Jump to content
Sign in to follow this  
amanuensis

Request to mung email prefix (userID)

Recommended Posts

Some spam arrives with the following in the To: line

abcde <abcde[at]spamxxx.con>

Where clearly the "abcde" gives away the user's name or prefix.

Sometimes that prefix (or userid) is a random name; but when it's a user's actual ID, it is almost equivalent of not munging the address, since the spammer probably knows it's a spamcop address from other data.

Would it be too much to have the parser for the munging also remove the prefix before the <....> ?

At least in the case where that ID is identical to the user's email address prefix?

Just asking.

Share this post


Link to post
Share on other sites

...Since this question seems to be more along the lines of "possible features / changes to the codebase" than "help users with reporting spam using the SpamCop Parsing and Reporting Service," I have moved it from the SpamCop Reporting Help forum to the New Feature Request Forum.

Share this post


Link to post
Share on other sites

Until the email ID is removed from a 'munged" report, I will be canceling any spam report that bears my email ID or prefix.

This will probably be about 40% of my email submissions, which will let these spammers go without a report.

This will also mean that I will be deleting rather than quick reporting any spam I get.

If I cannot check each and every spam, I will not report it through spamcop unless they remove my name from their so-called munged reports. I am just canceling any report that contains by name.

I would hope everyone would do the same until this bug is fixed

Edited by amanuensis

Share this post


Link to post
Share on other sites
Until the email ID is removed from a 'munged" report, I will be canceling any spam report that bears my email ID or prefix.

This will probably be about 40% of my email submissions, which will let these spammers go without a report.

<snip>

...Not really. It means that SpamCop will not be getting your reports. That is not the ideal situation but it's up to you. As long as it is not your report(s) that put an IP address over the threshold to put them in the SCBL, the consequences are nil.
I would hope everyone would do the same until this bug is fixed
...Thank you but I decline -- let 'em send me more spam (great, more spam for me to report to SpamCop!) or try to retaliate.... :) <g>

Share this post


Link to post
Share on other sites

...Not really. It means that SpamCop will not be getting your reports. That is not the ideal situation but it's up to you. As long as it is not your report(s) that put an IP address over the threshold to put them in the SCBL, the consequences are nil....Thank you but I decline -- let 'em send me more spam (great, more spam for me to report to SpamCop!) or try to retaliate.... :) <g>

Then why mung at all? I assume you do not, that you send all your reports "in the clear"

Many prefer munging, and until my prefix is not used in a report, I will be canceling these particular reports.

If SC doesn't care, neither do I.

Edited by amanuensis

Share this post


Link to post
Share on other sites
...Many prefer munging, and until my prefix is not used in a report, I will be canceling these particular reports.

If SC doesn't care, neither do I.

Those who get a lot of spam quite possibly have different "flavors" of spam, and they change. Your 40% incidence is very, very high compared to what I see. I get different flavors at work and at home, I can only (conveniently) check my home flavor at the moment and found only one instance in 103 before I ran out of puff. All I can say with confidence is that my occurrences seem to be comparatively rare. And it's my recollection the same applies to the stuff at work.

Not wanting to spook you or anything, there are many, many places where spammers could inject traces if they wanted to, including those apparently random "prefixes". These is no persuasive evidence either way. I hasten to admit that the occasional broken spam I see has, indeed, included unexecuted code indicating a random selection from a list is made for that part. A better way, from the spammer's point of view, would simply be to code the From: (which, somewhat controvertially and last I heard, is never munged anyway, even if it has your *whole* email address in it). Makes me think they're not really trying to trace, certainly not in any obvious way.

Notwithstanding all of that and as you say, it would be logical to extend the munging in such an obvious way as you ask but I think "doesn't care" is an unduly bleak interpretation of what SC's regard for the proposition might be when and if it is considered. I can see no reason why your request couldn't be obliged, when priorities permit. Incidentally I send munged SC reports from home and manual, unmunged reports from work. I have just about convinced myself to allow (unmunged) SC reports to those who don't accept munged reports. Many reporters don't munge at all and appear to suffer no bad consequences. But I am very aware of the "flavors" thing. No-one could be sure all of "your" spammers are as indifferent to challenge and or cleaning lists as the greater majority appear to be.

Bottom line, FWIW I think your request has merit and please don't be disconsolate if not everyone shares your urgent concern. Despite those of contrary inclination (or indifference), I'm sure there are many other reporters who would like "full munging" too.

Share this post


Link to post
Share on other sites

Those who get a lot of spam quite possibly have different "flavors" of spam, and they change. Your 40% incidence is very, very high compared to what I see. I get different flavors at work and at home, I can only (conveniently) check my home flavor at the moment and found only one instance in 103 before I ran out of puff. All I can say with confidence is that my occurrences seem to be comparatively rare. And it's my recollection the same applies to the stuff at work.

