Jump to content

SpamCop Report Types


Jeff G.

Recommended Posts

All SpamCop Reports are emails sent by Reporters using the SpamCop Parsing and Reporting Service to System or Network Administrators, alerting those Administrators to the association between their Systems or Networks and particular pieces of particular spam messages. "Report" as a verb is the act of sending a Report(n). If the Administrator replies to the Report, the reply will go to the "Report Email Address", and on to the Reporter's secret email address. If Reports to particular Administrators bounce enough times, those Administrators' email addresses will be flagged as bouncing, and will no longer receive Reports. Some Reporters will not want to send Reports to certain Administrators, and may want to send Reports to the Administrators of upstream or networks - this is one reason for the User Notification Report. The various types of SpamCop Reports follow.

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4540#SpamSourceReport">spam Source Report</a>

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4540#UserDefinedRecipientReport">User Defined Recipient Report</a>

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4540#ThirdPartySourceReport">Third Party Source Report</a>

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4540#OpenRelayReport">Open Relay Report</a>

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4540#OpenRelayTesting">Open Relay Testing System(s) Report</a>

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4540#SpamvertizedURLReport">Spamvertized URL Report</a>

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4540#ThirdPartyURLReport">Third Party URL Report</a>

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4540#UserNotificationReport">User Notification Report</a>

<a href="http://forum.spamcop.net/forums/index.php?showtopic=4473#Man">Manual Report</a>

<a name="SpamSourceReport"></a>A spam Source Report is a Report of the IP Address of a System or Network that was traced by the Parser as having been the source of a spam message. The Parser's immediate output labels every spam Source Report's destination email address with "(Administrator of network where email originates)". The Report History labels every spam Source Report with "( IP Address )". The subject of every spam Source Report begins with "[spamCop (IP Address)". The first line of every spam Source Report is "[ SpamCop VParser Version ]", currently "[ SpamCop V1.471 ]". The second line of every spam Source Report is "This message is brief for your comfort. Please use links below for details.". The third line of every spam Source Report is blank. The fourth line of every spam Source Report is "Email from IP Address / Date/Time Stamp of Received Header Line". The fifth line of every spam Source Report is the Tracking URL. The sixth line of every spam Source Report may be "IP Address is open proxy, see: http://www.spamcop.net/mky-proxies.html", if appropriate. A spam Source Report that is actually sent will increase the likelihood of the reported IP Address being listed by the SCBL, or if it is already listed increase the length of the listing. The ISP Control Center thinks of a spam Source Report recipient as "source (Administrator of network where email originates)". Please see What does a SpamCop Report look like? for details on what a spam Source Report looks like.

<a name="UserDefinedRecipientReport"></a>A User Defined Recipient Report is a Report of the IP Address of a System or Network that was traced by the Parser as having been the source of a spam message, and is selected via checkbox by the Reporter as one of the addresses the Reporter may have pre-loaded into the Reporter's "Advanced Preferences" AKA "Report Handling Options" AKA "Reporting Preferences" (up to one in "Personal copies of outgoing reports" and up to 100 bytes in "Public standard report recipients"). The Parser's immediate output labels every User Defined Recipient Report's destination email address with "(User defined recipient)". The Report History labels every User Defined Recipient Report with "( Forwarded spam )". The subject of every User Defined Recipient Report begins with "[spamCop (Forwarded spam)". The first line of every User Defined Recipient Report is "[ SpamCop VParser Version ]", currently "[ SpamCop V1.471 ]". The second line of every User Defined Recipient Report is "This message is brief for your comfort. Please use links below for details.". The third line of every User Defined Recipient Report is blank. The fourth line of every User Defined Recipient Report is "User-targeted report, see notes, if any." The fifth line of every User Defined Recipient Report is the Tracking URL. The ISP Control Center thinks of a User Defined Recipient Report recipient as "notify (User defined recipient)".

