I have yet to receive a real complaint against real UCE spam sent out by a customer of ours.

I have however seen many complaints (both SC and otherwise) as a result of many other much more 'innocent' things. The worst culprit by far is auto-responders that despite them being severely filtered in their input (they rarely get spam to respond to) sometimes do respond to spam, which includes some appearing to be sent from what turns out to be SC spamtraps.

First of all, SC's advice about getting rid of auto-responders just doesn't help. In a commercial setting with many separate customers and email much more central than webpages, there's no way to do without them. Sure, the stupid "We have received your mail and will respond ASAP" can be easily skipped, but those informing customers of vacations and other abscenses cannot. Despite a consistent use of a generic support address our customers often write personal mails instead of support mails, and they just don't get that people sometimes isn't there. We've lost major customers because support mails written personally went unanswered. Thus the auto-responders.

Now, while spamtraps generally is a good idea (heck, I even run one myself), bounces and auto-responses often land there due to the ever-present faking of sender email in all spam. Now, when one hits SC's spamtrap, things get interesting because a lot of people use SC as a front line blocking system (as RBLS originally were used, as opposed to scoring in a spamassassin-like setting), and mails start bouncing.

Some spammers switch their sending email all the time, rarely resulting in more than one hit on SC's spamtraps, while others still run a joe-job like scheme resulting in thousand of bounces (and auto-responses) hitting a single innocent victim - or a spamtrap.

I order to fix things we (the ISPs) need info on the violations. We need to know something about what hit the spamtrap. IP's and headers would be nice, just like in regular reports. Feel free to remove any info identifying the trap if that's an issue, but it would be nice to be able to (for instance) identify a non-filtered auto-responder, a new mailserver still configured to send bounces etc.

With no information and about 3.000 possible servers to examine, it's impossible for me to actually do something about a SC spamtrap hit, and that's what this place is really about isn't it? - to make people/ISPs act to fix whatever broken system that caused the SC response. The generic solution of just getting rid of auto-responders often isn't possible, both due to customer demand and due to them being hard to find.

Oh yeah, I should mention that the reason we cannot identify a specific server from the listed IP is that we run a gateway (actually a small cluster) that filters outgoing mail. Individual servers cannot send mail outside our firewalls; they have to smart-host it through the gateway.

Been there, done that, buried the T-shirt ....

All data was once upon a time available. Spammers took advantage of that fact and gamed the system.
These spammer actions are what led things to where they are no. I note that you didn't offer any thanks to the spammers for all their help in these matters.

It should be your job as the ISP to inform your customers about the dangers of auto-responders. Auto responders can be used fairly safely IF you are filtering out the majority of the spam before it reaches those triggers. It is the real people you want to respond to, not the spam.

There are also whitelists for major customers - or you forward to another person who sends a reply.

Spammers have made it more difficult for everyone and raised the cost of doing business on the internet in a number of ways.

If average users were aware of the problems (like your customers who don't get it that people go on vacation - what would they do if a snail mail weren't answered?), they might contribute to the solution rather than be a part of the problem.

You might put on your website or in your initial contact with the customer a short explanation of the problems with auto responses so that they don't expect email to always be 'instant' and contribute to the solution rather than shrug your shoulders and allow thousands more people to deal with the problem when a spammer chooses an out of office address.


I am not a server admin, but other admins apparently have figured out how to handle the situation. It seems obvious to me that if you filter outgoing email, you could filter outgoing auto responses and eliminate those that are responding to spam - particularly if there were a lot of them.

It may not be easy and it may cost money in additional hardware, but doing business has its expenses, like the merchant fees for credit cards (and I am old enough to remember merchants complaining about that when credit cards first became popular).

Saying you can't do something in this forum won't get you any sympathy since the ones here who are server admins manage to do it. However, they are glad to assist you in finding a solution if you want to find one.

Miss Betsy

Wouldn't work because all personal mail would be forwarded. Basically the same solution as having someone else simply check your mailbox for important mails. Reading other peoples personal mail is actually illegal in many places.

Unfortunately many customers have a notion that they're the only customer and that everybody personally is working 24/7 without breaks, sleep etc. - yes, I've awoken to a mailbox featuring a series of mails from the same customer that starts out with a support request and 15 mails and 4 hours later ending the threats about lawsuits etc.

Now, one thing is our own website - we could easily put it there, but we're also a hosting business and we have many customers with their own servers and websites and it's hard to explain to them how they should be doing business. This is the core issue - we are responsible for the connectivity but have zero influence on how our customers do business as long as they don't spam or spamvertise.

