MsLil

More phishing scams since I started reporting


I assume/hope that your URL is for another account type. I believe I have a pretty basic one, and it's very old. Do you have any info on this?

That account is associated with my spamcop email account. I much prefer the pop-up login to the cookie one as I have 2 accounts (free for work and paid for personal) and can be logged into both at the same time with the pop-up login.

You say that this mailbox is very old (actually you said your spamcop account was very old) and that it has consistently been receiving spam, but you don't say how long it has been receiving spam.

You would think that you would get ca cb, as well as cd. However, if this address has been getting spam for some time, are you still looking at the logs for 'some time'? If the first time, there were ca's cb's etc. but you didn't check then, then as soon as you reported the one you got, the spammer had the cdspamcop one. Possibly, they don't try them one after another since it would be easy for the receiver to spot that and start blocking. Another possibility is that since cd[?] is your standard method and other addresses have been spammed and that it is not a novel way to create 'special' addresses, that the spammer is trying cd[?] also after harvesting the other addresses from an unmunged spamcop report (or one that has the address in a place that the parser doesn't find).

If a spammer had somehow hijacked spamcop email addresses, it seems to me that there would be more than two people complaining. I have a very old account also and I have not received any spam to my sign up address, but I can't be certain because I don't run a mail server and those I use do use blocklists and don't deliver all the email. If it came by bot, then the likelihood of my getting it would be slim. And that may be your argument that there are lots more getting spam to their spamcop sign up account, only they don't know it.

Whether or not the spamcop list was hijacked, this situation just emphasizes the fact that email is hampered by spam and that there is not much that a receiver can do about it. If the email address is not guessed, it is harvested when a correspondent gets a virus, or whatever and eventually it starts getting spam. Now *senders* can do something. Since spam is increasingly advertising illegal activities, it should be easier to make rules to prevent them from getting email accounts and access to email servers or to cut them off at the first report.

OTOH, many receivers who are server admins hardly ever see any spam since they have blocklists that filter out spam. Some of them don't even feel responsible for stopping spam from leaking out of their networks via bots as long as their mail servers are clean. They don't have any interest in the plight of those who still have catchalls enabled and don't filter spam out. And there are those who think that there is never any reason for reading a spam so if you discover it was particularly nasty, that's your own fault for reading it.

IOW, it may be an interesting exercise to try and guess how a spammer could have gotten your 'special spamcop email address' but whatever the outcome, it really isn't of any interest to the 'pragmatists' who run the email servers or the end users who have no control over their email servers. And, it doesn't contribute anything to a practical solution of preventing spam from clogging inboxes since even if it was hijacked, as you said, even that can happen to the best of us, and it doesn't prevent it from happening again to know that it has happened.

I forget whether you have officially notified spamcop by filling out a webform on the official pages or emailing the deputies, but there was one of you who did and the deputies were not any more helpful than this thread has been and not in the least alarmed - at least in the email that was quoted.

IOW, probably several people will continue to put forward theories and be willing to discuss your problem. If you were wanting to alert official spamcop, just remember that those who are answering you are not official.

Miss Betsy

They got that string from somewhere.
Yep, they sure did. I gave you one possible explanation (which I consider to be the most likely, based on my own experience and my reading of trusted sources). You reject it. That seems to be the end of this particular conversation, at least from my end. I hope you'll find your answer elsewhere.

-- rick

I assume/hope that your URL is for another account type.
That's correct. The "mailsc" URL is for SpamCop Email Service account holders. You have a "Reporting Only" account and can't log in via the "mailsc" directory.

- Don D'Minion - SpamCop Admin -

They got that string from somewhere.
On the bright side, they didn't get it from SpamCop. There isn't any way for anybody to find out what address is registered with us unless you personally reveal it as the "Full Name" you send out on your reports.

Your reports go out using a "From" address like this:

From: "Chris" <3212345678[at]reports.spamcop.net>

Occasionally, a user will cleverly put their email address into the "Full Name" setting so that their reports go out with their email address displayed in the "From" field:

From: "MyEmail[at]address.com" <3212345678[at]reports.spamcop.net>

- Don D'Minion - SpamCop Admin -

...I bet that's more information than you wanted! Apologies for all the screed, but I thought I should supply this stuff for completeness' sake....
:D Thanks, appreciated. Looks like you're pretty secure. Nothing's bulletproof, as you say but the odds of some snoopware laying you open wouldn't seem to be high. I do see an amount of spam with apparent tracking capability built into the code - nothing like that coming my way at the moment (to the extent that my kindly ISP allows) but it happens from time to time. But even that wouldn't explain how 'they' could hit right on a single address in isolation when you don't allow SMTP address verification and don't reject bad addresses. There would have to have been random tries in the background at some stage in support of any conceivable harvesting attack. But you don't recall any such events. I'm stumped.

Yep, they sure did. I gave you one possible explanation (which I consider to be the most likely, based on my own experience and my reading of trusted sources). You reject it. That seems to be the end of this particular conversation, at least from my end. I hope you'll find your answer elsewhere.

I'm grateful for the information you supplied, and for your efforts. As it appears to irritate you so much that I still have doubts about your dictionary scan theory, perhaps it's for the best that you've decided to drop out of the thread. As a 40-year IT veteran, I have experience of my own to bring to this issue.

CD

Folks, I think I have all the info I was hoping for.

My primary goal in piling into this thread - triggered by the receipt of this nasty mail - was to find out if any others were receiving spam to unique addresses registered with SpamCop. That goal has been realised. I'm reassured from all directions that my greatest fear - that SpamCop's list could have been hijacked - is groundless. Good.

All things considered, I suspect that the most likely explanation is an old workstation (now a Domain Controller). I believe this machine was hacked at one point years ago. Perhaps my old inbox was scanned.

I can handle one or two spams a year coming to that mailbox. I don't use SpamCop reporting anymore, as my multiple mailboxes seem to bother the system. I'll just add the cdspamcop address to the reject list.

Grateful thanks to everyone who helped. Dawkins bless you all.

CD

Well, you have now heard from the person as high up the SpamCop chain as you are likely to see in these forums (SpamCopAdmin), and he agrees that it is not possible for the address to be found at spamcop. My address which is only used for my paid (email) account reporting has never been spammed and has been active for about 5 years now.

Folks, I think I have all the info I was hoping for.

My primary goal in piling into this thread - triggered by the receipt of this nasty mail - was to find out if any others were receiving spam to unique addresses registered with SpamCop. That goal has been realised. I'm reassured from all directions that my greatest fear - that SpamCop's list could have been hijacked - is groundless. Good.

Great. I've been curiously testing how spammers respond to knowing who I am and that I report my spam here. The phishers very quickly took me off all lists, which suggests there were few of these and they could change their lists quickly. The fact that they sent a spurt of normal spam 'from me' just before removing me suggests they, too, are responsible for some normal spam.

All spam I've now been reporting and examining. Though this month has produced only about 200 spam letters, a little graph theory suggests they come from three organizations, two affiliated. One sends spam from Estonia through Arabia, with a website in Russia; the affiliate sends mail from Turkey and has websites in China; and the unrelated one is in South America, sending mail from Colombia with websites in Korea. Supporting this is the fact that each day, I seldom receive two letters from the same countries or on the same subject: it's as if one very well organized group is distributing their letters for maximal effect.

What is slightly confusing is whose DNS is correct. Resolving names from Florida, California, and Washington don't always agree. This tool I've been using to examine my spams suggests many websites designed to collect your credit card have been in existence for a year or more, and many are owned by a single 'corporation' who lives on one continent, has a server on another, and whose (50 or more) ISPs are on others. (I've even received some spam sent from cell phones.) I greatly admire SpamCop for attempting to figure all this out:

http://www.domaintools.com/

My other tool, I'm embarrassed to write, is this ISO site of country abbreviations:

http://www.iso.org/iso/country_codes/iso_3...de_elements.htm

Today I received twice as many spams as on any other day, and one was 'sent from me'. This may be a sign that someone took notice. So, if you never read another post by me, you can assume a denial-of-service attack; otherwise, it should be interesting to see if the spam suddenly stops, as the phish did.

I have noticed that there are now more random characters at the ends of subject lines: perhaps this is done to everyone whom they want to verify as a nuisance (though my name is on each report).

I'm pleased to read that you have found how spammers learned of your address. This has piqued my interest in learning what spammers will do if they learn of my reporting them to SpamCop.

It's interesting to report that not a single spam, from a Mum in England wanting to chat with someone to a pharmaceutical corporation apologizing for spam falsely selling its products (sent by me :-) was a legitimate advertisement. I've asked myself why spam would be worth writing. It has occurred to me that the same people who post flawless phish also post ads, with many spelling errors, selling diplomas and prescription narcotics. Makes me wonder whether amateurish ads aren't written for adolescents who have access to their parents' credit cards.

Rapakiwi

Good for you Rapakiwi, just keep an open mind. Many people get fascinated by "the mind of the spammer", but few are the resulting insights and fewer yet are any accruing benefits AFAICT. Rule #1 ("Spammers lie") may be more rigorously applicable than most of us can understand. And spammers act "stupidly". Evidently the unit cost of most of the junk is so low that no "business plan" as such (or any sort of attention to detail) is necessary, maybe it is actually counter-productive in the mainstream botnetted environment. Which is fortunate for them (not being the sharpest tools in the shed) though very few of them seem to make even the undemanding grade for this "trade". Unfortunately for us there are more than enough replacements coming on stream to replenish these "lusers".

But yes, there is some evidence of exceptions, the "targeted spam" operators and some few of the phishers/other phishers, etc.

But yes, there is some evidence of exceptions, the "targeted spam" operators and some few of the phishers/other phishers, etc.

Perhaps, but when dealing with confidence artists, my interest is more in the purposes of each act rather than in the mind of a sociopath. For example, I assume having to replace [DOT] with a period is to hide the web site from, say, SpamCop, rather than worry about a transient web site being hacked. Consequently, I do insert a period before having it processed.

Examining this month's spam is an experiment that might help resolve the effect of a spammer's knowing the name and email of someone reporting everything to SpamCop. The month isn't over yet. However, the conclusions may be of little benefit if only two or three organized groups are targeting Dartmouth alumni; and the statistics do suggest that.

Assuming this, I have to answer the question of why a very organized group (and when I see that a spamming corporation owns 100 websites under that name alone, I think organized) would send very professional spoofs for bank account information, home-written looking ads for 'prescription drugs' in exchange for a credit card, and illiterate ads for university diplomas in exchange for one's name, address, & phone number?

Is this stupidity or is it specific marketing to those with bank accounts, those with access to credit cards, and those who skipped four years of school looking for a peer who is selling diplomas. Could the same people, for example, have written all the (few) original letters I see? If stupidity, no; if cleverness, yes.

It's true I tend to see obscure relations among things, but that was my job. The only way I know of to conclude whether this is cleverness or stupidity is to know how successful it is. That I do not know. I do read, however, that identity theft is very profitable.

When a spammer has a server in Puerto Rico, connected to an ISP in China, and SpamCop complains to Russia, I can't really think 'stupid'. I do think 'rich'.

Rapakiwi

Your Rule #1 did catch me off guard: every single unsolicited advertisement was spam with undoubted criminal intent. Wow!

For example, I assume having to replace [DOT] with a period is to hide the web site from, say, SpamCop, rather than worry about a transient web site being hacked. Consequently, I do insert a period before having it processed.

Can't let that one go by without comment. Even with the expanded data inserted into the Wiki version of the SpamCop FAQ entry Material changes to spam, this action can result in damage to your Reporting Account.

Can't let that one go by without comment. Even with the expanded data inserted into the Wiki version of the SpamCop FAQ entry Material changes to spam, this action can result in damage to your Reporting Account.

AH ... good trick on their part. I read carefully the page you reference, but the few bad examples did materially change the content of the letter. If someone can manually interpret JavaScript, it wasn't clear to me then that I couldn't manually interpret the parsing rule 'replace [DOT] in the following web site address with a period' from SpamScript, and the site 'www.scam[DOT]com' was manually interpreted by me as 'www.scam.com'. While it's true this is not JavaScript, I'm not sure my interpretation is any less accurate.

Can you promise it will cause damage to my Reporting Account? I've not had success in forwarding spam, so I've copied & pasted each from source. This month has been a lot of work, I could use a forced vacation. :-)

What is the appropriate procedure for handling [DOT], for example? SpamCop didn't recognize these as web sites; and I've considered the web sites much more important to close than mailing addresses. (My interest is not so much in eliminating spam from my box as in doing my bit to reduce identity theft.)

Thanks very much!

Rapakiwi

Can you promise it will cause damage to my Reporting Account?
Yep, I can promise that. :-)

When I catch people altering spam to make SpamCop "find" something it ordinarily couldn't, I routinely suspend their reporting privileges.

The way to handle the "DOT" problem is to convert the URL to the proper syntax, and then open another window to SpamCop and enter the URL in our web form. When you hit the "Process" button, SpamCop will find a reporting address that you can use to send a personal report, or if you have a Paid Subscription, you can go back to the window where you're processing the spam, and use the address to have SpamCop send a "User Notify" report to it.

- Don D'Minion - SpamCop Admin -

....I've considered the web sites much more important to close than mailing addresses. (My interest is not so much in eliminating spam from my box as in doing my bit to reduce identity theft.)

Closing the source address or alerting other server admins to a source to block is effective in reducing identity theft because end users don't see the spam and so can't get sucked in.

However, if you are interested in closing spamvertized websites, it is much more effective, IMHO, to use Complainerator (found in the software form here) though some people swear by Knujon. I have my doubts about the latter. Another way to help the gullible is to look for email addresses in 419 spam and do manual reports to shut them down.

IMHO, however, it will be impossible to eliminate the criminals. It is a very lucrative business. Therefore, the best defense is to stop them from reaching their target which is to block them at the server level.

Miss Betsy

Closing the source address or alerting other server admins to a source to block is effective in reducing identity theft because end users don't see the spam and so can't get sucked in.

However, if you are interested in closing spamvertized websites, it is much more effective, IMHO, to use Complainerator (found in the software form here) though some people swear by Knujon. I have my doubts about the latter. Another way to help the gullible is to look for email addresses in 419 spam and do manual reports to shut them down.

IMHO, however, it will be impossible to eliminate the criminals. It is a very lucrative business. Therefore, the best defense is to stop them from reaching their target which is to block them at the server level.

Perhaps. If possible, it would solve your problem: an overabundance of spam.

My Mac's several mail accounts all use different spam blocking procedures, courtesy of the ISPs. One I ask to be sent through to me, though marked. This is the account I use to collect spam for SpamCop.

Still, when I receive mail from someone I haven't written, it goes into one of two folders: unsolicited mail marked clean (likely from old colleagues - for I never had friends) or mail marked spam in another folder. My Mac lets me browse these without graphics being shown, automatic downloads being activated, or other code being executed. The few that I want, I can just click 'not spam', and they will be added to my 'safe' list of senders.

Still, an overabundance of spam takes from all our pockets, because the cost of sending an individual letter isn't paid for by the spammer (as paper junk mail is): it's paid for by everyone. This is a good reason to eliminate spam: its nuisance properties and mailing costs. I shall check out the software you mention first, thank you!

However:- :-)

1. Previous to this month's test, I had reported only phish, malicious spam. I did this for years by myself, before I discovered SpamCop. However, every innocuous looking spam letter I examined this month has been malicious. Every one! Now I'm thinking of joining (though I have no income) and forwarding or otherwise automating the reporting.

2. Spam wouldn't be mailed if it wasn't successful. That is, if it didn't steal bank account information, credit card information, and name, phone number, and address (to augment the previous). The results of this can destroy a person or family utterly. When Scotland experienced the crime of mass murder, they found the perpetrators by having their detectives coordinate efforts with detectives in other countries. Why can't this be done to find perpetrators of mass destruction, without violating privacy rights?

3. When I have received a spam letter, thousands (millions?) of others have already received it. When it was phish, I stopped my work to spend an hour tracking down the web site and informing the administrators immediately, to shut it down before people lost their savings. I didn't go after the sender. I assumed the same site was sent to many other people.

4. Though I've not clicked any of the hyperlinks, every one will likely do more than ask for personal information: they will, I assume, attempt to install malware on my computer. If successful, this will allow the spammer to send mail from my computer.

5. Instead of having a dedicated mail server, which could easily be shut down, a 'botnet' of a million computers (and this is a reasonable number) will send malicious spam whose intent is to steal identities and create more spam mailers. The only site they all have in common (relatively common) is the web site that does the real harm.

6. You see my reasoning. If I report you, or a proxy server at the Red Cross, as a spammer, I will at least alert both of you to check your computers; or, at most, shut down a spammer's misuse of a proxy server. All those who have already received the letter, however, will not be helped; and many more little spamming sites may grow from this web site.

7. Now, I can twist my mind into understanding why SpamCop might not want to consider the target of a hyperlink an abuser if the hyperlink 'isn't there', made extant only by my editing. Spammers could place honest, 'munged' hyperlinks in a tenth of their mail, and the one who made it genuine might (with an amazingly twisted, narrow view of law) be guilty of a crime.

However, this seems a hollow argument: spammers could just as easily include actual, honest, hyperlinks and even falsify the actual sender to be a local politician before an election, for example. I shall ask the administrator to clarify why spammers can be allowed to succeed in all this and remain anonymous just by adding [DOT] to their web sites.

So, all the above was to answer your question of why I had preferred to go after the web site rather than the mailer. My reasoning could be flawed, for I'm new to cyber-crime (except for software vulnerability).

Rapakiwi

PS. You get that much spam? Have you coughed up $30 to have it filtered by the SpamCop Blocking List?

Yep, I can promise that. :-)

When I catch people altering spam to make SpamCop "find" something it ordinarily couldn't, I routinely suspend their reporting privileges.

The way to handle the "DOT" problem is to convert the URL to the proper syntax, and then open another window to SpamCop and enter the URL in our web form. When you hit the "Process" button, SpamCop will find a reporting address that you can use to send a personal report, or if you have a Paid Subscription, you can go back to the window where you're processing the spam, and use the address to have SpamCop send a "User Notify" report to it.

Sorry to bother you, but - if you read my letter to Miss Betsy - you'll understand my confusion. First, it might be nice to clarify this to all contributors as unacceptable: a 'material change' in the letter.

It has been a strain reporting all my spam by copy & paste. Though I used to resolve spoofs & phish myself, and send personal warnings to the banks (which are still difficult to contact). Clearly I can't do this for other kinds of spam, though innocuous-looking spam letters may cause lesser monetary losses, but affect more people, because of its quantity. Miss Betsy, however, pointed me to some software.

A hyperlink to a web site in spam is, essentially, malware delivered by email. If not, botnets would not have over a million zombie computers in them. Clearly SpamCop would like to remove malware, as my ISP does, so it would be nice to know why you choose only to 'kill the messenger', as Shakespeare wrote.

If spam were sent from botnets, created by web sites with [DOT] or a similar spelling variant, how effective would SpamCop be?

Perhaps only I am confused. More and more I've found law and common sense conflicting. If this is a fine reading of the law, as parsed by spammers' litigation attorneys, is there any reason the law(s) should not be changed? If the law prevents SpamCop from reporting spam after computers at SpamCop 'convert the URL to the proper syntax', shouldn't it prevent me from doing just that?

Admittedly, it takes human intervention to replace the [DOT] with a period; but it also takes human intervention to click a hyperlink.

Thank you very much for clarifying this to all contributors!

Rapakiwi

There are probably a lot of different reasons why no 'material changes' to spam are allowed.

There is no law on the internet. There is only etiquette. And there is no 'force' - one can do what one wants to and can't be prevented except by denial of internet access. When there is only etiquette, and no way to 'force' someone by law, then you either go along with the accepted 'rules of the road' (MX and DNS and all that technical stuff that permits computers to talk to one another) or you can't connect. If someone doesn't like your website or your email, then he doesn't have to go to it or he can refuse to let it appear in his inbox.

My server, my rules (spamcop says no material changes, that's the way it is) and if you have a problem with that, it is your problem, not mine. If I have a problem because of my rules keeping me from communicating with the rest of the internet, then it's my problem, not anyone else's. Only the *sending* computer can stop spam from being sent. If the sending computer owner is irresponsible or ignorant, then it's not my problem. I can't force them to change. However, if they want to communicate with me, then they will have to change their modus operandi.

Miss Betsy

As Miss Betsy says - probably a number of reasons. But as Don (SC staff) said, and the one thing that has been said by all the SC staff consistently, the first commandment, "Thou shall not alter thy spam to 'help' the parser". That should be very clearly understood.

Then, considering that spam reports are evidence-based - if you start altering the evidence, where does it end? SC's reputation relies on users sticking to the rules. Undermine that and there is nothing, SC would be better off without reporters at all (just spam traps). OK, the spam may be 'altered' in the course of its travels and during the parser processing but that is 'programic', (more or less) predictable and replicatable.

The two things you are allowed to do are mask/mung(e) your email address - including the LH part of it if appearing in isolation - in headers or spam body if the parser doesn't pick it up (IF you know what you are doing, I think is the standard admonition) and you can add a comment - like [no body] to manufacture a body in real 'no body' spam (documentation on that point controversial in past times but now authoritative).

Is there any confusion now? Those are the relevant 'rules' by which you agree to abide if you use the SC reporting service. Very important.

Is there any confusion now? Those are the relevant 'rules' by which you agree to abide if you use the SC reporting service. Very important.

I'll be returning to Dartmoor after I file my report at the end of the month (whose content will surprise you). However, where did you read the rule above other than the post you refer to?

The actual document, posted in preparation for a pan-galactic bypass, gave as an example of a 'material change' the addition of a From line where it was not in the real header. That could screw things up, I agree. It also stated that, because SpamCop doesn't have a JavaScript parser, I could interpret the JavaScript manually.

Well, munged URLs were designed so computers could not parse & interpret them, only humans can. So, I did. Now I just watch SpamCop fail, but I suggest it's failing because they already know the site in Argentina hosting all sites munged with a [DOT]. That would have been a clarification.

Here's the original, which SpamCop parses as www.hitoferaf and fails:

- Visit our site: www.hitoferaf[DOT]com

(copy this link then replace "[DOT]" to ".")

Here's my change after it fails:

- Visit our site: www.hitoferaf.com

(copy this link then replace "[DOT]" to ".")

Where are we now? We clearly followed the second line to the letter, so SpamCop could also help close the web site down. Do you honestly think someone who does this should be returned to Dartmoor?

I'll offer an imaginary clarification: 'You need not clarify obfuscated lines that SpamCop appears unable to interpret. We examine each and modify our parser daily; or, we recognize the obfuscated line and choose to not report it, for reasons that are good ones.'

Watch it fail and do nothing to help. Watch crimes occur and do nothing to help. Watch people be hurt and do nothing to help. Twenty years ago I gave up a teaching career at a university because essentially all the students wanted only a diploma and to be told what they needed to do to get one: no one came to learn how to think for themselves and question the reasoning behind statements of 'fact'.

Miss Betsy's letter didn't really need a commentary for me to understand: shut up or get out. I'm getting out and writing my own Unix scripts to send off letters. Oh, and I won't be leasing a large, dynamic blacklist that doesn't profit from shutting down spammer's web sites.

Rapakiwi
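
The "[DOT]" handling discussed in this exchange, as an added example that is not part of any post in the thread and is not SpamCop's code: it leaves the spam text byte-for-byte unchanged and pulls the de-munged URLs into a separate list, matching the separate web-form submission Don describes. The sample message, the `example.*` hosts, the bracket spellings other than "[DOT]" and all function names are constructed for illustration.

```python
import hashlib
import re

# "[DOT]" is the spelling from the thread; the other bracketed forms are
# assumed variants of the same trick.
DOT_TOKEN = r"(?:\[\s*dot\s*\]|\(\s*dot\s*\)|\{\s*dot\s*\}|\[\.\])"
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"

# Host labels joined by real dots or dot tokens, optional scheme and path.
MUNGED_URL = re.compile(
    rf"(?<![a-z0-9@.-])"                  # not mid-word, not an e-mail domain
    rf"(?P<scheme>h(?:tt|xx)ps?://)?"     # http(s):// or defanged hxxp(s)://
    rf"(?P<host>{LABEL}(?:(?:\.|{DOT_TOKEN}){LABEL})+)"
    rf"(?P<path>/[^\s\"'<>)]*)?",
    re.IGNORECASE,
)

# A matcher that only understands literal dots, to show what it would see.
PLAIN_HOST = re.compile(rf"(?<![a-z0-9@.-]){LABEL}(?:\.{LABEL})+", re.IGNORECASE)


def naive_hosts(body):
    """Hosts found when only literal dots count: munged links get truncated."""
    return PLAIN_HOST.findall(body)


def extract_munged_urls(body):
    """Return de-munged URLs found in body, without modifying body."""
    found = []
    for m in MUNGED_URL.finditer(body):
        host_raw = m.group("host")
        if not re.search(DOT_TOKEN, host_raw, re.IGNORECASE):
            continue  # ordinary URL, nothing was hidden
        host = re.sub(DOT_TOKEN, ".", host_raw, flags=re.IGNORECASE).lower()
        tld = host.rsplit(".", 1)[-1]
        if not (tld.isalpha() and len(tld) >= 2):
            continue  # does not end in something shaped like a TLD
        scheme = (m.group("scheme") or "http://").lower().replace("hxxp", "http")
        found.append({
            "raw": m.group(0),                       # text exactly as received
            "url": scheme + host + (m.group("path") or ""),
            "offset": m.start(),                     # where it sits in the body
        })
    return found


def build_report(raw_spam):
    """Keep the spam as evidence, unchanged; list URLs for separate submission."""
    return {
        "evidence": raw_spam,
        "evidence_sha256": hashlib.sha256(raw_spam.encode("utf-8")).hexdigest(),
        "separate_url_submissions": [u["url"] for u in extract_munged_urls(raw_spam)],
    }


# Constructed sample message (not real spam).
SAMPLE_SPAM = (
    "Subject: great offer\n"
    "\n"
    "- Visit our site: www.example[DOT]com\n"
    '(copy this link then replace "[DOT]" to ".")\n'
    "Mirror: hxxp://login.example[.]org/verify and shop.example(dot)net\n"
    "Contact: someone@example.com or http://plain.example.com/\n"
)

if __name__ == "__main__":
    report = build_report(SAMPLE_SPAM)
    print("dot-only matcher sees:", naive_hosts(SAMPLE_SPAM))
    print("evidence sha256:", report["evidence_sha256"])
    for url in report["separate_url_submissions"]:
        print("submit separately:", url)
```
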

I didn't say anything about 'shutting up and getting out'. What I said was that 'shutting down' websites is not the 'internet' way of operation. Web site owners can include in their Terms of Service that spammers cannot use their block of IP addresses. However, there are irresponsible and ignorant web site owners who do not want to stop spammers from operating. There is nothing that can be done about that because there are web sites that some people do not want to see published and to make 'laws' about what can be published and what cannot be published is censorship.

The way the internet works is that one can refuse to accept email from irresponsible and ignorant people who allow spamming. One can not force them to stop spamming, but one cannot be forced to accept their spam also.

The main focus of spamcop, which I thought you probably knew, since you are researching, is to stop the source of spam, not those websites that are advertising via spam. In the beginning, reports were sent to 'educate' and 'warn' those email servers that were sending spam that spam was coming from those email servers and would be blocked by other email servers until the spam stopped. It was worthwhile to report also to spamvertized sites because many did not know that unsolicited email was not a good idea or how to build a mailing list that did not have addresses on it who did not want to be on the list. In those days, there were many 'innocent' people who were using mailing lists that bothered many people with unsolicited email.

Today, however, there are only ignorant people who spam 'innocently' - the part of the parser that deals with spamvertized sites is low priority for spamcop program coders because almost all spamvertized websites are operated by those who intend to spam. They create hundreds of sites to keep ahead of filters and of being shut down. They use bots and other means to deliver the spam. They use stolen credit cards to pay for the sites and they use false information when they register them. To shut them down is called playing 'Whack a mole' because one gets shut down and they register another. That's why some people think that it is more effective to attack them through the registrar who is supposed to maintain accurate information.

There can be porn sites and sites on how to make bombs and sites preaching weird religious practices as long as they don't advertise via spam. Nobody can force a person to go to them.

Stopping spam from being sent can only be done by the person in control of the computer it is being sent from or by the internet service provider who refuses to connect that computer. Spammers have taken control of many computers without the owner's knowledge and criminals can always find an internet service provider that is greedy enough to take their dollars to connect and turn a blind eye to their activities.

Therefore, the way to stop spam is to prevent it from entering one's inbox. There may be 'trusted' senders and eventually a 'safe' neighborhood maintained by those who are polite to one another for email. But there will always be the 'other side of town' where it is not safe. That's why the source IP address is so much more important than the website IP address.

You cannot stop people from being ignorant or greedy. The 419 scams wouldn't be so lucrative if they didn't find people who are greedy - people who are educated and should be able to understand that it is not wise to take part in something shady. You can't stop people from being naive and gullible in spite of the fact that it is common knowledge about how criminals send email phishing for your credit card numbers.

You can offer ways to protect them - such as spam filtering and free anti viral programs. But it is their problem if they don't listen or avail themselves of the filtering or the warnings about criminal spam. You can't stop website owners from buying 'guaranteed 100% optin' lists. But it is their problem if they use them and get their web access denied and the email from their email servers blocked by receivers.

Recently, there was an article in the local newspaper about a woman who smelled something fishy about an email. She eventually decided to send a Western Union money order for $1 just to let the guy know she was wise to him. The clerk said that there had been several people who had sent the requested amount that day. Now, wouldn't it be more effective to 'protect' people to have information on typical scams and maybe even 'scam of the day' posted at the Western Union office - the way anti-viral people post information about current viruses? It would also have been effective to report the IP address so that no more people received the scam. In this case there was no spamvertized site.

All I am saying is what has been discussed at length in many topics on this forum. I didn't mince words because I assumed (always a bad thing) that since you were a researcher, you had read those topics.

It is a different opinion than yours. But you can take it or leave it or argue the opposite viewpoint. It won't change how official spamcop interprets the 'no material changes' rule. Neither you nor I can do anything about how spamcop decides to interpret that rule, but argue against it. spamcop can, and will, revoke your reporting status if their rules are not followed (my server, my rules). But my post, in no way, suggests that you should shut up or leave this forum. No one can 'force' you to change your mind and that's the beauty of the internet.

Miss Betsy

However, where did you read the rule above other than the post you refer to?
The rules are in the FAQ linked at the top of the page,

SpamCop Parsing and Reporting Service,

Rules - everybody read! (recent changes made ... you may need to re-look)

-----> Material changes to spam

-------> Material changes to spam - Updated!

The first Material changes section has your exact issue, and I quote (color is mine):

SpamCop does not decode JavaScript because it does not have its own JavaScript interpreter. Unless you can properly decode the JavaScript, even what you see may not be correct. Do not make any changes to the spam to cause SpamCop to report addresses, links or URLs that are contained within the JavaScript, decoded or not.

This is in the "Original FAQ" located on the SpamCop servers. The FAQ in the Wiki, which can be modified and kept up to date, also has that information as well as updates from discussions with SpamCop staff.

Final test: Did your change find a link that was not found before the change... if so, then it is against the rules.

I'll offer an imaginary clarification: 'You need not clarify obfuscated lines that SpamCop appears unable to interpret. We examine each and modify our parser daily; or, we recognize the obfuscated line and choose to not report it, for reasons that are good ones.'

Watch it fail and do nothing to help. Watch crimes occur and do nothing to help. Watch people be hurt and do nothing to help. Twenty years ago I gave up a teaching career at a university because essentially all the students wanted only a diploma and to be told what they needed to do to get one: no one came to learn how to think for themselves and question the reasoning behind statements of 'fact'.

This is completely covered in the opening statement of both pages linked above:

SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

Oh, and I won't be leasing a large, dynamic blacklist that doesn't profit from shutting down spammer's web sites.

Use of the SpamCop blocklist is free... no lease is needed.

And SpamCop's primary purpose is NOT to shut down websites, but to shut down the SOURCE of the spam so the links to those websites are never seen, rendering them useless.

Share this post


Link to post
Share on other sites
The rules are in the FAQ linked at the top of the page,

SpamCop Parsing and Reporting Service,

Rules - everybody read! (recent changes made ... you may need to re-look)

-----> Material changes to spam

-------> Material changes to spam - Updated!

<SNIP, SNIP>

Final test: Did your change find a link that was not found before the change... if so, then it is against the rules.

This is completely covered in the opening statement of both pages linked above:

SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

Use of the SpamCop blocklist is free... no lease is needed.

And SpamCop's primary purpose is NOT to shut down websites, but to shut down the SOURCE of the spam so the links to those websites are never seen, rendering them useless.

There was an experiment once done with cats, I believe. They were raised in an environment with all vertical stripes. When then placed in one with horizontal stripes, they didn't see them: they didn't see what didn't make sense. I'm guessing some other people, too, are like cats. I could easily read all the carefully written instructions and fail to recognize those that go against common sense.

It's true that 99% of people have been trained to follow instructions without thought. Some people, those whose brains constantly judge and question, color what they read by what they anticipate will be the 'right thing' to do.

Submitting spam only before following what the letter instructs us to do, before clarifying a URL that was designed to defeat SpamCop's mechanical parser, before being able to report the only URL in the letter known to be genuine, may not make sense to that select 1% of the population; and they may miss it, though it is written as clearly as it is. All that will help these miscreants is, I suspect, to clarify why this is bad. Repeating is not clarifying. Speaking more loudly, with harsher punishments, is not clarifying. 'SpamCop does what it does and doesn't do for a reason.' Perhaps they should know exactly what this reason is. If it's a matter of National Security (as many things are these days), perhaps one can just mention in the brief introduction (for some do have lives) that 'You may see our parser fail to resolve certain addresses, and the natural tendency of some might be to ... ; but ... .'

The web site address is the only one in any spam that is known to be genuine. Some people who are afflicted with self thought might not understand that 'throwing out the baby with the bath water' is good, common sense. Explaining that SpamCop's purview is not web sites doesn't address the above problem, it just adds a second.

Your parser finds clear web sites and sends reports to their supervisors. When it attempts to remove the 'obfuscation' of these sites and fails, it may not seem reasonable to some to not help because SpamCop does not want to report web sites, when it clearly does not exclude them from being parsed, interpreted, and reported. (We're confusing two separate things, as you know.)

Strange as it seems, it may seem to some that (since the obfuscation was designed for humans to remove), they should actually help SpamCop by manually correcting the URL. Increasing the severity of the punishment won't help these 'normally challenged' people.

Thank you for your careful reply; and sorry for thinking the SCBL cost a fee.

Rapakiwi

When taking out your appendix, would you rather have your neighbor do it, following written instructions by the foremost experts; or would you trust it to be done better by an everyday physician, one who understands the reasons the human body works as it does?

Share this post


Link to post
Share on other sites
I didn't say anything about 'shutting up and getting out'. What I said was that 'shutting down' websites is not the 'internet' way of operation.

Thank you for your kind explanation of how the internet works. The main focus of spamcop, which I thought you probably knew, since you are researching, is to stop the source of spam, not those websites that are advertising via spam. Are they really different?

Though I may be a researcher, I have a life; and it's not researching spamcop. However, I took a day off to explore how much of my spam is from 'zombies', and whether it may come from the same servers that host the web sites in the spam. This is hardly definitive, but it's mildly interesting.

Thought I would take a glance at some spam I just picked at random. What is interesting about these is that, I can understand a zombie computer stripping the mailing agent's identification (Microsoft loves little Xes), or just not having any. But, after the letter is sent, other computers often scribble on the bottom of the envelopes. Yet, every envelope, from Seoul to Delhi, had only and exactly the following marks on it:

Mime-Version: 1.0

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

X-Priority: 3

X-Msmail-Priority: Normal

X-Mailer: Microsoft Outlook Express 6.00.2900.3138

X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.3198

Doesn't it seem strange that people in Thailand and Turkey all use the ISO-8859-1 character set? Especially when the mail appears to be sent from the World's largest cities, using dynamically allocated ip addresses or internet cafés, in countries that use a different character set? If the spammer added the above, why? It's not visible in the header.

If various spammers added the lines above, for some reason (for they can be stripped), why didn't at least one computer scribble something of its own on the bottom of the envelope? I sent many letters to myself (not that this is my life) and every mailer added its own little Xed comments.

The source of the letters couldn't be the same servers that house the web sites? Well, we know the web sites' ip addresses with complete certainty. No, that would make their mailers (ip domains) easy targets for blacklists. Still, why not look at most of this week's spam: that which I ignorantly allowed SpamCop to report for a couple of days.

Subject lines and arrival dates

0. Subject: Best of Adidas, Coach, UGG today

1. Subject: Best of Hermes, Dsquared, Versace today

2. Subject: to bathurst today

3. Subject: Best of Chanel, Burberry, UGG today

4. Subject: Best of Hermes, Paul Smith, Versace 1 day ago

5. Subject: Best of Chanel, D&G, UGG 1 day ago

6. Subject: Best of Prada, D&G, Versace 2 days ago

7. Subject: Best of Bally, Dior, UGG 2 days ago

8. Subject: Best of Hermes, D&G, UGG 5 days ago

Sender's possible ip, ISP, and number of users that ISP has

0. Received: from 125.031.137.100 Seoul Cable TV network: 16,128

1. Received: from 059.095.036.149 New Delhi Backbone 6,553,600

2. Received: from 124.121.010.212 Bangkok ISP 16,128

3. Received: from 190.174.197.079? Buenos Aires Telefonica de Argentina

4. Received: from 124.121.126.088? Bangkok ISP 16,128

5. Received: from 122.163.204.142? Delhi AirTel Broadband 655,360

6. Received: from 059.092.198.020? Chennai India's Backbone 6,553,600

7. Received: from 088.241.190.119? Balikesir Turktelecom's DHCP DSL

8. Received: from 088.227.85.213 Samsun Turktelecom's DHCP DSL

Question mark means ip was labeled 'possibly forged' by the mailer.

Populations of cities mail may have been sent from

0. Seoul, South Korea 23 Million

1. New Delhi, India 320,000 (14 Million)

2. Bangkok, Thailand Over 8 Million

3. Buenos Aires, Argentina 13 Million

4. Bangkok, Thailand Over 8 Million

5. Delhi, India 14 Million

6. Chennai (Madras), India 7.5 Million

7. Balikesir, Turkey 650,000 (near Istanbul, & Greece)

8. Samsun, Turkey 725,000 (on Black Sea, shared by 8 countries)

Result of reports of the above senders to SpamCop

0. Blacklist Status: Clear

1. Blacklist Status: Clear

2. Blacklist Status: Clear

3. Blacklist Status: Clear

4. Blacklist Status: Clear

5. Blacklist Status: Clear

6. Blacklist Status: Clear

7. Blacklist Status: Clear

8. Blacklist Status: Clear

Web sites SpamCop didn't report

0. - Visit our site: www.fanleost[DOT]com 'Fan Leos t'

1. - Visit our site: www.fanleost[DOT]com 'Fan Leos t'

2. - Visit our site: www.vawwosoft[DOT]com 'Va w Wo Soft'

3. - Visit our site: www.fanleost[DOT]com 'Fan Leos t'

4. - Visit our site: www.anwaspe[DOT]com 'An Wasp E'

5. - Visit our site: www.norokuse[DOT]com 'No Rukus E'

6. - Visit our site: www.dimaeine[DOT]com 'Di Ma Eine'

7. - Visit our site: www.dimaeine[DOT]com 'Di Ma Eine'

8. - Visit our site: www.hitoferaf[DOT]com 'Hito Fe Raf'

Store names and years they've been doing business

0. Website Title: Exquisite Footwear & Bags CLOSED

1. Website Title: Exquisite Footwear & Bags 03 days

2. Website Title: All popular OEM software for PC and MAC 04 days

3. Website Title: Exquisite Footwear & Bags 03 days

4. Website Title: Exquisite Footwear & Bags 03 days

5. Website Title: None 29 days

6. Website Title: None 15 days

7. Website Title: None 03 days

8. Website Title: Not known 02 days

Store's locations

0. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)

1. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)

2. IP Location: Thrunet Co. Ltd, Kyonggi-do (Seoul), South Korea

3. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)

4. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)

5. IP Location: New Generation Technology, Ltd., Hong Kong

6. IP Location: New Generation Technology, Ltd., Hong Kong

7. IP Location: New Generation Technology, Ltd., Hong Kong

8. IP Location: Guizhou (Southern China) & Zhenjiang (near Nanjing)

None are blacklisted, so how is business?

0. Domain Status: On Hold (generic)

1. Domain Status: On Hold (generic)

2. Domain Status: Registered and Active Website

3. Domain Status: On Hold (generic)

4. Domain Status: Registered And Active Website

5. Domain Status: Registered and Active Website

6. Domain Status: On Hold (generic)

7. Domain Status: On Hold (generic)

8. Domain Status: On Hold (generic)

Those who registered the clever names above

0. Registrant: Forex Hosting, Taubaté, Brazil (Sao Paulo)

1. Registrant: Forex Hosting, Taubaté, Brazil (Sao Paulo)

2. Registrant: "PrivacyProtect.org" PO Box 97, Moergesstel, NL (821,591)

3. Registrant: Forex Hosting, Taubaté, Brazil (Sao Paulo)

4. Registrant: Forex Hosting, Taubaté, Brazil (Sao Paulo)

5. Registrant: Shichun Wang, kunming Yunnan 346892 (420)

6. Registrant: He Yong, haidingqu Beijing 100086 (1,716)

7. Registrant: He Yong, haidingqu Beijing 100086 (1,716)

8. Registrant: He Yong, haidingqu Beijing 100086 (1,716)

Note that registrant 2 refuses to be contacted by mail. :-)

* Was Dynamic Dolphin, Inc. 5023 W 120th Ave, Broomfield, CO, USA until suspended a few minutes ago. Now owned by He Yong.

Now, let's go shopping! [CHILDREN UNDER THE AGE OF 100 SHOULD NOT PERFORM THE FOLLOWING STUNTS EVEN UNDER AN ADULT'S SUPERVISION!] (My computer is as secure as most servers, for that was once my job.)

My running shoes were looking a bit shabby, so I thought I'd shop at 'Fan Leos t'. To my surprise they sold luxury shoes, so I settled for a $165 pair of Prada loafers. Indeed, when paying, the web page changed to 'Infinity Secure', making me feel better, though it was still the same site. It was a very professional, beautiful and elegantly written site; but a bit slow, though it was hand written in 1999 HTML. I was surprised that I was now shopping at Infinity Secure, 17 Bank Street, Ottawa, CA.

When I attempted to pay for my new Pradas, and the 'Insured Express Courier Delivery'. The $10 extra for shipping outside the USA, Canada, or the UK wasn't charged me, since the shoes were coming from Canada. But, funny thing: an examination of the website with a spam tool showed no outgoing links. They must encrypt email to Canada; but wait, I thought the Chinese government prohibited that.

The consumer links made me feel safe: ScanAlert's Hacker Safe, GeoTrust, Verified by Visa; but the links didn't work. Oh, that's because of the absence of outgoing links. However, nothing bad came to my computer, except a cookie...or several. (Lucky I had archived them before going there with my browser, which I set to identify itself wrongly.) I attempted to trace the site, to verify that it was Chinese: it was, and it kept the browser connection open indefinitely, as it scanned all of my computer's ports.

Because I was a bit uncomfortable knowing that my life's history, and especially that of my credit card, was needed for a discount purchase, I thought I should email the 'contact us' link. However, 'luxuryshoes.com', in Canada, was apparently owned by Liu Bing of Changsha, Hunan (who owned 2633 other internet stores), yet chose to have his email account in Istanbul, where his ISP provider is Istanbul Telekom. Strange, those in the US, Canada, the UK, and even China are closer. Well, the 'Great Firewall' is an inconvenience.

Istanbul. Isn't that near Balikesir, where my spam advertising 'The Best of Bally, ..,' came from? Coincidence, perhaps, though I was fortunate that this Adidas store sold Bally and Prada shoes! Lucky me! However, I decided to only 'window' shop today.

Rapakiwi
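The header comparison described in the post above, as an added example that is not part of the original thread: it hashes the client-side header block quoted there and groups messages by that fingerprint, so one template arriving from several unrelated source IPs stands out. The sample messages, the documentation-range IPs, `mx.example.net` and all function names are assumptions; zero-padded octets such as those in the post's list are read as decimal.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string

# Client-side headers the post lists as identical on every message.
TEMPLATE_HEADERS = ("mime-version", "content-type", "content-transfer-encoding",
                    "x-priority", "x-msmail-priority", "x-mailer", "x-mimeole")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def normalize_ip(text):
    """Strip zero padding ('192.000.002.010' -> '192.0.2.10'), octets read as decimal."""
    octets = [int(part, 10) for part in text.split(".")]
    if len(octets) != 4 or any(o > 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {text!r}")
    return ".".join(str(o) for o in octets)


def source_ip(msg):
    """IP recorded by the topmost Received header, the one our own server added."""
    received = msg.get_all("Received") or []
    match = IP_RE.search(received[0]) if received else None
    return normalize_ip(match.group(1)) if match else None


def header_fingerprint(msg):
    """Hash the template headers in the order they appear, whitespace collapsed."""
    parts = [f"{name.lower()}:{' '.join(value.split())}"
             for name, value in msg.items() if name.lower() in TEMPLATE_HEADERS]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()[:16]


def cluster_by_template(raw_messages, min_sources=2):
    """Map fingerprint -> sorted source IPs, keeping templates seen from several hosts."""
    seen = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        ip = source_ip(msg)
        if ip:
            seen[header_fingerprint(msg)].add(ip)
    return {fp: sorted(ips) for fp, ips in seen.items() if len(ips) >= min_sources}


def make_sample(ip, mailer="Microsoft Outlook Express 6.00.2900.3138"):
    """Constructed message carrying the header block quoted in the post."""
    return (f"Received: from unknown [{ip}] by mx.example.net; Mon, 1 Jan 2001 00:00:00 +0000\n"
            'Mime-Version: 1.0\nContent-Type: text/plain; charset="iso-8859-1"\n'
            "Content-Transfer-Encoding: 7bit\nX-Priority: 3\nX-Msmail-Priority: Normal\n"
            f"X-Mailer: {mailer}\n"
            "X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.3198\n\nbody\n")


# Constructed inputs: documentation-range addresses, two of them zero-padded.
SAMPLES = [
    make_sample("192.000.002.010"),
    make_sample("198.51.100.77"),
    make_sample("203.0.113.005"),
    make_sample("192.0.2.10"),  # same host as the first once padding is stripped
    make_sample("198.51.100.200", mailer="ExampleMailer 1.0"),  # different template
]

if __name__ == "__main__":
    for fingerprint, ips in cluster_by_template(SAMPLES).items():
        print(fingerprint, len(ips), "distinct sources:", ", ".join(ips))
```

A fingerprint shared across many unrelated networks is a content-filtering signal that complements per-IP blocklisting, since each individual source may still show as clear.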
