karlisma

Internal spamcop handling: (level3)
see Found by searching on 'Yum'

Spamcop sometimes handles spam in a special way internally at the request of server admins or for other reasons. I don't know what that means, but if I were to look at it, I might be able to give an educated guess (or perhaps some other poster will). Usually anything 'internal' at spamcop is not explained in detail.

Wazoo's guess from another post: Kind of guessing here, as I think the words are a bit out of context ... Level3 is a bandwidth provider, in addition to being an ISP, Hosting, and other big-money stuff. I believe you are talking about an address specified by Level3 to directly accept SpamCop reports, rather than being mixed in with all the other traffic to the normally used abuse address.

From a more official post: Level3 is a tier one backbone. I think what you are referring to is an address of the format <something>[at]admin.spamcop.net? That means that the ISP has asked us to send reports to a secret address and so use the [at]admin.spamcop.net domain and then route internally to the appropriate address.

Found these by searching on 'internal spamcop handling'

I don't mean to be snippy since usually I don't have such good luck when I am looking for something! If I am learning to be a better searcher, maybe you can also.

Miss Betsy

As Miss Betsy posted some special handling. When I follow your link and read the parsing I see the following:

abuse[at]level3.net redirects to abuse[at]level3.com

I know this ISP's abuse address:level3[at]admin.spamcop.net

Message is 8 hours old

I would think that I know this ISP... is instructive.

and - Yum - that spam is fresh! all the time? c'mon.

No not all the time. It does depend on how often you report spam. Some new spam may have arrived at your ISP just after the last time you checked and some could have arrived just before you checked your mail. I am a bit anal about reporting but try to get other things done. When I report, say every 2 hours, I get some that are "Yum - that spam is fresh! Message is 0 hours old" and some that are "Message is 4 hours old" (No 'Yum' this is fresh).

what does this mean? (searched, could not find the answer)

Why am I sending a Report to SpamCop?

and - Yum - that spam is fresh! all the time? c'mon.

You submitted your spam e-mail within two hours of when the parser determines you received it. You got the "yum" message from the parser, the Reports going out would have a "RECENT" tag inserted into the Subject: line to indicate that a possible spam-run was in progress.

Aha, that great talk about what each single word means. Thank You for being so patient explaining this.

Can anybody stitch this all together?

The spam from that block of ips is frequent and fresh almost all the time, it even has some internal handling... though it spits and spits. As it looks from here: ISP doesn't care. That was why I even tried to ask.

and I know this ISP... is instructive... say what?

Aha, that great talk about what each single word means. Thank You for being so patient explaining this.

Can anybody stitch this all together?

After all the provided explanations, words, links .. what exactly are you now asking for?

The spam from that block of ips is frequent and fresh almost all the time, it even has some internal handling... though it spits and spits. As it looks from here: ISP doesn't care. That was why I even tried to ask.

Level3 is absolutely huge, but in your example, they are not the actual "primary" responsible source ... and that source does appear to be non-responsive.

and I know this ISP... is instructive... say what?

I can make no sense out of that at all .... is this some kind of question?

'I know this ISP' is instructive - means that if the parser says "I know this ISP" (actually a comment printed when certain conditions in the code are met), then it means that the people who wrote the code really do know who the ISP is, have talked with a representative from the ISP, and found them to be someone who is going to get special treatment - probably because they are cooperative, but another piece of code might separate the good from the bad for different kinds of special treatment. I don't think that experienced reporters often see known spammers as being recognized in this way so it probably means that the ISP is being cooperative and that's why he is getting special treatment. Also generally, non-responsive abuse addresses are handled by the code as going to devnull.

It may not seem like it to you who, apparently, are getting repetitive spam. However, Level 3 is a very large organization. The actual spammer may be the customer of a customer of a customer of Level 3. If a server admin actually sees a spam leave the server and has had the forethought to include no spamming clause in the contract, then he can cut the connection to the internet right then and there. However, perhaps he sees that it can be corrected, that it probably is not deliberate. Then he might email them and explain what needs to be done. Suppose the customer doesn't understand the first time around - 'What! I never would send spam. You must be mistaken.' Then another round of emails or phone calls would ensue before the server admin just cuts the connection or the customer understands. Multiply that by several layers, each time 'cutting the connection' means cutting service to hundreds, thousands of customers who are not spamming, and perhaps you can see why although Level 3 is apparently cooperative, nothing has stopped the spam.

Now the above is pure guess on my part, gleaned from other discussions and from the little bit I know about how code works, how the internet is constructed, and how some server admins who have gotten blocked by spamcop react.

Miss Betsy

'I know this ISP' is instructive - means that \snip

This reminds me of a cassette tape that made the rounds in SEA. The tape "was" an interview of a fighter pilot 'assisted' by a Public Information Officer. The one joke, with variations, was repeated several times:

(interviewer) "What was your mission today Captain?"

(Pilot) "We went up there and bombed the [at]#&% out of those $$^*#[at]."

(PR officer) "What the Captain meant to say was 'After careful analysis of the strategic targets, we proceeded...'"

This all goes to show I did take English as a second language. Thanks Miss B.

PS Contact me offline for an explanation of what a cassette tape is/was.

PS Contact me offline for an explanation of what a cassette tape is/was.
Only those who know what a cassette tape is/was, will be protecting their keyboards! I am glad you are around tonight - that made my heart a lot merrier!

Miss Betsy

Oh, thank You, Miss Betsy. (I adore your patience).

I understand about level3 and its universe-like behavior.

In my report, I hope everybody could see those other addresses like kayit[at]turkline, iletisim[at]turktelekom. Which are very repetitive. Every single day.

And the question to explain is more like... Why they have special treatment at spamcop, and why they spit and spit?

In my report, I hope everybody could see those other addresses like kayit[at]turkline, iletisim[at]turktelekom. Which are very repetitive. Every single day.

And the question to explain is more like... Why they have special treatment at spamcop, and why they spit and spit?

I have no idea where your "special treatment" concept comes from. The only Tracking URL you provided deals with a single IP Address. With no other data provided, the assumption would have to be that your "repeated" spam is actually coming in from different IP Addresses. Take a look at SenderBase Report on IP address: 85.110.165.145 and look at all the data provided on pretty much the whole range of IP Addresses they 'control' .....

Your first question about Level3 handling has pretty much been answered. Your last question about an ISP/Host really needs specific data that probably reflects the multiple/probably many IP Addresses involved in sending you your spew. The multiple/many IP Addresses would tend to explain the lack of a SpamCopDNSBL listing, which is (somewhat) explained in the SpamCop FAQ and SpamCop Wiki .. links provided at the top of this very page. You will note that your Topic-starting IP Address is currently not listed in this BL, and that the SenderBase page seems to reflect that traffic from this IP Address has halted (the last day traffic showing as zero.) In this case, it appears that someone actually did something.

Her special treatment comment comes from my explanation of what could be happening. There are ISPs who are cooperative and ask spamcop to send reports to a specific abuse address so that they can be handled faster than the regular abuse traffic. ISPs who show themselves uncooperative often have the reports going to devnull which means they don't get the report, but the report is counted on the blocklist. So there are two kinds of 'special treatment'.

It sounds like, from what Wazoo said, that the spam is maybe coming from rotating IP addresses. The process of stopping them is called 'whack a mole' (after the problems in catching moles which have extensive underground trails to multiple holes. Stop one hole and the mole will burrow out another.) OTOH, the OP examples in the last post are /email addresses/ - which are not looked at by spamcop at all so what is being seen may be lists that are being used by multiple people.

Like 'locks only keep honest men out' - reports only are useful when sent to responsible server admins, who don't get them very often, if ever, and only if a mistake has been made on their part in preventing spammers from using their services. Reports going to irresponsible and many times criminal elements don't stop much of anything except when the reports are used to create a blocklist which responsible server admins use to stop spam from those IP addresses from entering their email system.

Miss Betsy

Which is why they are so hard to stop! I don't know very much about the 'fast flux botnet'. The way I understand it is that they use one, then stop so that IP address isn't blocked, then another, then another. The Russians, apparently, do not want to stop them so the only thing to do is to use a blocklist that keeps them listed all the time. End users do not get a choice of blocklists to use unless they buy a program.

Miss Betsy

http://www.senderbase.org/senderbase_queri....110.165.0%2F24

...every single address... every. Same with 88.240.x.x etc. ...

Looks like snowshoeing - http://www.spamhaus.org/faq/answers.lasso?...on=Glossary#233 - but can also be used that way by a merely clueless owner who does not know a better way to stay out of blacklists. That /24 is a long way from being the worst for spam - http://www.spamcop.net/w3m?action=map;net=...65535;sort=spam (they don't appear amongst the worst of the bad).

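The pattern discussed in the posts above (spam spread thinly across many addresses of one block, so that no single IP draws enough reports to stand out) can be looked for by counting reports per /24 instead of per IP. This is an added example, not part of the original thread and not SpamCop's code; the report counts, thresholds and function names are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: (source IP, number of spam reports seen).
# Addresses come from the RFC 5737 documentation ranges.
REPORTS = [(f"198.51.100.{n}", 3) for n in range(10, 18)]  # 8 IPs, 3 reports each
REPORTS += [("203.0.113.7", 40),   # one noisy IP
            ("192.0.2.10", 2)]     # background noise


def per_ip_hits(reports, threshold=10):
    """IPs whose own report count reaches the (assumed) per-IP threshold."""
    totals = defaultdict(int)
    for ip, count in reports:
        totals[ip] += count
    return sorted(ip for ip, total in totals.items() if total >= threshold)


def group_by_network(reports, prefix=24):
    """Map each enclosing network to {ip: report count}."""
    nets = defaultdict(lambda: defaultdict(int))
    for ip, count in reports:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets[net][ip] += count
    return nets


def find_snowshoe(reports, threshold=10, min_ips=5, prefix=24):
    """Networks where every IP stays under the per-IP threshold, yet at
    least min_ips distinct addresses together reach that threshold."""
    findings = []
    for net, per_ip in group_by_network(reports, prefix).items():
        total = sum(per_ip.values())
        spread_thin = max(per_ip.values()) < threshold
        if spread_thin and len(per_ip) >= min_ips and total >= threshold:
            findings.append((str(net), len(per_ip), total))
    return sorted(findings)


if __name__ == "__main__":
    print("per-IP view :", per_ip_hits(REPORTS))
    print("per-/24 view:", find_snowshoe(REPORTS))
```

The per-IP view only surfaces the single noisy address, while the per-/24 view surfaces the block whose individual addresses each stayed under the threshold.
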
Looks like snowshoeing - http://www.spamhaus.org/faq/answers.lasso?...on=Glossary#233 - but can also be used that way by a merely clueless owner who does not know a better way to stay out of blacklists. That /24 is a long way from being the worst for spam - http://www.spamcop.net/w3m?action=map;net=...65535;sort=spam (they don't appear amongst the worst of the bad).

These reporting addresses on those IP Blocks appear since I am reporting spam. More or less - every two days (of course, you can say I have déjà vu). You can say they are not the worst, though - they have a long-lasting continuity.

Clueless owner with so wide address blocks? Turkish Telecommunications? C'mon. :)

These reporting addresses on those IP Blocks appear since I am reporting spam. More or less - every two days (of course, you can say I have déjà vu). You can say they are not the worst, though - they have a long-lasting continuity.

Clueless owner with so wide address blocks? Turkish Telecommunications? C'mon. :)

Just saying there are worse around - http://www.spamhaus.org/statistics/countries.lasso

Doesn't *really* matter how bad they are - some of the 'worst' by personal standards of people writing in these forums are hardly heard of by other people. What turns sheeple into reporters (and stronger activists) is being bothered by their 'own' spammers past the point of endurance. By all means feel free to despise Turk Telekom. SenderBase sees them send about 316,000,000 messages a day - that's more than 4 per man, woman and child there (and I'm guessing most don't even have a computer). Maybe they deserve your wrath. :D
