Farelf Posted June 1, 2005 Posted June 1, 2005 SpamCop could help all of us by munging the display names, thereby making the reporting process more efficient and removing the transparency of the display name to the spammer. Can we get a little help from the "powers that be"? 28726[/snapback] I'm with you there Bob, but as mole I shouldn't really have a beef. "Don't call me Shirley," just an irritation factor for me. I think it all (arbitrary display names) started as a way for spammers to differentiate their spew from viruses which used to be fairly easily identifiable by the lack of anything in front of the address. I've seen code in broken spam like "%RND(female_name)" (little devils practicing their "human engineering" on the back of research indicating men expect, against all evidence, to be less harmed by women than by other men). But, as you say, it can be used for tracking. The trouble is, there are so many other ways. The first thorough canvassing of that I can recall was here back last year. There seems to be the effective (non) response of "if it can't all be fixed, why fix any of it?" Which is a "convenient" rationalization, to put it kindly. So - please go to it SpamCop, this is a relatively easy one, one more tick on the checklist, improve the munging (or "mungling" as that Dutch guy used to say) by "x"ing the handle/display name.
PGTips91 Posted October 28, 2005 Posted October 28, 2005 Hi All, I have been reporting as 'mole' for a few months now. Having read the posts above I realised for the first time that 'no reports have been sent'. This is a clarification for me and I second the suggestion that the nature of mole reporting be clarified up front, especially for newbies like me. A suggestion as to features desired, why not have a list of suggestions posted that people can vote for and rank them in order of votes? This would empower the 'serfs' and ensure that the 'lords' are focused on what is actually wanted by users of the service. Differing levels of voting power can be allocated relative to the influence of the position/status held. [bTW I borrowed this from the Linspire CNR Warehouse, where it has recently been implemented.] Recently I have been looking closer into the parsing of spam and the reasons for certain Spamvertised sites not being reported. What I am seeing is that some Spammers are getting quite clever at using throw-away URLs that simply point to a web site that does not move [as much]. They can use expendable open relays to send from and now they are adding expendable reply-to addresses. This means that they can keep their main site less vulnerable to reporting and shutting down. [Example: Parsing input: [url=http://rmohiq.pridebook.info/?marbuexwntvyudsffdzpoggebec]http://rmohiq.pridebook.info/?marbuexwntvyudsffdzpoggebec[/url] Host rmohiq.pridebook.info (checking ip) IP not found; rmohiq.pridebook.info discarded as fake. ] This actually takes my browser to MyCanadianPharmacy which I have seen from many similar URLs to the above. One question I have is, if mole reporting does not send any reports, are they being made use of for any other purpose than adding to black-lists? Another question I have is, if the parser is having difficulty finding the ultimate 'target' that the Spammers want people to go to , would it not be possible for the user's computer to supply the information? After all I have never yet failed to get to the 'desired' URL when putting it into the address field in my browser. It is not a question of obfusticating the URL, rather it is the use of forwarding URLs with built in time delays that only stop the parsing machine but never a browser. Looking deeper into the habits of Spammers, I think that I see a pattern of them grouping together with 'suppliers' who are willing to provide the necessary services, such as DNS, Domain names, etc, that keeps them in business after they have been 'shut down'. After a few days delay they are back in business with a newly registered domain name and DNS server. Another suggestion would be that SpamCop go after these providers or their up-stream providers as this would increase the difficulties for the actual Spammers exponentially. I hope this can be clarified by more experienced people. I am rather out of my depth here but hope my ideas can help. Paul
dbiel Posted October 28, 2005 Posted October 28, 2005 A user can always send individual private reports, but at this time, I do not believe that SpamCop has any interest in going after the forwarded links. SpamCop does what it does for its on reasons and until such time as management feels inclined to make changes to its current methods, we users will simply have to learn to live with its limiltations.
StevenUnderwood Posted October 28, 2005 Posted October 28, 2005 One question I have is, if mole reporting does not send any reports, are they being made use of for any other purpose than adding to black-lists?35090[/snapback] From the Link in the FAQ: What is Mole Reporting?SpamCop now offers new and existing users an option to withhold almost all data - registering reports in SpamCop's database, but never sending reports to the "ISP" (all too often, the spammer, or a spam-friendly host). andSpamCop will then only give information about these "mole" reports as aggregate and unspecific totals. Another question I have is, if the parser is having difficulty finding the ultimate 'target' that the Spammers want people to go to , would it not be possible for the user's computer to supply the information? After all I have never yet failed to get to the 'desired' URL when putting it into the address field in my browser. It is not a question of obfusticating the URL, rather it is the use of forwarding URLs with built in time delays that only stop the parsing machine but never a browser.35090[/snapback] Security concerns would be one problem (you would need to allow spamcop to make a dns lookup from your machine) as well as timing issues (for your information, a web browser will wait a relatively long time retrying an address before throwing up an error). It would be an interesting thought to use the distributed computing model for it, however. This would reduce the computer overhead and allow longer timeouts for things, though the immediacy might be affected. Imagine having your own "spamcop reporter" on your machine which checks it's version against the master for updates, and parses your messages and sends them out. One trouble would be getting any replies to your reports anonymously.
