Sign in to follow this  
Followers 0
trpted

URLs not reported

148 posts in this topic

The reason the tracking URL I provided might have indicated that reports were sent is that, like someone else who posted here, I keep reloading the page (or going back to the "Unreported spam Saved: Report Now" link) until SpamCop decides to stop ignoring the URLs.

Yeah, I hate spammers that much.

But it's frustrating to me and, almost certainly more important, generating a lot of useless load on SpamCop if multiple people have to re-analyze their spam 10, 20, or 30 times before SpamCop works properly.

Share this post


Link to post
Share on other sites

OK, here's a URL that won't be recognized no matter how many times I reload... and, since I can't get at the rest of my queued spam until I give up on this one.

http://www.spamcop.net/sc?id=z801601960zb5...67868c2715a2d9z

Finding links in message body

Parsing text part

Resolving link obfuscation

http://uneaten.net/cs/?ronn

http://uneaten.net/rm.php?ronn

Please make sure this email IS spam:

... etc. BUT... parse http://uneaten.net/cs/?ronn on its own and I get:

Parsing input: http://uneaten.net/cs/?ronn

[report history]

Routing details for 221.11.133.82

Report routing for 221.11.133.82: abuse[at]cnc-noc.net

Statistics:

221.11.133.82 not listed in bl.spamcop.net

More Information..

221.11.133.82 not listed in dnsbl.njabl.org

221.11.133.82 not listed in dnsbl.njabl.org

221.11.133.82 not listed in cbl.abuseat.org

221.11.133.82 listed in dnsbl.sorbs.net ( 127.0.0.6 )

221.11.133.82 not listed in relays.ordb.org.

Reporting addresses:

abuse[at]cnc-noc.net

... no problem. But I can reload the original spam and it still does nothing with the URL.

Maybe there's a reason why SpamCop is declining to report, but it would be nice to know what that reason is.

Share this post


Link to post
Share on other sites
The reason the tracking URL I provided might have indicated that reports were sent is that, like someone else who posted here, I keep reloading the page (or going back to the "Unreported spam Saved: Report Now" link) until SpamCop decides to stop ignoring the URLs.

32252[/snapback]

Thank you for that update. Now we can stop chasing that question.

But it's frustrating to me and, almost certainly more important, generating a lot of useless load on SpamCop if multiple people have to re-analyze their spam 10, 20, or 30 times before SpamCop works properly.

32252[/snapback]

I don't think most people do reload endlessly until it reports. Most people accept what spamcop hands them and go on with their lives. Also, many people use quick reporting either directly or via webmail and do not report web sites at all. As mentioned elsewhere in this long thread, it is on the todo list but most people believe keeping up with the spammers latest tricks to keep the email out of the inboxes in the first place is more important than the reporting of web sites that has been mistaken by ISP's (more than once) as an actual spam report against the site owner. The ones we hear about are usually 3rd parties with nothing to do with the spam.

Share this post


Link to post
Share on other sites
... etc. BUT... parse http://uneaten.net/cs/?ronn on its own and I get:

Maybe there's a reason why SpamCop is declining to report, but it would be nice to know what that reason is.

32253[/snapback]

http://www.dnsreport.com/tools/dnsreport.c...ain=uneaten.net

A timeout occurred getting the NS records from your nameservers! None of your nameservers responded fast enough. They are probably down or unreachable. I can't continue since your nameservers aren't responding.

Your NS records at the parent servers are:

ns1.iratest.com. [221.11.133.81] [TTL=172800] [CN]

ns2.iratest.com. [221.11.133.82] [TTL=172800] [CN]

[These were obtained from m.gtld-servers.net]

You'll note that DNS is 'provided' by the same IP address used to 'serve' the spamvertised web-page.

Share this post


Link to post
Share on other sites
A timeout occurred getting the NS records from your nameservers!

But, when I copy the URL and paste it into the SpamCop reporting window, SpamCop resolves it fine. OK, so the DNS servers were slow but now SpamCop knows the answer... so I go back to the spam in the reporting queue, it still doesn't report them.

Also, whenever SpamCop is inable to resolve a URL, it reports that fact. It does not do so in these cases.

I therefore believe that the problem is not that SpamCop cannot resolve the URL.

Share this post


Link to post
Share on other sites
But, when I copy the URL and paste it into the SpamCop reporting window, SpamCop resolves it fine.  OK, so the DNS servers were slow but now SpamCop knows the answer... so I go back to the spam in the reporting queue, it still doesn't report them.

The single-line look-up tool and the spam parsing tool are two separate codebase items. The only thing in common is they both use the same entry window. If there is no new-line character at the end of the first line of text pasted in, the single-item lookip code is followed. If there is a new-line character involved, the spam parser is invoked.

