SpamCop Parsing and Reporting Service

SpamCop Mail Service

SpamCop Blocking List information

General information about SpamCop

Help for abuse-desks and administrators

What other sites should I visit to help fight spam?

Credits and thanks

How does SpamCop reporting work?

To get started:
How do I sign up?
Rules - everybody read!
How do I get started reporting spam?
How do I submit spam via email?
How do I get my email program to reveal the full, unmodified email?
Parsing and reporting spam with SpamCop - decisions, problems
How do I configure Mailhosts for SpamCop?
What is "mole" reporting?

Additional configuration questions:
Member and account management questions
How do I set up SpamAssassin to work with SpamCop?

Can I automatically forward spam from my spamtraps?

There are three main parts to SpamCop; the Reporting Service, Mail Service, and Blocking List. All three operate independently of each other, but they also rely on each other to operate effectively. The reporting service allows you to file complaints with appropriate administrators about spam. These reports generate statistics that are fed to the Blocking Service, automatically keeping it up to date. The Blocking Service in turn helps the Mail Service filter spam from reaching subscriber inboxes.

Most of this document deals with spam reporting, however the filtering is a necessary part of a spam-free existence, since some companies don't take abuse complaints as seriously as they should. Don't be discouraged though. Reporting alone has been reported to reduce spam by quite a bit.

To get an introduction to filtering, check out the Subscribe Now section for details and examples of how it works.

SpamCop will parse the headers of unwanted email and (if all goes well) phrase a complaint to the system administrator responsible for the spammer's internet access. This complaint will be addressed from a blind SpamCop.net email address, however any responses to that address will be routed to the email address you have provided with your SpamCop account. You may be presented with more than one address to send your complaint to and can select whether to send to each individual address or not.

Network administrators don't usually know that spammers are abusing their networks, nor should they be expected to. However, most administrators are interested to learn of abuse, and they will often take action against the people responsible. This is usually no more severe punishment than yanking the user's account. Some ISPs (Internet service providers) take punishment farther - actually billing the spammers and kicking them off.

Unfortunately, it is usually too difficult to figure out who was responsible for any one email, particularly with the advanced techniques that savvy spammers use. However, the key to this puzzle is the combination of the IP address of the sender and the time and date at which the mail was sent. These two pieces of information can lead an administrator back to the user who actually sent the mail. Both pieces of information are in your email header.

SpamCop uses a combination of network queries (dns, whois) to cross-check all the information in an email header and find the email address of the administrator on the network where the email originated. It then formulates a polite request for discipline, including all the information the admin needs to track down the user responsible.

When logging in, remember your username is your complete email address. Passwords are cAse sENsiTive and may contain lookalike digits such as, "one" and "ell" or "Oh" and "zero." Our system will allow you to paste in your password if your browser will. After you log in, you can use the "Preferences" link at the left side of the page to change your password.

• No advertising or delay (nag) screens;
• Access to the database to check reports you have sent in the past 30 days;
• The option to appeal a website/URL issue in parsed spam that you find has been incorrectly reported as 'closed' or an 'innocent bystander';

Cost for an upgraded account is as little as $2.00 for one megabyte of reporting fuel. If you purchase more than two megabytes, the cost is $1.00 per megabyte (i.e. $25.00 for 25MB). These purchases are known as "fuel".

Fuel is consumed each time you parse spam through your premium SpamCop account. Each byte in the spam will consume one byte of fuel. While the paid reporting only system is still relatively new, early estimates are that 15 MB of fuel will last most users two years.

To upgrade to a premium SpamCop account, you must first sign up for and verify a free account. Then, from your SpamCop access page, simply click on the "Preferences" link and "Add Fuel" to your account.

As long as there is fuel in your account you will not be nagged by ads or the delay screens. If you run out of fuel, your account will automatically revert to a free user account.

On what type of email should I (not) use SpamCop?

Material changes to spam

What if I break the rule(s)?

Do not use SpamCop to report anything except spam. This includes any and all responses to your SpamCop reports which are not blatant spam.

We define spam as Unsolicited Bulk Email (UBE). To be considered spam, a message must be:

1. Unsolicited (I didn't request it explicitly or implicitly); and,
2. Bulk (the same message was sent to many people at once).

Some examples of messages which should not be reported as spam:

1. Email flaming you from someone you are in an argument with.
2. Email from people who you want to "get into trouble".
3. Email that is obviously sent innocently to an incorrect address. This might include sales receipts, booking confirmations, etc.
4. "Office email" with stupid jokes/anecdotes/attachments.
5. Forwarded/CCed email from "friends and family" regarding signing petitions.

Spam sent to mailing lists
No matter how hard list managers try, spammers find a way to inject spam to the list (sometimes even going so far as to subscribe to the list first). This results in all list members receiving the spam.

List servers often show themselves as the source of the mail sent to it, not the originating user's IP address. Spam sent to mail lists/groups must not be reported using SpamCop except by the list owner. Subscribers may send a note to the list owner who can block the source from sending to the list or take responsibility for reporting the spam themselves.

Spam within other messages

If you receive a message (perhaps a bounce) which contains spam, you should not report the spam contained within the message, even if it includes what appear to be the full original headers. This is someone else's spam, not yours. It is expected that you can verify that the headers of reported mail are accurate, something you can't do for mail received on a network you are not familiar with.

Messages which may be reported:

There are several types of responses to forged email that SpamCop has in the past prohibited. However, these messages have become a big enough problem that we now allow them to be reported as the spam that they technically are.

Examples of messages in this category:

1. Misdirected bounces
2. Misdirected virus notifications
3. Misdirected vacation emails
4. Misdirected challenges from challenge/response spam filtering systems

Of course, this is contingent on the message actually being misdirected. You should never report a bounce or a challenge email which was caused by a message you did send. Many people dislike some of these auto-responses, but if you triggered them by sending a message, they are considered implicitly solicited emails and thus not spam. You don't have to email the same recipient in the future if you don't wish to receive the resulting response.

We have a FAQ aimed at the sources of these messages:
Why are auto-responders (and delayed bounces) bad?

Viruses

Viruses are another form of spam and may be reported to SpamCop as such. Viruses may also be used to trigger Ironport's Virus Outbreak Filters^tm.

SpamCop does what it does and doesn't do for a reason. Do not make any material changes to spam before submitting or parsing which may cause SpamCop to find a link, address or URL it normally would not, by design, find.

SpamCop does not generate reports for From: or Reply To: addresses. Do not add these within the body of the spam to cause a report for these to be generated.

SpamCop does not decode javascript because it does not have its own javascript interpreter. Unless you can properly decode the javascript, even what you see may not be correct. Do not make any changes to the spam to cause SpamCop to report addresses, links or URLs that are contained within the javascript, decoded or not.

It is okay to munge your personal email address contained within links in the body of the spam, if SpamCop does not find and munge them, with one exception. If a report is going to an abuse desk that does not accept munged reports, you must not make even these minor changes to the spam.

Base64 Encoded Spam - Many spammers are sending messages with Base64 encoded bodies. While SpamCop normally decodes and parses Base64 fine, it is possible for spammers to hide your address or other identifiable information within the encoded body.

For this reason, SpamCop has made an exception to the normal alteration rule for those who know what they are doing:

1. Use a Base64 decoding tool like http://www.opinionatedgeek.com/dotnet/tools/Base64Decode/
2. Remove the encoded Base64 body and replace it with the decoded text
3. A disclaimer must be added to the top of the spam body. (Remember to leave a blank line between the last header line and your disclaimer):

"I have decoded the original Base64 spam body and munged personal details that were in that body. The original body has been replaced with this decoded text. I understand that you may consider this to be altered and not acceptable as evidence"

Paying Reporting Service Members:
Members who break a rule will be fined $2.00 worth of fuel, your account could be suspended or you could be banned from future use of the service. If you do not have sufficient fuel left your account will be terminated.

(Flat rate) Mail Service Subscribers:
If you are a subscriber to the flat rate mail system and break one of the reporting side rules, your access to the (free) reporting service will be immediately revoked. Your mail service (with CESMail) will continue but you will not be able to use the reporting side of the system.

First of all, SpamCop users should know what is and is not appropriate to report as spam to SpamCop.

• Spam is unsolicited bulk email. Not all bulk email is spam. Not all commercial email is spam. Email must be unsolicited and bulk in order to be spam. Unsolicited email is email the recipient did not (explicitly or implicitly) agree to receive. If the recipient agreed to receive it, then it is not spam.
• Bulk email can be split into two categories: Opt-in and Opt-out. Opt-in is email that an individual requested or agreed to receive. Many legitimate mailers use opt-in methods for marketing. Individuals are responsible for reading and understanding a company's privacy policies and acceptable use policies (if applicable) before submitting an email address. If a privacy or acceptable use policy clearly states that signing up for the service results in receiving marketing or commercial email, then the individual has "opted-in" to receive email and that email is not spam. Individuals also implicitly opt-in for email regarding a purchase or transaction; for example, when buying an airline ticket via the web, the purchaser receives an emailed purchase confirmation, which is not spam. With opt-out email, the sender adds an email address to a mailing list without prior consent, then asks the recipient to request removal (or "opt-out") if he does not want to continue to receive email. Opt-out email is unsolicited and is by definition spam.
• Spam is bulk email. If someone writes to an individual personally, one-on-one, to ask a question or inquire about a post made to a newsgroup or website, then that is not spam, even if it contains commercial or marketing content. However, email containing the recipient's name is not always legitimate. For example, if someone writes a personalized message, but fails to address any subject which is specific or relevant to the recipient ("Kelly, get the lowest prices on prescription drugs!" is an example), it is safe to assume the message is spam.

There are some categories of email that do not fit clearly into the opt-in or opt-out category.

Viruses

The spread of viruses through email is reaching epidemic proportions. The owner of the infected machine sending virus-generated emails rarely knows about or consents to sending these emails. The virus itself generates and sends email to addresses obtained from various sources, often the victim's address book.

A recipient should use the contact address to forward the email, along with a polite explanation of the message's problems to the originating ISP. In the accompanying email, the recipient should explain the ISP's customer is using a computer that appears to be infected with a virus and request the ISP assist their customer. If the recipient happens to be personally acquainted with the sender, direct personal contact such as a phone call to politely let them know that their computer appears to be infected with a virus may speed the clean-up process and prevent further spread of the virus.

"Legitimate" bulk email

Many reputable companies use opt-in email for marketing purposes. When receiving email purporting to be from a company normally considered reputable, the recipient should consider carefully the possibility that he or she did agree to receive it sometime in the past.

If after reviewing the sender's privacy and acceptable use policies, the recipient is certain he did not agree to receive the email in question, then it may be someone attempting to appear as the company in question, without the company's consent. If a recipient is certain he did not request the email, then the recipient may report it as spam using the SpamCop reporting tool.

To better identify legitimate email, some email users provide unique tagged addresses or disposable email addresses to vendors or companies on the Internet. For example, Joe has the domain example.com. When conducting business with Spaceley Sprockets, Joe provides the specific email address spaceleysprockets_mar2004@example.com. As a result, if Joe receives email to spaceleysprockets_mar2004@example.com, Joe is confident he gave Spaceley that email address and it is legitimate commercial email. SpamCop accounts offer wildcard addresses (i.e. account_name+spaceleysprockets@spamcop.net, account_name+travelagency@spamcop.net, account_name+onlineretailer@spamcop.net) which are all delivered to account_name@spamcop.net. There are also disposable email addresses available from online services, some of which are free for limited use.

Hoaxes and form letters

Often, individuals receive email warning them of a new virus, a pending law, or some other threat. A chain letter may offer individuals amazing rewards for forwarding the letter. Emails such as these can and do circulate for years. Recipients should view skeptically any email which asks the recipient to send copies to more individuals. In addition, it is recommended the recipient research the issue or threat using online resources such as Google or snopes.com before forwarding the mail. This kind of email is a nuisance, but is not spam, and should not be reported via the SpamCop service.

If a recipient knows the sender of a hoax or form letter, the recipient should consider personal contact with the sender prior to reporting the email as spam. Reporting email as spam results in real consequences for many email users. The sender's ISP may fine the sender or terminate his account due to a single spam report. A company may discipline or fire one of its employees for sending email that generates complaints. Forwarding a form letter, joke, or chain letter rarely, if ever, justifies such severe consequences. Rather than reporting the mail as spam, the recipient should send a personal reply to the sender, explain that it is not appropriate to send such email, and ask them to not send it in the future.

Confirmation requests

Confirmed opt-in mailing lists (sometimes called double opt-in) mailing lists are considered best practice. Confirmed mailing lists require the would-be subscriber to provide a positive response to an initial email. For example, the recipient must respond to an email or click on a link in an email. Occasionally, confirmation requests are misdirected, usually due to innocent typing errors. If one receives a single misdirected confirmation message, do not report it as spam. Sometimes spammers attempt to disguise spam as confirmation messages. The recipient must use good judgment in this instance. Confirmation messages should not include any explicit marketing information.

Confirmation messages should include information about how they were generated. For example, they might reference a specific website URL. Ideally, they will also provide specific information about the numeric Internet (IP) address responsible for creating the confirmation. However, not all confirmation messages include this sort of detail, so again, use good judgment in determining if this is spam.

Challenge/Response systems

A challenge/response system attempts to protect its users from receiving spam by sending a "challenge" in response to email from an unfamiliar address. The original sender must click on a link, visit a website, or solve a puzzle, for example. This proves the sender is a human and that the mail the sender wishes to send is not spam. If one sends email to a challenge/response user and receives a challenge, the challenge is not spam. Recipients should not report it using SpamCop. However, forged from: and reply to: fields are often found in emails which propagate a virus or are sent as a result of a virus, as well as in spam. If one receives a challenge as a result of mail one did not send (i.e., the email address was forged into a from: or reply to: field) then the recipient may report that challenge as spam.

Unsubscribing

On January 1, 2004, the CAN-SPAM Act became law in the US. (CAN-SPAM is an acronym for Controlling the Assault of Non-Solicited Pornography And Marketing). CAN-SPAM requires all unsolicited commercial email contain a label of unsolicited commercial email (although it doesn't require a particular method or label), a working unsubscribe mechanism and a physical address for the sender. It also prohibits the use of forged or falsified headers and misleading or deceptive subject lines. Many legitimate senders are complying with some or all of the provisions of the CAN-SPAM act, but so are many spammers. CAN-SPAM compliance is not necessarily a reliable way to distinguish solicited from unsolicited email. Be aware that CAN-SPAM requires that an individual be removed from a list upon request.

Unsubscribing from Existing Relationships

If one signed up for a newsletter or product updates, or otherwise agreed to receive email from a reputable company, one should use the unsubscribe method or other removal process provided in the email before deciding the email is spam. It is very difficult for a legitimate sender to remove an address from their mailing list based on a SpamCop report. Usually, it is faster and more reliable to use the sender's noted unsubscribe procedure.

After trying without success to unsubscribe when a company normally removes subscribers, then one may file a spam report. In these cases, SpamCop recommends including a note in the comments section of the spam report describing the removal attempts. A SpamCop member may add comments to any report he or she submits via SpamCop. This lends credence to the report and provides the sender information to help solve the general problem with the unsubscribe system.

Subscribers should be aware that it is sometimes difficult for large emailers to remove an address from a mailing list instantly. It may take hours or days to stop receiving email following an unsubscribe request, depending on how an email system works. Many sites state how long it takes to stop receiving mail after an unsubscribe request. An unsubscriber often receives an email confirming the unsubscribe request. This confirmation email is not spam, and should not be reported using the SpamCop service. If one continues to receive email from that sender after the appropriate period of time has passed, then one may report the spam using the SpamCop service. The CAN-SPAM Act requires that a mailer process an unsubscribe request within 10 business days.

Some services require a user to receive email from them in order to use their services. Examples of these services include free services such webmail accounts and website hosts, as well as downloaded software. A valid email address is the cost of using the service and the resulting email is not spam. These companies supplied the user with a product or service in exchange for the user's attention; not all payment is monetary. Do not use the SpamCop reporting service to complain about such email. These services should provide their users a method to unsubscribe (which may prevent access to the original product or service). If these unsubscribe methods fail, the user may submit a report to SpamCop. Again, SpamCop recommends including information in the notes section regarding the methods tried to unsubscribe.

Unsubscribing from Unknown Companies

A recipient should be cautious if he receives email from an unknown organization or a known organization without any prior communication, as following the removal instructions in the spam may result in more spam. By using the removal instructions, the recipient verifies that he received the spam and read it. That makes the email address more valuable to the spammer, and the recipient may get more spam. Normally, SpamCop recommends that one never reply to spam email or trust any of the information in the spam unless one really trusts the company and included information. SpamCop recommends erring on the side of caution.

As mentioned earlier, spammers frequently forge From: and Reply To: email addresses. As a result, if one receives a spam from a common email address just as john@aol.com, one should not reply to john@aol.com nor report the spam to AOL's abuse department (abuse@aol.com). As spammers easily forge this information, do not trust the information seen in the headers of the email received. In addition, replies to forged email often result in harassment of an innocent person.

Reporting Spam

Revealing Full Headers

Once a recipient determines that an email really is spam, the recipient needs to reveal the full email headers to report it accurately to SpamCop. Without full headers, SpamCop will report an error. Getting full headers from an email software is often a hurdle to reporting spam. Most email software is not clear about how to get full headers. However, practically all email software provides a way to get full headers. Consult the email software's FAQ to learn how to get the headers from the software.

Changing Your Spam

Before submitting or parsing spam, SpamCop members should not make any material changes to the spam which might cause SpamCop to find a link, address, or URL it normally would not find.

SpamCop does not generate reports for From: or Reply To: addresses, because these are often forged and not reliable. SpamCop members should not add these within the body of the spam to cause a report for these to be generated.

SpamCop does not decode javascript because it does not have its own javascript interpreter. Unless one can properly decode the javascript, what one sees may not be correct. SpamCop members should not make any changes to the spam to cause SpamCop to report addresses, links, or URLs that are contained within the javascript, whether they are decoded or not.

If SpamCop does not find and hide a personal email address contained within the body of a spam, it is okay to munge (e.g., hide) such an address. There is one exception: if a report is going to an abuse desk that does not accept munged reports, a SpamCop member should not make even these minor changes to the spam.

Many spammers are sending messages with Base64 encoded bodies. While SpamCop normally decodes and parses Base64, it is possible for spammers to hide an address or other identifiable information within the encoded body.

Misreporting Spam.

Calling something spam when it is not spam is harmful. Erroneous reports cause abuse desks to take SpamCop reports less seriously; they also lead to the unjust and unfair suspension or termination of the reported account. SpamCop's maintainers and deputies must handle erroneously filed reports, which is not an effective use of SpamCop staff resources. Additionally, spam reports feed the SpamCop Blocking List (SCBL). Erroneous reports make the SCBL less accurate and potentially cause thousands of sites to mistakenly block wanted, solicited email. For these reasons, there are penalties for violating the rules that have been set forth here and in the Acceptable Use Policy.

Free Reporting Service Users:
SpamCop will ban users of the free reporting service who violate these rules.

Paying Reporting Service Members:
SpamCop may fine, suspend or terminate the accounts of paid members who violate these rules.

(Flat rate) Mail Service Subscribers:
SpamCop will revoke access to the (free) reporting service for subscribers to the flat rate mail system who break reporting rules. Subscribers may continue to use the mail service (with CESMail) but are not be able to use the reporting system.

Users should consult the FAQ or the forum if they have any question about SpamCop policy. If in doubt, users should ask before acting. We do not want to take discliplinary action against our users.

To use the "Email submission system" you now have to register for a SpamCop account.

Once you have confirmed your registration, log into SpamCop. Right below the "Welcome" message you will notice a coded email address.

This is your personal email address that you can forward spam to. Spam you forward to this address will have a reply (containing the parsing link) to the address you used to register with SpamCop.

Forward as an attachment your spam to the personal reporting address shown on your front page. You will get back a reply with already-authorized URLs for reporting the spam at the address you used to register for SpamCop with.

MIME format is best, although normal text/plain format will work fine too. Avoid uuencoding.

Your email address will be replaced with a blind SpamCop address in outgoing reports, however any communication back from administrators you file those reports with will be forwarded to the address you used to register with SpamCop.

You should receive an email to your registered email address whenever you submit spam via email. If there are problems, the return email should include errors detailing the problem. Otherwise, you should get a message including links to the reporting system.

You may attach multiple spams to a single submission. You should not exceed 20 spams attached to a submission. The maximum size for the overall submission must not exceed 50 KB.

Helper Scripts

Scripts are available at these links to help Unix users send spam to the SpamCop email processor:

Perl script

Gloomytrousers Perl script

An Apple-Script for Eudora for Mac

Microsoft products

Mac OS X

Netscape, Mozilla and Thunderbird

Eudora

AOL

Pine

Lotus Notes (v.4.x and v.5.x)

Lotus Notes (v.6.x)

Pegasus Mail

WebTV

Claris Emailer

kmail (KDE Desktop)

GNU/Emacs integrated email

Mail Warrior

Juno Version 4+

Mutt

The Bat!

Pronto mail (GTK/unix)

StarOffice

Novell Groupwise

Blitzmail

Forté Agent

Ximian Evolution

Sylpheed

Web-based email software:
Hotmail and Windows Live Hotmail
Yahoo Mail
Excite web-mail
Netscape Webmail
Blitzmail
Operamail
Lycos Mail (mailcity.com)
Onebox.com
Outlook Web Access
Shawcable Webmail
MSN Premium
GMail

Because of Microsofts proprietory method of handling messages, not all versions of their software work with both the web form and/or email submission system.

The instructions for each of the versions below include separate instructions for using the web form and email submission system.

Email Submission Method

The email submission system should work with all Windows versions of Microsoft Outlook Express (4, 5 and 6). You must use Forward-as-attachment. You can forward multiple spam at once be creating a new message to your email submission address. Then, drag each indivdual spam into the body of the new message.

Please try this method first - is is much easier and faster.

Web Form Submission

Start by opening the message in it's own window (or when viewing the message in the preview pane). Then:

With the keyboard:

1. CTRL-F3 (Message Source Window)
2. CTRL-A (select all)
3. CTRL-C (copy)
4. ALT-F4 (close)

With the mouse:

1. Click the "File" menu
2. Click "Properties"
3. Click the "Details" tab
4. Click "Message Source"
5. Highlight, copy and paste everything from this window (Ctrl-A, Ctrl-C)

With viruses, worms and trojans being spread via email, many users now work with the preview screen in Outlook Express turned off. Viewing the contents of email in the preview screen is no different than opening the message. If the email has malicious content, it may execute in the preview screen.

The following is instructions to obtain the full message source if you have the preview panel turned off:

Using the keyboard:

1. Highlight the message in the folder
2. Press alt & enter - this will open a message information window
3. Press Ctrl & Tab - this changes to the "Details" tab
4. Press Alt & m - the opens the message source
5. Press Ctrl & a - to select all the text
6. Press Ctrl & c - to copy the selected text to the clipboard
7. Press Alt & F4 - to close the message source window
8. Press the Esc keay - to close the information window
9. Switch to the SpamCop reporting page
10. With the curser in the parsing box, press Ctrl & v to paste the clipboard contents into the window
11. Click the Process Spam button.
    

Outlook does not properly forward mail with the headers and message body intact. It is not possible to use SpamCop's email submission system with Outlook unless you use one of the below add-on programs or similar macro.

As a result of a fairly lengthy and intense investigation of Outlook 2003 and 2007: Outlook does *not* include full and accurate headers when you forward spams as attachments. It reorders the Received headers, which makes them untrustworthy, as well as deleting/not forwarding other headers including X-headers, which is of less importance but which may loose some valuable information needed by ISPs/hosting companies.

The result of the 'scrambled" or reordered Received headers means that SpamCop does not reliably know where the injection point of the spam is.

Outlook is reordering the headers, not SpamCop.

