
[SC-Help] Re: Understanding SC's Reports

Mike Easter MikeE at ster.invalid
Tue May 9 15:02:18 EDT 2006


antioch wrote:

> The spam I am getting is, I am told, in .gif format and so message
> rules do not apply, although there is a very long workaround I
> believe.

One example of spams which are in a .gif are stock spams.  Typically the
only thing which will come out of the spamcop parse will be spamcop
identifying the IP of the source and offering to report that spamsource
IP to the spamsource provider.

The method by which SC spamcop determines a notify is based on a lookup
in the regional registrar for the IP block.

All of the IPs of the world which are routing can be found in the whois
lookup of one of the RIR regional internet registrars, arin, ripe,
lacnic, apnic, afrinic.  There is a lot of 'organization' about ICANN
and its ASO and NRO and those registrars.

SC uses those databases db/s to determine the contact information for
the IP's block, and also uses the abuse.net registered contact or its
default suggestions for a domainname derived from the RIR contact, and
also uses its own experience with addresses which bounce, and also uses
its own database of human adjustments referred to as 'routing'
information.  SC also uses any information which a provider or other
admin has provided about whether it wants to be notified or not, or
alternate addresses for notifying.  In addition, sometimes there are
third parties which may be notified about an IP or about all IPs.

> When I have received the email reply to a spam report, what am I
> looking for, where do I find it, what do I do with the info contained
> within this report, what actions do I do or SC do for me.
> Of the first 8 sent, some have extra bits added to it, like
>
> Quoting: Reports re this spam have already been sent to....
> If reported today, would be sent to....
> Abuse at .......
> Re144 ... ... ...
> spamcop at imaphost
>
> Sorry this email is too old etc etc but goes on and gives more info
> plus 'If reported....then at bottom Re 144 ... ... 3rd party interest
> in email report.
> Another, towards the bottom asks if this email IS Spam with a name
> and email address.
> Then I have three choices Send Spam - Report Now - Preview Report and
> Cancel Underneath is a warning box - avoid checking any boxes left
> empty...false reports etc
> Quotes End

All of that is about the reporter fulfilling hir responsibilities about
reporting spam.

> I have interspliced/clipped my responses and yours just to pick out
> the salient points.  Hope it works ;-)
> Hope you don't mind - and as a result, I have top-posted. :-(
>
> "Mike Easter" <MikeE at ster.invalid> wrote in message
> news:e3q8q5$d81$1 at news.spamcop.net...
>
>> That is a very useful activity.
>
> Not according to 'Her indoors'

I don't understand 'her indoors'

>> I also 'recommend' using the webparser first for most people.  To me
>> it is simpler and cleaner to 'troubleshoot'.  The person needs to
>> know how to access the raw spam with complete headers with their
>> mailuser agent, and then they paste it into the webparser, and then
>> they immediately see the result of the parse.
>
> I will do as you suggest with the next 8 to 10 waiting in my 'Kill
> Folder'. I will need to read-up on that.

You can also do it with an old one;  all you have to do is parse
something you have already reported, and then copy the tracking url, and
then cancel the report.

> As I was doing attachments to each email to send to SC, I started to
> get the email replies with the links like you put below as an
> example. And I was also doing searches re the IP numbers - I do these
> from time to time on other search engines, as it is a neat practice
> to have.

I completely agree.  When I first started to use spamcop, I did not use
it to report.  I manually parsed all of my own spam headers and
'manually' by doing my own lookups determined all of my own notifies.
After I was completely thru' deriving my own notifies, then I submitted
the spam to spamcop to see how spamcop would notify, and I compared SC's
results with my own, and cancelled the spamcop report.  When they
differed, I sought to understand why my notify would be different from
SC's.  When I was a neophyte, it was often that SC was not only much
faster at notifying than I, but also 'better'.  As time went on and I
became more skilled at both parsing and also deriving notify addresses,
then I became better at notifying by my criteria than spamcop's
notifies.

>> May be saved for future reference:
>>
>> http://www.spamcop.net/sc?id=z939018156zce3ff9ab3b5765265194cea1472a5ccez
>
> Both the above are the same? - it's the info contained in them I don't
> understand. That is what I was asking

We can talk about that.  I have a way I like to use to abbreviate the
Received headerlines.  I'll use one of mine from above as an example

In the above example there's only one line:

   Abbreviated Received traceline *comment
   from my.flirt.com.ua ([58.51.7.200]) by mx-roseate.atl.sa.earthlink.net *sourceline
SC determines that source IP and determines the notifies for it, and
also determines a spamvertised link and determines the notifies for it.
In addition, SC offers to report to the 3rd party at imaphost.com -- 
which is another story and which I routinely uncheck.

>> When you submit a spam to the webparser, it can give you its verbose
>> output if you configure for that in the preferences.

On the page with the webparser which I'm encouraging you to use and
experience, there is a 'preferences' link which gives you access to 4
different kinds of preferences, one of which is report handling.  In the
report handling preferences, there are a number of choices, the 4th one
of which is "Show Technical Details during reporting".  I like those
technical details.

>> That verbose
>> output tells you a lot about what is the parser's logic in its
>> processes.  If you think the faq was difficult to understand and
>> navigate, you'll find the parser verbose particularly confusing.
>> But it too is worth getting oriented with.
>
> Configure - I don't remember reading about that - I can't believe I
> missed something!!!! So you can get a condensed reply of info if you
> want??

The preference for show technical details is /more/ verbose or wordy, not
less.

> Better to take things in stages.  I will have a go at the web parse.

Good idea.

-- 
Mike Easter
kibitzer, not SC admin
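
The abbreviated Received traceline and source-IP selection described in the message above, as an added example (not part of the original post and not SpamCop's parser). The trusted relay network 198.51.100.0/24, the host mailstore.example.net and the first and third Received lines are constructed assumptions; only the middle hop comes from the post.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample. Hop 2 is the line quoted in the post; hop 1 (an internal
# handoff from a documentation-range relay IP) and hop 3 (a forged line of the
# kind a sender can prepend) are invented for illustration.
RAW = """\
Received: from mx-roseate.atl.sa.earthlink.net ([198.51.100.10])
\tby mailstore.example.net with ESMTP; Tue, 9 May 2006 10:00:05 -0400
Received: from my.flirt.com.ua ([58.51.7.200])
\tby mx-roseate.atl.sa.earthlink.net with SMTP; Tue, 9 May 2006 10:00:00 -0400
Received: from mail.example.org ([192.0.2.77]) by my.flirt.com.ua
\twith ESMTP; Tue, 9 May 2006 09:59:00 -0400
Subject: constructed sample

body
"""

HOP = re.compile(r"from\s+(\S+)\s+\([^()]*?\[([0-9.]+)\][^()]*\)\s+by\s+(\S+)")

def trace(raw, trusted_nets):
    """Return (source_ip, abbreviated lines) for a raw message.

    Received lines are read newest first. A line is believed only while every
    hop above it was handed over by a relay inside trusted_nets (assumed to be
    the recipient provider's own relays); the first sending IP outside those
    networks is the source, and everything below it is unverified.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    source, lines, believed = None, [], True
    for header in message_from_string(raw).get_all("Received", []):
        m = HOP.match(header.strip())
        if m is None:          # no "from host ([ip]) by host": stop believing
            believed = False
            continue
        helo, ip, by = m.groups()
        tag = "*unverified"
        if believed:
            try:
                inside = any(ipaddress.ip_address(ip) in n for n in nets)
            except ValueError:  # malformed address in the header
                inside, ip = False, "invalid"
            tag = "*trusted relay" if inside else "*sourceline"
            if not inside:
                source, believed = (None if ip == "invalid" else ip), False
        lines.append(f"from {helo} ([{ip}]) by {by} {tag}")
    return source, lines

if __name__ == "__main__":
    src, hops = trace(RAW, ["198.51.100.0/24"])
    print("\n".join(hops))
    print("source IP to look up in the RIR whois:", src)
```

The returned source IP is the value to look up in the regional registrar's whois to find the notify address; lines tagged *unverified were not written by a relay you trust and should not drive a report.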


