Jump to content

SpamCop Glossary Archive


Wazoo

Recommended Posts

Posted

<a name="archive"></a>

Link to SpamCop Glossary (consolidated) Alphabetical listing of the glossary

Edit note: when the forum software was upgraded html font sizes were displayed differently. The oversized heading found in the earlier entires are a result of that change. Since this is an archive of the original entries, no attempt was made to correct the display size. The font size was corrected in the active (consolidated) glossary.

The following begins the first post which was the starting point of the SpamCop Glossary:

last edit 21 June 2005

Backscatter, Blowback, Misdirected Bounces

Delayed bounces, virus notices, out-of-office messages and other forms of auto-responses that are frequently mis-directed, basing their targets on data found within forged header lines. In the past, these types of notifications were a nicety. However, as the spammers have once again used a "feature" of something developed under the "trusted users" model to aid in delivering their spew, this activity of e-mail servers has moved into the "bad"zone. More desirable these days is the non-deliverable e-mail will be handled at the time of attempted delivery, such that any rejection notice required is supplied to the sending server, rather than a possible innocent third-party.

See also: http://www.spamcop.net/fom-serve/cache/329.html http://spamlinks.net/prevent-secure-backscatter.htm

Content-ID: / cid:

The Uniform Resource Locator (URL) schemes, "cid:" and "mid:" allow references to messages and the body parts of messages. For example, within a single multipart message, one HTML body part might include embedded references to other parts of the same message. (extracted from http://www.ietf.org/rfc/rfc2111.txt )

Domain Name

Domain names have an important role in Internet traffic. They provide a straightforward basis for contact with computers, websites and electronic mailboxes belonging to companies, other organisations and private individuals. Using a domain name, an Internet user can, for example, find the site belonging to a company and thus obtain information, view the company’s catalogue, place an advertisement, perform a financial transaction, place an order or whatever. In short, domain names make the Internet usable.

Domain names are derived from the unique numbers that all computers on the Internet have. These numbers are known as IP (Internet Protocol) addresses and consist of figures only. Unfortunately, long numbers aren’t very easy to remember, so it was decided to use a system whereby you can have a name that corresponds to an IP address. The Internet uses what are known as ‘domain name servers’ to look up the numbers (IP addresses) that these names correspond to. Every domain name is made up of at least two elements. The last element of the name is called the top-level domain. Country code top-level domain names refer to countries; so, for example, there is ‘.nl’ for the Netherlands, ‘.be’ for Belgium and ‘.de’ for Germany (Deutschland).

Not all top-level domain names relate to countries, however. The most commonly seen top=level domains were agreed upon as an aid to identify the type of site you were going to visit. These include ‘.com’ for commercial, ‘.org’ for organization, '.edu' for educational, ‘.net’ for network, '.gov' for government. Recent additions include '.info' for informational and '.biz' for business. However, it must be noted that spammers and hucksters have managed to further muddy the waters that these 'identifying' names were supposed to represent.

The item in front of the top-level domain name is usually the company/personal/entity name of the folks behind the web-site.

The "www:" in front of all of this is also (mostly) a convenience, letting the user know that this is a web site normally accessed via a web-browser using HTTP (HyperText Transfer Protocol) .. You may also see "ftp:" (File Transfer Protocol) or "news:" (Network News Transfer Protocol)

Items seen between the first "protocol" bit and the company/personal/entity name is basically there to guide to to a certain/specific area that is hosted by the folks behind the name. Items seen after the Top-level Domain name (separated by a "/") will take you to a specific web-page on that hosted web-site.

HTTP

HyperText Transfer Protocol - The protocol for moving hypertext files across the Internet. Requires a HTTP client program on one end, and an HTTP server program on the other end. HTTP is the most important protocol used in the World Wide Web .

IP Address

Each device connected to a network, be it a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet has an assigned unique IP (Internet Protocol) Address which identifies that specific device to the rest of the network. For example, Show me my IP Address will take a look at "your" computer and list the address of "your" system. (if you are using a modem to dial into your ISP, this number will likely change at every connection ... cable and DSL modems may have the same address for quite a while) Your ISP has a pool of IP Addresses, some are used to provide their customers with a unique address when on-line, others the ISP use themselves for things like running an e-mail server to handle all the incoming/outgoing e-mail for their customers. (NOTE: the above is very simplified. If/when all the other techy stuff gets added, this block will be revisited and a bunch of items will be added, like "See TCP/IP, Network Protocols, Proxy, etc.)