Not wanting to spook you or anything, there are many, many places where spammers could inject traces if they wanted to, including those apparently random "prefixes". These is no persuasive evidence either way. I hasten to admit that the occasional broken spam I see has, indeed, included unexecuted code indicating a random selection from a list is made for that part. A better way, from the spammer's point of view, would simply be to code the From: (which, somewhat controvertially and last I heard, is never munged anyway, even if it has your *whole* email address in it). Makes me think they're not really trying to trace, certainly not in any obvious way.

Notwithstanding all of that and as you say, it would be logical to extend the munging in such an obvious way as you ask but I think "doesn't care" is an unduly bleak interpretation of what SC's regard for the proposition might be when and if it is considered. I can see no reason why your request couldn't be obliged, when priorities permit. Incidentally I send munged SC reports from home and manual, unmunged reports from work. I have just about convinced myself to allow (unmunged) SC reports to those who don't accept munged reports. Many reporters don't munge at all and appear to suffer no bad consequences. But I am very aware of the "flavors" thing. No-one could be sure all of "your" spammers are as indifferent to challenge and or cleaning lists as the greater majority appear to be.

Bottom line, FWIW I think your request has merit and please don't be disconsolate if not everyone shares your urgent concern. Despite those of contrary inclination (or indifference), I'm sure there are many other reporters who would like "full munging" too.

I use spamcop primarily to parse my email and secondly to report spam. I am not one who uses SC to "attract" and "punish" spammers, although I do like it. :) I am not an "activist" so to speak.

Still, if SC does not consider a more careful parsing of the "To:" in an email, I will start moving my main email address from the current SC to another hidden address. I never considered my SC email address to be anything other than a spam-free address, which it is, in the main. But if SC doesn't keep it hidden, then eventually I will not be using their system as my primary email address, but rather another one which receives little spam.

This is not to SC's advantage, since they want lots of spam, for financial reasons, but nevertheless, it is certainly not in my favor.

Share this post


Link to post
Share on other sites

Since no employee of spamcop, to my knowledge (not to my best knowledge since I haven't looked at all the posts in this particular forum, the New Features Forum), has ever replied to a post here, the best course is to email the deputies and JT, the owner of spamcop email, directly with your opinion. (you can find out how to contact them somewhere in the FAQ)

That is no indication, of course, that they do not read the topics in the New Features. However, if you want management to know, then posting here is not guaranteed to be reaching them.

The spamcop forums are for users to exchange views and help one another with using spamcop email and reporting.

IMHO, your viewpoint is reasonable. Whether or not, the management will is anyone's guess. (or can comply - the code for the parser is very complicated and it is not easy to mung all instances of an address, I expect, without causing problems of one kind or another)

Miss Betsy

Share this post


Link to post
Share on other sites

Still, if SC does not consider a more careful parsing of the "To:" in an email

I have not seen any evidence that showing the username is exposing anything. Most spammers these days are not anywhere near the source where the spam is being sent. They are using groups of comprimised end user machines which are not revealing their identities in any simple manner.

My reason for reporting at this point is to inform the ISP's of these comprimised machines so they can be removed and make the spammers world a bit smaller. If we could get people to protect their machines from the malware out there and to clean up their machines, spammers would need to find a new way to spread their mesage.

Share this post


Link to post
Share on other sites

I would like to add that this "prefix" is sometimes replaced with an "x" and other times it is left alone. This might be a bug in the parser rather than a requested feature. The fact that it is unpredictable makes me wonder about it.

Share this post


Link to post
Share on other sites

I would like to add that this "prefix" is sometimes replaced with an "x" and other times it is left alone. This might be a bug in the parser rather than a requested feature. The fact that it is unpredictable makes me wonder about it.

Is it just the prefix, or the name or full email address? I have never noticed a prefix being replaced (not to say it has not happened).

Share this post


Link to post
Share on other sites

Is it just the prefix, or the name or full email address? I have never noticed a prefix being replaced (not to say it has not happened).

It's just the prefix, if that's the proper word. Everything before the [at] sign. But it appears outside the actual email address as a nickname.

Example:

To: Henneryxx <henneryxx[at]spamcop.con>

It is that first Henneryxx that is sometimes replaced by an "x" and other times left untouched. i think it's a bug.

The actual email address is always munged properly. That's not my point. It's that "nickname" which corresponds to the prefix that I am concerned about.

I would estimate that about half the time it's munged with an "x" and the other half it's left alone.

