Jump to content

Security of Spam Cop's List


lfv

Recommended Posts

I have to admit that the spam has reduced since the splurge when I signed up. However, I am also (and this is my personal feeling) that the cause of most of my spam was indeed from signing up for spam Cop. The reason is that I have several mail accounts all running off the same server and all of them are posted on the internet (I run a website and that's typically what you do with your e-mail address for your website). However, I find it interesting that immediately after signing up for spam Cop only the address that I signed up with has a massive increase in spam. But I am not trying to say that the service spam Cop provides is bad. My purpose of making this post really is to ask if spam Cop is encrypting the e-mail addresses of those who signup for it, and if so, how many bits? You can have the best spam protection in the world (and for all I know so far, maybe you do) but if you are not encrypting our e-mails then it is not going to do much good.

Thanks.

Link to comment
Share on other sites

My purpose of making this post really is to ask if spam Cop is encrypting the e-mail addresses of those who signup for it, and if so, how many bits? You can have the best spam protection in the world (and for all I know so far, maybe you do) but if you are not encrypting our e-mails then it is not going to do much good.

I'm not clear whether you are referring to a SpamCop reporting account or a SpamCop Email account.

Certainly the reporting accounts only pass on a reporting address which is unique to the report you submit - so that a responsible ISP can tell you what action they may or may not be taking. However, you can become a 'mole' reporter and never have your reports forwarded if you prefer. You can also enable what is called 'munging' so that your address which may appear in the spam item is also obscured - not just encrypted but obliterated. So, if you're referring to the reporting side then you should ensure your preferences are set to reflect your personal level of concern.

If you are referring to an Email account then the above also applies in respect of the reporting side of things. But, of course, your Email address will be out in the clear if you choose to send an Email using the account in the same way as it would with any other Email you might send. But the munging and mole settings are created within the reporting interface rather than the Email account interface.

Hope that helps.

Andrew

Link to comment
Share on other sites

But I am not trying to say that the service spam Cop provides is bad. My purpose of making this post really is to ask if spam Cop is encrypting the e-mail addresses of those who signup for it, and if so, how many bits? You can have the best spam protection in the world (and for all I know so far, maybe you do) but if you are not encrypting our e-mails then it is not going to do much good.
First of all, there is no "you" here; nearly all of the posters are fellow SpamCop users or volunteers, although SpamCop admins & staffers do frequently read and respond.

I'm puzzled on a couple of points here, but let's tackle the encryption business first.

Your query is confusing to me because I am not sure what you mean by "encrypting our e-mail addresses". Where is it that you think SpamCop is or should be encrypting our addresses? As far as I am aware, SMTP transfers do not allow for encrypted addresses to be passed, and since pretty much every output of SpamCop is SMTP of one kind or another, I don't know how you'd encrypt an address or where you'd put it once you did.

The only things that come out of SpamCop (for me at any rate) are reports to providers, which are not signed with my e-mail address (an "alphabet soup" temporary address is provided for the abuse guy to contact me if he needs to), and the filtered or released mail (which goes straight to my in box). Both of these are via SMTP. Neither of these seems to provide any opportunity to encrypt e-mail addresses.

SpamCop usually munges e-mail addresses out of messages (i.e., replacing them with "x") before including them in reports to providers, so there should be no need for encryption here. If a provider refuses to accept munged reports, SpamCop will indicate such, and allow you to decide whether or not to proceed with the report. If you think that the provider might do bad things with your address, you can cancel the report.

Spammers can conceal e-mail information in various places in an e-mail (including the arguments of CGI calls); these could potentiallly be harvested by a knowledgable person looking at a spam report, but since SpamCop generally can't detect these in the first place, it can't encrypt them.

-- rick

Link to comment
Share on other sites

I have several mail accounts all running off the same server and all of them are posted on the internet (I run a website and that's typically what you do with your e-mail address for your website).

It used to be that way. These days, not quite so common. I maintain several 'buisness' sites that make no e-mail accounts 'visible' ... all contact is made via forms, almost all use a dropdown to select 'where' the contact (data) needs to go, and the backend routine actually habdles the delivery of that e-mail. If the user wishes a CC: of that contact e-mail, then the CC: copy to them includes a 'special' e-mail address in the Reply-To: line, such that the onlu e-mail that should arrive there would be the follow-up contacts from an actual customer.

is to ask if spam Cop is encrypting the e-mail addresses of those who signup for it, and if so, how many bits? You can have the best spam protection in the world (and for all I know so far, maybe you do) but if you are not encrypting our e-mails then it is not going to do much good.

