[Resolved] Receiving 50 Malware E-mails A Day

[Wazoo]

To be frank, I just had to google "What is ISP?" As I had guessed it means "Internet Service Provider", but otherwise I would not have been sure.

This as an example of the extend of my technical Internet knowledge. Nearly zilch.

Reading through the FAQ list I see so many abbreviations I have no idea what they stand for -let alone know what they would mean in the context of what I need to know to set up safely reporting spam- that I don't even want to begin studying it. It would take me many hours of reading, googling, and still asking lots of questions here...

At the top of this page, check the dropdown menu offered under the link FAQs & Words .... The Glossary hasn't been touched in quite a while as we've tried to move it all over into the Wiki.

I just now tried to register for the free reporting option, but I got a message that my e-mail address has already been registered. I did have a paid account, but for the given reasons in my last post had asked to cancel it and been given a refund:

Please see

Why are there so many different account names/passwords needed?

SpamCop Reporting Accounts

OK, you had a SpamCop e-mail account. It would follow that you have things set-up to log into either webmail.spamcop.net or mailsc.spamcp.net ..... both would be trying to use the credentials of this "paid" account, and trying to connect to the CESMail servers.

I would like to be able to report the malicious e-mail stream I am still receiving

Pointing your web-browser to www.spamcop.net should allow you to then login using the your non-SpamCop.net e-mail account data (or Register using that address??) as this would use the Cisco/IronPort/SpamCop servers for the Parsing & Reporting System.

Question: Why might it be better not to utilize MailWasher's 'bounce back' option?

Can't thiink of that many instances where the MailWasher "Bounce" feature has been mentioned without the pretty much automatic answer being provided. Do NOT use it!! It is a wonder that they still include that function, as it will only serve to get "you" into trouble.

[Lodewijk]

Thank you for explaining why using the 'bounce back' feature is unsafe. Trusting the advice not to use it even before receiving the explanations I had already un-checked that option to make sure I would not use it by mistake.

I have asked the SpamCop admin. if he can change the e-mail address I used in the now canceled paid account to a free one. It would be handy if all I have to do is just fill in that address on MailWasher's 'Enable SpamCop Reporting' interface panel.

From the little experiment I found out that only checking 'SpamCop blackist' -leaving 'Spamhause blacklist' un-checked- indeed some of the mail marked as spam has the message "Origin blacklisted by SpamCop." But many don't have that message even though they are marked as spam, some even as "Possible Virus."

This makes me think that possibly not all of them are on SpamCop's blacklist. If this would be so, would it do any harm if I check both 'Spamhause blacklist' and 'SpamCop blacklist' and report all those marked as spam by Spamhause -and the few undecided ones- to SpamCop? Even though some of them might already be on SpamCop's blacklist?

[petzl]

This makes me think that possibly not all of them are on SpamCop's blacklist. If this would be so, would it do any harm if I check both 'Spamhause blacklist' and 'SpamCop blacklist' and report all those marked as spam by Spamhause -and the few undecided ones- to SpamCop? Even though some of them might already be on SpamCop's blacklist?

SpamHause will catch more spam than "SpamCops Blocklist"

Not using Mailwasher (I don't have to I just use SpamCop email) I don't know how many blocklists you have access to. SpamCop mainly tries to inform an ISP of a security problem, to get listed on THE SCBL is pretty remote.

[Lodewijk]

Then I think it might be a good idea to report the spam-malware e-mails to SpamCop, so it informs the ISP.

I do see some of it with "Origin blacklisted by SpamCop", but the informing the ISP function might be needed to stop the flow, so others don't get infected by the attachments.

[Lodewijk]

PS:

Reading about the possibility that -unless one knows exactly what one is doing using SpamCop- one might cause difficulties for innocent people -and even oneself- I decided to leave the reporting to SpamCop to those who are much more knowledgeable about all this than I am.

I'm glad to see there are plenty of those who are helping to diminish the flow of spam and malware mail.

I want to thank those who responded to my calls for help, and particularly petzl for his MailWasher tip.

Success and the best of luck to you all.

