spamcop not reporting links for inertia.pl

[cfaaaaa]

for the last week or so, I've been getting dozens of spams linking back to random hosts at inertia.pl - here's an example:

http://www.spamcop.net/sc?id=z2761423543z1...1e67f6368ae676z

The link is extracted ok during parsing, but I never get the "Tracking link" section, so the hosting company is not notified.

Is there anything I can do about this? Can anyone explain why spamcop is ignoring inertia.pl links?

[Wazoo]

Is there anything I can do about this? Can anyone explain why spamcop is ignoring inertia.pl links?

Thanks for providing a Tracking URL. There doesn't appear to my eyes to be any construction problem that should 'fool' the parser. So, let me start by asking ..... the numerous existing Topics/Discussions, FAQ entries, etc. aren't clear enough? What aren't you finding .. or is it that you haven't looked?

For example, the last post I made here in this Forum section, attempting to discuss the exact same type of query ..... http://forum.spamcop.net/forums/index.php?...ost&p=70341 .. heck of a lot of words to have to re-type, re-type, and re-type for each 'new' query on this same issue, never mind the disk space and database complexity involved .... that's the primary reason for the FAQ, Wiki, Dictionary, Glossary, Search Tools/Functions, etc.

I suppose one could point out that your "week or so" does seem to also tie into the recent major software upgrade on the Parsaing & Reporting System. There is documentation existing here on several issues that still remain outstanding, "to be installed at the next rollout" .. no timeline offered as to when that will be.

[Farelf]

...Is there anything I can do about this? Can anyone explain why spamcop is ignoring inertia.pl links?

There has been much discussion about this over the years - http://forum.spamcop.net/forums/index.php?showtopic=4085 is one of the consolidated topics.

SC's essential focus is on the spam sender. Lesser priority is given to the links. However the parser will usually/often find a reporting address for a spamvertized site even if it doesn't offer it up in the first instance. You can simply paste the URL into the webform submission box (your 'members.spamcop.net' page) and the available address(s) are produced (the note there says - my emphasis - "Paste entire spam (headers, blank line, body) - or - single address (one line only): ". If you do this in a separate window before you submit your report and you have the ability to add reporting addresses to your outgoing report (ie, you're a paying member) that is the simplest way to do it. A free member would need to do a 'manual report' (refer to the Wiki).

In the case you refer to, the stand alone parse produces:

SpamCop v 4.5.0.101 © 1992-2009 Cisco Systems, Inc. All rights reserved.

Parsing input: .http://voudboic.eu.interia.pl

Routing details for 217.74.65.163

[refresh/show] Cached whois for 217.74.65.163 : ripe[at]firma.interia.pl

Using best contacts spamcop[at]firma.interia.pl

Statistics:

217.74.65.163 not listed in bl.spamcop.net

More Information..

217.74.65.163 not listed in dnsbl.njabl.org ( 127.0.0.8 )

217.74.65.163 not listed in dnsbl.njabl.org ( 127.0.0.9 )

217.74.65.163 not listed in cbl.abuseat.org

217.74.65.163 not listed in dnsbl.sorbs.net

Reporting addresses:

spamcop[at]firma.interia.pl

In this instance it is a 'special' reporting address (not the registered abuse.net addresses) which would technically create a bit of a problem in using it with a manual report (which aren't meant to imply/pretend that they're SC reports) but we can probably ignore that aspect at this stage.

Whether offered for reporting in the initial parse or not, it is important to check as best you can (using the "View entire message" link in the initial parse result) as part of your report verification that the that the 'spamvertized' site really is that, and not an 'innocent bystander', inserted into the spam message to confuse and create trouble.

[cfaaaaa]

I did search for an explanation, but obviously wasn't looking for the right thing. Thanks for the pointers.

[rconner]

I did search for an explanation, but obviously wasn't looking for the right thing. Thanks for the pointers.

Sometimes reloading the report page will force the parser to retry, and it may then offer to report the link. I actually will do a shift-reload (hold shift key and press reload in the browser) to do this, although I'm not sure that this is any better than a plain old reload.