Thusly, if you are running Outlook you *may not* forward your spams as an attachment for processing. You can copy/paste or look into running mailwasher or some other 3rd party add-in/add-on but you must stop forwarding as an attachment.

Outlook (97, 2000, XP, 2003 and 2007

Email submission system

It is not possible to use the email submission system with Outlook. The add-on programs mentioned above will not work with Outlook. You must use the web form to submit spam if you use Outlook as your email client.

Web Form Submission

Microsoft Outlook 97 may require an update called the Internet Mail Enhancement Patch in order to display the email headers AT ALL.

Outlook 2000, XP, 2003 and 2007

Web Form Submission

Outlook does not display the Internet headers and message body together for submission using the standard web form. To submit spam from Outlook you must use the special Outlook/Eudora workaround form, which is accessible from the initial log-in page. Users of Outlook may now paste spam headers and body into a special two-part form, and SpamCop will do its best to patch them together. It should be noted that even with this, or any other work-around discovered to date, Outlook users simply cannot get the full email source. All Outlook add-ons or work-arounds are only partial solutions, they do not actually get the full email source. Users are encouraged to complain about this deficiency to Microsoft.

How to use the website submission form...

1. Make sure your account is set to use the two-part "workaround form".
2. Open the message in a separate window (double click)
3. Under the View menu select Options
4. Copy the text in the Internet Headers window (unfortunately it doesn't include the message itself).
5. Paste into the Headers box on the SpamCop page.
6. Close the options window
7. If the spam header shows "text/html":
   1. Right click on the body of the spam, and choose 'View Source'.
   2. This automatically opens the HTML code up in Notepad.
8. Copy the entire message body.
9. Paste into email body box on the SpamCop page.

A registry hack is available to make Outlook 2003 display the full email source code, including HTML, MIME and Base64 encoding in the pop-up window that formerly only displayed the header information. This means it is possible to get the full header and body source code in one step for pasting in the webform box. This does not fix the problem of not being able to use the email submission system with a stock Outlook installation.

Follow the instructions on the Outlook Tips page for adding a registry key and value. Note that is "All", not "AII" in the parameter.

Once done, when you right-click on the message in the message list and choose "Options", the box with the "Internet Headers:" now contains the headers and full message source of the email body, which you can paste into the single-part form on the SpamCop reporting page.

Email Submission System

Four add-on products have been created by SpamCop users to help streamline this process. SpamCop does not endorse or even test these programs. Links are provided for the convenience of our users. Questions and support must be directed to the provider of the program.

• SpamSource for Outlook 2000/XP by Chris Price
• SpamGrabber - The ultimate Outlook spam reporting tool (formerly olspamcop) by Leon Mayne (updated Sept. 7, 2010 with all new version, now open-source)
• SpamControl Outlook Tool by Hendrickson Software Components (updated 9/22/2003 for latest SpamCop changes)

1. Click the "File" menu
2. Click "Properties"
3. Click the "Details" tab
4. Click "Message Source"
5. Highlight, copy and paste everything from the "Message Source" window (Ctrl-A, Ctrl-C)

• After clicking on the message, select "Source" from the View menu
• A new window will open showing the full message source with complete headers.
• Copy and paste into the webform

To get the full message source:

1. Select a spam message
2. Select menu item View, Show, Raw Source
   (or you can use option-apple-U as a keyboard shortcut).
3. Click on the resulting text
4. Click Edit, Select All, then Edit, Copy
5. Paste into spamcop's reporting form

Preferred method: Click on the "View" menu, then "Page Source," (ctrl-U in windows, meta-U in unix, ?-U on the Mac) then copy the contents of the window (Ctrl-A, Ctrl-C windows).

Old versions: Click on the "View" menu, then "Headers," then "All." Note: This method will not work correctly with HTML spam.

Netscape communicator also makes it very easy to report multiple messages using the email interface:

1. Create a new message to your personal SpamCop reporting address.
2. Drag each spam to the attachments window at the top of the message window.
3. Send the mail.
4. Wait for the reply from spamcop and use the links in that message to proceed with the reporting process.

Update (July 1, 2006):

It has come to our attention that a patch is now available for Eudora which allows the forwarding of received spam as an attachment. Forward as Attachment Plugin .

The Eudora plugin is provided by a third party. SpamCop has not tested the plugin nor warrant its effectiveness or security.

Cut and Paste method

To display the full message source for cut and paste:

Eudora for the Mac:

1. Open the spam and click the BLAH BLAH BLAH button on the upper left hand corner of the message. This shows the extended headers.
2. Select the whole message including headers and paste into SpamCop.

Eudora for the PC - there are 2 slightly different methods depending on whether the mail contains HTML or not.

In any case, to prepare for HTML email, you should turn off the use of Microsoft's HTML viewer. To do so, click Tools, then Options, then Viewing Mail. Uncheck the box labeled "Use Microsoft's viewer."

How to know if it's HTML mail: once you have opened the email, look near the bottom of the headers (see below for revealing headers) for a line like the following: Content-Type: text/html ... you can frequently spot HTML email because it has font effects, pictures, etc but this is not always true so you have to take a quick look at the headers.

Why do I care if it's HTML mail: all kinds of interesting things can be "hidden" in HTML mail that won't show up when you see the mail interpreted by your email program/browser. Actual URLs do not necessarily show up in interpreted HTML messages. For example: you might see CLICK HERE but the underlying HTML contains a URL that indicates the spammers web site. In order to report properly SpamCop needs those hidden URLs.

Eudora for the PC - non-HTML mail:

1. Open the email by double clicking on the subject line. Click the 'blah blah blah' button to reveal the headers.
2. Place your cursor anywhere in the body of the email and select the entire message (Edit/Select All or Ctrl-A)
3. Copy the entire email (right click and click copy OR Ctl/C OR Edit/Copy)
4. Paste (right click/paste or Ctl/V) the entire message into SpamCop.

Eudora for the PC - HTML mail:

1. Open the email and click blah blah blah.
2. Hi-lite the headers only. Copy and paste the headers into SpamCop as above.
3. Hit enter twice after the pasted headers to force a blank line after the headers.
4. Back in Eudora window, place your cursor anywhere in the body of the message and right click and click "view source". A new window will open.
5. In the new window, select all (as above) and copy the contents of the new window.
6. Paste the window contents into SpamCop.

Good news for Mac users!

Philipp has provided an AppleScript that works with Eudora for Mac to easily and seamlessly use the SpamCop email submission system. Philipp's instructions are to create a nickname of "spamcop" with your personal spam submission address in your address book, then save the below script as an application in your Eudora Apple-Script folder. On execution, the currently selected E-Mail will be made in a new email ready for sending to spamcop.

Script:

tell application "Eudora"
set spammsg to message 0
set spamsubject to "submitted spam"
set spamtext to whole text of message spammsg
set mymsg to make new message at end of mailbox "out" of mail folder ""
set signature of mymsg to none
set rec to addresses of nickname "spamcop"
set field "to" of message mymsg to rec
set field "subject" of message mymsg to spamsubject
set field "" of message mymsg to spamtext
end tell

One last tip from a user:

I transfer all spam messages to a folder named "a _spam folder". Once a day, I open Outlook Express (which I have configured only for outgoing (do not check for new mail)). I import the "_spam folder" (the _ places it toward the top of the list). I then select all messages, right click and "Forward as Attachment" to my reporting address. I then delete from both programs so I do not resubmit.

I've found that it is easiest for AOL users to process spam by using SpamCop's email submission system.

Open the email, click on "Actions", then on "Tools", then on "Delivery Information."

Next, you have to pick out the internet-style mail header information from the window that appears when you select Delivery Information.

Lotus Notes v.4.x
Look for the first line that begins with "Received". There should be a blank line just above it. Then, scroll down to the next blank line. The stuff in between the two blank lines are the headers you need.

Lotus Notes v.5.x
Look for the seperator line that reads
-------- Additional Header ------.
Select everyhing from there down to the next seperator line, usually
-------- Routing Information ------.
The stuff in between the two seperator lines are the headers you need.

Lotus Notes v.5.x (easier method)

1. Open your inbox
2. Highlight the message that you wish to get header information for.
3. Choose File -> Export...
4. Type in a filename, leave the type as "Structured Text" and click Export
5. From the Dialog Box that comes up, choose "Selected Documents" and click OK
6. Now you can open that message you saved in Wordpad and Cut&Paste it into the SpamCop website parsing box.

Alternate method for those that don't have Delivery Information
Right-click on the email and select Document Properties. On the Fields tab, copy all the text from the value of the $AdditionalHeaders field. an example of the data provided for the $AdditionalHeaders field:

Field Name: $AdditionalHeaders
Data Type: TextList
Data Length: 1228 bytes
Seq Nun: 1
Dup Item ID: 0
Field Flags:

"Received: from westrelay03.boulder.ibm.com ([9.99.132.206]) by ...
13:44:09 -0400

Note that you want to copy everything AFTER the double quote and note there is no matching double quote - the area marked in bold.

If these methods both fail
Then you are probably in a Notes deployment that is using a customized client template, contact your Notes template designers for information on obtaining this information under their design.

General Notes Notes

These will not capture the Notes Server routings and hand offs, only the MTA hand offs, and so will not be any good for reporting spam from other Notes users. If you are getting spam from other notes users, contact your own system administrator to resolve the problem.

1. Open the e-mail document.
2. From the menu select View, Show, Page Source.

The best way to get the full email source from Pegasus Mail is to use SpamCop's email submission system.

In Pegasus E-Mail, to forward your spam to SpamCop, simply forward the spam, as outlined here, to your personal SpamCop submission address. Perhaps a third party spam scanner has classified your e-mail for you, sorting it for easy reporting.

One way is to use Pegasus's built-in mail filtering rules, the general set, to move all your spam to a separate folder. Open that folder and right-click and select all messages. Press "Forward" and choose the option "Start a new message with the messages attached" (the third one down). Press "Send". It will ask, "you have entered a message with no subject(and possibly no body) are you sure you want to send it?" Reassure the program you want to send it. Then, under file, select "send all queued mail". Wait a few minutes, then visit the spamcop website to confirm and send your reports.

(Thanks Scott, for the above.)

Using the web submission form:

These instructions provided for the impatient - please try to use the above email system first.

Try just hitting the "backspace" to toggle from full headers to none, if this doesn't work then go through this rigamaroll:

In the New Mail or other folder window:

1. Right click the message, and select Message Properties.
2. In the right hand column uncheck the box beside Contains HTML data.
3. Click OK. That should allow you to see the message as a text message only.
4. Click Ctrl-H to bring up the full headers.

Another way:

1. Highlight the HTML spam in the new mail folder
2. Open a new email message
3. Drag the HTML spam onto the new message
4. In the dialog that appears select "Show All Headers"
5. Highlight the entire message, then copy to clipboard
6. Paste message into SpamCop.net window.

If you prefer to use the website submission form, it is necessary to "bounce" the spam to yourself first to obtain the full headers.

1. While viewing the spam, hit "Forward" on the sidebar. Address the document to yourself.
2. Completely erase the subject line.
3. Put your cursor on the first line of the "body" (text area); Hit "Return" (enter) twice. Your cursor should now be on the 3rd line of the text area.
4. Type any "Alt" character on this line; DO NOT HIT "RETURN"
5. Cut and Paste the "Alt" character onto the subject line: (CMD+"A"), (CMD+"X"), (CMD +"V") The "Alt" character should "jump" down to the message text-area.
6. Hit "Send"; open the received mail and Copy-Paste the item into the SpamCop text-area.

Using the WebTV console is completely different than using a computer to track and report spam. Because of this difference, it can sometimes be difficult to get assistance within the SpamCop help groups.

There are a number of WebTV users dedicated to fighting spam that congregate in a newsgroup accessible to WebTV users only. Discussion centers around reporting spam, with a large number of SpamCop users and SpamCop related posts.

This link should take you to the WebTV group:
news:alt.discuss.clubs.public.other.activist_fighting_spam

Use the "Show Long Headers" option in the "Mail" menu while you have the spam message open.

Versions earlier than 2.0:

Click the blue triangle near the "from" information to show additional message information, then click the "Show Original Headers..." button to bring up the full header info.

You'll have to cut/paste the header into SpamCop and then the body text.

In the KDE Mail Client that comes with the KDE desktop for Linux, select Message, View Source. Copy and paste the text from the "Message as Plain Text" window into SpamCop.

Press the keys 'W', then 'v' in the summary or mail buffer.

To get full "message source"
1. When viewing the message, click File, then Save Message As.
2. A standard save window will appear.
3. Save the message as a .txt file (spam.txt).
4. Open the file you created, select all (ctrl-A) and copy (ctrl-c).
5. Open the SpamCop reporting form and paste (ctrl-v).

On the drop down menu "Options", choose "Email Options.." (press ctrl-E) Under "Show Message Headers", select the "full" option. Click the OK button to save the setting.

Juno version 4+ can display MIME and HTML email, but does not provide a way of Viewing the HTML Source for the message within Juno.

To get the full source, including HTML codes:

1. In the Juno mail client, click "file" and then "Save Message as Text File.." (ctrl-T).
2. Give the file a name which you will remember (many people save temporary files to the desktop).
3. Double-click on the resulting file and then cut-and-paste the contents to the SpamCop web-site.
4. After the spam is reported you can delete the temporary file or just over-write it the next time you need to report spam.

Mutt has a mime_forward setting that must be enabled so that forwarded messages are sent as MIME-formatted attachments with full headers. This may be added to your ~/.muttrc file or entered after starting Mutt:

set mime_forward=yes

Once this is set, simply forward each message to your SpamCop submit address using the f (forward) command.

Unfortunately, most people get more than one or two spam messages per day, and no one has their SpamCop submit address memorized (or always in their copy-paste buffer), so it's a good idea to create a macro for forwarding spam to SpamCop.

The following macros will submit all of the currently tagged messages to SpamCop via email in a single message. It will work while viewing the list of messages in your mailbox (macro index) or while viewing a single message (macro pager) using the Ctrl-X command:

macro index \cx ":set autoedit=no fast_reply=yes  editor=\"/bin/true\"\n<tag-prefix><forward-message>submit.xxxxxxxxxx xxxxxx@spam.spamcop.net\n<send-message>:set autoedit=yes fast_ reply=no editor=\"/usr/bin/editor\"\n" \
        "Forward mail to SpamCop"
macro pager \cx ":set autoedit=no fast_reply=yes  editor=\"/bin/true\"\n<tag-prefix><forward-message>submit.xxxxxxxxx xxxxxxx@spam.spamcop.net\n<send-message>:set autoedit=yes fast_ reply=no editor=\"/usr/bin/editor\"\n" \
        "Forward mail to SpamCop"


Macro configuration notes:

1. The macro must be defined on one line, with a backslash continuation character at the end of the line for the description.
2. Replace submit.xxxxxxxxxxxxxxxx@spam.spamcop.net with your SpamCop submit address in both macros.
3. The macros assume that mime_forward is set to yes. If not, it may be set and unset within the macro definitions like fast_reply is set and then unset.
4. If you set autoedit to no in your .muttrc, it may be removed from the macro definitions.
5. If you set fast_reply to yes in your .muttrc, it may be removed from the macro definitions.
6. You must change editor from /usr/bin/editor to the path of your real editor (unless you're also using Debian GNU/Linux).
7. If you want to change the macros to only forward one message at a time (i.e., the currently highlighted or currently viewed message), then remove <tag-prefix> from the macro definitions.

Thanks to Martijn Pieters for submitting his .muttrc file in a bug report on bugs.guug.de with these macros originally defined.

- Message -> SaveAs -> Save as Type - I
- Select Unix Mailboxes[*.mbx]
- Open the file in your preferred editor, then simply cut and paste.

For The Bat! v1.53bis:

- Select the message in question
- Click on the "Messages" menu
- Select "View Source"
- Alternatively, you may push F9 instead of the last two steps.

1. Click "Message", then "View Source"
2. Highlight the message source as normal with the mouse
3. Copy using Control+C
4. Paste into SpamCop as usual

1. Right click on the container name in the explorer panel (either a top-level mail box or a specific mail folder).
2. Select the Properties item from the pop-up menu.
3. In the properties notebook, select the Headers tab.
4. Click the "All" button on the right.
5. Press "OK" and you're done, the coplete header is available in the header panel and can be selected/pasted into SpamCop.

1. Open the message
2. In the message window select: File > Attatchments > View
3. Select the Mime.822 attachment

Press CTRL-R to display in RAW mode, then CTRL-A and CTRL-C

Don't forget to press CTRL-R again to display in normal mode after you do this

Go to the "View" menu, select "Message Display" and click on "Show Full Headers".

• Select the email
• Right click and mouse-over "View"
• Select "Source" from the popup menu

or....

• Select the email
• Left click on the "View" menu
• Select "View Source"

or....

• Select the email
• Press Ctrl-U (default keymap setting)

To use the Email Submission System with Sylpheed, it is necessary to use a command line mailer such as Blat.

Using blat, you automatically send spam reports from the command line:

blat %1 -subject "spam report" -to submit.YourSpamCopCode@spam.spamcop.net

where the %1 variable is replaced by the Sylpheed message number (an ordinary text file).

To see the full, unmangled headers in Hotmail:

1. First, configure your options:
   On the upper right "Options | Help" links, click on "Options." Click on the "Mail Display Settings" link, find the item "Message Headers." Choose "Advanced" and click the "OK" button.
2. Then, to report spam:
   When viewing a message, use the "View E-mail Message Source" to display the message in raw mode before copying into SpamCop. (This link is right below the headers.)

To see the full, unmangled headers if you are using Windows Live version of Hotmail:

You can determine the source and path of an e-mail message by viewing the e-mail header information. This information can be used by system administrators to track incoming messages and to help reduce spam. To view the e-mail header information:

1. In the left pane, click Mail.
2. In the Folders list, click Inbox.
3. Right-click the message in the message list, and then click View source.

Unfortunately Microsoft has chosen to not follow the RFC guidelines for email and double-spaces the headers displayed. The blank lines need to be removed between each header line for the SpamCop parser to work.

Since Yahoo! does not provide a raw email source feature, it is easiest to report spam received in your Yahoo! account by using the SpamCop email interface. Simply forward (as attachment) the offending email to your personal spam reporting address.

Cutting and pasting in the SpamCop web parsing form is a time consuming task when using Yahoo! web mail. It is recommended you use the mail forwarding method above.

If you insist on using the web form, follow these steps:

First you must turn on "Full Headers". From your Yahoo! mail account, click on "Mail Preference". Scroll down the page to "Message Headers" and click on the "all" radio button. Save your preferences at the bottom of the page.

Next, view the message you want to report. If the message is in plain text, copying from this page and pasting it in the parsing box will work.

If the message to be reported is HTML, a two stepped process must be used:

1. View the message and copy the complete headers. Paste these in the SpamCop window, then add a blank line.
2. Go back to the Yahoo! window and select to "Forward" the message as "inline text" (drop down menu). Scroll down the message to the start of the message body. (The first line of the HTML body will usually begin <HTML). Copy the body of the message and paste into the SpamCop parsing window. Make sure a blank line remains between the header and body.

Click on the "Process Spam" button.

We have received a report that you can still "forward as attachment" the spam to your SpamCop account. This is done by holding down the "Ctrl" key ('apple' key with Mac) while you click 'Forward'.

• Sign in to your email account.
• Click on Preferences on the Email home page
• Click on Email Preferences
• Check the box to display headers
• Click on Save

You can then see the headers in all messages in your folders.

Alternatively, you can use the SpamCop email submission system by forwarding the email as an attachment to your personal reporting address.

To close the full headers and return to brief headers, click the yellow triangle again.

I would suggest you complain to Lycos since they are the only people that will be able to identify the source of the spam via their mail server logs.

At the top of the message you will see the following links in the message frame right above the "reply" buttons:
[folder name] : Prev | Next : Download
Select "Download" from the above.

This changes the message window into the download window. In most cases you will see a line like this:
Full message: Content-Type: message/rfc822, with "Full Message" as a link.
(Note, depending on the spam, the "Content-Type" may not match the sample above. This shouldn't matter...)

A new browser window will spawn with both the headers and the message text. At this point, simply copy all the text in order to paste it to spamcop or in a message to whomever, should you be doing your own spam fighting :)

You may then close that full message browser window. To get back to the folder where the spam was, simply click on the [folder name] link either in the message window, or in the onebox.com navigation frame to the left.

• Left click on the letter you want to open and click on 'Properties'.
• When that opens click on the 'Details' tab, and then on 'Message Source'.
• This will open the email so the full headers will be available for viewing.
• Select and copy the text. Paste it into the SpamCop parsing window.

Exchange 2000 Outlook Web Access

Unfortunately there is currently no known way of viewing the message source in Exchange 2000 Outlook Web Access.

Exchange 2003 Outlook Web Access

Under Exchange 2003 there is a free, third-party 'ViewMessageSource' extension available which the mail server administrator can install. It adds a 'View Source' option to the right click menu of all messages.

You can download it from:
http://www.asaris-matrix.com/sweber/playground/downloads/forms/DispForm.aspx?ID=18

Once installed (instructions are included in the .zip file):

• Open up the folder which contains the email you would like to report.
• Right click on the email you want to report and click on 'View Source'. A new window should pop up with the full message source inside.
• Select all of the text (Ctrl-A) and copy it (Ctrl-C). Paste it into the SpamCop parsing window.

Only the email submission system works with Shawcable's webmail service. You cannot cut and paste spam into the SpamCop reporting form.

To successfully use the email submission system, you must first display the full headers of the spam you are forwarding.

1. Log into the Shaw webmail service
2. Open/view the mail
3. On the right side opposite the "from" address you will see a triangle/arrow. Click that to display full headers
4. Click on the "Forward" button
5. A new blank composition message will open with the original spam showing as an "attachment"
6. Send this new email to your spam submission address shown on your SpamCop page.

In a few minutes you will receive a response back from SpamCop to your SpamCop registered address, with links to complete the reporting. Alternatively, you can watch for the "Unreported Spam" link on your main SpamCop page to take you to outstanding reports.

MSN Premium

MSN Explorer
version 9.50.0034.2000

1. Open the message you wan to examine.
2. Press "Ctrl-Enter" or select "View/Message Headers."
3. Under the "Details" tab will be the internet headers for the message. This does not include the message text itself.
4. Press the "Message Source" button to view the entire message, headers and all.
5. Right click within the Message Source window and you can "Select All" and then "Copy" the message source so that it can be pasted into other applications.

1. Log into your GMail account.
2. Open the message you'd like to view headers for.
3. Click the down arrow next to Reply, at the top-right of the message pane.
4. Press the "Message Source" button to view the entire message, headers and all.
5. Select Show original.

How should I select the recipients for my spam report?

How do I change my spam-reporting email address?

Submitting a Report:
What do you mean by "full headers"?
Why does SpamCop show different results from one day to the next?
How do I decide an appeal of status is warranted?
SpamCop said "No reports filed." What does it mean?
Why does SpamCop want to send a report to my own network administrator?
How should I report usenet (newsgroup) spam?
Reports sent to SpamCop addresses
How is data from spam submissions used?

Regarding specific reporting problems:
Why does SpamCop refuse to accept my HTML spam?
Why does SpamCop say "Sorry, X refuses to accept SpamCop reports?"
Why does SpamCop say email to X bounces?
What does "no date available" mean?
Why doesn't SpamCop always generate reports for relay administrators?
Why doesn't SpamCop make reports about "reply-to" and "from" addresses?
Why does SpamCop say my spam is too old?
Why does my modem disconnect when I try to submit spam?
How can I easily report spam on my MAC?
SpamCop has quit working with Netscape
Why does submitting to SpamCop results in an error/timeout?
Are servers which do not include IP source information broken?
What does "untrusted" mean?
Why do I get a "Network Error - connection reset by peer in transfer loop" when using SpamCop with Intermute's AdSubtract?
Problems with spam not in original format

Source of email

This is the actual source of the email as determined by SpamCop. In almost every case, you should leave this box checked unless you believe SpamCop has made an error in finding this administrator's address. If the administrator has already taken action against this spammer, this choice may not be available.