Also, whenever SpamCop is inable to resolve a URL, it reports that fact.  It does not do so in these cases.

Not really, as explained above. The single-line entry lookup simply looks for a reporting address for the one item queried and thows that data up on screen. The spam parsing engine invokes many, many things on the search / process of diagnosing the spam and all its contents.

I therefore believe that the problem is not that SpamCop cannot resolve the URL.

32286[/snapback]

Have you actually read this whole Topic/Discussion? Have you read the associated entries in the SpamCop FAQ here? Have you looked at other Topics/Discussion on the same type of problem/complaint? Do you actually see anyone arguing with you? Have you looked at http://www.spamcop.net/spamgraph.shtml?spamstats ? (hmm, no complaints about the outage .interesting)

Share this post


Link to post
Share on other sites
I don't think most people do reload endlessly until it reports.  Most people accept what spamcop hands them and go on with their lives.  Also, many people use quick reporting either directly or via webmail and do not report web sites at all.  As mentioned elsewhere in this long thread, it is on the todo list but most people believe keeping up with the spammers latest tricks to keep the email out of the inboxes in the first place is more important than the reporting of web sites that has been mistaken by ISP's (more than once) as an actual spam report against the site owner.  The ones we hear about are usually 3rd parties with nothing to do with the spam.

32254[/snapback]

You could be right, you could be wrong about what most people do. I for one am very interested in getting the websites reported, and will refresh until it does work. The spamers can't make any money if their web sites have been taken down, and will not be able to keep spamming. Also I do SURBL checks on incoming mail. I need those websites listed so the SURBL check will tag the e-mails as spam. Whether or not getting them listed is dependant on the parser or not I don't know, but I'm sure Wazoo can tell us. (I know... there's already a thread on it, go do my own research... right?) :D

Share this post


Link to post
Share on other sites
Whether or not getting them listed is dependant on the parser or not I don't know, but I'm sure Wazoo can tell us.  (I know... there's already a thread on it, go do my own research... right?)   :D

35010[/snapback]

Well, as a matter of fact, Jeff G. did write up a FAQ entry, it has been added to the Forum version of the SpamCop FAQ and has also been included into the KnowledgeNase view of the FAQ I'm trying to populate ... So you don't even have to search for the "Thread" , Topic, or Discussion .. it's is in two versions of the FAQ at present ....

New! How does SpamCop interface with SURBL?

How does SpamCop interface with SURBL?

It is a challenge to see how much of this stuff we can hide, just so no one can find it, causing the question to have to be asked agian and again ... just so "we" can bitch about the fact that it does actually already exist somewhere ....

Share this post


Link to post
Share on other sites
Well, as a matter of fact, Jeff G. did write up a FAQ entry, it has been added to the Forum version of the SpamCop FAQ and has also been included into the KnowledgeNase view of the FAQ I'm trying to populate ... So you don't even have to search for the "Thread" , Topic, or Discussion .. it's is in two versions of the FAQ at present ....

New! How does SpamCop interface with SURBL?

How does SpamCop interface with SURBL?

It is a challenge to see how much of this stuff we can hide, just so no one can find it, causing the question to have to be asked agian and again ... just so "we" can bitch about the fact that it does actually already exist somewhere ....

35012[/snapback]

I've read enough posts to know that you do a good job of documenting what is going on. I was just poking fun at myself there, because I knew I was being too lazy to go find it, and new you would point that out. :) I'm really having a good laugh right now.

So if I'm reading that SURBL FAQ correctly, if the parser does not parse the URL, then the ULR will not make it on to the SURBL list. Is that correct? Or am I just totally lost?

Edited by lcusdtech

Share this post


Link to post
Share on other sites
So if I'm reading that SURBL FAQ correctly, if the parser does not parse the URL, then the ULR will not make it on to the SURBL list.  Is that correct?  Or am I just totally lost?

35013[/snapback]

Correct

Share this post


Link to post
Share on other sites
Correct

35017[/snapback]

Good, then add that as one more reason I want the URL's parsed, and will refresh until they do. :)

Share this post


Link to post
Share on other sites
It is a challenge to see how much of this stuff we can hide, just so no one can find it, causing the question to have to be asked agian and again ... just so "we" can bitch about the fact that it does actually already exist somewhere ....

35012[/snapback]

Simultaneously laughing out loud, crying, rolling eyes, and remarking HHOS! Keep up the good work (please!)!

Share this post


Link to post
Share on other sites

You got spam from the exact same source (24.203.217.72) and the date it was sent (not when you received it) was after March 26, 2005 8:50:49 AM -0600? Please post the tracking URL only please.

