Jump to content
Sign in to follow this  
DavidT

False reporting of newsletters puts "JAlbum" on Blocklist

Recommended Posts

OK, so this one's not as egregious as the nitwits who put the OpenOffice.org email server on the SCBL because they were reporting newsletters they had subscribed to....but almost.

While digging through my Held mail folder (I'm a SC email customer), I stumbled upon an innocent newsletter from a Swedish software developer. It was regarding the free photo gallery software named "JAlbum" and I long ago gave them my email address when I registered my software. I checked why the false positive had happened and found that the sending IP [212.247.178.236] is on the SCBL, and when I looked at the "Report History" for that IP, all I saw were some copies of the same newsletter which I received, which are clearly careless, false reports, the same kind I identified involving the OpenOffice.org newsletters.

Here's a Tracking URL on my copy of the newsletter (note: the spam has been redacted for my privacy because this report was cancelled):

http://www.spamcop.net/sc?id=z1219243342z4...898d26819753adz

So, I'll contact the Deputies using the normal address to call their attention to the false reporting of this benign host. But there's a bit of a complication. When I looked up the reason for the listing of the Swedish IP on the SCBL, I saw this:

Causes of listing

* System has sent mail to SpamCop spam traps in the past week (spam traps are secret, no reports or evidence are provided by SpamCop)

* SpamCop users have reported system as a source of spam less than 10 times in the past week

So, I did a little more research on the IP, because if it was actually "guilty" of sending to spam traps, you'd think that there's be some other "red flags" somewhere out there.

1. no hits on Google

2. no hits on Google Groups (where the abuse newsgroups are archived)

3. no other positives at the Robtex Multi-RBL check (http://www.robtex.com/rbls/212.247.178.236.html)

4. stats at SenderBase not alarming at all (http://www.senderbase.org/search?searchBy=ipaddress&searchString=212.247.178.236)

So, this adds to my existing suspicions that at least some of the addresses trusted by SC as "spam traps" were in previous use and were given out by their owners for things like software registrations. I've seen other obvious false attributions of spam trap hits before and this sure smells like one. JAlbum has been around for a long time and is used by millions of people. Also, they hardly ever send out any sort of "newsletters" or other communications, making them prime targets for this kind of false positive situation, in that SC reporters (and spam trap address owners) have forgotten that they once willingly supplied their addresses to this nice guy in Sweden, and this is his reward....being put on the SCBL!

I'll notify David Ekholm of this situation, but the harm has already been done, in that his attempt to contact his registered users has been disrupted by flaws in the SpamCop reporting/blocklisting system. You can challenge that if you'd like, but I was right about the OpenOffice situation and I'm convinced this is a similar situation.

DT

Share this post


Link to post
Share on other sites

212.247.178.236 = shutter.jalbum.net was put on our list because it's sending this mail to our spamtraps.

Date: Thu, 8 Feb 2007

From: David Ekholm <david[at]jalbum.net>

Reply-To: david[at]jalbum.net

Subject: JAlbum Newsletter - February

A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. Spamtraps are basically the nonexistent addresses at small vanity domains owned by us or our associates. Mail to nonexistent addresses is proof-positive that email addresses are being added to a mailing list without the address owner's permission.

- Don D'Minion - SpamCop Admin -

Share this post


Link to post
Share on other sites
212.247.178.236 = shutter.jalbum.net was put on our list because it's sending this mail to our spamtraps.

...*and* because of the bogus reports by SC users...it says so right in the system, Don.

A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. Spamtraps are basically the nonexistent addresses at small vanity domains owned by us or our associates. Mail to nonexistent addresses is proof-positive that email addresses are being added to a mailing list without the address owner's permission.

Didn't I already cover this issue? Here's what I just emailed back to Don, to David Ekholm, and to his IP host:

I challenge the assertion that *all* of the spamtraps submitted by

associates are "perfect." I know that they are supposed to be, in theory.

I went over this in both my message and my forum post. I recommend a very

close inspection of the supposed "spamtrap hits" and followup contact with

the owners of those addresses. Given what I know about this sender and the

parameters of the situation, this begs for that kind of treatment. Simply

waiting for the server to fall off the SCBL isn't adequate if there are

some "polluted" spamtrap addresses (and I assert that this is a likely

explanation).

