TFMail formmail spam

[david1]

Should I report spam submitted using my own web form that is processed with the nms TFMail form mail program? The resulting email goes to my website email address that forwards it to my SpamCop Email account. If I report the email as spam, will SpamCop determine and report the IP address of the http connection that submitted the form? Or will SpamCop report my website as a spammer? I registered my website email service as my mailhost in SpamCop. Related links:

http://www.spamcop.net/fom-serve/cache/270.html

http://nms-cgi.sourceforge.net

[agsteele]

If I report the email as spam, will SpamCop determine and report the IP address of the http connection that submitted the form? Or will SpamCop report my website as a spammer?

It isn't possible to say with certainty as you haven't provided an example but my expectation is that you would report yourself.

You need to fix the form scri_pt to prevent the spam. Most form-to-mail scripts have more secure versions available to prevent this type of problem.

You could check the report by submitting a form and then taking the resulting Email and manually submitting it the SC parser. The result will tell you whether you are reporting yourself. Then CANCEL the report instead of submitting it.

Andrew

[david1]

... manually submitting it the SC parser. The result will tell you whether you are reporting yourself. Then CANCEL the report instead of submitting it.

Is the "SC parser" that allows me to review and cancel a submission the same as the page under the "Report spam" tab and with the "Process spam" button? That page does not say I'll have a chance to review and cancel. I don't want to report myself.

I'm using the latest TFMail, version 1.38 (9 Feb 2006). I don't want to modify it.

Also, I configured TFMail to include, in the body of the emails that it sends to me, a link that I don't want reported by SpamCop.

What should TFMail do to help SpamCop correctly report form mail spam I report?

[StevenUnderwood]

Is the "SC parser" that allows me to review and cancel a submission the same as the page under the "Report spam" tab and with the "Process spam" button? That page does not say I'll have a chance to review and cancel. I don't want to report myself.

If you submit by emailing to submit.x[at]spam.spamcop.net or by pasting into the form and you hit Process spam, you will get a summary of the parse, at which time you need to choose to send or cancel that report. Until you click one of those options, the submitted spam is simply waiting for your action.

Until you see what is going to be reported, we can not answer any other questions you have. You may not be able to use spamcop to report this type of activity as reports may very well report YOUR server.

[agsteele]

Is the "SC parser" that allows me to review and cancel a submission the same as the page under the "Report spam" tab and with the "Process spam" button? That page does not say I'll have a chance to review and cancel. I don't want to report myself.

Yes, this is the page that Steven Underwood refers to. As long as you choose CANCEL the form will not be reported.

I'm using the latest TFMail, version 1.38 (9 Feb 2006). I don't want to modify it.

Also, I configured TFMail to include, in the body of the emails that it sends to me, a link that I don't want reported by SpamCop.

Because form-to-mail scripts can be abused by spammers you are advised to ensure you are using a version that is resistant to such abuse. It really doesn't matter whether you want these Emails submitted, as soon as the spammer begins to abuse your scri_pt you will get reported.

What should TFMail do to help SpamCop correctly report form mail spam I report?

You need to use a scri_pt which has been secured against abuse by spammers.

Andrew

[david1]

The form-to-mail scri_pt I'm using, TFMail 1.38, will send email, including spam, only to the addresses I authorize (me). In a way, I'm glad I get the spam, if I can report it.

I just now submitted, to the parser, spam generated by my form. The parser lists my website as the only source of the spam, even though its the mailhost I specified in SpamCop. The parser also lists links in the message body; 2 of the 3 are mine. So, I won't report the spam.

I'm guessing the spam's email header line "X-Http-Client: [202.143.133.242]" indicates the IP address used to submit my form. But the parser does not report on that.

[Farelf]

I just now submitted, to the parser, spam generated by my form. ...

Hi David - any chance of you posting the Tracking URL for that cancelled report? You can get it from your Previous reports. Then we can see exactly what you are talking about (though the respondents so far seem to be doing a good job of "visualization"). If it contains detail you don't want to see in public then say so and we will just have to work around it.