As others have stated, this question really doesn't make a lot of sense.

What you seem to want to know can be seen by submitting a spam via the web-page form, let the parser run its course, then click on the "Preview" button to see just what is going to be sent out in those reports you elect to actually be sent.

Link to comment
Share on other sites

Ok, after exploring the site a bit more, I am not sure exactly what I am signed up for. I gave an e-mail address under the "Report spam" category on the home page. But then I read the last category labeled "Use the spam Cop blocking list." Does the spam Reporting thing actually do anything to protect me against spam or am I only reporting messages? I also tried logging in and clicking on Past Reports and noticed that there was nothing there. I use Squirel Mail and under "Options" there is a section to enable spam Cop. So I used that and now there is a link to report each message as spam. I have been using that, but since it says there are no reports, does that mean that it is not working? Pasting the header into that online form doesn't actually sound like it is very efficient.

It used to be that way. These days, not quite so common. I maintain several 'buisness' sites that make no e-mail accounts 'visible' ... all contact is made via forms, almost all use a dropdown to select 'where' the contact (data) needs to go, and the backend routine actually habdles the delivery of that e-mail. If the user wishes a CC: of that contact e-mail, then the CC: copy to them includes a 'special' e-mail address in the Reply-To: line, such that the onlu e-mail that should arrive there would be the follow-up contacts from an actual customer.

hmm, I never took the time to view the source of one of those forms, so I never even considered determining the e-mail address on the server side. Will it do any good if I start doing that now or is it too late to save my e-mail addresses?

Link to comment
Share on other sites

Ok, after exploring the site a bit more, I am not sure exactly what I am signed up for. I gave an e-mail address under the "Report spam" category on the home page. But then I read the last category labeled "Use the spam Cop blocking list." Does the spam Reporting thing actually do anything to protect me against spam or am I only reporting messages?
...It sounds as if you have signed up as a "Reporter" of spam. The SpamCop blacklist can not affect your spam at all unless you (or your e-mail provider) are using it to filter or block incoming e-mail.
I also tried logging in and clicking on Past Reports and noticed that there was nothing there. I use Squirel Mail and under "Options" there is a section to enable spam Cop. So I used that and now there is a link to report each message as spam. I have been using that, but since it says there are no reports, does that mean that it is not working?
...Reporting spam is a two-part process:
  1. Submit the spam to the parser.
  2. Review the parse results and send the spam complaints.

You may be doing only the first part and not the second.

Pasting the header into that online form doesn't actually sound like it is very efficient.

<snip>

...Well, perhaps, but ... compared to what? The SpamCop parser automates time-consuming research that you would have to perform on your own: principally to look through the e-mail internet headers to identify the source of the spam, then identify the correct abuse addresses for those sources, then compose complaint e-mails and send to those abuse addresses in a manner that hides your identity but still allows the administrators of the spam sources to contact you, if they wish. SpamCop also allows you to submit via e-mail multiple spam for parsing, if your e-mail client is capable of forwarding as attachments multiple spam e-mails at once.
Link to comment
Share on other sites

Pasting the header into that online form doesn't actually sound like it is very efficient.
You'd be surprised. By the time you traverse the routing chain in a header (which will contain spammer forgeries as well as odd stuff planted by honest ISPs), then run whois on IP addresses to collect contact info, then dump the whole deal into an e-mail message, you could have pasted and reported 20 e-mails using the spamcop form.

hmm, I never took the time to view the source of one of those forms, so I never even considered determining the e-mail address on the server side. Will it do any good if I start doing that now or is it too late to save my e-mail addresses?
There are other ways to keep e-mail addresses from being harvested from web pages. I list some of them on my website at http://www.rickconner.net/spamweb/avoiding.html. If you use a mailback form, there are some important things to be careful of, such as not posting e-mail addresses in the HTML, even as "hidden" form items.

-- rick

Link to comment
Share on other sites

Ok, after exploring the site a bit more,

exploring what site? There is only the www.spamcop.net web page, which for logged-in users primarily consists of the paste-your-spam-in-the-box. The Help link on that page takes one to the original/official FAQ, and the complaints over the years led to the various FAQs and tools added 'here' to try to resolve all those complaints.

Did you look at the Start Here - before you make your first Post page? Have you looked at What is SpamCop.net? yet? If you meant 'searching this Forum' then it should have been seen that there are a number of parts / sections of the SpamCop.net toolset. Reporting of your spam is just one of those tools.