[petzl]

...With all due respect to a long-serving and knowledgeable fellow volunteer, no, you have not (IMHO). Please see my post in SpamCop Forum article "FAQ Entry: What is Quick Reporting?" Caution must still be exercised in sending reports.

Always good advice.

It would pay one to delete your existing mailhosts and reapply (redo) say "every year"

SpamCop as always is "improving" and it is a more robust now than it was when I first did it

Mailhost will give a warning if you are about to report your own mailhost.

It will not stop one accidentally reporting (false positive) an innocent

[petzl]

Can't thiink of that many instances where the MailWasher "Bounce" feature has been mentioned without the pretty much automatic answer being provided. Do NOT use it!! It is a wonder that they still include that function, as it will only serve to get "you" into trouble.

A very popular running machine came fitted with an ashtray. A good selling point. Even though smoking kills!

Same goes for Mailwasher it's not until Grandma or Grandpa get a big legal bill from their ISP for bouncing email (AKA spamming) that they realize it is a "feature" that is painful to use

[Lodewijk]

Someone on the MailWasher forum -stan_qaz- is encouraging me to utilize Reporting to SpamCop:

http://forum.firetrust.com/viewtopic.php?f...;p=55702#p55702

So I would like to try it, although I still need help. I just received the following message (I subsituted the xxx):

"Sent test email to xxx[at]alice.nl through mx101.alice.nl.

SpamCop has just sent you 1 test messages to xxx[at]alice.nl.

Please allow for up to an hour for those messages to reach you, and then follow the enclosed instructions.

Some errors were encountered sending test email, but other tests were sent without trouble. This is probably normal, but here is a detailed list of errors:

Detailed errors:

Connecting to mx1.bbeyond.nl.:

smtpSend:smtpEnvelope (service[at]admin.spamcop.net, xxx[at]alice.nl): smtpTo rcpt to:xxx[at]alice.nl (450 4.2.0 : Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/alice.nl.html)"

Now what?

[petzl]

So I would like to try it, although I still need help. I just received the following message (I subsituted the xxx):

Now what?

read

http://spamcop.net/fom-serve/cache/166.html

[Lodewijk]

Thank you.

I was just wondering if the error meant I had to do something about it. I guess not then.

I received a test mail from SpamCop which I copy/pasted into a new e-mail and send to SpamCop using the special reporting address SpamCop gave me.

What next?

(I plan to use the 'How To' text of this forum exchange as a possible 'SpamCop Tutorial for Dummies.')

PS:

I just received a reply from SpamCop saying that an error occurred: the Message Header was not shown.

So I posted on the Opera forum:

"How to Show Message Headers in Body of Message

Hi.

In order to report spam and malicious e-mails to SpamCop I have to include the message headers in the mail to be reported to them.

In their tutorial on how to enable this in Operamail they say:

'Operamail

Choose Options and enable [x] Show Message Headers in Body of Message'.

I am using the free version of Opera mail, and I have not found this option."

(I knew this was going to be work... )

[Lodewijk]

In the mean time I saw that by right-clicking on e-mails in MailWasher a window opens with the option 'Show complete header.'

Using that option I copy pasted the header at the head of a new e-mail, and then the text below it, and received the following message:

.........................................................................

"Hello SpamCop user,

Sorry, but SpamCop has encountered errors:

Headers mangled

It appears that the sample you provided has been altered. Often, extra

line-breaks are inserted by your software in an invalid format. Part of

the reason for this proceedure is to ensure that you and your software are

submitting spam in an error-free format. Please review the relevant FAQ

for your software and ensure you are following a proceedure which returns

intact spam content to SpamCop.

In this sample, the problem was found near the line:

HSNMST01V01.hsn.alice-dsl.net with Microsoft SMTPSVC(6.0.3790.3959

(etc.)"

.....................................................................................................

I then copy/pasted the header and text in these respective fields:

http://www.spamcop.net/mcgi?action=mhreturn

I got a window with an error message, but also with with a 'Waiver' option. I used that and am waiting for a reply from the administrator.

