Is it really doing any good?

[rconner]

I appreciate your comments, Showker, they are forcing me to rethink some points I've made. I've been coming to the gradual conclusion that the best reason for fighting spam right now is not that my granny might get a couple of porn ads she doesn't like, but that spam is a huge nexus for criminal activity (as you ably point out) that could as well be turned to more destructive purposes. However...

However the Task Force would investigate and discover that of

all that spam, there is only TWO destinations. TWO. This is something

NO filter or black list could figure out because it's the THIRD link

found in the trail of links to the spammer's revenue source.

I know, I've been tracking them. This takes maybe five minutes. But a human has to do it.

NOT a filter or DNSBL.

Hmm... an "elite" group of human analysts will be telling us all on a daily basis what websites or blocks we will be prevented from visiting. Am I the only one who would find this far scarier than just allowing the fake-watch websites to stay up? If I want to do my own investigation, how can I do so if my ISP blocks my outgoing traffic to these blocks? Does some ISP in Fuzhou really care much that a bunch of big American companies have decided to block traffic to them?

Having the owners of Megadik file a suit would be like a gift from heaven.

The owners of Megadik will not be the ones filing suit. In my hypothetical, "company X" is the company that holds the address allocations as shown in Whois (e.g., some small Chinese ISP to cite the most usual case). This is seldom the party responsible for the spam or the websites (i.e., it would be the ISP whose addresses Megadik is using or stealing).

So, does this Company X (as I define it) deserve to be boycotted in this fashion? Perhaps, but the fact remains that if the incoming traffic is halted, the Megadik people will just slink off to some other bribable or complaisant provider (or more likely find some exploitable host on their own) and continue their operations much as before, while we continue to expend effort to block outgoing traffic directed to some Chinese netblock that now no longer has any Megadik websites on it. Seems like a waste of time and resources, no? It is like finding cockroaches in one of your kitchen cabinets and then spraying it; the roaches all move elsewhere, and meanwhile you are unable to use the cabinet you just sprayed.

Let's say that I decide to set up a spam pharma website on a Linux box connected to Comcast. Then, I use reverse web-proxy bots and redirections from Googlepages (etc.) to shield it. Then, your investigators trace me down. What would they then block? My single static IP? The entire Comcast block containing that address? All of Comcast net space? Maybe Comcast would deserve to be blocked in this case, but you can bet that they won't like it, and would be taking vigorous action on all fronts to stop it. In the mean time, I have long since closed out my Comcast account and have switched over to Road Runner to start over again...

What are they going to say???

"Your honor, we're suing this Task Force because they're preventing

us from distributing pornography (a violation of Title 18 of the Federal Code)

and keeping us from making money by stealing people's identities!"

What's the Judge going to say???

You'd be surprised (unpleasantly) as to what judges can say (and have said). Ref. Monsterhut v. Paetec, and more recently e360 v. Spamhaus. In the former case, it took appeals that eventually went to the NY Supreme Court to stop the decisions that came in favor of Monsterhut. In the latter, the defendant (Spamhaus) did for itself by failing to show up in court to mount a defense.

As for what Megadik might say, phrases like the following come to mind:

• "harmless herbal preparation not prohibited by FDA"
  
• "restraint of trade"
  
• "internet vigilantes"
  
• "100% opt-in list"
  
• "physical threats against my person and property"
  
• "freedom of speech"
  

The point is not whether these excuses work; in the long run they probably don't. However, they do force the defendants to expend time and effort (and money) to respond to them.

However in many, many of the worst and

most prolific cases, ALL of the domains owned by the spammer

funnel down to one or two specific outlaw ISPs providing nameserver

or DNS services.

Suggest that "rogue ISP" or "negligent/ignorant ISP" might be more precise terms than "outlaw ISP" because you can't be an outlaw if there are no laws governing your behavior (or your obligations of due diligence) in the first place; also, it isn't clear whether you are bound by laws in other countries for activities (e.g., domain parking, web hosting) that you do entirely within you own country. This, I think, is one of the big problems here, that the law is about 20 years (or more) behind the technology of internetworking.

