Parsing of incoming SpamCop mail

[PeterJ]

I am a SpamCop mail user. I have some questions regarding how SpamCop handles incoming mail as my IP is currently on DSBL. Here are the headers from a message I sent to my wife a couple days ago to help illustrate my question:

(EDIT: I forgot to mention that my wife also has a SpamCop mail account, so this sample message was sent from my Windows mail client using our ISPs SMTP server and received by her SC mail account)

Return-Path: <X[at]devnull.spamcop.net>

Delivered-To: spamcop-net-Z[at]devnull.spamcop.net

Received: (qmail 24031 invoked from network); 2 May 2004 00:47:29 -0000

Received: from unknown (192.168.1.101)

  by blade6.cesmail.net with QMQP; 2 May 2004 00:47:29 -0000

Received: from smtp802.mail.sc5.yahoo.com (66.163.168.181)

  by mailgate.cesmail.net with SMTP; 2 May 2004 00:47:28 -0000

Received: from unknown (HELO spamcop.net) (X[at]ameritech.net[at]67.36.58.194 with plain)

  by smtp802.mail.sc5.yahoo.com with SMTP; 2 May 2004 00:47:25 -0000

Message-ID: <>

Date: Sat, 01 May 2004 20:47:17 -0400

From: X <X[at]devnull.spamcop.net>

User-Agent:

X-Accept-Language: en-us, en

MIME-Version: 1.0

To: Y

CC: Z[at]devnull.spamcop.net>

Subject: [Fwd: Northwest...

Content-Type: multipart/mixed;

boundary="------------010202030601000201010901"

X-spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on blade6

X-spam-Level:

X-spam-Status: hits=0.8 tests=CLICK_BELOW,HTML_40_50,HTML_FONTCOLOR_UNKNOWN,

HTML_FONT_BIG,HTML_MESSAGE,LINES_OF_YELLING,LINES_OF_YELLING_2

version=2.63

X-SpamCop-Checked: 192.168.1.101 66.163.168.181 67.36.58.194

X-SpamCop-Disposition: Blocked list.dsbl.org

First I understand that I can simply force my broadband modem to get a new IP address, but for now I want to keep this slightly poisoned IP so that I might understand better.

I use SBC Yahoo for a DSL connection and my IP for now is 67.36.58.194. I did upgrade my firmware on my router recently, so I probably got a new IP after that.

I read here and elsewhere that many people do not accept mail from dynamic IPs (of course), therefore one with a dynamic IP should send mail via their ISP. Well this is where I am a little confused because the above sample is a mail that I sent via SBC Yahoo's SMTP server, so why would SpamCop hold the above mail?

Does SpamCop test every IP in the headers when considering what to hold?

Is there a similar and parallel process to the "mailhosts" implementation for reporting, perhaps behind the scenes, for incoming mail? Or maybe the mailhosts data is utilized by the parsing process on incoming mail...

It seems to me that SpamCop could simply recognize that the email came from a legitimate SMTP server (66.163.168.181) and continue without testing my actual IP address.

Thinking aloud: Is the reason this will not work because although many spammers are using open proxies now, some are still using throwaway dial up accounts and actually sending through the ISPs SMTP instead of direct to MX?

As this whole open proxy thing continues to blow up, it seems to me that pollution of dyamic IP pools is going to continue to get worse. Does anyone know if spammers are using "thowaway" broadband accounts? It can't be cheap enough for this yet, can it?

Ok, someone bring me up to speed on this please.

[StevenUnderwood]

BTW, that IP is no longer listed:

67.36.58.194 not listed in bl.spamcop.net

I read here and elsewhere that many people do not accept mail from dynamic IPs (of course), therefore one with a dynamic IP should send mail via their ISP. Well this is where I am a little confused because the above sample is a mail that I sent via SBC Yahoo's SMTP server, so why would SpamCop hold the above mail?

Does SpamCop test every IP in the headers when considering what to hold?

To answer the last question first, yes, spamcop checks all of the IP's a message has gone through when determining if a spamsorce has touched it. This is possible because spamcop accepts the entire message and simply holds it separate from clean messages.

Most servers are configured to use DNSBL's to reject email during the initial connection. During that time, the only thing that the server knows about the connection is the IP of that server and possibly what that server is calling itself (HELO). In this type of configuration, your message would have been accepted because the connecting server was not listed.

Is there a similar and parallel process to the "mailhosts" implementation for reporting, perhaps behind the scenes, for incoming mail? Or maybe the mailhosts data is utilized by the parsing process on incoming mail...

No. Every IP is tested against the bl's and/or the body is sent through spamassasin you have configured.

It seems to me that SpamCop could simply recognize that the email came from a legitimate SMTP server (66.163.168.181) and continue without testing my actual IP address.

Then a message sent from an IP that was recently reported as having sent spam would get through, exactly what the users of the spamcop email service do not want. If that were the case, a home spammer could send all the spam he wanted "direct to MX" and still use the IP for personal use by relaying through the unlisted ISP server.

As this whole open proxy thing continues to blow up, it seems to me that pollution of dyamic IP pools is going to continue to get worse.

The only people it will affect are those sending to users of spamcop (and similar services) that check every IP the mail has traversed. Normally, if sending through your ISP, the message above would not be stopped. And the messages sent to spamcop are held for you to handle as you see fit.

The new mailhost configuration will report these open proxies and get them on the list. This will act to notify them that they are assisting spammers, hopefully forcing the owners of the machine to clean it up when every IP they get becomes corrupt because of their machine.

Hope this helps. Please ask any further questions you may have.

[PeterJ]

BTW, that IP is no longer listed:

67.36.58.194 not listed in bl.spamcop.net

Thanks Steve. Your information is most useful. I just wanted to clarify that I never mentioned being on the spamcop block list, only on DSBL. I think I will hold on to this IP address for a while and see if I can make it "good" again. I already submitted the address for removal at DSBL.

The main question I wanted answered was whether or not SpamCop checks *every* IP address on received mail. I will either adjust my blocklist settings for SpamCop mail or get a different dynamic IP to solve the issue when I need/want to.

I suppose I could complain to SBC Yahoo that I received a tainted IP, but I am not sure that this is useful. But just in case, does anyone have an open letter to broadband providers regarding stopping open proxy abuse on their network?

I ask this because I do not pretend that SBC is innocent and I am a customer so theoretically could apply pressure; especially as renewal time approaches...

The new mailhost configuration will report these open proxies and get them on the list. This will act to notify them that they are assisting spammers, hopefully forcing the owners of the machine to clean it up when every IP they get becomes corrupt because of their machine.

Hopefully...only if the ISPs do something about it.