
SpamCop Drops "Spamvertised" sites...


showker

Hi!

...First, I would like to refer you to the SpamCop FAQ (see link near top left side of page) entry labeled "SpamCop reporting of spamvertized sites - some philosophy." If you have questions after reading that, please do return here to ask.

...Next, I would like to refer you to the SpamCop Forum "Search for" capability (see form fields very close to the top of the page) to find other SpamCop Forum threads which discuss exactly this same issue. I would suggest you use "spamvertized OR spamvertised" as your key words for the search.

...Finally, I would recommend you supply a tracking URL that demonstrates an example of the behavior to which you refer so that we have a context in which to discuss the specifics of the matter you raise. Thanks!

Link to comment
Share on other sites

No, no, no... that's not at all what I refer to.

Over the entire history of SpamCop reporting, the report would always return with included links... they would include "admin of websites referenced in spam" along with the offending links.

(These 'offending' links would be the actual spammer's site that the spam wants you to click to -- as opposed to *who* sent the spam -- as we know, *who* sent the spam is usually a forged address that leads nowhere.)

However, in the past two weeks or so, these sites "referenced in the spam" have been OMITTED from the reports. So the admins of those sites have NOT received SpamCop complaints.

In the case of Phishing -- this defeats the entire purpose of SpamCop reports, because the 'spoofed' victim -- be it eBay or Paypal, or whoever -- has not been alerted. Worse yet, the admins of the servers and networks hosting the phisher have not been alerted either. Only the admin of the network where the spam originated.

So, that's the question -- How come SpamCop no longer references links within the message of the spam?

Link to comment
Share on other sites

As I said, spamvertised links in my submissions have been being reported just fine. Please provide a tracking URL to one of your messages that is not; there may be a specific reason that it is not.

Also, how are you submitting your messages to spamcop?

VER reporting from spamcop webmail?

Forwarding to submit.code[at]spamcop.net or quick.code[at]spamcop.net?

Copying and pasting into the submission form at spamcop.net perhaps?

I need more information to guess at why you are experiencing a problem.

Link to comment
Share on other sites

Okay... here's an example:

In the SpamCop report results I see this:

Please make sure this email IS spam:

From: "Rosetta Kirk" <gazwisconsinliftvot[at]wisconsinlift.com> (Don't be the "little guy" in the club)

------------F21CED3BBB48D3B

Content-Type: text/plain; charset=Windows-1252

View full message

Here is the TRACKING URL noted by SpamCop for "future reference"

From: "Rosetta Kirk" <gazwisconsinliftvot[at]wisconsinlift.com> (Don't be the "little guy" in the club)

View full message

http://www.spamcop.net/sc?id=z1167110244z7...0432aa483eb663z

Report spam to:

Re: 83.10.199.80 (Administrator of network where email originates)

To: abuse[at]tpnet.pl (Notes)

Re: 83.10.199.80 (Third party interested in email source)

To: Cyveillance spam collection (Notes)

Re: User Notification (Notes)

###

...and, there's a button to click to "Send Report". That's it.

So, I've sent the report to the "abuse" guy at tpnet.jpl, and the "third party" who is at the SAME IP ADDRESS.

Yet, buried down in the spam is the link to the actual spammer

<a href="http://www.olelukoe.net/?90&GJj7GJG5DFG0HKgf">
Read more testimonals about this marveouls product here!
</a>

olelukoe.net = 202.103.172.97 (Zhejiang China)

... the spammer is in China, NOT 83.10.199.80 -- a server in Poland

So, SpamCop has reported this incident to an admin in Poland, when the actual spammer SHOULD have been reported to an admin in China.

I've only seen this start in the past two weeks or so. I'm just wondering why the change in reporting.

It's sort of like when you report a murder, you identify the street where the murder occurred, rather than the murderer who committed the crime.

Does that make sense?

Link to comment
Share on other sites

As stated in yet another Topic/Discussion, the 'started the last couple of weeks' also seems to correlate with the installation of a different version of the parsing codebase.

As far as 'resolving' the spamvertized URLs ... what's new?

http://www.dnsreport.com/tools/dnsreport.c...ww.olelukoe.net shows that the spammer is running his/her own DNS server, and the configuration of those servers sucks for any 'normal' usage ....

Can't help but note that your spam sample only includes those links in the HTML portion of the e-mail .. those looking at just the plain text 'version' would really have to dig down deep to even 'find' those links.

12/15/06 14:09:02 whois www.olelukoe.net

.net is a domain of Network services

Searches for .net can be run at http://www.crsnic.net/

whois -h whois.crsnic.net olelukoe.net ...

Redirecting to ENOM, INC.

whois -h whois.enom.com olelukoe.net ...

Failed, socket error: Connection reset by peer (WSAECONNRESET)

(no explanation for this, but ... not able to work around it 'here' either ... but similar results from the parser look-up would have the same results in the parse results .. no answers/targets provided ....)

12/15/06 13:57:17 Slow traceroute www.olelukoe.net

Trace www.olelukoe.net (202.103.172.97) ...

12/15/06 13:56:51 Slow traceroute olelukoe.net

Trace olelukoe.net (202.103.172.97) ...

whois -h whois.apnic.net 202.103.172.97 ...

inetnum: 202.103.128.0 - 202.103.191.255

netname: CHINANET-GD

descr: CHINANET Guangdong province network

descr: Data Communication Division

descr: China Telecom

country: CN

admin-c: CH93-AP

tech-c: IC83-AP

mnt-by: APNIC-HM

mnt-lower: MAINT-CHINANET-GD

changed: hostmaster[at]ns.chinanet.cn.net 20000101

changed: hm-changed[at]apnic.net 20040906

status: ALLOCATED PORTABLE

changed: hm-changed[at]apnic.net 20041209

source: APNIC

person: Chinanet Hostmaster

nic-hdl: CH93-AP

e-mail: anti-spam[at]ns.chinanet.cn.net

address: No.31 ,jingrong street,beijing

address: 100032

phone: +86-10-58501724

fax-no: +86-10-58501724

country: CN

changed: lqing[at]chinatelecom.com.cn 20051212

mnt-by: MAINT-CHINANET

source: APNIC

Heck, you know these folks are going to jump right on this .... geeze ....

A record: www.olelukoe.net. A 221.12.66.38

whois -h whois.apnic.net 221.12.66.38 ...

inetnum: 221.12.66.0 - 221.12.66.255

netname: China169-WZ-PPPOE-POOL

country: CN

descr: China169，Wenzhou,Zhejiang

admin-c: JQ16-AP

tech-c: JQ16-AP

status: ASSIGNED NON-PORTABLE

changed: zhulidan[at]china-netcom.com 20051121

mnt-by: MAINT-CNCGROUP-ZJ

source: APNIC

route: 221.12.0.0/17

descr: CNC Group CHINA169 Zhejiang Province Network

country: CN

origin: AS4837

mnt-by: MAINT-CNCGROUP-RR

changed: abuse[at]cnc-noc.net 20060118

source: APNIC

yet another world-famous place well-known for taking immediate action on spam .. yeah, right ...

> So, I've sent the report to the "abuse" guy at tpnet.jpl, and the "third party" who is at the SAME IP ADDRESS.

No, two separate reports went out to two different folks "about" the same IP address.

> So, SpamCop has reported this incident to an admin in Poland, when the actual spammer SHOULD have been reported to an admin in China.

???? Huh? A report was generated about the "source" of the spam e-mail.

You are asking about the generation of yet another report about the spamvertised web-site that is located elsewhere .. and most of that issue is as provided above and in previous replies .....

Link to comment
Share on other sites

> No, no, no... that's not at all what I refer to.

<snip>

...Sorry, but I believe both the replies from Will Russell and me do address exactly what you are asking -- we need a Tracking URL to provide context to your question (which you did provide in your next post -- thanks!), it's working for Will and there's the FAQ entry and other Forum posts that address complaints of the SpamCop parser failing to find spamvertized web sites and then send reports to the abuse address of those web sites.
Link to comment
Share on other sites

Okay...

I was just hit with another of "those" spams, and this time decided to actually document the problem.

As you see in THIS screen capture...

http://www.ugnn.com/pictures/spam_report.gif

the actual SpamCop reporting says

> Finding links in message body

> no links found

Yet looking at the actual text of the spam, you see there are AT LEAST THREE unique links, NONE OF WHICH are related in any way to the admin recipient of the report.

I'll grab another one in the morning. Now it's getting dark,

and I'm going home.

:-) Good night.

Fred

Link to comment
Share on other sites

Hi, Fred,

...This is exactly the type of thing discussed in the FAQ entry to which I referred and many of the SpamCop Forum threads you'll find by doing the search I suggested in my first reply to you. Please do some reading there and then return here with any specific questions you have about them with respect to your situation. Thanks!

Link to comment
Share on other sites

> as opposed to *who* sent the spam -- as we know, *who* sent the spam is usually a forged address that leads nowhere.)

The other issue is being taken care of. I want to address this misunderstanding. SpamCop ignores the forged sender information and locates the machine the spam was sent from. That is NOT a forged address and will add to the probability of the IP address being placed on the SCBL.

Link to comment
Share on other sites

FIRST:

Quote:

> ...This is exactly the type of thing discussed in the FAQ entry to which I

> referred and many of the SpamCop Forum threads you'll find by

> doing the search I suggested in my first reply to you.

> Please do some reading there and then return here with any specific

> questions you have about them

You did not reference the forum thread, and I do not know what to 'search' for... all of the references returned when searching for "finding links" assume that SpamCop looks for and finds links embedded in the spam.

Totally different issue, since this thread confirms that SpamCop does NOT find links embedded in spam. (Or, at least stopped finding them about two weeks or so ago.)

CONFIRMED

I just spent over an hour very carefully tracing and validating 8 new spams sent in by a spammer based at :

http://hypotenuse.roundcircumference.com/

Each one spamvertised a 3rd party "affiliate" link, at a totally different domain. Each had an embedded graphic from that domain. Each had more than one additional link in the html of the spam.

Every SpamCop.net report gave the SAME :

> Finding links in message body

> no links found

See this for yourself at:

http://www.spamcop.net/sc?id=z1167831047z6...df088347ceef85z

All of the spam coming from this guy at hypotenuse.roundcircumference.com "say" they're being reported to :: abuse[at]ca.mci.com

Obviously, "abuse[at]ca.mci.com" is not interested in stopping this guy.

So, this thread is useless. Another spammer gone free.

Link to comment
Share on other sites

> Every SpamCop.net report gave the SAME :
>
> > Finding links in message body
>
> > no links found
>
> See this for yourself at:
>
> http://www.spamcop.net/sc?id=z1167831047z6...df088347ceef85z

By the RFCs, there is no body to this message. SpamCop sticks to the RFCs. Most other email clients stick to the RFCs. Some do not and will show you this body. This would be one of the infamous "blank emails" in any RFC adhering client.

The line: Content-Type: multipart/alternative;boundary="--==--==_Seperator1" tells the client to look for the boundary "--==--==_Seperator1" to find the first section of the message. Since that does not exist, there officially is no body.

The fact that you never saw this before is remarkable. This type of thing has been going on for years.

Link to comment
Share on other sites
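
The boundary check described in the reply above, as an added example that is not part of the original thread and is not SpamCop's parser: a strict reader only looks for links inside parts introduced by a `--` + boundary delimiter line (RFC 2046), while a lenient reader scans the raw body. The function names and both sample messages are constructed for illustration; only the boundary value is taken from the thread.

```python
import email
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def split_body(raw):
    """Return (parsed message for header access, raw body text)."""
    raw = raw.replace("\r\n", "\n")
    return email.message_from_string(raw), raw.partition("\n\n")[2]

def strict_links(raw):
    """Links a strict MIME reader sees: only text inside delimited parts."""
    msg, body = split_body(raw)
    if msg.get_content_maintype() != "multipart":
        return "single-part", URL_RE.findall(body)
    boundary = msg.get_boundary()
    if not boundary:
        return "no-boundary-parameter", []
    delim, parts, current = "--" + boundary, [], None
    for line in body.split("\n"):
        text = line.rstrip()
        if text in (delim, delim + "--"):
            if current is not None:
                parts.append("\n".join(current))
            current = None if text == delim + "--" else []
            if current is None:          # close delimiter: the rest is epilogue
                break
        elif current is not None:
            current.append(line)
    if current is not None:              # last part was never closed
        parts.append("\n".join(current))
    if not parts:
        return "boundary-never-appears", []
    return "ok", [u for p in parts for u in URL_RE.findall(p)]

def lenient_links(raw):
    """Links found by ignoring MIME structure and scanning the raw body."""
    return URL_RE.findall(split_body(raw)[1])

# Constructed samples: same headers, one body without any delimiter line.
HEADERS = ('From: sender@example.test\nSubject: constructed sample\n'
           'MIME-Version: 1.0\n'
           'Content-Type: multipart/alternative;boundary="--==--==_Seperator1"\n\n')
LINK = '<a href="http://example.test/offer">Read more</a>\n'
BROKEN = HEADERS + LINK
WELL_FORMED = (HEADERS + '----==--==_Seperator1\nContent-Type: text/html\n\n'
               + LINK + '----==--==_Seperator1--\n')

if __name__ == "__main__":
    for name, sample in (("broken", BROKEN), ("well-formed", WELL_FORMED)):
        print(name, strict_links(sample), lenient_links(sample))
```

The broken sample is the "no links found" case: the link is in the raw text, but no declared part contains it.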

Quick reporting never reports spamadvertised links in the spam. You need to manually report, and then on many occasions the parser fails to identify the link; there are also link obfuscations which prevent an easy read. But then again, the philosophy of why reporting spamadvertised sites is not productive or even an important part of SpamCop reporting has been discussed ad nauseam and in many threads.

Link to comment
Share on other sites

> ...This is exactly the type of thing discussed in the FAQ entry to which I

> referred and many of the SpamCop Forum threads you'll find by

> doing the search I suggested in my first reply to you.

> Please do some reading there and then return here with any specific

> questions you have about them

> You did not reference the forum thread,

however, what 'was' referenced was the SpamCop FAQ .. links available at the top of this very page

> and I do not know what to 'search' for... all of the references returned when searching for "finding links"

Yep, that's an issue with trying to guess at how other folks decided to 'describe' the issue .. in most cases, you might have had better luck with something along the lines of "won't resolve" .. but even that depends on just which search tool you tried to use ....

> Totally different issue, since this thread confirms that SpamCop does NOT find links embedded in spam. (Or, at least stopped finding them about two weeks or so ago.)

Your blanket statement and reality don't fit together all that well. Properly constructed spam, URLs that are based in reality, do parse quickly and accurately. Once outside of that scenario, it's a bit of a coin toss. And as stated in so many places already, even if the spamvertised URL does resolve, the target seems to be a waste of time to actually notify.

> I just spent over an hour very carefully tracing and validating 8 new spams sent in by a spammer based at : ht tp://hypo tenuse.roundcircumfer ence.com/

Yet, as Steven mentioned, it appears you didn't look at the spam itself. Construct is totally screwed.

> So, this thread is useless. Another spammer gone free.

"Thread" is usually a term tied to newsgroup activity .. the forum word would be 'Topic' ...

You say useless, yet .... what is being discussed is actually the background of e-mail construction thus far. None of your samples thus far have shown a properly constructed e-mail.

Beyond that, ever again, there is nothing preventing you or anyone else from generating your/their own complaints to these "missed" targets .....

Link to comment
Share on other sites

> Obviously, "abuse[at]ca.mci.com" is not interested in stopping this guy.
>
> So, this thread is useless. Another spammer gone free.

Almost all spammers have found a 'bulletproof' home. The best that one can do is to feed the blocklist so that others can know to block them (and to keep them on the list).

It is extremely difficult (and takes a lot of expertise) to identify an individual spammer and convince someone that that spammer should be denied internet access. Since many of the hardcore spammers use trojanned machines anyway, it is easier just to block them rather than care about notifying them. That means blocking the source, not the spamvertised site.

You need to catch up on what has been happening.

Miss Betsy

Link to comment
Share on other sites

FIRST:

Quote:

> ...This is exactly the type of thing discussed in the FAQ entry to which I

> referred and many of the SpamCop Forum threads you'll find by

> doing the search I suggested in my first reply to you.

> Please do some reading there and then return here with any specific

> questions you have about them

You did not reference the forum thread, and I do not know what to

'search' for

<snip>

...Since I don't remember your ever having intentionally posted a misleading reply before, I choose to believe you unintentionally missed what I wrote in my first reply [bold emphasis added here]:
<snip>

...Next, I would like to refer you to the SpamCop Forum "Search for" capability (see form fields very close to the top of the page) to find other SpamCop Forum threads which discuss exactly this same issue. I would suggest you use "spamvertized OR spamvertised" as your key words for the search.

...Since you have not seemed to be able to find the SpamCop Forum article ("SpamCop reporting of spamvertized sites - some philosophy") to which I referred you earlier, I shall assume it was my fault and provide the actual URL to that article:
...Hope this helps!
Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