There are tens of thousands of criminal domain operations

either hosted by Joker, or on Joker's name servers.

I'm sure you have evidence on this, but I guess my own experience differs. I have not seen many spam websites actually hosted on Joker (i.e., DNS resolves to an address in Joker netblock). I could not swear to you that Joker isn't parking large numbers of spam domains on their NSs, but most of the more abusive botnet operations I've tracked use their own jackleg DNS and not Joker's. Frequently, members of the botnets themselves are delegated as auth NS for short periods of time (presumably via open proxy).

Remember, registering your domain through Joker does NOT mean that you have to use any hosting offered by them, or park your domain on their nameservers. In fact, I'm sure that Joker prefers for some of their customers--the spammers, that is--NOT to do so for the very reasons you describe. The only thing you need Joker for is to put your auth-NS hosts into the root DNS servers and your registrant data into the domain-whois database.

Besides, in the by-laws managing the Task Force, JOKER

would have a method by which he could petition to get his

IP ranges back.

How did Mr. Joker lose these ranges in the first place? I thought we were just going to set our routers not to let our customers go to them, not actually get ARIN/APNIC/RIPE etc. to deallocate them. Having Joker's IP blocks deallocated for its technically-unrelated activities as a registrar is a bit puzzling, like taking away my fishing license for my not paying my tab at Red Lobster. I could see a lot of lawyering on that one.

It would take only ONE or maybe TWO episodes of JOKER

getting blocked by the "Big Six" ISPs to finally get it through

his thick skull that providing these services to criminals is

'eventually' going to be very unprofitable.

How does one go about "blocking Joker?" As far as I know, we have to look up every domain name listed in every e-mail and then try to trace it to Joker via domain-whois. That would be pretty scary code to write (I know, I've tried to write some of it myself). Do we have to block domains that are not Joker-registered, but redirect (via HTTP or scriptlet) to those that are? Gets very squirrelly indeed. Does AOL (etc.) simply block its customers from reaching Joker net blocks (maybe including Joker's main website), even though these may not contain any spam websites? That oughta keep a whole cohort of lawyers busy for awhile.

That said, I'd certainly sign on to any efforts to get Joker (and any other domain registrar) to enforce its ICANN obligations on to its customers. Actually, I'd be in favor of kicking ICANN's, um, tushie to get it to be more aggressive about faked registrations. Believe me, Joker is very far from being the worst of the registrars (are you listening, Beijing Innovative?).

[rconner]

I don't think so. Although the idea that email has to either deliver an email or send a 'bounce' is the ideal, because of spammers forging the return-path, it is no longer practical to accept an email and then return it to the sender - unless, of course, the receiving MX is certain that the return path is authentic.

If we go by RFC 2821, then a mail host is still required either to deliver a message or else to account for its nondelivery (i.e., via a bounce), viz:

"If there is a delivery failure after acceptance of a message, the receiver-SMTP MUST formulate and mail a notification message." (RFC 2821, paragraph 6.1)

"MUST," in RFC language, means "must," not "may, if your policies allow it." Maybe this language has been superseded, but as far as I know it is still in effect. Also, I contend that a willful refusal to deliver a message that has been previously accepted for delivery constitutes a "delivery failure" that must be bounced. I can see bending the rule by sending delayed bounces only if some sort of SPF-like check has been done to rule out the possibility that the return path is spoofed. It might even be OK to refuse to send bounces on messages that have been tagged as spam (if the particular recipient has opted for the spam filtering that makes this decision). I think, though, that the rule above still needs to stand in all other cases.

We depend upon bounces to tell us that our messages aren't being delivered, and conversely we also rely on not getting bounces to suggest to us (with less than complete assurance, granted) that messages have, in fact, been delivered. This mechanism, to me, is too valuable to throw out simply because of sporadic instances of misdirected bounces.

There are technically-defensible reasons for delayed bounces; these usually manifest when there is some technical mis-coordination between the hosts within a receiving domain. Of course, delay-bouncing a message because the MX was too lazy to reject on first offer it is not a technically-defensible reason.

What happens now is that emails that can't be delivered are dropped.

