Report spam even if it's already listed on SpamCop or ORDB?

Steve Lamb · Guest

Hi,

Is it worth reporting spam messages to FirstAlert if they are already on the other spam blacklist servers such as SpamCop or ORDB? I guess the advantage of doing so is that the FirstAlert database gets built up, but the disadvantage may be more work for the administrators. What do you reckon?

Thanks,
--Steve

stan_qaz · Posted: Thu Nov 13, 2003 12:21 pm Post subject:

Report everything that is spam to First Alert, that allows the system to add it to the database.

The goal of First Alert is to enable the folks that aren't satisfied with the accuracy of the other spam tools to have one that with the two person review should have almost no false positives and be able to use the autodelete function for First Alert identified messages

Reporting to spamcop is slightly different, it takes a lot more time and doesn't have the high accuracy of the First Alert system. When I am busy I screen my messages for ones that are listed in the spamcop RBL and don't resubmit them to spamcop.

Steve Lamb · Guest

Thanks!

Eggman5X · Posted: Thu Nov 13, 2003 5:55 pm Post subject:

A couple more things to consider:

Spamcop has a "window" for reporting. I think it's 3 days. Reporting older messages is pretty much useless.

The spamcop blacklist considers the number of reports received as well as the age of the reports when deciding whether a server should or should not be blacklisted. So not reporting a message because it's already blacklisted may actually let the worst spammers off more easily.

Since the specifics are subject to change, it's probably a good idea to review the spamcop FAQ to guide your decision making.

stan_qaz · Posted: Thu Nov 13, 2003 6:12 pm Post subject:

I haven't run into the old spam window but I recall reading about it.

My average reporting time is hovering between 4 and 5 hours. If I didn't report the overnight junk it would stay around an hour or two. Mailwashers report option has doubled the amount of spam I can report in the same amount of time.

geo_splash_12 · Posted: Sat Nov 29, 2003 10:49 am Post subject:

Just got my firstalert account and wonder also about who to report to. Spamcop is a very effective bl but it takes time since every report needs to be completed over the web. In spamcop you can also track whether other reports were made of the spam you just reported in to spamcop. Firstalert seems easier to use, but I can't tell whether it is more accurate, guess that a lot of responsibility is with the people who maintain the database. It seems more user friendly and especially less time consuming for the user. For the time being I will report to both. Greetings from Rotterdam....

stan_qaz · Posted: Sat Nov 29, 2003 3:42 pm Post subject:

If you activate the spamcop RBL under the spam tools source of spam button you will get some good out of reporting to spamcop as well as the fact that they do try to stop spammers. They don't audit the submissions so it can report valid e-mails so you have to keep an eye on it.

First Alert doesn't try to stop spam, it merely tries to keep us from having to look at it, the faster and more accurate make it worth the reporting effort to me.

edrub43 · Cadet Joined: Jan 19, 2004 Posts: 6 Location: Uk

If I get a spam known to Spamcop but not to First Alert, I report it to FA but not to Spamcop. However, if I get a 'known spam', I do not know whether Spamcop knows about it or not. If I report it to Spamcop, I might be sending a lot of material they already know about. If I don't, Spamcop might be missing some useful data.

Have you any guidance on this point? I would hate to think I am missing out on any opportunity to get these bastards.

stan_qaz · Posted: Wed Jan 28, 2004 9:00 pm Post subject:

Several of us have mentioned this as an improvement we would like to see to the user interface. We want to know if a spam is on the spamcop RBL regardless of the other spam tools status (that includes the friends list too) so we can report efficiently and monitor and report false positives.

Guest · Posted: Thu Jan 29, 2004 7:21 am Post subject:

Thank you.

AbdLomax · Private Joined: Mar 10, 2004 Posts: 35 Location: USA

First Alert and SpamCop use different methods of tagging spam. SpamCop is not actually a spam database, rather it is a database of servers recently known to be sending spam. Since some of these servers are being used also by legitimate mailers, SpamCop is *not* reliable as a sole identifier of spam, and automatically deleting mail based on it having source IP on the SpamCop database is dangerous.

Having said that, source IP filtering is highly effective, and SpamCop filtering is very, very useful.

First Alert attempts to identify spam content. If the administration is well-done and the filters are properly designed, the false positive rate will be very, very low. Autodeleting First-Alert tagged mail should be quite safe.

So I'd highly recommend reporting to First Alert all spam that is not currently tagged by First Alert, regardless of whether or not it is on the SpamCop list. Eventually, complex filtering in Mailwasher, I'm pretty sure, will allow more flexible automated processing of spam. Basically, if First Alert is being run well -- I don't know yet about this -- it would be reliable for autodeletion.

When mail is being reported to First Alert, it would also generally be appropriate to report it to SpamCop if it is not already on the SpamCop database. However, until SpamCop reporting is made more efficient, I have found it an exercise in frustration, it is far too much work.

Ikeb · Posted: Tue Mar 16, 2004 11:59 am Post subject:

AbdLomax · Private Joined: Mar 10, 2004 Posts: 35 Location: USA

"Of course SpamCop needs to authenticate the reporter."

Absolutely. The place where SpamCop falls down is that the authentication process has been made far too difficult. I'd much rather pay them a few dollars a month if I could report more easily, and I'd even be willing to make myself liable for penalties for false reporting. When I enabled SpamCop reporting in Mailwasher, I was reporting spam whenever I checked my mail, but only non-SpamCop tagged mail, of course. This mail was, by definition, fresh spam. If the report could have been received and validated quickly, their database could have become much more current, and thus there would have been less mail to report. I was reporting perhaps fifty spams per day. By the time I got the mail back, and had time to log in, the spam was already getting old. It is a badly designed system, it only appeals to those of us who are desperate to *do something.*

"Currently that's done by logging into SpamCop and confirming each message."

Right. Each message, individually. Now, the fact is that a piece of mail is not really spam if received by only one person. It may be unwanted mail, but spam is something special: massively unwanted mail sent without any discrimination to huge numbers of people. If Joe Smith sends a piece of mail trying to sell his web design services to , it is not really spam, in my book, until he does this with *many* people. It is merely a blind sales call, and it is no more offensive than if he telephones. If he only sends one mail, it might even take him more time than if he telephones.... This is not the spam problem that is making us so angry!

So the way to kill spam is to (1) identify it quickly based on content and (2) receive a certain minimum number of reports from validated users (who would be unknown to the spammers in general. they could create valid user accounts, but it would cost them, since *I presume that validated users will be paying some fee* and some time will elapse). This process could easily be automated; and the result, if, say, 0.1% of mail recipients become validated reporter, iwould that spam would be tagged within, perhaps, the first few thousand receipts, quickly added to a First Alert type content database *plus* source IP reported. Thus a million-mail spam would be effectively killed within the first few thousand messages. With more reporters, tagging would be faster. With more reporters, a higher number of independent reports could be required without slowing down the process, thus it would be more secure.

SpamCop and First Alert can and should work together. SpamCop did not solve my spam problem, Mailwasher did. (The level of work currently involved to deal with spam is tolerable because of Mailwasher). Right now, however, source IP (i.e., SpamCop) is the most valuable tool I have for identifying spam. I just can't quite trust it to autodelete mail. Just today I found a customer mail that was SpamCop tagged. You guessed it. An AOL user.


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 814 pages served in previous 5 minutes. Page Rendered: 0.683 seconds.