[Resolved] Why must I verify spam reports only on SpamCop?

[Rapakiwi]

Dear spam Cops,

Can I forward my spam to SpamCop and not have to log-on to review it?

If I must log on, I might as well just copy the source to the (CastleCops-like) windows it provides, as I always did. Such added effort only makes sense to me if I report all spam only once daily, after the computer boots in the morning. Only then would it be reasonable to take the time to log into SpamCop by browser, verify all my reports, & mail them. This is not good for SpamCop.

Why SpamCop needs Rapid Reporting

Mozilla's (platform-independent) Thunderbird lets me instantly classify spam & forward various kinds (phish, for example) to various organizations ('Phish' can be a group of collected addresses). Or, I can mail everything in my junk folder to various agencies, then delete it (with the press of a toolbar button from 'Habu'). At the moment, my computer's voice tells me that spam has arrived, and within a minute I can examine it safely (blocking MIME), classify it, & forward it to an appropriate agency.

But I don't believe I can do this with SpamCop because of my having to start my browser (which must swap out Thunderbird) and examine SpamCop's report. However, I want to use SpamCop to get phish and illicit sites off the internet as fast as possible!

I'm only a scientist with little time to report my research, not a full-time cop. If I must decide between reporting my research or spam reports, I'll naturally chose the thing only I can do. However, using free services on the internet means, to the internet citizen, one helps as much as one benefits. There are many spam reporting organizations that I can easily zip a letter to; but they likely only rapidly take down phishing sites. (KnujOn, however, wants to kill lethal medicinal sites, which prey upon us poor.)

SpamCop & KnujOn Complement One Another

The aged may remember that in posts long ago I had mistakenly been attempting to use SpamCop to perform the services of KnujOn. KnujOn appears interested in illicit spam, preventing the stealing of identities (and USD 600 million per annum, and lives taken by counterfeit medicines). However, the wheels of justice grind slowly (if at all). Reports of KnujOn's becoming personae non grata at ICANN are most encouraging, however. (Jon Postel is likely rolling in his grave at ICANN's choice to ignore crime.)

SpamCop blocks spam, quickly: as a side-effect, it reports the site's activities (to everyone up to ICANN, I wish) in a letter. I don't know whether it places the illicit store's site on the SCBL before it can claim more victims; but I hope it does. Both KnujOn's and SpamCop's services are important for me to use.

Using Apple Mail & Thunderbird

To report spam quickly & easily on my little Mac (running 10.4.11), I've installed two mailing agents: Apple Mail (for my spam-free accounts) and Thunderbird (for my unhappy spam-trap). Apple mail is unique in that its Junk folder allows the viewing of mail, yet avoids web bugs and malware. However, unless one is running MacOSX 10.5, it won't forward dangerous HTML mail, even as an attachment. This is an Apple Mail problem.

Thunderbird announces when spam arrives (using GrowlMail, though it can do this itself), and the combination ClamXav Sentry & Growl throws up a persistent warning screen that prevents my opening a letter (RFC822.eml) tainted by mailware, or has even a phishy smell.

Thunderbird for MacOSX

http://www.versiontracker.com/dyn/moreinfo/macosx/20359

Thunderbird for Portable Drives

http://www.versiontracker.com/dyn/moreinfo/macosx/29719

The Ease of Selectively Reporting to Knujon, FTC, SEC, FDA, ACMA, DSLReports, Millersmile, &c: Knujon.net has, well, nine mailing addresses, which I symbolize by a one-word 'Tag': Phish, Drugs, Counterfeits, &c, and Unknown. Because Thunderbird's Junk folder doesn't protect one, I turned off all associations of MIME objects (photos, movies, hyperlinks) but plain text.

1. Knujon on Thunderbird

I rapidly view the text in each spam and tag it according to Knujon's classification. Then I view letters of one tag, such as 'Phish', select them all, and forward them as attachements to, for example,

Phish <phishing[at]coldrain.net>

which Thunderbird fills in itself from my 'Collected Addresses'. The 'Sent' folder records what I have reported. This takes less than a minute for three or four spams. Note that I have already carefully examined the spam. Anything not spam I have moved to the Inbox, anything questionable I just deleted. On the toolbar, just above the list of letters, I've placed 'Tag', 'Forward', & 'Report' (by Habu).

The Habu Thunderbird Add-On

https://addons.mozilla.org/en-US/thunderbir...abu&cat=all

2. SpamCop on Thunderbird

After reporting this, I was hoping to select all letters in my Junk mailbox, forward them to my special e-mail address at SpamCop, then move them to the Trash. (An add-on by Habu will mail all letters in the Junk folder to any combination of these: address of your choice, SpamCop, KnujOn, various US governmental organizations, and the Australian government. Then Habu will discard all the spam.) No reporting organization requires further action on our part ...but SpamCop.

