Wintermute

Malicious Reporting of a message..

Okay, update from the ISP - this is the report that triggered the block on our IP.

<snip>

[ Offending message ]

Status:  U

Return-Path: x

Received: from spf7.us4.outblaze.com ([205.158.62.41])

by pickering.mail.mindspring.net (EarthLink SMTP Server) with

ESMTP id 1biuTE7j63Nl3p20

for <x>; Tue, 27 Apr 2004 11:53:22 -0400 (EDT)

Received: from n19.grp.scd.yahoo.com (n19.grp.scd.yahoo.com

[66.218.66.74])

by spf7.us4.outblaze.com (Postfix) with SMTP id 8D6E12AC7B

<snip>

...Think I may have found it. Going to http://www.spamcop.net/bl.shtml and entering "66.218.66.74" results in:

Query bl.spamcop.net - 66.218.66.74

66.218.66.74 is n19.grp.scd.yahoo.com

66.218.66.74 not listed in bl.spamcop.net

Since SpamCop started counting, this system has been reported about 380 times by about 190 users. It has been sending mail consistently for at least 198.1 days. It has never been listed.

In the past week, this system has:

Been reported as a source of spam less than 10 times

Been witnessed sending mail about 18620 times

Other hosts in this "neighborhood" with spam reports:

66.218.66.64

66.218.66.65

<snip long list>

A sample sent sometime during the 24 hours beginning Tuesday, May 11, 2004 20:00:00 -0400:

Received: from -.-.-.-.com ([66.218.66.74])-

        by -.-.-.net (- -.-.-.- -.-.-) with SMTP id -74-

        for <-[at]-.net>- Wed, - May 2004 - -

Subject: - spam - invitation - join the - group

From: hy.. at ..s.com

A sample sent sometime during the 24 hours beginning Monday, April 19, 2004 20:00:00 -0400:

Received: from -.-.-.-.com (-.-.-.-.com [66.218.66.74])-

by -.com (- -.-) with SMTP id - -

<-[at]-.com>- Tue, - Apr 2004 - - (-)-

Subject: - digest number -

From: fo.. at ..s.com

<snip others>
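The header trace and blocklist lookup from the post above, as an added example that is not part of the original thread: it pulls the connecting IPs out of the quoted Received: lines and builds the DNS name that a bl.spamcop.net query uses. The function names and the injectable resolve parameter are assumptions made for this example.

```python
import ipaddress
import re
import socket

# Header lines as quoted in the thread (addresses were elided as "x" there).
SAMPLE_HEADERS = """\
Return-Path: x
Received: from spf7.us4.outblaze.com ([205.158.62.41])
 by pickering.mail.mindspring.net (EarthLink SMTP Server) with
 ESMTP id 1biuTE7j63Nl3p20
 for <x>; Tue, 27 Apr 2004 11:53:22 -0400 (EDT)
Received: from n19.grp.scd.yahoo.com (n19.grp.scd.yahoo.com
 [66.218.66.74])
 by spf7.us4.outblaze.com (Postfix) with SMTP id 8D6E12AC7B
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.strip())
    return headers


def relay_ips(raw):
    """Connecting-host IPs from Received headers, most recent hop first.

    Only hops written by servers you trust are reliable; anything below
    the first untrusted hop may have been forged by the sender.
    """
    ips = []
    for header in unfold(raw):
        if not header.lower().startswith("received:"):
            continue
        from_part = header.split(" by ", 1)[0]  # text before the receiving host
        match = BRACKETED_IP.search(from_part)
        if not match:
            continue
        try:
            ips.append(str(ipaddress.IPv4Address(match.group(1))))
        except ValueError:
            pass  # bracketed text that is not a valid IPv4 address
    return ips


def dnsbl_name(ip, zone="bl.spamcop.net"):
    """DNSBL query name: the IP's octets reversed, prepended to the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """True if the zone answers with an A record in 127.0.0.0/8."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return False  # no such name: not listed (a DNS failure looks the same)
    return ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8")


if __name__ == "__main__":
    for ip in relay_ips(SAMPLE_HEADERS):
        print(ip, "->", dnsbl_name(ip))  # builds names only, no network traffic
```

A "not listed" answer from the blocklist says nothing about whether a single report was sent to the ISP's abuse desk, which is the distinction the rest of this thread turns on.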

Well...

A lot of statements that may well describe the desired process don't unfortunately marry well with the facts.

I would agree that one report *shouldn't* list you, but it certainly seems to have done so in this case (or possibly the same post being reported multiple times).

When I entered our IP address into the spamcop checker, I got the same information you have posted here. It certainly isn't listed here now.

However, our IP address *was* blocked as a result of being blacklisted - Eclipse claim because of a notification by spamcop.

An Open relay is simply something that we checked for internally - I wasn't implying that spamcop is a list of open relays.

Of course, a lack of reverse DNS may cause problems with strict RFC1912 mailservers, however, in practice, we have a delivery rate of around 99.8%.

At this point, I suspect that Eclipse are in fact using another RBL service, or are otherwise confused. As our IP does not appear to be listed (how did you tell that it had never been listed, incidentally?) there must be another explanation.

Thanks for helping to unravel this part of the problem.

There was one report on the last 30 days; the IP was not listed.

Meassage is 15.4 days old

"Meassage"?

It's a typo that's been reported to Julian.


okay, Eclipse forwarded this -

[ SpamCop V1.3.4 ]

This message is brief for your comfort. Please use links below for details.

Email from 82.152.28.237 / 27 Apr 2004 15:50:26 -0000

http://www.spamcop.net/w3m?i=z950047427zec...17dec095888f97z

Seems to be one of yours after all - and now I have the answer to the question I asked originally - can Spamcop reporters hide behind anonymity.

It's clear to me that the user who submitted this report at the very least needs to explain their reasoning, and provide some assurance that they have not simply indulged in a little religious prejudice.

The FAQ here http://www.spamcop.net/fom-serve/cache/167.html seems to indicate the address to direct complaints to is blproblem[at]admin.spamcop.net

Is this the best way to proceed, or do staffers read these forums?

back and forth, I guess. We'll get to the bottom of this.

Ian.

It's clear to me that the user who submitted this report at the very least needs to explain their reasoning, and provide some assurance that they have not simply indulged in a little religious prejudice.

So, follow the link from the spam report that you posted, click on the "Who reported me" link (about 1/2 way down the page), and send the person that reported you an email. The "To:" address will look something like "1234567890[at]reports.spamcop.net". The person who reported you will receive your email but they are not required to respond. How you word your email could determine if you receive a response or not.

The FAQ here http://www.spamcop.net/fom-serve/cache/167.html seems to indicate the address to direct complaints to is blproblem[at]admin.spamcop.net

That address is for problems related to the SCBL (blocklist), your IP still has "never been listed" so I would say that any emails sent there would be inappropriate.

Is this the best way to proceed, or do staffers read these forums?

SpamCop staff reads these forums, anyone with a "SpamCop.net" logo under their name is SpamCop staff. There is a sample of the logo about 2 or 3 posts above your most recent message (made by Ellen, who is a Deputy).

Edited by Spambo

So, the next question - do spam reporters have anonymity to hide behind, or do I have a path to hold someone to account for causing my office several hours of downtime by a malicious, false report?

OK, so going back to what you originally actually asked ... anonymous? yes and no ... e-mail addresses are protected, but by responding via the links in the report, you/your ISP can send a response to the reporter. As mentioned above, you may or may not receive an answer.

false/malicious reports ... addressed in the signup agreement, fines and/or banishment are possibilities for this type of action.

several hours of downtime ... doesn't seem possible from this end of the screen ... Ellen researched and advised that there was a single report made, and the listing formula for the DNSbl doesn't allow a single report to make anything happen.

side note, rhetorical ..... what type of office is this that allows this type of traffic to occur on their system? Talking about someone's belief in God, mentioning mental health, Subject Line of ALL IMPORTANT PRETEST in some group named fullalbumtorrents seems way off-topic to begin with? Weird .....


I would be willing to bet that the reporter just made a mistake. So it really makes a difference on how you word the reply you make. If it sounds as if you are accusing them of something that they did not do, remember your reaction to getting the spamcop report in the first place.

It is pretty easy to miss a real email in amongst the spam - particularly if the recipient had not been following the topic of your exchange.

And to be clear, since the IP address was never listed, and it is pretty obviously not spam, it was your ISP's overreaction to the report that has caused you trouble, not the report itself. Remember who is the person who made the most damaging mistake. It wasn't the reporter. All the reporter can do is say it is unsolicited. The abuse desk where the report goes has to be the one to determine that it is bulk. (Of course, if there are a number of reports, then the scbl can determine that it is probably bulk.)

Miss Betsy

I would be willing to bet that the reporter just made a mistake.  So it really makes a difference on how you word the reply you make.  If it sounds as if you are accusing them of something that they did not do, remember your reaction to getting the spamcop report in the first place.

It is pretty easy to miss a real email in amongst the spam - particularly if the recipient had not been following the topic of your exchange.

And to be clear, since the IP address was never listed, and it is pretty obviously not spam, it was your ISP's overreaction to the report that has caused you trouble, not the report itself.  Remember who is the person who made the most damaging mistake.  It wasn't the reporter.  All the reporter can do is say it is unsolicited.  The abuse desk where the report goes has to be the one to determine that it is bulk.  (Of course, if there are a number of reports, then the scbl can determine that it is probably bulk.)

Miss Betsy

If this was a request to join the group then it is possible the reporter has considered this spam and rightly so. This was one of the worst options Yahoo Groups has done.

If this was a request to join the group then it is possible the reporter has considered this spam and rightly so. This was one of the worst options Yahoo Groups has done.

It wasn't.

It was an ordinary post (opinionated, but not less so than the ones posted in .social).

The OP was mad because his ISP cut his connection because the ISP had received a spamcop report. After several go arounds, it was finally established that it had been reported thru spamcop. However, Ellen says the IP address was never listed.

Now, the OP wants to confront the reporter.

My post was to remind him that his troubles came about because the ISP did not read the report nor respond appropriately. That although the initial problem came about because the reporter reported it, it is not likely that it was done maliciously. And even if it was done maliciously, nothing would have happened if the ISP had responded appropriately.

Miss Betsy

Seems to be one of yours after all - and now I have the answer to the question I asked originally - can Spamcop reporters hide behind anonymity.

It's clear to me that the user who submitted this report at the very least needs to explain their reasoning, and provide some assurance that they have not simply indulged in a little religious prejudice.

Here's my read on what's happened. I could easily be wrong.

A person deemed one of the messages from the Yahoo group as spam. He reported it through Spamcop and a single report was sent to your ISP.

Based on that one report, your ISP pulled the plug on your net access.

I see two responses:

1) Determine whether the person who submitted the message signed up to receive them. If so, he/she is violating Spamcop rules and will be reprimanded.

2) Complain loudly to your ISP! They should understand the concept of false positives. No ISP should have a zero tolerance policy with regards to Spamcop reports. Since there is a human element to these reports, there will always be false positives.


The links posted show the e-mail that was reported, and it clearly was not spam.

It could have been a malicious report, but it is also possible that it was an accident.

Some people have their spam filtering software flag or segregate what it detects is spam, and then they send it to spamcop and confirm it without checking.

And when they set up their spam to be totally processed automatically it makes any error by their spam detector cause severe problems.

-John

Personal Opinion Only

The links posted show the e-mail that was reported, and it clearly was not spam.

It could have been a malicious report, but it is also possible that it was an accident.

Where is this clear evidence the emails weren't spam?

Mailing list managers do not have an inherent right to invite strangers to join their groups or to fill the inboxes of unwilling recipients with digest versions of their mailing lists.

The emails, based on what has been provided, very well could have been spam.


side note, rhetorical ..... what type of office is this that allows this type of traffic to occur on their system?  Talking about someone's belief in God, mentioning mental health, Subject Line of ALL IMPORTANT PRETEST in some group named fullalbumtorrents seems way off-topic to begin with?  Weird .....

It's a SOHO office whose acceptable use policy pretty much clearly states that staff's usage of internet during lunchtime or out of hours is pretty much their own business.

We do not monitor the email or internet usage of the 3 staff that work there during the day.

The fact that this office is also my home and the work PC is also my home PC further explains the situation.


Here's my read on what's happened.  I could easily be wrong.

A person deemed one of the messages from the Yahoo group as spam.  He reported it through Spamcop and a single report was sent to your ISP.

Based on that one report, your ISP pulled the plug on your net access.

I see two responses:

1) Determine whether the person who submitted the message signed up to receive them.  If so, he/she is violating Spamcop rules and will be reprimanded.

2) Complain loudly to your ISP!  They should understand the concept of false positives.  No ISP should have a zero tolerance policy with regards to Spamcop reports.  Since there is a human element to these reports, there will always be false positives.

I agree absolutely, I am perfectly willing to accept that this may be an honest mistake on the part of the spamcop reporter, I am just looking for clarification. I have now contacted the reporter using the form suggested - we will see what they say.

My main point throughout this has been to figure out precisely what happened, not with a view to attributing blame and being all litigious. The end goal has got to be that this doesn't happen again. I can see that the ISP is going to have to have a little education in using spamcop reports properly.

Where is this clear evidence the emails weren't spam?

Mailing list managers do not have an inherent right to invite strangers to join their groups or to fill the inboxes of unwilling recipients with digest versions of their mailing lists.

The emails, based on what has been provided, very well could have been spam.

It's a catch 22 situation, without knowing the email address of the reporter, I can't confirm with the list owner that the reporter correctly went through Yahoo's confirmation process. I have asked the owner of the list and he has confirmed that no one has been added to the list using Yahoo's automatic signup process, I agree this is a poorly thought out feature and it is something that is deliberately not used on any of the Yahoo groups which I moderate. However, in this case, the list owner says it hasn't been used, short of paranoia, that's good enough for me.

I have now contacted the reporter using the form suggested - we will see what they say.

Reporters get so few answers that newcomers often don't know what they are.

I hope that you get a reply. However, some do not because to reply shows your true email address. (I know there are ways to get around that, but if s/he is a newcomer, she may not have something already set up, may not know how to do it, and may not have time to learn. - that's all from experience though I did answer the one report I made in error that was responded to.)

And some people just don't like to admit mistakes.

If I ran spamcop, reporters would have to reply.

And you have been very patient with the process of figuring out what happened. If you don't get a reply, my advice for the good of your health is to assume the reporter is too embarrassed.

Also keep in mind that although errors occur in spamcop system, at least you get notification. If it were a content filter, it would just have disappeared. In your case that would have been good. In other cases, however, that causes the same amount of lost time and frustration because there is no notification.

Miss Betsy


One other issue that seems to be dismissed is that it is rather easy for a single email to a Yahoo group to end up triggering multiple SpamCop reports and possibly a blacklisting. How?

Many Yahoo groups send their mail using the return address of the poster, not the group. So there is no way to whitelist everyone who may post.

Yahoo groups have ads at the bottom of the posts. Some of the advertisements are for URL's that are also spamvertized. If you have spam filters set up to check for these URL's, you will tend to consider them pretty specific for spam (as opposed to filters for content that are more easily false positives) and maybe not check them so closely before reporting. So a post to Yahoo groups can trigger someone's spam filters and not their friends list.

Multiply that by a few hundred recipients, and they could be happily clicking "Report to SpamCop" on their mail previewer without realizing it is a Yahoo group posting -- especially if it is responding to an off-topic post. Now your one email to the Yahoo group generates over 10 spam reports.

It's a bug in Yahoo groups that they allow groups to have mail come with nothing in the return or subjects fields that allows you to whitelist the posts. Not all are set up this way, but none should be.

Many Yahoo groups send their mail using the return address of the poster, not the group.  So there is no way to whitelist everyone who may post.

Unless you read the FAQ entry on how to whitelist Yahoo Group messages: http://www.spamcop.net/fom-serve/cache/306.html

Multiply that by a few hundred recipients, and they could be happily clicking "Report to SpamCop" on their mail previewer without realizing it is a Yahoo group posting -- especially if it is responding to an off-topic post.  Now your one email to the Yahoo group generates over 10 spam reports.

Not verifying that a message is spam before reporting it is a violation of Spamcop rules and can get your reporting privileges suspended.

I don't mean to dismiss your concern - it is valid. There will always be careless reporters and mailing list messages are certainly problematic. But I'm not convinced the problem is as big as you think...

This morning, we have been troubleshooting a pretty nasty Internet outage in our office... only to find that our ISP had withdrawn service due to us being listed on the Spamcop blacklist.

Fair enough, I support Spamcop's efforts, and was more concerned to quickly plug any problem.

This turned to anger as soon as I realised that there was no open relay on our site, nor in fact had any spam originated here. We have up to date AV, spyware scanners, and a firewall that logs all port 25 connections.

We appear to have been blacklisted due to a single message which was posted (by me) to Yahoo Groups. As I'm sure everyone is aware, Yahoo groups are opt-in discussion lists that users have to subscribe to, so receiving the list mails is hardly unsolicited.

On seeing a copy of the suspect email from my ISP, it's blindingly apparent that the message was properly sent through Yahoo Groups, and is not IN ANY WAY a spam message.

It's also apparent that the true reason for the complaint is that the reporter simply did not like the CONTENT of the email, which expressed my opinion about an off topic religious message sent to the group.

So, the next question - do spam reporters have anonymity to hide behind, or do I have a path to hold someone to account for causing my office several hours of downtime by a malicious, false report?

hi,

i came to this thread in search of the same thing, my computers and servers have been maliciously disrupted by the folks who originated a viral message.

if interested send me a private message, i can't discuss in forum because believe it or not, they are :ph34r: of this thread.

I know exactly what they are up to and :excl: they are, again, i can't discuss this out in the open.

kind regards.

these folks are not to play, use most caution. and don't want to be a target


okay, Eclipse forwarded this -

[ SpamCop V1.3.4 ]

This message is brief for your comfort. Please use links below for details.

Email from 82.152.28.237 / 27 Apr 2004 15:50:26 -0000

http://www.spamcop.net/w3m?i=z950047427zec...17dec095888f97z

Seems to be one of yours after all - and now I have the answer to the question I asked originally - can Spamcop reporters hide behind anonymity.

It's clear to me that the user who submitted this report at the very least needs to explain their reasoning, and provide some assurance that they have not simply indulged in a little religious prejudice.

The FAQ here http://www.spamcop.net/fom-serve/cache/167.html seems to indicate the address to direct complaints to is blproblem[at]admin.spamcop.net

Is this the best way to proceed, or do staffers read these forums?

back and forth, I guess. We'll get to the bottom of this.

Ian.

Ok wintermute...waitaminute,

were you the originator of that email? because i just received one today, of similar nature to a non yahoo address. GMAIL

if you are the owner of that same ISP and you are not sending these messages, I would suggest that you look into it, because someone is doing some illegal rigging to tap into your system.

I have traced every possible lead, that's how i got here..here's a clue:. if you have a red cat, please don't mess with M18, if you don't have a red cat, please keep doing more research and find who is viciously utilizing your account to send people viruses.

good day


Ok wintermute...waitaminute,

were you the originator of that email? because i just received one today, of similar nature to a non yahoo address. GMAIL

if you are the owner of that same ISP and you are not sending these messages, I would suggest that you look into it, because someone is doing some illegal rigging to tap into your system.

I have traced every possible lead, that's how i got here..here's a clue:. if you have a red cat, please don't mess with M18, if you don't have a red cat, please keep doing more research and find who is viciously utilizing your account to send people viruses.

good day

1. You replied to a message that was 2.5 years old. I doubt you will get a direct answer to your question.

2. You can sign up for YahooGroups using other email addresses if you wish. That is how the original message was delivered and those are supposed to be reportable ONLY by the moderator of those groups.

3. Did your message come from the same IP address as that one was?

4. Did you report the spam you received? Please provide a TrackingURL so we can discuss with some data.
