Jump to content
Sign in to follow this  
dbiel

/dev/null'ing report

Recommended Posts

This relates to some recent posts such as "no master' but being a specific question I decided to start a new topic.

I frequently see the message:

Report spam to:

Re: 83.198.14.31 (Administrator of network where email originates)

   To: postmaster#wanadoo.fr[at]devnull.spamcop.net (Notes)

   To: abuse[at]wanadoo.fr (Notes)

I was under the impression that this was a special mail box used to hold reports that the receipient had requested not be delivered which would be used for statistical purposes. Then when the reports are sent the following is displayed:
/dev/null'ing report for postmaster#wanadoo.fr[at]devnull.spamcop.net

spam report id 1452615684 sent to: abuse[at]wanadoo.fr

which to my uninformed mind seems to say that the reports are simply being trashed. Could someone translate the line in red for me?

Share this post


Link to post
Share on other sites
<snip>

I frequently see the message:I was under the impression that this was a special mail box used to hold reports that the receipient had requested not be delivered which would be used for statistical purposes.  Then when the reports are sent the following is displayed:

/dev/null'ing report for postmaster#wanadoo.fr[at]devnull.spamcop.net

spam report id 1452615684 sent to: abuse[at]wanadoo.fr

which to my uninformed mind seems to say that the reports are simply being trashed. Could someone translate the line in red for me?

29515[/snapback]

...Perhaps Web page Paste-in submittal (scan down page looking for "SpamCop dev/null address") answers the question?

Share this post


Link to post
Share on other sites

Thanks for the reply, it reconfirms my understanding of:

"To: postmaster#wanadoo.fr[at]devnull.spamcop.net (Notes)"

but still does not answer the question as to what "/dev/null'ing report" means

It is probably one of the unimportant things that I should simply ignore.

Thank you.

Share this post


Link to post
Share on other sites
Thanks for the reply, it reconfirms my understanding of:

"To: postmaster#wanadoo.fr[at]devnull.spamcop.net (Notes)"

but still does not answer the question as to what "/dev/null'ing report" means

<snip>

29518[/snapback]

...From Web page Paste-in submittal that I referenced earlier:
SpamCop dev/null address - usually indicative of an ISP that cares not about their good name and for whatever reason rejects/bounces/or ignores SpamCop reports/complaints ... though reports don't go to this target, if the source of the spam, the data is added to the SpamCopDNSBL
I interpret that to mean that /dev/null is basically a bit-bucket (the report itself is not sent but a record is kept that an IP address belonging to wanadoo.fr was the source of spam). Did you miss that or do you need a further explanation?

Share this post


Link to post
Share on other sites

From the programming point of view .. code was written to develop all those reports. I believe that if you look at the Preview, you'll see all og the reports generated. At the point you click on the 'Send' button, actions is taken to 'handle' all those reports. Those acrually headed out are sent to the e-mail app for hanfling. Those that aren't going to actually 'leave' get sent to the /dev/null device, which in *NIX land is the preverbial bit-bucket (dating back to the days of Hollerith cards and paper-punch tape, the recepticle for all those punched out bits of paper/code) ... Failing to actually "do" something with the generated e-mail would run one into the issue of resources tied up 'storing' all that unsent e-mail, eventually sucking up too much RAM, blowing swap file space into actual wasted space ... so there was probably once a small note made for debugging purposes to show that the program was working as designed, then either left in place or modified to 'explain' the discrepancy between the "Previewed" Reports and the list of "Sent" Reports. If the particular report was for the source of the e-mail/spam, the counters are still incremented.

Hope I've actually talked to what you were asking ..???

Share this post


Link to post
Share on other sites

Actually, in this specific case (as in others I've seen) there will be several possible email addresses for a particular ISP and only one will accept SC reports. Therefore, SC will not even bother trying to send reports to email addresses that don't want them and will "bit-bucket" those particular reports, however, it will send a report to the address that does accept SpamCop reports.

