[SpamCop-List] Re: Spamcop reporting troubles
Flwrite
lostwithout at home.com
Sun Oct 10 15:54:14 EDT 2004
> > a phone call from the
> > central help desk telling you that your PC is spreading viruses. This
> > can't be true, was my initial reaction, but they were right
>>>But for the time being my
>>>solution is to avoid spamcop reporting at work

As a neophyte, here's my opinion. The punchline is to remove the
virus-file-attachment before forwarding the email to SpamCop.

If your procedure includes sending, forwarding, or otherwise transmitting a
virus email, then you're doing it wrong. I have never heard of any
legitimate service that would want you to re-send a virus. If I try to
email a virus, my antivirus program interrupts when I hit the Send button,
and I receive a small electric shock in the keyboard. (That was an
inexpensive, optional peripheral.)

To avoid such warnings when forwarding a virus email, the outgoing email
should include the complete headers of the virus email, but first remove the
virus attachment. That would do the trick. But problems remain.

If spam is forwarded "Quoted In-Line," the complete headers of the offending
email are displayed in the Body of the email. If the headers are included
properly, SpamCop will accept this. However, the headers are rendered
unusable by SpamCop if they are messed with, such as being broken up into
multiple lines. And invariably, long lines in the header _will_ be broken
up into two or three lines when Quoting In-Line. If that happens, SpamCop
won't accept the submission. Personally, I have never successfully
forwarded offending headers in the body of an email, no matter how hard I
try. Forwarding the email in-line opens it, re-formats it, and otherwise
screws up its headers.

Therefore, I send spam "as attachments," which simply forwards the offending
email file without opening it. It has never failed.

Forwarding a virus email in-line would have an advantage. Up in the corner,
the virus-file-attachment will be listed in the attachments. At that point,
I can delete the attachment, and send the email to SpamCop without actually
re-transmitting the virus, bothering my anti-virus software, or bothering my
IT department (who is me). However, I still have a problem with the header
information getting screwed up, so SpamCop won't accept the submission,
anyway.

If I hit "forward as an attachment" instead, the headers are kept intact
within the original email file, including its virus. That opens a New Email
window with an empty body, and the offending email listed in the
"Attachments List." In that case, there is no way to remove the virus
because it is contained within the single attached file -- the original
offending email including its header information, its body, its virus
attachment, etc., all in the single attached file. (.eml?)

So, I can't send a virus email to SpamCop as Quoted In-Line, because that
screws up its headers. And I can't send a virus email as an attachment,
because that doesn't provide an opportunity to delete the virus, first.

This may not be a bad thing. I have read something, somewhere, deep in the
SpamCop instructions, that they only want you to forward spam to them, not
viruses. So I do not consider myself "stuck" if I can't find a way to
forward a virus email to them -- they specified they don't want them,
anyway.

My biggest concern, Geo_Splash, is that your computer is apparently able to
Send a virus email, without making a fuss. I recommend either installing
some antivirus software that has email protection, or upgrading what you
already have. Check out http://www.my-etrust.com/microsoft/ by Computer
Associates. Its user interface is a dog, but the protection is good, and
it's free for a year. Not to be confused with Network Associates, who foist
McAfee upon the world. eTrust is much less bloated, and it even works well
with my older, Win98se computer. When I try to email a virus, the screen
switches to 640x480 16-color DOS, and provides a good clear warning (in ugly
red and yellow). When the monitor switches to ugly DOS, it lets out a
little high-voltage "snap!" which helps to attract attention and slow down
carelessly fast fingers. When I tell it "No," it returns to the previous
windoze mode, and all is well with the world.

In the meantime, the question is what to do with a virus email if SpamCop
won't process it for you. This is an opportunity to check out its headers,
learn to eliminate the fraudulent "From" and "Reply-To" fields, to search
for the true ISP from where the email was _really_ sent, and to find
that ISP's "abuse address" for reporting that one of their customers is
sending virus emails. Just like spam, there may be a bunch of red herring
IP addresses in the email, and you don't want to send a complaint to the
wrong organization.

When you are sure you have the proper IP address of the sender, go to
http://ww3.arin.net/whois/ and put the offending IP address into the field.
Instead of putting the whole IP address into the field, just put in the
first two bytes followed by two x's, like this -- 69.168.x.x In that case,
they will return a page with the organization's information, especially the
abuse at blah.com email address.

Then you're in business, and you can diplomatically send them an email with
a copy of the headers of the offending email. (Headers include the IP
address of the offender and the time they sent the email. That should be
sufficient to pin down the particular customer, even if they use dynamic IP
addresses.) You might include the name of the virus as reported by your
antivirus software. Keeping the original format of the header won't be
quite as sensitive as if you were submitting the information to the SpamCop
system, but you don't want to change anything, anyway.

Within a day or two, you'll get an email back from the other ISP, thanking
you for making the world a little cleaner.

Best luck,
-Neil-
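
The following Python example is added here and is not part of the original post or of SpamCop's tooling. Working from a saved raw message (.eml), it keeps the header block byte-for-byte so folded lines are never re-wrapped, drops the attachment parts, and lists the bracketed IPs found in the Received headers. The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_bytes

# Constructed sample (not from the post): folded Received lines, forged From,
# and a placeholder attachment whose base64 is just the word "CONSTRUCTED".
SAMPLE_EML = (
    b"Received: from mail.example.net (unknown [192.0.2.45])\r\n"
    b"\tby mx.example.org (Postfix) with ESMTP id ABC123;\r\n"
    b"\tSun, 10 Oct 2004 14:02:11 -0400 (EDT)\r\n"
    b"Received: from pc (localhost [127.0.0.1])\r\n"
    b"\tby mail.example.net with SMTP; Sun, 10 Oct 2004 14:02:09 -0400\r\n"
    b"From: \"Forged Sender\" <someone@example.com>\r\n"
    b"Subject: Your document\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n\r\n"
    b"--XYZ\r\nContent-Type: text/plain\r\n\r\nSee the attached file.\r\n"
    b"--XYZ\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Disposition: attachment; filename=\"document.pif\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\nQ09OU1RSVUNURUQ=\r\n"
    b"--XYZ--\r\n"
)

def raw_headers(raw):
    """Header block exactly as received: no re-wrapping, no re-encoding."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw if m is None else raw[:m.start()]

def received_ips(raw):
    """IPv4s from Received headers, topmost first; lower hops can be forged."""
    ips = []
    for value in message_from_bytes(raw).get_all("Received", []):
        ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
    return ips

def sanitized_report(raw):
    """Plain-text report for pasting into a complaint (not a re-sendable MIME
    message): original headers verbatim, text parts kept, attachments dropped."""
    lines, dropped = [], []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name or part.get_content_maintype() != "text":
            dropped.append(name or part.get_content_type())
        else:
            lines.append(part.get_payload(decode=True).decode("ascii", "replace"))
    lines += ["[attachment removed: %s]" % n for n in dropped]
    body = "\r\n".join(lines).encode("ascii", "replace") + b"\r\n"
    return raw_headers(raw) + b"\r\n\r\n" + body, dropped
```
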