Cedders

Feature request: reporting to admin of Reply-To MX


This specifically concerns receipt of 419, job scams and similar scams, and most clearly spear phishing for webmail passwords. Unlike botnet spam and bank phishing, such frauds (often originating in Nigeria, Gabon etc.) usually request a response to a stated email address, either in the body text or the Reply-To header (or sometimes the Subject line).

Phishing for mail account passwords increased in 2008, and typically they were sent from a student's account at an academic institution, where the student had responded to identical spam.

From: "Surname, Forename" <Forename.Surname[at]cit.act.edu.au> (a compromised account)

Subject: mailbox has exceeded the storage limit

Your mailbox has exceeded the storage limit set by your administrator. You may not be able to send or receive new mail until your mailbox size is increased by your system administrator. You are required to contact your system administrator through e-mail with your Username:{ } and Password:{ } to increase your storage limit.

System Administrator

E-mail: system_webincrease[at]live.com

You will continue to receive this warning message periodically if your inbox size continues to exceed its size limit. This email is intended only for the use of the individual or entity to which it is addressed and contains information that is privileged and confidential.

Sysadmins at the institution will usually respond quickly to a report of a compromised account by closing the account or changing the password, so SpamCop is a quick way of doing this. Occasionally it seems SpamCop is able to parse the HTTP submission all the way to the Nigerian ISP, although sometimes it is the abuse address of the institution hosting the compromised account. Of course the same report is not currently also forwarded to the live.com abuse address, which clearly should be notified. This therefore has to be done manually, as described at http://forum.spamcop.net/scwik/ReportingEMailAddresses . So unfortunately SC is not a big time saver in reporting scams where the From and Reply-To address (or From and address that appears in the body) differ.

The decision to not implement an option to report to sysadmins responsible for, e.g. Reply-To address or a single address in the body is understandable if you accept the assumption that all email addresses in spam are forged - but in fact Reply-To and body email addresses in a large fraction of spam are genuine, and the wave of webmail phishing in 2008 changes the situation significantly, as allowing collection accounts to continue for hours or days after a phishing mailout vastly increases the possibility of the inconvenience of a compromised email account, and also of fraud against vulnerable people.

Reporting collection account addresses is analogous to reporting "spamvertised websites" - for example, if a 419 includes a web link it is very likely to a news article on a genuine server. It has to be to the discretion of the reporter to choose which addresses are appropriate to receive the report. Ideally SpamCop itself would make a default decision about whether the type of spam means it could or should be reported to the provider (I have SpamAssassin rules to do this relying on phrases such as "System Administrator E-mail...", but the presence of an account at a free email provider is also evidence).

I think adding the ability to report mailto URIs in the same way as HTTP URIs would be effective and worth a bit of development time.


I believe this "feature" was removed a long time ago because of misuse. There is no way for the parser to know when an address in the body is in the cases you describe or not and too many people click every box or do not unclick boxes that are not appropriate.

You are of course welcome to either add that mail system administrator if you are a paying member of spamcop or generate your own complaint to the mail system administrator.

I believe this "feature" was removed a long time ago because of misuse. There is no way for the parser to know when an address in the body is in the cases you describe or not and too many people click every box or do not unclick boxes that are not appropriate.

Interesting. But that argument works equally for spamvertised HTTP URIs, in fact more so in my experience. I for one do untick uninvolved websites mentioned. SC could provide unticked tick boxes for the email category.

You say there is no way for the parser to know, but presence of a Reply-To with a different domain in practice does distinguish, and I think we will come to an arrangement with MSN that they get automated alerts when webmail phishing is detected by us (no FPs so far with rules that catch >90% of webmail phishing). I accept that composition of the spam burden changes over time and so a decision algorithm would need occasional maintenance.

You are of course welcome to either add that mail system administrator if you are a paying member of spamcop or generate your own complaint to the mail system administrator.

Good point - I was using a free account for this particular report. But SC doesn't do the lookup for the MX abuse address for me in any case, which still means it's more time efficient for advanced users to report directly, and for others, I think they are unlikely to do what you suggest.

