
Parsing misses subnets within an IP block


fubar


I'm fairly new here. I've been reporting spam here for a few weeks, and I've spent some afternoons looking for this issue in forums and FAQs.

A recent tracking URL that illustrates my question is

http://www.spamcop.net/sc?id=z3072941200za...ccb256d022aeaaz

As you see on the SpamCop tracking report, the abuse report email address is to the main provider's (and entire block owner's) abuse desk.

But the actual sender of spam has leased or rented a subnet or smaller netblock from the main provider and block owner. That smaller netblock (and its abuse desk email address) shows up in IP lookups that I do outside of SpamCop. The abuse email address for that subnet is listed in whois databases.

The larger block owner is a major ISP, who apparently is content to ignore spamming by some bigger customers.

If you simply take the IP shown on the tracking URL for "message source", and append it to

http://whois.domaintools.com/

ie: http://whois.domaintools.com/xxx.xxx.xxx.xxx

You'll see the subnet owned or rented by the spammer on the lower part of the whois listing.

How do I convince SpamCop to notify the actual spammer, ie: the owner of the domain that uses the smaller netblock? I'm quite happy to use any workaround, but I just couldn't find one in the FAQs and forums.

Hope at least my question is parsable.

TIA for any advice.


I think, in general, when the report goes to the 'upstream', it is because the subnet has been unresponsive. IOW, sending reports to the spammer is not at all productive. For one thing, spammers can 'listwash' or remove reporters' names from their lists and thus eventually avoid getting listed. For another, it is useless to continue to send reports to subnets who are not interested in cleaning up their networks. The 'upstream', even large and slow to react, may eventually do something.

The IP address that is listed on the spamcop blocklist is the one that the spam comes from, no matter where the report goes.

Sometimes reports go to responsible server admins who have made a mistake or otherwise let a spammer slip by and who correct the problem promptly. However, that is rare. The real value of reporting is to put the IP address that is sending spam on the spamcop blocklist so that it is filtered out before it gets to users' inboxes.

Miss Betsy


...You'll see the subnet owned or rented by the spammer on the lower part of the whois listing.
Yes, I see that.
...How do I convince SpamCop to notify the actual spammer, ie: the owner of the domain that uses the smaller netblock? I'm quite happy to use any workaround, but I just couldn't find one in the FAQs and forums.
Well, the deputies are able to override the automated results, if they are convinced of the merits. That would take an email to deputies[at]admin.spamcop.net with the subject of "Report routing - network:ID:NETBLK-ISRC-24.43.0.0/16" or similar and with your research in the body and the clear expression of exactly what reporting address you propose. Now, subnets might change fairly rapidly, which is one factor the deputies would consider. Also reporting tends to be directed more 'upstream' than 'downstream' (possibly for that reason). Anyway, the deputies would consider it all in the light of their experience.
...Hope at least my question is parsable.
:D
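An added example, not part of any post in this thread: a small Python sketch of the whois research discussed above, listing every netblock that contains a source IP with its abuse address, most specific block first, so the upstream and the sub-allocation can be compared side by side. The sample whois text is constructed (documentation address range, made-up names), the field names assume ARIN-style output (CIDR, NetName, OrgAbuseEmail), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the style of ARIN whois output: the upstream
# allocation first, the customer reassignment below it.
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-UPSTREAM
OrgAbuseEmail:  abuse@upstream.example

NetRange:       203.0.113.64 - 203.0.113.95
CIDR:           203.0.113.64/27
NetName:        EXAMPLE-CUSTOMER
OrgAbuseEmail:  abuse@customer.example
"""

def parse_records(whois_text):
    """Split whois text into blank-line separated records of key -> [values]."""
    records = []
    for chunk in re.split(r"\n\s*\n", whois_text.strip()):
        rec = {}
        for line in chunk.splitlines():
            if line.startswith(("#", "%")) or ":" not in line:
                continue  # skip comments and free text
            key, value = line.split(":", 1)
            rec.setdefault(key.strip(), []).append(value.strip())
        if "CIDR" in rec:
            records.append(rec)
    return records

def abuse_contacts(whois_text, ip):
    """Return (cidr, netname, abuse_email) for every block containing ip,
    most specific (longest prefix) first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for rec in parse_records(whois_text):
        # A CIDR line may list several comma-separated prefixes.
        for cidr in ",".join(rec["CIDR"]).split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if addr.version == net.version and addr in net:
                hits.append((net, rec.get("NetName", ["?"])[0],
                             rec.get("OrgAbuseEmail", [None])[0]))
    hits.sort(key=lambda h: h[0].prefixlen, reverse=True)
    return [(str(n), name, mail) for n, name, mail in hits]

if __name__ == "__main__":
    for cidr, name, mail in abuse_contacts(SAMPLE_WHOIS, "203.0.113.70"):
        print(f"{cidr:18} {name:18} {mail}")
```

The first row is the smallest block covering the IP and the last row is the upstream; a record with no OrgAbuseEmail line yields None for the address.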

Archived

This topic is now archived and is closed to further replies.
