
Spam from "me[at]myaddress.com"?


svanslyck


Two questions here.

May I safely assume that even though the spam shown below had my own address in the header, by filing the report I have not accused myself of sending it?

Second, except for the "network hosting website referenced in spam," no report has been filed against the sender or intermediate ISPs. Could someone explain how this works? In other words, why not?

Third, is anything being done by the various gummints or organizations involved, to pull the internet access or ISPs who refuse to take action against spammers who are using or hacking into their networks? Sure, lots of spam is generated by my.neighbors.bot.net but lots is also generated, I should think, by spammers with paid (or otherwise authorized) accounts with ISPs who just don't care. Surely "we have the technology" to totally exclude an ISP, even all the way up to a top level domain owner, who refuses to do anything about the unsolicited email passing through their systems.

Fourth, what, theoretically, did my report below do? Did it get 87.240.63.252 or any of the referenced IP addresses added to a blocklist?

Thanks folks.

Tracking message source: 87.240.63.252:

Display data:

"whois 87.240.63.252[at]whois.ripe.net" (Getting contact from whois.ripe.net)

Lookup fsi-ripe[at]whois.ripe.net

Display data:

"whois fsi-ripe[at]whois.ripe.net" (Getting contact from whois.ripe.net)

fsi-ripe =

Lookup ais-ripe[at]whois.ripe.net

Display data:

"whois ais-ripe[at]whois.ripe.net" (Getting contact from whois.ripe.net)

ais-ripe =

whois.ripe.net 87.240.63.252 (nothing found)

host 87.240.63.252 = host-63-252.qwerty.ru (cached)

Host host-63-252.qwerty.ru (checking ip) IP not found ; host-63-252.qwerty.ru discarded as fake.

No reporting addresses found for 87.240.63.252, using devnull for tracking.

Message is 17 hours old

87.240.63.252 not listed in dnsbl.njabl.org

87.240.63.252 not listed in dnsbl.njabl.org

87.240.63.252 listed in cbl.abuseat.org ( 127.0.0.2 )

87.240.63.252 is an open proxy

87.240.63.252 not listed in accredit.habeas.com

87.240.63.252 not listed in plus.bondedsender.org

87.240.63.252 not listed in iadb.isipp.com

Finding links in message body

Parsing HTML part

Resolving link obfuscation

http://www.coldprepare.com

Host www.coldprepare.com (checking ip) = 203.168.233.85

host 203.168.233.85 = cm203-168-233-85.hkcable.com.hk (cached)

Host www.coldprepare.com (checking ip) = 203.168.233.85

host 203.168.233.85 = cm203-168-233-85.hkcable.com.hk (cached)

Tracking link: http://www.coldprepare.com/

[report history]

Resolves to 203.168.233.85

Routing details for 203.168.233.85

[refresh/show] Cached whois for 203.168.233.85 : dnsadmin[at]cms.hkcable.com

Using abuse net on dnsadmin[at]cms.hkcable.com

abuse net cms.hkcable.com = abuse[at]cms.hkcable.com

Using best contacts abuse[at]cms.hkcable.com

Reports regarding this spam have already been sent:

Re: 87.240.63.252 (Administrator of network where email originates)

Reportid: 2558974286 To: nomaster[at]devnull.spamcop.net

Re: Forwarded spam (User defined recipient)

Reportid: 2558974289 To: spam[at]uce.gov

If reported today, reports would be sent to:

Re: 87.240.63.252 (Administrator of network where email originates)

nomaster[at]devnull.spamcop.net

Re: http://www.coldprepare.com/ (Administrator of network hosting website referenced in spam)

abuse[at]cms.hkcable.com


If you use a Tracking URL, it is much easier for others to answer questions. The Tracking URL is at the top of the parser page.

Spammers routinely forge the return path or From with addresses from their lists. If that's where your email address was, then there is no problem. The spamcop parser looks at the IP address that is recorded by the receiving server. Since the parser identifies the IP address of this spam (from the output that you did post) as an open proxy, unless you are using a computer with an open proxy somewhere in Europe and no abuse address (since the abuse address listed was discarded as fake), you are all right in reporting it.

The report goes to devnull which is a techie expression for being discarded since there was no address to send the report to; however, spamcop does count it as a hit on the blocklist so those who use the blocklist for filtering will benefit.

Even if someone did get the report (a human might be able to find a good address), the probability of something being done to stop the spam is very low. It is rare for a responsible server admin to permit spam to leave hir network. It does happen occasionally. Most reporters never see an answer to a report. Others think the spammer has found their address and don't recognize it as a reply to a report.

The ISPs who allow spam to come from 'real' accounts, not zombies, are mostly in China, Russia, and maybe South America. Many people block all email from those countries. And that's why the spammers have resorted to using infected computers to send their spew. Now there are lots of 'responsible' ISPs who don't do much of anything about them because stopping them means losing customers and the owners of the infected computer are 'innocent'. It is also so easy to block email from a non-email server, it only takes one if the server admin is on the ball.

Governmental regulation is not a main factor in controlling spam because the internet crosses so many national boundaries and also because no one wants governments to get involved because of censorship. The server admins have pretty much controlled spam by using blocklists and content filters (for spam not yet listed) to screen out almost all spam. It is a method that fits the internet which is entirely based on netiquette. Miss Manners says the way to treat extreme rudeness is the 'cut direct' and blocklists are the internet equivalent. There is no such thing as 'force' on the internet - if you don't play by the rules, people won't play with you.

Hope this answers all four of your questions.

Miss Betsy
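
An added illustration, not part of the original thread and not SpamCop's own code: the check described above, where the source is the IP that the receiving server recorded rather than the forged From:, followed by the blocklist lookup seen in the parser output. The message, the receiving host name `mx.example.net` and the function names are constructed for this sketch.

```python
import email
import ipaddress
import re
import socket

# Constructed sample: From: is forged to equal the recipient. Only the top
# Received: line was written by the recipient's own server (hypothetical
# mx.example.net); the lower one is supplied by the sender and is untrusted.
SAMPLE = """\
Return-Path: <random123@example.org>
Received: from host-63-252.qwerty.ru (unknown [87.240.63.252])
\tby mx.example.net with SMTP id ABC123; Mon, 1 Jan 2007 10:00:00 +0000
Received: from mail.bank.example ([10.1.2.3]) by host-63-252.qwerty.ru; Mon, 1 Jan 2007 09:59:00 +0000
From: me@myaddress.com
To: me@myaddress.com
Subject: constructed example

body
"""

def source_ip(raw, trusted_host):
    """Return the peer IP from the Received: header stamped 'by trusted_host'."""
    msg = email.message_from_string(raw)
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        if re.search(r"\bby %s\b" % re.escape(trusted_host), flat):
            m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
            if m:
                return str(ipaddress.IPv4Address(m.group(1)))  # validates octets
    return None  # no header from our own server: nothing trustworthy to report

def dnsbl_name(ip, zone):
    """DNSBL query name: IPv4 octets reversed, then the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """Listed if the name resolves to a 127.x answer; a failed lookup means not listed."""
    try:
        return resolve(dnsbl_name(ip, zone)).startswith("127.")
    except socket.gaierror:
        return False

if __name__ == "__main__":
    ip = source_ip(SAMPLE, "mx.example.net")
    print(ip, dnsbl_name(ip, "cbl.abuseat.org"))
```

The From: and Return-Path: values are never consulted, which is why reporting a message that carries your own address does not implicate you.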


  • 2 weeks later...

Hi,

Apologies for sounding dumb, but I'm new here and pretty new to working online so still getting to grips with things.

I've been receiving spam from 'my own' email address. From reading Miss Betsy's reply below, am I correct to assume that if I add these emails to my blacklist it will be the real originator's address that is blocked and blacklisted, not mine..?

Thanks for any advice!

Martin.

Edited to remove quote which is found 'above' and does not need to be repeated. Miss Betsy


I've been receiving spam from 'my own' email address. From reading Miss Betsy's reply below, am I correct to assume that if I add these emails to my blacklist it will be the real originator's address that is blocked and blacklisted, not mine..?

Welcome along...

Unfortunately, it isn't clear from your question how you are 'blacklisting' Emails.

Assuming you're talking about the SpamCop Email service (and that's just a guess) then your assumption is incorrect. The personal blacklist (and the whitelist for that matter) works on the Email address.

But if you're talking about the SpamCop BLOCKlist (fine distinction in terms) then reporting an Email will cause the originating mail server's IP address to be listed which is totally unconnected to the Email address in the from line. In this case you're absolutely safe.

The confusion here is your use of the term 'blacklist'. There are no blacklists in the reporting service - just blocklists whereas the Email service uses both approaches.

Andrew


Being new does not always equal being 'dumb'!! However, it does mean that one needs to learn, and there are people who respond regularly who are willing to help you. It helps if a 'newbie' looks at the Glossary and tries to use terms correctly. As I never can find what I want in any FAQ, I am sympathetic with those who can't find a particular question. However, if you are interested in learning, reading them certainly will prevent you from asking questions that have already been answered.

...adding [your email address] to your blacklist....

That is difficult to answer because we don't know what 'your blacklist' is. In general, adding your email address to a blocklist of email addresses will block email where you are the sender. That will mean that if you send email to yourself, it will also be blocked. In general, blocking using email addresses is not effective since the From:'s can be forged. It doesn't stop very much spam since the spammers change addresses to avoid such blacklists and will stop good email from those addresses as well as spam.

Reporting email to spamcop with your email address in the From: results in the IP address from which the email comes being added to the spamcop blocklist. It depends on whether others report email from that IP address whether the IP address is published as being a source of spam.

If you are using the spamcop email service, posting a question (or better yet, reading previous discussions on how to set up filters and then asking questions) in the spamcop email service forum would help you educate yourself on how to effectively use the spam filters provided. IIRC (if I remember correctly), there was a topic where someone had blacklisted his email address because he was receiving email that looked like he had sent it, and then later ran into some problem. Since I don't use the spamcop email service (and, as I said, never can find what I am looking for), I don't know where that discussion is or if I imagined it. You might have better luck.

Miss Betsy


Abledragon, I wouldn't recommend adding your own e-mail address to your blacklist! In fact in my opinion the whole personal blacklist option of Webmail is obsolete and useless, because spammers never use the same (forged) sender address twice to the same recipient (not a careful ploy by the way, just the way the numbers work out).

This reminds me that I have on occasion thought of posting a request to remove this feature from webmail, as apart from the above, I suspect it confuses new users. However there is no forum section for requests to remove obsolete features (smile), and I expect it is an integral part of the Horde version anyway and not separately removable.

The reason spammers sometimes send spam to you at youraddress "from you at youraddress" is because some people whitelist their own address, so that way the spammers defeat filtering (they hope). Easy to script. So I wouldn't recommend adding your own address to your whitelist either.

You can check an IP at http://spamcop.net/bl.shtml

87.240.63.252 is on the SpamCop blocklist. If you use the Spamcop BL to filter your mail, spam from that IP will be filtered out and placed in Held Mail. A SpamCop e-mail account can use a number of blocking lists to filter incoming mail. You can select these in webmail via Options, SpamCop Tools, Select your email filtering blacklists.

Hope this helps.


Abledragon, I wouldn't recommend adding your own e-mail address to your blacklist! In fact in my opinion the whole personal blacklist option of Webmail is obsolete and useless, because spammers never use the same (forged) sender address twice to the same recipient (not a careful ploy by the way, just the way the numbers work out).

Not correct, and I have discussed this under the "How I use SpamCop Mail" thread.

Some spammers *have* to use a plausible From: so adding Ebay.com, BankofAmerica.com, irs.gov and so forth catches phishes even if SpamAssassin doesn't, and adding those who spam under their own names like adventist.org, wpls.i-friends.net and penknifepress.com is good too.

Since I block the whole of China adding 'cn' catches a few more and I see that I added 'ru' and 'tw'.

You might wish to add 'biz' and 'info' for example.

Similarly the whitelist allows particular exceptions to the blacklist.

HTH


Hey Everyone,

Thanks for your replies..!

I'm using Horde webmail, which is why I got the terminology wrong - apologies for not being clear.

I'm currently receiving 2 or 3 spams a day where the spammers are using my 'From' address (the same one that they're sending it to) but the 'Return path' addresses are different each time.

Based on the other posts in this thread I'm guessing that copying the return path addresses into my blacklist (horde terminology) may help..?

Or do I just have to sit it out until they get bored and find another address to use?

Since they will be spamming thousands of people am I correct to assume that my email address which they're using in the 'From' field is going to get flagged by these recipients..?

Thanks!

Martin.


I don't think it is worth taking pains over 2-3 of these particular spam a day. Blocking the reply/return address may not achieve much since you say these are constantly changing. There is a (very) small chance you might actually and coincidentally block some good mail if you did this since, like the "From: " address, reply/return address are (usually) forgeries of real addresses. Just waiting it out is the usual advice to suit the usual "pattern".

The recipients of spam with your forged address as originator (or even return address) are unlikely to be fooled into thinking it really came from you. Forging addresses is such an established part of the spammer's MO that no experienced user is going to be unaware of the futility (and abusiveness) of responding/reacting to the address without further checking. There is, however, an option to do just that with some applications (such as MailWasher) so you may get some misplaced complaints or fake bounces from lazy or clueless people (even network admins). Also misplaced out of office autoresponses might be received. These are all reportable as spam/abuse but you might be better employed sending manual reports if you get just a few, pointing the perpetrators to such "educational" resources as http://www.spamcop.net/fom-serve/cache/329.html - *if the volume is manageable*.
