Recent slight tsunami

[Spamnophobic]

Hi persistent spamfighters,
Recent weeks have seen a "mini tsunami" of spam against my spamfiltering e-mail aliasses. They are all extortion spams of the familiar type. The addresses they are against seem to have been collected together for some sort of big effort on the part of spammers.

Typical tracking URLs:

https://www.spamcop.net/sc?id=z6872438022z3beec9a957231590a431826637bc21f0z
typical backscatter

https://www.spamcop.net/mcgi?action=gettrack&reportid=7298440529
report in Spanish of original extortion spam

https://www.spamcop.net/mcgi?action=gettrack&reportid=7297979107
report in Dutch of original extortion spam

There has been much backscatter, whereby spammers have inserted my e-mail aliasses as senders, and clueless e-mail systems have bounced the spam back to my alias. Interesting is however that these bounces have been forwarded to Spamcop. Spamcop normally greets inline forwards with a "SpamCop encountered errors" messages, but does accept forwards as an attachment. The clueless bouncers send the message back to "me" as an attachment.

But how on earth does it get from there to SpamCop? Of course I am fine with spam or backscatter being forwarded to SpamCop. There was once a lot of discussion about whether backscatter could be reported as spam, but if I remember correctly this was resolved with the decision that any unsollicited mail, including backscatter, could be reported, and on that basis I have been diligently reporting the backscatter too.

But what is the step that leads backscatter to be reported to SpamCop after "bouncing" as attachments by the clueless mail servers, without my intervention to report it?

Anybody any idea?

Meanwhile "my" spam tsunami seems to be slowly abating, with only backscatter reverberating around like residual waves on the sea. And I'm not too bothered as I have well-proven spam defences, even in these times of war. Alexai please note.

But just curious how this particular step would have worked.

Cheers.

PS if this is some new line of defence by SpamCop which shouldn't be made public, I am fine with that. A PM would suffice.

[ninth]

On 11/18/2023 at 5:48 AM, Spamnophobic said:

https://www.spamcop.net/mcgi?action=gettrack&reportid=7298440529
report in Spanish of original extortion spam

https://www.spamcop.net/mcgi?action=gettrack&reportid=7297979107
report in Dutch of original extortion spam

Not authorized to look at these?

[RobiBue]

no, those are only visible for the reporter (OP.)

On 11/17/2023 at 12:48 PM, Spamnophobic said:

Typical tracking URLs:

https://www.spamcop.net/sc?id=z6872438022z3beec9a957231590a431826637bc21f0z
typical backscatter

https://www.spamcop.net/mcgi?action=gettrack&reportid=7298440529
report in Spanish of original extortion spam

https://www.spamcop.net/mcgi?action=gettrack&reportid=7297979107
report in Dutch of original extortion spam

the top one is the link we can use, the other two, the OP would need to access those reports and post the tracking URLs.
I sometimes go into [Past Reports] tab and select from the reporting time I choose the spam I'm interested in. There, it depends on which link was chosen:
1. I always choose my own reported link (to myself) where at the bottom,
   below the drop-down box   (Please select one..) and the [Proceed] button (I don't use those)
   there is a link
   Show how SpamCop traced this message

   which is actually the tracking URL, but only for my own report.

2. If the link clicked is a different one (for one of the ISPs,) then at the top there is a
    Parse link which again is the tracking URL (not the address shown in the URL bar for that page itself)

3. or by clicking on either link to get to the parse screen and post the tracking URL given there as
     Here is your TRACKING URL - it may be saved for future reference:
     https://www.spamcop.net/sc?id=z6872954240z195cc201101d96d3efa15fe9001511f2z

all three aforementioned and given links point to the same spam on my reports, but each taken from a different source.

HTH
  

[Spamnophobic]

This is known as "snowshoe spam". Spammers still appear to be trying to use as many different mail servers as possible, apparently to avoid reports accruing to any one server and get it on the Spamcop (and other) BL. Though in the current spamstorm (Dec. 4th 2023) they seem to have thrown caution to the wind and are hammering at least one server, in Brazil. It's all extortion spam, and I hope anyone on this forum knows better than to fall for that.

[ninth]

Although Brazil has historically been known for sending high amounts of spam and bot ip's, in recent years the govt used stats from spamcop to help combat spam so reporting does make a real difference. Send the invoice accounts dept.

[Spamnophobic]

Brazilian mailserver administrators seem to be the only ones recently repeatedly sending spam over the same server. I always report, also to Brazil, of course. What e-mail address is the "invoice accounts dept."? Don't know what the "invoice accounts dept." might be. Receiving much spam from Brazillian servers (.br is the identified source).

Meanwhile I'm receiving large amounts of backscatter now. Do so many so-called "administrators" still not realise that the address forged in the sender e-mail is not the source of the spam? They're clearly not worthy of the title "administrator". I still keep reporting them in the hope that once they're on the SC blacklist/blocklist they will one day understand that sending autoreplies etc (out-of-office, non-delivery etc.). back to the sender listed in the header (easy for spammers to forge) should be disabled? Perhaps they'll notice when their customers can no longer send e-mails because they're on the SC blacklist !!!@? Lazy administrators watch out.

Of course the backscatter getting submitted to SpamCop is simply because my e-mail spam detection is set to forward spam to my spam aliasses to SpamCop which generates a "SpamCop errors encountered" message which does give me a heads-up to resubmit it manually as an attachment. I have nagged my e-mail provider to provide an option "forward as attachment" but they have not proved willing to do that, though to their credit they have allowed me multiple aliasses to allow me to select spam and send it manually.

As long as it is included as an attachment, which it is in the case of a rejection e-mail or out-of-office reply, it is however submitted.

[ninth]

On forged email address from sender that is the preferred method used by pirates because they send out in mass and don't want a reply or to unsub but want the target to open links fill in forms and they will do anything to get credit card details. The sender wants value for money for the $50 or so they paid for the lead and if they get no joy then the info is on sold to the next catch of the day company. The SC app is not interested in the email address and that's up to you to block and the apps job is to pull apart the raw message to RESOLVE the source of the IP of the sender. This setup is practically not for profit run by volunteers on a shoestring budget and any spending is on a ROI basis with the exception of the management of the SC email system.

The extortion spam you refer to is more scam than spam and SC treats them the same way but there's a big difference in the outcome to the victims - crooks stealing private info id theft and or money compared to outsourced sales and marketing call centres aggressively pursuing the customer and breaching express consent privacy laws while they're at it. Are scams more a police matter than a bunch of code designed to reduce unwanted emails?