
Need to stop Virused email



I'm receiving 300+ virused emails a day from one addressee who, of course, doesn't exist. My current email address has received approximately 3000+ emails from somebody using this email address.

RoadRunner is marking them as virused:

"This e-mail in its original form contained one or more attached files that were infected with a virus or worm, or contained another type of security threat." ... blah, blah, blah.

Anyway, I try to report them using SpamCop and I'm told no reports will go out because SpamCop doesn't do virused email.

Any suggestions on how to fight this at the source? I'm using MailWasher and they're "blacklisted" and Thunderbird is marking them as junk.

But they're still filling up my email client and server accounts and have to be constantly deleted.

Thanks for any suggestions.


I'm a bit curious over some of your write-up. You start by talking of virus'd e-mail, but then state that you tried to use SpamCop to report them. So this begins with the hint that you did not take the time to go through and read the FAQ on how to use, what and when to use, and when not to use the parsing and reporting tools.

Then you talk about the e-mails coming from the "same e-mail address" .. which again, it shouldn't take too long to find out that the SpamCop parsing and Reporting tools don't even look at the "From:" lines in submitted spam, as it's pretty much assumed that the address there is forged or useless. The only real bit of data that can be traced is the tracing of the source of the spam e-mail via the handling lines in the header, basically identified by the IP addresses of the involved systems .. and for whatever reason this bit of data is completely missing from your write-up.

Bottom line: quit looking at the "e-mail address of the Sender" and actually look at the header data to see where the spam/virus is actually coming from. Then go after that target.

Topic moved to the Lounge, as there doesn't appear to be an actual Reporting problem involved.


It is possible to use the spamcop parser to find the proper abuse address and then cancel the report and notify the abuse desk yourself. It works for me.

OTOH, you have a server and that's a different problem. IMHO, you should learn more about how to be a responsible server operator. Somewhere recently there was a post by a sysadmin describing how he controls spam and viruses. People may help you to understand how to operate your server. It is really dangerous not to know - like driving a car without instruction. Lots of things can go wrong.

Miss Betsy


Thanks for the assistance.


I'm trying to stop spam emails that happen to be virused. I'm a new user of SpamCop. I did look at the FAQs and I'm aware that SpamCop isn't used for viruses.

If I wrote up my post incorrectly, I'm sorry.

I was just trying to say that I didn't see the actual advanced addressing information (which address doesn't exist, etc.) that I usually see when I submit a spam report.

I only saw 2 addresses [at] spamcop which apparently gather statistics.

I DO know that the from addresses are usually spoofed. My wife's email address from her charity website was used by pondscum that used it as the "from" address for borderline kiddy-prOn. We got an amazing amount of legitimately outraged response from recipients. All I could say was, "Sorry, it wasn't us and our PCs have been checked and we're clean." Most of the addressing had been cleaned up by their email packages or the bounce process of their ISPs.

I was merely attempting to get some assistance on trying to generate the listing that gives the real spammer's addressing and host.

Miss Betsy, the server space I was referring to was the garbage filling up my mailbox on RoadRunner's servers, possibly causing other legitimate email to be bounced if the mailbox filled up without me downloading it. I appreciate your comments.


The procedure for infected messages is this:

1. Reveal the headers on one of the infected messages.

2. Using the SpamCop reporting system, parse the message headers, putting "no body" where the body and infected attachments would be.

3. Don't "Submit" but before you "Cancel" simply note the abuse reporting address of the IP source of the infected message and send them the headers of the infected message using your email software.

4. Then "Cancel" the SpamCop report, because reporting infected messages is a violation of policies.

If you find that many (or all) of the messages are from the same IP address (this is often the case...it's probably a cable modem or DSL user), then send reports every day to the ISP responsible for the IP address. You might also Google the IP to see if that user has posted in any venues where IPs are recorded (some forums do that). I've been able to track down the offending users myself that way.

These are probably NOT spam...so it's not useful to refer to them that way. Unless perhaps they are the types of infections that are designed to turn your computer into a "zombie" that would then spew spam...then you might refer to them as spam, I suppose.

I've reported hundreds and hundreds of incidents like this over the last four or five years, and in almost every case, the source ISP has eventually shut down the infected user until they clean up their act.


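The tracing the replies above describe (ignore the forged "From:", read the Received: lines, pull out the IP that actually handed the message to your provider, then send the headers alone to that network's abuse desk) as an added Python example. This is not SpamCop's code or anything a poster wrote; it assumes your provider's mail servers live under example.net, and the sample message, with RFC 5737 documentation addresses, is constructed for the demo.

```python
"""Find the real source of an infected message from its Received: headers.

Added example, not SpamCop's parser. Assumes the recipient's provider is
example.net and that only headers written by example.net servers are trusted.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample, as it might sit in the mailbox after the provider
# stripped the attachment. The From: line is forged and is never consulted.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
        by pop.example.net with ESMTP id abc123
        for <victim@example.net>; Mon, 1 Mar 2004 10:00:03 -0500
Received: from relay.example.org (relay.example.org [198.51.100.5])
        by mx.example.net with ESMTP id def456; Mon, 1 Mar 2004 10:00:01 -0500
Received: from user-pc (cpe-203-0-113-77.example.com [203.0.113.77])
        by relay.example.org with SMTP id ghi789; Mon, 1 Mar 2004 09:59:58 -0500
From: "Mail Delivery" <nonexistent@example.com>
To: victim@example.net
Subject: Your document
Message-ID: <constructed-1@example.com>

This e-mail in its original form contained an attachment that was removed.
"""

# Addresses that never identify an outside sender: loopback and RFC 1918/4193.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]

# "from <helo> (<rdns> [<ip>]) by <host> ..." is the common Received: shape.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
INFO_RE = re.compile(r"^\s*(?P<rdns>[^\s\[]+)?\s*\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]")


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def in_domain(host, suffix):
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)


def received_chain(raw):
    """Return the hops in transit order (earliest hop first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))   # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:                                # e.g. local delivery, no "from"
            continue
        info = INFO_RE.search(m.group("info") or "")
        hops.append({"helo": m.group("helo"),
                     "rdns": info.group("rdns") if info else None,
                     "ip": info.group("ip") if info else None,
                     "by": m.group("by")})
    hops.reverse()   # each server prepends its line, so the top line is newest
    return hops


def trace_source(raw, trusted_suffix):
    """Separate what your provider actually saw from what earlier hops claim.

    'verified' is the first outside IP recorded by a trusted server: that TCP
    connection really happened and is what goes to the abuse desk. 'claimed'
    is the earliest outside IP in the chain; any line below the trusted ones
    could have been forged by the sender, so treat it as a lead, not proof.
    """
    hops = received_chain(raw)
    verified = None
    for hop in reversed(hops):                   # newest hop first
        if not in_domain(hop["by"], trusted_suffix):
            break                                # nothing below here is trusted
        if hop["ip"] and not is_internal(hop["ip"]) \
                and not in_domain(hop["rdns"], trusted_suffix):
            verified = hop["ip"]                 # handoff from outside the provider
            break
    claimed = next((h["ip"] for h in hops
                    if h["ip"] and not is_internal(h["ip"])), None)
    return {"verified": verified, "claimed": claimed}


def headers_only(raw):
    """The 'no body' form to send to the abuse desk: headers and nothing else."""
    head, _sep, _body = raw.partition("\n\n")
    return head + "\n"


if __name__ == "__main__":
    for hop in received_chain(SAMPLE):
        print(hop)
    print(trace_source(SAMPLE, "example.net"))
    print(headers_only(SAMPLE))
```

Run it as-is and the sample resolves to a verified handoff from 198.51.100.5 (the relay that connected to mx.example.net) and a claimed origin of 203.0.113.77 (the cable-modem style host at the bottom of the chain). Whois on the verified IP gives the abuse contact; the claimed one is worth reporting too, but only the provider-recorded hop is evidence the receiving network cannot dispute.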

Thanks, David.

Sorry about the wording confusion. I had always considered spam to be unsolicited mail which this certainly is.

In this case, I never got to see the contents of the email and especially not the virus attachment, as RoadRunner was helping me by cleaning up and deleting the offending content.

The "no body" part should do the trick.

case closed (at least until I get home and get to try it!) :)


Thanks, David.

Sorry about the wording confusion. I had always considered spam to be unsolicited mail which this certainly is.


I feel the same way -- mail sent by mass-mailing malware is, IMHO, spam.

spamcop doesn't. i don't understand why -- seems to me to be a relic of a kinder, gentler era when spammers weren't using virus-infested zombie armies to spread their spew. :angry:


spamcop doesn't. i don't understand why -- seems to me to be a relic of a kinder, gentler era when spammers weren't using virus-infested zombie armies to spread their spew

Since I don't have anything to do with the actual running of servers, I may not have this right, but IIUC, ISPs asked spamcop not to report viruses through spamcop. And I think the reason is that ISPs handle the situations differently. In one case the spammer is violating contractual obligations and in the other, someone has a 'broken' computer so to speak.

I also think that the algorithm for any blocklist would have different criteria and different weights because of the way spam and viruses are disseminated.

The original point of spamcop was to help ISPs stop spam runs, the blocking was only to keep others from getting the spam until ISPs shut the spammer down. Somewhat the way it works now with infected machines. It is only those IP addresses that do not use responsible practices that are more or less perpetually listed.

That's why manual reporting does work - because usually even spammy ISPs don't want viruses. However, reporting a virus as a spam through spamcop does not work and can get your account suspended.

Miss Betsy

