[Suggestion] Add another role to SpamCop: Botnet Cop


zcscjin

According to various reports, more than 80% of global spam is being sent by botnets, which are groups of malware-infected computers controlled by hackers. We cannot possibly reduce spam without reducing the size of botnets first. As I see it, SpamCop can make a unique and valuable contribution in this regard.

I came to this forum because SpamCop was listed as a major user of greylisting. Greylisting has been known to be very effective at reducing bot-sent spam, but most of its applications stop there. If we think about it, of those IPs which couldn't get through greylisting, some of them might be misconfigured mail servers, but the majority are very likely to be part of spam-sending botnets. So every greylisting installation is in fact also a botnet detection system.

While SpamCop may not have the largest greylisting system (the largest one I know fended off about 460K connection attempts per day in 2005), the existing communication channels with ISPs, which few other greylisting installations have, are SpamCop's unique strength.

If SpamCop has not already done so, I suggest that SpamCop start to identify suspected botnet computers with greylisting, and report them to relevant ISPs. It will reduce not only spam, but also identity theft, data leakage, and DDoS, etc. This will no doubt make a positive impact on the Internet.

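The detection idea in the opening post, as an added example that is not part of the thread and is not SpamCop's code: a client IP is flagged when several of its greylisted (IP, sender, recipient) triplets were never retried, while a low count is left alone to allow for misconfigured servers. The log format, thresholds and function name are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed greylist log, in chronological order (hypothetical format):
# timestamp, client IP, envelope sender, recipient, greylist action
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.0.2.10 a@example.org u1@example.net DEFER
2024-05-01T10:00:05 192.0.2.10 b@example.org u2@example.net DEFER
2024-05-01T10:00:09 192.0.2.10 c@example.org u3@example.net DEFER
2024-05-01T10:01:00 198.51.100.7 news@example.com u1@example.net DEFER
2024-05-01T10:02:00 203.0.113.5 x@example.org u4@example.net DEFER
2024-05-01T10:02:30 203.0.113.5 x@example.org u4@example.net DEFER
2024-05-01T10:16:00 198.51.100.7 news@example.com u1@example.net ACCEPT
"""

def suspected_bots(log_text, now, min_gap=timedelta(minutes=1),
                   grace=timedelta(hours=4), min_triplets=3):
    """Return IPs with >= min_triplets deferred triplets that were never retried.

    min_gap, grace and min_triplets are assumed tuning values, not standards.
    """
    first_seen = {}   # triplet -> time of its first attempt
    retried = set()   # triplets attempted again at least min_gap later
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, sender, rcpt, _action = line.split()
        when = datetime.fromisoformat(ts)
        key = (ip, sender.lower(), rcpt.lower())
        if key not in first_seen:
            first_seen[key] = when
        elif when - first_seen[key] >= min_gap:
            retried.add(key)  # queueing behaviour typical of a real MTA
    retrying_ips = {key[0] for key in retried}
    abandoned = defaultdict(int)
    for key, when in first_seen.items():
        # Only judge triplets old enough that a real MTA would have retried.
        if key not in retried and now - when >= grace:
            abandoned[key[0]] += 1
    return sorted(ip for ip, count in abandoned.items()
                  if count >= min_triplets and ip not in retrying_ips)

if __name__ == "__main__":
    print(suspected_bots(SAMPLE_LOG, datetime(2024, 5, 1, 15, 0)))
```

The grace period keeps a sender that is still inside its normal retry schedule from being reported, and any IP that retried at least one triplet is excluded outright.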

As I see it, SpamCop can make a unique and valuable contribution in this regard.
I think SpamCop is already "contributing its logs" (as the blog post proposes) via the SpamCop blocking list, which is used by lots of large commercial e-mail providers for detecting and blocking or detaining spam. Also, I know that every spam I report thru SpamCop gets traced to its origin IP (i.e., the bot), and this IP is then reported to its operators, so they get fair warning of bot activity. If you check the graph at top right, you'll see that SpamCop processed over 4 million spams in the past 24 hours.

SpamCop offers graylisting to paid users as an optional feature of its mail service; this may be where you found the SpamCop-graylisting connection.

-- rick


I think SpamCop is already "contributing its logs" (as the blog post proposes) via the SpamCop blocking list,
SpamCop blocking list is summarized from user reports. Bot-sent spams possibly could not pass greylisting. Users might not get to see these spams, thus won't report them, either. So the current blocking list may not include all the bots SpamCop has already detected.

Reporting botnets has another advantage. Knowing the true cause of spam, instead of asking the victims to stop sending spam, ISPs might ask them to clean up their computers. This shrinks the botnets, which leads to less spam. The victims also get a chance to stay alert, and take steps to reduce damage from possible data theft, etc.


SpamCop blocking list is summarized from user reports. Bot-sent spams possibly could not pass greylisting. Users might not get to see these spams, thus won't report them, either. So the current blocking list may not include all the bots SpamCop has already detected.

Thanks for the suggestion. I'm not, personally, convinced but since it isn't up to me that's hardly relevant.

You've started this discussion in The Lounge and your idea isn't likely to get any attention from the SpamCop deputies who would take this forward if it was thought a good approach.

You'd be better posting this as an email to deputies[at]spamcop.net, or perhaps even better service[at]admin.spamcop.net. But I'm not overly confident that your suggestion will be taken forward.

Andrew


<snip>

I came to this forum because SpamCop was listed as a major user of greylisting.

<snip>

Hi, zcscjin!

...Please be aware that there are (at least) three unrelated (although partly integrated) "products" involved in "SpamCop:"

  • SpamCop Parsing and Reporting system
  • SpamCop blacklist
  • SpamCop e-mail

The first two are operated by Cisco Corporation's SpamCop business unit and the third by JT (Jeff Tucker). It is the e-mail system that offers Greylisting as an option to its clients and, IIUC, would have to be modified to do what you suggest. JT doesn't seem to spend too much time here, so I would suggest you try contacting him directly at e-mail address support[at]spamcop.net. Recent evidence is that JT isn't able to be readily responsive, presumably because his current workload exceeds the amount of time he has, so please do not expect a quick reply.

...Good luck!


SpamCop blocking list is summarized from user reports. Bot-sent spams possibly could not pass greylisting. Users might not get to see these spams, thus won't report them, either. So the current blocking list may not include all the bots SpamCop has already detected.
Well, someone is reporting four million spams per day thru SpamCop, so obviously not all the spams are being rejected by a graylist. The graylist is available to paid users, but I suspect these only account for a minority of the people who submit spam for reporting (and many of those, including yours truly, no doubt opt to run without the graylist). In other words, I think that as a source of proof of bot activities, the graylist log would be pretty meager when compared to the SCBL. Still, you should pursue the question with JT etc. to see what comes of it.

-- rick


SpamCop blocking list is summarized from user reports. Bot-sent spams possibly could not pass greylisting. Users might not get to see these spams, thus won't report them, either. So the current blocking list may not include all the bots SpamCop has already detected.

The SCBL is derived from user reports *and* mail sent to our spamtraps. We don't reject/graylist any mail sent to our traps.
