rconner Posted January 24, 2008

Not looking to toss hand grenades here or anything, but just curious about some things I've seen. I searched the SC FAQ & forums but did not find much to bear on this. If necessary, I will open a CastleCops account to take a look through their posts, but I wanted to try things out here first with folks who may already have been knujon users for a while.

I signed up for a paid knujon account just to give it a try. I even turned off my ISP's filters to give it a good sample handful of my spam. When I look at my website report, I see that I have reported a lot of domains that have also been reported hundreds or even thousands of times by others. This is what one would expect. So far, so good.

I do find a few sites that only I have reported (apparently). I checked a few of these, and a couple seem to be non-spammy to me. I'd be willing to imagine that spam sites were hidden in these domains somewhere, but without the original context of the report I made (via SpamCop) I can't be sure. I wonder whether some of these might be "camouflage" links or Joe jobs, and this possibility scares me a bit. I tend to remember spams and spam domains that fall outside the usual formulas for at least a couple of days, but none of these seemed familiar to me.

Just to be safe, I attempted to "trusted purge" some of these sites to get them off my list. The message from knujon indicates that these purges are not automatic and must be reviewed by the humans at knujon. I also see that these purged domains do not go away, but are put on a "watch list." Finally, when I refreshed my report page, the sites I tried to clear are still there.

I am normally quite careful to do my due diligence before allowing website reports to go out via SpamCop. I figure that the best reason for this is that the reports are traceable to me. I wonder whether the same is true of knujon. For my part, I would rather not have a report show up as having come from me if I did not get to buy into where and why the report was sent. I had assumed that knujon would only report spam websites, but could it be that it also reports innocent domains elsewhere in the message (such as, eek, from-addresses or HELOs)? Maybe I just need one of those vaunted "paradigm shifts" here.

Any thoughts?

-- rick
Spamnophobic Posted January 25, 2008

For something under a year now, I have been sending Knujon a copy of my SpamCop reports. I also handed over my $13 when they went paid at the beginning of this year. On my report I too see sites only I have reported. It never occurred to me (duh!) that they might be false positives. Actually there are 5 of them in my list, and the funny thing is they are all exactly 4 letters.com. There is also one site where my report is 1 of 2, also 4 letters.com. Anyone mind if I inconvenience some forum electrons here?

6-11-07 gxxy.com: score 1/1; InterNIC whois:
Domain Name: GXXY.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http : // www. bizcn.com
Name Server: NS1.4EVERDNS.COM
Name Server: NS2.4EVERDNS.COM
Status: clientTransferProhibited
Status: clientDeleteProhibited
Updated Date: 02-nov-2007
Creation Date: 01-dec-2003
Expiration Date: 01-dec-2008
gxxy.com shows as "pending" on McAfee Site Advisor. Site Advisor, however, found 63 trojans on the site bizcn.com. Also, according to virusalert.nl (in Dutch), the virus PWSteal.Gamanlock sends information harvested from the compromised computer to bbs9182.w165.bizcn.com.

16-11-07 hgga.com: score 1/1; InterNIC whois:
Domain Name: HGGA.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http : // www.enom.com
Name Server: NS1.DSREDIRECTION.COM
Name Server: NS2.DSREDIRECTION.COM
Status: clientTransferProhibited
Updated Date: 05-nov-2007
Creation Date: 31-mar-2003
Expiration Date: 31-mar-2008
hgga.com pending on McAfee Site Advisor, enom.com clean.

16-11-2007 jaqr.com: score 1/1; InterNIC whois:
Domain Name: JAQR.COM
Registrar: ARSYS INTERNET, S.L. D/B/A NICLINE.COM
Whois Server: whois.nicline.com
Referral URL: http : // www .nicline.com
Name Server: DNS7.SERVIDORESDNS.NET
Name Server: DNS8.SERVIDORESDNS.NET
Status: ok
Updated Date: 19-dec-2007
Creation Date: 18-dec-2003
Expiration Date: 18-dec-2008
jaqr.com pending on McAfee Site Advisor, nicline.com clean.

6-11-2007 qoca.com: score 1/1; InterNIC whois:
Domain Name: QOCA.COM
Registrar: MONIKER ONLINE SERVICES, INC.
Whois Server: whois.moniker.com
Referral URL: http : // www .moniker.com/whois.html
Name Server: DNSP1.POWERHOSTING.COM
Name Server: DNSP2.POWERHOSTING.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: clientDeleteProhibited
Updated Date: 24-dec-2007
Creation Date: 06-jan-2005
Expiration Date: 06-jan-2009
qoca.com pending on McAfee Site Advisor, moniker.com clean.

16-11-2007 ttqb.com: score 1/1; InterNIC whois:
Domain Name: TTQB.COM
Registrar: ENAME, INC
Whois Server: whois.ename.com
Referral URL: http : // www .ename.com
Name Server: PK1.ENAME.CN
Name Server: PK2.ENAME.CN
Status: clientTransferProhibited
Status: clientDeleteProhibited
Updated Date: 12-jan-2008
Creation Date: 20-jul-2007
Expiration Date: 20-jul-2008
ttqb.com pending on McAfee Site Advisor, ename.com also pending.

6-11-2007 danl.com: score 1/2; InterNIC whois:
Domain Name: DANL.COM
Registrar: TUCOWS INC.
Whois Server: whois.tucows.com
Referral URL: htt_p : //domainhelp . opensrs.net
Name Server: NS1.SEDOPARKING.COM
Name Server: NS2.SEDOPARKING.COM
Status: clientTransferProhibited
Status: clientUpdateProhibited
Updated Date: 09-may-2007
Creation Date: 07-jun-2000
Expiration Date: 07-jun-2008
danl.com shows as "pending" on McAfee Site Advisor, tucows.com clean of course (except for a little adware in the advertised downloads).

I also notice that the most "suspended" or "suspension pending" entries in my Knujon report seem to have the longest names. Coincidence?

I refuse to join the CastleCops forum as long as they use those awful militaristic "ranks". I did ask a moderator if they would create a category "irregulars" for me without rank progression, half jokingly ... the answer of course was 'fraid not. I hope no-one minds my continuing this discussion here as I'm really only addressing the issue of Knujon reports. But this is the Lounge, so what the heck?

I have re-examined my SpamCop reports for the dates my Knujon summary gives, but can find no mention of any of the four-letter names in the clear text of the full message, or under "Finding links in message body". I do not know how Knujon found these domain names, but I am also not well versed in any but the most simple technical procedures needed to find domain names if they are not obvious, which is one reason why I send reports to Knujon.

So the summary of what I have been able to find is pretty inconclusive. As I can find nothing which prompts me to want to ask for the site to be de-listed, I am inclined to leave it up to Knujon. What do you think, Rick, anything else I can do? Any suggestions or links you can give me for further research would be welcome and most instructive, by PM if you think all this is getting a little out of the SpamCop forum's province.

Penny

(Oops... sorry, broke links as quickly as I could!)
rconner Posted January 26, 2008 (Author)

> On my report I too see sites only I have reported. It never occurred to me (duh!) that they might be false positives. Actually there are 5 of them in my list, and the funny thing is they are all exactly 4 letters.com. There is also one site where my report is 1 of 2, also 4 letters.com. (snip) I also notice that the most "suspended" or "suspension pending" entries in my Knujon report seem to have the longest names. Coincidence?

I also have a couple of "four letter word" domains that only I seem to have reported. Don't know what to make of them. I also have two pending suspensions, but wouldn't call the domain names unusually long. It bothers me that I don't recall SpamCop popping these domains up as spam websites. Of course, some of my spams have very highly obfuscated addresses that SC can't or won't parse, so perhaps some of these are being detected by knujon.

> I refuse to join the CastleCops forum as long as they use those awful militaristic "ranks". I did ask a moderator if they would create a category "irregulars" for me without rank progression, half jokingly ... the answer of course was 'fraid not. I hope no-one minds my continuing this discussion here as I'm really only addressing the issue of Knujon reports. But this is the Lounge, so what the heck?

Well, the ranks do seem kinda silly, but I've nevertheless signed on as a "cadet" and posted some questions (http://www.castlecops.com/t213938-Question...ujon_works.html) that perhaps someone might answer for me.

> I have re-examined my SpamCop reports for the dates my Knujon summary gives, but can find no mention of any of the four-letter names in the clear text of the full message, or under "Finding links in message body". I do not know how Knujon found these domain names, but I am also not well versed in any but the most simple technical procedures needed to find domain names if they are not obvious, which is one reason why I send reports to Knujon.

I actually do know how to find URLs and the like embedded in spam bodies, and can do it pretty much by eye except in the case of the most constipated spams. This is why it bothers me that I'm not recognizing some of these names. Still, I have no basis from which to draw any conclusions yet.

> So the summary of what I have been able to find is pretty inconclusive. As I can find nothing which prompts me to want to ask for the site to be de-listed, I am inclined to leave it up to Knujon. What do you think, Rick, anything else I can do? Any suggestions or links you can give me for further research would be welcome and most instructive, by PM if you think all this is getting a little out of the SpamCop forum's province.

I would that knujon provided a bit more comprehensive explanation of what they do with these data that we send to them. Too many details seem to be hidden. Yes, it is true that most of us wouldn't know what to make of such details, but some of us do know, and would like to see them. By contrast, although SpamCop is pretty complicated, you can if you wish see nearly everything they do with your spam, and they not only encourage you to take direct personal responsibility for your own reports, they REQUIRE you to do so. The question appears to be whether we are simply using a tool to help us file reports for ourselves (as with SpamCop), or whether we are simply handing off the spam for someone else to process in ways not known to us.

One interesting tidbit is found on the knujon site at http://www.knujon.com/sendusspam.html#reg_nonreg, all the way at the bottom of the page:

> "Email forwarded to KnujOn becomes the property of KnujOn.com and Coldrain.net."

This suggests to me that whatever I send to them becomes "theirs," such that they can do what they like with it. This would tend to let me off the hook as far as false reporting is concerned. On the other hand, I find this at http://www.knujon.com/register.html (under "AGREEMENT"):

> "I also release Knujon.com and Coldrain.net from any liability that may arise as the result of procedural actions against websites or entities for which Knujon is handling complaints on my behalf."

So, reading this as a non-lawyer, I figure that this puts the blame right back onto me if there are repercussions from false reports that I initiate. Very confusing.

Another worrisome detail is the fact that I sent knujon a message (via their website form) asking about an issue unrelated to the matters here, but it's been nearly a week with no response from them.

As for what to do, I think what I'll try in my own case is to throttle back on the reporting to knujon, and carefully check each spam before I report it to them and then again after the results are "posted." Perhaps then I can find some correlation which now escapes me. Also, maybe I will get a response to my CastleCops post; if so, I will post a link here.

-- rick
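Penny's search of her SpamCop reports for the four-letter names and Rick's remark about obfuscated addresses that SC "can't or won't parse" come down to the same check: does a message actually contain a given domain once every encoding layer has been removed? The Python script below is an added example written for this thread; it is not code from the forum, from KnujOn or from SpamCop, and it makes no claim about how either service parses mail. It decodes each MIME part from its transfer encoding (base64, quoted-printable), resolves HTML character references and percent-encoded hostnames, and then says which domains from a report list have evidence in the message. The sample message and the report list are constructed for the example; every hostname and address in them uses the reserved .example TLD and none of them is real. The "registrable domain" helper is a deliberate simplification (last two labels) noted in the code.

```python
import base64
import email
import html
import re
import urllib.parse
from email import policy

# Constructed sample message (not from the thread). A base64 text/plain part and a
# quoted-printable HTML part hide three of the four link domains from a plain-text
# search: "eeee.example" is inside base64, "www.bbbb.example" is spelled with HTML
# character references, and "cccc.example" has a percent-encoded dot.
_PLAIN_B64 = base64.b64encode(b"Visit http://eeee.example/now today.\n").decode()

SAMPLE_EML = f"""From: promo@sender.example
To: user@recipient.example
Subject: your order
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="sep"

--sep
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: base64

{_PLAIN_B64}
--sep
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>
<a href=3D"http://www.aaaa.example/buy">click</a>
<a href=3D"http://&#x77;&#x77;&#x77;&#x2e;bbbb.example/x">more</a>
<a href=3D"http://cccc%2Eexample/p">and</a>
<img src=3D"http://img.tracker.example/pixel.gif">
</body></html>
--sep--
"""

# Matches an http(s) URL or a bare www. host; stops at whitespace and quote/bracket
# characters that end an attribute value or a sentence.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s"'<>()]+""", re.IGNORECASE)


def decoded_text_parts(raw: str) -> list:
    """Return every text/* part with its transfer encoding (base64, QP) removed."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]


def extract_hosts(raw: str) -> set:
    """Collect normalised hostnames from every decoded part of the message."""
    hosts = set()
    for text in decoded_text_parts(raw):
        # Character references (&#x77; -> 'w', &#x2e; -> '.') must be resolved
        # before the URL regex runs, or the obfuscated link is never seen.
        text = html.unescape(text)
        for url in URL_RE.findall(text):
            if url.lower().startswith("www."):
                url = "http://" + url
            host = urllib.parse.urlsplit(url).hostname or ""
            # A percent-encoded label (cccc%2Eexample) decodes to an ordinary name.
            host = urllib.parse.unquote(host).rstrip(".").lower()
            if host:
                hosts.add(host)
    return hosts


def registrable(host: str) -> str:
    """Simplification: last two labels. A real tool should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def check_report(raw: str, reported: list) -> dict:
    """Map each reported domain to True if the message contains evidence of it."""
    found = {registrable(h) for h in extract_hosts(raw)}
    return {d.lower(): d.lower() in found for d in reported}


if __name__ == "__main__":
    # Constructed report list: four domains the message does link to, one it does not.
    report = ["aaaa.example", "bbbb.example", "cccc.example", "eeee.example", "zzzz.example"]
    for domain, seen in check_report(SAMPLE_EML, report).items():
        print(f"{domain:16} {'evidence in message' if seen else 'NO evidence in message'}")
```

Run it on a saved .eml file by replacing SAMPLE_EML with the file's contents and the report list with the domains from the summary you are checking. A domain that still shows no evidence after this pass is the one worth querying with the reporting service before letting the report stand, which is exactly the gap both posters describe: a plain-text search of the message cannot settle the question on its own.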