[Resolved] Spamcop might reveal spammer URL was clicked

[ankman]

I can't see this was discussed before.

"The Canadian Pharmacy" is since a few days (and with additional measurements since today) using (very likely) unique subdomains. Here is one of a recent spam (click it if you want, I already reported via Spamcop)

http://05098.whichhot. com/ (remove the space)

Every spam I receive has a different subdomain (is I guess how you call those). Since today they also add a unique sort of session ID at the end.

I fear (and it seems it is true since after I started reporting spam from this spammer increased massively) that Spamcop is confirming that the mail was read and the link was clicked to the spammer. As in the reports I can see the full domain, not altered. It's so also send to the (bullet proof) hoster in China of the spammer (Chinatietong and other fu**ers).

[dra007]

I doubt spammers take time nowdays to identify reciepients..they have millions of botnets to send to...

[SpamCopAdmin]

Spamcop is confirming that the mail was read and the link was clicked to the spammer.

How is the confirmation being accomplished?

- Don D'Minion - SpamCop Admin -

.

[ankman]

How is the confirmation being accomplished?

Despite dra007 says they have botnets, which is true of course, I know that if you place an order (I did several tests with newly created email addresses of mine and placed test orders on pill or Rolex spammers, to see what happens) that all spammer bomb you with even more spam. The (fake) name given in the form is used often in the subject line ("Dear Clint Eastwood", they don't really check if it could be real or not :-). Or you get a reminder to refill, with a listing of your (failed, of course) test order you placed before.

You are a "valuable" customer then.

I assume those unique subdomains tell the spammer who is interested and send him more (possibly even different that others receive) spam.

What reason would those unique subdomains, and now also this session-ID like thing they put behind the URL, otherwise have?

If an URL is black listed - for evaluating if a mail is spam or not - it doesn't matter for my knowledge if this URL has unique parts before or after and gets recognized anyway.

[turetzsr]

Spamcop is confirming that the mail was read and the link was clicked to the spammer.

How is the confirmation being accomplished?

know that if you place an order (I did several tests with newly created email addresses of mine and placed test orders on pill or Rolex spammers, to see what happens) that all spammer bomb you with even more spam.

<snip>

...Sorry but I don't see an answer to Don D'Minion's question .... You say you placed an order which was followed by even more spam. That makes some sense. But what is the step that causes you to conclude that "Spamcop is confirming that the mail was read and the link was clicked to the spammer."? I can see how this might happen if SpamCop offered (and you accepted that offer) to report the spam to the spammer because the spammer registered her/his e-mail address as the abuse reporting address but I don't see how SpamCop could have otherwise done what you accuse it to have done. Can you explain further to those of me who aren't able to see the connection? <g>

[ankman]

<snip>...Sorry but I don't see an answer to Don D'Minion's question .... You say you placed an order which was followed by even more spam. That makes some sense. But what is the step that causes you to conclude that "Spamcop is confirming that the mail was read and the link was clicked to the spammer."? I can see how this might happen if SpamCop offered (and you accepted that offer) to report the spam to the spammer because the spammer registered her/his e-mail address as the abuse reporting address but I don't see how SpamCop could have otherwise done what you accuse it to have done. Can you explain further to those of me who aren't able to see the connection? <g>

Okay, sorry for that. Spamcop has nothing to do with my test orders. I used it as example what happens when a verification link in spam gets clicked. Even without placing orders you get more spam.

I assume the spammer has a database. The subdomain part is assigned to the email address the spam got sent. So clicking (even "wget --spider", what Spamcop probably does in some way when checking whom an URL belongs to) the link tells the spammer who clicked it.

You might probably recall the old method. who_ever.com]http://www.spammer.tld?email=what_ever[at]who_ever.com

That is to obvious and Spamcop replaces the email address by an "x".

What I reported here seems to be another method of link verification. And I fear that Spamcop here, not replacing the subdomain by something, confirms the link was clicked when the spam gets parsed.

[agsteele]

What I reported here seems to be another method of link verification. And I fear that Spamcop here, not replacing the subdomain by something, confirms the link was clicked when the spam gets parsed.

OK, I think that you're saying that a Spamcop submission which does not obfuscate the spammers link could allow the spammer to see that a specific recipient addressee had reported and, implicitly, that Email address is functioning.

But honestly, I doubt that's happening. The botnet scenario is so effective in distributing spam that the time and effort involved in working through Spamcop reports is undoubtedly too much effort.

Thanks for raising the question but I think you are mistaken in your conclusions.

Andrew

[Telarin]

As far as I go, Spamcop never "visits" (with WGET or otherwise) links in emails. The most action it takes is to do a DNS lookup on the site itself. I SUPPOSE if the spammer had full control of the DNS servers AND used a different host name for each spam sent out that they could build a list of which host names have ever had their DNS A record queried, but I don't think that would be practical in most if not all situations. As far as data in the querystring portion of the URL, that would not go through, as only the host.domain.tld portion would ever be queried against the DNS server.

[ankman]

OK, I think that you're saying that a Spamcop submission which does not obfuscate the spammers link could allow the spammer to see that a specific recipient addressee had reported and, implicitly, that Email address is functioning.

More, checking that the owner clicks the link.

But honestly, I doubt that's happening. The botnet scenario is so effective in distributing spam that the time and effort involved in working through Spamcop reports is undoubtedly too much effort.

Thanks for raising the question but I think you are mistaken in your conclusions.

Well... All right then. It was later explained Spamcop merely does a DNS lookup. Then I see no problem there anymore.

Thanks all.

[turetzsr]

More, checking that the owner clicks the link.

...Or perhaps there's a Web-Bug (a.k.a. Web beacon, tracking bug, pixel tag, clear gif) in the spam e-mail and you are somehow triggering it yourself (the SpamCop parser wouldn't do that)?

Well... All right then. It was later explained Spamcop merely does a DNS lookup. Then I see no problem there anymore.

Thanks all.

...Thank you for letting us know you are satisfied with the responses! <g>