More phishing scams since I started reporting


MsLil

Hi there, I hope I'm posting in the right place (I did read the FAQs etc) first. I'm not a computer tech or anything, just an ordinary person with a loathing for spam.

I recently started using SpamCop again after an absence - the sheer volume of spam got me down. But I started again recently and as soon as I did, I immediately noticed a huge increase in the amount of phishing scams I received - the Nigerian crap, the lotteries, the dying people who want to leave me their bazillions - on and on.

Is it possible that this huge increase is somehow linked to my recent reporting spree? I'm sorry if this is a naive question but I'm generally curious.

Thanks and keep up the good work. I hope it's actually having some impact.

Cheers.

Is it possible that this huge increase is somehow linked to my recent reporting spree? I'm sorry if this is a naive question but I'm generally curious.

You just didn't look in the right place, this is an old thread. I would direct your attention to this thread.

More phishing spam? You're just lucky, I guess.


Let's do some deduction: In order for you to get more scam mail due to your SpamCop activities, it would be necessary for SpamCop to have given your e-mail address (or allowed it to be given) to the crooks. As far as I can tell, this isn't going to happen. SpamCop generally munges your address out of reports so that no one seeing the reports would find it. Even if it did not, these reports generally go to ISP abuse desks, who (we hope) are not in the regular practice of handing these reports off to scammers. Even if they were, it doesn't seem logical for scammers to target addresses given in abuse reports, since these people are the most likely to complain and get the scammer cut off from his mail.

Most scammers (vs. spammers) are using freemail services, so it seems unlikely (to me, at any rate) that they would have the "juice" necessary to get information from their providers about those who rat on them.

I hope this provides some assurance to you. As Lking says, you are likely just "lucky" to be getting more of this stuff right now. Correlating it to SpamCop may just be post-hoc thinking.

By the way, just to be pedantic, the term "phishing" is usually used to describe folks who try to impersonate banks, etc. to get your personal info. The 419s, advance fee artists, etc. also try to trick you but their M.O. is a bit different so I for one do not use the term "phishing" for them. See the Wiki for articles on advance-fee frauds, phishing, and job scams for more info about e-mail frauds.

-- rick


Cool. Thanks for that. I agree the link was a tenuous one and yep, I suppose I'm just lucky. After I made the post, I actually had 7 identical emails from the one scam artist. What joy.

My apologies for using the term "phishing" as an umbrella term and also for not looking around the site enough to find a similar topic. As I said, I'm just an average person who hates spam and I posted in haste this morning.

I may not know all my terminology, but I am very savvy when it comes to scams, frauds, etc. It's people like the women I work with and my mum that I worry about!

Cheers.


MsLil, I think you should check that you don't have the option "Leave spam copies intact" selected under "spam Munging" on your "Reporting Preferences" page.

It's people like the women I work with and my mum that I worry about!
You'd be surprised how many women are spam/scam-savvy. Getting assaulted with large volumes of male-orientated filth focuses the mind wonderfully!

it doesn't seem logical for scammers to target addresses given in abuse reports, since these people are the most likely to complain and get the scammer cut off from his mail.
I suspect that what often happens is that accomplished criminals deliberately sell lists containing e-mail addresses of known anti-spammers to their less accomplished brethren in order to damage them (and annoy the anti-spammers of course).

Penny


  • 2 weeks later...

I was wondering the same thing when I began using SpamCop a few weeks ago. My spam has been increasing. But maybe that is just part of overall spam increase. OTOH, I have an idea that spammers have been getting smarter about what they include in their spam, and it seems to me that there are parts of the message that have no other reason than to provide hidden feedback. I can well imagine an ISP involved with spammers.

I have written my own Eudora filter that I invoke before sending data to SpamCop. It filters each email and creates an individual email to send to SpamCop. Here is a list of the filter types that I address because they have contained either data that I suspected was my email address encrypted, or actual fields that contained personal data that SpamCop was not filtering.

To:

Bcc: - Yup, believe it or not, there I was in the BCC.

X-Persona

Message-ID:

Envelope-To:

In-Reply-To:

by fred.org - actual domain is not fred

by fred.com

The by field, for example, would contain the real name of my domain. Doesn't take much to figure out which address is a good one. Ditto with the others. I didn't realize it at first; I just sent off the reports. Now the damage might be done, but at least I know to look for stuff that SpamCop leaves in the report in the future.

There are other places. In many instances, the subject now contains my email address, but SpamCop doesn't see it. So I check each line and change personal info before sending to SpamCop.

I sent a message off to SpamCop weeks ago, but haven't heard back from anyone. Then I learned about this forum and thought I'd see what might be here...

~Rich~
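
An added illustration of the kind of pre-report check the post above describes (it is not the poster's Eudora filter and not SpamCop's own munging): it masks a reporter's address and domain in the header fields the post lists, and separately flags hex or base64 copies of the address elsewhere in the message. The address, the mask strings and the sample message are constructed for the example.

```python
import base64
import re

# Header fields the post names as having carried the recipient's identity,
# plus Subject, which it mentions separately.
WATCHED = {"to", "bcc", "x-persona", "message-id", "envelope-to",
           "in-reply-to", "subject", "received"}


def unfold(raw_headers):
    """Join folded continuation lines into [name, value] pairs."""
    fields = []
    for line in raw_headers.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip(), value.strip()])
    return fields


def munge_headers(raw_headers, address, addr_mask="x",
                  domain_mask="munged.invalid"):
    """Return (munged header text, names of the fields that were changed)."""
    domain = address.split("@", 1)[1]
    addr_re = re.compile(re.escape(address), re.I)
    # The bare domain or any host under it, e.g. in a Received "by" clause.
    host_re = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + re.escape(domain)
                         + r"(?![\w-]|\.\w)", re.I)
    out, changed = [], []
    for name, value in unfold(raw_headers):
        new = value
        if name.lower() in WATCHED:
            new = host_re.sub(domain_mask, addr_re.sub(addr_mask, new))
        if new != value:
            changed.append(name)
        out.append(f"{name}: {new}")
    return "\n".join(out), changed


def encoded_leaks(text, address):
    """Flag trivial encodings of the address; nothing is rewritten here."""
    raw = address.lower().encode()
    hits = []
    if raw.hex() in text.lower():
        hits.append("hex")
    if base64.b64encode(raw).decode().rstrip("=") in text:
        hits.append("base64")
    return hits


# Constructed sample: a reporter at rich@fred.example (placeholder domain).
ME = "rich@fred.example"
SAMPLE = (
    "Received: from relay.isp.example by mail.fred.example with ESMTP\n"
    "\tfor <rich@fred.example>; Thu, 5 Jun 2008 22:18:24 +0100\n"
    'From: "Lottery Desk" <win@scam.example>\n'
    "To: undisclosed-recipients:;\n"
    "Bcc: rich@fred.example\n"
    "Message-ID: <20080605.rich@fred.example.7731@scam.example>\n"
    "Subject: rich@fred.example you have won\n"
)
SAMPLE_BODY = "Claim at http://shop.example/u?id=" + ME.encode().hex() + "\n"

if __name__ == "__main__":
    munged, changed = munge_headers(SAMPLE, ME)
    print(munged)
    print("changed fields:", changed)
    print("encoded copies in body:", encoded_leaks(SAMPLE_BODY, ME))
```

The list of changed fields is there so each alteration can be reviewed before a report is submitted. A tracking token that is only a lookup key in the sender's own database is not derived from the address, so a check like `encoded_leaks` cannot detect it.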


Undoubtedly, there are spammers who harvest 'live' email addresses from spamcop reports. Probably, just as many spammers 'listwash' or remove email addresses found in spamcop reports.

In several, more or less controlled, but not scientific experiments, the amount of spam received from munged reports vs unmunged reports (or from non reported email addresses vs reported email addresses) is not significant. Once an email address has been harvested, it is sold and resold, and is on many lists.

If you are getting more of a certain kind of spam, then it just means your address was on a list that was sold to that kind of spammer.

Miss Betsy


  • 2 months later...

My e-mail address was stolen from a large bulletin board (Delphi, I believe) about 15 years ago and was even blacklisted after it was used on the 'From' line by a virus. Consequently, I don't bother to mung my address, and use it to collect spam. Junk mail containing the word 'bank' sets off alerts on my computer, and I've recently been reporting bank phish as quickly as I can.

SpamCop should know this has proved successful. After only a month of rapid reporting, the 'Russian Business Network', I'm assuming, sent spam using me on the 'From' line for a week or so, to irritate me; but then, unfortunately, I find I'm no longer receiving bank pfish. (Rats!)

I hadn't thought that leaving my address visible would cause it to be removed from an East European pfishing list. Nevertheless, it's also my understanding that sophisticated statistical methods allow most any letter sent within my ISP's range of addresses to be associated with me. (My punctuation gives me away.)

Nevertheless, my experience proves that even one individual can pose a threat to criminal pfishers.


  • 3 weeks later...
Let's do some deduction: In order for you to get more scam mail due to your SpamCop activities, it would be necessary for SpamCop to have given your e-mail address (or allowed it to be given) to the crooks.

Many spams have a string or two or three of 'gibberish' in them.

I have proven those (especially those sent to olcab.ro) to be an encrypted form of your email.

Mung those strings and you're OK.


My apologies for using the term "phishing" as an umbrella term and also for not looking around the site enough to find a similar topic. As I said, I'm just an average person who hates spam and I posted in haste this morning.

Only now did I read your original post -- and its initial reply. Buck up man (or woman)! Never apologize to people who use words like 'post-hoc': it only encourages them.

IMO, it's wise to never underestimate your opponents. Those who are selling innocent spam, at least, would be the various advertising agencies who have the computer power and statistical algorithms it takes to finally connect your internet shopping and browsing habits with, finally, an email address (and it takes only one person, or 'mole', in an online store, let's say, to do this).

While I never attempt to disguise my identity on reports, my reporting only bank 'pfishing' (sensu lato) quickly resulted in my no longer receiving any. Another, who used his address only for 'munged' reports, has been intimidated with a denial-of-service email attack. Clearly, people with great resources are attempting to intimidate SpamCop users. You should consider it a compliment. You have my thanks, and congratulations.

My thanks to those whose suggestions make SpamCop reports less traceable.

Rapakiwi

(programming daily since a byte was only six bits)


Many spams have a string or two or three of 'gibberish' in them.

I have proven those (especially those sent to olcab.ro) to be an encrypted form of your email.

Mung those strings and you're OK.

But beware that you do not run foul of SpamCop's "material changes" policy. Of course, if you are reporting outside SpamCop, this is less of an issue.

If the spammer has encrypted your e-mail address into the spam, then he will be able to tell who is complaining, but ONLY IF HE GETS A COPY OF THE REPORT. I can't see this being the case with reports filed only on the spam source (not on URLs), since the ISP would probably be unable to locate the botherder behind a spewing address even if it wanted to share the report (which it has no reason to do). I grant that it might be more likely for the crook to see a SpamCop report if it has been filed with a hosting provider he uses (particularly one as patently crooked as olcab.ro). The better part of wisdom in this case might be to avoid reporting the URLs (since these providers aren't listening anyway).

Only now did I read your original post -- and its initial reply. Buck up man (or woman)! Never apologize to people who use words like 'post-hoc': it only encourages them.
Or 'sensu lato'?

-- rick


But beware that you do not run foul of SpamCop's "material changes" policy. Of course, if you are reporting outside SpamCop, this is less of an issue.

Spamcop rules allow you to mung your email address - since it is just that in a different form, no rules are broken ;)

If the spammer has encrypted your e-mail address into the spam, then he will be able to tell who is complaining, but ONLY IF HE GETS A COPY OF THE REPORT.

Do you know how many mail providers are set up by spammers and Spamcop inadvertently reports to them? Plenty. A quick search here shows there's been a few mail providers we've busted... mostly Chinese or Russian in origin.

Cheers!


Spamcop rules allow you to mung your email address - since it is just that in a different form, no rules are broken ;)...
Yes, you do say (earlier) "I have proven those (especially those sent to olcab.ro) to be an encrypted form of your email." Well "proof" is a pretty unequivocal concept and if you have actually tested/demonstrated/replicated the results of your hypothesis to some degree of rigor and if SC deputies/admin accept that proof and if anyone else who might mung their 'encoded address' is similarly cluesome then I guess it is all okay. Otherwise it sounds to me like a quick way to lose reporting privileges. So, if you're advocating that approach, then you had better offer something much more substantial than a simple assertion.

None of my available olcab.ro cases are constructed the way you say - but tolcab.ro do seem to host a great number of spamsites and perhaps a great range of different approaches to the 'business' of spamming.


Hi,

Yes I have.

Send spam reports with three letters of gibberish removed, wait 24 hours, no returns. Send same spams gibberish unmunged and within 20-40 minutes, my mailbox was bombed with same spamvertized URL as before.

If this is insufficient proof, then that's OK, I'll just file-13 those and not report them.

Seems pretty solid to me :)

Cheers!

** edit **

It could have been tolcab.ro... I just remember the ...cab.ro and olcab was first to mind.


...If this is insufficient proof, then that's OK, I'll just file-13 those and not report them.

Seems pretty solid to me :)...

Always ask the deputies before you do anything adventurous - just in case (we need all the reporters we can get). If you have obtained those results repeatedly (for some value of 'repeated') then maybe you should ask them. Whatever we individual reporters see, they see a thousand times over, they will use that experience and any submission you make to determine the merits - offset against any risks (to SC) that might be involved (accusations of forgery, whatever).

Sure, you, anyone, is within their rights in removing identifying information from the spam to be reported - but that is talking about recognized/recognizable data. But in the absence of specific authorization relative to some supposed coded/registered information, the general advice would have to be - just drop those spam if you're not confident about the security of reporting them intact (and you're certainly not).


Whether you report a spam all depends on whether you think it is a good idea to list the source IP address on the spamcop blocklist or not. Many spamvertized site reports are going directly to the spammers so unchecking all reports except the source, or quick reporting, still keeps the source on the bl without sending a report to the spammer.

If you are also suspicious of the source IP (that they pass the reports to the spammer or that the spammer owns that IP address), then perhaps jhd is a good idea for you if you don't want more spam to report. However, if it is a spamcop email account, it just goes to your Held mail folder so it can be easily reported and doesn't really interfere with your email, right? In addition, sometimes an email to the deputies containing easily confirmed information can result in reports going to devnull which keeps the source IP on the list without sending a report.

OTOH, if you think that the source IP is just clueless, an alternative is to mung the 'gibberish', but send the report manually from a special email address created just for that purpose. You can still obtain the correct abuse address from spamcop, but cancel the spamcop report.

People forget that spamcop is just a tool created to inform the proper server admins of abuse on their network. The other part of spamcop is the blocklist, a tool for server admins and the spamcop email system to block or tag spam so that it does not get into one's inbox.

Reports can get the source of the spam stopped by the receiving server admin. (I believe it is in the lounge where a server admin responded to a report of a phish not too long ago. It wasn't very encouraging because he was only going to warn the customer, but in that case, a manual dialogue might convince him that he should be more diligent.) However, reports going to those who might respond favorably are getting to be few and far between since most server admins know what to do to avoid having spammers abuse their networks in the first place and many don't care about bots because their mail servers are clean.

Unless you can gain benefit by using the scbl, you are only being altruistic to report spam so that it is on the scbl. There are reporters who do like to support the scbl even though they don't gain any direct benefit.

So, deciding whether or not to submit spam to spamcop to send reports, contribute to the scbl, or obtain an abuse address to send a manual report, depends a great deal on what your purpose is in using the two spamcop tools.

Miss Betsy


Whether you report a spam all depends on whether you think it is a good idea to list the source IP address on the spamcop blocklist or not.

<SNIP, SNIP>

So, deciding whether or not to submit spam to spamcop to send reports, contribute to the scbl, or obtain an abuse address to send a manual report, depends a great deal on what your purpose is in using the two spamcop tools.

This seems a great letter from someone who certainly does one's homework.

My purpose in reporting bank pfish as soon as they appeared was in the hope that the logical address of the fake bank would be nullified by the ISP before anyone mistakenly used it. There seemed to me no hope in finding the criminals (without prior preparation by law enforcement or extreme stupidity on the spoofers' part): but there was hope in preventing a tragedy, even to one person. Before SpamCop, I had stopped everything, attempted to find the ISP using internet tools, and wrote my own warnings to the administrator. This would often take an hour. SpamCop has saved me (and administrators) untold time.

However, I always assumed these scams were sent from dynamically allocated ip addresses, billed to a post office box, and collected from a crowded internet café in a different country. Every time I reported one, it would pop-up the next day in a different East European country. I certainly wouldn't want to blacklist an ip address: a dynamic one that moments later might belong to an innocent user; or a static one that, the next day, would be sold to an innocent business.

When you say 'blacklisting', I hope you mean a personal blacklist. I can imagine blacklisting every letter from some East European countries would be a convenience for me (for I no longer correspond with colleagues there), hence my question: are global blacklists reported by SpamCop gleaned from those sites common to all our personal blacklists, or from those statistical reports of persistent spamming sites? It's the latter, I hope.

Because of the hierarchical organization of the internet, that blacklisting is needed still amazes me but I've seen some German lists, and they're huge.

This query just requires a quick reply: I don't want to distract anyone from this important thread: whether reporting spam increases it, and how to prevent this.

Rapakiwi

PS. Once blacklisted myself by an organization that brilliantly harvested 'from' lines in spam


The other part of spamcop is the blocklist, a tool for server admins and the spamcop email system to block or tag spam so that it does not get into one's inbox.

<SNIP>

Unless you can gain benefit by using the scbl, you are only being altruistic to report spam so that it is on the scbl. There are reporters who do like to support the scbl even though they don't gain any direct benefit.

So, deciding whether or not to submit spam to spamcop to send reports, contribute to the scbl, or obtain an abuse address to send a manual report, depends a great deal on what your purpose is in using the two spamcop tools.

Ah, I missed that part of the letter that I marked in bold. Thank you. It wasn't clear before that the blocklist is dynamic, and it is of use both to system administrators who want to protect users from scams and to individual users who are experiencing 'denial-of-service' attacks. That's great.

My assumption here was that both users & system administrators are indeed altruistic; so they would want dangerous spoofs to be blocked at their source, and thus they would continue to send the most effective reports to the appropriate administrators. Mine contained a note starting with 'Bank Phish', which is likely recognizable, whatever the administrator's native language.

My apology for being confused about, well, why SpamCop users would need protection from scams. I hadn't realized that the documentation is written for both audiences: users & administrators.

Thanks for the letter, which I now understand better. Should have done my homework.

Rapakiwi


When you say 'blacklisting', I hope you mean a personal blacklist. I can imagine blacklisting every letter from some East European countries would be a convenience for me (for I no longer correspond with colleagues there), hence my question: are global blacklists reported by SpamCop gleaned from those sites common to all our personal blacklists, or from those statistical reports of persistent spamming sites? It's the latter, I hope.

What is SpamCop.net?

What is the SpamCop Blocking List (SCBL)?

My apology for being confused about, well, why SpamCop users would need protection from scams.

Some SpamCop.net e-mail account holders have recently proven to be just as ignorant as users of any other ISP/Host/System. Some of them fell for the phish e-mails asking for their account details. Hard to believe.

I hadn't realized that the documentation is written for both audiences: users & administrators.

Documentation is for anyone / everyone, to include those folks impacted by the various parts of the SpamCop.net tool-set. Note the numerous Topics in the Blocking List Help Forum section from folks that had never heard about SpamCop.net until their IP Address made it into the SpamCopDNSBL, typically due to a compromised computer on their network or a hijacked wireless network connection.


To the original poster/question: NO.

FWIW, I've seen a huge increase in the number of 419 messages I've received lately... I have received over 100 this week alone, when I usually get 10 a week.


To the original poster/question: NO.

FWIW, I've seen a huge increase in the number of 419 messages I've received lately... I have received over 100 this week alone, when I usually get 10 a week.

I've found it varies a lot with season. :-) This year has shown a remarkable increase this spring:

http://www.spamcop.net/spamgraph.shtml?spamyear

Someone created an account solely for reporting spam with munged reports, but the quantity of spam sent to his account appeared an attempt to prevent its being used. My reports have me thoroughly identified, so I'll start reporting regular spam (rather than just dangerous spam) and see what happens. Besides, it will force me to learn AppleScript. :-)

An increase, it seems to me, could only be to prevent or punish your reporting; however, I try and know as little of crime as necessary.

As mentioned elsewhere, each election year after 2000, all my accounts received 100 to 500 spam a day. (Interestingly, the pornographic spam was kept off the mailers at American Ivy League universities -- their supervisors' alma maters?) This has dropped to 10 a day, though this is an election year. I'm not sure 100 a week is a denial-of-service attempt, so the reason for your increase is puzzling to me. (No list buyers would want to pay for a problem, I should think.)

If my spam show a marked change in rate, I'll report this on the forum.

Rapakiwi

Moderator Edit: excessive vertical whitespace removed. Referenced link URL changed to the 'public' version - was members .. noting that this is already provided as a graphic / link at the top right of this and every Forum page


What is SpamCop.net?

What is the SpamCop Blocking List (SCBL)?

Some SpamCop.net e-mail account holders have recently proven to be just as ignorant as users of any other ISP/Host/System. Some of them fell for the phish e-mails asking for their account details. Hard to believe.

Documentation is for anyone / everyone, to include those folks impacted by the various parts of the SpamCop.net tool-set. Note the numerous Topics in the Blocking List Help Forum section from folks that had never heard about SpamCop.net until their IP Address made it into the SpamCopDNSBL, typically due to a compromised computer on their network or a hijacked wireless network connection.

This site is a godsend to all users of e-mail. I can't commend it enough. It is, however, just a bit 'techie'. The forums are, presumably, to remedy this. A lack of knowledge by me makes some choices difficult.

For example, I leave spam reports to 'abuse[at]bigtelephonecompany.com' checked, because I'm assuming they have an automated method of checking on smaller ISPs if they continue to receive 'carbons' of complaints. But I don't know that this is correct; and I wouldn't want to put all of AT&T on a blacklist. :-)

Learning that my spam reports are used, though as reasonably as possible, for a dynamic blacklist makes it all the more important that I understand the implication of checking a little box on my report. Spam is a whole world of organized crime I know nothing about. Some links to sites that discuss how this organization works might help me, at least, in making the human decisions needed in reporting spam. Yes, I know such information is somewhere on the internet; but the internet only works if users get from it far more than they put into it.

Again, tremendous thanks to SpamCop for providing this invaluable service.

(Back in the '80s, I was among those consulted by the Gore Commission about releasing the internet to the public. Censorship & restricting knowledge to those who could pay were the principal worries: {permitting} its use for other forms of crime never crossed my mind. Big surprise!)

Rapakiwi


Oddly coincidental, but since making that post, I've received 10 of the SAME email from the same IP. Dumb spammers.

[69317] busewenonpaya[at]avasmail.com.mv ((Used This Funds for the needy) Preview )

Thu, 5 Jun 2008 22:18:24 +0100 (Blocked SpamAssassin=4)

[69319] busewenonpaya[at]avasmail.com.mv ((Used This Funds for the needy) Preview )

Thu, 05 Jun 2008 20:07:13 +0000 (Blocked SpamAssassin=18)

[69321] busewenonpaya[at]avasmail.com.mv ((Used This Funds for the needy) Preview )

Thu, 05 Jun 2008 14:47:35 -0700 (Blocked SpamAssassin=4)

[69322] busewenonpaya[at]avasmail.com.mv ((Used This Funds for the needy) Preview )


Archived

This topic is now archived and is closed to further replies.