[agsteele]

The form-to-mail scri_pt I'm using, TFMail 1.38, will send email, including spam, only to the addresses I authorize (me). In a way, I'm glad I get the spam, if I can report it.

Hi David1!

I think you have to resign yourself to receiving this spam unless you work out how the spammer is abusing it and add a clever fix. If you are the only recipient then I'd employ some content filtering and simply send it to the trash. Your server will always be identified as the source because the Email originates from your server. Reporting this type of spew serves no useful purpose since:

1. It doesn't affect the spammer

2. Tells you what you already know: someone is attempting to abuse your scri_pt

3. You are the only person affected: so nobody will report you

Be certain to get the filtering working before any SpamCop filtering since SpamCop will identify the items as spam and you'll need to get them out of your held mail before you report other items.

I just now submitted, to the parser, spam generated by my form. The parser lists my website as the only source of the spam, even though its the mailhost I specified in SpamCop. The parser also lists links in the message body; 2 of the 3 are mine. So, I won't report the spam.

As I understand, the Mailhost config will not protect you in this situation. But in any case, your webserver/scri_pt ip may well be different to your mailserver (registered in mailhost).

That said, do you have access to the logs of visitors to your site? You may well be capturing the IP address of the 'person' accessing your scri_pt. If this is consistent then you could manually raise it with the owner of the IP address and maybe get the problem fixed - at least temporarily. If it is consistently one particular IP or one in a block then you could possibly block access to your server by that ip or ip block.

Andrew

[StevenUnderwood]

I'm guessing the spam's email header line "X-Http-Client: [202.143.133.242]" indicates the IP address used to submit my form. But the parser does not report on that.

If you confirm this part, you COULD use the parser on that IP and manually report to that abuse desk. Depends on the value to you whether it is worth the trouble.

[Farelf]

... I'm guessing the spam's email header line "X-Http-Client: [202.143.133.242]" indicates the IP address used to submit my form.

[Resuming & editing after a short break...] That supposed IP apparently belongs to the Ministry of Education, Thailand. It doesn't seem a likely use for a compromised machine - and a Thai spammer seems relatively improbable. But as Steven Underwood has said, if you could verify the supposition (arrange a test from a known IP for instance) that would be the breakthrough.

[StevenUnderwood]

[Resuming & editing after a short break...] That supposed IP apparently belongs to the Ministry of Education, Thailand. It doesn't seem a likely use for a compromised machine - and a Thai spammer seems relatively improbable. But as Steven Underwood has said, if you could verify the supposition (arrange a test from a known IP for instance) that would be the breakthrough.

Ministry of Education space MAY include university space where there is a comprimised machine or someone playing around.

[DavidT]

Speaking of Thailand, BTW, I'm seeing a sudden increase of incoming spams from Thai IP addresses. Looks like a new Brazil/Korea/China in the making. Here's a link to Thai IP ranges:

http://www.completewhois.com/statistics/da...TH-netrange.txt

DT

[gushi]

Two thoughts.

First, I've seen SOME email forms which create pseudo-headers for the HTTP connection. This would be useful in getting the report working.

Secondly, I'm getting a TON of hits to my own forms with HUNDREDS of urls in responses to the forms. I am thinking that if Spamcop was able to parse these, it could complain to the offending hosts to have the links taken down (just like links in email), and also, the url's could be added to the SURBL (url-based blocklists) that are fed by spamcop.

Unfortunately, unless your system makes it look almost EXACTLY like an email was sent instead of an HTTP transaction, spamcop probably won't gain this functionality by itself. Which is a shame.

[agsteele]

I am thinking that if Spamcop was able to parse these, it could complain to the offending hosts to have the links taken down (just like links in email), and also, the url's could be added to the SURBL (url-based blocklists) that are fed by spamcop.

But bear in mind that the SC parser is designed to identify the source IP of an Email rather than URLs hidden inside messages. So the parser would always have a problem with this type of spam.

The reporting of spamvertised URLs by SpamCop is really more of a courtesy to ISPs. It has no blocking effect.

So you could manually report these if you wish. But my guess is that attempting to redesign the parser would be likely to be a way of taking the eye-off-the-ball as it were.

Andrew