Thanks for the reply.


Actually the developer of spamcop agrees with you on the spamvertised websites (you can see many discussions where people want spamcop to take more efforts to find and report spamvertised websites). However, spamcop still does the spamvertised websites because some server admins like to filter on them and it is a good source even with its limitations.

And there are some reporters who do take the time to report drop box email addresses just as there are a lot of reporters who deobfuscate spamvertised URLs. Often, I will report the drop box before I would report the spam if I have a time crunch. Reporting drop boxes is much more likely to protect gullible recipients and stop the effect of the spam run since ISPs are generally very quick to respond. And it doesn't take more than one report since once alerted the ISP can determine whether or not the account is being abused so that numerous people don't need to report them.

I hope you have the time to manually report them since you are interested. If all reporters were as interested, there wouldn't be the necessity for excluding them. Unfortunately, many reporters don't pay enough attention or even understand what is really happening.

Miss Betsy

...But SC doesn't do the lookup for the MX abuse address for me in any case, which still means it's more time efficient for advanced users to report directly, and for others, I think they are unlikely to do what you suggest....
You are aware that the parser will find the reporting address (if any) for any e-mail address you feed into the webform paste-in box? Although the detail is not picked up from the spam in the standard parse, copying and pasting the address into the box (say in a different window) is a quick and easy solution for paying members to get the detail to add to their reports - or even free account users to get the same for their manual reports.

Interesting. But that argument works equally for spamvertised HTTP URIs

<snip>

...IMHO, that's an excellent point! However, I think from SpamCop's perspective, it's a reason to take away the ability to report spamvertized URLs rather than a reason to add the feature you are requesting! :) <g>
You say there is no way for the parser to know, but presence of a Reply-To with a different domain in practice does distinguish

<snip>

...My guess would be that this is not true but I'm too lazy to go through my spam to see. Seems like an interesting research project for someone with the time and inclination.
I was using a free account for this particular report.
...Probably not too useful for your needs but note the Preferences | Report Handling Options | "Public standard report recipients" feature of both paid and free reporting accounts.
But SC doesn't do the lookup for the MX abuse address for me

<snip>

...But you can enter the e-mail address and the SpamCop parser will tell you the reporting address it finds (if any), as Farelf notes, above (he submitted that while I was typing and editing this reply).

The decision to not implement an option to report to sysadmins responsible for, e.g. Reply-To address or a single address in the body is understandable if you accept the assumption that all email addresses in spam are forged - but in fact Reply-To and body email addresses in a large fraction of spam are genuine,

Oh yeah, most definitely .... for yet another example of "you know it's gotta be true" see the posted spam over in http://forum.spamcop.net/forums/index.php?...ost&p=70606 .. no doubt in my mind that the From:, Reply-To:, Return-Path: addresses just have to be valid.


I would like to add my voice to those that are calling for SpamCop to parse and offer to report email addresses found in the body of the message. It seems that spammers have found that SpamCop (and others) won't report these and are using these as drop boxes to collect the spam replies. Since most of the ones I've seen are phishing or 419 scams, and further that all have (so far) been MSN/Hotmail-hosted email domains, we should at least offer to report these so that the victims of these scams don't have as much of a chance of getting their replies through to the scammer!

I would like to add my voice to those that are calling for SpamCop to parse and offer to report email addresses found in the body of the message.

<snip>

...And I would like to add my voice to StevenUnderwood's reply, above, and repeat that such a feature is too easily misused and that it's therefore preferable for users to generate their own complaints (noting Farelf's suggestion, above, that one can find the reporting e-mail address to which SpamCop would file a report by simply submitting the e-mail address from the spam message body).

...Also please see SpamCop Wiki entry "ReportingEMailAddresses" (thanks, Rick!).


Hear, Hear! Spamcop reports are good for adding to the spamcop blocklist. But manual reports of email drop boxes are better. Remember spamcop is a tool!!

Miss Betsy