Then again, there will be some cases (as in one I just posted) where there isn't anyone who wants to receive SpamCop reports, so any reports that would be sent to that ISP will be trashed. This will also happen when it's known that the ISP *is*the spammer.

Edited by mrmaxx

Share this post


Link to post
Share on other sites

It appears that I do not communicate very well, so I will attempt to be clearer.

Also note that I will consider this issue dead but for clarity sake will still restate it anyway.

When the parser first runs it lists a series of addresses it will send reports to:

Report spam to:

Re: 83.198.14.31 (Administrator of network where email originates)

  To: postmaster#wanadoo.fr[at]devnull.spamcop.net (Notes)

  To: abuse[at]wanadoo.fr (Notes)

Note: a specific address "postmaster#wandoo.fr" to be sent to "[at]" "devnull.spamcop.net"

The when the reports are sent a record of those are posted, in this case:

/dev/null'ing report for postmaster#wanadoo.fr[at]devnull.spamcop.net

spam report id 1452615684 sent to: abuse[at]wanadoo.fr

indicating that a report was sent to "abuse[at]wanadoo.fr" (second report) but the first report is stated as "/dev/null'ing report for postmaster#wanadoo.fr[at]devnull.spamcop.net"

I would have expected something like "report sent to postmaster#wanadoo.fr[at]devnull.spamcop.net" but instead a verb seems to be interduced "/dev/null'ing" not a path.

The term "null'ing" did not appear to be a unix term to me but on further research does appear to be a verb meaning "to send to /dev/nul" or in the windows/mac enviroments "to delete or to trash". The following quote seems to make that point

Ignrance of the problem is difference from indifference. By /dev/null'ing your records you are saying that you know it happens and you would prefer that there was no evidence of the transaction. Judges don't like that excuse. If your site has a posted policy of /dev/null'ing records for other reasons that's another story.
Thus implying that no record, count, or summary would be kept.

So back to the point (or original question) restated once more.

Why indicate that you are sending a report to a specific address if the disposition of that report is to "/dev/null'ing (delete/ignore)"

Then again the server devnull.spamcop.net does not seem to exist anyway.

Share this post


Link to post
Share on other sites
It appears that I do not communicate very well, so I will attempt to be clearer.

My problem also, in that I still believe I did answer what I believe you asked.

So back to the point (or original question) restated once more.

Why indicate that you are sending a report to a specific address if the disposition of that report is to "/dev/null'ing (delete/ignore)"

Then again the server devnull.spamcop.net does not seem to exist anyway.

Actually, it "does" exist, but it is defined as a "Null Device" ... such that anything directed 'there' will end up being nothing but a collection of random electrons <g>

Share this post


Link to post
Share on other sites

Thanks Wazoo. It does help clarify the what happens.

Report generated, Report sent to trash can.

But to continue to beat the dead horse see the following:

I see a report being sent to bad_tracking[at]devnull.spamcop.net

( http://www.spamcop.net/sc?id=z673954712zaa...2f08fdf877da99z ).

A first for me.

I shor am powerful curious to know what this "bad_tracking" business means....?

17635[/snapback]

and reply from Ellen
When a url resolves to an unrouted IP then the reports are sent to bad_tracking. Or if the header parse results in an unrouted or reserved IP. I see further down the thread that the url is now resolving to a routeable IP so they were playing DNS games.

17662[/snapback]

(color highlighting added)

But since devnull.spamcop.net is basicly a trash can, why bother to create reports to different addresses.

I guess that the answer must be that something else is happening in between the time the reports are written and the reports are sent. And that something is probably the statistical listing of reports sent / would have been sent but actually /dev/null'ed

And for what seems to be even clearer answers to my question see

http://forum.spamcop.net/forums/index.php?...299entry16299

Implying that counts cannot be created/increased unless the report is first generated.