This is a Problem

SpamCop's requiring further action is a problem because some of us haven't much of a life left. I should be willing to contribute a book (USD 15) for the ability to check 'Don't send report to From address', 'Don't send report if address may be forged', 'Don't send report to hyperlinks', 'Don't report sites in one's host country' &c. In other words, I should like to make 'safe' choices in advance, assuring that only proper reports are sent, any questionable ones not.

Is there some reason why SpamCop can't do this (forcing its own choices if necessary)? Those with time will likely customize their reports, as is now required. Other organizations seem to post-process what they receive, taking on this burden themselves. (Many, of course, are financed by taxes.)

Is this available Now? Suggestion.

At the moment, security sites and computer companies recommend users trash their spam. Were SpamCop to make such an option available, everyone could click (for example) Habu's green dot on the toolbar to automatically report spam before trashing it. (Wow!) The default choices of 'Rapid SpamCop' could include 'Don't send any reports', until the user logs in and reads the instructions about releasing each default restriction imposed by SpamCop on 'safe' reporting.

It would also be nice, after an illness, to ship everything to SpamCop and have them choose among the twenty reports, ignoring old ones while sending the new ones. (I've noticed that spammers are dating letters in advance, so your mailer will open them first; and dating some '1976', so SpamCop will ignore them. I should have to take the time to examine the complete envelope before knowing whether to send this to SpamCop or not. Other organizations deal with them.

Because my little iBook must swap a mailing agent and browser, I should like to set up an account on SpamCop described above, so I can report spam as I do to other reporting agencies. Is this possible? As mailing agents add features, such as safe viewing in the Junk folder, they could add a button like Habu's. It might be a good idea to prepare for this.

Thanks

[dbiel]

Topic moved from SpamCop Email System & Accounts forum to the SpamCop Reporting Help Forum as this is a reporting issue and not an email issue.

For a better understand of how SpamCop works I would suggest stating at the following wiki page: The SpamCop.net Reporting process and following the links for additional information as desired.

[Wazoo]

Quick Reporting

[Farelf]

...(I've noticed that spammers are dating letters in advance, so your mailer will open them first; and dating some '1976', so SpamCop will ignore them. I should have to take the time to examine the complete envelope before knowing whether to send this to SpamCop or not. Other organizations deal with them....

Earlier responses deal with the substance of your posting, I'm just cherry-picking this one point - the SC parser will never be fooled by a forged date (even if your email client is). The header segment used by SC to determine age will depend on whether or not you have mailhosting established for your reporting account (mailhosting is mandatory for quick reporting) but essentially the spammers would have to have control of the server SC trusts for that purpose and that would be an actual time stamp, not something inserted by the spammer's mass-mailer application.

The proof of the pudding being in the eating - just (promptly) submit them, they should be handled just fine. Mine were but I doubt I got more than one a month or about 0.3%, back in the days when my ISP would actually allow me to receive spam. And I don't think it is a spammer ploy - but I may be wrong.

[Rapakiwi]

Quick Reporting

Gotcha!

Rapakiwi

[Rapakiwi]

Topic moved from SpamCop Email System & Accounts forum to the SpamCop Reporting Help Forum as this is a reporting issue and not an email issue.

For a better understand of how SpamCop works I would suggest stating at the following wiki page: <SNIP, SNIP>.

Thanks for finding the right spot. My post was long because I combined my query about whether SpamCop is going to change its procedures (hint, hint) with a contribution to (at least) Mac users.

Though I do indeed find SpamCop's organization and documentation too sophisticated and often too technical to follow, I knew the answer: 'of course not'. I appreciated and read the hyperlinks your recommended.

The spam that comes to me is extremely professional, designed to look amateurish - to appeal, I suspect, to a specific kind of person. Last night I personally examined the envelopes from yesterday's spam, all illicit.

All the letters appeared to be from illicit ISPs (or mail servers, at least), and most all the originating ip addresses appeared forged. Every 'From', 'Reply-To', and 'Return-Path' were bogus. Two were from 'me'. The letter titled 'High-quality service is guaranteed' was labeled as comaror.kr by the mailer, but the ip address reported it from kornet.kr. Consequently, I don't think 'Quick SpamCop' is for me.

In contrast, the enclosed hyperlinks were genuine. Reading the letter immediately opened a web page on a Hong Kong server (owned by Typhoon Games, Ltd), which bounced me to a web store on an ISP in San Mateo, California (owned by Xo Communications, in Herdon, Virginia) that sells 'sex-enhancing' drugs. Because the recipient (I) live in Northern California, this fact is useful. (In contrast, the 'Canadian Pharmacy' store in rural Romania, bounced to by a computer in China (with no websites itself), mailed to me from an American insurance company apparently situated in Vietnam is of less use.)

As Miss Betsy knows, my silly idea was to use my illicit spam to report & expose these websites until the cost of moving them exceeds profits gained from emptying American bank accounts and credit companies. For, to quote ICANN,

'APNIC does not operate networks using this IP address range and is not able to investigate spam or abuse reports relating to these addresses. For more help, refer to http://www.apnic.net/info/faq/abuse.'

