cwg

Using abuse#att.net[at]devnull.spamcop.net for statistical tracking.


Wait, when did ATT become black hat to where their reporting address is devnull'ed?

Tracking message source: 98.88.220.188:
Routing details for 98.88.220.188
[refresh/show] Cached whois for 98.88.220.188 : abuse[at]bellsouth.net
Using abuse net on abuse[at]bellsouth.net
abuse net bellsouth.net = abuse[at]att.net
Using best contacts abuse[at]att.net
Reports disabled for abuse[at]att.net
Using abuse#att.net[at]devnull.spamcop.net for statistical tracking. :blink:

Wait, when did ATT become black hat to where their reporting address is devnull'ed? ...
Good question - Don or the deputies would know. The standard reasons for that action are given:
No valid email addresses found, sorry!

There are several possible reasons for this:

  • The site involved may not want reports from SpamCop.
  • SpamCop administrators may have decided to stop sending reports to the site to prevent listwashing.
  • SpamCop uses internal routeing to contact this site, only knows about the internal method and so cannot provide an externally-valid email address.
  • There may be no working email address to receive reports.

Maybe it's the internal routing one - though that's not the impression given by "Reports disabled for abuse[at]att.net

Using abuse#att.net[at]devnull.spamcop.net for statistical tracking." It is a worry.

Anyway, applies to (at least) most of what SenderBase says is "Network Owner BellSouth.net Domain bellsouth.net":

NetRange: 98.64.0.0 - 98.95.255.255
CIDR: 98.64.0.0/11
Abuse Email: abuse[at]att.net

NetRange: 184.32.0.0 - 184.47.255.255
CIDR: 184.32.0.0/12

NetRange: 204.127.0.0 - 204.127.255.255
CIDR: 204.127.0.0/16

NetRange: 207.203.0.0 - 207.203.255.255
CIDR: 207.203.0.0/16

NetRange: 208.61.128.0 - 208.61.159.255
CIDR: 208.61.128.0/19

NetRange: 65.0.0.0 - 65.15.255.255
CIDR: 65.0.0.0/12

NetRange: 65.80.0.0 - 65.83.255.255
CIDR: 65.80.0.0/14

NetRange: 66.20.0.0 - 66.21.255.255
CIDR: 66.20.0.0/15

etc., etc. - an exception within that is:

NetRange: 207.115.0.0 - 207.115.63.255
CIDR: 207.115.0.0/18
Abuse Email: abuse[at]sbcglobal.net

... vide 207.115.11.17 and Ameritech, SB says.


Thanks Don, marking resolved with this post. People will be curious - but a little reflection on the "They don't appear to have noticed." comment should be a sufficient tip-off.

In some/a few cases of disinterest in SC reports it is possible to get a reaction (or at least a response) to a Manual Report - see that Wiki entry, anyone unsure of the meaning.

Thanks Don, marking resolved with this post. People will be curious - but a little reflection on the "They don't appear to have noticed." comment should be a sufficient tip-off.

In some/a few cases of disinterest in SC reports it is possible to get a reaction (or at least a response) to a Manual Report - see that Wiki entry, anyone unsure of the meaning.

Note:

I have a contact at AT&T (a fellow geek on a mailing list) whom I can contact to see if AT&T is now spam-friendly. I seriously doubt it, but just guessing here -- it could be that the alleged spammer has convinced AT&T that this is a case of mistaken reporting, where they claim people have signed up for a mailing list or have failed to opt-out of a mailing list and so they are not guilty of "spamming" per se.

Granted, our definition of the word "spam" and the legal definition are two different things, but I still think that if someone reports it, they should investigate.

I'll follow up with my contact to see if he knows of any official or unofficial changes to AT&T spam policy.


Alleged spammer? I thought Don disabled their reports due to http://forum.spamcop.net/forums/index.php?showtopic=11343

Here's a sample of the boilerplate their attglobal.net division started sending in response to SpamCop reports.

  • They closed the ticket, apparently ignoring the data provided
  • They failed to include the SpamCop report ID in the subject or body
  • They failed to reply to the [at]reports.spamcop.net address (reply was sent to the From address in the spam)
  • My reply pointing out the above problems bounced with "<rm-aots-ticketing[at]ems.att.com> Permanent Failure: Other address status"

From: ts03 <abuse[at]attglobal.net>
To: [REDACTED]
Subject: Howdy, [REDACTED]! Today you get 85% Cash-Back No evolution (REF:#_aotsmail_000000123598975)
Date: 06-05-2010 12:08

This is the report of the incident you should receive. Sev: 4 - Warning
For Account: aotsmail Incident Number: 000000123598975 Status: Closed
Last Updated: 05/06/2010 15:08:54 (UTC)
********************
Summary: Howdy, [REDACTED]! Today you get 85% Cash-Back No evolution the
_______________________________________________________________
Thank you for taking the time to inform us of this situation.
However, we cannot take any further action
until you provide us with the actual connection logs.
These connection logs will include the complete IP
address, date, time and time zone associated with the
abusive action. Only with this information can we
identify the responsible individual.

Regards,
Postmaster

To find more information on filtering spam, please visit
http://help.attbusiness.net/index.cfm
and type the word filter into the search engine.

If you feel we handled this incident improperly or require
assistance providing headers, please call 800-821-4612.

DO NOT reply directly via e-mail. If you need additional assistance,
please send a new e-mail to abuse[at]attglobal.net

Ticket has been Closed
Email Problem
********************
If replying via email, do not alter the reference id in the subject line and send only new information, do not send entire note again. Do not send attachments, graphics or images.

Edited by Snowbat

Alleged spammer? I thought Don disabled their reports due to http://forum.spamcop.net/forums/index.php?showtopic=11343

Here's a sample of the boilerplate their attglobal.net division started sending in response to SpamCop reports.

  • They closed the ticket, apparently ignoring the data provided
  • They failed to include the SpamCop report ID in the subject or body
  • They failed to reply to the [at]reports.spamcop.net address (reply was sent to the From address in the spam)
  • My reply pointing out the above problems bounced with "<rm-aots-ticketing[at]ems.att.com> Permanent Failure: Other address status"

Thanks Snowbat - sounds like someone needs to contact them on 800-821-4612 and go through all the frustrations of dancing with the script-droids if they are to be coaxed back onto the paths of righteousness. They seem to be doing the three wise monkeys act but forgot about the "speak no evil" part (effective stochastic and heuristic outwards filtering and/or blocking direct sending from domestic accounts, responsibility and complaint monitoring concerning commercial accounts). Two out of three ain't wise - it's bottom-line beancounter territory and may a murrain take their herds as they duly deserve.

In the meantime any sources in their netspace get reported and (with sufficient weight) listed in the SCbl, which is the principal object.


Got off the phone, the recommendation is to send it to abuse[at]bellsouth.net


...Due to new datum from cwg, I have removed the "Resolved" flag, hoping for acknowledgement from a SpamCop employee.


And I open my inbox this morning, and got a double reply from my manual report to abuse[at]att.net

Return-path: <please_do_not_reply[at]att.net>
Envelope-to: user[at]mywebsite.com
Delivery-date: Wed, 30 Jun 2010 15:42:00 +0000
Received: from abuse-att.net ([12.1.241.201])
    by mywebsite.com with esmtps (TLSv1:AES256-SHA:256)
    (Exim 4.69)
    (envelope-from <please_do_not_reply[at]att.net>)
    id 1OTzQG-0000q6-Ds
    for user[at]mywebsite.com; Wed, 30 Jun 2010 15:42:00 +0000
Received: (qmail 6621 invoked by uid 210); 30 Jun 2010 15:41:57 -0000
Received: from 127.0.0.1 by mailwallout (envelope-from <please_do_not_reply[at]att.net>, uid 201) with qmail-scanner
    (Clear:RC:1(127.0.0.1):.
    Processed in 0.016578 secs); 30 Jun 2010 15:41:57 -0000
Received: from hades.sgi.int (127.0.0.1)
    by mailwallout.sgi.int with ESMTPS (DHE-RSA-AES256-SHA encrypted); 30 Jun 2010 15:41:57 -0000
Received: (qmail 10588 invoked by uid 1001); 30 Jun 2010 15:41:57 -0000
Date: 30 Jun 2010 15:41:57 -0000
Message-ID: <20100630154157.10587.qmail[at]hades.sgi.int>
X-OID: 063010-114157-60844-00
To: user[at]mywebsite.com
From: please_do_not_reply[at]att.net
Subject: Re: SpamCop.net

[063010-114157-60844-00]

THIS IS AN AUTO-RESPONSE MESSAGE - PLEASE DO NOT REPLY - AT&T WILL
NOT SEE ANY REPLY SENT TO THIS MESSAGE

NOTE: Responsibility for abuse[at]bellsouth.net has been assumed
by abuse[at]att.net. Your report has been forwarded automatically.
You do NOT need to resend your report. In the future please send
your reports for bellsouth.net directly to abuse[at]att.net.

This message confirms that your report has been received by the
AT&T Internet Services Security Center.

The AT&T Internet Services Acceptable Use Policy is located at
http://my.att.net/legal/aup.

Please note that we can only take action on reports that implicate
the AT&T network as a source of abuse. As we are unable to take
any action on reports not involving AT&T's network, we recommend
that you send those reports directly to the abuse address of the
originating domain or service provider. You can identify the
originator by reading the expanded e-mail headers. If you need
help with reading headers, visit the following:
http://spamcop.net/fom-serve/cache/19.html

For any abuse report involving e-mail, it is essential that the
report include the full original expanded headers containing the
source IP address and time stamp, along with the complete unedited
subject line and message. A report cannot be investigated without
this information. Please send one report at a time, as combining
multiple reports only detracts from our ability to effectively and
efficiently address abuse issues.

For abuse reports involving security incidents, please include
relevant log excerpts of the incident directly in the body of your
message. Logs must be in plain text or ASCII format and include
the time zone, source IP address, destination IP, timestamps, and
port numbers.

If you are an AT&T customer and have a specific question related to
spam, including how to report messages you received as spam to
AT&T, please visit http://helpme.att.net, enter your email id and
domain, and use the help search box to search for "spam" to
reference spam FAQs for your service type.

For Copyright, Trademark, or DMCA allegations of Infringement,
please visit:
http://www.att.net/legal/copyright

If your report involves a threat, please take steps to protect
yourself and your property by reporting the incident to your local
law enforcement agency. We will investigate your complaint and
cooperate fully with any requests from law enforcement.

You will receive no further contact from us, unless there are
special circumstances or we require additional information to
complete our investigation.

AT&T Internet Services Security Center

Edited by cwg
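
The auto-response above asks for the source IP address and time stamp from the full headers. The following is an added example, not part of the original post and not SpamCop's or AT&T's code, that pulls both from a subset of the Received chain quoted in that post. The function names are this example's own, and it only recognises a bracketed or parenthesised IPv4 address in the "from" clause.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Subset of the Received chain from the auto-response quoted in the post
# ("[at]" restored to "@", continuation lines re-folded with tabs).
RAW = (
    "Received: from abuse-att.net ([12.1.241.201])\n"
    "\tby mywebsite.com with esmtps (TLSv1:AES256-SHA:256)\n"
    "\t(Exim 4.69)\n"
    "\t(envelope-from <please_do_not_reply@att.net>)\n"
    "\tid 1OTzQG-0000q6-Ds\n"
    "\tfor user@mywebsite.com; Wed, 30 Jun 2010 15:42:00 +0000\n"
    "Received: (qmail 6621 invoked by uid 210); 30 Jun 2010 15:41:57 -0000\n"
    "Received: from hades.sgi.int (127.0.0.1)\n"
    "\tby mailwallout.sgi.int with ESMTPS (DHE-RSA-AES256-SHA encrypted);"
    " 30 Jun 2010 15:41:57 -0000\n"
    "Subject: Re: SpamCop.net\n\n"
)

BRACKETED_IP = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def parse_hops(raw):
    """Return [(ip_or_None, datetime_or_None), ...], top-down, one per Received header."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())             # undo header folding
        clause, sep, stamp = flat.rpartition(";")  # timestamp follows the last ';'
        sender = re.match(r"from (.*?) by ", clause)
        found = sender and BRACKETED_IP.search(sender.group(1))
        try:
            ip = ipaddress.ip_address(found.group(1)) if found else None
        except ValueError:                         # octet out of range, e.g. 999.1.1.1
            ip = None
        try:
            when = parsedate_to_datetime(stamp.strip()) if sep else None
        except (TypeError, ValueError):            # unparseable date
            when = None
        hops.append((ip, when))
    return hops

def reportable_source(raw):
    """IP and time of the topmost hop with a public address.

    The topmost Received line is written by the recipient's own server, so it is
    the hop to quote in a report; loopback and private hops are skipped.
    """
    for ip, when in parse_hops(raw):
        if ip is not None and ip.is_global and when is not None:
            return str(ip), when.isoformat()
    return None
```
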

And I open my inbox this morning, and got a double reply from my manual report to abuse[at]att.net

<snip>

Please note that we can only take action on reports that implicate the AT&T network as a source of abuse. As we are unable to take any action on reports not involving AT&T's network, we recommend that you send those reports directly to the abuse address of the originating domain or service provider. You can identify the originator by reading the expanded e-mail headers. If you need help with reading headers, visit the following:

http://spamcop.net/fom-serve/cache/19.html

<snip>

AT&T Internet Services Security Center

I have been seeing the same double auto-responses from AT&T for at least the last two months. One time in late May I received 12 auto-responses to a single abuse submission. :huh:

It seems a bit odd that the message still references SpamCop even though they aren't receiving SpamCop reports, and don't seem to have noticed, or maybe they just don't care. :rolleyes:

...Due to new datum from cwg, I have removed the "Resolved" flag, hoping for acknowledgement from a SpamCop employee.

If the OP could send this to deputies[at]spamcop.net with a brief explanation, we can look at the data and see if a change in routing is needed. Thanks!

(We prefer to use deputies[at] for trackability purposes).


Send what?

It was a phone conversation.

Edited by cwg

Send what?...
A statement of the recommendation - report to abuse[at]bellsouth.net, so the deputies have a record in their preferred form (which is a new stipulation AFAICT). But that att/bellsouth recommendation seems to have been promptly repudiated by the subsequent advice, as you advised
NOTE: Responsibility for abuse[at]bellsouth.net has been assumed
by abuse[at]att.net. Your report has been forwarded automatically.
You do NOT need to resend your report. In the future please send
your reports for bellsouth.net directly to abuse[at]att.net.

- that was presumably after sending a manual report to abuse[at]bellsouth.net. As noted elsewhere, and apparently confirmed by Fonman805 in this topic with specific reference to att.net, providers ignoring SC reports often/sometimes accept manual reports, or at least send auto responses. Most SC users would not know if SC reports (when they are sent) generate an auto response since 'robot' responses are rejected in their profiles by default.

At the end of the day it looks like att simply gave you the run-around when it comes to SC reports. But there is inertia in large organisations, any change they might have made may still be working its way through their system (that is to say the autoresponse note not to use abuse[at]bellsouth.net might be incorrect, old words). The deputies might or might not want to over-ride the present devnull, you could send them an e-mail simply re-stating your efforts and the 'phone response and let them consider.

Clearly a number of users aren't ready to give up on att.net just yet and the ease of SC reporting compared to manual reporting would be a welcome restoration. And the added volume of VER/Quick reporting would help att if att actually want to control their network. Don and the Deputies will be best placed to detect any change in whatever att behaviour concerning listed and reported IP addresses triggered Don's present over-ride if they do relent and resume reporting. Well, we know what the behaviour was - there was no appreciable difference when they were not reported. The overheads saved in simply devnulling, no doubt, then seemed worthwhile.

Maybe mrmaxx has learned something from his inside source and can add to this? (Direct to the deputies if it is privileged, not for broadcast - in which case some hint 'here' would be appreciated.) The advantage of coverage in the forum in such matters is both to spread the knowledge and to reduce duplicated effort and not everything needs to be spelled out in exquisite detail to progress those objectives.