<a name="ThirdPartySourceReport"></a>A Third Party Source Report is a Report of the IP Address of a System or Network that was traced by the Parser as having been the source of a spam message, and is optionally selected by the Reporter. The system-wide Third Party Source Report goes to spamcop[at]imaphost.com - see Cyveillance spam collection for details, noting that some Reporters don't like Cyveillance - details 1 and details 2. Third parties specifically request notification of such IP Addresses. The Parser's immediate output labels every Third Party Source Report's destination email address with "(Third party interested in email source)". The Report History labels every Third Party Source Report with "( IP Address )". The subject of every Third Party Source Report begins with "[spamCop (IP Address)". The first line of every Third Party Source Report is "[ SpamCop VParser Version ]", currently "[ SpamCop V1.471 ]". The second line of every Third Party Source Report is "This message is brief for your comfort. Please use links below for details.". The third line of every Third Party Source Report is blank. The fourth line of every Third Party Source Report is "Email from IP Address / Date/Time Stamp of Received Header Line". The fifth line of every Third Party Source Report is the Tracking URL. The sixth line of every Third Party Source Report may be "IP Address is open proxy, see: http://www.spamcop.net/mky-proxies.html", if appropriate. The ISP Control Center thinks of a Third Party Source Report recipient as "intermediary (Administrator interested in intermediary handling of spam)".

<a name="OpenRelayReport"></a>An Open Relay Report is a Report of the IP Address of a System or Network that was parsed as having been an Open Relay. The Parser's immediate output labels every Open Relay Report's destination email address with "(Administrator of network with open relays)". The Report History labels every Open Relay Report with "( IP Address )". The subject of every Open Relay Report begins with "[spamCop (IP Address)". The first line of every Open Relay Report is "[ SpamCop VParser Version ]", currently "[ SpamCop V1.471 ]". The second line of every Open Relay Report is "This message is brief for your comfort. Please use links below for details.". The third line of every Open Relay Report is blank. The fourth line of every Open Relay Report is "Open relay exploited: IP Address / Date/Time Stamp of Received Header Line". The fifth line of every Open Relay Report is the Tracking URL. The ISP Control Center thinks of an Open Relay Report recipient as "relay (Administrator of network with open relays)".

<a name="OpenRelayTesting"></a>An Open Relay Testing System(s) Report is report of the IP Address of a System or Network that was parsed as having been an Open Relay to one or more Open Relay Testing System(s), but it is not sent as a regular Report with a Report ID, it is instead sent in a proprietary format. The Parser's immediate output labels every Open Relay Testing System(s) report's destination email address with "(Automated open-relay testing system(s))". The Report History labels every Open Relay Testing System(s) Report with "Saved relay ip: IP Address". The form of the Open Relay Testing System(s) report has not yet been disclosed - its Preview is "Would submit to open relay tracker:IP Address". The ISP Control Center does not specifically mention an Open Relay Testing System(s) Report recipient, as the recipient(s) is/are Open Relay Testing System(s), not ISP(s).

<a name="SpamvertizedURLReport"></a>A Spamvertized URL Report is a Report of a URL that was parsed as having been advertised in either a plain text spam message or an A Tag href in an HTML spam message (IMG Tag src URLs are not parsed due to past risk of Innocent Bystanders). The Parser's immediate output labels every Spamvertized URL Report's destination email address with "(Administrator of network hosting website referenced in spam)". The Report History labels every Spamvertized URL Report with "( URL )". The subject of every Spamvertized URL Report begins with "[spamCop (URL)". The first line of every Spamvertized URL Report is "[ SpamCop VParser Version ]", currently "[ SpamCop V1.471 ]". The second line of every Spamvertized URL Report is "This message is brief for your comfort. Please use links below for details.". The third line of every Spamvertized URL Report is blank. The fourth line of every Spamvertized URL Report is "Spamvertised web site: URL". The fifth line of every Spamvertized URL Report is the Tracking URL. The sixth line of every Spamvertized URL Report is "URL is IP Address; Date/Time Stamp of Parsing". The ISP Control Center thinks of a Spamvertized URL Report recipient as "www (Administrator of network hosting website referenced in spam)".

<a name="ThirdPartyURLReport"></a>A Third Party URL Report is a Report of a URL that was parsed as having been advertised in either a plain text spam message or an A Tag href in an HTML spam message (IMG Tag src URLs are not parsed due to past risk of Innocent Bystanders), and is optionally selected by the Reporter. Third parties specifically request notification of such URLs. The Parser's immediate output labels every Third Party URL Report's destination email address with "(Third party interested in spamvertized web site)". The Report History labels every Third Party URL Report with "( URL )". The subject of every Third Party URL Report begins with "[spamCop (URL)". The first line of every Third Party URL Report is "[ SpamCop VParser Version ]", currently "[ SpamCop V1.471 ]". The second line of every Third Party URL Report is "This message is brief for your comfort. Please use links below for details.". The third line of every Third Party URL Report is blank. The fourth line of every Third Party URL Report is "Spamvertised web site: URL". The fifth line of every Third Party URL Report is the Tracking URL. The sixth line of every Third Party URL Report is "URL is IP Address; Date/Time Stamp of Parsing". The ISP Control Center thinks of a Third Party URL Report recipient as "ns (Name server for spamvertised domain)".

