Tracking sender of reports

[darkangel]

Hi,

I'm worried about being identified as the reporter of spam (as reports are commonly sent to the spammer him/herself, if I understand correctly).

Three methods I've noted:

1. Best described with an example:

Received: from x ([x.x.x.x]:18155 "EHLO x"

smtp-auth: <none> TLS-CIPHER: <none> TLS-PEER-CN1: <none>)

by [x.x.x.x] with ESMTP id x (ORCPT

<rfc822;my_address%yahoo.com[at]c.mx.mail.yahoo.com>);

Sun, 19 Aug 2007 12:01:15 +0300

I actually submitted a report with a header like this accidentally (it was my first submission). Could the parser be updated to mask these occurrences?

2. Email account name in subject line:

Subject: to my_account

Again, the system could search for the first part of the email address and mask it. It may incorrectly mask other parts of the email, but if necessary the reporter could be allowed to select whether something should or shouldn't be masked.

I've just submitted an email like this now and I'm not sure what to do, as it doesn't seem as if it's possible to edit the email once submitted. Should I cancel the report? Is it OK to edit a message (to remove all such items) and then submit it via the web interface?

3. They could probably also use the boundary string, the subject, and the sender headers to identify the recipient (using unique values). Example:

Subject: Find best International on-line pharmacy 731114

Where 731114 is a unique identifier, which links to my email address in their database.

Should we not be able to edit the email on the report screen to remove these possible identifiers? (I realise not all of this can be done through software.) Could unnecessary headers (or header parts) such as MIME boundaries not be removed?

(Apologies for the rather long post.)

_da.

[Telarin]

Honestly, the vast majority of spam is sent by compromised zombie computers without the owners knowledge. spam reports go to that person's ISP, and have no way of finding their way back to the spammers. It is very rare that an ISP forwards spam on to the spammers, and spamcop will usually remove those ISPs from the reporting loop if they find out they are doing it intentionally.

[darkangel]

I'm sure I read that somewhere. Why mask our address at all then, if it's just going to a "trusted" ISP?

_da.

[Wazoo]

I'm worried about being identified as the reporter of spam (as reports are commonly sent to the spammer him/herself, if I understand correctly).

Reports are sent to the identified abuse contacts for the source of the spew. these reports can fo to isps that don't care, isps that are in cahoots with the spammer, and yes, possibly to the spammer him/herself. on the other hand, "you" are the one that decides whaich Reports go out and where they end up.

There is a "mole" option if you actually feel the need.

Three methods I've noted:

In general, any munging in the outgoing Report is primarily based on the contents of the "To:" line. Your samples don't provide siggicient detail to get to your specific issues ... the use of Tracking URLs would allow the actual spam item to be seen.

Again, the system could search for the first part of the email address and mask it.

As above, this isn't the way it works .... the actual e-mail address is what's scanned for. As you've noted, there are thousands of ways to encode data into the e-mail beyond a plain-text entry.

It may incorrectly mask other parts of the email, but if necessary the reporter could be allowed to select whether something should or shouldn't be masked.

I've just submitted an email like this now and I'm not sure what to do, as it doesn't seem as if it's possible to edit the email once submitted. Should I cancel the report? Is it OK to edit a message (to remove all such items) and then submit it via the web interface?

Editing a spam for submittal is addressed within the Rules .... way too many folks have gotten into trouble by interpreting those Rules, technical advice offered elsewhere for 'experts' but interpreted and used by newbies .. on and on ... in short, if you have to ask, you probably shouldn't.

Again, if this is an issue for you, look at "Mole Reporting"

Should we not be able to edit the email on the report screen to remove these possible identifiers? (I realise not all of this can be done through software.) Could unnecessary headers (or header parts) such as MIME boundaries not be removed?

The other side of the coin ... the Reports are going to abise folks that want/need/expect to see the actual spam involved .... playing games by making deletions "here and there" would not be taken lightly by those receiving ISP folks.

[turetzsr]

<snip>

Editing a spam for submittal is addressed within the Rules .... way too many folks have gotten into trouble by interpreting those Rules, technical advice offered elsewhere for 'experts' but interpreted and used by newbies .. on and on ... in short, if you have to ask, you probably shouldn't.

