The correct way to forward spam?

[etherdeath]

Hi,

I recently started using the spamcop reporting services.. I found I had so much spam to report that I bought a spamcop email account, intending to use it just for reporting spam, hoping it would speed up the process. On my own mail server, I run spamassassin which encapsulates spam in attachments. I use procmail to catch these, parse out the attachment and the email it to my spamcop account, etherdeath<at>spamcop.net (as an attachment). Spamcop puts these in my, held mail folder. When I want to report them, it thinks my mail server had something to do with facilitating the spam, ie, not seeing that I am only forwarding them. I added my email address to the mail hosts, but this does not seem to get spamcop to realize my server shouldn't be reported. There may be a reason why. I looked at the email header through spamcop and it is something like the following :

Received: from mail.mymailserver.com (HELO anothername.mymailserver.com) (xxx.xxx.xxx.xxx)

by mailgate2.cesmail.net with SMTP; 13 May 2005 23:32:59 -0000

Now, both names are fine for my mail server, as far as I am concerned. but the second name (anothername.mymailserver.com) is one of the names listed in my mailhosts on spamcop, and the first is not. I do not know if this is causing the problem, and if so, how to add that first name to my mailhosts. The IP is listed as a relaying address. I think spamcop is getting that first name (mail.mymailserver.com) from a reverse DNS look up on the IP. I don't remember setting that up - I think my ISP must have. I don't mind this name, however, I do not use it anywhere. I did just setup a DNS entry for it pointing to the IP, hoping that might add some kind of consistency... but I'm not sure if I have to add that to the server somewhere. I do not want to change my mail server's hostname. (I was able to add this name to my mailhosts by temporarily changing my myhostname setting in postfix, for the duration of the process to add a mailhost, however this has not seemed to help.)

I am sending these to my spamcop.net address, not the submit.whatever<at>spamcop.net, because handing it through that is slow (you don't ge the menu to quick report (which I have not yet tried, but I assume it saves time)). The reason I signed up for a spamcop account was so that I could use its facility for reporting spam, which I thought might be faster. All the emails I am forwarding as attachments will definitely be spam, plus I will look them over in my held email folder before I report them all. Perhaps there is a better way to go about the whole thing.

Thanks

*EDIT*munged the email address

[Wazoo]

A Tracking URL with not so much munging involved is needed in order to talk specifics. Killing off the primary details in your post looks a bit off when you turn around and post your address in clear sight.

Your description of "receiving e-mail, SpamAssassin collects and encapsulates it, you parse that out, attach that, send to your spamcop e-mail account, then try to report it" just sounds wrong, in addition to offering so many points for something to get manipulated badly, then trusting the parser to handle it anyway .. which you say isn't happening .....

Forum FAQ has an entry to many items dealing with set-up and use, even an entry titled "How I use ...." which may be of great benefit in changing the way you are attempting to manipulate things.

[StevenUnderwood]

When I want to report them, it thinks my mail server had something to do with facilitating the spam, ie, not seeing that I am only forwarding them. 

28022[/snapback]

No, the spamcop parser correctly thinks that your mail server sent the message to your spamcop.net address.

One solution would be to forward all messages from the spammed account to spamcop and have spamcop forward them back to a different, clean address. That way, most spam would be caught by spamcop for easy reporting.

A second possibility, which would need to be tested carefully first, so the messages will be seen as coming from the original source, you would need to redirect the message to your spamcop address. You could also do this for any messages that slip by spamcop in the first solution.

A way to do this without a spamcop email account would be to get your account authorized for quick reporting and then send the attatched spam to the quick.<secret code> address. Even with a spamcop email account, until your reporting account is authorized for quick reporting, you still need to do the followup inspection and reporting.

<Standard Quick Reporting Warning> Test carefully before using quick reporting and randomly check the quick report summaries for mistakes. They can and do happen. Also make sure to configure the mailhost system to minimize the chance of reporting your own ISP or server.

[etherdeath]

Thanks,

A second possibility, which would need to be tested carefully first, so the messages will be seen as coming from the original source, you would need to redirect the message to your spamcop address.  You could also do this for any messages that slip by spamcop in the first solution.

A way to do this without a spamcop email account would be to get your account authorized for quick reporting and then send the attatched spam to the quick.<secret code> address.  Even with a spamcop email account, until your reporting account is authorized for quick reporting, you still need to do the followup inspection and reporting.

This sounds promising - I'll look into this. I definitely do not want to forward all my mail to spamcop or use spamcop to tell me what is spam - I'm pretty happy with the way my setup does it.

A Tracking URL with not so much munging involved is needed in order to talk specifics.  Killing off the primary details in your post looks a bit off when you turn around and post your address in clear sight.

"A bit off" - can you explain this in some less vague way? I didn't think much about posting my address in clear sight since I'm only using that account for spam. What kind of tracking URL? One like :

http://www.spamcop.net/sc?id=something ?

Should I be posting something with my mail server address in it like that? It will contain my mail server as the receiver and possibly a real email address that I use to read mail.

Your description of "receiving e-mail, SpamAssassin collects and encapsulates it, you parse that out, attach that, send to your spamcop e-mail account, then try to report it" just sounds wrong, in addition to offering so many points for something to get manipulated badly, then trusting the parser to handle it anyway .. which you say isn't happening .....