<a name="UserNotificationReport"></a>A User Notification Report is a Report of the IP Address of a System or Network that was traced by the Reporter as having been the source of a spam message. The Reporter types or pastes in up to four email addresses that should be sent User Notification Report(s). The Parser's immediate output labels every User Notification Report's destination email address with "User Notification". The Report History labels every User Notification Report with "( )". The subject of every User Notification Report begins with "[spamCop ( )". The first line of every User Notification Report is "[ SpamCop VParser Version ]", currently "[ SpamCop V1.471 ]". The second line of every User Notification Report is "This message is brief for your comfort. Please use links below for details.". The third line of every User Notification Report is blank. The fourth line of every User Notification Report is "User-targeted report, see notes, if any." The fifth line of every User Notification Report is the Tracking URL. The ISP Control Center thinks of a User Notification Report recipient as "notify (User defined recipient)". User Notification Reports are not available to Free Reporters.

Edit: 2005/07/18 16:31 EDT -0400 Jeff G. replaced "identifies" with "labels" and corrected "User Notification Report" to add the email addresses.

Edit: 2005/07/18 21:17 EDT -0400 Jeff G. addressed Miss Betsy's concerns about Reporters who don't want to send reports to Administrators that look like the spamvertiser, Reporters who don't want to report to Cyveillance, and why people use the User defined reports.

Edit: 2005/07/23 18:28 EDT -0400 Jeff G. added more Cyveillance details.

Edit: 2005/07/27 10:08 EDT -0400 Jeff G. added What does a SpamCop Report look like?.

Edit: 2005/07/31 02:12 EDT -0400 Jeff G. added new sightings "(Administrator of network with open relays)" and "(Automated open-relay testing system(s))" and Report texts.

Edit: 2005/10/27 12:55 PDT -0700 dbiel added HTML tags.

Edit: 2005/10/29 09:58 EDT -0400 Jeff G. added an HTML tag index and info from the ISP Control Center, and moved the HTML tags closer to the text they reference.

Edit: 2005/11/07 13:05 EST -0500 Jeff F. added "User Notification Reports are not available to Free Reporters."

Edit: 2005/11/16 05:32 PST -0800 dbiel added link to "Manual Report

Link to comment
Share on other sites

  • 3 months later...

Jeff, thanks for including the comment "moved the HTML tags closer to the text they reference" For the average user nothing was actually moved. But for the person editing the file, the move makes a big difference by displaying a blank line between entries rather than having the blank line occupied by the tag. Interesting what a difference is made by simply moving a tag one character to the right.

I think I will implement that change on the glossary as well. Thank you.

Link to comment
Share on other sites

[quote name='Jeff G.' date='Oct 29 2005, 07:38 AM']Actually, the user does see a difference (one more line of text on the screen my way than your way).
[right][snapback]35147[/snapback][/right]
[/quote]I am sorry, but I do not understand what you mean by "one more line of text"
Are you saying two blank lines between entries?
If so it must be a browser issue as I still only see one blank line between entries using OE 5.5
Or are you saying that the blank line between entries did not display on your screen until you made the change?
If that is the case, can you take a look at the Glossary and let me known how it displays for you, 
example one no blank line
example two tag sitting in blank line
example three blank line followed with tag starting next line.