So implied order of things:

1) reports created

2) Statistical Function implemented, BL udated, etc

3) reports sent and/or trashed (/dev/null'ed) as indicated

Edited by dbiel

Share this post


Link to post
Share on other sites

Gads, you know how to brighten a day ... "bad-tracking" for instance ... I was going to add that to the Glossary here ... that was until I went there and saw your work at combining all existing entries .. (thanks again, reminding myself that I still hadn't commented there ... and will do that in a minute or two now that I'm reminded) ...

I think where we're at .. you submit a spam .. parser kicks in ... various "threads" are started ...

header stucture analyzed

body looked for

chain test starts on the header

'logical' source address found - internal/external database lookups started

body analyzed for URLs

body URLs found - internal/external database lookups started

now, remember, the parsing 'process' is still sitting there, waiting for a response from all of the sub-processes fired up .... (and this leads us into that area of the internal/external database lookups timing out)

eventually/hopefully all the lookup sub-processes come back with results ... so we're sitting there with a minimum of five storage locarions tied up with that spam .. the spam itself, the Tracking URL, the spew source, the spamvertised site, and the "computer notepad" that's keeping all of this stuff tied together ... all that data gets fed into the "handling" side of the "reporting" section ...

Now we've got to tickle the SpamCopDNSBL counter for the source IP, generate the e-mails for "all" of the target e-mail addresses found by the parser ... this generates the stuff found when you hit the "Preview" button ...

At the point you hit the "Send" button, then decision are made where to "send" the e-mail ... stuff going out gets sent to the SMTP engine, stuff that goes to "special" addresses gets handled internally based on those internal factors (some ISPs want groups, some want a special format, and as above, some go to special internal accounts for other purposes) .. and those items already identified as going to ISPs that specifically requested/selected not to be informed make their trip to the /dev/null but-bucket. Again, the intent is to let the computer do its thing, empty the "notepad" of collected data and clear all the flags set to "done" ...

All the space, resources, attention that was focused on your last spam submittal are now free to handle the next incoming spam submittal.

Share this post


Link to post
Share on other sites

Thanks Wazoo

An excellent answer that puts this issues to bed.

Thank you again.

For additional information see

Reports sent to SpamCop addresses

Note that the internal address would actually be abuse#isp.net[at]admin.spamcop.net (these reports get forward to secret addresses specificly set up to handle SpamCop reports)

The xxxxx[at]devnull.spamcop.net domain is reserved for reports that will not be sent because they are bouncing or have requested that they not be sent.

edit to include current glossary entry:

/dev/null'ing

The act of vaporizing a file (sending it to the unix directory /dev/nul)

SpamCop uses email addresses addressed to xxxx[at]devnull.spamcop.net to discard messages that have been generated after they have been statically recorded where the intended recipient has historically bounced similar messages or has requested that they no longer be sent.

Share this post


Link to post
Share on other sites

A bit strange to continue on this thread, 7 years after it was active last. But I got a lot of "/dev/null'ing report for nomaster[at]devnull.spamcop.net" messages lately. Not knowing what it meant I looked it up on the Internet, and came here.

Too bad that this trashing due to ISP's not caring is happening.

I also get more IPv6 "Nothing doing" messages lately. I heard from Don D' Minion that work is done on that.

Oh well, as long as some of it gets through to some ISP's who care to stop spam... : )

Share this post


Link to post
Share on other sites

A bit strange to continue on this thread, 7 years after it was active last. But I got a lot of "/dev/null'ing report for nomaster[at]devnull.spamcop.net" messages lately. Not knowing what it meant I looked it up on the Internet, and came here.

Too bad that this trashing due to ISP's not caring is happening.

I also get more IPv6 "Nothing doing" messages lately. I heard from Don D' Minion that work is done on that.

Oh well, as long as some of it gets through to some ISP's who care to stop spam... : )

You can add your own reporting address

Widows free software

http://www.nirsoft.net/utils/ipnetinfo.html

or

http://www.gena01.com/win32whois/

SpamCops software sometimes does not pick up reporting addresses

Fact is no matter what software used, it can miss a reporting address even the ones I mention here, but it gives you a 2nd go which is often successful

Share this post


Link to post
Share on other sites
...

