Discussion:
Understanding SC's Reports
antioch
2006-05-09 14:09:33 UTC
Hello to this group
I have recently joined spamcop in hope that I might add my help to fight
spam.
I spent all day yesterday (well just over 10 hours) going round and round
their site, trying to figure out what it was all about.
Can't say I did very well, but at my age it takes a hell of a time to let
info sink in.
I managed to sort out the reporting side - chose email method - seemed the
easiest way - sent off 8 spams.
Reports started to fly back as fast as I could send.
I also had a try at searching those IP numbers.
Having got these reports, I then spent some hours trying to find a way to
see how to read/understand/interpret them. Despite trying various words in
the search facility I gave up.
It's probably there somewhere. If anybody knows then a prod in the right
direction would be appreciated.
Rgds
Antioch
P.S.
I tried the forum for an answer - I think I will give that a miss.
I have spent most of today having to read so much .... before making that
first post.
I prefer newsgroups.
Mike Easter
2006-05-09 14:26:32 UTC
Post by antioch
Hello to this group
I have recently joined spamcop in hope that I might add my help to
fight spam.
Okey dokey.
Post by antioch
I spent all day yesterday (well just over 10 hours) going round and
round their site, trying to figure out what it was all about.
That is a very useful activity.
Post by antioch
Can't say I did very well, but at my age it takes a hell of a time to
let info sink in.
I managed to sort out the reporting side - chose email method -
seemed the easiest way - sent off 8 spams.
I also 'recommend' using the webparser first for most people. To me it
is simpler and cleaner to 'troubleshoot'. The person needs to know how
to access the raw spam with complete headers with their mailuser agent,
and then they paste it into the webparser, and then they immediately see
the result of the parse.

Whereas emailing is a 'blackbox' concept, and if there is trouble, I
think there can be confusion about where things weren't right.
Post by antioch
Reports started to fly back as fast as I could send.
I also had a try at searching those IP numbers.
I'm losing you. I don't know what you mean.
Post by antioch
Having got these reports, I then spent some hours trying to find a
way to see how to read/understand/interpret them. Despite trying
various words in the search facility I gave up.
Let's do something different.

Let's talk about a spam by your posting its tracking URL. That is, you
submit a spam to the parser; I recommend the webparser, but you can
also use email if it is working for you. The tracker and its
environment looks like:

Here is your TRACKING URL - it may be saved for future reference:
http://www.spamcop.net/sc?id=z939018156zce3ff9ab3b5765265194cea1472a5ccez

at the top of the webparse before reporting or cancelling, which you
would copy for pasting here, or in the email that SC sends you in this
environment:

May be saved for future reference:
http://www.spamcop.net/sc?id=z939018156zce3ff9ab3b5765265194cea1472a5ccez
Post by antioch
It's probably there somewhere. If anybody knows then a prod in the
right direction would be appreciated.
I'm not sure what you are trying to find out.

When you submit a spam to the webparser, it can give you its verbose
output if you configure for that in the preferences. That verbose
output tells you a lot about what is the parser's logic in its
processes. If you think the faq was difficult to understand and
navigate, you'll find the parser verbose particularly confusing. But it
too is worth getting oriented with.
Post by antioch
I prefer newsgroups.
Me too.
--
Mike Easter
kibitzer, not SC admin
antioch
2006-05-09 20:03:15 UTC
Hello Mike
And thank you for the response - you not understanding my explanations will
happen, until the 'geek/lingo' speak is more familiar.
The spam I am getting is, I am told, in .gif format and so message rules do
not apply, although there is a very long workaround I believe.
When I have received the email reply to a spam report, what am I looking
for, where do I find it, what do I do with the info contained within this
report, what actions do I do or SC do for me.
Of the first 8 sent, some have extra bits added to it, like

Quoting: Reports re this spam have already been sent to....
If reported today, would be sent to....
***@.......
Re144 ... ... ...
***@imaphost

Sorry this email is too old etc etc but goes on and gives more info plus 'If
reported....then at bottom Re 144 ... ... 3rd party interest in email
report.
Another, towards the bottom asks if this email IS Spam with a name and email
address.
Then I have three choices Send Spam - Report Now - Preview Report and Cancel
Underneath is a warning box - avoid checking any boxes left empty...false
reports etc
Quotes End

I have interspliced/clipped my responses and yours just to pick out the
salient points. Hope it works ;-)
Hope you don't mind - and as a result, I have top-posted. :-(
Post by Mike Easter
That is a very useful activity.
Not according to 'Her indoors'
Post by Mike Easter
I also 'recommend' using the webparser first for most people. To me it is
simpler and cleaner to 'troubleshoot'. The person needs to know how to
access the raw spam with complete headers with their mailuser agent, and
then they paste it into the webparser, and then they immediately see the
result of the parse.
I will do as you suggest with the next 8 to 10 waiting in my 'Kill Folder'.
I will need to read-up on that.
Post by Mike Easter
Post by antioch
Reports started to fly back as fast as I could send.
I also had a try at searching those IP numbers.
I'm losing you. I don't know what you mean.
As I was doing attachments to each email to send to SC, I started to get the
email replies with the links like you put below as an example. And I was
also doing searches re the IP numbers - I do these from time to time on
other search engines, as it is a neat practice to have.
Post by Mike Easter
Let's do something different.
Let's talk about a spam by your posting its tracking URL. That is, you
submit a spam to the parser; I recommend the webparser, but you can also
use email if it is working for you. The tracker and its environment looks
http://www.spamcop.net/sc?id=z939018156zce3ff9ab3b5765265194cea1472a5ccez
at the top of the webparse before reporting or cancelling, which you would
copy for pasting here, or in the email that SC sends you in this
http://www.spamcop.net/sc?id=z939018156zce3ff9ab3b5765265194cea1472a5ccez
Both the above are the same? - it's the info contained in them I don't
understand. That is what I was asking
Post by Mike Easter
Post by antioch
It's probably there somewhere. If anybody knows then a prod in the right
direction would be appreciated.
I'm not sure what you are trying to find out.
When you submit a spam to the webparser, it can give you its verbose
output if you configure for that in the preferences. That verbose output
tells you a lot about what is the parser's logic in its processes. If you
think the faq was difficult to understand and navigate, you'll find the
parser verbose particularly confusing.
But it too is worth getting oriented with.

Configure - I don't remember reading about that - I can't believe I missed
something!!!! So you can get a condensed reply of info if you want??
Post by Mike Easter
--
Mike Easter
kibitzer, not SC admin
Thank you again for the help. I will leave it there for the moment.
Better to take things in stages. I will have a go at the web parse.
Rgds
Antioch
'You cant educate pork' - The bagpipes seem a better alternative.
Mike Easter
2006-05-09 21:02:18 UTC
Post by antioch
The spam I am getting is, I am told, in .gif format and so message
rules do not apply, although there is a very long workaround I
believe.
One example of spams which are in a .gif are stock spams. Typically the
only thing which will come out of the spamcop parse will be spamcop
identifying the IP of the source and offering to report that spamsource
IP to the spamsource provider.

The method by which SC spamcop determines a notify is based on a lookup
in the regional registrar for the IP block.

All of the IPs of the world which are routing can be found in the whois
lookup of one of the RIR regional internet registrars, arin, ripe,
lacnic, apnic, afrinic. There is a lot of 'organization' about ICANN
and its ASO and NRO and those registrars.

SC uses those databases db/s to determine the contact information for
the IP's block, and also uses the abuse.net registered contact or its
default suggestions for a domainname derived from the RIR contact, and
also uses its own experience with addresses which bounce, and also uses
its own database of human adjustments referred to as 'routing'
information. SC also uses any information which a provider or other
admin has provided about whether it wants to be notified or not, or
alternate addresses for notifying. In addition, sometimes there are
third parties which may be notified about an IP or about all IPs.
Post by antioch
When I have received the email reply to a spam report, what am I
looking for, where do I find it, what do I do with the info contained
within this report, what actions do I do or SC do for me.
Of the first 8 sent, some have extra bits added to it, like
Quoting: Reports re this spam have already been sent to....
If reported today, would be sent to....
Re144 ... ... ...
Sorry this email is too old etc etc but goes on and gives more info
plus 'If reported....then at bottom Re 144 ... ... 3rd party interest
in email report.
Another, towards the bottom asks if this email IS Spam with a name
and email address.
Then I have three choices Send Spam - Report Now - Preview Report and
Cancel Underneath is a warning box - avoid checking any boxes left
empty...false reports etc
Quotes End
All of that is about the reporter fulfilling hir responsibilities about
reporting spam.
Post by antioch
I have interspliced/clipped my responses and yours just to pick out
the salient points. Hope it works ;-)
Hope you don't mind - and as a result, I have top-posted. :-(
Post by Mike Easter
That is a very useful activity.
Not according to 'Her indoors'
I don't understand 'her indoors'
Post by antioch
Post by Mike Easter
I also 'recommend' using the webparser first for most people. To me
it is simpler and cleaner to 'troubleshoot'. The person needs to
know how to access the raw spam with complete headers with their
mailuser agent, and then they paste it into the webparser, and then
they immediately see the result of the parse.
I will do as you suggest with the next 8 to 10 waiting in my 'Kill
Folder'. I will need to read-up on that.
You can also do it with an old one; all you have to do is parse
something you have already reported, and then copy the tracking url, and
then cancel the report.
Post by antioch
As I was doing attachments to each email to send to SC, I started to
get the email replies with the links like you put below as an
example. And I was also doing searches re the IP numbers - I do these
from time to time on other search engines, as it is a neat practice
to have.
I completely agree. When I first started to use spamcop, I did not use
it to report. I manually parsed all of my own spam headers and
'manually' by doing my own lookups determined all of my own notifies.
After I was completely thru' deriving my own notifies, then I submitted
the spam to spamcop to see how spamcop would notify, and I compared SC's
results with my own, and cancelled the spamcop report. When they
differed, I sought to understand why my notify would be different from
SC's. When I was a neophyte, it was often that SC was not only much
faster at notifying than I, but also 'better'. As time went on and I
became more skilled at both parsing and also deriving notify addresses,
then I became better at notifying by my criteria than spamcop's
notifies.
http://www.spamcop.net/sc?id=z939018156zce3ff9ab3b5765265194cea1472a5ccez
Post by antioch
Both the above are the same? - it's the info contained in them I don't
understand. That is what I was asking
We can talk about that. I have a way I like to use to abbreviate the
Received headerlines. I'll use one of mine from above as an example

In the above example there's only one line:

Abbreviated Received traceline *comment
from my.flirt.com.ua ([58.51.7.200]) by
mx-roseate.atl.sa.earthlink.net *sourceline

SC determines that source IP and determines the notifies for it, and
also determines a spamvertised link and determines the notifies for it.
In addition, SC offers to report to the 3rd party at imaphost.com --
which is another story and which I routinely uncheck.
Post by antioch
Post by Mike Easter
When you submit a spam to the webparser, it can give you its verbose
output if you configure for that in the preferences.
On the page with the webparser which I'm encouraging you to use and
experience, there is a 'preferences' link which gives you access to 4
different kinds of preferences, one of which is report handling. In the
report handling preferences, there are a number of choices, the 4th one
of which is "Show Technical Details during reporting". I like those
technical details.
Post by antioch
That verbose
Post by Mike Easter
output tells you a lot about what is the parser's logic in its
processes. If you think the faq was difficult to understand and
navigate, you'll find the parser verbose particularly confusing.
But it too is worth getting oriented with.
Configure - I don't remember reading about that - I can't believe I
missed something!!!! So you can get a condensed reply of info if you
want??
The preference for show technical details is /more/ verbose or wordy, not
less.
Post by antioch
Better to take things in stages. I will have a go at the web parse.
Good idea.
--
Mike Easter
kibitzer, not SC admin
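
The source-line step described in the post above (abbreviate each Received line, then take the hop recorded by the recipient's own mail server as the source) can be sketched as follows. This is an added example, not part of the thread and not SpamCop's parser; the function names are hypothetical, the trusted suffix `earthlink.net` is assumed from the quoted traceline, and everything in the sample except that traceline's host names and IP is constructed.

```python
import ipaddress
import re
from email import message_from_string
from typing import NamedTuple, Optional, Sequence

# Constructed sample. Only the first hop (host names and IP) is the line
# quoted in the thread; the dates, the second Received line and the other
# headers are made up for illustration.
SAMPLE = (
    "Received: from my.flirt.com.ua ([58.51.7.200])\n"
    "\tby mx-roseate.atl.sa.earthlink.net with SMTP;\n"
    "\tTue, 9 May 2006 10:00:00 -0400\n"
    "Received: from mail.example.org ([192.0.2.10])\n"
    "\tby my.flirt.com.ua with ESMTP; Tue, 9 May 2006 09:59:00 -0400\n"
    "From: tips@example.org\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# Matches the "from HELO (rdns [ip]) by HOST" shape used in the thread.
# Other Received layouts exist; lines that do not match are treated as
# unparseable rather than guessed at.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^()\[\]]*)\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)


class Hop(NamedTuple):
    helo: str  # name the sending host claimed (attacker-controlled)
    ip: str    # connecting IP as recorded by the receiving server
    by: str    # server that wrote this Received line


def parse_received(value: str) -> Optional[Hop]:
    """Unfold one Received header value and pull out helo, IP and by-host."""
    m = RECEIVED_RE.match(" ".join(value.split()))
    if not m:
        return None
    try:
        ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return Hop(m["helo"], m["ip"], m["by"].lower())


def abbreviate(hop: Hop) -> str:
    """Render a hop in the abbreviated traceline form used in the thread."""
    return f"from {hop.helo} ([{hop.ip}]) by {hop.by}"


def is_trusted(host: str, suffixes: Sequence[str]) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_source(raw_message: str, trusted_suffixes: Sequence[str]) -> Optional[Hop]:
    """Walk Received lines newest-first and return the source hop.

    Only lines written by a trusted server are believed. The first line
    written by anyone else ends the walk, because the sender could have
    forged it and everything below it. Internal handoffs (non-global IPs)
    are skipped so the result is the external IP that entered the network.
    """
    source = None
    for value in message_from_string(raw_message).get_all("Received", []):
        hop = parse_received(value)
        if hop is None or not is_trusted(hop.by, trusted_suffixes):
            break
        if ipaddress.ip_address(hop.ip).is_global:
            source = hop
    return source


if __name__ == "__main__":
    hop = find_source(SAMPLE, ["earthlink.net"])
    print(abbreviate(hop) + " *sourceline" if hop else "no trusted hop found")
```

The IP this returns is the one that would then be looked up in the regional registrar's whois to find a reporting contact.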
antioch
2006-05-09 23:24:00 UTC
Post by Mike Easter
One example of spams which are in a .gif are stock spams. Typically the
only thing which will come out of the spamcop parse will be spamcop
identifying the IP of the source and offering to report that spamsource IP
to the spamsource provider.
Stock reports - yes they are the ones I am getting
Post by Mike Easter
The method by which SC spamcop determines a notify is based on a lookup in
the regional registrar for the IP block.
All of the IPs of the world which are routing can be found in the whois
lookup of one of the RIR regional internet registrars, arin, ripe, lacnic,
apnic, afrinic. There is a lot of 'organization' about ICANN and its ASO
and NRO and those registrars.
They are some I have used in the past.
Post by Mike Easter
SC uses those databases db/s to determine the contact information for the
IP's block, and also uses the abuse.net registered contact or its default
suggestions for a domainname derived from the RIR contact, and also uses
its own experience with addresses which bounce, and also uses its own
database of human adjustments referred to as 'routing' information. SC
also uses any information which a provider or other admin has provided
about whether it wants to be notified or not, or alternate addresses for
notifying. In addition, sometimes there are third parties which may be
notified about an IP or about all IPs.
Interesting info.

CLIPPED
Post by Mike Easter
Post by antioch
Sorry this email is too old etc etc but goes on and gives more info
plus 'If reported....then at bottom Re 144 ... ... 3rd party interest
in email rep
All of that is about the reporter fulfilling hir responsibilities about
reporting spam.
So I have done another 10 or more and got all the reports back and saved. I
did it as you said and by God it was fast. They must have one hell of a
computer/programme.
This is what I mean - unless I know what I am reading in these reports, then
I have no idea what I am supposed to do next. In partic on the ones that
ask if this is a spam.
Post by Mike Easter
Post by antioch
Not according to 'Her indoors'
I don't understand 'her indoors'
Are you from the other side of the pond?
Her indoors OR she who must be obeyed - it's the wife :-) :-)
Post by Mike Easter
Post by antioch
Post by Mike Easter
I also 'recommend' using the webparser first for most people. T
Done that way.
Post by Mike Easter
You can also do it with an old one; all you have to do is parse
something you have already reported, and then copy the tracking url, and
then cancel the report.
That is handy.
Post by Mike Easter
http://www.spamcop.net/sc?id=z939018156zce3ff9ab3b5765265194cea1472a5ccez
it's the info contained in them I don't
understand. That is what I was asking
Post by Mike Easter
We can talk about that. I have a way I like to use to abbreviate the
Received headerlines. I'll use one of mine from above as an example.
Abbreviated Received traceline *comment
from my.flirt.com.ua ([58.51.7.200]) by
mx-roseate.atl.sa.earthlink.net *sourceline
Sorry - you have lost me already.
Post by Mike Easter
SC determines that source IP and determines the notifies for it, and also
determines a spamvertised link and determines the notifies for it. In
addition, SC offers to report to the 3rd party at imaphost.com -- which
is another story and which I routinely uncheck.
Post by antioch
Post by Mike Easter
When you submit a spam to the webparser, it can give you its verbose
output if you configure for that in the preferences.
CLIPPED

there are a number of choices, the 4th one
Post by Mike Easter
of which is "Show Technical Details during reporting". I like those
technical details.
Thanks for that - yes I did spot it
Post by Mike Easter
Post by antioch
That verbose
Post by Mike Easter
output tells you a lot about what is the parser's logic in its
processes. If you think the faq was difficult to understand and
navigate, you'll find the parser verbose particularly confusing.
But it too is worth getting oriented with.
This is what I want to be able to do, otherwise the whole point of coming
here is rather pointless.
Post by Mike Easter
The preference for show technical details is /more/ verbose or wordy, not
less.
As I found out when making the choices.

Additional Info
As I went in and did the first parse/report as you suggested, I got a report
for an email that I have never received. It certainly was not the one I had
copied and pasted.
Panic set in - what the hell had I done - red card coming I thought.
So I found a contact, pasted it in there and explained what had happened.
Then I cancelled it as a choice, there and then.
Forgot to save a copy though. I am waiting for their reply.
I did the parse again and got a proper report the second time.

Many thanks again for your patience and help.
I see that in spam group there are a couple of threads re the stock spam.
Better go - her etc etc is wondering when/if I am going to bed.
Rgds
Antioch
'The name of the slough was Spamcop' - apologies to Bunyan
Ant
2006-05-09 23:49:52 UTC
Post by antioch
Post by Mike Easter
I don't understand 'her indoors'
Are you from the other side of the pond?
Mike is from Leftpondia, whereas U and I are Rightpondians.
Post by antioch
Her indoors OR she who must be obeyed - it's the wife :-) :-)
A popular UK colloquialism from the TV series Minder.
"I could be so good for you".

http://www.oed.com/bbcwordhunt/her-indoors.html
antioch
2006-05-09 23:56:21 UTC
And old Rumpy-Bumpy of the Old Bailey.
Post by Ant
Post by antioch
Post by Mike Easter
I don't understand 'her indoors'
Are you from the other side of the pond?
Mike is from Leftpondia, whereas U and I are Rightpondians.
Post by antioch
Her indoors OR she who must be obeyed - it's the wife :-) :-)
A popular UK colloquialism from the TV series Minder.
"I could be so good for you".
http://www.oed.com/bbcwordhunt/her-indoors.html
Mike Easter
2006-05-10 01:15:04 UTC
Post by Ant
Post by antioch
Post by Mike Easter
I don't understand 'her indoors'
Are you from the other side of the pond?
Mike is from Leftpondia, whereas U and I are Rightpondians.
You guys need to get straightened out on your ponds.

There are two. The big pond and the little pond.

I am on the right shore of the big pond.

You guys over there on the right shores of the little pond seem to
imagine that there is only one pond, and that the only people on the
other side of the little pond you know about are the ones on the left
shore of the little pond.

That is a little bit like imagining that the earth is flat or something.
We call it the Pacific Rim.


OTOH -- I have no defense for the inane methods of sizing paper in the
US. Why they don't adopt the logical standards of ISO 216 I have no
idea. Just for the record, I believe we should use ISO 8601 for time
standards and ISO 216 for paper standards.

Some of you Rightpondians are a little confused about some of those
issues as well.


There are a few lurking non-participants in these 'topic drifts' who
think the subject should be changed.

Bah humbug. We don't need no steenkin' subject badges.
--
Mike Easter
kibitzer, not SC admin
antioch
2006-05-10 09:31:02 UTC
Post by Mike Easter
Post by Ant
Post by antioch
Post by Mike Easter
I don't understand 'her indoors'
Are you from the other side of the pond?
Mike is from Leftpondia, whereas U and I are Rightpondians.
You guys need to get straightened out on your ponds.
We know where we are - WE only have one pond. We also have a 'gutter' which
keeps us away (but not enough these days) from another land-mass.
Post by Mike Easter
There are two. The big pond and the little pond.
Gosh - you are a lucky bloke - you have two ponds ;-) ;-)
Post by Mike Easter
I am on the right shore of the big pond.
Is that the sunny side, then?
Post by Mike Easter
You guys over there on the right shores of the little pond seem to
imagine that there is only one pond, and that the only people on the
other side of the little pond you know about are the ones on the left
shore of the little pond.
That is a little bit like imagining that the earth is flat or something.
We call it the Pacific Rim.
OTOH -- I have no defense for the inane methods of sizing paper in the US.
Why they don't adopt the logical standards of ISO 216 I have no idea.
Just for the record, I believe we should use ISO 8601 for time standards
and ISO 216 for paper standards.
Some of you Rightpondians are a little confused about some of those issues
as well.
There are a few lurking non-participants in these 'topic drifts' who
think the subject should be changed.
Bah humbug. We don't need no steenkin' subject badges.
--
Mike Easter
kibitzer, not SC admin
P.S.
BS came back to me - they have no idea how I got another user's report.
It was also pointed out that I had not activated any of my reports.
So I will be spending most of the day trying to find out how to do that.
Rgds
Antioch
Chris Wright
2006-05-10 13:18:58 UTC
LMAO
Post by Mike Easter
Post by Ant
Post by antioch
Post by Mike Easter
I don't understand 'her indoors'
Are you from the other side of the pond?
Mike is from Leftpondia, whereas U and I are Rightpondians.
You guys need to get straightened out on your ponds.
There are two. The big pond and the little pond.
I am on the right shore of the big pond.
You guys over there on the right shores of the little pond seem to
imagine that there is only one pond, and that the only people on the
other side of the little pond you know about are the ones on the left
shore of the little pond.
That is a little bit like imagining that the earth is flat or something.
We call it the Pacific Rim.
OTOH -- I have no defense for the inane methods of sizing paper in the
US. Why they don't adopt the logical standards of ISO 216 I have no
idea. Just for the record, I believe we should use ISO 8601 for time
standards and ISO 216 for paper standards.
Some of you Rightpondians are a little confused about some of those
issues as well.
There are a few lurking non-participants in these 'topic drifts' who
think the subject should be changed.
Bah humbug. We don't need no steenkin' subject badges.
Ant
2006-05-10 21:36:16 UTC
Post by Mike Easter
You guys need to get straightened out on your ponds.
There are two. The big pond and the little pond.
I am on the right shore of the big pond.
You guys over there on the right shores of the little pond seem to
imagine that there is only one pond, and that the only people on the
other side of the little pond you know about are the ones on the left
shore of the little pond.
I include right big-pondians in my little-pondian perspective. If you
were talking with the Aussies or Chinese rather than Europeans, your
pondian-ness would be big!
Post by Mike Easter
That is a little bit like imagining that the earth is flat or something.
We call it the Pacific Rim.
It's probably more to do with the convention in (flat) world maps of
depicting the Americas on the left, and the rest on the right.
Post by Mike Easter
OTOH -- I have no defense for the inane methods of sizing paper in the
US. Why they don't adopt the logical standards of ISO 216 I have no
idea. Just for the record, I believe we should use ISO 8601 for time
standards and ISO 216 for paper standards.
Some of you Rightpondians are a little confused about some of those
issues as well.
Are we? Well, if you mean we are supposed to have 'gone metric' and
yet our road signs are still in miles and our beer is served in pints
then perhaps we are. Personally, I prefer feet and inches to metres
and centimetres -- they are a more natural measure.

I worked for 13 years in the UK arm of a US-based company, and got
used to US paper sizes as being normal. I found it strange going back
to UK A4 size when I left.
Post by Mike Easter
There are a few lurking non-participants in these 'topic drifts' who
think the subject should be changed.
Bah humbug. We don't need no steenkin' subject badges.
Let 'em flame!
anon
2006-05-10 22:38:57 UTC
Post by Mike Easter
Post by Ant
Post by antioch
Post by Mike Easter
I don't understand 'her indoors'
Are you from the other side of the pond?
Mike is from Leftpondia, whereas U and I are Rightpondians.
You guys need to get straightened out on your ponds.
There are two. The big pond and the little pond.
I am on the right shore of the big pond.
You guys over there on the right shores of the little pond seem to
imagine that there is only one pond, and that the only people on the
other side of the little pond you know about are the ones on the left
shore of the little pond.
That is a little bit like imagining that the earth is flat or something.
We call it the Pacific Rim.
OTOH -- I have no defense for the inane methods of sizing paper in the
US. Why they don't adopt the logical standards of ISO 216 I have no
idea. Just for the record, I believe we should use ISO 8601 for time
standards and ISO 216 for paper standards.
The US paper sizes are about as sensible as the world wide (non) standard
railroad gauge - changing trains at national borders does not make sense.
Someone, way back then, must have had a huge piece of paper and proceeded to
cut it in half, then that in half - etc. until we got the 8-1/2x11 inches
letter size and 8-1/2 x 14 inches legal size. You guys just started with a
different 'huge' size to get your 8.3x11.7 inch A4 and 7.2x10.5 executive
sizes. There is really no logic to ANY paper size. At least one of the RR
gauges started with the wagon wheel/chariot wheel gauges - but who can say
how logical THOSE were.
--
A SpamCop user and forum reader,
Not Admin
Post by Mike Easter
Some of you Rightpondians are a little confused about some of those
issues as well.
There are a few lurking non-participants in these 'topic drifts' who
think the subject should be changed.
Bah humbug. We don't need no steenkin' subject badges.
--
Mike Easter
kibitzer, not SC admin