-- rick

[Wazoo]

although I'm not sure that this is any better than a plain old reload.

In theory, the 'simple reload' uses cahced data .. the 'shift reload' is an attempt to ignore the cache and do a 'complete' reload using 'fresh' data.

[gnarlymarley]

In theory, the 'simple reload' uses cahced data .. the 'shift reload' is an attempt to ignore the cache and do a 'complete' reload using 'fresh' data.

geocities.com has the same problem as in this page, http://www.spamcop.net/sc?id=z2772635443zb...854c6c5c3650bez. Last night, the pages started showing that reporting information for those pages. I submit this is either an extreme load on the dns servers causing the lack of reporting information or the code is not up to sync on all spamcop servers.

[rconner]

In theory, the 'simple reload' uses cahced data .. the 'shift reload' is an attempt to ignore the cache and do a 'complete' reload using 'fresh' data.

I was assuming that pages from the parser were marked for no-cache, so the shift key might be superfluous in this case.

-- rick

[gnarlymarley]

geocities.com has the same problem as in this page, http://www.spamcop.net/sc?id=z2772635443zb...854c6c5c3650bez. Last night, the pages started showing that reporting information for those pages. I submit this is either an extreme load on the dns servers causing the lack of reporting information or the code is not up to sync on all spamcop servers.

Now the weird thing, is putting the link into the reporting form, pulls up the information. It just does not show on the page with the spam. http://www.spamcop.net/sc?track=http%3A%2F...c.eu.interia.pl

[Farelf]

Now the weird thing, is putting the link into the reporting form, pulls up the information. It just does not show on the page with the spam. ...

Yep, confirming I see that behavior in my recent reporting (what there is of it) as well, with GeoCities.

Now, in both cases, there is a special SC ('best contacts') reporting address:-

spamcop[at]firma.interia.pl

spamcop[at]mailservices.yahoo.com

Just a guess but I'm thinking there may be a 'rate limiting' arrangement for SC reports to those addresses. Or maybe summary reports only. I can't recall/find relevant previous discussion about such addresses. Anyway, that would probably have the effect of keeping them out of the http://www.spamcop.net/w3m?action=inprogress;type=www lists (and presumably out of the SURBL lists as well). Note there is no 'If reported today' for the addresses when viewing the tracking URLs.

Such latitude would not be lightly given, I'm thinking (deputy/admin oversight for sure, if that is the way of it). Just what is going on, we won't know unless SC tells us but presumably there is some degree of interaction with SC (the opposite of the dev-nulling used for providers who 'opt out' of receiving SC reports or who are apparently complicit in spamming or who have unresponsive/invalid reporting addresses).

Yeah, it would be nice to know, spamvertizing targets being 'not the principal mission' notwithstanding.

[expanded on edit]

[gnarlymarley]

Just a guess but I'm thinking there may be a 'rate limiting' arrangement for SC reports to those addresses. Or maybe summary reports only. I can't recall/find relevant previous discussion about such addresses. Anyway, that would probably have the effect of keeping them out of the http://www.spamcop.net/w3m?action=inprogress;type=www lists (and presumably out of the SURBL lists as well). Note there is no 'If reported today' for the addresses when viewing the tracking URLs.

Now, I have noticed that about 30 minutes to 40 minutes after the hour, the reporting information will show up without a refresh for me. Not sure about the original submitter, but I suspect you are correct about the rate limiting.

[cfaaaaa]

Now, I have noticed that about 30 minutes to 40 minutes after the hour, the reporting information will show up without a refresh for me. Not sure about the original submitter, but I suspect you are correct about the rate limiting.

I've probably reported 50 or so of these in the last couple of week, and only once have I seen the special spamcop reporting address show up - usually, the link is just ignored. Given the number of spams I've been getting using this redirect mechanism, it's not surprising. But it sure would be nice if they'd fix the problem.

[Farelf]

I've probably reported 50 or so of these in the last couple of week, and only once have I seen the special spamcop reporting address show up - usually, the link is just ignored. Given the number of spams I've been getting using this redirect mechanism, it's not surprising. But it sure would be nice if they'd fix the problem.

