Can I report Bounced Spam to Spamcop


IHateSpam

> Don't let it get you down.  It certainly seems that way when the flood comes in, but if you look at the history of spam, the good guys are steadily winning and driving the spammers into desperate measures like using viruses to spread their spew.
>
> Usually the flood doesn't last long so do what you can to control it.  And since it is an ever-increasing phenomenon, measures to counteract it will start to be established.
>
> Miss Betsy

I think you're missing the point of what Paul is (and now I am) saying.

We (taking my understanding of his position from his original post) do not find bounced spam a problem. I would be horrified if ISP's stopped bouncing it.

What I do find a problem is that my domain is being defamed, and my potential connectivity also, if the domain gets blocked on a widespread basis. The domain is my online identity - it's even a Registered Trade Mark in my own country - and that identity has been stolen. I currently spend 2-3 hours every day trying to defend it, and to no avail because the spamvertised sites are in China. I need my life back from these crooks, or I will go under.

The problem began at the turn of the year, and I reported it, and the Chinese hosts shut down the websites, and the problem went away for six months. Then, in July, it started again. I complained and within a couple of days the sites were unreachable and the bounces stopped. For the next month I was spammed with empty E-mails, about 30 a day, which I filtered on subject. The day these stopped (31st August) the bounces began again. I complained to the ISPs, but this time they've found hosting companies who don't care, and I don't know what to do.

I can't fight this on my own. I need the help of fellow-sufferers, and I thought Spamcop was the obvious place to look, so you can imagine my dismay at being told in the FAQ the spam was not my problem. It certainly feels like my problem. I would suggest it's far more damaging and distressing than ordinary spam. For the second day running it's lunchtime and I haven't even stopped for breakfast yet, because I have to defend my name.

I understand there may well be technical problems which make it difficult to handle bounced spam, but it's an even bigger menace for the victims than ordinary spam. Please, someone, come up with an answer. Point us in the right direction, at least.

KJP


> What I do find a problem is that my domain is being defamed, and my potential connectivity also, if the domain gets blocked on a widespread basis.

How is your domain being defamed by having it forged as the sender of spam? From my conversations with people, most now know that the from address is usually forged in junk mail (except for Microsoft apparently, see thread in Lounge). I have not seen an email at my place of business complaining about a spam they received because our address was the sender in over a year now.

"Domains" do NOT generally get blocked, IP addresses (and maybe ranges in some bls) do. If your IP is not sending spam, the likelihood of it being blocked is extremely low. With the spamcop email system and other systems (I use Postini at work which also has this feature), someone may place a domain on their personal blacklist but I personally only have 1 entry in my blacklist and none on my company blacklist.

> I currently spend 2-3 hours every day trying to defend it, and to no avail because the spamvertised sites are in China. I need my life back from these crooks, or I will go under.

This situation sounds more like a Joe-job (using your domain name to sell their junk) than the simple bounces most people get. More description of what is being received is needed here, I think.


> I understand there may well be technical problems which make it difficult to handle bounced spam, but it's an even bigger menace for the victims than ordinary spam. Please, someone, come up with an answer. Point us in the right direction, at least

Pointing to the "right direction" is also part of that package of "technical issues" ...

Strangely enough, I just spent over an hour on the phone last night with one of my brothers, it seems his name had been drawn out of the hat and he wanted me to tell him how to handle the MAILER-DAEMON e-mails he was now getting ... 3,500 the first connection .. after deleting the crap out of those, he then reconnected and found he had to wait for the next 450+ to download ... this on a 56k dial-up ...

Here's the basic problem ... pick one spammer, who is going to deliver the 250,000 e-mails some other idiot has paid this spammer to deliver .. spammer fires up his neat-o software to handle that high-speed e-mail advertising/marketing delivery process ....

This software includes the functions of using e-mail addresses already culled from somewhere else, generating more "new" e-mail addresses by using the "names" from that culled list and attaching those names to other domain names .. thus "doubling" the original list on the first pass ... toggle the domain name again, now the send-list has tripled ... That the addresses aren't any good is of no consequence, as the contract only specified "send out 250,000 e-mails" ....

The spammer would like to not have to change his/her own account set-up all the time, so this outgoing e-mail traffic isn't going to use his/her e-mail server to get out .. so spammer pulls up that list of compromised e-mail servers that someone else has found/hacked, pumps some spam through that compromised e-mail server. To speed things up, the list of compromised machines that have been found/hacked by someone else that now have the capability to spew forth quantities of e-mail is pulled up and these systems are tapped into .... This type of activity continues until that spam run is done, then the next get-rich-quick-idiot's spam run gets put into the queue.

Somewhere in the process, a random generator, another list, or just because you complained to a spam-friendly ISP that passed on your complaint to this spammer ... your name comes up as part of the "hide the source" bit and now these spams are going into the world with your address in the From: line.

You start getting the bounces from the systems that follow the rules of being nice that date back to the origins of the "net" .. letting "you" know that you'd obviously mis-typed the address or got mixed up when you typed in the To: address. Ok, you could send an e-mail to an admin at that system and tell them that time has moved on, things have changed, and the days of bouncing e-mail back to what's seen in the From: line is something that's been destroyed by spammers and should cease. Maybe you'll convince that ISP.

The problem is that your bounces are coming from all over ... and now you're stuck with trying to work with the different types of bounces (some have the complete original e-mail attached or in-line, others only provide a few header lines to show the "wrong" address, others give broken crap as maybe there was also a virus/trojan in the spam that got manipulated/mangled in the process of handling ..)

Places to send your complaints now include stupid/lazy ISPs, compromised computers owned by Mr. & Mrs. Clueless in Seattle, Joe 6-pack in Witchita, on and on .... but the point is, one spammer is responsible for the spew, but your receipt of bounced e-mails might include 3,000 different sources from that 250,000 spam delivery run. How much time do you want to spend on trying to track down and notify that list, noting that most, like the compromised "home" computers will never see the "postmaster" e-mail and whether their ISP gets involved is a coin-toss ...

Yes, the SpamCop parser can be used to track down the source (for use in making your own manual complaint), but then one is back to the knowledge of the reporter as to selecting what part of the headers to feed the parser, and that's even making the assumption that what's needed was included in the bounce (if we're talking about reporting the spam source) .... and unfortunately, this scenario hasn't worked all that well, too many folks simply submitting the whole lot and hitting "Send" ... Thus the official words of "Bounces will not be reported via SpamCop" these days.

Solutions? None good, short of finding the spammer and changing his/her outlook on life and such ...

Whitelist known good addresses, rest goes into a bitbucket - not a business deal

Filter incoming based on something (like MAILER ...) but not all matches, so rules start getting big

Take the time to try to educate those systems doing the bouncing based on bad From: line contents

Change your address

Just a few of the many possible "solutions" .. but I suspect you'll agree, none of them are good ...on the other hand, it's pretty rare that one can get over the $250,000 threshold to get the FBI involved in pursuing the cause of all these problems ... the lowlife spammer ...


> How is your domain being defamed by having it forged as the sender of spam....
>
> "Domains" do NOT generally get blocked, IP addresses (and maybe ranges in some bls) do.

Thanks, that may be true in the Unix world, but most people I know use Outlook Express or something similar to receive their E-mail. Filtering by domain name is all they have.

In the majority of cases that won't matter, because I'll never have cause to E-mail them, but among those millions setting filters against my domain, may be friends who don't recognise it or people I am yet to meet.

My social life is already being disrupted by friends not receiving my E-mails, and while I've been writing this my stockbroker has just phoned because a transaction nearly went astray when they failed to receive my instructions (that represents a fifth of my life savings). AOL blocked my domain at the beginning of the year. So I think it does happen.

I think the term Joe-job may well apply to what is happening here, though I'm not an expert on Internet slang (sorry - technical language). Someone is sending spam advertising prescription drugs for sale at websites hosted at various IPs in China (Chinanet, Unicom), pointed to by a variety of domains which change every few days. (The registrants are giving postal addresses in Poland, Benin, or wherever, though their E-mail addresses look similar.) And yes, the From: header has a fictitious name followed by a random string [at]instabook.com (which is my domain name). The spam originates from various networks all over the world, and one ISP has told me the sender is a virus, so it's probably trojanised machines being used to send it.

I only get to know about the spam that bounces, but that's the tip of an iceberg, because I don't believe the Spammer is only sending a dozen or so a day. The vast majority are not being bounced. Whether they are getting through or just being deleted I can't say. If this activity has resulted in ISPs not bouncing undelivered mail the spammers have already won, because E-mail has ceased to be a reliable system where we can be reasonably confident our messages have been delivered.

I think it's defamatory to have one's name associated with antisocial and possibly illegal activity. It certainly feels that way.

And you're right. I haven't got the time. Which is why I was hoping there were others who might have the expertise to help me beat this menace. Spamcop seemed the obvious service to do that.

KJP


> I don't think anyone answered me when I asked this before, but I don't know why the ISPs can't run the 'bounce' emails through a spam content filter set on high before they send them and dump those that don't pass. Also, an ISP could write a parser for its own use - in fact some of the bounces that I have received actually had the correct IP address added. The reason that there isn't another available for other people on the web is spamcop's ability to deal with many different header configurations. A private one also doesn't have to send reports or look up abuse desks. That is one reason why it is so stupid that ISPs send email bounces to the 'returnpath' - if they feel that they can't dump undeliverable mail, there are ways to send it to the proper place - it just costs more.

I've been getting about 300-400 bounces a day for the last month. I finally figured out how to filter most of the bounces on the receiving end and it is not pretty (procmail => a little filter I wrote to look for a From header in a form other than the one I use to sign my mail).

My bounces go through SpamAssassin -- which sees something that convinces it that they aren't spam, even with the original spam in the message -- the Bayesian filter reports 0% probability of spam.

I lost a couple days banging my head on the way that Exim + the virtual hosting software (cPanel) run by my ISP does not allow the normal Exim filtering mechanism to operate on bounces.

I guess all this is to say that separating the bounced spams from bounces you might actually want to see is not a simple task... it's taken most of my spare time over a week and a half to get the bounces under control.

Doug

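The three bounce shapes Wazoo lists (the whole original attached, only a few header lines, or a mangled copy) and the check Doug describes (the From: in the bounced message is not the exact form he signs with) are enough to automate the triage. The following is an added example, not code from this thread or from SpamCop: it recognises a bounce, extracts the original's headers from a message/rfc822 attachment, a text/rfc822-headers part or a plain-text copy, treats the original as forged unless its From: is exactly the assumed signing form, and for a forgery pulls the oldest public IP out of the Received: chain as the starting point for a manual complaint. The name, addresses and IPs (RFC 5737 documentation ranges) are assumptions.

```python
# Added example, not code from this thread or from SpamCop.  It automates the
# triage Wazoo and Doug describe above: recognise a bounce, dig the original's
# headers out of whichever shape the bounce uses, treat the message as forged
# unless its From: is exactly the form we sign with, and for a forgery pull the
# IP that handed the spam to the first relay out of the Received: chain.  The
# name, addresses and IPs (RFC 5737 ranges) are assumptions.
import re
from email import message_from_string, policy

OUR_FROM = ("KJ Petrie", "kjp@instabook.com")        # assumed signing form
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
PRIVATE_IP = re.compile(r"^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
HEADER_START = re.compile(r"(?mi)^(?:Received|Return-path|From|Message-ID): ")

def is_bounce(msg):
    """Null envelope sender, MAILER-DAEMON/postmaster From:, or a DSN report."""
    sender = (msg.get("From") or "").lower()
    return ((msg.get("Return-Path") or "").strip() == "<>" or "mailer-daemon" in sender
            or "postmaster" in sender or msg.get_content_type() == "multipart/report")

def original_headers(bounce):
    """Headers of the bounced message (message/rfc822 attachment, text/rfc822-headers
    part, or a copy pasted into a plain-text body), or None if the bounce kept none."""
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return message_from_string(part.get_content(), policy=policy.default)
    body = bounce.get_body(preferencelist=("plain",))
    match = HEADER_START.search(body.get_content() if body is not None else "")
    if match is None:
        return None
    block = match.string[match.start():].split("\n\n", 1)[0]   # up to first blank line
    return message_from_string(block + "\n\n", policy=policy.default)

def looks_forged(orig):
    """True unless From: is exactly the (name, address) pair we sign with."""
    hdr = orig.get("From")
    if hdr is None or not getattr(hdr, "addresses", ()):
        return True
    addr = hdr.addresses[0]
    return (addr.display_name, addr.addr_spec.lower()) != OUR_FROM

def source_ip(orig):
    """Oldest public client IP in the Received: chain.  Hops below the ones
    written by a relay you can vouch for may be forged, so treat it as a lead."""
    hops = [BRACKETED_IP.search(str(r)) for r in orig.get_all("Received", [])]
    for match in reversed(hops):                       # oldest hop first
        if match and not PRIVATE_IP.match(match.group(1)):
            return match.group(1)
    return None

def triage(raw):
    """One raw message -> not a bounce / our own bounce / backscatter."""
    msg = message_from_string(raw, policy=policy.default)
    if not is_bounce(msg):
        return {"kind": "not-a-bounce", "forged": None, "source_ip": None}
    orig = original_headers(msg)
    if orig is None:
        return {"kind": "bounce", "forged": None, "source_ip": None}
    forged = looks_forged(orig)
    return {"kind": "bounce", "forged": forged,
            "source_ip": source_ip(orig) if forged else None}

# Constructed samples.  A Postfix-style DSN with the spam attached whole:
DSN_ATTACHED = """\
Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@example.net>
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

<nobody@example.net>: user unknown
--B1
Content-Type: message/rfc822

Received: from mx1.example.net (localhost [127.0.0.1]) by mx1.example.net
Received: from pc77.example.cn (unknown [198.51.100.77]) by mx1.example.net
From: Marlene Huff <fhq2k1@instabook.com>
Subject: we carry vicodin

Cheap meds at http://example.invalid/
--B1--
"""
# An Exim-style plain-text bounce for a message we really did send:
TEXT_COPY = """\
Return-Path: <>
From: Mail Delivery System <Mailer-Daemon@example.org>

------ This is a copy of the message, including all the headers. ------

Return-path: <kjp@instabook.com>
Received: from relay.example.co.uk ([192.0.2.10]) by mail.example.org
From: KJ Petrie <kjp@instabook.com>
Subject: Lunch next week?

Are you free on Tuesday?
"""
```

The Received: walk is deliberately naive: anything below the header written by a relay you can actually identify may have been added by the spammer, and, as Wazoo notes, a bounce may have dropped the headers altogether, so the IP it returns is where a manual complaint starts, not evidence on its own. The From: comparison is the point of Doug's filter: a joe-jobber invents a random local part and a fictitious display name, and neither will match the single form you send with.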

K.J. Petrie, it sounds like your problem is much bigger than just bounces.

Most ISP blocking is IP based, not domain name based. End users tend to block based on domain name. I would doubt that your stock broker would have blocked your domain, so the assumption would be that the ISP was blocking your IP address. Note: sender based blocking does not exist, all blocking is done at the receiving end with the exception of blocking by your own ISP and if that is the case then you have even bigger problems.

Have you read the FAQ "Why Am I Blocked? FAQ, Please read before posting"? If not, please read it and come back and post more information so we can try to help.

Also have you read FAQ Entry: Why am I getting all these bounces?

I agree with you about it being a major problem and the fact that you are being hurt by it, but I do not believe that it is the entire or even major part of your specific problem with people not receiving your mail.

We look forward to hearing from you with information about the mailserver you are using to send your mail. It may be that "you" are actually the one that is sending the spam without knowing it. In this case "you" means the IP number of the mailserver you are using to send your mail.


I can see how that is true for /after/ the bounce message has been created and when the recipient is trying to sort real email from bounce emails - and goes a long way towards explaining why spamcop doesn't accept bounces for processing!

However, the receiving ISP still has the original email that he could filter with a much higher setting for spam (since it is suspect). Only after the email passes the spam and virus filter would the process send an undeliverable email message. Even though, some real undeliverable emails may be lost with high settings, the percentage is bound to be miniscule compared to the nuisance for those who are receiving bounce emails to forged addresses. The possibility is that real undeliverable email will pass the test and the person notified is still there. It would be preferable to simply dumping all undeliverable email and definitely better than 'bouncing' it.

The cost of even doing that extra step of putting the email through a virus filter or spam filter might be enough to keep those who are cheap from doing it though. It would probably mean more hardware. I think that's why many ISPs don't use blocklists and use content filters instead to filter spam.

Miss Betsy

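The post above argues for filtering the original before any bounce is generated, and Wazoo's earlier remark that bouncing to whatever sits in the From: line is a relic points at the same decision. The following is an added example, not code from this thread or from any real MTA: a toy model of one SMTP delivery attempt for a mailbox the receiving server does not have, under the two policies it can follow. It shows which policy produces backscatter, and how a filter-first step plus the envelope-sender rules (bounce to the Return-Path only, and never bounce a message whose Return-Path is empty) change that. The host name, mailboxes and the word-count spam filter are assumptions.

```python
# Added example, not code from this thread: a toy model of the two ways a
# receiving server can handle mail for a mailbox it does not have.  It shows
# why "accept first, bounce later" manufactures backscatter to whoever was
# forged as the sender, and what the post above asks for if a server must
# bounce: filter the original first, and address the bounce to the envelope
# sender (Return-Path), never to the From: header.  Host name, mailboxes and
# the word-count spam filter are assumptions.
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.net"
LOCAL_USERS = {"alice", "bob"}                         # assumed mailboxes
SPAM_WORDS = ("vicodin", "viagra", "meds", "cheap")    # stand-in content filter


@dataclass
class Delivery:
    """Outcome of one SMTP session: the exchange and any bounce generated."""
    transcript: list = field(default_factory=list)
    bounces: list = field(default_factory=list)        # (envelope recipient, reason)


def spam_score(body):
    words = body.lower().split()
    return sum(words.count(w) for w in SPAM_WORDS)


def smtp_session(mail_from, rcpt_to, body, reject_at_rcpt, filter_before_bounce=False):
    """One delivery attempt against LOCAL_DOMAIN.

    reject_at_rcpt=True refuses an unknown user with a 5xx at RCPT TO: the
    sending host is told on the spot and nothing is queued, so there is
    nothing to bounce.  reject_at_rcpt=False accepts the message (250 Ok) and
    only then finds the user missing; the only way to tell anyone is a new
    message to the envelope sender, which for spam is a forged address.
    """
    d = Delivery()
    local, _, domain = rcpt_to.partition("@")
    known = domain == LOCAL_DOMAIN and local in LOCAL_USERS
    d.transcript += [f"C: MAIL FROM:<{mail_from}>", "S: 250 2.1.0 Ok",
                     f"C: RCPT TO:<{rcpt_to}>"]
    if reject_at_rcpt and not known:
        d.transcript.append(f"S: 550 5.1.1 <{rcpt_to}>: Recipient address rejected: User unknown")
        return d                                       # session over, no bounce
    d.transcript += ["S: 250 2.1.5 Ok", "C: DATA", "S: 354 End data with <CR><LF>.<CR><LF>",
                     "S: 250 2.0.0 Ok: queued"]
    if known:
        return d                                       # delivered normally
    # We accepted something we cannot deliver.  A null envelope sender marks a
    # message that is itself a notification; RFC 5321 forbids bouncing those.
    if mail_from == "":
        return d
    if filter_before_bounce and spam_score(body) >= 2:
        return d                                       # spam: drop it silently
    d.bounces.append((mail_from, f"<{rcpt_to}>: User unknown"))
    return d


# Constructed sample: the kind of spam the thread describes, with an innocent
# address forged as the envelope sender.
SPAM = dict(mail_from="fhq2k1@instabook.com", rcpt_to="nobody@example.net",
            body="we carry vicodin and other cheap meds")


def backscatter_targets(reject_at_rcpt, filter_before_bounce=False):
    """Who gets a bounce for the sample spam under a given policy."""
    d = smtp_session(**SPAM, reject_at_rcpt=reject_at_rcpt,
                     filter_before_bounce=filter_before_bounce)
    return [recipient for recipient, _ in d.bounces]
```

The 550 at RCPT TO is what a real MTA does when it holds its own recipient list (Postfix's local_recipient_maps and relay_recipient_maps, for example); the accept-then-bounce branch is what a gateway ends up doing when it relays for a domain whose user list it does not hold, and the filter-first check is the cheapest fix for that case. Note that even the filtered branch still loses a small number of legitimate undeliverable notices, which is the trade-off the post above accepts.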

> <snip>
>
> In the majority of cases that won't matter, because I'll never have cause to E-mail them, but among those millions setting filters against my domain, may be friends who don't recognise it or people I am yet to meet.

...To avoid that, e-mail should not be the first contact vehicle! :) <g>

> My social life is already being disrupted by friends not receiving my E-mails, and while I've been writing this my stockbroker has just phoned because a transaction nearly went astray when they failed to receive my instructions (that represents a fifth of my life savings).  AOL blocked my domain at the beginning of the year. So I think it does happen.

...Yes, spammers have ruined the internet for everyone! This is a valuable lesson, though -- internet e-mail is not a guaranteed delivery mechanism, so you should not rely on it for important matters. Besides spammers, backhoes can break datacomm lines, servers can crash, packets of data can be lost.

> I think the term Joe-job may well apply to what is happening here, though I'm not an expert on Internet slang (sorry - technical language).
>
> <snip>

...One of the aforementioned pinned items, Pinned: Original SpamCop FAQ Plus - Read before Posting, has a link to another page that includes a link to The Net Abuse Jargon File which contains a reference to a "joe."

> I think it's defamatory to have one's name associated with antisocial and possibly illegal activity. It certainly feels that way.
>
> <snip>

...But no one with any sense will assume that you have anything to do with it. IIUC (If I understand correctly), in order to have defamation, there must be damages arising from "reasonable ordinary prudent" people relying on the false information. :) <g>

Thanks, dbiel,

I send through relay.pol.net.uk as its alias smtp.wanadoo.co.uk which has IP addresses of 195.92.195.153 and 195.92.193.153.

Wanadoo is a pretty major European ISP, and has recently taken over the entire Freeserve network in the UK, so whilst spammers will almost certainly use it occasionally, I wouldn't expect any responsible list operator to include it. I'm certainly not suggesting that SpamCop has.

None of the bounced messages originated from this network. Most of them originated in the Far East, a few from the US, a few from Germany, and a few from Spain.

Earlier today the abuse addresses at cj.net and apol.com.tw 553ed my complaints about spam sent from their network! I resent my complaints (through the same server) using an old domain (at which I can also receive mail) for the From: address, except that I forgot to change the From address on one of them, and it came straight back. The others did not. So at least one of these ISPs appears to be blocking by domain. As I said in an earlier post, I think it does happen. Whether these ISPs are reasonable ordinary prudent people I can't say.

KJP


I sure wish there was a place to report these <<bouncers>> somewhere. All of the bounce I get now have MIME-exploits or viruses attached and for the most part spoof my own domain name.

Are these idiots so clueless that they don't realize the real IP can be parsed out? As far as dealing with that abuse I have reached an impasse, as my ISP is just as clueless in stopping or dealing with the bounces. I am sorry if I sound frustrated, I am!

I am done with posting examples here ...I just wish someone would come up with a feasible idea on how to deal with such abuse.


> I just wish someone would come up with a feasible idea on how to deal with such abuse

Your idea of feasible seems to be hand it off to someone else to deal with.

I have told you how I deal with every piece of virus infected message that postini stops and every misdirected bounce I receive and it has worked great for me. Only a few different IP's have I ever had to blocklist for ignoring the message they were infected and the problem was gone within the 30 day expiration of the block I instituted. Usually, I have received messages that the problem was found and fixed and thank yous. The misdirected bounces have gotten a few replies asking for more information. There is only one domain that took longer than a week to stop sending them to me. Those now seem to have stopped as well.

At this point in time, totally eliminating unwanted email is not a likely scenario without starting with a completely fresh email address that is a random set of letters and numbers.


> Your idea of feasible seems to be hand it off to someone else to deal with.
>
> I have told you how I deal with every piece of virus infected message that postini stops and every misdirected bounce I receive and it has worked great for me. .../snip

Only my ISP has that feature available to them and they refuse to do it. So, all is left for me is live with the abuse. As for contacting the senders I have, many times, all I got was more abuse. I have even contacted the upstream providers, all in vain. We are beating on a dead horse here. And I keep repeating myself, it's not the occasional abuse that bothers me, but the abuse that has persisted and continues daily for months, and nothing ever seems to work against it. The abuse desks that are responsive, are soon forgotten (and forgiven).


> Earlier today the abuse addresses at cj.net and apol.com.tw 553ed my complaints about spam sent from their network! I resent my complaints (through the same server) using an old domain (at which I can also receive mail) for the From: address, except that I forgot to change the From address on one of them, and it came straight back. The others did not. So at least one of these ISPs appears to be blocking by domain. As I said in an earlier post, I think it does happen. Whether these ISPs are reasonable ordinary prudent people I can't say.

I take it all back. They just took their time returning, that's all. So some ISPs are blocking Wanadoo! That's mystifying. They're one of the biggest providers in the EU and as respectable as they come! Doubtless they will get the odd nasty customer who'll abuse their network, and they'll throw them off just as quick, but perhaps if they get another rogue customer the next day... and the day after, which I suppose is inevitable when they're that big...


> ...But no one with any sense will assume that you have anything to do with it.  IIUC (If I understand correctly), in order to have defamation, there must be damages arising from "reasonable ordinary prudent" people relying on the false information. :) <g>

If the spammers/joers are relying on that defence they're going to get burnt. In England, the measure is the "right-thinking" person, and it takes no account of whether the falsehood is credible, only whether, in the eyes of a "right-thinking" person, it tends to lower the plaintiff's reputation. The more obviously untrue the allegation, the more culpable an English jury will consider the defamer, as he/she should have realised they were propagating an untrue slur, and the bigger the damages they will award.

Pity I haven't got the millions it takes to bring a successful action...

KJP


> So some ISPs are blocking Wanadoo!

I get AT LEAST 1 spam message from a Wanadoo IP every day. The last 2 days have been:

Subject: we carry vicodin (fegfipc[at]ALagny-152-1-31-206.w83-112.abo.wanadoo.fr [83.112.100.206])

Subject: An amazing technology to meet your changing needs... (hvs-w-19fc.adsl.wanadoo.nl [212.129.153.252])

Both of these are from what seem to be DHCP served accounts, probably virus infected, so the Wanadoo servers would not be listed. But these should be blocked for sending spam.


My problem remains. I am being joed, the E-mail advertises a website at 61.240.131.219 which isn't on your blocklist because I am not allowed to report the spamvertising. If I could report it it might get the hosting company (UNICOM) to take notice...

I have dozens of E-mails containing the evidence for nearly a month now, and I am powerless because there isn't a means for me to report the problem, and the spammers are getting away with it! They mustn't be allowed to get away with it. It's like letting terrorists get away with it. In fact, it is a form of terrorism.


The BL doesn't do websites ... only the IP of the spam spew source, usually an e-mail server, sometimes the IP of a compromised machine ....

I have to tell you, "dozens of e-mails for nearly a month" isn't much of a deal ... this is as compared to the last time one of my addresses was used as a forged From: line ... I'm talking 3 to 8,000 bounces in a single day .. and as I recollect, this went on for about three weeks. You still haven't offered enough detail to convince me that you are being joe-jobbed ... thus far all you've yet described is a forgery of the alleged From: address.

There is nothing preventing you from manually reporting this stuff yourself, if the bounce contains enough data to track anything down.


> My problem remains. I am being joed, the E-mail advertises a website at 61.240.131.219 which isn't on your blocklist because I am not allowed to report the spamvertising. If I could report it it might get the hosting company (UNICOM) to take notice...
>
> I have dozens of E-mails containing the evidence for nearly a month now, and I am powerless because there isn't a means for me to report the problem, and the spammers are getting away with it! They mustn't be allowed to get away with it. It's like letting terrorists get away with it. In fact, it is a form of terrorism.

Remember that SpamCop is only a tool to help you report spam. It has put in place limitations to help prevent abuse. Reporting remains an individual issue. You are free to report anything that you choose to report, but faulty reporting does not help anyone.

Note: there is actually NO restrictions on using the SpamCop parsing tool to help identify sources of any message (spam or otherwise). The restrictions apply on the use of the reporting portion of the tool only. If your statements are a true reflection of your beliefs, then do something about it. Don't complain about a tool that is provided to help you.

When you are trying to build something you will most often use several tools. Even hammering in a nail sometimes requires a drill to drill a pilot hole first to prevent splitting the wood. Remember that the tools can do nothing by themselves, they need someone to use them. SpamCop is but one tool in the fight against spam. If it is the only tool that you choose to use then your statement is actually nothing but a pile of hot air.


If I read everything correctly, you don't have enough time to really go after the spammers who are using your domain name in the From:

Most people feel the way you do that it is a defamation of character to have /their/ domain associated with spam - even if they realize that prudent, knowledgable people don't pay any attention to the From in spam.

Unfortunately, no one has either the time or money to get any action taken in all the countries of the world who might actually be able to do something about stopping this practice.

Many people apparently have had to abandon some domains and start over.

So the short answer is that spamcop is a tool (as was explained in another post) and in this case, the wrong tool to protect /your/ domain. The spamcop blocklist is a long term tool to identify spam before it enters the inbox by either rejecting at the server or putting it in a special place. The result is that ISPs who are interested in providing reliable email service take care not to have spammers on their networks and, if a spammer is reported, take action immediately so that any interruption of service is no more serious or inconveniencing than a traffic jam.

The idiots like MS and McAfee still perpetuate the myth that the From can identify the sender. The best defense against the good name of your domain would be to conduct an educational PR campaign so that ordinary end users are aware that the 'block this sender' is a hoax

Miss Betsy


> SpamCop is but one tool in the fight against spam. If it is the only tool that you choose to use then your statement is actually nothing but a pile of hot air.

The bottom line is that bounces due to spoofed domains have become as problematic and numerous as spam itself. See, for example, the discussion started in the lounge about Microsoft suggesting bounces would work to prevent spam.

The issue a lot of us have raised is not how to manually parse and report 200 or more bounces a day. Nobody in their right mind would take the time to do such thing. Instead, it was raised as a legitimate issue to stimulate discussion on finding an efficient method to deal with it. It is evident that these bounces are raising new challenges and technical questions. It is also evident to me and others that spoofing reporters' domain names and e-mail addresses is another way to abuse and intimidate the reporting side of the spam fight. In fact, when I first started reporting, I was getting 10-100x more bounces than I was getting spam.


Several people have suggested several different things - most of them are time consuming for very little immediate return.

One thing that no one has suggested is that you complain to Wanadoo about unreliable service (or whoever is the owner of the IP address that is being blocked). IMHO, it is the *sender* of email that needs to *do* something about spam. Receivers should have little or no inconvenience.

Many large ISPs have been very slow to respond to complaints about spam coming from their networks, but eventually they all seem to start paying attention because they get enough complaints from their paying customers.

You have a range of options: from the most time consuming: learn how to read headers and find upstreams and go after the spammer by reporting and complaining to as many different people as you can that might have influence - not only by email but by phone and snail mail to the least time consuming: use a good filter to bit bucket the bounces and forget about it.

Miss Betsy
