Greg Hewgill (ghewgill) wrote,
Greg Hewgill
ghewgill

spamcop can eat my shorts

As you probably know, I run lnk.nu which is a generic link shortening service. Occasionally, spammers will run their URL through lnk.nu to create a shorter version, and spam that instead. For example:

Subject: Want it to hang?

We know you wish yours was bigger for the ladies, now it has been proven
to work

http://lnk.nu/plqaksjuw.defote.com/imq

~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~
You may 0pt 0ut anytime

Now, when a certain subset of normal internet users receive spam like this, they forward it on to spamcop.net in the mistaken belief that doing so actually helps. Allow me to elaborate.

Spamcop inspects all aspects of the user's forwarded spam, including all RFC822 headers and the full message body, looks up the IP addresses of all involved servers, uses those IP addresses to look up the party responsible for the address range, and fires off automated messages to all involved abuse@ addresses. Now, they don't send messages to (in my case) abuse@lnk.nu, because if I were really a spammer, I wouldn't care. They send the messages to abuse@(my-hosting-provider).com. If you'll forgive the strained analogy, this is sort of like trying to solve schoolyard bullying by writing little notes to the principal and not even putting your name on them.

Anyway, my hosting provider appears to have an automated system for handling such abuse@ complaints. They log the complaint in their system, and a 24 hour clock starts ticking. If that clock reaches 24 hours without an acceptable response from the customer, network access for the customer's server is cut off (this actually happened to my server earlier this week because they sent the complaints to an email address I closed over two years ago). The customer must respond to each and every spam complaint in order to clear the abuse@ tickets from their system. This week, I have had to individually resolve no less than 14 such tickets.

My resolution action for each of the tickets is to mark the shortened link as "blocked" in the database, which disables the URL forwarding. Then I have to respond to the ticket email, and say what I've done (believe me, I have boilerplate text for this now). I hope they're getting tired of reading my response.

Further investigation into this week's spamvertised links indicates that they are all hosted in China. Lots of Chinese companies offer so-called "bulletproof" hosting that is friendly to spammers and is well outside the reach of antispam laws elsewhere in the world. This is where the spammers host their web sites. My solution to try to prevent this kind of thing from happening in the future is to identify the country in which the destination server is hosted (using the handy countries.nerd.dk), and if it's China, then apply some automatic heuristics that determines whether I'm going to allow the link to be created or not. For the case of this week's spammer, they would not have been able to create the lnk.nu URL and so would have gone somewhere else. You can still create short links for a legitimate site such as China Daily.

Spamcop is the master at causing collateral damage. I don't believe it actually helps, because it just keeps doggedly reporting the same thing over and over to the same people (every time some random user on the internet forwards a spam message to Spamcop). The people on the receiving end of the abuse@ mails either get tired of this pretty quickly and set up some filters, or simply pass on the annoyance to their customers.

Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 11 comments