As said, I'm not sure but the whole reporting thing with inertia.pl (and others with the special SC reporting address) may not be a problem but a solution worked out between the providers and SC. That the address exists (instead of dev.null) implies that reports are accepted. The fact that reports are only occasionally sent might imply that the providers get 'sufficient' reports for their purposes (remembering no-one can force them to accept any reports). And they are, presumably, listed on the SURBL when they are supporting spam activities (allowing those who wish to block on that basis to do so).

Testing the last assumption:

C:\...>nslookup
...
>voudboic.eu.interia.pl
...

Non-authoritative answer:
Name:	voudboic.eu.interia.pl
Address:  217.74.65.163

>163.65.74.217.multi.surbl.org
...
Non-authoritative answer:
Name:	163.65.74.217.multi.surbl.org
Address:  127.0.0.2

>set type=txt
>163.65.74.217.multi.surbl.org
...
Non-authoritative answer:
163.65.74.217.multi.surbl.org   text =

		"Blocked, 163.65.74.217 on lists [sc], See: http://www.surbl.org/lists.html"
>exit
C:\...>

Which confirms the SURBL entry on account of SpamCop reporting (the 127.0.0.2 indicates listing, SURBL has many lists, looking at the TXT return confirms which one - note the IP address is reversed for lookups against the BL).

Really, I don't think anything more can be expected of SC (or of SURBL) in such a case.

[nomorejunk]

It's been noted that SC has, in the past, focused on the sender. The links within the message have not been used.

Given the amount of garbage associated with interia.pl, it is clear a different tack should be tried. These folks are sending a LOT of spam which directs to interia.pl sites, e.g. http://{junkhere}.w.interia.pl/

Root cause analysis would indicate that if the real source is hit hard, it will also affect the spammers. In this case interia.pl is the source.

[rconner]

It's been noted that SC has, in the past, focused on the sender. The links within the message have not been used.

Actually, it may be more accurate to say "sometimes the links have not been used [or reported]."

Given the amount of garbage associated with interia.pl, it is clear a different tack should be tried. These folks are sending a LOT of spam which directs to interia.pl sites, e.g. http://{junkhere}.w.interia.pl/

That's why I report mine to KnujOn, which is more oriented toward dealing with websites -- including their hosting providers and their domain registrars.

Root cause analysis would indicate that if the real source is hit hard, it will also affect the spammers. In this case interia.pl is the source.

Actually, to be pedantic, inertia.pl is not the "source;" inertia.pl is the web hosting service. Unless, that is, you are also receiving mail that is sent through inertia.pl (I'm not, FWIW). As others have noted, SpamCop is not ideally set up to deal with spam websites; this is where operations like KnujOn come in.

-- rick

[Geek]

It's been noted that SC has, in the past, focused on the sender. The links within the message have not been used.

IMO, this is a bad idea.

The link is the *reason* for the spammer to spam. It's his place of business.

Like many Chinese spammers I've seen eventually go bye, bye, take away their reason and the spammer disappears.

No need to come to work if your building keeps getting knocked down as soon as it's built.

Cheers!

[turetzsr]

IMO, this is a bad idea.

...But this is SpamCop's philosophy. It just is. They do not seem (nor, IMHO, should they feel the need to be) open to discussing it. They provide the service they provide (and very well, also IMHO) and we are free to use it or not as we prefer. There are other services more focused on spamvertized addresses.

The link is the *reason* for the spammer to spam.

<snip>

...But the e-mail is the method the spammer is using to drive traffic to the web site. No e-mail, no (well, certainly less) web site traffic.

[gnarlymarley]

The main issue with reporting a link with no IP is that the whois address for the domain usually reports back to the spammer. How would we know that http://{junkhere}.w.interia.pl/ or the dns registry of {junkhere}.w.interia.pl, does not point back to the spammer? We don't. Thus said, we do not want to notify the spammer that his email is actually getting out. This means we either get the IP lookup portion working, or we ignore the link and do not report.

