Keep getting complaints about phishing emails.

[getnetincorporated]

I host the website for a small credit union. As with many other banks, there are occasionally phishing emails sent out with this bank's name in the body of the email, and these get reported to spamcop which then sends a complaint to me because I own the IP address. I click on the spamcop link in the email and select the option which says "URL used without permission (Stop sending reports)." and get a response which states that no further emails will be sent unless the domain moves to a different IP address. Unfortunately, I continue to get complaints even though the domain never moves! Is this some kind of bug with spamcop? I can't imagine that they are sending out thousands of complaints to wells fargo or bank one or bank of america because their names are listed in phishing emails sent out without their knowledge. Has anyone else run into a situation like this?

[dra007]

No, but I report phishers in hope the banks will take some action on them. I can't imagine why banks would not be happy to hear reports on phishers which misrepresent themselves as coming from a bank, however small. Oviously a criminal activity which banks would have a vested interest in stopping.

[dbiel]

I believe that some admins actually do what the reports. But that should be the choice of the admin.

In your case I would try sending an email to Don D'Minion/Argyle - SpamCop Administrative affairs [at] service[at]admin.spamcop.net

Be sure to clearly identify yourself as the appropriate admin for the domain by using an return email address that would support that claim such as one of the email addresses registered in the "whois" database.

If you do not want to receive the reports, you should have the right to request that they not be sent.

Another idea you may want to think about is to set up a special email address for those reports to be sent to. But again, the choice should be yours, not SpamCop.

[getnetincorporated]

I have no problem whatsoever with receiving reports from spamcop about spam that is emanating from one of my users - I want to know about it. What I do have a problem with is getting complaints about spam that I have nothing whatsoever to do with just because a domain I host is mentioned in the body of an email. Imagine a spammer using your email address as the reply-to and then sending out 100,000 spams from a computer in Singapore - there's absolutely nothing that you could do about it, yet you would still receive complaints simply because your email address was used in the spams without your knowledge. In this instance, there is also nothing that I can do to stop the spam mails from going out because I'm not sending them - the only thing linking me to them is the unauthorized use of a customer's domain name in the body of the messages.

[Lking]

Another idea you may want to think about is to set up a special email address for those reports to be sent to.  But again, the choice should be yours, not SpamCop. 

39212[/snapback]

 

Another idea you may want to think about is using the volume of phishing email using this bank's name as a trigger to worn members what the phish look like and that they are not from you. This traffic analysis could also be used to alert the banks security folks to look more closely for unusual account activity.

Just a thought.

[Jeff G.]

After consultation with Credit Union personnel and their counsel, you could also alert the Phoenix PD, Arizona State Police, Arizona Attorney General, FBI, CIA, FDIC, and/or FTC of these attempts against the Credit Union and its customers and potential customers in the forms of fraud, trespass, defamation, attempted theft, attempted identity theft, and CAN-spam violations.

You are probably getting additional SpamCop Reports after declaring the Credit Union's URLs to be Innocent Bystanders because the phishers are probably using different URLs (bare or in A tags) for each spam message or run that are pointing to the Credit Union's website on your system. Hopefully, you can work with a SpamCop Deputy or a SpamCop Admin to implement your wishes concerning reception of SpamCop Reports.

In consultation with Credit Union personnel and their counsel, you could also work together to prominently post on the Credit Union's website warnings concerning the dangers of phishers and phishing, especially on the front page and the 404 page (this last to combat any of those URLs being spamvertized that are 404-compliant).

[Miss Betsy]

Imagine a spammer using your email address as the reply-to and then sending out 100,000 spams from a computer in Singapore - there's absolutely nothing that you could do about it, yet you would still receive complaints simply because your email address was used in the spams without your knowledge. 

39213[/snapback]

Some people don't have to imagine that scenario - except that they get the undeliverable messages from admins who are behind the times!