For more info;

http://computer.howstuffworks.com/question549.htm

http://www.webopedia.com/TERM/I/IP_address.html

ISP

Internet Service Provider .... the company you are giving your money to that lets you then connect to the Internet, send and receive e-mail, interact with some strange people, check the weather without having to get out of bed .. all those important things <g>

Joe Job

1. A "joe job" is a spam run forged to appear to come from another innocent party, with the intention of generating complaints about the victim and damaging their reputation.

2. A Joe job is an e-mail spam designed to tarnish the reputation of an innocent third party. Despite having existed since at least 1996, Joe jobs are uncommon compared to other types of spam because they provide no commercial benefit to the Joe jobber.

3. A "joe job" is something far above and distinct from the all too typical spammer construct of a "From" Address Forgery

For more info:

Why am I getting all these bounces?

http://spamlinks.net/faqs-joejob.htm

http://en.wikipedia.org/wiki/Joe_jobs

Mail-Host Configuration

Procedure of "training" the SpamCop parser to identify the mail-hosts / e-mail servers that "your" e-mail travels through on its way to your InBox. The primary purposes of configuring your account is to help identify some spammer forgery and manipulation of the spam headers to point to innocent ISPs and to help prevent folks from reporting themselves or their own ISPs. Nothing is foolproof, blindly trusting any tool is silly, so the requirement that you verify the parser analysis and report targets is still a mandatory part of the agreeement between you and SpamCop. It has been stated that performing this configuration on your account will be mandatory at some time in the future.

Mung / Munge / Obfuscate

Mung (or munge) is computer jargon for "to make repeated changes which individually may be reversible, yet which ultimately result in an unintentional irreversible destruction of large portions of the original item." It was created in 1958 at the Tech Model Railroad Club, at the Massachusetts Institute of Technology. In 1960, the backronym "Mash Until No Good" was created to describe Mung, and a while after that it was revised to "Mung Until No Good"—making it one of the few recursive acronyms.

Mung originally had two main meanings: to make large-scale and irrevocable changes to a file and to destroy something. A person who vandalizes a Wiki page would not be munging that page because the changes could be reversed. In the early text-adventure game Zork, also known as Dungeon, the user could mung an object and thereby destroy it, making it impossible to finish the game if the object was an important item.

The spam epidemics of the 1990s have created a new meaning for mung: to modify an e-mail address so that humans can readily reverse it but robots and address harvesters cannot.

Mung also sometimes stands for Multipurpose Unilateral Nonsense Generator, which is a program that will take web pages and run algorithms on them to make them read as if said in a dialectical manner.

(extracted from http://en.wikipedia.org/wiki/Mung)

Phish / Phishing

The practice of sending bogus e-mails that try to trick people into revealing private and / or financial information for purposes of identity theft. AOL needs your password, e-bay is going to close your account if you don't verify your data in the next 12 hours, CitiBank needs your data to verify their records, fantatstic opportunities to get a mortgage at a discount with no credit check involved, you are the 1,000th visitor to this web page, on and on, obviously idiotic ploys to get "you" to fill in the blanks.

Proxy

  • A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps does additional authentication, and then completes a connection on behalf of the user to a remote destination.
    http://www.atharmahboob.com/courses/securi...ry-firewall.htm
  • An intermediary program which acts as both a server and a client for the purpose of making requests on behalf of other clients. Requests are serviced internally or by passing them, with possible translation, on to other servers. A proxy must interpret and, if necessary, rewrite a request message before forwarding it. Proxies are often used as client-side portals through network firewalls and as helper applications for handling requests via protocols not implemented by the user agent.
    http://www.freesoft.org/CIE/RFC/1945/3.htm

As defined above, a proxy can be a good thing. As such, open and abusable proxues fell into the list of things 'good' about the 'net' that spammers learned to abuse. These days, with spammers and virus writers teaming up, open/abusable proxies are no longer only something set up by an ISP/Hosting service, unfortunately cropping up around the world on home/end user computers. Folks, install and update anti-virus and anti spyware tools, get that firewall installed. Learn to use them all.

Quick Reporting

Mode of reporting in that ONLY the source of the spam is tracked and reported. Items within the spam body are ignored. When it works, its great within this limited scale of reporting. However, if anything goes wrong, the lack of oversight has caused problems for some users. These problems led to the creation of the MailHost configuration to minimize these errors. However, just as a hammer has the capability of hitting one's thumb rather than the nail on occasion, the decision to use Quick-Reporting should only come after verifying that the spam submittals are parsed correctly .. specifically, that one is not trying to report themselves.