My provider does this; however, the important thing to note is that it does so with my explicit permission (i.e., I had to make this setting in my mail setup). This, to me, doesn't go against the rule above, because I chose to use the spam filter, and to tell the mail server what to do with this mail; the server didn't act without my knowledge or consent. It would be comparable to my telling the MX not to accept the mail (under your "my server, my rules" notion).

If ISPs are really throwing previously-accepted mail into /dev/null without either bouncing it or getting prior permission from the recipients to discard it, this seems to me to be very disturbing indeed.

So, by association, your proviso is probably justified; --you must be confused and should seek professional help ASAP.

Umm, what? I think I'm supposed to laugh, yes?

-- rick

'

[Farelf]

...If ISPs are really throwing previously-accepted mail into /dev/null without either bouncing it or getting prior permission from the recipients to discard it, this seems to me to be very disturbing indeed. ...

Some would be sailing close to the wind on that from what I can see - application of filtering by default with supposed notification to users not being recalled/noticed by the great majority of users, even the mechanism of notification unclear.

Then we come to silent outwards filtering - in some instances where it is supposed to be in operation it may not be but it certainly is in use with some providers, perhaps many of them. No permission is sought because it is assumed only spam is being blocked and, rather than affect revenue, it is apparently assumed this is inadvertent/unknown on the part of the paying customer whose machine is the sender (makes spam complaining and reporting more than tricky though). It would be interesting to see how one's own provider might react to the argument that RFCs "require" notification in these cases. I might try that line with my provider (but since they are quite immune to ridicule and utterly unaffected by appeals to reason it may not be very effective). I'm actually thinking there has to be a weasel provision in there somewhere excepting application to the initial hop - the one to the mail server. Yes?

[Miss Betsy]

<snip>

Hmm... an "elite" group of human analysts will be telling us all on a daily basis what websites or blocks we will be prevented from visiting. Am I the only one who would find this far scarier than just allowing the fake-watch websites to stay up? <snip>

No, you aren't the only one. IMHO, the reason that this line of anti-spam is not used is that there are lots of people who see that 'banning websites' is a slippery slope. The same effect is achieved by blocking the source of the spam and by AUPs & TOSs forbidding the use of spam to advertise.

<snip>

So, does this Company X (as I define it) deserve to be boycotted in this fashion? Perhaps, but the fact remains that if the incoming traffic is halted, the Megadik people will just slink off to some other bribable or complaisant provider (or more likely find some exploitable host on their own) and continue their operations much as before, while we continue to expend effort to block outgoing traffic directed to some Chinese netblock that now no longer has any Megadik websites on it.

Seems like a waste of time and resources, no? It is like finding cockroaches in one of your kitchen cabinets and then spraying it; the roaches all move elsewhere, and meanwhile you are unable to use the cabinet you just sprayed.

Yes, Company X does deserve to be boycotted. There are no 'innocents' on the internet concerning spam, only 'ignorants' and ignorance has never been an excuse for the avoidance of consequences. Blocklists have, and are, used to block traffic from IP addresses that are the source of spam where many 'innocents' had email accounts. The advice to them is to complain loudly or change email service.

And, yes, the roaches just go somewhere else. However, the ideal would be that eventually no one would host them (which is why many have gone to zombies). Someone in the ngs is calling this the Red Queen Effect. However, in all probability, what will eventually happen is that there are alternate 'neighborhoods' - one where blocking is the norm and where responsible email servers are identified and one where anything goes.

Miss Betsy

[Miss Betsy]

If we go by RFC 2821, then a mail host is still required either to deliver a message or else to account for its nondelivery (i.e., via a bounce), viz:

"MUST," in RFC language, means "must," not "may, if your policies allow it." Maybe this language has been superseded, but as far as I know it is still in effect. Also, I contend that a willful refusal to deliver a message that has been previously accepted for delivery constitutes a "delivery failure" that must be bounced. I can see bending the rule by sending delayed bounces only if some sort of SPF-like check has been done to rule out the possibility that the return path is spoofed. It might even be OK to refuse to send bounces on messages that have been tagged as spam (if the particular recipient has opted for the spam filtering that makes this decision). I think, though, that the rule above still needs to stand in all other cases.