[rconner]

Comprehensively tracking and reporting spam web links in real time is a major undertaking, not at all a trival change. It would probably degrade performance for all SC users and would also result in misdirected reports. I've put in my $.02 on this subject elsewhere.

Meanwhile, here's a vignette that might be edifying: A man walks into a hardware store carrying a handsaw, and walks up to the clerk on duty:

MAN: I bought this SpamCop-brand saw from you last week, but I'm not altogether happy with it.

CLERK: What's wrong, doesn't it cut wood properly?

MAN: It cuts wood just fine, but it does a really bad job driving in nails.

CLERK: Why would you want to use it to drive nails? It's a saw, after all.

MAN: Come on, are you kidding? There's no point cutting up the wood if you can't nail it to anything!

CLERK: Why not just use a hammer?

MAN: Because this saw already cuts the wood! I just want to make it so it can drive nails as well. Really, it's very simple, just add a metal bit to here, cut a hole in there, do some other stuff, and it'll drive nails. Might be a bit wobbly, but --

CLERK: (producing a hammer from under the counter) Much simpler and cheaper just to use this KnujOn hammer. Or, we also carry Complainterator hammers. Many other brands as well.

MAN: (continuing) -- no, really, you could just make these parts removable and then have little pouch that hangs off the side to hold them when you are sawing...

-- rick

[Geek]

Rick,

Your illustration lost me

gnarlymarley,

Exactly why the munging is important

[rconner]

Your illustration lost me

I apologize for any offense, but I did not mean to insult anyone. I merely mean to point out that if you want to deal a blow to spam websites, there are very convenient means already available for you to do so, you do not have to wait for SpamCop to be convinced to add or reinforce such capability. Why insist that SpamCop come up with their version of a hammer when you can go elsewhere to get the genuine article?

We could debate indefinitely over whether reporting mail sources is more important than reporting websites, but this is ultimately a false dichotomy: you can do both if you care to.

For instance, KnujOn has a public reporting address that accepts any and all spam submissions from the public. They fish out the website links from this spam and deal with them on two fronts -- with hosting providers, and with domain registrars. KnujOn has been particularly successful in getting ICANN to hold crooked registrars' feet to the fire. KnujOn accepts submissions via SpamCop, you can just do as I do and add their e-mail address as a user-defined report recipient (if this option is available to you). Or, you can bypass SpamCop and just send the mail directly to them via any of several means (including ZIPped archives). I don't want to come off as a KnujOn shill (indeed, there are some parts of the operation that leave me a bit puzzled if not disappointed), but one cannot deny that they have had a massive and largely beneficial impact on the spam hosting problem. If they haven't been fully successful in all cases, that simply points out the current intractability of the problem.

I have no personal experience with Complainterator (which will not run on my Mac), but my understanding is that it can deduce the hosting providers and the domain registrars for spam links, and can help you direct reports to them. If this is what you want to do, then it would be well worth a look.

Both KnujOn and Complainterator are free to use. They also are not under the same "real-time" constraint as SpamCop's reporting service, they can afford to take a bit more time to develop more information and get a proper, well-targeted result. If you look at the link to my previous post that I provided above, you will see where all this extra time and effort is necessary.

-- rick

[Geek]

No fair, you quoted before I edited

Indeed there is convenient methods, but sometimes Spamcop has a cache of the *real* reporting address.

I recall this one time there was a particular nasty site about a year... year and a half ago and their pipe owners were gz21.cn (IIRC). Within 24 hours of them popping up, they used a privacy masking service in the Netherlands.... but not before Spamcop got a cache of the real owner.

Three cheers for SC on that one!!!

[rconner]

No fair, you quoted before I edited

Well, I can edit too as you see. Seriously, I am not here to make fun of people (unless they are demented spammers, perhaps). I seek only to pass on what I have learned, and more importantly to try to learn from others. If I came off as a bit testy, perhaps you will mark it down to battle fatigue.

Indeed there is convenient methods, but sometimes Spamcop has a cache of the *real* reporting address.

Are you saying that you got WHOIS reporting data for a domain via SpamCop? That's news to me, maybe this is one of those occasions where I can learn from others.