Tracking URL

When looking at the Report Page of the Parser Results, the top of the page contains these words (your reference number will be different);

spam Header

This page may be saved for future reference:

http://www.spamcop.net/sc?id=z641303267z045b750a0c3cf8aa3bfef3b3d92488bfz

Skip to Reports

This "future reference" URL is the "Tracking URL" .... As one of the IronPort "purchase" benefits has turned out to be the addition of some serious storage capabilities, the entire spam submittal is now stored (for some time). These days, things are made much easier when asking for some review, analysis, or assistance, simply copy this provided link and use it to point to the spam submittal in your query. This way, anyone looking to try to answer the query is looking at the spam submittal as the SpamCop parsing engine saw it, thus everyone is talking about the same data.

Update: those lines in the parser output now read as;

spam Header

Here is your TRACKING URL - it may be saved for future reference:

http://www.spamcop.net/sc?id=z641303267z045b750a0c3cf8aa3bfef3b3d92488bfz

Skip to Reports

VER - Very Easy Reporting

Web-based Quick Reporting, which is an exclusive feature of the SpamCop Parsing and Reporting System which only SpamCop Email System Customers may access at: http://mailsc.spamcop.net/reportheld?action=heldlog

Contributors;

dbiel

  • Replies 180
  • Created
  • Last Reply
Posted

WORM POOP

Viruses, worms, and anything that generates a mail message to the forged address in a worm or a virus.

This included misconfigured virus scanners, vacation/out of office autoresponders, and mail servers that bounce undelivered mail instead of using SMTP rejects.

VACATION responders

A service that you can set on many mail servers to automatically let criminals know that they can steal your identify for a specific period of time with out fear of getting caught. It allows them to steal anything from your company that someone else thinks you are authorized to mail with out your signature.

These criminals are also known to use voicemail vacation messages for this purpose.

VOICEMAIL

A service that you can get as an answering machine from the phone company instead of a standalone box.. Criminals are known to use vacation/out-of-office notices from these to sucessfully steal from companies.

C/R or CHALLENGE RESPONSE

A service that issues a challenge to make sure that a human is sending a mail.

When they challenge spam and viruses, they bother innocent people.

If they use SMTP rejects, then only real senders will get the challenges.

Generally an expensive method of spam control, and spammers can easily get around the challenge if they care to by redirecting the challenge to a porn site and promising free porn to the humans that visit the site and answer the challenge.

A challenge response system that does not use SMTP rejects is prone to sending e-mail to spamtraps which will casue other mail servers to refuse the challenges.

The only way that a challenge response system that does not use SMTP rejects to avoid hitting spam traps is if it makes sure that it never issues a challenge to a forged address in a spam or a virus. And of course if it knew how to do that, it would not need to issue a challenge.

DNSbl

DNS based blocking system. A DNS server keeps track of I.P.s that meet the listing service's criteria. Also known as BLOCKING LISTS and BLACKHOLE lists.

Mail servers and other network servers can reference them to reject mail or connections, or to decided if they need to examine them further. They also can be used to indicate trusted I.P. addresses to accept mail or connections.

There are many DNSbls with different criteria.

The spamcop.net DNSbl lists I.P. addresses that spam has been reported to originate from. It is agressive, and may list real mail servers.

Some list only I.P. addresses that have been shown to be compromised and abused by spammers. Others list I.P. addresses that are known to be controlled by spammers.

These are known as conservative DNSbls.

And some list I.P. addresses that are DHCP assigned. These are known as Dyanmic list and sometimes DIALUP lists. Many mail servers will not accept e-mail from these addresses.

There are also DNSbls that list all I.P. addresses for specific ISP's and countries.

Use of conservative DNSbls can block over 80% of the incoming spam usually with out any real e-mail being rejected unless the sender's mail server has a severe security problem. Adding a good DHCP blocking list to that can eliminate most of the remaing spam with a very small chance of rejecting a real e-mail.

An aggressive DNSbl can be used to indicate if addtional tests should be done on an incoming e-mail to see if it is spam or real e-mail.

rDNS

Reverse DNS. The reverse DNS is a service that returns a name assigned to an I.P. address.

An I.P. address can be used by many domain names. The rDNS name is the true name, the rest are aliases, or "knick-names"

Apparently there is a requirement that a mail server identify itself with it's rDNS assigned name when it attempts to deliver e-mail.

The receiving mail server can verify this name against the I.P. address to see if can trust the sending mail server. It is estimated by some internet posters that 80 percent of the incoming spam has bad rDNS data.

Unfortunately there are still too many real mail servers with misconfigured rDNS for many mail servers to use this easy method of sorting out spam.

Content Filter

A content filter is one that looks at the contents of a message and tries to guess if it is spam or a real e-mail.

Generally content filters are not vary accurate, and as they require that the mail server allow the transfer of the body of the message, they are more expensive to operate than using DNSbls.

