Windrider6

Is Spamcop reporting doing any good anymore?


Given the ongoing problems with Spamcop hosted e-mail, I've started to question whether I should use Spamcop at all.

What percentage of system administrators pay attention to Spamcop complaint/reports anymore?

How many of the sysadmins are bad guys, thus dev-nulling Spamcop's reports?

How many of the sysadmins are good guys, but ignore Spamcop's reports?

Is there any evidence that Spamcop's complaint reports are welcome by system administrators anymore?


...AFAIK, there has never been any hard evidence. I use SpamCop because it facilitates sending reports to abuse addresses (and I just assume that at least one of these has helped a white-hat), the FTC, Knujon and an anti-phishing organization and to feed the statistics that are used to decide if a spam source should be included in the SpamCop blacklist.


I seem to have noticed a drop in the correlation between SC reports and action by ISPs too. One ISP in particular, serverhub, is currently responsible for 1/2 the spam my domain is getting yet, in spite of continued reports to Spamcop, none of the IPs I've reported show on Spamcop's own RBL.

EXAMPLE:

http://www.spamcop.net/sc?id=z5887218933z9...3cbfde6b6aeccfz

http://mxtoolbox.com/SuperTool.aspx?action...p;run=toolpage#

In another thread, I jokingly referred to the abuse address for serverhub (spamcop[at]serverhub.com) as really being routed to devnull by serverhub.


Spamcop reporting has killed off a lot of repeat spammers. I've received at least some reports back from the ISP that the problem was terminated. (There are the repeat offenders like OVH, ccedu, and various Brazilian operations, which I report even though those are ignored or /dev/null'ed.)


For me it's the SpamCop parse that's the most valuable bit. In the details I can see to which of my Sneakemail-style addresses the spam was sent, and alert the "owner" of that address (by including them in the notifications, with extra text) to the fact that they have allowed, unwittingly or otherwise, my private address to be stolen from them. If the spam volume to that address gets too high, I automatically devnull anything more coming in to that address, after notifying said "owners" of the fact that the address is "closing down".

(Small clarifying change on edit.)

Edited by Spamnophobic


I have used Spamcop for around a decade now. It has not stopped the vast majority of spam. People who spammed me on day 1 are still spamming today. As a spam prevention tool, it is useless. As a spam analysing service (to parse headers etc) it's quite useful. I've had more luck contacting ISPs directly than waiting for SpamCop to try and get action taken.

Very depressing, but the spammers won a long time ago. Internet protocols were never designed to stop unsolicited messages. Given the nature of how communication systems work, spam can never be stopped 100%, so get used to it!


There are certain spammers that have continued to spam me throughout the years, even though I've reported every email to SC. I made the mistake of using my real email address when contacting car dealers about 8 years ago, and haven't been able to get them to stop emailing me since. Their unsubscribe link doesn't do anything. There are some other businesses doing this too.

Is there anything additional I can do?


Unfortunately, there is precious little that you, as a victim, can effectively do. First: NEVER unsubscribe to anything to which you never subscribed -- that's a common way for spammers to confirm that an address on their "purchase this list of e-mail addresses to which you can send spam" list is a "live" one! Reporting spam via SpamCop is one bit because it contributes to statistics used to populate the SpamCop blacklist, which is used by a number of e-mail admins to flag or block spam. If your e-mail provider subscribes to the SpamCop blacklist, that might help you directly. Using a blacklist or other filtering on your incoming e-mail may be something that could help you, if it is possible for your situation. If it is feasible for you to abandon your spammed e-mail address entirely, you could start fresh with a new e-mail address; if not, you could still apply for a new e-mail address and migrate your correspondents to the new one, relegating the old one to only spammers, those who can't or won't switch and those you failed to notify. Also peruse the links in the SpamCop FAQ section with heading "What other sites should I visit to help learn about, fight, handle spam?"


There are certain spammers that have continued to spam me throughout the years, even though I've reported every email to SC. I made the mistake of using my real email address when contacting car dealers about 8 years ago, and haven't been able to get them to stop emailing me since. Their unsubscribe link doesn't do anything. There are some other businesses doing this too.

Is there anything additional I can do?

Since this is "straight up" spam you can just use the 'blocked sender' feature or whatever your mail client calls it. (Personal blacklist in the former Spamcop email system). It will then cease to clutter your inbox and you can report it as you wish.


Since this is "straight up" spam you can just use the 'blocked sender' feature or whatever your mail client calls it. (Personal blacklist in the former Spamcop email system). It will then cease to clutter your inbox and you can report it as you wish.

Thanks. I could also just filter them to the trash, but I was kind of hoping I could get them stopped. I'm sure many people get spam from them. I guess that's why I've wasted time reporting to SC all this time. Thankfully they only email once a week or so.


My biggest observation is things don't get listed anymore. Getting 100s of spams a day from eonix, global layer, serverhub, singlehop, offercenteral, sagonet, sendgrid, webnx, hostsailor, krdpd3, fdcservers, leaseweb, toqen, level3, u2kgroup etc. Every time I report I check, and they're getting away with it. Scot-free!!

I can not be the only one getting this flavor of spam as I see the same complaints on this board and others. Are people getting paid off?

Eonix seems to have found a way to disable reports.

http://www.spamcop.net/sc?action=rcache;ip=104.206.22.111

When the spamcop system gets to it it just says.

Sorry, no reporting addresses found for 104.206.22.111.

Nothing to do.

Edited by Schmide


I think you may be confusing the secondary SC objective with the primary objective.

1. Identify the source IP address of the reported spam. This is the primary objective, to identify the IP address that spam is coming from and add that IP address to the Block List. This is the function of the parser and results in a product that SpamCop provides to their clients for them to use to help filter spam from their users email, so that those end users don't have to deal with the flood of spam that is out in the world.

2. Notify upstream ISPs that spam is coming from IP address(es). Having identified the IP address (above), IF (a) an abuse email address for that IP address can be found AND (b) the abuse email address has not indicated that they do not want to receive spam reports THEN a report is sent to the ISP supporting the offending IP address.

As has been noted here several times, sometimes it looks like the spammers have their own ISP, or the ISPs that support the spammers prefer to get the spammer's money than stop the flow of spam, or the ISPs don't know how to control their spammy users, or all of the above. At any rate, seldom is it apparent that an ISP has taken action to close down a spammer.

Often SpamCop can not identify a valid abuse[at] address to send a spam report to. This is due to (a) failure by the ISP to establish or publish the information, (b) failure of the domain registrar to enforce the requirements to identify the domain contact info, (c) failure of ICANN to enforce their own rules. If SpamCop can not identify a reporting address in an automated way, then no report can be sent unless someone does the manual work of finding an address and letting SC know.

There are lots of reasons why a report is not/can not be sent and you see the "nothing to do" status. As the status said in full:

Sorry, no reporting addresses found for 104.206.22.111.

Nothing to do.

That just means that no report is sent. It does not mean that the offending IP address is not added to the Block List, assuming others have also reported the same source.

As has been noted here several times, sometimes it looks like the spammers have their own ISP, or the ISPs that support the spammers prefer to get the spammer's money than stop the flow of spam, or the ISPs don't know how to control their spammy users, or all of the above. At any rate, seldom is it apparent that an ISP has taken action to close down a spammer.

It is more than obvious that the spammers are just snowshoeing their IPs to keep them under the magnitude needed to get listed. Mags stay around 5 and manual adjustments to the BL are completely nonexistent.

I've been here since the late 90s, I understand the objectives. It's the lack of adaptation I cannot fathom. I'm not limiting this to spamcop, other lists/reports have been equally absent from the easily traceable signatures.


Unfortunately, there's [apparently] no way for SpamCop to tell that spammers are snowshoeing IPs to avoid making their way onto the blacklist. But I imagine that most aren't clever enough.


What things would they equate? If anyone but the spammers had a list of the spammers' lists of snowshoe addresses, the white hats would use that information to shut down those spammers and the spammers would have to move to some other means of sending their trash.


ISP x sends the exact same spam from multiple IPs over the course of a day. Either a huge unfathomable coincidence, or snowshoeing in action.


Or multiple spammers with the same snowshoe list. And in many cases the individual spams are similar enough to appear to the victim to be the same spam but not similar enough for a program (parser) to be certain they're the same.


I understand that munging, rephrasing, random referring are the order of business and I can easily see that. Reality is if you look at many of these runs that include 10s to 100s of spams received at one address, coming from multiple IPs, often in incremental order, from a single ISP at the same time. When such a source is identified, there should be some multiplication effect. Failure to do so is allowing the ISPs and spammers to snowshoe.

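The pattern described in the post above (many source IPs in one block, often consecutive, each staying under the per-IP listing level) can be surfaced on the receiving side by aggregating reports per network instead of per address. The sketch below is an added example, not part of any forum post and not SpamCop's logic; the thresholds, the /24 grouping and the sample data (documentation address ranges) are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (source IP, spam reports that day). Not real data.
REPORTS = [
    ("198.51.100.10", 2), ("198.51.100.11", 3), ("198.51.100.12", 2),
    ("198.51.100.13", 2), ("198.51.100.14", 3), ("198.51.100.40", 1),
    ("203.0.113.7", 9),                       # one noisy host, no spread
    ("192.0.2.20", 1), ("192.0.2.200", 1),    # two unrelated hosts
]

PER_IP_THRESHOLD = 5   # assumed level at which a single IP would stand out
MIN_DISTINCT = 4       # assumed: distinct senders needed in one block
MIN_RUN = 3            # assumed: consecutive addresses needed

def longest_run(hosts):
    """Length of the longest run of numerically consecutive addresses."""
    best = run = 0
    prev = None
    for h in sorted(hosts):
        run = run + 1 if prev is not None and h == prev + 1 else 1
        best = max(best, run)
        prev = h
    return best

def snowshoe_candidates(reports, prefix=24):
    """Flag networks where every IP is quiet but the block as a whole is not."""
    nets = defaultdict(dict)
    for ip, count in reports:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        key = int(ipaddress.ip_address(ip))
        nets[net][key] = nets[net].get(key, 0) + count
    flagged = []
    for net, hosts in nets.items():
        all_quiet = all(c < PER_IP_THRESHOLD for c in hosts.values())
        run = longest_run(hosts)
        if all_quiet and len(hosts) >= MIN_DISTINCT and run >= MIN_RUN:
            flagged.append({"network": str(net), "distinct_ips": len(hosts),
                            "longest_run": run,
                            "total_reports": sum(hosts.values())})
    return flagged

if __name__ == "__main__":
    for hit in snowshoe_candidates(REPORTS):
        print(hit)
```

A flagged block is a lead for manual review or a filtering score, not proof of a single sender; as the replies note, shared hosting ranges can look similar.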

I have little doubt that you are correct. What I'm suggesting is that it is one thing for a human to use human judgment to come to such conclusions and to act on those conclusions and to take responsibility for those actions and quite another for a computer program to try to find a way to apply analogous judgment to come to the same conclusion when the consequences of action are potentially much more onerous for a business enterprise like Cisco than for us as private individuals.


In our case, consistently reporting spam to Spamcop has resulted in a significant drop in spam.

Some addresses seem to be beyond saving, but others receive almost no spam anymore (*knock on wood*).

Hello!
The problem has been solved - all malware is removed from the server.
Thank you!

2014-11-07 2:55 GMT+02:00 Lou <6221528837[at]reports.spamcop.net>:

Not all ISPs blow off SpamCop reports. For example, sometimes I get responses like the above that I received this morning.


In our case, consistently reporting spam to Spamcop has resulted in a significant drop in spam.

Some addresses seem to be beyond saving, but others receive almost no spam anymore (*knock on wood*).

As my SpamCop email is filtered by CISCO I don't get any spam through there.

So thought I would start attacking spammers in my throwaway Gmail account.

Now I don't see any there either, at least at present.


Among the list of popular, (or should I say unpopular) spammers, Teradyne should be listed as well. I receive at least 20 a day from these people but when I report them via SpamCop, all of the reporting addresses seem to get Null'ed so I am assuming that no complaints are being sent. However, when I send complaints directly to them myself, the emails do not seem to 'bounce' indicating that these are in fact valid email addresses.

I have even received email from a representative at Teradyne indicating that their IP address has been spoofed and I should contact my ISP, (AT&T) regarding the spam. Unfortunately when I did this I was told by AT&T that I should be contacting Teradyne. I am stuck in the middle of two ISPs pointing fingers.


<snip>

all of the reporting addresses seem to get Null'ed so I am assuming that no complaints are being sent. However, when I send complaints directly to them myself, the emails do not seem to 'bounce' indicating that these are in fact valid email addresses.

Note, though, that an invalid or bouncing abuse address is not the only (nor even the most frequent, as I understand it) reason that the SC parser will "devnull" a report.

I have even received email from a representative at Teradyne indicating that their IP address has been spoofed and I should contact my ISP, (AT&T) regarding the spam. Unfortunately when I did this I was told by AT&T that I should be contacting Teradyne. I am stuck in the middle of two ISPs pointing fingers.

Assuming that you sent them the full, unmodified internet headers of the spam, it is clear that being knowledgeable about e-mail is not a prerequisite at Teradyne to be put in a position to respond to abuse complaints.

Follow-ups regarding Teradyne to SC Forum Topic "Null'ing Email Addresses," please!

