
Re: [dnswl-users] Experimental dnswl.org feature - Abuse Reporting


On Fri, Dec 18, 2009 at 11:09:18AM +0100, Matthias Leisi wrote:
 
> Over the past couple of days, we started to implement a feature to get
> feedback about spam (and other forms of abuse) from dnswl.org-listed
> IP addresses.
> 
> The feature is still experimental, but we would like to get a handful
> of you to test it out. It is currently a simple web form, but we plan
> to add an SMTP option as soon as things have matured a bit.

Obviously there is quite some work going on ...

> Basically, there are four steps to the Abuse Reporting process:
> 
> 1) The user (that would be you :) ) copy&pastes the raw mail source
> into the web form. (Currently, you should also indicate the offending
> IP, because the parser is very limited)
> 2) A regularly running script tries to add additional information to
> your report - DNSWL Id, link to internally stored network ranges etc.
> 3) Editors review the reports and give three types of feedback:
> ** Is it really spam/abuse?
> ** Indicate what action has been taken (no action, rescore, delist, "other")
> ** And actually execute the action
> 4) The user (again, you!) can see the progress of each report in the
> web form (for the last 20 or so reports).
> 
> Reports about IPs not listed in our DB may get deleted.
> 
> If you would like to participate in the trial phase, please send me an
> email directly to matthias(at)leisi.net indicating your preferred
> login name and I'll send you the login information.
> 
> In the trial phase, we would like to find out whether the process
> works as intended, or where/how it would need to be adjusted.
> Additionally, we would like to get an array of different Received:
> header formats, so that the reporting can be better automated.

I've tested it and I have a few recommendations:

For reporters:
1. Don't report
a) Spam sent through legitimate mailing lists, unless
   the mailing list has turned into a main source of spam.
b) Spam sent to your forwarding accounts somewhere else.

SpamCop, e.g., has a mechanism to reliably find out the correct IP in
these cases, but it's complicated and most probably this will not be an
address on DNSWL.

I'm not sure what to do about outscatter.

2. I'm preprocessing the reported spams by first folding header lines and
then eliminating locally added header lines. This will put the first
relevant "Received" line on top, and they have always been automatically (I
hope) recognized. I'm not sure if it's sensible to remove all
spam-handling headers, but the samples will probably be forwarded to the
originating party?

For DNSWL:

In the current interface, I always find "Corr" to be "0", but the IP and
ID have been filled in. I hope that doesn't mean someone is doing this by
hand :-)

The "Action" column has a lot of "undefs". Perhaps this is a moving
target, but it would be nice to see if someone has handled the case in
any way, to find out whether to provide more samples for the same IP,
e.g.

Keep up the good work
Jost
-- 
| Help eradicate spam!                   HTML in mail is impolite. |
| Postmaster, JAPH, sometimes fortune teller   at the RZ of the RUB |
| Please always write to functional addresses:   Postmaster@xxxxxx |
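The preprocessing step Jost describes (unfold header lines, then drop the locally added ones so the first relevant Received line is on top, and pick out the IP the form asks for), written out as an added Python example; this is not code from the thread or from dnswl.org. The sample message, its hostnames and addresses, and the LOCAL_HOSTS set naming "our own" relays are constructed assumptions.

```python
import re
# Constructed raw mail source with folded headers and locally added headers;
# hostnames and addresses are made up (RFC 5737 documentation ranges).
RAW_MAIL = (
    "Received: from mx1.example.net (mx1.example.net [192.0.2.10])\n"
    "\tby mailbox.example.net (Postfix); Fri, 18 Dec 2009 11:00:00 +0100\n"
    "X-Spam-Status: Yes,\n"
    "\tscore=7.5\n"
    "Received: from sender.example.org (sender.example.org [203.0.113.5])\n"
    "\tby mx1.example.net (Postfix); Fri, 18 Dec 2009 10:59:58 +0100\n"
    "Received: from [10.0.0.7] (unknown [10.0.0.7])\n"
    "\tby sender.example.org with ESMTPA; Fri, 18 Dec 2009 10:59:50 +0100\n"
    "Subject: test\n\nbody\n"
)
LOCAL_HOSTS = {"mailbox.example.net", "mx1.example.net"}  # assumption: our own relays

_BY = re.compile(r"\bby\s+(\S+)", re.I)
_FROM = re.compile(r"^Received:\s+from\s+(\S+)", re.I)
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def unfold_headers(raw):
    """Return (headers, body); continuation lines are joined to their header."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines():
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers, body

def strip_local_headers(headers, local_hosts):
    """Drop spam-handling headers and internal Received hops; first kept Received = boundary."""
    out, prefix = [], True            # prefix: still inside the locally added part
    for h in headers:
        if prefix and h.lower().startswith("x-spam-"):
            continue
        if prefix and h.lower().startswith("received:"):
            by, frm = _BY.search(h), _FROM.match(h)
            if by and frm and by.group(1) in local_hosts and frm.group(1) in local_hosts:
                continue              # internal hop added by our own infrastructure
            prefix = False            # boundary hop: keep it and everything below
        out.append(h)
    return out

def offending_ip(headers):  # IP in the 'from' part of the first Received line
    first = next(h for h in headers if h.lower().startswith("received:"))
    m = _IP.search(first.split(" by ")[0])
    return m.group(1) if m else None
```

Only hops whose "from" and "by" hosts are both in LOCAL_HOSTS are removed, so the boundary line that records the external sender's IP survives along with everything the remote side added below it.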