I am not sure exactly what I am signed up for. I gave an e-mail address under the "Report spam" category on the home page.

That would be your Reporting Account .. which is basically what has been discussed thus far in all of your previous posts.

But then I read the last category labeled "Use the spam Cop blocking list." Does the spam Reporting thing actually do anything to protect me against spam or am I only reporting messages?

As explained elsewhere in the FAQ, the Wiki, etc. .... there is the Reporting Account that in addition to notifying ISPs about their spam spew, also feeds the SpamCopDNSBL. The SpamCopDNSBL is used by the SpamCop.net e-mail system, but has also been made available to the public. ISPs can and do use this BL, there are third-party tools out there for personal use of this BL.

I also tried logging in and clicking on Past Reports and noticed that there was nothing there. I use Squirel Mail and under "Options" there is a section to enable spam Cop. So I used that and now there is a link to report each message as spam. I have been using that, but since it says there are no reports, does that mean that it is not working? Pasting the header into that online form doesn't actually sound like it is very efficient.

In general, this storyline usually means that you may have been submitting spam, but never actually 'Reporting' it. per the agreement at sign-up time, spamcop.met sends nothing on its own. You need to review the results of a spam parsing and you are then to select/deselect the appropriate targets for the reports, then you must click on the send button to actually have those reports go out. If you've never done this, then there will be no reports in your history.

hmm, I never took the time to view the source of one of those forms, so I never even considered determining the e-mail address on the server side. Will it do any good if I start doing that now or is it too late to save my e-mail addresses?

My form(s) are custom ... no idea what you'll find elsewhere. Based on your previous, your e-mail is 'out there' Lots of "businessmen" make their money by selling lists of "known-good-they=want-your-e-mail" lists. others make their money by doing the 'high-speed-delivery-of-requested-data- to their massive lists of obtained, stolen, generated, possibly even bought, but ever-growing lists of those e-mail addresses. The point is, there isn't any known way yto get your e-mail address removed from any/all of those lists out there, CAN-spam ACT be damned.

Link to comment
Share on other sites

hmm, I never took the time to view the source of one of those forms, so I never even considered determining the e-mail address on the server side. Will it do any good if I start doing that now or is it too late to save my e-mail addresses?

It depends. By posting your email address openly, it has almost definitely been harvested, but you still have some options. There are about a billion free email services out there which you could use as an alternate or forwarding address (depending upon your current email configuration) and filter it for spam and so forth.

To prevent your email address from being harvested in the future, rconner's site has just about every method available to do so. Here are a couple of my own tips:

  • Use Privacysig.com to create an image based email address. It has some built in templates for well known providers to make it look a little more attractive than plain text images. You can also use some graphic design software to create your own email graphic, which I've shown below, that makes it almost impossible for a spambot to read. I've included a link to the Photoshop PSD template w/ layers intact, if you have that program and want to modify it yourself.
  • Place a link on your site to one of SpamPoison's sites on your website (such as http://www1186632274377.virtual-dc.com/ - click the orange and purple "Spampoison" button on their main page for a fresh one on every reload). This will send a spam email harvester bot into and endless page of bogus email addresses for harvesting and (hopefully) ruin it's email list. There are different ways and places to add this link to your site.
  • Use a FormMail scri_pt to allow visitors to fill out a form for sending you an email. As opposed to the original buggy FormMail scri_pt, NMS's TFMail version is rewritten to be free of exploits and pretty hard to spam. There are probably more complex scripts out there that use CAPTCHAs and other devices to make it even harder still.
  • Encode your email address using JavaSCR|PT (changed link to a tinyurl one since the board blocks out the word "s c r i p t") to prevent it being read by being read by spam harvesters. This, of course, has its pros and cons.

Here is my email image example:

nospamemailexamplexf6.jpg

Here is a link to the PSD to the template:

nospam_email_template.psd (1.8MB)

Other than that, Rconner's page pretty much has it covered.

...It sounds as if you have signed up as a "Reporter" of spam. The SpamCop blacklist can not affect your spam at all unless you (or your e-mail provider) are using it to filter or block incoming e-mail.

If lfv is a Windows user and uses a client like Outlook, he (?) could use a program like SpamPal, which incorporates DNSBls (including SpamCops) into the program's filtering techniques and benefit from the spam he is reporting. SpamAware, which also works w/ Outlook, is a port of SpamAssassin to Windows. So, with those two pieces of software, lfv could have all the benefits of a SC email address. Both programs are freeware. There is probably other software out there that does the same thing, but those are the only two I am aware of.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...