ANGEL, posted January 12, 2019

Question re: SC report auto-distribution; not any address manually entered in [User Notification] field.

Are SC reports ever directed to the "source" of the spam?

Not sure if an example is needed, posting just in case: https://www.spamcop.net/w3m?i=z6898801339z8c25e92a12dc86c774a950d737412c13z

Cheers.

gnarlymarley, posted January 12, 2019

16 minutes ago, ANGEL said:
Are SC reports ever directed to the "source" of the spam?

SC reports are directed to the administrator listed as the abuse contact for that network. Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL. I see that this report was sent to both an outlook.com address and a user defined hotmail.com address. The IP address in question seems to be assigned to an ISP called CoreIP. Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com.

Now you ask, if the reports are ever directed to the "source" of the spam. There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois. As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.

petzl, posted January 12, 2019

1 hour ago, ANGEL said:
Are SC reports ever directed to the "source" of the spam?

Help if you sent a tracking URL

Your email server collects a received IP address; that is the genuine IP. A lot of spam has fake IPs stamped with the spam. SpamCop will disregard these if there is something dodgy about it (no DNS etc.). Example below.

Received: from WINDOWS-COSBPNE (unknown [113.140.86.66]) my email server
by vmx5.spamcop.net (Postfix) with ESMTP id 07FDAAF6FB
for <xxx[AT]spamcop.net>; Wed, 9 Jan 2019 13:31:08 -0800 (PST)
Received: from jakwcdbio (Unknown [182.111.98.3]) claimed/fake email server stamped source

DNS LOOKUPS
Forward and Reverse DNS lookups are performed to see if the name to IP and IP to name DNS lookups produce the same results. This feature is used to see if DNS is correctly set up for a host and can be an indicator for a malicious host.

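The header distinction and the forward/reverse DNS check described in the post above, as an added example that is not part of the thread and is not SpamCop's code. The DNS tables are constructed (documentation address ranges), the header sample is modelled on the quoted lines, and `classify`, `fcrdns` and `my_servers` are hypothetical names.

```python
import re

# Constructed sample, modelled on the two Received lines quoted in the post.
SAMPLE = (
    "Received: from WINDOWS-COSBPNE (unknown [113.140.86.66])\n"
    "\tby vmx5.spamcop.net (Postfix) with ESMTP id 07FDAAF6FB\n"
    "\tfor <xxx[AT]spamcop.net>; Wed, 9 Jan 2019 13:31:08 -0800 (PST)\n"
    "Received: from jakwcdbio (Unknown [182.111.98.3])\n"
)
# Constructed DNS data, so the example runs offline; not real DNS state.
FAKE_PTR = {"192.0.2.10": "mail.example.net", "192.0.2.20": "host.example.org"}
FAKE_A = {"mail.example.net": {"192.0.2.10"}, "host.example.org": {"198.51.100.7"}}

FROM_RE = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")

def parse_received(raw):
    """Return one dict per Received header, topmost (most recent) first."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)  # join folded continuation lines
    hops = []
    for line in unfolded.splitlines():
        m = FROM_RE.search(line) if line.lower().startswith("received:") else None
        if m:
            by = re.search(r"\bby\s+(\S+)", line)
            hops.append({"helo": m.group(1), "ip": m.group(3),
                         "by": by.group(1) if by else None})
    return hops

def fcrdns(ip, ptr=FAKE_PTR.get, fwd=lambda name: FAKE_A.get(name, set())):
    """Reverse lookup, then forward lookup of that name; both must agree."""
    name = ptr(ip)
    if not name:
        return "no-ptr"
    return "match" if ip in fwd(name) else "mismatch"

def classify(raw, my_servers):
    """Only a header written by one of my_servers records a trustworthy IP;
    anything below it was supplied by the sender and may be forged."""
    return [(h["ip"],
             "recorded-by-my-server" if h["by"] in my_servers else "unverified-claim",
             fcrdns(h["ip"]))
            for h in parse_received(raw)]

if __name__ == "__main__":
    for row in classify(SAMPLE, {"vmx5.spamcop.net"}):
        print(row)
```

For live lookups, pass functions wrapping `socket.gethostbyaddr` and `socket.getaddrinfo` as `ptr` and `fwd`.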
ANGEL, posted January 12, 2019

1 hour ago, gnarlymarley said:
SC reports are directed to the administrator listed as the abuse contact for that network. Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL. I see that this report was sent to both an outlook.com address and a user defined hotmail.com address. The IP address in question seems to be assigned to an ISP called CoreIP. Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com.
Now you ask, if the reports are ever directed to the "source" of the spam. There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois. As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.

Thank you Gnarlymarley. Your answer is exactly the information I needed & clarifies the issue.

Re [As soon as those are found out..], is there anything we [SC] users can do/need to do, to facilitate [action by SC deputies] (apart from submitting spam to SC)?

ANGEL, posted January 12, 2019

45 minutes ago, petzl said:
Help if you sent a tracking URL
Your email server collects a received IP address; that is the genuine IP. A lot of spam has fake IPs stamped with the spam. SpamCop will disregard these if there is something dodgy about it (no DNS etc.). Example below.
Received: from WINDOWS-COSBPNE (unknown [113.140.86.66]) my email server
by vmx5.spamcop.net (Postfix) with ESMTP id 07FDAAF6FB
for <xxx[AT]spamcop.net>; Wed, 9 Jan 2019 13:31:08 -0800 (PST)
Received: from jakwcdbio (Unknown [182.111.98.3]) claimed/fake email server stamped source
DNS LOOKUPS
Forward and Reverse DNS lookups are performed to see if the name to IP and IP to name DNS lookups produce the same results. This feature is used to see if DNS is correctly set up for a host and can be an indicator for a malicious host.

Hi Petzl, what does "Help if you sent a tracking URL" mean please?

ANGEL, posted January 12, 2019

1 hour ago, gnarlymarley said:
SC reports are directed to the administrator listed as the abuse contact for that network. Most networks are gathered from the whois data for the IP range as appears to be the case when I browse down to your tracking URL. I see that this report was sent to both an outlook.com address and a user defined hotmail.com address. The IP address in question seems to be assigned to an ISP called CoreIP. Rather than provide a real abuse address the CoreISP internet provider appears to be using one at outlook.com.
Now you ask, if the reports are ever directed to the "source" of the spam. There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois. As soon as those are found out, the deputies can block the reports from going to those addresses and/or redirect them to their upstream provider.

Re [There have been a number of spammers that appear to purchase a whole entire network range just so they can be the abuse contact listed in the whois]

Are they really:
- that rich?
- that dumb?

Lking, posted January 12, 2019

36 minutes ago, ANGEL said:
that rich?

Yes.

37 minutes ago, ANGEL said:
that dumb?

If they "own" a block of IPs, they can rotate the IP they use to send spam whenever an IP gets blocked. They will never have a host block their spam because of complaints. Sorry to say, from a business standpoint owning a range of IPs makes sense.

petzl, posted January 12, 2019

50 minutes ago, ANGEL said:
Hi Petzl, what does "Help if you sent a tracking URL" mean please?

Before you submit a spam, at the top of page is a "tracking URL". Copy it and one can then see what you are on about.

ANGEL, posted January 12, 2019

16 minutes ago, petzl said:
Before you submit a spam, at the top of page is a "tracking URL". Copy it and one can then see what you are on about.

Like the URL I referenced when I submitted the issue, Petzl? Please refer to attached image - ✔️ URL ✔️

ANGEL, posted January 12, 2019

20 minutes ago, Lking said:
Yes.
If they "own" a block of IPs, they can rotate the IP they use to send spam whenever an IP gets blocked. They will never have a host block their spam because of complaints. Sorry to say, from a business standpoint owning a range of IPs makes sense.

Thanks Lking, that adds to the helpful info posted by Gnarlymarley. Not that it's welcome info.

(imo) It means they are: rich, dumb, business owners🤢

petzl, posted January 12, 2019

2 hours ago, ANGEL said:
Like the URL I referenced when I submitted the issue, Petzl?

No. Look below.

Here is your TRACKING URL - it may be saved for future reference: https://www.spamcop.net/sc?id=z6512807609z140b367a456a8adeb495bd5a26b7edd1z

ANGEL, posted January 12, 2019

Am I missing something? This is what I posted:

"Not sure if an example is needed, posting just in case:" https://www.spamcop.net/w3m?i=z6898801339z8c25e92a12dc86c774a950d737412c13z

petzl, posted January 12, 2019

4 hours ago, ANGEL said:
Am I missing something?

BEFORE you click submit, the tracking URL is at top of page: https://ibb.co/4PCKSm7

gnarlymarley, posted January 12, 2019

13 hours ago, ANGEL said:
(imo) It means they are: rich, dumb, business owners🤢

Like all business owners, they get their money from somewhere. Either they have investors, or they have people that keep buying into the spams (either by entering banking information or by clicking an advertisement link). My guess is mostly the latter.

ANGEL,

The tracking link would have the "sc?id=" in the middle of it. This would be your tracking link:

Here is your TRACKING URL - it may be saved for future reference: https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz

ANGEL, posted January 13, 2019

3 hours ago, gnarlymarley said:
Like all business owners, they get their money from somewhere. Either they have investors, or they have people that keep buying into the spams (either by entering banking information or by clicking an advertisement link). My guess is mostly the latter.
ANGEL,
The tracking link would have the "sc?id=" in the middle of it. This would be your tracking link:
Here is your TRACKING URL - it may be saved for future reference: https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz

Thank you Gnarlymarley, however, I'm a tad confused:

a) you responded to my original post (& I took from your reply) you interrogated the URL I posted - no?

b) when I go to [ https://www.spamcop.net/w3m?i=z6898801339z8c25e92a12dc86c774a950d737412c13z ] & select [Show how SpamCop traced this message] redirects to https://www.spamcop.net/sc?id=z6512755812z8ee73d74322c131f8ca885cc287a03fcz, imo, gets to the same result, therefore, not much difference.

But, I'm happy to take on the learning, thank you😊

gnarlymarley, posted January 13, 2019

2 hours ago, ANGEL said:
a) you responded to my original post (& I took from your reply) you interrogated the URL I posted - no?

Yes, but I had to click the "Show how SpamCop traced this message" to find it.

2 hours ago, ANGEL said:
imo, gets to the same result, therefore, not much difference.

It does kinda get the same results. The issue is it also gives me access to a menu item that I normally do not see as a SpamCop user, but only as a provider. The link you sent will allow me to respond as you to the report back to the original submitter. I am not comfortable with such a link. The spammers do have access to this form, and they could select the option that "it was not spam" on your behalf. I understand why petzl only wants the tracking URL.

ANGEL, posted January 13, 2019

Once again Gnarlymarley, thank you, clarification and logical explanation is very helpful. I thought I was providing "a" tracking URL. Did not understand the distinction.

Many thanks & cheers.