spam, SpamCop, KnujOn and philosophy

[Lking]

There has been several treads of late centering around spamvertised links, why SpamCop doesn't/can't resolve the link in the body, etc. These thread often end with someone suggestion other services like KnujOn. I received this from KnujOn and think it explains the difference in the two groups philosophy, note #3, #6, and #7. The difference is why I send all my spam the spam I get to both.

One of the problems thus far with the anti-spam effort is a lack of guiding

principles or philosophy. We have set out, from the beginning, to establish

foundational thinking to address the issues of online abuse and fraud. Below

are our seven core beliefs. There may be more. We hope this helps explain

our project.

1.spam is not an impossible problem to solve

2.It is possible to collect and process every piece of unwanted email for

examination and enforcement

3.spam is about who benefits from it, not who sent it

4.Spammers send mass email because someone pays them to

5.The motivation is money, the goal is a transaction

6.Focus efforts on the transaction target or platform not on the

advertisement

7.Eliminating transaction access removes money from the illicit cycle

The SpamCop and KnujOn approaches are both valid and reflect the differences in attacking the problem, tactically or Strategically.

[Miss Betsy]

That will prove a valuable resource when someone else asks the question!

The spamcop blocklist (and many others) depend on the sending IP address. The basic philosophy is 'my server, my rules' or in Miss Manners' terminology, those who are rude enough to send unsolicited email, may receive the 'cut direct' (or be ignored).

If every server admin blocked at the server level, legitimate emails from spam sending sources would get a rejection message and the end user sender would know that his email did not arrive and for what reason. Senders from ISPs who have frequent appearances on blocklists, if they cared, would go to a responsible ISP or email service. Then everyone who wanted responsible email service would not have a problem because none of their emails would ever be blocked (or, if there were an accident, for a limited period between the first report to the email service and their immediate action).

Other ISPs and email services could continue to offer services to the spammers, but they wouldn't bother most responsible customers in either sending or receiving email. The reason this scenario has not worked is because most end users are not good consumers - they complain if they don't get an email, rather than pointing out to the sender that the sender is using questionable services and putting the receiver to a lot of bother. Therefore, email services use all kinds of filtering methods to make sure the end user gets all of his real email. End users using spam sources don't know that they are part of the problem - especially those who have had their computers infected and are part of a botnet.

Knujon wants to shut down the site that is advertising via spam and they have stated their reasons why they think this will stop spam.

Miss Betsy

[dbiel]

Additional information from the KnujOn web site.

More Information About Headers

We do not look at headers or trace IP origin on a large scale, but in select cases. We're not trying to reinvent the wheel, we are fully aware that services like SpamCop are already doing this job and doing it well. We encourage everyone to use many services to fight this problem on multiple levels. In the future we may work with other services to provide 100% protection. However, for the moment we are focused on our own model which is not so much on the junk mail traffic (ISP abuse, botnets, zombies) but more on the fraud and illegal activity going on behind the scenes. Reduction in junk mail is a byproduct of that effort. This is not to say we are not concerned with botnets and zombies, we are and as time permits we research that as well. So, if KnujOn users send full headers along, we use them. But we are not requesting or requiring that people do send the headers.

Using SpamCop report to also send to KnujOn

MailWasher/SpamCop

VIA SpamCop Method(Updated: 02.21.07)

This version may be easier.

If you are using MailWasher and SpamCop, try these instructions:

1. On SpamCop.net, click on the "Preferences" tab.
   
2. Click on the "Report Handling Options".
   
3. The second option will be "Personal copies of outgoing reports". Enter nonregistered[at]coldrain.net (or the registered user address) into this field.
   
4. Click "Save Preferences" at the bottom of the page. From now on, whenever confirming a report in SpamCop, the reporting address you entered will automatically be included in the list of recipients to receive a copy of the report.
   

Previous instructions VIA SpamCop Method

1. On SpamCop.net, click on the "Preferences" tab.
   
2. Click on the "Report Handling Options".
   
3. The third option will be "Public standard report recipients". Enter nonregistered[at]coldrain.net(or the registered user address) into this field.
   
4. Click "Save Preferences" at the bottom of the page.
   

From now on, whenever confirming a report in SpamCop, one of the checkboxes for recipients of reports will be Knujon. You will need to manually check this box for each spam you're sending reports for.

