cwg Posted May 23, 2010 Share Posted May 23, 2010 Wait, when did ATT become black hat to where their reporting address is devnull'ed? Tracking message source: 98.88.220.188: Routing details for 98.88.220.188 [refresh/show] Cached whois for 98.88.220.188 : abuse[at]bellsouth.net Using abuse net on abuse[at]bellsouth.net abuse net bellsouth.net = abuse[at]att.net Using best contacts abuse[at]att.net Reports disabled for abuse[at]att.net Using abuse#att.net[at]devnull.spamcop.net for statistical tracking. Link to comment Share on other sites More sharing options...
Farelf Posted May 24, 2010 Share Posted May 24, 2010 Wait, when did ATT become black hat to where their reporting address is devnull'ed? ...Good question - Don or the deputies would know. The standard reasons for that action are given:No valid email addresses found, sorry! There are several possible reasons for this: The site involved may not want reports from SpamCop. SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing. SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address. There may be no working email address to receive reports. Maybe it's the internal routing one - though that's not the impression given by "Reports disabled for abuse[at]att.net Using abuse#att.net[at]devnull.spamcop.net for statistical tracking." It is a worry. Anyway, applies to (at least) most of what SenderBase says is "Network Owner BellSouth.net Domain bellsouth.net": NetRange: 98.64.0.0 - 98.95.255.255 CIDR: 98.64.0.0/11 Abuse Email: abuse[at]att.net NetRange: 184.32.0.0 - 184.47.255.255 CIDR: 184.32.0.0/12 NetRange: 204.127.0.0 - 204.127.255.255 CIDR: 204.127.0.0/16 NetRange: 207.203.0.0 - 207.203.255.255 CIDR: 207.203.0.0/16 NetRange: 208.61.128.0 - 208.61.159.255 CIDR: 208.61.128.0/19 NetRange: 65.0.0.0 - 65.15.255.255 CIDR: 65.0.0.0/12 NetRange: 65.80.0.0 - 65.83.255.255 CIDR: 65.80.0.0/14 NetRange: 66.20.0.0 - 66.21.255.255 CIDR: 66.20.0.0/15 etc., etc. - an exception within that is: NetRange: 207.115.0.0 - 207.115.63.255 CIDR: 207.115.0.0/18 Abuse Email: abuse[at]sbcglobal.net ... vide 207.115.11.17 and Ameritech, SB says. Link to comment Share on other sites More sharing options...
SpamCopAdmin Posted May 24, 2010 Share Posted May 24, 2010 I disabled the reports. They don't appear to have noticed. - Don D'Minion - SpamCop Admin - Link to comment Share on other sites More sharing options...
Farelf Posted May 24, 2010 Share Posted May 24, 2010 Thanks Don, marking resolved with this post. People will be curious - but a little reflection on the "They don't appear to have noticed." comment should a be sufficient tip-off. In some/a few cases of disinterest in SC reports it is possible to get a reaction (or a least a response) to a Manual Report - see that Wiki entry, anyone unsure of the meaning. Link to comment Share on other sites More sharing options...
mrmaxx Posted June 6, 2010 Share Posted June 6, 2010 Thanks Don, marking resolved with this post. People will be curious - but a little reflection on the "They don't appear to have noticed." comment should a be sufficient tip-off. In some/a few cases of disinterest in SC reports it is possible to get a reaction (or a least a response) to a Manual Report - see that Wiki entry, anyone unsure of the meaning. Note: I have a contact at AT&T (a fellow geek on a mailing list) whom I can contact to see if AT&T is now spam-friendly. I seriously doubt it, but just guessing here -- it could be that the alleged spammer has convinced AT&T that this is a case of mistaken reporting, where they claim people have signed up for a mailing list or have failed to opt-out of a mailing list and so they are not guilty of "spamming" per se. Granted, our definition of the word "spam" and the legal definition are two different things, but I still think that if someone reports it, they should investigate. I'll follow up with my contact to see if he knows of any official or unofficial changes to AT&T spam policy. Link to comment Share on other sites More sharing options...