Generally to make up for the innaccuracies in content filters, they are accompanied by a quarantine area to check for errors.

The accuracy of content filters can be greatly enhanced by using conservative DNSbls to keep the bulk of the spam out of the mail server, and then using aggressvie DNSbls or fail strict rDNS checks to determine if the content filter should examine the message.

Of the content filter checks, the one that shows the most accuracy is to look up the I.P. address that any web link in the e-mail references, and check it against a DNSbl. But you only want to do that check on e-mail that fails one of the agressive tests, or you may miss legitimate mail discussing spam and how to fight it.

WEB-BUG

Web-bugs are used by spammers to track if a human read the message. If you have your e-mail system set to plain text, they do not work.

RFC

RFC stands for Request For Comments, but are usually what results from after the comments are done about a subject. RFCs are the rules of the internet, and e-mail.

Systems and users that do not comply with the RFCs can expect to have problems communicating on the internet.

SMTP

Simple Mail Transport Protocol. This is how E-MAIL is transfered on the Internet.

BOUNCE

Used by some as a description of undelived e-mail.

More accurately it refers to a mail message that a mail server generates to indicate a mail message is not delivered.

RFCs allow a receiving mail server to generate a bounce, but that is no longer a good practice as for spam or viruses which are now between 50 to 70 percent of incoming e-mail, that bounce will go to some innocent victim, like you.

The preferred practice is for the receiving mail server to issue an SMTP reject code if it can not deliver the e-mail, and then the sending mail server will generate a bounce.

Since spam and most recent viruses are not sent through real mail servers, no bounce message will be generated for them.

SMTP REJECT

This is where the receiving mail server refuses delivery with a code and a brief message to describe why.

This is now the only non-abusive way for a receiving network to indicate that a message will not be delivered.

A mail server that is the front end for other mail servers on a network now should have the ability to verify that the destination mail servers will accept the message, and this is possible with current technnology for such complex systems.

QUARANTINE

A place that a mail server or mail program will put suspected spam. Generally if there is a high amount of spam in the quarantine area, real message will get lost, or be delayed.

Note that if the mail was rejected instead of quarantined, the sender would have received a bounce generated by their mail server, so would know that the mail was not delivered, so would have been able to make arangements to get a time critical message.

Ironically, the taging / quarantine systems are put in because of fear of rejecting a real mail message, but by not issuing an SMTP reject, they introduce human error, and are probably more likely to cause a time critical message to be lost or delayed.

BLACKHOLE

This is a system where suspected spam is accepted by the mail server or user and silently deleted. Neither the sender or the receiver is notified.

This seems to be preferred by many companies as it means that none of their potential customers will see a rejection message, and by many users as they can not tell if a spam filter deleted the message or some other computer glitch deleted it before it got to their server. When coupled with a whitelisting system where any outgoing e-mail address is whitelisted for a response, the error rate can be almost invisble to the senders and the receivers.

As with the quarantine method, it is a more expensive method than using DNSbls.

-John

Personal Opinion Only

  • 2 months later...
Posted

Manual Report

A Manual Report is a Report that you construct and send by hand. Manual Reports should be sent for cases where you can't or shouldn't send a SpamCop Report. These cases include, but are not limited to:

  • Network Abuse that is not spam
  • Viruses
  • Worms
  • Worm Poop
  • Bounces
  • Double Bounces
  • Attempts to Relay, Hack, and Crack
  • Newsgroup Posts that violate a Newsgroup Charter but have BI<20
  • URLs that the Parser refuses to find because of its strict adherence to standards
  • URLs that the Parser refuses to deal with because there are too many (please don't report unclickable URLs)
  • URLs that the Parser refuses to deal with because they are in java scri_pt
  • Extra reporting addresses that the Parser refuses to let you add (it's limited to four), such as those found on Marjolein's spam Reporting Addresses page, the Network Abuse Clearinghouse, NANAE, spam-L, and elsewhere
  • Email Addresses that you know derive benefit from spam (such as those used in 419 Advance Fee Fraud spam emails and in spam emails that do not contain even one URL)
  • Phone Numbers that you know derive benefit from spam (such as those used in diploma mill spam emails and in spam emails that do not contain even one URL), if you can figure out where to send the Report
  • Violations of any TOS (Terms Of Service or local equivalent), AUP (Authorized or Acceptable Use or Usage Policy or local equivalent), Rule, Law, Internet Standard, RFC (Request For Comments), and/or BCP (Best Common Practice)
  • Anything else that a SpamCop Admin or Deputy states shouldn't be reported through SpamCop