As noted by Lking in the first post in this topic; SpamCop and KnujOn approach the spam fight from two totally different by complementary methods:

SpamCop is primarily concerned with the source or injection point of the spam message

KnujOn is primarily concerned with the fraud and illegal activity going on behind the scenes, or put differently the spamvertised web site that are part of the spam message.

[g4mby]

KnujOn is primarily concerned with the fraud and illegal activity going on behind the scenes, or put differently the spamvertised web site that are part of the spam message.

KnujOn doesn't take action on every spam report though.

In my case over 67% of the sites that I have reported are shown in my reports as "No action" status. This is disappointing. They also include the domains of several of the UK's major banks in their lists. Despite repeated attempts to get them to remove these domains they continue to feature.

[dbiel]

I am beginning to question the professionalism of KnujOn.

They do respond to email questions, but it may take a week or more to do so.

The answers are also disappointing.

Your FAQ states regarding SpamCop to:

"The second option will be "Personal copies of outgoing reports". Enter nonregistered[at]coldrain.net (or the registered user address) into this field."

This will send copies of each and every report that is sent. Thus one spam message may result in dozens of reports being sent to you.

This this what you really want?

Yes, the more samples the better.

How can anyone consider the multiple reports that SpamCop sends from a single spam email to be "more samples"?

Their web site continues to have references and links to CastleCops and when questioned about it, their reply was

We are in the process of overhauling the site and reports. The CastleCops

reference will be removed when the new version is released.

But when you consider the state of the official SpamCop FAQ, I guess it should be expected?

[Wazoo]

But when you consider the state of the official SpamCop FAQ, I guess it should be expected?

Let's face it, there aren't that many places that have such a dedicated crew of volunteers that try to keep things up-to-date, especially noting the 'distance' between those volunteers and those that are actually 'in charge of' the actual product/tool-set.

Offering yet another 'thank you' to all who participate and contribute here, the Wiki, and yes, even 'over there' in the newsgroups <g>

[elind]

I've been in discussions about this (spam source/ spam host etc.) before and whatever the philosophy differences, I am still somewhat confused as to why spamcop tries, but seldom succeeds, to identify host URLs at all.

It is my impression lately, perhaps since this year, that spamcop doesn't resolve 90%+ of host URLs, whereas it used to most of the time.

An example is this one of a few minutes ago.

http://www.spamcop.net/sc?id=z2975392421z4...363c6254e593e4z

I immediately get connected with that website if I point my browser to it, but spamcop says it can't resolve it, and I don't think this is a case of wandering DNS lists.

Also, spamcop seems to discourage use of knujon. One can put their forwarding address into spamcop, and if one does a manual submit it comes up as an optional report recipient, but I still have to check the box. However a "quick report and trash" submit does not include the knujon address in the reports, and that is how I submit 99% of my reports.

I've contacted both knujon and spamcop on this. Knujon said they would try to contact spamcop, but I haven't heard any more.

Spamcop just gave me the instructions to do what I had already said I have done.

I don't get it. We seem to be losing steam here.

[Wazoo]

I immediately get connected with that website if I point my browser to it, but spamcop says it can't resolve it, and I don't think this is a case of wandering DNS lists.

06/05/09 15:55:25 dig grasbeach.com [at] 208.67.220.220

Dig grasbeach.com[at]ns2.supernamebot.com (220.248.184.7) ...

failed, couldn't connect to nameserver

Dig grasbeach.com[at]ns1.supernamebot.com (119.67.72.170) ...

failed, couldn't connect to nameserver

Dig grasbeach.com[at]208.67.220.220 ...

Non-authoritative answer

Recursive queries supported by this server

Query for grasbeach.com type=255 class=1

grasbeach.com NS (Nameserver) ns1.supernamebot.com

grasbeach.com NS (Nameserver) ns2.supernamebot.com

grasbeach.com NS (Nameserver) ns1.supernamebot.com

grasbeach.com NS (Nameserver) ns2.supernamebot.com

and needless to say, pulling up that info took quite a long time .... 10 to 12 seconds at least .... whereas the more 'simple' request happened in a split second;

06/05/09 15:55:43 dns grasbeach.com

Canonical name: grasbeach.com

Addresses: 119.67.72.170

06/05/09 15:58:54 Slow traceroute grasbeach.com

Trace grasbeach.com (119.67.72.170) ...

