Jump to content

Spamcop details:


flagginator

Recommended Posts

1. In the spam reports I notice a lot of things are

dev'nulled.

Why are they dev'nulled?

2. Some reports go to Spamcop (Level 3).

What is a Level 3 report?

3. Why are most China-com spams coming through Sprint?

Can we get after Sprint or boycott them? I know they're huge, but they also account for a good chunk of my received spam.

4. Yesterday I got a bunch of spams that reference an "appointment at...".

Did anybody else get these? What advantage is there to a spammer sending me a dozen of these that are so similar? How do they make their money? Who's paying them? Can we castrate some of them?

PS: For those of you that are spelling challenged as I am I have found

http://www.iespell.com

to be invaluable in making me look smarter than I really am.

/end of rant.

/end of questions for today. :P

Link to comment
Share on other sites

Hi, flagginator!

... Did you try Search-ing for some of these? Many have been covered before. Please don't take this as a flame against you; just informational inquiries.

1. In the spam reports I notice a lot of things are

dev'nulled.

Why are they dev'nulled?

16260[/snapback]

...SpamCop threw them away for some reason because it probably has some experience that actually sending the reports is ignored, does more harm than good, or bounces.

2. Some reports go to Spamcop (Level 3).

What is a Level 3 report?

16260[/snapback]

...Don't know the answer to that one.

3. Why are most China-com spams coming through Sprint?

<snip>

16260[/snapback]

...Nor this one. Perhaps China-com uses the Sprint network for outbound messages?

4. Yesterday I got a bunch of spams that reference an "appointment at...".

Did anybody else get these?

16260[/snapback]

...Absolutely!

What advantage is there to a spammer sending me a dozen of these that are so similar? How do they make their money?<snip>

16260[/snapback]

...Are you sure a (one) spammer is sending you a dozen of those? I presume it's more likely that a dozen different spammers purchased the same spam kit and e-mail addresses (including yours) to spam.
Link to comment
Share on other sites

1. In the spam reports I notice a lot of things are dev'nulled.

Why are they dev'nulled?

Usually indicative of an ISP that doesn't care, bounces SpamCop e-mail, etc. .. so the result is that the report generates a count for the BL, but doesn't waste the energy in trying to send yet another e-mail that will be ignored.

2. Some reports go to Spamcop (Level 3).

What is a Level 3 report?

Kind of guessing here, as I think the words are a bit out of context ... Level3 is a bandwidth provider, in addition to being an ISP, Hosting, and other big-money stuff. I believe you are talking about an address specified by Level3 to directly accept SpamCop reports, rather than being mixed in with all the other traffic to the normally used abuse address.

3. Why are most China-com spams coming through Sprint?

Can we get after Sprint or boycott them? I know they're huge, but they also account for a good chunk of my received spam.

This stuff is referenced elsewhere, but again, Sprint is a backbone provider. At this level, the reality is that spam traffic is just a tiny percentage of total data flow. And as the money or peering relationships is based on total traffic bandwidth, trying to take the time and try to extract/block (number pulled out of the air) 2% of traffic is really hard to justify.

4. Yesterday I got a bunch of spams that reference an "appointment at...".

Did anybody else get these? What advantage is there to a spammer sending me a dozen of these that are so similar? How do they make their money? Who's paying them? Can we castrate some of them?

Heh .. here you go ... a Tracking URL would help in analyzing this one. This spam not seen here .. is it an out-of-office type thing?

PS: For those of you that are spelling challenged as I am I have found

http://www.iespell.com

to be invaluable in making me look smarter than I really am.

TinySpell (found at http://www.megspace.com/computers/tinyspell/ ) is another option. (Again, tips like these would be great in that section suggested in the "Forum configuraiton changes" layout, huh?)

Link to comment
Share on other sites

1. In the spam reports I notice a lot of things are dev'nulled.

Why are they dev'nulled?

Usually means the address the report would go to is bouncing SC reports or has turned off reports.

2. Some reports go to Spamcop (Level 3).

What is a Level 3 report?

Level3 is a tier one backbone. I think what you are referring to is a n address of the forfat <something>[at]admin.spamcop.net? That means that the ISP has asked us to send reports to a secret address and so use the [at]admin.spamcop.net domain and then route internally to the appropriate address

3. Why are most China-com spams coming through Sprint?

Can we get after Sprint or boycott them? I know they're huge, but they also account for a good chunk of my received spam.

Sprint gives transit to some China IPs and they keep an eye on the report levels. It is actually a good thing that Sprint keeps an eye on this not a bad thing.

4. Yesterday I got a bunch of spams that reference an "appointment at...".

Did anybody else get these? What advantage is there to a spammer sending me a dozen of these that are so similar? How do they make their money? Who's paying them? Can we castrate some of them?