Too bad that this trashing due to ISP's not caring is happening.

I also get more IPv6 "Nothing doing" messages lately. I heard from Don D' Minion that work is done on that.

...

Another view - IPv4 space running out and (I guess) there is frantic re-shuffling of blocks as they become available, sometimes in advance of allocation records being completely set up, rather than (necessarily) ISPs not caring - though it is to be admitted many/most don't. More fragmentation, more "dark internet". "Failures within the allocation of Internet resources due to the Internet's chaotic tendencies of growth and decay are a leading cause of dark address formation." as some Wikipedia contributor puts it.

Might be my imagination but it seems to me that more and more ESPs are finding their outbound servers listed in more and more relatively unforgiving private and public DNSBLs. cesmail.net/spamcop.net is not the only one running afoul of hotmail and others. My own provider seems to be continually blocked by networks using UCEPROTECT for instance.

Looking for evidence of spam broadcasting to explain those listings, in the several instances that I find the servers have been reported by SC within the last 90 days (as one of the few sources of some detail), I see them mostly in tandem with (usually) different Indian server sources - that is reports appear to have gone to two "originating" networks. Not sure how that would occur with a mailhosted reporting account frankly, or I might have misread the summaries (would need to see the full spam headers and parses). But it makes me wonder how many DNSBLs are vulnerable to forged headers. Or whether "my" outbound servers might be involved in some risky relaying, though a bit unlikely (inwards and outwards servers to and from "my" network are spam filtered using IronPort devices). Still, I will never know how much is silently rejected.

One way or another, it seems just about impossible for a commercial public service to keep itself clean these days. And the IPv4 chaos is not about to abate.

...

Oh well, as long as some of it gets through to some ISP's who care to stop spam... : )

That is good when it happens - meantime a flood from any particular IP address - "no master", devnulled, or not - is likely to see it in the SCbl which is the main game. We can only hope the IPv6 reporting is implemented soon ... IPv6 spam isn't going away without some "encouragement" and IIUC the allocation of "blame" will ultimately be more certain once we get to do some encouraging.

Share this post


Link to post
Share on other sites

"No master" means SpamCop couldn't find a reporting address for the IP.

Sometimes, we choose not to send reports to a particular reporting address for reasons of our own.

It is the act of sending a report that feeds our blocking list data. Sending the report to devnull/trash is sufficient for blocking purposes.

The new SpamCop release is due out soon. It will support IPv6 addressing.

- Don D'Minion - SpamCop Admin -

- Service[at]Admin.SpamCop.net -

Share this post


Link to post
Share on other sites

Thank you petzl.

Using extra software to find the address is a good idea, but I'm just not up to it. Not motivated enough. I beg forgiveness... :rolleyes:

Thank you Farelf.

I hardly understand a word of your post, but I'm sure others do. :blush:

Thank you too, SpamCopAdmin.

I'm sure "Sometimes, we choose not to send reports to a particular reporting address for reasons of our own" is for good reasons concerning all of us in the end.

Good to know that even the trashed reports are useful, and that IPv6 reporting will be implemented soon.

Today I got some spam that did have address to be send on to according to SpamCop. I was almost beginning to think that all spammers had found a way -or some ISP- to avoid being bugged.

Overal good news. :)

Share this post


Link to post
Share on other sites

Today I got some spam that did have address to be send on to according to SpamCop. I was almost beginning to think that all spammers had found a way -or some ISP- to avoid being bugged.

I logged in to post a question along the lines of this topic... that is, "have the spammers won?" A significant amount (vast majority? almost every single one??) of my spam reports come back with only a "notification" to /dev/null. My "number" is completely un-scientific, but it feels like 90% of my reports go to the bit bucket. I understand you use this info for statistical purposes, but it doesn't "feel" like anything actually happens to reduce the spam itself.

