Full Version: SpamCop Blacklist getting toothless?
proski
I'm a paid subscriber. I have noticed that very little spam to my SpamCop address is blocked by the SpamCop blacklist. Most spam is blocked by SpamAssassin, and quite a lot of spam is getting to my INBOX.

It used to be different. Until a few months ago, I had all blacklists enabled in the blacklist configuration (http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php), and the SpamAssassin limit was set at the default 5.

Very little spam would come through. I remember that about a third of all spam, as shown by http://www.spamcop.net/reportheld?action=heldlog, was blocked by bl.spamcop.net.

Back then, the biggest problem wasn't the spam getting through - it was false positives, i.e. legitimate messages getting to the Held Mail folder. One day I got fed up with it and disabled the two blacklists that caused virtually all of the false positives - list.dsbl.org and dnsbl.sorbs.net. I also upped the SpamAssassin limit to 6 to allow some very technical posts with lots of unusual punctuation.

As one would expect, false positives became quite rare, while more spam started getting to the INBOX. But over time, the amount of spam getting through the filters grew dramatically, exceeding the legitimate e-mail traffic, including several mailing lists I'm subscribed to.

Initially, I attributed it to the increased cleverness of the spammers. However, I noticed one anomaly. Very few spams are blocked by bl.spamcop.net now. The absolute majority of spams are blocked by SpamAssassin, even with the limit increased to 6. I don't have any reliable statistics, but bl.spamcop.net catches one or two of the 100-150 spams I'm getting in a day. I would say bl.spamcop.net almost certainly catches less than 5% of the spam I'm getting.

I'm reporting all the spam that comes to me. My average reporting time is 4 hours. Am I wasting my time on those reports? Is bl.spamcop.net getting too lenient to spammers?
agsteele
I recall this question being asked previously in the Email forum.

What we don't know is the order in which the various spam tests are performed. If the SpamAssassin score is checked first then that will trap much spam before the blocklist check.

Andrew
DavidT
QUOTE(agsteele @ Sep 28 2006, 03:11 PM)
What we don't know is the order in which the various spam tests are performed. If the SpamAssassin score is checked first then that will trap much spam before the blocklist check.

I'm pretty sure that the SA routine happens first, because according to the headers of messages put into our Held Mail due to the SA score, the IP addresses aren't even checked...here's an example:

X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=11

whereas the next item in my current Held Mail is more like this:

X-SpamCop-Checked: 192.168.1.101 x.x.x.x x.x.x.x 219.114.33.118
X-SpamCop-Disposition: Blocked bl.spamcop.net

(I masked the two IPs having to do with my Mailhosts)

My experience lately has been similar....very few items caught by the SCBL, but this may simply be a function of them being so "spammy" as to exceed the SA threshold I've defined, at which point the checking stops.

DT
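As an added illustration (not code from the thread or from SpamCop), here is a small Python script that parses the X-SpamCop-Checked / X-SpamCop-Disposition header pairs quoted above from a constructed held-mail sample, tallies which filter held each message (the reliable per-filter statistic the opening post says it lacks), and checks the ordering evidence described above: SpamAssassin holds carry an empty X-SpamCop-Checked, DNSBL holds list the IPs that were looked up. The sample headers and IPs are made up.

```python
import re
from collections import Counter
# Constructed sample in the header format quoted above (not real mail); mailhost
# IPs masked as x.x.x.x like the poster did, other IPs from RFC 5737 ranges.
SAMPLE_HELD_MAIL = """\
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=11

X-SpamCop-Checked: 192.168.1.101 x.x.x.x x.x.x.x 203.0.113.7
X-SpamCop-Disposition: Blocked bl.spamcop.net

X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=7

X-SpamCop-Checked: 192.168.1.101 x.x.x.x x.x.x.x 192.0.2.55
X-SpamCop-Disposition:
"""

def parse_held_mail(text):
    """Blank-line-separated header blocks -> list of (checked_ips, disposition)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        checked, disposition = [], ""
        for line in block.splitlines():
            name, _, value = line.partition(":")
            if name.strip() == "X-SpamCop-Checked":
                checked = value.split()
            elif name.strip() == "X-SpamCop-Disposition":
                disposition = value.strip()
        records.append((checked, disposition))
    return records

def blocking_filter(disposition):
    """Name the filter that held a message; an empty disposition means delivered."""
    if not disposition:
        return "passed"
    if re.search(r"SpamAssassin=\d+", disposition):
        return "SpamAssassin"
    return disposition.replace("Blocked", "").strip()

def tally(records):
    """Per-filter counts: the reliable statistic the opening post says it lacks."""
    return Counter(blocking_filter(d) for _, d in records)

def spamassassin_ran_first(records):
    """Test-order evidence: SA holds list no checked IPs, DNSBL holds do."""
    kinds = [(ips, blocking_filter(d)) for ips, d in records]
    sa = [ips for ips, k in kinds if k == "SpamAssassin"]
    bl = [ips for ips, k in kinds if k not in ("SpamAssassin", "passed")]
    return bool(sa and bl) and not any(sa) and all(bl)
```

Run it over a real Held Mail export (the same two headers per message) to get the actual share caught by bl.spamcop.net versus SpamAssassin instead of guessing.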
Wazoo
My recollection was that SpamAssassin is pretty much first, the SpamCopDNSBL last .... However, not finding a post from JT that actually says this in here .... noting that all the SpamAssassin discussion stuff dates back to the early 2004 timeframe .. which suggests that it may have possibly been a newsgroup post ... different search criteria, too many windows open for too long here, I'll let the search work get handled by someone else ....
proski
QUOTE(DavidT @ Sep 28 2006, 06:33 PM)

My experience lately has been similar....very few items caught by the SCBL, but this may simply be a function of them being so "spammy" as to exceed the SA threshold I've defined, at which point the checking stops.

Anyway, I think I see more spam getting through than blocked by SCBL. And it's pretty "spammy", although it lacks the exact characteristics SpamAssassin is looking for. It also has patterns suggesting that spam is sent by the same people.

The spam that gets through all the time:

spam containing "pußIicidad" in subject, always from Peru
Canadian pharmacy
"Russian teens", usually misspelled and with a female name in From
pump-and-dump using a GIF image for the message and some meaningless text

Spam that used to get through until I put them to my personal blacklist:

bizsyscon.com (radio hardware)
mwart.com (medieval weapons)
beautysak.com (cosmetics)

I've just disabled all blacklists and SpamAssassin, leaving only SCBL. Let's see what I'll get overnight.
StevenUnderwood
QUOTE(proski @ Sep 28 2006, 06:05 PM)

It used to be different. Until a few months ago, I had all blacklists enabled in the blacklist configuration (http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php), and the SpamAssassin limit was set at the default 5.

That is my configuration just about since I started with SpamCop ~4 years ago. I have very few false positives after whitelisting for the first month or so. I have maybe a dozen or so entries in the whitelist. My percentage of spam into the inbox has varied a little from time to time, but always back to a normal false negative of about 1/month.

SpamAssassin was placed as the first scan about a year ago now. My first post on the subject is here: http://forum.spamcop.net/forums/index.php?...ost&p=35389
proski
QUOTE(StevenUnderwood @ Sep 28 2006, 06:51 PM)

SpamAssassin was placed as the first scan about a year ago now.

Thanks for the link! That answers some of my questions.
I should have concentrated my initial post on one problem, namely SCBL being ineffective.
So far, 1 of 4 spams has been blocked:

[52224] yamasaki2525[at]hotmail.co.jp (=?ISO-2022-JP?B?GyRCJWIlSyU/ITw1XkpnPTghKiEqGyhC?= Preview )
Thu, 28 Sep 2006 19:33:59 -0400 (Blocked bl.spamcop.net)
[52225] lznoiybdszl[at]yahoo.co.jp (=?iso-2022-jp?B?GyRCTSUkNyQkOEBNVSRyJCskMSRGJCQkPyRAJCQkPyQzJEghIjtkJE8bKEI=?= Preview )
Thu, 28 Sep 2006 19:34:22 -0400 ()
[52226] tomwblvq[at]acculab.com (Young aphrodisiac Cuties good Videeo! Preview )
Thu, 28 Sep 2006 17:14:58 -0400 ()
[52227] jaimeerhart[at]x-provider.com (Oristano/ E' morto il parlamentare di Forza Italia Ignazio Manunza Preview )
Thu, 28 Sep 2006 17:49:13 -0500 ()

I bet I saw that "aphrodisiac cuties" spam in my INBOX earlier today and reported it. If dynamic IP filtering (SCBL) plus static content filtering (SpamAssassin) are ineffective, maybe we should be thinking about dynamic content filtering? That's surely a topic for the "feature requests" section.
StevenUnderwood
QUOTE(proski @ Sep 28 2006, 08:22 PM)

Thanks for the link! That answers some of my questions.
I should have concentrated my initial post on one problem, namely SCBL being ineffective.
So far, 1 of 4 spams has been blocked:

Unless you provide us the Tracking URLs for those messages, we will not be able to tell you why they were allowed through. In the past few years, there have been only a few times where spam was regularly slipping through. Usually, it only lasts for a couple of days until the filters catch up.
dra007
I am experiencing the same high rate of slip-throughs with similar settings; I will bring some tracking URLs next time I report. Oddly, SpamPal recognizes the majority of these and it uses similar filtering.
Wazoo
QUOTE(proski @ Sep 28 2006, 07:22 PM)
I bet I saw that "aphrodisiac cuties" spam in my INBOX earlier today and reported it. If dynamic IP filtering (SCBL) plus static content filtering (SpamAssassin) are ineffective, maybe we should be thinking about dynamic content filtering? That's surely a topic for the "feature requests" section.

and for that, my original search pattern would work, again referencing 2004 discussions in here .... using the 'word' link Search at the top of the screen .... SpamAssassin as the keyword, jefft as the poster, select "as posts" ... do it .... a number of discussions, attempts, results on various 'additional' tools, bits, etc.
proski
QUOTE(StevenUnderwood @ Sep 28 2006, 09:04 PM)

Unless you provide us the Tracking URLs for those messages, we will not be able to tell you why they were allowed through.

These are the four spams that slipped through SCBL since I turned off other filters:

http://www.spamcop.net/sc?id=z1082903827z6...87d9d2eb2745aez
http://www.spamcop.net/sc?id=z1082903838z4...5241fad58efed3z
http://www.spamcop.net/sc?id=z1082903847zb...31d97fb62ddb1fz
http://www.spamcop.net/sc?id=z1082988037z2...b5a252abceda20z
Wazoo
First glance .. compromised computers .. not enough reports yet to get listed ...
dra007
Here are some that slipped through in my case:

http://www.spamcop.net/sc?id=z1083376674z0...a39446c05438baz
http://www.spamcop.net/sc?id=z1083376678z7...17ef0333a441dcz
http://www.spamcop.net/sc?id=z1083376684z3...1f8966e99053c5z
http://www.spamcop.net/sc?id=z1083376688z9...5f80f021eae520z

These are but a few of many I reported this morning; all but 1 were, however, picked up by SpamPal!
DavidT
Here's one that slipped through:

http://www.spamcop.net/sc?id=z1083657607z5...f665721b1c5a10z

The source wasn't on the SCBL because nobody else has reported it yet. Maybe we need more reporters, assuming that the spam sources seem to be multiplying?

Also, I'm a bit surprised that SpamAssassin only scored this one with 0.7, given the body and the Geocities URL:

QUOTE
Dear Home Owner,

Your crd. rating doesn't matter to us. If you own property
and need immediate capital to use any way you want or simply want
to cutback your monthly payments by a third or more,
fill out this simple, secure one minute form for an instant quote.
No sensitive information will be asked on the form

Don't worry about acceptance, your cr. will not disqualify you
we specialize in all kinds of ratings.

(url deleted)

Regards,
Cole Peoples
Approval Manager

________________________________________________
fun stuff:

bonnet it applicate may absorption try apron be
chemotherapy be afire it apparel be broadside and
ceres it cauliflower a contort see acetic the
betray it's doctrinaire a calamus may cutset may
cutout some clip not albany but brainstorm it's
artillery be befit in deforest a bricklaying may
coroutine but centerline and beachcomb try dialect not


The SA tests mentioned in the headers that I withheld were: "SARE_SPEC_XXGEOCITIE5,UNPARSEABLE_RELAY" (and yes, I carefully mess with the headers....the spam sources don't need to know the details of my filtering technology....they only need to see what the headers *would* have looked like without all that extra processing).

I previously had my Brazil and Argentina blocklists turned "off" in my SC email settings, but I've just turned them "on" as well as the other two that I wasn't using, and lowered my SA threshold to 4.

BTW, a lot of the stuff in this topic is specific to SC Email accounts, but it started off being about the SCBL, so I suppose it still belongs here in the Blocklist Help forum.

DT
proski
The net result is that about one third of spam is caught by SCBL. Perhaps my e-mail address is known to the "best" spammers using the most "advanced" methods of spam delivery via zombies.
dra007
Obviously you are not alone!
DavidT
QUOTE(proski @ Sep 29 2006, 03:13 PM)
The net result is that about one third of spam is caught by SCBL.

I don't think that's a bad statistic...it would be nice if it were higher, but the number of zombies seems to have grown exponentially, so the SCBL can only keep up with that if reporting activity is similarly increased, and perhaps if the thresholds for listing an IP were made more aggressive. Failing that, we must rely on a "cocktail" of multiple BLs and SpamAssassin, which can bring the amount caught/blocked/held/whatever much closer to 100%, with few false positives.

DT
Paranoid2000
QUOTE(DavidT @ Sep 29 2006, 05:37 PM)

Also, I'm a bit surprised that SpamAssassin only scored this one with 0.7, given the body and the Geocities URL
Email filters really need to be looked at as stop-gap solutions - they do nothing to discourage spammers from spamming (if anything, they'll spam even more to try to bypass them). Therefore spam victims need to consider more aggressive strategies to deter spammers, specifically ones that harm their business (or "bizness").

In the case of "refi spam", there is a simple solution - the KS FormFiller Refi extension for Firefox that makes it easy to swamp such sites with fake leads. Do this often enough for long enough and the spammers will eventually wise up and drop you from their lists (it's worked for me). This is discussed further in the Refi FormFiller (GreaseMonkey) v1.0 thread.
turetzsr
QUOTE(Paranoid2000 @ Oct 9 2006, 04:02 AM)
<snip>
In the case of "refi spam", there is a simple solution - the KS FormFiller Refi extension for Firefox that makes it easy to swamp such sites with fake leads.
...That doesn't sound like a good idea. It's doing the same thing spammers do -- hog up the internet with garbage.
QUOTE(Paranoid2000 @ Oct 9 2006, 04:02 AM)
Do this often enough for long enough and the spammers will eventually wise up and drop you from their lists (it's worked for me).
<snip>
...This sounds like listwashing, which others in these fora have mentioned to be something not to be encouraged.
Invision Power Board © 2001-2009 Invision Power Services, Inc.