
My IP address revealed in web reports?


BlackRat


I am a registered SpamCop 'reporting' user.

I've been reporting as a 'mole' since registering a couple of weeks ago. Today I felt inclined to move over to more pro-active 'munged' reporting in relation to a selection of spam that has particularly caught my attention!

So I changed my preferences accordingly, and submitted the relevant header via the web based, cookie login, form. When I previewed the resulting reports I noticed that the submission IP address - the IP address of my domain - apparently appeared at the top of every report!

I deleted all outstanding reports, checked my preferences and tried again. My IP address was still there in the previewed reports.

Have I misunderstood or misinterpreted the reports? When you preview your reports are they *exactly* what gets sent?

If this is the case how can these reports possibly claim to obscure the reporter's identity?

I apologise in advance if I have got the wrong end of the stick, and fully accept that I will be put straight in very strong and clear terms ;)

TIA

Glynn


I've tried previewing reports generated as a result of spam submitted via email. Those previews also include my IP address at the top of each report.

This appears to be the same whether my preferences are set to send complete reports or 'munged' ones.

I'm guessing that the previewed reports are *not* representative of those actually sent out - otherwise what is the point of having the 'munged' option at all?!!

Hopefully someone will be able to put my mind at rest and allow me to confidently report my spam.

Regards

Glynn


Since others have not piped in here, I believe the munging only applies to your email address as the IP addresses are important to determine the source of the message. If the last IP is munged, how can anyone (other than the person munging the IP) trust what it is reporting?

Besides, this should only be a problem for people running their own server with only a few people on it. I doubt that a spammer would be willing to listwash all of the addresses from a specific ISP or company because of a couple of reports from that server.

Personally, I never saw the sense in munging and send all of my reports out unmunged on my paid account and specifically check the box to unmunge from my free account when necessary unless I had to munge for no body found. I have yet to be listwashed from any Verio IP based lists which is the primary one I receive regularly. I have yet to be seriously attacked from any IP. I did receive a few bounces about spam I never sent, but there were less than a dozen of those.


If this is the case how can these reports possibly claim to obscure the reporter's identity?

Not having reported via SpamCop in so long, I didn't have a point of reference. Just in the nick of time, I got an incoming from one of my most favorite lowlife scumsucking outfits, so ran it through the parser, did the preview. I have no idea when that little tidbit may have been added, but personally not sure that it's all that significant. From SpamCop's end, it would help identify the source of the reports, if an issue came up, say a compromised account, someone trying to circumvent things, etc. As StevenUnderwood states, an IP address does not directly translate to an e-mail address, so unless you're handling and using your own server, there shouldn't be an identity issue in general. A somewhat more 'normal' user may not have that same IP for long anyway, that old static vice dynamic IP address thing <g>

As far as whether this data actually does go out, think the only ones that would have a clue besides Julian would be one of the Deputies .. perhaps one will stop by and answer this specific query.


Thanks Steve and Wazoo for your replies,

Unfortunately for me I do have a static IP, from which a simple tracert will reveal my domain name. I'm on an ADSL connection and have the static IP because I do run a couple of services. I use the straightforward POP3 mail service provided by my ISP, who also host my domain.

I am currently getting around 1000 failure/return notices per day, resulting from one particular 'lowlife scumsucking outfit' that is spoofing my domain name. I'd hate to upset another such outfit and have them do the same. It's just too easy a hop from my IP address quoted in a SpamCop report, to a spammer spoofing my domain!

I guess that means I won't be able to actively report - and that annoys me. I feel the need to (anonymously) be a thorn in the side of a few 'lowlife scumsucking outfits'!


At the very top of the "Preview," SpamCop shows you the basics of the headers from the message it's about to send. SpamCop always records the connecting IP of the person reporting the spam, and documents the connection in the headers of the complaint. I'm talking about the headers of the *complaint*, not the headers of the spam.

The "identity" that SpamCop obscures is the recipient's email address in the spam. Nothing else. The parse will remove the "To" and "For" addresses, and usually all the "Cc" addresses. If it finds the "To" address in the body text, it will munge it, too.

The parse can't find email addresses that have been encoded in "remove" links or such, either in the headers, or in the body. For example, username[at]domain.com can be found, but username=domain.com is not a standard format and won't be munged.

SpamCop needs full, unaltered headers in their raw state for proper tracking purposes. Modifying "received" lines to protect your identity is not allowed. Deleting your email address is an acceptable practice, but users caught altering the headers of spam in any other way will be cheerfully banned. :-)

The only way for users to assure complete anonymity is to not send the reports. Hence the "Mole" option. Mole complaints feed our blocking list database, but no reports are sent out. The act of "sending" the report to devnull (trash) accomplishes our purposes.

- Don -
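
The munging pass described in the post above, sketched as an added example (not SpamCop's parser and not part of the original post): it masks To/Cc and Received "for" addresses plus literal copies in the body, leaves the rest of each Received line untouched, then flags a `user=domain` style copy that survives. The mask token `x`, the function names and the sample message are assumptions constructed for illustration.

```python
import re

MASK = "x"  # assumed placeholder token; the thread does not show the real one
ANY_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FOR_CLAUSE = re.compile(r"(\bfor\s+<?)[^\s<>;]+@[^\s<>;]+", re.IGNORECASE)

# Constructed sample spam; every host and address is a reserved example value.
SAMPLE = (
    "Received: from mail.sender.example ([192.0.2.10])\n"
    "\tby mx.isp.example with SMTP for <user@rcpt.example>;\n"
    "\tFri, 02 Apr 2004 20:30:00 +0000\n"
    "From: Offers <promo@sender.example>\n"
    "To: user@rcpt.example\n"
    "Cc: friend@rcpt.example, other@rcpt.example\n"
    "Subject: Deal\n"
    "\n"
    "Dear user@rcpt.example, to unsubscribe visit\n"
    "http://sender.example/remove?id=user=rcpt.example\n"
)

def munge(raw, recipient):
    """Mask the recipient as the post describes; leave routing data intact."""
    head, _, body = raw.partition("\n\n")
    literal = re.compile(re.escape(recipient), re.IGNORECASE)
    out, name = [], ""
    for line in head.split("\n"):
        if not line[:1].isspace():            # a new header, not a folded continuation
            name = line.split(":", 1)[0].lower()
        if name in ("to", "cc"):
            line = ANY_ADDR.sub(MASK, line)   # drop every To/Cc address
        elif name == "received":
            line = FOR_CLAUSE.sub(r"\g<1>" + MASK, line)  # only the "for" address
        out.append(literal.sub(MASK, line))   # any other literal copy of the recipient
    return "\n".join(out) + "\n\n" + literal.sub(MASK, body)

def encoded_leaks(text, recipient):
    """Find copies of the recipient where '@' was swapped for another separator."""
    local, domain = recipient.split("@")
    pat = re.escape(local) + r"[^\s@]{1,3}" + re.escape(domain)
    return re.findall(pat, text, re.IGNORECASE)

REPORT = munge(SAMPLE, "user@rcpt.example")
LEAKS = encoded_leaks(REPORT, "user@rcpt.example")
```

A non-empty `LEAKS` list is the cue to check the message by hand before a report goes out, since the encoded copy still identifies the recipient.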


-Don-

Thanks for that, it all makes sense to me. I can understand the need to record reporting IPs - it's just a little unfortunate that those have to be passed on to the enemy. I also understand that having their IP revealed doesn't matter much to the majority of users, but in my situation it seems I'd be loading the gun, handing it to the 'scumsucker' and inviting him to do his worst!

Like I said before - I feel powerless against these bastards and that really annoys me. When I registered with SpamCop I had a naive belief that I could do something to make a difference - you live and learn don't you! Blocking or filtering alone feels like surrendering. But I suppose we're all in the same boat.

Glynn


The header of a copy of a SpamCop report I just sent myself contained

Received: from [my.ip.address] by spamcop.net	with HTTP; Fri,
 02 Apr 2004 20:36:46 +0000 (GMT)

That appears to be a tab character between "spamcop.net" and "with", making that header line look weird.


Archived

This topic is now archived and is closed to further replies.
