Marc M

droped url if ISP does not wish to receive reports

11 posts in this topic

Hello,

In case of :

ISP does not wish to receive reports regarding http://url.ext/ - no date available

Why the abuse email was dropped ? should it be abuse#isp.ext@@devnull.spamcop.net or something like that to allow third party to known that this url is used by spammer (and more : the isp don't care about spam hosted website) ?

 

Regards,

Marc

Share this post


Link to post
Share on other sites

A Tracking URL would help to know exactly the details of this situation.

If you want to send the spam report to a third party you can do that manually. Currently I don't have a spam to use to step through the process but ...

Share this post


Link to post
Share on other sites
56 minutes ago, Lking said:

A Tracking URL would help to know exactly the details of this situation.

here it is :  https://www.spamcop.net/sc?id=z6418005827z820854e5242e36bc84a648a53134a1f7z

another : https://www.spamcop.net/sc?id=z6418018034zb71ddb44c6ec6b04f38a110c52f1508az

 

56 minutes ago, Lking said:

If you want to send the spam report to a third party you can do that manually. Currently I don't have a spam to use to step through the process but ...

of course, but I thought that one of the benefits of SP was to feed another BL with confirmed links in spam. I am wrong ?
I already send my reports to knujon but if it is useful to pass them to others, I can add them easily. the ideal being not having to do the same operation several times (it would be convenient to be able to add a forward "automatically checked")

Share this post


Link to post
Share on other sites

The SCBL contains the IP addresses of the sources of spam. This is the first priority of SC.

Secondly SC tries to identify valid abuse address(es) to send spam reports, giving responsible ISP managers information to be "good" internet citizens.

Thirdly SC tries to identify valid abuse addresses for any link contained in the spam so spam reports can be send.

There would be no value to adding link IPs to the SCBL sense the link does not generate the spam email.  In the cases you identified above, ( http;\\www,stripweb,be and http;\\www,le8heures,be ) it would appear that the ISP for the links do not care in general or are receiving enough money by hosting the spamvertized website that they can't afford to do anything.

SpamCop's objective is to build a block list to help ISPs keep spam out of client's email inbox, a tactical approach.  As you knujon on the other hand, concentrates on the links in the spam; following the money as an strategic approach to fighting spam.

Share this post


Link to post
Share on other sites

those 3 priority work badly for spams I report since more than 1 year (only one ip adding to SP blacklist... maybe too little people report those country-related spam)

I thought there was a 4) store urls reported as supporting spam and those report are used for example by surbl as indicated on their page
http://www.surbl.org/faqs#reporting

why else SP store stats when abusing@hosteur bounce if it has no value ?
like this one
https://www.spamcop.net/sc?id=z6418146825z20388e8070905f7fe866f3109901b380z

SP store stats for hoster when it bounce but drop it if the hoster is a spam-friendly and request no-spam-report ? that's strange...

Edited by Marc M
typo

Share this post


Link to post
Share on other sites

My understanding is that the SCBL is more concerned with IP addresses used to deliver the spam than the sites linked to in the body of the email. Reports that get sent to the admin of the websites and their providers are like a bonus.

Edited by lisati

Share this post


Link to post
Share on other sites

Sorry you feel SCBL doesn't work for you. Look at How it works followed by "SCBL Rules" to get another view of the objectives.  It does happen that reported IPs do not make it on the BL if as you said ~ to few people report the sender.

SURBL.org is not related to SpamCop/SCBL 

1 hour ago, Marc M said:

why else SP store stats when abusing@hosteur bounce if it has no value ?

I think you have stumbled onto a programming logic error.  In your last example I notice that the IP of the link(s) in the body are the same as the IP of the source of the email.  Whereas in the examples you provided earlier, (Post #3 this thread) the Source IP is not the same as the links and data was not saved.

Summarizing the three examples

1-2 The source of the reported email was identified, an abuse address found and a spam report was send.  Links in the body of the spam were found, IP address identified BUT the ISP hosting the link does want to receive reports, so none was sent.

3.  The source of the reported email was identified, an abuse address found BUT the last 6 spam reports sent have to the abuse address have bounced, so report was devnulled (stored by SC).  Links in the body of the spam were found, IP address identified and an abuse address found.  Sense the link IP address and abuse are the same as the source again reports are not sent because past reports have bounced.  IMHO the process should have stopped here.  However, the results of a link is treated the same as the results of a link and the link reports are sent to devnull.

Because in your last example the source IP and the linked IPs are the same AND passed reports bounces, it is easy to spot what I think is an error in logic.  Complete path testing is always an ongoing effort, especially with software under constant upgrade by a team.

Share this post


Link to post
Share on other sites
1 hour ago, Lking said:

Look at How it works followed by "SCBL Rules" to get another view of the objectives.  It does happen that reported IPs do not make it on the BL if as you said ~ to few people report the sender.

I reread the page, usefully because I did not remember a few details. The sentence :

  • The SCBL will not list an IP address with only one report filed.

mean only one report ever ? or one report for every daily spam should trigger an add in the BL ?

Quote

SURBL.org is not related to SpamCop/SCBL 

not related but is it true that SURBL use SP user report regarding url in the body of spam ?

Quote

I think you have stumbled onto a programming logic error.  In your last example I notice that the IP of the link(s) in the body are the same as the IP of the source of the email.  Whereas in the examples you provided earlier, (Post #3 this thread) the Source IP is not the same as the links and data was not saved.

Summarizing the three examples

1-2 The source of the reported email was identified, an abuse address found and a spam report was send.  Links in the body of the spam were found, IP address identified BUT the ISP hosting the link does want to receive reports, so none was sent.

