Jump to content
Sign in to follow this  
elvey

[Resolved] Missing report?

Recommended Posts

It seems there isn't a forum for spamcop report recipients other than this thread, so posting here.

I recently received a legit report of a spam apparently sent from an IP in an IP range I monitor that also referenced an URL that resolves to an IP in that same range.

Oddly, I only received one report, for the domain. Is that normal? I do normally get reports for SUBE from that IP.

FYI, for admins: the report id:2372902008

It makes me wonder if some of the reports I should be getting are going missing.

I don't spam-filter reports from spamcop; e.g. I see one from the 1st that scored 19.

Actually, I just noticed it happened again, with report id:2378805404 !

If I have spamcop analyze the spam, it seems to accept the hand-off the Received lines indicate an blame another IP. I should hear back soon about whether logs show the spam went out from the IP range in question.

Share this post


Link to post
Share on other sites

It seems there isn't a forum for spamcop report recipients other than this thread, so posting here.

I recently received a legit report of a spam apparently sent from an IP in an IP range I monitor that also referenced an URL that resolves to an IP in that same range.

Oddly, I only received one report, for the domain. Is that normal? I do normally get reports for SUBE from that IP.

FYI, for admins: the report id:2372902008

It makes me wonder if some of the reports I should be getting are going missing.

I don't spam-filter reports from spamcop; e.g. I see one from the 1st that scored 19.

Actually, I just noticed it happened again, with report id:2378805404 !

If I have spamcop analyze the spam, it seems to accept the hand-off the Received lines indicate an blame another IP. I should hear back soon about whether logs show the spam went out from the IP range in question.

First, this is the forum for your query even though you are not necessarily on the blocklist at the moment.

I believe you should only receive 1 report, primarily for the source of the spam and may mention the URL issue as well. SpamCop does not want to overwhelm administrators with multiple emails per spam.

I would be interested in seeing the spamcop parse. The link in the report should get to one you could post the URL for. Your later lines seems to indicate the source email went elsewhere because that is what the parse determined.

Share this post


Link to post
Share on other sites

geeze .. if I can actually make a post ....

I'll toss in my disagreement about the placement of this post/query. It is in fact dealing with the "Reporting" side of the house. I'd move it, but .... again, I'm not even sure if I will be able to get this post made ....

On the other hand, there are no "Admins" here with access to a Report ID .... several FAQ entries deal with this, the "user to user support Forum" description, etc. etc. So what would be needed for any input 'here' would be a Tracking URL.

The Wiki has a page or two about "Types of Reports" that may or may not answer the actual question ....

(dang .... something like 17 tries to post this .. and now I want to edit it ...)

Confusing, over a half-hour trying to pull up a few Wiki pages .... and cannot find the one that was in my head, so ... change the reference to a FAQ page 'here' .... SpamCop Report Types

Share this post


Link to post
Share on other sites

I am with Steven here. A question about /getting/ reports is more likely to be of interest to those interested in blocklist issues rather than reporting issues. The parse was just a tool to discover what was going on.

IIUC, your last remarks about the results of the parse seem to indicate that this time one report went to the 'source' and the other report went to you as the spamvertised site even though the way you read the headers, the email did come from your IP. If you post a Tracking URL (you can cancel the report), then perhaps others can show you why the headers do not show your IP as the source.

IIWY, I would be looking for ways to stop the spam from leaving that IP address. But maybe there is a good reason why you are monitoring the reports.

Miss Betsy

Share this post


Link to post
Share on other sites

I am with Steven here. A question about /getting/ reports is more likely to be of interest to those interested in blocklist issues rather than reporting issues. The parse was just a tool to discover what was going on.

IIUC, your last remarks about the results of the parse seem to indicate that this time one report went to the 'source' and the other report went to you as the spamvertised site even though the way you read the headers, the email did come from your IP. If you post a Tracking URL (you can cancel the report), then perhaps others can show you why the headers do not show your IP as the source.

IIWY, I would be looking for ways to stop the spam from leaving that IP address. But maybe there is a good reason why you are monitoring the reports.

Miss Betsy

You understand correctly (except I'm technically a 3rd-party report recipient).

Ok, turns out nothing is wrong; spamcop is working correctly. The spam was indeed sent through the system at the IP range I monitor (let's call it "FM") and spamcop blamed the IP of the machine that submitted it to FM via (authenticated) SMTP, because spamcop in this case accepted the Received header line FM had added.

I was thrown because abuse of FM via (authenticated) SMTP is very rare. Thanks, folks.

And I'll be sure to post a tracking URL next time I have a question/issue, so more folks here can look/help.

As for "looking for ways to stop the spam from leaving that IP address": for FM, this has to a great extent come down to figuring out how to detect credit card fraud, such as with FraudCall.

Share this post


Link to post
Share on other sites

Thanks for coming back and indicating the resolution!

I don't remember if I mentioned that web hosting and server administration are not very comprehensible to me since I have no experience with either. You are obviously are a responsible person taking such measures as you can to prevent spam. However, isn't there any way to measure quantity of email sent to give you a heads up that something might be going on? Perhaps it is because of your 3rd party status that you can't do that.

I sure hope that you never have to post a tracking url, but if you do, I hope that the experienced posters are around to help figure it out!

Miss Betsy

Share this post


Link to post
Share on other sites

Rate limiting and outgoing spam detection are already in place. They're quite effective; I estimate the mail stream from FM is about 99.9% ham. But FM has been the subject of a header-forging joe-job attack... I'll write more soon.

Share this post


Link to post
Share on other sites
<snip>

Ok, turns out nothing is wrong; spamcop is working correctly. The spam was indeed sent through the system at the IP range I monitor (let's call it "FM") and spamcop blamed the IP of the machine that submitted it to FM via (authenticated) SMTP, because spamcop in this case accepted the Received header line FM had added.

I was thrown because abuse of FM via (authenticated) SMTP is very rare. Thanks, folks.

<snip>

...As Miss Betsy remarked, above, in linear post #6, thanks for letting us know! Based on this, I am marking this Forum thread as "Resolved."

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×