[Dshield] Novice regarding reporting spam, would like to learn how to.

Peter Stendahl-Juvonen peter.stendahl-juvonen at welho.com
Thu Apr 29 17:58:18 GMT 2004



Freddie, James, Chris, Kevin et al.


Thank you all for the awesome pieces of advice.


Have now reported first spam following James' and with Freddie's
guidance. (For the first, I used a modified spam report from the form
letter posted to this list by John Draper. Thanks.)

If I understood correctly, the report should be sent to the abuse@ the
ISP of the first un-trusted IP. 

(Thought so myself, but was not sure whether should also CC to abuse@
ISPs of possible other prior un-trusted IPs. Now think that would not be
necessary, because of high possibility of easy forgery. Apparently, the
ISP that will get the report is able to determine the real origin of the
spam, or at least the next hop.)

Comment also inline (further below).

Thanks again.


- Pete


      "Wisdom is ofttimes nearer when we stoop than when we soar." 
             William Wordsworth (1770-1850); English poet. 



list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Wednesday, April 28, 2004 9:27 PM (EETDST) UTC+3 on behalf of
Freddie Sorensen

| Try www.spamcop.net - the easiest way to report spam
| 

Reporting via SpamCop seems to be a good idea. It is fast & trivial. As
a bonus, SpamCop sends the report, in addition to abuse@ of the
originating ISP, to other relevant third parties as well.



list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Wednesday, April 28, 2004 11:36 PM (EETDST) UTC+3 on behalf of
James Riden

| 
| Start at the top and work back through your trusted hosts. First
| untrusted IP that appears is 211.59.140.77
| 

| 
| % whois -h  whois.krnic.net 211.59.140.77

I do it easy-going with SmartWhois (from TamoSoft, Inc.
http://www.tamos.com/products/smartwhois/).  ;) 

| 
| gives abuse at thrunet.com.
| 

Came to this conclusion myself. Just did not know whether I should CC to
abuse@ ISP of the other "Received: from" IP (206.96.120.94 in the spam
in question). Now I interpret this other "Received: from" IP to be
forged.



list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Thursday, April 29, 2004 5:11 AM (EETDST) UTC+3 on behalf of
Chris Tankelewicz

| How to report spam,
| 
| Someone had already mentioned spamcop...
| 
| What I use is a program called Mailwasher Pro from a company called
| Firetrust. http://entier.ecosm.com/link/?ibyuqt
| 


I have considered MailWasher Pro and other solutions.

Since I am still in the process of acquiring a new mail client S/W, I
have not yet decided what solution to rely on.

The mail clients that interest me the most are RitLabs' Ritlabs
SecureBat! Pro ( http://www.ritlabs.com/en/products/securebat/ )  and
The Bat! ( http://www.ritlabs.com/en/products/thebat/ ).

Possibly both approaches would include optional Bayesian filtering. (To
my understanding at least The Bat! has a Bayesian filtering plug-in (in
the default installation)).



list-bounces at lists.dshield.org <mailto:list-bounces at lists.dshield.org>
wrote on Thursday, April 29, 2004 2:35 PM (EETDST) UTC+3 on behalf of
Kevin Gadsden

| With regard to reporting spam and first time reports, I normally send
| out a response including this link
| http://spamcop.net/fom-serve/cache/19.html to end user.  It is a
| SpamCop site but it contains very useful information on how to find
| the e-mail headers on various e-mail software clients.
| 
| The information in the e-mail header is needed to help identify the
| source IP address and the route the e-mail took.
| 
| It is often better to copy and paste this information into your report
| as it will greatly assist the various network abuse teams etc.
| 


Had previously the opportunity to study email headers at another SW
vendor's (Visualware, Inc. "Email Tracking Tutorial: How to trace email"
http://www.visualware.com/whitepapers/tutorials/email.html ) web page
when I took my first steps in learning tracking email to the sender.

Also acquainted myself with S/W supposed to do the same (eMailTrackerPro
http://www.visualware.com/personal/products/emailtrackerpro/index.html ,
bundled with VisualRoute Personal Edition, which is necessary for the
results accuracy and verification of spam source
http://www.visualware.com/personal/products/visualroute/index.html ).
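
The header walk James Riden describes (start at the top, skip trusted hosts, report the first untrusted IP), as an added example that is not part of the original post. The sample headers, hostnames and the trusted 192.0.2.0/24 range are constructed assumptions; only the two IPs named in the thread come from the page.

```python
import email
import ipaddress
import re

# Constructed sample headers. Only 211.59.140.77 and 206.96.120.94 come from
# the thread; hostnames, dates and the 192.0.2.0/24 relay are made up.
SAMPLE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mailstore.isp.example with ESMTP; Wed, 28 Apr 2004 10:00:03 +0300
Received: from unknown (HELO mail.sender.example) ([211.59.140.77])
\tby mx.isp.example with SMTP; Wed, 28 Apr 2004 10:00:01 +0300
Received: from relay.sender.example ([206.96.120.94])
\tby mail.sender.example with SMTP; Wed, 28 Apr 2004 09:59:40 +0300
From: someone@sender.example
Subject: constructed sample

body
"""

# Assumption: networks whose mail servers you trust to write honest headers.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(received):
    """IP the receiving server recorded in the 'from' clause, or None."""
    from_clause = re.split(r"\s+by\s+", received, maxsplit=1)[0]
    found = BRACKETED_IP.findall(from_clause)
    try:
        return ipaddress.ip_address(found[-1]) if found else None
    except ValueError:  # e.g. [999.1.1.1] in a forged line
        return None


def first_untrusted(raw_message, trusted=TRUSTED):
    """Walk Received headers top-down; stop at the first untrusted IP."""
    hops = email.message_from_string(raw_message).get_all("Received", [])
    ips = [connecting_ip(h) for h in hops]
    for i, ip in enumerate(ips):
        if ip is not None and not any(ip in net for net in trusted):
            # Everything below was written by hosts you do not trust,
            # so it may be forged and is listed only for reference.
            return {"report_ip": str(ip),
                    "unverified": [str(x) for x in ips[i + 1:] if x is not None]}
    return None


if __name__ == "__main__":
    print(first_untrusted(SAMPLE))
```

The `report_ip` is the address to look up with whois for the abuse@ contact; addresses under `unverified` appear only in headers written beyond your trusted relays.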




