Jump to content

SpamCop abuse (to ISP) posted on public website

DavidT

By DavidT,
in SpamCop Reporting Help

Recommended Posts

DavidT Been There

DavidT

Posted
Posted

I've just discovered that all of the reports that SpamCop sends regarding abuse from the largest provider in Italy are being published to the Web in archives that are indexed by the search engines. This means that if you are using the "Leave spam copies intact" option in your reporting preferences, and you happen to report something coming from their IP space, an unmunged copy (including your email address) will not only be sent to the abuse addresses, but will then also be archived on the Web at:

http://listserv.nic.it/listserv/abuse.html

Unfortunately, they have not protected the site against Web spiders, and so all of the details of SpamCop reports sent to them are now in Google (and other engines). I discovered this by searching for one of my addresses (and I generally try to minimize exposure of my email addresses on websites) and found one of the reports I submitted recently on a Nigerian 419 scam...hoping that they would cancel the source email account.

When something from the SMTP servers (perhaps originating from their webmail system, according to my analysis) of the Italian ISP "tin.it" gets reported, it goes to:

Reporting addresses:

abuse[at]tin.it

postmaster[at]tin.it

abuse[at]na.nic.it

e.berti[at]tin.it

The one that is producing the archives is the one at "na.nic.it" and so I will send an urgent message to the Deputies suggesting that no more abuse reports get sent to that address. In their archive, I found reports regarding the same 419 from the same email address a week later, so they didn't even take action, and yet the source IP isn't in the SpamCop DNSBL (despite plenty of current reporting "History" found when parsing the IP)...perhaps because it's not part of the dynamic IP space of individual users, but appear to involve their SMTP servers and perhaps their webmail system.

I was using the "Leave spam copies intact" option and only reporting the most agregious items (such as 419 scams) in hopes that ISPs would take the reports more seriously and take action, but not to have them archived for address-harvesting spiders to pick them up. I've stopped using that option.

DT

Link to comment
Share on other sites
DavidT Been There

DavidT

Posted
  • Author
Posted
Ellen told me Tue, 9 Nov 2004 at 15:12:16 -0500 that she devnulled the reports to nic.it.

She didn't dev/null the correct address, because it you look here,

http://listserv.nic.it/cgi-bin/wa?A1=ind0411b&L=abuse#691

you'll see plenty of SpamCop reports continuing to be sent, even today. The problem is, she didn't "dev/null" the address that's going straight to the online archives, which is:

abuse[at]na.nic.it

If you put certain "tin.it" IPs into the parser (specifically ones in the range 212.216.176.*), you'll see that:

Reporting addresses:

abuse[at]tin.it

postmaster[at]tin.it

abuse[at]na.nic.it

e.berti[at]tin.it

are all being sent reports. The "na.nic.it" address is the problem. Does anyone know how to "page" Ellen? I've sent an urgent message to the "deputies" address but haven't received a response.

DT

Link to comment
Share on other sites
Wazoo What Life?

Wazoo

Posted
Posted

Deputies address is good ... it also means that there are more eyes to see in addition to Ellen's. On the other hand, that e-mail box does have a tendency to get overloaded at times <g> I don't know all the background on this ISP, but perhaps there's some research going on in trying to track down the range of IPs it controls .. going with that Ellen handled "this set" of IPs, but these recent reports are coming from yet "another set" of IPs ...??? just a guess at a possibility right now ... headed out again ...

Link to comment
Share on other sites
Tim P Member

Tim P

Posted
Posted
Deputies address is good ... it also means that there are more eyes to see in addition to Ellen's.  On the other hand, that e-mail box does have a tendency to get overloaded at times <g>  I don't know all the background on this ISP, but perhaps there's some research going on in trying to track down the range of IPs it controls .. going with that Ellen handled "this set" of IPs, but these recent reports are coming from yet "another set" of IPs ...??? just a guess at a possibility right now ... headed out again ...

20065[/snapback]

Judging from the recent crap(spam) Ive been getting from past reports that had been sent to abuse[at]nic.it....

the spammers have been using the reporting # and sending back more spam through those report #s.

Duh :huh:

For those other than the recipients....

Turn those addresses into spamtraps, I say :D

Link to comment
Share on other sites
Ellen Advanced Member

Ellen

Posted
Posted
Ellen told me Tue, 9 Nov 2004 at 15:12:16 -0500 that she devnulled the reports to nic.it.

20048[/snapback]

Yes we devnulled nic.it but missed the other address -- I devnulled that today -- or maybe it was yesterday. I apologize for missing that.

Link to comment
Share on other sites
mrmaxx Advanced Member

mrmaxx

Posted
Posted
Yes we devnulled nic.it but missed the other address -- I devnulled that today -- or maybe it was yesterday. I apologize for missing that.

20127[/snapback]

Awww...Ellen, you're only human... You're entitled to make one or two mistakes per week. Guess you used one last week. ;-) Keep up the good work!

Link to comment
Share on other sites
Wazoo What Life?

Wazoo

Posted
Posted
still addresses available at http://listserv.nic.it/listserv/abuse.html

I gave up looking ... are you talking about additional reports since the date Ellen said she turned it all off? Are you expecting that someone "here" would have the "powers" needed to have those folks remove what's already there?

If you've got some specific items that you're trying point at, how about actually providing some pointers?

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...