[SpamCop-List] Reporting: Common Practices / Best Practices

Wed Jan 21 18:12:49 EST 2004

At 04:41 PM 1/21/2004 -0600, Thomas Mooney typed:

>>From time to time there is anecdotal evidence of people reporting the wrong
>party.  Sometimes they report their own ISP.  Sometimes a party gets placed
>on SC's RBL causing those using SC's mail service to have additional mail
>from that party tagged/routed as spam.  Some SC users then inadvertently
>report that mail as spam in spite of the fact that they may have subscribed
>to that particular piece of mail.  (In some cases what is spam to one part
>is mail to another).

This was a good summary but the evidence isn't very anecdotal when the
people reporting the wrong party come in here to confess and ask for
suggestions on what to do next...

>Anyway, at this point the newsgroup discussion generally turns to something
>like: "You need to be responsible for each and every report you make.  You
>need to verify that each report is going to the correct party.  Etc.".

Yes, I think you should only report what you can realistically expect to be
responsible for.  I think SpamCop is more responsible for determining who
to send LARTs to, but you should at least make an attempt to understand
the basics of following a parse and be able to recognize a clear mistake on
the parser's part.

>My question is this:
>
>To what lengths do people go in this effort?  Do people look at the IP chain
>parse to make sure SpamCop got it right?  Do people do any validation on the
>spamvertised sites?

I go to great lengths, but then I get less than a dozen or so SPAM per day at
my work address.  I do look at the parse but trust SpamCop more than I
trust myself.  No, I don't check the SPAMvertised sites at all!  Getting you
to click on their links is the whole point of the SPAM, so why take the bait?
Unless a site is very obviously an innocent bystander, like the NEJM being
used as proof that a penis enlargement pill will work, I let SpamCop LART
them all.

>Here's what I do:
>1) I validate that what I've given to SpamCop is actually spam.  Sometimes
>the Subject: is a dead giveaway (e.g. a list of the drugs, misspelled just
>enough to fool SpamAssassin, that I can get without a doctor's visit),
>sometimes I need to look at the body.  There are lots of little clues.
>Bottom line: I make sure it's not mail I requested.

I am paranoid so I pre-munge everything before I report it to SpamCop.
By doing this, I not only fool myself into thinking I have protected myself
from revenge, but I can be pretty sure that what I thought was SPAM
really was cause I just walked through it looking for secret identity codes...

>2) Validate that I'm not reporting my own IP.  Only a couple times has the
>parser broken for me.  But I'm always on the lookout.  If it comes up
>rr.com, I confirm it's not my mail server being tagged.

Yes, I realized long ago that SpamCop's parser is better equipped to
root out the actual insertion point than I am.  I give the parse a once
over to make sure there aren't any glaring errors but I usually accept
whatever source SpamCop determines. Making sure my own host
hasn't been tagged is a no brainer...

>3) Send Spam Report(s) Now
>
>I look at the spamvertised sites out of interest, but I don't really
>scrutinize them.  I just assume the SpamCop is better at figuring these
>things out than I am.  If your spam is anything like mine, I see the same
>players over and over again.  But if a new site shows up, I don't get
>terribly suspicious.

Again, being paranoid, I always uncheck the reports sent to Cyveilence..
This give me the opportunity to check who the rest of the reports are
being sent to.  Again, if I notice my own host, I would stop everything
and try to figure out what went wrong.  I am also looking to make sure
the urls in the SPAM were found and are being reported.  Too many
times some misplaced header has caused this to fail, so I pay attention
to what is found and where it is being reported.  I would recommend
against checking out the sites themselves because the very act of doing
so can identify you as a live address if a unique url was used... Told
ya I was paranoid...

>Is my approach something close to "normal"?  Are others more rigorous?
>Tips?  Suggestions?

I'd say you are an above average reporter.  You seem to be as diligent
as I am to make sure you aren't reporting yourself or non-SPAM.  I
think the serious offenders are those with way too much SPAM to
report.  These are the ones using shortcuts to report as much as
possible, whether or not they have the time or inclination to check
things out responsibly.  Even though these are hard core reporters
and pulling the plug on them may hurt in the short term, I think
SpamCop would be all the stronger in the long run.