Jeff G. Posted October 28, 2005 Posted October 28, 2005 I second the suggestion that the nature of mole reporting be clarified up front, especially for newbies like me.35090[/snapback] SpamCop.net - Sign up for SpamCop reporting states "Register as a "mole"? [_] What's this?", which links to What is "mole" reporting?, which states the following:As spam defenses and spammers become more sophisticated, many smart spammers have developed very sophisticated defenses against being detected. One of the spammer's strategies is to quickly and effectively remove anyone from their mailing lists who files a spam complaint (until they want to get revenge, and then the use these "remove lists" differently). This is generally (although not always) good for the person filing the complaint, but it is bad for spam defense in general, since these activists are the only ones identifying the problem. By removing the "trouble makers", spammers too often slip "under the radar" and appear to be legitimate senders, even though the majority (or entirety) of the victims don't want the mail (they are just the ones who don't bother to make waves). In the past, SpamCop has attempted to clean outgoing complaints of any identifying information (codes which spammers use to figure out who is reporting them). However, it has become plain that the only way to really sanitize the reports is to not send them at all. So that is exactly what we're going to do. SpamCop now offers new and existing users an option to withhold almost all data - registering reports in SpamCop's database, but never sending reports to the "ISP" (all too often, the spammer, or a spam-friendly host). Some users may wish to file reports, and get themselves removed from any spammer's list who is sophisticated enough to remove them (and take the risk of retaliation). Others may wish to take advantage of this new SpamCop feature and become a "mole." SpamCop will then only give information about these "mole" reports as aggregate and unspecific totals. Truly consciencious ISPs will still find some value in these aggregate numbers, while the less ethical won't be able to "work the system." It is recommended that users pick one mode or the other and use that exclusively. Otherwise, you are likely to get the worst of both worlds. For existing users who wish to become a "mole", either consult your preferences (for paying users) or re-register (for free users). What is confusing about that? Thanks!
PGTips91 Posted October 28, 2005 Posted October 28, 2005 From the Link in the FAQ: What is Mole Reporting?andSecurity concerns would be one problem (you would need to allow spamcop to make a dns lookup from your machine) as well as timing issues (for your information, a web browser will wait a relatively long time retrying an address before throwing up an error). It would be an interesting thought to use the distributed computing model for it, however. This would reduce the computer overhead and allow longer timeouts for things, though the immediacy might be affected. Imagine having your own "spamcop reporter" on your machine which checks it's version against the master for updates, and parses your messages and sends them out. One trouble would be getting any replies to your reports anonymously. 35094[/snapback] Yes, my thought is that experienced users could have some code to run on their computer that would interface with SpamCop and report back the data that is being missed by their parser due to load and timing issues. This would help more than just refreshing the query multiple times as well as taking some load off the server. I am not sufficiently up with distributed computing to know how practical this might be but it may be worth looking into if someone does have the expertise. Paul
Wazoo Posted October 28, 2005 Posted October 28, 2005 I have been reporting as 'mole' for a few months now. Having read the posts above I realised for the first time that 'no reports have been sent'. This is a clarification for me and I second the suggestion that the nature of mole reporting be clarified up front, especially for newbies like me. And to pile on all the Mole stuff posted thus far, please see an item in the Announcments section ... Mole Reporting is Back .. as seen thus far, it's not the data has been forcefully hidden away .... A suggestion as to features desired, why not have a list of suggestions posted that people can vote for and rank them in order of votes? Take a look at Screen sizes / resolutions .. over 600 views, 24 votes, yet this is something for this very application ... Recently I have been looking closer into the parsing of spam and the reasons for certain Spamvertised sites not being reported. What I am seeing is that some Spammers are getting quite clever at using throw-away URLs that simply point to a web site that does not move [as much]. They can use expendable open relays to send from and now they are adding expendable reply-to