Because 'Quick SpamCop' would, in my case, serve no purpose but to blacklist myself, this query is resolved only in the sense that I can't help anyone by using its services, so I cannot use it nor expect to in the near future.

Thank you for the useful information, however.

Most sincerely,

Rapakiwi, PhD

[Rapakiwi]

<SNIP> The header segment used by SC to determine age will depend on whether or not you have mailhosting established for your reporting account (mailhosting is mandatory for quick reporting) but essentially the spammers would have to have control of the server SC trusts for that purpose and that would be an actual time stamp, not something inserted by the spammer's mass-mailer application.

That's good to read. All my 'Received' lines end in dates (which helps me find forged ip addresses). The warnings in the 'Quick SpamCop' documentation suggested the 'Return-Path' and even 'From' might be used to determine the mailer. So, I expected the worst.

<SNIP, SNIP> The proof of the pudding being in the eating - just (promptly) submit them, they should be handled just fine. Mine were but I doubt I got more than one a month or about 0.3%, back in the days when my ISP would actually allow me to receive spam. And I don't think it is a spammer ploy - but I may be wrong.

It occurred to me that it could be just a dead watch battery :-) , but all my spam comes, I suspect, from illegal ISPs.

Found something possibly great since I posted. If I ctrl-click on an illicit website, a contextual menu pops up with the option 'Report E-mail Scam'. This takes one to this site, which includes reporting sites deleterious to the user's experience:

http://www.google.com/safebrowsing/report_phish/

Of course, clicking an illicit gmail site will not bring it up. :-) (Before SpamCop came, I had dreadful times working with Google's 'security'.) I've not checked whether this will help people who are tempted to click on an illicit site, whether it will prevent java scri_pt from opening one, and whether the sites are reported to any profit-free internet crime organizations; but the sudden interest in removing these sites from search engines (though not domain servers), I find very encouraging.

In the year 2000, the United States had the opportunity to create a cooperation among law enforcement agencies in all countries, and to and harass international crime syndicates of all kinds. If these were preoccupied with rapidly moving from country to country, they might have less time to organize & execute criminal activities. Perhaps later.

My best,

Rapakiwi

Paroled from Dartmoor

[Wazoo]

Though I do indeed find SpamCop's organization and documentation too sophisticated and often too technical to follow,

Not much help with no specifics offered. The majority of the FAQs and Wiki entries were developed by other users. A Dictionary and Glossary were populated, now incorporated into the Wiki. If there still remains specfic items that are not yet resolved, bring them up (in the appropriate Forum section and Topic.)

All the letters appeared to be from illicit ISPs (or mail servers, at least), and most all the originating ip addresses appeared forged. Every 'From', 'Reply-To', and 'Return-Path' were bogus. Two were from 'me'. The letter titled 'High-quality service is guaranteed' was labeled as comaror.kr by the mailer, but the ip address reported it from kornet.kr. Consequently, I don't think 'Quick SpamCop' is for me.

I do not believe that there is anyone here that would know just what your knowledge and skill set might be for reading and parsing a set of e-mail headers. Without a Tracking URL being provided, there's no way that anyone can analyze your suggested "error" ....

In contrast, the enclosed hyperlinks were genuine. Reading the letter immediately opened a web page on a Hong Kong server (owned by Typhoon Games, Ltd), which bounced me to a web store on an ISP in San Mateo, California (owned by Xo Communications, in Herdon, Virginia) that sells 'sex-enhancing' drugs. Because the recipient (I) live in Northern California, this fact is useful. (In contrast, the 'Canadian Pharmacy' store in rural Romania, bounced to by a computer in China (with no websites itself), mailed to me from an American insurance company apparently situated in Vietnam is of less use.)

Terminology is yet another issue. A web-site doesn't "bounce" anythng. Assumedly you are talking about some kind of redirection, a function that can be 'supplied' to your browser in several different ways.

my silly idea was to use my illicit spam to report & expose these websites until the cost of moving them exceeds profits gained from emptying American bank accounts and credit companies.

Reporting is one thing, actually only useful (in stopping the spam) if the hosting ISP actually gets involved.

"Exposing them" requires some kind of definition. I really can't think of any user I've dealt with that would look up a URL on some kind of "don't go there" before clicking or typing someting into the address line on their browser. Yes, some browsers (and add-in toolbars, plug-ins, etc.) offer up some phishing, porn, etc. type checks, but this doesn't directy relate to your "exposing them" phrase.

For, to quote ICANN,

'APNIC does not operate networks using this IP address range and is not able to investigate spam or abuse reports relating to these addresses. For more help, refer to http://www.apnic.net/info/faq/abuse.'

This looks more like some kind of reporting error on your part. APNIC does not run "the world" ...???

