Reports to postmaster even though abuse.net doesn't suggest it

[mslw]

Twice today SC has suggested sending email to postmaster[at] and well as abuse[at] for a domain, e.g.

Using abuse net on abuse[at]lumison.net

abuse net lumison.net = abuse[at]lumison.net, postmaster[at]lumison.net

Using best contacts abuse[at]lumison.net postmaster[at]lumison.net

Using abuse net on abuse[at]vexxhost.com

abuse net vexxhost.com = abuse[at]vexxhost.com, postmaster[at]vexxhost.com, noc[at]vexxhost.com

Using best contacts abuse[at]vexxhost.com postmaster[at]vexxhost.com noc[at]vexxhost.com

However, abuse.net doesn't list postmaster for either of these domains.

Is SC adding postmaster or is there some other reason?

I don't want to bother postmaster with reports if they have taken the trouble to register with abuse.net.

[Lking]

I don't want to bother postmaster with reports if they have taken the trouble to register with abuse.net.

They are your reports. Of course you can un-check the box next to any report you do not want to send.

As noted at the bottom of the reporting screen

ATTENTION: Report only those e-mail addresses and web sites that you think your spammer has used. Avoid checking any boxes left empty unless you know that your spammer has used the addresses or sites thus identified. Each false report that you submit means wasted time for a network administrator, so take care. The last thing SpamCop wants are network administrators so accustomed to false claims that they no longer take these spam reports seriously.

[JoeColorado]

Hi,

I don't speak for abuse.net, but I do believe I understand the situation.

0. There four ways to query abuse.net:

a. The web interface:

http://abuse.net/

b. Doing a whois with whois.abuse.net as the whois server, e.g.,

whois domainname.tld whois.abuse.net

c. DNS lookup

d. For heavy users, a mirror of the underlying database (presumably, spamcop.net uses this method).

These methods are all documented at http://abuse.net/using.phtml

1. It used to be that abuse.net returned postmaster[at]domain.tld when you queried a domain that did not have an entry in the abuse.net database. E.g.,

whois unknowndomain.tld whois.abuse.net

postmaster[at]unknowndomain.tld (default, no info)

2. Sometime in the past year or so, abuse.net began (sensibly) returning abuse[at] as the default contact for unknown entries:

whois unknowndomain.tld whois.abuse.net

abuse[at]unknowndomain.tld (default, no info)

3. In addition, there are (essentially) two conditions under which entries are added to abuse.net:

a. When a trusted source (e.g., the owner of a domain) submits network abuse contacts, that DB record include only those entries submitted by that source. E.g., a trusted source submitted the network abuse contact information for CNN.com

whois cnn.com whois.abuse.net

abuse[at]cnn.com (for cnn.com)

b. When other than a trusted source submits submitted network abuse contacts, it used to be (I'm not sure this is still true) that DB record added postmaster[at]domain.tld to those entries submitted by that source. This means that postmaster[at] would be returned on a query.

c. Since the change of the default from postmaster[at] to abuse[at] what is returned by the first two methods described has some subtle differences. E.g.,

1) http://abuse.net/lookup.phtml?domain=vexxhost.com

abuse[at]vexxhost.com (for vexxhost.com)

abuse[at]vexxhost.com (for vexxhost.com)

noc[at]vexxhost.com (for vexxhost.com)

2) whois vexxhost.com whois.abuse.net

abuse[at]vexxhost.com (for vexxhost.com)

noc[at]vexxhost.com (for vexxhost.com)

You can see that the underlying DB contains postmaster[at]vexxhost.com, but the web interface translates the postmaster[at] entry to abuse[at] while the whois entry eliminates one of the two abuse[at] entries as a duplicate. However, the fourth method still reflects the postmaster[at] entry added to reflect that a non-trusted source provided the vexxhost.com entry.

I hope this explains things well.

Cheers,

____

Footnote: if you are using Windows, a whois tool is available at:

http://technet.microsoft.com/en-us/sysinternals/bb897435

[mslw]

Thanks for the detailed reply Joe. I was comparing SC with the command line whois, which is why postmaster appeared to be missing.

Perhaps SC should translate postmaster[at] to abuse[at] like other abuse.net lookups do?

[petzl]

Twice today SC has suggested sending email to postmaster[at] and well as abuse[at] for a domain, e.g.

However, abuse.net doesn't list postmaster for either of these domains.

Is SC adding postmaster or is there some other reason?

I don't want to bother postmaster with reports if they have taken the trouble to register with abuse.net.

AFAIK

SpamCop gets it's abuse address from a number of sources, abuse.net is not the official source for an abuse address. There is ripe.net and apnic.net. abuse.net is a "johnny come lately" which spamcop also checks.

all abuse addresses should be postmaster[at] "joe-jobs". spammers often make these addresses unworkable

SpamCop often has "personalized" abuse addresses set-up by "abuse-desks and administrators"

Abuse.net is/was the easiest for abuse-desks and administrators to register with, while ripe.net and apnic.net were complicated particularly with non-English speaking to formally register with

[SpamCopAdmin]

If you have a TRACKING URL that shows this problem, I would like to see it.

Thanks!

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

[mslw]

Here is the vexxhost.com one:

http://www.spamcop.net/sc?track=http%3A%2F...contract.com%2F