Example one: (on my screen "Worm Poop" does not start on a new line but reads as follows:
....hit in the cache, it reports "Cached whois".[color="orange"][size=7][b]Worm Poop[/b][/size][/color] [quote][size=7][color="orange"][b]WHOIS[/b][/size][/color]
WHOIS is a service and protocol defined by [url="http://www.rfc-editor.org/rfc/rfc1032.txt"]RFC 1032 DOMAIN ADMINISTRATORS GUIDE[/url], [url="http://www.rfc-editor.org/rfc/rfc954.txt"]RFC 954 NICNAME/WHOIS[/url], and their predecessors for providing information about allocated Domain Names and IP Addresses.  When the Parser does lookup and finds a hit in the cache, it reports "Cached whois".&lt;a name="Worm Poop"&gt;&lt;/a&gt;[color="orange"][size=7][b]Worm Poop[/b][/size][/color]
Viruses, worms, and anything that generates a mail message to the forged address in a worm or a virus.[/quote] Example two:[quote][size=7][color="orange"][b]WHOIS[/b][/size][/color]
WHOIS is a service and protocol defined by [url="http://www.rfc-editor.org/rfc/rfc1032.txt"]RFC 1032 DOMAIN ADMINISTRATORS GUIDE[/url], [url="http://www.rfc-editor.org/rfc/rfc954.txt"]RFC 954 NICNAME/WHOIS[/url], and their predecessors for providing information about allocated Domain Names and IP Addresses.  When the Parser does lookup and finds a hit in the cache, it reports "Cached whois".
&lt;a name="Worm Poop"&gt;&lt;/a&gt;
[color="orange"][size=7][b]Worm Poop[/b][/size][/color]
Viruses, worms, and anything that generates a mail message to the forged address in a worm or a virus.[/quote] Example three: (On my screen there is no difference between example two and three, both display a single blank line between entries.[quote][size=7][color="orange"][b]WHOIS[/b][/size][/color]
WHOIS is a service and protocol defined by [url="http://www.rfc-editor.org/rfc/rfc1032.txt"]RFC 1032 DOMAIN ADMINISTRATORS GUIDE[/url], [url="http://www.rfc-editor.org/rfc/rfc954.txt"]RFC 954 NICNAME/WHOIS[/url], and their predecessors for providing information about allocated Domain Names and IP Addresses.  When the Parser does lookup and finds a hit in the cache, it reports "Cached whois".

&lt;a name="Worm Poop"&gt;&lt;/a&gt;[color="orange"][size=7][b]Worm Poop[/b][/size][/color]
Viruses, worms, and anything that generates a mail message to the forged address in a worm or a virus.[/quote]

Edit: lengthy post put inside code box to reduce screen space as issue has been resolved.

Link to comment
Share on other sites

No, what I mean is that if I go to "your style" tag, there is a blank line at the top of my window, before the text I want to read, whereas if I go to "my style" tag, the blank line has scrolled off the top of the window, and I get to see more of what I want to read (no blank line at the top, one more line of text at the bottom). There is one blank line either way.

Link to comment
Share on other sites

  • 3 weeks later...

Jeff, I added a link to "Manual Report" found in the glossary.

You may want to delete the glossary entry and add / rewrite the manual report entry into your post; or you may want to leave it as is.

Personally I think it would flow better if it were rewritten to follow the same pattern as the rest of the report types, but that is only my opinion.

But I did feel that it was important to add it as a report type to your list of reports, even though it is not generated by SpamCop, it is still a valid report type.

Link to comment
Share on other sites

  • 1 year later...
Hi guys,

I didn't see any reference to the "unsolicited bounce" messages that SpamCop sends out (and for which I proposed a new FAQ entry in this same area).

Should you include this kind of report on this page, or is this stuff migrating to the Wiki?

The 'unsolicited bounce' message is a typical Spamcop source report AFAIK. I don't have any past reports handy of a submission of a 'bounce' so I can't look to see if there is different language, but I doubt it.

Glad to see someone interested in adding and clarifying the FAQ!

Miss Betsy

Link to comment
Share on other sites

The 'unsolicited bounce' message is a typical Spamcop source report AFAIK. I don't have any past reports handy of a submission of a 'bounce' so I can't look to see if there is different language, but I doubt it.

Here's what one looks like (I BCC'd myself on one recently, using the SpamCop preference to receive 'Personal copies of outgoing reports'):

[ SpamCop V640 ]
This message is brief for your comfort.  Please use links below for details.
...
(IP address) appears to be sending unsolicited bounces, please see:
http://www.spamcop.net/fom-serve/cache/329.html

[ Offending message ]
...

Link to comment
Share on other sites

(IP address) appears to be sending unsolicited bounces, please see:
http://www.spamcop.net/fom-serve/cache/329.html
...

And that link is the specific "Why are auto responders bad?" FAQ.

Thanks Fuhrmanator.

...Should you include this kind of report on this page, or is this stuff migrating to the Wiki?
The intention is to populate the Wiki. There remain topics/items from the FAQ in the forum (to which this refers) which have not "migrated" - but supporting two venues with new material is clearly sub-optimal. So, creating directly in the Wiki would be my recommendation. See the registration details starting from the entry page there.
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...