Jump to content

Is this a new spammer method of verifying spamcop addresses?


elind
 Share

Recommended Posts

I have started, fairly recently, to receive more spam that includes my email address, or my name in the email address within the subject or the body of the spam. Nearly all my spam comes to my spamcop address anyway (go figure), but it occurs to me that if they expect it to be reported then it will be reported with my email clearly identified.

What they do from there is beyond me, but I would like to know if this is a recognized spammer method, and if it is possible for Spamcop to parse the message and subject and remove (munge?) the identifying information before reporting. Simply removing any match with the receiving address should be simple, I think.

In truth I have started to either not report these or, if I have a few minutes, removing that information myself before reporting. However if the volume increases that will not be practical.

Link to comment
Share on other sites

What they do from there is beyond me, but I would like to know if this is a recognized spammer method, and if it is possible for Spamcop to parse the message and subject and remove (munge?) the identifying information before reporting. Simply removing any match with the receiving address should be simple, I think.
Sounds like a kissing cousin to web bugging, but what do you suppose they would do with this info?

In order to make use of the information, the spammers would have to be able to see the reports. This probably wouldn't happen for botnet spam (where the spammers are stealing bandwidth), but might happen if the mail was sent from a resource that the spammer (or an ally) actually controlled. Likewise for reporting websites in the spam.

Me, I don't worry much about this, I just report.

-- rick

Link to comment
Share on other sites

There are lots of things I don't understand, like why waste so much resource on addresses that obviously are reporting and why send the same message repeatedly to the same addresses? Email itself may be cheap, but many sending locations and websites do get shut off due to reporting. Wouldn't it make sense to maximize their use better?

In this case I simply notice a new deliberate style and I am wondering if there is an explanation for it.

Link to comment
Share on other sites

...In this case I simply notice a new deliberate style and I am wondering if there is an explanation for it.
I have seen stuff like that - it comes and goes - for years. It may be some sort of attempt to evade filtering, more likely it is a bluff to discourage people from reporting but who knows? In most cases it won't serve as a tracking bug via SC reporting because (typically botnetted) the spammer will never see it. Spammers using botnets to send their stuff probably don't worry obsessively about SC anyway. They (more likely their bot herders, different 'trades') replace zombie machines faster they lose them - self-evidently, because botnets keep expanding). I just report it all.

I suppose only a small fraction of spam gets through to the typical user these days (ISP filtering). Of that which gets through, only a small fraction makes a sale - or whatever the aim of it is (due to sales resistance, common sense, demographic, etc.). Spammers respond to more efficient filtering by increasing the volumes they send. That is probably more critical than working on the sales resistance. The high volumes and distributed sending networks probably don't encourage close control anyway.

Anything which slows or diverts their spew is bad for business, even if just a little bit. A SC reporter who doesn't report is never going to hurt their business. Which comes back to the bluff as the most likely explanation. Maybe.

Link to comment
Share on other sites

Back in the day, many more people were more concerned about these instances of email addresses, primarily because the spam report would reveal a reporter and the email address could be 'listwashed' (removed from the spammer list so that he would not be reported). Most reporters no longer worry about listwashing because it apparently makes no difference in the amount of spam sent and there are enough reporters now that it doesn't make any difference if some are listwashed and, as was pointed out, a lot of spam is sent from botnets so that reports don't go to the spammer anyway.

Another reason that reporters stopped worrying about email addresses is that, if the spammer really wanted to know who was reporting, there are so many ways of coding an email to identify it, that there is not enough time on the reporter's part to decode it as well as having to go against spamcop rules in 'substantially' changing the spam.

spam lists of email addresses are constantly bought and sold (IMHO, part of the profit from spamming is the generation of lists and the selling of them. Since spammers are not honest people by definition, selling a list of email addresses gathered from reports as active email addresses to a buyer who doesn't pay attention to details is a possibility for the reason spamcop addresses are spammed. Possibly, your current spammer was sold an old spam generation program from the days of listwashing at the same time. (IMHO, a lot of the profit in spam is selling to the gullible who wanna be rich - like other products sold by spammers, the spam list and generation program may not be the highest quality.)

Or possibly, as someone else suggested, email addresses in the body make it look as though it is a legitimate list to filters.

IOW, the bottom line is that it may be interesting to note changes in the construction of spam, but unless you possess the ability to think like a spammer and are privy to the latest buzz about how to evade filters and garner customers, you probably will never really know why spam is constructed the way it is.

And, there is no reason to worry about identifying your email address as a reporter because spammers are now relying on volume rather than avoiding being reported and few source reports go to the spammer because of the use of botnets. It would probably be better to avoid reporting spamvertized sites if you are concerned about what a spammer might do with your email address - though, it is unlikely that anything worse would happen than more spam.

Miss Betsy

Link to comment
Share on other sites

I think it's not a deliberate measure but rather one way of many techniques spammers use to get past spam filters, filters most people use nowdays. I get a lot of spam with my provider's help desk e-mail as the sender's. It's an annoyance, when I do get them I send a copy to the help desk as well for whatever good it might do.

Link to comment
Share on other sites

...I get a lot of spam with my provider's help desk e-mail as the sender's. It's an annoyance, when I do get them I send a copy to the help desk as well for whatever good it might do.
'Informed backscatter', I guess it could be called. Actually it raises a good point about (non-existent) sender validation - if help desks can't implement it for their own clients (so they can tag all else purporting to be from their help desk, or never see it), who can? But that's getting a little O/T. But yeah, it's not too much to expect your network to protect you from this stuff at least. And even the most rabid resisters of 'ISP filtering' (in which number I should be counted but the cunning sods blindsided me) could hardly object to networks filtering out forged help desk spam targeting their own clients, 'we would never send you emails' notwithstanding. Reminding them when this stuff comes in - that's one (perhaps the only) form of backscatter to which I am sypathetic. It might (who knows?) encourage them to lift their game. One day. For internal web mail would be nice too ;)
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...