showker Posted December 15, 2006

For the past two weeks, SpamCop's reports have not included the Link or Site advertised in the spam. Consequently, the reports have stopped reflecting the actual spammer.

Telarin Posted December 15, 2006

Not sure I understand the question. I have been reporting spamvertised sites and the reports have been going where expected. Do you have a tracking URL showing one of the submitted spams with this problem?

turetzsr Posted December 15, 2006

Hi!

...First, I would like to refer you to the SpamCop FAQ (see link near top left side of page) entry labeled "SpamCop reporting of spamvertized sites - some philosophy." If you have questions after reading that, please do return here to ask.

...Next, I would like to refer you to the SpamCop Forum "Search for" capability (see form fields very close to the top of the page) to find other SpamCop Forum threads which discuss exactly this same issue. I would suggest you use "spamvertized OR spamvertised" as your key words for the search.

...Finally, I would recommend you supply a tracking URL that demonstrates an example of the behavior to which you refer so that we have a context in which to discuss the specifics of the matter you raise.

Thanks!

showker Posted December 15, 2006

No, no, no... that's not at all what I refer to.

Over the entire history of SpamCop reporting, the report would always return with included links... they would include "admin of websites referenced in spam" along with the offending links. (These 'offending' links would be the actual spammer's site that the spam wants you to click to -- as opposed to *who* sent the spam -- as we know, *who* sent the spam is usually a forged address that leads nowhere.)

However, in the past two weeks or so, these sites "referenced in the spam" have been OMITTED from the reports. So the admins of those sites have NOT received SpamCop complaints.

In the case of Phishing -- this defeats the entire purpose of SpamCop reports, because the 'spoofed' victim -- be it eBay or Paypal, or whoever -- have not been alerted. Worse yet, the admins of the servers and networks hosting the phisher have not been alerted either. Only the admin of the network where the spam originated.

So, that's the question -- How come SpamCop no longer references links within the message of the spam?

Telarin Posted December 15, 2006

As I said, spamvertised links in my submissions have been being reported just fine. Please provide a tracking URL to one of your messages that is not, there may be a specific reason that it is not.

Also, how are you submitting your messages to spamcop? VER reporting from spamcop webmail? Forwarding to submit.code[at]spamcop.net or quick.code[at]spamcop.net? Copying and pasting into the submission form at spamcop.net perhaps? I need more information to guess at why you are experiencing a problem.

showker Posted December 15, 2006

Okay... here's an example:

In the SpamCop report results I see this:

Please make sure this email IS spam:
From: "Rosetta Kirk" <gazwisconsinliftvot[at]wisconsinlift.com> (Don't be the "little guy" in the club)
------------F21CED3BBB48D3B
Content-Type: text/plain; charset=Windows-1252
View full message

Here is the TRACKING URL noted by SpamCop for "future reference"

From: "Rosetta Kirk" <gazwisconsinliftvot[at]wisconsinlift.com> (Don't be the "little guy" in the club)
View full message
http://www.spamcop.net/sc?id=z1167110244z7...0432aa483eb663z

Report spam to:
Re: 83.10.199.80 (Administrator of network where email originates)
To: abuse[at]tpnet.pl (Notes)
Re: 83.10.199.80 (Third party interested in email source)
To: Cyveillance spam collection (Notes)
Re: User Notification (Notes)

###

...and, there's a button to click to "Send Report"

That's it. So, I've sent the report to the "abuse" guy at tpnet.jpl, and the "third party" who is at the SAME IP ADDRESS.

Yet, buried down in the spam is the link to the actual spammer

<a href="http://www.olelukoe.net/?90&GJj7GJG5DFG0HKgf"> Read more testimonals about this marveouls product here! </a>

olelukoe.net = 202.103.172.97 (Zhejiang China)

... the spammer is in China, NOT 83.10.199.80 -- a server in Poland

So, SpamCop has reported this incident to an admin in Poland, when the actual spammer SHOULD have been reported to an admin in China.

I've only seen this start in the past two weeks or so. I'm just wondering why the change in reporting. It's sort of like when you report a murder, you identify the street where the murder occurred, rather than the murderer who committed the crime.

Does that make sense?

Wazoo Posted December 15, 2006

As stated in yet another Topic/Discussion, the 'started the last couple of weeks' also seems to correlate with the installation of a different version of the parsing codebase.

As far as 'resolving' the spamvertized URLs ... what's new? http://www.dnsreport.com/tools/dnsreport.c...ww.olelukoe.net shows that the spammer is running his/her own DNS server, and the configuration of those servers suck for any 'normal' usage ....

Can't help but note that your spam sample only includes those links in the HTML portion of the e-mail .. those looking at just the plain text 'version' would really have to dig down deep to even 'find' those links.

12/15/06 14:09:02 whois www.olelukoe.net
.net is a domain of Network services
Searches for .net can be run at http://www.crsnic.net/
whois -h whois.crsnic.net olelukoe.net ...
Redirecting to ENOM, INC.
whois -h whois.enom.com olelukoe.net ...
Failed, socket error: Connection reset by peer (WSAECONNRESET)

(no explanation for this, but ... not able to work around it 'here' either ... but similar results from the parser look-up would have the same results in the parse results .. no answers/targets provided ....)

12/15/06 13:57:17 Slow traceroute www.olelukoe.net
Trace www.olelukoe.net (202.103.172.97) ...

12/15/06 13:56:51 Slow traceroute olelukoe.net
Trace olelukoe.net (202.103.172.97) ...

whois -h whois.apnic.net 202.103.172.97 ...
inetnum: 202.103.128.0 - 202.103.191.255
netname: CHINANET-GD
descr: CHINANET Guangdong province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: IC83-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-GD
changed: hostmaster[at]ns.chinanet.cn.net 20000101
changed: hm-changed[at]apnic.net 20040906
status: ALLOCATED PORTABLE
changed: hm-changed[at]apnic.net 20041209
source: APNIC

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam[at]ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: lqing[at]chinatelecom.com.cn 20051212
mnt-by: MAINT-CHINANET
source: APNIC

Heck, you know these folks are going to jump right on this .... geeze ....

A record: www.olelukoe.net. A 221.12.66.38

whois -h whois.apnic.net 221.12.66.38 ...
inetnum: 221.12.66.0 - 221.12.66.255
netname: China169-WZ-PPPOE-POOL
country: CN
descr: China169，Wenzhou,Zhejiang
admin-c: JQ16-AP
tech-c: JQ16-AP
status: ASSIGNED NON-PORTABLE
changed: zhulidan[at]china-netcom.com 20051121
mnt-by: MAINT-CNCGROUP-ZJ
source: APNIC

route: 221.12.0.0/17
descr: CNC Group CHINA169 Zhejiang Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse[at]cnc-noc.net 20060118
source: APNIC

yet another world-famous place well-known for taking immediate action on spam .. yeah, right ...

> So, I've sent the report to the "abuse" guy at tpnet.jpl, and the "third party" who is at the SAME IP ADDRESS.

No, two separate reports went out to two different folks "about" the same IP address.

> So, SpamCop has reported this incident to an admin in Poland, when the actual spammer SHOULD have been reported to an admin in China.

???? Huh? A report was generated about the "source" of the spam e-mail. You are asking about the generation of yet another report about the spamvertised web-site that is located elsewhere .. and most of that issue is as provided above and in previous replies .....

turetzsr Posted December 15, 2006

> No, no, no... that's not at all what I refer to. <snip>

...Sorry, but I believe both the replies from Will Russell and me do address exactly what you are asking -- we need a Tracking URL to provide context to your question (which you did provide in your next post -- thanks!), it's working for Will and there's the FAQ entry and other Forum posts that address complaints of the SpamCop parser failing to find spamvertized web sites and then send reports to the abuse address of those web sites.

showker Posted December 15, 2006

Okay... I was just hit with another of "those" spams, and this time decided to actually document the problem.

As you see in THIS screen capture... http://www.ugnn.com/pictures/spam_report.gif the actual SpamCop reporting says

> Finding links in message body
> no links found

Yet looking at the actual text of the spam, you see there are AT LEAST THREE unique links, NONE OF WHICH are related in any way to the admin recipient of the report.

I'll grab another one in the morning. Now it's getting dark, and I'm going home. :-)

Good night.
Fred

turetzsr Posted December 15, 2006

Hi, Fred,

...This is exactly the type of thing discussed in the FAQ entry to which I referred and many of the SpamCop Forum threads you'll find by doing the search I suggested in my first reply to you. Please do some reading there and then return here with any specific questions you have about them with respect to your situation.

Thanks!

StevenUnderwood Posted December 15, 2006

> as opposed to *who* sent the spam -- as we know, *who* sent the spam is usually a forged address that leads nowhere.)

The other issue is being taken care of. I want to address this misunderstanding. SpamCop ignores the forged sender information and locates the machine the spam was sent from. That is NOT a forged address and will add to the probability of the IP address being placed on the SCBL.

showker Posted December 16, 2006

FIRST:

Quote:
> ...This is exactly the type of thing discussed in the FAQ entry to which I
> referred and many of the SpamCop Forum threads you'll find by
> doing the search I suggested in my first reply to you.
> Please do some reading there and then return here with any specific
> questions you have about them

You did not reference the forum thread, and I do not know what to 'search' for... all of the references returned when searching for "finding links" assume that SpamCop looks for and finds links embedded in the spam.

Totally different issue, since this thread confirms that SpamCop does NOT find links embedded in spam. (Or, at least stopped finding them about two weeks or so ago.)

CONFIRMED

I just spent over an hour very carefully tracing and validating 8 new spams sent in by a spammer based at : http://hypotenuse.roundcircumference.com/

Each one spamvertised a 3rd party "affiliate" link, at a totally different domain. Each had an embedded graphic from that domain. Each had more than one additional link in the html of the spam.

Every SpamCop.net report gave the SAME :

> Finding links in message body
> no links found

See this for yourself at: http://www.spamcop.net/sc?id=z1167831047z6...df088347ceef85z

All of the spam coming from this guy at hypotenuse.roundcircumference.com "say" they're being reported to :: abuse[at]ca.mci.com

Obviously, "abuse[at]ca.mci.com" is not interested in stopping this guy.

So, this thread is useless. Another spammer gone free.

StevenUnderwood Posted December 16, 2006

> Every SpamCop.net report gave the SAME :
> > Finding links in message body
> > no links found
> See this for yourself at: http://www.spamcop.net/sc?id=z1167831047z6...df088347ceef85z

By the RFC's, there is no body to this message. SpamCop sticks to the RFC's. Most other email clients stick to the RFC's. Some do not and will show you this body. This would be one of the infamous "blank emails" in any RFC adhering client.

The line:

Content-Type: multipart/alternative;boundary="--==--==_Seperator1"

tells the client to look for the boundary "--==--==_Seperator1" to find the first section of the message. Since that does not exist, there officially is no body.

The fact that you never saw this before is remarkable. This type of thing has been going on for years.

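The malformed-multipart case described in the post above can be reproduced with Python's standard `email` parser. This is an added example, not code from SpamCop or from any poster; the sender, the link and the function names are hypothetical, and both messages are constructed around the Content-Type line quoted in the post.

```python
import re
from email import message_from_string, policy

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample: the Content-Type header quoted in the post,
# with a made-up sender and a made-up spamvertised link.
HEADERS = (
    "From: sender@example.test\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative;boundary="--==--==_Seperator1"\n'
    "\n"
)
HTML = '<a href="http://spamvertised.example/offer">Read more</a>\n'
DELIM = "----==--==_Seperator1"  # "--" followed by the declared boundary

# The declared boundary never appears in the body.
BROKEN = HEADERS + "--some-other-delimiter\nContent-Type: text/html\n\n" + HTML
# Same content, delimited the way the header promises.
WELL_FORMED = (
    HEADERS
    + DELIM + "\nContent-Type: text/plain\n\nRead more on our site.\n"
    + DELIM + "\nContent-Type: text/html\n\n" + HTML
    + DELIM + "--\n"
)

def parse(raw):
    return message_from_string(raw, policy=policy.default)

def mime_defects(raw):
    """Names of the structural defects recorded on the top-level message."""
    return [type(d).__name__ for d in parse(raw).defects]

def strict_links(raw):
    """Links found only inside properly delimited MIME text parts."""
    links = []
    for part in parse(raw).walk():
        if part.get_content_maintype() == "multipart":
            continue  # a container, or a declared multipart with no parts
        if part.get_content_maintype() == "text":
            links += URL_RE.findall(part.get_content())
    return links

def lenient_links(raw):
    """Scan everything after the header block as opaque text."""
    _, _, body = raw.partition("\n\n")
    return URL_RE.findall(body)

def triage(raw):
    """Flag messages whose links are visible only to a non-strict reader."""
    strict, lenient = strict_links(raw), lenient_links(raw)
    return {"defects": mime_defects(raw), "strict": strict,
            "hidden": [u for u in lenient if u not in strict]}

if __name__ == "__main__":
    print(triage(BROKEN))
    print(triage(WELL_FORMED))
```

A non-empty `hidden` list together with a `StartBoundaryNotFoundDefect` marks a message that a lenient mail client will render with links while a strict parser reports none.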
dra007 Posted December 16, 2006

Quick reporting never reports spamadvertised links in the spam. You need to manually report and then on many occasions the parser fails to identify the link, there are also link obfuscations which prevent an easy read. But then again, the philosophy of why reporting spamadvertised sites is not productive or even an important part of SpamCop reporting has been discussed ad nauseam and in many threads.

Wazoo Posted December 16, 2006

> > ...This is exactly the type of thing discussed in the FAQ entry to which I
> > referred and many of the SpamCop Forum threads you'll find by
> > doing the search I suggested in my first reply to you.
> > Please do some reading there and then return here with any specific
> > questions you have about them
> You did not reference the forum thread,

however, what 'was' referenced was the SpamCop FAQ .. links available at the top of this very page

> and I do not know what to 'search' for... all of the references returned when searching for "finding links"

Yep, that's an issue with trying to guess at how other folks decided to 'describe' the issue .. in most cases, you might have had better luck with something along the lines of "won't resolve" .. but even that depends on just which search tool you tried to use ....

> Totally different issue, since this thread confirms that SpamCop does NOT find links embedded in spam. (Or, at least stopped finding them about two weeks or so ago.)

Your blanket statement and reality don't fit together all that well. Properly constructed spam, URLs that are based in reality, do parse quickly and accurately. Once outside of that scenario, it's a bit of a coin toss. And as stated in so many places already, even if the spamvertised URL does resolve, the target seems to be a waste of time to actually notify.

> I just spent over an hour very carefully tracing and validating 8 new spams sent in by a spammer based at : ht tp://hypo tenuse.roundcircumfer ence.com/

Yet, as Steven mentioned, it appears you didn't look at the spam itself. Construct is totally screwed.

> So, this thread is useless. Another spammer gone free.

"Thread" is usually a term tied to newsgroup activity .. the forum word would be 'Topic' ... You say useless, yet .... what is being discussed is actually the background of e-mail construction thus far. None of your samples thus far have shown a properly constructed e-mail.

Beyond that, ever again, there is nothing preventing you or anyone else from generating your/their own complaints to these "missed" targets .....

Miss Betsy Posted December 16, 2006

> Obviously, "abuse[at]ca.mci.com" is not interested in stopping this guy. So, this thread is useless. Another spammer gone free.

Almost all spammers have found a 'bulletproof' home. The best that one can do is to feed the blocklist so that others can know to block them (and to keep them on the list). It is extremely difficult (and takes a lot of expertise) to identify an individual spammer and convince someone that that spammer should be denied internet access.

Since many of the hardcore spammers use trojanned machines anyway, it is easier just to block them rather than care about notifying them. That means blocking the source, not the spamvertised site.

You need to catch up on what has been happening.

Miss Betsy

turetzsr Posted December 17, 2006

> FIRST: Quote:
> > ...This is exactly the type of thing discussed in the FAQ entry to which I
> > referred and many of the SpamCop Forum threads you'll find by
> > doing the search I suggested in my first reply to you.
> > Please do some reading there and then return here with any specific
> > questions you have about them
> You did not reference the forum thread, and I do not know what to 'search' for <snip>

...Since I don't remember your ever having intentionally posted a misleading reply before, I choose to believe you unintentionally missed what I wrote in my first reply [bold emphasis added here]:

> <snip> ...Next, I would like to refer you to the SpamCop Forum "Search for" capability (see form fields very close to the top of the page) to find other SpamCop Forum threads which discuss exactly this same issue. I would suggest you use "spamvertized OR spamvertised" as your key words for the search.

...Since you have not seemed to be able to find the SpamCop Forum article ("SpamCop reporting of spamvertized sites - some philosophy") to which I referred you earlier, I shall assume it was my fault and provide the actual URL to that article:

<snip> SpamCop reporting of spamvertized sites - some philosophy <snip>

...Hope this helps!

Archived
This topic is now archived and is closed to further replies.