addresses. This means that they can keep their main site less vulnerable to reporting and shutting down. Not sure why you call this "new" ... perhaps "you" recently discovered/noticed this, but ... This actually takes my browser to MyCanadianPharmacy which I have seen from many similar URLs to the above. Take a look at a walk-through I built up for someone else at http://forum.spamcop.net/forums/index.php?showtopic=5200 Another question I have is, if the parser is having difficulty finding the ultimate 'target' that the Spammers want people to go to , Have you also read through SpamCop reporting of spamvertized sites - some philosophy ? would it not be possible for the user's computer to supply the information? After all I have never yet failed to get to the 'desired' URL when putting it into the address field in my browser. It is not a question of obfusticating the URL, rather it is the use of forwarding URLs with built in time delays that only stop the parsing machine but never a browser. You are mixing symptoms, facts, and results in a bad way. The parser does not follow "forwards" (see the analysis of a browser interaction with one of these referenced above ... the "does not resolve" is not based on a meta-tag delay/refresh/forward codebit ... "your" browser does not have to handle the queries caused by 100's of spam submittals a minute and do all the additional parsing, tracking, recording, sorting, display, e-mail creation, etc., etc., ec., that the Parsing & Reporting system is being tasked to do .. so there are time limits placed on certain functions ... Looking deeper into the habits of Spammers, I think that I see a pattern of them grouping together with 'suppliers' who are willing to provide the necessary services, such as DNS, Domain names, etc, that keeps them in business after they have been 'shut down'. After a few days delay they are back in business with a newly registered domain name and DNS server. Again, you may find this "new" ... but .... Another suggestion would be that SpamCop go after these providers or their up-stream providers as this would increase the difficulties for the actual Spammers exponentially. 35090[/snapback] There was once an experimental phase of expanding the SpamCopDNSBL listing beyond "just the IP spewing the spam" .. rather like a SPEWS escalation ... the collateral damage from this type of expanded SpamCopDNSBL listing brought that to a halt, not fitting into the actual intent of a SpamCopDNSBL listing ... You want expanded IP blocks, upstreams, etc. .. there are other BLs that do this.
PGTips91 Posted November 8, 2005 Posted November 8, 2005 You are mixing symptoms, facts, and results in a bad way. The parser does not follow "forwards" (see the analysis of a browser interaction with one of these referenced above ... the "does not resolve" is not based on a meta-tag delay/refresh/forward codebit ... "your" browser does not have to handle the queries caused by 100's of spam submittals a minute and do all th additional parsing, tracking, recording, sorting, display, e-mail creation, etc., etc., etc., that the Parsing & Reporting system is being tasked to do .. so there time limits placed on certain functions ... Again, you may find this "new" ... but .... There was once an experimental phase of expanding the SpamCopDNSBL listing beyond "just the IP spewing the spam" .. rather like a SPEWS escalation ... the collateral damage from this type of expanded SpamCopDNSBL listing brought that to a halt, not fitting into the actual intent of a SpamCopDNSBL listing ... You want expanded IP blocks, upstreams, etc. .. there are other BLs that do this. 35102[/snapback] Well, I have just processed two new spam emails, both of which link to a new web site. Submitted: Wed Nov 9 07:44:12 2005 +1300: General health * 1550725889 ( 200.121.122.208 ) To: mole[at]devnull.spamcop.net Submitted: Wed Nov 9 07:44:05 2005 +1300: Women's health * 1550722803 ( 24.226.233.3 ) To: mole[at]devnull.spamcop.net On poking around on the 'new' web site I find that it is a reincarnation of MyCanadianPharmacy, complete with a bogus Verisign certificate: -- MyCanadianPharmacy is a Soltrus Secure Site Security remains the primary concern of online consumers. The VeriSign Secure Site Program, brought to you by Soltrus, allows you to learn more about Web sites you visit before you submit any confidential information. Please verify that the information below is consistent with the site you are visiting. Name: Intenational Legal RX Medications Status: Valid Validity Period: 13-SEP-05 - 13-SEP-06 Server ID Information: Country = US State = UT Locality = Layton Organization = Technical Consultants and Experts Group Inc Organizational Unit = TCE Group Organizational Unit = Terms of use at Verisign © 04 Organizational Unit = Authenticated by Verisign Organizational Unit = Member, VeriSign Trust Network Common Name = Intenational Legal RX Medications If the information is correct, you