Address harvesting from reports?

[btech]

I'd like to bring this back into discussion.... I've found that 90% of my spam is going to my cesmail account and since I don't ever send from that account, I can only assume that it's being harvested off reports that I queue and report from the reporting site (rather than 'report as spam' from email). I believe it has something to do with the reports of spamvertized domains that go to blackhats in China... like Week5 (that reports to happie498cn[at]yahoo.com.cn) and others.

Anyone else have thoughts on this? And how can I go about changing my CESMAIL account address?

(btw, I'm not a new user, I just chose a new SN, because I didn't want to keep posting with my full name )

[edit - clipped from http://forum.spamcop.net/forums/index.php?showtopic=8000]

[Wazoo]

since I don't ever send from that account, I can only assume that it's being harvested off reports that I queue and report from the reporting site (rather than 'report as spam' from email).

Not sure you've actually described your Reporting method. Also not stated is whether you have ever looked at the Preview of any of your outgoing Reports to see if you have a valid concern/issue or not.

Anyone else have thoughts on this? And how can I go about changing my CESMAIL account address?

There is only one way ... contact the folks that own, manage, and maintain the SpamCop.net e-mail system with a really, really good reason. Conact points are provided in numerous FAQ entries, even the Wiki ... for instance, Where to get Help

(btw, I'm not a new user, I just chose a new SN, because I didn't want to keep posting with my full name )

Not sure what you mean by SN ... however, the way I read this, you chose to ignore a Forum FAQ entry, please see SECTION 7 - Change of Username When you make contact and verify that you are who I believe you are, this account will be terminated. Actually, based on a littled research, this account will be terminated even if you don't contact me.

Moderator Edit; Accounts all taken care of, some posts may still need som hand massaging ???? ... Thanks!!

[btech]

typically, I report my messages from my 'held' folder, by clicking 'Report as spam'. But in the past, I went into the mailsc.spamcop.net site, queued up messages for reporting and reported through that portal.

Since I don't ever advertise or use my cesmail account, I can only assume that the receiving email address for the spamvertized domains is scraping email addresses from the SpamCop reports. I just tested and saw that my full cesmail address is listed in the report that goes to the recipient of a spamvertized domain. In this case, it was happie498cn[at]yahoo.com.cn. Reports are disabled for this email address, but there are many others that I fear might be working with spammers and utilizing these reports for the wrong reasons.

(report in question is: http://www.spamcop.net/sc?id=z1778554839zb...7f39d24daf1505z )

[StevenUnderwood]

typically, I report my messages from my 'held' folder, by clicking 'Report as spam'. But in the past, I went into the mailsc.spamcop.net site, queued up messages for reporting and reported through that portal.

Since I don't ever advertise or use my cesmail account, I can only assume that the receiving email address for the spamvertized domains is scraping email addresses from the SpamCop reports. I just tested and saw that my full cesmail address is listed in the report that goes to the recipient of a spamvertized domain. In this case, it was happie498cn[at]yahoo.com.cn. Reports are disabled for this email address, but there are many others that I fear might be working with spammers and utilizing these reports for the wrong reasons.

If you do not munge your address data (I don't) then your address is available in EVERY report reguardless of how you send the message to SpamCop. Using the "Report as spam" link is just another way to send your reports via email to your quick.* address.

The option is available on the SpamCop reporting page, Preferences tab, Report Handling Options, spam Munging section.

And unless your address is a highly complex one, it is even more possible that the address was simply found via a dictionary attack.

[Farelf]

This topic split out from http://forum.spamcop.net/forums/index.php?showtopic=8000 on suggestion of the original poster.

[Miss Betsy]

Yes, I think that spammers do harvest email addresses from spamcop reports. Also, I believe that many of the spamvertized website reports go to spammers. I started only using quick reporting or unchecking all but the source reports because of that reason.

OTOH, I see no point in trying to mung an address. For one thing, there are so many places that spamcop does not see the address that every spam has to be looked at. For another, there are so many ways that spammers can identify a reporter without actually using an address. And, from anecdotal experience, it doesn't make a lot of difference in the amount of spam - some spammers listwashing reporters, but others harvesting addresses.

Miss Betsy

[btech]

And, from anecdotal experience, it doesn't make a lot of difference in the amount of spam - some spammers listwashing reporters, but others harvesting addresses

Well... I certainly wasn't listwashed. I started munging my address again, but it's painfully clear to me that my CESMAIL address was plucked from a SpamCop report sent and received by a blackhat. Either that, or some completely airheaded host/ISP that is oblivious to their business-goings-on with a spammer and they forwarded my SC report to them.

I tend to think it's the former of the two.

[mr_zeno]

One thing I suspect is that some spam has a unique code embedded in the subject or the email body or even the return address. When this is reported as spam they just process the code and know it's a valid email address.

