URLs Resolving Limitation

[ohmniscient]

Hi Spamcop providers,

I have seen that several spams have many URLs, but when the number of URL is high, the URL resolving module states: "too many links" and ignore all URLs. It does not happen when you have, for example, 5 URLs. Why does it have to be everything or nothing? In many cases, the several URLs in the spam point to the same IP, therefore, a few URL resolving would be enough for reporting.

It would be great if the system allowed unlimited URL resolving or at least a limited number of URLs to resolve independently of the numbers of URLs within the spam.

thanks in advance

[petzl]

I have seen that several spams have many URLs, but when the number of URL is high, the URL resolving module states: "too many links" and ignore all URLs. It does not happen when you have, for example, 5 URLs. Why does it have to be everything or nothing? In many cases, the several URLs in the spam point to the same IP, therefore, a few URL resolving would be enough for reporting.

It would be great if the system allowed unlimited URL resolving or at least a limited number of URLs to resolve independently of the numbers of URLs within the spam.

Just to do with time it takes to resolve a URL

Look at SpamCop's graph if a link does not resolve quick SpamCop drops it

If it didn't SpamCop reporting would slow

[rconner]

I have seen that several spams have many URLs, but when the number of URL is high, the URL resolving module states: "too many links" and ignore all URLs.

As you may already have gathered, the operators of SpamCop consider it their primary mission to pinpoint sources of spam mailings (to feed into the SpamCop Blocking List) more so than to identify websites used in spam.

SpamCop will offer to report websites for you, but there are definite limits, some having to do with resources like CPU time as petzl says. One other obvious limitation is that SpamCop can't tell whether a given URL found in a spam message is part of the spam operation, or just happens to appear in the message (i.e., "noise" added by the spammer or others). This would be true in spades for a message containing a dozen or more links (I once got one that had over 80 links, of which only two were relevant to the spam). Humans are much better at this work than computer programs.

There are other places and other techniques to deal with the spam website problem specifically if you want to go more in depth.

-- rick

[turetzsr]

Just to do with time it takes to resolve a URL

<snip>

<snip>

SpamCop will offer to report websites for you, but there are definite limits, some having to do with resources like CPU time as petzl says.

<snip>

...Note that the requester has allowed for that (emphasis mine):

<snip>

a few URL resolving would be enough for reporting.

It would be great if the system allowed unlimited URL resolving or at least a limited number of URLs to resolve independently of the numbers of URLs within the spam.

<snip>

...Original discussion of this topic with the OP is in SpamCop Forum "thread" "Spamcop bugs."

[petzl]

There are other places and other techniques to deal with the spam website problem specifically if you want to go more in depth.

Yes if you actually find the end link where the "bot" sends you it's a good idea to send a complaint to the registrar

There is a program called complainterator which makes it easy, however I find them a bit "spammy" so use your free throwaway email account (Gmail is good) to register. I think they are a bit over-keen that's all, but they can be annoying. Use the link provided by SpamCop to point to evidence.

If you are going to track down websites by clicking spammers link. Make sure you have maximum protection

(check my signature)

Taking down the final spammers website hurts spammer but takes time. Usually the email link just takes you to a botnet (these IP's change every few minutes) that just redirects

[ohmniscient]

As you may already have gathered, the operators of SpamCop consider it their primary mission to pinpoint sources of spam mailings (to feed into the SpamCop Blocking List) more so than to identify websites used in spam.

I know, I read the FAQ. However, the system already provide this function so why not improve it? It resolves 5 URLs, why not limit to 5 from the whole bunch of URLs? It's better than nothing in my opinion.

One other obvious limitation is that SpamCop can't tell whether a given URL found in a spam message is part of the spam operation, or just happens to appear in the message (i.e., "noise" added by the spammer or others). This would be true in spades for a message containing a dozen or more links (I once got one that had over 80 links, of which only two were relevant to the spam). Humans are much better at this work than computer programs.

No problem. I can tell which URL is the target. Spamcop is always asking me who to report. An this example is an exception rather than a rule.

There are other places and other techniques to deal with the spam website problem specifically if you want to go more in depth.

I know, but I am thinking in a system for non-expert internet users, people that don't have too much time in front of the computer. When you increase the number of tools, softwares, links, the thing doesn't get feasible for us, unfortunately.

If you are going to track down websites by clicking spammers link. Make sure you have maximum protection

(check my signature)

To track down spammers websites has been quite easy for me... I have got them by using:

http://web-sniffer.net

I checked my security where you suggested. I'm safe, fortunately. =)

The last check did not complete because I'm not IE user.

thanks

[petzl]

To track down spammers websites has been quite easy for me... I have got them by using:

http://web-sniffer.net

I checked my security where you suggested. I'm safe, fortunately. =)

The last check did not complete because I'm not IE user.