may submit sensitive data (e.g., credit card numbers) to this site with the assurance that: * This site has a VeriSign Secure Server ID, authenticated by Soltrus. * Soltrus has verified the organizational name and that TECHNICAL CONSULTANTS AND EXPERTS GROUP INC has the proof of right to use it. * This site legitimately runs under the auspices of TECHNICAL CONSULTANTS AND EXPERTS GROUP INC. * All information sent to this site, if in an SSL session, is encrypted and protected against disclosure to third parties. To ensure that this is a legitimate Soltrus Secure Site, make sure that: 1. The original URL of the site you are visiting comes from MyCanadianPharmacy 2. The status of the Server ID is Valid. I tried putting just the URL of the Spamvertised site into the parser, several times, but with the same result each time - SpamCop failed to identify this site: — Resolving link obfuscation http://iocdqm.polartop.net/legalrx/?rkpbwvxwntvyrqucruzpodihhoo Host iocdqm.polartop.net (checking ip) IP not found; iocdqm.polartop.net discarded as fake. Tracking link: http://iocdqm.polartop.net/legalrx/?rkpbwvxwntvyrqucruzpodihhoo No recent reports, no history available Cannot resolve http://iocdqm.polartop.net/legalrx/?rkpbwvxwntvyrqucruzpodihhoo I accept that SpamCop regards this as secondary to blocking the source of the spam, but that seems to be a rather feeble way of combating spam. There is an unlimited supply of compromised computers that can be used to send out spam and shutting them down will be an unending task. Paul
Jeff G. Posted November 8, 2005 Posted November 8, 2005 The DNS for iocdqm.polartop.net currently scores an F (failing grade) per http://www.dnsstuff.com/tools/dnstime.ch?n...rtop.net&type=A - no wonder SpamCop's Parser has trouble with it.
Wazoo Posted November 8, 2005 Posted November 8, 2005 I accept that SpamCop regards this as secondary to blocking the source of the spam, but that seems to be a rather feeble way of combating spam. There is an unlimited supply of compromised computers that can be used to send out spam and shutting them down will be an unending task. 35672[/snapback] I'm not quote sure I'm following why this is in a Topic titled "Seems like more spam now" ... Hoever, please provide a Tracking URL un the future ... Report ID numbers are only usable by yourself and the Deputies .... As Jeff G. already stated, the DNS for this site sucks ... and this stuff was just hashed over a few posts back in this very Topic ... However, the following data is provided if you want to get involved in "sgutting the spamvertised web-site down" ... whois -h whois.PublicDomainRegistry.com polartop.net ... Registration Service Provided By: TRI RUBLYA J.S.C. Contact: +7.8123760140 Domain Name: POLARTOP.NET Registrant: Pero Strbe Pero Strbe (nfhbdyrt[at]yahoo.com) Stjepana Radica 1 Metkovic Medjimurakazupanija,20350 HR Tel. +385.20681031 Creation Date: 01-Nov-2005 Expiration Date: 01-Nov-2006 Domain servers in listed order: ns1.healzymen.info ns2.yourbestmedz.info ns2.healzymen.info ns1.yourbestmedz.info Administrative Contact: Pero Strbe Pero Strbe (nfhbdyrt[at]yahoo.com) Stjepana Radica 1 Metkovic Medjimurakazupanija,20350 HR Tel. +385.20681031 Technical Contact: Pero Strbe Pero Strbe (nfhbdyrt[at]yahoo.com) Stjepana Radica 1 Metkovic Medjimurakazupanija,20350 HR Tel. +385.20681031 Billing Contact: Pero Strbe Pero Strbe (nfhbdyrt[at]yahoo.com) Stjepana Radica 1 Metkovic Medjimurakazupanija,20350 HR Tel. +385.20681031 Status:ACTIVE You should note the shiny "creation" date .. 11/08/05 13:53:32 Slow traceroute polartop.net Trace polartop.net (211.172.244.173) ... 61.33.1.162 RTT: 199ms TTL:224 (No rDNS) 211.233.88.156 RTT: 212ms TTL:224 (No rDNS) 211.233.95.2 RTT: 220ms TTL:224 (No rDNS) 211.234.120.138 RTT: 210ms TTL:224 (No rDNS) 211.172.244.173 RTT: 210ms TTL: 49 (polartop.net ok) 11/08/05 14:05:05 whois 211.172.244.173[at]whois.nic.or.kr Please contact following ISP for further information [ ISP Organization Information ] Org Name : Korea Internet Data Center Inc.KIDC, 261-1, Nonhyun-dong, Kangnam-gu Service Name : KIDC Org Address : KIDC, 261-1, Nonhyun-dong, Kangnam-gu [ ISP IP Admin Contact Information ] Name : IP Administrator Phone : +82-2-2086-2924 E-Mail : support[at]kidc.net [ ISP IP Tech Contact Information ] Name : IP manager Phone : +82-2-2086-2924 E-mail : ip[at]kidc.net [ ISP Network Abuse Contact Information ] Name : Network Abuse Phone : +82-2-2086-2918 E-mail : security[at]kidc.net As far as the "forwarding" aspects, apparently there's some .htaccess or possibly some .PHP coding going on with this site (and various sub-domains) as though I can GET the web-page connection data, there is no actual 'content' being returned in my testing ... Not my spam, only playing with snippets of some data as provided ... yet also noting that even if the sites were resolved by the parser in your case .. so what? Mole reports don't go anywhere directly anyway ...????
