
Proper reporting of image spam?


Tux Kapono


This is pretty much all the spam I get now, and reporting it by forwarding it does nothing because it's the information in the image that's the key to bringing them down. The irony is that they're using the same approach that sign-ups with image verification are using to prevent spam.

So, when I get image spam every day advertising the same website and the same drugs or the same penny stock, but embedded in the image with a bunch of nonsense text below to throw us off, what exactly should we all report?

I wish there was an international blacklist of companies that are associated with spam that consumers should never do business with.


This is pretty much all the spam I get now, and reporting it by forwarding it does nothing because it's the information in the image that's the key to bringing them down. The irony is that they're using the same approach that sign-ups with image verification are using to prevent spam.

So, when I get image spam every day advertising the same website and the same drugs or the same penny stock, but embedded in the image with a bunch of nonsense text below to throw us off, what exactly should we all report?

I wish there was an international blacklist of companies that are associated with spam that consumers should never do business with.

There is no easy answer, right now. If you are a paying reporter, you can put the link into another parsing window to determine reporting addresses for it and add those addresses in the user reports section. More work, but gets the ISP the information. You could also do manual reporting, which is even more work.

So, when I get image spam every day advertising the same website and the same drugs or the same penny stock, but embedded in the image with a bunch of nonsense text below to throw us off, what exactly should we all report?

Can't speak for anyone else, but here's what I do:

If I get one of these in my inbox that touts a website in the picture (usually drugs or HGH), I trace and report the website as Steven suggests.

For me, most of this kind of spam is probably detained by SpamCop before I see it (I'm a paying customer), and I don't bother trying to decode and view the images of these messages, so I probably miss a lot of them in this way. So I take a bit of extra effort on the ones that get through.

I personally do not report stock spams to anyone but the mail source. The companies whose shares are flogged are not necessarily responsible for the spam.

I wish there was an international blacklist of companies that are associated with spam that consumers should never do business with.

That would be one huge list, I fear.

-- rick


... So, when I get image spam every day advertising the same website and the same drugs or the same penny stock, but embedded in the image with a bunch of nonsense text below to throw us off, what exactly should we all report?

I wish there was an international blacklist of companies that are associated with spam that consumers should never do business with.

SpamCop is primarily concerned with black listing repeat offender ISP addresses, with a secondary function of alerting the admins at those originating sites should they care to locate and "fix" the problem and, at the best, a tertiary function of similarly alerting the domain address admins of the "payload" spamvertized websites.

Standard reporting takes care of the primary and secondary objectives although the growing use of botnets has eroded the effectiveness of the blocklist to a considerable degree. That's a different discussion but TerryNZ's topic "Botnet Scenario" deals with an approach to gather evidence and manually report, the template being The Registrar / Nameserver compliance request method. If the botnets are shut down the spam messages dry up. That's a very big "if" but a more focussed approach to that particular problem than SC provides.

Doing anything about the image spam payload also involves manual reporting for most of us, unfortunately, as you have been told. There has been much prior discussion about this already - What about 'picture' spam? as you well know. If you want to personally pursue the targets, that can be discussed some more (for instance viewing the spam in a browser/reader is not a good idea - take the source code for (just) the image part to a decoder like the online ToastedSpam). Use the SC parser (paste in page) to get the reporting addresses for any URLs and manually report or add to the SC reports if you have the facility (StevenUnderwood's post). Forward stock spam per PinkSheets Interested in Pump 'n Dump spam and/or spam[at]NASD.com (btech's post at the end of that discussion). A lot of work is involved.

SpamHaus lists the worst of the spammers, including their "marketing" domains in some instances (despite a recent adverse US court judgement, also discussed elsewhere "here"). That's nothing like "an international blacklist of companies that are associated with spam" but it's a start, the crust of the scum.

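An added example, not part of the thread and not SpamCop's code, of the handling described in the post above: a Python script that works only on the raw message source, never renders the HTML, pulls out each image part so it can be passed to an offline decoder, and lists the link targets that wrap an image so they can be pasted into a parser to find reporting addresses. The function names, the sample message and the `pills.example` domain are constructed for illustration.

```python
import base64, hashlib
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkedImageParser(HTMLParser):
    """Record the href of every <a> element that wraps an <img>."""
    def __init__(self):
        super().__init__()
        self.href = None
        self.linked = []  # (link target, image source) pairs
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self.href = attrs.get("href")
        elif tag == "img" and self.href:
            self.linked.append((self.href, attrs.get("src")))
    def handle_endtag(self, tag):
        if tag == "a":
            self.href = None

def inspect_spam(raw_source):
    """Parse raw message source; nothing is rendered or fetched."""
    msg = message_from_string(raw_source, policy=policy.default)
    images, links = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            data = part.get_payload(decode=True)  # bytes for an offline decoder
            images.append({"type": part.get_content_type(), "bytes": len(data),
                           "sha256": hashlib.sha256(data).hexdigest()})
        elif part.get_content_type() == "text/html":
            parser = LinkedImageParser()
            parser.feed(part.get_content())
            links.extend(parser.linked)
    hosts = sorted({urlsplit(h).hostname for h, _ in links if urlsplit(h).hostname})
    return {"images": images, "links": links, "hosts": hosts}

# Constructed sample: placeholder bytes stand in for the image, domain is reserved.
FAKE_GIF = b"GIF89a" + bytes(20)
SAMPLE = (
    "Subject: constructed sample\nMIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="b1"\n\n'
    "--b1\nContent-Type: text/html; charset=us-ascii\n\n"
    '<a href="http://pills.example/buy"><img src="cid:img1"></a>\n'
    "<p>nonsense filler text</p>\n"
    "--b1\nContent-Type: image/gif\nContent-Transfer-Encoding: base64\n\n"
    + base64.b64encode(FAKE_GIF).decode() + "\n--b1--\n"
)

print(inspect_spam(SAMPLE)["hosts"])
```

The `hosts` list is what goes into the parser or a manual report; the image hash makes it easy to tell when the same picture arrives again with different filler text.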

There is no easy answer, right now. If you are a paying reporter, you can put the link into another parsing window to determine reporting addresses for it and add those addresses in the user reports section. More work, but gets the ISP the information. You could also do manual reporting, which is even more work.

I do the bolded part. I also send nameserver removal requests (unless for Pacnames Ltd.; they're just a front company for spammers to register names).


Hi

Perhaps this is a little OT, but I have another suggestion:

You could also consider forwarding all your spam to KnujOn.

They don't even need headers. They go after the so-called "businesses" referred to in the links, in conjunction with various law-enforcement agencies.

Have a look at their site, anyway, and see what you think. There's heaps of information there, with lots of links to further information.

If you register with them (free for private use, at least for the present), you will get an individualised reporting address, just like you get with SpamCop.

I think they're brilliant! My daily spam count has been reduced by at least 60% in the nine months since I joined up with them after the "Great BlueFrog Debacle." (If anyone doesn't know what that was - and wants to know - there is an archived BlueFrog forum over at CastleCops. CastleCops also hosts a couple of forums for KnujOn users.)

I have been religiously reporting all spam to SpamCop for almost two years now, and to KnujOn for about nine months. I am now a complete convert to this philosophy: "Never delete spam without reporting it first." Filtering and deletion (without reporting, that is) only helps the spammers.

BTW, as regards the links in the image spam, I notice that the SpamCop parser often discards the link as fake. However, if the user clicks on the image, he/she is always taken to some website or other, usually an alleged "Canadian Pharmacy" or fake mortgage broker. What I can't work out is how the fake links can work. SpamCop says the URL doesn't have a valid IP address, but somehow the link still leads to a working website. I guess there must be some very clever HTML coding for the browser to know where to go.

Anyway, it's beyond me; I now just send it all to KnujOn and let them trace the links. It's all well outside my (extremely limited) range of skills!


BTW, as regards the links in the image spam, I notice that the SpamCop parser often discards the link as fake. However, if the user clicks on the image, he/she is always taken to some website or other, usually an alleged "Canadian Pharmacy" or fake mortgage broker. What I can't work out is how the fake links can work. SpamCop says the URL doesn't have a valid IP address, but somehow the link still leads to a working website. I guess there must be some very clever HTML coding for the browser to know where to go.

Anyway, it's beyond me; I now just send it all to KnujOn and let them trace the links. It's all well outside my (extremely limited) range of skills!

This has been discussed here numerous times under many different titles. The problem boils down to the time it takes to resolve these sites and the secondary nature of the link reports.


Archived

This topic is now archived and is closed to further replies.
