scbl all IPs


enigma1


Is there a method from spamcop.net that can retrieve whether or not an IP is reported even once? I think right now if I query bl.spamcop.net for an IP it uses only the weighted score method to return results. So an IP can be listed already but the weight threshold isn't reached yet.

Can we have an option or an entry to return back whether or not an IP is reported at all at the moment of a query? That doesn't mean a new IP is listed but the info can be used in other ways by mail servers.

TIA

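The lookup the opening post describes, as an added example that is not part of this thread and not SpamCop's own tooling: it builds the reversed-octet query name for bl.spamcop.net, maps the DNS answer to a verdict, and makes explicit why the zone cannot answer the question being asked (an IP that has been reported but is still under the listing threshold looks exactly like one that was never reported). The zone name and the 127.0.0.2 answer for a listed IP are SpamCop's published behaviour; the 127.0.0.0/8 check follows the RFC 5782 DNSBL convention. The resolver callback and the DEMO_TABLE of answers (TEST-NET-1 addresses) are assumptions constructed so the block runs offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

SCBL_ZONE = "bl.spamcop.net"
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")  # DNSBL answers live here (RFC 5782)


def dnsbl_query_name(ip: str, zone: str = SCBL_ZONE) -> str:
    """Reverse the octets and append the zone: 192.0.2.10 -> 10.2.0.192.bl.spamcop.net."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("the SCBL lists IPv4 addresses only: %s" % ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """A records for name via the OS resolver; [] stands for NXDOMAIN (not listed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def scbl_verdict(ip: str, resolve: Callable[[str], List[str]] = system_resolver) -> str:
    """Return 'listed', 'not_listed' or 'error'.

    The SCBL answers 127.0.0.2 for a listed IP and NXDOMAIN otherwise. There is
    no answer code meaning 'reported but under the listing threshold', so this
    query cannot distinguish a reported-but-unlisted IP from a never-reported one.
    An answer outside 127.0.0.0/8 is returned as 'error' rather than 'listed':
    a wildcarded or hijacked zone would otherwise list every IP and block all mail.
    """
    answers = resolve(dnsbl_query_name(ip))
    if not answers:
        return "not_listed"
    if all(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return "listed"
    return "error"


def fake_resolver(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Offline stand-in for system_resolver, backed by a fixed answer table."""
    return lambda name: table.get(name, [])


# Constructed answers for the demo (TEST-NET-1 addresses, not real SCBL data).
DEMO_TABLE = {
    "10.2.0.192.bl.spamcop.net": ["127.0.0.2"],     # listed
    "12.2.0.192.bl.spamcop.net": ["198.51.100.5"],  # bogus answer from a broken zone
}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, scbl_verdict(ip, fake_resolver(DEMO_TABLE)))
```

In an MTA, treat "error" like "not_listed" so that a broken or wildcarded zone fails open instead of rejecting every connection; log it separately so the outage is noticed.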

Paid reporters, and those include all email users, have that option. For instance, your IP address shows: No recent reports, no history available

If there has ever been activity, a link would have been available like: [report history]

We used to have access to more information for an indefinite length of time but spammers ruined that by using the info to game the system. We are limited to 90 days now.

Here is the information available from a report I sent this morning.

Report History: <<24 hours>> 48 hours Last week Last 30 days Last 90 days

--------------------------------------------------------------------------------

Submitted: Friday, August 06, 2010 07:18:26 -0400:

Thanks for planning your event with Evite •5124680078 ( 93.44.101.105 ) To: abuse[at]fastweb.it


My impression of the OP is that he is asking for a queryable DNS type service like the current bl.spamcop.net, but that returns a hit if there are ANY reports. If that is indeed the question you are asking, then the answer is No, there is currently no such service offered by spamcop, though it would certainly be handy for building a weighted spam filtering system.


If that is indeed the question you are asking

Yes it is.

but spammers ruined that by using the info to game the system

What's the difference with the current system then? If someone abuses the system he could set up 10 different accounts with spamcop, then use 10 different hosts and start cooking the scores of IPs.

But in the end it all comes down to the resolution of the report. If the ISP/Host submits records that prove the mails reported were forged the member is kicked isn't it?


Without giving too much away (I don't want people gaming it) we have a lot of ways to detect that kind of abuse. It happens very, very, very rarely.

If a member reports verifiably wanted/solicited e-mail, we do deal with that, yes.


Yes I understand there are ways to detect.

One of the reasons I asked though had to do with reporting methods. What I noticed was, if I kept reporting every single spam mail I got, the number of incoming spam significantly increased. And I couldn't see a point in reporting the same mail coming from the same IP multiple times in a short period of time other than generating traffic which at some point could impact my mail server (I also tried the hidden report mechanism but it did not change the number of incoming mails - at least in the period of a couple of days that I tried).

I then changed the scripts to check if the IP is listed in bl.spamcop.net and, if it is, I don't report it again. The problem with that is of course there is no way of telling when an IP will be removed and if the sender's system is still compromised or not. And giving out info about the current IP score has of course the problems you mentioned already.


If the IP is listed, please do report it! That resets the delisting clock, which is very valuable.


<snip>

What I noticed was, if I kept reporting every single spam mail I got, the number of incoming spam significantly increased.

...Lest anyone misinterpret this to mean that reporting spam caused you to receive more spam (something you did not say!), I'll repeat here the assertion from other SpamCop Forum "threads" that, while possible, it appears to be unlikely.
And I couldn't see a point reporting the same mail coming from the same IP multiple times in a short period of time other than generating traffic which at some point could impact my mail server....

<snip>

...If you are the only user reporting that IP address and there are no SpamCop spam traps being hit by the IP address then there is, indeed, no use in reporting [edit after initial post: except for what KMolloy noted, above]. However, if more than one user is reporting, then IIUC each report is adding to the calculation that determines whether an IP address gets onto the SCBL (see the article linked to by the link labeled "What is on the list?" in the SpamCop FAQ, a link to which appears near the top of each SpamCop Forum page).

It won't reset anything because it's the same mail. Perhaps it wasn't clear from my previous post, so here is what is happening.

The server is configured with a catch all so it retrieves every single mail that comes to a number of domains. Spambots do check the mail server by sending the same email to multiple addresses to the same server, including invalid addresses.

Server retrieves the same email from different mail accounts (same malware attachments, content etc)

Although not everything in the mail body is identical and of course the headers indicate a different recipient, it is the same source IP, same time stamp. So the server now has to send multiple emails, or I submit the form multiple times, with basically the same IP address. Nothing will reset, as the emails reported are from the same IP with almost identical time stamps.

reporting spam caused you to receive more spam

There is automation, for instance a spambot has access to reports because of course the spammer can set up the whois records so he will receive reports, isn't it? In this case the spambot knows who is reporting it, and also thinks that if a report came in for the address used, then it is "valid", and circulates yet another mail address about the same server which in reality is invalid.

It's very simple to try what I am saying, just setup a mail server with the following.

1. Use the catch all mail function

2. Report every spam email regardless if the incoming email address is valid or not.

You should notice the incoming mail increase I mentioned within few days. You will also notice spam coming in, using "new" email accounts over time.

The other case is configuring the account as a mole. Ok, in this case the spambot may not have info from the logs but it has access to the various IP databases and other sites including senderbase, and it knows the addresses used to send out spam (it sent them after all) and can calculate what was reported and what the current status of an IP is (current mail volume etc).

And I haven't gone as far as I would like with the code to filter out duplicates yet and report incoming email based on ips once, even if it is listed. There is a number of factors that I need to setup with the filtering code and it is not trivial. And currently the only information I use for reference is the bl.spamcop.net, the reason I asked if there is any other info available from the queries. If there was timer info in one of the queries then I could use it easily and filter out duplicates without complex coding.

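The catch-all duplicate problem laid out in the post above (one spam run delivered to jim@ and phil@ from the same source IP within the same second, with only the recipient and per-copy tokens differing, and the wish to report each source once without a listing-status or timer query), as an added example that is not the poster's script and not anything from SpamCop: a filter that keys on the peer IP taken from our own MTA's Received: line plus a body fingerprint with the recipient-specific parts blanked, reports the first copy inside a window, skips the further catch-all copies, and still reports the same body when it arrives from a different IP or after the window has passed. The Postfix-style Received: layout, the example.com and .invalid names, and the four sample messages are constructed assumptions for the demo, not captured mail.

```python
import email
import hashlib
import re
from datetime import timedelta
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime
from typing import List, Tuple

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw: str) -> EmailMessage:
    return email.message_from_string(raw, policy=policy.default)


def delivering_hop(msg: EmailMessage):
    """(peer IP, receive time) from the Received: line our own MTA prepended.

    Assumes, as Postfix and sendmail do, that our MTA writes the first Received:
    header, puts the connecting peer's address in [brackets] and ends the line
    with '; <date>'. Earlier Received: lines and the Date: header are written by
    the sender and are forgeable, so they are never used here.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    top = str(received[0])
    m = IP_IN_BRACKETS.search(top)
    when = parsedate_to_datetime(top.rsplit(";", 1)[-1].strip())
    return (m.group(1) if m else None), when


def body_fingerprint(msg: EmailMessage) -> str:
    """Hash of the body with the per-copy variation removed: catch-all copies of
    one spam differ only in the recipient address and per-recipient tracking
    numbers, so both are blanked before hashing."""
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    text = re.sub(r"\S+@\S+", "<addr>", text)   # recipient address in the body
    text = re.sub(r"\d{4,}", "#", text)         # tracking / unsubscribe numbers
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


class DuplicateFilter:
    """Report the first copy per (source IP, body fingerprint) within a window.

    A second copy from the same IP inside the window is a catch-all duplicate
    and is skipped; the same body from another IP, or from the same IP after
    the window expires, is a new instance and is reported again.
    """

    def __init__(self, window: timedelta = timedelta(hours=1)):
        self.window = window
        self.first_seen = {}  # (ip, fingerprint) -> receive time of the reported copy

    def should_report(self, msg: EmailMessage) -> Tuple[bool, str]:
        ip, when = delivering_hop(msg)
        if ip is None or when is None:
            return False, "no-trusted-received-line"
        key = (ip, body_fingerprint(msg))
        seen = self.first_seen.get(key)
        if seen is not None and when - seen <= self.window:
            return False, "duplicate"
        self.first_seen[key] = when
        return True, "first-copy"


def triage(raws: List[str], window: timedelta = timedelta(hours=1)) -> List[Tuple[bool, str]]:
    """Run a fresh filter over raw messages in arrival order."""
    f = DuplicateFilter(window)
    return [f.should_report(parse(r)) for r in raws]


def _spam(peer_ip: str, rcpt: str, received_at: str, token: str) -> str:
    """Constructed catch-all delivery of one spam copy (sample input, not real mail)."""
    return (
        "Received: from mail.invalid (unknown [" + peer_ip + "])\n"
        "\tby mx.example.com (Postfix) with ESMTP id 4D2F1\n"
        "\tfor <" + rcpt + ">; " + received_at + "\n"
        "Delivered-To: " + rcpt + "\n"
        "From: Pharmacy <promo@mail.invalid>\n"
        "To: " + rcpt + "\n"
        "Subject: Online Canada Pharmacy-Store\n"
        "Message-ID: <" + token + "@mail.invalid>\n"
        "Date: Fri, 06 Aug 2010 07:18:00 -0400\n"
        "\n"
        "Hello " + rcpt + ", your code is " + token + ". Shop at http://shop.invalid/?u=" + token + "\n"
    )


SAMPLES = [
    _spam("192.0.2.10", "jim@example.com", "Fri, 06 Aug 2010 07:18:26 -0400", "4471029381"),
    _spam("192.0.2.10", "phil@example.com", "Fri, 06 Aug 2010 07:18:27 -0400", "8837104429"),
    _spam("192.0.2.20", "jim@example.com", "Fri, 06 Aug 2010 07:19:02 -0400", "2201938465"),
    _spam("192.0.2.10", "jim@example.com", "Fri, 06 Aug 2010 09:40:11 -0400", "7765210934"),
]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLES, triage(SAMPLES)):
        print(delivering_hop(parse(raw))[0], verdict)
```

The window is the trade-off: every copy skipped as a duplicate is one the SCBL never counts, so keep it short and log the skipped copies so the filter can be audited. Hooking the filter in front of the reporting script is enough; it needs no listing status or timer information from the DNS query.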

The incoming e-mail address has no bearing; spammers spoof it and bcc the correct e-mail so you don't see it (blind carbon copy). Most of the spam I get is not even addressed to me, but more often than not my e-mail address is spoofed in the sender, not the recipient. I, as many here, think the ups and downs in spam flow are coincidental and don't correlate with anything! It is mathematically impossible to keep track of millions of spam e-mails sent by bots (randomly and based on very large lists); spammers don't have the resources to do it. That is my opinion; of course I can't discount the possibility you raise, but after many years of reporting on a regular basis I simply came to that conclusion on my own.


What I noticed was, if I kept reporting every single spam mail I got, the number of incoming spam significantly increased.

Your observation has been made here before. There are long threads in the archives on "report or not report" and "munged or not..." if you do a search on knob.com/spam you will find several old threads. At that time the volume of spam I got, reported or not, tracked the volume reported to spamcop which followed the general estimates of spam in the world.

Two asides:

1) It is myopic to think that spammers care about "you" as an individual. If they did why would I get spam for breast enhancements? Why would my daughter working overseas get ED spam? Why would a spam reporter get any spam at all? Why would anyone send spam to postmaster[at]..

2) If your volume of spam goes up when you report and you continue to report all the increase, your volume of spam should increase geometrically, not just follow the general long term trend upward.

3) When people start reporting spam they pay more attention to their spam (reporting takes more effort/time than just deleting). So whether you actually count it or not you notice the gradual increase over time.

And I couldn't see a point reporting the same mail coming from the same IP multiple times in a short period of time

Just as a matter of definition, two emails coming from the same IP with different message-IDs are not the same spam. Each copy sent/that you receive clutters your inbox just as much and taxes the internet resources just as much, whether the body and subject are the same or different, whether the source is the same or different. Currently there are 23 new "Online Canada ~Pharmacy-Store" spam in my inbox, all from the same forged FROM with the same TO (this time; often I will get several to each of my addresses). What difference does it make (to me) where they really came from? Besides, reporting them all will either add to the count for 23 sources or add 23 to the count of one source, or somewhere in between.

I then changed the scripts to check if the IP is listed in and if it is in bl.spamcop.net I don't report it again. The problem with that is of course there is no way of telling when an IP will be removed and if the sender's system is still compromised or not.

That has been addressed, I see. If you got a spam, they still haven't gotten it fixed and should remain on the BL, not have a window opened for them.

and bcc the correct e-mail so you don't see it

Sorry I don't follow, what do you mean I don't see it? I have access to a server so every email comes through it. There isn't anything in-between. To give you an example, say you own example.com and you setup 2 email accounts.

joe[at]example.com

admin[at]example.com

You retrieve regular mail as it comes through these 2 accounts only. Let's say there isn't any spam there. Then you enable the catch all on the mail server. You start getting email on:

jim[at]example.com

phil[at]example.com

which do not exist.

The mail headers indicate the delivery was indeed on jim[at]example.com and phil[at]example.com because pretty much the Delivered-To: header says that, and an email arrived on both at the same time but with different headers.

So the bcc has to happen on these 2 invalid accounts, as neither joe nor admin got anything. Now why would some spambots send mail to invalid accounts? There are various reasons, among them: to see if the server bounces mail without the end user ever noticing; if they can forge the headers and bounce emails to other victims, no need for others to know; if the mail content is logged someplace they can see it perhaps later on; etc.

My opinion is, if you have a good system in place without false positives in terms of reporting and you can afford the required resources, enable the catch all and report spam that comes through. Compromised systems can be identified much faster than using just the regular accounts.


It is myopic to think that spammers care about "you" as an individual

Never said that. Surely they don't care about me as a person. But they do care about resources at my disposal. And if they can have my server doing stuff in their favor, that's a plus for them. They're after another server or box to compromise.

when you report and you continue to report all the increase your volume of spam should increase geometrically

It did increase dramatically, from dozens of mails to hundreds of mails within a few days. I cannot tell what will happen in the future, but that is what I noticed.

If you got a spam they still haven't gotten it fixed and should remain on the bl. not have a window opened for them.

It's a matter of available resources. I cannot blindly file reports. Every mail that comes through is examined before reporting; at least I have to read the subject, to make sure it isn't some foul attempt to opt in to a newsletter or some email processing of a legit site, even if it comes to invalid mailboxes. So there is a difference between checking a handful of emails that manage to come through vs hundreds every day.

And yes I understand the problem with the window of opportunity that's what I am trying to figure out how to realistically setup the scripts for identification.

PS: Some ideas that come to mind about your question of item-1:

They can send to the postmaster to see if he opens the mail or not. Opening the mail can pull in external resources; an <img src=...> tag, for instance, is sufficient for them to know if you accessed the mail or not. They can try to infiltrate your box with scripts if the mail viewer automatically runs them, or find people who are curious/upset at getting emails and retaliate, call a number, visit a link or try to access a site with a browser, as they may have set up other scripts to try and compromise your box. Plus they do look for people who are ignorant enough to fall for fraud. They can use the fact you submit a report, if they have access to the logs and verify the mailbox, to sell another "mailing list" to others. There is an endless list of "applications".


It won't reset anything because it's the same mail. Perhaps it wasn't clear from my previous post, so here is what is happening.

Although not everything in the mail body is identical and of course the headers indicate a different recipient, it is the same source IP, same time stamp. So the server now has to send multiple emails, or I submit the form multiple times, with basically the same IP address. Nothing will reset, as the emails reported are from the same IP with almost identical time stamps.

What is the SpamCop Blocking List (SCBL)? includes a lot of descriptive data. Way back when, there was a threshold, something like 2 to 3% ratio of bad to good e-mail for a listing, now it's a whole lot more complicated. However, 'quantity' is still an important variable in the listing/de-listing equation. You suggest getting say a dozen spam e-mails, but you only Report one of them. Those eleven e-mails not Reported serve to increase the 'good' side of the ratio, thus aiding either not listing or speeding up the de-listing of the IP Address involved.


If the IP is listed, please do report it! That resets the delisting clock, which is very valuable.
It won't reset anything because it's the same mail.

<snip>

...No offense intended, enigma, but I'm going with kmolloy on this one because, as a SpamCop employee, she knows a good deal more than you or I ever could (unless we joined SpamCop and learned more) about how SpamCop works. :) <g>
reporting spam caused you to receive more spam
There is automation, for instance a spambot has access to reports because of course the spammer can setup the whois records so he will receive reports isn't it?
...But the spammer already has your e-mail address! IIUC adding a mechanism to find out who reported her/him adds little to her/his knowledge, only that the spam was reported by one of the (likely thousands or millions) victims (the report includes no identifying information about the person reporting it, unless it was in the body of the spam and not caught by the parser).
In this case the spambot knows who is reporting it, and also thinks that if a report came in for the address used, then it is "valid", and circulates yet another mail address about the same server which in reality is invalid.
...IM (and others') HO, it is unlikely that spammers care all that much. They send thousands or millions (billions?) of spam; whether one or a few specific victim e-mail addresses is/are valid is of little value. Buyers of e-mail lists are buying thousands or millions of addresses, so same argument.
It's very simple to try what I am saying, just setup a mail server with the following.

1. Use the catch all mail function

2. Report every spam email regardless if the incoming email address is valid or not.

<snip>

...If the invalid addresses were valid, it would obviously be appropriate for each of the victims to report the spam individually; IMHO, it is therefore appropriate (although you are not under any obligation to do so, if you do not wish) to report each instance of an invalid address.

You suggest getting say a dozen spam e-mails, but you only Report one of them

By no means am I suggesting it as a solution. It's what I currently have my system set up to do.

So if I set up a storage medium to record mail coming in from listed IPs and get it reported, then it has to be fully automated. And I am thinking about the side effects. If something goes wrong I may not detect it till it's too late.


unless it was in the body of the spam and not caught by the parser

That for sure is happening. And I don't see a way to setup a parser identifying encoded keywords or phrases. Also don't rule out headers. The recorded reports may contain all kinds of identification strings with the headers, subject, receive from, secondary headers etc which can be encoded in a way to identify who's the recipient.

...only that the spam was reported by one of the (likely thousands or millions) victims

Yes, but they're distributing the same mail over different IPs to keep them under the radar. So it doesn't matter if you and I report the same spam mail content; if the IPs send out just a few mails they may not be enough to trigger a listing. And the 48hrs threshold period should have been kept secret IMO. Or at least be in conjunction with other factors.


Its matter of available resources. I cannot blindly file reports. Every mail that comes through is examined before reporting, at least I have to read the subject, to make sure it isn't some foul attempt to opt-in to a newsletter or some email processing of a legit site even if it comes to invalid mailboxes. So there is a difference checking a handful of emails that manage to come through, vs hundreds every day.

It sounds like you may qualify for a spamtrap, which would free you from having to report. If you send mail to deputies[at]spamcop.net and reference this conversation, I'll be happy to look into it for you.


That for sure is happening. And I don't see a way to setup a parser identifying encoded keywords or phrases. Also don't rule out headers. The recorded reports may contain all kinds of identification strings with the headers, subject, receive from, secondary headers etc which can be encoded in a way to identify who's the recipient.

Yes, but they're distributing the same mail over different IPs to keep them under the radar. So it doesn't matter if you and I report the same spam mail content; if the IPs send out just a few mails they may not be enough to trigger a listing. And the 48hrs threshold period should have been kept secret IMO. Or at least be in conjunction with other factors.

Oh, I forgot to mention this too, but yes, they are spreading out mail over many IPs. It's called snowshoeing. The SCBL can detect that too, but more reports are better.


Archived

This topic is now archived and is closed to further replies.
