
Very poor Spamcop stop rates


I have a Spamcop report-only account.

The last month or so, I've seen very poor performance by Spamcop. I now routinely see 1-3 messages per day on the Held Mail page. Meanwhile, it lets through 15-25 spam a day. A week ago or so, I began reporting them individually, (forwarding the messages returns an error) but that does not seem to have helped Spamcop recognize the spam.

They appear to mostly come in pairs. I'll see two with similar subjects and senders about reverse mortgage. Then two about Oz weight loss. Etc. So, most of them appear to be coming from the same one or two machines. If there were some way to figure out where they're coming from and flat blacklist those machines, it would be ideal.

For example:

http://www.spamcop.net/sc?track=http%3A%2F...FABMS2917673145

http://www.spamcop.net/sc?track=http%3A%2F...CLJVN2860667430

So, has there been a change in Spamcop or in spam that has greatly affected recognition of spam?

Thanks,

Drake


Hi Drake,

I'm confused about the 'report-only account'. I think you established a couple of years ago that you had a combined account (e-mail and reporting) at that time. Your use now of the term 'Held Mail' and your expectation that SC should arbitrate what goes there is something one would usually associate with the SC webmail. What mail client are you talking of and how does SC come into the picture?

I have heard recently (other places) some complaint against the Thunderbird client for 'suddenly' missing a lot of spam and suggestion of changes in either the nature of the spam or in the effectiveness of that client's Bayesian filtering. Your comment that forwarding spam (to SC) produces an error deserves some attention too.

Perhaps it would be best if you could at least provide a Tracking URL of an example of your problem spam, also the error message you get when trying to forward if you want to follow-up on that. Networks are increasingly active in suppressing the transit of spam, though that is counter-productive to the sending of samples for anti-spam measures - but if you are getting a SC error that is not a current concern for you, from the sounds of it, simply the format of the forwarding.

SC concentrates on the spam source (sending server), not on the 'payload' as I think you appreciate. It has to be said that the SCbl is not going to be particularly effective in blocking messages originating from widely-distributed, relatively low-volume botnets. User-level filtering, utilising something like the SC mail system (and/or MailWasher) in conjunction with a suite of RBLs should offer some prospect of relief if Bayesian/context filtering doesn't do the trick unaided. Not sure if that can be extended to the use of other BLs such as URIBL and SURBL which DO focus on spam websites (others may be able to say).

Sorry to be a pain, but I think "we" need more information - unless I am missing something?

Steve


I appreciate the quick and informative response.

I guess I'm not certain of the nomenclature. I have a fairly old Spamcop account (More than 10 years, I think.) I have it set up so that mail sent to my publicly known address is auto-redirected to Spamcop. Spamcop filters the email and sends what it thinks is good email to a "clean" email address that I never give out. It holds the spam, and I log into Spamcop every day or so and check the "Held mail" for false positives (very rare,) and report the rest.

So, my email client doesn't come into the picture. All this is done at the server level, prior to ever getting to my email client.

That portion all works, in the sense that there are no errors. But, the success rate of blocking spam has gone from 90+% to less than 20%. It was a sudden change, maybe 4-6 weeks ago. From your description, it sounds like my email address may have made it onto a couple of related botnets. That would explain why I get the frequently related spams.

I have looked into Bayesian filters in the past. In fact, I was using one for a while, though I can't come up with the name right now. I think it had an octopus for a logo :-) Anyway, the Spamcop filtering has been adequate for so long, that when I reinstalled Windows one time I didn't bother putting that filter back in. That's also when I got in the habit of doing the vast majority of my email through a webmail client on my server.

I'm using roundcube for my client. Because of this recent increase in spam leaking through, I have tried to forward some of them to the Spamcop reporting address that appears on the Report spam tab. Apparently, I haven't kept any of the rejection emails I've gotten, so I can't give you the precise error message. And, I don't happen to have any spam in my inbox at the moment. I'll follow up with that tomorrow.

I thought I had included a couple of tracking URLs in my original post. Were those not the correct links?

Drake


I appreciate the quick and informative response.

I thought I had included a couple of tracking URLs in my original post. Were those not the correct links?

Drake

You did, they just don't make sense; something's wrong?

It's only reporting the spamvertised URL, no headers?

Here's a track of my own

http://www.spamcop.net/sc?id=z5883721337z2...160a30d3f5dab3z


<snip>

I have a fairly old Spamcop account (More than 10 years, I think.) I have it set up so that mail sent to my publicly known address is auto-redirected to Spamcop. Spamcop filters the email and sends what it thinks is good email to a "clean" email address that I never give out. It holds the spam, and I log into Spamcop every day or so and check the "Held mail" for false positives (very rare,) and report the rest.

<snip>

...That very much sounds like the "SpamCop e-mail system," not the SpamCop Reporting capability, so I have taken the liberty of moving this discussion from the "SpamCop Reporting Help" Forum to the "SpamCop Email System & Accounts" Forum.

Thanks for all of that Drake. I believe quite a few members use SC the same way as yourself and should be able to chip in with some informed opinion/ideas to assist.

In the meantime - those are old-fashioned, 'straight-up' spam (not botnet) and I can see no reason it shouldn't be entirely feasible to keep those 'messages' out of your intray. For instance the zen.spamhaus.org RBL would catch that stuff every time and I think you can add that lookup to your SC filters? It is a little surprising that the SCbl has not caught them at the time - can only mean not enough members are reporting them or that they are just a little too nippy in changing servers when they spew their stuff.

S


Thanks for all of that Drake. I believe quite a few members use SC the same way as yourself and should be able to chip in with some informed opinion/ideas to assist.

[snip]

Yes, it's spam from a spam-friendly USA host. TURN THE HEAT UP ON COMPLAINT!

You need to go to your trash folder and Forward as Attachment to BOTH

abuse[at]serverhub.com AND spam[at]uce.gov

(Just select message and click Forward)

In message body include

SPAMCOP TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z5883582630za...41abd4dbb2b2cez

173.232.40.185 (Administrator of network where email originates)

Previous abuse reports

Submitted: Saturday, 26 April 2014 9:40:05 AM +1000:

FHA Reverse-Mortgage for retired seniors

6122629913 ( http://www.dulelfingo.com/unsPAQT4107CWFKOJ102M... ) To: spamcop[at]serverhub.com

6122629912 ( 173.232.40.185 ) To: spamcop[at]serverhub.com

Submitted: Thursday, 17 April 2014 1:47:19 AM +1000:

[spam 9.3] Retirees- Get cash-payouts for your home's value

6117417219 ( http://www.dulelfingo.com/unsI3655EN102VAVN/539... ) To: spamcop[at]serverhub.com

6117417218 ( 173.232.40.185 ) To: spamcop[at]serverhub.com

Submitted: Thursday, 17 April 2014 1:40:13 AM +1000:

Retirees- Get cash-payouts for your home's value

6117413071 ( http://www.dulelfingo.com/unsA3655GJ102GYYY/539... ) To: spamcop[at]serverhub.com

6117413070 ( 173.232.40.185 ) To: spamcop[at]serverhub.com

Submitted: Friday, 11 April 2014 6:26:08 AM +1000:

Is your next a date a criminal?

6114011517 ( http://www.dulelfingo.com/unsLCTNI3379UU100CPRF... ) To: spamcop[at]serverhub.com

6114011516 ( 173.232.40.185 ) To: spamcop[at]serverhub.com

Submitted: Friday, 11 April 2014 6:26:06 AM +1000:

Is your next a date a criminal?

6114011577 ( http://www.dulelfingo.com/unsLCTNI3379UU100CPRF... ) To: spamcop[at]serverhub.com

6114011576 ( 173.232.40.185 ) To: spamcop[at]serverhub.com

Submitted: Friday, 11 April 2014 6:26:05 AM +1000:

Is your next a date a criminal?

6114011596 ( http://www.dulelfingo.com/unsLCTNI3379UU100CPRF... ) To: spamcop[at]serverhub.com

6114011595 ( 173.232.40.185 ) To: spamcop[at]serverhub.com

Submitted: Friday, 11 April 2014 4:21:07 AM +1000:

Is your next a date a criminal?

6113948397 ( http://affiliate.cpaftrck.com/oo/oo.php?sid=247... ) To: spamcopabuse[at]webhosting.net

6113948379 ( http://www.dulelfingo.com/l/lt1IEVA3379JSLE100Y... ) To: spamcop[at]serverhub.com

6113948378 ( 173.232.40.185 ) To: spamcop[at]serverhub.com


How can Drake catch more of these in his Held folder petzl? They are mostly leaking through. Can the zen.spamhaus.org RBL easily be added to the SC filters in his account? Other ways? Ta.


How can Drake catch more of these in his Held folder petzl? They are mostly leaking through. Can the zen.spamhaus.org RBL easily be added to the SC filters in his account? Other ways? Ta.

If Drake's blacklist filters are all checked it should not go to his inbox?

173.232.40.185 is listed in sbl.spamhaus.org

http://www.spamhaus.org/query/bl?ip=173.232.40.185

I'm finding that since the owner of SpamCop email disappeared a lot of the blacklists selected don't now work?

I use whitelist email only followed up by "mail washer", this suits me because I'm a low volume user doubt if it's suitable for high volume users?

My main email is now Gmail but don't like its security implications of them gleaning my information then making that information public domain (which they have done to me without any warning)!

That said they are expert in sorting spam from ham.

You need to use PGP for confidentiality Gmail read all emails coming and going and are good at it!

As I have to check my held folder "gunking" it up with spam that gets through because spamcop email's Greylist is not doing its job. Seems to come and go so there is something happening where Greylisting is not challenging straight to MX spam (I watch the pending mail but it *IS* often bypassing the challenge)

Slowed down but these 2 passed Botnet attack hosts stamped "blacklist"? I suspect stamped by greylist instead of bitbinning it?

http://www.spamcop.net/sc?id=z5883868379z1...081cb023886942z

http://www.spamcop.net/sc?id=z5883721337z2...160a30d3f5dab3z

Been using SpamCop Email since it began (before Cesmail) looks like it's going/gone the way of the dinosaur


In the meantime - those are old-fashioned, 'straight-up' spam (not botnet) and I can see no reason it shouldn't be entirely feasible to keep those 'messages' out of your intray. For instance the zen.spamhaus.org RBL would catch that stuff every time and I think you can add that lookup to your SC filters? It is a little surprising that the SCbl has not caught them at the time - can only mean not enough members are reporting them or that they are just a little too nippy in changing servers when they spew their stuff.

In the "Blacklists" settings for CESMail accounts, here are the Spamhaus options:

sbl.spamhaus.org

xbl.spamhaus.org

pbl.spamhaus.org

but not "zen." Regarding the SCbl, having that selected in the "Blacklists" setting used to redirect messages from SCbl-listed IPs to Held, but it has not done so for me for many months--I think something is broken, at least when mail is auto-forwarded to a CESMail mailbox from other sources (which is the way I've always used mine).

DT
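Added example, not part of any post in this thread: how a lookup against the Spamhaus zones named above is formed for the IP discussed earlier (173.232.40.185), and how the answers are read. The return-code table follows Spamhaus's published DNSBL documentation; the function names are hypothetical and the sample answers are constructed.

```python
import ipaddress
import socket

# Spamhaus return codes. zen.spamhaus.org combines SBL, XBL and PBL,
# so one zen query replaces the three separate lookups.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS", "127.0.0.9": "SBL-DROP",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL",
    "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}
# Answers in 127.255.255.0/24 are error signals, NOT listings. A filter
# that treats any answer as "listed" will misfire on these.
ZEN_ERRORS = {
    "127.255.255.252": "typo in DNSBL zone name",
    "127.255.255.254": "query came through a public/open resolver",
    "127.255.255.255": "excessive query volume",
}

def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the address and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    rev = ipaddress.ip_address(ip).reverse_pointer
    rev = rev.rsplit(".", 2)[0]  # drop the "in-addr.arpa" / "ip6.arpa" suffix
    return f"{rev}.{zone}"

def interpret(answers):
    """Turn the A records returned for a DNSBL query into a verdict."""
    verdict = {"listed": False, "lists": [], "errors": []}
    for addr in answers:
        if addr in ZEN_ERRORS:
            verdict["errors"].append(ZEN_ERRORS[addr])
        elif addr in ZEN_CODES:
            verdict["listed"] = True
            if ZEN_CODES[addr] not in verdict["lists"]:
                verdict["lists"].append(ZEN_CODES[addr])
        else:
            verdict["errors"].append(f"unexpected answer {addr}")
    return verdict

def lookup(ip, zone="zen.spamhaus.org"):
    """Live lookup (needs DNS). A resolver failure, including NXDOMAIN
    (the normal 'not listed' answer), yields an empty verdict."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return interpret([])
    return interpret(addrs)

if __name__ == "__main__":
    print(dnsbl_query_name("173.232.40.185"))
    # Constructed answers, so the demo runs without network access.
    print(interpret(["127.0.0.2"]))        # an SBL listing
    print(interpret(["127.255.255.254"]))  # blocked resolver, not a listing
    print(interpret([]))                   # NXDOMAIN: not listed
```

An error answer leaves `listed` false and records the reason in `errors`, so a lookup that is silently failing can be told apart from an IP that is simply not listed.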


Thanks everyone, I really appreciate all the help.

I'm about to walk out the door, so I've only had a chance to skim today's posts. I'll be back in a few hours and I'll try out the suggestions. I'll let you know if I have any questions. And, I'll make it a point to report back in a coupla days if they do appear to be effective.

Drake


For some time it’s been "seeming" to me like spamcop hasn’t been filtering all that much. After reading this message I cleaned out held mail and waited a few hours. The result: 8 new spams in my Thunderbird junk folder. Zero in Spamcop Held mail. Of course a few hours is not much of a test and Sundays seem generally slow for spam anyway.

My black lists haven’t changed in years and are:

SpamCop Blacklist

Spamhaus Blacklist

Nigeria

Are other blacklists better?


Okay. I logged into the Spamcop webmail. I don't think I've ever logged in there.

I found where to check those blacklists. So, you're saying that those are checked for email that's auto-forwarded on through, and doesn't end up in the Spamcop webmail?

Drake


Okay. I logged into the Spamcop webmail. I don't think I've ever logged in there.

I found where to check those blacklists. So, you're saying that those are checked for email that's auto-forwarded on through, and doesn't end up in the Spamcop webmail?

Drake

Checking all the blacklists should help (spam Assassin set to 5) then click submit

See Image here of Set-Up

You need to check VER (Held Mail) via your browser often

http://mailsc.spamcop.net/reportheld?action=heldlog


Checking all the blacklists should help (spam Assassin set to 5) then click submit

See Image here of Set-Up

You need to check VER (Held Mail) via your browser often

http://mailsc.spamcop.net/reportheld?action=heldlog

As I said, I'm not using the Spamcop webmail system, so I don't think Spamassassin applies.

Changing the blacklist checkboxes did not appear to change the behavior, much. So far today, it has stopped 3 messages and let 13 through.

Drake


spam Assassin applies even when not using Web mail. In fact, my total since I started counting yesterday is:

8 Spams in Held mail due to a spam Assassin score of 5 or more.

2 Spams in Held mail due to sbl.spamhaus.org

(no other block lists mentioned in held mail)

47 Spams caught by Thunderbird as Junk

1 got through to my inbox.


Okay. I just checked, and Spamassassin has been selected all along and is at level 5.

Since this morning I've seen 1 more message held and 7 or 8 let through. So, I'm still at around 20% success.

I was hoping that manually reporting most of what leaks through would help Spamassassin, since they're mostly the same 8 or 10 variations. But, it doesn't appear to be making much difference.

Again, the curious part is that it changed fairly quickly. About the time that the majority of my spam started showing up paired up.

Any other suggestions would be appreciated.

Drake

In the "Blacklists" settings for CESMail accounts, here are the Spamhaus options:

sbl.spamhaus.org

xbl.spamhaus.org

pbl.spamhaus.org

but not "zen." Regarding the SCbl, having that selected in the "Blacklists" setting used to redirect messages from SCbl-listed IPs to Held, but it has not done so for me for many months--I think something is broken, at least when mail is auto-forwarded to a CESMail mailbox from other sources (which is the way I've always used mine).

DT

Is there someone we can notify about this? This kind of sounds like what's changed for me.

Drake


As I said, I'm not using the Spamcop webmail system, so I don't think Spamassassin applies.

Changing the blacklist checkboxes did not appear to change the behavior, much. So far today, it has stopped 3 messages and let 13 through.

Drake

I don't use the "webmail system" either but you need to set it up as I described; don't forget to hit submit after setting this up.

Yes webmail system applies.

In your headers

X-spam-Level: ****

is the count; the lower the number the less it stops. This only counted 4 and would have got through

http://www.spamcop.net/sc?id=z5884551137ze...021023ae244133z

I use Thunderbird Portable on a USB drive


Drake

Is there someone we can notify about this? This kind of sounds like what's changed for me.

Drake

SpamCop stops all in "Zen" as zen is the combined spamhaus.org lists

You can reduce SpamAssassin level down to stop more spam, try 4

Your whitelist

http://webmail.spamcop.net/horde/imp/spamcop/whitelist.php

overrides ALL Blacklists and Greylisting

http://webmail.spamcop.net/horde/imp/spamcop/preferences.php

to activate click

"Click here to enable greylisting"

If spamcop is not reporting YOU (your mail hosts are set-up) you can use Quick-reporting in VER

http://mailsc.spamcop.net/reportheld?action=heldlog

"Quick report and send to trash"

You can also Whitelist emails in your VER (Held) folder by same scroll bar
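Added example, not part of any post in this thread: reading the `X-Spam-Level` header mentioned above (one asterisk per whole point of SpamAssassin score) and measuring what moving the hold threshold from 5 to 4 would change. The messages and their spam/ham labels are constructed, and the function names are hypothetical.

```python
from email import message_from_string

# Constructed sample messages with hand-assigned labels.
SAMPLES = [
    ("spam", "Subject: offer one\nX-Spam-Level: ****\n\nbody"),
    ("spam", "Subject: offer two\nX-spam-level: ******\n\nbody"),
    ("spam", "Subject: offer three\nX-Spam-Level: ***\n\nbody"),
    ("spam", "Subject: never scored\n\nbody"),
    ("ham", "Subject: lunch\nX-Spam-Level: *\n\nbody"),
    ("ham", "Subject: newsletter\nX-Spam-Level: ****\n\nbody"),
]

def spam_level(raw_message):
    """Return the number of asterisks in X-Spam-Level, or None when the
    header is absent (the message was never scored)."""
    msg = message_from_string(raw_message)
    value = msg.get("X-Spam-Level")  # header names match case-insensitively
    if value is None:
        return None
    return value.strip().count("*")

def would_hold(level, threshold):
    """A message is held when it was scored and reached the threshold."""
    return level is not None and level >= threshold

def sweep(samples, thresholds):
    """For each threshold, count (spam held, ham held) over the samples."""
    result = {}
    for t in thresholds:
        spam_held = ham_held = 0
        for label, raw in samples:
            if would_hold(spam_level(raw), t):
                if label == "spam":
                    spam_held += 1
                else:
                    ham_held += 1
        result[t] = (spam_held, ham_held)
    return result

if __name__ == "__main__":
    total_spam = sum(1 for label, _ in SAMPLES if label == "spam")
    for t, (spam_held, ham_held) in sweep(SAMPLES, [5, 4, 3]).items():
        print(f"threshold {t}: held {spam_held}/{total_spam} spam, "
              f"{ham_held} ham caught as false positives")
```

On this constructed set, lowering the threshold from 5 to 4 holds one more spam and also one legitimate message, and the unscored message is never held at any threshold.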


<snip>

If spamcop is not reporting YOU (your mail hosts are set-up) you can use Quick-reporting in VER

<snip>

...But please be aware that just because you are not reporting your own e-mail provider today does not guarantee that you will never report your own e-mail provider, so please watch it very carefully!

I don't use the "webmail system" either but you need to set it up as I described; don't forget to hit submit after setting this up.

Yes webmail system applies.

In your headers

X-spam-Level: ****

is the count; the lower the number the less it stops. This only counted 4 and would have got through

http://www.spamcop.net/sc?id=z5884551137ze...021023ae244133z

I use Thunderbird Portable on a USB drive

I clicked Submit. I logged in again today and they're still checked.

I realize I can run a second Bayesian filter on a local email client. But, I use POP Peeper to notify me of new mail every few minutes. So, I greatly prefer something that intercepts the spam before it hits my inbox. Spamcop has been doing an adequate job for years, until a few weeks ago. But, if it's only going to stop ~15% of the spam then it's not really worth it to me to continue using it.

Drake


I clicked Submit. I logged in again today and they're still checked.

I realize I can run a second Bayesian filter on a local email client. But, I use POP Peeper to notify me of new mail every few minutes. So, I greatly prefer something that intercepts the spam before it hits my inbox. Spamcop has been doing an adequate job for years, until a few weeks ago. But, if it's only going to stop ~15% of the spam then it's not really worth it to me to continue using it.

Drake

MailWasher the freeware version works for me sits on Toolbar

If spam is in your inbox it sends it to SpamCop for reporting without your email client downloading it.


I realize I can run a second Bayesian filter on a local email client.

I hope my comments about Thunderbird weren't interpreted as a suggestion that you should be using Bayesian filtering and not care about Spamcop performance. I am running Bayesian filtering and it's pretty much the only defense that's doing anything for me at the moment but I would prefer that many more spams be caught at Spamcop. Since last night: 30 more spams. 3 were caught by Spamcop via spam Assassin and one was caught by sbl.spamhaus. All the rest were caught by Thunderbird. So I'm wondering if block lists just aren't effective or is something going wrong such that they're not being checked reliably?


Archived

This topic is now archived and is closed to further replies.

