Jump to content

Idea to improve the effectiveness of spamcop


donsimon

Recommended Posts

I work for one of the largest domain registrars, and one of the things that would help us shut down spammers spamcop could help us with. Currently, if I wanted to see a list of sites that were currently spamming, I could go to http://www.spamcop.net/w3m?action=inprogress;type=www then parse each URL and then do a WHOIS on each domain listed. From there I could then find out which ones were registered with us and then shut them down and stop the spammers right then.

But right now this is not something that is very easy to do because of how the system is setup. Not all domain registrars shutdown their registrants domains for spamming, but some do. As long as they know about the spamming to begin with. Spamcop does not make this easy for registrars to find this data easily.

Since you already have the domain that was referenced in the spam, why not parse it and then do a WHOIS on the domain and grab the registrar and then allow each registrar to grab the list of domains that have spammed and do whatever they want with them. Shutdown the sites, beat their customers, or just sit and do nothing.

Just an idea from a registrar with over a million domains and would definitely be happy to shut sites down if it would cut down on the spam.

Donny

Link to comment
Share on other sites

Just as an example, I was going through the list and was checking the WHOIS on different domains and ran across freshfacedcutegirl.biz, which noticed that it was registered with us. I went in saw that it had been submitted a few times. I checked our internal mail archiver which receives about a million emails a week and we had about 20 spams from the domain. And as of this minute the domain is now shutdown. It's been put on registrar-hold which means the domain does not resolve anymore.

It may take .biz about 15 minutes to remove it from the root, but in essense the domain no longer exists.

Donny

Link to comment
Share on other sites

First of all, interesting reading that a Registrar does have the power, capability, and (assumedly) the TOS/AUP to do this. To be honest, this is something that would need to at least start with an explanation sent to Deputies <at> admin.spamcop.net .... convince one or more of them, and it'll get to Julian pretty quick.

However, a couple of things to note. Whacking on Domains isn't really in the past / current charter. That statustics page is being scraped and used by a number of other BL providers, but that wasn't the intended purpose of that page. For instance, there is no judgment call there on just what that web-page was all about, just that it was reported. The downside is that there could be some other reasons for a URL to show up ... A number of other Topics that discuss this very thing exist, but here's a very recent one; http://forum.spamcop.net/forums/index.php?showtopic=2928

What I'm keying on is your phrase "we had about 20 spams from the domain" .... You saw the e-mail, so it's probably wrong to disect this, but ... it's pretty rare these days that a Domain owner would actually spam from his/her own domain. The assumption has to be that the spams included a link to the site (making it a spamvertised site in the language in these parts) ... In this case, it's a pretty good guess that the subject material was a bit off color, etc., but you didn't make note that you took a look at the site before nailing the data records.

So now combining spammer methodolgies, possible SpamCop parser problems with either the submittal or analysis of a spam, and the unfortunate case of a bad reporter, there is that question of whther or not the spamvertised site was in fact a "bad" place and deserves this "kill" mode reaction. I've no doubt that this will be the first stumbling block on getting the Deputies / Julian to go along with this plan. And of course, in that e-mail to them, you'll surely need to add a bit more detail on just who all is concerned ... the level of agreement there wouldn't hurt either. For instance, I'm suspecting that a Tier 1 staffer at Network Solutions / Verisign wouldn't get too many folks excited "here" ... ??? (no insult intended, just in case <g>)

Link to comment
Share on other sites

The only registrar that I know of that does anything about spam is godaddy - however, if other registrars are going to join in, then adding the registrar to the list of report recipients sounds like a good idea to me. Receiving a report means that the registrar still has to check out that the site actually is being spamvertized (all of Wazoo's caveats), but at least they would be getting a heads up. The fact that many registrars do not want to take the trouble and hide behind 'policy' is no different than sending reports to unresponsive admins.

Miss Betsy

Link to comment
Share on other sites

Donny, I have seen what you have said in NANAE about terminating accounts. Maybe as a gesture of good faith you would be willing to setup an email address where people could send a fact filled email with proof of a domain registered with InterCosmos.

I believe you hate spam as much as all of us and I applaud your efforts. Like I stated above I personally would like a contact address and I will send you all info available. I have not come accross much spam where you were the registrar and I believe this might be the reason why but when I do it would be nice to have a place to send it where I know action will be taken ir at least looked at.

Maybe Spamcop could even start another discussion group here called InterCosmos and people could post the info here.