We do filter away spam before *our* auto-responders, and they only very rarely fall prey to responding to spam, but our customers have their own mailservers and thus their own auto-responders. Their responses come out through our gateways and thus it's our gateways that get listed.

The reason we enforce this gateway setup is the virus plague. We need to prevent infected machines (most of which are not under our control - they belong to customers) from drowning each other and the world in emails. Thus the simple idea that machines internally can only reach the gateway on port 25, not each other or the world.

About filtering auto-responses... Trouble is that the response itself does not contain the spam itself. It is simply a response with a unique recipient. No way to tell what it responded to. There are already loop control measures in place to prevent primitive auto-responders from responding to each other in a loop, so any given recipient can only receive one auto-response an hour from any given account. For an extended abusing spam run this still yields 24 auto-responses per 24 hours and thus a SC listing.

I would love to know how people in the hosting business like we are do manage this. Setting rules inside the same company is just a matter of deciding them and enforcing them. Doing the same across completely separate and unrelated companies are next to impossible, especially since the so-called dangers of auto-responses just doesn't seem to strike any form of sympathy. I know that a lot of people just cannot see what harm an auto-response you didn't ask for can do. Only if they're flooding your mailbox is it a problem, but a single one is nothing to get all worked up about.

Well, thank you dear spammers...

Seriously, I cannot see how you could abuse the system when all you had available were the internal headers from the spamtrapped mail (and only one for each sending IP). Sure, by carefully comparing logs with the report from the spamtrap you might be able to deduce the domain and/or target email that were the spamtrap entry, but you'd only be able to find one spamtrap per hit per listing period (24 hours) so it would take forever to find much of anything.

Clever spamtraps might also be working on specific target email adresses only (and not just a whole domain as normally done) so the spammers might even be blacklisting a whole domain when it's only a few specific email addresses that were the trap, thus easing the spam load on other addreses on the same domain.

These special (clever) spamtraps are actually easy to create. My own spamtrap (coded from scratch by your truly) works this way. Once you have a regular spamtrap listening on port 25 on some IP, you simply forward those trap email addreses from a regular MTA to the spamtrap that is specially configured to go one step backwards when resolving the IP to be blacklisted, when the immidiate source is a specific IP which actually is the MTA hosting all the emails on that domain in question (the MX host). This way servers sending mails to trap[at]example.com get listed while those sending to johndoe[at]example.com doesn't. Those traps are very hard to find and avoid even with a ton of info from the trap owner - like SC.

That seems easy to me to fix - just make it one auto-response per 24 hours. I can't imagine why anyone legitimate would send more than one email per day to someone who responded with an auto-response.

Or make your customers include the original message.

Or insist on whitelists.

I don't understand your technical suggestion. But since Julian is a really brilliant programmer, I expect there is a good reason why he doesn't do it that way.

Miss Betsy

I don't know where in the world you are, but in the US, the general idea is that company email is owned by the company because it is on the company servers. There have been many articles written about this in the IT type magazines. Many companies outright ban personal email with dismissal being a possible result. My company allows it, but with the understanding that "the company is watchting" so it can be personal, but it is not private. We regularly open mailboxes during vacations to other employees of the same department.

Back in the Dark Ages when I worked for a large consulting firm, the "what to do about email when on vacation?" was solved the same way the ringing phone on the empty desk was solved - they were forwarded to someone that cares.

As I remember the event after the vp for technology got a call from a gov. contracting officer controlling a $35M contract the word went out 'If you can't respond to a clients email or phone message within ONE business day, have someone knowledgeable with the project return the call; or pick up your last paycheck when you come back.'

The policy was put in place (both parts). Until we got better our cubical/office mate screened all our phone messages and emails twice a day while we were gone. They forwarded messages based on our directions or bumped them up the chain. == Some times technology requires human intervention. Forethought also helps. When going on business trips - call clients, tell them who to call if they have a question. Don't have time for care and feeding of clients? You may have to many.

This beats any auto-responder, saves clients and avoids SC.