Sounds wrong in what way? If you mean wrong as in the wrong way to do it, that is why I'm posting, and I thought the title of the post was indicative of that. Though I'm new to handling spam, what I am doing seems pretty straight forward to me. I don't want to send the spam I get along with my spamassassin wrappers around it, because I figured it would be a waste for spamcop to have to go through it, or worse it would report something I didn't want to report. I am also not sure if spamcop keeps copies of spams for some kind of spam archive.. if so, I'm sure spamcop doesn't want my mail server's spamassassin tags all over it. I basically take out the spamassassin added parts and put in new mail To, From and Subject headers from me to my spamcop account. This is exactly what I do when I send it to the report.whatever[at]spamcop.net address, and that method I didn't invent - someone else who told me about spamcop said that is what they do (though he doesn't use a perl scri_pt). What do I say isn't happening?

I get 100-200 spam emails per day, and my mail server is using about 15 blacklists. I figured reporting these spam emails would be helpful for fighting spam... I just don't have 2-3 hours per day to spend manually reporting each one. I was even willing to pay a little (I figured it went towards a good cause) to report mail. I wasn't even sure it would mean I would get less spam. It's not critical though... I can just go back to not reporting it.

Thank you

[Wazoo]

Tracking URL - data is provided in every parse result screen .. defined / described n the SpamCop Glossary (found as a link in the Forum FAQ)

The "sounds off / wrong" is the best I could do with the lack of details offered to 'analyze' the flow of your e-mail/spam submittal process. Your query was about how the parser came up with its results, bit only one line of munged data was offered to look at. The "handling" of e-mail is problematic by some uers, some e-mail applications, some transfer mechanisms, etc. and as described in your flow of processes, there seemed to be many opportunities for something to go wrong, a usual problem is where one application decides to handle line-breaks / word-wrapping itself and the parser chokes on the now mal-formed header lines ....

Pages here are archived by various search engines, and it's a bit obvious that some of your fellow Registered users (and no doubt many of the Guests) are in fact of the spamming crowd keeping up with the state of affairs on this side of the 'battle' .... Munging of e-mail addresses is a pretty standard suggestion here ...

[etherdeath]

The "sounds off / wrong" is the best I could do with the lack of details offered to 'analyze' the flow of your e-mail/spam submittal process.  Your query was about how the parser came up with its results, bit only one line of munged data was offered to look at.  The "handling" of e-mail is problematic by some uers, some e-mail applications, some transfer mechanisms, etc. and as described in your flow of processes, there seemed to be many opportunities for something to go wrong, a usual problem is where one application decides to handle line-breaks / word-wrapping itself and the parser chokes on the now mal-formed header lines ....

I am not saying nor did I mean to imply that anything is going wrong in any part of the process, not on my side and especially not on spamcop's side. I am forwarding spams to my spamcop email, and when reporting them through that address, rather than the reporting address, it sees my forward as part of the spam chain. I suspected this would happen when I tried it. I do not think spamcop should behave differently or handle my emails any differently.. what I was interested to know was if there was another way I could forward my spams to my spamcop email so that my server was not parsed and listed, by default, as one of the IPs to report on. I suspected there is a way to do this, since when forwarding the same spam emails to the reporting address, it does not list my IP to report on. The only reason I rather send my spam email to my spamcop address, rather than the reporting address, is that the spamcop address has a way to quick report. If the reporitng address also had a quick report feature, when associated with a paid spamcop email account, that would have worked for me - and I expected that to be the case... that's why I went ahead and paid for the account before posting any questions here. I wasn't sure if the URLs to the reports were also tracking URLs. I can create a tracking URL, but I have to go back to sending my spam to the spamcop account, and I really don't see how it is going to help. I still have yet to finish looking into the options StevenUnderwood suggested, but I am wondering if forwarding the spams to my spamcop address normally, instead of as an attachment, will do what I want.

Pages here are archived by various search engines, and it's a bit obvious that some of your fellow Registered users (and no doubt many of the Guests) are in fact of the spamming crowd keeping up with the state of affairs on this side of the 'battle' .... Munging of e-mail addresses is a pretty standard suggestion here ...

Thanks for the suggestion... but what you had said at first did not sound like a suggestion at all. I wouldn't mind so much at all if my spamcop email received spam from spammers finding my email here - I'd report it. I was aware that the pages here are likely archived and anyone is free to read them.. which is why I didn't want to post the real IP/hostnames of my mail server... I am sure it is pretty secure, but as you can guess, I am not a mail server guru, and I thought those types of people might be able to do something malicious to it if I gave that information out - was that unreasonable?

Thank you

[Wazoo]

If your account has been approved for Quick-Reporting, change the

submit.SoMeLoNgStRiNgOfTeXt[at]spam.spamcop.net

to read;

quick.SoMeLoNgStRiNgOfTeXt[at]spam.spamcop.net

Again, any analysis/suggestions on how to resolve the parsing issues of your submittals can't be done in the dark. The parser expects the submittal to arrive in a certain format. From your description and resulting problems with a bad parse, it's apparent that the format of your submittals isn't correct.