However, there should be a way to discontinue the spamcop reports, if you wish. It is a good opportunity to 'educate' your users about phishes though.

I hope you get it worked out to your satisfaction.

Miss Betsy

[Wazoo]

I click on the spamcop link in the email and select the option which says "URL used without permission (Stop sending reports)." and get a response which states that no further emails will be sent unless the domain moves to a different IP address.

Let ne first say that I haven't seen that page in a long while, but .. the actual senrence you offer up is new to me. There used to be the "Innocent Bystander" check box that would stop further complaints, unless/until a paid-account type member would challenge that status. If research indicated that the IB status wasn't true, that flag would be removed and the reports would start again.

There were other checkboxes available that would basically turn off reports for 24 hours, based on the premise that the spam spew was being "handled" ... yes, this would also mean that slow spam reporters could then again start the flow of reports the next day, but that should have been the end of things (spam can't be reported over 48 hours old, and the spew was handled/stopped) ...

The killer is of course that what I'm relating to is the actions offered for the sourcing of the spew .. and you're talking about actions for a spamvertised site ... can only say that I've once again asked for some help in order to develop a FAQ entry for all of this ....

Unfortunately, I continue to get complaints even though the domain never moves!  Is this some kind of bug with spamcop?  I can't imagine that they are sending out thousands of complaints to wells fargo or bank one or bank of america because their names are listed in phishing emails sent out without their knowledge.  Has anyone else run into a situation like this?

39209[/snapback]

Although Don/Deputies would be the actual path you need to follow for a specific resolution, samples of the spam in question would allow others here to try to offer better answers (preferably via the use of a Tracking URL) but I'll state that I'd like to be able to see one of the pages you're seeing, such that I could use that to buid a new FAQ entry for the data seen there. I'm not suggesting that one of those links be posted here ...

[Merlyn]

What I find hard to believe is this person is hosting the phish target site and does not want to share this information with s/h/it client. I think this is worse than being the phishers. (Lets just keep this quiet so I can get my money for hosting.)

Just my 2 cents.

[getnetincorporated]

Who said anything about sharing information with the client and how does that possibly enter into the discussion?!! I was under the impression that the purpose of this forum was to assist people who are having a problem with spamcop but so far all I have gotten is "gee, this would be a good addition to our FAQ page", "This would be a good opportunity to educate your customer about the evils of phishing emails", and this last post which is obviously nothing more than a flame - love the use of profanity by the way; putting those //s in there really helped make the comment seem more relevant (thanks for the edit Merlyn!)

/sarcasm

[Wazoo]

Posted as an item on the first page of almost every Forum section here.

This is a User to User Support Forum

The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)

Provided as a FAQ entry is Section 8 - SpamCop's System & Active Staff

Posted as an Announcement in every Forum section is Announcement: How To Get Official SpamCop.Net Customer Support .. though also noting that a specific address was already offered.

Sorry you see my offer of help as just a silly exercise.

[Miss Betsy]

Who said anything about sharing information with the client and how does that possibly enter into the discussion?!!  I was under the impression that the purpose of this forum was to assist people who are having a problem with spamcop but so far all I have gotten is "gee, this would be a good addition to our FAQ page", "This would be a good opportunity to educate your customer about the evils of phishing emails", and this last post which is obviously nothing more than a flame - love the use of profanity by the way; putting those //s in there really helped make the comment seem more relevant (thanks for the edit Merlyn!)

/sarcasm

39226[/snapback]

Actually, the first couple of posts directed you to an email address because users (and there are all kinds of users here) don't have control on how a feature works.

As an end user, I always like to encourage admins to 'educate' their customers. So many seem to put 'sharing information' with the customer low on their priorities - and I want to be specific, I am not offering an opinion here on what you do, but only explaining that since I am not a server admin, I didn't have anything to add to previous posts. The previous posts seemed to me to offer all the information that you needed for resolution of your problem plus some good advice on how to handle 'phishes' that mention your customer's name.