Although you may use the SpamCop Parser to identify where to send your Manual Report, "SpamCop" should not appear in that Report, except possibly in the Headers because you received the email through your SpamCop Email System account. Manual Reports should include a minimum of facts and explanation of facts, unless you know the recipients need more, and should be polite. If you have the time to do the research, it helps to quote the chapter and verse (specific Section or Subsection) of the TOS/AUP, Internet Standard(s), and/or RFC(s) that you think is/are being violated. When complaining about commercial use of an MSN Hotmail or Yahoo! account, for instance, I have found the phrases 'in violation of the Term "Unless otherwise specified, the MSN Sites/Services are for your personal and non-commercial use" of your "MSN Terms of Use" per your page http://privacy.msn.com/tou/' and 'exploiting that customer's Yahoo! I.D. and Email portions of your Service for commercial purposes in violation of Term 10 of your Yahoo! Terms of Service at http://docs.yahoo.com/info/terms/' and quoting of whois results to be helpful in expediting the desired results.

  • 6 months later...
Posted

Cache

A cache (pronounced cash) or buffer is basically a local copy or storage area that provides speedy access to stuff that is normally stored elsewhere. Computers cache and buffer information inside and outside their CPUs, in RAM, and on Hard Disks. In the interest of speed and reduced redundant network traffic and load, the Parser caches DNS, WHOIS and abuse.net lookup results (more info on them below) Information about how long the Parser caches those lookup results is confidential, as exact numbers might give the spammers ideas.

MX Record

MX stands for "mail exchange" or Mail Server. MX is a type of DNS Resource Record, which tells SMTP Senders where to send email for a particular domain (specifically identifying a hostname, which must then have at least one A Record pointing to the IP Address(s) of the Mail Server(s)). "is not an MX for domainname" means that the Mail Server IP Address currently under review by the Parser is not listed in any A Record for any hostname in any MX Record for domainname, and that it therefore is not a registered Mail Server for domainname. Please see RFC 974 MAIL ROUTING AND THE DOMAIN SYSTEM for more information on the use of MX Records.

Using last resort contacts

When the Parser can't find any information about an IP Address's WHOIS listed contacts' domains in the abuse.net master database of reporting addresses, cached or via direct lookup, it uses those contacts' email addresses as contacts of last resort. All responsible domain administrators should register with abuse.net.

WHOIS

WHOIS is a service and protocol defined by RFC 1032 DOMAIN ADMINISTRATORS GUIDE, RFC 954 NICNAME/WHOIS, and their predecessors for providing information about allocated Domain Names and IP Addresses. When the Parser does lookup and finds a hit in the cache, it reports "Cached whois".

Edit: 2005/05/17 10:26 Jeff G. added "Cache".

  • 1 month later...
Posted

Combined Glossary in Alphabetical Order

last edit 21 June 2005

This post has been moved to a new thread SpamCop Glossary (consolidated), Alphabetical listing of glossary for ease of use. The contents have been deleted from this thread as it is simply a duplication of all the other posts that still remain.

Edit note: this post remains solely to archive the date of the creation / split of the separate Glossary and Glossary Archive treads

Posted

Suggested additions to the glossary

/dev/null'ing

The act of vaporizing a file (sending it to the unix directory /dev/nul)

SpamCop uses email addresses addressed to xxxx[at]devnull.spamcop.net to discard messages that have been generated after they have been statically recorded where the intended recipient has historically bounced similar messages or has requested that they no longer be sent.

for more information see http://forum.spamcop.net/forums/index.php?showtopic=4430

quote from the newgroup - one of Wazoo's many postings

Again, still waiting for JT to do something, but the next

step was going to be converting the Glossary page to an

HTML linked set-up .. once again, it's gotten too big in

the format that it's in now .... once that action was

accomplished, I was then looking forward to trying to do

the same with the Forum FAQ.

I like the sound of that, But when/how are you ever going to find/make the time to do all of that? Sounds like a major undertaking to me.
Posted
I like the sound of that,  But when/how are you ever going to find/make the time to do all of that?  Sounds like a major undertaking to me.

29569[/snapback]

Didn't you know Wazoo is made of time (not money) ;)

Posted

...Please consider adding this to the FAQ (rewording encouraged):

spam Trap or Spamtrap

"Secret" e-mail addresses (they have never been used to send e-mail). Any e-mail sent to a spam trap is presumed to be either:

  • a confirmation e-mail, if it appears to be a one-time confirmation e-mail

or

  • spam

The spam traps are set to recognize one-time confirmation e-mails and ignore them. If it is judged to be spam, then SpamCop weighs it more heavily than it would a report by a user in deciding whether the source IP address should be placed on the SpamCop DNSBL.

