Posts posted by Jeff G.

  1. snaller, I just used the Parser to parse just that URL twice. The first time, it couldn't resolve the IP Address, and the second time, it could resolve it and offered shengjun.zheng<at>fibrlink.net and wei.deng<at>fibrlink.com as reporting email addresses for IP Address 210.72.224.49. In my experience troubleshooting this particular issue, parsing just the URL independently until the Parser resolves the IP Address helps to increase the likelihood that parsing a spam that includes the URL will include resolution of the IP Address. Perhaps this is because parsing of individual URLs uses a longer timeout or a different algorithm or source for dns resolution, and parsing of spams relies in part on the cached results of the parsing of individual emails, and it may also depend on which servers in the farm you hit.

  2. Link analysis is performed by the SpamCop Parser, part of the SpamCop Parsing and Reporting Service.

    Finding links in message body is the first step of the process. The Parser steps through the body (if any) and each attachment that could contain a link (if any). It skips attachments that contain images and will reduce redundant links as necessary. It doesn't actually display the links it found in this step. It sometimes fails to find links that are really there - refreshing usually helps.

    Resolving link obfuscation is the middle step of the process. The Parser displays each link it found, followed by any deobfuscation that is necessary, followed by the IP Address of the link's host (a lookup of the A DNS Record), followed by the canonical name of that IP Address (a lookup of the PTR DNS Record). It frequently fails to start looking up the IP Address - refreshing usually helps. It also sometimes fails to resolve the IP Address, especially with the domains of spammers who are playing fast and loose with the Domain Name System, producing "ip not found" and "discarded as fake." messages - refreshing usually helps, and parsing the URL only in a separate browser window usually helps in stubborn cases when refreshing hasn't been helping.

    Tracking link is the final step of the process. The Parser again displays each link it found and was able to resolve (deobfuscated if necessary), again followed by the IP Address, and then the email addresses in the whois lookups of that IP Address from cache or (if the cached entry is stale or nonexistent) from ARIN and other appropriate Registries (there is currently a known issue with lookups of contacts at APNIC), followed by the abuse.net lookups of those email addresses (if those addresses are for role accounts), and finally a list of best contacts. It sometimes fails to start this step - refreshing usually helps. If it fails to resolve the IP Address, it displays a "Cannot resolve" message.

    Please make sure this email IS spam: indicates the end of the link analysis process.

    If you get tired of refreshing, please send a Manual Report for the URL(s).

    I believe all the failures described above are known issues, I just wanted to document them in one Topic.

    See also: SpamCop reporting of spamvertized URLs and a contribution from Don in that Topic.

    Edit: 2005/07/01 23:13 EDT -0400 Jeff G. added messages and Manual Report. Also added APNIC, toned down the rhetoric, and added " (if those addresses are for role accounts)".

    Edit: 2005/10/29 18:44 EDT -0400 Jeff G. added references to SpamCop reporting of spamvertized URLs and a contribution from Don in that Topic.
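The first two steps described in the post above (finding links, then resolving them with retries), sketched as an added example; it is not SpamCop's Parser code and not part of the original post. The function names, the sample body and the stub resolver are constructed for illustration, and the whois contact step is left out.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

def find_links(body):
    """Step 1: collect http(s) links in order, dropping redundant ones."""
    links = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)")  # trailing sentence punctuation
        if url not in links:
            links.append(url)
    return links

def deobfuscate_host(url):
    """Step 2a: the host actually contacted. urlsplit() discards a decoy
    "user@" prefix; an all-digit host is an IPv4 address written as one integer."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.isascii() and host.isdigit() and int(host) < 2**32:
        host = str(ipaddress.IPv4Address(int(host)))
    return host

def resolve(host, lookup_a, lookup_ptr, attempts):
    """Step 2b: A lookup, retried on failure, then a PTR lookup."""
    try:
        ip = str(ipaddress.ip_address(host))  # host is already an IP literal
    except ValueError:
        ip = None
    for _ in range(attempts):
        if ip is not None:
            break
        try:
            ip = lookup_a(host)
        except OSError:  # socket.gaierror and socket.herror are OSErrors
            pass
    if ip is None:
        return None, None
    try:
        return ip, lookup_ptr(ip)
    except OSError:
        return ip, None

def analyze(body, lookup_a=socket.gethostbyname,
            lookup_ptr=lambda ip: socket.gethostbyaddr(ip)[0], attempts=3):
    """Run both steps; one report row per distinct link."""
    rows = []
    for url in find_links(body):
        host = deobfuscate_host(url)
        ip, ptr = resolve(host, lookup_a, lookup_ptr, attempts)
        rows.append({"link": url, "host": host, "ip": ip, "ptr": ptr,
                     "status": "resolved" if ip else "ip not found"})
    return rows

# Constructed sample body and stub DNS data (reserved example names/addresses).
SAMPLE_BODY = ("Click http://shop.example/offer now!\n"
               "Again: http://shop.example/offer\n"
               "Login at http://www.bank.example@3405803781/login\n"
               "See http://gone.example/x.\n")

def flaky_stub():
    """Stub resolver: the first A lookup of every host fails, later ones work."""
    a = {"shop.example": "198.51.100.7"}
    ptr = {"198.51.100.7": "host7.isp.example"}
    tried = set()
    def lookup_a(host):
        if host not in tried or host not in a:
            tried.add(host)
            raise socket.gaierror("lookup failed")
        return a[host]
    def lookup_ptr(ip):
        if ip not in ptr:
            raise socket.herror("no PTR record")
        return ptr[ip]
    return lookup_a, lookup_ptr

if __name__ == "__main__":
    for row in analyze(SAMPLE_BODY, *flaky_stub()):
        print(row)
```

With `attempts=1` the first link comes back as "ip not found", which is the single-pass failure the post says a refresh usually clears.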

  3. Via email:

    Submitting spam for reporting via email is covered in general at SpamCop.net - SpamCop FAQ: How do I submit spam via email?

    If you forward the spam to SpamCop (using your submit email address to SpamCop), make sure you forward it as an attachment. Forwarding inline will strip out all the headers from the original spam and make your report worthless. Configure your email client to forward as attachment. That way, the attached file will be the original message with the headers included. Typical problems with submitting via email are covered by E-Mail spam submittals blocked by your ISP? and Emailed spam Submissions Disappearing? No Confirmation e-mails?.

    If you forward the spam as an attachment, you have to wait for SpamCop to send back a submission reply email which provides a link for you to click on to get to the parser and submit page. If you have spam filtering enabled in your Hotmail or other account, you might have to whitelist emails coming from SpamCop.

    If you submit via email and you don't want to wait for the submission reply email to show up in your email account, you can click on "Report Now" above the web form. If you click both "Report Now" and the Tracking URL in the submission reply email for the same submission, you will get "Would send" and "If reported today, reports would be sent to:" messages.

    Via the web form:

    The web form is typically located at http://www.spamcop.net/, http://members.spamcop.net/, or http://mailsc.spamcop.net/ after you login, depending on the type of account you have.

    If you use the web form to copy/paste in the spam message, you need to see ALL of the headers. SpamCop.net - SpamCop FAQ: How do I get my email program to reveal the full, unmodified email? covers how to do that. In addition to that FAQ entry's subsection SpamCop.net - SpamCop FAQ: Hotmail, please note that MSN Hotmail doesn't have a toggle option to let you switch between a normal view and a view showing all the headers. You'll need to go into your global options to configure your Hotmail account to show ALL headers. However, whether spam or not, you'll then see all the headers for every e-mail that you view. Yahoo! has a per-message toggle that lets you switch between normal and all-header view but Hotmail does not (except as a global option).

    If you use the web form, the parsing is immediate and you get the parse page with the option to send your report (which gets sent from an email address composed of the Report ID Number and hostname on the SpamCop.net domain, not from your email address). That eliminates the delay in waiting to get the submission response email from SpamCop (which gets lower priority and may take several minutes to arrive). However, the trade-off is the nuisance of having to copy the headers, paste them, and then copy the body and paste that (and you should be copying the HTML code for an HTML-formatted message, not the rendered version of the spam).

    Acknowledgement:

    The vast majority of the preceding was written by Vanguard in Re: How do I submit my spam to spamcop?.

  4. The following is from the Blacklists / Blacklist Filters page, in its secure and insecure forms, modified in form for posting here:

    Select the DNS Zone blacklists you want to use. DNS blacklists are used by SpamCop to identify possible spamming IP addresses or misconfigured mail relays. Only the SpamCop blacklist is run by SpamCop. All others are run by independent third parties with no connection to SpamCop and have their own criteria for who to list. The default selection is to query only the SpamCop list. To potentially stop even more spam, try one or more of the other lists. The more lists you use, the higher the potential that legitimate email will be blocked.
    
    DNS Blacklist              DNS Zone                  Website
    -------------              --------                  -------
    SpamCop Blacklist          bl.spamcop.net            www.spamcop.net/bl.shtml
    SPEWS level 1              l1.spews.dnsbl.sorbs.net  www.spews.org
    DSBL open relays           list.dsbl.org             dsbl.org
    Spamhaus Blacklist         sbl.spamhaus.org          www.spamhaus.org/sbl/
    South Korea (the country)  korea.services.net        korea.services.net
    China (the country)        cn.rbl.cluecentral.net    www.cluecentral.net/rbl/
    Nigeria                    nigeria.blackholes.us     www.blackholes.us
    Argentina                  argentina.blackholes.us   www.blackholes.us
    Brazil                     brazil.blackholes.us      www.blackholes.us
    Composite Blocking List    cbl.abuseat.org           cbl.abuseat.org
    Spamhaus XBL               xbl.spamhaus.org          www.spamhaus.org/xbl/
    SORBS DNSbl                dnsbl.sorbs.net           www.dnsbl.sorbs.net

    I am using all the blacklists except South Korea (korea.services.net, only because I can't whitelist bigfoot.com's mailservers in that country).

  5. Simply click the Add/Change link below and follow the instructions.

    Sorry, there is no such link for users strictly following those directions.
    For users using their SpamCop email exclusively, the process is even easier - it is already done (visiting this page has activated it!).

    Sorry, the process is no longer "already done" as described in the quote above.
  6. [The following is quoted from Edit mailhost configuration, but you should use your own "Mailhosts" link because it is coded with your own Authorization Code.]

    Mailhost configuration

    SpamCop has undergone a major renovation to the underlying logic which it uses to determine spam sources. Eventually, all SpamCop users will be required to use this new system, completing additional setup steps. Some "unique" users may not be able to report all the spam they have in the past.

    Why? This is being done because of ongoing problems - spammers have finally begun doing what we have known they could do all along - create really convincing mail header forgeries. These forgeries make SpamCop think spam is being sent from innocent sites where it is actually not. Clearly, this must be stopped. Currently, only a few spam forgeries cause serious problems for SpamCop, but if this problem is not solved, it will become much worse. Even now, a few mis-identified innocent sites are a big problem. This system promises to eliminate the forgery problem forever, while also avoiding problems caused by other less-drastic attempts to mitigate the forgeries. However, it does require more involvement from SpamCop users.

    When? For now, this new system is optional. You may choose to use it or not. However, users are encouraged to start using it immediately. Once we have some feedback from users, and have addressed the most serious problems, it will become mandatory for all users. In the future, we may make other changes which will make reporting spam easier. For example, if we can be sure there are no errors, we may be able to dispense with additional user confirmation when spam is submitted. [Quick Reporting]

    How? For users with only one email address, the process is easy. Simply click the Add/Change link below and follow the instructions. For users using their SpamCop email exclusively, the process is even easier - it is already done (visiting this page has activated it!). Note that if you forward SpamCop email into or from the SpamCop system, you still have to configure the other accounts involved.

    For users with multiple accounts, the procedure is slightly more difficult. For example, a user with two forwarding addresses configured to forward to one email account should first configure the main account, then configure each of the forwarding accounts:

    forwarding_diagram.gif

    In example 1, Account C should be configured first, then B and then A. In example 2, Account C should be configured first, followed by A and B in no particular order. Accounts should be configured in reverse order of email delivery. That is, if an email is received first at address A, then that account should be the last to be configured with SpamCop.

    Warning: If you use this new system, you must complete the configuration process for all accounts where you receive spam. If you fail to complete the configuration for one of your legitimate mail hosts, you may cause SpamCop to attribute spam to it. Once you begin the migration process, do not report any more spam until it is complete. For now, there is an option to revert away from this new system. However, users are urged to try the new system and post problems in the forum rather than reverting. At least, do not do both - reverting your account will make it more difficult for us to diagnose problems.

  7. This Scorecard lists Service Providers that provide Authenticated SMTP Services (linked to their main website URLs), Mitigating Objective Facts (linked to the sources of those facts), and Subjective Comments. Additions and comments are welcome.

    SpamCop.Net ("Leave the SMTP server set up with the server your ISP provides." and "No, sorry, we don't."): Sorry, not offered.

    MochaMail ("New Accounts Coming Soon!"): Works well with no perceived limitations.

    MailAndNews.com ("At this time we are not accepting new accounts."): Reliability problems but no perceived limitations.

    MyRealBox ("The MyRealBox system will continue to no longer accept new accounts at this time." within "MRB News" halfway down the page): Reliability problems but no perceived limitations.

    DynDNS.org MailHop Outbound (Minimum $14.95 for the first year and $9.95 for additional years at 150 Relays Per Day): I haven't tried it.

    Yahoo! (Minimum $19.95/year for "POP Access & Forwarding"): May require POP before SMTP instead of Authenticated SMTP.

    Yahoo! UK & Ireland (Free via smtp.mail.yahoo.com or smtp.mail.yahoo.co.uk after signing up for "POP Access & Forwarding"): Works, but recently added a little text advertising at the end of the body. For instance:

     

    ___________________________________________________________

    How much free photo storage do you get? Store your holiday

    snaps for FREE with Yahoo! Photos http://uk.photos.yahoo.com

    Gmail (A beta service of Google, free via smtp.gmail.com using SSL Port 465, subject to caveats and requiring an invitation): Works well so far...

    Revision History:

    v1.00 by Jeff G. - Initial Release

    v1.01 by Jeff G. 2004/03/08 13:24 EST - Added SpamCop and respaced

    v1.02 by Jeff G. 2004/03/08 16:10 EST - Added Yahoo!

    v1.03 by Jeff G. 2005/05/31 10:18 EDT - Added Gmail and made a minor grammar correction

    v1.04 by Jeff G. 2005/07/15 08:48 EDT - Updated Yahoo! UK with ads

  8. can we SpamCop Email System Customers please get an optional filter for password-protected .ZIP files?
    you just have to make Spamcop POP your Emails. - Those go through a different AV-System deleting everything it is unable to scan :D

    I'd need lots more than ten slots to make that happen, and they wouldn't cover the following:

    • email sent directly to my spamcop.net account
    • email sent through strict forwarders, like bigfoot, sneakemail, and spammotel
    • email forwarded through systems that are too messed up to allow changes, like mailandnews

  9. Julian's explanation at http://forum.spamcop.net/forums/index.php?...st=0entry1904 was as follows:

    I have discussed this problem with ATT's tier-2 DNS support for business customers (very nice, responsive, professional folks). They are intentionally blocking the spamcop list queries - supposedly because of the extra load on their main DNS servers causing problems for other non-list-using customers. While I think that reasoning is lame, I respect their decision. Perhaps if they get enough complaints, they'll change the policy.

    They provide other DNS servers which don't include this "feature" but ask that their customers contact them directly for the correct IPs. I have created a new FAQ with this information.

    Having said all that, I think JeffG cuts to the chase with that list of alternate IPs. ATT reps have asked that I not publish that information in the FAQ (so that only ATT customers will use it).

    -=Julian=-

    The FAQ URL:

    http://www.spamcop.net/fom-serve/cache/375.html

    This is not mirrored as I write, so here's the content:

    Q: Why can't I get to the blocking list from ATT's network?

    A: ATT's business networks DNS department has decided to block DNS requests for the SpamCop blocking list, as well as other popular DNS-based lists, because of the extra load on their servers.

    They do however provide a workaround for their customers. If you are an ATT business customer, you can contact ATT for information on secondary DNS servers which don't prevent the use of DNS-based lists.

    Visit ATT's DNS page (https://mis-att.bus.att.com/mys/dns_res_terms.html) or call 888-613-6330 (option 3,1) for more details. You will be asked to prove you are an ATT business customer.
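An added example (not from the post or from SpamCop) of why a resolver that blocks blocklist queries, as described above, matters to a mail filter: a blocked lookup can look identical to "not listed". It builds the query name for a zone from the Blacklists table earlier on this page and self-tests the zone with the RFC 5782 test entries (127.0.0.2 listed, 127.0.0.1 not listed) before trusting a negative answer. How ATT's servers refused the queries is not stated on the page, so the three stub resolvers are assumptions, and all records are constructed.

```python
import ipaddress
import socket

LISTED, NOT_LISTED, FAILED = "listed", "not listed", "lookup failed"
UNUSABLE = "zone unusable"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_name(ip, zone):
    """DNSBL query name: the IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_lookup(name):
    """A records from the system resolver; an empty list means no such name.
    Assumes the platform reports NXDOMAIN as EAI_NONAME."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return []
        raise
    return sorted({info[4][0] for info in infos})

def check(ip, zone, lookup):
    """One query, with no judgement about whether the answer can be trusted."""
    try:
        answers = lookup(dnsbl_name(ip, zone))
    except OSError:
        return FAILED
    if not answers:
        return NOT_LISTED
    if all(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return LISTED
    return FAILED  # answer outside 127.0.0.0/8: the reply was rewritten

def zone_usable(zone, lookup):
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not."""
    return (check("127.0.0.2", zone, lookup) == LISTED
            and check("127.0.0.1", zone, lookup) == NOT_LISTED)

def screen(ip, zones, lookup=system_lookup):
    """Per-zone verdict; a zone that fails its self-test is never 'not listed'."""
    return {z: check(ip, z, lookup) if zone_usable(z, lookup) else UNUSABLE
            for z in zones}

# Constructed stub resolvers; the records are sample data, not real listings.
def stub(records=None, fail=False, rewrite=None):
    def lookup(name):
        if fail:
            raise TimeoutError(name)
        return (records or {}).get(name, [rewrite] if rewrite else [])
    return lookup

HONEST = stub({"2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
               "99.2.0.192.bl.spamcop.net": ["127.0.0.2"]})
NXDOMAIN_ALL = stub()                    # answers "no such name" to everything
TIMES_OUT = stub(fail=True)              # drops the queries
REWRITES = stub(rewrite="203.0.113.80")  # substitutes its own address

if __name__ == "__main__":
    for label, resolver in [("honest", HONEST), ("nxdomain", NXDOMAIN_ALL),
                            ("timeout", TIMES_OUT), ("rewrite", REWRITES)]:
        print(label, screen("192.0.2.99", ["bl.spamcop.net"], resolver))
```

Against the NXDOMAIN stub, a bare `check()` reports the sample address as "not listed"; only the self-test in `screen()` shows that the zone cannot be reached through that resolver.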

  10. Webmail:

    • Login to Webmail at https://webmail.spamcop.net or http://webmail.spamcop.net
    • In the top bar, all the way to the right, use the pull-down selector to select "INBOX".
    • Click the "Open Folder" Link.
    • Note that file attachments are limited to approximately 2Meg from this view, both up and down-loading.

    Forwarding:

    • Login to Webmail at https://webmail.spamcop.net or http://webmail.spamcop.net
    • Click the "Options" Link.
    • Under "Mail Management", click the "SpamCop Tools" Link.
    • Click on the "Select your email forwarding, change your password or mail reports." Link.
    • In the second section, "Forwarding Address", enter the address you wish to forward to. There is no "keep a copy" functionality. PLEASE DO NOT FORWARD TO YOUR SPAMCOP.NET ACCOUNT!
    • Click the "Submit" Button.

    POPping using the POP3 Protocol via Standard Port 110 or via SSL Port 995:

    • POP3 Server: pop.spamcop.net
    • Username or Account name: Your full SpamCop Userid (including [at]spamcop.net, [at]cesmail.net, or [at]cqmail.net)
    • Password: Your SpamCop Password

    IMAPping using the IMAP4 Protocol via Standard Port 143 or via SSL Port 993:

    • IMAP Server: imap.spamcop.net
    • Username or Account name: Your full SpamCop Userid (including [at]spamcop.net, [at]cesmail.net, or [at]cqmail.net)
    • Password: Your SpamCop Password
    • OE Sent Items path: sent-mail
    • OE Drafts path: Drafts

    Edit: 2005/05/11 01:23 EDT by Jeff G. - corrected nonexistent hostname webmails.spamcop.net and added SSL Ports.

  11. Jeff G.'s Guide to SpamCop Quick Reporting

    Requirements:

    1. A functional SpamCop Mail account (assumed to be LOGON[at]spamcop.net - substitute with LOGON[at]cesmail.net if appropriate)

    2. A PC or emulator running Microsoft Windows with a working mouse

    3. An installed copy of Microsoft Outlook (configured for IMAP, not Microsoft Exchange) or Outlook Express (hereinafter "OE"), containing an email which is spam that you wish to report

    4. Internet access

    Steps:

    1. Print out these instructions so that you can refer to them while your PC is otherwise occupied.

    2. Configure OE to use your SpamCop account via IMAP, connecting to IMAP Server imap.spamcop.net using your SpamCop LOGON[at]spamcop.net and PASSWORD. See "Jeff G.'s Guide to accessing SpamCop email using OE and IMAP" at http://forum.spamcop.net/forums/index.php?showtopic=87 for more info on this.

    3. Make sure that you use a View Layout that shows your Folder List and your emails.

    4. Make sure that you can see your "Held Mail" Folder in your Folder List. You may have to hit the "+" next to "Inbox" in order to see it.

    5. Find an email which is spam, has not been reported yet, and is no more than three days old. If you can't see your "Held Mail" Folder in your Folder List any more, use the scrollbar on your Folder List to view your "Held Mail" Folder in your Folder List, but DO NOT CLICK ON YOUR "Held Mail" FOLDER because then you will not be able to see your email which is spam.

    6. Position your mouse pointer over that email (anywhere on that line should do). (Optional: use Shift+Click and/or Ctrl+Click to select more than one spam.)

    7. Hold down your left mouse button over that email (or one of multiple emails).

    8. Move your mouse pointer to your "Held Mail" Folder. Your "Held Mail" Folder should be highlighted and your mouse pointer should have changed from a "DO NOT ENTER" symbol to a normal mouse cursor symbol with a little gray-bordered box below it and to its right. This action is called "dragging".

    9. Let go of your left mouse button. This action is called "dropping". The mail should now move to your "Held Mail" Folder. (Optional substitute for Steps 7-9: Right-Click on the email(s), select "Move to Folder...", select your "Held Mail" Folder, and click "OK".)

    10a. If you are using Webmail, open your "Held Mail" Folder. It should show the spam you dropped in step 9 above. You may need to "Refresh" in order to see the spam you dropped.

    10b. If you are using a web browser to access your Very Easy Reporting (VER) screen (also known as the "report held spam" screen or the "Held Mail Log" screen, which is no longer being developed) via <http://LOGON%40spamcop.net:PASSWORD[at]mailsc.spamcop.net/reportheld?action=heldlog> (or clicking on "Held Mail" at the top of almost any screen at http://mailsc.spamcop.net), that screen should show the spam you dropped in step 9 above. You may need to "Refresh" in order to see the spam you dropped.

    11a. If you are using Webmail, check the boxes for all the spam in your "Held Mail" Folder. If it is all spam, you can use the checkbox in the top left corner of the matrix (under "Delete") or use its shortcut Alt+K to check all. Please note that this Select All Keyboard Shortcut was only changed to Alt+K in the "Held Mail" mailbox/Folder - it is still Alt+N in all other mailboxes/Folders.

    11b. If you are using the VER screen, select the appropriate Action from the drop-down listbox "-- Select Action --". In this particular case, the Action should include either "report" or "Queue for reporting".

    12a. If you are using Webmail, click the "Report as spam" link or use its shortcut Alt+E.

    12b. If you are using the VER screen, check the boxes for the emails to which you wish to apply that Action. If it is all spam, click "Check All".

    13. If you are using the VER screen, click the "Release / Delete selected messages" button to apply that Action.

    14. Wait for the results on the next screen - if you get a timeout error, go "Back" in your web browser, "Refresh", and make sure your Action was applied. If it was not applied, go back to Step 11 above and try again.

    15. Use the "Purge" capability of OE to clean up your non-SpamCop mailbox (if necessary and appropriate).

    16. Review the following recommendation by Miss Betsy:

    If you do use Quick Reporting, be sure to look at the reports you get back just in case the parser hiccups so you can correct any errors.

    I went for months without ever having a problem. Then two weeks before Quick Reporting started, the parser timed out and named my ISP. It never happened again, but if it happened once, it could happen again. Also sometimes ISP's change things that cause the parser to stop and you are unaware of it until you see your ISP checked (or if using Quick Reporting, reported).

    I found reading the reports as tedious as reporting each spam so I would go with just reporting what you have time for (the newest first).

    Revision History:

    v1.02 by Jeff G., 2004/01/17 20:17 EST

    v1.03 by Jeff G., 2004/01/19 02:24 EST shortened Guide names

    v1.04 by Jeff G., 2004/01/21 12:00 EST adjusted for VER's impending doom

    v1.05 by Jeff G., 2004/01/29 01:30 EST adjusted for web posting

    v1.06 by Jeff G., 2004/02/04 00:40 EST adjusted for doom removal

    v1.07 by Jeff G., 2004/02/25 14:19 EST Select All Keyboard Shortcut was changed from Alt+N to Alt+K.

    v1.08 by Jeff G., 2004/02/27 16:41 EST Added Miss Betsy's recommendation.

    v1.09 by Jeff G., 2005/05/13 09:28 EDT Expanded Select All Keyboard Shortcut Explanation and moved this Revision History to the end.

  12. Please also note that Yahoo! requires payment for the privilege of checking mail in this way.

    I don't think you'll find that Yahoo requires payment... I know they require payment for pop3 access, but I've opted not to pay, and spamcop is able to fetch my mail with no cost (just send a test message, which arrived with no problems).

    Malcolm

    I'm sorry, I was mistaken. Thanks for checking. I will correct the post.

  13. This is a Forum to help users with the SpamCop Reporting System. Questions about SpamCop Email should be directed to that forum (via this link which opens a new window), not this Forum. If your mail is being blocked, please read the pinned item Why Am I Blocked? FAQ, before posting anything. You will also need to provide the complete text of the error or bounce message, including the IP Address of the system being blocked, if you still feel the need to post your query.

    For questions concerning your submissions of spam to SpamCop, please provide a Tracking URL which is found at the top of the parsing page. Those lines in the parser output read as:

    spam Header

    Here is your TRACKING URL - it may be saved for future reference:

    http://www.spamcop.net/sc?id=z641303267z04...fef3b3d92488bfz

    Skip to Reports

    Copy the URL. If you have a question about whether or not to send a report, please cancel the report before posting in the forum.

  14. Proprietary ISPs MSN Hotmail, MSN, AOL, and Yahoo! are supported via a special gateway called PopGate. Please use the following configuration on the POP Configuration page at https://webmail.spamcop.net/horde/imp/spamcop/popconfig.php or http://webmail.spamcop.net/horde/imp/spamcop/popconfig.php for each of them:

    POP Server: popgate.cesmail.net

    Username: Email Address at that ISP (including [at]hotmail.com, [at]msn.com, [at]aol.com, or [at]yahoo.com)

    Password: Password for that Email Address

    Please note that AOL Users incur minutes for the privilege of checking mail in this way. If you are not on an unlimited plan, beware!

    Please also note that Yahoo! normally requires payment for the privilege of checking mail via POP, but this method is free.