DT

Share this post


Link to post
Share on other sites

It could also be that someone registered using a compromised spamtrap address with the malicious intent of getting him added to the SCBL. If he is not doing any kind of email confirmation, that is always a possibility. It might also be a sign that Don should check the traffic coming into that spamtrap and see if there are any other indications that the address might have been compromised somehow.

Share this post


Link to post
Share on other sites

It could also be that someone registered using a compromised spamtrap address with the malicious intent of getting him added to the SCBL. If he is not doing any kind of email confirmation, that is always a possibility. It might also be a sign that Don should check the traffic coming into that spamtrap and see if there are any other indications that the address might have been compromised somehow.

Or they are spamming :wub:

I agree, Don could check to see if it is multiple reporters and the spamtrap traffic.

It does raise a flag when there are spamtraps and manual reports

Share this post


Link to post
Share on other sites
I agree, Don could check to see if it is multiple reporters and the spamtrap traffic.

It *was* both factors, the Reporting System doesn't lie about things like that and you'll see an exact quote of what the Reporting System said about it approx. 8 hours ago. However, I now see that the IP is no longer listed, but since it came off the SCBL ahead of schedule, either someone used the self delisting option or a Deputy intervened. The SenderBase stats are off the charts now, because this server usually doesn't transmit much email and the JAlbum owner sent out his newsletter to a lot of addresses in the last 24 hours.

It does raise a flag when there are spamtraps and manual reports

Did I mention manual reports? The report history could be all "quick" or other kinds of less-than-manual reporting. There's only been one more report show up since I first posted this topic.

DT

Share this post


Link to post
Share on other sites
Did I mention manual reports? The report history could be all "quick" or other kinds of less-than-manual reporting. There's only been one more report show up since I first posted this topic.

I said it wrong I did mean "Human" submissions.

Share this post


Link to post
Share on other sites
I said it wrong I did mean "Human" submissions.

If an IP is Joe jobbing the world as this one is it deserved to be blocked

A SpamCop spamtrap address is taken by using a webbot/spider program to scraping email addresses mainly off websites and newsgroups. These email addresses have around 16 random characters in address. This is better than bank security and odds are it cannot be "guessed"

Emailers are again and again and again and again and again and again and again and again and again and again etc told that Double opt-in needs to be compulsory for email lists (not rocket science)

Simple' a once only confirmation email is sent to email addressee, ideally with a url link with log-on details to accept/confirm that that party wishes for email to be sent and ONLY from a email address stated This confirmation needs to be kept

Other problems happen when senders of mail don't send at least monthly and reciever forgets after a year or so

Senders of this email are responsible for providing an unsubscribe option in applicable mail, and for ensuring that the unsubscribe channel is functional

Share this post


Link to post
Share on other sites
Or they are spamming

Saying something repeatedly doesn't make it so, Merlyn. The JAlbum folks are NOT spamming. They are sending out a newletter to their large base of registered users, many who have forgotten that they registered. As for the spamtrap hit (and it seems to have only been one), I don't have enough information to do more than speculate how that might have happened. I'm waiting to hear from the owner/operator of JAlbum on that issue. All of the other evidence points to innocence on their part.

DT

Share this post


Link to post
Share on other sites

I remember another instance where a newsletter was sent so irregularly that many people forgot they signed up. I believe that 'best practices' includes regular mailings, partly so people remember and partly so that if email addresses have been changed, that the mailing list manager is aware. Some of those people who are reporting may, in fact, not be signed up, but have chosen the same address as someone who signed up, but changed their address.

The spam trap address is another problem. The most likely way to have a spam trap address is to not use a confirmation email.

And, if they are not using a confirmation email, then they are 'spamming' - at least not using good practices.

Miss Betsy

Share this post


Link to post
Share on other sites

Yes, it would be nice if everyone adhered to "best practices," but those practices have been a bit of a "moving target" in the last few years. The list of addresses used by this sender probably predates the general acceptance of some of those practices. Here's how he answered me in his public support forum:

Thanks for your help on this. Even though I can't understand the motivation for some people, I guess some people enter spam trap addresses or other people's email addresses when they register as they download JAlbum. We have made the registration fully optional and we have unsubscribe links, still this happen.

I followed up with a response suggesting that he work with the Deputies to see what he can do, short of dumping his entire list and starting over. He might need to do an "after-the-fact" confirmation, in which he sends out a message to the effect that the recipient will have to take an action to *remain* subscribed to his messages, and then remove all those addresses for which the action is not taken. However, in order to make sure that such a message could go out, he'd have to get some sort of "special dispensation" from the SC Deputies lest a spamtrap hit put his IP immediately on the SCBL, thus causing many people not to receive and/or see the message. But that's between him and SpamCop.

