
Recent slight tsunami


Hi persistent spamfighters,
Recent weeks have seen a "mini tsunami" of spam against my spamfiltering e-mail aliases. They are all extortion spams of the familiar type. The addresses they are against seem to have been collected together for some sort of big effort on the part of spammers.

Typical tracking URLs:

typical backscatter

report in Spanish of original extortion spam

report in Dutch of original extortion spam

There has been much backscatter, whereby spammers have inserted my e-mail aliases as senders, and clueless e-mail systems have bounced the spam back to my alias. Interesting, however, is that these bounces have been forwarded to SpamCop. SpamCop normally greets inline forwards with a "SpamCop encountered errors" message, but does accept forwards as an attachment. The clueless bouncers send the message back to "me" as an attachment.

But how on earth does it get from there to SpamCop? Of course I am fine with spam or backscatter being forwarded to SpamCop. There was once a lot of discussion about whether backscatter could be reported as spam, but if I remember correctly this was resolved with the decision that any unsolicited mail, including backscatter, could be reported, and on that basis I have been diligently reporting the backscatter too.

But what is the step that leads backscatter to be reported to SpamCop after "bouncing" as attachments by the clueless mail servers, without my intervention to report it?

Anybody any idea?

Meanwhile "my" spam tsunami seems to be slowly abating, with only backscatter reverberating around like residual waves on the sea. And I'm not too bothered as I have well-proven spam defences, even in these times of war. Alexai please note.

But just curious how this particular step would have worked.


PS if this is some new line of defence by SpamCop which shouldn't be made public, I am fine with that. A PM would suffice.

Link to comment
Share on other sites

no, those are only visible for the reporter (OP.)

On 11/17/2023 at 12:48 PM, Spamnophobic said:

the top one is the link we can use, the other two, the OP would need to access those reports and post the tracking URLs.
I sometimes go into [Past Reports] tab and select from the reporting time I choose the spam I'm interested in. There, it depends on which link was chosen:
1. I always choose my own reported link (to myself) where at the bottom,
   below the drop-down box   (Please select one..) and the [Proceed] button (I don't use those)
   there is a link
   Show how SpamCop traced this message

   which is actually the tracking URL, but only for my own report.

2. If the link clicked is a different one (for one of the ISPs,) then at the top there is a
    Parse link which again is the tracking URL (not the address shown in the URL bar for that page itself)

3. or by clicking on either link to get to the parse screen and post the tracking URL given there as
     Here is your TRACKING URL - it may be saved for future reference:

all three aforementioned and given links point to the same spam on my reports, but each taken from a different source.


Link to comment
Share on other sites

  • 2 weeks later...

This is known as "snowshoe spam". Spammers still appear to be trying to use as many different mail servers as possible, apparently to avoid reports accruing to any one server and get it on the Spamcop (and other) BL. Though in the current spamstorm (Dec. 4th 2023) they seem to have thrown caution to the wind and are hammering at least one server, in Brazil. It's all extortion spam, and I hope anyone on this forum knows better than to fall for that.

Link to comment
Share on other sites

Brazilian mailserver administrators seem to be the only ones recently repeatedly sending spam over the same server. I always report, also to Brazil, of course. What e-mail address is the "invoice accounts dept."? Don't know what the "invoice accounts dept." might be. Receiving much spam from Brazilian servers (.br is the identified source).

Meanwhile I'm receiving large amounts of backscatter now. Do so many so-called "administrators" still not realise that the address forged in the sender e-mail is not the source of the spam? They're clearly not worthy of the title "administrator". I still keep reporting them in the hope that once they're on the SC blacklist/blocklist they will one day understand that sending autoreplies etc. (out-of-office, non-delivery etc.) back to the sender listed in the header (easy for spammers to forge) should be disabled? Perhaps they'll notice when their customers can no longer send e-mails because they're on the SC blacklist !!!@? Lazy administrators watch out.

Of course the backscatter getting submitted to SpamCop is simply because my e-mail spam detection is set to forward spam to my spam aliases to SpamCop, which generates a "SpamCop errors encountered" message which does give me a heads-up to resubmit it manually as an attachment. I have nagged my e-mail provider to provide an option "forward as attachment" but they have not proved willing to do that, though to their credit they have allowed me multiple aliases to allow me to select spam and send it manually.

As long as it is included as an attachment, which it is in the case of a rejection e-mail or out-of-office reply, it is however submitted.

Link to comment
Share on other sites
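The check discussed in the post above, as an added example that is not part of the thread and not SpamCop's own parser: it opens a bounce, pulls out the original message attached as `message/rfc822`, and separates the forged sender from the host that actually handed the spam over. The sample bounce, all addresses and the `analyze_bounce` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed bounce: every host and address is made up (.example names,
# documentation IP range). The original spam rides along as message/rfc822.
SAMPLE_BOUNCE = """\
Return-Path: <>
From: MAILER-DAEMON@mx.bouncer.example
To: alias@victim.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Could not deliver to nobody@bouncer.example

--b1
Content-Type: message/rfc822

Received: from pc (unknown [203.0.113.77])
 by mx.bouncer.example; Mon, 4 Dec 2023 10:00:00 +0000
From: alias@victim.example
To: nobody@bouncer.example

Constructed spam body.
--b1--
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def analyze_bounce(raw):
    """Classify a message as backscatter and name the host that sent the spam."""
    msg = message_from_string(raw)
    auto = (msg.get("Return-Path", "").strip() == "<>"
            or msg.get_content_type() == "multipart/report")
    inner = next((p.get_payload(0) for p in msg.walk()
                  if p.get_content_type() == "message/rfc822"), None)
    if inner is None:
        return {"backscatter": False, "forged_sender": None, "source_ip": None}
    forged = parseaddr(inner.get("From", ""))[1].lower()
    me = parseaddr(msg.get("To", ""))[1].lower()
    # Topmost Received of the embedded copy is assumed to be the one the
    # bouncing server wrote itself; lower ones can be forged by the sender.
    hops = inner.get_all("Received") or []
    m = IP_RE.search(hops[0]) if hops else None
    return {"backscatter": auto and forged == me,
            "forged_sender": forged,
            "source_ip": m.group(1) if m else None}
```
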

On the forged email address from the sender: that is the preferred method used by pirates, because they send out en masse and don't want a reply or to unsub but want the target to open links and fill in forms, and they will do anything to get credit card details. The sender wants value for money for the $50 or so they paid for the lead, and if they get no joy then the info is on-sold to the next catch-of-the-day company. The SC app is not interested in the email address, and that's up to you to block; the app's job is to pull apart the raw message to RESOLVE the source of the IP of the sender. This setup is practically not-for-profit, run by volunteers on a shoestring budget, and any spending is on a ROI basis with the exception of the management of the SC email system.

The extortion spam you refer to is more scam than spam, and SC treats them the same way, but there's a big difference in the outcome to the victims - crooks stealing private info, ID theft and/or money, compared to outsourced sales and marketing call centres aggressively pursuing the customer and breaching express-consent privacy laws while they're at it. Are scams more a police matter than a bunch of code designed to reduce unwanted emails?

Link to comment
Share on other sites