Web site host

Often, spam will include links to web sites. Spammers use these to draw victims in for more pitches. However, most administrators will terminate such accounts merely for being associated with the sending of spam - even though there is no direct proof that the owner of the site is responsible for the spam. Because there is no direct proof, you should be very careful when selecting these boxes. Read the spam, and be sure that the spam is really promoting the web address, and not just referencing it off-hand. Spammers will often include innocent parties' addresses in spam in an effort to confuse and discredit. For instance, www.yourdomainhere.com is often the target of erroneous complaints. Another example: some stock-market spammers will reference stock-quote sites to help prove whatever points they are making. These are "innocent bystanders" and should not be reported as spammers. Make sure these boxes are unchecked if you are not fairly sure the address in question is being used by the spammer.

Relay administrator

If SpamCop recognizes that a mail server other than that on the originating or receiving network has relayed an email (also known as "open relay" or "relay rape"), SpamCop will attempt to find a valid reporting address for the administrator of that server. If found, you will be given the option of sending a report to that administrator notifying them the server is being abused for unauthorized mail relaying and asking them to secure the relay.

Relay Testers

SpamCop checks several different blocking lists to see in an IP address is listed as an open mail relay or an open proxy. If the IP is not listed on any of these lists and this is the first time SpamCop has encountered that IP, SpamCop will offer to send the IP address to for testing. SpamCop will also save a copy of the headers "as proof" of relaying. If the IP is already listed on a blocking list but this is the first time SpamCop has seen the IP, it will not be sent a second time, but SpamCop will save a copy of the headers as "evidence" of relaying.

Other email addresses (members only, experts only)

If you are an expert, and you feel SpamCop has missed out on reporting spam to a certain administrator, you can tell it to report the spam to any email address you want. Just check this box, and fill in the email address in the space provided. For this recipient, SpamCop will make no assertions about the administrator's role, so you should include some of your own comments in the "additional notes" space. Explain why you think they should review the spam report. You can put up to four email addresses into this field - seperate each one with a comma.

Appeal disabled targets (members only, experts only)

Do not use this feature unless you are sure of what you are doing. If you believe that a web site or email address has been registered as resolved erroneously, you may file an "appeal." SpamCop's administrator will receive a copy of the spam, and the situation will be reviewed manually to see who is telling the truth. Do not use this feature unless you have verified, either by sending email or visiting the web site, that the account that has been marked closed is in fact still in operation.

You are also given the chance to add additional comments to the spam report. Normally, SpamCop includes all the information needed to indicate the reason for the report, but you can use the comments section to indicate:

• Why you feel this message is spam. e.g. "This may look like a legitimate newsletter, but I never requested it - I was subscribed against my will."
• What you have done in the past to be removed from this person's mailing list. e.g. "I have asked to be removed several times from this person's mailing, but I still keep receiving it."
• What your past experiences have been with this particular spammer, e.g. "I get spam from this huckster once a week, like clock-work."

For free users, your SpamCop account is tied to the email address you used to sign up with. If you stop using that address, your login will still work, however SpamCop will still forward any messages to that address. If that address starts bouncing or we don't receive a reply to a query sent your way, the account will be suspended.

Addresses used to sign up for free SpamCop accounts cannot be changed. You must sign up for a new account, using your new email address. Simply visit SpamCop account signup.

To access and use your new SpamCop account, it will be necessary for you to find and delete the cookie placed on your harddrive by SpamCop (if you chose to accept a cookie).

Notice the line marked in red. This is the most important part of the header that SpamCop cares about. This is called a received line. Some email messages have only one received line, some have more than one. Every time the email makes a "hop" from one server on the internet to another, one more received line is added. They can be used to track the email back along its path to the origin. Without this information, SpamCop can do nothing. All the other information in the header is suspect (it can be faked). The received line portion of the header always contains SOME kernel of truth. SpamCop separates the kernel from the chaff in order to find the true source of the spam.

When you parse a message and see that "ISP has taken action" or "ISP does not wish to receive reports", you will almost always be presented with a checkbox to appeal. Before checking this box, you are expected to verify that the issue *really does* need to be reopened; ie, it says that the website is shut down but it's not.

Obviously, these issues are not always cut and dried, and sometimes all you can do is appeal and see what we have to say about it. But there are certain situations where it should be clear that the reported status is appropriate. Your own email address is one of those situations. Completely innocent third party sites like spamlaws.com, biz.yahoo.com, etc. are other examples.

When deciding whether or not to check that appeals box, ask yourself whether or not the administrator of that issue *really* needs to be notified. Go back and reread the spam to see in what context a URL or email address is used.

Bottom line, if you are currently just blindly checking every box SpamCop is presenting you with, you need to slow down and be a little more conscientious. I know that the point of this system is that it is quick and painless, but the user has to be responsible in order for it to work.

1. Problems at your end:
   The header of the spam didn't have enough information to figure out what IP the spam came from. This happens sometimes on very old or strangely configured email systems. For instance, if you are using a Novell or old Microsoft server, you may have this problem. The problem also occurs with hotmail, but only intermitantly. If this is the problem, you will probably see it with ALL email (unless you use hotmail, then only sometimes).
2. Problems at the spammer's end:
   SpamCop couldn't figure out who is responsible for the IP that the spam originated from. This is sometimes caused by temporary network outages. It can also be caused by poorly configured DNS servers and out-of-date IP registration information.
3. All issues have already been resolved:
   Sometimes you will receive this message because all hosts involved (originating IP, web/email hosts) have reported back to SpamCop action has been taken and closed the issues.

View the messages in red to find the specific reason for this message and then check the other FAQs in this category for more information on the solutions.

SpamCop no longer (as of Feb 25th, 2003) trusts relays which have not been submitted for relay testing by SpamCop. If you find your mailserver (or your ISP's mailserver) is not trusted ("recently discovered, untrusted as relay"), please avoid reporting it as the source of spam, but do submit it for testing (uncheck the box(es) labeled 'network where email originates' and leave checked ones labeled 'open-relay testing') After 48 hours if the system is not found to be an open relay or proxy (and it meets SpamCop's other criteria), sources of spam it identifies will be accepted by SpamCop.

One reason this problem can occur is because your internal mail server does not indicate the source IP address of the spam. Talk to your network administrator about fixing the problem.

The other, more complicated and more common cause of this problem is when the email bounces around the network too much, causing a chain error. This problem can also be solved by your system administrator. Don't let the email bounce around so much once it reaches your company's network. Specifically, change the setup so that all the mail servers in your company identify themselves in a consistent way.

The mail servers handling your email must identify themselves in a consistent way, and the DNS records associated with them must be correct. For instance, if a mail server identifies itself as "mail5.netcom.com", then the server must actually be delivering mail from an IP address (close to the one) given by that name.

Not confused yet? Then here's an even more technical explanation: For each "received" line, the receiving server must identify itself as being in the same Second Level Domain as the previous received line's sending server OR as being in the same Class-C (/24) network as the previous received line's sender. Whew. IP addresses used by mailservers must have reverse DNS (a mapping from an IP address to a hostname).

This chain-test is one of the primary ways of detecting spammer forgeries. Any relaxation of the rules involved would surely defeat the forgery detection and result in many more inaccurate complaints.

As with email spam, you must use your best judgment. By normal usenet definitions, spam is a message which is either cross-posted excessively or multi-posted excessively. However, other forms of postings are often frowned upon by usenet administrators and ISPs in general even if not strictly defined as spam.

Usenet is much more complicated than email to evaluate. Each group has its own rules (for instance, most groups - but not all - forbid commercial postings). When reporting a usenet message, you should always add some comments of your own to indicate why you are reporting the message as spam. Indicate what local rules the poster is breaking and include a link to the group's charter, if available. Or, indicate that the message has been excessively multi-posted or cross-posted.

Under no circumstances should you report messages which are freedom of speech issues. For instance, if you are reading a pro-choice newsgroup, and you see an objectionable post from a pro-lifer, this should *not* be reported to the ISP using SpamCop or any other method. Simply being off-topic does not make a message spam. Reporting such messages will gain nothing and will only serve to dilute the opinion of administrators for you personally and SpamCop generally. See also the rules FAQ for possible punishment (including banning from SpamCop).

If you object to a certain post, you should also make every effort to educate the poster before you report them to their ISP. Usenet is a place where many people learn about netiquette for the first time. If you think the poster is doing the wrong thing out of ignorance, please try to educate them nicely via email before you cry spam. Don't clutter the newsgroup with these educational messages. Send the poster email. If the person continues to post spam to your group and they are unwilling to be educated, only then should you bring the issue to the attention of their ISP.

An example of the internal address used is abuse#isp.net@devnull.spamcop.net

SpamCop administrators have set up special internal addresses for some service providers. These providers have requested SpamCop reports be sent to a secret address other than their standard abuse addresses.

In many cases it is the result of negotiations between the service provider and SpamCop administrators because the service provider has implemented a 'webform' based complaint system, or it may be simply that they want SpamCop reports kept separate from other complaints for their own reasons.

When one of these is encountered you will see a notice in the report sending area "Internal SpamCop Handling".

Spam submitted to SpamCop is used in various ways. However, your personal email address is never revealed beyond the initial report, and the email you provide is not released beyond the initial submission. One exception to this - each spam submission generates a tracking URL, and that URL can be used to view the original headers of the spam. This tracking URL is given to you when you report the spam. It is also included in the spam reports. Copies of this URL contain all the information from the original headers.

When viewing spam headers from a tracking URL, SpamCop attempts to conceal any email addresses in the header which may belong to the recipient of the email. However, this system is not perfect. It is possible that the header may reveal your email address.

IP addresses contained within the header may be scheduled for testing by ORDB, an open relay blocking system. See http://www.ordb.org/ for more information on ORDB. This means that mail servers you use may be probed by ORDB to see if they are secure.

Email, web and IP addresses from the spam email along with responsible administrator email addresses are kept in a database and used to produce statistics on spam trends which are publicly available. This database may also be used by SpamCop Mail Service Subscribers to filter email based on spam trends.

Information from the database and headers may be shared with other administrators as needed. Reasonable attempts will be made to preserve the anonymity of the recipient in cases like this, however the email address used to send SpamCop reports may be used to contact you concerning reports you have filed.

2/9/00 - SpamCop has begun requiring that spam containing HTML is submitted with the HTML codes intact (funny codes in the body of the message). This prevents erroneous complaints and allows SpamCop to find sites referenced within the HTML. Just because you don't see pretty pictures and colorful text does not mean the email you are viewing does not use HTML coding.

The HTML source is important for three reasons:

1. The HTML tags contain the email and web site addresses, which may not be contained in the plain text. If the spammer includes, for example, "<a href="http://spammer.website.here/">click here!</a>" in the email, then to be able to deal with that website, SpamCop needs the whole thing - just the words "click here!" are useless.
2. The abuse desk receiving the spam may want to match the spam with other copies of the spam, or with their logs. To do this, they need an accurate representation of the email that traveled through their system.
3. Spammers can actually exploit the inaccurate rendering of HTML source to falsely implicate innocent parties. For instance, the HTML code "<a href="http://spammer.website.here/">http://www.whitehouse.gov/</a>" when rendered in an HTML viewer shows only "http://www.whitehouse.gov". If SpamCop accepted that text, it would send abuse reports to the administrator of the Whitehouse web-site rather than the spammer's web-site.

Please re-read the FAQ section for your email software to see if you can meet this requirement.
Email software help

If you do not find a solution there, try the email interface:
Email interface instructions

If neither approach works for you, please join the forum and/or help research the best way to solve the problem using your email software.

Of course, if you subscribe and route your email through the SpamCop filters initially, SpamCop keeps an accurate copy of your email for single-click reporting without email software hassles.

Here is an example of how spam in HTML format looks when intact.

Here is an example of how spam in MIME format looks when intact.

This means that for whatever reason, the administrator responsible for the network you are trying to report does not like SpamCop reports. Although I make every attempt to resolve disputes with ISPs and modify SpamCop to suit their needs, sometimes they decide they would rather not receive reports.

You may mail such administrators personalized spam reports if you are sure they are the correct persons to contact (sometimes people disable reporting because they are *not* the correct person). You can even ask them why they disabled SpamCop. Please be polite if you do.

Often, this is not a serious problem. Sometimes, SpamCop will identify two administrators for a domain (postmaster@ and abuse@ for example). Using this disable feature is often an ISP's way of telling us which address is active (disable postmaster@ to let us know that abuse@ is getting the reports loud and clear).

This means that SpamCop found an email address to complain to, but it was invalid. If you find a more-correct place to report spam issues for the email in question, you may report these updates to deputies@admin.spamcop.net. Please do not send email unless you can provide a working abuse address where none was found before. You must confirm that the new address is correct and responsive to spam reports before you ask SpamCop to use it. Julian does not do the legwork of finding correct abuse email addresses.

Sometimes, if no correct contact information is on file, SpamCop guesses by using the RFC-822 required email address postmaster@ as well as the DNS server's administrative contact from the "SOA" record.

A good way to track down the correct abuse address is to visit the web page of the domain that bounced your complaint.

SpamCop keeps most data for only 30 days. If the issue you are trying to report was marked as resolved more than 30 days ago, SpamCop does not know the exact date it was marked resolved.

This statement should not affect your appealing the issue. Follow the normal protocol of testing if the URL or email address is still active before filing an appeal (see FAQ How do I decide an appeal of status is warranted?)

Open relays are often found in far-off countries where the software is out-of-date and cannot be upgraded because the hardware can't handle newer versions. Sometimes the server is long forgotten, stuffed in a closet, seldom looked at much less monitored.

Finding an email address in whois databases beyond ARIN can be difficult without human eyes as the information is not presented in a standard format and can be buried several layers deep. Often, even if an address is found and a report sent, language barriers prevent the intent of the message from getting through.

SpamCop will not send reports for any spam it detects is more than 48 hours old, as indicated by the first accepted Received: line.

Why?

Short answer: because it is.

Long answer:
SpamCop uses the date of the topmost useful Received: line. This is usually information direct from your own email server, not the spammer's email system. The date used is actually appended by your own ISP and indicates the amount of time the email has been sitting in your inbox waiting for you to retrieve it. This part of the header cannot be forged to fool SpamCop. If there is a discrepancy in the date from the first "received" line it is due to a problem with your email provider's server. Either it is working very slowly or it has a clock that is out of sync.

Chances are that within two days, the spam will have been reported many times over (especially in cases of large spam runs). In fact, most spam reports are redundant after only a few hours. If an administrator is going to do something about the problem, he/she will already have done so or is in the process of doing so. Sending more reports at this point would just serve to bog down their already full inboxes, and the last thing we want to do is overburden the people whose help we need.

It is understandable that you want to "go on record" as having received the spam, but it's just not practical. If you simply must file a report on a message you can still do so manually.

Perhaps you are using a USR sportster or other faulty modem.

Try adding S12=0 and S2=128 to your modem initialization string (ATS12=0S2=128). This disables the escape sequence (normally - +++). I heard that this is a common problem with USR 56K's - they erroneously detect the escape sequence and go into a wrong mode.

The reason you see it with SpamCop is that the web forms get "URLencoded" which means that spaces are converted to pluses and if the spam that you tried to paste had three consecutive spaces in it, Netscape sends +++ and this kills the connection...

Applescript for obtaining headers

A recent problem has been identified by Netscape 4.x users, whereby trying to parse spam through the web submission form returns a "Document contains no data" error.

The problem has been narrowed down to the way SpamCop and Netscape interact with each other. When parsing spam, SpamCop places a temporary file on your hard drive in the form of "nsform**.tmp". These files should automatically be deleted by Netscape, but that doesn't always occur for some reason or other. Once there are 1,024 of these files on your hard drive, Netscape will return the no data error when trying to use SpamCop and some web based email programs.

The fix is actually quite simple. Perform a search for all files named "nsform**.tmp" and delete these files. The ** will be two letters, two numbers or one of each. With Windows 9.x, the files will usually be found in the c:\Windows\Temp directory. On the Windows NT platform (NT, 2000, etc.), the files should be in the c:\Temp directory.

A special thanks to "Spambo" for the discovery of this fix.

Mac:

On Macintosh computers running Netscape, the problem appears differently. When trying to use SpamCop, you will receive an incorrect authorization, or "old authorization" error message.

On Macs, look for a file named "nsform". It will probably be found as a hidden file on your desktop. Delete the file, empty your trash and Netscape/SpamCop should be happy again.

Thanks to Lori C for this fix

Users are able to reach the SpamCop site and parse/report small emails, but when trying to submit a large spam through the website form they get a time-out error after clicking the "parse" button.

This is a problem experienced by users with firewalls. It may be a personal hardware/software firewall you have employed or, there may be a firewall on your ISP's network "protecting" you that you are not necessarily aware of. To see if you are being affected by this problem, you can submit SpamCop's form with only a few characters filled in. If this works, but submitting actual spam does not, you are probably experiencing this problem.

Simple explanation: Your firewall is misbehaving. Your computer and the internet gateways between your computer and SpamCop are trying to negotiate an efficient way of transmitting data. Your firewall is discarding critical information necessary to this negotiation. Your computer could recover from this problem, but it is giving up instead. This problem does not appear with other sites because you don't normally transmit large chunks of data to other sites, as you do with SpamCop.

Solution 1: Manually set your MTU in your network preferences to something lower. Here is a good article with instructions for various systems. Note the article talks about destination sites which are broken. In SpamCop's case, you encounter the problem if your traffic goes through a particular router on the Accretive network. SpamCop does not limit packet size or ICMP. You can also read Microsoft's Knowledge Base article Q120642 on this subject.

Note that the above article has some incorrect information. The article states that the default MTU for Windows is 1400. The default MTU for Windows is actually 1500. The router in question accepts packets with a maximum MTU of 1496, so setting your MTU below 1496 should correct the problem.

Solution 2: Allow ICMP unreachable packets (type 3), or if you cannot do that, allow all ICMP packets. This will partially compromise your firewall protection (you will no longer be "invisible", but it will not open up any actual security holes.

Technical explanation: When submitting spam to SpamCop, your computer attempts to discover the maximum transmit unit (MTU) by sending large packets with the DF (do not fragment) field set.

Some routers drop the large packet and generate a return ICMP-unreachable (type 3), fragmentation needed (subtype 4) packet.

So far, this is perfectly normal behavior. Your computer should receive the ICMP packet, note the correct MTU and re-send the same packet in smaller chunks. However, that doesn't happen if a firewall is blocking these return packets.

Instead, your firewall blocks the ICMP-unreachable packet, and your computer assumes (perhaps after many retries) that the network connection cannot be established. Theoretically, your computer could assume that the missing packet indicates a problem and fall back to a fail-safe mode. But this dosn't happen either.

ICMP packet types, are documented in RFC 792. Unreachable (fragmentation needed) packets are discussed on page 3. This RFC was published in 1981, before anyone even considered the need for "firewalls". Since this type of network communication has been well documented for over 20 years, there is no excuse for the broken behavior of these firewalls.

Some users may be experiencing this problem for the first time because of recent operating system upgrades which implement this MTU discovery process. Or because of new firewall products. However, the firewall is really the cause of the problem, regardless of when/why if first cropped up.

If your mail is received at a server which (sometimes) only reports the hostname of the sending server, you should not use that information to track spam. You should not use SpamCop if there is no IP address listed by your server for the source of the spam.

Some mail servers, noteably Groupwise and McAfee's SMTP proxy, do not record the source IP address of the sending server on all messages. Instead, they check the reverse DNS of the sending IP and if present, report that. However, reverse dns is unreliable. It can be set any way the remote site wants. For example, an IP in china could be configured to report a hostname of 'hotmail.com', even if the site has no connection to hotmail.

Only by checking the reverse dns against the forward dns can it be relied upon. For example, if the name 'hotmail.com' is checked, it is found to be different than the chinese host claiming to be 'hotmail.com'. Unfortunately, most mailservers which report only the hostname skip this critical check.

A perfect example of this type of problem is given by the chronically misconfigured telesp.net.br IPs:

$ host 200.148.201.44
44.201.148.200.in-addr.arpa domain name pointer 200-148-201-44.customer.telesp.net.br.

$ host 200-148-201-44.customer.telesp.net.br 
Host 200-148-201-44.customer.telesp.net.br not found: 3(NXDOMAIN)

Note that the reverse DNS of this host "looks" good, but when we try to figure out the actual IP of that name, we come up empty. Yet, groupwise does not detect this problem, and still reports the hostname instead of the IP (this is a real sample from a real spam):

Received: from 200-148-201-44.customer.telesp.net.br
        by smtp; Sat, 22 Mar 2003 23:09:38 -0500

Here we see groupwise reporting a supposedly-verified hostname as the source, even though we've just seen that this hostname is not valid and has no IP address associated with it. Groupwise also does not report it's own version or it's hostname, but that's another issue (and yet another way in which groupwise is broken).

Even asside from these issues, it should be remembered that DNS information can be easily changed. Even if a server does all the required checks, and determines that the IP claiming to be 'server.example.com' really is authorized by 'example.com' to represent it, the IP address of that hostname can be changed at the drop of a hat. So spam received from 'server.example.com' may come from one IP address on day 1, and another on day 2 (or hour 1 and hour 2, or minute..). So reporting by hostname is prone to failure in any case, even if both forward and reverse dns checks are performed. Spammers have not yet started to exploit this last vulnerability, but you can be sure it is only a matter of time before they do.

In practice, servers reporting only by hostname do not do even the minimal forward/reverse checks. They should be replaced, upgraded or reconfigured so that the numeric IP address of the sending server is always included.

Update: We have been told that Groupwise-IA 6.5 and 6.0 with service pack 3 will always report a numeric IP address. Please upgrade if you want to use groupwise headers with SpamCop.

A SpamCop admin or deputy may manually add an IP address or host name as untrusted because analysis has shown that it does not always report the IP address of the computer forwarding (connecting) to it accurately. You will see this most often with user IP addresses, although sometimes an ISP's mail server may not be trusted or certain software versions.

The second circumstance is one that shows up as "x.x.x.x recently discovered". SpamCop's policy is that an IP address is suspect and not trusted for 48 hours from the first time the reporting system sees the IP address.

This is in response to the high rate of open proxy servers being abused in the sending of spam and allows time for other blocking lists to test and list the IP if it is an open proxy. After 48 hours the IP will become trusted by SpamCop if it has not been listed by one of the blocking lists checked by SpamCop.

AdSubtract does not properly handle complex form data, and SpamCop now uses a system which discards such invalid requests instead of trying to deal with them (done to combat denial of service attacks). This combination causes the "Network Error" problem.

AdSubtract users should configure their browsers to contact SpamCop's site without using the proxy server. Note, it is not sufficient to configure AdSubtract to allow spamcop.net. You must configure your browser to avoid AdSubtract.

One user reports this response from the makers of AdSubtract:

Response (Mike) - 07/24/2003 08:32 AM
Unfortunately sites like this require adsubtract not be present. We are aware of this issue, and hope to have it fixed in future releases of adsubtract.
Thank You

Another user reminds us it is necessary to re-enter the 'proxy ignore' settings every time you reboot the computer (at least with Windows XP). Rebooting causes the "ignore proxy for domain settings" to blank.

We (SpamCop) are working on a fix for this as well. More details will be posted here when available.

SpamCop has become more and more strict over the years about the formatting of spam. Although SpamCop is very tolerant of formatting errors and formatting tricks produced by spammers, it has also grown less and less tolerant of errors introduced by users after the spam is received.

Recently (Aug, 2003), SpamCop has been updated to do much more precise scanning of message bodies. At the same time, it has become more strict about how headers are submitted by users.