DT

Share this post


Link to post
Share on other sites
I followed up with a response suggesting that he work with the Deputies to see what he can do, short of dumping his entire list and starting over.
There is no need to contact the deputies. If he's reading his email, he has my email address. As you know, I copied him on the email I sent to you where I suggested that he could probably fix the problem by just deleting any new (unconfirmed) subscribers.

- Don -

Share this post


Link to post
Share on other sites

That's not my interpretation, Don. When you wrote this:

This appears to be a new thing. I don't see any previous reports about the email in the last 90 days. If David removes the new (unconfirmed) subscribers, he may be able to avoid sending more mail to our traps.

You didn't seem to be aware that JAlbum seldom sends out such broadcast emails. I think the last one that they sent was last Summer, so the 90-day window is meaningless, because they didn't send anything during that period of time. Furthermore, it's also possible that their IP address and/or server situation has changed since the prior broadcasts. The Senderbase page on the current IP shows that the first time it was detected sending messages was 2006-08-08. They very well could have been landing on the SCBL each time they've sent out one of these sporadic messages in the past, so yes, I think that the owner of JAlbum would be well advised to do as I've suggested and work with the Deputies on some sort of after-the-fact confirmation of his entire list. If he doesn't, then the next time he transmits an email like this, his IP will very likely land on the SCBL again, meaning that many recipients will have trouble receiving the information.

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

Just so there's no confusion about our trap addresses...

We do have a bunch of 16-character bait addresses, but the vast majority of our spamtraps are simply the nonexistent (never existed) addresses at small vanity domains owned by us or our associates around the world. If a spammer is using "guessing" software on a trap domain, pretty much everything he sends in that run will go straight to our trap system.

In this case, JAlbum is accepting forged subscriptions. Visitors are making up what they think are fake email addresses in order to get services from his web site without giving up their real email address.

Unfortunately for JAlbum, in this instance the domain in the forgery belongs to us and feeds our trap system.

SpamCop is typically just the tip of the iceberg in situations like this. There are likely hundreds, if not thousands, of other forged email addresses on the JAlbum list from people signing up their friends and enemies so they can download stuff without getting any email about it.

- Don -

Share this post


Link to post
Share on other sites
SpamCop is typically just the tip of the iceberg in situations like this. There are likely hundreds, if not thousands, of other forged email addresses on the JAlbum list from people signing up their friends and enemies so they can download stuff without getting any email about it.

Sounds perfectly logical, and I agree that he should be confirming those addresses. But given the situation he's in, the best thing for him to do, IMO, would be to send out a single "after-the-fact" confirmation message to his whole list, advising eveyone that wishes to remain on his list that they must take an affirmitve action to do so (either reply to the email or click on a link coded with their address). However, he won't be able to do this successfully unless you were to give him some sort of one-time "pass" on the spamtraps so that his IP wouldn't hit the SCBL part way through the delivery process, as it clearly did during his newsletter broadcast. I have no idea if you'd be open to such a negotiated process with him, which is why I've suggested that he get in touch with you.

Regarding the download/registration issue for JAlbum....it's entirely optional, so it doesn't make sense that people would be entering random/bogus addresses, because they're not being asked for and address in the first place. Take a look at his download page:

http://jalbum.net/download/

DT

Edited by DavidT

Share this post


Link to post
Share on other sites

That's not my interpretation, Don.

I don't know if you meant the part about bringing the deputies into this, but I am the one handling this issue and there is no need to bring the deputies into it.

You didn't seem to be aware that JAlbum seldom sends out such broadcast emails. I think the last one that they sent was last Summer, so the 90-day window is meaningless, because they didn't send anything during that period of time. Furthermore, it's also possible that their IP address and/or server situation has changed since the prior broadcasts.
By golly, you've got me there! All that is definitely possible, or even likely. I noticed in the text of the newsletter where JAlbum said it had been a long time since the last newsletter, but I figured he meant like two weeks or something.

unless you were to give him some sort of one-time "pass" on the spamtraps so that his IP wouldn't hit the SCBL part way through the delivery process
I might be inclined to help him out on a one-time basis if he wants to make some changes. However, you appear to be the only one concerned about this. I'm not so sure Mr. Ekholm gives a rats. I haven't heard from him yet. And if there was a problem in the past, nobody appears to have said anything about it.

