
[Resolved] Web site vs email reporting differences



I am new to SpamCop and attempted to find a similar posting for this but did not. My question is that I have tried submitting spam both via the web site and via forwarding the email, as an attachment, to the assigned email address. The issue I have is that when done via email, it sometimes returns errors, which seems to happen when the spam email has an attachment of its own, and sometimes has a different list of those to report the email to compared to when done online.

Quick example...
Online reports to a, b and c
Via email reports to b only.

What are the possible cause(s) of this? I can test it by reporting via email then parsing it again via web site, just not resubmitting it.


It would help if you would provide a TRACKING URL for each of the spam submitted.

At the top of the screen, after you click the "process button" or when you follow the link back to SpamCop after sending an email submission, you will see:

Quote

SpamCop v 4.8.4 © 2016 Cisco Systems, Inc. All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

https://www.spamcop.net/sc?id=z6234149496zb5949cd1df11f97fc1ebb81f8c31f520z

 

The third line is the Tracking URL.  With that the rest of us can then see what the parser did with your submission.


Here is an example:

https://www.spamcop.net/sc?id=z6234543446zc088e93784a7d290ce8a1d1c18a1e080z

In this example, the email replied to me that it was sent to one, but could have been sent to three. This is the common problem. The email picks up usually only 1. Manual submission or anything via website picks up more, or just one if that is all there is.


There may be several reasons for what you are seeing.  When I look at your example now I see:

 
Quote

 

Reports regarding this spam have already been sent:

Re: 167.88.109.197 (Administrator of network where email originates)
   Reportid: 6452407705 To: abuse[at]virtuzo.com

If reported today, reports would be sent to:

Re: 167.88.109.197 (Administrator of network where email originates)

abuse[at]virtuzo.com

Re: 82.57.200.105 (Administrator interested in intermediary handling of spam)

abuse[at]business.telecomitalia.it

Re: https://appleoffice00-pjeqv.formstack.com/forms... (Administrator of network hosting website referenced in spam)

abuse[at]amazonaws.com

 

Before you click "send spam report(s) Now", I assume only the first of the three is listed with the box checked.

The others may not be sent due to traffic at the time and priorities. For example, the third, abuse[at]amazonaws.com, (website referenced in spam) is the lowest priority objective of the parser. If, at the time you reported, 'lots' of other spam was being processed, time would not be taken to process the body of your spam and to find a reporting address for the found link.  Upstream nodes (abuse[at]business.telecomitalia.it) are also a lower priority.

Available processing time is the only explanation for differences in the results between webpage submissions and email submits.  The only true test would be to submit the same spam in both ways (be sure to cancel the first) and compare the results.

It is also possible that at the time of the original processing, a valid reporting email address was not found for the upstream node or the spamvertized link.  When looked at later, more information was available.


Thanks for the reply. My concern is that the results were different at basically the same time. After I received the email reply, I checked online and parsed the spam. The results showed all three.

8 hours ago, Lking said:

The only true test would be to submit the same spam in both ways (be sure to cancel the first) and compare the results.

This is exactly what I did, except I cancelled the second, not the first, as the first was a 'quick' email submission which did not use all email addresses.


28 minutes ago, thwaller said:

This is exactly what I did, except I cancelled the second, not the first, as the first was a 'quick' email submission which did not use all email addresses.

That is the answer.  A 'quick' submission does not (I believe) bother to check the body of the spam nor upstream nodes.  The source of the spam is all that is identified to add the IP to the SCBL and send a report to the host of the sender.


28 minutes ago, thwaller said:

Thanks for the reply. My concern is that the results were different at basically the same time. After I received the email reply, I checked online and parsed the spam. The results showed all three.

This is exactly what I did, except I cancelled the second, not the first, as the first was a 'quick' email submission which did not use all email addresses.

"Quick" reporting only sends to the IP SpamCop detects as sending spam
which should be

% Abuse contact for '82.57.200.0 - 82.57.207.255' is 'abuse[at]business.telecomitalia.it'

167.88.109.197 (Administrator of network where email originates)
 abuse[at]retail.telecomitalia.it
https://www.spamcop.net/sc?id=z6234543446zc088e93784a7d290ce8a1d1c18a1e080z
This IP is a Botnet mass spam sender
http://www.senderbase.org/lookup/?search_string=167.88.109.197


22 minutes ago, petzl said:

"Quick" reporting only sends to the IP SpamCop detects as sending spam
which should be

% Abuse contact for '82.57.200.0 - 82.57.207.255' is 'abuse[at]business.telecomitalia.it'

The quick reporting did not select this one though.

Regardless, thank you both for the replies, and I apologize for failing to mention 'quick' reporting on the initial post. I did not realize that there would be a difference in how a submission is handled, but the explanation does make sense. I believe it is clear to me now though; the differences are explained to a degree, so I would consider this resolved.


On 04/05/2016 at 11:44 AM, thwaller said:

The quick reporting did not select this one though.

There are two "whois" sites.
SpamCop looks up ARIN.
I check with RIPE to see if there is a difference; if there is, I add it to the report.
A free Windows RIPE WhoIs program is here:
http://www.nirsoft.net/utils/ipnetinfo.html

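The manual cross-check described in the last post (compare the abuse contact a second whois registry gives with the first, and add any difference to the report) can be scripted. This is an added example, not part of the original thread and not SpamCop's code; the two whois responses are constructed samples on documentation addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample responses (not real registry output).
ARIN_SAMPLE = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgAbuseEmail:  abuse@hosting.example
"""
RIPE_SAMPLE = """\
% Abuse contact for '192.0.2.0 - 192.0.2.127' is 'Abuse[at]ISP.example'
inetnum:        192.0.2.0 - 192.0.2.127
"""

# RIPE-style comment line, in the form quoted in the thread.
RIPE_COMMENT = re.compile(r"^% Abuse contact for '(\S+) - (\S+)' is '([^']+)'")
# Plain "key: value" abuse fields (ARIN OrgAbuseEmail, RIPE abuse-mailbox).
FIELD = re.compile(r"^(?:OrgAbuseEmail|abuse-mailbox):\s*(\S+)", re.IGNORECASE)


def normalize(addr):
    """Undo the forum's [at] munging and fold case so addresses compare equal."""
    return addr.strip().replace("[at]", "@").lower()


def abuse_contacts(whois_text, ip):
    """Return the abuse addresses in one whois response that apply to ip."""
    target = ipaddress.ip_address(ip)
    found = set()
    for line in whois_text.splitlines():
        m = RIPE_COMMENT.match(line)
        if m:
            first, last = (ipaddress.ip_address(x) for x in m.group(1, 2))
            if first <= target <= last:  # skip contacts for other ranges
                found.add(normalize(m.group(3)))
            continue
        m = FIELD.match(line)
        if m:
            found.add(normalize(m.group(1)))
    return found


def extra_contacts(first_text, second_text, ip):
    """Contacts the second registry lists that the first one does not."""
    return sorted(abuse_contacts(second_text, ip) - abuse_contacts(first_text, ip))


if __name__ == "__main__":
    print(extra_contacts(ARIN_SAMPLE, RIPE_SAMPLE, "192.0.2.10"))
```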

Archived

This topic is now archived and is closed to further replies.