To help users who do not have compatible email software, SpamCop now includes a work-around, dubbed the "outlook/eudora workaround". By clicking this option below the website submission form, users can select a two-part submission system which will fix up the submission as much as possible before accepting it.

For users of Outlook who want an even easier solution, consider one of the 3rd party add-ons. Please note that none of these options actually provides full content for SpamCop. Our best information at the moment is that Outlook discards information when it retrieves your email.

What follows is a detailed description of the problem, read on if you are interested.

One common pitfall that still seems to be prevalent is erroneous wrapping of long email header lines being submitted to SpamCop. If this type of problem is present in submitted spam, SpamCop will refuse to scan the message body for links, instead producing an error.

An example:

Note the sections in red - these are long header lines which have been wrapped incorrectly post-receipt. Had they been sent by the spammer in this format, the message would never even show up correctly in the recipient's message window. SpamCop uses exactly the same system for interpreting messages, so it cannot see messages which have been "mangled" this way either.

In contrast, the correct formatting of the above headers would be:

Note how the long lines have been indented properly, so that software interpreting the headers can tell that the second part is a continuation of the first part.

When messages are received, these long lines are either actually all on one line, or they are broken and indented properly. However, when copying messages to SpamCop, long lines can often be corrupted, so they appear to be two separate lines. This causes problems, and should be avoided.

I cannot emphasize enough that this is not a trick by spammers to "fool spamcop". It is an error introduced by the recipient (you) when copying or submitting email to spamcop. If you encounter this problem, please review how you submit spam to SpamCop and take corrective action. Please don't just "fix up" the headers, but actually find a way to submit them unaltered in the first place. Fixing headers by hand only introduces even more fatal errors, not to mention being a big pain.

The best way to submit spam to SpamCop is by forwarding it as an attachment to your unique submission address - shown above the submission form on your personal start page.

Mailhost configuration

SpamCop is undergoing a major renovation to the underlying logic which it uses to determine spam sources. Soon, all SpamCop users will be required to use this new system and to complete this additional setup. Some "unique" users may not be able to report all the spam they have in the past.

Why?We are addressing ongoing problems - spammers are finally doing what we have known they could do all along - create really convincing mail header forgeries. These forgeries make SpamCop think spam is being sent from innocent sites, when it is not. Currently, only a few spam forgeries cause SpamCop serious problems, but if we do not solve this problem it will become much worse. Even now, a few mis-identified innocent hosts are a big problem. This system promises to eliminate the forgery problem forever, while avoiding problems caused by other less drastic attempts to mitigate the forgeries. However, it does require more involvement and additional information from SpamCop users.

When? For now, the new system is optional. However, users are encouraged to start using it. Once we have feedback from users and have addressed the most serious problems, it will become mandatory. In the future, we may make other changes which will make reporting spam easier. For example, if we can be sure there are no errors, we may be able to dispense with additional user confirmation steps when spam is submitted.

How? For users with only one email address, the process is easy. Simply log into your SpamCop reporting account and click on the Mailhosts tab at the top of the page. Click on the link at the the bottom of the page to Add first hosts and follow the instructions. For users using their SpamCop email account exclusively, the process is even easier - it is already done. Note: if you forward SpamCop email into or from the SpamCop system, you still have to configure the other email accounts involved.

For users with multiple accounts, the procedure is slightly more difficult. For example, a user with two forwarding addresses configured to forward to one email account should first configure the main account, then configure each of the forwarding accounts:

In example 1, Account C should be configured first, then B and then A. In example 2, Account C should be configured first, followed by A and B in no particular order. Accounts should be configured in reverse order of email delivery. That is, if an email is received first at address A, then that account should be the last to be configured with SpamCop.

Warning: If you use this new system, you must complete the configuration process for all accounts where you receive spam. If you fail to complete the configuration for one of your legitimate mail hosts, you may cause SpamCop to attribute spam to it.

Once you begin the migration process, do not report any more spam until the process is complete.

For now, there is an option to revert away from this new system. However, users are urged to try the new system and post problems in the forum rather than reverting. At least, do not do both - reverting your account will make it more difficult for us to diagnose problems.

As spam defenses and spammers become more sophisticated, many smart spammers have developed very sophisticated defenses against being detected. One of the spammer's strategies is to quickly and effectively remove anyone from their mailing lists who files a spam complaint (until they want to get revenge, and then they use these "remove lists" differently). This is generally (although not always) good for the person filing the complaint, but it is bad for spam defense in general, since these activists are the only ones identifying the problem. By removing the "trouble makers", spammers too often slip "under the radar" and appear to be legitimate senders, even though the majority (or entirety) of the victims don't want the mail (they are just the ones who don't bother to make waves).

In the past, SpamCop has attempted to clean outgoing complaints of any identifying information (codes which spammers use to figure out who is reporting them). However, it has become plain that the only way to really sanitize the reports is to not send them at all. So that is exactly what we're going to do. SpamCop now offers new and existing users an option to withhold almost all data - registering reports in SpamCop's database, but never sending reports to the "ISP" (all too often, the spammer, or a spam-friendly host).

Some users may wish to file reports, and get themselves removed from any spammer's list who is sophisticated enough to remove them (and take the risk of retaliation). Others may wish to take advantage of this SpamCop feature and become a "mole." SpamCop will then only give information about these "mole" reports as aggregate and unspecific totals. Truly conscientious ISPs will still find some value in these aggregate numbers, while the less ethical won't be able to "work the system."

It is recommended that users pick one mode or the other and use that exclusively. Otherwise, you are likely to get the worst of both worlds. Users may set their account to "mole" status under the "Preferences" menu item, "Reporting Preferences", "Spam Munging".

Why do I have to authorize my membership?

How am I billed for SpamCop?

How can I contact someone about a billing question?

Is there a limit on reporting spam?

How can I get my browser to remember my password?
I forgot my password. How do I reset it?
How do I change my email address?
I can't Log In

What happened to all the ISP replies?

How is my personal data used (not used)? (privacy policy)
What is my average reporting time?
Why was my authorization revoked?

One of the main complaints from ISPs regarding SpamCop reports is the lack of responsiveness from the people reporting spam. Part of the reason for this lies with the ISPs themselves. By deluging users with useless auto-responses, they reduce the attention of users for their email.

However, part of the blame lies with people reporting spam. They fire off complaints without spending the time to deal with the responses. Often, users configure SpamCop without any email address. Free users have been forced to provide a valid, verifiable email address for some time. Now, members are being asked to do the same.

This is something which we (TINW) preach constantly - opt-in. It is a little different in this case, but the real issue is that someone with a SpamCop account should not be able to enter an email address into their preferences which they don't personally control.

Also, I require that people filing spam reports read and respond (within reason) to people challenging them over the validity of their complaints. There is no point in reporting spam if you don't also plan on defending your position. To do otherwise only gives the spam-friendly more ammunition.

Please see the accompanying FAQ on how SpamCop is eliminating the garbage email from ISPs.

The price is $1.00 per megabyte of email processed. This charge is asessed when a) when you paste email into SpamCop's reporting form and hit "parse" or b), when you click on the link to go to the parsing page for spam submitted through the SpamCop's email submission system.

Also, if you break the rules, you may be charged a fine. For more details, see the rules FAQ.

When you subscribe, we bill you for however many bytes you choose to use, and we warn you on the homepage when you run out of "fuel." It is always your choice to add more bytes, and we will never send you email telling you your account is dead. If your account remains unattended and unpaid for a long time, it may be terminated.

Contact us using the form below if you have a problem with the way you are being billed or if you have account-related questions that you don't feel comfortable discussing in the forum.

Please do not send email for questions regarding using or setting up SpamCop. If you cannot find the answer to your question here in the FAQ, try posting a question in the forum.

Long answer:

Most people fall into the category of receiving a few spams per day. Some may even top out at a couple of dozen spams in their mail account daily. A very small percentage of users fall into the category of receiving hundreds of spams per day, even with multiple mail accounts.

Given these facts and given the fact that spammers will try anything to make life miserable for SpamCop and its users, SpamCop has had to limit the number of emails that may be submitted by a user for reporting to defend itself from attacks by spammers, trying to bring the system down by overloading it.

SpamCop has implemented a very generous limit of 3,000 emails that may be submitted for parsing by a single account in a 24 hour period. If you exceed this limit, the system will automatically disable your reporting account.

If you run into the "Your account has been disabled" message, you must pass the "I'm not a spammer" test by writing service@admin.spamcop.net explaining your situation. Those passing this simple 'test' will have their account reinstated, however the limit will remain in place.

SpamCop uses traditional HTTP basic authentication. Most browsers will allow you to bypass the password prompt by constructing a URL which includes your username and password like this:

http://yourname%40yourdomain.com:password@members.spamcop.net/

Once you log in using this method, just bookmark the home page. The bookmark will preserve your login information. You can have one of these bookmarks for each family member or other user of your computer.

Warning: This method is inherently insecure. If you do not trust everyone who sits in front of your computer, you should not save your passwords on your computer. This principle is equally true for sites which use cookie based authentication.

Passwords are used to keep your account information and email secure. By saving passwords on your computer, you are defeating the security provided by the password. Also consider the possibility that your computer may be broken into over the internet. If you save your passwords on your computer, you will lose those passwords to anyone who breaks into your computer.

It is also a good idea to use the log-in URL only once to log in. After the first log-in, you should re-load the main page using a normal URL:

http://members.spamcop.net/

Doing so will further ensure your security/privacy. It will avoid the possibility of a copy/paste mishap or having your browser reveal (as the referrer) your SpamCop userid and password when browsing to another site from the SpamCop members site.

Note: (added January 31, 2004)

We have received information that Microsoft will be changing the behaviour of Internet Explorer with an upcoming patch so these browsers will no longer work with this method of authenticated login. If you use Internet Explorer with this patch, you will have to use the pop-up username/password box, or, use the optional cookie login method.

The preferences provides a way to update your email address. The spam reporting service included with SpamCop email service always remains connected with the spamcop.net address for the account.

The most likely cause is that you recently made a change in your Internet Explorer program's security settings to allow anonymous logins. This causes IE to not open the pop-up "Network Password" window.

Reset your Internet security setting to default, or add spamcop.net to your Trusted Sites list.

SpamCop has been redesigned to act as a double-blind between ISPs and people reporting spam. All spam reports are addressed from [reportid]@report.spamcop.net. This email address is connected to your real reporting address, but it is filtered. The filter works like this:

When an ISP replies to their first SpamCop report, the email is forwarded to the correct person. However, at the same time, the ISP is sent back a challenge email asking them to verify by clicking a URL. If the same ISP (as identified by their "from" or "reply-to" header) tries to reply to other SpamCop reports without first responding to the challenge, their email will be unceremoniously deleted.

Paying members have some options not available to free users:

• On the Advanced Preferences page you can set SpamCop to work as described above. The two options you have is to have SpamCop forward all ISP replies or forward only replies from humans (those that have answered the challenge.
  

This document is not intended to be a complete statement of SpamCop's privacy policy, rather it covers the frequently asked questions. As a subsidiary of Ironport Systems, Inc., SpamCop is governed by the Ironport Privacy Policy. Please consult it for a more thorough legal explanation of our privacy policy.

Detailed description of how spam report data is used.

Privacy Limitations:
Information you submit in your spam reports is considered to be in the public domain. This information may be shared with others - in fact, that is the entire purpose of SpamCop. SpamCop makes some attempt to conceal the identity of the recipient of the spam, but this method is not foolproof and should not be relied on. All spam reports include a valid email address for you and the IP address which you used to submit the report.

Privacy Protection:
All other information (member data) - member preferences, authorized and blocked email addresses, forwarding addresses, pop accounts and passwords, and of course incoming email - is kept in strict confidence. No other members are permitted to access this data nor are other third parties. Member data may be viewed by an administrator in the process of debugging, development or simple customer assistance, but it will always be held in strict confidence.

Unforseen problems:
It is possible, though unlikely, that through programming error or security breach, member data could become available to outside parties. Although I take every precaution against this possibility, nothing is 100%, and there is always a chance of failure. You can help by picking a good password and keeping it a secret.

Under no circumstances can we be held liable for any type of security breach or programming error, no matter what the impact. This service is provided "as is".

Since October 2003, SpamCop has been tracking user's speed at reporting spam. This speed is calculated by comparing the time that the spam is received at the recipient mailserver with the time at which it is submitted as spam to SpamCop.

Turn-around time is very important for SpamCop. Quick notification lets responsible administrators take action before the damage is too great. It also makes sure irresponsible sites get blacklisted - also, before the damage is too great.

There are two basic reasons:

• You broke one of the rules. In this case you will have been sent an email explaining what you did wrong and that you have been banned from using the free SpamCop service.

• Your email address is bouncing. A requirement of using SpamCop is that you must maintain a valid email address that accepts mail from SpamCop. ISP replies to your reports are routed through SpamCop to your email address. If the email address no longer exists, or your ISP does not accept mail from the SpamCop server, your authorization URL will be suspended until communication with you can be re-established. (Of course, since SpamCop has no way of contacting you, you will not have received the email referred to in the message.)

  If this happens, please Contact Us. Please be sure to include the particulars, including the email address you used to sign up with SpamCop. An administrator will investigate and lift the suspension once a valid email address is set up and communication with you is verified.

• skip_rbl_checks 1
• required_hits 10
• auto_report_threshold 30
• rewrite_subject 0
• report_header 1
• use_terse_report 1
• defang_mime 0
• spam_level_stars 0

You can set the required_hits at your comfort level.

Spamcop will not have any problems with this, and yet you will still get all of the details you need (as headers) to see why a given message was tagged. You should also be sure you are running spamassassin -F0 or something like that if you are running spamc/spamd, since otherwise the FROM: line will be rewritten.

If you are a mailserver administrator and you have have spamtraps, you may help feed the SpamCop database, subject to administrator approval.

Traps must consist of email addresses which have never been used for legitimate email. They should not be "recycled" user accounts. They should not be well known email addresses, however fake. Spammers and other users should not be aware what the addresses are and you should try to keep them as confidential as is reasonably possible. SpamCop will also keep them secret. We never reveal trap messages. Web-poison addresses and the like are acceptable sources. Traps must be submitted in real-time (no delay under normal circumstances).

There are three possible methods for submitting traps (in order of preference):

1. MX hosted: SpamCop mail servers receive mail for your domain(s) directly. You update your dns records to designate SpamCop servers as your MX for the domain(s). We will forward back to you accounts you wish to preserve. This is only appropriate if the bulk of the mail to the domain(s) is spam. This method is preferable for several reasons:
   • Takes load off of your MX.
   • Ensures that none of the spam is filtered out at your MX.
   • Gives us more control over the "conversation" with the senders.
   • Ensures that your MX is never accidentally identified as a source of spam.
2. Spam in message body: You configure your system to create a new message with the spam being submitted in the body of it - much like the normal email submission process. Messages can be submitted as plain-text bodies or as MIME attachments (multiple submissions per email).
3. Direct forwarding: You configure your system to simply redirect the trap addresses to SpamCop. This method requires more setup and ongoing maintenance - SpamCop must be configured for your mailserver setup ahead of time. You must notify us if your mailserver configuration ever changes.

To proceed, please give us a brief description of your traps. Please include the following information:

• How many messages per day your traps receive appoximately.
  (We usually won't bother with traps getting less than 2000 spam messages per day)
• Which of the above three forwarding methods you prefer.
• Confirm that the addresses being trapped have never been used.
• Tell us how the traps were originally created.

We will respond with more details on the specifics for your submission method.

Tell us about your traps

What is this SpamCop Mail Service?

What is the cost?

How do I sign up?

How do I setup my account?

Subcategories:
FAQ about the Personal Blacklist and Whitelist
FAQ about POPping out of SpamCop
FAQ about WebMail
FAQ about IMAP
FAQ about Filtering and Held Mail

Generic FAQs about the SpamCop Mail Service:
How do I sign up for multiple accounts under the "family plan"?
(missing or broken file)
I want email to go from myaccount@myemail.com and back to the same account. Is this possible?
When does my account expire?

Where can I get further assistance?

Why can't I receive any email?

Information for Individual Users

Information for Businesses

Information for ISPs

Contact us

Both lists work on the same headers. These entries were written before the blacklist existed, so if blacklists aren't explicitly mentioned, it probably applies to blacklists as well as whitelists.

How do I add an entry to my whitelist or blacklist?

How do I whitelist yahoo groups?

How do I view my whitelist?

Subcategories:
What headers are checked?
How do entries work?

1. Log into webmail http://webmail.spamcop.net
2. Click on Options at the top. That will take you to http://webmail.spamcop.net/horde/imp/prefs.php
3. Click on "SpamCop Tools" under "Mail Management".
4. Click on "Manage your personal blacklist" or "Manage your personal whitelist" as appropriate

After you have logged into webmail, go to http://webmail.spamcop.net/horde/imp/spamcop/whitelist.php

If that doesn't work, then:

• Log into webmail
• Click on Options (on the top toolbar)
• Click on Spamcop Tools (in the middle, under Mail Management)
• Click on Manage your personal whitelist

The following headers are checked against the whitelist

• Envelope Sender aka Return Path
• From:
• Sender:

Whitelist and Blacklist entries work by matching email addresses from the right against certain headers What headers are checked? . The email address and the whitelist entry are deconstructed into "words" on the . (dots)and @ (at) characters. These words are then matched right to left. This means that an entry of friend.com will match joe@friend.com, and jane@friend.com , but not lover@adultfriend.com. The leftmost character of the entry should not be @ (at) or . (dot) or the entry will not work.

The safest entry to put in the whitelist is the full user@domain.ext but if you communicate with many different people from the same company, you might want to just add domain.ext to your whitelist.

If you want to block an entire domain, you can just add domain.ext to your blacklist.

Some examples of whitelist and blacklist matching

• yourcompany.com
  • dave@marketing.yourcompany.com -- MATCH
  • mike@online.marketing.yourcompany.com -- MATCH
  • sue@yourcompany.com -- MATCH

• marketing.yourcompany.com
  • dave@marketing.yourcompany.com -- MATCH
  • mike@online.marketing.yourcompany.com -- MATCH
  • sue@yourcompany.com -- NO MATCH

• company.com
  • dave@marketing.yourcompany.com -- NO MATCH
  • mike@online.marketing.yourcompany.com -- NO MATCH
  • sue@yourcompany.com -- NO MATCH
  • jenny@theircompany.com -- NO MATCH
  • marketing@company.com -- MATCH

• president@yourcompany.com
  • president@yourcompany.com -- MATCH
  • dave@marketing.yourcompany.com -- NO MATCH
  • mike@online.marketing.yourcompany.com -- NO MATCH
  • sue@yourcompany.com -- NO MATCH

• smith@yourcompany.com
  • smith@yourcompany.com -- MATCH
  • john.smith@yourcompany.com -- MATCH
  • john_smith@yourcompany.com -- NO MATCH
  • suzie@yourcompany.com -- NO MATCH

This section covers questions about using POP to get messages out of SpamCop.

There is general information about POPping out of Spamcop
here http://mail.spamcop.net/members.php#setup
and here http://mail.spamcop.net/setup/setup_pop2.php

And here are a couple more issues that sometimes arise.

Answers in this category:
Eudora doesn't let me enter username separate from server
Netscape version 4 doesn't like the "@" character in my username.

Apparently, old versions of Eudora (near 1.5.2) don't have separate fields for username and server. You are supposed to enter login@popserver.domain.ext and it will separate the username from the server.

If you enter username@mail.spamcop.net, you get a "login failed" message.

If you enter username@spamcop.net, you get a "Could not connect to spamcop.net. Cause: Connection refused (10061)" message.

Use username%spamcop.net@pop.spamcop.net

Enter username%spamcop.net into the username field instead of username@spamcop.net.

(This is allowable in any mail utility, not just Netscape)

Answers in this category:
Why do I keep being logged out with messages about my session expiring?
Why can't I create a folder?
Is Webmail available in a secure version?

Symptom:

You are having problems using webmail such that each time you try and do ANYTHING, you are logged out with a message that your session expired.

Answer:

99% of the time this is a cookie issue. Cookies aren't required to use the SpamCop webmail program. What will cause problems, though, is if you use a cookie blocking program or a "personal firewall" which interferes with cookies. If cookies are accepted by your computer, but not returned, or if your computer sometimes responds with cookies and sometimes does not, it will cause this problem.

Symptom:

When you try to create a new folder you get the following error

"The folder "Testing" was not created. This is what the server said: Invalid mailbox name" 

Answer:

You can only create folders which are subfolders of Inbox or other folders. So, just check the box next to Inbox before you create your new folder and it will work.

Yes. Simply log in to https://webmail.spamcop.net/
Don't forget though - All mail is transmitted insecurely. The SMTP protocol that is used to transport all internet mail is a non-secure protocol. Establishing a secure connection to webmail only ensures that the connection between you and webmail.spamcop.net is encrypted. Everything on the other side of webmail.spamcop.net is still transmitted in cleartext.

Answers in this category:
How do I configure Pine?
Using Eudora 5.x with IMAP and SSL to access SpamCop Mail

Getting Eudora to read SpamCop mail using IMAP is straightforward. Adding Secure Sockets Layer (SSL) encryption requires additional steps.

Here's how to get it all working. There are three basic steps and one optional:

1. Create a Eudora "personality" for accessing SpamCop through IMAP.
2. Configure Eudora SpamCop personality for SSL
3. Get SSL working
   1. Mark mail.spamcop.net certificate as trusted
   2. Download and import Equifax root certificate

Here we go:

1. Create a Eudora personality for IMAP access to SpamCop mail

The first step is to create a "personality" for SpamCop email. In this description, I assume you have Eudora up and running and want to add a "personality" for reading mail on the Spamcop server.

Start Eudora. Select Tools/Personalities to show the list of personalities. Right click on the white space in the list and select New... to start the wizard to create a new personality for accessing SpamCop email.

When the wizard starts, select "Create a brand new email account" and press Next. Enter a personality name, user name, email address (e.g., xxx@spamcop.net), pressing Next as needed. For the login name, enter your full spamcop email address (e.g., xxx@spamcop.net). Set the incoming server to mail.spamcop.net and select IMAP as the protocol. Leave the "location prefix" blank. Set the outgoing server to the SMTP server that you use. Close the wizard when done.

Eudora will ask for the password for your spamcop account. Enter it when it asks. You should now be accessing Spamcop email successfully using IMAP with Eudora 5.x. As the messages pass over the internet from Spamcop's server to you, they are not encrypted. If you would like to use SSL (Secure Sockets Layer which encrypts traffic over the net), proceed to step 2.

2. Configure Eudora SpamCop personality for SSL

The SpamCop IMAP server uses the "alternate port" technique for SSL access. Eudora's default behavior is to use "STARTTLS" on the default IMAP port. You must change Eudora's SSL behavior to use SSL. Here's how:

• Open the personality that you have set up to access SpamCop
• Click on the "Incoming Mail" tab
• Set "Secure Sockets when Receiving" to "Required, Alternate Port"
• Click OK to save the personality properties
• Close and restart Eudora

Now when you refresh the SpamCop mailbox, Eudora should now report that the operation fails. The failure occurs because of a certificate verification problem. Go to step 3 to correct the certificate problem.

Note: I am uncertain this procedure will work with Eudora 5.1. If it does not, set "Secure Sockets when Receiving" to "Never." With that setting, SSL will not be used. (You can also do the same with Eudora 5.2 to disable SSL. You will still be using IMAP, but the email being sent from SpamCop's mail server to you will not be encrypted.

3. Get SSL working

These steps are required to complete SSL configuration when reading mail from the SpamCop IMAP server.

Open the personality property again and go to the "Incoming Mail" tab again. Click on the "Last SSL Info" button. You should see these messages:

Certificate Error: Cert Chain not trusted.

Try adding this certificate to your certificate database for SSL to succeed.