<snip>

Again, if this is an issue for you, look at "Mole Reporting"

<snip>

...Also, if you feel uncomfortable with the e-mail complaints being sent on your behalf by SpamCop, you can always use the SpamCop parse results to find candidate addresses to whom to send your own manual complaints, so you can completely control the content of those complaints.

[StevenUnderwood]

I'm sure I read that somewhere. Why mask our address at all then, if it's just going to a "trusted" ISP?

You don't need to... I have been reporting this way for years now.

[darkangel]

Reports are sent to the identified abuse contacts for the source of the spew. these reports can fo to isps that don't care, isps that are in cahoots with the spammer, and yes, possibly to the spammer him/herself. on the other hand, "you" are the one that decides whaich Reports go out and where they end up.

Right ... but obviously I don't know which of these three categories the recipient falls into.

There is a "mole" option if you actually feel the need.

Ah, that's where I saw this (on the preferences page):

It has become painfully obvious that spammers are able to identify your email address by using tracking codes - even after SpamCop's attempts to munge them. It has also become plain that even the largest and most well-respected ISPs forward complaints intact to the accused.

Your tone seems to suggest that I'm being unreasonable -- am I?

In general, any munging in the outgoing Report is primarily based on the contents of the "To:" line. Your samples don't provide siggicient detail to get to your specific issues ... the use of Tracking URLs would allow the actual spam item to be seen.

Example of 1: http://members.spamcop.net/mcgi?action=get...rtid=2449316847

Example of 2: http://members.spamcop.net/mcgi?action=get...rtid=2457727648

- Also an example of using the display name, which I notice was also mentioned here.

Example of 3: http://members.spamcop.net/mcgi?action=get...rtid=2456679896

- Subject: Enjoy Life To The Fullest iiqv

- "iiqv" could be a unique identifier.

As above, this isn't the way it works .... the actual e-mail address is what's scanned for. As you've noted, there are thousands of ways to encode data into the e-mail beyond a plain-text entry.

I know it isn't the way it currently works, it was a feature suggestion. It's becoming clear that it's next to impossible to remove all hidden references to the recipient. I guess the question is how many spammers actually use these methods, but even if one operator is able to identify the reporter, he/she would have a confirmed address.

Editing a spam for submittal is addressed within the Rules .... way too many folks have gotten into trouble by interpreting those Rules, technical advice offered elsewhere for 'experts' but interpreted and used by newbies .. on and on ... in short, if you have to ask, you probably shouldn't.

I hadn't yet read that FAQ entry. I wouldn't really call myself a newbie, I'm quite capable of comprehending such information. It doesn't cover everything though. It doesn't explicitly disallow the masking of a display name, for example.

Again, if this is an issue for you, look at "Mole Reporting"

I'm not sure how effective that is, or how frequently the aggregate reports are submitted.

The other side of the coin ... the Reports are going to abise folks that want/need/expect to see the actual spam involved .... playing games by making deletions "here and there" would not be taken lightly by those receiving ISP folks.

I'm not "playing games" here. This is serious. One can easily falsify a spam email, I wonder why the preservation of an email in its original form is so important. Why would an ISP care what the MIME boundary was, or that a possibly-unique identifier in the message body was masked, as long as the instance of marking was clearly indicated?

Thanks for your reply.

_da.

[Farelf]

...I'm not "playing games" here. This is serious. One can easily falsify a spam email, I wonder why the preservation of an email in its original form is so important. Why would an ISP care what the MIME boundary was, or that a possibly-unique identifier in the message body was masked, as long as the instance of marking was clearly indicated?...

There are many ISPs out there, doing many different things (well, a lot of them doing nothing but were talking about the "others"), second-guessing them is unlikely to be useful. But as a general forensic principle, one interferes with the "evidence" as little as possible. Every stage of the handling process already adds "fingerprints" of some sort. You might adopt the view that a few more won't matter. Undoubtedly you will be correct. Some of the time.

