hank

"mole" reports -- truly mostly pointless? inform blocklist?

5 posts in this topic

The Preferences says:
 

Quote

Become a "mole" - Don't even send reports (mostly pointless)

...

It has become painfully obvious that spammers are able to identify your email address by using tracking codes - even after SpamCop's attempts to munge them. It has also become plain that even the largest and most well-respected ISPs forward complaints intact to the accused.

In response, we now offer the ability to send reports silently. These reports are not emailed and are not available to anyone but SpamCop administrators and will not be shared (except as aggregate counts).

So -- the real point of reporting is to inform the blocklist process, right?  I realize reporting doesn't reduce spam and in actual experience reporting usually validates the reporting email and produces a flood of more spam at first. 

But eventually my ISP, which uses the SpamCop blocklist, starts accumulating the spam (e.g. from "qq.com" to myuserid@spamcop.net, automatically forwarded to my ISP), and the spam ends up in my ISP's graymail folder.

So seems to me that's the point of using the "mole" approach -- not validating the email address being used to report the spam, but still informing the blocklist.
Or rather informing the "SpamCop administrators" who presumably are updating the blocking list -- aren't they?  Is there still someone doing that, and is this how it's being done?

Can anyone clarify why Spamcop calls the "mole" reporting "mostly pointless" in the Preferences explanation of that option? 
What's not the point here about this?


Posted (edited)

The goal of SpamCop is to help us (receivers of spam) to get an ISP to do something about their troublesome clients.  If that fails, then just block the IP address until those responsible at that ISP decide to do something about those problematic clients.

The goal of the munging is to prevent spammers from finding out who is reporting them.  Most spammers do not use a mail server and therefore they are not able to figure out who to retaliate against.  The spamcop report contains the ID that the mail server put on it, so the true ISP will be able to see who the email was sent to, who logged in (authenticated to) the mail server, and then do something about it.

Edit: What is meant by mole reporting is that the report never goes to the ISP administrators, nor to the suspected spammer.  It only is used for statistics and populating the blacklist.

Edited by gnarlymarley


> block the IP address

Unfortunately "qq.com" can't be blocked by Spamcop, and that source apparently owns (or uses, or forges?) a huge number of IP addresses.

I'd have to comb through hundreds of spams to make a complete list.  I wish Spamcop would do that little chore.

The spam seems to be using some kind of randomization process to vary both the word salad text and the header lines.
 

Hundreds more came through overnight.


If you can, please report every email that you receive that is actual spam, which will allow the SpamCop blocklist to have all IPs listed.  Also, spamtraps only use mole reporting.  See below why SpamCop only blocks on reported IPs.  When a sufficient number of spams are reported, SpamCop automatically adds it to the blocklist.  Now, to make sure false-positives are not added, SpamCop uses a special formula to verify that only actual spammers' IPs are added to the blocklist.  This means that it will take more than one report to have the IP listed on the blocklist.

I believe the issue is that folks who send legitimate email do not want to have their IP listed.  This can cause issues if SpamCop just started randomly adding IPs to their block list.  Because of this, I maintain my own block list alongside SpamCop, where I can and do block whole subnets from repeated spammers.  But before I add the whole subnet to my personal blocklist, I have to check and verify that there are no legitimate emails and that there are no IPs that should not be blocked.

*.128.80.bl 3600 A 127.0.0.2

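The subnet check and wildcard record described in the post above, sketched as an added example (not part of the original post and not SpamCop's code). It assumes the local zone is named `bl` as in the posted record; the function names are hypothetical and the mail log is constructed from documentation address ranges.

```python
import ipaddress

ZONE = "bl"  # zone label as it appears in the posted record (assumed to be the local zone)

def wildcard_to_network(owner, zone=ZONE):
    """Map a DNSBL wildcard owner such as '*.128.80.bl' to the IPv4 network it covers."""
    labels = owner.rstrip(".").split(".")
    if labels[0] != "*" or labels[-1] != zone:
        raise ValueError("not a wildcard record in zone %r" % zone)
    octets = labels[1:-1][::-1]            # DNSBL names carry the octets reversed
    if not 1 <= len(octets) <= 3:
        raise ValueError("expected 1 to 3 fixed octets")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))

def network_to_wildcard(net, zone=ZONE, ttl=3600):
    """Build the wildcard A record for an octet-aligned IPv4 network (/8, /16, /24)."""
    net = ipaddress.ip_network(net)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("a wildcard can only express octet-aligned IPv4 networks")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    return "*.%s.%s %d A 127.0.0.2" % (".".join(reversed(fixed)), zone, ttl)

def review_subnet(net, mail_log):
    """Return (spam_ips, ham_ips) seen inside net; ham_ips must be empty before listing."""
    net = ipaddress.ip_network(net)
    spam, ham = set(), set()
    for ip, verdict in mail_log:
        if ipaddress.ip_address(ip) in net:
            (spam if verdict == "spam" else ham).add(ip)
    return sorted(spam), sorted(ham)

# Constructed sample log: (sending IP, local verdict). Not real senders.
MAIL_LOG = [
    ("203.0.113.7", "spam"), ("203.0.113.19", "spam"), ("203.0.113.200", "spam"),
    ("198.51.100.4", "spam"), ("198.51.100.25", "ham"), ("192.0.2.10", "ham"),
]

def decide(net, mail_log=MAIL_LOG):
    """Emit the wildcard record only when the subnet sent spam and no legitimate mail."""
    spam, ham = review_subnet(net, mail_log)
    if spam and not ham:
        return network_to_wildcard(net)
    return None  # legitimate senders inside: keep listing single IPs instead

if __name__ == "__main__":
    print(wildcard_to_network("*.128.80.bl"))   # network covered by the posted record
    print(decide("203.0.113.0/24"), decide("198.51.100.0/24"))
```

Because a DNS wildcard matches one or more labels, the posted `*.128.80.bl` record answers for every address whose first two octets are 80.128, which is why the legitimate-mail check has to cover the whole range before the record is published.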

Take the following personal (not official in any way) comment with a grain of salt.  As all my English teachers would tell you, I use English as a second language.  So my evaluation of others' English is suspect.

Quote

Become a "mole" - Don't even send reports (mostly pointless)

I think people may be misreading the line about becoming a mole. I believe you are reading

'Become a "mole" (mostly pointless) - Don't even send reports'

This interpretation totally disregards any value of the SCBL. I think what is intended is

'Become a "mole" - Don't even send reports (mostly pointless {because spammers and their ISPs put all spam reports in a black hole anyway})'

One could also read What is "mole" reporting? ~~ Rereading I see some have.

Personally, I "Leave spam copies intact."  1) I don't believe spammers bother to take the time to wash their emailing list. Spammers & the bots/zombies they control get paid for volume. (Spammers think you are dumb. Spammers are dumber)  2) I am a spam reporter.  My objective is to receive and report spam. It would be counterproductive to not 'validate' my email addresses.

As a result of my approach, the level of spam sent to valid email boxes at domains I manage has remained fairly constant over the ~20 years I have had a domain.  Results of directory attacks are another story and I have had one DoS attack (That was back when a phone call to my ISP got me the bw to report most of the spam.)