dbiel Posted November 8, 2005 Posted November 8, 2005 I accept that SpamCop regards this as secondary to blocking the source of the spam, but that seems to be a rather feeble way of combating spam. There is an unlimited supply of compromised computers that can be used to send out spam and shutting them down will be an unending task.35672[/snapback] Unending task? Yes; but it is the task that SpamCop has chosen to take on. SpamCop is not the cureall for spam, it is but one small part of the battle. SpamCop provides a specific and limited service and encourages the use of other blocking/tagging lists, filtering methods, and other practices that all work together to help fight the spam war. SpamCop's email service makes use of several outside BL's as well as an very flexible filtering system plus the use of white and black lists. The parser is a very good tool, but it is far from perfect. The cost in programming time and hardware to try to make it a perfect tool by far outweights the benefits of doing so.
PGTips91 Posted November 16, 2005 Posted November 16, 2005 Unending task? Yes; but it is the task that SpamCop has chosen to take on. SpamCop is not the cureall for spam, it is but one small part of the battle. SpamCop provides a specific and limited service and encourages the use of other blocking/tagging lists, filtering methods, and other practices that all work together to help fight the spam war. SpamCop's email service makes use of several outside BL's as well as an very flexible filtering system plus the use of white and black lists. The parser is a very good tool, but it is far from perfect. The cost in programming time and hardware to try to make it a perfect tool by far outweights the benefits of doing so. 35677[/snapback] I have just reported another spam and Spamvetised site that the parser could not identify. Tracking URL: http://www.spamcop.net/sc?id=z827425775ze1...cd7ca748ae42cez However a DNS search did succeed DNS Lookup: htqrbk.houseportal.biz A record Generated by www.DNSstuff.com How I am searching: Searching for htqrbk.houseportal.biz A record at f.root-servers.net [192.5.5.241]: Got referral to A.GTLD.biz. [took 61 ms] Searching for htqrbk.houseportal.biz A record at A.GTLD.biz. [209.173.53.162]: Got referral to NS1.GREATHEALZNOW.INFO. [took 23 ms] Searching for htqrbk.houseportal.biz A record at NS1.GREATHEALZNOW.INFO. [220.80.107.193]: Reports htqrbk.houseportal.biz. [took 560 ms] Answer: Domain Type Class TTL Answer htqrbk.houseportal.biz. A IN 600 222.122.52.103 houseportal.biz. NS IN 600 ns2.houseportal.biz. houseportal.biz. NS IN 600 ns1.houseportal.biz. ns1.houseportal.biz. A IN 600 222.122.52.103 ns2.houseportal.biz. A IN 600 222.122.52.103 I now understand the position that SpamCop takes on these Spamvertised sites but it would be good to see the information being at least reported and handed on to others who can take action at that level. By the way, I have seen a couple of interesting sites that move the play forward. http://www.internetperils.com/index.php InternetPerils, Inc. provides quantification and visualization products to help insurers, financial institutions, banks, telecommunications providers, government, and enterprises manage their Internet business risks. and http://bestprac.org/ Stop spam : Best Practice in Email spam Prevention and Eradication. BestPrac.Org is a globally focused anti spam organization, founded in January 2001. The purpose of BestPrac.Org is to stop spam worldwide. In recent years, there has been a proliferation of client-side spam blockers and anti spam filters. However, there are even greater technically feasible ways to stop spam than just spam filtering. Most spam filters don't stop spam from being sent, nor in most cases from even being received. spam is merely filtered out of view after the damage of stolen bandwidth and unauthorised use of network and private computer resources has already been done. Such client side spam blockers and anti spam filters have become counter-productive in the fight to stop spam. BestPrac.Org has believed since its inception that the anti spam fight must be addressed at source - particularly at the email server level. All internet users will benefit from greater spam protection as all parties including ISPs, corporations, hosting services and the everyday user adopt BestPrac.Org's Best Practices in email server and network security technology and industry ethics that will identify and block spam at the email server source, or at the earliest possible point along network routes. BestPrac.Org's Principles of Best Practice are essential guides for all people who are involved in any way in either sending or receiving email, whether for private purposes or responsible opt in bulk email, or for those involved in ethical email marketing for business or enterprise. I would be interested in others' thoughts about the above, particularly, as it echoes my own thoughts almost 100% also http://www.antiphishing.org/ for help in reporting Phishing sites. Paul
StevenUnderwood Posted November 16, 2005 Posted November 16, 2005 I have just reported another spam and Spamvetised site that the parser could not identify. Tracking URL: http://www.spamcop.net/sc?id=z827425775ze1...cd7ca748ae42cez 36126[/snapback] And again, I find it interesting that you appear to be set for mole reporting meaning effectively no reports will be sent anyway.