I am a technical person, but have NO SIGNIFICANT expertise in the specific domain of email traffic and spam management. My ISP provides me a couple of "you figure it out" tools on my domains-- spam Assasin and SpamBox, but I haven't figure out how to actually utilize any of the SpamCop data/reports/lists to beef up my end. I've searched, read, scratched head, etc... any suggestions for an "idiot's guide" on how to improve protection on this end?

Share this post


Link to post
Share on other sites

Hi, labboypro,

<snip>

but it feels like 90% of my reports go to the bit bucket.

...Which is perfectly fine if the "abuse address" to which SpamCop would have reported is owned or controlled by the spammer or the "abuse address" owner has told SpamCop that she or he does not wish to see the reports or if the "abuse address" owner would not have taken any action against the spammer, anyway.
I understand you use this info for statistical purposes, but it doesn't "feel" like anything actually happens to reduce the spam itself.

<snip>

...True, SpamCop does not and never has (directly, at least) had as its goal the reduction of spam.
any suggestions for an "idiot's guide" on how to improve protection on this end?
...Not exactly an "idiot's guide" but there may be some useful guidance in the SpamCop FAQ (links to which appear near the top left of every SpamCop Forum page) entry labeled "How do I configure my mailserver to reject mail based on the blocklist?" But please especially note the paragraph that begins with "We recommend that when using any spam filtering method...." This probably means that to do the "right thing," some further searching will be necessary on your part. Hopefully, someone will come by with more helpful advice (especially if you'd be willing to tell us with what kind of e-mail server environment you are dealing).

...Good luck!

Share this post


Link to post
Share on other sites

True, SpamCop does not and never has (directly, at least) had as its goal the reduction of spam....

Your response (and the fact that it's called "spam COP") kind of begs the question of what it's goal is, then. If it's not trying to fight spam (through ISP notifications, blacklisting reporting, and other methods that I may not be able to imagine.), then it would only seem to be for "entertainment purposes," which would be an expensive and obscure hobby.

Not exactly an "idiot's guide" but there may be some useful guidance in the SpamCop FAQ (links to which appear near the top left of every SpamCop Forum page) entry labeled "How do I configure my mailserver to reject mail based on the blocklist?" But please especially note the paragraph that begins with "We recommend that when using any spam filtering method...." This probably means that to do the "right thing," some further searching will be necessary on your part.

Thanks, I've already read that... so to clarify my earlier comment, I am "technical," but none of that made much sense in terms of actual implementation. I'm a "hardware guy." The mail world is not something I'm well versed in, so it all starts to sound like acronymony.

Hopefully, someone will come by with more helpful advice (especially if you'd be willing to tell us with what kind of e-mail server environment you are dealing).

No idea. Domain is on a shared host plan with a gazillion other sites heaped on the same server. My "awareness" of the server setup is only what I see through the Cpanel access they give me. From that, I can tell it's a Linux system (Kernel 2.6.18), HTTP is handled by Apacke 2.2.17, but I see nothing specifically identifying mailer.

Thanks for the reply.

Share this post


Link to post
Share on other sites

Your response (and the fact that it's called "spam COP") kind of begs the question of what it's goal is, then. If it's not trying to fight spam (through ISP notifications, blacklisting reporting, and other methods that I may not be able to imagine.)

Thanks for the reply.