We depend upon bounces to tell us that our messages aren't being delivered, and conversely we also rely on not getting bounces to suggest to us (with less than complete assurance, granted) that messages have, in fact, been delivered. This mechanism, to me, is too valuable to throw out simply because of sporadic instances of misdirected bounces.

Some server admins who agree with you on the interpretation of the RFC have quoted it as you have in defense of their accepting email and then sending another email to say that it is undeliverable. However, it makes no difference to those who block based on its use. I don't know the 'politics' of changing an RFC, but it is like the stop sign for a railroad track that no longer has trains scheduled. No one, except the extremely rigid, ever stop at it.

And it is not 'sporadic instances' of misdirected bounces. There are people who receive thousands and some people where it never goes away. For some people they act as DDoS attack. They scare website owners and anger them.

I thought I had kept the part about 'extremely disturbing' in reference to service providers 'dropping email' without telling customers. If you read the topic Where are my submit messages going, you will see that not only do service providers drop incoming mail, they drop outgoing mail, and lie about it.

Miss Betsy

[rconner]

Some server admins who agree with you on the interpretation of the RFC have quoted it as you have in defense of their accepting email and then sending another email to say that it is undeliverable.

If they are citing this to defend the practice of punting the deliverability check to an MDA, then they may be misreading RFC2821:

"When the receiver-SMTP accepts a piece of mail (by sending a "250 OK" message in response to DATA), it is accepting responsibility for delivering or relaying the message. It must take this responsibility seriously. It MUST NOT lose the message for frivolous reasons, such as because the host later crashes or because of a predictable resource shortage." (RFC 2821, sec 6.1)

If a mail-server crash is considered "frivolous," then certainly failing to exercise due care when accepting messages that are later bounced must be way beyond frivolous.

I'm looking at SpamCop's info page on autoresponders (linked from the main reporting page and found here:

"Although bounces are required, it is possible to avoid the situation under which they are required (see above). So they aren't really required unless you have already 'painted yourself into a corner.'"

This seems a reasonable policy to me. The recipient domain should reject mail if it can't or won't deliver it, except in the tiny number of "nonfrivolous" cases in which this proves impossible. Failing to check deliverability at the time of the MX relay is not one of these cases, nor is accepting the mail and then bouncing it because it hits a spam filter.

If you read the topic Where are my submit messages going, you will see that not only do service providers drop incoming mail, they drop outgoing mail, and lie about it.

That's pretty disturbing as well. If I send a message through my outgoing host, and that host won't deliver it -- for whatever reason -- I would like to know about it (via a bounce).

Someone in the ngs is calling this the Red Queen Effect. However, in all probability, what will eventually happen is that there are alternate 'neighborhoods' - one where blocking is the norm and where responsible email servers are identified and one where anything goes.

Nice name, that. It seems to me that we are already most of the way toward the "two neighborhoods" notion, at least as far as hosting websites goes.

-- rick

[rooster]

Umm, what? I think I'm supposed to laugh, yes?

rick;

Yes. A muted chuckle would be appropriate.

[klausm]

Is reporting spam time well spent?

I have been doing this for a few weeks but I have not noticed a reduction in spam received.

I can only assume that there are probably a lot more spammers on this planet than people who report spam. While spammers probably spend the whole day on finding ways to send spam, most spam reporters can only spend a few minutes to report spam because they have a job.

The most frustrating thing is that I receive spam spoofed with fake email addresses from my own domain without having a way to prevent this.

I wonder if anybody has an encouraging response to my question.

[dra007]

The short answer is NO. As for reporting it only does you good if you have a SpamCop account to handle your e-mail. Some providers do take action based on our reports, but they have become rare in my experience. If anything, by reporting, you are helping many that rely on peple like you to cut down on spam, you are also inconvinienceing the spamemrs to some degree and that alone is a good reason to report.

[Miss Betsy]

Yes, the short answer is NO.