[SpamCopAdmin]

One thing I suspect is that some spam has a unique code embedded in the subject or the email body or even the return address.

Keep in mind that in order to tag a spam message with a secret code that would identify the recipient, the spammer has to limit himself to only sending one message at a time so that his software can create a unique message for each recipient.

That process is *extremely* slow. For every unique message he sends so he can identify the recipient later, he could be sending that same message to thousands of Bcc recipients and increase the number of people he reaches by a factor of a thousand or more.

Spammers rely on a tiny response rate from a very few gullible people out of the millions they send mail to. All they want to do is send, send, send, to as many people as possible every day. Slow is not part of their business plan.

I know that there are occasional examples of encoded spam, but it seems to me that it comes mostly from what I call "main sleaze" spammers, which are established and known businesses who have stepped over the line in their address collection practices, as opposed to criminal spammers defrauding the public.

- Don -

It looks to me like SpamCop does a good job of deleting our addresses from the reports we send.

Anybody see my address in this?

- Don -

User-targeted report, see notes, if any.

http://www.spamcop.net/w3m?i=z3031007786z8...37f9104d705a60z

[ Offending message ]

Return-Path: <skvcgp[at]bmw.com.ph>

Delivered-To: x

Received: (qmail 29312 invoked from network); 17 Apr 2008 15:09:19 -0000

X-spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on filter7

X-spam-Level: ******

X-spam-Status: hits=6.6 tests=URIBL_AB_SURBL,URIBL_BLACK,URIBL_SBL

version=3.2.4

Received: from unknown (192.168.1.108)

by filter7.cesmail.net with QMQP; 17 Apr 2008 15:09:19 -0000

Received: from sc-smtp1-bulkmx.soma.ironport.com (204.15.82.123)

by mx71.cesmail.net with SMTP; 17 Apr 2008 15:09:19 -0000

Received: from sc-app10.spamcop.net (HELO sc-app10.soma.ironport.com) ([204.15.82.89])

by sc-smtp1.soma.ironport.com with ESMTP; 17 Apr 2008 08:09:18 -0700

Received: by sc-app10.soma.ironport.com (Postfix)

id A75D1FDF4; Thu, 17 Apr 2008 08:09:18 -0700 (PDT)

Delivered-To: x

Received: from sc-smtp2-bulkmx.soma.ironport.com (sc-smtp2-bulkmx.soma.ironport.com [204.15.82.125])

by sc-app10.soma.ironport.com (Postfix) with ESMTP id A22D6FDF3;

Thu, 17 Apr 2008 08:09:18 -0700 (PDT)

Received: from unknown (HELO [78.172.66.129]) ([78.172.66.129])

by vmx2.spamcop.net with ESMTP; 17 Apr 2008 08:09:07 -0700

Received: from [78.172.66.129] by mxa.expurgate.net; Thu, 17 Apr 2008 17:09:17 +0200

Date: Thu, 17 Apr 2008 17:09:17 +0200

From: "Annette Foreman" <skvcgp[at]bmw.com.ph>

X-Mailer: The Bat! (v2.00.0) Educational

Reply-To: skvcgp[at]bmw.com.ph

X-Priority: 3 (Normal)

Message-ID: <8754________________4439[at]bmw.com.ph>

To: x

Subject: Re: get thin easy

MIME-Version: 1.0

Content-Type: text/plain;

charset=Windows-1252

Content-Transfer-Encoding: 7bit

X-SpamCop-Checked: 204.15.82.123 204.15.82.89 204.15.82.125 78.172.66.129

[michaelanglo]

Keep in mind that in order to tag a spam message with a secret code that would identify the recipient, the spammer has to limit himself to only sending one message at a time so that his software can create a unique message for each recipient.

That process is *extremely* slow. For every unique message he sends so he can identify the recipient later, he could be sending that same message to thousands of Bcc recipients and increase the number of people he reaches by a factor of a thousand or more.

This idea is out of date. On a check 50% of the spam I receive has my address in the "To:" field and 70+% in one of the To: or CC: fields so they are individual or semi-individual.

The spammers switched to doing this at least 4 years back when the anti-spammers tried to filter on "not in To: or CC:", eg bulk mail using bcc:

Why should someone who is stealing all the resources and/or using a Zombie aka botnet care about such ?

[SpamCopAdmin]

Why should someone who is stealing all the resources and/or using a Zombie aka botnet care about such ?

How would a spammer get his hands on reports about spam coming from a zombied machine?

- Don -

[Telarin]

How would a spammer get his hands on reports about spam coming from a zombied machine?

