BrianL Posted March 24, 2005

SpamCop tells me that e-Bay refuses SpamCop reports. Rian W. on behalf of Bill Cobb (President of eBay North America) tells me that e-Bay does not refuse reports from SpamCop.

It isn't the end of the world - either way - but it is disappointing that two supposedly credible sources have such diametrically contradictory positions about what should be a simple fact.

Here is supporting documentation:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From: On behalf of Bill Cobb [billcobb[at]ebay.com]
Sent: Sunday, February 13, 2005 1:11 PM
To: BrianL
Subject: Re: questions about eBay fraud policies (KMM27861709V62382L0KM)

Hello Brian,

Thank you for your email to Bill Cobb. Bill has requested that I respond on his behalf. I appreciate your comments and concerns and look forward to addressing them.

I understand your concern regarding Spoof and Phishing emails. I assure you that we do take these reports very seriously. We do everything that we can to stop these emails, and prosecute those who are responsible. We team up with law enforcement agencies across the world to try and eliminate these problems. I invite you to visit the eBay security center at the following link:

http://pages.ebay.com/securitycenter/index.html

The error you received when you tried to report your email from SpamCop does not seem to be one sent from eBay. I don't show that any email like that was received at our spoof[at]ebay.com email address from you in the recent past. You may be best off just forwarding those emails to spoof[at]ebay.com from the regular email program.

As far as emails that are sent from eBay, you can sign in to your my eBay page and click the eBay preferences link on the left side, under the My Account heading. From that page, you can click the notification preferences change link, and set the eBay notifications that will be sent to you via email.
Any email that is sent about your account from eBay will be able to be verified from your My Messages section of my eBay. eBay will never ask you to provide sign-in passwords, credit card numbers, or other sensitive information through email. If we request information from you, we will always direct you back to the eBay site. With very few exceptions, you can submit the requested information through your "My eBay" page.

If you would like more information about spoof emails and how you can help protect yourself I would encourage you to visit these two links:

http://pages.ebay.com/help/policies/id-acc...heft-spoof.html

and

http://pages.ebay.com/education/spooftutorial/

I feel confident in saying that the email you received this morning was not from ebay. While these emails are getting better and better at looking like they are from us, ebay will not request information like that through email, and by signing in to your my eBay account, you would be able to see the status of your account there.

Again I thank you for your email and the opportunity I have had to assist you. I appreciate you being a part of the eBay community.

Regards,
Rian W. on behalf of Bill Cobb
President
eBay North America

_____________________________________________

Original Message Follows:
-------------------------

Dear Mr. Cobb

As a nearly five year registered eBay user, a primary concern of mine is fraud and abuse. I get a large number of spoof / phishing e-mails purporting to be from eBay, asking me to click and update my personal information. I try to report all of these to spoof[at]ebay.com.

After registering with eBay (but prior to eBay's refined policy to limit address exposure to spammer harvesters), my rate of spam has increased to more than 1000 times what it was prior to that. As a result, I have employed SpamCop to filter my e-mail.

This morning I received another message appearing to be an eBay spoof, requesting updated information under threat of eBay account closure.
I tried to report it to eBay through SpamCop. This is part of what I got back:

Parsing input: https://signin.ebay.com/saw-cgi/ebayisapi.d...iveworld_us_answer_center&ruproduct=user
[report history] <http://mailsc.spamcop.net/mcgi?action=showhistory;slice=issueid;val=45738258>
Routing details for 66.135.205.137 <http://mailsc.spamcop.net/sc?action=showroute;ip=66.135.205.137;typecodes=17>
[refresh/show] <http://mailsc.spamcop.net/sc?action=rcache;ip=66.135.205.137>
Cached whois for 66.135.205.137 : network[at]ebay.com
Using abuse net on network[at]ebay.com
abuse net ebay.com = spam[at]ebay.com, spoof[at]ebay.com, postmaster[at]ebay.com
Using best contacts spam[at]ebay.com spoof[at]ebay.com postmaster[at]ebay.com
spoof[at]ebay.com refuses SpamCop reports
Using spoof#ebay.com[at]devnull.spamcop.net for statistical tracking.

My first question is: what is e-Bay's real level of commitment to fighting fraud, if eBay is refusing reports of fraud merely because they come via SpamCop?

My second question is: Apparently this particular message actually came from a domain with 'ebay' in the name. This led me to wonder if it could have been legitimate. I cannot retrieve it now, because it was reported through SpamCop. I logged in to eBay and hunted for some time, and found no evidence that my account might expire, but I remain concerned. Do I need to do something to remain a registered user in good standing?

Sincerely,
BrianL
StevenUnderwood Posted March 24, 2005

> I don't show that any email like that was received at our spoof[at]ebay.com email address from you in the recent past.

That is because no message was ever sent. The deputies would need to address the history behind this, but it is usually that someone from ebay contacted spamcop and requested the reports stop or they simply blocked the sending of those reports.

> My second question is: Apparently this particular message actually came from a domain with 'ebay' in the name. This led me to wonder if it could have been legitimate.

Using the evidence you provided, the message would have been sent (if spamcop's database did not say they refuse the reports) because of a link (Parsing input: https://signin.ebay.com/...) within the spam. What you don't show is where the source of the message was.

In any correspondence, you should include the Tracking URL from the report you made, so anyone can see exactly what is being discussed.
Jeff G. Posted March 24, 2005

Although I would like to see this matter addressed publicly, you will probably get a faster answer by emailing the Deputies via deputies<at>spamcop.net.
BrianL Posted March 24, 2005

Steven: Thanks, but the origin of the original spam is not an issue here. The original headers were trashed when I attempted to report to spoof[at]eBay (clicking "queue for reporting and move to trash"). This occurred quite some time ago (January?). None of the headers would have been particularly meaningful to Mr. Cobb.

Jeff: Thanks! The next time I have occasion to report a held spoof/phish to e-Bay, I will inquire of the deputies as you suggested. If I get a meaningful reply, I'll post it here for all to see. If the reply supports Steven's guess, I will write again to Mr. Cobb for his explanation.
Miss Betsy Posted March 24, 2005

I can't remember now whether it was ebay or someone else recently who kept sending me emails that they couldn't receive my report - which I sent as a cut and paste from message source, forwarded as attachment, and forwarded inline. None were through spamcop. I think it was ebay. And the ebay phish I got also had a legitimate looking ebay address in it. (I don't have an ebay account so there was no doubt that they were bogus.)

It could be just a temporary problem with ebay's spoof address and have nothing to do with spamcop at all.

BTW, also, recently, a report on another phishing spam was returned by an abuse desk because ClamV detected a phishing email. <g>

Miss Betsy
StevenUnderwood Posted March 24, 2005

> Steven: Thanks, but the origin of the original spam is not an issue here. The original headers were trashed when I attempted to report to spoof[at]eBay (clicking "queue for reporting and move to trash"). This occurred quite some time ago (January?). None of the headers would have been particularly meaningful to Mr. Cobb.

I was speaking to the comment you made about the message possibly coming from ebay legitimately. The headers would have allowed them to answer your question to them more authoritatively.

> Apparently this particular message actually came from a domain with 'ebay' in the name. This led me to wonder if it could have been legitimate.

What I meant was that if the source were ebay, then the message source parse would have gone there as well.

For your information, unless you have your account set up to delete rather than trash, the original message may still have been there (though very hard to find among the other garbage) in the trash folder. That can be accessed via IMAP or webmail.
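An added illustration (not part of any post in this thread) of the distinction discussed above: the From address and the links in the body are what a message claims, while the Received header written by the recipient's own border MX records where it actually came from. The sample message, the recipient.example hosts, the documentation-range IPs and the sender_nets allow-list are all constructed assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not the message from the thread). 192.0.2.55 and
# 198.51.100.7 are documentation addresses; recipient.example is made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailbox.recipient.example with ESMTP; Sun, 13 Feb 2005 09:00:02 -0500
Received: from unknown (HELO signin.ebay.com) (192.0.2.55)
\tby mx.recipient.example with SMTP; Sun, 13 Feb 2005 09:00:01 -0500
From: "eBay" <service@ebay.com>
Subject: Update your account
Content-Type: text/plain

Your account will be closed unless you sign in at
https://signin.ebay.com/ today.
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")
BY_RE = re.compile(r"\bby\s+([\w.-]+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def source_ip(msg, border_mx):
    """IP recorded by our own border MX; hops below it are sender-supplied."""
    for hop in msg.get_all("Received", []):
        by, ip = BY_RE.search(hop), IP_RE.search(hop)
        if by and ip and by.group(1).lower() == border_mx:
            return ip.group(1)
    return None

def analyze(raw, border_mx, sender_nets):
    """Separate what the message claims (From, links) from where it came from."""
    msg = message_from_string(raw)
    src = source_ip(msg, border_mx)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(msg.get_payload())})
    in_nets = src is not None and any(
        ipaddress.ip_address(src) in ipaddress.ip_network(n) for n in sender_nets)
    return {"source_ip": src, "from_domain": from_domain,
            "link_hosts": hosts, "source_is_claimed_sender": in_nets}

if __name__ == "__main__":
    # sender_nets is an assumed allow-list for the claimed sender (constructed).
    print(analyze(SAMPLE, "mx.recipient.example", ["203.0.113.0/24"]))
```

The HELO name and the From domain in the sample both say ebay.com and the only link is a genuine eBay host, yet the connecting IP logged by the border MX is outside the claimed sender's networks, which is why the full headers matter when asking whether a message was legitimate.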
Jeff G. Posted March 24, 2005

My manual reports of phishing attempts to spoof<at>ebay.com (and their related enterprise spoof<at>paypal.com) have included the phishing attempts in the body of the email (forwarded inline), and have been analyzed and acknowledged with the long form of "thanks for the report, the reported phish attempt was definitely not from us, we'll get those phishers!, and here are some safety tips".

Some report recipients don't like or accept emails forwarded as MIME attachments, for a number of possible reasons:

- The incident response or trouble ticket system or email client can't deal with them as easily as with inline attachments.
- Paranoid filters are removing them (they might be virmen (viruses or worms)).
- Paranoid filters are deleting messages containing them (they might be virmen).
- Paranoid PHBs are configuring paranoid filters.
- Stingy PHBs are configuring paranoid filters as a way of reducing the number of reports they or their staff has to deal with.
- Greedy PHBs are configuring paranoid filters as a way of reducing the number of reports filed so they can keep the profits from their pink contracts.

Of course, the virmen and their authors are out to get all of us, generally not abuse/support/spoof desks in particular.
This topic is now archived and is closed to further replies.