ANGEL

SC parser report distribution question


Question re: SC report auto-distribution; not any address manually entered in [User Notification] field.

Are SC reports ever directed to the "source" of the spam?

Not sure if an example is needed, posting just in case:

https://www.spamcop.net/w3m?i=z6898801339z8c25e92a12dc86c774a950d737412c13z

 

Cheers.

16 minutes ago, ANGEL said:

Are SC reports ever directed to the "source" of the spam?

SC reports are directed to the administrator listed as the abuse contact for that network.  Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL.  I see that this report was sent to both an outlook.com address and a user defined hotmail.com address.  The IP address in question seems to be assigned to an ISP called CoreIP.  Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com.

Now you ask, if the reports are ever directed to the "source" of the spam.  There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois.  As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.


 

1 hour ago, ANGEL said:

Are SC reports ever directed to the "source" of the spam?

Help if you sent a tracking URL

Your email server collects a received IP address; that is a genuine IP. A lot of spam has fake IPs stamped with the spam; SpamCop will disregard these if there is something dodgy about it (no DNS etc.). Example below.

Received: from WINDOWS-COSBPNE (unknown [113.140.86.66]) my email server
	by vmx5.spamcop.net (Postfix) with ESMTP id 07FDAAF6FB
	for <xxx[AT]spamcop.net>; Wed,  9 Jan 2019 13:31:08 -0800 (PST)
Received: from jakwcdbio (Unknown [182.111.98.3]) claimed/fake email server stamped source

DNS LOOKUPS
Forward and Reverse DNS lookups are performed to see if the name to IP and IP to name DNS lookups produce the same results. This feature is used to see if DNS is correctly set up for a host and can be an indicator for a malicious host.

 

Edited by petzl
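
An added example (not part of petzl's post and not SpamCop's own code) of the check described above: keep only the Received hop stamped by a server you control, then compare reverse and forward DNS for its IP. The function names, the trusted-server set and the stub resolvers in the demo are assumptions made for illustration; the header text is the sample from the post with the inline annotations removed.

```python
import re
import socket

# Constructed sample: the Received lines quoted in the post, annotations removed.
HEADERS = """Received: from WINDOWS-COSBPNE (unknown [113.140.86.66])
\tby vmx5.spamcop.net (Postfix) with ESMTP id 07FDAAF6FB
\tfor <xxx[AT]spamcop.net>; Wed,  9 Jan 2019 13:31:08 -0800 (PST)
Received: from jakwcdbio (Unknown [182.111.98.3])"""

HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9a-fA-F.:]+)\]\)(?:\s+by\s+(\S+))?")

def parse_hops(raw):
    """Unfold continuation lines and return one dict per Received header, newest first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    hops = []
    for line in unfolded.splitlines():
        m = HOP.search(line) if line.lower().startswith("received:") else None
        if m:
            helo, rdns, ip, by = m.groups()
            hops.append({"helo": helo, "rdns": rdns, "ip": ip, "by": by})
    return hops

def trusted_source(hops, my_servers):
    """Return the oldest hop written by our own servers; anything below it is sender-supplied."""
    source = None
    for hop in hops:
        if hop["by"] not in my_servers:
            break  # this line was not stamped by a server we control
        source = hop
    return source

def system_ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def system_addrs(name):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def fcrdns(ip, ptr=system_ptr, addrs=system_addrs):
    """IP -> name(s) -> IP(s): 'match' only if a reverse name resolves back to ip."""
    names = ptr(ip)
    if not names:
        return "no-ptr"
    return "match" if any(ip in addrs(n) for n in names) else "mismatch"

if __name__ == "__main__":
    hop = trusted_source(parse_hops(HEADERS), {"vmx5.spamcop.net"})
    # Stub resolvers (constructed) model the "unknown" the receiving server logged.
    print(hop["ip"], fcrdns(hop["ip"], ptr=lambda ip: [], addrs=lambda n: []))
```

Calling `fcrdns(ip)` without the stub arguments uses the system resolver instead of the constructed data.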

1 hour ago, gnarlymarley said:

SC reports are directed to the administrator listed as the abuse contact for that network.  Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL.  I see that this report was sent to both an outlook.com address and a user defined hotmail.com address.  The IP address in question seems to be assigned to an ISP called CoreIP.  Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com.

Now you ask, if the reports are ever directed to the "source" of the spam.  There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois.  As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.

Thank you Gnarlymarley, 

Your answer is exactly the information I needed & clarifies the issue:)

Re [As soon as those are found out..], is there anything we [SC] users can do/need to do, to facilitate [action by SC deputies](apart from submitting spam to SC)?

45 minutes ago, petzl said:

 

Help if you sent a tracking URL

Your email server collects a received IP address; that is a genuine IP. A lot of spam has fake IPs stamped with the spam; SpamCop will disregard these if there is something dodgy about it (no DNS etc.). Example below.


Received: from WINDOWS-COSBPNE (unknown [113.140.86.66]) my email server
	by vmx5.spamcop.net (Postfix) with ESMTP id 07FDAAF6FB
	for <xxx[AT]spamcop.net>; Wed,  9 Jan 2019 13:31:08 -0800 (PST)
Received: from jakwcdbio (Unknown [182.111.98.3]) claimed/fake email server stamped source

DNS LOOKUPS
Forward and Reverse DNS lookups are performed to see if the name to IP and IP to name DNS lookups produce the same results. This feature is used to see if DNS is correctly set up for a host and can be an indicator for a malicious host.

 

Hi Petzl, what does "Help if you sent a tracking URL" mean please?

Edited by ANGEL
Typo: corrected Petzel to Petzl

1 hour ago, gnarlymarley said:

SC reports are directed to the administrator listed as the abuse contact for that network.  Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL.  I see that this report was sent to both an outlook.com address and a user defined hotmail.com address.  The IP address in question seems to be assigned to an ISP called CoreIP.  Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com.

Now you ask, if the reports are ever directed to the "source" of the spam.  There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois.  As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.

Re [There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois]

Are they really: 

- that rich? :wacko:

- that dumb?:wacko:

 

36 minutes ago, ANGEL said:

that rich? :wacko:

Yes. 

37 minutes ago, ANGEL said:

that dumb?:wacko:

If they "own" a block of IPs, they can rotate the IP they use to send spam whenever an IP gets blocked. They will never have a host block their spam because of complaints.  Sorry to say, from a business standpoint owning a range of IPs makes sense.

50 minutes ago, ANGEL said:

Hi Petzl, what does "Help if you sent a tracking URL" mean please?

Before you submit a spam, at the top of the page is a "tracking URL"; copy it and one can then see what you are on about.

16 minutes ago, petzl said:

Before you submit a spam, at the top of the page is a "tracking URL"; copy it and one can then see what you are on about.

Like the url I referenced when I submitted the issue Petzl?  

Please refer to attached image - ✔️ URL  ✔️

SC Report URL.jpg

20 minutes ago, Lking said:

Yes. 

If they "own" a block of IPs, they can rotate the IP they use to send spam whenever an IP gets blocked. They will never have a host block their spam because of complaints.  Sorry to say, from a business standpoint owning a range of IPs makes sense.

Thanks Lking, that adds to the helpful info posted by Gnarlymarley.

Not that it's welcome info.

(imo) It means they are: rich, dumb, business owners🤢


Am I missing something?

This is what I posted: "Not sure if an example is needed, posting just in case:"

https://www.spamcop.net/w3m?i=z6898801339z8c25e92a12dc86c774a950d737412c13z

4 hours ago, ANGEL said:

Am I missing something?

BEFORE you click submit the tracking URL is at top of page

https://ibb.co/4PCKSm7

13 hours ago, ANGEL said:

(imo) It means they are: rich, dumb, business owners🤢

Like all business owners, they get their money from somewhere.  Either they have investors, or they have people that keep buying into the spams (either by entering banking information or by clicking an advertisement link).  My guess is mostly the latter.

ANGEL,  The tracking link would have the "sc?id=" in the middle of it.  This would be your tracking link:

Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz

 

3 hours ago, gnarlymarley said:

Like all business owners, they get their money from somewhere.  Either they have investors, or they have people that keep buying into the spams (either by entering banking information or by clicking an advertisement link).  My guess is mostly the latter.

ANGEL,  The tracking link would have the "sc?id=" in the middle of it.  This would be your tracking link:


Here is your TRACKING URL - it may be saved for future reference:
https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz

 

Thank you Gnarlymarley, however, I'm a tad confused:

a) you responded to my original post (& I took from your reply) you interrogated the url I posted - no?

b) when I go to [ https://www.spamcop.net/w3m?i=z6898801339z8c25e92a12dc86c774a950d737412c13z ] & select [Show how SpamCop traced this message] redirects to https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz, imo, gets to the same result, therefore, not much difference. 

But, I'm happy to take on the learning, thank you😊

2 hours ago, ANGEL said:

a) you responded to my original post (& I took from your reply) you interrogated the url I posted - no?

 

yes, but I had to click the "Show how SpamCop traced this message" to find it.

2 hours ago, ANGEL said:

imo, gets to the same result, therefore, not much difference. 

It does kinda get the same results.  The issue is it also gives me access to a menu item that I normally do not see as a spamcop user, but only as a provider.  The link you sent will allow me to respond as you to the report back to the original submitter.  I am not comfortable with such a link.  The spammers do have access to this form, and they could select the option that "it was not spam" on your behalf.  I understand why petzl only wants the tracking URL.


Once again Gnarlymarley, thank you, clarification and logical explanation is very helpful.

I thought I was providing "a" tracking url. Did not understand the distinction.

Many thanks & cheers.

 

 
