thwaller

[Resolved] Web site vs email reporting differences

12 posts in this topic

I am new to SpamCop and attempted to find a similar posting for this but did not. My question is that I have tried submitting spam both via the web site and via forwarding the email, as attachment, to the assigned email address. The issue I have is that when done via email, it sometimes returns errors, which it seems to happen when the spam email has an attachment of its own, and sometimes has a different list of those to report the email to compared to when done online.

Quick example...
Online reports to a, b and c
Via email reports to b only.

What is the possible cause(s) of this? I can test it by reporting via email then parsing it again via web site, just not resubmitting it.

Share this post


Link to post
Share on other sites

I would help if you would provide a TRACKING URL for each of the spam submitted.

At the top of the screen, after you click the "process button" or when you follow the link back to SpamCop after sending an email submission, you will see:

Quote

SpamCop v 4.8.4 © 2016 Cisco Systems, Inc. All rights reserved.

Here is your TRACKING URL - it may be saved for future reference:

https://www.spamcop.net/sc?id=z6234149496zb5949cd1df11f97fc1ebb81f8c31f520z

 

The third line is the Tracking URL.  With that the rest of us can then see what the parser did with your submission.

Share this post


Link to post
Share on other sites

Here is an example:

https://www.spamcop.net/sc?id=z6234543446zc088e93784a7d290ce8a1d1c18a1e080z

In this example, the email replied to me that it was sent to one, but could have been sent to three. This is the common problem. The email picks up usually only 1. Manual submission or anything via website picks up more, or just one if that is all there is.

Edited by thwaller

Share this post


Link to post
Share on other sites

There may be several reasons for what you are seeing.  When I look at your example now I see:

 
Quote

 

Reports regarding this spam have already been sent:

Re: 167.88.109.197 (Administrator of network where email originates)
   Reportid: 6452407705 To: abuse[at]virtuzo.com

If reported today, reports would be sent to:

Re: 167.88.109.197 (Administrator of network where email originates)

abuse[at]virtuzo.com

Re: 82.57.200.105 (Administrator interested in intermediary handling of spam)

abuse[at]business.telecomitalia.it

Re: https://appleoffice00-pjeqv.formstack.com/forms... (Administrator of netwfoork hosting website referenced in spam)

abuse[at]amazonaws.com

 

Before you click "send spam report(s) Now"  I assume only the first of the three is listed with the box checked.

The others may not be sent due to traffic at the time and priorities. For example, the third, abuse[at]amazonaws.com, (website referenced in spam) is the lowest priority objective of the parser. If at the time you reported 'lots' of other spam was being processed, time would not be taken to process the body of your spam and to find a reporting address for the found link.  Upstream nods (abuse[at]business.telecomitalia.it) are also a lower priority.

Available processing time is the only explanation for differences in the results between webpage submissions and email submits.  The only true test would be to submit the same spam in both ways (be sure to cancel the first) and compare the results.

It is also possible that at the time of the original processing, a valid reporting email address was not found for the upstream nod or the spamvertized link.  When look at later, more information was available.

Share this post


Link to post
Share on other sites

Thanks for the reply. My concern is that the results were different at basically the same time. After I received the email reply, I checked online and parsed the spam. The results showed all three.

8 hours ago, Lking said:

The only true test would be to submit the same spam in both ways (be sure to cancel the first) and compare the results.

This is exactly what I did, except I cancelled the second, not the first, as the first was a 'quick' email submission which did not use all email addresses.

Share this post


Link to post
Share on other sites
28 minutes ago, thwaller said:

This is exactly what I did, except I cancelled the second, not the first, as the first was a 'quick' email submission which did not use all email addresses.

That is the answer.  A 'quick' submission does not (I believe) bother to check the body of the spam nor upstream nods.  The source of the spam is all that is identified to add the IP to the SCBL and sent a report to the host of the sender.

Share this post


Link to post
Share on other sites
28 minutes ago, thwaller said:

Thanks for the reply. My concern is that the results were different at basically the same time. After I received the email reply, I checked online and parsed the spam. The results showed all three.

This is exactly what I did, except I cancelled the second, not the first, as the first was a 'quick' email submission which did not use all email addresses.

"Quick" reporting only sends to the IP SpamCop detects as sending spam
which should be

% Abuse contact for '82.57.200.0 - 82.57.207.255' is 'abuse[at]business.telecomitalia.it'

167.88.109.197 (Administrator of network where email originates)
 abuse[at]retail.telecomitalia.it
https://www.spamcop.net/sc?id=z6234543446zc088e93784a7d290ce8a1d1c18a1e080z
This IP is a Botnet mass spam sender
http://www.senderbase.org/lookup/?search_string=167.88.109.197

Share this post


Link to post
Share on other sites
22 minutes ago, petzl said:

"Quick" reporting only sends to the IP SpamCop detects as sending spam
which should be

% Abuse contact for '82.57.200.0 - 82.57.207.255' is 'abuse[at]business.telecomitalia.it'

The quick reporting did not select this one though.

Regardless, thank you both for the replies, and I apologize for failing to mention 'quick' reporting on the initial post. I did not realize that there would be a difference in how a submission is handled, but the explanation does make sense. I believe it is clear to me know though, the differences are explain to a degree, so I would consider this resolved.

Share this post


Link to post
Share on other sites

So marked.

Share this post


Link to post
Share on other sites
28 minutes ago, Lking said:

So marked.

Was this something I should have done? If so, I missed it.

Share this post


Link to post
Share on other sites

Nope. it is a moderator thing.

Share this post


Link to post
Share on other sites
On 04/05/2016 at 11:44 AM, thwaller said:

The quick reporting did not select this one though.

There are two "whois" sites
SpamCop looks up Arin
I check with Ripe to see if there is a difference if there is I add it to report
A free Windows Ripe WhoIs program is here
http://www.nirsoft.net/utils/ipnetinfo.html

Edited by petzl

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now