210.120.155.109 RTT: 235ms TTL:170 (ppp210120155109.dial.dacom.co.kr ok)

203.248.207.50 RTT: 237ms TTL:170 (No rDNS)

203.233.1.138 RTT: 234ms TTL:170 (No rDNS)

203.233.1.154 RTT: 252ms TTL:170 (No rDNS)

211.63.37.162 RTT: 238ms TTL:170 (No rDNS)

* * * failed

* * * failed

* * * failed

119.67.72.170 RTT: 241ms TTL:235 (No rDNS)

I've contacted both knujon and spamcop on this. Knujon said they would try to contact spamcop, but I haven't heard any more.

Spamcop just gave me the instructions to do what I had already said I have done.

In the interest of "not fueling the fire" I will not respond to this.

[Miss Betsy]

Quick Reporting is well publicized as NOT even looking at the spamvertized sites within the spam. It is a specific tool that reports source of spam.

I don't know how many times that the analogy of tools has to be reiterated. Why not fuss at knujon for not including the source in their reports?

These are two different reporting tools. You shouldn't hammer a screw and you won't get very far trying to screw a nail.

Miss Betsy

[elind]

In the interest of "not fueling the fire" I will not respond to this.

I don't know what you mean by that. It's a simple enough question and I'm not fueling anything. If spamcop simply wants to say that they have problems with auto copy of reports on quick reports, then they can say so. I don't see why they have a facility that only works in limited ways, without explanation.

As to the matter of not identifying hosts, as I said, it seems to me that spammers have figured out how to hide these from spamcop. We've had discussions on that in the past, and I have seen how in many cases even my browser can't find a website (when I've experimented) except after multiple tries. However I have the impression that something has changed, because lately most of my browser attempts connect immediately but spamcop routinely reports it can find nothing.

If that is unique to the lists I'm on, or something else I don't know, but I'm getting a real uncomfortable feeling coming here with observations like this and receiving replies about fueling fires that I haven't a clue about.

Anyone care to suggest I get a Phd in spamcop protocols before I post again?

Quick Reporting is well publicized as NOT even looking at the spamvertized sites within the spam. It is a specific tool that reports source of spam.

I don't know how many times that the analogy of tools has to be reiterated. Why not fuss at knujon for not including the source in their reports?

These are two different reporting tools. You shouldn't hammer a screw and you won't get very far trying to screw a nail.

I don't know what you mean. It most certainly looks if the report analysis says it can't find anything for the URL, doesn't it?

I'm getting tired of this childishness.

Bye

[Wazoo]

I don't know what you mean by that. It's a simple enough question and I'm not fueling anything.

You were fishing for some kind of response dealing with user/client relationship with the paid-staff of SpamCop.net. I didn't want to further fuel that fire ..... already have another incident still smoldering in another area ...

If spamcop simply wants to say that they have problems with auto copy of reports on quick reports, then they can say so. I don't see why they have a facility that only works in limited ways, without explanation.

Sorry, but in general, SpamCop.net woks just as advertised, the magic words used being "as is"

As to the matter of not identifying hosts, as I said, it seems to me that spammers have figured out how to hide these from spamcop. We've had discussions on that in the past, and I have seen how in many cases even my browser can't find a website (when I've experimented) except after multiple tries. However I have the impression that something has changed, because lately most of my browser attempts connect immediately but spamcop routinely reports it can find nothing.

If that is unique to the lists I'm on, or something else I don't know,

Most definitely. For example, probably 99% of the spam (attempts) to the newsgroup Archive/Mailing-List have no issue resolving included URLs. spam coming to 'my' e-mail addresses would probably come in at about 60-70%.

but I'm getting a real uncomfortable feeling coming here with observations like this and receiving replies about fueling fires that I haven't a clue about.

All I can say is that there is a lot of activity in other Forum sections that you probably don't see because you don't look in those other sections, probably due to non-interest in the subject matter. As I read 'everything' it's a bit hard at times to keep in mind that very few other people do ... but to 'forget' that I just replied to something elsewhere a few minutes prior to reading something in yet another Forum section about some other matter that does 'touch' a bit on other situations is something not always done well.

