Clydesdale

Does SPAMmer automatic removal time need to be lengthened?


Hello,

I apologize if this has been discussed already. I did a **quick** search and couldn't find anything.

I send pretty much every spam that I get to SpamCop and have been looking at the SpamCop Blocking List, then SenderBase report, for most of the spam that I report. I may be completely wrong here but it seems to me that there are quite a few spam houses that have figured out how to completely bypass SpamCop. They simply rotate through a block of spam server IP addresses, changing to the new address when the old one is being blocked. This may not be proof but here's an example. I reported/looked up IP 58.49.133.30 (reporting addresses = anti-spam[at]ns.chinanet.cn.net, postmaster[at]wh.hb.cn, spam_hb[at]public.wh.hb.cn, and abuse_hb[at]public.wh.hb.cn). Then I check the BlockList. The BlockList result is:

"58.49.133.30 not listed in bl.spamcop.net"

So I do a SenderBase lookup and get the below:

| address | hostname | DNS Verified | Daily Magnitude | Monthly Magnitude |
|---|---|---|---|---|
| 125.113.143.216 | 216.143.113.125.broad.jh.zj.dynamic.163data.com.cn | Y | 0.0 | 4.1 |
| 218.85.57.97 | 97.57.85.218.broad.fz.fj.dynamic.163data.com.cn | | 0.0 | 3.9 |
| 61.177.186.61 | 61.186.177.61.broad.yz.js.dynamic.163data.com.cn | | 0.0 | 3.8 |
| 218.85.28.202 | 202.28.85.218.broad.fz.fj.dynamic.163data.com.cn | Y | 0.0 | 3.8 |
| 61.177.183.146 | 146.183.177.61.broad.yz.js.dynamic.163data.com.cn | | 4.5 | 3.7 |
| 59.61.128.119 | 119.128.61.59.broad.fz.fj.dynamic.163data.com.cn | | 0.0 | 3.7 |
| 222.64.94.36 | 36.94.64.222.broad.xw.sh.dynamic.163data.com.cn | | 0.0 | 3.7 |
| 59.56.195.122 | 122.195.56.59.broad.qz.fj.dynamic.163data.com.cn | Y | 0.0 | 3.6 |
| 59.61.215.242 | 242.215.61.59.broad.qz.fj.dynamic.163data.com.cn | Y | 0.0 | 3.6 |
| 221.225.151.2 | 2.151.225.221.broad.sz.js.dynamic.163data.com.cn | | 0.0 | 3.6 |
| 221.225.148.105 | 105.148.225.221.broad.sz.js.dynamic.163data.com.cn | | 0.0 | 3.6 |
| 222.64.32.159 | 159.32.64.222.broad.xw.sh.dynamic.163data.com.cn | | 3.1 | 3.6 |
| 221.224.200.201 | 201.200.224.221.broad.sz.js.dynamic.163data.com.cn | | 0.0 | 3.6 |
| 221.234.208.39 | 39.208.234.221.broad.wh.hb.dynamic.163data.com.cn | | 0.0 | 3.6 |
| 218.80.172.20 | 20.172.80.218.broad.xw.sh.dynamic.163data.com.cn | | 0.0 | 3.5 |
| 222.184.102.18 | 18.102.184.222.broad.ha.js.dynamic.163data.com.cn | | 4.2 | 3.5 |
| 222.187.181.128 | 128.181.187.222.broad.xz.js.dynamic.163data.com.cn | | 0.0 | 3.5 |
| 125.78.74.234 | 234.74.78.125.broad.qz.fj.dynamic.163data.com.cn | Y | 4.4 | 3.5 |
| 218.85.56.11 | 11.56.85.218.broad.fz.fj.dynamic.163data.com.cn | | 0.0 | 3.5 |
| 59.61.215.186 | 186.215.61.59.broad.qz.fj.dynamic.163data.com.cn | Y | 3.3 | 3.5 |
| ... | | | | |

(It goes on and on)

Since the average Monthly Magnitude of all of these servers is between 3.5 and 3.6 yet many have a Daily Magnitude of 0.0 or 4.X, it looks like they are simply bypassing SpamCop's algorithm.

Is this the case? I want to keep reporting spam but am starting to feel like the professional spam houses have defeated SpamCop's methods. Please tell me that this isn't true, or that SpamCop will lengthen the time for automatic removal so that spam houses can't so easily bypass SpamCop's removal algorithm.

Sincerely,

Steve

Edited by Clydesdale
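The BlockList check quoted in the post is a plain DNSBL query: the four octets of the address are reversed and looked up as a hostname under bl.spamcop.net, and "not listed" corresponds to the name not existing (NXDOMAIN). The following is an added example, not code from SpamCop or from the poster; the helper names are my own, and it assumes a resolver that returns NXDOMAIN honestly rather than rewriting it, and that a listed address answers with an address in 127.0.0.0/8 (SpamCop uses 127.0.0.2).

```python
import ipaddress
import socket
from typing import Optional

# Zone the post queried; a listed address answers inside 127.0.0.0/8.
SCBL_ZONE = "bl.spamcop.net"
DNSBL_ANSWER_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = SCBL_ZONE) -> str:
    """Build the DNSBL lookup name: the IPv4 octets reversed, then the zone.

    58.49.133.30 becomes 30.133.49.58.bl.spamcop.net.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def interpret_dnsbl_answer(answer: Optional[str]) -> str:
    """Classify a resolver answer for a DNSBL name.

    None          -> NXDOMAIN, the "not listed in bl.spamcop.net" result from the post
    127.x.y.z     -> listed (the exact code carries the list's reason, if it has one)
    anything else -> not a DNSBL verdict, e.g. a resolver that rewrites NXDOMAIN
    """
    if answer is None:
        return "not listed"
    try:
        if ipaddress.IPv4Address(answer) in DNSBL_ANSWER_RANGE:
            return "listed"
    except ValueError:
        pass
    return "unexpected answer"


def check_listing(ip: str, zone: str = SCBL_ZONE) -> str:
    """Live lookup (needs network and DNS); wraps the two pure helpers above."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror:  # NXDOMAIN and other resolution failures
        answer = None
    return interpret_dnsbl_answer(answer)


if __name__ == "__main__":
    # The address from the post; the live answer depends on the list at query time.
    print(dnsbl_query_name("58.49.133.30"))
    print("58.49.133.30:", check_listing("58.49.133.30"))
```

The "unexpected answer" branch matters in practice: some resolvers and captive portals answer every unknown name with a public address, which a naive check would read as "listed".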


Your query actually addresses a whole lot of different things. The majority are addressed within the SpamCop FAQ with the Dictionary, Glossary, and the Wiki also providing definitions of terminology in use.

What gets listed is based on a mathematical formula, with a couple of 'rules' involved ...

All of your listed IP addresses are 'named' with the word 'dynamic' ... in general, this suggests that these are of the "Dial Up List" type of address blocks ... specifically suggesting that these IP addresses are more than likely showing traffic from compromised 'home' computers ... search for bot-net for example, a much discussed scenario for a number of years now.

SenderBase generates and provides their data based on their policies, procedures, and collected statistics. Look a bit harder and you'll see that even I have run into issues with some of that data ... and have not been able to have my questions answered.

SpamCop.net uses some of that SenderBase data, generally using it to generate, manage the "reputation" of an IP address, which is a factor in the above mentioned math formula.

The FAQs/Wiki are provided so folks don't have to re-type this stuff over and over.

I disagree with this post being a "New Feature Request" ... especially when you note that you've not done the initial research on how things work at present. So with this post, this Topic is being moved to the Forum area that specifically deals with the SpamCopDNSBL .....


Thanks for the quick response. And, yes, I am a novice at spam, not knowing all of the terms, etc. This is why I still didn't have an answer after looking through the FAQs, and really didn't know where to look. I'll read them again. Hopefully I'll be able to get out of them how one particular URL (many, actually, it seems) can have so many spam servers yet rarely, if ever, be listed in the BlockList. I'll see what I can find.

Thanks again,

Steve

> Is this the case? I want to keep reporting spam but am starting to feel like the professional spam houses have defeated SpamCop's methods. Please tell me that this isn't true, or that SpamCop will lengthen the time for automatic removal so that spam houses can't so easily bypass SpamCop's removal algorithm.

There are different blocklists for different purposes. The spamcop bl is more aggressive in listing IP addresses, but also delists automatically when the problem is fixed. For someone who makes a mistake or who has a user who gets infected, that's good news - both in the notification and the delisting when the spam stops.

Other blocklists don't list as quickly, but once on the list, it is much more difficult to get off. Spamcop has tinkered with the algorithm, I think, so that the more times an IP address is listed, the longer it stays on the bl. However, since there are other bls that list the ones that are chronic spam spewers, keeping them on the spamcop bl is not a high priority since most server admins use a combination of lists to filter out spam.

HTH,

Miss Betsy

> I send pretty much every spam that I get to SpamCop and have been looking at the SpamCop Blocking List, then SenderBase report, for most of the spam that I report.

Before you get a letter from the lawyers at a certain canned meat firm, may I point out that SPAM is chopped tinned pork and spam is unsolicited commercial email.

As Wazoo says, the IPs you list are mostly dynamic, indicating cluelessness rather than malice.

> As Wazoo says, the IPs you list are mostly dynamic, indicating cluelessness rather than malice.

I obviously made a mistake by only posting SenderBase results from one IP address that I reported. I should have posted ten or twenty so that some were not dynamic and the discussion wouldn't be focused on that.

So you think that all spam (little letters to once again try to not side track the discussion) houses are simply clueless? About a year ago, when the Blue Frog stuff was going on, a link to a spammer bulletin board was posted in a Blue Frog discussion (not on this site, I believe on some kind of security site). The posts were kind of fascinating, people trying to sell their e-mail lists, etc. Then there were the ones who stated that they rotated through IP addresses to avoid being blocked by sites like SpamCop. So the spammers claim that this is what they do but we actually know that the sites are all just clueless and the spammers are lying?

> As Wazoo says, the IPs you list are mostly dynamic, indicating cluelessness rather than malice.
>
> <snip>
>
> So you think that all spam (little letters to once again try to not side track the discussion) houses are simply clueless?
>
> <snip>

...I believe I can safely speak for both Wazoo and Derek if I say, "no."

> So you think that all spam (little letters to once again try to not side track the discussion) houses are simply clueless?
>
> <snip>
>
> ...I believe I can safely speak for both Wazoo and Derek if I say, "no."

Steve took the words out of my mouth ...err... keyboard.

After a few years hanging out here I would say that ISPs fall into three categories:

White-hats. They hunt and destroy any intrusions into their systems either 'in-house' or on their customers' machines. If the customers don't 'get a clue' they pull the plug. They positively welcome the 'heads-up' that a SpamCop report provides.

Black-hats. They welcome spammers with open arms and take their money with a thank-you. They don't give a sh** about SpamCop or anyone else and, yes, rotate their IPs to keep the spam flowing.

Pointy-hats with a large 'D'. No malice, just fscking clueless. We've LARTed a few of those in our time! Nothing to do with size, either, some of the world's biggest providers don't correctly stamp the injection point in their headers and so end up with their servers listed. They're big, why should anyone tell them how to run their servers, they should be whitelisted, yadda, yadda, yadda...


The FAQ / Wiki page you seem to have problems finding can be found 'here';

SpamCop FAQ - links at the top of this very page

Scroll/jump down to;

SpamCop Blocking List Service

How do I configure my mailserver to reject mail based on the blocklist?

What is on the list?

^^^^^^^^^^^^

which takes you to the original/official FAQ

The Wiki page is at What is the SpamCop Blocking List (SCBL)?

Both address the math formula used in the determination of a listing status. Your spam report is "one" count in that formula structure.

Scenario: a compromised computer sitting at Grandma's house .. sending out hundreds and hundreds of spam e-mails an hour. SenderBase traffic collection 'sees' this traffic (see the IronPort/SenderBase pages for 'how') and thusly generates the "traffic seen" numbers. One of these spam e-mails hits your account, you report it. That makes a single complaint lodged against a traffic stream of thousands of e-mails. The math doesn't yet work for a SpamCopDNSBL listing. Way back when, there was a tipping point at 2% .. now the calculation is much more complicated .. but the old 2% number at least gives you something to look at and ponder. To get the results you want, you need to figure out how to get more spam recipients to report their spam, rather than the "just hit delete", "add it to the Delete filter", or even worse, "follow the links and spend some money" ... (and this is ignoring just how much of that spam may actually never end up anywhere, based on the forged addresses involved not actually existing) ....

Your mentioned phrase of "rotating IP addresses" actually has multiple definitions, conditions. One mode is as you suggest, working one IP address for a while, switching to another for the next spam spew run. The other is rotating even more data, DNS servers, web-site hosts, etc. .... All of this also points back to the previously mentioned problem area of compromised computers. As above, Grandma probably has no clue that anything is happening on her computer, other than the typical complaint ... "this thing sure is running slow ...."

In this example, Grandma's computer shouldn't be sending e-mail anyway, so lots of ISPs would probably reject her (system's) spam spew anyway, as her IP address would probably already be identified as being in a DUL (Dial Up List) type BL (again, pointing to the 'dynamic' data in your provided list) .. [Grandma's 'real' e-mail would be handled by her ISP's e-mail server]

What happens at the involved ISP when they receive a report about spam coming from Grandma's computer is hard to say. As above, some act on it immediately, others pay it no mind, as they don't want to tick off Grandma and kiss her money goodbye ....
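Two things in this thread lend themselves to a small worked script: the SenderBase rows the original poster pasted (with the optional "DNS Verified" column that makes them awkward to split on whitespace), and the old "one report against thousands of messages" arithmetic behind the 2% tipping point mentioned just above. The following is an added example, not code from SpamCop, SenderBase or any poster; the sample rows are constructed (two copied from the table earlier in the thread, one made-up static host on a TEST-NET address), the 2% figure is used only as the illustrative number the post gives, not as the current SCBL formula, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout of the SenderBase table earlier in this thread:
# address, hostname, optional "Y" (DNS Verified), daily magnitude, monthly magnitude.
# Rows 1-2 are copied from that table; row 3 is a made-up non-dynamic host for contrast.
SAMPLE_ROWS = """\
address hostname DNS Verified Daily Magnitude Monthly Magnitude
125.113.143.216 216.143.113.125.broad.jh.zj.dynamic.163data.com.cn Y 0.0 4.1
61.177.183.146 146.183.177.61.broad.yz.js.dynamic.163data.com.cn 4.5 3.7
198.51.100.7 mail.example.invalid Y 2.0 2.1
.
(It goes on and on)
"""

ROW_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"   # IPv4 address
    r"(?P<host>\S+)\s+"                      # reverse-DNS hostname
    r"(?:(?P<verified>Y)\s+)?"               # "Y" appears only when DNS Verified
    r"(?P<daily>\d+\.\d)\s+"                 # daily magnitude
    r"(?P<monthly>\d+\.\d)$"                 # monthly magnitude
)


@dataclass
class SenderBaseRow:
    ip: str
    host: str
    dns_verified: bool
    daily_magnitude: float
    monthly_magnitude: float

    @property
    def looks_dynamic(self) -> bool:
        # Wazoo's point: 'dynamic' in the rDNS name suggests a DUL-type address block,
        # i.e. most likely a compromised home machine rather than a mail server.
        return "dynamic" in self.host.lower()


def parse_rows(text: str) -> List[SenderBaseRow]:
    """Parse pasted SenderBase rows; the header and filler lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rows.append(SenderBaseRow(
            ip=m.group("ip"),
            host=m.group("host"),
            dns_verified=m.group("verified") is not None,
            daily_magnitude=float(m.group("daily")),
            monthly_magnitude=float(m.group("monthly")),
        ))
    return rows


def quiet_today(rows: List[SenderBaseRow]) -> List[str]:
    """IPs with a monthly history but no traffic seen today (daily magnitude 0.0)."""
    return [r.ip for r in rows if r.daily_magnitude == 0.0 and r.monthly_magnitude > 0.0]


def passes_old_tipping_point(reports: int, messages_seen: int, threshold: float = 0.02) -> bool:
    """The old '2%' rule of thumb from the post: reports as a share of traffic seen.

    Illustrative only; the post says the current calculation is more complicated.
    """
    if messages_seen <= 0:
        return False
    return reports / messages_seen >= threshold


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for r in rows:
        tag = "dynamic" if r.looks_dynamic else "static "
        print(f"{r.ip:16} {tag} daily={r.daily_magnitude} monthly={r.monthly_magnitude}")
    print("quiet today:", quiet_today(rows))
    # Grandma's box: one report lodged against a stream of a thousand messages
    print("1 report / 1000 seen lists?", passes_old_tipping_point(1, 1000))
```

Run it and the first sample row comes back as dynamic and quiet today, which is exactly the pattern the original poster read as "rotation": a host with a month of history and nothing seen on the day of the lookup. The 2% check then shows why a single report against Grandma's thousand-message stream does not move the needle.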


Great discussion, all. Thanks for all of the info. And thanks for the patience with putting up with me being relatively clueless when it comes to this stuff. I was getting frustrated, having heard that some spammers rotate their IP numbers, then thinking that I was seeing that confirmed when I did SenderBase lookups on spam that I report.

Now for me to side-track (hopefully not already thoroughly discussed). What is it that I need to be sure that I am not one of the people with a 'bot' on his computer sending spam? If discussed already a link will be great. I use ZoneAlarm firewall and AntiVir virus protection as well as Microsoft's Defender. I have a tenant in my garage apartment who leaves his computer on 24/7, is connected to my FIOS via secure wireless, and I have no idea what virus protection, etc., he has.

Any preferred programs for detecting the problems? Any free?
