davitof Posted August 8, 2008

For a few days now, a lot of spam has been arriving ("CNN.com daily alert" and "CNN Alerts: My Custom Alert"). These are much more complex than normal everyday spam and the volumes are much higher than usual. So I wonder if it is any use continuing to report them, or if we should avoid overflowing SpamCop with these?

StevenUnderwood Posted August 8, 2008

> For a few days now, a lot of spam has been arriving ("CNN.com daily alert" and "CNN Alerts: My Custom Alert"). These are much more complex than normal everyday spam and the volumes are much higher than usual. So I wonder if it is any use continuing to report them, or if we should avoid overflowing SpamCop with these?

If I were you, I would report a few and see if they all come from the same source IP or if they are distributed. If all the same, I would be tempted to just report a few a day (to add to the BL) as others have likely also reported them to help get them on the BL. If the source addresses are all different, these are likely coming from compromised desktop machines, in which case I would report them all so that all the different IPs get at least a report against them. Then the ISP can do what they want with the report. I don't think SpamCop's capacity is such an issue any longer as we have not had the bad delays and other symptoms in quite a while (knock, knock).

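The check suggested in the post above (same source IP, or distributed?) can be done offline over a folder of saved messages. This is an added example, not part of the original thread and not SpamCop's code; the receiving host `mx.example.org`, the sample messages and the 50% threshold are assumptions.

```python
import re
from collections import Counter
from email import message_from_string

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def make_sample(mx_seen_ip, claimed_ip):
    """Constructed message: top Received line from our MX, lower one sender-supplied."""
    return (
        f"Received: from unknown ([{mx_seen_ip}]) by mx.example.org; "
        "Fri, 8 Aug 2008 10:00:00 +0000\n"
        f"Received: from mail.cnn.com ([{claimed_ip}]) by unknown; "
        "Fri, 8 Aug 2008 09:59:00 +0000\n"
        "Subject: CNN.com daily alert\n\n(body omitted)\n"
    )

# Constructed inputs using documentation-range addresses only.
SAMPLES = [make_sample(ip, "198.51.100.200") for ip in
           ("192.0.2.10", "203.0.113.5", "198.51.100.7", "192.0.2.10", "203.0.113.77")]

def handoff_ip(raw_message):
    """Return the IP our own MX logged, or None if there is no usable Received header."""
    received = message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # Topmost header was added last, by our own server; lower ones can be forged.
    match = IP_IN_BRACKETS.search(received[0])
    return match.group(1) if match else None

def tally_sources(raw_messages):
    """Count messages per hand-off IP, skipping messages with no usable header."""
    return Counter(ip for ip in map(handoff_ip, raw_messages) if ip)

def looks_distributed(counts, max_top_share=0.5):
    """True when no single IP accounts for more than max_top_share of the mail."""
    total = sum(counts.values())
    if total == 0:
        return False
    return counts.most_common(1)[0][1] / total <= max_top_share

if __name__ == "__main__":
    counts = tally_sources(SAMPLES)
    for ip, n in counts.most_common():
        print(f"{ip:15} {n}")
    print("distributed" if looks_distributed(counts) else "single source dominates")
```
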
Farelf Posted August 8, 2008

> For a few days now, a lot of spam has been arriving ("CNN.com daily alert" and "CNN Alerts: My Custom Alert"). These are much more complex than normal everyday spam and the volumes are much higher than usual. So I wonder if it is any use continuing to report them, or if we should avoid overflowing SpamCop with these?

See http://forum.spamcop.net/forums/index.php?...ost&p=66058 which is the topic started for the spam which seems to have 'evolved' into the CNN stuff (which now consists of 2 or more varieties, as you note). I'm with Steven, the volume shouldn't matter and the complexity doesn't seem to be an issue for the parser - for instance it seems to "know" to ignore any real CNN links and only goes after the actual infector site (payload site which tries to trick visitors into downloading malware and turning *their* machines into zombies too) when it analyzes the links.

The sending sites seem to be the usual botnet zombies so there's a chance the unsuspecting owners might get to learn what their computers have been up to through reports to their ISPs (and disinfect them), and volumes might be enough to get them listed on the SCbl and slow the flow, or at least make the botnet controller work for his money. These things DO contain links to infector sites so disruption is (to my mind) even more important than it is for commercial spam. For that reason too, if my suspicion that these infector sites are mostly hacked is correct, then reporting those sites is more likely to get them taken down and cleaned up than would be the case for ordinary commercial spamvertized sites. Just my opinion.

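The link triage described in the post above, separating genuine CNN links from the one link worth reporting, sketched as an added example. It is not part of the original thread and is not how SpamCop's parser is known to work; the sample HTML and the `example.net` / `example.org` hosts are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND_DOMAIN = "cnn.com"  # the brand the message claims to come from

# Constructed message body; hosts under example.* stand in for hacked sites.
SAMPLE_HTML = """
<a href="http://www.cnn.com/2008/WORLD/">Top story</a>
<a href="http://hacked-site.example.net/cnnvideo.html">Watch video</a>
<a href="http://www.cnn.com.example.org/player">Full story</a>
<a href="http://edition.cnn.com/unsubscribe">Unsubscribe</a>
<a href="mailto:alerts@cnn.com">Contact</a>
"""

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in document order."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

def is_brand_host(host, brand=BRAND_DOMAIN):
    """True only for the brand domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # "cnn.com.example.org" ends with ".example.org", not ".cnn.com".
    return host == brand or host.endswith("." + brand)

def triage(html):
    """Split web links into (genuine brand links, links worth reporting)."""
    collector = LinkCollector()
    collector.feed(html)
    genuine, suspect = [], []
    for url in collector.links:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and similar are not payload sites
        (genuine if is_brand_host(parts.hostname) else suspect).append(url)
    return genuine, suspect

if __name__ == "__main__":
    genuine, suspect = triage(SAMPLE_HTML)
    print("ignore:", *genuine, sep="\n  ")
    print("report:", *suspect, sep="\n  ")
```
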
Merlyn Posted August 9, 2008

Update: Fake-CNN spam mutates as attacks continue http://www.computerworld.com/action/articl...rc=news_ts_head

Farelf Posted August 10, 2008

> Update: Fake-CNN spam mutates as attacks continue http://www.computerworld.com/action/articl...rc=news_ts_head

Thanks Merlyn. It appears the attack is unabated, checking the mailbox of the account I am receiving these on, over VPN (unfortunately I can't get the headers over Outlook Web Access to report them). Some (elsewhere) have commented that the numbers are tapering off but I would guess that's just some filtering kicking in.

CNN is not coping at all well with this (so yeah, to the OP, help them, definitely REPORT the things if you can). Their (CNN) advice - at the top of http://behindthescenes.blogs.cnn.com/2008/...nncom/#comments was late, incomplete (didn't spell out the hazard) and in the user comments (a blog which *reviews* posts) they even allowed the posting of a live link to one of the infector sites! (Fortunately that infector page is gone at the moment but did the website's owner close the vulnerability? If not the exploit page can be restored in an instant.) For Pete's sake. If ever we wonder if we do any good 'here' just have a look at that comment blog and so remind yourself what the average, uncommitted (even when aroused), internet user is like. Pitiful. And the manifest inadequacies of businesses (even those in the communications business) - or CNN at least - to deploy any sort of realistic and timely response when they are 'used' in attack. I mean, CNN is being harmed by this too, have they never foreseen the possibility?

Oh yeah, to all, don't go following "Microsoft.com's" emailed invitation to update IE7. Unrelated (it looks) but yet another spoof pointing to Lord knows what at some definitely non-MS website target (along with some genuine MS "background" links, like "unsubscribe"). "You are receiving this e-mail because you subscribed to MSN Featured Offers." - what nonsense.

Seen amongst all my "CNN alerts" (as they are now), along with messages from those helpful "UPS Postal Service" people (unzip attached invoice and mosey on down to our office to retrieve your package - 12,000 miles away but what the heck) and an eCard awaiting my download, just to cheer me up. Wow, as said elsewhere, the botnet recruitment thing is really picking up. Please report them.