Spamcop inconsistent in identifying spam sources and hosts


elind

I manually submitted a spam that was not caught and held by spamcop (even though it was clearly spam).

However in this case I did not see the website host identified in the first pass, so I pasted the source in again and then did see both email originator and website host and reported those.

I then had an "unreported" spam from the first attempt in the system, but when I clicked on that I now saw both the email source (same as the one above), and a website host, but the latter was not the same as the report(s) just submitted.

There are two questions here:

First, why would an initial report not show the website host, but then if that report is not sent and "unreported" spam is looked at there is suddenly a website host that was not there before, for the same spam?

Second, how can two reports of exactly the same spam (from the same copy/paste) result in different website identities?

Following are the IDs of these two reports:

Submitted: Wednesday, September 24, 2008 8:42:28 AM -0400:

a $10,000 watch, we sell at $200+-, 70-85% OFF your needed Watches, Japanese ...

* 3509468810 ( ht tp://tw wl.dxsp ell.cn/ ) To: p.sowa[at]multimedia.pl

* 3509468803 ( ht tp://tw wl.dxsp ell.cn/ ) To: a.dziedzic[at]multimedia.pl

* 3509468800 ( ht tp://tw wl.dxsp ell.cn/ ) To: abuse[at]cdp.pl

* 3509468795 ( ht tp://tw wl.dxsp ell.cn/ ) To: abuse.ip[at]multimedia.pl

* 3509468794 ( ht tp://tw wl.dxsp ell.cn/ ) To: abuse#multimedia.pl[at]devnull.spamcop.net

* 3509468778 ( ht tp://tw wl.dxsp ell.cn/ ) To: p.sadlo[at]multimedia.pl

* 3509468777 ( ht tp://tw wl.dxsp ell.cn/ ) To: postmaster#multimedia.pl[at]devnull.spamcop.net

* 3509468769 ( 84.222.136.107 ) To: abuse[at]tiscali.it

* 3509468764 ( 84.222.136.107 ) To: postmaster[at]tiscali.it

* 3509468750 ( 84.222.136.107 ) To: abuse[at]it.tiscali.com

Submitted: Wednesday, September 24, 2008 8:42:11 AM -0400:

a $10,000 watch, we sell at $200+-, 70-85% OFF your needed Watches, Japanese ...

* 3509470972 ( ht tp://tw wl.dxsp ell.cn/ ) To: abuse[at]comcast.net

* 3509470970 ( 84.222.136.107 ) To: abuse[at]tiscali.it

* 3509470967 ( 84.222.136.107 ) To: postmaster[at]tiscali.it

* 3509470965 ( 84.222.136.107 ) To: abuse[at]it.tiscali.com

[urls broken]

I've seen the parsing system be schizophrenic like this, and I'm sure it's been discussed before in the Reporting forum, which is where this topic belongs.

I can't remember the specific explanation, but it usually involves sometimes "seeing" and processing the embedded URLs, and then sometimes not.

BTW, Tracking URLs for your two attempts would be more useful than the data you posted.

DT

I've seen the parsing system be schizophrenic like this, and I'm sure it's been discussed before in the Reporting forum, which is where this topic belongs.

I can't remember the specific explanation, but it usually involves sometimes "seeing" and processing the embedded URLs, and then sometimes not.

BTW, Tracking URLs for your two attempts would be more useful than the data you posted.

To be honest, I was curious more than expecting someone to analyze this case in detail. I thought the reporting numbers would identify the spam to Spamcop if they wanted to look into it further.

Also, even though I have been using spamcop for years, I am never quite sure how to provide all the tracking data without inadvertently also publishing my email to all the spammer scum reading this.

If you want to give me a quick lesson, I'll try to do so.

To be honest, I was curious more than expecting someone to analyze this case in detail.

Here's a link to a mega-topic in the Reporting area about URLs not being reported:

URLs not reported, SC finds, but does not offer to LART!

I thought the reporting numbers would identify the spam to Spamcop if they wanted to look into it further.

Who is "Spamcop"? Most of the users here are just that....users. We can't do much with the data you posted, which is why posting Tracking URLs is generally the standard procedure for this kind of topic.

Also, even though I have been using spamcop for years, I am never quite sure how to provide all the tracking data without inadvertently also publishing my email to all the spammer scum reading this.

The information seen on each Tracking URL has been munged. If you find that there's still too much personal info there and want to remove some of it, you can make some careful modifications to the raw spam source that you paste into the reporting form during the creation of TUs for posting here....just don't complete the reporting process on those submissions, because that would break the rules.

DT

...There are two questions here:

First, why would an initial report not show the website host, but then if that report is not sent and "unreported" spam is looked at there is suddenly a website host that was not there before, for the same spam?

Second, how can two reports of exactly the same spam (from the same copy/paste) result in different website identities?...

Coincidentally a quick nslookup fairly well recapitulates the parser results but is superior in the sense of revealing all the hosts. The crux of the matter is that twwl.dxspell.cn (and dxspell.cn) is "hosted" on some sort of a botnet of disparate (and undoubtedly unknowing) machines. That makes it a little hard to resolve and once it does resolve the parser usually only picks on the first of the rotating roster of addresses.

Looking at the lookups

- first try, time out

- second try, a list

- third try, same addresses in different order.

C:\Documents and Settings\Steve>nslookup dxspell.cn

...

DNS request timed out.

timeout was 2 seconds.

DNS request timed out.

timeout was 2 seconds.

*** Request to UnKnown timed-out

C:\Documents and Settings\Steve>nslookup dxspell.cn

...

Non-authoritative answer:

Name: dxspell.cn

Addresses: 72.175.192.232, 77.45.26.245, 89.33.218.38, 98.197.5.134

189.120.204.85, 190.72.215.105

C:\Documents and Settings\Steve>nslookup dxspell.cn

...

Non-authoritative answer:

Name: dxspell.cn

Addresses: 77.45.26.245, 89.33.218.38, 98.197.5.134, 189.120.204.85

190.72.215.105, 72.175.192.232

So, do you get the hang of it now? I haven't spelled it out very well and can try a bit harder if necessary.

I will next remove the links you posted to that spam site. The spammer paid good money to advertise that thing. And you are furthering his work for free. Do you want a discount or something? :D

Everything you need to know about tracking urls is here - http://forum.spamcop.net/scwik/TrackingURL (just post the link then check it doesn't reveal your address anywhere - remove it if it does). When you look at the whole message from within your account before you've sent reports the munging isn't evident (I think that's the way it goes), it is in place outside of that special context.

Only Don and the deputies can do anything with your report numbers

And I guess I'll move the topic, as David points out ...

First, why would an initial report not show the website host, but then if that report is not sent and "unreported" spam is looked at there is suddenly a website host that was not there before, for the same spam?

Second, how can two reports of exactly the same spam (from the same copy/paste) result in different website identities?

The generic term for the typical configuration for what Farelf attempts to describe is fast-flux. Generally, the spammer hosts DNS records on compromised computers using a very short time-to-live number. The parser may hit one time when there is something actually found at the IP Address found at the time of its DNS look-up; other times it will hit a cached record but the actual payload has already moved.

This also makes it hard for some abuse folks to react because by the time they receive and read the Report, then try to check the situation out, there is nothing found .. again, because the data has been moved/pointed to yet another location.

And yes, I'll note that we have yet to add fast-flux to either the Dictionary, Glossary, or Wiki.

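Farelf's repeated nslookups and Wazoo's fast-flux description come down to one check: resolve the name several times, compare the address sets, and watch how the first address (the only one a naive parser reports) moves between lookups. What follows is an added example, not SpamCop's parser and not code from anyone in this thread. It runs that check offline over observations constructed from the nslookup output quoted above. The TTL values are assumed (the quoted output does not show them), 203.0.113.7 is an invented TEST-NET address used to show the host set changing between lookups, and the thresholds in is_fast_flux are an assumed heuristic rather than anything SpamCop uses.

```python
"""Fast-flux indicators from a series of DNS answers.

Added example, not SpamCop code. The observations below are constructed
from the nslookup output quoted in the thread; TTLs are assumed, and
203.0.113.7 (TEST-NET-3) is invented to show the address set changing.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Optional


@dataclass
class Observation:
    """One A-record lookup. addrs is empty and ttl is None on a timeout."""
    seconds: int                 # seconds since the first lookup
    ttl: Optional[int]           # TTL on the answer, None if it timed out
    addrs: list = field(default_factory=list)

    @property
    def timed_out(self) -> bool:
        return not self.addrs


def first_address(obs: Observation) -> Optional[str]:
    """What a naive client or report parser 'sees': the first address only."""
    return obs.addrs[0] if obs.addrs else None


def rotation_report(observations) -> dict:
    """Summarise how the answers moved across the whole series of lookups."""
    answered = [o for o in observations if not o.timed_out]
    ips, prefixes, firsts = set(), set(), set()
    set_changes = 0
    prev = None
    for o in answered:
        current = set(o.addrs)
        ips |= current
        # /16 diversity is a cheap offline stand-in for "how many networks"
        prefixes |= {ip_network(f"{a}/16", strict=False) for a in current}
        firsts.add(first_address(o))
        if prev is not None and current != prev:
            set_changes += 1          # the roster itself changed, not just its order
        prev = current
    ttls = [o.ttl for o in answered if o.ttl is not None]
    return {
        "lookups": len(observations),
        "timeouts": sum(o.timed_out for o in observations),
        "distinct_ips": len(ips),
        "distinct_prefixes16": len(prefixes),
        "first_address_variants": len(firsts),   # why identical spam reports differ
        "set_changes": set_changes,
        "min_ttl": min(ttls) if ttls else None,
    }


def is_fast_flux(report, max_ttl=300, min_ips=5, min_prefixes=3) -> bool:
    """Assumed heuristic: short TTL plus many addresses spread over networks."""
    if report["min_ttl"] is None or report["distinct_ips"] == 0:
        return False
    return (report["min_ttl"] <= max_ttl
            and report["distinct_ips"] >= min_ips
            and report["distinct_prefixes16"] >= min_prefixes)


# Constructed from the three nslookup attempts quoted in the thread, plus a
# later lookup (invented) in which one host has dropped out and another joined.
FLUX_LOOKUPS = [
    Observation(0, None),                                   # first try timed out
    Observation(5, 300, ["72.175.192.232", "77.45.26.245", "89.33.218.38",
                         "98.197.5.134", "189.120.204.85", "190.72.215.105"]),
    Observation(10, 300, ["77.45.26.245", "89.33.218.38", "98.197.5.134",
                          "189.120.204.85", "190.72.215.105", "72.175.192.232"]),
    Observation(900, 300, ["89.33.218.38", "98.197.5.134", "189.120.204.85",
                           "190.72.215.105", "72.175.192.232", "203.0.113.7"]),
]

# Control case (constructed): an ordinary host with one address and a long TTL.
STABLE_LOOKUPS = [
    Observation(0, 86400, ["198.51.100.10"]),
    Observation(600, 86400, ["198.51.100.10"]),
]

if __name__ == "__main__":
    for name, obs in (("dxspell.cn-style", FLUX_LOOKUPS), ("stable host", STABLE_LOOKUPS)):
        r = rotation_report(obs)
        print(name, r, "-> fast-flux" if is_fast_flux(r) else "-> not flux")
```

The first_address_variants figure is the one that explains the original question: the same pasted spam resolved on three different occasions yields three different "first" addresses, so a parser that reports only the head of the answer list will name a different website host each time, and a timeout leaves it naming none at all. A live version of this would need a resolver library that exposes TTLs; the standard library's getaddrinfo does not return them.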
Here's a link to a mega-topic in the Reporting area about URLs not being reported:

URLs not reported, SC finds, but does not offer to LART!

Thanks

Who is "Spamcop"? Most of the users here are just that....users. We can't do much with the data you posted, which is why posting Tracking URLs is generally the standard procedure for this kind of topic.

I was thinking that if there was a real "problem", that the spamcop administration would be the ones to investigate, rather than the forum members.

The information seen on each Tracking URL has been munged. If you find that there's still too much personal info there and want to remove some of it, you can make some careful modifications to the raw spam source that you paste into the reporting form during the creation of TUs for posting here....just don't complete the reporting process on those submissions, because that would break the rules.

I presume this is what you mean

http://www.spamcop.net/sc?id=z2273571886z3...c672f58ebc5b5fz

However that does not show me the source for the message, only how it was reported as far as I can tell, which is what I posted earlier via a copy paste. In my experience looking at the original source, it always shows at least my spamcop email, which is where it was forwarded from. I don't see how that can be called munged.

I have commented in the past that nearly all of my spam comes to my spamcop address, and the past year or two the rate seems to have at least doubled, even though I haven't been to any naughty websites giving out that address. I sometimes wonder if there could not have been some way that my spamcop address has been visible to some of the 80,000 reports I have made so far (actually, that's 80,000 spam items, with an average of ? reports per spam. I feel guilty already).

So, do you get the hang of it now? I haven't spelled it out very well and can try a bit harder if necessary.

I get the idea, if not the hang, and I won't test your patience, but while this makes sense as a technique I have noticed with considerable regularity that more manual reports than not (I don't analyze the bulk reports much) come up without a report for the hosting website URL, and then if not reported immediately will show a reporting address the second time around. If I understand you correctly that should average out to a 50/50 rate, even though I don't have the hard stats.

I will next remove the links you posted to that spam site. The spammer paid good money to advertize that thing. And you are furthering his work for free. Do you want a discount or something? :D

Honestly, if a jerk is actually reading spamcop hoping to see a new spammer site that they can send money to, I wish they would send their life savings; they would deserve it.

Everything you need to know about tracking urls is here - http://forum.spamcop.net/scwik/TrackingURL (just post the link then check it doesn't reveal your address anywhere - remove it if it does). When you look at the whole message from within your account before you've sent reports the munging isn't evident (I think that's the way it goes), it is in place outside of that special context.

I did that above for this example, but I don't see how that gives you enough information to do anything new, without the full source which I would need to edit before publishing

Only Don and the deputies can do anything with your report numbers

I understand. I had thought they might sometimes read these posts.

On another thought relating to spam, I wonder how many members here use a spamcop email that starts with their screen name. I do, so perhaps that is why I get so much more spam to this address than elsewhere? Some brilliant spammer maybe decided to try that for valid addresses, just to ensure that they would get reported regularly, but then again, those who buy their lists will never know how many addresses are good or get reported anyway..............

Boggles the mind.

I was thinking that if there was a real "problem", that the spamcop administration would be the ones to investigate, rather than the forum members.

On one hand, I am accused of cluttering this thing up too much with all sorts of extra data. Then a post shows up like this. Please scroll back up to the top of this page and tell me how to make the following more visible:

This is a User to User Support Forum

The primary mode of support here is peer-to-peer, meaning users helping other users. (please remember this at all times!)

Another try:

This forum is composed of people who have used spamcop and those who are learning about anti-spam efforts.

Noting that this is only one of the places that this information shows up.

However that does not show me the source for the message, only how it was reported as far as I can tell, which is what I posted earlier via a copy paste.

Typical scenario ... you do not have Show Full/Technical Details selected in your Preferences (or used the checkboxes during a parse from the form at www.spamcop.net)

When set, you'd see a link to View entire message

In my experience looking at the original source, it always shows at least my spamcop email, which is where it was forwarded from. I don't see how that can be called munged.

You are looking at the 'live' parse. After it is submitted or canceled, those addresses are shown as <x> .. try going there now (again, show Full/Technical Details selected in your Reporting Account)

I have commented in the past that nearly all of my spam comes to my spamcop address, and the past year or two the rate seems to have at least doubled, even though I haven't been to any naughty websites giving out that address. I sometimes wonder if there could not have been some way that my spamcop address has been visible to some of the 80,000 reports I have made so far (actually, that's 80,000 spam items, with an average of ? reports per spam. I feel guilty already).

That is entirely a different subject, beat upon by numerous previous Topics/Discussions. Let's not start yet another one. Try the Lounge area.

On one hand, I am accused of cluttering this thing up too much with all sorts of extra data. Then a post shows up like this. Please scroll back up to the top of this page and tell me how to make the following more visible;

OK Boss.

Typical scenario ... you do not have Show Full/Technical Details selected in your Preferences (or used the checkboxes during a parse from the form at www.spamcop.net)

When set, you'd see a link to View entire message

Found that. Did that. Thanks.

You are looking at the 'live' parse. After it is submitted or canceled, those addresses are shown as <x> .. try going there now (again, show Full/Technical Details selected in your Reporting Account)

Will do.

That is entirely a different subject, beat upon by numerous previous Topics/Discussions. Let's not start yet another one. Try the Lounge area.

I suppose you are one of those who will read the entire manual for a coffee maker before plugging it in or buying coffee? Lighten up. B)

...Honestly, if a jerk is actually reading spamcop hoping to see a new spammer site that they can send money to, I wish they would send their life savings; they would deserve it. ...
You might notice the search engines scanning these pages when/if you enter at the index page, down the bottom, in the Board Statistics area (Google, Yahoo and MSN fairly well continually and AskJeeves from time to time and maybe others). Next, you might wonder what they are doing with the stuff they are sweeping into their collective maws. Finally you might try Googling (for instance) your forum name together with a phrase from an earlier post of yours (not this topic yet, earlier, they take a little time to index). Observe! Your every utterance is immortalized on the net. :D Spammers don't have to read 'here' to see what you posted here. Nor does anyone else (their potential customers). It follows that if you 'publicize' a spamsite 'here' you are doing them a considerable service beyond the bounds of these pages.

Sin no more. :)

Sin no more. :)

Point taken. I should have realized that. However I would still be somewhat surprised to find that they profit from that in any real way. They can create the same links themselves via manufactured discussion forums, that would have much more complimentary comments attached.

Do we really care if the idiots of the world actually go searching for websites that sell fake watches and all the rest? All they have to do is respond to a few spam and the world will come to them.

:blink:

Point taken. I should have realized that. However I would still be somewhat surprised to find that they profit from that in any real way. They can create the same links themselves via manufactured discussion forums, that would have much more complimentary comments attached.

Do we really care if the idiots of the world actually go searching for websites that sell fake watches and all the rest? All they have to do is respond to a few spam and the world will come to them.

Well, there may be other factors - SEO scoring, domain name 'real estate' values, etc. - they know their business better than we know their business (the arrogance of believing otherwise is a serious vulnerability if you start to *really* believe it) - why risk helping them in ANY way?
Well, there may be other factors - SEO scoring, domain name 'real estate' values, etc. - they know their business better than we know their business (the arrogance of believing otherwise is a serious vulnerability if you start to *really* believe it) - why risk helping them in ANY way?

I shall take your advice.

...Glossary and Wiki are done (corrections and enhancements gladly welcome). Where is the Dictionary?

Thanks for the quick action. The Dictionary is a bit of a problem. At present, only Dbiel and myself are set-up to log into its editor/admin directly. It is actually a pain to work with, in all honesty. Dennis has said in the past that he was pretty much done working on it, focusing instead on adding to the Wiki. I've been thinking of simply taking it out of the picture entirely, for a lot of the same reasons.

I suppose you are one of those who will read the entire manual for a coffee maker before plugging it in or buying coffee? Lighten up. B)

As a matter of fact, yes I do read the manuals before operating the device. If I still have questions, research will be done first.

In fact, some purchases have not been made due to finding that the manual sucked while still at the store, usually after ticking off some employee that found it to be quite a pain to find the manual for the displayed item in the first place.

Archived

This topic is now archived and is closed to further replies.