I searched our email archives, which go back a long ways. There's nothing either to or from any address [at]jalbum.net, and the only mention of JAlbum is in the recent traffic between you and I.

I'm a bit surpised you dropped into this thread to respond
There were some things that needed clarification.

after having written this to me
It's always good to take a quote out of one of my emails and post it in public without my permission. It increases the chances of you never getting email from me again.

- Don -

Share this post


Link to post
Share on other sites

Just to emphasise the point, he should also be pro-actively checking that his unsubscribe option actually works as mentioned earlier as I frequently come across the situation where I receive email from a source that I assess as reputable where I can't remember ever subscribing, but might have done at some time in the past so I always give them the benefit of the doubt and unsubscribe. All too often the unwanted mail still keeps coming.

Edited by bobbear

Share this post


Link to post
Share on other sites

I remember once, a long time ago, before the forum even, that someone got on the scbl because the unsubscribe was broken - which he discovered after getting on the scbl. He got no sympathy from any of the other posters. Just like admins with a computer that is compromised get no sympathy. Maybe some practical advice, but hey, if spam is coming because of a breakdown, sorry, but we want your IP address on the scbl.

Miss Betsy

Share this post


Link to post
Share on other sites
However, you appear to be the only one concerned about this.

...and I was similarly the only one who brought up the issue with the SCBL listing of OpenOffice.org, which had *some* similarities to this situation, but also some differences.

I searched our email archives, which go back a long ways. There's nothing either to or from any address [at]jalbum.net, and the only mention of JAlbum is in the recent traffic between you and I.

Thanks for doing so.

It's always good to take a quote out of one of my emails and post it in public without my permission. It increases the chances of you never getting email from me again.

Sorry that bugs you so much. I removed the less informational of the two quotes above, if you'd care to remove it from your response....your choice.

Of course, in both of these recent cases, you've exposed my private email adress to the various SpamCop reporting system users without my permission, by replying not just to me and to the server admins involved, but also by CC'ing the report-related addresses (ie 123456789[at]reports.spamcop.net). I don't know those people, and they don't know me, but now they've got my personal email address on their computers, which may be infected zombies, for all we know. You could have sent them the information in a separate communication, yet you exposed my address instead.

DT

Share this post


Link to post
Share on other sites
Of course, in both of these recent cases, you've exposed my private email adress to the various SpamCop reporting system users without my permission, by replying not just to me and to the server admins involved, but also by CC'ing the report-related addresses (ie 123456789[at]reports.spamcop.net).
You don't get any sympathy from me. You're the one who complained, so you were the focus of my response, which included reaching out to involved users. Next time, leave the complaining to the server admin and I'll focus on him instead.

- Don -

Share this post


Link to post
Share on other sites
I remember once, a long time ago, before the forum even, that someone got on the scbl because the unsubscribe was broken - which he discovered after getting on the scbl. He got no sympathy from any of the other posters. Just like admins with a computer that is compromised get no sympathy. Maybe some practical advice, but hey, if spam is coming because of a breakdown, sorry, but we want your IP address on the scbl.
What I didn't add is if the mail keeps coming I report it of course - there is no excuse for a bogus or broken unsubscribe link - these things should be checked by the mailer by unsubscribing check emails.

Share this post


Link to post
Share on other sites
What I didn't add is if the mail keeps coming I report it of course - there is no excuse for a bogus or broken unsubscribe link - these things should be checked by the mailer by unsubscribing check emails.

Yeah... unsub links can be nice -- IF they work, or as long as they don't necessarily require you to log in. Monster, USAJobs, and other job sites tend to want you to log in to remove yourself from their mailing list.

I started a new job last month as the IT Manager for a small carpet company. The previous IT manager was subscribed to all sorts of things like Monster.com job alerts, USAJobs job alerts, Focus on the Family, 1800flowers, etc. Some of these are easy to get off of, but others are a real PITA if you don't have the login info!

I would say that one should be able to unsubscribe just by putting the email address into a box on a website and clicking "unsubscribe."

Share this post


Link to post
Share on other sites
I would say that one should be able to unsubscribe just by putting the email address into a box on a website and clicking "unsubscribe."

Marketing Manager Are you serious? That would make it too easy for someone to unsubscribe anyone else's e-mail address ..... we can't have that happening! No, no,no .. we have to make really, really sure that the person unsubscribing is really the same person that subscribed!!!!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×