abuse At Load.com Posted July 22, 2005

AOL has a feature like this and it looks like Hotmail / MSN is working on something like this as a service to ISPs, ASPs . . . pretty much anyone who is stuck with the unenviable task of hosting other people's e-mail.

In AOL's scenario an attached copy of the message is sent back to the feedback address with recipient information stripped out, allowing your abuse desk to take immediate, possibly automated, action to solve a problem you may not yet be aware of.

In MSFT's current solution they give access to a web site where you can find the unique helo / mail from / connection IP etc. in a list format for all of the distinct connections from the networks you can prove you have a right to see, and they are currently working on something like this in a web services format for a bit more of an automated reporting solution.

I can only imagine some of the larger ISPs / ASPs that have to deal with SpamCop would be willing to contribute for this type of service; I know we would be willing to if it made sense.

I can only imagine it would promote more immediate action on behalf of large service providers that have enough problems staying ahead of inbound mail traffic, much less keeping track of their "not always so legit" outbound mail traffic.

Adam Rogas
CTO
Load Ltd

Jank1887 Posted July 22, 2005

Still not clear on how the system works. Could you post a reference link or two?

abuse At Load.com Posted July 22, 2005

Here are the links for the two services I referenced above:

AOL http://postmaster.aol.com/tools/fbl.html
MSN http://postmaster.msn.com/snds/

Wazoo Posted July 22, 2005

Both items appear to be another approach at doing what SpamCop / IronPort already does.

Jank1887 Posted July 22, 2005

> Both items appear to be another approach at doing what SpamCop / IronPort already does.

Not quite. The ISPs have to sign up to get 'reports'. So, as soon as chinanet.cn.net signs up to get info on any spam sent from their domain, we'll all be saved.

That, and it has no teeth. SC reports are tied to a blacklist. (AKA incentive to remediate.)

And those two are so big, and the 'report as spam' is so easy to do, that there's going to be a ton of false positives. So, the whitehat ISPs that actually sign up for this are going to be swamped with a bunch of spam reports that might not be spam, will take a while to verify, and that give them little reason to do anything about it.

It's better than nothing, though. And maybe it's an indicator that the big guys are finally seeing what works in combating spam.

abuse At Load.com Posted July 22, 2005

I guess the point is this: right now there is pretty much nothing, until it is too late. We get notified that within the last hour "someone" submitted "something" about our network. And many times we can get a copy of the message that has offended, but we have a couple million mailboxes to keep track of, many of them hosted for private labeled "free" web mail services, similar to Hotmail.

The benefit of us getting direct feedback when one of our users pisses someone at Hotmail or AOL off is huge. We at least can flag the account as suspicious. We have heuristics that do this type of thing in place for other signs of abuse already, but this one really helps, as it is pretty much another human (in the case of AOL) saying hey, this message is crap, and you should watch this guy. And quite honestly our false positive rate is under 0.1% with this in place.

All I know is that it has been effective. Nothing that is currently available is the silver bullet that is going to put an end to spam. I, We are not implying that this is. However it is far easier to integrate into the workflow of a semi-automated abuse desk/system than the all manual process of checking SpamCop every waking hour of the day. The list is great, we use the list, it helps us block / tag a lot of spam. This would just allow us to be a bit more pro-active (or really directly reactive).

Most of the information we have gotten from AOL and Hotmail, with filtering, has enabled us to stop spammers / abusive users as or before they get out of hand, not 24 hours later when the damage to our reputation has already been done.

We had many reservations when we started this process, especially with AOL: concerns of false positives, or a massive manual process of confirming the spam complaints. But honestly what we found, at least with our user base, was that 99.9% of the complaints we were getting from them (AOL) were legitimate in nature, and direct action was able to be taken on our part, with direct proof of the occurrence, while still protecting the privacy of the submitting AOL user.

Adam Rogas
CTO
Load Ltd.

Jeff G. Posted July 22, 2005

There is little difference between this approach and establishing a special secret address for receipt of SpamCop Reports (see How can I get SpamCop reports about my network? for details or email the Deputies via deputies[at]spamcop.net), and then reviewing the emails to the account associated with that email address.

Wazoo Posted July 22, 2005

Maybe a silly question, but are you "the" Adam? As compared to a generally more common "abuse" address?

209.58.236.25 is an mx ( 20 ) for load.com
host 209.58.236.25 (getting name) = smtp-id.load.com.
209.58.236.25 is an mx ( 20 ) for load.com
Routing details for 209.58.236.25
Using smaller IP block (/ 24 vs. / 19 )
Removing 1 larger (> / 24 ) route(s) from cache
[refresh/show] Cached whois for 209.58.236.25 : adam[at]loadmail.com
Using last resort contacts adam[at]loadmail.com

Reports routes for 209.58.236.25:
routeid:8238306 209.58.236.0 - 209.58.236.255 to:adam[at]loadmail.com
Administrator found from whois records

Did a Refresh on the SpamCop parser, now seeing;

Removing old cache entries.
Tracking details
Display data:
"whois 209.58.236.25[at]whois.arin.net" (Getting contact from whois.arin.net )
checking NET-209-58-236-0-1
Display data:
"whois NET-209-58-236-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
Found AbuseEmail in whois abuse[at]load.com
209.58.236.0 - 209.58.237.255:abuse[at]load.com
checking NET-209-58-224-0-1
Display data:
"whois NET-209-58-224-0-1[at]whois.arin.net" (Getting contact from whois.arin.net )
209.58.224.0 - 209.58.255.255:ipadmin[at]telepacific.com
whois.arin.net contact: ipadmin[at]telepacific.com
Routing details for 209.58.236.25
Using smaller IP block (/ 23 vs. / 19 )
Removing 1 larger (> / 23 ) route(s) from cache
Using abuse net on abuse[at]load.com
abuse net load.com = abuse[at]nyi.net, postmaster[at]load.com
Using best contacts abuse[at]nyi.net postmaster[at]load.com

07/22/05 17:24:31 whois !NET-209-58-236-0-1[at]whois.arin.net
whois -h whois.arin.net !net-209-58-236-0-1 ...

OrgName: Load Ltd.
OrgID: LOADL-1
Address: 6325 McLeod Dr.
Suite 8
City: Las Vegas
StateProv: NV
PostalCode: 89120
Country: US

NetRange: 209.58.236.0 - 209.58.237.255
CIDR: 209.58.236.0/23
NetName: LOADLTD
NetHandle: NET-209-58-236-0-1
Parent: NET-209-58-224-0-1
NetType: Reassigned
NameServer: NS1.LOAD.COM
NameServer: NS2.LOAD.COM
Comment: For abuse issues contact abuse[at]load.com
RegDate: 2005-07-01
Updated: 2005-07-01

AbuseHandle: LLA39-ARIN
AbuseName: Load Ltd Abuse
AbusePhone: +1-702-898-1234
AbuseEmail: abuse[at]load.com

TechHandle: LLS4-ARIN
TechName: Load Ltd support
TechPhone: +1-702-898-1234
TechEmail: support[at]load.com

OrgTechHandle: LOADL-ARIN
OrgTechName: Load Ltd
OrgTechPhone: +1-702-898-1234
OrgTechEmail: support[at]load.com

Registering at abuse.net would kick reports to a more normal/correct address ... not exactly sure why the abuse address isn't being picked up, other than perhaps the logic involved in scoping down the IP block .. maybe the 'newness' of this registration? .. perhaps a routing request in news://news.spamcop.net.routing for this IP range ....???

abuse At Load.com Posted July 22, 2005

I just recently updated abuse.net, so it should have updated information shortly.

I have no idea who abuse[at]nyi.net is or why they would be listed as a responsible party of this IP block or our others:

209.58.232.0/23
209.58.234.0/23
209.58.236.0/24
209.58.237.0/24
209.58.238.0/24

but they are.

Our admins used to just use my old address to deal with tracking these issues with SpamCop, but as we got bigger we needed to reorganize all of this into a more appropriate account / mailbox.

abuse At Load.com Posted July 22, 2005

And yes, . . . I am the Adam

abuse At Load.com Posted July 22, 2005

> There is little difference between this approach and establishing a special secret address for receipt of SpamCop Reports (see How can I get SpamCop reports about my network? for details or email the Deputies via deputies[at]spamcop.net), and then reviewing the emails to the account associated with that email address.

The real difference is ease of use. Basically the messages that get sent back via the loop are not munged (the original recipient info is removed), so it is easy to start tickets on the abusive users the second we get the message. Also the fact that they are sent back as attachments keeps things neat and tidy. This is just really more a preference than anything, as it is easier for us to know for sure what we are parsing. Basically all of the minor differences are why the "secret" address method is really not so useful in a large volume, very dynamic, automated scenario.

The one thing that is huge for us with Hotmail is that they will give us at least limited information about the number of times specific addresses have hit their spam traps.

If there were levels of trust so that we, as a reputable ASP/ISP, were trusted enough to be given at least some information about users that have hit spam traps out there, so that we could take action against them instead of shooting in the dark trying to find out which one really abusive user in the middle of thousands of legitimate high volume text messengers and business users, is causing your trust in us to go right out the window.

I completely understand the necessity of protecting the network of trap addresses. We have many trap addresses at our service as well as at others; it is a key component to our spam fighting techniques. However I / we have a real enforcement problem if we don't know who to point the finger at, and with the volumes we are talking about, emailing the deputies and pleading for info every time is not a real solution.

There is not really any way around it: the type of services that many of us provide are unfortunately targets for abusive users, and we are constantly trying to be diligent about actively policing our users.

My suggestions have one goal, and that is to help me as an email provider protect the other email providers of the world from my potentially abusive users, just as I would hope they would all be as diligently trying to protect me, and the rest of us, from their users.

Adam Rogas
CTO
Load Ltd
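
The feedback-loop handling described in the posts above (original message returned as an attachment with the recipient stripped, then used to flag the sending account) can be sketched as follows. This is an added example, not code from any poster or from AOL or Microsoft; the report layout, the `X-Provider-Account` stamp, the domain names and the threshold are all assumptions made for illustration.

```python
import email
from collections import Counter
from email import policy
from email.utils import parseaddr

OUR_DOMAINS = {"provider.example"}      # assumption: domains we host
ACCOUNT_HEADER = "X-Provider-Account"   # hypothetical stamp added to outbound mail
# Constructed sample report: complained-about message attached, recipient stripped.
SAMPLE_REPORT = """\
From: feedback@receiver.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This is an abuse report for a message from your network.
--b1
Content-Type: message/rfc822

From: "Deals" <user1234@provider.example>
To: redacted
Subject: Cheap offer
X-Provider-Account: user1234

Buy now.
--b1--
"""

def extract_complaint(raw):
    """Return account and sender of the attached original, or None if absent."""
    report = email.message_from_string(raw, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload(0)
            sender = parseaddr(str(inner.get("From", "")))[1].lower()
            local, _, domain = sender.partition("@")
            # Prefer our own stamp; trust From only for domains we host.
            account = inner.get(ACCOUNT_HEADER) or (local if domain in OUR_DOMAINS else None)
            return {"account": account and str(account).strip(), "sender": sender}
    return None  # no attached message: leave for manual review

def accounts_to_flag(raw_reports, threshold=2):
    """Return (accounts at or over threshold, count of unattributable reports)."""
    found = [extract_complaint(raw) for raw in raw_reports]
    counts = Counter(c["account"] for c in found if c and c["account"])
    flagged = sorted(a for a, n in counts.items() if n >= threshold)
    return flagged, len(found) - sum(counts.values())
```

Reports that cannot be tied to a hosted account are counted separately rather than dropped, so they can be reviewed by hand.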

turetzsr Posted July 23, 2005

Hi, Adam,

...You seem to be a serious admin making a serious attempt to fight spam and to try to work with SpamCop to help you. As a spam victim, I just want to let you know how much I appreciate that, no matter the outcome of your attempt to change SpamCop to make things easier for you. Thanks! <big g>

Miss Betsy Posted July 23, 2005

> The real difference is ease of use, <snip>
> Adam Rogas CTO Load Ltd

Since I am not an admin and am technically non-fluent, what you are saying doesn't seem to make sense to me.

What I have understood about spam reporting is that all the admin needs is the headers which show which machine the alleged spam email came from. The end receiver's email address is irrelevant. How admins can decipher who actually sent the email out on their server is a mystery to me, but apparently competent admins can.

Are you saying that sending a SpamCop report is not as effective because it is not a forwarded email? Or that it is not as effective because the receiver's email address is munged? Or are you complaining because spamtraps don't send reports?

Hotmail seems to just delete the spam. Fortunately, I don't get a lot of spam on my Hotmail accounts so I can set my filter to low and don't have to worry about false positives as much. Why is that system better than the SpamCop system? It would seem to me to be worse since no one who cares knows that email has not been delivered.

Miss Betsy

abuse At Load.com Posted July 23, 2005

> Since I am not an admin and am technically non-fluent, what you are saying doesn't seem to make sense to me.
>
> What I have understood about spam reporting is that all the admin needs is the headers which show which machine the alleged spam email came from. The end receiver's email address is irrelevant. How admins can decipher who actually sent the email out on their server is a mystery to me, but apparently competent admins can.
>
> Are you saying that sending a SpamCop report is not as effective because it is not a forwarded email? Or that it is not as effective because the receiver's email address is munged? Or are you complaining because spamtraps don't send reports?
>
> Hotmail seems to just delete the spam. Fortunately, I don't get a lot of spam on my Hotmail accounts so I can set my filter to low and don't have to worry about false positives as much. Why is that system better than the SpamCop system? It would seem to me to be worse since no one who cares knows that email has not been delivered.
>
> Miss Betsy

I can clarify some of my recent posts.

> What I have understood about spam reporting is that all the admin needs is the headers which show which machine the alleged spam email came from. The end receiver's email address is irrelevant.

This statement is very true, all we pretty much need are the headers of the message to track down where the mail is coming from. Also true is that we do not need to know, nor do we care, who received the message. All we really care about is that we receive the report that someone has gotten spammed so that we can take immediate action.

> Are you saying that sending a SpamCop report is not as effective because it is not a forwarded email?

No, we believe that SpamCop reports are effective; they help us both as a mail sender, as well as a mail receiver. Our suggestions were to make clear what is currently working with other systems. . . .

> Or that it is not as effective because the receiver's email address is munged?

No, all we care about is that the sender's address is not munged. . .

> Or are you complaining because spamtraps don't send reports?

Yes, this is probably the one thing that we think would help us do a better job of policing our users.

> Hotmail seems to just delete the spam. . . . Why is that system better than the SpamCop system? It would seem to me to be worse since no one who cares knows that email has not been delivered.

To the end user Hotmail just deletes some incoming spam messages, and then filters other messages. From their data feed service, that we subscribe to, they give us the names and counts of offenders, so basically they help us track down abusive users that have slipped through the cracks, so we can take action before they affect a wider range of internet users.

Adam Rogas
CTO
Load Ltd
This topic is now archived and is closed to further replies.