James Merrill

Everything posted by James Merrill

  1. As part of parsing a spam, I'm told that vms169131.mailsrvcs.net is not associated with any of my mailhosts. However, vms169121.mailsrvcs.net is listed as being associated with one of my mailhosts (related to my verizon.net email address). What's the easiest way to get this list updated so that I can report the spam?
  2. I'm surprised to be the first one reporting this, but I can't log in to the reporting system -- and thus I can't log in to email. Among the messages has been:
  3. Can't you post some example spam (real ones), replacing the name of the SpamCop-parse-generated spamvertised site with xyz.com (or something else)? Of course you should copy the original message out of the email you received and paste it into the "report spam" window. I spend a non-trivial time checking the content of spams myself, before reporting, so that I don't report spamvertised sites that aren't really involved. (But I'll admit I spend more time now, having seen your message.) Of course, you don't host genuinely-spamvertised sites so you don't see how many spams there are that either don't attempt to obfuscate the spamvertised site's URL, or that do it in such a way that it's not completely effective. You also can reply to the message from SpamCop. I (and probably most people) have things set up so that I get any replies from any humans that reply, but not from automatons. (How SpamCop makes that happen, I don't know. Just more magic...) If a SpamCop user has erroneously reported one of your customers, it would be good for everyone if you told them!
  4. On the page where SpamCop's analysis is presented and we get to submit the spam report, there are two changes to the HTML that I would much appreciate. They both seem quite easy to me. The first one is to use a fixed name for the "user notification" text box, rather than having it be the last in a series with a numbered suffix. That will cause the browser to think that these are all the same (which they are!), and thus to remember our previous answers as a single set, rather than as separate sets based on how many other emails will be generated for the spam. The second change is to make the "user notification" text box much wider. I often report "buy software for way too little" spams to a number of violated software publishers (in the hope that at least one will chase the bastards down and shoot them). I can't distinguish between the different lists easily when I can't see more than one address at a time. Thanks.
  5. I presume that you work for an abuse desk at a company that hosts web sites -- otherwise you would not care about reports concerning spamvertised sites. When the site of one of your customers is spamvertised, it can be presumed that the customer is a beneficiary of the spamming. They quite possibly did not have anything to do directly with the spam being sent -- they might well not have paid anyone to send the spam -- but they quite possibly have "affiliates" that get paid when someone goes to the spamvertised site with a URL that identifies the affiliate. If the URL pointing to your customer's site (it's included in the message you get from SpamCop) doesn't include any kind of identifier, it becomes more likely that they paid someone to send the spam, or they created it themselves using another ISP to do the sending (to avoid your company, a "white hat", banning them). It's either that or a Joe Job. Shouldn't you ask them about it? If they say "we had nothing to do with it" you can believe them and ask SpamCop to treat them as an innocent bystander. If the URL pointing to your customer's site includes an affiliate identifier, you should tell your customer and request that they punish the affiliate -- presumably, their affiliates are not allowed to send spam. If their affiliates ARE allowed to send spam, your customer is complicit in the spamming and you should be able to punish them (after enough complaints). What I don't understand is why you would normally need to look at logs, or parse JavaScript, or anything like that. SpamCop can't find any URLs that are built by JS. (Can you give an example?) If the site seems to be an innocent bystander, just tell SpamCop -- you don't have to figure out what the _real_ spamvertised site is to do that. Unfortunately, it seems that some of the people who replied presumed that you work for the ISP that owns the spam source, even though you would have no reason to be talking about spamvertised sites in that case.