From your original:

0: Received: from 24.203.217.72 (HELO modemcable072.217-203-24.mc.videotron.ca) (24.203.217.72) by mta305.mail.scd.yahoo.com with SMTP; Sat, 26 Mar 2005 05:05:11 -0800 (25-mar-2005:21:05:11)

ISP has indicated spam will cease; ISP resolved this issue sometime after Saturday, March 26, 2005 8:50:49 AM -0600 (26-mar-2005:02:50:49)

As Jeff stated, the spam was sent to you almost 6 hours before the ISP took action. That is actually pretty good response time from an ISP. If you are a paid account holder, you are allowed to appeal the ISP response if nobody has appealed the ISP response already. In that case a deputy will look over the evidence and start sending reports again, but the timing needs to be correct.

Little older article here. But there is this new Social Network spammer at FanBridge dot com. I get about 3 spams a day, trying to complain via Spamcop results in

==

Tracking message source: 74.86.91.162:

Routing details for 74.86.91.162

[refresh/show] Cached whois for 74.86.91.162 : abuse[at]softlayer.com

Using abuse net on abuse[at]softlayer.com

abuse net softlayer.com = postmaster[at]softlayer.com, abuse[at]softlayer.com

Using best contacts postmaster[at]softlayer.com abuse[at]softlayer.com

ISP has indicated spam will cease; ISP resolved this issue sometime after Sat 12 Jul 2008 02:09:40 PM EDT -0400

Message is 0 hours old

==

So the spam is from today (13th) and Softlayer is not larted because he "indicated" something.

And the previous days the same happened, decrease day by one for the Spamcop message "ISP has indicated spam will cease...". And I bet it will continue tomorrow and so on.

Since Fanbridge seems to be a fairly big spammer and need to spam, and Softlayer appears in reports often too, Softlayer is lying and Spamcop obeys. That sucks.

Spamcop should have a database, and if there come further complaints for an ISP which "indicated spam will cease" notes of this ISP should be ignored and complaints be filed to get them listed.

Or do I get something wrong?

Share this post


Link to post
Share on other sites

Spamcop should have a database, and if there come further complaints for an ISP which "indicated spam will cease" notes of this ISP should be ignored and complaints be filed to get them listed.

Or do I get something wrong?

You may have something wrong... even with the "ISP does not want reports" set, those reports still are used to list the IP address if the math works.

SpamCop can not make any ISP do anything, and if they have indicated one way or another that they do not want SpamCop to send them any more reports, it would be abuse to keep sending those reports.

Share this post


Link to post
Share on other sites
Little older article here. But there is this new Social Network spammer at FanBridge dot com. I get about 3 spams a day, trying to complain via Spamcop results in

Note: Tracking URL not provided. Only a snippet of a parse result posted.

So the spam is from today (13th) and Softlayer is not larted because he "indicated" something.

Evidence presented would indicate that the ISP/Host made the selection that the issue had been handled, with the result that further reporting had been "turned off" for 24 hours.

And the previous days the same happened, decrease day by one for the Spamcop message "ISP has indicated spam will cease...". And I bet it will continue tomorrow and so on.

Hard to agree or disagree due to lack of evidence presented here. The available Reporting History seen for the IP Address of 74.86.91.162 doesn't actually match your attempted scenario, specifically the "3 spams a day" description (based on the spams reported) .. and before you try the "because they were not larted because ...." justification, I'll point out the breaks in the sequential dates, the differing Subject lines/differing spams, the different Reporter/Reporting modes involved .....

Since Fanbridge seems to be a fairly big spammer and need to spam, and Softlayer appears in reports often too, Softlayer is lying and Spamcop obeys. That sucks.

"Fanbridge" only seen specifically in two of the past Reports. Not enough evidence rovided in your single snippet to talk about a response from Softlayer.

Spamcop should have a database, and if there come further complaints for an ISP which "indicated spam will cease" notes of this ISP should be ignored and complaints be filed to get them listed.

Or do I get something wrong?

http://www.senderbase.org/senderbase_queri...ng=74.86.91.162

Volume Statistics for this IP

Magnitude Vol Change vs. Last Month

Last day ....... 3.2 .. -80%

Last month ... 3.9

It does seem to suggest that something has changed, although noting that it's a week-end involved here.

On the other hand, with only 10 reported spams over the last 90 days, but a magnitude showing of approximately 4,000 e-mails a day, it's hard to see where your excitement may be coming from. More than likely, you are not taking the IP Address targetting mode of the SpamCop Reporting System into account as far as your Reporting activity goes.

Share this post


Link to post
Share on other sites
ISP has indicated spam will cease
That only applies for 24 hours, at which time SpamCop will resume sending reports if there is fresh spam. It's designed to allow an abuse desk to flag an IP with us as "being fixed" in order to give them relief from a flood of reports while they work on the problem.

In this case, the time has expired and you can send reports again.

