Per G

Additional info wanted on spam trap reports


I have yet to receive a real complaint against real UCE spam sent out by a customer of ours.

I have however seen many complaints (both SC and otherwise) as a result of many other much more 'innocent' things. The worst culprit by far is auto-responders that despite them being severely filtered in their input (they rarely get spam to respond to) sometimes do respond to spam, which includes some appearing to be sent from what turns out to be SC spamtraps.

First of all, SC's advice about getting rid of auto-responders just doesn't help. In a commercial setting with many separate customers and email much more central than webpages, there's no way to do without them. Sure, the stupid "We have received your mail and will respond ASAP" can be easily skipped, but those informing customers of vacations and other absences cannot. Despite a consistent use of a generic support address our customers often write personal mails instead of support mails, and they just don't get that people sometimes aren't there. We've lost major customers because support mails written personally went unanswered. Thus the auto-responders.

Now, while spamtraps generally are a good idea (heck, I even run one myself), bounces and auto-responses often land there due to the ever-present faking of sender email in all spam. Now, when one hits SC's spamtrap, things get interesting because a lot of people use SC as a front line blocking system (as RBLs originally were used, as opposed to scoring in a SpamAssassin-like setting), and mails start bouncing.

Some spammers switch their sending email all the time, rarely resulting in more than one hit on SC's spamtraps, while others still run a joe-job like scheme resulting in thousands of bounces (and auto-responses) hitting a single innocent victim - or a spamtrap.

In order to fix things we (the ISPs) need info on the violations. We need to know something about what hit the spamtrap. IPs and headers would be nice, just like in regular reports. Feel free to remove any info identifying the trap if that's an issue, but it would be nice to be able to (for instance) identify a non-filtered auto-responder, a new mailserver still configured to send bounces etc.

With no information and about 3,000 possible servers to examine, it's impossible for me to actually do something about a SC spamtrap hit, and that's what this place is really about, isn't it? - to make people/ISPs act to fix whatever broken system that caused the SC response. The generic solution of just getting rid of auto-responders often isn't possible, both due to customer demand and due to them being hard to find.

Oh yeah, I should mention that the reason we cannot identify a specific server from the listed IP is that we run a gateway (actually a small cluster) that filters outgoing mail. Individual servers cannot send mail outside our firewalls; they have to smart-host it through the gateway.


Been there, done that, buried the T-shirt ....

All data was once upon a time available. Spammers took advantage of that fact and gamed the system.

These spammer actions are what led things to where they are now. I note that you didn't offer any thanks to the spammers for all their help in these matters.


First of all, SC's advice about getting rid of auto-responders just doesn't help. In a commercial setting with many separate customers and email much more central than webpages, there's no way to do without them. Sure, the stupid "We have received your mail and will respond ASAP" can be easily skipped, but those informing customers of vacations and other absences cannot. Despite a consistent use of a generic support address our customers often write personal mails instead of support mails, and they just don't get that people sometimes aren't there. We've lost major customers because support mails written personally went unanswered. Thus the auto-responders.

It should be your job as the ISP to inform your customers about the dangers of auto-responders. Auto responders can be used fairly safely IF you are filtering out the majority of the spam before it reaches those triggers. It is the real people you want to respond to, not the spam.

Sure, the stupid "We have received your mail and will respond ASAP" can be easily skipped, but those informing customers of vacations and other absences cannot. Despite a consistent use of a generic support address our customers often write personal mails instead of support mails, and they just don't get that people sometimes aren't there. We've lost major customers because support mails written personally went unanswered.

There are also whitelists for major customers - or you forward to another person who sends a reply.

Spammers have made it more difficult for everyone and raised the cost of doing business on the internet in a number of ways.

If average users were aware of the problems (like your customers who don't get it that people go on vacation - what would they do if a snail mail weren't answered?), they might contribute to the solution rather than be a part of the problem.

You might put on your website or in your initial contact with the customer a short explanation of the problems with auto responses so that they don't expect email to always be 'instant' and contribute to the solution rather than shrug your shoulders and allow thousands more people to deal with the problem when a spammer chooses an out of office address.

Oh yeah, I should mention that the reason we cannot identify a specific server from the listed IP is that we run a gateway (actually a small cluster) that filters outgoing mail. Individual servers cannot send mail outside our firewalls; they have to smart-host it through the gateway.

I am not a server admin, but other admins apparently have figured out how to handle the situation. It seems obvious to me that if you filter outgoing email, you could filter outgoing auto responses and eliminate those that are responding to spam - particularly if there were a lot of them.

It may not be easy and it may cost money in additional hardware, but doing business has its expenses, like the merchant fees for credit cards (and I am old enough to remember merchants complaining about that when credit cards first became popular).

Saying you can't do something in this forum won't get you any sympathy since the ones here who are server admins manage to do it. However, they are glad to assist you in finding a solution if you want to find one.

Miss Betsy


There are also whitelists for major customers - or you forward to another person who sends a reply.

Wouldn't work because all personal mail would be forwarded. Basically the same solution as having someone else simply check your mailbox for important mails. Reading other peoples personal mail is actually illegal in many places.

If average users were aware of the problems (like your customers who don't get it that people go on vacation - what would they do if a snail mail weren't answered?), they might contribute to the solution rather than be a part of the problem.

Unfortunately many customers have a notion that they're the only customer and that everybody personally is working 24/7 without breaks, sleep etc. - yes, I've awoken to a mailbox featuring a series of mails from the same customer that starts out with a support request and, 15 mails and 4 hours later, ends with threats about lawsuits etc.

You might put on your website or in your initial contact with the customer a short explanation of the problems with auto responses so that they don't expect email to always be 'instant' and contribute to the solution rather than shrug your shoulders and allow thousands more people to deal with the problem when a spammer chooses an out of office address.

Now, one thing is our own website - we could easily put it there, but we're also a hosting business and we have many customers with their own servers and websites and it's hard to explain to them how they should be doing business. This is the core issue - we are responsible for the connectivity but have zero influence on how our customers do business as long as they don't spam or spamvertise.

I am not a server admin, but other admins apparently have figured out how to handle the situation. It seems obvious to me that if you filter outgoing email, you could filter outgoing auto responses and eliminate those that are responding to spam - particularly if there were a lot of them.

We do filter away spam before *our* auto-responders, and they only very rarely fall prey to responding to spam, but our customers have their own mailservers and thus their own auto-responders. Their responses come out through our gateways and thus it's our gateways that get listed.

The reason we enforce this gateway setup is the virus plague. We need to prevent infected machines (most of which are not under our control - they belong to customers) from drowning each other and the world in emails. Thus the simple idea that machines internally can only reach the gateway on port 25, not each other or the world.

About filtering auto-responses... Trouble is that the response itself does not contain the spam itself. It is simply a response with a unique recipient. No way to tell what it responded to. There are already loop control measures in place to prevent primitive auto-responders from responding to each other in a loop, so any given recipient can only receive one auto-response an hour from any given account. For an extended abusing spam run this still yields 24 auto-responses per 24 hours and thus a SC listing.

Saying you can't do something in this forum won't get you any sympathy since the ones here who are server admins manage to do it. However, they are glad to assist you in finding a solution if you want to find one.

I would love to know how people in the hosting business like us manage this. Setting rules inside the same company is just a matter of deciding them and enforcing them. Doing the same across completely separate and unrelated companies is next to impossible, especially since the so-called dangers of auto-responses just don't seem to strike any form of sympathy. I know that a lot of people just cannot see what harm an auto-response you didn't ask for can do. Only if they're flooding your mailbox is it a problem, but a single one is nothing to get all worked up about.


All data was once upon a time available. Spammers took advantage of that fact and gamed the system.

These spammer actions are what led things to where they are now. I note that you didn't offer any thanks to the spammers for all their help in these matters.

Well, thank you dear spammers... ;)

Seriously, I cannot see how you could abuse the system when all you had available were the internal headers from the spamtrapped mail (and only one for each sending IP). Sure, by carefully comparing logs with the report from the spamtrap you might be able to deduce the domain and/or target email that was the spamtrap entry, but you'd only be able to find one spamtrap per hit per listing period (24 hours), so it would take forever to find much of anything.

Clever spamtraps might also be working on specific target email addresses only (and not just a whole domain as normally done), so the spammers might even be blacklisting a whole domain when it's only a few specific email addresses that were the trap, thus easing the spam load on other addresses on the same domain.

These special (clever) spamtraps are actually easy to create. My own spamtrap (coded from scratch by yours truly) works this way. Once you have a regular spamtrap listening on port 25 on some IP, you simply forward those trap email addresses from a regular MTA to the spamtrap, which is specially configured to go one step backwards when resolving the IP to be blacklisted when the immediate source is a specific IP which actually is the MTA hosting all the emails on the domain in question (the MX host). This way servers sending mails to trap[at]example.com get listed while those sending to johndoe[at]example.com don't. Those traps are very hard to find and avoid even with a ton of info from the trap owner - like SC.

About filtering auto-responses... Trouble is that the response itself does not contain the spam itself. It is simply a response with a unique recipient. No way to tell what it responded to. There are already loop control measures in place to prevent primitive auto-responders from responding to each other in a loop, so any given recipient can only receive one auto-response an hour from any given account. For an extended abusing spam run this still yields 24 auto-responses per 24 hours and thus a SC listing.

That seems easy to me to fix - just make it one auto-response per 24 hours. I can't imagine why anyone legitimate would send more than one email per day to someone who responded with an auto-response.

Or make your customers include the original message.

Or insist on whitelists.

I don't understand your technical suggestion. But since Julian is a really brilliant programmer, I expect there is a good reason why he doesn't do it that way.

Miss Betsy
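The guard an auto-responder needs before it answers anything, written out as an added example; this is not code from this thread, from SpamCop or from any MTA's vacation program. It refuses bounces, list and bulk traffic and anything marked Auto-Submitted (the RFC 3834 rule that stops responder loops), limits replies to one per sender per window (one per 24 hours, as suggested above, instead of the one per hour described earlier in the thread), optionally insists on an allow list, and builds the reply so that it carries the original Subject and is itself marked auto-replied. The two sample messages are constructed, the X-Spam-Flag header is assumed to come from an upstream filter, and the 24-hour window and all function names are this example's choices.

```python
"""Guard and reply builder for an out-of-office auto-responder.

Added example for this thread, not code from SpamCop, this forum or any
MTA's vacation program. The two messages below are constructed."""
import email
from email.message import EmailMessage
from typing import Dict, Optional, Set, Tuple

# Constructed: a personal business mail that deserves an out-of-office reply.
PERSONAL = (
    "From: alice@partner.example\n"
    "To: bob@customer.example\n"
    "Message-ID: <20190312.1@partner.example>\n"
    "Subject: Contract question\n"
    "\n"
    "Hi Bob, can we talk about clause 4 this week?\n"
)

# Constructed: bulk mail with a forged From: (the kind that lands on a trap).
BULK = (
    "From: trap@trap.example.org\n"
    "To: bob@customer.example\n"
    "Precedence: bulk\n"
    "Subject: Cheap meds\n"
    "\n"
    "buy now\n"
)

BULK_PRECEDENCE = {"bulk", "list", "junk"}
DAY = 86400.0


def should_autoreply(raw: str, envelope_sender: str, our_address: str,
                     last_reply: Dict[str, float], now: float,
                     window: float = DAY,
                     allow: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Return (reply?, reason). last_reply maps envelope sender -> time of our
    last reply and is updated only when we decide to reply."""
    msg = email.message_from_string(raw)
    sender = envelope_sender.strip().lower()

    # RFC 3834: never answer a null envelope sender (bounces, DSNs) and never
    # answer mail that is itself automated; this is what stops responder loops.
    if not sender:
        return False, "null envelope sender (bounce/DSN)"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "message is auto-generated"

    # Bulk and list traffic: a reply would go to the list or to a forged sender.
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return False, "bulk/list precedence"
    if msg.get("List-Id") or msg.get("List-Unsubscribe"):
        return False, "mailing-list traffic"

    # Verdict of the inbound filter, if the MTA tags mail (header name assumed).
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        return False, "flagged by the inbound spam filter"

    # Only answer mail visibly addressed to us; Bcc'd mass mail gets nothing.
    visible = " ".join(msg.get_all("To", []) + msg.get_all("Cc", [])).lower()
    if our_address.lower() not in visible:
        return False, "we are not a visible recipient"

    # Optional allow list of addresses or domains ("insist on whitelists").
    if allow is not None and sender not in allow and sender.split("@")[-1] not in allow:
        return False, "sender not on the allow list"

    # One reply per sender per window: one per 24 h instead of one per hour.
    if now - last_reply.get(sender, float("-inf")) < window:
        return False, "already replied within the window"
    last_reply[sender] = now
    return True, "ok"


def build_reply(raw: str, envelope_sender: str, our_address: str,
                body: str) -> EmailMessage:
    """Reply addressed to the envelope sender, marked as automatic so that
    other responders ignore it, threaded, and carrying the original Subject so
    the recipient can see what it answers. The MTA should send it with a null
    envelope sender (MAIL FROM:<>) so it can never itself be bounced back."""
    orig = email.message_from_string(raw)
    reply = EmailMessage()
    reply["From"] = our_address
    reply["To"] = envelope_sender
    reply["Subject"] = "Auto: " + orig.get("Subject", "(no subject)")
    reply["Auto-Submitted"] = "auto-replied"
    reply["Precedence"] = "bulk"
    if orig.get("Message-ID"):
        reply["In-Reply-To"] = orig["Message-ID"]
        reply["References"] = orig["Message-ID"]
    reply.set_content(body)
    return reply


if __name__ == "__main__":
    state: Dict[str, float] = {}
    print(should_autoreply(PERSONAL, "alice@partner.example", "bob@customer.example", state, now=0.0))
    print(should_autoreply(PERSONAL, "alice@partner.example", "bob@customer.example", state, now=3600.0))
    print(should_autoreply(BULK, "trap@trap.example.org", "bob@customer.example", state, now=0.0))
    print(build_reply(PERSONAL, "alice@partner.example", "bob@customer.example", "Away until Monday."))
```

The order of the checks matters: the envelope sender and Auto-Submitted tests come first because they are the only ones that can never be satisfied by a forged spam, and the rate limit comes last so that a rejected message does not consume the sender's one reply. With this guard a forged spam that carries a trap address as its sender still reaches the responder, but it gets at most one reply per 24 hours per trap address, and that reply is addressed to the envelope sender rather than the From: line, which is what the thread's "one per hour gives 24 a day" complaint turns on.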


Wouldn't work because all personal mail would be forwarded. Basically the same solution as having someone else simply check your mailbox for important mails. Reading other peoples personal mail is actually illegal in many places.

I don't know where in the world you are, but in the US, the general idea is that company email is owned by the company because it is on the company servers. There have been many articles written about this in the IT type magazines. Many companies outright ban personal email with dismissal being a possible result. My company allows it, but with the understanding that "the company is watching" so it can be personal, but it is not private. We regularly open mailboxes during vacations to other employees of the same department.


First of all, SC's advice about getting rid of auto-responders just doesn't help. In a commercial setting with many separate customers and email much more central than webpages, there's no way to do without them. Sure, the stupid "We have received your mail and will respond ASAP" can be easily skipped, but those informing customers of vacations and other absences cannot. Despite a consistent use of a generic support address our customers often write personal mails instead of support mails, and they just don't get that people sometimes aren't there. We've lost major customers because support mails written personally went unanswered. Thus the auto-responders.

Back in the Dark Ages when I worked for a large consulting firm, the "what to do about email when on vacation?" was solved the same way the ringing phone on the empty desk was solved - they were forwarded to someone that cares.

As I remember the event after the vp for technology got a call from a gov. contracting officer controlling a $35M contract the word went out 'If you can't respond to a clients email or phone message within ONE business day, have someone knowledgeable with the project return the call; or pick up your last paycheck when you come back.'

The policy was put in place (both parts). Until we got better, our cubicle/office mate screened all our phone messages and emails twice a day while we were gone. They forwarded messages based on our directions or bumped them up the chain. == Sometimes technology requires human intervention. Forethought also helps. When going on business trips - call clients, tell them who to call if they have a question. Don't have time for care and feeding of clients? You may have too many. <_<

This beats any auto-responder, saves clients and avoids SC.

Share on other sites
The reason we enforce this gateway setup is the virus plague. We need to prevent infected machines (most of which are not under our control - they belong to customers) from drowning each other and the world in emails. Thus the simple idea that machines internally can only reach the gateway on port 25, not each other or the world.
This may be part of the problem that you can fix - not the concept, but the application. When your gateway receives and passes on the messages, does it add to the headers of the message, and are they in the correct format?

I can not say that this will solve your problem, as I do not know the exact logic that SpamCop uses for identifying the source of spam especially when related to spamtraps.

You may want to use a free SpamCop reporting account and try parsing a message that you can send that goes through the gateway to an address outside of any of the domains using the gateway. When you parse the message, make sure to cancel the reports to avoid adding to the listing problem. This may provide some insight as to exactly what may be happening, and why the gateway is being listed as the source rather than just part of the path that the message takes getting to the other end.
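A worked version of the header walk that both Per G's "one step backwards" spamtrap and the header check suggested just above rely on, added here as an example; it is not SpamCop's code, not Per G's trap, and not from this thread. The message and every address in it (the 192.0.2.25 trap MX, the 198.51.100.10 gateway, the 10.0.5.17 customer server, the 192.168.1.44 desktop) are constructed from documentation and private ranges, and the function names are this example's own.

```python
"""Walk a message's Received: chain back through a set of trusted relays to the
first hop that is not ours: the way a spamtrap (or SpamCop's mailhost logic)
picks the IP to list, and the way a gateway operator finds the server behind
the gateway. Added example; not SpamCop's or Per G's code. The message and all
addresses below are constructed from documentation ranges."""
import email
import ipaddress
import re
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: an out-of-office reply from a customer server (10.0.5.17) leaves
# through the hosting gateway (198.51.100.10), reaches the trap owner's MX
# (192.0.2.25), which forwards trap@ addresses on to the spamtrap daemon.
# Newest hop first, as MTAs write them.
SAMPLE = (
    "Received: from mx.trap.example.org (mx.trap.example.org [192.0.2.25])\n"
    "\tby spamtrap.trap.example.org with ESMTP id 7D1E0;\n"
    "\tTue, 12 Mar 2019 10:00:06 +0000\n"
    "Received: from gw1.example.net (gw1.example.net [198.51.100.10])\n"
    "\tby mx.trap.example.org (Postfix) with ESMTP id 4F2A1\n"
    "\tfor <trap@trap.example.org>; Tue, 12 Mar 2019 10:00:05 +0000\n"
    "Received: from mail.customer.example (unknown [10.0.5.17])\n"
    "\tby gw1.example.net (Postfix) with ESMTP id 9C3B2\n"
    "\tfor <trap@trap.example.org>; Tue, 12 Mar 2019 10:00:04 +0000\n"
    "Received: from desktop ([192.168.1.44] helo=desktop)\n"
    "\tby mail.customer.example with esmtp (Exim) id 1h3kQ2-0001aB-Cd\n"
    "From: vacation@customer.example\n"
    "To: trap@trap.example.org\n"
    "Auto-Submitted: auto-replied\n"
    "Subject: Out of office\n"
    "\n"
    "I am away until next week.\n"
)

_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
_FROM_BY = re.compile(r"from\s+(?P<frm>.*?)\s+by\s+(?P<by>\S+)")


def received_hops(raw: str) -> List[Tuple[Optional[IPAddr], str]]:
    """(peer_ip, recording_host) for each Received: line, newest first.
    peer_ip is the address the recording MTA saw on the wire, taken from the
    bracketed literal; it is None when the line has no such literal."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        m = _FROM_BY.match(text)
        if not m:
            continue                               # e.g. local submission
        lit = _BRACKET_IP.search(m.group("frm"))
        ip: Optional[IPAddr] = None
        if lit:
            try:
                ip = ipaddress.ip_address(lit.group(1))
            except ValueError:
                ip = None
        hops.append((ip, m.group("by")))
    return hops


def originating_ip(raw: str, trusted: List[str]) -> Optional[str]:
    """First peer IP, walking back from the newest hop, that is not one of our
    trusted relays (addresses or CIDR blocks). Lines written by a trusted host
    are evidence; everything below the first untrusted peer was supplied by
    that peer and may be forged, so the walk stops there. Assumes the newest
    line was written by our own MX."""
    nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    for ip, _recorder in received_hops(raw):
        if ip is None or any(ip in n for n in nets):
            continue                               # our own relay: step back
        return str(ip)
    return None


if __name__ == "__main__":
    # Trap owner's view (Per G's "one step backwards"): trust only the MX.
    print(originating_ip(SAMPLE, ["192.0.2.25"]))                    # 198.51.100.10
    # Gateway operator's view: also trust our own gateway cluster.
    print(originating_ip(SAMPLE, ["192.0.2.25", "198.51.100.0/24"]))  # 10.0.5.17
```

The same function answers both sides of the thread: with only the trap MX trusted it returns the gateway, which is what the trap lists; with the gateway cluster added to the trusted set it returns the customer server behind the gateway, which is what Per G wants to find. Two caveats follow from how it works. The walk only trusts lines written by hosts on the list, so nothing below the first untrusted peer is ever used, and that is also why the trap owner can hand over the headers without fear: the spammer controls everything below the gateway's line anyway. And if the gateway does not write a Received: line of its own when it relays, there is nothing to walk and the operator has to fall back to the gateway's log, matched on recipient and timestamp.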


I don't know where in the world you are, but in the US, the general idea is that company email is owned by the company because it is on the company servers. There have been many articles written about this in the IT type magazines. Many companies outright ban personal email with dismissal being a possible result. My company allows it, but with the understanding that "the company is watching" so it can be personal, but it is not private. We regularly open mailboxes during vacations to other employees of the same department.

Well, my location is Denmark (in Scandinavia, Northern Europe), and while the basic premise here is that all mail handled by company servers belongs to the company, just like in the US if I understand that correctly, there have been legal cases where an employee successfully sued a workplace for breach of privacy because he was terminated based on what was learned from his personal mail. It was some form of discrimination (he was a closet homosexual if I remember correctly) which was only revealed due to the company reading his private emails. He won the case and a substantial settlement, primarily due to the invasion of his privacy the company performed. The discrimination wasn't proved to be the sole reason for his termination.

So it has ended up as a grey area - you own the mail but are not allowed to read it... That's why most employees here are encouraged to host their really personal mail elsewhere (gmail, own mailservers etc.). But there's still a need for one on one business contact, mostly because personal dialogues between someone else are just spam in everybody else's mailboxes if group addresses are used. And the minute you have a personal mailbox, the privacy rules apply, regardless of it actually being non-personal and pure business.

Anyway, that was just some background for you, so let us let this one rest and get back on topic... ;)


I thought the topic was out of office replies and how you can communicate with your customers on why they may not use them because it gets the server listed. (I liked Lking's the best).

Miss Betsy


I thought the topic was out of office replies and how you can communicate with your customers on why they may not use them because it gets the server listed. (I liked Lking's the best).

Yes, but also (and more important) how to locate them. I was requesting more info on spamtrap hits.

Remember our setup where everything goes through a gateway which gets listed by SC as a spamtrap feeder. Our customers may put up one of them (auto-responders) on any server which may respond to potentially all spam, thus quickly causing a SC listing - not of the actual server but the gateway which affects all customers.

Being told at SC that our gateway has sent mail to a spamtrap doesn't help at all because I'm always unable to locate the true source (the server behind the gateway). So I simply have to wait out the 24 hours doing nothing, potentially continuing the 'spam-attack', hoping that it stops on its own. I'd rather stop the thing immediately and have the gateway delisted, but I cannot stop what I cannot find. So the policy at SC shoots the cause (stopping spam and other unwanted emails) in the foot, crippling it.


Being told at SC that our gateway has sent mail to a spamtrap doesn't help at all because I'm always unable to locate the true source (the server behind the gateway). So I simply have to wait out the 24 hours doing nothing, potentially continuing the 'spam-attack', hoping that it stops on its own. I'd rather stop the thing immediately and have the gateway delisted, but I cannot stop what I cannot find. So the policy at SC shoots the cause (stopping spam and other unwanted emails) in the foot, crippling it.

I'm too busy to go back through this thread, but somewhere here I'm sure you were told you need to contact the deputies to get more information on the spamtrap hits. If you are pleasant in the way you ask and prove you are responsible for the administration of that IP address, they may be able to provide enough information to help track down the sending server.


I admit that I don't know very much about servers, but I don't understand, if you filter for outgoing, why you can't identify auto-responses when you know that there is a problem? Or why you don't require those who use your gateway to include the 'message' in returned messages so that you can filter for spam.

Another thing I don't understand is why you don't try being proactive and at least trying to inform your customers of the problem with auto responses and how to avoid the problem.

The reason I like blocklists is that it puts the burden of stopping spam on the sender rather than the recipient. I can remember legitimate ebusinesses moaning and groaning and being really nasty about the fact they got listed on spamcop back when confirmation emails were the 'solution' to mistyped email addresses, etc. Now it is the standard. I could repeat several different scenarios that were claimed to be 'unworkable' by the recipients of spamcop reports but turned out to have solutions.

As has been pointed out, the deputies are the only ones who can give you any information on email to spam traps. We (tinw) think that you have to prove that you really are the administrator and that they will give you some information - just enough to stop the problem. You will get an answer faster if your email contains all the information they need to answer the question. Since none of us are deputies, we don't know exactly what their standards or policies are.

Here in the forum, if you were interested, there might be someone who has 'solved' the problem by doing something about stopping auto-responses who would be willing to help you solve your problem.

Miss Betsy

Yes, but also (and more important) how to locate them. I was requesting more info on spamtrap hits.

A SpamCop spam trap has 16 or more alphanumeric letters in it, meaning it has a minimum of 128-bit security, which is considered unguessable (bank security or better).

For your IP to get listed probably means you or someone on your network is bouncing email to return addresses.

You have not sent the afflicted IP address, so replies are based only on information you provide.

SpamCop, when blocking IPs, will only block the source IP, which is the computer sending the spam. If SpamCop blocks the upstream IP it means that the provider is incompetent (exceptions are networks which send email through a "door").

Example of how SpamCop tracks to an IP

http://www.spamcop.net/sc?id=z954372779zccd9c25447bb065338ed20eb5b48aabaz

210.50.143.20 is/was my personal computer, not upstream (like the mail server it was sent through).


Interesting that this issue recurs often (for sysadmins) and has been going on so long.

I admit that I don't know very much about servers, but I don't understand, if you filter for outgoing, why you can't identify auto-responses when you know that there is a problem? Or why you don't require those who use your gateway to include the 'message' in returned messages so that you can filter for spam.

Another thing I don't understand is why you don't try being proactive and at least trying to inform your customers of the problem with auto responses and how to avoid the problem.

I do discourage users setting up auto-responders and encourage forwarding to a colleague instead, but some people expect them and there may be confidentiality issues as the OP says. Then there is software like mailman that responds to spam sent to certain list admin addresses; there could also be any number of things users have installed on their own site or gateway. We don't enforce a single outgoing smarthost, but obviously do make one available (as dbiel and petzl say, provided SC trusts your smarthost's headers, it should be reported to the owner of the user's mail gateway). The vacation program in common use on *nix systems does not include the email being responded to, and I'm not sure it should (also the default is to only send a maximum of one response per week - per hour is indeed excessive). The point is that anything that can create backscatter for a genuine reason may occasionally respond to spam that somehow gets through milters (incoming and outgoing), and that spam may forge an address that happens to be a SpamCop trap, and so generate a trap hit, which will not be accompanied by a Report of the email that triggered it. So we don't even know if it is an out-of-office message or something else, and that is the point Per G was making, and with which I wholeheartedly agree.

I also argued at http://forum.spamcop.net/forums/index.php?...ic=9532&hl= that there is on the face of it no reason why, if a human Reporter can have an email address anonymised, a spamtrap address cannot be similarly anonymised and the data sent to the appropriate abuse address. The information that the deputies may provide on request may just be the subject line, which isn't necessarily going to be helpful to find a backscatter source (or in a worse case, an intrusion or user abuse): full headers including a username or X-PHP-Script header is better. Otherwise summaries listing only trap hits are pretty unhelpful.

BTW most of the spamtrap addresses I maintain (usually adding to Bayesian detection and blacklisting more than anything) are single email addresses that spammers send to - would love the whole domain to get excluded by spammers.

Basically, it seems SpamCop does not trust all abuse desks. I think it should ideally be possible to get accredited as an abuse desk somehow and receive full data (headers and body) relating to trap hits, but with the spamtrap address anonymised. It's only with this information that you can really take action as Per G says. However, if it's been going on this long, I expect it's unlikely to change, which is why the page at http://forum.spamcop.net/scwik/TipsForSystemAdministrators is there.

Basically, it seems SpamCop does not trust all abuse desks. I think it should ideally be possible to get accredited as an abuse desk somehow and receive full data (headers and body) relating to trap hits, but with the spamtrap address anonymised. It's only with this information that you can really take action as Per G says. However, if it's been going on this long, I expect it's unlikely to change, which is why the page at http://forum.spamcop.net/scwik/TipsForSystemAdministrators is there.
Ideally, yes, there should be some way to get 'accredited' - however, the way that the internet works, it is the senders who have to conform to whatever the receiving server admin wants if they want to send mail to that recipient.

Most of the people who have complained about spam traps recently do not have 'auto-response' problems, but are still accepting mail and emailing non-delivery notices, or have an infected computer. I expect that if there is a listing due to auto-responses, it is, as you say, just one that slips through and the listing, if any, is not long, maybe not even noticed. There may even be a part of the algorithm that can identify auto responses and doesn't give them as much weight as other hits.

I think, in three years time, that most server admins have figured out how to avoid OOO spam trap hits. I believe, also, that if one contacts the deputies, they will tell you the 'type' of spam trap hit - spam or backscatter.

Miss Betsy