Because 'Quick SpamCop' would, in my case, serve no purpose but to blacklist myself,

There most definitely needs some kind of explanation. "Blacklisting myself" sounds exactly like yet another user Reporting error, perhaps a MailHost Configuration of your Reporting Account screw-up ...????

this query is resolved only in the sense that I can't help anyone by using its services, so I cannot use it nor expect to in the near future.

So much data that you suggest you looked at and yet you make this statement ...??? Apparently you missed the details on the SpamCopDNSBL, which may folks (to nclude ISPs) use to help manage their incoming.

[rconner]

In contrast, the enclosed hyperlinks were genuine. Reading the letter immediately opened a web page on a Hong Kong server (owned by Typhoon Games, Ltd), which bounced me to a web store on an ISP in San Mateo, California (owned by Xo Communications, in Herdon, Virginia) that sells 'sex-enhancing' drugs. Because the recipient (I) live in Northern California, this fact is useful. (In contrast, the 'Canadian Pharmacy' store in rural Romania, bounced to by a computer in China (with no websites itself), mailed to me from an American insurance company apparently situated in Vietnam is of less use.)

As Miss Betsy knows, my silly idea was to use my illicit spam to report & expose these websites until the cost of moving them exceeds profits gained from emptying American bank accounts and credit companies. For, to quote ICANN,

'APNIC does not operate networks using this IP address range and is not able to investigate spam or abuse reports relating to these addresses. For more help, refer to http://www.apnic.net/info/faq/abuse.'

XO is a huge wholesale network provider. Perhaps they do "own" the ISP that hosted the store, but it might also be that the ISP simply contracted with XO for its connectivity. That ISP may itself not be directly connected with the spammers, other than having them as users (paid and above-board, or unpaid and undetected) of its services. Certainly, you are entitled to report the abuse of the address to XO (and to its "downstream" ISP), but it may be a bit of a stretch to say that they "own" the web store. I'm not sure what you mean by "illicit ISP," either -- a provider that supports an infected bot is certainly less than 100% free from negligence, but I wonder whether we can paint them as criminally culpable. Let's have an analogy: Avis rents a lot of cars every day. No doubt some of these cars are used to break traffic laws, or even for worse purposes (e.g., getaway cars for bank robberies). Does this mean that Avis is responsible for these acts? I think this would be stretching the point. Certainly we can report this abuse to Avis, and even sternly counsel them to be more careful to whom they rent cars, but I'm not sure we can say that Avis is an "illicit" car-rental firm, or that they "own" the criminal activity carried out in their cars.

APNIC is the regional internet registry for the Asia-Pacific region. Their job is to hand out IP addresses to top-tier providers in this region, who then resell them to downstream customers. It sounds like a cop-out to say that they have no responsibility for abuse, but that's the way the public net works (for good or ill). Another analogy: here in the U.S., the Federal Reserve controls the supply of U.S. dollars available to banks etc, and the Bureau of Engraving and Printing is responsible for actually producing the coins and bills that we use. If I decide to use some of their fine products in criminal activities (e.g., by paying someone to break into my neighbor's house), does this mean that they are responsible for my acts? If you wanted to nail me, you would get far better results reporting me to the police or the FBI rather than to the Federal Reserve or the Mint.

-- rick

[Rapakiwi]

Not much help with no specifics offered. <SNIP, SNIP, SNIP>

Yes, thank you, but I didn't post in the help section; so my message was in English.

I'm 'afraid' the stores of yesterday are gone today, so not much data is to be had. By 'expose', I suggest that reports to responsible ISPs unknowingly housing illicit stores (in the report to the store's contact) is 'exposure', for the store in San Mateo is gone today. 'Illicit' stores might be recognized, for example, by many consumer seals, all GIF images. I'm hoping, as you read earlier, to use 'Quick SpamCop' to send reports to web stores and their ISPs (and registrars, I wish). People doing this, I assume, is why these stores are so ephemeral.

I may answer some of your questions in my post below. However, I obtained my information by combining pieces of various SpamCop documents.

I'd like to emphasize to people that I never entered a store, but used ICANN's regional internet registry's servers to anonymously obtain information about other servers on the internet.

I shall give 'Quick SpamCop' another examination. Thank you!

Rapakiwi

[Rapakiwi]

XO is a huge wholesale network provider. Perhaps they do "own" the ISP that hosted the store, but it might also be that the ISP simply contracted with XO for its connectivity. That ISP may itself not be directly connected with the spammers, other than having them as users (paid and above-board, or unpaid and undetected) of its services. <SNIP, SNIP>

Well, that store closed its shutters; so I can't state who owned the ISP. I can say that I caught it while still alive, and I used the 'whois' internet service at APNIC and ARIN regional internet registries to find its physical location as best as possible. I certainly hope that ISP was not connected with the illicit store, using spamming as a delivery device. Otherwise, reports of the store's activities to its ISP would not help remove it. I wish to again emphasize to people that I never opened the door of any store.