Snowbat Posted June 12, 2010 Share Posted June 12, 2010 Alleged spammer? I thought Don disabled their reports due to http://forum.spamcop.net/forums/index.php?showtopic=11343 Here's a sample of the boilerplate their attglobal.net division started sending in response to SpamCop reports. They closed the ticket, apparently ignoring the data provided They failed to include the SpamCop report ID in the subject or body They failed to reply to the [at]reports.spamcop.net address (reply was sent to the From address in the spam) My reply pointing out the above problems bounced with "<rm-aots-ticketing[at]ems.att.com> Permanent Failure: Other address status" From: ts03 <abuse[at]attglobal.net> To: [REDACTED] Subject: Howdy, [REDACTED]! Today you get 85% Cash-Back No evolution (REF:#_aotsmail_000000123598975) Date: 06-05-2010 12:08 This is the report of the incident you should receive. Sev: 4 - Warning For Account: aotsmail Incident Number: 000000123598975 Status: Closed Last Updated: 05/06/2010 15:08:54 (UTC) ******************** Summary: Howdy, [REDACTED]! Today you get 85% Cash-Back No evolution the _______________________________________________________________ Thank you for taking the time to inform us of this situation. However, we cannot take any further action until you provide us with the actual connection logs. These connection logs will include the complete IP address, date, time and time zone associated with the abusive action. Only with this information can we identify the responsible individual. Regards, Postmaster To find more information on filtering spam, please visit http://help.attbusiness.net/index.cfm and type the word filter into the search engine. If you feel we handled this incident improperly or require assistance providing headers, please call 800-821-4612. DO NOT reply directly via e-mail. If you need additional assistance, please send a new e-mail to abuse[at]attglobal.net Ticket has been Closed Email Problem ******************** If replying via email, do not alter the reference id in the subject line and send only new information, do not send entire note again. Do not send attachments, graphics or images. Link to comment Share on other sites More sharing options...
Farelf Posted June 12, 2010 Share Posted June 12, 2010 Alleged spammer? I thought Don disabled their reports due to http://forum.spamcop.net/forums/index.php?showtopic=11343 Here's a sample of the boilerplate their attglobal.net division started sending in response to SpamCop reports. They closed the ticket, apparently ignoring the data provided They failed to include the SpamCop report ID in the subject or body They failed to reply to the [at]reports.spamcop.net address (reply was sent to the From address in the spam) My reply pointing out the above problems bounced with "<rm-aots-ticketing[at]ems.att.com> Permanent Failure: Other address status" Thanks Snowbat - sounds like someone needs to contact them on 800-821-4612 and go through all the frustrations of dancing with the scri_pt-droids if they are to be coaxed back onto the paths of righteousness. They seem to be doing the three wise monkeys act but forgot about the "speak no evil" part (effective stochastic and heuristic outwards filtering and/or blocking direct sending from domestic accounts, responsibility and complaint monitoring concerning commercial accounts). Two out of three ain't wise - it's bottom-line beancounter territory and may a murrain take their herds as they duly deserve. In the meantime any sources in their netspace get reported and (with sufficient weight) listed in the SCbl, which is the principal object. Link to comment Share on other sites More sharing options...
cwg Posted June 30, 2010 Author Share Posted June 30, 2010 Got off the phone, the recommendation is to send it to abuse[at]bellsouth.net Link to comment Share on other sites More sharing options...
turetzsr Posted June 30, 2010 Share Posted June 30, 2010 ...Due to new datum from cwg, I have removed the "Resolved" flag, hoping for acknowledgement from a SpamCop employee. Link to comment Share on other sites More sharing options...
cwg Posted July 1, 2010 Author Share Posted July 1, 2010 And I open my inbox this morning, and got a double reply from my manual report to abuse[at]att.net Return-path: <please_do_not_reply[at]att.net> Envelope-to: user[at]mywebsite.com Delivery-date: Wed, 30 Jun 2010 15:42:00 +0000 Received: from abuse-att.net ([12.1.241.201]) by mywebsite.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <please_do_not_reply[at]att.net>) id 1OTzQG-0000q6-Ds for user[at]mywebsite.com; Wed, 30 Jun 2010 15:42:00 +0000 Received: (qmail 6621 invoked by uid 210); 30 Jun 2010 15:41:57 -0000 Received: from 127.0.0.1 by mailwallout (envelope-from <please_do_not_reply[at]att.net>, uid 201) with qmail-scanner (Clear:RC:1(127.0.0.1):. Processed in 0.016578 secs); 30 Jun 2010 15:41:57 -0000 Received: from hades.sgi.int (127.0.0.1) by mailwallout.sgi.int with ESMTPS (DHE-RSA-AES256-SHA encrypted); 30 Jun 2010 15:41:57 -0000 Received: (qmail 10588 invoked by uid 1001); 30 Jun 2010 15:41:57 -0000 Date: 30 Jun 2010 15:41:57 -0000 Message-ID: <20100630154157.10587.qmail[at]hades.sgi.int> X-OID: 063010-114157-60844-00 To: user[at]mywebsite.com From: please_do_not_reply[at]att.net Subject: Re: SpamCop.net [063010-114157-60844-00] THIS IS AN AUTO-RESPONSE MESSAGE - PLEASE DO NOT REPLY - AT&T WILL NOT SEE ANY REPLY SENT TO THIS MESSAGE NOTE: Responsibility for abuse[at]bellsouth.net has been assumed by abuse[at]att.net. Your report has been forwarded automatically. You do NOT need to resend your report. In the future please send your reports for bellsouth.net directly to abuse[at]att.net. This message confirms that your report has been received by the AT&T Internet Services Security Center. The AT&T Internet Services Acceptable Use Policy is located at http://my.att.net/legal/aup. Please note that we can only take action on reports that implicate the AT&T network as a source of abuse. As we are unable to take any action on reports not involving AT&T's network, we recommend that you send those reports directly to the abuse address of the originating domain or service provider. You can identify the originator by reading the expanded e-mail headers. If you need help with reading headers, visit the following: http://spamcop.net/fom-serve/cache/19.html For any abuse report involving e-mail, it is essential that the report include the full original expanded headers containing the source IP address and time stamp, along with the complete unedited subject line and message. A report cannot be investigated without this information. Please send one report at a time, as combining multiple reports only detracts from our ability to effectively and efficiently address abuse issues. For abuse reports involving security incidents, please include relevant log excerpts of the incident directly in the body of your message. Logs must be in plain text or ASCII format and include the time zone, source IP address, destination IP, timestamps, and port numbers. If you are an AT&T customer and have a specific question related to spam, including how to report messages you received as spam to AT&T, please visit http://helpme.att.net, enter your email id and domain, and use the help search box to search for "spam" to reference spam FAQs for your service type. For Copyright, Trademark, or DMCA allegations of Infringement, please visit: http://www.att.net/legal/copyright If your report involves a threat, please take steps to protect yourself and your property by reporting the incident to your local law enforcement agency. We will investigate your complaint and cooperate fully with any requests from law enforcement. You will receive no further contact from us, unless there are special circumstances or we require additional information to complete our investigation. AT&T Internet Services Security Center Link to comment Share on other sites More sharing options...
