
Little or no help from SpamCop


mp9


We had a few of our emails bounced because of SpamCop blacklists. We use best of breed mechanisms to ensure our domain is not an open relay and that it takes care of unsolicited mail and spam. So it was shocking to see one of our servers in the RBL. No other spam list had it and none of our other servers was blocked. We did not receive any warning from SpamCop or anyone else. You would agree we were both shocked and amazed! The small message which we were referred to, about 'misdirected bounces', was very vague and did not quite point out what the problem could be. To complicate matters, we got very little help from SpamCop. 24 hours after the incident, we had been de-listed but there was no response from SpamCop about what was wrong!

I feel that, for a service which acts as an Internet Mail Cop and is subscribed to by a good customer-base, the help posted on the website is really bad!! To say that they get too much email is a ridiculous excuse - it's like 911 saying they get too many phone calls! I have a few questions to ask-

1. Why does SpamCop not provide a quick and easy way to find out what someone can do to solve the problem that could have caused their listing? How does someone ensure that they will not be listed again?

2. Why does not SpamCop issue a warning or notification prior to a block?

3. The moderator - Jeff understands the need for a sample email for troubleshooting. Then, why doesn't SpamCop list the email that caused someone to be reported? Or at least provide some means of quickly getting hold of a report that explains what caused the listing in technical terms?

4. How can someone trace back the listing to a email/ report/ trap that was filed or generated?

5. How does someone know that SpamCop is not being used by a malicious person?

I am posting in this forum as a last hope to find out why our server was listed. Can someone respond?

Link to comment
Share on other sites

1. Why does SpamCop not provide a quick and easy way to find out what someone can do to solve the problem that could have caused their listing? How does someone ensure that they will not be listed again?

2. Why does not SpamCop issue a warning or notification prior to a block?

3. The moderator - Jeff understands the need for a sample email for troubleshooting. Then, why doesn't SpamCop list the email that caused someone to be reported? Or at least provide some means of quickly getting hold of a report that explains what caused the listing in technical terms?

4. How can someone trace back the listing to a email/ report/ trap that was filed or generated?

5. How does someone know that SpamCop is not being used by a malicious person?

I am posting in this forum as a last hope to find out why our server was listed. Can someone respond?

1. Because there are as many answers to that question as there are software titles, software versions, and options in those packages. You have provided no information to give you specifics.

2. Spamcop does not block. If you get a standard report from a spamcop user, and you are the owner of the IP address in question, and you have not turned off receiving the messages or had them bounce, you will receive a message. You have provided no information to give you specifics.

3a. Spammers used the open information that used to be here to "work the system". If there are regular reports, you will receive the reports or you can use an ISP account (free) to get some information.

3b. Spammers used the regular reports to whitelist reporters and sometimes to attack them. Therefore, mole reports were created to protect those that felt the need. These give you (if you ask) summary reports of how many reports have been received for your IP addresses, but no additional information. If you have enough reports from users (regular and mole) to be listed, then generally, there is enough spam coming from your machine that it should not be difficult to locate.

3c. Spamtraps are special addresses never used to send any mail, so if they receive it, it is, by definition, spam. Those addresses are protected very carefully, because if they become known, they are then useless. If you are sending messages to spamtrap addresses, either you are using a list which has scraped the web for email addresses (and you are spamming) or your server is sending automatic replies (Out of Office, non-deliverable, auto-response, etc.) to the forged email address in a message that happens to be one of these addresses. To solve this, you simply stop sending emails to the forged addresses by simply rejecting the non-deliverables during the SMTP transaction and turning off the other options, OR filtering out all spam before they get to the auto-reply stage.

4. Spamcop listings are based on a mathematical formula, not by any single report. Using reports received and/or an ISP account can get you some information. You have provided no information to give you specifics.

5. Spamcop listings are based on a mathematical formula, not by any single report. That formula is based on spam being a significant percentage of the valid email coming from any specific IP address. If a report is found to be malicious, the IP owner can reply to the message and the reporter will be contacted by the deputies. I have been contacted a couple of times, once was a mistake, the other a list I had signed up for a specific software product ~7 years before and I received the email about a different product the company was offering. Deputies can suspend reporting rights of users who break the rules. You have provided no information to give you specifics.

If you want to investigate a problem, you need to provide us some information. Specifically, we need the IP address you are talking about having been listed. Since it appears not to be listed any longer, that answer may only be a best guess unless you contact deputies[at]spamcop.net. That route is likely to take much longer, though. Since this is your first post in the support forums, it is unlikely you asked here for help previously.

How did you ask for help?

Link to comment
Share on other sites

We had a few of our emails bounced because of SpamCop blacklists. We use best of breed mechanisms to ensure our domain is not an open relay and that it takes care of unsolicited mail and spam. So it was shocking to see one of our servers in the RBL. No other spam list had it and none of our other servers was blocked. We did not receive any warning from SpamCop or anyone else. You would agree we were both shocked and amazed! The small message which we were referred to, about 'misdirected bounces', was very vague and did not quite point out what the problem could be. To complicate matters, we got very little help from SpamCop. 24 hours after the incident, we had been de-listed but there was no response from SpamCop about what was wrong!

Open relays are not the only way that spammers use others' computers to send out spam. There are a number of exploits that Exchange servers have if not configured properly. There are open proxies as well as open relays. And there are trojannized computers.

Often the spamcop blocklist acts as an early warning system since it is more aggressive than some other lists. It is used by the spamcop email service to tag rather than block spam because of its aggressiveness, but some ISPs who use it prefer to use it to reject email from IP addresses that have made it to the spamcop blocklist.

I don't know who referred you to 'misdirected bounces' but I don't think that the material found on this forum in the FAQ is vague. You might read it.

Basically, there are two kinds of bounces. The first is rejection at the server level before acceptance of the email. That sends a code back to the sending server.

The second kind is RFC compliant, but even AOL is convinced that the advantages are far outweighed by the annoyance and real problems it causes innocent people. That 'bounce' is to accept the email and then send a non-delivery email to the return-path. Since spammers always forge the return path, it does not return to the real sender, but to a completely innocent person. Occasionally some domains receive thousands of these 'misdirected' bounces and it is a real problem. Usually, however it is about the same level as other spam.

Often the forged addresses are spam trap addresses. Since spam traps do not send email, there are no reports to the abuse desk where the bounce came from.

There are other blocklists that do not notify you and have much more complicated removal procedures (spamcop is entirely automatic) and these blocklists also use spam traps in determining what goes on their list.

If you accept email and then send a non-delivery email to the return path, stop it.

Miss Betsy

Link to comment
Share on other sites

All of our psychics are on holiday. Care to offer an IP address or post a rejection message in full? You will then get LOTS of help!

I am posting in this forum as a last hope to find out why our server was listed. Can someone respond?

This is the FIRST port of call for getting help, how did you manage to miss it for so long?

Link to comment
Share on other sites

Folks,

Thank you for the generous replies. At least someone responds!

Let me clarify a few points. My complaint is primarily about getting information on a blocked IP. The relevant details of IP address, blocking domain (SpamCop subscriber) etc were provided to SpamCop about 40 hours ago on their website. I submitted information on the web page 'How can I contact a real person about this?' on the SpamCop FAQ. I provided a return email address - but so far I have had NO reply. That- right there - is my problem. I created an ISP account at the same time but neither the Request Reports section nor Find Reports query were effective. My second option was this forum which yielded some results.

As for posting the email notification, it goes something like this - 'Your message cannot be delivered to the following recipients... Reason: Remote SMTP server has rejected address. Diagnostic code: smtp;550 5.7.1 Email rejected because <IP address> is listed by bl.spamcop.net. Please see http://www.spamcop.net/bl.shtml for more information.' The rest of the message, as anyone knows, merely lists the sender and recipient email addresses and domains. It's a standard rejection notice - and that's all I get! The SpamCop site has the standard explanation on 'misdirected bounces' as the likely cause. We do not use an unpatched email system and auto-replies are usually not sent to mail lists. I am sure something triggered the listing, but what?

I strongly suggest that there should be SOME way to find out report information quickly and reliably.

This is very important because SpamCop is 'aggressive' and counts established business processes like 'Auto-replies' as possible sources of spam. These processes are RFC compliant - which means that SpamCop's judgement is not standards-based even if it is made in good faith. SpamCop not revealing their test methodology is understandable but not revealing their findings is NOT!

Either there should have been detailed explanations of what caused a listing or there should be some mechanism in place to do this. I admit, this is the first time I am encountering such an incident. But I am sure there are lots more like me. I can understand that SpamCop cannot openly post reports for all to see. But surely, there is something to be done? Here's a suggestion - SpamCop maintains a channel with their subscribers listing all report details and a blocked IP owner can contact the subscriber who can then make such a report available. Maybe, a warning system could also be made possible on a B2B basis?

Link to comment
Share on other sites

Well, thanks for posting the message, you removed the single piece of information that we would need to help you. There are a number of people here with good understanding of how spamcop works that can help track down your problem, but without an IP address, we can't offer more than random suggestions.

Link to comment
Share on other sites

The small message which we were referred to, about 'misdirected bounces'

Others have replied to your message and have pointed out that the most important item of information in tracking your problem is the IP address of your mail server which you removed from your follow-up message.

However, if, as you indicate, the more generic explanation you find on the SC website refers to 'misdirected bounces' then it is likely that there will be very little that a general user can tell you. You will need to contact deputies[at]spamcop.net to get definitive answers.

That said, we will be able to give a good guess at the cause. Indeed, I can guess now that one or more of your Email users set up a vacation message auto-response. This will, in turn, have replied to each message received saying 'Sorry I'm away, back soon...' Any spam received will have also received this auto-response.

Now, since most spam has a forged sender address, the replies will have returned to folk who did not send the original message. The forged sender addresses will often include spam-trap addresses which a spammer has harvested and uses indiscriminately. As soon as your user sends auto-responses to spam traps, listing in the SCBL is pretty much guaranteed.

To avoid this type of issue you need to implement a more sophisticated approach to vacation messages etc or, better still, avoid using them altogether.

This FAQ answer may help further: http://www.spamcop.net/fom-serve/cache/329.html

Andrew

Link to comment
Share on other sites

<snip>

We did not receive any warning from SpamCop or anyone else.

<snip>

...In that case, either
  • "You" have not reviewed or do not have access to the incoming e-mail of the registered abuse address that SpamCop has (usually from abuse.net) for the blocked IP address.
  • All the spam that caused your IP to be listed went to SpamTraps

To say that they get too much email is a ridiculous excuse - it's like 911 saying they get too many phone calls!

...And what would you expect to happen if a 911 center were staffed with, say, three people and 1800 calls came in during one day? I think some of those emergency calls would not get handled right away. If that were an ongoing situation, the local authorities would simply raise taxes and hire more 911 operators. SpamCop can't raise our taxes for its benefit and their services are all free, except for the e-mail service, the money for which does not go to SpamCop!

Link to comment
Share on other sites

....This is very important because SpamCop is 'aggressive' and counts established business processes like 'Auto-replies' as possible sources of spam. These processes are RFC compliant - which means that SpamCop's judgement is not standards-based even if it is made in good faith. SpamCop not revealing their test methodology is understandable but not revealing their findings is NOT!

Although they are still RFC compliant, it is accepted, even by AOL, that auto-replies to the return path are as abusive as spam since more spam is 'auto-replied' to and returned to innocent people who did not send the message than any advantage gained by the intent of the original RFC. There are ways to still use 'vacation' notices that only go to legitimate incoming mail.

Either there should have been detailed explanations of what caused a listing or there should be some mechanism in place to do this. I admit, this is the first time I am encountering such an incident. But I am sure there are lots more like me. I can understand that SpamCop cannot openly post reports for all to see. But surely, there is something to be done? Here's a suggestion - SpamCop maintains a channel with their subscribers listing all report details and a blocked IP owner can contact the subscriber who can then make such a report available.

There is a mechanism in place to deal with reports from live people who can answer. The report goes to an abuse address for that IP address and has a distinctive number. The report can be replied to if there has been an error. The reply goes to the reporter.

Unfortunately, in the case of misdirected bounces many of them are directed to spam traps - email addresses that are placed in places deliberately so that spammer spider bots harvest them to use in spam lists. These email addresses never send email (part of the definition of a spam trap) so no reports are sent to the abuse desk.

Since there are frequently posts to this forum complaining that no report was sent, it is reasonable to think that possibly spamcop could figure out a way to notify bl listings from spam trap hits. However, I don't think that other major blocklists ever notify anyone and since removal is entirely automatic (happening whenever spam stops coming from that IP address), the people who run spamcop bl probably think that there really is no need.

Part of the intent of spamcop is to alert server admins to the fact that their system is abusing other users of the internet. spamcop expects server admins who either receive a report or are blocked to find out what the problem is and fix it. spamcop 'official' help is apologetic about the lack of information given from spam trap reports, but there is no alternative since spammers use the information to evade the bl. Again, it seems to me that spamcop expects that server admins will be able to find and fix problems with the information that has been given about misdirected bounces.

If you cannot do so, there are server admins here who will help you find the problem and offer solutions on how to fix it. Just remember asking them is like asking shade mechanics to help you with a mechanical problem - some of them are not trained in customer service, but know everything there is to know about cars or email systems.

Miss Betsy

Link to comment
Share on other sites

Thank you friends and sorry for the late response.

I never listed the IP because my key complaint was about not receiving help from SpamCop when I needed it. Miss Betsy got this point and I found her replies helpful.

I certainly understand that as of today, major BL's do not warn of a possible listing. However, considering the impact a listing can have on business processes, I think, a warning is essential. This could be made possible through the BL subscriber itself, who would be concerned about business processes being affected.

The BL's credibility could also be called into question. I will give an example - we had a brush with a BL located at 'secureserver.net'. Who is this? It's not even listed at DNSStuff. How do I know a BL's credentials unless it provides some means of a feedback and help?

I understand all these BL processes are still evolving and hope this email chain causes some change.

That said, I would appreciate any 'Best Practise' paper or document on configuring Auto-Replies to avoid spam.

Link to comment
Share on other sites

Well, I would start off by suggesting Google, you'll get more information than you ever wanted. But if you're too lazy to research on your own, you could start here as that page offers some very good information on both why they are bad, and what you can do to cut down on the problem.

At my organization, we do use Vacation auto-responders, however, because of the aggressiveness of the spam filtering I have implemented, these account for such a small percentage of the outbound email, that the chance of even a single one being reported is virtually 0.

As far as no-such-user bounces, those are all done during the SMTP transaction with a 550 error. This both saves my bandwidth, since it is rejected after the RCPT TO command, before the server has committed to receiving the body of the email, and it puts the responsibility of generating an NDR on the sending server. If it is junk coming from a zombie, no NDR is generated at all. If it is coming from a legitimate mail server, the NDR is returned to the sender's mailbox regardless of what was used in the "MAIL FROM" portion of the transaction.

This type of rejection opens you up to directory harvest attacks, however, most MTAs support tarpitting which can easily be used to prevent them.

As far as notifications go, spamcop DOES send notifications for all reported spam to the abuse address registered for that IP address. Unfortunately, no notification can be sent for spamtrap hits as spammers could easily use that information to discover the spamtraps and render them useless. If you are not receiving reports (and we would be happy to look at the routing if you provided us a single piece of usable data) then that may be because you have not configured your abuse address as required by RFC2142, or you have not registered it so that spamcop can find it.

Link to comment
Share on other sites
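The contrast described in the post above, rejecting unknown recipients with a 550 at RCPT TO versus accepting and bouncing later, with tarpitting against directory harvesting, as an added example that is not part of any post in this thread. The names `RcptPolicy` and `handle_transaction`, the thresholds and the sample addresses are assumptions made for illustration; delays are returned rather than slept so the logic can be checked offline.

```python
class RcptPolicy:
    """RCPT TO handling: 550 for unknown users, growing delays for guessers."""

    def __init__(self, valid_recipients, free_failures=2, base_delay=2.0,
                 max_delay=30.0, max_failures=6):
        self.valid = {r.lower() for r in valid_recipients}
        self.free_failures = free_failures    # typos tolerated without delay
        self.base_delay = base_delay          # first tarpit delay, in seconds
        self.max_delay = max_delay            # cap on any single delay
        self.max_failures = max_failures      # drop the connection at this count

    def tarpit_delay(self, bad_count):
        # Exponential back-off once the session exceeds the free allowance.
        over = bad_count - self.free_failures
        if over <= 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** (over - 1))

    def on_rcpt(self, session, rcpt):
        """Return (smtp_code, text, delay_seconds, close_connection)."""
        if rcpt.lower() in self.valid:
            return (250, "2.1.5 Ok", self.tarpit_delay(session["bad"]), False)
        session["bad"] += 1
        delay = self.tarpit_delay(session["bad"])
        if session["bad"] >= self.max_failures:
            return (421, "4.7.0 Too many invalid recipients", delay, True)
        return (550, "5.1.1 User unknown", delay, False)


def handle_transaction(policy, mail_from, rcpts, reject_at_rcpt=True):
    """Walk one SMTP session and record replies and any NDRs we would emit."""
    session = {"bad": 0}
    result = {"replies": [], "delays": [], "ndr_sent_to": []}
    for rcpt in rcpts:
        if reject_at_rcpt:
            code, _text, delay, close = policy.on_rcpt(session, rcpt)
        else:
            # Accept-then-bounce: everything gets 250, and this server later
            # mails a non-delivery report to the (possibly forged) MAIL FROM.
            code, delay, close = 250, 0.0, False
            if rcpt.lower() not in policy.valid and mail_from:
                result["ndr_sent_to"].append(mail_from)
        result["replies"].append(code)
        result["delays"].append(delay)
        if close:
            break
    return result


if __name__ == "__main__":
    # Constructed sample data: one real mailbox, one forged envelope sender.
    policy = RcptPolicy({"alice@example.com"})
    forged = "trap@forged.example"
    print(handle_transaction(policy, forged, ["nobody@example.com"], False))
    print(handle_transaction(policy, forged, ["nobody@example.com"], True))
    guesses = ["guess%d@example.com" % i for i in range(8)]
    print(handle_transaction(policy, forged, guesses, True))
```

With rejection at RCPT TO, `ndr_sent_to` stays empty because the receiving server never generates mail of its own; any non-delivery report is the connecting server's job.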

Thank you friends and sorry for the late response.

I never listed the IP because my key complaint was about not receiving help from SpamCop when I needed it. Miss Betsy got this point and I found her replies helpful.

I certainly understand that as of today, major BL's do not warn of a possible listing. However, considering the impact a listing can have on business processes, I think, a warning is essential. This could be made possible through the BL subscriber itself, who would be concerned about business processes being affected.

The BL's credibility could also be called into question. I will give an example - we had a brush with a BL located at 'secureserver.net'. Who is this? It's not even listed at DNSStuff. How do I know a BL's credentials unless it provides some means of a feedback and help?

I understand all these BL processes are still evolving and hope this email chain causes some change.

That said, I would appreciate any 'Best Practise' paper or document on configuring Auto-Replies to avoid spam.

It won't cause any change. SpamCop is working perfectly. Help is available here but only if we know the IP!

As to the BL's 'credibility', if it didn't work properly people wouldn't use it: after all, it's a completely free service. If your IP was listed it was for a very good reason. Unless you tell us the IP we can't even begin to tell you what that reason might be!

Care to offer up the IP so you can get some real help?

Link to comment
Share on other sites

I would appreciate any 'Best Practise' paper or document on configuring Auto-Replies to avoid spam.

There is no proper way to configure Auto-Replies unless you can be sure they are from a valid email source. As you already know, spammers use invalid "reply-to" or "from" addresses and Auto-Replies send the email back to one of these addresses, so in effect you are just relaying spam back to someone who never sent the junk to begin with. Why would you insist on aiding the spammers by using Auto-Replies?

Link to comment
Share on other sites

Spamcop often serves as an early warning system for admins who have problems because it does send reports from subscribers. (spam traps do not send reports because they are email addresses that are never used)

The blocklists that people use are ones that are reliable in stopping spam. Spamcop is rather aggressive and many admins only use as part of a total points count. Since spam (and the backscatter from spam) is 95% of email now, more and more admins are going to start using blocklists. The only way to keep from being listed on the ones that are trusted (and I am not sure how you discover how they are trusted) is to use best practices. There are many, many private blocklists that are not even shown on lists of bls. Usually they never receive legitimate email from those IP addresses so probably it doesn't matter until you try to send a legitimate email to them. If you are now spam-free, there should be no problem in getting yourself unlisted. If not, then you will have to find another way to email them. (some of the web hosting companies who didn't care in the beginning and got listed on too many lists will switch subscribers to a spamless server upon request).

The only way to use auto replies is to make sure that you are not replying to a spam. Having a really good filtering system or a whitelist for auto replies to legitimate correspondents would seem to me the only way to be able to use auto replies. Probably it is better not to use them at all. You could forward email from the mailbox of the one who is out of the office to someone who can answer them. You could also email everyone who might email you that you would want to know that you were not there and tell them you will be unavailable for a period of time. Many businesses tag incoming mail so they don't miss anything. It will just be a business expense for you to look through all the tagged mail to see if there is a legitimate email there while you are away. It probably is much less expensive to you than it is to the recipients of the forged email that you have responded to. The bottom line is who has to pay for it. If the recipients of your auto replies have no interest in what you are offering, then they definitely see no problem in blocking your auto replies to save them money.

Miss Betsy

Link to comment
Share on other sites
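One way to apply the advice in the replies above, sending vacation notices only to legitimate correspondents and never to forged or automated senders, as an added example that is not part of any post in this thread. The class `AutoReplyPolicy`, its reason strings, the role-address list and the sample messages are assumptions; the header checks follow the recommendations of RFC 3834 for automatic responders.

```python
import email
import time
from email.utils import getaddresses

# Assumed list of local parts that indicate an automated sender.
AUTOMATED_LOCALPARTS = ("mailer-daemon", "postmaster", "noreply", "no-reply", "bounce")
LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post", "List-Help")

# Constructed sample messages (not taken from the thread).
GENUINE = "From: alice@example.org\nTo: me@example.com\nSubject: Quote\n\nHello"
FORGED = "From: trap@forged.example\nTo: me@example.com\nSubject: Offer\n\nBuy now"
LIST_MAIL = ("From: alice@example.org\nTo: me@example.com\n"
             "List-Id: <news.example.org>\nSubject: Digest\n\nItems")


class AutoReplyPolicy:
    """Decide whether a vacation notice may be sent for one inbound message."""

    def __init__(self, my_addresses, known_correspondents, min_interval=7 * 86400):
        self.mine = {a.lower() for a in my_addresses}
        self.known = {a.lower() for a in known_correspondents}  # whitelist
        self.min_interval = min_interval   # at most one notice per sender per week
        self.last_notice = {}              # sender -> time of last notice

    def decide(self, raw_message, envelope_sender, spam_tagged=False, now=None):
        """Return (send_reply, reason). envelope_sender is the SMTP MAIL FROM."""
        now = time.time() if now is None else now
        msg = email.message_from_string(raw_message)
        sender = envelope_sender.strip().strip("<>").lower()

        if not sender:
            return False, "null return-path"        # bounces and auto-generated mail
        if spam_tagged:
            return False, "spam-tagged"             # verdict of the inbound filter
        if sender.split("@")[0].startswith(AUTOMATED_LOCALPARTS):
            return False, "automated sender"
        auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
        if auto != "no":
            return False, "auto-submitted"          # never answer another robot
        if (msg.get("Precedence") or "").strip().lower() in ("bulk", "junk", "list"):
            return False, "bulk precedence"
        if any(h in msg for h in LIST_HEADERS):
            return False, "mailing list"
        to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
        if not ({addr.lower() for _, addr in getaddresses(to_cc)} & self.mine):
            return False, "not addressed to me"     # Bcc'd or list-expanded mail
        if sender not in self.known:
            return False, "unknown correspondent"   # forged senders land here
        if now - self.last_notice.get(sender, float("-inf")) < self.min_interval:
            return False, "already notified"
        self.last_notice[sender] = now
        return True, "ok"


if __name__ == "__main__":
    policy = AutoReplyPolicy(["me@example.com"], ["alice@example.org"])
    print(policy.decide(GENUINE, "<alice@example.org>"))
    print(policy.decide(FORGED, "<trap@forged.example>"))
    print(policy.decide(LIST_MAIL, "<alice@example.org>"))
```

A notice that does go out should itself carry `Auto-Submitted: auto-replied`, so that other responders apply the same check and do not answer it.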

Archived

This topic is now archived and is closed to further replies.