By an 'illicit ISP', I refer to those who are connected with spammers. I didn't know these existed until I studied my spam before my absence. These might include ... well, all of mine: those who allow initial forged 'Received' lines, allow me to send a million letters a day, using 'TheBat!' ... you get the idea. My principal way of discovering these was not hard: one letter, posted from A, had a store on B; and another letter, posted from B had a store on A. Both mailing address & store changed their ips daily, but stayed on the same servers. Note quite that easy, but almost.

APNIC is the regional internet registry for the Asia-Pacific region. Their job is to hand out IP addresses to top-tier providers in this region, who then resell them to downstream customers. It sounds like a cop-out to say that they have no responsibility for abuse, but that's the way the public net works (for good or ill).

Why must it work that way? If it's rules have failed us, isn't it our responsibility to fix them? I am attempting to work within the current rules of this broken system, just to reduce a bit of personal tragedy. But, of course, there could be many 'me's. Aren't you a Mac user? :-)

Another analogy: here in the U.S., the Federal Reserve controls the supply of U.S. dollars available to banks etc, and the Bureau of Engraving and Printing is responsible for actually producing the coins and bills that we use. If I decide to use some of their fine products in criminal activities (e.g., by paying someone to break into my neighbor's house), does this mean that they are responsible for my acts? If you wanted to nail me, you would get far better results reporting me to the police or the FBI rather than to the Federal Reserve or the Mint.

Yes, but my neighbor doesn't live in China or Turkey. Consider the current locations of these domain servers, owned by XIN NET in Beijing:-

ns3.njdbidew.com. 170605 IN A 59.4.132.222 APNIC Korea's Korea Telecom

ns2.njdbidew.com. 170605 IN A 203.93.212.111 APNIC China's Nokia China Investment Company

ns1.njdbidew.com. 170605 IN A 190.17.129.108 LACNIC Argentina's Buenos Aires Cablevision S.a

ns4.njdbidew.com. 170605 IN A 85.196.248.75 RIPE Estonia's Parnu

One of the latest of the illicit web stores (selling just counterfeit items, for a credit card) immediately wanted to directed me to 'http://rhmj.tathem.cn' (though I didn't let it). The domain 'tathem.cn' (indeed owned by a company in Beijing), is today given by the above servers a block of ip addresses in Tennessee, owned by Charter Communications. I have no doubt you will tell me how responsible Charter Communications is. That's fine; but who just stole my bank account?

So, should one tell Charter they own a little bit of China, or should we send the FBI to Beijing?

I won't even get into IAP servers that intercept http requests and forward them to others, encircling the World and ending in a store in rural Paraguay. :-)

My quote from APNIC was just to remind us that there is no current way of eliminating international internet crime but the dissemination of information (in the way of reports) to the responsible (thank you, ICANN). KnujOn and others are apparently working with legal authorities. Some organizations need to inform abuse personnel as soon as possible. SpamCop does this if I use the copy & paste method, but not if I forward the spam to them. That was my original query: will this soon change?

Rapakiwi

[Wazoo]

Yes, but my neighbor doesn't live in China or Turkey. Consider the current locations of these domain servers, owned by XIN NET in Beijing:-

ns3.njdbidew.com. 170605 IN A 59.4.132.222 APNIC Korea's Korea Telecom

ns2.njdbidew.com. 170605 IN A 203.93.212.111 APNIC China's Nokia China Investment Company

ns1.njdbidew.com. 170605 IN A 190.17.129.108 LACNIC Argentina's Buenos Aires Cablevision S.a

ns4.njdbidew.com. 170605 IN A 85.196.248.75 RIPE Estonia's Parnu

One of the latest of the illicit web stores (selling just counterfeit items, for a credit card) immediately wanted to directed me to 'http://rhmj.tathem.cn' (though I didn't let it). The domain 'tathem.cn' (indeed owned by a company in Beijing), is today given by the above servers a block of ip addresses in Tennessee, owned by Charter Communications. I have no doubt you will tell me how responsible Charter Communications is.

Yet again, not enough actual data provided .. however, the most likely issue you are actually trying to describe actually sounds like what has been described/defined as a FastFlux botnet situation. The bottom line there is that there are simply too many ignorant users that have easy access to the Internet.

SpamCop does this if I use the copy & paste method, but not if I forward the spam to them. That was my original query: will this soon change?

This was not the subject matter of your initial post. As a matter of fact, I don't see this "failure" anywhere in your previous posts. Your "problem" seems to be that you agreed to review the parser results before actually sending out a Report on your spam submittal but you did not wish to honor that part of the agreement. The only difference between the cut/paste mode and the e-mail submittal mode (excluding Quick-Reporting) is that one is done real-time, the other is handled as a background process by the Parsing & Reporting system (though most folks seem to think that this is also done in real-time, getting excited if they don't receive a response in a matter of seconds.)

