Victimized by Spamcop


marcsten

We own hundreds of domain names. About 6 months ago we set up a reseller account with a Hosting Provider. Some Domain Names have their own accounts, but the majority of all our domain names are just pointed to one or the other account within the reseller hosting account.

After several weeks or months, the hosting provider suspended our account and we were told that there were spamcop complaints regarding some of our domain names. The domain Names mentioned did not even have any email capabilities or their own websites, they were just pointed to an “under construction” website. Eventually we had to change the Hosting Provider because our Account kept being suspended/unsuspended and it seemed that the Hosting Provider did not want to spend the time to research our claims and fight with spamcop, even though these spam allegations were completely unfounded etc.

After we moved to another "capable and reliable provider" everything went well for a few months, but within the last few weeks our account was again suspended/unsuspended and has now been suspended for several days.

This time we had set up all the accounts in such a way that all the MX capabilities were completely removed, just to be sure that we would not be falsely accused to be involved with spam again. This time the accusations from spamcop are that some of our domain names are "spamvertised", and since we are on a shared server, the Hosting Provider had to disable our account in order not to risk having the whole server blocked by spamcop. We received some of the spamcop complaints from our Hosting Provider and found that some of our domain names, sometimes along with some other "innocent" websites were mentioned/linked in spam messages (I have no idea why). If anyone would have ever checked on any of the links which were supposedly "spamvertised" one could easily have seen that all of our names were just pointing to the same type of "under construction" page with no commercial content whatsoever. It seems to me that spamcop is just having robots looking at content of spam messages and automatically threatens to block IP addresses even though there is absolutely no real reason for such action. Since time is money, nobody is investigating whether the allegations are supported by any shred of evidence. We therefore become innocent victims of spamcop's efforts to fight real spammers. It seems that the real spammers can easily move around and abuse the system but spamcop is able to create a lot of grief for people like us, I guess we are just part of "collateral damage" victims. In the real world no cop would be allowed to hit every potential suspect over the head, hoping to also hit some "bad guys".

My question is how can we avoid to be victimized by spamcop?

Thanks!

Only going with what you've stated. SpamCop does NOT do any blocking of anything. That's the first misconception.

That you go to the extent of talking about having no MX's, no e-mail sent is an interesting concept. If all this was actually accomplished, then this would mean that there'd be no way any of your IPs could have ever made it to the SpamCop dnsBL either, as theoretically, no e-mail would have ever left any of your systems. (Though this seems odd that none of your clients wouldn't want to have their own e-mail address tied to "their" domain .. but none of my business)

It does sound like you have been through two ISPs that also don't understand the issues, or how SpamCop works. If all is as you say, then your ISP could have simply followed through with any of the "complaints" and had your "sites" identified as "innocent bystanders" ..... There is no mechanism in place at SpamCop to add in Domains or web-sites into the dnsBL .. this list of IP's is only used to identify sources of spam spew.

There are no "robots" involved. SpamCop is a tool used to more easily and accurately track down the source of the spam coming into someone's InBox. Spam is submitted to the tool, spam is parsed, and a list of targets for the complaints is offered. It's up to that user to make that final determination as to which report gets sent or not. And, as an additional note, if there is claim that the spam complaint/report was bogus, there are penalties involved for the reporter, ranging from a "fine" to banishment.

Your real issue is with the spammers, actually. Of interest, of course, is why a spammer would be pointing to an "under construction" web page for any reason. Is there perhaps some history behind the "we own hundreds of domain names" .. all generated and originally registered by "you" .. or are you picking up some stuff that's been abandoned by someone else because of the spamvertised history? Not implying anything, just trying to figure out what else could be behind the question asked above.

This time the accusations from spamcop are that some of our domain names are "spamvertised",

These are not 'accusations' from spamcop. They are merely reports that these domain names were 'advertised' in spam.

the Hosting Provider had to disable our account in order not to risk having the whole server blocked by spamcop.

Since spamcop does NOT put domain names on its blocklist, there is no risk of having any server blocked by someone using the spamcop blocklist.

Since time is money, nobody is investigating whether the allegations are supported by any shred of evidence.

Spamcop provides a service for people who receive spam to report it to the proper place. Sometimes 'innocent' domain addresses are included in spam. However, unless they are obvious (like the AMA in prescription medicine spam), most people don't know whether they are innocent or not so they send a report. If your hosting provider does not want to investigate the report, then you have a problem with them. You already have an answer on how to contact spamcop about innocent bystanders.

Most domain owners are happy to receive the spamcop reports because they do not want their name associated with spam. Although there is not much that can be done to the spammer (unless you have deep pockets), some sites will put a disclaimer on their web site. Since most of your sites are under construction apparently, there is no point to putting a disclaimer on your sites. (though I do remember a post that asked why spammers would point to an 'under construction site')

So you are being victimized by the spammers and by your Hosting providers, not spamcop.

If you want further information so that you can educate your hosting provider, just ask.

Miss Betsy

Wow, thanks for your replies. I am impressed that you took the time to answer in a detailed way.

Yes, I’m a newbie with spamcop and also not very knowledgeable with technical matters regarding the inner workings of the internet. What I do know is that it has happened twice now that our Hosting Provider did not want to deal with us anymore, a client for some of whose domain names they continued to receive spamcop complaints/warnings. Yes, the Provider could check on each complaint and then report back to spamcop, but then another domain is being reported or again the same name a few days/weeks later and it never ends, since there are hundreds of domain names pointing to the same IP address. Spamcop obviously sends out messages without checking the merits of the complaints and leaves it up to the Hosting Provider to check and respond…

Since spamcop is not sending the complaints to me, I cannot react directly to take the pressure off the Hosting Provider…

I would love to share the actual spamcop messages I received from the Hosting Provider, but I would like to do it in a “private” way with someone who has authority at spamcop to make changes.

I did not get the complaints directly, but I can understand a provider that does not want to constantly investigate many spamcop complaints for the same client, at some point you’d rather ditch the client than having to go through all that time and trouble.

Regarding MX records: We have full control over all our domain names, most of them were just pointed to an “under construction” site. At this point they do not need any email capabilities and yes, we discovered when we had enabled email on some of them for a short while, that although we owned all the domains for several years and never used them in any way, some of them received tons of spam. That was part of the reason why we disabled the MX records at the advice of the most recent Hosting Provider, in order not to unnecessarily burden their mail servers with junk.

As you know there are often bogus return addresses included in spam and in our case also links to nonexistent websites.

For example two “spamvertised” mails contained these links (I replaced the actual domain names with “xyz”):

<a href=http://xyz.wqwemds.com/at>V`1`S`I`T Our S`1`T`E and 0`r`d`e`r h`e`r`e</a><br><br><br><br><br><br><br><br><br><a href=http://xyz.net>^</a><a href=http://xyz.com>*</a><br><a href=http://xyz.org>

or

<a href=http://sclerosis.sayzsw.com/at>NOw VIS1T 0ur W`EBSITE : C!1!1!C!K H!E!R!E</a><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><br><a href=http://xyz.net>^</a><p><a href=http://xyz.com>*</a></p><a href=http://xyz.org>

Obviously each mail contains links to four “spamvertised websites”. At least none of the last three domains had anything to do with any spam as far as I can tell.

Since one of each of the four domains mentioned in these spam letters is my domain name, I automatically get reported/complained about. Why are four domains “spamvertised” in each mail? – Beats me!

Unfortunately I did not see a solution to my concern: What can I do to directly deal with the complaints, since the Providers seem to be unwilling to spend many hours to investigate many complaints and figure out whether I’m telling the truth or not?

Is there a way that spamcop can send me potential complaints related to a certain IP address directly?

Thanks!

Why are four domains “spamvertised” in each mail?

Ok, one of the ways a number of spammers have tried to beat the SpamCop tool is by "overloading" it with too many URL's ... this is probably the first most likely scenario in your inclusion in the lists of links.

I would like to do it in a “private” way with someone who has authority at spamcop to make changes.

From what you've offered, I'm not sure that there are any direct changes that can be made (this does go back to whoever's getting the reports to follow through on them and do the innocent bystander thing) ... but a direct line would be to send your details to Deputies at admin.spamcop.net

I did not get the complaints directly ..... Is there a way that spamcop can send me potential complaints related to a certain IP address directly

First of all, have you registered an abuse address at abuse.net for all the domains in question? Depending on your network size (and therefore your hosting ISP's agreement), please see the FAQ at http://www.spamcop.net/fom-serve/cache/94.html ....

I think "we've" touched a bit on about the only real tangible thing you can do under the circumstances as they appear, and that's to find a host that is either up to snuff on the various BL's or is willing to get a bit more educated. It is shocking to see thousands of spam complaints going to the same ISP hour after hour, month after month and absolutely nothing seems to happen .. and then there are stories worse than yours, sites/Domains getting whacked at the first hint of a SpamCop report, even though for a spamvertised site notification, there is no such thing as "blocking" via the SpamCop system. (There are so many other Block lists for such a thing <g>)

Here are a few facts that might be useful.

  • The SpamCop blocklist (SCBL) does not list domain names or email addresses, it only lists IP addresses which have been determined to be the source (origination point) of spams reported by users.
  • If a spammer mentions an unrelated domain name in a URL in the message body it can generate spam reports. "Spamvertised" URLs DO NOT feed the blocklist (unless the IP of the domain is also determined to be the source IP). Mentioning non-related domains in spam is not a smart move by spammers because it sends potential 'pigeons' to unrelated sites. Most people never click on even one link in a spam, much less two (or more) so spammers are cutting their own profits by misdirecting their 'marks'.
  • Should a spammer be stupid enough to try using links to non-related domains in his spewage the abuse department receiving the spam report(s) can easily mark a domain as an innocent bystander by following a link in the spam report. This will permanently turn off ALL future reports about a domain unless a paying SpamCop user files an appeal of the claimed status. When an appeal is filed a SpamCop Deputy or admin will review the evidence and if it is determined that the 'innocent bystander' isn't so innocent the ability for users to report the URL will be restored.
  • spam reports do not accuse anyone of spamming, you can see an example of what a spam report looks like here. The determination of a domain's involvement with the spam is decided solely by the abuse department receiving the spam report.
  • SpamCop DOES NOT pay any attention to the return address, it is generally forged. No spam reports are ever sent based on the content of the From: or Reply-To: addresses.

Just as a sanity check:

There is still the spammer that is sending out the fake notices claiming that spamcop is going to block a domain.

A web hosting provider with adequate spam protection would not see most of these as they are sent through open proxies.

An incompetent web hosting provider may believe them.

-John

Personal Opinion Only

There is still the spammer that is sending out the fake notices claiming that spamcop is going to block a domain.

I'd like to see one of these. If you post it, please surround it with text indicating that it is untrue. Thanks!

I'm probably reading this too superficially, but it seems to me that his biggest problem lies with his ISP/host provider(s).

It sounds like the ISPs simply run for the hills when they get their first spamcop notice (be it a real, forged, or mistake message). Instead of spending a couple of minutes to actually check out the complaint and deal with spamcop, they simply cut the guy loose.

The ironic thing is that is EXACTLY what we wish providers would do to REAL spammers -- drop kick them immediately.

Funny thing my ISP only took my spam complaints seriously when I told them I was reporting all spams to Spamcop. You have no idea how much they improved the spamblocking overnight. They are even studying each spam detected on the server before I get it filtered and cleaned of all bugs and viruses.

can't find it on the spamcop website now.

I'm thinking that the sample was actually on one of Julian's pages, but I also gave up looking for it.

I think you will find it was posted by Anthony Rabaa at amconresearch.net (going by threads like http://news.spamcop.net/pipermail/spamcop-...rch/036146.html) but it's gone now, got a reference to it in web archives WayBack machine but neither the actual spamcop.eml nor spamcop-two.eml (public copy) was archived. So much for "immortalized on the web".

I appreciate your help and suggestions, thanks a lot. I'll follow up tomorrow.

Send me a copy of the report -- and I will look at it and set whatever innocent bystander flags that need to be set. deputies <at> spamcop.net

I am no expert at spam. But I DO know it's easy to bounce off of a router and steal an IP. Is it possible some of these spammers are doing just that?? We already know the return addresses are bogus. Just curious after reading the above posts if maybe the spammers are doing something similar. Thanks.

Mentioning non-related domains in spam is not a smart move by spammers because it sends potential 'pigeons' to unrelated sites.  Most people never click on even one link in a spam, much less two (or more) so spammers are cutting their own profits by misdirecting their 'marks'.

What Wazoo refers to is the relatively new technique of 'hiding' dozens of innocent URLs behind the visible html of a spam email. What the victim sees is perhaps one or two URLs at most. However, they DON'T see the dozens more within the source and so they are not distracted by them. They are there purely for generating the "too many URLs" error on a Spamcop submission. I have had many of these myself and I have edited the source, removing the innocent bystanders, such that only the guilty URLs get submitted! But that is not a task we can expect everyone to carry out!! As I said, it's a new tactic, and one deliberately aimed at foiling Spamcop submissions :angry:

I hope the innocent bystanders will take some action, the problem is that a lot of ISPs do not take spam seriously and we are all victims. I have lost track of how long I have been reporting yet, except for brief pauses, I keep getting repeats of the same annoying spams, routed through the same limited IPs in cycles....

If spammers would simply target potential customers it baffles me that they would continue to send the same spew to a limited number of people over and over...doing everything to frustrate and beat any action against them...

What Wazoo refers to is the relatively new technique of 'hiding' dozens of innocent URLs behind the visible html of a spam email. What the victim sees is perhaps one or two URLs at most. However, they DON'T see the dozens more within the source and so they are not distracted by them. They are there purely for generating the "too many URLs" error on a Spamcop submission. I have had many of these myself and I have edited the source, removing the innocent bystanders, such that only the guilty URLs get submitted! But that is not a task we can expect everyone to carry out!! As I said, it's a new tactic, and one deliberately aimed at foiling Spamcop submissions  :angry:

AIUI the parser ignores URLs and domain names contained in the source code of HTML spams if they are not visible as links when the HTML is rendered.
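
An added example, not part of the thread and not SpamCop's parser: a sketch of how someone receiving such reports could separate anchors with readable link text from the filler anchors seen in the samples quoted earlier (link text of `^`, `*`, or nothing at all). The three-character heuristic, the function names and the `example.*` hosts are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the spam quoted earlier in the thread;
# the host names are placeholders, not the reported domains.
SAMPLE = (
    '<a href=http://shop.example.com/at>V`1`S`I`T Our S`1`T`E</a>'
    '<br><br><br>'
    '<a href=http://bystander.example.net>^</a>'
    '<p><a href=http://bystander.example.org>*</a></p>'
    '<a href=http://bystander.example.edu>'
)


class AnchorCollector(HTMLParser):
    """Collect (href, link text) for every <a>, including unclosed ones."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []    # finished (href, text) pairs, in document order
        self._href = None    # href of the anchor currently open, if any
        self._text = []

    def _finish(self):
        if self._href is not None:
            self.anchors.append((self._href, "".join(self._text)))
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._finish()   # a new <a> implicitly ends an unclosed one
            self._href = dict(attrs).get("href")

    def handle_endtag(self, tag):
        if tag == "a":
            self._finish()

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def close(self):
        super().close()
        self._finish()       # flush an anchor still open at end of input


def has_readable_text(text):
    """Heuristic (an assumption): link text a reader could act on holds
    at least three letters or digits; '^', '*' or nothing does not."""
    return sum(ch.isalnum() for ch in text) >= 3


def triage(html):
    """Return {'prominent': [hosts], 'filler': [hosts]} in document order."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    result = {"prominent": [], "filler": []}
    for href, text in parser.anchors:
        host = urlsplit(href).hostname or href
        bucket = "prominent" if has_readable_text(text) else "filler"
        if host not in result[bucket]:
            result[bucket].append(host)
    return result


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "filler" result only says the link was given no readable text; whether that host is an innocent bystander is still decided by whoever receives the report.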

<snip>

What Wazoo refers to is the relatively new technique of 'hiding' dozens of innocent URLs behind the visible html of a spam email. What the victim sees is perhaps one or two URLs at most. However, they DON'T see the dozens more within the source and so they are not distracted by them. They are there purely for generating the "too many URLs" error on a Spamcop submission. I have had many of these myself and I have edited the source, removing the innocent bystanders, such that only the guilty URLs get submitted! But that is not a task we can expect everyone to carry out!! As I said, it's a new tactic, and one deliberately aimed at foiling Spamcop submissions  :angry:

It should be pointed out that editing the source to enable the use of the parser to identify the real spamvertised sites for subsequent manual reporting is fine, actually using the edited source to send reports to admins of spamvertized websites in the normal way is not - refer Material changes to spam. Because it seemed reasonable (to me) to "help" the parser, I emailed the deputies last month for confirmation and received the following gentle knock-back from Ellen

Hi Stephen -- we are aware of this spammer and the "empty" links which are put into the body of the spam just to create problems for SpamCop. We have been working on getting a code fix to resolve this problem. Please do not alter your spam. I know it is frustrating to see the "too many links" message but please bear with us until we get this resolved.

[edited] ob1db [/edited] subsequently pointed out that the requisite links *were* resolved on going back to the cancelled report confirmation (and it was so) but subsequently this seems to have gone or is intermittent. Worth checking though, to save a bit of work. There's always the survey to make the point for those hoping for something to happen a little sooner.

  • 3 weeks later...

I'm having a similar problem to the original poster with a slight variation. My company's site is a very popular Mac software update site. As a result, third parties who are advertising their products often include links to our web site for downloads, more information, reviews, etc. It seems that, at least once a week, I receive a spam report accusing our site of being "spamvertisers" within these emails.

And, near as I can guess, these emails appear to be legitimate mailings to registered users of a product. So, I really can't contact the senders of these emails as I really can't say they are spam. And, if they are announcing an update to their software, my company would like to encourage these software developers and their users to use the services of our site. (in other words, I really don't want to tell legitimate emailers that they can't include links to our site). Further, we, ourselves, have users that sign up for our daily updates email, and then, several months later, decide to report us as spammers (I delete their accounts as soon as I receive the report). So, I also have some sympathy for their accused "spammer".

Now, I saw that Spambo earlier posting that claimed that spamvertisers are not included in the blacklist since they don't have a proper IP address associated with them. But the report I received included an IP address. So, I see no reason to believe it wouldn't be added to a blacklist. Further, Spambo states to not be an employee of SpamCop, so I can't depend on such assurances that we're not going to be blacklisted.

Also, I've seen statements about reporting our site as "an innocent bystander" to deputies. I've done a bit of searching on the spamcop.net site, but can't find any details. And, there are no links in the report other than the one that gives me some statistics on the incident itself. There are no links that I saw to report innocence or otherwise.

We're a small web company that's struggling to survive in this economy. SpamCop's blacklisting can have a very negative effect on our business. I try to take these reports seriously and they worry me greatly.

I'm having a similar problem to the original poster with a slight variation. My company's site is a very popular Mac software update site. As a result, third parties who are advertising their products often include links to our web site for downloads, more information, reviews, etc. It seems that, at least once a week, I receive a spam report accusing our site of being "spamvertisers" within these emails.

If you are truly an "innocent bystander" then the abuse department receiving the spam reports can easily follow a link to mark you as such. This will turn off future reports coming from SpamCop until/unless a user appeals the status and a Deputy or admin agrees that the "innocent" status doesn't apply and reinstates users ability to report your URL through SpamCop.

And, near as I can guess, these emails appear to be legitimate mailings to registered users of a product.

The fact that people have "registered" a product does NOT mean that they have explicitly granted their permission to receive "unsolicited commercial or bulk email" from the product vendor. Spam is an issue of conSent, not conTent.

So, I really can't contact the senders of these emails as I really can't say they are spam.

So ask them not to refer to your domain in any bulk or commercial emails unless their mailing list uses confirmed opt-in.

Now, I saw that Spambo earlier posting that claimed that spamvertisers are not included in the blacklist since they don't have a proper IP address associated with them.

That is not exactly true, spamvertizers are not included in the blacklist because that is not the criteria used by the spamcop bl to blacklist an IP address, only sources of recent spam are listed.

Further, Spambo states to not be an employee of SpamCop, so I can't depend on such assurances that we're not going to be blacklisted.

For an official word, you need to contact deputies<at>spamcop.net. Almost everyone on these forums are users who volunteer our time to help out where we can.

Also, I've seen statements about reporting our site as "an innocent bystander" to deputies. I've done a bit of searching on the spamcop.net site, but can't find any details. And, there are no links in the report other than the one that gives me some statistics on the incident itself. There are no links that I saw to report innocence or otherwise.

Are you receiving the reports as an interested third party or as the administrator of the IP address or domain? As the administrator, you should have more options to reply to the report. As I have never received an actual report for a spamvertized site, I could not be completely certain.

Also, I've seen statements about reporting our site as "an innocent bystander" to deputies. I've done a bit of searching on the spamcop.net site, but can't find any details. And, there are no links in the report other than the one that gives me some statistics on the incident itself. There are no links that I saw to report innocence or otherwise.

If you are receiving the reports and it is not happening as described in the FAQ Resolving issues and following, you should email the deputies with the detail you *did* get:

deputies <at> spamcop.net

Archived

This topic is now archived and is closed to further replies.