It would help identify cause if you gave a tracking URL at top of page like

http://www.spamcop.net/sc?id=z5444278067z8...a3e33bd67cb53fz

Share this post


Link to post
Share on other sites
Your response (and the fact that it's called "spam COP") kind of begs the question of what it's goal is, then. If it's not trying to fight spam (through ISP notifications, blacklisting reporting, and other methods that I may not be able to imagine.),

<snip>

...Please note that I did not write that SpamCop is not trying to fight spam but, rather, that it is not intended to be a tool to directly stop spam. It is intended to do what you suggest -- inform abuse addresses of spam and compile and make available a blacklist. But it tries not to send reports to those abuse addresses that ask it to not do so, to "abuse addresses" that it determines are in control of or friendly to the spammers, or to those that bounce its reports. And it doesn't put just any IP address on the blacklist that someone reports as being a source of spam, it requires either a certain number of complaints in proportion to the total e-mail seen coming from the IP address and they must be from more than one reporter.
none of that made much sense in terms of actual implementation. I'm a "hardware guy." The mail world is not something I'm well versed in

<snip>

...In that case, I'd respectfully suggest that you aren't the person to be trying to "figure out how to actually utilize any of the SpamCop data/reports/lists to beef up [your] end." I'd recommend you refer this discussion to someone who is responsible for your e-mail service.

Share this post


Link to post
Share on other sites

...Please note that I did not write that SpamCop is not trying to fight spam but, rather, that it is not intended to be a tool to directly stop spam. It is intended to do what you suggest -- inform abuse addresses of spam and compile and make available a blacklist.

Funny. That's what I thought it was trying to do, to which you repled that it wasn't. It looks like you've changed your mind, and now agree with my assumption about its purpose.

In that case, I'd respectfully suggest that you aren't the person to be trying to "figure out how to actually utilize any of the SpamCop data/reports/lists to beef up [your] end." I'd recommend you refer this discussion to someone who is responsible for your e-mail service.

I'm not a multi-national Fortune n00 corporation. I'm just a guy, sitting in my living room, who has a personal domain, who gets excessive spam. I am the "admin," "the web designer," the "CEO," and anything else I want from my $7/month personal domain space on the Internet. But (in what reads as a snarky passive-agressive comment from you about "respectfully" ???), I shouldn't LEARN anything about this stuff because I don't already know about this stuff... instead, I should shut up and pass this on to someone (like you?) who is smarter than me. Great community approach you're presenting.

Share this post


Link to post
Share on other sites
Funny. That's what I thought it was trying to do, to which you repled that it wasn't. It looks like you've changed your mind, and now agree with my assumption about its purpose.
...Sorry I was unclear; my fault for trying to explain a subtlety that turns out to have been irrelevant for your needs (hopefully it will be helpful to others, though). My reply wasn't intended to say that SpamCop is not intended to stop spam, it was to say that it is not intended to directly stop it and I stand by that assertion, mind unchanged. :) <g>
I am the "admin," "the web designer," the "CEO," and anything else I want from my $7/month personal domain space on the Internet. But (in what reads as a snarky passive-agressive comment from you about "respectfully" ???)
...Not only do you wear all the hats you describe, you are also an expert in psychology -- man, am I impressed (or perhaps I shouldn't be, that's probably a necessary skill for a CEO)! :) <g>.
I shouldn't LEARN anything about this stuff because I don't already know about this stuff... instead, I should shut up and pass this on to someone (like you?) who is smarter than me.

<snip>

...You are reading far too much into what I wrote, IMHO. I didn't mean to imply that you shouldn't try to learn about it, I was suggesting that since "none of that made much sense in terms of actual implementation. I'm a 'hardware guy.' The mail world is not something I'm well versed in" you might not be the person most suited to address what you wanted to do ("figure out how to actually utilize any of the SpamCop data/reports/lists to beef up my end"). Now that you've explained the situation, I humbly retract my statement. I'm certainly not smarter than you and my response was not intended to suggest that it might be appropriate for you to pass this over to someone more intelligent than you, just to someone whose experience would make it more natural for them to know what to do to accomplish the goal without the learning curve. That might still be the case if it is your domain provider that also provides your e-mail service.

Share this post


Link to post
Share on other sites

I am also having lots of spam mail with no abuse recipient via the sc report. For most of the cases seems the host doesn't want the sc reports so what I do I'll ban the IP range the host has from my server for a month or so. For many cases devnull is a flag for friendly spam hosts.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×