3.  The source of the reported email was identified, an abuse address found BUT the last 6 spam reports sent have to the abuse address have bounced, so report was devnulled (stored by SC).  Links in the body of the spam were found, IP address identified and an abuse address found.  Sense the link IP address and abuse are the same as the source again reports are not sent because past reports have bounced.  IMHO the process should have stopped here.  However, the results of a link is treated the same as the results of a link and the link reports are sent to devnull.

thank you for the precision about the difference of same ip for url and smtp or different ip, I had not thought.
I thought there was also a boost (for inclusion in the SPBL) for reports coming from registered user compared to reporting from spamassasin module in anonymous mode. This is not the case ?

Regards,

Marc

Edited by Marc M

Share this post


Link to post
Share on other sites

Thank you for your questions. Reading the link I provided again, I learned something.

The response to your third example does not identify an error.  See the first bullet below ("unless that IP is also used to send the mail.").

Quote
  • The SCBL does not count reports regarding URLs or addresses in the body of the email. Therefore, the SCBL does not list websites or email addresses used to receive replies in reported email, unless that IP is also used to send the mail.
  • The SCBL will not list an IP address with only one report filed.
  • With only two reports against an IP address, the SCBL will list the IP address for a maximum of 12 hours after the most recent reported mail was sent.
  • The SCBL will not list an IP address if there are no reports against it within 24 hours.

Your questions:

1 hour ago, Marc M said:

mean only one report ever ? or one report for every daily spam should trigger an add in the BL ?

See the fourth bullet.  So if SC only receives 1 report every 24 hrs it will not be listed.

1 hour ago, Marc M said:

not related but is it true that SURBL use SP user report regarding url in the body of spam ?

I do not know.  That would be a never ending rabbit hole to understand all the other block list available. I spend way to much time on the net as it is.

1 hour ago, Marc M said:

This is not the case ?

Go back to How it works and read the second paragraph. spamassasin would be one of those 'websites that use the SCBL' as described in the balance of that paragraph.

Share this post


Link to post
Share on other sites
12 hours ago, Lking said:

The response to your third example does not identify an error.  See the first bullet below ("unless that IP is also used to send the mail.").

https://www.spamcop.net/sc?id=z6418341167z734b4b275575fdfd546f37aa8e823589z

the ip of the url www nl is not the same as the ip used to send the mail but it still keep for "statistical tracking"

maybe because it is the same abuse email... but not because it is the same ip as for the smtp

Quote

if SC only receives 1 report every 24 hrs it will not be listed.

If I receive identical spam every day, I do not report at the same time. for example today I report at 11 am.
if tomorrow I report for the same ip at 10 am, there will be 2 reports in less than 24 hours but this spammer is never listed.

another example of 2 spam from the same ip in a few hours but the ip is not listed in SPBL

https://www.spamcop.net/sc?id=z6418341167z734b4b275575fdfd546f37aa8e823589z
https://www.spamcop.net/sc?id=z6418349470zdb7ac82bb4548b6bddb3ad8c9f41bbbaz

I do not know if SP is still actively developed, but perhaps it would be necessary to provide an adjustment so that an accumulation of reports on the same ip ends up having an impact. Because I seriously ask myself of the usefulness of my reports because in the current configuration, they are without effect (bounce or ignored by the service of abuse, no impact in terms of BL)

Regards,

Marc

Edited by Marc M

Share this post


Link to post
Share on other sites
12 hours ago, Marc M said:

YOU HAVE TRIED 

https://www.outlettoday.nl/lists/?p=unsubscribe

With rouge abuse address try the CERT of Country concerned  cert [ at ] ncsc.nl

put in comments

DoS spam attack from "NETWORK OWNER    Mihos"  "DOMAIN    12byte.com"

IP 109.237.216.13 abuse@mihos.net bounces (6 sent : 6 bounces)
Submissions (samples) to  abuse@mihos.net which bounce

 
Submitted: 10/28/2017, 10:11:41 PM +1100: 
Dagaanbieding van Koopditvandaag

Submitted: 10/28/2017, 8:29:07 PM +1100: 
Dagaanbieding van DealsforMen

Submitted: 10/27/2017, 6:41:29 PM +1100: 
Dagaanbieding van DealsforMen

Submitted: 10/27/2017, 6:39:33 PM +1100: 
Dagaanbieding van Koopditvandaag

Submitted: 10/26/2017, 6:33:34 PM +1100: 
Dagaanbieding van Koopditvandaag

Submitted: 10/26/2017, 6:15:23 PM +1100: 
Dagaanbieding van DealsforMen

Submitted: 10/25/2017, 6:58:16 PM +1100: 
Dagaanbieding van Koopditvandaag

Submitted: 10/25/2017, 6:51:18 PM +1100: 
Dagaanbieding van DealsforMen

Submitted: 10/24/2017, 6:34:07 PM +1100: 
Dagaanbieding van Koopditvandaag

Submitted: 10/24/2017, 6:31:24 PM +1100: 
Dagaanbieding van DealsforMen

Submitted: 10/13/2017, 6:53:03 PM +1100: 
Dagaanbieding van Koopditvandaag

Submitted: 10/13/2017, 6:43:15 PM +1100: 
Dagaanbieding van DealsforMen

Submitted: 10/12/2017, 7:03:25 PM +1100: 
Dagaanbieding van Koopditvandaag

Submitted: 10/12/2017, 6:57:42 PM +1100: 
Dagaanbieding van DealsforMen

Submitted: 10/11/2017, 6:43:30 PM +1100: 
Dagaanbieding van Koopditvandaag

 

AND SO ON, AND ON, AND ON!!

Edited by petzl

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now