agsteele Posted November 16, 2005 Posted November 16, 2005 I now understand the position that SpamCop takes on these Spamvertised sites but it would be good to see the information being at least reported and handed on to others who can take action at that level. 36126[/snapback] I guess there are a lot of things we might want the SpamCop reporting system to handle but the developers focussed on doing the primary task of identifying the sending source of UCE and it does this exceedingly well. I'm glad they've kept the focus and not been diverted into extra functions which are secondary to the primary objective. Andrew
dbiel Posted November 16, 2005 Posted November 16, 2005 And to build on Steven's reply, your posts and your actions are in total disagreement. The tracking URL listed indicates the following Reports regarding this spam have already been sent: Re: 201.124.182.2 (Silent report about source of mail) Reportid: 1557114663 To: mole[at]devnull.spamcop.net If reported today, reports would be sent to: Re: 201.124.182.2 (Administrator of network where email originates) I now understand the position that SpamCop takes on these Spamvertised sites but it would be good to see the information being at least reported and handed on to others who can take action at that level. It is hard to follow the train of thought here. Being a mole means that no report would be sent, even if the site was found. Note: that even though you see "Report sent to:" notice the destination [at]devnull.spamcop.net or said in other words "sent to the trash can - report can not be delivered" There are several reasons why reports will be sent to the trash "[at]devnull.spamcop.net" instead of being delivered; some of which are: 1) you are reporting as a mole - no reports are ever sent 2) the receipient has been bouncing reports, or has requested that SpamCop stop sending reports. 3) the address appears to be invalid and has been redirected to the trash. Note: this post has been edit in respose to comments by Farelf, a proactive mole reported who stated: I think it is a mistake to imagine we (mole reporters) don't send our own (manual) reports from time to time concerning both originating IPs and spamvertized URLsnote: text in red added to maintain original context. Faralf, thank you for your input.
PGTips91 Posted November 18, 2005 Posted November 18, 2005 And again, I find it interesting that you appear to be set for mole reporting meaning effectively no reports will be sent anyway. 36132[/snapback] Hi Steven, Well, I started sending spam to SpamCop at the end of July this year. When deciding how best to do this, while not exposing myself any more than necessary, I chose to take the 'mole' status. However at the time I had no way of knowing all the ins and outs of this, or of SpamCop's focus on blacklisting sending sites. In fact I am still learning. I would have imagined that SpamCop would take the mole reports, aggregate them and then take whatever action deemed appropriate with this information. The risk of back-lash from spam Gangs, rogue ISPs etc would be better known by them than the uninitiated user and their resources to deal with then also greater. I would be surprised to learn that my efforts have been entirely in vain with respect to Spamvertised sites. But if this is the case, and can be verified, then I will divert my efforts at reporting such elsewhere where the information will be acted on in some useful way. Where is this policy on the part of SpamCop enunciated? Paul
StevenUnderwood Posted November 18, 2005 Posted November 18, 2005 Where is this policy on the part of SpamCop enunciated? 36272[/snapback] THe last publicly available information is in the SpamCop FAQ:What is "mole" reporting?... SpamCop now offers new and existing users an option to withhold almost all data - registering reports in SpamCop's database, but never sending reports to the "ISP" (all too often, the spammer, or a spam-friendly host) ... Your reporting is not "in vain" but since spamcop's database is populated ONLY with the source of the spam, my reading of mole reporting means nothing is done with the spamvertized sites found, making complaining about not finding the spamvertized site information pointless for you. However, it is a problem and in the altruistic sense you are helping other (non-mole) users of the service.
Wazoo Posted November 18, 2005 Posted November 18, 2005 Where is this policy on the part of SpamCop enunciated? 36272[/snapback] Are you following any of the links previously provided? Just which of the FAQ listings have you looked at yet? I'm having a hard time coming up with why you seem not to be able to find any of this data, with three different versions of the SpamCop FAQ existing in public, and all three have links to "What is Mole eporting?" ....???? .... and I previously made note of an existing item in the Announcements Forum that includes dialog between myself and the SpamCop Admin ...