Not to mention, even if the spammer managed to somehow get into the feedback loop and get these reports from one or more ISPs, their zombies would have to "phone home" to update a database with which codes match to which email addresses. They would then have to analyze the reports they got hold of to match them to those email addresses. Sounds like a lot of work to me, and to what ends? Harassing anti-spammers doesn't make them any more money. Listwashing might help cut down the number of reports against them, but considering the way they operate, this would not be a productive use of their time.

No, I suspect that any increase in spam to your spamcop email address or to other reporting addresses is, at best, coincidental. At worst, it may indicate that you have inadvertently compromised that address, either by using it to send email to someone with a compromised computer, or having one of your own computers compromised. Remember, once an address gets on a single spammer list, it is sold and resold until they all have it.

[ka112]

In about 20-30% of the spam I receive my uniqe part om my e-mail address is in the subject field. Therefore I think harvest is more common than is said here.

/Anders

[Wazoo]

In about 20-30% of the spam I receive my uniqe part om my e-mail address is in the subject field. Therefore I think harvest is more common than is said here.

If the spammer already has your address, noted by the fact that the spam was sent 'to you' .... how does that then backwards translate into harvesting your address ??????

At best, we may be dealing with some different definitions of the word 'harvest' ...????

[Farelf]

...At best, we may be dealing with some different definitions of the word 'harvest' ...????

'Tracking' is probably closer to the concept that is frequently thrown up in relation to these 'personalized' spam and certainly there seems to be quite a bit of it from time to time. No idea what "they" are up to but modest manual munging is permissible. Of course there is no way of knowing whether other ('coded') content also exists in these or other spam. At the end of the day, it doesn't seem to make a lot of difference though it is increasingly difficult to assess the impact of any ISP filtering which could potentially be junking huge amounts of the stuff on our behalf (together with the hypothetical volumes stopped within the source networks).

It would be fair to say that the blind scatter-gun approach is not the only 'business plan' in currency amongst the myrmidons of spamdom (may fluorescing carbuncles invest their rectal regions) though it certainly seems needlessly elaborate, effortful and self-limiting. Or, as has been suggested/implied, they just like to play with our minds, a further small unkindness within the greater torment.

[Miss Betsy]

As Wazoo says, if your email address is in the FROM, then that email address is already on a spammer list. If it is already on a spammer list, then it cannot be 'harvested.' However, perhaps it could be 're-harvested'? I doubt very much if spammers check their lists for duplicates. (that may account for the multiple copies of the same spam)

A mailing list value lies in how many addresses on it. Secondarily, its value is determined by the % of those responding. Since spammers are essentially con artists, the number of addresses is important to them. So what if a person is annoyed by multiple copies of the same spam? That person probably wouldn't respond anyway. The number of responses is not determined by the target audience or the quality of the ad, but by getting past as many filters as possible to reach the clueless buyer. That also accounts for the harvesting of known spamcop email addresses. The number of addresses is the selling point, not whether the addresses will provide a response.

I still think that a lot of spammer money comes from the selling of lists to clueless people. The list may be used only once (until the ISP stops it), but that results in people getting spam from lots of clueless people. The criminals who use spam, such as the 419 spammers, are more discriminating in sending their spam because it is worth it to them to get past the filters.

The bottom line is that once an address gets on the spammer lists, it is going to get spam - more when a spammer is successful in selling his list to more people. And even more when it is added to other lists. Many large ISPs are now dumping quantities of email from known spammer IP addresses and from zombies so that most email addresses get much less spam. If you are administering your own server and accepting all email and then sorting it, you will be getting increasing amounts of spam. There is no way around it. If you report that spam via spamcop, you may get on more lists (or get duplicated) faster, but does it matter if the spam is filtered out?

Miss Betsy

[michaelanglo]

How would a spammer get his hands on reports about spam coming from a zombied machine?

Perfectly possible even if the bot net ISP is white hat since (unless Quick Reporting) a 'bullet proof host' or even a white hat host "show that you are not spamvertising a site I host" could pass reports along.

My point however is that most spam is individual or semi-individual (cc to other addresses in same domain).

If you disagree let's see some numbers.

[Merlyn]

It looks to me like SpamCop does a good job of deleting our addresses from the reports we send.

Anybody see my address in this?

Just a note/question

The reporting IP address is posted in all reports so like me I have had the same block of static IP addresses for 10 years and the reporting IP could definately be tracked to me on a whois. Not that I care because I report a bunch and I try as hard as I can to get a copy of the report to the spammer too but just curious. This is certainly a way for the spammers to find some people. The reporting IP should not go in the reports.

[Wazoo]

My point however is that most spam is individual or semi-individual (cc to other addresses in same domain).

And you know exactly how the spammer is generating, obtaining, whatever all the names chosen for spew recipients?

If you disagree let's see some numbers.

Please .. not here. There is already a ton-load of traffic on this and other similar Topics in the Lounge area. Join one of those existing discussions.