I removed the "innocent bystander" flag from the fanbridge.com web URLs. SpamCop will send reports about them now.

User's Tracking URL:

http://www.spamcop.net/sc?id=z2063702686z8...725445a2e0f27bz

- Don D'Minion - SpamCop Admin -

.

Share this post


Link to post
Share on other sites

Hi there, Wazoo referred me to this topic, I too have received some fanbridge.com spams recently and have been frustrated in attempting to report them. Since no reports were generated, I don't have tracking URLs for them, though it appears that the spams I received were from members of fanbridge, rather than being unwillingly registered myself. I have unblocked the addresses from my various email accounts, and if I receive any more, I'll submit them.

Share this post


Link to post
Share on other sites

spam aside, have you attempted to contact www.fanbridge.com? I know some of these "social networks" have "Let us have your e-mail address and password and we'll tell all your FRIENDS that you're here!" features...

Perhaps this is the case, one of your "friends" has/had your address within their "address book" - and when they signed up for fanbridge, perhaps they have a similar "feature" - decided to give this site their e-mail address and password, and you are receiving this unwanted mail from "FanBridge" on-behalf of your "friends".

I got hit by this from some "yearbook" site a while back, I clicked the unsubscribe/opt out link (yes, I know many anti-spam resources say NOT to.....but in some cases, the opt-out/unsubscribe link does actually work) and haven't heard anything since from this yearbook/social networking site....

I wish sites that had features like this would actually tell me what "friend" is "inviting" me to their service.

But this is just one consideration to take.

Based on the domain registration of fanbridge.com, siteadvisor reviews, alexa, aboutus ratings, etc. it does seem like a "legit" site...but they just need some lessons in unsolicited e-mailing :P

And well, seeing as how the parsed report does show the mail being sent from an IP traced back to the site, atleast we know it's not some infected or otherwise "bulletproof hosting" provider in russia/india....

Share this post


Link to post
Share on other sites

Hi ahoier, no, I know exactly where my several addresses were harvested from, one place being a mailing list - I have mentioned my concerns to the list owner as that is a TOS violation; the others from Usenet, but there were also pretty specific addresses for the groups. Not much I can do about that, but that is one reason why I only used Yahoo addresses for Usenet. Funny that I hadn't posted anything for a good long while, but the addresses still were harvested...

Share this post


Link to post
Share on other sites

Just a follow-up, I have received another spam from fanbridge.com, letting me know that I have been added to the DJ Sharon fan list, aren't I lucky. And such careful instructions on how to add DJ Sharon to my "Safe Senders List" :blink:

Tracking URL:

http://www.spamcop.net/sc?id=z2076050906z8...436c3bbec150f1z

"ISP has indicated spam will cease; ISP resolved this issue sometime after Wednesday, July 16, 2008 8:32:18 AM -0400"

Erm, apparently not.

Share this post


Link to post
Share on other sites
"ISP has indicated spam will cease; ISP resolved this issue sometime after Wednesday, July 16, 2008 8:32:18 AM -0400"

Erm, apparently not.

Just noting that this same outfit, same situation has been posted over in the newsgroups today. Unfortunately, cross-posted into spamcop.routing and spamcop.help .... the first newsgroup not being the correct place as the post was a general bitch, rather than an actual routing change request with data provided. The second newsgroup isn't actually seen by a lot of folks, as it had been removed from the Help page at www.spamcop.net years ago.

[scrouting] Deputies : Fanbridge misusing "isp resolved" status multiple times Ismo Salonen

Share this post


Link to post
Share on other sites
Just noting that this same outfit, same situation has been posted over in the newsgroups today. Unfortunately, cross-posted into spamcop.routing and spamcop.help .... the first newsgroup not being the correct place as the post was a general bitch, rather than an actual routing change request with data provided. The second newsgroup isn't actually seen by a lot of folks, as it had been removed from the Help page at www.spamcop.net years ago.

[scrouting] Deputies : Fanbridge misusing "isp resolved" status multiple times Ismo Salonen

Hi,

I am replying in this and the other thread with the same message. The incidents mentioned were from multiple accounts in our system all created by the same user (which is how the same email address was on multiple lists as we do not facilitate sharing of lists at all). All of that user's accounts were promptly disabled as soon as we saw the heightened level of complaints.

Sincerely,

Mark Brooks

FanBridge.com

Share this post


Link to post
Share on other sites
<snip>

From this side of the screen, one knows not all the stuff going on from Julian's perspective, ....

<snip>

These days you've got Julian working his magic, ....

<snip>

I can tell you that Julian is working on the codebase, ....

<snip>

...Replace all instances of "Julian" with "Cisco engineers." See Don D'Minion's post in SpamCop Forum topic "Reporting problems today?"

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0