Anyone care to suggest I get a Phd in spamcop protocols before I post again?

The SpamCop FAQ found here and the SpamCop Wiki would be the normally suggested places to start.

I don't know what you mean. It most certainly looks if the report analysis says it can't find anything for the URL, doesn't it?

As I showed in my last post, this particular spammer is playing DNS server games. The tool I was using (and most certainly your web browser) kept trying and trying to resolve the URL, the SpamCop Parsing tool doesn't do that ... though you state that you've read/heard all that before.

Somewhat of a corollary, Airbus warns airlines after Air France crash contains some dialog that seems to actually fit here;

"This is a plane that is conceived by engineers for engineers and not always for pilots," Jean-Pierre Albran, a veteran pilot of Boeing 747s, told Le Parisien newspaper.

"For example on a 747, the throttle is pushed by hand. You feel it move in turbulence. On recent Airbuses, this throttle is fixed. You look at the dials. You don't feel anything."

In the case of SpamCop.net, back in the beginning, only Julian had the total knowledge of how things worked within the Parsing & Reporting System. These days, one would have to state that it's the Cisco/IronPort software engineers that would hold those 'secrets.' The Deputies, but one step removed from those folks, have described the 'engineering reports' from the Cisco/IronPort folks as pretty much gobbeltygook. The folks choosing to try to provide support here as volunteers are just as removed from "the core" as you are.

[rconner]

If spamcop simply wants to say that they have problems with auto copy of reports on quick reports, then they can say so. I don't see why they have a facility that only works in limited ways, without explanation.

Think of Quick Reporting as "SpamCop Lite." In exchange for SpamCop processing your mail more quickly and without your direct involvement, SpamCop only reports the mail sources that it finds via the parser. This makes sense if you think about it, since most of us who use user-defined reporting addresses don't really intend for them to be used in every case (e.g., no point in reporting spam to KnujOn if it has no URL in it), but SpamCop can't guess what the cases are and so simply omits all the user-defined addresses. I don't have any evidence that KnujOn is singled out in any way, I think that all user-defined reports (e.g., uce[at]fcc.gov or whatever that address is) will be skipped. To infer from this that SpamCop discourages copying reports to KnujOn is not accurate, as far as I can tell; I've seen nothing in these forums or in official SpamCop policies that bears on this.

As to the matter of not identifying hosts, as I said, it seems to me that spammers have figured out how to hide these from spamcop.

Perhaps, but this may be as much by accident as by design. I think I've pointed out the many problems involved with tracing spam URLs, the first of which is that you have to be able to resolve them quickly in DNS (something that is typically not required when dealing with a spam source, which is always identified directly by IP address). If the spammer's DNS is slow to respond (as these often are), SpamCop apparently won't wait around and will simply move on. Your browser is generally more tolerant of slow DNS (and, recall, "slow" could be as little as a second or so) and will probably dig up the site where SpamCop doesn't. It may well be that some spammers have "cooked" their DNS to refuse service to clients known to be controlled by SpamCop, and perhaps this is what we are dealing with here, but I have no hard evidence of this.

I see that you are frustrated with SpamCop because you think it is failing to do things that seem reasonable and logical to you, and is not laying out clearly why it doesn't do them. I agree with a lot of what you say, the state of "official" SpamCop documentation is pretty bad (a lack we have tried to make up for here in the forums and on the Wiki that no one wants to be told to read, and that even some paid SpamCop staff appear to think is twaddle). My own attitude is to use SpamCop for the things it is good at, and to use KnujOn et. al. for the things they are good at. I reserve my annoyance for the spammers who have thrust all this work upon me.

-- rick

[Farelf]

...As to the matter of not identifying hosts, as I said, it seems to me that spammers have figured out how to hide these from spamcop.

Straight-forward links are identified perfectly. As explained, time and again (here and elsewhere), it is not surprising that links engineered so no single host can be targeted for take-down will usually cause the parser, looking within a limited time for a single host, to give up. That must say something about the 'styles' of spam business - their 'business plans'. It certainly says SC is not primarily concerned with 'spamvertizements' in all their variations.

