
Gmail's server blocked


...I respectfully disagree.  See my reply in thread "[Resolved] Gutsy spammer", under the second quote, and replies following.

33694[/snapback]

Hi Steve,

I understand the wider arguments regarding tagging and blocking. I was using language similar to the OP to make the point that there are bigger issues to consider than the ones he was objecting to. No disrespect was taken and I'm not even sure I fully agree with myself ;-)

Andrew

Share this post


Link to post
Share on other sites
You are partly right here.  The major problem is that most spam messages also contain forged IP addresses in the headers, so to rely on the source IP would be to list innocent IP addresses.  SpamCop has chosen to list the last known valid IP address as the source of the spam, even if it is not the true source, it still is the path through which the spam went and could have been stopped. 

33712[/snapback]

Spamcop doesn't list the last known IP address. It lists the first known email address in the list of Received headers, i.e. the earliest verifiable IP address in the path the email takes. If there is more than one transmission it is not the same address that most systems use when determining whether to refuse or discard a message. And SpamCop does an excellent job in this respect. I report spam manually, I usually look at SpamCop analysis of headers, and almost always there are forged Received headers and SpamCop seems to stop at exactly the right header and avoid the forged ones. However, one thing that makes it possible is spammers' stupidity. It is possible to forge Received headers in a way that would be indistinguishable from real headers, by simulating the real process of email transmission. Now that spamming is moving from little private enterprises run from mobile homes in Florida to a more global mega-business run by the Russian mafia things might change in this respect. The Russian mafia has the resources to hire unemployed scientists or former KGB employees that can do a much better job than the script kiddies that used to run the spamming business. The fact that they haven't done it so far is that this kind of blocking probably doesn't bother them.

There's another more important aspect of the difference between what is listed and what is checked by blocking software: SpamCop's original mission is to pinpoint the machine where spam actually originates and make it easy for network admins to find and eliminate the nuisance. If blocking software using spamcop would actually do the same kind of header analysis (like in spamcop mail service) and check this originating IP against the SCBL, what would happen is like this: Joe User (after visiting several pron sites and gambling sites) would catch a spam relaying trojan. Joe User's PC would become a zombie PC, part of a botnet of spam relays, and start sending out spam. It would get listed on SpamCop. Joe would then try to send out email to the friends he hangs out with on Thursday nights and some of it would bounce stating SCBL. Joe would call his ISP and complain. The ISP would check the SpamCop listing and tell Joe the problem is his PC is infected and he should clean it, and perhaps also tell him how to clean it. The spam from Joe's machine stops, and perhaps at the same time Joe learns a bit about ways to watch pron and gamble without getting infected... But what happens right now is that Joe's machine can continue to send out spam, and Joe can still send out email through his ISP, because the recipients' servers check the IP address of Joe's ISP server against SCBL and not the IP of Joe's PC. Using this IP for blocking spam works fairly well since zombie PCs send out email directly. But there is no incentive for the ISP to get rid of the spam relays on their customers' PCs. Actually it's better for them that these IP addresses remain listed.

If what we want is to stop spammers, then it is better to promote using SCBL the correct way. If email recipients use it correctly, then the ISPs of senders would have a financial incentive to keep their networks clean (avoid the cost of customer service related to blocked outgoing email). If it is used the incorrect way, it actually makes a negative incentive: it is cheaper not to deal with the problem than to deal with it.

Share this post


Link to post
Share on other sites
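The difference the post above draws between the IP a receiving server checks at SMTP time and the earliest verifiable IP in the `Received` chain, as an added example that is not part of the original thread and is not SpamCop's parser. It is a simplified trust walk over constructed headers; the host names, the documentation-range addresses and the `KNOWN_RELAYS` table are assumptions.

```python
import ipaddress
import re

# Matches "from <helo> (<rdns> [<ip>]) by <host>" in one Received header.
HOP_RE = re.compile(
    r"from\s+\S+\s+\((?:\S+\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)\s+by\s+(?P<by>[^\s;]+)"
)

# Constructed sample, newest header first (the order they appear in a message).
# The last header was written by the sending PC itself and is forged.
RELAYED = [
    "from smtp.isp.example (smtp.isp.example [198.51.100.25]) "
    "by mx.recipient.example with ESMTP; Thu, 6 Oct 2005 01:00:03 -0400",
    "from joe-pc (dsl-17.isp.example [203.0.113.17]) "
    "by smtp.isp.example with ESMTP; Thu, 6 Oct 2005 01:00:01 -0400",
    "from mail.bank.example (mail.bank.example [192.0.2.99]) "
    "by joe-pc with SMTP; Thu, 6 Oct 2005 00:59:00 -0400",
]
# Constructed sample: the same PC delivering straight to the recipient's MX.
DIRECT = [
    "from joe-pc (dsl-17.isp.example [203.0.113.17]) "
    "by mx.recipient.example with ESMTP; Thu, 6 Oct 2005 01:00:01 -0400",
    RELAYED[2],
]

# Assumption: relays whose headers we are willing to believe, IP -> host name.
KNOWN_RELAYS = {"198.51.100.25": "smtp.isp.example"}


def trace(received, my_mx, known_relays):
    """Return (connecting_ip, earliest_verifiable_ip) for one message."""
    expected_by = my_mx.lower()
    connecting = earliest = None
    for header in received:
        hop = HOP_RE.search(header)
        if hop is None or hop.group("by").lower() != expected_by:
            break  # not written by a host we trust: stop believing the chain
        try:
            ip = str(ipaddress.ip_address(hop.group("ip")))
        except ValueError:
            break  # malformed address literal: treat the header as unusable
        if connecting is None:
            connecting = ip  # what a server checks when it blocks at SMTP time
        earliest = ip
        if ip not in known_relays:
            break  # an untrusted sender: everything below it may be forged
        expected_by = known_relays[ip].lower()
    return connecting, earliest


def dnsbl_name(ip, zone="bl.spamcop.net"):
    """Build the DNS name a DNSBL client looks up for an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


if __name__ == "__main__":
    for label, msg in (("relayed", RELAYED), ("direct", DIRECT)):
        conn, origin = trace(msg, "mx.recipient.example", KNOWN_RELAYS)
        print(label, "checked at SMTP time:", dnsbl_name(conn))
        print(label, "earliest verifiable: ", dnsbl_name(origin))
```

For the relayed message the two lookups differ (the ISP's smarthost versus the customer's PC); for the direct delivery they are the same address, which is the case where connection-time blocking already hits the right machine.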
There is absolutely NO reason for a server to be sending email to an address that has never been used for any reason but being hidden on a web page someplace.  Either gmail allows spammers to use their service in a high enough percentage to be blocked, or they don't.  The other possibility is that gmail is bouncing non-deliverable messages to the forged email addresses in messages which happen to be spamtraps.

Steven, I completely agree that there is no reason for a human being to be sending email to a spamtrap address. However, the fact that it's happening (whether maliciously or not) has massive consequences in this case.

Blocking (or tagging) all Gmail, or Hotmail, or AOL, etc, messages as "spam" - simply because one miscreant has sent an email to a spamtrap - is using a very big sledgehammer to crack a very tiny nut.

Either way, they are sending a relatively high percentage of junk onto the internet and the majority of people do not care to receive messages from them.
The majority of people do not care to receive messages from Gmail, Hotmail, etc? Get real.

Share this post


Link to post
Share on other sites
There is absolutely NO reason for a server to be sending email to an address that has never been used for any reason but being hidden on a web page someplace.  Either gmail allows spammers to use their service in a high enough percentage to be blocked, or they don't.  The other possibility is that gmail is bouncing non-deliverable messages to the forged email addresses in messages which happen to be spamtraps.
Steven, I completely agree that there is no reason for a human being to be sending email to a spamtrap address. However, the fact that it's happening (whether maliciously or not) has massive consequences in this case.

Blocking (or tagging) all Gmail, or Hotmail, or AOL, etc, messages as "spam" - simply because one miscreant has sent an email to a spamtrap - is using a very big sledgehammer to crack a very tiny nut.

33743[/snapback]

...It's the best tool we victims have. And it's the most likely to do some good. And it's temporary (provided the ISP or MSP actually takes action to stop the spew). There are massive consequences to a lack of action -- continued wholesale abuse of the internet and victims' inboxes, including the time and expense of storage, network use and end-user handling.
Either way, they are sending a relatively high percentage of junk onto the internet and the majority of people do not care to receive messages from them.
The majority of people do not care to receive messages from Gmail, Hotmail, etc? Get real.

33743[/snapback]

...That isn't what StevenUnderwood was saying. He was saying that most people don't want to receive spam or misdirected bounces from them.

Share this post


Link to post
Share on other sites
Steven, I completely agree that there is no reason for a human being to be sending email to a spamtrap address. However, the fact that it's happening (whether maliciously or not) has massive consequences in this case.

33743[/snapback]

All the more reason for gmail's administrators to take care of the problem.

Blocking (or tagging) all Gmail, or Hotmail, or AOL, etc, messages as "spam" - simply because one miscreant has sent an email to a spamtrap - is using a very big sledgehammer to crack a very tiny nut.

33743[/snapback]

Again, due to the volumes of mail processed (spamcop uses a ratio) there is probably more than one "miscreant". It is enough so that a significant percentage of email coming from that IP address is spam.

The majority of people do not care to receive messages from Gmail, Hotmail, etc? Get real.

33743[/snapback]

The majority of people do not want to receive spam regardless of where it comes from.

Plain and simple, it is the sender's responsibility to get their message through. There are plenty of other services you could use. The majority of servers in the world that have managed to stay off the blocklists. Big services will get blocked from time to time but spamcop minimizes that time by using the ratio of good/bad email sent. Spamcop also automatically removes servers when reports stop coming in.

Share this post


Link to post
Share on other sites
...

There is absolutely NO reason for a server to be sending email to an address that has never been used for any reason but being hidden on a web page someplace...

33706[/snapback]

One possible reason to send email to spamtraps is to generate SpamCop listings. One possible reason to generate SpamCop listings is to cause the blocking of legitimate email and indirectly cause email providers to stop using SCBL.

You seem to believe that spamtrap addresses used by SpamCop are unknown to anyone but spamcop. However there are easy ways to extract those from mailing lists, because SpamCop responds to email sent to them by creating SCBL listings that spammers can access. It is not too difficult to take a mailing list and extract from it a sublist of addresses that have high probability of generating SCBL listing. At least it's not too difficult if you have access to a botnet of a few thousand compromised PCs that can relay email for you from different IP addresses and a list of a few million addresses scraped off the net that you can purchase for a reasonable price on the web.

Anyway, I've seen evidence that spammers have some knowledge of spamcop spamtraps. This post made early this year on emaildiscussions shows a SpamCop spam source report with an unreasonable percentage of spamtrap vs. user reports on one IP address compared to another.

-- spam SOURCE REPORT --
IP Address     Start/Duration Trap User Mole Simp Additional comments
    66.111.4.27  Jan 12 19h/0    0   11    1    0 
    66.111.4.25  Jan 10 15h/0    0    1    0    0 
    66.111.4.26  Jan 17 17h/4  210   13    1    0  

There is no way that this "just happened". You don't have to be a statistician to see that this cannot be explained by chance. But anyway I did make a statistical comparison using this online chi-square calculator and the result is

Trap vs. User comparison

        Trap  User  Total
IP 1       0    11     11
IP 2     210    13    223
Total    210    24    234

Degrees of freedom: 1
Chi-square = 100.997757847534
p is less than or equal to 0.001.
The distribution is significant. 

This means that the probability of getting this unusual ratio of spamtrap vs. user reports without any real cause is less than one in a thousand.

It looks like someone made the effort and got a list of spamcop "secret addresses" and spammed them. If spamtraps are not discarded weekly and replaced by new spamtraps they cannot be considered "secret" and cannot be used to reliably estimate the volume of spam sent to real people. Not if SpamCop responds to them by listing IP addresses.

Share this post


Link to post
Share on other sites
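The trap-versus-user comparison from the post above, reproduced as an added example that is not part of the original thread. It parses the quoted source report and recomputes the chi-square statistic, and goes one step beyond the post by also running Fisher's exact test, because one expected cell count in this table is about 1.1, well under the usual minimum of 5 for the chi-square approximation. The function names are this example's own.

```python
from math import comb

# The three data rows of the "spam SOURCE REPORT" quoted in the post.
REPORT = """\
    66.111.4.27  Jan 12 19h/0    0   11    1    0
    66.111.4.25  Jan 10 15h/0    0    1    0    0
    66.111.4.26  Jan 17 17h/4  210   13    1    0
"""


def parse_report(text):
    """Return {ip: (trap, user)}; columns are IP, month, day, start/duration, Trap, User, ..."""
    counts = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[4].isdigit() and f[5].isdigit():
            counts[f[0]] = (int(f[4]), int(f[5]))
    return counts


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square, no continuity correction, for the table [[a, b], [c, d]]."""
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    if denom == 0:
        raise ValueError("a row or column total is zero")
    return (a + b + c + d) * (a * d - b * c) ** 2 / denom


def min_expected(a, b, c, d):
    """Smallest expected cell count under independence."""
    n = a + b + c + d
    return min(r * k / n for r in (a + b, c + d) for k in (a + c, b + d))


def fisher_exact_2x2(a, b, c, d):
    """Two-sided Fisher exact p-value: total probability of all tables with
    the same margins that are no more likely than the observed one."""
    r1, r2, c1 = a + b, c + d, a + c
    total = comb(r1 + r2, c1)

    def prob(x):  # x is the top-left cell
        return comb(r1, x) * comb(r2, c1 - x) / total

    observed = prob(a)
    lo, hi = max(0, c1 - r2), min(r1, c1)
    return sum(p for p in map(prob, range(lo, hi + 1)) if p <= observed * (1 + 1e-9))


def compare(counts, ip_a, ip_b):
    """Compare the trap/user split of two reported IP addresses."""
    cells = counts[ip_a] + counts[ip_b]
    return {
        "chi_square": chi_square_2x2(*cells),
        "min_expected": min_expected(*cells),
        "fisher_p": fisher_exact_2x2(*cells),
    }


if __name__ == "__main__":
    result = compare(parse_report(REPORT), "66.111.4.27", "66.111.4.26")
    for name, value in result.items():
        print(f"{name}: {value:.6g}")
```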
One possible reason to send email to spamtraps is to generate SpamCop listings. One possible reason to generate SpamCop listings is to cause the blocking of legitimate email and indirectly cause email providers to stop using SCBL.

33765[/snapback]

Except that if gmail's servers properly identified the source it received the message from, their servers would not be reported. This is a very old discussion and gmail seems not to care about being listed. Take that as you may.

Posts by the deputies have indicated that spamtraps are retired as the need arises. However, it has also been stated that simply because a spamtrap is receiving lots of messages is NOT a reason to retire it. The address has still never requested any email so is showing weaknesses in other systems which allow spam to be sent.

Share this post


Link to post
Share on other sites
Except that if gmail's servers properly identified the source it received the message from, their servers would not be reported....

33768[/snapback]

... and then they won't have any urgent reason to deal with any abusers of their system. So everybody's happy, except for those receiving the spam...

Posts by the deputies have indicated that spamtraps are retired as the need arises.  However, it has also been stated that simply because a spamtrap is receiving lots of messages is NOT a reason to retire it.  The address has still never requested any email so is showing weaknesses in other systems which allow spam to be sent.

33768[/snapback]

But once a list of spamtraps is compiled, using it doesn't show any weakness in any other system. Any email system that allows signups using credit cards can be used to send a few hundred messages before being blocked. Spam can only be recognized after it has been sent, and spammers look like any other email user before they start spamming. Being able to send a few hundred copies of a message before being stopped shows nothing about the ability to send tens of thousands or millions of messages.

Share this post


Link to post
Share on other sites

In addition to StevenUnderwood's last (and actually an undocumented item in a number of other posts) is the simple matter of the math involved. Folks wanting to go with the "thousands" of users impacted need to also go take a look at the FAQ entry What is on the list? and try to do some of their own math. The repeated phrase in here of "just one user sending an e-mail to a spamtrap causing a listing" is absurd.

That I've also included in this Discussion my attempted dialog with someone at Google's GMail (and there are others that tried the same thing) simply seems to have been ignored by the recent postings. The problem has been identified, Google folks know about it, nothing has been done ... spam continues to leave those servers ... the SpamCopDNSBL works as advertised and ISPs still use it to actually block incoming traffic ...

Contemplating simply closing this Topic down .. until/unless GMail techs get around to actually fixing their tools.

Share this post


Link to post
Share on other sites
Except that if gmail's servers properly identified the source it received the message from, their servers would not be reported....

33768[/snapback]

... and then they won't have any urgent reason to deal with any abusers of their system. So everybody's happy, except for those receiving the spam...

33769[/snapback]

Not really. The actual sending IP would be the one getting listed instead of the intermediate IP. The main difference would be the reduction of legitimate mail being affected.

Share this post


Link to post
Share on other sites
... and then they won't have any urgent reason to deal with any abusers of their system. So everybody's happy, except for those receiving the spam...

33769[/snapback]

Not really. The actual sending IP would be the one getting listed instead of the intermediate IP. The main difference would be the reduction of legitimate mail being affected.

33772[/snapback]

Not the sending IP. The IP of a machine that runs an interface controlling the machine that sends the message. In webmail the user's machine is only an I/O device that controls an MUA running on a different machine (on the web server). Those services recording the web session in a "Received" header as if it was a transmission of an email message are just not following RFCs. SpamCop's logic would require that if I telnet a UNIX host and send mail by using the "mail" command in a UNIX shell like I did in the good old days before spam then a "Received" header should be added recording the IP address of the telnet client. What's the difference between controlling an MUA using telnet or using http as the communications protocol that sends instructions to the MUA?

The main difference between recording the IP address of the control mechanism and not recording it is not the reduction in legitimate mail blocked, but the reduction of the blocking of all mail, because that way the IP addresses getting listed don't run any kind of software that transmits email. What you are saying is that the way to avoid legitimate email being blocked using SCBL is to fool spamcop by providing an IP address of a machine that does not transmit email.

There are two sides to blocking legitimate email: the recipient loses the email too. And the main difference is that the recipient has no idea what email is not received. If the recipient is a business it means lost business. If the recipient needs info it means they'll have to live without that info. If they expect a job offer they'll have to find another job. So I guess Gmail counts on those recipients that need to have their incoming email to make their mail service stop blocking them.

Edit: 2005/10/06 01:03 EDT -0400 Jeff G. fixed the quoting.

Edit: lots of typos...

Edited by hadaso

Share this post


Link to post
Share on other sites
... and then they won't have any urgent reason to deal with any abusers of their system. So everybody's happy, except for those receiving the spam...
Not really. The actual sending IP would be the one getting listed instead of the intermediate IP. The main difference would be the reduction of legitimate mail being affected.

33772[/snapback]

Not the sending IP. The IP of a machine that runs an interface controlling the machine that sends the message. In webmail the user's machine is only an I/O device that controls an MUA running on a different machine (on the web server). Those services recording the web session in a "Received" header as if it was a transmission of an email message are just not following RFCs. SpamCop's logic would require that if I telnet a UNIX host and send mail by using the "mail" command in a UNIX shell like I did in the good old days before spam then a "Received" header should be added recording the IP address of the telnet client.

The main difference between recording the IP address of the control mechanism and not recording it is not the reduction in legitimate mail blocked, but the reduction of the blocking of all mail, because that way the IP addresses getting listed don't run any kind of software that transmits email. What you are saying is that the way to avoid legitimate email being blocked using SCBL is to fool spamcop by providing an IP address of a machine that does not transmit email.

33777[/snapback]

...Not sure I agree with what you are saying (it's GMail's server being listed that is the topic of this thread, isn't it?) but even if what you posit were true, the spam source is identified and, thus, SpamCop's goal is achieved. Whether you or I would prefer that a different IP address be identified is irrelevant (that's not to say that you should not have raised this as a potential problem -- I'm happy you did).
There are two sides to blocking legitimate email: the recipient loses the email too. And the main difference is that the recipient has no idea what email is not received.

33777[/snapback]

...This does not necessarily follow. See user noone_here's contribution in thread "Solomon Islands" (and there are others just like it).
If the recipient is a business it means lost business. If the recipient needs info it means they'll have to live without that info. If they expect a job offer they'll have to find another job.

<snip>

33777[/snapback]

...Forgive me if I don't shed too many tears over this. The fact of the matter is that e-mail is not (yet) a guaranteed delivery mechanism. Bits get lost, servers fail, backhoes accidentally cut lines. Relying on e-mail as the only form of communication is very nearly a guarantee of failure.

Share this post


Link to post
Share on other sites

Right, I'm getting bored of this. Would someone please tell me...

1. What should I, and other Gmail users, be telling Gmail to do?

2. Is there an email address that would be best to inform Gmail what to do?

There, that can't be that difficult, can it?

Share this post


Link to post
Share on other sites
Right, I'm getting bored of this. Would someone please tell me...

1. What should I, and other Gmail users, be telling Gmail to do?

33796[/snapback]

...Do a better job enforcing their Program Policies (http://www.google.com/mail/help/program_policies.html) against spam.
2. Is there an email address that would be best to inform Gmail what to do?

<snip>

33796[/snapback]

...Not that I can see on the GMail web site but there is Google Accounts Help "Contact Us" page.

...Good luck!

Share this post


Link to post
Share on other sites
1. What should I, and other Gmail users, be telling Gmail to do?

There, that can't be that difficult, can it?

33796[/snapback]

Can only yet again point out that there is included dialog here from previous 'conversations' with the GMail folks. Problem is defined, solution is "we'll have our engineers look at it" ... the problem still remains the same.

Share this post


Link to post
Share on other sites

Neither of the two answers actually answers the question I'm asking.

If a number of Gmail users politely ask Google to fix whatever is wrong, and give clear and succinct instructions on how to do so, then they are more likely to fix it. Asking them to sarcastically follow their program policies is immature and stupid, so I'll not be doing that: and, working for a new media operation myself, I know what my to-do list is like, and also know how to politely get Google to move something up the list a little.

Now, if you don't wish to help, that's fine, just say you don't wish to help. Of course, you may all be happy that SpamCop is currently having the effect of screwing up Gmail users' emails; that's also fairly clear from some of the replies here. That's well and good too. Otherwise, let's have a serious answer, so we can get Gmail to take this problem seriously.

Might I remind you all that the primary mode of support here is peer-to-peer, meaning users helping other users. A little mature help, in this case, won't go amiss; and there's precious little of that going on in this tawdry discussion.

Share this post


Link to post
Share on other sites
<snip>

If a number of Gmail users politely ask Google to fix whatever is wrong, and give clear and succinct instructions on how to do so, then they are more likely to fix it. Asking them to sarcastically follow their program policies is immature and stupid, so I'll not be doing that:

<snip>

34161[/snapback]

...No one said you had to be sarcastic. The fact is, they do not seem, from this side of the table, to be sufficiently enforcing their own anti-spam policies. Were I a GMail admin, I would consider a polite request to do a more effective job in this regard (especially by more than one of my users) to be appropriate. But of course you may feel free to disregard my advice - I'm certainly no expert in the area of "telling Gmail [what] to do."
A little mature help, in this case, won't go amiss; and there's precious little of that going on in this tawdry discussion.

34161[/snapback]

...That's your opinion and you are certainly entitled to it but I feel that I am equally entitled to disagree with you. I believe the replies to you here have been sufficiently "mature."

Share this post


Link to post
Share on other sites
If a number of Gmail users politely ask Google to fix whatever is wrong, and give clear and succinct instructions on how to do so, then they are more likely to fix it.

34161[/snapback]

Not sure I'm reading the same discussion here .. for example, Linear posts 30, 41, 51, 69 .. for starters ....???? sarcasm? multiple users? repeated queries? same answers and yet no action taken to resolve the source of the problem? Hard to figure where your "lack of answers" stems from if one is to believe one actually read the data already provided 'here' ....

Share this post


Link to post
Share on other sites
Otherwise, let's have a serious answer, so we can get Gmail to take this problem seriously.

34161[/snapback]

They have been contacted multiple times (see this entire 8 page thread for examples).

Solutions have even been suggested to them to include the IP of the machine inserting the spam into the stream. That resulted in a response back in April of:

Thanks for your report. We are aware of this problem, and our engineers are working diligently to find a solution.
Yet still the problems continue....The ball is already in their court, they decided to drop that ball.

Share this post


Link to post
Share on other sites
Are any of the Gmail servers still listed by the SCBL?  If so, please post a Tracking URL, Header, and/or Bounce (excluding actual spam body and confidential info).  The first few offers of PM or Email with the confidential info will be accepted, too. :)

Thanks!

30436[/snapback]

I repeat my request above from Linear Post #82. Once I have some evidence in hand, I will be happy to help feed it back to Gmail's support personnel so that they can better understand the problem. If the evidence doesn't include a bounce, offers of email addresses that bounce mail from SCBL-listed mailservers and don't mind test emails would be helpful (assuming the entire server farm isn't listed).

Share this post


Link to post
Share on other sites

I still need some actual evidence with which to browbeat Gmail's admins (in addition to that fine FAQ Entry (thanks to Wazoo for bringing it to my attention)). If I don't get any evidence in the next 24 hours, I'll advocate considering this issue closed. PM is ok in this case for the paranoid, with the understanding that I will be sending the evidence to Gmail's admins.

Share this post


Link to post
Share on other sites

As a part of the evidence gathering process, could any of you (or your associates) who actually block based on the SCBL give me permission to send some test messages from Gmail's webmail interface in order to try and produce some evidence? Or you can do the testing yourself and just send me the results. Thanks! :)

Share this post


Link to post
Share on other sites
If I don't get any evidence in the next 24 hours, I'll advocate considering this issue closed.

34384[/snapback]

True to my word, having received no evidence in the past 24 hours, I now advocate considering this issue closed and resolved. I'll leave it up to my fellow Moderators to do the dirty work or convince me to change my position.

Share this post


Link to post
Share on other sites

Today I received the following error message while trying to send a message to an online store regarding my order with them:

TEMP_FAILURE: SMTP Error (state 8): 550 5.7.1 This system is configured to reject mail from xproxy.gmail.com (Host blacklisted in bl.spamcop.net)

I couldn't believe my eyes. Would a filtering organization actually blacklist the most important webmail provider in past years? Would a store operator actually use something as damaging and crude as a blacklist if their business relies on customer communication? It seems so.

Was this in error? I can't see any other explanation, but maybe someone could enlighten me?

(As a final touch of irony, gmail's spam filtering sent the SpamCop registration email straight to the spam folder, the first misidentified message I've had in months of using gmail)

Share this post


Link to post
Share on other sites
