Posted to users@spamassassin.apache.org by RW <rw...@googlemail.com> on 2018/07/28 16:06:45 UTC

Why is RCVD_IN_BL_SPAMCOP_NET not '-lastexternal'?

I don't see anything on the site to suggest that it avoids listing
dynamic IP addresses. And here:

  https://www.spamcop.net/fom-serve/cache/357.html

commenting on listing history it says:


  "One also has to remember that IP addresses change hands. Many ISPs
   assign IP addresses to customers dynamically, so addresses are
   changing all the time."

Re: Why is RCVD_IN_BL_SPAMCOP_NET not '-lastexternal'?

Posted by RW <rw...@googlemail.com>.
On Mon, 30 Jul 2018 11:58:48 +0200
Matus UHLAR - fantomas wrote:

> On 28.07.18 18:13, RW wrote:
> >Most -lastexternal lists are mixed dynamic/static. Deep checks should
> >be, and mostly are, lists for exploitable servers or IP addresses
> >under the control of spammers (or very spam-friendly ISPs).
> >
> >RCVD_IN_BL_SPAMCOP_NET seems to be an anomaly.  
> 
> spamcop does list IPs that send spam. It does not care whether static
> or dynamic, mailserver or open proxy.

It doesn't care because it's intended to be used as an MTA blocklist,
where it won't see any legitimate mail direct from dynamic addresses.

Spamcop looks deep to avoid listing intermediate service providers, and
so the most relevant organization can be alerted to the abuse. 


> If you want to be 100% sure, you can split RCVD_IN_BL_SPAMCOP_NET
> into two rules, one for -lastexternal and one for deep header tests. 
> 
> But I don't think it's worth trying. spamcop delists an IP 24 hours
> after the last spam from it is received.

In some dynamic address pools a single address might be used by
hundreds of legitimate mail clients in that time. For example my mobile
service provider supports ~10 million users on 3072 IPv4 addresses. And
a single infected device may use many pool addresses before it's
dealt with.


I don't actually have a problem with this myself, but I know that my ham
is very insensitive to FPs of this kind. It could be that Spamcop is
tuned so that dynamic addresses are unlikely to be listed unless they
are relatively sticky. 



Re: Why is RCVD_IN_BL_SPAMCOP_NET not '-lastexternal'?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
>> On 28.07.18 17:06, RW wrote:
>> >I don't see anything on the site to suggest that it avoids listing
>> >dynamic IP addresses. And here:
>> >
>> >  https://www.spamcop.net/fom-serve/cache/357.html
>> >
>> >commenting on listing history it says:
>> >
>> >
>> >  "One also has to remember that IP addresses change hands. Many ISPs
>> >   assign IP addresses to customers dynamically, so addresses are
>> >   changing all the time."

>On Sat, 28 Jul 2018 18:12:42 +0200 Matus UHLAR - fantomas wrote:
>> and the point is?
>> A-ha. You put it in the subject:
>>  Re: Why is RCVD_IN_BL_SPAMCOP_NET not  '-lastexternal'?
>>
>> well, the -lastexternal is for dynamic IPs, and spamcop lists spam
>> sources, not (just) dynamic addresses.

On 28.07.18 18:13, RW wrote:
>Most -lastexternal lists are mixed dynamic/static. Deep checks should
>be, and mostly are, lists for exploitable servers or IP addresses under
>the control of spammers (or very spam-friendly ISPs).
>
>RCVD_IN_BL_SPAMCOP_NET seems to be an anomaly.

spamcop does list IPs that send spam. It does not care whether static or
dynamic, mailserver or open proxy.

That means, since spamcop lists exploited servers and IP addresses used by
spammers, using it in deep header tests is correct.

If you want to be 100% sure, you can split RCVD_IN_BL_SPAMCOP_NET into two
rules, one for -lastexternal and one for deep header tests. 

But I don't think it's worth trying. spamcop delists an IP 24 hours after the
last spam from it is received.

ISPs providing dynamic IP addresses should better block port 25 to outside
and thus only allow authenticated submission.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
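
The split suggested above, written out as an added example in SpamAssassin rule syntax. This is not code from the thread or from SpamAssassin's stock rule files; the rule names, the assumption that bl.spamcop.net answers 127.0.0.2 for a listed address, the score values and the network ranges are all placeholders chosen for illustration.

```conf
# Added example: split the single deep-header SpamCop rule into a
# -lastexternal rule and a deep rule with separate scores.
# Assumptions: bl.spamcop.net returns 127.0.0.2 for listed IPs; the
# scores and the trusted_networks range are placeholders.

# Rule 1: only the last untrusted relay, i.e. the host that handed the
# message to your trusted network. This is the hop a dynamic-pool
# address would appear at, so a listing here is the strong signal.
header   RCVD_IN_BL_SPAMCOP_NET_LE   eval:check_rbl('spamcop-lastexternal', 'bl.spamcop.net.', '^127\.0\.0\.2$')
describe RCVD_IN_BL_SPAMCOP_NET_LE   Last external relay is listed in bl.spamcop.net
tflags   RCVD_IN_BL_SPAMCOP_NET_LE   net
score    RCVD_IN_BL_SPAMCOP_NET_LE   1.5

# Rule 2: every untrusted hop in the Received: chain (deep check).
# Still catches an exploited server sitting behind a forwarder, but can
# also hit a dynamic address that was reused since it was listed, so it
# carries a lower score.
header   RCVD_IN_BL_SPAMCOP_NET_DEEP eval:check_rbl('spamcop', 'bl.spamcop.net.', '^127\.0\.0\.2$')
describe RCVD_IN_BL_SPAMCOP_NET_DEEP Any relay in the chain is listed in bl.spamcop.net
tflags   RCVD_IN_BL_SPAMCOP_NET_DEEP net
score    RCVD_IN_BL_SPAMCOP_NET_DEEP 0.5

# Zero the stock rule so a listed IP is not counted a third time.
score    RCVD_IN_BL_SPAMCOP_NET 0

# -lastexternal only works if SpamAssassin knows where "external" begins;
# these ranges are placeholders, replace them with your own relays.
trusted_networks  192.0.2.0/24
internal_networks 192.0.2.0/24
```

Put the fragment in a local .cf file (for example under /etc/mail/spamassassin/), run `spamassassin --lint` to confirm it parses, and check a few real headers with `spamassassin -t` to see which of the two rules fires. The trusted_networks setting is the part worth double-checking: if your own MX or a forwarding host is missing from it, the "last external" hop is identified incorrectly and the -lastexternal rule loses its point.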

Re: Why is RCVD_IN_BL_SPAMCOP_NET not '-lastexternal'?

Posted by RW <rw...@googlemail.com>.
On Sat, 28 Jul 2018 18:12:42 +0200
Matus UHLAR - fantomas wrote:

> On 28.07.18 17:06, RW wrote:
> >I don't see anything on the site to suggest that it avoids listing
> >dynamic IP addresses. And here:
> >
> >  https://www.spamcop.net/fom-serve/cache/357.html
> >
> >commenting on listing history it says:
> >
> >
> >  "One also has to remember that IP addresses change hands. Many ISPs
> >   assign IP addresses to customers dynamically, so addresses are
> >   changing all the time."  
> 
> and the point is?
> A-ha. You put it in the subject:
>  Re: Why is RCVD_IN_BL_SPAMCOP_NET not  '-lastexternal'?
> 
> well, the -lastexternal is for dynamic IPs, and spamcop lists spam
> sources, not (just) dynamic addresses.

Most -lastexternal lists are mixed dynamic/static. Deep checks should
be, and mostly are, lists for exploitable servers or IP addresses under
the control of spammers (or very spam-friendly ISPs).

RCVD_IN_BL_SPAMCOP_NET seems to be an anomaly. 

Re: Why is RCVD_IN_BL_SPAMCOP_NET not '-lastexternal'?

Posted by Matus UHLAR - fantomas <uh...@fantomas.sk>.
On 28.07.18 17:06, RW wrote:
>I don't see anything on the site to suggest that it avoids listing
>dynamic IP addresses. And here:
>
>  https://www.spamcop.net/fom-serve/cache/357.html
>
>commenting on listing history it says:
>
>
>  "One also has to remember that IP addresses change hands. Many ISPs
>   assign IP addresses to customers dynamically, so addresses are
>   changing all the time."

and the point is?
A-ha. You put it in the subject:
 Re: Why is RCVD_IN_BL_SPAMCOP_NET not  '-lastexternal'?

well, the -lastexternal is for dynamic IPs, and spamcop lists spam sources,
not (just) dynamic addresses.

Therefore it's useful to do deep header scanning for spamcop listings.


-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I wish NOT to receive any advertising mail at this address.
We are but packets in the Internet of life (userfriendly.org)