Interference is forbidden for SC reporting, which is something of a warning/indication about your proposals. Marking your spam to show where you have been is anyway mostly going to be ineffective. The sheer volume of spam is vast (and growing inexorably), over any sensible timescale, therefore anything you do is highly unlikely (in general) to be seen by a report recipient, far less to be mulled over, considered and taken into account.

spam, these days, tends *not* to be "personal". It is a business/collation of businesses, albeit illicit. Many experienced reporters and other types of spamhandlers ignore the possibility of retribution and do their thing regardless. Without apparent adverse effect.

Most of my own reporting is outside of SC and is *totally* unmunged and from my "real" email address. I have been doing this for 8 months. Many have been doing similar for far longer. It took me something like 4 years to assemble the courage/confidence to take that step. I certainly understand caution.

Of course my spam load increases. It does for every spammed address - once an address is spammed, that happens (and there are many ways for addresses to be obtained in the "first instance"). When it doesn't, I am certain it is on account of my ISP increasing the aggressiveness of the filtering they almost all do these days (because it makes their lives simpler) - or because the botnets are busy taking down Estonia or whatever their latest "labor of love" might be. But spam everywhere is increasing - though great quantities of it are invisible to the intendended recipients due to it being kept from them.

Some observations and a personal perspective, for what it is worth. There may be occasions where a lovingly-crafted (manual) report will be justified and the correct reaction to a specific case. But mostly not.

[Miss Betsy]

<snip>I hadn't yet read that FAQ entry. I wouldn't really call myself a newbie, I'm quite capable of comprehending such information. It doesn't cover everything though. It doesn't explicitly disallow the masking of a display name, for example.<snip>

The interpretation of the rule - "Do not make changes" - by the deputies is "Do not make ANY changes" to the submitted spam. If you are concerned about identifiers, etc., then you can find the abuse address via spamcop, cancel the report, and create your manual report.

Aside from the problem that you might change something that is essential to the admin the report goes to, if there is ever litigation, the spam must be unmodified.

Again, the spamcop deputies have been most emphatic that any other interpretation, especially picking out non-explicitly disallowed items, is not permitted. There are a couple of exceptions to allow spam to parse. Officially, they are not permitted either, but no one has ever been disciplined for using them. Any munging to avoid identification will be disciplined.

Miss Betsy

[darkangel]

Thanks for your input, Farelf and Miss Betsy.

A few notes:

- I find it surprising that a piece of copy/pasted text could pass as forensic evidence, but I won't argue, as I don't know enough about the subject.

- The original idea was to submit the full email to SC, edit it on the SC server, and then to submit the report, so that should the matter be taken further, a fully-intact copy could be forwarded to the ISP involved for use in legal proceedings.

- It may be a good idea to re-word the "Material changes to spam" FAQ entry, it's a little ambiguous.

Anyway, no need to threaten disciplinary action, it was never my intention to break any rules, I was just enquiring about the process.

_da.

[Miss Betsy]

Didn't mean to sound threatening and I don't have any way to enforce the rules anyway. However, in another case, that's what the deputies said. Official spamcop rules and instructions are often ambiguous to users, but they don't think they are.

Possibly no changes are allowed is because people can have their websites or their IP address cancelled and that could involve litigation if the person objected. If there were any changes to the email submitted, then the defense attorney could argue that other changes could have been made to implicate his client.

Miss Betsy

[SpamCopAdmin]

The interpretation of the rule - "Do not make changes" - by the deputies is "Do not make ANY changes" to the submitted spam.

It's OK to remove any personally identifying information from the spam.

It is NOT OK to remove or alter server info, or lines from the headers, but it's OK to delete your name or email address, and it's OK to remove any tracking codes that might lead to recipient identification.

Something to keep in mind is that the use of tracking codes in spam is extremely rare, and SpamCop goes to a lot of trouble to keep reports out of the hands of the spammers.

- Don D'Minion - SpamCop Admin -

[Miss Betsy]

Thank you for clarifying the rules.

Miss Betsy

[Wazoo]

- It may be a good idea to re-word the "Material changes to spam" FAQ entry, it's a little ambiguous.