  • 3 weeks later...
Posted

Suggested addition to the glossary

<a name="Report"></a>

Report

A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service. Please see SpamCop Report Types for details on the types of SpamCop Reports that Reporters have the option of sending.

<a name="ReportEmailAddress"></a>

Report Email Address

A Report Email Address is an email address that can be used by the Report's recipient to indirectly email the Reporter for some time after the submission of the Report, incorporates a Report ID, is used as the From Address on the actual Report, and looks kind of like 1466329110[at]reports.spamcop.net but with an [at]-sign in the middle (spam emailed to this address will be treated as such). A report email address could be used to spam you, so you should avoid revealing it.

<a name="ReportID"></a>

Report ID

A SpamCop Report ID number is a unique number, as of this writing ten digits long like 1466329110, assigned by the SpamCop Parsing and Reporting System to a particular Report sent to a particular Administrator regarding a particular piece of a particular spam by a particular Reporter.

Please note that the Report ID numbers are keyed to your reporting account, such that someone else's Report ID numbers are pretty much useless to you for discussing the actions of the SpamCop Parsing and Reporting Service and they could be used to spam you, so you should avoid revealing them. The Moderation Team suggests that you discuss a <a href="#TURL">Tracking URL</a> instead - for instructions on how to get one, please see FAQ Entry: Getting a Tracking URL from a Report ID.

<a name="ReportURL"></a>

Report URL

A Report URL shows the headers for the spam reported using the associated Report ID and a "Parse" Link to a <a href="#TURL">Tracking URL</a> for that spam, and incorporates a Report ID, which can only be used by the associated Reporter or a SpamCop Admin. The Report URL is therefore useless for discussion in public fora, looks like http://www.spamcop.net/mcgi?action=gettrack&reportid=1466329110 or http://members.spamcop.net/mcgi?action=gettrack&reportid=1466329110 or http://mailsc.spamcop.net/mcgi?action=gettrack&reportid=1466329110 (depending on which reporting website you use), and could be used to spam you, so you should avoid revealing any Report URL.

Edit by Jeff G. 2005/07/12 17:25 EDT Separated three items into separate entries, edited the entries, and added a fourth.

Edit by Jeff G. 2005/07/17 11:22 EDT Replaced "I suggest" with "The Moderation Team suggests", and incorporated dbiel's syntax change to "Report URL".

Edit by Jeff G. 2005/07/17 12:08 EDT Addressed a security concern with "Report ID", "Report URL", and "Report Email Address".

Edit by Jeff G. 2005/07/17 17:13 EDT Addressed dbiel's suggestions for "Report" and added timezones to the Edit timestamps.

Edit by dbiel 2005/07/17 14:30 PDT added html tags to prepare for insertion into glossary (no content edits).

Edit by dbiel 2005/07/17 15:40 PDT altered hyper links to point directly to glossary enteries.

Edit by Jeff G. 2005/07/17 20:03 EDT Addressed Wazoo's suggestions re not-exactly-usable hyperlinks in "Report URL" and confusion re the word "Report".

Edit by Jeff G. 2005/07/17 20:11 EDT Addressed Miss Betsy's suggestion re the SCBL mention in "Report".

Edit by Jeff G. 2005/07/17 20:17 EDT Fixed the [at]-escaping problem introduced by dbiel turning on HTML.

Edit by Jeff G. 2005/07/17 20:20 EDT Added 'If the Administrator replies to the Report, the reply will go to the "Report Email Address", and on to the Reporter's secret email address. If Reports to particular Administrators bounce enough times, those Administrators' email addresses will be flagged as bouncing, and will no longer receive Reports.' to and removed other info about "Report Email Address" from "Report".

Edit by Jeff G. 2005/07/17 20:33 EDT Reworked the first sentence of "Report" to remove "reporting".

Edit by Jeff G. 2005/07/18 14:18 EDT Reworked "Report" per Miss Betsy's suggestion, moving details to a new Topic.

Edit by Jeff G. 2005/07/18 20:58 EDT Added " that Reporters have the option of sending" near the end of "Report".

Posted
What do you think about the following change, it seems to make it clearer (at least to me) - change indicated in red

Report

A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" to a System Administrator, reporting a particular piece of a particular spam associated with that System Administrator's Network.

30307[/snapback]

How about the following?

Report

A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" in the "From" Header Line to a System or Network Administrator, reporting a particular piece of a particular spam associated with that System or Network Administrator's System or Network.

Comment (not part of the Entry): The reported item is generally an IP Address (source of spam) or spamvertized URL which resolves to an IP Address, either of which may be on a system which has its own administrator and nothing to do with the network it's on and the administrator of that network.

Posted

I especially like the changes you made to the first part.

What do you think if we simply delete that last part indicated with the strike through font?

