
Time to stop chasing spamvertized URLs


Belinn


Hi All,

I expect there will be disagreement with this proposal, but please read and consider.

I am an abuse desk. I exist because my company wants to be a good net citizen. My job is to stop our users from using our resources to abuse other people or networks.

But I keep getting these "reports" telling me that such and such url was referenced in such and such spam.

And I have been researching them. I diligently waste time searching through logs, and looking at html. And basically 2/3 of these complaints were mis-parsed and the other 1/3 cannot be substantiated by any evidence that I have access to.

These reports are hurting spamcop's credibility with abuse desk people

These reports are also MISLEADING spamcop users into thinking that the solution lies with the host.

Yes, I completely understand why people are mad at the host. They are getting little or no satisfaction from the cable and dsl networks which are filled with zombie spam spewing pcs. Therefore they have to get satisfaction from someone else. Anyone who can plausibly be held responsible for the misery they face each morning when opening the mailbox becomes a target.

So I get these messages which demand that I turn so and so's site off with no evidence at all that so and so actually sent the spam. Is it likely that he sent it? Yah, I guess it is. And it's also likely that someone who doesn't like him sent it. And it's also possible that it has nothing to do with him but is somebody trying to get the cable company, or the hosting company, or the pc owner in trouble.

The only people who can confirm the truth of the complaint, and fix the problem, are the people whose networks are emitting the spam!

Yes, I'm sure some spam would be reduced if hosting companies just turned off anyone about whom they received a complaint. But aren't you guys a little worried that you will be the target of a complaint one day? Have you not seen the websites that tell of years-long joe jobs based on unpopular opinions expressed, or over-competitive competitors?

Spamcop should stop supporting the idea of turning people off without proof of wrongdoing. You technical people here know the limits of the evidence the abuse desk at the hosting company has - the end users for the most part don't.

Spamcop should own up to the fact that they can't accurately parse the crap that spammers put in their messages. They can't reliably work out the interactions between invalid html, invisible links, java script, and just plain bait and distraction.

I swear to you, nobody hates spam more than I do. I've used the same email address since 1995, so I bet you can guess what my mailbox looks like each morning. But I still have to say attacking the hosting companies that DO care, and giving major rudeness and grief to abuse people who are only trying to do what is right, is not helpful.

Thanks for reading :)

Link to comment
Share on other sites

I don't see a "new feature" suggestion / request here. At best, this seems to be a complaint about bad reporting and / or the alleged mis-parsing.

Bad-Reporting has penalties. Make the complaint.

Mis-parsing of a URL? Oddly enough, the normal complaint is the lack of a successful parse of a spamvertised site in a spam. This mis-parsing thing comes up in NANAE all the time, but ... just as seen here ... evidence is not provided.

The only people who can confirm the truth of the complaint, and fix the problem, are the people whose networks are emitting the spam!

Not sure I follow that logic. The source of the spam is one thing, spamvertised web-site is something else. Typically, the spew source has no direct connection to the web-site.

These reports are also MISLEADING spamcop users into thinking that the solution lies with the host

Also not following this .... a spamvertised report has links to allow the involved ISP/abuse staff to "do something" .... shutting down the web-site is only one action that could be accomplished. Another is to flag the site as an Innocent Bystander, which would also stop the inflow of SpamCop.net Reports. But, the ultimate decision on the spamvertised site can only be accomplished by the host of that site ... again, the spam spew source generically has no connection, SpamCop.net has no 'power' beyond the Report (ignoring the possibility of feeding the SURBL)....

Spamcop should stop supporting the idea of turning people off without proof of wrongdoing

Where exactly do you see this stated? Victim receives spam, report is made with the anticipation that analysis will be accomplished. Expectations are that if bad stuff is involved, something will be done. Not totally sure of why a spamvertised web-site report would automatically lead to chasing log files and HTML analysis, but .... that to me implies something else is going on ..

Connecting the dots of your mis-parsing accusations, the chasing log files, etc. puts me in the mind of one who is trying to correlate some data that was hosted by a compromised machine, of which evidence exists on some of these within this Forum. Some spammers running a rotating DNS on a series of infected computers pointing to web-sites hosted on other infected computers .. the parse is but a snapshot of where those pointers were at the time of the parse. And by the time the abuse-desk folks read the complaint, the data has moved on .... most abuse folks know about compromised computers, but some ISPs have no plan for the handling of these issues. Kind of hard to place this on SpamCop.net.

Based on the content of this post, I'm moving it to the Reporting Help Forum with the request that if there is to be any follow-up ... there should be something offered as evidence of the bad-reporting or the mis-parsing so that something can actually be accomplished.

Link to comment
Share on other sites

Actually I do not think it is bad reporting. I believe this is an admin who cannot accept responsibility for a trojaned computer on their network or does not know how to find it. Very sad times we are living in. The blind leading the blind. No wonder why trojans are running wild.

Link to comment
Share on other sites

Spamcop should stop supporting the idea of turning people off without proof of wrongdoing. You technical people here know the limits of the evidence the abuse desk at the hosting company has - the end users for the most part don't.

41629[/snapback]

Thank you for your opinion. Perhaps you misunderstand the reason we send the spamvertized reports. It is so that abuse desks will do exactly what you are doing....INVESTIGATING the issue and shutting them down if a problem exists.

Unfortunately, we are seeing the use of networks of infected machines being used to host sites, sometimes only for a short time. This means by the time you get to investigate, the site has moved. This may be where some/most of your "misparsing" comes from. Spamcop tends to be very strict about what it considers a spamvertized site.

In that type of case, many of us here would like you to inform the user if they show any signs of having an infection and have a way of helping them resolve it, not shut them off.

Link to comment
Share on other sites

I would think most responsible admins would want to act quickly if reported and remove potential trojaned machines in their network. Unfortunately there aren't many of them, and we only see the ones that come here to complain about being overworked!

Link to comment
Share on other sites

[snip]

I am an abuse desk. I exist because my company wants to be a good net citizen. My job is to stop our users from using our resources to abuse other people or networks.

But I keep getting these "reports" telling me that such and such url was referenced in such and such spam.

And I have been researching them. I diligently waste time searching through logs, and looking at html. And basically 2/3 of these complaints were mis-parsed and the other 1/3 cannot be substantiated by any evidence that I have access to.

These reports are hurting spamcop's credibility with abuse desk people

These reports are also MISLEADING spamcop users into thinking that the solution lies with the host.

[snip]

41629[/snapback]

I presume that you work for an abuse desk at a company that hosts web sites -- otherwise you would not care about reports concerning spamvertised sites. When the site of one of your customers is spamvertised, it can be presumed that the customer is a beneficiary of the spamming. They quite possibly did not have anything to do directly with the spam being sent -- they might well not have paid anyone to send the spam -- but they quite possibly have "affiliates" that get paid when someone goes to the spamvertised site with a URL that identifies the affiliate.

If the URL pointing to your customer's site (it's included in the message you get from SpamCop) doesn't include any kind of identifier, it becomes more likely that they paid someone to send the spam, or they created it themselves using another ISP to do the sending (to avoid your company, a "white hat", banning them). It's either that or a Joe Job. Shouldn't you ask them about it? If they say "we had nothing to do with it" you can believe them and ask SpamCop to treat them as an innocent bystander.

If the URL pointing to your customer's site includes an affiliate identifier, you should tell your customer and request that they punish the affiliate -- presumably, their affiliates are not allowed to send spam. If their affiliates ARE allowed to send spam, your customer is complicit in the spamming and you should be able to punish them (after enough complaints).

What I don't understand is why you would normally need to look at logs, or parse java script, or anything like that. SpamCop can't find any URLs that are built by JS. (Can you give an example?) If the site seems to be an innocent bystander, just tell SpamCop -- you don't have to figure out what the _real_ spamvertised site is to do that.

Unfortunately, it seems that some of the people who replied presumed that you work for the ISP that owns the spam source, even though you would have no reason to be talking about spamvertised sites in that case. If you have customers whose sites generate enough "spamvertised site" complaints, you should want to have them stop doing what they're doing or, if they're innocent, do something to mark them as an innocent bystander.

Link to comment
Share on other sites

Hi Folks,

I guess I should have been more clear about some of the things I am trying to say.

I work for a hosting company. We have about 8k ip addresses on our network, and many many tens of thousands of domain names point to those addresses. We have _no_ user maintained systems here, only servers that we configure and manage. Customers have access to various resources through user level accounts.

We have various systems in place to help us prevent and stop our customers from using our resources for network abuse. We keep track of a lot of system activity in order to be able to confirm complaints and know when we have a black hat on one of our systems. I'm not saying we are perfect, but we consider anti abuse to be a significant priority and it gets ongoing attention.

I was a paying spamcop member back when it was just julian. Believe me, we want to eliminate spam just as much as anyone here does.

And what I am suggesting is that spamcop will be MORE EFFECTIVE in stopping spam if it focuses on spam sources, and stops sending reports of spamvertized websites to hosting companies.

You need to understand that the vast majority of spamcop's spamvertized site reports are inaccurate. I know that you won't want to believe this but it is true.

I've spent days reading html, viewing spam in mail programs and browsers, and watching for patterns. Do you know why I would do that? Because my log scanners, time after time after time, show NO traffic coming to the supposedly spamvertized URLs, or if there is traffic, it is all coming from legitimate sources (website referrers, not including webmail pages).

Remember, I'm the hosting company. I can see every file that is part of the site, every rewrite rule, every log line. We do dns for most of these sites - and I can see the log of any changes there too.

The reports are inaccurate, and this is happening because the parsing system cannot accurately tell the difference between bait URLs and real visible clickable urls.

The reader who said that the complaint about the reporting system is usually that it does NOT pick up spamvertized URLs is absolutely right. Because the spammers are hiding the real url in combinations of html and java script, or obfuscating it in ways that cannot be easily (computationally easily) discovered.

Spamcop is honest about the limitations of the parsing system in a technical sort of way, but they aren't honest in a "non technical full disclosure for an end user" sort of way.

They don't come right out and say:

If you complain about the URLs we found in this message you will probably be creating 50 false complaints for every 1 accurate complaint.

Nor do they say:

You shouldn't really expect to hear back on these complaints because most of them will be a pointless waste of time to the administrators who receive them.

Neither do they say:

Please do not abuse the administrator who responds that the referenced site is an innocent third party; We know that almost all of them are.

And they don't say:

The administrator who receives this complaint has no technical means to confirm the guilt or innocence of the accused site. If the site is turned off as a result it will not be based on evidence of responsibility for the spam you received.

Those statements above are the real truth about reporting spamvertized sites from spamcop's parsed result.

I want you to think of the boy who cried "Wolf!"

Day by day, with each inaccurate or unconfirmable report, spamcop loses credibility. Each day an abuse desk person learns through personal experience that spamcop reports are not helpful, and that reviewing them is not a good use of time.

Spamcop should do what it is good at, send reports of spam sources. When it is used for this purpose the spam report ends up in the hands of an administrator who has the technical means to confirm the accuracy of the report, to track the size of the problem, and to require that it be fixed.

I have written to spamcop admins with the specifics of some of the inaccurate reports that sneak by. I don't have permission from my boss to bring our company name into this discussion, and I can't reference tracking urls until I do.

It's been a fairly good week here; only one frustrated victim of referrer spam has threatened to dos us for not turning off a site.

Thanks for reading :)

Link to comment
Share on other sites

OK, a bit of traffic ensued, some ideas floated, and the bottom line now .... this can only be considered as a bit of a rant thing, as no specifics are apparently going to be provided here.

Originally posted into "New Feature Request" Forum, but ....

Moved to "Reporting Help" Forum to possibly resolve the problems pointed to ....

Moved to the "Lounge" area for any further possible discussion, though the lack of specifics seems like the discussion can't go much further.

Link to comment
Share on other sites

Day by day, with each inaccurate or unconfirmable report, spamcop loses credibility. Each day an abuse desk person learns through personal experience that spamcop reports are not helpful, and that reviewing them is not a good use of time.

Spamcop should do what it is good at, send reports of spam sources. When it is used for this purpose the spam report ends up in the hands of an administrator who has the technical means to confirm the accuracy of the report, to track the size of the problem, and to require that it be fixed.

41644[/snapback]

Your opinion is shared by many reporters (and though I can't speak for Julian, from what he said when he introduced Quick Reporting, he seems to agree also that reporting websites is not very productive).

However, an admin responded to a question that I asked him about the effectiveness of blocking based on the websites in the spam and he thought that blocking by URLs caught 25% of spam, IIRC, so there is some use for identifying the URLs in spam. Since most admins use more than one filter, probably a legitimate email containing an IB would make it past the filters.

IMHO, you are looking at the problem from only one angle. SpamCop doesn't lose its credibility for the reports it sends about the sources. The reports about spamvertized sites may occasionally give a heads up to an admin for a spammer who doesn't realize that there are ways to hide. It provides a way of identifying the current spam runs. So it does have a usefulness in spite of the fact that most of what you get is inaccurate. You can just ignore spamcop reports or review them randomly - it is kind of like the problem with bouncing email after acceptance (or the security steps one has to take offline as well as online such as locking doors or providing photo IDs - they all create hassles - how many IDs does a clerk have to check before s/he finds a forged one?).

And I am not an admin so I don't know whether the suggestion that there are infected machines is still a reasonable one or not.

Miss Betsy

Link to comment
Share on other sites

Belinn, since you can't quote specifics here, can you invent an example (for discussion if nothing else) of some of the inaccurate parsing? What sorts of things cause the false reports you're discussing? We should be able to look at this while "protecting the witness" :)

Edit: typos

Link to comment
Share on other sites

The reports are inaccurate, and this is happening because the parsing system cannot accurately tell the difference between bait URLs and real visible clickable urls.

41644[/snapback]

Can't you post some example spam (real ones), replacing the name of the SpamCop-parse-generated spamvertised site with xyz.com (or something else)? Of course you should copy the original message out of the email you received and paste it into the "report spam" window.

I spend a non-trivial time checking the content of spams myself, before reporting, so that I don't report spamvertised sites that aren't really involved. (But I'll admit I spend more time now, having seen your message.) Of course, you don't host genuinely-spamvertised sites so you don't see how many spams there are that either don't attempt to obfuscate the spamvertised site's URL, or that do it in such a way that it's not completely effective.

You also can reply to the message from SpamCop. I (and probably most people) have things set up so that I get any replies from any humans that reply, but not from automatons. (How SpamCop makes that happen, I don't know. Just more magic...) If a SpamCop user has erroneously reported one of your customers, it would be good for everyone if you told them!

Link to comment
Share on other sites

Thanks for responding guys. I realize it's hard to work without examples so here's one:

[ SpamCop V1.527 ]
This message is brief for your comfort. Please use links below for details.

Spamvertised web site: http://snarled.com
http://www.spamcop.net/w3m?i=z1699372247z662e1306f75f64b36a2fbe385e9172d1z
http://snarled.com is 66.172.91.198; Fri, 24 Mar 2006 20:19:47 GMT

[ Offending message ]
Return-Path: <StivetheJAXsaviors[at]cool.net>
Received: from aamtain01-winn.ispmail.ntl.com ([81.103.221.35])
by mtain04-winn.ispmail.ntl.com with ESMTP
id <20060324201846.UKXJ2851.mtain04-winn.ispmail.ntl.com[at]aamtain01-winn.ispmail.ntl.com>;
Fri, 24 Mar 2006 20:18:46 +0000
Received: from x ([81.151.64.246]) by aamtain01-winn.ispmail.ntl.com
with SMTP
id <20060324201845.CKGA15361.aamtain01-winn.ispmail.ntl.com[at]ja.stagg>;
Fri, 24 Mar 2006 20:18:45 +0000
Message-ID: <hqgh_______________________rcvs[at]Joecarter13xggbwkf.com>
From: "Joecarter13" <StivetheJAXsaviors[at]cool.net>
Date: Fri, 24 Mar 2006 20:18:29 +0000
To: x, x, x, x, x, x, x, x, x
Subject: [spam][96.3%] Jack, its my mom and uncle Greg!!!
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset=iso-8859-1

<html>
<head>
<body bgcolor=

"#faffed" text="#000000">
<font color=

#edeff6> irritates! sprinters, persisted boxcars argonauts. </font><br>
<font face="Verdana, Arial" size="2" color=

"#003300">This 
hot oriental mom wanted some cum to go with her sushi! So after a nice dinner 
of rice and noodles, <font color=

#eee9f0> tolerant! functors, Chapman aforesaid myrtle. </font><br>
she's f0kced like a whore and opens her mouth for a huge load of seprm! <a hreflopsidedhref=http://snarled.com href=

"http://www.koaltree.com/page/">go 
here</a> for more!</font> <font color=

#e3f4e4> Stephanie! solely, Libyan spreader Chisholm. </font>
<font color=

#f0f4f3> digestible! ladylike, annoying jesting jailed. </font><br>
</body>
</html>

Link to comment
Share on other sites

Looks pretty straightforward. The parser is finding hreflopsidedhref=http://snarled.com and thinks it is valid. Since hreflopsidedhref is not a valid keyword, this is a simple mistake on the parser's part (probably looking for any occurrence of href within the message). Shouldn't be too difficult to fine-tune it to look only for valid occurrences (either " href" with a leading space or "<href"), since any other occurrences would be an invalid keyword disguised to look like an href.

Wazoo, do you want to kick an email upstream to look at this part of the parser?

Link to comment
Share on other sites

I've played around a bit with the example, but the best I can come up with at this point is that it "has" been fixed. All of my submittal/parser results only come back with the (apparently Yahoo killed) koaltree link that doesn't resolve.

Link to comment
Share on other sites

If this is fixed now, I'm really glad.

But tomorrow the spammers will just mangle the html differently. How do I know this? Experience!

Here's a message I emailed to spamcop two years ago:

Hello,

I have been a big fan of spamcop for a number of years, but there is a problem with your reporting process that is causing us tons of hassle. I really hope you can improve your parsing to deal with this, because it's threatening your credibility when 5 out of 6 reports we get are invalid.

What I see happening is that some spammers are seeding their html with URLs of innocent third parties. It appears that they are using a dictionary word list as the source for these URLs. It may be possible for your software to parse them out as they do not appear ~significantly~ in the html when rendered, but only in the source to create a distraction to services such as yours.

Thanks for your attention to this,

xxxxx
xxxxx



~~~samples below~~~


[ SpamCop V1.3.4 ]
This message is brief for your comfort.  Please use links below for details.

Spamvertised website: http://braziers.com
http://braziers.com is 66.172.77.203; Tue, 30 Mar 2004 20:21:24 GMT
http://www.spamcop.net/w3m?i=z838987395z44b23de335bbd217dbaf5e3decc5d60az

[ Offending message ]
Return-Path: <hydrothermalmeditative[at]worldnet.att.net>
Delivered-To: x
Received: from swdcma.org (adsl-65-66-119-129.dsl.rcsntx.swbell.net [65.66.119.129])
	by marathon.simons-rock.edu (Postfix) with ESMTP id 780DD167F7
	for <x>; Tue, 30 Mar 2004 14:52:39 -0500 (EST)
Received: from scribbles ([200.217.144.206]) by swdcma.org with Microsoft SMTPSVC(6.0.3790.0);
	Tue, 30 Mar 2004 12:40:02 -0600
From: "Beatriz Monson" <hydrothermalmeditative[at]worldnet.att.net>
To: x
Subject: C1A|LIS & LEV|1TRA : D0CTOR & FDA a'pprova1 !
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <SERV___________________be35[at]swdcma.org>
X-OriginalArrivalTime: 30 Mar 2004 18:40:04.0187 (UTC) FILETIME=[6A86E2B0:01C41686]
Date: 30 Mar 2004 12:40:04 -0600

<html><body ><b><font color=#FF0000>
VIA*GRA final1y found a t0ugh cOmpetIt0r -- C1AL|IS & LEV1|TRA! </font></b><br><br>
<font color=#000033> <1>	Overal1 erect1le functi0n	<br>	<2>	Partners' s.atisfaction with s|exua1l Intercourse .	<br>	<3>	s~atisfaction with the hardness of erect11e.	<br>	<4>	DOCT0R & F_D_A a`pproved !</font>
<p><font color=#FF0000><b>
 <a href=http://tells.destaine.com/at>YOUR S0lUTION 1s h~e~r~e</a><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><a href=http://ices.net>^</a><p><a href=http://braziers.com>*</a></p><a href=http://pocketing.org>-</a></b></font>
</P>
</BODY></HTML>
0




[ SpamCop V1.3.4 ]
This message is brief for your comfort.  Please use links below for details.

Spamvertised website: http://scolds.com
http://scolds.com is 66.172.68.186; Mon, 22 Mar 2004 09:01:47 GMT
http://www.spamcop.net/w3m?i=z812170323zc47658abc4775df94801d65f703a9a68z

[ Offending message ]
Return-Path: <adaptivelyploys[at]ameritech.net>
Received: from amst-s3.thi.nl (amst-s3.thi.nl [212.67.170.78] (may be forged))
	by amst-n3.thi.nl (8.10.2/8.10.2) with ESMTP id i2K4sQm29639
	for <x>; Sat, 20 Mar 2004 05:54:26 +0100
Received: from eforward4.name-services.com (eforward4.name-services.com [64.74.96.246])
	by amst-s3.thi.nl (8.12.9/8.12.9) with ESMTP id i2K4sPIi011693
	for <x>; Sat, 20 Mar 2004 05:54:26 +0100
Received: from csproxy.carolstream.org ([64.107.150.2]) by eforward4.name-services.com with Microsoft SMTPSVC(5.0.2195.6747);
	Fri, 19 Mar 2004 21:02:05 -0800
Received: from mig (200-207-205-247.dsl.telesp.net.br [200.207.205.247]) by csproxy.carolstream.org with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13)
	id H2A1NWPM; Fri, 19 Mar 2004 22:41:33 -0600
From: "Ivy Rendon"<adaptivelyploys[at]ameritech.net>
To: x
Subject: C1A-LIS & LEV-1TRA is knOwn as V'IAGRA because it acts quicker and lasts much 10nger!
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <EF4B___________________0ee0[at]eforward4.name-services.com>
X-OriginalArrivalTime: 20 Mar 2004 05:02:05.0250 (UTC) FILETIME=[7D11EA20:01C40E38]
Date: 19 Mar 2004 21:02:05 -0800

<html><body ><b><font color=#FF0000>
postmaster: <br> C1AL-IS & LEV1-TRA  is AlMOND pi1l--it acts quIcker and 1asts much l0NGER! </font></b><br><br>
<font color=#0000FF>  - Save MOney -------- upto 70% <br> - Save Time ---------O.vernight Shipping <br> - No Doctors A|ppointment---------- Needed <br> - No P~rescription ----------- Required <br> - D0CTOR & FDA ------------ A`pproved </font>
<p><font color=#FF0000><b>
 <a href=http://excitable.wenaad.com/at>Y0UR SOlUT10N Is h-e-r-e</a><br><br><br><br><br><br><br><br><br><a href=http://plum.net>^</a><a href=http://scolds.com>*</a><br><a href=http://scrapped.org>-</a></b></font>
</P>
</BODY></HTML>
0




[ SpamCop V1.3.4 ]
This message is brief for your comfort.  Please use links below for details.

Spamvertised website: http://scored.com
http://scored.com is 66.172.68.186; Tue, 23 Mar 2004 13:12:51 GMT
http://www.spamcop.net/w3m?i=z815267887z3266c8d1d1e26b7f1e6183ab4470fecbz

[ Offending message ]
Return-Path: <alabamiancosmos[at]pacbell.net>
Received: from ishara-traders.com ([203.160.130.26])
	by sparkie.nagel.lan (8.12.8/8.12.8) with ESMTP id i2M1LgCm024409
	for <x>; Sun, 21 Mar 2004 20:22:15 -0500
Date: Sun, 21 Mar 2004 20:22:12 -0500
Message-Id: <2004___________________4409[at]sparkie.nagel.lan>
Received: from hopscotch ([80.130.52.238])
	by ishara-traders.com ([203.160.130.26])
	with SMTP (MDaemon.PRO.v6.7.9.R)
	for <x>; Mon, 22 Mar 2004 01:56:38 +0600
From: "Stacie Moussa"<alabamiancosmos[at]pacbell.net>
To: x
Subject: anti-i.mpotence drug to win a|pproval from the u.s. food and drug a~dministration
Mime-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Authenticated-Sender: test[at]ishara-traders.com
X-MDRemoteIP: 80.130.52.238
X-Return-Path: alabamiancosmos[at]pacbell.net
X-MDaemon-Deliver-To: x

<html><body ><b><font color=#FF0000>
CIAL1*S & LEVIT*RA  works in as 1ittle as 3O minutes and 1asts for up to 36 h0urs. </font></b><br><br>
<font color=#000099>*	Overal1 erect1le functi0n	<br>	*	Partners' s`atisfaction with s^exua1l Intercourse .	<br>	*	s*atisfaction with the hardness of erect11e.	<br>	*	DOCT0R_&_FDA a-pproved !</font>
<p><font color=#FF0000><b>
 <a href=http://tending.vroeddd.com/as>YOUR S0lUTION 1s h-e-r-e</a><br><br><br><br><br><br><br><br><br><br><br><br><br><a href=http://hurdle.net>_</a><p><a href=http://scored.com>'</a></p><a href=http://boosts.org>.</a></b></font>
</P>
</BODY></HTML>
0

In the html above the bait urls have a single clickable character. As I said, I think they are choosing them directly out of a dictionary. I think there's a good chance that it's actually the same spammer as the first one I posted - notice no www in the bait URLs?

I choose this email to show you because these complaints are against the same customer account as the one in my first example.

If I dug around in our ticket system I bet I could find 200 complaints against this customer. So far as I have been able to tell, not a single one of them is valid.

Do you really think this is fair?

What would your ISP do after the 200th spam complaint against you? Would they turn you off? Would they block spamcop complaints?

Thanks for reading :)

Link to comment
Share on other sites
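The two bait patterns shown in the samples above (a bogus attribute whose name merely ends in "href", and real anchors whose only visible text is one punctuation character) can be separated from the advertised link with an attribute-aware parse. This is an added example, not code from any poster or from SpamCop; the samples are constructed with placeholder .example hosts, and the loose `naive_urls` scan and the `MIN_VISIBLE_ALNUM` threshold are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed samples modelled on the two spam layouts quoted in this thread.
# Every host name is a placeholder under the reserved .example TLD.
SAMPLE_BOGUS_ATTR = (
    '<html><body><font size="2">filler text '
    '<a hreflopsidedhref=http://bait.example href="http://shop.example/page/">'
    'go here</a> for more!</font></body></html>'
)
SAMPLE_ONE_CHAR = (
    '<html><body><b>'
    '<a href=http://tells.shop.example/at>YOUR SOLUTION is here</a><br><br><br>'
    '<a href=http://bait-one.example>^</a>'
    '<p><a href=http://bait-two.example>*</a></p>'
    '<a href=http://bait-three.example>-</a></b></body></html>'
)

# Assumed threshold: anchors showing fewer alphanumeric characters than this
# (and no image) are treated as bait rather than as the advertised link.
MIN_VISIBLE_ALNUM = 2


def naive_urls(html):
    """Loose scan for 'href=' anywhere in the source (hypothetical stand-in
    for a parser that matches the substring rather than the attribute)."""
    return re.findall(r'href\s*=\s*["\']?([^"\'\s>]+)', html, flags=re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collects <a> tags that carry a genuine href attribute, together with
    the text (or image) a reader would actually see inside the anchor."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = None
            # Attribute names are matched exactly, so 'hreflopsidedhref'
            # is ignored and only the real 'href' value is kept.
            href = next((v for k, v in attrs if k == "href" and v), None)
            if href:
                self._current = {"url": href, "text": "", "image": False}
                self.anchors.append(self._current)
        elif tag == "img" and self._current is not None:
            self._current["image"] = True

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data


def classify_links(html):
    """Return (url, label) pairs; label is 'visible' or 'likely-bait'."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    results = []
    for anchor in parser.anchors:
        alnum = sum(ch.isalnum() for ch in anchor["text"])
        visible = anchor["image"] or alnum >= MIN_VISIBLE_ALNUM
        results.append((anchor["url"], "visible" if visible else "likely-bait"))
    return results


def reportable_urls(html):
    """URLs worth a human look before any report is sent to a host."""
    return [url for url, label in classify_links(html) if label == "visible"]


if __name__ == "__main__":
    for name, sample in (("bogus attribute", SAMPLE_BOGUS_ATTR),
                         ("one-character anchors", SAMPLE_ONE_CHAR)):
        print(name)
        print("  loose scan :", naive_urls(sample))
        print("  classified :", classify_links(sample))
```

The label is a triage hint only: an anchor marked "likely-bait" still resolves if clicked, so the output narrows what a reporter or abuse desk needs to check rather than proving innocence.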

Seems to me there is some due diligence required on the part of the reporters to see what is related to the spam and what is not. I'm not going to report a link to the host/ISP, unless I know that it's related. So from what I gather here, the issue is that people are reporting things they should not and that's an issue for Admins to remind users.

Also, there is an appeal process for links in SpamCop. Why not send a note to the admins regarding the site and getting it appealed? That will make the user have to manually click to report the link and then it will go to SpamCop admin appeals.

Maybe an idea for sites you're constantly getting reports on?

Link to comment
Share on other sites

Also, there is an appeal process for links in SpamCop.  Why not send a note to the admins regarding the site and getting it appealed?  That will make the user have to manually click to report the link and then it will go to SpamCop admin appeals.

41666[/snapback]

The proper way to do this is for the ISP to decide to mark the bait URLs as Innocent Bystanders. Then, only Reporters who have done their homework and agreeable SpamCop Deputies can combine to ask the ISP to reconsider the decisions on a URL by URL basis.
Link to comment
Share on other sites

Just a quick follow up on this. I had an ebay phishing scam e-mail mis-parse today. The first time it parsed it did not find the correct website, only came up with ebay urls. I hit reload on my browser and it parsed correctly the second time. Maybe the deputies should take a closer look at the parser.

Tracking url: http://www.spamcop.net/sc?id=z910438195zf6...aba42e48dfd9dfz

Link to comment
Share on other sites

Thanks for responding guys. I realize it's hard to work without examples so here's one:

[ SpamCop V1.527 ] 
This message is brief for your comfort. Please use links below for details. 

Spamvertised web site: http://snarled.com 
<snip>

41656[/snapback]

Hi, Belinn!

...FWIW, I normally don't much care whether spamvertized sites are reported. There are, however, some cases in which (I can't take credit for this phrasing, I've stolen it) the spamvertized site is the spam. Typically, it's a bunch of noisewords or an apparent "newsy item" and a link to a pharmacy site.

...Isn't the simplest solution in your case to just ignore any reports with the string "Spamvertised web site:" in them?

...Of course, any help you can give to Julian, via the SpamCop Deputies, on how to improve the accuracy of the identification of spamvertized web sites is welcome.... :) <g>

Link to comment
Share on other sites

.....reliably work out the interactions between invalid html, invisible links, java script,  and just plain bait and distraction.

41629[/snapback]

As a newbie round here, who came believing that the Spamvertised site was the most important and useful target, this discussion is welcome education. I was not aware of these particular false trails, nor of the difficulty for service providers, apparently.

The spam I am currently getting tends to have a small number of very boring themes; loss of any of these "services" can only enhance the human condition (IMHO of course!) - HGH, Sex, other Drugs, Copy Watches, Stock Market tips (without URLs) and scam swiss job offers with email addresses hosted by Yahoo MX servers. Other Servers appear mostly to be in China, Korea, Russia and (for some reason) Holland.

Target URLs do not appear to be obfuscated and yet SpamCop does not appear to report them. I have more reading to do! :)

jte, uk

Link to comment
Share on other sites

Do you really think this is fair?

41663[/snapback]

I'm not sure that fairness is an issue with spamvertised URLs.

I'm one of those that consider them to be largely a waste of time and effort (but many others disagree).

However, since SpamCop's reporting of spamvertised URLs is not used to feed the blocklist, nobody is harmed by the message unless, after investigation, you choose to take action because of evidence you find.

As I recall, and I may be wrong, you can indicate that you do not wish to receive reports of spamvertised URLs and that would stop you receiving this stuff which you find unhelpful.

If these reports aren't helping you then filter them out or ask for them to be stopped.

Andrew

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
