Full Version: Spams coming into inbox even though sending IP is on blocklist
jongrose
I have been under the assumption for a while that the SC email system is not parsing sending IPs through all the blocklists I have selected. Today, I did a check and noticed that this does seem to be the case. I have been meaning to check into this in the past, but I haven't had time. So, for now, this post only contains 2 email examples that have slipped through the blacklist filtering system. I will post more if need be, as they come into my inbox and are not placed in Held Mail.

Right now I have all blocklists enabled, except CBL since you should be able to use SpamHaus's XBL as it feeds from the CBL. SpamAssassin is set to level 5.

First email:
http://www.spamcop.net/sc?id=z1322355043z0...4a8be7ba5ca17cz
IP: 85.108.206.134
Listed in SpamHaus XBL: http://www.spamhaus.org/query/bl?ip=85.108.206.134
Listed in SORBS:

QUOTE
Dynamic IP Space (LAN, Cable, DSL & Dial Ups)
Netblock: 85.108.0.0/16 (85.108.0.0-85.108.255.255)
Record Created: Fri Mar 17 23:37:05 2006 GMT
Record Updated: Fri Mar 17 23:37:05 2006 GMT
Additional Information: Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment.
Currently active and flagged to be published in DNS


Second email:
http://www.spamcop.net/sc?id=z1322368954z7...1b8e6f981cd79az
IP: 83.5.240.245
Listed in SpamCop (prior to me reporting it): http://www.spamcop.net/w3m?action=checkblo...ip=83.5.240.245
Listed in SORBS:

QUOTE
Dynamic IP Space (LAN, Cable, DSL & Dial Ups)
Netblock: 83.5.0.0/16 (83.5.0.0-83.5.255.255)
Record Created: Fri Mar 23 19:05:38 2007 GMT
Record Updated: Fri Mar 23 19:05:38 2007 GMT
Additional Information: [#153721 TPCERT Supplied)] Dynamic/Generic IP/rDNS address, use your ISPs mail server or get rDNS set to indicate static assignment.
Currently active and flagged to be published in DNS


So, is there someone I need to contact to let them know about this problem?
StevenUnderwood
QUOTE(jongrose @ Jun 9 2007, 04:42 PM) *

So, is there someone I need to contact to let them know about this problem?

That would be JT, the admin of the email service. I cannot support your claim with more evidence; however, I know I have had spam held by at least the SpamCop BL within the last week.

There is a web link in the FAQ. I have had good luck using the support[at]spamcop.net address as well.
jongrose
QUOTE(StevenUnderwood @ Jun 9 2007, 08:05 PM) *

That would be JT, the admin of the email service. I can not support your claim with more evidence, however as I know I have had spam held by at least the spamcop bl within the last week.

There is a web link in the FAQ. I have had good luck using the support[at]spamcop.net address as well.


It seems to be sporadic and I can't say when or why it will occur. I've noticed spams in my held mail that were blocked by SPBL and SpamHaus in the recent past, but it's almost ALWAYS blocked by SpamAssassin. If it passes through SA then it seems to make it into my inbox, even if it shows up as an open proxy/relay when I report it.

I'm not 100% sure of the mechanisms behind SA, but I believe that it does check some blacklists itself.
StevenUnderwood
QUOTE(jongrose @ Jun 9 2007, 11:46 PM) *

If it passes through SA then it seems to make it into my inbox, even if it shows up as an open proxy/relay when I report it.

I'm not 100% sure of the mechanisms behind SA, but I believe that it does check some blacklists itself.

SA is currently checked first and if it does not pass, no further checks are made. I only have a small percentage that get checked by the DNSBL's, but have only had one spam slip by the filters in the last 60 days.

To answer your PM (this is a public forum to share information), I provided the email address in my original response and you even quoted it.

Also, possibly in play here, is the recent report of a DDoS against many of the DNSBL's ( http://www.channelinsider.com/article/Anti...e/209254_1.aspx )
jongrose
QUOTE(StevenUnderwood @ Jun 10 2007, 06:51 AM) *
To answer your PM (this is a public forum to share information), I provided the email address in my original response and you even quoted it.


Okay, that was just a misunderstanding by me. I thought the support address was an alternate address for getting in touch with SC support. I actually don't know who JB is, although I see his/her initials posted frequently here.

QUOTE(StevenUnderwood @ Jun 10 2007, 06:51 AM) *
Also, possibly in play here, is the recent report of a DDoS against many of the DNSBL's ( http://www.channelinsider.com/article/Anti...e/209254_1.aspx )


True, and that is always an ongoing thing with DNSBLs. However, I would assume that if I use their lookup interface on their website then that should indicate that the blocklist is functioning, as it is at least able to query their database. I also checked the story from ISC, and they are also reporting that an SA rules list that's widely used is offline too. Does SpamCop host its own SA rules?
http://isc.sans.org/diary.html?storyid=2940

On a side note, there are now some very effective methods to combat against DoS attacks. Service provider Prolexic has technology for hosting sites and server software/hardware to help slow and stop these kinds of attacks. Unfortunately, their services are pretty expensive, so I doubt that non-profit BLs have the kind of capital to use those kinds of defensive measures.

QUOTE(StevenUnderwood @ Jun 10 2007, 06:51 AM) *
SA is currently checked first and if it does not pass, no further checks are made. I only have a small percentage that get checked by the DNSBL's, but have only had one spam slip by the filters in the last 60 days.


Let me make sure I understand you. Are you saying that all incoming emails are only checked by SA, and the sending IP address is not being passed through the DNS blacklists that the user has enabled under Options, SpamCop Tools, Select your email filtering blacklists?
StevenUnderwood
QUOTE(jongrose @ Jun 10 2007, 05:03 PM) *

However, I would assume that if I use their lookup interface on their website then that should indicate that the blocklist is functioning, as it is at least able to query their database.

Not always a good assumption. Web pages are generally designed to wait a much longer time to display the information than most DNS lookups would wait.
QUOTE(jongrose @ Jun 10 2007, 05:03 PM) *

Let me make sure I understand you. Are you saying that all incoming emails are only checked by SA, and the sending IP address is not being passed through the DNS blacklists that the user has enabled under Options, SpamCop Tools, Select your email filtering blacklists?
No, but the DNSBL's are only checked if the SA rule does not "call it spam". If SA score is lower than your setting, then the first DNSBL is checked, if negative, the next one is checked, etc.
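The two points made above (SA is consulted first and the DNSBLs only afterwards, one at a time; and a list whose website answers may still time out on the short DNS lookups a mail server uses) can be shown as a small filter model. This is an added example, not SpamCop's code and not posted by anyone in the thread. It assumes the public query zones bl.spamcop.net, zen.spamhaus.org and dnsbl.sorbs.net; the listing return codes in the sample table and the sending IP are constructed for the demonstration.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# Threshold matching the original poster's "SpamAssassin is set to level 5".
SA_THRESHOLD = 5.0

# Blocklists consulted in order, only when SA did not already call it spam.
DNSBL_ZONES = ("bl.spamcop.net", "zen.spamhaus.org", "dnsbl.sorbs.net")

# A resolver maps a DNS name to its A record, returns None for NXDOMAIN
# (not listed), and raises TimeoutError when the list does not answer in time.
Resolver = Callable[[str], Optional[str]]


def reversed_ip(ip: str) -> str:
    """Reverse the octets of an IPv4 address: 1.2.3.4 -> 4.3.2.1."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split(".")))


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the name a DNSBL expects: <reversed octets>.<zone>."""
    return f"{reversed_ip(ip)}.{zone}"


def live_resolver(timeout_seconds: float = 2.0) -> Resolver:
    """Real lookup with the short timeout a mail server would use."""
    def resolve(name: str) -> Optional[str]:
        socket.setdefaulttimeout(timeout_seconds)
        try:
            return socket.gethostbyname(name)
        except socket.gaierror:
            return None  # NXDOMAIN: the IP is not listed in this zone
        except socket.timeout:
            raise TimeoutError(name)
    return resolve


def stub_resolver(table: Dict[str, Optional[str]],
                  slow: Iterable[str] = ()) -> Resolver:
    """Offline resolver for testing: answers from a constructed table and
    simulates an overloaded list for names in `slow`."""
    slow_names = set(slow)

    def resolve(name: str) -> Optional[str]:
        if name in slow_names:
            raise TimeoutError(name)
        return table.get(name)
    return resolve


def check_dnsbl(ip: str, zone: str, resolve: Resolver) -> Tuple[str, Optional[str]]:
    """Return ('listed', code), ('clean', None) or ('timeout', None)."""
    try:
        code = resolve(dnsbl_query_name(ip, zone))
    except TimeoutError:
        return ("timeout", None)
    return ("listed", code) if code else ("clean", None)


def classify(ip: str, sa_score: float, resolve: Resolver,
             zones: Iterable[str] = DNSBL_ZONES,
             threshold: float = SA_THRESHOLD) -> Tuple[str, str]:
    """Filter order as described in the thread: SA first; if the score is
    below the threshold, walk the DNSBLs in order and hold on the first hit.
    A timed-out list is treated like a miss, which is exactly how a list that
    is under load lets a listed sender reach the inbox."""
    if sa_score >= threshold:
        return ("held", f"spamassassin score {sa_score} >= {threshold}")
    for zone in zones:
        status, code = check_dnsbl(ip, zone, resolve)
        if status == "listed":
            return ("held", f"{zone} returned {code}")
        # "clean" and "timeout" both fall through to the next list
    return ("inbox", "passed SA and all DNSBLs")


if __name__ == "__main__":
    # Constructed data: the sender is listed in the Spamhaus zone only.
    ip = "85.108.206.134"
    table = {dnsbl_query_name(ip, "zen.spamhaus.org"): "127.0.0.4"}  # code constructed
    print(classify(ip, 3.1, stub_resolver(table)))
    # Same sender, but the Spamhaus lookup times out: mail reaches the inbox.
    print(classify(ip, 3.1, stub_resolver(table, slow=[dnsbl_query_name(ip, "zen.spamhaus.org")])))
```

The second run in the usage block is the case the thread is circling: the IP is listed, the list's website would still show it as listed, yet the message is delivered because the mail server's lookup gave up before an answer arrived. Logging the "timeout" status separately from "clean" is what lets an operator tell the two apart.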
petzl
QUOTE(StevenUnderwood @ Jun 10 2007, 10:45 PM) *


No, but the DNSBL's are only checked if the SA rule does not "call it spam". If SA score is lower than your setting, then the first DNSBL is checked, if negative, the next one is checked, etc.

You can check what SpamAssassin (SA) assigns for each IP listed on a blocklist here (this is for ver 3.1; the latest SA is 3.2). If listed on SpamCop's SCBL, a score of 1.332 or 1.558 is added depending on set-up.
http://spamassassin.apache.org/tests_3_1_x.html
I do not believe this is a dynamic link (as SpamCop emails are) for a DNSBL look-up; not sure how often it is renewed.

I believe SA is checked first, then the whitelist; if passed, SpamCop email then checks your blacklist and other DNSBL's. If whitelisted it will deliver; your whitelist bypasses all other blocks including the blacklist.

It helps to have in your blacklist country specific blocks like br, de, cn, pl, it, uk, mx, ro and so on if you do not on a normal basis receive email from these countries. A full email address on your whitelist will bypass such blocks
Wazoo
QUOTE(jongrose @ Jun 10 2007, 04:03 PM) *
Okay, that was just a misunderstanding by me. I thought the support address was an alternate address for getting in touch with SC support. I actually don't know who JB is, although I see his/her initials posted frequently here.

Section 8 - SpamCop's System & Active Staff User Guide