbird that forward my junk folder to various agencies are not for me: forwarding the spam to more specialized addresses and giving it (at SpamCop) my real e-mail address and personal remarks are worth the extra effort, if I could afford the time. Now I believe I can. I do find these useful, though:

Alerts are more Important to me

Growl for Mac's 'Tiger' OS
http://www.versiontracker.com/dyn/moreinfo/macosx/24638

Growl Mail for Apple Mail notifications
http://growl.info/extras.php#GrowlMail

Growl Thunderbird Notifications (now built-in, I think)
https://addons.mozilla.org/en-US/thunderbir...owl&cat=all

Growl used to work well (before Apple crippled my G3 iBook) with ClamXav Sentry and Apple Mail.

One's Speaker has a Use

Mail in my Inbox is scanned automatically for malware, and the 'music video' alert pops up a translucent black screen with sender & subject, so I know whether to stop working. Mail in the Junk folder is announced by voice, and malware is announced by both (with a persistent message window). I either found or recorded spam.aiff, malware.aiff, and error.aiff, which I put in

/Users/Me/Library/Sounds/

So, a simple collection of my favorite paragraphs with audio alerts allows me to now report spam in a timely manner with little effort.

Thank you all very much anyway for all your advice and helpful links.


Rapakiwi

PS. Occasionally I do receive solicited mail with hyperlinks. Never have I opened one without checking whether it is a real link to a friendly domain, or a name or image of that domain that would take me to Baluchistan. (Now on a Mac one can just wave the pointer over it.)


Rapakiwi
QUOTE(Rapakiwi @ Dec 8 2008, 01:48 PM) *
This letter may offer ideas (and does offer links) for Mac users. My ending post.

Sorry, but here's an addendum to it for Thunderbird users. While adjusting Thunderbird, I asked it to warn me of 'e-mail scams' and 'spam'. Though I received hundreds of spam letters with frightening web links, no warning ever appeared. (Phish I'm no longer sent, after I started reporting it: almost all my spam comes from one organization, in Asia.)

Finally, today, a dire warning of an e-mail scam appeared. It was my monthly book catalog from Dover Publications. I don't know about others, but I consider most of their books outstanding bargains. The message is, at the moment, use more security than that offered by Thunderbird. :-)


Rapakiwi
Axxxim
Dear US and Canada Capitalist Pigs,

If you'll notice, each XIN NET spam email will contain a simple http graphics file call to display a picture in your email. This simple code allows our Chinese government to grab and log your personal IP on our servers for our planned cyber attack support on your spoiled and selfish country! Think of what a country could do with a complete list of active and sniffed out list of IPs of its enemy. Your internet will be of no use. Your country is too Open. Long live the People's Republic!

Please wake up, spread the word and do everything to stop XIN NET now!
Lking
QUOTE(Axxxim @ Dec 11 2008, 10:06 AM) *
If you'll notice, each XIN NET spam email will contain a simple http graphics file call to display a picture in your email.

Axxxim, you may notice that I have setup my email app so that if an email source is not on my white list the "simple http graphics file call" will not be made. So you and your sarcastic Chinese government will only know that the email was accepted by the server. You will not know whether it was read, reported to SC or just sent directly to a digital black hole.

Oh I'm sorry, you can't tell can you. Since you are not on my white list you can't see past the mail server. All you know is your spam didn't bounce.

Nicely played though. dry.gif
Rapakiwi
QUOTE(Lking @ Dec 11 2008, 08:36 AM) *
Axxxim,

<SNIP, SNIP>

Nicely played though. dry.gif

Lking,

China is likely too busy negotiating baby formulas with Taiwan to consider aggression. However, Axxxim's point (I think) is a good one, once raised by Miss Betsy. How do you verify that a letter is spam without opening it? Even after running it through your ISP's filters and your own malware filters, opening it can open many little 1x1-pixel GIF images back in ... 'China': web bugs.

SpamCop's 'filter' (please substitute the correct acronym) I can't speak of. However, the classic web bug, I've noticed, has recently been replaced with innocent-looking little company logos or signatures small enough to preferably be sent as a real image rather than a hyperlink. I should guess it hard to automatically filter these out: they could be colorful buttons, for example.

You know this, so this is written for others. Your method of 'white listing' all but your reliable correspondents is an excellent strategy, advocated by Apple. However, it doesn't solve the problem of what to do with the letter titled 'Deliver Status Notification (Failure)' currently in my Junk Folder. I received a genuine one yesterday. This one I know is spam, likely with web bugs, because it was not sent from an automated mailer or Postmaster, but from me. :-)

In the 90's, I used to just unplug the ethernet cable before reading all mail. This would work when reading suspect mail (and manually removing suspect files). Apple's Junk folder (junk status) prevents opening any images on the sender's site; but I don't know whether others' do.

This subject is inapropos for this thread. Perhaps someone could re-post Axxxim's amusing little post to a new thread, if the administrators feel this subject is one that spam reporters (average folk) should be more aware of. I have no doubt it is discussed in a help file I should have read.


Rapakiwi
Persona non Grata
Lking
QUOTE(Rapakiwi @ Dec 11 2008, 02:33 PM) *
<snip>
How do you verify that a letter is spam without opening it? Even after running it through your ISP's filters and your own malware filters, opening it can open many little 1x1-pixel GIF images back in ... 'China': web bugs.

Not true. I use the features of Thunderbird. Unless I have approved an email source, remote GIFs of any size are not loaded and Thunderbird displays this message "To protect your privacy, Thunderbird has blocked remote images in this message." There is a button if you want the images fetched and displayed. There is also an option in red "Click here if you always want to load images from Your_mothers[at]email.com"
QUOTE(Rapakiwi @ Dec 11 2008, 02:33 PM) *
<snip>However, it {white listing} doesn't solve the problem of what to do with the letter titled 'Deliver Status Notification (Failure)' currently in my Junk Folder.
Yes it does. A true 'Deliver Status...' contains more than remote images, for example the header of the rejected message. So there most likely is enough information to judge the true status of the 'Deliver Status Notification'. Based on the ones I have been receiving my first clue is that one of my addresses has been forged as the sender.

This is not true for the drug spam that used to be common which only contained a GIF. Of course that was a clue in itself. No one I know sends email which contains only a GIF. So when I open this type of spam with Thunderbird I see nothing, except the message "To protect your privacy, Thunderbird has blocked remote images in this message." That gives me the first clue. If I need more a CTRL-U gives me more than enough info.

IMO there is no need to move Axxxim's post. He joined, double posted his little joke and I bet he is gone. As Farelf noted he has double posted the same message in another forum after joining. I don't think he will be back. So why bother? {edited to add a word}
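The two checks discussed in the post above, done on the raw message source without rendering it or fetching anything, as an added example that is not part of the original thread: list the remote images a mail client would request, and see whether a "Delivery Status Notification" has the structure of a real bounce. Both sample messages, every address in them and the function names are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser


class RemoteImages(HTMLParser):
    """Collects <img> tags whose src would make the mail client contact a server."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        # cid: and data: images travel inside the message and call no server.
        if src.lower().startswith(("http://", "https://")):
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            # A query string can carry a per-recipient id, whatever the image size.
            self.refs.append({"url": src, "tiny": tiny, "has_query": "?" in src})


def remote_images(raw):
    """Remote image references in every text/html part of a raw message."""
    finder = RemoteImages()
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            finder.feed(data.decode(charset, errors="replace"))
    return finder.refs


def dsn_structure(raw):
    """Which parts of a standard bounce (multipart/report) are present."""
    msg = message_from_string(raw)
    is_report = (msg.get_content_type() == "multipart/report"
                 and msg.get_param("report-type") == "delivery-status")
    types = [p.get_content_type() for p in msg.walk()] if is_report else []
    return {
        "is_report": is_report,
        "has_status": "message/delivery-status" in types,
        "has_original": any(t in ("message/rfc822", "text/rfc822-headers")
                            for t in types),
    }


# Constructed sample: spam posing as a bounce, sender forged as the recipient.
FAKE_DSN = """\
From: me@example.org
To: me@example.org
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Your message could not be delivered.</p>
<img src="http://img.tracker.example/o.gif?id=me%40example.org" width="1" height="1">
<img src="http://img.tracker.example/logo.png?u=8841" width="120" height="40">
<img src="cid:logo@local" width="120" height="40">
</body></html>
"""

# Constructed sample: a bounce carrying the status report and the rejected headers.
REAL_DSN = """\
From: MAILER-DAEMON@mx.example.net
To: me@example.org
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed permanently.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.com
Action: failed
Status: 5.1.1

--b1
Content-Type: text/rfc822-headers

From: me@example.org
To: nobody@example.com
Subject: Re: Yesterday

--b1--
"""

if __name__ == "__main__":
    for name, raw in (("FAKE_DSN", FAKE_DSN), ("REAL_DSN", REAL_DSN)):
        print(name, dsn_structure(raw), remote_images(raw))
```
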
Rapakiwi
QUOTE(Lking @ Dec 11 2008, 02:15 PM) *

Not true. I use the features of Thunderbird. <SNIP, SNIP>

Yes, you are right. My apology. I had forgotten that this thread was on Thunderbird.

In earlier discussions, I found that many people (using many mailing agents on many operating systems) report their spam without opening it (Miss Betsy being one), likely in wise fear of web bugs and malware; and others (including me) were unaware of the safety features (if any) that various mailing agents imposed upon their 'Junk folders'. There are dozens of mailing agents.

Most people used subject lines to easily recognize spam, and 'Delivery Status Notification' (sorry about the typo) was just an example of a subject line designed to fool the non-paranoid person into quickly opening it. (You recognized this one as spam by opening the letter yourself and finding a hyperlink inside.) Normal people shouldn't have to open mail unsafely or read full headers and check the ip addresses using, for example,

http://www.domaintools.com/

Apple's approach opens these safely in the junk folder (as do many others, I'm sure), but what should the normal person do; especially if such deceptive spam appears in their inbox? (Using a PC should be like driving a car.)

QUOTE(Lking @ Dec 11 2008, 02:15 PM) *

IMO there is no need to move Axxxim's post. He joined, double posted his little joke and I bet he is gone. As Farelf noted, he has double posted the same message in another forum after joining. I don't think he will be back. So why bother? {edited to add a word}

Yes, you are correct: this is the help section. I didn't mean to address this subject to help Axxxim, who has no need of help.

My posts everywhere are addressed to normal people (hence my language), just to help 'clean the sidewalk I walk on'. Individual help I offer by e-mail; but posts are for everyone. Axxxim did raise an important point the normal person should be aware of, and the normal spam reporter needs to solve. (Yes, you have already, I know.) The 'you' that follows refers to a normal person.

Apple's solution is to treat all new mail as suspicious, and open it in the Junk folder. Apple Mail's Junk folder is a 'sandbox', in which one can open any letter safely. Only if the letter is from someone in your Address Book, a previous recipient, or mail you manually marked 'Not Junk', will the new letter appear in your Inbox rather than the Junk folder. After a while, the normal user finds all Junk becomes spam.

Problems occur when you have sent carbons to your own address, and spam sent from 'your account name' appears in your Inbox with an innocuous subject line, such as 'Re: Yesterday'. Habit may cause many (such as me) to open it (which is why I have it automatically checked for at least malware first, using a method which will not protect one from malware installed by a computer to which I was automatically redirected when the letter was opened). (When this happens, I pull the ethernet and run two malware checkers, whose databases were updated when the machine booted in the morning.)


Rapakiwi
Miss Betsy
Since most end users are technically non-fluent, many email applications now do not display images by default for senders not on the contact list. For most end users JHD (Just Hit Delete) is how they deal with spam, and they rely on their providers to filter the spam to the junk folder.

Since I have become interested in spam and how it is dealt with, if I think I need to open an email that might not be spam, but that I don't recognize, I use the message source (I used Outlook Express and now Windows Live for my email application). I learned how to do that from people in the SpamCop community of users.

Interestingly, I used to receive the Dover Books newsletter at a hotmail account and no longer do so. Dover must have had some problems with their mailing list or how they sent it to be tagged suddenly as spam. Perhaps, as spam filters get more aggressive, some methods that used to work no longer do. Although companies tell you to add their newsletter addresses to your contact list, I usually don't want to bother, so many newsletters that I used to receive I no longer do. As I rarely read them until I want to order again, it is no loss. Many people don't even use their email very much any more because they don't want to take the time to adjust filters, add contacts, etc. to make their inboxes useful.

Miss Betsy