
Do not report viruses as spam



These last days, I received a lot of spams with a virus attached. When I "quick-report" them, spamcop says "Error - do not report viruses as spam". OK OK, but to see those viruses I need to open ALL spam mails, and this is exactly what I wanted to avoid when I subscribed to the service... So, what am I supposed to do?


These last days, I received a lot of spams with a virus attached. When I "quick-report" them, spamcop says "Error -  do not report viruses as spam". OK OK, but to see those viruses I need to open ALL spam mails, and this is exactly what I wanted to avoid when I subscribed to the service... So, what am I supposed to do?

Just delete anything with an attachment -- that should take care of the viruses. No need to open them.


I received a lot of spams with a virus attached

Trying to be fair here, how much of your "normal" e-mail arrives with attachments? And, how many of those show up with those usually so obvious Subject Lines? If your daily incoming e-mail really includes stuff from friends and family that so closely resemble spam such that you can't tell the difference at a glance, perhaps it's time you started educating your friends and family?


By the way, my virus scanner is updated every two days. My concern is this: all unidentified incoming mails are systematically reported to spamcop as spams, without being viewed, so I don't really pay attention to possible viruses in attached files. When there is one, spamcop says "please do not report viruses as spam". The problem is that I don't want to take a chance in checking attachments before reporting spams. Naively, I was assuming that this is spamcop's job.


The problem is that I don't want to take a chance in checking attachments before reporting spams.

You appear to be using Mozilla and I am not familiar with that. However, I think that you probably can check what Outlook Express calls the Message Source which is a fairly safe way of checking. A few spams do contain attachments, but very, very few so you are relatively safe in deleting anything with an attachment. Again, I would expect that Mozilla has a way of showing you that the email has an attachment without opening it.

I also don't know what happens when spamcop does identify a virus - whether it gives you an error message and does not report it or whether it will still report it although warning you it is a virus. That's because I can identify some viruses by subject line, others because my AV 'cleans' it so the attachment is no longer there, but the rest of the email is.

But the basic problem is that you have misunderstood spamcop's function. It is a software program that makes it easy to identify who to send reports to. It is NOT an automatic spam detector. The reporter decides that it is spam before s/he reports it. There are bound to be 'false positives' at some point - not just viruses and bounces and you don't want to report them either. So you do need to review the subject and sender, at least briefly, before submitting.

Although spamcop does not report viruses, you can report them by using the spamcop parser to find the proper abuse address and then cancelling the report. It pays to report them, because, 9 times out of 10, the abuse desk will notify the infected user and they stop coming. Sometimes you will receive several more before it stops, but rarely do ISPs ignore virus reports.

If you have a lot of clueless correspondents, you can constantly be receiving viruses as they forward things from you to more clueless people so even after they are uninfected, you will still receive the virus from unknown people.

IMHO, it is worth the time to report viruses. I will report viruses before I report spam, if I have time constraints, since there are bound to be other people reporting the spam to spamcop.

However, if there is no way to safely view unexpected emails, then you should delete all but the most obvious rather than report them. It is better to JHD (just hit delete) than to report in error or to open them.

Miss Betsy


It is very risky to report spam without looking at it to confirm its content.

Otherwise you could accidentally report something that is not reportable by spamcop.

Spamcop should not be used to report viruses, worms, or worm poop, bounces or responses to spam complaints.

Some spam complaints may use the same subjects that are in spam.

Some virus scanners strip the virus out of the message and send the rest of the junk through, so a virus scanner on your side (or even built into the spamcop parser) may not prevent a bad report.

The only risk for opening spam is when you have an e-mail client that automatically opens links in HTML, or executes content in the body or in attachments.

Current versions of Outlook and Mozilla should have the ability to safely deal with spam.

A virus scanner can only protect you against viruses that it already knows about, and it seems to take about 8 hours after a new outbreak for a new pattern to be released.

-John

Personal Opinion Only.


  • 4 weeks later...
all unidentified incoming mails are systematically reported to spamcop as spams, without being viewed, so I don't really pay attention to possible viruses in attached files.

That's inappropriate use of SC. You should be looking at the SUBE you report to see that it's not

1) viruses or

2) blowback from a joe-job. (I.e. spam that is bounced to you because it was identified as spam and bounced to you because your address was in the spam's FROM address and the recipient's server is not configured per best practices.)


If you have Mailwasher, you can insert a filter near the top of your filter list to look for executable attachments. Since Mailwasher looks at the message and attachment together as a text file, it isn't executable, but it's pretty obvious it would be if you downloaded the file and opened it. My filter looks like this:

[enabled],virus?,zvirus?,16711680,OR,Body,containsRE,"\.pif""|\.vbs""|\.cpl""|\.bat""|\.scr""|\.cmd""|\.zip""|\.hta""|\.exe""|\.vbe""|Content-Disposition: attachment"

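Added example, not part of the original post or of Mailwasher: the same check done on the raw message source in Python by walking the MIME structure, so only part headers are read and no attachment is decoded or opened. The extension list is the one in the filter above; the function name and the sample message are constructed for illustration.

```python
import email
from email import policy

# Extensions taken from the Mailwasher filter in the post above.
RISKY_EXT = (".pif", ".vbs", ".cpl", ".bat", ".scr", ".cmd",
             ".zip", ".hta", ".exe", ".vbe")

def risky_attachments(raw_source: bytes) -> list:
    """Return attachment filenames whose extension is on the list.

    Only MIME part headers are read; no payload is decoded or saved.
    (Function name is hypothetical, chosen for this example.)
    """
    msg = email.message_from_bytes(raw_source, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() checks the Content-Disposition "filename" first,
        # then falls back to the Content-Type "name" parameter.
        name = part.get_filename()
        if name and name.strip().lower().endswith(RISKY_EXT):
            hits.append(name)
    return hits

# Constructed sample: the attachment declares its name only in Content-Type,
# and the text part merely mentions a file name in its body.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: Re: your document\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b'Please open "setup.exe" when you can.\r\n'
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="document.txt.pif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAAA\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(risky_attachments(SAMPLE))
```

Because the check follows the MIME structure, a file name that only appears in the body text is not reported, while a double extension such as `.txt.pif` is.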

  • 2 weeks later...

A couple of times lately, I've gotten the message that reported spam had a virus even though it had no attachment. Why would that happen? Norton scans all my incoming e-mails and I never knowingly report anything with a virus or even with an attachment.


But the basic problem is that you have misunderstood spamcop's function. It is a software program that makes it easy to identify who to send reports to. It is NOT an automatic spam detector. The reporter decides that it is spam before s/he reports it.

Fair enough. However.

I regularly receive email which is marked as spam by my ISP's spam scanner, and which when I try to report it to Spamcop is rejected as being a virus.

Question 1: Isn't what's good enough to be spam according to SpamAssassin good enough to be spam according to Spamcop?

Here's a sample spam that I am talking about.

Which raises

Question 2: When email is marked as spam because of Spamcop's BL doesn't that automatically mean it is spam?

I'll repeat that for clarification: I receive email that my ISP has flagged as spam before I ever see it, they have marked it as spam in part or in whole because of Spamcop's BL service, and Spamcop's reporting service then rejects it as not really spam.

Here's the important headers from the sample spam I linked to above (I don't know if one can retrieve the whole headers from a saved-spam-link like the above or not, I couldn't in the 20 seconds I looked at it):

    X-spam-Flag: YES
    X-spam-Status: Yes, hits=14.1 required=5.4 tests=FORGED_OUTLOOK_TAGS,
        HTML_50_60,HTML_IMAGE_ONLY_02,HTML_MESSAGE,HTML_TAG_BALANCE_BODY,
        RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_SORBS,RCVD_IN_XBL autolearn=no
        version=2.63
    X-spam-Report:
        *  0.3 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
        *  2.2 HTML_IMAGE_ONLY_02 BODY: HTML: images with 0-200 bytes of words
        *  0.0 HTML_MESSAGE BODY: HTML included in message
        *  0.2 HTML_50_60 BODY: Message is 50% to 60% HTML
        *  4.5 RCVD_IN_XBL RBL: Received via a relay in Exploits Block List
        *      [<http://www.spamhaus.org/query/bl?ip=62.139.6.92>]
        *  3.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
        *      [blocked - see <http://www.spamcop.net/bl.shtml?62.139.6.92>]
        *  2.5 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
        *      [62.139.6.92 listed in dnsbl.sorbs.net]
        *  1.1 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
    X-spam-Level: **************
    X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on
        spamscanner3.sentex.ca

Is this not a bug in Spamcop, somewhere?

...Stu

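Added example, not part of the original post: a Python sketch that parses the X-spam-Report lines quoted above and splits the score between DNSBL (`RBL:`) tests and everything else, to show how much of the ISP scanner's verdict rests on where the mail came from rather than on what it contains. The function names are hypothetical; the report text and the 5.4 threshold are copied from the headers in the post.

```python
import re

# Report lines copied from the X-spam-Report header quoted in the post above.
REPORT = """\
*  0.3 HTML_TAG_BALANCE_BODY BODY: HTML has unbalanced "body" tags
*  2.2 HTML_IMAGE_ONLY_02 BODY: HTML: images with 0-200 bytes of words
*  0.0 HTML_MESSAGE BODY: HTML included in message
*  0.2 HTML_50_60 BODY: Message is 50% to 60% HTML
*  4.5 RCVD_IN_XBL RBL: Received via a relay in Exploits Block List
*      [<http://www.spamhaus.org/query/bl?ip=62.139.6.92>]
*  3.3 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
*      [blocked - see <http://www.spamcop.net/bl.shtml?62.139.6.92>]
*  2.5 RCVD_IN_SORBS RBL: SORBS: sender is listed in SORBS
*      [62.139.6.92 listed in dnsbl.sorbs.net]
*  1.1 FORGED_OUTLOOK_TAGS Outlook can't send HTML in this format
"""
REQUIRED = 5.4  # "required=5.4" in the X-spam-Status header

# "*  <score> <RULE_NAME> [<AREA>: ]description"; continuation lines don't match.
LINE = re.compile(r"^\*\s+(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s+(?:([A-Z]+):\s)?")

def parse_report(text):
    """Return [(score, rule, area)] for each scored line of the report."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2), m.group(3) or "OTHER"))
    return rules

def split_score(text):
    """Return (dnsbl_points, other_points), each rounded to one decimal."""
    rules = parse_report(text)
    dnsbl = sum(score for score, _, area in rules if area == "RBL")
    other = sum(score for score, _, area in rules if area != "RBL")
    return round(dnsbl, 1), round(other, 1)

def flagged_without_dnsbl(text, required=REQUIRED):
    """Would the message still reach the threshold with the RBL hits removed?"""
    return split_score(text)[1] >= required

if __name__ == "__main__":
    print(split_score(REPORT), flagged_without_dnsbl(REPORT))
```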

<snip>

I regularly receive email which is marked as spam by my ISP's spam scanner, and which when I try to report it to Spamcop is rejected as being a virus.

<snip>

Question 2: When email is marked as spam because of Spamcop's BL doesn't that automatically mean it is spam?

<snip>

Hi, Stu!

...Absolutely NOT! You've made a serious, although perhaps understandable, leap in thought. Remember what the SpamCop BL is -- it is a list of IP addresses which have either been reported as spam sources by SpamCop reporting users or which are the source of spam that has come to a registered spam trap. That doesn't mean that all e-mail that comes through that IP address is spam any more than the fact that some postings in these SpamCop web fora (especially those that I write :) <g>) contain mistakes means that every posting here contains a mistake.


Question 1: Isn't what's good enough to be spam according to SpamAssassin good enough to be spam according to Spamcop?

Since Steve T answered your second question, I will take your first.

SpamAssassin rules can be defined to trap viruses, especially since they usually have pretty specific messages or headers, they are easy to check.

Viruses, while some people consider them spam, are not reportable through spamcop by the agreement you made with spamcop setting up your account.


Question 1: Isn't what's good enough to be spam according to SpamAssassin good enough to be spam according to Spamcop?

Things may have changed since you received this spam or you picked a bad example .. there's nothing in your sample that should trigger a "virus" alert.

Question 2: When email is marked as spam because of Spamcop's BL doesn't that automatically mean it is spam?

Technically, no .. all that's being referenced is that the e-mail came from a "known" spam spew source. This is where a "whitelist" would come into play, in that even though coming from a bad neighborhood, a particular e-mail may be coming from a "friend" ....

But, again, in the sample you provided, there are multiple "spam" markers, forged construction bits, content structure and detail ....

if one can retrieve the whole headers from a saved-spam-link like the above

Look for the words "View entire message"

Spamcop's reporting service then rejects it as not really spam.

Again, problems with your sample begin with "Sorry, this email is too old to file a spam report. You must report spam within 3 days of receipt. This mail was received on Tue, 27 Apr 2004 01:39:57 -0400 (EDT) Message is 63.9 days old"


Things may have changed since you received this spam or you picked a bad example .. there's nothing in your sample that should trigger a "virus" alert.

Possible. I do save all my spam, and classify it into folders depending on what Spamcop tells me about it. The "Resolved" folder is depressingly small, the "Not Detained" folder is extremely large (from back when Spamcop used to say, if you had a paid account and used our filtering, this spam would have been detained, or not). This came from the "Looks like virus" folder. I could have misfiled it, but I do know this has happened on several occasions, so even if this specific example is bad, the general case is true.

Technically, no .. all that's being referenced is that the e-mail came from a "known" spam spew source.

I realised this shortly after hitting Post. Where's the unPost button?

However, taken both together, that a reported email has been marked as spam in the headers, and that part of that reasoning was SpamCop itself, I would argue that's reasonable evidence that the email *is* spam, and even if it looks like a virus it should be allowed to be reported.

Also, I feel there's a grey area these days with viruses et al that spammers propagate to further the spamming cause. Not spam directly, but certainly should be reportable.

Also, would it be that hard to change the "Look like a virus" message to a report that mentions that it's a virus instead of spam, and send that instead? I guess then Spamcop would have to be BadEmailcop or Junkmailcop or something.

...Stu


would it be that hard to change the "Look like a virus" message to a report that mentions that it's a virus instead of spam, and send that instead? I guess then Spamcop would have to be BadEmailcop or Junkmailcop or something.

Julian's focus is on 'spam' ... there was a time when virus traffic was looked at, filtered, etc ... ISPs receiving the reports asked that it be stopped, as these reports weren't "SpamCop spam complaints" .... and the usual bellyaching and whining from folks that don't understand that (almost all) Anti-Virus products are "reactive" .. thus the "filters, traps, and recognition triggers" aren't available until "after" the virus is seen in the wild and has undergone analysis ... so basically too many people placing their trust in an added in function and that caused problems, so that was dropped ... Yes, there are many things that a complaint to an appropriate target seems like an obvious move, but again, the SpamCop tool set is focused on "spam" ...


<snip>

Technically, no .. all that's being referenced is that the e-mail came from a "known" spam spew source.

I realised this shortly after hitting Post. Where's the unPost button?

<snip>

Hi, Stu,

...You should see a button labeled "Edit" at the top right-hand side of your post. There may also be a "Delete" button.


You should see a button labeled "Edit" at the top right-hand side of your post. There may also be a "Delete" button.

There is! I'm not a regular forum user (anywhere), preferring newsgroups, but I'm learning. Thanks!

...Stu


Archived

This topic is now archived and is closed to further replies.
