Posted to users@spamassassin.apache.org by Amos <a....@gmail.com> on 2005/11/21 19:11:16 UTC

spamcop.net tactics

I must say I'm not particularly thrilled about the tactics employed by
SpamCop. At a university it is sometimes difficult to control every
single thing that everybody does on campus, unless of course perhaps
if this was a complete authoritarian state. We try hard to control and
minimize spamming events, but alas, sometimes they happen.

Just recently we discovered we've been tagged by spamcop. Since the
spamtrap is "secret", there's no way to know what incident triggered
this event, which makes it pretty damn difficult to track it down to
try to deal with it. Furthermore, a site has only one chance to delist
their server. After that, it's a permanent block.

So, if we can't tell what source is a problem, only have one chance to
delist--EVER--seems to me we're pretty screwed. Lovely.

Amos

Re: spamcop.net tactics

Posted by Aaron Grewell <AG...@uwb.edu>.
> Seems to me like setting up a firewall or network logger should make it pretty
> easy to see what is sending out inordinate amounts of traffic on port 25.  Or
> you could just block port 25 outgoing as a matter of policy and force people
> to go out through the university mail servers.  No one should be sending
> email directly from a residential machine anyway.
> 
> It may be difficult either politically or technically, but it's not spamcop's
> job to police your network for you.  It's spamcop's job to help its customers
> deal with *their* spam problem - that you're apparently (if unwittingly)
> helping to cause.
> 
> University networks are pretty well known to be swiss cheese as far as
> security goes.  Yours is probably no exception.  Fix that problem and your
> spam problem should be fixed along with it.

It's a nice thought, but if it's anything like our environment we're not
actually allowed to fix it (we don't control the routers etc) so that's
not an option.  My suggestion is to ask the network folks for a
mirroring port on your WAN router and monitor it carefully for abuse.
Ask your users to register non-campus equipment with the helpdesk.  You
may be forced to resort to the LAN Mafia routine a few times, but as
the users begin to understand that you can shut them down if you need to
(block them at the DHCP server or whatever resources you do control) you
should be able to get more cooperation since it reduces inconvenience
for them if something bad does happen.  We find our monitoring system
(NTop, Snort, etc) to be invaluable for dealing with this sort of thing,
and you may be able to use SpamAssassin with a mirror port to check
outbound mail through the WAN link if you set it up right.  I haven't
tried that but it's probably worth a shot.

Re: spamcop.net tactics

Posted by Russell Miller <rm...@duskglow.com>.
On Monday 21 November 2005 10:11, Amos wrote:
> I must say I'm not particularly thrilled about the tactics employed by
> SpamCop. At a university it is sometimes difficult to control every
> single thing that everybody does on campus, unless of course perhaps
> if this was a complete authoritarian state. We try hard to control and
> minimize spamming events, but alas, sometimes they happen.
>
> Just recently we discovered we've been tagged by spamcop. Since the
> spamtrap is "secret", there's no way to know what incident triggered
> this event, which makes it pretty damn difficult to track it down to
> try to deal with it. Furthermore, a site has only one chance to delist
> their server. After that, it's a permanent block.
>
> So, if we can't tell what source is a problem, only have one chance to
> delist--EVER--seems to me we're pretty screwed. Lovely.
>
Seems to me like setting up a firewall or network logger should make it pretty 
easy to see what is sending out inordinate amounts of traffic on port 25.  Or 
you could just block port 25 outgoing as a matter of policy and force people 
to go out through the university mail servers.  No one should be sending 
email directly from a residential machine anyway.

It may be difficult either politically or technically, but it's not spamcop's 
job to police your network for you.  It's spamcop's job to help its customers 
deal with *their* spam problem - that you're apparently (if unwittingly) 
helping to cause.

University networks are pretty well known to be swiss cheese as far as 
security goes.  Yours is probably no exception.  Fix that problem and your 
spam problem should be fixed along with it.

--Russell

-- 

Russell Miller - rmiller@duskglow.com - Agoura Hills, CA

Re: spamcop.net tactics

Posted by Jeff Chan <je...@surbl.org>.
On Monday, November 21, 2005, 8:39:13 PM, Amos Amos wrote:
> On 11/21/05, Jeff Chan <je...@surbl.org> wrote:
>> detect it, then yes your IPs can get blacklisted.  The best way
>> to solve that is to stop the emission of spam from your network.

> It's easier to do when the source is identified.

True.

>> While SpamCop's trap addresses don't provide visible analyses of
>> headers IIRC, user reports do, so that you can see how the

> We never received a user report, nor was a report visible using our
> account, only the indication of the IP being blocked. (Perhaps our
> greylisting blocked the user report.)

The user reports are sent through SpamCop and are usually sent to
your registered abuse.net or ARIN (or local IP registry if you're
not in the U.S.) contacts.  So make sure you have appropriate
contact information set for your domain and networks.

Probably we should take this off list after this.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: spamcop.net tactics

Posted by Amos <a....@gmail.com>.
On 11/21/05, Jeff Chan <je...@surbl.org> wrote:
> detect it, then yes your IPs can get blacklisted.  The best way
> to solve that is to stop the emission of spam from your network.

It's easier to do when the source is identified.

> As was already suggested, one good way to do that is to block
> direct port 25 output from your network and instead direct users

Irrelevant in this case since it would appear this incident was
instigated by an Exchange user, and Exchange itself is used for
sending the mail. (Can Exchange be viewed as virusware?)

> While SpamCop's trap addresses don't provide visible analyses of
> headers IIRC, user reports do, so that you can see how the

We never received a user report, nor was a report visible using our
account, only the indication of the IP being blocked. (Perhaps our
greylisting blocked the user report.)

> You can also sign up for an account that gives periodic reports
> for your networks.

Yup. Already have.

> As has already been noted, this is not an appropriate place to
> b!tch about SpamCop.  Better to discuss it on the SpamCop
> forums:

Thanks for the reminder, and the followups from others.

Amos

Re: spamcop.net tactics

Posted by Jeff Chan <je...@surbl.org>.
SpamCop simply notes what addresses appear to be emitting spam.
If your network is emitting spam and SpamCop users or traps
detect it, then yes your IPs can get blacklisted.  The best way
to solve that is to stop the emission of spam from your network.

As was already suggested, one good way to do that is to block
direct port 25 output from your network and instead direct users
to officially sanctioned outbound smtp servers.  This has become
a standard practice for many ISPs, wireless networks, companies,
hotels, wifi hotspots, etc., these days for the good reason that
it defeats most outbound spam from viruses/bots/zombies.

While SpamCop's trap addresses don't provide visible analyses of
headers IIRC, user reports do, so that you can see how the
headers were interpreted.  Usually they are interpreted correctly
these days.  There is a link in the reports that shows the
analyses.

You can also sign up for an account that gives periodic reports
for your networks.

As has already been noted, this is not an appropriate place to
b!tch about SpamCop.  Better to discuss it on the SpamCop
forums:

  http://forum.spamcop.net/forums

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: spamcop.net tactics

Posted by Chris Conn <cc...@abacom.com>.

Amos wrote:
> I must say I'm not particularly thrilled about the tactics employed by
> SpamCop. At a university it is sometimes difficult to control every
> single thing that everybody does on campus, unless of course perhaps
> if this was a complete authoritarian state. We try hard to control and
> minimize spamming events, but alas, sometimes they happen.
> 
> Just recently we discovered we've been tagged by spamcop. Since the
> spamtrap is "secret", there's no way to know what incident triggered
> this event, which makes it pretty damn difficult to track it down to
> try to deal with it. Furthermore, a site has only one chance to delist
> their server. After that, it's a permanent block.
> 
> So, if we can't tell what source is a problem, only have one chance to
> delist--EVER--seems to me we're pretty screwed. Lovely.
> 
> Amos

Hello,

First off this is not the SpamCOP rant list, it is the SpamAssassin software 
list.  SpamCOP and SA are not involved, other than the fact that SA queries 
SpamCOP and score email according to its presence or absence of the SpamCOP 
lists.  SA does not need SpamCOP, and the reverse is also true.

Secondly, from my reading of their policies, you have one chance to 
_expedite_ de-listing, which in my dictionary means "speed up".  De-listing 
happens automatically, however if you continue to spew spam, complaints from 
SpamCOP users will continue to list you into oblivion if need be.

You are not screwed, but you are (according to your email) responsible. 
Claiming non-socialist ideals will get you nowhere, particularly if you 
send your concerns to the wrong people.

Good luck,

Chris Conn

Re: spamcop.net tactics

Posted by Matt Kettler <mk...@evi-inc.com>.
Amos wrote:
> I must say I'm not particularly thrilled about the tactics employed by
> SpamCop. At a university it is sometimes difficult to control every
> single thing that everybody does on campus, unless of course perhaps
> if this was a complete authoritarian state. We try hard to control and
> minimize spamming events, but alas, sometimes they happen.
> 
> Just recently we discovered we've been tagged by spamcop. Since the
> spamtrap is "secret", there's no way to know what incident triggered
> this event, which makes it pretty damn difficult to track it down to
> try to deal with it. Furthermore, a site has only one chance to delist
> their server. After that, it's a permanent block.
> 
> So, if we can't tell what source is a problem, only have one chance to
> delist--EVER--seems to me we're pretty screwed. Lovely.

Eh? So the spamcop FAQ is incorrect in stating:

"The SCBL will not list an IP address if there are no reports against it within
24 hours."

AFAIK, spamcop ONLY lists IPs that have sourced spam in the past 24 hours, and
auto-delists everything that stops sending spam...


Re: spamcop.net tactics

Posted by Leonard SA <sp...@pcnetsources.com>.
BTW list ..

Can I use the whitelisting feature even though I use qmail-scanner? Where 
would this be configured?

Regards ..

Leonard
----- Original Message ----- 
From: "Jeff Chan" <je...@surbl.org>
To: "Leonard SA" <sp...@pcnetsources.com>
Sent: Wednesday, November 23, 2005 9:13 AM
Subject: Re: spamcop.net tactics


> On Wednesday, November 23, 2005, 5:39:05 AM, Leonard SA wrote:
>> Jeff,
>
>> I found this out yesterday after enabling the RBL lookups in the local.cf
>> config file. It's great to get a high score slash because they are listed in
>> the rbl list, but not rejected in case there are errors..
>
>> As being a cautious user; I still glance over my spam folders, so I would
>> still catch these messages marked as spam as a result. It's not the best
>> solution, but better than blockage at the MTA level.
>
>> I still don't know how whitelisting works and where to configure this.. so
>> until this time; I have to handle it this way.
>
>> Thanks again for your insight Jeff.
>
>> Regards ..
>
>> Leonard
>
> Hi Leonard,
> Glad to help!  Definitely check out the whitelisting feature.
> The SA Wiki may help, etc.
>
> Cheers,
>
> Jeff C.
> -- 
> Jeff Chan
> mailto:jeffc@surbl.org
> http://www.surbl.org/
>
> 


Re: spamcop.net tactics

Posted by Leonard SA <sp...@pcnetsources.com>.
Jeff,

Thanks again ..

Regards ..

Leonard
----- Original Message ----- 
From: "Jeff Chan" <je...@surbl.org>
To: "Leonard SA" <sp...@pcnetsources.com>
Sent: Wednesday, November 23, 2005 9:13 AM
Subject: Re: spamcop.net tactics


> On Wednesday, November 23, 2005, 5:39:05 AM, Leonard SA wrote:
>> Jeff,
>
>> I found this out yesterday after enabling the RBL lookups in the local.cf
>> config file. It's great to get a high score slash because they are listed in
>> the rbl list, but not rejected in case there are errors..
>
>> As being a cautious user; I still glance over my spam folders, so I would
>> still catch these messages marked as spam as a result. It's not the best
>> solution, but better than blockage at the MTA level.
>
>> I still don't know how whitelisting works and where to configure this.. so
>> until this time; I have to handle it this way.
>
>> Thanks again for your insight Jeff.
>
>> Regards ..
>
>> Leonard
>
> Hi Leonard,
> Glad to help!  Definitely check out the whitelisting feature.
> The SA Wiki may help, etc.
>
> Cheers,
>
> Jeff C.
> -- 
> Jeff Chan
> mailto:jeffc@surbl.org
> http://www.surbl.org/
>
> 


Re: spamcop.net tactics

Posted by Jeff Chan <je...@surbl.org>.
On Wednesday, November 23, 2005, 3:33:47 AM, Leonard SA wrote:
> Hello,

> I have had to remove spamcop from my rbl check list. They have had some 
> legitimate mail servers listed recently. They had the gentoo mail list 
> listed and some other important servers which I can't see why they were 
> added.

> Regards ..

> Leonard

If you mean at the MTA level, yes, I don't use bl.spamcop.net in
my MTAs.  For SpamAssassin, however it's useful as another
somewhat reliable indicator of spamminess to increment the scores
a bit, just like SORBLs or SPEWS, which would otherwise be
largely unusable for outright blocking in an MTA for most
people.

SpamCop's bl gets IPs that users report.  There's some filtering
and munging, but it's either less than one would like or more
than one would like, depending on one's perspective.  IOW some
SpamCop user (unwisely) reported a gentoo mailing list message as
spam, and that's why it got onto the blacklist: user error.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/


Re: spamcop.net tactics

Posted by Leonard SA <sp...@pcnetsources.com>.
Hello,

I have had to remove spamcop from my rbl check list. They have had some 
legitimate mail servers listed recently. They had the gentoo mail list 
listed and some other important servers which I can't see why they were 
added.

Regards ..

Leonard
----- Original Message ----- 
From: "Christopher X. Candreva" <ch...@westnet.com>
To: <us...@spamassassin.apache.org>
Sent: Wednesday, November 23, 2005 2:29 AM
Subject: Re: spamcop.net tactics


> On Tue, 22 Nov 2005, Chr. v. Stuckrad wrote:
>
>> So simply by having users use 'vacation' or viruses/worms
>> sending themselves from faked spam-trap-addresses and bouncing
>> at your site, you can be blacklisted for 24 hours (for each?).
>
> By having users use vacation without a filter to stop it from replying to
> spam, or accepting virus mail then generating a new error, you are engaged
> in a DDOS against the people whose address is forged into the mail. We have
> users getting 3-6 THOUSAND such bounces a day.
>
> So yes, I'm glad SpamCop is blocking sites that do this.
>
> ==========================================================
> Chris Candreva  -- chris@westnet.com -- (914) 967-7816
> WestNet Internet Services of Westchester
> http://www.westnet.com/
> 


Re: spamcop.net tactics

Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Wed, 23 Nov 2005, Ed Kasky wrote:

> I for one would be interested to know how you implement a filter like this.
> It's one of the things that keeps me from using it sometimes...

procmail does wonders, just don't call vacation for anything marked as spam. 
We use that plus some other checks:

:0 c
* !^Return-Path: <(www|nobody|apache|httpd|bounce|no-?reply|devnul|root|notify|owner-)
* !^X-Spam-Status: Yes
* !^List-
* !^X-Mailer: Accucast
* !^X-Campaignid:
|/usr/local/bin/vacation $VACATIONOPT

As for not accepting then bouncing -- do virus checking in a milter (we use 
ClamAV), and push a list of valid users to your secondaries. This sort of 
this in access.db:

To:westnet.com  ERROR:5.1.1:"550 User unknown"
To:chris@westnet.com	OK
To:root@westnet.com	OK
To:postmaster@westnet.com	OK
To:... etc


==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
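As an added example (not code from this thread), the conditions of the procmail recipe above expressed as a Python check that an autoresponder would run before replying, extended with the RFC 3834 Auto-Submitted and Precedence checks that go beyond the recipe; the sample messages are constructed and the bulk-mailer marker list is illustrative.

```python
"""Decide whether a vacation-style autoresponder may answer a message.

Added example mirroring the conditions of the procmail recipe above.
Every rule is a reason NOT to reply: replying to bounces, spam or robots
only creates backscatter to whoever's address was forged into the mail.
"""
import email
import re
from email import policy

# Robot local parts from the recipe's Return-Path condition.
ROBOT_RETURN_PATH = re.compile(
    r"^<(www|nobody|apache|httpd|bounce|no-?reply|devnul|root|notify|owner-)",
    re.IGNORECASE,
)
# Bulk-mailer markers named in the recipe (illustrative, extend as needed).
BULK_MAILER_HEADERS = {"X-Campaignid"}
BULK_MAILER_VALUES = {"X-Mailer": ("accucast",)}


def should_auto_reply(raw_message: bytes) -> tuple[bool, str]:
    """Return (reply?, reason) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)

    return_path = (msg.get("Return-Path") or "").strip()
    if return_path in ("", "<>"):
        return False, "null or missing Return-Path: this is a bounce"
    if ROBOT_RETURN_PATH.match(return_path):
        return False, "Return-Path belongs to a robot"

    if (msg.get("X-Spam-Status") or "").lower().startswith("yes"):
        return False, "tagged as spam by SpamAssassin"

    if any(name.lower().startswith("list-") for name in msg.keys()):
        return False, "mailing list traffic"

    for name in BULK_MAILER_HEADERS:
        if name in msg:
            return False, f"bulk mailer header {name} present"
    for name, markers in BULK_MAILER_VALUES.items():
        value = (msg.get(name) or "").lower()
        if any(marker in value for marker in markers):
            return False, f"bulk mailer identified by {name}"

    # Two checks beyond the recipe: RFC 3834 and the Precedence convention.
    if (msg.get("Auto-Submitted") or "no").lower() != "no":
        return False, "message is itself auto-generated (RFC 3834)"
    if (msg.get("Precedence") or "").lower() in ("bulk", "junk", "list"):
        return False, "Precedence marks it as bulk mail"

    return True, "personal mail from a real sender"


# Constructed sample messages, one per rule.
SAMPLES = {
    "personal": (b"Return-Path: <alice@example.net>\r\n"
                 b"From: Alice <alice@example.net>\r\n"
                 b"Subject: lunch?\r\n\r\nFree on Friday?\r\n"),
    "bounce": (b"Return-Path: <>\r\nFrom: MAILER-DAEMON@example.com\r\n"
               b"Subject: Undelivered Mail\r\n\r\n"),
    "spam_tagged": (b"Return-Path: <x@example.org>\r\n"
                    b"X-Spam-Status: Yes, score=12.1\r\n"
                    b"Subject: cheap pills\r\n\r\n"),
    "list": (b"Return-Path: <users-bounces@example.org>\r\n"
             b"List-Id: <users.example.org>\r\nSubject: [users] q\r\n\r\n"),
    "campaign": (b"Return-Path: <news@example.com>\r\n"
                 b"X-Mailer: Accucast 2.0\r\nSubject: Newsletter\r\n\r\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12s} -> {should_auto_reply(raw)}")
```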

Re: spamcop.net tactics

Posted by "Christopher X. Candreva" <ch...@westnet.com>.
On Tue, 22 Nov 2005, Chr. v. Stuckrad wrote:

> So simply by having users use 'vacation' or viruses/worms
> sending themselves from faked spam-trap-addresses and bouncing
> at your site, you can be blacklisted for 24 hours (for each?).

By having users use vacation without a filter to stop it from replying to 
spam, or accepting virus mail then generating a new error, you are engaged 
in a DDOS against the people whose address is forged into the mail. We have 
users getting 3-6 THOUSAND such bounces a day.

So yes, I'm glad SpamCop is blocking sites that do this.

==========================================================
Chris Candreva  -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/

Re: spamcop.net tactics

Posted by "Chr. v. Stuckrad" <st...@mi.fu-berlin.de>.
On Tue, Nov 22, 2005 at 09:24:28AM -0800, Linda Walsh wrote:
> That doesn't mean it's a moral, an ethical or respectable reason:
> "Spite" is reason enough for most people these days. 
> 
> Michele Neylon:: Blacknight.ie wrote:
> 
> >if your IPs end up in there it's usually for a
> >reason.

Before we get into 'arguments' or even 'flamewars':

We (@{math,inf,mi}.fu-berlin.de) were hit by the same problem,
we also could not find *anything* visible which could have
put us into their list, and so we had to resort to 'circumventing'
the assumed problem.

Seemingly 'spamcop' not only counts 'real spam' (explicitly
sent to spam-traps) but also counts 'any bounce stranding in
their spam-trap' as a 'spammer or open-relay'.

So simply by having users use 'vacation' or viruses/worms
sending themselves from faked spam-trap-addresses and bouncing
at your site, you can be blacklisted for 24 hours (for each?).

After reducing 'bounces' by patching 'qmail' with a user
check in 'RCPT' of the SMTP-Delivery, making all lists
reply to local owner-addresses instead of bouncing,
by checking all auto-answering-services to never answer
on bounces, bulk-mails and spams, and such,
thereby reducing the 'chance' of hitting the
spam-traps again, we 'survived' so far without being
blocked again (at least without being blocked again
for more than the lifetime of mails sent to us).

Stucki    (postmaster)

Re: spamcop.net tactics

Posted by Linda Walsh <sa...@tlinx.org>.
That doesn't mean it's a moral, an ethical or respectable reason:
"Spite" is reason enough for most people these days. 

Michele Neylon:: Blacknight.ie wrote:

> if your IPs end up in there it's usually for a
> reason.
>
> Michele

Re: spamcop.net tactics

Posted by "Michele Neylon:: Blacknight.ie" <mi...@blacknight.ie>.
Amos wrote:
> I must say I'm not particularly thrilled about the tactics employed by
> SpamCop. At a university it is sometimes difficult to control every
> single thing that everybody does on campus, unless of course perhaps
> if this was a complete authoritarian state. We try hard to control and
> minimize spamming events, but alas, sometimes they happen.
> 
> Just recently we discovered we've been tagged by spamcop. Since the
> spamtrap is "secret", there's no way to know what incident triggered
> this event, which makes it pretty damn difficult to track it down to
> try to deal with it. Furthermore, a site has only one chance to delist
> their server. After that, it's a permanent block.
> 
> So, if we can't tell what source is a problem, only have one chance to
> delist--EVER--seems to me we're pretty screwed. Lovely.
> 
> Amos
Amos

Signup for an account with them so that you can see the reports related
to your IP block(s)

There's no point ranting about spamcop. Their listing criteria are
fairly transparent and if your IPs end up in there it's usually for a
reason.

Michele

-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239

Re: spamcop.net tactics

Posted by Kelson <ke...@speed.net>.
Amos wrote:
> Just recently we discovered we've been tagged by spamcop. Since the
> spamtrap is "secret", there's no way to know what incident triggered
> this event, which makes it pretty damn difficult to track it down to
> try to deal with it. Furthermore, a site has only one chance to delist
> their server. After that, it's a permanent block.
> 
> So, if we can't tell what source is a problem, only have one chance to
> delist--EVER--seems to me we're pretty screwed. Lovely.

We went through this earlier this year, back when forged Received 
headers suddenly became widely popular and sites building blacklists 
were still trusting all the headers.  None of the lists that blocked us 
-- SpamCop included -- would provide us any way to determine whether the 
messages had actually come from our server.

I understand they want to keep their sources secret, but this is like 
bringing evidence to a trial in a sealed envelope and not allowing the 
defense attorney to see it.  There's no way to verify that the evidence 
was collected properly or interpreted correctly, and of course there's 
no way to resolve the problem.

Actually, SpamCop was one of the more responsive lists.  I sent them a 
point-by-point list of possible explanations for them seeing our IP 
address in their spamtraps, how likely each one was (I didn't outright 
reject the possibility that someone had broken TOS or found a way to 
trick our server into sending something, but it seemed really unlikely), 
and some sample headers from mail that really came from our servers, and 
within a day they'd written back that they were satisfied the message in 
their spamtrap had used forged headers.

None of which helps you track down the problem if someone actually *is* 
abusing your server, and I think that a two-strikes-you're-out policy is 
f*#^ing INSANE (if you'll pardon the expression) and shows a complete 
lack of understanding as to the nature of providing email for large 
communities of people outside of your direct control.  I really do not 
understand the assumption some people make that either you're AOL, 
Earthlink or Yahoo, or you're some 20-person small business that can 
impose any draconian measures you want on your users.  There's a whole 
world of in-between sites.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>

Re: spamcop.net tactics

Posted by qqqq <qq...@usermail.com>.
I am not a fan myself and do not use them.  However, you should have received a mailing to postmaster (or abuse) due to
Spamcop complaints.  Did you get these?

QQQQ


----- Original Message ----- 
From: "Amos" <a....@gmail.com>
To: "SpamAssassin" <us...@spamassassin.apache.org>
Sent: Monday, November 21, 2005 11:11 AM
Subject: spamcop.net tactics


| I must say I'm not particularly thrilled about the tactics employed by
| SpamCop. At a university it is sometimes difficult to control every
| single thing that everybody does on campus, unless of course perhaps
| if this was a complete authoritarian state. We try hard to control and
| minimize spamming events, but alas, sometimes they happen.
|
| Just recently we discovered we've been tagged by spamcop. Since the
| spamtrap is "secret", there's no way to know what incident triggered
| this event, which makes it pretty damn difficult to track it down to
| try to deal with it. Furthermore, a site has only one chance to delist
| their server. After that, it's a permanent block.
|
| So, if we can't tell what source is a problem, only have one chance to
| delist--EVER--seems to me we're pretty screwed. Lovely.
|
| Amos
|
|