proski

SpamCop Blacklist getting toothless?


I'm a paid subscriber. I have noticed that very little spam to my SpamCop address is blocked by the SpamCop blacklist. Most spam is blocked by SpamAssassin, and quite a lot of spam is getting to my INBOX.

It used to be different. Until a few months ago, I had all blacklists enabled in the blacklist configuration (http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php), and the SpamAssassin limit was set at the default 5.

Very little spam would come through. I remember that about a third of all spam, as shown by http://www.spamcop.net/reportheld?action=heldlog, was blocked by bl.spamcop.net.

Back then, the biggest problem wasn't the spam getting through - it was false positives, i.e. legitimate messages getting to the Held Mail folder. One day I got fed up with it and disabled the two blacklists that caused virtually all of the false positives - list.dsbl.org and dnsbl.sorbs.net. I also upped the SpamAssassin limit to 6 to allow some very technical posts with lots of unusual punctuation.

As one would expect, false positives became quite rare, while more spam started getting to the INBOX. But over time, the amount of spam getting through the filters grew dramatically, exceeding the legitimate e-mail traffic, including several mailing lists I'm subscribed to.

Initially, I attributed it to the increased cleverness of the spammers. However, I noticed one anomaly. Very few spams are blocked by bl.spamcop.net now. The absolute majority of spams are blocked by SpamAssassin, even with the limit increased to 6. I don't have any reliable statistics, but bl.spamcop.net catches one or two of the 100-150 spams I'm getting in a day. I would say bl.spamcop.net almost certainly catches less than 5% of the spam I'm getting.

I'm reporting all the spam that comes to me. My average reporting time is 4 hours. Am I wasting my time on those reports? Is bl.spamcop.net getting too lenient to spammers?


I recall this question being asked previously in the Email forum.

What we don't know is the order in which the various spam tests are performed. If the SpamAssassin score is checked first then that will trap much spam before the blocklist check.

Andrew

What we don't know is the order in which the various spam tests are performed. If the SpamAssassin score is checked first then that will trap much spam before the blocklist check.

I'm pretty sure that the SA routine happens first, because according to the headers of messages put into our Held Mail due to the SA score, the IP addresses aren't even checked...here's an example:

X-SpamCop-Checked:

X-SpamCop-Disposition: Blocked SpamAssassin=11

whereas the next item in my current Held Mail is more like this:

X-SpamCop-Checked: 192.168.1.101 x.x.x.x x.x.x.x 219.114.33.118

X-SpamCop-Disposition: Blocked bl.spamcop.net

(I masked the two IPs having to do with my Mailhosts)

My experience lately has been similar....very few items caught by the SCBL, but this may simply be a function of them being so "spammy" as to exceed the SA threshold I've defined, at which point the checking stops.

DT

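The two header shapes quoted above (an empty X-SpamCop-Checked on SpamAssassin blocks, a list of hops on blocklist blocks) are enough to compute the per-filter statistics the thread is arguing about by feel. The following is an added example of mine, not code from the thread or from SpamCop: it parses a constructed Held Mail sample into per-message records and tallies which filter stopped each one. Assumptions, not facts from the page: that an unblocked message carries an empty disposition, that the last address in X-SpamCop-Checked is the hop outside the configured Mailhosts, and the masked Mailhost addresses (10.0.0.5, 10.0.0.6).

```python
import re
from collections import Counter

# Constructed sample of X-SpamCop-* header pairs as they appear in Held Mail
# (not real messages; the shapes follow the two examples quoted in the thread).
# When SpamAssassin blocks first, X-SpamCop-Checked is empty because the
# blocklist checks never ran. The "passed" shape (hops checked, empty
# disposition) is an assumption about how an unblocked message is labelled.
SAMPLE_HELD_MAIL = """\
X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=11

X-SpamCop-Checked: 192.168.1.101 10.0.0.5 10.0.0.6 219.114.33.118
X-SpamCop-Disposition: Blocked bl.spamcop.net

X-SpamCop-Checked:
X-SpamCop-Disposition: Blocked SpamAssassin=7

X-SpamCop-Checked: 192.168.1.101 10.0.0.5 10.0.0.6 203.0.113.77
X-SpamCop-Disposition: Blocked dnsbl.sorbs.net

X-SpamCop-Checked: 192.168.1.101 10.0.0.5 10.0.0.6 198.51.100.23
X-SpamCop-Disposition:
"""

# "Blocked SpamAssassin=11" -> ("SpamAssassin", "11"); "Blocked bl.spamcop.net" -> ("bl.spamcop.net", None)
DISPOSITION_RE = re.compile(r"^Blocked\s+(\S+?)(?:=(\d+))?$")


def parse_held_mail(raw):
    """Split blank-line-separated header blocks into {"checked": [...], "disposition": str}."""
    messages = []
    for block in raw.strip().split("\n\n"):
        msg = {"checked": [], "disposition": ""}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            value = value.strip()
            if name == "X-SpamCop-Checked":
                msg["checked"] = value.split()
            elif name == "X-SpamCop-Disposition":
                msg["disposition"] = value
        messages.append(msg)
    return messages


def classify(msg):
    """Name of the filter that stopped the message, or 'passed'."""
    m = DISPOSITION_RE.match(msg["disposition"])
    return m.group(1) if m else "passed"


def sa_score(msg):
    """SpamAssassin score recorded in the disposition, or None."""
    m = DISPOSITION_RE.match(msg["disposition"])
    return int(m.group(2)) if m and m.group(2) else None


def tally(messages):
    return Counter(classify(m) for m in messages)


def scbl_share(messages):
    """Fraction of *blocked* mail attributed to bl.spamcop.net (the number proski estimates at <5%)."""
    counts = tally(messages)
    blocked = sum(n for name, n in counts.items() if name != "passed")
    return counts["bl.spamcop.net"] / blocked if blocked else 0.0


def last_external_hop(msg):
    """Assumed: the last hop in X-SpamCop-Checked is the one outside the Mailhosts,
    i.e. the address the blocklists were queried for."""
    return msg["checked"][-1] if msg["checked"] else None


def sa_blocks_skip_ip_checks(messages):
    """True if every SpamAssassin block has an empty X-SpamCop-Checked,
    the observation DT uses to infer that SA runs before the blocklists."""
    return all(not m["checked"] for m in messages if classify(m) == "SpamAssassin")


if __name__ == "__main__":
    msgs = parse_held_mail(SAMPLE_HELD_MAIL)
    for name, n in tally(msgs).most_common():
        print(f"{name:18} {n}")
    print(f"SCBL share of blocked mail: {scbl_share(msgs):.0%}")
    print("SA blocks skip IP checks:", sa_blocks_skip_ip_checks(msgs))
```

Run over a real Held Mail export (one header block per message, blank line between), this gives the "reliable statistics" the opening post says it lacks; the SA-first ordering shows up as every SpamAssassin block having no checked hops at all, so those messages say nothing about whether the SCBL would have caught them.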

My recollection was that SpamAssassin is pretty much first, the SpamCopDNSBL last .... However, not finding a post from JT that actually says this in here .... noting that all the SpamAssassin discussion stuff dates back to the early 2004 timeframe .. which suggests that it may have possibly been a newsgroup post ... different search criteria, too many windows open for too long here, I'll let the search work get handled by someone else ....


My experience lately has been similar....very few items caught by the SCBL, but this may simply be a function of them being so "spammy" as to exceed the SA threshold I've defined, at which point the checking stops.

Anyway, I think I see more spam getting through than blocked by SCBL. And it's pretty "spammy", although it lacks the exact characteristics SpamAssassin is looking for. It also has patterns suggesting that spam is sent by the same people.

The spam that gets through all the time:

spam containing "pußIicidad" in subject, always from Peru

Canadian pharmacy

"Russian teens", usually misspelled and with a female name in From

pump-and-dump using a GIF image for the message and some meaningless text

spam that used to get through until I put them to my personal blacklist:

bizsyscon.com (radio hardware)

mwart.com (medieval weapons)

beautysak.com (cosmetics)

I've just disabled all blacklists and Spamassassin, leaving only SCBL. Let's see what I'll get overnight.


It used to be different. Until a few months ago, I had all blacklists enabled in the blacklist configuration (http://webmail.spamcop.net/horde/imp/spamcop/blacklists.php), and the SpamAssassin limit was set at the default 5.

That is my configuration just about since I started with SpamCop ~4 years ago. I have very few false positives after whitelisting for the first month or so. I have maybe a dozen or so entries in the whitelist. My percentage of spam into the inbox has varied a little from time to time, but always back to a normal false negative of about 1/month.

SpamAssassin was placed as the first scan about a year ago now. My first post on the subject is here: http://forum.spamcop.net/forums/index.php?...ost&p=35389


SpamAssassin was placed as the first scan about a year ago now.

Thanks for the link! That answers some of my questions.

I should have concentrated my initial post on one problem, namely SCBL being ineffective.

So far, 1 of 4 spams has been blocked:

[52224] yamasaki2525[at]hotmail.co.jp (=?ISO-2022-JP?B?GyRCJWIlSyU/ITw1XkpnPTghKiEqGyhC?= Preview )

Thu, 28 Sep 2006 19:33:59 -0400 (Blocked bl.spamcop.net)

[52225] lznoiybdszl[at]yahoo.co.jp (=?iso-2022-jp?B?GyRCTSUkNyQkOEBNVSRyJCskMSRGJCQkPyRAJCQkPyQzJEghIjtkJE8bKEI=?= Preview )

Thu, 28 Sep 2006 19:34:22 -0400 ()

[52226] tomwblvq[at]acculab.com (Young aphrodisiac Cuties good Videeo! Preview )

Thu, 28 Sep 2006 17:14:58 -0400 ()

[52227] jaimeerhart[at]x-provider.com (Oristano/ E' morto il parlamentare di Forza Italia Ignazio Manunza Preview )

Thu, 28 Sep 2006 17:49:13 -0500 ()

I bet I saw that "aphrodisiac cuties" spam in my INBOX earlier today and reported it. If dynamic IP filtering (SCBL) plus static content filtering (SpamAssassin) are ineffective, maybe we should be thinking about dynamic content filtering? That's surely a topic for the "feature requests" section.


Thanks for the link! That answers some of my questions.

I should have concentrated my initial post on one problem, namely SCBL being ineffective.

So far, 1 of 4 spams has been blocked:

Unless you provide us the Tracking URL's for those messages, we will not be able to tell you why they were allowed through. In the past few years, there have been only a few times where spam was regularly slipping through. Usually, it only lasts for a couple of days until the filters catch up.


I am experiencing the same high rate of slip-throughs with similar settings. I will bring some tracking URLs next time I report. Oddly, SpamPal recognizes the majority of these and it uses similar filtering.

Edited by dra007

I bet I saw that "aphrodisiac cuties" spam in my INBOX earlier today and reported it. If dynamic IP filtering (SCBL) plus static content filtering (SpamAssassin) are ineffective, maybe we should be thinking about dynamic content filtering? That's surely a topic for the "feature requests" section.

and for that, my original search pattern would work, again referencing 2004 discussions in here .... using the 'word' link Search at the top of the screen .... SpamAssassin as the keyword, jefft as the poster, select "as posts" ... do it .... a number of discussions, attempts, results on various 'additional' tools, bits, etc.


Unless you provide us the Tracking URL's for those messages, we will not be able to tell you why they were allowed through.

These are the four spams that slipped through SCBL since I turned off other filters:

http://www.spamcop.net/sc?id=z1082903827z6...87d9d2eb2745aez

http://www.spamcop.net/sc?id=z1082903838z4...5241fad58efed3z

http://www.spamcop.net/sc?id=z1082903847zb...31d97fb62ddb1fz

http://www.spamcop.net/sc?id=z1082988037z2...b5a252abceda20z


First glance .. compromised computers .. not enough reports yet to get listed ...

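"Not enough reports yet to get listed" is something a reader can verify for any slipped-through message: the SCBL is queried by reversing the octets of the last external hop and looking up that name under bl.spamcop.net, with an A record of 127.0.0.2 meaning listed. The block below is an added example of mine, not SpamCop's code. It builds the query name, interprets the answer, and skips the internal relay hops that appear in X-SpamCop-Checked. The DNS answer table is constructed so the example runs offline (219.114.33.118 is the address from the header example earlier in the thread; 203.0.113.77 and 198.51.100.23 are RFC 5737 documentation addresses), and the live resolver is only used if you pass no table.

```python
import ipaddress
import socket

SCBL_ZONE = "bl.spamcop.net"
# bl.spamcop.net answers 127.0.0.2 for a listed address. Every DNSBL answer
# must fall inside 127.0.0.0/8; anything else means the zone is broken,
# expired or wildcarded and must not be read as "listed" (fail open).
LISTED_CODES = {"127.0.0.2"}
DNSBL_ANSWER_NET = ipaddress.IPv4Network("127.0.0.0/8")
# Hops never worth querying: RFC 1918 relays and loopback. Listed explicitly
# rather than via IPv4Address.is_private, which in Python also covers the
# documentation ranges used in the sample below.
INTERNAL_NETS = [ipaddress.IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def dnsbl_name(ip, zone=SCBL_ZONE):
    """Query name: octets reversed, then the zone (219.114.33.118 -> 118.33.114.219.bl.spamcop.net)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def default_resolver(name):
    """Live DNS: A-record answers for name, [] on NXDOMAIN. Not used by the offline demo."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def table_resolver(table):
    """Offline stand-in for DNS: name -> list of A answers, [] when absent."""
    return lambda name: table.get(name, [])


def scbl_lookup(ip, resolver=default_resolver, zone=SCBL_ZONE):
    """'listed', 'unlisted', 'skipped' (internal hop) or 'invalid' (answer outside 127/8)."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "skipped"
    answers = resolver(dnsbl_name(str(addr), zone))
    if not answers:
        return "unlisted"
    if any(ipaddress.IPv4Address(a) not in DNSBL_ANSWER_NET for a in answers):
        return "invalid"
    return "listed" if any(a in LISTED_CODES for a in answers) else "listed-other-code"


def check_hops(x_spamcop_checked, resolver=default_resolver):
    """Look up every hop named in an X-SpamCop-Checked value."""
    return {hop: scbl_lookup(hop, resolver) for hop in x_spamcop_checked.split()}


# Constructed answers, not real SCBL data: one listed source and one
# zone that has gone bad and answers with a public address.
CONSTRUCTED_DNS = {
    "118.33.114.219.bl.spamcop.net": ["127.0.0.2"],
    "77.113.0.203.bl.spamcop.net": ["203.0.113.1"],
}

if __name__ == "__main__":
    resolve = table_resolver(CONSTRUCTED_DNS)
    hops = "192.168.1.101 219.114.33.118 203.0.113.77 198.51.100.23"
    for hop, verdict in check_hops(hops, resolve).items():
        print(f"{hop:16} {verdict}")
```

Two caveats a filter operator should keep: a source that was "unlisted" when the message arrived can be "listed" an hour later once enough reporters have sent tracking URLs, so a lookup now does not prove the filter failed then; and the "invalid" branch matters because a list that has shut down and wildcarded its zone would otherwise start blocking all mail.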

Here are some that slipped through in my case:

http://www.spamcop.net/sc?id=z1083376674z0...a39446c05438baz

http://www.spamcop.net/sc?id=z1083376678z7...17ef0333a441dcz

http://www.spamcop.net/sc?id=z1083376684z3...1f8966e99053c5z

http://www.spamcop.net/sc?id=z1083376688z9...5f80f021eae520z

These are but a few of many I reported this morning; all but 1 were, however, picked up by SpamPal!

Edited by dra007


Here's one that slipped through:

http://www.spamcop.net/sc?id=z1083657607z5...f665721b1c5a10z

The source wasn't on the SCBL because nobody else has reported it yet. Maybe we need more reporters, assuming that the spam sources seem to be multiplying?

Also, I'm a bit surprised that SpamAssassin only scored this one with 0.7, given the body and the Geocities URL:

Dear Home Owner,

Your crd. rating doesn't matter to us. If you own property

and need immediate capital to use any way you want or simply want

to cutback your monthly payments by a third or more,

fill out this simple, secure one minute form for an instant quote.

No sensitive information will be asked on the form

Don't worry about acceptance, your cr. will not disqualify you

we specialize in all kinds of ratings.

(url deleted)

Regards,

Cole Peoples

Approval Manager

________________________________________________

fun stuff:

bonnet it applicate may absorption try apron be

chemotherapy be afire it apparel be broadside and

ceres it cauliflower a contort see acetic the

betray it's doctrinaire a calamus may cutset may

cutout some clip not albany but brainstorm it's

artillery be befit in deforest a bricklaying may

coroutine but centerline and beachcomb try dialect not

The SA tests mentioned in the headers that I withheld were: "SARE_SPEC_XXGEOCITIE5,UNPARSEABLE_RELAY" (and yes, I carefully mess with the headers....the spam sources don't need to know the details of my filtering technology....they only need to see what the headers *would* have looked like without all that extra processing).

I previously had my Brazil and Argentina blocklists turned "off" in my SC email settings, but I've just turned them "on" as well as the other two that I wasn't using, and lowered my SA threshold to 4.

BTW, a lot of the stuff in this topic is specific to SC Email accounts, but it started off being about the SCBL, so I suppose it still belongs here in the Blocklist Help forum.

DT

Edited by DavidT


The net result is that about one third of spam is caught by SCBL. Perhaps my e-mail address is known to the "best" spammers using the most "advanced" methods of spam delivery via zombies :(

The net result is that about one third of spam is caught by SCBL.

I don't think that's a bad statistic...it would be nice if it were higher, but the number of zombies seems to have grown exponentially, so the SCBL can only keep up with that if reporting activity is similarly increased, and perhaps if the thresholds for listing an IP were made more aggressive. Failing that, we must rely on a "cocktail" of multiple BLs and SpamAssassin, which can bring the amount caught/blocked/held/whatever much closer to 100%, with few false positives.

DT


Also, I'm a bit surprised that SpamAssassin only scored this one with 0.7, given the body and the Geocities URL

Email filters really need to be looked at as stop-gap solutions - they do nothing to discourage spammers from spamming (if anything, they'll spam even more to try to bypass them). Therefore spam victims need to consider more aggressive strategies to deter spammers, specifically ones that harm their business (or "bizness").

In the case of "refi spam", there is a simple solution - the KS FormFiller Refi extension for Firefox that makes it easy to swamp such sites with fake leads. Do this often enough for long enough and the spammers will eventually wise up and drop you from their lists (it's worked for me). This is discussed further in the Refi FormFiller (GreaseMonkey) v1.0 thread.

<snip>

In the case of "refi spam", there is a simple solution - the KS FormFiller Refi extension for Firefox that makes it easy to swamp such sites with fake leads.

...That doesn't sound like a good idea. It's doing the same thing spammers do -- hog up the internet with garbage.
Do this often enough for long enough and the spammers will eventually wise up and drop you from their lists (it's worked for me).

<snip>

...This sounds like listwashing, which others in these fora have mentioned to be something not to be encouraged.