The security site while very good is trying to sell you Norton

I use Google Chrome and it works for me, but doesn't recognise Virus updates which are always the very latest I use Microsoft's (free) Security Essentials (Windows 7 Firewall)

Before SpamCop had to sell up to Ironport (to stop it going under DOS attacks & Law suits) the ability to effectively track down URL's was being worked on by it's creator.

He was saying it would take a extra membership to make it viable as it would slow down the already overused Blocklist (spam Radar) reporting.

So if this is going to be done via the Web it will need financing which not many people are willing to front-up with cash.

So far the best for reporting Spammers Websites is Complainerator and is effective (use ones free throwaway email account like Gmail though) This is the most effective attack on a Spammer one can do.

Your link to http://web-sniffer.net is good to use to protect your computer from being compromised

[Farelf]

...To track down spammers websites has been quite easy for me... I have got them by using:

http://web-sniffer.net

Excellent. Another utility to use (without the 'arms-length' anonymity of a web-based utility but still quite safe IMO) is Steve Gibson's ID Serve. This is tiny (28k - written in Complier), independent of browser and fast. It can actually query any port (eg news.spamcop.net:119 or news://news.spamcop.net) but port 80 (HTTP) by default. A fast-flux bot-net hosted http://wk0.tabl-online.com discussed in another topic 'instantly' yields (amongst other information)

Location: http://www.discountmedstablets.net

[ohmniscient]

The ability to effectively track down URL's was being worked on by it's creator.

He was saying it would take a extra membership to make it viable as it would slow down the already overused Blocklist (spam Radar) reporting.

So if this is going to be done via the Web it will need financing which not many people are willing to front-up with cash.

So far the best for reporting Spammers Websites is Complainerator and is effective (use ones free throwaway email account like Gmail though) This is the most effective attack on a Spammer one can do.

Your link to http://web-sniffer.net is good to use to protect your computer from being compromised

Well... I tested the compainterator, but It seems a little primitive, a few problems happened (like it couldn't find the whois of one of the websites and I had to check by myself at robotex or some crazy stuff with the tabs of my firefox that made me write the body text manually!). I should say that I felt a little stupid asking a registrar to take down a domain bought by someone just because I got 1 spam.

This is why the best thing would be:

1. At every URL resolving, spamcop should copy the link in a list

2. From the list, it should get the http reader response and track the redirection:

example:

http://bedebtfreeblog.com/clod26.html
http://www.dentalalcudia.es/outrun27.html
http://194.38.172.24/fume66.html

for the 3 links, the header response is quite ridiculous:

<html><head><scri_pt>location = 'http://drugstore-menu.com:8080/';</scri_pt></head></html>

3. Then, it should list the URLs in the header responses (limit of 5).

4. Calculates how many spams redirects to the same domain in the last 24h and send a complete report to the registrar for those domains with higher number of spams.

It would be more effective in inhibiting spam and less overloading than sending single reports to the registrars of the botnets which mask the real spamvertised domains.

Actually, it wouldn't take too much lines of scri_pt from what the system already does.

The thing is, and it is hard to say, maybe they don't really want to stop spam as AV companies don't want to stop malware developing... It is business and it requires not solving the problem, as we are not going to find a cure for HIV and not going to change our energy source (that kills the earth) because it would break down someone else business.

[petzl]

Actually, it wouldn't take too much lines of scri_pt from what the system already does.

The thing is, and it is hard to say, maybe they don't really want to stop spam as AV companies don't want to stop malware developing... It is business and it requires not solving the problem, as we are not going to find a cure for HIV and not going to change our energy source (that kills the earth) because it would break down someone else business.

When SpamCop was independent and financed by member the problems were bandwidth and cash.

Free membership was increasing disproportionate to what could be afforded in the fight with spammers

Fact is our new owners (IMO) also are not interested in stopping spammers. Just effectively block them, which they are undoubtedly the best in the business at doing (my company buy their hardware and it's magnificent).

I doubt if there is any reason why our new owners (CISCO) would bother to provide the extra finance bandwidth or "SpamCop 2" software that would do what you suggest (I think the software is already written by SpamCops Creator?). Where is the profit?

I already see the SCBL has been turned down to almost off. I suspect the only value in continuing SpamCop reporting is that real people validate spam sent to spamtrap email addresses for CISCO. Although SpamCop does attempt to warn an ISP of a compromised computer, which for me is it's main strength

[ohmniscient]

When SpamCop was independent and financed by member the problems were bandwidth and cash.

Free membership was increasing disproportionate to what could be afforded in the fight with spammers

Fact is our new owners (IMO) also are not interested in stopping spammers. Just effectively block them, which they are undoubtedly the best in the business at doing (my company buy their hardware and it's magnificent).

Great explanation. Nothing to add to it. This is exactly how the thing works.