
Interested "3rd party" and source are same


mshalperin


http://www.spamcop.net/sc?id=z857521355z4c...009264d7f275ddz

The parser identified the "Administrator of network where email originates" and "Third party interested in email source" both as 82.128.3.137, reporting to postmaster#multilinks.com<at>devnull.spamcop.net for both (dev/nul due to multiple bounces). How can a "3rd party interested in the source" and the actual source be the same? How are these 3rd parties identified with Spamcop?


I'm not sure what you're getting at. These "3rd parties" are by definition ones who are interested in networks other than their own and do not refer reports sent to spam reporters. From time to time the parser identifies a specific "3rd party" interested in a specific spam source or spamvertised website and generates a report to them. If the "3rd party" is the same as the one they're interested in, this is a cyber-oxymoron. The FAQ references you listed only discussed registering as an ISP and Spamcop users selecting what reports are to be sent to them. I can't find any reference how 3rd parties connect themselves with specific spam source or spamvertised site. Whatever the mechanism, you can't be interested in yourself as a "3rd party".


> I'm not sure what you're getting at. These "3rd parties" are by definition ones who are interested in networks other than their own and do not refer reports sent to spam reporters. From time to time the parser identifies a specific "3rd party" interested in a specific spam source or spamvertised website and generates a report to them. If the "3rd party" is the same as the one they're interested in, this is a cyber-oxymoron. The FAQ references you listed only discussed registering as an ISP and Spamcop users selecting what reports are to be sent to them. I can't find any reference how 3rd parties connect themselves with specific spam source or spamvertised site. Whatever the mechanism, you can't be interested in yourself as a "3rd party".

Like so many parser comments, you can't 'define' them by what they say. A "3rd party" is someone who wants to get reports that the parser doesn't choose to get reports by default in its parsing.

I can't explain very well because I have never taken the time to understand how webhosting relates to ISPs, etc. However, one can get a website with someone who sells websites. The seller of websites has a server with an IP address that is within a block of IP addresses. The owner of the block of IP addresses has other customers than the webhost. So, now you have the website owner, the webhost, and the one who provides space. Depending on various factors reports might go to any one of them. For instance, if the website owner is spamming and the web host hasn't shut him down, reports may stop going to either of them (to prevent listwashing) and go to the one who provides space. Then some other website owner of the same host wants to get reports so he has to register as a 3rd party in order to get them.

Sometimes in a proactive situation the 'upstream' will request reports as 3rd party.

SpamCop tries to prevent spammers from registering themselves as 3rd party recipients, but anything is possible.

Occasionally, the guy in the middle (the web host) gets upset because he never saw the spamcop report so could not do anything about it. He never saw it because it is going to the website owner or the larger IP block abuse desk. So he will ask to be a 3rd party.

And then, of course, there are 3rd parties like Cyveillance who want reports for other reasons than knowing about spam on their networks.

Miss Betsy


> I'm not sure what you're getting at. These "3rd parties" are by definition ones who are interested in networks other than their own and do not refer reports sent to spam reporters. From time to time the parser identifies a specific "3rd party" interested in a specific spam source or spamvertised website and generates a report to them. If the "3rd party" is the same as the one they're interested in, this is a cyber-oxymoron. The FAQ references you listed only discussed registering as an ISP and Spamcop users selecting what reports are to be sent to them. I can't find any reference how 3rd parties connect themselves with specific spam source or spamvertised site. Whatever the mechanism, you can't be interested in yourself as a "3rd party".

It is possible that at one time they were not (or could not) be registered in the normal way (i.e. their ISP received the original report) but they have since fixed this so the parser recognizes them as the primary.

Or, as was my case for a while, I did not completely understand the process and added my network as a third party because I wanted to get reports if there were any. I then realized I would already have received reports and fixed it within my ISP account (which I got much later, not realizing that I was the "ISP" for my company's users).

Interested third party reports, at one point, could be received by anybody. That process has been tightened down a bit.


http://www.spamcop.net/sc?action=showroute...37;typecodes=17

Reports routes for 82.128.3.137:

routeid:16872337 82.128.0.0 - 82.128.31.255 to:deep[at]multilinks.com

Administrator found from whois records

routeid:16872338 82.128.0.0 - 82.128.31.255 to:ipadmin[at]multilinks.com

Administrator found from whois records

routeid:16872339 82.128.0.0 - 82.128.31.255 to:abuse[at]multilinks.com

Administrator found from whois records

In the case of your spam report, the spam source was identified as coming from 82.128.3.137 ... a complaint was generated to go to a 'responsible' e-mail address in charge of that IP address. Looking at the block of IP addresses 'owned' by multilinks.com, one could assume that someone there has placed the "interested third-party" for the entire block. So two pieces of the Parsing & Reporting code were activated ... the 'send complaint to owner' and the 'send complaint to interested third party' ... one of those computer programming things ...

On the other hand, one of the real questions is why is the abuse[at] address seen and displayed, but not used .... the logic of 'deep' not being a role account and causing the abuse.net lookup is understandable, but ..... the content of the WHOIS record for showing the abuse[at] address isn't necessarily straight forward, but ....


> Like so many parser comments, you can't 'define' them by what they say. A "3rd party" is someone who wants to get reports that the parser doesn't choose to get reports by default in its parsing.
>
> I can't explain very well because I have never taken the time to understand how webhosting relates to ISPs, etc. However, one can get a website with someone who sells websites. Sometimes in a proactive situation the 'upstream' will request reports as 3rd party.
>
> SpamCop tries to prevent spammers from registering themselves as 3rd party recipients, but anything is possible.

Thanks for the detailed explanation of this confusing issue. In the case I cited, it seemed like the spammer was registered as a 3rd party for his own site (and I'm not clear on why he would want to do so since it doesn't intercept anything).


> http://www.spamcop.net/sc?action=showroute...37;typecodes=17
>
> Reports routes for 82.128.3.137:
>
> routeid:16872337 82.128.0.0 - 82.128.31.255 to:deep[at]multilinks.com
>
> Administrator found from whois records
>
> routeid:16872338 82.128.0.0 - 82.128.31.255 to:ipadmin[at]multilinks.com
>
> Administrator found from whois records
>
> routeid:16872339 82.128.0.0 - 82.128.31.255 to:abuse[at]multilinks.com
>
> Administrator found from whois records
>
> So two pieces of the Parsing & Reporting code were activated ... the 'send complaint to owner' and the 'send complaint to interested third party' ... one of those computer programming things ...
>
> On the other hand, one of the real questions is why is the abuse[at] address seen and displayed, but not used .... the logic of 'deep' not being a role account and causing the abuse.net lookup is understandable, but ..... the content of the WHOIS record for showing the abuse[at] address isn't necessarily straight forward, but ....

Thanks for tracing the parser logic on this - I didn't know how to do this. OTOH, the logic of how the SC parser selects reporting addresses is beyond me. I do know that it's tweaked to avoid sending reports to spammers...


> http://www.spamcop.net/sc?id=z857521355z4c...009264d7f275ddz
>
> The parser identified the "Administrator of network where email originates" and "Third party interested in email source" both as 82.128.3.137, reporting to postmaster#multilinks.com<at>devnull.spamcop.net for both (dev/nul due to multiple bounces). How can a "3rd party interested in the source" and the actual source be the same? How are these 3rd parties identified with Spamcop?

There is no telling how or why postmaster got set up as a third party. Maybe they wanted two copies of the reports. Or maybe SpamCop wasn't finding that address as the contact point at the time.

In the before times, anybody could sign themselves up to get third party reports just by providing the IP range they wanted reports for. This is one of those deals. I'm trying to figure out how to get rid of it, but it's proving to be elusive.

These days, we control who gets third party reports so the spammers can't sign themselves up. They have to ask to get the reports and we decide. We won't switch reports away from the abuse address we find from Whois lookup without their permission. When we assign third party reports, it's usually because the admin responsible for the IP range isn't what we're finding from Whois info, and the people who are getting the reports want to keep getting them. It all depends. Sometimes we'll add them as an additional reporting address.

- Don D'Minion - SpamCop Admin -


> On the other hand, one of the real questions is why is the abuse[at] address seen and displayed, but not used .... the logic of 'deep' not being a role account and causing the abuse.net lookup is understandable, but ..... the content of the WHOIS record for showing the abuse[at] address isn't necessarily straight forward, but ....

Yep. Something is not right. SpamCop isn't correctly parsing the afrinic Whois registry for some reason. I'll look into that.

In the meantime, I remapped postmaster to go to abuse[at]multilinks.com so the reports will at least go where they're supposed to.

- Don -


> Thanks for the detailed explanation of this confusing issue. In the case I cited, it seemed like the spammer was registered as a 3rd party for his own site (and I'm not clear on why he would want to do so since it doesn't intercept anything).

The spammer likes to get spamcop reports so that he can take spamcop reporters off his list.

Miss Betsy


> Yep. Something is not right. SpamCop isn't correctly parsing the afrinic Whois registry for some reason. I'll look into that.
>
> In the meantime, I remapped postmaster to go to abuse[at]multilinks.com so the reports will at least go where they're supposed to.

http://www.spamcop.net/sc?id=z858389527z64...dc1bfe37b59c59z

This is another example where the source and interested 3rd party reporting address are identical.

Report spam to:

Re: 64.4.43.62 (Administrator interested in intermediary handling of spam)

  To: abuse[at]hotmail.com (Notes)

  To: report_spam[at]hotmail.com (Notes)

Re: 80.179.190.3 (Administrator of network where email originates)

  To: abuse[at]012.net.il (Notes)

Re: 80.179.190.3 (Third party interested in email source)

  To: abuse[at]012.net.il (Notes)

  To: Cyveillance spam collection (Notes)

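An added example, not part of the original thread and not SpamCop's code: it parses a "Report spam to:" listing like the one in the last post, flags addresses that would receive the same report both as network administrator and as interested third party, and checks an IP against a report route range like the one shown earlier. The sample text is constructed from the listing quoted above, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the "Report spam to:" listing quoted in the thread.
SAMPLE_REPORT = """\
Re: 64.4.43.62 (Administrator interested in intermediary handling of spam)
  To: abuse[at]hotmail.com (Notes)
  To: report_spam[at]hotmail.com (Notes)
Re: 80.179.190.3 (Administrator of network where email originates)
  To: abuse[at]012.net.il (Notes)
Re: 80.179.190.3 (Third party interested in email source)
  To: abuse[at]012.net.il (Notes)
  To: Cyveillance spam collection (Notes)
"""

SOURCE = "Administrator of network where email originates"
THIRD = "Third party interested in email source"
RE_LINE = re.compile(r"^Re:\s+(\S+)\s+\((.+)\)\s*$")
TO_LINE = re.compile(r"^\s*To:\s+(.+?)(?:\s+\(Notes\))?\s*$")

def parse_targets(text):
    """Return {(ip, role): [recipient, ...]} from a 'Report spam to:' listing."""
    targets, current = {}, None
    for line in text.splitlines():
        m = RE_LINE.match(line)
        if m:
            # Validate the address so a malformed line fails loudly.
            current = (str(ipaddress.ip_address(m.group(1))), m.group(2))
            targets.setdefault(current, [])
            continue
        m = TO_LINE.match(line)
        if m and current is not None:
            targets[current].append(m.group(1).lower())
    return targets

def duplicate_third_parties(targets):
    """Recipients listed as both network admin and third party for one IP."""
    dupes = {}
    for (ip, role), rcpts in targets.items():
        if role != SOURCE:
            continue
        overlap = sorted(set(rcpts) & set(targets.get((ip, THIRD), [])))
        if overlap:
            dupes[ip] = overlap
    return dupes

def in_route(ip, first, last):
    """True if ip lies in the inclusive range of a report route line."""
    lo, hi, addr = (ipaddress.ip_address(x) for x in (first, last, ip))
    return lo <= addr <= hi
```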

Archived

This topic is now archived and is closed to further replies.