Report

A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" in the "From" Header Line to a System or Network Administrator, reporting a particular piece of a particular spam associated with that System or Network Administrator's System or Network.

Posted
I especially like the changes you made to the first part.

30328[/snapback]

Thanks.
What do you think if we simply delete that last part indicated with the strike through font?

Report

A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" in the "From" Header Line to a System or Network Administrator, reporting a particular piece of a particular spam associated with that System or Network Administrator's System or Network.

30328[/snapback]

Sure, I guess it was a little repetitive.
Posted
A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service using the "Report Email Address" in the "From" Header Line to a System or Network Administrator, reporting a particular piece of a particular spam associated with that System or Network

Sorry to chime in so late. I don't like the use of "From" - people are sure to get that confused with the other "From" - the one that is forged.

My version:

A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service. The parser suggests a "Report email address" which is to the System or Network Administrator who is responsible for the IP address from which the spam has come. Reports may also go to special addresses arranged between SpamCop and Administrators or to 'devnull' which means that the email address for the Administrator is either bouncing or refusing SpamCop reports. Reports also are counted on the SpamCop Blocklist no matter where they go.

Miss Betsy

Posted
<snip>Reports also are counted on the SpamCop Blocklist no matter where they go.

Miss Betsy

30334[/snapback]

I do not believe that is a correct statement as reports are also sent to interested third parties. The BL is feed by the source IP address, not the email address that reports are sent to.

It may be that we are using the term "Report" two different ways

1) the individual reports (one or more) that are sent to varrious parties a

2) Report - the act of submitting a spam message for reporting

Posted
Sorry to chime in so late.

30334[/snapback]

The more, the merrier! :)
I don't like the use of "From" - people are sure to get that confused with the other "From" - the one that is forged.

30334[/snapback]

A From Header Line is a From Header Line - the difference is in how they are used. I'll work on refining it.
Posted
The more, the merrier! :)A From Header Line is a From Header Line - the difference is in how they are used.  I'll work on refining it.

30340[/snapback]

I know what you meant. I just don't think it is necessary to tell whoever needs to use a glossary item. 'IP address in the headers from which the spam comes' is all they need to know. There must be an explanation of headers and how spamcop finds the correct one somewhere.

A newbie knows the forged "From" and may not have read the header explanation yet. And you don't want to put 'how to read headers' in this glossary item.

There could be a cross reference to 'how to read headers' at the bottom.

Miss Betsy

Posted
I do not believe that is a correct statement as reports are also sent to interested third parties.  The BL is feed by the source IP address, not the email address that reports are sent to.

It may be that we are using the term "Report" two different ways

1) the individual reports (one or more) that are sent to varrious parties a

2) Report - the act of submitting a spam message for reporting

30337[/snapback]

Since I only read the last post (which is probably a good thing for editing purposes!), I assumed that it was talking about the 'primary' report to the source administrator since the 'report email' was singular and it mentioned the 'From' line.

If the purpose is to include /all/ reports, then it should read:

'A SpamCop Report is an email sent by a Reporter using the SpamCop Parsing and Reporting Service. The parser suggests a "Report email address" which is to the System or Network Administrator who is responsible for the IP address from which the spam has come. Reports may also go to special addresses arranged between SpamCop and Administrators or to 'devnull' which means that the email address for the Administrator is either bouncing or refusing SpamCop reports. Reports of this type also are counted on the SpamCop Blocklist no matter where they go. Additionally report email addresses to the people responsible for the websites that are advertising in the spam and to third parties interested in receiving reports for other reasons are also chosen by the parser and may be sent by the reporter. These emails are not added to the SpamCop blocklist.'

Again, because I haven't read the beginning of the thread, I don't know whether you all had started out to define

what an email report is (a - individual reports - in which case the different kinds of reports should be outlined as well as where they go including the blocklist)

the act of reporting (b - in which case, IMHO, 'A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service.' is all that is necessary in a glossary. Additional information should be in the 'How to use' instructions.)

Miss Betsy

Posted
Again, because I haven't read the beginning of the thread, I don't know whether you all had started out to define

what an email report is (a - individual reports - in which case the different kinds of reports should be outlined as well as where they go including the blocklist)

the act of reporting (b - in which case, IMHO, 'A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service.' is all that is necessary in a glossary.  Additional information should be in the 'How to use' instructions.)

30347[/snapback]

I believe I have addressed all of that, but 'How to use' seems like the wrong place for the additional information.
Posted
I believe I have addressed all of that, but 'How to use' seems like the wrong place for the additional information.

30359[/snapback]

I just saw the FAQ entry on 'Reports' which does cover all the different kinds of reports.

