Jump to content
SpamSpam

Using the SpamCop Blacklist at the desktop

Recommended Posts

Multi-part question:

1. Why is it worthwhile to a SpamCop user to submit reports of already SpamCop-blacklisted IP addresses? Examples of what the SCBL may show about an IP address,

  • "Causes of listing > SpamCop users have reported system as a source of spam about 10 times in the past week", why is me reporting it one more time going to change me getting spam when it's already blacklisted and one more report does nothing to curtail persistant spamming IP networks? I've seen up to "70 times"; how many reports of spamming are needed, rhetorical? I consider it pointless to me as a spam recipient to submit a report to certain networks that do nothing to overall diminish their spamming?

  • "Listing History > ...it has been listed ... a total of 67 days". Me reporting it one more time is very unlikely to change the spam from this spamming IP address [i have my own Idea of what a spamming network is and me reporting to such a network operator does nothing nothing to overall diminish their spamming).

Right now, it seems pointless to me to display such stats to SpamCop reporters. These numbers give no context of what a number of spam reports and number of spamming days is categorized as (is 7 days of spamming "high"? Is 14 days high? Is 67 days high? Or, is 67 days or 70 SpamCop user reports a "critical" amount--Senderbase uses the verbage of 30-day period of "medium", "very high", or "critical" rating)?

2. As a followup, and what I've been investigating to perhaps only report not-already-SpamCop-blacklisted IP addresses is: Is there a way to run the SC Blacklist through a filter in a desktop (non-mailserver) implementation of Thunderbird? The closest I've found so far is: 1. SpamPal; which supposedly requires additional software for use with web-based email accounts (I tried SpamPal and couldn't get it to filter my web-based email; but didn't try installing the supposedly required additional software to get it to work with "non-standards-based" web-based accounts); 2. SpamAssassin for Windows (which didn't install on my medium-old version of Windows; and, I don't wish to keep installing tons of additional scripting and Windows packs to get it to work on my production desktop.

Edited by SpamSpam

Share this post


Link to post
Share on other sites

Multi-part question:

1. Why is it worthwhile to a SpamCop user to submit reports of already SpamCop-blacklisted IP addresses? Examples of what the SCBL may show about an IP address,

  • "Causes of listing > SpamCop users have reported system as a source of spam about 10 times in the past week", why is me reporting it one more time going to change me getting spam when it's already blacklisted and one more report does nothing to curtail persistant spamming IP networks? I've seen up to "70 times"; how many reports of spamming are needed, rhetorical? I consider it pointless to me as a spam recipient to submit a report to certain networks that do nothing to overall diminish their spamming?
  • "Listing History > ...it has been listed ... a total of 67 days". Me reporting it one more time is very unlikely to change the spam from this spamming IP address [i have my own Idea of what a spamming network is and me reporting to such a network operator does nothing nothing to overall diminish their spamming).
Right now, it seems pointless to me to display such stats to SpamCop reporters. These numbers give no context of what a number of spam reports and number of spamming days is categorized as (is 7 days of spamming "high"? Is 14 days high? Is 67 days high? Or, is 67 days or 70 SpamCop user reports a "critical" amount--Senderbase uses the verbage of 30-day period of "medium", "very high", or "critical" rating)?

2. As a followup, and what I've been investigating to perhaps only report not-already-SpamCop-blacklisted IP addresses is: Is there a way to run the SC Blacklist through a filter in a desktop (non-mailserver) implementation of Thunderbird? The closest I've found so far is: 1. SpamPal; which supposedly requires additional software for use with web-based email accounts (I tried SpamPal and couldn't get it to filter my web-based email; but didn't try installing the supposedly required additional software to get it to work with "non-standards-based" web-based accounts); 2. SpamAssassin for Windows (which didn't install on my medium-old version of Windows; and, I don't wish to keep installing tons of additional scripting and Windows packs to get it to work on my production desktop.

If you report fresh spam it sets the clock to 24 hours removal

Paid subscribers can see the reports made over 90 days

I add notes in my reports sample below

>
111.23.153.228 (Administrator of network where email originates)
BOTNET ATTACK HOST
http://www.abuseat.org/lookup.cgi?ip=111.23.153.228

IP Address 111.23.153.228 is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.

It was last detected at 2016-04-18 12:00 GMT (+/- 30 minutes), approximately 7 hours ago.

If this IP address is NOT a shared hosting IP address, this IP address is infected with/emitting spamware/spamtrojan traffic and needs to be fixed. Find and remove the virus/spamware problem then use the CBL delisting link below.

In some unusual cases, IP addresses used in shared hosting (especially those using IPSwitch Imail, Plesk or Cpanel) can trigger CBL listings. If this is a shared hosting IP address, make sure that your mail server software is set up to identify _itself_ in its mail connections, not each of your customers. 


