
[Resolved] Why must I verify spam reports only on SpamCop?


Rapakiwi


Posted
So, I assume from your posts that the SCBL only reports illicit web stores (in English): it does not black-, white-, or greylist them (bit of jargon here).
The SCBL does not "report" anything. The SCBL is merely a list, or a database if you prefer. But you do not have to take the posters' word for it, the operators of the SCBL speak for themselves at http://www.spamcop.net/fom-serve/cache/297.html:

The SCBL is a list of IP addresses which have transmitted reported email to SpamCop users, which in turn is used to block and filter unwanted email.
SpamCop USERS, and not the SCBL, report spam links they find in their mail as a sidebar to the more specific function of identifying spam-source ADDRESSES (not websites) and listing them in the SCBL. Up-to-date and accurate info on sources of spam is what internet providers require in order to block or detail spam being delivered to their hosts. Info about spam websites is useless for this purpose.

Identifying and dealing with website links in spam is an order of magnitude more difficult and ambiguous than simply identifying spam sources, but I think you've probably read about this before. Here's another link for your collection: http://forum.spamcop.net/forums/index.php?...amp;#entry65360.

-- rick

Posted
Up-to-date and accurate info on sources of spam is what internet providers require in order to block or detail spam being delivered to their hosts. Info about spam websites is useless for this purpose.
This is not quite accurate. The spam sources (IP addresses) of where spam comes from are very useful to server admins to block or filter spam as it comes into their network. The DNSBLs, including spamcop's, are used to identify spam sources. This is very useful, especially since spammers discovered how to evade filters using botnets. Spam from botnets comes from non-email computers and can be blocked without fear of blocking real email. The DNSBLs are, as rconner said, just a database of IP addresses that have been discovered to send spam. Spamcop discovers this through user reports and spam trap hits. Other DNSBLs have other methods of deciding what is a spam source.

The part of the above quote that is not quite accurate is that knowing spam websites is useless for filtering spam. It is useless as far as blocking spam at the server level, but after accepting email, it still can be filtered by various means. One of those is to filter for spam websites. Spamcop does not offer a filtering list because, IMHO, the policy is that the /source/ is more important to identify than the website. There has been no attempt to keep the parser concurrent with spammer tactics to evade filters that identify websites. As has been said several times, there are different methods and different tools to filter spam. OTOH, there are server admins who do filter after accepting email by the websites within the email. One such server admin told me in the ngs that he estimated 25% of his spam was caught in this manner.

I believe that is one of the reasons that spamcop continues to identify spamvertised websites. Imperfect though it is, the spamcop parser does identify enough websites accurately for others to use them as a filter. There are also those, like rconner, who use the parser as a first step in identifying the owners and creating their own reports.

The OP is particularly interested in identifying criminal websites to protect ignorant or careless web users. Spamcop is not the tool he needs to do that. As I said before, web users are protected by the use of the spamcop blocklist indirectly in that, if used to stop email from sources known to be sending spam, web users never see the spam and so are not tempted to visit spamvertised websites.

Again, there are other methods to identify and report spamvertised websites. There are also other methods to avoid them while surfing such as the McAfee SiteAdvisor. Since others have developed more sophisticated tools, spamcop is not going to try to improve what they have. It is still accurate enough to be of some use to those who have other methods to do whatever it is they want to do about spamvertised websites.

IMHO, there is very little chance that criminal websites will be eliminated online any more than criminal activity has been eliminated offline. Netizens will have to learn to be careful just as they are offline. And, if they don't, they will fall victim to various scams - some more serious than others. However, I do think that spam can be reduced considerably by the use of blocklists - especially if the receiving server blocks them at the server level. Eventually, responsible people wanting to use the internet will only use email services that are responsible and don't allow spam to be sent so that they can be assured that their email will be delivered. And they will be using email services that block spam from irresponsible networks so that they will never see any spam.

Miss Betsy

Posted
The part of the above quote that is not quite accurate is that knowing spam websites is useless for filtering spam. It is useless as far as blocking spam at the server level, but after accepting email, it still can be filtered by various means.
Thanks for the amplification, but I'm going to stick by what I said -- that info about websites in spam is not useful for hosts that wish to reject mail based on source. The reason is that the decision whether to reject is most often made BEFORE the body of the e-mail message is ever seen (i.e., the host would give a permanent reject code in response to one of the commands preceding the DATA command that offers the body). So, the mail host actually has no idea what websites are mentioned in the spam when it decides whether to reject.

I agree that the website info is VERY useful for MDA-based filtering (where the mail has been accepted for delivery, but can be detained in a separate "spam queue"). This is where SURBL, URIBL, SpamAssassin, Bayesian filters, et al. come into play.

-- rick
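The two posts above (Miss Betsy's point that website info helps after the mail is accepted, and rick's point that rejection happens before DATA, when only the client IP is known) describe two stages of one receiving host. The following is an added example, not code from this thread, from SpamCop or from any of the lists named; it models both stages. The zone names `ip.dnsbl.example` and `uri.dnsbl.example`, the `fake_resolve` function and the sample addresses and bodies are constructed stand-ins, and the "last two labels" rule for the registered domain is a simplification of what real URI lists do with the public suffix list.

```python
# Added example, not code from the SpamCop forum thread or from SpamCop itself.
# Shows where in an SMTP session each kind of blocklist can act:
#  - an IP DNSBL is consulted before DATA, when only the client IP is known;
#  - a URI blocklist (SURBL/URIBL style) only after the body has been accepted.
# The zone names and the resolver are constructed stand-ins for this example.
import ipaddress
import re
from typing import Callable, Optional

# A resolver maps a DNS name to its A-record answer, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

IP_ZONE = "ip.dnsbl.example"    # placeholder IP DNSBL zone (not a real list)
URI_ZONE = "uri.dnsbl.example"  # placeholder URI blocklist zone (not a real list)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # raises on malformed input
    return ".".join(reversed(octets)) + "." + zone


def is_listed(name: str, resolve: Resolver) -> bool:
    """DNSBLs answer a listed name with an address in 127.0.0.0/8; NXDOMAIN means not listed."""
    answer = resolve(name)
    return answer is not None and answer.startswith("127.")


def registered_domains(body: str) -> set[str]:
    """Pull http(s) hostnames out of a body and reduce each to its last two labels.

    Real URI lists use the public-suffix list; two labels is a simplification."""
    hosts = re.findall(r"https?://([A-Za-z0-9.-]+)", body, flags=re.IGNORECASE)
    return {".".join(h.lower().rstrip(".").split(".")[-2:]) for h in hosts}


def smtp_decision(client_ip: str, body: str, resolve: Resolver) -> str:
    """Decide what a receiving host does, in the order the information becomes available."""
    # Stage 1: at connect / MAIL FROM / RCPT TO the body has not been offered yet,
    # so the only thing that can be checked is the connecting IP.
    if is_listed(dnsbl_query_name(client_ip, IP_ZONE), resolve):
        return "550 rejected before DATA: source IP listed"
    # Stage 2: only after DATA has been accepted can URLs in the body be examined;
    # the message is already ours, so it is detained rather than refused.
    for domain in sorted(registered_domains(body)):
        if is_listed(domain + "." + URI_ZONE, resolve):
            return f"250 accepted, detained in spam queue: {domain} listed"
    return "250 accepted, delivered"


# Constructed sample data: a listed source (TEST-NET-1 address) and a listed
# spamvertised domain; the fake resolver stands in for a real DNS lookup.
LISTED_NAMES = {
    "10.2.0.192.ip.dnsbl.example": "127.0.0.2",
    "example-pharma.test.uri.dnsbl.example": "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    return LISTED_NAMES.get(name)


SPAM_BODY = "Best prices, visit http://www.shop.example-pharma.test/buy today"
HAM_BODY = "Meeting notes are at https://intranet.example.org/notes"

if __name__ == "__main__":
    print(smtp_decision("192.0.2.10", HAM_BODY, fake_resolve))     # rejected before DATA
    print(smtp_decision("198.51.100.7", SPAM_BODY, fake_resolve))  # accepted, detained
    print(smtp_decision("198.51.100.7", HAM_BODY, fake_resolve))   # accepted, delivered
```

The order of the checks is the point: a listed source is refused with a 5xx code before any body is transferred, which is why source lists are what a host needs at the connection stage, while a listed domain in the body can only ever lead to quarantine of mail that has already been accepted.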

Posted

Exactly!

Miss Betsy

Exactly! Even I can agree with that statement! :-)

This last note is to thank those who attempted to analyze specific spam letters from tiny fragments I posted. I read and always appreciate the links offered me (especially those from Wazoo, which I always read), but my only interest was in knowing why I needed to examine reports to ISPs supporting illicit websites. Clearly that would be the only IP address NOT hidden from me. I just hadn't time to do this. No matter; I've found a happy solution that may help others, even Microsoft users. This letter may offer ideas (and does offer links) for Mac users. My ending post.

Victims

During my absence (a blocking list sending letters was a migraine-aura typo, BTW), I thought of a way of quickly reporting spam to both KnujOn and SpamCop, reporting 'spamvertized' websites. The sites I just couldn't ignore, since the very professional letters selling sex-enhancing drugs and diplomas are purposefully written in an illiterate manner. These appear designed to hook young Americans, who are using their parents' credit cards. Perhaps yours.

'Additional Comments from Recipients'

Rather than type a personal message on each report, as I used to do (and took too much time), I prepared on Mac's 'Tiger' OS a simple text letter with my most common remarks, under headings based upon KnujOn's classification (Phish, Drugs, Counterfeits, Software, &c).

Thunderbird Forwards by Attachment

Now, when I forward spam (by attaching it to an empty file) using the forward toolbar button on Thunderbird, I forward all the day's drug spam to both Drugs <rx[at]coldrain.net> and SpamCop's address given me. Quite soon, SpamCop will ask me to verify my report (which is very good).

Select an Appropriate Paragraph, Drag & Drop

In the corner of my Desktop is my text file. I examine the report, the spam, select an appropriate 'generic' paragraph from my text letter, drag it to the box on SpamCop, and modify the comments specifically for that spam letter. This removes the slowest part of reporting spam to SpamCop, and appears satisfactorily fast. That solved my problem of wanting to quickly report illicit websites as well as spam letters. (spam is not my profession.)

The Haku & KnujOn extensions to add-on

The Add-Ons to Thunderbird that forward my junk folder to various agencies are not for me: forwarding the spam to more specialized addresses and giving it (at SpamCop) my real e-mail address and personal remarks are worth the extra effort, if I could afford the time. Now I believe I can. I do find these useful, though:

Alerts are more Important to me

Growl for Mac's 'Tiger' OS

http://www.versiontracker.com/dyn/moreinfo/macosx/24638

Growl Mail for Apple Mail notifications

http://growl.info/extras.php#GrowlMail

Growl Thunderbird Notifications (now built-in, I think)

https://addons.mozilla.org/en-US/thunderbir...owl&cat=all

Growl used to work well (before Apple crippled my G3 iBook) with ClamXav Sentry and Apple Mail.

One's Speaker has a Use

Mail in my Inbox is scanned automatically for malware, and the 'music video' alert pops up a translucent black screen with sender & subject, so I know whether to stop working. Mail in the Junk folder is announced by voice, and malware is announced by both (with a persistent message window). I either found or recorded spam.aiff, malware.aiff, and error.aiff, which I put in

/Users/Me/Library/Sounds/

So, a simple collection of my favorite paragraphs with audio alerts allows me to now report spam in a timely manner with little effort.

Thank you all very much anyway for all your advice and helpful links.

Rapakiwi

PS. Occasionally I do receive solicited mail with hyperlinks. Never have I opened one without checking whether it is a real link to a friendly domain, or a name or image of that domain that would take me to Baluchistan. (Now on a Mac one can just wave the pointer over it.)

Posted
This letter may offer ideas (and does offer links) for Mac users. My ending post.

Sorry, but here's an addendum to it for Thunderbird users. While adjusting Thunderbird, I asked it to warn me of 'e-mail scams' and 'spam'. Though I received hundreds of spam letters with frightening web links, no warning ever appeared. (Phish I'm no longer sent, after I started reporting it: almost all my spam comes from one organization, in Asia.)

Finally, today, a dire warning of an e-mail scam appeared. It was my monthly book catalog from Dover Publications. I don't know about others, but I consider most of their books outstanding bargains. The message is, at the moment, use more security than that offered by Thunderbird. :-)

Rapakiwi

Posted

Dear US and Canada Capitalist Pigs,

If you'll notice, each XIN NET spam email will contain a simple http graphics file call to display a picture in your email. This simple code allows our Chinese government to grab and log your personal IP on our servers for our planned cyber attack support on your spoiled and selfish country! Think of what a country could do with a complete list of active and sniffed out list of IPs of its enemy. Your internet will be of no use. Your country is too Open. Long live the People's Republic!

Please wake up, spread the word and do everything to stop XIN NET now!

Posted
If you'll notice, each XIN NET spam email will contain a simple http graphics file call to display a picture in your email.

Axxxim, you may notice that I have set up my email app so that if an email source is not on my white list the "simple http graphics file call" will not be made. So you and your sarcastic Chinese government will only know that the email was accepted by the server. You will not know whether it was read, reported to SC or just sent directly to a digital black hole.

Oh I'm sorry, you can't tell can you. Since you are not on my white list you can't see past the mail server. All you know is your spam didn't bounce.

Nicely played though. <_<

Posted
Axxxim,

<SNIP, SNIP>

Nicely played though. <_<

Lking,

China is likely too busy negotiating baby formulas with Taiwan to consider aggression. However, Axxxim's point (I think) is a good one, once raised by Miss Betsy. How do you verify that a letter is spam without opening it? Even after running it through your ISP's filters and your own malware filters, opening it can open many little 1x1-pixel GIF images back in ... 'China': web bugs.

SpamCop's 'filter' (please substitute the correct acronym) I can't speak of. However, the classic web bug, I've noticed, has recently been replaced with innocent-looking little company logos or signatures small enough to preferably be sent as a real image rather than a hyperlink. I should guess it hard to automatically filter these out: they could be colorful buttons, for example.

You know this, so this is written for others. Your method of 'white listing' all but your reliable correspondents is an excellent strategy, advocated by Apple. However, it doesn't solve the problem of what to do with the letter titled 'Deliver Status Notification (Failure)' currently in my Junk Folder. I received a genuine one yesterday. This one I know is spam, likely with web bugs, because it was not sent from an automated mailer or Postmaster, but from me. :-)

In the 90's, I used to just unplug the ethernet cable before reading all mail. This would work when reading suspect mail (and manually removing suspect files). Apple's Junk folder (junk status) prevents opening any images on the sender's site; but I don't know whether others' do.

This subject is in apropos for this thread. Perhaps someone could re-post Axxxim's amusing little post to a new thread, if the administrators feel this subject is one that spam reporters (average folk) should be more aware of. I have no doubt it is discussed in a help file I should have read.

Rapakiwi

Persona non Grata

Posted
<snip>

How do you verify that a letter is spam without opening it? Even after running it through your ISP's filters and your own malware filters, opening it can open many little 1x1-pixel GIF images back in ... 'China': web bugs.

Not true. I use the features of Thunderbird. Unless I have approved an email source, remote GIFs of any size are not loaded and Thunderbird displays this message "To protect your privacy, Thunderbird has blocked remote images in this message." There is a button if you want the images fetched and displayed. There is also an option in red "Click here if you always want to load images from Your_mothers[at]email.com"

<snip>However, it {white listing} doesn't solve the problem of what to do with the letter titled 'Deliver Status Notification (Failure)' currently in my Junk Folder.
Yes it does. A true 'Deliver Status...' contains more than remote images, for example the header of the rejected message. So there most likely is enough information to judge the true status of the 'Deliver Status Notification'. Based on the ones I have been receiving my first clue is that one of my addresses has been forged as the sender.

This is not true for the drug spam that used to be common which only contained a GIF. Of course that was a clue in itself. No one I know sends email which contains only a GIF. So when I open this type of spam with Thunderbird I see nothing, except the message "To protect your privacy, Thunderbird has blocked remote images in this message." That gives me the first clue. If I need more a CTRL-U gives me more than enough info.

IMO there is no need to move Axxxim's post. He joined, double posted his little joke and I bet he is gone. As Farelf noted he has double posted the same message in another forum after joining. I don't think he will be back. So why bother? {edited to add a word}
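Rapakiwi's web-bug concern (1x1 GIFs, and later small logos, fetched from the sender's server when the letter is opened) and Lking's description of Thunderbird refusing remote images for senders not yet approved are two sides of the same mechanism. The following is an added example, not code from this thread, from Thunderbird or from Apple Mail: it finds the `<img>` tags in an HTML message that would cause a network fetch, explains why each looks like a tracker, and applies the approve-the-sender-first policy. The hostnames, the token heuristic (a query value of 16 or more characters) and the sample message are constructed for the example.

```python
# Added example, not code from the forum thread or from Thunderbird / Apple Mail.
# Mimics what a mail client does for an unknown sender: find <img> tags whose
# src would cause a network fetch, explain why each looks like a tracker, and
# refuse to load any remote image unless the sender is allow-listed.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


def _pixels(value: str) -> "int | None":
    """Parse '1', '1px' or ' 120 ' into an int; None if absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class RemoteImageScanner(HTMLParser):
    """Collect every <img> whose src is http(s); cid: and data: images need no fetch."""

    def __init__(self) -> None:
        super().__init__()
        self.images: list[dict] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlparse(src).scheme.lower() not in ("http", "https"):
            return
        self.images.append({
            "src": src,
            "width": _pixels(a.get("width", "")),
            "height": _pixels(a.get("height", "")),
        })


def tracker_reasons(img: dict) -> list[str]:
    """Heuristics that explain *why* an image looks like a web bug. The block
    decision below does not depend on them: a tracker can be a logo-sized image."""
    reasons = []
    w, h = img["width"], img["height"]
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("1x1 pixel")
    query = parse_qs(urlparse(img["src"]).query)
    # Constructed heuristic: a long opaque query value usually identifies the recipient.
    if any(len(v) >= 16 for vals in query.values() for v in vals):
        reasons.append("long per-recipient token in URL")
    return reasons


def scan_html(html: str) -> list[dict]:
    """Return every remote image in the message with its tracker traits attached."""
    scanner = RemoteImageScanner()
    scanner.feed(html)
    for img in scanner.images:
        img["reasons"] = tracker_reasons(img)
    return scanner.images


def load_remote_images(sender: str, html: str, allowlist: set[str]) -> bool:
    """Approve-the-sender-first policy: only an allow-listed sender gets remote
    images fetched; everyone else sees placeholders, so the sender learns nothing."""
    if not scan_html(html):
        return True   # nothing remote to fetch, rendering is harmless
    return sender.lower() in allowlist


# Constructed sample message: an open-tracking pixel, a small logo hosted
# remotely (the case the thread says has replaced the classic 1x1 bug), and an
# inline attachment referenced by Content-ID, which needs no network access.
SAMPLE_HTML = """
<html><body>
<p>Hello,</p>
<img src="http://track.example/open.gif?u=a1b2c3d4e5f6a7b8c9d0" width="1" height="1">
<img src="https://cdn.example/logo.png" width="120" height="40" alt="logo">
<img src="cid:part1.signature@example" width="200" height="60">
</body></html>
"""

if __name__ == "__main__":
    for img in scan_html(SAMPLE_HTML):
        print(img["src"], "->", ", ".join(img["reasons"]) or "no obvious tracker trait")
    friends = {"friend@example.org"}
    print("load for unknown sender:", load_remote_images("stranger@example.net", SAMPLE_HTML, friends))
    print("load for friend:", load_remote_images("friend@example.org", SAMPLE_HTML, friends))
```

Note that the logo-sized image gets no tracker reason at all, which is exactly why the client's decision is keyed on the sender's approval status rather than on how suspicious an image looks: blocking every remote fetch for unapproved senders is what makes the classic 1x1 bug and its logo-shaped replacement equally harmless.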

Posted

Not true. I use the features of Thunderbird. <SNIP, SNIP>

Yes, you are right. My apology. I had forgotten that this thread was on Thunderbird.

In earlier discussions, I found that many people (using many mailing agents on many operating systems) report their spam without opening it (Miss Betsy being one), likely in wise fear of web bugs and malware; and others (including me) were unaware of the safety features (if any) that various mailing agents imposed upon their 'Junk folders'. There are dozens of mailing agents.

Most people used subject lines to easily recognize spam, and 'Delivery Status Notification' (sorry about the typo) was just an example of a subject line designed to fool the non-paranoid person into quickly opening it. (You recognized this one as spam by opening the letter yourself and finding a hyperlink inside.) Normal people shouldn't have to open mail unsafely or read full headers and check the IP addresses using, for example,

http://www.domaintools.com/

Apple's approach opens these safely in the junk folder (as do many others, I'm sure), but what should the normal person do; especially if such deceptive spam appears in their inbox? (Using a PC should be like driving a car.)

IMO there is no need to move Axxxim's post. He joined, double posted his little joke and I bet he is gone. As Farelf noted he has double posted the same message in another forum after joining. I don't think he will be back. So why bother? {edited to add a word}

Yes, you are correct: this is the help section. I didn't mean to address this subject to help Axxxim, who has no need of help.

My posts everywhere are addressed to normal people (hence my language), just to help 'clean the sidewalk I walk on'. Individual help I offer by e-mail; but posts are for everyone. Axxxim did raise an important point the normal person should be aware of, and the normal spam reporter needs to solve. (Yes, you have already, I know.) The 'you' that follows refers to a normal person.

Apple's solution is to treat all new mail as suspicious, and open it in the Junk folder. Apple Mail's Junk folder is a 'sandbox', in which one can open any letter safely. Only if the letter is from someone in your Address Book, a previous recipient, or mail you manually marked 'Not Junk', will the new letter appear in your Inbox rather than the Junk folder. After a while, the normal user finds all Junk becomes spam.

Problems occur when you have sent carbons to your own address, and spam sent from 'your account name' appears in your Inbox with an innocuous subject line, such as 'Re: Yesterday'. Habit may cause many (such as me) to open it (which is why I have it automatically checked for at least malware first, using a method which will not protect one from malware installed by a computer to which I was automatically redirected when the letter was opened). (When this happens, I pull the ethernet and run two malware checkers, whose databases were updated when the machine booted in the morning.)

Rapakiwi

Posted

Since most end users are technically non-fluent, many email applications now do not display images by default for senders not on the contact list. For most end users JDH (Just Hit Delete) is how they deal with spam and they rely on their providers to filter the spam to the junk folder.

Since I have become interested in spam and how it is dealt with, if I think I need to open an email that might not be spam, but that I don't recognize, I use the message source (I used Outlook Express and now Windows Live for my email application). I learned how to do that from people in the spamcop community of users.

Interestingly, I used to receive the Dover Books newsletter at a hotmail account and no longer do so. Dover must have had some problems with their mailing list or how they sent it to be tagged suddenly as spam. Perhaps, as spam filters get more aggressive, some methods that used to work no longer do. Although companies tell you to add their newsletter addresses to your contact list, I usually don't want to bother, so many newsletters that I used to receive I no longer do. As I rarely read them until I want to order again, it is no loss. Many people don't even use their email very much any more because they don't want to take the time to adjust filters, add contacts, etc. to make their inboxes useful.

Miss Betsy

Archived

This topic is now archived and is closed to further replies.