Fonman805 Posted July 2, 2010 Share Posted July 2, 2010 And I open my inbox this morning, and got a double reply from my manual report to abuse[at]att.net <snip> Please note that we can only take action on reports that implicate the AT&T network as a source of abuse. As we are unable to take any action on reports not involving AT&T's network, we recommend that you send those reports directly to the abuse address of the originating domain or service provider. You can identify the originator by reading the expanded e-mail headers. If you need help with reading headers, visit the following: http://spamcop.net/fom-serve/cache/19.html <snip> AT&T Internet Services Security Center I have been seeing the same double auto-responses from AT&T for at least the last two months. One time in late May I received 12 auto-responses to a single abuse submission. It seems a bit odd that the message still references SpamCop even though they aren't receiving SpamCop reports, and don't seem to have noticed, or maybe they just don't care. Link to comment Share on other sites More sharing options...
kmolloy Posted July 3, 2010 Share Posted July 3, 2010 ...Due to new datum from cwg, I have removed the "Resolved" flag, hoping for acknowledgement from a SpamCop employee. If the OP could send this to deputies[at]spamcop.net with a brief explanation, we can look at the data and see if a change in routing is needed. Thanks! (We prefer to use deputies[at] for trackability purposes). Link to comment Share on other sites More sharing options...
cwg Posted July 4, 2010 Author Share Posted July 4, 2010 Send what? It was a phone conversation. Link to comment Share on other sites More sharing options...
Farelf Posted July 5, 2010 Share Posted July 5, 2010 Send what?...A statement of the recommendation - report to abuse[at]bellsouth.net, so the deputies have a record in their preferred form (which is a new stipulation AFAICT). But that att/bellsouth recommendation seems to have been promptly repudiated by the subsequent advice, as you advisedNOTE: Responsibility for abuse[at]bellsouth.net has been assumed by abuse[at]att.net. Your report has been forwarded automatically. You do NOT need to resend your report. In the future please send your reports for bellsouth.net directly to abuse[at]att.net. - that was presumably after sending a manual report to abuse[at]bellsouth.net. As noted elsewhere, and apparently confirmed by Fonman805 in this topic with specific reference to att.net, providers ignoring SC reports often/sometimes accept manual reports, or at least send auto responses. Most SC users would not know if SC reports (when they are sent) generate an auto response since 'robot' responses are rejected in their profiles by default. At the end of the the day it looks like att simply gave you the run-around when it comes to SC reports. But there is inertia in large organisations, any change they might have made may still be working its way though their system (that is to say the autoresponse note not to use abuse[at]bellsouth.net might be incorrect, old words). The deputies might or might not want to over-ride the present devnull, you could send them an e-mail simply re-stating your efforts and the 'phone response and let them consider. Clearly a number of users aren't ready to give up on att.net just yet and the ease of SC reporting compared to manual reporting would be a welcome restoration. And the added volume of VER/Quick reporting would help att if att actually want to control their network. Don and the Deputies will be best placed to detect any change in whatever att behaviour concerning listed and reported IP addresses triggered Don's present over-ride if they do relent and resume reporting. Well, we know what the behaviour was - there was no appreciable difference when they were not reported. The overheads saved in simply devnulling, no doubt, then seemed worthwhile. Maybe mrmaxx has learned something from his inside source and can add to this? (Direct to the deputies if it is privileged, not for broadcast - in which case some hint 'here' would be appreciated.) The advantage of coverage in the forum in such matters is both to spread the knowledge and to reduce duplicated effort and not everything needs to be spelled out in exquisite detail to progress those objectives. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.