last edit 25 September 2008
The SpamCop Glossary currently exists in three "flavors": this forum version; the new SpamCop Dictionary version; and the newest, a Wiki "flavor" that includes extensive cross-indexing.
Note: additions, corrections, suggestions, etc. are encouraged and will be merged into this consolidated glossary after allowing ample time for comment. Please post your comments in this thread. After they have been consolidated they will be moved to the archive: SpamCop Glossary Archive, Historical record of changes and posts. For terms not included in this glossary please see the entry Additional Glossary Sources found at the conclusion of this glossary.
Note: All underlined text (regardless of color) found in the glossary is an indication of a clickable link. These links vary as to how they function. Some links will simply jump you to another part of the glossary (using the browser "back" button will return you to your previous location); while other links will open up a new window. Color coding in the glossary is used to grab attention or to aid in readability.
A special thanks to Wazoo for getting the index to work.
Sending something nowhere. SpamCop's parser discards messages by sending them to user#domain[at]devnull.spamcop.net (this is a pseudo-Report because it doesn't go anywhere, but it does get recorded in the statistics and can help keep an SCBL listing alive). Reasons for discarding reports include bouncing of previous Reports that were sent to user[at]domain, as well as SpamCop Deputy and SpamCop Admin intervention due to listwashing, ROKSO listing, obviously ignoring reports, passing reports to inappropriate places, etc.
The derivation of this term is the Unix Null Device /dev/null. Other terms for the same concept include vaporization, deletion, and sending something to a data sink, Bit Bucket, DOS's NUL:, trash can, or round file.
For more info, please see Steps taken by the parser and Ellen's description of why Reports are turned off.
Acronyms & Text Messaging Shorthand
The following link is to NetLingo's extensive List of Acronyms & Text Messaging Shorthand
Acronyms have always been an integral part of computer culture, and they have since spawned a new language on the Internet. Commonly thought of as a series of letters that make up a "word" there is a distinction between acronyms and shorthand.
Online enthusiasts, primarily millennials, are learning that shorthand are in fact called acronyms, but this is incorrect. The difference between acronyms and shorthand is that with acronyms, you pronounce the letters as a new word (for example, FUBAR is pronounced "foo-bar" and RADAR is pronounced "ray-dar"). In contrast, shorthand pronunciations are always to say the letters one-by-one and not pronounce it as a word (for example, FYI is pronounced "F-Y-I" and BRB is pronounced "B-R-B"). The difference between shorthand and an initialism (or abbreviation) is that the latter refers to the shortening of a word itself, for example "esp" for "especially." The online practice is to refer to any shorthand or abbreviation as an acronym.
Examples commonly used in the SpamCop Forums include:
AFAIK - As Far As I Know
AKA - Also Known As
BI - Breidbart Index
BOFH - Bastard Operator From Hell
BTW - By The Way
FAQ - Frequently Asked Questions
FWIW - For What It's Worth
HTIW - How The Internet Works
HTML - HyperText Markup Language
HTTP - HyperText Transfer Protocol
IIRC - If I Remember Correctly or If I Recall Correctly
IIUC - If I Understand Correctly
IIWY - If It Was You
IMAP - Internet Message Access Protocol
ISTM - It Seems to Me
ITYM - I Think You Mean
NOC - Network Operations Center
OWTTE - Or Words To That Effect
PITA - Pain In The Ass
POP3 - Post Office Protocol version 3
RSN - Real Soon Now
SBRS - SenderBase® Reputation Score
SMTP - Simple Mail Transport Protocol
TOE - Train On Errors
TPTB - The Powers That Be
TTFN - Ta Ta For Now
tinu - there is no us
tinw - there is no we
URI - Uniform Resource Identifier
URL - Uniform Resource Locator
URN - Uniform Resource Name
UUBE - Unwanted/Unsolicited Bounce Email
Alternate reference source: Internet slang From Wikipedia, the free encyclopedia.
A backronym or bacronym is a type of acronym that is formed to match the letters of a word already in use. The word "backronym" is a portmanteau of back and acronym and was coined in 1983.
See the entry in Wikipedia for a more detailed explanation.
BBCode is short for Bulletin Board Code. It is used as a way for formatting posts made on message boards, blogs and more. It is similar to HTML in the sense that in BBCode one does also use tags to format something specific (contained within the tag). In BBCode, tags are indicated by rectangular brackets surrounding a keyword, which is in turn transformed into HTML before being delivered to a web browser.
BBCode was implemented as a method of providing a safer and easier way of allowing posts to be formatted on forums. Before BBCode, forums sometimes allowed users to include HTML code in their posts, which had many security issues (e.g. the user could execute JavaScript code, break the layout of the site and so on). With BBCode being parsed by the forum scripts, it is easier to control what the user can and cannot do (by allowing or not allowing specific BBCode tags).
The basic BBCode tags are often very similar across many different forums (which includes the SpamCopForum) but there are some variants in existence as well. Sometimes BBCode tags have to be in a specific case (i.e. [ b]bold text[ /b] will work, while [ B]bold text[ /B] will not). Forums also differ as to which of the more unsafe and/or complex tags are supported. For instance, you cannot always expect the [ img] image tag to be supported, as allowing posters unlimited power to post any picture they like could have some pretty nasty effects.
Note: space added at the beginning of each BBCode tag to stop them from being rendered in this definition.
Note: in the SpamCopForum, BBCode tags are not case sensitive.
When writing or editing a post in the SpamCopForum, clicking on "BB Code Help" will open up a help screen that contains detailed examples.
The universal data sink (originally, the mythical receptacle used to catch bits when they fall off the end of a register during a shift instruction). Discarded, lost, or destroyed data is said to have gone to the bit bucket. On Unix, often used for /dev/null. Sometimes amplified as the Great Bit Bucket in the Sky.
This is a system where suspected spam is accepted by the mail server or user and silently deleted. Neither the sender nor the receiver is notified.
This seems to be preferred by many companies as it means that none of their potential customers will see a rejection message, and by many users as they can not tell if a spam filter deleted the message or some other computer glitch deleted it before it got to their server. When coupled with a whitelisting system where any outgoing e-mail address is whitelisted for a response, the error rate can be almost invisible to the senders and the receivers.
As with the quarantine method, it is a more expensive method than using DNSbls.
Blowback, Backscatter, Misdirected Bounces
Delayed bounces, virus notices, out-of-office messages and other forms of auto-responses that are frequently misdirected, basing their targets on data found within forged header lines. In the past, these types of notifications were a nicety. However, as the spammers have once again used a "feature" of something developed under the "trusted users" model to aid in delivering their spew, this activity of e-mail servers has moved into the "bad" zone. More desirable these days is that non-deliverable e-mail be handled at the time of attempted delivery, such that any rejection notice required is supplied to the sending server, rather than to a possibly innocent third party.
Used by some as a description of undelivered e-mail.
More accurately it refers to a mail message that a mail server generates to indicate a mail message is not delivered.
RFCs allow a receiving mail server to generate a bounce, but that is no longer good practice: for spam and viruses, which are now between 50 to 70 percent of incoming e-mail, that bounce will go to some innocent victim, like you.
The preferred practice is for the receiving mail server to issue an SMTP reject code if it can not deliver the e-mail, and then the sending mail server will generate a bounce.
Since spam and most recent viruses are not sent through real mail servers, no bounce message will be generated for them.
Breidbart Index (BI)
A weighted measure of posting and cross posting of an article in newsgroups in which an index of 20 or greater is taken by some administrators to be a spamming violation and the posts liable to cancellation.
The Breidbart Index is defined as the sum of the square roots of n (n is the number of newsgroups each copy was posted to).
Example: If two copies of a posting are made, one to 9 groups, and one to 16, the Breidbart Index is 1*sqrt(9)+1*sqrt(16) = 3+4 = 7
Example: 10 copies of an article are posted, each cross-posted to 4 groups, the BI is 10*sqrt(4) = 20
External reference: The Breidbart Index Definition & spam Threshold FAQ
A cache (pronounced cash) or buffer is basically a local copy or storage area that provides speedy access to stuff that is normally stored elsewhere. Computers cache and buffer information inside and outside their CPUs, in RAM, and on Hard Disks. In the interest of speed and reduced redundant network traffic and load, the Parser caches DNS, WHOIS and abuse.net lookup results (more info on them below). Information about how long the Parser caches those lookup results is confidential, as exact numbers might give the spammers ideas.
The term cartooney refers to the baseless legal threats, or the nonexistent lawyers, often invoked by spammers in their attempts to be removed from mail filters. The word can be used either as an adjective or a noun; i.e., "The spammer made cartooney threats" or "The spammer sent me a cartooney".
An e-mail account that accepts anything in front of the [at]Domain part of the e-mail address. In the days before spam, this was a normal mode of most all Domain / web-site settings. Now it's more advised to actually define 'real' e-mail accounts to be used by that Domain and reject e-mail sent to non-existent accounts. This is sometimes an issue with various web-hosting plans that may limit the number of e-mail accounts that can be used, but there should normally be enough available to handle things like info[at] sales[at] webmaster[at] etc.
C/R or Challenge Response
A service that issues a challenge to make sure that a human is sending a mail.
When they challenge spam and viruses, they bother innocent people.
If they use SMTP rejects, then only real senders will get the challenges.
Generally an expensive method of spam control, and spammers can easily get around the challenge if they care to by redirecting the challenge to a porn site and promising free porn to the humans that visit the site and answer the challenge.
A challenge response system that does not use SMTP rejects is prone to sending e-mail to spamtraps which will cause other mail servers to refuse the challenges.
The only way for a challenge response system that does not use SMTP rejects to avoid hitting spam traps is to make sure that it never issues a challenge to a forged address in a spam or a virus. And of course if it knew how to do that, it would not need to issue a challenge.
A typical chain letter consists of a message that attempts to induce the recipient to make a number of copies of the letter and then pass them on to two or more new recipients. A chain letter can be considered a type of meme, a self-replicating piece of information that uses a human host to distribute copies of itself. Common methods used by chain letters include emotionally manipulative stories, get-rich-quick pyramid schemes, and the exploitation of superstition to threaten the recipient with bad luck or even physical violence if he or she "breaks the chain" and refuses to adhere to the conditions set out by the letter.
See also http://en.wikipedia.org/wiki/Chain_letter
CIDR - Classless Inter-Domain Routing
A method of expanding the usable number of IP addresses available by changing the method of how the numbers are interpreted for routing purposes.
See Wikipedia for a more detailed explanation.
A content filter is one that looks at the contents of a message and tries to guess if it is spam or a real e-mail.
Generally content filters are not very accurate, and as they require that the mail server allow the transfer of the body of the message, they are more expensive to operate than using DNSbls.
Generally to make up for the inaccuracies in content filters, they are accompanied by a quarantine area to check for errors.
The accuracy of content filters can be greatly enhanced by using conservative DNSbls to keep the bulk of the spam out of the mail server, and then using aggressive DNSbls or failed strict rDNS checks to determine if the content filter should examine the message.
Of the content filter checks, the one that shows the most accuracy is to look up the I.P. address that any web link in the e-mail references, and check it against a DNSbl. But you only want to do that check on e-mail that fails one of the aggressive tests, or you may miss legitimate mail discussing spam and how to fight it.
Content-ID: / cid:
The Uniform Resource Locator (URL) schemes, "cid:" and "mid:" allow references to messages and the body parts of messages. For example, within a single multipart message, one HTML body part might include embedded references to other parts of the same message. (extracted from http://www.ietf.org/rfc/rfc2111.txt )
DNS based blocking system. A DNS server keeps track of IP addresses that meet the listing service's criteria. Also known as BLOCKING LISTS and BLACKHOLE lists.
Mail servers and other network servers can reference them to reject mail or connections, or to decide if they need to examine them further. They also can be used to indicate trusted IP addresses to accept mail or connections.
There are many DNSbls with different criteria.
The spamcop.net DNSbl lists IP addresses that spam has been reported to originate from. It is aggressive, and may list real mail servers.
Some list only IP addresses that have been shown to be compromised and abused by spammers. Others list IP addresses that are known to be controlled by spammers.
These are known as conservative DNSbls.
And some list IP addresses that are DHCP assigned. These are known as Dynamic lists and sometimes DIALUP lists. Many mail servers will not accept e-mail from these addresses.
There are also DNSbls that list all IP addresses for specific ISP's and countries.
Use of conservative DNSbls can block over 80% of the incoming spam, usually without any real e-mail being rejected unless the sender's mail server has a severe security problem. Adding a good DHCP blocking list to that can eliminate most of the remaining spam with a very small chance of rejecting a real e-mail.
An aggressive DNSbl can be used to indicate if additional tests should be done on an incoming e-mail to see if it is spam or real e-mail.
Also see rDNS
Links to other definitions of DNSbl
Domain names have an important role in Internet traffic. They provide a straightforward basis for contact with computers, websites and electronic mailboxes belonging to companies, other organizations and private individuals. Using a domain name, an Internet user can, for example, find the site belonging to a company and thus obtain information, view the company's catalogue, place an advertisement, perform a financial transaction, place an order or whatever. In short, domain names make the Internet usable.
Domain names are derived from the unique numbers that all computers on the Internet have. These numbers are known as IP (Internet Protocol) addresses and consist of figures only. Unfortunately, long numbers aren't very easy to remember, so it was decided to use a system whereby you can have a name that corresponds to an IP address. The Internet uses what are known as "domain name servers" to look up the numbers (IP addresses) that these names correspond to. Every domain name is made up of at least two elements. The last element of the name is called the top-level domain. Country code top-level domain names refer to countries; so, for example, there is ".nl" for the Netherlands, ".be" for Belgium and ".de" for Germany (Deutschland).
Not all top-level domain names relate to countries, however. The most commonly seen top-level domains were agreed upon as an aid to identify the type of site you were going to visit. These include ".com" for commercial, ".org" for organization, ".edu" for educational, ".net" for network, ".gov" for government. Recent additions include '.info' for informational and '.biz' for business. However, it must be noted that spammers and hucksters have managed to further muddy the waters that these 'identifying' names were supposed to represent.
The item in front of the top-level domain name is usually the company/personal/entity name of the folks behind the web-site.
The "www:" in front of all of this is also (mostly) a convenience, letting the user know that this is a web site normally accessed via a web-browser using HTTP (HyperText Transfer Protocol) .. You may also see "ftp:" (File Transfer Protocol) or "news:" (Network News Transfer Protocol)
Items seen between the first "protocol" bit and the company/personal/entity name are basically there to guide you to a certain/specific area that is hosted by the folks behind the name. Items seen after the Top-level Domain name (separated by a "/") will take you to a specific web-page on that hosted web-site.
Alternative (somewhat overlapping but complementary) definitions:
- A situation wherein a server is "hosted" on some sort of a botnet of disparate (and undoubtedly unknowing) machines. This makes it difficult to resolve and, once it does resolve, the SpamCop parser usually only picks on the first of the rotating roster of addresses.
- Generally, the spammer hosts DNS records on compromised computers using a very short time-to-live number. The SpamCop parser may hit one time when there is something actually found at the IP Address found at the time of its DNS look-up, other times it will hit a cached record but the actual payload has already moved.
Flaming is the act of posting messages that are deliberately hostile and insulting. It will not be tolerated in the SpamCop Forums with the possible exception of the Lounge, but even there limits do exist.
Differences of opinion are not flaming and are fully welcome here. All we ask is that you follow standard Netiquette. For a more detailed definition see Wikipedia:Flaming
Formmail.pl, one of the most-used perl scripts on the Web, is designed to send data entered into a Web form to an e-mail address. This script could be exploited by a malicious user who could use FormMail as a spam server. If you use this script, spammers may be able to use it to send spam freely using your server's resources.
A paper (long) explaining the FormMail vulnerability is available at http://www.city-fan.org/ftp/contrib/websrv...il-advisory.pdf
Note this is a January 2002 document referencing FormMail 1.9
Also see formmail vulnerability tester [at] http://www.monkeys.com/formmailer/ftest1a.html
Version: 1.92 - Released: April 21, 2002 see: http://www.scriptarchive.com/formmail.html
Also see The nms Project for current versions of FormMail
The opposite of spam, i.e. regular email
A server that is set up to trick an intruder. Located either outside or inside the firewall, it is designed to let crackers think they are in a production machine. The applications running in the honeypot are set up similar to a normal server except that the data being processed is phony.
The honeypot is used to detect intruder's techniques as well as determine what may be vulnerable in the configuration of servers that are performing valid work. A "honeynet" is a network containing honeypots. A "virtual honeynet" is a honeynet that resides in a single server, but pretends to be a full network.
See entry in The Jargon File for additional meanings and usages of the term.
HyperText Markup Language (HTML) is the most common language of the World Wide Web (WWW). It can be used for formatting purposes in both the SpamCop Forums as well as the SpamCop Wiki, but its use has been limited due to abuses.
In the forums, it has been limited to use within the FAQ related forums only, and further limited to use by only those who have previously shown an interest and ability in working on expanding and/or improving the current SpamCop FAQ.
Note: the primary language for formatting within the SpamCop Forums is BB code, which is open to use by all registered users.
In the Wiki it can be used by any registered user but the language itself has been reduced to a "safe" set of commands.
HyperText Transfer Protocol - The protocol for moving hypertext files across the Internet. Requires an HTTP client program on one end, and an HTTP server program on the other end. HTTP is the most important protocol used in the World Wide Web.
A HyperLink is a clickable link to another page, document or other resource.
See http://en.wikipedia.org/wiki/Hyperlink for more information
Internet Message Access Protocol (IMAP) is one of the major email protocols along with SMTP and POP3 and belongs to the application layer of the Internet protocol suite.
It is one of the three (four, if you count forwarding) methods for retrieving messages from a SpamCop Email Account. The other two are POP3 and WebMail. You need a local email client to make use of IMAP. Unlike POP3 which will download all unread mail to your local email client, IMAP allows for direct access of your mail on the mail server permitting selective downloading of your messages and also allows for easy moving of messages between different email servers and accounts.
It can also be used in conjunction with the VER interface to make use of the additional reporting options only available with a SpamCop Email Account.
Innocent Bystander (IB)
An Innocent Bystander (IB) is a URL or URI that is present in spam but is not authorized for such use by its owner.
Spammers will put 'innocent' URLs in their spam to make it look legitimate, for instance references to news articles or government web pages. Other examples include the mandatory advertising placed at the bottom of email messages in footers by free webmail companies and by antivirus software*. In the case of phishing email, nearly all links will be stolen from the Innocent Bystander.
An attempted Report of a URL or URI that is marked as an Innocent Bystander will be met with "ISP does not wish to receive report regarding [the Innocent Bystander]" and possibly "ISP does not wish to receive reports regarding [the Innocent Bystander] - no date available".
Please see Once I close a spammer's account, how can I prevent others reporting it? for how an ISP can mark a URL as an Innocent Bystander.
*Opinion: It is understood that free webmail companies need to recoup their investments via footer advertising. However, paid antivirus software companies and paid ISPs are attempting to double-dip (unless they make it very clear in advance to their customers that their prices are significantly lower due to their footer advertising schemes, and give their customers options to pay higher prices for advertising-free products).
An IP is an "Internet Protocol" implementing lower layers of the ISO 7-layer model for purpose of communication.
An "IP address" is something different, and having people call it "an IP" only harms communication.
Each device connected to a network, be it a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet, has an assigned unique IP (Internet Protocol) Address which identifies that specific device to the rest of the network. For example, Show me my IP Address will take a look at "your" computer and list the address of "your" system. (If you are using a modem to dial into your ISP, this number will likely change at every connection ... cable and DSL modems may have the same address for quite a while.) Your ISP has a pool of IP Addresses; some are used to provide their customers with a unique address when on-line, others the ISP uses itself for things like running an e-mail server to handle all the incoming/outgoing e-mail for their customers. (NOTE: the above is very simplified. If/when all the other techy stuff gets added, this block will be revisited and a bunch of items will be added, like "See TCP/IP, Network Protocols, Proxy, etc.")
For more info:
IPv4 (Internet Protocol version 4) defines the network level of the Internet Protocol on which today's internet is based. It defines an IP address as a 32-bit (4 byte) address which can be written in a number of different ways. Trying to keep this simple, the reason you need to understand something about it is that SpamCop uses IP addresses as defined by IPv4 in its attempt to filter out spam from the internet.
IP addresses can be written in many different forms, but the one used exclusively by SpamCop is the Dot-decimal notation. All addresses fall within the range of 0.0.0.0 to 255.255.255.255.
The addresses that are most important to SpamCop are the IP Addresses of the Mail Server(s) used to send/receive email. Without knowing the specific IP addresses involved in handling your email, it is impossible to know why your mail may not be getting to its intended destination.
The number of unassigned Internet addresses, based on IPv4 is running out, so a new classless scheme called CIDR is gradually replacing the system based on classes A, B, and C and is tied to adoption of IPv6 (Internet Protocol version 6).
For more information see: Wikipedia:IPv4
IPv6 (Internet Protocol version 6) was created to deal with the address shortage under IPv4 and allows for a near unlimited supply. It is currently in use in the internet but only represents a very small amount of today's traffic. SpamCop currently does not work with IPv6 addresses which are normally written as eight groups of four hexadecimal digits. IPv6 addresses are 128 bits long compared to the 16 bit addresses of IPv4.
For more information see: Wikipedia:IPv6
Internet Service Provider .... the company you are giving your money to that lets you then connect to the Internet, send and receive e-mail, interact with some strange people, check the weather without having to get out of bed .. all those important things
Definition 2 of the noun "jargon" per Merriam-Webster is "the technical terminology or characteristic idiom of a special activity or group". In the case of this Glossary (which attempts to explain SpamCop Jargon), the special activity is spam-fighting via SpamCop, and the group is spam-fighters or anti-spammers who use SpamCop. For more generic computer or hacker jargon, please see The Jargon File.
1. A "joe job" is a spam run forged to appear to come from another innocent party, with the intention of generating complaints about the victim and damaging their reputation.
2. A Joe job is an e-mail spam designed to tarnish the reputation of an innocent third party. Despite having existed since at least 1996, Joe jobs are uncommon compared to other types of spam because they provide no commercial benefit to the Joe jobber.
3. A "joe job" is something far above and distinct from the all too typical spammer construct of a "From" Address Forgery.
For more info:
Why am I getting all these bounces?
Spammers use List Washing as a method of removing "trouble makers" (those who have filed formal complaints) from their mailing list. This generally does not include those who have simply sent an unsubscribe request. Spammers use unsubscribe requests as a means to validate their mailing list and to create additional lists of addresses that are known to open and read spam messages. These lists are considered extremely valuable to spammers who sell the list as validated email addresses.
Responsible list managers may use the process of list washing but the term should not be used in this context. List maintenance, merger/purge are better terms to use when talking about responsible list management where all unsubscribe requests are promptly processed and addresses are not added until they have been positively confirmed. The process can also be used to fine tune their lists for the specific needs or desires of their clients/subscribers.
Due to file space limitations, the glossary has been broken up into multiple posts.
See post #2 for next section of the Glossary
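The layered filtering order described in the Content filter and DNSbl entries above (conservative lists reject outright, aggressive lists or a failed rDNS check only decide whether message links get checked), written out as an added example that is not part of the original glossary. The zone names, the sample addresses, the function names and the constructed DNS table are assumptions, as are the choices to take link IPs as already resolved and to check them against the conservative zones.

```python
"""Layered DNSbl policy (added example; zone names and DNS data are constructed)."""
import ipaddress
import socket

# Hypothetical zones: substitute the lists your mail server really uses.
CONSERVATIVE = ("conservative.dnsbl.example", "dynamic.dnsbl.example")
AGGRESSIVE = ("aggressive.dnsbl.example",)
LISTED_NET = ipaddress.IPv4Network("127.0.0.0/8")  # answers here mean "listed"


def dnsbl_query_name(ip, zone):
    """192.0.2.10 + zone -> 10.2.0.192.<zone> (octets reversed, zone appended)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def system_resolve(name):
    """Live A-record lookup; a name that does not resolve means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def is_listed(ip, zones, resolve):
    """True if any zone answers for this IP with an address in 127.0.0.0/8."""
    for zone in zones:
        for answer in resolve(dnsbl_query_name(ip, zone)):
            if ipaddress.IPv4Address(answer) in LISTED_NET:
                return True
    return False


def decide(client_ip, rdns_ok, link_ips, resolve=system_resolve):
    """Return (action, reason) for one incoming message.

    client_ip: address of the connecting mail server
    rdns_ok:   result of the site's strict rDNS check (computed elsewhere)
    link_ips:  IP addresses the message's web links resolve to
    """
    # Stage 1: conservative and dynamic lists. Refuse during the SMTP
    # dialogue so any bounce is generated by the sending server.
    if is_listed(client_ip, CONSERVATIVE, resolve):
        return ("reject", "client on conservative DNSbl")
    # Stage 2: aggressive tests only decide whether to look deeper.
    suspicious = (not rdns_ok) or is_listed(client_ip, AGGRESSIVE, resolve)
    if not suspicious:
        # Links are deliberately not checked here, so legitimate mail that
        # discusses spam and quotes its URLs is not caught.
        return ("accept", "passed aggressive tests; links not checked")
    # Stage 3: link check, reached only by mail that failed stage 2.
    for ip in link_ips:
        if is_listed(ip, CONSERVATIVE, resolve):
            return ("reject", "link target %s on DNSbl" % ip)
    return ("accept", "failed aggressive tests but links are clean")


# Constructed DNS data standing in for real DNSbl zones (documentation ranges).
FAKE_DNS = {
    "10.2.0.192.conservative.dnsbl.example": ["127.0.0.2"],  # known spam source
    "5.113.0.203.conservative.dnsbl.example": ["127.0.0.2"],  # spamvertised host
    "20.100.51.198.aggressive.dnsbl.example": ["127.0.0.2"],  # reported server
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", True, []),                 # listed sender
        ("198.51.100.7", True, ["203.0.113.5"]),  # clean sender quoting a spam URL
        ("198.51.100.20", True, ["203.0.113.5"]), # aggressive hit + listed link
        ("198.51.100.7", False, ["203.0.113.5"]), # rDNS failure + listed link
    ]
    for case in cases:
        print(case, "->", decide(*case, resolve=fake_resolve))
```

Passing `fake_resolve` keeps the run offline; leaving `resolve` at its default performs live DNS queries against whatever zones are configured.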