Only people who use the spamcop blocklist benefit from spamcop reports. Occasionally, spamcop reports do go to server admins who are glad to be alerted to spammer activity. Most of the time they go to people who could care less. The real object of spam reporting is to place an IP address on the spamcop blocklist - which lots of people use to tag incoming email as spam (or to reject outright).

If spammers are using your domain, it is not such a big deal since most people conversant with the internet know that spammers do that. You can't stop them by reporting them via spamcop.

Miss Betsy

[Farelf]

Agree with dra007 and Miss Betsy (previous 2 posts).

...I can only assume that there are probably a lot more spammers on this planet than people who report spam. ...

Not necessarily, 'most' spam is from a finite number of botnets and that certainly represents a pinch point - there is a noticeable drop in spam whenever anything happens to disrupt the command and control of one of the major ones. Bits of botnets seem to be leased out to the spammers whose 'business plans' generally require that they pump out millions of messages daily to make a generally tenuous living. But SpamCop is operating at the other end of the spectrum, at the level of the individual IP address being used, almost always, by an unknowing compromised PC or server.

The best most of us can do is filter our mail so most of the spam doesn't reach our inboxes. SC contributes to that effort through the SC blocklist, as Rick has pointed out, above.

A light on the horizon is that increasing numbers of people report they phase out their old, spammed, addresses and get no spam/hardly any spam on their new addresses. That requires a certain amount of discipline in terms of not 'broadcasting' the new address too widely, not using it to purchase goods and services online if a 'disposable' address can be used instead. The free Hotmail, Yahoo, etc. services are getting very good at blocking spam and are a very useful adjunct to the 'real' address for many people in this way.

I gave up two 'moderately' spammed addresses (one running at about 200 spam and more a day with filters turned off, something I could not afford to do very often). My current address (filters turned off) received one spam on August 13, the previous spam was dated July 8. I actually miss my spam.

There's no single solution to spam - but there are a whole heap of things, working together, that can make it more or less manageable. SC is part of that and, although there is often some deprecation of its impact made in these pages the fact remains it often provides the first hint to concerned network administrators that they have a compromised machine (a botnet intrusion) on their net.

[Miss Betsy]

keeping an email address from being scraped by spiders is the key. I couldn't convince one group that it was not a good idea to publish email addresses on the web so I changed addresses and gave them a hotmail address. They claimed the spiders couldn't get the email addresses because it wasn't published in HTML. The hotmail address gets lots of 419s, but little of other kinds of spam - which could be due to the hotmail filters. I have another hotmail address that was 'exposed' at one time, but almost never gets spam and, if it does, it is almost always 419. And, I had another address that I couldn't convince people from publishing on the web. The first spam it got was 419s. They seem to work harder to get addresses and to get past filters.

Miss Betsy

[rob]

Hi

I discovered this service because it was hig on Google result search.

It is weeks I am forwarding spam to Spamcop using the link I got from web site, and after I go in that site and I press the Report Now button.

But the spam continues as before, I would ask if this is useful and when I will see some result.

Thanks.

[SpamCopAdmin]

Joining SpamCop is joining the army in the fight against spam. As in any army, as a soldier, you fight and fight and never see any benefit.

It's highly unlikely that you will see a reduction in spam as the result of using our service. By the time you found us, your address was already being passed around on the "Millions of Addresses" CDs the spammers sell each other. The level of spam will likely get worse from here on out.

The fight against spam is a long term battle. We get tons of open proxies, open relays, and exploited servers shut down, and we put a lot of spammers out of business, especially novices, but it's very difficult to stop the specific spammers sending *you* the spam.

Your reports make a difference! They are added to our blocking list database, which is being used by more and more ISPs around the world.

We feel like there is hope because of the effect the blocking lists are having. We're driving the professional spammers into ever smaller corners of the Internet where they're easier to block. Service providers around the world are starting to pay a lot more attention to plugging the holes in their systems. Unfortunately, the serious spam networks don't care much about being blocked because they still get their spam to enough gullible people to keep it profitable.

- Don D'Minion - SpamCop Admin -

.

[g4mby]

But the spam continues as before, I would ask if this is useful and when I will see some result.

I have quite a few email addresses and a few personal domains that receive varying amounts of spam.