If you have customers whose sites generate enough "spamvertised site" complaints, you should want to have them stop doing what they're doing or, if they're innocent, do something to mark them as an innocent bystander.
  6. It appears that the current version of "Quick - report immediately and trash" reporting makes no effort to look for spamvertised sites and report them. (I don't know if it ever did. I know that I was a little surprised when I noticed that.) Shutting down spamvertised sites is much more valuable, I think, than telling ISPs responsible for the mail being sent that someone on their network has an open proxy or is a Windows box that's been taken over by the bad guys. I want to shut down the spamvertised sites, so that the people who run them stop thinking that it's so close to free to send a gazillion spams. I understand SpamCop not wanting to do the spamvertised-site reporting automatically. However, it takes a _lot_ more time to report spams manually than to quick-report them, largely because we have to wait for the parsing (though some of it is checking the appropriateness of the spamvertised site analysis and waiting for the reports to be generated). How about changing the behavior of "queue for reporting"? Now, when I go to the "Report spam" page and click "Unreported spam Saved: Report Now" I have to wait for them to be parsed one at a time, and the parsing is distinctly not instantaneous. I suggest that "queue for reporting" change (internally) to "queue for parsing" so that when I go to "report unreported spam" the already-parsed results are shown. (There would have to be a re-parse button in case I want to do that, and of course if there aren't any already-parsed results ready it would do a live parse.) That would reduce the waiting time for me to report the spams manually and thus hit the owners of spamvertised sites. In the implementation, some type of daemon task could throw away parse results that are more than 30 mins or 1 hour old. 
The queued parsing could run at a lower priority than live parsing (possibly running on older, slower, not-quite-recycled machines); that could improve response time for live parsing (by spreading out the parsing effort) while reducing see-parse-results wait time for people who are reporting many spams manually. This doesn't seem to me to be a particularly difficult thing to implement, and it offers significant benefits to SpamCop and not just its users. Thanks for listening.
  7. When SpamCop's parser finds the URL of an apparently-spamvertised site, it normally reports that it has resolved the domain name to an IP (and gives info about the responsible party) or it says that the domain name cannot be resolved. I understand the issue that SpamCop has to worry about taking too long to resolve the domain name to an IP, so that sometimes there won't be info about the URL but a re-report could get info about the same URL. (If there were a database-based caching mechanism that's filled in asynchronously by the requests, that might help. But that gets into all sorts of issues about making sure that already-shut-down spamvertised sites don't cause there to be more reports to the responsive ISP who has already taken the correct action to shut down the spamvertised site, while there are lots of still-unread spams advertising it.) I'm talking about a situation that seems far too common -- the parser sees a URL and is doing the domain name lookup, but there is no result of the lookup. It's not successful in finding the IP (as it doesn't display the result), nor does it report that the name could not be resolved. There's just no info about what's happened, and the report continues as if the name could not be resolved. Here's a sample:

     [start sample]
     Finding links in message body
     Parsing text part
     Resolving link obfuscation
     http://md-white.com
     Please make sure this email IS spam:
     [end sample]

     In this particular case, as the previous 3 spams I reported this morning were all spamvertising the same site, I knew to click the "report spam" link and re-process the same spam. This time it said

     [start sample]
     Resolving link obfuscation
     http://md-white.com
     Host md-white.com (checking ip) =
     host (getting name) no name
     [end sample]

     so the report went to the (non-responsive Chinese) responsible ISP. Is it known what causes this? In pretty much every case I can recall, if I don't Cancel but go back again to the Report spam page and get SpamCop to repeat the parse (as I did here), it displays a result of the lookup. Any ideas? Thanks.
  8. I am now really confused, and a bit worried, about this. As a SpamCop email system user who doesn't use the web-mail feature (non-spam mail is forwarded to a Comcast.net "secret" email address), I normally only go to the "Held mail" page. There, I might find a message or two to forward, but normally I end up "quick reporting" almost all of the messages. I cannot remember any case where a message forwarded from the "held mail" page has not arrived. I also get a lot of summaries about my quick reporting -- 32 of them since 7/15, including one today (7/28). Don't all those messages go to the same "forwarding" account, or could I have configured some of them to go elsewhere? Only when SpamCop lets through something that I decide to report as spam do I end up going to the SpamCop "report spam" page. Should I be going there regularly, just to clear the flag in case it gets set? Is it possible to see any info about what happened when the flag gets set? (I never have any info; it always just says "Subject:" and nothing else.) If you're right that the "bounce, click if ok" message on the "report spam" page means that my forwarding account is broken, what's happening to the email that has not been "held" (because SpamCop thought it wasn't spam) when the forwarding account isn't working? Is it being thrown away? I get plenty of email, my forwarding account's mail server (Comcast) has never been down for as much as 3-4 hours (that I've noticed), and I've never seen anything from Comcast's servers that says it's rejected anything from anywhere. (And why would they be rejecting anything?) Could anyone possibly look at what's been happening re my account? My SpamCop user name is jvm_cop.
  9. Is there a chance to address the case where it's not your "secret address" but rather your spamcop.net (public) address that's bouncing? (I haven't seen a good explanation of how or why that happens, and there's never any "Subject" or mail-server message when it happens to me.)
  10. ... and it's always the case that the address that's "returning the bounce" is my SpamCop address -- that is, it's not the "forwarding" address to which SpamCop sends things when they aren't "held mail". It's my "filtered email address" that's apparently bouncing messages from SpamCop itself! I've seen other reports about this where the issue seems to be that SpamCop can't get the message to the receiving user, but when the failing address is a spamcop.net address, what does that mean is going on? I have never seen any bit of a mail server error message, and the "Subject:" has always been blank. It's happened a number of times today that I've seen the message when I click the Report spam (manually) tab. Any thoughts?
  11. I've had the "bounce flag" set for my (paid email) spamcop email account twice today; it has never been set before. The details (if you could call them that) were Subject: A test message to the bouncing address -- my spamcop address -- came through quite quickly. If it never happens again, I won't mind. How can there be a bounce issue with messages to my spamcop address that's my fault (rather than the fault of the spamcop email system)? Is there a way to find out more? Thanks.
  12. I'd guess that's true; cogentco.com seems to be making it easier for their spammer customers to run their businesses unfettered by block lists by (apparently) moving domain names around among IP addresses on a regular basis. I'm not smart enough or persistent enough to be certain of this, but for example the IP was used to send spam (to me) that said it was from airsnow.com, but airsnow.com is now and now produces this from SpamCop: host (getting name) no name host = m20.wareglobe.com (old cache) Could a spammer get off a blocklist by saying "but I just got this IP yesterday; any older abuse by my predecessor isn't my fault"? Who knows. Sigh.
  13. From what I see, it's almost as though Cogentco is complicit with the spammers. They seem to shuffle IP addresses and domain names around. Do people think they're really "in cahoots" (a true black hat) or are they just dealing with "clever" spammers as customers? For example, these excerpts from reports: airsam.com [] airsam.com [] airsam.com [] airrs.com [] airlead.com [] airiv.com [] airera.com [] warmglobe.com [] wareglobe.com [] truckmatrix.com [] truckdreams.com [] truckdreams.com [] truckcoop.com [] talkycard.com [] stockmacro.com [] squarecash.com [] (all since 13May05) seem to be quite a pattern if cogentco.com isn't involved. Oh well, on we go.
  14. I have received a quite large amount of spam that was not held by spamcop with abuse[at]cogentco.com as the proper reporting party. It has been going on for quite a while. It seems to be the case that there are a lot of different cogentco "sub-customers" involved, but from what I've seen, there has been enough that their entire block could easily have been blacklisted. I just looked into some of the messages I had to report manually (because they weren't held). One of them was one of 8 messages today; maybe this sender will get blocked before long. Another was from a block with reporting address abuse[at]esnet.com that "refuses spamcop reports" but if reported today, it would go to cogentco.com. Is cogentco.com really doing enough anti-spam work that they deserve not to have all their clients blocked? Or have they threatened to sue or something?
  15. For a couple of days now, mailsc.spamcop.net is not responding or is very slow to reply. Using www.spamcop.net works fine, so that's what I'm doing. The "held mail" link in WebMail aims at mailsc.spamcop.net...
  16. Just a comment -- I use the 0spam service as well as SpamCop (say hi to Jeff for me), but I have the challenge / response mechanism turned off. Yes, that means that I end up having to whitelist people by hand, but it's quite painless after a week or two, and having it turned off doesn't cause the problems you've got now. I think you should make it more apparent to your users that the C/R system has its enemies, and that they might be better off leaving it turned off. You should certainly encourage them to look on the 0spam site to see if there are any "pending" messages that they think are from people they know, and whitelist them. If you could find out whose "verification" (C/R) messages are resulting in spam reports, you should definitely tell them to go to the 0spam web site and manually whitelist their friends. You might ask your ISP to let you see some of the spams that have been reported; they presumably have been receiving each message that SpamCop has been counting towards your "spammer-ness." I hope they understand that you are distinctly "white hat" in the spam battle and won't worry that they might be delivering info that could cause retaliation or whitelisting etc. Good luck.