turetzsr Posted April 1, 2006

> Just to add my 2 cents, the failure on the parser's part to resolve URLs is of concern to me too, as I have said before in other posts about this subject. So there are others here that feel getting the websites reported is important.

...And I hope they will band together to commission a tool that will report spamvertized websites and do it well. SpamCop is not that tool and it appears that (unless a miracle happens and the things that have been keeping Julian and the Deputies busy ensuring that the parser works well in finding the source of the spam e-mails) it never will.
oldskoolflash Posted July 25, 2006

> (unless a miracle happens and the things that have been keeping Julian and the Deputies busy ensuring that the parser works well in finding the source of the spam e-mails)

I think the parser often gets the source wrong! Often it gives the spammer's email address as a reporting address - how and why does the parser give the address royir143[at]hotmail.com as a valid spam reporting email address (see below)?!!! Surely it must be possible to have a system where anything other than abuse[at]hotmail.com is discarded as fake. I really think the spammers are one step ahead here and are actively building a database of users who report spam. They can then use this for a variety of uses like refining spam to evade the parser, using reporters of spam to maliciously report legitimate websites, or, more worryingly, setting up DDoS attacks and virus campaigns...

Tracking message source: 124.106.177.207:
Routing details for 124.106.177.207 [refresh/show]
Cached whois for 124.106.177.207 : rrdelavega[at]pldt.com.ph nctabernilla[at]pldt.com.ph ssmiguel[at]pldt.com.ph riresurreccion[at]pldt.com.ph jcgonzales[at]pldt.com.ph vrortiz[at]pldt.com.ph royir143[at]hotmail.com
Using last resort contacts rrdelavega[at]pldt.com.ph nctabernilla[at]pldt.com.ph ssmiguel[at]pldt.com.ph riresurreccion[at]pldt.com.ph jcgonzales[at]pldt.com.ph vrortiz[at]pldt.com.ph royir143[at]hotmail.com
Message is 4 hours old
124.106.177.207 not listed in dnsbl.njabl.org
124.106.177.207 not listed in dnsbl.njabl.org
124.106.177.207 not listed in cbl.abuseat.org
124.106.177.207 not listed in dnsbl.sorbs.net
124.106.177.207 not listed in relays.ordb.org.
124.106.177.207 not listed in accredit.habeas.com
124.106.177.207 not listed in plus.bondedsender.org
124.106.177.207 not listed in iadb.isipp.com

Finding links in message body
Parsing text part
no links found

Please make sure this email IS spam:
From: "Phyllis Honeycutt" <tkynqmck[at]ainsight.com> (FWD: Big news shows promise)
Did not par ticularly enjoy your previous tra ding day? Don't focus on that. Mov e on to your most successful one with the tips I listed below! You'll come out o

Report spam to:
Re: 124.106.177.207 (Administrator of network where email originates)
To: royir143[at]hotmail.com (Notes)
To: vrortiz[at]pldt.com.ph (Notes)
To: jcgonzales[at]pldt.com.ph (Notes)
To: riresurreccion[at]pldt.com.ph (Notes)
To: ssmiguel[at]pldt.com.ph (Notes)
To: nctabernilla[at]pldt.com.ph (Notes)
To: rrdelavega[at]pldt.com.ph (Notes)
Re: 124.106.177.207 (Third party interested in email source)
To: Cyveillance spam collection (Notes)
turetzsr Posted July 25, 2006

> I think the parser often gets the source wrong! Often it gives the spammer's email address as a reporting address - how and why does the parser give the address royir143[at]hotmail.com as a valid spam reporting email address <snip>

...*shrug* To what e-mail address would you suggest reporting spam from this IP address, given the following?

APNIC whois for 124.106.177.207:
inetnum: 124.104.0.0 - 124.107.255.255
netname: IPG
descr: IPG
descr: Philippine Long Distance Telephone Company
country: PH
tech-c: RD18-AP
tech-c: JG149-AP
tech-c: NT80-AP
tech-c: VO2-AP
tech-c: SM140-AP
admin-c: RR5-AP
mnt-by: APNIC-HM
mnt-lower: PHIX-NOC-AP
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed[at]apnic.net 20060213
changed: hm-changed[at]apnic.net 20060220
source: APNIC

person: Roy I Resurreccion
address: Philippine Long Distance Telephone Company
address: 14/F Ramon Cojuangco Building
address: Makati Avenue, Makati City 1200, Philippines
country: PH
phone: +63-2-810-4070
fax-no: +63-2-894-5332
e-mail: riresurreccion[at]pldt.com.ph
e-mail: royir143[at]hotmail.com
nic-hdl: RR5-AP
mnt-by: MAINT-PH-PLDT-ENGG
changed: riresurreccion[at]pldt.com.ph 20011016
source: APNIC

person: Jaime Gonzales
nic-hdl: JG149-AP
e-mail: jcgonzales[at]pldt.com.ph
address: PLDT Co., 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City
phone: +63-2-864-5752
fax-no: +63-2-813-5794
country: PH
changed: jcgonzales[at]pldt.com.ph 20040719
mnt-by: PHIX-NOC-AP
source: APNIC

person: Rowell Dela Vega
nic-hdl: RD18-AP
e-mail: rrdelavega[at]pldt.com.ph
address: PLDT Co., 3/F MGO Bldg., Legaspi cor. Dela Rosa Sts., Makati City
phone: +632-864-5752
fax-no: +632-813-5794
country: PH
changed: jcgonzales[at]pldt.com.ph 20040719
mnt-by: PHIX-NOC-AP
source: APNIC

person: Noel Tabernilla
nic-hdl: NT80-AP
e-mail: nctabernilla[at]pldt.com.ph
address: PLDT Co., 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City
phone: +632-864-5752
fax-no: +63-2-813-5794
country: PH
changed: jcgonzales[at]pldt.com.ph 20040719
mnt-by: PHIX-NOC-AP
source: APNIC

person: Sonny Miguel
nic-hdl: SM140-AP
e-mail: ssmiguel[at]pldt.com.ph
address: PLDT Co.
address: 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City 1229
phone: +632-864-5752
fax-no: +63-2-813-5794
country: PH
changed: jcgonzales[at]pldt.com.ph 20040927
mnt-by: PHIX-NOC-AP
source: APNIC

person: Victor Ortiz
nic-hdl: VO2-AP
e-mail: vrortiz[at]pldt.com.ph
address: PLDT Co.
address: 3/F MGO Bldg., Legaspi cor Dela Rosa Sts., Makati City 1229
phone: +632-864-5752
fax-no: +63-2-813-5794
country: PH
changed: jcgonzales[at]pldt.com.ph 20050321
mnt-by: PHIX-NOC-AP
source: APNIC

...Seems to me that the SpamCop parser's decision was consistent with the available information for this IP address ....
oldskoolflash Posted July 25, 2006

> ...*shrug* To what e-mail address would you suggest reporting spam from this IP address, given the following? ... Seems to me that the SpamCop parser's decision was consistent with the available information for this IP address ....

I know the parser is using the info provided for that IP; my point was, why does the parser not filter out donaldduck[at]hotmail.com and discard it as fake? Whenever I question the reliability of the parser at locating referenced websites, people are very quick to pipe up that this is not what the parser is for, and all the efforts are put into detecting the source of the spam. My point is that quite often it does not do that very efficiently. Who wants to send spammers confirmation that their email address is live and actively reports spam? And yet the parser allows this with surprising ease. I know you can untick specific addresses, but surely anything [at]gmail.com or [at]hotmail.com or [at]geocities.com that isn't abuse[at] or postmaster[at] is fake; the parser should be smart enough to discard anything that is obviously fake.
turetzsr Posted July 25, 2006

> I know the parser is using the info provided for that IP, my point was, why does the parser not filter out donaldduck[at]hotmail.com and discard it as fake. <snip>

...The parser is just a tool. It's our job, as users, to use the tool appropriately. Not all of us (necessarily) want the parser to make decisions such as you propose for us .... <g>
StevenUnderwood Posted July 25, 2006

> I know you can untick specific addresses, but surely anything [at]gmail.com or [at]hotmail.com or [at]geocities.com that isn't abuse[at] or postmaster[at] is fake, the parser should be smart enough to discard anything that is obviously fake.

Not true, anyone can use one of these addresses to register their domain, sometimes for legitimate reasons (if my domain is expired, how will I get email to account[at]mydomain if that is my only email account?). And SpamCop does go as far as the registration info to find reporting addresses. Searching for specific strings (daffyduck) would be a terrible procedure to start doing just for the overall speed of the parsing.
turetzsr Posted July 25, 2006

> I know you can untick specific addresses, but surely anything [at]gmail.com or [at]hotmail.com or [at]geocities.com that isn't abuse[at] or postmaster[at] is fake, the parser should be smart enough to discard anything that is obviously fake.
> <snip>
> Searching for specific strings (daffyduck) would be a terrible procedure to start doing just for the overall speed of the parsing.

...In all fairness to oldskoolflash (although I disagree with his suggestion), that would not be necessary -- just ignore anything that isn't of the form "abuse[at]<host>" for selected hosts, such as hotmail.com and yahoo.com.
mmp997 Posted April 18, 2010

Can we have this stated clearly and unambiguously?

1. Assume that the name of my site is: wonderfulsite.com
2. Spam arrives with obfuscated links and appears to be from superguy[at]wonderfulsite.com. Most details in the spam e-mail refer to superguy[at]wonderfulsite.com
3. Despite this, I should report it. No ISP will misinterpret this and start blocking wonderfulsite.com

Am I getting that right? Send the spam report! Even if the 'from' field is my own domain! The consequences will be OK! Right? Please reassure me. That's what I understand from the discussion so far, but it seems a tad unlikely as a conclusion. Perhaps the following is relevant.

Issue - refresh button. There's a lot of discussion above about the 'refresh' button or function, but I don't see any 'refresh' button on Spamcop, and using the browser refresh button doesn't achieve any result. Could someone spell out in simple language what refresh button/function is meant in this context? As much as I try to 'refresh', the "from" field is still superguy[at]wonderfulsite.com

Sorry to be obtuse, but I'm just trying to follow the procedures. 50% of all spams that arrive now have cloaked or obfuscated URLs.
Wazoo Posted April 18, 2010

> Can we have this stated clearly and unambiguously?

Actually, not sure .. your query/scenario isn't actually unambiguous, unfortunately.

> 1. Assume that the name of my site is: wonderfulsite.com
> 2. Spam arrives with obfuscated links and appears to be from superguy[at]wonderfulsite.com. Most details in the spam e-mail refer to superguy[at]wonderfulsite.com
> 3. Despite this, I should report it. No ISP will misinterpret this and start blocking wonderfulsite.com
> Am I getting that right?

Not sure. You have decided to seemingly include e-mail addresses, URIs, and Domain names. These items are not to be treated the same, especially in reference to the parsing and reporting codebase.

> Send the spam report! Even if the 'from' field is my own domain! The consequences will be OK!

In general, yes. The included e-mail address references will not be Reported anywhere; your From: address is generally munged, so the only Report recipients would be the source of the spam e-mail itself and the identified 'concerned party' involved with any (resolved) URLs.

> Issue - refresh button. There's a lot of discussion above about the 'refresh' button or function, but I don't see any 'refresh' button on Spamcop, and using the browser refresh button doesn't achieve any result. Could someone spell out in simple language what refresh button/function is meant in this context? As much as I try to 'refresh', the "from" field is still superguy[at]wonderfulsite.com

By using either the checkboxes provided or going into Preferences for your Reporting Account, one needs to turn on the Full/Complete Technical Details ... which will change the way the Parsing results are displayed. Certain results/targets will include a "Refresh Cache" option/link. Depending on the specific data, resource, and target involved, this function may work, may be locked out, may not be allowed for a number of reasons.
mmp997 Posted April 18, 2010

> so the only Report recipients would be the source of the spam e-mail itself and the identified 'concerned party' involved with any (resolved) URLs.

Huh? Why would the source of the spam e-mail receive a report?
Farelf Posted April 18, 2010

> ...Huh? Why would the source of the spam e-mail receive a report?

Because they (network administrators) will (hopefully) work out where the (typically) bot-netted machine that is spewing the spam is in their network and cut it off. They're the only ones that can do that if a consumer-level dynamic link address is being used for internet connection by the offending machine. Spam sending is prohibited by the 'rules' of the network owners; most spam comes from forged addresses and through zombie machines without the knowledge or agreement of the machine's owner. If they (machine owners) *are* doing it knowingly they will still be shut down - and may face prosecution as well. Some countries are thinking about making the owners of the machines responsible even if they don't know it has been taken over by the powers of evil (phrase used jokingly, most of us aren't quite that fanatical though there may be exceptions).

If you want some background to how the spammers work you could do a lot worse than have a look at Rick Conner's website - http://www.rickconner.net/spamweb/ - where Rick explains it. There's plenty more information on these pages too.
Wazoo Posted April 18, 2010

> "so the only Report recipients would be the source of the spam e-mail itself and the identified 'concerned party' involved with any (resolved) URLs."
> Huh? Why would the source of the spam e-mail receive a report?

Trying to guess that perhaps you are confusing the From: address with the IP Address of the sending e-mail server ... yet, even you mentioned the "even if the From: field is my own Domain" which made it sound as if you were aware of the normal mode these days of forged From: line data. However, guessing is way too hard and too much work.
lisati Posted July 28, 2011

> Huh? Why would the source of the spam e-mail receive a report?
> Trying to guess that perhaps you are confusing the From: address with the IP Address of the sending e-mail server ... yet, even you mentioned the "even if the From: field is my own Domain" which made it sound as if you were aware of the normal mode these days of forged From: line data. However, guessing is way too hard and too much work.

I've even had an incoming spam with a forged "Reply-to:" address using my own domain. I suspect that it could be a variant of the spam technique that utilizes backscatter to get the spam through, but I only recall noticing one such email.
Farelf Posted July 28, 2011

Some high-volume spammers use the same list for both their target "To:" address and the forged "From:" and/or "Reply-to:" address. The differences in the use of the forged address and the "To:" addresses from that same list are that there might be tens of thousands (or more) different "To:" addresses, all using the same "Reply-to:" address (for one or more complete spam runs) - and that they seem to rotate the "Reply-to:" addresses fairly regularly. But of course the actual IP addresses (there will be many) of the sender will be totally wrong for the purported sender email address (just the one for this type).

Yes, it seems uncanny to receive a spam apparently from yourself or with reply to yourself (if doing "long" reporting you never forget the first time; those doing "quick" reporting probably don't even notice) but usually it doesn't happen very often; your address has been picked out of the very big pool when it is your "turn" to be the forged sender.

The fun starts when they have a bad list (they don't care, they're not paying for the volume of mail), with valid domains but abandoned or otherwise invalid user parts of the address. Then you stand to receive many thousands of misdirected bounces from clueless mail admins returning all that "undelivered mail" to your innocent address. I don't think that (in the usual case) the backscatter is deliberate; much of it consists of simple NDRs without the original spam - depends on the policy of the "bouncer". But it still happens, apparently, although the RFC which gave the practice some justification has been superseded for years.

There is also some thought that another type of spammer, using a crafted low-volume approach, might specifically use your own address as sender to try to get through your mail filters (any whitelisting you might have of your own address).

One way or another, just about anyone should certainly anticipate seeing spam from (or reply to) themselves, at least occasionally. Sender validation checks, greylisting, message-ID verification (for bounces), who knows what else, might eventually eliminate much of it - perhaps those are starting to do that already.
ssybesma Posted May 8, 2012 (edited)

The reporting tool is missing the spamvertised website mentioned in the headers and the body of the spam below (my email and others obfuscated for privacy reasons). The name of the domain is workfor375.com. I had to do the legwork myself and reported that domain, the domain it redirects to (trustedssurveys.com) and the domain that webpage contains a link to (trustedsurveys.com) as well as all three IP addresses to their respective hosting/allocating companies. When I used SpamCop on the spam below, all it reported to was Yahoo.

============================================================
Return-path: <thezeroplan128[at]yahoo.com>
Envelope-to: <OBFUSCATED FOR PRIVACY REASONS>
Delivery-date: Sun, 06 May 2012 03:34:52 -0500
Received: from nm16-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.131]) by server509.webhostingpad.com with smtp (Exim 4.69) (envelope-from <thezeroplan128[at]yahoo.com>) id 1SQwvY-0047HO-EC for <OBFUSCATED FOR PRIVACY REASONS>; Sun, 06 May 2012 03:34:52 -0500
Received: from [98.139.212.151] by nm16.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
Received: from [98.139.212.240] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
Received: from [127.0.0.1] by omp1049.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
X-Yahoo-Newman-Property: ymail-5
X-Yahoo-Newman-Id: 248258.25919.bm[at]omp1049.mail.bf1.yahoo.com
Received: (qmail 95838 invoked by uid 60001); 6 May 2012 08:34:47 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1336293287; bh=iLdWCppUyJWwtTtwpaXIbQtCd9bWuEy8P1VLHBZrY58=; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type; b=pOe5jE9noygec3LcP2Sjhym3zN39aNMDzO3lttjyLv4ZXtBfhSuAEXTLCSYnAGyeF1rOEPwYPpX/zgufkDjB9I1OX/TmpB7QA9ABKWwbAeC6uT6VgkzBlBY8CAdyhPwc2zxLGSErr9xUIu90fQDJZ0uMpQe9NnWnu+EbxLUYgXQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:Message-ID:Date:From:Reply-To:Subject:To:Cc:MIME-Version:Content-Type; b=TQtMk7TgXQUstyeoWuy4IpDHpe+J0e5rmgOjP2I/N6nxZwzXquRJTisZbxZmaTYM4d+ilUxpuaavJRvK7IUQLbz2M//u0U2W1uiGGGDX0pvZrnuKM8jX6ih4wwIvhRTCpA0SSpX0QJX5tCW1F7L7IJjnGwADG7SaBQR/2J6nKDk=;
X-YMail-OSG: hkaRdlgVM1nA_VtrXS9FUDyXbNIPiQWwpyk9_qhcYl91fZx VT1v0yTlsHH.VWiJ52buboOrlac6qHn6Fe27BqOODJn4zVHpUgTRl3gnCuzq laRah9rIxXvfaymszNJgt1VbR28ikBURSt1vU10qnvMjS1.8omc7ubB6V0_a 3U5dFqmypzclf0XLA_ViVk7NNvgM.uExTBVVX2nsppmaZQMo8veRRGuYjAWi OhdDO8HXOMtn4jEXDOu9p6VG1iCJ1Cddz9_71lJZuNCpgQ7ApubIRmb3yptO 6fXZaQbNGRlbIEe_OCTmGmfgfsoPj8o3sHe.r_Dit4ngxjegnh6_lyfIz85c L40gRPiZj1FWPpROvutCUgPZeieeR5y1IyAtpZNuOXatv4pGxAy5PZuX3.uw PkURDkjX3wq8hhUSdPO5dUA36jBdNYRQIzHYv8nhp6KfoEEuU.ymszV7vetj htwBD4eh07UKioGBvrbiJ465XCcGfIFGjfOE.YD8xCnZKiaKSxX.fhlBM3_B NqFcztSaPfspD4EafY4IO4v_mnMp9x9IJ6ALhyFn0JORf2HRyZjYBtdnMVXW pWWpJ0cQ2ykCeVbe0_40MQUhpKRku3YU-
Received: from [178.88.10.39] by web161802.mail.bf1.yahoo.com via HTTP; Sun, 06 May 2012 01:34:47 PDT
X-Mailer: YahooMailWebService/0.8.117.340979
Message-ID: <1336293287.86220.YahooMailRC[at]web161802.mail.bf1.yahoo.com>
Date: Sun, 6 May 2012 01:34:47 -0700 (PDT)
From: Jake Bufton <thezeroplan128[at]yahoo.com>
Reply-To: Jake Bufton <thezeroplan128[at]yahoo.com>
Subject: hey, i have a question about your ad
To: mikaisme at hotmail dot com [NOTE: probably a test address or a mailing list address]
Cc: <OBFUSCATED FOR PRIVACY REASONS>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Spam-Status: No, score=1.7
X-Spam-Score: 17
X-Spam-Bar: +
X-Ham-Report: Spam detection software, running on the system "server509.webhostingpad.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see the administrator of that system for details.

Content preview: Hey, I like working with people that post ads online, since I already know that you basically know your way around a computer. I need a few people here in town for some part-time help with some online work that I have. The work is very easy, but it's too much for me to by myself, so I thought that I'd email a few people and see if you'd be interested. [...]

Content analysis details: (1.7 points, 4.0 required)

 pts rule name                  description
---- -------------------------- --------------------------------------------------
-0.0 RCVD_IN_DNSWL_NONE         RBL: Sender listed at http://www.dnswl.org/, no trust [98.139.213.131 listed in list.dnswl.org]
 1.6 URIBL_WS_SURBL             Contains an URL listed in the WS SURBL blocklist [URIs: workfor375.com]
 0.0 FREEMAIL_FROM              Sender email is commonly abused enduser mail provider (thezeroplan128[at]yahoo.com)
 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit (jake bufton <thezeroplan128[at]yahoo.com>)
-0.0 T_RP_MATCHES_RCVD          Envelope sender domain matches handover relay domain
 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in digit (thezeroplan128[at]yahoo.com)
-1.9 BAYES_00                   BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
 1.5 URIBL_RHS_DOB              Contains an URI of a new domain (Day Old Bread) [URIs: workfor375.com]
X-Spam-Flag: NO

Hey,

I like working with people that post ads online, since I already know that you basically know your way around a computer. I need a few people here in town for some part-time help with some online work that I have. The work is very easy, but it's too much for me to by myself, so I thought that I'd email a few people and see if you'd be interested.

Just go to my website for more information and to apply if you're interested:

WorkFor375.com

Just copy and paste the above link into your web browser.

****************************************
If you don't want to receive any more email from us, just go to WorkFor375.com/remove
****************************************

Edited May 8, 2012 by ssybesma
Farelf Posted May 8, 2012

> The reporting tool is missing the spamvertised website mentioned in the headers and the body of the spam below (my email and others obfuscated for privacy reasons). The name of the domain is workfor375.com. ...

Hi ssybesma. Yes, unlike your browser, the parser won't take an implied link like WorkFor375.com and treat it as a link (which is one reason why the spammers/authors don't put in the full link). If it had the http:// bit in front of it, it would be processed. I dummied a submission (and cancelled it) - http://www.spamcop.net/sc?id=z5322915931za...00961daa75b681z You can see it would work then, but can't pick up the redirection.

SpamCop is all about finding the e-mail source. You need to go to other tools to address the "spamvertized" links with full rigour. There are all sorts of problems and solutions associated with the links, both innocent and spammy, that can be found in a spam e-mail. See http://forum.spamcop.net/forums/index.php?showtopic=12362 for a recent discussion of another type of link resolution problem and some links to those other tools. See http://forum.spamcop.net/forums/index.php?showtopic=4085 for some background, if you haven't looked there already.

Steve
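The two jobs Farelf separates above, shown side by side in an added Python example (written for this thread, not SpamCop's code): walking the Received: chain to the submitting IP, which is what the parser reports on, and pulling links from the body, where a scheme-less token such as WorkFor375.com is only caught by a heuristic the parser does not apply. The message is constructed from the headers quoted above (trimmed); the short TLD list, the example.com comparison link and the helper names are assumptions of mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the spam quoted in this thread: the Received
# chain as Yahoo's webmail wrote it, and a body with an implied (scheme-less)
# link. One link with http:// is added so both detection paths are exercised.
SAMPLE_MESSAGE = """\
Return-path: <sender@example.invalid>
Received: from nm16-vm1.bullet.mail.bf1.yahoo.com ([98.139.213.131])
\tby server509.webhostingpad.com with smtp (Exim 4.69)
\tid 1SQwvY-0047HO-EC; Sun, 06 May 2012 03:34:52 -0500
Received: from [98.139.212.151] by nm16.bullet.mail.bf1.yahoo.com with NNFMP; 06 May 2012 08:34:47 -0000
Received: from [178.88.10.39] by web161802.mail.bf1.yahoo.com via HTTP; Sun, 06 May 2012 01:34:47 PDT
Subject: hey, i have a question about your ad
Content-Type: text/plain; charset=us-ascii

Just go to my website for more information: WorkFor375.com
Just copy and paste the above link into your web browser.
Full link for comparison: http://example.com/offer?id=1
If you don't want any more email, go to WorkFor375.com/remove
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Links with a scheme: the kind the SpamCop parser will resolve.
SCHEME_URL = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Bare host[/path] with a common TLD. The lookbehind stops it firing inside a
# longer URL, hostname or e-mail address. The TLD list is deliberately short
# (an assumption for this demo); any such heuristic trades misses for noise.
IMPLIED_LINK = re.compile(
    r"(?<![\w./@:-])((?:[a-z0-9-]+\.)+(?:com|net|org|info|biz))(/[^\s<>\"']*)?",
    re.IGNORECASE,
)


def split_message(raw: str) -> Tuple[List[Tuple[str, str]], str]:
    """Split raw message text into unfolded (name, value) headers and the body."""
    head, _, body = raw.partition("\n\n")
    headers: List[Tuple[str, str]] = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:
            # Folded continuation line: append to the previous header's value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers, body


def received_chain(headers: List[Tuple[str, str]]) -> List[str]:
    """First IPv4 address in each Received: header, top (nearest the recipient)
    to bottom (nearest the submitter). In the usual 'from host ([ip]) by host'
    layout that first address is the connecting peer the MTA recorded."""
    chain: List[str] = []
    for name, value in headers:
        if name == "received":
            m = IPV4.search(value)
            if m:
                chain.append(m.group(1))
    return chain


def explicit_urls(body: str) -> List[str]:
    """URLs carrying a scheme, in order of appearance."""
    return SCHEME_URL.findall(body)


def implied_links(body: str) -> List[str]:
    """Scheme-less host[/path] tokens a browser would still treat as links.
    Lower-cased, trailing punctuation stripped, de-duplicated in order."""
    seen: List[str] = []
    for host, path in IMPLIED_LINK.findall(body):
        link = (host + path).lower().rstrip(".,;:!?)")
        if link not in seen:
            seen.append(link)
    return seen


def summarize(raw: str) -> Dict[str, List[str]]:
    """Everything a reporter wants to see side by side for one message."""
    headers, body = split_message(raw)
    return {
        "received_chain": received_chain(headers),
        "explicit_urls": explicit_urls(body),
        "implied_links": implied_links(body),
    }


if __name__ == "__main__":
    for key, values in summarize(SAMPLE_MESSAGE).items():
        print(f"{key}: {values}")
```

For the constructed message the chain ends at 178.88.10.39 behind Yahoo's webmail, the only explicit URL is the comparison link, and both WorkFor375.com tokens surface only through the implied-link heuristic.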
ssybesma Posted May 8, 2012 (edited)

> Hi ssybesma. Yes, unlike your browser, the parser won't take an implied link like WorkFor375.com and treat it as a link (which is one reason why the spammers/authors don't put in the full link). <snip>

Very EXCELLENT reply Steve (my name is Steve as well). How would I go about 'dummying' the submission to add the spamvertised website? I will check out the tools you mentioned, so that may take out the necessity of doing it that way and make my question moot.

The other thing I was thinking about is that there is probably a better strategy for reporting spamvertised websites in the case of a redirected domain and a link to a domain. I should probably go after the domain at the end of the line and work my way up, because if the domains farther out get reported last, they may not see the connection to the domain that I had to get to before that one if it was shut down already. I didn't think about that initially and reported workfor375.com first (yesterday), then the redirected domain trustedssurveys.com right afterward, and then the link from the redirected domain (trustedsurveys.com) was reported today. Shoulda did it the other way. Oops!

Edited May 8, 2012 by ssybesma
turetzsr Posted May 8, 2012

Hi, Steve,

> <snip> (my name is Steve as well).

...That's three of us!

> How would I go about 'dummying' the submission to add the spamvertised website? <snip>

...That's not advised -- see SpamCop FAQ (to which links may be found near the top left of each SpamCop Forum page) articles labeled "-------> Material changes to spam - Updated!" and "-----> What if I break the rule(s)?" Steve (Farelf) did it only to illustrate his point, then canceled it so he would not violate the rules.
Farelf Posted May 8, 2012

Hi again Steve. As Steve T says, quite simply you cannot dummy a submission to make the parser find something it couldn't do by itself and then send the report as if the parser had done it all. That's the "material changes" rule - http://www.spamcop.net/fom-serve/cache/283.html

You can always use the parser to find reporting addresses with manually altered data but you can't alter the spam that is reported. Seems frustrating I know but SC relies on INTEGRITY which is closely guarded to maintain credibility and cooperation within the internet community. That's why those other tools are needed (instead of SC reports) and the SCbl handles only e-mail originating IP addresses, not web sites. Reports to the associated network admins are a courtesy only, in the hope they will take action to shut down the spammers abusing their services. In the case of websites that is the only SC action, no SCbl entry (though the SURBL, mentioned in one of those other topics indicated, does independently use SC spamvertized site data).

The parser is completely unable to follow redirections but I suppose you might be entitled to add an additional report recipient or two (if you are a paying user) reflecting anything you have found out yourself. (You need to be more than a bit cautious about following redirections by the way.) But anyway, you might then have some difficulty explaining in notes to those additional recipients what is going on since the report won't be indicating their networks. Very few of them are highly motivated towards anti-spamming activity, sadly. And the report has no consequences for them, as said - except if they are actually hard-core spammers, then the consequences could be a bit negative.
ssybesma Posted May 8, 2012

> Hi again Steve. As Steve T says, quite simply you cannot dummy a submission to make the parser find something it couldn't do by itself and then send the report as if the parser had done it all. <snip>

OK, very good. I'll abide by the rules.

I registered with knujon.com, am trying to register with complainterator.com (although their site seems to be timing out when I attempt) and I sent an email to see about having the latter two domains added to Bill Stearns's blacklist. WorkFor375.com I noticed is already on the WS list, but that doesn't stop the problem like squashing the domains will. Think I hit all the bases possible.
ssybesma Posted May 8, 2012 (edited)

WOW!!! Quick SUCCESS on squashing one of the three domains. Never realized it was so easy. This is totally FUN!!!

I am awaiting word on the initial spamvertised domain WorkFor375.com, as well as the end domain where the business is actually done (TrustedSurveys.com). The middle domain that the first one redirects to (TrustedSSurveys.com) is the one I just now got shut down. Like I said earlier, I should have reported the end domain first. Oh, well.

What I did on this was go around the WhoisGuard'ed domain names and go to ARIN to find out who had the IP addresses, and I was able to find out who hosted the sites that way. Works REALLY great!

At the end, I sent a gloating email to the email address mentioned on the end website that actually does the spamvertised business. I couldn't help myself. Why not?

Steve

====================

Hello,

Thank you for notifying us. I have suspended the website trustedssurveys.com.

Sincerely,
Ted Smith
Security Specialist
Endurance International Group

-----Original Message-----
From: Shimon Bakshi
Sent: Tue 08-May-12 14:40
To: cogentabuse
Subject: FW: spammer using IP address registered to you

From: Steve [mailto:steve[at]vwebr.net]
Sent: Tuesday, May 08, 2012 10:43 AM
To: #CustomerRelations
Subject: spammer using IP address registered to you

Hello,

Please forward this to your abuse dept or the dept that handles webhosting or IP services.

The following is information regarding someone who is spamming a work-at-home scam using the domain workfor375.com, which redirects to trustedssurveys.com. The domain trustedssurveys.com (note there is a doubled 's') has been obfuscated because the person is using Namecheap.com's Whoisguard service. HOWEVER, the IP address that trustedssurveys.com points to is 65.254.250.110. According to ARIN, that IP address is in your CIDR block. Can you please look into de-allocating/de-registering that IP address?

I will forward the spam to you with all headers right after this email, but the domain name referred to is clearly in the spam and it redirects to the domain having the IP address in your CIDR block.

Thank you,
Steve Sybesma
Lafayette, CO
720-934-2484

[Querying whois.arin.net]
[whois.arin.net]
#
# Query terms are ambiguous. The query is assumed to be:
# "n 65.254.250.110"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=65.254.2...amp;ext=netref2
#
NetRange: 65.254.224.0 - 65.254.255.255
CIDR: 65.254.224.0/19
OriginAS:
NetName: BIZLAND-FC03
NetHandle: NET-65-254-224-0-1
Parent: NET-65-0-0-0-0
NetType: Direct Allocation
RegDate: 2004-01-06
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-65-254-224-0-1

OrgName: The Endurance International Group, Inc.
OrgId: EIG-12
Address: 70 Blanchard Road
City: Burlington
StateProv: MA
PostalCode: 01803
Country: US
RegDate: 2005-02-07
Updated: 2011-09-24
Ref: http://whois.arin.net/rest/org/EIG-12

OrgTechHandle: BBR189-ARIN
OrgTechName: Brock, Brian
OrgTechPhone: +1-781-852-3254
OrgTechEmail: bnbrock[at]maileig.com
OrgTechRef: http://whois.arin.net/rest/poc/BBR189-ARIN

OrgAbuseHandle: BBR189-ARIN
OrgAbuseName: Brock, Brian
OrgAbusePhone: +1-781-852-3254
OrgAbuseEmail: bnbrock[at]maileig.com
OrgAbuseRef: http://whois.arin.net/rest/poc/BBR189-ARIN

OrgNOCHandle: ENO74-ARIN
OrgNOCName: EIG Network Operations
OrgNOCPhone: +1-339-234-9762
OrgNOCEmail: netmon[at]maileig.com
OrgNOCRef: http://whois.arin.net/rest/poc/ENO74-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Edited May 8, 2012 by ssybesma
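The workaround Steve describes (skip the WhoisGuard'ed registrant, look up the hosting IP at ARIN, and send the report to the OrgAbuse contact) can be scripted against the record format shown above. This is an added example, not code from the thread or from SpamCop; the whois text is a constructed sample built from the fields quoted in the post, and the containment check makes sure the contact is only used when the IP really falls in the returned CIDR.

```python
import ipaddress

# Constructed sample: the key fields of the ARIN record quoted in the post
# (addresses keep the "[at]" form the forum rendered them in).
ARIN_WHOIS_SAMPLE = """\
# ARIN WHOIS banner lines start with '#' and are ignored
NetRange:       65.254.224.0 - 65.254.255.255
CIDR:           65.254.224.0/19
NetName:        BIZLAND-FC03
OrgName:        The Endurance International Group, Inc.
OrgTechEmail:   bnbrock[at]maileig.com
OrgAbuseName:   Brock, Brian
OrgAbuseEmail:  bnbrock[at]maileig.com
OrgNOCEmail:    netmon[at]maileig.com
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; blank and '#' comment lines are skipped.

    setdefault keeps the first occurrence, so a repeated key (e.g. RegDate on
    both the net and the org block) does not silently overwrite the net record.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields.setdefault(key.strip(), value.strip())
    return fields


def abuse_contact_for(ip, whois_text):
    """Return (cidr, abuse_email) if ip lies inside the record's CIDR, else None.

    Falls back to OrgTechEmail when no OrgAbuseEmail is published. The
    containment check prevents reporting to the wrong network when the
    whois server answered with a record for some other range.
    """
    fields = parse_whois(whois_text)
    net = ipaddress.ip_network(fields["CIDR"], strict=False)
    if ipaddress.ip_address(ip) not in net:
        return None
    email = fields.get("OrgAbuseEmail") or fields.get("OrgTechEmail")
    if email is None:
        return None
    # The forum replaced '@' with '[at]'; restore it for an actual report.
    return fields["CIDR"], email.replace("[at]", "@")
```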
turetzsr Posted May 9, 2012

...Great work, Steve! I suspect you may have happened upon an all-too-rare abuse admin team with a sufficiently low volume of complaints that they actually have a knowledgeable human reading their abuse complaint e-mails. If you tried that with Yahoo, for example, you would have been much more frustrated. <g>

danmoran Posted October 11, 2012

Spamcop isn't picking up any links in reported spam today.

ollioe Posted August 20, 2013

Spamcop isn't picking up any links in reported spam today.

Same today, not even one hyperlink is detected: spam Report
Farelf Posted August 21, 2013

Maybe the parsing was affected by the recovery period following the system upgrade? Does re-submitting the spam now (and cancelling reports) still show the same? You can save and show the tracking URL for a cancelled report.

[edit] Ah, no, I see that is a mangled spam:

Content-Type: multipart/mixed; boundary="----msg_border_9717Cbc7e7"

... but following that declaration, no boundaries are set within the HTML body. But ... fixing that doesn't seem to fix the parsing ... yes, something seems to be wrong (or I'm not very good at fixing - not that "fixed" spam can be used for a real report anyway).
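The mangling Farelf spotted (a multipart/mixed header whose boundary never appears in the body) is exactly the case a strict MIME parser turns into an empty message with no parts, which is one way a link extractor ends up reporting nothing. The following is an added example, not SpamCop's parser or any code from the thread: it uses Python's stdlib parser to detect that defect and falls back to scanning the raw body so the spamvertised links are still found. The messages and hostnames are constructed samples.

```python
import re
from email import message_from_bytes, policy
from email.errors import StartBoundaryNotFoundDefect

# Constructed sample modelled on the defect described in the post: the header
# declares a multipart boundary, but the body never uses it.
BROKEN_SPAM = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----msg_border_9717Cbc7e7"

<html><body>
<a href="http://spamvertised.example/offer">Click here</a>
<a href="http://spamvertised.example/track?id=1">and here</a>
</body></html>
"""

# The same message with the boundary actually used, for comparison.
GOOD_SPAM = BROKEN_SPAM.replace(
    b"\n\n<html>", b"\n\n------msg_border_9717Cbc7e7\nContent-Type: text/html\n\n<html>"
).replace(b"</html>\n", b"</html>\n------msg_border_9717Cbc7e7--\n")

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")


def extract_links(raw):
    """Return (boundary_missing, sorted list of URLs found in the message).

    Strict MIME parsing runs first. When the declared boundary never appears,
    the stdlib records StartBoundaryNotFoundDefect and exposes no text parts,
    so the body is scanned directly instead of being silently dropped.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    boundary_missing = any(isinstance(d, StartBoundaryNotFoundDefect)
                           for d in msg.defects)
    urls = set()
    if not boundary_missing:
        for part in msg.walk():
            if part.get_content_type() in ("text/plain", "text/html"):
                body = part.get_payload(decode=True) or b""
                urls.update(u.decode() for u in URL_RE.findall(body))
    else:
        # Fallback: ignore the broken MIME structure and scan everything
        # after the header block (first blank line).
        _, _, body = raw.partition(b"\n\n")
        urls.update(u.decode() for u in URL_RE.findall(body))
    return boundary_missing, sorted(urls)
```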