TerryNZ

BotNet scenario


The focus of SpamCop's parsing is primarily on spam source address, and secondarily on the spamvertized site.

It is a given in the ongoing "War on Spammer" that whenever a countermeasure becomes effective, it becomes known by the spammer, and he finds a way to circumvent it. And so it has happened.

SOURCE OF spam

For source of spam, we are seeing botnets exceeding 1 million sites in size (recently Dutch authorities discovered and prosecuted a botnet over 1 million in size) and others exist today of hundreds of thousands in size. The "source of spam" method is now defeated by the sheer numbers. And that's all the "quick" reporting contributors are targeting. Forget this method as the first line of attack; you have to know when you have lost.

SPAMVERTIZED SITE

For the spamvertized site method, we find a similar story. With today's domain kiting, we see "hit, run and move on" as one spammer tactic. Register a domain name with an expected life cycle of 5 days, farm it out to spamming affiliates, they send millions of spams for it, and repeat every 2 hours. That's 12 domains per day. Poor old SpamCop parses the site name, sends off abuse complaints, and maybe a few of the 12 get shut down, but by that time they are past their use-by date anyway. It's a throw-away society.

Another spamvertized site measure now in common use is the botnet website method. Since SpamCop does a lookup on the site name's IP Address, the perfect counter is to move the site from one IP address to another every 5 minutes. That is what Alex Polyakov does with his pharmacy sites for example. SpamCop complaints by no stretch of the imagination can match a 5 minute reporting window of opportunity!

SpamCop's methodology is now obsolete. A better method designed to counter modern spammer methods is required.

Edited by TerryNZ

... SpamCop's methodology is now obsolete. A better method designed to counter modern spammer methods is required.
G'day TerryNZ. Oh for a "magic bullet" that would solve all of the problem at once, eh? I can't see anything better than the continuing evolution of the "track back to source" methodology which (with possibly an increasing reliance on spam traps) is what SC does. Given a sufficiently energetic ISP even the botnets can be tackled. Googling botnet does indicate some "new methods" to scope one in operation (last time I looked). But, at the end of the day, the specific sources have to be identified and the shovels unsheathed - erm, for those that carry their shovels in a scabbard.

Anyway, good post, challenging the orthodoxy is the way to progress. Did your own researches indicate the way ahead?


Extracted from a not-quite-associated Topic/Discussion/FAQ-linked item .. made into its own Topic for discussion .. moved to the Lounge area.

The focus of SpamCop's parsing is primarily on spam source address, and secondarily on the spamvertized site.

It is a given in the ongoing "War on Spammer" that whenever a countermeasure becomes effective, it becomes known by the spammer, and he finds a way to circumvent it. And so it has happened.

SpamCop's methodology is now obsolete. A better method designed to counter modern spammer methods is required.

SpamCop not only finds the source of spam, which can lead to it being added to the SCBL. This happens while the spammer is sending spam, not after the spam is sent (spam runs take hours, involving billions of email addresses). This makes the SpamCop SCBL act like a radar, releasing an IP when spam is seen to stop.

SpamCop also notifies the owner of that IP (or at least does so for competent ISPs). This action can, has and does provide evidence for authorities to track down the, or a, spammer, sending the authorities in for criminal prosecution.

Just using a spamtrap or heuristics alone to detect and then block an IP, without notifying the owner of the IP source, may stop spam but does nothing to advise the owner of a computer that has been compromised.

A compromised computer can not only start spewing spam; it can also provide information about the owner of that computer, such as when they are home and when they are not, items for blackmail, credit card and bank details, etc.

SpamCop is also continually advancing and always will be. Reporting spam is still very much a necessity: by not reporting and only blocking, you do nothing much but block a minimal amount of spam, allowing a spammer anonymity and immunity from the law (although many spamtraps and computers are run by big corporations to catch these criminals).


Link http://blog.taragana.com/index.php/archive...mised-computers

QUOTE

Dutch Authorities Bag a BotNet of 1.5 Million Compromised Computers

October 24th, 2005 by Angsuman Chakraborty

Dutch prosecutors last month arrested three young men for creating and operating a botnet allegedly used to extort a U.S. company, to steal PayPal and eBay accounts, and to install adware and spyware.

It turned out that the botnet was comprised of a staggering 1.5 million computers.

The three suspects, aged 19, 22, and 27, were arrested on charges of threatening a U.S. firm with a denial-of-service (DoS) attack. They used phishing tactics to hijack PayPal and eBay accounts, then used them to pay for goods ordered on the Internet.

They also may have written viruses for others, who paid the hackers to come up with tools for stealing online bank account usernames and passwords.

The two younger men (19 year old being the leader) are still in custody but the 27-year-old has been released pending trial.

They supposedly used the Toxbot/Codbot Trojan horse to infect the machines.

I wonder how many such botnets are still in existence. Botnets already made IP banning totally useless as a spam prevention tool.

END QUOTE

I find "totally useless" to be a gross exaggeration. Reporting botnet spam sources has its place. But it is no longer on the frontier. It is like brandishing a sword when we need missiles. What we need is an approach which takes one spamvertized message, and shuts down a hundred related spamvertized sites as a result. Retune the parser, and that is what we could achieve.

Edited by TerryNZ

What we need is an approach which takes one spamvertized message, and shuts down a hundred related spamvertized sites as a result. Retune the parser, and that is what we could achieve.

"Retuning the parser" ...???? What you appear to be describing is something else entirely.

One spam reported, 'hundreds of related sites' identified ...???? related how?

You apparently have the knowledge of the secret tool out there that would "shut down" a site, just because it was included in a spam submitted to your magic tool ...????


You apparently have the knowledge of the secret tool out there that would "shut down" a site, just becaise it was included in a spam submitted to your magic tool ...????

If only I had a magic tool.... :)

Half the hosts don't want to know, half the ISP's don't want to know, and as for most of the registrars - forget it... :( Never mind 'ordinary' spammers, even out and out criminal fraudsters easily get away with it indefinitely with the right choice of host and registrar combination.

Let's just analyse this latest (today) one that I often get up to ten times a day and have been Spamcopping & manually reporting to nameserver hosts and registrars involved, literally for months:

http://norwaygroupconsulting.cn/index.php?...d=6&lang=en (Harmless link)

These are well known money laundering criminal fraudsters (the phishers have got to get rid of their ill-gotten gains somehow). It is the same lot as the old Honda handle & Swiss-invest crowd, among others.

Look at the current DNS traversal data for norwaygroupconsulting.cn:

----------------Server------------------------------Response

ns1.teams-cs.com [85.234.150.43] 24.3.193.151 82.56.100.126 84.189.252.183 85.60.42.249 87.16.236.12

ns2.teams-cs.com [195.45.33.12] Timeout

For starters there's the registrar for norwaygroupconsulting.cn - Joker.com. You can forget about reporting any out and out criminal domains to Joker - they are a pretty safe haven for crooks. I've been submitting full evidential reports on that domain and about ten other similar variants for months to Joker with little effect. (Similarly, MIT simply ignore 'phishing' domain reports, that's why they seem to be the phishers favourite registrar for the ones I get).

Secondly there's the nameserver domain teams-cs.com, registered recently with Enom by the criminals as an integral part of their network - similarly been reporting that to Enom - waste of time.

Thirdly there's the nameserver domain host 85.234.150.43. That belongs to Poundhost Internet Services - no response to my abuse reports in the last three months or so. Are they straight? Are they bent? Your guess is as good as mine - they're certainly happy to host criminals.

Lastly we come to the botnet.... RDNS for 24.3.193.151 is a Comcast user....Hahaha... Next one is a dynamic telecomitalia.it one....I'm quickly losing the will to live, here.... That's another point, if the zombies are on static IP's you may just get the odd responsible smaller ISP interested, if they're on dynamic - forget it...

I tried manually reporting the botnet list a few times, but quickly came to the conclusion that I would have more luck juggling jello from some of the incredibly dumb replies I received about a week later - made the Yahoo/MSN/Hotmail abuse teams look positively sensible by comparison....

In conclusion, I find it difficult to avoid a complete sense of hopelessness regarding the battle against spam, (especially criminal fraud), when large sections of the internet chain don't even want to know about out and out criminal fraudsters, never mind the 'ordinary' pill pushers & 'pump & dumpers'.

Populating the blocklists is about the only useful thing that Spamcop can realistically do in the current climate, it seems to me.


If only I had a magic tool.... :)

<snip>

Let's just analyse this latest (today) one that I often get up to ten times a day and have been Spamcopping & manually reporting to nameserver hosts and registrars involved, literally for months:

http://norwaygroupconsulting.cn/index.php?...d=6&lang=en (Harmless link)

These are well known money laundering criminal fraudsters (the phishers have got to get rid of their ill-gotten gains somehow). It is the same lot as the old Honda handle & Swiss-invest crowd, among others.

Look at the current DNS traversal data for norwaygroupconsulting.cn:

----------------Server------------------------------Response

ns1.teams-cs.com [85.234.150.43] 24.3.193.151 82.56.100.126 84.189.252.183 85.60.42.249 87.16.236.12

ns2.teams-cs.com [195.45.33.12] Timeout

Excellent - you have used a traversal to correctly locate three key items -

1. the nameservers,

2. the nameserver addresses,

3. the web site addresses.

Already you have shown you possess part of the "magic tool".

Although not necessary, you could expand on that analysis like this:

7:45 PM

ns1.teams-cs.com [85.234.150.43] 71.40.178.222 80.121.25.234 81.57.142.41 82.49.138.20 84.151.85.69

ns2.teams-cs.com [195.45.33.12] Timeout

Nameservers

85.234.150.43 PoundHost Internet Services (UK)

195.45.33.12 Provider Local Registry, IUNet SPA (Italy)

Webservers

71.40.178.222 Road Runner HoldCo LLC (FL, USA)

80.121.25.234 Telekom Austria Aktiengesellschaft (Austria)

81.57.142.41 Proxad / Free SAS (France)

82.49.138.20 Telecom Italia S.p.A. (Italy)

84.151.85.69 Deutsche Telekom AG (Germany)

7:55 PM

ns1.teams-cs.com [85.234.150.43] 151.50.89.123 68.49.226.233 71.40.178.222 81.57.142.41 82.49.138.20

ns2.teams-cs.com [195.45.33.12] Timeout

Webservers

151.50.89.123 IUNET-BNET50, Via Lorenteggio 257 (Italy)

68.49.226.233 Comcast Cable Communications Inc (NJ, USA)

71.40.178.222 Road Runner HoldCo LLC (Florida)

81.57.142.41 Proxad / Free SAS (France)

82.49.138.20 Telecom Italia S.p.A. (Italy)

This additional analysis is to build legal evidence. To a technically competent lawyer, this is clear evidence of a botnet of compromised web servers, and there is a good probability that the nameservers are also part of that botnet. Proxy nameserver/proxy webserver trojans are becoming prevalent, and a rotation of multiple hosts spread all over the world is a clear fingerprint of an illegal webserver botnet.

For starters there's the registrar for norwaygroupconsulting.cn - Joker.com. You can forget about reporting any out and out criminal domains to Joker - they are a pretty safe haven for crooks. I've been submitting full evidential reports on that domain and about ten other similar variants for months to Joker with little effect.

How sad to read this. I had the same opinion back in August. Then I changed my communication method, and my opinion. CSL (Joker) now has the fastest response time of all ISPs I deal with, averaging 48 hours from request to fulfillment. In my experience they are second only to Yahoo!

(Similarly, MIT simply ignore 'phishing' domain reports, that's why they seem to be the phishers favourite registrar for the ones I get).

I delegate all phishing reports to the experts. The PIRT team is hugely effective. See that magic tool at http://wiki.castlecops.com/PIRT

Secondly there's the nameserver domain teams-cs.com, registered recently with Enom by the criminals as an integral part of their network - similarly been reporting that to Enom - waste of time.

What a shame. eNom is efficient, skilled in DNS administration, and responsive. In my experience they are next in line after Yahoo! and CSL/Joker. Average response time to my requests is 2-3 days.

Thirdly there's the nameserver domain host 85.234.150.43. That belongs to Poundhost Internet Services - no response to my abuse reports in the last three months or so. Are they straight? Are they bent? Your guess is as good as mine - they're certainly happy to host criminals.

Try http://85.234.150.43

A noobie has installed Apache and left it with the default password. An open invitation to any 10-year old hacker. "I'm all yours, come and use me as you will". Some people can't be helped. The best you can do (short of logging on to it and doing a password change and shutdown) is send a traceroute to the IP admin, plus notification of the Apache stupidity.

Lastly we come to the botnet.... RDNS for 24.3.193.151 is a Comcast user....Hahaha...

As a Comcast shareholder, I have to admit considerable disappointment here. Their abuse department is totally geared to dealing with abuse FROM their network, and do not seem able to take on board the concept of dealing with advisories on abuse TO their network. I am seeking a "Security Incident" ID. I will not give up. And I am holding on to my shares. So far...

Next one is a dynamic telecomitalia.it one....I'm quickly losing the will to live, here.... That's another point, if the zombies are on static IP's you may just get the odd responsible smaller ISP interested, if they're on dynamic - forget it...

Are you trying to shut down a botnet single handed? Set your sights higher, and leave botnet removal to the authorities with the manpower to do it.

In conclusion, I find it difficult to avoid a complete sense of hopelessness regarding the battle against spam, (especially criminal fraud), when large sections of the internet chain don't even want to know about out and out criminal fraudsters, never mind the 'ordinary' pill pushers & 'pump & dumpers'.

Populating the blocklists is about the only useful thing that Spamcop can realistically do in the current climate, it seems to me.

If I had had as little success as you appear to have met with, I would feel the same. There is a corollary. If you had met with success, and shut down thousands of spam sites in a month as a result of your efforts, you would be filled with a complete sense of hopefulness.

As an afterthought. Try this:

================================================

To: legal /at/ eNom.com

Subject: name server removal of teams-cs.com

Please process this compliance request to lock out the zone file and remove nameserver

resolution Address records from the domain

teams-cs.com

This domain is registered with eNom as you can determine from this link

http://www.dnsstuff.com/tools/whois.ch?ip=...om&email=on

EVIDENCE OF ILLEGALITY

Spamvertized site is

http://norwaygroupconsulting.cn

DNS Traversal is

http://www.dnsstuff.com/tools/traversal.ch...g.cn&type=A

>> above obfuscated link contains /tools/traversal.ch?domain=norwaygroupconsulting.cn&type=A

Observation: DNS traversal reveals a webserver botnet of illegally hijacked machines

You will find detailed evidence of the illegality of the spamvertized site norwaygroupconsulting.cn at

http://www.google.com/search?q=norwaygroupconsulting.cn

You may use the traversal link above to verify the success of the nameserver removal.

I appreciate your early compliance with this request.

====================================================

Append your name and contact details to show this is a genuine request.

You could even add some of the traversal evidence if you wish.

In dealing with other registrars, adopt the same terminology and mindset.

Do not expect a reply, but do expect action.

Now, wouldn't it be a neat paradigm shift if the SpamCop parser performed the same DNS traversal that you and I perform manually, and produced the compliance request template?

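The traversal analysis in the post above, as an added example that is not part of this thread or of SpamCop's parser: it parses the two snapshots in the traversal tool's text layout, measures how many addresses, networks and countries the A records span and how much the set turns over between samples, and renders the EVIDENCE summary. The owner table is the thread's own lookups plus a constructed stable-host control, and the three thresholds are this example's assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# The two traversal snapshots posted in the thread (7:45 PM and 7:55 PM), in the
# "nameserver [ns-ip] answers..." layout of the traversal tool.
TRAVERSAL_1945 = """\
ns1.teams-cs.com [85.234.150.43] 71.40.178.222 80.121.25.234 81.57.142.41 82.49.138.20 84.151.85.69
ns2.teams-cs.com [195.45.33.12] Timeout
"""
TRAVERSAL_1955 = """\
ns1.teams-cs.com [85.234.150.43] 151.50.89.123 68.49.226.233 71.40.178.222 81.57.142.41 82.49.138.20
ns2.teams-cs.com [195.45.33.12] Timeout
"""
# Constructed control: a domain whose answers never change and live in one network.
STABLE = "ns1.example.net [192.0.2.53] 198.51.100.10 198.51.100.11\n"

# IP -> (network owner, country): the thread's own lookups, plus constructed entries
# for the control.  A real tool would query whois or an IP-to-ASN service here.
OWNERS: Dict[str, Tuple[str, str]] = {
    "71.40.178.222": ("Road Runner HoldCo LLC", "US"),
    "80.121.25.234": ("Telekom Austria Aktiengesellschaft", "AT"),
    "81.57.142.41": ("Proxad / Free SAS", "FR"),
    "82.49.138.20": ("Telecom Italia S.p.A.", "IT"),
    "84.151.85.69": ("Deutsche Telekom AG", "DE"),
    "151.50.89.123": ("IUNET-BNET50", "IT"),
    "68.49.226.233": ("Comcast Cable Communications Inc", "US"),
    "198.51.100.10": ("Example Hosting", "US"),
    "198.51.100.11": ("Example Hosting", "US"),
}

LINE_RE = re.compile(r"^(\S+)\s+\[([\d.]+)\]\s+(.+)$")
Snapshot = Dict[str, Tuple[str, Optional[Set[str]]]]  # ns -> (ns ip, A records | None)

def parse_traversal(text: str) -> Snapshot:
    """Parse one snapshot; a nameserver that answered 'Timeout' maps to None."""
    snapshot: Snapshot = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised traversal line: {line!r}")
        ns, ns_ip, rest = m.groups()
        snapshot[ns] = (ns_ip, None if rest.lower() == "timeout" else set(rest.split()))
    return snapshot

def answered_ips(snapshot: Snapshot) -> Set[str]:
    """Union of A records from every nameserver that actually answered."""
    return set().union(*(answers for _, answers in snapshot.values() if answers))

def churn(prev: Set[str], cur: Set[str]) -> float:
    """Share of the current answer set that was absent from the previous sample."""
    return len(cur - prev) / len(cur) if cur else 0.0

@dataclass
class FluxReport:
    distinct_ips: int
    distinct_owners: int
    distinct_countries: int
    mean_churn: float
    timed_out: List[str]
    suspicious: bool

def assess(snapshots: List[str], owners: Dict[str, Tuple[str, str]] = OWNERS,
           min_ips: int = 5, min_owners: int = 3, min_churn: float = 0.3) -> FluxReport:
    """Score successive snapshots for the fingerprint the thread describes: many
    addresses, spread over unrelated networks, rotating between samples.
    The three thresholds are this example's assumptions, not figures from the thread."""
    parsed = [parse_traversal(s) for s in snapshots]
    sets = [answered_ips(p) for p in parsed]
    all_ips: Set[str] = set().union(*sets)
    churns = [churn(a, b) for a, b in zip(sets, sets[1:])]
    mean_churn = sum(churns) / len(churns) if churns else 0.0
    orgs = {owners[ip][0] for ip in all_ips if ip in owners}
    countries = {owners[ip][1] for ip in all_ips if ip in owners}
    timed_out = sorted({ns for p in parsed for ns, (_, a) in p.items() if a is None})
    suspicious = len(all_ips) >= min_ips and len(orgs) >= min_owners and mean_churn >= min_churn
    return FluxReport(len(all_ips), len(orgs), len(countries), mean_churn, timed_out, suspicious)

def evidence_lines(report: FluxReport, domain: str) -> List[str]:
    """Plain-text summary for the EVIDENCE section of a compliance request."""
    lines = [
        f"Spamvertized site: {domain}",
        f"Distinct web server addresses across traversal samples: {report.distinct_ips}, "
        f"spread over {report.distinct_owners} networks in {report.distinct_countries} countries",
        f"Mean address turnover between samples: {report.mean_churn:.0%}",
    ]
    if report.timed_out:
        lines.append("Nameservers not answering: " + ", ".join(report.timed_out))
    lines.append("Observation: rotation across unrelated consumer networks is consistent with "
                 "a webserver botnet" if report.suspicious else
                 "Observation: no fast-flux indicators in these samples")
    return lines

if __name__ == "__main__":
    report = assess([TRAVERSAL_1945, TRAVERSAL_1955])
    print("\n".join(evidence_lines(report, "norwaygroupconsulting.cn")))
```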
Now, wouldn't it be a neat paradigm shift if the SpamCop parser performed the same DNS traversal that you and I perform manually, and produced the compliance request template?

Per the graphic / data provided on the graphic / link at the top right of this web page, I'm not grokking the 'ease' implied at doing this kind of research based on numbers like "average 12 messages per second" ... won't even go near the 'max' number ....

Yes, I do this kind of research / complaining pretty often, but it takes me a whole lot longer than a few milliseconds to capture the data .....


Yes, Wazoo, I am aware of the statistical turn-around requirements. I am also aware of the effort involved in manually performing the analyses. I have also invested time in automating the processes but to a limited extent.

This is a very large topic, and not one which can be dispensed with in a few sentences. There are major shifts involved - shifts in thinking, shifts in philosophy, shifts in implementation.

Questions I would like to raise

1. What are the primary objectives of SC today?

2. Are these objectives still achievable?

3. Has SC reached its limits (processing required vs reporting frequency)?

A point for consideration

Every spam reported to SC is treated equally, irrespective of who the spamvertizer is, irrespective of source address, irrespective of content, irrespective of reporting frequency. That may not be the best philosophy with today's volumes.

This means that Johnny Spammer who sends 1,000 spams, of which 10 get reported, receives 10 advisories and Alex Spammer who sends 10 million spams of which 1 million get reported receives 1 million advisories. I don't know the ratio of "quick" vs "standard" reports, so assume 50% - Johnny's website IP owner gets 5 advisories and Alex's half a million.

Half a million? Have I got that right? Please correct me if I have misunderstood. Explain to me what throttling mechanism is in place to ensure that does not happen. But let's move on.

So the next question is

4. Is it time to introduce a priority system which gives weight to such factors as spamvertizer identity, source address, content and frequency?

Taking the lead from other organisations that have adopted such a priority approach, I have had considerable success in curtailing both spamvertized sites and even spamming volumes. This has been in both a research and implementation phase over the past two months, with significantly encouraging results.

I am hopeful that SpamCop has not become complacent with its own success, and I am grateful for the opportunity to bring some new ideas to the table. Thank you for your feedback to date, it is most encouraging.

1. What are the primary objectives of SC today?

Suggesting that they've changed?

2. Are these objectives still achievable?

Based on the folks posting about their e-mails getting "blocked by SpamCop" .. something is still happening ...

3. Has SC reached its limits (processing required vs reporting frequency)?

programmers have been credited, hardware keeps getting added/upgraded ... been the same since Julian ran the whole show from "the kitchen table" ....

This means that Johnny Spammer who sends 1,000 spams, of which 10 get reported, receives 10 advisories and Alex Spammer who sends 10 million spams of which 1 million get reported receives 1 million advisories. I don't know the ratio of "quick" vs "standard" reports, so assume 50% - Johnny's website IP owner gets 5 advisories and Alex's half a million.

??? Not sure what you actually meant as you seemed not to have defined your terms ... Quick-reporting targets the spew source while the 'standard' reports try to parse it all ... so your math depends on whether you're talking about the source or spamvertised sites .... back to the 'primary objectives' which have been repeatedly stated ... again, both 'reports' are basically niceties to the hosting ISP, still requiring them to 'give a damn' ... the SpamCopDNSBL came along later when it was obvious that far too many of them didn't.

Half a million? Have I got that right? Please correct me if I have misunderstood. Explain to me what throttling mechanism is in place to ensure that does not happen. But let's move on.

Part of each report is a link to a 'control panel' for the ISP to make a selection, which even includes "don't send me any more reports"

4. Is it time to introduce a priority system which gives weight to such factors as spamvertizer identity, source address, content and frequency?

The standard and repeated answer .. bring it on .... the world is waiting for it ....

Excellent - you have used a traversal to correctly locate three key items -

1. the nameservers,

2. the nameserver addresses,

3. the web site addresses.

Already you have shown you possess part of the "magic tool".

Although not necessary, you could expand on that analysis like this:

7:45 PM

<snips> [various... :) ]

A noobie has installed Apache and left it with the default password. An open invitation to any 10-year old hacker. "I'm all yours, come and use me as you will". Some people can't be helped. The best you can do (short of logging on to it and doing a password change and shutdown) is send a traceroute to the IP admin, plus notification of the Apache stupidity.

Are you trying to shut down a botnet single handed? Set your sights higher, and leave botnet removal to the authorities with the manpower to do it.

I must admit that I am surprised at the apparent success you have had with Joker, especially in view of this extract from their T's & C's:- "Joker.com will support your effort to stop somebody to spam, but will not make own judgements about the case. We are not taking the chance to "hurt" one innocent under 100 fraudulent registrants." and also Yahoo..... The number of times I have reported money laundering and 419 scammers' Yahoo response email addresses to whatever Yahoo are using for abuse addresses this week and got the cretinous reply "This spam was not sent through the Yahoo network, we can therefore take no action" message....

The problem I find with abuse teams in general is that they do not have the time to read long evidential abuse reports. For the sort of out and out criminal ones I include all the pertinent traversal data, & all the IP lookups that clearly demonstrate, (to me anyway), that a botnet is being used and clearly state the fact. Where pertinent, I also include evidence from the websites where it demonstrates illegality or fraud. In fact I report generally along the lines you suggest, (I'm also a registered Joker account holder - so the abuse report comes from a registered client with full contact documentation). Been there, done that with Enom, by the way. I'll set you a couple of little challenges: teams-cs.com - if you can get enom to suspend that in five working days I will be well impressed.... :) (It's registrar-hold at the moment so it's in the zone although it doesn't have an A record, of course.) Similarly with Joker for the most recent Norway Consulting domain:- norwaygroupconsulting.cn Good luck! :)

I don't try to shut down the individual zombies of a botnet, as I said, that's even more futile - I aim for the domains, the nameserver domains and the nameserver hosts, all of which would undoubtedly be effective if the abuse teams could be persuaded to act together and with alacrity. Some do, by the way, but it's the odd bad apples that the criminals aim for.

Interestingly enough, since I first posted, Joker seem to have acted on all the Norway Consulting domains that I have been reporting to them for months, namely:

norways-consulting-grp.cn

norwayconsultinggroup.cn

group-norway-consulting.cn

norway-group.cn

norway-cons-group.cn

norway-consulting-gr.cn

consulting-group-norway.cn

norway-consulting-group.cn

norway-consult-group.cn

consulting-norway-gr.cn

However, if you check the reasons for placing the domains on hold you will see that it is always either "invalid address" or "unpaid". I still maintain that a lot of registrars such as Joker will not take action on criminal fraud itself, but only if the stolen credit card that is used to pay for these domains bounces or they can be bothered to check that the whois data is false, which it always is....

There are many registrars that I have instant success with - they are the good ones who do not hide behind the 'crooks charter' that Joker, MIT et al do. Onlinenic for example are superb - on my criminal fraud reports they will remove the main domain & the nameserver domains from the zone within minutes of receiving my abuse report, (20 mins is my record turnaround... :) ). Unfortunately, criminals unsurprisingly don't use them anymore - they use Joker & MIT etc. instead & I suggest they use them for a reason....

The default Apache webserver is a trademark of all these phishing and criminal fraud gangs - you've probably seen the R11.com phisher ones. They seem to rely on them not being in the same place long I guess.


Perhaps the Norway Consulting Group could be separated off to a separate discussion, as it is a by-product of the main one here.

In the meantime, be assured that users of the Site Advisor extension in Firefox will be seeing this as a clickable option when they visit that site

http://www.siteadvisor.com/sites/norwaygroupconsulting.cn

That link makes it easier when reporting to the Registrar with a "compliance request".


I must admit that I am surprised at the apparent success you have had with Joker,[snip]

I am impressed - you certainly know about the methods to use. I find in reading many different people's experiences with Registrars, that someone's best is someone else's worst. Why is that? It could be that some request methods work better than others. Maybe someone else has a better contact address or communication method.

Here are two suggestions.

1. Format the email into 3 sections. REQUEST / REASON / EVIDENCE

REQUEST

Make the request in the first one or two sentences, such as

"Please lock out the zone file example.com and remove the nameserver Address records ns1.example.com and ns2.example.com". Expand on "lock out" if necessary by expressing the required STATUS codes, which vary according to site type (.com / .net is different from .info / .biz - see this status codes link )

REASON

"This domain is used exclusively for defining access to illegal ..... web sites belonging to Leo xxx / Alex yyy listed in the ROKSO Top 10 at http://www.spamhaus.org/statistics/spammers.lasso ..."

EVIDENCE

[insert all of the long-winded evidence here. If sections 1 and 2 are sufficiently well expressed, then reading this becomes optional. Use links as much as possible, as they are language independent. Sequence this in most important to least important order - most telling evidence first]

2. LACK OF RESPONSE

Most registrars have a general policy to avoid escalating mail volumes - never to reply. They understandably do not want a dialog over every request.

Therefore it helps to ask a direct question to encourage an answer. Example - "Am I sending this request to the right email address? Please reply with the best address to use"

or

"I have copied 3 others on this request. Tell me which addresses I should exclude on future requests"

The objective is to assure yourself that you are getting through to the right entity. Once you see actions being taken in response to requests, the lack of dialog is no problem.

Edited by TerryNZ


PM brought to 'here' .... basically, I don't have time for this kind of crap. Of all the names I've been called here, being described as "evasive" is pretty interesting. Simple point made clear yet again, I don't get paid for this. As I stated, if you want 'official' answers / responses, you need to talk to "them" .... that's not 'evasive' .. that's the simple fact .... explained / defined at Section 8 - SpamCop's System & Active Staff User Guide

As to what set this off ... just back from the folks' house ... dishes, laundry, supper accomplished, plumbing issue wasn't raised until 2100 for some reason, so some disassembly accomplished, parts not available until 'normal' working hours tomorrow ... came back here to find that JT had set me up an account on a new server, so spent some time trying to find my way around there, make some configuration changes, move some files, etc. ... came back here to find that spammers have been busy, handled some other traffic, then run into the following ... again, I don't have the time or inclination to get involved with the alleged issue ... Geezus, read what's here .. you don't like it, OK ... that's why this is in the Lounge area to begin with ....

I am sending this directly rather than via the forum.

My questions were sincerely asked. Your responses were evasive. I am prepared to put forward a lot of useful ideas, but I sense you are giving me the brush-off. I have been a long term SpamCop user, supporter and advocate. Don't take criticisms personally, and don't feel you have to go on defense against what may appear on the surface to be an attack. That is not my objective.

If you would prefer to address those questions directly by response to me, fine.

If you would like to do so on the forum, even by edit of your previous response, fine.

If you want to point me at a URL that addresses them, great.

Over to you.

By the way, there is a New Feature Request Forum section ....


1. What are the primary objectives of SC today?

Suggesting that they've changed?

That's what I meant by "evasive". My question was asked to find out if anyone reading could point me at what the primary objectives of SC were, and if they have changed to meet spammer countermeasures.

To elaborate.

Does SC set out to persuade ISPs to take action to clean up the spam emanating from their area?

Does SC have a mission to educate Internet users on methods to filter spam?

Is the primary role now seen as feeding the SC blocklist (arguably the best in the industry)?

Does SC feel that it has a role to reduce the amount of spam?

I did not put forward these questions previously, in case they tainted the responses by limiting them only to those options. But I am particularly interested in the fourth question. SC may achieve a lot of spam reduction, but I do not know if that is a result of its current actions or a primary objective. Why does it matter?

If it is the result, then there is no need to look any further. Overall spam reduction ( or more accurately a slower increase) is a useful effect. If it is a primary objective, then there are other ways that SC can achieve more overall spam reduction.

So I asked the question to see if I need go any further. I was disappointed that the only response was not a response. No criticism intended.

I went to the section Wazoo referred to. Hey, I go back to data entry switches, paper tape, the wondrous 80-column card, and acoustic couplers too. "Core", those were the good old days. Now I am off to fix the washing machine with its blocked impeller, whatever that is. :-(

In the meantime, be assured that users of the Site Advisor extension in Firefox will be seeing this as a clickable option when they visit that site

http://www.siteadvisor.com/sites/norwaygroupconsulting.cn

That link makes it easier when reporting to the Registrar with a "compliance request".

Excellent - all publicity helps! (Although not necessarily a lot if there are so many 'bombproof' links in the chain....).

Perhaps the Norway Consulting Group could be separated off to a separate discussion, as it is a by-product of the main one here.
Probably not worth it TBH - This domain was just one I picked to illustrate a point related to the original thread subject, namely 'Botnet Scenario'. I could have picked others.

2. LACK OF RESPONSE - Therefore it helps to ask a direct question to encourage an answer. Example - "Am I sending this request to the right email address? Please reply with the best address to use"

or "I have copied 3 others on this request. Tell me which addresses I should exclude on future requests"

Sometimes what I tend to do is to add a note after a multiple abuse address posting to the effect: "Please excuse the multiple address posting - no abuse procedure listed in whois data", or words to that effect, to try and encourage helpful information in the whois data table. Sometimes I place a direct request for the correct contact address - it rarely produces a response, though. I'm wary of using abuse.net - I've found it not to be too accurate or reliable in the past. It certainly helps if you can build up a good relationship with an abuse team; onlinenic's team I got to know by name - a v.helpful crowd, but being proactive in fighting spam & criminality means I don't get to write to them anymore, as the criminals rarely use them now - there's a lesson there for every criminal-friendly ISP/Host/Registrar that gets bombarded with abuse reports & does very little....

I have to agree with the view that in the present climate there is little more that could be achieved by Spamcop. If all registrars were obliged under the ICANN accreditation agreement to implement a standardised strict AUP & be proactive against spam then perhaps there may be an argument for the parser to report spamvertized domains to the relevant registrar, but as things are, most registrars are either not interested or simply not geared up for the massive increase in abuse workload they would have to take on to join the battle.

To elaborate.

1)Does SC set out to persuade ISPs to take action to clean up the spam emanating from their area?

2)Does SC have a mission to educate Internet users on methods to filter spam?

3)Is the primary role now seen as feeding the SC blocklist (arguably the best in the industry)?

4)Does SC feel that it has a role to reduce the amount of spam?

I have no knowledge of Spamcop's inner workings, but I would guess, (and it IS only a guess - I am open to be corrected by those in the know!):

1)Generally only by them appearing on a blocklist

2)No

3)Yes

4)Possibly Yes as part of any 'mission statement', but as the whole 'system', (not just Spamcop's workings), stands at the moment that has not been and is unlikely to be achieved, although it could be argued that without organisations like Spamcop there would be even less incentive to take action against spammers and spam could be even worse than it is.....

Edited by bobbear


Please note that the people responding here are NOT being "evasive". They / we simply do not know the answers to your questions. Questions about policy and goals can ONLY be answered by the paid staff, and I wonder if even they have a common understanding of direction. Even Wazoo has very limited access to staff in terms of getting answers to questions. Most of the information we have has come from the trial and error approach, by using SpamCop and attempting to determine what it does by what we see as a result. And part of what we have seen is that the official FAQ just does not match the reality of today. As such we have worked to develop alternative FAQs. Do we get any support from staff in our efforts? My personal experience is NO. Wazoo does seem to get some support on occasion. From my perspective as a moderator, the support he gets as Forum Admin from SpamCop staff/administration and the support that this Forum gets would rate a failing grade. On a scale of 1 to 10, I would have a hard time giving it even a 1.

Yet I believe in the product and the price, which does counter balance the lack of support. And to counter what I just said about Wazoo, he does get support, but it is mostly in the terms of "permissive" support rather than "functional" support.

Does staff support our attempts to build a functional FAQ? My answer would be a definite NO. Not a single staff member has even taken the time to register on the new Wiki; and contributions to the Forum base FAQ, by staff, are nearly non-existent.

Sometimes I wonder why we continue to support the Forum/Wiki, as it does not seem to be appreciated. Why put out the effort? And for what? It sure is not financial, as none of us even get a discount on a SpamCop Email Account. We pay full price just like everyone else, or, like Wazoo, the Forum Admin, do not have any access to SpamCop email even for testing purposes.

I guess it comes down to that we believe in the product and feel the desire to help others make use of it.


To elaborate.

Does SC set out to persuade ISPs to take action to clean up the spam emanating from their area?

Sends a report to ISP & or 3rd parties for every spam reported by SpamCop

Does SC have a mission to educate Internet users on methods to filter spam?

Provides self-help discussion groups and Newsgroups, also employs a team of anti-spam specialists as well as volunteers

Is the primary role now seen as feeding the SC blocklist (arguably the best in the industry)?

SpamCop tries to use technology to stop spam and has formed an alliance with Ironport. Together they have created new technologies to stop spam from hitting one's inbox.

Does SC feel that it has a role to reduce the amount of spam?

SpamCop is reducing, in fact stopping, spam getting into one's inbox.

The SpamCop email service is proof of this. It not only accurately sorts spam into a VER folder but makes it easy for one to notify every ISP where spam came from.

Never automatically accept the email address forced on you by an ISP if email is important to you

Edited by petzl


All these efforts are commendable. There are just too many if's. Let's not forget that any recent effort to go after web advertising more aggressively (i.e. Blue Frog-like) has met with severe retaliation from spammers, who were successful in shutting them down, as well as complaints about wasting internet resources. Bottom line is that any such effort has to have enough backing and resources to withstand attacks and defend itself. Spammers are criminals, and as such they will use all the dirty tricks in the books to destroy any attempt at reducing their illicit income. I don't think SpamCop would have survived and flourished on its own without the support from IronPort.


All these efforts are commendable. There are just too many if's. Let's not forget that any recent effort to go after web advertising more aggressively (i.e. Blue Frog-like) has met with severe retaliation from spammers, who were successful in shutting them down, as well as complaints about wasting internet resources.

As a moderator on the Blue Security forums both at bluesecurity.com and castlecops.com I am very aware of what happened. Although it was eventually fully protected with an Ironport level of security, the attacks continued to the extent of persuading Blue Security to close down. Too many innocent people and companies came under attack in the periphery.

This next comment is my considered opinion, and it will not please many, but I have to make it.

Blue Security came under attack because it was too successful.

SpamCop has not been subjected to the same treatment because the spammers have circumvented it.

They feel that they can co-exist despite the best efforts of SpamCop and Spamhaus.

Bottom line is that any such effort has to have enough backing and resources to withstand attacks and defend itself. Spammers are criminals, and as such they will use all the dirty tricks in the books to destroy any attempt at reducing their illicit income. I don't think SpamCop would have survived and flourished on its own without the support from IronPort.

I would love to get SpamCop running at such a level that the spammer gangs justify the Ironport protection. Right now they are too complacent, although recent news may have troubled them.

http://www.theregister.co.uk/2005/09/27/dea_crack_down/ (4,600 rogue pharmacy sites shut down)

http://www.theregister.co.uk/2006/09/25/on...macy_crackdown/

Edited by TerryNZ

As a moderator on the Blue Security forums both at bluesecurity.com and castlecops.com I am very aware of what happened. Although it was eventually fully protected with an Ironport level of security,

I can find nothing on that page that mentions IronPort. Apparently, you are somehow confusing IronPort and Akamai, but I'm not sure how ....

SpamCop has not been subjected to the same treatment because the spammers have circumvented it.

???? Could be, but I'd think that the use of the Akamai service has more of an impact.

They feel that they can co-exist despite the best efforts of SpamCop and Spamhaus.

I would love to get SpamCop running at such a level that the spammer gangs justify the Ironport protection. Right now they are too complacent, although recent news may have troubled them.

http://www.theregister.co.uk/2005/09/27/dea_crack_down/ (4,600 rogue pharmacy sites shut down)

http://www.theregister.co.uk/2006/09/25/on...macy_crackdown/

Not a clue as to what the comparison is .... the closing of 'web sites' versus the identification of spewing IP addresses of outgoing e-mail ....???? On the other hand, there is no identification that SpamCop.net spam reporters didn't aid in those efforts by adding in additional targets for their outgoing complaints/reports ..??


I can find nothing on that page that mentions IronPort. Apparently, you are somehow confusing IronPort and Akamai, but I'm not sure how ....

Sorry, yes, my mistake. Blue Security eventually used Prolexic for DDoS protection - an "Akamai-like" protection is what I meant to say.

Not a clue as to what the comparison is .... the closing of 'web sites' versus the identification of spewing IP addresses of outgoing e-mail ....????

SpamCop addresses the source of spam by locating and emailing the "owner" of the IP range.

SpamCop addresses the spamvertized site by reverse DNS lookup to locate the IP address and emailing the "owner" of that IP range.

SpamCop enables filtering of spam by building a rapid response blocklist, which I consider to be the best in the industry.

What SpamCop could do is:

Parse the URL.

Perform an address traversal to locate the name servers that resolve access to the spam site.

Perform a Whois lookup for the name servers to locate the registrars.

Perform a lookup on the registrar to locate the ICANN-mandated contact address.

Prepare a template message to the registrar contact.

The decision to send a template message should be based on certain criteria, such as volume, known criminality, and other priorities. Requests to registrars should be minimal in number - not one per spam. Once DNS resolution to a site or range of a few hundred sites is removed by the registrar, no further messages can be generated because it will fail subsequent traversals.

The system as described here has been running since August 1, resulting in the removal of over 3,000 pharmacy websites by 100 nameserver removals. (The DEA crackdown news item was amusing.)

Julian has been good enough to comment on this idea. In summary, he did not think that registrars would be compliant, so had not considered the same experiment. He was surprised at my success rate. Secondly, he feels there is not sufficient resource to make the required changes at this time.

To me, I feel there is a great opportunity for "post-processing" the huge spambase the SpamCop attracts.

On the other hand, there is no identification that SpamCop.net spam reporters didn't aid in those efforts by adding in additional targets for their outgoing complaints/reports ..??

Perhaps someone can help me here. I know how to add comments to an outgoing SC report. How do I add more targets? It's probably staring me in the face . . . I have been having to send separate emails in tandem with the SC ones, to communicate to the registrars.

Thanks for the feedback.

Edited by TerryNZ
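The five-step registrar traversal TerryNZ outlines above, with its volume criterion and the "failed traversal generates no further messages" rule, sketched as an added Python example; this is not code from the original post or from SpamCop, the live NS and whois lookups are replaced by constructed tables, and every domain, nameserver, registrar and contact address in it is a hypothetical placeholder.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed tables standing in for live NS lookups and whois answers.
# All names are hypothetical placeholders, not real domains or registrars.
NS_RECORDS = {
    "pills-example.cn": ["ns1.bulk-dns.example", "ns2.bulk-dns.example"],
    "cheap-meds.example": ["ns1.bulk-dns.example"],
    "legit-shop.example": ["ns.registrar-b.example"],
}
NS_REGISTRAR = {"bulk-dns.example": "Registrar-A",       # whois of the NS domain
                "registrar-b.example": "Registrar-B"}
REGISTRAR_CONTACT = {"Registrar-A": "abuse@registrar-a.example",  # ICANN-listed
                     "Registrar-B": "abuse@registrar-b.example"}  # contact (placeholder)

SAMPLE_URLS = [  # constructed spamvertized URLs as they might be parsed from reports
    "http://pills-example.cn/buy", "http://www.pills-example.cn/?aff=7",
    "http://cheap-meds.example/", "http://legit-shop.example/",
    "http://gone-domain.example/",  # already pulled by its registrar: no NS records
]


def registrable_domain(host):
    """Toy registrable-domain cut: last two labels (a real tool needs the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def traverse(url):
    """Steps 1-4: URL -> domain -> nameservers -> registrar -> abuse contact.
    Returns None when the domain no longer resolves, so a domain whose DNS the
    registrar has already removed cannot generate any further messages."""
    host = urlparse(url).hostname
    if not host:
        return None
    domain = registrable_domain(host)
    nameservers = NS_RECORDS.get(domain)
    if not nameservers:
        return None
    registrars = {NS_REGISTRAR.get(registrable_domain(ns)) for ns in nameservers}
    registrars.discard(None)
    if len(registrars) != 1:
        return None  # unknown or split across registrars: leave for manual review
    registrar = registrars.pop()
    return domain, tuple(nameservers), registrar, REGISTRAR_CONTACT[registrar]


def plan_reports(urls, min_spams=2):
    """Step 5 with the volume criterion: one template per registrar (never one per
    spam), and only once that registrar's nameservers carry >= min_spams spams."""
    per_registrar = defaultdict(lambda: {"spams": 0, "domains": set(), "ns": set()})
    for url in urls:
        hit = traverse(url)
        if hit is None:
            continue
        domain, nameservers, registrar, contact = hit
        entry = per_registrar[registrar]
        entry["spams"] += 1
        entry["domains"].add(domain)
        entry["ns"].update(nameservers)
        entry["contact"] = contact
    return {reg: {"to": e["contact"], "spams": e["spams"],
                  "domains": sorted(e["domains"]), "nameservers": sorted(e["ns"])}
            for reg, e in per_registrar.items() if e["spams"] >= min_spams}
```

With the sample input only Registrar-A crosses the threshold, receiving a single message that lists two domains and both nameservers, while the dead domain and the single-spam registrar produce nothing.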


Perhaps someone can help me here. I know how to add comments to an outgoing SC report. How do I add more targets? It's probably staring me in the face . . . I have been having to send separate emails in tandem with the SC ones, to communicate to the registrars.

Thanks for the feedback.

Preferences tab, Report Handling Options, Public standard report recipients

If you wish others to receive a copy of every spam you submit, enter the email address here. Please do not send to any address which is not receptive to receiving untargeted spam reports. Note this will create only one copy for each spam, even if there are multiple reports per spam.

Julian has been good enough to comment on this idea. In summary, he did not think that registrars would be compliant, so had not considered the same experiment. He was surprised at my success rate. Secondly, he feels there is not sufficient resource to make the required changes at this time.

Well, pass on my thanks to Julian for repeating what I had already stated (in my previous evasive responses) .. glad to hear that I wasn't wrong ....