Well the deputies queue gets dozens of those a day and I am as befuddled as you are :-) We are also getting lots with strange subject line involving jpeg<number> and I have no clue about why that should be appealing. These are, of course, in addition to the usual dead dicatators and their relations. And last but not least a domain I own is getting (or was getting before I turned on reject for the whole domain) 6000+ a day for the same 8 or 10 subject lines. Your guess is at least as good as mine. Basically however since they are sending thru compromised machines it costs them little or nothing to send zillions of spams so they don't much care how many get delivered or don't, how many duplicates go to the same address or don't -- if 1 in a million hooks someone they are making money.

P.S. I bet I don't have this quoting thing under control on the forum yet and so this post is apt to look *cough* odd ...

(Wazoo stepped in and stirred a few of the Quote marks around.)

Link to comment
Share on other sites

It's not so much that it looks odd - it's that I didn't realize that you had responded at first - I thought you had just quoted his whole message and not written anything.

Or maybe I just need more sleep ;) ...

(Later)

Here is a tracking URL for an "appointment" spam I received. Looks suspicious to me ...

Link to comment
Share on other sites

OK, changed Ellen's post a bit, didn't think it was a good thing to have one of the Deputies looking confused <g> ....

qjvgpuryy, the sample you provided ... again, a spam not seen by me, but .. three to five people have really been churning these around in a couple of the newsgroups (moving from spamcop to spamcop.geeks) but noting that their focus has been on the java scri_pt, so there's no connection between their discussion and this Topic about "appointments" ... I actually haven't been following those threads closely, between the paranoia levels of some of the participants and that if those involved would follow the oft recommended security settings for Outlook and Outlook Express, this scripting wouldn't be an issue to begin with.

Link to comment
Share on other sites

(Wazoo stepped in and stirred a few of the Quote marks around.)

16299[/snapback]

Cool -- I was going to say you could explain it to me but upon consideration it seems that it would be much easier for me to just post those cludges and let you sort them out :-) Thanks

Link to comment
Share on other sites

  • 2 weeks later...
  • 4 weeks later...

I asked this question before but I did not have specifics: What is Level 3 Reporting?

>>>>

Report spam to:

Re: 4.29.227.45 (Administrator of network where email originates)

To: Internal Spamcop handling: (level3) (Notes)

Re: 4.29.227.45 (Third party interested in email source)

To: Cyveillance spam collection (Notes)

<<<<

Link to comment
Share on other sites

I asked this question before but I did not have specifics: What is Level 3 Reporting?

I've answered it every time you've asked, Ellen has weighed in ... just how many more times do you need to see the "details" ????? This query merged into the same Topic that the last request for the same data was merged into ....

Link to comment
Share on other sites

No offense, but the answers were all vague and guessing if I take them literally. I did not realize a solid answer had been given.

When somebody, says "not sure, but..." or "I'm guessing..." I take it at face value.

I could have gotten new fresh answers if you'd left things alone as I asked this question a month ago and nobody new is going to look at it, right?

All helpful answers are appreciated.

I'll keep asking until I understand and assimilate the answers. You got a problem with that Sarge? :)

Please don't link me to a bunch of help pages. That is not helpful. Thanks!

Link to comment
Share on other sites

Well this forum is users helping users. Official spamcop employees rarely stop by (though they have been present in the last few days).

Official answers would require following the links in the FAQ or an email to the appropriate spamcop personnel. Those addresses are available in the FAQ, so back to the links you refuse to follow.

Good luck in your pursuit.

Link to comment
Share on other sites

Having a hard time going with your description of "vague" ... here's a compilation of answers ... maybe you can point out where the question is NOT answered ...

2. Some reports go to Spamcop (Level 3).

What is a Level 3 report?

Kind of guessing here, as I think the words are a bit out of context ... Level3 is a bandwidth provider, in addition to being an ISP, Hosting, and other big-money stuff. I believe you are talking about an address specified by Level3 to directly accept SpamCop reports, rather than being mixed in with all the other traffic to the normally used abuse address.

Level3 is a tier one backbone. I think what you are referring to is a n address of the forfat <something>[at]admin.spamcop.net? That means that the ISP has asked us to send reports to a secret address and so use the [at]admin.spamcop.net domain and then route internally to the appropriate address

Level 3 is the Bandwidth/host provider, they have some kind of arrangement with spamcop for receiving reports.
Link to comment
Share on other sites

  • 5 months later...

"Internal spamcop handling" generally means that the reports go to an unpublished address, where they are dealt with in an undisclosed manner. In Level3's case, the forwarder for that address appears to be "level3<at>admin.spamcop.net".

Link to comment
Share on other sites

As (I thought) was stated previously, the address in question was worked out between Level3 staff and SpamCop staff. Again, this helps to keep the SpamCop reports/complaints out of the mix of all other e-mail coming in to the 'publicly advertised abuse' address .. specific reasons could be many, quicker reaction time, more credence of SpamCop reports, probably others .....

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...