About the only spam I see these days are banking phishes, the ones I get are the typical 'human engineering' things designed to panic a customer into going to a bogus website and revealing all their account access details. They are quite targeted and (for spam) involve high potential gain for relatively low volume. It is, each time, a hit-and-run operation in terms of the bogus, high-quality, high-reliability website to which the victim is directed (or re-directed). That is quite different to the 'everyday' spam targets which are high volume, 'shotgun' operations with little reliance on individual response and an interest in remaining viable for the maximum time (and set up accordingly).

'Horses for courses' as they say - SC is still serving a useful purpose in the body-parsing, link-tracing function though not for (most people's) bulk of spam, as it has evolved today. And it really can't work as the 'Swiss army knife' of anti-spam applications that many (including me) would like it to be. Nothing can do that currently - and there are huge problems to be overcome in implementing anything that could do that, as repeatedly discussed (elsewhere). That's how I see it, I allow myself to 'get over it' accordingly.

[Miss Betsy]

I don't know what you mean by that. It's a simple enough question and I'm not fueling anything. If spamcop simply wants to say that they have problems with auto copy of reports on quick reports, then they can say so. I don't see why they have a facility that only works in limited ways, without explanation.

I see. What you want to do is to send the spam to knujon when you quick report and that doesn't work. I would guess that the reason user-defined reporting addresses are not auto-copied on quick reports is because reporters are required to check them to send. That feature may even have been user requested, since some people like to send reports of 419s to certain sites, but of course, would not want to send reports of other types of spam to those sites.

As to the matter of not identifying hosts, as I said, it seems to me that spammers have figured out how to hide these from spamcop.

Yes, the spammers have figured out how to hide these from spamcop. spamcop made a decision not to continue an arms race with the spammers on finding urls in the body and to concentrate on finding the source of the spam. If you have read discussions of this in the past, you know that the philosophy is that blocking the source of spam effectively reduces the amount of spam in one's inbox. In fact, spamcop announced that it was discontinuing searching for urls in the spam body altogether at one time. However, the people who block using the urls in spam bodies raised an outcry and spamcop agreed to continue with the understanding that there would be very little attention paid to that part of the parser.

There is another difference in philosophy between spamcop and knujon. spamcop began very early in internet history. Early users of the internet were very impressed by the freedom of the internet. They enjoyed it. 'My server, my rules' In other words, you want to send me unsolicited email, fine - but I don't have to accept it. The early users of the internet did not want to dictate to other users how to use the internet. They established an etiquette of usage that was considerate and cooperative with other users. If a user was rude, they just ignored him/her. And that is the philosophy of spamcop - as long as you keep sending spam, my server will block all email from your server. (or in the case of zombies, your computer).

knujon is relatively recent - their philosophy is to stop spammers from sending spam by closing down the reason for the spam - the website that is advertised in spam. IMHO, it is not in the best interests of the freedom on the internet to close down websites because of what they are and closing them down for what they do is perilously near to censorship. However, most responsible web hosts do have a clause in their contracts that prohibits advertising a site via unsolicited email because spamming is such a breach of internet etiquette.

But the bottom line in anything is always economic. One has to pay for internet access. Even graffiti artists have to buy their spray paint. spam continues because someone is willing to pay for the bandwidth and access and someone is willing to sell it to them. One cannot prevent graffiti artists from causing you economic pain by either hiring guards or cleaning up. One can prevent spammers from using your bandwidth by blocking. You don't have to force anyone to do something or cease doing something. And they can't force you to use bandwidth to accept their spam.

It is not a childish subject - philosophy. It is also not childish to use tools the way they were designed to be used. Children put sharp objects in electrical outlets because they don't understand how to use tools properly. It is not dangerous to try to use spamcop to report urls in the spam body, but it is not using the tool the way it is meant to be used.

Miss Betsy

[Lking]

However a "quick report and trash" submit does not include the knujon address in the reports, and that is how I submit 99% of my reports.

As miss Betsy has said we are talking different tools for different uses. I use to have a template email pre-addressed to SpamCop quick and to knujon. I then dragged and dropped spam as attachments and email to both.

If you got to http://www.knujon.com/sendusspam.html#In%20Outlook you will find several tricks that may help you. On that page I found a "Thunderbird extension that Forwards all emails marked Junk (as attachments) to KnujOn.com (softpedia.com) "

I used this tools options and added my quick address to the list and can send blocks of spam to both with 2 click.