[Lking]

I shall give 'Quick SpamCop' another examination.

I don't think 'Quick' reporting will do what you want. Quick reporting only looks at the header of the reported spam, sending reports to the source of the spam, when it can be identified. It does not look at the body of the spam.

You seem to be more interested in the spamvertised sites in the body of the spam. Reporting these sites must included human intervention to assure that legitimate sites are not reported. I'm sure you have seen spam that includes references to, for example, "as seen in New York Times", with a link to the Times. If parsed automatically the link to Times would be included with other sites being reported. - That is of course why 'Submit' and cut & past processing require your verification of the reports before they are sent. This gives you the opportunity to 'un-check' reports for the Times.

As for reporting yourself, I think you need to re-read the references to configuring Mailhost in SC and re-read the references to forged FROM:, Reply-To: and Return-Path: and how they are not used by SC. If you properly configure Mailhost, SC can use that information so that your ISP (you) will not be included in reports generated for your review or sent by 'Quick' reporting.

[Miss Betsy]

I agree with Lou - spamcop reporting does not stop criminal activity. All it does is to provide IP addresses for server admins to use to prevent spam (criminal and otherwise) from being delivered to their inboxes.

In an indirect way, this helps the gullible and ignorant since they do not receive the spam if they are using an email service that filters effectively.

Using Quick Reporting would indirectly accomplish part of your mission . You would have to utilize other services to find and report spamvertised sites. As you point out, since spammers utilize websites and servers in different countries, it is very difficult to use law enforcement to shut them down. Usually, law enforcement requires a loss before they attempt to act. Some ISPs, such as Charter, might shut down websites engaged in illegal activity because it violates their terms of Service. However, their legal departments require certain proofs before they can act.

ICANN is considering new rules that would prevent registrars from doing some of the things that make spammers hard to track. This post by showker explains it New Rules

Miss Betsy

[Rapakiwi]

I don't think 'Quick' reporting will do what you want. Quick reporting only looks at the header of the reported spam, sending reports to the source of the spam, when it can be identified. It does not look at the body of the spam.

Yes, that's exactly what I read when I followed Wazoo's initial link to 'Quick SpamCop'.

must[/b] included human intervention to assure that legitimate sites are not reported. I'm sure you have seen spam that includes references to, for example, "as seen in New York Times", with a link to the Times. If parsed automatically the link to Times would be included with other sites being reported. - That is of course why 'Submit' and cut & past processing require your verification of the reports before they are sent. This gives you the opportunity to 'un-check' reports for the Times.

Exactly. That's the problem. My unhappiness, I suspect, is simply because I'm not thinking of other users. My situation is a good one.

First, I safely & carefully pre-examine everything I send to SpamCop. Most people can't safely open the letter. Next, being a member of the poor as well as ignorant, I no longer travel. Never have I received an e-mail with a hyperlink to a store outside the United States. However, were SpamCop to report hyperlinks in the body of the message, I should still check the (imaginary) option 'Don't report links to sites in my host country' (didn't I write that once before?).

What I was expecting from SpamCop was a way to easily report Canadian pharmacies in Russia to supervising officials. Though ICANN doesn't police, it does prohibit (by contractual agreement) 'FDA-Recommended Canadian Pharmacy' from moving its website if the owner has committed fraud. By initially clicking all the 'don't report if ..' safety options, SpamCop (would, in my imagination) initially send no reports to store's ISPs (as now).

This really isn't the problem, I suspect. The real problem may also be more than allowing ignorant people to use the internet. The real problem may be SpamCop's blacklist (someone will no doubt offer me the cognoscenti's acronym). Mailers always go down, and the mail is just stored (if possible) until it's up; but if a tiny home business is shutdown for more than a day, it could be devastating. This is why I, too, am not enthusiastic about blacklisting (greylisting) 'Mom & Pop' websites, while whitelisting corporate ones, as SpamCop appears to do (in a very reasonable manner).

Yet, I'm requesting the ability to shutdown a store be made even easier! Well, not really. I'm not interested (though I admire!) SpamCop's blacklist: I want only supervisors to know what they are, perhaps inadvertently, helping sell. It needn't even be reported as 'spam': it could be reported separately, to those supervisors who want to be informed: they could choose the urgency of the message. In this case, knowing that 'bookfinder.com' sells books is likely to cause no one harm.

This isn't SpamCop's mandate. SpamCop does one thing, and it does it extremely well. However, if you know where I can find another organization that can report illicit stores as fast as it does phish (or even general spam here), I should use it.

not[/b] used by SC. If you properly configure Mailhost, SC can use that information so that your ISP (you) will not be included in reports generated for your review or sent by 'Quick' reporting.

I shall. The documents were very vague. I'm never examined Mailhost simply because the first document said, as you do here, 'Quick Spamcop' uses only the envelope (header, for Wazoo), whereas, as you've noted, I want parts of the letter (body, for Wazoo) reported.

