
General Questions


Nev


Hi All,

Having used SpamCop for around 6 months and still a relative newbie to your excellent services, but not a newbie to computing or receiving spam, I for one would like to know:

1) What happens in general when our spam Reports land in the abuse departments of the ISPs ?

2) Do you ever communicate directly with them and get notification of spammers being banned .. as I do when reporting spam and Criminal attempts at fraud direct to Yahoo ( for example ) ?

3) With the never ending flood of spam chinanet / cnc-noc.net / nic.br / sprint.net and the other chief culprits allow to pass through their systems .. do they actually ever do anything about it or are all our spam Reports automatically deleted or diverted to a chute straight out of their office windows ?

6) Is there any known reason why more spam from Turkey is suddenly appearing ?

5) Is it possible to see the statistics of the worst ISP offenders and are they told just how bad they are by anyone in any authority which they would take notice of ?

6) Have you any evidence that using SpamCop is having any effect on either the rogue ISPs or the spammers themselves ?

A Happy and spam Free New Year to you All

Link to comment

> 1) What happens in general when our spam Reports land in the abuse departments of the ISPs ?

Some ignore them.

The well run ISPs or network operators understand that a spam report that indicates spam is being sent means that serious money is being lost by them through bandwidth theft, and they start a security scan to verify how that theft is being done and stop it. Many have that step automated, so by the time the human gets involved, all they have to do is confirm that the problem system is now isolated.

The less clueful ISPs check to see if it is one of their mail servers and if not, issue a warning to the owner to get their machine fixed, and then if they are still getting reports in a week then they take action.

The spammers really love those ISPs and favor stealing bandwidth from them.

Note that if you are on one of those ISPs that gives one week warnings, you will find that you have intermittent network quality issues, because while one of the spam runs is in progress, they will utilize almost all of the ISP's bandwidth for the segment that the compromised system is on.

So in addition to the less clueful ISP losing money on the bandwidth stolen, they are also losing money because they are issuing refunds to their other customers because they are allowing their network to be overloaded.

Of course all that is passed back on to the other users of that ISP in added costs and/or poor performance.

See the pinned item on the "cost of spam".

> 2) Do you ever communicate directly with them and get notification of spammers being banned .. as I do when reporting spam and Criminal attempts at fraud direct to Yahoo ( for example ) ?

Usually the only response to a spamcop.net report is an auto-ack from a robot. Only a few ISPs actually respond with termination notices.

The feedback that is important is how many times that ISP shows up in spamcop.net reports that you send. If it shows up a lot, it indicates that they really do not care about dealing with spam, and prefer to just pass the costs on to their paying customers.

> 3) With the never ending flood of spam chinanet / cnc-noc.net / nic.br / sprint.net and the other chief culprits allow to pass through their systems .. do they actually ever do anything about it or are all our spam Reports automatically deleted or diverted to a chute straight out of their office windows ?

Only those ISPs know what they do with them.

Many mail server operators will no longer accept any e-mail from several networks and countries that are spam friendly unless prior whitelisting for specific mail servers has been done.

While you may have a fixed monthly cost, it is likely that your mail server operator at some level is paying a metered rate. So any spam that is let into the mail server that could have been blocked by a DNSbl is a needless expense.

You will generally find that when the bandwidth cost comes out of the server operator's profit and they are aware of it, they will protect their profit and block e-mail from any IP range that shows up as a chronic source of spam.

Blocking lists make spam the problem and expense of the sending network.

> 6) Is there any known reason why more spam from Turkey is suddenly appearing ?

Was that supposed to be 4?

I am not seeing any spam originating from any Turkish ISPs, and have not for quite some time.

> 5) Is it possible to see the statistics of the worst ISP offenders and are they told just how bad they are by anyone in any authority which they would take notice of ?

There are many sources of spam statistics on the Internet.

If they are not known to the people in authority it is only because those people are choosing not to look at them.

> 6) Have you any evidence that using SpamCop is having any effect on either the rogue ISPs or the spammers themselves ?

Several people claiming to operate networks have posted in the various forums that they use the reports to keep zombie computers on their networks from stealing bandwidth from them and abusing others.

At least one lawsuit, which was settled out of court and resulted in no change in spamcop.net's operation.

Several attempts to DDOS it out of service.

Attempts to send forged reports through spamcop.net to get the wrong I.P. addresses listed.

Attempts to forge sign up e-mail addresses harvested from the spamcop.net on opt-out mailers that do not confirm subscriptions.

But spamcop.net is not the worst thing for the spammers. Based on one of my mail server operator's statistics, it is only blocking about 2% of the spam attempted to be delivered to them.

The local blocks handle most of the spam, followed by the DYNAMIC IP DNSbls block the majority of the spam, followed by the open proxy blocking lists. Then the spamhaus list and the open relays lists catch most of the rest.

Essentially the spamcop.net list is most useful for catching new spam sources, which are mostly zombie machines that have not yet been caught by the open proxy lists.

-John

Personal Opinion Only

Link to comment

Many thanks for your interesting, obviously time-consuming and well-considered personal reply.

As I would humbly consider the answers to my questions to be essentially at the root of us using SpamCop and spending quite a lot of time in sending off spam Reports .. are they not worthy of any official comments from the moderators of these forums ? Please nicely .....

Cheers

Nev

Link to comment

Approximately 20 inches of snow outside, neighborhood full of older folks, this Moderator has been a bit busy outside these last two days. If you'd take a look-see, you'll note that this Moderator has been posting all over the place while inside. This Moderator saw your (lengthy) list of questions, saw that it was going to take some extensive bit of time to respond with answers above and beyond the "read the FAQ" and "read these other discussions" ... so yes, immediate response mode was not actioned .... however, coming back when I thought I'd take the time and finding John's excellent post that seemed to touch at least one aspect of all your questions, I went back on to other queries, issues, and problems ... figuring I'd wait to see what your response was going to be to John's post ... definitely not expecting what you did say ....

JeffG hasn't worn his Moderator hat in quite a while (though recently threatening to pull it out of the box when year-end stuff gets finished <g>)

If you're talking about those folks identified as Staff/Admin, what time they spend "here" is looking to resolve issues that might need their "powers" ... not a lot of spare time to hit a "general perception" type thing most days.

Is there something that you want more data on specifically?

Link to comment

> 5) Is it possible to see the statistics of the worst ISP offenders and are they told just how bad they are by anyone in any authority which they would take notice of ?

ROKSO has detailed statistics on the worst spammers and I am sure there are lots of lists that pinpoint who are the worst ISPs (china and korea come to mind).

The primary problem is that not enough end users have made themselves heard about the censorship by ISPs who do not allow end users to choose filtering methods or even inform them about their use and about the good practice of using blocklists that reject at the server level so the sender can do something about the spam coming from the IP address he is using (either complain or leave).

Therefore the top level (some spammers own their own IP space) is not motivated to actually cut them off (the top level being the backbone providers).

As a side note, the people who have answered your questions (with the exception of me) are just about as knowledgeable as you can get about spam, spam sources, and filtering methods. What they don't know about spam probably isn't worth knowing.

Don't get hung up on titles.

Miss Betsy

Link to comment

Hi Wazoo,

Good luck with the snow-shovelling .. and thanks for your reply .. sorry that my response to John's post was not what you expected.

In his post, John did say it was his "personal opinion" and although a good post … how, as a newbie … was I supposed to know he is a past moderator ?

The basic answers to a couple of my questions still remain in the air :

I suppose what I am really asking for is for statistical proof that SpamCop is having some effect on the spam mountain .. and if the rogue ISPs are being exposed internationally to authorities that can, are or will do something about them ?

Whilst I have your attention .. Cyveillance .. are always included in the list of recipients for spam Reports. If I understand correctly that their aims are to report to Websites that references to them have been included in spam mails .. surely any Website owners, with an interest in unsolicited mailings to promote their name or products, are going to be highly pleased to be notified that their strategy is successful .. hardly dissuading them from continuing.

So, in essence, how much is the time spent using SpamCop benefiting me, others and the cyber-world as a whole please ? I am more than willing to continue using it … but some actual proof of results would be reassuring.

Cheers

Nev

Link to comment

> In his post, John did say it was his "personal opinion" and although a good post … how, as a newbie … was I supposed to know he is a past moderator ?

JeffG volunteered for the Moderating status way back when. I didn't think I'd spend much time here, so I ignored JT's request for volunteers. However, noting that so few of the newsgroup regulars made the transition to this web-based thing, I ended up spending more and more time here trying to help. So it was later on that JT asked if I'd do some Moderating things also. Real life kind of sucked up JeffG's free time, leaving me with the no life situation well in hand, well, I have something to do <g> That's the history of the Moderators here.

This is set up as a peer-to-peer support Forum, so answers to questions can come from anybody. I'd say it was up to you to determine who to believe/trust, but bad answers usually get corrected quickly <g>

In this case, John has a lot of knowledge and graced you with the time spent to compose a response.

> I suppose what I am really asking for is for statistical proof that SpamCop is having some effect on the spam mountain .. and if the rogue ISPs are being exposed internationally to authorities that can, are or will do something about them ?

No idea how to provide that data short of suggesting you take the time to read other Topics/discussions here (for starters) ... Statistical analysis would have to start with specific data, such as how much spam is Ralsky going to spew out today? How much of that spew is going to be caught by "what" ... personal filters, ISP filters, ISP IP range blocks, various BLs (of which SpamCop is only one), content filters, etc. etc. etc. The SpamCop is only one tool available out there, and the contents of that BL are fed via the spam complaints generated through the use of the SpamCop parsing and reporting engine.

As you read some of the other Topics / discussions, you'll find that the use of the SCBL shows up all over the place (for example; the latest round of YahooGroup e-mail getting blocked at numerous receiving ISPs) However, there's no way to put a "number" on any of that as "we" haven't a clue as to how many folks are impacted but don't find their way "here" .... There's another Topic or three within the Lounge, title is something like "Is it worth it" ... basically your same query ...

For "direct" results, either you or your ISP would be using the SCBL or you would be using the SpamCop Filtered E-Mail account ... but for "me/us" to give you a chart .. not possible ... On the other hand, if there was no SpamCop or any of the other attempted means of stopping the spew, it's a sure bet that e-mail would not be usable at all by this point.

> Whilst I have your attention .. Cyveillance .. are always included in the list of recipients for spam Reports. If I understand correctly that their aims are to report to Websites that references to them have been included in spam mails .. surely any Website owners, with an interest in unsolicited mailings to promote their name or products, are going to be highly pleased to be notified that their strategy is successful .. hardly dissuading them from continuing.

No idea ... my only dealings with Cyveillance is the blocking I put on all my managed web-sites to keep them out. Google is your friend if you want to study that issue. There isn't a web-site owner/manager (that I know) that allows them access and I have never come across a press release where Cyveillance was mentioned in "cracking the case" .. nevermind not knowing or caring just what the fees must be for their "services" .... Julian did a thing along the lines of an enemy of my enemy is my friend, and it's his system, thus his decision .. again, Google works just fine <g>

> So, in essence, how much is the time spent using SpamCop benefiting me, others and the cyber-world as a whole please ? I am more than willing to continue using it … but some actual proof of results would be reassuring.

To "touch" all your questions, I can only say here .. please see the above ... between the spammer rants, the ISPs that fix their servers thus shutting down more spew, mailing-list users that eventually see the errors of their ways by using "bought over the Internet millions of known-good opted-in e-mail addresses of folks that desperately need your (insert product name here)" .... again, no way to put a number on these things.

Link to comment

Many thanks Miss Betsy and Wazoo, for your comments .. and please bear in mind I did appreciate and acknowledge John's reply and in no way denigrated it.

I see that factual data is difficult, if not impossible, to display and only hope that our efforts are making as big a difference as possible in the spam Wars.

Google certainly does give some interesting facts about Cyveillance. With my suspicions, I haven't sent any reports to them for a long time .. I shall continue not to do so. I wonder why Julian continues the association.

Thank you again to you all.

Cheers

Nev

Link to comment

Thanks for your contribution Steven,

I had looked at these pages before but will readily admit to struggling to understand some of the information contained in them.

I understand IP addresses and looked up a few of the list toppers to be told they are open proxies .. which I also understand the significance of in general terms.

However I, and probably many computer users who can use SpamCop with ease, but are not into the technical terms, can much more readily recognise ***.whatever as a major transgressor being named and shamed rather than having to take a degree in statistical analysis to understand some of the technical terms and the graphs.

This is no criticism of you all in any way .. rather a failing on my part .. and no, don't worry, I won't ask you to explain them all !! :))

Thank you again ..

Cheers

Nev

Link to comment

With the best will in the world, Wazoo my friend .. I have two 500 page Website businesses to run, another 600+ page Site to control and despite using most every trick in the book to minimise spam, am taking time out to report the rubbish I do receive to SpamCop .. there are not enough hours in the day to wipe my proverbial posterior .. no matter trying to fit in learning the finer arts of statistical analysis :)

Here it is 2.35am and I am still at it ! :blink:

I will leave it to you boffins and trust that we will win one day ... without having the understanding to actually know when from the statistics .. only from the prayed-for lack of spam in my Inboxes.

Cheers

Nev

Link to comment

> In his post, John did say it was his "personal opinion" and although a good post … how, as a newbie … was I supposed to know he is a past moderator ?

John has never been a moderator of this forum unless someone did that to him without his knowledge.

-John

Personal Opinion Only

Link to comment

> Google certainly does give some interesting facts about Cyveillance. With my suspicions, I haven't sent any reports to them for a long time .. I shall continue not to do so. I wonder why Julian continues the association.

The amount of data that spamcop.net has fed them has been too much for them at least once, and required Cyveillance to beef up whatever is receiving the reports.

-John

Personal Opinion Only

Link to comment

> I suppose what I am really asking for is for statistical proof that SpamCop is having some effect on the spam mountain .. and if the rogue ISPs are being exposed internationally to authorities that can, are or will do something about them ?

As Wazoo has noted there isn't any easy way to show whether SpamCop or any other blocklist has had an effect on the spammers sending the junk. It has certainly inconvenienced them and caused them to issue legal proceedings (as noted by WB8TYW) and you can infer, I think, that some effect has been achieved.

However, the value of the BL is in its usefulness to the end user to filter or block the incoming stream and thus start the day with a relatively clear mailbox.

If you are reporting then I am most grateful. My filtering scenario works so well that I don't remember the last time I got junk in my inbox and the number of false positives I receive is tiny (although I did get one this morning ;) )

So please keep on reporting, it does what it is supposed to do - makes the blocklist effective.

Thanks again.

Andrew

Link to comment

Good, because to tell you the truth, other than the overall feel of the graphs, I don't really understand what I'm looking at on the new section in the middle.

Wow! I used to scan the other stats pages, looking for listings of an IP under the control of my ISP and pointed to that data in a heads-up to my contacts there. Went through the "Browseable map of IPv4 netspace" and made the same type of drilling down to my ISP's blocks. I am impressed that only 2 IP blocks showed a nasty "red" bar, followed the provided link to SenderBase ... packaged up my heads-up to my favorite abuse guys <g> I like this new section. At a minimum, possible use for a pointer to those that are of the "we don't have a problem" type <g>

Link to comment

Hi All,

Sorry John, for inadvertently 'promoting' you .. :) I was getting my Johns, JTs and JeffGs mixed up from Wazoo's original answer.

Remember all these people and their initials etc. are quite familiar to long-time members on here .. but not to me. Sorry for any confusion.

I will keep reporting with SpamCop, as you all enthusiastically agree it IS having a positive effect .. and would dearly like to use block lists etc. but I have a world-wide customer base and cannot totally exclude any ISP for fear of missing important mails and orders from new customers.

Cheers

Nev

Link to comment

> I will keep reporting with SpamCop, as you all enthusiastically agree it IS having a positive effect .. and would dearly like to use block lists etc. but I have a world-wide customer base and cannot totally exclude any ISP for fear of missing important mails and orders from new customers.

Thanks, Nev. Much appreciated. Why not implement a mail tagging solution which will at least allow you to filter suspect messages to a separate folder to be reviewed when you have the time?

Andrew

Link to comment

> I will keep reporting with SpamCop, as you all enthusiastically agree it IS having a positive effect .. and would dearly like to use block lists etc. but I have a world-wide customer base and cannot totally exclude any ISP for fear of missing important mails and orders from new customers.

By not using blocking lists, you are actually increasing the chances that you will miss an important e-mail either because it is lost in a flood of spam, or your mail server/ account quota is full.

Statistically, you will lose more e-mail from human error than from use of conservative blocking lists.

In general if you are concerned about false positives, just use the conservative DNSbls for blocking:

sbl-xbl.spamhaus.org - This is an aggregate list including the following:

sbl.spamhaus.org - I.P. addresses under the total control of spammers.

xbl.spamhaus.org - I.P. addresses confirmed to be compromised; the xbl comprises the cbl.abuseat.org and opm.blitzed.org.

cbl.abuseat.org - spamtraps that have been filtered to remove abusive bounces from misconfigured mail servers.

opm.blitzed.org - I.P. addresses confirmed to have a vulnerability that allows spam to be relayed through them.

This is a base line blocking, and if you tag for a year, it is unlikely that you will ever find any real e-mail coming from any I.P. address listed in the sbl-xbl.spamhaus.org.

And because of that, many people are using the sbl-xbl.spamhaus.org as one of their baselines.

Basically as long as you reject e-mail from any sane open proxy or open relay list, you have no risk of ever getting a real e-mail rejected.

Now to further refine your spam filtering:

The next highest source of spam is from DHCP allocated ranges, known as dialup pools or DHCP addresses. Most mail server operators that I know block them, and this stops well over 50 percent of the spam delivery attempts. This may stop a real e-mail, but it will be rare.

After an I.P. address has passed those tests, there is yet one more test. RFCs require all servers to have a valid rDNS assigned to them. If the I.P. address connecting to your mail server does not have an rDNS assigned to it, then there is a high probability of it being spam.

This will cut out most of the spam, but not all, and will perform better than any of the commercial content filters that I have seen, and yet, has not looked at the content of the message. All these checks can be done before your mail server has committed you to pay for the bandwidth used by the e-mail.

Now if you consider the I.P. on a dynamic list or having no rDNS too risky to consider it spam, or if you find the I.P. address on an aggressive list such as a multi-hop list or the spamcop.net list, then there is a simple test that will further screen out most of the spam.

But you will have to accept the body of the mail to do the test.

If the I.P. address of a URL in the e-mail does not resolve, or resolves to be in the sbl-xbl.spamhaus.org, then the message is spam, provided that you found something suspicious about the source I.P. address.

SpamAssassin 3.0 has the ability to make this check. I have not seen it in any other anti-spam product.

Note that applying content filtering on an I.P. address that is not listed in any DNSbl and has a good rDNS is more likely to cause a real e-mail to be flagged as spam than it is to find any more spam than what would otherwise be detected.

In general, a system that rejects what it considers spam at the SMTP with a diagnostic for the exact reason lets the users of the sending system know that they have a problem.

With systems that tag or divert spam, the sender is not notified that delivery is delayed, and if the message is accidentally deleted, then no one knows.

-John

Personal Opinion Only
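The layered checks described in the post above, as an added example (not code from the post or from SpamCop): conservative DNSbl listing rejects at connect time, an aggressive listing or missing rDNS only marks the source suspect, and the URL test runs on suspect sources alone. The zone `bl.spamcop.net`, the verdict names, the handling of 127.255.255.0/24 answers as query errors, and the sample DNS data are assumptions of this example; lookups are injectable so it runs offline.

```python
import ipaddress
import re
import socket

CONSERVATIVE_ZONES = ("sbl-xbl.spamhaus.org",)  # zone named in the post
AGGRESSIVE_ZONES = ("bl.spamcop.net",)          # the spamcop.net list
LISTED = ipaddress.IPv4Network("127.0.0.0/8")
QUERY_ERROR = ipaddress.IPv4Network("127.255.255.0/24")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets, append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def live_lookup_a(name):
    """A-record lookup; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def live_lookup_ptr(ip):
    """rDNS lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def listed_in(ip, zones, lookup_a):
    """Return the first zone that lists ip, or None."""
    for zone in zones:
        answer = lookup_a(dnsbl_query_name(ip, zone))
        if not answer:
            continue
        # A listing is an answer inside 127.0.0.0/8. Answers outside it (a
        # resolver rewriting NXDOMAIN) and answers in 127.255.255.0/24 (used
        # by some list operators to signal a query error) are not listings.
        code = ipaddress.IPv4Address(answer)
        if code in LISTED and code not in QUERY_ERROR:
            return zone
    return None


def connect_verdict(ip, lookup_a=live_lookup_a, lookup_ptr=live_lookup_ptr):
    """Checks that need only the connecting IP, before any body is accepted."""
    zone = listed_in(ip, CONSERVATIVE_ZONES, lookup_a)
    if zone:
        return "reject", f"550 {ip} is listed in {zone}"
    zone = listed_in(ip, AGGRESSIVE_ZONES, lookup_a)
    if zone:
        return "suspect", f"{ip} is listed in {zone}"
    if lookup_ptr(ip) is None:
        return "suspect", f"{ip} has no rDNS"
    return "accept", "source passed the connect-time checks"


def body_verdict(source_verdict, body, lookup_a=live_lookup_a):
    """URL test from the post; it applies only to a suspicious source."""
    if source_verdict != "suspect":
        return "deliver", "source not suspicious, URL test skipped"
    for host in URL_HOST.findall(body):
        host = host.rstrip(".")
        host_ip = lookup_a(host)
        if host_ip is None:
            return "spam", f"URL host {host} does not resolve"
        zone = listed_in(host_ip, CONSERVATIVE_ZONES, lookup_a)
        if zone:
            return "spam", f"URL host {host} ({host_ip}) is listed in {zone}"
    return "deliver", "no URL failed the test"


# Constructed sample DNS data (documentation address ranges) so the example
# runs offline; pass these lookups in place of the live resolver.
SAMPLE_A = {
    "10.2.0.192.sbl-xbl.spamhaus.org": "127.0.0.4",
    "30.2.0.192.sbl-xbl.spamhaus.org": "127.255.255.254",  # query error
    "20.100.51.198.bl.spamcop.net": "127.0.0.2",
    "shop.example": "192.0.2.10",
    "ok.example": "203.0.113.80",
}
SAMPLE_PTR = {"198.51.100.20": "mail.example.net",
              "203.0.113.5": "mx.example.org", "192.0.2.30": "relay.example.com"}

if __name__ == "__main__":
    for src in ("192.0.2.10", "198.51.100.20", "203.0.113.9", "203.0.113.5"):
        print(src, connect_verdict(src, SAMPLE_A.get, SAMPLE_PTR.get))
    print(body_verdict("suspect", "Order at http://shop.example/buy", SAMPLE_A.get))
```

The `reject` verdict carries the diagnostic a receiving server would return at the SMTP stage, so the sending side learns why delivery failed; `suspect` and `spam` are decisions made only after the body has been accepted.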

Link to comment

Gulp .. thanks John .. that's a lot to take in !!! :wacko:

I don't for a moment pretend to understand all your post .. but I will work at it.

Neither do I suffer from a flood of spam in my business account .. about 30% all round, which is lessening as time goes by, following my hiding of old e-mail address links, previously easily collectable on my Websites ..

Another account, a spare one, receives around 100 totally spam mails daily .. few addressed to me personally, but most as part of alphabetical lists of addressees .. which are deleted and bounced by Mailwasher. Seems my ISP can do little about these !

You cheerily say : "Just use the conservative DNSbls for blocking .. "

OK .. cringe everybody, but please have sympathy with this ignoramus .. here comes the #1 dumb question of the year so far .. er how ? :rolleyes:

By looking at the Spamhaus Webpage, it seems that it would not be possible from within Mailwasher .. with which I initially and very easily sort the wheat from the chaff, before downloading the genuine mails onto my system.

Cheers

Nev

Link to comment

> bounced by Mailwasher

Please disable that function as soon as possible or you may find your own IP on several blocklists. It is not helping and is causing harm to other people.

Because the return address is forged on the majority of spam messages, you are simply redirecting your spam onto some other innocent victim. If they report the message, it came from your IP.

There is no way to automatically return a message to its source once it has been accepted on the SMTP level. This is one of the advantages of a blocklist, the message is never accepted and the SENDING server notifies the sending account (which should be authorized and therefore known) of the problem.

For more details and others' similar feelings on this "feature", hit the search link at the top of this page and search all forums for mailwasher and start reading ;)

Link to comment

Just to poke my head in here for a moment, I support every response that I've seen above, especially including the recommendation not to use the evil bounce function of MailWasher.

Link to comment

Oh Heck,

More to consider.....

Without Mailwasher I would not have found SpamCop .. and whilst I understand that Mailwasher makes every effort to report spam accurately to the ISPs involved .. the accuracy of their bounced messages I had not considered or previously questioned .. I will find out their views from source.

Thanks again folks ..

Cheers

Nev

Link to comment

Nev

As one who was a newbie (and still doesn't know very much about servers and webhosting), I am going to re-explain about blocklists and servers.

Someone who runs a server has the capability of using blocklists. End users who simply download email cannot use blocklists except in some content filtering applications (spamassassin and mailwasher both have this capability, I think), they will allow you to use blocklist criteria for filtering to a special folder.

There are several steps to accepting an email at the server level. The first step is to look at where it came from and who it is going to. At that level, the server can say, "no thank you." based on whether that IP address is one you want to receive mail from or whether there is an email address on your server that corresponds. When the server says no, a 'code' message is returned to the server that sent the mail giving the reason. The sending server then composes an email to the end user who sent the email saying that the email was not delivered for this reason. Blocklists work at this level by returning a message saying the email was not delivered because the IP address is on such and such a blocklist. This is the best way of controlling spam because it tells the sender that his email was not accepted and why. The sender can then use some other means of communication, including another email address from an IP that is not blocked (for instance, hotmail or some other web based email service).

Then there is another step where the receiving server looks at the email, but doesn't accept it yet. spamassassin can be 'miltered' (and I have no idea of the technical aspects of this) to filter incoming email at this level.

The next step is that the receiving server accepts the email. From then on, there is no way to reply to the /real/ source of the email without looking at the headers because the return path and the From can be (and usually are) forged by spammers and viruses. The Mailwasher 'bounce' goes to the forged return path and just goes to some poor person whose name has been chosen by the spammer so they not only get spam from the spam run, but also all the bounces from people who don't understand and from ISPs who still use this method of bouncing (there used to be a good reason for doing it this way, but it has been spoiled by the spammers and virus writers). Occasionally they get nasty emails from people who think they are addressing the spammer. Those who have domains are particularly upset by this because of the good name of their domain and also because the spammers use made up addresses [at]domain so they may be getting thousands of bounces.

Mailwasher and other filters are used to tag this accepted email as potential spam or not. Many businesses like yours do not want to reject any email and so use filters (as opposed to blocklists) on all the email they accept. The problem, of course, is false positives are impossible to avoid and all email has to be examined after filtering in case the incoming email has been tagged erroneously. For blocklists, there are no false positives (although there may be legitimate email using the same server as the spammer) and any legitimate email is notified with the undeliverable code. Open proxy blocklists can be used without worrying about losing a customer's email because legitimate email is not sent through those IP addresses.

After the tagged-as-spam email has been examined for false positives, then it can be submitted to spamcop for parsing and reporting.

I don't have time to go back and see whether you actually have a server or not. But if you do, and really don't know what is happening, then you had better take some time to study how to run a server, or hire someone who does know.

OTOH, you may not have used the correct terms and are not running a server in which case you can only implement blocklists as another after the email has been accepted filter.

HTH

Miss Betsy

Link to comment
