luk3

Interpreting "[SpamCop] summary report" emails from the "SpamCop robot"

7 posts in this topic

I am subscribed to "SpamCop Summary Reports", which are sent by "SpamCop robot". An email looks like this:

[ SpamCop Summary Report ]
-- See footer for key to columns and notes about this report --

     IP_Address Start/Length Trap User Mole Simp Comments
                RDNS

Summary:
205.201.130.123                               Nov  7 21h/7      1    2    3    4
mail123.wdc02.mwdlv.net.                      blocklisted
[...]

-- Key to Columns --
IP Address:  The numeric address.
Start:       The first date (within the past week) that spam was
             reported to have originated from the IP address.
Length:      The duration of the incident in # of days
Trap:        Messages received at traps.
User:        Messages reported by registered users.
Mole:        Messages reported by registered users who prefer to remain
             anonymous.
Simp:        Simple reports - messages submitted by unregistered users.
Comments:    Notes reflect blocking-list status and issue-resolved status.
RDNS:        Reverse dns name of ip address (must pass forward and reverse)

-- Summary Report Notes --
o  All times are GMT, exact time of incident withheld.
o  Time of this report is: Wed Nov 15 13:01:51 2017
[...]

How do I interpret the summary data - especially with regards to Start (Nov 7) and Length (21h/7)? Has the IP been blocklisted for 7 days and 21 hours and is it still blocklisted? During what time period occurred the 1 trap hit, 2 registered user reports, 3 mole reports, and 4 simple reports?

I've always wondered that. After looking into the FAQ and searching the forum, I am still a bit puzzled.

Thanks & regards!

 

1 hour ago, luk3 said:

and is it still blocklisted?

You can look up your IP here: https://www.spamcop.net/w3m?action=map or enter your IP here:  https://www.spamcop.net/bl.shtml

The IP does not appear to be listed currently.

I have never received/seen a summary report so with only one example it is hard for me to interpret. Others may have more insight.


Thanks @lisati and @Lking for your prompt response & sorry that I did not express myself very well. I guess the reporting date was misleading.

My question is not about a new blocklisting issue that has to be solved. Instead, it is about how to read the email reports, which you can subscribe to at https://www.spamcop.net/mcgi?action=reqroute:

Request Aggregate Reports
Please specify which IP(IPv4: dotted quad, IPv6: colon-separated hex) ranges you would like to receive reports about; enter ranges as one of the following:

    CIDR (IP/mask)
    or
    Range (IP1 - IP2)
    or
    Single ip (IP)
    or
    Lookup mailservers by domain 

[205.201.1.1
...
]

Aggregate reports will be sent only if there is spam:
[ ] Never [ ] Hourly [X] Daily 

At least I believe this is the form. The subscription is several years old and I can't recall where on spamcop.net I did it.

Anyway, I wanted to analyse the hundreds of historic reports for intelligence purposes, now. However, while doing so I stumbled over the interpretation issue that I described above. 

Thanks again & kind regards.

 

 

Edited by luk3


You probably have an ISP/Provider account on the spamcop reporting site, possibly (but not necessarily) with the email address that's receiving the reports as login i.d.

18 hours ago, lisati said:

You probably have an ISP/Provider account on the spamcop reporting site, possibly (but not necessarily) with the email address that's receiving the reports as login i.d.

Yep sort of. I created a spamcop.net account in 2013 with a private gmail email address. After that, I subscribed to daily reports via email for several networks and email service providers, which you can set up under the "preference" tab: https://www.spamcop.net/mcgi?action=showispprefs. Each email lists spam sources (trap hits or user complaints) for the networks. 

E.g. report email #1 on maybe 14 November:

205.201.130.123                               Nov  7 21h/7      1    2    3    4
mail123.wdc02.mwdlv.net.                      blocklisted

Another report email two days later:

205.201.130.123                               Nov  7 13h/9      1    0    2    1
mail123.wdc02.mwdlv.net.                      blocklisted

To read the reports properly, I assume that you can order by report date, then group by IP and starting date (= incident id), cumulate the trap hits and complaints per id, use the last entry per id, and use the period between start date (Nov 7) and last duration (+9 days and 13 hours) as the timespan during which SpamCop registers an IP address as a potential spam source. I then take the sum of IPs per day as an indicator for the spamminess of the network over time.

I dunno if this approach is valid (apart from varying number of IPs over time). And I also noted that IPs sometimes seem to be blocklisted due to trap hits, sometimes not. As I found no further documentation, I thought the forum can maybe shed some light on it.

Edited by luk3
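An added example, not from the thread or from SpamCop, that implements the reading luk3 proposes above over the two quoted report entries: parse the two-line entry format, group by (IP, Start) as the incident id, sum the Trap/User/Mole/Simp counts, take the last report's Length as the incident end, and count distinct IPs per calendar day. It assumes Length is `<hours>h/<days>` added to the Start date and assumes the two report dates (14 and 16 November 2017); whether SpamCop defines the incident window this way is not confirmed by the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the two emails quoted in the thread; report dates assumed.
REPORTS = [
    ("2017-11-14", "205.201.130.123                               Nov  7 21h/7      1    2    3    4\n"
                   "mail123.wdc02.mwdlv.net.                      blocklisted\n"),
    ("2017-11-16", "205.201.130.123                               Nov  7 13h/9      1    0    2    1\n"
                   "mail123.wdc02.mwdlv.net.                      blocklisted\n"),
]
# Entry line: IP, Start (Mon day), Length (<hours>h/<days>), Trap User Mole Simp.
ENTRY = re.compile(r"^(?P<ip>\S+)\s+(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<h>\d+)h/(?P<d>\d+)"
                   r"\s+(?P<trap>\d+)\s+(?P<user>\d+)\s+(?P<mole>\d+)\s+(?P<simp>\d+)\s*$")

def parse_report(body, year=2017):
    """Parse two-line entries; the RDNS/comment line follows the IP line."""
    lines, entries = body.splitlines(), []
    for i, line in enumerate(lines):
        m = ENTRY.match(line)
        if not m:
            continue
        tail = lines[i + 1].split() if i + 1 < len(lines) else []
        entries.append({
            "ip": m["ip"], "rdns": tail[0] if tail else "", "comment": " ".join(tail[1:]),
            "start": datetime.strptime(f"{year} {m['mon']} {m['day']}", "%Y %b %d"),
            "length": timedelta(days=int(m["d"]), hours=int(m["h"])),
            "counts": {k: int(m[k]) for k in ("trap", "user", "mole", "simp")},
        })
    return entries

def incidents(reports):
    """Group by (ip, start) as incident id; sum counts, keep the latest Length."""
    by_id = {}
    for _date, body in sorted(reports):  # order by report date
        for e in parse_report(body):
            inc = by_id.setdefault((e["ip"], e["start"]), {"counts": defaultdict(int)})
            for k, v in e["counts"].items():
                inc["counts"][k] += v
            inc["end"] = e["start"] + e["length"]  # later report wins
    return by_id

def ips_per_day(by_id):
    """Distinct IPs whose incident window covers each calendar day (ISO date)."""
    days = defaultdict(set)
    for (ip, start), inc in by_id.items():
        d = start
        while d <= inc["end"]:
            days[d.date().isoformat()].add(ip)
            d += timedelta(days=1)
    return {k: len(v) for k, v in sorted(days.items())}
```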

9 hours ago, luk3 said:

To read the reports properly, I assume that you can order by report date. then group by ip and starting date (= incident id), cumulate the trap hits and complaints per id, use the last entry per id, and use period between startdate (Nov 7) and last duration (+9 days and 13 hours) as the timespan during which SpamCop registers an IP address as a potential spam source. I then take the sum of IPs per day as an indicator for the spamminess of the network over time.  

I dunno if this approach is valid (apart from varying number of IPs over time). And I also noted that IPs sometimes seem to be blocklisted due to trap hits, sometimes not. As I found no further documentation, I thought the forum can maybe shed some light on it.

The IPs are too old for one to see (over 24 hours old). So it "looks" to me like IP "205.201.130.123" is hitting spamtraps and no info is held or given on them, only a spam report would be saved.

Someone is using a dodgy mailing list! Spamtraps are secret and can only be got by a "web spider" scraping email addresses hidden on the Internet (web pages, newsgroups, etc).

Edited by petzl