My ISP email addresses have almost become spam-free but whether that is due to reporting everything through SpamCop for several years it's impossible to say as reports have also been sent elsewhere. One of my domains used to receive 300+ spams each day. Persistent reporting has reduced that to around 20 each day but I see no sign of it reducing any further. Another domain used to receive about 100 spams each day but that has now increased to about 220 with slightly less at the weekends but the same level of reporting.

If you look at what you are reporting you might see some results. Occasionally I get spam that is sent to a an email address that is seldom used anywhere, the advertised web-site looks genuine and the web host is well known. After a few SpamCop reports the spam stops.

But the bulk of my spam, especially that which has any association with China or anything that doesn't make reference to a specific website, will continue to be received for a very very long time. Unlike most people here I have seen a reduction in spam over the last year but I have been fighting spam long enough to know that I might see an increase very soon but I don't expect it to ever stop.

[rconner]

My ISP uses a spam filter that is extremely effective against spam -- on most days, I receive no spam at all.

Why is that filter so effective? Partly because people report their spam through SpamCop, which runs a service used by my provider's spam filter.

So, I do get indirect personal benefit from reporting what I can through SpamCop.

We also see results when we read the news and find that spammers lose their resources or get prosecuted for their crimes. It is the monitoring of their activity by services such as SpamCop that makes these results possible.

-- rick

(on edit -- fixed double-posting)

[Wazoo]

It is weeks I am forwarding spam to Spamcop using the link I got from web site, and after I go in that site and I press the Report Now button.

But the spam continues as before, I would ask if this is useful and when I will see some result.

First of all, I mergerd your 'new' Post into an existing Topic/Discussion on the same subject. (PM sent to advise of this action.)

Second, I'll suggest a bit more research ... for example;

What is SpamCop.net?

What is the SpamCop Blocking List (SCBL)?

Suggestion is that in order to see any 'direct' benefit, one must be able to use the SpamCopDNSBL. There are several thrid-party products that do this, running your own e-mail server would allow this, and of course, there's also the possibility of using the SpamCop.net e-mail system.

[purpley]

Admin Edit: merged into one of the exsting Topics/Discussions on the same subject. PM sent to advise of this action.

I have been using this service for around a week now, is it really doing any good? The spam hasnt stopped at all, it seems like its the same things over and over, I just want to be sure I am not wasting time here. Do the email reports really work in the long run? I sure hope so, I am sick of trying to find a real email.

[agsteele]

I have been using this service for around a week now, is it really doing any good?

Hope you'll have time to read through this thread. It has lots of useful background and answers to your question.

One of the most important things to remember that simply reporting will be unlikely to help you unless you use a mail server to collect your mail which itself uses the Spamcop blocklist to filter the junk that's arriving.

Your reports are welcome and help those who do make use of the SCBL (thanks for that) but you don't help yourself unless you or your ISP implement blocklist filtering. In fact it is one of several tools to deploy. I find a combination of grey listing and SCBL filtering keeps my spam load down to about 10 spam items per week.

Andrew

[BARBARELLA BLOODWORTH]

What's up World....How U Doinnnn?

On average I report about 20 annoying and vulgar spam. I seem to get double the "apy back" with EVEN more spam. Either:

a) it is coincidence or

the rports sent to "ISP Admins" reveal our email address despite spamcop's great efforts to keep us "blind," or

c) some of those "ISP Admin" addresses are spammers

d) this is some kind of punishment from the spammers so they dump even more on us as pay back?

[turetzsr]

Hi, BARBARELLA BLOODWORTH,

...Have you read the other posts in this "thread?" I believe you may find some answers (though perhaps none that are conclusive) there. If you have follow-up questions after reading the other posts, please reply back here.

[nei1_j]

Any macro- or micro-views on the spam situation, especially regarding any successes gained by our efforts?

There have been two or three stories in the last 10 years in the Major Media about spammers being closed down, maybe another story about how many hours people spend processing spam, but I haven't seen much more. Forums.spamcop would seem to be the place to get additional information, especially any battles won with the help of Spamcop submitters.

Such stories should be contained within a top, front, and center "Pin / Announcement."