If mails go this way... then...?


ccton

If someone sent a mail like this:

[ Header ]

Received: from localhost (Not Verified[61.157.212.166]) by
    lpwebserver.landpower.local with NetIQ MailMarshal (v6,0,3,8)
    id ; Mon, 25 Oct 2004 19:07:50 +1300
Received: from MOBILE ([61.157.212.166]) by localhost with Microsoft
    SMTPSVC(6.0.2600.2180);
    Mon, 25 Oct 2004 14:07:22 +0800
Date: Mon, 25 Oct 2004 14:07:22 +0800
Subject: TO: Landpower Taranaki Ltd
To: xxx[at]reciever.com
MIME-Version: 1.0
Content-type: text/html; charset=iso-8859-1
From: Support Team<support[at]mysite.com>
Return-Path: support[at]mysite.com
Message-ID:
X-OriginalArrivalTime: 25 Oct 2004 06:07:22.0936 (UTC)
    FILETIME=[E4A89B80:01C4BA58]

Note the body part was talking about mysite and links to mysite.

I am not surprised by the spam reporting to SpamCop - if it were me I may report as well. I am surprised that SpamCop forwarded this report along with a warning to mysite's ISP; the alert is based on the From field and Return-Path and the mail body - ignoring the RECEIVED IP which obviously does not stand with mysite's domain or IP. My ISP said if they kept receiving alerts then my account will be closed.

Well it seems there is a quite easy way to damage a site by sending fake source mails.

Surprised & Confused,

ccton

Link to comment
Share on other sites

You make it very hard to try to verify your claims. I tried to "play" with your sample just so I could show you that you are wrong, but your sample is pretty bad. At any rate, here's the Tracking URL on what I ran through the parser. http://www.spamcop.net/sc?id=z686203879z87...d84d7e62792228z

You'll see no mention of "mysite.com" in that report, noting that the parser doesn't look at the From: line in the header. If "mysite" was included in a report, it was either due to being a spamvertised site (included in the body as you state but don't show) or there's something that the reporter did, for some reason including it as an additional report. There's no way to see with what you've provided.

Link to comment
Share on other sites

Thanks for the quick response.

I guess it falls into 'a spamvertised site', is this the reason my ISP warned me? And what should I do?

About 3 days before I've even received several mails from my own address to itself too, and those mails contained virus, of course the source IPs were out of my site.

Any idea?

Link to comment
Share on other sites

ccton PM'd me with another "copy" of some of the report. However, it was also edited so much that data needed wasn't there. The report number was included, so the best I can offer is to kick this over to the Deputies so they can look it up that way and then offer feedback on what they see.

Data offered in the PM was strictly dealing with a spamvertised site. Best I can make out is some kind of a search site, too many cookies, frames, and such that my configuration won't let fly. So without a Tracking URL (or in this case an ISP/action URL) I can't tell anything about the construction of the spam involved. Hopefully, one of the Deputies will be up in a few hours, though no clue as their backlog.

Link to comment
Share on other sites

OK, you got me there. I was expecting the Tracking URL to be right at the top of that data .. not buried in the Spamvertised links .. apologies ..(now If I could kill that last e-mail <g>) ....

I have to tell you, this situation does have its humorous side. That you were reported by what appears to be someone on the chinanet backbone is actually pretty amazing, considering the spew that comes from that direction.

Anyway, you have now got yourself in the middle of a bad situation. I think the best thing I can offer is to kick you to the FAQ and look for the stuff found under the heading "Am I running mailing lists responsibly?" for starters (I know it's not a mailing list, but the information and principles are the same) .... From the gist of the "welcoming" letter "you" have sent out, "you" are probably going to be receiving a large number of these complaints. Though the intent is nice, spammers have ruined the scenario of this type of invitational e-mail.

A specific issue in this complaint that I can't jump on is the address that this e-mail was actually sent to. This is an issue I just talked about over in http://forum.spamcop.net/forums/index.php?...indpost&p=19200 .... for instance, there might be 20 people at the complaining outfit that would just kill to get listed, but you chose the address of some accountant that's in the middle of a bad day, his InBox overflowing with 4,000 Viagra ads ....???

Link to comment
Share on other sites

Dear Wazoo,

I am not saying whether this kind of mail is spam or not, I am trying to figure out one simple thing:

Can anyone damage your site in this way?

Say, if Mr. Tom has a site and Mr. Jerry does not like this. So Jerry gets a careful look at Tom's site, and then makes a letter as ads for Tom's site and sends it to a million people using a fake source - under Tom's name (since Jerry could not send the mails from Tom's ip, all mails remain the only difference) for Tom. This is expecting complaints and then, Tom's site gets load of complaints and gets closed finally - especially Tom's site is located on a shared server.

I don't believe any end-user would trace the source-ip of a mail before he reports a spam mail.

This situation seems not very well.

Link to comment
Share on other sites

> Dear Wazoo,
>
> I am not saying whether this kind of mail is spam or not, I am trying to figure out one simple thing:
>
> Can anyone damage your site in this way?
>
> Say, if Mr. Tom has a site and Mr. Jerry does not like this. So Jerry gets a careful look at Tom's site, and then makes a letter as ads for Tom's site and sends it to a million people using a fake source - under Tom's name (since Jerry could not send the mails from Tom's ip, all mails remain the only difference) for Tom. This is expecting complaints and then, Tom's site gets load of complaints and gets closed finally - especially Tom's site is located on a shared server.
>
> I don't believe any end-user would trace the source-ip of a mail before he reports a spam mail.
>
> This situation seems not very well.

This is a well-known and understood situation. Google on 'Joe-job'

Link to comment
Share on other sites

> Can anyone damage your site in this way?
>
> ...
>
> I don't believe any end-user would trace the source-ip of a mail before he reports a spam mail.
>
> This situation seems not very well.

The reports from spamcop for a spamvertized website are intended to only be informational and the ISP should be investigating to see whether the site is involved or not. Unfortunately, some hosts either misunderstand this or don't bother to investigate and shut down the site on the first (or second or tenth...) report received from spamcop.

Any ISP receiving a report from an end user that does not know to look at the headers of the message to determine the real source, should be avoided at ALL costs. The spamcop parser does that tracing for the end-user so spamcop reports (for source) tend to be trusted by the ISPs if they are interested in acting.

Link to comment
Share on other sites
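The header tracing discussed in the posts above, applied to the header from the first post. This is an added example, not part of the original thread and not SpamCop's parser; the trust list and the function names are assumptions made for illustration.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Header from the first post, with "[at]" written as "@" (constructed sample).
SAMPLE = """\
Received: from localhost (Not Verified[61.157.212.166]) by
 lpwebserver.landpower.local with NetIQ MailMarshal (v6,0,3,8)
 id ; Mon, 25 Oct 2004 19:07:50 +1300
Received: from MOBILE ([61.157.212.166]) by localhost with Microsoft
 SMTPSVC(6.0.2600.2180);
 Mon, 25 Oct 2004 14:07:22 +0800
Subject: TO: Landpower Taranaki Ltd
From: Support Team<support@mysite.com>
Return-Path: support@mysite.com

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)", re.I)

def parse_received(value):
    """Return the connecting IP and the stamping host of one Received header."""
    flat = " ".join(value.split())                 # undo header folding
    ip = IP_RE.search(flat.split(" by ", 1)[0])    # IP in the "from" clause only
    by = BY_RE.search(flat)
    return {"ip": ip.group(1) if ip else None,
            "by": by.group(1).lower() if by else None}

def trace_source(raw, trusted_hosts, trusted_ips=()):
    """Find the IP that handed the mail to a server the recipient controls."""
    msg = HeaderParser().parsestr(raw)
    source = None
    for hop in map(parse_received, msg.get_all("Received", [])):  # newest first
        if hop["by"] not in trusted_hosts:
            break                    # stamped by an unknown server: unverifiable
        source = hop["ip"]
        if source not in trusted_ips:
            break                    # outside machine; older headers are its claims
    # From and Return-Path are sender-supplied text, reported but never trusted.
    claimed = {parseaddr(msg.get(h, ""))[1].rpartition("@")[2].lower()
               for h in ("From", "Return-Path")}
    return {"source_ip": source, "claimed_domains": sorted(claimed - {""})}

if __name__ == "__main__":
    # Hypothetical trust list: the reporter's own mail gateway.
    print(trace_source(SAMPLE, {"lpwebserver.landpower.local"}))
```

The source report goes to whoever operates `source_ip`; the claimed domains are only what the sender typed, which is why a forged From line alone does not identify the origin.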

> Any ISP receiving a report from an end user that does not know to look at the headers of the message to determine the real source, should be avoided at ALL costs. The spamcop parser does that tracing for the end-user so spamcop reports (for source) tend to be trusted by the ISPs if they are interested in acting.

Hmzzz this sounds pretty odd to me.

Basically I can wipe out all my competitors this way, and thanks to spam cop I could become millionaire and spamcop will get involved into legal s*** for misleading information right? Cause the thing is, that you guys don't even know what an ISP will look for. So several companies closing the door and file a lawsuit against spamcop. nice....

NOT!

And be honest here for a moment, Fact is that not all ISPs will examine every mail you guys send over to them, they will simply close accounts. It is too costly to check all emails spamcop sends.

Second thing is that most of those emails come from china or that sort of countries so over here people report 24/7 while everybody knows it doesn't help any s***. I personally didn't report anything for several facts.

spam is not allowed, but you can't stop that s*** anyway, the more you report the more spam will come. check the stats between 2002, 2003 and right now in 2004! It gets only worse by the day. Like wasting the time to even report it.

then there is a new law called CAN-spam, what makes spam legal so you guys can't fight against it neither. I really see a day coming that you guys blacklist a CAN-spam and get sued for that.

I really hate spam, but thank god I got a Delete button what saves me a lot of time instead of reporting all those spams. I think, at least I won't fight against spam, it's like a dead end anyway. Waste of my time, in 5 seconds all the spam is gone from my inbox.

Link to comment
Share on other sites

> The reports from spamcop for a spamvertized website are intended to only be informational and the ISP should be investigating to see whether the site is involved or not. Unfortunately, some hosts either misunderstand this or don't bother to investigate and shut down the site on the first (or second or tenth...) report received from spamcop.
>
> Any ISP receiving a report from an end user that does not know to look at the headers of the message to determine the real source, should be avoided at ALL costs. The spamcop parser does that tracing for the end-user so spamcop reports (for source) tend to be trusted by the ISPs if they are interested in acting.

oops...

sigh...

Hope my ISP will be reasonable.

Link to comment
Share on other sites

> then there is a new law called CAN-spam, what makes spam legal so you guys can't fight against it neither. I really see a day coming that you guys blacklist a CAN-spam and get sued for that.

Feeding the trolls... I know it, but I'm in a bad mood and need to let off some steam...

There is the (I) CAN spam act, yes. But it does not control my mailserver, nor anyone's at all. Email is not a public utility! If we block with SpamCop, then it's our users that we have to answer to, not some idiots in the government that barely know how to spell 'computer', much less know how to run one. If SpamCop provides a block list of known spamming sites, that too is legal (a case has already been tried). I'll continue to use SpamCop, my users will be happy, and the several thousands of spams I block each day will not darken my network. The only time the users complain is when the spam count goes up, not when it goes down. The government can take the CAN-spam act and cram it where the sun does not shine. My mailserver, my rules.

Sometimes the good guy wins! Not often enough, but sometimes...

...Ken

Link to comment
Share on other sites

I personally think our mail programs like Outlook should provide a plug-in function which allows the end-user to compare the source IP and the sender's email domain automatically; if there's no match in the 'received from' circle, the mail should be dropped without download.

That is, in my opinion, the right way to avoid problems.

Link to comment
Share on other sites

> The reports from spamcop for a spamvertized website are intended to only be informational and the ISP should be investigating to see whether the site is involved or not. Unfortunately, some hosts either misunderstand this or don't bother to investigate and shut down the site on the first (or second or tenth...) report received from spamcop.

And I also believe that if the ISPs do not intend to have this investigation, SpamCop should stop sending alerts to the ISPs. Obviously SpamCop can parse the header and then knows which one could be spam & which could not be.

Link to comment
Share on other sites

> The reports from spamcop for a spamvertized website are intended to only be informational and the ISP should be investigating to see whether the site is involved or not. Unfortunately, some hosts either misunderstand this or don't bother to investigate and shut down the site on the first (or second or tenth...) report received from spamcop.

> And I also believe that if the ISPs do not intend to have this investigation, SpamCop should stop sending alerts to the ISPs.

...Gee, silly me, I've been using SpamCop for spam reporting for a year or so and I thought this is what happens (if the ISP so informs SpamCop)!

> Obviously SpamCop can parse the header and then knows which one could be spam & which could not be.

...Gee, silly me, I've been using SpamCop for spam reporting for a year or so and I thought this is exactly what the SpamCop parser does! Except that this has nothing to do with reporting spamvertized web sites. :unsure: <?>
Link to comment
Share on other sites

> And I also believe that if the ISPs do not intend to have this investigation, SpamCop should stop sending alerts to the ISPs. Obviously SpamCop can parse the header and then knows which one could be spam & which could not be.

Ummm, not really ... this goes back to that the SpamCop tool is just a tool. It's how that tool gets used that's at issue, and this goes back to the fact that it's the reporter that is supposed to be making decisions like this. Bad reporting has consequences.

Something that has for some reason been overlooked or just not brought up, a report to an ISP includes a number of options that the ISP can take in regards to the specific item. In the case of a spamvertised web site, one option is to flag that site as an Innocent Bystander. This turns off the flow of similar complaints. To counter that option by a spam-supporting ISP, a paid reporter, upon receiving the spew later on, will also have the option to challenge this setting. Research done (hopefully by the paid-reporter before clicking on the challenge button) can result in that IB flag being removed and complaints start flowing again. Noting that any and all of this stuff does require someone spending some time actually looking at stuff ....

Link to comment
Share on other sites
