Wazoo Posted May 3, 2005 Share Posted May 3, 2005 Extracted from http://forum.spamcop.net/forums/index.php?...indpost&p=27119 From this side of the screen, one knows not all the stuff going on from Julian's perspective, so the following is simple observation / opinion. The SpamCop parsing and reporting tool was developed by Julian for his own purposes. he then offered it up for public usage. The prime concept was to report to the source of the spam with the intent that a caring ISP would resolve the problem. As time went on, more options added, more capabilities added, more functions introduced. In the meantime, some spammers got smarter (the dumb ones giving up after having account after account cancelled by those caring ISPs) These days you've got Julian working his magic, and you've got spammers working individually and collectively trying to defeat the SpamCop tool set. There's now enough money floating around (thanks to the gullible) that even the dumb spammers can now afford to hire knowledgable folks to work the 'net' to their own advantage. (old data, the 'net' was originally built by and for the U.S. Government, thus there was not the concept that looters and thieves would be part of the user base. Thus, the entire network was built based on all users being trusted.) This 'current issue' is just that. Last year it was rotating DNS, the year before that it was .... on and on. Two years ago, it took weeks to get a DNS change propagated. Now, in some case, it's just a matter of minutes. Some spammers are sending spam that includes links that won't actually be activated for hours/days after the spam goes out. Some spam goes out with included links of a site that was squashed days before. Some include links that never were and never will be active. As seen in the numerous complaints about "links not reported" .. a lot of this would be discovered by minimal research. Some research done results in the URL being found active, yet that's done from a system/browser that's designed to allow some lengthy timeout variables, as compared to the parsing tool trying to handle thousands of look-ups a minute. That DNS lookups are just another bit of web traffic that can be denied by a bit of code on a server also seems to be overlooked by some folks (i.e., referrer data can be evaluated, querying IP can be evaluated, and certain items can be ignored/blocked/dropped by that DNS server) ... a bit of 'for instance' ... there's an individual in the newsgroups that makes a repeated complaint that the SpamCop reporting results that send output to a /dev/null (though still feeding the statistics table) account (due to past e-mail bouncing) must be in error, because his e-mail to that address does not bounce ... somehow not relating his use of filtering of his e-mail to an ISP's capability to also filter e-mail coming from a certain address ..??? Getting back to the above, let's go back to the beginning, at which time the focus was to shut down the spew. I don't believe that this focus has changed. The reporting of spamvertized wsb-sites was an additional capability added along the way, but it's still a secondary item of interest. There has never been anything in place to stop someone from reporting things themselves (99%+ of my spam complaints I do myself as I'm much more brutal than the SpamCop parsing/reporting tool), so it's not like the world of complaints has stopped. I can tell you that Julian is working on the codebase, that's almost a constant, but again, it's him against the numerous spammer collective out there. In example, the SpamCopDNSBL has lost a bit of 'power' based on the merging of some spammer / virus/trojan writer activity, compromising the multitudes of end-user computers to send the spew ... spammer just moves to a new compromised machine when the SCBL kicks in. The majority of those IP addresses are already found in other BLs that contain DUL (dial-up IPs) .. but once again, the reports do go out, but to ISPs that either can't, won't, or are very slow to handle the spew issue from their customer base. So the continuing levels of spew from these sources aren't a failure on SpamCop's part ... Well, getting massive here, just hoping to toss some useful thoughts out ... One little nit -- where you say: "Some spammers are sending spam that includes links that won't actually be activated for hours/ days after the spam goes out." As I understand it the links are active almost immediately -- takes about 15 minutes for them to work because the DNS is updated *but* the whois ability to lookup a domain can take 12-24 hours because those databases are still only updated once or twice a day, I forget which it is. So you will see urls resolving but can't find out who registered them until the next day ... Link to comment Share on other sites More sharing options...
This topic is now archived and is closed to further replies.