Again, I don't mind *except* when it's my real prefix. Usually it's a nonsense name.

Since the abuse desk knows it's from spamcop, it's trivial to get my real full address, hence making the munging moot in that case. Not all abuse desks are run by nice people, and sometimes the spam is actually reported back to the spammer, either directly or from the abuse desk.

I assume that I can replace the prefix with an "x" since SC does it half the time, but it's a nuisance and it's a lot easier to simple cancel the report in these cases.

Edited by amanuensis

Share this post


Link to post
Share on other sites
Since no employee of spamcop, to my knowledge (not to my best knowledge since I haven't looked at all the posts in this particular forum, the New Features Forum), has ever replied to a post here, the best course is to email the deputies and JT, the owner of spamcop email, directly with your opinion. (you can find out how to contact them somewhere in the FAQ)

I looked through the FAQs but did not find any direct way to contact JT. In fact, I seemed to get into a loop.

Can you or someone point me to the FAQ that has that contact information?

Thanks,

Amanu...

Share this post


Link to post
Share on other sites
I looked through the FAQs but did not find any direct way to contact JT. In fact, I seemed to get into a loop.

You got lost in a loop in a FAQ somewhere ...??? Without specifics, there is no way one could fix this, if in fact you were talking about any of the FAQ items developed "here"

Can you or someone point me to the FAQ that has that contact information?

There's the original/official FAQ that caused all the other forms/versions to be created 'here'

The top of this very page has two links (operating a but differently for browser operation) to a single-page-access version - a response to the complaints about the original/official FAQ

There's the red announcement thing that contains data and links

There's the Wiki, which I will use as a provided link; Where to get Help

The next issue is ... JT provides the hosting/servers for the newsgroups, this Forum, and e-mail accounts. The issue you're raising is a Reporting issue, which is all handled by the IronPort/SpamCop-paid staff on the west-coast U.S. hardware. So 'bothering' JT on this issue would be wasting several folks' time.

Getting to the problem that you couldn't find the data would be something better worked 'here' now ...

Share this post


Link to post
Share on other sites

Funny, I could've sworn that the deputies' addresses were all over the place, but I couldn't find them looking in the FAQ (very quickly). When I used the search, the wiki item that Wazoo quoted was what was first in line.

I didn't look at pinned items though.

Seems like the contact form was the preferred method, but I didn't find that either.

Some of us have the gift of being able to find something in the FAQ and some of us don't. When I get to heaven I will sing and dance and find things in FAQs!

Miss Betsy

Share this post


Link to post
Share on other sites

Funny, I could've sworn that the deputies' addresses were all over the place, but I couldn't find them looking in the FAQ (very quickly). When I used the search, the wiki item that Wazoo quoted was what was first in line.

I didn't look at pinned items though.

Seems like the contact form was the preferred method, but I didn't find that either.

Some of us have the gift of being able to find something in the FAQ and some of us don't. When I get to heaven I will sing and dance and find things in FAQs!

Miss Betsy

Well at least I don't feel so silly. Thanks for the effort.

Maybe someone else can point out the area for the email address or the contact sheet for someone at the top.

Edited by amanuensis

Share this post


Link to post
Share on other sites
...Maybe someone else can point out the area for the email address or the contact sheet for someone at the top.
Since SC needs to be able to deflect criticism that it is "uncontactable", I'm staying with the official FAQ path:

SpamCop

Help Options:

SpamCop FAQ

General information about SpamCop

How can I contact a SpamCop representative?

[Yep, that last one is a "loop" in the sense that anyone wanting Email service support is directed back to the forum or to the NGs - no actual contact address or linked form, the contact form being on the previous page and clearly marked "To contact us for any other reason ..." ie, AFTER the diverting link for Email service support.]

[Further addition: So, the pinned announcement How To Get Official SpamCop.Net Customer Support is a fairly obvious/evident source- or at least an upper level and clearly designated one. Noting it is buried under other announcements now. Which brings us back to the Wiki and the red announcement and the single-entry portal.]

Share this post


Link to post
Share on other sites

I still think that the 'red' announcement should say 'Look Here First!' - that covers both functions - to alert regulars to look at it for updates on current problems and to attract attention of newbies.

Miss Betsy

Share this post


Link to post
Share on other sites
I still think that the 'red' announcement should say 'Look Here First!' - that covers both functions - to alert regulars to look at it for updates on current problems and to attract attention of newbies.

Heh! After all my "time off" ... do you have any idea how long it's going to take to remember how/where I stuck that existing code in to begin with? <g> Technically, this thing should have been running on version 2.2.1 a long time ago, but ..... a bit hard to get back into the 'fun' of things for some reason ....

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×