Usually we get questions on how to report spam or what to do if blocked by an ISP using the spamcop bl. We(tinw) like to be able to answer all questions, if we can, so when someone asks a question that concerns an area we don't have experience with using, we hope that s/he will give us some information on how their question was resolved so that the forum is useful to the next person who asks.

Miss Betsy

[petzl]

What I find hard to believe is this person is hosting the phish target site and does not want to share this information with s/h/it client. IJust my 2 cents.

39225[/snapback]

I understand this claimed webhost does not want reports from SpamCop claims to of requested via link in SpamCop abuse report to stop reports being sent, claims to be still getting them?

Why this not stop? Clicking appropriate Link works for everyone else? (I often get webhost not interested in recieving reports?)

Just send a email to service[at]admin.spamcop.net which is always answered within 24 hours

IMO

Proper course would be instead of just milking credit cards or bank accounts of course would be to contact the owner that people are reporting phishing attempt threatening their financial institution. Ask if they wish to get these reports? If they do create a fraud[at]address for SpamCop to send reports to (They of course may not be interested either?)

Question: How do you start a small business

Answer: webhost a big business first

[SpamCopAdmin]

I click on the spamcop link in the email and select the option which says "URL used without permission (Stop sending reports)." and get a response which states that no further emails will be sent unless the domain moves to a different IP address.  Unfortunately, I continue to get complaints even though the domain never moves!

SpamCop is very specific about the URL at issue. The new reports you're seeing are about a slightly different URL. Probably a link to a different page at the same site.

Just use the link in the latest report and mark it as "used without permission" too.

We have the ability to mark the entire domain that way, but we generally won't do that without seeing a copy of the complaints you're getting.

- Don D'Minion - SpamCop Admin -

[SpamCopAdmin]

What I find hard to believe is this person is hosting the phish target site and does not want to share this information with s/h/it client. I think this is worse than being the phishers. (Lets just keep this quiet so I can get my money for hosting.)

Just my 2 cents.

39225[/snapback]

Thank you for sharing...

- Don -

[Miss Betsy]

SpamCop is very specific about the URL at issue.  The new reports you're seeing are about a slightly different URL.  Probably a link to a different page at the same site.

Just use the link in the latest report and mark it as "used without permission" too.

We have the ability to mark the entire domain that way, but we generally won't do that without seeing a copy of the complaints you're getting.

- Don D'Minion - SpamCop Admin -

39239[/snapback]

Thank you for confirming that the reason the OP keeps getting reports is because the URL keeps changing.

Miss Betsy

[turetzsr]

I have no problem whatsoever with receiving reports from spamcop about spam that is emanating from one of my users - I want to know about it.

39213[/snapback]

...That's good -- I think it's very commendable that you are concerned about people for whom you have no direct responsibility to protect (the victims of spam) when the source is your responsibility. Thanks!

What I do have a problem with is getting complaints about spam that I have nothing whatsoever to do with just because a domain I host is mentioned in the body of an email.  Imagine a spammer using your email address as the reply-to and then sending out 100,000 spams from a computer in Singapore - there's absolutely nothing that you could do about it, yet you would still receive complaints simply because your email address was used in the spams without your knowledge.

39213[/snapback]

...Sorry, I disagree that this is the same thing. There's nothing I can do about a spammer spoofing my e-mail address because the economic loss to me is too small to interest a law enforcement agency and I do not have the resources to pursue the spammer myself.

In this instance, there is also nothing that I can do to stop the spam mails from going out because I'm not sending them <snip>

39213[/snapback]

...Why not? Suppose I stole your institution's letterhead and sent some large number of mails to your customers (pretending to be you) asking them for information that I could use to steal their identities? I would hope you'd be after me with all the vigor and resources you could muster. I don't think you'd decline to even try to do something about it just because it wasn't you sending the mail.