[btech]

How would a spammer get his hands on reports about spam coming from a zombied machine?

That was actually my previous point... I see many 'report to' addresses of throwaway email addresses (which seems suspect to me) and some ISP/hosts that keep receiving email and never bounce (which are non-'abuse' addresses).

It seems to me that a spammer could pay that person an amount to have all of the SC reports forwarded to them. How else can anyone explain how my CESMAIL address is now the #1 target of the 500+ spam messages I get a day? I have NEVER emailed from that address (except to SC admins) and never reference it anywhere.

ZBYD Technology Co.,Ltd

Medical library of People\'s liberation Army

HARBIN-JAZZINESS-NETBAR

.. and I'm sure others are 'in bed' with spammers and being paid off to forward reports. Their email addresses don't bounce like many, so they obviously read or do something with the abuse reports.

[StevenUnderwood]

That was actually my previous point... I see many 'report to' addresses of throwaway email addresses (which seems suspect to me) and some ISP/hosts that keep receiving email and never bounce (which are non-'abuse' addresses).

But that would not be describing a zombie machine but rather an IP address that is complicit in the act of spamming. A zombie machine would be found on any network without the owners knowledge or consent (think ISP X). ISP X would then need to be willing to "sell" their abuse desk address out to the spammers for the spammers to get the spam reports.

Your "bogus" reporting addresses are generally going to be for large blocks of IP's. Anybody can request a block of IP's, though you will usually need to have a valid reason for a relatively large block now (used to be much easier). As I stated earlier, at my previous place of employment, our one domain was configured with the abuse address to that domain, but used a Yahoo account for Technical contact in case that domain was inoperable due to the technical issue being worked on. My current place of employment has no shortage of domains (130+ at last count) so that is not an issue.

[Farelf]

...That was actually my previous point... I see many 'report to' addresses of throwaway email addresses (which seems suspect to me) and some ISP/hosts that keep receiving email and never bounce (which are non-'abuse' addresses).

Clarifying (I thinK) where 'report to' refers to the abuse address, not to the header line item which is useless or worse in all spam.

... It seems to me that a spammer could pay that person an amount to have all of the SC reports forwarded to them. How else can anyone explain how my CESMAIL address is now the #1 target of the 500+ spam messages I get a day? I have NEVER emailed from that address (except to SC admins) and never reference it anywhere.

Ask a question ... if you Google your address you will find the helpful folk at tcrc.edu.tw have it shown in clear (since June 2006) within a SC report on one of their pages. Just guessing but this seems to be .edu.tw telling the world what a good/useable abuse report should look like and as such would be prime viewing for any and all of the world's 1.5 billion Chinese-readers having an interest/concern in or with spam.

... and I'm sure others are 'in bed' with spammers and being paid off to forward reports. Their email addresses don't bounce like many, so they obviously read or do something with the abuse reports.

The most 'economic' solution for the hardcore spammers or those cluelessly and comprehensively compromised would just be a straight-line chute to the bitbucket but anything is possible. However, having an address 'en clair' on the internet is another explanation. Can you see that page at tcrc.edu.tw? Maybe they will pull it or munge it for you but I can assure you, having an address of mine on the internet for a time, the spam will not go away when the address is finally taken off. But the volumes might 'normalize' in time. I would be talking to JT about a new address (tedious though it would be to make all the consequent changes in various places).

[btech]

oh wow... they DO have my address up there. I wonder if there's any way to get them to remove that report from their site? I munge my reports again (I did for a while, but turned that off, like an idiot), so I hope this won't be an issue in the future... damage is done it seems.

I suppose the positive in this is that I get so much spam to this address, that my reporting is doing some good to point out the exploited IPs. They should have just listwashed me... <eg>

[btech]

OK, I just reported a message that claimed to be from me, to me (horray!), but I found an error in the munging. I have munging set 'on' for all reports, yet I found the 'Delivered-To' address was intact.

http://www.spamcop.net/sc?id=z1886568202z0...e406bdee7f4181z

X-RCPT-TO: x

Received: (qmail 20780 invoked by uid 399); 14 May 2008 15:05:44 -0000

Delivered-To: x

X-RCPT-TO: x

I munged the bolded part for this forum, but check the SC report and you'll see the address is there.

[Wazoo]

OK, I just reported a message that claimed to be from me, to me (horray!), but I found an error in the munging. I have munging set 'on' for all reports, yet I found the 'Delivered-To' address was intact.

I munged the bolded part for this forum, but check the SC report and you'll see the address is there.

Specifics actually needed, though not necessarily posted. At issue, does the line not munged actually equate to the data used in the To: line? I suspect not.

Of course, the other question would be .. why are these lines (possibly) repeated? (CC: type of addressing used or just multiple addresses on one line?) (Still of the thought that the To: line contained a different address and this was the one used for munging.)