Good Luck

Link to comment
Share on other sites

Miss Betsy - Actually the only registrar that comes out and says you spam we shut you down, is godaddy. Many registrars shut spammers down, they just don't really let it be known. In our case, if I get a spam complaint I check our local system which archives email for about 200,000 domains a day and all of them have a wildcard email record. So it gets a few emails every day. If the domain that was in the original complaint shows up once, I'll give them the benefit of the doubt. Twice and they are normally gone. If I can't find anything about them I look in the NANAE to see if I can find anything. If I can they are gone. If not, I consider the original complaint almost spam itself and just put it in the spam complaint folder.

I hate spam as much as anybody here, I've been a spamcop member for 4 or 5 years now. I have 3 spam filtering systems on my work email, SpamAssassin, Outlook 2003 junk filter, and SpamBayes. Now the funny thing is Outlook gets about 95% of the spam, which is amazing. But that's another story. And with all of those filters, I get about 5,000 emails in my spam folder a day, just at work. Then probably about the same at home. So anything I can do to stop them, I will.

Not to bash Spamcop, but about a year ago they stopped allowing people like us who have our IP blocks in another companies name from receiving spamcop reports. So now they go to our IP block owner, and sometimes they aren't the best at getting them to us, but that's another story.

If you need to send anything about spam just send it to my email address, donny<at>intercosmos.com . I'm bad about checking newsgroups and forums. I normally only check them when somebody brings it to my attention.

Donny

Link to comment
Share on other sites

Not to bash Spamcop, but about a year ago they stopped allowing people like us who have our IP blocks in another companies name from receiving spamcop reports.  So now they go to our IP block owner, and sometimes they aren't the best at getting them to us, but that's another story.

Not sure I can totally agree, thinking that there must be something more to the story that addresses your perceived change. (but then again, the discussion point here seems to be more about spamvertised web sites vice an actual IP address of the spew source ..??) For instance, the FAQ entry http://www.spamcop.net/fom-serve/cache/94.html still exists. The third-party thing hasn't worked for a lot of people, again, spammers abusing this and tainting that well, so a lot of reporters won't touch those boxes. I'm not sure that John over at abuse.net does a third-party notify, so that's probably not an option. And now wondering at the connection of a Registrar and hosting and a complaint about dealing with a Domain / web-page issue. Gads, what a time-sucker!

Link to comment
Share on other sites

Not sure I can totally agree, thinking that there must be something more to the story that addresses your perceived change.  (but then again, the discussion point here seems to be more about spamvertised web sites vice an actual IP address of the spew source ..??)  For instance, the FAQ entry http://www.spamcop.net/fom-serve/cache/94.html still exists.  The third-party thing hasn't worked for a lot of people, again, spammers abusing this and tainting that well, so a lot of reporters won't touch those boxes.  I'm not sure that John over at abuse.net does a third-party notify, so that's probably not an option.  And now wondering at the connection of a Registrar and hosting and a complaint about dealing with a Domain / web-page issue.  Gads, what a time-sucker!

19301[/snapback]

Let me address a couple of points ...

1) We have tried some code in the past to notify registrars for spamvertized urls and had some problems with the code slowing down the system too much and also complaints from some registrars about getting reports. The code has been yanked out which is not to say that it might not reappear at some point.

2) regarding 3rd party notifies -- people can no longer add themselves willy nilly. It now requires an email to us and we do an investigation. Some requests are granted and some aren't. We are behind in answering these requests as they take time to investigate and they always, when denied, lead to a long series of emails. In some cases we defer the request.

If the request comes from someone who doesn't sign their name or indicate with a reasonable degree of specificity who they are, who the company is, what their relationship is to the company and what and why they are sending mail it tends to get ignored. Very honestly we are handling huge increases in mail volume and we don't have time to play email tag. We also tend to drop a conversation if we ask questions and they get ignored. Sorry if that sounds impolite but the work load being what it is, we need to allocate the time to people who don't appear to be gaming us. Do *not* in any way take this last paragraph to imply anything at all about Donny or intercosmos -- it was just a general statement of the the world as it is today :-)

I do see an email exchange with Donny from Nov 17, 2003 in my archive which had nothing to do with a request for 3rd party reports. I don't see any other correspondence. That is not to say that there wasn't correspondence on the subject with Richard or Don. This is also not to say that Donny didn't write to us and the mail got lost or misplaced -- it happens sometimes and we hate when it does but being realistic email doesn't always arrive.

Certainly if Donny wants to make a request for 3rd party reports for some IP block we would consider it as we consider any such request.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...