...In the end, it could be that you would be unsuccessful in pursuing (through both your own and responsible legal authorities' resources) the criminals who are sending the phishes but if I were one of your customers I would be very displeased with you if you chose to do nothing whatsoever to try to stop the criminals.

...In any event, good luck in your efforts to get the notices from SpamCop stopped -- I certainly agree that whether you receive them should be your choice.

[btech]

I have no problem whatsoever with receiving reports from spamcop about spam that is emanating from one of my users - I want to know about it.  What I do have a problem with is getting complaints about spam that I have nothing whatsoever to do with just because a domain I host is mentioned in the body of an email. 

39213[/snapback]

Ahh, but this is something you SHOULD want to know about. While you may have a client who's site is being put into spam messages and they may be 'helpless targets' of spammers, there are many companies that are not so legit.

What you as the host need to do is to really investigate the complaints and see if there is validity to what the client says. We all want to beleive people are honest, but let's be frank: Many are not.

[dra007]

//...snip//

We all want to beleive people are honest, but let's be frank:  Many are not.

39925[/snapback]

And that is especially true when it comes to spammers... I even wonder if an honest spammer is an oxymoron...

[InvisiBill]

What I do have a problem with is getting complaints about spam that I have nothing whatsoever to do with just because a domain I host is mentioned in the body of an email.  Imagine a spammer using your email address as the reply-to and then sending out 100,000 spams from a computer in Singapore - there's absolutely nothing that you could do about it, yet you would still receive complaints simply because your email address was used in the spams without your knowledge.  In this instance, there is also nothing that I can do to stop the spam mails from going out because I'm not sending them - the only thing linking me to them is the unauthorized use of a customer's domain name in the body of the messages.

39213[/snapback]

I agree with you, as far as only being involved as much as the recipient is. I've been joejobbed before (on a relatively small scale), and it's a pain because it really has nothing to do with you. As others have stated, I usually only inform the true site of phishing emails so that they can use the data against the criminals behind the scam, not because I think they're involved.

However, as a site that handles sensitive financial transactions, I feel it's your responsibility to help protect your users by helping to point out the scams. I would highly suggest using SPF, DK, SenderID, etc. to verify the source of your emails. SPF only requires adding a simple TXT record to your DNS, and can make it much easier for a user to tell if an email is valid or not. It doesn't protect against lookalike sites, but it will highlight scams that are impersonating your actual domain name. When I started to get a lot of complaints, I posted instructions on how to find the IP address that sent the message and test it on the SPF site, to show that I had already declared that as coming from an invalid source. It shows that you really are working to help stop spammers and scammers...

[Farelf]

Realistically, the financial institutions being spoofed have no liability in law (IIUC), whatever the morality of the matter (as perceived, presumably, by non-stockholders ). Apart from the criminal himself being directly liable (subject to apprehension, proof etc., etc.), the network owner from whence the message originated may have some secondary liability, as may the host of the exploit/target site (wherever the victims are directed to part with their account details and identity). That would be particularly so if those providers were duly alerted to wrongdoing being perpetrated in their netspace and if they then failed to exercise their "obligations". Whatever those might be in detail, any citizen, corporate or natural, is required to refrain from participating in or aiding and abetting criminal activity when the definition of criminal activity includes the attempt to commit specific crimes (in virtually every known criminal code, I think).

I have been prompted to these musings and commentary by an apparently rare victory - the Abuse Team at

EV1Servers.net -- The Planet obligingly and quickly suspending an account which was hosting a phishing exploit page. Sorry, no tracking URL, this was a manual report. But it may help to know that "it works" from time to time. If the source phish had been reported through SC, the same abuse desk would have received the same information and presumably the same result would have ensued. But with "human only" response allowed on my SC account I may never have known.

[Carted the spam to my home computer - here's a tracking URL:

http://www.spamcop.net/sc?id=z1353271886z5...8cc35e5c848d09z]