
SpamCop will not report virus spams



Since February 2004 I have been receiving about one spam mail a week containing a virus. A number of times I pulled these from the server (using SpamCombat) in order to report them to SpamCop, during which process the virus was detected and removed by my Norton antivirus. Normally I am a mole. However I used the SpamCop report on the virus spams to send personal complaints to the ISPs listed in the report, together with a copy of the report including the IP of the probable sending machine. This was very useful as without the SpamCop report I would never have been able to figure out who the ISP was, what the spammer IP was, or a host of other important things.

However, because of the continuing virus spams I have had to change my policy. I no longer pull down "my" spam but report it directly from webmail on my server (dds.nl), then delete spam and pull down clean mail. This is because I am afraid that if I receive and pull down multiple virus spams, my antivirus will be overwhelmed (it has already had a double virus spam, and it was unable to delete the second, though fortunately I was able to delete it manually). In the webmail application it is often very difficult even to see if there is a virus attachment. They seem to be being concealed with increasing cleverness. And anyway, when sending spam reports I want to do as little with the spam, with its often highly offensive content, as possible.

The method of forwarding to SpamCop I now use in my webmail (which strongly resembles the SpamCop webmail, which I've just started using) is as follows. Click on the spam (yuk! - could this also be sending a confirmation to the spammer?) and the spam opens in clear text (which is usually mercifully blank or contains only anti-Bayesian poetry), with the HTML as a separate icon. Click on "Message Source" and the HTML source opens in a separate Notepad-style box. Copy and paste the entire content of this box into a message to my SpamCop reporting address and send. I should add that all attempts I made to simply forward the mail by webmail to SpamCop resulted in a "SpamCop encountered errors" message, whereas this method is usually successful (although about 30% "Could not parse header", but that's another topic which I will post about if I have time and my ground on this hasn't been covered already). I assumed that by doing this I was only sending the spam header and body in clear text and without attachments including viruses.

However, the first virus spam I reported this way (I didn't even notice this one came with a virus) produced a report suddenly broken off with a blood red message "This message looks like a virus, will not report. Do not report viruses as spam! Nothing to do." (report link now removed - we don't want the spammers following it and harvesting my info)

Help! Why won't SpamCop accept reports of spam if the spam contained a virus? Am I, using the method described, unintentionally sending the actual virus to SpamCop? Obviously I don't want to do that and I realise that if I did, SpamCop must block and destroy the virus like all of us. But I do hope that SpamCop don't consider that spams which originally contained viruses are not spams, because they are the worst sort of spam! As available open relays are becoming scarcer, spammers I fear are increasingly taking to the use of spammed viruses with a payload which turns the victim's machine into an open relay, which is why I expect there to be more and more of these odious weapons. Surely fighting this development should be a high priority for SpamCop? And these developments are certainly an important reason for me to be seeking refuge with SpamCop.

So, can somebody tell me whether this method of reporting is sending the virus with the spam report? If not, can somebody tell me why SpamCop apparently considers spammed virus not to be spam? By opening the spam on the server, am I sending the spammer a confirmation? Fourthly, can someone in authority tell me what SpamCop's position is on the spamming out of viruses and the ominous threat of multiple spam-virus attacks designed to enslave new machines as open relays? And surely by breaking my mole "cover" and manually and explicitly sending my full SpamCop report to the ISP and other report addresses I am making the best possible use of SpamCop to help me fight back?


Spamcop is not intended to report viruses and it is against spamcop policy to try to use it for that. Most viruses come from compromised machines with trojans, not from spammers, and virus complaints are handled differently by the ISP's.

Use spamcop to identify the reporting address of the origination IP only, then send the complaint manually to that address. Indicate in the Subject field that it is a virus report. Do not include the virus attachment with your report -- many ISP's will automatically bounce a complaint with a virus in it.


Wazoo, thanks for your very speedy advice and I will follow it.

But I would like to point out that what I am trying to do is exactly what is described in link 125: "... parse the header through SpamCop, or use SpamCop's email submission system (send the basic message only, not any attachments) to find the contact address for the originating ISP." I am not trying to report the virus to SpamCop, but what I believe to be the spam that it was brought by.

And as I said I often simply do not know beforehand whether an unsolicited e-mail from someone I don't know with an unrecognisable subject, link obfuscation and the usual stuff (that to me is spam) contains a virus.

The SpamCop report in question does give me the originating IP and their ISP, so I have enough to use it as you say, but I was a bit thrown by the blood-red lettered termination. Can I take it that by using SpamCop in this way, I am not upsetting anybody at SpamCop?

And I would still appreciate an answer from anyone about the safest method for sending such a mail, i.e. at all costs not sending on the virus attachment to SpamCop or anyone.

Thanks


The SpamCop report in question does give me the originating IP and their ISP, so I have enough to use it as you say, but I was a bit thrown by the blood-red lettered termination. Can I take it that by using SpamCop in this way, I am not upsetting anybody at SpamCop?

The parser software is programmed to use that red lettering to get the attention of someone who doesn't know they are parsing a virus. If you know that you are parsing a virus, and did not intend to send a report through spamcop, you don't have to take it personally. The parser, being a program, doesn't know your motive.

And I would still appreciate an answer from anyone about the safest method for sending such a mail, i.e. at all costs not sending on the virus attachment to SpamCop or anyone.

The best way to report such email to the proper abuse desk is to send only the headers with a note about the virus that was found. You should never send the attachment.

If you are using web email, it is probably not possible for you to get the headers. I think before you try to report viruses, you should learn a little bit more about email and how it works. It is ok to just delete them. Someone else will report them.

Several people say that spam contains the virus. Perhaps, I am defining spam differently, but none of the UCE I receive has ever contained a virus and none of the viruses I have received ever looked like a UCE to me. I agree with the people who say that viruses are a class of UBE, but none of the viruses seemed to be anything but what that virus puts in its email to get you to open the attachment.

Miss Betsy


I receive 3-4 virus spams a day, usually after I report a bunch of regular spams; most come with a short message informing me of a cute little girl and are in JavaScript. Note that my server checks for both spam content and virus, yet some of these e-mails make it through the filter:

Return-Path: <rightly[at]loughlen.freeserve.co.uk>
X-Original-To: :D [at]my.isp
Delivered-To: ads5[at]stargate.pitt.edu
Received: from localhost (localhost [127.0.0.1])
  by smtp-ext-xx-priv.mx.pitdc1.stargate.net (Postfix) with ESMTP id CE3425213A
  for < :D [at]my.isp>; Sat, 17 Apr 2004 04:34:30 -0400 (EDT)
Received: from smtp-ext-xx.mx.pitdc1.stargate.net ([127.0.0.1])
  by localhost (smtp-ext-03 [127.0.0.1]) (amavisd-new, port 10024) with LMTP
  id 03688-01-90 for < :D [at]my.isp>;
  Sat, 17 Apr 2004 04:34:30 -0400 (EDT)
Received: from 61.49.130.113 (unknown [61.49.130.113])
  by smtp-ext-xx.mx.pitdc1.stargate.net (Postfix) with SMTP id 60DEF51E6B
  for < :D [at]my.isp>; Sat, 17 Apr 2004 04:34:17 -0400 (EDT)
Received: from unknown (HELO JFBDFCHDKCI) (192.168.49.34)
  by 61.49.130.113 with SMTP;  17 Apr 2004 01:23:54 -0700
Message-ID: <00d401c42455$4dd76b80$d742fad3[at]JFBDFCHDKCI>
From: "neala" <rightly[at]loughlen.freeserve.co.uk>
To: " :D [at]my.isp" < :D [at]my.isp>
Subject: have you seen her
Date: Sat, 17 Apr 2004 01:23:47 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_00D1_01C42462.53AEC832"
X-Priority: 3
X-Virus-Scanned: by amavisd-new at mail.stargate.net
X-spam-Status: No, hits=3.5 tagged_above=-999.0 required=5.5 tests=BAYES_50,
  HTML_90_100, HTML_MESSAGE, PRIORITY_NO_NAME, RATWR7a_MESSID,
  TO_ADDRESS_EQ_REAL
X-spam-Level: ***

This is a multi-part message in MIME format.

------=_NextPart_000_00D1_01C42462.53AEC832
Content-Type: multipart/alternative;
  boundary="----=_NextPart_001_00D2_01C42462.53AEC832"

------=_NextPart_001_00D2_01C42462.53AEC832
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable

this is plain text part

------=_NextPart_001_00D2_01C42462.53AEC832
Content-Type: text/html;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dutf-8">
<STYLE></STYLE>
</HEAD>
<BODY><B>This message</B> has a sweet girl waiting for you</BODY>=
</HTML>

------=_NextPart_001_00D2_01C42462.53AEC832--

------=_NextPart_000_00D1_01C42462.53AEC832
Content-Type: text/html;
  name="surtax.html"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
  filename="surtax.html"

<script language=3D"javascript">
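The procedure recommended earlier in this thread (use the parser only to find the originating IP and its abuse contact, then mail the headers with a note, never the attachment) carried through in code, as an added example that is not part of the thread and not SpamCop's own parser. The sample message is constructed from the header chain posted just above, with the redacted recipient replaced by user@example.net and the JavaScript attachment body replaced by a placeholder; the TRUSTED_BY relay suffixes are an assumption taken from the sample's own "by" hosts and must be your own MX names in practice.

```python
"""Added example: trace the originating IP of a spam/virus mail through its
Received chain and build a headers-only abuse report that never carries the
body or the attachment. Stdlib only; a reimplementation of the procedure
described in the thread, not SpamCop's code."""
import email
import ipaddress
import re
from email import policy
from typing import List, Optional

# Constructed sample based on the header chain posted in the thread, with the
# redacted recipient replaced by user@example.net and the JavaScript
# attachment body replaced by a harmless placeholder.
SAMPLE = """\
Return-Path: <rightly@loughlen.freeserve.co.uk>
Delivered-To: user@example.net
Received: from localhost (localhost [127.0.0.1])
\tby smtp-ext-xx-priv.mx.pitdc1.stargate.net (Postfix) with ESMTP id CE3425213A
\tfor <user@example.net>; Sat, 17 Apr 2004 04:34:30 -0400 (EDT)
Received: from smtp-ext-xx.mx.pitdc1.stargate.net ([127.0.0.1])
\tby localhost (smtp-ext-03 [127.0.0.1]) (amavisd-new, port 10024) with LMTP
\tid 03688-01-90 for <user@example.net>; Sat, 17 Apr 2004 04:34:30 -0400 (EDT)
Received: from 61.49.130.113 (unknown [61.49.130.113])
\tby smtp-ext-xx.mx.pitdc1.stargate.net (Postfix) with SMTP id 60DEF51E6B
\tfor <user@example.net>; Sat, 17 Apr 2004 04:34:17 -0400 (EDT)
Received: from unknown (HELO JFBDFCHDKCI) (192.168.49.34)
\tby 61.49.130.113 with SMTP; 17 Apr 2004 01:23:54 -0700
From: "neala" <rightly@loughlen.freeserve.co.uk>
To: <user@example.net>
Subject: have you seen her
Date: Sat, 17 Apr 2004 01:23:47 -0700
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

This message has a sweet girl waiting for you
--b1
Content-Type: text/html; name="surtax.html"
Content-Disposition: attachment; filename="surtax.html"

<html><body><script language="javascript">/* payload removed */</script></body></html>
--b1--
"""

# Hostname suffixes of the relays we control. Assumption: taken from the
# sample's own 'by' hosts; substitute your own MX names.
TRUSTED_BY = ("stargate.net", "localhost")

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def originating_ip(msg, trusted_by=TRUSTED_BY) -> Optional[str]:
    """Each Received line was written by its 'by' host, so only lines written
    by our own relays can be believed. The 'from' IP of the lowest such line
    is the machine that handed the mail to us. Everything beneath it (here the
    192.168.49.34 HELO line) was written by that machine and is ignored."""
    origin = None
    for received in msg.get_all("Received", []):
        parts = re.split(r"\s+by\s+", str(received), maxsplit=1)
        if len(parts) != 2:
            continue
        from_part, by_part = parts
        by_host = (by_part.split() or [""])[0]
        if not by_host.endswith(trusted_by):
            break  # crossed the trust boundary: stop reading
        m = IPV4_RE.search(from_part)
        if m:
            try:
                origin = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # not a real address, e.g. 999.1.1.1
    return origin


def attachment_names(msg) -> List[str]:
    """Names only: the report describes the attachment, never includes it."""
    return [part.get_filename() or "(unnamed)"
            for part in msg.walk()
            if part.get_content_disposition() == "attachment" or part.get_filename()]


def headers_only_report(raw: str, note: str) -> str:
    """The mail to the abuse desk: a clear subject, a note, the origin IP, the
    attachment names, and the raw header block. The body is never copied, so
    no AV at the receiving end can trip on it."""
    msg = parse(raw)
    origin = originating_ip(msg) or "unknown"
    header_block = raw.split("\n\n", 1)[0]  # everything before the first blank line
    return "\n".join([
        f"Subject: VIRUS REPORT (headers only, attachment not included): {origin}",
        "",
        note,
        f"Originating IP (lowest hop logged by our own relays): {origin}",
        "Attachment names seen: " + (", ".join(attachment_names(msg)) or "none"),
        "",
        "---- full headers ----",
        header_block,
    ])


if __name__ == "__main__":
    print(headers_only_report(SAMPLE, "Attachment surtax.html was flagged by AV; not forwarded."))
```

Running it prints a report whose only copy of the message is the header block. The Received line below the trust boundary (the private 192.168.49.34 HELO) is deliberately ignored because the 61.49.130.113 machine wrote it and could have forged it; that is also why the report names the lowest hop our own relays logged rather than the bottom line of the chain.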

Though there are some out there that would call JavaScript a "virus" ... I don't actually see a virus in your sample ..?? Note that you did stop the flow at the start of the JavaScript section, but .... was this supposed to be a sample of a virus-bearing spam?


I removed the JavaScript virus, would you really want me to paste it here?

PS. If I attempt to open or forward these e-mails Norton quarantines the virus, Netsky in most! This was actually the file attached to the e-mail:

Content-Disposition: attachment;
  filename="surtax.html"


Well, yes, the HTML is the "envelope" for the JavaScript ... what I was looking at was the line "X-Virus-Scanned: by amavisd-new at mail.stargate.net" that didn't seem to set off the clangers and flashing lights .... thus the question as to "was it a virus?"


If you are suggesting that I should open every single virus I get, just to be sure it was a virus, no thanks! I have received a lot of these e-mails; when checked, lo and behold, Norton detected the virus...

Tell me how to safely send you next attachment I get and I will!


I don't think the attachment is necessary. It is the subject lines and the name of the attachment (which probably Norton does not delete).

I forget what kind of email reader you are using. I use the Message Source in Outlook Express to read *any* email including undeliverable email that I am not expecting. I have gotten spam (UCE) that has included an attachment. Since I never open them and apparently the way I have OE set up, even if I forward them as attachments, my AV (McAfee) doesn't go off. So I have to be able to recognize viruses by subject line and attachment file name.

There is someone else who seems to receive viruses /without/ the payload after reporting spam. If that is what you are receiving, then that explains why the virus scanner that your IT department runs is letting them through. They will want to be conservative on attachments (since I assume you get a lot of them as normal email). However, Norton perhaps identifies them as viruses even though the actual payload is missing. That's all just plain guessing - not even an educated guess.

People are on different lists. In the newsgroup, someone will post that they have a decrease or a marked increase and someone else will answer them with an opposite experience. There was one spam I was getting daily and there was only one other poster who seemed to be receiving it.

People will say that they are getting spam that the spammer has disguised as a bounce when it is not sent from the spammer. The spammer has sent it to forged email addresses that are bouncing. That is a different problem than a spammer who really has disguised a spam as a bounce message so that spamcop reporters cannot report it.

IMHO, saying that the spammer sends you viruses in response to reports may not be accurate. It may be something else entirely that the spammer is only indirectly responsible for or it may be totally unconnected (for instance, the time you report your spam is just before the time that some infected machine sends out its payload).

I am not saying that it is impossible or even improbable. I would just like to see a little more evidence to support your theory.

Miss Betsy


Thanks to all the folks who have given me advice so quickly.

I have now transferred to my paid SpamCop mail account and it seems to be working like a dream. The quick reporting works really well and I assume I can now stop worrying about what may happen if there's a virus among the spams. I read in mrmaxx's post that he just reported 1000 spams by quick reporting, and I can't imagine that he checked them all first to see if they were UCE or UBE.

Miss Betsy you are right that at the moment most viruses and worms don't seem to be doing anything much other than opening backdoors and sending copies of themselves, but I still think we should be getting ready for the developments I described. W32.HLLW.Fizzer[at]mm and W32.Sobig.F[at]mm (Symantec names) both start up their very own little SMTP server when executed, and it's not hard to guess what that can be used for. (See:

http://www.monitor.ca/monitor/issues/vol10iss11/online.html

http://www.pcworld.com/howto/article/0,aid,111636,00.asp

).

As my Help questions are now cleared up, if I feel like expounding on "background, history, philosophy, etc .... " I'll do it in the Lounge (not all over the carpet I hope).

Yours ever



You are actually expected to make sure that what you are reporting are spams -- not viruses and not good mail. If you report viruses and we receive a complaint from an abuse desk and/or notice it for some other reason then your account may be suspended. Ditto if you report good mail -- i.e. mail that you asked for.


If you report viruses and we receive a complaint from an abuse desk and/or notice it for some other reason then your account may be suspended.

And there was me thinking we'd got this cleared up and sorted!

At the moment I get about 100 spams a week, and about 1 virus a week. The viruses usually look like spams to me. I can't tell the difference. But if I report a virus mail to the SpamCop parser then I may be suspended. And I only just joined.

Rather than run that risk, I am going to stop reporting spam for the time being.


If a spammer slips in a virus that you don't know about it's not your fault and you should appeal any suspension associated with it. Spamcop users should not be expected to be omniscient, especially with the difficulty of finding clear documentation and guidelines covering all the details needed. But you can normally spot a virus. For example, if unexpected email -- especially from someone you don't recognize -- has an attachment that looks like it may be executable and a message that only says something like 'read this document' or 'here is your document', it's probably a virus. If you think something is spam and spamcop tells you it's a virus it won't report, then don't try to report it manually. Someone more familiar with spamcop operations than I am should elaborate on what you should do.



If you are the first person to receive some new variant of a virus and the AV programs aren't updated yet then yes you might accidentally report a virus -- although the fact that an email has an attachment is usually a good sign that you should stop and think about whether it might be a virus or not. We *do* expect that SpamCop users are updating their AV dat files regularly -- once a week is not enough nowadays and daily would be good, or every other day -- and that your AV program should be catching the known viruses.

We are not going to bash you to death with the cluebat but we are going to get testy if it appears that a user is reporting older viruses or is reporting something that has distinct signs of being a virus.

If you do receive a virus or multiples and want to drop a personal note to the ISP abuse desk, you can parse the headers, note where SC would have reported it, click cancel reports if that button comes up and then write to those addresses manually. Or just delete the virus mail.

What I usually do is to delete the virus mails unless I notice that it is the same IP sending them repetitively. For example at one time I was getting multiple viruses a day from some IP in Estonia and so I wrote the abuse desk a note about it.


Spamnophobic is now using a "paid SpamCop mail account", so depending on where the incoming spam is viewed it may or may not be checked by the client AV. Does the spamcop mail system have its own AV?

Also, watch out for encoded spam bodies that, depending on where and how they are viewed, may show up as unreadable 'gibberish', but which are actually only base64 encoded, not executable like a virus. The Spamcop parser automatically reads this encoding but if you encounter it raw you can translate it using a decoder like the one at http://www.toastedspam.com/decode64. If the code doesn't translate into text, be suspicious of it (but it still might be only an image).

Of course none of this automates the procedure, and it requires time and effort, but spamcop is not intended to be completely automatic; it's a mechanized tool requiring that the user know what he is doing.

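Following up on the base64 point in the post above, an added example that is not from the thread and is not the toastedspam decoder: decode each base64 part by hand and judge the resulting bytes by magic numbers and printability, so an unreadable blob can be told apart from an image, an executable or a script-carrying HTML file without opening anything. The three-part message is constructed here; the filename surtax.html is reused from the sample earlier in the thread, and the payloads are encoded at import time rather than pasted.

```python
"""Added example: decode base64 MIME parts by hand and classify what came out
(readable text, a known image, an executable, or script-bearing HTML) before
deciding what to do with the message. Stdlib only; not SpamCop's decoder."""
import base64
import email
from email import policy
from typing import List, Tuple

# Constructed sample (not from the thread): three base64 parts, a spam text,
# the first bytes of a GIF, and an HTML attachment carrying a script tag.
_TEXT = b"Cheap meds, no prescription: http://pills.example.invalid/"
_GIF = b"GIF89a" + bytes(24)
_HTML = b'<html><body><script language="javascript">/* payload removed */</script></body></html>'


def _b64(data: bytes) -> str:
    # encodebytes wraps at 76 columns and ends with a newline, like a real MUA
    return base64.encodebytes(data).decode("ascii")


SAMPLE = (
    "From: someone@example.invalid\nTo: user@example.net\nSubject: hello\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"xyz\"\n\n"
    "--xyz\nContent-Type: text/plain; charset=\"utf-8\"\nContent-Transfer-Encoding: base64\n\n"
    + _b64(_TEXT) +
    "--xyz\nContent-Type: image/gif; name=\"pic.gif\"\nContent-Transfer-Encoding: base64\n\n"
    + _b64(_GIF) +
    "--xyz\nContent-Type: text/html; name=\"surtax.html\"\nContent-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename=\"surtax.html\"\n\n"
    + _b64(_HTML) +
    "--xyz--\n"
)

# Leading bytes that identify common binary formats regardless of the
# declared Content-Type, which the sender controls and may lie about.
MAGIC = [
    (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"MZ", "executable (PE)"), (b"PK\x03\x04", "zip archive"),
]


def classify(data: bytes) -> str:
    """What a decoded body actually is, judged from its bytes alone."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary (unknown; be suspicious)"
    if not text or sum(c.isprintable() or c in "\r\n\t" for c in text) / len(text) < 0.95:
        return "binary (unknown; be suspicious)"
    if "<script" in text.lower():
        return "html with script (hostile; do not open)"
    return "text"


def decode_parts(raw: str) -> List[Tuple[str, str, str]]:
    """(declared content-type, classification, short preview) for every
    base64-encoded leaf part; other parts are left alone."""
    out = []
    for part in email.message_from_string(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        if str(part.get("Content-Transfer-Encoding", "")).lower() != "base64":
            continue
        # get_payload() without decode=True hands back the raw base64 text,
        # which is what you would see in a message-source view.
        data = base64.b64decode(part.get_payload(), validate=False)
        kind = classify(data)
        preview = data[:40].decode("utf-8", "replace") if kind == "text" else repr(data[:8])
        out.append((part.get_content_type(), kind, preview))
    return out


if __name__ == "__main__":
    for ctype, kind, preview in decode_parts(SAMPLE):
        print(f"{ctype:12} {kind:40} {preview}")
```

The magic-number check runs before the text check on purpose: an image or an executable decoded as UTF-8 can look like text by accident, but a PE file always starts with MZ and a GIF with GIF8, whatever the part's Content-Type claims.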

Does the spamcop mail system have its own AV?

Yes and it silently discards the message with no warning to the receiver (that was turned off about a year ago and never turned back on) and I suspect no warning to the sender, though I can not confirm that.

The checkmark in the Options section does nothing at this time.


(snip mega quote)

You are actually expected to make sure that what you are reporting are spams -- not viruses and not good mail. If you report viruses and we receive a complaint from an abuse desk and/or notice it for some other reason then your account may be suspended. Ditto if you report good mail -- i.e. mail that you asked for.

Ellen, et al:

I do look over the spams, but with over 1000 messages in a 2-3 day period, there's no way I have time to open each one and verify that each one is a spam and not a virus, etc. I use quick-reporting because it's just that -- Quick. Having to open each and every individual email in my held mail folder is not possible.

As I said, I do look at the sender and the subject line. I may inadvertently attempt to report a virus or something once in a great while, but I'm pretty darn sure that 99.999% of everything I report is spam. I don't think you or Julian or Don could do any better. :) Your job is to help administer the reporting system. I have a job too - it's called PC Tech / Help Desk. I also have a wife and a life. I don't know about you, but my spouse does not like me spending hours upon hours reviewing spam to report it, so I give it a quick once-over to make sure I don't inadvertently report something that's not spam and hit "report as spam" after selecting all messages and deselecting anything I want to keep or report the old-fashioned way. :-)

I don't know that I'm following the letter of the law when it comes to using SpamCop, but I believe I'm following the spirit of the law. Again, I don't promise I'll never report a virus or non-UCE/UBE, but I don't purposely do it.



mrmaxx,

...No one expects you to report every darned last bit of spam you receive. Prioritize, decide how much time you have to devote to it, and report in descending priority order until you hit your time limit. No one will flame you for failing to report all of it! :)


(snip my quotes)

mrmaxx,

...No one expects you to report every darned last bit of spam you receive.  Prioritize, decide how much time you have to devote to it, and report in descending priority order until you hit your time limit.  No one will flame you for failing to report all of it! :)

Heck.. if I did that, I'd never have time to report anything. My point is that 99.9% of the spam I get is blatantly spam. All this sildenafil citrate and viagra and other stuff makes up about 80% of it. The rest is various scams and such. Again, I don't know that there's not a virus in there, but then again I trust SpamCop's virus scanner to nuke such things. :)

I want to make it perfectly clear that I *do* look at the subject and sender lines before I click "report as spam" and if there's anything that looks like it might be an admin message, or a real bounce (not a spam thats crafted to appear to be a bounce, but a true bounce) I open it in another window and double-check that it really is a spam. I don't want to give anyone the impression that I click on "select all" and then "report as spam" without even looking. :)



Well you know what the policies are ... I don't know what more you want me to say.