Certificate Error: Unknown and unprovided root certificate.

Click on the "Certificate Information Manager" button. There are now two ways that you can fix this problem: either mark the mail.spamcop.net certificate as trusted, or import the missing root certificate. You need do only one of these two options.

3a. Mark mail.spamcop.net certificate as trusted

With the "Certificate Information Manager" dialogopened, select the server certificate for mail.spamcop.net (this entry will probably already be selected). Click the "Add to Trusted" button, then Done, OK, OK. Enter your password again when prompted.

You should now be able to read SpamCop mail using IMAP and SSL. If you open the personality properties, go to the "incoming mail" tab and click on "Last SSL Info" button, you should see these messages:

Certificate Error: Unknown and unprovided root certificate.

But ignoring this error because Certificate is trusted

At this point, Eudora is working fine using IMAP and SSL to access your Spamcop email.

3b. Download and import Equifax root certificate

The reason "unknown and unprovided root certificate" messages shows up on the "Last SSL Info" screen is that Eudora 5.2 has not included the root certificate for Equifax that the mail.spamcop.net certificate refers to. As an alternative to simply flagging the mail.spamcop.net certificate as trusted, you could provide an Equifax root certificate, and mark it as trusted instead. "Last SSL Info" would then just show "Certificate OK".

If you want to do this, you'll need to get the Equifax root certificate. Browsers are normally responsible for providing the root certificate, so I think supplying the certificate is Eudora's responsibility. However, since Eudora has not supplied the Equifax certificate, SpamCop has placed a copy on the spamcop.net web site.

To install the Equifax root certificate:

• Download https://mail.spamcop.net/eudora/equifaxca.cer and save it on your hard drive
• Open the Properties page for the SpamCop personality you created
• Click on the "incoming mail" tab
• Click on "Last SSL Info"
• Click on "Certificate Information Manager"
• Click on "Import Certificate" and import the Equifax certificate that you downloaded and saved to your hard drive

Thereafter, each time you refresh your Spamcop mailbox, Eudora will be able to find the root certificate and conclude everything was fine.

Having done all of the above, the only difference from just having marked the mail.spamcop.net certificate as trusted is that the "Last SSL Info" message will say the certificate is OK. You never see that message unless you go digging for it.

*Special thanks to Guy Scharf for providing these instructions*

Answers in this category:
How do I deal with my Held Mail?
Why is all my mail being held?
Why did this message get held?
Why didn't this message get held
What happens when I whitelist sender?
How can this kind of message get thru your filter?
Should I bother to report held emails that were blocked?

To report spam that is in your SpamCop Email Service held mail folder, you have four options:

From the SpamCop Reporting System website:

• Click on the "Held Mail" link. This will take you to a page showing a summary of the mail currently in your held mail folder. Alternatively, you can get to this page by clicking of the "Held Mail" link at the top of any page in the Webmail interface.
• Review the mail shown to ensure it is all spam. You can review the contents of an individual email by clicking the "Preview" link beside each summary.
• Place a checkmark beside each piece you want to report as spam
• Select the "action" you wish to take from the drop-down menu
• Click the "Release/Delete" button.

From within Webmail:

There are two ways to report spam from within the webmail interface:

• Go to your Held Mail folder
• Review the mail to ensure it is all spam you wish to report
• Place a checkmark beside each piece of mail you wish to report as spam
• Click the "Report as Spam" link near the top of the page

• Select the "Forward" link and forward the mail to your personal spam submission email address. Be sure you select the "as attachment" option from the drop down menu.

From an IMAP client

• Go to your Held Mail folder
• Select the message you want to report as spam
• Forward the spam AS AN ATTACHMENT to your personal spam submission address
• Alternatively, you can report multiple messages by starting a new email addressed to your personal spam submission address then dragging each mail you are reporting into the body of the new email. This will "attach" each email to the one you are sending.

Look at the full headers of the message

At the bottom of the headers, Spamcop adds it's own stuff. The headers we care about here are X-SpamCop-Checked and X-SpamCop-Disposition

• The LAST IP in the X-SpamCop-Checked list is the one that resulted in the message being held
• If the X-SpamCop-Disposition says "Blocked bl.spamcop.net" then proceed, otherwise you will need to refer to the website for the blocklist (see the bottom of this page for some multi-search pages)
• go to http://spamcop.net/bl.shtml and enter the LAST IP from the list into the lookup box
• from there, you will see information about why that server is blacklisted.

• http://www.dnsstuff.com/
• http://www.openrbl.org/ (seems busy and uses javascript and etc, but it does have a few things such as google searches of news.admin.net-abuse.* )

Yes you should report all held mail that is spam.

Mail held by bl.spamcop.net:
You should report this mail to ensure that the IP addresses STAY on the blocklist, and so that the ISPs who are receiving the reports understand the volume of spam at issue.

Mail held by other lists:
The other lists don't neccessarily email the ISP about the spam, so they might not cancel the spammer's account.

For both of these reasons you should report your held mail. If you do not have time to report it all, prioritize according to what you feel is most annoying or most offensive, or most disturbing.

First: The family plan is for FAMILIES. It is for up to four family members living in the same house.

Right now the process is manual. Basically, the steps are:

1. Create the master account here and pay for it normally.
2. Create the additional accounts here. Go through step one, but don't make any payments (via PayPal).
3. Pay for the additional accounts. You have two choices for this
   • Payment using PayPal
   • Pay by check
   Make sure you include a short note explaining what you're doing and the usernames of all the accounts involved (especially the "master" account).
4. Send an email to service@cesmail.net stating that you just paid for additional family members, which payment method you used (don't include credit card numbers, just say PayPal or Check), what your master account name is, and what the family account names are.
5. When I get your payment, I'll activate all the accounts. This will generally be the same day as I'm always around.

Answers in this category:
Payment using PayPal
Pay by check

Make your check out to Corporate Email Services, and send it to

  Corporate Email Services
  1032 Old Peachtree Rd.
  Suite 401-145
  Lawrenceville, GA 30043
  US 

Make sure that you include a note that has the name of the master account, and all the additional accounts. Write the check out for $15US for each additional account.

You will be able to keep using your existing email address and the email program you use today, assuming your email provider lets you forward your email to another address.

Take a look at http://mail.spamcop.net/setup/setup.php for more information on how to set up SpamCop mail filtering.

1. Login to SpamCop Webmail
2. Select Options
3. Click SpamCop Tools
4. Choose Select your email forwarding, change your password or mail reports.

Your renewal date is listed near the top of that page.

You should first check theTips from Newsgroups page, which has some very useful information on it (but sometimes it is a little out of date)

Secondly, the main source for quick help is the SpamCop Email Forum

A third place to get assistance in the SpamCop Mail Newsgroup
(Warning! - This link will open your news reader, add the SpamCop news server and add the spamcop.mail newsgroup.)

We hear this occasionally. Here is how to test your setup if you're not receiving any email.

Send a test email

First, send an email directly to your spamcop.net email address. Then, login to webmail or use your regular email program to see if it shows up. If it does, that shows that we're receiving email and your account is currently capable of receiving email.

SpamCop POPs mail from your ISP

If we POP your mail for you, login to webmail and go to your POP settings. Are your POP accounts listed as having zero errors? If not, there should be a clue here as to why we are unable to POP your mail any more.

Your ISP forwards mail to Spamcop

If you forward your email from another address to SpamCop, ask the internet provider that forwards your email what is going on. Most of the time, we find that there is an error or problem at the forwarding provider. Any decent mail provider will have detailed logs of the deliveries that they attempt and what happened. Without these logs, there is very little that we can do. If your forwarding provider doesn't even try to deliver the email, we obviously cannot receive it.

Some ISP's might be hard to deal with or refuse to provide logs. Please remember that we are the last in a chain of computers which handles your email. If a computer earlier breaks the chain, we'll never receive your email. Email logs are like package tracking. If they won't help, you ought to consider using a different ISP to handle your email.

SpamCop forwards mail to destination address

Several times we have had questions about missing mail where our system is configured to forward email to another computer system. In all of these cases, we are able to provide logs showing the exact time of the delivery and the return status code that the distant ISP gave us. If we hand your mail to your ISP and they lose it, again there's nothing we can do. If your ISP is unreachable, your email will be stored here and again, we'll have logs of all of this and will be glad to provide them to you so you can work with your ISP to correct the situation.

Multiple email programs (Mail User Agents [MUA]) running

We have had reports in the past of missing mail where the user has later discovered that they left an email program running at the office or at home. That other program was downloading and removing all of the email and storing it locally on that computer. When the user checked mail at one location, they didn't see any because it had all been downloaded already to the other location. So, make sure you don't leave your email program running if you need to read your email somewhere else.

Your server is blacklisted

Occasionally, a user ends up with their own mailserver on the SpamCop blacklist. This causes all of their email to be held. Check your Held Mail to see if all of your email is there for some reason.

If you still are not receiving mail

Finally, our system is engineered to be extremely robust. No mail is ever deleted by our system until is has been verified to be delivered to the next location. Every time this issue comes up, it turns out that the problem is somewhere else, usually another ISP that is having temporary problems and fails to forward email for a while. We will be glad to work with you, but we need the following information:

• The exact date, time, and timezone you sent a test message directly to your spamcop.net account.
• The exact date, time, and timezone you sent a test message to another account which forwards to your spamcop.net account (if applicable).
• Logs from your forwarding ISP showing that they either delivered a message which never showed up or that they received an error when attempting to deliver a message (if applicable).
• Your spamcop.net username and the email address that you use which forwards to your spamcop.net account (if applicable).

Please help support this service!
If you use the list and like it, please give some money to help keep it alive.

Pick your mailserver software for information on how to properly configure it. If your software isn't included in this list, a comprehensive list is available at http://www.us.sorbs.net/using.shtml. Substitute or add "bl.spamcop.net" where applicable. The response code from the SpamCop server to indicate a queried IP is listed is 127.0.0.2

We recommend that when using any spam filtering method, users be given access to the filtered mail - don't block the mail as documented here, but store it in a separate mailbox. Or tag it and provide users documentation so that they can filter based on the tags in their own MUA. We provide this information only for administrators who cannot use a more subtle approach for whatever reason.

If you don't control your mailserver configuration or prefer to have more granular control over what is blocked, please see the faq section How can I use the blocklist without mailserver configuration?

To turn on blanketed RLB checking with iPlanet Messaging 5.0+, modify the dispatcher.cnf file, adding a DNS_VERIFY_DOMAIN option.

Note there are other ways to do this with iPlanet Messaging, but this is the quickest and easiest. The disadvantage of this simpler approach is that it does the checks for all normal incoming SMTP messages including those from internal users. An alternative is to call out to dns_verify from a PORT_ACCESS mapping table or ORIG_MAIL_ACCESS mapping table. (See the iPlanet Messaging Reference Manual for additional details).

Here is an example of the iPlanet Messaging dispatcher.cnf file which is located in /msg-/imta/conf/dispatcher.cnf

[SERVICE=SMTP]
PORT=25
! turn on RBL checking (uncomment the ones you want to check.  Note there is
! a limit of 3 sources)
!
DNS_VERIFY_DOMAIN=inputs.orbz.org
DNS_VERIFY_DOMAIN=bl.spamcop.net
!DNS_VERIFY_DOMAIN=outputs.orbz.org
!DNS_VERIFY_DOMAIN=relays.ordb.org
!DNS_VERIFY_DOMAIN=orbs.dorkslayers.com
!DNS_VERIFY_DOMAIN=dev.null.dk
!DNS_VERIFY_DOMAIN=relays.osirusoft.com
!DNS_VERIFY_DOMAIN=relays.visi.com
!DNS_VERIFY_DOMAIN=rbl.maps.vix.com       (same as ENABLE_RBL=1)

If you wish the MTA to log such rejections, the 24th bit of the Dispatcher debugging DEBUG option can be set (DEBUG=16%1000000) to cause logging of the rejections to the dispatcher.log file. Log entries take the following form:

access_control: host a.b.c.d found on DNS list and rejected

Unless otherwise specified, the default dispatcher.log* file would be located in /msg-/log/imta/dispatcher.log*

A sample of what is contained when a perp is identified looks like this:

10:42:54.08 (   4): access_control: host
(25.364) 154.235.170.64.inputs.orbz.org found on DNS list
(25.364) and rejected (500 5.7.1 Open relay input.  See
(25.364) http://orbz.org/?64.170.235.154)
(25.364) 10:42:54.08 (   4): app_listen(SMTP/25): conn REJECTED from
(25.364) 64.170.235.154, descr=19
(25.364) 10:43:24.37 (   4): access_control: host
(25.365) 119.151.242.216.bl.spamcop.net found on DNS list
(25.365) and rejected (500 5.7.1 Blocked - see
(25.365) http://spamcop.net/bl.shtml?216.242.151.119)
(25.365) 10:43:24.37 (   4): app_listen(SMTP/25): conn REJECTED from
(25.365) 216.242.151.119, descr=18
(25.365)

Before the connection is closed with the perp, they see the following:

500 5.7.1 access_control: host 216.242.151.119 found on DNS list and rejected

To make your changes to the dispatcher.cnf take effect, do an imsimta restart with the following command:

# /msg-/imsimta restart

Now check your dispatcher.log* file for rejected connections if you turned on logging. That's it!

Another user has provided his setup file which uses various blocking lists, including MAPS RBL+. This can be viewed at Chad's personal mappings file

1. Add the following line to your config.m4
   FEATURE(`dnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}')dnl
   Or for later versions:
   FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
2. Re-compile your sendmail.cf from the config.m4
3. Re-start sendmail

Some problems have been found with later versions of Sendmail.

The easiest fix may be to use the second method above, enhdnsblk instead of dnsbl.

SpamCop uses 'rbldns' to serve it's blacklist information. Rbldns does not yet have support for IPv6, but newer versions of sendmail (8.12.0 and greater) try IPv6 before IPv4. Sendmail asks for an AAAA record instead of an A record and SpamCop rejectes the query - resulting in spam slipping through the filters.

It appears rbldns developers are working on a fix for this, but the current version (1.05) still does not have support for AAAA records (and it handles them incorrectly even though it dosn't support them). Until rbldns releases a version which fixes this problem, a patch for sendmail should be found.

For sendmail versions after 8.12.1, adding this to the config.m4 file should solve the problem:
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')dnl

Another fix which has been suggested is to modify the "Kdnsbl" line of the raw sendmail.cf file:
Kdnsbl dns -R A -T

An rbldns developer has this to say, implying that sendmail, and not rbldns is really to blame for this incompatibility:

I looked at the code and tried some experiments -- rbldns sends back a REFUSED code for AAAA queries.

It's hard for me to imagine a mindset that would consider the current behavior to be wrong. I suppose maybe it wants an NXDOMAIN error instead.

1. Get the current 'tcpserver' sources from http://cr.yp.to/ucspi-tcp.html and follow the instructions on the site for setting up Qmail to work with 'tcpserver'. Most Qmail sites will probably have already done so although older sites may have to upgrade their 'tcpserver' to version 0.88 containing 'rblsmtpd' support.
2. Add "rblsmtpd -r bl.spamcop.net" to the startup arguments for 'tcpserver'. You can also run multiple DNSBLs by adding more "-r" args to it, i.e. "rblsmtpd -r bl.spamcop.net -r relays.ordb.org".
3. restart the mail server.

smtpd_recipient_restrictions =

reject_invalid_hostname,

reject_non_fqdn_sender,

reject_non_fqdn_recipient,

reject_unknown_sender_domain,

reject_unknown_recipient_domain,

reject_unauth_pipelining,

permit_mynetworks,

reject_unauth_destination,

reject_rbl_client bl.spamcop.net

permit

Another example using several BL's is available at http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

Martijn Jongen has provided a plugin for Exchange: ORFilter

GFI MailSecurity is another option for Exchange users.

Vamsoft Open Relay Filter is another commercial option for Exchange 2000 users.

(Third party software is not supported by SpamCop)

For Exchange 2003:

Make sure you install SP2 first, as it contains some important updates for Intelligent Message Filtering.

• Display Name: spamcop
• DNS Suffix: bl.spamcop.net

1. Go into "Settings, Protection, Blacklisted IP Addresses"
2. Add "bl.spamcop.net" into the form field, under "Use Blacklisting DNS Servers (RBLs)"
3. Click Update
4. Check the box which says "Use Blacklisting DNS Servers (RBLs)"
5. Click Update

Note#1 : This can be used with SIMS v1.7 or above, though it's strongly recommended to get at least 1.8b8 from ftp://ftp.stalker.com/ -- it's stable, and has numerous additional features. This FAQ is written for 1.8b8 or above.

Note #2: This assumes one is using the HTTP administrative interface, rather than connecting with CommuniGator.

Step #1: Log into your SIMS mailserver with an account with administrative priviliges (usually postmaster).

Step #2: Select the "SMTP" tab from the left menu.

Step #3: Select the "RBL Server List" link in the bottom right.

Step #4: Enter bl.spamcop.net "See http://spamcop.net/bl.shtml" into the text field, and push "Update". (Notes in quotation marks are included in the bounce message and can be customized to each server. I've included a suggested wording.)

Step #5: Select the "SMTP" tab again from the left menu.

Step #6: Tick the "Use Blacklist DNS Server(s)" option in the bottom-center, and click "Update".

You're done!

Thanks to Pete Stephenson for these instructions.

1. Go into "acl_check_rcpt:"
2. Add:
   deny message = DNSBL listed at $dnslist_domain\n$dnslist_text
   dnslists = sbl.spamhaus.org:bl.spamcop.net:cbl.abuseat.org

The 'message' is what's sent in the SMTP error message to the client, and the
'dnslists' field is a colon seperated list of DNSBL zones.

Many spam filtering systems automatically use the SpamCop blocklist as part of a larger scheme. SpamCop does not review or garantee these third party products.

One very effective and well-known filter is Spam Assassin; an open-source perl scoring system. Spam Assassin can be installed on unix-based systems in either system-wide or in "user land". It is highly configurable.

Important Disclaimers:

This description is subject to change and may be out of date.

The description that follows is complex. It is an attempt to explain accurately and in detail the SpamCop Blocking List (SCBL), specifically the SCBL rules and how the SCBL decides to list an IP address. SpamCop provides this description so that email senders and recipients will understand better how and why email is refused, blocked or filtered. We intentionally omit the description of certain processes in order to make it more difficult for senders of spam to evade or "game" the SCBL.

• The SCBL is an aggressive spam-fighting tool. By using this list, you can block a lot of spam, but you also may block or filter wanted email. Because of this limitation, one should strongly consider using the SCBL as part of a scoring system and explicitly whitelist wanted email senders (e.g., mailing lists and other IPs from which you want to receive email).
• With any spam filtering system, you should consider keeping suspected spam so that it can be retrieved. Doing so will prevent bounces from your system hitting innocent third parties.
• New users of the SCBL should read the description below and all other documentation carefully before deciding to use the SCBL.

What is the SCBL?

The SCBL is a list of IP addresses which have transmitted reported email to SpamCop users, which in turn is used to block and filter unwanted email. The SCBL is a fast and automatic list of sites sending reported mail, with a number of report sources, including automated reports and SpamCop user submissions. The SCBL also quickly and automatically delists these sites when reports stop.

The SCBL aims to block spam with minimal blocking or misidentification of wanted email. Given the power of the SCBL, SpamCop encourages users to also actively maintain a whitelist of wanted senders of email. SpamCop also encourages SCBL users to tag and divert email, rather than block it outright. In the end, most SCBL users find that the amount of unwanted email successfully filtered makes the risks and additional efforts worthwhile.

Important Definitions

• Reported Email. Mail reported as spam by SpamCop users will be referred to as "reported email" or "reports" throughout this document. The SpamCop reporting tool cannot determine if email reported by users is or is not spam; it can only parse and report email which users give it. SpamCop users can and do make mistakes.
• Spamtrap Reports. SpamCop reports generated as a result of mail sent to non-existent email addresses ("spamtraps") set up by SpamCop.
• Spamtraps. Non-existent email addresses set up by SpamCop to definitively identify spam. As SpamCop never used these email addresses to signup for a mailing list or purchase an item, for example, SpamCop knows spammers harvested the emails for their mailing lists.
• Reputation Points. Part of a scoring system SpamCop uses to weight reported email. A mail sender receives a reputation point for each SCBL query that is not reported as spam.
• Open Proxy. Systems that accept connections from any network address, acting as a blind intermediary to virtually any other network addresses. A growing source of spam, as the anonymous nature of the transaction makes it difficult to track the source of email.
• Open Relays. Typically refers to an e-mail server (SMTP server) that is configured to deliver any incoming mail to another mail server. In the past, open relays (open relay servers) were common, but today, most e-mail servers block all e-mail that does not originate with the customers of the service or employees of the company.
• Whitelist. A list of mailservers from which one expects, wants or needs to receive email. Marking these email senders in one's whitelist exempts these IP addresses from blocking and/or filtering.

How the SCBL Works

The SCBL is a list of IP addresses which have transmitted reported email to SpamCop users. The sending system can be a direct email source (such as a site's primary mail server) or an indirect source (such as an open proxy or open relay that has been abused to send spam). The SCBL weights the number of reports referencing an IP against a sample of the total amount of email sent by that IP. This method is not perfect. For example, some IPs which send a significant amount of reported mail may rarely or never be listed in the SCBL because those IPs also send a lot of non-reported mail.

SpamCop uses a number of report sources, including SpamCop users, spamtraps and websites that use the SCBL. Spamtraps are email addresses that spammers have harvested or created, but the owner of these email addresses never used them to receive wanted email or to subscribe intentionally to mailing lists. SpamCop also monitors queries from a sample of sites that use the SCBL. SCBL users query the SCBL servers during every SMTP transaction. We count the total number of queries for each IP address and whether or not that IP address appears on the SCBL, to generate an estimate of how much email is transmitted by each IP. When a sampled site queries the SCBL about an IP address sending mail which is not reported mail, that host is given a reputation point.

Most of the sites SpamCop monitors send either mostly reported email or mostly non-reported email. The difficult part is deciding what to do with ones in the middle. These few systems account for the most email.

Some blocking lists block mail from misconfigured or insecure servers (such as open proxies or open relays), or from certain classes of machines (such as machines with dynamically-assigned IP addresses). The SCBL does not consider these characteristics. Instead, the SCBL lists only IP addresses of machines that are sending reported email. As a result, IP addresses which do not host a misconfigured or insecure server, but do send reported mail, may be listed. An insecure machine that has never been abused would not be listed.

Timeliness is key to the SCBL's value. The automated queries results in fast listing of spam, which increases the accuracy of the SCBL. Also, without any additional reports, a reported address stays on the SCBL for only 24 hours. This limits the amount of damage if users make a mistake and report legitimate mail using SpamCop.

SCBL Rules

The system currently operates based on these rules:

• SCBL lists IP addresses with a large number of reports relative to reputation points. The SpamCop team manually balances the threshold in an effort to make the list as accurate as possible.
• The SCBL weights reports depending on how recently the mail was received (or "freshness"):
  • The SCBL counts the most recently received reports 4:1.
  • The SCBL counts reports for email 48 hours and older 1:1, with a linear sliding scale between the most recent and 48 hours past.
  • The SCBL ignores reports for email received more than one week ago.
• The SCBL uses Spamtrap reports to weight total reports. For spamtrap scores less than 6, the SCBL multiplies by 5 the quantity of spamtrap reports and adds this to the report score. For larger spamtrap scores, the SCBL squares the quantity. Examples:
  • If an IP address has 2 spamtrap reports and 3 SpamCop user-reported reports, its weighted score is 13: (2 * 5) + 3 = 13.
  • If a host has 7 spamtrap reports and 3 manual reports, its weighted score is 52: (7 * 7) + 3 = 52.
• The SCBL does not count reports regarding URLs or addresses in the body of the email. Therefore, the SCBL does not list websites or email addresses used to receive replies in reported email, unless that IP is also used to send the mail.
• The SCBL will not list an IP address with only one report filed.
• With only two reports against an IP address, the SCBL will list the IP address for a maximum of 12 hours after the most recent reported mail was sent.
• The SCBL will not list an IP address if there are no reports against it within 24 hours.
• If a server sends bounces to an SCBL spamtrap in sufficient quantity to meet the listing criteria, the SCBL will list that server. This situation results as some mailservers do not reject mail during the SMTP transaction, but rather accept the mail and then send a bounce message later. (These servers usually run qmail or postfix). Viruses and spam often contain a forged From: line. If email is rejected or blocked during the SMTP transaction, the bounce will go to the connecting IP. If the bounce comes after the mail is accepted for delivery, then the bounce will go to the address in the From: field. Viruses and spam often use addresses from the list of recipients to populate the From: field. Sometimes, these addresses are spamtraps.

