thatsaspam

[Resolved] SpamCop spamtraps


My mail server has been blacklisted for sending email to a SpamCop spamtrap. Before I go on, I'll put my own philosophy on spam into perspective.

I've been using SpamCop and other blacklists to try to manage spam, as a mail admin, for at least five years. I typically report something like 30 emails a day as spam - my logic on this is that anything that doesn't get caught by my mailer's auto-filtering gets reported (if I reported everything I'd be doing 250-300 a day, and unfortunately I don't have the time for that).

So, I think this generally indicates that I am a "friend" of SpamCop, and not an obvious spammer.

So, back to the listing.

We have no PCs on our small network of about half a dozen machines - so no host has been compromised by malware (and there is no evidence to the contrary).

I am the only user sending email out on a regular basis: in general that's as responses to incoming mail.

We manage a few small lists, which have 10 - 5,000 users on them (in reality that's one big list and three-four small ones, for a total of less than 6,000 users). To put that number in perspective, the biggest list is an opt-in announce list that has been built up over a ten year period. This sends out mail on an intermittent basis, one mail every two - four weeks.

This big list is also regularly trimmed for bounces (ie if we get three consecutive bounces on an address it is removed from the list), and requires verification to subscribe.

Given the size and policy on this list I think it's fairly clear we aren't spammers. Additionally, just to note, the mail host hasn't been listed by users who have been receiving spam, but by automated spam traps.

I can only think of two ways this could have happened:

1. Someone has managed to by-pass the verification process on the mail list subscription (bug in software, it can happen).

2. A bounce message from our mail host has been sent to a spam trap address, because that was the stated return address (the SpamCop help sheet says that this can happen).

There may be other ways that other people can think of, but these are the only two I think are possible.

If this is correct, then this indicates that the SpamCop spam trap addresses are known, and that someone is using them maliciously to undermine the effectiveness of the system.

The help sheet in this area says that SpamCop will not supply the "spammer" with information about the spam trap reports. I have emailed the SpamCop admin and not yet received a response (setting out my concerns as above).

So, my question is: how do I track down an apparently verified list subscription address, when I don't know the email address or even the list it was sent from (most probably the big list, but not guaranteed), or how do I deal with bounces (which I think should be sent to indicate a problem to the sender) when the sender may be a compromised spam trap address?

Edited by thatsaspam


Let's hope you provided more data to the "SpamCop Admin" ..... the lack of a provided IP address in question doesn't allow anyone to do any research or provide data in response to your long query.

We have no PCs on our small network of about half a dozen machines

Not sure what this is supposed to mean.

no host has been compromised by malware

perhaps you're stating that no Windows-based PCs are in use, but one could then point to the word 'exploit' if you are suggesting Macs/*NIX in use ...?? Again, specific data not provided in your query.

One of the major items that you don't actually seem to address is the math involved in getting listed in the SpamCopDNSBL. Please see What is the SpamCop Blocking List (SCBL)? and see if you can work out your '6,000 subscribers' (?) and 'a single spamtrap address/hit being the sole source of the issue ..... Granted, spamtrap hits have a much greater scoring factor involved, but .....

Let's hope you provided more data to the "SpamCop Admin" ..... the lack of a provided IP address in question doesn't allow for anyone to do any research, provide data to your long query.

I didn't post the IP address here because there's not much point. The server is de-listed, the only report was a spamtrap address for which there is no information shown. I did post the IP address to the spamcop admin address that I have (as a long-term SpamCop user I've access to that info - but responses to that address don't seem as quick as they used to be).

perhaps you're stating that no Windows-based PCs are in use, but one could then point to the word 'exploit' if you are suggesting Macs/*NIX in use ...?? Again, specific data not provided in your query.

There are no Windows PCs, only Macs/Unix. I don't believe there are any "exploits" because there is no other evidence than a single (apparently) spamtrap mail to SpamCop (ie there are no reports from users) and there are no complaints from elsewhere.

One of the major items that you don't actually seem to address is the math involved in getting listed in the SpamCopDNSBL. Please see What is the SpamCop Blocking List (SCBL)? and see if you can work out your '6,000 subscribers' (?) and 'a single spamtrap address/hit being the sole source of the issue ..... Granted, spamtrap hits have a much greater scoring factor involved, but .....

There's no threshold mentioned on that page, so I can't guess at what point someone gets listed. It does say that a host can be listed with as little as two user reports, and that spamtrap reports have greater weighting - so it seems possible that a single spamtrap report was the cause.

Again, I'll state: there were only spamtrap reports to block this host - there was no indication as to how many there were, there could have been only one. The page you reference says this:

"Viruses and spam often use addresses from the list of recipients to populate the From: field. Sometimes, these addresses are spamtraps."

Which is one of my previous guesses as to what may have happened. What this means is that someone spammed me, and I bounced the message back to the "sender" (as defined in the email header). That can apparently get me blacklisted.

ie, it's possible that it really wasn't an email that I sent at all, but a rejection notice.

I checked the lists again just now, it turns out that the biggest list we have is only 4,300 users, so that means that there are considerably fewer than 5,000 in total across the few lists we run.

We have never gone out and harvested email addresses for any of these lists, they really are strictly opt-in only (though we still do get the occasional complaint from the odd luser who can't read the instructions on unsubscribing) - as far as I am aware there have never been any previous SpamCop reports about this host and the use of these lists.

But, I am willing to accept the possibility that a rogue address has got in there somehow, and by-passed the verification. Tell me what it is and I'll check the logs to see how it got there, remove it and block it from being added again. If, indeed, that is the problem.

Otherwise I can't really see what I can do about this (if it's a list problem).

If it's a bounce problem, then I probably can't do anything about it at all.

Which is one of my previous guesses as to what may have happened. What this means is that someone spammed me, and I bounced the message back to the "sender" (as defined in the email header). That can apparently get me blacklisted.

ie, it's possible that it really wasn't an email that I sent at all, but a rejection notice.

...

If it's a bounce problem, then I probably can't do anything about it at all.

Correct, and I would guess the more likely problem from your description. Do not return messages to the often forged email addresses in any messages. Reject them during the SMTP transaction and you will not be sending any messages for undeliverable messages.

Have you had a look at: http://www.spamcop.net/fom-serve/cache/329.html

I didn't post the IP address here because there's not much point.

On the other hand, I know you looked at other Topics in this Forum section. Not sure how you overlooked things like SenderBase data, just as a for instance ...

The server is de-listed, the only report was a spamtrap address for which there is no information shown. I did post the IP address to the spamcop admin address that I have (as a long-term SpamCop user I've access to that info - but responses to that address don't seem as quick as they used to be).

??? That information is provided in numerous FAQ entries, over in the Wiki, and countless numbers of posts within the Forum, and that's not to mention the same data available in the newsgroups (and archives). As a long-time user, it would seem apparent that you'd know that there is Don and two others recognized as Deputies ... last stated volume of e-mail for them was typically between 800-1800 e-mails a day ... if you addressed your e-mail to Don's account, then you reduced the count of people seeing and acting on that e-mail to one.

There's no threshold mentioned on that page, so I can't guess at what point someone gets listed. It does say that a host can be listed with as little as two users reports, and that spamtrap reports have greater weighting - so it seems possible that a single spamtrap report was that cause.

Back before 'reputation points' it was basically 2% ... but again, there is definitely enough of a formula offered up on that page to reflect that one spamtrap hit as compared to 5-6,000 e-mails is not enough to trigger a listing. Again, this is a SenderBase item that could/should have been researched.

Which is one of my previous guesses as to what may have happened. What this means is that someone spammed me, and I bounced the message back to the "sender" (as defined in the email header). That can apparently get me blacklisted.

ie, it's possible that it really wasn't an email that I sent at all, but a rejection notice.

Meaning many more FAQ entries dealing with things / terms like Misdirected Bounces, BackScatter, etc.

as far as I am aware there have never been any previous SpamCop reports about this host and the use of these lists.

Additional data, had it been provided, may have allowed someone 'here' to at least try and take a look.

But, I am willing to accept the possibility that a rogue address has got in there somehow, and by-passed the verification.

A mailing-list run appropriately would not meet the above condition, as spamtraps send no e-mail, so therefore wouldn't have replied 'to confirm' either ....

Tell me what it is and I'll check the logs to see how it got there, remove it and block it from being added again. If, indeed, that is the problem.

Otherwise I can't really see what I can do about this (if it's a list problem).

If it's a bounce problem, then I probably can't do anything about it at all.

You've already pointed out that it's publicly posted that you won't be handed the address in question. If it's a 'bounce' issue, then you are contributing to the world-wide spam issue. Please reconfigure your servers to not send e-mail to forged From: / Reply-To: data.


Hey, Wazoo, thanks, that wasn't very useful at all. Perhaps you can find a better way to fill your day?

As to your 2% threshold claim, 2% of what? Just because I said there are 6,000 potential receivers of email, that's nothing like saying that there are 6,000 actual receivers of email in any given period. ie, if we sent out 50 emails in a day, and that was somehow registered accurately somewhere, then a single spamtrap addressed mail is enough to get our host listed.

If the computation is a score of five times the number of spamtrap emails as a percentage of our total email volume, then a single spamtrap addressed mail would score 5, indicating that if our volume was less than 250 we could get listed?

Edited by thatsaspam


If you are sending NDRs to "FROM" and "REPLY-TO" addresses, which are almost always forged in spam, rather than rejecting the message with a 500 series SMTP error, you will send messages to spamtraps, and to people that do not want the messages, and you will get listed. This is simple to fix, all you have to do is configure your mailserver to properly reject messages, rather than generating NDRs after it has already accepted the email.

If you want to be sure, you can send an email to deputies[at]admin.spamcop.net with your IP address, and ask them what type of traffic they are seeing in the spamtraps from you. They won't be able to give you exact information, as the spamtrap addresses are pretty closely guarded secrets, but they will be able to tell you if they are seeing genuine spam, or just misdirected bounces.

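The difference Telarin describes, rejecting an unknown recipient with a 5xx reply during the SMTP transaction versus accepting the message and then generating an NDR, can be modelled in a few lines. The following is an added Python example, not code from this thread or from any mail server; the relay, the list of valid mailboxes and the sample traffic are all constructed for illustration, and the reply codes follow the RFC 5321 / RFC 3463 conventions.

```python
"""Constructed model of a relay (e.g. a secondary MX) deciding what to do
with mail for unknown recipients: reject in the SMTP transaction, or accept
and later bounce to the (often forged) envelope sender.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the mailboxes that actually exist on the final destination host.
VALID_MAILBOXES: Set[str] = {"alice@example.org", "list-request@example.org"}

# Constructed sample traffic: (envelope sender, recipient, description).
# Spam normally carries a forged sender, so any NDR for it hits a third party.
SAMPLE_TRAFFIC: List[Tuple[str, str, str]] = [
    ("victim@forged.example", "nosuchuser@example.org", "spam, forged sender"),
    ("other-victim@forged.example", "bogus@example.org", "spam, forged sender"),
    ("bob@real.example", "alice@example.org", "legitimate mail"),
    ("<>", "ghost@example.org", "a DSN for a user that does not exist"),
]


@dataclass
class Relay:
    """Relay that may or may not know which recipients exist downstream."""
    recipient_map: Optional[Set[str]]                 # None: no recipient list
    queued: List[Tuple[str, str]] = field(default_factory=list)       # forwarded
    backscatter: List[Dict[str, str]] = field(default_factory=list)   # NDRs sent

    def rcpt_to(self, recipient: str) -> str:
        """SMTP reply to RCPT TO. With a recipient map the relay can answer
        550 now, so the sending side keeps responsibility for the failure."""
        if self.recipient_map is not None and recipient not in self.recipient_map:
            return "550 5.1.1 User unknown"
        return "250 2.1.5 OK"

    def transaction(self, mail_from: str, rcpt: str) -> str:
        """One simplified SMTP transaction: RCPT TO, then onward delivery."""
        reply = self.rcpt_to(rcpt)
        if reply.startswith("5"):
            return reply                  # never accepted, so nothing to bounce
        if rcpt in VALID_MAILBOXES:
            self.queued.append((mail_from, rcpt))
            return "250 2.0.0 Queued"
        # Accepted, but the final host rejects it. The relay now owns the
        # failure and must notify the envelope sender, which for spam is a
        # forged address that never sent anything (possibly a spamtrap).
        # A null reverse-path ("<>") must never receive a DSN.
        if mail_from != "<>":
            self.backscatter.append({"to": mail_from, "for": rcpt})
        return "250 2.0.0 Queued"


def simulate(recipient_map: Optional[Set[str]]) -> Dict[str, int]:
    """Run the sample traffic through a relay and summarise the outcome."""
    relay = Relay(recipient_map=recipient_map)
    rejected_in_session = 0
    for mail_from, rcpt, _desc in SAMPLE_TRAFFIC:
        if relay.transaction(mail_from, rcpt).startswith("5"):
            rejected_in_session += 1
    return {
        "forwarded": len(relay.queued),
        "rejected_in_session": rejected_in_session,
        "backscatter_sent": len(relay.backscatter),
    }


if __name__ == "__main__":
    print("no recipient map  :", simulate(None))
    print("with recipient map:", simulate(VALID_MAILBOXES))
```

Without a recipient map the relay forwards one message and emits two NDRs to addresses that never sent anything; with the map it forwards the same one message, refuses the other three during the session, and emits nothing. In Postfix terms this is what giving a secondary MX a populated relay_recipient_maps table achieves; other MTAs have the equivalent.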

Correct, and I would guess the more likely problem from your description. Do not return messages to the often forged email addresses in any messages. Reject them during the SMTP transaction and you will not be sending any messages for undeliverable messages.

Have you had a look at: http://www.spamcop.net/fom-serve/cache/329.html

Yes, unfortunately this is a clash between what is considered "normal" email practice and the SpamCop philosophy. As to my server, I don't think it can be reconfigured to not send bounces (if we get to the point that we actually establish that the problem is a bounce). Plus, the SpamCop solutions to "I'm away on holiday" type mails just aren't workable for many people - it's appropriate to send out an auto-response.

Here's an example of where this philosophy definitely breaks down: list servers invariably have "commands" addresses for users to subscribe/unsubscribe, etc. These addresses appear in the lists spammers use to distribute their crap (I know this because I see plenty of spam come in sent to those addresses). The list software will send a response asking for verification, which could be sent to a spamtrap address.

Thus, the normal operations of a list server are enough to trigger a SpamCop listing.

To me this seems like a problem with SpamCop rather than a problem with the philosophy of list server software. There should at least be some filtering between "legitimate" bounces, list subscription verification mail and "real" spam. I know that the spam trap address doesn't want any of these, but some of it is unavoidable in a real world mail system.

If you want to be sure, you can send an email to deputies[at]admin.spamcop.net with your IP address, and ask them what type of traffic they are seeing in the spamtraps from you. They won't be able to give you exact information, as the spamtrap addresses are pretty closely guarded secrets, but they will be able to tell you if they are seeing genuine spam, or just misdirected bounces.

Will, thanks, already did that, awaiting a response.

Edited by thatsaspam


Yes, unfortunately this is a clash between what is considered "normal" email practice and the SpamCop philosophy. As to my server, I don't think it can be reconfigured to not send bounces (if we get to the point that we actually establish that the problem is a bounce). Plus, the SpamCop solutions to "I'm away on holiday" type mails just aren't workable for many people - it's appropriate to send out an auto-response.

This is simply not true. Normal and accepted email server operation is to reject undeliverable emails with a 500 series error message during the SMTP transaction, and allow the sending server to worry about generating an NDR to the sender. All current email server applications support this mode, and for the vast majority, it is the default configuration.

Here's an example of where this philosophy definitely breaks down: list servers invariably have "commands" addresses for users to subscribe/unsubscribe, etc. These addresses appear in the lists spammers use to distribute their crap (I know this because I see plenty of spam come in sent to those addresses). The list software will send a response asking for verification, which could be sent to a spamtrap address.

To me this seems like a problem with SpamCop rather than a problem with the philosophy of list server software. There should at least be some filtering between "legitimate" bounces, list subscription verification mail and "real" spam. I know that the spam trap address doesn't want any of these, but some of it is unavoidable in a real world mail system.

There is some amount of filtering and detection that goes on with the spamtrap addresses, as it is not uncommon to see "It appears this listing is caused by misdirected bounces" on the SCBL lookup page. Of course, this is going to depend on the format of the NDR you are returning, as I have seen many that do not follow the "standard" format for NDRs.

As far as verification messages, since these are recommended by spamcop to verify a valid email address before adding it to a mailing list, I suspect that this is taken into account, and these are looked for before adding an IP address to the BL based on spamtrap hits. Of course, this last bit is simply speculation, as I don't know for sure.

Also, your assertion that you are immune to malware simply because you don't have any Windows based PCs on your network is a dangerous fallacy. There is malware floating around for every major (and most minor) OS on the market. In fact, the vast majority of spam websites and nameservers are hosted on compromised *nix machines. They are excellent targets as they are usually connected to fast connections, and many *nix admins have lax security because they believe they can't be targeted.

Edited by Telarin

This is simply not true. Normal and accepted email server operation is to reject undeliverable emails with a 500 series error message during the SMTP transaction, and allow the sending server to worry about generating an NDR to the sender. All current email server applications support this mode, and for the vast majority, it is the default configuration.

That's a bold assertion since the SpamCop help pages themselves say this is a problem, and I get a fair amount of bounce messages that aren't generated by my server (ie they aren't in English, they don't have relevant information for me to act on them, or they are bounced responses to spam).

Also, your assertion that you are immune to malware simply because you don't have any Windows based PCs on your network is a dangerous fallacy. There is malware floating around for every major (and most minor) OS on the market. In fact, the vast majority of spam websites and nameservers are hosted on compromised *nix machines. They are excellent targets as they are usually connected to fast connections, and many *nix admins have lax security because they believe they can't be targeted.

Well, I didn't say we were immune, I just said that we don't have any Windows-based PCs - which cuts down the problem considerably. I also said that there are no reports other than this SpamCop spamtrap issue, and no other indications that there are any "exploits" on the servers. So, my current assumption is that there are no such exploits.

The servers are also heavily firewalled, with few ports open to them, so it would be very difficult to get in there.

Do you know of any malware/control exploits for MacOS X? I've never seen any.

Yes, unfortunately this is a clash between what is considered "normal" email practice and the SpamCop philosophy. As to my server, I don't think it can be reconfigured to not send bounces (if we get to the point that we actually establish that the problem is a bounce). Plus, the SpamCop solutions to "I'm away on holiday" type mails just aren't workable for many people - it's appropriate to send out an auto-response.

Unfortunately, "normal" email practice as you describe it is no longer "normal." Server admins have realized that responding to the return path is more often than not to be responding to an innocent victim of spammer forgery. They have various workarounds for OOO auto responses.

On the internet today, spamcop philosophy about 'misdirected bounces' or NDRs sent to the return path IS the internet philosophy. Even AOL acknowledged years ago that the old-fashioned 'normal' way is no longer workable.

I hope that you are able to find the problem. Since you did state that you are a spamcop reporter, have you configured mailhosts? Is it possible that you used quick reporting and didn't check the spamcop report and you have reported yourself? Have you looked at the firewall logs - it seems that you have since you are confident that your machines are clean - but you didn't actually state that you didn't see any unusual activity. And did you look at the Senderbase statistics? If you have run scans on your machines, the Senderbase statistics are normal, there is no unusual activity in your firewall logs, you are confident that your lists are all confirmed subscription (which I don't remember your stating explicitly), and you do send NDRs to the return path, then it probably is a 'misdirected bounce'. If you stop sending NDRs after acceptance, then perhaps it will be a moot point what actually caused this listing, because if it is an NDR this time, then you won't be listed again.

Miss Betsy

Unfortunately, "normal" email practice as you describe them is no longer "normal." Server admins have realized that responding to the return path is more often than not to be responding to an innocent victim of spammer forgery. They have various workarounds for OOO auto responses.

Like I say, I get lots of these types of bounces, so... Also, we haven't yet established the cause, so between us debating it we're just causing more noise (I'm guilty too!). Like we could have a debate about what SpamCop does with verification email sent out to spamtrap addresses - but we don't know because it is a "secret".

I hope that you are able to find the problem.

Me too!

Since you did state that you are a spamcop reporter, have you configured mailhosts?

Yes.

Is it possible that you used quick reporting and didn't check the spamcop report and you have reported yourself?

It is possible, but I think it's unlikely.

Have you looked at the firewall logs - it seems that you have since you are confident that your machines are clean - but you didn't actually state that you didn't see any unusual activity.

There is no unusual activity.

And did you look at the Senderbase statistics?

Yes, but again they aren't very useful. Because we are few users the volume tends to spike from time to time, there's nothing I can discern from those stats.

you are confident that your lists are all confirmed subscription (which I don't remember your stating explicitly),

There are essentially two types of list. Announce lists and discussion lists. The former are all opt-in and confirmed subscription, the latter are by request from a known user to join, and added by an administrator.

then it probably is a 'misdirected bounce'.

Seems most likely.


SpamCop admins say that list mail went out to one of their spamtrap addresses. Waiting for further information, but they haven't given me the address so I can't find out what has gone wrong.

So, it kind of looks like someone has by-passed the verification process.

Like I say, I get lots of these types of bounces, so...

You'd get a *LOT* more misdirected bounces if people like me weren't reporting them as the spam that they are. I get lots of traditional spam too - that doesn't mean I'd consider sending it.

Which software does your mail server run? Qmail?

So, it kind of looks like someone has by-passed the verification process.

Does your verification process use a unique unguessable token for each request? Which software do you use for your mailing lists?

Edited by Snowbat

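Snowbat's question about a unique, unguessable token per request is the property that makes double opt-in meaningful: confirming proves that whoever confirmed actually received mail at that address, which holds only if nobody else can compute or guess the token. The code below is an added Python example, not code from this thread or from any list-manager software; the weak scheme shown first and the pending-request store are constructed to illustrate the property, and say nothing about the software the original poster runs.

```python
"""Constructed example: confirmation tokens for double opt-in subscriptions."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


def weak_token(address: str) -> str:
    """Constructed weak scheme: the token is a plain hash of the address.
    No secret or randomness goes in, so anyone who knows the address can
    derive it, and a 'confirmation' no longer proves control of the mailbox."""
    return hashlib.sha256(address.lower().encode()).hexdigest()[:16]


class PendingSubscriptions:
    """Pending double opt-in requests, keyed by a hash of a random token.

    Properties enforced: token is random and long (unguessable), bound to
    one address, single use, and expires after `ttl_seconds`.
    """

    def __init__(self, ttl_seconds: int = 3 * 24 * 3600) -> None:
        self.ttl = ttl_seconds
        # token hash -> (address, expiry). Only the hash is stored, so a
        # leaked copy of this table does not yield redeemable tokens.
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, address: str, now: Optional[float] = None) -> str:
        """Register a pending request and return the token to mail to `address`.
        The token must travel only in the confirmation mail sent to that address."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)           # 256 bits from the OS CSPRNG
        self._pending[self._key(token)] = (address, now + self.ttl)
        return token

    def confirm(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Redeem a token once, within its lifetime. Returns the confirmed
        address, or None if the token is unknown, already used, or stale."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._key(token), None)   # pop = single use
        if entry is None:
            return None
        address, expires = entry
        if now > expires:
            return None
        return address


if __name__ == "__main__":
    store = PendingSubscriptions()
    tok = store.request("user@example.org")
    print("mail this token to user@example.org:", tok)
    print("confirmed:", store.confirm(tok))
    print("second use:", store.confirm(tok))
```

The relevant checks when reviewing a list manager are exactly the four the class enforces: the token comes from a CSPRNG rather than from the address, a counter or a timestamp; it is tied to a single address; it is accepted only once; and it expires. Anything derivable from public data, like weak_token above, lets a third party complete a subscription for an address they do not control.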

Everybody gets lots of these 'misdirected bounces' from irresponsible or ignorant ISPs. Now, I don't mean to be insulting, but just as most server admins have ways to prevent spam from leaving their mail servers, most server admins no longer use NDRs for mail that has been accepted. Since you seem to be running a very specialized internet service, you can be excused for not knowing that they are now old-fashioned. In fact, when the spammers first started using the forgeries, even spamcop employees said that what they now are calling 'misdirected bounces' were not only useful, but essential and wouldn't consider allowing them to be reported. However, now that almost all spam has the return path forged, the problem is just as bad as spam. Even worse for some people who get hundreds and thousands.

And, of course, just as there are greedy and irresponsible ISPs out there that don't care how much spam is sent (I am sure that one server admin said that he knew that the server that filtered incoming email was being used by trojans to send spam, but he didn't care because it never sent email), there are also server admins who are too lazy or really have no idea what they are doing or just don't care, who allow 'misdirected bounces' in spite of the fact they end up on blacklists (and not just spamcop's).

I don't think that spamcop deputies will give you an address. It would compromise that spam trap.

It might be possible that one of the emails on the request list had a typo in it.

Miss Betsy

Does your verification process use a unique unguessable token for each request?

Let's just say that after some testing I found that there is a rather large security hole. I've informed the developer, I suppose I'll have to wait a few days to see what they say.

You'll excuse me for being a little obscure on the response, I hope.

I don't think that spamcop deputies will give you an address. It would compromise that spam trap.

I suppose that's true. But I suppose it's also true that having people blacklisted who want to be "clean" tends to undermine the usefulness of the entire system. You'd kind of think I'd have some standing as a non-spammer, reporting thousands of emails over the last five years or so, that I wouldn't be releasing that information to others.

But, wow, what a sleeper cell I'd make, spending hundreds of hours building up my credibility so I could compromise just one SpamCop spamtrap address!

It might be possible that one of the emails on the request list had a typo in it.

You mean in the sense that someone keyed it incorrectly? No, it doesn't work like that, the user inputs their own address, and responds with a confirmation from that address. If there's some input issue with the email address - that I can't really trace because I don't know the address - it could be that someone's input two addresses separated by a comma, or that they've used some old relay syntax by putting in a "%".

While I think of it, it's not really correct to say that it's only brain-dead or ignorant mail admins that are accepting mail, and then sending bounce messages to the "from" or "reply-to" address. One example where this can occur is where a secondary mail server or relay does not know the accounts on the target machine. Therefore the secondary/relay takes the mail in good faith, the final destination host rejects this, and the secondary/relay doesn't have much option other than to bounce to the apparent sender.


Yes, unfortunately this is a clash between what is considered "normal" email practice and the SpamCop philosophy. As to my server, I don't think it can be reconfigured to not send bounces (if we get to the point that we actually establish that the problem is a bounce). Plus, the SpamCop solutions to "I'm away on holiday" type mails just aren't workable for many people - it's appropriate to send out an auto-response.

It is no longer "normal email practice" to be sending email to people who never requested it. It has not been acceptable for several years now and it is not only SpamCop saying this. All OoO messages are not bad, they just need to be thought through. If you are filtering your incoming so you are unlikely to be sending any autoreply to a spam message, you will likely not have any problems. All the messages you are bouncing to innocent third parties could be reported to your ISP. Most people do not report them, but they are not acceptable.

Here's an example of where this philosophy definitely breaks down: list servers invariably have "commands" addresses for users to subscribe/unsubscribe, etc. These addresses appear in the lists spammers use to distribute their crap (I know this because I see plenty of spam come in sent to those addresses). The list software will send a response asking for verification, which could be sent to a spamtrap address.

Thus, the normal operations of a list server are enough to trigger a SpamCop listing.

To me this seems like a problem with SpamCop rather than a problem with the philosophy of list server software. There should at least be some filtering between "legitimate" bounces, list subscription verification mail and "real" spam. I know that the spam trap address doesn't want any of these, but some of it is unavoidable in a real world mail system.

Will, thanks, already did that, awaiting a response.

What do you not understand about one report not causing a listing????? http://www.spamcop.net/fom-serve/cache/297.html

The SCBL will not list an IP address with only one report filed.

I have gotten many "list subscription verification" emails which are real spam because I did not request them.

spam, for most of the internet, is defined as UCE or UBE, Unsolicited Bulk or Commercial Email. It does not matter what the content of the message is, only that it was not requested, that you have no authority to use that address. Sending one message to that address will not get you listed.

You say it is unavoidable, yet many other lists have never been listed.

One example where this can occur is where a secondary mail server or relay does not know the accounts on the target machine. Therefore the secondary/relay takes the mail in good faith, the final destination host rejects this, and the secondary/relay doesn't have much option other than to bounce to the apparent sender.

The other option (only viable one) is to drop that bounce message because the sender address can no longer be assumed to be the correct sender, unless the messages are filtered of the majority of spam before forwarding.

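The point above that out-of-office messages "just need to be thought through" can be made concrete. The function below is an added Python example, not code from this thread or from any MTA or vacation program; it applies the RFC 3834 rules for when an automatic response must not be sent (null reverse-path, Auto-Submitted, bulk precedence), skips mailing-list traffic and system senders, and takes the local spam filter's verdict as an input. The sample messages are constructed.

```python
"""Constructed example: gate an out-of-office auto-reply on the incoming
message's envelope and headers, following RFC 3834 and common list practice.
"""
from email import message_from_string
from email.message import Message
from typing import Tuple

# Headers that mark bulk, list or automated traffic. Replying to these
# produces loops, noise, or mail to forged and spamtrap addresses.
_BULK_PRECEDENCE = {"bulk", "list", "junk"}
_LIST_HEADERS = ("List-Id", "List-Unsubscribe", "List-Post")
_SYSTEM_SENDERS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}


def should_autoreply(envelope_sender: str, raw_message: str,
                     spam_flagged: bool = False) -> Tuple[bool, str]:
    """Return (decision, reason). Reply only when no stop rule applies."""
    msg: Message = message_from_string(raw_message)

    # RFC 3834: never respond to a null reverse-path. DSNs and most other
    # automatic mail arrive with MAIL FROM:<>; answering them creates loops.
    if envelope_sender.strip() in ("", "<>"):
        return False, "null envelope sender"

    # RFC 3834: do not respond to messages marked Auto-Submitted with any
    # value other than "no" (e.g. auto-generated, auto-replied).
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, f"Auto-Submitted: {auto}"

    # Precedence: bulk/list/junk is the older convention for the same thing.
    if (msg.get("Precedence") or "").strip().lower() in _BULK_PRECEDENCE:
        return False, "bulk precedence"

    # Mailing-list traffic: an auto-reply would go back to the list.
    for header in _LIST_HEADERS:
        if msg.get(header):
            return False, f"list header {header}"

    # Local content filter verdict. Spam almost always carries a forged
    # sender, so the auto-reply would reach an uninvolved third party or a
    # spamtrap, which is exactly what gets a host listed.
    if spam_flagged:
        return False, "flagged as spam by local filter"

    # Mailer daemons and other system mailboxes should not receive replies.
    sender_local = envelope_sender.strip().lstrip("<").split("@")[0].lower()
    if sender_local in _SYSTEM_SENDERS:
        return False, "system sender"

    return True, "ok"


# Constructed sample messages (headers only matter for the decision).
COLLEAGUE = "From: Bob <bob@real.example>\nSubject: Meeting\n\nSee you Tuesday.\n"
NEWSLETTER = ("From: news@shop.example\nPrecedence: bulk\n"
              "Subject: Offers\n\nBuy now.\n")
LIST_MAIL = ("From: someone@members.example\nList-Id: <talk.list.example>\n"
             "Subject: Re: thread\n\ntext\n")
OTHER_OOO = ("From: carol@partner.example\nAuto-Submitted: auto-replied\n"
             "Subject: Out of office\n\nBack next week.\n")

if __name__ == "__main__":
    for sender, raw in [("bob@real.example", COLLEAGUE),
                        ("news@shop.example", NEWSLETTER),
                        ("someone@members.example", LIST_MAIL),
                        ("carol@partner.example", OTHER_OOO),
                        ("<>", COLLEAGUE)]:
        print(sender, "->", should_autoreply(sender, raw))
```

The ordering matters: the envelope check comes first because it needs no parsing and catches bounces outright, and the spam-filter flag sits after the header rules so that a message a filter misses is still stopped if it is bulk or automated. An auto-reply that is sent should itself carry Auto-Submitted: auto-replied and a null reverse-path, so that other systems applying the same rules do not answer it.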

All OoO messages are not bad, they just need to be thought through.

Except that the SpamCop help pages say "don't send them at all"!?

If you are filtering your incoming so you are unlikely to be sending any autoreply to a spam message, you will likely not have any problems. All the messages you are bouncing to innocent third parties could be reported to your ISP. Most people do not report them, but they are not acceptable.

I think you really need to jump into the real world here rather than the idealised one you think exists.

spam gets through spam filters - no matter how hard you try to stop it. Spammers see it as their job to get past the spam filters, and there are a lot of them working at it - some of them will be successful.

Once they've done that how do you propose that a machine decides that after all it really is spam, and doesn't send its auto-response (which the user of that account actually really wants it to do). There has to be a trade-off here between declaring false positives and letting spam through, between what the user of the account wants to do and what is practical to send out auto-responses to.

What do you not understand about one report not causing a listing????? http://www.spamcop.net/fom-serve/cache/297.html

I think it depends how you parse it. It reads to me like "you need two users' reports"; that isn't the same as needing two spamtrap reports. I can see how you can read it differently. Maybe someone needs to edit it. SpamCop admins have supplied one partial header, they haven't indicated that there are more.

I have gotten many "list subscription verification" emails which are real spam because I did not request them.

I guess you could report them as such, but I'm not sure that's a good use of anyone's resources. If a spam gets through some filtering and sends an auto-response then that's the price we pay for having some kind of "open" internet. Likewise the price we pay for a free and open society is some tolerance of crime - we could of course lock everyone up who is under 70, but I can't see that really solving the problem.

spam, for most of the internet, is defined as UCE or UBE, Unsolicited Bulk or Commercial Email. It does not matter what the content of the message is, only that it was not requested, that you have no authority to use that address.

So, what are you suggesting: that anyone sending an email should first request that they can send an email to a certain address? How should they do that, make a phone call first?

You say it is unavoidable, yet many other lists have never been listed.

And the SpamCop help pages indicate that it happens a lot. So? I've never been listed before, I've never had this problem. Things change, I'm trying to react to that problem and this change.

The other option (only viable one) is to drop that bounce message because the sender address can no longer be assumed to be the correct sender, unless the messages are filtered of the majority of spam before forwarding.

But that's what is happening!?

[tag fixed]

Edited by Farelf


A wider pool of mail/server admins to bounce ideas off might be found at http://www.webservertalk.com/ - maybe there are some "elegant" solutions to the OoO autoreply thing (though spamfiltering at the "edge", mentioned by an earlier poster, seems to work fairly well as far as I can see). Anyway, stuff like edge servers and so on might be covered over there. Non-technical myself, not able to assess the possible usefulness of much of the discussion. They seem to have their share of trolls and spammers though :D.


I think you really need to jump into the real world here rather than the idealised one you think exists.

Thank you, but I believe myself and my employer are both in the real world, last time I checked.

spam gets through spam filters - no matter how hard you try to stop it. Spammers see it as their job to get past the spam filters, and there are a lot of them working at it - some of them will be successful.

Yes, but at my company (14 domains with MX records) we are able to get only a few through to the users. We start with Postini filtering the majority at the edge, then have additional spam and virus filters installed at the server. We get a call maybe once a week asking about a spam that got through, and our scanning of the users' accounts indicates not much more than that is getting through.

Yesterday's Postini stats (Grand Total):

Messages 11,768; Bytes 303,205,378; Acct Msgs 11,746

Forwarded Acct Msgs:    3,499  (29.8% of msgs, 82.3% of bytes)
Blocked Acct Msgs:      6,471  (55.1% of msgs, 14.3% of bytes)
Quarantined Acct Msgs:  1,776  (15.1% of msgs,  3.4% of bytes)

Once they've done that, how do you propose that a machine decides that after all it really is spam, and doesn't send its auto-response (which the user of that account actually really wants it to do)? There has to be a trade-off here between declaring false positives and letting spam through, between what the user of the account wants to do and what is practical to send out auto-responses to.

As I said, with proper filtering, it should not be a problem. Also, depending on your management, it may be really simple. Current company requests we use OoO and that is with the filtering I mentioned above. There have been no problems reported to this point, though that of course could change. Previous company, OoO were banned to external sources (and actually filtered out and the user reminded of the rules) because IT explained the problems to upper management, and they understood the issue and agreed. Many lower management people were not happy, but they managed.

I guess you could report them as such, but I'm not sure that's a good use of anyone's resources. If a spam gets through some filtering and sends an auto-response then that's the price we pay for having some kind of "open" internet. Likewise the price we pay for a free and open society is some tolerance of crime - we could of course lock everyone up who is under 70, but I can't see that really solving the problem.

Maybe you have a tolerance for crime, I don't and I especially do not try to instill that in my children.

So, what are you suggesting that anyone sending an email should first request that they can send an email to a certain address? How should they do that, make a phone call first?

A phone call could be used, but if you already have their phone number, they likely already contacted you. If so, you should have requested authorization to use that information to send them email updates. It is quite common these days in case you had not noticed all the extra check marks every time you enter your email address on a form. Also, a web page can request contact information and authorization or a regular mailing can request contact information and authorization. Email should never be used as a first contact. That is the definition of spam.

Sorry, but your last quoted statement is starting to sound like you are in fact spamming. I don't think that was the way you meant it, however.

Running a business takes money to make money. Email is virtually free to the sender (only connect charges if those are not stolen) and most of the charge is passed to the receiver (connection time and/or data charges), which is why spamming is fought against, but also why it is popular among those starting out (and the criminals). My previous company saved more than the price of Postini on internet charges alone the first year it was implemented.

We get a call maybe once a week asking about a spam that got through, and our scanning of the users' accounts indicates not much more than that is getting through.

So, I think you are admitting there that spam filters are not infallible?

As I said, with proper filtering, it should not be a problem.

No, I'm sure you are saying that "with proper filtering it's a much smaller problem", aren't you? If that's the case then you are agreeing with my previous position that a certain number of bounces, including auto-responders and list verification emails, are in fact inevitable.

Maybe you have a tolerance for crime, I don't and I especially do not try to instill that in my children.

I have a tolerance of crime because I don't think it's a useful function of society to lock everyone up who could possibly commit a crime. I take it your children live in the basement dungeon and never see the light of day?

No, well that's what I'm saying, in managing servers and services you need a little pragmatism. The dogma you're spouting is the same thing that locks people up without trial.

A phone call could be used, but if you already have their phone number, they likely already contacted you.

I think we are talking at cross purposes here. Obviously if you want to put someone on a mailing list you have to ask their permission, and confirm that. No problem there, we all agree. What you said is that you need authorisation to use anyone's email address. Personally I can't see how that's possible. i.e. the deputy's address is known, it's on the web site, but I don't see a telephone number there to call them and ask if I can mail them - so that I'm sure that I have "authorisation"!?

Email should never be used as a first contact. That is the definition of spam.

That's just stubborn dogma, and I'm sure you don't practice it yourself. I'm sure you've emailed people without having first sought their permission, merely because they've put their contact details on a web site. I'm not suggesting that you sent them commercial email, but I am trying to illustrate to you that you need to be more precise in your use of language, or you're going to be misunderstood.

My position on mailing lists is stated above. That doesn't mean I need prior authorisation for every email I send.

Sorry, but your last quoted statement is starting to sound like you are in fact spamming. I don't think that was the way you meant it, however.

I'm just pointing out that your use of terms is unclear.

Running a business takes money to make money.

Mostly :-)

A wider pool of mail/server admins to bounce ideas off might be found at http://www.webservertalk.com/ - maybe there are some "elegant" solutions to the OoO autoreply thing (though spamfiltering at the "edge", mentioned by an earlier poster, seems to work fairly well as far as I can see).

Yes, I'm discussing the particular issue I'm seeing with other people, I'm sure we'll get to a solution.

BTW, thanks for fixing the quote tag, I kept looking at it but couldn't find the problem.

The other option (only viable one) is to drop that bounce message because the sender address can no longer be assumed to be the correct sender, unless the messages are filtered of the majority of spam before forwarding.

Sorry, I had to come back to this, because it is simply nonsensical.

This is the scenario I've laid out: email goes into a secondary/relay server, that server does not have access to the account information, and thus accepts the email (this is what secondary/relay servers are for). The primary server, when it comes back online, or has capacity, then rejects that mail, leaving the secondary with a message it cannot deliver.

What you are saying is that the secondary should just quietly drop that message and notify no one.

I can understand that you'd want to do that with spam, but I also think you're letting dogma overtake the practicalities of the situation.

Here's a scenario. An employee leaves a firm, and their email account is turned off (or someone's email address is published with a typographic mistake, somewhere, anywhere). That mail goes to the secondary, and is rejected by the primary. The secondary "eats" the message and gives no notification.

The good faith user is sitting at home waiting for a response. He has an expectation that his email was received, because he didn't get a bounce message.

He tries again a day or so later. He still gets no bounce messages - so perhaps assumes that this company/person is not interested in him, and finds someone else to talk to/buy from.

To me this doesn't seem a very satisfactory outcome for anyone concerned.

Had the email returned a bounce message then the original sender can work out that there is a problem, and may try some other mode of contact or do some research to find another email address. He may not take that option because he thinks he is being ignored.

Does that make sense for you?

Let me try it another way. If you make a phone call and the phone just rings and rings, no one answers, you'll probably assume that no one is there to answer the call. You may try again later, and you may get the same response and assume the same thing.

If you dial the same number and constantly get an engaged signal, or some odd fault on the line, you're probably going to call the operator to try to find out what is wrong. i.e., getting feedback about a problem is generally a good thing.

... What you are saying is that the secondary should just quietly drop that message and notify no one.

I can understand that you'd want to do that with spam, but I also think you're letting dogma overtake the practicalities of the situation. ...

Interesting divergence right there. If most of the mail at that point is spam of course you would drop it. Many networks are seeing 90%+ of messaging being spam. End users who don't see that much spam are generally behind a massive filtering program (whether they're aware of it or not). Business accounts, at the intersection with the internet, are not usually filtered. The suggestion has been that filtering takes place before distributing for individual employee account action, in particular OoO notification.

I know quite a few corporations still use OoO and it is, indeed, very useful for the person trying to make contact. I don't know whether they rely on the "simple" filtering or something more advanced (which is why I suggested researching/querying an admin's forum in my previous post). I do know they have no particular problem with SC. You usually have no problem with SC. But you did recently. Maybe you and those other corporations have a totally different "spam experience". But I doubt it, all evidence is that there are no blessed pockets of immunity or if there are they are very well hidden. If you OoO autoreply routinely without effective filtering you are going to be scattergunning a lot of bewildered people. If insufficient of them are SC reporters then you are escaping SCBL listing purely on that basis. That doesn't mean you would not be affecting them. If that's what's happening.

If the suggestions thus far are unpalatable you will of course look further for other suggestions. The spamtraps, the issue bringing you here, are not going to go away. Normally you could not hit a spamtrap with either an OoO autoreply or a confirmed address mailing list. I think no-one here can explain how that could happen. Which causes something of a crisis of confidence, at several levels.

But when, however that is resolved, it is put behind you, reverting to the refrain (I can understand) you are finding tedious - not hitting a spamtrap and not "spamming" (however unfair the characterization) are not the same thing. No moderator would resile from that and I doubt many other SC forum or NG participants would either.


This has veered far from a "SpamCop Blocklist Help" item .. off to the Lounge with this ...


You are starting to take the argument to extremes where it is no longer making sense (which is why Wazoo moved it).

Sorry, I had to come back to this, because it is simply nonsensical.

You think it is, I have used it in practice.

This is the scenario I've laid out: email goes into a secondary/relay server, that server does not have access to the account information, and thus accepts the email (this is what secondary/relay servers are for). The primary server, when it comes back online, or has capacity, then rejects that mail, leaving the secondary with a message it cannot deliver.

What you are saying is that the secondary should just quietly drop that message and notify no one.

Yes, or if notifications are necessary, send them to your postmaster account and handle them on an individual basis.

Postini provided our backup/storage and was configured with our account list (pain to administer, but worth it). Wherever I have worked, the secondary/backup is only in place for very short times during an emergency with the primary (I was at the last place for 10 years and backup MX was used maybe 5 times during 2 major network outages and other minor problems). The numbers of dropped valid messages are minimal.

I can understand that you'd want to do that with spam, but I also think you're letting dogma overtake the practicalities of the situation.

Here's a scenario. An employee leaves a firm, and their email account is turned off (or someone's email address is published with a typographic mistake, somewhere, anywhere). That mail goes to the secondary, and is rejected by the primary. The secondary "eats" the message and gives no notification.

The good faith user is sitting at home waiting for a response. He has an expectation that his email was received, because he didn't get a bounce message.

He tries again a day or so later. He still gets no bounce messages - so perhaps assumes that this company/person is not interested in him, and finds someone else to talk to/buy from.

To me this doesn't seem a very satisfactory outcome for anyone concerned.

Had the email returned a bounce message then the original sender can work out that there is a problem, and may try some other mode of contact or do some research to find another email address. He may not take that option because he thinks he is being ignored.

Does that make sense for you?

What does not make sense to me is why your primary email is down so much to use your secondary for the same message twice. You are extending your facts to fit your argument.

Also, the good faith user needs to learn that email is not a guaranteed delivery medium, but that is another argument for another day.

Let me try it another way. If you make a phone call and the phone just rings and rings, no one answers, you'll probably assume that no one is there to answer the call. You may try again later, and you may get the same response and assume the same thing.

If you dial the same number and constantly get an engaged signal, or some odd fault on the line, you're probably going to call the operator to try to find out what is wrong. i.e., getting feedback about a problem is generally a good thing.

The phone system is again, completely different. You have your feedback either way. Email is closer to tying a note to a rock and throwing it over the wall.

You have taken all of your arguments to the ridiculous. I will not be replying again... Good day sir.

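One concrete way to do what the last poster describes (a secondary MX "configured with our account list") so that it refuses unknown recipients during the SMTP session rather than accepting them and bouncing later. This is an added example, not configuration from anyone in this thread; it assumes Postfix as the secondary MX (the thread names no MTA) and the constructed domain example.com.

```ini
# /etc/postfix/main.cf on the SECONDARY MX (added example; Postfix and
# example.com are assumptions, the thread names neither)

# --- Weak: relay the domain but know nothing about its mailboxes ---
# With only relay_domains set, the secondary answers "250 OK" to every
# RCPT TO for example.com and queues the message. It learns that the
# recipient does not exist only when the primary says 550 at forwarding
# time, and then must send a DSN to the envelope sender. For spam that
# sender is usually forged, and that DSN is the backscatter that can
# land on a third party or a spamtrap.
#
#   relay_domains = example.com        # on its own: accept-then-bounce

# --- Corrected: give the secondary the primary's recipient list ---
# When relay_recipient_maps is non-empty, an address that is in
# relay_domains but not in the map is refused during the session with
# "550 5.1.1 ... Recipient address rejected: User unknown in relay
# recipient table". Nothing is queued, so this host never generates a
# DSN. A genuine sender who mistyped an address still gets a bounce,
# but from their own submission server, which knows who they really are.
relay_domains = example.com
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Postfix default is already "yes"; listed so the intent is explicit.
smtpd_reject_unlisted_recipient = yes
# Where accepted mail goes once the primary is reachable again.
relay_transport = smtp:[mail.example.com]

# /etc/postfix/relay_recipients (constructed sample; rebuild the hash
# table with "postmap /etc/postfix/relay_recipients" after every change)
# One line per deliverable address; the right-hand value is ignored.
#   sales@example.com   OK
#   info@example.com    OK
```

The recipient list has to be regenerated from the primary whenever accounts are added or removed (the poster above calls this a "pain to administer"), otherwise the secondary starts refusing mail for new mailboxes.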