The specific question in my initial post you express very well. Thank you. The extended question is: Is SpamCop capable of changing, as the needs of us (ignorant masses) change?

Rapakiwi

[dbiel]

First, I safely & carefully pre-examine everything I send to SpamCop. Most people can't safely open the letter. Next, being a member of the poor as well as ignorant, I no longer travel. Never have I received an e-mail with a hyperlink to a store outside the United States. However, were SpamCop to report hyperlinks in the body of the message, I should still check the (imaginary) option 'Don't report links to sites in my host country' (didn't I write that once before?).

I am sorry, but your logic is only half right. I am sure you are checking what you send to SpamCop is valid spam; what also needs to be checked is to be sure that the parser is not sending reports to locations you do not want them to go to; that it is correctly identifying the source of the spam. IP addresses sometimes change, mailhosts can change, and they are not always picked up by SpamCop when that happens which can result in you reporting yourself. Not a good thing to do.

[Rapakiwi]

I agree with Lou - spamcop reporting does not stop criminal activity. All it does is to provide IP addresses for server admins to use to prevent spam (criminal and otherwise) from being delivered to their inboxes.

Ms Betsy,

Always a pleasure to hear from you. Thank you for clarifying Lou's opinion, which I somehow missed. I examined only about five spam addresses to conclude they were of little value. A while ago, if you remember, I examined dozens and found a strong correlation between web store ISP and spam sending ISP, which would make address reporting useful. Unfortunately, these were the ISPs likely owned by World-wide organized crime syndicates, so reporting would be of little value.

If everyone used the SCBL (or whatever it's now called), I should be pleased to report. I'm getting migraine again, so I can't remember whether I can report by forwarding attachments without reviewing & confirming or not now. (At the moment I can't.) If so, I shall reconsider the value of SpamCop to me (for I don't mind spam). I may be gone for a few days, but then I'll check.

The link is great! Thank you!

You realize that helping police the worst on the net is just a social obligation. My research must take the bulk of my time. This morning I zipped away 6 spam from the night, each to a different address at KnujOn. It took less than one minute.

Bruce

The Irritating

PS Long ago some of us at supercomputer centers were consulted by the Gore Commission about how to release NSFnet to the public. Corporations such as IBM wanted to control it, but we urged it be controlled directly by Congress, the way the five NSF supercomputers were. ICANN is a private company, though non-profit; however, I shall find out whether Congress (whether you and I) have any real influence over it. In any case, I have many suggestions. :-)

Microsoft imposed outrageous contracts upon others for decades; why can't ICANN's contract address the recommendations of international law enforcement agencies, and just propagate itself when registrars sell blocks of ip addresses, all the way to the individual user? Perhaps our new Administration, State Department, and Congress would be interested in helping formulate ICANN's new contract in coordination with concomitant new treaties. :-)

Thank you very much for giving me the best link yet!

[Lking]

This isn't SpamCop's mandate. SpamCop does one thing, and it does it extremely well. However, if you know where I can find another organization that can report illicit stores as fast as it does phish (or even general spam here), I should use it.

That, I think is the correct answer. You can't expect everyone to do everything well.

As has been mentioned somewhere in this thread there are others that do other parts of this, and they do those part well.

KnujOn identified a Thunderbird add-on that will email all identified spam in a TB folder to your KnujOn account and to anyone else you added to the list (for example, SpamCop). KnujOn looks at the body of the spam.

I also sort out the phishing spam for extra "TLC" sending it to PhishTank and CastleCops for processing by their PIRT squad.

Going back to your original "can SpamCop..." you will notice that in each case, KnujOn, PhishTank and CastleCops, people are involved in the process of parsing the body of the spam to correctly identify "bad" ISP/domains. In fact CastleCops ask for users to join the PIRT Squad to process submissions to Fried Phish. So as you suggested, getting the reporter out of the loop of parsing the body of the spam by SpamCop, "an't going to happen."

[Wazoo]

The real problem may be SpamCop's blacklist (someone will no doubt offer me the cognoscenti's acronym).

http://www.forum.spamcop.net/

http://forum.spamcop.net/scwik/SpamCopWhereToGetHelp

http://forum.spamcop.net/scwik/SpamCopBlockingList

This is why I, too, am not enthusiastic about blacklisting (greylisting) 'Mom & Pop' websites, while whitelisting corporate ones, as SpamCop appears to do (in a very reasonable manner).

Not sure what you might actually mean, as SpamCop.net does nothing to black/grey/white-list web-sites.

The documents were very vague.

?? There are walk-throughs provided, much discussion within the appropriate Forum. Once again your ".. documents were very vague" statement with no specific details offered doesn't help much with solving your perceived issue.

I'm never examined Mailhost simply because the first document said, as you do here, 'Quick Spamcop' uses only the envelope (header, for Wazoo), whereas, as you've noted, I want parts of the letter (body, for Wazoo) reported.