The last change I was able to effect was the (off-site) Base-64 decodong tool, as the much better one disappeared, along with the author. That was ages ago. Attempts to 'fix' the 'original / official' FAQ have basically been a lost cause these last few years. Again, no one 'here' has any access to the 'original / offical' FAQ on the www.spamcop.net pages.\

The single-page-access-expanded version of the SpamCop FAQ 'here' links back to the 'original / official/ FAQ .. which was also noticed as an issue when www.spamcop.net went down the last time .....

The SpamCop Wiki will be updated with this 'new' data, as it certainly is an extension of what the 'original / official' FAQ now states.

It's OK to remove any personally identifying information from the spam.

It is NOT OK to remove or alter server info, or lines from the headers, but it's OK to delete your name or email address, and it's OK to remove any tracking codes that might lead to recipient identification.

Something to keep in mind is that the use of tracking codes in spam is extremely rare, and SpamCop goes to a lot of trouble to keep reports out of the hands of the spammers.

Haven't seen or heard anything from R.W. in ages .. is he still around to possibly do the same for the 'official / origianal' FAQ?

[Farelf]

The SpamCop Wiki will be updated with this 'new' data, as it certainly is an extension of what the 'original / official' FAQ now states.

Which, for the record, and notwithstanding the apparent lack of/slowness of change, is

Material changes to spam

...

It is okay to munge your personal email address contained within links in the body of the spam, if SpamCop does not find and munge them, with one exception. If a report is going to an abuse desk that does not accept munged reports, you must not make even these minor changes to the spam.

Base64 Encoded spam - Many spammers are sending messages with Base64 encoded bodies. While SpamCop normally decodes and parses Base64 fine, it is possible for spammers to hide your address or other identifiable information within the encoded body.

For this reason, SpamCop has made an exception to the normal alteration rule for those who know what they are doing:

1. Use a Base64 decoding tool like http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/

2. Remove the encoded Base64 body and replace it with the decoded text

3. A disclaimer must be added to the top of the spam body. (Remember to leave a blank line between the last header line and your disclaimer):

"I have decoded the original Base64 spam body and munged personal details that were in that body. The original body has been replaced with this decoded text. I understand that you may consider this to be altered and not acceptable as evidence"

[darkangel]

Didn't mean to sound threatening and I don't have any way to enforce the rules anyway. However, in another case, that's what the deputies said. Official spamcop rules and instructions are often ambiguous to users, but they don't think they are.

No worries.

Possibly no changes are allowed is because people can have their websites or their IP address cancelled and that could involve litigation if the person objected. If there were any changes to the email submitted, then the defense attorney could argue that other changes could have been made to implicate his client.

That's what I don't quite understand -- they could always argue that the email was fabricated, even if no changes were made at all.

_da.

[darkangel]

It's OK to remove any personally identifying information from the spam.

It is NOT OK to remove or alter server info, or lines from the headers, but it's OK to delete your name or email address, and it's OK to remove any tracking codes that might lead to recipient identification.

Something to keep in mind is that the use of tracking codes in spam is extremely rare, and SpamCop goes to a lot of trouble to keep reports out of the hands of the spammers.

- Don D'Minion - SpamCop Admin -

Thanks for your post, Don.

If it's not OK to alter headers, I guess that would mean that masking part of the subject line would be disallowed (as well as other, non-server-detailing headers [such as the MIME boundary])? i.e. only mask personally identifying information in the body of the email message?

_da.

[StevenUnderwood]

That's what I don't quite understand -- they could always argue that the email was fabricated, even if no changes were made at all.

But if the reports include multiple identical reports, it is more believable that this specific one was not fabricated. But if one is found to be different, it introduces doubt which can affect prosecution.

[SpamCopAdmin]

If it's not OK to alter headers, I guess that would mean that masking part of the subject line would be disallowed (as well as other, non-server-detailing headers [such as the MIME boundary])? i.e. only mask personally identifying information in the body of the email message?

Now you know why the staff doesn't post in the forums very much.

What we say has to be worded *absolutely* perfectly, or some jailhouse lawyer will jump up to nitpick.

Here is a more carefully worded version of my previous statement:

It's OK to remove any personally identifying information wherever it appears in the headers or text of the spam. It's OK to delete your name or email address, and it's OK to remove any tracking codes that might lead to recipient identification.