I have not the slightest what it all means, but hope it works eventually.

[turetzsr]

...Sorry, Lodewijk, it doesn't appear to be feasible for you to provide all the information we here would need to help resolve this. I would suggest you contact the SpamCop Deputies at e-mail address deputies[at]admin.spamcop.net. You might wish to forward to them the e-mail from SpamCop that contains the error message, along with the exact data you pasted into http://www.spamcop.net/mcgi?action=mhreturn and perhaps a link to this SpamCop Forum article (http://forum.spamcop.net/forums/index.php?showtopic=11910).

...Good luck!

[petzl]

Thank you.

'Operamail

Choose Options and enable [x] Show Message Headers in Body of Message'.

I am using the free version of Opera mail, and I have not found this option."

(I knew this was going to be work... )

This maybe now outdated? Should be in Opera mail help at their website

Someone in your Opera Forum replied to you (don't seem that Opera Mail can send email as attachment)

http://my.opera.com/community/forums/topic.dml?id=1051332

Questions

You do now have a working free SpamCop reporting page?

You have got your submit. address to forward spam?

Mailwasher used to do this without going through your email client (havent used this in years)? As long as you have your SECRET submit address (just installed Mailwasher, works well, it sent report to SpamCop (which then sent me a link for full reporting)

[Lodewijk]

Thank you both.

I might contact the SpamCop Deputies and provide the info as suggested.

I do have a working free SpamCop reporting page, and a SECRET submit address.

If I remember well, when I used the 'Waiver' option I was told the admin. would get back to me. So I'll wait at least another day or two more.

If I don't receive a reply I'll contact the SpamCop Deputies.

I also posted a reply on the Opera Mail forum about the header problem being solved:

http://my.opera.com/community/forums/topic...#comment9913932

[petzl]

I do have a working free SpamCop reporting page, and a SECRET submit address.

With Maiulwasher you can add blocklists under "spam tools" "origin of spam"

Their are many like

cbl.abuseat.org

put this in "Domain" box after giving it a name (CBL)

It's up to you if you report or not (you can just delete)

Reporting does some good though and it's easy

[Lodewijk]

Thank you.

It looks like adding 'cbl.abuseat.org' will block more spam, but what I prefer for now I just posted here:

(Sat Jul 16, 2011 9:22 pm) http://forum.firetrust.com/viewtopic.php?f...;p=55816#p55816

Maybe later.

I'm glad I just received the Waiver from Don D'Minion - SpamCop Admin. Looks like I'm in...

[petzl]

It looks like adding 'cbl.abuseat.org' will block more spam, but what I prefer for now I just posted here:

"During the one day I had a paid SpamCop account I reported some 100 of them. Maybe it helped."

Fact is now that spammers have your email address it will be sold to others and your spam attacks are going to grow and Grow and GROW. You need to build a defense

Reporting spam to SpamCop is the easiest best defense and ATTACK method around. In one day it has shut down a spammers botnet that was attacking you. A SpamCop Email address makes it even easier

MailWasher also allows whitelisting (this overrides blocklists) learn how to set it up (it's important)

Once you have your whitelist (Mailwasher call it "Friends")

You should add more blocklists (in "Origin of spam" under "settings")

If you don't expect email from certain countries you can add a blocklist to block that specific country

For China the Country add

cn.countries.nerd.dk

Mailwasher call Blocklist list "Origin of spam"

This makes it easy to report spam.

Have your email client sort SpamCop notifications to their own folder

"[spamCop] has accepted 1 email for processing"

Just by logging on to your reporting page these will be waiting for you anyway

[Lodewijk]

Thank you again.

In one day it has shut down a spammers botnet that was attacking you.

Wow. If this sudden complete stopping of the flow of all those fake malware UPS, USPS, DHL, and FedEx mails was due to my reporting during just one day, it's very impressive how fast en efficient SpamCop and the agents the reports were forwarded to work.

A SpamCop Email address makes it even easier

1. You mean a paid account?

I prefer the free one, as the paid one disabled the use of the combination Opera Mail and my ISP Mail. With MailWasher I don't have to change anything, and can still report to SpamCop.

