shull2805@spamcop.net

  1. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    Here is a follow-up in case anyone is interested. 2 days ago, I changed my SpamAssassin threshold from 2 to 1. Since then, I have had no spam forwarded from SpamCop to my Inbox. I gave away a new email address to an online vendor and they sent me a confirmation which was not held by SpamCop (I didn't want it to be held); it ended up in my Inbox. 1 email (a Microsoft newsletter) was held by SpamCop; I whitelisted and released it. I'm very happy with the current status quo. I can continue to use my catch-all account, I don't have to waste time reporting spam, whitelisting false positives isn't a big deal, and everybody who spams me gets reported. Best of all, when I go on the road and retrieve my email via my cell phone, I'm not paying by the minute to download spam. FWIW, I have 15 addresses on my whitelist. I see that a couple of them can be eliminated if I use wildcards in the address field.
  2. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    Wait a minute! You seem to imply that it's OK for SpamCop to pass spam on to my Inbox because I have a catch-all account. You have indicated that you are willing to tolerate a low number of false negatives. I would be as happy as you are if I had the same number of false negatives that you do. On a percentage basis, we probably still get approximately the same number of false negatives. But I get orders of magnitude more spam than you do, so the absolute number of false negatives hitting my Inbox is much higher than what you get. I acknowledge the fact that using a catch-all is the main reason that I get more spam than you. That's not the point.

    My point is that regardless of whether I use a catch-all, or even if I openly post my email address(es) everywhere for spammers to harvest them, SpamCop is not doing a thorough job of filtering out the spam. By only looking at the headers, it's ignoring a vital weapon in the war against spam. I willingly acknowledge that SpamCop does a very good job of catching incoming spam; it's taken header-only analysis to the state-of-the-art level. Maybe a 95% catch rate is as good as it can get for programs that only analyze email headers. But, I'm getting close to 3000 emails a day. How happy would YOU be if you had 150 spams in your Inbox each day?

    The spam reaching my Inbox has innocuous headers (or they wouldn't get past SpamCop). This spam has a little bit of random text, one or two URLs, and maybe an embedded .gif file. Unless SpamCop starts looking at these URLs, we might as well pack up and head home - the spammers are gonna win this one. I already have Bayesian software running on my email client that does a better job than SpamCop at figuring out whether incoming mail is spam or not. When I get the crap that passes through SpamCop, my email client redirects it to my junk mail folder.

    (In case you're asking, "If he's already got software that he says does a better job than SpamCop, why is he using SpamCop?", the answer is simple. I don't want to download 3000 spam emails. I don't want to download 150, either.) Am I being unreasonable in asking why SpamCop can't do a better job of figuring out what is spam and what isn't?
  3. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    Just went thru 914 held emails and batch reported the lot of 'em. Not one was legit. I don't have to "spend countless hours whitelisting everyone with whom I correspond". As mentioned previously, I'm running SpamAssassin at level 2, and I'll bet I have fewer than a dozen email addresses in my whitelist. Yet, there are hundreds of addresses that make it through just fine, primarily because they don't send emails that look enough like spam to upset SpamAssassin. Heck, yesterday, the spammers even managed to get 66 identical emails through without SA complaining.
  4. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    Not all of my legitimate correspondents have been added to the whitelist. I still get a lot of legitimate email from people who have never emailed me before. I can lose business if people get turned off by a challenge-response type system. I'm OK with forwarding email from new correspondents through SpamCop, but what's the point if SpamCop is just going to forward spam back to my Inbox? If SpamCop considered URLs that had been reported for spamvertising, this would be a moot point.
  5. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    Thanks for your suggestion regarding protecting my email address. While that will help prevent future address harvesting, I'm afraid after having that link on my website for over 10 years, the damage has already been done. And, yes, I am using a catch-all account, which does make things much worse. But despite whatever things I might have done to get myself into this predicament, SpamCop should be doing a better job of filtering out the spam. I'm really not experiencing any problems as a result of lowering my SpamAssassin threshold to 2. I had already whitelisted quite a few email addresses before I lowered the threshold. In fact, I'm thinking of lowering the threshold to 1, making the necessary additions to the whitelist, and using the whitelist to set up forwarding rules with my web host/email provider. Thanks again for your code snippet.
  6. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    My reports were sent to the web site admin because I manually submitted the spam for full reporting...after it had already passed thru SpamCop and ended up in my Inbox. My complaint has two parts: 1) Why does this stuff keep passing through SpamCop and ending up in my Inbox, and, 2) Even if I go to the trouble to do a full report, the SpamCop FAQ says it will not use Spamvertised websites as a determining factor as to whether a particular email is spam. So it appears that I am wasting my time reporting the spam that makes it to my Inbox.
  7. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    OK, I understand what's going on, but I disagree with the decision to ignore Spamvertised URLs. I just opened my client email software, and downloaded 66 almost identical spams. All were from "Online Pharmacy-Wholesale"<some fake email address>, all had a few lines of nonsense and a link to rxchoices4sure.net. I have been reporting the heck out of these folks for weeks, but their spam still passes through SpamCop. Here are some links to spam I just reported:

    http://www.spamcop.net/sc?id=z746873325z78...b8170839c3879az
    http://www.spamcop.net/sc?id=z746873326z77...af7422ffdfbd2dz
    http://www.spamcop.net/sc?id=z746873327zfc...f6581f533fbe85z
    http://www.spamcop.net/sc?id=z746873328z8f...7796048e43fb22z
    http://www.spamcop.net/sc?id=z746873329zea...82978f8ac6e017z

    Is there anything I can do to prevent this stuff from getting to my Inbox? Thanks!
  8. shull2805@spamcop.net

    URLs not reported

    Ref: http://www.spamcop.net/sc?id=z745018536zc1...a13408cb61eda4z I submitted this spam for full reporting, yet SpamCop did not want to send an email to the spamvertised web site's admin. What's up with that?
  9. shull2805@spamcop.net

    Thunderbird forward as attachment works @50%

    Wazoo, you had the problem pegged from the get-go. I hadn't heard anything lately either, so (erroneously) assumed the problem still existed. But I just forwarded a couple of spam from my Inbox to my submit address at SpamCop. No dangling 'X', no error messages saying the body of the email was missing, no problems at all. I'm a happy camper. Thanks to all who helped on this one. - Steve
  10. shull2805@spamcop.net

    Thunderbird forward as attachment works @50%

    Steven, I sent the following email to my Web Hosting /Email provider:

    >>Since the changeover to SmartMax/MailMax, I have been experiencing
    >>problems reporting spam to SpamCop. Basically, the automated parser
    >>says it is unable to locate the body in the email I forward for
    >>reporting. However, if you look at the complete message SpamCop
    >>received, the body is most definitely there.
    >>
    >>There is one thing that one of the SpamCop administrators commented on.
    >> The mail I forward to SpamCop has a bunch of X-Headers inserted just
    >>ahead of the Subject: line. Apparently, this is very unusual, although
    >>it does not violate RFC-822. I was wondering if there is anything you
    >>can do to change the insertion point for the X-Headers so they go in
    >>AFTER the Subject line.
    >>
    >>Ref:
    >>http://forum.spamcop.net/forums/index.php?showtopic=3622&view=findpost&p=25142

    I got a very interesting reply:

    The reason for this is because our server adds up X- headers for spam/virus scans, and then rewrites the Subject: header depending on whether it thought the message was spam or not. The rewrite is unconditional - if the message is not spam, it just rewrites the header back the way it was before. If it was spam, it inserts *spam* before the subject. Because the rewrite is unconditional, and because in order to rewrite a subject in our mail software (Exim), we have to remove the Subject: line, then add it back in the way we want. Because of this, it ends up at the bottom.

    There is absolutely nothing incorrect about how our system operates, and as you/they state it does not violate any RFCs. If SpamCop's system is unable to read the messages because of this, this would constitute a "bug" in their mail parser and should be fixed. I have no problems working with them for testing or anything, I just do not feel that because their software can't read a message based on the position of the Subject: header that the "fix" would have to be done on our end. They are likely to encounter other people who may end up with similar messages, as there is nothing unusual with our Exim configuration.

    If SpamCop would like more information - we do the Subject: header rewriting at transport time in Exim. We do not use a system filter, as it is overkill for just rewriting a header. If we were to use a system filter, then the Subject: header would be rewritten before the X- headers were inserted. There is also a feature in the newer Exim versions to specify where in the headers to insert new headers, however this does not yet work in the router/transport sections of Exim, so it would not help us in this situation. The best solution is for them to detect the message body very simply based on the newline break between headers & body which is the RFC way of separating the headers from the message body.

    I would also like to note that after viewing the messages you posted on the SpamCop forum, some *missing* headers are puzzling me. Our systems format the headers our systems add like this:

        X-Headers-Begin: <message id>
        X-spam-*: ...
        X-Virus-*: ...
        X-Headers-End: <message id>
        Subject:

    The Subject: header is the only header that is outside of the X-Headers-Begin: and X-Headers-End: since it is being rewritten, it will never be inside there (and also there's only allowed one Subject: header). There should also ALWAYS be X-spam-*: and X-Virus-*: headers between those header markers. If the system doesn't scan a message, it will insert a message saying that (it will only pass a scan if the message was too big). Since X- headers can be duplicated, I do not understand why the messages you posted show this:

        X-Headers-Begin: 1D8EOz-0002JX-Mw
        X-Virus-Scan: YES
        X-Headers-End: 1D8EOz-0002JX-Mw
        ...
        X-Headers-Begin: 1D8ESZ-0002u4-O2
        X-spam-Flag: NO
        X-spam-Level: /
        X-spam-Score: 0.0 (0)
        X-spam-Report: NO hits=0.0 reqd=7.0 tests=
        X-Virus-Scan: YES
        X-Headers-End: 1D8ESZ-0002u4-O2

    It appears that the message is being passed through our system twice? I did not check all the routing but I did notice our system does appear to touch it twice (I didn't check to find out why). However, I do not know why you do not have any X-spam-*: headers in the first set. The only time you can end up with none of our X-spam-*: or X-Virus-*: headers is if you send a message out with our system to a remote user - it will strip out our custom headers (not the X-Headers-*: ones though) before sending since those headers are not relevant for remote systems (thus, removed).

    Eli.
    ExpertHost Support
    http://www.experthost.com/
    ----------------------------------------
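
The body-detection rule from the host's reply above (split at the first empty line, wherever Subject: falls), together with a check for marker blocks that lack X-spam-* headers, as an added Python example that is not part of the thread or of either system's code. The sample message is constructed from the header layout quoted in the post, and the function names are hypothetical.

```python
import re

# Constructed sample following the header layout quoted in the post: two
# X-Headers-Begin/End blocks, Subject: after them, one blank line, then body.
SAMPLE = (
    "X-Headers-Begin: 1D8EOz-0002JX-Mw\r\n"
    "X-Virus-Scan: YES\r\n"
    "X-Headers-End: 1D8EOz-0002JX-Mw\r\n"
    "X-Headers-Begin: 1D8ESZ-0002u4-O2\r\n"
    "X-spam-Flag: NO\r\n"
    "X-spam-Report: NO hits=0.0 reqd=7.0\r\n"
    "\ttests=\r\n"
    "X-Virus-Scan: YES\r\n"
    "X-Headers-End: 1D8ESZ-0002u4-O2\r\n"
    "Subject: Re: sample\r\n"
    "\r\n"
    "Body line one.\r\n"
    "Subject: this line is body text, not a header\r\n"
)

def split_message(raw):
    """Split at the first empty line, the RFC 822 header/body separator."""
    m = re.search(r"\r?\n\r?\n", raw)
    if m is None:
        return raw, ""  # no separator: all headers, empty body
    return raw[:m.start()], raw[m.end():]

def parse_headers(block):
    """Return (name, value) pairs in order, unfolding continuation lines."""
    fields = []
    for line in re.split(r"\r?\n", block):
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields

def scan_blocks(fields):
    """Group headers between matching Begin/End markers; note scanner families."""
    blocks, current = [], None
    for name, value in fields:
        key = name.lower()
        if key == "x-headers-begin":
            current = {"id": value, "names": []}
        elif key == "x-headers-end" and current and current["id"] == value:
            names = current.pop("names")
            current["has_spam"] = any(n.startswith("x-spam-") for n in names)
            current["has_virus"] = any(n.startswith("x-virus-") for n in names)
            blocks.append(current)
            current = None
        elif current is not None:
            current["names"].append(key)
    return blocks
```

Run over the sample, the first marker block reports no X-spam-* headers and the second reports both families, which is the discrepancy the reply points out; the Subject: line inside the body is never treated as a header.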
  11. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    I had all the Block Lists checked. As mentioned, SA threshold was 5, have changed to 2 and will try that for a while. I would be happy as a pig in sunshine if I only got 2 or 3 false negatives a week; with all lists checked and SA threshold of 5, I got 192 false negatives yesterday. I'm not so sure how quickly an IP gets added to the lists. In the past two weeks, I'll bet I have received over 1,000 spams identical to the six I reported in the first message of this thread. Maybe 400 or so got to my Inbox, so their IP address wasn't on any of the Block Lists. Some of the 600 were blocked because they originated in Korea, Brazil, etc., and not because they were reported to SpamCop. Of the 400 that made it to my Inbox, I doubt very seriously that each of them was sent from a unique server, so at least some of them had to be sent from servers I had already reported. I suspect there's probably a minimum number of spams that has to be reported before anything is done. (To be technically correct, there has to be a minimum, even if it's 1. However, I'm willing to bet it takes more than one spam to get put on one of the lists.)
  12. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    OK, so SpamCop (or SpamAssassin) isn't using the Bayesian filter option. I've dropped my SpamAssassin threshold to 2 per Jeff's suggestion. Thanks again. - Steve
  13. shull2805@spamcop.net

    Why does SpamCop release so much spam to me?

    Thanks for the prompt reply, Jeff. I just checked out the SpamAssassin web site & FAQ. I noticed that SpamAssassin has a Bayes filter option. Does SpamCop enable that option? How does that work for multiple users? For instance, I've been receiving large quantities of the previously mentioned spam. So you would think that SpamAssassin would know by now that it's spam. But, if I'm the only SpamCop user getting this particular spam, even though it's a significant source of spam to me, it may be an insignificant fraction of the email going through your servers each day. I guess I'm asking if there's anything I can do to train SpamAssassin to get a better handle on which of my emails are spam vs. legit. Thanks again.
  14. Lately, I've been concerned about the number of spams that slip past SpamCop (as opposed to being held for my review). Yesterday, within a 24-hr period, 192 spams reached my Inbox (that's AFTER passing through the SpamCop filters). I looked a little closer, and was puzzled by the fact that some of the spam that got caught and held appeared to be very similar to spam that was being forwarded. Here are some examples of what I'm talking about:

    These emails were caught by SpamCop, and held for my review. I forwarded them to my submit address (i.e., NOT Quick Reported):

    1) Subject: Re: [66:HHY]-Meddications http://www.spamcop.net/sc?id=z742090570z0a...292d0c8774e7e5z
    2) Subject: Re: [15:WCJ]-Medicattions http://www.spamcop.net/sc?id=z742090572z4e...9c182e99d360d4z
    3) Subject: Re: [73:TVO]-Medicattions http://www.spamcop.net/sc?id=z742090573z05...9d8d458ca3dad7z

    The following 3 emails were NOT caught by SpamCop and ended up in my Inbox. I also forwarded these to my submit address:

    4) Subject: Re: [91:CKY]-Mediccations http://www.spamcop.net/sc?id=z742096268zdd...574e73bbd00d69z
    5) Subject: Re: KF94[Meddications] http://www.spamcop.net/sc?id=z742096271z08...4d2d76e64b6ad3z
    6) Subject: Re: -QM:52-Medicationns http://www.spamcop.net/sc?id=z742096273z41...26cc112482e9eaz

    Note that in all 6 instances, SpamCop was unhappy with the format of my submissions; although it could parse the headers, it thought the body of the email was missing (this problem has already been reported). It seems obvious that all 6 of these spams are from the same source, although they may have taken different routes to get to me. Do the Black Lists ONLY look at the headers? Would it be correct to say that if spam 'A' took route 'A', spam 'B' took route 'B', and only route 'A' uses email servers on one of the Black Lists, that spam 'A' would be held and spam 'B' would sail right through SpamCop?

    I have received hundreds of spams identical to these 6 over the past couple of weeks, and have reported them, but obviously many still slip through the SpamCop filters. Is SpamAssassin the only filter available at SpamCop that can examine message content? I had it configured at level 5, just changed it to 4 to see if that helps. In looking at the headers for example 6, does the "X-SpamLevel: **" mean I would have to lower my SpamAssassin threshold to 2 in order for it to flag this email as spam? Example 1 also had an X-SpamLevel of '**', so apparently SpamAssassin was not a contributing factor in flagging Ex. 1 as a spam. Any suggestions for how I can reduce the amount of spam still getting through would be appreciated. Thanks!
  15. shull2805@spamcop.net

    Thunderbird forward as attachment works @50%

    It's worth repeating something I said early on in this thread: I didn't have any of these problems until my web host (and email) provider "upgraded" to SmartMax on the server end. (But I must also point out that ~some~ of the spam reaching my Inbox can be parsed/reported successfully.) Thanks for your help, guys. It's been a very frustrating experience for me.