Miss Betsy Posted November 18, 2005 Posted November 18, 2005 I would be surprised to learn that my efforts have been entirely in vain with respect to Spamvertised sites. But if this is the case, and can be verified, then I will divert my efforts at reporting such elsewhere where the information will be acted on in some useful way. I think that someone has already said that SpamCop concentrates on the source IP addresses. AFAIK there is no other place to report where the information will be acted on in some useful way unless you learn how to report manually. Miss Betsy
PGTips91 Posted November 20, 2005 Posted November 20, 2005 I think that someone has already said that SpamCop concentrates on the source IP addresses. AFAIK there is no other place to report where the information will be acted on in some useful way unless you learn how to report manually. Miss Betsy 36285[/snapback] Hello Miss Betsy and thank you for your previous comments which I have not been able to reply to. I appreciate your more mild and positive responses. Taking the hint from yours and earlier postings I went in search of alternative places to report spam. A simple Google search brought up : -- 'Reporting spam' in Google search. Results 1 - 30 of about 12,200,000 for reporting spam. (0.31 seconds) Some sites where various types of spam may be reported, derived from the search, are: -- * FTC Consumer Complaint Form https://rn.ftc.gov/pls/dod/wsolcq$.startup?Z_ORG_CODE=PU01 This goes on to state: -- "If you have a specific complaint about unsolicited commercial e-mail (spam), use the form below. You can forward spam directly to the Commission at spam[at]UCE.GOV without using the complaint form. " * spam Reporting Addresses http://banspam.javawoman.com/report3.html#piracy1 This URL has a lot of specific email addresses to which spam may additionally be reported. Moderator Edit: Large snapshot from Marjolein's site snipped here. Time to once more state that her web-site is also found within the Forum version of the SpamCop FAQ. linked to at the top of this page. One site that interested me is SpamX.com, offering a 30 day free trial of the SpamX software. [$30.00 for one-time licence] Anti spam for any OS - Block & Report junk email - Mac, Windows, Linux, UNIX, Solaris Note, this program not only filters spam, but will send reports to the right parties, as determined by parsing the headers. It does not use black-lists or lists of user-made 'rules' but relies on parsing the header to determine whether it is spam or not [claiming a 99% success rate]. It is cross-platform, based on Java. Check spam is the main interface for all spam received. Check spam allows viewing the Source of the email with all headers without going through the special gyrations required by normal mail clients we might be familiar with, allows viewing mail in Normal mode which includes viewing HTML mail, allows parsing the mail to determine the ultimate source of the spam, allows previewing and sending of reports to the top level ISPs for the source and website links and email links in the spam body as well as any other addresses included in the Additional Addresses list and provides for maintenance of the saved spam folders. So basically this program enables both filtering spam, at the ISP before downloading to your email client, processes the spam in a secure environment, parses the headers and prepares reports to the sending ISP as well as third party email and web addresses spamvertised - all that SpamCop does and more. http://www.spamx.com/ Moderator Edit: snipped Meta tags. Can be seen if above link is followed. Further "advertising" for the same product was snipped, also available by following the above link. I hope this information is helpful for others who feel, as I do, that reporting the target sites that provide the payoff for Spammers is equally if not more important than black-listing their sending sites. Paul
petzl Posted November 20, 2005 Posted November 20, 2005 When deciding how best to do this, while not exposing myself any more than necessary, I chose to take the 'mole' status. 36272[/snapback] using spamcop to report spam (free version) you are best use a free throwaway email account like hard_2_guess_99[ AT ] hotmail com mole status does not much. except, help statistics (bit unclear myself on latest rendition) Better still is to get a SpamCop email account Whitelisting NZ would allow a major majority of your colleagues through but not spam (which SpamCop filters should stop)
PGTips91 Posted November 20, 2005 Posted November 20, 2005 And again, I find it interesting that you appear to be set for mole reporting meaning effectively no reports will be sent anyway. 36132[/snapback] I have back-tracked through the SpamCop site to see what it actually says and have to disagree with most of what has been said to me here in the forum. The page "SpamCop FAQ: What is "mole" reporting?" states: -- Some users may wish to file reports, and get themselves removed from any spammer's list who is sophisticated enough to remove them (and take the risk of retaliation). Others may wish to take advantage of this new SpamCop feature and become a "mole." SpamCop will then only give information about these "mole" reports as aggregate and unspecific totals. Truly conscientious ISPs will still find some value in these aggregate numbers, while the less ethical won't be able to "work the system." To me, that does not suggest at all that 'no reports will be sent'. It simply means that my name and email address [or any other mole reporters] will not be associated with the reports - just the statistics. That should be just as effective, as the preamble states and just as ineffective as sending detailed reports to Korea or China. One would hope that the information is being passed on to other organisations who would be interested in validated information on spam and Spammers and their Spamvertised sites. And, by the way, it was only several clicks deep into the site that much of the information in question became available and was clear only because I have used the site, this forum and thought and discussed it quite a lot. In my opinion, the information needs to be made available up front and in order much more than it is. Paul
