PeterJ

Exact duplicate spam

I receive exact duplicate and triplicate spam (via my SC mail account) often and I am wondering what people do with these messages with regards to reporting. I typically quick report my spam now that I am mostly confident with the Mailhosts system, however should I be reporting messages that are exact dups or trips?

If I blindly report these then extra reports are going to the same abuse desk I assume; hopefully they are not bothered. Does reporting all of the messages help the SCBL any more than just reporting one?

If it is preferred that exact dups and trips not be reported then in one sense spammers have succeeded in making my dealings with spam harder as I will need to look at the source of these messages to determine if they are indeed "exact duplicates" or merely "near duplicates."

Before posting I searched for this topic here and in the newsgroups, no luck, but I imagine it has been discussed before.

I receive exact duplicate and triplicate spam (via my SC mail account) often and I am wondering what people do with these messages with regards to reporting.

My own experience is that duplicate messages may be duplicates of content but almost always using different mail servers to send from so, from a Spamcop point of view, they are not duplicates at all since they originate from a different IP address.

Of course, you can only be sure of this by manually reporting.

Personally speaking, though, I would consider reporting each and every item of spam regardless of its duplicated origin but I don't remember that happening to me and I'm not sure how the AUP would deal with this.

Andrew

Unless there is a problem with the mail server, each of those messages should have a different message id, so they are in fact separate messages and should be reported.

Are you sure that you are seeing the same message from the exact same source? I get several "similar" messages every day, but they come through different paths (usually open proxies) to my account. The subject, forged sender, and body are identical, but the path they took is not.

Compare a few to see if this is the case. Look at the headers before submitting or check the spamcop reply (that you should be doing anyway) to see if they were all reported to the same location. Chances are, they are not.

Let's define some terms for ease of use:

Exact duplicate (or triplicate, I have not seen more yet): The message source for each is *exactly* the same, every single character is identical.

Near duplicate (or triplicate, etc.): The message source for each is not *exactly* the same. For example the received lines may be the only difference.

Is no one else receiving exact duplicate spam but me? Note that I only use IMAP mail, not POP, might be relevant...

Unless there is a problem with the mail server, each of those messages should have a different message id, so they are in fact separate messages and should be reported.

Yeah, the problem is spam spewing <_<

Is no one else receiving exact duplicate spam but me? Note that I only use IMAP mail, not POP, might be relevant...

I have received your definition of "Exact duplicate" including message id's. It just meant my address was on the RCPT TO line multiple times.

My description of a server problem for multiple copies with the same ID, seems to be wrong. I tested from Yahoo. If I put my address in both the To: and CC: field, I get 2 copies of the message with identical message id's. If I put 2 copies of the address on the same line, I get only one. Yahoo must combine the addresses from the same line and send only one message.

You don't need to worry about the bl because multiple reports from the same reporter do not add an IP to the bl. It takes multiple reporters.

Edited by StevenUnderwood

I have received your definition of "Exact duplicate" including message id's. It just meant my address was on the RCPT TO line multiple times.

Cool. I just checked some of mine and I could only find one where my email address was listed twice under the "To:" header. I presume that on the others it was duplicated using Bcc.

My description of a server problem for multiple copies with the same ID, seems to be wrong. I tested from Yahoo. If I put my address in both the To: and CC: field, I get 2 copies of the message with identical message id's. If I put 2 copies of the address on the same line, I get only one. Yahoo must combine the addresses from the same line and send only one message.

Interesting to note the differences between mail servers or clients on this...

I just logged into Horde Imp with my SpamCop account and confirmed that I can send myself duplicate or triplicate messages by either using To:, Cc:, and Bcc: OR by simply typing my email address twice in the To: field. Apparently, Horde Imp is not as discriminatory as what you just tested with Yahoo.

Using the Thunderbird mail client I cannot send myself duplicate or triplicate messages by any method that I tried similarly in Horde Imp. I am not sure if this is because of the client or because of my ISP's SMTP server.

You don't need to worry about the bl because multiple reports from the same reporter do not add an IP to the bl. It takes multiple reporters.

I was more concerned with whether or not abuse desk might get frustrated with receiving what seems like duplicate reports for the same spam. If the bcc method was used to send me duplicate or triplicate spam then how does anyone else know I received multiple copies versus simply reporting the same spam 3 times by accident.

If I receive exact triplicates and report it three times, does this help the IP stay on the BL any longer than reporting it once?

I was wrong about my tests with Horde Imp under SpamCop with regards to sending myself exact duplicate mail. I came *very* close and with some more tries and some luck I probably could get exact dups.

Instead my brief tests showed that my most recent received line usually differed by one second with each message and in another case the received lines differed only by the qmail # as follows:

Received: (qmail 27029 invoked from network); 10 Jun 2004 15:13:14 -0000

Received: (qmail 27022 invoked from network); 10 Jun 2004 15:13:14 -0000

Maybe with some luck I could get "exact dups" from SpamCop's Horde Imp when sending to myself, but hopefully this shows instead that JT has got SpamCop's mail configured well in this regard.

Sorry for the digression here in "help"

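The exact/near distinction defined earlier in this thread can be checked mechanically rather than by reading message source. The following is an added example, not part of any post here: it hashes each raw message twice, once as-is and once with the `Received:` lines dropped, and groups the copies. The sample messages are constructed (their Received lines follow the qmail format quoted just above), and treating only `Received:` as ignorable is an assumption.

```python
import hashlib
from collections import defaultdict
from email import message_from_bytes

IGNORED = ("Received",)  # assumption: only hop-added trace lines may differ

def fingerprints(raw: bytes):
    """Return (exact, near) SHA-256 digests for one raw message source."""
    exact = hashlib.sha256(raw).hexdigest()
    msg = message_from_bytes(raw)
    for name in IGNORED:
        del msg[name]  # removes every occurrence; no error if absent
    near = hashlib.sha256(msg.as_bytes()).hexdigest()
    return exact, near

def cluster(raws):
    """Group message indices and label each group.

    A group is an "exact duplicate" only if every copy is byte-identical;
    one differing Received line makes the whole group a "near duplicate".
    """
    groups = defaultdict(list)
    for i, raw in enumerate(raws):
        exact, near = fingerprints(raw)
        groups[near].append((i, exact))
    result = []
    for members in groups.values():
        indices = [i for i, _ in members]
        if len(indices) == 1:
            kind = "single"
        elif len({e for _, e in members}) == 1:
            kind = "exact duplicate"
        else:
            kind = "near duplicate"
        result.append((kind, indices))
    return result

def _sample(qmail_pid: bytes, subject: bytes) -> bytes:
    # Constructed message; not taken from any real spam.
    return (b"Received: (qmail " + qmail_pid + b" invoked from network); "
            b"10 Jun 2004 15:13:14 -0000\n"
            b"From: sender@example.invalid\nTo: me@example.invalid\n"
            b"Message-ID: <constructed@example.invalid>\n"
            b"Subject: " + subject + b"\n\nbody text\n")

SAMPLES = [_sample(b"27029", b"offer A"), _sample(b"27022", b"offer A"),
           _sample(b"30001", b"offer B"), _sample(b"30001", b"offer B"),
           _sample(b"30002", b"offer C")]

if __name__ == "__main__":
    for kind, indices in cluster(SAMPLES):
        print(kind, indices)
```
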

When downloading to imap, are you sure you did not also create a forward to your own host e-mail? If the e-mail is not recognized as spam and moved to the held mail folder, forwarding may result in looping and duplicate/multiple e-mails.

dra007--

I am not sure where you are going with this, maybe you could elaborate. Are you referring to my side attempts to send myself exact duplicate mail or are you referring to spam that I reference in my original post? I do not know how I could accidentally duplicate the spam messages I receive by accessing my mail using IMAP at imap.spamcop.net.

Ok, the way I have it set up is to download the IMAP folder on my machine with OE. Not on the website. But I also have the good e-mail forwarded to one of my accounts once it gets filtered on SpamCop's. When I first set up I had some looping since I have more than one account forwarding. Sounds like that might not be your situation.

Ok, I understand now. This is not what I am seeing as I do not forward any email *from* my SpamCop mail account. It appears that most exact duplicate and exact triplicate spam I receive is as a result of my email address being listed twice or three times in the Bcc field of a particular piece of spam.

If someone has any ideas on the following as further discussion I am interested:

1) My concern with whether or not abuse desks might get frustrated with receiving what seems like duplicate reports for the same spam. If the bcc method was used to send me duplicate or triplicate spam then how does anyone else know I received multiple copies versus simply reporting the same spam 3 times by accident.

2) If I receive exact triplicates and report each copy, does this help the IP stay on the BL any longer than reporting a single copy?

3) Does the SpamCop TOS ask that I not report the same spam three times if I received three identical copies? Or is the parser smart enough to discard the additional reports?

Thanks.

If someone has any ideas on the following as further discussion I am interested:

1) My concern with whether or not abuse desks might get frustrated with receiving what seems like duplicate reports for the same spam. If the bcc method was used to send me duplicate or triplicate spam then how does anyone else know I received multiple copies versus simply reporting the same spam 3 times by accident.

I sometimes receive duplicates. Depending on my mood and my time, I will either note on one that I have received several and delete the rest or put #1 received, etc. Since you use quick reporting, you wouldn't be able to do that. It may not make the abuse desks any happier, but it makes me happier some days.

2) If I receive exact triplicates and report each copy, does this help the IP stay on the BL any longer than reporting a single copy?

IIUC, the time an IP address stays on the bl is gauged from the time of the last spam received (from the date stamp put there by your ISP). Since there are second increments, I don't think it would make a significant difference.

And someone else said that it takes more than one reporter to make a difference in the bl listing. Therefore, my guess is that it doesn't make a difference how many each reporter reports, but how many reporters and when they received the spam.

3) Does the SpamCop TOS ask that I not report the same spam three times if I received three identical copies? Or is the parser smart enough to discard the additional reports?

My guess is that the parser is not smart enough to discard additional reports. Most replies from reporters to questions like this are that "a spam received is a spam reported," (with some noting the number as in my answer to #1 above). I don't remember ever seeing an official spamcop comment.

When you think that an abuse desk can receive hundreds of complaints from one spam run, I doubt that they notice that the same reporter has reported more than one.

A lot of guesswork - maybe someone else will have a better answer.

Miss Betsy

I've found that the spam was "duplicated" as far as what was displayed. However, when I opened up a comparison, i.e. copy the message source of each message to Excel or another spreadsheet (in different worksheets) and compared all of them, all were unique.

Each one should be reported as unique spam, they are NOT duplicates. Some spammer must *know* about the SpamCop rule to avoid re-reporting spam.

Unfortunately, earlier I assumed that the problem was on my side in my email client IMAP. I deleted what I thought were duplicates. This is one more reason to keep checking the forums and newsboards. B)

all were unique

Care to mention what was unique about them? Just the routing I assume.

I DO receive exact duplicate and triplicate spam and I also receive near duplicate and near triplicate spam. Right now I am reporting all spam I receive as I am not about to examine the message source every time I receive two or three messages that appear similar to determine whether they are in fact unique. Unless someone from SpamCop asks me not to, this is how I am going to continue to handle them.

It is possible that some abuse desks may believe I am an idiot for reporting a particular piece of spam three times--caused by address being listed three times in the "Bcc:" field, but no one will ever know how many copies I actually received except the spammer and I (maybe not even the spammer perhaps.) This is of course assuming that the particular abuse desk notices first and then actually cares that I sent them three reports.

If an ISP sends you multiple copies of spam they should get full credit for it. You have to deal with all of it and are under no obligation to spend even more of your time sorting through it. If the ISP doesn't like it, they should realize they should expend more effort on controlling their own spam problem and what they are doing to you.

StevenUnderwood wrote at post #5:

You don't need to worry about the bl because multiple reports from the same reporter do not add an IP to the bl. It takes multiple reporters.

What defines a unique "reporter"? The spamcop account under which the spam is forwarded or the spamcop login under which the report is confirmed or something else?

Not exactly sure how those two items could be "different" ..????

Not directed exactly to the question but may be helpful to others.

If you are using POP3 to access the mail it is very possible to get duplicate, triplicate, etc. copies of mail. It is caused when the POP3 client tries to download mail and is unable to finish the process. The next time it tries to download, it starts at the same place. Until the problem is fixed (usually by deleting a specific email on the server that is not downloaded for some unknown reason) you keep downloading the same mail over and over again. Note: this will include spam as well as legit email.

These duplicates should not be reported as they are actually the same single email.

Just for the record, this has happened to me about two dozen times downloading from Earthlink using OE.

I have never seen this problem when using IMAP though.

ewv:

What defines a unique "reporter"? The spamcop account under which the spam is forwarded or the spamcop login under which the report is confirmed or something else?

wazoo:

Not exactly sure how those two items could be "different" ..????

Spam is reported using the preferences parameters of the browser login, not the account under which it is forwarded to spamcop, so there is a conflation in the identity of the reporter.

I'm getting some duplicates where the to address is repeated - one of them from the wanadoo dialer spammer 6 times. It may be an attempt to discredit SC reports. If an abuse desk gets 6 identical reports with the same time etc then they would think that the SC parser is playing up and not take any notice.

If this happens (and I spot it) then I only send 1 report with a comment about the repeated To: addresses.

Rob

Spam is reported using the preferences parameters of the browser login, not the account under which it is forwarded to spamcop, so there is a conflation in the identity of the reporter.

I beg to differ here. I submit some spam from my spamcop email account (forward for full reporting) to my paid account and some from my work email to my free account. When I receive the link to complete the reporting, no matter which account I am logged into at the time, the reports show up in the correct account.

I'm getting some duplicates where the to address is repeated - one of them from the wanadoo dialer spammer 6 times. It may be an attempt to discredit SC reports. If an abuse desk gets 6 identical reports with the same time etc then they would think that the SC parser is playing up and not take any notice.

I get dupes all the time with spamtraps and the To is quite often the same. The only way to tell they were not dupes is the Delivered-To header.

My only complaint about the 2-man reporting rule is that I report all of these under 1 account. If I report 12 spams from the same spammer, it seems that should count towards the BL. I've been tempted to get two accounts and split the spamtraps among them so that I could guarantee that spamee got on the BL, but I suspect that would not work. Something tells me Julian has thought of that dodge.

...Ken