Sorry, but .... Quick Reporting is the term in question.

envelope (header, for Wazoo) ... the 'header' is not the 'envelope' .... unless one runs his/her own e-mail server, one doesn't actually have access to the 'envelope' of an e-mail.

If everyone used the SCBL (or whatever it's now called), I should be pleased to report. I'm getting migraine again, so I can't remember whether I can report by forwarding attachments without reviewing & confirming or not now. (At the moment I can't.)

You are essentially talking about the difference between 'full' reporting and Quick Reporting.

This morning I zipped away 6 spam from the night, each to a different address at KnujOn. It took less than one minute.

I can only vaguely remember when I only had to deal with 6 spam e-mails a day.

[Wazoo]

Wondering if an older press release from IronPort migh add some definition to your suggested problems in relating the various IP Addresses involved in the delivery and content of your spam ..??? The magic words are 'botnet' and 'fastflux' ... as previously pointed out.

IronPort Research Discovers Links Between Malware Originators and Illegal Online Pharmaceutical Supply Chain

[agsteele]

Not sure what you might actually mean, as SpamCop.net does nothing to black/grey/white-list web-sites.

Hi Wazoo,

I think this guy is probably referring to the Email service where, of course, various colours of listing are available (although I guess black, white and grey aren't technically colours...)

Andrew

[Wazoo]

I think this guy is probably referring to the Email service where, of course, various colours of listing are available (although I guess black, white and grey aren't technically colours...)

Yeah, I thought about that ... but that would have taken things back to one of the major points made so many times already .... SpamCop.net doesn't block e-mail either. So I left my comments dealing strictly with what was typed into the post(s) I was replying to. However, things lke the "small busnesses being shut down" comment were simply too excessive to worry about providing a response.

[Rapakiwi]

Yeah, I thought about that ... but that would have taken things back to one of the major points made so many times already .... SpamCop.net doesn't block e-mail either. So I left my comments dealing strictly with what was typed into the post(s) I was replying to. However, things lke the "small busnesses being shut down" comment were simply too excessive to worry about providing a response.

Oh, I thought 'this guy' was you, sorry. :-)

So, I assume from your posts that the SCBL only reports illicit web stores (in English): it does not black-, white-, or greylist them (bit of jargon here). I admire the SCBL, but I don't use it.

I have to get back to bed (for I am here just to quickly send tonight's spam to KnujOn's various addresses). I've recently reported only one spam to SpamCop, just to test whether it accepts Thunderbird's 'forward by attachment' results (for Mac's implementation of some mail RFCs has bugs, leaving .eml about, &c). The 'inline' attachment option was also accepted, but the link in the body wasn't reported. (This paragraph is for Mac users.)

SpamCop seems to accept these Thunderbird forwards just fine without any 'add-ons' (which attach the source without any Apple bugs); so I trust those to KnujOn are acceptable (though I'll double-check). Thank SpamCop for the great reports!

To clarify your puzzlement, one report (a year or two ago) contained a link to opera.com. Because all previous links to, say, ЗдравÑтвуйте!.ru, had reports prepared, I anticipated one about opera.com, which I should delete, lest (I excessively worried) it might make it to the SCBL. It didn't appear. Thus I concluded you had a list of legitimate sites (common corporations who would not respond well to being reported by you) about which you did not prepare reports.

BTW, thanks for the last link, which I'll check out. However, I've pretty much decided to report all the method that reports only headers. One user kind noted that even reports of phish elsewhere must be examined by hand: this I didn't know. Why, I still don't know; but I'll ask at CastleCops.

I also have my old spam (yes, I archive spam); so I'll run through the SpamCop parser what I had analyzed by hand some days ago and see if SpamCop can find more from its envelopes (English, not networking jargon): in English, a letter has an envelope and a signature. On the envelope, the mailer (the post office) applies a stamp when the letter is posted. (If SpamCop's use is for Knurds only, I'll change my language, for I worked as a computer professional between legitimate jobs.

Don't waste your time puzzling over details sufficient only to illustrate a point. As for your earlier remarks that the 'problem' here is a refusal to fulfill my contractual responsibility, then allowing ignorant people access to the internet, I think you should take the time to get out more.

My best,

Rapakiwi

[agsteele]

Don't waste your time puzzling over details sufficient only to illustrate a point. As for your earlier remarks that the 'problem' here is a refusal to fulfill my contractual responsibility, then allowing ignorant people access to the internet, I think you should take the time to get out more.

Hi Rapakiwi,

I'm sorry you aren't able to get your head around how the SpamCop systems work and confuse this as a place to get help with other services.

I'm sorry you feel you have to take an unhelpful, combative and, frankly, rude approach to folk who try to help.

But I'll simply add you to the appropriate list so I don't have to read your posts henceforth.

Andrew

[DavidT]

Faulty terminology and assumptions will almost always interfere with effective communications, as is the case here.

DT