MailWasher also allows whitelisting (this overrides blocklists) learn how to set it up (it's important)Once you have your whitelist (Mailwasher call it "Friends") You should add more blocklists (in "Origin of spam" under "settings")

I got the same advice on Mailwasher's forum, but as a newbie I feel a bit overwhelmed by all this info. So for now I prefer to just use the "Friends" list and the default SpamCop and Spamhause blacklists. Maybe later I will add more.

Have your email client sort SpamCop notifications to their own folder "[spamCop] has accepted 1 email for processing." Just by logging on to your reporting page these will be waiting for you anyway

2. I don't understand "Have your email client sort SpamCop notifications to their own folder." I don't even know what is meant by "your email client." In my ISP mail, Opera Mail, or MailWasher? And which folder?

I now always carefully check my mail in MailWasher first, and mark the undecided ones as spam if they are that. Only after that do I open my Opera Mail, receiving usually only 'Friend' mails. Only if in the last seconds some more spam was send to me -which I did not yet check in MailWasher- will it show up in my Opera Mail it looks like.

I'm going to set up reporting to SpamCop in my MailWasher now. I also received help with that on MailWasher's forum.

[Lodewijk]

PS:

I just read this:

"Manual Report

A Manual Report is a Report that you construct and send by hand. Manual Reports should be sent for cases where you can't or shouldn't send a SpamCop Report. These cases include, but are not limited to:

Viruses

Worms"

(These are only 2 of a long list of different cases.)

1. Since all the mentioned fake e-mails I received contain attachments with malware, should I not report them through MailWasher, but instead somehow separately "construct" them "and send by hand"?

I have no idea how to do that, and it looks like a lot of work.

As a newbie not understanding any of the below abbreviated terms, looking at this text -that follows under that above mentioned list- I want to run...

"Although you may use the SpamCop Parser to identify where to send your Manual Report, "SpamCop" should not appear in that Report, except possibly in the Headers because you received the email through your SpamCop Email System account. Manual Reports should include a minimum of facts and explanation of facts, unless you know the recipients need more, and should be polite. If you have the time to do the research, it helps to quote the chapter and verse (specific Section or Subsection) of the TOS/AUP, Internet Standard(s), and/or RFC(s) that you think is/are being violated. (etc.)"

http://forum.spamcop.net/forums/index.php?showtopic=4473#Man

[turetzsr]

<snip>

1. Since all the mentioned fake e-mails I received contain attachments with malware, should I not report them through MailWasher, but instead somehow separately "construct" them "and send by hand"?

<snip>

...IMHO, if the malware came in e-mail you did not request, it is spam and therefore may be reported.

I have no idea how to do that, and it looks like a lot of work.

...Not really; you can use the complaint that SpamCop would have sent and edit out those items that mention SpamCop.

As a newbie not understanding any of the below abbreviated terms

<snip>

...You can find definitions of most (if not all) the acronyms at the SpamCop Glossary and/ or SpamCop Wiki. There's a link to the Glossary in a drop-down list labeled "FAQs & Words" which appears near the top of every SpamCop Forum page. There's a link to the Wiki, labeled "SCWiki," also near the top of every SpamCop Forum page. Any acronyms that are not defined there can be found by searching the World Wide Web using your favorite search tool (for what it's worth, I mostly use GoodSearch and Google).

[petzl]

2. I don't understand "Have your email client sort SpamCop notifications to their own folder." I don't even know what is meant by "your email client." In my ISP mail, Opera Mail, or MailWasher? And which folder?

I now always carefully check my mail in MailWasher first, and mark the undecided ones as spam if they are that. Only after that do I open my Opera Mail, receiving usually only 'Friend' mails. Only if in the last seconds some more spam was send to me -which I did not yet check in MailWasher- will it show up in my Opera Mail it looks like.

I'm going to set up reporting to SpamCop in my MailWasher now. I also received help with that on MailWasher's forum.

