Internal spamcop handling: (bondedsender)


Recommended Posts

9 hours ago, grifferz said:

I'm a little confused as to the status of this now.

The current situation from my perspective is that (almost?) all "source of email" reports go only to bondedsender. The only other reports I see are for URLs in the body text.

Is it the case that SpamCop considers this new behaviour as intentional, correct behaviour of the reporting system, or is this acknowledged as a problem that is still being worked on?

Thanks!

Quick reporting option is a work around.


On 8/10/2024 at 8:42 AM, ninth said:

This is not the case... the app works out the email/IP that really sent the spam, which can be faked, and reports to the responsible network admins indicated by the whois are sent out. The spammers use VPNs, IP/email forgery, and hack servers and email account passwords not using 2nd authentication, or use an alias to hide the sender in the inbox. Every possible scenario where there is an exception to the rule cannot reasonably be predicted by the programmers, and the changes to fix it cannot be made on the fly when 50,000 plus spam abuse reports are processed every 24 hours.

The only lines in the header which cannot be forged are those in the stamp applied by the sending mailserver as a mail leaves it, which is what SpamCop uses to determine the source of the spam. All the rest of the header, and indeed the whole e-mail, can be and is forged by the sender.

Often the "To" line is replaced by the victim's e-mail address. This is done by simple scripting and mass pasted into the spam from the DVD during the spam run, to make the poor victim believe they have been "hacked".

Spam headers often make entertaining reading if you have time. The BS that is put into them proceeds from the "master spammer"'s imagination, who thinks it will have Heaven knows what "magical" effects. Read only for personal entertainment though.

"Received" isn't one line but a group of them, all of which can be forged.


17 hours ago, fliptop said:

One of my clients just had his Office365 account hacked and it was immediately used to pump out spam to his whole contact list and a bunch of other recipients.  It happens all the time.

By "hacked", do you mean that your client's account's name and password have become known to criminals?

In that case they should immediately change their password and if possible, account name, block any credit card etc. details which may have been on the website, notify their bank and keep the account under close scrutiny. This is very serious but fortunately not very common. Criminals don't usually get that far.

On the other hand, if it is the case, such "hacking" is done when a user has been tricked into giving criminals their username and password, and the account has sufficient privileges to let a criminal using it further pervert the site. Usually this will be via a ransomware attack.

But please be aware that there are many, many spams about whose senders claim that their victim's account has been "hacked", but that the victim should not be spooked by this and just report the mails as spam. As they're spamming there will be a compromised or criminal-controlled mail server involved, and this will help get anything coming from that server blacklisted. I send many such reports almost every day and I have never been really "hacked", colourful though the language is in these spams. Unfortunately the term "hacked" is bandied about far too much these days which only benefits criminals. Real hacking is a complex skill which few possess.

Then, re "pump out spam". It would be very unusual for criminals to use a victim's account to "pump out spam". The pumping is done via a compromised or criminal-controlled mailserver using a forged sender's address. If you report such a spam, you will see that server listed in the report, and if the report is made quickly, the server stands a good chance of getting on to the SpamCop blacklist, which will effectively stop the "spam run".
 


3 hours ago, Spamnophobic said:

[...]

"Received" isn't one line but a group of them, all of which can be forged.

"Received" lines are attached, one by one, by the various routers through which the message passes.

Each router adds a line saying what amounts to "I am a.b.c.d and I got this from w.x.y.z" and it adds that before any Received lines already there so that the top one(s) of them was (or were) added by your own mailhosts, which SpamCop knows about. As soon as the SC parser comes, while parsing the Received lines, to an IP address not belonging to one of your mailhosts, it says "Will not trust this Received line" and discards the rest of the Received lines, which may have been forged; but the ones appearing first in the message headers, and which were put there last, cannot have been forged because they were put there after the message left the spammer. This is how SpamCop used to (and still ought to) determine where the message came from.

Other headers, including the "From" line, can be forged and usually are.
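The walk described in the last two posts (start at the top Received line, keep going while the handing-off IP is one of your own mailhosts, stop at the first one that is not, and ignore everything below it because the sender could have written it) is easy to show in code. The Python below is an added example written for this thread; it is not SpamCop's parser or anyone's posted code. It assumes a hypothetical mailhost list MY_MAILHOSTS, two constructed messages (SAMPLE and INTERNAL_SAMPLE), and, as this example's own assumption, treats RFC 1918 and loopback hops at the top of the chain as part of your own infrastructure rather than as an unknown source.

```python
import ipaddress
import re
from email import message_from_string

# Hypothetical: the IPs of the recipient's own mailhosts (an MX and an
# internal relay). In SpamCop terms this is the mailhosts configuration
# the parser "knows about".
MY_MAILHOSTS = {"192.0.2.10", "192.0.2.20"}

# Assumption of this example: private and loopback hops are internal
# infrastructure of our own, so they are trusted like MY_MAILHOSTS.
# Listed explicitly rather than via ip.is_private, which also matches
# the documentation ranges used in the samples below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample, not a real spam. The top two Received lines were
# stamped by our own hosts; everything below them, including a Received
# line claiming the mail came from a bank and the From/To lines, was
# written by the sender and proves nothing.
SAMPLE = """Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby imap.example.net (Postfix) with ESMTP id AAA
\tfor <victim@example.net>; Mon, 5 Aug 2024 10:00:02 +0000
Received: from relay.spammer-mail.test (unknown [203.0.113.45])
\tby mx.example.net (Postfix) with ESMTP id BBB
\tfor <victim@example.net>; Mon, 5 Aug 2024 10:00:01 +0000
Received: from [10.0.0.5] (helo=totally-legit.example.com)
\tby relay.spammer-mail.test with ESMTP id CCC; Mon, 5 Aug 2024 09:59:00 +0000
Received: from mail.bank.example (mail.bank.example [198.51.100.7])
\tby mx.bank.example with ESMTPS id DDD; Mon, 5 Aug 2024 09:58:00 +0000
From: victim@example.net
To: victim@example.net
Subject: your account was hacked

pay up
"""

# Constructed sample of a message that never left our own infrastructure.
INTERNAL_SAMPLE = """Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby imap.example.net (Postfix) with ESMTP id EEE; Mon, 5 Aug 2024 11:00:01 +0000
Received: from webmail.example.net ([10.1.2.3])
\tby relay.example.net (Postfix) with ESMTP id FFF; Mon, 5 Aug 2024 11:00:00 +0000
From: colleague@example.net
Subject: lunch

noon?
"""

# "from <clause> by <host> ..." with folding whitespace already collapsed.
RECEIVED_FROM_RE = re.compile(r"^from\s+(?P<clause>.*?)\s+by\s+", re.I)
# The literal address the receiving host recorded, e.g. "[203.0.113.45]".
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def handoff_ip(received_value):
    """Return the IP the stamping host says it received the mail from, or None."""
    text = " ".join(received_value.split())  # unfold the header
    m = RECEIVED_FROM_RE.match(text)
    if not m:
        return None
    ipm = IP_RE.search(m.group("clause"))
    if not ipm:
        return None
    try:
        return ipaddress.ip_address(ipm.group(1))
    except ValueError:
        return None


def is_ours(ip, trusted):
    return ip in trusted or any(ip in net for net in INTERNAL_NETS)


def find_source(raw_message, mailhosts):
    """Walk Received lines top-down; stop at the first hop not made by us."""
    trusted = {ipaddress.ip_address(h) for h in mailhosts}
    msg = message_from_string(raw_message)
    chain = []
    for value in msg.get_all("Received", []):
        ip = handoff_ip(value)
        if ip is None:
            # Rather than guess, refuse: a report to the wrong admin is worse
            # than no report.
            return {"source": None, "trusted_hops": chain,
                    "reason": "unparseable Received line; stopping without a guess"}
        if is_ours(ip, trusted):
            chain.append(str(ip))
            continue
        # This stamp was applied by one of our hosts after the message left
        # the sender, so the address it records is the one to report.
        return {"source": str(ip), "trusted_hops": chain,
                "reason": "first handoff from outside our mailhosts"}
    return {"source": None, "trusted_hops": chain,
            "reason": "every hop is ours; message was submitted internally"}


if __name__ == "__main__":
    print(find_source(SAMPLE, MY_MAILHOSTS))
    print(find_source(INTERNAL_SAMPLE, MY_MAILHOSTS))
```

Run on SAMPLE the walk trusts the 192.0.2.10 hop, reports 203.0.113.45 as the source, and never looks at the forged bank line or the "From" header beneath it; on INTERNAL_SAMPLE every hop is ours and nothing is reported. The decision depends entirely on the mailhost list being right, which is why SpamCop's behaviour changes when a configured mailhost is wrong or missing.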


This is getting off topic but relevant to the forum. SC gets straight to the point by only blocking at the IP level. Shared/free IPs and compromised servers are often causes for blocking and the users assume they are mistakenly blocked as evident by the posts here. Spammers hack servers to use old or new email addresses and send out thousands of emails a day from the IPs and .com until the logs are checked. Individual IPs are far less stealthy than those in bad neighborhoods where most spam originates. The private IP addresses in the header starting with 10 and VPNs cannot be traced.   


I've reported one spam a few minutes ago, and it did not go to "internal SpamCop handling: bondedsender" but AFAICT to the actual originating ISP. Let's keep fingers crossed...


Yes, the final fix was pushed out about 5 hours ago. It was tested to death in sandbox late last week before final approval to go hot this morning. We did have an alternative fix earlier but opted to wait out for this fix as permanent. The quick fix obviously would have lowered the priority on the permanent fix, which could then become forgotten.

I've tested heavily this morning and have seen no glitches.

Richard


Yes, it's true. I've just posted 6 reports, and in every case, a submission is made to the handling address associated with the sending IP.

All credit due to fixing in a calm and dignified manner. Appreciate what it's like to have the pressure on, to expedite a fix without following due process.

✔️


19 hours ago, Richard W said:

Yes, the final fix was pushed out about 5 hours ago. It was tested to death in sandbox late last week before final approval to go hot this morning. We did have an alternative fix earlier but opted to wait out for this fix as permanent. The quick fix obviously would have lowered the priority on the permanent fix, which could then become forgotten.

I've tested heavily this morning and have seen no glitches.

Richard

All our thanks to Richard and the SpamCop admins and deputies. As soon as the gentlemen spammers are so kind as to send me another spam, I will test it.


10 hours ago, Spamnophobic said:

Yes, reporting now working normally. The mysterious "bonded sender" seems to have disappeared. We will never know what this really meant, but that is part of the mystique of SpamCop.

Just a legacy issue where, during the last millennium, SpamCop members agreed to allow whitelisting of bonded sender, a former whitehat that has merged (or been merged) with other conglomerates, many of which are still whitehat (not blackhat). A whitelist overrides a blacklist.

Edited by petzl

  • 2 weeks later...

Thanks.  I haven't had any failures since then.  So nice to be able to have reports going to the right places - hopefully they actually read the reports and do something about it.  Sometimes it feels so futile fighting against spammers.


What actually happens if you report a spam correctly goes like this. A report is sent to the registered administrator of the server which forwarded the spam, telling them that their server is being used for spamming. If they want to do something about this they can (a) block further spam from being forwarded, (b) take further steps to avoid their server being put on the SpamCop blacklist. This blacklist is used by very many other mailserver administrators to tune their "spambox" settings. I.e. users getting mail from that address will see that the mail has been placed in their spambox so that they can discard it or not at their choosing. Some mail administrators just delete such mails, so the user never even gets the choice. This policy is not recommended by SpamCop but is the choice of the relevant mail administrator. Some users get very worked up about this, but it is really and always simply the choice of their own mail administrator.

More importantly, reported spam via a mail server on the SpamCop list, if the administrator be conscientious (whitehat), will lead to the administrator taking swift action to block the "spamrun" (early blocking puts a spanner in their works) and thereafter better defend their server against spam relaying. Spamming can be as "innocent" as saying "buy more viagra" or as criminal as persuading people that their account has been "hacked" and they have to pay extortion to get it unhacked. It's not innocent. The trick is always the same: send a victim mail that looks like it is sent from their own mail address, or any other address, which can easily be forged. And that via a script on a DVD times x million or more.

I hope some posts could redirect to this explanation, as I don't have time to keep repeating it.

JonDaley I hope I have helped you feel less futile fighting spam.

Spamnophobic


Ask if it can be bumped up or pinned. Either way, forum users have the ability to do their own research by using the search function, so would it be better to start a topic to find it easier? I've noticed a lot of newbies only create one topic and/or post and leave, and they are often not that technical but very good at the business they run.


On 7/21/2024 at 9:07 PM, AmyLynn said:

I emailed the ADMIN. I thought about doing it yesterday. But I thought coming here would be enough. Still broken for me as well. EVERYTHING I report.

It's great that you talked to the administrator, but it's clear that extra follow-up is required. Documenting each incident and that link with support can help to expedite the resolution process.