BLOCK OUTBOUND PORT 25, 
RESERVE FOR LEGIT EMAIL SERVER
Make sure you are connecting to your mail server's 'authenticated mail' port 587 and not the ordinary 'unauthenticated' port 25. (ask your ISP to check for you)

CHANGE TO SECURE PASSWORD 
SCAN INFECTED COMPUTER FOR MALWARE

A BOTNET infected computer/server means the all data passing through it may be compromised (bank details, log-on/password, email, etc). 
CBL (abuseat.org) lists those computers that are infected with instructions on how to remove BOTNET infections

Change log-on to a more secure password! 

The following Cisco site shows servers/computers with prior or existing BOTNET infections
http://www.senderbase.org/lookup/ip/?search_string=111.23.153.228

spewing spam
https://www.spamcop.net/w3m?action=checkblock&ip=111.23.153.228

Other hosts in this "neighborhood" with spam reports
111.23.152.231 111.23.152.241 111.23.152.243 111.23.152.246 111.23.152.247 111.23.152.254 111.23.152.255 111.23.153.2 111.23.153.6 111.23.153.8 111.23.153.9 111.23.153.14 111.23.153.15 111.23.153.18 111.23.153.19 111.23.153.27 111.23.153.28 111.23.153.30 111.23.153.37 111.23.153.49 111.23.153.52 111.23.153.56 111.23.153.61 111.23.153.62 111.23.153.66 111.23.153.75 111.23.153.76 111.23.153.77 111.23.153.78 111.23.153.80 111.23.153.87 111.23.153.93 111.23.153.106 111.23.153.110 111.23.153.112 111.23.153.116 111.23.153.118 111.23.153.121 111.23.153.135 111.23.153.137 111.23.153.140 111.23.153.145 111.23.153.146 111.23.153.147 111.23.153.148 111.23.153.151 111.23.153.152 111.23.153.153 111.23.153.160 111.23.153.166 111.23.153.169 111.23.153.174 111.23.153.176 111.23.153.188 111.23.153.191 111.23.153.193 111.23.153.194 111.23.153.199 111.23.153.202 111.23.153.203 111.23.153.212 111.23.153.217 111.23.153.219 111.23.153.232 111.23.153.234 111.23.153.235 111.23.153.239 111.23.153.241 111.23.153.242 111.23.153.243 111.23.154.18 111.23.154.20 111.23.154.27 111.23.154.29 111.23.154.41 111.23.154.48 111.23.154.49 111.23.154.50 111.23.154.54 111.23.154.58 111.23.154.66 111.23.154.86 111.23.154.87 111.23.154.91 111.23.154.94 111.23.154.99 111.23.154.100 111.23.154.103 111.23.154.107 111.23.154.108 111.23.154.111 111.23.154.116 111.23.154.118 111.23.154.119 111.23.154.145 111.23.154.146 111.23.154.147 111.23.154.152 111.23.154.153 111.23.154.161 111.23.154.167 111.23.154.172 111.23.154.183 111.23.154.186 111.23.154.211 111.23.154.213 111.23.154.215 111.23.154.217 111.23.154.221 111.23.154.223
>

Share this post


Link to post
Share on other sites

If you report fresh spam it sets the clock to 24 hours removal

Do "bad" networks always get treated the exact same way as "good" networks? Meaning a bad network may reset the 24-hour clock for the next century every few days? I suppose the added reports count towards devnull reports too that I read up on some today for the first time. (I've actually been a member of SC since perhaps 2000 - 2005, or whatever year it was. Having lots of nuances to SC and SC spam-reporting it's difficult to know all the aspects of SC).

Guess my point is, that with the "bad" networks that consistantly spew "very high" and "critical" numbers of spams, as Senderbase puts it, that it seems SpamCop treats "bad" networks too nicely by resetting a 24-hour clock when the network as a whole has "very high" or "critical" numbers of spams for days, reported up to a month by Senderbase for the exact IP address(es). At least for particular 30-day high spam sending IP addresses, they could care less--as the spewing continues for commonly days. Where's my days- or months-long clock for "bad" networks that spew for days or more than a month, rhetorical?

Share this post


Link to post
Share on other sites

In an ideal world, we probably wouldn't receive the kind of junk email that people report, and when it does slip through the nets, the people who receive the reports would be actually do something to curb the flow.

The main advantage I see to reporting IP addresses that are already listed is that it helps provide evidence to use in future decisions to list the IP address. There are admins out there who take unhelpful attitudes such as "we are not spammers" - it can be helpful to be able to say, "Really? Here's the evidence." (The legal niceties about what constitutes spam is potential can of worms that I don't particularly want to get into. Spemcop has its guidelines in its FAQ)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×