It is NOT OK to remove or alter server info, or to remove complete lines from the headers.

- Don D'Minion - SpamCop Admin -

[darkangel]

Now you know why the staff doesn't post in the forums very much.

Sorry Don

[Wazoo]

Now you know why the staff doesn't post in the forums very much.

?? Sorry, but I don't see anyhing 'new' here .... these same types of discussions go/went on in the newsgroups also having the same types of results ... Don/Ellen says 'this is the way it is' ... What's 'different'????? ....

of course, noting that there used to be mich more interaction there from staff also ...

Material changes to spam Wiki page updated ... took longer than expected, handling some local folks' issues took priority ....

[darkangel]

Don,

Is there any preferred method of masking data?

Example:

ORIGINAL:

From: <dty365aoiu43sd[at]yahoo.com>

ALTERED:

From: <{removed}[at]yahoo.com>

OR:

From: <dty____oiu43sd[at]yahoo.com>

OR:

From: <x>

Other examples:

(1) Subject: to my_account

-> Subject: to {removed}

-> Subject: to __________

-> Subject: to x

(2) Content-Type: multipart/mixed;boundary= "----=_NextPart_000_0058_13247457.EEF3EDE4"

-> Content-Type: multipart/mixed;boundary= "----=_NextPart_{removed}"

-> Content-Type: multipart/mixed;boundary= "----=_NextPart____________________________"

-> Content-Type: multipart/mixed;boundary= "----=_NextPart_x"

_da.

Edit: I think the {removed} format is the easiest to identify.

[SpamCopAdmin]

I think the {removed} format is the easiest to identify.

You can use anything you want. An x is fairly standard.

Why would you munge the "From" address and the Boundary info? That looks like a total waste of time to me.

The munging the system does is good enough for me.

- Don -

[SpamCopAdmin]

of course, noting that there used to be mich more interaction there from staff also ...

It took a while, but we learned our lesson.

Don't forget that Ellen, Richard, and I all used to be volunteers, too. We enjoyed the discussions in the forums, and participated a lot.

Those days are long gone. We can no longer discuss anything. The days of exchanging opinions and learning from the discussions are ancient history.

Now, every word we say is taken as a Pronouncement from On High and fed to the corners of the universe so they can be retrieved and thrown in our face until the end of time.

As you might imagine, it sort of puts a chill on our participation in the public areas.

- Don -

[Miss Betsy]

<snip>

Now, every word we say is taken as a Pronouncement from On High and fed to the corners of the universe so they can be retrieved and thrown in our face until the end of time.

As you might imagine, it sort of puts a chill on our participation in the public areas.

- Don -

Well, it is understandable that your opinions would carry more weight when it comes to reporting issues because you have access to information that other forum participants don't have and you deal with questions more hours in the day so you have more experience with various problems than most of us.

And, there are some people who assume that 'officials' need to be respected and wouldn't think of arguing with them - or sometimes, even discussing ideas except as yesmen. That's partly the fault of some 'officials' who don't want argument or discussion. It's particularly evident in churches where for some people the pastor is always right. While most participants online are not those kinds of people, there are bound to be some who won't say anything even if the 'official' declares the moon is made of green cheese. And there are bound to be some 'officials' online who attack anyone disagreeing with them as undermining their authority. So, I don't think that the phenomenon is peculiar to this forum, but just one of those things that makes life more complicated than we wish it was.

We(tinw) wish that you would pay more attention to the questions where the answers are obvious if one has access to the data instead of the elaborate elimination process of assumptions we have to do (usually not me since I have so little technical knowledge). Sometimes, of course, the answer is better given in private (as Ellen used to say in the ngs "answered by email" which I am glad she has given up because, being a curious person, it was like a tease not knowing what the answer was!).

And, of course, no volunteer would want to say anything that wasn't policy so you are quoted as the authority. Maybe, sometimes, it seems to you as if someone skews your words in giving a policy interpretation, but it is no different, IME, than someone reading something into your post that you didn't intend.

I can understand your reluctance to participate frequently and also your seeming disappointment that you can no longer enter into the free and easy exchanges of the past.

Miss Betsy