IMHO, the glossary entry should be 'A SpamCop Report is an email sent to various administrators as suggested by the SpamCop Parsing and Reporting Service.' see FAQ entry URL for description of the different kinds of reports that can be sent at the reporter's discretion.

When I suggested 'How to use' I was thinking of people who don't want to send reports to admins that look like the spamvertiser and people who don't want to report to Cyveillance and why people use the User defined reports.

Miss Betsy

Posted

Added "Report Types" to Glossary Index with hyper link to Separate topic.

Currently no plans to include Report Types definitions in the glossary tread itself.

The index link should suffice.

A special thanks to Jeff G. for all his work creating and editing the varrious "Report" entries.

Note: all entries have been added to the index.

Definitions will be merged into Glossary after editing activity comes to a close. In the mean time the index does actively point to the correct entries.

Edited to correct name "Jeff G."

Posted
...Please consider adding this to the FAQ (rewording encouraged):

spam Trap or Spamtrap

"Secret" e-mail addresses (they have never been used to send e-mail).  Any e-mail sent to a spam trap is presumed to be either:

  • a confirmation e-mail, if it appears to be a one-time confirmation e-mail

or

  • spam

The spam traps are set to recognize one-time confirmation e-mails and ignore them.  If it is judged to be spam, then SpamCop weighs it more heavily than it would a report by a user in deciding whether the source IP address should be placed on the SpamCop DNSBL.

29604[/snapback]

Email addresses embedded in websites that can only be seen by spammer 'spider' software that collects addresses. [actually I am not positive if this is correct - they could also include addresses at a domain that are easy to obtain using the dictionary technique]

These email addresses have never been used to send email nor have received legitimate email. Therefore, any email that comes to one of these email addresses is to an email address that has been collected illegitimately by a spammer. One exception is a confirmation email to a mistyped address. Confirmation emails can be identified and are ignored.

SpamCop spamtraps collect spam, misdirected bounces, out of office replies, viruses, and worms directed to the spamtrap email address. There is no report sent to an administrator, but a report is sent to the blocklist. A report from a spamtrap is weighted more in the blocklist algorithym for listing than reports from reporters.

Other people have spamtraps that they use for reporting spam or building personal blocklists. Some people refer to old email addresses that no longer receive any legitimate email as spamtraps; however, SpamCop, and other widely used blocklists, only employ never-been-used email addresses as spamtraps.

That's my understanding of spamtraps. Now let someone who knows, edit!

Miss Betsy

Posted

dbiel, you're welcome. FYI, I actually prefer "Jeff G." to "JeffG", but I didn't realize that the space was allowed when I created my original account here.

Miss Betsy,

Email addresses embedded in websites that can only be seen by spammer 'spider' software that collects addresses.  [actually I am not positive if this is correct - they could also include  addresses at a domain that are easy to obtain using the dictionary technique]

30389[/snapback]

Please don't be surprised if you don't get an official comment on the first sentence of that. :)
Posted

Suggested addition to the glossary

<a name="ReportHistory"></a>

Report History

SpamCop Report History is an exclusive feature of the SpamCop Parsing and Reporting Service for Paid Reporters (both fuel-based and SpamCop Email System Customers). It shows the history of SpamCop Reports for a particular IP Address or URL. If it is applicable (the Reporter is authorized to view Report History and there is a History of Reports), a "[Report History]" Link will appear in the Parser's output under either "host IP Address = RDNS of IP Address" or "Tracking link: URL", as appropriate. The Report History shows the following for each Report of a spam that implicated that particular IP Address or URL: Date/Time Submitted (grouped by spam); the Subject of the spam (in italics, grouped by spam); Report ID; "( IP Address )" or "( URL )" or "( )" or "( Forwarded spam )"; "To:", and the Email Address of the Report's Recipient (which may include devnull if the intended Recipient's Email Address bounces or refuses Reports, or may be "mole[at]devnull.spamcop.net" for a Mole Report (which is not actually sent)). A typical Report History can be found here. "No recent reports, no history available" will be displayed as appropriate, meaning that no issueid has been assigned to that IP Address or URL. "Cannot find spam reports for issueid = issueid" indicates a database error, in that the IP Address or URL has been assigned an issueid, but there are no Reports matching that issueid.

Edit: 2005/07/20 14:30 Jeff G. Added some errors.

Edit: 2005/07/21 18:07 Jeff G. Modified the applicability restriction language per Jank1887's experience..

Posted
(or is it only for SpamCop Email System Customers?)

30457[/snapback]

Nope. I'm just a paid reporting Customer (i.e., added fuel) and now that I know where to look for the Report History link, I can see them.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...