contact

The more spam emails we submit, the more we get!


1. The more spam emails we submit, the more spam we get. To verify whether this was true, we tested by submitting spam received in some domains, and not submitting for other domains. We have also submitted spam received in specific email accounts while not submitting spam received from other email accounts.

The result seems to be that spammers are now punishing us by sending us every day hundreds more spam emails (some spams are just repeats of the same spam 20, 30, 40 times) for those email accounts or domains that we submitted. The more we keep submitting, the more the spam increases.

We are a small company and we host various of our own and client domains. We use the email method to submit hundreds of spam every day. We also have our email server check incoming emails against the spamcop bl list.

Mentioned somewhere else on this site is that some ISPs forward the spam copy to the spammers, where the spammer then picks up a unique identifying code in the forwarded spam copy and then knows to whom that particular email was sent. That is how they can retaliate, which seems to be what is happening to us.

I would like to continue submitting these spams, and continue to have these counted in the Spamcop black list, but do not wish to have these spam forwarded to the ISPs, since it quite seems the spammers are receiving copies of our spam submissions.

The "mole" option does not seem to be good for us, since it does not count towards the black listing.

Sometime ago I read in this website about a submit account or option where the submitted spam gets counted in the spamcop black listing, but the spam is not forwarded to the ISP. What is that option?

2. This is a question for Spamcop. Spamcop uses certain email addresses where emails sent to that address get put into the black list, and I believe, not passed to the ISPs. I forgot the name of this method. I would like to volunteer one or more of the email addresses for various domains we host or own. Hope to hear from someone.

Thanks,

> The "mole" option does not seem to be good for us, since it does not count towards the black listing.

On what basis did you make that statement? Last I heard, the "mole" option did count toward the SCBL.

> Sometime ago I read in this website about a submit account or option where the submitted spam gets counted in the spamcop black listing, but the spam is not forwarded to the ISP. What is that option?

That would be the "mole" option.

Check Pinned item in the Announcements section .... Some commentary there from Julian himself ... the SCBL isn't ruled out, just not in place at the moment. The only place a mole report now shows up is in an aggregate database, which an ISP can look at, but generally it's just background data for Deputies to base other decisions on at this point.

<snip>
>> Sometime ago I read in this website about a submit account or option where the submitted spam gets counted in the spamcop black listing, but the spam is not forwarded to the ISP. What is that option?
>
> That would be the "mole" option.

...My guess would be that "contact" is referring to spamtraps.

That was an interesting test on the part of contact. Other people who have tried to test the idea that reporting brings more spam have not had their results duplicated by other reporters.

Can anyone else duplicate the test?

Miss Betsy

PS I agree that spam traps are what contact is thinking of. One can't sign up to be a 'spam trap' - they are email addresses that have never been used that are put on web sites to 'trap' the spammer spiders into picking them up and sending spam to. Since they have never been used for email, whatever is sent there has been unsolicited.

I can't say that my experience matches contact's. Over the years there has been a steady increase in spam levels but I don't see any evidence to support the suggestion that reporting via SpamCop leads to increased levels of spam.

Of course reporting via systems that do not munge the addresses could lead to increased spam but, again, most reporters that do not munge say they don't suffer any appreciable increase as a result.

Andrew

> /snip
>
> Of course reporting via systems that do not munge the addresses could lead to increased spam but, again, most reporters that do not munge say they don't suffer any appreciable increase as a result.
>
> Andrew

Perhaps not, but it can lead to other retaliations as well, see my post Hacker attack above.

Edited by dra007

> Perhaps not, but it can lead to other retaliations as well, see my post Hacker attack above.

I'm not sure that you have clear evidence that the attack is a result of reporting spammer(s).

We suffered a denial of service attack which when investigated appeared to have no connection with spam reporting.

Personally I munge my address when reporting and seem to get just about the same amount of spam as a colleague who chooses to report without munge-ing.

Andrew

Thank you for everyone's response. Some clarifications and extra info.

1a. Increase in spam mail after reporting. Some Background Info. No Reply Needed:

- I am actually more concerned about "extreme" retaliation, than "some" increase in spam mail. I also understand and have seen a regular and constant increase in spam mail during these past years, plus some spikes at times. I am not referring to these, but to a new average and sustained increase we have experienced in the past 2 weeks of about 200%+, of which there may probably be a reason.

- Just FYI. We submit all spam emails we receive to SpamCop, if SpamCop keeps records some of the following could be confirmed. 3 and more weeks ago we used to get about 80 - 100 spam mails every day. About 2 weeks ago, for one particular domain, we also started submitting all spam sent to this domain's non-existent accounts. This added about another 80 emails a day, bringing it to about 160-180 spam emails a day we received and submitted. From about 2 weeks ago our daily spam mail has steadily increased to now about 300-400 daily received and still submitting.

- Noteworthy are:

- a) whereas in the past maybe once or twice daily we noticed the same spam email subject/content sent to 2 or 3 different email addresses, and an extremely small proportion of duplicate emails to the same email account, since about 2 weeks ago we started getting bombarded with 10, 15, 20 of the same "unique" spam email to the same email accounts. Duplicate the above a few times for a few accounts, plus add all the other regular spam emails, we get the 300-400 daily.

- b) The above spam received is not unfiltered. That is, this is the spam we receive AFTER our email server filters all incoming connections before accepting emails (our email server checks: Spamcop.net's BL, relays.ordb.org, sbl-xbl.spamhaus.org, spam.dnsrbl.net). If it did not, we would probably be receiving thousands of emails every day.

- c) Problem above seems to have started after submitting all spams received to the mentioned particular domain.

- If Spamcop provided statistical information on a per spam reporter account basis, it would really help us, plus confirm any information such as the above.

* All above is just FYI. No need for reply.

1b. "about a submit account or option where the submitted spam gets counted in the spamcop black listing, but the spam is not forwarded to the ISP. What is that option?"

- As of the current build info, and I believe this is what Wazoo refers to, it seems the mole option does not do the above. In the FAQ http://www.spamcop.net/fom-serve/cache/373.html

"SpamCop now offers new and existing users an option to withhold almost all data - registering reports in SpamCop's database, but never sending reports to the "ISP" (all too often, the spammer, or a spam-friendly host)." Specifically "registering" the mole reports to the database means "SpamCop will then only give information about these "mole" reports as aggregate and unspecific totals." since "Truly conscientious ISPs will still find some value in these aggregate numbers, while the less ethical won't be able to "work the system."" End result, mole reports get submitted to an aggregate report which could be viewed by ISP, but does not get added or weighted in Spamcop's block list.

- It would be much more helpful if the mole, or some other option, reports were actually added to the block list, not just to the aggregate statistical totals report.

* So my question is still the same. Is there any option where "submitted spam gets counted in the spamcop black listing, but the spam is not forwarded to the ISP."

2. Yes, I was referring to Spamtraps. I would gladly offer new email accounts or even assign over new host domain MX records to and for SpamCop's sole use. My assumption here is that since emails sent to Spamtraps do not get sent to the sending ISPs, but get counted in the block list, that would reduce retaliation from spammers to any of my hosted domains. Plus since the spammers are not getting my reports, it may actually reduce the spam we receive.

* If Spamcop is interested, please contact me.

3. Retaliation from spammers is my main concern. I can see that it would be quite manageable to build an application that picks up the domains and email accounts of the complaining reports, then does (all the following could be reusable spamming code) various automated DNS lookups searches for other domains and IPs associated with the complainer, builds a database of all possible email accounts for the above domains, and then bombards all the domains associated, managed, or hosted by the complainer. There would not be any business reason for a spammer to do the above, other than retaliation and to scare reporters from submitting their reports. [of course there could be other retaliations, such as DOS, owning attempts, etc. but the retaliation above would make it more clear to a reporter the cause of the retaliation].

* Just FYI. No need to reply.

Thanks to everyone for responding and expressing their opinions!

Edited by contact

There is one other explanation for multiple copies of the same spam (which have been reported by other people - usually in reference to whether or not to report them all). Newbie spammers who buy the software because they wanna be rich do not always understand how to work the program. A while back apparently there was a spammer software that wasn't clear on how to add the message and reporters were inundated with blank spams. I actually got one of the blank ones followed within a few minutes with the whole spam when the spammer figured it out (one of the brighter ones, I guess).

Miss Betsy

I have experienced the same thing. My former email ID had 100-120 spams/day when I deleted it. I now am incredibly careful with the new IDs. I have zero spams now. The spams I DID get on the new ID I religiously did not send to SpamCop, but instead sent to the Missouri Attorney General as a spam complaint and copied to the FTC as spam complaint. I ceased getting spams for each of them, but instead now I get 0-5 VIRUSES every day on this ID. They come in many forms. I am not saying SpamCop caused anything. It didn't. It is an incredibly useful tool.

What I am saying is several things:

1. Spammers probably are responsible for some viral attacks as retaliation for some actions, including mine where I have deliberately gotten them fined thousands of dollars for their spams.

2. Those of us who receive viruses need to be able to deal with these and I am not sure how to do so. (Obviously, I have antivirus, firewalls plural, etc., mail prescreener, and spam blockers) But proactively, virus senders need to be STOPPED. So true that most send viruses without a clue they are infected or run a zombie PC.

If it is a friend, or known person, then they simply need to clean up. If it is a deliberate spammer attack, then they need an FBI visit.

3. We need a tool for reporting VIRUS emails like spams. I feel REALLY uncomfortable with the idea of running a virus through SpamCop. I don't want to infect SpamCop, nor do I want to risk infecting the Webmasters who would diligently read the email. Yet we need to be able to tell them there was a virus from one of their IPs and ask them to stop the problem, and if needed keep the copy of the email available to them so they can see it without risk of infection.

4. I am beginning now to run the headers for these virus emails through SpamCop. I am trending the senders' IPs. Once I see who the sender is and if they trend, I will start notifying the ISPs. But it would be so nice if there was a VIRUS reporting tool.

The reason I know I have incoming viruses is that I built several sophisticated filters into Mailwasher. I know when I see attachments that are known carriers. I never download those into Outlook so that the antivirus and firewall would block them. The headers and the message are in text in Mailwasher and I can prescreen them, SpamCop the header, and then purge the inbox prior to reading the other messages. It is a shame it comes down to this, but it is the world we live in.

Advice and comments welcome.

Dennis

I suffered a year long VIRUS ATTACK as well as various HACKER ATTEMPTS!

Nothing ever stopped them, they come back in cycles. I suppose once they realize you are fighting back, they turn this into some kind of game. The problem is ISPs and upstream ISPs who chose to shelter these bastards, for profit or out of sheer incompetence. Hard to tell.

> Nothing ever stopped them, they come back in cycles. I suppose once they realize you are fighting back, they turn this into some kind of game. The problem is ISPs and upstream ISPs who chose to shelter these bastards, for profit or out of sheer incompetence. Hard to tell.

Another major reason to have a competent provider yourself that does offer effective spam filtering. The best and only is a SpamCop email account, which keeps spam out of your inbox and spammers in the dunny ready for flushing. Very rarely does one get to your inbox, and in the unlikely event they do, it is an easy task to fully report websites as well (and I follow the links but use a safe browser like "Net.Demon").

To ensure your own Windows computer is secure, check my signature. Also consider saving ALL your passwords to a "PassWord Saver" program. Spyware looks for your passwords, giving access to your provider and other info you need to keep secure (bank accounts etc.). I recommend you (further) run such password software from a USB removable hard drive.

> What I am saying is several things:
>
> 1. Spammers probably are responsible for some viral attacks as retaliation for some actions, including mine where I have deliberately gotten them fined thousands of dollars for their spams.

Funny. I have several email addresses. The ones published on the web get spam - which I report. A couple do not get spam. Because of virus filters, several of my addresses don't get viruses that I can identify and report. However, on the one that does get lots of viruses (because my address is in a lot of address books) it is only /after/ I get a run of viruses that I get a spam. - usually a 419 one.

IMHO, with all the virus filters out there a spammer would not try to 'attack' with viruses since a reporter of spam would probably have a virus filter. Since spammers tend to forge addresses in the return path, the explanation is probably that a spam with a forged email address has been sent and is now on some clueless user's computer (or many clueless users) and that's why viruses seem to follow spam.

Miss Betsy

When we receive virus generated spoofed emails where the headers are known to contain a phony sender email ID, is the IP address within the header or the SpamCop derived IP address valid still, or not?

Any comments on whether a virus sender reporting tool would be helpful? It may be easy to set the antivirus to delete the message and not tell us, but it doesn't help us stop the person sending the bugs. And as long as they don't protect themselves, they continue to catch and spread bugs. The gotcha here is that no antivirus software is 100% perfect in catching and eliminating all viruses, worms, and trojans, so the more coming in, the more likely one will get through.

Dennis

> When we receive virus generated spoofed emails where the headers are known to contain a phony sender email ID, is the IP address within the header or the SpamCop derived IP address valid still, or not?

Since a virus infected message is just a special type of email, yes, the results of the spamcop parser are valid for finding the source of the virus infected message. It is against spamcop's rules, however, to use spamcop to send the report. You can use spamcop to determine the source, cancel that report and send a manual report.
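
Why the header-derived IP stays valid when the sender address is forged, shown as an added example that is not part of the original post and is not SpamCop's parser: the connecting IP is recorded by the receiving server in its own `Received:` line, while `From:` and any lower `Received:` lines are supplied by the sender. The message, host names and addresses below are constructed, and `own_relay_ips` is an assumed parameter listing your own relays.

```python
import re
from email import message_from_string

# IPv4 literal in brackets, as most MTAs write the connecting address.
# (IPv6 clients are not handled in this sketch.)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample. Only the top Received line was written by the
# recipient's own server; the second one and the From line are forged.
SAMPLE = """\
Received: from pc-77.example.org (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id ABC123
\tfor <user@example.net>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.bank.example (mail.bank.example [192.0.2.1])
\tby pc-77.example.org with SMTP; Mon, 1 Jan 2024 09:59:00 +0000
From: "Support" <support@bank.example>
To: user@example.net
Subject: constructed test message

body
"""


def source_ip(raw_message, own_relay_ips=frozenset()):
    """Return the first connecting IP that is not one of our own relays.

    Received lines are read newest first. The top line is written by the
    server the message was read from, so its connecting IP is trustworthy.
    We move down one line only while the connecting IP is one of our own
    relays; everything below the first outside IP is unverified.
    """
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received", []):
        hop = " ".join(hop.split())            # unfold continuation lines
        from_clause = hop.split(" by ", 1)[0]  # "from helo (rdns [ip])"
        match = BRACKETED_IP.search(from_clause)
        if match is None:
            return None                        # cannot verify this hop
        if match.group(1) not in own_relay_ips:
            return match.group(1)
    return None


if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print("claimed sender:", msg["From"])
    print("actual source :", source_ip(SAMPLE))
```
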

> Since a virus infected message is just a special type of email, yes, the results of the spamcop parser are valid for finding the source of the virus infected message. It is against spamcop's rules, however, to use spamcop to send the report. You can use spamcop to determine the source, cancel that report and send a manual report.

Thanks Steven. Not to worry. I check the headers and cancel the reports. I didn't like the idea that someone else might be exposed.

Dennis

> Any comments on whether a virus sender reporting tool would be helpful? It may be easy to set the antivirus to delete the message and not tell us, but it doesn't help us stop the person sending the bugs. And as long as they don't protect themselves, they continue to catch and spread bugs.

Many people would like a reporting /and blocking/ tool for viruses. However, spamcop keeps its focus on spam, and will not report either email bounces or viruses.

I manually report each one (that the virus checker doesn't delete - why it decides to delete some and not others is something neither the virus company nor I know). Usually it only takes one report to stop them. Sometimes it takes longer and then I wish I could block!

Miss Betsy

It appears that I neglected to mention in this Topic that you should file a Manual Report for each instance of bad code (Viruses, Trojan horses, Worms, Macros, Vulnerabilities, and Exploits) you get, including the name of the bad code and which antivirus company gave it that name. If you want to go the extra mile and include many of the names it has been given, IME the Symantec Security Response database of Viruses, Trojan horses, Worms, Macros, Vulnerabilities, and Exploits usually provides the most names given by other companies. Please don't include any of the bad code itself, or you may infect the recipient.

> Any comments on whether a virus sender reporting tool would be helpful?

being a sysadmin, i read this thread closely. fwiw, i will share my techniques (which i have honed over the past 2 years) on how i combat both spam and virus attacks. i have about 25 published email addresses that routinely receive lots of spam, many times copies of the same spam. there was a time when i received more than 500 spams and about 20-30 virus-laden emails per day. i now receive less than 30 spams per day and maybe 1 or 2 virus-laden emails per week. here's what i do:

first of all, all mail received at my server is checked against the following:

distributed server boycott list - list.dsbl.org

sorbs - dnsbl.sorbs.net

spamcop blacklist - bl.spamcop.net

i have found using these 3 lists stops 2000-3000 (on average) spam emails per week.

1) virus-laden emails - just add the damn ip address to ipchains/iptables and block access to port 25. i never receive another virus email from that machine. in almost all cases they are dsl or cable internet users whose computers are on and connected all the time, and they should be sending me email through their downstream provider, not directly from their box.

2) spam w/o rdns info - blocked in sendmail access file, w/ a curt message to visit a special page on my website for the reason it's been blocked.

3) spam w/ rdns info - examine the headers, and if it came from a reputable isp like verizon, pacbell, comcast, etc. then i submit it to spamcop. if it came from an annoying or suspect place like yourbigvote.com or bargainfreestuff.com, it gets added to the sendmail access. if it's something i don't immediately recognize, like maybe bezeqint.net, i visit the website, and if i think it's valid, i submit to spamcop. otherwise, it goes right into sendmail access. this is by far the most tedious step since i usually have to examine the website, but it goes a long way when you find out it's bogus and can stop all email just by adding one line to the access file.

in 2 years, i have had only one complaint from implementing #2 and #3, and it was from a user in singapore, sending from the com.sg domain. i received 3 spams in one day from com.sg and just blocked it in sendmail access. however, a client w/ a domain hosted on my server has clients himself in singapore and they contacted him (by phone) when their email started getting rejected. so now i report any com.sg spam to spamcop.

i am seriously considering implementing a sendmail rule that just blocks all email from servers w/o rdns information, with a curt message along the lines of 'rejected due to missing or invalid rdns - contact your network administrator', and whitelisting any that complain i'm blocking valid email for 2 weeks. i'd give them 2 weeks to get rdns info in place, then start blocking again if it's not there after that time. in this day and age, i feel there's no reason for a company to not have valid rdns info. i'm considering this because my sendmail access file is starting to get quite large (almost 10,000 ip addresses/domains right now) and adding new entries is getting tedious. right now, more than 90% of my spam comes from machines w/o rdns info.

as i stated, i've reduced my spam load from more than 500 to less than 30 per day. any comments on my techniques are welcome.

later, paul
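
The connection-time checks described in the post above, as an added example that is not paul's configuration or sendmail's own code: a DNSBL lookup against the three zones he names, followed by the rDNS rule he is considering. It goes slightly beyond the post by requiring the PTR name to resolve back to the client IP (one reading of "invalid rdns"); the resolver callables, sample addresses and DNS data are constructed so the block runs offline.

```python
import ipaddress

# Zones named in the post. Before querying any list in production, confirm it
# is still operated and that your usage fits its terms.
DNSBL_ZONES = ("list.dsbl.org", "dnsbl.sorbs.net", "bl.spamcop.net")

RDNS_REJECT = ("rejected due to missing or invalid rdns - "
               "contact your network administrator")


def dnsbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rdns_confirmed(ip, resolve_ptr, resolve_a):
    """True only if a PTR record exists and one PTR name resolves back to ip."""
    return any(ip in resolve_a(name) for name in resolve_ptr(ip))


def triage(ip, resolve_a, resolve_ptr, zones=DNSBL_ZONES):
    """Decide what to do with a connecting client, returning (action, reason).

    resolve_a(name) -> list of IPv4 strings, [] for NXDOMAIN
    resolve_ptr(ip) -> list of host names, [] when there is no PTR record
    """
    for zone in zones:
        answers = resolve_a(dnsbl_query_name(ip, zone))
        # A listed address answers inside 127.0.0.0/8; NXDOMAIN means not listed.
        if any(a.startswith("127.") for a in answers):
            return ("reject", "listed in " + zone)
    if not rdns_confirmed(ip, resolve_ptr, resolve_a):
        return ("reject", RDNS_REJECT)
    return ("accept", "passed dnsbl and rdns checks")


# Constructed DNS data (documentation address ranges) standing in for live lookups.
SAMPLE_A = {
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],  # 192.0.2.10 is "listed"
    "mail.example.net": ["198.51.100.7"],        # matches its PTR below
    "host.example.org": ["203.0.113.99"],        # does not map back to .5
}
SAMPLE_PTR = {
    "198.51.100.7": ["mail.example.net"],
    "203.0.113.5": ["host.example.org"],
}


def stub_a(name):
    return SAMPLE_A.get(name, [])


def stub_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.77"):
        print(client, triage(client, stub_a, stub_ptr))
```
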

> in this day and age, i feel there's no reason for a company to not have valid rdns info.

I totally agree with your attitude. In this day and age, there are no 'innocent' senders. There are only 'ignorant' senders who, unknowingly, contribute to the spam problem instead of being responsible netizens.

I can't comment on your procedures because I don't run a server, but they look comparable to other sysadmins who successfully block spam.

Miss Betsy

Hi, paul!

...Your post is AWESOME! I just forwarded it on to my employer's network admin in an e-mail in which I asked him to help pressure our e-mail admins to do something similar to what you are doing. Thanks! :D <big g>

I am currently trying out Mailwasher Pro, and using the tie-in to report spam emails to Spamcop.

Why does my volume of spam appear to be increasing, since I started this trial? I have tried both Mailwasher and Spamcop before, independently in previous years, and noted the same problem then, before I eventually changed my email address.

The latest spams have come to my correct email ID [at] the smtp server name, not my correct email address, but they still get directed to me, of course. Is my ID and this server information getting leaked out somehow in your reports to spammers' ISPs?

Many factors involved in your "increase" .... how you handle the spam for instance. To answer your "is data leaked" .. try hitting the "Preview" button which displays the actual complaint/report e-mail. If you want to go paranoid, then please be advised that "tracking" information can be hidden in many different ways, but the general guidance these days is that few spammers waste the time.

Remember that reporting alone will do nothing to reduce the amount of spam you receive. Its primary purpose is to feed the SpamCop BL. Its secondary purpose is to send reports to the source of the spam with two differing goals. 1) if the source is a hijacked machine the goal is to inform them that someone is using their machine/bandwidth to send spam and to encourage them to fix the problem. 2) for direct spammers it is to encourage the ISPs involved to enforce their TOS. The big time spammers keep finding more ways of sending their junk. The key to reducing the amount of spam you personally receive is the proper use of Blocking lists and filters. If you do not make use of BLs and filters, then your reporting will have little direct benefit to you personally but the rest of the world does enjoy the benefit of your reporting. So thank you for helping to reduce the amount of spam I and others receive by continuing to report the spam that you are getting.
