
Is it really doing any good?


wlwesq


Hello

I am a paid member of Spamcop. This is my first post to this forum.

I recently received a spam email that apparently came from my email address! (IP address was different from mine)

How is this possible! I did not send this email.

chilko


Hi, chilko,

Hello

I am a paid member of Spamcop. This is my first post to this forum.

I recently received a spam email that apparently came from my email address! (IP address was different from mine)

How is this possible!  I did not send this email.

chilko


...You are probably looking at a forged "From:" address. Many e-mail applications allow the sender to enter any e-mail address they wish in the "From" line.
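A way to check the point made in the reply above, as an added example that is not part of the original thread: the "From:" line is whatever the sender typed, while the "Received:" line stamped by your own provider's mail server records the IP that actually handed the message over. The host names, networks and sample message are constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: documentation domains (.example) and IP ranges only.
SAMPLE = """\
Received: from mx.myisp.example (mx.myisp.example [198.51.100.10])
\tby mailstore.myisp.example with LMTP id abc1; Tue, 3 May 2005 10:00:02 +0000
Received: from smtp.bulk.example (unknown [203.0.113.45])
\tby mx.myisp.example with SMTP id abc0; Tue, 3 May 2005 10:00:01 +0000
Received: from chilko-pc (localhost [192.0.2.7])
\tby smtp.bulk.example with ESMTP; Tue, 3 May 2005 09:59:59 +0000
From: "chilko" <chilko@myisp.example>
To: chilko@myisp.example
Subject: constructed sample

body
"""

# Assumptions: the servers run by the recipient's provider and their network.
TRUSTED_HOSTS = {"mx.myisp.example", "mailstore.myisp.example"}
INTERNAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def handoff_ip(msg, trusted_hosts, internal_nets):
    """Return the first outside IP recorded by a server we trust.

    Received headers are read newest first. A header is believable only if
    the host after "by" is ours; anything below the first untrusted header
    was written by the sender's side and may be invented.
    """
    for hdr in msg.get_all("Received", []):
        by = re.search(r"\bby\s+([\w.-]+)", hdr)
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", hdr)
        if not by or by.group(1).lower() not in trusted_hosts or not ip:
            return None
        try:
            addr = ipaddress.ip_address(ip.group(1))
        except ValueError:
            return None
        if any(addr in net for net in internal_nets):
            continue  # internal relay hop, keep walking down
        return addr
    return None


def assess(raw, my_address, trusted_hosts, internal_nets):
    """Compare the claimed From address with the verified handoff IP."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].lower()
    ip = handoff_ip(msg, trusted_hosts, internal_nets)
    return {
        "claimed_from": claimed,
        "handoff_ip": str(ip) if ip else None,
        # From names the recipient, yet the mail entered from an outside IP.
        "self_from_outside": claimed == my_address.lower() and ip is not None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE, "chilko@myisp.example", TRUSTED_HOSTS, INTERNAL_NETS))
```

The handoff IP, not the "From:" address, is the value a report or blocklist lookup should be based on.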

  • 2 weeks later...

I was getting a lot of the most disgusting spam I've ever seen from above.net. 5 or 6 a day. I began reporting them with spamcop and they quickly trailed off then quit altogether. Now I'm getting some of the same garbage from kornet.net, cninfo.net and chinatietong.com. Reported these emails hundreds of times and nothing seems to slow them down. Do these Asian ISPs not care? It's getting so bad that I'm thinking of just giving up and changing my email address. Can anything be done to stop this spammer?


Do these Asian ISPs not care? It's getting so bad that I'm thinking of just giving up and changing my email address. Can anything be done to stop this spammer?

1. That is the general consensus.

2. If they are being protected by their ISP, probably not.

I ended up using spamcop's filtering service when I began to get overwhelmed with this type of spam. I am currently in the process of giving up my other public email address (for support reasons) and am using only the spamcop address right now.


I was getting a lot of the most disgusting spam I've ever seen from above.net. 5 or 6 a day. I began reporting them with spamcop and they quickly trailed off then quit altogether. Now I'm getting some of the same garbage from kornet.net, cninfo.net and chinatietong.com. Reported these emails hundreds of times and nothing seems to slow them down. Do these Asian ISPs not care? It's getting so bad that I'm thinking of just giving up and changing my email address. Can anything be done to stop this spammer?

Cujo,

I'm having the same problem. Also, the more I report, the more I seem to get. They are now bombing me with spam. I don't know if they're retaliating or trying to figure out who is reporting them, but it went from ~5-10/day to >100/day since I started reporting.


I can verify first-hand that many ISPs not only condone spam, but profit from each spam that is verified delivered to an active e-mail box.

I have been reporting spam to SpamCop, spam[at]uce.gov and spamrecycle[at]chooseyourmail.com for more than 2 years. However, I continue receiving spam from the same few ISPs that condone spam.

Here's a partial list of consistent ISPs abuse reporting that verify my statement:

ircontact[at]corp.thrunet.com, englishadmin[at]korea.com, hostmaster[at]ns.chinanet.cn.net, cs[at]peer1.net , bora.net (hwang337[at]dacom.net), Webmaster[at]korea.net, abuse[at]geocities.com.

There are many additional ISPs in the spamming business that I did not list here.

These ISPs will not intervene as long as they are realizing a profit.

I'm not saying that SpamCop and many other spam warriors are not controlling some spam. However, until we have a do not spam law that can apply to International ISPs, we will continue to have spam. In fact, the so-called Can spam law is bringing in more spam because a spammer is within the law by simply adding the word "spam" in the e-mail......what a joke....and it's on us.


  • 3 weeks later...

I have this email box that I've hardly used in the last 2 years because of the amount of spam I get.

I decided to try to "take back" my account and do spam reporting. Well it's been about a week of reporting. Today I reported 100+ spam email. My average is 50 reportings a day.

I don't seem to be getting any less spam than I did before reporting.

The mailserver that I'm on is set up with the spamcop blacklist and I thought when you report spam, the blacklist gets updated and then all the users of that mailserver benefit from 1 person reporting.

I asked my friend (who's on the same mailserver) if she is getting any less spam and she said no.

BTW I'm reporting as a mole.

So does reporting work the way I think it should?

Thanks,

Ben


BTW I'm reporting as a mole.

So does reporting work the way I think it should?

One person's reports will not get an IP on the blocklist, only a percentage of spam reports to the overall number of messages seen. Also, recent trends are that the spam is coming from many zombie machines so it is more difficult to stop the flow. Are you seeing messages from the same IPs? Can you post those IPs here for investigation?

Also, mole reports have had different weightings over the last year. The current description is here: http://www.spamcop.net/fom-serve/cache/373.html but it does not mention how those reports affect the bl.


I think that spam from zombies cannot be effectively blocked by a blackhole list. In today's world, spammers use multiple tactics to get around spam blocks. You really need to use multiple tactics.

1. Use the blackhole list to block spam from known spammers.

2. Use an effective Bayesian spam-filter to catch the rest. Or if you don't have a Bayesian filter, at least use a key-word spam filter.

By combining these tactics, you will eliminate much of the spam. One method alone isn't that effective anymore.

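The two tactics listed in the post above, combined in one small filter, as an added example that is not part of the original thread: a DNS blocklist lookup on the connecting IP first, then a naive Bayes score for mail from IPs that are not listed (a new zombie, say). The training messages, the IPs and the stand-in resolver are constructed; the lookup handles IPv4 only.

```python
import math
import re
import socket
from collections import Counter


def dnsbl_name(ip, zone="bl.spamcop.net"):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone="bl.spamcop.net", resolve=socket.gethostbyname):
    """Listed IPs resolve to an address in 127.0.0.0/8; unlisted ones fail."""
    try:
        return resolve(dnsbl_name(ip, zone)).startswith("127.")
    except OSError:  # socket.gaierror (NXDOMAIN) is an OSError subclass
        return False


def tokens(text):
    return re.findall(r"[a-z0-9']+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes over word counts with add-one smoothing."""

    def __init__(self):
        self.words = {"spam": Counter(), "ham": Counter()}
        self.docs = Counter()

    def train(self, label, text):
        self.docs[label] += 1
        self.words[label].update(tokens(text))

    def spam_probability(self, text):
        vocab = len(set(self.words["spam"]) | set(self.words["ham"]))
        logp = {}
        for label in ("spam", "ham"):
            total = sum(self.words[label].values())
            lp = math.log(self.docs[label] / sum(self.docs.values()))
            for t in tokens(text):
                lp += math.log((self.words[label][t] + 1) / (total + vocab))
            logp[label] = lp
        return 1 / (1 + math.exp(logp["ham"] - logp["spam"]))


def classify(client_ip, body, model, resolve=socket.gethostbyname, threshold=0.9):
    """Layer 1: blocklist on the sending IP. Layer 2: content score."""
    if is_listed(client_ip, resolve=resolve):
        return "reject-dnsbl"
    if model.spam_probability(body) >= threshold:
        return "hold-bayes"
    return "deliver"


# Constructed stand-ins so the example runs offline.
CONSTRUCTED_LISTED = {"45.113.0.203.bl.spamcop.net"}


def fake_resolver(name):
    if name in CONSTRUCTED_LISTED:
        return "127.0.0.2"
    raise socket.gaierror("NXDOMAIN (constructed)")


def demo_model():
    nb = NaiveBayes()
    nb.train("spam", "cheap pills buy now")
    nb.train("spam", "buy cheap meds online now")
    nb.train("ham", "meeting agenda for monday")
    nb.train("ham", "lunch on monday with the team")
    return nb


if __name__ == "__main__":
    m = demo_model()
    for ip, body in [("203.0.113.45", "hello"),
                     ("198.51.100.77", "buy cheap pills online"),
                     ("198.51.100.77", "agenda for monday meeting")]:
        print(ip, "->", classify(ip, body, m, resolve=fake_resolver))
```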

  • 3 weeks later...
I have noticed that at least 70% of my spam is coming from chinanet.net and it just keeps coming. Reporting it does not seem to stop.  I get on an average of 150 to 200 spam emails per week.

Can anyone out there in SpamCop land tell me if this is all worth the effort.

Thanks

Spike


Having exhaustively read this thread, it is apparent to me that Spamcop does make a difference, though I don't actually benefit very much from it personally - I suspect that my ISPs (4 of them, 3 based in the UK and one hosted in the USA) don't apply spamcop filtering.

The fact that I don't benefit personally inhibits me from taking up a "paid for" spamcop account. I have been using my existing email accounts for some time now, and changing them to spamcop accounts would be a nightmare.

I suggest that additional pressure (supplementing Spamcop's efforts) should be applied to the worst offenders. I recently posted the following letter to the Chinese Embassy in London. If everyone complained to their Chinese embassy in the same vein, perhaps they would act on the matter:

"Cultural Attaché

Chinese Embassy

49-51 Portland Place

London

W1N 4JL

Cc: The British Foreign & Commonwealth Office

11th May 2005

Dear Sir or Madam,

I would like to draw your attention to a very unwelcome export from China - unsolicited email (also known as "spam").

I have three email accounts, and I receive about 60 spam messages daily. I report these regularly to "spamcop", an internet-based organisation which notifies internet service providers about spamming activity, but the Chinese ISPs seem to be unwilling or unable to control spam which either originates from China or is promoting Chinese websites. Most of the spam which I receive is trying to persuade me to buy Viagra and other "remedies" which I have no use for (my erections are quite adequate my girlfriend assures me).

I estimate that 50% of the spam which I receive either originates in China, or is promoting Chinese web-sites. The remainder comes from Russia (20%), South America (primarily Brazil, 20%), Europe (mainly Spain and Italy, 8%) and the USA (2%).

This is also reflected at the Spamcop web site (www.spamcop.net), please see the list of recent offending sites at appendix 'A'.

I don't know if this is a cultural difference between China and the UK (is it considered good business practice in China to send unsolicited email?), or if it is a criminal offence, as it is here in the UK. It is certainly bad for the image of China, because China is rapidly becoming seen as an internet nuisance.

If this situation persists or becomes worse, I am very tempted to mount a campaign seeking to block all email and web sites hosted in China. This would have an adverse effect on China's ability to compete with internet trade, as I am sure you will be aware.

Please can you tell me what steps are already in place to reduce this problem, and if there are plans to improve the situation in the near future?

Regards,

Joe <deleted> (Mr.)

Appendix A - list of offending sites reported taken from Spamcop 16:00 11/5/05

Abuse report sent to Age Reported web site

crnet_tec[at]chinatietong.com 0.08 min. http://qqackpbiednhbhhf9e9vtegv.plapfacba.com:/

crnet_mgr[at]chinatietong.com 0.10 min. http://qqackpbiednhbhhf9e9vtegv.plapfacba.com:/

postmaster[at]chinatietong.com 0.13 min. http://qqackpbiednhbhhf9e9vtegv.plapfacba.com:/

postmaster#cnc-noc.net[at]devnull.spamcop.net 1.65 min. http://frothoscountries.com/

<snipped 3 landscaped pages of similar entries>

I hope the formatting of the above turns out all right. I have naturally removed my reply address details.

As yet I have had no reply from the Chinese Embassy, I will report back here if and when I get one.

Joe


I have been using my existing email accounts for some time now, and changing them to spamcop accounts would be a nightmare.

Well, I was using a poboxes.com address since 1996 and I just switched over to using my spamcop address and it was not as bad as I imagined. I started 6 months ago, putting all of my personal contacts on notice that the address would be changing. Then I removed all the filters I had to sort the various types of email I receive and started creating new filters using the plussed address of spamcop where I could. Then as an email would come in that did not get filtered, I would go through the process of modifying the address and then create the filter. The first couple of weeks there were lots of changes (I left the message in the default inbox until I completed the change) but very few thereafter.

My spam has dropped from close to 200 per day to about 10-20 and those are mostly coming from my yahoo account and my ISP account which both travel through spamcop. The plussed addressing allows me to monitor where messages are coming from. Unfortunately, many online forms do not accept the + sign as valid.


I send on average 40 to 60 SpamCop reports a day. Over the past month or so I don't think I've gotten so much as an auto-acknowledge message from any of the ISPs that I've reported spam and website spamming to.

It could be because a lot of the spams I'm getting come from non-U.S sources (Brazil, Korea, China, Japan) but I feel as if I'm wasting my time even bothering to report via SpamCop if ISPs are going to ignore my reports! :(

A support rep at hawaiiteleport.com wrote in part

The ip address will be blocked. Thanks for the notification.

A support rep at uk.easynet.net wrote in part

Thank you for your recent report to abuse[at]uk.easynet.net concerning the above abuse incident.

This incident arose as a result of a security vulnerability on our customer's network, which appears to have had the primary functionality of facilitating Unsolicited Bulk Email transmission without our customer's knowledge, authorisation or permission.

Our customer has been contacted, and our customer has put technical measures in place to secure the network concerned.

More information on Trojan horse programs designed to facilitate the transmission of Unsolicited Bulk Email is available at:

http://www.securityfocus.com/news/4217

Please accept our apologies for any inconvenience that this incident may have caused.

Kind regards

A support rep at hotmail.com wrote in part

Thank you for writing back to MSN Hotmail.

...

I am writing in response to your concern that the address ...[at]hotmail.com is being used for commercial purposes.

...

After a careful investigation of the account you reported, I have closed the account ...[at]hotmail.com in accordance with the Hotmail Terms of Use (TOU). It is a strict violation of the TOU for our members to send objectionable material of any kind or nature using our service.

As yet I have had no reply from the Chinese Embassy, I will report back here if and when I get one.

Hopes set on high for you ... I got nowhere with this when I tried it years ago ....

Thanks for the replies so far.

I actually have 4 email accounts, though one of them is simply used to register at web-sites (it avoids getting more spam on the other accounts). One of them is one which I have tried to close down, but I still occasionally get valid posts to it even after nearly three years! The remaining two are both active, and I have two in case there are problems with either one.

Wazoo, where did you complain to in the past, and what (if any) response did you get?

Regards,

Joe


The "China connection" in most of the spam I report is that the spamvertized domains are hosted there. I use a SpamCop email account to filter my incoming mail, and one of our filtering options is "cn.rbl.cluecentral.net" (based on IPs originating in China). Overnight, out of 138 messages caught in my Held Mail by SpamCop's system, only 3 were caught specifically by that filter. Admittedly, some of the spam caught by the SCBL, or by my SpamAssassin settings, etc. might also have originated in China, but I also report spam received at some unfiltered accounts, and very little of that is coming from China.

DT

Well it's a partial success story for me!

I have four accounts all with the same ISP, plus a few others that I use for specific purposes that are all spam-free at the moment.

#1 - My original account that I keep open, 50-100 spams per day, nothing unusual. I only keep it open to monitor the spam situation and very occasionally I get a good e-mail from someone who has failed to update their records. The hope is that I can one day start using this account full-time again one day.

#2 - My new 'good' account. I started to receive spam on this account a few weeks ago. All sent from or through a Comcast source. Every one was reported and after a few days the spam stopped. Coincidence?

#3 - Account never used so no spam as the username is unlikely ever to be guessed.

#4 - My domain. I submitted my website to several search engines and the spam started quite quickly. Again, each one was reported and after a few weeks the spam level dropped significantly to just one or two each week. Those were identical but were received through different ISPs. For over a month now, nothing at all.

So, I may have been lucky and have found that SpamCop has really worked for me but I guess it depends on just who actually gets hold of your e-mail address and to how many others it gets passed to.


I would report partial success also. Spammers can be split into 2 groups - the "casual" ones (that will stop after losing an account or two) and the "hard core".

For the hard core spammers, SpamCop should be seen as a starting point only. They will not stop spamming unless you take further measures to make life awkward for them. If you choose to do so, bear in mind that it can be time-consuming and rather labour-intensive. However I only receive about 20 hard-core spams/week (and I don't use filtering - preferring to report all spam instead) and my inbox has been clear for the last few days, suggesting some degree of success.

The first step is to create (if you don't have one already) a throwaway email account which you will use for the reporting. This is because you are going to include the spammers' addresses in your reports and you do not therefore want to risk exposing your primary email address - using a SpamGourmet alias is great for this, but ensure that you have enabled reply address masking first and note that you will have to use the "send a message from one of your disposable addresses" option to get a special address to use. Also note that you will probably need to send complaints to each address individually with SpamGourmet rather than using CC/BCC.

For the spams you wish to report, check the domain registration details for each spamvertised website - either using a tool like Sam Spade or a site like DNSStuff. Check that the address/phone/fax numbers seem reasonable - any inaccuracies (e.g. address in country X but with a phone number in country Y) should be reported to the Whois Problem Data Reporting Service since they may be grounds for termination of the domain (WDPRS can take time though, so don't expect a fast fix from this and they will request an update in 6 weeks, so keep their first email which will include full details of the complaint).

Note the following details:

  • The domain registrar (often this will be identified by an LRMS number - see Sponsoring Registrar I.D.s for a list of corresponding registrars);
  • The registrant email address (this will almost surely be a way of contacting the spammer);
  • The DNS server used - do a separate lookup on this to find its contact email address and registrar.

Then put together an email complaint, including copies of the spam with full email headers. Include in the text the address for each group (DNSStuff's Abuse lookup can be used to find a suitable address for any domain) and a brief summary of why they have been sent the complaint (e.g. "To abuse[at]registrar.com - I have received the following spam for domains x.info, y.com and z.biz which are registered with you. This should be in breach of your Acceptable Use Policy so please terminate these domains.") If you have several spams sent by the same source, then consolidate them into one report to save effort. Send this to the following:

  • The registrant email address - this will be for 2 reasons, to inconvenience them (they need to monitor that address to administer the domain so receiving complaints will require them to at least press Delete and at worst may fill their mailbox) and for psychological purposes (by showing them who else you are posting to, you may cause them to prepare for service termination even without any action by the service providers);
  • The sponsoring registrar - they can terminate the domain preventing any further access even if the website is still up (unless the spammer sends out emails with just the IP address!). Some may try to claim it is not their responsibility but that of the hosting ISP (e.g. Tucows did this a lot in my experience). This is untrue since the registrar is in the same position as an ISP, accepting money to provide a service - if they choose to service network abusers, then they deserve every complaint they get. ;)
  • The registrant's email address provider - this will almost certainly be a free throwaway account with hard-core spammers. However such accounts will be correspondingly more likely to be closed which then forces the spammer to create new ones and update domain registration details to reflect this (more likely they will just create new domains - they are cheap but you are still increasing the time, effort and money they have to spend to stay in business).
  • The DNS server administrator - a hard-core spammer will likely handle their own DNS, but even so it is worth including them just to give them that bulging inbox feeling. :)
  • The DNS domain registrar - do this only if you see the same DNS server being used for multiple spams and previous complaints have had no effect, or if you have other reasons to believe the DNS to be run by the spammer (e.g. it has the same IP address as the spamvertised websites). If the registrar pulls the plug on a domain used for a DNS server, it can prevent lookups for all domains stored on that server.
  • The DNS email address provider - again only if previous complaints have had no effect.

As for effectiveness, I have noted partial success using this method. The group (doubtless familiar to most here - pushing c1al1s and v1agr& through dubiously named domains with Russian registration addresses hosted in China) has had to change domain registrars several times (moving from Tucows to Gandi, then GoDaddy and now DirectNIC/YesNIC) and email addresses (from mail.ru to yahoo.com - and these are now showing some turnover). If the registrant email addresses are terminated (causing subsequent complaints to bounce) then the domains can then be reported to the WDPRS for having invalid contact emails! :P (mention this also to the domain registrar if they do not act to close such domains - at the very least it increases the administration work they have to do which may result in them charging the spammers more).

In addition if the hosting ISPs bounce SpamCop reports (yes, China Network Communications Group and China National Railway!) I include them in these reports (with a note why) and am now including their upstream provider (found using traceroute/tracert) in the complaint. I've only done this twice and it already appears to have had some impact, with traceroute now showing access going via two other networks with a subsequent increase in response time from about 250msec to 550msec.

With hard core spammers, the best you can do is wage a war of attrition on them and their suppliers, where the body count is measured in email account closures, domain changes and response times. However you are one of many while they are just a few. :)


I don't have any real information to add here but I wanted to share some related things with you all.

I, too, got frustrated at the amount of spam that was getting through a combination of SpamCop, Spamhaus, SORBS and NJABL blacklists. I noticed over time that most of the spam that was getting through came from any one of the following countries, in order of their precedence:

1) China

2) South Korea

3) Brazil (minimal)

4) Russia (minimal)

5) Poland (minimal)

As a test I set up some DNS-based blacklists for the entirety of the IP blocks originating from those 5 countries and I immediately noticed a tremendous impact. My own mailbox went from receiving roughly 20 spams per day to less than 1 per day (about 1 every 2 to 3 days).

I left those blacklists in place on a server for some non-commercial domains for 3 months and they held the whole time. At the end of the 90 days I was still only receiving spam every now and then.

It worked so well that I thought of setting the lists up on some of our commercial servers so I started researching how the changes might affect some of our larger and more mail-prolific clients. I quickly discovered that blocking South Korea was out of the question because there are too many economic ties between them and the U.S. Several of our clients have customers and even contributors from South Korea. For one of our "big 3" clients blocking China was out, too, because they are actively marketing there. /sigh

Without the ability to block those 2 countries there was no point in worrying about the other 3 because China alone accounts for about 70% of the spam that gets through.

I know blacklisting entire countries is a very heavy-handed approach but it's the best solution I have found yet.

I'd like to add here that the RBL do make a difference. As an ISP I have seen a marked drop in spam for our clients. In fact so much that I have decided to help out here with reporting.

I do agree that without being on an ISP who uses the SC RBL you are much less likely to see a direct response to your actions. Why don't you change to one that does?

If a small/medium sized ISP knows that using the SC RBL is a factor in getting your account, they will most likely implement it. For larger ones you would need the numbers of course. By voting with your money/feet you may have a much larger effect than you realise.

...

I, too, got frustrated at the amount of spam that was getting through a combination of SpamCop, Spamhaus, SORBS and NJABL blacklists.  I noticed over time that most of the spam that was getting through came from any one of the following countries, in order of their precedence:

1) China

2) South Korea

...


This is unfamiliar to me - I use no blocklists and almost all the spam I get comes from "the usual suspects", such as are found in the domains of the top 200 report targets - http://www.spamcop.net/w3m?action=hoshame#domsum. My weighting is a little different (Comcast alone accounting for around 20%, hence my occasional rants) but apart from someone wanting to sell me inflatable rubber products (apparently of a most mundane kind), virtually none from China and very few (compared to USA) from Korea. Just about all the "spamvertized" websites these days are hosted in China, but that's another matter. I would suspect your blocklists must be keeping out a huge volume from the "regular" sources, unless there is some previously unsuspected structure to the spam "business". I wonder which ...


unless there is some previously unsuspected structure to the spam "business".


One thing that may be a factor here is the amount of zombied PCs that are present in China right now. There was (in my observation) an exponential ramp-up of these zombies starting around the beginning of this year, and peaking roughly 2 months ago. It's the same thing in South Korea (exact same patterns, exact same spams, just not as prolific) but it hasn't hit the news yet.

http://www.infoworld.com/article/05/04/21/...adechina_1.html

http://www.pcworld.com/resource/article/0,...,RSS,RSS,00.asp

As those articles mention most of this is due to 2 things:

1) The end users are running Windows.

2) The relative youth of the Internet in both countries means the sysadmins from businesses to ISPs don't have a solid footing yet and therefore are in way over their heads when it comes to handling anything having to do with their network(s). If you've ever tried to deal with any Chinese or South Korean admins you know exactly what I mean. Only about 5% of them seem to a) care and b) understand how to fix any particular issue you bring to their attention (whereas about 65% of U.S. ISPs meet these criteria, or at least pretend to meet them - it's sad, really).

Archived

This topic is now archived and is closed to further replies.