This FAQ is designed to assist end users who have received an email delivery failure notification (bounce) citing the SpamCop Blocking List as the reason.

• The bounce message should contain the name of the blocking list and the IP address being rejected. If the IP address is not included in the bounce message, please contact your mail service provider.
• You send mail through your ISP or hosting company: the listed IP is the ISP/host mail server. The ISP must solve the problem that caused the listing. Send the bounce message to them and ask them to contact SpamCop if assistance is required.
• If the IP shown in the bounce message is the one assigned to your computer by your ISP: your computer/network/LAN is insecure. A PC may be infected; a proxy may be insecure; a script may be insecure or your mailserver may not be set up correctly. Once you find and remove the source of the spam your IP will automatically delist after 24 hours with no new reports. Your ISP has probably received reports concerning the spam activity; get in touch with them for more information.
• Additional information on virus infections and other causes for spam to be sent from your IP:
• Viruses may disable Antivirus (AV) programs or your AV definitions may not be up-to-date or may not have caught the virus. If your computer is on a home/office network behind a NAT router, it could be any computer on your network that is infected. The NAT router does not prevent the mailers from sending spam, or the "call home" function of many backdoor trojans.
• It is not required that you open an email attachment to be infected. Downloader trojans are found on many malicious websites or even hidden in images received in email. Simply visiting such a site or viewing an image could cause your computer to be infected.

If the bounce message includes your IP, you should:

• Scan your computer with an AV program different from the one you normally use. All major AV companies provide free online virus scanning. One can be found at Trend Micro
• Make sure all your software, including your operating system and third-party programs are fully patched and up-to-date. In particular, a lot of malicious malware is pushed through media files, taking advantage of known exploits in Windows Media Player, WinAmp and others. If you don't have your software set for automatic updating, make it a habit to check for patches, updates and upgrades at least once per week.

• Run at least two spyware removal tools on your computer. Spyware tools are very effective at finding and removing these malicious programs. Spyware removal tools are available for free download from:
  • Spybot Search & Destroy
  • Ad-Aware Personal
  • HijackThis

  If your use HijackThis, you should run the resulting log through a helper site such as Network Techs

This is not an endorsement of the above products or sites. Many other security tools are available for free or low cost and work just as well or better. These tools are suggested because they are among the better known products on the Internet. Be careful though as many lesser known spyware products are rogue or of dubious value. See Spyware Warrior

Sometimes these viruses will alter/add so many files and registry keys that recovery is just not possible or causes longterm instability (frequent crashes) of your computer. When this happens, reformatting your harddrive and re-installing your operating system is the only solution.

This FAQ is for network and server administrators. If you are an end-user whose email is being rejected and you're getting delivery failure notices that cite SpamCop as the reason, please go here for information about what to do.

Dispute Resolutions

IPs are listed when our users and spamtraps receive spam from the IP and the amount of spam meets the listing criteria. See blocklist criteria

A common cause of an IP being listed is a worm/virus/trojan compromised PC on your network sending spam. It may have its own virus installed SMTP engine and be sending direct-to-mx or it may be smarthosting through your mail server. A virus may have installed a proxy or a spammer may be exploiting an existing proxy or cache installed on your server.

Other exploits include insecure cgi/php scripts, SMTP/AUTH name/password hacks and incorrect settings on your server. Misdirected bounces and autoresponders may be sending to the forged "from" addresses in spam inbound to your system.

How to alert SpamCop about an SCBL error

• Please do not write us to tell us that you have fixed the problem and ask for early delisting. The IP will delist automatically within 24 hours, if there are no new reports
• We will attempt to answer your mail. However, we may not respond if you are not the admin of the listed IP or you are asking for early delisting
• IPs are automatically delisted after 24 hours with no new spam reports. You can check to see the time to delisting here. If you see the IP will be delisted in "0" time, that means it has entered into the delisting process. It may take up to 4 hours for the delist to fully propagate to our mirrors and bl users
• The SpamCop blocklist lists only IPs that are sending spam; the blocklist does not list email addresses or domain names. It does not list for missing or incorrect DNS/rDNS
• If you are the administrator of the listed IP and you do not know why you are listed, please start here to ask us about the listing. Include a description of your relationship to the IP, your name and title and write from your postmaster@ or abuse@ or other role account address. We will provide as much information as we can. Please allow up to one day for a response
• If you have received a SpamCop report you are challenging, please use this form to contact us. Include the complete subject line from the report, describe the reason you are disputing the report, any supporting documentation, your name and your title
• We can resolve an issue faster if we do not have to ask for additional information. We generally do not need information like copies of whois records, traceroutes, logs, etc. If there is a need to show us a large file, please put it on a webserver and send us the URL for the file
• We do not answer mail with profanities or threats. If you threaten legal action, we will have to refer your email to our legal department, which will delay any action we might otherwise have taken
• Please do not ask us to make exceptions to our posted policies

Reasons to ask for a SCBL listing to be reviewed

There are two main reasons to ask us to review an IP that has been listed:

• Technical Errors: a malfunction on the part of a SpamCop server or program that causes an IP to be listed in error. Tell us concisely why the listing should be removed
• User Error: occurs when a user mistakenly reports mail that is not spam. When asking us to review a user error, please provide us with any information that will help us determine the mail should not have been reported.

  This information should include the record of the user's closed-loop confirmation (also known as "double opt-in"). SpamCop may or may not consider other forms of evidence, at the sole discretion of the SCBL staff.

NO WARRANTY OR LIABILITY: By using the SCBL, or any information contained on the SpamCop website, you acknowledge and agree that the SCBL is provided "as is", SpamCop does not guarantee the effectiveness or results of the SCBL or any other service or product provided by SpamCop, and any and all warranties, implied or otherwise, are expressly excluded. In no event shall SpamCop, or its parent, subsidiaries or licensors, be liable to you or any third party for any direct, indirect, special, incidental, exemplary or consequential damages of any kind arising out of or in connection with your use of the SCBL or the SpamCop website, however caused and on any theory of liability.

As the blocklist matures and I never get around to working on billing/authentication solutions, I decided to simply accept donations. If you use the blocklist and like it, please feel free to make a donation using the link below.

Any amount would be appreciated.

Checks are also accepted

Note: This method is only for customers willing to pay for direct access to the blocklist. If you want information on using the blocklist in the normal, casual way see the How do I configure my mailserver FAQ.

The SCBL is a constantly changing real-time list. Therefore, downloading the whole list (doing a "zone transfer") is not as effective at blocking spam unless it is done every minute. Downloading it every minute would be very inefficient.

For this reason, we provide a more efficient option of running a mirrored server through transfer using rsync and ssh. You have the option of the mirror server being public or private as described below. rsync access is provided free of charge to sites willing to host a public mirror of the BL.

Private Mirror BL Server

The bad news is that we charge $1000 per year per server for this service. To pay for private mirror access, make a $1000 payment through PayPal:
.
Be sure to include the email address you will be contacting us from in your PayPal payment to assist us in matching the payment to you.

First, create a new user and an ssh key:
useradd -G nobody bl
mkdir /home/bl
chown bl.nobody /home/bl
su - bl
ssh-keygen -t dsa -N "" -f ~/.ssh/id_dsa
cat ~/.ssh/id_dsa.pub

Now, send us us the key. Include your Paypal receipt number and username so we can match the payment on our end.

Once you have been authorized to retrieve the blocklist, retrieve it once manually, accepting the host key from SpamCop (if it matches):
rsync -e ssh -L bl@blrsync.spamcop.net:bl.data ~/bl.data

Or if you prefer to fetch the data in rbldnsd format: rsync -e ssh -L bl@blrsync.spamcop.net:rbldnsdbl.data ~/rbldnsdbl.data

You should see:
DSA key fingerprint is b3:5f:4c:db:38:d5:4d:25:62:e6:c5:5d:9e:96:58:ba.
or
RSA key fingerprint is 18:aa:95:36:18:39:d3:0d:6c:e4:fb:5a:99:cc:16:ba.

If you do, answer yes. If you do not (very unlikely), abort!

You should now have an initial bl.data file in the user's home directory.

Now configure a cron to rsync this file every minute:

As bl user:
crontab -e

Add to file:
* * * * * rsync -e ssh -L bl@blrsync.spamcop.net:bl.data ~/bl.data

Now, you will have a constantly-updated mirror of the SpamCop blocklist file You can do with it what you like (except share it with others). Ask to be added to the mailing list for mirror operators. Critical updates will be sent to this list when access information changes. Also monitor the cron output for errors (redirect bl's email to an address you read). You may get a few failure errors when Internet connectivity is congested or down. This is normal (the whole point of running a mirror).

One possible use is to republish it internally using the same software SpamCop uses, rbldns.

Here are some very brief instructions on setting up rbldns. For more detailed information, please see D.J. Bernstein's documentation.

# install rbldns and set up a cron which runs as the "bl" user:
# first daemontools from: http://cr.yp.to/daemontools/install.html
# (as root)
mkdir /package
chmod 1755 /package
cd /package
wget http://cr.yp.to/daemontools/daemontools-0.76.tar.gz
tar -xvzf daemontools-0.76.tar.gz
cd admin/daemontools-0.76/
package/install
package/run.rclocal
# tail /etc/rc.local for startup command instead of rebooting.
# next, djbdns from http://cr.yp.to/djbdns/install.html
cd /usr/src
wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
tar -xvzf djbdns-1.05.tar.gz
cd djbdns-1.05
make
make setup check
rbldns-conf bl bl /var/rbldns YOURIPADDR spamcopbl.YOURDOMAIN.TLD
chown -R bl.nobody /var/rbldns/root/
rm /var/rbldns/root/data ln -s ~bl/bl.data /var/rbldns/root/data
ln -s /var/rbldns /service

Now, edit your cron, add "; make -C /var/rbldns/root > /dev/null" to the every-minute cron, so that it will rebuild the rbldns data file after every sync. Make sure data.cdb remains up-to-date. You should now have a working DNS mirror of the SpamCop data under spamcopbl.YOURDOMAIN.TLD. You will need to set up NS records pointing to YOURIPADDR for spamcopbl.YOURDOMAIN.TLD.

Public Mirror BL Server

Free mirror service is provided to sites who are willing to host a public mirror (serving data to other free users).

To host a public mirror we require:

• Dedicated Intel PIII or better box running FreeBSD;
• Root access to the server;
• Minimum 1Mbit/sec sustained bandwidth;
• Reliable network and power configuration.

If you are interested, please contact us with a brief description of your network and the server. We will configure and maintain it with the software needed to provide the SpamCop blocklist service. Cable modem or xDSL connections are not sufficient.

If you want to use the list manually, or from custom software, you should instruct your system to do a dns query for the information. For example, if you want to check if 1.2.3.4 is on the blacklist, you might type this at the command-line:

nslookup 4.3.2.1.bl.spamcop.net

If you get back an IP address (typically 127.0.0.2), then the IP you asked about is listed. If you get back a non-existant message, then the IP you asked about is not listed.

"nslookup" is just the most common method for looking up a hostname. Your system may have another name for it. Other common names are "host" and "dig".

Alternatively, you can look up an IP address on the web lookup form .

Each SCBL page includes a "listing history" for the IP address being looked up. The history contains the date and time of all listing and delisting for that IP address for the last 30 days, regardless of whether the listing was valid or mistaken. There is no indication in the history whether the listing was valid or mistaken, timed off or was a manual delisting.

One also has to remember that IP addresses change hands. Many ISPs assign IP addresses to customers dynamically, so addresses are changing all the time. Customers with fixed addresses may also be moved between addresses, and complete blocks of IP addresses may be reassigned, so that users end up with IP addresses that have a listing history they have nothing to do with.

The listing history is just that, a history. The current user of an IP address should not be considered a spammer just because there are previous listings shown for their IP. The listing could have been directed at a different person, a different company or the result of a mistaken report by a SpamCop user.

The SpamCop Blocking List history should be used as a small item of interest in a larger investigation which includes, but is not limited to, lookups at spamhaus.org, spews.org, the usenet group(s) news.admin.net-abuse.* and other forums, maillists, publicly accessible blocklists and search engine results.

ATT's business networks DNS department has decided to block DNS requests for the SpamCop blocking list, as well as other popular DNS-based lists, because of the extra load on their servers.

They do however provide a workaround for their customers. If you are an ATT business customer, you can contact ATT for information on secondary DNS servers which don't prevent the use of DNS-based lists.

Visit ATT's DNS page or call 888-613-6330 (option 3,1) for more details. You will be asked to prove you are an ATT business customer.

How can I get help? How can I report a bug? How can I suggest a feature?

What are the rules for posting to the forum?

May I create a link to SpamCop from my site?

Can I get a copy of the source code for SpamCop?

What is SpamCop's history?

Why did I get a spam promoting SpamCop?

What are some general tips for responding to questions in the forum?

Adding items to the FAQ

Features and Bugs

Non-SpamCop information
How can I make a donation?
Can I advertise on SpamCop?
SpamCop Policies and Disclaimers
How can I contact a SpamCop representative?

1. If you are referring to a problem with a particular spam, please be sure to include the tracking URL in your post. SpamCop dispenses a new, unique, tracking URL every time you submit a spam. Some people collect them.
2. DO NOT post the headers or the output from SpamCop. Just the tracking URL. Posts which include the actual spam message will be deleted without comment.
3. Normal netiquette and common sense rules also apply.

Everyone is encouraged to post. No question is too dumb. The forum is a place for new users to learn as well as a place for feedback. Expert users are often happy to answer questions about SpamCop or just spam in general.

Here's the HTML to do it:

<a href="http://spamcop.net/"><img
  src="http://spamcop.net/images/spamcop.gif"
  width=90 height=30 border=0
  alt="SpamCop.net - Spam reporting for the masses"></a>

Here's how it will look:

There are four different designs to choose from:

http://spamcop.net/images/minibutton1.gif :

http://spamcop.net/images/minibutton2.gif :

http://spamcop.net/images/minibutton3.gif :

http://spamcop.net/images/minibutton4.gif:

And a full-sized banner ad:

<a href="http://spamcop.net/"><img
  src="http://spamcop.net/images/sc_bannerad.gif"
  width=469 height=60 border=0
  alt="SpamCop.net - Free spam reporting - Filtering - Information"></a>

Note, there are no spaces between the a, img and /a tags. This keeps some browsers from displaying little _ characters before/after the image.

You are encouraged to download a copy of the .gif and serve it from your own site rather than loading it from mine.

The SpamCop Reporting and Blocking List services are owned by Cisco Ironport Systems, LLC. The SpamCop Filtered Mail Service is owned by Corporate Email Services (CESMail).

SpamCop is the premier web-based service for reporting and blocking spam, founded in 1998 by Julian Haight. SpamCop processes over one million spam complaints a day and is supported by hundreds of thousands of users, a knowledgeable volunteer community, and a professional staff. SpamCop streamlines the process of determining the origin of spam emails and reporting them to the relevant Internet service providers. SpamCop offers both free and premium reporting services.

As of June 2003, SpamCop is a wholly-owned subsidiary of IronPort Systems, Inc, the leading email infrastructure products and services company.

SpamCop's wide range of spam reporting and filtering services aims to eliminate spam at its source.

Spam reporting

SpamCop offers free and premium reporting services to report spam quickly and accurately. SpamCop reporting streamlines the process of determining the origin of spam emails and reporting them to the relevant Internet service providers. In addition to providing direct feedback to Internet service providers, SpamCop reports fuel the SpamCop blocking list.

Filtered email

SpamCop offers full featured email accounts with unlimited spam reporting. Based around easy-to-use webmail, SpamCop email supports advanced features like IMAP and configurable blocking lists. Only $30/year.

DNS-based SpamCop Blocking List

The SpamCop Blocking List offers service providers and other email administrators an automated tool to filter out aggressively spam from an email network. Used with existing email servers, the SpamCop Blocking List is automated and time-based, allowing administrators to quickly and accurately filter reported spam.

Because SpamCop is a big thorn in spammers' sides, they will often try to cause trouble by sending out spam that appears to be from SpamCop, but which is actually not. Because most of an email can be forged (including who it is "from"), spammers can send email from addresses @spamcop.net in an attempt to discredit us.

However, now that you are here, you can look around and learn what you can do to stop these low-lifes from invading your inbox with their junk - or not. In either case, it is usually not a good idea to reply to spam directly. Spammers use these replies to confirm that your address is real, not to remove you as they claim. There are many resources available to help you fight spam, and SpamCop is just one. There are links from this FAQ to other sites that help you learn about all the issues involved and what you should/should not do about spam.

Common lies told about SpamCop:

SpamCop helps spammers

Some spammers claim SpamCop has helped them by disclosing user information (so-called 'listwashing'). This is not the case. SpamCop's user information is never shared, nor has it been stolen.

SpamCop will shut down your web site

Although SpamCop does file complaints with ISPs, we do not make ultimatums, nor are we directly responsible for terminating anyone's website. This is what a legitimate SpamCop report looks like.

SpamCop costs money

While there are two levels of pay service which allows total control of your inbox or access to advanced features, the basic spam-reporting service is (and always has been) free.

SpamCop offers a spam bounty

If you use SpamCop for filtering and spam slips past the filters, you may certainly report the problem. However, SpamCop does not offer money for spam.

You should telephone SpamCop

SpamCop reports do not include a phone number. Calling the phone number listed in fake reports will only serve the spammer's purpose - harrassment of those associated with SpamCop.

SpamCop can unsubscribe you

SpamCop can help you report spam to the ISP of the spammer. SpamCop is not intended for direct contact with the sender of the spam you receive - to be unsubscribed or for any other reason.

1. Focus on the issue not the person.
2. Focus on the complaint, not some perceived attitude.
3. Don't go looking for a fight.
4. If someone is excited, or you feel they are ranting, listen carefully. Encourage them to talk and to tell the whole story. (Avoid telling them how to talk. Avoid changing the topic.)
5. Don't respond to complaints about your organization's alleged failings with the allegations of failings of the other party.
6. Don't ridicule the other person (or the other person's company, country, race, or religion).
7. Don't assume that a mistake or misunderstanding is the result of malice.
8. Use dictionary English or proper technical English, not euphemisms and slang, when speaking with people for whom English is obviously a second language. This is especially vital when:
   • you are representing the organization that initiated the conversation,
   • the other party is in a country where English is not an official language,
   • and if your organization is even merely being PERCEIVED as having sent a THREAT. (New people, caps are okay for occasional emphasis.)
9. Don't expect the other person to translate 5,000 words of foreign language documents before looking for personal help.

So the Commissioner of Spam is working on the next version of SpamCop. New features may include:

There is a wealth of information on bills relating to spam at the website of the Coalition Against Unsolicited Commercial Email (CAUCE) CAUCE legislation page and at Thomas, an online legislative information database.

Some bills often referenced by spammers include:

S. 1618, title III

Passed in Senate, died in conference in 1998

H.R. 1910

Pending legislation in the 106th Congress.

To befuddle the automatic spam cancel bots that rove Usenet and cancel byte-for-byte postings for every message/email. Every number changes on every post, but nowadays, some intelligent administrative tools can recognize those numbers and cancel those spams.

Basically, the codes are intended to to confuse the autocancel comparison tools that the good guys use.

The same applies to email.

As more and more ISPs and individual users put email spam filters in place, spammers try different tricks to fool the filters. You may notice a string of numbers in the subject line, random numbers or characters in the body text, or even a rambling of words that may or may not make sense.

It is not believed these methods are used to identify recipients in any way. Rather, they are used to try to trick spam filters into thinking each message is unique in content.

Example: http://%4a%55%53%54%49%43%45@%33%35%31%37%37%31%32%39%30%35/

There are three things you need to know about to decode these URLs. They're not actually bogus; they're just made hard to read.

% encoding is normally used to encode characters that aren't legal in URLs; the spammers encode all (or at least some of) the characters, including the legal ones, to make them hard to read.

Each character is represented as a '%' followed by a two digit hex number, which corresponds to the ASCII code for the character. e.g. %4a is J

for your URL this gives us:

http://JUSTICE@3517712905/

Everything before the last @ sign in the URL is authentication information, which is ignored by most servers for most pages anyway. For the purposes of identifing the host, we can chop this off to get

http://3517712905/

This refers to the root page / on host IP 3517712905.

This large number is the IP address of the host, but written as one large decimal number rather than four smaller numbers as is normally the case. To convert it we first need to convert to hex, which gives us

D1AC0A09

Then we break this into two digit pieces:

D1.AC.0A.09

and convert to decimal:

209.172.10.9

Instead of doing this all manually, it's much easier to use a tool that follows these same steps, such as:

http://samspade.org/t/url.cgi

SpamCop's hosttracker will do the same thing, and if you receive a SpamCop report for a URL, you can click the "see how SpamCop tracked this" link to see the steps it took.

The owner of the FFA site sends a "confirmation" (advertising) e-mail to the contact address every time a web site is submitted for listing. Every FFA page owner does this every time.

There are a zillion FFA sites out there. There is even software available (FFA Blaster) that will submit your web site link to thousands of FFA pages at once.

There are also "Link Advertising" sites that offer to submit your web site to "a thousand search engines" so that you can start getting more traffic to your site. What they mean is that they will submit your site to Yahoo, AltaVista, and 998 FFA pages.

The novice takes them up on their offer and gets 998 "confirmation" messages from the FFA owners. The experienced user knows about the "confirmation" e-mails so he uses a bogus address, or your address, so he won't get the traffic.

The real purpose of having an FFA site is so the owner can collect addresses to send his advertising mail to.

One FFA page owner I corresponded with told me he got hundreds of new submissions every day, and the response from his "confirmation" messages was making him a tidy profit.

You can read more about them here:
http://www.ffanet.com/
http://www.free-for-all-links.com/

This page is for people who want to donate money to our cause, but don't want or need a premium reporting account, or you already have a flat-rate CESmail/SpamCop email account and wish to support the reporting service. This can provide the satisfaction of knowing you're helping the good guys fight spam.

For that we thank you very much and direct you to the instructions and links at the bottom of this page where we will gratefully accept your assistance.

If you would prefer, you may add money to your existing SpamCop reporting account

For those who wish to subscribe to one of our services, please visit our account sign-up system

To donate to SpamCop:

(Donate via PayPal) (credit card or e-check)

To donate to the SpamCop legal defense fund:

Spammers target SpamCop, both legally and technically, to try to slow our spam-fighting efforts. To counter legal attacks against SpamCop by spammers, SpamCop established the SpamCop Legal Defense Fund. All donations are kept in a separate account and will be used solely for the defense of any legal actions brought against SpamCop or its parent company, Cisco IronPort Systems, LLC. While SpamCop cannot comment on any pending or threatened litigation, your donations are greatly appreciated.

(Donate via PayPal) (credit card or e-check)

Alternately, if you wish to donate by check, send it to:

SpamCop Donation
950 Elm Ave
San Bruno, CA 94066-3047

Make checks payable to "SpamCop.net, Inc.". If you would like your check to be used for the Legal Defense Fund, please note those words in the memo field.