Reporting spam via SpamCop is the most effective way of attacking spammers. There are some idiot/spam friendly ISP's that won't accept SpamCop reports, these inevitably end up on the SCBL, so no need to worry, however you can send a spam report from your own email account (warning this identifies you and can be added to confirmed address for spammers by rouge ISP's).

The free reporting is a good option. The SpamCop Email address is the only one you will ever need, as well as gives other privileges that the free one doesn't.

Don't use "Opera Mail" myself, but any half pie email client allows your email to be sorted to a separate folder (of your own creation, call it SpamCop). Should sort by senders address

You should only need to have to have MailWasher running and it will blink and play sound when email is in your ISP' "inbox" ready for delivery. In Mailwashers "settings" "General options" "Launch email application after processing" you click the "specify" button select "specify a email comand" and find the Opera Email execution /command to activate it (if it don't have one, again my advice is dump Opera Mail (Try Eudora) and your ISP's email provision You are backing a dead horse)

[Lodewijk]

...IMHO, if the malware came in e-mail you did not request, it is spam and therefore may be reported....

Glad to know that.

The malware is only in the attachments anyway, and I doubt SpamCop will open them and get infected...

I feel that now I don't have to make a whole 'study' of the mentioned text anymore about not reporting viruses , looking everything up in the glossary, and even google for it.

Thank you.

[Lodewijk]

There are some idiot/spam friendly ISP's that won't accept SpamCop reports, these inevitably end up on the SCBL, so no need to worry, however you can send a spam report from your own email account (warning this identifies you and can be added to confirmed address for spammers by rouge ISP's).

You should only need to have MailWasher running

Thanks.

It turns out that when I try to send the spam through MailWasher to SpamCop I get this message from MailWasher (I substitute xxx) :

----------------------------------------------------------------

Session encountered errors

Gobal SMTP server SpamCop reporting

The connection was intentionally closed by the server before the session was completed.

The SMTP cannot or will not send messages from <(xxx)[at]alice.nl>

The problem occured while trying to send the mail to submit.(xxx)[at]spam.spamcop.net

----------------------------------------------------------------

I wanted to send the spam from my ISP spam box also to SC through MW, so I send them on to my own email address. After that on a hunch I send some 'test' mails to myself, and they all ended up in my ISP spambox. So I am marked as a spammer by my own ISP it looks like... Only after disabling the spam filter can I now again send emails to myself.

I'm thinking of leaving that spam filter disabled, so I get all of it to send it on to SC through MW.

But I just called Alice about all of this and they made a ticket -as this is for a special unit of theirs to look at- telling me I will be called back next week. I told them they definitely should accept to send mail to SpamCop. The man agreed.

I also was given a special email address by him to get on their case that way as well.

If they would be on the SCBL, I wonder how that is going to affect this issue...

I suppose reporting spam to SC through MW is not going to identify me as a confirmed address to spammers.

[petzl]

I suppose reporting spam to SC through MW is not going to identify me as a confirmed address to spammers.

You have to set up MailWasher to go through "Alice" email server? Should be the same settings you use in "Opera mail"

Click Settings "Email account" "Name?" click TAB "bouncing and outgoing mail" Check button "advanced account settings"

[Lodewijk]

You have to set up MailWasher to go through "Alice" email server? Should be the same settings you use in "Opera mail"

Click Settings "Email account" "Name?" click TAB "bouncing and outgoing mail" Check button "advanced account settings"

I have the same Pop3 and SMTP info in MW as in Opera mail.

But turns out that I had not enabled 'My SMTP server requires authentication', 'Log on using' (my user name and password) and 'Remember password' in MW. That is enabled now.

I have 'Enable bouncing of messages from this account' disabled.

So thank you for the above tip.

I just put my email address in the "Safe senders" field of my ISP -Alice- mailhost and now sending a mail to myself it no longer ends up in its spam box, even when I have its spam filter on.

But I still get the same MW message when trying to report spam to SC.

I'll turn my ISP's spam filtering off again when the reporting to SP issue is solved. Then I want all of it for SP.

Now I'll write that email to Alice. They better accept sending spam to SP or else... :angry: