abuse At Load.com

Feedback Loop System


AOL has a feature like this and it looks like Hotmail / MSN is working on something like this as a service to ISPs, ASPs . . . pretty much anyone who is stuck with the unenviable task of hosting other people's e-mail.

In AOL's scenario an attached copy of the message is sent back to the feedback address with recipient information stripped out, allowing your abuse desk to take immediate, possibly automated, action to solve a problem you may not yet be aware of.

In MSFT's current solution they give access to a web site where you can find the unique helo / mail from / connection IP etc. in a list format for all of the distinct connections from the networks you can prove you have a right to see, and they are currently working on something like this in a web services format for a bit more of an automated reporting solution.

I can only imagine some of the larger ISPs / ASPs that have to deal with SpamCop would be willing to contribute for this type of service; I know we would be willing to if it made sense. I can only imagine it would promote more immediate action on behalf of large service providers that have enough problems staying ahead of inbound mail traffic, much less keeping track of their "not always so legit" outbound mail traffic.

Adam Rogas

CTO Load Ltd


Still not clear on how the system works. Could you post a reference link or two?


Both items appear to be another approach at doing what SpamCop / IronPort already does.

> Both items appear to be another approach at doing what SpamCop / IronPort already does.

Not quite. The ISPs have to sign up to get 'reports'. So, as soon as chinanet.cn.net signs up to get info on any spam sent from their domain, we'll all be saved.

That, and it has no teeth. SC reports are tied to a blacklist. (AKA incentive to remediate.) And those two are so big, and the 'report as spam' is so easy to do, that there's going to be a ton of false positives.

So, the whitehat ISPs that actually sign up for this are going to be swamped with a bunch of spam reports that might not be spam, will take a while to verify, and that give them little reason to do anything about it.

It's better than nothing, though. And maybe it's an indicator that the big guys are finally seeing what works in combating spam.


I guess the point is this,

Right now there is pretty much nothing, until it is too late.

We get notified that within the last hour "someone" submitted "something" about our network. And many times we can get a copy of the message that has offended, but we have a couple million mailboxes to keep track of, many of them hosted for private labeled "free" web mail services, similar to Hotmail.

The benefit of us getting direct feedback when one of our users pisses someone at Hotmail or AOL off when something like this happens is huge; we at least can flag the account as suspicious. We have heuristics that do this type of thing in place for other signs of abuse already, but this one really helps, as it is pretty much another human (in the case of AOL) saying hey, this message is crap, and you should watch this guy. And quite honestly our false positive rate is under 0.1% with this in place. All I know is that it has been effective.

Nothing that is currently available is the silver bullet that is going to put an end to spam. I / we are not implying that this is. However, it is far easier to integrate into the workflow of a semi-automated abuse desk/system than the all-manual process of checking SpamCop every waking hour of the day.

The list is great; we use the list, and it helps us block / tag a lot of spam. This would just allow us to be a bit more proactive (or really directly reactive). Most of the information we have gotten from AOL and Hotmail, with filtering, has enabled us to stop spammers / abusive users as or before they get out of hand, not 24 hours later when the damage to our reputation has already been done.

We had many reservations when we started this process, especially with AOL, concerns of false positives, or a massive manual process of confirming the spam complaints, but honestly what we found, at least with our user base, was that 99.9% of the complaints we were getting from them (AOL) were legitimate in nature, and direct action was able to be taken on our part, with direct proof of the occurrence, while still protecting the privacy of the submitting AOL user.

Adam Rogas

CTO Load Ltd.


There is little difference between this approach and establishing a special secret address for receipt of SpamCop Reports (see How can I get SpamCop reports about my network? for details or email the Deputies via deputies[at]spamcop.net), and then reviewing the emails to the account associated with that email address.


Maybe a silly question, but are you "the" Adam? As compared to a generally more common "abuse" address?

209.58.236.25 is an mx ( 20 ) for load.com

host 209.58.236.25 (getting name) = smtp-id.load.com.

209.58.236.25 is an mx ( 20 ) for load.com

Routing details for 209.58.236.25

Using smaller IP block (/ 24 vs. / 19 )

Removing 1 larger (> / 24 ) route(s) from cache

[refresh/show] Cached whois for 209.58.236.25 : adam[at]loadmail.com

Using last resort contacts adam[at]loadmail.com

Reports routes for 209.58.236.25:

routeid:8238306 209.58.236.0 - 209.58.236.255 to:adam[at]loadmail.com

Administrator found from whois records

Did a Refresh on the SpamCop parser, now seeing;

Removing old cache entries.

Tracking details

Display data:

"whois 209.58.236.25[at]whois.arin.net" (Getting contact from whois.arin.net )

checking NET-209-58-236-0-1

Display data:

"whois NET-209-58-236-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

Found AbuseEmail in whois abuse[at]load.com

209.58.236.0 - 209.58.237.255:abuse[at]load.com

checking NET-209-58-224-0-1

Display data:

"whois NET-209-58-224-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )

209.58.224.0 - 209.58.255.255:ipadmin[at]telepacific.com

whois.arin.net contact: ipadmin[at]telepacific.com

Routing details for 209.58.236.25

Using smaller IP block (/ 23 vs. / 19 )

Removing 1 larger (> / 23 ) route(s) from cache

Using abuse net on abuse[at]load.com

abuse net load.com = abuse[at]nyi.net, postmaster[at]load.com

Using best contacts abuse[at]nyi.net postmaster[at]load.com

07/22/05 17:24:31 whois !NET-209-58-236-0-1[at]whois.arin.net

whois -h whois.arin.net !net-209-58-236-0-1 ...

OrgName: Load Ltd.

OrgID: LOADL-1

Address: 6325 McLeod Dr. Suite 8

City: Las Vegas

StateProv: NV

PostalCode: 89120

Country: US

NetRange: 209.58.236.0 - 209.58.237.255

CIDR: 209.58.236.0/23

NetName: LOADLTD

NetHandle: NET-209-58-236-0-1

Parent: NET-209-58-224-0-1

NetType: Reassigned

NameServer: NS1.LOAD.COM

NameServer: NS2.LOAD.COM

Comment: For abuse issues contact abuse[at]load.com

RegDate: 2005-07-01

Updated: 2005-07-01

AbuseHandle: LLA39-ARIN

AbuseName: Load Ltd Abuse

AbusePhone: +1-702-898-1234

AbuseEmail: abuse[at]load.com

TechHandle: LLS4-ARIN

TechName: Load Ltd support

TechPhone: +1-702-898-1234

TechEmail: support[at]load.com

OrgTechHandle: LOADL-ARIN

OrgTechName: Load Ltd

OrgTechPhone: +1-702-898-1234

OrgTechEmail: support[at]load.com

Registering at abuse.net would kick reports to a more normal/correct address ... not exactly sure why the abuse address isn't being picked up, other than perhaps the logic involved in scoping down the IP block .. maybe the 'newness' of this registration? .. perhaps a routing request in news://news.spamcop.net.routing for this IP range ....???


I just recently updated abuse.net, so it should have updated information shortly.

I have no idea who abuse[at]nyi.net is or why they would be listed as a responsible party of this IP block or our others.

209.58.232.0/23

209.58.234.0/23

209.58.236.0/24

209.58.237.0/24

209.58.238.0/24

but they are.

Our admins used to just use my old address to deal with tracking these issues with SpamCop, but as we got bigger we needed to reorganize all of this into a more appropriate account / mailbox.

> There is little difference between this approach and establishing a special secret address for receipt of SpamCop Reports (see How can I get SpamCop reports about my network? for details or email the Deputies via deputies[at]spamcop.net), and then reviewing the emails to the account associated with that email address.

The real difference is ease of use; basically the messages that get sent back via the loop are not munged (the original recipient info is removed), so it is easy to start tickets on the abusive users the second we get the message. Also, the fact that they are sent back as attachments keeps things neat and tidy; this is just really more a preference than anything, as it is easier for us to know for sure what we are parsing. Basically all of the minor differences are why the "secret" address method is really not so useful in a large volume, very dynamic, automated scenario.

The one thing that is huge for us with Hotmail is that they will give us at least limited information about the number of times specific addresses have hit their spam traps. If there were levels of trust so that we, as a reputable ASP/ISP were trusted enough to be given at least some information about users that have hit spam traps out there, so that we could take action against them instead of shooting in the dark trying to find out which one really abusive user in the middle of thousands of legitimate high volume text messengers and business users, is causing your trust in us to go right out the window.

I completely understand the necessity of protecting the network of trap addresses; we have many trap addresses at our service as well as at others, and it is a key component to our spam fighting techniques. However, I / we have a real enforcement problem if we don't know who to point the finger at, and with the volumes we are talking about, emailing the deputies and pleading for info every time is not a real solution.

There is not really any way around it, the type of services that many of us provide are unfortunately targets for abusive users, we are constantly trying to be diligent about actively policing our users.

My suggestions have one goal, and that is to help me as an email provider protect the other email providers of the world from my potentially abusive users, just as I would hope they would all be as diligently trying to protect me, and the rest of us from their users.

Adam Rogas

CTO Load Ltd
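
The attachment-based loop described in the post above, sketched as an added example that is not part of the original post and is not Load's or AOL's code: each report carries the complained-about message as a `message/rfc822` attachment, so an abuse desk can pull out the unmunged sender and count complaints per hosted account. The domain `example.net`, the threshold of 2, and the use of the `From` header to identify the account are assumptions.

```python
import email
from collections import Counter
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAINS = {"example.net"}  # assumption: domains whose mailboxes we host

def complaint_sender(raw: bytes):
    """Return the hosted account named in the attached original, or None."""
    report = email.message_from_bytes(raw, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_content()  # the reported message, as attached
            addr = parseaddr(str(original.get("From", "")))[1].lower()
            # Ignore complaints whose From is not one of our accounts.
            return addr if addr.rpartition("@")[2] in OUR_DOMAINS else None
    return None  # no attachment: leave the report for manual review

def accounts_to_flag(reports, threshold=2):
    """Accounts with at least `threshold` complaints in this batch."""
    counts = Counter(filter(None, map(complaint_sender, reports)))
    return sorted(a for a, n in counts.items() if n >= threshold)

def build_report(sender: str) -> bytes:
    """Constructed sample: a report carrying the original as an attachment."""
    original = EmailMessage()
    original["From"] = sender
    original["To"] = "redacted@invalid"  # recipient stripped by the reporter
    original["Subject"] = "constructed sample message"
    original.set_content("sample body")
    report = EmailMessage()
    report["From"] = "feedback@receiver.example"
    report["To"] = "abuse@example.net"
    report["Subject"] = "Spam complaint"
    report.set_content("A recipient reported the attached message as spam.")
    report.add_attachment(original)  # stored as a message/rfc822 part
    return report.as_bytes()

SAMPLE_REPORTS = [  # constructed input, not real complaints
    build_report("Bulk Sender <Bulk@Example.NET>"),
    build_report("bulk@example.net"),
    build_report("alice@example.net"),
    build_report("Forged <x@elsewhere.example>"),
    b"Subject: complaint\n\nno attachment here\n",
]

if __name__ == "__main__":
    print(accounts_to_flag(SAMPLE_REPORTS))
```

In production the account would normally be confirmed against the provider's own submission logs rather than the `From` header alone, since that header can be forged.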


Hi, Adam,

...You seem to be a serious admin making a serious attempt to fight spam and to try to work with SpamCop to help you. As a spam victim, I just want to let you know how much I appreciate that, no matter the outcome of your attempt to change SpamCop to make things easier for you. Thanks! :D <big g>

> The real difference is ease of use, <snip>
>
> Adam Rogas
>
> CTO Load Ltd

Since I am not an admin and am technically non-fluent, what you are saying doesn't seem to make sense to me. What I have understood about spam reporting is that all the admin needs is the headers which show which machine the alleged spam email came from. The end receiver's email address is irrelevant. How admins can decipher who actually sent the email out on their server is a mystery to me, but apparently competent admins can.

Are you saying that sending a spamcop report is not as effective because it is not a forwarded email? Or that it is not as effective because the receiver's email address is munged? Or are you complaining because spamtraps don't send reports?

Hotmail seems to just delete the spam. Fortunately, I don't get a lot of spam on my hotmail accounts so I can set my filter to low and don't have to worry about false positives as much. Why is that system better than the spamcop system? It would seem to me to be worse since no one who cares knows that email has not been delivered.

Miss Betsy

> Since I am not an admin and am technically non-fluent, what you are saying doesn't seem to make sense to me. What I have understood about spam reporting is that all the admin needs is the headers which show which machine the alleged spam email came from. The end receiver's email address is irrelevant. How admins can decipher who actually sent the email out on their server is a mystery to me, but apparently competent admins can.
>
> Are you saying that sending a spamcop report is not as effective because it is not a forwarded email? Or that it is not as effective because the receiver's email address is munged? Or are you complaining because spamtraps don't send reports?
>
> Hotmail seems to just delete the spam. Fortunately, I don't get a lot of spam on my hotmail accounts so I can set my filter to low and don't have to worry about false positives as much. Why is that system better than the spamcop system? It would seem to me to be worse since no one who cares knows that email has not been delivered.
>
> Miss Betsy

I can clarify some of my recent posts.

> What I have understood about spam reporting is that all the admin needs is the headers which show which machine the alleged spam email came from. The end receiver's email address is irrelevant.

This statement is very true; all we pretty much need are the headers of the message to track down where the mail is coming from. Also true is that we do not need to know, nor do we care, who received the message. All we really care about is that we receive the report that someone has gotten spammed so that we can take immediate action.

> Are you saying that sending a spamcop report is not as effective because it is not a forwarded email?

No, we believe that SpamCop reports are effective; they help us both as a mail sender, as well as a mail receiver. Our suggestions were to make clear what is currently working with other systems.

> . . . Or that it is not as effective because the receiver's email address is munged?

No, all we care about is that the sender's address is not munged.

> . . Or are you complaining because spamtraps don't send reports?

Yes, this is probably the one thing that we think would help us do a better job of policing our users.

> Hotmail seems to just delete the spam. . . . Why is that system better than the spamcop system? It would seem to me to be worse since no one who cares knows that email has not been delivered.

To the end user Hotmail just deletes some incoming spam messages, and then filters other messages. From their data feed service, that we subscribe to, they give us the names and counts of offenders, so basically they help us track down abusive users that have slipped through the cracks, so we can take action before they affect a wider range of internet users.

Adam Rogas

CTO Load Ltd