Thanks in advance for your help!

Sorry, we do not offer advertising on the SpamCop site at this time.

• Privacy Policy
• Dispute Resolution
• What is the SpamCop Blocking List (SCBL)?
• Getting Started with SpamCop

How to contact us depends on the reason for the contact. Below are some possibilities:

Introduction - What is this thing? How does it work?

I have been falsely and/or maliciously accused of spamming, what can I do?

How can I contact a real person about this?

Interacting with SpamCop and its users:
You are mailbombing me! How can I make it stop?
How can I get SpamCop reports about my network?
How do I register an abuse@ email address?
How can I get removed from SpamCop's blocking system?
Once I close a spammer's account, how can I prevent others reporting it?
How can I respond to spam complaints via email?
How can I control what type of reports I receive?
You've munged the header...
How do I get in touch with the person who filed the complaint?

Help with SpamCop reports and spam in general
Robots: Mailing lists and autoresponders
Double/Confirmed Opt In
I didn't originate the spam. My server might have relayed this message. Why report it to me?
What does a SpamCop Report look like?
Why did SpamCop report this usenet message to me?

General questions:
Who appointed you the "cop" of the internet? Where do you get off?
My web site got terminated/threatened because of SpamCop, but I did not send the spam. What's the big idea?
Why did SpamCop submit my server to relay-testing sites?
What is your opinion of FFA (free for all) pages?
How do Deputies respond to appeals?
Abuse-queue management tools

Assistance stopping spam:
I'm receiving spam reports, but my mail server logs don't reflect it. Why?
HTTP Proxies (Cisco / Squid / Mailtraq)
Formmail
Open Relay Servers
Adding BLs to Postfix
Spam-sending malware
But my server is secured against relay...
How can I control spam from my network?
SOCKS Proxy Servers
Links to help with removing open proxies

You have probably arrived here because you received an email generated using SpamCop. This is a free service available to all netizens. Reports from SpamCop are sent by individual users who review email manually and identify spam (Unsolicited Bulk Mail). You can try it yourself to see how it works.

SpamCop administrators do not, and cannot verify the claims made by its users. Not only are there simply far too many reports filed for anyone to manually review them, but even if we were to, there is no way for us to know whether a user actually did or did not solicit a message prior to reporting it as spam.

SpamCop currently generates two main types of spam reports. All look very similar, but you can tell the difference from the subject line:

• [SpamCop:63.11.142.206,id:246645593]Adv: Affordable Dental Care
• [SpamCop:(http://www.geocities.com/dentalcare),id:246645595]Adv: Affordable Dental Care

The first example indicates that SpamCop has tracked the source of the email to your network. This is the most serious type of report, and it is the only type that is used to track spam sources. The second shows a spammer advertising a web site using spam hosted on one of your systems. You would be very unlucky (or negligent) if you see both types of reports on the same message (as pictured above).

Please be careful when taking action. It is possible (though unlikely) that the account is what we call an "innocent bystander".

Once you have resolved an abuse report (or if the URL/web address is an innocent bystander), you may register this with SpamCop by clicking the URL in the spam report and following the appropriate option from the resulting "SpamCop ISP response page". This will save everyone's time by preventing future spam reports using SpamCop. Users will get instant notification that you are taking action against spam and you will not see further redundant reports.

If you are trying to decipher an obfuscated URL or you are not sure why SpamCop has traced you as the responsible network, you can click another link from the SpamCop ISP response page. There are several other options to explore from that page.

There is a lot more general information here. Surf the links. Check out this FAQ section for more ISP information, also check out the rest of the FAQ if you are interested in learning more about how SpamCop works. Current events are in the forum, and you can post your own questions/comments and someone will read them and respond.

Thanks for taking action against spam!

False spam reports are not tolerated.

Users who file false reports will be banned from the SpamCop service and/or fined. However, in order to take action, we must see proof of wrongdoing.

Please use the link(s) included in the report in question to dispute it. All SpamCop reports include at least one issue-tracking link.

If you were forwarded a SpamCop report from your ISP without the link included, please contact the person who forwarded the report to you to dispute it.

If you are administrator of a system being blocked, please see:
How can I be delisted? (dispute resolution).

If you would like to pursue action with the user's internet provider, SpamCop reports include all the information you need to do so. IP address and datestamp of the complainant are included in the report. You can even feed a SpamCop report to SpamCop to determine the originating point.

Note, this contact method is for Internet Service Provider personnel only
Other contact options

If you are contacting us about email being blocked, please start here and provide the IP address of the system in question.

To contact us, please begin by giving a brief description of the reason for the contact (message subject):

If you are writing about a spam report, please include a copy of the report in question - including full headers and the spam itself. Your email will be read by a living, breathing, thinking (!) person.

We are very busy also, and spend good time writing and maintaining this FAQ, so please give it a look. You may be surprised.

Function temporarily removed due to abuse

Report routing

Anyone may receive summary reports about any netspace they specify. To receive reports, first create an ISP account.

Once you have logged in with your new account, use the "Request Reports" menu item to specify which networks you would like to receive reports about. At any time, you may use the "show routes" menu item to view which networks you are configured to receive reports about.

In addition, your ISP account allows you to spot-check any IP address for recent reports.

It is important that all IP addresses in your network (particularly mail servers) have valid and correct forward and reverse DNS which agrees (paranoid reverse DNS). Many sites will bounce mail based solely on lacking DNS information.

Abuse.net maintains a database of contact addresses at various Internet Service Provider, which should be used when reporting spam or abuse issues on their network. Your primary domain name(s) should be registered with Abuse.net.

The SpamCop blocking list now has its own FAQ section

The short answer is that you cannot be removed.

SpamCop automatically handles blocking and unblocking of ISPs. If SpamCop continues to receive reports of spam originating from the networks you are responsible for, those networks will continue to be blocked. If not, then you will be unblocked by SpamCop automatically after 24 hours.

If the SpamCop reports that you receive relate only to web-hosting for the spammer, then this does not count toward blocking. The email filters consider only complaints of sourcing spam.

If you have recently closed an open relay on your network, you should check and/or notify the various relay blocking systems in use:

• ORDB - Open Relay Database
• MAPS RSS - Relay Spam Stopper

Please only notify them if they have in fact detected and listed your open server.

You can check your listing status on over 150 blocking lists at DNS Stuff

SpamCop reports include a URL that allows you to register an issue (IP/datestamp or website) as "resolved." For a website, you even have the option of registering as an "innocent bystander." In either case, anyone who tries to report the same issue through SpamCop in the future will receive a message stating what action you have taken and they will be prevented from filing a report on the same issue. This keeps your workload to a minimum and lets spam fighters know you are helping wipe out spam!

See also the next question related to responding by email instead of the web.

Some administrators have a scripted system for handling abuse complaints or just don't like to use a web browser in their daily work. SpamCop now provides the ability for administrators to respond to spam complaints via email.

Every SpamCop report includes an ID number in the subject line. This ID is used to report issues resolved or to report email and/or web sites as innocent parties. Keep in mind that you cannot claim innocence if SpamCop has identified you as the source of the offending message (see introduction FAQ on types of reports). This ID number is also part of the message-id. To extract the ID number from a SpamCop email in a script, you might use this regex:

m/^message-id:\s*\<(\d+)/i

Once you have the report id, you can send email to one of these addresses to report action:

To report an issue resolved:
resolved.ID@cmds.spamcop.net

To report an address as innocent:
innocent.ID@cmds.spamcop.net

You will not receive a confirmation, but if you want to confirm the system is working, you can always log out the web-browser and visit the resolution web page. This page will indicate issues that have been resolved and/or innocentized.

Also, you can refuse any report if the user has not agreed to reveal all header information, including recipient email addresses.

If you don't yet have an ISP password, refer to the link in any SpamCop report to retrieve one. Once you have a password,..

Change your preferences here.

ISPs now have the option of receiving reports from SpamCop only if the headers are complete and unmunged (as received by SpamCop). Users will be given the option of sending unmunged headers or no report.

To set your options, log into your ISP account here.

If you don't yet have an ISP password, refer to the link in any SpamCop report to retrieve one.

If you feel that SpamCop is being used in an abusive manner, I want to hear about it. SpamCop can be used to track its own complaints, so you can easily figure out where the complaint originated and ask the users's ISP to take disciplinary action.

Many of my users prefer to keep their email addresses confidential for obvious reasons. I mask the recipient's address from the header to preserve the recipient's identity. I will not release this information. However, if you are indeed the sender of the email, you should be able to figure it out from your logs. If this doesn't work, you can always reply to the spam report and ask the user for assistance. If you are nice and convince the user that he or she did actually sign up for your list, the user will probably help you.

First, look at the SpamCop report. It should include the full headers of the email in question, including the partial MessageID:

From root@julianhaight.com Thu May 20 17:16:54 1999
Received: from localhost (root@localhost)
         by sam.julianhaight.com (8.9.3/8.9.1) with ESMTP id RAA13580
         for <x>; Thu, 20 May 1999 17:16:56 -0700
Date: Thu, 20 May 1999 17:16:55 -0700 (PDT)
From: <root@julianhaight.com>
To: <x>
Subject: messageid test
Message-ID: <Pine__________________________________________________.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Using the receiving servers (domain), date and time stamps and the partial MessageID provided, you should be able to match the header to your mail logs to get the address the mail was sent to.

But, I don't keep my logs. What can I do?

Select email source carefully

You should think about where you get the email addresses that you send email to. Never send email to addresses that you get from outside sources. If you do use a list from someone else, and you start to get spam reports, dump the whole list immediately. The fact that a few users from a list are reporting spam indicates that many other addresses on the same list are probably 'dirty.' If you do get email addresses from multiple sources, keep track of where each one comes from so that you can figure out where the "dirty" addresses are coming from.

State your terms clearly

Make it very clear to people when they sign up for your list what they should expect. If you send your email once a week, let them know that they will be getting weekly email from you, and tell them what they will have to do in the future to unsubscribe.

If you offer some service in return for people reading your email, make sure that people know reading your email is a condition of a contractual agreement.

Verify email addresses

Sometimes, people will use a fake email address when signing up for something. Once in a while, this fake address can be someone else's real address. The recipient then sees your mailing as spam. Also, people have been known to take revenge on spam-fighters by signing them up for hundreds of mailing lists at once. Ideally, all mailing lists should protect against this. You can protect against this by asking each list subscriber to respond with a special code that you send out in email:

1. New user (Joe) asks to be added to list.
2. You send email with enable-code to Joe confirming signup.
3. Joe replies to your email.
4. Signup confirmed, and Joe is added to your list.

This is the method most noncommercial lists use, as well as well run commercial systems like deja.com.

This is a bit of a barrier for a commercial list, so you may decide to avoid verification of this kind, but you should be extra careful in your removal procedures if you do forgo address verification. You should also be prepared for fallout from this (IMHO) bad decision.

Purchased Lists

Purchased lists are bad. Period. The people on those lists didn't opt-in to receive email from you. They're not going to recognize you, and they're going to report your mail as spam. Besides possibly ending up on the SpamCop and other blocking lists, you could find yourself blocked from sending to many of the major providers such as AOL, Hotmail, Yahoo and Mail.com. Doing email right means getting permission. People should know they're signing up to receive emails from you. If they don't, that list will cause problems.

Identify yourself clearly

At the start of your mailing, identify your company and tell the recipients where you got their email addresses and when/where they authorized you to use their addresses for sending this mailing. For example "This email is sent from www.widgets.com. You authorized this mailing when you registered your widget on our web-site. See below for removal directions."

Personalize the headers and body of the email

It takes longer to send mailings this way, but it makes the mailing look much more credible and professional. Personalize the email with the recipient's email address in the To: field, and at the start of the body - possibly as part of the sender-identification suggested above. "Hello buyer@widgetbuyers.com. This email.."

See also:
Basic Mailing List Management Principles for Preventing Abuse by Trend Micro
Double Opt-in How-To by Digital River

Easy, anonymous unsubscribe

One way to handle this is to provide an easy and anonymous unsubscribe link in your outgoing email. Assign each user an id number that differs from his or her email address, and keep some sort of database (even if it's just a spreadsheet) of these userids. Then create a link in your mailings that automatically unsubscribes people based on ID, like this:

http://www.mylist.com/unsubscribe?userid=1234

Now, users just have to click once on the link, and they are unsubscribed without having to reveal their email addresses.

This technique is also very handy when you are faced with a spam report. Every spam report includes a copy of the spam, so you can just click the link, and know that the person has been unsubscribed without having to grep through logs files.

Also, I have created a special set of FAQs for mailing list administrators (in this section of the FAQ). It includes info on how to reduce spam complaints and handle the ones you do get gracefully.

• Traditional auto-responders
• Misdirected bounces
• Challenge/response spam filtering
• Why not allow bounces?
• Mitigation techniques?

Lately, people find their automatic responses are being reported as spam or blocked. These "auto-responders" respond indiscriminately to forged and legitimate email. Spam and virus messages are almost invariably forged so as to appear to be "from" an unrelated third party. When an auto-responder receives one of these forged messages, they in turn send misdirected mail. Because of this, they become spam sources themselves and are the subject of blockades. There are several types of email, detailed below, which we refer to generally as "autoresponders".

Problem: The traditional auto-responder

Description: A message is sent in response to inbound email informing the purported sender that you are on vacation, listing FAQs or otherwise sending a standard message - all too often, to the wrong person.

Solution: Do not use these systems. Inform your normal corespondents of your absence before you depart. Or let a co-worker answer your email in your absence. Publish FAQ information on a web-site. If you wish to dispense information via email, it's easy to reject a message while referring the sender to a FAQ web-page. Using sendmail, this is done in the access.db table like so:

to:oldaddress@example.com 550 Old address no longer valid, please see: http://www.example.com/NewAddressInfo.html

Problem: Misdirected bounces

Description: When a mail server accepts a message and later decides that it can't deliver the message, it is required to send back a bounce email to the sender of the original message. These bounce emails are often misdirected.

Solution: Upgrade and/or configure your mail server software so that this situation is never encountered. Configure your software to either reject messages during delivery or accept them permanently. Do not let your software make choices about delivery after it has accepted a message. If you must accept delivery before you know the status of a message, then file it internally - do not send, forward or bounce it outside your organization. The errant message can be placed in a special folder or routed to your postmaster.

Avoid offloading your filtering task onto random third parties. You must filter your own mail, not ask others to do it for you.

Qmail:

Qmail is one popular mail exchanger which suffers from this problem by default. If you use qmail, please apply a patch: spamcontrol or qmail-ldap.

There is also an experimental patch for qmail which allows you to send bounces, but isolate them on a different IP address (so that spamcop can block them without blocking other mail): Richard Lyons' BOUNCEQUEUE patch

John Simpson has provided a set of qmail patches that enjoy wide distribution. Check out qmail validrcptto.cdb Patch

PZInternet.com reports chkuser is a very good qmail patch to avoid misdirected bounces - very easy to install too! http://www.interazioni.it/opensource/chkuser/

For users of qmail-toasters, check out the simscan patch

Microsoft Exchange:

Microsoft has updates available for their Exchange Servers to control whether the Internet Mail Service suppresses or delivers non-delivery reports:
Microsoft Exchange Server 5.5
Microsoft Exchange Server 2000 and 2003

Others:

If you know or find other tips for fixing this problem in other popular software, please Post it to the forum and we will be happy to add it to this FAQ.

It is important to prevent a global plague of misdirected bounces - already many people are filtering out *all* bounces because they can't sort the misdirected ones from the real ones. This further degrades the reliability of email.

Challenge/response spam filtering

Description: This "selfish" method of spam filtering replies to all email with a "challenge" - a message only a living person can (theoretically) respond to. There are several problems with this method which have been well known for many years.

1. Does not scale: If everyone used this method, nobody would ever get any mail.
2. Annoying: Many users refuse to reply to the challenge emails, don't know what they are or don't trust them.
3. Ineffective: Because of confusion about these emails, many of them are confirmed by people who did not trigger them. This results in the original malicious email being delivered.
4. Selfish: This is the problem we are mainly concerned with. By using challenge/response filtering, you are asking innumerable third parties to receive your challenge emails just so that a relatively few legitimate ones get through to the intended recipient.

SpamCop abandoned this method of filtering after a short test period in 2001. Another site discussing the problems with challenge/response: Challenge-Response Anti-Spam Systems Considered Harmful

Solution: Do not use challenge/response filtering. Although it may stop most unwanted email for the person shielded by it, it generates more unwanted email for others.

Since more and more sites will rightly block these challenge emails, you can never be sure they will reach their target even when they are not misdirected themselves. So these systems will lose legitimate mail in an attempt to stop unwanted mail.

In general, all these types of autoresponders are sending mail to people who have had their email addresses used without their permission. The recipients of these messages rightly consider them unsolicited. In extreme cases, sites have been "bounce-bombed" with misdirected mail, preventing them from receiving legitimate mail.

Q: Why not allow bounces? They are required by RFC822!
A: Originally, SpamCop made attempts to forgive misdirected bounce messages - to reject them as evidence of spam. However, there are two factors conspiring to force us to rescind this policy. First of course, is that these misdirected messages *are* spam as we define it (Unsolicited Bulk Mail). They are objectionable to recipients and can even cause denial of service to innocent third parties. Users of our blocking service want us to stop them.

Second is that spammers have taken advantage of this policy, disguising their spam as bounce messages in order to avoid SpamCop. If we did not change the policy, this would become a highly popular way to "beat SpamCop".

Although bounces are required, it is possible to avoid the situation under which they are required (see above). So they aren't really required unless you have already 'painted yourself into a corner.'

Q: Is there any way to mitigate the problem without entirely disabling auto-responses?
A: Yes, due to recent attempts to "fix" the problem of forged email, there is. If you must continue to use an auto-responder, you can greatly increase it's accuracy (and perhaps avoid being blocked). Using this method, the auto-responder may not always respond to every legitimate email. It will respond to the vast majority, and it will send much less (although not zero) misdirected mail.

To do this, your responder should use SPF and/or Domain Keys to verify the authenticity of the message being replied to. The details of these methods are beyond the scope of this FAQ, but here are a few notes about the proper implementation of SPF for auto-responders:

• If the SPF record is too broad, use only the explicitly listed IP ranges or mx fields.
• If the sending domain lacks an SPF record, accept mail only from the IP addresses listed as the domain's MXs (inbound mailservers). Large domains have mostly adopted SPF already. Smaller domains are likely to use the same servers for inbound and outbound mail.

SPF is much more widely used, but Domain Keys is more reliable and error-proof. Most senders who use Domain Keys also use SPF (there is no disadvantage to using both). In short, implementing SPF checking will give you the most benefit with the least effort.

Q: If I disable delayed bounces, won't I be vulnerable to a directory harvest attack?

A: Yes. If you do nothing else to prevent harvest attacks, spammers will be able to more easily try many possible usernames to check which ones you accept mail for. There are other, better ways to mitigate this problem beyond the scope of this document (tarpitting). Sending delayed bounces to all and sundry is not a good way to prevent directory harvesting - it harms others and does not really prevent harvesting.

When a web site sends an email based on input from a web client, it should maintain the "chain of custody" for the message. This is done by including the client's IP address in the email headers in standard format. This is the technique used by hotmail, yahoo and most other webmail systems. SpamCop supports it, and it works well with most web to email scripts.

A relevant example: Consider a typical "refer a friend" script. It accepts essentially one piece of input from the web user - the recipient email address. It then sends a big advertisement for the site in question to that address. As such, it is ripe for abuse. If the script passes the web client's IP address to the recipient, the recipient can file a SpamCop report and bring the incident to the attention of the web client's administrator - the real sender - rather than the administrator of the web server, who didn't initiate the email.

To continue the example, consider a user, Mary who is logged onto the net from 10.1.2.3. She enters her friend John's email address (john@example.com) into a website (website.example.com). As a result, the web site's script generates an email to John which looks like this:

Received: from [10.1.2.3]
    by website.example.com with HTTP; 01 Jan 2003 12:34:56 -0000
From: Mary <devnull@website.example.com>
To: John <john@example.com>
Subject: Visit website.example.com!
Date: 01 Jan 2003 12:34:56 -0000
Message-id: <something_random@website.example.com>
X-Mailer: refer-a-friend web to email gateway script v.2.3

Mary thought you would like to see
http://website.example.com/

Sorry if you aren't interested. Mary sent this email from 10.1.2.3.

After the message is sent, other "Received" headers will be prepended, indicating the chain of custody from the website onward. By including one received header in the "original" message, website can indicate the true source of the message (and potentially, abuse).

The Double Opt-in How-To information package is available here.

Your server's received line didn't indicate an incoming IP address.

Even if your server is performing reverse lookups on the senders to verify that they provide the correct hostname on HELO, SpamCop has no way to know that this check has been performed unless the IP address of the sender is actually included as part of the received line. Either upgrade your SMTP server or change the settings so that the source IP address of the sender is identified. Hopefully, you will also disable third-party relay completely, but that is your choice.

More information on "relay rape":

"Relay rape" is a term used to describe the unwanted use of your open (trusting) email systems by spammers. There is another antispam organization, the Mail Abuse Prevention System (MAPS), that has a lot of information on this subject. Please visit the web site:

http://www.mail-abuse.com/support/an_sec3rdparty.html

This page explains why you should stop spammers and how to do it.

The email was received at your site BY a server in one domain and then it left your organization through a server that claimed to be in different domain.

This is the hardest problem to solve. It's perfectly legal for an email to be received "by" smtp1.ge.com and then in the very next line be received "from" mailserver.gecapital.com. Hopefully, you can find an internal solution to this problem, because it does cause confusion for SpamCop (and just general confusion), particularly when the IPs involved don't have name service or are part of a private network (intranet). This type of problem usually affects the SpamCop user, not the recipient of the complaint. This problem can also occur with some forwarding services such as bigfoot and iname - although those two examples have already been 'fixed' by explicit exceptions to this rule in SpamCop's code.

SpamCop was unable to parse the received line your server inserted even though the line did include an IP address.

This is very rare, but it may be a bona-fide bug in SpamCop.

For help with any of these problems, please post a message in the forum or see the FAQ "How to contact a real person".

Authentic SpamCop Reports:

• come from an address '####@reports.spamcop.net'
• are sent from a 'ironport.com' server
• clearly state the the issue (IP address, website URL or email address) in both the Subject line and early in the body of the message
• include the headers and full message being reported
• are sent in plain text (html will appear untranslated)
• contains a link to the issue in the SpamCop database where you can add a note, close the issue or declare it an innocent bystander.

This is what a real SpamCop Report looks like:

From: Some User <1234@reports.spamcop.net>
To: abuse@example.com
Subject: [SpamCop (1.2.3.4) id:1234]PC Home Worker

- SpamCop V1.3.3 -
This message is brief for your comfort. Please follow links for details.

http://spamcop.net/w3m?i=z1234z14ad22c721b0b0e5fcd4f3d0b8555992z
Email from 61.171.141.31 / Sun, 11 Aug 2002 00:11:15 -0700

Offending message:
"From solary@example.net Sun, 11 Aug 2002 00:12:26 -0700"
Received: from [61.171.141.31] by hotmail.com (3.2) with ESMTP id
MHotMailBF1F590F008F4136E80B3DAB8D1F04170; Sun, 11 Aug 2002 00:11:15 -0700
From: "work at home"
To: <x>
Subject: PC Home Worker
Sender: "work at home"
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Date: Sun, 11 Aug 2002 15:08:26 +0800
Content-Transfer-Encoding: 8bit

Would you like to work at home ?PC Home Worker
process orders from your own home! All you need is a PC,
Email, and a quality printer!
Email phmwky@example.net with 'more info'' in subject
line for more information

This is a one time mailing. To be removed, reply to
solary@example.net with REMOVE in the subject line.

I don't personally send any of the SpamCop complaints, and I don't 'trawl' for spam to complain about. All the complaints come from real people who deserve respect. They may not be tech-heads, but that doesn't mean they must put up with an inbox full of spam.

