[SC-Help] Re: Daughters email account being attacked: Best action?
Mike Easter
MikeE at ster.invalid
Fri Apr 28 02:08:03 EDT 2006

Dan French wrote:
> My daughter decided to start reporting spam to spamcop. Well, one
> spammer sent her 500+ spam e-mails to her account.

It is extremely unlikely that a 'spammer' [for some value of spammer, to
be discussed as a separate topic] is 'retaliating' by sending her 500
spams because of her SC reporting for several reasons:

- 500 spams isn't a 'retaliation'. Altho' it is slightly inconvenient,
it wouldn't even temporarily fill a mailbox to result in the effect of a
denial of service for mailbox too full

- a SC report is sent to the providers for the spamvertiser and for the
spamsource and the identity of the reporter is not 'announced'. The
identity of the reporter is only provided by the report ID and SC uses a
'standard' munge or obfuscation in an attempt to mask occurrences of the
recipient's email address

- many people who converse here in these newsgroups and forums have
reported tens of thousands of spams for years without any mungeing or SC
obfuscation of the reporting address -- emailed 'directly' from the
spammed address without any kind of retaliation

- there are much more likely explanations of receiving 500 spams, which
order of the various likelihoods would require a more precise
characterization of exactly what you mean when you say 'a spammer sent
her 500+ spam'

If she received 500 'identical' spams from identical source IPs, it is
far more likely that the 'mechanism' for the spamsending was
'hiccupping' and some normal spam generation process went awry and sent
a 'lot' of spams to the same recipient/s.

If she suddenly started getting a lot more spam of a wide and diverse
nature so that she is now getting 500 spams in a much shorter time than
she did prior to becoming a spamcop reporter, it is more likely that she
has begun to report spam in an insecure manner, discussed below, and as
a consequence of the insecure spam handling she has gotten herself onto
many more spam lists.

> What is the best course of action to take?

The first course of action is for 'us' -- we correspondents here, me,
you, and other readers and posters here - to better characterize exactly
what you mean when you say 'one spammer sent her 500+ spam'.

First, we need to get a little past the word 'spammer' -- because the
definition is fuzzy. A spam email typically has a source IP address --
that isn't a 'person', but an IP like 24.18.225.174. That spam email
has a From email address and handle, but that is typically bogus; also
doesn't represent a 'person'. The spam also typically has a 'payload'
or spamvertiser. That spamvertiser might be called a 'spammer' by some,
but the spamvertiser most often doesn't email a spam from its mail
system, except in the case of what I call 'straightup' spam which has
honest From which is the same as the source and the spamvertised.

There may be a tendency for some people to call the spamvertiser the
'spammer' -- but that isn't strictly true. The spamvertiser is the
spamvertiser; the spamsource is the spamsource; the From is bogus --
there is no 'spammer' in the evidence of the spam.

These days the most common method of spam sending is by injecting the
spam via a proxified or compromised and abused user IP -- so therefore
the true 'source' or spammer-injector is not determinable.

Lest the reader drop off to sleep because this post is getting too long,
I'll save the topic of insecure spam handling by spamcop reporters which
causes them to get more spam for another post.

--
Mike Easter
kibitzer, not SC admin
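
The two cases the post separates (many 'identical' spams from identical source IPs versus a wide and diverse flood) can be told apart mechanically over a saved batch of messages. The following is an added example, not part of the original post or of SpamCop's tooling; the sample messages, the thresholds, and the choice to read the source IP from the topmost Received header are assumptions made for illustration.

```python
import hashlib
import re
from collections import Counter
from email import message_from_string

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def source_ip(msg):
    # Assumption: the topmost Received header was written by the recipient's
    # own mail server; headers below it can be forged and are ignored.
    received = msg.get_all("Received", [])
    m = IP_RE.search(received[0]) if received else None
    return m.group(1) if m else None

def fingerprint(msg):
    # Subject + body with digit runs and whitespace collapsed, so per-copy
    # serial numbers do not make near-identical spams look different.
    payload = msg.get_payload()
    if isinstance(payload, list):  # multipart: flatten the parts
        payload = "".join(p.as_string() for p in payload)
    text = (msg.get("Subject", "") + "\n" + payload).lower()
    text = re.sub(r"\d+", "#", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8", "replace")).hexdigest()[:12]

def characterize(raw_messages, high=0.8, low=0.2):
    # high/low are illustrative thresholds, not values from the post.
    msgs = [message_from_string(r) for r in raw_messages]
    if not msgs:
        return {"verdict": "empty"}
    ips = Counter(source_ip(m) for m in msgs)
    bodies = Counter(fingerprint(m) for m in msgs)
    top_ip, ip_n = ips.most_common(1)[0]
    ip_share = ip_n / len(msgs)
    body_share = bodies.most_common(1)[0][1] / len(msgs)
    if ip_share >= high and body_share >= high:
        verdict = "repeated-run"   # one source resending one message
    elif ip_share <= low and body_share <= low:
        verdict = "diverse"        # many sources, many different spams
    else:
        verdict = "mixed"
    return {"verdict": verdict, "top_source": top_ip,
            "distinct_sources": len(ips), "distinct_bodies": len(bodies)}

def _sample(ip, subject, body):  # constructed test message, documentation IPs
    return (f"Received: from mail.example ([{ip}]) by mx.example.net; "
            f"Fri, 28 Apr 2006 02:00:00 -0400\nFrom: bogus@example.com\n"
            f"Subject: {subject}\n\n{body}\n")

HICCUP = [_sample("192.0.2.10", "Cheap meds", f"Order now, ref {i}") for i in range(20)]
DIVERSE = [_sample(f"198.51.100.{i}", f"Offer {chr(65 + i)}", f"Pitch {chr(97 + i)}") for i in range(20)]
```

A "repeated-run" verdict matches the 'hiccupping' explanation; a "diverse" verdict over a short time span is the pattern the post attributes to the address having landed on more spam lists.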