dbiel Posted November 20, 2005 Posted November 20, 2005 To me, that does not suggest at all that 'no reports will be sent'. It simply means that my name and email address [or any other mole reporters] will not be associated with the reports - just the statistics. 36329[/snapback] I am sorry to disagree with your interpretation and suggest that you take a closer look at the displayed results after you click on Submit Reports. All reports that have been sent are listed. As a mole reporter I believe that the only reports listed will look like the following taken from one of the URL that you posted. Reports regarding this spam have already been sent: Re: 201.124.182.2 (Silent report about source of mail) Reportid: 1557114663 To: mole[at]devnull.spamcop.net This indicated that only one report was sent. But note to where it was sent: mole[at]devnull.spamcop.net devnull is the unix trash directory. SpamCop maintains a summary list of all "reports" generated which is grouped by report type. So lets take a look at what is on file for 201.124.182.2 which you reported. 201.124.182.2 Listed in bl.spamcop.net Most recent spam reported about 4.7 days ago The following also provides some information http://www.spamcop.net/w3m?action=blcheck&ip=201.124.182.2 Summary reports are just that, summary. They list know many times reports have been submitted (includes mole reports) These summary reports are made available to ISP's that request them. They must be requested. So to restate. Mole reports are not actually sent to anyone other than the unix trash can. The do increment the report counter in the summary report. And they may possibly also be used to increase the time that a IP is listed. (Note: that there is much confusion about this last point and it would be nice to get it clarified with an official statement. But I do not hold out too much hope for that.)
petzl Posted November 20, 2005 Posted November 20, 2005 And they may possibly also be used to increase the time that a IP is listed. (Note: that there is much confusion about this last point and it would be nice to get it clarified with an official statement. But I do not hold out too much hope for that.) 36330[/snapback] I believe there is a "part" score added to SCBL for mole reporting, as is the count used by SpamCop's spam Traps A larger score/count is used by a "normal" SpamCop report meaning a Normal and or unmunged report will list a spamming IP quicker
Miss Betsy Posted November 20, 2005 Posted November 20, 2005 To me, that does not suggest at all that 'no reports will be sent'. It simply means that my name and email address [or any other mole reporters] will not be associated with the reports - just the statistics. IIUC, the statistics are published on the spamcop website for the use of ISPs, but no reports are sent to anyone. It is easy to see why you would assume that possibly reports of statistics were sent. One would hope that the information is being passed on to other organisations who would be interested in validated information on spam and Spammers and their Spamvertised sites. I think it is 'offered' but not sent. IOW, an interested person would have to seek it out. And, by the way, it was only several clicks deep into the site that much of the information in question became available and was clear only because I have used the site, this forum and thought and discussed it quite a lot. In my opinion, the information needs to be made available up front and in order much more than it is. Yes, much of the information about how spamcop works is only available to those who have spent some time ferreting out information. I, too, think it is a mistake. However, the TPTB are single minded - the primary purpose of spamcop is to identify the source of spam, provide a way for ISPs to prevent spam from entering their systems while there is spam spewing, and to provide reports to responsible admins that something has gone wrong so they can fix it. Everything else is 'extra' and, is added and maintained as long as it takes minimal effort - including documentation. The volunteers in this forum (and others in the newsgroups) try to make it easier for others to use and understand. Your viewpoint would be welcome to examine the Forum (version of the SpamCop) FAQ (nobody has any influence on changes in the official FAQ) and make concrete suggestions in the FAQ Under Construction forum. Having signed up long before there were 'mole' reporters, I can't make any comment on what was presented when you chose that option that would make it clearer that no reports are sent. As a matter of fact, I believe that it has gone back and forth several times on whether reports are sent so possibly when you signed up, reports were being sent. I haven't been able to keep fully informed and perhaps Wazoo can give you a correct version. Miss Betsy Moderator Edit: added a bit so as not to confuse someone trying to follow the link to the Forum FAQ and wondering what was missing.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.