In addition to reporting spam to the source of the email, SpamCop also reports the incident to administrators of web-sites listed in the spam. Note, that these reports do not indicate that this site is responsible for the spam. Often, the site *is* responsible for the spam, and that is why the notification is generated, warning the ISP that they *may* be hosting a spammer. The ISP receiving the report must make a determination as to whether the spam really looks as if it was sent by the webmaster.

Unfortunately spammers like to include innocent parties in their spams in order to confuse administrators. ISPs must make this decision for themselves and take whatever action they feel is appropriate. It should be noted that SpamCop does not ever directly blame your web site for the spam. Your real enemy in this battle is the spammer who used your URL in his or her junk. You may be able to sue the spammer and collect damages for this type of "joe job."

The report generated is intended only as a notification of a reference to your site in a spam message. If your ISP and you both agree that you are innocent, then SpamCop provides an easy way to prevent reports regarding your site (or at least that specific URL). Not only will this prevent reports of the current spamming, but all future spamming that uses your URLs also.

SpamCop relies on third-party testing of open relays. When one of these third parties detects an open relay, SpamCop will begin sending reports about any spam travelling through the relay to the administrator.

However, before a server has been checked for relaying, it's very difficult for SpamCop to know whether it has a security problem. It may simply be a legitimate relay which shows up in the headers of some spam. In order to know the difference, SpamCop must submit each server it finds in the headers of spam for testing. This process is not intended to be an implication of guilt. It is a test designed to determine whether a relay has been abused or used legitimately.

To see a sample of spam from SpamCop's database, submit this form:

Unfortunately, you have spammed regardless of your belief that you used an opt-in list. Many of the FFA sites I have seen do not clearly state that submitted email addresses will be shared with all the individuals or organizations appearing on the FFA site. Many visitors to FFA sites do not understand they are joining a shared opt-in list.

This practice of collecting email addresses is only a small step above harvesting addresses from forums and web directories as a deceptive practice.

One SpamCop user has this to add:

Operators of FFAs would be well advised to include in their 'spam' the true To: address that their mail is being sent to. I set up an alias account on our domain which I used exclusively to register with search engines and FFAs. When mail comes in addressed to that address, I kick it over into a separate folder and ignore it. Only spam mail that comes in with no valid To: address gets reported as spam, as I cannot tell why I received it.

If these FFAs would do this, it would cut down greatly on the spam reports to them, at least from me.

And an email from an FFA site user to the administrator of the site:

xx Administration:

This is unacceptable. We have received FOUR spam complaints as a result of using the lists you are being PAID to provide of those who post a link to your site for the purpose of sending email confirmations [actually advertisements, not confirmations]. I own four large on-line businesses and bogus spam complaints are a recurring problem with FFA sites, primarily with your service.

As the owner of a large Internet Training company, I refer thousands of people to you each week in an effort to teach people how to responsibly market on the Internet. My members continue to be on the receiving end of spam complaints by using the lists you provide, which are supposed to be SAFE.

Until this is resolved, I can no longer recommend your service, as the spam complaints are now affecting my businesses. I implore you to do something about this immediately. My suggestion is that you repeat, over and over again on your site, the fact that EVERYONE who posts to your site is agreeing to receive a Thank You email from the owner of the FFA site to which they posted. I assume you also have some kind of arrangement with independent submission services who post to your FFA pages. They too MUST reiterate emphatically that the user of their services WILL receive and has agreed to receive a confirmation email.

My members have done everything right, including inserting the link to the FFA page which the email recipient posted on your site. Yet, they are being persecuted by overzealous people who either don't bother to read the stipulation about agreeing to receive a confirmation or they are just out for blood.

I also assert that you should include in your warnings that ANYONE who reports an FFA Net post confirmation as spam will have their URL AND EMAIL ADDRESS banned from ever posting to XX again. If multiple complaints are received from the same person, I suggest you consider a heavier penalty, including reporting the complainer to his/her ISP for fraud or harrassment.

You can't hide this policy and warning in a 10+ paragraph policies page that nobody reads. Spam has become too big an issue to let this fade into glossed-over verbiage on a policies page. Your failure to protect the people who are paying you to provide them with "valid," "opt-in" email lists will be the downfall of your company if you don't take measures to bring this to the forefront immediately. Someday this will get the wrong person in trouble and they will come after you with a vengeance. I have seen it happen enough times to know.

I am requesting that you send [emails of parties invloved in dispute] an email verifying that this person DID in fact post to FFA Net and that the email below is an invalid complaint. We will not tolerate being reported for abuse when there was no abuse. [signed]

(Appeals are reports filed by spamcop members regarding previously-shut-down websites which have sprung back to life. They are requests to allow spamcop to file reports with the new (or old) web host)

This FAQ is secretly a set of instructions for deputies, read it as such..

Think about:

• Is this spam? Is this the only user reporting the spam?
• Is reporting disabled because SpamCop is reporting to the wrong person?
• Is the address clearly involved in sponsoring the spam?

• Abacus commercial ticketing/tracking system designed specifically for abuse desks
• Kana commercial Customer Relations Management tool
• Remedy commercial Customer Relations Management tool
• Request Tracker (RT and RT2) open-source ticketing tool
• AbusePipe automated abuse handling software.

Note that SpamCop has not tested any of the above software and does not specifically endorse any of the companies or software listed. This list is provided simply for the convenience of service providers.

Perhaps the headers of the spam look something like this:

From wdwarren Sat Mar 04 07:07:05 2000
Received: from [10.1.1.1] by hotmail.com (3.2) with ESMTP id
    MHotMailBA8A709500C6D820F3D8D8475492505611; Sat Mar 04 07:06:28 2000 Message-ID: <539045@ 169770>
From: wdwarren <wdwarren>
Subject: UNIVERSITY DIPLOMAS (Verifiable)
Date: Sat, 04 Mar 2000 09:45:21 -0400 (EDT)
MIME-Version: 1.0
Content-Type: TEXT/HTML; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

Where [10.1.1.1] is your server. Note that there are no "received" lines added by your server - or if there are additional received lines, they may look forged or otherwise inconsistant with lines added normally by your mailserver.

This situation is quite common. You may have a user running a dedicated spam sending program (ratware) to send directly from your server. These programs do not use any mailserver facilities on your server - specifically to avoid detection. They are usually named something innocuous like "mailform.pl" or "guestbook.exe". You may also have another exploitable service running on your server which is being exploited by the spammer (see below).

Ideally, you should filter port 25-outbound from this machine and force everyone who uses it legitimately to connect to another, seperate server to send their mail:

[user account server] -> [sendmail on remote mail server] -> [recipient's server]

.. instead of what's happening now:

[user account server] -> [recipient's server]

You must stop these direct connections with a filter and then poke a hole in the filter for only your one, dedicated mail server which should reside on a different server/IP. So applications running on the user's server can only connect to your mailserver via port 25. Of course, they can still send spam, but at least your mailserver will keep a record of it in this configuration.

Alternately, you can solve the problem in the whack-a-mole style: Don't fix the general problem, but sit around and wait for the spamming user to strike. When the spam is being sent (usually late at night or on weekends), you will see the program running (use 'top' or 'ps ax' under unix) and you will also see multiple outbound SMTP connections (use 'netstat -n | grep :25' under unix).

See other FAQ sections for more information on other exploits and fixes (HTTP and SOCKS proxies, etc.).

Cisco cache engines

Turn off http proxy service with the "no http proxy incoming" command in global config mode. This will prevent all users from arbitrarily using the cache engine as their HTTP proxy server.

Squid proxies
More and more often, spammers are transferring spam via Squid proxies. This allows them to hide their tracks entirely, so only the host of the proxy will be reveald in the spam headers.

The fix:
squid.conf should read:
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

Mailtraq

Mailtraq bills itself as an inexpensive alternative to Microsoft Exchange that runs on ordinary Windows. Mailtraq offers a Proxy as an option to all its Mailtraq versions. If you don't set up access rules, the proxy is open to anyone to abuse

The fix:
Select 'options - services' then select the properties of the HTTP proxy. In the properties there is an 'access control' tab that can be used to specify the authorized IP's.

A paper (long) explaining the FormMail vulnerability is available at http://www.city-fan.org/ftp/contrib/websrv/formmail-advisory.pdf

Secure fixes are available from:

ftp://ftp.monkeys.com/pub/formmail/1.9s/

or

http://nms-cgi.sourceforge.net/

In the early days of the Internet, it was considered good citizenship to leave a server available for all to use. Unfortunately, spammers and scammers started taking advantage of these relays to get around limits and terms of their own Internet service providers. It has become necessary to lock networks down tight and deny access to anyone other than authorized users.

In other words, if you leave a mail server open to free use and abuse, you are now considered a bad citizen of the Internet. Hundreds, if not thousands of public and private blacklists and blocking lists have been created with the sole purpose of listing the IP addresses of open relay servers. Users of these lists block all email traffic coming from servers finding themselves on these lists.

Servers need to be set up to prevent this unauthorized use. The Mail Abuse Prevention System (MAPS) provides excellent resources and links to assist you in closing and/or upgrading your server to prevent relay-rape. Check out the MAPS Transport Security Initiative pages.

Preventing relaying in Microsoft Exchange has a lot of useful and detailed information about a variety of commonly-used weaknesses in one of the most popular email servers.

maps_rbl_domains = blackholes.mail-abuse.org relays.mail-abuse.org bl.spamcop.net inputs.orbz.org outputs.orbz.org relays.ordb.org or.orbl.org

disable_vrfy_command = yes reject_non_fqdn_hostname #: reject HELO hostname that is not in FQDN form reject_non_fqdn_sender #: reject sender address that is not in FQDN form reject_non_fqdn_recipient #: reject recipient address that is not in FQDN form

smtpd_sender_restrictions = hash:/etc/postfix/access, reject_unknown_sender_domain smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination smtpd_client_restrictions = permit_mynetworks, reject_maps_rbl

Recently (April/May 2003), we have been seeing a new type of spam. It appears to originate on normal Windows computers, sometimes inside corporate firewalls. We theorize that spam-sending "malware" has been installed accidentally by careless users or even through the exploitation of security holes (cracking). Thus, these Windows computers suffer yet another "infection".

There appear to be several different types of software, or modes to it's operation. In one mode, it sends directly on port-25 to recipient mailservers. In another, it uses the Microsoft Outlook proprietary mail-sending protocol to send out via Hotmail mailservers. This protocol is handled over WebDAV, and the headers will show Hotmail servers using the DAV protocol. Most common recently, the software (or more likely, it's user, the spammer) uses the mailserver provided by your own ISP.

In any case, it leaves little trace as to its origin and is undetectable from the outside. The only clue is the IP address and the date/time of the occurance. The real confusion begins when the infected system is part of a network using Network Address Translation (NAT) to proxy connections for internal hosts. It should be emphasized that some modes of operation bypass outbound mailservers and send directly to the recipient system or via Hotmail's servers.

Blocking port-25 at the firewall can stop the first mode, but it is very difficult to stop the DAV protocol method globally, since that is transmitted over normal port-80 (www) connections. It is also problematic blocking a system from the mailserver which it is authorized to use - the system can no longer send legitimate mail.

If you have any more information about this problem, please post it in the forum and it will be added to this FAQ. Specifically, it would be nice to bring this malware into "the lab" and figure out its exact operating parameters - how to remove it, how to detect it, and what it does exactly. One theory about how it is controlled - it may poll a secret URL to receive instructions on what spam to send, and who to send it to. Another theory is that it logs onto a secret IRC channel to receive commands (an tried-and-true control method).

Update:

One possible route of infection may be exploitation of a buffer overflow in Microsoft IIS 5.0. Microsoft has released a patch to correct this exploit. Information and links to the patch are available at http://isc.incidents.org/analysis.html?id=183

It is becoming increasingly common to see spam being relayed through servers that have all relaying options disabled. Why? Because your server thinks the spammers are authorized users. The spammers are authenticating — they are coming up with valid user names and passwords.

Any server that has authentication (SMTP AUTH) enabled can potentially be compromised in this way.

For example, by default, Microsoft Exchange 5.5, 2000, 2003 and the Exchange server with IIS/5 set up a guest account. This allows anyone to connect to and use the server. Even if you have set up "require authentication" (meaning the user must supply a username and password) the guest account will allow the user to send mail through the server even if their login fails.

The most commonly exploited accounts are admin, administrator, guest, test, demo and webmaster, although any account with a weak or missing password is vulnerable.

Spammers have "bots" that make repeated attempts to authenticate, using a set of default and easy-to-guess username/password combinations.The most common combinations are guest/guest, admin/admin, test/test and demo/demo, and there are sites that list many default username/password combinations, so it's not hard to build a list to try.

Spammers also use software (spamware) that allows brute force username/password guessing. This heavy duty software cycles through a bunch of common usernames and passwords, hoping to hit a match that works. If they get one that works, they effectively have an open relay.

Some sample usernames and passwords that are known to be used by at least one spammer:

Usernames: webmaster, admin, root, test, master, web, www, administrator, backup, server, data, abc

Possible common passwords: ${username}, ${username}12, ${username}123, 1, 111, 123, 1234, 12345, 123456, 1234567, 12345678, 654321, 54321, 00000000, 88888888, admin, root, pass, passwd, password, super, !@#$%^&*
as well as each user name with a blank password.

(Data acquired from ROKSO, the Register of Known Spam Organizations.)

The exploit works like this:

• The spammer connects to the server and goes through the normal HELO/EHLO.

• After this, one of the options the server offers is 250-AUTH=LOGIN.

• The spammer responds AUTH LOGIN and the server prompts with VXNlcm5hbWU6 which is the Base64 encoded version of "Username:".

• The spammer then replies with the Base64 encoded version of the username he want to (try to) authenticate as.

• The server answers with UGFzc3dvcmQ6, which is "Password:" (Base64 encoded) and the spammer responds with the Base64-encoded password.

• If the server replies with "Authentication successful", then the spammer is validated as an authorized user and can issue rcpt to commands for wherever he wants.

An ounce of Prevention:

1. Make sure you have disabled the "guest" account.

2. Make sure you have removed or renamed all default accounts or have changed the default passwords on any of these accounts that you keep.

3. Make sure your users select good passwords. In particular, make sure users don't use the same name or word for both the username and password, i.e., admin/admin. Make sure passwords such as "password" don't exist.

   Review the list of the most common passwords at http://geodsoft.com/howto/password/common.htm. Set up a file that will not allow these passwords to be used or run a script that compares users' passwords to the list of common choices. Reset any that are easy to guess.

4. Check out Securityfocus.com to make sure you are not open to the Microsoft Exchange Server Buffer Overflow Vulnerability.

5. Ensure you are not a victim of the known "null session" exploit - see Bugtraq for details.

6. With all Microsoft Windows products, make sure you have installed all cumulated service patches and updates available at the Windows Update page.

7. Turn off authentication (SMTP AUTH) unless it is necessary that you have it enabled. Disabling SMTP AUTH will allow only mail sourced internal to your network to be sent (i.e., from authorized IP addresses).

We see Microsoft Exchange 2000 and 2003 being compromised often because these servers install a guest account and also default to SMTP AUTH enabled.

For More Information

Two excellent plain English articles on this subject are available at Windows IT Pro Network:

"A New Kind of Attack" (Oct. 9, 2003) ( http://www.winnetmag.com/article/articleid/40507/40507.html)

"Exchange Server SMTP AUTH Attacks" (April 20, 2004) ( http://www.winnetmag.com/article/articleid/42406/42406.html)

Recently, there have been a lot of unsolicited bounces from ISPs which are created due to the following chain of events:

1. Spammer 0wns a box on an ISP network (zombie)
2. Zombie is programmed to use ISP's mailserver to send spam
3. Spam sent has forged env-sender, not hosted by ISP.
4. Spam is rejected during delivery to recipient mailserver.
5. ISP mailserver generates a bounce to the original, forged env-sender.

As a result of these messages (which are plauging my spamtraps as well as end-users' inboxes), the ISP mailserver is listed (blocked).

Here are some possible solutions to this problem, all requiring action from the ISP.

1. Look at your double-bounces and triage them.

   (rant on) For a long time, it has been conventional "wisdom" at large sites that double-bounces should simply be ignored. This was stupid from the begining, moreso in the current hostile email environment. Double-bounces are important indications of problems. They should not be ignored. The problem I outline will always be accompanied by a flood of double-bounces (as the forged sender address on the spam also proves invalid). Please please please, people: read your postmaster email!(rant off)

   I would guess that 90% of your postmaster mail represents actionable TOS violations at sites where this problem exists. You need look no further than your own postmaster accounts to find evidence of spam on your network.

2. Rate limit your outbound mxes to deny useful service to spammers on your network.
3. Rewrite the envelope-sender on outbound mail to a local address for the user sending the mail. Warn your users to check their ISP account for bounces.
4. Send bounces from a different server which we can all stand to see blocked. This option is not a real answer to the problem, but may be the only option in some cases.
5. Discard bounces which are not destined for local delivery. Another not-great option.
6. Force users to go through a closed loop confirmation process for every address they would like to use as a env-sender, reject mail with sender addresses not in the resulting opt-in list - or resort to #5 or #3 for them. This is probably the best option, but also the one that requires the most work from ISPs and their users.

To prevent your system from being abused, you should ensure that your proxy is only accessible to your local network (or that it has authentication in place).

AnalogX version 4 has an insecure configuration by default and must be reconfigured to bind only to the local network interface. Earlier versions of AnalogX and versions of Wingate prior to 2.1 cannot be secured and must be upgraded to a current version.

For information about SOCKS, see http://socks.permeo.com/AboutSOCKS/index.asp

This is a copy of an old page from Spam Links. Please visit spamlinks.net for updated or new information.

Fixing Open Proxies An open proxy can be used to anonymize connections to open relays, further complicating tracking a spammer down. These links contain advice on how to close an open proxy if you are using one of the main proxy servers found on the internet. If your proxy isn't listed here, try reading the manual or help files that came with the proxy, or contact the vendor, and if you do find a useful link to get the proxy closed, let us know. If you've been told you have an open proxy, but you didn't even know you had a proxy, open or otherwise, you may have a spam trojan. Consider using a virus scanner. Make of Proxy Advice to help close the proxy Miscellaneous Web Proxies www.cit.cornell.edu/computer/security/openweb/#remove Generic CONNECT Proxy www.kb.cert.org/vuls/id/150227 www.securityfocus.com/bid/4131 Apache Module mod_proxy httpd.apache.org/docs/mod/mod_proxy.html#access httpd.apache.org/docs-2.0/mod/mod_proxy.html#access httpd.apache.org/docs-2.1/mod/mod_proxy.html#access Squid squid.visolve.com/squid/squid24s1/access_controls.htm www.squid-cache.org/Doc/FAQ/FAQ-10.html Wingate support.qbik.com/index.php?_a=knowledgebase&_j=questiondetails&_i=34 Wingate 2.x www.practicallynetworked.com/sharing/secureproxy.htm N.B. Deerfield no longer produce or support Wingate of any version Microsoft Proxy Server www.microsoft.com/isaserver/evaluation/previousversions/default.asp WinProxy www.ositis.com/english/downloads/dl_config_en.asp CacheFlow www.cacheflow.com/files/solutions/solution_http_connect.pdf www.securityfocus.com/bid/4143 ComSocks www.linkbyte.com/support_client.htm Proxy Plus www.proxyplus.cz/security.php?lang=en Venturi Client www.venturiwireless.com/tech_support/Q_and_A/Q_A_09.htm 4D WebStar www.4d.com/support/documentation.html#webstar Gordano Proxy Server www.gordano.com/support/manuals/GMS_Admin_Guide/wwwproxy.html#pgfId-1010478 Cisco Transparent Cache Engine and Content Engine www.cisco.com/warp/public/707/transparentcache-tcp-relay-vuln-pub.shtml Trend InterScan VirusWall for UNIX 3.x kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13211 kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=15960 WinRoute Pro support.kerio.com/index.php?_a=knowledgebase&_j=questiondetails&_i=42 Compaq web-enabled management software www.kb.cert.org/vuls/id/991240 MondoSearch www.mondosoft.com/security/ AnalogX Here is an extract from the readme file that came with AnalogX 4.14: By default the proxy binds to all TCP/IP interfaces... it will service requests from the Internet... You can force Proxy to only bind to your local IP address in the Configuration menu... if a valid [local] TCP/IP address is entered, the proxy will ONLY bind to that [and] the proxy will only talk to machines that connect to...your local network. That explains why there are so many open AnalogX proxies. Contact the author for any additional support you require.

• Abuse.net's introduction to spam: What is it and why is it bad?
• Elsop's anti-spam page - lots of other links to more information
• SamSpade - tools for the unix-deprived and other good info
• Bestprac.com - A guide for all types of users on how to avoid spamming
• abuse.net - ISP abuse address clearinghouse
• Realtime blackhole list - blocking of selected email servers
• Spamhaus - Lists ISPs who keep organized spamming alive
• The SpamCon Foundation (formerly suespammers.org)
• The author of this software, Julian Haight
• Net abuse jargon file - Cues for the acronym challenged
• Net abuse FAQ - all about spam
• An organization to fight "street spam" - those unsightly weight loss signs on the highway.
• Reading Email Headers.
• Sneakemail is a service that gives you more control over the emails you receive.
• SpamWars, a humorous kill-the-spammer browser-based game
• Monitoring and reporting worm/hacking activity

Recursos anti-spam en español

• Campaña anti-spam de El Espectador (Uruguay)
• Información básica acerca del 'spam'

For helping to wipe out spam by accepting and acting on spam reports: white-hat ISPs everywhere!

For putting up with SpamCop's mistakes and donating his time to fight the good fight: John Levine, author of the extremely fabulous Internet for Dummies, Internet Secrets, Internet Privacy for Dummies, and other books you can find at http://net.gurus.com

For providing the newsgroups and forums:
Jeff Tucker, Corporate Email Services

The SpamCop Deputies (many are listed elsewhere on this page) for their hard work trying to keep ISPs, administrators and SpamCop members around the world happy:
Don (aka Don D'Minion aka Argyle)
Ellen
Richard
Kelly

Ironport Systems, Inc. for purchasing SpamCop and for it's significant investments, not the least of which is the time invested by employees of the company:
System administration: Mike B and Tom A
Software development: Mike L, Cedric W, Kyle V
.. and many others who have contributed to the more business-related areas such as management, legal and accounting (if you aren't listed and want to be, let us know).

For maintaining the FAQ:
Richard W

For contributing a SpamCop's logo:
Andy Markley (Art 101)

For hosting blacklist mirrors (if you aren't mentioned and you want to be, let us know):
Griffin Internet
EASYHOST
(^) Caret Web Content Management

For contributing de-obfuscation code to SpamCop:
Joel Martin

For javascript help:
Jack Delay

For writing and maintaining the SpamCop news mailing list:
Pete Stephenson

For contributing answers to the FAQ:
Michael Lefevre
gK
John Pettitt
tj66821
~JA's~ Richard
Kelly Holmes
TeacherJH (Jose)
Christoph Conrad
x47 (Ellen)
dollface
Bill Henry
mikevp
Alexey Nogin
keith smyth
Ruud H.G. van Tol
John Levine

For frequently posting (correct) answers in the forum:
Jos� Lamas R�os (Thanks also for translation)
Michael Lefevre
Kevin
Everyone else who does so - sorry if I forgot you.
I'm also forgetting all the folks who have done translations. If you're one of them, let me know and I'll fix my error!

For financial contributions in excess of $100 (let us know if we missed you!):

• Ken Marcus - Shopping Cart - ECommerce Web Hosting

Also thanks to everyone who contributes to free software such as linux, apache, perl, sendmail and of course all the GNU programs that form the basis of all unix operating systems. This software forms the foundation on which SpamCop is built.