Seriously, though, I wonder what good we do in directing reports to the spammer (if the domain registrant is indeed the spammer or a surrogate, as may have been the case here). Do we expect him to stop just because we are mad at him? Generally, I don't even waste time on WHOIS registrant data because I assume that it is either forged or cloaked, or else belongs to someone who isn't going to be responsive to complaints. Instead, I stick with the registrars and try to report matters to them. Even at that, many of the registrars behind most spam domains today are 100% bent, so even these reports are unlikely to do much good (in my opinion).

A couple of years ago, I routinely tracked down websites and included them in my SpamCop reports where SpamCop itself did not report them. I even cobbled together my own software to help me with this. I have pretty much stopped doing this, however, because it became too much work for me, to no good effect that I could see. I now use KnujOn because it has made itself far more difficult to ignore (due to its connections with ICANN, its activity in the press, etc.). I'm happy to send them my spam to add to the hod if they can get some results with it.

-- rick

[Miss Betsy]

To repeat, spamcop is a tool. (I loved rconner's 'conversation, BTW - maybe it should be added to the FAQ <g> at least to the wiki!)

If reports go to the spammers, I would not want to rely on the automatic munging to hide my identity. As I said before, if the spammer wants to know the identity of the reporter, he can devise all kinds of ways to identify the reporter that can't be removed without 'material changes' There are all kinds of stories about how honesty and good will prevail over dishonesty and maliciousness in the offline world - though it is always a risky venture and one may encounter many trials before the good wins out. Online, it is much easier to be open and honest without risk - and it works better also.

Reporting the source (especially since most sources, nowadays, are responsive to reports) is much more productive. If the source is not responsive, then blocking at the server level permanently effectively (again using another tool/blocklist than spamcop) blocks them from selling anything (which is why spammers keep trying, by dishonest means, to use responsible sources - often without the owner's knowledge).

To identify (using the correct tools) spamvertised websites - either manually or with another software - can be done. However, the process of making the person responsible take down the site has to be done with caution because one does not want to set a precedent of taking down websites because some people find them offensive. I don't know very much about Knujon, but I believe that they rely on other criteria than that the site is spamming. Kind of comparable to stopping criminals by prosecuting them on tax evasion.

Offline, one cannot 'knock down' a store just because it is selling porn or shoddy merchandise or scamming people with unnecessary 'service contracts.' It takes serious police investigation with lots of evidence to prove that a criminal has defrauded an innocent citizen. I believe that those investigations are being done against those criminals who are operating on the internet. However, the criminals still operate. Offline, prudent businesses and customers and citizens use locks, alarms, awareness of scams to protect themselves against criminals. Online it is no different. I don't know why people expect it to be different. The only difference is that prudent users of the internet cannot be forced by a criminal (as in an offline mugging) to answer an email and be robbed.

If one really wants to eliminate spam, then it would make more sense to prevent any careless users from accessing the internet. Blocking the source does work toward that goal because if all server admins blocked the sources and did not allow spam to be delivered, those ISPs that are not responsible and prudent would not have access to anyone using prudence. Many users who are gullible would be protected or would have to actively seek out an ISP who would allow them to receive spam. For instance, if you got all the people who have an interest in 'going green' to boycott any ISP who allows 'bots, you might find that some ISPs who now do nothing to shut them down, find ways to do so.

Miss Betsy

[Geek]

If reports go to the spammers, I would not want to rely on the automatic munging to hide my identity.

One reason I'm manually munging some (I've figured out which mess up the parser). It's mostly the fake WebMD, Men's Health and iTunes/Amazon invoice ones.

My spam has been steadily dropping since doing this. Slowly, but is dropping. Still five times what it should be for "normal" levels of activity according to the Spamcop stats.

Offline, one cannot 'knock down' a store just because it is selling porn or shoddy merchandise or scamming people with unnecessary 'service contracts.' It takes serious police investigation with lots of evidence to prove that a criminal has defrauded an innocent citizen.

Sorry, not in Vancouver.

Citizens complain.

City lets license lapse.

City evicts.

That's the order of the universe here. No cops needed.

Cheers!