This may be part of the problem that you can fix - Not the concept, but the application. When your gateway receives and passes on the messages, does it added to the headers of the message and is it in the correct format.
I can not say that this will solve your problem, as I do not know the exact logic that SpamCop uses for identifying the source of spam especially when related to spamtraps.
You may want to use a free SpamCop reporting account and try parsing a message that you can send that goes through the gateway to an address outside of any within in the domains using the gateway. When you parse the message, make sure to cancel the reports to avoid adding to the listing problem. This may provide some insight as to exactly what may be happening, and why the gateway is being listed as the source rather than just part of the path that the message takes getting to the other end.

Well, my location is Denmark (in Scandinavia, Northern Europe) and while the basic premise here is that all mail handled by company servers belongs to the company just like in the US if I understand that correctly, there has been legal cases where an employee succesfully sued a workplace for breach of privacy because he was terminated based on what was learned from his personal mail. It was some form of discrimination (he was a closet homosexual if I remember correctly) which was only revealed due to the company reading his private emails. He won the case and a substantial settlement primarily due to the invasion of his privacy the company performed. The discrimination wasn't proved to be the sole reason of his termination.

So it has ended up as a grey area - you own the mail but are not allowed to read it... That's why most employees here are encouraged to host their really personal mail elsewhere (gmail, own mailservers etc.). But there's still a need for one on one business contact, mostly because personal dialogues between someone else are just spam in everybody elses mailboxes if group addresses are used. And the minute you have a personal mailbox, the privacy rules apply, regardless of it actually being non-personal and pure business.

Anyway, that was just some background for you, so let us let this one rest and get back on topic...

I thought the topic was out of office replies and how you can communicate with your customers on why they may not use them because it gets the server listed. (I liked Lking's the best).

Miss Betsy

Yes, but also (and more important) how to locate them. I was requesting more info on spamtrap hits.

Remember our setup where everything goes through a gateway which gets listed by SC as a spamtrap feeder. Our customers may put up one of them (auto-responders) on any server which may respond to potentially all spam, thus quickly causing a SC listing - not of the actual server but the gateway which affects all customers.

Being told at SC that our gateway has sent mail to a spamtrap doesn't help at all because I'm always unable to locate the true source (the server behind the gateway). So I simply have to wait out the 24 hours doing nothing, potentially continuing the 'spam-attack', hoping that it stops on its own. I'd rather stop the thing immediately and have the gateway delisted, but I cannot stop what I cannot find. So the policy at SC shoots the cause (stopping spam and other unwanted emails) in the foot, crippling it.

I'm too busy to go back through this thread, but somewhere here I'm sure you were told you need to contact the deputies to get more information on the spamtrap hits. If you are pleasant in the way you ask and prove you are responsible for the administration of that IP address, they may be able to provide enough information to help track down the sending server.

I admit that I don't know very much about servers, but I don't understand, if you filter for outgoing, why you can't identify auto-responses when you know that there is a problem? Or why you don't require those who use your gateway to include the 'message' in returned messages so that you can filter for spam.

Another thing I don't understand is why you don't try being proactive and at least trying to inform your customers of the problem with auto responses and how to avoid the problem.

The reason I like blocklists is that it puts the burden of stopping spam on the sender rather than the recipient. I can remember legitimate ebusinesses moaning and groaning and being really nasty about the fact they got listed on spamcop back when confirmation emails were the 'solution' to mistyped email addresses, etc. Now it is the standard. I could repeat several different scenarios that were claimed to be 'unworkable' by the recipients of spamcop reports but turned out to have solutions.

As has been pointed out, the deputies are the only ones who can give you any information on email to spam traps. We (tinw) think that you have to prove that you really are the administrator and that they will give you some information - just enough to stop the problem. You will get an answer faster if your email contains all the information they need to answer the question. Since none of us are deputies, we don't know exactly what their standards or policies are.

Here in the forum, if you were interested, there might be someone who has 'solved' the problem by doing something about stopping auto-responses who would be willing to help you solve your problem.

Miss Betsy

A SpamCop spam trap has 16 or more alphanumeric letters in it meaning it has a minimum 128bit security which is considered unguessable (Bank security or better)

For your IP to get listed probably means you or someone on your network is bouncing email to return addresses

You have not sent the afflicted IP address so replies are based only on information you provide?

SpamCop when blocking IP's will only block the source IP which is the computer sending the spam If SpamCop blocks the upstream IP it means that the provider is incompetent (Exceptions are networks which send email through a "door")
Example of how SpamCop tracks to an IP
http://www.spamcop.net/sc?id=z954372779zccd9c25447bb065338ed20eb5b48aabaz
210.50.143.20 is/was my Personal computer not upstream (like the mail server it was sent through)