Spammer using assorted random domain names to avoid reporting

[MisterBill]

I've started getting Viagra spam at multiple addresses at my private domain which have clearly been stolen from other sites. Making things worse, the sleazy spammer is using multiple random first level names on their domain (example: http://lpijuxl.domcitystr.com), so Spamcop stops looking at URLs after the first 25 and does not report any of them! I tried playing with it and changed a bunch of the URLs to be the same and it was going to report to:

spam[at]ccert.edu.cn

anti-spam[at]mail.sxptt.zj.cn

abuse#anti-spam.cn[at]devnull.spamcop.net

What can be done to fix Spamcop so it can't get tricked by spammers like this and DOES report? Granted, reporting to this site is not likely to result in the spammer being stopped, but it would be nice to have it sent so it can be tracked. I wonder if the spammer is actually doing this to break Spamcop, or for another reason.

Here is the spam with my domain and forwarding email at my ISP x'ed out:

Admn Edit: entire spam posting removed. Things like this is why the use of a Tracking URL is requested.

[Wazoo]

What can be done to fix Spamcop so it can't get tricked by spammers like this and DOES report? Granted, reporting to this site is not likely to result in the spammer being stopped, but it would be nice to have it sent so it can be tracked. I wonder if the spammer is actually doing this to break Spamcop, or for another reason.

The lack of a Tracking URL prevents trying to probide a specific answer in this case. The ussie of non-resolving URLs has been around forever and it's because there are som nay reasons that can cause it to happen. Your "first-level" description is actually what most folks and RFX's call sub-domains. Failure to resolve them can be caused by many, naby issues .. the sub-domain may not actually exist (at the actual moment, perhaps never did, perhaps never will) theere may be DNS tricks involved, i.e. blocking lookups of fast-flux ... could be that the spammer was working towards the magic 'too many link' body count .... on and on. Again, please provide a Tracking URL if you want something specific.

[MisterBill]

Sorry, I did not want to post the URL because I thought that it would have my actual email address in the source, but I see that it's x'ed out. This is not the link for the email that I posted above, but it is a similar one (turns out they were using several different domains, I discovered this when processing the rest of the spam I had received).

http://www.spamcop.net/sc?id=z4993364257z6...9710e86d3c2b5fz

And the issue is not that some of the domain names are not valid and cannot be resolved -- it's that Spamcop doesn't even try because there are more than 25 in the email, so it stops processing any of them. It seems like a really simple way for a spammer to avoid getting their domains reported. Just overload Spamcop with a bunch of different hosts, and none get reported.

[turetzsr]

<snip>

And the issue is not that some of the domain names are not valid and cannot be resolved -- it's that Spamcop doesn't even try because there are more than 25 in the email, so it stops processing any of them. It seems like a really simple way for a spammer to avoid getting their domains reported. Just overload Spamcop with a bunch of different hosts, and none get reported.

...Not to worry, reporting 'spamvertized' URLs is just "cream" (when it works) -- the SpamCop parser's principal goal is to identify the spam (e-mail) source. If you feel it important to report spamvertized links, I would recommend a different tool, such as Complainterator.

[MisterBill]

...Not to worry, reporting 'spamvertized' URLs is just "cream" (when it works) -- the SpamCop parser's principal goal is to identify the spam (e-mail) source. If you feel it important to report spamvertized links, I would recommend a different tool, such as Complainterator.

Well, given that the emails seemed to come from different locations, I assume they were being sent by zombie machines, which made the mail origin not very useful, either.

[turetzsr]

...Reporting the actual spam source, zombied or not, should be useful in the sense that it will contribute to adding the zombied machine to the blacklist and alerting the "responsible" admins that there's a problem with the machine.

[SpamCopAdmin]

Please do NOT alter the URLs or anything else in the spam. That is a HUGE taboo with us.

I recommend simply deleting a bunch of the URLs before submitting the spam for processing.

- Don D'Minion - SpamCop Admin -

- service[at]admin.spamcop.net -

.

[MisterBill]

Please do NOT alter the URLs or anything else in the spam. That is a HUGE taboo with us.

I recommend simply deleting a bunch of the URLs before submitting the spam for processing.

I had not thought of deleting lines, but how is doing that any different than changing the URL to be the same domain as others already in the email? Either way, the mail has been doctored. It's not like I am adding new domains to be reported, so the result is the same as deleting the lines.

[turetzsr]

...For something of an explanation, please see Farelf's reply in SpamCop Forum "thread" "Parser fooled by < p > tags at end of URL", especially the third paragraph.

[MisterBill]

...For something of an explanation, please see Farelf's reply in SpamCop Forum "thread" "Parser fooled by < p > tags at end of URL", especially the third paragraph.

Thanks. But once again, it appears that deleting lines is just as bad as changing URL's. So I don't understand why that was suggested as an acceptable solution.

[turetzsr]

<snip>

But once again, it appears that deleting lines is just as bad as changing URL's. So I don't understand why that was suggested as an acceptable solution.

...It may have to do with the fact that "fixing" the URLs adds addresses that the SpamCop parser wouldn't otherwise find whereas deletes do not change the results of the parse in terms of reports sent to abuse e-mail addresses. Not being a SpamCop employee, I can't say for certain.

[MisterBill]

...It may have to do with the fact that "fixing" the URLs adds addresses that the SpamCop parser wouldn't otherwise find whereas deletes do not change the results of the parse in terms of reports sent to abuse e-mail addresses. Not being a SpamCop employee, I can't say for certain.

Not to belabor the point, but the net result was the same. Changing the URL's so that enough of them were alike or deleting a bunch, both reduced the count of URL's to allow Spamcop to report on a number it considers acceptable. In both cases it changed the behavior of Spamcop because it would not have reported any URL's otherwise.

[turetzsr]

<snip>

In both cases it changed the behavior of Spamcop because it would not have reported any URL's otherwise.

...Quite true and I see your point, but you're looking at this from your perspective rather than from SpamCop's. My supposition is that the prohibition against changes to the headers or bodies of spam submitted to the parser involves the relationship between SpamCop and those to whom SpamCop (on your behalf) are reporting spam and/ or spamvertizing. Apparently the SpamCop folks are willing to defend truncation of a part of the spam body but not changes. That seems understandable to me, as it is (or, at least, could be) very difficult for others to see that the "fixes" you made ended up with a result identical to what would have happened if you had only deleted.