
Does Microsoft utilize and coordinate with DNSBLs from SpamCop and others?


Kristian

Dear all

For the last three months, I have received an increased amount of spam from the Microsoft system. SpamCop has decided that appropriate reports should be sent to the addresses report_spam[at]msn.com, report_spam[at]hotmail.com or abuse[at]msn.com, and almost virtually all SpamCop reports have been sent to these addresses lately with very few exceptions. I can get up to 8-10 emails like this per day.

I am using Mailwasher to bounce and blacklist spammers in combination with reporting the spam to SpamCop on web. This has been an excellent combination because Mailwasher bounces my email address so it appears it never existed, and I am able to report the ISP to SpamCop if it has not already been DNS blacklisted.

In Mailwasher I see that most Yahoo.com addresses have been blacklisted by either Spamhaus or SpamCop. Furthermore, when reporting to Yahoo, I most often get a nice reply that they have taken appropriate action against the account. Yahoo also takes action against accounts where the origin is not Yahoo (according to the SpamCop reporting). Since Feb. 28, Yahoo has closed down 249 spammer accounts based on my reports :)

However, virtually none of the emails originating from the Microsoft system (according to SpamCop) are blacklisted by SpamCop, Spamhaus or any other DNSBL. Therefore, I'm wondering if the Microsoft system coordinates their anti-spam policies sufficiently with DNSBLs such as SpamCop, Spamhaus, MAPS RBL, SORBS or SPEWS. Reporting spam to Yahoo has been a positive experience, but when sending to the Microsoft system, it feels like sending emails into a black hole. How does Microsoft coordinate with SpamCop?

Cheers

Kristian

I am using Mailwasher to bounce and blacklist spammers in combination with reporting the spam to SpamCop on web. This has been an excellent combination because Mailwasher bounces my email address so it appears it never existed, and I am able to report the ISP to SpamCop if it has not already been DNS blacklisted.

Use of the MailWasher Bounce function is strongly recommended against as a bad thing. It does not work as you described it, it does not make your e-mail address "appear as it never existed" .. and in fact, this could be putting your hosted account in hazard for several reasons. Even worse, these 'fake bounces' could be tagging your host's e-mail servers as "sources of spam" by those hapless folks that have had their e-mail addresses forged into 'your spam' and as such may be merrily reporting away upon receiving these 'spam' e-mail (that really are) from you.

I'm wondering if the Microsoft system coordinates their anti-spam policies sufficiently with DNSBLs such as SpamCop, Spamhaus, MAPS RBL, SORBS or SPEWS.

Although in the past, Microsoft, to include Bill Gates specifically, swore they were going to have the spam problem fixed, that was a few years back. There have been world-wide conferences, many briefings, a lot of white-paper releases, but .... spam is still here. Microsoft dealing with other companies, well, not really discussed publicly. After all, "if a company had something worth while, Microsoft would buy it or put it out of business by offering up a 'free' version" has been the game plan for many, many years. Kind of makes it hard for some other companies to 'come to the table' and talk with Microsoft about much of anything.

Of course, one could make note that Microsoft bought out Brightmail a few years back and this is used for the Microsoft/HotMail/Live-Mail stuff these days.

Thanks for the advice on not bouncing in Mailwasher, Wazoo. I will disable that feature.

Seems like we are fighting an uphill battle against Microsoft....

But does anyone know if they utilize DNSBLs at all?

They are very aggressive when it comes to blocking spam into their networks - at least hotmail is. I don't know what they do about stopping spammers. The only control that hotmail seems to have is that you can only send so many emails a day. Of course, there may be others, but since I don't spam, I haven't encountered them. Yes, I have encountered another one. Once in a while, I am required to do one of those boxes with the letters before I can send an email.

I got an internal (hotmail account to hotmail account) phish that I reported manually to the abuse address. I got two return emails (aside from the automatic one) stating that they were doing something. The second one said that they had closed the hotmail account that was allegedly the sender. And I can't remember what action they took on the first one. I was surprised, after their history of closing accounts at the smallest hint of spam (like Wazoo's and my daughter's just because they were associated with a spam email that they had received), that there was additional investigation about the sender address.

Very often, ISPs do not send replies to spamcop reports, even the automatic replies. I hate to disillusion you, but 'appropriate action' does not necessarily mean that the account was closed. If the spam came from a non-yahoo IP address, with a forged yahoo address in the sender line, the forged address was probably not the spammer and the appropriate yahoo action would be to ignore your report.

There are three parts to an email that can indicate where the spam came from. The IP address of the sending computer that connects to the receiving mail server. This IP address generally can be relied on. When you report via spamcop, spamcop looks up the abuse email address for the IP address and sends the report to the abuse email address. The IP address is also added to the spamcop blocklist. The return-path is the second element. When you reply to an email, your mail server looks at the email address in the return-path. This can be changed. I can send an email from my hotmail account that has a return address to another email account. The third element is the sender name that appears in your email client. This also can be changed. I don't often change it, but it would be possible to make all my emails say "Miss Betsy" instead of 'Miss Betsy or husband'. The second and third elements are routinely forged by the spammers so that no email that comes to an inbox is returned to them. Usually the sender name and the return path are forged by the spammer with another email address from their list and no one filters using the sender name or return path. They can't forge the IP address of the computer that they send the email from.

Blocklists like spamcop, spamhaus, etc. consist of IP addresses, not email addresses. Mail server admins consult those blocklists and compare the IP addresses of incoming email to them. Some server admins compare the IP addresses before they accept the email. If there is a match, they return the email to the sending server. Other mail server admins tag the email as spam if there is a match. Since I am not a server admin, I am not very clear on exactly how or when they do their filtering. They also use content filters to decide whether an email is spam or not which also have to be used after the email is accepted. Some ISPs allow you to choose the level of spam filtering; other ISPs simply do not deliver email tagged as spam to you. A lot of spam is sent by 'bots' - computers that have been infected by a trojan. I suspect that most server admins use the blocklist that has identified the 'bots' before email is accepted. Since the infected computer is not a mail server, it cannot be contacted by the receiving mail server and the email just disappears.

The problem with blocking mail servers is that anyone using that email server to send email will also be blocked. hotmail servers send millions of legitimate emails every day. If one spammer slips past their controls, other server admins will not block hotmail because the server admin customers would not get any email from their correspondents who use hotmail. The server admin will accept the email, possibly check against filters and tag it as spam, but will deliver it to their customers.

The beginning premise of spamcop was that the server admin who received a spamcop report would immediately find and stop a spam run. The spam run would be blocked (as well as legitimate email) as long as the server admin did not find and stop it. If the server admin is competent, there would be minimal interruption of service to his other customers (and that only if they emailed networks where the server admin was using the spamcop blocklist). As legitimate businesses discovered that sending unsolicited email was not a good idea and spam came more and more from criminals and shifty merchants, sending a report has become less and less important. It does still alert responsible server admins that someone on their networks has an infected computer or that a spammer has slipped by their defenses, but in comparison to volume that happens rarely.

The important part of spamcop now is the blocklist. There are lots of blocklists that server admins use because each one has a different focus. The scbl doesn't work well against the spammers who use a rotating system of IP addresses to send their spam. However, other blocklists do discover all those IP addresses and list them permanently. On the other hand, the scbl often identifies a new source before it is identified by other blocklists so it is used in conjunction with other filters - blocklists using IP addresses only and other filters such as content or spamvertised websites.

There have been several complaints recently against Microsoft for not controlling the amount of spam that comes from their servers. These things tend to go in cycles - MS comes up with a way to detect and stop spammers - spam from them goes down; the spammers start experimenting with ways to get around those controls and find a way to get around the controls - spam from them goes up; MS comes up with a way to stop them - spam from them goes down. It reminds me of a story my father used to tell about WWII. The manufacturer of bunkers complained that every time he designed a wall that the Army shell couldn't go through, the Army wanted a bigger one. Once at a conference he conversed with a manufacturer of shells and that manufacturer had the same complaint. What was happening, they discovered, was that as soon as one of them built a bigger and better bunker or shell, the Army went to the other one and asked for a design that would stop/penetrate it. (the story probably goes back to pre-history <g>)

Miss Betsy

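Miss Betsy's point above, that blocklists key on the IP of the connecting computer and not on the forgeable From or Return-Path, as an added example that is not part of this thread: it takes the client IP only from the Received header our own server wrote, builds the reversed-octet DNSBL query name (bl.spamcop.net is the SCBL zone), and checks it against a constructed stand-in for DNS. The message, host names and IP addresses are made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the thread). From and Return-Path claim
# a hotmail.com sender and a second, forged Received line names 192.0.2.44,
# but the only header our own MX wrote records the real client IP 198.51.100.23.
RAW_MSG = """Received: from mailhost.example.net (unknown [198.51.100.23])
\tby mx.example.org with ESMTP; Mon, 3 Mar 2008 09:59:58 +0000
Received: from [10.0.0.5] (forged.example.com [192.0.2.44])
\tby mailhost.example.net; Mon, 3 Mar 2008 09:50:00 +0000
Return-Path: <someone@hotmail.com>
From: "A Friend" <someone@hotmail.com>
To: user@example.org
Subject: hello

body text
"""

# Constructed stand-in for DNS: query name -> A record a listed IP returns.
# A real check would resolve the name with the system resolver instead.
MOCK_DNS = {"23.100.51.198.bl.spamcop.net": "127.0.0.2"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(raw, trusted_host):
    """IP of the computer that connected to our MX, read only from the topmost
    Received header and only if our own server (trusted_host) wrote it."""
    received = message_from_string(raw).get_all("Received", [])
    if not received:
        return None
    top = " ".join(received[0].split())   # unfold the header
    if f"by {trusted_host}" not in top:
        return None                       # not ours, so it cannot be trusted
    match = IP_IN_BRACKETS.search(top)
    return match.group(1) if match else None

def dnsbl_query_name(ip, zone="bl.spamcop.net"):
    """Reverse the octets and append the zone: 1.2.3.4 -> 4.3.2.1.<zone>."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def check_message(raw, trusted_host, resolve=MOCK_DNS.get):
    """Compare the connecting IP, not the From address, against the DNSBL."""
    ip = connecting_ip(raw, trusted_host)
    return {
        "claimed_sender": parseaddr(message_from_string(raw).get("From", ""))[1],
        "connecting_ip": ip,
        "listed": ip is not None and resolve(dnsbl_query_name(ip)) is not None,
    }
```

Whether a listed IP is rejected at connection time or merely tagged after acceptance is the receiving admin's policy; this block only produces the lookup result.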

How does Microsoft coordinate with SpamCop?
Hard to say, we here don't have access to that info. It is entirely possible that MS uses SpamCop for filtering inbound mail, but they may not want to describe their spam defenses in public. This was one of the issues on which the e360 v. Comcast suit turned (i.e., e360 wanted Comcast to describe exactly how Comcast blocked spam, which presumably would have enabled e360 to tune their mail operations to sneak in past the Comcast filters).

As far as outbound spam goes, I get the impression that some providers are "specially" connected to SpamCop, some of them even seem to have special addresses just to receive SpamCop reports. I don't think that MS is among these.

-- rick

